happyskills 0.37.0 → 0.39.0

package/CHANGELOG.md

@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [0.39.0] - 2026-05-01
+
+### Removed
+- **BREAKING:** Remove the `refresh` command (and its `r` alias) entirely. Its smart-batch-check behavior is now the default for `update` — see the Changed entry below. The `r` alias is also removed. Anyone scripting `happyskills refresh ...` should switch to `happyskills update --all -y --json` (same outcome, same JSON shape under `.data.results`).
+
+### Changed
+- **BREAKING (behavior):** `update [--all]` is now smart by default. It runs one `POST /repos:check-updates` batch call against the registry and only re-installs skills that are actually outdated. Skills already at the latest version are left alone (no download). Previously `update --all` always re-installed every locked skill regardless of version. Pass `--force` to opt back into the legacy "always re-install" behavior (now also overwrites local modifications, replacing the previous narrow meaning of `--force`).
+- For `--all`, only **root-level** skills are checked (transitive dependencies follow their parents through the install pipeline). For a specific target, any locked skill works.
+- `update --json` output shape now mirrors what `refresh --json` returned: `{ results, outdated_count, up_to_date_count, updated, skipped, already_up_to_date, errors }` plus `symlink_repairs`. With `--force`, the shape is the simpler `{ updated, count, forced: true }`.
+
+### Migration
+- Replace `happyskills refresh` → `happyskills update --all`
+- Replace `happyskills refresh -y --json` → `happyskills update --all -y --json`
+- If you actually wanted the old `update --all` behavior (force re-install regardless of version), now use `happyskills update --all --force`
+
+## [0.38.0] - 2026-05-01
+
+### Changed
+- **BREAKING:** Make `--limit` required for the `search` command — there is no default. Running `happyskills search ...` without `--limit` now returns a usage error (exit code 2). The previous hidden default of 10 caused AI-agent callers to miss results without realizing a limit was being applied. Affects both smart-search and `--exact` keyword modes. Update help text and all examples to show `--limit` explicitly.
+
+### Fixed
+- Fix `search --workspace <slug>` (in browse mode with no query, and in `--exact` keyword mode) silently excluding private skills the caller has access to. The CLI was omitting the auth token when only `--workspace` was specified without `--mine` or `--personal`, causing the API to fall back to public-only results. The auth token is now always attached when one is available, regardless of the search mode.
+
 ## [0.37.0] - 2026-04-25
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "happyskills",
-	"version": "0.37.0",
+	"version": "0.39.0",
 	"description": "Package manager for AI agent skills",
 	"license": "SEE LICENSE IN LICENSE",
 	"author": "Nicolas Dao <nic@cloudlesslabs.com> (https://cloudlesslabs.com)",

package/src/api/repos.js

@@ -10,8 +10,7 @@ const search = (query, options = {}) => catch_errors('Search failed', async () =
 	if (options.workspace) params.set('workspace', options.workspace)
 	if (options.tags) params.set('tags', options.tags)
 	if (options.type) params.set('type', options.type)
-	const needs_auth = options.scope && options.scope !== 'public'
-	const [errors, data] = await client.get(`/repos/search?${params}`, { auth: needs_auth || false })
+	const [errors, data] = await client.get(`/repos/search?${params}`)
 	if (errors) throw errors[errors.length - 1]
 	return data
 })

package/src/commands/search.js

@@ -23,21 +23,21 @@ Options:
   --tags <tags>           Filter by tags (comma-separated)
   --type <type>           Filter by type (skill, kit)
   --exact                 Use keyword-only matching instead of smart search
-  --limit <n>             Max results (default: 10, max: 50)
+  --limit <n>             Max results (required, 1-50)
   --min-quality <n>       Minimum quality score 0-100
   --json                  Output as JSON
 
 Aliases: s
 
 Examples:
-  happyskills search deploy
-  happyskills search "REST API with Node.js"
-  happyskills search --mine
-  happyskills search deploy --workspace acme
-  happyskills search --type kit
-  happyskills s --personal --json
+  happyskills search deploy --limit 10
+  happyskills search "REST API with Node.js" --limit 10
+  happyskills search --mine --limit 20
+  happyskills search deploy --workspace acme --limit 50
+  happyskills search --type kit --limit 10
+  happyskills s --personal --json --limit 20
   happyskills search "deploy to AWS" --limit 5
-  happyskills search deploy --exact`
+  happyskills search deploy --exact --limit 10`
 
 const QUALITY_TIERS = [
 	{ min: 80, label: 'High quality', color: cyan },
@@ -95,7 +95,7 @@ const format_smart_result = (item, index) => {
 }
 
 const run_smart_search = (args, query, options) => catch_errors('Smart search failed', async () => {
-	const limit = args.flags.limit ? parseInt(args.flags.limit) : 10
+	const limit = parseInt(args.flags.limit)
 	const capped_limit = Math.min(Math.max(limit, 1), 50)
 	const min_quality = args.flags['min-quality'] != null ? parseInt(args.flags['min-quality']) : null
 
@@ -230,6 +230,10 @@ const run = (args) => catch_errors('Search failed', async () => {
 		throw new UsageError('Please provide a search query or use --mine, --personal, or --workspace.')
 	}
 
+	if (!args.flags.limit) {
+		throw new UsageError('--limit is required. Specify the number of results you want (e.g. --limit 10).')
+	}
+
 	if (type && !VALID_SKILL_TYPES.includes(type)) {
 		throw new UsageError(`--type must be one of: ${VALID_SKILL_TYPES.join(', ')}`)
 	}

package/src/commands/update.js

@@ -1,31 +1,65 @@
 const { error: { catch_errors, wrap_errors: e } } = require('puffy-core')
 const { install } = require('../engine/installer')
 const { read_lock, get_all_locked_skills, get_via } = require('../lock/reader')
+const { read_manifest } = require('../manifest/reader')
 const { detect_status } = require('../merge/detector')
-const { print_help, print_success, print_info, print_warn, print_json } = require('../ui/output')
+const repos_api = require('../api/repos')
+const { print_help, print_table, print_json, print_info, print_success, print_warn, print_hint, code } = require('../ui/output')
+const { green, yellow, red } = require('../ui/colors')
+const { create_spinner } = require('../ui/spinner')
 const { exit_with_error, UsageError } = require('../utils/errors')
 const { find_project_root, lock_root, skills_dir, skill_install_dir } = require('../config/paths')
-const { EXIT_CODES } = require('../constants')
+const { EXIT_CODES, SKILL_TYPES } = require('../constants')
+const { resolve_agents, verify_and_repair_symlinks } = require('../agents')
+const { is_skill_enabled } = require('../agents/status')
 
 const HELP_TEXT = `Usage: happyskills update [owner/skill|--all] [options]
 
-Upgrade skills to latest compatible versions.
+Bring installed skills up to date. By default, checks each skill against the
+registry (one batch API call) and only re-installs skills that are actually
+outdated. Skills already at the latest version are left alone — no download,
+no work. Use --force to re-install regardless of version.
 
 Arguments:
-  owner/skill       Update specific skill (optional)
+  owner/skill       Update a specific skill (optional)
 
 Options:
-  --all             Update all installed skills
+  --all             Update all installed root-level skills
+  --force           Re-install regardless of version. Also overwrites skills
+                    with local modifications.
   -g, --global      Update globally installed skills
   -y, --yes         Skip confirmation prompts
+  --agents <list>   Target specific agents (comma-separated). Default: auto-detect
   --json            Output as JSON
 
 Aliases: up
 
 Examples:
-  happyskills update acme/deploy-aws
-  happyskills up --all
-  happyskills up -g --all`
+  happyskills update acme/deploy-aws       # update one skill if outdated
+  happyskills up --all                     # check + update all outdated skills
+  happyskills up --all --force             # force re-install everything
+  happyskills up --all -y --json           # batch mode, no prompt`
+
+/**
+ * Returns true if the lock entry's dependencies differ from the installed
+ * skill.json's dependencies — indicates the lock file is stale relative to
+ * the on-disk manifest.
+ */
+const has_dependency_drift = (lock_entry, manifest) => {
+	if (!manifest) return false
+	const lock_deps = JSON.stringify(lock_entry.dependencies || {})
+	const manifest_deps = JSON.stringify(manifest.dependencies || {})
+	return lock_deps !== manifest_deps
+}
+
+const confirm_prompt = (question) => new Promise((resolve) => {
+	const readline = require('readline')
+	const rl = readline.createInterface({ input: process.stdin, output: process.stderr })
+	rl.question(question, (answer) => {
+		rl.close()
+		resolve(answer.trim().toLowerCase())
+	})
+})
 
 const run = (args) => catch_errors('Update failed', async () => {
 	if (args.flags._show_help) {
@@ -36,80 +70,241 @@ const run = (args) => catch_errors('Update failed', async () => {
 	const project_root = find_project_root()
 	const target_skill = args._[0]
 	const update_all = args.flags.all || false
+	const force = args.flags.force || false
+	const auto_yes = args.flags.yes || false
+	const is_global = args.flags.global || false
 
 	if (!target_skill && !update_all) {
 		throw new UsageError("Specify a skill to update or use --all (e.g., 'happyskills update acme/deploy-aws' or 'happyskills update --all').")
 	}
 
-	const is_global = args.flags.global || false
 	const [, lock_data] = await read_lock(lock_root(is_global, project_root))
 	const skills = get_all_locked_skills(lock_data)
+	const base_dir = skills_dir(is_global, project_root)
 
-	const to_update = target_skill
-		? [[target_skill, skills[target_skill]]]
-		: Object.entries(skills).filter(([, data]) => data !== null)
+	// Determine which skills to consider.
+	// For --all, only root-level skills (transitive deps come along through their parents).
+	// For a specific target, allow any locked skill.
+	const candidates = target_skill
+		? (skills[target_skill] ? [[target_skill, skills[target_skill]]] : [])
+		: Object.entries(skills).filter(([, data]) => data && data.requested_by?.includes('__root__'))
 
-	if (to_update.length === 0) {
+	if (candidates.length === 0) {
+		if (target_skill) {
+			throw new UsageError(`${target_skill} is not installed. Run 'happyskills install ${target_skill}' first.`)
+		}
 		if (args.flags.json) {
-			print_json({ data: { updated: [], already_up_to_date: [], count: 0 } })
+			print_json({ data: { results: [], outdated_count: 0, up_to_date_count: 0, updated: [], already_up_to_date: [], errors: [] } })
 			return
 		}
-		print_info('No skills to update.')
+		print_info('No skills installed.')
 		return
 	}
 
-	const options = {
-		global: is_global,
-		fresh: true,
-		agents: args.flags.agents || undefined,
-		project_root
+	// ─── --force path: skip the version check, re-install everything ─────────
+	if (force) {
+		const options = { global: is_global, fresh: true, force: true, agents: args.flags.agents || undefined, project_root }
+		const updated = []
+		for (const [name, data] of candidates) {
+			const before_version = data?.version || null
+			const spinner = !args.flags.json ? create_spinner(`Re-installing ${name}…`) : null
+			const [errors, result] = await install(name, options)
+			if (errors) {
+				spinner?.fail(`Failed to re-install ${name}`)
+				throw e(`Update ${name} failed`, errors)
+			}
+			spinner?.succeed(`Re-installed ${name}@${result.version}`)
+			updated.push({ skill: name, from: before_version, to: result.version, via: get_via(data) })
+		}
+		if (args.flags.json) {
+			print_json({ data: { updated, count: updated.length, forced: true } })
+			return
+		}
+		if (updated.length > 0) {
+			print_success(`Re-installed ${updated.length} skill(s) (--force).`)
+		}
+		return
 	}
 
-	const updated = []
-	const already_up_to_date = []
+	// ─── Default smart path: batch-check, then install only outdated ─────────
+	const spinner = !args.flags.json ? create_spinner('Checking for updates…') : null
+	const skill_names = candidates.map(([name]) => name)
+	const [batch_err, batch_data] = await repos_api.check_updates(skill_names)
 
-	const base_dir = skills_dir(is_global, project_root)
-	const force = args.flags.force || false
+	const results = []
+	if (batch_err) {
+		spinner?.fail('Failed to check for updates')
+		for (const [name, data] of candidates) {
+			results.push({ skill: name, installed: data.version, latest: 'error', status: 'error' })
+		}
+	} else {
+		spinner?.succeed('Checked for updates')
 
-	// Detect local modifications for all skills in parallel
-	const modified_set = new Set()
-	if (!force) {
-		const detections = await Promise.all(to_update.map(([name, data]) => {
-			if (!data) return { name, modified: false }
+		// Read installed manifests in parallel for dependency-drift detection
+		const manifest_map = {}
+		await Promise.all(candidates.map(async ([name]) => {
 			const short_name = name.split('/')[1] || name
 			const dir = skill_install_dir(base_dir, short_name)
-			return detect_status(data, dir).then(([, det]) => ({ name, modified: det?.local_modified || false }))
+			const [, manifest] = await read_manifest(dir)
+			if (manifest) manifest_map[name] = manifest
 		}))
-		for (const { name, modified } of detections) {
-			if (modified) modified_set.add(name)
+
+		for (const [name, data] of candidates) {
+			const info = batch_data?.results?.[name]
+			if (info?.access_denied) {
+				results.push({ skill: name, installed: data.version, latest: '-', status: 'no-access' })
+			} else if (!info || !info.latest_version) {
+				results.push({ skill: name, installed: data.version, latest: '-', status: 'unknown' })
+			} else if (data.base_commit && info.commit && data.base_commit !== info.commit) {
+				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
+			} else if (!data.base_commit && info.latest_version !== data.version) {
+				// Fallback to version comparison for old lock files without base_commit
+				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
+			} else if (has_dependency_drift(data, manifest_map[name])) {
+				// Lock dependencies are stale compared to installed skill.json
+				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
+			} else {
+				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'up-to-date' })
+			}
 		}
 	}
 
-	for (const [name, data] of to_update) {
-		if (modified_set.has(name)) {
-			print_warn(`${name} has local modifications. Use --force to discard, or 'happyskills pull' to merge.`)
-			continue
+	const outdated = results.filter(r => r.status === 'outdated')
+	const up_to_date = results.filter(r => r.status === 'up-to-date')
+
+	// Verify and repair symlinks (even when nothing is outdated)
+	const [, agents_data] = await resolve_agents(args.flags.agents)
+	const detected_agents = agents_data?.agents || []
+	let symlink_repairs = []
+	if (detected_agents.length > 0) {
+		const skills_to_check = []
+		for (const [name, data] of Object.entries(skills)) {
+			if (data?.type === SKILL_TYPES.KIT) continue
+			const short_name = name.split('/')[1] || name
+			const source_dir = skill_install_dir(base_dir, short_name)
+			const [, enabled] = await is_skill_enabled(short_name, detected_agents, is_global, project_root)
+			if (enabled) {
+				skills_to_check.push({ skill_name: short_name, source_dir })
+			}
 		}
+		if (skills_to_check.length > 0) {
+			const link_spinner = !args.flags.json ? create_spinner('Verifying symlinks…') : null
+			const [, repair_result] = await verify_and_repair_symlinks(skills_to_check, detected_agents, { global: is_global, project_root })
+			symlink_repairs = repair_result?.repaired || []
+			if (symlink_repairs.length > 0) {
+				link_spinner?.succeed(`Repaired ${symlink_repairs.length} symlink(s)`)
+			} else {
+				link_spinner?.succeed('All symlinks verified')
+			}
+		}
+	}
 
-		const before_version = data?.version || null
-		const [errors, result] = await install(name, options)
-		if (errors) throw e(`Update ${name} failed`, errors)
-		if (!result.no_op) {
-			updated.push({ skill: name, from: before_version, to: result.version, via: get_via(data) })
+	// If nothing to update, report and exit
+	if (outdated.length === 0) {
+		if (args.flags.json) {
+			print_json({ data: { results, outdated_count: 0, up_to_date_count: up_to_date.length, updated: [], already_up_to_date: up_to_date.map(r => ({ skill: r.skill, version: r.installed })), symlink_repairs, errors: [] } })
+			return
+		}
+		print_table(['Skill', 'Installed', 'Latest', 'Status'], results.map(r => [
+			r.skill, r.installed, r.latest, green(r.status)
+		]))
+		console.log()
+		if (symlink_repairs.length > 0) {
+			print_success(`All skills are up to date. Repaired ${symlink_repairs.length} symlink(s).`)
 		} else {
-			already_up_to_date.push({ skill: name, version: result.version, via: get_via(data) })
+			print_success('All skills are up to date.')
 		}
+		return
 	}
 
+	// Show results table (non-json)
+	if (!args.flags.json) {
+		const status_colors = { 'up-to-date': green, 'outdated': yellow, 'no-access': yellow, 'error': red, 'unknown': (s) => s }
+		print_table(['Skill', 'Installed', 'Latest', 'Status'], results.map(r => [
+			r.skill, r.installed, r.latest, (status_colors[r.status] || ((s) => s))(r.status)
+		]))
+		console.log()
+		print_info(`${outdated.length} skill(s) can be updated.`)
+	}
+
+	// Confirm
+	const should_update = auto_yes || !process.stdin.isTTY
+	if (!should_update && !args.flags.json) {
+		const answer = await confirm_prompt(`\nUpdate ${outdated.length} skill(s)? [y/N] `)
+		if (answer !== 'y' && answer !== 'yes') {
+			print_info('Skipped.')
+			return
+		}
+	}
+
+	// Detect local modifications on the outdated set
+	const detections = await Promise.all(outdated.map(r => {
+		const lock_entry = skills[r.skill]
+		const short_name = r.skill.split('/')[1] || r.skill
+		const dir = skill_install_dir(base_dir, short_name)
+		return detect_status(lock_entry, dir).then(([, det]) => ({ r, det }))
+	}))
+
+	const skipped = []
+	const safe_to_update = []
+	for (const { r, det } of detections) {
+		if (det?.local_modified) {
+			skipped.push({ skill: r.skill, reason: 'local_modifications', suggestion: `happyskills pull ${r.skill}` })
+		} else {
+			safe_to_update.push(r)
+		}
+	}
+
+	// Install only the outdated, non-modified skills
+	const options = { global: is_global, fresh: true, agents: args.flags.agents || undefined, project_root }
+	const updated = []
+	const update_errors = []
+
+	for (const r of safe_to_update) {
+		const update_spinner = !args.flags.json ? create_spinner(`Updating ${r.skill}…`) : null
+		const [errors, result] = await install(r.skill, options)
+		if (errors) {
+			update_spinner?.fail(`Failed to update ${r.skill}`)
+			update_errors.push({ skill: r.skill, message: errors[errors.length - 1]?.message || 'Unknown error' })
+		} else if (!result.no_op) {
+			update_spinner?.succeed(`Updated ${r.skill} ${r.installed} → ${result.version}`)
+			updated.push({ skill: r.skill, from: r.installed, to: result.version })
+		} else {
+			update_spinner?.succeed(`${r.skill} already up to date`)
+		}
+	}
+
+	// Output
 	if (args.flags.json) {
-		print_json({ data: { updated, already_up_to_date, count: updated.length } })
+		print_json({
+			data: {
+				results,
+				outdated_count: outdated.length,
+				up_to_date_count: up_to_date.length,
+				updated,
+				skipped,
+				already_up_to_date: up_to_date.map(r => ({ skill: r.skill, version: r.installed })),
+				errors: update_errors
+			}
+		})
 		return
 	}
 
+	if (skipped.length > 0) {
+		console.log()
+		print_warn(`Skipped ${skipped.length} skill(s) with local modifications:`)
+		for (const s of skipped) {
+			print_info(`  ${s.skill}`)
+		}
+		print_hint(`Use ${code('happyskills pull <skill>')} to merge remote changes.`)
+	}
 	if (updated.length > 0) {
-		print_success(`Updated ${updated.length} skill(s)`)
-	} else {
-		print_success('All skills are already up to date.')
+		console.log()
+		print_success(`Updated ${updated.length} skill(s).`)
+	}
+	if (update_errors.length > 0) {
+		console.log()
+		print_info(`${update_errors.length} skill(s) failed to update. Run ${code('happyskills check')} for details.`)
 	}
 }).then(([errors]) => { if (errors) { exit_with_error(errors); return } })
 

package/src/constants.js

@@ -30,7 +30,6 @@ const COMMAND_ALIASES = {
 	remove: 'uninstall',
 	ls: 'list',
 	s: 'search',
-	r: 'refresh',
 	st: 'status',
 	d: 'diff',
 	up: 'update',
@@ -52,7 +51,6 @@ const COMMANDS = [
 	'list',
 	'search',
 	'check',
-	'refresh',
 	'status',
 	'pull',
 	'diff',

package/src/index.js

@@ -92,11 +92,10 @@ Commands:
   list                     List installed skills (alias: ls)
   search <query>           Search the registry (alias: s)
   check [owner/skill]      Check for available updates
-  refresh                  Check + update all outdated skills (alias: r)
   status [owner/skill]     Show divergence status (alias: st)
   pull <owner/skill>       Pull remote changes and merge
   diff <owner/skill>       Show file-level differences (alias: d)
-  update [owner/skill]     Upgrade to latest versions (alias: up)
+  update [owner/skill]     Update outdated skills (alias: up). Smart by default; --force to re-install regardless
   publish                  Push skill to registry (alias: pub)
   validate <skill-name>    Validate skill against all rules (alias: v)
   fork <owner/skill>       Fork a skill to your workspace

package/src/integration/cli.test.js

@@ -92,7 +92,7 @@ describe('CLI — global flags', () => {
 
 	it('--help lists all expected commands', () => {
 		const { stdout } = run(['--help'])
-		const expected_commands = ['install', 'uninstall', 'list', 'search', 'check', 'refresh', 'update', 'publish', 'validate', 'fork', 'login', 'logout', 'whoami', 'init', 'setup', 'self-update']
+		const expected_commands = ['install', 'uninstall', 'list', 'search', 'check', 'update', 'publish', 'validate', 'fork', 'login', 'logout', 'whoami', 'init', 'setup', 'self-update']
 		for (const cmd of expected_commands) {
 			assert.ok(stdout.includes(cmd), `help output should mention "${cmd}"`)
 		}
@@ -160,10 +160,8 @@ describe('CLI — command --help', () => {
 		['search',    'Arguments:'],
 		['search',    'Aliases:'],
 		['check',     'Examples:'],
-		['refresh',   'Options:'],
-		['refresh',   'Examples:'],
-		['refresh',   'Aliases:'],
 		['update',    'Aliases:'],
+		['update',    '--force'],
 		['publish',   'Aliases:'],
 		['validate',  'Arguments:'],
 		['validate',  'Aliases:'],
@@ -199,7 +197,6 @@ describe('CLI — command aliases', () => {
 		['remove', 'uninstall'],
 		['ls',     'list'],
 		['s',      'search'],
-		['r',      'refresh'],
 		['up',     'update'],
 		['pub',    'publish'],
 		['v',      'validate'],
@@ -276,8 +273,9 @@ describe('CLI — --json: stdout is always valid JSON', () => {
 	})
 
 	it('network error produces JSON with code NETWORK_ERROR', () => {
-		// search requires a network call; localhost:0 always fails
-		const { stdout, code } = run(['search', 'anything', '--json'])
+		// search requires a network call; localhost:0 always fails.
+		// --limit is required, so it must be passed to reach the network call.
+		const { stdout, code } = run(['search', 'anything', '--json', '--limit', '10'])
 		assert.strictEqual(code, 4)
 		const out = parse_json_output(stdout, 'search --json network failure')
 		assert.strictEqual(out.error.code, 'NETWORK_ERROR')
@@ -422,15 +420,15 @@ describe('CLI — --json: existing json commands now use { data } envelope', ()
 	})
 })
 
-// ─── refresh command ──────────────────────────────────────────────────────────
+// ─── update --all (smart batch-check) ─────────────────────────────────────────
 
-describe('CLI — --json: refresh command', () => {
-	it('refresh --json with no skills returns { data: { results, outdated_count, ... } }', () => {
+describe('CLI — --json: update --all command', () => {
+	it('update --all --json with no installed skills returns { data: { results, outdated_count, ... } }', () => {
 		const tmp = make_tmp()
 		try {
-			const { stdout, code } = run(['refresh', '--json'], {}, { cwd: tmp })
+			const { stdout, code } = run(['update', '--all', '--json'], {}, { cwd: tmp })
 			assert.strictEqual(code, 0)
-			const out = parse_json_output(stdout, 'refresh --json empty')
+			const out = parse_json_output(stdout, 'update --all --json empty')
 			assert.ok('data' in out)
 			assert.ok(Array.isArray(out.data.results))
 			assert.strictEqual(out.data.outdated_count, 0)

package/src/commands/refresh.js

@@ -1,256 +0,0 @@
-const { error: { catch_errors, wrap_errors: e } } = require('puffy-core')
-const { install } = require('../engine/installer')
-const { read_lock, get_all_locked_skills } = require('../lock/reader')
-const { read_manifest } = require('../manifest/reader')
-const { detect_status } = require('../merge/detector')
-const repos_api = require('../api/repos')
-const { print_help, print_table, print_json, print_info, print_success, print_warn, print_hint, code } = require('../ui/output')
-const { green, yellow, red } = require('../ui/colors')
-const { create_spinner } = require('../ui/spinner')
-const { exit_with_error } = require('../utils/errors')
-const { find_project_root, lock_root, skills_dir, skill_install_dir } = require('../config/paths')
-const { EXIT_CODES, SKILL_TYPES } = require('../constants')
-const { resolve_agents, verify_and_repair_symlinks } = require('../agents')
-const { is_skill_enabled } = require('../agents/status')
-
-const HELP_TEXT = `Usage: happyskills refresh [options]
-
-Check all installed skills for updates and upgrade outdated ones.
-
-Options:
-  -g, --global      Refresh globally installed skills
-  -y, --yes         Skip confirmation prompts
-  --json            Output as JSON
-
-Aliases: r
-
-Examples:
-  happyskills refresh
-  happyskills refresh -y
-  happyskills refresh -g -y --json`
-
-/**
- * Returns true if the lock entry's dependencies differ from the installed skill.json's dependencies.
- */
-const has_dependency_drift = (lock_entry, manifest) => {
-	if (!manifest) return false
-	const lock_deps = JSON.stringify(lock_entry.dependencies || {})
-	const manifest_deps = JSON.stringify(manifest.dependencies || {})
-	return lock_deps !== manifest_deps
-}
-
-const confirm_prompt = (question) => new Promise((resolve) => {
-	const readline = require('readline')
-	const rl = readline.createInterface({ input: process.stdin, output: process.stderr })
-	rl.question(question, (answer) => {
-		rl.close()
-		resolve(answer.trim().toLowerCase())
-	})
-})
-
-const run = (args) => catch_errors('Refresh failed', async () => {
-	if (args.flags._show_help) {
-		print_help(HELP_TEXT)
-		return process.exit(EXIT_CODES.SUCCESS)
-	}
-
-	const is_global = args.flags.global || false
-	const auto_yes = args.flags.yes || false
-	const project_root = find_project_root()
-	const [, lock_data] = await read_lock(lock_root(is_global, project_root))
-	const skills = get_all_locked_skills(lock_data)
-	const entries = Object.entries(skills)
-
-	const to_check = entries.filter(([, data]) => data.requested_by?.includes('__root__'))
-
-	if (to_check.length === 0) {
-		if (args.flags.json) {
-			print_json({ data: { results: [], outdated_count: 0, up_to_date_count: 0, updated: [], already_up_to_date: [], errors: [] } })
-			return
-		}
-		print_info('No skills installed.')
-		return
-	}
-
-	// 1. Check for updates
-	const spinner = !args.flags.json ? create_spinner('Checking for updates…') : null
-	const skill_names = to_check.map(([name]) => name)
-	const [batch_err, batch_data] = await repos_api.check_updates(skill_names)
-	const base_dir = skills_dir(is_global, project_root)
-
-	const results = []
-	if (batch_err) {
-		spinner?.fail('Failed to check for updates')
-		for (const [name, data] of to_check) {
-			results.push({ skill: name, installed: data.version, latest: 'error', status: 'error' })
-		}
-	} else {
-		spinner?.succeed('Checked for updates')
-		// Read all installed manifests in parallel to check for dependency drift
-		const manifest_map = {}
-		await Promise.all(to_check.map(async ([name]) => {
-			const short_name = name.split('/')[1] || name
-			const dir = skill_install_dir(base_dir, short_name)
-			const [, manifest] = await read_manifest(dir)
-			if (manifest) manifest_map[name] = manifest
-		}))
-		for (const [name, data] of to_check) {
-			const info = batch_data?.results?.[name]
-			if (info?.access_denied) {
-				results.push({ skill: name, installed: data.version, latest: '-', status: 'no-access' })
-			} else if (!info || !info.latest_version) {
-				results.push({ skill: name, installed: data.version, latest: '-', status: 'unknown' })
-			} else if (data.base_commit && info.commit && data.base_commit !== info.commit) {
-				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
-			} else if (!data.base_commit && info.latest_version !== data.version) {
-				// Fallback to version comparison for old lock files without base_commit
-				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
-			} else if (has_dependency_drift(data, manifest_map[name])) {
-				// Lock dependencies are stale compared to installed skill.json
-				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
-			} else {
-				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'up-to-date' })
-			}
-		}
-	}
-
-	const outdated = results.filter(r => r.status === 'outdated')
-	const up_to_date = results.filter(r => r.status === 'up-to-date')
-
-	// 2. Verify and repair symlinks for all skills (even when nothing is outdated)
-	const [, agents_data] = await resolve_agents(args.flags.agents)
-	const detected_agents = agents_data?.agents || []
-	let symlink_repairs = []
-	if (detected_agents.length > 0) {
-		const skills_to_check = []
-		for (const [name, data] of entries) {
-			if (data.type === SKILL_TYPES.KIT) continue
-			const short_name = name.split('/')[1] || name
-			const source_dir = skill_install_dir(base_dir, short_name)
-			const [, enabled] = await is_skill_enabled(short_name, detected_agents, is_global, project_root)
-			if (enabled) {
-				skills_to_check.push({ skill_name: short_name, source_dir })
-			}
-		}
-		if (skills_to_check.length > 0) {
-			const link_spinner = !args.flags.json ? create_spinner('Verifying symlinks…') : null
-			const [, repair_result] = await verify_and_repair_symlinks(skills_to_check, detected_agents, { global: is_global, project_root })
-			symlink_repairs = repair_result?.repaired || []
-			if (symlink_repairs.length > 0) {
-				link_spinner?.succeed(`Repaired ${symlink_repairs.length} symlink(s)`)
-			} else {
-				link_spinner?.succeed('All symlinks verified')
-			}
-		}
-	}
-
-	// 3. If nothing to update, report and exit
-	if (outdated.length === 0) {
-		if (args.flags.json) {
-			print_json({ data: { results, outdated_count: 0, up_to_date_count: up_to_date.length, updated: [], already_up_to_date: up_to_date.map(r => ({ skill: r.skill, version: r.installed })), symlink_repairs, errors: [] } })
-			return
-		}
-		print_table(['Skill', 'Installed', 'Latest', 'Status'], results.map(r => [
-			r.skill, r.installed, r.latest, green(r.status)
-		]))
-		console.log()
-		if (symlink_repairs.length > 0) {
-			print_success(`All skills are up to date. Repaired ${symlink_repairs.length} symlink(s).`)
-		} else {
-			print_success('All skills are up to date.')
-		}
-		return
-	}
-
-	// 4. Show results table (non-json)
-	if (!args.flags.json) {
-		const status_colors = { 'up-to-date': green, 'outdated': yellow, 'no-access': yellow, 'error': red, 'unknown': (s) => s }
-		print_table(['Skill', 'Installed', 'Latest', 'Status'], results.map(r => [
-			r.skill, r.installed, r.latest, (status_colors[r.status] || ((s) => s))(r.status)
-		]))
-		console.log()
-		print_info(`${outdated.length} skill(s) can be updated.`)
-	}
-
-	// 5. Confirm update
-	const should_update = auto_yes || !process.stdin.isTTY
-	if (!should_update && !args.flags.json) {
-		const answer = await confirm_prompt(`\nUpdate ${outdated.length} skill(s)? [y/N] `)
-		if (answer !== 'y' && answer !== 'yes') {
-			print_info('Skipped.')
-			return
-		}
-	}
-
-	// 6. Detect local modifications for all outdated skills in parallel
-	const detections = await Promise.all(outdated.map(r => {
-		const lock_entry = skills[r.skill]
-		const short_name = r.skill.split('/')[1] || r.skill
-		const dir = skill_install_dir(base_dir, short_name)
-		return detect_status(lock_entry, dir).then(([, det]) => ({ r, det }))
-	}))
-
-	const skipped = []
-	const safe_to_update = []
-	for (const { r, det } of detections) {
-		if (det?.local_modified) {
-			skipped.push({ skill: r.skill, reason: 'local_modifications', suggestion: `happyskills pull ${r.skill}` })
-		} else {
-			safe_to_update.push(r)
-		}
-	}
-
-	// 7. Update safe skills
-	const options = { global: is_global, fresh: true, agents: args.flags.agents || undefined, project_root }
-	const updated = []
-	const update_errors = []
-
-	for (const r of safe_to_update) {
-		const update_spinner = !args.flags.json ? create_spinner(`Updating ${r.skill}…`) : null
-		const [errors, result] = await install(r.skill, options)
-		if (errors) {
-			update_spinner?.fail(`Failed to update ${r.skill}`)
-			update_errors.push({ skill: r.skill, message: errors[errors.length - 1]?.message || 'Unknown error' })
-		} else if (!result.no_op) {
-			update_spinner?.succeed(`Updated ${r.skill} ${r.installed} → ${result.version}`)
-			updated.push({ skill: r.skill, from: r.installed, to: result.version })
-		} else {
-			update_spinner?.succeed(`${r.skill} already up to date`)
-		}
-	}
-
-	// 8. Output results
-	if (args.flags.json) {
-		print_json({
-			data: {
-				results,
-				outdated_count: outdated.length,
-				up_to_date_count: up_to_date.length,
-				updated,
-				skipped,
-				already_up_to_date: up_to_date.map(r => ({ skill: r.skill, version: r.installed })),
-				errors: update_errors
-			}
-		})
-		return
-	}
-
-	if (skipped.length > 0) {
-		console.log()
-		print_warn(`Skipped ${skipped.length} skill(s) with local modifications:`)
-		for (const s of skipped) {
-			print_info(`  ${s.skill}`)
-		}
-		print_hint(`Use ${code('happyskills pull <skill>')} to merge remote changes.`)
-	}
-	if (updated.length > 0) {
-		console.log()
-		print_success(`Updated ${updated.length} skill(s).`)
-	}
-	if (update_errors.length > 0) {
-		console.log()
-		print_info(`${update_errors.length} skill(s) failed to update. Run ${code('happyskills check')} for details.`)
-	}
-}).then(([errors]) => { if (errors) { exit_with_error(errors); return } })
-
-module.exports = { run }