skillrepo 3.1.3 → 3.1.5

package/LICENSE

@@ -0,0 +1,37 @@
+SkillRepo CLI
+Copyright (c) 2026 SkillRepo LLC. All rights reserved.
+
+This software is proprietary and confidential. Its installation, use,
+reproduction, modification, and distribution are governed exclusively by
+the SkillRepo End User License Agreement (the "EULA") available at:
+
+    https://skillrepo.dev/eula
+
+By installing, copying, or otherwise using this software you agree to be
+bound by the EULA. If you do not agree to the EULA, do not install or
+use this software.
+
+No license or right, whether by implication, estoppel, or otherwise, is
+granted except as expressly set forth in the EULA. Without limiting the
+foregoing, you may not:
+
+  - reverse engineer, decompile, disassemble, or otherwise attempt to
+    derive the source code of this software, except to the extent such
+    activity is expressly permitted by applicable law notwithstanding
+    this limitation;
+  - sell, resell, rent, lease, sublicense, distribute, or otherwise
+    transfer this software or access to it to any third party;
+  - use this software, its outputs, or any data obtained through it to
+    build or operate a service that is substantially similar to or
+    competes with the SkillRepo platform; or
+  - remove, alter, or obscure any proprietary notices on or in this
+    software.
+
+THIS SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED. YOUR USE OF THIS SOFTWARE IS SUBJECT TO THE WARRANTY
+DISCLAIMERS, LIMITATION OF LIABILITY, AND ALL OTHER PROVISIONS OF THE
+EULA, WHICH ARE INCORPORATED INTO THIS NOTICE BY REFERENCE.
+
+SkillRepo and the SkillRepo logo are trademarks of SkillRepo LLC.
+
+Contact: hello@skillrepo.dev

package/README.md

@@ -346,4 +346,7 @@ fully overwrites it.
 
 ## License
 
-MIT — see [LICENSE](./LICENSE).
+Proprietary. Copyright © 2026 SkillRepo LLC. All rights reserved.
+Use of this CLI is governed by the SkillRepo End User License Agreement
+at [https://skillrepo.dev/eula](https://skillrepo.dev/eula). See
+[LICENSE](./LICENSE) for the full notice.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillrepo",
-  "version": "3.1.3",
+  "version": "3.1.5",
   "description": "Pull-based CLI for agent skills — init, sync, search, add, remove your library from any IDE",
   "type": "module",
   "bin": {
@@ -8,7 +8,8 @@
   },
   "files": [
     "bin/",
-    "src/"
+    "src/",
+    "LICENSE"
   ],
   "repository": {
     "type": "git",
@@ -16,7 +17,8 @@
     "directory": "packages/cli"
   },
   "keywords": ["skillrepo", "cli", "mcp", "ai-skills"],
-  "license": "MIT",
+  "author": "SkillRepo LLC",
+  "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "cli-table3": "^0.6.5"
   }

package/src/commands/init.mjs

@@ -227,7 +227,7 @@ export async function runInit(argv, io = {}, deps = {}) {
   p.step(2, 7, "Validating key");
   let accountCtx;
   try {
-    accountCtx = await validateAccessKey(serverUrl, apiKey);
+    accountCtx = await validateAccessKey(serverUrl, apiKey, "init");
   } catch (err) {
     // If the existing config had a stale/revoked key, fall back to
     // prompt (unless --yes, which is meant to be non-interactive).
@@ -245,7 +245,7 @@ export async function runInit(argv, io = {}, deps = {}) {
       if (!apiKey || !apiKey.startsWith("sk_live_")) {
         throw validationError("Invalid access key format.");
       }
-      accountCtx = await validateAccessKey(serverUrl, apiKey);
+      accountCtx = await validateAccessKey(serverUrl, apiKey, "init");
     } else {
       throw err;
     }

package/src/lib/http.mjs

@@ -82,6 +82,22 @@ async function userAgent() {
   return `skillrepo-cli/${_cachedVersion}`;
 }
 
+/**
+ * Valid values for the `X-SkillRepo-Source` header sent on auth-validate
+ * requests. `init` is used by `skillrepo init`; every other command
+ * sends `validate`. The server-side logging middleware (atxpace/skill-repo#732)
+ * records one of `cli.bootstrap` or `cli.validate` in `server_events`
+ * based on this header. Older CLI versions that predate this header
+ * cause the server to default to `validate` — tile counts are a floor,
+ * never inflated.
+ */
+export const CLI_SOURCE_VALUES = ["init", "validate"];
+
+/** Type guard for the discriminated union — exported for tests. */
+export function isCliSource(value) {
+  return CLI_SOURCE_VALUES.includes(value);
+}
+
 /**
  * Build the canonical headers for every authenticated request.
  */
@@ -368,15 +384,38 @@ async function mapErrorResponse(res, url) {
  * authenticated account context. Replaces the deprecated
  * `/api/v1/setup` endpoint for credential validation.
  *
+ * The `source` parameter surfaces the CLI's intent to the server-side
+ * logging middleware (atxpace/skill-repo#732) via the
+ * `X-SkillRepo-Source` header:
+ *
+ *   - `"init"` → server records `cli.bootstrap` in `server_events`.
+ *     Used by `skillrepo init` — a first-install event that drives
+ *     the Feed "CLI bootstraps 7d/30d" tile counter.
+ *   - `"validate"` (default) → server records `cli.validate`. Used by
+ *     every other authenticated command that revalidates the key.
+ *
+ * An unrecognized `source` is silently coerced to `"validate"` rather
+ * than thrown. The coercion guards against a caller typo or a future
+ * value the current client-side taxonomy doesn't know yet — we prefer
+ * under-counting bootstraps to fabricating a category the caller
+ * didn't mean to use. Servers ignore unknown HTTP header values, so
+ * there is no wire-level risk to sending whatever a caller passes;
+ * the coercion is purely a safety net for CLI-side typos.
+ *
  * @param {string} serverUrl
  * @param {string} apiKey
+ * @param {string} [source] - `"init"` or `"validate"` (default).
  * @returns {Promise<AuthValidateResult>}
  */
-export async function validateAccessKey(serverUrl, apiKey) {
+export async function validateAccessKey(serverUrl, apiKey, source = "validate") {
   const url = `${normalizeUrl(serverUrl)}/api/v1/auth/validate`;
+  const normalizedSource = isCliSource(source) ? source : "validate";
   const res = await safeFetch(url, {
     method: "POST",
-    headers: await authHeaders(apiKey),
+    headers: {
+      ...(await authHeaders(apiKey)),
+      "X-SkillRepo-Source": normalizedSource,
+    },
     // POST /auth/validate is side-effect-free on the server (it
     // only reads the key and returns account context), so retrying
     // a transient 5xx is safe. 4xx auth errors are NOT retried

package/src/test/commands/init.test.mjs

@@ -112,6 +112,21 @@ describe("runInit — happy path", () => {
     assert.match(stdout.text(), /SkillRepo is ready/);
   });
 
+  it("sends X-SkillRepo-Source: init to /api/v1/auth/validate (Epic 12 #905)", async () => {
+    // The init command is the ONLY call path that should report
+    // `init` to the server. Every other CLI command reports
+    // `validate` by default. This test pins the contract so a silent
+    // regression (e.g. removing the source arg in init.mjs, or the
+    // http.mjs default drifting) surfaces here.
+    await runInit(
+      ["--key", VALID_KEY, "--url", serverUrl, "--yes"],
+      { stdout, stderr },
+    );
+    const validateHeaders = server.getLastValidateHeaders();
+    assert.ok(validateHeaders, "mock server should have seen a validate call");
+    assert.equal(validateHeaders["x-skillrepo-source"], "init");
+  });
+
   it("--json outputs structured summary", async () => {
     await runInit(
       ["--key", VALID_KEY, "--url", serverUrl, "--yes", "--json"],

package/src/test/e2e/mock-server.mjs

@@ -100,6 +100,13 @@ export function createMockServer(initialPayload, options = {}) {
   //     practice this is fine — but a future parallel test runner
   //     would need per-request capture.
   let lastPostBody = null;
+  /**
+   * Captures the headers from the most recent POST /api/v1/auth/validate
+   * request. Used by tests (e.g. init.test.mjs) to assert the CLI sent
+   * the expected `X-SkillRepo-Source` value. Reset to null on each
+   * validate-route hit so tests see only the headers they triggered.
+   */
+  let lastValidateHeaders = null;
 
   /**
    * Validate the Authorization header.
@@ -170,6 +177,12 @@ export function createMockServer(initialPayload, options = {}) {
 
     // ── PR2: POST /api/v1/auth/validate ─────────────────────────────
     if (url.pathname === "/api/v1/auth/validate" && req.method === "POST") {
+      // Snapshot request headers before the auth check so tests can
+      // assert on the CLI's `X-SkillRepo-Source` header even when the
+      // auth check fails (future-proofing — today we only call this
+      // after auth succeeds, but the snapshot is ordering-safe either
+      // way).
+      lastValidateHeaders = { ...req.headers };
       if (!checkAuth(req, res)) return;
       res.writeHead(200, { "Content-Type": "application/json" });
       res.end(JSON.stringify(validateResponse));
@@ -484,5 +497,15 @@ export function createMockServer(initialPayload, options = {}) {
     getLastPostBody() {
       return lastPostBody;
     },
+
+    /**
+     * Return the headers from the most recent POST /api/v1/auth/validate
+     * request, or null if none has been made yet. Used by init-command
+     * tests to assert the CLI sent the documented
+     * `X-SkillRepo-Source` value (Epic 12 #905).
+     */
+    getLastValidateHeaders() {
+      return lastValidateHeaders;
+    },
   };
 }

package/src/test/lib/http.test.mjs

@@ -39,6 +39,8 @@ import {
   searchSkills,
   addSkillToLibrary,
   removeSkillFromLibrary,
+  isCliSource,
+  CLI_SOURCE_VALUES,
 } from "../../lib/http.mjs";
 import {
   CliError,
@@ -91,6 +93,32 @@ const VALID_KEY = "sk_live_test_abc123";
 
 // ── validateAccessKey ──────────────────────────────────────────────────
 
+// ── CLI source header exports ──────────────────────────────────────────
+
+describe("CLI_SOURCE_VALUES / isCliSource", () => {
+  it("CLI_SOURCE_VALUES declares exactly the documented values", () => {
+    // Any new source value requires a server-side taxonomy update
+    // (atxpace/skill-repo#732). Pin the declared values so a silent
+    // extension without the corresponding server work surfaces here.
+    assert.deepEqual([...CLI_SOURCE_VALUES].sort(), ["init", "validate"]);
+  });
+
+  it("isCliSource accepts only the documented values", () => {
+    assert.equal(isCliSource("init"), true);
+    assert.equal(isCliSource("validate"), true);
+  });
+
+  it("isCliSource rejects everything else", () => {
+    assert.equal(isCliSource(""), false);
+    assert.equal(isCliSource("INIT"), false);
+    assert.equal(isCliSource("validate "), false);
+    assert.equal(isCliSource("bootstrap"), false);
+    assert.equal(isCliSource(undefined), false);
+    assert.equal(isCliSource(null), false);
+    assert.equal(isCliSource(42), false);
+  });
+});
+
 describe("validateAccessKey", () => {
   it("returns the account context on 200", async () => {
     const srv = await startServer((req, res) => {
@@ -118,6 +146,81 @@ describe("validateAccessKey", () => {
     }
   });
 
+  it("sends X-SkillRepo-Source: validate by default", async () => {
+    // Epic 12 #905: the server's CLI-logging middleware (#732)
+    // distinguishes `cli.bootstrap` from `cli.validate` based on this
+    // header. The default path MUST be `validate` so only the explicit
+    // init caller lands on the bootstrap bucket.
+    const srv = await startServer((req, res) => {
+      jsonRes(res, 200, {
+        userId: "user-1",
+        accountId: "acc-1",
+        accountSlug: "alice",
+        accountName: "Alice",
+        scopes: [],
+        keyId: "key-1",
+        tier: "free",
+      });
+    });
+    try {
+      await validateAccessKey(srv.url, VALID_KEY);
+      assert.equal(
+        srv.lastRequest.headers["x-skillrepo-source"],
+        "validate",
+      );
+    } finally {
+      await srv.close();
+    }
+  });
+
+  it("sends X-SkillRepo-Source: init when source='init' is passed", async () => {
+    const srv = await startServer((req, res) => {
+      jsonRes(res, 200, {
+        userId: "user-1",
+        accountId: "acc-1",
+        accountSlug: "alice",
+        accountName: "Alice",
+        scopes: [],
+        keyId: "key-1",
+        tier: "free",
+      });
+    });
+    try {
+      await validateAccessKey(srv.url, VALID_KEY, "init");
+      assert.equal(srv.lastRequest.headers["x-skillrepo-source"], "init");
+    } finally {
+      await srv.close();
+    }
+  });
+
+  it("coerces an unknown source to 'validate' (forward-compat safety)", async () => {
+    // A future CLI version may pass a source value the CURRENT server
+    // doesn't know about. Rather than fabricating a bogus category,
+    // the CLI silently falls back to `validate`. Server-side CLI-
+    // bootstrap counts are a floor, never inflated.
+    const srv = await startServer((req, res) => {
+      jsonRes(res, 200, {
+        userId: "user-1",
+        accountId: "acc-1",
+        accountSlug: "alice",
+        accountName: "Alice",
+        scopes: [],
+        keyId: "key-1",
+        tier: "free",
+      });
+    });
+    try {
+      // @ts-expect-error — intentional unknown source.
+      await validateAccessKey(srv.url, VALID_KEY, "experimental");
+      assert.equal(
+        srv.lastRequest.headers["x-skillrepo-source"],
+        "validate",
+      );
+    } finally {
+      await srv.close();
+    }
+  });
+
   it("throws authError on 401", async () => {
     const srv = await startServer((req, res) => {
       jsonRes(res, 401, { error: "Invalid access key" });