fix(cli): remove unnecessary Supabase auth from public-only commands (#455)

* fix(cli): remove unnecessary Supabase auth from public-only commands

Public CLI commands (dash ping, skill upload, etc.) only need an API key,
not a Supabase JWT. Move login validation into requireAdmin() and call it
only from admin commands (projects list/select/create/delete/stats).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(cli): populate dashUserEmail in PersistentPreRunE for non-admin commands

List/create commands for sessions, disks, spaces, and skills use
dashUserEmail to scope results to the current user. After removing
mandatory Supabase auth, dashUserEmail was only set inside
requireAdmin(), leaving it empty for non-project commands.

Add a best-effort auth.Load() fallback so the user email is always
available when auth.json exists.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: GenerQAQ

landingpage/public/SKILL.md

@@ -123,9 +123,18 @@ All dashboard commands are under `acontext dash`:
 Example — upload a skill directory:
 ```bash
 acontext skill upload ./my-skill-dir
+acontext skill upload ./my-skill-dir --user alice@example.com
+acontext skill upload ./my-skill-dir --api-key sk-ac-xxx
 ```
 The directory must contain a `SKILL.md` with name and description in YAML front-matter.
 
+| Flag        | Default                  | Description                    |
+| ----------- | ------------------------ | ------------------------------ |
+| `--user`    | logged-in email (if any) | User identifier for the skill  |
+| `--api-key` | credentials.json default | Project API key                |
+| `--meta`    | —                        | Metadata as JSON string        |
+| `--base-url`| —                        | API base URL override          |
+
 ### Other CLI Commands
 
 | Command            | Description                       |

src/client/acontext-cli/cmd/dash.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+	"sync"
 
 	"github.com/memodb-io/Acontext/acontext-cli/internal/api"
 	"github.com/memodb-io/Acontext/acontext-cli/internal/auth"
@@ -23,11 +24,14 @@ var (
 	dashAccessToken string
 )
 
+var adminOnce sync.Once
+var adminErr error
+
 // DashCmd is the parent command for all dashboard operations.
 var DashCmd = &cobra.Command{
 	Use:   "dash",
 	Short: "Dashboard operations — manage projects, sessions, skills, and more",
-	Long:  "Interact with the Acontext Dashboard API. Requires login (run 'acontext login' first).",
+	Long:  "Interact with the Acontext Dashboard API. Most commands require an API key; admin commands (projects) also require login.",
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 		// Inherit parent persistent pre-run hooks (telemetry, etc.)
 		if parentE := cmd.Root().PersistentPreRunE; parentE != nil {
@@ -38,23 +42,11 @@ var DashCmd = &cobra.Command{
 			parent(cmd, args)
 		}
 
-		// 1. Require login
-		af, err := auth.Load()
-		if err != nil || af == nil {
-			return fmt.Errorf("not logged in — run 'acontext login' first")
-		}
-		af, err = auth.ValidateAndRefresh(af)
-		if err != nil {
-			return fmt.Errorf("session invalid — run 'acontext login' again: %w", err)
-		}
-		dashUserEmail = af.User.Email
-		dashUserID = af.User.ID
-		dashAccessToken = af.AccessToken
+		// Reset adminOnce for each command invocation
+		adminOnce = sync.Once{}
+		adminErr = nil
 
-		// 2. Admin client always available (JWT only)
-		dashAdminClient = api.NewAdminClient(dashBaseURL, af.AccessToken)
-
-		// 3. Resolve API key for /api/v1 routes: --api-key flag > --project flag > credentials.json default
+		// Resolve API key for /api/v1 routes: --api-key flag > --project flag > credentials.json default
 		apiKey := dashAPIKey
 		if apiKey == "" && dashProject != "" {
 			apiKey = auth.GetProjectKey(dashProject)
@@ -71,7 +63,15 @@ var DashCmd = &cobra.Command{
 		}
 
 		if apiKey != "" {
-			dashClient = api.NewClient(dashBaseURL, apiKey, af.AccessToken)
+			dashClient = api.NewClient(dashBaseURL, apiKey)
+		}
+
+		// Best-effort: populate user email from auth.json without token validation.
+		// This ensures list/create commands scope to the correct user even when
+		// full admin login is not required.
+		if af, _ := auth.Load(); af != nil {
+			dashUserEmail = af.User.Email
+			dashUserID = af.User.ID
 		}
 
 		return nil
@@ -94,3 +94,25 @@ func requireClient() (*api.Client, error) {
 	}
 	return dashClient, nil
 }
+
+// requireAdmin validates the Supabase login and creates the admin client.
+// It is cached: multiple calls within the same command invocation are no-ops.
+func requireAdmin() error {
+	adminOnce.Do(func() {
+		af, err := auth.Load()
+		if err != nil || af == nil {
+			adminErr = fmt.Errorf("not logged in — run 'acontext login' first")
+			return
+		}
+		af, err = auth.ValidateAndRefresh(af)
+		if err != nil {
+			adminErr = fmt.Errorf("session invalid — run 'acontext login' again: %w", err)
+			return
+		}
+		dashAccessToken = af.AccessToken
+		dashUserEmail = af.User.Email
+		dashUserID = af.User.ID
+		dashAdminClient = api.NewAdminClient(dashBaseURL, af.AccessToken)
+	})
+	return adminErr
+}

src/client/acontext-cli/cmd/dash_projects.go

@@ -24,6 +24,9 @@ func init() {
 	listCmd := &cobra.Command{
 		Use: "list", Short: "List your organizations and projects",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := requireAdmin(); err != nil {
+				return err
+			}
 			orgs, err := auth.ListOrganizations(dashAccessToken, dashUserID)
 			if err != nil {
 				return fmt.Errorf("fetch organizations: %w", err)
@@ -74,6 +77,9 @@ func init() {
 		Short: "Select and configure a default project",
 		Long:  "Interactively select a project, or use --project <id> for non-interactive mode. Generates and saves an API key locally.",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := requireAdmin(); err != nil {
+				return err
+			}
 			projectFlag, _ := cmd.Flags().GetString("project")
 			apiKeyFlag, _ := cmd.Flags().GetString("api-key")
 			rotateFlag, _ := cmd.Flags().GetBool("rotate")
@@ -147,6 +153,9 @@ func init() {
 	createCmd := &cobra.Command{
 		Use: "create", Short: "Create a new project",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := requireAdmin(); err != nil {
+				return err
+			}
 			name, _ := cmd.Flags().GetString("name")
 			orgFlag, _ := cmd.Flags().GetString("org")
 
@@ -231,6 +240,9 @@ func init() {
 	deleteCmd := &cobra.Command{
 		Use: "delete <project-id>", Short: "Delete a project", Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := requireAdmin(); err != nil {
+				return err
+			}
 			yes, _ := cmd.Flags().GetBool("yes")
 			if !yes {
 				if !auth.IsTTY() {
@@ -261,6 +273,9 @@ func init() {
 	statsCmd := &cobra.Command{
 		Use: "stats <project-id>", Short: "Show project statistics", Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := requireAdmin(); err != nil {
+				return err
+			}
 			stats, err := dashAdminClient.AdminGetProjectStats(context.Background(), args[0])
 			if err != nil {
 				return err

src/client/acontext-cli/cmd/skill_upload.go

@@ -19,7 +19,7 @@ var (
 var SkillCmd = &cobra.Command{
 	Use:   "skill",
 	Short: "Manage agent skills",
-	Long:  "Upload and manage agent skills. Requires login (run 'acontext login' first).",
+	Long:  "Upload and manage agent skills. Requires an API key (run 'acontext dash projects select' first).",
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 		// Inherit parent persistent pre-run hooks (telemetry, etc.)
 		if parentE := cmd.Root().PersistentPreRunE; parentE != nil {
@@ -30,18 +30,6 @@ var SkillCmd = &cobra.Command{
 			parent(cmd, args)
 		}
 
-		// Require login
-		af, err := auth.Load()
-		if err != nil || af == nil {
-			return fmt.Errorf("not logged in — run 'acontext login' first")
-		}
-		af, err = auth.ValidateAndRefresh(af)
-		if err != nil {
-			return fmt.Errorf("session invalid — run 'acontext login' again: %w", err)
-		}
-		dashUserEmail = af.User.Email
-		dashAccessToken = af.AccessToken
-
 		// Resolve API key: flag > default project keystore
 		apiKey := skillAPIKey
 		if apiKey == "" {
@@ -51,7 +39,7 @@ var SkillCmd = &cobra.Command{
 			}
 		}
 		if apiKey != "" {
-			dashClient = api.NewClient(skillBaseURL, apiKey, af.AccessToken)
+			dashClient = api.NewClient(skillBaseURL, apiKey)
 		}
 
 		return nil
@@ -86,7 +74,10 @@ func init() {
 
 			user, _ := cmd.Flags().GetString("user")
 			if user == "" {
-				user = dashUserEmail
+				// Best-effort: read email from auth.json without token validation
+				if af, _ := auth.Load(); af != nil {
+					user = af.User.Email
+				}
 			}
 			meta, _ := cmd.Flags().GetString("meta")
 

src/client/acontext-cli/internal/api/client.go

@@ -23,9 +23,9 @@ type Client struct {
 	headers    map[string]string
 }
 
-// NewClient creates a client that authenticates with both JWT and API key.
-// The /api/v1 routes require ProjectAuth (API key) + SupabaseAuth (JWT).
-func NewClient(baseURL, apiKey, accessToken string) *Client {
+// NewClient creates a client that authenticates with an API key.
+// The /api/v1 routes require ProjectAuth (API key) via Authorization header.
+func NewClient(baseURL, apiKey string) *Client {
 	if baseURL == "" {
 		baseURL = DefaultBaseURL
 	}
@@ -35,9 +35,6 @@ func NewClient(baseURL, apiKey, accessToken string) *Client {
 	if apiKey != "" {
 		headers["Authorization"] = "Bearer " + apiKey
 	}
-	if accessToken != "" {
-		headers["X-Access-Token"] = accessToken
-	}
 	return &Client{
 		baseURL:    baseURL,
 		httpClient: &http.Client{Timeout: requestTimeout},