npm - tokrepo - Versions diffs - 3.2.0 → 3.3.1 - Mend

tokrepo 3.2.0 → 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/tokrepo.js +369 -408
package/package.json +3 -3

package/bin/tokrepo.js CHANGED Viewed

@@ -2,7 +2,6 @@
 const fs = require('fs');
 const path = require('path');
-const crypto = require('crypto');
 const https = require('https');
 const http = require('http');
 const readline = require('readline');
@@ -22,10 +21,9 @@ const C = {
 const CONFIG_DIR = path.join(require('os').homedir(), '.tokrepo');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
-const SYNC_STATE_FILE = path.join(CONFIG_DIR, 'sync-state.json');
 const PROJECT_CONFIG = '.tokrepo.json';
 const DEFAULT_API = 'https://api.tokrepo.com';
-const CLI_VERSION = '3.2.0';
+const CLI_VERSION = '3.3.0';
 const VERSION_CHECK_FILE = path.join(require('os').homedir(), '.tokrepo', '.version-check');
 // ─── Helpers ───
@@ -37,6 +35,11 @@ function warn(msg) { log(`${C.yellow}!${C.reset} ${msg}`); }
 function info(msg) { log(`${C.cyan}→${C.reset} ${msg}`); }
 function readConfig() {
+  // P0: TOKREPO_TOKEN env var takes priority (enables Agent automation)
+  const envToken = process.env.TOKREPO_TOKEN;
+  if (envToken) {
+    return { token: envToken, api: process.env.TOKREPO_API || DEFAULT_API };
+  }
   try {
     return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
   } catch {
@@ -106,15 +109,6 @@ function compareVersions(a, b) {
   return 0;
 }
-// Sync state: maps "dirPath:title" → { uuid, hash, lastSync }
-function readSyncState() {
-  try { return JSON.parse(fs.readFileSync(SYNC_STATE_FILE, 'utf8')); } catch { return {}; }
-}
-function writeSyncState(state) {
-  if (!fs.existsSync(CONFIG_DIR)) fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-  fs.writeFileSync(SYNC_STATE_FILE, JSON.stringify(state, null, 2), { mode: 0o600 });
-}
 function readProjectConfig(baseDir = process.cwd()) {
   const configPath = path.join(baseDir, PROJECT_CONFIG);
   try {
@@ -151,7 +145,7 @@ function apiRequest(method, urlPath, body, token, apiBase) {
     const headers = {
       'Content-Type': 'application/json',
-      'User-Agent': 'tokrepo-cli/2.0.0',
+      'User-Agent': `tokrepo-cli/${CLI_VERSION}`,
     };
     if (token) {
       headers['Authorization'] = `Bearer ${token}`;
@@ -216,8 +210,7 @@ function detectFileType(filename) {
 // Guess tag from file type
 function guessTag(fileType) {
-  // Use lowercase singular names to match backend tag slugs
-  const map = { skill: 'skill', prompt: 'prompt', script: 'script', config: 'config', mcp: 'mcp' };
+  const map = { skill: 'Skills', prompt: 'Prompts', script: 'Scripts', config: 'Configs' };
   return map[fileType] || null;
 }
@@ -326,11 +319,6 @@ function collectFiles(paths, baseDir) {
   for (const p of paths) {
     const resolved = path.resolve(baseDir, p);
-    // Prevent path traversal — resolved must be within baseDir
-    if (!resolved.startsWith(path.resolve(baseDir) + path.sep) && resolved !== path.resolve(baseDir)) {
-      warn(`Skipped (outside project): ${p}`);
-      continue;
-    }
     if (!fs.existsSync(resolved)) {
       warn(`Not found: ${p}`);
       continue;
@@ -388,15 +376,33 @@ function guessTitle(files, baseDir) {
 async function cmdLogin() {
   log(`\n${C.bold}tokrepo login${C.reset}\n`);
-  info('Get your API token from https://tokrepo.com/en/workflows/submit');
+  // Check for --token flag for manual token entry
+  const args = process.argv.slice(2);
+  const useToken = args.includes('--token') || args.includes('-t');
+  if (useToken) {
+    // Manual token flow
+    info('Paste your API token (from https://tokrepo.com/en/my/settings)');
+    log('');
+    const token = await ask('API Token:');
+    if (!token) error('Token is required');
+    return await saveAndVerifyToken(token);
+  }
+  // Browser OAuth flow (default)
+  info('Opening browser for authentication...');
+  log(`  ${C.dim}(Use ${C.cyan}tokrepo login --token${C.dim} to paste a token manually)${C.reset}`);
   log('');
-  const token = await ask('API Token:');
-  if (!token) error('Token is required');
+  const token = await browserAuthFlow();
+  if (!token) error('Authentication failed or was cancelled');
+  return await saveAndVerifyToken(token);
+}
+async function saveAndVerifyToken(token) {
   writeConfig({ token, api: DEFAULT_API });
   success(`Config saved to ${CONFIG_FILE}`);
   try {
     const config = readConfig();
     const data = await fetchCurrentUser(config);
@@ -406,6 +412,71 @@ async function cmdLogin() {
   }
 }
+function browserAuthFlow() {
+  return new Promise((resolve) => {
+    const server = http.createServer((req, res) => {
+      // CORS headers for browser fetch
+      res.setHeader('Access-Control-Allow-Origin', '*');
+      res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+      if (req.method === 'OPTIONS') {
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+      if (req.method === 'POST' && req.url === '/callback') {
+        let body = '';
+        req.on('data', (chunk) => { body += chunk; });
+        req.on('end', () => {
+          try {
+            const data = JSON.parse(body);
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ ok: true }));
+            server.close();
+            clearTimeout(timeout);
+            resolve(data.token);
+          } catch {
+            res.writeHead(400);
+            res.end('Invalid request');
+          }
+        });
+        return;
+      }
+      res.writeHead(404);
+      res.end('Not found');
+    });
+    // Listen on random port
+    server.listen(0, '127.0.0.1', () => {
+      const port = server.address().port;
+      const authUrl = `https://tokrepo.com/en/cli-auth?port=${port}`;
+      info(`Listening on http://127.0.0.1:${port}`);
+      log(`  ${C.dim}If browser doesn't open, visit:${C.reset}`);
+      log(`  ${C.cyan}${authUrl}${C.reset}`);
+      log('');
+      info('Waiting for authorization...');
+      // Open browser
+      const opener = process.platform === 'darwin' ? 'open'
+        : process.platform === 'win32' ? 'start'
+        : 'xdg-open';
+      require('child_process').exec(`${opener} "${authUrl}"`);
+    });
+    // Timeout after 5 minutes
+    const timeout = setTimeout(() => {
+      server.close();
+      log('');
+      warn('Authorization timed out (5 minutes). Try again or use --token flag.');
+      resolve(null);
+    }, 5 * 60 * 1000);
+  });
+}
 async function cmdPush() {
   const args = parseArgs(process.argv);
@@ -446,7 +517,7 @@ async function cmdPush() {
   // Flags override config
   title = args.flags.title || title || guessTitle(filesToPush, baseDir);
   description = args.flags.desc || description || '';
-  visibility = args.flags.public ? 1 : (args.flags.private ? 0 : (projectConfig?.visibility ?? 1));
+  visibility = args.flags.public ? 1 : (args.flags.private ? 0 : (projectConfig?.visibility ?? 0));
   tags = args.flags.tags || tags || [];
   // Read files and detect types
@@ -482,8 +553,8 @@ async function cmdPush() {
   // Show summary
   log(`\n${C.bold}tokrepo push${C.reset}\n`);
   log(`  ${C.bold}Title:${C.reset}      ${title}`);
-  log(`  ${C.bold}Visibility:${C.reset} ${visibility === 1 ? `${C.green}public${C.reset}` : `${C.yellow}private${C.reset}`}`);
-  log(`  ${C.bold}Files:${C.reset}      ${pushFiles.length}`);
+  log(`  ${C.bold}Visibility:${C.reset} ${visibility === 1 ? `${C.green}public${C.reset} (visible to everyone)` : `${C.yellow}private${C.reset} (only you can see)`}`);
+  log(`  ${C.bold}Files:${C.reset}      ${pushFiles.length} (only these files will be uploaded)`);
   if (detectedTags.size > 0) {
     log(`  ${C.bold}Tags:${C.reset}       ${Array.from(detectedTags).join(', ')}`);
   }
@@ -501,7 +572,7 @@ async function cmdPush() {
   info('Pushing...');
   try {
-    const data = await apiRequest('POST', '/api/v1/tokenboard/push/create', {
+    const data = await apiRequest('POST', '/api/v1/tokenboard/push/upsert', {
       title,
       description,
       files: pushFiles,
@@ -511,7 +582,10 @@ async function cmdPush() {
     }, config.token, config.api);
     log('');
-    success(`Pushed!`);
+    const actionLabel = data.action === 'created' ? 'Created'
+      : data.action === 'updated' ? 'Updated'
+      : 'Unchanged (no diff)';
+    success(`${actionLabel}!`);
     log(`\n  ${C.bold}URL:${C.reset}  ${C.cyan}${data.url}${C.reset}`);
     log(`  ${C.bold}UUID:${C.reset} ${data.uuid}\n`);
   } catch (e) {
@@ -540,7 +614,7 @@ async function cmdInit() {
     title: title || dirName,
     description: description || '',
     files: ['*.md', '*.sh', '*.py', '*.js', '*.mjs', '*.ts', '*.json', '*.yaml'],
-    visibility: 1,
+    visibility: 0,
     tags: [],
   };
@@ -555,17 +629,15 @@ async function cmdInit() {
 async function cmdPull() {
   const urlOrUuid = process.argv[3];
-  if (!urlOrUuid) error('Usage: tokrepo pull <url-or-uuid>');
+  if (!urlOrUuid) error('Usage: tokrepo pull <url|uuid|@user/name>');
   log(`\n${C.bold}tokrepo pull${C.reset}\n`);
-  let uuid = urlOrUuid;
-  const urlMatch = urlOrUuid.match(/workflows\/([a-f0-9-]+)/);
-  if (urlMatch) uuid = urlMatch[1];
   const config = readConfig();
   const apiBase = config?.api || DEFAULT_API;
+  let uuid = await resolveAssetId(urlOrUuid, config, apiBase);
   info(`Fetching ${uuid}...`);
   try {
@@ -591,13 +663,70 @@ async function cmdPull() {
   }
 }
+// Normalize query: replace hyphens/underscores/dots with spaces for better matching
+function normalizeQuery(q) {
+  return q.replace(/[-_.]/g, ' ').replace(/\s+/g, ' ').trim();
+}
+// Resolve various input formats to a UUID:
+//   - UUID directly: "ca000374-f5d8-..."
+//   - Full URL: "https://tokrepo.com/en/workflows/ca000374-f5d8-..."
+//   - @username/asset-name: search by author + keyword
+//   - Plain name: search by keyword
+async function resolveAssetId(input, config, apiBase) {
+  // Already a UUID
+  if (/^[a-f0-9-]{36}$/.test(input)) return input;
+  // URL containing UUID
+  const urlMatch = input.match(/workflows\/([a-f0-9-]{36})/);
+  if (urlMatch) return urlMatch[1];
+  // @username/asset-name format
+  const atMatch = input.match(/^@([^/]+)\/(.+)$/);
+  if (atMatch) {
+    const [, username, assetName] = atMatch;
+    const normalizedName = normalizeQuery(assetName);
+    info(`Searching for "${normalizedName}" by @${username}...`);
+    // Search by keyword, then filter by author nickname
+    const encoded = encodeURIComponent(normalizedName);
+    try {
+      const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encoded}&page=1&page_size=20&sort_by=views`, null, config?.token, apiBase);
+      const items = data.list || data.items || [];
+      const match = items.find(w => {
+        const authorName = (w.author?.nickname || w.nickname || '').toLowerCase();
+        return authorName === username.toLowerCase();
+      });
+      if (match) return match.uuid;
+      // Fallback: return first result
+      if (items.length > 0) {
+        warn(`No exact match for @${username}, using best match: "${items[0].title}"`);
+        return items[0].uuid;
+      }
+    } catch { /* fall through */ }
+    error(`Asset not found: ${input}`);
+  }
+  // Plain name: search by keyword (normalize separators)
+  const normalizedInput = normalizeQuery(input);
+  info(`Searching for "${normalizedInput}"...`);
+  const encoded = encodeURIComponent(normalizedInput);
+  try {
+    const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encoded}&page=1&page_size=5&sort_by=views`, null, config?.token, apiBase);
+    const items = data.list || data.items || [];
+    if (items.length > 0) return items[0].uuid;
+  } catch { /* fall through */ }
+  error(`Asset not found: ${input}`);
+}
 // ─── Search ───
 async function cmdSearch() {
-  const query = process.argv.slice(3).join(' ');
-  if (!query) error('Usage: tokrepo search <keyword>');
+  const rawQuery = process.argv.slice(3).join(' ');
+  if (!rawQuery) error('Usage: tokrepo search <keyword>');
-  log(`\n${C.bold}tokrepo search${C.reset} "${query}"\n`);
+  const query = normalizeQuery(rawQuery);
+  const displayQuery = query !== rawQuery ? `"${rawQuery}" → "${query}"` : `"${query}"`;
+  log(`\n${C.bold}tokrepo search${C.reset} ${displayQuery}\n`);
   const config = readConfig();
   const apiBase = config?.api || DEFAULT_API;
@@ -608,7 +737,14 @@ async function cmdSearch() {
     if (!data.list || data.list.length === 0) {
       info('No assets found.');
-      log(`\n  ${C.dim}Try different keywords or browse: https://tokrepo.com/en/featured${C.reset}\n`);
+      // Suggest broader search terms
+      const words = query.split(' ');
+      if (words.length > 1) {
+        log(`\n  ${C.dim}Try fewer keywords:${C.reset}`);
+        log(`  ${C.cyan}tokrepo search ${words[0]}${C.reset}`);
+        log(`  ${C.cyan}tokrepo search ${words.slice(0, 2).join(' ')}${C.reset}`);
+      }
+      log(`\n  ${C.dim}Browse all: https://tokrepo.com/en/featured${C.reset}\n`);
       return;
     }
@@ -619,8 +755,13 @@ async function cmdSearch() {
       const tags = (wf.tags || []).map(t => t.name).join(', ');
       const views = wf.view_count || 0;
       const votes = wf.vote_count || 0;
+      // Truncate long descriptions for readability
+      const desc = (wf.description || '').length > 80
+        ? wf.description.substring(0, 77) + '...'
+        : (wf.description || '');
       log(`  ${C.dim}${String(i + 1).padStart(2)}.${C.reset} ${C.bold}${wf.title}${C.reset}`);
+      if (desc) log(`      ${desc}`);
       if (tags) log(`      ${C.cyan}${tags}${C.reset}  ${C.dim}★${votes} 👁${views}${C.reset}`);
       log(`      ${C.dim}tokrepo install ${wf.uuid}${C.reset}`);
       log('');
@@ -658,18 +799,23 @@ Examples:
   }
   // UUID format check
   else if (!/^[a-f0-9-]{36}$/.test(target)) {
-    // Search by name
-    info(`Searching for "${target}"...`);
+    // Search by name (normalize separators for better matching)
+    const normalizedTarget = normalizeQuery(target);
+    info(`Searching for "${normalizedTarget}"...`);
     try {
-      const encoded = encodeURIComponent(target);
+      const encoded = encodeURIComponent(normalizedTarget);
       const searchData = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encoded}&page=1&page_size=5&sort_by=views`, null, config?.token, apiBase);
       if (!searchData.list || searchData.list.length === 0) {
         error(`No asset found matching "${target}". Try: tokrepo search ${target}`);
       }
-      // If exact title match, use it directly
-      const exact = searchData.list.find(w => w.title.toLowerCase().includes(target.toLowerCase()));
+      // If title contains all query words, prefer it
+      const queryWords = normalizedTarget.toLowerCase().split(' ');
+      const exact = searchData.list.find(w => {
+        const title = w.title.toLowerCase();
+        return queryWords.every(word => title.includes(word));
+      });
       const chosen = exact || searchData.list[0];
       uuid = chosen.uuid;
@@ -752,9 +898,6 @@ Examples:
       }
       case 'mcp':
       case 'mcp configs': {
-        // Security warning for MCP configs
-        warn('MCP server config detected. Review the configuration carefully before adding to your project.');
-        warn('MCP servers can execute arbitrary code. Only install from trusted sources.');
         // Save as mcp config, hint about manual merge
         if (!fileName.endsWith('.json')) fileName = fileName.replace(/\.md$/, '.json');
         break;
@@ -785,10 +928,14 @@ Examples:
       }
     }
-    // Sanitize fileName to prevent path traversal from API response
-    fileName = path.basename(fileName);
     const destPath = path.join(destDir, fileName);
+    // Path traversal guard: ensure resolved path stays inside destDir
+    if (!path.resolve(destPath).startsWith(path.resolve(destDir) + path.sep) && path.resolve(destPath) !== path.resolve(destDir)) {
+      warn(`Skipping "${fileName}" — path traversal detected`);
+      continue;
+    }
     // Don't overwrite without warning
     if (fs.existsSync(destPath)) {
       warn(`File exists: ${path.relative(process.cwd(), destPath)} (overwriting)`);
@@ -913,403 +1060,221 @@ async function cmdDelete() {
   }
 }
-async function cmdTags() {
-  log(`\n${C.bold}tokrepo tags${C.reset}\n`);
+async function cmdClone() {
+  const target = process.argv[3];
+  if (!target) error('Usage: tokrepo clone @username');
+  log(`\n${C.bold}tokrepo clone${C.reset}\n`);
   const config = readConfig();
   const apiBase = config?.api || DEFAULT_API;
-  try {
-    const data = await apiRequest('GET', '/api/v1/tokenboard/tags/list', null, null, apiBase);
-    log(`  Available tags:\n`);
-    for (const tag of data.tags) {
-      log(`  ${C.cyan}${tag.name}${C.reset}${tag.count ? ` ${C.dim}(${tag.count} assets)${C.reset}` : ''}`);
-    }
-    log('');
-  } catch (e) {
-    error(`Failed: ${e.message}`);
-  }
-}
-// ─── Sync: scan directory, diff with remote, upsert changes ───
+  // Extract username from @username format
+  let username = target;
+  if (username.startsWith('@')) username = username.slice(1);
-function computeHash(files) {
-  const h = crypto.createHash('sha256');
-  for (const f of files) {
-    h.update(f.name);
-    h.update('\0');
-    h.update(f.content);
-    h.update('\0');
-  }
-  return h.digest('hex');
-}
-function isProjectDirectory(dirPath) {
-  const PROJECT_MARKERS = [
-    'package.json', '.tokrepo.json', 'go.mod', 'Cargo.toml',
-    'pyproject.toml', 'setup.py', 'Gemfile', 'pom.xml',
-    'build.gradle', 'Makefile', 'CMakeLists.txt', 'deno.json',
-  ];
-  return PROJECT_MARKERS.some(m => fs.existsSync(path.join(dirPath, m)));
-}
-function scanDirectory(dirPath) {
-  const assets = [];
-  const SKIP_DIRS = new Set(['node_modules', '.git', '__pycache__', '.venv', 'dist', 'build']);
-  const SKIP_FILES = new Set(['.DS_Store', 'Thumbs.db', 'package-lock.json', 'yarn.lock']);
-  // If the directory itself is a project, treat the whole thing as one asset
-  if (isProjectDirectory(dirPath)) {
-    const files = collectAssetFiles(dirPath);
-    if (files.length > 0) {
-      const title = guessAssetTitle(files, path.basename(dirPath));
-      const hash = computeHash(files);
-      const detectedTags = new Set();
-      for (const f of files) {
-        const ft = detectFileType(f.name);
-        const tag = guessTag(ft);
-        if (tag) detectedTags.add(tag);
+  // Step 1: Find user's UUID by searching for their workflows
+  info(`Finding user @${username}...`);
+  let authorUuid = '';
+  try {
+    const searchData = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?keyword=${encodeURIComponent(username)}&page=1&page_size=5&sort_by=latest`, null, config?.token, apiBase);
+    const items = searchData.list || searchData.items || [];
+    for (const item of items) {
+      const authorName = (item.author?.nickname || item.nickname || '').toLowerCase();
+      if (authorName === username.toLowerCase()) {
+        authorUuid = item.author?.uuid || item.author_uuid || '';
+        break;
       }
-      assets.push({ title, files, hash, tags: Array.from(detectedTags), sourcePath: dirPath });
     }
-    return assets;
+  } catch { /* fall through */ }
+  if (!authorUuid) {
+    // Try fetching user's own workflows if logged in and cloning self
+    if (config?.token) {
+      try {
+        const me = await apiRequest('GET', '/api/v1/tokenboard/auth/me', null, config.token, apiBase);
+        if (me.nickname?.toLowerCase() === username.toLowerCase()) {
+          authorUuid = me.uuid;
+        }
+      } catch { /* fall through */ }
+    }
+    if (!authorUuid) error(`User @${username} not found. Make sure they have published assets.`);
   }
-  // Non-project directory: each subdirectory = one asset; loose files = one asset per file
-  let entries;
-  try { entries = fs.readdirSync(dirPath, { withFileTypes: true }); } catch { return assets; }
-  const looseFiles = [];
-  for (const entry of entries) {
-    if (entry.name.startsWith('.') || SKIP_DIRS.has(entry.name) || SKIP_FILES.has(entry.name)) continue;
-    const fullPath = path.join(dirPath, entry.name);
-    if (entry.isDirectory()) {
-      // Subdirectory = one asset (e.g., ~/.claude/skills/my-skill/)
-      const files = collectAssetFiles(fullPath);
-      if (files.length === 0) continue;
-      const title = entry.name;
-      const hash = computeHash(files);
-      const detectedTags = new Set();
-      for (const f of files) {
-        const ft = detectFileType(f.name);
-        const tag = guessTag(ft);
-        if (tag) detectedTags.add(tag);
-      }
-      assets.push({ title, files, hash, tags: Array.from(detectedTags), sourcePath: fullPath });
-    } else if (entry.isFile()) {
-      // Loose file
-      const ext = path.extname(entry.name).toLowerCase();
-      const validExts = ['.md', '.sh', '.py', '.js', '.mjs', '.ts', '.json', '.yaml', '.yml', '.toml', '.prompt'];
-      if (validExts.includes(ext) || entry.name === '.cursorrules' || entry.name === '.windsurfrules') {
-        looseFiles.push({ path: fullPath, name: entry.name });
-      }
+  // Step 2: List all public workflows by this author
+  info(`Fetching all assets by @${username}...`);
+  let allItems = [];
+  let page = 1;
+  while (true) {
+    try {
+      const data = await apiRequest('GET', `/api/v1/tokenboard/workflows/list?author_uuid=${authorUuid}&page=${page}&page_size=50&sort_by=latest`, null, config?.token, apiBase);
+      const items = data.list || data.items || [];
+      if (items.length === 0) break;
+      allItems = allItems.concat(items);
+      if (items.length < 50) break;
+      page++;
+    } catch (e) {
+      error(`Failed to list assets: ${e.message}`);
     }
   }
-  // Each loose file = one asset
-  for (const f of looseFiles) {
-    let content;
-    try { content = fs.readFileSync(f.path, 'utf8'); } catch { continue; }
-    if (!content.trim()) continue;
+  if (allItems.length === 0) {
+    info(`@${username} has no public assets.`);
+    return;
+  }
-    const files = [{ name: f.name, content, type: detectFileType(f.name) }];
-    const title = guessAssetTitle(files, path.basename(f.name, path.extname(f.name)));
-    const hash = computeHash(files);
-    const ft = detectFileType(f.name);
-    const tag = guessTag(ft);
+  log(`  Found ${C.bold}${allItems.length}${C.reset} assets\n`);
-    assets.push({ title, files, hash, tags: tag ? [tag] : [], sourcePath: f.path });
+  // Step 3: Create directory and pull each asset
+  const outDir = path.join(process.cwd(), username);
+  if (!fs.existsSync(outDir)) {
+    fs.mkdirSync(outDir, { recursive: true });
   }
-  return assets;
-}
-function collectAssetFiles(dirPath) {
-  const files = [];
-  const SKIP = new Set(['.DS_Store', 'node_modules', '.git', '__pycache__']);
+  let downloaded = 0;
+  for (const item of allItems) {
+    const title = item.title || item.uuid;
+    const safeDirName = title.replace(/[/\\?%*:|"<>]/g, '-').substring(0, 80);
+    const assetDir = path.join(outDir, safeDirName);
-  function walk(dir, relBase) {
-    let entries;
-    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
-    for (const entry of entries) {
-      if (entry.name.startsWith('.') || SKIP.has(entry.name)) continue;
-      const fullPath = path.join(dir, entry.name);
-      const relPath = relBase ? `${relBase}/${entry.name}` : entry.name;
-      if (entry.isDirectory()) {
-        walk(fullPath, relPath);
-      } else if (entry.isFile()) {
-        const ext = path.extname(entry.name).toLowerCase();
-        const validExts = ['.md', '.sh', '.py', '.js', '.mjs', '.ts', '.json', '.yaml', '.yml', '.toml', '.prompt', '.rb', '.go', '.rs'];
-        if (validExts.includes(ext) || entry.name === '.cursorrules') {
-          let content;
-          try { content = fs.readFileSync(fullPath, 'utf8'); } catch { continue; }
-          if (!content.trim()) continue;
-          files.push({ name: relPath, content, type: detectFileType(relPath) });
+    try {
+      const detail = await apiRequest('GET', `/api/v1/tokenboard/workflows/detail?uuid=${item.uuid}`, null, config?.token, apiBase);
+      const workflow = detail.workflow;
+      if (workflow.steps && workflow.steps.length > 0) {
+        if (!fs.existsSync(assetDir)) fs.mkdirSync(assetDir, { recursive: true });
+        for (const step of workflow.steps) {
+          const content = step.prompt_template || step.promptTemplate;
+          if (content) {
+            const fileName = `${step.title || 'step-' + step.step_order}`;
+            const safeName = fileName.replace(/[/\\?%*:|"<>]/g, '-');
+            fs.writeFileSync(path.join(assetDir, safeName), content);
+          }
         }
+        downloaded++;
+        log(`  ${C.green}✓${C.reset} ${safeDirName} ${C.dim}(${workflow.steps.length} files)${C.reset}`);
       }
+    } catch (e) {
+      log(`  ${C.yellow}!${C.reset} ${safeDirName} ${C.dim}(skipped: ${e.message})${C.reset}`);
     }
   }
-  walk(dirPath, '');
-  return files;
+  log('');
+  success(`Cloned ${downloaded}/${allItems.length} assets to ./${username}/`);
 }
-function guessAssetTitle(files, fallbackName) {
-  // Try to find a heading in the first .md file
-  for (const f of files) {
-    if (f.name.toLowerCase().endsWith('.md')) {
-      const match = f.content.match(/^#\s+(.+)$/m);
-      if (match) return match[1].trim();
+async function cmdTags() {
+  log(`\n${C.bold}tokrepo tags${C.reset}\n`);
+  const config = readConfig();
+  const apiBase = config?.api || DEFAULT_API;
+  try {
+    const data = await apiRequest('GET', '/api/v1/tokenboard/tags/list', null, null, apiBase);
+    log(`  Available tags:\n`);
+    for (const tag of data.tags) {
+      log(`  ${C.cyan}${tag.name}${C.reset}${tag.count ? ` ${C.dim}(${tag.count} assets)${C.reset}` : ''}`);
     }
+    log('');
+  } catch (e) {
+    error(`Failed: ${e.message}`);
   }
-  // Clean up fallback name
-  return fallbackName
-    .replace(/[-_]/g, ' ')
-    .replace(/\b\w/g, c => c.toUpperCase());
 }
-async function cmdSync() {
-  const args = parseArgs(process.argv);
+async function cmdStatus() {
+  log(`\n${C.bold}tokrepo status${C.reset}\n`);
   const config = readConfig();
   if (!config || !config.token) error(`Not logged in. Run: ${C.cyan}tokrepo login${C.reset}`);
-  const targetDir = args.positional[0]
-    ? path.resolve(args.positional[0])
-    : path.join(require('os').homedir(), '.claude', 'skills');
+  const projectConfig = readProjectConfig();
+  const baseDir = process.cwd();
-  if (!fs.existsSync(targetDir)) {
-    error(`Directory not found: ${targetDir}`);
+  // Collect local files
+  let filesToCheck;
+  if (projectConfig) {
+    const patterns = projectConfig.files || ['*.md'];
+    filesToCheck = findFiles(patterns, baseDir);
+  } else {
+    filesToCheck = collectFiles(['.'], baseDir);
   }
-  const visibility = args.flags.public ? 1 : 0; // default private for sync
-  log(`\n${C.bold}tokrepo sync${C.reset}\n`);
-  info(`Scanning ${targetDir}...`);
-  const assets = scanDirectory(targetDir);
-  if (assets.length === 0) {
-    info('No assets found in directory.');
+  if (filesToCheck.length === 0) {
+    info('No pushable files found in current directory.');
     return;
   }
-  log(`  Found ${C.bold}${assets.length}${C.reset} assets\n`);
-  // Load local sync state for fast local-only diff
-  const syncState = readSyncState();
-  // Classify each asset: check local state first, then remote diff for unknowns
-  const needsRemoteCheck = [];
-  const localStatus = {};
-  for (const asset of assets) {
-    const key = asset.sourcePath;
-    const cached = syncState[key];
-    if (cached && cached.hash === asset.hash) {
-      // Local hash matches last sync — unchanged
-      localStatus[asset.title] = { status: 'unchanged', uuid: cached.uuid };
-    } else if (cached && cached.hash !== asset.hash) {
-      // Local hash differs from last sync — updated
-      localStatus[asset.title] = { status: 'updated', uuid: cached.uuid };
-    } else {
-      // Not in local state — check remote
-      needsRemoteCheck.push(asset);
-    }
-  }
-  // Remote diff for assets not in local state
-  if (needsRemoteCheck.length > 0) {
-    info('Comparing with remote...');
-    const diffPayload = needsRemoteCheck.map(a => ({ title: a.title, content_hash: a.hash }));
-    try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets: diffPayload }, config.token, config.api);
-      for (const r of data.results) {
-        localStatus[r.title] = { status: r.status, uuid: r.remote_uuid || '' };
-      }
-    } catch (e) {
-      warn(`Diff API: ${e.message} — treating unknowns as new`);
-      for (const a of needsRemoteCheck) {
-        localStatus[a.title] = { status: 'new', uuid: '' };
-      }
-    }
-  }
+  // Build assets with content hashes for diff
+  const crypto = require('crypto');
+  const assets = [];
+  const titleBase = projectConfig?.title || guessTitle(filesToCheck, baseDir);
-  // Show status
-  let newCount = 0, updatedCount = 0, unchangedCount = 0;
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new' };
-    if (st.status === 'new') {
-      log(`  ${C.green}+ new${C.reset}       ${asset.title} ${C.dim}(${asset.files.length} files)${C.reset}`);
-      newCount++;
-    } else if (st.status === 'updated') {
-      log(`  ${C.yellow}~ updated${C.reset}   ${asset.title}`);
-      updatedCount++;
-    } else {
-      log(`  ${C.dim}= unchanged ${asset.title}${C.reset}`);
-      unchangedCount++;
-    }
+  // Each file becomes an asset for diff comparison
+  // But the primary asset is the whole push unit
+  const pushFiles = [];
+  for (const f of filesToCheck) {
+    let content;
+    try { content = fs.readFileSync(f.path, 'utf8'); } catch { continue; }
+    if (!content.trim()) continue;
+    pushFiles.push({ name: f.relPath, content });
   }
-  log('');
-  log(`  ${C.green}${newCount} new${C.reset}  ${C.yellow}${updatedCount} updated${C.reset}  ${C.dim}${unchangedCount} unchanged${C.reset}`);
-  if (newCount === 0 && updatedCount === 0) {
-    log('');
-    success('Everything is up to date!');
+  if (pushFiles.length === 0) {
+    info('No readable text files found.');
     return;
   }
-  log('');
-  // Confirm unless -y
-  if (!args.flags.yes) {
-    const confirm = await ask(`Push ${newCount + updatedCount} assets? (y/N):`);
-    if (confirm.toLowerCase() !== 'y') { log('Aborted.'); return; }
-  }
-  // Upsert each changed asset + save state
-  let successCount = 0;
-  let failCount = 0;
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new' };
-    if (st.status === 'unchanged') continue;
-    const totalChars = asset.files.reduce((sum, f) => sum + f.content.length, 0);
-    try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/upsert', {
-        title: asset.title,
-        files: asset.files,
-        tags: asset.tags,
-        token_cost: String(Math.round(totalChars / 4)),
-        visibility,
-      }, config.token, config.api);
-      const action = data.action === 'created' ? C.green + '+ created' : C.yellow + '~ updated';
-      log(`  ${action}${C.reset}  ${asset.title}  ${C.dim}${data.url}${C.reset}`);
-      // Save to local sync state
-      syncState[asset.sourcePath] = {
-        uuid: data.uuid,
-        hash: asset.hash,
-        title: asset.title,
-        url: data.url,
-        lastSync: new Date().toISOString(),
-      };
-      successCount++;
-    } catch (e) {
-      log(`  ${C.red}✗ failed${C.reset}   ${asset.title}: ${e.message}`);
-      failCount++;
-    }
-  }
-  // Persist sync state
-  writeSyncState(syncState);
-  log('');
-  if (failCount === 0) {
-    success(`Synced ${successCount} assets!`);
-  } else {
-    warn(`${successCount} synced, ${failCount} failed`);
-  }
-  log('');
-}
-async function cmdStatus() {
-  const args = parseArgs(process.argv);
-  const config = readConfig();
-  if (!config || !config.token) error(`Not logged in. Run: ${C.cyan}tokrepo login${C.reset}`);
-  const targetDir = args.positional[0]
-    ? path.resolve(args.positional[0])
-    : path.join(require('os').homedir(), '.claude', 'skills');
-  if (!fs.existsSync(targetDir)) {
-    error(`Directory not found: ${targetDir}`);
+  // Compute content hash matching backend's computeContentHash format
+  const h = crypto.createHash('sha256');
+  for (const f of pushFiles) {
+    h.update(f.name);
+    h.update('\0');
+    h.update(f.content);
+    h.update('\0');
   }
+  const localHash = h.digest('hex');
-  log(`\n${C.bold}tokrepo status${C.reset}\n`);
-  info(`Scanning ${targetDir}...`);
+  assets.push({ title: titleBase, content_hash: localHash });
-  const assets = scanDirectory(targetDir);
-  if (assets.length === 0) {
-    info('No assets found in directory.');
-    return;
-  }
+  info('Comparing local files with remote...');
-  // Check local sync state first, remote for unknowns
-  const syncState = readSyncState();
-  const localStatus = {};
-  const needsRemoteCheck = [];
-  for (const asset of assets) {
-    const cached = syncState[asset.sourcePath];
-    if (cached && cached.hash === asset.hash) {
-      localStatus[asset.title] = { status: 'unchanged', uuid: cached.uuid };
-    } else if (cached && cached.hash !== asset.hash) {
-      localStatus[asset.title] = { status: 'updated', uuid: cached.uuid };
-    } else {
-      needsRemoteCheck.push(asset);
+  try {
+    const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets }, config.token, config.api);
+    log('');
+    for (const r of data.results) {
+      const icon = r.status === 'new' ? `${C.green}+ new${C.reset}`
+        : r.status === 'updated' ? `${C.yellow}~ modified${C.reset}`
+        : `${C.dim}= unchanged${C.reset}`;
+      log(`  ${icon}  ${r.title}${r.remote_uuid ? ` ${C.dim}(${r.remote_uuid.substring(0, 8)}...)${C.reset}` : ''}`);
     }
-  }
+    log('');
-  if (needsRemoteCheck.length > 0) {
-    info('Comparing with remote...');
-    const diffPayload = needsRemoteCheck.map(a => ({ title: a.title, content_hash: a.hash }));
-    try {
-      const data = await apiRequest('POST', '/api/v1/tokenboard/push/diff', { assets: diffPayload }, config.token, config.api);
-      for (const r of data.results) {
-        localStatus[r.title] = { status: r.status, uuid: r.remote_uuid || '' };
-      }
-    } catch (e) {
-      error(`Diff API error: ${e.message}`);
-    }
-  }
+    const newCount = data.results.filter(r => r.status === 'new').length;
+    const updatedCount = data.results.filter(r => r.status === 'updated').length;
+    const unchangedCount = data.results.filter(r => r.status === 'unchanged').length;
-  log('');
-  let newCount = 0, updatedCount = 0, unchangedCount = 0;
-  for (const asset of assets) {
-    const st = localStatus[asset.title] || { status: 'new', uuid: '' };
-    const status = st.status;
-    const uuid = st.uuid || '';
-    const uuidShort = uuid ? ` ${C.dim}(${uuid.substring(0, 8)})${C.reset}` : '';
-    if (status === 'new') {
-      log(`  ${C.green}+ new${C.reset}       ${asset.title} ${C.dim}(${asset.files.length} files)${C.reset}`);
-      newCount++;
-    } else if (status === 'updated') {
-      log(`  ${C.yellow}~ modified${C.reset}  ${asset.title}${uuidShort}`);
-      updatedCount++;
+    if (newCount || updatedCount) {
+      info(`${newCount ? newCount + ' new' : ''}${newCount && updatedCount ? ', ' : ''}${updatedCount ? updatedCount + ' modified' : ''}. Run ${C.cyan}tokrepo push${C.reset} to sync.`);
     } else {
-      log(`  ${C.dim}  unchanged ${asset.title}${uuidShort}${C.reset}`);
-      unchangedCount++;
+      success('Everything up to date.');
     }
+  } catch (e) {
+    error(`Status check failed: ${e.message}`);
   }
-  log('');
-  log(`  ${C.bold}${assets.length}${C.reset} local assets: ${C.green}${newCount} new${C.reset}  ${C.yellow}${updatedCount} modified${C.reset}  ${C.dim}${unchangedCount} synced${C.reset}`);
-  if (newCount > 0 || updatedCount > 0) {
-    log(`\n  Run ${C.cyan}tokrepo sync ${args.positional[0] || ''}${C.reset} to push changes`);
-  }
-  log('');
 }
 function showHelp() {
   log(`
 ${C.bold}tokrepo${C.reset} — AI assets for humans and agents. Like GitHub, for AI experience.
+  ${C.dim}You control what gets pushed. Each push uploads only the files you specify.
+  Nothing is shared without your explicit action. Private by default.${C.reset}
 ${C.bold}QUICK START${C.reset}
   ${C.cyan}tokrepo search cursor rules${C.reset}             # find assets
   ${C.cyan}tokrepo install awesome-cursor-rules${C.reset}    # install to your project
-  ${C.cyan}tokrepo push --public .${C.reset}                 # share your own assets
+  ${C.cyan}tokrepo push --private my-skill.md${C.reset}      # save privately (only you can see)
+  ${C.cyan}tokrepo push --public my-skill.md${C.reset}       # share publicly
 ${C.bold}USAGE${C.reset}
   tokrepo <command> [args] [options]
@@ -1317,26 +1282,26 @@ ${C.bold}USAGE${C.reset}
 ${C.bold}DISCOVER & INSTALL${C.reset}
   ${C.cyan}search${C.reset} <query>      Search assets by keyword
   ${C.cyan}install${C.reset} <name|uuid> Smart install (auto-detects type & placement)
-  ${C.cyan}pull${C.reset} <url|uuid>     Download raw asset files
+  ${C.cyan}pull${C.reset} <url|uuid|@u/n> Download raw asset files
+  ${C.cyan}clone${C.reset} @username      Clone all assets from a user
-${C.bold}PUBLISH & SYNC${C.reset}
-  ${C.cyan}push${C.reset} [files...]     Push files/directory (creates new asset)
-  ${C.cyan}sync${C.reset} [dir]          Sync directory to TokRepo (smart upsert)
-  ${C.cyan}status${C.reset} [dir]        Show local vs remote diff
+${C.bold}PUBLISH${C.reset}
+  ${C.cyan}push${C.reset} [files...]     Push files/directory (idempotent upsert)
+  ${C.cyan}status${C.reset}              Compare local vs remote (like git status)
   ${C.cyan}init${C.reset}                Create .tokrepo.json project config
-  ${C.cyan}update${C.reset} <uuid> [f]   Update existing asset by UUID
+  ${C.cyan}update${C.reset} <uuid> [f]   Update existing asset
   ${C.cyan}delete${C.reset} <uuid>       Delete an asset
 ${C.bold}ACCOUNT${C.reset}
-  ${C.cyan}login${C.reset}               Save API token
+  ${C.cyan}login${C.reset}               Save API token (or set TOKREPO_TOKEN env var)
   ${C.cyan}list${C.reset}                List your published assets
   ${C.cyan}tags${C.reset}                List available tags
   ${C.cyan}whoami${C.reset}              Show current user
   ${C.cyan}help${C.reset}                Show this help
 ${C.bold}PUSH OPTIONS${C.reset}
-  ${C.cyan}--public${C.reset}            Make asset publicly visible (default)
-  ${C.cyan}--private${C.reset}           Make asset private
+  ${C.cyan}--private${C.reset}           Keep asset private — only you can see it (recommended for personal assets)
+  ${C.cyan}--public${C.reset}            Share asset publicly with the community
   ${C.cyan}--title${C.reset} "..."       Set title (auto-detected from README or dir name)
   ${C.cyan}--desc${C.reset} "..."        Set description
   ${C.cyan}--tag${C.reset} Skills        Add tag (repeatable)
@@ -1348,21 +1313,13 @@ ${C.bold}INSTALL BEHAVIOR${C.reset}
   MCP      → current dir        (.json)
   Prompts  → current dir        (.md)
-${C.bold}SYNC (the killer feature)${C.reset}
-  ${C.cyan}tokrepo sync ~/.claude/skills/${C.reset}          # Sync all skills (default: private)
-  ${C.cyan}tokrepo sync ~/.claude/skills/ --public${C.reset} # Sync as public assets
-  ${C.cyan}tokrepo sync . -y${C.reset}                       # Sync current dir, skip confirm
-  ${C.cyan}tokrepo status${C.reset}                          # Show what would change
-  Sync scans a directory, detects new/modified assets, and pushes only
-  what changed. Each subdirectory becomes one asset. Loose files become
-  individual assets. Like ${C.bold}git push${C.reset} for your AI assets.
 ${C.bold}EXAMPLES${C.reset}
   tokrepo search "mcp server"                 # Find MCP configs
   tokrepo install ca000374-f5d8-...           # Install by UUID
-  tokrepo push --public .                     # Push current directory
-  tokrepo push --public --title "My MCP" .    # Push with custom title
+  tokrepo push --private my-rules.md          # Save one file privately
+  tokrepo push --public skill.md              # Share one file publicly
+  tokrepo push --private .                    # Push current dir as private
+  tokrepo push --public --title "My MCP" .    # Push dir publicly with title
 ${C.bold}FILE TYPE AUTO-DETECTION${C.reset}
   .sh .py .js .ts .mjs .go .rs  →  script
@@ -1371,8 +1328,12 @@ ${C.bold}FILE TYPE AUTO-DETECTION${C.reset}
   .prompt .prompt.md            →  prompt
   .md (other)                   →  other
+${C.bold}AGENT / CI SETUP${C.reset}
+  export TOKREPO_TOKEN=tk_xxx          # skip login, agents use this
+  export TOKREPO_API=https://...       # optional custom API endpoint
 ${C.bold}GET YOUR TOKEN${C.reset}
-  https://tokrepo.com/en/workflows/submit
+  https://tokrepo.com/en/my/settings
 `);
 }
@@ -1385,15 +1346,15 @@ async function main() {
     case 'login': await cmdLogin(); break;
     case 'init': await cmdInit(); break;
     case 'push': await cmdPush(); break;
-    case 'sync': await cmdSync(); break;
-    case 'status': case 'st': await cmdStatus(); break;
     case 'pull': await cmdPull(); break;
     case 'search': case 'find': await cmdSearch(); break;
     case 'install': case 'i': await cmdInstall(); break;
     case 'list': await cmdList(); break;
     case 'update': await cmdUpdate(); break;
     case 'delete': await cmdDelete(); break;
+    case 'clone': await cmdClone(); break;
     case 'tags': await cmdTags(); break;
+    case 'status': case 'diff': await cmdStatus(); break;
     case 'whoami': await cmdWhoami(); break;
     case '--version': case '-v': case 'version':
       log(`tokrepo ${CLI_VERSION}`); break;

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "tokrepo",
-  "version": "3.2.0",
-  "description": "AI assets for humans and agents — sync, search, install, push. Like git push for your AI skills.",
+  "version": "3.3.1",
+  "description": "AI assets for humans and agents — search, install, push. Like GitHub, for AI experience.",
   "bin": {
     "tokrepo": "bin/tokrepo.js"
   },
@@ -11,7 +11,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/henu-wang/tokrepo-cli.git"
+    "url": "git+https://github.com/tokrepo/cli.git"
   },
   "homepage": "https://tokrepo.com",
   "keywords": [