- Add optional authToken to skill import for GitHub private repos
- Store PAT as encrypted company secret (skill-pat:{skillId})
- Thread auth token through ghFetch, fetchText, fetchJson, and all GitHub resolution functions
- Add PATCH /companies/:companyId/skills/:skillId/auth for managing PAT per skill
- Add DELETE /companies/:companyId/skills/by-source for bulk deleting skills from a repo
- Preserve sourceAuthSecretId across skill re-imports/updates
- UI: Add PAT input field in import form for GitHub URLs
- UI: Add SkillAuthSection with ShieldCheck icon for viewing/updating/removing PAT
- UI: Add trash icon next to source label for delete-by-source
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add DELETE /api/companies/:companyId/skills/:skillId endpoint with same
permission model as other skill mutations. Deleting a skill removes it
from the DB, cleans up materialized runtime files, and automatically
strips it from any agent desiredSkills that reference it.
- Fix parseSkillImportSourceInput to detect skills.sh URLs
(e.g. https://skills.sh/org/repo/skill) and resolve them to the
underlying GitHub repo + skill slug, instead of fetching the HTML page.
- Add tests for skills.sh URL resolution with and without skill slug.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>