feat(marketplace): publish skills/profiles/MCPs from your PC via API token

[NagyVikt]

What & why

Users could already mint an API token on cuecards.cc (BetterAuth apiKey + the studio API view), but the only thing they could do with it was GET /api/v1/me. The marketplace Publish button was a localStorage-only stub ("will open a registry PR later").

This PR closes the loop: a user gets a token and pushes their skills, cue profiles, and MCPs to the marketplace from their own machine — via the CLI or the studio.

Hosted API (web/)

• web/lib/db.ts — shared, serverless-safe pg pool singleton (BetterAuth keeps its own).
• web/lib/market.ts — getMarket() / publishMarket(), Postgres-backed, authenticated through auth.api.getSession so a session cookie OR Authorization: Bearer <api-key> both work (same path as /api/v1/me). Security-minded by design:
  • the install command is derived server-side (cue add <handle>/<name>, cue marketplace install-mcp <name>, …) and never read from the request → a submission can't smuggle curl … | bash into someone's dashboard;
  • every field is length-clamped, names/tags slugged, sourceUrl must be https://;
  • id embeds a per-user suffix and (user_id, type, name) is unique → re-publishing updates your item and can't overwrite another user's;
  • schema is created lazily (no extra migration step).
• web/api/v1/community.ts — Vercel function: GET (public list), GET ?mine=1 (your items, any status), POST (publish). Kept on a distinct path from the local dashboard's /api/v1/market browse catalog so both coexist.
• dev-server + check-auth-flow.ts now exercise publish + list end-to-end (the existing auth gate, extended).
• vite proxy routes /api/v1/community to the auth server in dev.

CLI (src/)

cue marketplace login --token <t>     # verifies, then saves to ~/.config/cue/credentials.json (0600)
cue marketplace whoami                # who am I authenticated as
cue marketplace publish <type> <name> # push a profile / skill / mcp  (--desc --tags --source-url --api)

• src/lib/cue-credentials.ts — token store + resolution order --token > CUE_API_TOKEN > file; CUE_API_URL/--api point at a different deployment. Unit-tested.

Studio (web/src/)

• Market view Publish modal now pushes to the hosted API when signed in (falls back to a local draft + sign-in hint otherwise), and the browse list merges the community catalog with "yours" flagging.

Testing

• bun test src/lib/cue-credentials.test.ts → 5 pass (resolution order, 0600 perms, URL precedence).
• Root tsc clean for all touched files (one pre-existing unrelated error in pair-suggestions.ts).
• Web src tsc clean for touched files (one pre-existing unrelated error in studio/components/index.tsx).
• CLI smoke: publish/whoami error paths verified; marketplace --help updated.
• The full publish→list flow is covered by web/scripts/check-auth-flow.ts (needs DATABASE_URL + BETTER_AUTH_SECRET to run live).

Notes / follow-ups

• Items default to status = 'approved' (matches the existing free-signup, no-email-verification posture); the status column is the hook for moderation later without a schema change.
• Docs: new ## API section in README.md + expanded web/AUTH.md.

🤖 Generated with Claude Code

---

Generated by Claude Code