Summary
The content hash identity system (PR #382) adds unnecessary complexity. Git repos already provide identity via url + ref (SHA/tag/branch). Computing content hashes of all skill files on every sync adds CPU overhead and code complexity for no practical benefit that git rev-parse doesn't already provide.
Problem
- Content hash = overkill for git-based plugins.
git rev-parse HEAD gives you the remote content SHA cheaply. Content hashes recompute on every sync.
- npm uses hashes for integrity, not identity. npm's
package-lock.json stores SHA-512 hashes to verify downloads weren't corrupted — it still identifies packages by name + version. allagents doesn't have the same supply chain attack surface (local git repos).
- gh CLI uses a single binary with vendored deps — no runtime dependency resolution at all. Version = identity.
- Added complexity without practical benefit. The
computeContentHash function iterates all skill files and hashes them. This is wasted work when git pull + git rev-parse HEAD already tells you if content changed.
Proposal
Revert the content hash system. The lock file should track:
interface PluginLockEntry {
url: string; // plugin source
ref: string; // git SHA/tag/branch (identity)
lastSynced: number; // timestamp
}
ref (from git rev-parse HEAD after fetch) uniquely identifies contentlastSynced tells you when it was last fetched- No content hash computation needed
Scope
- Remove
computeContentHash from sync.ts
- Remove
contentHash from LockFileEntry interface
- Simplify
updateLockEntry to set ref + lastSynced only
- Remove any hash comparison logic in
needsSync
- Update tests accordingly
Why
The content hash adds:
- CPU overhead (hashing all skill files on every sync)
- Code complexity (hash computation, comparison, migration)
- No practical benefit over
git ref identity
Version pinning (fixed git ref) + git pull is sufficient. This is what npm ultimately does (lock file = exact version, not hash-for-identity), and what git does natively (commit SHA = content identity).
Summary
The content hash identity system (PR #382) adds unnecessary complexity. Git repos already provide identity via
url + ref(SHA/tag/branch). Computing content hashes of all skill files on every sync adds CPU overhead and code complexity for no practical benefit thatgit rev-parsedoesn't already provide.Problem
git rev-parse HEADgives you the remote content SHA cheaply. Content hashes recompute on every sync.package-lock.jsonstores SHA-512 hashes to verify downloads weren't corrupted — it still identifies packages by name + version. allagents doesn't have the same supply chain attack surface (local git repos).computeContentHashfunction iterates all skill files and hashes them. This is wasted work whengit pull+git rev-parse HEADalready tells you if content changed.Proposal
Revert the content hash system. The lock file should track:
ref(fromgit rev-parse HEADafter fetch) uniquely identifies contentlastSyncedtells you when it was last fetchedScope
computeContentHashfromsync.tscontentHashfromLockFileEntryinterfaceupdateLockEntryto setref+lastSyncedonlyneedsSyncWhy
The content hash adds:
git refidentityVersion pinning (fixed git ref) +
git pullis sufficient. This is what npm ultimately does (lock file = exact version, not hash-for-identity), and what git does natively (commit SHA = content identity).