@cpmai/cli 0.2.0-beta.1 → 0.3.0-beta.2

package/dist/index.js

@@ -4,107 +4,6 @@
 import { Command } from "commander";
 import chalk5 from "chalk";
 
-// src/adapters/base.ts
-var PlatformAdapter = class {
-};
-
-// src/adapters/handlers/handler-registry.ts
-var HandlerRegistry = class {
-  /**
-   * Internal storage for handlers.
-   * Maps package type strings to their handler instances.
-   * Using Map for O(1) lookup performance.
-   */
-  handlers = /* @__PURE__ */ new Map();
-  /**
-   * Register a handler for a specific package type.
-   *
-   * When you create a new handler (like RulesHandler), you call this method
-   * to add it to the registry so it can be found later.
-   *
-   * @param handler - The handler instance to register. The handler's
-   *                  packageType property determines which type it handles.
-   *
-   * @example
-   * ```typescript
-   * const rulesHandler = new RulesHandler();
-   * registry.register(rulesHandler);
-   * // Now "rules" type packages will use RulesHandler
-   * ```
-   */
-  register(handler) {
-    this.handlers.set(handler.packageType, handler);
-  }
-  /**
-   * Get the handler for a specific package type.
-   *
-   * Use this when you need to install or uninstall a package.
-   * It returns the appropriate handler based on the package type.
-   *
-   * @param type - The package type to find a handler for (e.g., "rules", "skill", "mcp")
-   * @returns The handler that can process this package type
-   * @throws Error if no handler is registered for the given type
-   *
-   * @example
-   * ```typescript
-   * const handler = registry.getHandler("skill");
-   * const files = await handler.install(manifest, context);
-   * ```
-   */
-  getHandler(type) {
-    const handler = this.handlers.get(type);
-    if (!handler) {
-      throw new Error(`No handler registered for package type: ${type}`);
-    }
-    return handler;
-  }
-  /**
-   * Check if a handler exists for a specific package type.
-   *
-   * Useful when you want to check availability before attempting
-   * to get a handler, avoiding the need for try-catch blocks.
-   *
-   * @param type - The package type to check
-   * @returns true if a handler is registered, false otherwise
-   *
-   * @example
-   * ```typescript
-   * if (registry.hasHandler("mcp")) {
-   *   const handler = registry.getHandler("mcp");
-   *   // ... use handler
-   * } else {
-   *   console.log("MCP packages not supported");
-   * }
-   * ```
-   */
-  hasHandler(type) {
-    return this.handlers.has(type);
-  }
-  /**
-   * Get a list of all registered package types.
-   *
-   * Useful for debugging, displaying supported types to users,
-   * or iterating over all available handlers.
-   *
-   * @returns Array of package type strings that have registered handlers
-   *
-   * @example
-   * ```typescript
-   * const types = registry.getRegisteredTypes();
-   * console.log("Supported types:", types.join(", "));
-   * // Output: "Supported types: rules, skill, mcp"
-   * ```
-   */
-  getRegisteredTypes() {
-    return Array.from(this.handlers.keys());
-  }
-};
-var handlerRegistry = new HandlerRegistry();
-
-// src/adapters/handlers/rules-handler.ts
-import fs2 from "fs-extra";
-import path6 from "path";
-
 // src/constants.ts
 var TIMEOUTS = {
   MANIFEST_FETCH: 5e3,
@@ -148,10 +47,7 @@ var SEARCH_SORT_OPTIONS = [
   "name"
   // Alphabetical order
 ];
-var VALID_PLATFORMS = [
-  "claude-code"
-  // Currently the only supported platform
-];
+var VALID_PLATFORMS = ["claude-code", "cursor"];
 var ALLOWED_MCP_COMMANDS = [
   "npx",
   // Node package executor
@@ -171,15 +67,19 @@ var ALLOWED_MCP_COMMANDS = [
 var BLOCKED_MCP_ARG_PATTERNS = [
   /--eval/i,
   // Node.js eval flag
-  /-e\s/,
-  // Short eval flag with space
-  /-c\s/,
-  // Command flag with space
+  /-e(?:\s|$)/,
+  // Short eval flag (with space or at end)
+  /^-e\S/,
+  // Concatenated eval flag (e.g., -eCODE)
+  /-c(?:\s|$)/,
+  // Command flag (with space or at end)
+  /^-c\S/,
+  // Concatenated command flag (e.g., -cCODE)
   /\bcurl\b/i,
   // curl command (data exfiltration)
   /\bwget\b/i,
   // wget command (data exfiltration)
-  /\brm\s/i,
+  /\brm(?:\s|$)/i,
   // rm command (file deletion)
   /\bsudo\b/i,
   // sudo command (privilege escalation)
@@ -187,8 +87,44 @@ var BLOCKED_MCP_ARG_PATTERNS = [
   // chmod command (permission changes)
   /\bchown\b/i,
   // chown command (ownership changes)
-  /[|;&`$]/
+  /[|;&`$]/,
   // Shell metacharacters (command chaining/injection)
+  /--inspect/i,
+  // Node.js debugger (remote code execution)
+  /--allow-all/i,
+  // Deno sandbox bypass
+  /--allow-run/i,
+  // Deno run permission
+  /--allow-write/i,
+  // Deno write permission
+  /--allow-net/i,
+  // Deno net permission
+  /^https?:\/\//i
+  // Remote URLs as standalone args (script loading)
+];
+var BLOCKED_MCP_ENV_KEYS = [
+  "PATH",
+  "LD_PRELOAD",
+  "LD_LIBRARY_PATH",
+  "DYLD_INSERT_LIBRARIES",
+  "DYLD_LIBRARY_PATH",
+  "NODE_OPTIONS",
+  "NODE_PATH",
+  "PYTHONPATH",
+  "PYTHONSTARTUP",
+  "PYTHONHOME",
+  "RUBYOPT",
+  "PERL5OPT",
+  "BASH_ENV",
+  "ENV",
+  "CDPATH",
+  "HOME",
+  "USERPROFILE",
+  "NPM_CONFIG_REGISTRY",
+  "NPM_CONFIG_PREFIX",
+  "NPM_CONFIG_GLOBALCONFIG",
+  "DENO_DIR",
+  "BUN_INSTALL"
 ];
 
 // src/types.ts
@@ -210,15 +146,15 @@ function isSkillManifest(manifest) {
 function isMcpManifest(manifest) {
   return manifest.type === "mcp";
 }
-function getTypeFromPath(path15) {
-  if (path15.startsWith("skills/")) return "skill";
-  if (path15.startsWith("rules/")) return "rules";
-  if (path15.startsWith("mcp/")) return "mcp";
-  if (path15.startsWith("agents/")) return "agent";
-  if (path15.startsWith("hooks/")) return "hook";
-  if (path15.startsWith("workflows/")) return "workflow";
-  if (path15.startsWith("templates/")) return "template";
-  if (path15.startsWith("bundles/")) return "bundle";
+function getTypeFromPath(path16) {
+  if (path16.startsWith("skills/")) return "skill";
+  if (path16.startsWith("rules/")) return "rules";
+  if (path16.startsWith("mcp/")) return "mcp";
+  if (path16.startsWith("agents/")) return "agent";
+  if (path16.startsWith("hooks/")) return "hook";
+  if (path16.startsWith("workflows/")) return "workflow";
+  if (path16.startsWith("templates/")) return "template";
+  if (path16.startsWith("bundles/")) return "bundle";
   return null;
 }
 function resolvePackageType(pkg) {
@@ -230,8 +166,110 @@ function resolvePackageType(pkg) {
   throw new Error(`Cannot determine type for package: ${pkg.name}`);
 }
 
+// src/adapters/base.ts
+var PlatformAdapter = class {
+};
+
+// src/adapters/handlers/handler-registry.ts
+var HandlerRegistry = class {
+  /**
+   * Internal storage for handlers.
+   * Maps package type strings to their handler instances.
+   * Using Map for O(1) lookup performance.
+   */
+  handlers = /* @__PURE__ */ new Map();
+  /**
+   * Register a handler for a specific package type.
+   *
+   * When you create a new handler (like RulesHandler), you call this method
+   * to add it to the registry so it can be found later.
+   *
+   * @param handler - The handler instance to register. The handler's
+   *                  packageType property determines which type it handles.
+   *
+   * @example
+   * ```typescript
+   * const rulesHandler = new RulesHandler();
+   * registry.register(rulesHandler);
+   * // Now "rules" type packages will use RulesHandler
+   * ```
+   */
+  register(handler) {
+    this.handlers.set(handler.packageType, handler);
+  }
+  /**
+   * Get the handler for a specific package type.
+   *
+   * Use this when you need to install or uninstall a package.
+   * It returns the appropriate handler based on the package type.
+   *
+   * @param type - The package type to find a handler for (e.g., "rules", "skill", "mcp")
+   * @returns The handler that can process this package type
+   * @throws Error if no handler is registered for the given type
+   *
+   * @example
+   * ```typescript
+   * const handler = registry.getHandler("skill");
+   * const files = await handler.install(manifest, context);
+   * ```
+   */
+  getHandler(type) {
+    const handler = this.handlers.get(type);
+    if (!handler) {
+      throw new Error(`No handler registered for package type: ${type}`);
+    }
+    return handler;
+  }
+  /**
+   * Check if a handler exists for a specific package type.
+   *
+   * Useful when you want to check availability before attempting
+   * to get a handler, avoiding the need for try-catch blocks.
+   *
+   * @param type - The package type to check
+   * @returns true if a handler is registered, false otherwise
+   *
+   * @example
+   * ```typescript
+   * if (registry.hasHandler("mcp")) {
+   *   const handler = registry.getHandler("mcp");
+   *   // ... use handler
+   * } else {
+   *   console.log("MCP packages not supported");
+   * }
+   * ```
+   */
+  hasHandler(type) {
+    return this.handlers.has(type);
+  }
+  /**
+   * Get a list of all registered package types.
+   *
+   * Useful for debugging, displaying supported types to users,
+   * or iterating over all available handlers.
+   *
+   * @returns Array of package type strings that have registered handlers
+   *
+   * @example
+   * ```typescript
+   * const types = registry.getRegisteredTypes();
+   * console.log("Supported types:", types.join(", "));
+   * // Output: "Supported types: rules, skill, mcp"
+   * ```
+   */
+  getRegisteredTypes() {
+    return Array.from(this.handlers.keys());
+  }
+};
+var handlerRegistry = new HandlerRegistry();
+
+// src/adapters/handlers/rules-handler.ts
+import fs3 from "fs-extra";
+import path6 from "path";
+
 // src/utils/platform.ts
 import path2 from "path";
+import os2 from "os";
 
 // src/utils/config.ts
 import path from "path";
@@ -245,13 +283,28 @@ async function ensureClaudeDirs() {
   await fs.ensureDir(path.join(claudeHome, "rules"));
   await fs.ensureDir(path.join(claudeHome, "skills"));
 }
+async function ensureCursorDirs(projectPath) {
+  await fs.ensureDir(path.join(projectPath, ".cursor", "rules"));
+}
 
 // src/utils/platform.ts
-function getRulesPath(platform) {
-  if (platform !== "claude-code") {
-    throw new Error(`Rules path is not supported for platform: ${platform}`);
+function getCursorHome() {
+  return path2.join(os2.homedir(), ".cursor");
+}
+function getCursorMcpConfigPath() {
+  return path2.join(getCursorHome(), "mcp.json");
+}
+function getRulesPath(platform, projectPath) {
+  if (platform === "claude-code") {
+    return path2.join(getClaudeHome(), "rules");
   }
-  return path2.join(getClaudeHome(), "rules");
+  if (platform === "cursor") {
+    if (!projectPath) {
+      return path2.join(process.cwd(), ".cursor", "rules");
+    }
+    return path2.join(projectPath, ".cursor", "rules");
+  }
+  throw new Error(`Rules path is not supported for platform: ${platform}`);
 }
 function getSkillsPath() {
   return path2.join(getClaudeHome(), "skills");
@@ -331,14 +384,22 @@ var logger = {
 };
 
 // src/security/mcp-validator.ts
-import path3 from "path";
 function isAllowedCommand(command) {
-  const baseCommand = path3.basename(command);
+  if (command.includes("/") || command.includes("\\")) {
+    return false;
+  }
   return ALLOWED_MCP_COMMANDS.includes(
-    baseCommand
+    command
   );
 }
 function containsBlockedPattern(args) {
+  for (const arg of args) {
+    for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
+      if (pattern.test(arg)) {
+        return pattern;
+      }
+    }
+  }
   const argsString = args.join(" ");
   for (const pattern of BLOCKED_MCP_ARG_PATTERNS) {
     if (pattern.test(argsString)) {
@@ -347,15 +408,23 @@ function containsBlockedPattern(args) {
   }
   return null;
 }
+function containsBlockedEnvKey(env) {
+  const blockedSet = new Set(BLOCKED_MCP_ENV_KEYS.map((k) => k.toUpperCase()));
+  for (const key of Object.keys(env)) {
+    if (blockedSet.has(key.toUpperCase())) {
+      return key;
+    }
+  }
+  return null;
+}
 function validateMcpConfig(mcp) {
   if (!mcp?.command) {
     return { valid: false, error: "MCP command is required" };
   }
-  const baseCommand = path3.basename(mcp.command);
   if (!isAllowedCommand(mcp.command)) {
     return {
       valid: false,
-      error: `MCP command '${baseCommand}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
+      error: `MCP command '${mcp.command}' is not allowed. Allowed: ${ALLOWED_MCP_COMMANDS.join(", ")}`
     };
   }
   if (mcp.args) {
@@ -367,16 +436,25 @@ function validateMcpConfig(mcp) {
       };
     }
   }
+  if (mcp.env) {
+    const blockedKey = containsBlockedEnvKey(mcp.env);
+    if (blockedKey) {
+      return {
+        valid: false,
+        error: `MCP environment variable '${blockedKey}' is not allowed. It could be used to bypass command security restrictions.`
+      };
+    }
+  }
   return { valid: true };
 }
 
 // src/security/file-sanitizer.ts
-import path4 from "path";
+import path3 from "path";
 function sanitizeFileName(fileName) {
   if (!fileName || typeof fileName !== "string") {
     return { valid: false, error: "File name cannot be empty", sanitized: "" };
   }
-  const baseName = path4.basename(fileName);
+  const baseName = path3.basename(fileName);
   if (baseName.includes("\0")) {
     return {
       valid: false,
@@ -421,12 +499,12 @@ function sanitizeFolderName(name) {
   if (!sanitized || sanitized.startsWith(".")) {
     throw new Error(`Invalid package name: ${name}`);
   }
-  const normalized = path4.normalize(sanitized);
+  const normalized = path3.normalize(sanitized);
   if (normalized !== sanitized || normalized.includes("..")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
-  const testPath = path4.join("/test", sanitized);
-  const resolved = path4.resolve(testPath);
+  const testPath = path3.join("/test", sanitized);
+  const resolved = path3.resolve(testPath);
   if (!resolved.startsWith("/test/")) {
     throw new Error(`Invalid package name (path traversal detected): ${name}`);
   }
@@ -434,26 +512,79 @@ function sanitizeFolderName(name) {
 }
 
 // src/security/path-validator.ts
-import path5 from "path";
+import path4 from "path";
 function isPathWithinDirectory(filePath, directory) {
-  const resolvedPath = path5.resolve(filePath);
-  const resolvedDir = path5.resolve(directory);
-  return resolvedPath.startsWith(resolvedDir + path5.sep) || resolvedPath === resolvedDir;
+  const resolvedPath = path4.resolve(filePath);
+  const resolvedDir = path4.resolve(directory);
+  return resolvedPath.startsWith(resolvedDir + path4.sep) || resolvedPath === resolvedDir;
+}
+
+// src/security/glob-validator.ts
+var BLOCKED_GLOB_PATTERNS = [
+  // Environment and secret files
+  { pattern: /\.env\b/i, reason: "targets environment/secret files" },
+  { pattern: /\.secret/i, reason: "targets secret files" },
+  { pattern: /credentials/i, reason: "targets credential files" },
+  { pattern: /\.pem$/i, reason: "targets PEM certificate/key files" },
+  { pattern: /\.key$/i, reason: "targets key files" },
+  { pattern: /\.p12$/i, reason: "targets PKCS12 certificate files" },
+  { pattern: /\.pfx$/i, reason: "targets PFX certificate files" },
+  // SSH and GPG
+  { pattern: /\.ssh\//i, reason: "targets SSH directory" },
+  { pattern: /id_rsa/i, reason: "targets SSH private keys" },
+  { pattern: /id_ed25519/i, reason: "targets SSH private keys" },
+  { pattern: /\.gnupg\//i, reason: "targets GPG directory" },
+  // Git internals
+  { pattern: /\.git\//, reason: "targets git internals" },
+  // Config files with potential secrets
+  { pattern: /\.claude\.json$/i, reason: "targets Claude Code config" },
+  { pattern: /\.npmrc$/i, reason: "targets npm config (may contain tokens)" },
+  { pattern: /\.pypirc$/i, reason: "targets PyPI config (may contain tokens)" },
+  // System files
+  { pattern: /\/etc\//, reason: "targets system configuration" },
+  { pattern: /\/passwd/, reason: "targets system password file" },
+  { pattern: /\/shadow/, reason: "targets system shadow file" },
+  // Path traversal in globs
+  { pattern: /\.\.\//, reason: "contains path traversal" }
+];
+function validateGlob(glob) {
+  if (!glob || typeof glob !== "string") {
+    return { valid: false, error: "Glob pattern cannot be empty" };
+  }
+  if (glob.includes("\0")) {
+    return { valid: false, error: "Glob pattern contains null bytes" };
+  }
+  for (const { pattern, reason } of BLOCKED_GLOB_PATTERNS) {
+    if (pattern.test(glob)) {
+      return {
+        valid: false,
+        error: `Glob pattern "${glob}" is blocked: ${reason}`
+      };
+    }
+  }
+  return { valid: true };
+}
+function validateGlobs(globs) {
+  for (const glob of globs) {
+    const result = validateGlob(glob);
+    if (!result.valid) {
+      return result;
+    }
+  }
+  return { valid: true };
 }
 
-// src/adapters/handlers/rules-handler.ts
+// src/adapters/handlers/metadata.ts
+import fs2 from "fs-extra";
+import path5 from "path";
 async function writePackageMetadata(packageDir, manifest) {
   const metadata = {
     name: manifest.name,
-    // e.g., "@cpm/typescript-strict"
     version: manifest.version,
-    // e.g., "1.0.0"
     type: manifest.type,
-    // e.g., "rules"
     installedAt: (/* @__PURE__ */ new Date()).toISOString()
-    // ISO timestamp for when it was installed
   };
-  const metadataPath = path6.join(packageDir, ".cpm.json");
+  const metadataPath = path5.join(packageDir, ".cpm.json");
   try {
     await fs2.writeJson(metadataPath, metadata, { spaces: 2 });
   } catch (error) {
@@ -463,6 +594,8 @@ async function writePackageMetadata(packageDir, manifest) {
   }
   return metadataPath;
 }
+
+// src/adapters/handlers/rules-handler.ts
 var RulesHandler = class {
   /**
    * Identifies this handler as handling "rules" type packages.
@@ -487,9 +620,9 @@ var RulesHandler = class {
     const rulesBaseDir = getRulesPath("claude-code");
     const folderName = sanitizeFolderName(manifest.name);
     const rulesDir = path6.join(rulesBaseDir, folderName);
-    await fs2.ensureDir(rulesDir);
-    if (context.packagePath && await fs2.pathExists(context.packagePath)) {
-      const files = await fs2.readdir(context.packagePath);
+    await fs3.ensureDir(rulesDir);
+    if (context.packagePath && await fs3.pathExists(context.packagePath)) {
+      const files = await fs3.readdir(context.packagePath);
       const mdFiles = files.filter(
         (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
       );
@@ -506,7 +639,12 @@ var RulesHandler = class {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
           }
-          await fs2.copy(srcPath, destPath);
+          const srcStat = await fs3.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          await fs3.copy(srcPath, destPath);
           filesWritten.push(destPath);
         }
         const metadataPath2 = await writePackageMetadata(rulesDir, manifest);
@@ -523,7 +661,7 @@ ${manifest.description}
 
 ${rulesContent.trim()}
 `;
-    await fs2.writeFile(rulesPath, content, "utf-8");
+    await fs3.writeFile(rulesPath, content, "utf-8");
     filesWritten.push(rulesPath);
     const metadataPath = await writePackageMetadata(rulesDir, manifest);
     filesWritten.push(metadataPath);
@@ -543,8 +681,8 @@ ${rulesContent.trim()}
     const folderName = sanitizeFolderName(packageName);
     const rulesBaseDir = getRulesPath("claude-code");
     const rulesPath = path6.join(rulesBaseDir, folderName);
-    if (await fs2.pathExists(rulesPath)) {
-      await fs2.remove(rulesPath);
+    if (await fs3.pathExists(rulesPath)) {
+      await fs3.remove(rulesPath);
       filesRemoved.push(rulesPath);
     }
     return filesRemoved;
@@ -568,29 +706,8 @@ ${rulesContent.trim()}
 };
 
 // src/adapters/handlers/skill-handler.ts
-import fs3 from "fs-extra";
+import fs4 from "fs-extra";
 import path7 from "path";
-async function writePackageMetadata2(packageDir, manifest) {
-  const metadata = {
-    name: manifest.name,
-    // e.g., "@cpm/commit-skill"
-    version: manifest.version,
-    // e.g., "1.0.0"
-    type: manifest.type,
-    // e.g., "skill"
-    installedAt: (/* @__PURE__ */ new Date()).toISOString()
-    // ISO timestamp for when it was installed
-  };
-  const metadataPath = path7.join(packageDir, ".cpm.json");
-  try {
-    await fs3.writeJson(metadataPath, metadata, { spaces: 2 });
-  } catch (error) {
-    logger.warn(
-      `Could not write metadata: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-  return metadataPath;
-}
 function formatSkillMd(manifest) {
   const skill = manifest.skill;
   const content = manifest.universal?.prompt || manifest.universal?.rules || "";
@@ -634,9 +751,9 @@ var SkillHandler = class {
     const skillsDir = getSkillsPath();
     const folderName = sanitizeFolderName(manifest.name);
     const skillDir = path7.join(skillsDir, folderName);
-    await fs3.ensureDir(skillDir);
-    if (context.packagePath && await fs3.pathExists(context.packagePath)) {
-      const files = await fs3.readdir(context.packagePath);
+    await fs4.ensureDir(skillDir);
+    if (context.packagePath && await fs4.pathExists(context.packagePath)) {
+      const files = await fs4.readdir(context.packagePath);
       const contentFiles = files.filter(
         (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
       );
@@ -653,10 +770,15 @@ var SkillHandler = class {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
           }
-          await fs3.copy(srcPath, destPath);
+          const srcStat = await fs4.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          await fs4.copy(srcPath, destPath);
           filesWritten.push(destPath);
         }
-        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        const metadataPath = await writePackageMetadata(skillDir, manifest);
         filesWritten.push(metadataPath);
         return filesWritten;
       }
@@ -664,9 +786,9 @@ var SkillHandler = class {
     if (isSkillManifest(manifest)) {
       const skillContent = formatSkillMd(manifest);
       const skillPath = path7.join(skillDir, "SKILL.md");
-      await fs3.writeFile(skillPath, skillContent, "utf-8");
+      await fs4.writeFile(skillPath, skillContent, "utf-8");
       filesWritten.push(skillPath);
-      const metadataPath = await writePackageMetadata2(skillDir, manifest);
+      const metadataPath = await writePackageMetadata(skillDir, manifest);
       filesWritten.push(metadataPath);
     } else {
       const content = this.getUniversalContent(manifest);
@@ -678,9 +800,9 @@ ${manifest.description}
 
 ${content.trim()}
 `;
-        await fs3.writeFile(skillPath, skillContent, "utf-8");
+        await fs4.writeFile(skillPath, skillContent, "utf-8");
         filesWritten.push(skillPath);
-        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        const metadataPath = await writePackageMetadata(skillDir, manifest);
         filesWritten.push(metadataPath);
       }
     }
@@ -700,8 +822,8 @@ ${content.trim()}
     const folderName = sanitizeFolderName(packageName);
     const skillsDir = getSkillsPath();
     const skillPath = path7.join(skillsDir, folderName);
-    if (await fs3.pathExists(skillPath)) {
-      await fs3.remove(skillPath);
+    if (await fs4.pathExists(skillPath)) {
+      await fs4.remove(skillPath);
       filesRemoved.push(skillPath);
     }
     return filesRemoved;
@@ -724,28 +846,66 @@ ${content.trim()}
 };
 
 // src/adapters/handlers/mcp-handler.ts
-import fs4 from "fs-extra";
+import path9 from "path";
+
+// src/adapters/handlers/base-mcp-handler.ts
+import fs6 from "fs-extra";
 import path8 from "path";
-var McpHandler = class {
-  /**
-   * Identifies this handler as handling "mcp" type packages.
-   * The registry uses this to route MCP packages to this handler.
-   */
+import crypto from "crypto";
+
+// src/utils/file-lock.ts
+import fs5 from "fs-extra";
+var LOCK_STALE_MS = 1e4;
+var LOCK_RETRY_MS = 100;
+var LOCK_MAX_RETRIES = 50;
+async function acquireLock(filePath) {
+  const lockPath = `${filePath}.lock`;
+  for (let i = 0; i < LOCK_MAX_RETRIES; i++) {
+    try {
+      await fs5.writeFile(lockPath, String(Date.now()), { flag: "wx" });
+      return async () => {
+        try {
+          await fs5.remove(lockPath);
+        } catch {
+        }
+      };
+    } catch (error) {
+      const err = error;
+      if (err.code === "EEXIST") {
+        try {
+          const content = await fs5.readFile(lockPath, "utf-8");
+          const lockTime = parseInt(content, 10);
+          if (!isNaN(lockTime) && Date.now() - lockTime > LOCK_STALE_MS) {
+            await fs5.remove(lockPath);
+            continue;
+          }
+        } catch {
+          await fs5.remove(lockPath).catch(() => {
+          });
+          continue;
+        }
+        await new Promise((resolve) => setTimeout(resolve, LOCK_RETRY_MS));
+        continue;
+      }
+      throw error;
+    }
+  }
+  throw new Error(
+    `Could not acquire lock for ${filePath} after ${LOCK_MAX_RETRIES} retries`
+  );
+}
+async function withFileLock(filePath, fn) {
+  const release = await acquireLock(filePath);
+  try {
+    return await fn();
+  } finally {
+    await release();
+  }
+}
+
+// src/adapters/handlers/base-mcp-handler.ts
+var BaseMcpHandler = class {
   packageType = "mcp";
-  /**
-   * Install an MCP package.
-   *
-   * The installation process:
-   * 1. Validate the MCP configuration for security
-   * 2. Read the existing ~/.claude.json configuration
-   * 3. Add the new MCP server to the mcpServers section
-   * 4. Write the updated configuration back
-   *
-   * @param manifest - The package manifest with MCP configuration
-   * @param _context - Install context (not used for MCP, but required by interface)
-   * @returns Array containing the path to the modified config file
-   * @throws Error if MCP configuration fails security validation
-   */
   async install(manifest, _context) {
     const filesWritten = [];
     if (!isMcpManifest(manifest)) {
@@ -755,70 +915,68 @@ var McpHandler = class {
     if (!mcpValidation.valid) {
       throw new Error(`MCP security validation failed: ${mcpValidation.error}`);
     }
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path8.join(path8.dirname(claudeHome), ".claude.json");
-    let existingConfig = {};
-    if (await fs4.pathExists(mcpConfigPath)) {
-      try {
-        existingConfig = await fs4.readJson(mcpConfigPath);
-      } catch {
-        logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
-        existingConfig = {};
-      }
-    }
-    const sanitizedName = sanitizeFolderName(manifest.name);
-    const existingMcpServers = existingConfig.mcpServers || {};
-    const updatedConfig = {
-      ...existingConfig,
-      // Preserve all other config settings
-      mcpServers: {
-        ...existingMcpServers,
-        // Preserve other MCP servers
-        [sanitizedName]: {
-          // Add/update this package's MCP server
-          command: manifest.mcp.command,
-          // e.g., "npx"
-          args: manifest.mcp.args,
-          // e.g., ["-y", "@supabase/mcp"]
-          env: manifest.mcp.env
-          // e.g., { "SUPABASE_URL": "..." }
+    const mcpConfigPath = this.getConfigPath();
+    await fs6.ensureDir(path8.dirname(mcpConfigPath));
+    await withFileLock(mcpConfigPath, async () => {
+      let existingConfig = {};
+      if (await fs6.pathExists(mcpConfigPath)) {
+        try {
+          existingConfig = await fs6.readJson(mcpConfigPath);
+        } catch {
+          const backupPath = `${mcpConfigPath}.backup.${crypto.randomBytes(8).toString("hex")}`;
+          try {
+            await fs6.copy(mcpConfigPath, backupPath);
+            logger.warn(
+              `Could not parse ${mcpConfigPath}, backup saved to ${backupPath}`
+            );
+          } catch {
+            logger.warn(
+              `Could not parse ${mcpConfigPath}, creating new config`
+            );
+          }
+          existingConfig = {};
         }
       }
-    };
-    await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-    filesWritten.push(mcpConfigPath);
+      const sanitizedName = sanitizeFolderName(manifest.name);
+      const existingMcpServers = existingConfig.mcpServers || {};
+      const updatedConfig = {
+        ...existingConfig,
+        mcpServers: {
+          ...existingMcpServers,
+          [sanitizedName]: {
+            command: manifest.mcp.command,
+            args: manifest.mcp.args,
+            env: manifest.mcp.env
+          }
+        }
+      };
+      await fs6.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+      filesWritten.push(mcpConfigPath);
+    });
     return filesWritten;
   }
-  /**
-   * Uninstall an MCP package.
-   *
-   * This removes the MCP server entry from ~/.claude.json
-   *
-   * @param packageName - The name of the package to remove
-   * @param _context - Uninstall context (not used for MCP, but required by interface)
-   * @returns Array containing the path to the modified config file
-   */
   async uninstall(packageName, _context) {
     const filesWritten = [];
     const folderName = sanitizeFolderName(packageName);
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path8.join(path8.dirname(claudeHome), ".claude.json");
-    if (!await fs4.pathExists(mcpConfigPath)) {
+    const mcpConfigPath = this.getConfigPath();
+    if (!await fs6.pathExists(mcpConfigPath)) {
       return filesWritten;
     }
     try {
-      const config = await fs4.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers;
-      if (!mcpServers || !mcpServers[folderName]) {
-        return filesWritten;
-      }
-      const { [folderName]: _removed, ...remainingServers } = mcpServers;
-      const updatedConfig = {
-        ...config,
-        mcpServers: remainingServers
-      };
-      await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-      filesWritten.push(mcpConfigPath);
+      await withFileLock(mcpConfigPath, async () => {
+        const config = await fs6.readJson(mcpConfigPath);
+        const mcpServers = config.mcpServers;
+        if (!mcpServers || !mcpServers[folderName]) {
+          return;
+        }
+        const { [folderName]: _removed, ...remainingServers } = mcpServers;
+        const updatedConfig = {
+          ...config,
+          mcpServers: remainingServers
+        };
+        await fs6.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+        filesWritten.push(mcpConfigPath);
+      });
     } catch (error) {
       logger.warn(
         `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
@@ -828,6 +986,14 @@ var McpHandler = class {
   }
 };
 
+// src/adapters/handlers/mcp-handler.ts
+var McpHandler = class extends BaseMcpHandler {
+  getConfigPath() {
+    const claudeHome = getClaudeHome();
+    return path9.join(path9.dirname(claudeHome), ".claude.json");
+  }
+};
+
 // src/adapters/handlers/index.ts
 function initializeHandlers() {
   handlerRegistry.register(new RulesHandler());
@@ -837,8 +1003,6 @@ function initializeHandlers() {
 initializeHandlers();
 
 // src/adapters/claude-code.ts
-import fs5 from "fs-extra";
-import path9 from "path";
 var ClaudeCodeAdapter = class extends PlatformAdapter {
   platform = "claude-code";
   displayName = "Claude Code";
@@ -865,23 +1029,17 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
       };
     }
   }
-  async uninstall(packageName, _projectPath) {
+  async uninstall(packageName, projectPath) {
     const filesWritten = [];
-    const folderName = sanitizeFolderName(packageName);
+    const context = { projectPath };
     try {
-      const rulesBaseDir = getRulesPath("claude-code");
-      const rulesPath = path9.join(rulesBaseDir, folderName);
-      if (await fs5.pathExists(rulesPath)) {
-        await fs5.remove(rulesPath);
-        filesWritten.push(rulesPath);
-      }
-      const skillsDir = getSkillsPath();
-      const skillPath = path9.join(skillsDir, folderName);
-      if (await fs5.pathExists(skillPath)) {
-        await fs5.remove(skillPath);
-        filesWritten.push(skillPath);
+      for (const type of ["rules", "skill", "mcp"]) {
+        if (handlerRegistry.hasHandler(type)) {
+          const handler = handlerRegistry.getHandler(type);
+          const files = await handler.uninstall(packageName, context);
+          filesWritten.push(...files);
+        }
       }
-      await this.removeMcpServer(folderName, filesWritten);
       return {
         success: true,
         platform: "claude-code",
@@ -904,63 +1062,248 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
     return this.installFallback(manifest, context);
   }
   async installFallback(manifest, context) {
-    if ("skill" in manifest && manifest.skill) {
+    logger.warn(
+      `No handler registered for type "${manifest.type}", attempting content-based detection`
+    );
+    if (isSkillManifest(manifest)) {
       const handler = handlerRegistry.getHandler("skill");
       return handler.install(manifest, context);
     }
-    if ("mcp" in manifest && manifest.mcp) {
+    if (isMcpManifest(manifest)) {
       const handler = handlerRegistry.getHandler("mcp");
       return handler.install(manifest, context);
     }
-    if ("universal" in manifest && manifest.universal?.rules) {
+    if (isRulesManifest(manifest)) {
       const handler = handlerRegistry.getHandler("rules");
       return handler.install(manifest, context);
     }
     return [];
   }
-  async removeMcpServer(serverName, filesWritten) {
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path9.join(path9.dirname(claudeHome), ".claude.json");
-    if (!await fs5.pathExists(mcpConfigPath)) {
-      return;
+};
+
+// src/adapters/handlers/cursor-rules-handler.ts
+import fs7 from "fs-extra";
+import path10 from "path";
+function escapeYamlString(value) {
+  if (/[\n\r\t\0:#{}[\]&*?|>!%@`"',]/.test(value) || value.trim() !== value) {
+    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\0/g, "").replace(/\r/g, "\\r").replace(/\n/g, "\\n").replace(/\t/g, "\\t");
+    return `"${escaped}"`;
+  }
+  return value;
+}
+function toMdcContent(description, globs, rulesContent) {
+  const alwaysApply = globs.length === 0;
+  const frontmatter = [
+    "---",
+    `description: ${escapeYamlString(description)}`,
+    `globs: ${JSON.stringify(globs)}`,
+    `alwaysApply: ${alwaysApply}`,
+    "---"
+  ].join("\n");
+  return `${frontmatter}
+${rulesContent.trim()}
+`;
+}
+var CursorRulesHandler = class {
+  packageType = "rules";
+  async install(manifest, context) {
+    const filesWritten = [];
+    const rulesBaseDir = getRulesPath("cursor", context.projectPath);
+    const folderName = sanitizeFolderName(manifest.name);
+    const rulesDir = path10.join(rulesBaseDir, folderName);
+    await fs7.ensureDir(rulesDir);
+    const description = manifest.description || manifest.name;
+    const globs = manifest.universal?.globs || [];
+    if (globs.length > 0) {
+      const globValidation = validateGlobs(globs);
+      if (!globValidation.valid) {
+        throw new Error(
+          `Glob security validation failed: ${globValidation.error}`
+        );
+      }
+    }
+    if (context.packagePath && await fs7.pathExists(context.packagePath)) {
+      const files = await fs7.readdir(context.packagePath);
+      const mdFiles = files.filter(
+        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
+      );
+      if (mdFiles.length > 0) {
+        for (const file of mdFiles) {
+          const validation = sanitizeFileName(file);
+          if (!validation.valid) {
+            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
+            continue;
+          }
+          const srcPath = path10.join(context.packagePath, file);
+          const mdcFileName = validation.sanitized.replace(/\.md$/, ".mdc");
+          const destPath = path10.join(rulesDir, mdcFileName);
+          if (!isPathWithinDirectory(destPath, rulesDir)) {
+            logger.warn(`Blocked path traversal attempt: ${file}`);
+            continue;
+          }
+          const srcStat = await fs7.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          const content = await fs7.readFile(srcPath, "utf-8");
+          const mdcContent2 = toMdcContent(description, globs, content);
+          await fs7.writeFile(destPath, mdcContent2, "utf-8");
+          filesWritten.push(destPath);
+        }
+        const metadataPath2 = await writePackageMetadata(rulesDir, manifest);
+        filesWritten.push(metadataPath2);
+        return filesWritten;
+      }
+    }
+    const rulesContent = this.getRulesContent(manifest);
+    if (!rulesContent) return filesWritten;
+    const rulesPath = path10.join(rulesDir, "RULES.mdc");
+    const mdcContent = toMdcContent(description, globs, rulesContent);
+    await fs7.writeFile(rulesPath, mdcContent, "utf-8");
+    filesWritten.push(rulesPath);
+    const metadataPath = await writePackageMetadata(rulesDir, manifest);
+    filesWritten.push(metadataPath);
+    return filesWritten;
+  }
+  async uninstall(packageName, context) {
+    const filesRemoved = [];
+    const folderName = sanitizeFolderName(packageName);
+    const rulesBaseDir = getRulesPath("cursor", context.projectPath);
+    const rulesPath = path10.join(rulesBaseDir, folderName);
+    if (await fs7.pathExists(rulesPath)) {
+      await fs7.remove(rulesPath);
+      filesRemoved.push(rulesPath);
+    }
+    return filesRemoved;
+  }
+  getRulesContent(manifest) {
+    if (isRulesManifest(manifest)) {
+      return manifest.universal.rules || manifest.universal.prompt;
     }
+    return void 0;
+  }
+};
+
+// src/adapters/handlers/cursor-mcp-handler.ts
+var CursorMcpHandler = class extends BaseMcpHandler {
+  getConfigPath() {
+    return getCursorMcpConfigPath();
+  }
+};
+
+// src/adapters/cursor.ts
+var cursorRulesHandler = new CursorRulesHandler();
+var cursorMcpHandler = new CursorMcpHandler();
+var CursorAdapter = class extends PlatformAdapter {
+  platform = "cursor";
+  displayName = "Cursor";
+  async isAvailable(_projectPath) {
+    return true;
+  }
+  async install(manifest, projectPath, packagePath) {
+    const filesWritten = [];
     try {
-      const config = await fs5.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers;
-      if (!mcpServers || !mcpServers[serverName]) {
-        return;
+      const context = { projectPath, packagePath };
+      if (manifest.type === "skill") {
+        logger.warn(
+          `Package "${manifest.name}" is a skill package. Skills are not supported on Cursor \u2014 skipping.`
+        );
+        return {
+          success: true,
+          platform: "cursor",
+          filesWritten
+        };
       }
-      const { [serverName]: _removed, ...remainingServers } = mcpServers;
-      const updatedConfig = {
-        ...config,
-        mcpServers: remainingServers
+      const result = await this.installByType(manifest, context);
+      filesWritten.push(...result);
+      return {
+        success: true,
+        platform: "cursor",
+        filesWritten
       };
-      await fs5.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-      filesWritten.push(mcpConfigPath);
     } catch (error) {
-      logger.warn(
-        `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
+      return {
+        success: false,
+        platform: "cursor",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async uninstall(packageName, projectPath) {
+    const filesWritten = [];
+    const context = { projectPath };
+    try {
+      const rulesFiles = await cursorRulesHandler.uninstall(
+        packageName,
+        context
       );
+      filesWritten.push(...rulesFiles);
+      const mcpFiles = await cursorMcpHandler.uninstall(packageName, context);
+      filesWritten.push(...mcpFiles);
+      return {
+        success: true,
+        platform: "cursor",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "cursor",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async installByType(manifest, context) {
+    switch (manifest.type) {
+      case "rules":
+        return cursorRulesHandler.install(manifest, context);
+      case "mcp":
+        return cursorMcpHandler.install(manifest, context);
+      default:
+        logger.warn(
+          `Package type "${manifest.type}" is not yet supported on Cursor`
+        );
+        return [];
     }
   }
 };
 
 // src/adapters/index.ts
 var adapters = {
-  "claude-code": new ClaudeCodeAdapter()
+  "claude-code": new ClaudeCodeAdapter(),
+  cursor: new CursorAdapter()
 };
 function getAdapter(platform) {
-  return adapters[platform];
+  const adapter = adapters[platform];
+  if (!adapter) {
+    throw new Error(`No adapter available for platform: ${platform}`);
+  }
+  return adapter;
 }
 
 // src/utils/registry.ts
 import got from "got";
-import fs6 from "fs-extra";
-import path10 from "path";
-import os2 from "os";
-var DEFAULT_REGISTRY_URL = process.env.CPM_REGISTRY_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
-var CACHE_DIR = path10.join(os2.homedir(), ".cpm", "cache");
-var CACHE_FILE = path10.join(CACHE_DIR, "registry.json");
+import fs8 from "fs-extra";
+import path11 from "path";
+import os3 from "os";
+function getRegistryUrl() {
+  const envUrl = process.env.CPM_REGISTRY_URL;
+  if (envUrl) {
+    if (!envUrl.startsWith("https://")) {
+      throw new Error(
+        "CPM_REGISTRY_URL must use HTTPS. HTTP registries are not allowed for security reasons."
+      );
+    }
+    return envUrl;
+  }
+  return "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
+}
+var DEFAULT_REGISTRY_URL = getRegistryUrl();
+var CACHE_DIR = path11.join(os3.homedir(), ".cpm", "cache");
+var CACHE_FILE = path11.join(CACHE_DIR, "registry.json");
 var comparators = {
   downloads: (a, b) => (b.downloads ?? 0) - (a.downloads ?? 0),
   stars: (a, b) => (b.stars ?? 0) - (a.stars ?? 0),
@@ -1022,11 +1365,11 @@ var Registry = class {
   }
   async loadFileCache() {
     try {
-      await fs6.ensureDir(CACHE_DIR);
-      if (await fs6.pathExists(CACHE_FILE)) {
-        const stat = await fs6.stat(CACHE_FILE);
+      await fs8.ensureDir(CACHE_DIR);
+      if (await fs8.pathExists(CACHE_FILE)) {
+        const stat = await fs8.stat(CACHE_FILE);
         if (Date.now() - stat.mtimeMs < LIMITS.CACHE_TTL_MS) {
-          return await fs6.readJson(CACHE_FILE);
+          return await fs8.readJson(CACHE_FILE);
         }
       }
     } catch {
@@ -1035,8 +1378,8 @@ var Registry = class {
   }
   async saveFileCache(data) {
     try {
-      await fs6.ensureDir(CACHE_DIR);
-      await fs6.writeJson(CACHE_FILE, data, { spaces: 2 });
+      await fs8.ensureDir(CACHE_DIR);
+      await fs8.writeJson(CACHE_FILE, data, { spaces: 2 });
     } catch {
     }
   }
@@ -1059,8 +1402,8 @@ var Registry = class {
       return this.cache;
     }
     try {
-      if (await fs6.pathExists(CACHE_FILE)) {
-        const cached = await fs6.readJson(CACHE_FILE);
+      if (await fs8.pathExists(CACHE_FILE)) {
+        const cached = await fs8.readJson(CACHE_FILE);
         this.cache = cached;
         return cached;
       }
@@ -1100,9 +1443,9 @@ var Registry = class {
 var registry = new Registry();
 
 // src/utils/downloader.ts
-import fs8 from "fs-extra";
-import path12 from "path";
-import os3 from "os";
+import fs10 from "fs-extra";
+import path13 from "path";
+import os4 from "os";
 
 // src/sources/manifest-resolver.ts
 var ManifestResolver = class {
@@ -1195,76 +1538,45 @@ var ManifestResolver = class {
 // src/sources/repository-source.ts
 import got2 from "got";
 import yaml from "yaml";
+var PACKAGES_REPO_BASE = "https://raw.githubusercontent.com/cpmai-dev/packages/main/packages";
 var RepositorySource = class {
-  /**
-   * Name of this source for logging and debugging.
-   */
   name = "repository";
-  /**
-   * Priority 1 - this is the first source tried.
-   * Repository fetching is fast and provides complete manifests.
-   */
   priority = 1;
-  /**
-   * Check if this source can fetch the given package.
-   *
-   * We can only fetch from GitHub repositories, so we check
-   * if the package has a repository URL that includes "github.com".
-   *
-   * @param pkg - The registry package to check
-   * @returns true if the package has a GitHub repository URL
-   *
-   * @example
-   * ```typescript
-   * // Package with GitHub repo
-   * canFetch({ repository: "https://github.com/cpm/rules" }) // true
-   *
-   * // Package without repo
-   * canFetch({ repository: undefined }) // false
-   *
-   * // Package with non-GitHub repo
-   * canFetch({ repository: "https://gitlab.com/..." }) // false
-   * ```
-   */
   canFetch(pkg) {
-    return !!pkg.repository?.includes("github.com");
+    return !!pkg.path || !!pkg.repository?.includes("github.com");
   }
-  /**
-   * Fetch the manifest from the package's GitHub repository.
-   *
-   * This method:
-   * 1. Extracts the owner and repo name from the URL
-   * 2. Constructs a raw.githubusercontent.com URL for cpm.yaml
-   * 3. Fetches the file with a timeout
-   * 4. Parses the YAML content
-   *
-   * @param pkg - The registry package to fetch
-   * @param _context - Fetch context (not used by this source)
-   * @returns The parsed manifest, or null if fetch fails
-   *
-   * @example
-   * ```typescript
-   * const manifest = await source.fetch({
-   *   name: "@cpm/typescript-rules",
-   *   repository: "https://github.com/cpm/typescript-rules",
-   *   // ... other fields
-   * }, context);
-   *
-   * if (manifest) {
-   *   console.log("Fetched:", manifest.name, manifest.version);
-   * }
-   * ```
-   */
   async fetch(pkg, _context) {
-    if (!pkg.repository) return null;
+    if (pkg.path) {
+      const manifest = await this.fetchFromPackagesRepo(pkg.path);
+      if (manifest) return manifest;
+    }
+    if (pkg.repository) {
+      return this.fetchFromStandaloneRepo(pkg.repository);
+    }
+    return null;
+  }
+  async fetchFromPackagesRepo(packagePath) {
+    if (packagePath.includes("..") || packagePath.startsWith("/") || packagePath.includes("\\")) {
+      return null;
+    }
+    const rawUrl = `${PACKAGES_REPO_BASE}/${packagePath}/cpm.yaml`;
+    try {
+      const response = await got2(rawUrl, {
+        timeout: { request: TIMEOUTS.MANIFEST_FETCH }
+      });
+      return yaml.parse(response.body);
+    } catch {
+      return null;
+    }
+  }
+  async fetchFromStandaloneRepo(repository) {
     try {
-      const match = pkg.repository.match(/github\.com\/([^/]+)\/([^/]+)/);
+      const match = repository.match(/github\.com\/([^/]+)\/([^/]+)/);
       if (!match) return null;
       const [, owner, repo] = match;
       const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/cpm.yaml`;
       const response = await got2(rawUrl, {
         timeout: { request: TIMEOUTS.MANIFEST_FETCH }
-        // 5 second timeout
       });
       return yaml.parse(response.body);
     } catch {
@@ -1275,8 +1587,8 @@ var RepositorySource = class {
 
 // src/sources/tarball-source.ts
 import got3 from "got";
-import fs7 from "fs-extra";
-import path11 from "path";
+import fs9 from "fs-extra";
+import path12 from "path";
 import * as tar from "tar";
 import yaml2 from "yaml";
 var TarballSource = class {
@@ -1328,12 +1640,12 @@ var TarballSource = class {
         responseType: "buffer"
         // Get raw binary data
       });
-      const tarballPath = path11.join(context.tempDir, "package.tar.gz");
-      await fs7.writeFile(tarballPath, response.body);
+      const tarballPath = path12.join(context.tempDir, "package.tar.gz");
+      await fs9.writeFile(tarballPath, response.body);
       await this.extractTarball(tarballPath, context.tempDir);
-      const manifestPath = path11.join(context.tempDir, "cpm.yaml");
-      if (await fs7.pathExists(manifestPath)) {
-        const content = await fs7.readFile(manifestPath, "utf-8");
+      const manifestPath = path12.join(context.tempDir, "cpm.yaml");
+      if (await fs9.pathExists(manifestPath)) {
+        const content = await fs9.readFile(manifestPath, "utf-8");
         return yaml2.parse(content);
       }
       return null;
@@ -1355,8 +1667,8 @@ var TarballSource = class {
    * @param destDir - Directory to extract to
    */
   async extractTarball(tarballPath, destDir) {
-    await fs7.ensureDir(destDir);
-    const resolvedDestDir = path11.resolve(destDir);
+    await fs9.ensureDir(destDir);
+    const resolvedDestDir = path12.resolve(destDir);
     await tar.extract({
       file: tarballPath,
       // The tarball file to extract
@@ -1366,8 +1678,8 @@ var TarballSource = class {
       // Remove the top-level directory (e.g., "package-1.0.0/")
       // Security filter: check each entry before extracting
       filter: (entryPath) => {
-        const resolvedPath = path11.resolve(destDir, entryPath);
-        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path11.sep) || resolvedPath === resolvedDestDir;
+        const resolvedPath = path12.resolve(destDir, entryPath);
+        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path12.sep) || resolvedPath === resolvedDestDir;
         if (!isWithinDest) {
           logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
           return false;
@@ -2048,15 +2360,15 @@ function createDefaultResolver() {
 var defaultResolver = createDefaultResolver();
 
 // src/utils/downloader.ts
-var TEMP_DIR = path12.join(os3.tmpdir(), "cpm-downloads");
+var TEMP_DIR = path13.join(os4.tmpdir(), "cpm-downloads");
 async function downloadPackage(pkg) {
   try {
-    await fs8.ensureDir(TEMP_DIR);
-    const packageTempDir = path12.join(
+    await fs10.ensureDir(TEMP_DIR);
+    const packageTempDir = path13.join(
       TEMP_DIR,
       `${pkg.name.replace(/[@/]/g, "_")}-${Date.now()}`
     );
-    await fs8.ensureDir(packageTempDir);
+    await fs10.ensureDir(packageTempDir);
     const manifest = await defaultResolver.resolve(pkg, {
       tempDir: packageTempDir
     });
@@ -2071,7 +2383,7 @@ async function downloadPackage(pkg) {
 async function cleanupTempDir(tempDir) {
   try {
     if (tempDir.startsWith(TEMP_DIR)) {
-      await fs8.remove(tempDir);
+      await fs10.remove(tempDir);
     }
   } catch {
   }
@@ -2198,7 +2510,7 @@ var SEMANTIC_COLORS = {
 
 // src/commands/ui/formatters.ts
 import chalk2 from "chalk";
-import path13 from "path";
+import path14 from "path";
 function formatNumber(num) {
   if (num >= 1e6) {
     return `${(num / 1e6).toFixed(1)}M`;
@@ -2209,7 +2521,7 @@ function formatNumber(num) {
   return num.toString();
 }
 function formatPath(filePath) {
-  const relativePath = path13.relative(process.cwd(), filePath);
+  const relativePath = path14.relative(process.cwd(), filePath);
   if (relativePath.startsWith("..")) {
     return filePath;
   }
@@ -2271,8 +2583,12 @@ function formatUsageHints(manifest) {
       if ("mcp" in manifest && manifest.mcp?.env) {
         const envVars = Object.keys(manifest.mcp.env);
         if (envVars.length > 0) {
-          hints.push(chalk2.yellow(`
-  Required environment variables:`));
+          hints.push(
+            chalk2.yellow(
+              `
+  Configure these environment variables in ~/.claude.json:`
+            )
+          );
           for (const envVar of envVars) {
             hints.push(chalk2.dim(`    - ${envVar}`));
           }
@@ -2463,7 +2779,11 @@ async function installCommand(packageName, rawOptions) {
     tempDir = downloadResult.tempDir;
     const targetPlatforms = [options.platform];
     spinner.update(`Installing to ${targetPlatforms.join(", ")}...`);
-    await ensureClaudeDirs();
+    if (options.platform === "cursor") {
+      await ensureCursorDirs(process.cwd());
+    } else {
+      await ensureClaudeDirs();
+    }
     const results = await installToPlatforms(
       manifest,
       tempDir,
@@ -2539,28 +2859,28 @@ async function searchCommand(query, rawOptions) {
 
 // src/commands/list.ts
 import chalk4 from "chalk";
-import fs9 from "fs-extra";
-import path14 from "path";
-import os4 from "os";
+import fs11 from "fs-extra";
+import path15 from "path";
+import os5 from "os";
 async function readPackageMetadata(packageDir) {
-  const metadataPath = path14.join(packageDir, ".cpm.json");
+  const metadataPath = path15.join(packageDir, ".cpm.json");
   try {
-    if (await fs9.pathExists(metadataPath)) {
-      return await fs9.readJson(metadataPath);
+    if (await fs11.pathExists(metadataPath)) {
+      return await fs11.readJson(metadataPath);
     }
   } catch {
   }
   return null;
 }
-async function scanDirectory(dir, type) {
+async function scanDirectory(dir, type, platform) {
   const items = [];
-  if (!await fs9.pathExists(dir)) {
+  if (!await fs11.pathExists(dir)) {
     return items;
   }
-  const entries = await fs9.readdir(dir);
+  const entries = await fs11.readdir(dir);
   for (const entry of entries) {
-    const entryPath = path14.join(dir, entry);
-    const stat = await fs9.stat(entryPath);
+    const entryPath = path15.join(dir, entry);
+    const stat = await fs11.stat(entryPath);
     if (stat.isDirectory()) {
       const metadata = await readPackageMetadata(entryPath);
       items.push({
@@ -2568,27 +2888,28 @@ async function scanDirectory(dir, type) {
         folderName: entry,
         type,
         version: metadata?.version,
-        path: entryPath
+        path: entryPath,
+        platform
       });
     }
   }
   return items;
 }
-async function scanMcpServers() {
+async function scanMcpServersFromConfig(configPath, platform) {
   const items = [];
-  const configPath = path14.join(os4.homedir(), ".claude.json");
-  if (!await fs9.pathExists(configPath)) {
+  if (!await fs11.pathExists(configPath)) {
     return items;
   }
   try {
-    const config = await fs9.readJson(configPath);
+    const config = await fs11.readJson(configPath);
     const mcpServers = config.mcpServers || {};
     for (const name of Object.keys(mcpServers)) {
       items.push({
         name,
         folderName: name,
         type: "mcp",
-        path: configPath
+        path: configPath,
+        platform
       });
     }
   } catch {
@@ -2596,13 +2917,24 @@ async function scanMcpServers() {
   return items;
 }
 async function scanInstalledPackages() {
-  const claudeHome = path14.join(os4.homedir(), ".claude");
-  const [rules, skills, mcp] = await Promise.all([
-    scanDirectory(path14.join(claudeHome, "rules"), "rules"),
-    scanDirectory(path14.join(claudeHome, "skills"), "skill"),
-    scanMcpServers()
+  const claudeHome = path15.join(os5.homedir(), ".claude");
+  const cursorRulesDir = path15.join(process.cwd(), ".cursor", "rules");
+  const cursorMcpConfig = getCursorMcpConfigPath();
+  const claudeMcpConfig = path15.join(os5.homedir(), ".claude.json");
+  const [claudeRules, claudeSkills, claudeMcp, cursorRules, cursorMcp] = await Promise.all([
+    scanDirectory(path15.join(claudeHome, "rules"), "rules", "claude-code"),
+    scanDirectory(path15.join(claudeHome, "skills"), "skill", "claude-code"),
+    scanMcpServersFromConfig(claudeMcpConfig, "claude-code"),
+    scanDirectory(cursorRulesDir, "rules", "cursor"),
+    scanMcpServersFromConfig(cursorMcpConfig, "cursor")
   ]);
-  return [...rules, ...skills, ...mcp];
+  return [
+    ...claudeRules,
+    ...claudeSkills,
+    ...claudeMcp,
+    ...cursorRules,
+    ...cursorMcp
+  ];
 }
 function groupByType(packages) {
   return packages.reduce(
@@ -2615,8 +2947,9 @@ function groupByType(packages) {
 }
 function displayPackage(pkg) {
   const version = pkg.version ? SEMANTIC_COLORS.dim(` v${pkg.version}`) : "";
+  const platform = pkg.platform ? SEMANTIC_COLORS.dim(` [${pkg.platform}]`) : "";
   logger.log(
-    `    ${SEMANTIC_COLORS.success("\u25C9")} ${chalk4.bold(pkg.name)}${version}`
+    `    ${SEMANTIC_COLORS.success("\u25C9")} ${chalk4.bold(pkg.name)}${version}${platform}`
   );
 }
 function displayByType(byType) {
@@ -2679,15 +3012,22 @@ async function uninstallCommand(packageName) {
   const spinner = createSpinner(spinnerText("Uninstalling", packageName));
   try {
     const folderName = extractFolderName(packageName);
-    const adapter = getAdapter("claude-code");
-    const result = await adapter.uninstall(folderName, process.cwd());
-    if (result.success && result.filesWritten.length > 0) {
+    const allFilesRemoved = [];
+    for (const platform of VALID_PLATFORMS) {
+      try {
+        const adapter = getAdapter(platform);
+        const result = await adapter.uninstall(folderName, process.cwd());
+        if (result.success) {
+          allFilesRemoved.push(...result.filesWritten);
+        }
+      } catch {
+      }
+    }
+    if (allFilesRemoved.length > 0) {
       spinner.succeed(successText("Uninstalled", packageName));
-      displayRemovedFiles(result.filesWritten);
-    } else if (result.success) {
-      spinner.warn(`Package ${packageName} was not found`);
+      displayRemovedFiles(allFilesRemoved);
     } else {
-      spinner.fail(failText("Failed to uninstall", packageName, result.error));
+      spinner.warn(`Package ${packageName} was not found`);
     }
   } catch (error) {
     spinner.fail(failText("Failed to uninstall", packageName));