npm - @anytio/pspm - Versions diffs - 0.11.0 → 0.12.0 - Mend

@anytio/pspm 0.11.0 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { createHash, randomBytes } from 'crypto';
 import * as semver2 from 'semver';
 import semver2__default from 'semver';
 import { checkbox } from '@inquirer/prompts';
-import { readFileSync } from 'fs';
+import { readFileSync, writeFileSync } from 'fs';
 import { fileURLToPath, URL as URL$1 } from 'url';
 import { Command } from 'commander';
 import { createInterface } from 'readline';
@@ -968,7 +968,9 @@ function validateManifest(manifest) {
   if (!manifest.version) {
     return { valid: false, error: "Manifest must have a 'version' field" };
   }
-  if (!/^[a-z][a-z0-9_-]*$/.test(manifest.name)) {
+  const parts = manifest.name.split("/");
+  const bareName = parts[parts.length - 1];
+  if (!/^[a-z][a-z0-9_-]*$/.test(bareName)) {
     return {
       valid: false,
       error: "Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores"
@@ -3329,103 +3331,615 @@ var init_add = __esm({
   }
 });
-// src/commands/access.ts
-init_api_client();
-init_config();
-init_lib();
-function isLocalSpecifier2(specifier) {
-  return specifier.startsWith("file:") || specifier.startsWith("./") || specifier.startsWith("../");
+// src/commands/install.ts
+var install_exports = {};
+__export(install_exports, {
+  install: () => install
+});
+function getCacheFilePath(cacheDir, integrity) {
+  const match = integrity.match(/^sha256-(.+)$/);
+  if (!match) {
+    throw new Error(`Invalid integrity format: ${integrity}`);
+  }
+  const base64Hash = match[1];
+  const hexHash = Buffer.from(base64Hash, "base64").toString("hex");
+  return join(cacheDir, `sha256-${hexHash}.tgz`);
 }
-async function access(specifier, options) {
+async function readFromCache(cacheDir, integrity) {
   try {
-    const apiKey = await requireApiKey();
-    const registryUrl = await getRegistryUrl();
-    if (options.public && options.private) {
-      console.error("Error: Cannot specify both --public and --private");
-      process.exit(1);
+    const cachePath = getCacheFilePath(cacheDir, integrity);
+    const data = await readFile(cachePath);
+    const actualIntegrity = `sha256-${createHash("sha256").update(data).digest("base64")}`;
+    if (actualIntegrity !== integrity) {
+      await rm(cachePath, { force: true });
+      return null;
     }
-    if (!options.public && !options.private) {
-      console.error("Error: Must specify either --public or --private");
-      process.exit(1);
+    return data;
+  } catch {
+    return null;
+  }
+}
+async function writeToCache(cacheDir, integrity, data) {
+  try {
+    await mkdir(cacheDir, { recursive: true });
+    const cachePath = getCacheFilePath(cacheDir, integrity);
+    await writeFile(cachePath, data);
+  } catch {
+  }
+}
+async function install(specifiers, options) {
+  if (options.global) {
+    const { setGlobalMode: setGlobalMode2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    setGlobalMode2(true);
+  }
+  if (options.list) {
+    const listSpecifiers = await resolveListToSpecifiers(options.list);
+    if (listSpecifiers.length === 0) {
+      console.log("No skills in the list to install.");
+      return;
     }
-    const visibility = options.public ? "public" : "private";
-    let packageName;
-    let packageUsername;
-    if (specifier) {
-      if (isGitHubSpecifier2(specifier)) {
-        const ghSpec = parseGitHubSpecifier2(specifier);
-        if (ghSpec) {
-          console.error(`Error: Cannot change visibility of GitHub packages.`);
-          console.error(
-            `  "${specifier}" is hosted on GitHub, not the PSPM registry.`
-          );
-          console.error(
-            `  Visibility can only be changed for packages published to the registry.`
-          );
-        } else {
-          console.error(`Error: Invalid GitHub specifier "${specifier}".`);
-          console.error(`  Use format: github:{owner}/{repo}[/{path}][@{ref}]`);
-        }
-        process.exit(1);
-      }
-      if (isLocalSpecifier2(specifier)) {
-        console.error(`Error: Cannot change visibility of local packages.`);
-        console.error(
-          `  "${specifier}" is a local directory, not a registry package.`
-        );
-        console.error(
-          `  Visibility can only be changed for packages published to the registry.`
-        );
-        process.exit(1);
+    const allSpecifiers = [...specifiers, ...listSpecifiers];
+    const { add: add2 } = await Promise.resolve().then(() => (init_add(), add_exports));
+    await add2(allSpecifiers, {
+      save: true,
+      agent: options.agent,
+      yes: options.yes,
+      global: options.global
+    });
+    return;
+  }
+  if (specifiers.length > 0) {
+    const { add: add2 } = await Promise.resolve().then(() => (init_add(), add_exports));
+    await add2(specifiers, {
+      save: true,
+      agent: options.agent,
+      yes: options.yes,
+      global: options.global
+    });
+    return;
+  }
+  await installFromLockfile(options);
+}
+async function resolveListToSpecifiers(listSpec) {
+  const match = listSpec.match(/^@(user|org)\/([^/]+)\/([^/]+)$/);
+  if (!match) {
+    console.error(
+      `Error: Invalid list specifier "${listSpec}". Use format: @user/{username}/{list-name} or @org/{orgname}/{list-name}`
+    );
+    process.exit(1);
+  }
+  const [, ownerType, ownerName, listName] = match;
+  const config2 = await resolveConfig();
+  configure2({
+    registryUrl: config2.registryUrl,
+    apiKey: getTokenForRegistry(config2, config2.registryUrl)
+  });
+  console.log(
+    `Fetching skill list @${ownerType}/${ownerName}/${listName}...
+`
+  );
+  const { fetchSkillList: fetchSkillList2 } = await Promise.resolve().then(() => (init_api_client(), api_client_exports));
+  const response = await fetchSkillList2(
+    ownerType,
+    ownerName,
+    listName
+  );
+  if (response.status !== 200 || !response.data) {
+    const errorMsg = response.status === 404 ? `List "@${ownerType}/${ownerName}/${listName}" not found or is private.` : response.error || "Failed to fetch list";
+    console.error(`Error: ${errorMsg}`);
+    process.exit(1);
+  }
+  const list2 = response.data;
+  console.log(
+    `List: ${list2.name}${list2.description ? ` \u2014 ${list2.description}` : ""}`
+  );
+  console.log(`Skills: ${list2.items.length}
+`);
+  const specifiers = [];
+  for (const item of list2.items) {
+    const ns = item.namespace === "org" ? "org" : "user";
+    let spec = `@${ns}/${item.ownerName}/${item.skillName}`;
+    if (item.pinnedVersion) {
+      spec += `@${item.pinnedVersion}`;
+    }
+    specifiers.push(spec);
+  }
+  return specifiers;
+}
+async function installFromLockfile(options) {
+  try {
+    const config2 = await resolveConfig();
+    const registryUrl = config2.registryUrl;
+    const apiKey = getTokenForRegistry(config2, registryUrl);
+    const skillsDir = options.dir || getSkillsDir();
+    const cacheDir = getCacheDir();
+    await migrateLockfileIfNeeded();
+    let lockfile = await readLockfile();
+    const manifestDeps = await getDependencies();
+    const manifestGitHubDeps = await getGitHubDependencies();
+    const lockfilePackages = lockfile?.packages ?? lockfile?.skills ?? {};
+    const lockfileGitHubPackages = lockfile?.githubPackages ?? {};
+    const installedSkills = [];
+    const missingDeps = [];
+    for (const [fullName, versionRange] of Object.entries(manifestDeps)) {
+      if (!lockfilePackages[fullName]) {
+        missingDeps.push({ fullName, versionRange });
       }
-      const parsed = parseRegistrySpecifier2(specifier);
-      if (!parsed) {
-        console.error(`Error: Invalid package specifier "${specifier}".`);
-        console.error(
-          `  Use format: @user/{username}/{name} or @org/{orgname}/{name}`
-        );
-        console.error(``);
-        console.error(`  Examples:`);
-        console.error(`    pspm access @user/myname/my-skill --public`);
+    }
+    if (missingDeps.length > 0) {
+      if (options.frozenLockfile) {
         console.error(
-          `    pspm access --public  (uses current directory's pspm.json)`
+          "Error: Dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
         );
+        console.error("Missing dependencies:");
+        for (const dep of missingDeps) {
+          console.error(`  - ${dep.fullName}@${dep.versionRange}`);
+        }
         process.exit(1);
       }
-      packageName = parsed.name;
-      packageUsername = parsed.owner;
-    } else {
-      const { readFile: readFile10 } = await import('fs/promises');
-      const { join: join18 } = await import('path');
-      let manifest = null;
-      try {
-        const content = await readFile10(
-          join18(process.cwd(), "pspm.json"),
-          "utf-8"
-        );
-        manifest = JSON.parse(content);
-      } catch {
-        try {
-          const content = await readFile10(
-            join18(process.cwd(), "package.json"),
-            "utf-8"
+      console.log(`Resolving ${missingDeps.length} new dependency(ies)...
+`);
+      configure2({ registryUrl, apiKey });
+      for (const { fullName, versionRange } of missingDeps) {
+        const parsed = parseRegistrySpecifier2(fullName);
+        if (!parsed) {
+          console.error(`Error: Invalid dependency specifier: ${fullName}`);
+          continue;
+        }
+        const { owner, name } = parsed;
+        console.log(`Resolving ${fullName}@${versionRange}...`);
+        const versionsResponse = await listSkillVersions(owner, name);
+        if (versionsResponse.status !== 200) {
+          const errorMessage = extractApiErrorMessage(
+            versionsResponse,
+            `Skill ${fullName} not found`
           );
-          manifest = JSON.parse(content);
-        } catch {
+          console.error(`Error: ${errorMessage}`);
+          continue;
+        }
+        const versions = versionsResponse.data;
+        if (versions.length === 0) {
+          console.error(`Error: Skill ${fullName} not found`);
+          continue;
+        }
+        const versionStrings = versions.map(
+          (v) => v.version
+        );
+        const resolved = resolveVersion2(versionRange || "*", versionStrings);
+        if (!resolved) {
           console.error(
-            "Error: No pspm.json or package.json found in current directory"
+            `Error: No version matching "${versionRange}" for ${fullName}`
           );
-          console.error(
-            "Either run this command in a package directory or specify a package name"
+          continue;
+        }
+        const versionResponse = await getSkillVersion(owner, name, resolved);
+        if (versionResponse.status !== 200 || !versionResponse.data) {
+          const errorMessage = extractApiErrorMessage(
+            versionResponse,
+            `Version ${resolved} not found`
           );
-          process.exit(1);
+          console.error(`Error: ${errorMessage}`);
+          continue;
         }
-      }
-      if (!manifest?.name) {
-        console.error("Error: Package manifest is missing 'name' field");
-        process.exit(1);
-      }
-      packageName = manifest.name;
+        const versionInfo = versionResponse.data;
+        const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
+        const downloadHeaders = {};
+        if (!isPresignedUrl && apiKey) {
+          downloadHeaders.Authorization = `Bearer ${apiKey}`;
+        }
+        const tarballResponse = await fetch(versionInfo.downloadUrl, {
+          headers: downloadHeaders,
+          redirect: "follow"
+        });
+        if (!tarballResponse.ok) {
+          console.error(
+            `Error: Failed to download tarball for ${fullName} (${tarballResponse.status})`
+          );
+          continue;
+        }
+        const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
+        const integrity = calculateIntegrity(tarballBuffer);
+        await addToLockfile(fullName, {
+          version: resolved,
+          resolved: versionInfo.downloadUrl,
+          integrity
+        });
+        await writeToCache(cacheDir, integrity, tarballBuffer);
+        console.log(`  Resolved ${fullName}@${resolved}`);
+      }
+      lockfile = await readLockfile();
+    }
+    const missingGitHubDeps = [];
+    for (const [specifier, ref] of Object.entries(manifestGitHubDeps)) {
+      if (!lockfileGitHubPackages[specifier]) {
+        missingGitHubDeps.push({ specifier, ref });
+      }
+    }
+    if (missingGitHubDeps.length > 0) {
+      if (options.frozenLockfile) {
+        console.error(
+          "Error: GitHub dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
+        );
+        console.error("Missing GitHub dependencies:");
+        for (const dep of missingGitHubDeps) {
+          console.error(`  - ${dep.specifier}@${dep.ref}`);
+        }
+        process.exit(1);
+      }
+      console.log(
+        `
+Resolving ${missingGitHubDeps.length} GitHub dependency(ies)...
+`
+      );
+      for (const { specifier, ref } of missingGitHubDeps) {
+        const parsed = parseGitHubSpecifier2(specifier);
+        if (!parsed) {
+          console.error(`Error: Invalid GitHub specifier: ${specifier}`);
+          continue;
+        }
+        parsed.ref = parsed.ref || ref;
+        console.log(`Resolving ${getGitHubDisplayName(parsed)}...`);
+        try {
+          const result = await downloadGitHubPackage(parsed);
+          await extractGitHubPackage(parsed, result.buffer, skillsDir);
+          const entry = {
+            version: result.commit.slice(0, 7),
+            resolved: `https://github.com/${parsed.owner}/${parsed.repo}`,
+            integrity: result.integrity,
+            gitCommit: result.commit,
+            gitRef: ref || "HEAD"
+          };
+          await addGitHubToLockfile(specifier, entry);
+          await writeToCache(cacheDir, result.integrity, result.buffer);
+          console.log(
+            `  Resolved ${specifier} (${ref}@${result.commit.slice(0, 7)})`
+          );
+        } catch (error) {
+          if (error instanceof GitHubRateLimitError) {
+            console.error(`Error: ${error.message}`);
+          } else if (error instanceof GitHubPathNotFoundError) {
+            console.error(`Error: ${error.message}`);
+          } else if (error instanceof GitHubNotFoundError) {
+            console.error(`Error: ${error.message}`);
+          } else {
+            const message = error instanceof Error ? error.message : String(error);
+            console.error(`Error resolving ${specifier}: ${message}`);
+          }
+        }
+      }
+      lockfile = await readLockfile();
+    }
+    const manifest = await readManifest();
+    const agentConfigs = manifest?.agents;
+    let agents;
+    if (options.agent) {
+      agents = parseAgentArg(options.agent);
+    } else if (manifest) {
+      agents = parseAgentArg(void 0);
+    } else if (options.yes) {
+      agents = parseAgentArg(void 0);
+    } else {
+      console.log("\nNo pspm.json found. Let's set up your project.\n");
+      agents = await promptForAgents();
+      console.log();
+    }
+    const packages = lockfile?.packages ?? lockfile?.skills ?? {};
+    const packageCount = Object.keys(packages).length;
+    if (packageCount > 0) {
+      console.log(`
+Installing ${packageCount} registry skill(s)...
+`);
+      const installOrder = computeInstallOrder(packages);
+      const entries = installOrder.filter((name) => packages[name]).map((name) => [name, packages[name]]);
+      for (const [fullName, entry] of entries) {
+        const parsedName = parseRegistrySpecifier2(fullName);
+        if (!parsedName) {
+          console.warn(`Warning: Invalid skill name in lockfile: ${fullName}`);
+          continue;
+        }
+        const { namespace: ns, owner: pkgOwner, name, subname } = parsedName;
+        console.log(`Installing ${fullName}@${entry.version}...`);
+        let tarballBuffer;
+        let fromCache = false;
+        const cachedTarball = await readFromCache(cacheDir, entry.integrity);
+        if (cachedTarball) {
+          tarballBuffer = cachedTarball;
+          fromCache = true;
+        } else {
+          const isPresignedUrl = entry.resolved.includes(".r2.cloudflarestorage.com") || entry.resolved.includes("X-Amz-Signature");
+          const downloadHeaders = {};
+          if (!isPresignedUrl && apiKey) {
+            downloadHeaders.Authorization = `Bearer ${apiKey}`;
+          }
+          const response = await fetch(entry.resolved, {
+            headers: downloadHeaders,
+            redirect: "follow"
+          });
+          if (!response.ok) {
+            if (response.status === 401) {
+              if (!apiKey) {
+                console.error(
+                  `  Error: ${fullName} requires authentication. Run 'pspm login' first.`
+                );
+              } else {
+                console.error(
+                  `  Error: Access denied to ${fullName}. You may not have permission to access this private package.`
+                );
+              }
+            } else {
+              console.error(
+                `  Error: Failed to download ${fullName} (${response.status})`
+              );
+            }
+            continue;
+          }
+          tarballBuffer = Buffer.from(await response.arrayBuffer());
+          const actualIntegrity = `sha256-${createHash("sha256").update(tarballBuffer).digest("base64")}`;
+          if (actualIntegrity !== entry.integrity) {
+            console.error(
+              `  Error: Checksum verification failed for ${fullName}`
+            );
+            if (options.frozenLockfile) {
+              process.exit(1);
+            }
+            continue;
+          }
+          await writeToCache(cacheDir, entry.integrity, tarballBuffer);
+        }
+        const effectiveSkillName = subname ?? name;
+        let destDir;
+        if (ns === "org") {
+          destDir = join(skillsDir, "_org", pkgOwner, effectiveSkillName);
+        } else if (ns === "github" && subname) {
+          destDir = join(
+            skillsDir,
+            "_github-registry",
+            pkgOwner,
+            name,
+            subname
+          );
+        } else {
+          destDir = join(skillsDir, pkgOwner, effectiveSkillName);
+        }
+        await rm(destDir, { recursive: true, force: true });
+        await mkdir(destDir, { recursive: true });
+        const tempFile = join(destDir, ".temp.tgz");
+        await writeFile(tempFile, tarballBuffer);
+        const { exec: exec2 } = await import('child_process');
+        const { promisify: promisify2 } = await import('util');
+        const execAsync = promisify2(exec2);
+        try {
+          await execAsync(
+            `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
+          );
+        } finally {
+          await rm(tempFile, { force: true });
+        }
+        console.log(
+          `  Installed to ${destDir}${fromCache ? " (from cache)" : ""}`
+        );
+        const pathSkillName = ns === "github" && subname ? `${name}/${subname}` : name;
+        installedSkills.push({
+          name: effectiveSkillName,
+          sourcePath: getRegistrySkillPath(ns, pkgOwner, pathSkillName)
+        });
+      }
+    }
+    const githubPackages = lockfile?.githubPackages ?? {};
+    const githubCount = Object.keys(githubPackages).length;
+    if (githubCount > 0) {
+      console.log(`
+Installing ${githubCount} GitHub skill(s)...
+`);
+      for (const [specifier, entry] of Object.entries(githubPackages)) {
+        const parsed = parseGitHubSpecifier2(specifier);
+        if (!parsed) {
+          console.warn(
+            `Warning: Invalid GitHub specifier in lockfile: ${specifier}`
+          );
+          continue;
+        }
+        const ghEntry = entry;
+        console.log(
+          `Installing ${specifier} (${ghEntry.gitRef}@${ghEntry.gitCommit.slice(0, 7)})...`
+        );
+        let tarballBuffer;
+        let fromCache = false;
+        const cachedTarball = await readFromCache(cacheDir, ghEntry.integrity);
+        if (cachedTarball) {
+          tarballBuffer = cachedTarball;
+          fromCache = true;
+        } else {
+          try {
+            const specWithCommit = { ...parsed, ref: ghEntry.gitCommit };
+            const result = await downloadGitHubPackage(specWithCommit);
+            tarballBuffer = result.buffer;
+            if (result.integrity !== ghEntry.integrity) {
+              console.error(
+                `  Error: Checksum verification failed for ${specifier}`
+              );
+              if (options.frozenLockfile) {
+                process.exit(1);
+              }
+              continue;
+            }
+            await writeToCache(cacheDir, ghEntry.integrity, tarballBuffer);
+          } catch (error) {
+            if (error instanceof GitHubRateLimitError) {
+              console.error(`  Error: ${error.message}`);
+            } else if (error instanceof GitHubPathNotFoundError) {
+              console.error(`  Error: ${error.message}`);
+            } else if (error instanceof GitHubNotFoundError) {
+              console.error(`  Error: ${error.message}`);
+            } else {
+              const message = error instanceof Error ? error.message : String(error);
+              console.error(`  Error downloading ${specifier}: ${message}`);
+            }
+            continue;
+          }
+        }
+        try {
+          const destPath = await extractGitHubPackage(
+            parsed,
+            tarballBuffer,
+            skillsDir
+          );
+          console.log(
+            `  Installed to ${destPath}${fromCache ? " (from cache)" : ""}`
+          );
+          const skillName = getGitHubSkillName2(parsed);
+          installedSkills.push({
+            name: skillName,
+            sourcePath: getGitHubSkillPath(
+              parsed.owner,
+              parsed.repo,
+              parsed.path
+            )
+          });
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          console.error(`  Error extracting ${specifier}: ${message}`);
+        }
+      }
+    }
+    if (installedSkills.length > 0 && agents[0] !== "none") {
+      const globalMode = isGlobalMode();
+      console.log(
+        `
+Creating symlinks for agent(s): ${agents.join(", ")}${globalMode ? " (global)" : ""}...`
+      );
+      await createAgentSymlinks(installedSkills, {
+        agents,
+        projectRoot: globalMode ? homedir() : process.cwd(),
+        agentConfigs,
+        global: globalMode
+      });
+      console.log("  Symlinks created.");
+    }
+    const totalCount = packageCount + githubCount;
+    if (totalCount === 0) {
+      console.log("No skills to install.");
+    } else {
+      console.log(`
+All ${totalCount} skill(s) installed.`);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+var init_install = __esm({
+  "src/commands/install.ts"() {
+    init_agents();
+    init_api_client();
+    init_config();
+    init_errors();
+    init_github();
+    init_lib();
+    init_lockfile3();
+    init_manifest3();
+    init_symlinks();
+  }
+});
+// src/commands/access.ts
+init_api_client();
+init_config();
+init_lib();
+function isLocalSpecifier2(specifier) {
+  return specifier.startsWith("file:") || specifier.startsWith("./") || specifier.startsWith("../");
+}
+async function access(specifier, options) {
+  try {
+    const apiKey = await requireApiKey();
+    const registryUrl = await getRegistryUrl();
+    if (options.public && options.private) {
+      console.error("Error: Cannot specify both --public and --private");
+      process.exit(1);
+    }
+    if (!options.public && !options.private) {
+      console.error("Error: Must specify either --public or --private");
+      process.exit(1);
+    }
+    const visibility = options.public ? "public" : "private";
+    let packageName;
+    let packageUsername;
+    if (specifier) {
+      if (isGitHubSpecifier2(specifier)) {
+        const ghSpec = parseGitHubSpecifier2(specifier);
+        if (ghSpec) {
+          console.error(`Error: Cannot change visibility of GitHub packages.`);
+          console.error(
+            `  "${specifier}" is hosted on GitHub, not the PSPM registry.`
+          );
+          console.error(
+            `  Visibility can only be changed for packages published to the registry.`
+          );
+        } else {
+          console.error(`Error: Invalid GitHub specifier "${specifier}".`);
+          console.error(`  Use format: github:{owner}/{repo}[/{path}][@{ref}]`);
+        }
+        process.exit(1);
+      }
+      if (isLocalSpecifier2(specifier)) {
+        console.error(`Error: Cannot change visibility of local packages.`);
+        console.error(
+          `  "${specifier}" is a local directory, not a registry package.`
+        );
+        console.error(
+          `  Visibility can only be changed for packages published to the registry.`
+        );
+        process.exit(1);
+      }
+      const parsed = parseRegistrySpecifier2(specifier);
+      if (!parsed) {
+        console.error(`Error: Invalid package specifier "${specifier}".`);
+        console.error(
+          `  Use format: @user/{username}/{name} or @org/{orgname}/{name}`
+        );
+        console.error(``);
+        console.error(`  Examples:`);
+        console.error(`    pspm access @user/myname/my-skill --public`);
+        console.error(
+          `    pspm access --public  (uses current directory's pspm.json)`
+        );
+        process.exit(1);
+      }
+      packageName = parsed.name;
+      packageUsername = parsed.owner;
+    } else {
+      const { readFile: readFile10 } = await import('fs/promises');
+      const { join: join18 } = await import('path');
+      let manifest = null;
+      try {
+        const content = await readFile10(
+          join18(process.cwd(), "pspm.json"),
+          "utf-8"
+        );
+        manifest = JSON.parse(content);
+      } catch {
+        try {
+          const content = await readFile10(
+            join18(process.cwd(), "package.json"),
+            "utf-8"
+          );
+          manifest = JSON.parse(content);
+        } catch {
+          console.error(
+            "Error: No pspm.json or package.json found in current directory"
+          );
+          console.error(
+            "Either run this command in a package directory or specify a package name"
+          );
+          process.exit(1);
+        }
+      }
+      if (!manifest?.name) {
+        console.error("Error: Package manifest is missing 'name' field");
+        process.exit(1);
+      }
+      packageName = manifest.name;
     }
     if (!packageUsername) {
       const config2 = await resolveConfig();
@@ -3497,7 +4011,6 @@ async function audit(options) {
     }
     const issues = [];
     const skillsDir = getSkillsDir();
-    const projectRoot = process.cwd();
     if (!options.json) {
       console.log("Auditing installed skills...\n");
     }
@@ -3506,7 +4019,7 @@ async function audit(options) {
       const match = fullName.match(/^@user\/([^/]+)\/([^/]+)$/);
       if (!match) continue;
       const [, username, skillName] = match;
-      const destDir = join(projectRoot, skillsDir, username, skillName);
+      const destDir = join(skillsDir, username, skillName);
       const exists = await pathExists(destDir);
       if (!exists) {
         issues.push({
@@ -3542,14 +4055,7 @@ async function audit(options) {
     for (const { specifier } of githubSkills) {
       const parsed = parseGitHubSpecifier2(specifier);
       if (!parsed) continue;
-      const destDir = parsed.path ? join(
-        projectRoot,
-        skillsDir,
-        "_github",
-        parsed.owner,
-        parsed.repo,
-        parsed.path
-      ) : join(projectRoot, skillsDir, "_github", parsed.owner, parsed.repo);
+      const destDir = parsed.path ? join(skillsDir, "_github", parsed.owner, parsed.repo, parsed.path) : join(skillsDir, "_github", parsed.owner, parsed.repo);
       const exists = await pathExists(destDir);
       if (!exists) {
         issues.push({
@@ -3576,7 +4082,6 @@ async function audit(options) {
     for (const { specifier, entry } of wellKnownSkills) {
       const wkEntry = entry;
       const destDir = join(
-        projectRoot,
         skillsDir,
         "_wellknown",
         wkEntry.hostname,
@@ -3637,383 +4142,92 @@ async function audit(options) {
         console.log(`    ${issue.message}`);
       }
       console.log();
-    }
-    if (warnings.length > 0) {
-      console.log("Warnings:");
-      for (const issue of warnings) {
-        console.log(
-          `  [${issue.type.toUpperCase()}] ${issue.name} (${issue.source})`
-        );
-        console.log(`    ${issue.message}`);
-      }
-      console.log();
-    }
-    const totalPackages = registrySkills.length + githubSkills.length + wellKnownSkills.length;
-    console.log(
-      `Audited ${totalPackages} package(s): ${errorCount} error(s), ${warningCount} warning(s).`
-    );
-    if (errorCount > 0) {
-      process.exit(1);
-    }
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${message}`);
-    process.exit(1);
-  }
-}
-async function pathExists(path) {
-  try {
-    await stat(path);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function configInit(options) {
-  try {
-    const configPath = join(process.cwd(), ".pspmrc");
-    try {
-      await stat(configPath);
-      console.error("Error: .pspmrc already exists in this directory.");
-      process.exit(1);
-    } catch {
-    }
-    const lines = ["; Project-specific PSPM configuration", ""];
-    if (options.registry) {
-      lines.push(`registry = ${options.registry}`);
-    } else {
-      lines.push("; Uncomment to use a custom registry:");
-      lines.push("; registry = https://custom-registry.example.com");
-    }
-    lines.push("");
-    await writeFile(configPath, lines.join("\n"));
-    console.log("Created .pspmrc");
-    console.log("");
-    console.log("Contents:");
-    console.log(lines.join("\n"));
-    console.log("Note: .pspmrc should be committed to version control.");
-    console.log("API keys should NOT be stored here - use pspm login instead.");
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${message}`);
-    process.exit(1);
-  }
-}
-// src/commands/config/show.ts
-init_config();
-async function configShow() {
-  try {
-    const resolved = await resolveConfig();
-    const projectConfig = await findProjectConfig();
-    const configPath = getConfigPath();
-    console.log("Resolved Configuration:\n");
-    console.log(`  Registry URL:   ${resolved.registryUrl}`);
-    console.log(`  API Key:        ${resolved.apiKey ? "***" : "(not set)"}`);
-    console.log(`  Username:       ${resolved.username || "(not set)"}`);
-    console.log("");
-    console.log("Config Locations:");
-    console.log(`  User config:    ${configPath}`);
-    console.log(`  Project config: ${projectConfig ? ".pspmrc" : "(none)"}`);
-    console.log("");
-    console.log("Environment Variables:");
-    console.log(
-      `  PSPM_REGISTRY_URL: ${process.env.PSPM_REGISTRY_URL || "(not set)"}`
-    );
-    console.log(
-      `  PSPM_API_KEY:      ${process.env.PSPM_API_KEY ? "***" : "(not set)"}`
-    );
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${message}`);
-    process.exit(1);
-  }
-}
-// src/commands/deprecate.ts
-init_api_client();
-init_config();
-init_lib();
-async function deprecate(specifier, message, options) {
-  try {
-    const apiKey = await requireApiKey();
-    const registryUrl = await getRegistryUrl();
-    const parsed = parseRegistrySpecifier2(specifier);
-    if (!parsed) {
-      console.error(
-        `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}@{version} or @org/{orgname}/{name}@{version}`
-      );
-      process.exit(1);
-    }
-    const { owner, name, versionRange } = parsed;
-    const fullName = generateRegistryIdentifier2({
-      namespace: parsed.namespace,
-      owner,
-      name
-    });
-    if (!versionRange) {
-      console.error(
-        "Error: Version is required for deprecation. Use format: @user/{username}/{name}@{version}"
-      );
-      process.exit(1);
-    }
-    configure2({ registryUrl, apiKey });
-    if (options.undo) {
-      console.log(`Removing deprecation from ${fullName}@${versionRange}...`);
-      const response = await undeprecateSkillVersion(owner, name, versionRange);
-      if (response.status !== 200) {
-        console.error(
-          `Error: ${response.error || "Failed to remove deprecation"}`
-        );
-        process.exit(1);
-      }
-      console.log(`Removed deprecation from ${fullName}@${versionRange}`);
-    } else {
-      if (!message) {
-        console.error(
-          "Error: Deprecation message is required. Usage: pspm deprecate <specifier> <message>"
-        );
-        process.exit(1);
-      }
-      console.log(`Deprecating ${fullName}@${versionRange}...`);
-      const response = await deprecateSkillVersion(
-        owner,
-        name,
-        versionRange,
-        message
-      );
-      if (response.status !== 200) {
-        console.error(
-          `Error: ${response.error || "Failed to deprecate version"}`
+    }
+    if (warnings.length > 0) {
+      console.log("Warnings:");
+      for (const issue of warnings) {
+        console.log(
+          `  [${issue.type.toUpperCase()}] ${issue.name} (${issue.source})`
         );
-        process.exit(1);
+        console.log(`    ${issue.message}`);
       }
-      console.log(`Deprecated ${fullName}@${versionRange}`);
-      console.log(`Message: ${message}`);
-      console.log("");
-      console.log(
-        "Users installing this version will see a deprecation warning."
-      );
-      console.log("The package is still available for download.");
+      console.log();
+    }
+    const totalPackages = registrySkills.length + githubSkills.length + wellKnownSkills.length;
+    console.log(
+      `Audited ${totalPackages} package(s): ${errorCount} error(s), ${warningCount} warning(s).`
+    );
+    if (errorCount > 0) {
+      process.exit(1);
     }
   } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${errorMessage}`);
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
     process.exit(1);
   }
 }
-// src/commands/init.ts
-init_lib();
-function prompt(rl, question, defaultValue) {
-  return new Promise((resolve2) => {
-    const displayDefault = defaultValue ? ` (${defaultValue})` : "";
-    rl.question(`${question}${displayDefault} `, (answer) => {
-      resolve2(answer.trim() || defaultValue);
-    });
-  });
-}
-async function readExistingPackageJson() {
-  try {
-    const content = await readFile(
-      join(process.cwd(), "package.json"),
-      "utf-8"
-    );
-    const pkg = JSON.parse(content);
-    return {
-      name: pkg.name,
-      version: pkg.version,
-      description: pkg.description,
-      author: typeof pkg.author === "string" ? pkg.author : pkg.author?.name,
-      license: pkg.license
-    };
-  } catch {
-    return null;
-  }
-}
-async function getGitAuthor() {
+async function pathExists(path) {
   try {
-    const { exec: exec2 } = await import('child_process');
-    const { promisify: promisify2 } = await import('util');
-    const execAsync = promisify2(exec2);
-    const [nameResult, emailResult] = await Promise.all([
-      execAsync("git config user.name").catch(() => ({ stdout: "" })),
-      execAsync("git config user.email").catch(() => ({ stdout: "" }))
-    ]);
-    const name = nameResult.stdout.trim();
-    const email = emailResult.stdout.trim();
-    if (name && email) {
-      return `${name} <${email}>`;
-    }
-    if (name) {
-      return name;
-    }
-    return null;
+    await stat(path);
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
-function sanitizeName(name) {
-  const withoutScope = name.replace(/^@[^/]+\//, "");
-  return withoutScope.toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+|-+$/g, "").replace(/-+/g, "-");
-}
-function isValidName(name) {
-  return /^[a-z][a-z0-9_-]*$/.test(name);
-}
-function isValidVersion(version3) {
-  return /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/.test(version3);
-}
-async function init(options) {
+async function configInit(options) {
   try {
-    const pspmJsonPath = join(process.cwd(), "pspm.json");
-    let exists = false;
+    const configPath = join(process.cwd(), ".pspmrc");
     try {
-      await stat(pspmJsonPath);
-      exists = true;
-    } catch {
-    }
-    if (exists && !options.force) {
-      console.error("Error: pspm.json already exists in this directory.");
-      console.error("Use --force to overwrite.");
+      await stat(configPath);
+      console.error("Error: .pspmrc already exists in this directory.");
       process.exit(1);
+    } catch {
     }
-    const existingPkg = await readExistingPackageJson();
-    const gitAuthor = await getGitAuthor();
-    const defaultName = sanitizeName(
-      options.name || existingPkg?.name || basename(process.cwd())
-    );
-    const defaultVersion = existingPkg?.version || "0.1.0";
-    const defaultDescription = options.description || existingPkg?.description || "";
-    const defaultAuthor = options.author || existingPkg?.author || gitAuthor || "";
-    const defaultLicense = existingPkg?.license || "MIT";
-    const defaultMain = "SKILL.md";
-    const defaultCapabilities = "";
-    let manifest;
-    if (options.yes) {
-      manifest = {
-        $schema: PSPM_SCHEMA_URL,
-        name: defaultName,
-        version: defaultVersion,
-        description: defaultDescription || void 0,
-        author: defaultAuthor || void 0,
-        license: defaultLicense,
-        type: "skill",
-        capabilities: [],
-        main: defaultMain,
-        requirements: {
-          pspm: ">=0.1.0"
-        },
-        files: [...DEFAULT_SKILL_FILES],
-        dependencies: {},
-        private: false
-      };
+    const lines = ["; Project-specific PSPM configuration", ""];
+    if (options.registry) {
+      lines.push(`registry = ${options.registry}`);
     } else {
-      console.log(
-        "This utility will walk you through creating a pspm.json file."
-      );
-      console.log(
-        "It only covers the most common items, and tries to guess sensible defaults."
-      );
-      console.log("");
-      console.log(
-        "See `pspm init --help` for definitive documentation on these fields"
-      );
-      console.log("and exactly what they do.");
-      console.log("");
-      console.log("Press ^C at any time to quit.");
-      const rl = createInterface({
-        input: process.stdin,
-        output: process.stdout
-      });
-      try {
-        let name = await prompt(rl, "skill name:", defaultName);
-        while (!isValidName(name)) {
-          console.log(
-            "  Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores."
-          );
-          name = await prompt(rl, "skill name:", sanitizeName(name));
-        }
-        let version3 = await prompt(rl, "version:", defaultVersion);
-        while (!isValidVersion(version3)) {
-          console.log("  Version must be valid semver (e.g., 1.0.0)");
-          version3 = await prompt(rl, "version:", "0.1.0");
-        }
-        const description = await prompt(
-          rl,
-          "description:",
-          defaultDescription
-        );
-        const main = await prompt(rl, "entry point:", defaultMain);
-        const capabilitiesStr = await prompt(
-          rl,
-          "capabilities (comma-separated):",
-          defaultCapabilities
-        );
-        const author = await prompt(rl, "author:", defaultAuthor);
-        const license = await prompt(rl, "license:", defaultLicense);
-        rl.close();
-        const capabilities = capabilitiesStr ? capabilitiesStr.split(",").map((s) => s.trim()).filter(Boolean) : [];
-        manifest = {
-          $schema: PSPM_SCHEMA_URL,
-          name,
-          version: version3,
-          description: description || void 0,
-          author: author || void 0,
-          license,
-          type: "skill",
-          capabilities,
-          main,
-          requirements: {
-            pspm: ">=0.1.0"
-          },
-          files: [...DEFAULT_SKILL_FILES],
-          dependencies: {},
-          private: false
-        };
-      } catch (error) {
-        rl.close();
-        if (error instanceof Error && error.message.includes("readline was closed")) {
-          console.log("\nAborted.");
-          process.exit(0);
-        }
-        throw error;
-      }
+      lines.push("; Uncomment to use a custom registry:");
+      lines.push("; registry = https://custom-registry.example.com");
     }
-    if (!manifest.description) manifest.description = void 0;
-    if (!manifest.author) manifest.author = void 0;
-    if (manifest.capabilities?.length === 0) manifest.capabilities = void 0;
-    const content = JSON.stringify(manifest, null, 2);
-    console.log("");
-    console.log(`About to write to ${pspmJsonPath}:`);
-    console.log("");
-    console.log(content);
+    lines.push("");
+    await writeFile(configPath, lines.join("\n"));
+    console.log("Created .pspmrc");
     console.log("");
-    if (!options.yes) {
-      const rl = createInterface({
-        input: process.stdin,
-        output: process.stdout
-      });
-      const confirm2 = await prompt(rl, "Is this OK?", "yes");
-      rl.close();
-      if (confirm2.toLowerCase() !== "yes" && confirm2.toLowerCase() !== "y") {
-        console.log("Aborted.");
-        process.exit(0);
-      }
-    }
-    await writeFile(pspmJsonPath, `${content}
-`);
-    try {
-      await stat(join(process.cwd(), "SKILL.md"));
-    } catch {
-      console.log(
-        "Note: Create a SKILL.md file with your skill's prompt content."
-      );
-    }
-    if (existingPkg) {
-      console.log("Note: Values were derived from existing package.json.");
-      console.log("      pspm.json is for publishing to PSPM registry.");
-      console.log("      package.json can still be used for npm dependencies.");
-    }
+    console.log("Contents:");
+    console.log(lines.join("\n"));
+    console.log("Note: .pspmrc should be committed to version control.");
+    console.log("API keys should NOT be stored here - use pspm login instead.");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+// src/commands/config/show.ts
+init_config();
+async function configShow() {
+  try {
+    const resolved = await resolveConfig();
+    const projectConfig = await findProjectConfig();
+    const configPath = getConfigPath();
+    console.log("Resolved Configuration:\n");
+    console.log(`  Registry URL:   ${resolved.registryUrl}`);
+    console.log(`  API Key:        ${resolved.apiKey ? "***" : "(not set)"}`);
+    console.log(`  Username:       ${resolved.username || "(not set)"}`);
+    console.log("");
+    console.log("Config Locations:");
+    console.log(`  User config:    ${configPath}`);
+    console.log(`  Project config: ${projectConfig ? ".pspmrc" : "(none)"}`);
+    console.log("");
+    console.log("Environment Variables:");
+    console.log(
+      `  PSPM_REGISTRY_URL: ${process.env.PSPM_REGISTRY_URL || "(not set)"}`
+    );
+    console.log(
+      `  PSPM_API_KEY:      ${process.env.PSPM_API_KEY ? "***" : "(not set)"}`
+    );
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     console.error(`Error: ${message}`);
@@ -4021,502 +4235,289 @@ async function init(options) {
   }
 }
-// src/commands/install.ts
-init_agents();
+// src/commands/deprecate.ts
 init_api_client();
 init_config();
-init_errors();
-init_github();
 init_lib();
-init_lockfile3();
-init_manifest3();
-init_symlinks();
-function getCacheFilePath(cacheDir, integrity) {
-  const match = integrity.match(/^sha256-(.+)$/);
-  if (!match) {
-    throw new Error(`Invalid integrity format: ${integrity}`);
-  }
-  const base64Hash = match[1];
-  const hexHash = Buffer.from(base64Hash, "base64").toString("hex");
-  return join(cacheDir, `sha256-${hexHash}.tgz`);
-}
-async function readFromCache(cacheDir, integrity) {
-  try {
-    const cachePath = getCacheFilePath(cacheDir, integrity);
-    const data = await readFile(cachePath);
-    const actualIntegrity = `sha256-${createHash("sha256").update(data).digest("base64")}`;
-    if (actualIntegrity !== integrity) {
-      await rm(cachePath, { force: true });
-      return null;
-    }
-    return data;
-  } catch {
-    return null;
-  }
-}
-async function writeToCache(cacheDir, integrity, data) {
+async function deprecate(specifier, message, options) {
   try {
-    await mkdir(cacheDir, { recursive: true });
-    const cachePath = getCacheFilePath(cacheDir, integrity);
-    await writeFile(cachePath, data);
-  } catch {
-  }
-}
-async function install(specifiers, options) {
-  if (options.global) {
-    const { setGlobalMode: setGlobalMode2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-    setGlobalMode2(true);
-  }
-  if (options.list) {
-    const listSpecifiers = await resolveListToSpecifiers(options.list);
-    if (listSpecifiers.length === 0) {
-      console.log("No skills in the list to install.");
-      return;
+    const apiKey = await requireApiKey();
+    const registryUrl = await getRegistryUrl();
+    const parsed = parseRegistrySpecifier2(specifier);
+    if (!parsed) {
+      console.error(
+        `Error: Invalid skill specifier "${specifier}". Use format: @user/{username}/{name}@{version} or @org/{orgname}/{name}@{version}`
+      );
+      process.exit(1);
     }
-    const allSpecifiers = [...specifiers, ...listSpecifiers];
-    const { add: add2 } = await Promise.resolve().then(() => (init_add(), add_exports));
-    await add2(allSpecifiers, {
-      save: true,
-      agent: options.agent,
-      yes: options.yes,
-      global: options.global
-    });
-    return;
-  }
-  if (specifiers.length > 0) {
-    const { add: add2 } = await Promise.resolve().then(() => (init_add(), add_exports));
-    await add2(specifiers, {
-      save: true,
-      agent: options.agent,
-      yes: options.yes,
-      global: options.global
+    const { owner, name, versionRange } = parsed;
+    const fullName = generateRegistryIdentifier2({
+      namespace: parsed.namespace,
+      owner,
+      name
     });
-    return;
-  }
-  await installFromLockfile(options);
-}
-async function resolveListToSpecifiers(listSpec) {
-  const match = listSpec.match(/^@(user|org)\/([^/]+)\/([^/]+)$/);
-  if (!match) {
-    console.error(
-      `Error: Invalid list specifier "${listSpec}". Use format: @user/{username}/{list-name} or @org/{orgname}/{list-name}`
-    );
-    process.exit(1);
-  }
-  const [, ownerType, ownerName, listName] = match;
-  const config2 = await resolveConfig();
-  configure2({
-    registryUrl: config2.registryUrl,
-    apiKey: getTokenForRegistry(config2, config2.registryUrl)
-  });
-  console.log(
-    `Fetching skill list @${ownerType}/${ownerName}/${listName}...
-`
-  );
-  const { fetchSkillList: fetchSkillList2 } = await Promise.resolve().then(() => (init_api_client(), api_client_exports));
-  const response = await fetchSkillList2(
-    ownerType,
-    ownerName,
-    listName
-  );
-  if (response.status !== 200 || !response.data) {
-    const errorMsg = response.status === 404 ? `List "@${ownerType}/${ownerName}/${listName}" not found or is private.` : response.error || "Failed to fetch list";
-    console.error(`Error: ${errorMsg}`);
-    process.exit(1);
-  }
-  const list2 = response.data;
-  console.log(
-    `List: ${list2.name}${list2.description ? ` \u2014 ${list2.description}` : ""}`
-  );
-  console.log(`Skills: ${list2.items.length}
-`);
-  const specifiers = [];
-  for (const item of list2.items) {
-    const ns = item.namespace === "org" ? "org" : "user";
-    let spec = `@${ns}/${item.ownerName}/${item.skillName}`;
-    if (item.pinnedVersion) {
-      spec += `@${item.pinnedVersion}`;
-    }
-    specifiers.push(spec);
-  }
-  return specifiers;
-}
-async function installFromLockfile(options) {
-  try {
-    const config2 = await resolveConfig();
-    const registryUrl = config2.registryUrl;
-    const apiKey = getTokenForRegistry(config2, registryUrl);
-    const skillsDir = options.dir || getSkillsDir();
-    const cacheDir = getCacheDir();
-    await migrateLockfileIfNeeded();
-    let lockfile = await readLockfile();
-    const manifestDeps = await getDependencies();
-    const manifestGitHubDeps = await getGitHubDependencies();
-    const lockfilePackages = lockfile?.packages ?? lockfile?.skills ?? {};
-    const lockfileGitHubPackages = lockfile?.githubPackages ?? {};
-    const installedSkills = [];
-    const missingDeps = [];
-    for (const [fullName, versionRange] of Object.entries(manifestDeps)) {
-      if (!lockfilePackages[fullName]) {
-        missingDeps.push({ fullName, versionRange });
-      }
+    if (!versionRange) {
+      console.error(
+        "Error: Version is required for deprecation. Use format: @user/{username}/{name}@{version}"
+      );
+      process.exit(1);
     }
-    if (missingDeps.length > 0) {
-      if (options.frozenLockfile) {
+    configure2({ registryUrl, apiKey });
+    if (options.undo) {
+      console.log(`Removing deprecation from ${fullName}@${versionRange}...`);
+      const response = await undeprecateSkillVersion(owner, name, versionRange);
+      if (response.status !== 200) {
         console.error(
-          "Error: Dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
+          `Error: ${response.error || "Failed to remove deprecation"}`
         );
-        console.error("Missing dependencies:");
-        for (const dep of missingDeps) {
-          console.error(`  - ${dep.fullName}@${dep.versionRange}`);
-        }
         process.exit(1);
       }
-      console.log(`Resolving ${missingDeps.length} new dependency(ies)...
-`);
-      configure2({ registryUrl, apiKey });
-      for (const { fullName, versionRange } of missingDeps) {
-        const parsed = parseRegistrySpecifier2(fullName);
-        if (!parsed) {
-          console.error(`Error: Invalid dependency specifier: ${fullName}`);
-          continue;
-        }
-        const { owner, name } = parsed;
-        console.log(`Resolving ${fullName}@${versionRange}...`);
-        const versionsResponse = await listSkillVersions(owner, name);
-        if (versionsResponse.status !== 200) {
-          const errorMessage = extractApiErrorMessage(
-            versionsResponse,
-            `Skill ${fullName} not found`
-          );
-          console.error(`Error: ${errorMessage}`);
-          continue;
-        }
-        const versions = versionsResponse.data;
-        if (versions.length === 0) {
-          console.error(`Error: Skill ${fullName} not found`);
-          continue;
-        }
-        const versionStrings = versions.map(
-          (v) => v.version
-        );
-        const resolved = resolveVersion2(versionRange || "*", versionStrings);
-        if (!resolved) {
-          console.error(
-            `Error: No version matching "${versionRange}" for ${fullName}`
-          );
-          continue;
-        }
-        const versionResponse = await getSkillVersion(owner, name, resolved);
-        if (versionResponse.status !== 200 || !versionResponse.data) {
-          const errorMessage = extractApiErrorMessage(
-            versionResponse,
-            `Version ${resolved} not found`
-          );
-          console.error(`Error: ${errorMessage}`);
-          continue;
-        }
-        const versionInfo = versionResponse.data;
-        const isPresignedUrl = versionInfo.downloadUrl.includes(".r2.cloudflarestorage.com") || versionInfo.downloadUrl.includes("X-Amz-Signature");
-        const downloadHeaders = {};
-        if (!isPresignedUrl && apiKey) {
-          downloadHeaders.Authorization = `Bearer ${apiKey}`;
-        }
-        const tarballResponse = await fetch(versionInfo.downloadUrl, {
-          headers: downloadHeaders,
-          redirect: "follow"
-        });
-        if (!tarballResponse.ok) {
-          console.error(
-            `Error: Failed to download tarball for ${fullName} (${tarballResponse.status})`
-          );
-          continue;
-        }
-        const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
-        const integrity = calculateIntegrity(tarballBuffer);
-        await addToLockfile(fullName, {
-          version: resolved,
-          resolved: versionInfo.downloadUrl,
-          integrity
-        });
-        await writeToCache(cacheDir, integrity, tarballBuffer);
-        console.log(`  Resolved ${fullName}@${resolved}`);
-      }
-      lockfile = await readLockfile();
-    }
-    const missingGitHubDeps = [];
-    for (const [specifier, ref] of Object.entries(manifestGitHubDeps)) {
-      if (!lockfileGitHubPackages[specifier]) {
-        missingGitHubDeps.push({ specifier, ref });
+      console.log(`Removed deprecation from ${fullName}@${versionRange}`);
+    } else {
+      if (!message) {
+        console.error(
+          "Error: Deprecation message is required. Usage: pspm deprecate <specifier> <message>"
+        );
+        process.exit(1);
       }
-    }
-    if (missingGitHubDeps.length > 0) {
-      if (options.frozenLockfile) {
+      console.log(`Deprecating ${fullName}@${versionRange}...`);
+      const response = await deprecateSkillVersion(
+        owner,
+        name,
+        versionRange,
+        message
+      );
+      if (response.status !== 200) {
         console.error(
-          "Error: GitHub dependencies in pspm.json are not in lockfile. Cannot install with --frozen-lockfile"
+          `Error: ${response.error || "Failed to deprecate version"}`
         );
-        console.error("Missing GitHub dependencies:");
-        for (const dep of missingGitHubDeps) {
-          console.error(`  - ${dep.specifier}@${dep.ref}`);
-        }
         process.exit(1);
       }
+      console.log(`Deprecated ${fullName}@${versionRange}`);
+      console.log(`Message: ${message}`);
+      console.log("");
       console.log(
-        `
-Resolving ${missingGitHubDeps.length} GitHub dependency(ies)...
-`
+        "Users installing this version will see a deprecation warning."
       );
-      for (const { specifier, ref } of missingGitHubDeps) {
-        const parsed = parseGitHubSpecifier2(specifier);
-        if (!parsed) {
-          console.error(`Error: Invalid GitHub specifier: ${specifier}`);
-          continue;
-        }
-        parsed.ref = parsed.ref || ref;
-        console.log(`Resolving ${getGitHubDisplayName(parsed)}...`);
-        try {
-          const result = await downloadGitHubPackage(parsed);
-          await extractGitHubPackage(parsed, result.buffer, skillsDir);
-          const entry = {
-            version: result.commit.slice(0, 7),
-            resolved: `https://github.com/${parsed.owner}/${parsed.repo}`,
-            integrity: result.integrity,
-            gitCommit: result.commit,
-            gitRef: ref || "HEAD"
-          };
-          await addGitHubToLockfile(specifier, entry);
-          await writeToCache(cacheDir, result.integrity, result.buffer);
-          console.log(
-            `  Resolved ${specifier} (${ref}@${result.commit.slice(0, 7)})`
-          );
-        } catch (error) {
-          if (error instanceof GitHubRateLimitError) {
-            console.error(`Error: ${error.message}`);
-          } else if (error instanceof GitHubPathNotFoundError) {
-            console.error(`Error: ${error.message}`);
-          } else if (error instanceof GitHubNotFoundError) {
-            console.error(`Error: ${error.message}`);
-          } else {
-            const message = error instanceof Error ? error.message : String(error);
-            console.error(`Error resolving ${specifier}: ${message}`);
-          }
-        }
-      }
-      lockfile = await readLockfile();
+      console.log("The package is still available for download.");
     }
-    const manifest = await readManifest();
-    const agentConfigs = manifest?.agents;
-    let agents;
-    if (options.agent) {
-      agents = parseAgentArg(options.agent);
-    } else if (manifest) {
-      agents = parseAgentArg(void 0);
-    } else if (options.yes) {
-      agents = parseAgentArg(void 0);
-    } else {
-      console.log("\nNo pspm.json found. Let's set up your project.\n");
-      agents = await promptForAgents();
-      console.log();
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${errorMessage}`);
+    process.exit(1);
+  }
+}
+// src/commands/init.ts
+init_lib();
+function prompt(rl, question, defaultValue) {
+  return new Promise((resolve3) => {
+    const displayDefault = defaultValue ? ` (${defaultValue})` : "";
+    rl.question(`${question}${displayDefault} `, (answer) => {
+      resolve3(answer.trim() || defaultValue);
+    });
+  });
+}
+async function readExistingPackageJson() {
+  try {
+    const content = await readFile(
+      join(process.cwd(), "package.json"),
+      "utf-8"
+    );
+    const pkg = JSON.parse(content);
+    return {
+      name: pkg.name,
+      version: pkg.version,
+      description: pkg.description,
+      author: typeof pkg.author === "string" ? pkg.author : pkg.author?.name,
+      license: pkg.license
+    };
+  } catch {
+    return null;
+  }
+}
+async function getGitAuthor() {
+  try {
+    const { exec: exec2 } = await import('child_process');
+    const { promisify: promisify2 } = await import('util');
+    const execAsync = promisify2(exec2);
+    const [nameResult, emailResult] = await Promise.all([
+      execAsync("git config user.name").catch(() => ({ stdout: "" })),
+      execAsync("git config user.email").catch(() => ({ stdout: "" }))
+    ]);
+    const name = nameResult.stdout.trim();
+    const email = emailResult.stdout.trim();
+    if (name && email) {
+      return `${name} <${email}>`;
     }
-    const packages = lockfile?.packages ?? lockfile?.skills ?? {};
-    const packageCount = Object.keys(packages).length;
-    if (packageCount > 0) {
-      console.log(`
-Installing ${packageCount} registry skill(s)...
-`);
-      const installOrder = computeInstallOrder(packages);
-      const entries = installOrder.filter((name) => packages[name]).map((name) => [name, packages[name]]);
-      for (const [fullName, entry] of entries) {
-        const parsedName = parseRegistrySpecifier2(fullName);
-        if (!parsedName) {
-          console.warn(`Warning: Invalid skill name in lockfile: ${fullName}`);
-          continue;
-        }
-        const { namespace: ns, owner: pkgOwner, name, subname } = parsedName;
-        console.log(`Installing ${fullName}@${entry.version}...`);
-        let tarballBuffer;
-        let fromCache = false;
-        const cachedTarball = await readFromCache(cacheDir, entry.integrity);
-        if (cachedTarball) {
-          tarballBuffer = cachedTarball;
-          fromCache = true;
-        } else {
-          const isPresignedUrl = entry.resolved.includes(".r2.cloudflarestorage.com") || entry.resolved.includes("X-Amz-Signature");
-          const downloadHeaders = {};
-          if (!isPresignedUrl && apiKey) {
-            downloadHeaders.Authorization = `Bearer ${apiKey}`;
-          }
-          const response = await fetch(entry.resolved, {
-            headers: downloadHeaders,
-            redirect: "follow"
-          });
-          if (!response.ok) {
-            if (response.status === 401) {
-              if (!apiKey) {
-                console.error(
-                  `  Error: ${fullName} requires authentication. Run 'pspm login' first.`
-                );
-              } else {
-                console.error(
-                  `  Error: Access denied to ${fullName}. You may not have permission to access this private package.`
-                );
-              }
-            } else {
-              console.error(
-                `  Error: Failed to download ${fullName} (${response.status})`
-              );
-            }
-            continue;
-          }
-          tarballBuffer = Buffer.from(await response.arrayBuffer());
-          const actualIntegrity = `sha256-${createHash("sha256").update(tarballBuffer).digest("base64")}`;
-          if (actualIntegrity !== entry.integrity) {
-            console.error(
-              `  Error: Checksum verification failed for ${fullName}`
-            );
-            if (options.frozenLockfile) {
-              process.exit(1);
-            }
-            continue;
-          }
-          await writeToCache(cacheDir, entry.integrity, tarballBuffer);
-        }
-        const effectiveSkillName = subname ?? name;
-        let destDir;
-        if (ns === "org") {
-          destDir = join(skillsDir, "_org", pkgOwner, effectiveSkillName);
-        } else if (ns === "github" && subname) {
-          destDir = join(
-            skillsDir,
-            "_github-registry",
-            pkgOwner,
-            name,
-            subname
+    if (name) {
+      return name;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function sanitizeName(name) {
+  const withoutScope = name.replace(/^@[^/]+\//, "");
+  return withoutScope.toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+|-+$/g, "").replace(/-+/g, "-");
+}
+function isValidName(name) {
+  return /^[a-z][a-z0-9_-]*$/.test(name);
+}
+function isValidVersion(version3) {
+  return /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/.test(version3);
+}
+async function init(options) {
+  try {
+    const pspmJsonPath = join(process.cwd(), "pspm.json");
+    let exists = false;
+    try {
+      await stat(pspmJsonPath);
+      exists = true;
+    } catch {
+    }
+    if (exists && !options.force) {
+      console.error("Error: pspm.json already exists in this directory.");
+      console.error("Use --force to overwrite.");
+      process.exit(1);
+    }
+    const existingPkg = await readExistingPackageJson();
+    const gitAuthor = await getGitAuthor();
+    const defaultName = sanitizeName(
+      options.name || existingPkg?.name || basename(process.cwd())
+    );
+    const defaultVersion = existingPkg?.version || "0.1.0";
+    const defaultDescription = options.description || existingPkg?.description || "";
+    const defaultAuthor = options.author || existingPkg?.author || gitAuthor || "";
+    const defaultLicense = existingPkg?.license || "MIT";
+    const defaultMain = "SKILL.md";
+    const defaultCapabilities = "";
+    let manifest;
+    if (options.yes) {
+      manifest = {
+        $schema: PSPM_SCHEMA_URL,
+        name: defaultName,
+        version: defaultVersion,
+        description: defaultDescription || void 0,
+        author: defaultAuthor || void 0,
+        license: defaultLicense,
+        type: "skill",
+        capabilities: [],
+        main: defaultMain,
+        requirements: {
+          pspm: ">=0.1.0"
+        },
+        files: [...DEFAULT_SKILL_FILES],
+        dependencies: {},
+        private: false
+      };
+    } else {
+      console.log(
+        "This utility will walk you through creating a pspm.json file."
+      );
+      console.log(
+        "It only covers the most common items, and tries to guess sensible defaults."
+      );
+      console.log("");
+      console.log(
+        "See `pspm init --help` for definitive documentation on these fields"
+      );
+      console.log("and exactly what they do.");
+      console.log("");
+      console.log("Press ^C at any time to quit.");
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      try {
+        let name = await prompt(rl, "skill name:", defaultName);
+        while (!isValidName(name)) {
+          console.log(
+            "  Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores."
           );
-        } else {
-          destDir = join(skillsDir, pkgOwner, effectiveSkillName);
+          name = await prompt(rl, "skill name:", sanitizeName(name));
         }
-        await rm(destDir, { recursive: true, force: true });
-        await mkdir(destDir, { recursive: true });
-        const tempFile = join(destDir, ".temp.tgz");
-        await writeFile(tempFile, tarballBuffer);
-        const { exec: exec2 } = await import('child_process');
-        const { promisify: promisify2 } = await import('util');
-        const execAsync = promisify2(exec2);
-        try {
-          await execAsync(
-            `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
-          );
-        } finally {
-          await rm(tempFile, { force: true });
+        let version3 = await prompt(rl, "version:", defaultVersion);
+        while (!isValidVersion(version3)) {
+          console.log("  Version must be valid semver (e.g., 1.0.0)");
+          version3 = await prompt(rl, "version:", "0.1.0");
         }
-        console.log(
-          `  Installed to ${destDir}${fromCache ? " (from cache)" : ""}`
+        const description = await prompt(
+          rl,
+          "description:",
+          defaultDescription
         );
-        const pathSkillName = ns === "github" && subname ? `${name}/${subname}` : name;
-        installedSkills.push({
-          name: effectiveSkillName,
-          sourcePath: getRegistrySkillPath(ns, pkgOwner, pathSkillName)
-        });
-      }
-    }
-    const githubPackages = lockfile?.githubPackages ?? {};
-    const githubCount = Object.keys(githubPackages).length;
-    if (githubCount > 0) {
-      console.log(`
-Installing ${githubCount} GitHub skill(s)...
-`);
-      for (const [specifier, entry] of Object.entries(githubPackages)) {
-        const parsed = parseGitHubSpecifier2(specifier);
-        if (!parsed) {
-          console.warn(
-            `Warning: Invalid GitHub specifier in lockfile: ${specifier}`
-          );
-          continue;
-        }
-        const ghEntry = entry;
-        console.log(
-          `Installing ${specifier} (${ghEntry.gitRef}@${ghEntry.gitCommit.slice(0, 7)})...`
+        const main = await prompt(rl, "entry point:", defaultMain);
+        const capabilitiesStr = await prompt(
+          rl,
+          "capabilities (comma-separated):",
+          defaultCapabilities
         );
-        let tarballBuffer;
-        let fromCache = false;
-        const cachedTarball = await readFromCache(cacheDir, ghEntry.integrity);
-        if (cachedTarball) {
-          tarballBuffer = cachedTarball;
-          fromCache = true;
-        } else {
-          try {
-            const specWithCommit = { ...parsed, ref: ghEntry.gitCommit };
-            const result = await downloadGitHubPackage(specWithCommit);
-            tarballBuffer = result.buffer;
-            if (result.integrity !== ghEntry.integrity) {
-              console.error(
-                `  Error: Checksum verification failed for ${specifier}`
-              );
-              if (options.frozenLockfile) {
-                process.exit(1);
-              }
-              continue;
-            }
-            await writeToCache(cacheDir, ghEntry.integrity, tarballBuffer);
-          } catch (error) {
-            if (error instanceof GitHubRateLimitError) {
-              console.error(`  Error: ${error.message}`);
-            } else if (error instanceof GitHubPathNotFoundError) {
-              console.error(`  Error: ${error.message}`);
-            } else if (error instanceof GitHubNotFoundError) {
-              console.error(`  Error: ${error.message}`);
-            } else {
-              const message = error instanceof Error ? error.message : String(error);
-              console.error(`  Error downloading ${specifier}: ${message}`);
-            }
-            continue;
-          }
-        }
-        try {
-          const destPath = await extractGitHubPackage(
-            parsed,
-            tarballBuffer,
-            skillsDir
-          );
-          console.log(
-            `  Installed to ${destPath}${fromCache ? " (from cache)" : ""}`
-          );
-          const skillName = getGitHubSkillName2(parsed);
-          installedSkills.push({
-            name: skillName,
-            sourcePath: getGitHubSkillPath(
-              parsed.owner,
-              parsed.repo,
-              parsed.path
-            )
-          });
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          console.error(`  Error extracting ${specifier}: ${message}`);
+        const author = await prompt(rl, "author:", defaultAuthor);
+        const license = await prompt(rl, "license:", defaultLicense);
+        rl.close();
+        const capabilities = capabilitiesStr ? capabilitiesStr.split(",").map((s) => s.trim()).filter(Boolean) : [];
+        manifest = {
+          $schema: PSPM_SCHEMA_URL,
+          name,
+          version: version3,
+          description: description || void 0,
+          author: author || void 0,
+          license,
+          type: "skill",
+          capabilities,
+          main,
+          requirements: {
+            pspm: ">=0.1.0"
+          },
+          files: [...DEFAULT_SKILL_FILES],
+          dependencies: {},
+          private: false
+        };
+      } catch (error) {
+        rl.close();
+        if (error instanceof Error && error.message.includes("readline was closed")) {
+          console.log("\nAborted.");
+          process.exit(0);
         }
+        throw error;
       }
     }
-    if (installedSkills.length > 0 && agents[0] !== "none") {
-      const globalMode = isGlobalMode();
+    if (!manifest.description) manifest.description = void 0;
+    if (!manifest.author) manifest.author = void 0;
+    if (manifest.capabilities?.length === 0) manifest.capabilities = void 0;
+    const content = JSON.stringify(manifest, null, 2);
+    console.log("");
+    console.log(`About to write to ${pspmJsonPath}:`);
+    console.log("");
+    console.log(content);
+    console.log("");
+    if (!options.yes) {
+      const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      const confirm2 = await prompt(rl, "Is this OK?", "yes");
+      rl.close();
+      if (confirm2.toLowerCase() !== "yes" && confirm2.toLowerCase() !== "y") {
+        console.log("Aborted.");
+        process.exit(0);
+      }
+    }
+    await writeFile(pspmJsonPath, `${content}
+`);
+    try {
+      await stat(join(process.cwd(), "SKILL.md"));
+    } catch {
       console.log(
-        `
-Creating symlinks for agent(s): ${agents.join(", ")}${globalMode ? " (global)" : ""}...`
+        "Note: Create a SKILL.md file with your skill's prompt content."
       );
-      await createAgentSymlinks(installedSkills, {
-        agents,
-        projectRoot: globalMode ? homedir() : process.cwd(),
-        agentConfigs,
-        global: globalMode
-      });
-      console.log("  Symlinks created.");
     }
-    const totalCount = packageCount + githubCount;
-    if (totalCount === 0) {
-      console.log("No skills to install.");
-    } else {
-      console.log(`
-All ${totalCount} skill(s) installed.`);
+    if (existingPkg) {
+      console.log("Note: Values were derived from existing package.json.");
+      console.log("      pspm.json is for publishing to PSPM registry.");
+      console.log("      package.json can still be used for npm dependencies.");
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
@@ -4525,6 +4526,9 @@ All ${totalCount} skill(s) installed.`);
   }
 }
+// src/commands/index.ts
+init_install();
 // src/commands/link.ts
 init_agents();
 init_lib();
@@ -4830,8 +4834,8 @@ function startCallbackServer(expectedState) {
     let resolveToken;
     let rejectToken;
     let timeoutId;
-    const tokenPromise = new Promise((resolve2, reject) => {
-      resolveToken = resolve2;
+    const tokenPromise = new Promise((resolve3, reject) => {
+      resolveToken = resolve3;
       rejectToken = reject;
     });
     const server = http.createServer((req, res) => {
@@ -5072,18 +5076,104 @@ async function migrate(options) {
     console.log("Migration complete!");
     console.log("");
     console.log(
-      "You can safely delete these legacy files if they still exist:"
+      "You can safely delete these legacy files if they still exist:"
+    );
+    console.log("  - skill-lock.json (replaced by pspm-lock.json)");
+    console.log("  - .skills/ (replaced by .pspm/skills/)");
+    console.log("");
+    console.log("Update your .gitignore to include:");
+    console.log("  .pspm/cache/");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+// src/commands/notebook.ts
+init_config();
+async function fetchApi(path, options = {}) {
+  const config2 = await resolveConfig();
+  const apiKey = await requireApiKey();
+  const baseUrl = config2.registryUrl.replace(/\/api\/skills\/?$/, "");
+  const headers = {
+    "Content-Type": "application/json",
+    ...options.headers
+  };
+  if (apiKey) {
+    headers.Authorization = `Bearer ${apiKey}`;
+  }
+  return fetch(`${baseUrl}${path}`, { ...options, headers });
+}
+async function notebookUpload(filePath, options) {
+  const absPath = resolve(filePath);
+  const content = readFileSync(absPath, "utf-8");
+  const name = basename(filePath).replace(/\.anyt\.md$|\.anyt$|\.md$/, "");
+  const body = {
+    name,
+    content,
+    description: options.description,
+    visibility: options.visibility || "private"
+  };
+  const path = options.org ? `/api/notebooks/org/${options.org}` : "/api/notebooks";
+  const response = await fetchApi(path, {
+    method: "POST",
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      err.message || `Upload failed (${response.status})`
+    );
+  }
+  const notebook = await response.json();
+  console.log(
+    `Uploaded: ${notebook.name} (${notebook.id})${options.org ? ` to org ${options.org}` : ""}`
+  );
+}
+async function notebookList(options) {
+  const path = options.org ? `/api/notebooks/org/${options.org}` : "/api/notebooks/-/mine";
+  const response = await fetchApi(path);
+  if (!response.ok) {
+    throw new Error(`Failed to list notebooks (${response.status})`);
+  }
+  const notebooks = await response.json();
+  if (notebooks.length === 0) {
+    console.log("No notebooks found");
+    return;
+  }
+  console.log(
+    `
+${"Name".padEnd(30)} ${"Cells".padEnd(8)} ${"Visibility".padEnd(12)} ${"Updated".padEnd(12)} ID`
+  );
+  console.log("-".repeat(90));
+  for (const nb of notebooks) {
+    const updated = new Date(nb.updatedAt).toLocaleDateString();
+    console.log(
+      `${nb.name.slice(0, 28).padEnd(30)} ${String(nb.cellCount).padEnd(8)} ${nb.visibility.padEnd(12)} ${updated.padEnd(12)} ${nb.id}`
     );
-    console.log("  - skill-lock.json (replaced by pspm-lock.json)");
-    console.log("  - .skills/ (replaced by .pspm/skills/)");
-    console.log("");
-    console.log("Update your .gitignore to include:");
-    console.log("  .pspm/cache/");
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    console.error(`Error: ${message}`);
-    process.exit(1);
   }
+  console.log(`
+${notebooks.length} notebook(s)`);
+}
+async function notebookDownload(id, output) {
+  const response = await fetchApi(`/api/notebooks/${id}`);
+  if (!response.ok) {
+    throw new Error(`Notebook not found (${response.status})`);
+  }
+  const notebook = await response.json();
+  const outPath = output || `${notebook.slug}.anyt.md`;
+  writeFileSync(outPath, notebook.content, "utf-8");
+  console.log(`Downloaded: ${notebook.name} -> ${outPath}`);
+}
+async function notebookDelete(id) {
+  const response = await fetchApi(`/api/notebooks/${id}`, {
+    method: "DELETE"
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to delete notebook (${response.status})`);
+  }
+  console.log(`Notebook ${id} deleted`);
 }
 function resolveVersion3(range, availableVersions) {
   const sorted = availableVersions.filter((v) => semver2.valid(v)).sort((a, b) => semver2.rcompare(a, b));
@@ -5101,7 +5191,7 @@ function getLatestVersion3(versions) {
   return valid5.sort((a, b) => semver2.rcompare(a, b))[0];
 }
-// ../../packages/server/skill-registry/src/client/outdated.ts
+// ../../packages/features/skill-registry/src/client/outdated.ts
 function createOutdatedChecker(config2) {
   const { registryUrl, apiKey, githubToken } = config2;
   async function fetchWithAuth(url, token) {
@@ -5121,14 +5211,26 @@ function createOutdatedChecker(config2) {
     const response = await fetchWithAuth(url, apiKey);
     return await response.json();
   }
+  async function fetchGithubRegistryVersions(owner, repo, skillname) {
+    const url = `${registryUrl}/@github/${owner}/${repo}/${skillname}/versions`;
+    const response = await fetchWithAuth(url, apiKey);
+    return await response.json();
+  }
   async function checkRegistryPackage(specifier, entry, versionRange) {
-    const match = specifier.match(/^@user\/([^/]+)\/([^/]+)$/);
-    if (!match) {
+    const userMatch = specifier.match(/^@(?:user|org)\/([^/]+)\/([^/]+)$/);
+    const githubMatch = specifier.match(/^@github\/([^/]+)\/([^/]+)\/([^/]+)$/);
+    if (!userMatch && !githubMatch) {
       throw new Error(`Invalid registry specifier: ${specifier}`);
     }
-    const [, username, name] = match;
+    const isGithubRegistry = !!githubMatch;
+    const username = userMatch ? userMatch[1] : "";
+    const name = userMatch ? userMatch[2] : "";
     try {
-      const versions = await fetchRegistryVersions(username, name);
+      const versions = isGithubRegistry && githubMatch ? await fetchGithubRegistryVersions(
+        githubMatch[1],
+        githubMatch[2],
+        githubMatch[3]
+      ) : await fetchRegistryVersions(username, name);
       const versionStrings = versions.map((v) => v.version);
       const range = versionRange || "*";
       const wanted = resolveVersion3(range, versionStrings);
@@ -5354,7 +5456,7 @@ init_errors();
 init_lib();
 var exec = promisify(exec$1);
 function confirm(question) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const rl = createInterface({
       input: process.stdin,
       output: process.stdout
@@ -5362,7 +5464,7 @@ function confirm(question) {
     rl.question(`${question} (y/N) `, (answer) => {
       rl.close();
       const normalized = answer.trim().toLowerCase();
-      resolve2(normalized === "y" || normalized === "yes");
+      resolve3(normalized === "y" || normalized === "yes");
     });
   });
 }
@@ -5472,8 +5574,10 @@ async function publishCommand(options) {
       }
       console.log("");
     }
+    const nameParts = manifest.name.split("/");
+    const bareName = nameParts[nameParts.length - 1];
     const packageJson2 = {
-      name: manifest.name,
+      name: bareName,
       version: manifest.version,
       description: manifest.description,
       files: manifest.files,
@@ -5678,8 +5782,8 @@ async function removeRegistry(specifier, agents, agentConfigs) {
     console.error(`Error: Invalid skill specifier: ${specifier}`);
     process.exit(1);
   }
-  const { namespace, owner, name } = parsed;
-  const fullName = `@${namespace}/${owner}/${name}`;
+  const { namespace, owner, name, subname } = parsed;
+  const fullName = namespace === "github" && subname ? `@github/${owner}/${name}/${subname}` : `@${namespace}/${owner}/${name}`;
   console.log(`Removing ${fullName}...`);
   const removedFromLockfile = await removeFromLockfile(fullName);
   const removedFromManifest = await removeDependency(fullName);
@@ -5687,13 +5791,21 @@ async function removeRegistry(specifier, agents, agentConfigs) {
     console.error(`Error: ${fullName} not found in lockfile or pspm.json`);
     process.exit(1);
   }
-  await removeAgentSymlinks(name, {
+  const symlinkName = subname ?? name;
+  await removeAgentSymlinks(symlinkName, {
     agents,
     projectRoot: process.cwd(),
     agentConfigs
   });
   const skillsDir = getSkillsDir();
-  const destDir = namespace === "org" ? join(skillsDir, "_org", owner, name) : join(skillsDir, owner, name);
+  let destDir;
+  if (namespace === "github" && subname) {
+    destDir = join(skillsDir, "_github-registry", owner, name, subname);
+  } else if (namespace === "org") {
+    destDir = join(skillsDir, "_org", owner, name);
+  } else {
+    destDir = join(skillsDir, owner, name);
+  }
   try {
     await rm(destDir, { recursive: true, force: true });
   } catch {
@@ -5733,7 +5845,9 @@ async function removeByShortName(shortName, agents, agentConfigs) {
   const registrySkills = await listLockfileSkills();
   const foundRegistry = registrySkills.find((s) => {
     const parsed = parseRegistrySpecifier2(s.name);
-    return parsed && parsed.name === shortName;
+    if (!parsed) return false;
+    const effectiveName = parsed.subname ?? parsed.name;
+    return effectiveName === shortName;
   });
   if (foundRegistry) {
     await removeRegistry(foundRegistry.name, agents, agentConfigs);
@@ -5835,6 +5949,396 @@ function formatDownloads(count) {
   return String(count);
 }
+// src/commands/skill-list.ts
+init_api_client();
+init_config();
+function parseListSpecifier(specifier) {
+  const match = specifier.match(/^@(user|org)\/([^/]+)\/([^/]+)$/);
+  if (!match) return null;
+  return {
+    ownerType: match[1],
+    ownerName: match[2],
+    listName: match[3]
+  };
+}
+function extractErrorMessage(text) {
+  try {
+    const json = JSON.parse(text);
+    if (typeof json.message === "string") return json.message;
+    if (typeof json.error === "string") return json.error;
+    if (typeof json.error?.message === "string") return json.error.message;
+  } catch {
+  }
+  return text;
+}
+async function getBaseUrl() {
+  const config2 = await resolveConfig();
+  return config2.registryUrl.replace(/\/api\/skills\/?$/, "");
+}
+async function getAuthHeaders() {
+  const apiKey = await requireApiKey();
+  return {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${apiKey}`
+  };
+}
+async function getOptionalAuthHeaders() {
+  const config2 = await resolveConfig();
+  const apiKey = getTokenForRegistry(config2, config2.registryUrl);
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  if (apiKey) {
+    headers.Authorization = `Bearer ${apiKey}`;
+  }
+  return headers;
+}
+async function skillListList(options) {
+  const baseUrl = await getBaseUrl();
+  const config2 = await resolveConfig();
+  let path;
+  if (options.org) {
+    path = `/api/skill-lists/lists/@org/${options.org}`;
+  } else {
+    if (!config2.username) {
+      console.error("Error: Not logged in. Run `pspm login` first.");
+      process.exit(1);
+    }
+    path = `/api/skill-lists/lists/@user/${config2.username}`;
+  }
+  const headers = await getOptionalAuthHeaders();
+  const response = await fetch(`${baseUrl}${path}`, { headers });
+  if (!response.ok) {
+    const errorText = await response.text();
+    console.error(
+      `Error: Failed to list skill lists (${response.status}): ${extractErrorMessage(errorText)}`
+    );
+    process.exit(1);
+  }
+  const lists = await response.json();
+  if (options.json) {
+    console.log(JSON.stringify(lists, null, 2));
+    return;
+  }
+  if (lists.length === 0) {
+    console.log("No skill lists found.");
+    return;
+  }
+  const ownerLabel = options.org ? `@org/${options.org}` : `@user/${config2.username}`;
+  console.log(`
+Skill lists for ${ownerLabel}:
+`);
+  console.log(
+    `${"Name".padEnd(35)} ${"Skills".padEnd(8)} ${"Visibility".padEnd(12)} Description`
+  );
+  console.log("-".repeat(90));
+  for (const list2 of lists) {
+    const desc = list2.description ? list2.description.slice(0, 30) : "";
+    console.log(
+      `${list2.name.slice(0, 33).padEnd(35)} ${String(list2.itemCount).padEnd(8)} ${list2.visibility.padEnd(12)} ${desc}`
+    );
+  }
+  console.log(`
+${lists.length} list(s)`);
+}
+async function skillListCreate(name, options) {
+  const baseUrl = await getBaseUrl();
+  const headers = await getAuthHeaders();
+  const config2 = await resolveConfig();
+  const visibility = options.visibility || "private";
+  if (visibility !== "public" && visibility !== "private") {
+    console.error('Error: --visibility must be "public" or "private"');
+    process.exit(1);
+  }
+  let path;
+  if (options.org) {
+    path = `/api/skill-lists/lists/@org/${options.org}`;
+  } else {
+    if (!config2.username) {
+      console.error("Error: Not logged in. Run `pspm login` first.");
+      process.exit(1);
+    }
+    path = `/api/skill-lists/lists/@user/${config2.username}`;
+  }
+  const body = { name, visibility };
+  if (options.description) {
+    body.description = options.description;
+  }
+  const response = await fetch(`${baseUrl}${path}`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    console.error(
+      `Error: Failed to create list (${response.status}): ${extractErrorMessage(errorText)}`
+    );
+    process.exit(1);
+  }
+  const list2 = await response.json();
+  const ownerLabel = options.org ? `@org/${options.org}` : `@user/${config2.username}`;
+  console.log(`Created list: ${ownerLabel}/${list2.name} (${list2.visibility})`);
+  console.log(
+    `
+Install command: pspm skill-list install ${ownerLabel}/${list2.name}`
+  );
+}
+async function skillListShow(specifier, options) {
+  const parsed = parseListSpecifier(specifier);
+  if (!parsed) {
+    console.error(
+      "Error: Invalid list specifier. Use @user/<username>/<list-name> or @org/<orgname>/<list-name>"
+    );
+    process.exit(1);
+  }
+  const config2 = await resolveConfig();
+  configure2({
+    registryUrl: config2.registryUrl,
+    apiKey: getTokenForRegistry(config2, config2.registryUrl)
+  });
+  const response = await fetchSkillList(
+    parsed.ownerType,
+    parsed.ownerName,
+    parsed.listName
+  );
+  if (response.status !== 200 || !response.data) {
+    const errorMsg = response.status === 404 ? `List "${specifier}" not found or is private.` : response.error || "Failed to fetch list";
+    console.error(`Error: ${errorMsg}`);
+    process.exit(1);
+  }
+  const list2 = response.data;
+  if (options.json) {
+    console.log(JSON.stringify(list2, null, 2));
+    return;
+  }
+  console.log(`
+${list2.name}`);
+  if (list2.description) {
+    console.log(`  ${list2.description}`);
+  }
+  console.log(`  Visibility: ${list2.visibility}`);
+  console.log(`  Owner: @${list2.ownerType}/${list2.ownerName}`);
+  console.log(`  Skills: ${list2.items.length}`);
+  if (list2.items.length > 0) {
+    console.log("");
+    for (const item of list2.items) {
+      const ns = item.namespace === "org" ? "org" : "user";
+      const spec = `@${ns}/${item.ownerName}/${item.skillName}`;
+      const ver = item.pinnedVersion ? `@${item.pinnedVersion}` : "";
+      console.log(`  - ${spec}${ver}`);
+    }
+  }
+  console.log(`
+Install all: pspm skill-list install ${specifier}`);
+}
+async function skillListDelete(specifier) {
+  const parsed = parseListSpecifier(specifier);
+  if (!parsed) {
+    console.error(
+      "Error: Invalid list specifier. Use @user/<username>/<list-name> or @org/<orgname>/<list-name>"
+    );
+    process.exit(1);
+  }
+  const baseUrl = await getBaseUrl();
+  const headers = await getAuthHeaders();
+  const path = `/api/skill-lists/lists/@${parsed.ownerType}/${parsed.ownerName}/${parsed.listName}`;
+  const response = await fetch(`${baseUrl}${path}`, {
+    method: "DELETE",
+    headers
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    if (response.status === 404) {
+      console.error(`Error: List "${specifier}" not found.`);
+    } else {
+      console.error(
+        `Error: Failed to delete list (${response.status}): ${extractErrorMessage(errorText)}`
+      );
+    }
+    process.exit(1);
+  }
+  console.log(`Deleted list: ${specifier}`);
+}
+async function skillListUpdate(specifier, options) {
+  const parsed = parseListSpecifier(specifier);
+  if (!parsed) {
+    console.error(
+      "Error: Invalid list specifier. Use @user/<username>/<list-name> or @org/<orgname>/<list-name>"
+    );
+    process.exit(1);
+  }
+  if (!options.description && !options.visibility) {
+    console.error(
+      "Error: Provide at least one of --description or --visibility"
+    );
+    process.exit(1);
+  }
+  if (options.visibility && options.visibility !== "public" && options.visibility !== "private") {
+    console.error('Error: --visibility must be "public" or "private"');
+    process.exit(1);
+  }
+  const baseUrl = await getBaseUrl();
+  const headers = await getAuthHeaders();
+  const body = {};
+  if (options.description !== void 0) {
+    body.description = options.description;
+  }
+  if (options.visibility) {
+    body.visibility = options.visibility;
+  }
+  const path = `/api/skill-lists/lists/@${parsed.ownerType}/${parsed.ownerName}/${parsed.listName}`;
+  const response = await fetch(`${baseUrl}${path}`, {
+    method: "PUT",
+    headers,
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    console.error(
+      `Error: Failed to update list (${response.status}): ${extractErrorMessage(errorText)}`
+    );
+    process.exit(1);
+  }
+  console.log(`Updated list: ${specifier}`);
+}
+async function skillListAddSkill(specifier, skillSpecifiers, options) {
+  const parsed = parseListSpecifier(specifier);
+  if (!parsed) {
+    console.error(
+      "Error: Invalid list specifier. Use @user/<username>/<list-name> or @org/<orgname>/<list-name>"
+    );
+    process.exit(1);
+  }
+  const baseUrl = await getBaseUrl();
+  const headers = await getAuthHeaders();
+  const config2 = await resolveConfig();
+  configure2({
+    registryUrl: config2.registryUrl,
+    apiKey: getTokenForRegistry(config2, config2.registryUrl)
+  });
+  for (const skillSpec of skillSpecifiers) {
+    const skillId = await resolveSkillId(baseUrl, headers, skillSpec);
+    if (!skillId) {
+      console.error(`Error: Skill "${skillSpec}" not found.`);
+      continue;
+    }
+    const path = `/api/skill-lists/lists/@${parsed.ownerType}/${parsed.ownerName}/${parsed.listName}/items`;
+    const addBody = { skillId };
+    if (options.note) {
+      addBody.note = options.note;
+    }
+    const response = await fetch(`${baseUrl}${path}`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(addBody)
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      if (response.status === 409) {
+        console.log(`Already in list: ${skillSpec}`);
+      } else {
+        console.error(
+          `Error: Failed to add "${skillSpec}" (${response.status}): ${extractErrorMessage(errorText)}`
+        );
+      }
+      continue;
+    }
+    console.log(`Added: ${skillSpec}`);
+  }
+}
+async function skillListRemoveSkill(specifier, skillSpecifier) {
+  const parsed = parseListSpecifier(specifier);
+  if (!parsed) {
+    console.error(
+      "Error: Invalid list specifier. Use @user/<username>/<list-name> or @org/<orgname>/<list-name>"
+    );
+    process.exit(1);
+  }
+  const config2 = await resolveConfig();
+  configure2({
+    registryUrl: config2.registryUrl,
+    apiKey: getTokenForRegistry(config2, config2.registryUrl)
+  });
+  const listResponse = await fetchSkillList(
+    parsed.ownerType,
+    parsed.ownerName,
+    parsed.listName
+  );
+  if (listResponse.status !== 200 || !listResponse.data) {
+    console.error(`Error: List "${specifier}" not found.`);
+    process.exit(1);
+  }
+  const item = listResponse.data.items.find((i) => {
+    const ns = i.namespace === "org" ? "org" : "user";
+    const fullSpec = `@${ns}/${i.ownerName}/${i.skillName}`;
+    return fullSpec === skillSpecifier || i.skillName === skillSpecifier || `${i.ownerName}/${i.skillName}` === skillSpecifier;
+  });
+  if (!item) {
+    console.error(
+      `Error: Skill "${skillSpecifier}" not found in list "${specifier}".`
+    );
+    process.exit(1);
+  }
+  const baseUrl = await getBaseUrl();
+  const headers = await getAuthHeaders();
+  const path = `/api/skill-lists/lists/@${parsed.ownerType}/${parsed.ownerName}/${parsed.listName}/items/${item.id}`;
+  const response = await fetch(`${baseUrl}${path}`, {
+    method: "DELETE",
+    headers
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    console.error(
+      `Error: Failed to remove skill (${response.status}): ${extractErrorMessage(errorText)}`
+    );
+    process.exit(1);
+  }
+  console.log(`Removed: ${skillSpecifier} from ${specifier}`);
+}
+async function skillListInstall(specifier, options) {
+  const { install: install2 } = await Promise.resolve().then(() => (init_install(), install_exports));
+  await install2([], {
+    list: specifier,
+    agent: options.agent,
+    yes: options.yes,
+    global: options.global,
+    dir: options.dir
+  });
+}
+async function resolveSkillId(baseUrl, headers, specifier) {
+  const match = specifier.match(/^@(user|org|github)\/(.+)$/);
+  let search2;
+  let namespace;
+  if (match) {
+    namespace = match[1];
+    const parts = match[2].split("/");
+    search2 = parts[parts.length - 1];
+  } else {
+    search2 = specifier;
+  }
+  const params = new URLSearchParams({ search: search2, limit: "5" });
+  if (namespace) {
+    params.set("namespace", namespace);
+  }
+  const response = await fetch(`${baseUrl}/api/skills/-/explore?${params}`, {
+    headers
+  });
+  if (!response.ok) return null;
+  const data = await response.json();
+  if (!data.skills || data.skills.length === 0) return null;
+  if (match) {
+    const parts = match[2].split("/");
+    const skillName = parts[parts.length - 1];
+    const ownerName = parts.length >= 2 ? parts[parts.length - 2] : void 0;
+    const exact = data.skills.find(
+      (s) => s.name === skillName && (!ownerName || s.username === ownerName) && (!namespace || s.namespace === namespace)
+    );
+    if (exact) return exact.id;
+  }
+  return data.skills[0].id;
+}
 // src/commands/unpublish.ts
 init_api_client();
 init_config();
@@ -6367,6 +6871,73 @@ program.command("deprecate <specifier> [message]").description(
 ).option("--undo", "Remove deprecation status").action(async (specifier, message, options) => {
   await deprecate(specifier, message, { undo: options.undo });
 });
+var skillListCmd = program.command("skill-list").description("Manage skill lists (collections of skills)");
+skillListCmd.command("list").description("List your skill lists").option("--org <orgname>", "List organization skill lists").option("--json", "Output as JSON").action(async (options) => {
+  await skillListList({ org: options.org, json: options.json });
+});
+skillListCmd.command("create <name>").description("Create a new skill list").option("-d, --description <description>", "List description").option(
+  "--visibility <visibility>",
+  "Visibility: private or public",
+  "private"
+).option("--org <orgname>", "Create under an organization").action(async (name, options) => {
+  await skillListCreate(name, {
+    description: options.description,
+    visibility: options.visibility,
+    org: options.org
+  });
+});
+skillListCmd.command("show <specifier>").description("Show skill list details (e.g. @user/alice/my-tools)").option("--json", "Output as JSON").action(async (specifier, options) => {
+  await skillListShow(specifier, { json: options.json });
+});
+skillListCmd.command("delete <specifier>").description("Delete a skill list").action(async (specifier) => {
+  await skillListDelete(specifier);
+});
+skillListCmd.command("update <specifier>").description("Update skill list metadata").option("-d, --description <description>", "New description").option("--visibility <visibility>", "New visibility: private or public").action(async (specifier, options) => {
+  await skillListUpdate(specifier, {
+    description: options.description,
+    visibility: options.visibility
+  });
+});
+skillListCmd.command("add-skill <specifier> <skills...>").description(
+  "Add skills to a list (e.g. pspm skill-list add-skill @user/me/my-list @user/alice/tool)"
+).option("--note <note>", "Note for the added skill").action(async (specifier, skills, options) => {
+  await skillListAddSkill(specifier, skills, {
+    note: options.note
+  });
+});
+skillListCmd.command("remove-skill <specifier> <skill>").description("Remove a skill from a list").action(async (specifier, skill) => {
+  await skillListRemoveSkill(specifier, skill);
+});
+skillListCmd.command("install <specifier>").description(
+  "Install all skills from a list (e.g. pspm skill-list install @user/alice/my-tools)"
+).option(
+  "--agent <agents>",
+  'Comma-separated agents for symlinks (default: all agents, use "none" to skip)'
+).option("--dir <path>", "Install skills to a specific directory").option("-g, --global", "Install to user home directory instead of project").option("-y, --yes", "Skip agent selection prompt and use defaults").action(async (specifier, options) => {
+  await skillListInstall(specifier, {
+    agent: options.agent,
+    yes: options.yes,
+    global: options.global,
+    dir: options.dir
+  });
+});
+var notebookCmd = program.command("notebook").description("Manage AnyT notebooks");
+notebookCmd.command("upload <file>").description("Upload a .anyt notebook").option("--org <orgname>", "Upload to an organization").option(
+  "--visibility <visibility>",
+  "Visibility: private, team, or public",
+  "private"
+).option("--description <description>", "Notebook description").action(async (file, options) => {
+  await notebookUpload(file, options);
+});
+notebookCmd.command("list").description("List notebooks").option("--org <orgname>", "List organization notebooks").action(async (options) => {
+  await notebookList(options);
+});
+notebookCmd.command("download <id>").description("Download a notebook by ID").option("-o, --output <path>", "Output file path").action(async (id, options) => {
+  await notebookDownload(id, options.output);
+});
+notebookCmd.command("delete <id>").description("Delete a notebook by ID").action(async (id) => {
+  await notebookDelete(id);
+});
 await program.parseAsync();
 var executedCommand = program.args[0];
 if (executedCommand !== "upgrade") {