oathbound 0.9.0 → 0.11.0

package/cli.ts

@@ -16,6 +16,7 @@ import {
   type EnforcementLevel, type MergeResult,
 } from './config';
 import { checkForUpdate, isNewer } from './update';
+import { isValidSemver, compareSemver } from './semver';
 import { verify, verifyCheck, findSkillsDir } from './verify';
 import { login, logout, whoami } from './auth';
 import { push } from './push';
@@ -25,7 +26,7 @@ export { stripJsoncComments, writeOathboundConfig, mergeClaudeSettings, type Mer
 export { isNewer } from './update';
 export { installDevDependency, type InstallResult, setup, addPrepareScript, type PrepareResult };
 
-const VERSION = '0.9.0';
+const VERSION = '0.11.0';
 
 // --- Supabase ---
 const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
@@ -35,12 +36,12 @@ const SUPABASE_ANON_KEY = 'sb_publishable_T-rk0azNRqAMLLGCyadyhQ_ulk9685n';
 interface SkillRow {
   name: string;
   namespace: string;
-  version: number;
+  version: string;
   tar_hash: string;
   storage_path: string;
 }
 
-function parseSkillArg(arg: string): { namespace: string; name: string; version: number | null } | null {
+function parseSkillArg(arg: string): { namespace: string; name: string; version: string | null } | null {
   const slash = arg.indexOf('/');
   if (slash < 1 || slash === arg.length - 1) return null;
   const afterSlash = arg.slice(slash + 1);
@@ -50,9 +51,9 @@ function parseSkillArg(arg: string): { namespace: string; name: string; version:
   }
   const name = afterSlash.slice(0, atIdx);
   if (!name) return null;
-  const vNum = Number(afterSlash.slice(atIdx + 1));
-  if (!Number.isInteger(vNum) || vNum < 1) return null;
-  return { namespace: arg.slice(0, slash), name, version: vNum };
+  const vStr = afterSlash.slice(atIdx + 1);
+  if (!isValidSemver(vStr)) return null;
+  return { namespace: arg.slice(0, slash), name, version: vStr };
 }
 
 // --- Package manager detection ---
@@ -240,22 +241,33 @@ async function pull(skillArg: string): Promise<void> {
   const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 
   // 1. Query for the skill
-  let query = supabase
-    .from('skills')
-    .select('name, namespace, version, tar_hash, storage_path')
-    .eq('namespace', namespace)
-    .eq('name', name);
+  let skill: SkillRow;
 
   if (version !== null) {
-    query = query.eq('version', version);
+    const { data, error } = await supabase
+      .from('skills')
+      .select('name, namespace, version, tar_hash, storage_path')
+      .eq('namespace', namespace)
+      .eq('name', name)
+      .eq('version', version)
+      .single<SkillRow>();
+
+    if (error || !data) {
+      fail(`Skill not found: ${fullName}@${version}`);
+    }
+    skill = data;
   } else {
-    query = query.order('version', { ascending: false }).limit(1);
-  }
-
-  const { data: skill, error } = await query.single<SkillRow>();
-
-  if (error || !skill) {
-    fail(`Skill not found: ${fullName}${version ? `@${version}` : ''}`);
+    // Fetch all versions, pick highest via semver comparison
+    const { data, error } = await supabase
+      .from('skills')
+      .select('name, namespace, version, tar_hash, storage_path')
+      .eq('namespace', namespace)
+      .eq('name', name);
+
+    if (error || !data || data.length === 0) {
+      fail(`Skill not found: ${fullName}`);
+    }
+    skill = (data as SkillRow[]).sort((a, b) => compareSemver(a.version, b.version)).at(-1)!;
   }
 
   // 2. Download the tar from storage
@@ -361,7 +373,10 @@ if (subcommand === 'init') {
     fail('Failed', msg);
   });
 } else if (subcommand === 'push') {
-  push(args[1]).catch((err: unknown) => {
+  const pushArgs = args.slice(1);
+  const isPrivate = pushArgs.includes('--private');
+  const pushPath = pushArgs.find(a => !a.startsWith('--'));
+  push(pushPath, { private: isPrivate }).catch((err: unknown) => {
     const msg = err instanceof Error ? err.message : 'Unknown error';
     fail('Push failed', msg);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oathbound",
-  "version": "0.9.0",
+  "version": "0.11.0",
   "description": "Install verified Claude Code skills from the Oath Bound registry",
   "license": "BUSL-1.1",
   "author": "Josh Anderson",
@@ -31,6 +31,7 @@
     "content-hash.ts",
     "auth.ts",
     "push.ts",
+    "semver.ts",
     "bin/cli.cjs",
     "install.cjs"
   ],

package/push.ts

@@ -5,10 +5,11 @@ import { parse as yamlParse } from 'yaml';
 import { BRAND, GREEN, DIM, BOLD, RESET, fail, spinner } from './ui';
 import { getAccessToken } from './auth';
 import { collectFiles } from './content-hash';
+import { isValidSemver } from './semver';
 
 const API_BASE = process.env.OATHBOUND_API_URL ?? 'https://www.oathbound.ai';
 
-export async function push(pathArg?: string): Promise<void> {
+export async function push(pathArg?: string, options?: { private?: boolean }): Promise<void> {
   intro(BRAND);
 
   // Resolve skill directory
@@ -33,7 +34,8 @@ export async function push(pathArg?: string): Promise<void> {
   const name = String(meta.name ?? '');
   const description = String(meta.description ?? '');
   const license = String(meta.license ?? '');
-  const version = typeof meta.version === 'number' && Number.isInteger(meta.version) && meta.version > 0 ? meta.version : null;
+  const rawVersion = meta.version != null ? String(meta.version) : null;
+  const version = rawVersion && isValidSemver(rawVersion) ? rawVersion : null;
   if (!name) fail('SKILL.md frontmatter missing: name');
   if (!description) fail('SKILL.md frontmatter missing: description');
   if (!license) fail('SKILL.md frontmatter missing: license');
@@ -53,6 +55,10 @@ export async function push(pathArg?: string): Promise<void> {
   if (originalAuthor) {
     console.log(`${DIM}   original author: ${originalAuthor}${RESET}`);
   }
+  const visibility = options?.private ? 'private' : 'public';
+  if (options?.private) {
+    console.log(`${DIM}   visibility: ${BOLD}private${RESET}`);
+  }
   console.log(`${DIM}   ${files.length} file(s)${RESET}`);
 
   // Authenticate
@@ -75,6 +81,7 @@ export async function push(pathArg?: string): Promise<void> {
       compatibility: String(meta.compatibility ?? '') || null,
       allowedTools: String(meta['allowed-tools'] ?? '') || null,
       originalAuthor: originalAuthor || null,
+      visibility,
       files,
     }),
   });

package/semver.ts

@@ -0,0 +1,39 @@
+const SEMVER_RE = /^\d+\.\d+\.\d+$/;
+
+export interface SemverParts {
+  major: number;
+  minor: number;
+  patch: number;
+}
+
+/** Parse a semver string into parts. Returns null if invalid. */
+export function parseSemver(version: string): SemverParts | null {
+  if (!SEMVER_RE.test(version)) return null;
+  const [major, minor, patch] = version.split(".").map(Number);
+  return { major, minor, patch };
+}
+
+/** Validate a semver string (MAJOR.MINOR.PATCH). */
+export function isValidSemver(version: string): boolean {
+  return SEMVER_RE.test(version);
+}
+
+/**
+ * Compare two semver strings.
+ * Returns negative if a < b, 0 if equal, positive if a > b.
+ */
+export function compareSemver(a: string, b: string): number {
+  const pa = parseSemver(a);
+  const pb = parseSemver(b);
+  if (!pa || !pb) throw new Error(`Invalid semver: ${!pa ? a : b}`);
+  if (pa.major !== pb.major) return pa.major - pb.major;
+  if (pa.minor !== pb.minor) return pa.minor - pb.minor;
+  return pa.patch - pb.patch;
+}
+
+/** Bump the patch version: "1.2.3" -> "1.2.4" */
+export function bumpPatch(version: string): string {
+  const parts = parseSemver(version);
+  if (!parts) throw new Error(`Invalid semver: ${version}`);
+  return `${parts.major}.${parts.minor}.${parts.patch + 1}`;
+}

package/ui.ts

@@ -24,7 +24,7 @@ ${DIM}Usage:${RESET}
   oathbound init                ${DIM}Setup wizard — configure project${RESET}
   oathbound pull <namespace/skill-name[@version]>
   oathbound install <namespace/skill-name[@version]>
-  oathbound push [path]         ${DIM}Publish a skill to the registry${RESET}
+  oathbound push [path] [--private]  ${DIM}Publish a skill to the registry${RESET}
   oathbound login               ${DIM}Authenticate with oathbound.ai${RESET}
   oathbound logout              ${DIM}Clear stored credentials${RESET}
   oathbound whoami              ${DIM}Show current user${RESET}

package/verify.ts

@@ -9,6 +9,7 @@ import { parse as yamlParse } from 'yaml';
 import { BRAND, TEAL, GREEN, RED, YELLOW, DIM, BOLD, RESET } from './ui';
 import { hashSkillDir } from './content-hash';
 import { readOathboundConfig, type EnforcementLevel } from './config';
+import { isValidSemver } from './semver';
 
 // --- Session state file ---
 interface SessionState {
@@ -138,7 +139,7 @@ function isExternalSkillAccess(
   return false;
 }
 
-function parseSkillVersion(skillDir: string): number | null {
+function parseSkillVersion(skillDir: string): string | null {
   const skillMdPath = join(skillDir, 'SKILL.md');
   if (!existsSync(skillMdPath)) return null;
   const content = readFileSync(skillMdPath, 'utf-8');
@@ -147,7 +148,9 @@ function parseSkillVersion(skillDir: string): number | null {
   try {
     const parsed = yamlParse(match[1]);
     const v = parsed?.version;
-    return typeof v === 'number' && Number.isInteger(v) && v > 0 ? v : null;
+    if (v == null) return null;
+    const vStr = String(v);
+    return isValidSemver(vStr) ? vStr : null;
   } catch {
     return null;
   }
@@ -191,11 +194,11 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
   }
 
   // Hash each local skill and parse version from SKILL.md
-  const localSkills: Record<string, { hash: string; version: number }> = {};
+  const localSkills: Record<string, { hash: string; version: string }> = {};
   for (const dir of skillDirs) {
     const fullPath = join(skillsDir, dir.name);
     const hash = hashSkillDir(fullPath);
-    const version = parseSkillVersion(fullPath) ?? 1; // fallback to v1 for pre-versioning installs
+    const version = parseSkillVersion(fullPath) ?? "1.0.0"; // fallback for pre-semver installs
     localSkills[dir.name] = { hash, version };
   }
 
@@ -220,7 +223,7 @@ export async function verify(supabaseUrl: string, supabaseAnonKey: string): Prom
   }
 
   // Build lookup: name → version → { hash, audited }
-  const registryMap = new Map<string, Map<number, { hash: string; audited: boolean }>>();
+  const registryMap = new Map<string, Map<string, { hash: string; audited: boolean }>>();
   for (const skill of skills ?? []) {
     if (!skill.content_hash) continue;
     if (!registryMap.has(skill.name)) {