RFC: Project-level skills lock file #80

Open. samuv wants to merge 4 commits into main from rfc-skills-lock-file

samuv (Contributor) commented Jul 3, 2026

Summary

Proposes a project-level lock file (toolhive.lock.yaml) that pins the name, version, source, resolved reference, and digest of every project-scoped skill install, bringing skills the reproducibility guarantees that package-lock.json, Cargo.lock, and go.sum provide elsewhere.

  • Problem: thv skill install --scope project leaves no shareable, version-controlled pin, so teammates cloning a repo get whatever the catalog currently serves.
  • Lock file: committed at the project root, client-agnostic, entries sorted for stable diffs; designed as the general ToolHive project lock (skills: today, room for plugins: later).
  • New commands:
    • thv skill sync — restore the pinned skill set (drift reported distinctly; --check gives CI an npm ci-style gate; --prune removes unmanaged skills).
    • thv skill upgrade — re-resolve each entry's original source and rewrite the pin on digest change; immutable pins (OCI digests, full commit hashes) are never re-resolved.
  • Out of scope: manifest/constraint resolution, per-client pinning, dependency graphs, user-scope installs.

POC implementation: stacklok/toolhive#5715
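
The drift check and the immutable-pin rule summarized above, as an added sketch that is not part of the PR description and is neither ToolHive's code nor the RFC's schema. The Go field names, the `@sha256:` / `@<commit>` source syntax, the finding labels and the sample entries are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Entry holds the five pinned fields named in the RFC summary; the Go field names are assumed.
type Entry struct{ Name, Version, Source, Resolved, Digest string }

// Assumed source syntax: "<ref>@sha256:<64 hex>" (OCI digest) or "<repo>@<40 hex>" (full commit).
var immutableRef = regexp.MustCompile(`@(sha256:[0-9a-f]{64}|[0-9a-f]{40})$`)

// Immutable reports whether the source is content-addressed, leaving an upgrade nothing to re-resolve.
func Immutable(e Entry) bool { return immutableRef.MatchString(e.Source) }

// Check compares pinned digests with installed ones (name -> digest); an empty result means no drift.
func Check(lock []Entry, installed map[string]string) []string {
	var drift []string
	pinned := make(map[string]bool, len(lock))
	for _, e := range lock {
		pinned[e.Name] = true
		if got, ok := installed[e.Name]; !ok {
			drift = append(drift, "missing: "+e.Name)
		} else if got != e.Digest {
			drift = append(drift, "digest-mismatch: "+e.Name)
		}
	}
	for name := range installed {
		if !pinned[name] {
			drift = append(drift, "unmanaged: "+name)
		}
	}
	sort.Strings(drift) // stable output, in the spirit of the sorted lock entries
	return drift
}

// Sample returns constructed data: a drifted tag pin, an absent digest pin, one unmanaged skill.
func Sample() ([]Entry, map[string]string) {
	a, b := "sha256:"+strings.Repeat("a", 64), "sha256:"+strings.Repeat("b", 64)
	lock := []Entry{
		{"code-review", "1.2.0", "ghcr.io/example/code-review:1.2.0", a, a},
		{"sql-lint", "0.4.1", "ghcr.io/example/sql-lint@" + b, b, b},
	}
	return lock, map[string]string{"code-review": b, "scratch": a}
}

func main() { fmt.Println(strings.Join(Check(Sample()), "\n")) }
```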

samuv and others added 4 commits July 3, 2026 16:40
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>