npm - @anytio/pspm - Versions diffs - 0.12.0 → 0.14.0 - Mend

@anytio/pspm 0.12.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/CHANGELOG.md +26 -2
package/CLI_GUIDE.md +248 -8
package/README.md +4 -2
package/dist/add-CcgUlOLa.js +755 -0
package/dist/add-CcgUlOLa.js.map +1 -0
package/dist/add-Cnn-OR9g.js +2 -0
package/dist/api-client-CBTk37gh.js +2 -0
package/dist/api-client-DBXUpGoX.js +452 -0
package/dist/api-client-DBXUpGoX.js.map +1 -0
package/dist/config-BQy_Rjip.js +470 -0
package/dist/config-BQy_Rjip.js.map +1 -0
package/dist/config-BZJ6_GsC.js +2 -0
package/dist/index.js +2782 -6826
package/dist/index.js.map +1 -1
package/dist/install-gcvbBeWi.js +2 -0
package/dist/install-lNvqIk5c.js +479 -0
package/dist/install-lNvqIk5c.js.map +1 -0
package/dist/symlinks-BTw8X0GG.js +1834 -0
package/dist/symlinks-BTw8X0GG.js.map +1 -0
package/package.json +14 -12

package/dist/symlinks-BTw8X0GG.js ADDED Viewed

@@ -0,0 +1,1834 @@
+import { a as getGithubSkillVersion, g as listSkillVersions, h as listOrgSkillVersions, m as getSkillVersion, n as configure, o as listGithubSkillVersions, p as getOrgSkillVersion } from "./api-client-DBXUpGoX.js";
+import { a as getLegacyLockfilePath, s as getLockfilePath, u as isGlobalMode, v as getRegistryUrl } from "./config-BQy_Rjip.js";
+import { dirname, join, relative } from "node:path";
+import { cp, lstat, mkdir, readFile, readdir, readlink, rm, stat, symlink, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { createCipheriv, createDecipheriv, createHash, randomBytes, scryptSync } from "node:crypto";
+import ignore from "ignore";
+import * as semver$1 from "semver";
+import { checkbox } from "@inquirer/prompts";
+//#region src/lib/encryption.ts
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const SALT_LENGTH = 32;
+const SCRYPT_COST = 16384;
+const SCRYPT_BLOCK_SIZE = 8;
+const SCRYPT_PARALLELISM = 1;
+const AUTH_TAG_LENGTH = 16;
+/**
+* Derive an AES-256 key from a passphrase using scrypt.
+*/
+function deriveKey(passphrase, salt) {
+	return scryptSync(passphrase, salt, KEY_LENGTH, {
+		N: SCRYPT_COST,
+		r: SCRYPT_BLOCK_SIZE,
+		p: SCRYPT_PARALLELISM
+	});
+}
+/**
+* Encrypt a buffer using AES-256-GCM with a passphrase.
+*
+* @param data - The plaintext buffer to encrypt
+* @param passphrase - The encryption passphrase
+* @param scope - The scope identifier (e.g., "@user/alice" or "@org/acme")
+* @returns The encrypted buffer and metadata needed for decryption
+*/
+function encryptBuffer(data, passphrase, scope) {
+	const salt = randomBytes(SALT_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+	const cipher = createCipheriv(ALGORITHM, deriveKey(passphrase, salt), iv, { authTagLength: AUTH_TAG_LENGTH });
+	const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+	const authTag = cipher.getAuthTag();
+	return {
+		encrypted,
+		metadata: {
+			algorithm: ALGORITHM,
+			kdf: "scrypt",
+			salt: salt.toString("hex"),
+			iv: iv.toString("hex"),
+			authTag: authTag.toString("hex"),
+			scope
+		}
+	};
+}
+/**
+* Decrypt a buffer using AES-256-GCM with a passphrase.
+*
+* @param encrypted - The encrypted buffer
+* @param passphrase - The encryption passphrase
+* @param metadata - The encryption metadata (salt, iv, authTag)
+* @returns The decrypted plaintext buffer
+* @throws Error if decryption fails (wrong passphrase or corrupted data)
+*/
+function decryptBuffer(encrypted, passphrase, metadata) {
+	const salt = Buffer.from(metadata.salt, "hex");
+	const iv = Buffer.from(metadata.iv, "hex");
+	const authTag = Buffer.from(metadata.authTag, "hex");
+	const decipher = createDecipheriv(ALGORITHM, deriveKey(passphrase, salt), iv, { authTagLength: AUTH_TAG_LENGTH });
+	decipher.setAuthTag(authTag);
+	return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+}
+//#endregion
+//#region src/lib/ignore.ts
+/**
+* Ignore file handling for PSPM publish/pack
+*
+* Similar to npm's .npmignore behavior:
+* - If .pspmignore exists, use it
+* - Otherwise, fallback to .gitignore
+* - Always ignore node_modules and .git regardless
+*/
+/**
+* Files/directories that are always ignored regardless of ignore file contents
+*/
+const ALWAYS_IGNORED = [
+	"node_modules",
+	".git",
+	".pspm-publish"
+];
+/**
+* Load ignore patterns from .pspmignore or .gitignore
+*
+* Priority:
+* 1. .pspmignore (if exists)
+* 2. .gitignore (if exists)
+* 3. Default patterns only (node_modules, .git)
+*
+* @param cwd - The directory to look for ignore files (defaults to process.cwd())
+* @returns An ignore instance and the source file used
+*/
+async function loadIgnorePatterns(cwd = process.cwd()) {
+	const ig = ignore();
+	ig.add(ALWAYS_IGNORED);
+	const pspmIgnorePath = join(cwd, ".pspmignore");
+	try {
+		const patterns = parseIgnorePatterns(await readFile(pspmIgnorePath, "utf-8"));
+		ig.add(patterns);
+		return {
+			ig,
+			source: ".pspmignore",
+			patterns
+		};
+	} catch {}
+	const gitIgnorePath = join(cwd, ".gitignore");
+	try {
+		const patterns = parseIgnorePatterns(await readFile(gitIgnorePath, "utf-8"));
+		ig.add(patterns);
+		return {
+			ig,
+			source: ".gitignore",
+			patterns
+		};
+	} catch {}
+	return {
+		ig,
+		source: null,
+		patterns: []
+	};
+}
+/**
+* Create rsync exclude arguments from ignore patterns
+*
+* @param ig - The ignore instance
+* @returns Array of --exclude='pattern' arguments for rsync
+*/
+function getExcludeArgsForRsync(patterns) {
+	return [...new Set([...ALWAYS_IGNORED, ...patterns])].map((p) => `--exclude='${p}'`).join(" ");
+}
+/**
+* Parse an ignore file content into an array of patterns
+* Filters out comments and empty lines
+*
+* @param content - The content of an ignore file
+* @returns Array of patterns
+*/
+function parseIgnorePatterns(content) {
+	return content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#"));
+}
+//#endregion
+//#region src/lib/integrity.ts
+/**
+* Calculate integrity hash for a buffer.
+* Uses SHA-256 with base64 encoding, prefixed with "sha256-".
+*
+* @param data - The buffer to hash
+* @returns Integrity string (e.g., "sha256-abc123...")
+*/
+function calculateIntegrity(data) {
+	return `sha256-${createHash("sha256").update(data).digest("base64")}`;
+}
+//#endregion
+//#region src/lib/lockfile.ts
+/**
+* PSPM Lockfile Schema URL for IDE validation
+*/
+const PSPM_LOCKFILE_SCHEMA_URL = "https://pspm.dev/schema/v1/pspm-lock.json";
+//#endregion
+//#region src/lib/manifest.ts
+/**
+* Default file patterns to include when publishing
+*/
+const DEFAULT_SKILL_FILES = [
+	"SKILL.md",
+	"runtime",
+	"scripts",
+	"data"
+];
+/**
+* Schema URL for pspm.json (versioned)
+*/
+const PSPM_SCHEMA_URL = "https://pspm.dev/schema/v1/pspm.json";
+/**
+* Validate that a manifest has required fields
+*/
+function validateManifest(manifest) {
+	if (!manifest.name) return {
+		valid: false,
+		error: "Manifest must have a 'name' field"
+	};
+	if (!manifest.version) return {
+		valid: false,
+		error: "Manifest must have a 'version' field"
+	};
+	const parts = manifest.name.split("/");
+	const bareName = parts[parts.length - 1];
+	if (!/^[a-z][a-z0-9_-]*$/.test(bareName)) return {
+		valid: false,
+		error: "Name must start with a lowercase letter and contain only lowercase letters, numbers, hyphens, and underscores"
+	};
+	if (!/^\d+\.\d+\.\d+/.test(manifest.version)) return {
+		valid: false,
+		error: "Version must be a valid semantic version (e.g., 1.0.0)"
+	};
+	return { valid: true };
+}
+//#endregion
+//#region ../../packages/shared/skill-types/src/specifier.ts
+/**
+* Unified registry specifier regex pattern.
+*
+* Matches:
+* - @user/{owner}/{name}[@version]
+* - @org/{owner}/{name}[@version]
+* - @github/{owner}/{repo}/{skillname}[@version]
+*
+* Group 1: namespace (user|org|github)
+* Group 2: owner
+* Group 3: name (skill name for user/org, repo name for github)
+* Group 4: optional subname (skill name within repo, github only)
+* Group 5: optional @version
+*/
+const REGISTRY_SPECIFIER_PATTERN$1 = /^@(user|org|github)\/([a-zA-Z0-9_-]+)\/([a-zA-Z0-9._-]+)(?:\/([a-z][a-z0-9-]*))?(?:@(.+))?$/;
+/**
+* Parse a registry specifier string (any namespace).
+*
+* @param specifier - The specifier string
+* @returns Parsed specifier or null if invalid
+*
+* @example
+* ```typescript
+* parseRegistrySpecifier("@user/bsheng/my-skill@^1.0.0")
+* // => { namespace: "user", owner: "bsheng", name: "my-skill", versionRange: "^1.0.0" }
+*
+* parseRegistrySpecifier("@org/anyt/code-review")
+* // => { namespace: "org", owner: "anyt", name: "code-review" }
+*
+* parseRegistrySpecifier("@github/microsoft/skills/azure-ai@1.0.0")
+* // => { namespace: "github", owner: "microsoft", name: "skills", subname: "azure-ai", versionRange: "1.0.0" }
+* ```
+*/
+function parseRegistrySpecifier$1(specifier) {
+	const match = specifier.match(REGISTRY_SPECIFIER_PATTERN$1);
+	if (!match) return null;
+	const namespace = match[1];
+	const owner = match[2];
+	const name = match[3];
+	const subname = match[4];
+	const versionRange = match[5];
+	if (!owner || !name) return null;
+	if (namespace === "github" && !subname) return null;
+	if (namespace !== "github" && subname) return null;
+	return {
+		namespace,
+		owner,
+		name,
+		subname: subname || void 0,
+		versionRange: versionRange || void 0
+	};
+}
+//#endregion
+//#region src/lib/resolver-api.ts
+/**
+* Fetch the list of versions for a package across all namespaces.
+*/
+async function fetchVersionList(parsed) {
+	if (parsed.namespace === "github" && parsed.subname) {
+		const resp = await listGithubSkillVersions(parsed.owner, parsed.name, parsed.subname);
+		return resp.status === 200 ? resp.data : void 0;
+	}
+	if (parsed.namespace === "org") {
+		const resp = await listOrgSkillVersions(parsed.owner, parsed.name);
+		return resp.status === 200 ? resp.data : void 0;
+	}
+	const resp = await listSkillVersions(parsed.owner, parsed.name);
+	return resp.status === 200 ? resp.data : void 0;
+}
+/**
+* Fetch package details for a specific version across all namespaces.
+*/
+async function fetchVersionDetails(parsed, version) {
+	if (parsed.namespace === "github" && parsed.subname) {
+		const resp = await getGithubSkillVersion(parsed.owner, parsed.name, parsed.subname, version);
+		return resp.status === 200 && resp.data ? resp.data : null;
+	}
+	if (parsed.namespace === "org") {
+		const resp = await getOrgSkillVersion(parsed.owner, parsed.name, version);
+		return resp.status === 200 && resp.data ? resp.data : null;
+	}
+	const resp = await getSkillVersion(parsed.owner, parsed.name, version);
+	return resp.status === 200 && resp.data ? resp.data : null;
+}
+//#endregion
+//#region src/lib/resolver-format.ts
+/**
+* Topologically sort packages using Kahn's algorithm.
+* Packages with no dependencies are installed first.
+*
+* @param graph - The dependency graph
+* @returns Sorted list of package names
+*/
+function topologicalSort(graph) {
+	const inDegree = /* @__PURE__ */ new Map();
+	const dependents = /* @__PURE__ */ new Map();
+	for (const name of graph.nodes.keys()) {
+		inDegree.set(name, 0);
+		dependents.set(name, []);
+	}
+	for (const [name, node] of graph.nodes.entries()) for (const depName of Object.keys(node.dependencies)) if (graph.nodes.has(depName)) {
+		inDegree.set(name, (inDegree.get(name) ?? 0) + 1);
+		if (!dependents.has(depName)) dependents.set(depName, []);
+		dependents.get(depName)?.push(name);
+	}
+	const queue = [];
+	for (const [name, degree] of inDegree.entries()) if (degree === 0) queue.push(name);
+	const sorted = [];
+	while (queue.length > 0) {
+		const current = queue.shift();
+		if (!current) continue;
+		sorted.push(current);
+		const deps = dependents.get(current) ?? [];
+		for (const dependent of deps) {
+			const newDegree = (inDegree.get(dependent) ?? 1) - 1;
+			inDegree.set(dependent, newDegree);
+			if (newDegree === 0 && !sorted.includes(dependent)) queue.push(dependent);
+		}
+	}
+	return sorted;
+}
+/**
+* Compute installation order from lockfile packages.
+* Dependencies are installed before dependents.
+*
+* @param packages - Lockfile packages with dependencies field
+* @returns Sorted list of package names
+*/
+function computeInstallOrder(packages) {
+	const visited = /* @__PURE__ */ new Set();
+	const order = [];
+	function visit(name) {
+		if (visited.has(name)) return;
+		visited.add(name);
+		const entry = packages[name];
+		if (entry?.dependencies) for (const dep of Object.keys(entry.dependencies)) visit(dep);
+		order.push(name);
+	}
+	for (const name of Object.keys(packages)) visit(name);
+	return order;
+}
+/**
+* Format resolution errors for display.
+*
+* @param errors - Resolution errors
+* @returns Formatted error messages
+*/
+function formatResolutionErrors(errors) {
+	return errors.map((error) => {
+		switch (error.type) {
+			case "circular_dependency": return `Circular dependency: ${error.path?.join(" -> ") ?? error.package}`;
+			case "max_depth_exceeded": return `Max depth exceeded at: ${error.path?.join(" -> ") ?? error.package}`;
+			case "no_satisfying_version": return error.message;
+			case "package_not_found": return `Package not found: ${error.package}`;
+			case "fetch_error": return error.message;
+			default: return error.message;
+		}
+	});
+}
+/**
+* Format version conflicts for display.
+*
+* @param conflicts - Version conflicts
+* @returns Formatted conflict messages
+*/
+function formatVersionConflicts(conflicts) {
+	return conflicts.map((conflict) => {
+		const requirements = conflict.ranges.map((r) => `${r.dependent} needs ${r.range}`).join(", ");
+		return `No version of ${conflict.package} satisfies: ${requirements}`;
+	});
+}
+/**
+* Print resolution errors to console.
+*
+* @param errors - Resolution errors
+* @param conflicts - Version conflicts
+*/
+function printResolutionErrors(errors, conflicts = []) {
+	if (errors.length > 0) {
+		console.error("\nResolution errors:");
+		for (const msg of formatResolutionErrors(errors)) console.error(`  - ${msg}`);
+	}
+	if (conflicts.length > 0) {
+		console.error("\nVersion conflicts:");
+		for (const msg of formatVersionConflicts(conflicts)) console.error(`  - ${msg}`);
+	}
+}
+//#endregion
+//#region src/lib/version.ts
+/**
+* Resolve the best matching version from a list of available versions.
+*
+* @param range - The version range to match (e.g., "^1.0.0", "~2.1.0", "*")
+* @param availableVersions - List of available version strings
+* @returns The best matching version or null if none found
+*/
+function resolveVersion(range, availableVersions) {
+	const sorted = availableVersions.filter((v) => semver$1.valid(v)).sort((a, b) => semver$1.rcompare(a, b));
+	if (!range || range === "latest" || range === "*") return sorted[0] ?? null;
+	return semver$1.maxSatisfying(sorted, range);
+}
+/**
+* Check if version a is greater than version b.
+*/
+function isNewerVersion(a, b) {
+	return semver$1.gt(a, b);
+}
+/**
+* Find the highest version that satisfies ALL given ranges.
+* Used for pnpm-style dependency resolution where multiple dependents
+* may require the same package with different version constraints.
+*
+* @param ranges - Array of semver ranges to satisfy (e.g., ["^1.0.0", ">=1.2.0"])
+* @param availableVersions - List of available version strings
+* @returns The highest version satisfying all ranges, or null if none found
+*/
+function findHighestSatisfying(ranges, availableVersions) {
+	const sorted = availableVersions.filter((v) => semver$1.valid(v)).sort((a, b) => semver$1.rcompare(a, b));
+	if (sorted.length === 0) return null;
+	const normalizedRanges = ranges.map((r) => !r || r === "latest" || r === "*" ? "*" : r);
+	for (const version of sorted) if (normalizedRanges.every((range) => semver$1.satisfies(version, range))) return version;
+	return null;
+}
+//#endregion
+//#region src/lib/resolver.ts
+/**
+* Recursive Dependency Resolver for PSPM
+*
+* Implements pnpm-style dependency resolution:
+* - Highest satisfying version strategy
+* - 5-depth limit to prevent deep trees
+* - Circular dependency detection
+* - Topological sort for installation order
+*/
+function buildNode(name, version, versionRange, details, depth, dependent) {
+	const manifest = details.manifest;
+	return {
+		name,
+		version,
+		versionRange,
+		downloadUrl: details.downloadUrl,
+		integrity: `sha256-${Buffer.from(details.checksum, "hex").toString("base64")}`,
+		depth,
+		dependencies: manifest?.dependencies ?? {},
+		dependents: [dependent],
+		isDirect: depth === 0,
+		deprecated: details.deprecationMessage ?? void 0
+	};
+}
+/**
+* Resolve dependencies recursively using BFS.
+*
+* Algorithm:
+* 1. Queue root dependencies at depth=0
+* 2. For each package, collect all version ranges from dependents
+* 3. Find highest version satisfying ALL ranges
+* 4. Fetch package details including its dependencies
+* 5. Queue transitive dependencies at depth+1
+* 6. Topologically sort for installation order
+*
+* @param rootDeps - Direct dependencies: name -> version range
+* @param config - Resolver configuration
+* @returns Resolution result with graph and install order
+*/
+async function resolveRecursive(rootDeps, config) {
+	const graph = {
+		nodes: /* @__PURE__ */ new Map(),
+		roots: Object.keys(rootDeps),
+		errors: [],
+		conflicts: []
+	};
+	configure({
+		registryUrl: config.registryUrl,
+		apiKey: config.apiKey
+	});
+	const rangesByPackage = /* @__PURE__ */ new Map();
+	const queue = [];
+	for (const [name, range] of Object.entries(rootDeps)) queue.push({
+		name,
+		versionRange: range,
+		depth: 0,
+		dependent: "root",
+		path: []
+	});
+	await collectRanges(queue, rangesByPackage, /* @__PURE__ */ new Set(), graph, config);
+	await resolveFinalVersions(rangesByPackage, graph);
+	const installOrder = topologicalSort(graph);
+	return {
+		success: graph.errors.length === 0 && graph.conflicts.length === 0,
+		graph,
+		installOrder
+	};
+}
+async function collectRanges(queue, rangesByPackage, processing, graph, config) {
+	while (queue.length > 0) {
+		const item = queue.shift();
+		if (!item) continue;
+		const { name, versionRange, depth, dependent, path } = item;
+		if (depth > config.maxDepth) {
+			graph.errors.push({
+				type: "max_depth_exceeded",
+				package: name,
+				message: `Maximum dependency depth (${config.maxDepth}) exceeded at: ${[...path, name].join(" -> ")}`,
+				path: [...path, name]
+			});
+			continue;
+		}
+		if (path.includes(name)) {
+			graph.errors.push({
+				type: "circular_dependency",
+				package: name,
+				message: `Circular dependency detected: ${[...path, name].join(" -> ")}`,
+				path: [...path, name]
+			});
+			continue;
+		}
+		if (!rangesByPackage.has(name)) rangesByPackage.set(name, []);
+		rangesByPackage.get(name)?.push({
+			range: versionRange,
+			dependent,
+			depth
+		});
+		if (processing.has(name)) continue;
+		processing.add(name);
+		const parsed = parseRegistrySpecifier$1(name);
+		if (!parsed) {
+			graph.errors.push({
+				type: "package_not_found",
+				package: name,
+				message: `Invalid package name format: ${name}`
+			});
+			continue;
+		}
+		try {
+			const versionsData = await fetchVersionList(parsed);
+			if (!versionsData) {
+				graph.errors.push({
+					type: "package_not_found",
+					package: name,
+					message: `Package ${name} not found in registry`
+				});
+				continue;
+			}
+			if (versionsData.length === 0) {
+				graph.errors.push({
+					type: "package_not_found",
+					package: name,
+					message: `Package ${name} has no versions`
+				});
+				continue;
+			}
+			const availableVersions = versionsData.map((v) => v.version);
+			const resolvedVersion = findHighestSatisfying([versionRange], availableVersions);
+			if (!resolvedVersion) {
+				graph.errors.push({
+					type: "no_satisfying_version",
+					package: name,
+					message: `No version of ${name} satisfies: ${versionRange}`
+				});
+				continue;
+			}
+			const versionData = await fetchVersionDetails(parsed, resolvedVersion);
+			if (!versionData) {
+				graph.errors.push({
+					type: "fetch_error",
+					package: name,
+					message: `Failed to fetch ${name}@${resolvedVersion}`
+				});
+				continue;
+			}
+			const node = buildNode(name, resolvedVersion, versionRange, versionData, depth, dependent);
+			graph.nodes.set(name, node);
+			for (const [depName, depRange] of Object.entries(node.dependencies)) queue.push({
+				name: depName,
+				versionRange: depRange,
+				depth: depth + 1,
+				dependent: name,
+				path: [...path, name]
+			});
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Unknown error";
+			graph.errors.push({
+				type: "fetch_error",
+				package: name,
+				message: `Error fetching ${name}: ${message}`
+			});
+		}
+	}
+}
+async function resolveFinalVersions(rangesByPackage, graph) {
+	for (const [name, ranges] of rangesByPackage.entries()) {
+		const node = graph.nodes.get(name);
+		if (!node) continue;
+		node.dependents = [...new Set(ranges.map((r) => r.dependent))];
+		const allRanges = ranges.map((r) => r.range);
+		const parsed = parseRegistrySpecifier$1(name);
+		if (!parsed) continue;
+		try {
+			const versions = await fetchVersionList(parsed);
+			if (!versions) continue;
+			const availableVersions = versions.map((v) => v.version);
+			const finalVersion = findHighestSatisfying(allRanges, availableVersions);
+			if (!finalVersion) {
+				graph.conflicts.push({
+					package: name,
+					ranges: ranges.map((r) => ({
+						dependent: r.dependent,
+						range: r.range
+					})),
+					availableVersions
+				});
+				graph.errors.push({
+					type: "no_satisfying_version",
+					package: name,
+					message: `No version of ${name} satisfies all requirements: ${allRanges.join(", ")}`
+				});
+				continue;
+			}
+			if (finalVersion !== node.version) {
+				const versionData = await fetchVersionDetails(parsed, finalVersion);
+				if (versionData) {
+					node.version = finalVersion;
+					node.downloadUrl = versionData.downloadUrl;
+					node.integrity = `sha256-${Buffer.from(versionData.checksum, "hex").toString("base64")}`;
+					node.deprecated = versionData.deprecationMessage ?? void 0;
+					node.dependencies = versionData.manifest?.dependencies ?? {};
+				}
+			}
+		} catch {}
+	}
+}
+//#endregion
+//#region src/lib/specifier.ts
+/**
+* Unified registry specifier regex pattern.
+*
+* Matches:
+* - @user/{owner}/{name}[@version]
+* - @org/{owner}/{name}[@version]
+* - @github/{owner}/{repo}/{skillname}[@version]
+*
+* Group 1: namespace (user|org|github)
+* Group 2: owner
+* Group 3: name (skill name for user/org, repo name for github)
+* Group 4: optional subname (skill name within repo, github only)
+* Group 5: optional @version
+*/
+const REGISTRY_SPECIFIER_PATTERN = /^@(user|org|github)\/([a-zA-Z0-9_-]+)\/([a-zA-Z0-9._-]+)(?:\/([a-z][a-z0-9-]*))?(?:@(.+))?$/;
+/**
+* Parse a registry specifier string (any namespace).
+*
+* @param specifier - The specifier string
+* @returns Parsed specifier or null if invalid
+*/
+function parseRegistrySpecifier(specifier) {
+	const match = specifier.match(REGISTRY_SPECIFIER_PATTERN);
+	if (!match) return null;
+	const namespace = match[1];
+	const owner = match[2];
+	const name = match[3];
+	const subname = match[4];
+	const versionRange = match[5];
+	if (!owner || !name) return null;
+	if (namespace === "github" && !subname) return null;
+	if (namespace !== "github" && subname) return null;
+	return {
+		namespace,
+		owner,
+		name,
+		subname: subname || void 0,
+		versionRange: versionRange || void 0
+	};
+}
+/**
+* Generate a full registry identifier string.
+*/
+function generateRegistryIdentifier(spec) {
+	let base = `@${spec.namespace}/${spec.owner}/${spec.name}`;
+	if (spec.subname) base += `/${spec.subname}`;
+	if (spec.versionRange) base += `@${spec.versionRange}`;
+	return base;
+}
+/**
+* Check if a string is a registry specifier (starts with @user/, @org/, or @github/).
+*/
+function isRegistrySpecifier(specifier) {
+	return specifier.startsWith("@user/") || specifier.startsWith("@org/") || specifier.startsWith("@github/");
+}
+/**
+* GitHub specifier regex pattern
+* Matches: github:{owner}/{repo}[/{path}][@{ref}]
+*
+* Group 1: owner
+* Group 2: repo
+* Group 3: optional /path (with leading slash)
+* Group 4: optional @ref
+*/
+const GITHUB_SPECIFIER_PATTERN = /^github:([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_.-]+)(\/[^@]+)?(?:@(.+))?$/;
+/**
+* Parse a GitHub specifier string.
+*
+* @param specifier - The specifier string (e.g., "github:owner/repo/path@ref")
+* @returns Parsed specifier or null if invalid
+*
+* @example
+* ```typescript
+* parseGitHubSpecifier("github:vercel-labs/agent-skills/skills/react@main")
+* // => { owner: "vercel-labs", repo: "agent-skills", path: "skills/react", ref: "main" }
+*
+* parseGitHubSpecifier("github:myorg/prompts")
+* // => { owner: "myorg", repo: "prompts", path: undefined, ref: undefined }
+* ```
+*/
+function parseGitHubSpecifier(specifier) {
+	const match = specifier.match(GITHUB_SPECIFIER_PATTERN);
+	if (!match) return null;
+	const [, owner, repo, pathWithSlash, ref] = match;
+	if (!owner || !repo) return null;
+	return {
+		owner,
+		repo,
+		path: pathWithSlash ? pathWithSlash.slice(1) : void 0,
+		ref: ref || void 0
+	};
+}
+/**
+* Format a GitHubSpecifier back to string format.
+*
+* @param spec - The GitHub specifier object
+* @returns Formatted string (e.g., "github:owner/repo/path@ref")
+*/
+function formatGitHubSpecifier(spec) {
+	let result = `github:${spec.owner}/${spec.repo}`;
+	if (spec.path) result += `/${spec.path}`;
+	if (spec.ref) result += `@${spec.ref}`;
+	return result;
+}
+/**
+* Extract skill name from GitHub specifier.
+* Uses the last segment of the path, or the repo name if no path.
+*
+* @param spec - The GitHub specifier object
+* @returns Skill name (e.g., "react-best-practices" or "prompts")
+*
+* @example
+* ```typescript
+* getGitHubSkillName({ owner: "vercel-labs", repo: "agent-skills", path: "skills/react" })
+* // => "react"
+*
+* getGitHubSkillName({ owner: "myorg", repo: "prompts" })
+* // => "prompts"
+* ```
+*/
+function getGitHubSkillName(spec) {
+	if (spec.path) {
+		const segments = spec.path.split("/").filter(Boolean);
+		const lastSegment = segments[segments.length - 1];
+		if (lastSegment) return lastSegment;
+	}
+	return spec.repo;
+}
+/**
+* Check if a string is a GitHub specifier (github: prefix)
+*/
+function isGitHubSpecifier(specifier) {
+	return specifier.startsWith("github:");
+}
+/**
+* GitHub URL patterns
+*
+* Matches:
+* - https://github.com/owner/repo/tree/branch/path/to/skill
+* - https://github.com/owner/repo/tree/branch
+* - https://github.com/owner/repo
+* - https://github.com/owner/repo.git
+*/
+const GITHUB_URL_TREE_PATTERN = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/;
+const GITHUB_URL_PATTERN = /^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/;
+/**
+* GitHub shorthand pattern: owner/repo or owner/repo/path
+* Must not contain :, not start with . / or @
+*/
+const GITHUB_SHORTHAND_PATTERN = /^([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_.-]+)(?:\/(.+))?$/;
+/**
+* Check if a string is a GitHub URL (https://github.com/...)
+*/
+function isGitHubUrl(input) {
+	return /^https?:\/\/github\.com\/[^/]+\/[^/]+/.test(input);
+}
+/**
+* Parse a GitHub URL into a GitHubSpecifier.
+*/
+function parseGitHubUrl(input) {
+	const treeMatch = input.match(GITHUB_URL_TREE_PATTERN);
+	if (treeMatch) {
+		const [, owner, repo, ref, path] = treeMatch;
+		if (!owner || !repo || !ref) return null;
+		return {
+			owner,
+			repo,
+			ref,
+			path: path || void 0
+		};
+	}
+	const repoMatch = input.match(GITHUB_URL_PATTERN);
+	if (repoMatch) {
+		const [, owner, repo] = repoMatch;
+		if (!owner || !repo) return null;
+		return {
+			owner,
+			repo
+		};
+	}
+	return null;
+}
+/**
+* Check if a string is a GitHub shorthand (owner/repo or owner/repo/path).
+*/
+function isGitHubShorthand(input) {
+	if (input.includes(":") || input.startsWith(".") || input.startsWith("/") || input.startsWith("@")) return false;
+	return GITHUB_SHORTHAND_PATTERN.test(input);
+}
+/**
+* Parse a GitHub shorthand into a GitHubSpecifier.
+*/
+function parseGitHubShorthand(input) {
+	if (input.includes(":") || input.startsWith(".") || input.startsWith("/") || input.startsWith("@")) return null;
+	const match = input.match(GITHUB_SHORTHAND_PATTERN);
+	if (!match) return null;
+	const [, owner, repo, path] = match;
+	if (!owner || !repo) return null;
+	return {
+		owner,
+		repo,
+		path: path || void 0
+	};
+}
+//#endregion
+//#region src/agents.ts
+/**
+* Agent configuration for skill symlinks.
+*
+* Defines where different AI agents expect skills to be located.
+*/
+/**
+* Default agent configurations with display names.
+* These can be overridden in pspm.json under the "agents" key.
+*/
+const AGENT_INFO = {
+	adal: {
+		displayName: "AdaL",
+		skillsDir: ".adal/skills",
+		globalSkillsDir: ".adal/skills"
+	},
+	amp: {
+		displayName: "Amp",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".config/agents/skills"
+	},
+	antigravity: {
+		displayName: "Antigravity",
+		skillsDir: ".agent/skills",
+		globalSkillsDir: ".gemini/antigravity/skills"
+	},
+	augment: {
+		displayName: "Augment",
+		skillsDir: ".augment/skills",
+		globalSkillsDir: ".augment/skills"
+	},
+	"claude-code": {
+		displayName: "Claude Code",
+		skillsDir: ".claude/skills",
+		globalSkillsDir: ".claude/skills"
+	},
+	cline: {
+		displayName: "Cline",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".agents/skills"
+	},
+	codebuddy: {
+		displayName: "CodeBuddy",
+		skillsDir: ".codebuddy/skills",
+		globalSkillsDir: ".codebuddy/skills"
+	},
+	codex: {
+		displayName: "Codex",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".codex/skills"
+	},
+	"command-code": {
+		displayName: "Command Code",
+		skillsDir: ".commandcode/skills",
+		globalSkillsDir: ".commandcode/skills"
+	},
+	continue: {
+		displayName: "Continue",
+		skillsDir: ".continue/skills",
+		globalSkillsDir: ".continue/skills"
+	},
+	cortex: {
+		displayName: "Cortex Code",
+		skillsDir: ".cortex/skills",
+		globalSkillsDir: ".snowflake/cortex/skills"
+	},
+	crush: {
+		displayName: "Crush",
+		skillsDir: ".crush/skills",
+		globalSkillsDir: ".config/crush/skills"
+	},
+	cursor: {
+		displayName: "Cursor",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".cursor/skills"
+	},
+	droid: {
+		displayName: "Droid",
+		skillsDir: ".factory/skills",
+		globalSkillsDir: ".factory/skills"
+	},
+	"gemini-cli": {
+		displayName: "Gemini CLI",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".gemini/skills"
+	},
+	"github-copilot": {
+		displayName: "GitHub Copilot",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".copilot/skills"
+	},
+	goose: {
+		displayName: "Goose",
+		skillsDir: ".goose/skills",
+		globalSkillsDir: ".config/goose/skills"
+	},
+	"iflow-cli": {
+		displayName: "iFlow CLI",
+		skillsDir: ".iflow/skills",
+		globalSkillsDir: ".iflow/skills"
+	},
+	junie: {
+		displayName: "Junie",
+		skillsDir: ".junie/skills",
+		globalSkillsDir: ".junie/skills"
+	},
+	kilo: {
+		displayName: "Kilo Code",
+		skillsDir: ".kilocode/skills",
+		globalSkillsDir: ".kilocode/skills"
+	},
+	"kimi-cli": {
+		displayName: "Kimi Code CLI",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".config/agents/skills"
+	},
+	"kiro-cli": {
+		displayName: "Kiro CLI",
+		skillsDir: ".kiro/skills",
+		globalSkillsDir: ".kiro/skills"
+	},
+	kode: {
+		displayName: "Kode",
+		skillsDir: ".kode/skills",
+		globalSkillsDir: ".kode/skills"
+	},
+	mcpjam: {
+		displayName: "MCPJam",
+		skillsDir: ".mcpjam/skills",
+		globalSkillsDir: ".mcpjam/skills"
+	},
+	"mistral-vibe": {
+		displayName: "Mistral Vibe",
+		skillsDir: ".vibe/skills",
+		globalSkillsDir: ".vibe/skills"
+	},
+	mux: {
+		displayName: "Mux",
+		skillsDir: ".mux/skills",
+		globalSkillsDir: ".mux/skills"
+	},
+	neovate: {
+		displayName: "Neovate",
+		skillsDir: ".neovate/skills",
+		globalSkillsDir: ".neovate/skills"
+	},
+	openclaw: {
+		displayName: "OpenClaw",
+		skillsDir: "skills",
+		globalSkillsDir: ".openclaw/skills"
+	},
+	opencode: {
+		displayName: "OpenCode",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".config/opencode/skills"
+	},
+	openhands: {
+		displayName: "OpenHands",
+		skillsDir: ".openhands/skills",
+		globalSkillsDir: ".openhands/skills"
+	},
+	pi: {
+		displayName: "Pi",
+		skillsDir: ".pi/skills",
+		globalSkillsDir: ".pi/agent/skills"
+	},
+	pochi: {
+		displayName: "Pochi",
+		skillsDir: ".pochi/skills",
+		globalSkillsDir: ".pochi/skills"
+	},
+	qoder: {
+		displayName: "Qoder",
+		skillsDir: ".qoder/skills",
+		globalSkillsDir: ".qoder/skills"
+	},
+	"qwen-code": {
+		displayName: "Qwen Code",
+		skillsDir: ".qwen/skills",
+		globalSkillsDir: ".qwen/skills"
+	},
+	replit: {
+		displayName: "Replit",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".config/agents/skills"
+	},
+	roo: {
+		displayName: "Roo Code",
+		skillsDir: ".roo/skills",
+		globalSkillsDir: ".roo/skills"
+	},
+	trae: {
+		displayName: "Trae",
+		skillsDir: ".trae/skills",
+		globalSkillsDir: ".trae/skills"
+	},
+	"trae-cn": {
+		displayName: "Trae CN",
+		skillsDir: ".trae/skills",
+		globalSkillsDir: ".trae-cn/skills"
+	},
+	universal: {
+		displayName: "Universal",
+		skillsDir: ".agents/skills",
+		globalSkillsDir: ".config/agents/skills"
+	},
+	windsurf: {
+		displayName: "Windsurf",
+		skillsDir: ".windsurf/skills",
+		globalSkillsDir: ".codeium/windsurf/skills"
+	},
+	zencoder: {
+		displayName: "Zencoder",
+		skillsDir: ".zencoder/skills",
+		globalSkillsDir: ".zencoder/skills"
+	}
+};
+/**
+* Default agent configurations (AgentConfig format).
+*/
+const DEFAULT_AGENT_CONFIGS = Object.fromEntries(Object.entries(AGENT_INFO).map(([key, info]) => [key, { skillsDir: info.skillsDir }]));
+/**
+* All built-in agent names in display order.
+*/
+const ALL_AGENTS = Object.keys(AGENT_INFO).sort();
+/**
+* Resolve agent configuration by name.
+*
+* @param name - Agent name (built-in or custom)
+* @param overrides - Custom agent configurations from pspm.json
+* @param global - If true, return global paths instead of project paths
+* @returns Agent configuration or null if not found
+*
+* @example
+* ```typescript
+* resolveAgentConfig("claude-code")
+* // => { skillsDir: ".claude/skills" }
+*
+* resolveAgentConfig("claude-code", undefined, true)
+* // => { skillsDir: ".claude/skills" } (global path, used relative to ~)
+*
+* resolveAgentConfig("my-custom", { "my-custom": { skillsDir: ".myagent/prompts" } })
+* // => { skillsDir: ".myagent/prompts" }
+* ```
+*/
+function resolveAgentConfig(name, overrides, global) {
+	if (!global && overrides?.[name]) return overrides[name];
+	if (name in AGENT_INFO) {
+		const info = AGENT_INFO[name];
+		return { skillsDir: global ? info.globalSkillsDir : info.skillsDir };
+	}
+	return null;
+}
+/**
+* Parse comma-separated agent names from CLI argument.
+*
+* @param agentArg - Comma-separated agent names (e.g., "claude-code,cursor")
+* @returns Array of agent names, or ["none"] if skipping symlinks
+*
+* @example
+* ```typescript
+* parseAgentArg("claude-code,cursor")
+* // => ["claude-code", "cursor"]
+*
+* parseAgentArg("none")
+* // => ["none"]
+*
+* parseAgentArg(undefined)
+* // => [...ALL_AGENTS]
+* ```
+*/
+function parseAgentArg(agentArg) {
+	if (!agentArg) return [...ALL_AGENTS];
+	if (agentArg === "none") return ["none"];
+	return agentArg.split(",").map((a) => a.trim()).filter(Boolean);
+}
+/**
+* Get all available agent names (built-in + custom).
+*/
+function getAvailableAgents(overrides) {
+	const builtIn = Object.keys(DEFAULT_AGENT_CONFIGS);
+	const custom = overrides ? Object.keys(overrides) : [];
+	return [...new Set([...builtIn, ...custom])];
+}
+/**
+* Prompt user to select which agents to install skills to.
+*
+* @returns Array of selected agent names
+*/
+async function promptForAgents() {
+	const selected = await checkbox({
+		message: "Select agents to install skills to",
+		choices: ALL_AGENTS.map((agent) => ({
+			name: `${AGENT_INFO[agent].displayName} (${AGENT_INFO[agent].skillsDir})`,
+			value: agent,
+			checked: true
+		}))
+	});
+	if (selected.length === 0) return ["none"];
+	return selected;
+}
+//#endregion
+//#region src/manifest.ts
+/**
+* Get the manifest file path
+* Global: ~/.pspm/pspm.json
+* Project: ./pspm.json
+*/
+function getManifestPath() {
+	if (isGlobalMode()) return join(homedir(), ".pspm", "pspm.json");
+	return join(process.cwd(), "pspm.json");
+}
+/**
+* Read the manifest file (pspm.json)
+* Returns null if file doesn't exist
+*/
+async function readManifest() {
+	try {
+		const content = await readFile(getManifestPath(), "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return null;
+	}
+}
+/**
+* Write the manifest file (pspm.json)
+*/
+async function writeManifest(manifest) {
+	const content = JSON.stringify(manifest, null, 2);
+	await writeFile(getManifestPath(), `${content}\n`);
+}
+/**
+* Create a minimal manifest with just dependencies
+* Similar to how npm creates package.json with just dependencies when you run `npm add`
+* This is for consuming packages, not publishing - so only dependencies are needed
+*/
+async function createMinimalManifest() {
+	return { dependencies: {} };
+}
+/**
+* Ensure manifest exists, creating a minimal one if needed
+* Returns the manifest (existing or newly created)
+*/
+async function ensureManifest() {
+	let manifest = await readManifest();
+	if (!manifest) {
+		manifest = await createMinimalManifest();
+		await writeManifest(manifest);
+	}
+	return manifest;
+}
+/**
+* Add a dependency to the manifest
+* Creates the manifest if it doesn't exist
+*
+* @param skillName - Full skill name (e.g., "@user/alice/my-skill")
+* @param versionRange - Version range to save (e.g., "^1.0.0")
+*/
+async function addDependency(skillName, versionRange) {
+	const manifest = await ensureManifest();
+	if (!manifest.dependencies) manifest.dependencies = {};
+	manifest.dependencies[skillName] = versionRange;
+	await writeManifest(manifest);
+}
+/**
+* Remove a dependency from the manifest
+*
+* @param skillName - Full skill name (e.g., "@user/alice/my-skill")
+* @returns true if dependency was removed, false if it didn't exist
+*/
+async function removeDependency(skillName) {
+	const manifest = await readManifest();
+	if (!manifest?.dependencies?.[skillName]) return false;
+	delete manifest.dependencies[skillName];
+	await writeManifest(manifest);
+	return true;
+}
+/**
+* Get all dependencies from the manifest
+* Returns empty object if manifest doesn't exist or has no dependencies
+*/
+async function getDependencies() {
+	return (await readManifest())?.dependencies ?? {};
+}
+/**
+* Get all GitHub dependencies from the manifest
+* Returns empty object if manifest doesn't exist or has no GitHub dependencies
+*/
+async function getGitHubDependencies() {
+	return (await readManifest())?.githubDependencies ?? {};
+}
+/**
+* Add a GitHub dependency to the manifest
+* Creates the manifest if it doesn't exist
+*
+* @param specifier - GitHub specifier (e.g., "github:owner/repo/path")
+* @param ref - Git ref (branch, tag, or "latest")
+*/
+async function addGitHubDependency(specifier, ref) {
+	const manifest = await ensureManifest();
+	if (!manifest.githubDependencies) manifest.githubDependencies = {};
+	manifest.githubDependencies[specifier] = ref;
+	await writeManifest(manifest);
+}
+/**
+* Remove a GitHub dependency from the manifest
+*
+* @param specifier - GitHub specifier (e.g., "github:owner/repo/path")
+* @returns true if dependency was removed, false if it didn't exist
+*/
+async function removeGitHubDependency(specifier) {
+	const manifest = await readManifest();
+	if (!manifest?.githubDependencies?.[specifier]) return false;
+	delete manifest.githubDependencies[specifier];
+	await writeManifest(manifest);
+	return true;
+}
+/**
+* Add a local dependency to the manifest
+* Creates the manifest if it doesn't exist
+*
+* @param specifier - Local specifier (e.g., "file:../my-skill")
+* @param version - Always "*" for local packages
+*/
+async function addLocalDependency(specifier, version = "*") {
+	const manifest = await ensureManifest();
+	if (!manifest.localDependencies) manifest.localDependencies = {};
+	manifest.localDependencies[specifier] = version;
+	await writeManifest(manifest);
+}
+/**
+* Add a well-known dependency to the manifest
+*
+* @param baseUrl - The well-known base URL (e.g., "https://acme.com")
+* @param skillNames - Skill names to add (e.g., ["code-review"])
+*/
+async function addWellKnownDependency(baseUrl, skillNames) {
+	const manifest = await ensureManifest();
+	if (!manifest.wellKnownDependencies) manifest.wellKnownDependencies = {};
+	const existing = manifest.wellKnownDependencies[baseUrl];
+	if (Array.isArray(existing)) {
+		const merged = [...new Set([...existing, ...skillNames])];
+		manifest.wellKnownDependencies[baseUrl] = merged;
+	} else manifest.wellKnownDependencies[baseUrl] = skillNames;
+	await writeManifest(manifest);
+}
+//#endregion
+//#region src/github.ts
+/**
+* GitHub package download and extraction support.
+*
+* Downloads skill packages from GitHub repositories and extracts them
+* to .pspm/skills/_github/{owner}/{repo}/{path}/
+*/
+/**
+* Error thrown when GitHub API rate limit is hit.
+*/
+var GitHubRateLimitError = class extends Error {
+	constructor() {
+		super("GitHub API rate limit exceeded. Set GITHUB_TOKEN environment variable for higher limits.");
+		this.name = "GitHubRateLimitError";
+	}
+};
+/**
+* Error thrown when GitHub repository/ref is not found.
+*/
+var GitHubNotFoundError = class extends Error {
+	constructor(spec) {
+		const path = spec.path ? `/${spec.path}` : "";
+		const ref = spec.ref ? `@${spec.ref}` : "";
+		super(`GitHub repository not found: ${spec.owner}/${spec.repo}${path}${ref}`);
+		this.name = "GitHubNotFoundError";
+	}
+};
+/**
+* Error thrown when the specified path doesn't exist in the repository.
+*/
+var GitHubPathNotFoundError = class extends Error {
+	constructor(spec, availablePaths) {
+		const pathInfo = availablePaths?.length ? `\nAvailable paths in repository root:\n  ${availablePaths.join("\n  ")}` : "";
+		super(`Path "${spec.path}" not found in ${spec.owner}/${spec.repo}${pathInfo}`);
+		this.name = "GitHubPathNotFoundError";
+	}
+};
+/**
+* Get GitHub API headers, including authentication if available.
+*/
+function getGitHubHeaders() {
+	const headers = {
+		Accept: "application/vnd.github+json",
+		"X-GitHub-Api-Version": "2022-11-28",
+		"User-Agent": "pspm-cli"
+	};
+	const token = process.env.GITHUB_TOKEN;
+	if (token) headers.Authorization = `Bearer ${token}`;
+	return headers;
+}
+/**
+* Resolve a Git ref (branch/tag) to a commit SHA.
+*
+* @param owner - Repository owner
+* @param repo - Repository name
+* @param ref - Branch, tag, or commit SHA (defaults to default branch)
+* @returns Resolved commit SHA
+*/
+async function resolveGitHubRef(owner, repo, ref) {
+	const headers = getGitHubHeaders();
+	let resolvedRef = ref;
+	if (!resolvedRef || resolvedRef === "latest") {
+		const repoUrl = `https://api.github.com/repos/${owner}/${repo}`;
+		const repoResponse = await fetch(repoUrl, { headers });
+		if (repoResponse.status === 404) throw new GitHubNotFoundError({
+			owner,
+			repo
+		});
+		if (repoResponse.status === 403) {
+			if (repoResponse.headers.get("x-ratelimit-remaining") === "0") throw new GitHubRateLimitError();
+		}
+		if (!repoResponse.ok) throw new Error(`GitHub API error: ${repoResponse.status}`);
+		resolvedRef = (await repoResponse.json()).default_branch;
+	}
+	const commitUrl = `https://api.github.com/repos/${owner}/${repo}/commits/${resolvedRef}`;
+	const commitResponse = await fetch(commitUrl, { headers });
+	if (commitResponse.status === 404) throw new GitHubNotFoundError({
+		owner,
+		repo,
+		ref
+	});
+	if (commitResponse.status === 403) {
+		if (commitResponse.headers.get("x-ratelimit-remaining") === "0") throw new GitHubRateLimitError();
+	}
+	if (!commitResponse.ok) throw new Error(`GitHub API error: ${commitResponse.status}`);
+	return (await commitResponse.json()).sha;
+}
+/**
+* Download a GitHub repository tarball.
+*
+* @param spec - GitHub specifier with owner, repo, and optional ref
+* @returns Download result with buffer, commit SHA, and integrity hash
+*/
+async function downloadGitHubPackage(spec) {
+	const headers = getGitHubHeaders();
+	const commit = await resolveGitHubRef(spec.owner, spec.repo, spec.ref);
+	const tarballUrl = `https://api.github.com/repos/${spec.owner}/${spec.repo}/tarball/${commit}`;
+	const response = await fetch(tarballUrl, {
+		headers,
+		redirect: "follow"
+	});
+	if (response.status === 404) throw new GitHubNotFoundError(spec);
+	if (response.status === 403) {
+		if (response.headers.get("x-ratelimit-remaining") === "0") throw new GitHubRateLimitError();
+	}
+	if (!response.ok) throw new Error(`Failed to download GitHub tarball: ${response.status}`);
+	const buffer = Buffer.from(await response.arrayBuffer());
+	return {
+		buffer,
+		commit,
+		integrity: calculateIntegrity(buffer)
+	};
+}
+/**
+* Extract a GitHub package to the skills directory.
+*
+* For subpath specifiers, extracts only the specified subdirectory.
+* Full path structure is preserved under .pspm/skills/_github/.
+*
+* @param spec - GitHub specifier
+* @param buffer - Downloaded tarball buffer
+* @param skillsDir - Base skills directory (.pspm/skills)
+* @returns Path to extracted skill (relative to project root)
+*/
+async function extractGitHubPackage(spec, buffer, skillsDir) {
+	const destPath = spec.path ? join(skillsDir, "_github", spec.owner, spec.repo, spec.path) : join(skillsDir, "_github", spec.owner, spec.repo);
+	const tempDir = join(skillsDir, "_github", ".temp", `${Date.now()}`);
+	await mkdir(tempDir, { recursive: true });
+	const tempFile = join(tempDir, "archive.tgz");
+	try {
+		await writeFile(tempFile, buffer);
+		const { exec } = await import("node:child_process");
+		const { promisify } = await import("node:util");
+		await promisify(exec)(`tar -xzf "${tempFile}" -C "${tempDir}"`);
+		const extractedDir = (await readdir(tempDir)).find((e) => e !== "archive.tgz" && !e.startsWith("."));
+		if (!extractedDir) throw new Error("Failed to find extracted directory in tarball");
+		const sourcePath = join(tempDir, extractedDir);
+		const copySource = spec.path ? join(sourcePath, spec.path) : sourcePath;
+		if (spec.path) {
+			if (!await lstat(copySource).catch(() => null)) {
+				const rootEntries = await readdir(sourcePath);
+				const dirs = [];
+				for (const entry of rootEntries) if ((await lstat(join(sourcePath, entry)).catch(() => null))?.isDirectory() && !entry.startsWith(".")) dirs.push(entry);
+				throw new GitHubPathNotFoundError(spec, dirs);
+			}
+		}
+		await rm(destPath, {
+			recursive: true,
+			force: true
+		});
+		await mkdir(destPath, { recursive: true });
+		await cp(copySource, destPath, { recursive: true });
+		return spec.path ? `.pspm/skills/_github/${spec.owner}/${spec.repo}/${spec.path}` : `.pspm/skills/_github/${spec.owner}/${spec.repo}`;
+	} finally {
+		await rm(tempDir, {
+			recursive: true,
+			force: true
+		});
+	}
+}
+/**
+* Get a short display name for a GitHub package.
+*
+* @param spec - GitHub specifier
+* @param commit - Resolved commit SHA (first 7 chars will be shown)
+* @returns Display string like "github:owner/repo/path (ref@abc1234)"
+*/
+function getGitHubDisplayName(spec, commit) {
+	let name = `github:${spec.owner}/${spec.repo}`;
+	if (spec.path) name += `/${spec.path}`;
+	if (spec.ref || commit) {
+		const ref = spec.ref || "HEAD";
+		const shortCommit = commit ? commit.slice(0, 7) : "";
+		name += ` (${ref}${shortCommit ? `@${shortCommit}` : ""})`;
+	}
+	return name;
+}
+//#endregion
+//#region src/lockfile.ts
+/**
+* Check if legacy lockfile exists (skill-lock.json)
+*/
+async function hasLegacyLockfile() {
+	try {
+		await stat(getLegacyLockfilePath());
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+* Migrate legacy lockfile (skill-lock.json) to new format (pspm-lock.json)
+* Returns true if migration was performed
+*/
+async function migrateLockfileIfNeeded() {
+	const legacyPath = getLegacyLockfilePath();
+	const newPath = getLockfilePath();
+	try {
+		await stat(legacyPath);
+	} catch {
+		return false;
+	}
+	try {
+		await stat(newPath);
+		return false;
+	} catch {}
+	try {
+		const content = await readFile(legacyPath, "utf-8");
+		const oldLockfile = JSON.parse(content);
+		const newLockfile = {
+			lockfileVersion: 2,
+			registryUrl: oldLockfile.registryUrl,
+			packages: oldLockfile.skills ?? {}
+		};
+		await writeFile(newPath, `${JSON.stringify(newLockfile, null, 2)}\n`);
+		console.log("Migrated lockfile: skill-lock.json → pspm-lock.json");
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+* Read the lockfile, automatically checking for legacy format
+*/
+async function readLockfile() {
+	const lockfilePath = getLockfilePath();
+	try {
+		const content = await readFile(lockfilePath, "utf-8");
+		const lockfile = JSON.parse(content);
+		if (lockfile.lockfileVersion === 1 && lockfile.skills && !lockfile.packages) return {
+			...lockfile,
+			lockfileVersion: 2,
+			packages: lockfile.skills
+		};
+		return lockfile;
+	} catch {
+		if (await hasLegacyLockfile()) try {
+			const content = await readFile(getLegacyLockfilePath(), "utf-8");
+			const legacyLockfile = JSON.parse(content);
+			return {
+				lockfileVersion: 2,
+				registryUrl: legacyLockfile.registryUrl,
+				packages: legacyLockfile.skills ?? {}
+			};
+		} catch {
+			return null;
+		}
+		return null;
+	}
+}
+/**
+* Write the lockfile (v4 format if any package has dependencies, otherwise v3)
+*/
+async function writeLockfile(lockfile) {
+	const lockfilePath = getLockfilePath();
+	await mkdir(dirname(lockfilePath), { recursive: true });
+	const packages = lockfile.packages ?? lockfile.skills ?? {};
+	const normalized = {
+		$schema: PSPM_LOCKFILE_SCHEMA_URL,
+		lockfileVersion: Object.values(packages).some((pkg) => pkg.dependencies && Object.keys(pkg.dependencies).length > 0) ? 4 : 3,
+		registryUrl: lockfile.registryUrl,
+		packages
+	};
+	if (lockfile.githubPackages && Object.keys(lockfile.githubPackages).length > 0) normalized.githubPackages = lockfile.githubPackages;
+	if (lockfile.localPackages && Object.keys(lockfile.localPackages).length > 0) normalized.localPackages = lockfile.localPackages;
+	if (lockfile.wellKnownPackages && Object.keys(lockfile.wellKnownPackages).length > 0) normalized.wellKnownPackages = lockfile.wellKnownPackages;
+	await writeFile(lockfilePath, `${JSON.stringify(normalized, null, 2)}\n`);
+}
+/**
+* Create a new empty lockfile (v4 format)
+*/
+async function createEmptyLockfile() {
+	return {
+		lockfileVersion: 4,
+		registryUrl: await getRegistryUrl(),
+		packages: {}
+	};
+}
+/**
+* Get packages from lockfile (handles both v1 and v2)
+*/
+function getPackages(lockfile) {
+	return lockfile.packages ?? lockfile.skills ?? {};
+}
+/**
+* Add a skill to the lockfile
+*/
+async function addToLockfile(fullName, entry) {
+	let lockfile = await readLockfile();
+	if (!lockfile) lockfile = await createEmptyLockfile();
+	const packages = getPackages(lockfile);
+	packages[fullName] = entry;
+	lockfile.packages = packages;
+	await writeLockfile(lockfile);
+}
+/**
+* Add a skill to the lockfile with dependencies (v4 format)
+*/
+async function addToLockfileWithDeps(fullName, entry, dependencies) {
+	let lockfile = await readLockfile();
+	if (!lockfile) lockfile = await createEmptyLockfile();
+	const packages = getPackages(lockfile);
+	const entryWithDeps = { ...entry };
+	if (dependencies && Object.keys(dependencies).length > 0) entryWithDeps.dependencies = dependencies;
+	packages[fullName] = entryWithDeps;
+	lockfile.packages = packages;
+	await writeLockfile(lockfile);
+}
+/**
+* Remove a skill from the lockfile
+*/
+async function removeFromLockfile(fullName) {
+	const lockfile = await readLockfile();
+	if (!lockfile) return false;
+	const packages = getPackages(lockfile);
+	if (!packages[fullName]) return false;
+	delete packages[fullName];
+	lockfile.packages = packages;
+	await writeLockfile(lockfile);
+	return true;
+}
+/**
+* List all skills in the lockfile
+*/
+async function listLockfileSkills() {
+	const lockfile = await readLockfile();
+	if (!lockfile) return [];
+	const packages = getPackages(lockfile);
+	return Object.entries(packages).map(([name, entry]) => ({
+		name,
+		entry
+	}));
+}
+/**
+* Add a GitHub package to the lockfile
+*/
+async function addGitHubToLockfile(specifier, entry) {
+	let lockfile = await readLockfile();
+	if (!lockfile) lockfile = await createEmptyLockfile();
+	if (!lockfile.githubPackages) lockfile.githubPackages = {};
+	lockfile.githubPackages[specifier] = entry;
+	await writeLockfile(lockfile);
+}
+/**
+* Remove a GitHub package from the lockfile
+*/
+async function removeGitHubFromLockfile(specifier) {
+	const lockfile = await readLockfile();
+	if (!lockfile?.githubPackages?.[specifier]) return false;
+	delete lockfile.githubPackages[specifier];
+	await writeLockfile(lockfile);
+	return true;
+}
+/**
+* List all GitHub packages in the lockfile
+*/
+async function listLockfileGitHubPackages() {
+	const lockfile = await readLockfile();
+	if (!lockfile?.githubPackages) return [];
+	return Object.entries(lockfile.githubPackages).map(([specifier, entry]) => ({
+		specifier,
+		entry
+	}));
+}
+/**
+* Add a local package to the lockfile
+*/
+async function addLocalToLockfile(specifier, entry) {
+	let lockfile = await readLockfile();
+	if (!lockfile) lockfile = await createEmptyLockfile();
+	if (!lockfile.localPackages) lockfile.localPackages = {};
+	lockfile.localPackages[specifier] = entry;
+	await writeLockfile(lockfile);
+}
+/**
+* Add a well-known package to the lockfile
+*/
+async function addWellKnownToLockfile(specifier, entry) {
+	let lockfile = await readLockfile();
+	if (!lockfile) lockfile = await createEmptyLockfile();
+	if (!lockfile.wellKnownPackages) lockfile.wellKnownPackages = {};
+	lockfile.wellKnownPackages[specifier] = entry;
+	await writeLockfile(lockfile);
+}
+/**
+* List all well-known packages in the lockfile
+*/
+async function listLockfileWellKnownPackages() {
+	const lockfile = await readLockfile();
+	if (!lockfile?.wellKnownPackages) return [];
+	return Object.entries(lockfile.wellKnownPackages).map(([specifier, entry]) => ({
+		specifier,
+		entry
+	}));
+}
+//#endregion
+//#region src/symlinks.ts
+/**
+* Symlink management for agent skill directories.
+*
+* Creates relative symlinks from agent-specific directories (e.g., .claude/skills/)
+* to the central .pspm/skills/ directory for portability.
+*/
+/**
+* Create symlinks for all skills to specified agent directories.
+*
+* @param skills - List of skills to create symlinks for
+* @param options - Symlink creation options
+*/
+async function createAgentSymlinks(skills, options) {
+	const { agents, projectRoot, agentConfigs } = options;
+	if (agents.length === 1 && agents[0] === "none") return;
+	for (const agentName of agents) {
+		const config = resolveAgentConfig(agentName, agentConfigs, options.global);
+		if (!config) {
+			console.warn(`Warning: Unknown agent "${agentName}", skipping symlinks`);
+			continue;
+		}
+		const agentSkillsDir = join(projectRoot, config.skillsDir);
+		await mkdir(agentSkillsDir, { recursive: true });
+		for (const skill of skills) {
+			const symlinkPath = join(agentSkillsDir, skill.name);
+			const targetPath = join(projectRoot, skill.sourcePath);
+			await createSymlink(symlinkPath, relative(dirname(symlinkPath), targetPath), skill.name);
+		}
+	}
+}
+/**
+* Create a single symlink, handling existing files/symlinks.
+*
+* @param symlinkPath - Absolute path where symlink will be created
+* @param target - Relative path to target (relative to symlink's parent dir)
+* @param skillName - Name for logging
+*/
+async function createSymlink(symlinkPath, target, skillName) {
+	try {
+		const stats = await lstat(symlinkPath).catch(() => null);
+		if (stats) if (stats.isSymbolicLink()) {
+			if (await readlink(symlinkPath) === target) return;
+			await rm(symlinkPath);
+		} else {
+			console.warn(`Warning: File exists at symlink path for "${skillName}", skipping: ${symlinkPath}`);
+			return;
+		}
+		await symlink(target, symlinkPath);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.warn(`Warning: Failed to create symlink for "${skillName}": ${message}`);
+	}
+}
+/**
+* Remove symlinks for a skill from all agent directories.
+*
+* @param skillName - Name of the skill (symlink name)
+* @param options - Symlink options
+*/
+async function removeAgentSymlinks(skillName, options) {
+	const { agents, projectRoot, agentConfigs } = options;
+	if (agents.length === 1 && agents[0] === "none") return;
+	for (const agentName of agents) {
+		const config = resolveAgentConfig(agentName, agentConfigs);
+		if (!config) continue;
+		const symlinkPath = join(projectRoot, config.skillsDir, skillName);
+		try {
+			if ((await lstat(symlinkPath).catch(() => null))?.isSymbolicLink()) await rm(symlinkPath);
+		} catch {}
+	}
+}
+/**
+* Get the source path for a registry skill within .pspm/skills/.
+*
+* @param ownerOrNamespace - Skill author username, or namespace prefix
+* @param skillNameOrOwner - Skill name (2-arg form) or owner (3-arg form)
+* @param skillName - Skill name (3-arg form only)
+* @returns Relative path from project root (e.g., ".pspm/skills/alice/my-skill")
+*/
+function getRegistrySkillPath(ownerOrNamespace, skillNameOrOwner, skillName) {
+	if (skillName !== void 0) {
+		const namespace = ownerOrNamespace;
+		const owner = skillNameOrOwner;
+		if (namespace === "org") return `.pspm/skills/_org/${owner}/${skillName}`;
+		if (namespace === "github") return `.pspm/skills/_github-registry/${owner}/${skillName}`;
+		return `.pspm/skills/${owner}/${skillName}`;
+	}
+	return `.pspm/skills/${ownerOrNamespace}/${skillNameOrOwner}`;
+}
+/**
+* Get the source path for a GitHub skill within .pspm/skills/.
+*
+* @param owner - GitHub repository owner
+* @param repo - GitHub repository name
+* @param path - Optional path within the repository
+* @returns Relative path from project root (e.g., ".pspm/skills/_github/owner/repo/path")
+*/
+function getGitHubSkillPath(owner, repo, path) {
+	if (path) return `.pspm/skills/_github/${owner}/${repo}/${path}`;
+	return `.pspm/skills/_github/${owner}/${repo}`;
+}
+/**
+* Get the source path for a local skill within .pspm/skills/.
+*
+* @param skillName - Skill name
+* @returns Relative path from project root (e.g., ".pspm/skills/_local/my-skill")
+*/
+function getLocalSkillPath(skillName) {
+	return `.pspm/skills/_local/${skillName}`;
+}
+/**
+* Get the source path for a well-known skill within .pspm/skills/.
+*
+* @param hostname - Source hostname (e.g., "acme.com")
+* @param skillName - Skill name
+* @returns Relative path from project root (e.g., ".pspm/skills/_wellknown/acme.com/my-skill")
+*/
+function getWellKnownSkillPath(hostname, skillName) {
+	return `.pspm/skills/_wellknown/${hostname}/${skillName}`;
+}
+/**
+* Check which agents have symlinks for a given skill.
+*
+* @param skillName - Name of the skill (symlink name)
+* @param agents - Agent names to check
+* @param projectRoot - Project root directory
+* @param agentConfigs - Custom agent configurations
+* @returns Array of agent names that have valid symlinks
+*/
+async function getLinkedAgents(skillName, agents, projectRoot, agentConfigs) {
+	const linkedAgents = [];
+	for (const agentName of agents) {
+		const config = resolveAgentConfig(agentName, agentConfigs);
+		if (!config) continue;
+		const symlinkPath = join(projectRoot, config.skillsDir, skillName);
+		try {
+			if ((await lstat(symlinkPath)).isSymbolicLink()) linkedAgents.push(agentName);
+		} catch {}
+	}
+	return linkedAgents;
+}
+//#endregion
+export { isNewerVersion as $, getDependencies as A, resolveAgentConfig as B, downloadGitHubPackage as C, addGitHubDependency as D, addDependency as E, removeGitHubDependency as F, isGitHubSpecifier as G, generateRegistryIdentifier as H, writeManifest as I, parseGitHubShorthand as J, isGitHubUrl as K, getAvailableAgents as L, getManifestPath as M, readManifest as N, addLocalDependency as O, removeDependency as P, resolveRecursive as Q, parseAgentArg as R, GitHubRateLimitError as S, getGitHubDisplayName as T, getGitHubSkillName as U, formatGitHubSpecifier as V, isGitHubShorthand as W, parseGitHubUrl as X, parseGitHubSpecifier as Y, parseRegistrySpecifier as Z, readLockfile as _, getRegistrySkillPath as a, validateManifest as at, GitHubNotFoundError as b, addGitHubToLockfile as c, getExcludeArgsForRsync as ct, addToLockfileWithDeps as d, encryptBuffer as dt, resolveVersion as et, addWellKnownToLockfile as f, migrateLockfileIfNeeded as g, listLockfileWellKnownPackages as h, getLocalSkillPath as i, PSPM_SCHEMA_URL as it, getGitHubDependencies as j, addWellKnownDependency as k, addLocalToLockfile as l, loadIgnorePatterns as lt, listLockfileSkills as m, getGitHubSkillPath as n, printResolutionErrors as nt, getWellKnownSkillPath as o, calculateIntegrity as ot, listLockfileGitHubPackages as p, isRegistrySpecifier as q, getLinkedAgents as r, DEFAULT_SKILL_FILES as rt, removeAgentSymlinks as s, ALWAYS_IGNORED as st, createAgentSymlinks as t, computeInstallOrder as tt, addToLockfile as u, decryptBuffer as ut, removeFromLockfile as v, extractGitHubPackage as w, GitHubPathNotFoundError as x, removeGitHubFromLockfile as y, promptForAgents as z };
+//# sourceMappingURL=symlinks-BTw8X0GG.js.map