@prave/shared 1.3.0 → 1.4.0

package/dist/lib/index.d.ts

@@ -1,3 +1,4 @@
 export * from './classify.js';
 export * from './compile-skill.js';
+export * from './secret-scanner.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA;AAC7B,cAAc,oBAAoB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAA;AAC7B,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA"}

package/dist/lib/index.js

@@ -1,2 +1,3 @@
 export * from './classify.js';
 export * from './compile-skill.js';
+export * from './secret-scanner.js';

package/dist/lib/secret-scanner.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Secret-scanner — shared pre-insert gate for skill bundles.
+ *
+ * Two layers:
+ *
+ *   1. **Path patterns** — file names / paths that are categorically
+ *      forbidden in a public-facing skill bundle. Hits are an immediate
+ *      reject, no content peek needed.
+ *
+ *   2. **Content regexes** — high-confidence credential shapes that
+ *      stand out even inside a text body. We only run these against
+ *      files that look like text (we don't want to false-match a key
+ *      shape inside a compressed binary blob).
+ *
+ * The scanner is called from two places:
+ *
+ *   • `apps/worker/src/jobs/scan-github-repo.job.ts` — silent reject,
+ *     bundle is marked 'rejected' and never surfaces in the catalogue.
+ *   • `apps/api/src/services/bundle-storage.service.ts` — surfaces the
+ *     finding back to the user so they can scrub the file and re-deploy.
+ *
+ * Same code, two failure modes. Keep this file dependency-free so the
+ * worker (Node) and the API (Node) and a future web-side validator
+ * (browser) can all run it without bundling friction.
+ */
+export interface SecretFinding {
+    /** Path of the offending file within the bundle. */
+    path: string;
+    /** Short identifier of the rule that fired (`env-file`, `aws-key`, …). */
+    rule: string;
+    /**
+     * 1-indexed line where the match was found, when a content regex
+     * fired. Omitted for path-based rejects.
+     */
+    line?: number;
+}
+export interface SecretScanInput {
+    /** File path relative to the bundle root, e.g. `scripts/post.ts`. */
+    path: string;
+    /** File content as a UTF-8 string. NULL/undefined for binary files. */
+    content?: string | null;
+}
+export interface SecretScanResult {
+    /** Final verdict. `clean` means the bundle is safe to expose / run. */
+    status: 'clean' | 'rejected';
+    /** Every triggered rule. Empty when `status === 'clean'`. */
+    findings: SecretFinding[];
+}
+/**
+ * Run both layers across a list of files. Returns a verdict + every
+ * matching rule across every file. Empty findings = clean bundle.
+ *
+ * Files where `content` is missing skip the content-regex stage but
+ * still trip path rules.
+ */
+export declare function scanForSecrets(files: SecretScanInput[]): SecretScanResult;
+/**
+ * Whether a path likely points at a text-readable file (worth running
+ * content regexes against). Used by callers to filter the input list
+ * before they bother loading binary blobs.
+ */
+export declare function isLikelyTextPath(path: string): boolean;
+//# sourceMappingURL=secret-scanner.d.ts.map

package/dist/lib/secret-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanner.d.ts","sourceRoot":"","sources":["../../src/lib/secret-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,IAAI,EAAE,MAAM,CAAA;IACZ,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAA;IACZ;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,IAAI,EAAE,MAAM,CAAA;IACZ,uEAAuE;IACvE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,uEAAuE;IACvE,MAAM,EAAE,OAAO,GAAG,UAAU,CAAA;IAC5B,6DAA6D;IAC7D,QAAQ,EAAE,aAAa,EAAE,CAAA;CAC1B;AAwGD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,gBAAgB,CAmCzE;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAStD"}

package/dist/lib/secret-scanner.js

@@ -0,0 +1,214 @@
+/**
+ * Secret-scanner — shared pre-insert gate for skill bundles.
+ *
+ * Two layers:
+ *
+ *   1. **Path patterns** — file names / paths that are categorically
+ *      forbidden in a public-facing skill bundle. Hits are an immediate
+ *      reject, no content peek needed.
+ *
+ *   2. **Content regexes** — high-confidence credential shapes that
+ *      stand out even inside a text body. We only run these against
+ *      files that look like text (we don't want to false-match a key
+ *      shape inside a compressed binary blob).
+ *
+ * The scanner is called from two places:
+ *
+ *   • `apps/worker/src/jobs/scan-github-repo.job.ts` — silent reject,
+ *     bundle is marked 'rejected' and never surfaces in the catalogue.
+ *   • `apps/api/src/services/bundle-storage.service.ts` — surfaces the
+ *     finding back to the user so they can scrub the file and re-deploy.
+ *
+ * Same code, two failure modes. Keep this file dependency-free so the
+ * worker (Node) and the API (Node) and a future web-side validator
+ * (browser) can all run it without bundling friction.
+ */
+// ── Path patterns ────────────────────────────────────────────────────
+// Matched against the lowercased file path. Anchored at the basename
+// where it makes sense (`.env`) and as substring elsewhere (`secrets/`).
+const PATH_RULES = [
+    {
+        rule: 'env-file',
+        test: (p) => {
+            const base = basename(p);
+            // .env, .env.local, .env.production, .envrc — but NOT .env.example
+            // or .env.sample (templates are encouraged).
+            if (base === '.env' || base.startsWith('.env.')) {
+                return !/\.(example|sample|template)$/.test(base);
+            }
+            if (base === '.envrc')
+                return true;
+            return false;
+        },
+    },
+    {
+        rule: 'private-key',
+        test: (p) => /\.(pem|p12|pfx|key|jks)$/i.test(p),
+    },
+    {
+        rule: 'ssh-private-key',
+        test: (p) => {
+            const base = basename(p);
+            return /^id_(rsa|ecdsa|ed25519|dsa)$/.test(base);
+        },
+    },
+    {
+        rule: 'gcp-service-account',
+        test: (p) => {
+            const base = basename(p).toLowerCase();
+            return (base === 'service-account.json' ||
+                /^service-account[-_].*\.json$/.test(base) ||
+                base === 'gcp-key.json' ||
+                base === 'firebase-adminsdk.json');
+        },
+    },
+    {
+        rule: 'aws-credentials',
+        test: (p) => {
+            const lower = p.toLowerCase();
+            return (lower.endsWith('/.aws/credentials') ||
+                lower === '.aws/credentials' ||
+                lower.endsWith('aws-credentials.json'));
+        },
+    },
+    {
+        rule: 'credentials-file',
+        test: (p) => {
+            const base = basename(p).toLowerCase();
+            return (base === 'credentials.json' ||
+                base === 'secrets.json' ||
+                base === 'secret.json');
+        },
+    },
+    {
+        rule: 'secrets-dir',
+        test: (p) => /(^|\/)secrets\//i.test(p),
+    },
+];
+// ── Content regexes ──────────────────────────────────────────────────
+// High-confidence shapes only — false positives mean a frustrated user
+// re-uploading after a scrub they couldn't validate. Keep the bar high.
+const CONTENT_RULES = [
+    // Anthropic
+    { rule: 'anthropic-api-key', regex: /\bsk-ant-[a-zA-Z0-9-_]{20,}\b/ },
+    // OpenAI
+    { rule: 'openai-api-key', regex: /\bsk-(?:proj-)?[a-zA-Z0-9-_]{32,}\b/ },
+    // AWS
+    { rule: 'aws-access-key-id', regex: /\bAKIA[0-9A-Z]{16}\b/ },
+    { rule: 'aws-secret-access-key', regex: /aws_secret_access_key\s*=\s*['"]?[A-Za-z0-9/+=]{40}\b/i },
+    // GitHub
+    { rule: 'github-personal-token', regex: /\bghp_[A-Za-z0-9]{36}\b/ },
+    { rule: 'github-oauth-token', regex: /\bgho_[A-Za-z0-9]{36}\b/ },
+    { rule: 'github-fine-grained-token', regex: /\bgithub_pat_[A-Za-z0-9_]{82}\b/ },
+    // Stripe
+    { rule: 'stripe-live-key', regex: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
+    { rule: 'stripe-restricted-key', regex: /\brk_live_[A-Za-z0-9]{24,}\b/ },
+    // Google API key
+    { rule: 'google-api-key', regex: /\bAIza[0-9A-Za-z\-_]{35}\b/ },
+    // Slack
+    { rule: 'slack-bot-token', regex: /\bxoxb-[A-Za-z0-9-]{20,}\b/ },
+    { rule: 'slack-user-token', regex: /\bxoxp-[A-Za-z0-9-]{20,}\b/ },
+    // GitLab
+    { rule: 'gitlab-personal-token', regex: /\bglpat-[A-Za-z0-9_-]{20}\b/ },
+    // Supabase / JWT-shaped service-role key (the shape, not the host).
+    // Has 3 base64url segments separated by '.'. We require an `eyJ`
+    // header (RFC 7519 typ:"JWT") to dodge random base64 strings.
+    {
+        rule: 'jwt-token',
+        regex: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/,
+    },
+];
+/**
+ * Run both layers across a list of files. Returns a verdict + every
+ * matching rule across every file. Empty findings = clean bundle.
+ *
+ * Files where `content` is missing skip the content-regex stage but
+ * still trip path rules.
+ */
+export function scanForSecrets(files) {
+    const findings = [];
+    for (const file of files) {
+        // Path-based rules
+        for (const { rule, test } of PATH_RULES) {
+            if (test(file.path)) {
+                findings.push({ path: file.path, rule });
+            }
+        }
+        // Content-based rules — only on text. We could be smarter (e.g.
+        // skip files >1MB) but the worker already caps bundle size and
+        // skips known-binary extensions before getting here.
+        if (typeof file.content === 'string' && file.content.length > 0) {
+            // Split once for line numbers; the regex tests run against the
+            // full body so multiline shapes still match.
+            const lines = file.content.split('\n');
+            for (const { rule, regex } of CONTENT_RULES) {
+                // Reset stateful regexes — we don't use /g but be defensive.
+                const localRegex = new RegExp(regex.source, regex.flags.replace('g', ''));
+                for (let i = 0; i < lines.length; i++) {
+                    if (localRegex.test(lines[i] ?? '')) {
+                        findings.push({ path: file.path, rule, line: i + 1 });
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    return {
+        status: findings.length > 0 ? 'rejected' : 'clean',
+        findings,
+    };
+}
+/**
+ * Whether a path likely points at a text-readable file (worth running
+ * content regexes against). Used by callers to filter the input list
+ * before they bother loading binary blobs.
+ */
+export function isLikelyTextPath(path) {
+    const ext = path.toLowerCase().split('.').pop() ?? '';
+    return (TEXT_EXTENSIONS.has(ext) ||
+        // Files without an extension that we'd still want to scan
+        path.endsWith('Dockerfile') ||
+        path.endsWith('Makefile') ||
+        /\.env(\.|$)/.test(path));
+}
+const TEXT_EXTENSIONS = new Set([
+    'md',
+    'mdx',
+    'txt',
+    'json',
+    'yaml',
+    'yml',
+    'toml',
+    'ini',
+    'cfg',
+    'conf',
+    'env',
+    'js',
+    'jsx',
+    'ts',
+    'tsx',
+    'mjs',
+    'cjs',
+    'py',
+    'rb',
+    'go',
+    'rs',
+    'sh',
+    'bash',
+    'zsh',
+    'fish',
+    'sql',
+    'graphql',
+    'gql',
+    'html',
+    'xml',
+    'svg',
+    'css',
+    'scss',
+    'less',
+    'lock',
+]);
+function basename(p) {
+    const i = p.lastIndexOf('/');
+    return i === -1 ? p : p.slice(i + 1);
+}

package/dist/schemas/index.d.ts

@@ -14,4 +14,5 @@ export * from './skill-pr.schema.js';
 export * from './intelligence.schema.js';
 export * from './api-keys.schema.js';
 export * from './skill-report.schema.js';
+export * from './run.schema.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/schemas/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/schemas/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAA;AACxC,cAAc,mBAAmB,CAAA;AACjC,cAAc,2BAA2B,CAAA;AACzC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,oBAAoB,CAAA;AAClC,cAAc,4BAA4B,CAAA;AAC1C,cAAc,8BAA8B,CAAA;AAC5C,cAAc,wBAAwB,CAAA;AACtC,cAAc,yBAAyB,CAAA;AACvC,cAAc,qBAAqB,CAAA;AACnC,cAAc,qBAAqB,CAAA;AACnC,cAAc,qBAAqB,CAAA;AACnC,cAAc,sBAAsB,CAAA;AACpC,cAAc,0BAA0B,CAAA;AACxC,cAAc,sBAAsB,CAAA;AACpC,cAAc,0BAA0B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/schemas/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAA;AACxC,cAAc,mBAAmB,CAAA;AACjC,cAAc,2BAA2B,CAAA;AACzC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,oBAAoB,CAAA;AAClC,cAAc,4BAA4B,CAAA;AAC1C,cAAc,8BAA8B,CAAA;AAC5C,cAAc,wBAAwB,CAAA;AACtC,cAAc,yBAAyB,CAAA;AACvC,cAAc,qBAAqB,CAAA;AACnC,cAAc,qBAAqB,CAAA;AACnC,cAAc,qBAAqB,CAAA;AACnC,cAAc,sBAAsB,CAAA;AACpC,cAAc,0BAA0B,CAAA;AACxC,cAAc,sBAAsB,CAAA;AACpC,cAAc,0BAA0B,CAAA;AACxC,cAAc,iBAAiB,CAAA"}

package/dist/schemas/index.js

@@ -14,3 +14,4 @@ export * from './skill-pr.schema.js';
 export * from './intelligence.schema.js';
 export * from './api-keys.schema.js';
 export * from './skill-report.schema.js';
+export * from './run.schema.js';

package/dist/schemas/run.schema.d.ts

@@ -0,0 +1,501 @@
+import { z } from 'zod';
+/**
+ * Run schemas — server-side scheduled Skill executions.
+ *
+ * The on-disk shape is split across three tables:
+ *
+ *   - `skill_bundles`   uploaded project folder (SKILL.md + scripts + .env)
+ *   - `runs`            schedule + agent + status for one deployment
+ *   - `run_executions`  append-only fire-history with logs and tokens
+ *
+ * (See supabase/migrations/049_runs_and_bundles.sql for the full
+ * column-level docstrings.)
+ */
+export declare const runAgentSchema: z.ZodEnum<["claude", "codex", "cursor", "gemini", "cline", "amp"]>;
+export type RunAgent = z.infer<typeof runAgentSchema>;
+export declare const runScheduleKindSchema: z.ZodEnum<["hourly", "daily", "weekly", "monthly", "custom"]>;
+export type RunScheduleKind = z.infer<typeof runScheduleKindSchema>;
+export declare const runStatusSchema: z.ZodEnum<["active", "paused", "failed", "disabled"]>;
+export type RunStatus = z.infer<typeof runStatusSchema>;
+export declare const runExecutionStatusSchema: z.ZodEnum<["running", "success", "failed", "timeout", "cancelled"]>;
+export type RunExecutionStatus = z.infer<typeof runExecutionStatusSchema>;
+export declare const runScheduleInputSchema: z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
+    kind: z.ZodLiteral<"hourly">;
+}, "strip", z.ZodTypeAny, {
+    kind: "hourly";
+}, {
+    kind: "hourly";
+}>, z.ZodObject<{
+    kind: z.ZodLiteral<"daily">;
+    time: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    kind: "daily";
+    time: string;
+}, {
+    kind: "daily";
+    time: string;
+}>, z.ZodObject<{
+    kind: z.ZodLiteral<"weekly">;
+    time: z.ZodString;
+    weekday: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    kind: "weekly";
+    time: string;
+    weekday: number;
+}, {
+    kind: "weekly";
+    time: string;
+    weekday: number;
+}>, z.ZodObject<{
+    kind: z.ZodLiteral<"monthly">;
+    time: z.ZodString;
+    day_of_month: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    kind: "monthly";
+    time: string;
+    day_of_month: number;
+}, {
+    kind: "monthly";
+    time: string;
+    day_of_month: number;
+}>, z.ZodObject<{
+    kind: z.ZodLiteral<"custom">;
+    cron_expr: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    kind: "custom";
+    cron_expr: string;
+}, {
+    kind: "custom";
+    cron_expr: string;
+}>]>;
+export type RunScheduleInput = z.infer<typeof runScheduleInputSchema>;
+export declare const skillBundleSchema: z.ZodObject<{
+    id: z.ZodString;
+    owner_id: z.ZodString;
+    skill_id: z.ZodNullable<z.ZodString>;
+    source: z.ZodEnum<["upload", "github"]>;
+    tarball_path: z.ZodString;
+    manifest: z.ZodArray<z.ZodObject<{
+        path: z.ZodString;
+        size: z.ZodNumber;
+        sha256: z.ZodString;
+        kind: z.ZodEnum<["text", "binary", "script"]>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        kind: "text" | "binary" | "script";
+        size: number;
+        sha256: string;
+    }, {
+        path: string;
+        kind: "text" | "binary" | "script";
+        size: number;
+        sha256: string;
+    }>, "many">;
+    total_size_bytes: z.ZodNumber;
+    has_scripts: z.ZodBoolean;
+    has_env_template: z.ZodBoolean;
+    secret_scan_status: z.ZodEnum<["pending", "clean", "rejected"]>;
+    secret_scan_findings: z.ZodNullable<z.ZodArray<z.ZodObject<{
+        path: z.ZodString;
+        rule: z.ZodString;
+        line: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        rule: string;
+        line?: number | undefined;
+    }, {
+        path: string;
+        rule: string;
+        line?: number | undefined;
+    }>, "many">>;
+    created_at: z.ZodString;
+    updated_at: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    skill_id: string | null;
+    created_at: string;
+    updated_at: string;
+    owner_id: string;
+    source: "upload" | "github";
+    tarball_path: string;
+    manifest: {
+        path: string;
+        kind: "text" | "binary" | "script";
+        size: number;
+        sha256: string;
+    }[];
+    total_size_bytes: number;
+    has_scripts: boolean;
+    has_env_template: boolean;
+    secret_scan_status: "pending" | "clean" | "rejected";
+    secret_scan_findings: {
+        path: string;
+        rule: string;
+        line?: number | undefined;
+    }[] | null;
+}, {
+    id: string;
+    skill_id: string | null;
+    created_at: string;
+    updated_at: string;
+    owner_id: string;
+    source: "upload" | "github";
+    tarball_path: string;
+    manifest: {
+        path: string;
+        kind: "text" | "binary" | "script";
+        size: number;
+        sha256: string;
+    }[];
+    total_size_bytes: number;
+    has_scripts: boolean;
+    has_env_template: boolean;
+    secret_scan_status: "pending" | "clean" | "rejected";
+    secret_scan_findings: {
+        path: string;
+        rule: string;
+        line?: number | undefined;
+    }[] | null;
+}>;
+export type SkillBundle = z.infer<typeof skillBundleSchema>;
+export declare const runSchema: z.ZodObject<{
+    id: z.ZodString;
+    owner_id: z.ZodString;
+    bundle_id: z.ZodString;
+    slug: z.ZodString;
+    name: z.ZodString;
+    agent: z.ZodEnum<["claude", "codex", "cursor", "gemini", "cline", "amp"]>;
+    schedule_kind: z.ZodEnum<["hourly", "daily", "weekly", "monthly", "custom"]>;
+    cron_expr: z.ZodString;
+    timezone: z.ZodString;
+    status: z.ZodEnum<["active", "paused", "failed", "disabled"]>;
+    timeout_seconds: z.ZodNumber;
+    max_log_bytes: z.ZodNumber;
+    next_run_at: z.ZodNullable<z.ZodString>;
+    last_run_at: z.ZodNullable<z.ZodString>;
+    last_exec_status: z.ZodNullable<z.ZodEnum<["success", "failed", "timeout", "cancelled"]>>;
+    total_runs: z.ZodNumber;
+    total_failures: z.ZodNumber;
+    created_at: z.ZodString;
+    updated_at: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    status: "failed" | "active" | "paused" | "disabled";
+    id: string;
+    created_at: string;
+    updated_at: string;
+    slug: string;
+    name: string;
+    owner_id: string;
+    cron_expr: string;
+    bundle_id: string;
+    agent: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp";
+    schedule_kind: "custom" | "monthly" | "hourly" | "daily" | "weekly";
+    timezone: string;
+    timeout_seconds: number;
+    max_log_bytes: number;
+    next_run_at: string | null;
+    last_run_at: string | null;
+    last_exec_status: "success" | "failed" | "timeout" | "cancelled" | null;
+    total_runs: number;
+    total_failures: number;
+}, {
+    status: "failed" | "active" | "paused" | "disabled";
+    id: string;
+    created_at: string;
+    updated_at: string;
+    slug: string;
+    name: string;
+    owner_id: string;
+    cron_expr: string;
+    bundle_id: string;
+    agent: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp";
+    schedule_kind: "custom" | "monthly" | "hourly" | "daily" | "weekly";
+    timezone: string;
+    timeout_seconds: number;
+    max_log_bytes: number;
+    next_run_at: string | null;
+    last_run_at: string | null;
+    last_exec_status: "success" | "failed" | "timeout" | "cancelled" | null;
+    total_runs: number;
+    total_failures: number;
+}>;
+export type Run = z.infer<typeof runSchema>;
+export declare const createRunInputSchema: z.ZodObject<{
+    bundle_id: z.ZodString;
+    name: z.ZodString;
+    agent: z.ZodEnum<["claude", "codex", "cursor", "gemini", "cline", "amp"]>;
+    schedule: z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
+        kind: z.ZodLiteral<"hourly">;
+    }, "strip", z.ZodTypeAny, {
+        kind: "hourly";
+    }, {
+        kind: "hourly";
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"daily">;
+        time: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        kind: "daily";
+        time: string;
+    }, {
+        kind: "daily";
+        time: string;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"weekly">;
+        time: z.ZodString;
+        weekday: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    }, {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"monthly">;
+        time: z.ZodString;
+        day_of_month: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    }, {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"custom">;
+        cron_expr: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        kind: "custom";
+        cron_expr: string;
+    }, {
+        kind: "custom";
+        cron_expr: string;
+    }>]>;
+    timezone: z.ZodDefault<z.ZodString>;
+    timeout_seconds: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    bundle_id: string;
+    agent: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp";
+    timezone: string;
+    schedule: {
+        kind: "hourly";
+    } | {
+        kind: "daily";
+        time: string;
+    } | {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    } | {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    } | {
+        kind: "custom";
+        cron_expr: string;
+    };
+    timeout_seconds?: number | undefined;
+}, {
+    name: string;
+    bundle_id: string;
+    agent: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp";
+    schedule: {
+        kind: "hourly";
+    } | {
+        kind: "daily";
+        time: string;
+    } | {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    } | {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    } | {
+        kind: "custom";
+        cron_expr: string;
+    };
+    timezone?: string | undefined;
+    timeout_seconds?: number | undefined;
+}>;
+export type CreateRunInput = z.infer<typeof createRunInputSchema>;
+export declare const updateRunInputSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    agent: z.ZodOptional<z.ZodEnum<["claude", "codex", "cursor", "gemini", "cline", "amp"]>>;
+    schedule: z.ZodOptional<z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
+        kind: z.ZodLiteral<"hourly">;
+    }, "strip", z.ZodTypeAny, {
+        kind: "hourly";
+    }, {
+        kind: "hourly";
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"daily">;
+        time: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        kind: "daily";
+        time: string;
+    }, {
+        kind: "daily";
+        time: string;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"weekly">;
+        time: z.ZodString;
+        weekday: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    }, {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"monthly">;
+        time: z.ZodString;
+        day_of_month: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    }, {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"custom">;
+        cron_expr: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        kind: "custom";
+        cron_expr: string;
+    }, {
+        kind: "custom";
+        cron_expr: string;
+    }>]>>;
+    timezone: z.ZodOptional<z.ZodString>;
+    timeout_seconds: z.ZodOptional<z.ZodNumber>;
+    status: z.ZodOptional<z.ZodEnum<["active", "paused"]>>;
+}, "strip", z.ZodTypeAny, {
+    status?: "active" | "paused" | undefined;
+    name?: string | undefined;
+    agent?: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp" | undefined;
+    timezone?: string | undefined;
+    timeout_seconds?: number | undefined;
+    schedule?: {
+        kind: "hourly";
+    } | {
+        kind: "daily";
+        time: string;
+    } | {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    } | {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    } | {
+        kind: "custom";
+        cron_expr: string;
+    } | undefined;
+}, {
+    status?: "active" | "paused" | undefined;
+    name?: string | undefined;
+    agent?: "claude" | "codex" | "cursor" | "gemini" | "cline" | "amp" | undefined;
+    timezone?: string | undefined;
+    timeout_seconds?: number | undefined;
+    schedule?: {
+        kind: "hourly";
+    } | {
+        kind: "daily";
+        time: string;
+    } | {
+        kind: "weekly";
+        time: string;
+        weekday: number;
+    } | {
+        kind: "monthly";
+        time: string;
+        day_of_month: number;
+    } | {
+        kind: "custom";
+        cron_expr: string;
+    } | undefined;
+}>;
+export type UpdateRunInput = z.infer<typeof updateRunInputSchema>;
+export declare const runExecutionSchema: z.ZodObject<{
+    id: z.ZodString;
+    run_id: z.ZodString;
+    worker_id: z.ZodNullable<z.ZodString>;
+    status: z.ZodEnum<["running", "success", "failed", "timeout", "cancelled"]>;
+    started_at: z.ZodString;
+    finished_at: z.ZodNullable<z.ZodString>;
+    duration_ms: z.ZodNullable<z.ZodNumber>;
+    exit_code: z.ZodNullable<z.ZodNumber>;
+    log_text: z.ZodNullable<z.ZodString>;
+    log_truncated: z.ZodBoolean;
+    input_tokens: z.ZodNullable<z.ZodNumber>;
+    output_tokens: z.ZodNullable<z.ZodNumber>;
+    cost_estimate_cents: z.ZodNullable<z.ZodNumber>;
+    error_message: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    status: "success" | "failed" | "running" | "timeout" | "cancelled";
+    id: string;
+    created_at: string;
+    input_tokens: number | null;
+    output_tokens: number | null;
+    error_message: string | null;
+    run_id: string;
+    worker_id: string | null;
+    started_at: string;
+    finished_at: string | null;
+    duration_ms: number | null;
+    exit_code: number | null;
+    log_text: string | null;
+    log_truncated: boolean;
+    cost_estimate_cents: number | null;
+}, {
+    status: "success" | "failed" | "running" | "timeout" | "cancelled";
+    id: string;
+    created_at: string;
+    input_tokens: number | null;
+    output_tokens: number | null;
+    error_message: string | null;
+    run_id: string;
+    worker_id: string | null;
+    started_at: string;
+    finished_at: string | null;
+    duration_ms: number | null;
+    exit_code: number | null;
+    log_text: string | null;
+    log_truncated: boolean;
+    cost_estimate_cents: number | null;
+}>;
+export type RunExecution = z.infer<typeof runExecutionSchema>;
+export declare const deploySessionSchema: z.ZodObject<{
+    session_id: z.ZodString;
+    upload_url: z.ZodString;
+    wizard_url: z.ZodString;
+    expires_at: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    expires_at: string;
+    session_id: string;
+    upload_url: string;
+    wizard_url: string;
+}, {
+    expires_at: string;
+    session_id: string;
+    upload_url: string;
+    wizard_url: string;
+}>;
+export type DeploySession = z.infer<typeof deploySessionSchema>;
+export interface RunExecuteJob {
+    run_id: string;
+    execution_id: string;
+    scheduled_at: string;
+}
+//# sourceMappingURL=run.schema.d.ts.map

package/dist/schemas/run.schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.schema.d.ts","sourceRoot":"","sources":["../../src/schemas/run.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;;;;;;;;;GAWG;AAKH,eAAO,MAAM,cAAc,oEAOzB,CAAA;AACF,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAA;AAKrD,eAAO,MAAM,qBAAqB,+DAMhC,CAAA;AACF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE,eAAO,MAAM,eAAe,uDAK1B,CAAA;AACF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AAEvD,eAAO,MAAM,wBAAwB,qEAMnC,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAezE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAsBjC,CAAA;AACF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AAGrE,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6B5B,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAG3D,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsBpB,CAAA;AACF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA;AAE3C,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO/B,CAAA;AACF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO/B,CAAA;AACF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAGjE,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB7B,CAAA;AACF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAO7D,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAG/D,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;CACrB"}

package/dist/schemas/run.schema.js

@@ -0,0 +1,179 @@
+import { z } from 'zod';
+/**
+ * Run schemas — server-side scheduled Skill executions.
+ *
+ * The on-disk shape is split across three tables:
+ *
+ *   - `skill_bundles`   uploaded project folder (SKILL.md + scripts + .env)
+ *   - `runs`            schedule + agent + status for one deployment
+ *   - `run_executions`  append-only fire-history with logs and tokens
+ *
+ * (See supabase/migrations/049_runs_and_bundles.sql for the full
+ * column-level docstrings.)
+ */
+// ── Agent identifier ─────────────────────────────────────────────────
+// Same string set as the existing multi-agent feature. The runner
+// picks the matching CLI invocation per name.
+export const runAgentSchema = z.enum([
+    'claude',
+    'codex',
+    'cursor',
+    'gemini',
+    'cline',
+    'amp',
+]);
+// ── Schedule presets ─────────────────────────────────────────────────
+// The wizard picker only shows the presets; `custom` is a power-user
+// affordance exposed via the same form's "Advanced" twirl-down.
+export const runScheduleKindSchema = z.enum([
+    'hourly',
+    'daily',
+    'weekly',
+    'monthly',
+    'custom',
+]);
+export const runStatusSchema = z.enum([
+    'active',
+    'paused',
+    'failed',
+    'disabled',
+]);
+export const runExecutionStatusSchema = z.enum([
+    'running',
+    'success',
+    'failed',
+    'timeout',
+    'cancelled',
+]);
+// ── Schedule input ───────────────────────────────────────────────────
+//
+// The wizard sends one of:
+//
+//   { kind: 'hourly' }                                  → "0 * * * *"
+//   { kind: 'daily',   time: '08:00' }                  → "0 8 * * *"
+//   { kind: 'weekly',  time: '08:00', weekday: 1 }      → "0 8 * * 1"
+//   { kind: 'monthly', time: '08:00', day_of_month: 1 } → "0 8 1 * *"
+//   { kind: 'custom',  cron_expr: '*/15 * * * *' }
+//
+// The API service expands these into the canonical 5-field cron used
+// downstream. Timezone is captured separately so "daily at 08:00" lands
+// at the user's local 08:00 regardless of server location.
+export const runScheduleInputSchema = z.discriminatedUnion('kind', [
+    z.object({
+        kind: z.literal('hourly'),
+    }),
+    z.object({
+        kind: z.literal('daily'),
+        time: z.string().regex(/^([01]\d|2[0-3]):[0-5]\d$/, 'HH:MM'),
+    }),
+    z.object({
+        kind: z.literal('weekly'),
+        time: z.string().regex(/^([01]\d|2[0-3]):[0-5]\d$/, 'HH:MM'),
+        weekday: z.number().int().min(0).max(6),
+    }),
+    z.object({
+        kind: z.literal('monthly'),
+        time: z.string().regex(/^([01]\d|2[0-3]):[0-5]\d$/, 'HH:MM'),
+        day_of_month: z.number().int().min(1).max(28),
+    }),
+    z.object({
+        kind: z.literal('custom'),
+        cron_expr: z.string().min(9).max(120),
+    }),
+]);
+// ── Bundle ───────────────────────────────────────────────────────────
+export const skillBundleSchema = z.object({
+    id: z.string().uuid(),
+    owner_id: z.string().uuid(),
+    skill_id: z.string().uuid().nullable(),
+    source: z.enum(['upload', 'github']),
+    tarball_path: z.string(),
+    manifest: z.array(z.object({
+        path: z.string(),
+        size: z.number().int().nonnegative(),
+        sha256: z.string(),
+        kind: z.enum(['text', 'binary', 'script']),
+    })),
+    total_size_bytes: z.number().int().nonnegative(),
+    has_scripts: z.boolean(),
+    has_env_template: z.boolean(),
+    secret_scan_status: z.enum(['pending', 'clean', 'rejected']),
+    secret_scan_findings: z
+        .array(z.object({
+        path: z.string(),
+        rule: z.string(),
+        line: z.number().int().nonnegative().optional(),
+    }))
+        .nullable(),
+    created_at: z.string().datetime(),
+    updated_at: z.string().datetime(),
+});
+// ── Run ──────────────────────────────────────────────────────────────
+export const runSchema = z.object({
+    id: z.string().uuid(),
+    owner_id: z.string().uuid(),
+    bundle_id: z.string().uuid(),
+    slug: z.string(),
+    name: z.string(),
+    agent: runAgentSchema,
+    schedule_kind: runScheduleKindSchema,
+    cron_expr: z.string(),
+    timezone: z.string(),
+    status: runStatusSchema,
+    timeout_seconds: z.number().int().positive(),
+    max_log_bytes: z.number().int().positive(),
+    next_run_at: z.string().datetime().nullable(),
+    last_run_at: z.string().datetime().nullable(),
+    last_exec_status: z
+        .enum(['success', 'failed', 'timeout', 'cancelled'])
+        .nullable(),
+    total_runs: z.number().int().nonnegative(),
+    total_failures: z.number().int().nonnegative(),
+    created_at: z.string().datetime(),
+    updated_at: z.string().datetime(),
+});
+export const createRunInputSchema = z.object({
+    bundle_id: z.string().uuid(),
+    name: z.string().min(1).max(120),
+    agent: runAgentSchema,
+    schedule: runScheduleInputSchema,
+    timezone: z.string().min(2).max(60).default('UTC'),
+    timeout_seconds: z.number().int().min(5).max(300).optional(),
+});
+export const updateRunInputSchema = z.object({
+    name: z.string().min(1).max(120).optional(),
+    agent: runAgentSchema.optional(),
+    schedule: runScheduleInputSchema.optional(),
+    timezone: z.string().optional(),
+    timeout_seconds: z.number().int().min(5).max(300).optional(),
+    status: z.enum(['active', 'paused']).optional(),
+});
+// ── Execution ────────────────────────────────────────────────────────
+export const runExecutionSchema = z.object({
+    id: z.string().uuid(),
+    run_id: z.string().uuid(),
+    worker_id: z.string().nullable(),
+    status: runExecutionStatusSchema,
+    started_at: z.string().datetime(),
+    finished_at: z.string().datetime().nullable(),
+    duration_ms: z.number().int().nullable(),
+    exit_code: z.number().int().nullable(),
+    log_text: z.string().nullable(),
+    log_truncated: z.boolean(),
+    input_tokens: z.number().int().nullable(),
+    output_tokens: z.number().int().nullable(),
+    cost_estimate_cents: z.number().int().nullable(),
+    error_message: z.string().nullable(),
+    created_at: z.string().datetime(),
+});
+// ── Deploy-CLI session ──────────────────────────────────────────────
+// The CLI's `prave deploy` flow uses a short-lived session token to
+// hand off the upload from the terminal to the browser wizard. The
+// API mints the session, the CLI uploads the tarball, the browser
+// claims the session and finalizes the Run.
+export const deploySessionSchema = z.object({
+    session_id: z.string(),
+    upload_url: z.string().url(),
+    wizard_url: z.string().url(),
+    expires_at: z.string().datetime(),
+});

package/dist/types/plan-limits.d.ts

@@ -125,6 +125,26 @@ export interface PlanLimits {
     has_priority_support: boolean;
     /** Early access to in-development features. */
     has_early_access: boolean;
+    /**
+     * Max number of active Runs (deployed schedules) per user. 0 = the
+     * feature is locked behind an upgrade — the user can still browse
+     * the section but the "Schedule a run" CTA opens an upgrade modal.
+     */
+    runs_max_active: number;
+    /**
+     * Smallest schedule interval the user can pick. Strings map to the
+     * wizard's preset list:
+     *   'none'     — Runs feature disabled entirely
+     *   'daily'    — daily / weekly / monthly only
+     *   'hourly'   — adds the hourly preset (Max-tier)
+     *   'custom'   — adds the custom-cron field (Max-tier)
+     * The UI uses this to hide presets the plan doesn't allow.
+     */
+    runs_min_frequency: 'none' | 'daily' | 'hourly' | 'custom';
+    /** Hard timeout cap (seconds) per single execution. */
+    runs_max_timeout_seconds: number;
+    /** Max stdout/stderr captured per execution (bytes). */
+    runs_max_log_bytes: number;
 }
 export declare const PLAN_LIMITS: Record<Plan, PlanLimits>;
 export declare const PLAN_RANK: Record<Plan, number>;

package/dist/types/plan-limits.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"plan-limits.d.ts","sourceRoot":"","sources":["../../src/types/plan-limits.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,8BAA8B,CAAA;AAExD;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,UAAU;IACzB,+EAA+E;IAC/E,KAAK,EAAE,MAAM,CAAA;IACb,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAA;IACf,2EAA2E;IAC3E,iBAAiB,EAAE,MAAM,CAAA;IACzB,gEAAgE;IAChE,gBAAgB,EAAE,MAAM,CAAA;IACxB,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAA;IACZ,0DAA0D;IAC1D,SAAS,EAAE,OAAO,CAAA;IAGlB,+EAA+E;IAC/E,YAAY,EAAE,OAAO,CAAA;IACrB,8BAA8B;IAC9B,YAAY,EAAE,OAAO,CAAA;IACrB;;;;;;;;OAQG;IACH,mBAAmB,EAAE,OAAO,CAAA;IAG5B;;;OAGG;IACH,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAA;IACpC,mEAAmE;IACnE,mBAAmB,EAAE,aAAa,CAAC,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,KAAK,CAAC,CAAA;IAC9F,4BAA4B;IAC5B,YAAY,EAAE,OAAO,CAAA;IACrB,wDAAwD;IACxD,cAAc,EAAE,OAAO,CAAA;IACvB,yCAAyC;IACzC,sBAAsB,EAAE,OAAO,CAAA;IAG/B,0CAA0C;IAC1C,oBAAoB,EAAE,OAAO,CAAA;IAC7B,0CAA0C;IAC1C,qBAAqB,EAAE,OAAO,CAAA;IAC9B;;OAEG;IACH,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAA;IACnC,4BAA4B;IAC5B,cAAc,EAAE,OAAO,CAAA;IACvB,oDAAoD;IACpD,kBAAkB,EAAE,OAAO,CAAA;IAC3B,+CAA+C;IAC/C,iBAAiB,EAAE,OAAO,CAAA;IAG1B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAA;IAC9B,gDAAgD;IAChD,mBAAmB,EAAE,MAAM,CAAA;IAC3B;;;OAGG;IACH,uBAAuB,EAAE,MAAM,CAAA;IAC/B,6EAA6E;IAC7E,kBAAkB,EAAE,OAAO,CAAA;IAG3B,gDAAgD;IAChD,gBAAgB,EAAE,OAAO,CAAA;IACzB;;;;;OAKG;IACH,wBAAwB,EAAE,MAAM,GAAG,IAAI,CAAA;IACvC;;;;;OAKG;IACH,wBAAwB,EAAE,MAAM,GAAG,IAAI,CAAA;IACvC,uDAAuD;IACvD,aAAa,EAAE,OAAO,CAAA;IACtB,qCAAqC;IACrC,kBAAkB,EAAE,OAAO,CAAA;IAC3B;;;OAGG;IACH,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAA;IACjC,mCAAmC;IACnC,gBAAgB,EAAE,OAAO,CAAA;IAGzB,8CAA8C;IAC9C,kBAAkB,EAAE,OAAO,CAAA;IAC3B;;;OAGG;IACH,oBAAoB,EAAE,OAAO,CAAA;IAC7B,oDAAoD;IACpD,kBAAkB,EAAE,OAAO,CAAA;IAC3B,mEAAmE;IACnE,kBAAkB,EAAE,OAAO,CAAA;IAG3B,6CAA6C;IAC7C,oBAAoB,EAAE,OAAO,CAAA;IAC7B,+CAA+C;IAC/C,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAID,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,UAAU,CA8JhD,CAAA;AAED,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAI1C,CAAA;AAED,8DAA8D;AAC9D,eAAO,MAAM,SAAS,GAAI,QAAQ,IAAI,EAAE,UAAU,IAAI,KAAG,OACf,CAAA;AAE1C;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,UAAU,KAAG,IAAI,GAAG,IAU7D,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,IAAI,KAAG,MAAiC,CAAA;AAExE;;;GAGG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,IAAI,EAAE,eAAe,MAAM,KAAG,MAAM,GAAG,IAI9E,CAAA"}
+{"version":3,"file":"plan-limits.d.ts","sourceRoot":"","sources":["../../src/types/plan-limits.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,8BAA8B,CAAA;AAExD;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,UAAU;IACzB,+EAA+E;IAC/E,KAAK,EAAE,MAAM,CAAA;IACb,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAA;IACf,2EAA2E;IAC3E,iBAAiB,EAAE,MAAM,CAAA;IACzB,gEAAgE;IAChE,gBAAgB,EAAE,MAAM,CAAA;IACxB,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAA;IACZ,0DAA0D;IAC1D,SAAS,EAAE,OAAO,CAAA;IAGlB,+EAA+E;IAC/E,YAAY,EAAE,OAAO,CAAA;IACrB,8BAA8B;IAC9B,YAAY,EAAE,OAAO,CAAA;IACrB;;;;;;;;OAQG;IACH,mBAAmB,EAAE,OAAO,CAAA;IAG5B;;;OAGG;IACH,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAA;IACpC,mEAAmE;IACnE,mBAAmB,EAAE,aAAa,CAAC,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,KAAK,CAAC,CAAA;IAC9F,4BAA4B;IAC5B,YAAY,EAAE,OAAO,CAAA;IACrB,wDAAwD;IACxD,cAAc,EAAE,OAAO,CAAA;IACvB,yCAAyC;IACzC,sBAAsB,EAAE,OAAO,CAAA;IAG/B,0CAA0C;IAC1C,oBAAoB,EAAE,OAAO,CAAA;IAC7B,0CAA0C;IAC1C,qBAAqB,EAAE,OAAO,CAAA;IAC9B;;OAEG;IACH,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAA;IACnC,4BAA4B;IAC5B,cAAc,EAAE,OAAO,CAAA;IACvB,oDAAoD;IACpD,kBAAkB,EAAE,OAAO,CAAA;IAC3B,+CAA+C;IAC/C,iBAAiB,EAAE,OAAO,CAAA;IAG1B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAA;IAC9B,gDAAgD;IAChD,mBAAmB,EAAE,MAAM,CAAA;IAC3B;;;OAGG;IACH,uBAAuB,EAAE,MAAM,CAAA;IAC/B,6EAA6E;IAC7E,kBAAkB,EAAE,OAAO,CAAA;IAG3B,gDAAgD;IAChD,gBAAgB,EAAE,OAAO,CAAA;IACzB;;;;;OAKG;IACH,wBAAwB,EAAE,MAAM,GAAG,IAAI,CAAA;IACvC;;;;;OAKG;IACH,wBAAwB,EAAE,MAAM,GAAG,IAAI,CAAA;IACvC,uDAAuD;IACvD,aAAa,EAAE,OAAO,CAAA;IACtB,qCAAqC;IACrC,kBAAkB,EAAE,OAAO,CAAA;IAC3B;;;OAGG;IACH,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAA;IACjC,mCAAmC;IACnC,gBAAgB,EAAE,OAAO,CAAA;IAGzB,8CAA8C;IAC9C,kBAAkB,EAAE,OAAO,CAAA;IAC3B;;;OAGG;IACH,oBAAoB,EAAE,OAAO,CAAA;IAC7B,oDAAoD;IACpD,kBAAkB,EAAE,OAAO,CAAA;IAC3B,mEAAmE;IACnE,kBAAkB,EAAE,OAAO,CAAA;IAG3B,6CAA6C;IAC7C,oBAAoB,EAAE,OAAO,CAAA;IAC7B,+CAA+C;IAC/C,gBAAgB,EAAE,OAAO,CAAA;IAGzB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAA;IACvB;;;;;;;;OAQG;IACH,kBAAkB,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAA;IAC1D,uDAAuD;IACvD,wBAAwB,EAAE,MAAM,CAAA;IAChC,wDAAwD;IACxD,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAID,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,UAAU,CAoLhD,CAAA;AAED,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAI1C,CAAA;AAED,8DAA8D;AAC9D,eAAO,MAAM,SAAS,GAAI,QAAQ,IAAI,EAAE,UAAU,IAAI,KAAG,OACf,CAAA;AAE1C;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAAI,SAAS,MAAM,UAAU,KAAG,IAAI,GAAG,IAU7D,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,IAAI,KAAG,MAAiC,CAAA;AAExE;;;GAGG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,IAAI,EAAE,eAAe,MAAM,KAAG,MAAM,GAAG,IAI9E,CAAA"}

package/dist/types/plan-limits.js

@@ -20,15 +20,22 @@ export const PLAN_LIMITS = {
         can_cli_sync: false,
         can_cli_update: false,
         can_cross_machine_sync: false,
+        // Free can author *one* private skill — enough to try the editor,
+        // not enough to fill the catalogue. Public publishing + versioning
+        // stay locked behind Pro because that's where Skill Intelligence
+        // (token audit + conflict detection) starts paying for itself.
         can_authoring_public: false,
-        can_authoring_private: false,
-        authoring_max_skills: 0,
+        can_authoring_private: true,
+        authoring_max_skills: 1,
         can_versioning: false,
         can_ai_description: false,
         can_pull_requests: false,
-        tester_credits_monthly: 0,
+        // Free gets a single Tester run / month — one taste of the agent
+        // sandbox so the upgrade prompt isn't an abstract "you've never
+        // seen this" wall. 1 run = 5 credits = ~$0.02 LLM cost to us.
+        tester_credits_monthly: 5,
         tester_cost_per_run: 5,
-        tester_cooldown_seconds: 0,
+        tester_cooldown_seconds: 600,
         can_byo_tester_key: false,
         can_intelligence: false,
         intelligence_indexed_max: 0,
@@ -43,6 +50,10 @@ export const PLAN_LIMITS = {
         has_priority_badge: false,
         has_priority_support: false,
         has_early_access: false,
+        runs_max_active: 0,
+        runs_min_frequency: 'none',
+        runs_max_timeout_seconds: 0,
+        runs_max_log_bytes: 0,
     },
     // ── Pro (internally `explorer`) ───────────────────────────────────
     explorer: {
@@ -89,6 +100,10 @@ export const PLAN_LIMITS = {
         has_priority_badge: false,
         has_priority_support: false,
         has_early_access: false,
+        runs_max_active: 3,
+        runs_min_frequency: 'daily',
+        runs_max_timeout_seconds: 60,
+        runs_max_log_bytes: 65_536,
     },
     // ── Max (internally `creator`) ────────────────────────────────────
     creator: {
@@ -133,6 +148,10 @@ export const PLAN_LIMITS = {
         has_priority_badge: true,
         has_priority_support: true,
         has_early_access: true,
+        runs_max_active: 25,
+        runs_min_frequency: 'custom',
+        runs_max_timeout_seconds: 300,
+        runs_max_log_bytes: 262_144,
     },
 };
 export const PLAN_RANK = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/shared",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "type": "module",
   "publishConfig": {
     "access": "public"