drafted 1.8.5 → 1.9.0

package/cli/drafted.mjs

@@ -1200,6 +1200,13 @@ const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
 // as the body only (name/description/triggerPatterns are columns), so we prepend
 // YAML frontmatter — JSON scalars are valid YAML — for Causeway's projection and
 // Claude's native loader to read.
+// normalizeSetup mirrors the server (server/lib/skill-hash.mjs) — keep in lockstep.
+function normalizeSetup(setup) {
+  if (setup == null) return [];
+  const arr = Array.isArray(setup) ? setup : [setup];
+  return arr.filter((s) => typeof s === 'string' && s.trim().length > 0);
+}
+
 function synthesizeSkillMd(skill) {
   const lines = ['---', `name: ${JSON.stringify(skill.name || skill.slug || '')}`];
   if (skill.description) lines.push(`description: ${JSON.stringify(skill.description)}`);
@@ -1208,6 +1215,15 @@ function synthesizeSkillMd(skill) {
     lines.push('triggerPatterns:');
     for (const t of triggers) lines.push(`  - ${JSON.stringify(t)}`);
   }
+  // `setup` emitted ONLY when present, so a skill without it produces the exact
+  // SKILL.md (and hash) it did before the field existed. Must match the server.
+  const setup = normalizeSetup(skill.setup);
+  if (setup.length === 1 && typeof skill.setup === 'string') {
+    lines.push(`setup: ${JSON.stringify(setup[0])}`);
+  } else if (setup.length) {
+    lines.push('setup:');
+    for (const s of setup) lines.push(`  - ${JSON.stringify(s)}`);
+  }
   lines.push('---', '');
   return lines.join('\n') + (skill.content || '');
 }
@@ -1223,15 +1239,29 @@ function bundleHash(files) {
   return h.digest('hex').slice(0, 12);
 }
 
-async function syncOneSkill(ref, outDir) {
+// Build an `unresolvable` reason from a failed resolve response (404/403),
+// naming the org when --org was used so Causeway can render `✗ unresolvable
+// (org X)` instead of a silent miss.
+async function unresolvableReason(res, org) {
+  let why = 'skill not found';
+  try { const e = await res.json(); if (e && e.error) why = e.error; } catch { /* keep default */ }
+  if (org && !why.toLowerCase().includes(String(org).toLowerCase())) return `${why} (org ${org})`;
+  return why;
+}
+
+async function syncOneSkill(ref, outDir, org) {
   const at = ref.lastIndexOf('@');
   const idOrSlug = at > 0 ? ref.slice(0, at) : ref;
   const server = getServerUrl().replace(/\/$/, '');
+  // --org binds resolution to a specific org per-request (X-Drafted-Org header);
+  // the server validates it against the caller's memberships and never mutates
+  // the shared session's active org. Omitted -> ambient session org (unchanged).
+  const orgHeaders = org ? { 'X-Drafted-Org': org } : {};
   const loadUrl = UUID_RE.test(idOrSlug)
     ? `${server}/api/skills/${idOrSlug}`
     : `${server}/api/skills/slug/${encodeURIComponent(idOrSlug)}`;
-  const res = await authFetch(loadUrl);
-  if (res.status === 404) return { ref, slug: '', hash: '', status: 'unresolvable', error: 'skill not found' };
+  const res = await authFetch(loadUrl, { headers: orgHeaders });
+  if (res.status === 404 || res.status === 403) return { ref, slug: '', hash: '', status: 'unresolvable', error: await unresolvableReason(res, org) };
   if (!res.ok) return { ref, slug: '', hash: '', status: 'error', error: `HTTP ${res.status}` };
   const skill = await res.json();
   const slug = skill.slug || idOrSlug;
@@ -1240,12 +1270,14 @@ async function syncOneSkill(ref, outDir) {
   for (const p of Array.isArray(skill.files) ? skill.files : []) {
     if (typeof p !== 'string' || p.includes('..')) continue;
     const encoded = p.split('/').map(encodeURIComponent).join('/');
-    const fr = await authFetch(`${server}/api/skills/${skill.id}/files/${encoded}`);
+    const fr = await authFetch(`${server}/api/skills/${skill.id}/files/${encoded}`, { headers: orgHeaders });
     if (!fr.ok) return { ref, slug, hash: '', status: 'error', error: `file ${p}: HTTP ${fr.status}` };
     const fdata = await fr.json();
     files[p] = typeof fdata === 'string' ? fdata : (fdata.content || '');
   }
-  const hash = bundleHash(files);
+  // Drafted is the hash authority — prefer the server-reported hash; fall back to
+  // local bundle compute only for older servers that don't return one.
+  const hash = skill.hash || bundleHash(files);
 
   const base = join(outDir, slug);
   for (const [rel, content] of Object.entries(files)) {
@@ -1262,6 +1294,7 @@ skillCmd
   .description('Materialize pinned skills into a local cache dir (Causeway seam)')
   .option('--ref <ref>', 'skill ref slug[@hash] (repeatable)', (v, acc) => { acc.push(v); return acc; }, [])
   .requiredOption('--out <dir>', 'output directory for bundles')
+  .option('--org <org>', 'resolve against this Drafted org (id or name); scopes per-request without switching the session')
   .option('--format <fmt>', 'output format: json or text', 'text')
   .action(async (opts) => {
     requireLogin();
@@ -1271,7 +1304,7 @@ skillCmd
     let allOk = refs.length > 0;
     for (const ref of refs) {
       try {
-        const r = await syncOneSkill(ref, opts.out);
+        const r = await syncOneSkill(ref, opts.out, opts.org);
         results.push(r);
         if (r.status !== 'ok') allOk = false;
       } catch (err) {
@@ -1317,14 +1350,14 @@ skillCmd
     const server = getServerUrl().replace(/\/$/, '');
     const res = await authFetch(`${server}/api/skills`, {
       method: 'POST', headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ name: p.name, description: p.description, content: p.content, tags: p.tags, triggerPatterns: p.triggerPatterns }),
+      body: JSON.stringify({ name: p.name, description: p.description, content: p.content, tags: p.tags, triggerPatterns: p.triggerPatterns, setup: p.setup }),
     });
     const data = await res.json().catch(() => ({}));
     if (!res.ok) {
       emitSkillResult(opts.format, { status: res.status === 409 ? 'conflict' : 'error', error: data.error || `HTTP ${res.status}` });
       process.exit(1);
     }
-    emitSkillResult(opts.format, { status: 'ok', slug: data.slug, id: data.id, hash: bundleHash({ 'SKILL.md': synthesizeSkillMd(data) }) });
+    emitSkillResult(opts.format, { status: 'ok', slug: data.slug, id: data.id, hash: data.hash || bundleHash({ 'SKILL.md': synthesizeSkillMd(data) }) });
   });
 
 skillCmd
@@ -1347,34 +1380,39 @@ skillCmd
     if (!id) { emitSkillResult(opts.format, { status: 'error', error: 'update requires --id or --slug' }); process.exit(1); }
     const res = await authFetch(`${server}/api/skills/${id}`, {
       method: 'PUT', headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ name: p.name, description: p.description, content: p.content, tags: p.tags, triggerPatterns: p.triggerPatterns }),
+      body: JSON.stringify({ name: p.name, description: p.description, content: p.content, tags: p.tags, triggerPatterns: p.triggerPatterns, setup: p.setup }),
     });
     const data = await res.json().catch(() => ({}));
     if (!res.ok) {
       emitSkillResult(opts.format, { status: res.status === 404 ? 'unresolvable' : 'error', error: data.error || `HTTP ${res.status}` });
       process.exit(1);
     }
-    emitSkillResult(opts.format, { status: 'ok', slug: data.slug, id: data.id, hash: bundleHash({ 'SKILL.md': synthesizeSkillMd(data) }) });
+    emitSkillResult(opts.format, { status: 'ok', slug: data.slug, id: data.id, hash: data.hash || bundleHash({ 'SKILL.md': synthesizeSkillMd(data) }) });
   });
 
 // check reports the current canonical hash for refs WITHOUT materializing — the
 // Causeway freshness probe. Hash is computed the same way as sync, so a check
 // hash and a sync hash for the same skill match.
-async function checkOneSkill(ref) {
+async function checkOneSkill(ref, org) {
   const at = ref.lastIndexOf('@');
   const idOrSlug = at > 0 ? ref.slice(0, at) : ref;
   const server = getServerUrl().replace(/\/$/, '');
+  const orgHeaders = org ? { 'X-Drafted-Org': org } : {};
   const loadUrl = UUID_RE.test(idOrSlug)
     ? `${server}/api/skills/${idOrSlug}`
     : `${server}/api/skills/slug/${encodeURIComponent(idOrSlug)}`;
-  const res = await authFetch(loadUrl);
-  if (res.status === 404) return { ref, slug: '', hash: '', status: 'unresolvable' };
+  const res = await authFetch(loadUrl, { headers: orgHeaders });
+  if (res.status === 404 || res.status === 403) return { ref, slug: '', hash: '', status: 'unresolvable', error: await unresolvableReason(res, org) };
   if (!res.ok) return { ref, slug: '', hash: '', status: 'error', error: `HTTP ${res.status}` };
   const skill = await res.json();
+  // Drafted is the hash authority — when the server reports a hash, trust it and
+  // skip the per-file fetches entirely (cheap freshness probe). Older servers
+  // without a reported hash fall back to local bundle compute.
+  if (skill.hash) return { ref, slug: skill.slug, hash: skill.hash, status: 'ok', updatedAt: skill.updatedAt };
   const files = { 'SKILL.md': synthesizeSkillMd(skill) };
   for (const p of Array.isArray(skill.files) ? skill.files : []) {
     if (typeof p !== 'string' || p.includes('..')) continue;
-    const fr = await authFetch(`${server}/api/skills/${skill.id}/files/${p.split('/').map(encodeURIComponent).join('/')}`);
+    const fr = await authFetch(`${server}/api/skills/${skill.id}/files/${p.split('/').map(encodeURIComponent).join('/')}`, { headers: orgHeaders });
     if (!fr.ok) return { ref, slug: skill.slug, hash: '', status: 'error', error: `file ${p}: HTTP ${fr.status}` };
     const fdata = await fr.json();
     files[p] = typeof fdata === 'string' ? fdata : (fdata.content || '');
@@ -1386,12 +1424,13 @@ skillCmd
   .command('check')
   .description('Report the current canonical hash for refs without materializing (freshness)')
   .option('--ref <ref>', 'skill ref (repeatable)', (v, acc) => { acc.push(v); return acc; }, [])
+  .option('--org <org>', 'resolve against this Drafted org (id or name); scopes per-request without switching the session')
   .option('--format <fmt>', 'output format: json or text', 'text')
   .action(async (opts) => {
     requireLogin();
     const results = [];
     for (const ref of (opts.ref || [])) {
-      try { results.push(await checkOneSkill(ref)); }
+      try { results.push(await checkOneSkill(ref, opts.org)); }
       catch (e) { results.push({ ref, slug: '', hash: '', status: 'error', error: String((e && e.message) || e) }); }
     }
     if (opts.format === 'json') console.log(JSON.stringify(results));
@@ -1415,4 +1454,96 @@ skillCmd
     emitSkillResult(opts.format, { status: 'ok', id: opts.id });
   });
 
+// Resolve --slug -> id (honoring --org), shared by fork/push. Returns id or null.
+async function resolveSkillId(opts, server, orgHeaders) {
+  if (opts.id) return opts.id;
+  if (!opts.slug) return null;
+  const lookup = await authFetch(`${server}/api/skills/slug/${encodeURIComponent(opts.slug)}`, { headers: orgHeaders });
+  if (!lookup.ok) return null;
+  return (await lookup.json().catch(() => ({}))).id || null;
+}
+
+skillCmd
+  .command('fork')
+  .description('Fork a skill into your org so you can edit it (block-then-fork; system/other-org skills are read-only)')
+  .option('--id <id>', 'source skill id')
+  .option('--slug <slug>', 'source skill slug (resolved to id)')
+  .option('--org <org>', 'fork into / resolve against this Drafted org (id or name)')
+  .option('--format <fmt>', 'output format: json or text', 'text')
+  .action(async (opts) => {
+    requireLogin();
+    const server = getServerUrl().replace(/\/$/, '');
+    const orgHeaders = opts.org ? { 'X-Drafted-Org': opts.org } : {};
+    const id = await resolveSkillId(opts, server, orgHeaders);
+    if (!id) { emitSkillResult(opts.format, { status: 'unresolvable', error: opts.slug ? `slug ${opts.slug} not found` : 'fork requires --id or --slug' }); process.exit(1); }
+    const res = await authFetch(`${server}/api/skills/${id}/fork`, { method: 'POST', headers: { 'Content-Type': 'application/json', ...orgHeaders } });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      const status = res.status === 409 ? 'conflict' : (res.status === 404 || res.status === 403 ? 'unresolvable' : 'error');
+      emitSkillResult(opts.format, { status, slug: data.slug, error: data.error || `HTTP ${res.status}` });
+      process.exit(1);
+    }
+    emitSkillResult(opts.format, { status: 'ok', slug: data.slug, id: data.id, hash: data.hash });
+  });
+
+// collectSkillTree walks a local source tree for `skill push`, pre-filtering heavy
+// dirs and any local .skillignore as a convenience so we don't ship a node_modules
+// tree over the wire. The SERVER re-runs the authoritative hygiene pipeline.
+function collectSkillTree(dir) {
+  const root = resolve(dir);
+  if (!existsSync(root) || !statSync(root).isDirectory()) throw new Error(`not a directory: ${dir}`);
+  const SKIP_DIRS = new Set(['node_modules', '.git', '.venv', 'venv', '__pycache__', 'dist', 'build', '.next', 'target', 'coverage', '.cache', '.turbo', '.gradle', 'Pods', '.terraform']);
+  let ignore = () => false;
+  const ignPath = join(root, '.skillignore');
+  if (existsSync(ignPath)) {
+    const pats = readFileSync(ignPath, 'utf8').split(/\r?\n/).map((l) => l.trim()).filter((l) => l && !l.startsWith('#'));
+    ignore = (rel) => pats.some((p) => { const d = p.replace(/\/$/, ''); return rel === d || rel.startsWith(d + '/') || rel.split('/').pop() === d; });
+  }
+  const out = [];
+  const walk = (abs, rel) => {
+    for (const name of readdirSync(abs)) {
+      const childAbs = join(abs, name);
+      const childRel = rel ? `${rel}/${name}` : name;
+      const st = statSync(childAbs);
+      if (st.isDirectory()) { if (SKIP_DIRS.has(name) || ignore(childRel)) continue; walk(childAbs, childRel); }
+      else if (st.isFile()) {
+        if (ignore(childRel)) continue;
+        const content = readFileSync(childAbs, 'utf8');
+        if (content.includes('\x00')) continue; // skip binary; server rejects it anyway
+        out.push({ path: childRel, content });
+      }
+    }
+  };
+  walk(root, '');
+  return out;
+}
+
+skillCmd
+  .command('push')
+  .description('Push a local source tree into a skill (bulk ingest; server strips artifacts + enforces caps)')
+  .option('--id <id>', 'skill id')
+  .option('--slug <slug>', 'skill slug (resolved to id)')
+  .requiredOption('--dir <dir>', 'local source tree to push')
+  .option('--org <org>', 'resolve against this Drafted org (id or name)')
+  .option('--delete-missing', 'remove stored files not present in the pushed tree')
+  .option('--format <fmt>', 'output format: json or text', 'text')
+  .action(async (opts) => {
+    requireLogin();
+    const server = getServerUrl().replace(/\/$/, '');
+    const orgHeaders = opts.org ? { 'X-Drafted-Org': opts.org } : {};
+    const id = await resolveSkillId(opts, server, orgHeaders);
+    if (!id) { emitSkillResult(opts.format, { status: 'unresolvable', error: opts.slug ? `slug ${opts.slug} not found` : 'push requires --id or --slug' }); process.exit(1); }
+    let files;
+    try { files = collectSkillTree(opts.dir); }
+    catch (e) { emitSkillResult(opts.format, { status: 'error', error: String((e && e.message) || e) }); process.exit(1); }
+    const res = await authFetch(`${server}/api/skills/${id}/files/bulk`, {
+      method: 'POST', headers: { 'Content-Type': 'application/json', ...orgHeaders },
+      body: JSON.stringify({ files, deleteMissing: !!opts.deleteMissing }),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) { emitSkillResult(opts.format, { status: 'error', id, error: data.error || `HTTP ${res.status}` }); process.exit(1); }
+    if (opts.format === 'json') console.log(JSON.stringify({ status: 'ok', id, hash: data.hash, count: data.count, stripped: data.stripped, files: data.files }));
+    else console.log(`ok\t${id}\t${data.hash}\tpushed ${data.count}${data.stripped ? `, stripped ${data.stripped}` : ''}`);
+  });
+
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drafted",
-  "version": "1.8.5",
+  "version": "1.9.0",
   "description": "Drafted — visual thinking surface for humans and AI agents. Renders HTML, markdown, images, and code as frames on a zoomable canvas, with MCP tools for AI agents and real-time sync for humans.",
   "type": "module",
   "files": [