@cpmai/cli 0.1.1

package/dist/index.js

@@ -0,0 +1,2167 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+import chalk6 from "chalk";
+
+// src/commands/install.ts
+import chalk from "chalk";
+import ora from "ora";
+import path6 from "path";
+
+// src/adapters/claude-code.ts
+import fs2 from "fs-extra";
+import path2 from "path";
+
+// src/adapters/base.ts
+var PlatformAdapter = class {
+};
+
+// src/utils/platform.ts
+import fs from "fs-extra";
+import path from "path";
+import os from "os";
+var detectionRules = {
+  "claude-code": {
+    paths: [".claude", ".claude.json"],
+    global: [
+      path.join(os.homedir(), ".claude.json"),
+      path.join(os.homedir(), ".claude")
+    ]
+  }
+};
+async function detectPlatforms(projectPath = process.cwd()) {
+  const results = [];
+  for (const [platform, rules] of Object.entries(detectionRules)) {
+    let detected = false;
+    let configPath;
+    for (const p of rules.paths) {
+      const fullPath = path.join(projectPath, p);
+      if (await fs.pathExists(fullPath)) {
+        detected = true;
+        configPath = fullPath;
+        break;
+      }
+    }
+    if (!detected) {
+      for (const p of rules.global) {
+        if (await fs.pathExists(p)) {
+          detected = true;
+          configPath = p;
+          break;
+        }
+      }
+    }
+    results.push({
+      platform,
+      detected,
+      configPath
+    });
+  }
+  return results;
+}
+async function getDetectedPlatforms(projectPath = process.cwd()) {
+  const detections = await detectPlatforms(projectPath);
+  return detections.filter((d) => d.detected).map((d) => d.platform);
+}
+function getClaudeCodeHome() {
+  return path.join(os.homedir(), ".claude");
+}
+function getRulesPath(platform) {
+  if (platform !== "claude-code") {
+    throw new Error(`Rules path is not supported for platform: ${platform}`);
+  }
+  return path.join(getClaudeCodeHome(), "rules");
+}
+function getSkillsPath() {
+  return path.join(getClaudeCodeHome(), "skills");
+}
+
+// src/utils/logger.ts
+import { createConsola } from "consola";
+function getLogLevel(options) {
+  if (options.quiet) return 0;
+  if (options.verbose) return 4;
+  return 3;
+}
+function createLogger(options = {}) {
+  const consola = createConsola({
+    level: getLogLevel(options),
+    formatOptions: {
+      date: false,
+      colors: true,
+      compact: true
+    }
+  });
+  return {
+    /**
+     * Debug message (only shown in verbose mode)
+     */
+    debug: (message, ...args) => {
+      consola.debug(message, ...args);
+    },
+    /**
+     * Informational message
+     */
+    info: (message, ...args) => {
+      consola.info(message, ...args);
+    },
+    /**
+     * Success message
+     */
+    success: (message, ...args) => {
+      consola.success(message, ...args);
+    },
+    /**
+     * Warning message
+     */
+    warn: (message, ...args) => {
+      consola.warn(message, ...args);
+    },
+    /**
+     * Error message
+     */
+    error: (message, ...args) => {
+      consola.error(message, ...args);
+    },
+    /**
+     * Plain output (always shown, no prefix)
+     * Use for formatted CLI output like tables, lists
+     */
+    log: (message) => {
+      if (!options.quiet) {
+        console.log(message);
+      }
+    },
+    /**
+     * Output a blank line
+     */
+    newline: () => {
+      if (!options.quiet) {
+        console.log();
+      }
+    },
+    /**
+     * Check if in quiet mode
+     */
+    isQuiet: () => options.quiet ?? false,
+    /**
+     * Check if in verbose mode
+     */
+    isVerbose: () => options.verbose ?? false
+  };
+}
+var loggerOptions = {};
+var loggerInstance = createLogger(loggerOptions);
+function configureLogger(options) {
+  loggerOptions = options;
+  loggerInstance = createLogger(options);
+}
+var logger = {
+  debug: (message, ...args) => loggerInstance.debug(message, ...args),
+  info: (message, ...args) => loggerInstance.info(message, ...args),
+  success: (message, ...args) => loggerInstance.success(message, ...args),
+  warn: (message, ...args) => loggerInstance.warn(message, ...args),
+  error: (message, ...args) => loggerInstance.error(message, ...args),
+  log: (message) => loggerInstance.log(message),
+  newline: () => loggerInstance.newline(),
+  isQuiet: () => loggerInstance.isQuiet(),
+  isVerbose: () => loggerInstance.isVerbose()
+};
+
+// src/adapters/claude-code.ts
+var ALLOWED_MCP_COMMANDS = [
+  "npx",
+  "node",
+  "python",
+  "python3",
+  "deno",
+  "bun",
+  "uvx"
+];
+var BLOCKED_MCP_ARG_PATTERNS = [
+  /--eval/i,
+  /-e\s/,
+  /-c\s/,
+  /\bcurl\b/i,
+  /\bwget\b/i,
+  /\brm\s/i,
+  /\bsudo\b/i,
+  /\bchmod\b/i,
+  /\bchown\b/i,
+  /[|;&`$]/
+  // Shell metacharacters
+];
+function validateMcpConfig(mcp) {
+  if (!mcp?.command) {
+    return { valid: false, error: "MCP command is required" };
+  }
+  const baseCommand = path2.basename(mcp.command);
+  if (!ALLOWED_MCP_COMMANDS.includes(
+    baseCommand
+  )) {
+    return {
+      valid: false,
+      error: `MCP command '${baseCommand}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
+    };
+  }
+  if (mcp.args) {
+    const argsString = mcp.args.join(" ");
+    for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
+      if (pattern.test(argsString)) {
+        return {
+          valid: false,
+          error: `MCP arguments contain blocked pattern: ${pattern.source}`
+        };
+      }
+    }
+  }
+  return { valid: true };
+}
+function sanitizeFileName(fileName) {
+  if (!fileName || typeof fileName !== "string") {
+    return { safe: false, sanitized: "", error: "File name cannot be empty" };
+  }
+  const baseName = path2.basename(fileName);
+  if (baseName.includes("\0")) {
+    return {
+      safe: false,
+      sanitized: "",
+      error: "File name contains null bytes"
+    };
+  }
+  if (baseName.startsWith(".") && baseName !== ".md") {
+    return { safe: false, sanitized: "", error: "Hidden files not allowed" };
+  }
+  const sanitized = baseName.replace(/[<>:"|?*\\]/g, "_");
+  if (sanitized.includes("..") || sanitized.includes("/") || sanitized.includes("\\")) {
+    return {
+      safe: false,
+      sanitized: "",
+      error: "Path traversal detected in file name"
+    };
+  }
+  if (!sanitized.endsWith(".md")) {
+    return { safe: false, sanitized: "", error: "Only .md files allowed" };
+  }
+  return { safe: true, sanitized };
+}
+function sanitizeFolderName(name) {
+  if (!name || typeof name !== "string") {
+    throw new Error("Package name cannot be empty");
+  }
+  let decoded = name;
+  try {
+    decoded = decodeURIComponent(name);
+  } catch {
+  }
+  if (decoded.includes("\0")) {
+    throw new Error("Invalid package name: contains null bytes");
+  }
+  let sanitized = decoded.includes("/") ? decoded.split("/").pop() || decoded : decoded.replace(/^@/, "");
+  sanitized = sanitized.replace(/\.\./g, "");
+  sanitized = sanitized.replace(/%2e%2e/gi, "");
+  sanitized = sanitized.replace(/%2f/gi, "");
+  sanitized = sanitized.replace(/%5c/gi, "");
+  sanitized = sanitized.replace(/[<>:"|?*\\]/g, "");
+  if (!sanitized || sanitized.startsWith(".")) {
+    throw new Error(`Invalid package name: ${name}`);
+  }
+  const normalized = path2.normalize(sanitized);
+  if (normalized !== sanitized || normalized.includes("..")) {
+    throw new Error(`Invalid package name (path traversal detected): ${name}`);
+  }
+  const testPath = path2.join("/test", sanitized);
+  const resolved = path2.resolve(testPath);
+  if (!resolved.startsWith("/test/")) {
+    throw new Error(`Invalid package name (path traversal detected): ${name}`);
+  }
+  return sanitized;
+}
+function isPathWithinDirectory(filePath, directory) {
+  const resolvedPath = path2.resolve(filePath);
+  const resolvedDir = path2.resolve(directory);
+  return resolvedPath.startsWith(resolvedDir + path2.sep) || resolvedPath === resolvedDir;
+}
+async function writePackageMetadata(packageDir, manifest) {
+  const metadata = {
+    name: manifest.name,
+    version: manifest.version,
+    type: manifest.type || "unknown",
+    installedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const metadataPath = path2.join(packageDir, ".cpm.json");
+  try {
+    await fs2.writeJson(metadataPath, metadata, { spaces: 2 });
+  } catch (error) {
+    logger.warn(
+      `Could not write metadata: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+  return metadataPath;
+}
+var ClaudeCodeAdapter = class extends PlatformAdapter {
+  platform = "claude-code";
+  displayName = "Claude Code";
+  async isAvailable(_projectPath) {
+    return true;
+  }
+  async install(manifest, projectPath, packagePath) {
+    const filesWritten = [];
+    try {
+      switch (manifest.type) {
+        case "rules": {
+          const rulesResult = await this.installRules(
+            manifest,
+            projectPath,
+            packagePath
+          );
+          filesWritten.push(...rulesResult);
+          break;
+        }
+        case "skill": {
+          const skillResult = await this.installSkill(
+            manifest,
+            projectPath,
+            packagePath
+          );
+          filesWritten.push(...skillResult);
+          break;
+        }
+        case "mcp": {
+          const mcpResult = await this.installMcp(manifest, projectPath);
+          filesWritten.push(...mcpResult);
+          break;
+        }
+        default:
+          if (manifest.skill) {
+            const skillResult = await this.installSkill(
+              manifest,
+              projectPath,
+              packagePath
+            );
+            filesWritten.push(...skillResult);
+          } else if (manifest.mcp) {
+            const mcpResult = await this.installMcp(manifest, projectPath);
+            filesWritten.push(...mcpResult);
+          } else if (manifest.universal?.rules) {
+            const rulesResult = await this.installRules(
+              manifest,
+              projectPath,
+              packagePath
+            );
+            filesWritten.push(...rulesResult);
+          }
+      }
+      return {
+        success: true,
+        platform: "claude-code",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "claude-code",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async uninstall(packageName, _projectPath) {
+    const filesWritten = [];
+    const folderName = sanitizeFolderName(packageName);
+    try {
+      const rulesBaseDir = getRulesPath("claude-code");
+      const rulesPath = path2.join(rulesBaseDir, folderName);
+      if (await fs2.pathExists(rulesPath)) {
+        await fs2.remove(rulesPath);
+        filesWritten.push(rulesPath);
+      }
+      const skillsDir = getSkillsPath();
+      const skillPath = path2.join(skillsDir, folderName);
+      if (await fs2.pathExists(skillPath)) {
+        await fs2.remove(skillPath);
+        filesWritten.push(skillPath);
+      }
+      await this.removeMcpServer(folderName, filesWritten);
+      return {
+        success: true,
+        platform: "claude-code",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "claude-code",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Remove an MCP server configuration from ~/.claude.json
+   */
+  async removeMcpServer(serverName, filesWritten) {
+    const claudeHome = getClaudeCodeHome();
+    const mcpConfigPath = path2.join(path2.dirname(claudeHome), ".claude.json");
+    if (!await fs2.pathExists(mcpConfigPath)) {
+      return;
+    }
+    try {
+      const config = await fs2.readJson(mcpConfigPath);
+      const mcpServers = config.mcpServers;
+      if (!mcpServers || !mcpServers[serverName]) {
+        return;
+      }
+      const { [serverName]: _removed, ...remainingServers } = mcpServers;
+      const updatedConfig = {
+        ...config,
+        mcpServers: remainingServers
+      };
+      await fs2.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+      filesWritten.push(mcpConfigPath);
+    } catch (error) {
+      logger.warn(
+        `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  async installRules(manifest, _projectPath, packagePath) {
+    const filesWritten = [];
+    const rulesBaseDir = getRulesPath("claude-code");
+    const folderName = sanitizeFolderName(manifest.name);
+    const rulesDir = path2.join(rulesBaseDir, folderName);
+    await fs2.ensureDir(rulesDir);
+    if (packagePath && await fs2.pathExists(packagePath)) {
+      const files = await fs2.readdir(packagePath);
+      const mdFiles = files.filter(
+        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
+      );
+      if (mdFiles.length > 0) {
+        for (const file of mdFiles) {
+          const validation = sanitizeFileName(file);
+          if (!validation.safe) {
+            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
+            continue;
+          }
+          const srcPath = path2.join(packagePath, file);
+          const destPath = path2.join(rulesDir, validation.sanitized);
+          if (!isPathWithinDirectory(destPath, rulesDir)) {
+            logger.warn(`Blocked path traversal attempt: ${file}`);
+            continue;
+          }
+          await fs2.copy(srcPath, destPath);
+          filesWritten.push(destPath);
+        }
+        const metadataPath2 = await writePackageMetadata(rulesDir, manifest);
+        filesWritten.push(metadataPath2);
+        return filesWritten;
+      }
+    }
+    const rulesContent = manifest.universal?.rules || manifest.universal?.prompt;
+    if (!rulesContent) return filesWritten;
+    const rulesPath = path2.join(rulesDir, "RULES.md");
+    const content = `# ${manifest.name}
+
+${manifest.description}
+
+${rulesContent.trim()}
+`;
+    await fs2.writeFile(rulesPath, content, "utf-8");
+    filesWritten.push(rulesPath);
+    const metadataPath = await writePackageMetadata(rulesDir, manifest);
+    filesWritten.push(metadataPath);
+    return filesWritten;
+  }
+  async installSkill(manifest, _projectPath, packagePath) {
+    const filesWritten = [];
+    const skillsDir = getSkillsPath();
+    const folderName = sanitizeFolderName(manifest.name);
+    const skillDir = path2.join(skillsDir, folderName);
+    await fs2.ensureDir(skillDir);
+    if (packagePath && await fs2.pathExists(packagePath)) {
+      const files = await fs2.readdir(packagePath);
+      const contentFiles = files.filter(
+        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
+      );
+      if (contentFiles.length > 0) {
+        for (const file of contentFiles) {
+          const validation = sanitizeFileName(file);
+          if (!validation.safe) {
+            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
+            continue;
+          }
+          const srcPath = path2.join(packagePath, file);
+          const destPath = path2.join(skillDir, validation.sanitized);
+          if (!isPathWithinDirectory(destPath, skillDir)) {
+            logger.warn(`Blocked path traversal attempt: ${file}`);
+            continue;
+          }
+          await fs2.copy(srcPath, destPath);
+          filesWritten.push(destPath);
+        }
+        const metadataPath = await writePackageMetadata(skillDir, manifest);
+        filesWritten.push(metadataPath);
+        return filesWritten;
+      }
+    }
+    if (manifest.skill) {
+      const skillContent = this.formatSkillMd(manifest);
+      const skillPath = path2.join(skillDir, "SKILL.md");
+      await fs2.writeFile(skillPath, skillContent, "utf-8");
+      filesWritten.push(skillPath);
+      const metadataPath = await writePackageMetadata(skillDir, manifest);
+      filesWritten.push(metadataPath);
+    } else if (manifest.universal?.prompt || manifest.universal?.rules) {
+      const content = manifest.universal.prompt || manifest.universal.rules || "";
+      const skillPath = path2.join(skillDir, "SKILL.md");
+      const skillContent = `# ${manifest.name}
+
+${manifest.description}
+
+${content.trim()}
+`;
+      await fs2.writeFile(skillPath, skillContent, "utf-8");
+      filesWritten.push(skillPath);
+      const metadataPath = await writePackageMetadata(skillDir, manifest);
+      filesWritten.push(metadataPath);
+    }
+    return filesWritten;
+  }
+  async installMcp(manifest, _projectPath) {
+    const filesWritten = [];
+    if (!manifest.mcp) return filesWritten;
+    const mcpValidation = validateMcpConfig(manifest.mcp);
+    if (!mcpValidation.valid) {
+      throw new Error(`MCP security validation failed: ${mcpValidation.error}`);
+    }
+    const claudeHome = getClaudeCodeHome();
+    const mcpConfigPath = path2.join(path2.dirname(claudeHome), ".claude.json");
+    let existingConfig = {};
+    if (await fs2.pathExists(mcpConfigPath)) {
+      try {
+        existingConfig = await fs2.readJson(mcpConfigPath);
+      } catch {
+        logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+        existingConfig = {};
+      }
+    }
+    const sanitizedName = sanitizeFolderName(manifest.name);
+    const existingMcpServers = existingConfig.mcpServers || {};
+    const updatedConfig = {
+      ...existingConfig,
+      mcpServers: {
+        ...existingMcpServers,
+        [sanitizedName]: {
+          command: manifest.mcp.command,
+          args: manifest.mcp.args,
+          env: manifest.mcp.env
+        }
+      }
+    };
+    await fs2.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+    filesWritten.push(mcpConfigPath);
+    return filesWritten;
+  }
+  formatSkillMd(manifest) {
+    if (!manifest.skill) {
+      throw new Error(
+        "Cannot format skill markdown: manifest.skill is undefined"
+      );
+    }
+    const skill = manifest.skill;
+    const content = manifest.universal?.prompt || manifest.universal?.rules || "";
+    return `---
+name: ${manifest.name}
+command: ${skill.command || `/${manifest.name}`}
+description: ${skill.description || manifest.description}
+version: ${manifest.version}
+---
+
+# ${manifest.name}
+
+${manifest.description}
+
+## Instructions
+
+${content.trim()}
+`;
+  }
+};
+
+// src/adapters/index.ts
+var adapters = {
+  "claude-code": new ClaudeCodeAdapter()
+};
+function getAdapter(platform) {
+  return adapters[platform];
+}
+
+// src/utils/config.ts
+import path3 from "path";
+import os2 from "os";
+import fs3 from "fs-extra";
+function getClaudeHome() {
+  return path3.join(os2.homedir(), ".claude");
+}
+async function ensureClaudeDirs() {
+  const claudeHome = getClaudeHome();
+  await fs3.ensureDir(path3.join(claudeHome, "rules"));
+  await fs3.ensureDir(path3.join(claudeHome, "skills"));
+}
+
+// src/utils/registry.ts
+import got from "got";
+import fs4 from "fs-extra";
+import path4 from "path";
+import os3 from "os";
+
+// src/types.ts
+function getTypeFromPath(path9) {
+  if (path9.startsWith("skills/")) return "skill";
+  if (path9.startsWith("rules/")) return "rules";
+  if (path9.startsWith("mcp/")) return "mcp";
+  if (path9.startsWith("agents/")) return "agent";
+  if (path9.startsWith("hooks/")) return "hook";
+  if (path9.startsWith("workflows/")) return "workflow";
+  if (path9.startsWith("templates/")) return "template";
+  if (path9.startsWith("bundles/")) return "bundle";
+  return null;
+}
+function resolvePackageType(pkg) {
+  if (pkg.type) return pkg.type;
+  if (pkg.path) {
+    const derived = getTypeFromPath(pkg.path);
+    if (derived) return derived;
+  }
+  throw new Error(`Cannot determine type for package: ${pkg.name}`);
+}
+
+// src/utils/registry.ts
+var DEFAULT_REGISTRY_URL = process.env.CPM_REGISTRY_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
+var CACHE_DIR = path4.join(os3.homedir(), ".cpm", "cache");
+var CACHE_FILE = path4.join(CACHE_DIR, "registry.json");
+var CACHE_TTL = 5 * 60 * 1e3;
+var Registry = class {
+  registryUrl;
+  cache = null;
+  cacheTimestamp = 0;
+  constructor(registryUrl = DEFAULT_REGISTRY_URL) {
+    this.registryUrl = registryUrl;
+  }
+  /**
+   * Fetch the registry data (with caching)
+   */
+  async fetch(forceRefresh = false) {
+    if (!forceRefresh && this.cache && Date.now() - this.cacheTimestamp < CACHE_TTL) {
+      return this.cache;
+    }
+    if (!forceRefresh) {
+      try {
+        await fs4.ensureDir(CACHE_DIR);
+        if (await fs4.pathExists(CACHE_FILE)) {
+          const stat = await fs4.stat(CACHE_FILE);
+          if (Date.now() - stat.mtimeMs < CACHE_TTL) {
+            const cached = await fs4.readJson(CACHE_FILE);
+            this.cache = cached;
+            this.cacheTimestamp = Date.now();
+            return cached;
+          }
+        }
+      } catch {
+      }
+    }
+    try {
+      const response = await got(this.registryUrl, {
+        timeout: { request: 1e4 },
+        responseType: "json"
+      });
+      const data = response.body;
+      this.cache = data;
+      this.cacheTimestamp = Date.now();
+      try {
+        await fs4.ensureDir(CACHE_DIR);
+        await fs4.writeJson(CACHE_FILE, data, { spaces: 2 });
+      } catch {
+      }
+      return data;
+    } catch {
+      if (this.cache) {
+        return this.cache;
+      }
+      try {
+        if (await fs4.pathExists(CACHE_FILE)) {
+          const cached = await fs4.readJson(CACHE_FILE);
+          this.cache = cached;
+          return cached;
+        }
+      } catch {
+      }
+      return this.getFallbackRegistry();
+    }
+  }
+  /**
+   * Search for packages
+   */
+  async search(options = {}) {
+    const data = await this.fetch();
+    let packages = [...data.packages];
+    if (options.query) {
+      const query = options.query.toLowerCase();
+      packages = packages.filter(
+        (pkg) => pkg.name?.toLowerCase().includes(query) || pkg.description?.toLowerCase().includes(query) || pkg.keywords?.some((k) => k?.toLowerCase().includes(query))
+      );
+    }
+    if (options.type) {
+      packages = packages.filter((pkg) => {
+        try {
+          return resolvePackageType(pkg) === options.type;
+        } catch {
+          return false;
+        }
+      });
+    }
+    const sort = options.sort || "downloads";
+    packages.sort((a, b) => {
+      switch (sort) {
+        case "downloads":
+          return (b.downloads ?? 0) - (a.downloads ?? 0);
+        case "stars":
+          return (b.stars ?? 0) - (a.stars ?? 0);
+        case "recent":
+          return new Date(b.publishedAt || 0).getTime() - new Date(a.publishedAt || 0).getTime();
+        case "name":
+          return (a.name ?? "").localeCompare(b.name ?? "");
+        default:
+          return 0;
+      }
+    });
+    const total = packages.length;
+    const offset = options.offset || 0;
+    const limit = options.limit || 10;
+    packages = packages.slice(offset, offset + limit);
+    return { packages, total };
+  }
+  /**
+   * Get a specific package by name
+   */
+  async getPackage(name) {
+    const data = await this.fetch();
+    return data.packages.find((pkg) => pkg.name === name) || null;
+  }
+  /**
+   * Get package manifest from GitHub
+   */
+  async getManifest(pkg) {
+    if (!pkg.repository) {
+      return null;
+    }
+    try {
+      const repoUrl = pkg.repository.replace(
+        "github.com",
+        "raw.githubusercontent.com"
+      );
+      const manifestUrl = `${repoUrl}/main/cpm.yaml`;
+      const response = await got(manifestUrl, {
+        timeout: { request: 1e4 }
+      });
+      const yaml2 = await import("yaml");
+      return yaml2.parse(response.body);
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Fallback registry data when network is unavailable
+   */
+  getFallbackRegistry() {
+    return {
+      version: 1,
+      updated: (/* @__PURE__ */ new Date()).toISOString(),
+      packages: [
+        {
+          name: "@cpm/nextjs-rules",
+          version: "1.0.0",
+          description: "Next.js 14+ App Router conventions and best practices for Claude Code",
+          type: "rules",
+          author: "cpm",
+          downloads: 1250,
+          stars: 89,
+          verified: true,
+          repository: "https://github.com/cpm-ai/nextjs-rules",
+          tarball: "https://github.com/cpm-ai/nextjs-rules/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["nextjs", "react", "typescript", "app-router"]
+        },
+        {
+          name: "@cpm/typescript-strict",
+          version: "1.0.0",
+          description: "TypeScript strict mode best practices and conventions",
+          type: "rules",
+          author: "cpm",
+          downloads: 980,
+          stars: 67,
+          verified: true,
+          repository: "https://github.com/cpm-ai/typescript-strict",
+          tarball: "https://github.com/cpm-ai/typescript-strict/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["typescript", "strict", "types"]
+        },
+        {
+          name: "@cpm/react-patterns",
+          version: "1.0.0",
+          description: "React component patterns and best practices",
+          type: "rules",
+          author: "cpm",
+          downloads: 875,
+          stars: 54,
+          verified: true,
+          repository: "https://github.com/cpm-ai/react-patterns",
+          tarball: "https://github.com/cpm-ai/react-patterns/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["react", "components", "hooks", "patterns"]
+        },
+        {
+          name: "@cpm/code-review",
+          version: "1.0.0",
+          description: "Automated code review skill for Claude Code",
+          type: "skill",
+          author: "cpm",
+          downloads: 2100,
+          stars: 156,
+          verified: true,
+          repository: "https://github.com/cpm-ai/code-review",
+          tarball: "https://github.com/cpm-ai/code-review/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["code-review", "quality", "skill"]
+        },
+        {
+          name: "@cpm/git-commit",
+          version: "1.0.0",
+          description: "Smart commit message generation skill",
+          type: "skill",
+          author: "cpm",
+          downloads: 1800,
+          stars: 112,
+          verified: true,
+          repository: "https://github.com/cpm-ai/git-commit",
+          tarball: "https://github.com/cpm-ai/git-commit/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["git", "commit", "messages", "skill"]
+        },
+        {
+          name: "@cpm/api-design",
+          version: "1.0.0",
+          description: "REST and GraphQL API design conventions",
+          type: "rules",
+          author: "cpm",
+          downloads: 650,
+          stars: 43,
+          verified: true,
+          repository: "https://github.com/cpm-ai/api-design",
+          tarball: "https://github.com/cpm-ai/api-design/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["api", "rest", "graphql", "design"]
+        },
+        {
+          name: "@cpm/testing-patterns",
+          version: "1.0.0",
+          description: "Testing best practices for JavaScript/TypeScript projects",
+          type: "rules",
+          author: "cpm",
+          downloads: 720,
+          stars: 51,
+          verified: true,
+          repository: "https://github.com/cpm-ai/testing-patterns",
+          tarball: "https://github.com/cpm-ai/testing-patterns/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["testing", "jest", "vitest", "patterns"]
+        },
+        {
+          name: "@cpm/refactor",
+          version: "1.0.0",
+          description: "Code refactoring assistant skill",
+          type: "skill",
+          author: "cpm",
+          downloads: 1450,
+          stars: 98,
+          verified: true,
+          repository: "https://github.com/cpm-ai/refactor",
+          tarball: "https://github.com/cpm-ai/refactor/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["refactor", "clean-code", "skill"]
+        },
+        {
+          name: "@cpm/explain",
+          version: "1.0.0",
+          description: "Code explanation and documentation skill",
+          type: "skill",
+          author: "cpm",
+          downloads: 1320,
+          stars: 87,
+          verified: true,
+          repository: "https://github.com/cpm-ai/explain",
+          tarball: "https://github.com/cpm-ai/explain/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["explain", "documentation", "skill"]
+        },
+        {
+          name: "@cpm/github-mcp",
+          version: "1.0.0",
+          description: "GitHub API integration MCP server for Claude Code",
+          type: "mcp",
+          author: "cpm",
+          downloads: 890,
+          stars: 72,
+          verified: true,
+          repository: "https://github.com/cpm-ai/github-mcp",
+          tarball: "https://github.com/cpm-ai/github-mcp/releases/download/v1.0.0/package.tar.gz",
+          keywords: ["github", "mcp", "api", "integration"]
+        }
+      ]
+    };
+  }
+};
+var registry = new Registry();
+
+// src/utils/downloader.ts
+import got2 from "got";
+import fs5 from "fs-extra";
+import path5 from "path";
+import os4 from "os";
+import * as tar from "tar";
+import yaml from "yaml";
+
+// src/utils/embedded-packages.ts
+var EMBEDDED_PACKAGES = {
+  "@cpm/nextjs-rules": {
+    name: "@cpm/nextjs-rules",
+    version: "1.0.0",
+    description: "Next.js 14+ App Router conventions and best practices for Claude Code",
+    type: "rules",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["nextjs", "react", "typescript", "app-router"],
+    universal: {
+      globs: ["**/*.tsx", "**/*.ts", "app/**/*", "src/**/*"],
+      rules: `# Next.js 14+ Best Practices
+
+You are an expert Next.js developer specializing in the App Router architecture.
+
+## Core Principles
+
+1. **App Router First**: Always use the App Router (\`app/\` directory), never the Pages Router
+2. **Server Components by Default**: Components are Server Components unless marked with \`'use client'\`
+3. **TypeScript Required**: Use TypeScript with strict mode enabled
+4. **Colocation**: Keep related files together (components, styles, tests)
+
+## File Conventions
+
+- \`page.tsx\` - Unique UI for a route
+- \`layout.tsx\` - Shared UI for a segment and children
+- \`loading.tsx\` - Loading UI with Suspense
+- \`error.tsx\` - Error boundary with recovery
+- \`not-found.tsx\` - 404 UI for a segment
+
+## Data Fetching
+
+- Use \`fetch()\` in Server Components with proper caching
+- Implement \`generateStaticParams\` for static generation
+- Use \`revalidatePath\` and \`revalidateTag\` for on-demand revalidation
+- Prefer Server Actions for mutations
+
+## Component Patterns
+
+\`\`\`typescript
+// Server Component (default)
+async function ProductList() {
+  const products = await getProducts();
+  return <ul>{products.map(p => <li key={p.id}>{p.name}</li>)}</ul>;
+}
+
+// Client Component (interactive)
+'use client';
+function Counter() {
+  const [count, setCount] = useState(0);
+  return <button onClick={() => setCount(c => c + 1)}>{count}</button>;
+}
+\`\`\`
+
+## Best Practices
+
+- Use \`next/image\` for optimized images
+- Implement proper metadata with \`generateMetadata\`
+- Use route groups \`(group)\` for organization without URL impact
+- Implement parallel routes for complex UIs
+- Use intercepting routes for modals`
+    }
+  },
+  "@cpm/typescript-strict": {
+    name: "@cpm/typescript-strict",
+    version: "1.0.0",
+    description: "TypeScript strict mode best practices and conventions",
+    type: "rules",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["typescript", "strict", "types"],
+    universal: {
+      globs: ["**/*.ts", "**/*.tsx"],
+      rules: `# TypeScript Strict Mode Best Practices
+
+You are an expert TypeScript developer who prioritizes type safety and clean code.
+
+## Strict Mode Requirements
+
+Always ensure these compiler options are enabled:
+- \`strict: true\` (enables all strict checks)
+- \`noUncheckedIndexedAccess: true\`
+- \`noImplicitReturns: true\`
+- \`noFallthroughCasesInSwitch: true\`
+
+## Type Safety Principles
+
+1. **No \`any\`**: Never use \`any\`. Use \`unknown\` with type guards instead.
+2. **Explicit Return Types**: Always declare return types for functions.
+3. **Readonly by Default**: Use \`readonly\` and \`Readonly<T>\` wherever possible.
+4. **Discriminated Unions**: Prefer discriminated unions over optional properties.
+
+## Patterns
+
+\`\`\`typescript
+// Good: Discriminated union
+type Result<T> =
+  | { success: true; data: T }
+  | { success: false; error: Error };
+
+// Good: Type guard
+function isString(value: unknown): value is string {
+  return typeof value === 'string';
+}
+
+// Good: Explicit return type
+function getUser(id: string): Promise<User | null> {
+  return db.users.find(id);
+}
+
+// Good: Readonly
+function processItems(items: readonly Item[]): void {
+  // Cannot mutate items
+}
+\`\`\`
+
+## Avoid
+
+- \`as\` type assertions (use type guards)
+- Non-null assertion \`!\` (use proper null checks)
+- \`Object\`, \`Function\`, \`{}\` types (be specific)
+- Implicit \`any\` from untyped imports`
+    }
+  },
+  "@cpm/code-review": {
+    name: "@cpm/code-review",
+    version: "1.0.0",
+    description: "Automated code review skill for Claude Code",
+    type: "skill",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["code-review", "quality", "skill"],
+    skill: {
+      command: "/review",
+      description: "Review code for bugs, performance, and best practices"
+    },
+    universal: {
+      prompt: `# Code Review Skill
+
+You are an expert code reviewer. When the user invokes /review, analyze the provided code thoroughly.
+
+## Review Checklist
+
+1. **Bugs & Logic Errors**
+   - Off-by-one errors
+   - Null/undefined handling
+   - Race conditions
+   - Error handling gaps
+
+2. **Performance**
+   - Unnecessary re-renders (React)
+   - N+1 queries
+   - Memory leaks
+   - Inefficient algorithms
+
+3. **Security**
+   - Input validation
+   - SQL injection risks
+   - XSS vulnerabilities
+   - Secrets in code
+
+4. **Maintainability**
+   - Code complexity
+   - Naming conventions
+   - DRY violations
+   - Missing documentation
+
+5. **Best Practices**
+   - Framework conventions
+   - Design patterns
+   - Error boundaries
+   - Testing considerations
+
+## Output Format
+
+\`\`\`
+## Code Review Summary
+
+### Critical Issues
+- [ ] Issue description with line reference
+
+### Warnings
+- [ ] Warning description
+
+### Suggestions
+- [ ] Suggestion for improvement
+
+### Positive Notes
+- What's done well
+\`\`\``
+    }
+  },
+  "@cpm/git-commit": {
+    name: "@cpm/git-commit",
+    version: "1.0.0",
+    description: "Smart commit message generation skill",
+    type: "skill",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["git", "commit", "messages", "skill"],
+    skill: {
+      command: "/commit",
+      description: "Generate a commit message for staged changes"
+    },
+    universal: {
+      prompt: `# Git Commit Message Skill
+
+Generate clear, conventional commit messages based on staged changes.
+
+## Commit Format
+
+\`\`\`
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+\`\`\`
+
+## Types
+
+- **feat**: New feature
+- **fix**: Bug fix
+- **docs**: Documentation changes
+- **style**: Formatting, no code change
+- **refactor**: Code restructuring
+- **perf**: Performance improvement
+- **test**: Adding tests
+- **chore**: Maintenance tasks
+
+## Guidelines
+
+1. Subject line max 50 characters
+2. Use imperative mood ("Add feature" not "Added feature")
+3. No period at end of subject
+4. Body explains what and why (not how)
+5. Reference issues in footer
+
+## Examples
+
+\`\`\`
+feat(auth): add OAuth2 login support
+
+Implement Google and GitHub OAuth providers using NextAuth.js.
+This allows users to sign in without creating a password.
+
+Closes #123
+\`\`\``
+    }
+  },
+  "@cpm/react-patterns": {
+    name: "@cpm/react-patterns",
+    version: "1.0.0",
+    description: "React component patterns and best practices",
+    type: "rules",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["react", "components", "hooks", "patterns"],
+    universal: {
+      globs: ["**/*.tsx", "**/*.jsx"],
+      rules: `# React Component Patterns
+
+You are an expert React developer following modern best practices.
+
+## Component Design
+
+1. **Single Responsibility**: Each component does one thing well
+2. **Composition over Inheritance**: Use children and render props
+3. **Controlled Components**: Form inputs controlled by state
+4. **Hooks for Logic**: Extract reusable logic into custom hooks
+
+## Patterns
+
+### Custom Hook Pattern
+\`\`\`tsx
+function useUser(id: string) {
+  const [user, setUser] = useState<User | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    fetchUser(id).then(setUser).finally(() => setLoading(false));
+  }, [id]);
+
+  return { user, loading };
+}
+\`\`\`
+
+### Compound Components
+\`\`\`tsx
+function Tabs({ children }) { /* ... */ }
+Tabs.Tab = function Tab({ children }) { /* ... */ };
+Tabs.Panel = function Panel({ children }) { /* ... */ };
+\`\`\`
+
+## Performance
+
+- Use \`React.memo\` for expensive pure components
+- Use \`useMemo\` for expensive calculations
+- Use \`useCallback\` for stable function references
+- Avoid inline objects/arrays in props`
+    }
+  },
+  "@cpm/refactor": {
+    name: "@cpm/refactor",
+    version: "1.0.0",
+    description: "Code refactoring assistant skill",
+    type: "skill",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["refactor", "clean-code", "skill"],
+    skill: {
+      command: "/refactor",
+      description: "Suggest and apply code refactoring improvements"
+    },
+    universal: {
+      prompt: `# Code Refactoring Skill
+
+You are an expert at improving code quality through refactoring.
+
+## Refactoring Techniques
+
+1. **Extract Function**: Pull out complex logic into named functions
+2. **Extract Variable**: Name complex expressions
+3. **Inline Variable**: Remove unnecessary intermediates
+4. **Rename**: Use clear, descriptive names
+5. **Move Function**: Place code where it belongs
+
+## Code Smells to Address
+
+- Long functions (>20 lines)
+- Deep nesting (>3 levels)
+- Duplicate code
+- God objects
+- Feature envy
+
+## Process
+
+1. Understand the current behavior
+2. Write tests if missing
+3. Make small, incremental changes
+4. Verify tests pass after each change
+5. Commit frequently`
+    }
+  },
+  "@cpm/explain": {
+    name: "@cpm/explain",
+    version: "1.0.0",
+    description: "Code explanation and documentation skill",
+    type: "skill",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["explain", "documentation", "skill"],
+    skill: {
+      command: "/explain",
+      description: "Explain code in detail with examples"
+    },
+    universal: {
+      prompt: `# Code Explanation Skill
+
+You are an expert at explaining code clearly and thoroughly.
+
+## Explanation Structure
+
+1. **Overview**: What does this code do at a high level?
+2. **Key Concepts**: What patterns/techniques are used?
+3. **Line-by-Line**: Detailed walkthrough of important parts
+4. **Examples**: Show how to use or modify this code
+5. **Gotchas**: Common pitfalls or edge cases
+
+## Adapt to Audience
+
+- **Beginner**: More context, simpler terms, more examples
+- **Intermediate**: Focus on patterns and best practices
+- **Expert**: Focus on edge cases and optimization`
+    }
+  },
+  "@cpm/api-design": {
+    name: "@cpm/api-design",
+    version: "1.0.0",
+    description: "REST and GraphQL API design conventions",
+    type: "rules",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["api", "rest", "graphql", "design"],
+    universal: {
+      globs: ["**/api/**/*", "**/routes/**/*", "**/graphql/**/*"],
+      rules: `# API Design Best Practices
+
+You are an expert API designer following industry best practices.
+
+## REST Conventions
+
+### URL Structure
+- Use nouns, not verbs: \`/users\` not \`/getUsers\`
+- Use plural nouns: \`/users\` not \`/user\`
+- Nest for relationships: \`/users/{id}/posts\`
+- Use kebab-case: \`/user-profiles\`
+
+### HTTP Methods
+- GET: Read (idempotent)
+- POST: Create
+- PUT: Full update (idempotent)
+- PATCH: Partial update
+- DELETE: Remove (idempotent)
+
+### Status Codes
+- 200: Success
+- 201: Created
+- 400: Bad Request
+- 401: Unauthorized
+- 404: Not Found
+- 500: Server Error`
+    }
+  },
+  "@cpm/testing-patterns": {
+    name: "@cpm/testing-patterns",
+    version: "1.0.0",
+    description: "Testing best practices for JavaScript/TypeScript projects",
+    type: "rules",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["testing", "jest", "vitest", "patterns"],
+    universal: {
+      globs: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"],
+      rules: `# Testing Best Practices
+
+You are an expert in writing maintainable, reliable tests.
+
+## Testing Principles
+
+1. **Test Behavior, Not Implementation**
+2. **Arrange-Act-Assert Pattern**
+3. **One Assertion per Test** (when practical)
+4. **Tests Should Be Independent**
+5. **Use Descriptive Test Names**
+
+## Test Structure
+
+\`\`\`typescript
+describe('UserService', () => {
+  describe('createUser', () => {
+    it('should create a user with valid data', async () => {
+      // Arrange
+      const userData = { name: 'John', email: 'john@example.com' };
+
+      // Act
+      const user = await userService.createUser(userData);
+
+      // Assert
+      expect(user.name).toBe('John');
+    });
+  });
+});
+\`\`\`
+
+## Mocking
+
+- Mock external dependencies, not internal modules
+- Use dependency injection for testability
+- Reset mocks between tests`
+    }
+  },
+  "@cpm/github-mcp": {
+    name: "@cpm/github-mcp",
+    version: "1.0.0",
+    description: "GitHub API integration MCP server for Claude Code",
+    type: "mcp",
+    author: { name: "CPM Team", url: "https://cpm-ai.dev" },
+    license: "MIT",
+    keywords: ["github", "mcp", "api", "integration"],
+    mcp: {
+      transport: "stdio",
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-github"],
+      env: {
+        GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"
+      }
+    }
+  }
+};
+function getEmbeddedManifest(packageName) {
+  return EMBEDDED_PACKAGES[packageName] ?? null;
+}
+
+// src/utils/downloader.ts
+var TEMP_DIR = path5.join(os4.tmpdir(), "cpm-downloads");
+var PACKAGES_BASE_URL = process.env.CPM_PACKAGES_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main";
+var TIMEOUTS = {
+  MANIFEST_FETCH: 5e3,
+  TARBALL_DOWNLOAD: 3e4,
+  API_REQUEST: 1e4
+};
+function sanitizeFileName2(fileName) {
+  const sanitized = path5.basename(fileName).replace(/[^a-zA-Z0-9._-]/g, "_");
+  if (!sanitized || sanitized.includes("..") || sanitized.startsWith(".")) {
+    throw new Error(`Invalid file name: ${fileName}`);
+  }
+  return sanitized;
+}
+function validatePathWithinDir(destPath, allowedDir) {
+  const resolvedDest = path5.resolve(destPath);
+  const resolvedDir = path5.resolve(allowedDir);
+  if (!resolvedDest.startsWith(resolvedDir + path5.sep) && resolvedDest !== resolvedDir) {
+    throw new Error(`Path traversal detected: ${destPath}`);
+  }
+}
+function validatePackagePath(pkgPath) {
+  const normalized = path5.normalize(pkgPath).replace(/\\/g, "/");
+  if (normalized.includes("..") || normalized.startsWith("/")) {
+    throw new Error(`Invalid package path: ${pkgPath}`);
+  }
+  return normalized;
+}
+async function downloadPackage(pkg) {
+  try {
+    await fs5.ensureDir(TEMP_DIR);
+    const packageTempDir = path5.join(
+      TEMP_DIR,
+      `${pkg.name.replace(/[@/]/g, "_")}-${Date.now()}`
+    );
+    await fs5.ensureDir(packageTempDir);
+    let manifest = null;
+    if (pkg.path) {
+      manifest = await fetchPackageFromPath(pkg, packageTempDir);
+    }
+    if (!manifest && pkg.repository) {
+      manifest = await fetchManifestFromRepo(pkg.repository);
+    }
+    if (!manifest && pkg.tarball) {
+      manifest = await downloadAndExtractTarball(pkg, packageTempDir);
+    }
+    if (!manifest) {
+      manifest = getEmbeddedManifest(pkg.name);
+    }
+    if (!manifest) {
+      manifest = createManifestFromRegistry(pkg);
+    }
+    return { success: true, manifest, tempDir: packageTempDir };
+  } catch (error) {
+    return {
+      success: false,
+      manifest: {},
+      error: error instanceof Error ? error.message : "Download failed"
+    };
+  }
+}
+async function cleanupTempDir(tempDir) {
+  try {
+    if (tempDir.startsWith(TEMP_DIR)) {
+      await fs5.remove(tempDir);
+    }
+  } catch {
+  }
+}
+async function fetchManifestFromRepo(repoUrl) {
+  try {
+    const match = repoUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+    if (!match) return null;
+    const [, owner, repo] = match;
+    const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/cpm.yaml`;
+    const response = await got2(rawUrl, {
+      timeout: { request: TIMEOUTS.MANIFEST_FETCH }
+    });
+    return yaml.parse(response.body);
+  } catch {
+    return null;
+  }
+}
+async function downloadAndExtractTarball(pkg, tempDir) {
+  if (!pkg.tarball) return null;
+  try {
+    const parsedUrl = new URL(pkg.tarball);
+    if (parsedUrl.protocol !== "https:") {
+      throw new Error("Only HTTPS URLs are allowed for downloads");
+    }
+    const response = await got2(pkg.tarball, {
+      timeout: { request: TIMEOUTS.TARBALL_DOWNLOAD },
+      followRedirect: true,
+      responseType: "buffer"
+    });
+    const tarballPath = path5.join(tempDir, "package.tar.gz");
+    await fs5.writeFile(tarballPath, response.body);
+    await extractTarball(tarballPath, tempDir);
+    const manifestPath = path5.join(tempDir, "cpm.yaml");
+    if (await fs5.pathExists(manifestPath)) {
+      const content = await fs5.readFile(manifestPath, "utf-8");
+      return yaml.parse(content);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function extractTarball(tarballPath, destDir) {
+  await fs5.ensureDir(destDir);
+  const resolvedDestDir = path5.resolve(destDir);
+  await tar.extract({
+    file: tarballPath,
+    cwd: destDir,
+    strip: 1,
+    filter: (entryPath) => {
+      const resolvedPath = path5.resolve(destDir, entryPath);
+      const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path5.sep) || resolvedPath === resolvedDestDir;
+      if (!isWithinDest) {
+        logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
+        return false;
+      }
+      return true;
+    }
+  });
+}
+async function fetchPackageFromPath(pkg, tempDir) {
+  if (!pkg.path) return null;
+  try {
+    const safePath = validatePackagePath(pkg.path);
+    const githubInfo = parseGitHubInfo(PACKAGES_BASE_URL);
+    if (!githubInfo) {
+      return fetchSingleFileFromPath(pkg);
+    }
+    const apiUrl = `https://api.github.com/repos/${githubInfo.owner}/${githubInfo.repo}/contents/${safePath}`;
+    const response = await got2(apiUrl, {
+      timeout: { request: TIMEOUTS.API_REQUEST },
+      headers: {
+        Accept: "application/vnd.github.v3+json",
+        "User-Agent": "cpm-cli"
+      },
+      responseType: "json"
+    });
+    const files = response.body;
+    let mainContent = "";
+    const pkgType = resolvePackageType(pkg);
+    const contentFile = getContentFileName(pkgType);
+    for (const file of files) {
+      if (file.type === "file" && file.download_url) {
+        const safeFileName = sanitizeFileName2(file.name);
+        const destPath = path5.join(tempDir, safeFileName);
+        validatePathWithinDir(destPath, tempDir);
+        const fileResponse = await got2(file.download_url, {
+          timeout: { request: TIMEOUTS.API_REQUEST }
+        });
+        await fs5.writeFile(destPath, fileResponse.body, "utf-8");
+        if (file.name === contentFile) {
+          mainContent = fileResponse.body;
+        }
+      }
+    }
+    return createManifestWithContent(pkg, mainContent);
+  } catch {
+    return fetchSingleFileFromPath(pkg);
+  }
+}
+async function fetchSingleFileFromPath(pkg) {
+  if (!pkg.path) return null;
+  try {
+    const safePath = validatePackagePath(pkg.path);
+    const pkgType = resolvePackageType(pkg);
+    const contentFile = getContentFileName(pkgType);
+    const contentUrl = `${PACKAGES_BASE_URL}/${safePath}/${contentFile}`;
+    const response = await got2(contentUrl, {
+      timeout: { request: TIMEOUTS.API_REQUEST }
+    });
+    return createManifestWithContent(pkg, response.body);
+  } catch {
+    return null;
+  }
+}
+function getContentFileName(type) {
+  const fileNames = {
+    skill: "SKILL.md",
+    rules: "RULES.md",
+    mcp: "MCP.md",
+    agent: "AGENT.md",
+    hook: "HOOK.md",
+    workflow: "WORKFLOW.md",
+    template: "TEMPLATE.md",
+    bundle: "BUNDLE.md"
+  };
+  return fileNames[type] || "README.md";
+}
+function parseGitHubInfo(baseUrl) {
+  const match = baseUrl.match(/github(?:usercontent)?\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  return { owner: match[1], repo: match[2] };
+}
+function createManifestWithContent(pkg, content) {
+  const pkgType = resolvePackageType(pkg);
+  return {
+    name: pkg.name,
+    version: pkg.version,
+    description: pkg.description,
+    type: pkgType,
+    author: { name: pkg.author },
+    keywords: pkg.keywords,
+    universal: {
+      rules: content,
+      prompt: content
+    },
+    skill: pkgType === "skill" ? {
+      command: `/${pkg.name.split("/").pop()}`,
+      description: pkg.description
+    } : void 0
+  };
+}
+function createManifestFromRegistry(pkg) {
+  return {
+    name: pkg.name,
+    version: pkg.version,
+    description: pkg.description,
+    type: resolvePackageType(pkg),
+    author: { name: pkg.author },
+    repository: pkg.repository,
+    keywords: pkg.keywords,
+    universal: {
+      rules: `# ${pkg.name}
+
+${pkg.description}`
+    }
+  };
+}
+
+// src/commands/install.ts
+var VALID_PLATFORMS = ["claude-code"];
+var MAX_PACKAGE_NAME_LENGTH = 214;
+function validatePackageName(name) {
+  if (!name || typeof name !== "string") {
+    return { valid: false, error: "Package name cannot be empty" };
+  }
+  let decoded = name;
+  try {
+    decoded = decodeURIComponent(name);
+  } catch {
+  }
+  if (decoded.length > MAX_PACKAGE_NAME_LENGTH) {
+    return { valid: false, error: `Package name too long (max ${MAX_PACKAGE_NAME_LENGTH} characters)` };
+  }
+  if (decoded.includes("\0")) {
+    return { valid: false, error: "Invalid characters in package name" };
+  }
+  const hasPathTraversal = decoded.includes("..") || decoded.includes("\\") || decoded.includes("%2e") || decoded.includes("%2E") || decoded.includes("%5c") || decoded.includes("%5C") || decoded.includes("%2f") || decoded.includes("%2F");
+  if (hasPathTraversal) {
+    return { valid: false, error: "Invalid characters in package name" };
+  }
+  const packageNameRegex = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
+  if (!packageNameRegex.test(name.toLowerCase())) {
+    return { valid: false, error: "Invalid package name format" };
+  }
+  return { valid: true };
+}
+function isValidPlatform(platform) {
+  return VALID_PLATFORMS.includes(platform);
+}
+function normalizePackageName(name) {
+  if (name.startsWith("@")) {
+    return name;
+  }
+  return `@cpm/${name}`;
+}
+async function resolveTargetPlatforms(options) {
+  if (options.platform && options.platform !== "all") {
+    if (!isValidPlatform(options.platform)) {
+      return null;
+    }
+    return [options.platform];
+  }
+  let platforms = await getDetectedPlatforms();
+  if (platforms.length === 0) {
+    platforms = ["claude-code"];
+  }
+  platforms = platforms.filter((p) => p === "claude-code");
+  if (platforms.length === 0) {
+    platforms = ["claude-code"];
+  }
+  return platforms;
+}
+async function installToPlatforms(manifest, tempDir, platforms) {
+  return Promise.all(
+    platforms.map(async (platform) => {
+      const adapter = getAdapter(platform);
+      return adapter.install(manifest, process.cwd(), tempDir);
+    })
+  );
+}
+function displaySuccessMessage(manifest, successfulResults) {
+  logger.log(chalk.dim(`
+  ${manifest.description}`));
+  logger.log(chalk.dim("\n  Files created:"));
+  for (const result of successfulResults) {
+    for (const file of result.filesWritten) {
+      logger.log(chalk.dim(`    + ${path6.relative(process.cwd(), file)}`));
+    }
+  }
+  logger.newline();
+  displayUsageHints(manifest);
+}
+function displayUsageHints(manifest) {
+  switch (manifest.type) {
+    case "skill":
+      if (manifest.skill?.command) {
+        logger.log(
+          `  ${chalk.cyan("Usage:")} Type ${chalk.yellow(manifest.skill.command)} in Claude Code`
+        );
+      }
+      break;
+    case "rules":
+      logger.log(
+        `  ${chalk.cyan("Usage:")} Rules are automatically applied to matching files`
+      );
+      break;
+    case "mcp":
+      logger.log(
+        `  ${chalk.cyan("Usage:")} MCP server configured. Restart Claude Code to activate.`
+      );
+      if (manifest.mcp?.env) {
+        const envVars = Object.keys(manifest.mcp.env);
+        if (envVars.length > 0) {
+          logger.log(chalk.yellow(`
+  Required environment variables:`));
+          for (const envVar of envVars) {
+            logger.log(chalk.dim(`    - ${envVar}`));
+          }
+        }
+      }
+      break;
+  }
+}
+function displayWarnings(failedResults) {
+  if (failedResults.length === 0) return;
+  logger.log(chalk.yellow("\n  Warnings:"));
+  for (const result of failedResults) {
+    logger.log(chalk.yellow(`    - ${result.platform}: ${result.error}`));
+  }
+}
+async function installCommand(packageName, options) {
+  const validation = validatePackageName(packageName);
+  if (!validation.valid) {
+    logger.error(`Invalid package name: ${validation.error}`);
+    return;
+  }
+  const spinner = logger.isQuiet() ? null : ora(`Installing ${chalk.cyan(packageName)}...`).start();
+  let tempDir;
+  try {
+    const normalizedName = normalizePackageName(packageName);
+    if (spinner) spinner.text = `Searching for ${chalk.cyan(normalizedName)}...`;
+    const pkg = await registry.getPackage(normalizedName);
+    if (!pkg) {
+      if (spinner) spinner.fail(`Package ${chalk.red(normalizedName)} not found`);
+      else logger.error(`Package ${normalizedName} not found`);
+      logger.log(chalk.dim("\nTry searching for packages:"));
+      logger.log(chalk.dim(`  cpm search ${packageName.replace(/^@[^/]+\//, "")}`));
+      return;
+    }
+    if (spinner) spinner.text = `Downloading ${chalk.cyan(pkg.name)}@${pkg.version}...`;
+    const downloadResult = await downloadPackage(pkg);
+    if (!downloadResult.success) {
+      if (spinner) spinner.fail(`Failed to download ${pkg.name}: ${downloadResult.error}`);
+      else logger.error(`Failed to download ${pkg.name}: ${downloadResult.error}`);
+      return;
+    }
+    tempDir = downloadResult.tempDir;
+    const targetPlatforms = await resolveTargetPlatforms(options);
+    if (!targetPlatforms) {
+      if (spinner) spinner.fail(`Invalid platform: ${options.platform}`);
+      else logger.error(`Invalid platform: ${options.platform}`);
+      logger.log(chalk.dim(`Valid platforms: ${VALID_PLATFORMS.join(", ")}`));
+      return;
+    }
+    if (spinner) spinner.text = `Installing to ${targetPlatforms.join(", ")}...`;
+    await ensureClaudeDirs();
+    const results = await installToPlatforms(
+      downloadResult.manifest,
+      tempDir,
+      targetPlatforms
+    );
+    const successful = results.filter((r) => r.success);
+    const failed = results.filter((r) => !r.success);
+    if (successful.length > 0) {
+      if (spinner) {
+        spinner.succeed(
+          `Installed ${chalk.green(downloadResult.manifest.name)}@${chalk.dim(downloadResult.manifest.version)}`
+        );
+      } else {
+        logger.success(`Installed ${downloadResult.manifest.name}@${downloadResult.manifest.version}`);
+      }
+      displaySuccessMessage(downloadResult.manifest, successful);
+    }
+    displayWarnings(failed);
+  } catch (error) {
+    if (spinner) spinner.fail(`Failed to install ${packageName}`);
+    else logger.error(`Failed to install ${packageName}`);
+    if (error instanceof Error) {
+      logger.error(error.message);
+    }
+  } finally {
+    if (tempDir) {
+      await cleanupTempDir(tempDir);
+    }
+  }
+}
+
+// src/commands/search.ts
+import chalk2 from "chalk";
+import ora2 from "ora";
+var typeColors = {
+  rules: chalk2.yellow,
+  skill: chalk2.blue,
+  mcp: chalk2.magenta,
+  agent: chalk2.green,
+  hook: chalk2.cyan,
+  workflow: chalk2.red,
+  template: chalk2.white,
+  bundle: chalk2.gray
+};
+var typeEmoji = {
+  rules: "\u{1F4DC}",
+  skill: "\u26A1",
+  mcp: "\u{1F50C}",
+  agent: "\u{1F916}",
+  hook: "\u{1FA9D}",
+  workflow: "\u{1F4CB}",
+  template: "\u{1F4C1}",
+  bundle: "\u{1F4E6}"
+};
+async function searchCommand(query, options) {
+  const spinner = logger.isQuiet() ? null : ora2(`Searching for "${query}"...`).start();
+  const parsedLimit = parseInt(options.limit || "10", 10);
+  const limit = Number.isNaN(parsedLimit) ? 10 : Math.max(1, Math.min(parsedLimit, 100));
+  try {
+    const searchOptions = {
+      query,
+      limit
+    };
+    if (options.type) {
+      searchOptions.type = options.type;
+    }
+    if (options.sort) {
+      searchOptions.sort = options.sort;
+    }
+    const results = await registry.search(searchOptions);
+    if (spinner) spinner.stop();
+    if (results.packages.length === 0) {
+      logger.warn(`No packages found for "${query}"`);
+      logger.log(chalk2.dim("\nAvailable package types: rules, skill, mcp"));
+      logger.log(chalk2.dim("Try: cpm search react --type rules"));
+      return;
+    }
+    logger.log(chalk2.dim(`
+Found ${results.total} package(s)
+`));
+    for (const pkg of results.packages) {
+      const pkgType = resolvePackageType(pkg);
+      const typeColor = typeColors[pkgType] || chalk2.white;
+      const emoji = typeEmoji[pkgType] || "\u{1F4E6}";
+      const badges = [];
+      if (pkg.verified) {
+        badges.push(chalk2.green("\u2713 verified"));
+      }
+      logger.log(
+        `${emoji} ${chalk2.bold.white(pkg.name)} ${chalk2.dim(`v${pkg.version}`)}` + (badges.length > 0 ? ` ${badges.join(" ")}` : "")
+      );
+      logger.log(`   ${chalk2.dim(pkg.description)}`);
+      const meta = [
+        typeColor(pkgType),
+        chalk2.dim(`\u2193 ${formatNumber(pkg.downloads ?? 0)}`),
+        pkg.stars !== void 0 ? chalk2.dim(`\u2605 ${pkg.stars}`) : null,
+        chalk2.dim(`@${pkg.author}`)
+      ].filter(Boolean);
+      logger.log(`   ${meta.join(chalk2.dim(" \xB7 "))}`);
+      logger.newline();
+    }
+    logger.log(chalk2.dim("\u2500".repeat(50)));
+    logger.log(chalk2.dim(`Install with: ${chalk2.cyan("cpm install <package-name>")}`));
+  } catch (error) {
+    if (spinner) spinner.fail("Search failed");
+    else logger.error("Search failed");
+    logger.error(error instanceof Error ? error.message : "Unknown error");
+  }
+}
+function formatNumber(num) {
+  if (num >= 1e3) {
+    return `${(num / 1e3).toFixed(1)}k`;
+  }
+  return num.toString();
+}
+
+// src/commands/list.ts
+import chalk3 from "chalk";
+import fs6 from "fs-extra";
+import path7 from "path";
+import os5 from "os";
+var typeColors2 = {
+  rules: chalk3.yellow,
+  skill: chalk3.blue,
+  mcp: chalk3.magenta
+};
+async function readPackageMetadata(packageDir) {
+  const metadataPath = path7.join(packageDir, ".cpm.json");
+  try {
+    if (await fs6.pathExists(metadataPath)) {
+      return await fs6.readJson(metadataPath);
+    }
+  } catch {
+  }
+  return null;
+}
+async function scanInstalledPackages() {
+  const items = [];
+  const claudeHome = path7.join(os5.homedir(), ".claude");
+  const rulesDir = path7.join(claudeHome, "rules");
+  if (await fs6.pathExists(rulesDir)) {
+    const entries = await fs6.readdir(rulesDir);
+    for (const entry of entries) {
+      const entryPath = path7.join(rulesDir, entry);
+      const stat = await fs6.stat(entryPath);
+      if (stat.isDirectory()) {
+        const metadata = await readPackageMetadata(entryPath);
+        items.push({
+          name: metadata?.name || entry,
+          folderName: entry,
+          type: "rules",
+          version: metadata?.version,
+          path: entryPath
+        });
+      }
+    }
+  }
+  const skillsDir = path7.join(claudeHome, "skills");
+  if (await fs6.pathExists(skillsDir)) {
+    const dirs = await fs6.readdir(skillsDir);
+    for (const dir of dirs) {
+      const skillPath = path7.join(skillsDir, dir);
+      const stat = await fs6.stat(skillPath);
+      if (stat.isDirectory()) {
+        const metadata = await readPackageMetadata(skillPath);
+        items.push({
+          name: metadata?.name || dir,
+          folderName: dir,
+          type: "skill",
+          version: metadata?.version,
+          path: skillPath
+        });
+      }
+    }
+  }
+  const mcpConfigPath = path7.join(os5.homedir(), ".claude.json");
+  if (await fs6.pathExists(mcpConfigPath)) {
+    try {
+      const config = await fs6.readJson(mcpConfigPath);
+      const mcpServers = config.mcpServers || {};
+      for (const name of Object.keys(mcpServers)) {
+        items.push({
+          name,
+          folderName: name,
+          type: "mcp",
+          path: mcpConfigPath
+        });
+      }
+    } catch {
+    }
+  }
+  return items;
+}
+async function listCommand() {
+  try {
+    const packages = await scanInstalledPackages();
+    if (packages.length === 0) {
+      logger.warn("No packages installed");
+      logger.log(chalk3.dim(`
+Run ${chalk3.cyan("cpm install <package>")} to install a package`));
+      return;
+    }
+    logger.log(chalk3.bold(`
+Installed packages (${packages.length}):
+`));
+    const byType = packages.reduce((acc, pkg) => ({
+      ...acc,
+      [pkg.type]: [...acc[pkg.type] || [], pkg]
+    }), {});
+    for (const [type, items] of Object.entries(byType)) {
+      const typeColor = typeColors2[type] || chalk3.white;
+      logger.log(typeColor(`  ${type.toUpperCase()}`));
+      for (const item of items) {
+        const version = item.version ? chalk3.dim(` v${item.version}`) : "";
+        logger.log(`    ${chalk3.green("\u25C9")} ${chalk3.bold(item.name)}${version}`);
+      }
+      logger.newline();
+    }
+    logger.log(chalk3.dim("Run cpm uninstall <package-name> to remove a package"));
+    logger.log(chalk3.dim("  e.g., cpm uninstall backend-patterns"));
+  } catch (error) {
+    logger.error("Failed to list packages");
+    logger.error(error instanceof Error ? error.message : "Unknown error");
+  }
+}
+
+// src/commands/init.ts
+import chalk4 from "chalk";
+import fs7 from "fs-extra";
+import path8 from "path";
+var TEMPLATE = `# Package manifest for cpm
+# https://cpm-ai.dev/docs/packages
+
+name: my-package
+version: 0.1.0
+description: A brief description of your package
+type: rules  # rules | skill | mcp | agent | hook | workflow | template | bundle
+
+author:
+  name: Your Name
+  email: you@example.com
+  url: https://github.com/yourusername
+
+repository: https://github.com/yourusername/my-package
+license: MIT
+
+keywords:
+  - keyword1
+  - keyword2
+
+# Universal content (works on all platforms)
+universal:
+  # File patterns this applies to
+  globs:
+    - "**/*.ts"
+    - "**/*.tsx"
+
+  # Rules/instructions (markdown)
+  rules: |
+    You are an expert developer.
+
+    ## Guidelines
+
+    - Follow best practices
+    - Write clean, maintainable code
+    - Include proper error handling
+
+# Platform-specific configurations (optional)
+# platforms:
+#   cursor:
+#     settings:
+#       alwaysApply: true
+#   claude-code:
+#     skill:
+#       command: /my-command
+#       description: What this skill does
+
+# MCP server configuration (if type: mcp)
+# mcp:
+#   command: npx
+#   args: ["your-mcp-server"]
+#   env:
+#     API_KEY: "\${API_KEY}"
+`;
+async function initCommand(_options) {
+  const manifestPath = path8.join(process.cwd(), "cpm.yaml");
+  if (await fs7.pathExists(manifestPath)) {
+    logger.warn("cpm.yaml already exists in this directory");
+    return;
+  }
+  try {
+    await fs7.writeFile(manifestPath, TEMPLATE, "utf-8");
+    logger.success("Created cpm.yaml");
+    logger.newline();
+    logger.log("Next steps:");
+    logger.log(chalk4.dim("  1. Edit cpm.yaml to configure your package"));
+    logger.log(chalk4.dim("  2. Run cpm publish to publish to the registry"));
+    logger.newline();
+    logger.log(
+      chalk4.dim(
+        `Learn more: ${chalk4.cyan("https://cpm-ai.dev/docs/publishing")}`
+      )
+    );
+  } catch (error) {
+    logger.error("Failed to create cpm.yaml");
+    logger.error(error instanceof Error ? error.message : "Unknown error");
+  }
+}
+
+// src/commands/uninstall.ts
+import chalk5 from "chalk";
+import ora3 from "ora";
+async function uninstallCommand(packageName) {
+  const spinner = logger.isQuiet() ? null : ora3(`Uninstalling ${chalk5.cyan(packageName)}...`).start();
+  try {
+    const folderName = packageName.includes("/") ? packageName.split("/").pop() || packageName : packageName.replace(/^@/, "");
+    const adapter = getAdapter("claude-code");
+    const result = await adapter.uninstall(folderName, process.cwd());
+    if (result.success && result.filesWritten.length > 0) {
+      if (spinner) spinner.succeed(`Uninstalled ${chalk5.green(packageName)}`);
+      else logger.success(`Uninstalled ${packageName}`);
+      logger.log(chalk5.dim("\nFiles removed:"));
+      for (const file of result.filesWritten) {
+        logger.log(chalk5.dim(`  - ${file}`));
+      }
+    } else if (result.success) {
+      if (spinner) spinner.warn(`Package ${packageName} was not found`);
+      else logger.warn(`Package ${packageName} was not found`);
+    } else {
+      if (spinner) spinner.fail(`Failed to uninstall: ${result.error}`);
+      else logger.error(`Failed to uninstall: ${result.error}`);
+    }
+  } catch (error) {
+    if (spinner) spinner.fail(`Failed to uninstall ${packageName}`);
+    else logger.error(`Failed to uninstall ${packageName}`);
+    logger.error(error instanceof Error ? error.message : "Unknown error");
+  }
+}
+
+// src/index.ts
+var program = new Command();
+var logo = `
+  ${chalk6.hex("#f97316")("\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2557\u2591\u2591\u2591\u2588\u2588\u2588\u2557")}
+  ${chalk6.hex("#f97316")("\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2551")}
+  ${chalk6.hex("#fb923c")("\u2588\u2588\u2551\u2591\u2591\u255A\u2550\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551")}
+  ${chalk6.hex("#fb923c")("\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u255D\u2591\u2588\u2588\u2551\u255A\u2588\u2588\u2554\u255D\u2588\u2588\u2551")}
+  ${chalk6.hex("#fbbf24")("\u255A\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u255A\u2550\u255D\u2591\u2588\u2588\u2551")}
+  ${chalk6.hex("#fbbf24")("\u2591\u255A\u2550\u2550\u2550\u2550\u255D\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D")}
+`;
+program.name("cpm").description(`${logo}
+  ${chalk6.dim("The package manager for Claude Code")}
+`).version("0.1.0").option("-q, --quiet", "Suppress all output except errors").option("-v, --verbose", "Enable verbose output for debugging").hook("preAction", (thisCommand) => {
+  const opts = thisCommand.optsWithGlobals();
+  configureLogger({
+    quiet: opts.quiet,
+    verbose: opts.verbose
+  });
+});
+program.command("install <package>").alias("i").description("Install a package").option("-p, --platform <platform>", "Target platform (claude-code)", "all").action(installCommand);
+program.command("uninstall <package>").alias("rm").description("Uninstall a package").option("-p, --platform <platform>", "Target platform").action(uninstallCommand);
+program.command("search <query>").alias("s").description("Search for packages").option("-t, --type <type>", "Filter by type (rules, mcp, skill, agent)").option("-l, --limit <number>", "Limit results", "10").action(searchCommand);
+program.command("list").alias("ls").description("List installed packages").action(listCommand);
+program.command("init").description("Create a new cpm package").option("-y, --yes", "Skip prompts and use defaults").action(initCommand);
+program.command("info <package>").description("Show package details").action(async () => {
+  logger.warn("Coming soon: package info");
+});
+program.command("update").alias("up").description("Update installed packages").action(async () => {
+  logger.warn("Coming soon: package updates");
+});
+program.command("publish").description("Publish a package to the registry").action(async () => {
+  logger.warn("Coming soon: package publishing");
+});
+program.parse();