skillvault-publisher 0.11.1 → 0.11.2

package/dist/credentials.js

@@ -15,10 +15,60 @@
  *      Stored at <roots.configDir>/project.json. Tracks active publishers and
  *      install metadata for one install (project- or global-scoped).
  */
-import { mkdirSync, readFileSync, writeFileSync, rmSync, existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { mkdirSync, readFileSync, writeFileSync, rmSync, existsSync, openSync, closeSync, unlinkSync, } from 'node:fs';
+import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { credentialsPath } from './scope.js';
+/**
+ * Run `fn` while holding an exclusive advisory lock on `<targetPath>.lock`.
+ * Mirrors the helper in projects-registry.ts. See that file for design notes.
+ */
+function withFileLock(targetPath, fn) {
+    const lockPath = targetPath + '.lock';
+    mkdirSync(dirname(lockPath), { recursive: true });
+    const start = Date.now();
+    const TIMEOUT_MS = 1000;
+    let fd = null;
+    while (fd === null) {
+        try {
+            fd = openSync(lockPath, 'wx', 0o600);
+        }
+        catch (err) {
+            const code = err.code;
+            if (code !== 'EEXIST')
+                throw err;
+            if (Date.now() - start > TIMEOUT_MS) {
+                try {
+                    unlinkSync(lockPath);
+                }
+                catch { }
+                try {
+                    fd = openSync(lockPath, 'wx', 0o600);
+                }
+                catch {
+                    throw new Error(`Could not acquire lock at ${lockPath} after ${TIMEOUT_MS}ms`);
+                }
+                break;
+            }
+            const buf = new SharedArrayBuffer(4);
+            const view = new Int32Array(buf);
+            Atomics.wait(view, 0, 0, 5 + Math.floor(Math.random() * 10));
+        }
+    }
+    try {
+        return fn();
+    }
+    finally {
+        try {
+            closeSync(fd);
+        }
+        catch { }
+        try {
+            unlinkSync(lockPath);
+        }
+        catch { }
+    }
+}
 const CONFIG_DIR = join(homedir(), '.skillvault');
 const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
 const GRANTS_CACHE_FILE = join(CONFIG_DIR, 'grants-cache.json');
@@ -73,10 +123,15 @@ export function loadCredentials() {
 /**
  * Persist customer credentials to ~/.skillvault/credentials.json with mode 0600.
  * The credentials file holds bearer tokens, so it must never be world-readable.
+ *
+ * Wrapped in withFileLock to serialize concurrent writes — see the equivalent
+ * fix in projects-registry.ts.
  */
 export function saveCredentials(creds) {
-    ensureConfigDir();
-    writeFileSync(credentialsPath(), JSON.stringify(creds, null, 2), { mode: 0o600 });
+    withFileLock(credentialsPath(), () => {
+        ensureConfigDir();
+        writeFileSync(credentialsPath(), JSON.stringify(creds, null, 2), { mode: 0o600 });
+    });
 }
 function projectConfigPath(roots) {
     return join(roots.configDir, 'project.json');

package/dist/index.js

@@ -151807,7 +151807,7 @@ var init_pdf_report = __esm({
 import { Command as Command35 } from "commander";
 import { readFileSync as readFileSync18 } from "node:fs";
 import { fileURLToPath } from "node:url";
-import { dirname as dirname4, join as join17 } from "node:path";
+import { dirname as dirname5, join as join17 } from "node:path";
 
 // dist/commands/login.js
 import { Command } from "commander";
@@ -151815,8 +151815,8 @@ import chalk from "chalk";
 import { randomBytes } from "node:crypto";
 
 // dist/credentials.js
-import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, rmSync, existsSync as existsSync2 } from "node:fs";
-import { join as join2 } from "node:path";
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, rmSync, existsSync as existsSync2, openSync as openSync2, closeSync as closeSync2, unlinkSync as unlinkSync2 } from "node:fs";
+import { join as join2, dirname as dirname2 } from "node:path";
 import { homedir as homedir2 } from "node:os";
 
 // dist/scope.js
@@ -151824,7 +151824,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 
 // dist/projects-registry.js
-import { mkdirSync, readFileSync, writeFileSync, existsSync, statSync } from "node:fs";
+import { mkdirSync, readFileSync, writeFileSync, existsSync, statSync, openSync, closeSync, unlinkSync } from "node:fs";
 import { dirname, resolve } from "node:path";
 
 // dist/credentials.js
@@ -152534,7 +152534,7 @@ import chalk4 from "chalk";
 
 // dist/publisher-workspace.js
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, existsSync as existsSync4 } from "node:fs";
-import { join as join4, dirname as dirname2, resolve as resolve2 } from "node:path";
+import { join as join4, dirname as dirname3, resolve as resolve2 } from "node:path";
 import { homedir as homedir3 } from "node:os";
 var MANIFEST_DIRNAME = ".skillvault-publisher";
 var MANIFEST_FILENAME = "workspace.json";
@@ -152582,7 +152582,7 @@ function loadWorkspace(dir) {
 }
 function saveWorkspace(dir, manifest) {
   const { manifestPath } = workspaceRootsFor(dir);
-  mkdirSync4(dirname2(manifestPath), { recursive: true });
+  mkdirSync4(dirname3(manifestPath), { recursive: true });
   writeFileSync4(manifestPath, JSON.stringify(manifest, null, 2), { mode: 420 });
 }
 function findWorkspace(cwd) {
@@ -152605,7 +152605,7 @@ function findWorkspace(cwd) {
       return null;
     if (dir === home)
       return null;
-    const parent = dirname2(dir);
+    const parent = dirname3(dir);
     if (parent === dir)
       return null;
     dir = parent;
@@ -152696,7 +152696,7 @@ function requireCommandContext(opts = {}) {
 
 // dist/publisher-workspaces-registry.js
 import { mkdirSync as mkdirSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync5, existsSync as existsSync5, statSync as statSync2 } from "node:fs";
-import { dirname as dirname3, join as join5, resolve as resolve3 } from "node:path";
+import { dirname as dirname4, join as join5, resolve as resolve3 } from "node:path";
 import { homedir as homedir4 } from "node:os";
 var REGISTRY_VERSION = 1;
 var MANIFEST_DIRNAME2 = ".skillvault-publisher";
@@ -152722,7 +152722,7 @@ function readRegistry() {
 }
 function writeRegistry(reg) {
   const path = publisherWorkspacesRegistryPath();
-  mkdirSync5(dirname3(path), { recursive: true });
+  mkdirSync5(dirname4(path), { recursive: true });
   writeFileSync5(path, JSON.stringify(reg, null, 2), { mode: 384 });
 }
 function listWorkspaces() {
@@ -154307,12 +154307,12 @@ var inviteCommand = new Command15("invite").description("Manage customer invites
 
 // dist/commands/scan-output.js
 import { Command as Command16 } from "commander";
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, mkdirSync as mkdirSync8, existsSync as existsSync11, readdirSync as readdirSync3, unlinkSync as unlinkSync2 } from "node:fs";
+import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, mkdirSync as mkdirSync8, existsSync as existsSync11, readdirSync as readdirSync3, unlinkSync as unlinkSync4 } from "node:fs";
 import { join as join11 } from "node:path";
 import { homedir as homedir6 } from "node:os";
 
 // dist/commands/session-common.js
-import { readFileSync as readFileSync11, writeFileSync as writeFileSync7, mkdirSync as mkdirSync7, existsSync as existsSync10, unlinkSync } from "node:fs";
+import { readFileSync as readFileSync11, writeFileSync as writeFileSync7, mkdirSync as mkdirSync7, existsSync as existsSync10, unlinkSync as unlinkSync3 } from "node:fs";
 import { join as join10 } from "node:path";
 import { homedir as homedir5 } from "node:os";
 import { createCipheriv as createCipheriv4, createDecipheriv as createDecipheriv4, randomBytes as randomBytes6, hkdfSync as hkdfSync2 } from "node:crypto";
@@ -154372,7 +154372,7 @@ function loadActiveSession() {
       const decrypted = decryptData(raw, HKDF_SALT2);
       if (!decrypted) {
         try {
-          unlinkSync(ACTIVE_SESSION_PATH);
+          unlinkSync3(ACTIVE_SESSION_PATH);
         } catch {
         }
         return null;
@@ -154380,7 +154380,7 @@ function loadActiveSession() {
       const session2 = JSON.parse(decrypted);
       if (new Date(session2.expires_at).getTime() < Date.now()) {
         try {
-          unlinkSync(ACTIVE_SESSION_PATH);
+          unlinkSync3(ACTIVE_SESSION_PATH);
         } catch {
         }
         return null;
@@ -154392,7 +154392,7 @@ function loadActiveSession() {
       return null;
     if (new Date(session.expires_at).getTime() < Date.now()) {
       try {
-        unlinkSync(ACTIVE_SESSION_PATH);
+        unlinkSync3(ACTIVE_SESSION_PATH);
       } catch {
       }
       return null;
@@ -154405,7 +154405,7 @@ function loadActiveSession() {
 function deleteActiveSession() {
   try {
     if (existsSync10(ACTIVE_SESSION_PATH)) {
-      unlinkSync(ACTIVE_SESSION_PATH);
+      unlinkSync3(ACTIVE_SESSION_PATH);
     }
   } catch {
   }
@@ -154466,7 +154466,7 @@ function loadFingerprints() {
         const decrypted = decryptData(raw, FINGERPRINT_HKDF_SALT);
         if (!decrypted) {
           try {
-            unlinkSync2(filePath);
+            unlinkSync4(filePath);
           } catch {
           }
           continue;
@@ -154776,7 +154776,7 @@ var sessionKeepaliveCommand = new Command18("session-keepalive").description("Un
 
 // dist/commands/session-cleanup.js
 import { Command as Command19 } from "commander";
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync9, existsSync as existsSync13, readdirSync as readdirSync4, unlinkSync as unlinkSync3 } from "node:fs";
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync9, existsSync as existsSync13, readdirSync as readdirSync4, unlinkSync as unlinkSync5 } from "node:fs";
 import { join as join13 } from "node:path";
 import { homedir as homedir8 } from "node:os";
 var SETTINGS_PATH2 = join13(homedir8(), ".claude", "settings.json");
@@ -154830,7 +154830,7 @@ function clearFingerprintCache() {
     const files = readdirSync4(FINGERPRINT_DIR3);
     for (const file of files) {
       try {
-        unlinkSync3(join13(FINGERPRINT_DIR3, file));
+        unlinkSync5(join13(FINGERPRINT_DIR3, file));
       } catch {
       }
     }
@@ -156161,7 +156161,7 @@ workspacesCommand.command("find").description("Print the absolute path of a work
 });
 
 // dist/index.js
-var __dirname2 = dirname4(fileURLToPath(import.meta.url));
+var __dirname2 = dirname5(fileURLToPath(import.meta.url));
 var pkg = JSON.parse(readFileSync18(join17(__dirname2, "..", "package.json"), "utf8"));
 var program = new Command35();
 program.name("skillvault-publisher").description("SkillVault publisher CLI \u2014 publish, manage, and distribute encrypted skills").version(pkg.version).addHelpText("after", `

package/dist/projects-registry.js

@@ -6,10 +6,80 @@
  * `getCurrentProject()` to figure out whether the current CWD already has a
  * registered SkillVault install.
  */
-import { mkdirSync, readFileSync, writeFileSync, existsSync, statSync } from 'node:fs';
+import { mkdirSync, readFileSync, writeFileSync, existsSync, statSync, openSync, closeSync, unlinkSync, } from 'node:fs';
 import { dirname, resolve } from 'node:path';
 import { projectsRegistryPath } from './scope.js';
 const REGISTRY_VERSION = 1;
+/**
+ * Run `fn` while holding an exclusive advisory lock on `<targetPath>.lock`.
+ *
+ * Uses `openSync(..., 'wx')` to atomically create the lockfile (POSIX
+ * O_EXCL semantics — exactly one process succeeds, the rest get EEXIST).
+ * On contention, busy-waits with a small backoff up to ~1s before giving
+ * up. The lockfile is unlinked on completion (success or thrown error)
+ * via try/finally so a crash mid-operation can't permanently wedge
+ * subsequent invocations — though if a process is SIGKILL'd between the
+ * openSync and the closeSync, the lockfile will linger and the next
+ * caller will time out and either inherit the stale lock (forced) or
+ * throw. For our use case (a single-user CLI doing read-modify-write on
+ * a small JSON file), 1s is plenty.
+ *
+ * Used by registerProject + unregisterProject to fix the lost-update race
+ * when two `--invite` commands run concurrently against the same
+ * ~/.skillvault/projects.json (audit scenario 12-concurrent-install).
+ */
+function withFileLock(targetPath, fn) {
+    const lockPath = targetPath + '.lock';
+    mkdirSync(dirname(lockPath), { recursive: true });
+    const start = Date.now();
+    const TIMEOUT_MS = 1000;
+    let fd = null;
+    while (fd === null) {
+        try {
+            fd = openSync(lockPath, 'wx', 0o600);
+        }
+        catch (err) {
+            const code = err.code;
+            if (code !== 'EEXIST')
+                throw err;
+            if (Date.now() - start > TIMEOUT_MS) {
+                // Stale lock — assume the previous holder crashed and reclaim it.
+                try {
+                    unlinkSync(lockPath);
+                }
+                catch { }
+                // Loop one more time, but if it still fails, throw.
+                try {
+                    fd = openSync(lockPath, 'wx', 0o600);
+                }
+                catch {
+                    throw new Error(`Could not acquire lock at ${lockPath} after ${TIMEOUT_MS}ms`);
+                }
+                break;
+            }
+            // Busy-wait briefly. The Node.js event loop is single-threaded so
+            // we can't yield to a peer process via Promise without making the
+            // function async — and registerProject is sync. Atomics.wait on a
+            // SharedArrayBuffer is the cleanest sync sleep:
+            const buf = new SharedArrayBuffer(4);
+            const view = new Int32Array(buf);
+            Atomics.wait(view, 0, 0, 5 + Math.floor(Math.random() * 10));
+        }
+    }
+    try {
+        return fn();
+    }
+    finally {
+        try {
+            closeSync(fd);
+        }
+        catch { }
+        try {
+            unlinkSync(lockPath);
+        }
+        catch { }
+    }
+}
 function readRegistry() {
     const path = projectsRegistryPath();
     if (!existsSync(path))
@@ -75,29 +145,39 @@ export function listProjects() {
 /**
  * Insert or update a project entry. Matching is by absolute path; if an entry
  * with the same path already exists, it is replaced.
+ *
+ * The read-modify-write is wrapped in withFileLock so two concurrent
+ * `--invite` calls can't race and lose one of each other's updates.
  */
 export function registerProject(entry) {
-    const reg = readRegistry();
-    const normalized = { ...entry, path: resolve(entry.path) };
-    const idx = reg.projects.findIndex((p) => resolve(p.path) === normalized.path);
-    if (idx >= 0) {
-        reg.projects[idx] = normalized;
-    }
-    else {
-        reg.projects.push(normalized);
-    }
-    writeRegistry(reg);
+    withFileLock(projectsRegistryPath(), () => {
+        const reg = readRegistry();
+        const normalized = { ...entry, path: resolve(entry.path) };
+        const idx = reg.projects.findIndex((p) => resolve(p.path) === normalized.path);
+        if (idx >= 0) {
+            reg.projects[idx] = normalized;
+        }
+        else {
+            reg.projects.push(normalized);
+        }
+        writeRegistry(reg);
+    });
 }
 /**
  * Remove the project entry whose path matches. No-op if not present.
+ *
+ * Wrapped in withFileLock for the same reason as registerProject — a
+ * concurrent uninstall + register would otherwise race.
  */
 export function unregisterProject(path) {
-    const reg = readRegistry();
-    const target = resolve(path);
-    const before = reg.projects.length;
-    reg.projects = reg.projects.filter((p) => resolve(p.path) !== target);
-    if (reg.projects.length !== before)
-        writeRegistry(reg);
+    withFileLock(projectsRegistryPath(), () => {
+        const reg = readRegistry();
+        const target = resolve(path);
+        const before = reg.projects.length;
+        reg.projects = reg.projects.filter((p) => resolve(p.path) !== target);
+        if (reg.projects.length !== before)
+            writeRegistry(reg);
+    });
 }
 /**
  * Look up the registry entry that matches the current working directory (or

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillvault-publisher",
-  "version": "0.11.1",
+  "version": "0.11.2",
   "description": "SkillVault publisher CLI — publish, manage, and distribute encrypted skills",
   "type": "module",
   "bin": {