@tankpkg/cli 0.15.8 → 0.16.0

package/dist/bin/tank.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-BCwL85ni.js";
+import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-C7P_qoCR.js";
 import { t as logger } from "../logger-BhULz3Uz.js";
 import { createRequire } from "node:module";
 import { Command } from "commander";
@@ -10,12 +10,12 @@ import path, { join } from "node:path";
 import { z } from "zod";
 import semver from "semver";
 import ora from "ora";
+import crypto$1, { randomUUID } from "node:crypto";
+import { createInterface } from "node:readline";
 import { confirm, input } from "@inquirer/prompts";
 import { execSync, spawn } from "node:child_process";
-import crypto$1 from "node:crypto";
-import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { create, extract } from "tar";
-import { createInterface } from "node:readline";
+import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import open from "open";
@@ -2508,6 +2508,122 @@ function getSkillLinkStatus(options) {
 	return agents.map((agent) => getStatusForAgent(agent, options.skillName));
 }
 //#endregion
+//#region src/lib/telemetry.ts
+const POSTHOG_PROJECT_KEY = process.env.TANK_POSTHOG_KEY ?? "phc_j9KjoTTYWsM4k40f2h61x8TRe8cx4ZhIMIKIVri0G7Z";
+const POSTHOG_DEFAULT_HOST = "https://eu.i.posthog.com";
+function getHost() {
+	return process.env.TANK_TELEMETRY_HOST ?? POSTHOG_DEFAULT_HOST;
+}
+function isSelfhosted() {
+	return process.env.TANK_MODE === "selfhosted";
+}
+function getTelemetryStatus(configDir) {
+	if (isSelfhosted()) return {
+		enabled: false,
+		reason: "onprem"
+	};
+	if (!POSTHOG_PROJECT_KEY) return {
+		enabled: false,
+		reason: "no-key"
+	};
+	const env = process.env.TANK_TELEMETRY?.trim();
+	if (env === "0" || env === "false" || env === "off") return {
+		enabled: false,
+		reason: "env-off"
+	};
+	if (env === "1" || env === "true" || env === "on") return {
+		enabled: true,
+		reason: "env-on"
+	};
+	if (getConfig(configDir).telemetry === true) return {
+		enabled: true,
+		reason: "config"
+	};
+	return {
+		enabled: false,
+		reason: "default-off"
+	};
+}
+function getOrCreateDistinctId(configDir) {
+	const cfg = getConfig(configDir);
+	if (cfg.telemetryDistinctId) return cfg.telemetryDistinctId;
+	const id = randomUUID();
+	setConfig({ telemetryDistinctId: id }, configDir);
+	return id;
+}
+function setTelemetry(enabled, configDir) {
+	setConfig({ telemetry: enabled }, configDir);
+}
+function captureEvent(evt, configDir) {
+	if (!getTelemetryStatus(configDir).enabled) return;
+	const distinctId = getOrCreateDistinctId(configDir);
+	const payload = {
+		api_key: POSTHOG_PROJECT_KEY,
+		event: evt.event,
+		distinct_id: distinctId,
+		properties: {
+			...evt.properties,
+			cli_version: VERSION,
+			platform: process.platform,
+			node_version: process.versions.node,
+			$lib: "tank-cli"
+		},
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const url = `${getHost()}/i/v0/e/`;
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), 2e3);
+	fetch(url, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: controller.signal
+	}).catch(() => {}).finally(() => clearTimeout(timer));
+}
+function describeTelemetryState(configDir) {
+	const status = getTelemetryStatus(configDir);
+	if (status.reason === "onprem") return "Telemetry: disabled (on-prem mode)";
+	if (status.reason === "no-key") return "Telemetry: disabled (no key compiled in this build)";
+	if (status.reason === "env-off") return "Telemetry: disabled (overridden by TANK_TELEMETRY env var)";
+	if (status.reason === "env-on") return "Telemetry: enabled (overridden by TANK_TELEMETRY env var)";
+	if (status.reason === "config") return "Telemetry: enabled";
+	return "Telemetry: disabled. Run `tank telemetry on` to opt in.";
+}
+/**
+* Prompt the user once for telemetry consent on first interactive use.
+* Skipped if: a decision is already recorded, no TTY (CI), on-prem, no key compiled.
+* The decision (true or false) is persisted to config so we never prompt again.
+*/
+async function maybePromptForTelemetryConsent(configDir) {
+	if (isSelfhosted()) return;
+	if (!POSTHOG_PROJECT_KEY) return;
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return;
+	if (process.env.CI || process.env.TANK_TELEMETRY) return;
+	if (typeof getConfig(configDir).telemetry === "boolean") return;
+	const answer = await askYesNo("Help improve Tank by sending anonymous usage analytics? (No package names, paths, or keys are ever sent.)");
+	setConfig({ telemetry: answer }, configDir);
+	if (answer) {
+		captureEvent({
+			event: "cli_opted_in",
+			properties: { source: "first-run-prompt" }
+		}, configDir);
+		process.stderr.write("Telemetry: enabled. Disable any time with `tank telemetry off`.\n");
+	} else process.stderr.write("Telemetry: disabled. Re-enable any time with `tank telemetry on`.\n");
+}
+function askYesNo(question) {
+	return new Promise((resolve) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr
+		});
+		rl.question(`${question} [y/N] `, (raw) => {
+			rl.close();
+			const a = raw.trim().toLowerCase();
+			resolve(a === "y" || a === "yes");
+		});
+	});
+}
+//#endregion
 //#region src/commands/doctor.ts
 const parseLockKey$3 = (key) => {
 	const lastAt = key.lastIndexOf("@");
@@ -2625,6 +2741,8 @@ async function doctorCommand(options) {
 			console.log(`  ${skillName}  ${summary.statusText}`);
 		}
 		if (localSkills.length === 0 && uniqueGlobal.length === 0 && devLinks.length === 0) suggestions.add("Run `tank install @tank/typescript` to add your first skill");
+		printSectionHeader("Telemetry");
+		console.log(`  ${describeTelemetryState()}`);
 		printSectionHeader("Suggestions");
 		if (suggestions.size === 0) console.log("  none");
 		else for (const suggestion of suggestions) console.log(`  • ${suggestion}`);
@@ -2771,6 +2889,7 @@ async function initCommand(options = {}) {
 		}
 		fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 		logger.success(`Created ${MANIFEST_FILENAME$1}`);
+		await maybePromptForTelemetryConsent();
 		return;
 	}
 	if (resolved.exists) {
@@ -2829,6 +2948,7 @@ async function initCommand(options = {}) {
 	}
 	fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 	logger.success(`Created ${MANIFEST_FILENAME$1}`);
+	await maybePromptForTelemetryConsent();
 }
 //#endregion
 //#region ../internals-helpers/dist/index.js
@@ -10476,6 +10596,7 @@ async function loginCommand(options = {}) {
 				}, configDir);
 				const displayName = user.name ?? user.email ?? "unknown";
 				logger.success(`Logged in as ${displayName}`);
+				await maybePromptForTelemetryConsent(configDir);
 				return;
 			}
 			if (exchangeRes.status !== 400) {
@@ -11465,6 +11586,39 @@ async function searchCommand(options) {
 	console.log(`${data.results.length} skill${data.results.length === 1 ? "" : "s"} found`);
 }
 //#endregion
+//#region src/commands/telemetry.ts
+async function telemetryCommand(opts) {
+	const { action, configDir } = opts;
+	if (action === "status") {
+		logger.info(describeTelemetryState(configDir));
+		return;
+	}
+	if (action === "on") {
+		setTelemetry(true, configDir);
+		const status = getTelemetryStatus(configDir);
+		if (status.reason === "onprem") {
+			logger.warn("Telemetry config written, but disabled because TANK_MODE=selfhosted.");
+			return;
+		}
+		if (status.reason === "no-key") {
+			logger.warn("Telemetry config written, but this build has no telemetry key compiled in.");
+			return;
+		}
+		captureEvent({ event: "cli_opted_in" }, configDir);
+		logger.info("Telemetry: enabled. Thanks for helping improve Tank.");
+		logger.info("Disable any time: tank telemetry off");
+		return;
+	}
+	if (action === "off") {
+		captureEvent({ event: "cli_opted_out" }, configDir);
+		setTelemetry(false, configDir);
+		logger.info("Telemetry: disabled.");
+		return;
+	}
+	logger.error(`Unknown telemetry action: ${action}. Use on | off | status.`);
+	process.exitCode = 1;
+}
+//#endregion
 //#region src/commands/unlink.ts
 async function unlinkCommand(options = {}) {
 	const resolvedManifest = resolveManifestPath(options.directory ?? process.cwd());
@@ -11923,6 +12077,92 @@ function printUserInfo(user) {
 	logger.info(`Email: ${user.email ?? "unknown"}`);
 }
 //#endregion
+//#region src/lib/install-suggestions.ts
+/**
+* Best-effort fuzzy lookup of similar skill names. Hits the public /api/v1/search
+* endpoint (no auth needed for public skills). Returns up to `limit` matches.
+* Silent failure: never throws — suggestions are advisory, not critical-path.
+*/
+async function fetchSimilarSkillNames(query, opts = {}) {
+	const { configDir, limit = 3, timeoutMs = 2e3 } = opts;
+	const config = getConfig(configDir);
+	const searchTerm = query.replace(/^@[^/]+\//, "").replace(/^[^a-z0-9]+/i, "") || query;
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	try {
+		const res = await fetch(`${config.registry}/api/v1/search?q=${encodeURIComponent(searchTerm)}&limit=${limit}`, {
+			headers: { "User-Agent": USER_AGENT },
+			signal: controller.signal
+		});
+		clearTimeout(timer);
+		if (!res.ok) return [];
+		return ((await res.json()).results ?? []).filter((r) => r.name && r.name !== query).slice(0, limit);
+	} catch {
+		clearTimeout(timer);
+		return [];
+	}
+}
+function formatInstallSuggestions(name, suggestions) {
+	if (suggestions.length === 0) return `Try \`tank search ${name}\` to find similar packages.`;
+	const lines = ["Did you mean one of these?"];
+	for (const s of suggestions) lines.push(`  • ${s.name}${s.description ? `  — ${s.description.slice(0, 60)}` : ""}`);
+	lines.push(`\nOr search: \`tank search ${name}\``);
+	return lines.join("\n");
+}
+//#endregion
+//#region src/lib/install-target.ts
+/**
+* Parse a single install target string into a structured target.
+*
+* Accepted forms (npm-compatible):
+*   - `@org/pkg`               → name with no range
+*   - `@org/pkg@^1.0.0`        → name + range (split on the LAST `@` for scoped names)
+*   - `pkg`                    → unscoped name with no range
+*   - `pkg@1.0.0`              → unscoped name + range
+*   - `https://github.com/...` → URL install
+*
+* The `@` that separates name from range is the FIRST `@` that is NOT at position 0
+* (position 0 is the scope marker for `@org/...`).
+*/
+function parseInstallTarget(target) {
+	if (isUrl(target)) return {
+		kind: "url",
+		url: target
+	};
+	const searchStart = target.startsWith("@") ? 1 : 0;
+	const versionAt = target.indexOf("@", searchStart);
+	if (versionAt === -1) return {
+		kind: "name",
+		name: target
+	};
+	const name = target.slice(0, versionAt);
+	const versionRange = target.slice(versionAt + 1);
+	if (!name || !versionRange) return {
+		kind: "name",
+		name: target
+	};
+	return {
+		kind: "name",
+		name,
+		versionRange
+	};
+}
+/**
+* Heuristic: does this string look like a bare semver range rather than a skill name?
+* Used to detect the legacy `tank install @org/skill ^1.0.0` positional form so we can
+* preserve back-compat with the previous CLI signature.
+*
+* Returns true for strings like `^1.0.0`, `~1`, `>=2`, `1.x`, `*`, `latest`, `next`, `1.2.3`.
+* Returns false for skill names (contain `/`, start with `@`, or are URLs).
+*/
+function looksLikeVersionRange(s) {
+	if (!s || s.includes("/") || s.startsWith("@") || isUrl(s)) return false;
+	if (s === "*" || s === "latest" || s === "next") return true;
+	if (/^[\^~><=]/.test(s)) return true;
+	if (/^\d/.test(s)) return true;
+	return false;
+}
+//#endregion
 //#region src/lib/upgrade-check.ts
 function isNewerVersion(candidateVersion, currentVersion) {
 	if (candidateVersion === currentVersion) return false;
@@ -11967,6 +12207,14 @@ async function checkForUpgrade(configDir) {
 //#region src/bin/tank.ts
 const program = new Command();
 program.name("tank").description("Security-first package manager for AI agent skills").version(VERSION);
+program.hook("preAction", (_thisCommand, actionCommand) => {
+	const name = actionCommand.name();
+	if (name === "telemetry") return;
+	captureEvent({
+		event: "cli_command",
+		properties: { command: name }
+	});
+});
 program.command("init").description("Create a new tank.json in the current directory").option("-y, --yes", "Skip prompts, use defaults").option("--name <name>", "Skill name").option("--skill-version <version>", "Skill version (default: 0.1.0)").option("--description <desc>", "Skill description").option("--private", "Make skill private").option("--force", "Overwrite existing tank.json").action(async (opts) => {
 	try {
 		await initCommand({
@@ -12040,26 +12288,54 @@ program.command("publish").alias("pub").description("Pack and publish a skill to
 		process.exit(1);
 	}
 });
-program.command("install").alias("i").description("Install a skill from the Tank registry, a URL, or all skills from lockfile").argument("[name]", "Skill name or URL (e.g., @org/skill-name or https://github.com/owner/repo). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").option("--dangerously-no-tank-proxy", "Skip wrapping MCP servers with the tank proxy (no scanning, no enforcement)").action(async (name, versionRange, opts) => {
-	try {
-		if (name && isUrl(name)) await installFromUrl(name, {
-			global: opts.global,
-			yes: opts.yes,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-		else if (name) await installCommand({
-			name,
-			versionRange,
-			global: opts.global,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-		else await installAll({
-			global: opts.global,
-			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
-		});
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		console.error(`Install failed: ${msg}`);
+program.command("install").alias("i").description("Install one or more skills from the Tank registry, URLs, or all skills from lockfile").argument("[targets...]", "One or more skill specs or URLs (e.g. @org/skill, @org/skill@^1.0.0, https://github.com/owner/repo). Omit to install from lockfile.").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").option("--dangerously-no-tank-proxy", "Skip wrapping MCP servers with the tank proxy (no scanning, no enforcement)").action(async (targets, opts) => {
+	const proxyOpt = opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {};
+	if (targets.length === 0) {
+		try {
+			await installAll({
+				global: opts.global,
+				...proxyOpt
+			});
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			console.error(`Install failed: ${msg}`);
+			process.exit(1);
+		}
+		return;
+	}
+	const effectiveTargets = targets.length === 2 && looksLikeVersionRange(targets[1]) ? [`${targets[0]}@${targets[1]}`] : targets;
+	const failures = [];
+	for (const target of effectiveTargets) {
+		const parsed = parseInstallTarget(target);
+		try {
+			if (parsed.kind === "url") await installFromUrl(parsed.url, {
+				global: opts.global,
+				yes: opts.yes,
+				...proxyOpt
+			});
+			else await installCommand({
+				name: parsed.name,
+				versionRange: parsed.versionRange ?? "*",
+				global: opts.global,
+				...proxyOpt
+			});
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			failures.push({
+				target,
+				error: msg,
+				parsedName: parsed.kind === "name" ? parsed.name : void 0
+			});
+			console.error(`Install failed for ${target}: ${msg}`);
+		}
+	}
+	for (const failure of failures) {
+		if (!failure.parsedName || !/not found/i.test(failure.error)) continue;
+		const suggestions = await fetchSimilarSkillNames(failure.parsedName);
+		console.error(`\n${formatInstallSuggestions(failure.parsedName, suggestions)}`);
+	}
+	if (failures.length > 0) {
+		console.error(`\nInstall finished with ${failures.length}/${effectiveTargets.length} failure(s).`);
 		process.exit(1);
 	}
 });
@@ -12246,6 +12522,20 @@ program.command("upgrade").description("Update tank to the latest version").argu
 	}
 	await flushLogs();
 });
+program.command("telemetry <action>").description("Manage anonymous usage telemetry (on | off | status). Opt-in only, never enabled by default.").action(async (action) => {
+	try {
+		const normalized = action.toLowerCase();
+		if (normalized !== "on" && normalized !== "off" && normalized !== "status") {
+			console.error(`Unknown telemetry action: ${action}. Use: on | off | status.`);
+			process.exit(1);
+		}
+		await telemetryCommand({ action: normalized });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Telemetry command failed: ${msg}`);
+		process.exit(1);
+	}
+});
 checkForUpgrade().catch(() => {});
 program.parse();
 //#endregion