Summary
skill install uses digest-based freshness checks for OCI artifacts, but Git dependencies do not participate in that mechanism.
In internal/cli/install.go, Git dependencies leave digestFn as nil, and pkg/installer/cache.go trusts an existing cache entry without re-pulling when no digest function is available.
Why this matters
If a manifest depends on a Git ref like main or a mutable tag, repeated installs can keep using stale cached content indefinitely instead of reflecting the current remote state.
This creates surprising behavior, especially when mixing OCI and Git dependencies: OCI artifacts get freshness checks, while Git dependencies do not.
Current behavior
- OCI dependencies: install resolves remote digest and re-pulls on mismatch.
- Git dependencies: existing cache is reused as-is when present.
That means the freshness guarantee is backend-dependent today.
Desired behavior
Striatum should have a clearer strategy for Git dependency freshness during install. Possible options:
- Re-fetch Git dependencies on install when the ref is mutable.
- Record and compare commit SHAs in cache metadata.
- Treat commit-SHA refs as immutable and branch/tag refs as refreshable.
- Expose an explicit refresh mode if always checking would be too expensive.
Notes
This issue came up while reviewing documentation that described install caching behavior generically for all dependency types. Even if the docs are narrowed short-term, the product behavior is still inconsistent across backends.
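One way to combine two of the options listed under "Desired behavior" (record and compare commit SHAs; treat commit-SHA refs as immutable and branch/tag refs as refreshable), added here as an example and not taken from Striatum's code. `GitCacheEntry`, `Resolver`, `IsImmutableRef` and `NeedsRefetch` are hypothetical names, and the remote lookup is injected so the constructed sample runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GitCacheEntry is hypothetical cache metadata, not Striatum's actual type.
type GitCacheEntry struct {
	Ref       string // ref as written in the manifest
	CommitSHA string // commit the cached content was checked out at
}

// Resolver returns the remote's current commit SHA for a ref. A real one
// could wrap `git ls-remote`; it is injected here (assumption).
type Resolver func(ref string) (string, error)

var fullSHA = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)

// IsImmutableRef reports whether ref is a full 40-hex commit SHA.
func IsImmutableRef(ref string) bool { return fullSHA.MatchString(ref) }

// NeedsRefetch decides whether the cached content can be trusted for ref.
func NeedsRefetch(ref string, cached *GitCacheEntry, resolve Resolver) (bool, error) {
	if cached == nil || cached.CommitSHA == "" {
		return true, nil // nothing cached, or no recorded commit to compare
	}
	if IsImmutableRef(ref) {
		// Pinned commit: no network call, refetch only on a different commit.
		return !strings.EqualFold(cached.CommitSHA, ref), nil
	}
	// Branch or tag: compare the remote's current commit with the cached one.
	remote, err := resolve(ref)
	if err != nil {
		// Surface the failure so the caller chooses between failing the
		// install and knowingly using possibly stale content.
		return false, fmt.Errorf("resolve %q: %w", ref, err)
	}
	return !strings.EqualFold(remote, cached.CommitSHA), nil
}

func main() {
	// Constructed sample: remote "main" moved after the cache was written.
	remote := func(string) (string, error) { return strings.Repeat("b", 40), nil }
	cached := &GitCacheEntry{Ref: "main", CommitSHA: strings.Repeat("a", 40)}
	fmt.Println(NeedsRefetch("main", cached, remote))
}
```
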