skillrepo 4.5.0 → 4.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillrepo",
-  "version": "4.5.0",
+  "version": "4.5.1",
   "description": "Pull-based CLI for agent skills — init, sync, search, add, remove your library from any IDE",
   "type": "module",
   "bin": {

package/src/commands/add.mjs

@@ -46,6 +46,7 @@ import {
   effectiveVendors,
   requireVendorTargets,
 } from "../lib/cli-config.mjs";
+import { upsertLastSyncEntry } from "../lib/sync.mjs";
 import { parseIdentifier, formatIdentifier } from "../lib/identifier.mjs";
 import { validationError } from "../lib/errors.mjs";
 
@@ -158,6 +159,20 @@ export async function runAdd(argv, io = {}) {
 
   writeSkillDir(skill, { vendors, global: flags.global });
 
+  // Update `.last-sync` so `list` immediately recognizes this skill
+  // as `current`. Without this the user adds a skill, then runs
+  // `list`, and sees their freshly-added skill marked MISS — the
+  // exact same class of contract gap that PR #1574 fixed for the
+  // multi-vendor case in `update`/`list`. See `upsertLastSyncEntry`
+  // docstring for the etag-preservation rationale.
+  try {
+    upsertLastSyncEntry(skill);
+  } catch {
+    // Non-fatal: skill is on disk, the state file write failure
+    // does not change that. Same semantics as runSync's warn-and-
+    // proceed for last-sync persistence failures.
+  }
+
   if (flags.json) {
     stdout.write(
       JSON.stringify(

package/src/commands/get.mjs

@@ -36,6 +36,7 @@ import {
   effectiveVendors,
   requireVendorTargets,
 } from "../lib/cli-config.mjs";
+import { upsertLastSyncEntry } from "../lib/sync.mjs";
 import { parseIdentifier, formatIdentifier } from "../lib/identifier.mjs";
 import { validationError } from "../lib/errors.mjs";
 
@@ -109,6 +110,21 @@ export async function runGet(argv, io = {}) {
 
   writeSkillDir(skill, { vendors, global: flags.global });
 
+  // Update `.last-sync` so `list` recognizes this skill as `current`
+  // afterward instead of reporting a stale `MISSING`. Best-effort:
+  // a state-file write failure is non-fatal (the files are already
+  // on disk), but writeLastSync throws diskError if it cannot
+  // persist — we catch and continue. Pre-PR #1574 `get` skipped
+  // this entirely, which surfaced every freshly-fetched skill as
+  // MISS in the very next `list` invocation.
+  try {
+    upsertLastSyncEntry(skill);
+  } catch {
+    // Same failure semantics as runSync's "couldn't persist last
+    // sync state" path: warn and proceed, the user's intent (files
+    // on disk) was honored.
+  }
+
   if (flags.json) {
     stdout.write(
       JSON.stringify({

package/src/commands/remove.mjs

@@ -43,6 +43,7 @@ import {
   effectiveVendors,
   requireVendorTargets,
 } from "../lib/cli-config.mjs";
+import { deleteLastSyncEntry } from "../lib/sync.mjs";
 import { parseIdentifier, formatIdentifier } from "../lib/identifier.mjs";
 import { validationError } from "../lib/errors.mjs";
 
@@ -111,6 +112,18 @@ export async function runRemove(argv, io = {}) {
   // owner-namespacing caveat.
   const localResult = removeSkillDir(name, { vendors, global: flags.global });
 
+  // Step 2.5: purge the `.last-sync` entry for this skill so a future
+  // re-add of the same identifier doesn't compare against a stale
+  // baseline. Idempotent: no-op if the entry isn't there. Non-fatal
+  // on write failure — the user's primary intent (skill gone from
+  // library + disk) was honored; a stale baseline is recoverable
+  // via the next `update`.
+  try {
+    deleteLastSyncEntry(owner, name);
+  } catch {
+    // Same warn-and-proceed semantics as runSync's last-sync writes.
+  }
+
   if (flags.json) {
     stdout.write(
       JSON.stringify(

package/src/lib/agent-registry.mjs

@@ -140,7 +140,21 @@ export const AGENT_REGISTRY = Object.freeze([
     agentHook: null,
     detectionSignals: Object.freeze([
       Object.freeze({ type: "env", value: "CLAUDECODE" }),
-      Object.freeze({ type: "home", value: ".claude" }),
+      // Home signal MUST be a file Claude Code creates that SkillRepo
+      // itself never writes. The earlier `.claude` (bare dir) signal
+      // false-positive-detected on any user who'd ever run a SkillRepo
+      // command — because `init` writes config to
+      // `~/.claude/skillrepo/config.json` and every `runSync` writes
+      // `.last-sync` to the same parent, both of which create the
+      // `~/.claude/` directory as a side effect. Cursor-only users
+      // (or any non-Claude-Code user) were then incorrectly detected
+      // as Claude Code users on every subsequent `list` invocation,
+      // producing MISS for every skill at the claudeProject placement
+      // that was never populated. Probing `settings.json` — created by
+      // Claude Code on first run and never touched by SkillRepo — is
+      // the load-bearing distinction. See PR #1574 production-
+      // readiness audit for the full chain.
+      Object.freeze({ type: "home", value: ".claude/settings.json" }),
       Object.freeze({ type: "project", value: ".claude" }),
     ]),
   }),

package/src/lib/cli-config.mjs

@@ -25,6 +25,7 @@ import {
   AGENTS_COHORT_KEYS,
   getAgentByAlias,
 } from "./agent-registry.mjs";
+import { detectAgents } from "./detect-agents.mjs";
 import { authError, validationError } from "./errors.mjs";
 
 const ALL_VENDOR_KEYS = AGENT_REGISTRY.map((entry) => entry.key);
@@ -204,22 +205,48 @@ export function resolveFlags(argv, opts = {}) {
  *      always wins. Both flags propagate together, so `--global
  *      --agent windsurf` correctly resolves to `["windsurf"]` and
  *      placementTargetsFor maps that to `windsurfGlobal`.
- *   2. No `--agent` defaults to `["claudeCode"]`, regardless of
- *      `--global`. The v3.0.0 CLI deliberately does NOT silently
- *      fall back to `[claudeCode, cursor]` like v2.0.0 did.
+ *   2. No `--agent` defaults to ALL DETECTED vendors (4.5.1+) — every
+ *      agent whose detection signal fires in the current cwd / HOME /
+ *      env. This matches `init`'s picker behavior and `list`'s drift
+ *      detection model: the CLI assumes you want to keep every
+ *      agent on your machine in sync.
+ *   3. Fallback to `["claudeCode"]` when nothing is detected (fresh
+ *      machine with no agent installed yet — extremely rare, but
+ *      preserves the historical default so `skillrepo init` from
+ *      scratch still has a meaningful behavior).
+ *
+ * History: 4.4.0 and earlier defaulted to `["claudeCode"]` only,
+ * which created a mismatch with `list`'s drift detection in 4.5.0:
+ * `list` reported drift against all detected vendors while
+ * `update`/`add`/`remove`/`get` only wrote to Claude Code's
+ * placement. Multi-agent users saw every skill as `MISS` even after
+ * a full sync because the cohort `.agents/skills/` directory was
+ * never written to. See #1573 follow-up.
  *
  * The empty-array `--agent none` sentinel is returned verbatim —
  * callers detect "no placement" via `vendors.length === 0`. The
  * default-fallback branch uses an explicit null/undefined check so
  * the empty array survives.
  */
-export function effectiveVendors(flags) {
+export function effectiveVendors(flags, { detect = defaultDetectVendors } = {}) {
   if (flags.vendors === null || flags.vendors === undefined) {
-    return ["claudeCode"];
+    const detected = detect();
+    return detected.length > 0 ? detected : ["claudeCode"];
   }
   return flags.vendors;
 }
 
+/**
+ * Default detection callable for `effectiveVendors`. Exposed for tests
+ * that want to inject a deterministic vendor list via the second-arg
+ * `{ detect }` option — production callers should not pass anything.
+ */
+function defaultDetectVendors() {
+  return detectAgents()
+    .filter((d) => d.detected)
+    .map((d) => d.key);
+}
+
 /**
  * Reject `--agent none` for commands that have no meaningful behavior
  * without a placement target. `init` and `update` accept `--agent none`

package/src/lib/detect-agents.mjs

@@ -34,12 +34,51 @@
  * so probes are sandbox-isolated on every platform.
  */
 
-import { existsSync } from "node:fs";
+import { existsSync, statSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 
 import { AGENT_REGISTRY } from "./agent-registry.mjs";
 
+/**
+ * Returns true when `path` exists and is reachable. Wraps `existsSync`
+ * for symmetry with the file-vs-dir formatters below; kept as a
+ * separate helper so a future refinement (e.g., disallow broken
+ * symlinks) can land in one place.
+ */
+function probeFsPath(path) {
+  return existsSync(path);
+}
+
+/**
+ * Format the `reason` for a fired `home` signal. Bare-directory signals
+ * (`.cursor`, `~/.codeium/windsurf`) get a trailing slash; file-shaped
+ * signals (`.claude/settings.json`) do not, because rendering a file
+ * path with a trailing slash misleads the user in init's
+ * "(detected: …)" hint string. We `statSync` to distinguish — that
+ * avoids brittle string heuristics (we cannot just look for a dot in
+ * the last segment, because directories with dots in their names are
+ * permitted by every supported filesystem).
+ */
+function formatHomeReason(value, path) {
+  return isFile(path) ? `~/${value}` : `~/${value}/`;
+}
+
+function formatProjectReason(value, path) {
+  return isFile(path) ? value : `${value}/`;
+}
+
+function isFile(path) {
+  try {
+    return statSync(path).isFile();
+  } catch {
+    // statSync after a successful existsSync is unlikely to throw, but
+    // a TOCTOU between the two would crash the picker. Default to the
+    // directory format on any read error.
+    return false;
+  }
+}
+
 /**
  * @typedef {Object} AgentDetection
  * @property {string} key                 - Canonical agent key.
@@ -72,13 +111,11 @@ function probeSignal(signal) {
   }
   if (signal.type === "home") {
     const path = join(homedir(), signal.value);
-    if (!existsSync(path)) return null;
-    return `~/${signal.value}/`;
+    return probeFsPath(path) ? formatHomeReason(signal.value, path) : null;
   }
   if (signal.type === "project") {
     const path = join(process.cwd(), signal.value);
-    if (!existsSync(path)) return null;
-    return `${signal.value}/`;
+    return probeFsPath(path) ? formatProjectReason(signal.value, path) : null;
   }
   // Unknown type — defensive guard. Callers should never see this
   // because the registry's frozen entries are typed.

package/src/lib/sync.mjs

@@ -218,6 +218,99 @@ export function writeLastSync({ etag, syncedAt, skills } = {}) {
   }
 }
 
+/**
+ * Add or replace a single skill's entry in `.last-sync` without
+ * touching the library-level `etag`/`syncedAt` fields.
+ *
+ * Why this exists: `get` and `add` write skills to disk one at a time
+ * without going through `runSync`. Pre-PR #1574 those commands left
+ * `.last-sync` untouched — meaning `list` afterwards couldn't see the
+ * skill in its baseline map and rendered it as `MISSING` even though
+ * it was sitting right there on disk. This helper closes that
+ * contract gap: any command that writes one skill's bytes to disk
+ * MUST also record the corresponding SHAs in `.last-sync` so the
+ * read-side drift detection can find them.
+ *
+ * Library-level `etag` and `syncedAt` are preserved verbatim from the
+ * prior state because they describe "what library snapshot did we
+ * fetch last" — `get` and `add` did not refresh that snapshot, so
+ * overwriting those fields would break the 304 short-circuit on the
+ * NEXT `update` (the server would think we're already past a state
+ * we never reached).
+ *
+ * Non-fatal on read/write failure: the actual skill files were
+ * already written to disk before we got here, so a broken state file
+ * should not roll back the user's intent. We throw on `writeLastSync`
+ * failure (same as the bulk path) so the caller can surface the
+ * warning, but otherwise this function is best-effort.
+ *
+ * @param {Object} skill - The skill that was just written.
+ * @param {string} skill.owner
+ * @param {string} skill.name
+ * @param {string} skill.version
+ * @param {{ path: string, content: string }[]} skill.files
+ */
+export function upsertLastSyncEntry(skill) {
+  if (!skill || typeof skill !== "object") return;
+  if (typeof skill.owner !== "string" || typeof skill.name !== "string") return;
+  if (!Array.isArray(skill.files)) return;
+
+  const shas = computeSkillShas(skill.files);
+  // computeSkillShas returns nulls when there's no SKILL.md; persisting
+  // null SHAs would later classify as `edited`, which is wrong for a
+  // skill we just installed. Skip the upsert in that pathological case
+  // — list.mjs's `MISSING` verdict for an unknown skill is a more
+  // accurate signal than a fabricated `current` or `edited`.
+  if (shas.skillMdSha256 === null || shas.filesSha256 === null) return;
+
+  const prior = readLastSync();
+  const priorSkills =
+    prior && prior.skills && typeof prior.skills === "object"
+      ? prior.skills
+      : {};
+
+  const key = `${skill.owner}/${skill.name}`;
+  const updated = {
+    ...priorSkills,
+    [key]: {
+      version: typeof skill.version === "string" ? skill.version : "",
+      skillMdSha256: shas.skillMdSha256,
+      filesSha256: shas.filesSha256,
+      syncedAt: new Date().toISOString(),
+    },
+  };
+
+  writeLastSync({
+    // Preserve etag and syncedAt — see docstring "why this exists."
+    etag: prior?.etag ?? null,
+    syncedAt: prior?.syncedAt,
+    skills: updated,
+  });
+}
+
+/**
+ * Remove a single skill's entry from `.last-sync` without touching
+ * library-level fields. Used by `remove` after deleting the on-disk
+ * files. Idempotent: if the entry isn't there, no-op.
+ *
+ * @param {string} owner
+ * @param {string} name
+ */
+export function deleteLastSyncEntry(owner, name) {
+  if (typeof owner !== "string" || typeof name !== "string") return;
+  const prior = readLastSync();
+  if (!prior || !prior.skills || typeof prior.skills !== "object") return;
+  const key = `${owner}/${name}`;
+  if (!(key in prior.skills)) return;
+  // eslint-disable-next-line no-unused-vars -- destructure-to-omit pattern
+  const { [key]: _removed, ...rest } = prior.skills;
+  writeLastSync({
+    etag: prior.etag ?? null,
+    syncedAt: prior.syncedAt,
+    skills: rest,
+  });
+}
+
 /**
  * Run a library sync against the server.
  *