oathbound 0.17.0 → 0.17.1

package/README.md

@@ -1,53 +1,80 @@
 # oathbound
 
-Install and verify Claude Code skills from the [Oath Bound](https://oathbound.ai) registry.
+Install, verify, and publish Claude Code skills and agents from the [Oath Bound](https://oathbound.ai) registry.
 
-Skills are downloaded as tarballs from the registry and verified using SHA-256 content hashing. Every session start and every tool invocation can be checked against the registry to detect tampering.
+Skills and agents are downloaded as tarballs from the registry and verified using SHA-256 content hashing. Every session start and every tool invocation can be checked against the registry to detect tampering.
 
 ## Installation
 
-Requires the [Bun](https://bun.sh) runtime.
+```sh
+npm install -g oathbound
+```
+
+Or via npx (no install required):
 
 ```sh
-bun add -g oathbound
+npx oathbound <command>
 ```
 
-Or via npm:
+## Quick start
 
 ```sh
-npm install -g oathbound
+oathbound init
 ```
 
-## Usage
+The `init` wizard sets up Claude Code hooks (globally and in the current project) so that skills are verified on every session start and tool invocation.
+
+## Commands
 
-### Install a skill
+### Skills
 
 ```sh
-oathbound pull <namespace/skill-name>
-oathbound install <namespace/skill-name>
+oathbound pull <namespace/skill[@version]> [--global]   # Download & verify a skill
+oathbound push [path] [--private]                        # Publish a skill to the registry
+oathbound search [query]                                 # Search skills in the registry
+oathbound list                                           # List all public skills
 ```
 
-Downloads the latest version of a skill from the registry, verifies the tarball hash, and extracts it into your `.claude/skills/` directory.
+`pull` (aliases: `install`, `i`) downloads the latest version of a skill from the registry, verifies the tarball hash, and extracts it into `.claude/skills/`. Pin a specific version with `@1.2.3`. Use `--global` to install into `~/.claude/skills/` instead of the project directory.
+
+### Agents
 
-### Verify all installed skills (SessionStart hook)
+```sh
+oathbound agent pull <namespace/name[@version]>   # Download an agent
+oathbound agent push [path] [--private]            # Publish an agent .md file
+oathbound agent search [query]                     # Search agents in the registry
+oathbound agent list                               # List all public agents
+```
+
+### Verification (hooks)
 
 ```sh
-oathbound verify
+oathbound verify          # SessionStart hook — verify all installed skills
+oathbound verify --check  # PreToolUse hook — check skill integrity mid-session
 ```
 
-Reads session context from stdin, hashes every skill directory under `.claude/skills/`, and compares each hash against the registry. Writes a session state file so subsequent checks are fast. Exits non-zero if any skill fails verification.
+### Auth
 
-### Check a skill before tool execution (PreToolUse hook)
+```sh
+oathbound login    # Authenticate with oathbound.ai
+oathbound logout   # Clear stored credentials
+oathbound whoami   # Show current user
+```
+
+### Setup
 
 ```sh
-oathbound verify --check
+oathbound init [--global|--local]   # Interactive setup wizard
+oathbound setup                     # Non-interactive (runs via npm prepare hook)
 ```
 
-Reads tool invocation context from stdin, re-hashes the relevant skill directory, and compares it against the hash recorded at session start. If the skill was modified after verification, the hook denies execution.
+`init` configures Claude Code hooks in your settings. By default it sets up both global (`~/.claude/settings.json`) and local (`.claude/settings.json`) hooks. Pass `--global` or `--local` to configure only one scope.
+
+`setup` is meant to run automatically via the `prepare` script when someone installs your project's dependencies. It reads `.oathbound.jsonc` and merges hooks into `.claude/settings.json` without prompts.
 
 ## Hook integration
 
-oathbound is designed to run as [Claude Code hooks](https://docs.anthropic.com/en/docs/claude-code/hooks). Add it to your `.claude/settings.json`:
+oathbound is designed to run as [Claude Code hooks](https://docs.anthropic.com/en/docs/claude-code/hooks). The easiest way to set this up is `oathbound init`, which adds the hooks to your `.claude/settings.json`:
 
 ```json
 {
@@ -70,14 +97,14 @@ oathbound is designed to run as [Claude Code hooks](https://docs.anthropic.com/e
 
 ## How it works
 
-1. **Pull**: Downloads a skill tarball from Supabase storage, verifies the SHA-256 hash of the tarball against the registry, and extracts the skill into `.claude/skills/`.
+1. **Pull**: Downloads a skill tarball from the registry, verifies the SHA-256 hash of the tarball, and extracts the skill into `.claude/skills/`.
 
 2. **SessionStart verification**: Walks each subdirectory in `.claude/skills/`, collects all files (excluding `node_modules`, lockfiles, and `.DS_Store`), sorts them by path, hashes each file with SHA-256, then hashes the combined manifest. The resulting content hash is compared against the registry. Verified hashes are written to a temporary session state file.
 
 3. **PreToolUse verification**: Re-hashes the skill directory on disk and compares it against the hash saved at session start. If the content has changed since verification, the tool invocation is denied. This detects mid-session tampering.
 
-The content hash algorithm is deterministic: files are sorted lexicographically by relative path, each file is individually hashed, and the concatenated `path\0hash` lines are hashed together. The same algorithm runs on both the registry (frontend) and the CLI to guarantee parity.
+The content hash algorithm is deterministic: files are sorted lexicographically by relative path, each file is individually hashed, and the concatenated `path\0hash` lines are hashed together. The same algorithm runs on both the registry and the CLI to guarantee parity.
 
 ## License
 
-Business Source License 1.1 (BUSL-1.1). The Change Date is 2028-03-04, after which the code is available under Apache 2.0.
+MIT

package/dist/cli.cjs

@@ -17954,6 +17954,13 @@ ${TEAL}${BOLD}⬡ oathbound${RESET} ${YELLOW}⚠ Warning:${RESET} skill ${BOLD}"
 `);
   process.exit(0);
 }
+function enforceSkill(skillName, reason, enforcement) {
+  if (enforcement === "warn") {
+    warnSkill(skillName, reason);
+  } else {
+    denySkill(skillName, reason, enforcement);
+  }
+}
 function isExternalSkillAccess(toolName, toolInput, knownDirs, baseName) {
   const resolvedDirs = knownDirs.map((d) => import_node_path5.resolve(d));
   const isUnderKnownDir = (p) => {
@@ -18212,27 +18219,15 @@ async function verifyCheck() {
     process.exit(0);
   }
   if (!skillDir || !import_node_fs5.existsSync(skillDir) || !import_node_fs5.statSync(skillDir).isDirectory()) {
-    if (enforcement === "warn") {
-      warnSkill(baseName, "not installed locally");
-    } else {
-      denySkill(baseName, "not installed locally", enforcement);
-    }
+    enforceSkill(baseName, "not installed locally", enforcement);
   }
   const currentHash = hashSkillDir(skillDir);
   const sessionHash = state.verified[baseName];
   if (!sessionHash) {
-    if (enforcement === "warn") {
-      warnSkill(baseName, "not verified at session start");
-    } else {
-      denySkill(baseName, "not verified at session start", enforcement);
-    }
+    enforceSkill(baseName, "not verified at session start", enforcement);
   }
   if (currentHash !== sessionHash) {
-    if (enforcement === "warn") {
-      warnSkill(baseName, `modified since session start (${currentHash.slice(0, 8)}… ≠ ${sessionHash.slice(0, 8)}…)`);
-    } else {
-      denySkill(baseName, `modified since session start — tampering detected (${currentHash.slice(0, 8)}… ≠ ${sessionHash.slice(0, 8)}…)`, enforcement);
-    }
+    enforceSkill(baseName, `modified since session start (${currentHash.slice(0, 8)}… ≠ ${sessionHash.slice(0, 8)}…)`, enforcement);
   }
   process.stderr.write(`${GREEN}   ${baseName}: ${currentHash} ✓${RESET}
 `);
@@ -18245,9 +18240,13 @@ var import_node_fs6 = require("node:fs");
 var import_node_http = require("node:http");
 var import_node_path6 = require("node:path");
 var import_node_os3 = require("node:os");
+
+// constants.ts
 var SUPABASE_URL = "https://mjnfqagwuewhgwbtrdgs.supabase.co";
 var SUPABASE_ANON_KEY = "sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n";
 var API_BASE = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
+
+// auth.ts
 var AUTH_DIR = import_node_path6.join(import_node_os3.homedir(), ".oathbound");
 var AUTH_FILE = import_node_path6.join(AUTH_DIR, "auth.json");
 function saveSession(session) {
@@ -18383,7 +18382,7 @@ async function getAccessToken() {
   saveSession({
     access_token: data.session.access_token,
     refresh_token: data.session.refresh_token,
-    expires_at: data.session.expires_at
+    expires_at: data.session.expires_at ?? Math.floor(Date.now() / 1000) + 3600
   });
   return data.session.access_token;
 }
@@ -18408,7 +18407,6 @@ ${BRAND}`);
 var import_node_fs7 = require("node:fs");
 var import_node_path7 = require("node:path");
 var import_yaml2 = __toESM(require_dist(), 1);
-var API_BASE2 = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
 async function push(pathArg, options) {
   Wt2(BRAND);
   const skillDir = resolveSkillDir(pathArg);
@@ -18452,7 +18450,7 @@ async function push(pathArg, options) {
   console.log(`${DIM}   ${files.length} file(s)${RESET}`);
   const token = await getAccessToken();
   const spin = spinner("Pushing...");
-  const response = await fetch(`${API_BASE2}/api/skills`, {
+  const response = await fetch(`${API_BASE}/api/skills`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -18506,7 +18504,6 @@ function parseFrontmatter(content) {
 }
 
 // search.ts
-var API_BASE3 = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
 function parseSearchArgs(args) {
   const opts = {};
   let i = 0;
@@ -18545,7 +18542,7 @@ async function search(opts) {
     params.set("limit", String(opts.limit));
   if (opts.offset != null)
     params.set("offset", String(opts.offset));
-  const url = `${API_BASE3}/api/skills?${params}`;
+  const url = `${API_BASE}/api/skills?${params}`;
   const sp = spinner("Searching...");
   let res;
   try {
@@ -18618,7 +18615,6 @@ ${BRAND} ${TEAL}${showing}${RESET}
 var import_node_fs8 = require("node:fs");
 var import_node_path8 = require("node:path");
 var import_yaml3 = __toESM(require_dist(), 1);
-var API_BASE4 = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
 function parseAgentFrontmatter(content) {
   const match = content.match(/^---\s*\n([\s\S]*?)\n---\s*\n([\s\S]*)$/);
   if (!match)
@@ -18720,7 +18716,7 @@ async function agentPush(pathArg, options) {
     visibility
   };
   const spin = spinner("Pushing...");
-  const response = await fetch(`${API_BASE4}/api/agents`, {
+  const response = await fetch(`${API_BASE}/api/agents`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -18744,7 +18740,6 @@ async function agentPush(pathArg, options) {
 }
 
 // agent-search.ts
-var API_BASE5 = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
 function parseAgentSearchArgs(args) {
   const opts = {};
   let i = 0;
@@ -18783,7 +18778,7 @@ async function agentSearch(opts) {
     params.set("limit", String(opts.limit));
   if (opts.offset != null)
     params.set("offset", String(opts.offset));
-  const url = `${API_BASE5}/api/agents?${params}`;
+  const url = `${API_BASE}/api/agents?${params}`;
   const sp = spinner("Searching agents...");
   let res;
   try {
@@ -18855,10 +18850,7 @@ ${BRAND} ${TEAL}${showing}${RESET}
   }
 }
 // cli.ts
-var VERSION = "0.17.0";
-var SUPABASE_URL2 = "https://mjnfqagwuewhgwbtrdgs.supabase.co";
-var SUPABASE_ANON_KEY2 = "sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n";
-var API_BASE6 = process.env.OATHBOUND_API_URL ?? "https://www.oathbound.ai";
+var VERSION = "0.17.1";
 function parseSkillArg(arg) {
   const slash = arg.indexOf("/");
   if (slash < 1 || slash === arg.length - 1)
@@ -19039,7 +19031,7 @@ async function pull(skillArg, options = {}) {
   await ensureInitialized();
   console.log(`
 ${BRAND} ${TEAL}↓ Pulling ${fullName}${version3 ? `@${version3}` : ""}...${RESET}`);
-  const supabase = createClient(SUPABASE_URL2, SUPABASE_ANON_KEY2);
+  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
   let skill;
   if (version3 !== null) {
     const { data, error } = await supabase.from("skills").select("id, name, namespace, version, tar_hash, storage_path").eq("namespace", namespace).eq("name", name).eq("version", version3).single();
@@ -19093,7 +19085,7 @@ ${BRAND} ${TEAL}↓ Pulling ${fullName}${version3 ? `@${version3}` : ""}...${RES
   }
   import_node_fs9.unlinkSync(tarFile);
   try {
-    const trackRes = await fetch(`${API_BASE6}/api/downloads`, {
+    const trackRes = await fetch(`${API_BASE}/api/downloads`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ skill_id: skill.id, version: skill.version })
@@ -19115,7 +19107,7 @@ async function agentPull(agentArg) {
   const fullName = `${namespace}/${name}`;
   console.log(`
 ${BRAND} ${TEAL}↓ Pulling agent ${fullName}${version3 ? `@${version3}` : ""}...${RESET}`);
-  const supabase = createClient(SUPABASE_URL2, SUPABASE_ANON_KEY2);
+  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
   let agent;
   if (version3 !== null) {
     const { data, error } = await supabase.from("agents").select("id, name, namespace, version, content_hash, storage_path, config").eq("namespace", namespace).eq("name", name).eq("version", version3).single();
@@ -19178,7 +19170,7 @@ ${YELLOW}${BOLD} ⚠ This agent defines MCP servers (external connections):${RES
   }
   import_node_fs9.writeFileSync(targetPath, content);
   try {
-    const trackRes = await fetch(`${API_BASE6}/api/downloads`, {
+    const trackRes = await fetch(`${API_BASE}/api/downloads`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ agent_id: agent.id, version: agent.version })
@@ -19243,7 +19235,7 @@ if (require.main == module) {
       setup();
     } else if (subcommand === "verify") {
       const isCheck = args.includes("--check");
-      const run = isCheck ? verifyCheck : () => verify(SUPABASE_URL2, SUPABASE_ANON_KEY2, VERSION);
+      const run = isCheck ? verifyCheck : () => verify(SUPABASE_URL, SUPABASE_ANON_KEY, VERSION);
       await run().catch((err) => {
         const msg = err instanceof Error ? err.message : "Unknown error";
         process.stderr.write(`oathbound verify: ${msg}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.17.0",
+  "version": "0.17.1",
   "description": "Install verified Claude Code skills and agents from the Oath Bound registry",
   "license": "MIT",
   "author": "Josh Anderson",