@anytio/pspm 0.0.7 → 0.1.1

package/dist/index.js

@@ -1,31 +1,39 @@
 #!/usr/bin/env node
-import { readFileSync } from 'fs';
-import { dirname, join, basename, relative } from 'path';
-import { fileURLToPath, URL as URL$1 } from 'url';
-import { Command } from 'commander';
 import { createHash, randomBytes } from 'crypto';
 import * as semver from 'semver';
-import { stat, writeFile, readdir, mkdir, rm, rename, access as access$1, readFile, unlink } from 'fs/promises';
+import { stat, writeFile, readdir, mkdir, rm, rename, access as access$1, readFile, lstat, unlink, cp, readlink, symlink } from 'fs/promises';
 import { homedir } from 'os';
+import { dirname, join, basename, relative } from 'path';
 import * as ini from 'ini';
+import { checkbox } from '@inquirer/prompts';
+import { readFileSync } from 'fs';
+import { fileURLToPath, URL as URL$1 } from 'url';
+import { Command } from 'commander';
+import { createInterface } from 'readline';
 import http from 'http';
 import open from 'open';
 import { exec as exec$1 } from 'child_process';
 import { promisify } from 'util';
 
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 function calculateIntegrity(data) {
   const hash = createHash("sha256").update(data).digest("base64");
   return `sha256-${hash}`;
 }
+var init_integrity = __esm({
+  "../../packages/shared/pspm-types/src/integrity.ts"() {
+  }
+});
 
 // ../../packages/shared/pspm-types/src/manifest.ts
-var DEFAULT_SKILL_FILES = [
-  "SKILL.md",
-  "runtime",
-  "scripts",
-  "data"
-];
-var PSPM_SCHEMA_URL = "https://pspm.dev/schema/pspm.json";
 function validateManifest(manifest) {
   if (!manifest.name) {
     return { valid: false, error: "Manifest must have a 'name' field" };
@@ -47,9 +55,20 @@ function validateManifest(manifest) {
   }
   return { valid: true };
 }
+var DEFAULT_SKILL_FILES, PSPM_SCHEMA_URL;
+var init_manifest = __esm({
+  "../../packages/shared/pspm-types/src/manifest.ts"() {
+    DEFAULT_SKILL_FILES = [
+      "SKILL.md",
+      "runtime",
+      "scripts",
+      "data"
+    ];
+    PSPM_SCHEMA_URL = "https://pspm.dev/schema/v1/pspm.json";
+  }
+});
 
 // ../../packages/shared/pspm-types/src/specifier.ts
-var SPECIFIER_PATTERN = /^@user\/([a-zA-Z0-9_-]+)\/([a-z][a-z0-9_-]*)(?:@(.+))?$/;
 function parseSkillSpecifier(specifier) {
   const match = specifier.match(SPECIFIER_PATTERN);
   if (!match) {
@@ -61,6 +80,47 @@ function parseSkillSpecifier(specifier) {
     versionRange: match[3]
   };
 }
+function parseGitHubSpecifier(specifier) {
+  const match = specifier.match(GITHUB_SPECIFIER_PATTERN);
+  if (!match) {
+    return null;
+  }
+  const [, owner, repo, pathWithSlash, ref] = match;
+  return {
+    owner,
+    repo,
+    // Remove leading slash from path
+    path: pathWithSlash ? pathWithSlash.slice(1) : void 0,
+    ref: ref || void 0
+  };
+}
+function formatGitHubSpecifier(spec) {
+  let result = `github:${spec.owner}/${spec.repo}`;
+  if (spec.path) {
+    result += `/${spec.path}`;
+  }
+  if (spec.ref) {
+    result += `@${spec.ref}`;
+  }
+  return result;
+}
+function getGitHubSkillName(spec) {
+  if (spec.path) {
+    const segments = spec.path.split("/").filter(Boolean);
+    return segments[segments.length - 1];
+  }
+  return spec.repo;
+}
+function isGitHubSpecifier(specifier) {
+  return specifier.startsWith("github:");
+}
+var SPECIFIER_PATTERN, GITHUB_SPECIFIER_PATTERN;
+var init_specifier = __esm({
+  "../../packages/shared/pspm-types/src/specifier.ts"() {
+    SPECIFIER_PATTERN = /^@user\/([a-zA-Z0-9_-]+)\/([a-z][a-z0-9_-]*)(?:@(.+))?$/;
+    GITHUB_SPECIFIER_PATTERN = /^github:([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_.-]+)(\/[^@]+)?(?:@(.+))?$/;
+  }
+});
 function resolveVersion(range, availableVersions) {
   const sorted = availableVersions.filter((v) => semver.valid(v)).sort((a, b) => semver.rcompare(a, b));
   if (!range || range === "latest" || range === "*") {
@@ -68,9 +128,22 @@ function resolveVersion(range, availableVersions) {
   }
   return semver.maxSatisfying(sorted, range);
 }
+var init_version = __esm({
+  "../../packages/shared/pspm-types/src/version.ts"() {
+  }
+});
+
+// ../../packages/shared/pspm-types/src/index.ts
+var init_src = __esm({
+  "../../packages/shared/pspm-types/src/index.ts"() {
+    init_integrity();
+    init_manifest();
+    init_specifier();
+    init_version();
+  }
+});
 
 // ../../packages/sdk/src/fetchers/cli-fetcher.ts
-var config = null;
 function configure(options) {
   config = options;
 }
@@ -109,84 +182,104 @@ async function customFetch(url, options) {
     headers: response.headers
   };
 }
+var config;
+var init_cli_fetcher = __esm({
+  "../../packages/sdk/src/fetchers/cli-fetcher.ts"() {
+    config = null;
+  }
+});
 
 // ../../packages/sdk/src/generated/fetch/index.ts
-var getMeUrl = () => {
-  return `/api/skills/me`;
-};
-var me = async (options) => {
-  return customFetch(
-    getMeUrl(),
-    {
-      ...options,
-      method: "GET"
-    }
-  );
-};
-var getListSkillVersionsUrl = (username, name) => {
-  return `/api/skills/@user/${username}/${name}/versions`;
-};
-var listSkillVersions = async (username, name, options) => {
-  return customFetch(
-    getListSkillVersionsUrl(username, name),
-    {
-      ...options,
-      method: "GET"
-    }
-  );
-};
-var getGetSkillVersionUrl = (username, name, version2) => {
-  return `/api/skills/@user/${username}/${name}/${version2}`;
-};
-var getSkillVersion = async (username, name, version2, options) => {
-  return customFetch(
-    getGetSkillVersionUrl(username, name, version2),
-    {
-      ...options,
-      method: "GET"
-    }
-  );
-};
-var getPublishSkillUrl = () => {
-  return `/api/skills/publish`;
-};
-var publishSkill = async (publishSkillInput, options) => {
-  return customFetch(
-    getPublishSkillUrl(),
-    {
-      ...options,
-      method: "POST",
-      headers: { "Content-Type": "application/json", ...options?.headers },
-      body: JSON.stringify(
-        publishSkillInput
-      )
-    }
-  );
-};
-var getDeleteSkillUrl = (name) => {
-  return `/api/skills/${name}`;
-};
-var deleteSkill = async (name, options) => {
-  return customFetch(
-    getDeleteSkillUrl(name),
-    {
-      ...options,
-      method: "DELETE"
-    }
-  );
-};
-var getDeleteSkillVersionUrl = (name, version2) => {
-  return `/api/skills/${name}/${version2}`;
-};
-var deleteSkillVersion = async (name, version2, options) => {
-  return customFetch(
-    getDeleteSkillVersionUrl(name, version2),
-    {
-      ...options,
-      method: "DELETE"
-    }
-  );
-};
+var getMeUrl, me, getListSkillVersionsUrl, listSkillVersions, getGetSkillVersionUrl, getSkillVersion, getPublishSkillUrl, publishSkill, getDeleteSkillUrl, deleteSkill, getDeleteSkillVersionUrl, deleteSkillVersion;
+var init_fetch = __esm({
+  "../../packages/sdk/src/generated/fetch/index.ts"() {
+    init_cli_fetcher();
+    getMeUrl = () => {
+      return `/api/skills/me`;
+    };
+    me = async (options) => {
+      return customFetch(
+        getMeUrl(),
+        {
+          ...options,
+          method: "GET"
+        }
+      );
+    };
+    getListSkillVersionsUrl = (username, name) => {
+      return `/api/skills/@user/${username}/${name}/versions`;
+    };
+    listSkillVersions = async (username, name, options) => {
+      return customFetch(
+        getListSkillVersionsUrl(username, name),
+        {
+          ...options,
+          method: "GET"
+        }
+      );
+    };
+    getGetSkillVersionUrl = (username, name, version2) => {
+      return `/api/skills/@user/${username}/${name}/${version2}`;
+    };
+    getSkillVersion = async (username, name, version2, options) => {
+      return customFetch(
+        getGetSkillVersionUrl(username, name, version2),
+        {
+          ...options,
+          method: "GET"
+        }
+      );
+    };
+    getPublishSkillUrl = () => {
+      return `/api/skills/publish`;
+    };
+    publishSkill = async (publishSkillInput, options) => {
+      return customFetch(
+        getPublishSkillUrl(),
+        {
+          ...options,
+          method: "POST",
+          headers: { "Content-Type": "application/json", ...options?.headers },
+          body: JSON.stringify(
+            publishSkillInput
+          )
+        }
+      );
+    };
+    getDeleteSkillUrl = (name) => {
+      return `/api/skills/${name}`;
+    };
+    deleteSkill = async (name, options) => {
+      return customFetch(
+        getDeleteSkillUrl(name),
+        {
+          ...options,
+          method: "DELETE"
+        }
+      );
+    };
+    getDeleteSkillVersionUrl = (name, version2) => {
+      return `/api/skills/${name}/${version2}`;
+    };
+    deleteSkillVersion = async (name, version2, options) => {
+      return customFetch(
+        getDeleteSkillVersionUrl(name, version2),
+        {
+          ...options,
+          method: "DELETE"
+        }
+      );
+    };
+  }
+});
+
+// ../../packages/sdk/src/index.ts
+var init_src2 = __esm({
+  "../../packages/sdk/src/index.ts"() {
+    init_cli_fetcher();
+    init_fetch();
+  }
+});
 
 // src/api-client.ts
 function registryUrlToBaseUrl(registryUrl) {
@@ -308,22 +401,13 @@ async function changeSkillAccess(skillName, input) {
     };
   }
 }
+var init_api_client = __esm({
+  "src/api-client.ts"() {
+    init_src2();
+  }
+});
 
 // src/errors.ts
-var ConfigError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ConfigError";
-  }
-};
-var NotLoggedInError = class extends ConfigError {
-  constructor() {
-    super(
-      "Not logged in. Run 'pspm login --api-key <key>' first, or set PSPM_API_KEY env var."
-    );
-    this.name = "NotLoggedInError";
-  }
-};
 function extractApiErrorMessage(response, fallbackMessage) {
   const errorData = response.data;
   if (process.env.PSPM_DEBUG) {
@@ -358,9 +442,25 @@ ${issueMessages}`;
   }
   return errorMessage;
 }
-
-// src/config.ts
-var DEFAULT_REGISTRY_URL = "https://pspm.dev";
+var ConfigError, NotLoggedInError;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    ConfigError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "ConfigError";
+      }
+    };
+    NotLoggedInError = class extends ConfigError {
+      constructor() {
+        super(
+          "Not logged in. Run 'pspm login --api-key <key>' first, or set PSPM_API_KEY env var."
+        );
+        this.name = "NotLoggedInError";
+      }
+    };
+  }
+});
 function getConfigPath() {
   return join(homedir(), ".pspmrc");
 }
@@ -630,88 +730,261 @@ async function getRegistryUrl() {
   const resolved = await resolveConfig();
   return resolved.registryUrl;
 }
-
-// src/commands/access.ts
-async function access(specifier, options) {
-  try {
-    const apiKey = await requireApiKey();
-    const registryUrl = await getRegistryUrl();
-    if (options.public && options.private) {
-      console.error("Error: Cannot specify both --public and --private");
-      process.exit(1);
+var DEFAULT_REGISTRY_URL;
+var init_config = __esm({
+  "src/config.ts"() {
+    init_errors();
+    DEFAULT_REGISTRY_URL = "https://pspm.dev";
+  }
+});
+function resolveAgentConfig(name, overrides) {
+  if (overrides?.[name]) {
+    return overrides[name];
+  }
+  if (name in DEFAULT_AGENT_CONFIGS) {
+    return DEFAULT_AGENT_CONFIGS[name];
+  }
+  return null;
+}
+function parseAgentArg(agentArg) {
+  if (!agentArg) {
+    return [...DEFAULT_AGENTS];
+  }
+  if (agentArg === "none") {
+    return ["none"];
+  }
+  return agentArg.split(",").map((a) => a.trim()).filter(Boolean);
+}
+function getAvailableAgents(overrides) {
+  const builtIn = Object.keys(DEFAULT_AGENT_CONFIGS);
+  const custom = overrides ? Object.keys(overrides) : [];
+  return [.../* @__PURE__ */ new Set([...builtIn, ...custom])];
+}
+async function promptForAgents() {
+  const choices = ALL_AGENTS.map((agent) => ({
+    name: `${AGENT_INFO[agent].displayName} (${AGENT_INFO[agent].skillsDir})`,
+    value: agent,
+    checked: true
+    // All selected by default
+  }));
+  const selected = await checkbox({
+    message: "Select agents to install skills to",
+    choices
+  });
+  if (selected.length === 0) {
+    return ["none"];
+  }
+  return selected;
+}
+var AGENT_INFO, DEFAULT_AGENT_CONFIGS, ALL_AGENTS, DEFAULT_AGENTS;
+var init_agents = __esm({
+  "src/agents.ts"() {
+    AGENT_INFO = {
+      "claude-code": {
+        displayName: "Claude Code",
+        skillsDir: ".claude/skills"
+      },
+      codex: {
+        displayName: "Codex",
+        skillsDir: ".codex/skills"
+      },
+      cursor: {
+        displayName: "Cursor",
+        skillsDir: ".cursor/skills"
+      },
+      gemini: {
+        displayName: "Gemini CLI",
+        skillsDir: ".gemini/skills"
+      },
+      kiro: {
+        displayName: "Kiro CLI",
+        skillsDir: ".kiro/skills"
+      },
+      opencode: {
+        displayName: "OpenCode",
+        skillsDir: ".opencode/skills"
+      }
+    };
+    DEFAULT_AGENT_CONFIGS = {
+      "claude-code": { skillsDir: AGENT_INFO["claude-code"].skillsDir },
+      codex: { skillsDir: AGENT_INFO.codex.skillsDir },
+      cursor: { skillsDir: AGENT_INFO.cursor.skillsDir },
+      gemini: { skillsDir: AGENT_INFO.gemini.skillsDir },
+      kiro: { skillsDir: AGENT_INFO.kiro.skillsDir },
+      opencode: { skillsDir: AGENT_INFO.opencode.skillsDir }
+    };
+    ALL_AGENTS = [
+      "claude-code",
+      "codex",
+      "cursor",
+      "gemini",
+      "kiro",
+      "opencode"
+    ];
+    DEFAULT_AGENTS = ALL_AGENTS;
+  }
+});
+function getGitHubHeaders() {
+  const headers = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "User-Agent": "pspm-cli"
+  };
+  const token = process.env.GITHUB_TOKEN;
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+  return headers;
+}
+async function resolveGitHubRef(owner, repo, ref) {
+  const headers = getGitHubHeaders();
+  if (!ref || ref === "latest") {
+    const repoUrl = `https://api.github.com/repos/${owner}/${repo}`;
+    const repoResponse = await fetch(repoUrl, { headers });
+    if (repoResponse.status === 404) {
+      throw new GitHubNotFoundError({ owner, repo });
+    }
+    if (repoResponse.status === 403) {
+      const remaining = repoResponse.headers.get("x-ratelimit-remaining");
+      if (remaining === "0") {
+        throw new GitHubRateLimitError();
+      }
     }
-    if (!options.public && !options.private) {
-      console.error("Error: Must specify either --public or --private");
-      process.exit(1);
+    if (!repoResponse.ok) {
+      throw new Error(`GitHub API error: ${repoResponse.status}`);
     }
-    const visibility = options.public ? "public" : "private";
-    let packageName;
-    if (specifier) {
-      const parsed = parseSkillSpecifier(specifier);
-      if (!parsed) {
-        console.error(
-          `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}`
+    const repoData = await repoResponse.json();
+    ref = repoData.default_branch;
+  }
+  const commitUrl = `https://api.github.com/repos/${owner}/${repo}/commits/${ref}`;
+  const commitResponse = await fetch(commitUrl, { headers });
+  if (commitResponse.status === 404) {
+    throw new GitHubNotFoundError({ owner, repo, ref });
+  }
+  if (commitResponse.status === 403) {
+    const remaining = commitResponse.headers.get("x-ratelimit-remaining");
+    if (remaining === "0") {
+      throw new GitHubRateLimitError();
+    }
+  }
+  if (!commitResponse.ok) {
+    throw new Error(`GitHub API error: ${commitResponse.status}`);
+  }
+  const commitData = await commitResponse.json();
+  return commitData.sha;
+}
+async function downloadGitHubPackage(spec) {
+  const headers = getGitHubHeaders();
+  const commit = await resolveGitHubRef(spec.owner, spec.repo, spec.ref);
+  const tarballUrl = `https://api.github.com/repos/${spec.owner}/${spec.repo}/tarball/${commit}`;
+  const response = await fetch(tarballUrl, {
+    headers,
+    redirect: "follow"
+  });
+  if (response.status === 404) {
+    throw new GitHubNotFoundError(spec);
+  }
+  if (response.status === 403) {
+    const remaining = response.headers.get("x-ratelimit-remaining");
+    if (remaining === "0") {
+      throw new GitHubRateLimitError();
+    }
+  }
+  if (!response.ok) {
+    throw new Error(`Failed to download GitHub tarball: ${response.status}`);
+  }
+  const buffer = Buffer.from(await response.arrayBuffer());
+  const integrity = calculateIntegrity(buffer);
+  return { buffer, commit, integrity };
+}
+async function extractGitHubPackage(spec, buffer, skillsDir) {
+  const destPath = spec.path ? join(skillsDir, "_github", spec.owner, spec.repo, spec.path) : join(skillsDir, "_github", spec.owner, spec.repo);
+  const tempDir = join(skillsDir, "_github", ".temp", `${Date.now()}`);
+  await mkdir(tempDir, { recursive: true });
+  const tempFile = join(tempDir, "archive.tgz");
+  try {
+    await writeFile(tempFile, buffer);
+    const { exec: exec2 } = await import('child_process');
+    const { promisify: promisify2 } = await import('util');
+    const execAsync = promisify2(exec2);
+    await execAsync(`tar -xzf "${tempFile}" -C "${tempDir}"`);
+    const entries = await readdir(tempDir);
+    const extractedDir = entries.find(
+      (e) => e !== "archive.tgz" && !e.startsWith(".")
+    );
+    if (!extractedDir) {
+      throw new Error("Failed to find extracted directory in tarball");
+    }
+    const sourcePath = join(tempDir, extractedDir);
+    const copySource = spec.path ? join(sourcePath, spec.path) : sourcePath;
+    if (spec.path) {
+      const pathExists = await lstat(copySource).catch(() => null);
+      if (!pathExists) {
+        const rootEntries = await readdir(sourcePath);
+        const dirs = [];
+        for (const entry of rootEntries) {
+          const stat7 = await lstat(join(sourcePath, entry)).catch(() => null);
+          if (stat7?.isDirectory() && !entry.startsWith(".")) {
+            dirs.push(entry);
+          }
+        }
+        throw new GitHubPathNotFoundError(spec, dirs);
+      }
+    }
+    await rm(destPath, { recursive: true, force: true });
+    await mkdir(destPath, { recursive: true });
+    await cp(copySource, destPath, { recursive: true });
+    return spec.path ? `.pspm/skills/_github/${spec.owner}/${spec.repo}/${spec.path}` : `.pspm/skills/_github/${spec.owner}/${spec.repo}`;
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+}
+function getGitHubDisplayName(spec, commit) {
+  let name = `github:${spec.owner}/${spec.repo}`;
+  if (spec.path) {
+    name += `/${spec.path}`;
+  }
+  if (spec.ref || commit) {
+    const ref = spec.ref || "HEAD";
+    name += ` (${ref}${""})`;
+  }
+  return name;
+}
+var GitHubRateLimitError, GitHubNotFoundError, GitHubPathNotFoundError;
+var init_github = __esm({
+  "src/github.ts"() {
+    init_src();
+    GitHubRateLimitError = class extends Error {
+      constructor() {
+        super(
+          "GitHub API rate limit exceeded. Set GITHUB_TOKEN environment variable for higher limits."
         );
-        process.exit(1);
+        this.name = "GitHubRateLimitError";
       }
-      packageName = parsed.name;
-    } else {
-      const { readFile: readFile6 } = await import('fs/promises');
-      const { join: join10 } = await import('path');
-      let manifest = null;
-      try {
-        const content = await readFile6(
-          join10(process.cwd(), "pspm.json"),
-          "utf-8"
+    };
+    GitHubNotFoundError = class extends Error {
+      constructor(spec) {
+        const path = spec.path ? `/${spec.path}` : "";
+        const ref = spec.ref ? `@${spec.ref}` : "";
+        super(
+          `GitHub repository not found: ${spec.owner}/${spec.repo}${path}${ref}`
         );
-        manifest = JSON.parse(content);
-      } catch {
-        try {
-          const content = await readFile6(
-            join10(process.cwd(), "package.json"),
-            "utf-8"
-          );
-          manifest = JSON.parse(content);
-        } catch {
-          console.error(
-            "Error: No pspm.json or package.json found in current directory"
-          );
-          console.error(
-            "Either run this command in a package directory or specify a package name"
-          );
-          process.exit(1);
-        }
+        this.name = "GitHubNotFoundError";
       }
-      if (!manifest?.name) {
-        console.error("Error: Package manifest is missing 'name' field");
-        process.exit(1);
+    };
+    GitHubPathNotFoundError = class extends Error {
+      constructor(spec, availablePaths) {
+        const pathInfo = availablePaths?.length ? `
+Available paths in repository root:
+  ${availablePaths.join("\n  ")}` : "";
+        super(
+          `Path "${spec.path}" not found in ${spec.owner}/${spec.repo}${pathInfo}`
+        );
+        this.name = "GitHubPathNotFoundError";
       }
-      packageName = manifest.name;
-    }
-    configure2({ registryUrl, apiKey });
-    console.log(`Setting ${packageName} to ${visibility}...`);
-    const response = await changeSkillAccess(packageName, { visibility });
-    if (response.status !== 200 || !response.data) {
-      const errorMessage = response.error ?? "Failed to change visibility";
-      console.error(`Error: ${errorMessage}`);
-      process.exit(1);
-    }
-    const result = response.data;
-    console.log(
-      `+ @user/${result.username}/${result.name} is now ${result.visibility}`
-    );
-    if (visibility === "public") {
-      console.log("");
-      console.log(
-        "Note: This action is irreversible. Public packages cannot be made private."
-      );
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${message}`);
-    process.exit(1);
+    };
   }
-}
+});
 async function hasLegacyLockfile() {
   try {
     await stat(getLegacyLockfilePath());
@@ -783,17 +1056,20 @@ async function writeLockfile(lockfile) {
   const lockfilePath = getLockfilePath();
   await mkdir(dirname(lockfilePath), { recursive: true });
   const normalized = {
-    lockfileVersion: 2,
+    lockfileVersion: 3,
     registryUrl: lockfile.registryUrl,
     packages: lockfile.packages ?? lockfile.skills ?? {}
   };
+  if (lockfile.githubPackages && Object.keys(lockfile.githubPackages).length > 0) {
+    normalized.githubPackages = lockfile.githubPackages;
+  }
   await writeFile(lockfilePath, `${JSON.stringify(normalized, null, 2)}
 `);
 }
 async function createEmptyLockfile() {
   const registryUrl = await getRegistryUrl();
   return {
-    lockfileVersion: 2,
+    lockfileVersion: 3,
     registryUrl,
     packages: {}
   };
@@ -836,125 +1112,596 @@ async function listLockfileSkills() {
     entry
   }));
 }
-
-// src/commands/add.ts
-async function add(specifier, _options) {
+async function addGitHubToLockfile(specifier, entry) {
+  let lockfile = await readLockfile();
+  if (!lockfile) {
+    lockfile = await createEmptyLockfile();
+  }
+  if (!lockfile.githubPackages) {
+    lockfile.githubPackages = {};
+  }
+  lockfile.githubPackages[specifier] = entry;
+  await writeLockfile(lockfile);
+}
+async function removeGitHubFromLockfile(specifier) {
+  const lockfile = await readLockfile();
+  if (!lockfile?.githubPackages?.[specifier]) {
+    return false;
+  }
+  delete lockfile.githubPackages[specifier];
+  await writeLockfile(lockfile);
+  return true;
+}
+async function listLockfileGitHubPackages() {
+  const lockfile = await readLockfile();
+  if (!lockfile?.githubPackages) {
+    return [];
+  }
+  return Object.entries(lockfile.githubPackages).map(([specifier, entry]) => ({
+    specifier,
+    entry
+  }));
+}
+var init_lockfile = __esm({
+  "src/lockfile.ts"() {
+    init_config();
+  }
+});
+function getManifestPath() {
+  return join(process.cwd(), "pspm.json");
+}
+async function readManifest() {
   try {
-    const config2 = await resolveConfig();
-    const registryUrl = config2.registryUrl;
-    const apiKey = getTokenForRegistry(config2, registryUrl);
-    const parsed = parseSkillSpecifier(specifier);
-    if (!parsed) {
-      console.error(
-        `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}[@{version}]`
-      );
-      process.exit(1);
+    const content = await readFile(getManifestPath(), "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeManifest(manifest) {
+  const content = JSON.stringify(manifest, null, 2);
+  await writeFile(getManifestPath(), `${content}
+`);
+}
+async function createMinimalManifest() {
+  return {
+    dependencies: {}
+  };
+}
+async function ensureManifest() {
+  let manifest = await readManifest();
+  if (!manifest) {
+    manifest = await createMinimalManifest();
+    await writeManifest(manifest);
+  }
+  return manifest;
+}
+async function addDependency(skillName, versionRange) {
+  const manifest = await ensureManifest();
+  if (!manifest.dependencies) {
+    manifest.dependencies = {};
+  }
+  manifest.dependencies[skillName] = versionRange;
+  await writeManifest(manifest);
+}
+async function removeDependency(skillName) {
+  const manifest = await readManifest();
+  if (!manifest?.dependencies?.[skillName]) {
+    return false;
+  }
+  delete manifest.dependencies[skillName];
+  await writeManifest(manifest);
+  return true;
+}
+async function getDependencies() {
+  const manifest = await readManifest();
+  return manifest?.dependencies ?? {};
+}
+async function getGitHubDependencies() {
+  const manifest = await readManifest();
+  return manifest?.githubDependencies ?? {};
+}
+async function addGitHubDependency(specifier, ref) {
+  const manifest = await ensureManifest();
+  if (!manifest.githubDependencies) {
+    manifest.githubDependencies = {};
+  }
+  manifest.githubDependencies[specifier] = ref;
+  await writeManifest(manifest);
+}
+async function removeGitHubDependency(specifier) {
+  const manifest = await readManifest();
+  if (!manifest?.githubDependencies?.[specifier]) {
+    return false;
+  }
+  delete manifest.githubDependencies[specifier];
+  await writeManifest(manifest);
+  return true;
+}
+var init_manifest2 = __esm({
+  "src/manifest.ts"() {
+  }
+});
+async function createAgentSymlinks(skills, options) {
+  const { agents, projectRoot, agentConfigs } = options;
+  if (agents.length === 1 && agents[0] === "none") {
+    return;
+  }
+  for (const agentName of agents) {
+    const config2 = resolveAgentConfig(agentName, agentConfigs);
+    if (!config2) {
+      console.warn(`Warning: Unknown agent "${agentName}", skipping symlinks`);
+      continue;
     }
-    const { username, name, versionRange } = parsed;
-    configure2({ registryUrl, apiKey: apiKey ?? "" });
-    console.log(`Resolving ${specifier}...`);
-    const versionsResponse = await listSkillVersions(username, name);
-    if (versionsResponse.status !== 200) {
-      if (versionsResponse.status === 401) {
-        if (!apiKey) {
-          console.error(
-            `Error: Package @user/${username}/${name} requires authentication`
-          );
-          console.error("Please run 'pspm login' to authenticate");
-        } else {
-          console.error(
-            `Error: Access denied to @user/${username}/${name}. You may not have permission to access this private package.`
-          );
+    const agentSkillsDir = join(projectRoot, config2.skillsDir);
+    await mkdir(agentSkillsDir, { recursive: true });
+    for (const skill of skills) {
+      const symlinkPath = join(agentSkillsDir, skill.name);
+      const targetPath = join(projectRoot, skill.sourcePath);
+      const relativeTarget = relative(dirname(symlinkPath), targetPath);
+      await createSymlink(symlinkPath, relativeTarget, skill.name);
+    }
+  }
+}
+async function createSymlink(symlinkPath, target, skillName) {
+  try {
+    const stats = await lstat(symlinkPath).catch(() => null);
+    if (stats) {
+      if (stats.isSymbolicLink()) {
+        const existingTarget = await readlink(symlinkPath);
+        if (existingTarget === target) {
+          return;
         }
-        process.exit(1);
+        await rm(symlinkPath);
+      } else {
+        console.warn(
+          `Warning: File exists at symlink path for "${skillName}", skipping: ${symlinkPath}`
+        );
+        return;
       }
-      const errorMessage = extractApiErrorMessage(
-        versionsResponse,
-        `Skill @user/${username}/${name} not found`
-      );
-      console.error(`Error: ${errorMessage}`);
-      process.exit(1);
     }
-    const versions = versionsResponse.data;
-    if (versions.length === 0) {
-      console.error(`Error: Skill @user/${username}/${name} not found`);
-      process.exit(1);
+    await symlink(target, symlinkPath);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.warn(
+      `Warning: Failed to create symlink for "${skillName}": ${message}`
+    );
+  }
+}
+async function removeAgentSymlinks(skillName, options) {
+  const { agents, projectRoot, agentConfigs } = options;
+  if (agents.length === 1 && agents[0] === "none") {
+    return;
+  }
+  for (const agentName of agents) {
+    const config2 = resolveAgentConfig(agentName, agentConfigs);
+    if (!config2) {
+      continue;
     }
-    const versionStrings = versions.map((v) => v.version);
-    const resolved = resolveVersion(versionRange || "*", versionStrings);
-    if (!resolved) {
-      console.error(
-        `Error: No version matching "${versionRange || "latest"}" found for @user/${username}/${name}`
-      );
-      console.error(`Available versions: ${versionStrings.join(", ")}`);
+    const symlinkPath = join(projectRoot, config2.skillsDir, skillName);
+    try {
+      const stats = await lstat(symlinkPath).catch(() => null);
+      if (stats?.isSymbolicLink()) {
+        await rm(symlinkPath);
+      }
+    } catch {
+    }
+  }
+}
+function getRegistrySkillPath(username, skillName) {
+  return `.pspm/skills/${username}/${skillName}`;
+}
+function getGitHubSkillPath(owner, repo, path) {
+  if (path) {
+    return `.pspm/skills/_github/${owner}/${repo}/${path}`;
+  }
+  return `.pspm/skills/_github/${owner}/${repo}`;
+}
+async function getLinkedAgents(skillName, agents, projectRoot, agentConfigs) {
+  const linkedAgents = [];
+  for (const agentName of agents) {
+    const config2 = resolveAgentConfig(agentName, agentConfigs);
+    if (!config2) continue;
+    const symlinkPath = join(projectRoot, config2.skillsDir, skillName);
+    try {
+      const stats = await lstat(symlinkPath);
+      if (stats.isSymbolicLink()) {
+        linkedAgents.push(agentName);
+      }
+    } catch {
+    }
+  }
+  return linkedAgents;
+}
+var init_symlinks = __esm({
+  "src/symlinks.ts"() {
+    init_agents();
+  }
+});
+
+// src/commands/add.ts
+var add_exports = {};
+__export(add_exports, {
+  add: () => add
+});
+async function add(specifiers, options) {
+  console.log("Resolving packages...\n");
+  const resolvedPackages = [];
+  const validationErrors = [];
+  for (const specifier of specifiers) {
+    try {
+      if (isGitHubSpecifier(specifier)) {
+        const resolved = await validateGitHubPackage(specifier);
+        resolvedPackages.push(resolved);
+      } else {
+        const resolved = await validateRegistryPackage(specifier);
+        resolvedPackages.push(resolved);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      validationErrors.push({ specifier, error: message });
+      console.error(`Failed to resolve ${specifier}: ${message}
+`);
+    }
+  }
+  if (resolvedPackages.length === 0) {
+    console.error("No packages could be resolved.");
+    process.exit(1);
+  }
+  if (validationErrors.length > 0) {
+    console.log(
+      `Resolved ${resolvedPackages.length} of ${specifiers.length} packages.
+`
+    );
+  }
+  let agents;
+  const manifest = await readManifest();
+  if (options.agent) {
+    agents = parseAgentArg(options.agent);
+  } else if (manifest) {
+    agents = parseAgentArg(void 0);
+  } else if (options.yes) {
+    agents = parseAgentArg(void 0);
+  } else {
+    console.log("No pspm.json found. Let's set up your project.\n");
+    agents = await promptForAgents();
+    console.log();
+  }
+  const results = [];
+  for (const resolved of resolvedPackages) {
+    try {
+      if (resolved.type === "github") {
+        await installGitHubPackage(resolved, {
+          ...options,
+          resolvedAgents: agents
+        });
+      } else {
+        await installRegistryPackage(resolved, {
+          ...options,
+          resolvedAgents: agents
+        });
+      }
+      results.push({ specifier: resolved.specifier, success: true });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      results.push({
+        specifier: resolved.specifier,
+        success: false,
+        error: message
+      });
+      console.error(`Failed to install ${resolved.specifier}: ${message}
+`);
+    }
+  }
+  if (specifiers.length > 1) {
+    const succeeded = results.filter((r) => r.success).length;
+    const failed = results.filter((r) => !r.success).length + validationErrors.length;
+    console.log(`
+Summary: ${succeeded} added, ${failed} failed`);
+    if (failed > 0) {
       process.exit(1);
     }
-    console.log(`Installing @user/${username}/${name}@${resolved}...`);
-    const versionResponse = await getSkillVersion(username, name, resolved);
-    if (versionResponse.status !== 200 || !versionResponse.data) {
-      const errorMessage = extractApiErrorMessage(
-        versionResponse,
-        `Version ${resolved} not found`
+  }
+}
+async function validateRegistryPackage(specifier) {
+  const config2 = await resolveConfig();
+  const registryUrl = config2.registryUrl;
+  const apiKey = getTokenForRegistry(config2, registryUrl);
+  const parsed = parseSkillSpecifier(specifier);
+  if (!parsed) {
+    throw new Error(
+      `Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}[@{version}]`
+    );
+  }
+  const { username, name, versionRange } = parsed;
+  configure2({ registryUrl, apiKey: apiKey ?? "" });
+  console.log(`Resolving ${specifier}...`);
+  const versionsResponse = await listSkillVersions(username, name);
+  if (versionsResponse.status !== 200) {
+    if (versionsResponse.status === 401) {
+      if (!apiKey) {
+        throw new Error(
+          `Package @user/${username}/${name} requires authentication. Please run 'pspm login' to authenticate`
+        );
+      }
+      throw new Error(
+        `Access denied to @user/${username}/${name}. You may not have permission to access this private package.`
       );
-      console.error(`Error: ${errorMessage}`);
-      process.exit(1);
     }
-    const versionInfo = versionResponse.data;
-    const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
-    const downloadHeaders = {};
-    if (!isPresignedUrl && apiKey) {
-      downloadHeaders.Authorization = `Bearer ${apiKey}`;
+    const errorMessage = extractApiErrorMessage(
+      versionsResponse,
+      `Skill @user/${username}/${name} not found`
+    );
+    throw new Error(errorMessage);
+  }
+  const versions = versionsResponse.data;
+  if (versions.length === 0) {
+    throw new Error(`Skill @user/${username}/${name} not found`);
+  }
+  const versionStrings = versions.map((v) => v.version);
+  const resolvedVersion = resolveVersion(versionRange || "*", versionStrings);
+  if (!resolvedVersion) {
+    throw new Error(
+      `No version matching "${versionRange || "latest"}" found for @user/${username}/${name}. Available versions: ${versionStrings.join(", ")}`
+    );
+  }
+  const versionResponse = await getSkillVersion(
+    username,
+    name,
+    resolvedVersion
+  );
+  if (versionResponse.status !== 200 || !versionResponse.data) {
+    const errorMessage = extractApiErrorMessage(
+      versionResponse,
+      `Version ${resolvedVersion} not found`
+    );
+    throw new Error(errorMessage);
+  }
+  console.log(`Resolved @user/${username}/${name}@${resolvedVersion}`);
+  return {
+    type: "registry",
+    specifier,
+    username,
+    name,
+    versionRange,
+    resolvedVersion,
+    versionInfo: {
+      downloadUrl: versionResponse.data.downloadUrl,
+      checksum: versionResponse.data.checksum
     }
-    const tarballResponse = await fetch(versionInfo.downloadUrl, {
-      headers: downloadHeaders,
-      redirect: "follow"
+  };
+}
+async function validateGitHubPackage(specifier) {
+  const parsed = parseGitHubSpecifier(specifier);
+  if (!parsed) {
+    throw new Error(
+      `Invalid GitHub specifier "${specifier}". Use format: github:{owner}/{repo}[/{path}][@{ref}]`
+    );
+  }
+  const ref = parsed.ref || "HEAD";
+  console.log(`Resolving ${getGitHubDisplayName(parsed)}...`);
+  const result = await downloadGitHubPackage(parsed);
+  console.log(`Resolved ${specifier} (${ref}@${result.commit.slice(0, 7)})`);
+  return {
+    type: "github",
+    specifier,
+    parsed,
+    ref,
+    downloadResult: result
+  };
+}
+async function installRegistryPackage(resolved, options) {
+  const { username, name, versionRange, resolvedVersion, versionInfo } = resolved;
+  console.log(`Installing @user/${username}/${name}@${resolvedVersion}...`);
+  const config2 = await resolveConfig();
+  const apiKey = getTokenForRegistry(config2, config2.registryUrl);
+  const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
+  const downloadHeaders = {};
+  if (!isPresignedUrl && apiKey) {
+    downloadHeaders.Authorization = `Bearer ${apiKey}`;
+  }
+  const tarballResponse = await fetch(versionInfo.downloadUrl, {
+    headers: downloadHeaders,
+    redirect: "follow"
+  });
+  if (!tarballResponse.ok) {
+    throw new Error(`Failed to download tarball (${tarballResponse.status})`);
+  }
+  const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
+  const integrity = calculateIntegrity(tarballBuffer);
+  const expectedIntegrity = `sha256-${Buffer.from(versionInfo.checksum, "hex").toString("base64")}`;
+  if (integrity !== expectedIntegrity) {
+    throw new Error("Checksum verification failed");
+  }
+  const skillsDir = getSkillsDir();
+  const destDir = join(skillsDir, username, name);
+  await mkdir(destDir, { recursive: true });
+  const { writeFile: writeFile8 } = await import('fs/promises');
+  const tempFile = join(destDir, ".temp.tgz");
+  await writeFile8(tempFile, tarballBuffer);
+  const { exec: exec2 } = await import('child_process');
+  const { promisify: promisify2 } = await import('util');
+  const execAsync = promisify2(exec2);
+  try {
+    await rm(destDir, { recursive: true, force: true });
+    await mkdir(destDir, { recursive: true });
+    await writeFile8(tempFile, tarballBuffer);
+    await execAsync(
+      `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
+    );
+  } finally {
+    await rm(tempFile, { force: true });
+  }
+  const fullName = `@user/${username}/${name}`;
+  await addToLockfile(fullName, {
+    version: resolvedVersion,
+    resolved: versionInfo.downloadUrl,
+    integrity
+  });
+  const dependencyRange = versionRange || `^${resolvedVersion}`;
+  await addDependency(fullName, dependencyRange);
+  const agents = options.resolvedAgents;
+  if (agents[0] !== "none") {
+    const skillManifest = await readManifest();
+    const skillInfo = {
+      name,
+      sourcePath: getRegistrySkillPath(username, name)
+    };
+    await createAgentSymlinks([skillInfo], {
+      agents,
+      projectRoot: process.cwd(),
+      agentConfigs: skillManifest?.agents
     });
-    if (!tarballResponse.ok) {
-      console.error(
-        `Error: Failed to download tarball (${tarballResponse.status})`
-      );
+  }
+  console.log(`Installed @user/${username}/${name}@${resolvedVersion}`);
+  console.log(`Location: ${destDir}`);
+}
+async function installGitHubPackage(resolved, options) {
+  const { specifier, parsed, ref, downloadResult } = resolved;
+  console.log(
+    `Installing ${specifier} (${ref}@${downloadResult.commit.slice(0, 7)})...`
+  );
+  const skillsDir = getSkillsDir();
+  const destPath = await extractGitHubPackage(
+    parsed,
+    downloadResult.buffer,
+    skillsDir
+  );
+  const lockfileSpecifier = formatGitHubSpecifier({
+    owner: parsed.owner,
+    repo: parsed.repo,
+    path: parsed.path
+    // Don't include ref in the specifier key, it's stored in gitRef
+  });
+  const entry = {
+    version: downloadResult.commit.slice(0, 7),
+    resolved: `https://github.com/${parsed.owner}/${parsed.repo}`,
+    integrity: downloadResult.integrity,
+    gitCommit: downloadResult.commit,
+    gitRef: ref
+  };
+  await addGitHubToLockfile(lockfileSpecifier, entry);
+  await addGitHubDependency(lockfileSpecifier, ref);
+  const agents = options.resolvedAgents;
+  if (agents[0] !== "none") {
+    const manifest = await readManifest();
+    const skillName = getGitHubSkillName(parsed);
+    const skillInfo = {
+      name: skillName,
+      sourcePath: getGitHubSkillPath(parsed.owner, parsed.repo, parsed.path)
+    };
+    await createAgentSymlinks([skillInfo], {
+      agents,
+      projectRoot: process.cwd(),
+      agentConfigs: manifest?.agents
+    });
+  }
+  console.log(
+    `Installed ${specifier} (${ref}@${downloadResult.commit.slice(0, 7)})`
+  );
+  console.log(`Location: ${destPath}`);
+}
+var init_add = __esm({
+  "src/commands/add.ts"() {
+    init_src();
+    init_agents();
+    init_api_client();
+    init_config();
+    init_errors();
+    init_github();
+    init_lockfile();
+    init_manifest2();
+    init_symlinks();
+  }
+});
+
+// src/commands/access.ts
+init_src();
+init_api_client();
+init_config();
+async function access(specifier, options) {
+  try {
+    const apiKey = await requireApiKey();
+    const registryUrl = await getRegistryUrl();
+    if (options.public && options.private) {
+      console.error("Error: Cannot specify both --public and --private");
       process.exit(1);
     }
-    const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
-    const integrity = calculateIntegrity(tarballBuffer);
-    const expectedIntegrity = `sha256-${Buffer.from(versionInfo.checksum, "hex").toString("base64")}`;
-    if (integrity !== expectedIntegrity) {
-      console.error("Error: Checksum verification failed");
+    if (!options.public && !options.private) {
+      console.error("Error: Must specify either --public or --private");
       process.exit(1);
     }
-    const skillsDir = getSkillsDir();
-    const destDir = join(skillsDir, username, name);
-    await mkdir(destDir, { recursive: true });
-    const { writeFile: writeFile6 } = await import('fs/promises');
-    const tempFile = join(destDir, ".temp.tgz");
-    await writeFile6(tempFile, tarballBuffer);
-    const { exec: exec2 } = await import('child_process');
-    const { promisify: promisify2 } = await import('util');
-    const execAsync = promisify2(exec2);
-    try {
-      await rm(destDir, { recursive: true, force: true });
-      await mkdir(destDir, { recursive: true });
-      await writeFile6(tempFile, tarballBuffer);
-      await execAsync(
-        `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
+    const visibility = options.public ? "public" : "private";
+    let packageName;
+    if (specifier) {
+      const parsed = parseSkillSpecifier(specifier);
+      if (!parsed) {
+        console.error(
+          `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}`
+        );
+        process.exit(1);
+      }
+      packageName = parsed.name;
+    } else {
+      const { readFile: readFile7 } = await import('fs/promises');
+      const { join: join13 } = await import('path');
+      let manifest = null;
+      try {
+        const content = await readFile7(
+          join13(process.cwd(), "pspm.json"),
+          "utf-8"
+        );
+        manifest = JSON.parse(content);
+      } catch {
+        try {
+          const content = await readFile7(
+            join13(process.cwd(), "package.json"),
+            "utf-8"
+          );
+          manifest = JSON.parse(content);
+        } catch {
+          console.error(
+            "Error: No pspm.json or package.json found in current directory"
+          );
+          console.error(
+            "Either run this command in a package directory or specify a package name"
+          );
+          process.exit(1);
+        }
+      }
+      if (!manifest?.name) {
+        console.error("Error: Package manifest is missing 'name' field");
+        process.exit(1);
+      }
+      packageName = manifest.name;
+    }
+    configure2({ registryUrl, apiKey });
+    console.log(`Setting ${packageName} to ${visibility}...`);
+    const response = await changeSkillAccess(packageName, { visibility });
+    if (response.status !== 200 || !response.data) {
+      const errorMessage = response.error ?? "Failed to change visibility";
+      console.error(`Error: ${errorMessage}`);
+      process.exit(1);
+    }
+    const result = response.data;
+    console.log(
+      `+ @user/${result.username}/${result.name} is now ${result.visibility}`
+    );
+    if (visibility === "public") {
+      console.log("");
+      console.log(
+        "Note: This action is irreversible. Public packages cannot be made private."
       );
-    } finally {
-      await rm(tempFile, { force: true });
     }
-    const fullName = `@user/${username}/${name}`;
-    await addToLockfile(fullName, {
-      version: resolved,
-      resolved: versionInfo.downloadUrl,
-      integrity
-    });
-    console.log(`Installed @user/${username}/${name}@${resolved}`);
-    console.log(`Location: ${destDir}`);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     console.error(`Error: ${message}`);
     process.exit(1);
   }
 }
+
+// src/commands/index.ts
+init_add();
 async function configInit(options) {
   try {
     const configPath = join(process.cwd(), ".pspmrc");
@@ -987,6 +1734,7 @@ async function configInit(options) {
 }
 
 // src/commands/config/show.ts
+init_config();
 async function configShow() {
   try {
     const resolved = await resolveConfig();
@@ -1016,6 +1764,9 @@ async function configShow() {
 }
 
 // src/commands/deprecate.ts
+init_src();
+init_api_client();
+init_config();
 async function deprecate(specifier, message, options) {
   try {
     const apiKey = await requireApiKey();
@@ -1078,6 +1829,17 @@ async function deprecate(specifier, message, options) {
     process.exit(1);
   }
 }
+
+// src/commands/init.ts
+init_src();
+function prompt(rl, question, defaultValue) {
+  return new Promise((resolve) => {
+    const displayDefault = defaultValue ? ` (${defaultValue})` : "";
+    rl.question(`${question}${displayDefault} `, (answer) => {
+      resolve(answer.trim() || defaultValue);
+    });
+  });
+}
 async function readExistingPackageJson() {
   try {
     const content = await readFile(
@@ -1096,52 +1858,177 @@ async function readExistingPackageJson() {
     return null;
   }
 }
+async function getGitAuthor() {
+  try {
+    const { exec: exec2 } = await import('child_process');
+    const { promisify: promisify2 } = await import('util');
+    const execAsync = promisify2(exec2);
+    const [nameResult, emailResult] = await Promise.all([
+      execAsync("git config user.name").catch(() => ({ stdout: "" })),
+      execAsync("git config user.email").catch(() => ({ stdout: "" }))
+    ]);
+    const name = nameResult.stdout.trim();
+    const email = emailResult.stdout.trim();
+    if (name && email) {
+      return `${name} <${email}>`;
+    }
+    if (name) {
+      return name;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
 function sanitizeName(name) {
   const withoutScope = name.replace(/^@[^/]+\//, "");
   return withoutScope.toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+|-+$/g, "").replace(/-+/g, "-");
 }
+function isValidName(name) {
+  return /^[a-z][a-z0-9_-]*$/.test(name);
+}
+function isValidVersion(version2) {
+  return /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/.test(version2);
+}
 async function init(options) {
   try {
     const pspmJsonPath = join(process.cwd(), "pspm.json");
+    let exists = false;
     try {
       await stat(pspmJsonPath);
+      exists = true;
+    } catch {
+    }
+    if (exists && !options.force) {
       console.error("Error: pspm.json already exists in this directory.");
-      console.error("Use --force to overwrite (not yet implemented).");
+      console.error("Use --force to overwrite.");
       process.exit(1);
-    } catch {
     }
-    const existingPkg = await readExistingPackageJson();
-    const defaultName = options.name || sanitizeName(existingPkg?.name || basename(process.cwd()));
-    const defaultVersion = existingPkg?.version || "0.1.0";
-    const defaultDescription = options.description || existingPkg?.description || "";
-    const defaultAuthor = options.author || existingPkg?.author || "";
-    const defaultLicense = existingPkg?.license || "MIT";
-    const manifest = {
-      $schema: PSPM_SCHEMA_URL,
-      name: defaultName,
-      version: defaultVersion,
-      description: defaultDescription || void 0,
-      author: defaultAuthor || void 0,
-      license: defaultLicense,
-      type: "skill",
-      capabilities: [],
-      main: "SKILL.md",
-      requirements: {
-        pspm: ">=0.1.0"
-      },
-      files: [...DEFAULT_SKILL_FILES],
-      dependencies: {},
-      private: false
-    };
+    const existingPkg = await readExistingPackageJson();
+    const gitAuthor = await getGitAuthor();
+    const defaultName = sanitizeName(
+      options.name || existingPkg?.name || basename(process.cwd())
+    );
+    const defaultVersion = existingPkg?.version || "0.1.0";
+    const defaultDescription = options.description || existingPkg?.description || "";
+    const defaultAuthor = options.author || existingPkg?.author || gitAuthor || "";
+    const defaultLicense = existingPkg?.license || "MIT";
+    const defaultMain = "SKILL.md";
+    const defaultCapabilities = "";
+    let manifest;
+    if (options.yes) {
+      manifest = {
+        $schema: PSPM_SCHEMA_URL,
+        name: defaultName,
+        version: defaultVersion,
+        description: defaultDescription || void 0,
+        author: defaultAuthor || void 0,
+        license: defaultLicense,
+        type: "skill",
+        capabilities: [],
+        main: defaultMain,
+        requirements: {
+          pspm: ">=0.1.0"
+        },
+        files: [...DEFAULT_SKILL_FILES],
+        dependencies: {},
+        private: false
+      };
+    } else {
+      console.log(
+        "This utility will walk you through creating a pspm.json file."
+      );
+      console.log(
+        "It only covers the most common items, and tries to guess sensible defaults."
+      );
+      console.log("");
+      console.log(
+        "See `pspm init --help` for definitive documentation on these fields"
+      );
+      console.log("and exactly what they do.");
+      console.log("");
+      console.log("Press ^C at any time to quit.");
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      try {
+        let name = await prompt(rl, "skill name:", defaultName);
+        while (!isValidName(name)) {
+          console.log(
+            "  Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores."
+          );
+          name = await prompt(rl, "skill name:", sanitizeName(name));
+        }
+        let version2 = await prompt(rl, "version:", defaultVersion);
+        while (!isValidVersion(version2)) {
+          console.log("  Version must be valid semver (e.g., 1.0.0)");
+          version2 = await prompt(rl, "version:", "0.1.0");
+        }
+        const description = await prompt(
+          rl,
+          "description:",
+          defaultDescription
+        );
+        const main = await prompt(rl, "entry point:", defaultMain);
+        const capabilitiesStr = await prompt(
+          rl,
+          "capabilities (comma-separated):",
+          defaultCapabilities
+        );
+        const author = await prompt(rl, "author:", defaultAuthor);
+        const license = await prompt(rl, "license:", defaultLicense);
+        rl.close();
+        const capabilities = capabilitiesStr ? capabilitiesStr.split(",").map((s) => s.trim()).filter(Boolean) : [];
+        manifest = {
+          $schema: PSPM_SCHEMA_URL,
+          name,
+          version: version2,
+          description: description || void 0,
+          author: author || void 0,
+          license,
+          type: "skill",
+          capabilities,
+          main,
+          requirements: {
+            pspm: ">=0.1.0"
+          },
+          files: [...DEFAULT_SKILL_FILES],
+          dependencies: {},
+          private: false
+        };
+      } catch (error) {
+        rl.close();
+        if (error instanceof Error && error.message.includes("readline was closed")) {
+          console.log("\nAborted.");
+          process.exit(0);
+        }
+        throw error;
+      }
+    }
     if (!manifest.description) delete manifest.description;
     if (!manifest.author) delete manifest.author;
+    if (manifest.capabilities?.length === 0) delete manifest.capabilities;
     const content = JSON.stringify(manifest, null, 2);
-    await writeFile(pspmJsonPath, `${content}
-`);
-    console.log("Created pspm.json:");
+    console.log("");
+    console.log(`About to write to ${pspmJsonPath}:`);
     console.log("");
     console.log(content);
     console.log("");
+    if (!options.yes) {
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      const confirm = await prompt(rl, "Is this OK?", "yes");
+      rl.close();
+      if (confirm.toLowerCase() !== "yes" && confirm.toLowerCase() !== "y") {
+        console.log("Aborted.");
+        process.exit(0);
+      }
+    }
+    await writeFile(pspmJsonPath, `${content}
+`);
     try {
       await stat(join(process.cwd(), "SKILL.md"));
     } catch {
@@ -1160,6 +2047,17 @@ async function init(options) {
     process.exit(1);
   }
 }
+
+// src/commands/install.ts
+init_src();
+init_agents();
+init_api_client();
+init_config();
+init_errors();
+init_github();
+init_lockfile();
+init_manifest2();
+init_symlinks();
 function getCacheFilePath(cacheDir, integrity) {
   const match = integrity.match(/^sha256-(.+)$/);
   if (!match) {
@@ -1191,120 +2089,537 @@ async function writeToCache(cacheDir, integrity, data) {
   } catch {
   }
 }
-async function install(options) {
+async function install(specifiers, options) {
+  if (specifiers.length > 0) {
+    const { add: add2 } = await Promise.resolve().then(() => (init_add(), add_exports));
+    await add2(specifiers, {
+      save: true,
+      agent: options.agent,
+      yes: options.yes
+    });
+    return;
+  }
+  await installFromLockfile(options);
+}
+async function installFromLockfile(options) {
   try {
     const config2 = await resolveConfig();
-    const apiKey = getTokenForRegistry(config2, config2.registryUrl);
+    const registryUrl = config2.registryUrl;
+    const apiKey = getTokenForRegistry(config2, registryUrl);
     const skillsDir = options.dir || getSkillsDir();
     const cacheDir = getCacheDir();
     await migrateLockfileIfNeeded();
-    const lockfile = await readLockfile();
-    if (!lockfile) {
+    let lockfile = await readLockfile();
+    const manifestDeps = await getDependencies();
+    const manifestGitHubDeps = await getGitHubDependencies();
+    const lockfilePackages = lockfile?.packages ?? lockfile?.skills ?? {};
+    const lockfileGitHubPackages = lockfile?.githubPackages ?? {};
+    const installedSkills = [];
+    const missingDeps = [];
+    for (const [fullName, versionRange] of Object.entries(manifestDeps)) {
+      if (!lockfilePackages[fullName]) {
+        missingDeps.push({ fullName, versionRange });
+      }
+    }
+    if (missingDeps.length > 0) {
       if (options.frozenLockfile) {
         console.error(
-          "Error: No lockfile found. Cannot install with --frozen-lockfile"
+          "Error: Dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
         );
+        console.error("Missing dependencies:");
+        for (const dep of missingDeps) {
+          console.error(`  - ${dep.fullName}@${dep.versionRange}`);
+        }
         process.exit(1);
       }
-      console.log("No lockfile found. Nothing to install.");
-      return;
-    }
-    const skillCount = Object.keys(
-      lockfile.packages ?? lockfile.skills ?? {}
-    ).length;
-    if (skillCount === 0) {
-      console.log("No skills in lockfile. Nothing to install.");
-      return;
-    }
-    console.log(`Installing ${skillCount} skill(s)...
+      console.log(`Resolving ${missingDeps.length} new dependency(ies)...
 `);
-    const packages = lockfile.packages ?? lockfile.skills ?? {};
-    const entries = Object.entries(packages);
-    for (const [fullName, entry] of entries) {
-      const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
-      if (!match) {
-        console.warn(`Warning: Invalid skill name in lockfile: ${fullName}`);
-        continue;
-      }
-      const [, username, name] = match;
-      console.log(`Installing ${fullName}@${entry.version}...`);
-      let tarballBuffer;
-      let fromCache = false;
-      const cachedTarball = await readFromCache(cacheDir, entry.integrity);
-      if (cachedTarball) {
-        tarballBuffer = cachedTarball;
-        fromCache = true;
-      } else {
-        const isPresignedUrl = entry.resolved.includes(".r2.cloudflarestorage.com") || entry.resolved.includes("X-Amz-Signature");
+      configure2({ registryUrl, apiKey: apiKey ?? "" });
+      for (const { fullName, versionRange } of missingDeps) {
+        const parsed = parseSkillSpecifier(fullName);
+        if (!parsed) {
+          console.error(`Error: Invalid dependency specifier: ${fullName}`);
+          continue;
+        }
+        const { username, name } = parsed;
+        console.log(`Resolving ${fullName}@${versionRange}...`);
+        const versionsResponse = await listSkillVersions(username, name);
+        if (versionsResponse.status !== 200) {
+          const errorMessage = extractApiErrorMessage(
+            versionsResponse,
+            `Skill ${fullName} not found`
+          );
+          console.error(`Error: ${errorMessage}`);
+          continue;
+        }
+        const versions = versionsResponse.data;
+        if (versions.length === 0) {
+          console.error(`Error: Skill ${fullName} not found`);
+          continue;
+        }
+        const versionStrings = versions.map(
+          (v) => v.version
+        );
+        const resolved = resolveVersion(versionRange || "*", versionStrings);
+        if (!resolved) {
+          console.error(
+            `Error: No version matching "${versionRange}" for ${fullName}`
+          );
+          continue;
+        }
+        const versionResponse = await getSkillVersion(username, name, resolved);
+        if (versionResponse.status !== 200 || !versionResponse.data) {
+          const errorMessage = extractApiErrorMessage(
+            versionResponse,
+            `Version ${resolved} not found`
+          );
+          console.error(`Error: ${errorMessage}`);
+          continue;
+        }
+        const versionInfo = versionResponse.data;
+        const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
         const downloadHeaders = {};
         if (!isPresignedUrl && apiKey) {
           downloadHeaders.Authorization = `Bearer ${apiKey}`;
         }
-        const response = await fetch(entry.resolved, {
+        const tarballResponse = await fetch(versionInfo.downloadUrl, {
           headers: downloadHeaders,
           redirect: "follow"
         });
-        if (!response.ok) {
-          if (response.status === 401) {
-            if (!apiKey) {
-              console.error(
-                `  Error: ${fullName} requires authentication. Run 'pspm login' first.`
-              );
+        if (!tarballResponse.ok) {
+          console.error(
+            `Error: Failed to download tarball for ${fullName} (${tarballResponse.status})`
+          );
+          continue;
+        }
+        const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
+        const integrity = calculateIntegrity(tarballBuffer);
+        await addToLockfile(fullName, {
+          version: resolved,
+          resolved: versionInfo.downloadUrl,
+          integrity
+        });
+        await writeToCache(cacheDir, integrity, tarballBuffer);
+        console.log(`  Resolved ${fullName}@${resolved}`);
+      }
+      lockfile = await readLockfile();
+    }
+    const missingGitHubDeps = [];
+    for (const [specifier, ref] of Object.entries(manifestGitHubDeps)) {
+      if (!lockfileGitHubPackages[specifier]) {
+        missingGitHubDeps.push({ specifier, ref });
+      }
+    }
+    if (missingGitHubDeps.length > 0) {
+      if (options.frozenLockfile) {
+        console.error(
+          "Error: GitHub dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
+        );
+        console.error("Missing GitHub dependencies:");
+        for (const dep of missingGitHubDeps) {
+          console.error(`  - ${dep.specifier}@${dep.ref}`);
+        }
+        process.exit(1);
+      }
+      console.log(
+        `
+Resolving ${missingGitHubDeps.length} GitHub dependency(ies)...
+`
+      );
+      for (const { specifier, ref } of missingGitHubDeps) {
+        const parsed = parseGitHubSpecifier(specifier);
+        if (!parsed) {
+          console.error(`Error: Invalid GitHub specifier: ${specifier}`);
+          continue;
+        }
+        parsed.ref = parsed.ref || ref;
+        console.log(`Resolving ${getGitHubDisplayName(parsed)}...`);
+        try {
+          const result = await downloadGitHubPackage(parsed);
+          await extractGitHubPackage(parsed, result.buffer, skillsDir);
+          const entry = {
+            version: result.commit.slice(0, 7),
+            resolved: `https://github.com/${parsed.owner}/${parsed.repo}`,
+            integrity: result.integrity,
+            gitCommit: result.commit,
+            gitRef: ref || "HEAD"
+          };
+          await addGitHubToLockfile(specifier, entry);
+          await writeToCache(cacheDir, result.integrity, result.buffer);
+          console.log(
+            `  Resolved ${specifier} (${ref}@${result.commit.slice(0, 7)})`
+          );
+        } catch (error) {
+          if (error instanceof GitHubRateLimitError) {
+            console.error(`Error: ${error.message}`);
+          } else if (error instanceof GitHubPathNotFoundError) {
+            console.error(`Error: ${error.message}`);
+          } else if (error instanceof GitHubNotFoundError) {
+            console.error(`Error: ${error.message}`);
+          } else {
+            const message = error instanceof Error ? error.message : String(error);
+            console.error(`Error resolving ${specifier}: ${message}`);
+          }
+        }
+      }
+      lockfile = await readLockfile();
+    }
+    const manifest = await readManifest();
+    const agentConfigs = manifest?.agents;
+    let agents;
+    if (options.agent) {
+      agents = parseAgentArg(options.agent);
+    } else if (manifest) {
+      agents = parseAgentArg(void 0);
+    } else if (options.yes) {
+      agents = parseAgentArg(void 0);
+    } else {
+      console.log("\nNo pspm.json found. Let's set up your project.\n");
+      agents = await promptForAgents();
+      console.log();
+    }
+    const packages = lockfile?.packages ?? lockfile?.skills ?? {};
+    const packageCount = Object.keys(packages).length;
+    if (packageCount > 0) {
+      console.log(`
+Installing ${packageCount} registry skill(s)...
+`);
+      const entries = Object.entries(packages);
+      for (const [fullName, entry] of entries) {
+        const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
+        if (!match) {
+          console.warn(`Warning: Invalid skill name in lockfile: ${fullName}`);
+          continue;
+        }
+        const [, username, name] = match;
+        console.log(`Installing ${fullName}@${entry.version}...`);
+        let tarballBuffer;
+        let fromCache = false;
+        const cachedTarball = await readFromCache(cacheDir, entry.integrity);
+        if (cachedTarball) {
+          tarballBuffer = cachedTarball;
+          fromCache = true;
+        } else {
+          const isPresignedUrl = entry.resolved.includes(".r2.cloudflarestorage.com") || entry.resolved.includes("X-Amz-Signature");
+          const downloadHeaders = {};
+          if (!isPresignedUrl && apiKey) {
+            downloadHeaders.Authorization = `Bearer ${apiKey}`;
+          }
+          const response = await fetch(entry.resolved, {
+            headers: downloadHeaders,
+            redirect: "follow"
+          });
+          if (!response.ok) {
+            if (response.status === 401) {
+              if (!apiKey) {
+                console.error(
+                  `  Error: ${fullName} requires authentication. Run 'pspm login' first.`
+                );
+              } else {
+                console.error(
+                  `  Error: Access denied to ${fullName}. You may not have permission to access this private package.`
+                );
+              }
             } else {
               console.error(
-                `  Error: Access denied to ${fullName}. You may not have permission to access this private package.`
+                `  Error: Failed to download ${fullName} (${response.status})`
               );
             }
-          } else {
+            continue;
+          }
+          tarballBuffer = Buffer.from(await response.arrayBuffer());
+          const actualIntegrity = `sha256-${createHash("sha256").update(tarballBuffer).digest("base64")}`;
+          if (actualIntegrity !== entry.integrity) {
             console.error(
-              `  Error: Failed to download ${fullName} (${response.status})`
+              `  Error: Checksum verification failed for ${fullName}`
             );
+            if (options.frozenLockfile) {
+              process.exit(1);
+            }
+            continue;
           }
-          continue;
+          await writeToCache(cacheDir, entry.integrity, tarballBuffer);
         }
-        tarballBuffer = Buffer.from(await response.arrayBuffer());
-        const actualIntegrity = `sha256-${createHash("sha256").update(tarballBuffer).digest("base64")}`;
-        if (actualIntegrity !== entry.integrity) {
-          console.error(
-            `  Error: Checksum verification failed for ${fullName}`
+        const destDir = join(skillsDir, username, name);
+        await rm(destDir, { recursive: true, force: true });
+        await mkdir(destDir, { recursive: true });
+        const tempFile = join(destDir, ".temp.tgz");
+        await writeFile(tempFile, tarballBuffer);
+        const { exec: exec2 } = await import('child_process');
+        const { promisify: promisify2 } = await import('util');
+        const execAsync = promisify2(exec2);
+        try {
+          await execAsync(
+            `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
+          );
+        } finally {
+          await rm(tempFile, { force: true });
+        }
+        console.log(
+          `  Installed to ${destDir}${fromCache ? " (from cache)" : ""}`
+        );
+        installedSkills.push({
+          name,
+          sourcePath: getRegistrySkillPath(username, name)
+        });
+      }
+    }
+    const githubPackages = lockfile?.githubPackages ?? {};
+    const githubCount = Object.keys(githubPackages).length;
+    if (githubCount > 0) {
+      console.log(`
+Installing ${githubCount} GitHub skill(s)...
+`);
+      for (const [specifier, entry] of Object.entries(githubPackages)) {
+        const parsed = parseGitHubSpecifier(specifier);
+        if (!parsed) {
+          console.warn(
+            `Warning: Invalid GitHub specifier in lockfile: ${specifier}`
           );
-          if (options.frozenLockfile) {
-            process.exit(1);
-          }
           continue;
         }
-        await writeToCache(cacheDir, entry.integrity, tarballBuffer);
-      }
-      const destDir = join(skillsDir, username, name);
-      await rm(destDir, { recursive: true, force: true });
-      await mkdir(destDir, { recursive: true });
-      const tempFile = join(destDir, ".temp.tgz");
-      await writeFile(tempFile, tarballBuffer);
-      const { exec: exec2 } = await import('child_process');
-      const { promisify: promisify2 } = await import('util');
-      const execAsync = promisify2(exec2);
-      try {
-        await execAsync(
-          `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
+        const ghEntry = entry;
+        console.log(
+          `Installing ${specifier} (${ghEntry.gitRef}@${ghEntry.gitCommit.slice(0, 7)})...`
+        );
+        let tarballBuffer;
+        let fromCache = false;
+        const cachedTarball = await readFromCache(cacheDir, ghEntry.integrity);
+        if (cachedTarball) {
+          tarballBuffer = cachedTarball;
+          fromCache = true;
+        } else {
+          try {
+            const specWithCommit = { ...parsed, ref: ghEntry.gitCommit };
+            const result = await downloadGitHubPackage(specWithCommit);
+            tarballBuffer = result.buffer;
+            if (result.integrity !== ghEntry.integrity) {
+              console.error(
+                `  Error: Checksum verification failed for ${specifier}`
+              );
+              if (options.frozenLockfile) {
+                process.exit(1);
+              }
+              continue;
+            }
+            await writeToCache(cacheDir, ghEntry.integrity, tarballBuffer);
+          } catch (error) {
+            if (error instanceof GitHubRateLimitError) {
+              console.error(`  Error: ${error.message}`);
+            } else if (error instanceof GitHubPathNotFoundError) {
+              console.error(`  Error: ${error.message}`);
+            } else if (error instanceof GitHubNotFoundError) {
+              console.error(`  Error: ${error.message}`);
+            } else {
+              const message = error instanceof Error ? error.message : String(error);
+              console.error(`  Error downloading ${specifier}: ${message}`);
+            }
+            continue;
+          }
+        }
+        try {
+          const destPath = await extractGitHubPackage(
+            parsed,
+            tarballBuffer,
+            skillsDir
+          );
+          console.log(
+            `  Installed to ${destPath}${fromCache ? " (from cache)" : ""}`
+          );
+          const skillName = getGitHubSkillName(parsed);
+          installedSkills.push({
+            name: skillName,
+            sourcePath: getGitHubSkillPath(
+              parsed.owner,
+              parsed.repo,
+              parsed.path
+            )
+          });
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          console.error(`  Error extracting ${specifier}: ${message}`);
+        }
+      }
+    }
+    if (installedSkills.length > 0 && agents[0] !== "none") {
+      console.log(`
+Creating symlinks for agent(s): ${agents.join(", ")}...`);
+      await createAgentSymlinks(installedSkills, {
+        agents,
+        projectRoot: process.cwd(),
+        agentConfigs
+      });
+      console.log("  Symlinks created.");
+    }
+    const totalCount = packageCount + githubCount;
+    if (totalCount === 0) {
+      console.log("No skills to install.");
+    } else {
+      console.log(`
+All ${totalCount} skill(s) installed.`);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+
+// src/commands/link.ts
+init_src();
+init_agents();
+init_lockfile();
+init_manifest2();
+init_symlinks();
+async function link(options) {
+  try {
+    const manifest = await readManifest();
+    const agentConfigs = manifest?.agents;
+    let agents;
+    if (options.agent) {
+      agents = parseAgentArg(options.agent);
+    } else if (manifest) {
+      agents = parseAgentArg(void 0);
+    } else if (options.yes) {
+      agents = parseAgentArg(void 0);
+    } else {
+      console.log("No pspm.json found. Let's set up your project.\n");
+      agents = await promptForAgents();
+    }
+    if (agents.length === 1 && agents[0] === "none") {
+      console.log("Skipping symlink creation (--agent none)");
+      return;
+    }
+    const skills = [];
+    const registrySkills = await listLockfileSkills();
+    for (const { name } of registrySkills) {
+      const parsed = parseSkillSpecifier(name);
+      if (!parsed) {
+        console.warn(`Warning: Invalid skill name in lockfile: ${name}`);
+        continue;
+      }
+      skills.push({
+        name: parsed.name,
+        sourcePath: getRegistrySkillPath(parsed.username, parsed.name)
+      });
+    }
+    const githubSkills = await listLockfileGitHubPackages();
+    for (const { specifier } of githubSkills) {
+      const parsed = parseGitHubSpecifier(specifier);
+      if (!parsed) {
+        console.warn(
+          `Warning: Invalid GitHub specifier in lockfile: ${specifier}`
         );
-      } finally {
-        await rm(tempFile, { force: true });
+        continue;
       }
-      console.log(
-        `  Installed to ${destDir}${fromCache ? " (from cache)" : ""}`
-      );
+      const skillName = getGitHubSkillName(parsed);
+      skills.push({
+        name: skillName,
+        sourcePath: getGitHubSkillPath(parsed.owner, parsed.repo, parsed.path)
+      });
+    }
+    if (skills.length === 0) {
+      console.log("No skills found in lockfile. Nothing to link.");
+      return;
+    }
+    console.log(
+      `Creating symlinks for ${skills.length} skill(s) to agent(s): ${agents.join(", ")}...`
+    );
+    await createAgentSymlinks(skills, {
+      agents,
+      projectRoot: process.cwd(),
+      agentConfigs
+    });
+    console.log("Symlinks created successfully.");
+    console.log("\nLinked skills:");
+    for (const skill of skills) {
+      console.log(`  ${skill.name} -> ${skill.sourcePath}`);
     }
-    console.log(`
-All ${skillCount} skill(s) installed.`);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     console.error(`Error: ${message}`);
     process.exit(1);
   }
 }
+
+// src/commands/list.ts
+init_src();
+init_agents();
+init_lockfile();
+init_manifest2();
+init_symlinks();
 async function list(options) {
   try {
-    const skills = await listLockfileSkills();
+    const registrySkills = await listLockfileSkills();
+    const githubSkills = await listLockfileGitHubPackages();
+    const manifest = await readManifest();
+    const agentConfigs = manifest?.agents;
+    const availableAgents = getAvailableAgents(agentConfigs);
+    const projectRoot = process.cwd();
+    const skills = [];
+    for (const { name: fullName, entry } of registrySkills) {
+      const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
+      if (!match) continue;
+      const [, username, skillName] = match;
+      const sourcePath = getRegistrySkillPath(username, skillName);
+      const absolutePath = join(projectRoot, sourcePath);
+      let status = "installed";
+      try {
+        await access$1(absolutePath);
+      } catch {
+        status = "missing";
+      }
+      const linkedAgents = await getLinkedAgents(
+        skillName,
+        availableAgents,
+        projectRoot,
+        agentConfigs
+      );
+      skills.push({
+        name: skillName,
+        fullName,
+        version: entry.version,
+        source: "registry",
+        sourcePath,
+        status,
+        linkedAgents
+      });
+    }
+    for (const { specifier, entry } of githubSkills) {
+      const parsed = parseGitHubSpecifier(specifier);
+      if (!parsed) continue;
+      const ghEntry = entry;
+      const skillName = getGitHubSkillName(parsed);
+      const sourcePath = getGitHubSkillPath(
+        parsed.owner,
+        parsed.repo,
+        parsed.path
+      );
+      const absolutePath = join(projectRoot, sourcePath);
+      let status = "installed";
+      try {
+        await access$1(absolutePath);
+      } catch {
+        status = "missing";
+      }
+      const linkedAgents = await getLinkedAgents(
+        skillName,
+        availableAgents,
+        projectRoot,
+        agentConfigs
+      );
+      skills.push({
+        name: skillName,
+        fullName: specifier,
+        version: ghEntry.gitCommit.slice(0, 7),
+        source: "github",
+        sourcePath,
+        status,
+        linkedAgents,
+        gitRef: ghEntry.gitRef,
+        gitCommit: ghEntry.gitCommit
+      });
+    }
     if (skills.length === 0) {
       console.log("No skills installed.");
       return;
@@ -1313,32 +2628,43 @@ async function list(options) {
       console.log(JSON.stringify(skills, null, 2));
       return;
     }
-    const skillsDir = getSkillsDir();
     console.log("Installed skills:\n");
-    for (const { name, entry } of skills) {
-      const match = name.match(/^@user\/([^/]+)\/([^/]+)$/);
-      if (!match) continue;
-      const [, username, skillName] = match;
-      const skillPath = join(skillsDir, username, skillName);
-      let status = "installed";
-      try {
-        await access$1(skillPath);
-      } catch {
-        status = "missing";
+    for (const skill of skills) {
+      if (skill.source === "registry") {
+        console.log(`  ${skill.fullName}@${skill.version} (registry)`);
+      } else {
+        const refInfo = skill.gitRef ? `${skill.gitRef}@${skill.gitCommit?.slice(0, 7)}` : skill.version;
+        console.log(`  ${skill.fullName} (${refInfo})`);
       }
-      console.log(`  ${name}@${entry.version}`);
-      if (status === "missing") {
+      if (skill.status === "missing") {
         console.log(`    Status: MISSING (run 'pspm install' to restore)`);
       }
+      if (skill.linkedAgents.length > 0) {
+        for (const agent of skill.linkedAgents) {
+          const config2 = resolveAgentConfig(agent, agentConfigs);
+          if (config2) {
+            console.log(`    -> ${config2.skillsDir}/${skill.name}`);
+          }
+        }
+      }
     }
+    const registryCount = skills.filter((s) => s.source === "registry").length;
+    const githubCount = skills.filter((s) => s.source === "github").length;
+    const parts = [];
+    if (registryCount > 0) parts.push(`${registryCount} registry`);
+    if (githubCount > 0) parts.push(`${githubCount} github`);
     console.log(`
-Total: ${skills.length} skill(s)`);
+Total: ${skills.length} skill(s) (${parts.join(", ")})`);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     console.error(`Error: ${message}`);
     process.exit(1);
   }
 }
+
+// src/commands/login.ts
+init_api_client();
+init_config();
 var DEFAULT_WEB_APP_URL = "https://pspm.dev";
 function getWebAppUrl(registryUrl) {
   if (process.env.PSPM_WEB_URL) {
@@ -1516,6 +2842,7 @@ async function login(options) {
 }
 
 // src/commands/logout.ts
+init_config();
 async function logout() {
   try {
     const loggedIn = await isLoggedIn();
@@ -1531,6 +2858,10 @@ async function logout() {
     process.exit(1);
   }
 }
+
+// src/commands/migrate.ts
+init_config();
+init_lockfile();
 async function migrate(options) {
   try {
     const legacySkillsDir = getLegacySkillsDir();
@@ -1630,6 +2961,12 @@ async function migrate(options) {
     process.exit(1);
   }
 }
+
+// src/commands/publish.ts
+init_src();
+init_api_client();
+init_config();
+init_errors();
 var exec = promisify(exec$1);
 async function detectManifest() {
   const cwd = process.cwd();
@@ -1835,63 +3172,119 @@ Setting visibility to ${options.access}...`);
     process.exit(1);
   }
 }
+
+// src/commands/remove.ts
+init_src();
+init_agents();
+init_config();
+init_lockfile();
+init_manifest2();
+init_symlinks();
 async function remove(nameOrSpecifier) {
   try {
-    await requireApiKey();
-    let fullName;
-    let username;
-    let name;
-    if (nameOrSpecifier.startsWith("@user/")) {
-      const match = nameOrSpecifier.match(/^@user\/([^/]+)\/([^@/]+)/);
-      if (!match) {
-        console.error(`Error: Invalid skill specifier: ${nameOrSpecifier}`);
-        process.exit(1);
-      }
-      fullName = `@user/${match[1]}/${match[2]}`;
-      username = match[1];
-      name = match[2];
+    const manifest = await readManifest();
+    const agentConfigs = manifest?.agents;
+    const agents = getAvailableAgents(agentConfigs);
+    if (isGitHubSpecifier(nameOrSpecifier)) {
+      await removeGitHub(nameOrSpecifier, agents, agentConfigs);
+    } else if (nameOrSpecifier.startsWith("@user/")) {
+      await removeRegistry(nameOrSpecifier, agents, agentConfigs);
     } else {
-      const skills = await listLockfileSkills();
-      const found = skills.find((s) => {
-        const match2 = s.name.match(/^@user\/([^/]+)\/([^/]+)$/);
-        return match2 && match2[2] === nameOrSpecifier;
-      });
-      if (!found) {
-        console.error(
-          `Error: Skill "${nameOrSpecifier}" not found in lockfile`
-        );
-        process.exit(1);
-      }
-      fullName = found.name;
-      const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
-      if (!match) {
-        console.error(`Error: Invalid skill name in lockfile: ${fullName}`);
-        process.exit(1);
-      }
-      username = match[1];
-      name = match[2];
-    }
-    console.log(`Removing ${fullName}...`);
-    const removed = await removeFromLockfile(fullName);
-    if (!removed) {
-      console.error(`Error: ${fullName} not found in lockfile`);
-      process.exit(1);
-    }
-    const skillsDir = getSkillsDir();
-    const destDir = join(skillsDir, username, name);
-    try {
-      await rm(destDir, { recursive: true, force: true });
-    } catch {
+      await removeByShortName(nameOrSpecifier, agents, agentConfigs);
     }
-    console.log(`Removed ${fullName}`);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     console.error(`Error: ${message}`);
     process.exit(1);
   }
 }
+async function removeRegistry(specifier, agents, agentConfigs) {
+  const match = specifier.match(/^@user\/([^/]+)\/([^@/]+)/);
+  if (!match) {
+    console.error(`Error: Invalid skill specifier: ${specifier}`);
+    process.exit(1);
+  }
+  const fullName = `@user/${match[1]}/${match[2]}`;
+  const username = match[1];
+  const name = match[2];
+  console.log(`Removing ${fullName}...`);
+  const removedFromLockfile = await removeFromLockfile(fullName);
+  const removedFromManifest = await removeDependency(fullName);
+  if (!removedFromLockfile && !removedFromManifest) {
+    console.error(`Error: ${fullName} not found in lockfile or pspm.json`);
+    process.exit(1);
+  }
+  await removeAgentSymlinks(name, {
+    agents,
+    projectRoot: process.cwd(),
+    agentConfigs
+  });
+  const skillsDir = getSkillsDir();
+  const destDir = join(skillsDir, username, name);
+  try {
+    await rm(destDir, { recursive: true, force: true });
+  } catch {
+  }
+  console.log(`Removed ${fullName}`);
+}
+async function removeGitHub(specifier, agents, agentConfigs) {
+  const parsed = parseGitHubSpecifier(specifier);
+  if (!parsed) {
+    console.error(`Error: Invalid GitHub specifier: ${specifier}`);
+    process.exit(1);
+  }
+  const lockfileKey = parsed.path ? `github:${parsed.owner}/${parsed.repo}/${parsed.path}` : `github:${parsed.owner}/${parsed.repo}`;
+  console.log(`Removing ${lockfileKey}...`);
+  const removedFromLockfile = await removeGitHubFromLockfile(lockfileKey);
+  const removedFromManifest = await removeGitHubDependency(lockfileKey);
+  if (!removedFromLockfile && !removedFromManifest) {
+    console.error(`Error: ${lockfileKey} not found in lockfile or pspm.json`);
+    process.exit(1);
+  }
+  const skillName = getGitHubSkillName(parsed);
+  await removeAgentSymlinks(skillName, {
+    agents,
+    projectRoot: process.cwd(),
+    agentConfigs
+  });
+  const skillsDir = getSkillsDir();
+  const destPath = getGitHubSkillPath(parsed.owner, parsed.repo, parsed.path);
+  const destDir = join(skillsDir, "..", destPath);
+  try {
+    await rm(destDir, { recursive: true, force: true });
+  } catch {
+  }
+  console.log(`Removed ${lockfileKey}`);
+}
+async function removeByShortName(shortName, agents, agentConfigs) {
+  const registrySkills = await listLockfileSkills();
+  const foundRegistry = registrySkills.find((s) => {
+    const match = s.name.match(/^@user\/([^/]+)\/([^/]+)$/);
+    return match && match[2] === shortName;
+  });
+  if (foundRegistry) {
+    await removeRegistry(foundRegistry.name, agents, agentConfigs);
+    return;
+  }
+  const githubSkills = await listLockfileGitHubPackages();
+  const foundGitHub = githubSkills.find((s) => {
+    const parsed = parseGitHubSpecifier(s.specifier);
+    if (!parsed) return false;
+    return getGitHubSkillName(parsed) === shortName;
+  });
+  if (foundGitHub) {
+    await removeGitHub(foundGitHub.specifier, agents, agentConfigs);
+    return;
+  }
+  console.error(`Error: Skill "${shortName}" not found in lockfile`);
+  process.exit(1);
+}
 
 // src/commands/unpublish.ts
+init_src();
+init_api_client();
+init_config();
+init_errors();
 async function unpublish(specifier, options) {
   try {
     const apiKey = await requireApiKey();
@@ -1950,6 +3343,12 @@ async function unpublish(specifier, options) {
 }
 
 // src/commands/update.ts
+init_src();
+init_api_client();
+init_config();
+init_errors();
+init_lockfile();
+init_add();
 async function update(options) {
   try {
     const apiKey = await requireApiKey();
@@ -2011,7 +3410,7 @@ async function update(options) {
       if (!match) continue;
       const [, username, skillName] = match;
       const specifier = `@user/${username}/${skillName}@${latest}`;
-      await add(specifier, {});
+      await add([specifier], {});
     }
     console.log("\nAll skills updated.");
   } catch (error) {
@@ -2022,6 +3421,8 @@ async function update(options) {
 }
 
 // src/commands/whoami.ts
+init_api_client();
+init_config();
 async function whoami() {
   try {
     const resolved = await resolveConfig();
@@ -2075,12 +3476,13 @@ program.command("logout").description("Log out and clear stored credentials").ac
 program.command("whoami").description("Show current user information").action(async () => {
   await whoami();
 });
-program.command("init").description("Create a new pspm.json manifest in the current directory").option("-n, --name <name>", "Skill name").option("-d, --description <desc>", "Skill description").option("-a, --author <author>", "Author name").option("-y, --yes", "Skip prompts and use defaults").action(async (options) => {
+program.command("init").description("Create a new pspm.json manifest in the current directory").option("-n, --name <name>", "Skill name").option("-d, --description <desc>", "Skill description").option("-a, --author <author>", "Author name").option("-y, --yes", "Skip prompts and use defaults").option("-f, --force", "Overwrite existing pspm.json").action(async (options) => {
   await init({
     name: options.name,
     description: options.description,
     author: options.author,
-    yes: options.yes
+    yes: options.yes,
+    force: options.force
   });
 });
 program.command("migrate").description(
@@ -2088,8 +3490,17 @@ program.command("migrate").description(
 ).option("--dry-run", "Show what would be migrated without making changes").action(async (options) => {
   await migrate({ dryRun: options.dryRun });
 });
-program.command("add <specifier>").description("Add a skill (e.g., @user/bsheng/vite_slides@^2.0.0)").option("--save", "Save to lockfile (default)").action(async (specifier, options) => {
-  await add(specifier, { save: options.save ?? true });
+program.command("add <specifiers...>").description(
+  "Add one or more skills (e.g., @user/bsheng/vite_slides@^2.0.0 or github:owner/repo/path@ref)"
+).option("--save", "Save to lockfile (default)").option(
+  "--agent <agents>",
+  'Comma-separated agents for symlinks (default: all agents, use "none" to skip)'
+).option("-y, --yes", "Skip agent selection prompt and use defaults").action(async (specifiers, options) => {
+  await add(specifiers, {
+    save: options.save ?? true,
+    agent: options.agent,
+    yes: options.yes
+  });
 });
 program.command("remove <name>").alias("rm").description("Remove an installed skill").action(async (name) => {
   await remove(name);
@@ -2097,12 +3508,25 @@ program.command("remove <name>").alias("rm").description("Remove an installed sk
 program.command("list").alias("ls").description("List installed skills").option("--json", "Output as JSON").action(async (options) => {
   await list({ json: options.json });
 });
-program.command("install").alias("i").description("Install all skills from lockfile").option("--frozen-lockfile", "Fail if lockfile is missing or outdated").option("--dir <path>", "Install skills to a specific directory").action(async (options) => {
-  await install({
+program.command("install [specifiers...]").alias("i").description(
+  "Install skills from lockfile, or add and install specific packages"
+).option("--frozen-lockfile", "Fail if lockfile is missing or outdated").option("--dir <path>", "Install skills to a specific directory").option(
+  "--agent <agents>",
+  'Comma-separated agents for symlinks (default: all agents, use "none" to skip)'
+).option("-y, --yes", "Skip agent selection prompt and use defaults").action(async (specifiers, options) => {
+  await install(specifiers, {
     frozenLockfile: options.frozenLockfile,
-    dir: options.dir
+    dir: options.dir,
+    agent: options.agent,
+    yes: options.yes
   });
 });
+program.command("link").description("Recreate agent symlinks without reinstalling").option(
+  "--agent <agents>",
+  'Comma-separated agents for symlinks (default: all agents, use "none" to skip)'
+).option("-y, --yes", "Skip agent selection prompt and use defaults").action(async (options) => {
+  await link({ agent: options.agent, yes: options.yes });
+});
 program.command("update").description("Update all skills to latest compatible versions").option("--dry-run", "Show what would be updated without making changes").action(async (options) => {
   await update({ dryRun: options.dryRun });
 });