skillrepo 2.0.0 → 3.0.0

package/src/test/commands/get.test.mjs

@@ -0,0 +1,176 @@
+/**
+ * Unit/integration tests for src/commands/get.mjs (PR2 of #646).
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, mkdirSync, rmSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+import { runGet } from "../../commands/get.mjs";
+import { resolvePlacementDir } from "../../lib/file-write.mjs";
+import { CliError, EXIT_VALIDATION } from "../../lib/errors.mjs";
+import { createMockServer } from "../e2e/mock-server.mjs";
+import { createCaptureStream } from "../helpers/capture-stream.mjs";
+
+let sandbox;
+let server;
+let serverUrl;
+let originalCwd;
+let originalHome;
+let stdout;
+const VALID_KEY = "sk_live_test";
+
+function makeSkill(owner, name) {
+  return {
+    owner,
+    name,
+    version: "1.0.0",
+    description: `${name} description`,
+    files: [
+      {
+        path: "SKILL.md",
+        content: `---\nname: ${name}\ndescription: ${name} description\n---\n\nbody\n`,
+        sha256: "x",
+        size: 50,
+        contentType: "text/markdown",
+      },
+      {
+        path: "scripts/run.py",
+        content: "print('hi')\n",
+        sha256: "y",
+        size: 12,
+        contentType: "text/x-python",
+      },
+    ],
+    updatedAt: new Date().toISOString(),
+  };
+}
+
+async function setup() {
+  sandbox = mkdtempSync(join(tmpdir(), "cli-cmd-get-"));
+  mkdirSync(join(sandbox, "project"), { recursive: true });
+  mkdirSync(join(sandbox, "home"), { recursive: true });
+  originalCwd = process.cwd();
+  originalHome = process.env.HOME;
+  process.chdir(join(sandbox, "project"));
+  process.env.HOME = join(sandbox, "home");
+  delete process.env.SKILLREPO_ACCESS_KEY;
+  delete process.env.SKILLREPO_URL;
+
+  server = createMockServer({});
+  const port = await server.start();
+  serverUrl = `http://127.0.0.1:${port}`;
+
+  stdout = createCaptureStream();
+}
+
+async function teardown() {
+  if (server) await server.stop();
+  process.chdir(originalCwd);
+  process.env.HOME = originalHome;
+  if (sandbox) rmSync(sandbox, { recursive: true, force: true });
+  server = null;
+}
+
+describe("runGet — happy path", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("fetches and writes a single skill", async () => {
+    const skill = makeSkill("alice", "pdf-helper");
+    server.setSkillResponse("alice", "pdf-helper", skill);
+
+    await runGet(["--key", VALID_KEY, "--url", serverUrl, "@alice/pdf-helper"], { stdout });
+
+    const dir = resolvePlacementDir("claudeProject", "pdf-helper");
+    assert.ok(existsSync(join(dir, "SKILL.md")));
+    assert.ok(existsSync(join(dir, "scripts/run.py")));
+    assert.match(stdout.text(), /Fetched/);
+  });
+
+  it("accepts identifier without leading @", async () => {
+    server.setSkillResponse("alice", "pdf-helper", makeSkill("alice", "pdf-helper"));
+    await runGet(["--key", VALID_KEY, "--url", serverUrl, "alice/pdf-helper"], { stdout });
+    assert.ok(existsSync(resolvePlacementDir("claudeProject", "pdf-helper")));
+  });
+
+  it("--global writes to home dir", async () => {
+    server.setSkillResponse("alice", "pdf-helper", makeSkill("alice", "pdf-helper"));
+    await runGet(["--key", VALID_KEY, "--url", serverUrl, "--global", "@alice/pdf-helper"], { stdout });
+    const dir = resolvePlacementDir("claudeGlobal", "pdf-helper");
+    assert.ok(existsSync(dir));
+    assert.ok(dir.startsWith(process.env.HOME));
+  });
+
+  it("--json outputs structured result", async () => {
+    server.setSkillResponse("alice", "pdf-helper", makeSkill("alice", "pdf-helper"));
+    await runGet(["--key", VALID_KEY, "--url", serverUrl, "--json", "@alice/pdf-helper"], { stdout });
+    const json = JSON.parse(stdout.text());
+    assert.equal(json.action, "fetched");
+    assert.equal(json.owner, "alice");
+    assert.equal(json.name, "pdf-helper");
+    assert.equal(json.filesWritten, 2);
+  });
+});
+
+describe("runGet — error paths", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("rejects missing identifier", async () => {
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl]),
+      (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION && /Missing/i.test(err.message),
+    );
+  });
+
+  it("rejects malformed identifier", async () => {
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl, "not-an-identifier"]),
+      (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION,
+    );
+  });
+
+  it("rejects extra positional after identifier", async () => {
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl, "@a/b", "@c/d"]),
+      (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION,
+    );
+  });
+
+  it("404 on the skill returns a clean validation error (not a network error)", async () => {
+    // Server has no registered skill — getSkill returns null
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl, "@alice/missing"]),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /not found/i.test(err.message),
+    );
+  });
+
+  it("rejects skill with mismatched owner/name from server", async () => {
+    // Defense in depth: server says it's @alice/pdf-helper but returns
+    // @bob/wrong. The command should refuse the response.
+    server.setSkillResponse("alice", "pdf-helper", makeSkill("bob", "wrong"));
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl, "@alice/pdf-helper"]),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /wrong skill/i.test(err.message),
+    );
+  });
+
+  it("rejects filesIncomplete skill", async () => {
+    const incomplete = makeSkill("alice", "incomplete");
+    incomplete.filesIncomplete = true;
+    server.setSkillResponse("alice", "incomplete", incomplete);
+    await assert.rejects(
+      () => runGet(["--key", VALID_KEY, "--url", serverUrl, "@alice/incomplete"]),
+      (err) => err instanceof CliError && /incomplete/i.test(err.message),
+    );
+  });
+});

package/src/test/commands/init.test.mjs

@@ -0,0 +1,486 @@
+/**
+ * Unit/integration tests for src/commands/init.mjs (PR3b rewrite, #646).
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import {
+  mkdtempSync,
+  mkdirSync,
+  rmSync,
+  existsSync,
+  readFileSync,
+  writeFileSync,
+} from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+import { runInit } from "../../commands/init.mjs";
+import { readConfig } from "../../lib/config.mjs";
+import { CliError, EXIT_AUTH, EXIT_VALIDATION } from "../../lib/errors.mjs";
+import { createMockServer } from "../e2e/mock-server.mjs";
+import { createCaptureStream } from "../helpers/capture-stream.mjs";
+
+let sandbox;
+let server;
+let serverUrl;
+let originalCwd;
+let originalHome;
+let stdout;
+let stderr;
+const VALID_KEY = "sk_live_init_test";
+
+async function setup() {
+  sandbox = mkdtempSync(join(tmpdir(), "cli-cmd-init-"));
+  // init defaults to detecting IDEs in cwd. Create a `.claude/`
+  // marker so detection finds claudeCode and the command doesn't
+  // refuse for "no IDEs detected".
+  mkdirSync(join(sandbox, "project", ".claude"), { recursive: true });
+  mkdirSync(join(sandbox, "home"), { recursive: true });
+  originalCwd = process.cwd();
+  originalHome = process.env.HOME;
+  process.chdir(join(sandbox, "project"));
+  process.env.HOME = join(sandbox, "home");
+  delete process.env.SKILLREPO_ACCESS_KEY;
+  delete process.env.SKILLREPO_URL;
+
+  server = createMockServer({});
+  const port = await server.start();
+  serverUrl = `http://127.0.0.1:${port}`;
+
+  stdout = createCaptureStream();
+  stderr = createCaptureStream();
+}
+
+async function teardown() {
+  if (server) await server.stop();
+  process.chdir(originalCwd);
+  process.env.HOME = originalHome;
+  if (sandbox) rmSync(sandbox, { recursive: true, force: true });
+  server = null;
+}
+
+// ── Happy path ─────────────────────────────────────────────────────────
+
+describe("runInit — happy path", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("writes config + MCP + runs first sync with --yes", async () => {
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+
+    // Config file persisted
+    const cfg = readConfig();
+    assert.ok(cfg, "config should be readable after init");
+    assert.equal(cfg.apiKey, VALID_KEY);
+    assert.equal(cfg.serverUrl, serverUrl);
+    assert.equal(cfg.accountSlug, "mock");
+
+    // MCP config created in project
+    assert.ok(existsSync(join(process.cwd(), ".mcp.json")));
+    const mcp = JSON.parse(readFileSync(join(process.cwd(), ".mcp.json"), "utf-8"));
+    assert.ok(mcp.mcpServers?.skillrepo);
+
+    // .env.local written for agent env var consumers
+    assert.ok(existsSync(join(process.cwd(), ".env.local")));
+    const envContent = readFileSync(join(process.cwd(), ".env.local"), "utf-8");
+    assert.match(envContent, new RegExp(`SKILLREPO_ACCESS_KEY=${VALID_KEY}`));
+
+    // .gitignore has the three init-required entries.
+    // Round-3 architect + code-reviewer caught that this gitignore
+    // management was documented in the README but never actually
+    // implemented — this assertion locks the fix so a future
+    // regression that removes the mergeGitignore call from init
+    // fails loudly.
+    assert.ok(existsSync(join(process.cwd(), ".gitignore")));
+    const gi = readFileSync(join(process.cwd(), ".gitignore"), "utf-8");
+    assert.match(gi, /^\.env\.local$/m, ".env.local must be gitignored (contains access key)");
+    assert.match(gi, /^\.claude\/skills\/$/m, ".claude/skills/ must be gitignored");
+    assert.match(gi, /^\.claude\/settings\.local\.json$/m, ".claude/settings.local.json must be gitignored");
+
+    // Human summary
+    assert.match(stdout.text(), /SkillRepo is ready/);
+  });
+
+  it("--json outputs structured summary", async () => {
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes", "--json"],
+      { stdout, stderr },
+    );
+    const json = JSON.parse(stdout.text());
+    assert.equal(json.action, "initialized");
+    assert.equal(json.account.slug, "mock");
+    assert.ok(Array.isArray(json.vendors));
+    assert.ok(Array.isArray(json.mcp.merged));
+  });
+
+  it("respects --ide flag to override detection", async () => {
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes", "--ide", "claude"],
+      { stdout, stderr },
+    );
+    const mcp = JSON.parse(readFileSync(join(process.cwd(), ".mcp.json"), "utf-8"));
+    assert.ok(mcp.mcpServers?.skillrepo);
+  });
+
+  it("detects multiple IDEs when both .claude/ and .cursor/ exist", async () => {
+    mkdirSync(join(process.cwd(), ".cursor"), { recursive: true });
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+    assert.ok(existsSync(join(process.cwd(), ".mcp.json")));
+    assert.ok(existsSync(join(process.cwd(), ".cursor", "mcp.json")));
+  });
+});
+
+// ── Credential resolution ─────────────────────────────────────────────
+
+describe("runInit — credential resolution", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("reads existing config when no --key provided and server validates OK", async () => {
+    // Pre-seed the config file
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: VALID_KEY,
+        serverUrl,
+      }),
+    );
+    // No --key passed; init should pick up the config and succeed
+    await runInit(["--yes"], { stdout, stderr });
+    assert.match(stdout.text(), /SkillRepo is ready/);
+  });
+
+  it("reads SKILLREPO_ACCESS_KEY env var when no flag or config", async () => {
+    process.env.SKILLREPO_ACCESS_KEY = VALID_KEY;
+    process.env.SKILLREPO_URL = serverUrl;
+    await runInit(["--yes"], { stdout, stderr });
+    assert.match(stdout.text(), /SkillRepo is ready/);
+  });
+
+  it("refuses to run under --yes when no key is configured anywhere", async () => {
+    // No --key, no config, no env var, non-interactive → hard fail
+    await assert.rejects(
+      () => runInit(["--yes"], { stdout, stderr }),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+});
+
+// ── Error paths ────────────────────────────────────────────────────────
+
+describe("runInit — error paths", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("rejects invalid key format (not sk_live_ prefix)", async () => {
+    await assert.rejects(
+      () => runInit(
+        ["--key", "not_a_valid_key", "--url", serverUrl, "--yes"],
+        { stdout, stderr },
+      ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION,
+    );
+  });
+
+  it("401 from validate surfaces as authError", async () => {
+    server.setForcedStatus(401, { error: "Invalid access key" });
+    await assert.rejects(
+      () => runInit(
+        ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+        { stdout, stderr },
+      ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+
+  it("refuses with clear error when no IDE detected and no --ide flag", async () => {
+    // Remove the .claude marker that setup() created
+    rmSync(join(process.cwd(), ".claude"), { recursive: true, force: true });
+    await assert.rejects(
+      () => runInit(
+        ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+        { stdout, stderr },
+      ),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /No IDEs detected/.test(err.message),
+    );
+  });
+
+  it("headless CI scenario: explicit --ide claude works in empty project", async () => {
+    // Remove the .claude marker — empty dir
+    rmSync(join(process.cwd(), ".claude"), { recursive: true, force: true });
+    // With --ide claude, init should proceed even in an empty dir
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes", "--ide", "claude"],
+      { stdout, stderr },
+    );
+    // And write the MCP config
+    assert.ok(existsSync(join(process.cwd(), ".mcp.json")));
+  });
+});
+
+// ── Idempotency ────────────────────────────────────────────────────────
+
+describe("runInit — idempotency", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("running init twice with valid existing config is a no-op refresh", async () => {
+    // First init
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+    const firstConfig = readConfig();
+
+    // Reset captures for the second run
+    stdout = createCaptureStream();
+    stderr = createCaptureStream();
+
+    // Second init WITHOUT --key — should pick up from config
+    await runInit(["--yes"], { stdout, stderr });
+    const secondConfig = readConfig();
+    assert.equal(secondConfig.apiKey, firstConfig.apiKey);
+    assert.match(stdout.text(), /SkillRepo is ready/);
+  });
+});
+
+// ── --force flag (round-1 review fix) ──────────────────────────────────
+
+describe("runInit — --force flag", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("--force ignores existing config key (requires explicit new key)", async () => {
+    // Pre-seed a valid config
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: VALID_KEY,
+        serverUrl,
+      }),
+    );
+
+    // --force WITHOUT --key AND WITHOUT env var under --yes should
+    // hard-fail with EXIT_AUTH. This proves --force actually
+    // invalidates the cached credential rather than silently
+    // inheriting from the config. Before the round-1 fix, --force
+    // only cleared the key but still inherited serverUrl — this
+    // test also locks that the cached URL is ignored (the --url
+    // flag is required alongside --force for a full reset).
+    await assert.rejects(
+      () =>
+        runInit(["--force", "--yes"], { stdout, stderr }),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+
+  it("--force + --key + --url re-runs validation against new credentials", async () => {
+    // Pre-seed with one server URL
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: "sk_live_old_key",
+        serverUrl: "https://old.example",
+      }),
+    );
+
+    // --force + explicit new credentials should succeed and OVERWRITE
+    // the config with the new ones (not merge).
+    await runInit(
+      ["--force", "--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+    const cfg = readConfig();
+    assert.equal(cfg.apiKey, VALID_KEY);
+    assert.equal(cfg.serverUrl, serverUrl);
+  });
+
+  it("--force + SKILLREPO_ACCESS_KEY env var (no --key flag) uses the env var", async () => {
+    // Cross-review coverage gap: the README explicitly documents
+    // this scenario ("init --force with SKILLREPO_ACCESS_KEY set:
+    // uses the env var (step 2). --force only clears the cached
+    // credentials, not the runtime env."), but no existing test
+    // locked it. Reviewers (correctly) pointed out that missing
+    // coverage on this path would let a regression silently change
+    // the priority order between env vars and the cached config.
+    //
+    // Pre-seed a cached config with a DIFFERENT key than the env
+    // var so we can tell which one init actually used.
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: "sk_live_CONFIG_KEY",
+        serverUrl: "https://old.example",
+      }),
+    );
+
+    process.env.SKILLREPO_ACCESS_KEY = VALID_KEY;
+    process.env.SKILLREPO_URL = serverUrl;
+
+    await runInit(["--force", "--yes"], { stdout, stderr });
+
+    // The config file should now contain the env var's key, NOT
+    // the seeded config key. --force cleared the cache; the env
+    // var won over the interactive-prompt fallback (which would
+    // also have fired since no --key was given).
+    const cfg = readConfig();
+    assert.equal(cfg.apiKey, VALID_KEY);
+    assert.notEqual(cfg.apiKey, "sk_live_CONFIG_KEY");
+    assert.equal(cfg.serverUrl, serverUrl);
+  });
+});
+
+// ── Non-fatal sync failure (round-2 review fix) ──────────────────────
+
+describe("runInit — non-fatal sync failure", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("sync failure during init does NOT abort the command", async () => {
+    // Round-2 review caught the prior behavior: sync failure warned
+    // "run skillrepo update later to retry" but then rethrew the
+    // error, so the init command exited non-zero — contradicting
+    // its own message. The fix: swallow the sync failure, print
+    // the warning, and exit 0 with a synthesized zero-delta summary.
+    // The user's config and MCP setup are already persisted; only
+    // the skill fetch failed, and `skillrepo update` is the
+    // documented recovery path.
+    //
+    // We simulate the failure by forcing the mock server to return
+    // 500 on the library sync endpoint AFTER validate succeeds.
+    // setForcedStatus fires once then clears, so the POST /validate
+    // in step 2 succeeds with a 200, and the subsequent GET /library
+    // hits normal routing — which we break by setting the status
+    // mid-run. The simplest approach: set the forced status to a
+    // non-200 BEFORE calling init and let it fire on the first
+    // non-auth request (the library GET comes after validate).
+    //
+    // But that would hit validate first. Instead we use a
+    // purpose-built "always 500 on /library" by overriding the
+    // library-sync response via the mock's setLibraryResponse slot.
+    server.setLibraryStatus({ status: 500, body: { error: "Upstream exploded" } });
+
+    // Init should complete without throwing
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+
+    // Config IS persisted despite the sync failure
+    const cfg = readConfig();
+    assert.ok(cfg, "config must be written even when sync fails");
+    assert.equal(cfg.apiKey, VALID_KEY);
+
+    // MCP IS configured despite the sync failure
+    assert.ok(existsSync(join(process.cwd(), ".mcp.json")));
+
+    // Warning is surfaced
+    assert.match(stdout.text(), /first sync failed/i);
+    assert.match(stdout.text(), /skillrepo update/);
+
+    // Final "ready" line STILL prints — the init completed
+    assert.match(stdout.text(), /SkillRepo is ready/);
+  });
+
+  it("--json sync failure includes failureReason in the JSON payload", async () => {
+    server.setLibraryStatus({ status: 500, body: { error: "Upstream exploded" } });
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes", "--json"],
+      { stdout, stderr },
+    );
+    const json = JSON.parse(stdout.text());
+    assert.equal(json.action, "initialized");
+    // `failureReason` is the sentinel — downstream scripts detect a
+    // partial init by `sync.failureReason != null`. The synthesized
+    // SyncSummary no longer carries a `failed` field because that
+    // wasn't part of the documented SyncSummary typedef; the
+    // failure is signalled exclusively via `failureReason`.
+    assert.ok(json.sync.failureReason, "sync.failureReason should be present on failure");
+    assert.equal(json.sync.added, 0);
+    assert.equal(json.sync.updated, 0);
+    assert.equal(json.sync.removed, 0);
+    assert.equal(json.sync.notModified, false);
+  });
+});
+
+// ── Stale-key handling (round-1 review fix) ───────────────────────────
+
+describe("runInit — stale-key handling", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("existing config + 401 from validate + --yes → hard failure (no re-prompt)", async () => {
+    // Pre-seed an existing config
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: VALID_KEY,
+        serverUrl,
+      }),
+    );
+    // Force the server to reject the stale key
+    server.setForcedStatus(401, { error: "Invalid access key" });
+
+    // Under --yes (non-interactive), init MUST NOT fall back to
+    // promptSecret because there's no interactive stdin. It must
+    // surface the auth error directly. This test locks the guard
+    // in init.mjs's catch block: the re-prompt path is gated on
+    // `!yes` specifically so non-interactive callers (CI, scripts)
+    // fail loudly instead of hanging on stdin.
+    await assert.rejects(
+      () =>
+        runInit(
+          ["--url", serverUrl, "--yes"],
+          { stdout, stderr },
+        ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+
+  it("existing config + 401 + --force + --yes still hard-fails (force + yes both gate)", async () => {
+    // Pre-seed config
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "skillrepo", "config.json"),
+      JSON.stringify({
+        schemaVersion: 1,
+        apiKey: VALID_KEY,
+        serverUrl,
+      }),
+    );
+    server.setForcedStatus(401, { error: "Invalid access key" });
+
+    // With --force AND --yes, the re-prompt path is gated twice:
+    // once by `!force` (the intent of --force is "use exactly what I
+    // passed, no fallbacks") and once by `!yes` (non-interactive).
+    // Either alone would block re-prompt; this test locks both.
+    await assert.rejects(
+      () =>
+        runInit(
+          ["--force", "--key", VALID_KEY, "--url", serverUrl, "--yes"],
+          { stdout, stderr },
+        ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+});