@cpmai/cli 0.2.0-beta.1 → 0.3.0-beta.1

package/dist/index.js

@@ -4,107 +4,6 @@
 import { Command } from "commander";
 import chalk5 from "chalk";
 
-// src/adapters/base.ts
-var PlatformAdapter = class {
-};
-
-// src/adapters/handlers/handler-registry.ts
-var HandlerRegistry = class {
-  /**
-   * Internal storage for handlers.
-   * Maps package type strings to their handler instances.
-   * Using Map for O(1) lookup performance.
-   */
-  handlers = /* @__PURE__ */ new Map();
-  /**
-   * Register a handler for a specific package type.
-   *
-   * When you create a new handler (like RulesHandler), you call this method
-   * to add it to the registry so it can be found later.
-   *
-   * @param handler - The handler instance to register. The handler's
-   *                  packageType property determines which type it handles.
-   *
-   * @example
-   * ```typescript
-   * const rulesHandler = new RulesHandler();
-   * registry.register(rulesHandler);
-   * // Now "rules" type packages will use RulesHandler
-   * ```
-   */
-  register(handler) {
-    this.handlers.set(handler.packageType, handler);
-  }
-  /**
-   * Get the handler for a specific package type.
-   *
-   * Use this when you need to install or uninstall a package.
-   * It returns the appropriate handler based on the package type.
-   *
-   * @param type - The package type to find a handler for (e.g., "rules", "skill", "mcp")
-   * @returns The handler that can process this package type
-   * @throws Error if no handler is registered for the given type
-   *
-   * @example
-   * ```typescript
-   * const handler = registry.getHandler("skill");
-   * const files = await handler.install(manifest, context);
-   * ```
-   */
-  getHandler(type) {
-    const handler = this.handlers.get(type);
-    if (!handler) {
-      throw new Error(`No handler registered for package type: ${type}`);
-    }
-    return handler;
-  }
-  /**
-   * Check if a handler exists for a specific package type.
-   *
-   * Useful when you want to check availability before attempting
-   * to get a handler, avoiding the need for try-catch blocks.
-   *
-   * @param type - The package type to check
-   * @returns true if a handler is registered, false otherwise
-   *
-   * @example
-   * ```typescript
-   * if (registry.hasHandler("mcp")) {
-   *   const handler = registry.getHandler("mcp");
-   *   // ... use handler
-   * } else {
-   *   console.log("MCP packages not supported");
-   * }
-   * ```
-   */
-  hasHandler(type) {
-    return this.handlers.has(type);
-  }
-  /**
-   * Get a list of all registered package types.
-   *
-   * Useful for debugging, displaying supported types to users,
-   * or iterating over all available handlers.
-   *
-   * @returns Array of package type strings that have registered handlers
-   *
-   * @example
-   * ```typescript
-   * const types = registry.getRegisteredTypes();
-   * console.log("Supported types:", types.join(", "));
-   * // Output: "Supported types: rules, skill, mcp"
-   * ```
-   */
-  getRegisteredTypes() {
-    return Array.from(this.handlers.keys());
-  }
-};
-var handlerRegistry = new HandlerRegistry();
-
-// src/adapters/handlers/rules-handler.ts
-import fs2 from "fs-extra";
-import path6 from "path";
-
 // src/constants.ts
 var TIMEOUTS = {
   MANIFEST_FETCH: 5e3,
@@ -171,15 +70,17 @@ var ALLOWED_MCP_COMMANDS = [
 var BLOCKED_MCP_ARG_PATTERNS = [
   /--eval/i,
   // Node.js eval flag
-  /-e\s/,
-  // Short eval flag with space
-  /-c\s/,
-  // Command flag with space
+  /-e(?:\s|$)/,
+  // Short eval flag (with space or at end)
+  /^-e\S/,
+  // Concatenated eval flag (e.g., -eCODE)
+  /-c(?:\s|$)/,
+  // Command flag (with space or at end)
   /\bcurl\b/i,
   // curl command (data exfiltration)
   /\bwget\b/i,
   // wget command (data exfiltration)
-  /\brm\s/i,
+  /\brm(?:\s|$)/i,
   // rm command (file deletion)
   /\bsudo\b/i,
   // sudo command (privilege escalation)
@@ -187,8 +88,44 @@ var BLOCKED_MCP_ARG_PATTERNS = [
   // chmod command (permission changes)
   /\bchown\b/i,
   // chown command (ownership changes)
-  /[|;&`$]/
+  /[|;&`$]/,
   // Shell metacharacters (command chaining/injection)
+  /--inspect/i,
+  // Node.js debugger (remote code execution)
+  /--allow-all/i,
+  // Deno sandbox bypass
+  /--allow-run/i,
+  // Deno run permission
+  /--allow-write/i,
+  // Deno write permission
+  /--allow-net/i,
+  // Deno net permission
+  /^https?:\/\//i
+  // Remote URLs as standalone args (script loading)
+];
+var BLOCKED_MCP_ENV_KEYS = [
+  "PATH",
+  "LD_PRELOAD",
+  "LD_LIBRARY_PATH",
+  "DYLD_INSERT_LIBRARIES",
+  "DYLD_LIBRARY_PATH",
+  "NODE_OPTIONS",
+  "NODE_PATH",
+  "PYTHONPATH",
+  "PYTHONSTARTUP",
+  "PYTHONHOME",
+  "RUBYOPT",
+  "PERL5OPT",
+  "BASH_ENV",
+  "ENV",
+  "CDPATH",
+  "HOME",
+  "USERPROFILE",
+  "NPM_CONFIG_REGISTRY",
+  "NPM_CONFIG_PREFIX",
+  "NPM_CONFIG_GLOBALCONFIG",
+  "DENO_DIR",
+  "BUN_INSTALL"
 ];
 
 // src/types.ts
@@ -210,15 +147,15 @@ function isSkillManifest(manifest) {
 function isMcpManifest(manifest) {
   return manifest.type === "mcp";
 }
-function getTypeFromPath(path15) {
-  if (path15.startsWith("skills/")) return "skill";
-  if (path15.startsWith("rules/")) return "rules";
-  if (path15.startsWith("mcp/")) return "mcp";
-  if (path15.startsWith("agents/")) return "agent";
-  if (path15.startsWith("hooks/")) return "hook";
-  if (path15.startsWith("workflows/")) return "workflow";
-  if (path15.startsWith("templates/")) return "template";
-  if (path15.startsWith("bundles/")) return "bundle";
+function getTypeFromPath(path14) {
+  if (path14.startsWith("skills/")) return "skill";
+  if (path14.startsWith("rules/")) return "rules";
+  if (path14.startsWith("mcp/")) return "mcp";
+  if (path14.startsWith("agents/")) return "agent";
+  if (path14.startsWith("hooks/")) return "hook";
+  if (path14.startsWith("workflows/")) return "workflow";
+  if (path14.startsWith("templates/")) return "template";
+  if (path14.startsWith("bundles/")) return "bundle";
   return null;
 }
 function resolvePackageType(pkg) {
@@ -230,6 +167,107 @@ function resolvePackageType(pkg) {
   throw new Error(`Cannot determine type for package: ${pkg.name}`);
 }
 
+// src/adapters/base.ts
+var PlatformAdapter = class {
+};
+
+// src/adapters/handlers/handler-registry.ts
+var HandlerRegistry = class {
+  /**
+   * Internal storage for handlers.
+   * Maps package type strings to their handler instances.
+   * Using Map for O(1) lookup performance.
+   */
+  handlers = /* @__PURE__ */ new Map();
+  /**
+   * Register a handler for a specific package type.
+   *
+   * When you create a new handler (like RulesHandler), you call this method
+   * to add it to the registry so it can be found later.
+   *
+   * @param handler - The handler instance to register. The handler's
+   *                  packageType property determines which type it handles.
+   *
+   * @example
+   * ```typescript
+   * const rulesHandler = new RulesHandler();
+   * registry.register(rulesHandler);
+   * // Now "rules" type packages will use RulesHandler
+   * ```
+   */
+  register(handler) {
+    this.handlers.set(handler.packageType, handler);
+  }
+  /**
+   * Get the handler for a specific package type.
+   *
+   * Use this when you need to install or uninstall a package.
+   * It returns the appropriate handler based on the package type.
+   *
+   * @param type - The package type to find a handler for (e.g., "rules", "skill", "mcp")
+   * @returns The handler that can process this package type
+   * @throws Error if no handler is registered for the given type
+   *
+   * @example
+   * ```typescript
+   * const handler = registry.getHandler("skill");
+   * const files = await handler.install(manifest, context);
+   * ```
+   */
+  getHandler(type) {
+    const handler = this.handlers.get(type);
+    if (!handler) {
+      throw new Error(`No handler registered for package type: ${type}`);
+    }
+    return handler;
+  }
+  /**
+   * Check if a handler exists for a specific package type.
+   *
+   * Useful when you want to check availability before attempting
+   * to get a handler, avoiding the need for try-catch blocks.
+   *
+   * @param type - The package type to check
+   * @returns true if a handler is registered, false otherwise
+   *
+   * @example
+   * ```typescript
+   * if (registry.hasHandler("mcp")) {
+   *   const handler = registry.getHandler("mcp");
+   *   // ... use handler
+   * } else {
+   *   console.log("MCP packages not supported");
+   * }
+   * ```
+   */
+  hasHandler(type) {
+    return this.handlers.has(type);
+  }
+  /**
+   * Get a list of all registered package types.
+   *
+   * Useful for debugging, displaying supported types to users,
+   * or iterating over all available handlers.
+   *
+   * @returns Array of package type strings that have registered handlers
+   *
+   * @example
+   * ```typescript
+   * const types = registry.getRegisteredTypes();
+   * console.log("Supported types:", types.join(", "));
+   * // Output: "Supported types: rules, skill, mcp"
+   * ```
+   */
+  getRegisteredTypes() {
+    return Array.from(this.handlers.keys());
+  }
+};
+var handlerRegistry = new HandlerRegistry();
+
+// src/adapters/handlers/rules-handler.ts
+import fs2 from "fs-extra";
+import path5 from "path";
+
 // src/utils/platform.ts
 import path2 from "path";
 
@@ -331,14 +369,22 @@ var logger = {
 };
 
 // src/security/mcp-validator.ts
-import path3 from "path";
 function isAllowedCommand(command) {
-  const baseCommand = path3.basename(command);
+  if (command.includes("/") || command.includes("\\")) {
+    return false;
+  }
   return ALLOWED_MCP_COMMANDS.includes(
-    baseCommand
+    command
   );
 }
 function containsBlockedPattern(args) {
+  for (const arg of args) {
+    for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
+      if (pattern.test(arg)) {
+        return pattern;
+      }
+    }
+  }
   const argsString = args.join(" ");
   for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
     if (pattern.test(argsString)) {
@@ -347,15 +393,23 @@ function containsBlockedPattern(args) {
   }
   return null;
 }
+function containsBlockedEnvKey(env) {
+  const blockedSet = new Set(BLOCKED_MCP_ENV_KEYS.map((k) => k.toUpperCase()));
+  for (const key of Object.keys(env)) {
+    if (blockedSet.has(key.toUpperCase())) {
+      return key;
+    }
+  }
+  return null;
+}
 function validateMcpConfig(mcp) {
   if (!mcp?.command) {
     return { valid: false, error: "MCP command is required" };
   }
-  const baseCommand = path3.basename(mcp.command);
   if (!isAllowedCommand(mcp.command)) {
     return {
       valid: false,
-      error: `MCP command '${baseCommand}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
+      error: `MCP command '${mcp.command}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
     };
   }
   if (mcp.args) {
@@ -367,16 +421,25 @@ function validateMcpConfig(mcp) {
       };
     }
   }
+  if (mcp.env) {
+    const blockedKey = containsBlockedEnvKey(mcp.env);
+    if (blockedKey) {
+      return {
+        valid: false,
+        error: `MCP environment variable '${blockedKey}' is not allowed. It could be used to bypass command security restrictions.`
+      };
+    }
+  }
   return { valid: true };
 }
 
 // src/security/file-sanitizer.ts
-import path4 from "path";
+import path3 from "path";
 function sanitizeFileName(fileName) {
   if (!fileName || typeof fileName !== "string") {
     return { valid: false, error: "File name cannot be empty", sanitized: "" };
   }
-  const baseName = path4.basename(fileName);
+  const baseName = path3.basename(fileName);
   if (baseName.includes("\0")) {
     return {
       valid: false,
@@ -421,12 +484,12 @@ function sanitizeFolderName(name) {
   if (!sanitized || sanitized.startsWith(".")) {
     throw new Error(`Invalid package name: ${name}`);
   }
-  const normalized = path4.normalize(sanitized);
+  const normalized = path3.normalize(sanitized);
   if (normalized !== sanitized || normalized.includes("..")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
-  const testPath = path4.join("/test", sanitized);
-  const resolved = path4.resolve(testPath);
+  const testPath = path3.join("/test", sanitized);
+  const resolved = path3.resolve(testPath);
   if (!resolved.startsWith("/test/")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
@@ -434,11 +497,11 @@ function sanitizeFolderName(name) {
 }
 
 // src/security/path-validator.ts
-import path5 from "path";
+import path4 from "path";
 function isPathWithinDirectory(filePath, directory) {
-  const resolvedPath = path5.resolve(filePath);
-  const resolvedDir = path5.resolve(directory);
-  return resolvedPath.startsWith(resolvedDir + path5.sep) || resolvedPath === resolvedDir;
+  const resolvedPath = path4.resolve(filePath);
+  const resolvedDir = path4.resolve(directory);
+  return resolvedPath.startsWith(resolvedDir + path4.sep) || resolvedPath === resolvedDir;
 }
 
 // src/adapters/handlers/rules-handler.ts
@@ -453,7 +516,7 @@ async function writePackageMetadata(packageDir, manifest) {
     installedAt: (/* @__PURE__ */ new Date()).toISOString()
     // ISO timestamp for when it was installed
   };
-  const metadataPath = path6.join(packageDir, ".cpm.json");
+  const metadataPath = path5.join(packageDir, ".cpm.json");
   try {
     await fs2.writeJson(metadataPath, metadata, { spaces: 2 });
   } catch (error) {
@@ -486,7 +549,7 @@ var RulesHandler = class {
     const filesWritten = [];
     const rulesBaseDir = getRulesPath("claude-code");
     const folderName = sanitizeFolderName(manifest.name);
-    const rulesDir = path6.join(rulesBaseDir, folderName);
+    const rulesDir = path5.join(rulesBaseDir, folderName);
     await fs2.ensureDir(rulesDir);
     if (context.packagePath && await fs2.pathExists(context.packagePath)) {
       const files = await fs2.readdir(context.packagePath);
@@ -500,8 +563,8 @@ var RulesHandler = class {
             logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
             continue;
           }
-          const srcPath = path6.join(context.packagePath, file);
-          const destPath = path6.join(rulesDir, validation.sanitized);
+          const srcPath = path5.join(context.packagePath, file);
+          const destPath = path5.join(rulesDir, validation.sanitized);
           if (!isPathWithinDirectory(destPath, rulesDir)) {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
@@ -516,7 +579,7 @@ var RulesHandler = class {
     }
     const rulesContent = this.getRulesContent(manifest);
     if (!rulesContent) return filesWritten;
-    const rulesPath = path6.join(rulesDir, "RULES.md");
+    const rulesPath = path5.join(rulesDir, "RULES.md");
     const content = `# ${manifest.name}
 
 ${manifest.description}
@@ -542,7 +605,7 @@ ${rulesContent.trim()}
     const filesRemoved = [];
     const folderName = sanitizeFolderName(packageName);
     const rulesBaseDir = getRulesPath("claude-code");
-    const rulesPath = path6.join(rulesBaseDir, folderName);
+    const rulesPath = path5.join(rulesBaseDir, folderName);
     if (await fs2.pathExists(rulesPath)) {
       await fs2.remove(rulesPath);
       filesRemoved.push(rulesPath);
@@ -569,7 +632,7 @@ ${rulesContent.trim()}
 
 // src/adapters/handlers/skill-handler.ts
 import fs3 from "fs-extra";
-import path7 from "path";
+import path6 from "path";
 async function writePackageMetadata2(packageDir, manifest) {
   const metadata = {
     name: manifest.name,
@@ -581,7 +644,7 @@ async function writePackageMetadata2(packageDir, manifest) {
     installedAt: (/* @__PURE__ */ new Date()).toISOString()
     // ISO timestamp for when it was installed
   };
-  const metadataPath = path7.join(packageDir, ".cpm.json");
+  const metadataPath = path6.join(packageDir, ".cpm.json");
   try {
     await fs3.writeJson(metadataPath, metadata, { spaces: 2 });
   } catch (error) {
@@ -633,7 +696,7 @@ var SkillHandler = class {
     const filesWritten = [];
     const skillsDir = getSkillsPath();
     const folderName = sanitizeFolderName(manifest.name);
-    const skillDir = path7.join(skillsDir, folderName);
+    const skillDir = path6.join(skillsDir, folderName);
     await fs3.ensureDir(skillDir);
     if (context.packagePath && await fs3.pathExists(context.packagePath)) {
       const files = await fs3.readdir(context.packagePath);
@@ -647,8 +710,8 @@ var SkillHandler = class {
             logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
             continue;
           }
-          const srcPath = path7.join(context.packagePath, file);
-          const destPath = path7.join(skillDir, validation.sanitized);
+          const srcPath = path6.join(context.packagePath, file);
+          const destPath = path6.join(skillDir, validation.sanitized);
           if (!isPathWithinDirectory(destPath, skillDir)) {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
@@ -663,7 +726,7 @@ var SkillHandler = class {
     }
     if (isSkillManifest(manifest)) {
       const skillContent = formatSkillMd(manifest);
-      const skillPath = path7.join(skillDir, "SKILL.md");
+      const skillPath = path6.join(skillDir, "SKILL.md");
       await fs3.writeFile(skillPath, skillContent, "utf-8");
       filesWritten.push(skillPath);
       const metadataPath = await writePackageMetadata2(skillDir, manifest);
@@ -671,7 +734,7 @@ var SkillHandler = class {
     } else {
       const content = this.getUniversalContent(manifest);
       if (content) {
-        const skillPath = path7.join(skillDir, "SKILL.md");
+        const skillPath = path6.join(skillDir, "SKILL.md");
         const skillContent = `# ${manifest.name}
 
 ${manifest.description}
@@ -699,7 +762,7 @@ ${content.trim()}
     const filesRemoved = [];
     const folderName = sanitizeFolderName(packageName);
     const skillsDir = getSkillsPath();
-    const skillPath = path7.join(skillsDir, folderName);
+    const skillPath = path6.join(skillsDir, folderName);
     if (await fs3.pathExists(skillPath)) {
       await fs3.remove(skillPath);
       filesRemoved.push(skillPath);
@@ -725,7 +788,7 @@ ${content.trim()}
 
 // src/adapters/handlers/mcp-handler.ts
 import fs4 from "fs-extra";
-import path8 from "path";
+import path7 from "path";
 var McpHandler = class {
   /**
    * Identifies this handler as handling "mcp" type packages.
@@ -756,13 +819,21 @@ var McpHandler = class {
       throw new Error(`MCP security validation failed: ${mcpValidation.error}`);
     }
     const claudeHome = getClaudeHome();
-    const mcpConfigPath = path8.join(path8.dirname(claudeHome), ".claude.json");
+    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
     let existingConfig = {};
     if (await fs4.pathExists(mcpConfigPath)) {
       try {
         existingConfig = await fs4.readJson(mcpConfigPath);
       } catch {
-        logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+        const backupPath = `${mcpConfigPath}.backup.${Date.now()}`;
+        try {
+          await fs4.copy(mcpConfigPath, backupPath);
+          logger.warn(
+            `Could not parse ${mcpConfigPath}, backup saved to ${backupPath}`
+          );
+        } catch {
+          logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+        }
         existingConfig = {};
       }
     }
@@ -802,7 +873,7 @@ var McpHandler = class {
     const filesWritten = [];
     const folderName = sanitizeFolderName(packageName);
     const claudeHome = getClaudeHome();
-    const mcpConfigPath = path8.join(path8.dirname(claudeHome), ".claude.json");
+    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
     if (!await fs4.pathExists(mcpConfigPath)) {
       return filesWritten;
     }
@@ -838,7 +909,7 @@ initializeHandlers();
 
 // src/adapters/claude-code.ts
 import fs5 from "fs-extra";
-import path9 from "path";
+import path8 from "path";
 var ClaudeCodeAdapter = class extends PlatformAdapter {
   platform = "claude-code";
   displayName = "Claude Code";
@@ -865,23 +936,28 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
       };
     }
   }
-  async uninstall(packageName, _projectPath) {
+  async uninstall(packageName, projectPath) {
     const filesWritten = [];
     const folderName = sanitizeFolderName(packageName);
+    const context = { projectPath };
     try {
       const rulesBaseDir = getRulesPath("claude-code");
-      const rulesPath = path9.join(rulesBaseDir, folderName);
+      const rulesPath = path8.join(rulesBaseDir, folderName);
       if (await fs5.pathExists(rulesPath)) {
         await fs5.remove(rulesPath);
         filesWritten.push(rulesPath);
       }
       const skillsDir = getSkillsPath();
-      const skillPath = path9.join(skillsDir, folderName);
+      const skillPath = path8.join(skillsDir, folderName);
       if (await fs5.pathExists(skillPath)) {
         await fs5.remove(skillPath);
         filesWritten.push(skillPath);
       }
-      await this.removeMcpServer(folderName, filesWritten);
+      if (handlerRegistry.hasHandler("mcp")) {
+        const mcpHandler = handlerRegistry.getHandler("mcp");
+        const mcpFiles = await mcpHandler.uninstall(packageName, context);
+        filesWritten.push(...mcpFiles);
+      }
       return {
         success: true,
         platform: "claude-code",
@@ -904,45 +980,23 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
     return this.installFallback(manifest, context);
   }
   async installFallback(manifest, context) {
-    if ("skill" in manifest && manifest.skill) {
+    logger.warn(
+      `No handler registered for type "${manifest.type}", attempting content-based detection`
+    );
+    if (isSkillManifest(manifest)) {
       const handler = handlerRegistry.getHandler("skill");
       return handler.install(manifest, context);
     }
-    if ("mcp" in manifest && manifest.mcp) {
+    if (isMcpManifest(manifest)) {
       const handler = handlerRegistry.getHandler("mcp");
       return handler.install(manifest, context);
     }
-    if ("universal" in manifest && manifest.universal?.rules) {
+    if (isRulesManifest(manifest)) {
       const handler = handlerRegistry.getHandler("rules");
       return handler.install(manifest, context);
     }
     return [];
   }
-  async removeMcpServer(serverName, filesWritten) {
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path9.join(path9.dirname(claudeHome), ".claude.json");
-    if (!await fs5.pathExists(mcpConfigPath)) {
-      return;
-    }
-    try {
-      const config = await fs5.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers;
-      if (!mcpServers || !mcpServers[serverName]) {
-        return;
-      }
-      const { [serverName]: _removed, ...remainingServers } = mcpServers;
-      const updatedConfig = {
-        ...config,
-        mcpServers: remainingServers
-      };
-      await fs5.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-      filesWritten.push(mcpConfigPath);
-    } catch (error) {
-      logger.warn(
-        `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
-    }
-  }
 };
 
 // src/adapters/index.ts
@@ -956,11 +1010,11 @@ function getAdapter(platform) {
 // src/utils/registry.ts
 import got from "got";
 import fs6 from "fs-extra";
-import path10 from "path";
+import path9 from "path";
 import os2 from "os";
 var DEFAULT_REGISTRY_URL = process.env.CPM_REGISTRY_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
-var CACHE_DIR = path10.join(os2.homedir(), ".cpm", "cache");
-var CACHE_FILE = path10.join(CACHE_DIR, "registry.json");
+var CACHE_DIR = path9.join(os2.homedir(), ".cpm", "cache");
+var CACHE_FILE = path9.join(CACHE_DIR, "registry.json");
 var comparators = {
   downloads: (a, b) => (b.downloads ?? 0) - (a.downloads ?? 0),
   stars: (a, b) => (b.stars ?? 0) - (a.stars ?? 0),
@@ -1101,7 +1155,7 @@ var registry = new Registry();
 
 // src/utils/downloader.ts
 import fs8 from "fs-extra";
-import path12 from "path";
+import path11 from "path";
 import os3 from "os";
 
 // src/sources/manifest-resolver.ts
@@ -1195,76 +1249,45 @@ var ManifestResolver = class {
 // src/sources/repository-source.ts
 import got2 from "got";
 import yaml from "yaml";
+var PACKAGES_REPO_BASE = "https://raw.githubusercontent.com/cpmai-dev/packages/main/packages";
 var RepositorySource = class {
-  /**
-   * Name of this source for logging and debugging.
-   */
   name = "repository";
-  /**
-   * Priority 1 - this is the first source tried.
-   * Repository fetching is fast and provides complete manifests.
-   */
   priority = 1;
-  /**
-   * Check if this source can fetch the given package.
-   *
-   * We can only fetch from GitHub repositories, so we check
-   * if the package has a repository URL that includes "github.com".
-   *
-   * @param pkg - The registry package to check
-   * @returns true if the package has a GitHub repository URL
-   *
-   * @example
-   * ```typescript
-   * // Package with GitHub repo
-   * canFetch({ repository: "https://github.com/cpm/rules" }) // true
-   *
-   * // Package without repo
-   * canFetch({ repository: undefined }) // false
-   *
-   * // Package with non-GitHub repo
-   * canFetch({ repository: "https://gitlab.com/..." }) // false
-   * ```
-   */
   canFetch(pkg) {
-    return !!pkg.repository?.includes("github.com");
+    return !!pkg.path || !!pkg.repository?.includes("github.com");
   }
-  /**
-   * Fetch the manifest from the package's GitHub repository.
-   *
-   * This method:
-   * 1. Extracts the owner and repo name from the URL
-   * 2. Constructs a raw.githubusercontent.com URL for cpm.yaml
-   * 3. Fetches the file with a timeout
-   * 4. Parses the YAML content
-   *
-   * @param pkg - The registry package to fetch
-   * @param _context - Fetch context (not used by this source)
-   * @returns The parsed manifest, or null if fetch fails
-   *
-   * @example
-   * ```typescript
-   * const manifest = await source.fetch({
-   *   name: "@cpm/typescript-rules",
-   *   repository: "https://github.com/cpm/typescript-rules",
-   *   // ... other fields
-   * }, context);
-   *
-   * if (manifest) {
-   *   console.log("Fetched:", manifest.name, manifest.version);
-   * }
-   * ```
-   */
   async fetch(pkg, _context) {
-    if (!pkg.repository) return null;
+    if (pkg.path) {
+      const manifest = await this.fetchFromPackagesRepo(pkg.path);
+      if (manifest) return manifest;
+    }
+    if (pkg.repository) {
+      return this.fetchFromStandaloneRepo(pkg.repository);
+    }
+    return null;
+  }
+  async fetchFromPackagesRepo(packagePath) {
+    if (packagePath.includes("..") || packagePath.startsWith("/") || packagePath.includes("\\")) {
+      return null;
+    }
+    const rawUrl = `${PACKAGES_REPO_BASE}/${packagePath}/cpm.yaml`;
     try {
-      const match = pkg.repository.match(/github\.com\/([^/]+)\/([^/]+)/);
+      const response = await got2(rawUrl, {
+        timeout: { request: TIMEOUTS.MANIFEST_FETCH }
+      });
+      return yaml.parse(response.body);
+    } catch {
+      return null;
+    }
+  }
+  async fetchFromStandaloneRepo(repository) {
+    try {
+      const match = repository.match(/github\.com\/([^/]+)\/([^/]+)/);
       if (!match) return null;
       const [, owner, repo] = match;
       const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/cpm.yaml`;
       const response = await got2(rawUrl, {
         timeout: { request: TIMEOUTS.MANIFEST_FETCH }
-        // 5 second timeout
       });
       return yaml.parse(response.body);
     } catch {
@@ -1276,7 +1299,7 @@ var RepositorySource = class {
 // src/sources/tarball-source.ts
 import got3 from "got";
 import fs7 from "fs-extra";
-import path11 from "path";
+import path10 from "path";
 import * as tar from "tar";
 import yaml2 from "yaml";
 var TarballSource = class {
@@ -1328,10 +1351,10 @@ var TarballSource = class {
         responseType: "buffer"
         // Get raw binary data
       });
-      const tarballPath = path11.join(context.tempDir, "package.tar.gz");
+      const tarballPath = path10.join(context.tempDir, "package.tar.gz");
       await fs7.writeFile(tarballPath, response.body);
       await this.extractTarball(tarballPath, context.tempDir);
-      const manifestPath = path11.join(context.tempDir, "cpm.yaml");
+      const manifestPath = path10.join(context.tempDir, "cpm.yaml");
       if (await fs7.pathExists(manifestPath)) {
         const content = await fs7.readFile(manifestPath, "utf-8");
         return yaml2.parse(content);
@@ -1356,7 +1379,7 @@ var TarballSource = class {
    */
   async extractTarball(tarballPath, destDir) {
     await fs7.ensureDir(destDir);
-    const resolvedDestDir = path11.resolve(destDir);
+    const resolvedDestDir = path10.resolve(destDir);
     await tar.extract({
       file: tarballPath,
       // The tarball file to extract
@@ -1366,8 +1389,8 @@ var TarballSource = class {
       // Remove the top-level directory (e.g., "package-1.0.0/")
       // Security filter: check each entry before extracting
       filter: (entryPath) => {
-        const resolvedPath = path11.resolve(destDir, entryPath);
-        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path11.sep) || resolvedPath === resolvedDestDir;
+        const resolvedPath = path10.resolve(destDir, entryPath);
+        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path10.sep) || resolvedPath === resolvedDestDir;
         if (!isWithinDest) {
           logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
           return false;
@@ -2048,11 +2071,11 @@ function createDefaultResolver() {
 var defaultResolver = createDefaultResolver();
 
 // src/utils/downloader.ts
-var TEMP_DIR = path12.join(os3.tmpdir(), "cpm-downloads");
+var TEMP_DIR = path11.join(os3.tmpdir(), "cpm-downloads");
 async function downloadPackage(pkg) {
   try {
     await fs8.ensureDir(TEMP_DIR);
-    const packageTempDir = path12.join(
+    const packageTempDir = path11.join(
       TEMP_DIR,
       `${pkg.name.replace(/[@/]/g, "_")}-${Date.now()}`
     );
@@ -2198,7 +2221,7 @@ var SEMANTIC_COLORS = {
 
 // src/commands/ui/formatters.ts
 import chalk2 from "chalk";
-import path13 from "path";
+import path12 from "path";
 function formatNumber(num) {
   if (num >= 1e6) {
     return `${(num / 1e6).toFixed(1)}M`;
@@ -2209,7 +2232,7 @@ function formatNumber(num) {
   return num.toString();
 }
 function formatPath(filePath) {
-  const relativePath = path13.relative(process.cwd(), filePath);
+  const relativePath = path12.relative(process.cwd(), filePath);
   if (relativePath.startsWith("..")) {
     return filePath;
   }
@@ -2271,8 +2294,12 @@ function formatUsageHints(manifest) {
       if ("mcp" in manifest && manifest.mcp?.env) {
         const envVars = Object.keys(manifest.mcp.env);
         if (envVars.length > 0) {
-          hints.push(chalk2.yellow(`
-  Required environment variables:`));
+          hints.push(
+            chalk2.yellow(
+              `
+  Configure these environment variables in ~/.claude.json:`
+            )
+          );
           for (const envVar of envVars) {
             hints.push(chalk2.dim(`    - ${envVar}`));
           }
@@ -2540,10 +2567,10 @@ async function searchCommand(query, rawOptions) {
 // src/commands/list.ts
 import chalk4 from "chalk";
 import fs9 from "fs-extra";
-import path14 from "path";
+import path13 from "path";
 import os4 from "os";
 async function readPackageMetadata(packageDir) {
-  const metadataPath = path14.join(packageDir, ".cpm.json");
+  const metadataPath = path13.join(packageDir, ".cpm.json");
   try {
     if (await fs9.pathExists(metadataPath)) {
       return await fs9.readJson(metadataPath);
@@ -2559,7 +2586,7 @@ async function scanDirectory(dir, type) {
   }
   const entries = await fs9.readdir(dir);
   for (const entry of entries) {
-    const entryPath = path14.join(dir, entry);
+    const entryPath = path13.join(dir, entry);
     const stat = await fs9.stat(entryPath);
     if (stat.isDirectory()) {
       const metadata = await readPackageMetadata(entryPath);
@@ -2576,7 +2603,7 @@ async function scanDirectory(dir, type) {
 }
 async function scanMcpServers() {
   const items = [];
-  const configPath = path14.join(os4.homedir(), ".claude.json");
+  const configPath = path13.join(os4.homedir(), ".claude.json");
   if (!await fs9.pathExists(configPath)) {
     return items;
   }
@@ -2596,10 +2623,10 @@ async function scanMcpServers() {
   return items;
 }
 async function scanInstalledPackages() {
-  const claudeHome = path14.join(os4.homedir(), ".claude");
+  const claudeHome = path13.join(os4.homedir(), ".claude");
   const [rules, skills, mcp] = await Promise.all([
-    scanDirectory(path14.join(claudeHome, "rules"), "rules"),
-    scanDirectory(path14.join(claudeHome, "skills"), "skill"),
+    scanDirectory(path13.join(claudeHome, "rules"), "rules"),
+    scanDirectory(path13.join(claudeHome, "skills"), "skill"),
     scanMcpServers()
   ]);
   return [...rules, ...skills, ...mcp];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cpmai/cli",
-  "version": "0.2.0-beta.1",
+  "version": "0.3.0-beta.1",
   "description": "CPM CLI - cpm-ai.dev",
   "keywords": [
     "claude-code",