Skip to content

fix(skills): now we allow viking://agent/skills again, and optimize CLI for skills#2813

Merged
qin-ctx merged 24 commits into
volcengine:mainfrom
MaojiaSheng:main
Jun 25, 2026
Merged

fix(skills): now we allow viking://agent/skills again, and optimize CLI for skills#2813
qin-ctx merged 24 commits into
volcengine:mainfrom
MaojiaSheng:main

Conversation

@MaojiaSheng

@MaojiaSheng MaojiaSheng commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

This PR re-enables the account-shared viking://agent/skills scope so it coexists with the per-user viking://user//skills scope, and ships a round of UX polish for the ov skills CLI.

Server / storage

  • Restore viking://agent/skills visibility. openviking/core/namespace.py::visible_roots now returns viking://agent/skills alongside viking://resources and the user root, so the vector-store tenant filter no longer silently drops agent-scope hits. Tenant isolation is
    still enforced by the sibling account_id == ctx.account_id predicate. (openviking/core/namespace.py, tests/unit/test_namespace_uri_classification.py)
  • Skills router parity for agent scope. openviking/server/routers/skills.py (and the embedded LocalClient in openviking/client/local.py):
    • _skill_summary_from_meta now tags every row with "type": "skill" so the CLI card renderer labels results correctly.
    • _skill_summary_from_hit strips the trailing .abstract.md chunk filename via a new _skill_root_from_hit_uri helper, so search results carry the skill root URI and name (not the .abstract.md leaf).
    • _require_skill (used by ov skills show) follows a same-name priority rule: prefer viking://user//skills, fall back to viking://agent/skills if the skill is not present under the user root.
    • find_skills and list_skills merge both user and agent skill roots when no explicit root URI is provided, matching the new default scope of ov skills list/find.

CLI (ov_cli)

  • Card-format output for ov skills list / ov skills find. Aligned with ov find's renderer: numbered cards instead of a table, wrapped abstract, URI on its own line. (crates/ov_cli/src/commands/search.rs, crates/ov_cli/src/commands/skills.rs)
    • Cards hide the Level X · score Y.YYY line in skills mode.
    • Header noun is skill / skills (was generic result).
    • name: and description: render on separate lines for readability.
  • New --uri flag (alias -p) on ov skills list/find/show replacing the old --parent-auto-create. The flag scopes the operation to a specific skill root URI (e.g. viking://agent/skills); when omitted, the commands operate on the merged user + agent scope.
    add/update/remove keep --parent-auto-create since their semantics include auto-creating the parent. (crates/ov_cli/src/main.rs)

Why

Agent-scope skills had been indexed correctly but were unreachable through ov find / ov skills find because visible_roots only whitelisted the per-user root. Users could ov ls viking://agent/skills and confirm records existed in the vector store, but every semantic
search returned 0 hits. This PR closes that gap end-to-end (storage → router → CLI rendering → flag names) so account-shared skills are first-class again.

Test plan

  • pytest tests/unit/test_namespace_uri_classification.py — 7 passed (asserts viking://agent/skills ∈ visible_roots(ctx) and viking://session ∉ it).
  • cargo build -p ov_cli — clean.
  • Manual: ov skills list and ov skills find render the new skill-cards format with merged user + agent scope.
  • Manual: ov skills show -p viking://agent/skills fermat-viking-release returns L0/L1/L2 content for an agent-scope skill.
  • Manual: ov skills show falls back from user → agent when the skill isn't installed under the user root.
  • Manual smoke against a fresh server to confirm ov find --uri viking://agent/skills "" returns hits previously suppressed by the visibility filter.

MaojiaSheng and others added 17 commits June 18, 2026 11:36
Replace the monolithic `openviking/server/auth.py` with an extensible
plugin-based auth system. This refactor extracts the three built-in modes
(`dev`, `api_key`, `trusted`) into separate `AuthPlugin` implementations,
adds a registry for third-party plugins, and preserves all existing behavior
while enabling custom authentication backends (e.g. LDAP, OIDC, mTLS).

Key changes:
- **New public API**: `AuthPlugin` (ABC) and `register_auth_plugin` decorator.
- **New registry**: `AuthPluginRegistry` supports runtime registration.
- **Built-in plugins**: `DevAuthPlugin`, `ApiKeyAuthPlugin`, `TrustedAuthPlugin`.
- **Config change**: `auth_mode` widened from `Literal` to `str` for custom modes.
- **Validation delegated**: `validate_server_config()` now delegates to the active
  plugin's `validate_config()`, preserving existing validation semantics.
- **Router compatibility**: All existing `require_*` decorators and `resolve_identity`
  / `get_request_context` dependencies remain unchanged. Routers import the same
  symbols from `openviking.server.auth`.
- **Tests**: `conftest.py` manually wires the DevAuthPlugin in ASGI tests (lifespan
  not triggered). `test_auth.py` expanded with plugin registration and validation tests.
- **Docs**: `04-authentication.md` (en/zh) updated with plugin registration examples.

Co-Authored-By: claude-sonnet-4-6 <noreply@anthropic.com>
MaojiaSheng and others added 3 commits June 24, 2026 21:51
# Conflicts:
#	crates/ov_cli/src/client.rs
Align the `ov skills add` examples in the context-types and viking-uri
docs with the short flag `-p` introduced for `ov skills list/find/show`,
so all four user-facing examples consistently demonstrate the short form
when targeting `viking://agent/skills`.

Co-Authored-By: claude-sonnet-4-6 <noreply@anthropic.com>
@qin-ctx

qin-ctx commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

Review note:

Python SDK 的 scoped skill search 会把 target_uri 放在 JSON body 里,但服务端 POST /api/v1/skills/find 把 target_uri 定义成 query 参数,同时 FindSkillsRequest 是 extra="forbid"。所以类似:

await client.find_skills("q", target_uri="viking://agent/skills")

会发送 body 里的 target_uri,FastAPI 在进入 handler 前就按 extra field 拒掉,返回 422。Rust CLI 这里走的是 /api/v1/skills/find?target_uri=...,SDK 也需要把它放到 params 里,body 继续只保留 query/limit/score_threshold/level/telemetry。

@MaojiaSheng

Copy link
Copy Markdown
Collaborator Author

Review note:

Python SDK 的 scoped skill search 会把 target_uri 放在 JSON body 里,但服务端 POST /api/v1/skills/find 把 target_uri 定义成 query 参数,同时 FindSkillsRequest 是 extra="forbid"。所以类似:

await client.find_skills("q", target_uri="viking://agent/skills")

会发送 body 里的 target_uri,FastAPI 在进入 handler 前就按 extra field 拒掉,返回 422。Rust CLI 这里走的是 /api/v1/skills/find?target_uri=...,SDK 也需要把它放到 params 里,body 继续只保留 query/limit/score_threshold/level/telemetry。

处理了

@qin-ctx qin-ctx merged commit 0102a48 into volcengine:main Jun 25, 2026
14 of 15 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenViking project Jun 25, 2026
qin-ctx pushed a commit that referenced this pull request Jun 30, 2026
)

#2813 promoted account-shared skills (viking://agent/skills) to a
first-class, scoped capability and shipped a target_uri param across the
Python SDK (all 7 skill methods), the Rust CLI, and the server skills
router. The Go SDK skill methods were the only client left without it, so
Go adopters cannot scope skill operations to user-vs-agent roots and must
drop to Python/CLI.

Add an optional TargetURI field to the six skill option structs plus a new
DeleteSkillOptions, and thread target_uri through every skill method
matching the Python SDK + server placement exactly:
- query param: ListSkills, GetSkill, DeleteSkill
- JSON body:   AddSkill, FindSkills, ValidateSkill, UpdateSkill
target_uri is sent only when set (nil omits it), mirroring the Python
"if target_uri is not None" semantics and the server default-root fallback.
Like the Python SDK, skills send target_uri as-is (no client-side
normalization; only find/search normalize).

DeleteSkill previously took no options; it now takes a variadic
opts ...*DeleteSkillOptions so existing DeleteSkill(ctx, name) callers keep
compiling. The change is source-compatible across the module.

Adds TestSkillRequestsScopeTargetURI (asserts query-vs-body placement for
all 7 methods) and TestSkillRequestsOmitTargetURIWhenUnset (asserts omit
for all 7). go test ./... and go vet ./... pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants