skillrepo 4.5.2 → 4.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillrepo",
-  "version": "4.5.2",
+  "version": "4.6.0",
   "description": "Pull-based CLI for agent skills — init, sync, search, add, remove your library from any IDE",
   "type": "module",
   "bin": {

package/src/commands/list.mjs

@@ -56,7 +56,14 @@ export async function runList(argv, io = {}) {
   const stdout = io.stdout ?? process.stdout;
   const flags = resolveFlags(argv);
 
-  const libraryResponse = await getLibrary(flags.serverUrl, flags.apiKey);
+  // `list` is a read-only drift check — it must NEVER set sync state.
+  // Use the manifest read (#1832): metadata only, no file bodies, and the
+  // server records no delivery for it. Per-skill drift is computed from
+  // on-disk SHAs + `.last-sync` below, never from the response body, so
+  // the empty `files` array a manifest returns is irrelevant here.
+  const libraryResponse = await getLibrary(flags.serverUrl, flags.apiKey, {
+    manifest: true,
+  });
 
   // Defensive guard: `list` calls getLibrary without an If-None-Match
   // header so it can't legitimately receive a 304 today. But getLibrary's

package/src/lib/http.mjs

@@ -305,10 +305,20 @@ async function mapErrorResponse(res, url) {
   if (res.status === 401) {
     // Derive the auth URL from the request URL's origin so users
     // running against staging see a staging hint, not a prod hint.
-    // `url` here is the full request URL (e.g.
-    // https://staging.skillrepo.dev/api/v1/library); `new URL(...).origin`
-    // gives us "https://staging.skillrepo.dev" which is what
-    // `cliAuthUrl` expects.
+    // `url` here is the full request URL — typically
+    // `https://staging.skillrepo.dev/api/v1/library` (canonical) or
+    // `https://api.staging.skillrepo.dev/v1/library` (subdomain alias
+    // per #1588). `new URL(...).origin` strips back to the host —
+    // `https://staging.skillrepo.dev` or `https://api.staging.skillrepo.dev`
+    // — and `cliAuthUrl` builds the `/cli/auth` URL from there.
+    //
+    // Known limitation: if the request URL uses the api.* / mcp.*
+    // subdomain, the resulting auth hint URL points at that subdomain
+    // (`https://api.staging.skillrepo.dev/cli/auth`), which 404s
+    // because /cli/auth only lives on the canonical host. Today the
+    // CLI defaults to the canonical URL so this is latent; surfaces
+    // only when a user passes `--url https://api.<env>.skillrepo.dev`
+    // explicitly. Tracked separately — not blocking this PR.
     let authUrl = DEFAULT_CLI_AUTH_URL;
     try {
       authUrl = cliAuthUrl(new URL(url).origin);
@@ -526,12 +536,20 @@ export async function validateAccessKey(serverUrl, apiKey, source = "validate")
  * @param {object} [opts]
  * @param {string} [opts.ifNoneMatch] - ETag to send as If-None-Match
  * @param {string} [opts.since]       - ISO timestamp for delta filter
+ * @param {boolean} [opts.manifest]   - Request a metadata-only manifest:
+ *   the server returns empty `files` for every skill and records NO
+ *   delivery. Used by `skillrepo list` for a read-only drift check that
+ *   must not set sync state (#1832).
  * @returns {Promise<LibrarySyncResult>}
  */
 export async function getLibrary(serverUrl, apiKey, opts = {}) {
   const base = normalizeUrl(serverUrl);
   const params = new URLSearchParams();
   if (opts.since) params.set("since", opts.since);
+  // Manifest mode (#1832): metadata-only, non-recording read used by
+  // `skillrepo list`. A peek must not set sync state, so the server
+  // returns empty `files` and records no delivery for this request.
+  if (opts.manifest) params.set("manifest", "1");
   const url = params.toString()
     ? `${base}/api/v1/library?${params.toString()}`
     : `${base}/api/v1/library`;
@@ -573,6 +591,56 @@ export async function getLibrary(serverUrl, apiKey, opts = {}) {
   };
 }
 
+/**
+ * POST /api/v1/library/sync-receipts — report confirmed local writes (#1832).
+ *
+ * Called by `runSync` AFTER it successfully writes skill files to disk.
+ * Carries the (owner, name, version) pairs actually written so the server
+ * records sync state from a confirmed write, never from a fetch response.
+ *
+ * Best-effort + retryable: the receipt is telemetry and the files are
+ * already on disk by the time we call this, so callers treat a failure as
+ * a non-fatal warning. Transient 5xx / network failures retry — the server
+ * dedups by `(user, skill, version, UTC day)` and stamps idempotently, so
+ * a replay is safe. A non-2xx after retries throws a typed error.
+ *
+ * @param {string} serverUrl
+ * @param {string} apiKey
+ * @param {object} receipt
+ * @param {{owner: string, name: string, version: string}[]} receipt.skills
+ *   The skills written to disk this sync. Empty array is a valid no-op.
+ * @param {string} receipt.syncedAt - ISO timestamp of the sync.
+ * @returns {Promise<{recorded: number}>}
+ */
+export async function postSyncReceipt(serverUrl, apiKey, receipt) {
+  const url = `${normalizeUrl(serverUrl)}/api/v1/library/sync-receipts`;
+  const res = await safeFetch(url, {
+    method: "POST",
+    headers: {
+      ...(await authHeaders(apiKey)),
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({
+      syncedAt: receipt.syncedAt,
+      skills: receipt.skills,
+    }),
+    // Idempotent server-side (dedup bucket + idempotent UPDATE), so a
+    // transient 5xx / network blip is safe to retry.
+    retry: true,
+  });
+  if (!res.ok) {
+    const err = await mapErrorResponse(res, url);
+    if (err === null) {
+      throw validationError(
+        `The server at ${normalizeUrl(serverUrl)} does not expose ` +
+          `/api/v1/library/sync-receipts. Is --url correct?`,
+      );
+    }
+    throw err;
+  }
+  return parseJsonOrThrow(res, url);
+}
+
 // ── /api/v1/skills/[owner]/[name] ───────────────────────────────────────
 
 /**

package/src/lib/sync.mjs

@@ -87,7 +87,7 @@
 import { existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 
-import { getLibrary } from "./http.mjs";
+import { getLibrary, postSyncReceipt } from "./http.mjs";
 import {
   writeSkillDir,
   removeSkillDir,
@@ -606,6 +606,11 @@ export async function runSync(options) {
   let anyIncomplete = false;
   /** @type {Record<string, SyncedSkillEntry>} */
   const skillsMap = {};
+  // Skills actually written to disk this sync, for the confirmed-write
+  // receipt (#1832). Only what we WRITE this round — carry-forward skills
+  // were reported on the sync that wrote them.
+  /** @type {{owner: string, name: string, version: string}[]} */
+  const writtenThisSync = [];
   // Carry forward entries from the previous sync for skills we did
   // NOT re-fetch this round. A delta sync that touched 2 of 50
   // skills must keep the other 48's metadata — otherwise the
@@ -669,6 +674,17 @@ export async function runSync(options) {
         syncedAt: result.syncedAt,
       };
     }
+
+    // Record this write for the sync receipt (#1832). Only entries with a
+    // real version label can resolve to a delivery server-side, so skip
+    // null/empty versions (a skill with no current published version).
+    if (typeof skill.version === "string" && skill.version !== "") {
+      writtenThisSync.push({
+        owner: skill.owner,
+        name: skill.name,
+        version: skill.version,
+      });
+    }
   }
 
   // Step 7: persist new ETag + skills map (only if the response was
@@ -696,6 +712,28 @@ export async function runSync(options) {
     }
   }
 
+  // Post a sync receipt for the skills actually written this sync
+  // (#1832). This confirmed-write signal — not the fetch itself — is what
+  // sets team sync state. Independent of the ETag persist above: skills
+  // skipped for `filesIncomplete` are excluded from `writtenThisSync`, so
+  // a partial sync still reports exactly what landed on disk. Best-effort:
+  // the files are already written and the server dedups replays, so a
+  // failed receipt is a non-fatal warning, never a sync failure.
+  if (writtenThisSync.length > 0) {
+    try {
+      await postSyncReceipt(serverUrl, apiKey, {
+        skills: writtenThisSync,
+        syncedAt: result.syncedAt,
+      });
+    } catch (err) {
+      stderr.write(
+        `  warning: failed to report sync receipt (${err.message}). ` +
+          `Your skills are synced locally; team sync status may lag until ` +
+          `your next sync.\n`,
+      );
+    }
+  }
+
   return summary;
 }
 

package/src/test/commands/list.test.mjs

@@ -92,6 +92,20 @@ describe("runList — happy path", () => {
     assert.match(out, /2 skills in your library/);
   });
 
+  it("makes a non-recording manifest read (#1832)", async () => {
+    server.setLibraryResponse({
+      skills: [makeSkill("alice", "pdf-helper")],
+      removals: [],
+      syncedAt: "x",
+    });
+    await runList(["--key", VALID_KEY, "--url", serverUrl], { stdout });
+    // `list` is a peek — it must hit the metadata-only manifest path so
+    // the server records no delivery for it...
+    assert.equal(server.getLastLibraryManifest(), "1");
+    // ...and it never posts a sync receipt (that's a write-confirm signal).
+    assert.equal(server.getReceiptRequestCount(), 0);
+  });
+
   it("sorts alphabetically by owner then name", async () => {
     server.setLibraryResponse({
       skills: [

package/src/test/e2e/mock-server.mjs

@@ -91,6 +91,19 @@ export function createMockServer(initialPayload, options = {}) {
   /** @type {string | null} */
   let lastLibrarySince = null;
   let libraryRequestCount = 0;
+  // #1832 — `?manifest=1` capture for the GET /api/v1/library route so
+  // tests can assert `skillrepo list` made the non-recording manifest read.
+  /** @type {string | null} */
+  let lastLibraryManifest = null;
+
+  // #1832 — POST /api/v1/library/sync-receipts inspection + response slot.
+  // `lastReceipt` holds the most recent JSON-parsed receipt body;
+  // `receiptResponse` overrides the default 200 so tests can simulate
+  // failures (the CLI treats a failed receipt as a non-fatal warning).
+  let lastReceipt = null;
+  let receiptRequestCount = 0;
+  /** @type {{ status: number, body: any } | null} */
+  let receiptResponse = null;
 
   // PR3a mutable slots for POST/DELETE library routes
   //
@@ -274,6 +287,41 @@ export function createMockServer(initialPayload, options = {}) {
       return;
     }
 
+    // ── #1832: POST /api/v1/library/sync-receipts (confirmed-write) ─
+    //
+    // The CLI posts this after `runSync` writes skills to disk. Default
+    // 200 echoes a `recorded` count; tests can override via
+    // setReceiptResponse to exercise the non-fatal-warning path.
+    if (
+      url.pathname === "/api/v1/library/sync-receipts" &&
+      req.method === "POST"
+    ) {
+      if (!checkAuth(req, res)) return;
+      let body;
+      try {
+        body = rawBody.length > 0 ? JSON.parse(rawBody) : {};
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({ error: "Body must be JSON", code: "bad_request" }),
+        );
+        return;
+      }
+      lastReceipt = body;
+      receiptRequestCount++;
+      if (receiptResponse) {
+        res.writeHead(receiptResponse.status, {
+          "Content-Type": "application/json",
+        });
+        res.end(JSON.stringify(receiptResponse.body ?? {}));
+        return;
+      }
+      const recorded = Array.isArray(body?.skills) ? body.skills.length : 0;
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ recorded }));
+      return;
+    }
+
     // ── #1452: POST /api/v1/library (multipart file-push) ──────────
     //
     // Accepts multipart/form-data and returns a synthesized
@@ -507,6 +555,7 @@ export function createMockServer(initialPayload, options = {}) {
       const sinceParam = url.searchParams.get("since");
       lastLibraryIfNoneMatch = ifNoneMatch ?? null;
       lastLibrarySince = sinceParam ?? null;
+      lastLibraryManifest = url.searchParams.get("manifest");
       libraryRequestCount++;
       if (libraryEtag && ifNoneMatch === libraryEtag) {
         res.writeHead(304, { ETag: libraryEtag });
@@ -673,9 +722,53 @@ export function createMockServer(initialPayload, options = {}) {
     resetLibraryInspection() {
       lastLibraryIfNoneMatch = null;
       lastLibrarySince = null;
+      lastLibraryManifest = null;
       libraryRequestCount = 0;
     },
 
+    /**
+     * Inspect the inbound `?manifest=` query param from the LAST request
+     * to GET /api/v1/library. `"1"` means the client made the
+     * non-recording manifest read (#1832, `skillrepo list`); `null`
+     * means a normal recording sync.
+     */
+    getLastLibraryManifest() {
+      return lastLibraryManifest;
+    },
+
+    // ── #1832: sync-receipt slots ─────────────────────────────────
+
+    /**
+     * Return the most recent POST /api/v1/library/sync-receipts body
+     * (JSON-parsed), or null if none received. Tests assert on
+     * `.skills` (the confirmed-write list) and `.syncedAt`.
+     */
+    getLastReceipt() {
+      return lastReceipt;
+    },
+
+    /** Count of sync-receipt POSTs since server start or reset. */
+    getReceiptRequestCount() {
+      return receiptRequestCount;
+    },
+
+    /**
+     * Override the sync-receipt response to simulate a failure (e.g.
+     * `{ status: 500, body: { error: "boom" } }`). The CLI treats a
+     * failed receipt as a non-fatal warning, so tests use this to
+     * assert the sync still succeeds. Pass null to restore the 200.
+     */
+    setReceiptResponse(override) {
+      receiptResponse = override;
+    },
+
+    /** Reset sync-receipt inspection slots. */
+    resetReceipts() {
+      lastReceipt = null;
+      receiptRequestCount = 0;
+      receiptResponse = null;
+    },
+
     /** Register a single-skill response keyed by `owner/name`. */
     setSkillResponse(owner, name, skill) {
       skillResponses.set(`${owner}/${name}`, skill);

package/src/test/lib/http.test.mjs

@@ -35,6 +35,7 @@ import { once } from "node:events";
 import {
   validateAccessKey,
   getLibrary,
+  postSyncReceipt,
   getSkill,
   searchSkills,
   addSkillToLibrary,
@@ -520,6 +521,20 @@ describe("getLibrary", () => {
     }
   });
 
+  it("sends manifest=1 when the manifest option is set (#1832)", async () => {
+    let capturedUrl;
+    const srv = await startServer((req, res) => {
+      capturedUrl = req.url;
+      jsonRes(res, 200, { skills: [], removals: [], syncedAt: "x" });
+    });
+    try {
+      await getLibrary(srv.url, VALID_KEY, { manifest: true });
+      assert.match(capturedUrl, /[?&]manifest=1/);
+    } finally {
+      await srv.close();
+    }
+  });
+
   it("tolerates missing fields in the response (defaults applied)", async () => {
     const srv = await startServer((req, res) => {
       jsonRes(res, 200, {});
@@ -563,6 +578,94 @@ describe("getLibrary", () => {
   });
 });
 
+// ── postSyncReceipt ─────────────────────────────────────────────────────
+
+describe("postSyncReceipt", () => {
+  it("POSTs the receipt body and returns the parsed result", async () => {
+    const srv = await startServer((req, res) => {
+      jsonRes(res, 200, { recorded: 2 });
+    });
+    try {
+      const result = await postSyncReceipt(srv.url, VALID_KEY, {
+        syncedAt: "2025-06-01T00:00:00Z",
+        skills: [
+          { owner: "alice", name: "pdf-helper", version: "1.0" },
+          { owner: "bob", name: "code-review", version: "2.1" },
+        ],
+      });
+      assert.equal(result.recorded, 2);
+      assert.equal(srv.lastRequest.method, "POST");
+      assert.match(srv.lastRequest.url, /\/api\/v1\/library\/sync-receipts$/);
+      assert.equal(
+        srv.lastRequest.headers.authorization,
+        `Bearer ${VALID_KEY}`,
+      );
+      assert.match(
+        srv.lastRequest.headers["content-type"],
+        /application\/json/,
+      );
+      const sent = JSON.parse(srv.lastRequest.body);
+      assert.equal(sent.syncedAt, "2025-06-01T00:00:00Z");
+      assert.equal(sent.skills.length, 2);
+      assert.deepEqual(sent.skills[0], {
+        owner: "alice",
+        name: "pdf-helper",
+        version: "1.0",
+      });
+    } finally {
+      await srv.close();
+    }
+  });
+
+  it("throws authError on 401", async () => {
+    const srv = await startServer((req, res) =>
+      jsonRes(res, 401, { error: "nope" }),
+    );
+    try {
+      await assert.rejects(
+        () =>
+          postSyncReceipt(srv.url, VALID_KEY, { syncedAt: "x", skills: [] }),
+        (err) => err instanceof CliError && err.exitCode === EXIT_AUTH,
+      );
+    } finally {
+      await srv.close();
+    }
+  });
+
+  it("throws validationError on 404 (endpoint missing — wrong URL)", async () => {
+    const srv = await startServer((req, res) =>
+      jsonRes(res, 404, { error: "nope" }),
+    );
+    try {
+      await assert.rejects(
+        () =>
+          postSyncReceipt(srv.url, VALID_KEY, { syncedAt: "x", skills: [] }),
+        (err) => err instanceof CliError && err.exitCode === EXIT_VALIDATION,
+      );
+    } finally {
+      await srv.close();
+    }
+  });
+
+  it("throws networkError on a persistent 5xx (runSync treats it as non-fatal)", async () => {
+    // Pins the http-layer contract: a 5xx must THROW so runSync's
+    // try/catch surfaces the non-fatal warning. If this ever started
+    // returning null instead, the warning path would silently break.
+    const srv = await startServer((req, res) =>
+      jsonRes(res, 500, { error: "boom" }),
+    );
+    try {
+      await assert.rejects(
+        () =>
+          postSyncReceipt(srv.url, VALID_KEY, { syncedAt: "x", skills: [] }),
+        (err) => err instanceof CliError && err.exitCode === EXIT_NETWORK,
+      );
+    } finally {
+      await srv.close();
+    }
+  });
+});
+
 // ── getSkill ────────────────────────────────────────────────────────────
 
 describe("getSkill", () => {

package/src/test/lib/mcp-merge.test.mjs

@@ -76,7 +76,7 @@ describe("mergeMcpForVendors — happy path", () => {
   it("creates .mcp.json when it does not exist (claudeCode)", async () => {
     const results = await mergeMcpForVendors({
       vendors: ["claudeCode"],
-      mcpUrl: "https://skillrepo.dev/api/mcp",
+      mcpUrl: "https://mcp.skillrepo.dev",
       yes: true,
       io: { stdout, stderr },
     });
@@ -88,7 +88,7 @@ describe("mergeMcpForVendors — happy path", () => {
     const mcp = JSON.parse(readFileSync(join(process.cwd(), ".mcp.json"), "utf-8"));
     assert.ok(mcp.mcpServers?.skillrepo);
     assert.equal(mcp.mcpServers.skillrepo.type, "http");
-    assert.equal(mcp.mcpServers.skillrepo.url, "https://skillrepo.dev/api/mcp");
+    assert.equal(mcp.mcpServers.skillrepo.url, "https://mcp.skillrepo.dev");
   });
 
   it("merges into existing .mcp.json preserving other servers", async () => {

package/src/test/lib/sync.test.mjs

@@ -390,6 +390,124 @@ describe("runSync — write skills", () => {
   });
 });
 
+// ── runSync — sync receipts (#1832) ────────────────────────────────────
+
+describe("runSync — sync receipts (#1832)", () => {
+  beforeEach(setupServer);
+  afterEach(teardownServer);
+
+  it("posts a receipt with the skills it wrote", async () => {
+    server.setLibraryResponse({
+      skills: [makeSkill("pdf-helper"), makeSkill("code-review")],
+      removals: [],
+      syncedAt: "2025-06-01T00:00:00Z",
+    });
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+
+    assert.equal(server.getReceiptRequestCount(), 1);
+    const receipt = server.getLastReceipt();
+    assert.equal(receipt.syncedAt, "2025-06-01T00:00:00Z");
+    const names = receipt.skills.map((s) => s.name).sort();
+    assert.deepEqual(names, ["code-review", "pdf-helper"]);
+    for (const s of receipt.skills) {
+      assert.equal(s.owner, "alice");
+      assert.equal(s.version, "1.0.0");
+    }
+  });
+
+  it("does NOT post a receipt on a 304 (nothing written)", async () => {
+    server.setEtag('"v1"');
+    server.setLibraryResponse({
+      skills: [makeSkill("pdf-helper")],
+      removals: [],
+      syncedAt: "2025-06-01T00:00:00Z",
+    });
+    // First sync writes + posts a receipt.
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+    assert.equal(server.getReceiptRequestCount(), 1);
+    server.resetReceipts();
+
+    // Second sync 304-short-circuits (etag matches, placement present).
+    const result = await runSync({
+      serverUrl,
+      apiKey: VALID_KEY,
+      vendors: ["claudeCode"],
+    });
+    assert.equal(result.notModified, true);
+    assert.equal(server.getReceiptRequestCount(), 0);
+  });
+
+  it("excludes a filesIncomplete skill from the receipt", async () => {
+    const incomplete = makeSkill("incomplete");
+    incomplete.filesIncomplete = true;
+    server.setLibraryResponse({
+      skills: [incomplete, makeSkill("complete")],
+      removals: [],
+      syncedAt: "x",
+    });
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+
+    const receipt = server.getLastReceipt();
+    assert.deepEqual(
+      receipt.skills.map((s) => s.name),
+      ["complete"],
+    );
+  });
+
+  it("does NOT post a receipt when ALL skills are filesIncomplete", async () => {
+    // Distinct branch from the mixed case above: `writtenThisSync` stays
+    // empty, so the `writtenThisSync.length > 0` guard skips the POST.
+    const a = makeSkill("inc-a");
+    a.filesIncomplete = true;
+    const b = makeSkill("inc-b");
+    b.filesIncomplete = true;
+    server.setLibraryResponse({ skills: [a, b], removals: [], syncedAt: "x" });
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+    assert.equal(server.getReceiptRequestCount(), 0);
+  });
+
+  it("omits skills with no version label from the receipt", async () => {
+    const draft = makeSkill("draft");
+    draft.version = null;
+    server.setLibraryResponse({
+      skills: [draft, makeSkill("published")],
+      removals: [],
+      syncedAt: "x",
+    });
+    await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
+
+    const receipt = server.getLastReceipt();
+    assert.deepEqual(
+      receipt.skills.map((s) => s.name),
+      ["published"],
+    );
+  });
+
+  it("a failed receipt POST is non-fatal — the sync still succeeds", async () => {
+    const { createCaptureStream } = await import(
+      "../helpers/capture-stream.mjs"
+    );
+    const stderr = createCaptureStream();
+    server.setReceiptResponse({ status: 500, body: { error: "boom" } });
+    server.setLibraryResponse({
+      skills: [makeSkill("pdf-helper")],
+      removals: [],
+      syncedAt: "x",
+    });
+    const result = await runSync({
+      serverUrl,
+      apiKey: VALID_KEY,
+      vendors: ["claudeCode"],
+      io: { stderr },
+    });
+    // Files still written, summary intact despite the receipt failure.
+    assert.equal(result.added, 1);
+    const dir = resolvePlacementDir("claudeProject", "pdf-helper");
+    assert.ok(existsSync(join(dir, "SKILL.md")));
+    assert.match(stderr.text(), /failed to report sync receipt/);
+  });
+});
+
 // ── runSync — skills map population (v2) ───────────────────────────────
 //
 // #1553 — every successful sync populates `.last-sync.skills` with the
@@ -684,6 +802,9 @@ describe("runSync — tombstones", () => {
     });
     await runSync({ serverUrl, apiKey: VALID_KEY, vendors: ["claudeCode"] });
     assert.ok(existsSync(resolvePlacementDir("claudeProject", "doomed")));
+    // Reset receipt tracking so the tombstone-only sync below is measured
+    // from zero (the first sync legitimately posted one).
+    server.resetReceipts();
 
     // Now the server says it's removed (the response has the tombstone
     // AND the skill is no longer in skills[])
@@ -700,6 +821,8 @@ describe("runSync — tombstones", () => {
     });
     assert.equal(result.removed, 1);
     assert.ok(!existsSync(resolvePlacementDir("claudeProject", "doomed")));
+    // A tombstone-only sync writes nothing → posts no receipt (#1832).
+    assert.equal(server.getReceiptRequestCount(), 0);
   });
 
   it("applies removals BEFORE writes (re-add scenario)", async () => {

package/src/test/mergers/claude-mcp.test.mjs

@@ -22,14 +22,14 @@ afterEach(() => {
 describe("Claude Code MCP config merger", () => {
   it("creates .mcp.json when file does not exist", async () => {
     const { mergeClaudeMcpConfig } = await import("../../lib/mergers/claude-mcp.mjs");
-    const result = mergeClaudeMcpConfig("https://skillrepo.dev/api/mcp");
+    const result = mergeClaudeMcpConfig("https://mcp.skillrepo.dev");
 
     assert.equal(result.action, "created");
     assert.equal(result.path, ".mcp.json");
 
     const content = JSON.parse(readFileSync(join(tempDir, ".mcp.json"), "utf-8"));
     assert.equal(content.mcpServers.skillrepo.type, "http");
-    assert.equal(content.mcpServers.skillrepo.url, "https://skillrepo.dev/api/mcp");
+    assert.equal(content.mcpServers.skillrepo.url, "https://mcp.skillrepo.dev");
     assert.equal(content.mcpServers.skillrepo.headers.Authorization, "Bearer ${SKILLREPO_ACCESS_KEY}");
   });
 
@@ -44,7 +44,7 @@ describe("Claude Code MCP config merger", () => {
     };
     writeFileSync(join(tempDir, ".mcp.json"), JSON.stringify(existing));
 
-    const result = mergeClaudeMcpConfig("https://skillrepo.dev/api/mcp");
+    const result = mergeClaudeMcpConfig("https://mcp.skillrepo.dev");
 
     assert.equal(result.action, "merged"); // adding to existing file
     const content = JSON.parse(readFileSync(join(tempDir, ".mcp.json"), "utf-8"));
@@ -73,6 +73,6 @@ describe("Claude Code MCP config merger", () => {
     const { mergeClaudeMcpConfig } = await import("../../lib/mergers/claude-mcp.mjs");
     writeFileSync(join(tempDir, ".mcp.json"), "not json");
 
-    assert.throws(() => mergeClaudeMcpConfig("https://skillrepo.dev/api/mcp"), /invalid JSON/);
+    assert.throws(() => mergeClaudeMcpConfig("https://mcp.skillrepo.dev"), /invalid JSON/);
   });
 });

package/src/test/mergers/uninstall-claude-mcp.test.mjs

@@ -59,7 +59,7 @@ describe("removeClaudeMcp", () => {
           mcpServers: {
             skillrepo: {
               type: "http",
-              url: "https://skillrepo.dev/api/mcp",
+              url: "https://mcp.skillrepo.dev",
               headers: { Authorization: "Bearer ${SKILLREPO_ACCESS_KEY}" },
             },
             otherTool: {

package/src/test/mergers/uninstall-vscode-mcp.test.mjs

@@ -61,7 +61,7 @@ describe("removeVscodeMcp", () => {
           servers: {
             skillrepo: {
               type: "http",
-              url: "https://skillrepo.dev/api/mcp",
+              url: "https://mcp.skillrepo.dev",
               headers: { Authorization: "Bearer ${input:skillrepo-api-key}" },
             },
             anotherTool: {