skillrepo 4.5.0 → 4.5.2

package/src/test/lib/cli-config.test.mjs

@@ -507,14 +507,65 @@ describe("resolveFlags — positional callback", () => {
 // ── effectiveVendors ───────────────────────────────────────────────────
 
 describe("effectiveVendors", () => {
-  it("returns ['claudeCode'] by default (no flags)", () => {
-    assert.deepEqual(effectiveVendors({ vendors: null, global: false }), ["claudeCode"]);
+  // Inject empty detection so the default-fallback branch fires
+  // deterministically regardless of the test runner's environment.
+  // The default callable reads `detectAgents()` from the live process —
+  // useful in production but non-deterministic across dev machines.
+  const noneDetected = { detect: () => [] };
+  const detectsClaudeCursor = { detect: () => ["claudeCode", "cursor"] };
+
+  it("returns ['claudeCode'] fallback when no vendors detected", () => {
+    assert.deepEqual(
+      effectiveVendors({ vendors: null, global: false }, noneDetected),
+      ["claudeCode"],
+    );
   });
 
-  it("returns ['claudeCode'] for bare --global with no --agent", () => {
-    // Bare --global preserves the historical default of writing to
-    // ~/.claude/skills/. The user can override with `--global --agent X`.
-    assert.deepEqual(effectiveVendors({ vendors: null, global: true }), ["claudeCode"]);
+  it("returns ['claudeCode'] fallback for bare --global with nothing detected", () => {
+    // Bare --global with nothing detected preserves the historical
+    // single-vendor default. The user can override with `--global --agent X`.
+    assert.deepEqual(
+      effectiveVendors({ vendors: null, global: true }, noneDetected),
+      ["claudeCode"],
+    );
+  });
+
+  it("returns all detected vendors when --agent is not passed (4.5.1+)", () => {
+    // The 4.5.1 change: no --agent defaults to every detected vendor
+    // instead of just ["claudeCode"]. Matches `list`'s drift detection
+    // and `init`'s picker.
+    assert.deepEqual(
+      effectiveVendors({ vendors: null, global: false }, detectsClaudeCursor),
+      ["claudeCode", "cursor"],
+    );
+  });
+
+  it("returns a 3-vendor detected list verbatim (proves no hardcoded pair)", () => {
+    // QA H1 guard: the 2-vendor test alone can't distinguish a
+    // passthrough from a hardcoded `["claudeCode", "cursor"]`. A
+    // future regression that "helpfully" filtered or sliced the
+    // detected list would pass the 2-vendor case but fail here.
+    const detectsThree = {
+      detect: () => ["claudeCode", "cursor", "windsurf"],
+    };
+    assert.deepEqual(
+      effectiveVendors({ vendors: null, global: false }, detectsThree),
+      ["claudeCode", "cursor", "windsurf"],
+    );
+  });
+
+  it("preserves detection order verbatim (no reordering, no dedup beyond what detect returns)", () => {
+    // Lock the contract that `effectiveVendors` is a pure passthrough
+    // of the detect callable. The order of placement writes depends
+    // on this in `placementTargetsFor` — a reorder could change which
+    // target appears first in user-visible "wrote to X" output.
+    const reverseOrder = {
+      detect: () => ["windsurf", "cursor", "claudeCode"],
+    };
+    assert.deepEqual(
+      effectiveVendors({ vendors: null, global: false }, reverseOrder),
+      ["windsurf", "cursor", "claudeCode"],
+    );
   });
 
   it("preserves --agent under --global (does NOT discard the vendor list)", () => {

package/src/test/lib/detect-agents.test.mjs

@@ -13,7 +13,7 @@
 
 import { describe, it, beforeEach, afterEach } from "node:test";
 import assert from "node:assert/strict";
-import { mkdtempSync, mkdirSync, rmSync } from "node:fs";
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 
@@ -168,11 +168,37 @@ describe("detectAgents — home signal", () => {
   beforeEach(setup);
   afterEach(teardown);
 
-  it("detects Claude Code via ~/.claude/ directory", () => {
+  it("detects Claude Code via ~/.claude/settings.json (file, not bare dir)", () => {
+    // Claude Code's home signal probes the settings.json file
+    // Claude Code itself creates on first run, NOT the bare `.claude/`
+    // directory. The earlier broad-directory signal false-positive-
+    // detected on Cursor-only users because SkillRepo creates
+    // `~/.claude/skillrepo/` for its own state — which forced
+    // `~/.claude/` to exist on every machine ever touched by the CLI.
+    // See PR #1574 production-readiness audit + the comment in
+    // agent-registry.mjs above the claudeCode entry.
+    const settingsPath = join(process.env.HOME, ".claude", "settings.json");
     mkdirSync(join(process.env.HOME, ".claude"), { recursive: true });
+    writeFileSync(settingsPath, "{}", "utf-8");
     const result = findResult(detectAgents(), "claudeCode");
     assert.equal(result.detected, true);
-    assert.equal(result.reason, "~/.claude/");
+    assert.equal(result.reason, "~/.claude/settings.json");
+  });
+
+  it("does NOT detect Claude Code on bare ~/.claude/ directory (SkillRepo state-dir poisoning guard)", () => {
+    // Regression guard for the 4.5.x false-positive bug. The CLI
+    // writes its own state to `~/.claude/skillrepo/config.json` and
+    // `~/.claude/skillrepo/.last-sync`, creating `~/.claude/` as a
+    // side effect. Without the narrowed signal, every CLI user — even
+    // those who don't use Claude Code — would be detected as a Claude
+    // Code user from their second invocation onward, producing all-
+    // MISS output in `list`. This test holds the line.
+    mkdirSync(join(process.env.HOME, ".claude", "skillrepo"), {
+      recursive: true,
+    });
+    const result = findResult(detectAgents(), "claudeCode");
+    assert.equal(result.detected, false);
+    assert.equal(result.reason, null);
   });
 
   it("detects Cursor via ~/.cursor/ directory", () => {
@@ -294,10 +320,17 @@ describe("detectAgents — OR semantics + priority", () => {
 
   it("home signal wins over project signal when env is absent", () => {
     mkdirSync(join(process.env.HOME, ".claude"), { recursive: true });
+    writeFileSync(
+      join(process.env.HOME, ".claude", "settings.json"),
+      "{}",
+      "utf-8",
+    );
     mkdirSync(join(process.cwd(), ".claude"), { recursive: true });
     const result = findResult(detectAgents(), "claudeCode");
     assert.equal(result.detected, true);
-    assert.equal(result.reason, "~/.claude/");
+    // settings.json is a file → reason has no trailing slash (file vs dir
+    // distinguished by statSync in formatHomeReason).
+    assert.equal(result.reason, "~/.claude/settings.json");
   });
 
   it("primary env signal wins over fallback env signal (Cursor: CURSOR_AGENT > CURSOR_CLI)", () => {

package/src/test/lib/sync.test.mjs

@@ -38,6 +38,7 @@ import {
   runSync,
   readLastSync,
   writeLastSync,
+  placementsAreComplete,
   LAST_SYNC_SCHEMA_VERSION,
 } from "../../lib/sync.mjs";
 import { resolvePlacementDir } from "../../lib/file-write.mjs";
@@ -780,6 +781,48 @@ describe("runSync — ETag round-trip", () => {
     const after = readFileSync(join(dir, "SKILL.md"), "utf-8");
     assert.equal(before, after);
   });
+
+  it("forced re-fetch (placementsAreComplete=false) sets fullSync=false (prior state existed)", async () => {
+    // Locks in the semantic contract from QA Round 2 Gap 5: a forced
+    // full re-fetch (placementsAreComplete returns false because a
+    // placement was missing) does NOT bump fullSync to true. fullSync
+    // is determined by whether prior `syncedAt` existed, not by
+    // whether the server returned a delta or full payload. The
+    // distinction matters to init.mjs which interprets the
+    // `fullSync` × `counters-all-zero` combination — for an `init`
+    // that hits a placement-incomplete state, counters won't be all
+    // zero (the missing skill produces added>=1), so the consumer
+    // distinction is preserved. This test pins that behavior.
+    server.setEtag('"v1"');
+    server.setLibraryResponse({
+      skills: [makeSkill("forced")],
+      removals: [],
+      syncedAt: "2025-01-01T00:00:00Z",
+    });
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+
+    // Delete the placement on disk — forces re-fetch on next runSync.
+    rmSync(resolvePlacementDir("claudeProject", "forced"), {
+      recursive: true,
+      force: true,
+    });
+
+    const result = await runSync({
+      serverUrl,
+      apiKey: VALID_KEY,
+      vendors: ["claudeCode"],
+    });
+    // Prior syncedAt was set → fullSync stays false even though a
+    // full re-fetch happened. This preserves the init.mjs consumer
+    // semantic: fullSync=true means "no prior sync state existed",
+    // not "this sync returned a full library payload."
+    assert.equal(result.fullSync, false);
+    // The forced re-fetch DOES produce a non-zero write count —
+    // which is why the behavioral consequence of the semantic
+    // mismatch is unreachable. Documents that fact.
+    assert.equal(result.added, 1, "forced re-fetch must restore the missing skill");
+    assert.equal(result.notModified, false);
+  });
 });
 
 // ── runSync — argument validation ──────────────────────────────────────
@@ -1093,3 +1136,180 @@ describe("runSync — cohort placement classification", () => {
     );
   });
 });
+
+// ───────────────────────────────────────────────────────────────────
+// placementsAreComplete unit tests (PR #1575 hotfix)
+// ───────────────────────────────────────────────────────────────────
+//
+// Direct unit coverage for the function that decides whether the ETag
+// short-circuit is safe. The integration tests in
+// update-list-contract.integration.test.mjs exercise the function
+// end-to-end through runSync; this suite covers the branches:
+//
+//   - empty/missing skills map (returns false — force re-fetch)
+//   - empty/missing vendors (returns true — nothing to verify)
+//   - placementTargetsFor throws (returns false — safe direction)
+//   - malformed skill keys (skip without crash)
+//   - skill present in EVERY target (returns true)
+//   - skill missing in ONE target (returns false)
+//   - directory exists but SKILL.md missing (returns false)
+
+describe("placementsAreComplete — direct unit coverage", () => {
+  beforeEach(() => {
+    sandbox = mkdtempSync(join(tmpdir(), "cli-pac-"));
+    mkdirSync(join(sandbox, "project"), { recursive: true });
+    mkdirSync(join(sandbox, "home"), { recursive: true });
+    originalCwd = process.cwd();
+    originalHomeEnv = captureHome();
+    process.chdir(join(sandbox, "project"));
+    setSandboxHome(join(sandbox, "home"));
+  });
+  afterEach(() => {
+    process.chdir(originalCwd);
+    restoreHome(originalHomeEnv);
+    if (sandbox) rmSync(sandbox, { recursive: true, force: true });
+  });
+
+  function seedSkillMd(target, skillName) {
+    const dir = resolvePlacementDir(target, skillName);
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(
+      join(dir, "SKILL.md"),
+      `---\nname: ${skillName}\ndescription: x\n---\n`,
+      "utf-8",
+    );
+  }
+
+  it("returns false on null skillsMap (can't trust empty baseline)", () => {
+    assert.equal(placementsAreComplete(null, ["claudeCode"], false), false);
+  });
+
+  it("returns false on undefined skillsMap", () => {
+    assert.equal(placementsAreComplete(undefined, ["claudeCode"], false), false);
+  });
+
+  it("returns false on empty skillsMap object (v1 → v2 recovery path)", () => {
+    assert.equal(placementsAreComplete({}, ["claudeCode"], false), false);
+  });
+
+  it("returns true on empty vendors array (no placements to verify)", () => {
+    // Defensive guard — `requireVendorTargets` in the command layer
+    // catches this case before runSync, but if it ever reached here
+    // we'd return true (no targets means trivially complete).
+    const skills = {
+      "alice/skill": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    assert.equal(placementsAreComplete(skills, [], false), true);
+  });
+
+  it("returns true on undefined vendors (same defensive path)", () => {
+    const skills = {
+      "alice/skill": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    assert.equal(placementsAreComplete(skills, undefined, false), true);
+  });
+
+  it("returns true when every (skill, target) pair has its SKILL.md on disk", () => {
+    seedSkillMd("claudeProject", "skill-a");
+    const skills = {
+      "alice/skill-a": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    assert.equal(placementsAreComplete(skills, ["claudeCode"], false), true);
+  });
+
+  it("returns false when ONE skill's SKILL.md is missing in ONE target", () => {
+    // Two skills, claudeProject + agentsProject expected. Only one
+    // skill landed in claudeProject; agentsProject has neither.
+    seedSkillMd("claudeProject", "skill-a");
+    const skills = {
+      "alice/skill-a": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    // Both claudeCode and cursor → both targets must have skill-a.
+    // Only claudeProject does → returns false → forces re-fetch.
+    assert.equal(
+      placementsAreComplete(skills, ["claudeCode", "cursor"], false),
+      false,
+    );
+  });
+
+  it("returns false when directory exists but SKILL.md is missing (partial dir guard)", () => {
+    // The HIGH finding from the code-reviewer audit: an empty
+    // directory satisfies existsSync but lacks the load-bearing
+    // SKILL.md. The check probes SKILL.md specifically.
+    const dir = resolvePlacementDir("claudeProject", "partial");
+    mkdirSync(dir, { recursive: true });
+    // NOTE: no writeFileSync — dir exists but is empty.
+    const skills = {
+      "alice/partial": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    assert.equal(placementsAreComplete(skills, ["claudeCode"], false), false);
+  });
+
+  it("returns false when placementTargetsFor throws (conservative direction)", () => {
+    // copilot has globalTarget=null. `--global` with copilot throws
+    // inside placementTargetsFor. placementsAreComplete catches the
+    // throw and returns false so we drop the ETag and the
+    // downstream write loop surfaces the same error with the
+    // correct typed exception.
+    const skills = {
+      "alice/skill": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    assert.equal(
+      placementsAreComplete(skills, ["copilot"], true),
+      false,
+    );
+  });
+
+  it("skips malformed skill keys (no slash) without crashing", () => {
+    seedSkillMd("claudeProject", "good");
+    const skills = {
+      "alice/good": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+      // Malformed key — no slash. Should be silently skipped so a
+      // corrupt entry doesn't poison the whole check.
+      "no-slash-key": {
+        version: "1.0.0",
+        skillMdSha256: "a".repeat(64),
+        filesSha256: "b".repeat(64),
+        syncedAt: "x",
+      },
+    };
+    // Returns true because the valid skill is on disk and the
+    // malformed entry is skipped (continue) — no false negative.
+    assert.equal(placementsAreComplete(skills, ["claudeCode"], false), true);
+  });
+});