@anytio/pspm 0.11.0 → 0.13.0

package/CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to the PSPM CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.13.0] - 2026-03-24
+
+### Added
+
+- **Client-side encryption for private packages**: Encrypt skill packages before publishing with AES-256-GCM encryption
+  - `pspm config set-encryption-key` — Set an encryption key for a scope (`@user/x` or `@org/x`)
+  - `pspm config get-encryption-key` — Check if an encryption key is set for a scope
+  - `pspm config remove-encryption-key` — Remove an encryption key for a scope
+  - Private packages are automatically encrypted on publish and decrypted on install when a key is configured
+  - Uses scrypt key derivation for secure key management
+
+## [0.12.0] - 2026-03-19
+
+### Added
+
+- **Skill list CLI commands**: Full CRUD `pspm skill-list` command group with 8 subcommands
+  - `pspm skill-list list` — list your skill lists
+  - `pspm skill-list create <name>` — create a new skill list
+  - `pspm skill-list show <name>` — view list details and items
+  - `pspm skill-list delete <name>` — delete a skill list
+  - `pspm skill-list update <name>` — update list metadata
+  - `pspm skill-list add-skill <list> <specifier>` — add a skill to a list
+  - `pspm skill-list remove-skill <list> <specifier>` — remove a skill from a list
+  - `pspm skill-list install <name>` — install all skills from a list
+- **Notebook commands**: Upload, share, and manage .anyt notebooks via CLI
+  - `pspm notebook upload <file>` — upload a notebook to the platform
+  - `pspm notebook list` — list your uploaded notebooks
+  - `pspm notebook download <id>` — download a notebook
+  - `pspm notebook delete <id>` — delete a notebook
+
+### Fixed
+
+- **Audit false positives**: Fixed double path joining that caused installed skills to always report as MISSING
+- **Publish with qualified names**: `@user/owner/name` format no longer rejected by server validation
+- **Remove @github skills**: GitHub-indexed skills can now be removed by short name
+- **Outdated command crash**: Fixed crash on @github namespace packages in lockfile
+- **Manifest validation**: Regex now accepts qualified name format in pspm.json
+
 ## [0.11.0] - 2026-03-17
 
 ### Added
@@ -76,7 +114,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **`audit` command**: Verify integrity of installed skills
   - Checks for missing packages, deprecated versions, corrupted installations
   - `--json` flag for CI integration
-- **Expanded agent support**: From 6 to 41 supported AI coding agents
+- **Expanded agent support**: From 6 to 41 supported AI agents
   - Added Windsurf, Amp, Augment, Cline, Continue, Goose, Kilo Code, Kiro CLI, OpenCode, OpenHands, Replit, Roo Code, Trae, and 22 more
 
 ### Changed
@@ -103,7 +141,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- **Fix npm install failure**: Moved `@repo/pspm-types` and `@repo/skill-registry` from `dependencies` to `devDependencies` to prevent npm from trying to install workspace-only packages from the public registry
+- **Fix npm install failure**: Moved `@repo/types` and `@repo/skill-registry` from `dependencies` to `devDependencies` to prevent npm from trying to install workspace-only packages from the public registry
 
 ## [0.7.1] - 2026-03-02
 

package/CLI_GUIDE.md

@@ -1,6 +1,6 @@
 # PSPM CLI Guide
 
-PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI coding agents.
+PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI agents.
 
 ## Installation
 
@@ -24,7 +24,7 @@ Options:
   -h, --help                                 display help for command
 
 Commands:
-  config                                     Manage PSPM configuration
+  config                                     Manage PSPM configuration (show, init, set-encryption-key, get-encryption-key, remove-encryption-key)
   login [options]                            Log in via browser or with an API key
   logout                                     Log out and clear stored credentials
   whoami                                     Show current user information
@@ -36,11 +36,17 @@ Commands:
   install|i [options] [specifiers...]        Install skills from lockfile, or add and install specific packages
   link [options]                             Recreate agent symlinks without reinstalling
   update [options]                           Update all skills to latest compatible versions
+  search|find [options] [query]              Search and discover skills from the registry
+  audit [options]                            Verify integrity of installed skills
+  outdated [options] [packages...]           Check for outdated skills
   version <bump>                             Bump package version (major, minor, patch)
   publish [options]                          Publish current directory as a skill
   unpublish [options] <specifier>            Remove a published skill version (only within 72 hours of publishing)
   access [options] [specifier]               Change package visibility (public/private)
   deprecate [options] <specifier> [message]  Mark a skill version as deprecated (alternative to unpublish after 72 hours)
+  skill-list                                 Manage skill lists (list, create, show, update, delete, add-skill, remove-skill, install)
+  notebook                                   Manage notebooks (upload, list, download, delete)
+  upgrade                                    Update pspm itself to the latest version
   help [command]                             display help for command
 ```
 
@@ -171,6 +177,7 @@ pspm add @user/alice/skill1 @user/bob/skill2
 pspm add @user/skill --agent claude-code,cursor  # Link to multiple agents
 pspm add github:owner/repo --agent none          # Skip symlink creation
 pspm add @user/skill -y                          # Skip agent selection prompt
+pspm add @user/skill -g                          # Install to user home directory
 ```
 
 ### Remove Skill
@@ -193,6 +200,9 @@ pspm ls
 # JSON output for scripting
 pspm list --json
 
+# List global skills
+pspm list -g
+
 # Example output:
 # Installed skills:
 #
@@ -219,9 +229,14 @@ pspm install --dir ./vendor/skills       # Install to specific directory
 pspm install --agent claude-code,cursor  # Link to multiple agents
 pspm install --agent none                # Skip symlink creation
 pspm install -y                          # Skip agent selection prompt
+pspm install -g                          # Install to user home directory
 
 # Install specific packages (like npm):
 pspm install @user/alice/skill1 github:org/repo
+
+# Install all skills from a skill list:
+pspm install --list @user/alice/my-favorites
+pspm install --list @org/myteam/starter-kit
 ```
 
 ### Link Skills
@@ -232,6 +247,7 @@ Recreate agent symlinks without reinstalling (useful after adding agents):
 pspm link
 pspm link --agent claude-code,cursor  # Link to specific agents
 pspm link -y                          # Skip agent selection prompt
+pspm link -g                          # Recreate global agent symlinks
 ```
 
 ### Update Skills
@@ -241,6 +257,39 @@ pspm update
 pspm update --dry-run    # Preview updates without applying
 ```
 
+### Search Skills
+
+Search and discover skills from the registry:
+
+```bash
+pspm search typescript        # Search by keyword
+pspm find react               # Alias for search
+pspm search react --json      # JSON output
+pspm search --sort recent --limit 10
+```
+
+### Check Outdated Skills
+
+```bash
+pspm outdated                 # Check all packages
+pspm outdated code-review     # Check specific package
+pspm outdated --json          # JSON output
+pspm outdated --all           # Include up-to-date packages
+```
+
+Exits with code `1` if any packages are outdated.
+
+### Audit Skills
+
+Verify integrity of installed skills:
+
+```bash
+pspm audit                    # Human-readable output
+pspm audit --json             # JSON output (for CI)
+```
+
+Checks for: missing packages, deprecated versions, corrupted installations.
+
 ## Versioning
 
 ### Bump Version
@@ -272,12 +321,15 @@ The command:
 Publish the current directory as a skill:
 
 ```bash
-pspm publish
-pspm publish --bump patch    # Auto-bump version (major, minor, patch)
-pspm publish --bump minor --tag beta
-pspm publish --access public # Publish and make public in one step
+pspm publish --access public          # Publish as public
+pspm publish --access private         # Publish as private
+pspm publish --access team --org myorg # Publish under org
+pspm publish --access public --bump patch    # Auto-bump version
+pspm publish --access public --bump minor --tag beta
 ```
 
+The `--access` flag is required and must be `public`, `private`, or `team`.
+
 **Required `pspm.json` fields:**
 - `name` - Skill name (e.g., `@user/username/skillname`)
 - `version` - Semver version
@@ -334,6 +386,88 @@ pspm access @user/bsheng/vite_slides --public
 - **Private packages** (default): Require authentication to download
 - **Public packages**: Anyone can download without authentication
 
+## Client-Side Encryption
+
+Private packages can be encrypted before upload so that the PSPM server and storage (R2) only ever see ciphertext. The encryption key never leaves your machine.
+
+### How It Works
+
+- **Publish:** If an encryption key is set for the package scope, the CLI encrypts the tarball with AES-256-GCM before uploading. The server stores only ciphertext.
+- **Install:** The CLI checks the package manifest for encryption metadata. If present, it decrypts the tarball locally before extracting.
+- **Public packages** are never encrypted — encryption only applies to `private` and `team` visibility.
+
+### Set an Encryption Key
+
+Each scope (`@user/yourname` or `@org/orgname`) has one encryption key. All private packages under that scope use the same key.
+
+```bash
+# Set encryption key for your user scope
+pspm config set-encryption-key @user/yourname my-secret-passphrase
+
+# Set encryption key for an organization
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+Or use environment variables:
+
+```bash
+export PSPM_ENCRYPTION_KEY_USER_YOURNAME="my-secret-passphrase"
+export PSPM_ENCRYPTION_KEY_ORG_MYORG="shared-team-secret"
+```
+
+### Manage Encryption Keys
+
+```bash
+# Check if a key is set
+pspm config get-encryption-key @user/yourname
+
+# Remove a key
+pspm config remove-encryption-key @user/yourname
+```
+
+### Publish with Encryption
+
+When you publish a private package and an encryption key is configured for the scope, the CLI automatically encrypts:
+
+```bash
+pspm config set-encryption-key @user/yourname my-secret
+pspm publish --access private
+# Output: pspm notice Encrypting package (scope: @user/yourname)
+```
+
+If no encryption key is set, the package is uploaded unencrypted with a warning.
+
+### Install Encrypted Packages
+
+```bash
+# Set the same key used during publish
+pspm config set-encryption-key @user/yourname my-secret
+
+# Install as usual — decryption is automatic
+pspm install
+```
+
+If you don't have the key, the CLI will show an error with instructions:
+
+```
+Error: Package @user/yourname/my-skill is encrypted.
+Set the key: pspm config set-encryption-key @user/yourname <passphrase>
+```
+
+### Team Sharing
+
+For organization packages, share the encryption key with team members through a secure channel (e.g., a password manager). Each team member adds it to their local config:
+
+```bash
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+### Important Notes
+
+- **Key loss = data loss.** If you lose your encryption key, encrypted packages cannot be recovered. Back up your keys.
+- The server stores encryption metadata (algorithm, salt, IV) alongside the package — these are not secrets and are safe to store publicly.
+- Encryption is opt-in. If no key is configured, private packages are uploaded unencrypted.
+
 ## Configuration Files
 
 ### User Config: `~/.pspmrc`
@@ -353,6 +487,10 @@ username = myuser
 ; Multi-registry: Per-registry tokens (optional)
 //pspm.dev:authToken = sk_public_token
 //corp.pspm.io:authToken = sk_corp_token
+
+; Encryption keys (optional)
+encryption-key:@user/yourname = my-secret-passphrase
+encryption-key:@org/myorg = shared-team-secret
 ```
 
 ### Project Config: `.pspmrc`
@@ -437,6 +575,7 @@ Configuration is resolved in priority order:
 | `PSPM_API_KEY` | Override API key |
 | `PSPM_DEBUG` | Enable debug logging |
 | `GITHUB_TOKEN` | GitHub token for private repos and higher rate limits |
+| `PSPM_ENCRYPTION_KEY_<SCOPE>` | Encryption key for a scope (e.g., `PSPM_ENCRYPTION_KEY_USER_ALICE`) |
 
 ## Directory Structure
 
@@ -513,6 +652,106 @@ pspm init
 pspm publish --bump patch
 ```
 
+## Skill Lists
+
+### List Skill Lists
+
+```bash
+pspm skill-list list              # Your lists
+pspm skill-list list --org myorg  # Organization's lists
+pspm skill-list list --json       # JSON output
+```
+
+### Create Skill List
+
+```bash
+pspm skill-list create my-favorites
+pspm skill-list create my-favorites --visibility public
+pspm skill-list create team-tools --org myorg -d "Our team's tools"
+```
+
+### Show Skill List
+
+```bash
+pspm skill-list show @user/alice/my-favorites
+pspm skill-list show @org/myorg/team-tools --json
+```
+
+### Update Skill List
+
+```bash
+pspm skill-list update @user/alice/my-favorites --description "Updated desc"
+pspm skill-list update @user/alice/my-favorites --visibility public
+```
+
+### Delete Skill List
+
+```bash
+pspm skill-list delete @user/alice/my-favorites
+```
+
+### Add Skill to List
+
+```bash
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/code-review
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/lint --note "Great for CI"
+```
+
+### Remove Skill from List
+
+```bash
+pspm skill-list remove-skill @user/alice/my-favorites @user/bob/code-review
+```
+
+### Install from Skill List
+
+```bash
+pspm skill-list install @user/alice/my-favorites
+pspm skill-list install @org/myorg/team-tools --agent claude-code
+```
+
+## Notebook Management
+
+### Upload Notebook
+
+```bash
+pspm notebook upload notebook.anyt.md
+pspm notebook upload notebook.anyt.md --visibility public
+pspm notebook upload notebook.anyt.md --org myorg
+```
+
+### List Notebooks
+
+```bash
+pspm notebook list
+pspm notebook list --org myorg
+pspm notebook list --json
+```
+
+### Download Notebook
+
+```bash
+pspm notebook download <id>
+```
+
+### Delete Notebook
+
+```bash
+pspm notebook delete <id>
+```
+
+## Self-Update
+
+### Upgrade PSPM
+
+Update pspm itself to the latest version:
+
+```bash
+pspm upgrade
+```
+
+Auto-detects your package manager (pnpm, npm, yarn, bun). The CLI also checks for updates every 24 hours and notifies you when a newer version is available.
+
 ## Troubleshooting
 
 | Error | Solution |

package/README.md

@@ -128,6 +128,8 @@ pspm install
 | `pspm init` | Create pspm.json manifest |
 | `pspm publish` | Publish skill to registry |
 | `pspm login` | Authenticate via browser or API key |
+| `pspm skill-list <subcommand>` | Manage skill lists (list, create, show, delete, update, add-skill, remove-skill, install) |
+| `pspm notebook <subcommand>` | Manage notebooks (upload, list, download, delete) |
 | `pspm upgrade` | Update pspm itself to the latest version |
 
 ### `pspm install`
@@ -443,7 +445,7 @@ project/
 |   |   +-- _local/          # Local skill symlinks
 |   +-- cache/               # Tarball cache
 +-- .claude/
-|   +-- skills/              # Symlinks for Claude Code
+|   +-- skills/              # Symlinks for Claude Code (and other agents)
 +-- .cursor/
     +-- skills/              # Symlinks for Cursor (if configured)
 ```
@@ -511,3 +513,5 @@ Auto-detects your package manager (pnpm, npm, yarn, bun). The CLI also checks fo
 ## License
 
 This project is licensed under [The Artistic License 2.0](LICENSE), the same license used by npm.
+
+<!-- @doc-sync: 1f5c64d | 2026-03-18 10:30 -->