oathbound 0.8.1 → 0.11.0

package/cli.ts

@@ -16,6 +16,7 @@ import {
   type EnforcementLevel, type MergeResult,
 } from './config';
 import { checkForUpdate, isNewer } from './update';
+import { isValidSemver, compareSemver } from './semver';
 import { verify, verifyCheck, findSkillsDir } from './verify';
 import { login, logout, whoami } from './auth';
 import { push } from './push';
@@ -25,7 +26,7 @@ export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type Mer
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult };
 
-const VERSION = '0.8.1';
+const VERSION = '0.11.0';
 
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
@@ -35,15 +36,24 @@ const SUPABASE_ANON_KEY = 'sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n';
 interface SkillRow {
   name: string;
   namespace: string;
-  version: number;
+  version: string;
   tar_hash: string;
   storage_path: string;
 }
 
-function parseSkillArg(arg: string): { namespace: string; name: string } | null {
+function parseSkillArg(arg: string): { namespace: string; name: string; version: string | null } | null {
   const slash = arg.indexOf('/');
   if (slash < 1 || slash === arg.length - 1) return null;
-  return { namespace: arg.slice(0, slash), name: arg.slice(slash + 1) };
+  const afterSlash = arg.slice(slash + 1);
+  const atIdx = afterSlash.indexOf('@');
+  if (atIdx === -1) {
+    return { namespace: arg.slice(0, slash), name: afterSlash, version: null };
+  }
+  const name = afterSlash.slice(0, atIdx);
+  if (!name) return null;
+  const vStr = afterSlash.slice(atIdx + 1);
+  if (!isValidSemver(vStr)) return null;
+  return { namespace: arg.slice(0, slash), name, version: vStr };
 }
 
 // --- Package manager detection ---
@@ -223,25 +233,41 @@ async function init(): Promise<void> {
 async function pull(skillArg: string): Promise<void> {
   const parsed = parseSkillArg(skillArg);
   if (!parsed) usage();
-  const { namespace, name } = parsed;
+  const { namespace, name, version } = parsed;
   const fullName = `${namespace}/${name}`;
 
-  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}...${RESET}`);
+  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}${version ? `@${version}` : ''}...${RESET}`);
 
   const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 
   // 1. Query for the skill
-  const { data: skill, error } = await supabase
-    .from('skills')
-    .select('name, namespace, version, tar_hash, storage_path')
-    .eq('namespace', namespace)
-    .eq('name', name)
-    .order('version', { ascending: false })
-    .limit(1)
-    .single<SkillRow>();
-
-  if (error || !skill) {
-    fail(`Skill not found: ${fullName}`);
+  let skill: SkillRow;
+
+  if (version !== null) {
+    const { data, error } = await supabase
+      .from('skills')
+      .select('name, namespace, version, tar_hash, storage_path')
+      .eq('namespace', namespace)
+      .eq('name', name)
+      .eq('version', version)
+      .single<SkillRow>();
+
+    if (error || !data) {
+      fail(`Skill not found: ${fullName}@${version}`);
+    }
+    skill = data;
+  } else {
+    // Fetch all versions, pick highest via semver comparison
+    const { data, error } = await supabase
+      .from('skills')
+      .select('name, namespace, version, tar_hash, storage_path')
+      .eq('namespace', namespace)
+      .eq('name', name);
+
+    if (error || !data || data.length === 0) {
+      fail(`Skill not found: ${fullName}`);
+    }
+    skill = (data as SkillRow[]).sort((a, b) => compareSemver(a.version, b.version)).at(-1)!;
   }
 
   // 2. Download the tar from storage
@@ -347,7 +373,10 @@ if (subcommand === 'init') {
     fail('Failed', msg);
   });
 } else if (subcommand === 'push') {
-  push(args[1]).catch((err: unknown) => {
+  const pushArgs = args.slice(1);
+  const isPrivate = pushArgs.includes('--private');
+  const pushPath = pushArgs.find(a => !a.startsWith('--'));
+  push(pushPath, { private: isPrivate }).catch((err: unknown) => {
     const msg = err instanceof Error ? err.message : 'Unknown error';
     fail('Push failed', msg);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.8.1",
+  "version": "0.11.0",
   "description": "Install verified Claude Code skills from the Oath Bound registry",
   "license": "BUSL-1.1",
   "author": "Josh Anderson",
@@ -31,6 +31,7 @@
     "content-hash.ts",
     "auth.ts",
     "push.ts",
+    "semver.ts",
     "bin/cli.cjs",
     "install.cjs"
   ],

package/push.ts

@@ -5,10 +5,11 @@ import { parse as yamlParse } from 'yaml';
 import { BRAND, GREEN, DIM, BOLD, RESET, fail, spinner } from './ui';
 import { getAccessToken } from './auth';
 import { collectFiles } from './content-hash';
+import { isValidSemver } from './semver';
 
 const API_BASE = process.env.OATHBOUND_API_URL ?? 'https://www.oathbound.ai';
 
-export async function push(pathArg?: string): Promise<void> {
+export async function push(pathArg?: string, options?: { private?: boolean }): Promise<void> {
   intro(BRAND);
 
   // Resolve skill directory
@@ -33,6 +34,8 @@ export async function push(pathArg?: string): Promise<void> {
   const name = String(meta.name ?? '');
   const description = String(meta.description ?? '');
   const license = String(meta.license ?? '');
+  const rawVersion = meta.version != null ? String(meta.version) : null;
+  const version = rawVersion && isValidSemver(rawVersion) ? rawVersion : null;
   if (!name) fail('SKILL.md frontmatter missing: name');
   if (!description) fail('SKILL.md frontmatter missing: description');
   if (!license) fail('SKILL.md frontmatter missing: license');
@@ -47,10 +50,15 @@ export async function push(pathArg?: string): Promise<void> {
   }));
 
   console.log(`${DIM}   name: ${name}${RESET}`);
+  console.log(`${DIM}   version: ${version ?? 'auto (next)'}${RESET}`);
   console.log(`${DIM}   license: ${license}${RESET}`);
   if (originalAuthor) {
     console.log(`${DIM}   original author: ${originalAuthor}${RESET}`);
   }
+  const visibility = options?.private ? 'private' : 'public';
+  if (options?.private) {
+    console.log(`${DIM}   visibility: ${BOLD}private${RESET}`);
+  }
   console.log(`${DIM}   ${files.length} file(s)${RESET}`);
 
   // Authenticate
@@ -69,9 +77,11 @@ export async function push(pathArg?: string): Promise<void> {
       name,
       description,
       license,
+      version,
       compatibility: String(meta.compatibility ?? '') || null,
       allowedTools: String(meta['allowed-tools'] ?? '') || null,
       originalAuthor: originalAuthor || null,
+      visibility,
       files,
     }),
   });
@@ -88,7 +98,7 @@ export async function push(pathArg?: string): Promise<void> {
 
   const result = await response.json();
 
-  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}`);
+  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}${GREEN} v${result.version}${RESET}`);
   if (result.suiObjectId) {
     console.log(`${DIM}   on-chain: ${result.suiObjectId}${RESET}`);
   }

package/semver.ts

@@ -0,0 +1,39 @@
+const SEMVER_RE = /^\d+\.\d+\.\d+$/;
+
+export interface SemverParts {
+  major: number;
+  minor: number;
+  patch: number;
+}
+
+/** Parse a semver string into parts. Returns null if invalid. */
+export function parseSemver(version: string): SemverParts | null {
+  if (!SEMVER_RE.test(version)) return null;
+  const [major, minor, patch] = version.split(".").map(Number);
+  return { major, minor, patch };
+}
+
+/** Validate a semver string (MAJOR.MINOR.PATCH). */
+export function isValidSemver(version: string): boolean {
+  return SEMVER_RE.test(version);
+}
+
+/**
+ * Compare two semver strings.
+ * Returns negative if a < b, 0 if equal, positive if a > b.
+ */
+export function compareSemver(a: string, b: string): number {
+  const pa = parseSemver(a);
+  const pb = parseSemver(b);
+  if (!pa || !pb) throw new Error(`Invalid semver: ${!pa ? a : b}`);
+  if (pa.major !== pb.major) return pa.major - pb.major;
+  if (pa.minor !== pb.minor) return pa.minor - pb.minor;
+  return pa.patch - pb.patch;
+}
+
+/** Bump the patch version: "1.2.3" -> "1.2.4" */
+export function bumpPatch(version: string): string {
+  const parts = parseSemver(version);
+  if (!parts) throw new Error(`Invalid semver: ${version}`);
+  return `${parts.major}.${parts.minor}.${parts.patch + 1}`;
+}

package/ui.ts

@@ -22,9 +22,9 @@ ${BOLD}oathbound${RESET} — install, verify, and publish skills
 
 ${DIM}Usage:${RESET}
   oathbound init                ${DIM}Setup wizard — configure project${RESET}
-  oathbound pull <namespace/skill-name>
-  oathbound install <namespace/skill-name>
-  oathbound push [path]         ${DIM}Publish a skill to the registry${RESET}
+  oathbound pull <namespace/skill-name[@version]>
+  oathbound install <namespace/skill-name[@version]>
+  oathbound push [path] [--private]  ${DIM}Publish a skill to the registry${RESET}
   oathbound login               ${DIM}Authenticate with oathbound.ai${RESET}
   oathbound logout              ${DIM}Clear stored credentials${RESET}
   oathbound whoami              ${DIM}Show current user${RESET}

package/verify.ts

@@ -5,9 +5,11 @@ import {
 } from 'node:fs';
 import { join, resolve } from 'node:path';
 import { tmpdir } from 'node:os';
+import { parse as yamlParse } from 'yaml';
 import { BRAND, TEAL, GREEN, RED, YELLOW, DIM, BOLD, RESET } from './ui';
 import { hashSkillDir } from './content-hash';
 import { readOathboundConfig, type EnforcementLevel } from './config';
+import { isValidSemver } from './semver';
 
 // --- Session state file ---
 interface SessionState {
@@ -137,6 +139,23 @@ function isExternalSkillAccess(
   return false;
 }
 
+function parseSkillVersion(skillDir: string): string | null {
+  const skillMdPath = join(skillDir, 'SKILL.md');
+  if (!existsSync(skillMdPath)) return null;
+  const content = readFileSync(skillMdPath, 'utf-8');
+  const match = content.match(/^---\s*\n([\s\S]*?)\n---\s*\n/);
+  if (!match) return null;
+  try {
+    const parsed = yamlParse(match[1]);
+    const v = parsed?.version;
+    if (v == null) return null;
+    const vStr = String(v);
+    return isValidSemver(vStr) ? vStr : null;
+  } catch {
+    return null;
+  }
+}
+
 // --- Verify (SessionStart hook) ---
 export async function verify(supabaseUrl: string, supabaseAnonKey: string): Promise<void> {
   let input: Record<string, unknown>;
@@ -174,18 +193,20 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(0);
   }
 
-  // Hash each local skill
-  const localHashes: Record<string, string> = {};
+  // Hash each local skill and parse version from SKILL.md
+  const localSkills: Record<string, { hash: string; version: string }> = {};
   for (const dir of skillDirs) {
     const fullPath = join(skillsDir, dir.name);
-    localHashes[dir.name] = hashSkillDir(fullPath);
+    const hash = hashSkillDir(fullPath);
+    const version = parseSkillVersion(fullPath) ?? "1.0.0"; // fallback for pre-semver installs
+    localSkills[dir.name] = { hash, version };
   }
 
   // Read enforcement config
   const config = readOathboundConfig();
   const enforcement: EnforcementLevel = config?.enforcement ?? 'warn';
 
-  // Fetch registry hashes from Supabase (latest version per skill name)
+  // Fetch registry data from Supabase (all versions)
   // If enforcement=audited, also fetch audit status
   const supabase = createClient(supabaseUrl, supabaseAnonKey);
   const selectFields = enforcement === 'audited'
@@ -201,19 +222,19 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(1);
   }
 
-  // Build lookup: skill name → latest content_hash (dedupe by taking first per name)
-  const registryHashes = new Map<string, string>();
-  const auditedSkills = new Set<string>(); // skills with at least one passed audit
+  // Build lookup: name → version → { hash, audited }
+  const registryMap = new Map<string, Map<string, { hash: string; audited: boolean }>>();
   for (const skill of skills ?? []) {
     if (!skill.content_hash) continue;
-    if (!registryHashes.has(skill.name)) {
-      registryHashes.set(skill.name, skill.content_hash);
+    if (!registryMap.has(skill.name)) {
+      registryMap.set(skill.name, new Map());
     }
-    if (enforcement === 'audited') {
-      const audits = (skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null;
-      if (audits?.some((a) => a.passed)) {
-        auditedSkills.add(skill.name);
-      }
+    const versionMap = registryMap.get(skill.name)!;
+    if (!versionMap.has(skill.version)) {
+      const audited = enforcement === 'audited'
+        ? ((skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null)?.some(a => a.passed) ?? false
+        : false;
+      versionMap.set(skill.version, { hash: skill.content_hash, audited });
     }
   }
 
@@ -223,29 +244,31 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
 
   process.stderr.write(`${BRAND} ${TEAL}verifying skills...${RESET}\n`);
 
-  for (const [name, localHash] of Object.entries(localHashes)) {
-    const registryHash = registryHashes.get(name);
-    if (!registryHash) {
-      process.stderr.write(`${DIM}   ${name}: ${localHash} (not in registry)${RESET}\n`);
+  for (const [name, { hash: localHash, version }] of Object.entries(localSkills)) {
+    const versionMap = registryMap.get(name);
+    const entry = versionMap?.get(version);
+
+    if (!entry) {
+      process.stderr.write(`${DIM}   ${name}@${version}: ${localHash} (not in registry)${RESET}\n`);
       if (enforcement === 'warn') {
         warnings.push({ name, reason: 'not in registry' });
-        verified[name] = localHash; // allow in warn mode
+        verified[name] = localHash;
       } else {
         rejected.push({ name, reason: 'not in registry' });
       }
-    } else if (localHash !== registryHash) {
-      process.stderr.write(`${RED}   ${name}: ${localHash} ≠ ${registryHash}${RESET}\n`);
+    } else if (localHash !== entry.hash) {
+      process.stderr.write(`${RED}   ${name}@${version}: ${localHash} ≠ ${entry.hash}${RESET}\n`);
       if (enforcement === 'warn') {
-        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
         verified[name] = localHash;
       } else {
-        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
       }
-    } else if (enforcement === 'audited' && !auditedSkills.has(name)) {
-      process.stderr.write(`${YELLOW}   ${name}: ${localHash} (registered but not audited)${RESET}\n`);
+    } else if (enforcement === 'audited' && !entry.audited) {
+      process.stderr.write(`${YELLOW}   ${name}@${version}: ${localHash} (registered but not audited)${RESET}\n`);
       rejected.push({ name, reason: 'no passed audit' });
     } else {
-      process.stderr.write(`${GREEN}   ${name}: ${localHash} ✓${RESET}\n`);
+      process.stderr.write(`${GREEN}   ${name}@${version}: ${localHash} ✓${RESET}\n`);
       verified[name] = localHash;
     }
   }