oathbound 0.8.0 → 0.9.0

package/cli.ts

@@ -25,7 +25,7 @@ export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type Mer
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult };
 
-const VERSION = '0.8.0';
+const VERSION = '0.9.0';
 
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
@@ -40,10 +40,19 @@ interface SkillRow {
   storage_path: string;
 }
 
-function parseSkillArg(arg: string): { namespace: string; name: string } | null {
+function parseSkillArg(arg: string): { namespace: string; name: string; version: number | null } | null {
   const slash = arg.indexOf('/');
   if (slash < 1 || slash === arg.length - 1) return null;
-  return { namespace: arg.slice(0, slash), name: arg.slice(slash + 1) };
+  const afterSlash = arg.slice(slash + 1);
+  const atIdx = afterSlash.indexOf('@');
+  if (atIdx === -1) {
+    return { namespace: arg.slice(0, slash), name: afterSlash, version: null };
+  }
+  const name = afterSlash.slice(0, atIdx);
+  if (!name) return null;
+  const vNum = Number(afterSlash.slice(atIdx + 1));
+  if (!Number.isInteger(vNum) || vNum < 1) return null;
+  return { namespace: arg.slice(0, slash), name, version: vNum };
 }
 
 // --- Package manager detection ---
@@ -223,25 +232,30 @@ async function init(): Promise<void> {
 async function pull(skillArg: string): Promise<void> {
   const parsed = parseSkillArg(skillArg);
   if (!parsed) usage();
-  const { namespace, name } = parsed;
+  const { namespace, name, version } = parsed;
   const fullName = `${namespace}/${name}`;
 
-  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}...${RESET}`);
+  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}${version ? `@${version}` : ''}...${RESET}`);
 
   const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 
   // 1. Query for the skill
-  const { data: skill, error } = await supabase
+  let query = supabase
     .from('skills')
     .select('name, namespace, version, tar_hash, storage_path')
     .eq('namespace', namespace)
-    .eq('name', name)
-    .order('version', { ascending: false })
-    .limit(1)
-    .single<SkillRow>();
+    .eq('name', name);
+
+  if (version !== null) {
+    query = query.eq('version', version);
+  } else {
+    query = query.order('version', { ascending: false }).limit(1);
+  }
+
+  const { data: skill, error } = await query.single<SkillRow>();
 
   if (error || !skill) {
-    fail(`Skill not found: ${fullName}`);
+    fail(`Skill not found: ${fullName}${version ? `@${version}` : ''}`);
   }
 
   // 2. Download the tar from storage

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "Install verified Claude Code skills from the Oath Bound registry",
   "license": "BUSL-1.1",
   "author": "Josh Anderson",

package/push.ts

@@ -33,11 +33,12 @@ export async function push(pathArg?: string): Promise<void> {
   const name = String(meta.name ?? '');
   const description = String(meta.description ?? '');
   const license = String(meta.license ?? '');
+  const version = typeof meta.version === 'number' && Number.isInteger(meta.version) && meta.version > 0 ? meta.version : null;
   if (!name) fail('SKILL.md frontmatter missing: name');
   if (!description) fail('SKILL.md frontmatter missing: description');
   if (!license) fail('SKILL.md frontmatter missing: license');
 
-  const oathboundMeta = (meta.meta as Record<string, unknown> | undefined)?.oathbound as Record<string, unknown> | undefined;
+  const oathboundMeta = (meta.metadata as Record<string, unknown> | undefined)?.oathbound as Record<string, unknown> | undefined;
   const originalAuthor = String(oathboundMeta?.['original-author'] ?? '');
 
   // Build files array with root dir prefix (API expects rootDir/path format)
@@ -47,6 +48,7 @@ export async function push(pathArg?: string): Promise<void> {
   }));
 
   console.log(`${DIM}   name: ${name}${RESET}`);
+  console.log(`${DIM}   version: ${version ?? 'auto (next)'}${RESET}`);
   console.log(`${DIM}   license: ${license}${RESET}`);
   if (originalAuthor) {
     console.log(`${DIM}   original author: ${originalAuthor}${RESET}`);
@@ -69,6 +71,7 @@ export async function push(pathArg?: string): Promise<void> {
       name,
       description,
       license,
+      version,
       compatibility: String(meta.compatibility ?? '') || null,
       allowedTools: String(meta['allowed-tools'] ?? '') || null,
       originalAuthor: originalAuthor || null,
@@ -88,7 +91,7 @@ export async function push(pathArg?: string): Promise<void> {
 
   const result = await response.json();
 
-  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}`);
+  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}${GREEN} v${result.version}${RESET}`);
   if (result.suiObjectId) {
     console.log(`${DIM}   on-chain: ${result.suiObjectId}${RESET}`);
   }

package/ui.ts

@@ -22,8 +22,8 @@ ${BOLD}oathbound${RESET} — install, verify, and publish skills
 
 ${DIM}Usage:${RESET}
   oathbound init                ${DIM}Setup wizard — configure project${RESET}
-  oathbound pull <namespace/skill-name>
-  oathbound install <namespace/skill-name>
+  oathbound pull <namespace/skill-name[@version]>
+  oathbound install <namespace/skill-name[@version]>
   oathbound push [path]         ${DIM}Publish a skill to the registry${RESET}
   oathbound login               ${DIM}Authenticate with oathbound.ai${RESET}
   oathbound logout              ${DIM}Clear stored credentials${RESET}

package/verify.ts

@@ -5,6 +5,7 @@ import {
 } from 'node:fs';
 import { join, resolve } from 'node:path';
 import { tmpdir } from 'node:os';
+import { parse as yamlParse } from 'yaml';
 import { BRAND, TEAL, GREEN, RED, YELLOW, DIM, BOLD, RESET } from './ui';
 import { hashSkillDir } from './content-hash';
 import { readOathboundConfig, type EnforcementLevel } from './config';
@@ -137,6 +138,21 @@ function isExternalSkillAccess(
   return false;
 }
 
+function parseSkillVersion(skillDir: string): number | null {
+  const skillMdPath = join(skillDir, 'SKILL.md');
+  if (!existsSync(skillMdPath)) return null;
+  const content = readFileSync(skillMdPath, 'utf-8');
+  const match = content.match(/^---\s*\n([\s\S]*?)\n---\s*\n/);
+  if (!match) return null;
+  try {
+    const parsed = yamlParse(match[1]);
+    const v = parsed?.version;
+    return typeof v === 'number' && Number.isInteger(v) && v > 0 ? v : null;
+  } catch {
+    return null;
+  }
+}
+
 // --- Verify (SessionStart hook) ---
 export async function verify(supabaseUrl: string, supabaseAnonKey: string): Promise<void> {
   let input: Record<string, unknown>;
@@ -174,18 +190,20 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(0);
   }
 
-  // Hash each local skill
-  const localHashes: Record<string, string> = {};
+  // Hash each local skill and parse version from SKILL.md
+  const localSkills: Record<string, { hash: string; version: number }> = {};
   for (const dir of skillDirs) {
     const fullPath = join(skillsDir, dir.name);
-    localHashes[dir.name] = hashSkillDir(fullPath);
+    const hash = hashSkillDir(fullPath);
+    const version = parseSkillVersion(fullPath) ?? 1; // fallback to v1 for pre-versioning installs
+    localSkills[dir.name] = { hash, version };
   }
 
   // Read enforcement config
   const config = readOathboundConfig();
   const enforcement: EnforcementLevel = config?.enforcement ?? 'warn';
 
-  // Fetch registry hashes from Supabase (latest version per skill name)
+  // Fetch registry data from Supabase (all versions)
   // If enforcement=audited, also fetch audit status
   const supabase = createClient(supabaseUrl, supabaseAnonKey);
   const selectFields = enforcement === 'audited'
@@ -201,19 +219,19 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(1);
   }
 
-  // Build lookup: skill name → latest content_hash (dedupe by taking first per name)
-  const registryHashes = new Map<string, string>();
-  const auditedSkills = new Set<string>(); // skills with at least one passed audit
+  // Build lookup: name → version → { hash, audited }
+  const registryMap = new Map<string, Map<number, { hash: string; audited: boolean }>>();
   for (const skill of skills ?? []) {
     if (!skill.content_hash) continue;
-    if (!registryHashes.has(skill.name)) {
-      registryHashes.set(skill.name, skill.content_hash);
+    if (!registryMap.has(skill.name)) {
+      registryMap.set(skill.name, new Map());
     }
-    if (enforcement === 'audited') {
-      const audits = (skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null;
-      if (audits?.some((a) => a.passed)) {
-        auditedSkills.add(skill.name);
-      }
+    const versionMap = registryMap.get(skill.name)!;
+    if (!versionMap.has(skill.version)) {
+      const audited = enforcement === 'audited'
+        ? ((skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null)?.some(a => a.passed) ?? false
+        : false;
+      versionMap.set(skill.version, { hash: skill.content_hash, audited });
     }
   }
 
@@ -223,29 +241,31 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
 
   process.stderr.write(`${BRAND} ${TEAL}verifying skills...${RESET}\n`);
 
-  for (const [name, localHash] of Object.entries(localHashes)) {
-    const registryHash = registryHashes.get(name);
-    if (!registryHash) {
-      process.stderr.write(`${DIM}   ${name}: ${localHash} (not in registry)${RESET}\n`);
+  for (const [name, { hash: localHash, version }] of Object.entries(localSkills)) {
+    const versionMap = registryMap.get(name);
+    const entry = versionMap?.get(version);
+
+    if (!entry) {
+      process.stderr.write(`${DIM}   ${name}@${version}: ${localHash} (not in registry)${RESET}\n`);
       if (enforcement === 'warn') {
         warnings.push({ name, reason: 'not in registry' });
-        verified[name] = localHash; // allow in warn mode
+        verified[name] = localHash;
       } else {
         rejected.push({ name, reason: 'not in registry' });
       }
-    } else if (localHash !== registryHash) {
-      process.stderr.write(`${RED}   ${name}: ${localHash} ≠ ${registryHash}${RESET}\n`);
+    } else if (localHash !== entry.hash) {
+      process.stderr.write(`${RED}   ${name}@${version}: ${localHash} ≠ ${entry.hash}${RESET}\n`);
       if (enforcement === 'warn') {
-        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
         verified[name] = localHash;
       } else {
-        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
       }
-    } else if (enforcement === 'audited' && !auditedSkills.has(name)) {
-      process.stderr.write(`${YELLOW}   ${name}: ${localHash} (registered but not audited)${RESET}\n`);
+    } else if (enforcement === 'audited' && !entry.audited) {
+      process.stderr.write(`${YELLOW}   ${name}@${version}: ${localHash} (registered but not audited)${RESET}\n`);
       rejected.push({ name, reason: 'no passed audit' });
     } else {
-      process.stderr.write(`${GREEN}   ${name}: ${localHash} ✓${RESET}\n`);
+      process.stderr.write(`${GREEN}   ${name}@${version}: ${localHash} ✓${RESET}\n`);
       verified[name] = localHash;
     }
   }