feat(sdk-typescript): add download methods, remove dead code#32
Open
shwetank-dev wants to merge 10 commits intomainfrom
Open
feat(sdk-typescript): add download methods, remove dead code#32shwetank-dev wants to merge 10 commits intomainfrom
shwetank-dev wants to merge 10 commits intomainfrom
Conversation
Add two new public methods to MpakClient:
- downloadContent(url, sha256): low-level fetch + SHA-256 verification,
returns a Buffer. Works for any downloadable artifact.
- downloadBundle(name, version?, platform?): high-level method that
resolves bundle download info via the registry API, then downloads
and verifies the binary. Defaults to latest version and auto-detected
platform. Returns { bundleRaw, bundleMetadata }.
Also update computeSha256 to accept Buffer in addition to string.
Includes unit tests for both methods covering happy path, integrity
errors, network errors, and 404 propagation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add downloadSkillBundle(name, version?) to MpakClient, mirroring the
downloadBundle method for consistency. Internally uses
getSkillVersionDownload with 'latest' as default version, matching
how downloadBundle uses getBundleDownload with 'latest'.
Both download methods now follow the same pattern:
- Resolve download info from registry API
- Fetch binary via downloadContent (shared fetch + SHA-256 verify)
- Return { raw, metadata } with verified buffer and artifact metadata
Includes unit tests covering happy path, version defaulting to latest,
404 propagation, and SHA-256 integrity error propagation.
All monorepo tests pass (55 SDK, 105 CLI, 65 registry, 64 schemas, 61 web).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment out the following methods and types that are not used by the CLI or any external consumer, marked with TODO for removal once approved: Methods removed from client.ts: - downloadSkillContent: replaced by downloadContent + downloadSkillBundle - resolveSkillRef: not used outside SDK - resolveMpakSkill, resolveGithubSkill, resolveUrlSkill: private helpers for resolveSkillRef - extractSkillFromZip: peeked inside zip content, no longer needed - verifyIntegrityOrThrow, extractHash: private helpers for resolve methods Types commented out from index.ts exports: - SkillReference, MpakSkillReference, GithubSkillReference, UrlSkillReference, ResolvedSkill Also: - Remove jszip mention from class doc (no longer used) - Update index.ts module example to show downloadBundle/downloadSkillBundle - Comment out downloadSkillContent tests (replaced by downloadContent tests) - Add TODO comment noting getSkillDownload and getSkillVersionDownload should be merged to mirror getBundleDownload once CLI is updated SDK build size reduced from 16.83KB to 12.34KB (ESM). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comment out SkillReferenceBase, MpakSkillReference, GithubSkillReference, UrlSkillReference, SkillReference, and ResolvedSkill from types.ts. These types supported the now-commented-out resolveSkillRef functionality and are not used by the CLI or any external consumer. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…SkillBundle Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mgoldsborough
requested changes
Mar 10, 2026
Contributor
mgoldsborough
left a comment
mgoldsborough
left a comment
There was a problem hiding this comment.
Clean up all the old code/comments etc - it's a relatively small PR but the diff is super messy with more than half the lines just comments.
Contributor
|
I'd also recommend switching Buffer to Three things to change:
Plus test updates. |
…ip to devDependencies Remove all commented-out methods, types, and TODO markers per PR review. Move jszip from dependencies to devDependencies since it's only used in integration tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…eturn fields Switch download methods from Node-specific Buffer to standard Uint8Array for cross-runtime compatibility. Rename return fields from bundleRaw/bundleMetadata and skillRaw/skillMetadata to data/metadata. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
Author
|
@mgoldsborough if you can clear this one, then it we can dogfood this in the CLI. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds three new public methods to
MpakClientfor downloading bundles and skills with SHA-256 integrity verification. Removes dead code that was not used by the CLI or any external consumer.New methods
downloadContent(url, sha256)— Low-level fetch + SHA-256 verification. Returns a verifiedBuffer. Shared by both bundle and skill downloads.downloadBundle(name, version?, platform?)— Downloads an MCP bundle by name. Defaults to latest version and auto-detected platform. Returns{ bundleRaw, bundleMetadata }.downloadSkillBundle(name, version?)— Downloads a skill bundle by name. Defaults to latest version. Returns{ skillRaw, skillMetadata }. Internally usesgetSkillVersionDownloadwith'latest'to mirror howdownloadBundleusesgetBundleDownload.Smoke tests
Added integration smoke tests for
downloadBundleanddownloadSkillBundlethat hit the realregistry.mpak.devAPI:downloadBundle— downloads@nimblebraininc/echo, verifies buffer, metadata, SHA-256, and sizedownloadSkillBundle— downloads@nimblebraininc/ipinfo, verifies buffer, metadata, SHA-256, and sizeDead code commented out (with TODO markers)
The removed code (
resolveSkillRef,extractSkillFromZip, GitHub/URL resolvers, etc.) was built around two assumptions we've moved away from:Commented-out methods:
downloadSkillContent,resolveSkillRef,resolveMpakSkill,resolveGithubSkill,resolveUrlSkill,extractSkillFromZip,verifyIntegrityOrThrow,extractHashCommented-out types:
SkillReference,MpakSkillReference,GithubSkillReference,UrlSkillReference,ResolvedSkillThe
jszipdependency is no longer used at runtime.Follow-up items
getSkillDownloadandgetSkillVersionDownloadinto a single method mirroringgetBundleDownload(blocked by CLI usage)README.mdwith new method documentationtest:integration) to CI/CD pipelineTest plan
downloadBundleanddownloadSkillBundleagainst live registrypnpm typecheckpasses across full monorepo (CLI still compiles)pnpm testpasses across full monorepo (51 SDK, 105 CLI, 65 registry, 64 schemas, 61 web)🤖 Generated with Claude Code