@tankpkg/cli 0.9.1 → 0.10.2

package/dist/bin/tank.js

@@ -1,44 +1,23 @@
 #!/usr/bin/env node
-import { a as VERSION, c as getConfigDir, i as USER_AGENT, n as flushLogs, o as logger, s as getConfig, t as authFlowLog, u as setConfig } from "../debug-logger-nDgSC2MM.js";
+import { a as VERSION, c as getConfigDir, i as USER_AGENT, n as flushLogs, o as logger, s as getConfig, t as authFlowLog, u as setConfig } from "../debug-logger-Djt3NpiR.js";
 import { Command } from "commander";
 import chalk from "chalk";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import semver from "semver";
 import { z } from "zod";
 import { confirm, input } from "@inquirer/prompts";
 import crypto$1 from "node:crypto";
+import semver from "semver";
 import ora from "ora";
 import { create, extract } from "tar";
 import open from "open";
 import ignore from "ignore";
+process.env.TANK_REGISTRY_URL;
 const MANIFEST_FILENAME = "tank.json";
 const LEGACY_MANIFEST_FILENAME = "skills.json";
 const LOCKFILE_FILENAME = "tank.lock";
 const LEGACY_LOCKFILE_FILENAME = "skills.lock";
-/**
-* Resolves a semver range against a list of available versions.
-* Returns the highest version that satisfies the range, or null if none match.
-*
-* Pre-release versions are excluded from range matching unless the range
-* explicitly includes a pre-release tag (e.g., ">=1.0.0-beta.1").
-* Exact version matches always work, including for pre-release versions.
-*
-* @param range - A semver range string (e.g., "^2.1.0", "~1.0.0", ">=2.0.0 <3.0.0", "*")
-* @param versions - An array of semver version strings to match against
-* @returns The highest matching version string, or null if no match
-*/
-function resolve(range, versions) {
-	try {
-		if (!range || !semver.validRange(range)) return null;
-		const validVersions = versions.filter((v) => semver.valid(v) !== null);
-		if (validVersions.length === 0) return null;
-		return semver.maxSatisfying(validVersions, range) ?? null;
-	} catch {
-		return null;
-	}
-}
 const networkPermissionsSchema = z.object({ outbound: z.array(z.string()).optional() }).strict();
 const filesystemPermissionsSchema = z.object({
 	read: z.array(z.string()).optional(),
@@ -78,9 +57,9 @@ z.enum([
 	"org.delete"
 ]);
 const skillsJsonSchema = z.object({
-	name: z.string().min(1, "Name must not be empty").max(214, "Name must be 214 characters or fewer").regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
 	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
-	description: z.string().max(500, "Description must be 500 characters or fewer").optional(),
+	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
 	skills: z.record(z.string(), z.string()).optional(),
 	permissions: permissionsSchema.optional(),
 	repository: z.string().url("Repository must be a valid URL").optional(),
@@ -876,7 +855,7 @@ async function initCommand(options = {}) {
 			for (const issue of result.error.issues) logger.error(`  ${issue.path.join(".")}: ${issue.message}`);
 			return;
 		}
-		fs.writeFileSync(filePath, JSON.stringify(manifest, null, 2) + "\n");
+		fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 		logger.success(`Created ${MANIFEST_FILENAME}`);
 		return;
 	}
@@ -934,10 +913,22 @@ async function initCommand(options = {}) {
 		for (const issue of result.error.issues) logger.error(`  ${issue.path.join(".")}: ${issue.message}`);
 		return;
 	}
-	fs.writeFileSync(filePath, JSON.stringify(manifest, null, 2) + "\n");
+	fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
 	logger.success(`Created ${MANIFEST_FILENAME}`);
 }
 //#endregion
+//#region ../internals-helpers/dist/index.js
+function resolve(range, versions) {
+	try {
+		if (!range || !semver.validRange(range)) return null;
+		const validVersions = versions.filter((v) => semver.valid(v) !== null);
+		if (validVersions.length === 0) return null;
+		return semver.maxSatisfying(validVersions, range) ?? null;
+	} catch {
+		return null;
+	}
+}
+//#endregion
 //#region src/lib/dependency-resolver.ts
 function buildSkillKey(name, version) {
 	return `${name}@${version}`;
@@ -1291,6 +1282,26 @@ function getResolvedNodesInOrder(nodes, installOrder) {
 //#endregion
 //#region src/lib/permission-checker.ts
 /**
+* Check if a skill's permissions fit within the project's permission budget.
+* Throws if any permission exceeds the budget.
+*/
+function checkPermissionBudget(budget, skillPerms, skillName) {
+	if (!skillPerms) return;
+	if (skillPerms.subprocess === true && budget.subprocess !== true) throw new Error(`Permission denied: ${skillName} requires subprocess access, but project budget does not allow it`);
+	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
+		const budgetDomains = budget.network?.outbound ?? [];
+		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) throw new Error(`Permission denied: ${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
+	}
+	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
+		const budgetPaths = budget.filesystem?.read ?? [];
+		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) throw new Error(`Permission denied: ${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
+	}
+	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
+		const budgetPaths = budget.filesystem?.write ?? [];
+		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) throw new Error(`Permission denied: ${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
+	}
+}
+/**
 * Check if a domain is allowed by the budget's domain list.
 * Supports wildcard matching: *.example.com matches sub.example.com
 */
@@ -1319,91 +1330,6 @@ function isPathAllowed$1(requestedPath, allowedPaths) {
 	}
 	return false;
 }
-/**
-* Collect all permission violations without throwing.
-* Mirrors checkPermissionBudget() logic but returns violations as an array.
-*/
-function collectPermissionViolations(budget, skillPerms, skillName) {
-	if (!skillPerms) return [];
-	const violations = [];
-	if (skillPerms.subprocess === true && budget.subprocess !== true) violations.push({
-		skillName,
-		type: "subprocess",
-		requested: "true"
-	});
-	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
-		const budgetDomains = budget.network?.outbound ?? [];
-		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) violations.push({
-			skillName,
-			type: "network.outbound",
-			requested: domain
-		});
-	}
-	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
-		const budgetPaths = budget.filesystem?.read ?? [];
-		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) violations.push({
-			skillName,
-			type: "filesystem.read",
-			requested: p
-		});
-	}
-	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
-		const budgetPaths = budget.filesystem?.write ?? [];
-		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) violations.push({
-			skillName,
-			type: "filesystem.write",
-			requested: p
-		});
-	}
-	return violations;
-}
-//#endregion
-//#region src/lib/permission-prompt.ts
-async function promptForPermissionExpansion(violations, options) {
-	if (options.yes === true) return "accept";
-	if (options.isInteractive === false) return "decline";
-	logger.warn("The following permissions exceed your project budget:");
-	for (const v of violations) logger.warn(`  ${v.skillName}: ${v.type} → ${v.requested}`);
-	return await confirm({
-		message: "Would you like to add these permissions to tank.json?",
-		default: true
-	}) ? "accept" : "decline";
-}
-function mergePermissionsIntoBudget(currentBudget, violations) {
-	const result = {
-		...currentBudget,
-		network: currentBudget.network ? {
-			...currentBudget.network,
-			outbound: [...currentBudget.network.outbound ?? []]
-		} : void 0,
-		filesystem: currentBudget.filesystem ? {
-			...currentBudget.filesystem,
-			read: currentBudget.filesystem.read ? [...currentBudget.filesystem.read] : void 0,
-			write: currentBudget.filesystem.write ? [...currentBudget.filesystem.write] : void 0
-		} : void 0
-	};
-	for (const v of violations) switch (v.type) {
-		case "filesystem.read":
-			if (!result.filesystem) result.filesystem = {};
-			if (!result.filesystem.read) result.filesystem.read = [];
-			if (!result.filesystem.read.includes(v.requested)) result.filesystem.read.push(v.requested);
-			break;
-		case "filesystem.write":
-			if (!result.filesystem) result.filesystem = {};
-			if (!result.filesystem.write) result.filesystem.write = [];
-			if (!result.filesystem.write.includes(v.requested)) result.filesystem.write.push(v.requested);
-			break;
-		case "network.outbound":
-			if (!result.network) result.network = {};
-			if (!result.network.outbound) result.network.outbound = [];
-			if (!result.network.outbound.includes(v.requested)) result.network.outbound.push(v.requested);
-			break;
-		case "subprocess":
-			result.subprocess = true;
-			break;
-	}
-	return result;
-}
 //#endregion
 //#region src/commands/install.ts
 function createRegistryFetcher(registry, headers) {
@@ -1497,30 +1423,15 @@ function buildLockedVersionByName(lock) {
 function createExtractDirResolver(directory, global, resolvedHome) {
 	return (skillName) => global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir$1(directory, skillName);
 }
-async function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore, options) {
+function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore) {
 	if (!projectPermissions) logger.warn(`No permission budget defined in ${MANIFEST_FILENAME}. Install proceeding without permission checks.`);
-	if (projectPermissions) {
-		const allViolations = resolvedNodes.flatMap((node) => collectPermissionViolations(projectPermissions, node.meta.permissions, node.name));
-		if (allViolations.length > 0) {
-			const isInteractive = !process.env.CI && process.stdout.isTTY === true;
-			const decision = await promptForPermissionExpansion(allViolations, {
-				yes: options?.yes,
-				isInteractive
-			});
-			if (decision === "accept" && options?.skillsJsonPath && options?.skillsJson) {
-				const merged = mergePermissionsIntoBudget(projectPermissions, allViolations);
-				options.skillsJson.permissions = merged;
-				fs.writeFileSync(options.skillsJsonPath, `${JSON.stringify(options.skillsJson, null, 2)}\n`);
-			} else if (decision === "decline") {
-				const first = allViolations[0];
-				throw new Error(`Permission denied: ${first.skillName} requests ${first.type} access to "${first.requested}", which is not in the project's permission budget`);
-			}
+	for (const node of resolvedNodes) {
+		if (projectPermissions) checkPermissionBudget(projectPermissions, node.meta.permissions, node.name);
+		if (auditMinScore !== void 0) {
+			if (node.meta.auditScore === null || node.meta.auditScore === void 0) logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
+			else if (node.meta.auditScore < auditMinScore) throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in ${MANIFEST_FILENAME}`);
 		}
 	}
-	for (const node of resolvedNodes) if (auditMinScore !== void 0) {
-		if (node.meta.auditScore === null || node.meta.auditScore === void 0) logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
-		else if (node.meta.auditScore < auditMinScore) throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in ${MANIFEST_FILENAME}`);
-	}
 }
 async function runLegacyFallback(options) {
 	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, configDir, global, homedir } = options;
@@ -1570,12 +1481,8 @@ function linkInstalledRoots(options) {
 	if (detectInstalledAgents(homedir).length === 0) logger.warn("No agents detected for linking");
 }
 async function executeInstallPipeline(options) {
-	const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner, yes, skillsJsonPath, skillsJson } = options;
-	if (!global) await validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore, {
-		yes,
-		skillsJsonPath,
-		skillsJson
-	});
+	const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner } = options;
+	if (!global) validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore);
 	const extractDirForSkill = createExtractDirResolver(directory, global, resolvedHome);
 	const resolvedNodeByName = new Map(resolvedNodes.map((node) => [node.name, node]));
 	const downloaded = await downloadAllParallel(nodesToInstall, spinner);
@@ -1613,7 +1520,7 @@ async function executeInstallPipeline(options) {
 	return updatedLock;
 }
 async function installCommand(options) {
-	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false, yes } = options;
+	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false } = options;
 	const config = getConfig(configDir);
 	const resolvedHome = homedir ?? os.homedir();
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -1669,10 +1576,7 @@ async function installCommand(options) {
 			rootSkillNames: [name],
 			projectPermissions,
 			auditMinScore,
-			spinner,
-			yes,
-			skillsJsonPath,
-			skillsJson
+			spinner
 		});
 		if (!global && !isTransitive) {
 			const skills = skillsJson.skills ?? {};
@@ -1770,7 +1674,7 @@ async function installFromLockfile(options) {
 	}
 }
 async function installAll(options) {
-	const { directory = process.cwd(), configDir, global = false, homedir, yes } = options;
+	const { directory = process.cwd(), configDir, global = false, homedir } = options;
 	const resolvedHome = homedir ?? os.homedir();
 	const config = getConfig(configDir);
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -1825,10 +1729,7 @@ async function installAll(options) {
 			rootSkillNames: skillEntries.map(([skillName]) => skillName),
 			projectPermissions,
 			auditMinScore,
-			spinner,
-			yes,
-			skillsJsonPath,
-			skillsJson
+			spinner
 		});
 		spinner.succeed(`Installed ${skillEntries.length} root skill${skillEntries.length === 1 ? "" : "s"}`);
 	} catch (err) {
@@ -1914,28 +1815,38 @@ async function loginCommand(options = {}) {
 	const state = crypto.randomUUID();
 	authFlowLog.info({ state: `${state.slice(0, 8)}...` }, "Login flow started");
 	logger.info("Starting login...");
-	const startRes = await fetch(`${baseUrl}/api/v1/cli-auth/start`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({ state })
-	});
-	if (!startRes.ok) {
-		const body = await startRes.json().catch(() => null);
-		authFlowLog.error({
-			status: startRes.status,
-			error: body?.error
-		}, "Start request failed");
-		throw new Error(`Failed to start auth session: ${body?.error ?? startRes.statusText}`);
-	}
-	authFlowLog.info({
-		ok: startRes.ok,
-		status: startRes.status
-	}, "Start response received");
-	const { authUrl, sessionCode } = await startRes.json();
-	authFlowLog.info({
-		authUrl,
-		sessionCode: `${sessionCode.slice(0, 8)}...`
-	}, "Session created, opening browser");
+	let authUrl;
+	let sessionCode;
+	try {
+		const startRes = await fetch(`${baseUrl}/api/v1/cli-auth/start`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ state })
+		});
+		if (!startRes.ok) {
+			const body = await startRes.json().catch(() => null);
+			authFlowLog.error({
+				status: startRes.status,
+				error: body?.error
+			}, "Start request failed");
+			throw new Error(`Failed to start auth session: ${body?.error ?? startRes.statusText}`);
+		}
+		authFlowLog.info({
+			ok: startRes.ok,
+			status: startRes.status
+		}, "Start response received");
+		const startData = await startRes.json();
+		authUrl = startData.authUrl;
+		sessionCode = startData.sessionCode;
+		authFlowLog.info({
+			authUrl,
+			sessionCode: `${sessionCode.slice(0, 8)}...`
+		}, "Session created, opening browser");
+	} catch (err) {
+		if (err instanceof Error && err.message.startsWith("Failed to start auth session:")) throw err;
+		authFlowLog.error({ error: err instanceof Error ? err.message : String(err) }, "Start request failed");
+		throw new Error(`Could not reach registry at ${baseUrl}. Check your internet connection or registry URL.\n  Error: ${err instanceof Error ? err.message : String(err)}`);
+	}
 	try {
 		await open(authUrl);
 		logger.info("Opened browser for authentication.");
@@ -2293,6 +2204,7 @@ async function packForScan(directory) {
 		readmeContent = "";
 	}
 	const files = collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
+	if (files.length === 0) throw new Error(`No manifest found and no files to scan in ${absDir}`);
 	if (files.length > MAX_FILE_COUNT) throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
 	let totalSize = 0;
 	for (const file of files) {
@@ -2568,7 +2480,7 @@ async function removeCommand(options) {
 	if (!(name in skills)) throw new Error(`Skill "${name}" is not installed (not found in ${path.basename(resolvedManifest.path)})`);
 	delete skills[name];
 	skillsJson.skills = skills;
-	fs.writeFileSync(resolvedManifest.path, JSON.stringify(skillsJson, null, 2) + "\n");
+	fs.writeFileSync(resolvedManifest.path, `${JSON.stringify(skillsJson, null, 2)}\n`);
 	const resolvedLocalLock = resolveLockfilePath(directory);
 	const lockPath = resolvedLocalLock.path;
 	if (resolvedLocalLock.exists) {
@@ -3130,6 +3042,10 @@ async function upgradeCommand(opts) {
 		console.log(chalk.yellow("Tank was installed via Homebrew. Run `brew upgrade tank` instead."));
 		return;
 	}
+	if (currentBinaryPath.includes("node_modules") || currentBinaryPath.endsWith(".js") || currentBinaryPath.endsWith(".mjs")) {
+		console.log(chalk.yellow("Tank was installed via npm/npx. Run `npm update -g @tankpkg/cli` to upgrade instead."));
+		return;
+	}
 	let targetVersion;
 	if (opts?.version) targetVersion = opts.version;
 	else {
@@ -3384,18 +3300,14 @@ program.command("publish").alias("pub").description("Pack and publish a skill to
 		process.exit(1);
 	}
 });
-program.command("install").alias("i").description("Install a skill from the Tank registry, or all skills from lockfile").argument("[name]", "Skill name (e.g., @org/skill-name). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept permission budget expansion").action(async (name, versionRange, opts) => {
+program.command("install").alias("i").description("Install a skill from the Tank registry, or all skills from lockfile").argument("[name]", "Skill name (e.g., @org/skill-name). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").action(async (name, versionRange, opts) => {
 	try {
 		if (name) await installCommand({
 			name,
 			versionRange,
-			global: opts.global,
-			yes: opts.yes
-		});
-		else await installAll({
-			global: opts.global,
-			yes: opts.yes
+			global: opts.global
 		});
+		else await installAll({ global: opts.global });
 	} catch (err) {
 		const msg = err instanceof Error ? err.message : String(err);
 		console.error(`Install failed: ${msg}`);
@@ -3480,26 +3392,7 @@ program.command("scan").description("Scan a local skill for security issues with
 		process.exit(1);
 	}
 });
-program.command("link").alias("ln").description("Link current skill to all detected AI agents for local development").addHelpText("after", `
-Creates symlinks from each agent's skills directory to this skill source,
-so changes are reflected immediately without re-publishing.
-
-Must be run from a directory containing a valid tank.json.
-
-Supported agents:
-  Claude Code    ~/.claude/skills
-  OpenCode       ~/.config/opencode/skills
-  Cursor         ~/.cursor/skills
-  Codex          ~/.codex/skills
-  OpenClaw       ~/.openclaw/skills
-  Universal      ~/.agents/skills
-
-Examples:
-  $ cd my-skill && tank link     Link to all detected agents
-  $ tank doctor                  Verify link health
-  $ tank unlink                  Remove all symlinks
-
-See also: tank unlink, tank doctor`).action(async () => {
+program.command("link").alias("ln").description("Link current skill directory to AI agent directories (for development)").action(async () => {
 	try {
 		await linkCommand();
 	} catch (err) {
@@ -3508,14 +3401,7 @@ See also: tank unlink, tank doctor`).action(async () => {
 		process.exit(1);
 	}
 });
-program.command("unlink").description("Remove skill symlinks from all AI agent directories").addHelpText("after", `
-Removes the symlinks created by \`tank link\` from every detected agent.
-Must be run from the same skill directory that was originally linked.
-
-Examples:
-  $ cd my-skill && tank unlink   Remove links for this skill
-
-See also: tank link, tank doctor`).action(async () => {
+program.command("unlink").description("Remove skill symlinks from AI agent directories").action(async () => {
 	try {
 		await unlinkCommand();
 	} catch (err) {