fix(skills): address review findings on marketplace branch

- controller: mirror contentHash + publishes on Go InstanceSpec/SkillRef so hibernate/wake round-trips preserve them
- api-server: forward session instanceId from MCP list_skill_sources so template-seeded sources surface
- api-server-api: make instanceId optional on listSkills; service throws PRECONDITION_FAILED when private fallback needs an instance
- api-server: drop dead AgentRuntimeSkillsClient.readLocal + LocalSkillFile and matching test mocks
- api-server: wrap instancesRepo.updateSpec in retryOnConflict to handle concurrent MCP + UI writers

Signed-off-by: Petr Bulánek <[email protected]>

Author: PetrBulanek

packages/api-server-api/src/modules/skills/router.ts

@@ -65,10 +65,13 @@ export const skillsRouter = t.router({
       .mutation(({ ctx, input }) => ctx.skills.refreshSource(input.id)),
   }),
 
+  /** `instanceId` is optional — public-archive scans don't need an instance.
+   *  Private-source scans (that fall through to the authenticated
+   *  agent-runtime path) will throw with a clear hint if it's missing. */
   listSkills: t.procedure
     .input(z.object({
       sourceId: z.string().min(1),
-      instanceId: z.string().min(1),
+      instanceId: z.string().min(1).optional(),
     }))
     .output(z.array(skillViewSchema))
     .query(async ({ ctx, input }) => {

packages/api-server-api/src/modules/skills/types.ts

@@ -120,7 +120,7 @@ export interface SkillsService {
   createSource: (input: CreateSkillSourceInput) => Promise<SkillSource>;
   deleteSource: (id: string) => Promise<void>;
   refreshSource: (id: string) => Promise<void>;
-  listSkills: (sourceId: string, instanceId: string) => Promise<Skill[]>;
+  listSkills: (sourceId: string, instanceId?: string) => Promise<Skill[]>;
   installSkill: (input: InstallSkillInput) => Promise<SkillRef[]>;
   uninstallSkill: (input: UninstallSkillInput) => Promise<SkillRef[]>;
   listLocal: (instanceId: string) => Promise<LocalSkill[]>;

packages/api-server/src/__tests__/unit/publish-service.test.ts

@@ -47,7 +47,6 @@ function makeDeps() {
     install: vi.fn(),
     uninstall: vi.fn(),
     listLocal: vi.fn(),
-    readLocal: vi.fn(),
     publish: vi.fn().mockResolvedValue({
       prUrl: "https://github.com/foo/bar/pull/1",
       branch: "humr/publish-demo-20260101000000",

packages/api-server/src/__tests__/unit/skills-mcp-tools.test.ts

@@ -38,6 +38,14 @@ describe("skills MCP tool handlers", () => {
     expect(JSON.parse(res.content[0].text)).toEqual([SOURCE]);
   });
 
+  it("list_skill_sources forwards the session instanceId so template-seeded sources are included", async () => {
+    const listSources = vi.fn<SkillsService["listSources"]>().mockResolvedValue([SOURCE]);
+    const t = createSkillsToolHandlers(SESSION_INSTANCE_ID, makeSkills({ listSources }));
+    await t.listSources();
+    expect(listSources).toHaveBeenCalledTimes(1);
+    expect(listSources).toHaveBeenCalledWith(SESSION_INSTANCE_ID);
+  });
+
   it("list_skills_in_source rejects an unknown sourceId without calling listSkills", async () => {
     const listSkills = vi.fn<SkillsService["listSkills"]>().mockResolvedValue([]);
     const t = createSkillsToolHandlers(SESSION_INSTANCE_ID, makeSkills({

packages/api-server/src/__tests__/unit/skills-service.test.ts

@@ -103,7 +103,6 @@ function makeEnv(opts: {
     install: runtimeInstall,
     uninstall: runtimeUninstall,
     listLocal: vi.fn<AgentRuntimeSkillsClient["listLocal"]>().mockResolvedValue([]),
-    readLocal: vi.fn<AgentRuntimeSkillsClient["readLocal"]>().mockResolvedValue([]),
     publish: vi.fn<AgentRuntimeSkillsClient["publish"]>().mockResolvedValue({ prUrl: "x", branch: "y" }),
     scan: vi.fn<AgentRuntimeSkillsClient["scan"]>().mockResolvedValue([]),
   };
@@ -219,7 +218,6 @@ describe("skills-service install", () => {
         install: env.runtimeInstall,
         uninstall: env.runtimeUninstall,
         listLocal: vi.fn(),
-        readLocal: vi.fn(),
         publish: vi.fn(),
         scan: vi.fn(),
       },
@@ -318,7 +316,6 @@ describe("skills-service listLocal", () => {
         install: vi.fn(),
         uninstall: vi.fn(),
         listLocal: runtimeListLocal,
-        readLocal: vi.fn(),
         publish: vi.fn(),
         scan: vi.fn(),
       },
@@ -356,7 +353,6 @@ describe("skills-service listLocal", () => {
         install: vi.fn(),
         uninstall: vi.fn(),
         listLocal: runtimeListLocal,
-        readLocal: vi.fn(),
         publish: vi.fn(),
         scan: vi.fn(),
       },
@@ -383,7 +379,6 @@ describe("skills-service listLocal", () => {
         install: vi.fn(),
         uninstall: vi.fn(),
         listLocal: runtimeListLocal,
-        readLocal: vi.fn(),
         publish: vi.fn(),
         scan: vi.fn(),
       },
@@ -414,7 +409,6 @@ describe("skills-service listSkills routing", () => {
       install: vi.fn(),
       uninstall: vi.fn(),
       listLocal: vi.fn(),
-      readLocal: vi.fn(),
       publish: vi.fn(),
       scan: opts.runtimeScan,
     };
@@ -564,7 +558,6 @@ describe("skills-service listSkills routing", () => {
         install: vi.fn(),
         uninstall: vi.fn(),
         listLocal: vi.fn(),
-        readLocal: vi.fn(),
         publish: vi.fn(),
         scan: runtimeScan,
       },
@@ -596,7 +589,6 @@ describe("skills-service getState (ghost reconciliation)", () => {
       install: vi.fn(),
       uninstall: vi.fn(),
       listLocal: vi.fn().mockResolvedValue(opts.local ?? []),
-      readLocal: vi.fn(),
       publish: vi.fn(),
       scan: vi.fn(),
     };

packages/api-server/src/apps/harness-api-server/skills-tools.ts

@@ -36,7 +36,7 @@ export function createSkillsToolHandlers(instanceId: string, skills: SkillsServi
   return {
     async listSources(): Promise<ToolContent> {
       try {
-        const sources = await skills.listSources();
+        const sources = await skills.listSources(instanceId);
         return textResult(JSON.stringify(sources));
       } catch (err) {
         return formatToolError(err, "Failed to list skill sources");

packages/api-server/src/modules/agents/infrastructure/instances-repository.ts

@@ -13,6 +13,32 @@ import {
 } from "./poll-until-ready.js";
 import type { InfraInstance } from "../domain/instance-assembly.js";
 
+/** Matches K8s "The object has been modified..." 409 Conflict. */
+function is409(err: unknown): boolean {
+  return (
+    err instanceof Error &&
+    "code" in err &&
+    (err as { code: number }).code === 409
+  );
+}
+
+/** Re-run a read-modify-write routine when the K8s API rejects the write
+ *  with 409 Conflict. Mirrors the Go controller's `retry.RetryOnConflict`
+ *  so concurrent MCP + UI writers don't surface racy errors to the user. */
+async function retryOnConflict<T>(fn: () => Promise<T>): Promise<T> {
+  const MAX_ATTEMPTS = 5;
+  let lastErr: unknown;
+  for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (!is409(err)) throw err;
+      lastErr = err;
+    }
+  }
+  throw lastErr;
+}
+
 export interface InstancesRepository {
   list(owner?: string): Promise<InfraInstance[]>;
   get(id: string, owner?: string): Promise<InfraInstance | null>;
@@ -88,12 +114,17 @@ export function createInstancesRepository(k8s: K8sClient): InstancesRepository {
     },
 
     async updateSpec(id, owner, patch) {
-      const cm = await k8s.getConfigMap(id);
-      if (!cm) return null;
-      if (owner && !isOwnedBy(cm, owner)) return null;
-      cm.data = patchSpecField(cm, patch);
-      const updated = await k8s.replaceConfigMap(id, cm);
-      return parseInfraInstance(updated);
+      // read-modify-write under a conflict-retry loop: re-fetch the
+      // ConfigMap (fresh resourceVersion) on 409 so concurrent writers
+      // (MCP + UI, or two tabs) don't surface racy errors.
+      return retryOnConflict(async () => {
+        const cm = await k8s.getConfigMap(id);
+        if (!cm) return null;
+        if (owner && !isOwnedBy(cm, owner)) return null;
+        cm.data = patchSpecField(cm, patch);
+        const updated = await k8s.replaceConfigMap(id, cm);
+        return parseInfraInstance(updated);
+      });
     },
 
     async delete(id, owner?) {

packages/api-server/src/modules/skills/infrastructure/agent-runtime-client.ts

@@ -13,12 +13,6 @@ export interface UninstallSkillCall {
   skillPaths: string[];
 }
 
-export interface LocalSkillFile {
-  relPath: string;
-  content: string;
-  base64?: true;
-}
-
 export interface PublishSkillCall {
   name: string;
   skillPaths: string[];
@@ -55,12 +49,6 @@ export interface AgentRuntimeSkillsClient {
   install(instanceId: string, token: string, body: InstallSkillCall): Promise<InstallSkillResult>;
   uninstall(instanceId: string, token: string, body: UninstallSkillCall): Promise<void>;
   listLocal(instanceId: string, token: string, skillPaths: string[]): Promise<LocalSkill[]>;
-  readLocal(
-    instanceId: string,
-    token: string,
-    name: string,
-    skillPaths: string[],
-  ): Promise<LocalSkillFile[]>;
   publish(instanceId: string, token: string, body: PublishSkillCall): Promise<PublishSkillResult>;
   scan(instanceId: string, token: string, source: string): Promise<Skill[]>;
 }
@@ -138,12 +126,6 @@ export function createAgentRuntimeSkillsClient(namespace: string): AgentRuntimeS
       const { skills } = await getJson<{ skills: LocalSkill[] }>(url, token);
       return skills;
     },
-    async readLocal(instanceId, token, name, skillPaths) {
-      const qs = skillPaths.map((p) => `skillPaths=${encodeURIComponent(p)}`).join("&");
-      const url = `${base(instanceId)}/api/skills/local/${encodeURIComponent(name)}?${qs}`;
-      const { files } = await getJson<{ files: LocalSkillFile[] }>(url, token);
-      return files;
-    },
     publish: (instanceId, token, body) =>
       postJson<PublishSkillResult>(`${base(instanceId)}/api/skills/publish`, token, body),
     async scan(instanceId, token, source) {

packages/api-server/src/modules/skills/services/skills-service.ts

@@ -278,7 +278,7 @@ export function createSkillsService(deps: SkillsServiceDeps): SkillsService {
       }
     },
 
-    async listSkills(sourceId: string, instanceId: string) {
+    async listSkills(sourceId: string, instanceId?: string) {
       const src = await resolveSource(deps, sourceId);
       if (!src) return [];
 
@@ -298,7 +298,14 @@ export function createSkillsService(deps: SkillsServiceDeps): SkillsService {
       }
 
       // Private/authenticated path: delegate to agent-runtime inside a
-      // running instance pod, which uses OneCLI's token swap.
+      // running instance pod, which uses OneCLI's token swap. Without an
+      // instanceId we can't target a pod — refuse with a clear message.
+      if (!instanceId) {
+        throw new TRPCError({
+          code: "PRECONDITION_FAILED",
+          message: "source is private; select an instance to scan it",
+        });
+      }
       const infra = await deps.instancesRepo.get(instanceId, deps.owner);
       if (!infra) throw new TRPCError({ code: "NOT_FOUND", message: "instance not found" });
       if (infra.currentState !== "running") {

packages/controller/pkg/types/types.go

@@ -73,21 +73,37 @@ type MCPServerConfig struct {
 // --- Instance ---
 
 type InstanceSpec struct {
-	Version      string     `yaml:"version"`
-	DesiredState string     `yaml:"desiredState"`
-	AgentName    string     `yaml:"agentId,omitempty"`
-	Env          []EnvVar   `yaml:"env,omitempty"`
-	SecretRef    string     `yaml:"secretRef,omitempty"`
-	Description  string     `yaml:"description,omitempty"`
-	Skills       []SkillRef `yaml:"skills,omitempty"`
+	Version      string               `yaml:"version"`
+	DesiredState string               `yaml:"desiredState"`
+	AgentName    string               `yaml:"agentId,omitempty"`
+	Env          []EnvVar             `yaml:"env,omitempty"`
+	SecretRef    string               `yaml:"secretRef,omitempty"`
+	Description  string               `yaml:"description,omitempty"`
+	Skills       []SkillRef           `yaml:"skills,omitempty"`
+	Publishes    []SkillPublishRecord `yaml:"publishes,omitempty"`
 }
 
 // SkillRef identifies an installed skill on an instance.
 // Source is the source git URL; Name is the skill directory name; Version is a commit SHA.
+// ContentHash is mirrored from the TS api-server for drift detection; the Go
+// controller does not use it but must preserve it across spec round-trips.
 type SkillRef struct {
-	Source  string `yaml:"source"`
-	Name    string `yaml:"name"`
-	Version string `yaml:"version"`
+	Source      string `yaml:"source"`
+	Name        string `yaml:"name"`
+	Version     string `yaml:"version"`
+	ContentHash string `yaml:"contentHash,omitempty"`
+}
+
+// SkillPublishRecord mirrors the TS api-server's record of a successful
+// `publishSkill` call. The Go controller does not use these fields; they
+// exist only so spec round-trips (hibernate / wake / reconcile) preserve them.
+type SkillPublishRecord struct {
+	SkillName    string `yaml:"skillName"`
+	SourceID     string `yaml:"sourceId"`
+	SourceName   string `yaml:"sourceName"`
+	SourceGitURL string `yaml:"sourceGitUrl"`
+	PRURL        string `yaml:"prUrl"`
+	PublishedAt  string `yaml:"publishedAt"`
 }
 
 type InstanceStatus struct {