@cpmai/cli 0.1.4 → 0.3.0-beta.1

package/dist/index.js

@@ -2,79 +2,297 @@
 
 // src/index.ts
 import { Command } from "commander";
-import chalk6 from "chalk";
+import chalk5 from "chalk";
 
-// src/commands/install.ts
-import chalk from "chalk";
-import ora from "ora";
-import path6 from "path";
+// src/constants.ts
+var TIMEOUTS = {
+  MANIFEST_FETCH: 5e3,
+  // 5 seconds - quick manifest lookups
+  TARBALL_DOWNLOAD: 3e4,
+  // 30 seconds - allow time for large downloads
+  REGISTRY_FETCH: 1e4
+  // 10 seconds - registry can be slow sometimes
+};
+var LIMITS = {
+  MAX_PACKAGE_NAME_LENGTH: 214,
+  // npm standard maximum
+  CACHE_TTL_MS: 5 * 60 * 1e3
+  // 5 minutes in milliseconds
+};
+var PACKAGE_TYPES = [
+  "rules",
+  // Coding guidelines and best practices
+  "mcp",
+  // Model Context Protocol servers
+  "skill",
+  // Slash commands for Claude Code
+  "agent",
+  // AI agent definitions
+  "hook",
+  // Git or lifecycle hooks
+  "workflow",
+  // Multi-step workflows
+  "template",
+  // Project templates
+  "bundle"
+  // Collections of packages
+];
+var SEARCH_SORT_OPTIONS = [
+  "downloads",
+  // Most downloaded first
+  "stars",
+  // Most starred first
+  "recent",
+  // Most recently published first
+  "name"
+  // Alphabetical order
+];
+var VALID_PLATFORMS = [
+  "claude-code"
+  // Currently the only supported platform
+];
+var ALLOWED_MCP_COMMANDS = [
+  "npx",
+  // Node package executor
+  "node",
+  // Node.js runtime
+  "python",
+  // Python 2.x interpreter
+  "python3",
+  // Python 3.x interpreter
+  "deno",
+  // Deno runtime
+  "bun",
+  // Bun runtime
+  "uvx"
+  // Python package runner
+];
+var BLOCKED_MCP_ARG_PATTERNS = [
+  /--eval/i,
+  // Node.js eval flag
+  /-e(?:\s|$)/,
+  // Short eval flag (with space or at end)
+  /^-e\S/,
+  // Concatenated eval flag (e.g., -eCODE)
+  /-c(?:\s|$)/,
+  // Command flag (with space or at end)
+  /\bcurl\b/i,
+  // curl command (data exfiltration)
+  /\bwget\b/i,
+  // wget command (data exfiltration)
+  /\brm(?:\s|$)/i,
+  // rm command (file deletion)
+  /\bsudo\b/i,
+  // sudo command (privilege escalation)
+  /\bchmod\b/i,
+  // chmod command (permission changes)
+  /\bchown\b/i,
+  // chown command (ownership changes)
+  /[|;&`$]/,
+  // Shell metacharacters (command chaining/injection)
+  /--inspect/i,
+  // Node.js debugger (remote code execution)
+  /--allow-all/i,
+  // Deno sandbox bypass
+  /--allow-run/i,
+  // Deno run permission
+  /--allow-write/i,
+  // Deno write permission
+  /--allow-net/i,
+  // Deno net permission
+  /^https?:\/\//i
+  // Remote URLs as standalone args (script loading)
+];
+var BLOCKED_MCP_ENV_KEYS = [
+  "PATH",
+  "LD_PRELOAD",
+  "LD_LIBRARY_PATH",
+  "DYLD_INSERT_LIBRARIES",
+  "DYLD_LIBRARY_PATH",
+  "NODE_OPTIONS",
+  "NODE_PATH",
+  "PYTHONPATH",
+  "PYTHONSTARTUP",
+  "PYTHONHOME",
+  "RUBYOPT",
+  "PERL5OPT",
+  "BASH_ENV",
+  "ENV",
+  "CDPATH",
+  "HOME",
+  "USERPROFILE",
+  "NPM_CONFIG_REGISTRY",
+  "NPM_CONFIG_PREFIX",
+  "NPM_CONFIG_GLOBALCONFIG",
+  "DENO_DIR",
+  "BUN_INSTALL"
+];
 
-// src/adapters/claude-code.ts
-import fs2 from "fs-extra";
-import path2 from "path";
+// src/types.ts
+function isPackageType(value) {
+  return PACKAGE_TYPES.includes(value);
+}
+function isValidPlatform(value) {
+  return VALID_PLATFORMS.includes(value);
+}
+function isSearchSort(value) {
+  return SEARCH_SORT_OPTIONS.includes(value);
+}
+function isRulesManifest(manifest) {
+  return manifest.type === "rules";
+}
+function isSkillManifest(manifest) {
+  return manifest.type === "skill";
+}
+function isMcpManifest(manifest) {
+  return manifest.type === "mcp";
+}
+function getTypeFromPath(path14) {
+  if (path14.startsWith("skills/")) return "skill";
+  if (path14.startsWith("rules/")) return "rules";
+  if (path14.startsWith("mcp/")) return "mcp";
+  if (path14.startsWith("agents/")) return "agent";
+  if (path14.startsWith("hooks/")) return "hook";
+  if (path14.startsWith("workflows/")) return "workflow";
+  if (path14.startsWith("templates/")) return "template";
+  if (path14.startsWith("bundles/")) return "bundle";
+  return null;
+}
+function resolvePackageType(pkg) {
+  if (pkg.type) return pkg.type;
+  if (pkg.path) {
+    const derived = getTypeFromPath(pkg.path);
+    if (derived) return derived;
+  }
+  throw new Error(`Cannot determine type for package: ${pkg.name}`);
+}
 
 // src/adapters/base.ts
 var PlatformAdapter = class {
 };
 
-// src/utils/platform.ts
-import fs from "fs-extra";
-import path from "path";
-import os from "os";
-var detectionRules = {
-  "claude-code": {
-    paths: [".claude", ".claude.json"],
-    global: [
-      path.join(os.homedir(), ".claude.json"),
-      path.join(os.homedir(), ".claude")
-    ]
+// src/adapters/handlers/handler-registry.ts
+var HandlerRegistry = class {
+  /**
+   * Internal storage for handlers.
+   * Maps package type strings to their handler instances.
+   * Using Map for O(1) lookup performance.
+   */
+  handlers = /* @__PURE__ */ new Map();
+  /**
+   * Register a handler for a specific package type.
+   *
+   * When you create a new handler (like RulesHandler), you call this method
+   * to add it to the registry so it can be found later.
+   *
+   * @param handler - The handler instance to register. The handler's
+   *                  packageType property determines which type it handles.
+   *
+   * @example
+   * ```typescript
+   * const rulesHandler = new RulesHandler();
+   * registry.register(rulesHandler);
+   * // Now "rules" type packages will use RulesHandler
+   * ```
+   */
+  register(handler) {
+    this.handlers.set(handler.packageType, handler);
   }
-};
-async function detectPlatforms(projectPath = process.cwd()) {
-  const results = [];
-  for (const [platform, rules] of Object.entries(detectionRules)) {
-    let detected = false;
-    let configPath;
-    for (const p of rules.paths) {
-      const fullPath = path.join(projectPath, p);
-      if (await fs.pathExists(fullPath)) {
-        detected = true;
-        configPath = fullPath;
-        break;
-      }
-    }
-    if (!detected) {
-      for (const p of rules.global) {
-        if (await fs.pathExists(p)) {
-          detected = true;
-          configPath = p;
-          break;
-        }
-      }
+  /**
+   * Get the handler for a specific package type.
+   *
+   * Use this when you need to install or uninstall a package.
+   * It returns the appropriate handler based on the package type.
+   *
+   * @param type - The package type to find a handler for (e.g., "rules", "skill", "mcp")
+   * @returns The handler that can process this package type
+   * @throws Error if no handler is registered for the given type
+   *
+   * @example
+   * ```typescript
+   * const handler = registry.getHandler("skill");
+   * const files = await handler.install(manifest, context);
+   * ```
+   */
+  getHandler(type) {
+    const handler = this.handlers.get(type);
+    if (!handler) {
+      throw new Error(`No handler registered for package type: ${type}`);
     }
-    results.push({
-      platform,
-      detected,
-      configPath
-    });
+    return handler;
   }
-  return results;
-}
-async function getDetectedPlatforms(projectPath = process.cwd()) {
-  const detections = await detectPlatforms(projectPath);
-  return detections.filter((d) => d.detected).map((d) => d.platform);
-}
-function getClaudeCodeHome() {
+  /**
+   * Check if a handler exists for a specific package type.
+   *
+   * Useful when you want to check availability before attempting
+   * to get a handler, avoiding the need for try-catch blocks.
+   *
+   * @param type - The package type to check
+   * @returns true if a handler is registered, false otherwise
+   *
+   * @example
+   * ```typescript
+   * if (registry.hasHandler("mcp")) {
+   *   const handler = registry.getHandler("mcp");
+   *   // ... use handler
+   * } else {
+   *   console.log("MCP packages not supported");
+   * }
+   * ```
+   */
+  hasHandler(type) {
+    return this.handlers.has(type);
+  }
+  /**
+   * Get a list of all registered package types.
+   *
+   * Useful for debugging, displaying supported types to users,
+   * or iterating over all available handlers.
+   *
+   * @returns Array of package type strings that have registered handlers
+   *
+   * @example
+   * ```typescript
+   * const types = registry.getRegisteredTypes();
+   * console.log("Supported types:", types.join(", "));
+   * // Output: "Supported types: rules, skill, mcp"
+   * ```
+   */
+  getRegisteredTypes() {
+    return Array.from(this.handlers.keys());
+  }
+};
+var handlerRegistry = new HandlerRegistry();
+
+// src/adapters/handlers/rules-handler.ts
+import fs2 from "fs-extra";
+import path5 from "path";
+
+// src/utils/platform.ts
+import path2 from "path";
+
+// src/utils/config.ts
+import path from "path";
+import os from "os";
+import fs from "fs-extra";
+function getClaudeHome() {
   return path.join(os.homedir(), ".claude");
 }
+async function ensureClaudeDirs() {
+  const claudeHome = getClaudeHome();
+  await fs.ensureDir(path.join(claudeHome, "rules"));
+  await fs.ensureDir(path.join(claudeHome, "skills"));
+}
+
+// src/utils/platform.ts
 function getRulesPath(platform) {
   if (platform !== "claude-code") {
     throw new Error(`Rules path is not supported for platform: ${platform}`);
   }
-  return path.join(getClaudeCodeHome(), "rules");
+  return path2.join(getClaudeHome(), "rules");
 }
 function getSkillsPath() {
-  return path.join(getClaudeCodeHome(), "skills");
+  return path2.join(getClaudeHome(), "skills");
 }
 
 // src/utils/logger.ts
@@ -94,18 +312,6 @@ function createLogger(options = {}) {
     }
   });
   return {
-    /**
-     * Debug message (only shown in verbose mode)
-     */
-    debug: (message, ...args) => {
-      consola.debug(message, ...args);
-    },
-    /**
-     * Informational message
-     */
-    info: (message, ...args) => {
-      consola.info(message, ...args);
-    },
     /**
      * Success message
      */
@@ -144,11 +350,7 @@ function createLogger(options = {}) {
     /**
      * Check if in quiet mode
      */
-    isQuiet: () => options.quiet ?? false,
-    /**
-     * Check if in verbose mode
-     */
-    isVerbose: () => options.verbose ?? false
+    isQuiet: () => options.quiet ?? false
   };
 }
 var loggerOptions = {};
@@ -158,93 +360,108 @@ function configureLogger(options) {
   loggerInstance = createLogger(options);
 }
 var logger = {
-  debug: (message, ...args) => loggerInstance.debug(message, ...args),
-  info: (message, ...args) => loggerInstance.info(message, ...args),
   success: (message, ...args) => loggerInstance.success(message, ...args),
   warn: (message, ...args) => loggerInstance.warn(message, ...args),
   error: (message, ...args) => loggerInstance.error(message, ...args),
   log: (message) => loggerInstance.log(message),
   newline: () => loggerInstance.newline(),
-  isQuiet: () => loggerInstance.isQuiet(),
-  isVerbose: () => loggerInstance.isVerbose()
+  isQuiet: () => loggerInstance.isQuiet()
 };
 
-// src/adapters/claude-code.ts
-var ALLOWED_MCP_COMMANDS = [
-  "npx",
-  "node",
-  "python",
-  "python3",
-  "deno",
-  "bun",
-  "uvx"
-];
-var BLOCKED_MCP_ARG_PATTERNS = [
-  /--eval/i,
-  /-e\s/,
-  /-c\s/,
-  /\bcurl\b/i,
-  /\bwget\b/i,
-  /\brm\s/i,
-  /\bsudo\b/i,
-  /\bchmod\b/i,
-  /\bchown\b/i,
-  /[|;&`$]/
-  // Shell metacharacters
-];
+// src/security/mcp-validator.ts
+function isAllowedCommand(command) {
+  if (command.includes("/") || command.includes("\\")) {
+    return false;
+  }
+  return ALLOWED_MCP_COMMANDS.includes(
+    command
+  );
+}
+function containsBlockedPattern(args) {
+  for (const arg of args) {
+    for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
+      if (pattern.test(arg)) {
+        return pattern;
+      }
+    }
+  }
+  const argsString = args.join(" ");
+  for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
+    if (pattern.test(argsString)) {
+      return pattern;
+    }
+  }
+  return null;
+}
+function containsBlockedEnvKey(env) {
+  const blockedSet = new Set(BLOCKED_MCP_ENV_KEYS.map((k) => k.toUpperCase()));
+  for (const key of Object.keys(env)) {
+    if (blockedSet.has(key.toUpperCase())) {
+      return key;
+    }
+  }
+  return null;
+}
 function validateMcpConfig(mcp) {
   if (!mcp?.command) {
     return { valid: false, error: "MCP command is required" };
   }
-  const baseCommand = path2.basename(mcp.command);
-  if (!ALLOWED_MCP_COMMANDS.includes(
-    baseCommand
-  )) {
+  if (!isAllowedCommand(mcp.command)) {
     return {
       valid: false,
-      error: `MCP command '${baseCommand}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
+      error: `MCP command '${mcp.command}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
     };
   }
   if (mcp.args) {
-    const argsString = mcp.args.join(" ");
-    for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
-      if (pattern.test(argsString)) {
-        return {
-          valid: false,
-          error: `MCP arguments contain blocked pattern: ${pattern.source}`
-        };
-      }
+    const blockedPattern = containsBlockedPattern(mcp.args);
+    if (blockedPattern) {
+      return {
+        valid: false,
+        error: `MCP arguments contain blocked pattern: ${blockedPattern.source}`
+      };
+    }
+  }
+  if (mcp.env) {
+    const blockedKey = containsBlockedEnvKey(mcp.env);
+    if (blockedKey) {
+      return {
+        valid: false,
+        error: `MCP environment variable '${blockedKey}' is not allowed. It could be used to bypass command security restrictions.`
+      };
     }
   }
   return { valid: true };
 }
+
+// src/security/file-sanitizer.ts
+import path3 from "path";
 function sanitizeFileName(fileName) {
   if (!fileName || typeof fileName !== "string") {
-    return { safe: false, sanitized: "", error: "File name cannot be empty" };
+    return { valid: false, error: "File name cannot be empty", sanitized: "" };
   }
-  const baseName = path2.basename(fileName);
+  const baseName = path3.basename(fileName);
   if (baseName.includes("\0")) {
     return {
-      safe: false,
-      sanitized: "",
-      error: "File name contains null bytes"
+      valid: false,
+      error: "File name contains null bytes",
+      sanitized: ""
     };
   }
   if (baseName.startsWith(".") && baseName !== ".md") {
-    return { safe: false, sanitized: "", error: "Hidden files not allowed" };
+    return { valid: false, error: "Hidden files not allowed", sanitized: "" };
   }
   const sanitized = baseName.replace(/[<>:"|?*\\]/g, "_");
   if (sanitized.includes("..") || sanitized.includes("/") || sanitized.includes("\\")) {
     return {
-      safe: false,
-      sanitized: "",
-      error: "Path traversal detected in file name"
+      valid: false,
+      error: "Path traversal detected in file name",
+      sanitized: ""
     };
   }
   if (!sanitized.endsWith(".md")) {
-    return { safe: false, sanitized: "", error: "Only .md files allowed" };
+    return { valid: false, error: "Only .md files allowed", sanitized: "" };
   }
-  return { safe: true, sanitized };
+  return { valid: true, sanitized };
 }
 function sanitizeFolderName(name) {
   if (!name || typeof name !== "string") {
@@ -267,30 +484,39 @@ function sanitizeFolderName(name) {
   if (!sanitized || sanitized.startsWith(".")) {
     throw new Error(`Invalid package name: ${name}`);
   }
-  const normalized = path2.normalize(sanitized);
+  const normalized = path3.normalize(sanitized);
   if (normalized !== sanitized || normalized.includes("..")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
-  const testPath = path2.join("/test", sanitized);
-  const resolved = path2.resolve(testPath);
+  const testPath = path3.join("/test", sanitized);
+  const resolved = path3.resolve(testPath);
   if (!resolved.startsWith("/test/")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
   return sanitized;
 }
+
+// src/security/path-validator.ts
+import path4 from "path";
 function isPathWithinDirectory(filePath, directory) {
-  const resolvedPath = path2.resolve(filePath);
-  const resolvedDir = path2.resolve(directory);
-  return resolvedPath.startsWith(resolvedDir + path2.sep) || resolvedPath === resolvedDir;
+  const resolvedPath = path4.resolve(filePath);
+  const resolvedDir = path4.resolve(directory);
+  return resolvedPath.startsWith(resolvedDir + path4.sep) || resolvedPath === resolvedDir;
 }
+
+// src/adapters/handlers/rules-handler.ts
 async function writePackageMetadata(packageDir, manifest) {
   const metadata = {
     name: manifest.name,
+    // e.g., "@cpm/typescript-strict"
     version: manifest.version,
-    type: manifest.type || "unknown",
+    // e.g., "1.0.0"
+    type: manifest.type,
+    // e.g., "rules"
     installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    // ISO timestamp for when it was installed
   };
-  const metadataPath = path2.join(packageDir, ".cpm.json");
+  const metadataPath = path5.join(packageDir, ".cpm.json");
   try {
     await fs2.writeJson(metadataPath, metadata, { spaces: 2 });
   } catch (error) {
@@ -300,152 +526,45 @@ async function writePackageMetadata(packageDir, manifest) {
   }
   return metadataPath;
 }
-var ClaudeCodeAdapter = class extends PlatformAdapter {
-  platform = "claude-code";
-  displayName = "Claude Code";
-  async isAvailable(_projectPath) {
-    return true;
-  }
-  async install(manifest, projectPath, packagePath) {
-    const filesWritten = [];
-    try {
-      switch (manifest.type) {
-        case "rules": {
-          const rulesResult = await this.installRules(
-            manifest,
-            projectPath,
-            packagePath
-          );
-          filesWritten.push(...rulesResult);
-          break;
-        }
-        case "skill": {
-          const skillResult = await this.installSkill(
-            manifest,
-            projectPath,
-            packagePath
-          );
-          filesWritten.push(...skillResult);
-          break;
-        }
-        case "mcp": {
-          const mcpResult = await this.installMcp(manifest, projectPath);
-          filesWritten.push(...mcpResult);
-          break;
-        }
-        default:
-          if (manifest.skill) {
-            const skillResult = await this.installSkill(
-              manifest,
-              projectPath,
-              packagePath
-            );
-            filesWritten.push(...skillResult);
-          } else if (manifest.mcp) {
-            const mcpResult = await this.installMcp(manifest, projectPath);
-            filesWritten.push(...mcpResult);
-          } else if (manifest.universal?.rules) {
-            const rulesResult = await this.installRules(
-              manifest,
-              projectPath,
-              packagePath
-            );
-            filesWritten.push(...rulesResult);
-          }
-      }
-      return {
-        success: true,
-        platform: "claude-code",
-        filesWritten
-      };
-    } catch (error) {
-      return {
-        success: false,
-        platform: "claude-code",
-        filesWritten,
-        error: error instanceof Error ? error.message : "Unknown error"
-      };
-    }
-  }
-  async uninstall(packageName, _projectPath) {
-    const filesWritten = [];
-    const folderName = sanitizeFolderName(packageName);
-    try {
-      const rulesBaseDir = getRulesPath("claude-code");
-      const rulesPath = path2.join(rulesBaseDir, folderName);
-      if (await fs2.pathExists(rulesPath)) {
-        await fs2.remove(rulesPath);
-        filesWritten.push(rulesPath);
-      }
-      const skillsDir = getSkillsPath();
-      const skillPath = path2.join(skillsDir, folderName);
-      if (await fs2.pathExists(skillPath)) {
-        await fs2.remove(skillPath);
-        filesWritten.push(skillPath);
-      }
-      await this.removeMcpServer(folderName, filesWritten);
-      return {
-        success: true,
-        platform: "claude-code",
-        filesWritten
-      };
-    } catch (error) {
-      return {
-        success: false,
-        platform: "claude-code",
-        filesWritten,
-        error: error instanceof Error ? error.message : "Unknown error"
-      };
-    }
-  }
+var RulesHandler = class {
   /**
-   * Remove an MCP server configuration from ~/.claude.json
+   * Identifies this handler as handling "rules" type packages.
+   * The registry uses this to route rules packages to this handler.
    */
-  async removeMcpServer(serverName, filesWritten) {
-    const claudeHome = getClaudeCodeHome();
-    const mcpConfigPath = path2.join(path2.dirname(claudeHome), ".claude.json");
-    if (!await fs2.pathExists(mcpConfigPath)) {
-      return;
-    }
-    try {
-      const config = await fs2.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers;
-      if (!mcpServers || !mcpServers[serverName]) {
-        return;
-      }
-      const { [serverName]: _removed, ...remainingServers } = mcpServers;
-      const updatedConfig = {
-        ...config,
-        mcpServers: remainingServers
-      };
-      await fs2.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-      filesWritten.push(mcpConfigPath);
-    } catch (error) {
-      logger.warn(
-        `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
-    }
-  }
-  async installRules(manifest, _projectPath, packagePath) {
+  packageType = "rules";
+  /**
+   * Install a rules package.
+   *
+   * The installation process:
+   * 1. Determine the target directory (~/.claude/rules/<package-name>/)
+   * 2. If package files exist in packagePath, copy all .md files
+   * 3. Otherwise, create a RULES.md from the manifest content
+   * 4. Write metadata file for tracking
+   *
+   * @param manifest - The package manifest with name, content, etc.
+   * @param context - Contains projectPath and optional packagePath
+   * @returns Array of file paths that were created
+   */
+  async install(manifest, context) {
     const filesWritten = [];
     const rulesBaseDir = getRulesPath("claude-code");
     const folderName = sanitizeFolderName(manifest.name);
-    const rulesDir = path2.join(rulesBaseDir, folderName);
+    const rulesDir = path5.join(rulesBaseDir, folderName);
     await fs2.ensureDir(rulesDir);
-    if (packagePath && await fs2.pathExists(packagePath)) {
-      const files = await fs2.readdir(packagePath);
+    if (context.packagePath && await fs2.pathExists(context.packagePath)) {
+      const files = await fs2.readdir(context.packagePath);
       const mdFiles = files.filter(
         (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
       );
       if (mdFiles.length > 0) {
         for (const file of mdFiles) {
           const validation = sanitizeFileName(file);
-          if (!validation.safe) {
+          if (!validation.valid) {
             logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
             continue;
           }
-          const srcPath = path2.join(packagePath, file);
-          const destPath = path2.join(rulesDir, validation.sanitized);
+          const srcPath = path5.join(context.packagePath, file);
+          const destPath = path5.join(rulesDir, validation.sanitized);
           if (!isPathWithinDirectory(destPath, rulesDir)) {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
@@ -458,9 +577,9 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
         return filesWritten;
       }
     }
-    const rulesContent = manifest.universal?.rules || manifest.universal?.prompt;
+    const rulesContent = this.getRulesContent(manifest);
     if (!rulesContent) return filesWritten;
-    const rulesPath = path2.join(rulesDir, "RULES.md");
+    const rulesPath = path5.join(rulesDir, "RULES.md");
     const content = `# ${manifest.name}
 
 ${manifest.description}
@@ -473,76 +592,248 @@ ${rulesContent.trim()}
     filesWritten.push(metadataPath);
     return filesWritten;
   }
-  async installSkill(manifest, _projectPath, packagePath) {
-    const filesWritten = [];
-    const skillsDir = getSkillsPath();
-    const folderName = sanitizeFolderName(manifest.name);
-    const skillDir = path2.join(skillsDir, folderName);
-    await fs2.ensureDir(skillDir);
-    if (packagePath && await fs2.pathExists(packagePath)) {
-      const files = await fs2.readdir(packagePath);
-      const contentFiles = files.filter(
-        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
-      );
-      if (contentFiles.length > 0) {
-        for (const file of contentFiles) {
-          const validation = sanitizeFileName(file);
-          if (!validation.safe) {
-            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
-            continue;
-          }
-          const srcPath = path2.join(packagePath, file);
-          const destPath = path2.join(skillDir, validation.sanitized);
-          if (!isPathWithinDirectory(destPath, skillDir)) {
-            logger.warn(`Blocked path traversal attempt: ${file}`);
-            continue;
-          }
-          await fs2.copy(srcPath, destPath);
-          filesWritten.push(destPath);
-        }
-        const metadataPath = await writePackageMetadata(skillDir, manifest);
-        filesWritten.push(metadataPath);
-        return filesWritten;
-      }
+  /**
+   * Uninstall a rules package.
+   *
+   * This removes the entire package directory from ~/.claude/rules/
+   *
+   * @param packageName - The name of the package to remove
+   * @param _context - Uninstall context (not used for rules, but required by interface)
+   * @returns Array of paths that were removed
+   */
+  async uninstall(packageName, _context) {
+    const filesRemoved = [];
+    const folderName = sanitizeFolderName(packageName);
+    const rulesBaseDir = getRulesPath("claude-code");
+    const rulesPath = path5.join(rulesBaseDir, folderName);
+    if (await fs2.pathExists(rulesPath)) {
+      await fs2.remove(rulesPath);
+      filesRemoved.push(rulesPath);
     }
-    if (manifest.skill) {
-      const skillContent = this.formatSkillMd(manifest);
-      const skillPath = path2.join(skillDir, "SKILL.md");
-      await fs2.writeFile(skillPath, skillContent, "utf-8");
-      filesWritten.push(skillPath);
-      const metadataPath = await writePackageMetadata(skillDir, manifest);
-      filesWritten.push(metadataPath);
-    } else if (manifest.universal?.prompt || manifest.universal?.rules) {
-      const content = manifest.universal.prompt || manifest.universal.rules || "";
-      const skillPath = path2.join(skillDir, "SKILL.md");
-      const skillContent = `# ${manifest.name}
-
-${manifest.description}
+    return filesRemoved;
+  }
+  /**
+   * Extract rules content from the manifest.
+   *
+   * Rules content can come from:
+   * - manifest.universal.rules (primary)
+   * - manifest.universal.prompt (fallback)
+   *
+   * @param manifest - The package manifest
+   * @returns The rules content string, or undefined if none exists
+   */
+  getRulesContent(manifest) {
+    if (isRulesManifest(manifest)) {
+      return manifest.universal.rules || manifest.universal.prompt;
+    }
+    return void 0;
+  }
+};
+
+// src/adapters/handlers/skill-handler.ts
+import fs3 from "fs-extra";
+import path6 from "path";
+async function writePackageMetadata2(packageDir, manifest) {
+  const metadata = {
+    name: manifest.name,
+    // e.g., "@cpm/commit-skill"
+    version: manifest.version,
+    // e.g., "1.0.0"
+    type: manifest.type,
+    // e.g., "skill"
+    installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    // ISO timestamp for when it was installed
+  };
+  const metadataPath = path6.join(packageDir, ".cpm.json");
+  try {
+    await fs3.writeJson(metadataPath, metadata, { spaces: 2 });
+  } catch (error) {
+    logger.warn(
+      `Could not write metadata: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+  return metadataPath;
+}
+function formatSkillMd(manifest) {
+  const skill = manifest.skill;
+  const content = manifest.universal?.prompt || manifest.universal?.rules || "";
+  return `---
+name: ${manifest.name}
+command: ${skill.command || `/${manifest.name}`}
+description: ${skill.description || manifest.description}
+version: ${manifest.version}
+---
+
+# ${manifest.name}
+
+${manifest.description}
+
+## Instructions
 
 ${content.trim()}
 `;
-      await fs2.writeFile(skillPath, skillContent, "utf-8");
+}
+var SkillHandler = class {
+  /**
+   * Identifies this handler as handling "skill" type packages.
+   * The registry uses this to route skill packages to this handler.
+   */
+  packageType = "skill";
+  /**
+   * Install a skill package.
+   *
+   * The installation process:
+   * 1. Determine the target directory (~/.claude/skills/<package-name>/)
+   * 2. If package files exist in packagePath, copy all .md files
+   * 3. Otherwise, create a SKILL.md from the manifest content
+   * 4. Write metadata file for tracking
+   *
+   * @param manifest - The package manifest with name, content, etc.
+   * @param context - Contains projectPath and optional packagePath
+   * @returns Array of file paths that were created
+   */
+  async install(manifest, context) {
+    const filesWritten = [];
+    const skillsDir = getSkillsPath();
+    const folderName = sanitizeFolderName(manifest.name);
+    const skillDir = path6.join(skillsDir, folderName);
+    await fs3.ensureDir(skillDir);
+    if (context.packagePath && await fs3.pathExists(context.packagePath)) {
+      const files = await fs3.readdir(context.packagePath);
+      const contentFiles = files.filter(
+        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
+      );
+      if (contentFiles.length > 0) {
+        for (const file of contentFiles) {
+          const validation = sanitizeFileName(file);
+          if (!validation.valid) {
+            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
+            continue;
+          }
+          const srcPath = path6.join(context.packagePath, file);
+          const destPath = path6.join(skillDir, validation.sanitized);
+          if (!isPathWithinDirectory(destPath, skillDir)) {
+            logger.warn(`Blocked path traversal attempt: ${file}`);
+            continue;
+          }
+          await fs3.copy(srcPath, destPath);
+          filesWritten.push(destPath);
+        }
+        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        filesWritten.push(metadataPath);
+        return filesWritten;
+      }
+    }
+    if (isSkillManifest(manifest)) {
+      const skillContent = formatSkillMd(manifest);
+      const skillPath = path6.join(skillDir, "SKILL.md");
+      await fs3.writeFile(skillPath, skillContent, "utf-8");
       filesWritten.push(skillPath);
-      const metadataPath = await writePackageMetadata(skillDir, manifest);
+      const metadataPath = await writePackageMetadata2(skillDir, manifest);
       filesWritten.push(metadataPath);
+    } else {
+      const content = this.getUniversalContent(manifest);
+      if (content) {
+        const skillPath = path6.join(skillDir, "SKILL.md");
+        const skillContent = `# ${manifest.name}
+
+${manifest.description}
+
+${content.trim()}
+`;
+        await fs3.writeFile(skillPath, skillContent, "utf-8");
+        filesWritten.push(skillPath);
+        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        filesWritten.push(metadataPath);
+      }
     }
     return filesWritten;
   }
-  async installMcp(manifest, _projectPath) {
+  /**
+   * Uninstall a skill package.
+   *
+   * This removes the entire package directory from ~/.claude/skills/
+   *
+   * @param packageName - The name of the package to remove
+   * @param _context - Uninstall context (not used for skills, but required by interface)
+   * @returns Array of paths that were removed
+   */
+  async uninstall(packageName, _context) {
+    const filesRemoved = [];
+    const folderName = sanitizeFolderName(packageName);
+    const skillsDir = getSkillsPath();
+    const skillPath = path6.join(skillsDir, folderName);
+    if (await fs3.pathExists(skillPath)) {
+      await fs3.remove(skillPath);
+      filesRemoved.push(skillPath);
+    }
+    return filesRemoved;
+  }
+  /**
+   * Extract universal content from the manifest.
+   *
+   * This is used as a fallback when the manifest doesn't have
+   * proper skill configuration but does have universal content.
+   *
+   * @param manifest - The package manifest
+   * @returns The universal content string, or undefined if none exists
+   */
+  getUniversalContent(manifest) {
+    if ("universal" in manifest && manifest.universal) {
+      return manifest.universal.prompt || manifest.universal.rules;
+    }
+    return void 0;
+  }
+};
+
+// src/adapters/handlers/mcp-handler.ts
+import fs4 from "fs-extra";
+import path7 from "path";
+var McpHandler = class {
+  /**
+   * Identifies this handler as handling "mcp" type packages.
+   * The registry uses this to route MCP packages to this handler.
+   */
+  packageType = "mcp";
+  /**
+   * Install an MCP package.
+   *
+   * The installation process:
+   * 1. Validate the MCP configuration for security
+   * 2. Read the existing ~/.claude.json configuration
+   * 3. Add the new MCP server to the mcpServers section
+   * 4. Write the updated configuration back
+   *
+   * @param manifest - The package manifest with MCP configuration
+   * @param _context - Install context (not used for MCP, but required by interface)
+   * @returns Array containing the path to the modified config file
+   * @throws Error if MCP configuration fails security validation
+   */
+  async install(manifest, _context) {
     const filesWritten = [];
-    if (!manifest.mcp) return filesWritten;
+    if (!isMcpManifest(manifest)) {
+      return filesWritten;
+    }
     const mcpValidation = validateMcpConfig(manifest.mcp);
     if (!mcpValidation.valid) {
       throw new Error(`MCP security validation failed: ${mcpValidation.error}`);
     }
-    const claudeHome = getClaudeCodeHome();
-    const mcpConfigPath = path2.join(path2.dirname(claudeHome), ".claude.json");
+    const claudeHome = getClaudeHome();
+    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
     let existingConfig = {};
-    if (await fs2.pathExists(mcpConfigPath)) {
+    if (await fs4.pathExists(mcpConfigPath)) {
       try {
-        existingConfig = await fs2.readJson(mcpConfigPath);
+        existingConfig = await fs4.readJson(mcpConfigPath);
       } catch {
-        logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+        const backupPath = `${mcpConfigPath}.backup.${Date.now()}`;
+        try {
+          await fs4.copy(mcpConfigPath, backupPath);
+          logger.warn(
+            `Could not parse ${mcpConfigPath}, backup saved to ${backupPath}`
+          );
+        } catch {
+          logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+        }
         existingConfig = {};
       }
     }
@@ -550,42 +841,161 @@ ${content.trim()}
     const existingMcpServers = existingConfig.mcpServers || {};
     const updatedConfig = {
       ...existingConfig,
+      // Preserve all other config settings
       mcpServers: {
         ...existingMcpServers,
+        // Preserve other MCP servers
         [sanitizedName]: {
+          // Add/update this package's MCP server
           command: manifest.mcp.command,
+          // e.g., "npx"
           args: manifest.mcp.args,
+          // e.g., ["-y", "@supabase/mcp"]
           env: manifest.mcp.env
+          // e.g., { "SUPABASE_URL": "..." }
         }
       }
     };
-    await fs2.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+    await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
     filesWritten.push(mcpConfigPath);
     return filesWritten;
   }
-  formatSkillMd(manifest) {
-    if (!manifest.skill) {
-      throw new Error(
-        "Cannot format skill markdown: manifest.skill is undefined"
+  /**
+   * Uninstall an MCP package.
+   *
+   * This removes the MCP server entry from ~/.claude.json
+   *
+   * @param packageName - The name of the package to remove
+   * @param _context - Uninstall context (not used for MCP, but required by interface)
+   * @returns Array containing the path to the modified config file
+   */
+  async uninstall(packageName, _context) {
+    const filesWritten = [];
+    const folderName = sanitizeFolderName(packageName);
+    const claudeHome = getClaudeHome();
+    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
+    if (!await fs4.pathExists(mcpConfigPath)) {
+      return filesWritten;
+    }
+    try {
+      const config = await fs4.readJson(mcpConfigPath);
+      const mcpServers = config.mcpServers;
+      if (!mcpServers || !mcpServers[folderName]) {
+        return filesWritten;
+      }
+      const { [folderName]: _removed, ...remainingServers } = mcpServers;
+      const updatedConfig = {
+        ...config,
+        mcpServers: remainingServers
+      };
+      await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+      filesWritten.push(mcpConfigPath);
+    } catch (error) {
+      logger.warn(
+        `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
-    const skill = manifest.skill;
-    const content = manifest.universal?.prompt || manifest.universal?.rules || "";
-    return `---
-name: ${manifest.name}
-command: ${skill.command || `/${manifest.name}`}
-description: ${skill.description || manifest.description}
-version: ${manifest.version}
----
-
-# ${manifest.name}
-
-${manifest.description}
+    return filesWritten;
+  }
+};
 
-## Instructions
+// src/adapters/handlers/index.ts
+function initializeHandlers() {
+  handlerRegistry.register(new RulesHandler());
+  handlerRegistry.register(new SkillHandler());
+  handlerRegistry.register(new McpHandler());
+}
+initializeHandlers();
 
-${content.trim()}
-`;
+// src/adapters/claude-code.ts
+import fs5 from "fs-extra";
+import path8 from "path";
+var ClaudeCodeAdapter = class extends PlatformAdapter {
+  platform = "claude-code";
+  displayName = "Claude Code";
+  async isAvailable(_projectPath) {
+    return true;
+  }
+  async install(manifest, projectPath, packagePath) {
+    const filesWritten = [];
+    try {
+      const context = { projectPath, packagePath };
+      const result = await this.installByType(manifest, context);
+      filesWritten.push(...result);
+      return {
+        success: true,
+        platform: "claude-code",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "claude-code",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async uninstall(packageName, projectPath) {
+    const filesWritten = [];
+    const folderName = sanitizeFolderName(packageName);
+    const context = { projectPath };
+    try {
+      const rulesBaseDir = getRulesPath("claude-code");
+      const rulesPath = path8.join(rulesBaseDir, folderName);
+      if (await fs5.pathExists(rulesPath)) {
+        await fs5.remove(rulesPath);
+        filesWritten.push(rulesPath);
+      }
+      const skillsDir = getSkillsPath();
+      const skillPath = path8.join(skillsDir, folderName);
+      if (await fs5.pathExists(skillPath)) {
+        await fs5.remove(skillPath);
+        filesWritten.push(skillPath);
+      }
+      if (handlerRegistry.hasHandler("mcp")) {
+        const mcpHandler = handlerRegistry.getHandler("mcp");
+        const mcpFiles = await mcpHandler.uninstall(packageName, context);
+        filesWritten.push(...mcpFiles);
+      }
+      return {
+        success: true,
+        platform: "claude-code",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "claude-code",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async installByType(manifest, context) {
+    if (handlerRegistry.hasHandler(manifest.type)) {
+      const handler = handlerRegistry.getHandler(manifest.type);
+      return handler.install(manifest, context);
+    }
+    return this.installFallback(manifest, context);
+  }
+  async installFallback(manifest, context) {
+    logger.warn(
+      `No handler registered for type "${manifest.type}", attempting content-based detection`
+    );
+    if (isSkillManifest(manifest)) {
+      const handler = handlerRegistry.getHandler("skill");
+      return handler.install(manifest, context);
+    }
+    if (isMcpManifest(manifest)) {
+      const handler = handlerRegistry.getHandler("mcp");
+      return handler.install(manifest, context);
+    }
+    if (isRulesManifest(manifest)) {
+      const handler = handlerRegistry.getHandler("rules");
+      return handler.install(manifest, context);
+    }
+    return [];
   }
 };
 
@@ -597,51 +1007,20 @@ function getAdapter(platform) {
   return adapters[platform];
 }
 
-// src/utils/config.ts
-import path3 from "path";
-import os2 from "os";
-import fs3 from "fs-extra";
-function getClaudeHome() {
-  return path3.join(os2.homedir(), ".claude");
-}
-async function ensureClaudeDirs() {
-  const claudeHome = getClaudeHome();
-  await fs3.ensureDir(path3.join(claudeHome, "rules"));
-  await fs3.ensureDir(path3.join(claudeHome, "skills"));
-}
-
 // src/utils/registry.ts
 import got from "got";
-import fs4 from "fs-extra";
-import path4 from "path";
-import os3 from "os";
-
-// src/types.ts
-function getTypeFromPath(path9) {
-  if (path9.startsWith("skills/")) return "skill";
-  if (path9.startsWith("rules/")) return "rules";
-  if (path9.startsWith("mcp/")) return "mcp";
-  if (path9.startsWith("agents/")) return "agent";
-  if (path9.startsWith("hooks/")) return "hook";
-  if (path9.startsWith("workflows/")) return "workflow";
-  if (path9.startsWith("templates/")) return "template";
-  if (path9.startsWith("bundles/")) return "bundle";
-  return null;
-}
-function resolvePackageType(pkg) {
-  if (pkg.type) return pkg.type;
-  if (pkg.path) {
-    const derived = getTypeFromPath(pkg.path);
-    if (derived) return derived;
-  }
-  throw new Error(`Cannot determine type for package: ${pkg.name}`);
-}
-
-// src/utils/registry.ts
+import fs6 from "fs-extra";
+import path9 from "path";
+import os2 from "os";
 var DEFAULT_REGISTRY_URL = process.env.CPM_REGISTRY_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
-var CACHE_DIR = path4.join(os3.homedir(), ".cpm", "cache");
-var CACHE_FILE = path4.join(CACHE_DIR, "registry.json");
-var CACHE_TTL = 5 * 60 * 1e3;
+var CACHE_DIR = path9.join(os2.homedir(), ".cpm", "cache");
+var CACHE_FILE = path9.join(CACHE_DIR, "registry.json");
+var comparators = {
+  downloads: (a, b) => (b.downloads ?? 0) - (a.downloads ?? 0),
+  stars: (a, b) => (b.stars ?? 0) - (a.stars ?? 0),
+  recent: (a, b) => new Date(b.publishedAt || 0).getTime() - new Date(a.publishedAt || 0).getTime(),
+  name: (a, b) => (a.name ?? "").localeCompare(b.name ?? "")
+};
 var Registry = class {
   registryUrl;
   cache = null;
@@ -653,275 +1032,374 @@ var Registry = class {
    * Fetch the registry data (with caching)
    */
   async fetch(forceRefresh = false) {
-    if (!forceRefresh && this.cache && Date.now() - this.cacheTimestamp < CACHE_TTL) {
+    if (this.hasValidMemoryCache() && !forceRefresh) {
       return this.cache;
     }
     if (!forceRefresh) {
-      try {
-        await fs4.ensureDir(CACHE_DIR);
-        if (await fs4.pathExists(CACHE_FILE)) {
-          const stat = await fs4.stat(CACHE_FILE);
-          if (Date.now() - stat.mtimeMs < CACHE_TTL) {
-            const cached = await fs4.readJson(CACHE_FILE);
-            this.cache = cached;
-            this.cacheTimestamp = Date.now();
-            return cached;
-          }
+      const fileCache = await this.loadFileCache();
+      if (fileCache) {
+        this.updateMemoryCache(fileCache);
+        return fileCache;
+      }
+    }
+    return this.fetchFromNetwork();
+  }
+  /**
+   * Search for packages
+   */
+  async search(options = {}) {
+    const data = await this.fetch();
+    let packages = [...data.packages];
+    packages = this.filterByQuery(packages, options.query);
+    packages = this.filterByType(packages, options.type);
+    packages = this.sortPackages(packages, options.sort || "downloads");
+    const total = packages.length;
+    packages = this.paginate(packages, options.offset, options.limit);
+    return { packages, total };
+  }
+  /**
+   * Get a specific package by name
+   */
+  async getPackage(name) {
+    const data = await this.fetch();
+    return data.packages.find((pkg) => pkg.name === name) || null;
+  }
+  // ============================================================================
+  // Private Helpers
+  // ============================================================================
+  hasValidMemoryCache() {
+    return this.cache !== null && Date.now() - this.cacheTimestamp < LIMITS.CACHE_TTL_MS;
+  }
+  updateMemoryCache(data) {
+    this.cache = data;
+    this.cacheTimestamp = Date.now();
+  }
+  async loadFileCache() {
+    try {
+      await fs6.ensureDir(CACHE_DIR);
+      if (await fs6.pathExists(CACHE_FILE)) {
+        const stat = await fs6.stat(CACHE_FILE);
+        if (Date.now() - stat.mtimeMs < LIMITS.CACHE_TTL_MS) {
+          return await fs6.readJson(CACHE_FILE);
         }
-      } catch {
       }
+    } catch {
     }
+    return null;
+  }
+  async saveFileCache(data) {
+    try {
+      await fs6.ensureDir(CACHE_DIR);
+      await fs6.writeJson(CACHE_FILE, data, { spaces: 2 });
+    } catch {
+    }
+  }
+  async fetchFromNetwork() {
     try {
       const response = await got(this.registryUrl, {
-        timeout: { request: 1e4 },
+        timeout: { request: TIMEOUTS.REGISTRY_FETCH },
         responseType: "json"
       });
       const data = response.body;
-      this.cache = data;
-      this.cacheTimestamp = Date.now();
-      try {
-        await fs4.ensureDir(CACHE_DIR);
-        await fs4.writeJson(CACHE_FILE, data, { spaces: 2 });
-      } catch {
-      }
+      this.updateMemoryCache(data);
+      await this.saveFileCache(data);
       return data;
     } catch {
-      if (this.cache) {
-        return this.cache;
+      return this.handleNetworkError();
+    }
+  }
+  async handleNetworkError() {
+    if (this.cache) {
+      return this.cache;
+    }
+    try {
+      if (await fs6.pathExists(CACHE_FILE)) {
+        const cached = await fs6.readJson(CACHE_FILE);
+        this.cache = cached;
+        return cached;
       }
+    } catch {
+    }
+    throw new Error(
+      "Unable to fetch package registry. Please check your internet connection and try again."
+    );
+  }
+  filterByQuery(packages, query) {
+    if (!query) return packages;
+    const lowerQuery = query.toLowerCase();
+    return packages.filter(
+      (pkg) => pkg.name?.toLowerCase().includes(lowerQuery) || pkg.description?.toLowerCase().includes(lowerQuery) || pkg.keywords?.some((k) => k?.toLowerCase().includes(lowerQuery))
+    );
+  }
+  filterByType(packages, type) {
+    if (!type) return packages;
+    return packages.filter((pkg) => {
       try {
-        if (await fs4.pathExists(CACHE_FILE)) {
-          const cached = await fs4.readJson(CACHE_FILE);
-          this.cache = cached;
-          return cached;
-        }
+        return resolvePackageType(pkg) === type;
       } catch {
+        return false;
+      }
+    });
+  }
+  sortPackages(packages, sort) {
+    const comparator = comparators[sort];
+    return [...packages].sort(comparator);
+  }
+  paginate(packages, offset, limit) {
+    const start = offset || 0;
+    const end = start + (limit || 10);
+    return packages.slice(start, end);
+  }
+};
+var registry = new Registry();
+
+// src/utils/downloader.ts
+import fs8 from "fs-extra";
+import path11 from "path";
+import os3 from "os";
+
+// src/sources/manifest-resolver.ts
+var ManifestResolver = class {
+  /**
+   * List of sources, sorted by priority (lowest first).
+   * This array is created once during construction and never modified.
+   */
+  sources;
+  /**
+   * Create a new ManifestResolver with the given sources.
+   *
+   * The sources are automatically sorted by priority (lowest first)
+   * so they're tried in the correct order during resolution.
+   *
+   * @param sources - Array of manifest sources to use
+   *
+   * @example
+   * ```typescript
+   * const resolver = new ManifestResolver([
+   *   new RepositorySource(),  // priority: 1
+   *   new TarballSource(),     // priority: 2
+   *   new RegistrySource(),    // priority: 4
+   * ]);
+   * // Sources will be tried in order: Repository, Tarball, Registry
+   * ```
+   */
+  constructor(sources) {
+    this.sources = [...sources].sort((a, b) => a.priority - b.priority);
+  }
+  /**
+   * Resolve the manifest for a package.
+   *
+   * This method tries each source in priority order until one
+   * successfully returns a manifest. If all sources fail, an
+   * error is thrown.
+   *
+   * The resolution process:
+   * 1. For each source (in priority order):
+   *    a. Check if the source can fetch this package (canFetch)
+   *    b. If yes, try to fetch the manifest
+   *    c. If fetch returns a manifest, return it immediately
+   *    d. If fetch returns null, continue to the next source
+   * 2. If no source returned a manifest, throw an error
+   *
+   * @param pkg - The registry package to resolve
+   * @param context - Context with temp directory for downloads
+   * @returns The resolved package manifest
+   * @throws Error if no source can provide a manifest
+   *
+   * @example
+   * ```typescript
+   * const pkg = await registry.getPackage("@cpm/typescript-rules");
+   * const context = { tempDir: "/tmp/cpm-download-123" };
+   *
+   * const manifest = await resolver.resolve(pkg, context);
+   * console.log(`Package type: ${manifest.type}`);
+   * ```
+   */
+  async resolve(pkg, context) {
+    for (const source of this.sources) {
+      if (source.canFetch(pkg)) {
+        const manifest = await source.fetch(pkg, context);
+        if (manifest) {
+          return manifest;
+        }
       }
-      return this.getFallbackRegistry();
     }
+    throw new Error(`No manifest found for package: ${pkg.name}`);
   }
   /**
-   * Search for packages
+   * Get the names of all registered sources.
+   *
+   * Useful for debugging and displaying information about
+   * which sources are configured.
+   *
+   * @returns Array of source names in priority order
+   *
+   * @example
+   * ```typescript
+   * const names = resolver.getSourceNames();
+   * console.log("Configured sources:", names.join(", "));
+   * // Output: "Configured sources: repository, tarball, embedded, registry"
+   * ```
    */
-  async search(options = {}) {
-    const data = await this.fetch();
-    let packages = [...data.packages];
-    if (options.query) {
-      const query = options.query.toLowerCase();
-      packages = packages.filter(
-        (pkg) => pkg.name?.toLowerCase().includes(query) || pkg.description?.toLowerCase().includes(query) || pkg.keywords?.some((k) => k?.toLowerCase().includes(query))
-      );
+  getSourceNames() {
+    return this.sources.map((s) => s.name);
+  }
+};
+
+// src/sources/repository-source.ts
+import got2 from "got";
+import yaml from "yaml";
+var PACKAGES_REPO_BASE = "https://raw.githubusercontent.com/cpmai-dev/packages/main/packages";
+var RepositorySource = class {
+  name = "repository";
+  priority = 1;
+  canFetch(pkg) {
+    return !!pkg.path || !!pkg.repository?.includes("github.com");
+  }
+  async fetch(pkg, _context) {
+    if (pkg.path) {
+      const manifest = await this.fetchFromPackagesRepo(pkg.path);
+      if (manifest) return manifest;
     }
-    if (options.type) {
-      packages = packages.filter((pkg) => {
-        try {
-          return resolvePackageType(pkg) === options.type;
-        } catch {
-          return false;
-        }
+    if (pkg.repository) {
+      return this.fetchFromStandaloneRepo(pkg.repository);
+    }
+    return null;
+  }
+  async fetchFromPackagesRepo(packagePath) {
+    if (packagePath.includes("..") || packagePath.startsWith("/") || packagePath.includes("\\")) {
+      return null;
+    }
+    const rawUrl = `${PACKAGES_REPO_BASE}/${packagePath}/cpm.yaml`;
+    try {
+      const response = await got2(rawUrl, {
+        timeout: { request: TIMEOUTS.MANIFEST_FETCH }
       });
+      return yaml.parse(response.body);
+    } catch {
+      return null;
     }
-    const sort = options.sort || "downloads";
-    packages.sort((a, b) => {
-      switch (sort) {
-        case "downloads":
-          return (b.downloads ?? 0) - (a.downloads ?? 0);
-        case "stars":
-          return (b.stars ?? 0) - (a.stars ?? 0);
-        case "recent":
-          return new Date(b.publishedAt || 0).getTime() - new Date(a.publishedAt || 0).getTime();
-        case "name":
-          return (a.name ?? "").localeCompare(b.name ?? "");
-        default:
-          return 0;
-      }
-    });
-    const total = packages.length;
-    const offset = options.offset || 0;
-    const limit = options.limit || 10;
-    packages = packages.slice(offset, offset + limit);
-    return { packages, total };
   }
+  async fetchFromStandaloneRepo(repository) {
+    try {
+      const match = repository.match(/github\.com\/([^/]+)\/([^/]+)/);
+      if (!match) return null;
+      const [, owner, repo] = match;
+      const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/cpm.yaml`;
+      const response = await got2(rawUrl, {
+        timeout: { request: TIMEOUTS.MANIFEST_FETCH }
+      });
+      return yaml.parse(response.body);
+    } catch {
+      return null;
+    }
+  }
+};
+
+// src/sources/tarball-source.ts
+import got3 from "got";
+import fs7 from "fs-extra";
+import path10 from "path";
+import * as tar from "tar";
+import yaml2 from "yaml";
+var TarballSource = class {
   /**
-   * Get a specific package by name
+   * Name of this source for logging and debugging.
    */
-  async getPackage(name) {
-    const data = await this.fetch();
-    return data.packages.find((pkg) => pkg.name === name) || null;
+  name = "tarball";
+  /**
+   * Priority 2 - tried after repository source.
+   * Tarball downloading is slower but provides the full package.
+   */
+  priority = 2;
+  /**
+   * Check if this source can fetch the given package.
+   *
+   * We can only fetch if the package has a tarball URL.
+   *
+   * @param pkg - The registry package to check
+   * @returns true if the package has a tarball URL
+   */
+  canFetch(pkg) {
+    return !!pkg.tarball;
   }
   /**
-   * Get package manifest from GitHub
+   * Fetch the manifest by downloading and extracting the tarball.
+   *
+   * This method:
+   * 1. Validates the tarball URL (must be HTTPS)
+   * 2. Downloads the tarball to the temp directory
+   * 3. Extracts it with zip slip protection
+   * 4. Reads and parses the cpm.yaml file
+   *
+   * @param pkg - The registry package to fetch
+   * @param context - Context containing the temp directory path
+   * @returns The parsed manifest, or null if fetch fails
    */
-  async getManifest(pkg) {
-    if (!pkg.repository) {
-      return null;
-    }
+  async fetch(pkg, context) {
+    if (!pkg.tarball) return null;
     try {
-      const repoUrl = pkg.repository.replace(
-        "github.com",
-        "raw.githubusercontent.com"
-      );
-      const manifestUrl = `${repoUrl}/main/cpm.yaml`;
-      const response = await got(manifestUrl, {
-        timeout: { request: 1e4 }
+      const parsedUrl = new URL(pkg.tarball);
+      if (parsedUrl.protocol !== "https:") {
+        throw new Error("Only HTTPS URLs are allowed for downloads");
+      }
+      const response = await got3(pkg.tarball, {
+        timeout: { request: TIMEOUTS.TARBALL_DOWNLOAD },
+        // 30 second timeout
+        followRedirect: true,
+        // Follow redirects (common for CDN URLs)
+        responseType: "buffer"
+        // Get raw binary data
       });
-      const yaml2 = await import("yaml");
-      return yaml2.parse(response.body);
+      const tarballPath = path10.join(context.tempDir, "package.tar.gz");
+      await fs7.writeFile(tarballPath, response.body);
+      await this.extractTarball(tarballPath, context.tempDir);
+      const manifestPath = path10.join(context.tempDir, "cpm.yaml");
+      if (await fs7.pathExists(manifestPath)) {
+        const content = await fs7.readFile(manifestPath, "utf-8");
+        return yaml2.parse(content);
+      }
+      return null;
     } catch {
       return null;
     }
   }
   /**
-   * Fallback registry data when network is unavailable
+   * Extract a tarball to a destination directory with security checks.
+   *
+   * This method extracts the tarball while protecting against:
+   * - Zip slip attacks (files extracting outside the target directory)
+   * - Path traversal via ".." in file paths
+   *
+   * The strip: 1 option removes the top-level directory from the tarball,
+   * which is common in GitHub release tarballs (e.g., "package-1.0.0/").
+   *
+   * @param tarballPath - Path to the .tar.gz file
+   * @param destDir - Directory to extract to
    */
-  getFallbackRegistry() {
-    return {
-      version: 1,
-      updated: (/* @__PURE__ */ new Date()).toISOString(),
-      packages: [
-        {
-          name: "@cpm/nextjs-rules",
-          version: "1.0.0",
-          description: "Next.js 14+ App Router conventions and best practices for Claude Code",
-          type: "rules",
-          author: "cpm",
-          downloads: 1250,
-          stars: 89,
-          verified: true,
-          repository: "https://github.com/cpm-ai/nextjs-rules",
-          tarball: "https://github.com/cpm-ai/nextjs-rules/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["nextjs", "react", "typescript", "app-router"]
-        },
-        {
-          name: "@cpm/typescript-strict",
-          version: "1.0.0",
-          description: "TypeScript strict mode best practices and conventions",
-          type: "rules",
-          author: "cpm",
-          downloads: 980,
-          stars: 67,
-          verified: true,
-          repository: "https://github.com/cpm-ai/typescript-strict",
-          tarball: "https://github.com/cpm-ai/typescript-strict/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["typescript", "strict", "types"]
-        },
-        {
-          name: "@cpm/react-patterns",
-          version: "1.0.0",
-          description: "React component patterns and best practices",
-          type: "rules",
-          author: "cpm",
-          downloads: 875,
-          stars: 54,
-          verified: true,
-          repository: "https://github.com/cpm-ai/react-patterns",
-          tarball: "https://github.com/cpm-ai/react-patterns/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["react", "components", "hooks", "patterns"]
-        },
-        {
-          name: "@cpm/code-review",
-          version: "1.0.0",
-          description: "Automated code review skill for Claude Code",
-          type: "skill",
-          author: "cpm",
-          downloads: 2100,
-          stars: 156,
-          verified: true,
-          repository: "https://github.com/cpm-ai/code-review",
-          tarball: "https://github.com/cpm-ai/code-review/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["code-review", "quality", "skill"]
-        },
-        {
-          name: "@cpm/git-commit",
-          version: "1.0.0",
-          description: "Smart commit message generation skill",
-          type: "skill",
-          author: "cpm",
-          downloads: 1800,
-          stars: 112,
-          verified: true,
-          repository: "https://github.com/cpm-ai/git-commit",
-          tarball: "https://github.com/cpm-ai/git-commit/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["git", "commit", "messages", "skill"]
-        },
-        {
-          name: "@cpm/api-design",
-          version: "1.0.0",
-          description: "REST and GraphQL API design conventions",
-          type: "rules",
-          author: "cpm",
-          downloads: 650,
-          stars: 43,
-          verified: true,
-          repository: "https://github.com/cpm-ai/api-design",
-          tarball: "https://github.com/cpm-ai/api-design/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["api", "rest", "graphql", "design"]
-        },
-        {
-          name: "@cpm/testing-patterns",
-          version: "1.0.0",
-          description: "Testing best practices for JavaScript/TypeScript projects",
-          type: "rules",
-          author: "cpm",
-          downloads: 720,
-          stars: 51,
-          verified: true,
-          repository: "https://github.com/cpm-ai/testing-patterns",
-          tarball: "https://github.com/cpm-ai/testing-patterns/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["testing", "jest", "vitest", "patterns"]
-        },
-        {
-          name: "@cpm/refactor",
-          version: "1.0.0",
-          description: "Code refactoring assistant skill",
-          type: "skill",
-          author: "cpm",
-          downloads: 1450,
-          stars: 98,
-          verified: true,
-          repository: "https://github.com/cpm-ai/refactor",
-          tarball: "https://github.com/cpm-ai/refactor/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["refactor", "clean-code", "skill"]
-        },
-        {
-          name: "@cpm/explain",
-          version: "1.0.0",
-          description: "Code explanation and documentation skill",
-          type: "skill",
-          author: "cpm",
-          downloads: 1320,
-          stars: 87,
-          verified: true,
-          repository: "https://github.com/cpm-ai/explain",
-          tarball: "https://github.com/cpm-ai/explain/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["explain", "documentation", "skill"]
-        },
-        {
-          name: "@cpm/github-mcp",
-          version: "1.0.0",
-          description: "GitHub API integration MCP server for Claude Code",
-          type: "mcp",
-          author: "cpm",
-          downloads: 890,
-          stars: 72,
-          verified: true,
-          repository: "https://github.com/cpm-ai/github-mcp",
-          tarball: "https://github.com/cpm-ai/github-mcp/releases/download/v1.0.0/package.tar.gz",
-          keywords: ["github", "mcp", "api", "integration"]
+  async extractTarball(tarballPath, destDir) {
+    await fs7.ensureDir(destDir);
+    const resolvedDestDir = path10.resolve(destDir);
+    await tar.extract({
+      file: tarballPath,
+      // The tarball file to extract
+      cwd: destDir,
+      // Extract to this directory
+      strip: 1,
+      // Remove the top-level directory (e.g., "package-1.0.0/")
+      // Security filter: check each entry before extracting
+      filter: (entryPath) => {
+        const resolvedPath = path10.resolve(destDir, entryPath);
+        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path10.sep) || resolvedPath === resolvedDestDir;
+        if (!isWithinDest) {
+          logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
+          return false;
         }
-      ]
-    };
+        return true;
+      }
+    });
   }
 };
-var registry = new Registry();
-
-// src/utils/downloader.ts
-import got2 from "got";
-import fs5 from "fs-extra";
-import path5 from "path";
-import os4 from "os";
-import * as tar from "tar";
-import yaml from "yaml";
 
 // src/utils/embedded-packages.ts
 var EMBEDDED_PACKAGES = {
@@ -1408,64 +1886,207 @@ function getEmbeddedManifest(packageName) {
   return EMBEDDED_PACKAGES[packageName] ?? null;
 }
 
-// src/utils/downloader.ts
-var TEMP_DIR = path5.join(os4.tmpdir(), "cpm-downloads");
-var PACKAGES_BASE_URL = process.env.CPM_PACKAGES_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main";
-var TIMEOUTS = {
-  MANIFEST_FETCH: 5e3,
-  TARBALL_DOWNLOAD: 3e4,
-  API_REQUEST: 1e4
+// src/sources/embedded-source.ts
+var EmbeddedSource = class {
+  /**
+   * Name of this source for logging and debugging.
+   */
+  name = "embedded";
+  /**
+   * Priority 3 - used as a fallback after network sources.
+   * Embedded packages are tried after repository and tarball sources
+   * because they may be older versions.
+   */
+  priority = 3;
+  /**
+   * Check if this source can fetch the given package.
+   *
+   * We can only fetch packages that are bundled into CPM.
+   * This check looks up the package name in the embedded packages map.
+   *
+   * @param pkg - The registry package to check
+   * @returns true if the package is bundled with CPM
+   *
+   * @example
+   * ```typescript
+   * // Bundled package
+   * canFetch({ name: "@cpm/typescript-strict" }) // true (if bundled)
+   *
+   * // Not bundled
+   * canFetch({ name: "@custom/my-package" }) // false
+   * ```
+   */
+  canFetch(pkg) {
+    return getEmbeddedManifest(pkg.name) !== null;
+  }
+  /**
+   * Fetch the manifest from embedded packages.
+   *
+   * This method simply looks up the package in the embedded packages
+   * map and returns the manifest. It's synchronous internally but
+   * returns a Promise to match the interface.
+   *
+   * @param pkg - The registry package to fetch
+   * @param _context - Fetch context (not used by this source)
+   * @returns The embedded manifest, or null if not found
+   *
+   * @example
+   * ```typescript
+   * const manifest = await source.fetch(pkg, context);
+   * if (manifest) {
+   *   console.log("Using bundled manifest for:", manifest.name);
+   * }
+   * ```
+   */
+  async fetch(pkg, _context) {
+    return getEmbeddedManifest(pkg.name);
+  }
 };
-function sanitizeFileName2(fileName) {
-  const sanitized = path5.basename(fileName).replace(/[^a-zA-Z0-9._-]/g, "_");
-  if (!sanitized || sanitized.includes("..") || sanitized.startsWith(".")) {
-    throw new Error(`Invalid file name: ${fileName}`);
+
+// src/sources/registry-source.ts
+var RegistrySource = class {
+  /**
+   * Name of this source for logging and debugging.
+   */
+  name = "registry";
+  /**
+   * Priority 4 - the lowest priority (last resort).
+   * This source generates manifests rather than fetching them,
+   * so it's only used when all other sources fail.
+   */
+  priority = 4;
+  /**
+   * Check if this source can fetch the given package.
+   *
+   * This source always returns true because it generates manifests
+   * from registry data. It doesn't need anything special from the package.
+   *
+   * @param _pkg - The registry package to check (ignored)
+   * @returns Always true - we can always generate a manifest
+   */
+  canFetch(_pkg) {
+    return true;
   }
-  return sanitized;
-}
-function validatePathWithinDir(destPath, allowedDir) {
-  const resolvedDest = path5.resolve(destPath);
-  const resolvedDir = path5.resolve(allowedDir);
-  if (!resolvedDest.startsWith(resolvedDir + path5.sep) && resolvedDest !== resolvedDir) {
-    throw new Error(`Path traversal detected: ${destPath}`);
+  /**
+   * Fetch (generate) the manifest from registry data.
+   *
+   * This method creates a manifest based on:
+   * - The package's registry metadata (name, version, etc.)
+   * - The inferred or explicit package type
+   *
+   * Different manifest structures are created for different types:
+   * - "rules": Creates universal.rules with basic content
+   * - "skill": Creates skill config with slash command
+   * - "mcp": Creates mcp config with npx command
+   *
+   * @param pkg - The registry package to create a manifest for
+   * @param _context - Fetch context (not used by this source)
+   * @returns A generated manifest (never null)
+   */
+  async fetch(pkg, _context) {
+    return this.createManifestFromRegistry(pkg);
   }
-}
-function validatePackagePath(pkgPath) {
-  const normalized = path5.normalize(pkgPath).replace(/\\/g, "/");
-  if (normalized.includes("..") || normalized.startsWith("/")) {
-    throw new Error(`Invalid package path: ${pkgPath}`);
+  /**
+   * Create a manifest from registry package data.
+   *
+   * This method builds a type-appropriate manifest using the
+   * information available in the registry entry. The content
+   * is auto-generated based on the package name and description.
+   *
+   * @param pkg - The registry package to create a manifest from
+   * @returns A complete PackageManifest object
+   */
+  createManifestFromRegistry(pkg) {
+    const packageType = resolvePackageType(pkg);
+    const baseFields = {
+      name: pkg.name,
+      // e.g., "@cpm/typescript-strict"
+      version: pkg.version,
+      // e.g., "1.0.0"
+      description: pkg.description,
+      // e.g., "TypeScript strict mode rules"
+      author: { name: pkg.author },
+      // e.g., { name: "cpm" }
+      repository: pkg.repository,
+      // e.g., "https://github.com/..."
+      keywords: pkg.keywords
+      // e.g., ["typescript", "rules"]
+    };
+    if (packageType === "mcp") {
+      return {
+        ...baseFields,
+        type: "mcp",
+        mcp: {
+          command: "npx",
+          // Default to npx for Node packages
+          args: []
+          // Empty args - user will need to configure
+        }
+      };
+    }
+    if (packageType === "skill") {
+      return {
+        ...baseFields,
+        type: "skill",
+        skill: {
+          // Create slash command from package name
+          // e.g., "@cpm/commit-skill" becomes "/commit-skill"
+          command: `/${pkg.name.replace(/^@[^/]+\//, "")}`,
+          description: pkg.description
+        },
+        universal: {
+          // Auto-generate prompt content from package info
+          prompt: `# ${pkg.name}
+
+${pkg.description}`
+        }
+      };
+    }
+    return {
+      ...baseFields,
+      type: "rules",
+      universal: {
+        // Auto-generate rules content from package info
+        rules: `# ${pkg.name}
+
+${pkg.description}`
+      }
+    };
   }
-  return normalized;
+};
+
+// src/sources/index.ts
+function createDefaultResolver() {
+  return new ManifestResolver([
+    // Priority 1: Try GitHub repository first (fastest, most complete)
+    new RepositorySource(),
+    // Priority 2: Download tarball if repo fails
+    new TarballSource(),
+    // Priority 3: Use bundled packages as fallback
+    new EmbeddedSource(),
+    // Priority 4: Generate from registry data as last resort
+    new RegistrySource()
+  ]);
 }
+var defaultResolver = createDefaultResolver();
+
+// src/utils/downloader.ts
+var TEMP_DIR = path11.join(os3.tmpdir(), "cpm-downloads");
 async function downloadPackage(pkg) {
   try {
-    await fs5.ensureDir(TEMP_DIR);
-    const packageTempDir = path5.join(
+    await fs8.ensureDir(TEMP_DIR);
+    const packageTempDir = path11.join(
       TEMP_DIR,
       `${pkg.name.replace(/[@/]/g, "_")}-${Date.now()}`
     );
-    await fs5.ensureDir(packageTempDir);
-    let manifest = null;
-    if (pkg.path) {
-      manifest = await fetchPackageFromPath(pkg, packageTempDir);
-    }
-    if (!manifest && pkg.repository) {
-      manifest = await fetchManifestFromRepo(pkg.repository);
-    }
-    if (!manifest && pkg.tarball) {
-      manifest = await downloadAndExtractTarball(pkg, packageTempDir);
-    }
-    if (!manifest) {
-      manifest = getEmbeddedManifest(pkg.name);
-    }
-    if (!manifest) {
-      manifest = createManifestFromRegistry(pkg);
-    }
+    await fs8.ensureDir(packageTempDir);
+    const manifest = await defaultResolver.resolve(pkg, {
+      tempDir: packageTempDir
+    });
     return { success: true, manifest, tempDir: packageTempDir };
   } catch (error) {
     return {
       success: false,
-      manifest: {},
       error: error instanceof Error ? error.message : "Download failed"
     };
   }
@@ -1473,180 +2094,35 @@ async function downloadPackage(pkg) {
 async function cleanupTempDir(tempDir) {
   try {
     if (tempDir.startsWith(TEMP_DIR)) {
-      await fs5.remove(tempDir);
-    }
-  } catch {
-  }
-}
-async function fetchManifestFromRepo(repoUrl) {
-  try {
-    const match = repoUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-    if (!match) return null;
-    const [, owner, repo] = match;
-    const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/cpm.yaml`;
-    const response = await got2(rawUrl, {
-      timeout: { request: TIMEOUTS.MANIFEST_FETCH }
-    });
-    return yaml.parse(response.body);
-  } catch {
-    return null;
-  }
-}
-async function downloadAndExtractTarball(pkg, tempDir) {
-  if (!pkg.tarball) return null;
-  try {
-    const parsedUrl = new URL(pkg.tarball);
-    if (parsedUrl.protocol !== "https:") {
-      throw new Error("Only HTTPS URLs are allowed for downloads");
-    }
-    const response = await got2(pkg.tarball, {
-      timeout: { request: TIMEOUTS.TARBALL_DOWNLOAD },
-      followRedirect: true,
-      responseType: "buffer"
-    });
-    const tarballPath = path5.join(tempDir, "package.tar.gz");
-    await fs5.writeFile(tarballPath, response.body);
-    await extractTarball(tarballPath, tempDir);
-    const manifestPath = path5.join(tempDir, "cpm.yaml");
-    if (await fs5.pathExists(manifestPath)) {
-      const content = await fs5.readFile(manifestPath, "utf-8");
-      return yaml.parse(content);
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-async function extractTarball(tarballPath, destDir) {
-  await fs5.ensureDir(destDir);
-  const resolvedDestDir = path5.resolve(destDir);
-  await tar.extract({
-    file: tarballPath,
-    cwd: destDir,
-    strip: 1,
-    filter: (entryPath) => {
-      const resolvedPath = path5.resolve(destDir, entryPath);
-      const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path5.sep) || resolvedPath === resolvedDestDir;
-      if (!isWithinDest) {
-        logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
-        return false;
-      }
-      return true;
-    }
-  });
-}
-async function fetchPackageFromPath(pkg, tempDir) {
-  if (!pkg.path) return null;
-  try {
-    const safePath = validatePackagePath(pkg.path);
-    const githubInfo = parseGitHubInfo(PACKAGES_BASE_URL);
-    if (!githubInfo) {
-      return fetchSingleFileFromPath(pkg);
-    }
-    const apiUrl = `https://api.github.com/repos/${githubInfo.owner}/${githubInfo.repo}/contents/${safePath}`;
-    const response = await got2(apiUrl, {
-      timeout: { request: TIMEOUTS.API_REQUEST },
-      headers: {
-        Accept: "application/vnd.github.v3+json",
-        "User-Agent": "cpm-cli"
-      },
-      responseType: "json"
-    });
-    const files = response.body;
-    let mainContent = "";
-    const pkgType = resolvePackageType(pkg);
-    const contentFile = getContentFileName(pkgType);
-    for (const file of files) {
-      if (file.type === "file" && file.download_url) {
-        const safeFileName = sanitizeFileName2(file.name);
-        const destPath = path5.join(tempDir, safeFileName);
-        validatePathWithinDir(destPath, tempDir);
-        const fileResponse = await got2(file.download_url, {
-          timeout: { request: TIMEOUTS.API_REQUEST }
-        });
-        await fs5.writeFile(destPath, fileResponse.body, "utf-8");
-        if (file.name === contentFile) {
-          mainContent = fileResponse.body;
-        }
-      }
+      await fs8.remove(tempDir);
     }
-    return createManifestWithContent(pkg, mainContent);
-  } catch {
-    return fetchSingleFileFromPath(pkg);
-  }
-}
-async function fetchSingleFileFromPath(pkg) {
-  if (!pkg.path) return null;
-  try {
-    const safePath = validatePackagePath(pkg.path);
-    const pkgType = resolvePackageType(pkg);
-    const contentFile = getContentFileName(pkgType);
-    const contentUrl = `${PACKAGES_BASE_URL}/${safePath}/${contentFile}`;
-    const response = await got2(contentUrl, {
-      timeout: { request: TIMEOUTS.API_REQUEST }
-    });
-    return createManifestWithContent(pkg, response.body);
   } catch {
-    return null;
   }
 }
-function getContentFileName(type) {
-  const fileNames = {
-    skill: "SKILL.md",
-    rules: "RULES.md",
-    mcp: "MCP.md",
-    agent: "AGENT.md",
-    hook: "HOOK.md",
-    workflow: "WORKFLOW.md",
-    template: "TEMPLATE.md",
-    bundle: "BUNDLE.md"
-  };
-  return fileNames[type] || "README.md";
-}
-function parseGitHubInfo(baseUrl) {
-  const match = baseUrl.match(/github(?:usercontent)?\.com\/([^/]+)\/([^/]+)/);
-  if (!match) return null;
-  return { owner: match[1], repo: match[2] };
-}
-function createManifestWithContent(pkg, content) {
-  const pkgType = resolvePackageType(pkg);
-  return {
-    name: pkg.name,
-    version: pkg.version,
-    description: pkg.description,
-    type: pkgType,
-    author: { name: pkg.author },
-    keywords: pkg.keywords,
-    universal: {
-      rules: content,
-      prompt: content
-    },
-    skill: pkgType === "skill" ? {
-      command: `/${pkg.name.split("/").pop()}`,
-      description: pkg.description
-    } : void 0
-  };
-}
-function createManifestFromRegistry(pkg) {
-  return {
-    name: pkg.name,
-    version: pkg.version,
-    description: pkg.description,
-    type: resolvePackageType(pkg),
-    author: { name: pkg.author },
-    repository: pkg.repository,
-    keywords: pkg.keywords,
-    universal: {
-      rules: `# ${pkg.name}
 
-${pkg.description}`
-    }
-  };
+// src/validation/package-name.ts
+var PACKAGE_NAME_REGEX = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
+var PATH_TRAVERSAL_PATTERNS = [
+  "..",
+  // Parent directory
+  "\\",
+  // Windows path separator
+  "%2e",
+  // URL-encoded "." (lowercase)
+  "%2E",
+  // URL-encoded "." (uppercase)
+  "%5c",
+  // URL-encoded "\" (lowercase)
+  "%5C",
+  // URL-encoded "\" (uppercase)
+  "%2f",
+  // URL-encoded "/" (lowercase)
+  "%2F"
+  // URL-encoded "/" (uppercase)
+];
+function hasPathTraversal(value) {
+  return PATH_TRAVERSAL_PATTERNS.some((pattern) => value.includes(pattern));
 }
-
-// src/commands/install.ts
-var VALID_PLATFORMS = ["claude-code"];
-var MAX_PACKAGE_NAME_LENGTH = 214;
 function validatePackageName(name) {
   if (!name || typeof name !== "string") {
     return { valid: false, error: "Package name cannot be empty" };
@@ -1656,163 +2132,382 @@ function validatePackageName(name) {
     decoded = decodeURIComponent(name);
   } catch {
   }
-  if (decoded.length > MAX_PACKAGE_NAME_LENGTH) {
-    return { valid: false, error: `Package name too long (max ${MAX_PACKAGE_NAME_LENGTH} characters)` };
+  if (decoded.length > LIMITS.MAX_PACKAGE_NAME_LENGTH) {
+    return {
+      valid: false,
+      error: `Package name too long (max ${LIMITS.MAX_PACKAGE_NAME_LENGTH} characters)`
+    };
   }
   if (decoded.includes("\0")) {
     return { valid: false, error: "Invalid characters in package name" };
   }
-  const hasPathTraversal = decoded.includes("..") || decoded.includes("\\") || decoded.includes("%2e") || decoded.includes("%2E") || decoded.includes("%5c") || decoded.includes("%5C") || decoded.includes("%2f") || decoded.includes("%2F");
-  if (hasPathTraversal) {
+  if (hasPathTraversal(decoded)) {
     return { valid: false, error: "Invalid characters in package name" };
   }
-  const packageNameRegex = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
-  if (!packageNameRegex.test(name.toLowerCase())) {
+  if (!PACKAGE_NAME_REGEX.test(name.toLowerCase())) {
     return { valid: false, error: "Invalid package name format" };
   }
   return { valid: true };
 }
-function isValidPlatform(platform) {
-  return VALID_PLATFORMS.includes(platform);
-}
 function normalizePackageName(name) {
   if (name.startsWith("@")) {
     return name;
   }
   return `@cpm/${name}`;
 }
-async function resolveTargetPlatforms(options) {
-  if (options.platform && options.platform !== "all") {
-    if (!isValidPlatform(options.platform)) {
-      return null;
-    }
-    return [options.platform];
-  }
-  let platforms = await getDetectedPlatforms();
-  if (platforms.length === 0) {
-    platforms = ["claude-code"];
+
+// src/commands/ui/colors.ts
+import chalk from "chalk";
+var TYPE_COLORS = {
+  rules: chalk.yellow,
+  // Yellow - like warning/guidelines
+  skill: chalk.blue,
+  // Blue - quick actions
+  mcp: chalk.magenta,
+  // Magenta - special/protocol
+  agent: chalk.green,
+  // Green - AI/active
+  hook: chalk.cyan,
+  // Cyan - lifecycle
+  workflow: chalk.red,
+  // Red - processes
+  template: chalk.white,
+  // White - neutral/base
+  bundle: chalk.gray
+  // Gray - collection
+};
+function getTypeColor(type) {
+  return TYPE_COLORS[type] ?? chalk.white;
+}
+var TYPE_EMOJIS = {
+  rules: "\u{1F4DC}",
+  // Scroll - coding rules/guidelines
+  skill: "\u26A1",
+  // Lightning - quick commands
+  mcp: "\u{1F50C}",
+  // Plug - server connections
+  agent: "\u{1F916}",
+  // Robot - AI agents
+  hook: "\u{1FA9D}",
+  // Hook - lifecycle events
+  workflow: "\u{1F4CB}",
+  // Clipboard - workflows
+  template: "\u{1F4C1}",
+  // Folder - project templates
+  bundle: "\u{1F4E6}"
+  // Package - bundles
+};
+function getTypeEmoji(type) {
+  return TYPE_EMOJIS[type] ?? "\u{1F4E6}";
+}
+var SEMANTIC_COLORS = {
+  /** Success messages and indicators */
+  success: chalk.green,
+  /** Error messages */
+  error: chalk.red,
+  /** Warning messages */
+  warning: chalk.yellow,
+  /** Informational messages */
+  info: chalk.cyan,
+  /** Dimmed/secondary text */
+  dim: chalk.dim,
+  /** Bold emphasis */
+  bold: chalk.bold,
+  /** Package names and commands */
+  highlight: chalk.cyan,
+  /** Version numbers */
+  version: chalk.dim
+};
+
+// src/commands/ui/formatters.ts
+import chalk2 from "chalk";
+import path12 from "path";
+function formatNumber(num) {
+  if (num >= 1e6) {
+    return `${(num / 1e6).toFixed(1)}M`;
   }
-  platforms = platforms.filter((p) => p === "claude-code");
-  if (platforms.length === 0) {
-    platforms = ["claude-code"];
+  if (num >= 1e3) {
+    return `${(num / 1e3).toFixed(1)}k`;
   }
-  return platforms;
+  return num.toString();
 }
-async function installToPlatforms(manifest, tempDir, platforms) {
-  return Promise.all(
-    platforms.map(async (platform) => {
-      const adapter = getAdapter(platform);
-      return adapter.install(manifest, process.cwd(), tempDir);
-    })
-  );
+function formatPath(filePath) {
+  const relativePath = path12.relative(process.cwd(), filePath);
+  if (relativePath.startsWith("..")) {
+    return filePath;
+  }
+  return relativePath;
 }
-function displaySuccessMessage(manifest, successfulResults) {
-  logger.log(chalk.dim(`
-  ${manifest.description}`));
-  logger.log(chalk.dim("\n  Files created:"));
-  for (const result of successfulResults) {
-    for (const file of result.filesWritten) {
-      logger.log(chalk.dim(`    + ${path6.relative(process.cwd(), file)}`));
-    }
+function formatPackageHeader(pkg) {
+  const pkgType = resolvePackageType(pkg);
+  const emoji = getTypeEmoji(pkgType);
+  const badges = [];
+  if (pkg.verified) {
+    badges.push(chalk2.green("\u2713 verified"));
   }
-  logger.newline();
-  displayUsageHints(manifest);
+  const badgeStr = badges.length > 0 ? ` ${badges.join(" ")}` : "";
+  return `${emoji} ${chalk2.bold.white(pkg.name)} ${chalk2.dim(`v${pkg.version}`)}${badgeStr}`;
+}
+function formatPackageMetadata(pkg) {
+  const pkgType = resolvePackageType(pkg);
+  const typeColor = getTypeColor(pkgType);
+  const parts = [
+    typeColor(pkgType),
+    chalk2.dim(`\u2193 ${formatNumber(pkg.downloads ?? 0)}`),
+    pkg.stars !== void 0 ? chalk2.dim(`\u2605 ${pkg.stars}`) : null,
+    chalk2.dim(`@${pkg.author}`)
+  ].filter(Boolean);
+  return parts.join(chalk2.dim(" \xB7 "));
+}
+function formatPackageEntry(pkg) {
+  return [
+    formatPackageHeader(pkg),
+    `   ${chalk2.dim(pkg.description)}`,
+    `   ${formatPackageMetadata(pkg)}`
+  ];
+}
+function formatCreatedFiles(files) {
+  return files.map((file) => chalk2.dim(`    + ${formatPath(file)}`));
+}
+function formatRemovedFiles(files) {
+  return files.map((file) => chalk2.dim(`  - ${file}`));
 }
-function displayUsageHints(manifest) {
+function formatUsageHints(manifest) {
+  const hints = [];
   switch (manifest.type) {
     case "skill":
-      if (manifest.skill?.command) {
-        logger.log(
-          `  ${chalk.cyan("Usage:")} Type ${chalk.yellow(manifest.skill.command)} in Claude Code`
+      if ("skill" in manifest && manifest.skill?.command) {
+        hints.push(
+          `  ${SEMANTIC_COLORS.info("Usage:")} Type ${chalk2.yellow(manifest.skill.command)} in your editor`
         );
       }
       break;
     case "rules":
-      logger.log(
-        `  ${chalk.cyan("Usage:")} Rules are automatically applied to matching files`
+      hints.push(
+        `  ${SEMANTIC_COLORS.info("Usage:")} Rules are automatically applied to matching files`
       );
       break;
     case "mcp":
-      logger.log(
-        `  ${chalk.cyan("Usage:")} MCP server configured. Restart Claude Code to activate.`
+      hints.push(
+        `  ${SEMANTIC_COLORS.info("Usage:")} MCP server configured. Restart your editor to activate.`
       );
-      if (manifest.mcp?.env) {
+      if ("mcp" in manifest && manifest.mcp?.env) {
         const envVars = Object.keys(manifest.mcp.env);
         if (envVars.length > 0) {
-          logger.log(chalk.yellow(`
-  Required environment variables:`));
+          hints.push(
+            chalk2.yellow(
+              `
+  Configure these environment variables in ~/.claude.json:`
+            )
+          );
           for (const envVar of envVars) {
-            logger.log(chalk.dim(`    - ${envVar}`));
+            hints.push(chalk2.dim(`    - ${envVar}`));
           }
         }
       }
       break;
   }
+  return hints;
+}
+function formatSeparator(width = 50) {
+  return chalk2.dim("\u2500".repeat(width));
+}
+
+// src/commands/ui/spinner.ts
+import ora from "ora";
+import chalk3 from "chalk";
+var ActiveSpinner = class {
+  constructor(spinner) {
+    this.spinner = spinner;
+  }
+  update(text) {
+    this.spinner.text = text;
+  }
+  succeed(text) {
+    this.spinner.succeed(text);
+  }
+  fail(text) {
+    this.spinner.fail(text);
+  }
+  warn(text) {
+    this.spinner.warn(text);
+  }
+  stop() {
+    this.spinner.stop();
+  }
+};
+var QuietSpinner = class {
+  update(_text) {
+  }
+  succeed(text) {
+    logger.success(text.replace(chalk3.green(""), "").trim());
+  }
+  fail(text) {
+    logger.error(text.replace(chalk3.red(""), "").trim());
+  }
+  warn(text) {
+    logger.warn(text.replace(chalk3.yellow(""), "").trim());
+  }
+  stop() {
+  }
+};
+function createSpinner(initialText) {
+  if (logger.isQuiet()) {
+    return new QuietSpinner();
+  }
+  const spinner = ora(initialText).start();
+  return new ActiveSpinner(spinner);
+}
+function spinnerText(action, packageName) {
+  return `${action} ${chalk3.cyan(packageName)}...`;
+}
+function successText(action, packageName, version) {
+  const versionStr = version ? `@${chalk3.dim(version)}` : "";
+  return `${action} ${chalk3.green(packageName)}${versionStr}`;
+}
+function failText(action, packageName, error) {
+  const errorStr = error ? `: ${error}` : "";
+  return `${action} ${chalk3.red(packageName)}${errorStr}`;
+}
+
+// src/commands/types.ts
+function parseInstallOptions(raw) {
+  if (raw.platform && raw.platform !== "all") {
+    if (!isValidPlatform(raw.platform)) {
+      return null;
+    }
+    return {
+      platform: raw.platform,
+      version: raw.version
+    };
+  }
+  return {
+    platform: "claude-code",
+    version: raw.version
+  };
+}
+var SEARCH_DEFAULTS = {
+  limit: 10,
+  minLimit: 1,
+  maxLimit: 100
+};
+function parseSearchOptions(query, raw) {
+  const parsedLimit = parseInt(raw.limit || "", 10);
+  const limit = Number.isNaN(parsedLimit) ? SEARCH_DEFAULTS.limit : Math.max(
+    SEARCH_DEFAULTS.minLimit,
+    Math.min(parsedLimit, SEARCH_DEFAULTS.maxLimit)
+  );
+  const options = {
+    query,
+    limit
+  };
+  if (raw.type && isPackageType(raw.type)) {
+    options.type = raw.type;
+  }
+  if (raw.sort && isSearchSort(raw.sort)) {
+    options.sort = raw.sort;
+  }
+  return options;
+}
+
+// src/commands/install.ts
+async function installToPlatforms(manifest, tempDir, platforms) {
+  return Promise.all(
+    platforms.map(async (platform) => {
+      const adapter = getAdapter(platform);
+      return adapter.install(manifest, process.cwd(), tempDir);
+    })
+  );
 }
-function displayWarnings(failedResults) {
-  if (failedResults.length === 0) return;
-  logger.log(chalk.yellow("\n  Warnings:"));
-  for (const result of failedResults) {
-    logger.log(chalk.yellow(`    - ${result.platform}: ${result.error}`));
+function partitionResults(results) {
+  const successful = results.filter((r) => r.success);
+  const failed = results.filter((r) => !r.success);
+  return [successful, failed];
+}
+function displaySuccess(manifest, results) {
+  logger.log(SEMANTIC_COLORS.dim(`
+  ${manifest.description}`));
+  logger.log(SEMANTIC_COLORS.dim("\n  Files created:"));
+  const allFiles = results.flatMap((r) => r.filesWritten);
+  const formattedFiles = formatCreatedFiles(allFiles);
+  formattedFiles.forEach((line) => logger.log(line));
+  logger.newline();
+  const hints = formatUsageHints(manifest);
+  hints.forEach((line) => logger.log(line));
+}
+function displayWarnings(results) {
+  if (results.length === 0) return;
+  logger.log(SEMANTIC_COLORS.warning("\n  Warnings:"));
+  for (const result of results) {
+    logger.log(
+      SEMANTIC_COLORS.warning(`    - ${result.platform}: ${result.error}`)
+    );
   }
 }
-async function installCommand(packageName, options) {
+function displayNotFound(packageName) {
+  logger.log(SEMANTIC_COLORS.dim("\nTry searching for packages:"));
+  logger.log(
+    SEMANTIC_COLORS.dim(`  cpm search ${packageName.replace(/^@[^/]+\//, "")}`)
+  );
+}
+function displayInvalidPlatform() {
+  logger.log(
+    SEMANTIC_COLORS.dim(`Valid platforms: ${VALID_PLATFORMS.join(", ")}`)
+  );
+}
+async function installCommand(packageName, rawOptions) {
   const validation = validatePackageName(packageName);
   if (!validation.valid) {
     logger.error(`Invalid package name: ${validation.error}`);
     return;
   }
-  const spinner = logger.isQuiet() ? null : ora(`Installing ${chalk.cyan(packageName)}...`).start();
+  const options = parseInstallOptions(rawOptions);
+  if (!options) {
+    logger.error(`Invalid platform: ${rawOptions.platform}`);
+    displayInvalidPlatform();
+    return;
+  }
+  const spinner = createSpinner(spinnerText("Installing", packageName));
   let tempDir;
   try {
     const normalizedName = normalizePackageName(packageName);
-    if (spinner) spinner.text = `Searching for ${chalk.cyan(normalizedName)}...`;
+    spinner.update(spinnerText("Searching for", normalizedName));
     const pkg = await registry.getPackage(normalizedName);
     if (!pkg) {
-      if (spinner) spinner.fail(`Package ${chalk.red(normalizedName)} not found`);
-      else logger.error(`Package ${normalizedName} not found`);
-      logger.log(chalk.dim("\nTry searching for packages:"));
-      logger.log(chalk.dim(`  cpm search ${packageName.replace(/^@[^/]+\//, "")}`));
+      spinner.fail(failText("Package not found", normalizedName));
+      displayNotFound(packageName);
       return;
     }
-    if (spinner) spinner.text = `Downloading ${chalk.cyan(pkg.name)}@${pkg.version}...`;
+    spinner.update(spinnerText("Downloading", `${pkg.name}@${pkg.version}`));
     const downloadResult = await downloadPackage(pkg);
     if (!downloadResult.success) {
-      if (spinner) spinner.fail(`Failed to download ${pkg.name}: ${downloadResult.error}`);
-      else logger.error(`Failed to download ${pkg.name}: ${downloadResult.error}`);
+      spinner.fail(
+        failText("Failed to download", pkg.name, downloadResult.error)
+      );
       return;
     }
+    const manifest = downloadResult.manifest;
     tempDir = downloadResult.tempDir;
-    const targetPlatforms = await resolveTargetPlatforms(options);
-    if (!targetPlatforms) {
-      if (spinner) spinner.fail(`Invalid platform: ${options.platform}`);
-      else logger.error(`Invalid platform: ${options.platform}`);
-      logger.log(chalk.dim(`Valid platforms: ${VALID_PLATFORMS.join(", ")}`));
-      return;
-    }
-    if (spinner) spinner.text = `Installing to ${targetPlatforms.join(", ")}...`;
+    const targetPlatforms = [options.platform];
+    spinner.update(`Installing to ${targetPlatforms.join(", ")}...`);
     await ensureClaudeDirs();
     const results = await installToPlatforms(
-      downloadResult.manifest,
+      manifest,
       tempDir,
       targetPlatforms
     );
-    const successful = results.filter((r) => r.success);
-    const failed = results.filter((r) => !r.success);
+    const [successful, failed] = partitionResults(results);
     if (successful.length > 0) {
-      if (spinner) {
-        spinner.succeed(
-          `Installed ${chalk.green(downloadResult.manifest.name)}@${chalk.dim(downloadResult.manifest.version)}`
-        );
-      } else {
-        logger.success(`Installed ${downloadResult.manifest.name}@${downloadResult.manifest.version}`);
-      }
-      displaySuccessMessage(downloadResult.manifest, successful);
+      spinner.succeed(
+        successText("Installed", manifest.name, manifest.version)
+      );
+      displaySuccess(manifest, successful);
+    } else {
+      spinner.fail(failText("Failed to install", manifest.name));
     }
     displayWarnings(failed);
   } catch (error) {
-    if (spinner) spinner.fail(`Failed to install ${packageName}`);
-    else logger.error(`Failed to install ${packageName}`);
+    spinner.fail(failText("Failed to install", packageName));
     if (error instanceof Error) {
       logger.error(error.message);
     }
@@ -1824,309 +2519,205 @@ async function installCommand(packageName, options) {
 }
 
 // src/commands/search.ts
-import chalk2 from "chalk";
-import ora2 from "ora";
-var typeColors = {
-  rules: chalk2.yellow,
-  skill: chalk2.blue,
-  mcp: chalk2.magenta,
-  agent: chalk2.green,
-  hook: chalk2.cyan,
-  workflow: chalk2.red,
-  template: chalk2.white,
-  bundle: chalk2.gray
-};
-var typeEmoji = {
-  rules: "\u{1F4DC}",
-  skill: "\u26A1",
-  mcp: "\u{1F50C}",
-  agent: "\u{1F916}",
-  hook: "\u{1FA9D}",
-  workflow: "\u{1F4CB}",
-  template: "\u{1F4C1}",
-  bundle: "\u{1F4E6}"
-};
-async function searchCommand(query, options) {
-  const spinner = logger.isQuiet() ? null : ora2(`Searching for "${query}"...`).start();
-  const parsedLimit = parseInt(options.limit || "10", 10);
-  const limit = Number.isNaN(parsedLimit) ? 10 : Math.max(1, Math.min(parsedLimit, 100));
+function displayResults(packages, total) {
+  logger.log(SEMANTIC_COLORS.dim(`
+Found ${total} package(s)
+`));
+  for (const pkg of packages) {
+    const lines = formatPackageEntry(pkg);
+    lines.forEach((line) => logger.log(line));
+    logger.newline();
+  }
+  logger.log(formatSeparator());
+  logger.log(
+    SEMANTIC_COLORS.dim(
+      `Install with: ${SEMANTIC_COLORS.highlight("cpm install <package-name>")}`
+    )
+  );
+}
+function displayNoResults(query) {
+  logger.warn(`No packages found for "${query}"`);
+  logger.log(
+    SEMANTIC_COLORS.dim("\nAvailable package types: rules, skill, mcp")
+  );
+  logger.log(SEMANTIC_COLORS.dim("Try: cpm search react --type rules"));
+}
+async function searchCommand(query, rawOptions) {
+  const options = parseSearchOptions(query, rawOptions);
+  const spinner = createSpinner(`Searching for "${query}"...`);
   try {
-    const searchOptions = {
-      query,
-      limit
-    };
-    if (options.type) {
-      searchOptions.type = options.type;
-    }
-    if (options.sort) {
-      searchOptions.sort = options.sort;
-    }
-    const results = await registry.search(searchOptions);
-    if (spinner) spinner.stop();
+    const results = await registry.search({
+      query: options.query,
+      limit: options.limit,
+      type: options.type,
+      sort: options.sort
+    });
+    spinner.stop();
     if (results.packages.length === 0) {
-      logger.warn(`No packages found for "${query}"`);
-      logger.log(chalk2.dim("\nAvailable package types: rules, skill, mcp"));
-      logger.log(chalk2.dim("Try: cpm search react --type rules"));
+      displayNoResults(query);
       return;
     }
-    logger.log(chalk2.dim(`
-Found ${results.total} package(s)
-`));
-    for (const pkg of results.packages) {
-      const pkgType = resolvePackageType(pkg);
-      const typeColor = typeColors[pkgType] || chalk2.white;
-      const emoji = typeEmoji[pkgType] || "\u{1F4E6}";
-      const badges = [];
-      if (pkg.verified) {
-        badges.push(chalk2.green("\u2713 verified"));
-      }
-      logger.log(
-        `${emoji} ${chalk2.bold.white(pkg.name)} ${chalk2.dim(`v${pkg.version}`)}` + (badges.length > 0 ? ` ${badges.join(" ")}` : "")
-      );
-      logger.log(`   ${chalk2.dim(pkg.description)}`);
-      const meta = [
-        typeColor(pkgType),
-        chalk2.dim(`\u2193 ${formatNumber(pkg.downloads ?? 0)}`),
-        pkg.stars !== void 0 ? chalk2.dim(`\u2605 ${pkg.stars}`) : null,
-        chalk2.dim(`@${pkg.author}`)
-      ].filter(Boolean);
-      logger.log(`   ${meta.join(chalk2.dim(" \xB7 "))}`);
-      logger.newline();
-    }
-    logger.log(chalk2.dim("\u2500".repeat(50)));
-    logger.log(chalk2.dim(`Install with: ${chalk2.cyan("cpm install <package-name>")}`));
+    displayResults(results.packages, results.total);
   } catch (error) {
-    if (spinner) spinner.fail("Search failed");
-    else logger.error("Search failed");
+    spinner.fail("Search failed");
     logger.error(error instanceof Error ? error.message : "Unknown error");
   }
 }
-function formatNumber(num) {
-  if (num >= 1e3) {
-    return `${(num / 1e3).toFixed(1)}k`;
-  }
-  return num.toString();
-}
 
 // src/commands/list.ts
-import chalk3 from "chalk";
-import fs6 from "fs-extra";
-import path7 from "path";
-import os5 from "os";
-var typeColors2 = {
-  rules: chalk3.yellow,
-  skill: chalk3.blue,
-  mcp: chalk3.magenta
-};
+import chalk4 from "chalk";
+import fs9 from "fs-extra";
+import path13 from "path";
+import os4 from "os";
 async function readPackageMetadata(packageDir) {
-  const metadataPath = path7.join(packageDir, ".cpm.json");
+  const metadataPath = path13.join(packageDir, ".cpm.json");
   try {
-    if (await fs6.pathExists(metadataPath)) {
-      return await fs6.readJson(metadataPath);
+    if (await fs9.pathExists(metadataPath)) {
+      return await fs9.readJson(metadataPath);
     }
   } catch {
   }
   return null;
 }
-async function scanInstalledPackages() {
+async function scanDirectory(dir, type) {
   const items = [];
-  const claudeHome = path7.join(os5.homedir(), ".claude");
-  const rulesDir = path7.join(claudeHome, "rules");
-  if (await fs6.pathExists(rulesDir)) {
-    const entries = await fs6.readdir(rulesDir);
-    for (const entry of entries) {
-      const entryPath = path7.join(rulesDir, entry);
-      const stat = await fs6.stat(entryPath);
-      if (stat.isDirectory()) {
-        const metadata = await readPackageMetadata(entryPath);
-        items.push({
-          name: metadata?.name || entry,
-          folderName: entry,
-          type: "rules",
-          version: metadata?.version,
-          path: entryPath
-        });
-      }
+  if (!await fs9.pathExists(dir)) {
+    return items;
+  }
+  const entries = await fs9.readdir(dir);
+  for (const entry of entries) {
+    const entryPath = path13.join(dir, entry);
+    const stat = await fs9.stat(entryPath);
+    if (stat.isDirectory()) {
+      const metadata = await readPackageMetadata(entryPath);
+      items.push({
+        name: metadata?.name || entry,
+        folderName: entry,
+        type,
+        version: metadata?.version,
+        path: entryPath
+      });
     }
   }
-  const skillsDir = path7.join(claudeHome, "skills");
-  if (await fs6.pathExists(skillsDir)) {
-    const dirs = await fs6.readdir(skillsDir);
-    for (const dir of dirs) {
-      const skillPath = path7.join(skillsDir, dir);
-      const stat = await fs6.stat(skillPath);
-      if (stat.isDirectory()) {
-        const metadata = await readPackageMetadata(skillPath);
-        items.push({
-          name: metadata?.name || dir,
-          folderName: dir,
-          type: "skill",
-          version: metadata?.version,
-          path: skillPath
-        });
-      }
-    }
+  return items;
+}
+async function scanMcpServers() {
+  const items = [];
+  const configPath = path13.join(os4.homedir(), ".claude.json");
+  if (!await fs9.pathExists(configPath)) {
+    return items;
   }
-  const mcpConfigPath = path7.join(os5.homedir(), ".claude.json");
-  if (await fs6.pathExists(mcpConfigPath)) {
-    try {
-      const config = await fs6.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers || {};
-      for (const name of Object.keys(mcpServers)) {
-        items.push({
-          name,
-          folderName: name,
-          type: "mcp",
-          path: mcpConfigPath
-        });
-      }
-    } catch {
+  try {
+    const config = await fs9.readJson(configPath);
+    const mcpServers = config.mcpServers || {};
+    for (const name of Object.keys(mcpServers)) {
+      items.push({
+        name,
+        folderName: name,
+        type: "mcp",
+        path: configPath
+      });
     }
+  } catch {
   }
   return items;
 }
+async function scanInstalledPackages() {
+  const claudeHome = path13.join(os4.homedir(), ".claude");
+  const [rules, skills, mcp] = await Promise.all([
+    scanDirectory(path13.join(claudeHome, "rules"), "rules"),
+    scanDirectory(path13.join(claudeHome, "skills"), "skill"),
+    scanMcpServers()
+  ]);
+  return [...rules, ...skills, ...mcp];
+}
+function groupByType(packages) {
+  return packages.reduce(
+    (acc, pkg) => ({
+      ...acc,
+      [pkg.type]: [...acc[pkg.type] || [], pkg]
+    }),
+    {}
+  );
+}
+function displayPackage(pkg) {
+  const version = pkg.version ? SEMANTIC_COLORS.dim(` v${pkg.version}`) : "";
+  logger.log(
+    `    ${SEMANTIC_COLORS.success("\u25C9")} ${chalk4.bold(pkg.name)}${version}`
+  );
+}
+function displayByType(byType) {
+  for (const [type, items] of Object.entries(byType)) {
+    const typeColor = getTypeColor(type);
+    logger.log(typeColor(`  ${type.toUpperCase()}`));
+    for (const item of items) {
+      displayPackage(item);
+    }
+    logger.newline();
+  }
+}
+function displayEmpty() {
+  logger.warn("No packages installed");
+  logger.log(
+    SEMANTIC_COLORS.dim(
+      `
+Run ${SEMANTIC_COLORS.highlight("cpm install <package>")} to install a package`
+    )
+  );
+}
+function displayFooter() {
+  logger.log(
+    SEMANTIC_COLORS.dim("Run cpm uninstall <package-name> to remove a package")
+  );
+  logger.log(SEMANTIC_COLORS.dim("  e.g., cpm uninstall backend-patterns"));
+}
 async function listCommand() {
   try {
     const packages = await scanInstalledPackages();
     if (packages.length === 0) {
-      logger.warn("No packages installed");
-      logger.log(chalk3.dim(`
-Run ${chalk3.cyan("cpm install <package>")} to install a package`));
+      displayEmpty();
       return;
     }
-    logger.log(chalk3.bold(`
+    logger.log(chalk4.bold(`
 Installed packages (${packages.length}):
 `));
-    const byType = packages.reduce((acc, pkg) => ({
-      ...acc,
-      [pkg.type]: [...acc[pkg.type] || [], pkg]
-    }), {});
-    for (const [type, items] of Object.entries(byType)) {
-      const typeColor = typeColors2[type] || chalk3.white;
-      logger.log(typeColor(`  ${type.toUpperCase()}`));
-      for (const item of items) {
-        const version = item.version ? chalk3.dim(` v${item.version}`) : "";
-        logger.log(`    ${chalk3.green("\u25C9")} ${chalk3.bold(item.name)}${version}`);
-      }
-      logger.newline();
-    }
-    logger.log(chalk3.dim("Run cpm uninstall <package-name> to remove a package"));
-    logger.log(chalk3.dim("  e.g., cpm uninstall backend-patterns"));
+    const byType = groupByType(packages);
+    displayByType(byType);
+    displayFooter();
   } catch (error) {
     logger.error("Failed to list packages");
     logger.error(error instanceof Error ? error.message : "Unknown error");
   }
 }
 
-// src/commands/init.ts
-import chalk4 from "chalk";
-import fs7 from "fs-extra";
-import path8 from "path";
-var TEMPLATE = `# Package manifest for cpm
-# https://cpm-ai.dev/docs/packages
-
-name: my-package
-version: 0.1.0
-description: A brief description of your package
-type: rules  # rules | skill | mcp | agent | hook | workflow | template | bundle
-
-author:
-  name: Your Name
-  email: you@example.com
-  url: https://github.com/yourusername
-
-repository: https://github.com/yourusername/my-package
-license: MIT
-
-keywords:
-  - keyword1
-  - keyword2
-
-# Universal content (works on all platforms)
-universal:
-  # File patterns this applies to
-  globs:
-    - "**/*.ts"
-    - "**/*.tsx"
-
-  # Rules/instructions (markdown)
-  rules: |
-    You are an expert developer.
-
-    ## Guidelines
-
-    - Follow best practices
-    - Write clean, maintainable code
-    - Include proper error handling
-
-# Platform-specific configurations (optional)
-# platforms:
-#   cursor:
-#     settings:
-#       alwaysApply: true
-#   claude-code:
-#     skill:
-#       command: /my-command
-#       description: What this skill does
-
-# MCP server configuration (if type: mcp)
-# mcp:
-#   command: npx
-#   args: ["your-mcp-server"]
-#   env:
-#     API_KEY: "\${API_KEY}"
-`;
-async function initCommand(_options) {
-  const manifestPath = path8.join(process.cwd(), "cpm.yaml");
-  if (await fs7.pathExists(manifestPath)) {
-    logger.warn("cpm.yaml already exists in this directory");
-    return;
-  }
-  try {
-    await fs7.writeFile(manifestPath, TEMPLATE, "utf-8");
-    logger.success("Created cpm.yaml");
-    logger.newline();
-    logger.log("Next steps:");
-    logger.log(chalk4.dim("  1. Edit cpm.yaml to configure your package"));
-    logger.log(chalk4.dim("  2. Run cpm publish to publish to the registry"));
-    logger.newline();
-    logger.log(
-      chalk4.dim(
-        `Learn more: ${chalk4.cyan("https://cpm-ai.dev/docs/publishing")}`
-      )
-    );
-  } catch (error) {
-    logger.error("Failed to create cpm.yaml");
-    logger.error(error instanceof Error ? error.message : "Unknown error");
+// src/commands/uninstall.ts
+function extractFolderName(packageName) {
+  if (packageName.includes("/")) {
+    return packageName.split("/").pop() || packageName;
   }
+  return packageName.replace(/^@/, "");
+}
+function displayRemovedFiles(files) {
+  logger.log(SEMANTIC_COLORS.dim("\nFiles removed:"));
+  const formatted = formatRemovedFiles(files);
+  formatted.forEach((line) => logger.log(line));
 }
-
-// src/commands/uninstall.ts
-import chalk5 from "chalk";
-import ora3 from "ora";
 async function uninstallCommand(packageName) {
-  const spinner = logger.isQuiet() ? null : ora3(`Uninstalling ${chalk5.cyan(packageName)}...`).start();
+  const spinner = createSpinner(spinnerText("Uninstalling", packageName));
   try {
-    const folderName = packageName.includes("/") ? packageName.split("/").pop() || packageName : packageName.replace(/^@/, "");
+    const folderName = extractFolderName(packageName);
     const adapter = getAdapter("claude-code");
     const result = await adapter.uninstall(folderName, process.cwd());
     if (result.success && result.filesWritten.length > 0) {
-      if (spinner) spinner.succeed(`Uninstalled ${chalk5.green(packageName)}`);
-      else logger.success(`Uninstalled ${packageName}`);
-      logger.log(chalk5.dim("\nFiles removed:"));
-      for (const file of result.filesWritten) {
-        logger.log(chalk5.dim(`  - ${file}`));
-      }
+      spinner.succeed(successText("Uninstalled", packageName));
+      displayRemovedFiles(result.filesWritten);
     } else if (result.success) {
-      if (spinner) spinner.warn(`Package ${packageName} was not found`);
-      else logger.warn(`Package ${packageName} was not found`);
+      spinner.warn(`Package ${packageName} was not found`);
     } else {
-      if (spinner) spinner.fail(`Failed to uninstall: ${result.error}`);
-      else logger.error(`Failed to uninstall: ${result.error}`);
+      spinner.fail(failText("Failed to uninstall", packageName, result.error));
     }
   } catch (error) {
-    if (spinner) spinner.fail(`Failed to uninstall ${packageName}`);
-    else logger.error(`Failed to uninstall ${packageName}`);
+    spinner.fail(failText("Failed to uninstall", packageName));
     logger.error(error instanceof Error ? error.message : "Unknown error");
   }
 }
@@ -2134,16 +2725,18 @@ async function uninstallCommand(packageName) {
 // src/index.ts
 var program = new Command();
 var logo = `
-  ${chalk6.hex("#f97316")("\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2557\u2591\u2591\u2591\u2588\u2588\u2588\u2557")}
-  ${chalk6.hex("#f97316")("\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2551")}
-  ${chalk6.hex("#fb923c")("\u2588\u2588\u2551\u2591\u2591\u255A\u2550\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551")}
-  ${chalk6.hex("#fb923c")("\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u255D\u2591\u2588\u2588\u2551\u255A\u2588\u2588\u2554\u255D\u2588\u2588\u2551")}
-  ${chalk6.hex("#fbbf24")("\u255A\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u255A\u2550\u255D\u2591\u2588\u2588\u2551")}
-  ${chalk6.hex("#fbbf24")("\u2591\u255A\u2550\u2550\u2550\u2550\u255D\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D")}
+  ${chalk5.hex("#22d3ee")("\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2557\u2591\u2591\u2591\u2588\u2588\u2588\u2557")}
+  ${chalk5.hex("#22d3ee")("\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2551")}
+  ${chalk5.hex("#4ade80")("\u2588\u2588\u2551\u2591\u2591\u255A\u2550\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551")}
+  ${chalk5.hex("#4ade80")("\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u255D\u2591\u2588\u2588\u2551\u255A\u2588\u2588\u2554\u255D\u2588\u2588\u2551")}
+  ${chalk5.hex("#a3e635")("\u255A\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u255A\u2550\u255D\u2591\u2588\u2588\u2551")}
+  ${chalk5.hex("#a3e635")("\u2591\u255A\u2550\u2550\u2550\u2550\u255D\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D\u2591\u2591\u2591\u2591\u2591\u255A\u2550\u255D")}
 `;
-program.name("cpm").description(`${logo}
-  ${chalk6.dim("The package manager for Claude Code")}
-`).version("0.1.0").option("-q, --quiet", "Suppress all output except errors").option("-v, --verbose", "Enable verbose output for debugging").hook("preAction", (thisCommand) => {
+program.name("cpm").description(
+  `${logo}
+  ${chalk5.dim("Package manager for AI coding assistants")}
+`
+).version("0.2.0-beta.1").option("-q, --quiet", "Suppress all output except errors").option("-v, --verbose", "Enable verbose output for debugging").hook("preAction", (thisCommand) => {
   const opts = thisCommand.optsWithGlobals();
   configureLogger({
     quiet: opts.quiet,
@@ -2154,14 +2747,4 @@ program.command("install <package>").alias("i").description("Install a package")
 program.command("uninstall <package>").alias("rm").description("Uninstall a package").option("-p, --platform <platform>", "Target platform").action(uninstallCommand);
 program.command("search <query>").alias("s").description("Search for packages").option("-t, --type <type>", "Filter by type (rules, mcp, skill, agent)").option("-l, --limit <number>", "Limit results", "10").action(searchCommand);
 program.command("list").alias("ls").description("List installed packages").action(listCommand);
-program.command("init").description("Create a new cpm package").option("-y, --yes", "Skip prompts and use defaults").action(initCommand);
-program.command("info <package>").description("Show package details").action(async () => {
-  logger.warn("Coming soon: package info");
-});
-program.command("update").alias("up").description("Update installed packages").action(async () => {
-  logger.warn("Coming soon: package updates");
-});
-program.command("publish").description("Publish a package to the registry").action(async () => {
-  logger.warn("Coming soon: package publishing");
-});
 program.parse();