happyskills 0.47.1 → 0.49.0

package/src/commands/snapshot.js

@@ -0,0 +1,252 @@
+const path = require('path')
+const { error: { catch_errors, wrap_errors: e } } = require('puffy-core')
+const storage = require('../snapshot/storage')
+const { find_project_root, skills_dir, skill_install_dir } = require('../config/paths')
+const { read_lock, get_all_locked_skills } = require('../lock/reader')
+const { print_help, print_success, print_info, print_table, print_json, print_warn } = require('../ui/output')
+const { exit_with_error, UsageError } = require('../utils/errors')
+const { EXIT_CODES } = require('../constants')
+
+const HELP_TEXT = `Usage: happyskills snapshot <subcommand> [args] [options]
+
+Capture and restore skill state — the safety net for every mutation.
+
+Subcommands:
+  create <owner/skill>           Capture skill directory + lock entry
+  list <owner/skill>             List existing snapshots for a skill
+  restore <snapshot-id>          Restore a skill from a snapshot
+  delete <snapshot-id>           Delete a snapshot
+  prune <owner/skill>            Keep only the N most recent snapshots
+
+Options:
+  --note <text>                  Attach a note to a new snapshot (create only)
+  --keep <n>                     Retention count for prune (default: 10)
+  -g, --global                   Operate on the global snapshot store
+  --json                         Output as JSON
+
+Examples:
+  happyskills snapshot create acme/deploy-aws --note "pre-release" --json
+  happyskills snapshot list acme/deploy-aws --json
+  happyskills snapshot restore snap_20260523T103045Z_abc123 --json
+  happyskills snapshot delete snap_20260523T103045Z_abc123 --json
+  happyskills snapshot prune acme/deploy-aws --keep 5 --json`
+
+const parse_skill_arg = (raw) => {
+	if (!raw) return null
+	if (raw.includes('/')) {
+		const [workspace, ...rest] = raw.split('/')
+		return { workspace, skill: rest.join('/'), short: rest.join('/') }
+	}
+	return { workspace: null, skill: raw, short: raw }
+}
+
+const resolve_from_lock = (short_name, project_root) => catch_errors('Failed to resolve skill from lock', async () => {
+	const [, lock_data] = await read_lock(project_root)
+	if (!lock_data) return null
+	const all = get_all_locked_skills(lock_data)
+	const suffix = `/${short_name}`
+	const key = Object.keys(all).find(k => k === short_name || k.endsWith(suffix))
+	if (!key) return null
+	const [workspace, name] = key.includes('/') ? key.split('/') : [null, key]
+	return { workspace, skill: name, lock_entry: all[key] }
+})
+
+const do_create = (args) => catch_errors('Snapshot create failed', async () => {
+	const raw = args._[1]
+	if (!raw) throw new UsageError('Usage: happyskills snapshot create <owner/skill> [--note <text>]')
+
+	const project_root = find_project_root()
+	const is_global = !!args.flags.global
+	const parsed = parse_skill_arg(raw)
+	let workspace = parsed.workspace
+	let skill = parsed.skill
+	let lock_entry = null
+
+	const [, resolved] = await resolve_from_lock(parsed.short, project_root)
+	if (resolved) {
+		if (!workspace) workspace = resolved.workspace
+		skill = resolved.skill
+		lock_entry = resolved.lock_entry
+	}
+
+	if (!workspace) {
+		throw new UsageError(`Cannot determine workspace for "${raw}" — pass it as owner/skill or install via the registry first.`)
+	}
+
+	const base_dir = skills_dir(is_global, project_root)
+	const skill_dir = skill_install_dir(base_dir, skill)
+
+	const [err, result] = await storage.create({
+		skill_dir, workspace, skill, lock_entry,
+		note: typeof args.flags.note === 'string' ? args.flags.note : null,
+		is_global, project_root
+	})
+	if (err) throw e('Failed to create snapshot', err)
+
+	if (args.flags.json) {
+		print_json({ data: result })
+		return
+	}
+	print_success(`Snapshot ${result.snapshot_id}`)
+	print_info(`  Path: ${result.path}`)
+	if (result.note) print_info(`  Note: ${result.note}`)
+	if (result.pruned?.length > 0) print_info(`  Pruned ${result.pruned.length} older snapshot(s)`)
+})
+
+const do_list = (args) => catch_errors('Snapshot list failed', async () => {
+	const raw = args._[1]
+	if (!raw) throw new UsageError('Usage: happyskills snapshot list <owner/skill>')
+
+	const project_root = find_project_root()
+	const is_global = !!args.flags.global
+	const parsed = parse_skill_arg(raw)
+	let workspace = parsed.workspace
+	let skill = parsed.skill
+
+	if (!workspace) {
+		const [, resolved] = await resolve_from_lock(parsed.short, project_root)
+		if (resolved) {
+			workspace = resolved.workspace
+			skill = resolved.skill
+		}
+	}
+
+	if (!workspace) {
+		if (args.flags.json) {
+			print_json({ data: { snapshots: [] } })
+			return
+		}
+		print_info('No workspace resolved — no snapshots to list.')
+		return
+	}
+
+	const [err, result] = await storage.list({ workspace, skill, is_global, project_root })
+	if (err) throw e('Failed to list snapshots', err)
+
+	if (args.flags.json) {
+		print_json({ data: { workspace, skill, snapshots: result.snapshots } })
+		return
+	}
+
+	if (result.snapshots.length === 0) {
+		print_info(`No snapshots for ${workspace}/${skill}.`)
+		return
+	}
+	const rows = result.snapshots.map(s => [
+		s.snapshot_id,
+		s.timestamp,
+		(s.note || '').slice(0, 60)
+	])
+	print_table(['Snapshot ID', 'Timestamp', 'Note'], rows)
+})
+
+const do_restore = (args) => catch_errors('Snapshot restore failed', async () => {
+	const snapshot_id = args._[1]
+	if (!snapshot_id) throw new UsageError('Usage: happyskills snapshot restore <snapshot-id>')
+
+	const project_root = find_project_root()
+	const is_global = !!args.flags.global
+
+	const [find_err, found] = await storage.find_snapshot(snapshot_id, { is_global, project_root })
+	if (find_err) throw e('Failed to look up snapshot', find_err)
+	if (!found) {
+		throw new Error(`Snapshot not found: ${snapshot_id}`)
+	}
+
+	const base_dir = skills_dir(is_global, project_root)
+	const skill_dir = skill_install_dir(base_dir, found.skill)
+
+	const [err, result] = await storage.restore(snapshot_id, { skill_dir, is_global, project_root })
+	if (err) throw e('Failed to restore snapshot', err)
+
+	if (args.flags.json) {
+		print_json({ data: result })
+		return
+	}
+	print_success(`Restored ${result.workspace}/${result.skill} from ${snapshot_id}`)
+})
+
+const do_delete = (args) => catch_errors('Snapshot delete failed', async () => {
+	const snapshot_id = args._[1]
+	if (!snapshot_id) throw new UsageError('Usage: happyskills snapshot delete <snapshot-id>')
+	const project_root = find_project_root()
+	const is_global = !!args.flags.global
+
+	const [err, result] = await storage.remove(snapshot_id, { is_global, project_root })
+	if (err) throw e('Failed to delete snapshot', err)
+
+	if (args.flags.json) {
+		print_json({ data: result })
+		return
+	}
+	if (result.deleted) print_success(`Deleted ${snapshot_id}`)
+	else print_warn(`No snapshot deleted (${result.reason || 'unknown'}).`)
+})
+
+const do_prune = (args) => catch_errors('Snapshot prune failed', async () => {
+	const raw = args._[1]
+	if (!raw) throw new UsageError('Usage: happyskills snapshot prune <owner/skill> [--keep <n>]')
+
+	const project_root = find_project_root()
+	const is_global = !!args.flags.global
+	const parsed = parse_skill_arg(raw)
+	let workspace = parsed.workspace
+	let skill = parsed.skill
+
+	if (!workspace) {
+		const [, resolved] = await resolve_from_lock(parsed.short, project_root)
+		if (resolved) {
+			workspace = resolved.workspace
+			skill = resolved.skill
+		}
+	}
+
+	if (!workspace) {
+		throw new UsageError(`Cannot determine workspace for "${raw}" — pass it as owner/skill.`)
+	}
+
+	const keep_raw = args.flags.keep
+	const keep = keep_raw === undefined || keep_raw === true ? storage.DEFAULT_RETENTION : parseInt(keep_raw, 10)
+	if (!Number.isFinite(keep) || keep < 0) {
+		throw new UsageError(`--keep must be a non-negative integer (got "${keep_raw}")`)
+	}
+
+	const [err, result] = await storage.prune({ workspace, skill, is_global, project_root, keep })
+	if (err) throw e('Failed to prune snapshots', err)
+
+	if (args.flags.json) {
+		print_json({ data: result })
+		return
+	}
+	print_success(`Kept ${result.kept}, deleted ${result.deleted}`)
+})
+
+const SUBCOMMANDS = {
+	create: do_create,
+	list: do_list,
+	restore: do_restore,
+	delete: do_delete,
+	rm: do_delete,
+	prune: do_prune
+}
+
+const run = (args) => catch_errors('Snapshot failed', async () => {
+	if (args.flags._show_help) {
+		print_help(HELP_TEXT)
+		return process.exit(EXIT_CODES.SUCCESS)
+	}
+
+	const sub = args._[0]
+	if (!sub) {
+		throw new UsageError('Usage: happyskills snapshot <create|list|restore|delete|prune> ...')
+	}
+	const handler = SUBCOMMANDS[sub]
+	if (!handler) {
+		throw new UsageError(`Unknown snapshot subcommand: "${sub}". Run \`happyskills snapshot --help\`.`)
+	}
+
+	const [err] = await handler(args)
+	if (err) throw err
+}).then(([errors]) => { if (errors) { exit_with_error(errors); return } })
+
+module.exports = { run }

package/src/commands/status.js

@@ -1,7 +1,7 @@
 const { error: { catch_errors, wrap_errors: e } } = require('puffy-core')
 const { read_lock, get_all_locked_skills } = require('../lock/reader')
 const { detect_status } = require('../merge/detector')
-const { verify_lock_disk_consistency, describe_drift } = require('../lock/verify')
+const { verify_lock_disk_consistency, detect_ahead_state, describe_drift } = require('../lock/verify')
 const repos_api = require('../api/repos')
 const { print_help, print_info, print_json, print_warn, print_hint, code } = require('../ui/output')
 const { exit_with_error, UsageError } = require('../utils/errors')
@@ -26,12 +26,13 @@ Examples:
   happyskills st acme/deploy-aws
   happyskills status --json`
 
-// Drift outranks every other status: when the lock and the on-disk skill.json
-// disagree about what's installed, every other comparison (modified/outdated/
-// diverged/conflicts) is computed against an untrustworthy baseline.
-const classify = (drift, local_modified, remote_updated, has_conflicts) => {
+// §10.5 — seven canonical states. Drift outranks every other status because
+// the install-record baseline is broken; ahead is reported above local/remote
+// composites because it represents authoring intent the system should preserve.
+const classify = (drift, ahead, local_modified, remote_updated, has_conflicts) => {
 	if (drift && !drift.ok) return 'drift'
 	if (has_conflicts) return 'conflicts'
+	if (ahead) return 'ahead'
 	if (local_modified && remote_updated) return 'diverged'
 	if (local_modified) return 'modified'
 	if (remote_updated) return 'outdated'
@@ -92,20 +93,27 @@ const run = (args) => catch_errors('Status failed', async () => {
 
 	const base_dir = skills_dir(is_global, project_root)
 
-	// Detect drift (lock-vs-disk version mismatch) and local modifications in parallel.
-	// The drift probe is cheap (one skill.json read + version compare); detect_status
-	// is the heavier integrity check. Running both lets us distinguish "user edited
-	// content" from "structural baseline broken".
+	// Detect drift, ahead, and local modifications in parallel. The drift probe
+	// is cheap (one skill.json read + version compare); detect_status is the
+	// heavier integrity check. Running them all lets us distinguish "user edited
+	// content" from "structural baseline broken" from "author bumped locally".
 	const detections = await Promise.all(entries.map(async ([name, data]) => {
-		if (!data) return { name, data, det: null, drift: null }
+		if (!data) return { name, data, det: null, drift: null, ahead: null }
 		const short_name = name.split('/')[1] || name
 		const dir = skill_install_dir(base_dir, short_name)
 		const [, drift] = await verify_lock_disk_consistency(data, dir)
 		const [, det] = await detect_status(data, dir, { skill_name: name, project_root, is_global })
-		return { name, data, det, drift }
+		// Only check ahead when drift is clean — drift represents a broken
+		// baseline that should be reported first.
+		let ahead = null
+		if (drift && drift.ok) {
+			const [, ahead_state] = await detect_ahead_state(data, dir)
+			if (ahead_state && ahead_state.ahead) ahead = ahead_state
+		}
+		return { name, data, det, drift, ahead }
 	}))
 
-	const results = detections.map(({ name, data, det, drift }) => {
+	const results = detections.map(({ name, data, det, drift, ahead }) => {
 		if (!data) return { skill: name, status: 'not_found', local_modified: false, remote_updated: false }
 		const has_conflicts = (data.conflict_files || []).length > 0
 		return {
@@ -122,7 +130,13 @@ const run = (args) => catch_errors('Status failed', async () => {
 			drift: drift && !drift.ok
 				? { reason: drift.reason, lock_version: drift.expected, disk_version: drift.actual }
 				: null,
-			status: drift && !drift.ok ? 'drift' : (has_conflicts ? 'conflicts' : 'clean')
+			ahead: ahead ? {
+				lock_version: ahead.lock_version,
+				disk_version: ahead.disk_version,
+				has_changelog_entry: ahead.has_changelog_entry || false,
+				changelog_version: ahead.changelog_version || null
+			} : null,
+			status: drift && !drift.ok ? 'drift' : (has_conflicts ? 'conflicts' : (ahead ? 'ahead' : 'clean'))
 		}
 	})
 
@@ -145,11 +159,13 @@ const run = (args) => catch_errors('Status failed', async () => {
 	}
 
 	// Classify each result. The drift field is the canonical structural-baseline
-	// signal; pass it to classify so it can outrank everything else.
+	// signal; pass it to classify so it can outrank everything else. The ahead
+	// field is the canonical author-intent signal — it preserves the local bump
+	// during the publish flow.
 	for (const r of results) {
 		if (r.status !== 'not_found') {
 			const drift_check = r.drift ? { ok: false } : { ok: true }
-			r.status = classify(drift_check, r.local_modified, r.remote_updated, r.conflict_files.length > 0)
+			r.status = classify(drift_check, !!r.ahead, r.local_modified, r.remote_updated, r.conflict_files.length > 0)
 		}
 	}
 
@@ -174,12 +190,13 @@ const run = (args) => catch_errors('Status failed', async () => {
 			expected: r.drift?.lock_version,
 			actual: r.drift?.disk_version
 		})
-			: r.status === 'conflicts' ? 'conflicts (unresolved merge conflicts)'
-				: r.status === 'diverged' ? 'diverged (local + remote changes)'
-					: r.status === 'modified' ? 'modified (local changes)'
-						: r.status === 'outdated' ? 'outdated (remote changes)'
-							: r.status === 'not_found' ? 'not found'
-								: 'clean'
+			: r.status === 'ahead' ? `ahead (disk ${r.ahead?.disk_version}, lock ${r.ahead?.lock_version})`
+				: r.status === 'conflicts' ? 'conflicts (unresolved merge conflicts)'
+					: r.status === 'diverged' ? 'diverged (local + remote changes)'
+						: r.status === 'modified' ? 'modified (local changes)'
+							: r.status === 'outdated' ? 'outdated (remote changes)'
+								: r.status === 'not_found' ? 'not found'
+									: 'clean'
 	}))
 
 	const w_skill = Math.max(col_skill.length, ...rows.map(r => r.skill.length))
@@ -194,11 +211,16 @@ const run = (args) => catch_errors('Status failed', async () => {
 	}
 
 	const drifted = results.filter(r => r.status === 'drift')
+	const ahead_skills = results.filter(r => r.status === 'ahead')
 	if (drifted.length > 0) {
 		console.log()
 		print_warn(`${drifted.length} skill(s) drifted: lock and on-disk skill.json disagree.`)
-		print_hint(`Restore install record: ${code('happyskills install <skill> --fresh')}`)
-		print_hint(`Or accept the on-disk version: bump the lock by reinstalling at the disk version.`)
+		print_hint(`Repair: ${code('happyskills reconcile <skill>')}`)
+	}
+	if (ahead_skills.length > 0) {
+		console.log()
+		print_info(`${ahead_skills.length} skill(s) ahead of lock — bumped locally, not yet published.`)
+		print_hint(`Publish: ${code('happyskills publish <skill>')} (lock catches up atomically)`)
 	}
 }).then(([errors]) => { if (errors) { exit_with_error(errors); return } })
 

package/src/config/limits.js

@@ -0,0 +1,11 @@
+// Size limits enforced before publish. Must stay in sync with
+// api/app/config/limits.js — a drift means a publish that passes CLI
+// validation will be rejected by the API.
+
+const MAX_FILE_SIZE = 1 * 1024 * 1024   // 1 MB per file
+const MAX_TOTAL_SIZE = 1 * 1024 * 1024  // 1 MB per skill bundle
+
+module.exports = {
+	MAX_FILE_SIZE,
+	MAX_TOTAL_SIZE
+}

package/src/constants.js

@@ -74,7 +74,10 @@ const COMMANDS = [
 	'versions',
 	'changelog',
 	'agents',
-	'postlex'
+	'postlex',
+	'snapshot',
+	'reconcile',
+	'release'
 ]
 
 module.exports = {

package/src/index.js

@@ -113,6 +113,9 @@ Commands:
   login                    Authenticate with the registry
   logout                   Clear stored credentials
   whoami                   Show current user
+  snapshot <sub>           Capture and restore skill state (create, list, restore, delete, prune)
+  reconcile <owner/skill>  Diagnose and repair lock-vs-disk drift
+  release <skill-name>     Atomic release: snapshot + validate + bump + publish
 
 Global flags:
   --help                   Show help for a command

package/src/integration/bump.test.js

@@ -0,0 +1,170 @@
+'use strict'
+/**
+ * Integration tests for `happyskills bump` — § 8.6 (bump narrowed to
+ * skill.json only). After bump, skill.json's version is the new value AND
+ * the lock entry's version is UNCHANGED. Subsequent `list --json` reports
+ * the skill as `status: "ahead"`.
+ *
+ * This test prevents regression of the lock-as-registry-view principle:
+ * a local bump is not a registry interaction, so the lock has no business
+ * being mutated by it.
+ */
+const { describe, it } = require('node:test')
+const assert = require('node:assert/strict')
+const { spawnSync } = require('child_process')
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+
+const CLI = path.resolve(__dirname, '../../bin/happyskills.js')
+const NODE = process.execPath
+
+const make_tmp = () => fs.mkdtempSync(path.join(os.tmpdir(), 'hs-bump-test-'))
+const run = (args, opts) => {
+	const result = spawnSync(NODE, [CLI, ...args], {
+		env: {
+			...process.env,
+			NO_COLOR: '1',
+			HAPPYSKILLS_API_URL: 'http://localhost:0',
+			...(opts?.env || {})
+		},
+		encoding: 'utf-8',
+		timeout: 10000,
+		cwd: opts?.cwd
+	})
+	return { stdout: result.stdout || '', stderr: result.stderr || '', code: result.status }
+}
+const parse_json = (stdout, label) => {
+	try { return JSON.parse(stdout) }
+	catch { assert.fail(`${label}: stdout is not valid JSON:\n${stdout}`) }
+}
+
+// Scaffold a project with one locked-and-installed skill.
+const scaffold = ({ full, short, lock_version, disk_version }) => {
+	const root = make_tmp()
+	const skill_dir = path.join(root, '.agents', 'skills', short)
+	fs.mkdirSync(skill_dir, { recursive: true })
+	fs.writeFileSync(
+		path.join(skill_dir, 'SKILL.md'),
+		`---\nname: ${short}\ndescription: bump test skill\n---\nbody\n`
+	)
+	fs.writeFileSync(
+		path.join(skill_dir, 'skill.json'),
+		JSON.stringify({
+			name: short,
+			version: disk_version,
+			type: 'skill',
+			description: 'bump test skill'
+		}, null, '\t')
+	)
+	fs.writeFileSync(path.join(root, 'skills-lock.json'), JSON.stringify({
+		lockVersion: 2,
+		generatedAt: new Date().toISOString(),
+		skills: {
+			[full]: {
+				version: lock_version,
+				type: 'skill',
+				ref: `refs/tags/v${lock_version}`,
+				commit: 'lockcommit',
+				integrity: 'sha256-baseline',
+				base_commit: 'lockcommit',
+				base_integrity: 'sha256-baseline',
+				requested_by: ['__root__'],
+				dependencies: {}
+			}
+		}
+	}, null, '\t'))
+	return {
+		root,
+		skill_dir,
+		read_lock: () => JSON.parse(fs.readFileSync(path.join(root, 'skills-lock.json'), 'utf-8')),
+		read_manifest: () => JSON.parse(fs.readFileSync(path.join(skill_dir, 'skill.json'), 'utf-8')),
+		cleanup: () => fs.rmSync(root, { recursive: true, force: true })
+	}
+}
+
+describe('bump — § 8.6 narrowed to skill.json only', () => {
+	it('updates skill.json version but leaves the lock entry UNCHANGED', () => {
+		const ctx = scaffold({ full: 'acme/my-skill', short: 'my-skill', lock_version: '1.0.0', disk_version: '1.0.0' })
+		try {
+			const { code, stdout } = run(['bump', 'patch', 'my-skill', '--json'], { cwd: ctx.root })
+			assert.strictEqual(code, 0, `bump should exit 0, got ${code}`)
+			const out = parse_json(stdout, 'bump --json')
+			assert.strictEqual(out.data.old_version, '1.0.0')
+			assert.strictEqual(out.data.new_version, '1.0.1')
+
+			// Manifest was updated.
+			assert.strictEqual(ctx.read_manifest().version, '1.0.1', 'skill.json must be at the new version')
+
+			// Lock entry was NOT updated.
+			const lock = ctx.read_lock()
+			assert.strictEqual(
+				lock.skills['acme/my-skill'].version,
+				'1.0.0',
+				'lock entry version must be UNCHANGED — lock catches up at publish time, not bump time'
+			)
+			assert.strictEqual(
+				lock.skills['acme/my-skill'].ref,
+				'refs/tags/v1.0.0',
+				'lock entry ref must be UNCHANGED'
+			)
+			assert.strictEqual(
+				lock.skills['acme/my-skill'].integrity,
+				'sha256-baseline',
+				'lock entry integrity must be UNCHANGED'
+			)
+		} finally { ctx.cleanup() }
+	})
+
+	it('subsequent list --json reports the bumped skill as status:ahead', () => {
+		const ctx = scaffold({ full: 'acme/my-skill', short: 'my-skill', lock_version: '0.3.2', disk_version: '0.3.2' })
+		try {
+			const { code: bump_code } = run(['bump', 'patch', 'my-skill', '--json'], { cwd: ctx.root })
+			assert.strictEqual(bump_code, 0)
+
+			const { code, stdout } = run(['list', '--json'], { cwd: ctx.root })
+			assert.strictEqual(code, 0)
+			const out = parse_json(stdout, 'list --json')
+			const entry = out.data.skills['acme/my-skill']
+			assert.ok(entry, 'skill must appear in list output')
+			assert.strictEqual(entry.status, 'ahead', 'must be ahead, not drift, not installed')
+			assert.strictEqual(entry.ahead.lock_version, '0.3.2')
+			assert.strictEqual(entry.ahead.disk_version, '0.3.3')
+			assert.strictEqual(entry.drift, undefined, 'ahead must not emit a drift object')
+		} finally { ctx.cleanup() }
+	})
+
+	it('explicit version bump leaves lock untouched', () => {
+		const ctx = scaffold({ full: 'acme/exact', short: 'exact', lock_version: '0.1.0', disk_version: '0.1.0' })
+		try {
+			const { code } = run(['bump', '2.5.7', 'exact', '--json'], { cwd: ctx.root })
+			assert.strictEqual(code, 0)
+			assert.strictEqual(ctx.read_manifest().version, '2.5.7')
+			assert.strictEqual(ctx.read_lock().skills['acme/exact'].version, '0.1.0', 'lock untouched')
+		} finally { ctx.cleanup() }
+	})
+
+	it('bump still works when there is no lock entry for the skill at all', () => {
+		// e.g. a freshly-init'd skill that has never been published. There's
+		// no lock key to update, and that's fine — bump only writes to
+		// skill.json.
+		const root = make_tmp()
+		try {
+			const skill_dir = path.join(root, '.agents', 'skills', 'fresh')
+			fs.mkdirSync(skill_dir, { recursive: true })
+			fs.writeFileSync(
+				path.join(skill_dir, 'SKILL.md'),
+				'---\nname: fresh\ndescription: never-published skill\n---\nbody\n'
+			)
+			fs.writeFileSync(
+				path.join(skill_dir, 'skill.json'),
+				JSON.stringify({ name: 'fresh', version: '0.1.0', type: 'skill', description: 'never-published skill' }, null, '\t')
+			)
+			// No skills-lock.json at all.
+			const { code } = run(['bump', 'minor', 'fresh', '--json'], { cwd: root })
+			assert.strictEqual(code, 0)
+			const manifest = JSON.parse(fs.readFileSync(path.join(skill_dir, 'skill.json'), 'utf-8'))
+			assert.strictEqual(manifest.version, '0.2.0')
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+})