@anytio/pspm 0.6.0 → 0.7.1

package/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to the PSPM CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.7.1] - 2026-03-02
+
+### Added
+
+- **`outdated` command**: Check for outdated packages in your project
+  - Shows installed vs latest versions for registry, GitHub, and local dependencies
+  - Helps identify which packages need updating
+
+## [0.7.0] - 2026-02-25
+
+### Changed
+
+- **BREAKING: `--access` is now required for `pspm publish`** — You must explicitly specify `--access public` or `--access private` when publishing. Previously, omitting `--access` would default to public (free users) or private (pro users). This prevents accidental public publishes.
+
 ## [0.6.0] - 2026-02-17
 
 ### Changed

package/README.md

@@ -80,6 +80,7 @@ pspm list                     # List installed skills (alias: ls)
 pspm install [specifiers...]  # Install from lockfile, or add specific packages (alias: i)
 pspm link                     # Recreate agent symlinks without reinstalling
 pspm update                   # Update skills to latest compatible versions
+pspm outdated                 # Check for outdated packages
 ```
 
 **Multiple package support (like npm):**
@@ -125,13 +126,15 @@ pspm version patch --dry-run  # Preview changes without writing
 ### Publishing
 
 ```bash
-pspm publish                  # Publish current directory as a skill
-pspm publish --bump patch     # Auto-bump version (major, minor, patch)
-pspm publish --access public  # Publish and make public in one step
-pspm unpublish <spec> --force # Remove a published skill version
-pspm deprecate <spec> [msg]   # Mark a version as deprecated
+pspm publish --access private    # Publish as private (requires Pro)
+pspm publish --access public     # Publish as public (irreversible)
+pspm publish --access private --bump patch  # Bump version and publish
+pspm unpublish <spec> --force    # Remove a published skill version
+pspm deprecate <spec> [msg]      # Mark a version as deprecated
 ```
 
+**`--access` is required.** You must specify `--access public` or `--access private` every time you publish. Private skills require a Pro subscription.
+
 **Publish preview:** Before uploading, `pspm publish` shows a preview of included files, package size, and requires confirmation. Max package size is **10MB**.
 
 
@@ -310,3 +313,5 @@ pspm install --frozen-lockfile
 ## License
 
 This project is licensed under [The Artistic License 2.0](LICENSE), the same license used by npm.
+
+<!-- @doc-sync: 17484e41aef17ad72e470bb5511876ce0bdfcbb4 | 2026-02-20 15:00 -->

package/dist/index.js

@@ -1986,16 +1986,16 @@ async function installFromNode(node, options) {
   const skillsDir = getSkillsDir();
   const destDir = join(skillsDir, username, name);
   await mkdir(destDir, { recursive: true });
-  const { writeFile: writeFile8 } = await import('fs/promises');
+  const { writeFile: writeFile9 } = await import('fs/promises');
   const tempFile = join(destDir, ".temp.tgz");
-  await writeFile8(tempFile, tarballBuffer);
+  await writeFile9(tempFile, tarballBuffer);
   const { exec: exec2 } = await import('child_process');
   const { promisify: promisify2 } = await import('util');
   const execAsync = promisify2(exec2);
   try {
     await rm(destDir, { recursive: true, force: true });
     await mkdir(destDir, { recursive: true });
-    await writeFile8(tempFile, tarballBuffer);
+    await writeFile9(tempFile, tarballBuffer);
     await execAsync(
       `tar -xzf "${tempFile}" -C "${destDir}" --strip-components=1`
     );
@@ -2331,19 +2331,19 @@ async function access(specifier, options) {
       packageName = parsed.name;
       packageUsername = parsed.username;
     } else {
-      const { readFile: readFile8 } = await import('fs/promises');
-      const { join: join14 } = await import('path');
+      const { readFile: readFile9 } = await import('fs/promises');
+      const { join: join15 } = await import('path');
       let manifest = null;
       try {
-        const content = await readFile8(
-          join14(process.cwd(), "pspm.json"),
+        const content = await readFile9(
+          join15(process.cwd(), "pspm.json"),
           "utf-8"
         );
         manifest = JSON.parse(content);
       } catch {
         try {
-          const content = await readFile8(
-            join14(process.cwd(), "package.json"),
+          const content = await readFile9(
+            join15(process.cwd(), "package.json"),
             "utf-8"
           );
           manifest = JSON.parse(content);
@@ -3679,6 +3679,267 @@ async function migrate(options) {
     process.exit(1);
   }
 }
+function resolveVersion2(range, availableVersions) {
+  const sorted = availableVersions.filter((v) => semver.valid(v)).sort((a, b) => semver.rcompare(a, b));
+  if (range === "latest") {
+    return sorted[0] ?? null;
+  }
+  return semver.maxSatisfying(sorted, range);
+}
+function compareVersions2(a, b) {
+  return semver.compare(a, b);
+}
+function getLatestVersion2(versions) {
+  const valid3 = versions.filter((v) => semver.valid(v));
+  if (valid3.length === 0) return null;
+  return valid3.sort((a, b) => semver.rcompare(a, b))[0];
+}
+
+// ../../packages/server/skill-registry/src/client/outdated.ts
+function createOutdatedChecker(config2) {
+  const { registryUrl, apiKey, githubToken } = config2;
+  async function fetchWithAuth(url, token) {
+    const headers = {};
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const response = await fetch(url, { headers });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Request failed (${response.status}): ${text}`);
+    }
+    return response;
+  }
+  async function fetchRegistryVersions(username, name) {
+    const url = `${registryUrl}/@user/${username}/${name}/versions`;
+    const response = await fetchWithAuth(url, apiKey);
+    return await response.json();
+  }
+  async function checkRegistryPackage(specifier, entry, versionRange) {
+    const match = specifier.match(/^@user\/([^/]+)\/([^/]+)$/);
+    if (!match) {
+      throw new Error(`Invalid registry specifier: ${specifier}`);
+    }
+    const [, username, name] = match;
+    try {
+      const versions = await fetchRegistryVersions(username, name);
+      const versionStrings = versions.map((v) => v.version);
+      const range = versionRange || "*";
+      const wanted = resolveVersion2(range, versionStrings);
+      const latest = getLatestVersion2(versionStrings);
+      const currentVersionInfo = versions.find(
+        (v) => v.version === entry.version
+      );
+      const deprecated = currentVersionInfo?.deprecationMessage ?? void 0;
+      const isOutdated = wanted !== null && compareVersions2(entry.version, wanted) < 0 || latest !== null && compareVersions2(entry.version, latest) < 0;
+      const wantedBehindLatest = wanted !== null && latest !== null && compareVersions2(wanted, latest) < 0;
+      return {
+        name: specifier,
+        current: entry.version,
+        wanted,
+        latest,
+        type: "registry",
+        isOutdated,
+        wantedBehindLatest,
+        versionRange: range,
+        deprecated
+      };
+    } catch {
+      return {
+        name: specifier,
+        current: entry.version,
+        wanted: null,
+        latest: null,
+        type: "registry",
+        isOutdated: false,
+        wantedBehindLatest: false,
+        versionRange
+      };
+    }
+  }
+  async function fetchGitHubLatestCommit(owner, repo, ref) {
+    try {
+      const url = `https://api.github.com/repos/${owner}/${repo}/commits/${ref}`;
+      const response = await fetchWithAuth(url, githubToken);
+      const data = await response.json();
+      return data.sha;
+    } catch {
+      return null;
+    }
+  }
+  async function checkGitHubPackage(specifier, entry) {
+    const match = specifier.match(
+      /^github:([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_.-]+)/
+    );
+    if (!match) {
+      throw new Error(`Invalid GitHub specifier: ${specifier}`);
+    }
+    const [, owner, repo] = match;
+    const ref = entry.gitRef || "HEAD";
+    const latestCommit = await fetchGitHubLatestCommit(owner, repo, ref);
+    const currentShort = entry.gitCommit.slice(0, 7);
+    const latestShort = latestCommit?.slice(0, 7) ?? null;
+    const isOutdated = latestCommit !== null && entry.gitCommit !== latestCommit;
+    return {
+      name: specifier,
+      current: currentShort,
+      wanted: latestShort,
+      latest: latestShort,
+      type: "github",
+      isOutdated,
+      wantedBehindLatest: false,
+      versionRange: ref
+    };
+  }
+  function checkLocalPackage(specifier, _entry) {
+    return {
+      name: specifier,
+      current: "local",
+      wanted: null,
+      latest: null,
+      type: "local",
+      isOutdated: false,
+      wantedBehindLatest: false
+    };
+  }
+  async function checkOutdated2(options) {
+    const {
+      lockfile,
+      manifest,
+      includeUpToDate = false,
+      includeLocal = false,
+      packages: filterPackages
+    } = options;
+    const results = [];
+    const registryPackages = lockfile.packages || lockfile.skills || {};
+    const registryDeps = manifest?.dependencies || {};
+    const registryEntries = Object.entries(registryPackages).filter(
+      ([specifier]) => !filterPackages || filterPackages.includes(specifier)
+    );
+    const registryResults = await Promise.all(
+      registryEntries.map(
+        ([specifier, entry]) => checkRegistryPackage(
+          specifier,
+          entry,
+          registryDeps[specifier]
+        )
+      )
+    );
+    results.push(...registryResults);
+    const githubPackages = lockfile.githubPackages || {};
+    const githubEntries = Object.entries(githubPackages).filter(
+      ([specifier]) => !filterPackages || filterPackages.includes(specifier)
+    );
+    const githubResults = await Promise.all(
+      githubEntries.map(
+        ([specifier, entry]) => checkGitHubPackage(specifier, entry)
+      )
+    );
+    results.push(...githubResults);
+    if (includeLocal) {
+      const localPackages = lockfile.localPackages || {};
+      const localEntries = Object.entries(localPackages).filter(
+        ([specifier]) => !filterPackages || filterPackages.includes(specifier)
+      );
+      for (const [specifier, entry] of localEntries) {
+        results.push(checkLocalPackage(specifier));
+      }
+    }
+    if (!includeUpToDate) {
+      return results.filter((r) => r.isOutdated);
+    }
+    return results;
+  }
+  return {
+    checkOutdated: checkOutdated2,
+    checkRegistryPackage,
+    checkGitHubPackage,
+    checkLocalPackage,
+    fetchRegistryVersions
+  };
+}
+async function checkOutdated(config2, options) {
+  const checker = createOutdatedChecker(config2);
+  return checker.checkOutdated(options);
+}
+
+// src/commands/outdated.ts
+init_config();
+init_lockfile2();
+init_manifest2();
+async function outdated(packages, options) {
+  try {
+    const lockfile = await readLockfile();
+    if (!lockfile) {
+      console.log("No skills installed.");
+      return;
+    }
+    const hasPackages = Object.keys(lockfile.packages ?? lockfile.skills ?? {}).length > 0 || Object.keys(lockfile.githubPackages ?? {}).length > 0 || Object.keys(lockfile.localPackages ?? {}).length > 0;
+    if (!hasPackages) {
+      console.log("No skills installed.");
+      return;
+    }
+    const config2 = await resolveConfig();
+    const registryUrl = config2.registryUrl;
+    const apiKey = getTokenForRegistry(config2, registryUrl);
+    const githubToken = process.env.GITHUB_TOKEN;
+    const manifest = await readManifest();
+    console.log("Checking for outdated packages...\n");
+    const results = await checkOutdated(
+      { registryUrl, apiKey, githubToken },
+      {
+        lockfile,
+        manifest: manifest ?? void 0,
+        includeUpToDate: options.all,
+        packages: packages.length > 0 ? packages : void 0
+      }
+    );
+    if (results.length === 0) {
+      console.log("All skills are up to date.");
+      return;
+    }
+    if (options.json) {
+      console.log(JSON.stringify(results, null, 2));
+    } else {
+      printTable(results);
+    }
+    const deprecated = results.filter((r) => r.deprecated);
+    if (deprecated.length > 0) {
+      console.log("");
+      for (const r of deprecated) {
+        console.log(`\x1B[33m\u26A0 ${r.name}: ${r.deprecated}\x1B[0m`);
+      }
+    }
+    const hasOutdated = results.some((r) => r.isOutdated);
+    if (hasOutdated) {
+      process.exitCode = 1;
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Error: ${message}`);
+    process.exit(1);
+  }
+}
+function printTable(results) {
+  const headers = ["Package", "Current", "Wanted", "Latest", "Type"];
+  const rows = results.map((r) => [
+    r.name,
+    r.current,
+    r.wanted ?? "\u2014",
+    r.latest ?? "\u2014",
+    r.type
+  ]);
+  const widths = headers.map(
+    (h, i) => Math.max(h.length, ...rows.map((row) => row[i].length))
+  );
+  const headerLine = headers.map((h, i) => h.padEnd(widths[i])).join("  ");
+  console.log(headerLine);
+  console.log(widths.map((w) => "\u2500".repeat(w)).join("\u2500\u2500"));
+  for (const row of rows) {
+    const line = row.map((cell, i) => cell.padEnd(widths[i])).join("  ");
+    console.log(line);
+  }
+}
 
 // src/commands/publish.ts
 init_api_client();
@@ -3813,8 +4074,8 @@ async function publishCommand(options) {
       dependencies: manifest.dependencies
     };
     if (options.bump) {
-      const semver3 = await import('semver');
-      const newVersion = semver3.default.inc(packageJson2.version, options.bump);
+      const semver4 = await import('semver');
+      const newVersion = semver4.default.inc(packageJson2.version, options.bump);
       if (!newVersion) {
         console.error(
           `Error: Failed to bump version from ${packageJson2.version}`
@@ -4370,6 +4631,9 @@ program.command("link").description("Recreate agent symlinks without reinstallin
 program.command("update").description("Update all skills to latest compatible versions").option("--dry-run", "Show what would be updated without making changes").action(async (options) => {
   await update({ dryRun: options.dryRun });
 });
+program.command("outdated [packages...]").description("Check for outdated skills").option("--json", "Output as JSON").option("--all", "Include up-to-date packages").action(async (packages, options) => {
+  await outdated(packages, { json: options.json, all: options.all });
+});
 program.command("version <bump>").description("Bump package version (major, minor, patch)").option("--dry-run", "Show what would be changed without writing").action(async (bump, options) => {
   const validBumps = ["major", "minor", "patch"];
   if (!validBumps.includes(bump)) {
@@ -4381,11 +4645,19 @@ program.command("version <bump>").description("Bump package version (major, mino
     dryRun: options.dryRun
   });
 });
-program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").option("--access <level>", "Set package visibility (public or private)").action(async (options) => {
+program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").requiredOption(
+  "--access <level>",
+  "Set package visibility (public or private)"
+).action(async (options) => {
+  const access3 = options.access;
+  if (access3 !== "public" && access3 !== "private") {
+    console.error('Error: --access must be "public" or "private"');
+    process.exit(1);
+  }
   await publishCommand({
     bump: options.bump,
     tag: options.tag,
-    access: options.access
+    access: access3
   });
 });
 program.command("unpublish <specifier>").description(