Teamup

soroushdes/Teamup

Fork 0

Commit Graph

Author	SHA1	Message	Date
soroush.asadi	62883ed01f	Skill marketplace: publish, install, org-aware listing (+ adversarial-review fixes) Orgs can now share skills across the tenant boundary — the next step after the per-org library. Endpoints (all ManageSkills-gated + audited): - POST /{key}/publish — list one of your published versions on the marketplace (Visibility→Public; only a Published/golden-tested skill may be listed). POST /{key}/unpublish reverses it. - POST /install — copy a publicly-listed skill (by row id) into your org as a private Installed copy; rejects installing your own skill and duplicate (org+key+version) installs. - GET /marketplace?organizationId= — other orgs' Authored+Public+Published skills (yours excluded), each flagged whether that exact (key, version) is already in your library. - SkillSummary now carries Id (install targets a specific source row). Authored skills default to private — listing is an explicit publish step, never a side effect of authoring. UI (Skills page): a Marketplace tab with Install / "In your library"; Publish / Unlist on your own published skills; a "Listed" badge. Fixes from the adversarial review (4 confirmed findings, all addressed): - HIGH — Public⟹Published is now a domain invariant (Skill.Index forces PrivateToOrg whenever the re-derived status isn't Published), so re-authoring a listed version without golden tests can no longer leave it Public+Draft or decouple the marketplace gate from the eval gate. - MEDIUM — install now uses an insert-only indexer path so the (org,key,version) unique index is the source of truth: a race with a concurrent install/author becomes a clean 409, never an in-place clobber of an existing row's content/ownership. - MEDIUM/LOW — AlreadyInLibrary is computed per (key, version) to match the install conflict rule, so a newer, not-yet-owned version of a key you already hold still shows as installable. Verified: ArchitectureTests 8/8, IntegrationTests 47/47 (SkillMarketplaceTests: publish gate, own-org exclusion, cross-org list→install→private copy, duplicate 409, per-version flag, Public⟹Published invariant, Member 403), client build green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-13 12:27:22 +03:30
soroush.asadi	fad476f115	Dynamic per-org skill library: in-app authoring, versioning, fork (+ marketplace seam) Skills move from a global Git-only registry to a per-company library that orgs author and version in-app — Git stays as the shared starter library. Domain & persistence: - Skill gains OrganizationId (null = shared builtin, visible to every org), Origin (Builtin \| Authored \| Installed), AuthoredByMemberId. Identity is now (OrganizationId, SkillKey, Version); the unique index uses NULLS NOT DISTINCT so builtins stay unique by key+version while each org gets its own namespace (and can fork a builtin). AddSkillOwnership migration backfills existing rows as Builtin. - Owned GoldenExample rows are cloned in Skill.Index so a fork can't re-parent the source's tracked entities. Authoring (tenant, dynamic): - POST /api/skills/authored — structured fields → same indexer pipeline (embedding + publish gate apply identically), tagged org + author. POST /api/skills/{key}/fork copies a builtin/global skill into your org as an editable Authored draft. List/Get are org-scoped (your org + shared builtins). New Capability.ManageSkills (Owner + TeamOwner), audited. - GET /api/skills/marketplace: read-only seam listing public skills across orgs (install is the next step). Security (from adversarial review — two confirmed criticals): - Managing shared builtins is an operator action, not a tenant one. /index (posts arbitrary content as a global builtin) and /sync (re-indexes the shared library) now require a platform admin key (X-Skills-Admin-Key, fixed-time compare, fail-closed when unset) via SkillAdminOptions — previously any authenticated user of any org could inject/poison global skills. New test asserts an authenticated Owner without the key gets 403 on both. UI: new /skills library page — browse shared + org skills grouped by key with their versions, create / new-version / fork, golden-test editor + body, Draft/Published badge and the publish-gate hint (needs roles + ≥1 golden test). Verified: ArchitectureTests 8/8, IntegrationTests 46/46 (new SkillLibraryTests: org isolation, version coexistence, fork, publish gate, Member 403, admin-gate 403), client build green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-13 11:09:02 +03:30

Author

SHA1

Message

Date

soroush.asadi

62883ed01f

Skill marketplace: publish, install, org-aware listing (+ adversarial-review fixes)

Orgs can now share skills across the tenant boundary — the next step after the per-org library.

Endpoints (all ManageSkills-gated + audited):
- POST /{key}/publish — list one of your published versions on the marketplace (Visibility→Public;
  only a Published/golden-tested skill may be listed). POST /{key}/unpublish reverses it.
- POST /install — copy a publicly-listed skill (by row id) into your org as a private Installed
  copy; rejects installing your own skill and duplicate (org+key+version) installs.
- GET /marketplace?organizationId= — other orgs' Authored+Public+Published skills (yours excluded),
  each flagged whether that exact (key, version) is already in your library.
- SkillSummary now carries Id (install targets a specific source row). Authored skills default to
  private — listing is an explicit publish step, never a side effect of authoring.

UI (Skills page): a Marketplace tab with Install / "In your library"; Publish / Unlist on your own
published skills; a "Listed" badge.

Fixes from the adversarial review (4 confirmed findings, all addressed):
- HIGH — Public⟹Published is now a domain invariant (Skill.Index forces PrivateToOrg whenever the
  re-derived status isn't Published), so re-authoring a listed version without golden tests can no
  longer leave it Public+Draft or decouple the marketplace gate from the eval gate.
- MEDIUM — install now uses an insert-only indexer path so the (org,key,version) unique index is the
  source of truth: a race with a concurrent install/author becomes a clean 409, never an in-place
  clobber of an existing row's content/ownership.
- MEDIUM/LOW — AlreadyInLibrary is computed per (key, version) to match the install conflict rule, so
  a newer, not-yet-owned version of a key you already hold still shows as installable.

Verified: ArchitectureTests 8/8, IntegrationTests 47/47 (SkillMarketplaceTests: publish gate, own-org
exclusion, cross-org list→install→private copy, duplicate 409, per-version flag, Public⟹Published
invariant, Member 403), client build green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-13 12:27:22 +03:30

soroush.asadi

fad476f115

Dynamic per-org skill library: in-app authoring, versioning, fork (+ marketplace seam)

Skills move from a global Git-only registry to a per-company library that orgs author and
version in-app — Git stays as the shared *starter* library.

Domain & persistence:
- Skill gains OrganizationId (null = shared builtin, visible to every org), Origin
  (Builtin | Authored | Installed), AuthoredByMemberId. Identity is now
  (OrganizationId, SkillKey, Version); the unique index uses NULLS NOT DISTINCT so builtins
  stay unique by key+version while each org gets its own namespace (and can fork a builtin).
  AddSkillOwnership migration backfills existing rows as Builtin.
- Owned GoldenExample rows are cloned in Skill.Index so a fork can't re-parent the source's
  tracked entities.

Authoring (tenant, dynamic):
- POST /api/skills/authored — structured fields → same indexer pipeline (embedding +
  publish gate apply identically), tagged org + author. POST /api/skills/{key}/fork copies a
  builtin/global skill into your org as an editable Authored draft. List/Get are org-scoped
  (your org + shared builtins). New Capability.ManageSkills (Owner + TeamOwner), audited.
- GET /api/skills/marketplace: read-only seam listing public skills across orgs (install is
  the next step).

Security (from adversarial review — two confirmed criticals):
- Managing shared builtins is an operator action, not a tenant one. /index (posts arbitrary
  content as a global builtin) and /sync (re-indexes the shared library) now require a
  platform admin key (X-Skills-Admin-Key, fixed-time compare, fail-closed when unset) via
  SkillAdminOptions — previously any authenticated user of any org could inject/poison global
  skills. New test asserts an authenticated Owner without the key gets 403 on both.

UI: new /skills library page — browse shared + org skills grouped by key with their versions,
create / new-version / fork, golden-test editor + body, Draft/Published badge and the
publish-gate hint (needs roles + ≥1 golden test).

Verified: ArchitectureTests 8/8, IntegrationTests 46/46 (new SkillLibraryTests: org
isolation, version coexistence, fork, publish gate, Member 403, admin-gate 403), client build
green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-13 11:09:02 +03:30

2 Commits