@xiashe/skill 0.1.17 → 0.1.19

package/README.md

@@ -15,14 +15,15 @@ This package is intentionally separate from the full `@xiashe/cli` product CLI a
 - diagnose whether a local Skill has the expected registry disclosure, Agent Ack instructions, and runtime callback wiring where supported
 - send labeled local verification events so the Dashboard can confirm integration health
 - write an explicit `xiashe.skill.json` registry manifest
+- build and upload the XiaShe complete Skill package to XiaShe File Storage when the `xiashe` target is selected
 - generate one unified `UPLOAD_HANDOFF.md` that the creator's Agent can use with Xiaohongshu's official `skillhub-upload` or `uploader.md`
 - generate optional runtime analytics snippets
 
-It does not install background services, run postinstall hooks, read secrets, or override Red Skill upload rules. The creator's Agent is responsible for packaging and uploading according to Xiaohongshu's official flow.
+It does not install background services, run postinstall hooks, read secrets, or override Red Skill upload rules. XiaShe package upload is handled by this CLI for the XiaShe-owned registry; the creator's Agent is responsible only for third-party packaging and uploading according to Xiaohongshu's official flow.
 
 The user-facing product flow should point creators at the official publish Markdown page and the `xiashe-publish` Skill. Direct CLI commands are implementation details for local Agents and developers.
 
-`setup --hub all` now defaults to XiaShe Store and Red Skill. It writes private `.xiashe/*` handoff files for local Agents, plus no-secret public runtime protocol files at `xiashe/runtime.yaml`, `xiashe/AGENT_ACK.md`, and `xiashe/REGISTRY_DISCLOSURE.md` for Red Markdown/YAML source packages when the target platform accepts them. Users should not need to pick files manually. When Red Skill provides `uploader.md`, `skillhub-upload`, or its own upload prompt, follow that official flow first; XiaShe keeps tokens, signing secrets, package hashes, storage ids, and private handoff files local while recording Red usage through Agent Ack when the host Agent safely calls it.
+`setup --hub all` now defaults to XiaShe Store and Red Skill. It writes private `.xiashe/*` handoff files for local Agents, uploads the XiaShe complete package as `.tgz` through the registry storage flow, plus writes no-secret public runtime protocol files at `xiashe/runtime.yaml`, `xiashe/AGENT_ACK.md`, and `xiashe/REGISTRY_DISCLOSURE.md` for Red Markdown/YAML source packages when the target platform accepts them. Users should not need to pick files manually. When Red Skill provides `uploader.md`, `skillhub-upload`, or its own upload prompt, follow that official flow first; XiaShe keeps tokens, signing secrets, package hashes, storage ids, and private handoff files local while recording Red usage through Agent Ack when the host Agent safely calls it.
 
 ## Local development
 

package/bin/xiashe-skill.mjs

@@ -5,8 +5,10 @@ import { existsSync } from 'node:fs';
 import { mkdir, readdir, readFile, stat, writeFile } from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
+import { promisify } from 'node:util';
+import { gzip } from 'node:zlib';
 
-const VERSION = '0.1.17';
+const VERSION = '0.1.18';
 const COMMAND_NAME = process.env.XIASHE_SKILL_CLI_NAME || 'xiashe-skill';
 const PRODUCT_NAME = process.env.XIASHE_SKILL_PRODUCT_NAME || (COMMAND_NAME === 'agentpie-skill' ? 'AgentPie' : 'XiaShe');
 const REGISTRY_PROVIDER = process.env.XIASHE_SKILL_REGISTRY_PROVIDER || (COMMAND_NAME === 'agentpie-skill' ? 'agentpie' : 'xiashe');
@@ -22,6 +24,8 @@ const HANDOFF_FILE = 'UPLOAD_HANDOFF.md';
 const DEFAULT_REGISTRY_URL = process.env.XIASHE_SKILL_REGISTRY_URL || `${DEFAULT_BASE_URL}/registry/skill-events`;
 const DEFAULT_AGENT_ACK_URL = process.env.XIASHE_SKILL_AGENT_ACK_URL || `${DEFAULT_BASE_URL}/registry/agent-ack`;
 const DEFAULT_CLAIM_URL = process.env.XIASHE_SKILL_CLAIM_URL || `${DEFAULT_BASE_URL}/registry/skill/claim`;
+const DEFAULT_PACKAGE_UPLOAD_URL = process.env.XIASHE_SKILL_PACKAGE_UPLOAD_URL || `${DEFAULT_BASE_URL}/registry/skill/package-upload-url`;
+const DEFAULT_PACKAGE_ARTIFACT_URL = process.env.XIASHE_SKILL_PACKAGE_ARTIFACT_URL || `${DEFAULT_BASE_URL}/registry/skill/package-artifact`;
 const EVENT_SCHEMA_VERSION = process.env.XIASHE_SKILL_EVENT_SCHEMA_VERSION || (REGISTRY_PROVIDER === 'agentpie'
   ? 'agentpie.skill.event.v1'
   : 'xiashe.skill.event.v1');
@@ -212,6 +216,8 @@ const DEFAULT_IGNORE = new Set([
 ]);
 const MAX_FILE_BYTES = 2 * 1024 * 1024;
 const MAX_SOURCE_BYTES = 30 * 1024 * 1024;
+const MAX_XIASHE_PACKAGE_BYTES = 100 * 1024 * 1024;
+const gzipAsync = promisify(gzip);
 
 function usage() {
   return `${COMMAND_NAME} ${VERSION}
@@ -260,8 +266,11 @@ Options:
   --signing-secret <secret>   Optional HMAC secret for signed runtime events.
   --source-url <url>          User-provided source URL an Agent can use during third-party upload.
   --package-url <url>         Deprecated alias for --source-url.
+  --package-upload-url <url>  Package upload ticket endpoint. Defaults to ${DEFAULT_PACKAGE_UPLOAD_URL}
+  --package-artifact-url <url> Package artifact attach endpoint. Defaults to ${DEFAULT_PACKAGE_ARTIFACT_URL}
   --out <path>                Output prompt or snippet file.
   --out-dir <path>            Output directory for setup artifacts. Defaults to ${WORK_DIR}/.
+  --no-xiashe-package-upload  Skip automatic ${PRODUCT_NAME} complete package upload.
   --embed-skill-md            Also write a clearly marked registry section into SKILL.md.
   --no-skill-md               Do not write registry text into SKILL.md. Red hub embeds by default.
   --no-snippet                Setup should skip writing the runtime analytics snippet.
@@ -280,7 +289,7 @@ function fail(message, code = 1) {
 
 function parseArgs(argv) {
   const args = { _: [], json: false, dryRun: false };
-  const booleanFlags = new Set(['embed-skill-md', 'no-skill-md', 'no-snippet', 'no-track']);
+  const booleanFlags = new Set(['embed-skill-md', 'no-skill-md', 'no-snippet', 'no-track', 'no-xiashe-package-upload']);
   for (let i = 0; i < argv.length; i += 1) {
     const value = argv[i];
     if (value === '--help' || value === '-h') {
@@ -699,6 +708,285 @@ async function postJson(url, body, timeoutMs = 20_000) {
   }
 }
 
+function urlForRegistryPath(baseUrl, pathname, fallback) {
+  const base = normalizeText(baseUrl, 1_000) || fallback;
+  try {
+    return new URL(pathname, base).toString();
+  } catch {
+    return fallback;
+  }
+}
+
+function shouldIgnorePackageEntry(relativePath, entryName, isDirectory = false) {
+  const normalized = String(relativePath || '').replace(/\\/g, '/');
+  const localRegistryPrefix = `${WORK_DIR}/`;
+  const packageArtifactPrefix = `${WORK_DIR}/package-artifact/`;
+  if (normalized === '.git' || normalized.startsWith('.git/')) return true;
+  if (normalized === 'node_modules' || normalized.startsWith('node_modules/')) return true;
+  if (normalized === 'dist' || normalized.startsWith('dist/')) return true;
+  if (normalized === 'build' || normalized.startsWith('build/')) return true;
+  if (normalized === 'coverage' || normalized.startsWith('coverage/')) return true;
+  if (normalized === '.DS_Store' || normalized.endsWith('/.DS_Store')) return true;
+  if (entryName === '.env' || entryName.startsWith('.env.')) return true;
+  if (/\.(pem|key)$/i.test(entryName)) return true;
+  if (packageArtifactPrefix && normalized.startsWith(packageArtifactPrefix)) return true;
+  if (isDirectory && (normalized === WORK_DIR || normalized === PUBLIC_PROTOCOL_DIR)) return false;
+  if (isDirectory && (normalized.startsWith(`${WORK_DIR}/`) || normalized.startsWith(`${PUBLIC_PROTOCOL_DIR}/`))) return false;
+  if ((normalized === WORK_DIR || normalized.startsWith(localRegistryPrefix)) && !isXiashePackageRegistryFile(normalized)) {
+    return true;
+  }
+  const otherRegistryDir = WORK_DIR === '.xiashe' ? '.agentpie' : '.xiashe';
+  if (normalized === otherRegistryDir || normalized.startsWith(`${otherRegistryDir}/`)) return true;
+  return false;
+}
+
+function isXiashePackageRegistryFile(relativePath) {
+  const normalized = String(relativePath || '').replace(/\\/g, '/');
+  const allowed = new Set([
+    `${WORK_DIR}/${MANIFEST_FILE}`,
+    `${WORK_DIR}/AGENT_ACK.md`,
+    `${WORK_DIR}/REGISTRY_DISCLOSURE.md`,
+    `${WORK_DIR}/runtime-events.js`,
+    `${PUBLIC_PROTOCOL_DIR}/AGENT_ACK.md`,
+    `${PUBLIC_PROTOCOL_DIR}/REGISTRY_DISCLOSURE.md`,
+    `${PUBLIC_PROTOCOL_DIR}/runtime.yaml`
+  ]);
+  return allowed.has(normalized);
+}
+
+async function walkXiashePackageFiles(root, current = root, out = []) {
+  const entries = await readdir(current, { withFileTypes: true });
+  for (const entry of entries) {
+    const absolute = path.join(current, entry.name);
+    const relative = path.relative(root, absolute).replaceAll(path.sep, '/');
+    if (shouldIgnorePackageEntry(relative, entry.name, entry.isDirectory())) continue;
+    if (entry.isDirectory()) {
+      await walkXiashePackageFiles(root, absolute, out);
+      continue;
+    }
+    if (!entry.isFile()) continue;
+    const info = await stat(absolute);
+    if (info.size > MAX_XIASHE_PACKAGE_BYTES) {
+      throw new Error(`Package file is too large: ${relative}`);
+    }
+    out.push({ absolute, relative, size: info.size, mode: info.mode, mtime: info.mtime });
+  }
+  return out.sort((a, b) => a.relative.localeCompare(b.relative));
+}
+
+function octal(value, length) {
+  const text = Math.max(0, Math.floor(value)).toString(8);
+  return text.length >= length ? `${text.slice(-(length - 1))}\0` : `${text.padStart(length - 1, '0')}\0`;
+}
+
+function splitTarPath(name) {
+  const normalized = String(name || '').replace(/\\/g, '/');
+  if (Buffer.byteLength(normalized) <= 100) {
+    return { name: normalized, prefix: '' };
+  }
+  const parts = normalized.split('/');
+  for (let i = parts.length - 1; i > 0; i -= 1) {
+    const namePart = parts.slice(i).join('/');
+    const prefix = parts.slice(0, i).join('/');
+    if (Buffer.byteLength(namePart) <= 100 && Buffer.byteLength(prefix) <= 155) {
+      return { name: namePart, prefix };
+    }
+  }
+  throw new Error(`Package path is too long for portable tar: ${normalized}`);
+}
+
+function tarHeader(file, size) {
+  const header = Buffer.alloc(512, 0);
+  const split = splitTarPath(file.relative);
+  header.write(split.name, 0, 100, 'utf8');
+  header.write(octal(file.mode & 0o777 || 0o644, 8), 100, 8, 'ascii');
+  header.write(octal(0, 8), 108, 8, 'ascii');
+  header.write(octal(0, 8), 116, 8, 'ascii');
+  header.write(octal(size, 12), 124, 12, 'ascii');
+  header.write(octal(Math.floor(new Date(file.mtime).getTime() / 1000), 12), 136, 12, 'ascii');
+  header.fill(0x20, 148, 156);
+  header.write('0', 156, 1, 'ascii');
+  header.write('ustar', 257, 6, 'ascii');
+  header.write('00', 263, 2, 'ascii');
+  if (split.prefix) {
+    header.write(split.prefix, 345, 155, 'utf8');
+  }
+  let checksum = 0;
+  for (const byte of header) checksum += byte;
+  header.write(octal(checksum, 8), 148, 8, 'ascii');
+  return header;
+}
+
+async function createTarGz(files) {
+  const chunks = [];
+  let sourceTotalBytes = 0;
+  const sourceHash = createHash('sha256');
+  for (const file of files) {
+    const bytes = await readFile(file.absolute);
+    sourceTotalBytes += bytes.length;
+    if (sourceTotalBytes > MAX_XIASHE_PACKAGE_BYTES) {
+      throw new Error(`Package source exceeds ${Math.round(MAX_XIASHE_PACKAGE_BYTES / (1024 * 1024))}MB.`);
+    }
+    sourceHash.update(file.relative);
+    sourceHash.update('\0');
+    sourceHash.update(bytes);
+    sourceHash.update('\0');
+    chunks.push(tarHeader(file, bytes.length));
+    chunks.push(bytes);
+    const padding = (512 - (bytes.length % 512)) % 512;
+    if (padding > 0) chunks.push(Buffer.alloc(padding, 0));
+  }
+  chunks.push(Buffer.alloc(1024, 0));
+  const tar = Buffer.concat(chunks);
+  const gzipped = await gzipAsync(tar, { level: 9 });
+  if (gzipped.length > MAX_XIASHE_PACKAGE_BYTES) {
+    throw new Error(`Package artifact exceeds ${Math.round(MAX_XIASHE_PACKAGE_BYTES / (1024 * 1024))}MB.`);
+  }
+  return {
+    bytes: gzipped,
+    sourceSha256: sourceHash.digest('hex'),
+    sourceTotalBytes,
+    artifactSha256: createHash('sha256').update(gzipped).digest('hex')
+  };
+}
+
+async function buildXiashePackageArtifact(root, inspected, flags = {}) {
+  const absoluteRoot = path.resolve(root || '.');
+  const files = await walkXiashePackageFiles(absoluteRoot);
+  const manifestRelative = `${WORK_DIR}/${MANIFEST_FILE}`;
+  const skillMarkdownPresent = files.some((file) => /^SKILL(\.[a-z0-9]+)?$/i.test(file.relative));
+  const manifestPresent = files.some((file) => file.relative === manifestRelative);
+  if (!skillMarkdownPresent) {
+    throw new Error('SKILL.md is required before uploading the XiaShe complete package.');
+  }
+  if (!manifestPresent) {
+    throw new Error(`${manifestRelative} is required before uploading the XiaShe complete package.`);
+  }
+  const artifact = await createTarGz(files);
+  const artifactDir = path.resolve(flags['package-out-dir'] || path.join(absoluteRoot, WORK_DIR, 'package-artifact'));
+  await mkdir(artifactDir, { recursive: true });
+  const fileName = `${safeSkillKey(inspected.skillKey)}-${safeSkillKey(inspected.version || '0.1.0')}.tgz`;
+  const artifactPath = path.join(artifactDir, fileName);
+  await writeFile(artifactPath, artifact.bytes, { mode: 0o600 });
+  return {
+    artifactPath,
+    fileName,
+    contentType: 'application/gzip',
+    files,
+    fileCount: files.length,
+    manifestPresent,
+    skillMarkdownPresent,
+    sourceSha256: artifact.sourceSha256,
+    sourceTotalBytes: artifact.sourceTotalBytes,
+    artifactSha256: artifact.artifactSha256,
+    sizeBytes: artifact.bytes.length
+  };
+}
+
+async function uploadBytesToStorage(uploadUrl, bytes, contentType, timeoutMs = 60_000) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(uploadUrl, {
+      method: 'POST',
+      headers: { 'content-type': contentType || 'application/octet-stream' },
+      body: bytes,
+      signal: controller.signal
+    });
+    const text = await response.text();
+    let payload = {};
+    try {
+      payload = text ? JSON.parse(text) : {};
+    } catch {
+      throw new Error(`Bad upload response from ${uploadUrl}`);
+    }
+    if (!response.ok || payload.ok === false) {
+      throw new Error(payload.error || payload.message || `HTTP ${response.status}`);
+    }
+    const storageId = normalizeText(payload.storageId, 160);
+    if (!storageId) {
+      throw new Error('Upload response did not include storageId.');
+    }
+    return { ...payload, storageId };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function uploadXiashePackageArtifact(root, flags, manifestResult) {
+  if (flags.dryRun || flags['no-xiashe-package-upload']) {
+    return {
+      ok: true,
+      skipped: true,
+      reason: flags.dryRun ? 'dry_run' : 'disabled_by_flag'
+    };
+  }
+  const inspected = await inspectSkill(root, flags);
+  const registry = manifestResult.manifest?.registry || inspected.registry || {};
+  const publicToken = normalizeText(registry.publicToken, 512);
+  if (!publicToken) {
+    throw new Error('Cannot upload XiaShe package without registry publicToken.');
+  }
+  const artifact = await buildXiashePackageArtifact(root, inspected, flags);
+  const registrySourceSha256 =
+    normalizeText(manifestResult.manifest?.sourceFingerprint?.sha256, 128) ||
+    normalizeText(inspected.package?.sha256, 128) ||
+    artifact.sourceSha256;
+  const claimUrl = normalizeText(flags['claim-url'], 800) || DEFAULT_CLAIM_URL;
+  const uploadTicket =
+    manifestResult.claimPackageArtifactUpload ||
+    await postJson(
+      normalizeText(flags['package-upload-url'], 1_000) || urlForRegistryPath(claimUrl, '/registry/skill/package-upload-url', DEFAULT_PACKAGE_UPLOAD_URL),
+      {
+        publicToken,
+        idempotencyKey: registrySourceSha256
+      },
+      Number(flags['timeout-ms'] || 20_000)
+    );
+  const uploadUrl = normalizeText(uploadTicket?.uploadUrl, 2_000);
+  if (!uploadUrl) {
+    throw new Error('XiaShe package upload URL was not returned by registry.');
+  }
+  const bytes = await readFile(artifact.artifactPath);
+  const uploaded = await uploadBytesToStorage(uploadUrl, bytes, artifact.contentType, Number(flags['upload-timeout-ms'] || 90_000));
+  const attachResult = await postJson(
+    normalizeText(flags['package-artifact-url'], 1_000) || urlForRegistryPath(claimUrl, '/registry/skill/package-artifact', DEFAULT_PACKAGE_ARTIFACT_URL),
+    {
+      publicToken,
+      storageId: uploaded.storageId,
+      uploadJobId: normalizeText(uploadTicket?.uploadJobId, 160) || undefined,
+      idempotencyKey: registrySourceSha256,
+      fileName: artifact.fileName,
+      contentType: artifact.contentType,
+      packageSha256: registrySourceSha256,
+      packageFileCount: artifact.fileCount,
+      packageTotalBytes: artifact.sourceTotalBytes,
+      version: inspected.version,
+      manifestPresent: artifact.manifestPresent,
+      skillMarkdownPresent: artifact.skillMarkdownPresent,
+      creatorCardUrl: normalizeText(registry.creatorCardUrl, 800) || undefined,
+      platformSource: 'xiashe',
+      source: `${REGISTRY_PROVIDER}_skill_cli`
+    },
+    Number(flags['timeout-ms'] || 20_000)
+  );
+  return {
+    ok: true,
+    skipped: false,
+    artifactPath: artifact.artifactPath,
+    fileName: artifact.fileName,
+    sizeBytes: artifact.sizeBytes,
+    sourceSha256: registrySourceSha256,
+    packageSourceSha256: artifact.sourceSha256,
+    artifactSha256: artifact.artifactSha256,
+    fileCount: artifact.fileCount,
+    storageId: uploaded.storageId,
+    publishStatus: attachResult.publishStatus ?? null,
+    uploadJobId: attachResult.uploadJobId ?? normalizeText(uploadTicket?.uploadJobId, 160) ?? null,
+    attachResult
+  };
+}
+
 async function inspectSkill(root, flags = {}) {
   const absoluteRoot = path.resolve(root || '.');
   const info = await stat(absoluteRoot).catch(() => null);
@@ -746,14 +1034,24 @@ async function writeManifest(root, flags) {
         Number(flags['timeout-ms'] || 20_000)
       )
     : null;
-  const publicToken = normalizeText(flags['public-token'] || claim?.publicToken, 512);
+  const existingRegistry = inspected.registry || {};
+  const publicToken = normalizeText(flags['public-token'] || claim?.publicToken || existingRegistry.publicToken, 512);
   if (!publicToken) {
     throw new Error('Missing --code or --public-token.');
   }
   const now = new Date().toISOString();
   const claimCreatorProfile = normalizeCreatorProfile(claim?.creatorProfile);
-  const creatorCardUrl = normalizeText(flags['creator-card-url'] || claim?.creatorCardUrl || claimCreatorProfile?.cardUrl, 800) || null;
+  const existingCreatorProfile = normalizeCreatorProfile(existingRegistry.creatorProfile);
+  const creatorCardUrl = normalizeText(
+    flags['creator-card-url'] ||
+    claim?.creatorCardUrl ||
+    claimCreatorProfile?.cardUrl ||
+    existingRegistry.creatorCardUrl ||
+    existingCreatorProfile?.cardUrl,
+    800
+  ) || null;
   const creatorProfile = normalizeCreatorProfile({
+    ...existingCreatorProfile,
     ...claimCreatorProfile,
     cardUrl: creatorCardUrl
   });
@@ -765,15 +1063,17 @@ async function writeManifest(root, flags) {
     version: normalizeText(claim?.version, 80) || inspected.version,
     registry: {
       provider: REGISTRY_PROVIDER,
-      skillId: normalizeText(flags['skill-id'] || claim?.skillId, 160) || null,
+      skillId: normalizeText(flags['skill-id'] || claim?.skillId || existingRegistry.skillId, 160) || null,
       publicToken,
-      registryUrl: normalizeText(flags['registry-url'] || claim?.registryUrl, 800) || DEFAULT_REGISTRY_URL,
-      agentAckUrl: normalizeText(flags['agent-ack-url'], 800) || DEFAULT_AGENT_ACK_URL,
+      registryUrl: normalizeText(flags['registry-url'] || claim?.registryUrl || existingRegistry.registryUrl, 800) || DEFAULT_REGISTRY_URL,
+      agentAckUrl: normalizeText(flags['agent-ack-url'] || existingRegistry.agentAckUrl, 800) || DEFAULT_AGENT_ACK_URL,
       creatorCardUrl,
       creatorProfile,
       eventSchemaVersion: EVENT_SCHEMA_VERSION,
       signing: {
-        mode: normalizeText(flags['signing-secret'], 20) ? 'optional' : 'off',
+        mode: normalizeText(claim?.signingMode || existingRegistry.signing?.mode || existingRegistry.signingMode, 20) || (normalizeText(claim?.signingSecret || flags['signing-secret'] || existingRegistry.signing?.secret, 512) ? 'optional' : 'off'),
+        secret: normalizeText(flags['signing-secret'] || claim?.signingSecret || existingRegistry.signing?.secret, 512) || undefined,
+        secretHint: normalizeText(claim?.signingSecretHint || existingRegistry.signing?.secretHint, 80) || undefined,
         secretEnv: `${REGISTRY_PROVIDER.toUpperCase()}_SKILL_SIGNING_SECRET`
       },
       analytics: {
@@ -813,8 +1113,8 @@ async function writeManifest(root, flags) {
             hub,
             sourceSurface: hub,
             skillKey: safeSkillKey(claim?.skillKey || inspected.skillKey),
-            publicSkillId: normalizeText(flags['skill-id'] || claim?.skillId, 160) || null,
-            agentAckUrl: normalizeText(flags['agent-ack-url'], 800) || DEFAULT_AGENT_ACK_URL,
+            publicSkillId: normalizeText(flags['skill-id'] || claim?.skillId || existingRegistry.skillId, 160) || null,
+            agentAckUrl: normalizeText(flags['agent-ack-url'] || existingRegistry.agentAckUrl, 800) || DEFAULT_AGENT_ACK_URL,
             creatorCardUrl,
             creatorProfile
           }
@@ -835,7 +1135,12 @@ async function writeManifest(root, flags) {
       : path.join(inspected.root, MANIFEST_FILE);
   await mkdir(path.dirname(manifestPath), { recursive: true });
   await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`, { mode: 0o600 });
-  return { ok: true, manifestPath, manifest };
+  return {
+    ok: true,
+    manifestPath,
+    manifest,
+    claimPackageArtifactUpload: claim?.packageArtifactUpload ?? null
+  };
 }
 
 function hubInstruction(hub) {
@@ -1883,7 +2188,13 @@ async function submitTrackEvent(root, flags) {
     idempotencyKey: normalizeText(flags.idempotencyKey || flags['idempotency-key'], 220) || `${invocationId}:${eventType}`,
     occurredAt: Number.isFinite(occurredAt) ? occurredAt : Date.now()
   };
-  const signingSecret = normalizeText(flags['signing-secret'], 512);
+  const signingSecret = normalizeText(
+    flags['signing-secret'] ||
+    registry.signing?.secret ||
+    process.env[registry.signing?.secretEnv || ''] ||
+    process.env.XIASHE_SKILL_SIGNING_SECRET,
+    512
+  );
   const signature = signEventPayload(payload, signingSecret);
   if (signature) {
     payload.signature = signature;
@@ -2239,6 +2550,13 @@ async function setupAgentWorkflow(root, flags) {
     promptResults,
     packagePlans
   });
+  const xiashePackageArtifact = hubs.includes('xiashe') && REGISTRY_PROVIDER === 'xiashe'
+    ? await uploadXiashePackageArtifact(absoluteRoot, flags, manifestResult)
+    : {
+        ok: true,
+        skipped: true,
+        reason: hubs.includes('xiashe') ? 'non_xiashe_provider' : 'xiashe_not_selected'
+      };
 
   const warnings = [];
   const promptEvents = [];
@@ -2273,10 +2591,14 @@ async function setupAgentWorkflow(root, flags) {
     agentAckPath,
     disclosurePath,
     snippetPath: snippetResult ? snippetResult.outPath : null,
+    xiashePackageArtifact,
     promptEvents,
     warnings,
     publicProtocol,
     next: [
+      xiashePackageArtifact?.skipped
+        ? `XiaShe complete package upload was skipped (${xiashePackageArtifact.reason}).`
+        : `XiaShe complete package uploaded: ${path.relative(absoluteRoot, xiashePackageArtifact.artifactPath)} (${xiashePackageArtifact.publishStatus || 'queued'}).`,
       `Use ${path.relative(absoluteRoot, handoffPath)} as the single Agent handoff. The Agent should not ask the user to manually pick registry files.`,
       `Use ${path.relative(absoluteRoot, profilesPath)} and package-<hub>.json as the platform review profiles and upload allowlists.`,
       publicProtocol
@@ -2345,6 +2667,9 @@ async function main() {
           ...result.packagePlanPaths.map((item) => `Package plan (${item.hub}): ${item.planPath}`),
           result.skillMdPath ? `Updated: ${result.skillMdPath}` : null,
           result.publicProtocol ? `Public Red protocol: ${result.publicProtocol.runtimePath}, ${result.publicProtocol.agentAckPath}, ${result.publicProtocol.disclosurePath}` : null,
+          result.xiashePackageArtifact && !result.xiashePackageArtifact.skipped
+            ? `XiaShe package: ${result.xiashePackageArtifact.artifactPath} (${result.xiashePackageArtifact.publishStatus || 'queued'})`
+            : null,
           `Disclosure: ${result.disclosurePath}`,
           result.snippetPath ? `Runtime snippet: ${result.snippetPath}` : null,
           ...result.warnings.map((warning) => `Warning: ${warning}`),
@@ -2352,10 +2677,10 @@ async function main() {
           'Next:',
           '- Treat the target platform official upload flow as authoritative.',
           '- Use the handoff file as the only XiaShe registry checklist.',
-          '- Before uploading, check whether this Skill already has a draft, submitted review, or published listing for the selected target; skip duplicate uploads and verify/update the existing record when possible.',
+          '- XiaShe complete package upload is already handled by this command when the xiashe target is selected.',
+          '- Before uploading to third-party targets, check whether this Skill already has a draft, submitted review, or published listing for the selected target; skip duplicate uploads and verify/update the existing record when possible.',
           '- Check upload readiness and runtime readiness separately before submission.',
-          '- For XiaShe Store, run `npx -y @xiashe/cli skills publish draft . --source xiashe`; it should use the local registry public token first and create or reuse a searchable listing without creator login.',
-          '- Only ask for creator CLI login if the registry public token is missing or rejected.',
+          '- Only ask for creator CLI login if a separate store-management command is needed and the registry public token is missing or rejected.',
           '- For Markdown/TXT-only platforms, copy the disclosure text into an allowed public field instead of uploading registry JSON.',
           '- Only count runtime usage when the Skill or Agent callback sends real runtime events.'
         ].filter(Boolean);
@@ -2377,6 +2702,9 @@ async function main() {
           result.publicProtocol ? `Wrote ${result.publicProtocol.runtimePath}` : null,
           result.publicProtocol ? `Wrote ${result.publicProtocol.agentAckPath}` : null,
           result.publicProtocol ? `Wrote ${result.publicProtocol.disclosurePath}` : null,
+          result.xiashePackageArtifact && !result.xiashePackageArtifact.skipped
+            ? `Uploaded XiaShe package ${result.xiashePackageArtifact.artifactPath} (${result.xiashePackageArtifact.publishStatus || 'queued'})`
+            : null,
           `Wrote ${result.disclosurePath}`,
           result.snippetPath ? `Wrote ${result.snippetPath}` : null,
           ...result.warnings.map((warning) => `Warning: ${warning}`),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xiashe/skill",
-  "version": "0.1.17",
+  "version": "0.1.19",
   "type": "module",
   "bin": {
     "xiashe-skill": "bin/xiashe-skill.mjs"