fix: allow skill owner to move skill to an org acct while publishing existing skill

[pushmatrix]

Fixes: #1431

Summary

• When republishing a skill under a different publisher (e.g. moving from personal to org), insertVersion incorrectly threw "Slug is already taken" even when the caller owns the skill
• The check at convex/skills.ts:5820 treated any ownerPublisherId mismatch as a conflict with no escape hatch for the actual owner
• Now, if the caller is the ownerUserId, the skill's publisher is updated instead of throwing
• Slug aliases are also updated to stay in sync (matching the pattern used by the transfer flow)

Test plan

• Added test: owner can move skill from personal publisher to org publisher
• Added test: non-owner is still blocked from claiming a skill with a different publisher
• Added test: slug aliases are updated when moving skill to a different publisher
• Manual: republish an existing skill under a different org via the web UI

🤖 Generated with Claude Code

[vercel]

@pushmatrix is attempting to deploy a commit to the 0xBuns Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

Greptile Summary

The production change in convex/skills.ts is correct: it allows a skill owner to reassign their skill to a different publisher, provided they already hold the "publisher" role in the destination (enforced by the existing requirePublisherRole check at line 5787). The slug-alias sync matches the existing transfer-flow pattern.

All three new tests, however, share a mock gap that causes them to fail in CI before the new code path is reached.

Confidence Score: 4/5

Production logic is correct, but all three new tests fail before exercising the new code path — the feature is effectively untested.

Two P1 findings: the positive tests never call patch (so the assertions fail) and the negative test asserts the wrong error. The new behavior is not validated by the test suite.

convex/skills.rateLimit.test.ts — all three new tests need db.get mock fixes

Prompt To Fix All With AI

This is a comment left during a code review.
Path: convex/skills.rateLimit.test.ts
Line: 1364-1376

Comment:
**`db.get` mock missing `"publishers:org"` — positive test never exercises new code**

With `ownerPublisherId: "publishers:org"` and `personalPublisher._id = "publishers:personal"`, the handler calls `requirePublisherRole(ctx, { publisherId: "publishers:org", ... })` at `skills.ts:5788`. That function calls `ctx.db.get("publishers:org")`, which returns `null` here, so `isPublisherActive(null)` → false → throws `ConvexError("Publisher not found")`. `patch` is never called and the `expect(patch).toHaveBeenCalledWith(...)` assertion fails.

Add the missing publisher to the `get` mock:

```suggestion
      get: vi.fn(async (id: string) => {
        if (id === "users:owner") {
          return {
            _id: "users:owner",
            handle: "pushmatrix",
            deletedAt: undefined,
            deactivatedAt: undefined,
          };
        }
        if (id === "publishers:personal") {
          return { _id: "publishers:personal", kind: "user", linkedUserId: "users:owner" };
        }
        if (id === "publishers:org") {
          return { _id: "publishers:org", kind: "org", deletedAt: undefined, deactivatedAt: undefined };
        }
        return null;
      }),
```

The same gap exists in the third test ("updates slug aliases", line 1501–1508) — add the identical `"publishers:org"` branch there as well.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: convex/skills.rateLimit.test.ts
Line: 1440-1495

Comment:
**Wrong error asserted — test fails for the wrong reason**

The test expects `rejects.toThrow(/slug is already taken/i)`, but execution never reaches the slug-conflict check. Because `ownerPublisherId: "publishers:strangerOrg"` ≠ `personalPublisher._id` (`"publishers:personal"`), `requirePublisherRole` is called. `ctx.db.get("publishers:strangerOrg")` returns `null` (not in the mock), so the function throws `ConvexError("Publisher not found")` — not "slug is already taken".

For this test to validate that a non-owner is blocked at the slug level, the mock needs `"publishers:strangerOrg"` to resolve as a valid publisher, and the stranger must appear as a member. Without those, the test only confirms that publishing to a non-existent publisher is blocked, which is already covered elsewhere.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix: allow skill owner to move skill to ..." | Re-trigger Greptile}

[greptile-apps]

db.get mock missing "publishers:org" — positive test never exercises new code

With ownerPublisherId: "publishers:org" and personalPublisher._id = "publishers:personal", the handler calls requirePublisherRole(ctx, { publisherId: "publishers:org", ... }) at skills.ts:5788. That function calls ctx.db.get("publishers:org"), which returns null here, so isPublisherActive(null) → false → throws ConvexError("Publisher not found"). patch is never called and the expect(patch).toHaveBeenCalledWith(...) assertion fails.

Add the missing publisher to the get mock:

Suggested change

	get: vi.fn(async (id: string) => {
	if (id === "users:owner") {
	return {
	_id: "users:owner",
	handle: "pushmatrix",
	deletedAt: undefined,
	deactivatedAt: undefined,
	};
	}
	if (id === "publishers:personal") {
	return { _id: "publishers:personal", kind: "user", linkedUserId: "users:owner" };
	}
	return null;
	get: vi.fn(async (id: string) => {
	if (id === "users:owner") {
	return {
	_id: "users:owner",
	handle: "pushmatrix",
	deletedAt: undefined,
	deactivatedAt: undefined,
	};
	}
	if (id === "publishers:personal") {
	return { _id: "publishers:personal", kind: "user", linkedUserId: "users:owner" };
	}
	if (id === "publishers:org") {
	return { _id: "publishers:org", kind: "org", deletedAt: undefined, deactivatedAt: undefined };
	}
	return null;
	}),

The same gap exists in the third test ("updates slug aliases", line 1501–1508) — add the identical "publishers:org" branch there as well.

Prompt To Fix With AI

This is a comment left during a code review.
Path: convex/skills.rateLimit.test.ts
Line: 1364-1376

Comment:
**`db.get` mock missing `"publishers:org"` — positive test never exercises new code**

With `ownerPublisherId: "publishers:org"` and `personalPublisher._id = "publishers:personal"`, the handler calls `requirePublisherRole(ctx, { publisherId: "publishers:org", ... })` at `skills.ts:5788`. That function calls `ctx.db.get("publishers:org")`, which returns `null` here, so `isPublisherActive(null)` → false → throws `ConvexError("Publisher not found")`. `patch` is never called and the `expect(patch).toHaveBeenCalledWith(...)` assertion fails.

Add the missing publisher to the `get` mock:

```suggestion
      get: vi.fn(async (id: string) => {
        if (id === "users:owner") {
          return {
            _id: "users:owner",
            handle: "pushmatrix",
            deletedAt: undefined,
            deactivatedAt: undefined,
          };
        }
        if (id === "publishers:personal") {
          return { _id: "publishers:personal", kind: "user", linkedUserId: "users:owner" };
        }
        if (id === "publishers:org") {
          return { _id: "publishers:org", kind: "org", deletedAt: undefined, deactivatedAt: undefined };
        }
        return null;
      }),
```

The same gap exists in the third test ("updates slug aliases", line 1501–1508) — add the identical `"publishers:org"` branch there as well.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Wrong error asserted — test fails for the wrong reason

The test expects rejects.toThrow(/slug is already taken/i), but execution never reaches the slug-conflict check. Because ownerPublisherId: "publishers:strangerOrg" ≠ personalPublisher._id ("publishers:personal"), requirePublisherRole is called. ctx.db.get("publishers:strangerOrg") returns null (not in the mock), so the function throws ConvexError("Publisher not found") — not "slug is already taken".

For this test to validate that a non-owner is blocked at the slug level, the mock needs "publishers:strangerOrg" to resolve as a valid publisher, and the stranger must appear as a member. Without those, the test only confirms that publishing to a non-existent publisher is blocked, which is already covered elsewhere.

Prompt To Fix With AI

This is a comment left during a code review.
Path: convex/skills.rateLimit.test.ts
Line: 1440-1495

Comment:
**Wrong error asserted — test fails for the wrong reason**

The test expects `rejects.toThrow(/slug is already taken/i)`, but execution never reaches the slug-conflict check. Because `ownerPublisherId: "publishers:strangerOrg"` ≠ `personalPublisher._id` (`"publishers:personal"`), `requirePublisherRole` is called. `ctx.db.get("publishers:strangerOrg")` returns `null` (not in the mock), so the function throws `ConvexError("Publisher not found")` — not "slug is already taken".

For this test to validate that a non-owner is blocked at the slug level, the mock needs `"publishers:strangerOrg"` to resolve as a valid publisher, and the stranger must appear as a member. Without those, the test only confirms that publishing to a non-existent publisher is blocked, which is already covered elsewhere.

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 895f811bcc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Mock target publisher before asserting move-publisher behavior

These new tests pass ownerPublisherId values like publishers:org, but the db.get mock only returns publishers:personal and otherwise returns null. In insertVersion, that causes requirePublisherRole to fail with Publisher not found before the owner/non-owner slug logic runs, so the tests do not actually exercise the behavior they claim to validate and are likely to fail for the wrong reason.

Useful? React with 👍 / 👎.

[lbs-bmap]

This is useful for me! Thank you!
Wish it will be published online soon!

[momothemage]

Please note that CI / build (pull_request)Failing after 1m. All test cases must be successful before merge. @pushmatrix