npm - oathbound - Versions diffs - 0.8.1 → 0.9.0 - Mend

oathbound 0.8.1 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli.ts CHANGED Viewed

@@ -25,7 +25,7 @@ export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type Mer
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult };
-const VERSION = '0.8.1';
+const VERSION = '0.9.0';
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
@@ -40,10 +40,19 @@ interface SkillRow {
   storage_path: string;
 }
-function parseSkillArg(arg: string): { namespace: string; name: string } | null {
+function parseSkillArg(arg: string): { namespace: string; name: string; version: number | null } | null {
   const slash = arg.indexOf('/');
   if (slash < 1 || slash === arg.length - 1) return null;
-  return { namespace: arg.slice(0, slash), name: arg.slice(slash + 1) };
+  const afterSlash = arg.slice(slash + 1);
+  const atIdx = afterSlash.indexOf('@');
+  if (atIdx === -1) {
+    return { namespace: arg.slice(0, slash), name: afterSlash, version: null };
+  }
+  const name = afterSlash.slice(0, atIdx);
+  if (!name) return null;
+  const vNum = Number(afterSlash.slice(atIdx + 1));
+  if (!Number.isInteger(vNum) || vNum < 1) return null;
+  return { namespace: arg.slice(0, slash), name, version: vNum };
 }
 // --- Package manager detection ---
@@ -223,25 +232,30 @@ async function init(): Promise<void> {
 async function pull(skillArg: string): Promise<void> {
   const parsed = parseSkillArg(skillArg);
   if (!parsed) usage();
-  const { namespace, name } = parsed;
+  const { namespace, name, version } = parsed;
   const fullName = `${namespace}/${name}`;
-  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}...${RESET}`);
+  console.log(`\n${BRAND} ${TEAL}↓ Pulling ${fullName}${version ? `@${version}` : ''}...${RESET}`);
   const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
   // 1. Query for the skill
-  const { data: skill, error } = await supabase
+  let query = supabase
     .from('skills')
     .select('name, namespace, version, tar_hash, storage_path')
     .eq('namespace', namespace)
-    .eq('name', name)
-    .order('version', { ascending: false })
-    .limit(1)
-    .single<SkillRow>();
+    .eq('name', name);
+  if (version !== null) {
+    query = query.eq('version', version);
+  } else {
+    query = query.order('version', { ascending: false }).limit(1);
+  }
+  const { data: skill, error } = await query.single<SkillRow>();
   if (error || !skill) {
-    fail(`Skill not found: ${fullName}`);
+    fail(`Skill not found: ${fullName}${version ? `@${version}` : ''}`);
   }
   // 2. Download the tar from storage

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.8.1",
+  "version": "0.9.0",
   "description": "Install verified Claude Code skills from the Oath Bound registry",
   "license": "BUSL-1.1",
   "author": "Josh Anderson",

package/push.ts CHANGED Viewed

@@ -33,6 +33,7 @@ export async function push(pathArg?: string): Promise<void> {
   const name = String(meta.name ?? '');
   const description = String(meta.description ?? '');
   const license = String(meta.license ?? '');
+  const version = typeof meta.version === 'number' && Number.isInteger(meta.version) && meta.version > 0 ? meta.version : null;
   if (!name) fail('SKILL.md frontmatter missing: name');
   if (!description) fail('SKILL.md frontmatter missing: description');
   if (!license) fail('SKILL.md frontmatter missing: license');
@@ -47,6 +48,7 @@ export async function push(pathArg?: string): Promise<void> {
   }));
   console.log(`${DIM}   name: ${name}${RESET}`);
+  console.log(`${DIM}   version: ${version ?? 'auto (next)'}${RESET}`);
   console.log(`${DIM}   license: ${license}${RESET}`);
   if (originalAuthor) {
     console.log(`${DIM}   original author: ${originalAuthor}${RESET}`);
@@ -69,6 +71,7 @@ export async function push(pathArg?: string): Promise<void> {
       name,
       description,
       license,
+      version,
       compatibility: String(meta.compatibility ?? '') || null,
       allowedTools: String(meta['allowed-tools'] ?? '') || null,
       originalAuthor: originalAuthor || null,
@@ -88,7 +91,7 @@ export async function push(pathArg?: string): Promise<void> {
   const result = await response.json();
-  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}`);
+  outro(`${GREEN}✓ Published ${BOLD}${result.namespace}/${result.name}${RESET}${GREEN} v${result.version}${RESET}`);
   if (result.suiObjectId) {
     console.log(`${DIM}   on-chain: ${result.suiObjectId}${RESET}`);
   }

package/ui.ts CHANGED Viewed

@@ -22,8 +22,8 @@ ${BOLD}oathbound${RESET} — install, verify, and publish skills
 ${DIM}Usage:${RESET}
   oathbound init                ${DIM}Setup wizard — configure project${RESET}
-  oathbound pull <namespace/skill-name>
-  oathbound install <namespace/skill-name>
+  oathbound pull <namespace/skill-name[@version]>
+  oathbound install <namespace/skill-name[@version]>
   oathbound push [path]         ${DIM}Publish a skill to the registry${RESET}
   oathbound login               ${DIM}Authenticate with oathbound.ai${RESET}
   oathbound logout              ${DIM}Clear stored credentials${RESET}

package/verify.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
 } from 'node:fs';
 import { join, resolve } from 'node:path';
 import { tmpdir } from 'node:os';
+import { parse as yamlParse } from 'yaml';
 import { BRAND, TEAL, GREEN, RED, YELLOW, DIM, BOLD, RESET } from './ui';
 import { hashSkillDir } from './content-hash';
 import { readOathboundConfig, type EnforcementLevel } from './config';
@@ -137,6 +138,21 @@ function isExternalSkillAccess(
   return false;
 }
+function parseSkillVersion(skillDir: string): number | null {
+  const skillMdPath = join(skillDir, 'SKILL.md');
+  if (!existsSync(skillMdPath)) return null;
+  const content = readFileSync(skillMdPath, 'utf-8');
+  const match = content.match(/^---\s*\n([\s\S]*?)\n---\s*\n/);
+  if (!match) return null;
+  try {
+    const parsed = yamlParse(match[1]);
+    const v = parsed?.version;
+    return typeof v === 'number' && Number.isInteger(v) && v > 0 ? v : null;
+  } catch {
+    return null;
+  }
+}
 // --- Verify (SessionStart hook) ---
 export async function verify(supabaseUrl: string, supabaseAnonKey: string): Promise<void> {
   let input: Record<string, unknown>;
@@ -174,18 +190,20 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(0);
   }
-  // Hash each local skill
-  const localHashes: Record<string, string> = {};
+  // Hash each local skill and parse version from SKILL.md
+  const localSkills: Record<string, { hash: string; version: number }> = {};
   for (const dir of skillDirs) {
     const fullPath = join(skillsDir, dir.name);
-    localHashes[dir.name] = hashSkillDir(fullPath);
+    const hash = hashSkillDir(fullPath);
+    const version = parseSkillVersion(fullPath) ?? 1; // fallback to v1 for pre-versioning installs
+    localSkills[dir.name] = { hash, version };
   }
   // Read enforcement config
   const config = readOathboundConfig();
   const enforcement: EnforcementLevel = config?.enforcement ?? 'warn';
-  // Fetch registry hashes from Supabase (latest version per skill name)
+  // Fetch registry data from Supabase (all versions)
   // If enforcement=audited, also fetch audit status
   const supabase = createClient(supabaseUrl, supabaseAnonKey);
   const selectFields = enforcement === 'audited'
@@ -201,19 +219,19 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
     process.exit(1);
   }
-  // Build lookup: skill name → latest content_hash (dedupe by taking first per name)
-  const registryHashes = new Map<string, string>();
-  const auditedSkills = new Set<string>(); // skills with at least one passed audit
+  // Build lookup: name → version → { hash, audited }
+  const registryMap = new Map<string, Map<number, { hash: string; audited: boolean }>>();
   for (const skill of skills ?? []) {
     if (!skill.content_hash) continue;
-    if (!registryHashes.has(skill.name)) {
-      registryHashes.set(skill.name, skill.content_hash);
+    if (!registryMap.has(skill.name)) {
+      registryMap.set(skill.name, new Map());
     }
-    if (enforcement === 'audited') {
-      const audits = (skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null;
-      if (audits?.some((a) => a.passed)) {
-        auditedSkills.add(skill.name);
-      }
+    const versionMap = registryMap.get(skill.name)!;
+    if (!versionMap.has(skill.version)) {
+      const audited = enforcement === 'audited'
+        ? ((skill as Record<string, unknown>).audits as Array<{ passed: boolean }> | null)?.some(a => a.passed) ?? false
+        : false;
+      versionMap.set(skill.version, { hash: skill.content_hash, audited });
     }
   }
@@ -223,29 +241,31 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
   process.stderr.write(`${BRAND} ${TEAL}verifying skills...${RESET}\n`);
-  for (const [name, localHash] of Object.entries(localHashes)) {
-    const registryHash = registryHashes.get(name);
-    if (!registryHash) {
-      process.stderr.write(`${DIM}   ${name}: ${localHash} (not in registry)${RESET}\n`);
+  for (const [name, { hash: localHash, version }] of Object.entries(localSkills)) {
+    const versionMap = registryMap.get(name);
+    const entry = versionMap?.get(version);
+    if (!entry) {
+      process.stderr.write(`${DIM}   ${name}@${version}: ${localHash} (not in registry)${RESET}\n`);
       if (enforcement === 'warn') {
         warnings.push({ name, reason: 'not in registry' });
-        verified[name] = localHash; // allow in warn mode
+        verified[name] = localHash;
       } else {
         rejected.push({ name, reason: 'not in registry' });
       }
-    } else if (localHash !== registryHash) {
-      process.stderr.write(`${RED}   ${name}: ${localHash} ≠ ${registryHash}${RESET}\n`);
+    } else if (localHash !== entry.hash) {
+      process.stderr.write(`${RED}   ${name}@${version}: ${localHash} ≠ ${entry.hash}${RESET}\n`);
       if (enforcement === 'warn') {
-        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        warnings.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
         verified[name] = localHash;
       } else {
-        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
+        rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${entry.hash.slice(0, 8)}…)` });
       }
-    } else if (enforcement === 'audited' && !auditedSkills.has(name)) {
-      process.stderr.write(`${YELLOW}   ${name}: ${localHash} (registered but not audited)${RESET}\n`);
+    } else if (enforcement === 'audited' && !entry.audited) {
+      process.stderr.write(`${YELLOW}   ${name}@${version}: ${localHash} (registered but not audited)${RESET}\n`);
       rejected.push({ name, reason: 'no passed audit' });
     } else {
-      process.stderr.write(`${GREEN}   ${name}: ${localHash} ✓${RESET}\n`);
+      process.stderr.write(`${GREEN}   ${name}@${version}: ${localHash} ✓${RESET}\n`);
       verified[name] = localHash;
     }
   }