skillrepo 4.0.0 → 4.2.0

package/src/test/commands/update.test.mjs

@@ -336,3 +336,138 @@ describe("runUpdate — --session-hook contract", () => {
     assert.equal(stdout.text(), "", "zero-delta 200 is silent");
   });
 });
+
+// ── --silent mode (#1240) ─────────────────────────────────────────────
+//
+// Silent mode is what the cohort SessionStart hooks Cursor / Gemini CLI /
+// Codex CLI / VS Code + Copilot install via the universal command
+// `npx --yes skillrepo update --silent`. Contract:
+//
+//   - stdout produces ONE line on success: `{}` (Gemini's hook stdout
+//     must be valid JSON; the others tolerate empty JSON).
+//   - On failure, stdout writes nothing extra; the typed CliError
+//     propagates and the dispatcher exits non-zero with an stderr
+//     message.
+//   - sync.mjs's non-fatal warnings (e.g. "failed to persist last-sync
+//     state") still go to stderr — operators running `update --silent`
+//     in a terminal still see them.
+//
+// Distinct from `--session-hook`. That mode is exit-0-on-everything
+// because Claude Code blocks session start on hook failures. Cohort
+// vendors do not block, so `--silent` propagates real exit codes.
+
+describe("runUpdate — --silent contract", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("accepts the --silent flag without throwing Unknown argument", async () => {
+    // Same regression-guard pattern as the --session-hook test —
+    // resolveFlags would normally reject the flag, so an
+    // acceptPositional callback must consume it.
+    server.setLibraryResponse({ skills: [], removals: [], syncedAt: "x" });
+    await assert.doesNotReject(
+      () =>
+        runUpdate(
+          ["--key", VALID_KEY, "--url", serverUrl, "--silent"],
+          { stdout },
+        ),
+      "update --silent must NOT throw Unknown argument",
+    );
+  });
+
+  it("emits exactly `{}\\n` on a successful empty sync (Gemini contract)", async () => {
+    // INTENT: Gemini specifically requires hook stdout to be valid JSON.
+    // The minimal valid value `{}` injects no model context.
+    server.setLibraryResponse({ skills: [], removals: [], syncedAt: "x" });
+    await runUpdate(
+      ["--key", VALID_KEY, "--url", serverUrl, "--silent"],
+      { stdout },
+    );
+    assert.equal(stdout.text(), "{}\n");
+  });
+
+  it("emits `{}\\n` even when the sync produced changes (no progress lines on stdout)", async () => {
+    server.setLibraryResponse({
+      skills: [makeSkill("silent-test")],
+      removals: [],
+      syncedAt: "x",
+    });
+    await runUpdate(
+      ["--key", VALID_KEY, "--url", serverUrl, "--silent"],
+      { stdout },
+    );
+    // Stdout still ONLY `{}` — progress is not part of the hook
+    // contract. The skill files themselves still landed on disk
+    // (verified separately in the integration tests).
+    assert.equal(stdout.text(), "{}\n");
+  });
+
+  it("propagates a real exit code on failure (does NOT silently swallow errors)", async () => {
+    // INTENT: distinct from --session-hook. Cohort vendors do not
+    // block session start on non-zero hook exit, so a failure should
+    // surface as a typed CliError that the dispatcher maps to the
+    // documented exit code. Silent-on-success does NOT mean
+    // silent-on-failure.
+    server.setForcedStatus(401, { error: "Invalid access key" });
+    await assert.rejects(
+      () =>
+        runUpdate(
+          ["--key", VALID_KEY, "--url", serverUrl, "--silent"],
+          { stdout },
+        ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+      "auth error must propagate as CliError under --silent",
+    );
+    // No `{}` was written — failure surfaces via the throw, not a
+    // half-success stdout line.
+    assert.equal(stdout.text(), "", "no stdout on failure");
+  });
+
+  it("propagates validation error (e.g. missing --agent value) under --silent", async () => {
+    // resolveFlags throws validationError on a malformed --agent.
+    // Silent mode must NOT catch that — same rationale as the auth
+    // error case.
+    await assert.rejects(
+      () =>
+        runUpdate(
+          ["--key", VALID_KEY, "--url", serverUrl, "--silent", "--agent"],
+          { stdout },
+        ),
+      (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION,
+    );
+  });
+
+  it("--silent + --session-hook simultaneously: session-hook wins (defensive precedence) (#1239 QA)", async () => {
+    // INTENT: defensive precedence test. The two flags have different
+    // exit-code contracts: --session-hook is exit-0-on-everything
+    // (Claude blocks session start on non-zero), --silent propagates
+    // real exit codes. Today no installer writes a hook command
+    // containing both flags, but a future code path or manual user
+    // edit could. The branches in update.mjs check sessionHook FIRST,
+    // so when both are present, the session-hook contract wins.
+    //
+    // We force a failure (unreachable server) and assert the
+    // resolveFlags-doesnt-throw + emit-failure-line-on-stdout pattern
+    // of session-hook mode, NOT silent mode's exit-non-zero pattern.
+    server.setForcedStatus(401, { error: "bad key" });
+    await assert.doesNotReject(
+      () =>
+        runUpdate(
+          [
+            "--key", VALID_KEY,
+            "--url", serverUrl,
+            "--silent",
+            "--session-hook",
+          ],
+          { stdout },
+        ),
+      "session-hook precedence over --silent must NOT throw on auth failure",
+    );
+    // Session-hook mode emits the one-line failure marker on stdout
+    assert.match(
+      stdout.text(),
+      /\[SkillRepo\] Sync failed:/,
+      "session-hook precedence must produce the session-hook failure line, not silent's empty stdout",
+    );
+  });
+});

package/src/test/dispatcher.test.mjs

@@ -71,7 +71,7 @@ describe("dispatcher — top-level help", () => {
     assert.equal(r.status, 0);
     assert.match(r.stdout, /SkillRepo CLI/);
     // All 7 commands listed
-    for (const cmd of ["init", "update", "get", "add", "remove", "list", "search"]) {
+    for (const cmd of ["init", "update", "get", "add", "push", "remove", "list", "search"]) {
       assert.match(r.stdout, new RegExp(`\\b${cmd}\\b`), `expected to see "${cmd}" in help`);
     }
   });
@@ -123,7 +123,7 @@ describe("dispatcher — unknown command", () => {
 describe("dispatcher — per-command help", () => {
   // PR1 only ships init for real; the other 6 are stubs but still
   // route --help correctly.
-  for (const cmd of ["init", "update", "get", "add", "remove", "list", "search"]) {
+  for (const cmd of ["init", "update", "get", "add", "push", "remove", "list", "search"]) {
     it(`\`skillrepo ${cmd} --help\` prints command-specific help`, async () => {
       const r = await runCli([cmd, "--help"]);
       assert.equal(r.status, 0);
@@ -194,6 +194,14 @@ describe("dispatcher — implemented commands route to their modules", () => {
     assert.ok([1, 2, 5].includes(r.status));
   });
 
+  it("`skillrepo push` is wired to the real module (not a stub)", async () => {
+    // Missing path exits validation (5); missing credentials would
+    // exit auth (2). Either proves the stub is gone.
+    const r = await runCli(["push"], { env: { HOME: "/tmp/no-skillrepo-config" } });
+    assert.doesNotMatch(r.stderr, /Not yet implemented/);
+    assert.ok([2, 5].includes(r.status));
+  });
+
   it("`skillrepo remove` is wired to the real module (not a stub)", async () => {
     const r = await runCli(["remove", "@alice/pdf-helper"], { env: { HOME: "/tmp/no-skillrepo-config" } });
     assert.doesNotMatch(r.stderr, /Not yet implemented/);

package/src/test/e2e/cli-cohort-hooks.test.mjs

@@ -0,0 +1,393 @@
+/**
+ * E2E permutation matrix for the cohort SessionStart hooks (#1240).
+ *
+ * Spawns the real CLI binary and asserts on the user-visible result —
+ * what files land at what paths, what JSON shape they have, what the
+ * `--json` summary reports, and whether `uninstall --global` reverses
+ * everything cleanly.
+ *
+ * The harness mirrors `cli-agent-permutations.test.mjs` exactly:
+ * shared mock server for the library endpoint, per-test mkdtemp for
+ * cwd + HOME, and a `runCli` helper that always resolves with
+ * stdout / stderr / status.
+ *
+ * The gap this file closes is the user-layer: "after I run init with
+ * --agent cursor,gemini, what's actually in ~/.cursor/hooks.json and
+ * ~/.gemini/settings.json on disk?" The unit tests prove the
+ * mergers' shape contracts; the integration tests prove the
+ * dispatcher's filesystem behavior; this test proves the binary
+ * actually exercises both end-to-end.
+ *
+ * NOTE on `npx --yes` and the hook command: the universal hook
+ * command is `npx --yes skillrepo update --silent`. Invoking `npx`
+ * inside the test would either fetch from npm (slow, network-
+ * dependent) or fail in offline CI. We do NOT execute the hook
+ * command in this test — we only verify it was WRITTEN correctly to
+ * disk. Verifying execution end-to-end requires a global install,
+ * which the smoke-test script (`scripts/smoke-cohort-hooks.sh`)
+ * exercises out-of-band.
+ */
+
+import { describe, it, before, after, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import {
+  mkdtempSync,
+  rmSync,
+  existsSync,
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+} from "node:fs";
+import { join, dirname, resolve } from "node:path";
+import { tmpdir } from "node:os";
+import { execFile } from "node:child_process";
+import { fileURLToPath } from "node:url";
+
+import { createMockServer } from "./mock-server.mjs";
+import { AGENT_HOOK_COMMAND } from "../../lib/artifact-registry.mjs";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CLI_BIN = resolve(__dirname, "../../../bin/skillrepo.mjs");
+const VALID_KEY = "sk_live_test_e2e";
+
+let server;
+let port;
+let tempDir;
+let tempHome;
+
+function makeSkill(owner, name) {
+  return {
+    owner,
+    name,
+    version: "1.0.0",
+    description: `${name} description`,
+    files: [
+      {
+        path: "SKILL.md",
+        content: `---\nname: ${name}\ndescription: ${name} description\n---\n\nbody\n`,
+        sha256: "x",
+        size: 100,
+        contentType: "text/markdown",
+      },
+    ],
+    updatedAt: "2025-01-01T00:00:00Z",
+  };
+}
+
+function runCli(args, extraEnv = {}) {
+  return new Promise((resolve) => {
+    execFile(
+      process.execPath,
+      [CLI_BIN, ...args],
+      {
+        cwd: tempDir,
+        encoding: "utf-8",
+        timeout: 15_000,
+        env: {
+          ...process.env,
+          HOME: tempHome,
+          USERPROFILE: tempHome, // Windows isolation
+          NO_COLOR: "1",
+          NODE_NO_WARNINGS: "1",
+          SKILLREPO_ACCESS_KEY: "",
+          SKILLREPO_TIMEOUT_MS: "5000",
+          ...extraEnv,
+        },
+      },
+      (err, stdout, stderr) => {
+        resolve({
+          stdout: stdout ?? "",
+          stderr: stderr ?? "",
+          status: err ? err.code ?? 1 : 0,
+        });
+      },
+    );
+  });
+}
+
+describe("CLI E2E — cohort SessionStart hooks (#1240)", () => {
+  before(async () => {
+    server = createMockServer({});
+    port = await server.start();
+  });
+
+  after(async () => {
+    if (server) await server.stop();
+  });
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "cli-e2e-cohort-"));
+    tempHome = mkdtempSync(join(tmpdir(), "cli-e2e-cohort-home-"));
+    server.setLibraryResponse({
+      skills: [makeSkill("alice", "demo-skill")],
+      removals: [],
+      syncedAt: "x",
+    });
+    server.setEtag(null);
+    server.clearSkillResponses();
+    server.setSearchResponse({
+      skills: [],
+      pagination: { total: 0, limit: 20, offset: 0 },
+    });
+  });
+
+  afterEach(() => {
+    if (tempDir) rmSync(tempDir, { recursive: true, force: true });
+    if (tempHome) rmSync(tempHome, { recursive: true, force: true });
+  });
+
+  // ── Per-vendor file shape verification ─────────────────────────
+
+  it("init --agent cursor writes ~/.cursor/hooks.json with cursor-shape JSON", async () => {
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "cursor",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    const filePath = join(tempHome, ".cursor", "hooks.json");
+    assert.ok(existsSync(filePath));
+    const parsed = JSON.parse(readFileSync(filePath, "utf-8"));
+    assert.equal(parsed.version, 1);
+    assert.equal(parsed.hooks.sessionStart[0].command, AGENT_HOOK_COMMAND);
+
+    const json = JSON.parse(r.stdout);
+    assert.equal(json.sessionSync.cohortHooks.length, 1);
+    assert.equal(json.sessionSync.cohortHooks[0].vendorKey, "cursor");
+    assert.equal(json.sessionSync.cohortHooks[0].action, "installed");
+  });
+
+  it("init --agent gemini writes ~/.gemini/settings.json with claude-shape + timeout: 60000", async () => {
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "gemini",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    const filePath = join(tempHome, ".gemini", "settings.json");
+    assert.ok(existsSync(filePath));
+    const parsed = JSON.parse(readFileSync(filePath, "utf-8"));
+    const inner = parsed.hooks.SessionStart[0].hooks[0];
+    assert.equal(inner.command, AGENT_HOOK_COMMAND);
+    assert.equal(inner.type, "command");
+    assert.equal(inner.timeout, 60000);
+  });
+
+  it("init --agent codex writes ~/.codex/hooks.json with timeout: 60 seconds (#1243)", async () => {
+    // Codex's timeout is in SECONDS per the Codex hooks source.
+    // Distinct from Gemini's milliseconds. Verified against
+    // codex-rs/hooks/.
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "codex",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    const filePath = join(tempHome, ".codex", "hooks.json");
+    assert.ok(existsSync(filePath));
+    const parsed = JSON.parse(readFileSync(filePath, "utf-8"));
+    const inner = parsed.hooks.SessionStart[0].hooks[0];
+    assert.equal(inner.command, AGENT_HOOK_COMMAND);
+    assert.equal(inner.type, "command");
+    assert.equal(inner.timeout, 60);
+    // No matcher on Codex group — that's Gemini-specific (#1242)
+    assert.equal(parsed.hooks.SessionStart[0].matcher, undefined);
+  });
+
+  it("init --agent copilot writes ~/.copilot/hooks/skillrepo-update.json with lowercase sessionStart event (#1244)", async () => {
+    // Copilot's spec uses lowercase `sessionStart` per VS Code +
+    // Copilot's hook docs. Distinct from Gemini and Codex's
+    // uppercase. Per-tool single file (no merge concerns within).
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "copilot",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    const filePath = join(tempHome, ".copilot", "hooks", "skillrepo-update.json");
+    assert.ok(existsSync(filePath), "Copilot per-tool hook file must exist");
+    const parsed = JSON.parse(readFileSync(filePath, "utf-8"));
+    // Lowercase event name (Phase 4 fix)
+    assert.ok(Array.isArray(parsed.hooks.sessionStart));
+    assert.equal(parsed.hooks.SessionStart, undefined);
+    const inner = parsed.hooks.sessionStart[0].hooks[0];
+    assert.equal(inner.command, AGENT_HOOK_COMMAND);
+    assert.equal(inner.type, "command");
+    assert.equal(inner.timeout, 60);
+  });
+
+  // ── Multi-vendor combined run ──────────────────────────────────
+
+  it("init --agent cursor,gemini,codex,copilot writes all four hook files", async () => {
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "cursor,gemini,codex,copilot",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    assert.ok(existsSync(join(tempHome, ".cursor", "hooks.json")));
+    assert.ok(existsSync(join(tempHome, ".gemini", "settings.json")));
+    assert.ok(existsSync(join(tempHome, ".codex", "hooks.json")));
+    assert.ok(
+      existsSync(join(tempHome, ".copilot", "hooks", "skillrepo-update.json")),
+    );
+
+    const json = JSON.parse(r.stdout);
+    assert.equal(json.sessionSync.cohortHooks.length, 4);
+    for (const h of json.sessionSync.cohortHooks) {
+      assert.equal(h.action, "installed");
+    }
+  });
+
+  // ── --no-session-sync escape hatch ─────────────────────────────
+
+  it("init --no-session-sync skips ALL cohort hooks (semantics widened in #1240)", async () => {
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--no-session-sync",
+      "--agent", "cursor,gemini,codex,copilot",
+      "--json",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    // None of the hook files should exist
+    assert.ok(!existsSync(join(tempHome, ".cursor", "hooks.json")));
+    assert.ok(!existsSync(join(tempHome, ".gemini", "settings.json")));
+    assert.ok(!existsSync(join(tempHome, ".codex", "hooks.json")));
+    assert.ok(
+      !existsSync(join(tempHome, ".copilot", "hooks", "skillrepo-update.json")),
+    );
+
+    const json = JSON.parse(r.stdout);
+    assert.equal(json.sessionSync.cohortHooks.length, 0);
+  });
+
+  // ── Idempotency on re-run ──────────────────────────────────────
+
+  it("re-running init with the same flags reports unchanged for every cohort vendor", async () => {
+    const baseArgs = [
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "cursor,gemini",
+    ];
+    const r1 = await runCli(baseArgs);
+    assert.equal(r1.status, 0, `first init stderr: ${r1.stderr}`);
+
+    const r2 = await runCli([...baseArgs, "--json"]);
+    assert.equal(r2.status, 0, `second init stderr: ${r2.stderr}`);
+    const json = JSON.parse(r2.stdout);
+    for (const h of json.sessionSync.cohortHooks) {
+      assert.equal(h.action, "unchanged", `${h.vendorKey} should be unchanged`);
+    }
+  });
+
+  // ── Multi-tool merge surface ───────────────────────────────────
+
+  it("init --agent cursor preserves a pre-existing 1Password entry in ~/.cursor/hooks.json", async () => {
+    // Seed the hook file with a "1Password" entry before init runs.
+    // The cohort installer must add the SkillRepo entry alongside
+    // without removing the pre-existing one.
+    mkdirSync(join(tempHome, ".cursor"), { recursive: true });
+    writeFileSync(
+      join(tempHome, ".cursor", "hooks.json"),
+      JSON.stringify(
+        {
+          version: 1,
+          hooks: { sessionStart: [{ command: "1password-agent-helper" }] },
+        },
+        null,
+        2,
+      ),
+    );
+
+    const r = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "cursor",
+    ]);
+    assert.equal(r.status, 0, `stderr: ${r.stderr}`);
+
+    const parsed = JSON.parse(
+      readFileSync(join(tempHome, ".cursor", "hooks.json"), "utf-8"),
+    );
+    assert.equal(parsed.hooks.sessionStart.length, 2);
+    assert.equal(
+      parsed.hooks.sessionStart[0].command,
+      "1password-agent-helper",
+    );
+    assert.equal(parsed.hooks.sessionStart[1].command, AGENT_HOOK_COMMAND);
+  });
+
+  // ── Uninstall round-trip ──────────────────────────────────────
+
+  it("uninstall --global --yes removes every cohort hook the previous init wrote", async () => {
+    // Install all four
+    const init = await runCli([
+      "init",
+      "--key", VALID_KEY,
+      "--url", `http://127.0.0.1:${port}`,
+      "--yes",
+      "--agent", "cursor,gemini,codex,copilot",
+    ]);
+    assert.equal(init.status, 0, `init stderr: ${init.stderr}`);
+
+    // Confirm files exist
+    const files = [
+      join(tempHome, ".cursor", "hooks.json"),
+      join(tempHome, ".gemini", "settings.json"),
+      join(tempHome, ".codex", "hooks.json"),
+      join(tempHome, ".copilot", "hooks", "skillrepo-update.json"),
+    ];
+    for (const f of files) assert.ok(existsSync(f), `${f} must exist before uninstall`);
+
+    // Run uninstall --global --yes
+    const uninstall = await runCli([
+      "uninstall",
+      "--global",
+      "--yes",
+      "--json",
+    ]);
+    assert.equal(uninstall.status, 0, `uninstall stderr: ${uninstall.stderr}`);
+
+    // Each cohort hook is no longer present in its file.
+    // The file may or may not exist depending on whether uninstall
+    // walked it down to {} or left an empty container — both are
+    // valid post-uninstall states. What matters is no SkillRepo
+    // command remains.
+    for (const f of files) {
+      if (!existsSync(f)) continue;
+      const content = readFileSync(f, "utf-8");
+      assert.ok(
+        !content.includes("skillrepo update --silent"),
+        `${f} still contains a SkillRepo command after uninstall`,
+      );
+    }
+  });
+});