Problem
There's no way to remove a published skill from the registry. Once published, a skill stays forever. Authors who published something by mistake or want to deprecate a skill have no recourse.
Proposed Solution
Add a skillsctl unpublish <name> command and a corresponding UnpublishSkill RPC endpoint.
Authorization
- The original publisher (matched by OIDC subject) can unpublish their own skill
- Admins (users in the configured admin group) can unpublish any skill
Behavior
- Removes the skill and all its versions from the registry
- Returns an error if the skill doesn't exist
- Returns a permission denied error if the caller is not the owner or an admin
- Requires authentication
Implementation
- New
UnpublishSkill RPC in the proto definition
- Server-side handler checks ownership (OIDC subject matches skill owner) or admin group membership
- CLI command:
skillsctl unpublish <name> with confirmation prompt (skip with --yes)
- Consider a soft-delete approach (mark as unpublished rather than hard delete) to preserve audit trail
Open questions
- Should unpublishing remove the skill entirely or just hide it from listing/install?
- Should individual versions be unpublishable, or only the entire skill?
Problem
There's no way to remove a published skill from the registry. Once published, a skill stays forever. Authors who published something by mistake or want to deprecate a skill have no recourse.
Proposed Solution
Add a
skillsctl unpublish <name>command and a correspondingUnpublishSkillRPC endpoint.Authorization
Behavior
Implementation
UnpublishSkillRPC in the proto definitionskillsctl unpublish <name>with confirmation prompt (skip with--yes)Open questions