@tankpkg/cli 0.15.7 → 0.15.8

package/dist/bin/tank.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-B6uLj2h_.js";
+import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-BCwL85ni.js";
 import { t as logger } from "../logger-BhULz3Uz.js";
 import { createRequire } from "node:module";
 import { Command } from "commander";
@@ -231,6 +231,54 @@ z.enum([
 	"org.member.remove",
 	"org.delete"
 ]);
+const commandSchema$1 = z.string().min(1, "command must not be empty");
+const argSchema$1 = z.array(z.string()).default([]);
+const envSchema$1 = z.record(z.string(), z.string()).optional();
+const remoteUrlSchema$1 = z.string().url("remote must be a valid URL");
+const localMcpServerSchema = z.object({
+	command: commandSchema$1,
+	args: argSchema$1,
+	env: envSchema$1,
+	requires_auth: z.literal(false).optional()
+}).strict();
+const remoteMcpServerSchema = z.object({
+	remote: remoteUrlSchema$1,
+	requires_auth: z.boolean().default(false),
+	env: envSchema$1
+}).strict();
+const mcpServerSchema$1 = z.union([localMcpServerSchema, remoteMcpServerSchema]);
+function isRemoteMcpServer(server) {
+	return "remote" in server;
+}
+const baseManifestFields$1 = {
+	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
+	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
+	skills: z.record(z.string(), z.string()).optional(),
+	permissions: permissionsSchema$1.optional(),
+	repository: z.string().url("Repository must be a valid URL").optional(),
+	visibility: z.enum(["public", "private"]).optional(),
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema$1.optional()
+};
+/** Legacy skills.json schema — strict, no atoms. Used for backward-compatible consumers. */
+const skillsJsonSchema = z.object(baseManifestFields$1).strict();
+const publishConfigSchema$1 = z.object({
+	build: z.string().min(1, "publish.build must be a non-empty shell command").optional(),
+	files: z.array(z.string().min(1)).optional()
+}).strict();
+/**
+* Publish manifest schema — accepts both legacy skills.json AND atom-enriched tank.json.
+* The `atoms` and `includes` fields are passed through as opaque JSON arrays,
+* validated only at surface level. Full atom IR validation happens at build time.
+* The `publish` block is a CLI-only lifecycle config (build hook + files allow-list).
+*/
+const publishManifestSchema = z.object({
+	...baseManifestFields$1,
+	atoms: z.array(z.record(z.string(), z.unknown())).optional(),
+	includes: z.array(z.string()).optional(),
+	publish: publishConfigSchema$1.optional()
+}).strict();
 const promptIRSchema$1 = z.object({
 	kind: z.literal("prompt"),
 	name: z.string().min(1, "Prompt name must not be empty"),
@@ -269,8 +317,9 @@ const mcpServerConfigSchema$1 = z.object({
 	args: z.array(z.string()).optional(),
 	env: z.record(z.string(), z.string()).optional(),
 	runtime: z.string().min(1).optional(),
-	entry: z.string().min(1).optional()
-}).strict().refine((data) => data.command || data.runtime && data.entry, "MCP config must have either \"command\" or both \"runtime\" and \"entry\"");
+	entry: z.string().min(1).optional(),
+	package: z.string().min(1).optional()
+}).strict().refine((data) => Boolean(data.command) || Boolean(data.runtime && (data.entry || data.package)), "MCP config must have either \"command\" or \"runtime\" plus one of \"entry\"/\"package\"");
 const toolIRSchema$1 = z.object({
 	kind: z.literal("tool"),
 	name: z.string().min(1, "Tool name must not be empty"),
@@ -299,27 +348,9 @@ const packageIRSchema = z.object({
 	permissions: permissionsSchema$1.optional(),
 	repository: z.string().url("Repository must be a valid URL").optional(),
 	visibility: z.enum(["public", "private"]).optional(),
-	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional()
-}).strict();
-const commandSchema$1 = z.string().min(1, "command must not be empty");
-const argSchema$1 = z.array(z.string()).default([]);
-const envSchema$1 = z.record(z.string(), z.string()).optional();
-const remoteUrlSchema$1 = z.string().url("remote must be a valid URL");
-const localMcpServerSchema = z.object({
-	command: commandSchema$1,
-	args: argSchema$1,
-	env: envSchema$1,
-	requires_auth: z.literal(false).optional()
-}).strict();
-const remoteMcpServerSchema = z.object({
-	remote: remoteUrlSchema$1,
-	requires_auth: z.boolean().default(false),
-	env: envSchema$1
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
+	publish: publishConfigSchema$1.optional()
 }).strict();
-const mcpServerSchema$1 = z.union([localMcpServerSchema, remoteMcpServerSchema]);
-function isRemoteMcpServer(server) {
-	return "remote" in server;
-}
 const perToolOverrideSchema$1 = z.object({
 	scan: z.boolean().optional(),
 	blockOnMatch: z.boolean().optional()
@@ -330,29 +361,6 @@ z.object({
 	resetPinsOnMismatch: z.boolean().optional(),
 	perTool: z.record(z.string(), perToolOverrideSchema$1).optional()
 }).strict();
-const baseManifestFields$1 = {
-	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
-	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
-	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
-	skills: z.record(z.string(), z.string()).optional(),
-	permissions: permissionsSchema$1.optional(),
-	repository: z.string().url("Repository must be a valid URL").optional(),
-	visibility: z.enum(["public", "private"]).optional(),
-	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
-	mcp_server: mcpServerSchema$1.optional()
-};
-/** Legacy skills.json schema — strict, no atoms. Used for backward-compatible consumers. */
-const skillsJsonSchema = z.object(baseManifestFields$1).strict();
-/**
-* Publish manifest schema — accepts both legacy skills.json AND atom-enriched tank.json.
-* The `atoms` and `includes` fields are passed through as opaque JSON arrays,
-* validated only at surface level. Full atom IR validation happens at build time.
-*/
-const publishManifestSchema = z.object({
-	...baseManifestFields$1,
-	atoms: z.array(z.record(z.string(), z.unknown())).optional(),
-	includes: z.array(z.string()).optional()
-}).strict();
 const SKILL_SOURCES$1 = [
 	"registry",
 	"github",
@@ -633,6 +641,89 @@ async function auditCommand(options) {
 }
 //#endregion
 //#region ../adapters/dist/index.mjs
+function resolveMcpCommand(atom, adapterName) {
+	if (atom.mcp) return resolveFromMcpBlock(atom.mcp);
+	const fromExtensions = resolveFromExtensions(atom.extensions, adapterName);
+	if (fromExtensions) return fromExtensions;
+	return null;
+}
+function resolveFromMcpBlock(mcp) {
+	const env = mcp.env;
+	if (mcp.command) return {
+		command: mcp.command,
+		args: mcp.args ?? [],
+		...env ? { env } : {}
+	};
+	if (!mcp.runtime) return null;
+	const args = mcp.args ?? [];
+	switch (mcp.runtime) {
+		case "uvx":
+			if (!mcp.package) return null;
+			return {
+				command: "uvx",
+				args: [mcp.package, ...args],
+				...env ? { env } : {}
+			};
+		case "npx":
+			if (!mcp.package) return null;
+			return {
+				command: "npx",
+				args: [
+					"-y",
+					mcp.package,
+					...args
+				],
+				...env ? { env } : {}
+			};
+		case "bunx":
+			if (!mcp.package) return null;
+			return {
+				command: "bunx",
+				args: [mcp.package, ...args],
+				...env ? { env } : {}
+			};
+		case "pipx":
+			if (!mcp.package) return null;
+			return {
+				command: "pipx",
+				args: [
+					"run",
+					mcp.package,
+					...args
+				],
+				...env ? { env } : {}
+			};
+		case "node":
+			if (!mcp.entry) return null;
+			return {
+				command: "node",
+				args: [mcp.entry, ...args],
+				...env ? { env } : {}
+			};
+		case "python":
+			if (!mcp.entry) return null;
+			return {
+				command: "python",
+				args: [mcp.entry, ...args],
+				...env ? { env } : {}
+			};
+		default: return null;
+	}
+}
+function resolveFromExtensions(extensions, adapterName) {
+	if (!extensions) return null;
+	const bag = extensions[adapterName];
+	if (!bag || typeof bag !== "object") return null;
+	const candidate = bag;
+	if (typeof candidate.command !== "string" || candidate.command.length === 0) return null;
+	const args = Array.isArray(candidate.args) ? candidate.args.filter((a) => typeof a === "string") : [];
+	const env = candidate.env && typeof candidate.env === "object" && !Array.isArray(candidate.env) ? Object.fromEntries(Object.entries(candidate.env).filter(([, v]) => typeof v === "string")) : void 0;
+	return {
+		command: candidate.command,
+		args,
+		...env ? { env } : {}
+	};
+}
 function emitInstruction$5(atom) {
 	const globs = atom.globs?.length ? atom.globs : void 0;
 	if (globs) {
@@ -733,7 +824,8 @@ function emitAgent$5(atom) {
 	};
 }
 function emitTool$5(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "claude-code");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -742,9 +834,9 @@ function emitTool$5(atom) {
 		}]
 	};
 	const mcpConfig = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -944,7 +1036,8 @@ function emitAgent$4(atom) {
 	};
 }
 function emitTool$4(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "cline");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -953,10 +1046,10 @@ function emitTool$4(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
+		command: resolved.command,
+		args: resolved.args,
 		disabled: false,
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1126,7 +1219,8 @@ function emitAgent$3(atom) {
 	};
 }
 function emitTool$3(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "cursor");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1135,9 +1229,9 @@ function emitTool$3(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1324,7 +1418,8 @@ function emitAgent$2(atom) {
 	};
 }
 function emitTool$2(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "opencode");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1334,8 +1429,8 @@ function emitTool$2(atom) {
 	};
 	const config = { [atom.name]: {
 		type: "local",
-		command: [atom.mcp.command, ...atom.mcp.args ?? []],
-		...atom.mcp.env ? { environment: atom.mcp.env } : {}
+		command: [resolved.command, ...resolved.args],
+		...resolved.env ? { environment: resolved.env } : {}
 	} };
 	return {
 		files: [{
@@ -1598,7 +1693,8 @@ function emitAgent$1(atom) {
 	};
 }
 function emitTool$1(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "roo-code");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1607,10 +1703,10 @@ function emitTool$1(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
+		command: resolved.command,
+		args: resolved.args,
 		disabled: false,
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1768,7 +1864,8 @@ function emitAgent(atom) {
 	};
 }
 function emitTool(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "windsurf");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1777,9 +1874,9 @@ function emitTool(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -7065,6 +7162,42 @@ _enum([
 	"org.member.remove",
 	"org.delete"
 ]);
+const commandSchema = string().min(1, "command must not be empty");
+const argSchema = array(string()).default([]);
+const envSchema = record(string(), string()).optional();
+const remoteUrlSchema = string().url("remote must be a valid URL");
+const mcpServerSchema = union([object({
+	command: commandSchema,
+	args: argSchema,
+	env: envSchema,
+	requires_auth: literal(false).optional()
+}).strict(), object({
+	remote: remoteUrlSchema,
+	requires_auth: boolean().default(false),
+	env: envSchema
+}).strict()]);
+const baseManifestFields = {
+	name: string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	version: string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
+	description: string().max(500, `Description must be 500 characters or fewer`).optional(),
+	skills: record(string(), string()).optional(),
+	permissions: permissionsSchema.optional(),
+	repository: string().url("Repository must be a valid URL").optional(),
+	visibility: _enum(["public", "private"]).optional(),
+	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema.optional()
+};
+object(baseManifestFields).strict();
+const publishConfigSchema = object({
+	build: string().min(1, "publish.build must be a non-empty shell command").optional(),
+	files: array(string().min(1)).optional()
+}).strict();
+object({
+	...baseManifestFields,
+	atoms: array(record(string(), unknown())).optional(),
+	includes: array(string()).optional(),
+	publish: publishConfigSchema.optional()
+}).strict();
 const promptIRSchema = object({
 	kind: literal("prompt"),
 	name: string().min(1, "Prompt name must not be empty"),
@@ -7103,8 +7236,9 @@ const mcpServerConfigSchema = object({
 	args: array(string()).optional(),
 	env: record(string(), string()).optional(),
 	runtime: string().min(1).optional(),
-	entry: string().min(1).optional()
-}).strict().refine((data) => data.command || data.runtime && data.entry, "MCP config must have either \"command\" or both \"runtime\" and \"entry\"");
+	entry: string().min(1).optional(),
+	package: string().min(1).optional()
+}).strict().refine((data) => Boolean(data.command) || Boolean(data.runtime && (data.entry || data.package)), "MCP config must have either \"command\" or \"runtime\" plus one of \"entry\"/\"package\"");
 const toolIRSchema = object({
 	kind: literal("tool"),
 	name: string().min(1, "Tool name must not be empty"),
@@ -7133,22 +7267,9 @@ object({
 	permissions: permissionsSchema.optional(),
 	repository: string().url("Repository must be a valid URL").optional(),
 	visibility: _enum(["public", "private"]).optional(),
-	audit: object({ min_score: number().min(0).max(10) }).strict().optional()
+	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
+	publish: publishConfigSchema.optional()
 }).strict();
-const commandSchema = string().min(1, "command must not be empty");
-const argSchema = array(string()).default([]);
-const envSchema = record(string(), string()).optional();
-const remoteUrlSchema = string().url("remote must be a valid URL");
-const mcpServerSchema = union([object({
-	command: commandSchema,
-	args: argSchema,
-	env: envSchema,
-	requires_auth: literal(false).optional()
-}).strict(), object({
-	remote: remoteUrlSchema,
-	requires_auth: boolean().default(false),
-	env: envSchema
-}).strict()]);
 const perToolOverrideSchema = object({
 	scan: boolean().optional(),
 	blockOnMatch: boolean().optional()
@@ -7159,23 +7280,6 @@ object({
 	resetPinsOnMismatch: boolean().optional(),
 	perTool: record(string(), perToolOverrideSchema).optional()
 }).strict();
-const baseManifestFields = {
-	name: string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
-	version: string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
-	description: string().max(500, `Description must be 500 characters or fewer`).optional(),
-	skills: record(string(), string()).optional(),
-	permissions: permissionsSchema.optional(),
-	repository: string().url("Repository must be a valid URL").optional(),
-	visibility: _enum(["public", "private"]).optional(),
-	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
-	mcp_server: mcpServerSchema.optional()
-};
-object(baseManifestFields).strict();
-object({
-	...baseManifestFields,
-	atoms: array(record(string(), unknown())).optional(),
-	includes: array(string()).optional()
-}).strict();
 const SKILL_SOURCES = [
 	"registry",
 	"github",
@@ -10607,6 +10711,31 @@ async function proxyCommand(options) {
 	process.exit(code);
 }
 //#endregion
+//#region src/lib/build-hook.ts
+function runBuildHook(directory, command) {
+	return new Promise((resolve, reject) => {
+		const child = spawn(command, {
+			cwd: directory,
+			shell: true,
+			stdio: "inherit"
+		});
+		child.on("error", (err) => {
+			reject(/* @__PURE__ */ new Error(`Build hook failed to start: ${err.message}`));
+		});
+		child.on("close", (code, signal) => {
+			if (code === 0) {
+				resolve();
+				return;
+			}
+			if (signal) {
+				reject(/* @__PURE__ */ new Error(`Build hook terminated by signal ${signal}`));
+				return;
+			}
+			reject(/* @__PURE__ */ new Error(`Build hook exited with code ${code ?? "unknown"}`));
+		});
+	});
+}
+//#endregion
 //#region src/lib/packer.ts
 const MAX_PACKAGE_SIZE = 50 * 1024 * 1024;
 const MAX_FILE_COUNT = 1e3;
@@ -10620,18 +10749,7 @@ const DEFAULT_IGNORES = [
 ];
 const ALWAYS_IGNORED = ["node_modules", ".git"];
 const IGNORE_FILES = [".tankignore", ".gitignore"];
-/**
-* Pack a skill directory into a .tgz tarball with integrity hashing.
-*
-* Validates:
-* - tank.json (or skills.json) exists and is valid
-* - No symlinks or hardlinks
-* - No path traversal (.. components)
-* - No absolute paths
-* - File count <= 1000
-* - Tarball size <= 50MB
-*/
-async function pack(directory) {
+async function pack(directory, options = {}) {
 	const absDir = path.resolve(directory);
 	if (!fs.existsSync(absDir)) throw new Error(`Directory does not exist: ${absDir}`);
 	if (!fs.statSync(absDir).isDirectory()) throw new Error(`Not a directory: ${absDir}`);
@@ -10672,7 +10790,7 @@ async function pack(directory) {
 	} catch {
 		readmeContent = "";
 	}
-	const files = collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
+	const files = options.files && options.files.length > 0 ? collectFromAllowList(absDir, options.files, manifestFilename) : collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
 	if (files.length > MAX_FILE_COUNT) throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
 	let totalSize = 0;
 	for (const file of files) {
@@ -10741,9 +10859,15 @@ async function packForScan(directory) {
 		files
 	};
 }
-/**
-* Build an ignore filter from .tankignore, .gitignore, or defaults.
-*/
+function collectFromAllowList(baseDir, globs, manifestFilename) {
+	const securityFilter = ignore().add(ALWAYS_IGNORED);
+	const allowMatcher = ignore().add(globs);
+	const all = collectFiles(baseDir, baseDir, securityFilter);
+	const always = new Set([manifestFilename]);
+	if (fs.existsSync(path.join(baseDir, "SKILL.md"))) always.add("SKILL.md");
+	if (fs.existsSync(path.join(baseDir, "README.md"))) always.add("README.md");
+	return all.filter((rel) => always.has(rel) || allowMatcher.ignores(rel));
+}
 function buildIgnoreFilter(dir) {
 	const ig = ignore();
 	ig.add(ALWAYS_IGNORED);
@@ -10848,14 +10972,21 @@ async function publishCommand(options = {}) {
 	if (effectiveVisibility) manifest.visibility = effectiveVisibility;
 	const name = manifest.name;
 	const version = manifest.version;
+	const publishConfig = manifest.publish ?? void 0;
+	if (publishConfig?.build) {
+		logger.info(`Running build: ${publishConfig.build}`);
+		await runBuildHook(directory, publishConfig.build);
+	}
 	const spinner = ora("Packing...").start();
 	let packResult;
 	try {
-		packResult = await pack(directory);
+		packResult = await pack(directory, publishConfig?.files ? { files: publishConfig.files } : {});
 	} catch (err) {
 		spinner.fail("Packing failed");
 		throw err;
 	}
+	const outboundManifest = { ...manifest };
+	delete outboundManifest.publish;
 	const { tarball, integrity, fileCount, totalSize, readme, files } = packResult;
 	if (dryRun) {
 		spinner.stop();
@@ -10891,7 +11022,7 @@ async function publishCommand(options = {}) {
 		method: "POST",
 		headers,
 		body: JSON.stringify({
-			manifest,
+			manifest: outboundManifest,
 			readme,
 			files
 		})