@anytio/pspm 0.0.4 → 0.0.7

package/dist/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { readFileSync } from 'fs';
-import { dirname, join, relative } from 'path';
-import { fileURLToPath, URL } from 'url';
+import { dirname, join, basename, relative } from 'path';
+import { fileURLToPath, URL as URL$1 } from 'url';
 import { Command } from 'commander';
-import { stat, writeFile, mkdir, rm, access, readFile, readdir, unlink } from 'fs/promises';
 import { createHash, randomBytes } from 'crypto';
 import * as semver from 'semver';
+import { stat, writeFile, readdir, mkdir, rm, rename, access as access$1, readFile, unlink } from 'fs/promises';
 import { homedir } from 'os';
 import * as ini from 'ini';
 import http from 'http';
@@ -18,6 +18,36 @@ function calculateIntegrity(data) {
   return `sha256-${hash}`;
 }
 
+// ../../packages/shared/pspm-types/src/manifest.ts
+var DEFAULT_SKILL_FILES = [
+  "SKILL.md",
+  "runtime",
+  "scripts",
+  "data"
+];
+var PSPM_SCHEMA_URL = "https://pspm.dev/schema/pspm.json";
+function validateManifest(manifest) {
+  if (!manifest.name) {
+    return { valid: false, error: "Manifest must have a 'name' field" };
+  }
+  if (!manifest.version) {
+    return { valid: false, error: "Manifest must have a 'version' field" };
+  }
+  if (!/^[a-z][a-z0-9_-]*$/.test(manifest.name)) {
+    return {
+      valid: false,
+      error: "Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores"
+    };
+  }
+  if (!/^\d+\.\d+\.\d+/.test(manifest.version)) {
+    return {
+      valid: false,
+      error: "Version must be a valid semantic version (e.g., 1.0.0)"
+    };
+  }
+  return { valid: true };
+}
+
 // ../../packages/shared/pspm-types/src/specifier.ts
 var SPECIFIER_PATTERN = /^@user\/([a-zA-Z0-9_-]+)\/([a-z][a-z0-9_-]*)(?:@(.+))?$/;
 function parseSkillSpecifier(specifier) {
@@ -53,13 +83,16 @@ function getConfig() {
 async function customFetch(url, options) {
   const { baseUrl, apiKey } = getConfig();
   const fullUrl = `${baseUrl}${url}`;
+  const headers = {
+    ...options.headers ?? {},
+    "Content-Type": "application/json"
+  };
+  if (apiKey) {
+    headers.Authorization = `Bearer ${apiKey}`;
+  }
   const response = await fetch(fullUrl, {
     ...options,
-    headers: {
-      ...options.headers,
-      Authorization: `Bearer ${apiKey}`,
-      "Content-Type": "application/json"
-    }
+    headers
   });
   const text = await response.text();
   let data = null;
@@ -179,6 +212,102 @@ async function whoamiRequest(registryUrl, apiKey) {
     return null;
   }
 }
+async function deprecateSkillVersion(skillName, version2, message) {
+  const config2 = getConfig();
+  if (!config2) {
+    return { status: 401, error: "SDK not configured" };
+  }
+  try {
+    const response = await fetch(
+      `${config2.baseUrl}/api/skills/${skillName}/${version2}/deprecate`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${config2.apiKey}`
+        },
+        body: JSON.stringify({ message })
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      return { status: response.status, error };
+    }
+    const data = await response.json();
+    return { status: response.status, data };
+  } catch (error) {
+    return {
+      status: 500,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+async function undeprecateSkillVersion(skillName, version2) {
+  const config2 = getConfig();
+  if (!config2) {
+    return { status: 401, error: "SDK not configured" };
+  }
+  try {
+    const response = await fetch(
+      `${config2.baseUrl}/api/skills/${skillName}/${version2}/deprecate`,
+      {
+        method: "DELETE",
+        headers: {
+          Authorization: `Bearer ${config2.apiKey}`
+        }
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      return { status: response.status, error };
+    }
+    const data = await response.json();
+    return { status: response.status, data };
+  } catch (error) {
+    return {
+      status: 500,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+async function changeSkillAccess(skillName, input) {
+  const config2 = getConfig();
+  if (!config2) {
+    return { status: 401, error: "SDK not configured" };
+  }
+  try {
+    const response = await fetch(
+      `${config2.baseUrl}/api/skills/${skillName}/access`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${config2.apiKey}`
+        },
+        body: JSON.stringify(input)
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      try {
+        const errorJson = JSON.parse(error);
+        return {
+          status: response.status,
+          error: errorJson.message || errorJson.error || error
+        };
+      } catch {
+        return { status: response.status, error };
+      }
+    }
+    const data = await response.json();
+    return { status: response.status, data };
+  } catch (error) {
+    return {
+      status: 500,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
 
 // src/errors.ts
 var ConfigError = class extends Error {
@@ -238,12 +367,24 @@ function getConfigPath() {
 function getLegacyConfigPath() {
   return join(homedir(), ".pspm", "config.json");
 }
+function getPspmDir() {
+  return join(process.cwd(), ".pspm");
+}
 function getSkillsDir() {
-  return join(process.cwd(), ".skills");
+  return join(process.cwd(), ".pspm", "skills");
+}
+function getCacheDir() {
+  return join(process.cwd(), ".pspm", "cache");
 }
 function getLockfilePath() {
+  return join(process.cwd(), "pspm-lock.json");
+}
+function getLegacyLockfilePath() {
   return join(process.cwd(), "skill-lock.json");
 }
+function getLegacySkillsDir() {
+  return join(process.cwd(), ".skills");
+}
 async function readUserConfig() {
   const configPath = getConfigPath();
   if (process.env.PSPM_DEBUG) {
@@ -255,10 +396,35 @@ async function readUserConfig() {
     if (process.env.PSPM_DEBUG) {
       console.log(`[config] Parsed config:`, JSON.stringify(parsed, null, 2));
     }
+    const scopedRegistries = {};
+    for (const key of Object.keys(parsed)) {
+      const scopeMatch = key.match(/^(@[^:]+):registry$/);
+      if (scopeMatch) {
+        const scope = scopeMatch[1];
+        scopedRegistries[scope] = parsed[key];
+      }
+    }
+    const registryTokens = {};
+    for (const key of Object.keys(parsed)) {
+      const tokenMatch = key.match(/^\/\/([^:]+):authToken$/);
+      if (tokenMatch) {
+        const host = tokenMatch[1];
+        registryTokens[host] = parsed[key];
+      }
+      if (key.startsWith("//") && typeof parsed[key] === "object") {
+        const host = key.slice(2);
+        const section = parsed[key];
+        if (section.authToken) {
+          registryTokens[host] = section.authToken;
+        }
+      }
+    }
     return {
       registry: parsed.registry,
       authToken: parsed.authToken,
-      username: parsed.username
+      username: parsed.username,
+      scopedRegistries: Object.keys(scopedRegistries).length > 0 ? scopedRegistries : void 0,
+      registryTokens: Object.keys(registryTokens).length > 0 ? registryTokens : void 0
     };
   } catch (error) {
     if (process.env.PSPM_DEBUG) {
@@ -374,6 +540,8 @@ async function resolveConfig() {
   let registryUrl = DEFAULT_REGISTRY_URL;
   let apiKey = userConfig.authToken;
   const username = userConfig.username;
+  const scopedRegistries = userConfig.scopedRegistries ?? {};
+  const registryTokens = userConfig.registryTokens ?? {};
   if (userConfig.registry) {
     registryUrl = userConfig.registry;
   }
@@ -391,13 +559,33 @@ async function resolveConfig() {
     console.log(`[config]   registryUrl: ${registryUrl}`);
     console.log(`[config]   apiKey: ${apiKey ? "***" : "(not set)"}`);
     console.log(`[config]   username: ${username || "(not set)"}`);
+    console.log(
+      `[config]   scopedRegistries: ${JSON.stringify(scopedRegistries)}`
+    );
+    console.log(
+      `[config]   registryTokens: ${Object.keys(registryTokens).length} configured`
+    );
   }
   return {
     registryUrl,
     apiKey,
-    username
+    username,
+    scopedRegistries,
+    registryTokens
   };
 }
+function getTokenForRegistry(config2, registryUrl) {
+  try {
+    const url = new URL(registryUrl);
+    const host = url.host;
+    if (config2.registryTokens[host]) {
+      return config2.registryTokens[host];
+    }
+    return config2.apiKey;
+  } catch {
+    return config2.apiKey;
+  }
+}
 async function setCredentials(authToken, username, registry) {
   const config2 = await readUserConfig();
   config2.authToken = authToken;
@@ -442,43 +630,198 @@ async function getRegistryUrl() {
   const resolved = await resolveConfig();
   return resolved.registryUrl;
 }
+
+// src/commands/access.ts
+async function access(specifier, options) {
+  try {
+    const apiKey = await requireApiKey();
+    const registryUrl = await getRegistryUrl();
+    if (options.public && options.private) {
+      console.error("Error: Cannot specify both --public and --private");
+      process.exit(1);
+    }
+    if (!options.public && !options.private) {
+      console.error("Error: Must specify either --public or --private");
+      process.exit(1);
+    }
+    const visibility = options.public ? "public" : "private";
+    let packageName;
+    if (specifier) {
+      const parsed = parseSkillSpecifier(specifier);
+      if (!parsed) {
+        console.error(
+          `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}`
+        );
+        process.exit(1);
+      }
+      packageName = parsed.name;
+    } else {
+      const { readFile: readFile6 } = await import('fs/promises');
+      const { join: join10 } = await import('path');
+      let manifest = null;
+      try {
+        const content = await readFile6(
+          join10(process.cwd(), "pspm.json"),
+          "utf-8"
+        );
+        manifest = JSON.parse(content);
+      } catch {
+        try {
+          const content = await readFile6(
+            join10(process.cwd(), "package.json"),
+            "utf-8"
+          );
+          manifest = JSON.parse(content);
+        } catch {
+          console.error(
+            "Error: No pspm.json or package.json found in current directory"
+          );
+          console.error(
+            "Either run this command in a package directory or specify a package name"
+          );
+          process.exit(1);
+        }
+      }
+      if (!manifest?.name) {
+        console.error("Error: Package manifest is missing 'name' field");
+        process.exit(1);
+      }
+      packageName = manifest.name;
+    }
+    configure2({ registryUrl, apiKey });
+    console.log(`Setting ${packageName} to ${visibility}...`);
+    const response = await changeSkillAccess(packageName, { visibility });
+    if (response.status !== 200 || !response.data) {
+      const errorMessage = response.error ?? "Failed to change visibility";
+      console.error(`Error: ${errorMessage}`);
+      process.exit(1);
+    }
+    const result = response.data;
+    console.log(
+      `+ @user/${result.username}/${result.name} is now ${result.visibility}`
+    );
+    if (visibility === "public") {
+      console.log("");
+      console.log(
+        "Note: This action is irreversible. Public packages cannot be made private."
+      );
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+async function hasLegacyLockfile() {
+  try {
+    await stat(getLegacyLockfilePath());
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function migrateLockfileIfNeeded() {
+  const legacyPath = getLegacyLockfilePath();
+  const newPath = getLockfilePath();
+  try {
+    await stat(legacyPath);
+  } catch {
+    return false;
+  }
+  try {
+    await stat(newPath);
+    return false;
+  } catch {
+  }
+  try {
+    const content = await readFile(legacyPath, "utf-8");
+    const oldLockfile = JSON.parse(content);
+    const newLockfile = {
+      lockfileVersion: 2,
+      registryUrl: oldLockfile.registryUrl,
+      packages: oldLockfile.skills ?? {}
+    };
+    await writeFile(newPath, `${JSON.stringify(newLockfile, null, 2)}
+`);
+    console.log(`Migrated lockfile: skill-lock.json \u2192 pspm-lock.json`);
+    return true;
+  } catch {
+    return false;
+  }
+}
 async function readLockfile() {
   const lockfilePath = getLockfilePath();
   try {
     const content = await readFile(lockfilePath, "utf-8");
-    return JSON.parse(content);
+    const lockfile = JSON.parse(content);
+    if (lockfile.lockfileVersion === 1 && lockfile.skills && !lockfile.packages) {
+      return {
+        ...lockfile,
+        lockfileVersion: 2,
+        packages: lockfile.skills
+      };
+    }
+    return lockfile;
   } catch {
+    if (await hasLegacyLockfile()) {
+      try {
+        const content = await readFile(getLegacyLockfilePath(), "utf-8");
+        const legacyLockfile = JSON.parse(content);
+        return {
+          lockfileVersion: 2,
+          registryUrl: legacyLockfile.registryUrl,
+          packages: legacyLockfile.skills ?? {}
+        };
+      } catch {
+        return null;
+      }
+    }
     return null;
   }
 }
 async function writeLockfile(lockfile) {
   const lockfilePath = getLockfilePath();
   await mkdir(dirname(lockfilePath), { recursive: true });
-  await writeFile(lockfilePath, `${JSON.stringify(lockfile, null, 2)}
+  const normalized = {
+    lockfileVersion: 2,
+    registryUrl: lockfile.registryUrl,
+    packages: lockfile.packages ?? lockfile.skills ?? {}
+  };
+  await writeFile(lockfilePath, `${JSON.stringify(normalized, null, 2)}
 `);
 }
 async function createEmptyLockfile() {
   const registryUrl = await getRegistryUrl();
   return {
-    lockfileVersion: 1,
+    lockfileVersion: 2,
     registryUrl,
-    skills: {}
+    packages: {}
   };
 }
+function getPackages(lockfile) {
+  return lockfile.packages ?? lockfile.skills ?? {};
+}
 async function addToLockfile(fullName, entry) {
   let lockfile = await readLockfile();
   if (!lockfile) {
     lockfile = await createEmptyLockfile();
   }
-  lockfile.skills[fullName] = entry;
+  const packages = getPackages(lockfile);
+  packages[fullName] = entry;
+  lockfile.packages = packages;
   await writeLockfile(lockfile);
 }
 async function removeFromLockfile(fullName) {
   const lockfile = await readLockfile();
-  if (!lockfile || !lockfile.skills[fullName]) {
+  if (!lockfile) {
+    return false;
+  }
+  const packages = getPackages(lockfile);
+  if (!packages[fullName]) {
     return false;
   }
-  delete lockfile.skills[fullName];
+  delete packages[fullName];
+  lockfile.packages = packages;
   await writeLockfile(lockfile);
   return true;
 }
@@ -487,7 +830,8 @@ async function listLockfileSkills() {
   if (!lockfile) {
     return [];
   }
-  return Object.entries(lockfile.skills).map(([name, entry]) => ({
+  const packages = getPackages(lockfile);
+  return Object.entries(packages).map(([name, entry]) => ({
     name,
     entry
   }));
@@ -496,8 +840,9 @@ async function listLockfileSkills() {
 // src/commands/add.ts
 async function add(specifier, _options) {
   try {
-    const apiKey = await requireApiKey();
-    const registryUrl = await getRegistryUrl();
+    const config2 = await resolveConfig();
+    const registryUrl = config2.registryUrl;
+    const apiKey = getTokenForRegistry(config2, registryUrl);
     const parsed = parseSkillSpecifier(specifier);
     if (!parsed) {
       console.error(
@@ -506,10 +851,23 @@ async function add(specifier, _options) {
       process.exit(1);
     }
     const { username, name, versionRange } = parsed;
-    configure2({ registryUrl, apiKey });
+    configure2({ registryUrl, apiKey: apiKey ?? "" });
     console.log(`Resolving ${specifier}...`);
     const versionsResponse = await listSkillVersions(username, name);
     if (versionsResponse.status !== 200) {
+      if (versionsResponse.status === 401) {
+        if (!apiKey) {
+          console.error(
+            `Error: Package @user/${username}/${name} requires authentication`
+          );
+          console.error("Please run 'pspm login' to authenticate");
+        } else {
+          console.error(
+            `Error: Access denied to @user/${username}/${name}. You may not have permission to access this private package.`
+          );
+        }
+        process.exit(1);
+      }
       const errorMessage = extractApiErrorMessage(
         versionsResponse,
         `Skill @user/${username}/${name} not found`
@@ -542,11 +900,13 @@ async function add(specifier, _options) {
       process.exit(1);
     }
     const versionInfo = versionResponse.data;
-    const downloadUrl = `${registryUrl}/@user/${username}/${name}/${resolved}/download`;
-    const tarballResponse = await fetch(downloadUrl, {
-      headers: {
-        Authorization: `Bearer ${apiKey}`
-      },
+    const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
+    const downloadHeaders = {};
+    if (!isPresignedUrl && apiKey) {
+      downloadHeaders.Authorization = `Bearer ${apiKey}`;
+    }
+    const tarballResponse = await fetch(versionInfo.downloadUrl, {
+      headers: downloadHeaders,
       redirect: "follow"
     });
     if (!tarballResponse.ok) {
@@ -565,16 +925,16 @@ async function add(specifier, _options) {
     const skillsDir = getSkillsDir();
     const destDir = join(skillsDir, username, name);
     await mkdir(destDir, { recursive: true });
-    const { writeFile: writeFile4 } = await import('fs/promises');
+    const { writeFile: writeFile6 } = await import('fs/promises');
     const tempFile = join(destDir, ".temp.tgz");
-    await writeFile4(tempFile, tarballBuffer);
+    await writeFile6(tempFile, tarballBuffer);
     const { exec: exec2 } = await import('child_process');
     const { promisify: promisify2 } = await import('util');
     const execAsync = promisify2(exec2);
     try {
       await rm(destDir, { recursive: true, force: true });
       await mkdir(destDir, { recursive: true });
-      await writeFile4(tempFile, tarballBuffer);
+      await writeFile6(tempFile, tarballBuffer);
       await execAsync(
         `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
       );
@@ -654,11 +1014,190 @@ async function configShow() {
     process.exit(1);
   }
 }
-async function install(options) {
+
+// src/commands/deprecate.ts
+async function deprecate(specifier, message, options) {
   try {
     const apiKey = await requireApiKey();
-    await getRegistryUrl();
+    const registryUrl = await getRegistryUrl();
+    const parsed = parseSkillSpecifier(specifier);
+    if (!parsed) {
+      console.error(
+        `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}@{version}`
+      );
+      process.exit(1);
+    }
+    const { username, name, versionRange } = parsed;
+    if (!versionRange) {
+      console.error(
+        "Error: Version is required for deprecation. Use format: @user/{username}/{name}@{version}"
+      );
+      process.exit(1);
+    }
+    configure2({ registryUrl, apiKey });
+    if (options.undo) {
+      console.log(
+        `Removing deprecation from @user/${username}/${name}@${versionRange}...`
+      );
+      const response = await undeprecateSkillVersion(name, versionRange);
+      if (response.status !== 200) {
+        console.error(
+          `Error: ${response.error || "Failed to remove deprecation"}`
+        );
+        process.exit(1);
+      }
+      console.log(
+        `Removed deprecation from @user/${username}/${name}@${versionRange}`
+      );
+    } else {
+      if (!message) {
+        console.error(
+          "Error: Deprecation message is required. Usage: pspm deprecate <specifier> <message>"
+        );
+        process.exit(1);
+      }
+      console.log(`Deprecating @user/${username}/${name}@${versionRange}...`);
+      const response = await deprecateSkillVersion(name, versionRange, message);
+      if (response.status !== 200) {
+        console.error(
+          `Error: ${response.error || "Failed to deprecate version"}`
+        );
+        process.exit(1);
+      }
+      console.log(`Deprecated @user/${username}/${name}@${versionRange}`);
+      console.log(`Message: ${message}`);
+      console.log("");
+      console.log(
+        "Users installing this version will see a deprecation warning."
+      );
+      console.log("The package is still available for download.");
+    }
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${errorMessage}`);
+    process.exit(1);
+  }
+}
+async function readExistingPackageJson() {
+  try {
+    const content = await readFile(
+      join(process.cwd(), "package.json"),
+      "utf-8"
+    );
+    const pkg = JSON.parse(content);
+    return {
+      name: pkg.name,
+      version: pkg.version,
+      description: pkg.description,
+      author: typeof pkg.author === "string" ? pkg.author : pkg.author?.name,
+      license: pkg.license
+    };
+  } catch {
+    return null;
+  }
+}
+function sanitizeName(name) {
+  const withoutScope = name.replace(/^@[^/]+\//, "");
+  return withoutScope.toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+|-+$/g, "").replace(/-+/g, "-");
+}
+async function init(options) {
+  try {
+    const pspmJsonPath = join(process.cwd(), "pspm.json");
+    try {
+      await stat(pspmJsonPath);
+      console.error("Error: pspm.json already exists in this directory.");
+      console.error("Use --force to overwrite (not yet implemented).");
+      process.exit(1);
+    } catch {
+    }
+    const existingPkg = await readExistingPackageJson();
+    const defaultName = options.name || sanitizeName(existingPkg?.name || basename(process.cwd()));
+    const defaultVersion = existingPkg?.version || "0.1.0";
+    const defaultDescription = options.description || existingPkg?.description || "";
+    const defaultAuthor = options.author || existingPkg?.author || "";
+    const defaultLicense = existingPkg?.license || "MIT";
+    const manifest = {
+      $schema: PSPM_SCHEMA_URL,
+      name: defaultName,
+      version: defaultVersion,
+      description: defaultDescription || void 0,
+      author: defaultAuthor || void 0,
+      license: defaultLicense,
+      type: "skill",
+      capabilities: [],
+      main: "SKILL.md",
+      requirements: {
+        pspm: ">=0.1.0"
+      },
+      files: [...DEFAULT_SKILL_FILES],
+      dependencies: {},
+      private: false
+    };
+    if (!manifest.description) delete manifest.description;
+    if (!manifest.author) delete manifest.author;
+    const content = JSON.stringify(manifest, null, 2);
+    await writeFile(pspmJsonPath, `${content}
+`);
+    console.log("Created pspm.json:");
+    console.log("");
+    console.log(content);
+    console.log("");
+    try {
+      await stat(join(process.cwd(), "SKILL.md"));
+    } catch {
+      console.log(
+        "Note: Create a SKILL.md file with your skill's prompt content."
+      );
+    }
+    if (existingPkg) {
+      console.log("Note: Values were derived from existing package.json.");
+      console.log("      pspm.json is for publishing to PSPM registry.");
+      console.log("      package.json can still be used for npm dependencies.");
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+function getCacheFilePath(cacheDir, integrity) {
+  const match = integrity.match(/^sha256-(.+)$/);
+  if (!match) {
+    throw new Error(`Invalid integrity format: ${integrity}`);
+  }
+  const base64Hash = match[1];
+  const hexHash = Buffer.from(base64Hash, "base64").toString("hex");
+  return join(cacheDir, `sha256-${hexHash}.tgz`);
+}
+async function readFromCache(cacheDir, integrity) {
+  try {
+    const cachePath = getCacheFilePath(cacheDir, integrity);
+    const data = await readFile(cachePath);
+    const actualIntegrity = `sha256-${createHash("sha256").update(data).digest("base64")}`;
+    if (actualIntegrity !== integrity) {
+      await rm(cachePath, { force: true });
+      return null;
+    }
+    return data;
+  } catch {
+    return null;
+  }
+}
+async function writeToCache(cacheDir, integrity, data) {
+  try {
+    await mkdir(cacheDir, { recursive: true });
+    const cachePath = getCacheFilePath(cacheDir, integrity);
+    await writeFile(cachePath, data);
+  } catch {
+  }
+}
+async function install(options) {
+  try {
+    const config2 = await resolveConfig();
+    const apiKey = getTokenForRegistry(config2, config2.registryUrl);
     const skillsDir = options.dir || getSkillsDir();
+    const cacheDir = getCacheDir();
+    await migrateLockfileIfNeeded();
     const lockfile = await readLockfile();
     if (!lockfile) {
       if (options.frozenLockfile) {
@@ -670,14 +1209,17 @@ async function install(options) {
       console.log("No lockfile found. Nothing to install.");
       return;
     }
-    const skillCount = Object.keys(lockfile.skills).length;
+    const skillCount = Object.keys(
+      lockfile.packages ?? lockfile.skills ?? {}
+    ).length;
     if (skillCount === 0) {
       console.log("No skills in lockfile. Nothing to install.");
       return;
     }
     console.log(`Installing ${skillCount} skill(s)...
 `);
-    const entries = Object.entries(lockfile.skills);
+    const packages = lockfile.packages ?? lockfile.skills ?? {};
+    const entries = Object.entries(packages);
     for (const [fullName, entry] of entries) {
       const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
       if (!match) {
@@ -686,34 +1228,58 @@ async function install(options) {
       }
       const [, username, name] = match;
       console.log(`Installing ${fullName}@${entry.version}...`);
-      const response = await fetch(entry.resolved, {
-        headers: {
-          Authorization: `Bearer ${apiKey}`
-        },
-        redirect: "follow"
-      });
-      if (!response.ok) {
-        console.error(
-          `  Error: Failed to download ${fullName} (${response.status})`
-        );
-        continue;
-      }
-      const tarballBuffer = Buffer.from(await response.arrayBuffer());
-      const { createHash: createHash3 } = await import('crypto');
-      const actualIntegrity = `sha256-${createHash3("sha256").update(tarballBuffer).digest("base64")}`;
-      if (actualIntegrity !== entry.integrity) {
-        console.error(`  Error: Checksum verification failed for ${fullName}`);
-        if (options.frozenLockfile) {
-          process.exit(1);
+      let tarballBuffer;
+      let fromCache = false;
+      const cachedTarball = await readFromCache(cacheDir, entry.integrity);
+      if (cachedTarball) {
+        tarballBuffer = cachedTarball;
+        fromCache = true;
+      } else {
+        const isPresignedUrl = entry.resolved.includes(".r2.cloudflarestorage.com") || entry.resolved.includes("X-Amz-Signature");
+        const downloadHeaders = {};
+        if (!isPresignedUrl && apiKey) {
+          downloadHeaders.Authorization = `Bearer ${apiKey}`;
         }
-        continue;
+        const response = await fetch(entry.resolved, {
+          headers: downloadHeaders,
+          redirect: "follow"
+        });
+        if (!response.ok) {
+          if (response.status === 401) {
+            if (!apiKey) {
+              console.error(
+                `  Error: ${fullName} requires authentication. Run 'pspm login' first.`
+              );
+            } else {
+              console.error(
+                `  Error: Access denied to ${fullName}. You may not have permission to access this private package.`
+              );
+            }
+          } else {
+            console.error(
+              `  Error: Failed to download ${fullName} (${response.status})`
+            );
+          }
+          continue;
+        }
+        tarballBuffer = Buffer.from(await response.arrayBuffer());
+        const actualIntegrity = `sha256-${createHash("sha256").update(tarballBuffer).digest("base64")}`;
+        if (actualIntegrity !== entry.integrity) {
+          console.error(
+            `  Error: Checksum verification failed for ${fullName}`
+          );
+          if (options.frozenLockfile) {
+            process.exit(1);
+          }
+          continue;
+        }
+        await writeToCache(cacheDir, entry.integrity, tarballBuffer);
       }
       const destDir = join(skillsDir, username, name);
       await rm(destDir, { recursive: true, force: true });
       await mkdir(destDir, { recursive: true });
       const tempFile = join(destDir, ".temp.tgz");
-      const { writeFile: writeFile4 } = await import('fs/promises');
-      await writeFile4(tempFile, tarballBuffer);
+      await writeFile(tempFile, tarballBuffer);
       const { exec: exec2 } = await import('child_process');
       const { promisify: promisify2 } = await import('util');
       const execAsync = promisify2(exec2);
@@ -724,7 +1290,9 @@ async function install(options) {
       } finally {
         await rm(tempFile, { force: true });
       }
-      console.log(`  Installed to ${destDir}`);
+      console.log(
+        `  Installed to ${destDir}${fromCache ? " (from cache)" : ""}`
+      );
     }
     console.log(`
 All ${skillCount} skill(s) installed.`);
@@ -754,7 +1322,7 @@ async function list(options) {
       const skillPath = join(skillsDir, username, skillName);
       let status = "installed";
       try {
-        await access(skillPath);
+        await access$1(skillPath);
       } catch {
         status = "missing";
       }
@@ -777,7 +1345,7 @@ function getWebAppUrl(registryUrl) {
     return process.env.PSPM_WEB_URL.replace(/\/$/, "");
   }
   try {
-    const url = new URL(registryUrl);
+    const url = new URL$1(registryUrl);
     return `${url.protocol}//${url.host}`;
   } catch {
     return DEFAULT_WEB_APP_URL;
@@ -785,7 +1353,7 @@ function getWebAppUrl(registryUrl) {
 }
 function getServerUrl(registryUrl) {
   try {
-    const url = new URL(registryUrl);
+    const url = new URL$1(registryUrl);
     return `${url.protocol}//${url.host}`;
   } catch {
     return DEFAULT_WEB_APP_URL;
@@ -817,7 +1385,7 @@ function startCallbackServer(expectedState) {
       rejectToken = reject;
     });
     const server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://localhost`);
+      const url = new URL$1(req.url || "/", `http://localhost`);
       if (url.pathname === "/callback") {
         const token = url.searchParams.get("token");
         const state = url.searchParams.get("state");
@@ -963,7 +1531,132 @@ async function logout() {
     process.exit(1);
   }
 }
+async function migrate(options) {
+  try {
+    const legacySkillsDir = getLegacySkillsDir();
+    const newSkillsDir = getSkillsDir();
+    const legacyLockfilePath = getLegacyLockfilePath();
+    const newLockfilePath = getLockfilePath();
+    const pspmDir = getPspmDir();
+    let migrationNeeded = false;
+    const actions = [];
+    try {
+      const legacyStats = await stat(legacySkillsDir);
+      if (legacyStats.isDirectory()) {
+        const contents = await readdir(legacySkillsDir);
+        if (contents.length > 0) {
+          migrationNeeded = true;
+          actions.push(`Move .skills/ \u2192 .pspm/skills/`);
+        }
+      }
+    } catch {
+    }
+    try {
+      await stat(legacyLockfilePath);
+      try {
+        await stat(newLockfilePath);
+        actions.push(
+          `Note: Both skill-lock.json and pspm-lock.json exist. Manual merge may be needed.`
+        );
+      } catch {
+        migrationNeeded = true;
+        actions.push(`Migrate skill-lock.json \u2192 pspm-lock.json`);
+      }
+    } catch {
+    }
+    if (!migrationNeeded && actions.length === 0) {
+      console.log(
+        "No migration needed. Project is already using the new structure."
+      );
+      return;
+    }
+    if (options.dryRun) {
+      console.log("Migration plan (dry run):");
+      console.log("");
+      for (const action of actions) {
+        console.log(`  - ${action}`);
+      }
+      console.log("");
+      console.log("Run without --dry-run to perform migration.");
+      return;
+    }
+    console.log("Migrating project structure...\n");
+    const lockfileMigrated = await migrateLockfileIfNeeded();
+    if (lockfileMigrated) {
+      console.log("  \u2713 Migrated skill-lock.json \u2192 pspm-lock.json");
+    }
+    try {
+      const legacyStats = await stat(legacySkillsDir);
+      if (legacyStats.isDirectory()) {
+        const contents = await readdir(legacySkillsDir);
+        if (contents.length > 0) {
+          await mkdir(pspmDir, { recursive: true });
+          try {
+            const newStats = await stat(newSkillsDir);
+            if (newStats.isDirectory()) {
+              const newContents = await readdir(newSkillsDir);
+              if (newContents.length > 0) {
+                console.log(
+                  "  ! Both .skills/ and .pspm/skills/ have content. Manual merge required."
+                );
+              } else {
+                await rm(newSkillsDir, { recursive: true, force: true });
+                await rename(legacySkillsDir, newSkillsDir);
+                console.log("  \u2713 Moved .skills/ \u2192 .pspm/skills/");
+              }
+            }
+          } catch {
+            await rename(legacySkillsDir, newSkillsDir);
+            console.log("  \u2713 Moved .skills/ \u2192 .pspm/skills/");
+          }
+        }
+      }
+    } catch {
+    }
+    console.log("");
+    console.log("Migration complete!");
+    console.log("");
+    console.log(
+      "You can safely delete these legacy files if they still exist:"
+    );
+    console.log("  - skill-lock.json (replaced by pspm-lock.json)");
+    console.log("  - .skills/ (replaced by .pspm/skills/)");
+    console.log("");
+    console.log("Update your .gitignore to include:");
+    console.log("  .pspm/cache/");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
 var exec = promisify(exec$1);
+async function detectManifest() {
+  const cwd = process.cwd();
+  const pspmJsonPath = join(cwd, "pspm.json");
+  try {
+    const content = await readFile(pspmJsonPath, "utf-8");
+    const manifest = JSON.parse(content);
+    return { type: "pspm.json", manifest, path: pspmJsonPath };
+  } catch {
+  }
+  const packageJsonPath = join(cwd, "package.json");
+  try {
+    const content = await readFile(packageJsonPath, "utf-8");
+    const packageJson2 = JSON.parse(content);
+    const manifest = {
+      name: packageJson2.name,
+      version: packageJson2.version,
+      description: packageJson2.description,
+      author: typeof packageJson2.author === "string" ? packageJson2.author : packageJson2.author?.name,
+      license: packageJson2.license,
+      files: packageJson2.files
+    };
+    return { type: "package.json", manifest, path: packageJsonPath };
+  } catch {
+    throw new Error("No pspm.json or package.json found in current directory");
+  }
+}
 function formatBytes(bytes) {
   if (bytes < 1024) return `${bytes}B`;
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}kB`;
@@ -995,23 +1688,26 @@ async function publishCommand(options) {
   try {
     const apiKey = await requireApiKey();
     const registryUrl = await getRegistryUrl();
-    const packageJsonPath = join(process.cwd(), "package.json");
-    let packageJson2;
-    try {
-      const content = await readFile(packageJsonPath, "utf-8");
-      packageJson2 = JSON.parse(content);
-    } catch {
-      console.error("Error: No package.json found in current directory");
-      process.exit(1);
-    }
-    if (!packageJson2.name) {
-      console.error("Error: package.json must have a 'name' field");
-      process.exit(1);
+    const detection = await detectManifest();
+    const manifest = detection.manifest;
+    if (detection.type === "package.json") {
+      console.log("pspm warn Using package.json instead of pspm.json");
+      console.log(
+        "pspm warn Run 'pspm init' to create a dedicated pspm.json manifest"
+      );
+      console.log("");
     }
-    if (!packageJson2.version) {
-      console.error("Error: package.json must have a 'version' field");
+    const validation = validateManifest(manifest);
+    if (!validation.valid) {
+      console.error(`Error: ${validation.error}`);
       process.exit(1);
     }
+    const packageJson2 = {
+      name: manifest.name,
+      version: manifest.version,
+      description: manifest.description,
+      files: manifest.files
+    };
     if (options.bump) {
       const semver2 = await import('semver');
       const newVersion = semver2.default.inc(packageJson2.version, options.bump);
@@ -1029,13 +1725,7 @@ async function publishCommand(options) {
     const tempDir = join(process.cwd(), ".pspm-publish");
     try {
       await exec(`rm -rf "${tempDir}" && mkdir -p "${tempDir}"`);
-      const files = packageJson2.files || [
-        "package.json",
-        "SKILL.md",
-        "runtime",
-        "scripts",
-        "data"
-      ];
+      const files = packageJson2.files || [...DEFAULT_SKILL_FILES];
       await exec(`mkdir -p "${tempDir}/package"`);
       for (const file of files) {
         try {
@@ -1045,7 +1735,18 @@ async function publishCommand(options) {
         } catch {
         }
       }
-      await exec(`cp package.json "${tempDir}/package/"`);
+      if (detection.type === "pspm.json") {
+        await exec(`cp pspm.json "${tempDir}/package/"`);
+        try {
+          await stat(join(process.cwd(), "package.json"));
+          await exec(
+            `cp package.json "${tempDir}/package/" 2>/dev/null || true`
+          );
+        } catch {
+        }
+      } else {
+        await exec(`cp package.json "${tempDir}/package/"`);
+      }
       const packageDir = join(tempDir, "package");
       const tarballContents = await getFilesWithSizes(packageDir, packageDir);
       const unpackedSize = tarballContents.reduce((acc, f) => acc + f.size, 0);
@@ -1102,6 +1803,25 @@ async function publishCommand(options) {
         `+ @user/${result.skill.username}/${result.skill.name}@${result.version.version}`
       );
       console.log(`Checksum: ${result.version.checksum}`);
+      if (options.access) {
+        console.log(`
+Setting visibility to ${options.access}...`);
+        const accessResponse = await changeSkillAccess(packageJson2.name, {
+          visibility: options.access
+        });
+        if (accessResponse.status !== 200 || !accessResponse.data) {
+          console.warn(
+            `Warning: Failed to set visibility: ${accessResponse.error ?? "Unknown error"}`
+          );
+        } else {
+          console.log(`Package is now ${accessResponse.data.visibility}`);
+          if (options.access === "public") {
+            console.log(
+              "Note: This action is irreversible. Public packages cannot be made private."
+            );
+          }
+        }
+      }
     } finally {
       await exec(`rm -rf "${tempDir}"`).catch(() => {
       });
@@ -1355,6 +2075,19 @@ program.command("logout").description("Log out and clear stored credentials").ac
 program.command("whoami").description("Show current user information").action(async () => {
   await whoami();
 });
+program.command("init").description("Create a new pspm.json manifest in the current directory").option("-n, --name <name>", "Skill name").option("-d, --description <desc>", "Skill description").option("-a, --author <author>", "Author name").option("-y, --yes", "Skip prompts and use defaults").action(async (options) => {
+  await init({
+    name: options.name,
+    description: options.description,
+    author: options.author,
+    yes: options.yes
+  });
+});
+program.command("migrate").description(
+  "Migrate from old directory structure (.skills/, skill-lock.json)"
+).option("--dry-run", "Show what would be migrated without making changes").action(async (options) => {
+  await migrate({ dryRun: options.dryRun });
+});
 program.command("add <specifier>").description("Add a skill (e.g., @user/bsheng/vite_slides@^2.0.0)").option("--save", "Save to lockfile (default)").action(async (specifier, options) => {
   await add(specifier, { save: options.save ?? true });
 });
@@ -1373,15 +2106,29 @@ program.command("install").alias("i").description("Install all skills from lockf
 program.command("update").description("Update all skills to latest compatible versions").option("--dry-run", "Show what would be updated without making changes").action(async (options) => {
   await update({ dryRun: options.dryRun });
 });
-program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").action(async (options) => {
+program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").option("--access <level>", "Set package visibility (public or private)").action(async (options) => {
   await publishCommand({
     bump: options.bump,
-    tag: options.tag
+    tag: options.tag,
+    access: options.access
   });
 });
-program.command("unpublish <specifier>").description("Remove a published skill version").option("--force", "Confirm destructive action").action(async (specifier, options) => {
+program.command("unpublish <specifier>").description(
+  "Remove a published skill version (only within 72 hours of publishing)"
+).option("--force", "Confirm destructive action").action(async (specifier, options) => {
   await unpublish(specifier, { force: options.force });
 });
+program.command("access [specifier]").description("Change package visibility (public/private)").option("--public", "Make the package public (irreversible)").option("--private", "Make the package private (only for private packages)").action(async (specifier, options) => {
+  await access(specifier, {
+    public: options.public,
+    private: options.private
+  });
+});
+program.command("deprecate <specifier> [message]").description(
+  "Mark a skill version as deprecated (alternative to unpublish after 72 hours)"
+).option("--undo", "Remove deprecation status").action(async (specifier, message, options) => {
+  await deprecate(specifier, message, { undo: options.undo });
+});
 program.parse();
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map