oathbound 0.5.1 → 0.6.1

package/auth.ts

@@ -0,0 +1,219 @@
+import { createClient } from '@supabase/supabase-js';
+import { spawn } from 'node:child_process';
+import {
+  mkdirSync, writeFileSync, readFileSync, unlinkSync, existsSync,
+} from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { intro, outro } from '@clack/prompts';
+import { BRAND, GREEN, DIM, BOLD, RESET, fail, spinner } from './ui';
+
+const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
+const SUPABASE_ANON_KEY = 'sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n';
+const API_BASE = process.env.OATHBOUND_API_URL ?? 'https://oathbound.ai';
+
+const AUTH_DIR = join(homedir(), '.oathbound');
+const AUTH_FILE = join(AUTH_DIR, 'auth.json');
+
+interface StoredSession {
+  access_token: string;
+  refresh_token: string;
+  expires_at: number;
+}
+
+function saveSession(session: StoredSession): void {
+  mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(AUTH_FILE, JSON.stringify(session, null, 2), { mode: 0o600 });
+}
+
+function loadSession(): StoredSession | null {
+  if (!existsSync(AUTH_FILE)) return null;
+  try {
+    return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+function clearSession(): void {
+  if (existsSync(AUTH_FILE)) unlinkSync(AUTH_FILE);
+}
+
+function openBrowser(url: string): void {
+  const cmd = process.platform === 'darwin' ? 'open'
+    : process.platform === 'win32' ? 'cmd'
+    : 'xdg-open';
+  const args = process.platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  try {
+    spawn(cmd, args, { stdio: 'ignore', detached: true }).unref();
+  } catch {
+    // URL is already printed — user can open manually
+  }
+}
+
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html><head><title>Oathbound CLI</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0a0a0a;color:#e5e5e5">
+<div style="text-align:center">
+<h1 style="color:#3fa8a4">&#10003; Logged in</h1>
+<p>You can close this tab and return to your terminal.</p>
+</div></body></html>`;
+
+const ERROR_HTML = `<!DOCTYPE html>
+<html><head><title>Oathbound CLI</title></head>
+<body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0a0a0a;color:#e5e5e5">
+<div style="text-align:center">
+<h1 style="color:#ef4444">Login failed</h1>
+<p>Missing session tokens. Please try again.</p>
+</div></body></html>`;
+
+export async function login(): Promise<void> {
+  intro(BRAND);
+
+  let resolveSession: (s: StoredSession) => void;
+  let rejectSession: (e: Error) => void;
+  const sessionPromise = new Promise<StoredSession>((res, rej) => {
+    resolveSession = res;
+    rejectSession = rej;
+  });
+
+  const server = Bun.serve({
+    port: 0,
+    fetch(req) {
+      const url = new URL(req.url);
+      if (url.pathname !== '/callback') {
+        return new Response('Not found', { status: 404 });
+      }
+
+      const accessToken = url.searchParams.get('access_token');
+      const refreshToken = url.searchParams.get('refresh_token');
+      const expiresAt = url.searchParams.get('expires_at');
+
+      if (!accessToken || !refreshToken || !expiresAt) {
+        rejectSession!(new Error('Missing session tokens from callback'));
+        setTimeout(() => server.stop(), 500);
+        return new Response(ERROR_HTML, { headers: { 'Content-Type': 'text/html' } });
+      }
+
+      resolveSession!({
+        access_token: accessToken,
+        refresh_token: refreshToken,
+        expires_at: Number(expiresAt),
+      });
+
+      setTimeout(() => server.stop(), 500);
+      return new Response(SUCCESS_HTML, { headers: { 'Content-Type': 'text/html' } });
+    },
+  });
+
+  const port = server.port;
+  const loginUrl = `${API_BASE}/cli-login?port=${port}`;
+
+  console.log(`${DIM}   Opening browser...${RESET}`);
+  console.log(`${DIM}   If it doesn't open, visit:${RESET}`);
+  console.log(`${DIM}   ${loginUrl}${RESET}\n`);
+
+  openBrowser(loginUrl);
+
+  const spin = spinner('Waiting for login...');
+
+  const timeout = new Promise<never>((_, rej) =>
+    setTimeout(() => rej(new Error('Login timed out (2 minutes). Please try again.')), 120_000),
+  );
+
+  let session: StoredSession;
+  try {
+    session = await Promise.race([sessionPromise, timeout]);
+  } catch (err) {
+    spin.stop();
+    server.stop();
+    fail('Login failed', err instanceof Error ? err.message : 'Unknown error');
+  }
+
+  spin.stop();
+  saveSession(session);
+
+  // Get username for display
+  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
+    global: { headers: { Authorization: `Bearer ${session.access_token}` } },
+    auth: { autoRefreshToken: false, persistSession: false },
+  });
+
+  const { data: { user } } = await supabase.auth.getUser();
+  let displayName = user?.email ?? 'unknown';
+  if (user) {
+    const { data: userRecord } = await supabase
+      .from('users')
+      .select('username')
+      .eq('user_id', user.id)
+      .single();
+    if (userRecord?.username) displayName = userRecord.username;
+  }
+
+  outro(`Logged in as ${BOLD}${displayName}${RESET}`);
+}
+
+export async function logout(): Promise<void> {
+  clearSession();
+  console.log(`\n${BRAND} ${GREEN}✓ Logged out${RESET}`);
+}
+
+export async function getAccessToken(): Promise<string> {
+  const session = loadSession();
+  if (!session) {
+    fail('Not logged in', 'Run: oathbound login');
+  }
+
+  // Token still valid (with 60s buffer) — use it directly
+  const now = Math.floor(Date.now() / 1000);
+  if (session.expires_at > now + 60) {
+    return session.access_token;
+  }
+
+  // Token expired or expiring soon — refresh
+  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
+    auth: { autoRefreshToken: false, persistSession: false },
+  });
+
+  const { data, error } = await supabase.auth.setSession({
+    access_token: session.access_token,
+    refresh_token: session.refresh_token,
+  });
+
+  if (error || !data.session) {
+    clearSession();
+    fail('Session expired', 'Run: oathbound login');
+  }
+
+  saveSession({
+    access_token: data.session.access_token,
+    refresh_token: data.session.refresh_token,
+    expires_at: data.session.expires_at!,
+  });
+
+  return data.session.access_token;
+}
+
+export async function whoami(): Promise<void> {
+  const token = await getAccessToken();
+
+  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
+    global: { headers: { Authorization: `Bearer ${token}` } },
+    auth: { autoRefreshToken: false, persistSession: false },
+  });
+
+  const { data: { user }, error } = await supabase.auth.getUser();
+  if (error || !user) {
+    fail('Failed to get user', error?.message ?? 'Unknown error');
+  }
+
+  const { data: userRecord } = await supabase
+    .from('users')
+    .select('username')
+    .eq('user_id', user.id)
+    .single();
+
+  console.log(`\n${BRAND}`);
+  console.log(`  ${BOLD}Username:${RESET} ${userRecord?.username ?? 'not set'}`);
+  console.log(`  ${DIM}Email:${RESET}    ${user.email ?? 'unknown'}`);
+}

package/cli.ts

@@ -17,13 +17,15 @@ import {
 } from './config';
 import { checkForUpdate, isNewer } from './update';
 import { verify, verifyCheck, findSkillsDir } from './verify';
+import { login, logout, whoami } from './auth';
+import { push } from './push';
 
 // Re-exports for tests
 export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type MergeResult } from './config';
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult };
 
-const VERSION = '0.5.1';
+const VERSION = '0.6.1';
 
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
@@ -329,6 +331,26 @@ if (subcommand === 'init') {
     process.stderr.write(`oathbound verify: ${msg}\n`);
     process.exit(1);
   });
+} else if (subcommand === 'login') {
+  login().catch((err: unknown) => {
+    const msg = err instanceof Error ? err.message : 'Unknown error';
+    fail('Login failed', msg);
+  });
+} else if (subcommand === 'logout') {
+  logout().catch((err: unknown) => {
+    const msg = err instanceof Error ? err.message : 'Unknown error';
+    fail('Logout failed', msg);
+  });
+} else if (subcommand === 'whoami') {
+  whoami().catch((err: unknown) => {
+    const msg = err instanceof Error ? err.message : 'Unknown error';
+    fail('Failed', msg);
+  });
+} else if (subcommand === 'push') {
+  push(args[1]).catch((err: unknown) => {
+    const msg = err instanceof Error ? err.message : 'Unknown error';
+    fail('Push failed', msg);
+  });
 } else {
   const PULL_ALIASES = new Set(['pull', 'i', 'install']);
   const skillArg = args[1];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.5.1",
+  "version": "0.6.1",
   "description": "Install verified Claude Code skills from the Oath Bound registry",
   "license": "BUSL-1.1",
   "author": "Josh Anderson",
@@ -29,6 +29,8 @@
     "update.ts",
     "verify.ts",
     "content-hash.ts",
+    "auth.ts",
+    "push.ts",
     "bin/cli.cjs",
     "install.cjs"
   ],

package/push.ts

@@ -0,0 +1,118 @@
+import { existsSync, statSync } from 'node:fs';
+import { join, basename, resolve } from 'node:path';
+import { intro, outro } from '@clack/prompts';
+import { BRAND, GREEN, DIM, BOLD, RESET, fail, spinner } from './ui';
+import { getAccessToken } from './auth';
+import { collectFiles } from './content-hash';
+
+const API_BASE = process.env.OATHBOUND_API_URL ?? 'https://oathbound.ai';
+
+export async function push(pathArg?: string): Promise<void> {
+  intro(BRAND);
+
+  // Resolve skill directory
+  const skillDir = resolveSkillDir(pathArg);
+  console.log(`${DIM}   directory: ${skillDir}${RESET}`);
+
+  // Read and validate SKILL.md exists
+  if (!existsSync(join(skillDir, 'SKILL.md'))) {
+    fail('No SKILL.md found', `Expected at ${join(skillDir, 'SKILL.md')}`);
+  }
+
+  // Collect files
+  const rawFiles = collectFiles(skillDir);
+
+  // Parse SKILL.md frontmatter to extract metadata
+  const skillMdFile = rawFiles.find(f => f.path === 'SKILL.md');
+  if (!skillMdFile) fail('SKILL.md not found in collected files');
+
+  const meta = parseFrontmatter(skillMdFile.content.toString('utf-8'));
+  if (!meta.name) fail('SKILL.md frontmatter missing: name');
+  if (!meta.description) fail('SKILL.md frontmatter missing: description');
+  if (!meta.license) fail('SKILL.md frontmatter missing: license');
+
+  // Build files array with root dir prefix (API expects rootDir/path format)
+  const files = rawFiles.map(f => ({
+    path: `${meta.name}/${f.path}`,
+    content: f.content.toString('utf-8'),
+  }));
+
+  console.log(`${DIM}   name: ${meta.name}${RESET}`);
+  console.log(`${DIM}   license: ${meta.license}${RESET}`);
+  console.log(`${DIM}   ${files.length} file(s)${RESET}`);
+
+  // Authenticate
+  const token = await getAccessToken();
+
+  // Push to API
+  const spin = spinner('Pushing...');
+
+  const response = await fetch(`${API_BASE}/api/skills`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({
+      name: meta.name,
+      description: meta.description,
+      license: meta.license,
+      compatibility: meta.compatibility || null,
+      allowedTools: meta['allowed-tools'] || null,
+      files,
+    }),
+  });
+
+  spin.stop();
+
+  if (!response.ok) {
+    const body = await response.json().catch(() => ({ error: 'Unknown error' }));
+    const details = Array.isArray(body.details)
+      ? '\n' + body.details.map((d: string) => `   - ${d}`).join('\n')
+      : '';
+    fail(`Push failed (${response.status})`, `${body.error}${details}`);
+  }
+
+  const result = await response.json();
+
+  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}`);
+  if (result.suiObjectId) {
+    console.log(`${DIM}   on-chain: ${result.suiObjectId}${RESET}`);
+  }
+}
+
+function resolveSkillDir(pathArg?: string): string {
+  if (pathArg) {
+    const resolved = resolve(pathArg);
+    if (!existsSync(resolved) || !statSync(resolved).isDirectory()) {
+      fail('Invalid path', `${resolved} is not a directory`);
+    }
+    return resolved;
+  }
+
+  // No path given — check if cwd has a SKILL.md
+  if (existsSync(join(process.cwd(), 'SKILL.md'))) {
+    return process.cwd();
+  }
+
+  fail(
+    'No skill directory found',
+    'Run from within a skill directory or pass a path: oathbound push ./my-skill',
+  );
+}
+
+/** Lightweight frontmatter parser (mirrors frontend/lib/skill-validator.ts) */
+function parseFrontmatter(content: string): Record<string, string> {
+  const match = content.match(/^---\s*\n([\s\S]*?)\n---\s*\n/);
+  if (!match) return {};
+
+  const meta: Record<string, string> = {};
+  for (const line of match[1].split('\n')) {
+    const idx = line.indexOf(':');
+    if (idx === -1) continue;
+    const key = line.slice(0, idx).trim();
+    const value = line.slice(idx + 1).trim();
+    if (key) meta[key] = value;
+  }
+  return meta;
+}

package/ui.ts

@@ -12,12 +12,16 @@ export const BRAND = `${TEAL}${BOLD}🛡️ oathbound${RESET}`;
 
 export function usage(exitCode = 1): never {
   console.log(`
-${BOLD}oathbound${RESET} — install and verify skills
+${BOLD}oathbound${RESET} — install, verify, and publish skills
 
 ${DIM}Usage:${RESET}
   oathbound init                ${DIM}Setup wizard — configure project${RESET}
   oathbound pull <namespace/skill-name>
   oathbound install <namespace/skill-name>
+  oathbound push [path]         ${DIM}Publish a skill to the registry${RESET}
+  oathbound login               ${DIM}Authenticate with oathbound.ai${RESET}
+  oathbound logout              ${DIM}Clear stored credentials${RESET}
+  oathbound whoami              ${DIM}Show current user${RESET}
   oathbound verify              ${DIM}SessionStart hook — verify all skills${RESET}
   oathbound verify --check      ${DIM}PreToolUse hook — check skill integrity${RESET}