check <bare-name> misroutes to skill-identifier parser; --json contract broken on bare-name not-found #161

@thebenignhacker

Bug

hackmyagent check <bare-package-name> (e.g. check left-pad, check NONEXISTENT-XYZ-9999) misroutes to the skill-identifier parser instead of trying npm. Two failure modes:

Plain output

$ hackmyagent check left-pad
Error: Invalid skill identifier
Accepted formats:
  @publisher/skill-name
  https://github.com/...
  ./path

npm package is THE primary documented use-case but isn't even mentioned in the error message.

--json contract violation

$ hackmyagent check NONEXISTENT-XYZ-9999 --json
Error: Invalid skill identifier   # plain stderr, NOT JSON

CI consumers piping through jq see a JSON parse error. By contrast, check pip:nonexistent --json correctly emits {"found":false,"error":"...","ecosystem":"pip"}.

Severity

P1 per /release-test rules — release-blocker for the next routing-touching release. Currently deferred as a known issue in 0.21.1 / 0.22.0 because both versions ship with the same behavior and the routing fix needs its own dedicated release with proper test coverage.

Expected behavior

Bare names should try registry/npm lookup BEFORE the skill-id parser. On 404, emit the canonical NotFoundOutput shape (same as the pip: and @scope/name paths) with errorHint: "Verify the URL: https://www.npmjs.com/package/<name>".

Acceptance criteria

  1. hackmyagent check left-pad succeeds against npm and renders the rich block.
  2. hackmyagent check NONEXISTENT-XYZ-9999 emits human-readable not-found with an npm-aware hint and exits 1.
  3. hackmyagent check NONEXISTENT-XYZ-9999 --json emits valid NotFoundOutput JSON shape (same fields as pip: and scoped paths).
  4. Regression test in __tests__/checker/check-not-found-json.test.ts covers the bare-name → npm path (currently covered for scoped + pip + github paths).

Caught by

/release-test fresh-user subagent during 0.22.0 release prep. Documented at the time but explicitly deferred by the team per the publish-batching policy.

Related

  • Closes parity gap with ai-trust check and opena2a check (both correctly handle bare names as npm).
  • Reference: cli-finding-ux-standard.md § The bar.
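
The routing order and --json not-found contract requested under "Expected behavior", sketched as an added TypeScript example (not hackmyagent's own code). The function names, the bare-name pattern, the error wording, the found-case output and the injected `exists` lookup are assumptions; only the found/error/ecosystem/errorHint fields and the hint URL come from the issue.

```typescript
// Added illustration. Field names found/error/ecosystem/errorHint come from the
// issue; every function name, the error wording and the name pattern are assumed.
interface NotFoundOutput { found: false; error: string; ecosystem: string; errorHint?: string }
interface CliResult { stdout: string; stderr: string; exitCode: number }
type Route = { kind: "pip" | "npm"; name: string } | { kind: "skill"; raw: string };

// Permissive bare-name pattern (assumption): no scope, scheme, colon or slash.
const BARE_NAME = /^[A-Za-z0-9][A-Za-z0-9._~-]{0,213}$/;

function routeIdentifier(id: string): Route {
  if (id.startsWith("pip:")) return { kind: "pip", name: id.slice(4) };
  // Registry lookup is chosen BEFORE the skill-identifier parser sees a bare name.
  if (BARE_NAME.test(id)) return { kind: "npm", name: id };
  // @publisher/skill-name, https://github.com/... and ./path stay with that parser.
  return { kind: "skill", raw: id };
}

function notFound(ecosystem: "pip" | "npm", name: string): NotFoundOutput {
  const out: NotFoundOutput = { found: false, error: `Package not found: ${name}`, ecosystem };
  if (ecosystem === "npm") out.errorHint = `Verify the URL: https://www.npmjs.com/package/${name}`;
  return out;
}

// `exists` stands in for the registry request so the example runs offline.
// Returns null when the identifier belongs to the skill-identifier parser.
function check(id: string, json: boolean, exists: (name: string) => boolean): CliResult | null {
  const route = routeIdentifier(id);
  if (route.kind === "skill") return null;
  if (exists(route.name)) {
    const ok = json ? JSON.stringify({ found: true, ecosystem: route.kind }) : `found ${route.name}`;
    return { stdout: ok, stderr: "", exitCode: 0 };
  }
  const nf = notFound(route.kind, route.name);
  // With --json the failure is still one JSON document on stdout, so jq can parse it.
  if (json) return { stdout: JSON.stringify(nf), stderr: "", exitCode: 1 };
  const hint = nf.errorHint ? `\n${nf.errorHint}` : "";
  return { stdout: "", stderr: `Error: ${nf.error}${hint}`, exitCode: 1 };
}

// Constructed registry contents for the demonstration.
const SAMPLE_REGISTRY = new Set(["left-pad"]);
const inRegistry = (name: string): boolean => SAMPLE_REGISTRY.has(name);
console.log(check("NONEXISTENT-XYZ-9999", true, inRegistry)?.stdout);
```

A regression test for acceptance criterion 4 can assert on exactly these three properties: the route chosen for a bare name, a stdout that parses as JSON, and exit code 1.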
