skillrepo 4.2.0 → 4.4.0

package/src/test/commands/publish.test.mjs

@@ -0,0 +1,420 @@
+/**
+ * Unit / integration tests for `runPublish` and `runUnpublish` —
+ * Epic #1444 R3 #1456.
+ *
+ * Tests both verbs in one file because they share the
+ * `setSkillVisibility` HTTP helper and have symmetric outcome
+ * mappings (only the response shape and 403 code differ). Each
+ * test exercises a distinct outcome of the discriminated
+ * `VisibilityResult` union returned by the HTTP layer.
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+import { runPublish } from "../../commands/publish.mjs";
+import { runUnpublish } from "../../commands/unpublish.mjs";
+import {
+  CliError,
+  EXIT_VALIDATION,
+  EXIT_AUTH,
+  EXIT_SCOPE,
+} from "../../lib/errors.mjs";
+import { createMockServer } from "../e2e/mock-server.mjs";
+import { createCaptureStream } from "../helpers/capture-stream.mjs";
+import {
+  captureHome,
+  setSandboxHome,
+  restoreHome,
+} from "../helpers/sandbox-home.mjs";
+
+let sandbox;
+let server;
+let serverUrl;
+let originalCwd;
+/** @type {import("../helpers/sandbox-home.mjs").HomeEnvSnapshot} */
+let originalHomeEnv;
+let stdout;
+const VALID_KEY = "sk_live_test";
+
+async function setup() {
+  sandbox = mkdtempSync(join(tmpdir(), "cli-cmd-pub-"));
+  mkdirSync(join(sandbox, "project"), { recursive: true });
+  mkdirSync(join(sandbox, "home"), { recursive: true });
+  originalCwd = process.cwd();
+  originalHomeEnv = captureHome();
+  process.chdir(join(sandbox, "project"));
+  setSandboxHome(join(sandbox, "home"));
+  delete process.env.SKILLREPO_ACCESS_KEY;
+
+  server = createMockServer({});
+  const port = await server.start();
+  serverUrl = `http://127.0.0.1:${port}`;
+
+  stdout = createCaptureStream();
+}
+
+async function teardown() {
+  if (server) await server.stop();
+  process.chdir(originalCwd);
+  restoreHome(originalHomeEnv);
+  if (sandbox) rmSync(sandbox, { recursive: true, force: true });
+  server = null;
+}
+
+// argv used by both verbs — identifier first, then auth + endpoint
+// flags. Caller can append extra flags (e.g. `--json`) at the end.
+const baseArgv = (...extra) => [
+  `@alice/my-skill`,
+  "--key",
+  VALID_KEY,
+  "--url",
+  serverUrl,
+  ...extra,
+];
+
+// ── runPublish ──────────────────────────────────────────────────────────
+
+describe("runPublish — happy path", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("200 published → exit 0, prints '✓ Published @owner/name'", async () => {
+    // Default mock-server response is 200 published with synthesised
+    // SyncSkill — no slot configuration needed.
+    await runPublish(baseArgv(), { stdout });
+    const out = stdout.text();
+    // Matches the established `✓ <verb>` shape used by add/remove/push.
+    assert.match(out, /✓ Published @alice\/my-skill/);
+    assert.match(out, /now in the public catalog/);
+  });
+
+  it("200 unchanged → exit 0, prints '✓ Already published'", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unchanged",
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runPublish(baseArgv(), { stdout });
+    assert.match(stdout.text(), /✓ Already published/);
+  });
+
+  it("--json emits a structured success payload (no `ok` field — matches add/remove/push convention)", async () => {
+    await runPublish(baseArgv("--json"), { stdout });
+    const parsed = JSON.parse(stdout.text());
+    // `action` is the success discriminator. NO `ok` field — the
+    // CLI exits non-zero on error, so the presence of stdout JSON
+    // already implies success. Matches add.mjs / remove.mjs /
+    // push.mjs shapes.
+    assert.equal(parsed.ok, undefined);
+    assert.equal(parsed.action, "published");
+    assert.equal(parsed.owner, "alice");
+    assert.equal(parsed.name, "my-skill");
+  });
+});
+
+describe("runPublish — error paths", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("missing identifier → CliError EXIT_VALIDATION", async () => {
+    await assert.rejects(
+      runPublish(["--key", VALID_KEY, "--url", serverUrl], { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /Missing skill identifier/.test(err.message),
+    );
+  });
+
+  it("404 not-found → CliError EXIT_VALIDATION with helpful hint", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 404,
+      body: { error: "Skill not found", code: "skill_not_found" },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /not found in your account/.test(err.message),
+    );
+  });
+
+  it("403 publish_not_permitted → CliError EXIT_SCOPE with canPublish hint", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 403,
+      body: {
+        error: "You do not have permission to publish this skill.",
+        code: "publish_not_permitted",
+      },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_SCOPE &&
+        /canPublish/.test(err.hint ?? ""),
+    );
+  });
+
+  it("403 hint does NOT duplicate the server's error reason text", async () => {
+    // Regression guard: pre-PR-F-review the CLI hint repeated the
+    // entitlement explanation that the server already includes in
+    // its `error` field. Result was the same sentence twice in
+    // terminal output. The hint must stay short and action-only.
+    server.setPublishResponse("alice", "my-skill", {
+      status: 403,
+      body: {
+        error:
+          "You do not have permission to publish this skill. Admins, or members with the `canPublish` entitlement, can publish.",
+        code: "publish_not_permitted",
+      },
+    });
+    await assert.rejects(runPublish(baseArgv(), { stdout }), (err) => {
+      assert.ok(err instanceof CliError);
+      // The server's reason text contains "Admins, or members with
+      // the `canPublish` entitlement, can publish." That sentence
+      // must NOT appear in the hint too.
+      assert.doesNotMatch(
+        err.hint ?? "",
+        /Admins, or members with the `canPublish` entitlement, can publish\./,
+      );
+      // But the hint should still be actionable.
+      assert.match(err.hint ?? "", /Ask an account admin/);
+      return true;
+    });
+  });
+
+  it("403 plan_limit → CliError EXIT_VALIDATION (NOT authError), billing hint surfaces", async () => {
+    // Real-world regression scenario: an account over its skill
+    // quota tries to publish. Server returns 403 with code
+    // `plan_limit`. The CLI MUST classify this as exit 5
+    // validation with the billing hint, NOT exit 2 authError
+    // ("contact support") — a pre-review version of the code
+    // consumed the 403 body and let mapErrorResponse re-parse, but
+    // the body was empty by then so plan_limit fell through to
+    // authError.
+    server.setPublishResponse("alice", "my-skill", {
+      status: 403,
+      body: {
+        error: "You are over your library skill quota.",
+        code: "plan_limit",
+      },
+    });
+    await assert.rejects(runPublish(baseArgv(), { stdout }), (err) => {
+      assert.ok(err instanceof CliError);
+      assert.equal(err.exitCode, EXIT_VALIDATION);
+      assert.match(err.hint ?? "", /Upgrade your plan|billing/);
+      return true;
+    });
+  });
+
+  it("422 namespace_unset → CliError EXIT_VALIDATION, reason text passes through", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 422,
+      body: {
+        error: "Set up your account namespace before publishing.",
+        code: "namespace_unset",
+      },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /account namespace/.test(err.message),
+    );
+  });
+
+  it("422 analysis_pending → CliError EXIT_VALIDATION, server reason wins", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 422,
+      body: {
+        error: "This skill must be analyzed before publishing.",
+        code: "analysis_pending",
+      },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /must be analyzed/.test(err.message),
+    );
+  });
+
+  it("422 safety_grade_too_low → CliError EXIT_VALIDATION, server reason wins", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 422,
+      body: {
+        error: "Skills with a safety grade of F cannot be published.",
+        code: "safety_grade_too_low",
+      },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /safety grade of F cannot be published/.test(err.message),
+    );
+  });
+
+  it("401 unauthorized → CliError EXIT_AUTH", async () => {
+    server.setPublishResponse("alice", "my-skill", {
+      status: 401,
+      body: { error: "Invalid access key" },
+    });
+    await assert.rejects(
+      runPublish(baseArgv(), { stdout }),
+      (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+    );
+  });
+});
+
+// ── runUnpublish ────────────────────────────────────────────────────────
+
+describe("runUnpublish — happy path", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("200 unpublished with N=0 subscribers → exit 0, no-notifications message", async () => {
+    // Default mock-server response is 200 unpublished, count=0.
+    await runUnpublish(baseArgv(), { stdout });
+    assert.match(
+      stdout.text(),
+      /✓ Unpublished @alice\/my-skill — no other accounts had it in their library/,
+    );
+  });
+
+  it("200 unpublished with N=1 → singular 'notified 1 subscriber'", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unpublished",
+        notifiedSubscriberCount: 1,
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runUnpublish(baseArgv(), { stdout });
+    const out = stdout.text();
+    assert.match(out, /notified 1 subscriber\b/);
+    assert.doesNotMatch(out, /1 subscribers/);
+  });
+
+  it("200 unpublished with N=5 → plural 'notified 5 subscribers'", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unpublished",
+        notifiedSubscriberCount: 5,
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runUnpublish(baseArgv(), { stdout });
+    const out = stdout.text();
+    assert.match(out, /notified 5 subscribers/);
+    assert.match(out, /they keep their current copy/);
+  });
+
+  it("200 unchanged → exit 0, prints '✓ Already private'", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unchanged",
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runUnpublish(baseArgv(), { stdout });
+    assert.match(stdout.text(), /✓ Already private/);
+  });
+
+  it("--json emits a structured payload with notifiedSubscriberCount (no `ok` field)", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unpublished",
+        notifiedSubscriberCount: 3,
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runUnpublish(baseArgv("--json"), { stdout });
+    const parsed = JSON.parse(stdout.text());
+    assert.equal(parsed.ok, undefined);
+    assert.equal(parsed.action, "unpublished");
+    assert.equal(parsed.notifiedSubscriberCount, 3);
+  });
+
+  it("--json on unchanged emits notifiedSubscriberCount=0 (no `ok` field)", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 200,
+      body: {
+        action: "unchanged",
+        skill: { owner: "alice", name: "my-skill" },
+      },
+    });
+    await runUnpublish(baseArgv("--json"), { stdout });
+    const parsed = JSON.parse(stdout.text());
+    assert.equal(parsed.ok, undefined);
+    assert.equal(parsed.action, "unchanged");
+    assert.equal(parsed.notifiedSubscriberCount, 0);
+  });
+});
+
+describe("runUnpublish — error paths", () => {
+  beforeEach(setup);
+  afterEach(teardown);
+
+  it("404 not-found → CliError EXIT_VALIDATION", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 404,
+      body: { error: "Skill not found", code: "skill_not_found" },
+    });
+    await assert.rejects(
+      runUnpublish(baseArgv(), { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /not found in your account/.test(err.message),
+    );
+  });
+
+  it("403 unpublish_not_permitted → CliError EXIT_SCOPE with action-only hint", async () => {
+    server.setUnpublishResponse("alice", "my-skill", {
+      status: 403,
+      body: {
+        error:
+          "You do not have permission to unpublish this skill. Admins, or members with the `canPublish` entitlement, can unpublish.",
+        code: "unpublish_not_permitted",
+      },
+    });
+    await assert.rejects(runUnpublish(baseArgv(), { stdout }), (err) => {
+      assert.ok(err instanceof CliError);
+      assert.equal(err.exitCode, EXIT_SCOPE);
+      // Same regression guard as the publish path — hint must NOT
+      // duplicate the server's entitlement explanation.
+      assert.doesNotMatch(
+        err.hint ?? "",
+        /Admins, or members with the `canPublish` entitlement, can unpublish\./,
+      );
+      assert.match(err.hint ?? "", /Ask an account admin/);
+      return true;
+    });
+  });
+
+  it("missing identifier → CliError EXIT_VALIDATION", async () => {
+    await assert.rejects(
+      runUnpublish(["--key", VALID_KEY, "--url", serverUrl], { stdout }),
+      (err) =>
+        err instanceof CliError &&
+        err.exitCode === EXIT_VALIDATION &&
+        /Missing skill identifier/.test(err.message),
+    );
+  });
+});

package/src/test/e2e/mock-server.mjs

@@ -9,6 +9,8 @@
  *   POST   /api/v1/library                        — multipart file-push (#1452)
  *   POST   /api/v1/library/refs                   — add catalog skill to library (#1451)
  *   DELETE /api/v1/library/[owner]/[name]         — remove from library (PR3a)
+ *   POST   /api/v1/library/[owner]/[name]/publish — make global (#1449)
+ *   POST   /api/v1/library/[owner]/[name]/unpublish — make private (#1449)
  *   GET    /api/v1/skills/[owner]/[name]          — single skill fetch (PR2)
  *   GET    /api/v1/skills/search                  — keyword search (PR2)
  *
@@ -30,6 +32,10 @@
  *   setPushResponse(resp)                — response for POST /library multipart push (#1452)
  *   getLastPostBody()                    — inspect the most recent POST body (JSON-parsed)
  *
+ *   (Epic #1444 R3 #1449 additions)
+ *   setPublishResponse(owner, name, resp)   — per-skill response for POST /library/<owner>/<name>/publish
+ *   setUnpublishResponse(owner, name, resp) — per-skill response for POST /library/<owner>/<name>/unpublish
+ *
  * The slot APIs let unit/integration tests configure each scenario
  * without spinning up multiple servers per test. Default behavior
  * for an unconfigured slot is a sensible empty payload.
@@ -86,6 +92,10 @@ export function createMockServer(initialPayload, options = {}) {
   // matches any owner/name when no exact match is registered.
   let addResponses = new Map();    // key: "owner/name" or "*" → { status, body }
   let removeResponses = new Map(); // key: "owner/name" or "*" → { status, body }
+  // Epic #1444 R3 #1456 — POST /api/v1/library/[owner]/[name]/publish
+  // and POST /api/v1/library/[owner]/[name]/unpublish (#1449).
+  let publishResponses = new Map();   // key: "owner/name" or "*" → { status, body }
+  let unpublishResponses = new Map(); // key: "owner/name" or "*" → { status, body }
 
   // #1452 — POST /api/v1/library (multipart file-push) response slot.
   // Tests set this with `setPushResponse({ status, body })`; when null,
@@ -307,6 +317,86 @@ export function createMockServer(initialPayload, options = {}) {
       return;
     }
 
+    // ── #1449: POST /api/v1/library/[owner]/[name]/publish ─────────
+    {
+      const m = url.pathname.match(
+        /^\/api\/v1\/library\/([^\/]+)\/([^\/]+)\/publish$/,
+      );
+      if (m && req.method === "POST") {
+        if (!checkAuth(req, res)) return;
+        const owner = decodeURIComponent(m[1]);
+        const name = decodeURIComponent(m[2]);
+        const configured =
+          publishResponses.get(`${owner}/${name}`) ?? publishResponses.get("*");
+        if (configured) {
+          res.writeHead(configured.status, { "Content-Type": "application/json" });
+          res.end(JSON.stringify(configured.body));
+          return;
+        }
+        // Default: 200 published with synthesized SyncSkill.
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            action: "published",
+            skill: {
+              owner,
+              name,
+              version: "1.0.0",
+              description: "mock",
+              keywords: [],
+              updatedAt: new Date().toISOString(),
+              etag: `"${owner}/${name}@0"`,
+              contextSignals: null,
+              files: [],
+              filesIncomplete: false,
+            },
+          }),
+        );
+        return;
+      }
+    }
+
+    // ── #1449: POST /api/v1/library/[owner]/[name]/unpublish ───────
+    {
+      const m = url.pathname.match(
+        /^\/api\/v1\/library\/([^\/]+)\/([^\/]+)\/unpublish$/,
+      );
+      if (m && req.method === "POST") {
+        if (!checkAuth(req, res)) return;
+        const owner = decodeURIComponent(m[1]);
+        const name = decodeURIComponent(m[2]);
+        const configured =
+          unpublishResponses.get(`${owner}/${name}`) ??
+          unpublishResponses.get("*");
+        if (configured) {
+          res.writeHead(configured.status, { "Content-Type": "application/json" });
+          res.end(JSON.stringify(configured.body));
+          return;
+        }
+        // Default: 200 unpublished, zero subscribers notified.
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            action: "unpublished",
+            notifiedSubscriberCount: 0,
+            skill: {
+              owner,
+              name,
+              version: "1.0.0",
+              description: "mock",
+              keywords: [],
+              updatedAt: new Date().toISOString(),
+              etag: `"${owner}/${name}@0"`,
+              contextSignals: null,
+              files: [],
+              filesIncomplete: false,
+            },
+          }),
+        );
+        return;
+      }
+    }
+
     // ── PR3a: DELETE /api/v1/library/[owner]/[name] (remove) ────────
     {
       const m = url.pathname.match(/^\/api\/v1\/library\/([^\/]+)\/([^\/]+)$/);
@@ -563,6 +653,26 @@ export function createMockServer(initialPayload, options = {}) {
       removeResponses = new Map();
     },
 
+    // Epic #1444 R3 #1456 — publish / unpublish slot setters.
+    setPublishResponse(owner, name, response) {
+      publishResponses.set(`${owner}/${name}`, response);
+    },
+    setPublishResponseForAny(response) {
+      publishResponses.set("*", response);
+    },
+    clearPublishResponses() {
+      publishResponses = new Map();
+    },
+    setUnpublishResponse(owner, name, response) {
+      unpublishResponses.set(`${owner}/${name}`, response);
+    },
+    setUnpublishResponseForAny(response) {
+      unpublishResponses.set("*", response);
+    },
+    clearUnpublishResponses() {
+      unpublishResponses = new Map();
+    },
+
     /**
      * #1452 — register the next POST /api/v1/library (multipart file-push)
      * response. Pass `null` to restore the default 201 LibraryPushResponse.

package/src/test/lib/config.test.mjs

@@ -206,6 +206,39 @@ describe("writeConfig", () => {
     assert.equal(mode, 0o600, `Expected 0o600, got ${mode.toString(8)}`);
   });
 
+  // Telemetry opt-in/out flag persistence (#1539). The field is only
+  // written when the caller explicitly sets it (boolean) — omitting
+  // means "no preference recorded" and the telemetry module treats
+  // that as the opt-out-friendly default of enabled.
+  it("persists telemetry=true when explicitly set", () => {
+    writeConfig({
+      apiKey: "sk_live_abc",
+      serverUrl: "https://example.com",
+      telemetry: true,
+    });
+    const raw = JSON.parse(readFileSync(globalConfigPath(), "utf-8"));
+    assert.equal(raw.telemetry, true);
+  });
+
+  it("persists telemetry=false when explicitly set", () => {
+    writeConfig({
+      apiKey: "sk_live_abc",
+      serverUrl: "https://example.com",
+      telemetry: false,
+    });
+    const raw = JSON.parse(readFileSync(globalConfigPath(), "utf-8"));
+    assert.equal(raw.telemetry, false);
+  });
+
+  it("does NOT write a telemetry field when omitted (preserves no-preference state)", () => {
+    writeConfig({
+      apiKey: "sk_live_abc",
+      serverUrl: "https://example.com",
+    });
+    const raw = JSON.parse(readFileSync(globalConfigPath(), "utf-8"));
+    assert.equal("telemetry" in raw, false);
+  });
+
   it("throws validationError on missing apiKey", () => {
     assert.throws(
       () => writeConfig({ serverUrl: "https://example.com" }),