npm - @tankpkg/cli - Versions diffs - 0.15.7 → 0.16.0 - Mend

@tankpkg/cli 0.15.7 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/bin/tank.js +565 -144
package/dist/bin/tank.js.map +1 -1
package/dist/{debug-logger-B6uLj2h_.js → debug-logger-C7P_qoCR.js} +2 -2
package/dist/debug-logger-C7P_qoCR.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/package.json +11 -1
package/package.json +14 -2
package/dist/debug-logger-B6uLj2h_.js.map +0 -1

package/dist/bin/tank.js CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-B6uLj2h_.js";
+import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-C7P_qoCR.js";
 import { t as logger } from "../logger-BhULz3Uz.js";
 import { createRequire } from "node:module";
 import { Command } from "commander";
@@ -10,12 +10,12 @@ import path, { join } from "node:path";
 import { z } from "zod";
 import semver from "semver";
 import ora from "ora";
+import crypto$1, { randomUUID } from "node:crypto";
+import { createInterface } from "node:readline";
 import { confirm, input } from "@inquirer/prompts";
 import { execSync, spawn } from "node:child_process";
-import crypto$1 from "node:crypto";
-import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { create, extract } from "tar";
-import { createInterface } from "node:readline";
+import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import open from "open";
@@ -231,6 +231,54 @@ z.enum([
 	"org.member.remove",
 	"org.delete"
 ]);
+const commandSchema$1 = z.string().min(1, "command must not be empty");
+const argSchema$1 = z.array(z.string()).default([]);
+const envSchema$1 = z.record(z.string(), z.string()).optional();
+const remoteUrlSchema$1 = z.string().url("remote must be a valid URL");
+const localMcpServerSchema = z.object({
+	command: commandSchema$1,
+	args: argSchema$1,
+	env: envSchema$1,
+	requires_auth: z.literal(false).optional()
+}).strict();
+const remoteMcpServerSchema = z.object({
+	remote: remoteUrlSchema$1,
+	requires_auth: z.boolean().default(false),
+	env: envSchema$1
+}).strict();
+const mcpServerSchema$1 = z.union([localMcpServerSchema, remoteMcpServerSchema]);
+function isRemoteMcpServer(server) {
+	return "remote" in server;
+}
+const baseManifestFields$1 = {
+	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
+	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
+	skills: z.record(z.string(), z.string()).optional(),
+	permissions: permissionsSchema$1.optional(),
+	repository: z.string().url("Repository must be a valid URL").optional(),
+	visibility: z.enum(["public", "private"]).optional(),
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema$1.optional()
+};
+/** Legacy skills.json schema — strict, no atoms. Used for backward-compatible consumers. */
+const skillsJsonSchema = z.object(baseManifestFields$1).strict();
+const publishConfigSchema$1 = z.object({
+	build: z.string().min(1, "publish.build must be a non-empty shell command").optional(),
+	files: z.array(z.string().min(1)).optional()
+}).strict();
+/**
+* Publish manifest schema — accepts both legacy skills.json AND atom-enriched tank.json.
+* The `atoms` and `includes` fields are passed through as opaque JSON arrays,
+* validated only at surface level. Full atom IR validation happens at build time.
+* The `publish` block is a CLI-only lifecycle config (build hook + files allow-list).
+*/
+const publishManifestSchema = z.object({
+	...baseManifestFields$1,
+	atoms: z.array(z.record(z.string(), z.unknown())).optional(),
+	includes: z.array(z.string()).optional(),
+	publish: publishConfigSchema$1.optional()
+}).strict();
 const promptIRSchema$1 = z.object({
 	kind: z.literal("prompt"),
 	name: z.string().min(1, "Prompt name must not be empty"),
@@ -269,8 +317,9 @@ const mcpServerConfigSchema$1 = z.object({
 	args: z.array(z.string()).optional(),
 	env: z.record(z.string(), z.string()).optional(),
 	runtime: z.string().min(1).optional(),
-	entry: z.string().min(1).optional()
-}).strict().refine((data) => data.command || data.runtime && data.entry, "MCP config must have either \"command\" or both \"runtime\" and \"entry\"");
+	entry: z.string().min(1).optional(),
+	package: z.string().min(1).optional()
+}).strict().refine((data) => Boolean(data.command) || Boolean(data.runtime && (data.entry || data.package)), "MCP config must have either \"command\" or \"runtime\" plus one of \"entry\"/\"package\"");
 const toolIRSchema$1 = z.object({
 	kind: z.literal("tool"),
 	name: z.string().min(1, "Tool name must not be empty"),
@@ -299,27 +348,9 @@ const packageIRSchema = z.object({
 	permissions: permissionsSchema$1.optional(),
 	repository: z.string().url("Repository must be a valid URL").optional(),
 	visibility: z.enum(["public", "private"]).optional(),
-	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional()
-}).strict();
-const commandSchema$1 = z.string().min(1, "command must not be empty");
-const argSchema$1 = z.array(z.string()).default([]);
-const envSchema$1 = z.record(z.string(), z.string()).optional();
-const remoteUrlSchema$1 = z.string().url("remote must be a valid URL");
-const localMcpServerSchema = z.object({
-	command: commandSchema$1,
-	args: argSchema$1,
-	env: envSchema$1,
-	requires_auth: z.literal(false).optional()
-}).strict();
-const remoteMcpServerSchema = z.object({
-	remote: remoteUrlSchema$1,
-	requires_auth: z.boolean().default(false),
-	env: envSchema$1
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
+	publish: publishConfigSchema$1.optional()
 }).strict();
-const mcpServerSchema$1 = z.union([localMcpServerSchema, remoteMcpServerSchema]);
-function isRemoteMcpServer(server) {
-	return "remote" in server;
-}
 const perToolOverrideSchema$1 = z.object({
 	scan: z.boolean().optional(),
 	blockOnMatch: z.boolean().optional()
@@ -330,29 +361,6 @@ z.object({
 	resetPinsOnMismatch: z.boolean().optional(),
 	perTool: z.record(z.string(), perToolOverrideSchema$1).optional()
 }).strict();
-const baseManifestFields$1 = {
-	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
-	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
-	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
-	skills: z.record(z.string(), z.string()).optional(),
-	permissions: permissionsSchema$1.optional(),
-	repository: z.string().url("Repository must be a valid URL").optional(),
-	visibility: z.enum(["public", "private"]).optional(),
-	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
-	mcp_server: mcpServerSchema$1.optional()
-};
-/** Legacy skills.json schema — strict, no atoms. Used for backward-compatible consumers. */
-const skillsJsonSchema = z.object(baseManifestFields$1).strict();
-/**
-* Publish manifest schema — accepts both legacy skills.json AND atom-enriched tank.json.
-* The `atoms` and `includes` fields are passed through as opaque JSON arrays,
-* validated only at surface level. Full atom IR validation happens at build time.
-*/
-const publishManifestSchema = z.object({
-	...baseManifestFields$1,
-	atoms: z.array(z.record(z.string(), z.unknown())).optional(),
-	includes: z.array(z.string()).optional()
-}).strict();
 const SKILL_SOURCES$1 = [
 	"registry",
 	"github",
@@ -633,6 +641,89 @@ async function auditCommand(options) {
 }
 //#endregion
 //#region ../adapters/dist/index.mjs
+function resolveMcpCommand(atom, adapterName) {
+	if (atom.mcp) return resolveFromMcpBlock(atom.mcp);
+	const fromExtensions = resolveFromExtensions(atom.extensions, adapterName);
+	if (fromExtensions) return fromExtensions;
+	return null;
+}
+function resolveFromMcpBlock(mcp) {
+	const env = mcp.env;
+	if (mcp.command) return {
+		command: mcp.command,
+		args: mcp.args ?? [],
+		...env ? { env } : {}
+	};
+	if (!mcp.runtime) return null;
+	const args = mcp.args ?? [];
+	switch (mcp.runtime) {
+		case "uvx":
+			if (!mcp.package) return null;
+			return {
+				command: "uvx",
+				args: [mcp.package, ...args],
+				...env ? { env } : {}
+			};
+		case "npx":
+			if (!mcp.package) return null;
+			return {
+				command: "npx",
+				args: [
+					"-y",
+					mcp.package,
+					...args
+				],
+				...env ? { env } : {}
+			};
+		case "bunx":
+			if (!mcp.package) return null;
+			return {
+				command: "bunx",
+				args: [mcp.package, ...args],
+				...env ? { env } : {}
+			};
+		case "pipx":
+			if (!mcp.package) return null;
+			return {
+				command: "pipx",
+				args: [
+					"run",
+					mcp.package,
+					...args
+				],
+				...env ? { env } : {}
+			};
+		case "node":
+			if (!mcp.entry) return null;
+			return {
+				command: "node",
+				args: [mcp.entry, ...args],
+				...env ? { env } : {}
+			};
+		case "python":
+			if (!mcp.entry) return null;
+			return {
+				command: "python",
+				args: [mcp.entry, ...args],
+				...env ? { env } : {}
+			};
+		default: return null;
+	}
+}
+function resolveFromExtensions(extensions, adapterName) {
+	if (!extensions) return null;
+	const bag = extensions[adapterName];
+	if (!bag || typeof bag !== "object") return null;
+	const candidate = bag;
+	if (typeof candidate.command !== "string" || candidate.command.length === 0) return null;
+	const args = Array.isArray(candidate.args) ? candidate.args.filter((a) => typeof a === "string") : [];
+	const env = candidate.env && typeof candidate.env === "object" && !Array.isArray(candidate.env) ? Object.fromEntries(Object.entries(candidate.env).filter(([, v]) => typeof v === "string")) : void 0;
+	return {
+		command: candidate.command,
+		args,
+		...env ? { env } : {}
+	};
+}
 function emitInstruction$5(atom) {
 	const globs = atom.globs?.length ? atom.globs : void 0;
 	if (globs) {
@@ -733,7 +824,8 @@ function emitAgent$5(atom) {
 	};
 }
 function emitTool$5(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "claude-code");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -742,9 +834,9 @@ function emitTool$5(atom) {
 		}]
 	};
 	const mcpConfig = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -944,7 +1036,8 @@ function emitAgent$4(atom) {
 	};
 }
 function emitTool$4(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "cline");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -953,10 +1046,10 @@ function emitTool$4(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
+		command: resolved.command,
+		args: resolved.args,
 		disabled: false,
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1126,7 +1219,8 @@ function emitAgent$3(atom) {
 	};
 }
 function emitTool$3(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "cursor");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1135,9 +1229,9 @@ function emitTool$3(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1324,7 +1418,8 @@ function emitAgent$2(atom) {
 	};
 }
 function emitTool$2(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "opencode");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1334,8 +1429,8 @@ function emitTool$2(atom) {
 	};
 	const config = { [atom.name]: {
 		type: "local",
-		command: [atom.mcp.command, ...atom.mcp.args ?? []],
-		...atom.mcp.env ? { environment: atom.mcp.env } : {}
+		command: [resolved.command, ...resolved.args],
+		...resolved.env ? { environment: resolved.env } : {}
 	} };
 	return {
 		files: [{
@@ -1598,7 +1693,8 @@ function emitAgent$1(atom) {
 	};
 }
 function emitTool$1(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "roo-code");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1607,10 +1703,10 @@ function emitTool$1(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
+		command: resolved.command,
+		args: resolved.args,
 		disabled: false,
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -1768,7 +1864,8 @@ function emitAgent(atom) {
 	};
 }
 function emitTool(atom) {
-	if (!atom.mcp) return {
+	const resolved = resolveMcpCommand(atom, "windsurf");
+	if (!resolved) return {
 		files: [],
 		warnings: [{
 			level: "skipped",
@@ -1777,9 +1874,9 @@ function emitTool(atom) {
 		}]
 	};
 	const config = { mcpServers: { [atom.name]: {
-		command: atom.mcp.command,
-		args: atom.mcp.args ?? [],
-		...atom.mcp.env ? { env: atom.mcp.env } : {}
+		command: resolved.command,
+		args: resolved.args,
+		...resolved.env ? { env: resolved.env } : {}
 	} } };
 	return {
 		files: [{
@@ -2411,6 +2508,122 @@ function getSkillLinkStatus(options) {
 	return agents.map((agent) => getStatusForAgent(agent, options.skillName));
 }
 //#endregion
+//#region src/lib/telemetry.ts
+const POSTHOG_PROJECT_KEY = process.env.TANK_POSTHOG_KEY ?? "phc_j9KjoTTYWsM4k40f2h61x8TRe8cx4ZhIMIKIVri0G7Z";
+const POSTHOG_DEFAULT_HOST = "https://eu.i.posthog.com";
+function getHost() {
+	return process.env.TANK_TELEMETRY_HOST ?? POSTHOG_DEFAULT_HOST;
+}
+function isSelfhosted() {
+	return process.env.TANK_MODE === "selfhosted";
+}
+function getTelemetryStatus(configDir) {
+	if (isSelfhosted()) return {
+		enabled: false,
+		reason: "onprem"
+	};
+	if (!POSTHOG_PROJECT_KEY) return {
+		enabled: false,
+		reason: "no-key"
+	};
+	const env = process.env.TANK_TELEMETRY?.trim();
+	if (env === "0" || env === "false" || env === "off") return {
+		enabled: false,
+		reason: "env-off"
+	};
+	if (env === "1" || env === "true" || env === "on") return {
+		enabled: true,
+		reason: "env-on"
+	};
+	if (getConfig(configDir).telemetry === true) return {
+		enabled: true,
+		reason: "config"
+	};
+	return {
+		enabled: false,
+		reason: "default-off"
+	};
+}
+function getOrCreateDistinctId(configDir) {
+	const cfg = getConfig(configDir);
+	if (cfg.telemetryDistinctId) return cfg.telemetryDistinctId;
+	const id = randomUUID();
+	setConfig({ telemetryDistinctId: id }, configDir);
+	return id;
+}
+function setTelemetry(enabled, configDir) {
+	setConfig({ telemetry: enabled }, configDir);
+}
+function captureEvent(evt, configDir) {
+	if (!getTelemetryStatus(configDir).enabled) return;
+	const distinctId = getOrCreateDistinctId(configDir);
+	const payload = {
+		api_key: POSTHOG_PROJECT_KEY,
+		event: evt.event,
+		distinct_id: distinctId,
+		properties: {
+			...evt.properties,
+			cli_version: VERSION,
+			platform: process.platform,
+			node_version: process.versions.node,
+			$lib: "tank-cli"
+		},
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const url = `${getHost()}/i/v0/e/`;
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), 2e3);
+	fetch(url, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: controller.signal
+	}).catch(() => {}).finally(() => clearTimeout(timer));
+}
+function describeTelemetryState(configDir) {
+	const status = getTelemetryStatus(configDir);
+	if (status.reason === "onprem") return "Telemetry: disabled (on-prem mode)";
+	if (status.reason === "no-key") return "Telemetry: disabled (no key compiled in this build)";
+	if (status.reason === "env-off") return "Telemetry: disabled (overridden by TANK_TELEMETRY env var)";
+	if (status.reason === "env-on") return "Telemetry: enabled (overridden by TANK_TELEMETRY env var)";
+	if (status.reason === "config") return "Telemetry: enabled";
+	return "Telemetry: disabled. Run `tank telemetry on` to opt in.";
+}
+/**
+* Prompt the user once for telemetry consent on first interactive use.
+* Skipped if: a decision is already recorded, no TTY (CI), on-prem, no key compiled.
+* The decision (true or false) is persisted to config so we never prompt again.
+*/
+async function maybePromptForTelemetryConsent(configDir) {
+	if (isSelfhosted()) return;
+	if (!POSTHOG_PROJECT_KEY) return;
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return;
+	if (process.env.CI || process.env.TANK_TELEMETRY) return;
+	if (typeof getConfig(configDir).telemetry === "boolean") return;
+	const answer = await askYesNo("Help improve Tank by sending anonymous usage analytics? (No package names, paths, or keys are ever sent.)");
+	setConfig({ telemetry: answer }, configDir);
+	if (answer) {
+		captureEvent({
+			event: "cli_opted_in",
+			properties: { source: "first-run-prompt" }
+		}, configDir);
+		process.stderr.write("Telemetry: enabled. Disable any time with `tank telemetry off`.\n");
+	} else process.stderr.write("Telemetry: disabled. Re-enable any time with `tank telemetry on`.\n");
+}
+function askYesNo(question) {
+	return new Promise((resolve) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr
+		});
+		rl.question(`${question} [y/N] `, (raw) => {
+			rl.close();
+			const a = raw.trim().toLowerCase();
+			resolve(a === "y" || a === "yes");
+		});
+	});
+}
+//#endregion
 //#region src/commands/doctor.ts
 const parseLockKey$3 = (key) => {
 	const lastAt = key.lastIndexOf("@");
@@ -2528,6 +2741,8 @@ async function doctorCommand(options) {
 			console.log(`  ${skillName}  ${summary.statusText}`);
 		}
 		if (localSkills.length === 0 && uniqueGlobal.length === 0 && devLinks.length === 0) suggestions.add("Run `tank install @tank/typescript` to add your first skill");
+		printSectionHeader("Telemetry");
+		console.log(`  ${describeTelemetryState()}`);
 		printSectionHeader("Suggestions");
 		if (suggestions.size === 0) console.log("  none");
 		else for (const suggestion of suggestions) console.log(`  • ${suggestion}`);
@@ -2674,6 +2889,7 @@ async function initCommand(options = {}) {
 		}
 		fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 		logger.success(`Created ${MANIFEST_FILENAME$1}`);
+		await maybePromptForTelemetryConsent();
 		return;
 	}
 	if (resolved.exists) {
@@ -2732,6 +2948,7 @@ async function initCommand(options = {}) {
 	}
 	fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 	logger.success(`Created ${MANIFEST_FILENAME$1}`);
+	await maybePromptForTelemetryConsent();
 }
 //#endregion
 //#region ../internals-helpers/dist/index.js
@@ -7065,6 +7282,42 @@ _enum([
 	"org.member.remove",
 	"org.delete"
 ]);
+const commandSchema = string().min(1, "command must not be empty");
+const argSchema = array(string()).default([]);
+const envSchema = record(string(), string()).optional();
+const remoteUrlSchema = string().url("remote must be a valid URL");
+const mcpServerSchema = union([object({
+	command: commandSchema,
+	args: argSchema,
+	env: envSchema,
+	requires_auth: literal(false).optional()
+}).strict(), object({
+	remote: remoteUrlSchema,
+	requires_auth: boolean().default(false),
+	env: envSchema
+}).strict()]);
+const baseManifestFields = {
+	name: string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	version: string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
+	description: string().max(500, `Description must be 500 characters or fewer`).optional(),
+	skills: record(string(), string()).optional(),
+	permissions: permissionsSchema.optional(),
+	repository: string().url("Repository must be a valid URL").optional(),
+	visibility: _enum(["public", "private"]).optional(),
+	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema.optional()
+};
+object(baseManifestFields).strict();
+const publishConfigSchema = object({
+	build: string().min(1, "publish.build must be a non-empty shell command").optional(),
+	files: array(string().min(1)).optional()
+}).strict();
+object({
+	...baseManifestFields,
+	atoms: array(record(string(), unknown())).optional(),
+	includes: array(string()).optional(),
+	publish: publishConfigSchema.optional()
+}).strict();
 const promptIRSchema = object({
 	kind: literal("prompt"),
 	name: string().min(1, "Prompt name must not be empty"),
@@ -7103,8 +7356,9 @@ const mcpServerConfigSchema = object({
 	args: array(string()).optional(),
 	env: record(string(), string()).optional(),
 	runtime: string().min(1).optional(),
-	entry: string().min(1).optional()
-}).strict().refine((data) => data.command || data.runtime && data.entry, "MCP config must have either \"command\" or both \"runtime\" and \"entry\"");
+	entry: string().min(1).optional(),
+	package: string().min(1).optional()
+}).strict().refine((data) => Boolean(data.command) || Boolean(data.runtime && (data.entry || data.package)), "MCP config must have either \"command\" or \"runtime\" plus one of \"entry\"/\"package\"");
 const toolIRSchema = object({
 	kind: literal("tool"),
 	name: string().min(1, "Tool name must not be empty"),
@@ -7133,22 +7387,9 @@ object({
 	permissions: permissionsSchema.optional(),
 	repository: string().url("Repository must be a valid URL").optional(),
 	visibility: _enum(["public", "private"]).optional(),
-	audit: object({ min_score: number().min(0).max(10) }).strict().optional()
+	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
+	publish: publishConfigSchema.optional()
 }).strict();
-const commandSchema = string().min(1, "command must not be empty");
-const argSchema = array(string()).default([]);
-const envSchema = record(string(), string()).optional();
-const remoteUrlSchema = string().url("remote must be a valid URL");
-const mcpServerSchema = union([object({
-	command: commandSchema,
-	args: argSchema,
-	env: envSchema,
-	requires_auth: literal(false).optional()
-}).strict(), object({
-	remote: remoteUrlSchema,
-	requires_auth: boolean().default(false),
-	env: envSchema
-}).strict()]);
 const perToolOverrideSchema = object({
 	scan: boolean().optional(),
 	blockOnMatch: boolean().optional()
@@ -7159,23 +7400,6 @@ object({
 	resetPinsOnMismatch: boolean().optional(),
 	perTool: record(string(), perToolOverrideSchema).optional()
 }).strict();
-const baseManifestFields = {
-	name: string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
-	version: string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
-	description: string().max(500, `Description must be 500 characters or fewer`).optional(),
-	skills: record(string(), string()).optional(),
-	permissions: permissionsSchema.optional(),
-	repository: string().url("Repository must be a valid URL").optional(),
-	visibility: _enum(["public", "private"]).optional(),
-	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
-	mcp_server: mcpServerSchema.optional()
-};
-object(baseManifestFields).strict();
-object({
-	...baseManifestFields,
-	atoms: array(record(string(), unknown())).optional(),
-	includes: array(string()).optional()
-}).strict();
 const SKILL_SOURCES = [
 	"registry",
 	"github",
@@ -10372,6 +10596,7 @@ async function loginCommand(options = {}) {
 				}, configDir);
 				const displayName = user.name ?? user.email ?? "unknown";
 				logger.success(`Logged in as ${displayName}`);
+				await maybePromptForTelemetryConsent(configDir);
 				return;
 			}
 			if (exchangeRes.status !== 400) {
@@ -10607,6 +10832,31 @@ async function proxyCommand(options) {
 	process.exit(code);
 }
 //#endregion
+//#region src/lib/build-hook.ts
+function runBuildHook(directory, command) {
+	return new Promise((resolve, reject) => {
+		const child = spawn(command, {
+			cwd: directory,
+			shell: true,
+			stdio: "inherit"
+		});
+		child.on("error", (err) => {
+			reject(/* @__PURE__ */ new Error(`Build hook failed to start: ${err.message}`));
+		});
+		child.on("close", (code, signal) => {
+			if (code === 0) {
+				resolve();
+				return;
+			}
+			if (signal) {
+				reject(/* @__PURE__ */ new Error(`Build hook terminated by signal ${signal}`));
+				return;
+			}
+			reject(/* @__PURE__ */ new Error(`Build hook exited with code ${code ?? "unknown"}`));
+		});
+	});
+}
+//#endregion
 //#region src/lib/packer.ts
 const MAX_PACKAGE_SIZE = 50 * 1024 * 1024;
 const MAX_FILE_COUNT = 1e3;
@@ -10620,18 +10870,7 @@ const DEFAULT_IGNORES = [
 ];
 const ALWAYS_IGNORED = ["node_modules", ".git"];
 const IGNORE_FILES = [".tankignore", ".gitignore"];
-/**
-* Pack a skill directory into a .tgz tarball with integrity hashing.
-*
-* Validates:
-* - tank.json (or skills.json) exists and is valid
-* - No symlinks or hardlinks
-* - No path traversal (.. components)
-* - No absolute paths
-* - File count <= 1000
-* - Tarball size <= 50MB
-*/
-async function pack(directory) {
+async function pack(directory, options = {}) {
 	const absDir = path.resolve(directory);
 	if (!fs.existsSync(absDir)) throw new Error(`Directory does not exist: ${absDir}`);
 	if (!fs.statSync(absDir).isDirectory()) throw new Error(`Not a directory: ${absDir}`);
@@ -10672,7 +10911,7 @@ async function pack(directory) {
 	} catch {
 		readmeContent = "";
 	}
-	const files = collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
+	const files = options.files && options.files.length > 0 ? collectFromAllowList(absDir, options.files, manifestFilename) : collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
 	if (files.length > MAX_FILE_COUNT) throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
 	let totalSize = 0;
 	for (const file of files) {
@@ -10741,9 +10980,15 @@ async function packForScan(directory) {
 		files
 	};
 }
-/**
-* Build an ignore filter from .tankignore, .gitignore, or defaults.
-*/
+function collectFromAllowList(baseDir, globs, manifestFilename) {
+	const securityFilter = ignore().add(ALWAYS_IGNORED);
+	const allowMatcher = ignore().add(globs);
+	const all = collectFiles(baseDir, baseDir, securityFilter);
+	const always = new Set([manifestFilename]);
+	if (fs.existsSync(path.join(baseDir, "SKILL.md"))) always.add("SKILL.md");
+	if (fs.existsSync(path.join(baseDir, "README.md"))) always.add("README.md");
+	return all.filter((rel) => always.has(rel) || allowMatcher.ignores(rel));
+}
 function buildIgnoreFilter(dir) {
 	const ig = ignore();
 	ig.add(ALWAYS_IGNORED);
@@ -10848,14 +11093,21 @@ async function publishCommand(options = {}) {
 	if (effectiveVisibility) manifest.visibility = effectiveVisibility;
 	const name = manifest.name;
 	const version = manifest.version;
+	const publishConfig = manifest.publish ?? void 0;
+	if (publishConfig?.build) {
+		logger.info(`Running build: ${publishConfig.build}`);
+		await runBuildHook(directory, publishConfig.build);
+	}
 	const spinner = ora("Packing...").start();
 	let packResult;
 	try {
-		packResult = await pack(directory);
+		packResult = await pack(directory, publishConfig?.files ? { files: publishConfig.files } : {});
 	} catch (err) {
 		spinner.fail("Packing failed");
 		throw err;
 	}
+	const outboundManifest = { ...manifest };
+	delete outboundManifest.publish;
 	const { tarball, integrity, fileCount, totalSize, readme, files } = packResult;
 	if (dryRun) {
 		spinner.stop();
@@ -10891,7 +11143,7 @@ async function publishCommand(options = {}) {
 		method: "POST",
 		headers,
 		body: JSON.stringify({
-			manifest,
+			manifest: outboundManifest,
 			readme,
 			files
 		})
@@ -11334,6 +11586,39 @@ async function searchCommand(options) {
 	console.log(`${data.results.length} skill${data.results.length === 1 ? "" : "s"} found`);
 }
 //#endregion
+//#region src/commands/telemetry.ts
+async function telemetryCommand(opts) {
+	const { action, configDir } = opts;
+	if (action === "status") {
+		logger.info(describeTelemetryState(configDir));
+		return;
+	}
+	if (action === "on") {
+		setTelemetry(true, configDir);
+		const status = getTelemetryStatus(configDir);
+		if (status.reason === "onprem") {
+			logger.warn("Telemetry config written, but disabled because TANK_MODE=selfhosted.");
+			return;
+		}
+		if (status.reason === "no-key") {
+			logger.warn("Telemetry config written, but this build has no telemetry key compiled in.");
+			return;
+		}
+		captureEvent({ event: "cli_opted_in" }, configDir);
+		logger.info("Telemetry: enabled. Thanks for helping improve Tank.");
+		logger.info("Disable any time: tank telemetry off");
+		return;
+	}
+	if (action === "off") {
+		captureEvent({ event: "cli_opted_out" }, configDir);
+		setTelemetry(false, configDir);
+		logger.info("Telemetry: disabled.");
+		return;
+	}
+	logger.error(`Unknown telemetry action: ${action}. Use on | off | status.`);
+	process.exitCode = 1;
+}
+//#endregion
 //#region src/commands/unlink.ts
 async function unlinkCommand(options = {}) {
 	const resolvedManifest = resolveManifestPath(options.directory ?? process.cwd());
@@ -11792,6 +12077,92 @@ function printUserInfo(user) {
 	logger.info(`Email: ${user.email ?? "unknown"}`);
 }
 //#endregion
+//#region src/lib/install-suggestions.ts
+/**
+* Best-effort fuzzy lookup of similar skill names. Hits the public /api/v1/search
+* endpoint (no auth needed for public skills). Returns up to `limit` matches.
+* Silent failure: never throws — suggestions are advisory, not critical-path.
+*/
+async function fetchSimilarSkillNames(query, opts = {}) {
+	const { configDir, limit = 3, timeoutMs = 2e3 } = opts;
+	const config = getConfig(configDir);
+	const searchTerm = query.replace(/^@[^/]+\//, "").replace(/^[^a-z0-9]+/i, "") || query;
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	try {
+		const res = await fetch(`${config.registry}/api/v1/search?q=${encodeURIComponent(searchTerm)}&limit=${limit}`, {
+			headers: { "User-Agent": USER_AGENT },
+			signal: controller.signal
+		});
+		clearTimeout(timer);
+		if (!res.ok) return [];
+		return ((await res.json()).results ?? []).filter((r) => r.name && r.name !== query).slice(0, limit);
+	} catch {
+		clearTimeout(timer);
+		return [];
+	}
+}
+function formatInstallSuggestions(name, suggestions) {
+	if (suggestions.length === 0) return `Try \`tank search ${name}\` to find similar packages.`;
+	const lines = ["Did you mean one of these?"];
+	for (const s of suggestions) lines.push(`  • ${s.name}${s.description ? `  — ${s.description.slice(0, 60)}` : ""}`);
+	lines.push(`\nOr search: \`tank search ${name}\``);
+	return lines.join("\n");
+}
+//#endregion
+//#region src/lib/install-target.ts
+/**
+* Parse a single install target string into a structured target.
+*
+* Accepted forms (npm-compatible):
+*   - `@org/pkg`               → name with no range
+*   - `@org/pkg@^1.0.0`        → name + range (split on the LAST `@` for scoped names)
+*   - `pkg`                    → unscoped name with no range
+*   - `pkg@1.0.0`              → unscoped name + range
+*   - `https://github.com/...` → URL install
+*
+* The `@` that separates name from range is the FIRST `@` that is NOT at position 0
+* (position 0 is the scope marker for `@org/...`).
+*/
+function parseInstallTarget(target) {
+	if (isUrl(target)) return {
+		kind: "url",
+		url: target
+	};
+	const searchStart = target.startsWith("@") ? 1 : 0;
+	const versionAt = target.indexOf("@", searchStart);
+	if (versionAt === -1) return {
+		kind: "name",
+		name: target
+	};
+	const name = target.slice(0, versionAt);
+	const versionRange = target.slice(versionAt + 1);
+	if (!name || !versionRange) return {
+		kind: "name",
+		name: target
+	};
+	return {
+		kind: "name",
+		name,
+		versionRange
+	};
+}
+/**
+* Heuristic: does this string look like a bare semver range rather than a skill name?
+* Used to detect the legacy `tank install @org/skill ^1.0.0` positional form so we can
+* preserve back-compat with the previous CLI signature.
+*
+* Returns true for strings like `^1.0.0`, `~1`, `>=2`, `1.x`, `*`, `latest`, `next`, `1.2.3`.
+* Returns false for skill names (contain `/`, start with `@`, or are URLs).
+*/
+function looksLikeVersionRange(s) {
+	if (!s || s.includes("/") || s.startsWith("@") || isUrl(s)) return false;
+	if (s === "*" || s === "latest" || s === "next") return true;
+	if (/^[\^~><=]/.test(s)) return true;
+	if (/^\d/.test(s)) return true;
+	return false;
+}
+//#endregion
 //#region src/lib/upgrade-check.ts
 function isNewerVersion(candidateVersion, currentVersion) {
 	if (candidateVersion === currentVersion) return false;
@@ -11836,6 +12207,14 @@ async function checkForUpgrade(configDir) {
 //#region src/bin/tank.ts
 const program = new Command();
 program.name("tank").description("Security-first package manager for AI agent skills").version(VERSION);
+program.hook("preAction", (_thisCommand, actionCommand) => {
+	const name = actionCommand.name();
+	if (name === "telemetry") return;
+	captureEvent({
+		event: "cli_command",
+		properties: { command: name }
+	});
+});
 program.command("init").description("Create a new tank.json in the current directory").option("-y, --yes", "Skip prompts, use defaults").option("--name <name>", "Skill name").option("--skill-version <version>", "Skill version (default: 0.1.0)").option("--description <desc>", "Skill description").option("--private", "Make skill private").option("--force", "Overwrite existing tank.json").action(async (opts) => {
 	try {
 		await initCommand({
@@ -11909,26 +12288,54 @@ program.command("publish").alias("pub").description("Pack and publish a skill to
 		process.exit(1);
 	}
 });
-program.command("install").alias("i").description("Install a skill from the Tank registry, a URL, or all skills from lockfile").argument("[name]", "Skill name or URL (e.g., @org/skill-name or https://github.com/owner/repo). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").option("--dangerously-no-tank-proxy", "Skip wrapping MCP servers with the tank proxy (no scanning, no enforcement)").action(async (name, versionRange, opts) => {
-	try {
-		if (name && isUrl(name)) await installFromUrl(name, {
-			global: opts.global,
-			yes: opts.yes,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-		else if (name) await installCommand({
-			name,
-			versionRange,
-			global: opts.global,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-		else await installAll({
-			global: opts.global,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		console.error(`Install failed: ${msg}`);
+program.command("install").alias("i").description("Install one or more skills from the Tank registry, URLs, or all skills from lockfile").argument("[targets...]", "One or more skill specs or URLs (e.g. @org/skill, @org/skill@^1.0.0, https://github.com/owner/repo). Omit to install from lockfile.").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").option("--dangerously-no-tank-proxy", "Skip wrapping MCP servers with the tank proxy (no scanning, no enforcement)").action(async (targets, opts) => {
+	const proxyOpt = opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {};
+	if (targets.length === 0) {
+		try {
+			await installAll({
+				global: opts.global,
+				...proxyOpt
+			});
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			console.error(`Install failed: ${msg}`);
+			process.exit(1);
+		}
+		return;
+	}
+	const effectiveTargets = targets.length === 2 && looksLikeVersionRange(targets[1]) ? [`${targets[0]}@${targets[1]}`] : targets;
+	const failures = [];
+	for (const target of effectiveTargets) {
+		const parsed = parseInstallTarget(target);
+		try {
+			if (parsed.kind === "url") await installFromUrl(parsed.url, {
+				global: opts.global,
+				yes: opts.yes,
+				...proxyOpt
+			});
+			else await installCommand({
+				name: parsed.name,
+				versionRange: parsed.versionRange ?? "*",
+				global: opts.global,
+				...proxyOpt
+			});
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			failures.push({
+				target,
+				error: msg,
+				parsedName: parsed.kind === "name" ? parsed.name : void 0
+			});
+			console.error(`Install failed for ${target}: ${msg}`);
+		}
+	}
+	for (const failure of failures) {
+		if (!failure.parsedName || !/not found/i.test(failure.error)) continue;
+		const suggestions = await fetchSimilarSkillNames(failure.parsedName);
+		console.error(`\n${formatInstallSuggestions(failure.parsedName, suggestions)}`);
+	}
+	if (failures.length > 0) {
+		console.error(`\nInstall finished with ${failures.length}/${effectiveTargets.length} failure(s).`);
 		process.exit(1);
 	}
 });
@@ -12115,6 +12522,20 @@ program.command("upgrade").description("Update tank to the latest version").argu
 	}
 	await flushLogs();
 });
+program.command("telemetry <action>").description("Manage anonymous usage telemetry (on | off | status). Opt-in only, never enabled by default.").action(async (action) => {
+	try {
+		const normalized = action.toLowerCase();
+		if (normalized !== "on" && normalized !== "off" && normalized !== "status") {
+			console.error(`Unknown telemetry action: ${action}. Use: on | off | status.`);
+			process.exit(1);
+		}
+		await telemetryCommand({ action: normalized });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Telemetry command failed: ${msg}`);
+		process.exit(1);
+	}
+});
 checkForUpgrade().catch(() => {});
 program.parse();
 //#endregion