tokrepo 3.1.2 → 3.3.0

package/bin/tokrepo.js

@@ -2,7 +2,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const crypto = require('crypto');
 const https = require('https');
 const http = require('http');
 const readline = require('readline');
@@ -22,10 +21,9 @@ const C = {
 
 const CONFIG_DIR = path.join(require('os').homedir(), '.tokrepo');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
-const SYNC_STATE_FILE = path.join(CONFIG_DIR, 'sync-state.json');
 const PROJECT_CONFIG = '.tokrepo.json';
 const DEFAULT_API = 'https://api.tokrepo.com';
-const CLI_VERSION = '3.1.1';
+const CLI_VERSION = '3.3.0';
 const VERSION_CHECK_FILE = path.join(require('os').homedir(), '.tokrepo', '.version-check');
 
 // ─── Helpers ───
@@ -37,6 +35,11 @@ function warn(msg) { log(`${C.yellow}!${C.reset} ${msg}`); }
 function info(msg) { log(`${C.cyan}→${C.reset} ${msg}`); }
 
 function readConfig() {
+  // P0: TOKREPO_TOKEN env var takes priority (enables Agent automation)
+  const envToken = process.env.TOKREPO_TOKEN;
+  if (envToken) {
+    return { token: envToken, api: process.env.TOKREPO_API || DEFAULT_API };
+  }
   try {
     return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
   } catch {
@@ -106,15 +109,6 @@ function compareVersions(a, b) {
   return 0;
 }
 
-// Sync state: maps "dirPath:title" → { uuid, hash, lastSync }
-function readSyncState() {
-  try { return JSON.parse(fs.readFileSync(SYNC_STATE_FILE, 'utf8')); } catch { return {}; }
-}
-function writeSyncState(state) {
-  if (!fs.existsSync(CONFIG_DIR)) fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-  fs.writeFileSync(SYNC_STATE_FILE, JSON.stringify(state, null, 2), { mode: 0o600 });
-}
-
 function readProjectConfig(baseDir = process.cwd()) {
   const configPath = path.join(baseDir, PROJECT_CONFIG);
   try {
@@ -151,7 +145,7 @@ function apiRequest(method, urlPath, body, token, apiBase) {
 
     const headers = {
       'Content-Type': 'application/json',
-      'User-Agent': 'tokrepo-cli/2.0.0',
+      'User-Agent': `tokrepo-cli/${CLI_VERSION}`,
     };
     if (token) {
       headers['Authorization'] = `Bearer ${token}`;
@@ -216,8 +210,7 @@ function detectFileType(filename) {
 
 // Guess tag from file type
 function guessTag(fileType) {
-  // Use lowercase singular names to match backend tag slugs
-  const map = { skill: 'skill', prompt: 'prompt', script: 'script', config: 'config', mcp: 'mcp' };
+  const map = { skill: 'Skills', prompt: 'Prompts', script: 'Scripts', config: 'Configs' };
   return map[fileType] || null;
 }
 
@@ -326,11 +319,6 @@ function collectFiles(paths, baseDir) {
 
   for (const p of paths) {
     const resolved = path.resolve(baseDir, p);
-    // Prevent path traversal — resolved must be within baseDir
-    if (!resolved.startsWith(path.resolve(baseDir) + path.sep) && resolved !== path.resolve(baseDir)) {
-      warn(`Skipped (outside project): ${p}`);
-      continue;
-    }
     if (!fs.existsSync(resolved)) {
       warn(`Not found: ${p}`);
       continue;
@@ -388,15 +376,33 @@ function guessTitle(files, baseDir) {
 
 async function cmdLogin() {
   log(`\n${C.bold}tokrepo login${C.reset}\n`);
-  info('Get your API token from https://tokrepo.com/en/workflows/submit');
+
+  // Check for --token flag for manual token entry
+  const args = process.argv.slice(2);
+  const useToken = args.includes('--token') || args.includes('-t');
+
+  if (useToken) {
+    // Manual token flow
+    info('Paste your API token (from https://tokrepo.com/en/my/settings)');
+    log('');
+    const token = await ask('API Token:');
+    if (!token) error('Token is required');
+    return await saveAndVerifyToken(token);
+  }
+
+  // Browser OAuth flow (default)
+  info('Opening browser for authentication...');
+  log(`  ${C.dim}(Use ${C.cyan}tokrepo login --token${C.dim} to paste a token manually)${C.reset}`);
   log('');
 
-  const token = await ask('API Token:');
-  if (!token) error('Token is required');
+  const token = await browserAuthFlow();
+  if (!token) error('Authentication failed or was cancelled');
+  return await saveAndVerifyToken(token);
+}
 
+async function saveAndVerifyToken(token) {
   writeConfig({ token, api: DEFAULT_API });
   success(`Config saved to ${CONFIG_FILE}`);
-
   try {
     const config = readConfig();
     const data = await fetchCurrentUser(config);
@@ -406,6 +412,71 @@ async function cmdLogin() {
   }
 }
 
+function browserAuthFlow() {
+  return new Promise((resolve) => {
+    const server = http.createServer((req, res) => {
+      // CORS headers for browser fetch
+      res.setHeader('Access-Control-Allow-Origin', '*');
+      res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+
+      if (req.method === 'OPTIONS') {
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+
+      if (req.method === 'POST' && req.url === '/callback') {
+        let body = '';
+        req.on('data', (chunk) => { body += chunk; });
+        req.on('end', () => {
+          try {
+            const data = JSON.parse(body);
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ ok: true }));
+            server.close();
+            clearTimeout(timeout);
+            resolve(data.token);
+          } catch {
+            res.writeHead(400);
+            res.end('Invalid request');
+          }
+        });
+        return;
+      }
+
+      res.writeHead(404);
+      res.end('Not found');
+    });
+
+    // Listen on random port
+    server.listen(0, '127.0.0.1', () => {
+      const port = server.address().port;
+      const authUrl = `https://tokrepo.com/en/cli-auth?port=${port}`;
+
+      info(`Listening on http://127.0.0.1:${port}`);
+      log(`  ${C.dim}If browser doesn't open, visit:${C.reset}`);
+      log(`  ${C.cyan}${authUrl}${C.reset}`);
+      log('');
+      info('Waiting for authorization...');
+
+      // Open browser
+      const opener = process.platform === 'darwin' ? 'open'
+        : process.platform === 'win32' ? 'start'
+        : 'xdg-open';
+      require('child_process').exec(`${opener} "${authUrl}"`);
+    });
+
+    // Timeout after 5 minutes
+    const timeout = setTimeout(() => {
+      server.close();
+      log('');
+      warn('Authorization timed out (5 minutes). Try again or use --token flag.');
+      resolve(null);
+    }, 5 * 60 * 1000);
+  });
+}
+
 async function cmdPush() {
   const args = parseArgs(process.argv);
 
@@ -501,7 +572,7 @@ async function cmdPush() {
   info('Pushing...');
 
   try {
-    const data = await apiRequest('POST', '/api/v1/tokenboard/push/create', {
+    const data = await apiRequest('POST', '/api/v1/tokenboard/push/upsert', {
       title,
       description,
       files: pushFiles,
@@ -511,7 +582,10 @@ async function cmdPush() {
     }, config.token, config.api);
 
     log('');
-    success(`Pushed!`);
+    const actionLabel = data.action === 'created' ? 'Created'
+      : data.action === 'updated' ? 'Updated'
+      : 'Unchanged (no diff)';
+    success(`${actionLabel}!`);
     log(`\n  ${C.bold}URL:${C.reset}  ${C.cyan}${data.url}${C.reset}`);
     log(`  ${C.bold}UUID:${C.reset} ${data.uuid}\n`);
   } catch (e) {
@@ -555,17 +629,15 @@ async function cmdInit() {
 
 async function cmdPull() {
   const urlOrUuid = process.argv[3];
-  if (!urlOrUuid) error('Usage: tokrepo pull <url-or-uuid>');
+  if (!urlOrUuid) error('Usage: tokrepo pull <url|uuid|@user/name>');
 
   log(`\n${C.bold}tokrepo pull${C.reset}\n`);
 
-  let uuid = urlOrUuid;
-  const urlMatch = urlOrUuid.match(/workflows\/([a-f0-9-]+)/);
-  if (urlMatch) uuid = urlMatch[1];
-
   const config = readConfig();
   const apiBase = config?.api || DEFAULT_API;
 
+  let uuid = await resolveAssetId(urlOrUuid, config, apiBase);
+
   info(`Fetching ${uuid}...`);
 
   try {
@@ -591,6 +663,54 @@ async function cmdPull() {
   }
 }
 
+// Resolve various input formats to a UUID:
+//   - UUID directly: "ca000374-f5d8-..."
+//   - Full URL: "https://tokrepo.com/en/workflows/ca000374-f5d8-..."
+//   - @username/asset-name: search by author + keyword
+//   - Plain name: search by keyword
+async function resolveAssetId(input, config, apiBase) {
+  // Already a UUID
+  if (/^[a-f0-9-]{36}$/.test(input)) return input;
+
+  // URL containing UUID
+  const urlMatch = input.match(/workflows\/([a-f0-9-]{36})/);
+  if (urlMatch) return urlMatch[1];
+
+  // @username/asset-name format
+  const atMatch = input.match(/^@([^/]+)\/(.+)$/);
+  if (atMatch) {
+    const [, username, assetName] = atMatch;
+    info(`Searching for "${assetName}" by @${username}...`);
+    // Search by keyword, then filter by author nickname
+    const encoded = encodeURIComponent(assetName);
+    try {
+      const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encoded}&page=1&page_size=20&sort_by=views`, null, config?.token, apiBase);
+      const items = data.list || data.items || [];
+      const match = items.find(w => {
+        const authorName = (w.author?.nickname || w.nickname || '').toLowerCase();
+        return authorName === username.toLowerCase();
+      });
+      if (match) return match.uuid;
+      // Fallback: return first result
+      if (items.length > 0) {
+        warn(`No exact match for @${username}, using best match: "${items[0].title}"`);
+        return items[0].uuid;
+      }
+    } catch { /* fall through */ }
+    error(`Asset not found: ${input}`);
+  }
+
+  // Plain name: search by keyword
+  info(`Searching for "${input}"...`);
+  const encoded = encodeURIComponent(input);
+  try {
+    const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encoded}&page=1&page_size=5&sort_by=views`, null, config?.token, apiBase);
+    const items = data.list || data.items || [];
+    if (items.length > 0) return items[0].uuid;
+  } catch { /* fall through */ }
+  error(`Asset not found: ${input}`);
+}
+
 // ─── Search ───
 
 async function cmdSearch() {
@@ -752,9 +872,6 @@ Examples:
       }
       case 'mcp':
       case 'mcp configs': {
-        // Security warning for MCP configs
-        warn('MCP server config detected. Review the configuration carefully before adding to your project.');
-        warn('MCP servers can execute arbitrary code. Only install from trusted sources.');
         // Save as mcp config, hint about manual merge
         if (!fileName.endsWith('.json')) fileName = fileName.replace(/\.md$/, '.json');
         break;
@@ -785,10 +902,14 @@ Examples:
       }
     }
 
-    // Sanitize fileName to prevent path traversal from API response
-    fileName = path.basename(fileName);
     const destPath = path.join(destDir, fileName);
 
+    // Path traversal guard: ensure resolved path stays inside destDir
+    if (!path.resolve(destPath).startsWith(path.resolve(destDir) + path.sep) && path.resolve(destPath) !== path.resolve(destDir)) {
+      warn(`Skipping "${fileName}" — path traversal detected`);
+      continue;
+    }
+
     // Don't overwrite without warning
     if (fs.existsSync(destPath)) {
       warn(`File exists: ${path.relative(process.cwd(), destPath)} (overwriting)`);
@@ -913,369 +1034,207 @@ async function cmdDelete() {
   }
 }
 
-async function cmdTags() {
-  log(`\n${C.bold}tokrepo tags${C.reset}\n`);
+async function cmdClone() {
+  const target = process.argv[3];
+  if (!target) error('Usage: tokrepo clone @username');
+
+  log(`\n${C.bold}tokrepo clone${C.reset}\n`);
 
   const config = readConfig();
   const apiBase = config?.api || DEFAULT_API;
 
-  try {
-    const data = await apiRequest('GET', '/api/v1/tokenboard/tags/list', null, null, apiBase);
-    log(`  Available tags:\n`);
-    for (const tag of data.tags) {
-      log(`  ${C.cyan}${tag.name}${C.reset}${tag.count ? ` ${C.dim}(${tag.count} assets)${C.reset}` : ''}`);
-    }
-    log('');
-  } catch (e) {
-    error(`Failed: ${e.message}`);
-  }
-}
-
-// ─── Sync: scan directory, diff with remote, upsert changes ───
+  // Extract username from @username format
+  let username = target;
+  if (username.startsWith('@')) username = username.slice(1);
 
-function computeHash(files) {
-  const h = crypto.createHash('sha256');
-  for (const f of files) {
-    h.update(f.name);
-    h.update('\0');
-    h.update(f.content);
-    h.update('\0');
-  }
-  return h.digest('hex');
-}
-
-function scanDirectory(dirPath) {
-  const assets = [];
-  const SKIP_DIRS = new Set(['node_modules', '.git', '__pycache__', '.venv', 'dist', 'build']);
-  const SKIP_FILES = new Set(['.DS_Store', 'Thumbs.db', 'package-lock.json', 'yarn.lock']);
-
-  // Each subdirectory = one asset; loose files = one asset per file
-  let entries;
-  try { entries = fs.readdirSync(dirPath, { withFileTypes: true }); } catch { return assets; }
-
-  const looseFiles = [];
-
-  for (const entry of entries) {
-    if (entry.name.startsWith('.') || SKIP_DIRS.has(entry.name) || SKIP_FILES.has(entry.name)) continue;
-
-    const fullPath = path.join(dirPath, entry.name);
-
-    if (entry.isDirectory()) {
-      // Subdirectory = one asset (e.g., ~/.claude/skills/my-skill/)
-      const files = collectAssetFiles(fullPath);
-      if (files.length === 0) continue;
-
-      // Use directory name as title (matches what `push` uses for remote title)
-      // NOT the markdown heading, which can be completely different
-      const title = entry.name;
-      const hash = computeHash(files);
-      const detectedTags = new Set();
-      for (const f of files) {
-        const ft = detectFileType(f.name);
-        const tag = guessTag(ft);
-        if (tag) detectedTags.add(tag);
-      }
-
-      assets.push({ title, files, hash, tags: Array.from(detectedTags), sourcePath: fullPath });
-    } else if (entry.isFile()) {
-      // Loose file
-      const ext = path.extname(entry.name).toLowerCase();
-      const validExts = ['.md', '.sh', '.py', '.js', '.mjs', '.ts', '.json', '.yaml', '.yml', '.toml', '.prompt'];
-      if (validExts.includes(ext) || entry.name === '.cursorrules' || entry.name === '.windsurfrules') {
-        looseFiles.push({ path: fullPath, name: entry.name });
+  // Step 1: Find user's UUID by searching for their workflows
+  info(`Finding user @${username}...`);
+  let authorUuid = '';
+  try {
+    const searchData = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encodeURIComponent(username)}&page=1&page_size=5&sort_by=latest`, null, config?.token, apiBase);
+    const items = searchData.list || searchData.items || [];
+    for (const item of items) {
+      const authorName = (item.author?.nickname || item.nickname || '').toLowerCase();
+      if (authorName === username.toLowerCase()) {
+        authorUuid = item.author?.uuid || item.author_uuid || '';
+        break;
       }
     }
-  }
-
-  // Each loose file = one asset
-  for (const f of looseFiles) {
-    let content;
-    try { content = fs.readFileSync(f.path, 'utf8'); } catch { continue; }
-    if (!content.trim()) continue;
-
-    const files = [{ name: f.name, content, type: detectFileType(f.name) }];
-    const title = guessAssetTitle(files, path.basename(f.name, path.extname(f.name)));
-    const hash = computeHash(files);
-    const ft = detectFileType(f.name);
-    const tag = guessTag(ft);
-
-    assets.push({ title, files, hash, tags: tag ? [tag] : [], sourcePath: f.path });
-  }
-
-  return assets;
-}
-
-function collectAssetFiles(dirPath) {
-  const files = [];
-  const SKIP = new Set(['.DS_Store', 'node_modules', '.git', '__pycache__']);
-
-  function walk(dir, relBase) {
-    let entries;
-    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
-    for (const entry of entries) {
-      if (entry.name.startsWith('.') || SKIP.has(entry.name)) continue;
-      const fullPath = path.join(dir, entry.name);
-      const relPath = relBase ? `${relBase}/${entry.name}` : entry.name;
-      if (entry.isDirectory()) {
-        walk(fullPath, relPath);
-      } else if (entry.isFile()) {
-        const ext = path.extname(entry.name).toLowerCase();
-        const validExts = ['.md', '.sh', '.py', '.js', '.mjs', '.ts', '.json', '.yaml', '.yml', '.toml', '.prompt', '.rb', '.go', '.rs'];
-        if (validExts.includes(ext) || entry.name === '.cursorrules') {
-          let content;
-          try { content = fs.readFileSync(fullPath, 'utf8'); } catch { continue; }
-          if (!content.trim()) continue;
-          files.push({ name: relPath, content, type: detectFileType(relPath) });
+  } catch { /* fall through */ }
+
+  if (!authorUuid) {
+    // Try fetching user's own workflows if logged in and cloning self
+    if (config?.token) {
+      try {
+        const me = await apiRequest('GET', '/api/v1/tokenboard/auth/me', null, config.token, apiBase);
+        if (me.nickname?.toLowerCase() === username.toLowerCase()) {
+          authorUuid = me.uuid;
         }
-      }
+      } catch { /* fall through */ }
     }
+    if (!authorUuid) error(`User @${username} not found. Make sure they have published assets.`);
   }
 
-  walk(dirPath, '');
-  return files;
-}
-
-function guessAssetTitle(files, fallbackName) {
-  // Try to find a heading in the first .md file
-  for (const f of files) {
-    if (f.name.toLowerCase().endsWith('.md')) {
-      const match = f.content.match(/^#\s+(.+)$/m);
-      if (match) return match[1].trim();
+  // Step 2: List all public workflows by this author
+  info(`Fetching all assets by @${username}...`);
+  let allItems = [];
+  let page = 1;
+  while (true) {
+    try {
+      const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?author_uuid=${authorUuid}&page=${page}&page_size=50&sort_by=latest`, null, config?.token, apiBase);
+      const items = data.list || data.items || [];
+      if (items.length === 0) break;
+      allItems = allItems.concat(items);
+      if (items.length < 50) break;
+      page++;
+    } catch (e) {
+      error(`Failed to list assets: ${e.message}`);
     }
   }
-  // Clean up fallback name
-  return fallbackName
-    .replace(/[-_]/g, ' ')
-    .replace(/\b\w/g, c => c.toUpperCase());
-}
-
-async function cmdSync() {
-  const args = parseArgs(process.argv);
-  const config = readConfig();
-  if (!config || !config.token) error(`Not logged in. Run: ${C.cyan}tokrepo login${C.reset}`);
-
-  const targetDir = args.positional[0]
-    ? path.resolve(args.positional[0])
-    : path.join(require('os').homedir(), '.claude', 'skills');
 
-  if (!fs.existsSync(targetDir)) {
-    error(`Directory not found: ${targetDir}`);
-  }
-
-  const visibility = args.flags.public ? 1 : 0; // default private for sync
-
-  log(`\n${C.bold}tokrepo sync${C.reset}\n`);
-  info(`Scanning ${targetDir}...`);
-
-  const assets = scanDirectory(targetDir);
-  if (assets.length === 0) {
-    info('No assets found in directory.');
+  if (allItems.length === 0) {
+    info(`@${username} has no public assets.`);
     return;
   }
 
-  log(`  Found ${C.bold}${assets.length}${C.reset} assets\n`);
-
-  // Load local sync state for fast local-only diff
-  const syncState = readSyncState();
-
-  // Classify each asset: check local state first, then remote diff for unknowns
-  const needsRemoteCheck = [];
-  const localStatus = {};
+  log(`  Found ${C.bold}${allItems.length}${C.reset} assets\n`);
 
-  for (const asset of assets) {
-    const key = asset.sourcePath;
-    const cached = syncState[key];
-    if (cached && cached.hash === asset.hash) {
-      // Local hash matches last sync — unchanged
-      localStatus[asset.title] = { status: 'unchanged', uuid: cached.uuid };
-    } else if (cached && cached.hash !== asset.hash) {
-      // Local hash differs from last sync — updated
-      localStatus[asset.title] = { status: 'updated', uuid: cached.uuid };
-    } else {
-      // Not in local state — check remote
-      needsRemoteCheck.push(asset);
-    }
+  // Step 3: Create directory and pull each asset
+  const outDir = path.join(process.cwd(), username);
+  if (!fs.existsSync(outDir)) {
+    fs.mkdirSync(outDir, { recursive: true });
   }
 
-  // Remote diff for assets not in local state
-  if (needsRemoteCheck.length > 0) {
-    info('Comparing with remote...');
-    const diffPayload = needsRemoteCheck.map(a => ({ title: a.title, content_hash: a.hash }));
+  let downloaded = 0;
+  for (const item of allItems) {
+    const title = item.title || item.uuid;
+    const safeDirName = title.replace(/[/\\?%*:|"<>]/g, '-').substring(0, 80);
+    const assetDir = path.join(outDir, safeDirName);
+
     try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets: diffPayload }, config.token, config.api);
-      for (const r of data.results) {
-        localStatus[r.title] = { status: r.status, uuid: r.remote_uuid || '' };
+      const detail = await apiRequest('GET', `/api/v1/tokenboard/workflows/detail?uuid=${item.uuid}`, null, config?.token, apiBase);
+      const workflow = detail.workflow;
+
+      if (workflow.steps && workflow.steps.length > 0) {
+        if (!fs.existsSync(assetDir)) fs.mkdirSync(assetDir, { recursive: true });
+        for (const step of workflow.steps) {
+          const content = step.prompt_template || step.promptTemplate;
+          if (content) {
+            const fileName = `${step.title || 'step-' + step.step_order}`;
+            const safeName = fileName.replace(/[/\\?%*:|"<>]/g, '-');
+            fs.writeFileSync(path.join(assetDir, safeName), content);
+          }
+        }
+        downloaded++;
+        log(`  ${C.green}✓${C.reset} ${safeDirName} ${C.dim}(${workflow.steps.length} files)${C.reset}`);
       }
     } catch (e) {
-      warn(`Diff API: ${e.message} — treating unknowns as new`);
-      for (const a of needsRemoteCheck) {
-        localStatus[a.title] = { status: 'new', uuid: '' };
-      }
+      log(`  ${C.yellow}!${C.reset} ${safeDirName} ${C.dim}(skipped: ${e.message})${C.reset}`);
     }
   }
 
-  // Show status
-  let newCount = 0, updatedCount = 0, unchangedCount = 0;
-
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new' };
-    if (st.status === 'new') {
-      log(`  ${C.green}+ new${C.reset}       ${asset.title} ${C.dim}(${asset.files.length} files)${C.reset}`);
-      newCount++;
-    } else if (st.status === 'updated') {
-      log(`  ${C.yellow}~ updated${C.reset}   ${asset.title}`);
-      updatedCount++;
-    } else {
-      log(`  ${C.dim}= unchanged ${asset.title}${C.reset}`);
-      unchangedCount++;
-    }
-  }
-
-  log('');
-  log(`  ${C.green}${newCount} new${C.reset}  ${C.yellow}${updatedCount} updated${C.reset}  ${C.dim}${unchangedCount} unchanged${C.reset}`);
-
-  if (newCount === 0 && updatedCount === 0) {
-    log('');
-    success('Everything is up to date!');
-    return;
-  }
-
   log('');
+  success(`Cloned ${downloaded}/${allItems.length} assets to ./${username}/`);
+}
 
-  // Confirm unless -y
-  if (!args.flags.yes) {
-    const confirm = await ask(`Push ${newCount + updatedCount} assets? (y/N):`);
-    if (confirm.toLowerCase() !== 'y') { log('Aborted.'); return; }
-  }
-
-  // Upsert each changed asset + save state
-  let successCount = 0;
-  let failCount = 0;
-
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new' };
-    if (st.status === 'unchanged') continue;
+async function cmdTags() {
+  log(`\n${C.bold}tokrepo tags${C.reset}\n`);
 
-    const totalChars = asset.files.reduce((sum, f) => sum + f.content.length, 0);
+  const config = readConfig();
+  const apiBase = config?.api || DEFAULT_API;
 
-    try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/upsert', {
-        title: asset.title,
-        files: asset.files,
-        tags: asset.tags,
-        token_cost: String(Math.round(totalChars / 4)),
-        visibility,
-      }, config.token, config.api);
-
-      const action = data.action === 'created' ? C.green + '+ created' : C.yellow + '~ updated';
-      log(`  ${action}${C.reset}  ${asset.title}  ${C.dim}${data.url}${C.reset}`);
-
-      // Save to local sync state
-      syncState[asset.sourcePath] = {
-        uuid: data.uuid,
-        hash: asset.hash,
-        title: asset.title,
-        url: data.url,
-        lastSync: new Date().toISOString(),
-      };
-      successCount++;
-    } catch (e) {
-      log(`  ${C.red}✗ failed${C.reset}   ${asset.title}: ${e.message}`);
-      failCount++;
+  try {
+    const data = await apiRequest('GET', '/api/v1/tokenboard/tags/list', null, null, apiBase);
+    log(`  Available tags:\n`);
+    for (const tag of data.tags) {
+      log(`  ${C.cyan}${tag.name}${C.reset}${tag.count ? ` ${C.dim}(${tag.count} assets)${C.reset}` : ''}`);
     }
+    log('');
+  } catch (e) {
+    error(`Failed: ${e.message}`);
   }
-
-  // Persist sync state
-  writeSyncState(syncState);
-
-  log('');
-  if (failCount === 0) {
-    success(`Synced ${successCount} assets!`);
-  } else {
-    warn(`${successCount} synced, ${failCount} failed`);
-  }
-  log('');
 }
 
 async function cmdStatus() {
-  const args = parseArgs(process.argv);
+  log(`\n${C.bold}tokrepo status${C.reset}\n`);
+
   const config = readConfig();
   if (!config || !config.token) error(`Not logged in. Run: ${C.cyan}tokrepo login${C.reset}`);
 
-  const targetDir = args.positional[0]
-    ? path.resolve(args.positional[0])
-    : path.join(require('os').homedir(), '.claude', 'skills');
+  const projectConfig = readProjectConfig();
+  const baseDir = process.cwd();
 
-  if (!fs.existsSync(targetDir)) {
-    error(`Directory not found: ${targetDir}`);
+  // Collect local files
+  let filesToCheck;
+  if (projectConfig) {
+    const patterns = projectConfig.files || ['*.md'];
+    filesToCheck = findFiles(patterns, baseDir);
+  } else {
+    filesToCheck = collectFiles(['.'], baseDir);
   }
 
-  log(`\n${C.bold}tokrepo status${C.reset}\n`);
-  info(`Scanning ${targetDir}...`);
-
-  const assets = scanDirectory(targetDir);
-  if (assets.length === 0) {
-    info('No assets found in directory.');
+  if (filesToCheck.length === 0) {
+    info('No pushable files found in current directory.');
     return;
   }
 
-  // Check local sync state first, remote for unknowns
-  const syncState = readSyncState();
-  const localStatus = {};
-  const needsRemoteCheck = [];
-
-  for (const asset of assets) {
-    const cached = syncState[asset.sourcePath];
-    if (cached && cached.hash === asset.hash) {
-      localStatus[asset.title] = { status: 'unchanged', uuid: cached.uuid };
-    } else if (cached && cached.hash !== asset.hash) {
-      localStatus[asset.title] = { status: 'updated', uuid: cached.uuid };
-    } else {
-      needsRemoteCheck.push(asset);
-    }
+  // Build assets with content hashes for diff
+  const crypto = require('crypto');
+  const assets = [];
+  const titleBase = projectConfig?.title || guessTitle(filesToCheck, baseDir);
+
+  // Each file becomes an asset for diff comparison
+  // But the primary asset is the whole push unit
+  const pushFiles = [];
+  for (const f of filesToCheck) {
+    let content;
+    try { content = fs.readFileSync(f.path, 'utf8'); } catch { continue; }
+    if (!content.trim()) continue;
+    pushFiles.push({ name: f.relPath, content });
   }
 
-  if (needsRemoteCheck.length > 0) {
-    info('Comparing with remote...');
-    const diffPayload = needsRemoteCheck.map(a => ({ title: a.title, content_hash: a.hash }));
-    try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets: diffPayload }, config.token, config.api);
-      for (const r of data.results) {
-        localStatus[r.title] = { status: r.status, uuid: r.remote_uuid || '' };
-      }
-    } catch (e) {
-      error(`Diff API error: ${e.message}`);
-    }
+  if (pushFiles.length === 0) {
+    info('No readable text files found.');
+    return;
   }
 
-  log('');
-  let newCount = 0, updatedCount = 0, unchangedCount = 0;
-
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new', uuid: '' };
-    const status = st.status;
-    const uuid = st.uuid || '';
-    const uuidShort = uuid ? ` ${C.dim}(${uuid.substring(0, 8)})${C.reset}` : '';
-
-    if (status === 'new') {
-      log(`  ${C.green}+ new${C.reset}       ${asset.title} ${C.dim}(${asset.files.length} files)${C.reset}`);
-      newCount++;
-    } else if (status === 'updated') {
-      log(`  ${C.yellow}~ modified${C.reset}  ${asset.title}${uuidShort}`);
-      updatedCount++;
-    } else {
-      log(`  ${C.dim}  unchanged ${asset.title}${uuidShort}${C.reset}`);
-      unchangedCount++;
-    }
+  // Compute content hash matching backend's computeContentHash format
+  const h = crypto.createHash('sha256');
+  for (const f of pushFiles) {
+    h.update(f.name);
+    h.update('\0');
+    h.update(f.content);
+    h.update('\0');
   }
+  const localHash = h.digest('hex');
 
-  log('');
-  log(`  ${C.bold}${assets.length}${C.reset} local assets: ${C.green}${newCount} new${C.reset}  ${C.yellow}${updatedCount} modified${C.reset}  ${C.dim}${unchangedCount} synced${C.reset}`);
+  assets.push({ title: titleBase, content_hash: localHash });
+
+  info('Comparing local files with remote...');
 
-  if (newCount > 0 || updatedCount > 0) {
-    log(`\n  Run ${C.cyan}tokrepo sync ${args.positional[0] || ''}${C.reset} to push changes`);
+  try {
+    const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets }, config.token, config.api);
+    log('');
+    for (const r of data.results) {
+      const icon = r.status === 'new' ? `${C.green}+ new${C.reset}`
+        : r.status === 'updated' ? `${C.yellow}~ modified${C.reset}`
+        : `${C.dim}= unchanged${C.reset}`;
+      log(`  ${icon}  ${r.title}${r.remote_uuid ? ` ${C.dim}(${r.remote_uuid.substring(0, 8)}...)${C.reset}` : ''}`);
+    }
+    log('');
+
+    const newCount = data.results.filter(r => r.status === 'new').length;
+    const updatedCount = data.results.filter(r => r.status === 'updated').length;
+    const unchangedCount = data.results.filter(r => r.status === 'unchanged').length;
+
+    if (newCount || updatedCount) {
+      info(`${newCount ? newCount + ' new' : ''}${newCount && updatedCount ? ', ' : ''}${updatedCount ? updatedCount + ' modified' : ''}. Run ${C.cyan}tokrepo push${C.reset} to sync.`);
+    } else {
+      success('Everything up to date.');
+    }
+  } catch (e) {
+    error(`Status check failed: ${e.message}`);
   }
-  log('');
 }
 
 function showHelp() {
@@ -1293,18 +1252,18 @@ ${C.bold}USAGE${C.reset}
 ${C.bold}DISCOVER & INSTALL${C.reset}
   ${C.cyan}search${C.reset} <query>      Search assets by keyword
   ${C.cyan}install${C.reset} <name|uuid> Smart install (auto-detects type & placement)
-  ${C.cyan}pull${C.reset} <url|uuid>     Download raw asset files
+  ${C.cyan}pull${C.reset} <url|uuid|@u/n> Download raw asset files
+  ${C.cyan}clone${C.reset} @username      Clone all assets from a user
 
-${C.bold}PUBLISH & SYNC${C.reset}
-  ${C.cyan}push${C.reset} [files...]     Push files/directory (creates new asset)
-  ${C.cyan}sync${C.reset} [dir]          Sync directory to TokRepo (smart upsert)
-  ${C.cyan}status${C.reset} [dir]        Show local vs remote diff
+${C.bold}PUBLISH${C.reset}
+  ${C.cyan}push${C.reset} [files...]     Push files/directory (idempotent upsert)
+  ${C.cyan}status${C.reset}              Compare local vs remote (like git status)
   ${C.cyan}init${C.reset}                Create .tokrepo.json project config
-  ${C.cyan}update${C.reset} <uuid> [f]   Update existing asset by UUID
+  ${C.cyan}update${C.reset} <uuid> [f]   Update existing asset
   ${C.cyan}delete${C.reset} <uuid>       Delete an asset
 
 ${C.bold}ACCOUNT${C.reset}
-  ${C.cyan}login${C.reset}               Save API token
+  ${C.cyan}login${C.reset}               Save API token (or set TOKREPO_TOKEN env var)
   ${C.cyan}list${C.reset}                List your published assets
   ${C.cyan}tags${C.reset}                List available tags
   ${C.cyan}whoami${C.reset}              Show current user
@@ -1324,16 +1283,6 @@ ${C.bold}INSTALL BEHAVIOR${C.reset}
   MCP      → current dir        (.json)
   Prompts  → current dir        (.md)
 
-${C.bold}SYNC (the killer feature)${C.reset}
-  ${C.cyan}tokrepo sync ~/.claude/skills/${C.reset}          # Sync all skills (default: private)
-  ${C.cyan}tokrepo sync ~/.claude/skills/ --public${C.reset} # Sync as public assets
-  ${C.cyan}tokrepo sync . -y${C.reset}                       # Sync current dir, skip confirm
-  ${C.cyan}tokrepo status${C.reset}                          # Show what would change
-
-  Sync scans a directory, detects new/modified assets, and pushes only
-  what changed. Each subdirectory becomes one asset. Loose files become
-  individual assets. Like ${C.bold}git push${C.reset} for your AI assets.
-
 ${C.bold}EXAMPLES${C.reset}
   tokrepo search "mcp server"                 # Find MCP configs
   tokrepo install ca000374-f5d8-...           # Install by UUID
@@ -1347,8 +1296,12 @@ ${C.bold}FILE TYPE AUTO-DETECTION${C.reset}
   .prompt .prompt.md            →  prompt
   .md (other)                   →  other
 
+${C.bold}AGENT / CI SETUP${C.reset}
+  export TOKREPO_TOKEN=tk_xxx          # skip login, agents use this
+  export TOKREPO_API=https://...       # optional custom API endpoint
+
 ${C.bold}GET YOUR TOKEN${C.reset}
-  https://tokrepo.com/en/workflows/submit
+  https://tokrepo.com/en/my/settings
 `);
 }
 
@@ -1361,15 +1314,15 @@ async function main() {
     case 'login': await cmdLogin(); break;
     case 'init': await cmdInit(); break;
     case 'push': await cmdPush(); break;
-    case 'sync': await cmdSync(); break;
-    case 'status': case 'st': await cmdStatus(); break;
     case 'pull': await cmdPull(); break;
     case 'search': case 'find': await cmdSearch(); break;
     case 'install': case 'i': await cmdInstall(); break;
     case 'list': await cmdList(); break;
     case 'update': await cmdUpdate(); break;
     case 'delete': await cmdDelete(); break;
+    case 'clone': await cmdClone(); break;
     case 'tags': await cmdTags(); break;
+    case 'status': case 'diff': await cmdStatus(); break;
     case 'whoami': await cmdWhoami(); break;
     case '--version': case '-v': case 'version':
       log(`tokrepo ${CLI_VERSION}`); break;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "tokrepo",
-  "version": "3.1.2",
-  "description": "AI assets for humans and agents — sync, search, install, push. Like git push for your AI skills.",
+  "version": "3.3.0",
+  "description": "AI assets for humans and agents — search, install, push. Like GitHub, for AI experience.",
   "bin": {
     "tokrepo": "bin/tokrepo.js"
   },