add private tools

Author: keithagroves

docs/private-tools-plan.md

@@ -8,8 +8,8 @@ Add a `--private` flag to `enact publish` that sets tool visibility. Private too
 
 ### Phases
 
-1. **Phase 1**: Basic private/public visibility
-2. **Phase 2**: Unlisted visibility + management command
+1. **Phase 1**: Basic private/public visibility ✅ **COMPLETE**
+2. **Phase 2**: Unlisted visibility + management command ✅ **COMPLETE** (merged with Phase 1)
 3. **Phase 3**: Individual collaborator access grants
 4. **Phase 4**: Organization-level tools and membership
 
@@ -24,9 +24,28 @@ Add a `--private` flag to `enact publish` that sets tool visibility. Private too
 
 ---
 
-## Phase 1: Basic Private Tools
+## Phase 1: Basic Private Tools ✅ IMPLEMENTED
 
-### 1.1 Database Schema Changes
+### Implementation Summary
+
+**Database Migration**: `packages/server/supabase/migrations/20251221000000_add_tool_visibility.sql`
+- Added `visibility` column with CHECK constraint
+- Updated RLS policies for tools and tool_versions
+
+**Search Migration**: `packages/server/supabase/migrations/20251221000001_update_search_for_visibility.sql`
+- Updated `search_tools_hybrid` function to only return public tools
+
+**CLI Changes**:
+- `enact publish --private` - Publish as private
+- `enact publish --unlisted` - Publish as unlisted
+- `enact visibility <tool> <visibility>` - Change tool visibility
+
+**API Changes**:
+- Added `visibility` field to publish form data
+- Added `PATCH /tools/{name}/visibility` endpoint
+- Added `visibility` field to tool metadata responses
+
+### Original 1.1 Database Schema Changes
 
 Add visibility column to the `tools` table:
 

packages/api/src/index.ts

@@ -60,6 +60,7 @@ export type {
   BundleInfo,
   SubmitAttestationOptions,
   AttestationResult,
+  ToolVisibility,
 } from "./publish";
 
 // =============================================================================

packages/api/src/publish.ts

@@ -102,6 +102,11 @@ export async function createBundle(toolDir: string): Promise<BundleInfo> {
   throw new Error(`createBundle not yet implemented for: ${toolDir}`);
 }
 
+/**
+ * Tool visibility levels
+ */
+export type ToolVisibility = "public" | "private" | "unlisted";
+
 /**
  * Publish a tool to the registry (v2 - multipart upload)
  *
@@ -116,7 +121,8 @@ export async function createBundle(toolDir: string): Promise<BundleInfo> {
  *   name: "alice/utils/greeter",
  *   manifest: { enact: "2.0.0", name: "alice/utils/greeter", version: "1.2.0", ... },
  *   bundle: bundle.data,
- *   rawManifest: "---\nenact: 2.0.0\n...\n---\n# My Tool\n\nDescription..."
+ *   rawManifest: "---\nenact: 2.0.0\n...\n---\n# My Tool\n\nDescription...",
+ *   visibility: "private"
  * });
  * console.log(`Published: ${result.bundleHash}`);
  * ```
@@ -129,9 +135,11 @@ export async function publishTool(
     bundle: ArrayBuffer | Uint8Array;
     /** The raw enact.md file content (frontmatter + markdown documentation) */
     rawManifest?: string | undefined;
+    /** Tool visibility: public, private, or unlisted */
+    visibility?: ToolVisibility | undefined;
   }
 ): Promise<PublishResult> {
-  const { name, manifest, bundle, rawManifest } = options;
+  const { name, manifest, bundle, rawManifest, visibility = "private" } = options;
 
   // Create FormData for multipart upload
   const formData = new FormData();
@@ -151,6 +159,9 @@ export async function publishTool(
     formData.append("raw_manifest", rawManifest);
   }
 
+  // Add visibility
+  formData.append("visibility", visibility);
+
   // Make multipart request (v2 endpoint is POST /tools/{name})
   const response = await fetch(`${client.getBaseUrl()}/tools/${name}`, {
     method: "POST",

packages/api/src/types.ts

@@ -51,6 +51,11 @@ export interface VersionMetadata {
     | undefined;
 }
 
+/**
+ * Tool visibility levels
+ */
+export type ToolVisibility = "public" | "private" | "unlisted";
+
 /**
  * Tool search result item
  */
@@ -67,6 +72,8 @@ export interface ToolSearchResult {
   author: ApiAuthor;
   /** Total downloads */
   downloads: number;
+  /** Tool visibility (only included for owner's own tools) */
+  visibility?: ToolVisibility | undefined;
   /** Trust status */
   trust_status?:
     | {
@@ -93,6 +100,8 @@ export interface ToolMetadata {
   repository?: string | undefined;
   /** Homepage URL */
   homepage?: string | undefined;
+  /** Tool visibility: public, private, or unlisted */
+  visibility?: ToolVisibility | undefined;
   /** Creation timestamp */
   created_at: string;
   /** Last update timestamp */

packages/api/tests/publish.test.ts

@@ -96,6 +96,73 @@ describe("publish module", () => {
       expect(result.name).toBeTruthy();
     });
 
+    test("supports visibility option", async () => {
+      const client = createApiClient({ authToken: "valid-token" });
+      const bundle = new TextEncoder().encode("mock bundle content");
+
+      // Test private visibility (default)
+      const privateResult = await publishTool(client, {
+        name: "alice/utils/private-tool",
+        manifest: {
+          enact: "2.0.0",
+          name: "alice/utils/private-tool",
+          version: "1.0.0",
+          description: "A private tool",
+        },
+        bundle,
+        visibility: "private",
+      });
+      expect(privateResult.name).toBeTruthy();
+
+      // Test public visibility
+      const publicResult = await publishTool(client, {
+        name: "alice/utils/public-tool",
+        manifest: {
+          enact: "2.0.0",
+          name: "alice/utils/public-tool",
+          version: "1.0.0",
+          description: "A public tool",
+        },
+        bundle,
+        visibility: "public",
+      });
+      expect(publicResult.name).toBeTruthy();
+
+      // Test unlisted visibility
+      const unlistedResult = await publishTool(client, {
+        name: "alice/utils/unlisted-tool",
+        manifest: {
+          enact: "2.0.0",
+          name: "alice/utils/unlisted-tool",
+          version: "1.0.0",
+          description: "An unlisted tool",
+        },
+        bundle,
+        visibility: "unlisted",
+      });
+      expect(unlistedResult.name).toBeTruthy();
+    });
+
+    test("defaults to private visibility when not specified", async () => {
+      const client = createApiClient({ authToken: "valid-token" });
+      const bundle = new TextEncoder().encode("mock bundle content");
+
+      // When visibility is not specified, it should default to private
+      const result = await publishTool(client, {
+        name: "alice/utils/default-visibility",
+        manifest: {
+          enact: "2.0.0",
+          name: "alice/utils/default-visibility",
+          version: "1.0.0",
+          description: "Default visibility test",
+        },
+        bundle,
+        // No visibility specified - should default to "private"
+      });
+
+      expect(result.name).toBeTruthy();
+    });
+
     test("requires authentication", async () => {
       const client = createApiClient({ baseUrl: "http://localhost" });
       const bundle = new TextEncoder().encode("mock bundle content");

packages/cli/src/commands/index.ts

@@ -30,3 +30,6 @@ export { configureInspectCommand } from "./inspect";
 // API v2 migration commands
 export { configureYankCommand } from "./yank";
 export { configureUnyankCommand } from "./unyank";
+
+// Private tools (Phase - visibility management)
+export { configureVisibilityCommand } from "./visibility";

packages/cli/src/commands/publish/index.ts

@@ -39,10 +39,15 @@ import { loadGitignore, shouldIgnore } from "../../utils/ignore";
 const AUTH_NAMESPACE = "enact:auth";
 const ACCESS_TOKEN_KEY = "access_token";
 
+/** Tool visibility levels */
+export type ToolVisibility = "public" | "private" | "unlisted";
+
 interface PublishOptions extends GlobalOptions {
   dryRun?: boolean;
   tag?: string;
   skipAuth?: boolean;
+  public?: boolean;
+  unlisted?: boolean;
 }
 
 /**
@@ -203,10 +208,18 @@ async function publishHandler(
   header(`Publishing ${toolName}@${version}`);
   newline();
 
+  // Determine visibility (private by default for security)
+  const visibility: ToolVisibility = options.public
+    ? "public"
+    : options.unlisted
+      ? "unlisted"
+      : "private";
+
   // Show what we're publishing
   keyValue("Name", toolName);
   keyValue("Version", version);
   keyValue("Description", manifest.description);
+  keyValue("Visibility", visibility);
   if (manifest.tags && manifest.tags.length > 0) {
     keyValue("Tags", manifest.tags.join(", "));
   }
@@ -290,6 +303,7 @@ async function publishHandler(
     info("Would publish to registry:");
     keyValue("Tool", toolName);
     keyValue("Version", version);
+    keyValue("Visibility", visibility);
     keyValue("Source", toolDir);
 
     // Show files that would be bundled
@@ -326,6 +340,7 @@ async function publishHandler(
       manifest: manifest as unknown as Record<string, unknown>,
       bundle,
       rawManifest: rawManifestContent,
+      visibility,
     });
   });
 
@@ -337,10 +352,15 @@ async function publishHandler(
 
   // Success output
   newline();
-  success(`Published ${result.name}@${result.version}`);
+  success(`Published ${result.name}@${result.version} (${visibility})`);
   keyValue("Bundle Hash", result.bundleHash);
   keyValue("Published At", result.publishedAt.toISOString());
   newline();
+  if (visibility === "private") {
+    dim("This tool is private - only you can access it.");
+  } else if (visibility === "unlisted") {
+    dim("This tool is unlisted - accessible via direct link, not searchable.");
+  }
   dim(`Install with: enact install ${toolName}`);
 }
 
@@ -356,6 +376,8 @@ export function configurePublishCommand(program: Command): void {
     .option("-v, --verbose", "Show detailed output")
     .option("--skip-auth", "Skip authentication (for local development)")
     .option("--json", "Output as JSON")
+    .option("--public", "Publish as public (searchable by everyone)")
+    .option("--unlisted", "Publish as unlisted (accessible via direct link, not searchable)")
     .action(async (pathArg: string | undefined, options: PublishOptions) => {
       const resolvedPath = pathArg ?? ".";
       const ctx: CommandContext = {