@anytio/pspm 0.12.0 → 0.13.0

package/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to the PSPM CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.13.0] - 2026-03-24
+
+### Added
+
+- **Client-side encryption for private packages**: Encrypt skill packages before publishing with AES-256-GCM encryption
+  - `pspm config set-encryption-key` — Set an encryption key for a scope (`@user/x` or `@org/x`)
+  - `pspm config get-encryption-key` — Check if an encryption key is set for a scope
+  - `pspm config remove-encryption-key` — Remove an encryption key for a scope
+  - Private packages are automatically encrypted on publish and decrypted on install when a key is configured
+  - Uses scrypt key derivation for secure key management
+
 ## [0.12.0] - 2026-03-19
 
 ### Added
@@ -103,7 +114,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **`audit` command**: Verify integrity of installed skills
   - Checks for missing packages, deprecated versions, corrupted installations
   - `--json` flag for CI integration
-- **Expanded agent support**: From 6 to 41 supported AI coding agents
+- **Expanded agent support**: From 6 to 41 supported AI agents
   - Added Windsurf, Amp, Augment, Cline, Continue, Goose, Kilo Code, Kiro CLI, OpenCode, OpenHands, Replit, Roo Code, Trae, and 22 more
 
 ### Changed

package/CLI_GUIDE.md

@@ -1,6 +1,6 @@
 # PSPM CLI Guide
 
-PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI coding agents.
+PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI agents.
 
 ## Installation
 
@@ -24,7 +24,7 @@ Options:
   -h, --help                                 display help for command
 
 Commands:
-  config                                     Manage PSPM configuration
+  config                                     Manage PSPM configuration (show, init, set-encryption-key, get-encryption-key, remove-encryption-key)
   login [options]                            Log in via browser or with an API key
   logout                                     Log out and clear stored credentials
   whoami                                     Show current user information
@@ -36,11 +36,17 @@ Commands:
   install|i [options] [specifiers...]        Install skills from lockfile, or add and install specific packages
   link [options]                             Recreate agent symlinks without reinstalling
   update [options]                           Update all skills to latest compatible versions
+  search|find [options] [query]              Search and discover skills from the registry
+  audit [options]                            Verify integrity of installed skills
+  outdated [options] [packages...]           Check for outdated skills
   version <bump>                             Bump package version (major, minor, patch)
   publish [options]                          Publish current directory as a skill
   unpublish [options] <specifier>            Remove a published skill version (only within 72 hours of publishing)
   access [options] [specifier]               Change package visibility (public/private)
   deprecate [options] <specifier> [message]  Mark a skill version as deprecated (alternative to unpublish after 72 hours)
+  skill-list                                 Manage skill lists (list, create, show, update, delete, add-skill, remove-skill, install)
+  notebook                                   Manage notebooks (upload, list, download, delete)
+  upgrade                                    Update pspm itself to the latest version
   help [command]                             display help for command
 ```
 
@@ -171,6 +177,7 @@ pspm add @user/alice/skill1 @user/bob/skill2
 pspm add @user/skill --agent claude-code,cursor  # Link to multiple agents
 pspm add github:owner/repo --agent none          # Skip symlink creation
 pspm add @user/skill -y                          # Skip agent selection prompt
+pspm add @user/skill -g                          # Install to user home directory
 ```
 
 ### Remove Skill
@@ -193,6 +200,9 @@ pspm ls
 # JSON output for scripting
 pspm list --json
 
+# List global skills
+pspm list -g
+
 # Example output:
 # Installed skills:
 #
@@ -219,6 +229,7 @@ pspm install --dir ./vendor/skills       # Install to specific directory
 pspm install --agent claude-code,cursor  # Link to multiple agents
 pspm install --agent none                # Skip symlink creation
 pspm install -y                          # Skip agent selection prompt
+pspm install -g                          # Install to user home directory
 
 # Install specific packages (like npm):
 pspm install @user/alice/skill1 github:org/repo
@@ -236,6 +247,7 @@ Recreate agent symlinks without reinstalling (useful after adding agents):
 pspm link
 pspm link --agent claude-code,cursor  # Link to specific agents
 pspm link -y                          # Skip agent selection prompt
+pspm link -g                          # Recreate global agent symlinks
 ```
 
 ### Update Skills
@@ -245,6 +257,39 @@ pspm update
 pspm update --dry-run    # Preview updates without applying
 ```
 
+### Search Skills
+
+Search and discover skills from the registry:
+
+```bash
+pspm search typescript        # Search by keyword
+pspm find react               # Alias for search
+pspm search react --json      # JSON output
+pspm search --sort recent --limit 10
+```
+
+### Check Outdated Skills
+
+```bash
+pspm outdated                 # Check all packages
+pspm outdated code-review     # Check specific package
+pspm outdated --json          # JSON output
+pspm outdated --all           # Include up-to-date packages
+```
+
+Exits with code `1` if any packages are outdated.
+
+### Audit Skills
+
+Verify integrity of installed skills:
+
+```bash
+pspm audit                    # Human-readable output
+pspm audit --json             # JSON output (for CI)
+```
+
+Checks for: missing packages, deprecated versions, corrupted installations.
+
 ## Versioning
 
 ### Bump Version
@@ -276,12 +321,15 @@ The command:
 Publish the current directory as a skill:
 
 ```bash
-pspm publish
-pspm publish --bump patch    # Auto-bump version (major, minor, patch)
-pspm publish --bump minor --tag beta
-pspm publish --access public # Publish and make public in one step
+pspm publish --access public          # Publish as public
+pspm publish --access private         # Publish as private
+pspm publish --access team --org myorg # Publish under org
+pspm publish --access public --bump patch    # Auto-bump version
+pspm publish --access public --bump minor --tag beta
 ```
 
+The `--access` flag is required and must be `public`, `private`, or `team`.
+
 **Required `pspm.json` fields:**
 - `name` - Skill name (e.g., `@user/username/skillname`)
 - `version` - Semver version
@@ -338,6 +386,88 @@ pspm access @user/bsheng/vite_slides --public
 - **Private packages** (default): Require authentication to download
 - **Public packages**: Anyone can download without authentication
 
+## Client-Side Encryption
+
+Private packages can be encrypted before upload so that the PSPM server and storage (R2) only ever see ciphertext. The encryption key never leaves your machine.
+
+### How It Works
+
+- **Publish:** If an encryption key is set for the package scope, the CLI encrypts the tarball with AES-256-GCM before uploading. The server stores only ciphertext.
+- **Install:** The CLI checks the package manifest for encryption metadata. If present, it decrypts the tarball locally before extracting.
+- **Public packages** are never encrypted — encryption only applies to `private` and `team` visibility.
+
+### Set an Encryption Key
+
+Each scope (`@user/yourname` or `@org/orgname`) has one encryption key. All private packages under that scope use the same key.
+
+```bash
+# Set encryption key for your user scope
+pspm config set-encryption-key @user/yourname my-secret-passphrase
+
+# Set encryption key for an organization
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+Or use environment variables:
+
+```bash
+export PSPM_ENCRYPTION_KEY_USER_YOURNAME="my-secret-passphrase"
+export PSPM_ENCRYPTION_KEY_ORG_MYORG="shared-team-secret"
+```
+
+### Manage Encryption Keys
+
+```bash
+# Check if a key is set
+pspm config get-encryption-key @user/yourname
+
+# Remove a key
+pspm config remove-encryption-key @user/yourname
+```
+
+### Publish with Encryption
+
+When you publish a private package and an encryption key is configured for the scope, the CLI automatically encrypts:
+
+```bash
+pspm config set-encryption-key @user/yourname my-secret
+pspm publish --access private
+# Output: pspm notice Encrypting package (scope: @user/yourname)
+```
+
+If no encryption key is set, the package is uploaded unencrypted with a warning.
+
+### Install Encrypted Packages
+
+```bash
+# Set the same key used during publish
+pspm config set-encryption-key @user/yourname my-secret
+
+# Install as usual — decryption is automatic
+pspm install
+```
+
+If you don't have the key, the CLI will show an error with instructions:
+
+```
+Error: Package @user/yourname/my-skill is encrypted.
+Set the key: pspm config set-encryption-key @user/yourname <passphrase>
+```
+
+### Team Sharing
+
+For organization packages, share the encryption key with team members through a secure channel (e.g., a password manager). Each team member adds it to their local config:
+
+```bash
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+### Important Notes
+
+- **Key loss = data loss.** If you lose your encryption key, encrypted packages cannot be recovered. Back up your keys.
+- The server stores encryption metadata (algorithm, salt, IV) alongside the package — these are not secrets and are safe to store publicly.
+- Encryption is opt-in. If no key is configured, private packages are uploaded unencrypted.
+
 ## Configuration Files
 
 ### User Config: `~/.pspmrc`
@@ -357,6 +487,10 @@ username = myuser
 ; Multi-registry: Per-registry tokens (optional)
 //pspm.dev:authToken = sk_public_token
 //corp.pspm.io:authToken = sk_corp_token
+
+; Encryption keys (optional)
+encryption-key:@user/yourname = my-secret-passphrase
+encryption-key:@org/myorg = shared-team-secret
 ```
 
 ### Project Config: `.pspmrc`
@@ -441,6 +575,7 @@ Configuration is resolved in priority order:
 | `PSPM_API_KEY` | Override API key |
 | `PSPM_DEBUG` | Enable debug logging |
 | `GITHUB_TOKEN` | GitHub token for private repos and higher rate limits |
+| `PSPM_ENCRYPTION_KEY_<SCOPE>` | Encryption key for a scope (e.g., `PSPM_ENCRYPTION_KEY_USER_ALICE`) |
 
 ## Directory Structure
 
@@ -517,6 +652,106 @@ pspm init
 pspm publish --bump patch
 ```
 
+## Skill Lists
+
+### List Skill Lists
+
+```bash
+pspm skill-list list              # Your lists
+pspm skill-list list --org myorg  # Organization's lists
+pspm skill-list list --json       # JSON output
+```
+
+### Create Skill List
+
+```bash
+pspm skill-list create my-favorites
+pspm skill-list create my-favorites --visibility public
+pspm skill-list create team-tools --org myorg -d "Our team's tools"
+```
+
+### Show Skill List
+
+```bash
+pspm skill-list show @user/alice/my-favorites
+pspm skill-list show @org/myorg/team-tools --json
+```
+
+### Update Skill List
+
+```bash
+pspm skill-list update @user/alice/my-favorites --description "Updated desc"
+pspm skill-list update @user/alice/my-favorites --visibility public
+```
+
+### Delete Skill List
+
+```bash
+pspm skill-list delete @user/alice/my-favorites
+```
+
+### Add Skill to List
+
+```bash
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/code-review
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/lint --note "Great for CI"
+```
+
+### Remove Skill from List
+
+```bash
+pspm skill-list remove-skill @user/alice/my-favorites @user/bob/code-review
+```
+
+### Install from Skill List
+
+```bash
+pspm skill-list install @user/alice/my-favorites
+pspm skill-list install @org/myorg/team-tools --agent claude-code
+```
+
+## Notebook Management
+
+### Upload Notebook
+
+```bash
+pspm notebook upload notebook.anyt.md
+pspm notebook upload notebook.anyt.md --visibility public
+pspm notebook upload notebook.anyt.md --org myorg
+```
+
+### List Notebooks
+
+```bash
+pspm notebook list
+pspm notebook list --org myorg
+pspm notebook list --json
+```
+
+### Download Notebook
+
+```bash
+pspm notebook download <id>
+```
+
+### Delete Notebook
+
+```bash
+pspm notebook delete <id>
+```
+
+## Self-Update
+
+### Upgrade PSPM
+
+Update pspm itself to the latest version:
+
+```bash
+pspm upgrade
+```
+
+Auto-detects your package manager (pnpm, npm, yarn, bun). The CLI also checks for updates every 24 hours and notifies you when a newer version is available.
+
 ## Troubleshooting
 
 | Error | Solution |

package/README.md

@@ -445,7 +445,7 @@ project/
 |   |   +-- _local/          # Local skill symlinks
 |   +-- cache/               # Tarball cache
 +-- .claude/
-|   +-- skills/              # Symlinks for Claude Code
+|   +-- skills/              # Symlinks for Claude Code (and other agents)
 +-- .cursor/
     +-- skills/              # Symlinks for Cursor (if configured)
 ```

package/dist/index.js

@@ -3,8 +3,8 @@ import { stat, writeFile, readdir, mkdir, rm, rename, access as access$1, readFi
 import { homedir } from 'os';
 import { join, dirname, basename, resolve, relative } from 'path';
 import * as ini from 'ini';
+import { createHash, randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'crypto';
 import ignore from 'ignore';
-import { createHash, randomBytes } from 'crypto';
 import * as semver2 from 'semver';
 import semver2__default from 'semver';
 import { checkbox } from '@inquirer/prompts';
@@ -603,6 +603,8 @@ __export(config_exports, {
   findProjectConfig: () => findProjectConfig,
   getCacheDir: () => getCacheDir,
   getConfigPath: () => getConfigPath,
+  getEncryptionKey: () => getEncryptionKey,
+  getEncryptionScope: () => getEncryptionScope,
   getLegacyLockfilePath: () => getLegacyLockfilePath,
   getLegacySkillsDir: () => getLegacySkillsDir,
   getLockfilePath: () => getLockfilePath,
@@ -613,9 +615,11 @@ __export(config_exports, {
   isGlobalMode: () => isGlobalMode,
   isLoggedIn: () => isLoggedIn,
   readUserConfig: () => readUserConfig,
+  removeEncryptionKey: () => removeEncryptionKey,
   requireApiKey: () => requireApiKey,
   resolveConfig: () => resolveConfig,
   setCredentials: () => setCredentials,
+  setEncryptionKey: () => setEncryptionKey,
   setGlobalMode: () => setGlobalMode,
   writeUserConfig: () => writeUserConfig
 });
@@ -685,12 +689,21 @@ async function readUserConfig() {
         }
       }
     }
+    const encryptionKeys = {};
+    for (const key of Object.keys(parsed)) {
+      const encKeyMatch = key.match(/^encryption-key:(.+)$/);
+      if (encKeyMatch) {
+        const scope = encKeyMatch[1];
+        encryptionKeys[scope] = parsed[key];
+      }
+    }
     return {
       registry: parsed.registry,
       authToken: parsed.authToken,
       username: parsed.username,
       scopedRegistries: Object.keys(scopedRegistries).length > 0 ? scopedRegistries : void 0,
-      registryTokens: Object.keys(registryTokens).length > 0 ? registryTokens : void 0
+      registryTokens: Object.keys(registryTokens).length > 0 ? registryTokens : void 0,
+      encryptionKeys: Object.keys(encryptionKeys).length > 0 ? encryptionKeys : void 0
     };
   } catch (error) {
     if (process.env.PSPM_DEBUG) {
@@ -713,6 +726,12 @@ async function writeUserConfig(config2) {
   if (config2.username) {
     lines.push(`username = ${config2.username}`);
   }
+  if (config2.encryptionKeys && Object.keys(config2.encryptionKeys).length > 0) {
+    lines.push("; Encryption keys (scope -> passphrase)");
+    for (const [scope, key] of Object.entries(config2.encryptionKeys)) {
+      lines.push(`encryption-key:${scope} = ${key}`);
+    }
+  }
   lines.push("");
   await mkdir(dirname(configPath), { recursive: true });
   await writeFile(configPath, lines.join("\n"));
@@ -896,6 +915,36 @@ async function getRegistryUrl() {
   const resolved = await resolveConfig();
   return resolved.registryUrl;
 }
+async function getEncryptionKey(scope) {
+  const envSuffix = scope.replace(/^@/, "").replace(/\//g, "_").toUpperCase();
+  const envKey = process.env[`PSPM_ENCRYPTION_KEY_${envSuffix}`];
+  if (envKey) {
+    return envKey;
+  }
+  const config2 = await readUserConfig();
+  return config2.encryptionKeys?.[scope];
+}
+async function setEncryptionKey(scope, key) {
+  const config2 = await readUserConfig();
+  if (!config2.encryptionKeys) {
+    config2.encryptionKeys = {};
+  }
+  config2.encryptionKeys[scope] = key;
+  await writeUserConfig(config2);
+}
+async function removeEncryptionKey(scope) {
+  const config2 = await readUserConfig();
+  if (config2.encryptionKeys) {
+    delete config2.encryptionKeys[scope];
+    if (Object.keys(config2.encryptionKeys).length === 0) {
+      config2.encryptionKeys = void 0;
+    }
+  }
+  await writeUserConfig(config2);
+}
+function getEncryptionScope(namespace, owner) {
+  return `@${namespace}/${owner}`;
+}
 var DEFAULT_REGISTRY_URL, _globalMode;
 var init_config = __esm({
   "src/config.ts"() {
@@ -904,6 +953,62 @@ var init_config = __esm({
     _globalMode = false;
   }
 });
+function deriveKey(passphrase, salt) {
+  return scryptSync(passphrase, salt, KEY_LENGTH, {
+    N: SCRYPT_COST,
+    r: SCRYPT_BLOCK_SIZE,
+    p: SCRYPT_PARALLELISM
+  });
+}
+function encryptBuffer(data, passphrase, scope) {
+  const salt = randomBytes(SALT_LENGTH);
+  const iv = randomBytes(IV_LENGTH);
+  const key = deriveKey(passphrase, salt);
+  const cipher = createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return {
+    encrypted,
+    metadata: {
+      algorithm: ALGORITHM,
+      kdf: "scrypt",
+      salt: salt.toString("hex"),
+      iv: iv.toString("hex"),
+      authTag: authTag.toString("hex"),
+      scope
+    }
+  };
+}
+function decryptBuffer(encrypted, passphrase, metadata) {
+  const salt = Buffer.from(metadata.salt, "hex");
+  const iv = Buffer.from(metadata.iv, "hex");
+  const authTag = Buffer.from(metadata.authTag, "hex");
+  const key = deriveKey(passphrase, salt);
+  const decipher = createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return decrypted;
+}
+var ALGORITHM, KEY_LENGTH, IV_LENGTH, SALT_LENGTH, SCRYPT_COST, SCRYPT_BLOCK_SIZE, SCRYPT_PARALLELISM, AUTH_TAG_LENGTH;
+var init_encryption = __esm({
+  "src/lib/encryption.ts"() {
+    ALGORITHM = "aes-256-gcm";
+    KEY_LENGTH = 32;
+    IV_LENGTH = 16;
+    SALT_LENGTH = 32;
+    SCRYPT_COST = 16384;
+    SCRYPT_BLOCK_SIZE = 8;
+    SCRYPT_PARALLELISM = 1;
+    AUTH_TAG_LENGTH = 16;
+  }
+});
 async function loadIgnorePatterns(cwd = process.cwd()) {
   const ig = ignore();
   ig.add(ALWAYS_IGNORED);
@@ -1626,6 +1731,7 @@ var init_specifier2 = __esm({
 // src/lib/index.ts
 var init_lib = __esm({
   "src/lib/index.ts"() {
+    init_encryption();
     init_ignore();
     init_integrity();
     init_lockfile();
@@ -3539,11 +3645,15 @@ async function installFromLockfile(options) {
         }
         const tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer());
         const integrity = calculateIntegrity(tarballBuffer);
-        await addToLockfile(fullName, {
+        const lockfileEntry = {
           version: resolved,
           resolved: versionInfo.downloadUrl,
           integrity
-        });
+        };
+        if (versionInfo.manifest?.encryption) {
+          lockfileEntry.encryption = versionInfo.manifest.encryption;
+        }
+        await addToLockfile(fullName, lockfileEntry);
         await writeToCache(cacheDir, integrity, tarballBuffer);
         console.log(`  Resolved ${fullName}@${resolved}`);
       }
@@ -3686,6 +3796,28 @@ Installing ${packageCount} registry skill(s)...
           }
           await writeToCache(cacheDir, entry.integrity, tarballBuffer);
         }
+        if (entry.encryption) {
+          const scope = entry.encryption.scope;
+          const encKey = await getEncryptionKey(scope);
+          if (!encKey) {
+            console.error(
+              `  Error: Package ${fullName} is encrypted. Set the key: pspm config set-encryption-key ${scope} <passphrase>`
+            );
+            continue;
+          }
+          try {
+            tarballBuffer = decryptBuffer(
+              tarballBuffer,
+              encKey,
+              entry.encryption
+            );
+          } catch {
+            console.error(
+              `  Error: Failed to decrypt ${fullName}. Wrong encryption key for scope "${scope}".`
+            );
+            continue;
+          }
+        }
         const effectiveSkillName = subname ?? name;
         let destDir;
         if (ns === "org") {
@@ -3836,6 +3968,7 @@ var init_install = __esm({
     init_config();
     init_errors();
     init_github();
+    init_encryption();
     init_lib();
     init_lockfile3();
     init_manifest3();
@@ -5453,6 +5586,7 @@ function printTable(results) {
 init_api_client();
 init_config();
 init_errors();
+init_encryption();
 init_lib();
 var exec = promisify(exec$1);
 function confirm(question) {
@@ -5693,19 +5827,53 @@ async function publishCommand(options) {
         process.exit(0);
       }
       console.log("");
+      let finalTarballBase64 = tarballBase64;
+      if (options.access === "private" || options.access === "team") {
+        const config2 = await Promise.resolve().then(() => (init_config(), config_exports)).then((m) => m.resolveConfig());
+        const namespace2 = options.org ? "org" : "user";
+        const owner2 = options.org ?? config2.username;
+        if (!owner2) {
+          console.error(
+            "Error: Cannot determine package owner. Run 'pspm login' first."
+          );
+          process.exit(1);
+        }
+        const scope = getEncryptionScope(namespace2, owner2);
+        const encryptionKey = await getEncryptionKey(scope);
+        if (encryptionKey) {
+          console.log(`pspm notice Encrypting package (scope: ${scope})`);
+          const { encrypted, metadata } = encryptBuffer(
+            tarballBuffer,
+            encryptionKey,
+            scope
+          );
+          finalTarballBase64 = encrypted.toString("base64");
+          packageJson2.encryption = metadata;
+          console.log(
+            "pspm notice Package encrypted with client-side encryption"
+          );
+        } else {
+          console.log(
+            `pspm warn No encryption key found for scope "${scope}". Publishing without encryption.`
+          );
+          console.log(
+            `pspm warn To encrypt, run: pspm config set-encryption-key ${scope} <your-passphrase>`
+          );
+        }
+      }
       console.log(`pspm notice Publishing to ${registryUrl} with tag latest`);
       configure2({ registryUrl, apiKey });
       let response;
       if (options.org) {
         response = await publishOrgSkill(options.org, {
           manifest: packageJson2,
-          tarballBase64,
+          tarballBase64: finalTarballBase64,
           visibility: options.access
         });
       } else {
         response = await publishSkill({
           manifest: packageJson2,
-          tarballBase64,
+          tarballBase64: finalTarballBase64,
           visibility: options.access
         });
       }
@@ -5731,7 +5899,9 @@ async function publishCommand(options) {
         `+ @${namespace}/${owner}/${result.skill.name}@${result.version.version}`
       );
       console.log(`Checksum: ${result.version.checksum}`);
-      console.log(`Visibility: ${visibilityIcon} ${visibility}`);
+      console.log(
+        `Visibility: ${visibilityIcon} ${visibility}${packageJson2.encryption ? " (encrypted)" : ""}`
+      );
       if (visibility === "public") {
         console.log(
           "Note: Public packages cannot be made private. This is irreversible."
@@ -6729,6 +6899,28 @@ configCmd.command("init").description("Create a .pspmrc file in the current dire
     registry: options.registry
   });
 });
+configCmd.command("set-encryption-key <scope> <passphrase>").description(
+  "Set encryption key for a scope (e.g., pspm config set-encryption-key @user/alice my-secret)"
+).action(async (scope, passphrase) => {
+  const { setEncryptionKey: setEncryptionKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  await setEncryptionKey2(scope, passphrase);
+  console.log(`Encryption key set for scope "${scope}"`);
+});
+configCmd.command("remove-encryption-key <scope>").description("Remove encryption key for a scope").action(async (scope) => {
+  const { removeEncryptionKey: removeEncryptionKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  await removeEncryptionKey2(scope);
+  console.log(`Encryption key removed for scope "${scope}"`);
+});
+configCmd.command("get-encryption-key <scope>").description("Check if an encryption key is set for a scope").action(async (scope) => {
+  const { getEncryptionKey: getEncryptionKey2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  const key = await getEncryptionKey2(scope);
+  if (key) {
+    const masked = `${key.substring(0, 4)}***`;
+    console.log(`Encryption key for "${scope}": ${masked} (set)`);
+  } else {
+    console.log(`No encryption key set for "${scope}"`);
+  }
+});
 program.command("upgrade").description("Upgrade pspm to the latest version").action(async () => {
   await upgrade();
 });