@anytio/pspm 0.12.0 → 0.14.0

package/CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to the PSPM CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.14.0] - 2026-05-02
+
+### Added
+
+- **Unpublish org skills**: `pspm unpublish @org/myorg/skill-name` now routes to the org delete endpoint and works for org-namespaced packages. Version-specific deletion for org skills is not yet supported server-side and returns a clear error.
+
+### Changed
+
+- Replaced tsup with tsdown (rolldown-based) for ESM bundling
+- Upgraded TypeScript to 6.0 and updated all dependencies to latest versions
+- Internal: workspace package scope renamed from `@repo/*` to `@anytio/*`
+- Internal: split large files/functions and added unit tests for CLI helpers (no behavior changes)
+
+## [0.13.0] - 2026-03-24
+
+### Added
+
+- **Client-side encryption for private packages**: Encrypt skill packages before publishing with AES-256-GCM encryption
+  - `pspm config set-encryption-key` — Set an encryption key for a scope (`@user/x` or `@org/x`)
+  - `pspm config get-encryption-key` — Check if an encryption key is set for a scope
+  - `pspm config remove-encryption-key` — Remove an encryption key for a scope
+  - Private packages are automatically encrypted on publish and decrypted on install when a key is configured
+  - Uses scrypt key derivation for secure key management
+
 ## [0.12.0] - 2026-03-19
 
 ### Added
@@ -103,7 +127,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **`audit` command**: Verify integrity of installed skills
   - Checks for missing packages, deprecated versions, corrupted installations
   - `--json` flag for CI integration
-- **Expanded agent support**: From 6 to 41 supported AI coding agents
+- **Expanded agent support**: From 6 to 41 supported AI agents
   - Added Windsurf, Amp, Augment, Cline, Continue, Goose, Kilo Code, Kiro CLI, OpenCode, OpenHands, Replit, Roo Code, Trae, and 22 more
 
 ### Changed
@@ -130,7 +154,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- **Fix npm install failure**: Moved `@repo/types` and `@repo/skill-registry` from `dependencies` to `devDependencies` to prevent npm from trying to install workspace-only packages from the public registry
+- **Fix npm install failure**: Moved `@anytio/types` and `@anytio/skill-registry` from `dependencies` to `devDependencies` to prevent npm from trying to install workspace-only packages from the public registry
 
 ## [0.7.1] - 2026-03-02
 

package/CLI_GUIDE.md

@@ -1,6 +1,6 @@
 # PSPM CLI Guide
 
-PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI coding agents.
+PSPM is a package manager for AI agent skills. It provides commands for authentication, configuration, skill management, and publishing across AI agents.
 
 ## Installation
 
@@ -24,7 +24,7 @@ Options:
   -h, --help                                 display help for command
 
 Commands:
-  config                                     Manage PSPM configuration
+  config                                     Manage PSPM configuration (show, init, set-encryption-key, get-encryption-key, remove-encryption-key)
   login [options]                            Log in via browser or with an API key
   logout                                     Log out and clear stored credentials
   whoami                                     Show current user information
@@ -36,11 +36,17 @@ Commands:
   install|i [options] [specifiers...]        Install skills from lockfile, or add and install specific packages
   link [options]                             Recreate agent symlinks without reinstalling
   update [options]                           Update all skills to latest compatible versions
+  search|find [options] [query]              Search and discover skills from the registry
+  audit [options]                            Verify integrity of installed skills
+  outdated [options] [packages...]           Check for outdated skills
   version <bump>                             Bump package version (major, minor, patch)
   publish [options]                          Publish current directory as a skill
   unpublish [options] <specifier>            Remove a published skill version (only within 72 hours of publishing)
   access [options] [specifier]               Change package visibility (public/private)
   deprecate [options] <specifier> [message]  Mark a skill version as deprecated (alternative to unpublish after 72 hours)
+  skill-list                                 Manage skill lists (list, create, show, update, delete, add-skill, remove-skill, install)
+  notebook                                   Manage notebooks (upload, list, download, delete)
+  upgrade                                    Update pspm itself to the latest version
   help [command]                             display help for command
 ```
 
@@ -171,6 +177,7 @@ pspm add @user/alice/skill1 @user/bob/skill2
 pspm add @user/skill --agent claude-code,cursor  # Link to multiple agents
 pspm add github:owner/repo --agent none          # Skip symlink creation
 pspm add @user/skill -y                          # Skip agent selection prompt
+pspm add @user/skill -g                          # Install to user home directory
 ```
 
 ### Remove Skill
@@ -193,6 +200,9 @@ pspm ls
 # JSON output for scripting
 pspm list --json
 
+# List global skills
+pspm list -g
+
 # Example output:
 # Installed skills:
 #
@@ -219,6 +229,7 @@ pspm install --dir ./vendor/skills       # Install to specific directory
 pspm install --agent claude-code,cursor  # Link to multiple agents
 pspm install --agent none                # Skip symlink creation
 pspm install -y                          # Skip agent selection prompt
+pspm install -g                          # Install to user home directory
 
 # Install specific packages (like npm):
 pspm install @user/alice/skill1 github:org/repo
@@ -236,6 +247,7 @@ Recreate agent symlinks without reinstalling (useful after adding agents):
 pspm link
 pspm link --agent claude-code,cursor  # Link to specific agents
 pspm link -y                          # Skip agent selection prompt
+pspm link -g                          # Recreate global agent symlinks
 ```
 
 ### Update Skills
@@ -245,6 +257,39 @@ pspm update
 pspm update --dry-run    # Preview updates without applying
 ```
 
+### Search Skills
+
+Search and discover skills from the registry:
+
+```bash
+pspm search typescript        # Search by keyword
+pspm find react               # Alias for search
+pspm search react --json      # JSON output
+pspm search --sort recent --limit 10
+```
+
+### Check Outdated Skills
+
+```bash
+pspm outdated                 # Check all packages
+pspm outdated code-review     # Check specific package
+pspm outdated --json          # JSON output
+pspm outdated --all           # Include up-to-date packages
+```
+
+Exits with code `1` if any packages are outdated.
+
+### Audit Skills
+
+Verify integrity of installed skills:
+
+```bash
+pspm audit                    # Human-readable output
+pspm audit --json             # JSON output (for CI)
+```
+
+Checks for: missing packages, deprecated versions, corrupted installations.
+
 ## Versioning
 
 ### Bump Version
@@ -276,12 +321,15 @@ The command:
 Publish the current directory as a skill:
 
 ```bash
-pspm publish
-pspm publish --bump patch    # Auto-bump version (major, minor, patch)
-pspm publish --bump minor --tag beta
-pspm publish --access public # Publish and make public in one step
+pspm publish --access public          # Publish as public
+pspm publish --access private         # Publish as private
+pspm publish --access team --org myorg # Publish under org
+pspm publish --access public --bump patch    # Auto-bump version
+pspm publish --access public --bump minor --tag beta
 ```
 
+The `--access` flag is required and must be `public`, `private`, or `team`.
+
 **Required `pspm.json` fields:**
 - `name` - Skill name (e.g., `@user/username/skillname`)
 - `version` - Semver version
@@ -298,13 +346,18 @@ Remove a published skill version (only within 72 hours of publishing):
 ```bash
 pspm unpublish <specifier> --force
 
-# Delete specific version
+# Delete specific version (user skills only)
 pspm unpublish @user/bsheng/vite_slides@2.0.0 --force
 
-# Delete all versions
+# Delete all versions (user skill)
 pspm unpublish @user/bsheng/vite_slides --force
+
+# Delete all versions (org skill)
+pspm unpublish @org/myorg/team-skill --force
 ```
 
+**Note:** Version-specific deletion for org skills is not yet supported. Use the full skill specifier without a version to delete the entire org skill.
+
 ### Deprecate Skill
 
 Mark a skill version as deprecated (alternative to unpublish after 72 hours):
@@ -338,6 +391,88 @@ pspm access @user/bsheng/vite_slides --public
 - **Private packages** (default): Require authentication to download
 - **Public packages**: Anyone can download without authentication
 
+## Client-Side Encryption
+
+Private packages can be encrypted before upload so that the PSPM server and storage (R2) only ever see ciphertext. The encryption key never leaves your machine.
+
+### How It Works
+
+- **Publish:** If an encryption key is set for the package scope, the CLI encrypts the tarball with AES-256-GCM before uploading. The server stores only ciphertext.
+- **Install:** The CLI checks the package manifest for encryption metadata. If present, it decrypts the tarball locally before extracting.
+- **Public packages** are never encrypted — encryption only applies to `private` and `team` visibility.
+
+### Set an Encryption Key
+
+Each scope (`@user/yourname` or `@org/orgname`) has one encryption key. All private packages under that scope use the same key.
+
+```bash
+# Set encryption key for your user scope
+pspm config set-encryption-key @user/yourname my-secret-passphrase
+
+# Set encryption key for an organization
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+Or use environment variables:
+
+```bash
+export PSPM_ENCRYPTION_KEY_USER_YOURNAME="my-secret-passphrase"
+export PSPM_ENCRYPTION_KEY_ORG_MYORG="shared-team-secret"
+```
+
+### Manage Encryption Keys
+
+```bash
+# Check if a key is set
+pspm config get-encryption-key @user/yourname
+
+# Remove a key
+pspm config remove-encryption-key @user/yourname
+```
+
+### Publish with Encryption
+
+When you publish a private package and an encryption key is configured for the scope, the CLI automatically encrypts:
+
+```bash
+pspm config set-encryption-key @user/yourname my-secret
+pspm publish --access private
+# Output: pspm notice Encrypting package (scope: @user/yourname)
+```
+
+If no encryption key is set, the package is uploaded unencrypted with a warning.
+
+### Install Encrypted Packages
+
+```bash
+# Set the same key used during publish
+pspm config set-encryption-key @user/yourname my-secret
+
+# Install as usual — decryption is automatic
+pspm install
+```
+
+If you don't have the key, the CLI will show an error with instructions:
+
+```
+Error: Package @user/yourname/my-skill is encrypted.
+Set the key: pspm config set-encryption-key @user/yourname <passphrase>
+```
+
+### Team Sharing
+
+For organization packages, share the encryption key with team members through a secure channel (e.g., a password manager). Each team member adds it to their local config:
+
+```bash
+pspm config set-encryption-key @org/myorg shared-team-secret
+```
+
+### Important Notes
+
+- **Key loss = data loss.** If you lose your encryption key, encrypted packages cannot be recovered. Back up your keys.
+- The server stores encryption metadata (algorithm, salt, IV) alongside the package — these are not secrets and are safe to store publicly.
+- Encryption is opt-in. If no key is configured, private packages are uploaded unencrypted.
+
 ## Configuration Files
 
 ### User Config: `~/.pspmrc`
@@ -357,6 +492,10 @@ username = myuser
 ; Multi-registry: Per-registry tokens (optional)
 //pspm.dev:authToken = sk_public_token
 //corp.pspm.io:authToken = sk_corp_token
+
+; Encryption keys (optional)
+encryption-key:@user/yourname = my-secret-passphrase
+encryption-key:@org/myorg = shared-team-secret
 ```
 
 ### Project Config: `.pspmrc`
@@ -441,6 +580,7 @@ Configuration is resolved in priority order:
 | `PSPM_API_KEY` | Override API key |
 | `PSPM_DEBUG` | Enable debug logging |
 | `GITHUB_TOKEN` | GitHub token for private repos and higher rate limits |
+| `PSPM_ENCRYPTION_KEY_<SCOPE>` | Encryption key for a scope (e.g., `PSPM_ENCRYPTION_KEY_USER_ALICE`) |
 
 ## Directory Structure
 
@@ -517,6 +657,106 @@ pspm init
 pspm publish --bump patch
 ```
 
+## Skill Lists
+
+### List Skill Lists
+
+```bash
+pspm skill-list list              # Your lists
+pspm skill-list list --org myorg  # Organization's lists
+pspm skill-list list --json       # JSON output
+```
+
+### Create Skill List
+
+```bash
+pspm skill-list create my-favorites
+pspm skill-list create my-favorites --visibility public
+pspm skill-list create team-tools --org myorg -d "Our team's tools"
+```
+
+### Show Skill List
+
+```bash
+pspm skill-list show @user/alice/my-favorites
+pspm skill-list show @org/myorg/team-tools --json
+```
+
+### Update Skill List
+
+```bash
+pspm skill-list update @user/alice/my-favorites --description "Updated desc"
+pspm skill-list update @user/alice/my-favorites --visibility public
+```
+
+### Delete Skill List
+
+```bash
+pspm skill-list delete @user/alice/my-favorites
+```
+
+### Add Skill to List
+
+```bash
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/code-review
+pspm skill-list add-skill @user/alice/my-favorites @user/bob/lint --note "Great for CI"
+```
+
+### Remove Skill from List
+
+```bash
+pspm skill-list remove-skill @user/alice/my-favorites @user/bob/code-review
+```
+
+### Install from Skill List
+
+```bash
+pspm skill-list install @user/alice/my-favorites
+pspm skill-list install @org/myorg/team-tools --agent claude-code
+```
+
+## Notebook Management
+
+### Upload Notebook
+
+```bash
+pspm notebook upload notebook.anyt.md
+pspm notebook upload notebook.anyt.md --visibility public
+pspm notebook upload notebook.anyt.md --org myorg
+```
+
+### List Notebooks
+
+```bash
+pspm notebook list
+pspm notebook list --org myorg
+pspm notebook list --json
+```
+
+### Download Notebook
+
+```bash
+pspm notebook download <id>
+```
+
+### Delete Notebook
+
+```bash
+pspm notebook delete <id>
+```
+
+## Self-Update
+
+### Upgrade PSPM
+
+Update pspm itself to the latest version:
+
+```bash
+pspm upgrade
+```
+
+Auto-detects your package manager (pnpm, npm, yarn, bun). The CLI also checks for updates every 24 hours and notifies you when a newer version is available.
+
 ## Troubleshooting
 
 | Error | Solution |

package/README.md

@@ -130,6 +130,8 @@ pspm install
 | `pspm login` | Authenticate via browser or API key |
 | `pspm skill-list <subcommand>` | Manage skill lists (list, create, show, delete, update, add-skill, remove-skill, install) |
 | `pspm notebook <subcommand>` | Manage notebooks (upload, list, download, delete) |
+| `pspm config <subcommand>` | Manage configuration and per-scope encryption keys (show, init, set/get/remove-encryption-key) |
+| `pspm migrate` | Migrate from older on-disk skill directory layouts |
 | `pspm upgrade` | Update pspm itself to the latest version |
 
 ### `pspm install`
@@ -445,7 +447,7 @@ project/
 |   |   +-- _local/          # Local skill symlinks
 |   +-- cache/               # Tarball cache
 +-- .claude/
-|   +-- skills/              # Symlinks for Claude Code
+|   +-- skills/              # Symlinks for Claude Code (and other agents)
 +-- .cursor/
     +-- skills/              # Symlinks for Cursor (if configured)
 ```
@@ -514,4 +516,4 @@ Auto-detects your package manager (pnpm, npm, yarn, bun). The CLI also checks fo
 
 This project is licensed under [The Artistic License 2.0](LICENSE), the same license used by npm.
 
-<!-- @doc-sync: 1f5c64d | 2026-03-18 10:30 -->
+<!-- @doc-sync: 99b1a4a | 2026-04-24 13:00 -->