oathbound 0.13.0 → 0.14.0

package/agent-search.ts

@@ -6,6 +6,7 @@ export interface AgentSearchOptions {
   query?: string;
   namespace?: string;
   sparse?: boolean;
+  sort?: 'downloads';
   limit?: number;
   offset?: number;
 }
@@ -21,6 +22,9 @@ export function parseAgentSearchArgs(args: string[]): AgentSearchOptions {
       opts.namespace = args[++i];
     } else if (arg === '--sparse' || arg === '-s') {
       opts.sparse = true;
+    } else if (arg === '--sort') {
+      const val = args[++i];
+      if (val === 'downloads') opts.sort = 'downloads';
     } else if (arg === '--limit') {
       opts.limit = parseInt(args[++i], 10);
     } else if (arg === '--offset') {
@@ -53,6 +57,7 @@ interface AgentResult {
   permission_mode?: string | null;
   effort?: string | null;
   author?: AgentAuthor;
+  download_count?: number;
 }
 
 interface AgentSearchResponse {
@@ -69,6 +74,7 @@ export async function agentSearch(opts: AgentSearchOptions): Promise<void> {
   if (opts.query) params.set('q', opts.query);
   if (opts.namespace) params.set('namespace', opts.namespace);
   if (opts.sparse) params.set('sparse', 'true');
+  if (opts.sort) params.set('sort', opts.sort);
   if (opts.limit != null) params.set('limit', String(opts.limit));
   if (opts.offset != null) params.set('offset', String(opts.offset));
 
@@ -135,6 +141,7 @@ export async function agentSearch(opts: AgentSearchOptions): Promise<void> {
         parts.push(`by ${name}${agent.author.verified ? ' ✓' : ''}`);
       }
       if (agent.license) parts.push(agent.license);
+      if (agent.download_count != null) parts.push(`↓ ${agent.download_count}`);
       if (agent.model) parts.push(`model: ${agent.model}`);
       if (agent.permission_mode) parts.push(`mode: ${agent.permission_mode}`);
       if (agent.effort) parts.push(`effort: ${agent.effort}`);

package/cli.ts

@@ -29,14 +29,16 @@ export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type Mer
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult, addTrustedDependency, type TrustedDepResult };
 
-const VERSION = '0.13.0';
+const VERSION = '0.14.0';
 
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
 const SUPABASE_ANON_KEY = 'sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n';
+const API_BASE = process.env.OATHBOUND_API_URL ?? 'https://www.oathbound.ai';
 
 // --- Types ---
 interface SkillRow {
+  id: string;
   name: string;
   namespace: string;
   version: string;
@@ -279,7 +281,7 @@ async function pull(skillArg: string): Promise<void> {
   if (version !== null) {
     const { data, error } = await supabase
       .from('skills')
-      .select('name, namespace, version, tar_hash, storage_path')
+      .select('id, name, namespace, version, tar_hash, storage_path')
       .eq('namespace', namespace)
       .eq('name', name)
       .eq('version', version)
@@ -293,7 +295,7 @@ async function pull(skillArg: string): Promise<void> {
     // Fetch all versions, pick highest via semver comparison
     const { data, error } = await supabase
       .from('skills')
-      .select('name, namespace, version, tar_hash, storage_path')
+      .select('id, name, namespace, version, tar_hash, storage_path')
       .eq('namespace', namespace)
       .eq('name', name);
 
@@ -346,7 +348,21 @@ async function pull(skillArg: string): Promise<void> {
   }
   unlinkSync(tarFile);
 
-  // 5. Success
+  // 5. Record download (non-fatal)
+  try {
+    const trackRes = await fetch(`${API_BASE}/api/downloads`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ skill_id: skill.id, version: skill.version }),
+    });
+    if (!trackRes.ok) {
+      process.stderr.write(`${DIM}   [warn] download tracking failed (${trackRes.status})${RESET}\n`);
+    }
+  } catch {
+    // Network error — non-fatal
+  }
+
+  // 6. Success
   console.log(`${BOLD}${GREEN} ✓ Skill verified${RESET}`);
   console.log(`${DIM}   ${fullName} v${skill.version}${RESET}`);
   console.log(`${DIM}   → ${join(skillsDir, name)}${RESET}`);
@@ -354,6 +370,7 @@ async function pull(skillArg: string): Promise<void> {
 
 // --- Agent types ---
 interface AgentRow {
+  id: string;
   name: string;
   namespace: string;
   version: string;
@@ -379,7 +396,7 @@ async function agentPull(agentArg: string): Promise<void> {
   if (version !== null) {
     const { data, error } = await supabase
       .from('agents')
-      .select('name, namespace, version, content_hash, storage_path, config')
+      .select('id, name, namespace, version, content_hash, storage_path, config')
       .eq('namespace', namespace)
       .eq('name', name)
       .eq('version', version)
@@ -392,7 +409,7 @@ async function agentPull(agentArg: string): Promise<void> {
   } else {
     const { data, error } = await supabase
       .from('agents')
-      .select('name, namespace, version, content_hash, storage_path, config')
+      .select('id, name, namespace, version, content_hash, storage_path, config')
       .eq('namespace', namespace)
       .eq('name', name);
 
@@ -426,25 +443,60 @@ async function agentPull(agentArg: string): Promise<void> {
     fail('Verification failed', `Downloaded file does not match expected hash for ${fullName}`);
   }
 
-  // Warn about hooks/mcpServers if present
+  // Validate name has no path traversal characters
+  if (name.includes('/') || name.includes('\\') || name.includes('..')) {
+    fail('Invalid agent name', `Name "${name}" contains path traversal characters`);
+  }
+
+  // Ensure .claude/agents/ directory exists
+  const agentsDir = join(process.cwd(), '.claude', 'agents');
+  mkdirSync(agentsDir, { recursive: true });
+
+  // Validate resolved path stays within agentsDir
+  const targetPath = join(agentsDir, `${name}.md`);
+  if (!targetPath.startsWith(agentsDir)) {
+    fail('Invalid agent name', `Resolved path escapes agents directory`);
+  }
+
+  // Warn and confirm if hooks/mcpServers are present
   const config = agent.config;
+  let hasDangerous = false;
   if (config?.hooks) {
-    console.log(`\n${YELLOW}${BOLD} ⚠ This agent defines hooks:${RESET}`);
+    console.log(`\n${YELLOW}${BOLD} ⚠ This agent defines hooks (arbitrary command execution):${RESET}`);
     console.log(`${DIM}${JSON.stringify(config.hooks, null, 2)}${RESET}\n`);
+    hasDangerous = true;
   }
   if (config?.mcpServers) {
-    console.log(`\n${YELLOW}${BOLD} ⚠ This agent defines MCP servers:${RESET}`);
+    console.log(`\n${YELLOW}${BOLD} ⚠ This agent defines MCP servers (external connections):${RESET}`);
     console.log(`${DIM}${JSON.stringify(config.mcpServers, null, 2)}${RESET}\n`);
+    hasDangerous = true;
+  }
+  if (hasDangerous) {
+    const answer = await confirm({
+      message: 'This agent contains security-sensitive configuration. Install anyway?',
+    });
+    if (isCancel(answer) || !answer) {
+      fail('Aborted', 'Agent not installed');
+    }
   }
-
-  // Ensure .claude/agents/ directory exists
-  const agentsDir = join(process.cwd(), '.claude', 'agents');
-  mkdirSync(agentsDir, { recursive: true });
 
   // Write agent file
-  const targetPath = join(agentsDir, `${name}.md`);
   writeFileSync(targetPath, content);
 
+  // Record download (non-fatal)
+  try {
+    const trackRes = await fetch(`${API_BASE}/api/downloads`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ agent_id: agent.id, version: agent.version }),
+    });
+    if (!trackRes.ok) {
+      process.stderr.write(`${DIM}   [warn] download tracking failed (${trackRes.status})${RESET}\n`);
+    }
+  } catch {
+    // Network error — non-fatal
+  }
+
   console.log(`${BOLD}${GREEN} ✓ Agent verified${RESET}`);
   console.log(`${DIM}   ${fullName} v${agent.version}${RESET}`);
   console.log(`${DIM}   → ${targetPath}${RESET}`);

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "oathbound",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "description": "Install verified Claude Code skills and agents from the Oath Bound registry",
-  "license": "BUSL-1.1",
+  "license": "MIT",
   "author": "Josh Anderson",
   "homepage": "https://oathbound.ai",
   "repository": {

package/search.ts

@@ -6,6 +6,7 @@ export interface SearchOptions {
   query?: string;
   namespace?: string;
   sparse?: boolean;
+  sort?: 'downloads';
   limit?: number;
   offset?: number;
 }
@@ -21,6 +22,9 @@ export function parseSearchArgs(args: string[]): SearchOptions {
       opts.namespace = args[++i];
     } else if (arg === '--sparse' || arg === '-s') {
       opts.sparse = true;
+    } else if (arg === '--sort') {
+      const val = args[++i];
+      if (val === 'downloads') opts.sort = 'downloads';
     } else if (arg === '--limit') {
       opts.limit = parseInt(args[++i], 10);
     } else if (arg === '--offset') {
@@ -50,6 +54,7 @@ interface SkillResult {
   visibility?: string;
   author?: SkillAuthor;
   audit_status?: 'passed' | 'failed' | 'none';
+  download_count?: number;
 }
 
 interface SearchResponse {
@@ -66,6 +71,7 @@ export async function search(opts: SearchOptions): Promise<void> {
   if (opts.query) params.set('q', opts.query);
   if (opts.namespace) params.set('namespace', opts.namespace);
   if (opts.sparse) params.set('sparse', 'true');
+  if (opts.sort) params.set('sort', opts.sort);
   if (opts.limit != null) params.set('limit', String(opts.limit));
   if (opts.offset != null) params.set('offset', String(opts.offset));
 
@@ -132,6 +138,7 @@ export async function search(opts: SearchOptions): Promise<void> {
         parts.push(`by ${name}${skill.author.verified ? ' ✓' : ''}`);
       }
       if (skill.license) parts.push(skill.license);
+      if (skill.download_count != null) parts.push(`↓ ${skill.download_count}`);
       if (skill.audit_status && skill.audit_status !== 'none') {
         parts.push(skill.audit_status === 'passed' ? `${GREEN}audited${RESET}` : 'audit failed');
       }