@cpmai/cli 0.3.0-beta.1 → 0.3.0-beta.3

package/dist/index.js

@@ -3,6 +3,7 @@
 // src/index.ts
 import { Command } from "commander";
 import chalk5 from "chalk";
+import { createRequire } from "module";
 
 // src/constants.ts
 var TIMEOUTS = {
@@ -47,10 +48,7 @@ var SEARCH_SORT_OPTIONS = [
   "name"
   // Alphabetical order
 ];
-var VALID_PLATFORMS = [
-  "claude-code"
-  // Currently the only supported platform
-];
+var VALID_PLATFORMS = ["claude-code", "cursor"];
 var ALLOWED_MCP_COMMANDS = [
   "npx",
   // Node package executor
@@ -76,6 +74,8 @@ var BLOCKED_MCP_ARG_PATTERNS = [
   // Concatenated eval flag (e.g., -eCODE)
   /-c(?:\s|$)/,
   // Command flag (with space or at end)
+  /^-c\S/,
+  // Concatenated command flag (e.g., -cCODE)
   /\bcurl\b/i,
   // curl command (data exfiltration)
   /\bwget\b/i,
@@ -147,15 +147,15 @@ function isSkillManifest(manifest) {
 function isMcpManifest(manifest) {
   return manifest.type === "mcp";
 }
-function getTypeFromPath(path14) {
-  if (path14.startsWith("skills/")) return "skill";
-  if (path14.startsWith("rules/")) return "rules";
-  if (path14.startsWith("mcp/")) return "mcp";
-  if (path14.startsWith("agents/")) return "agent";
-  if (path14.startsWith("hooks/")) return "hook";
-  if (path14.startsWith("workflows/")) return "workflow";
-  if (path14.startsWith("templates/")) return "template";
-  if (path14.startsWith("bundles/")) return "bundle";
+function getTypeFromPath(path16) {
+  if (path16.startsWith("skills/")) return "skill";
+  if (path16.startsWith("rules/")) return "rules";
+  if (path16.startsWith("mcp/")) return "mcp";
+  if (path16.startsWith("agents/")) return "agent";
+  if (path16.startsWith("hooks/")) return "hook";
+  if (path16.startsWith("workflows/")) return "workflow";
+  if (path16.startsWith("templates/")) return "template";
+  if (path16.startsWith("bundles/")) return "bundle";
   return null;
 }
 function resolvePackageType(pkg) {
@@ -265,11 +265,12 @@ var HandlerRegistry = class {
 var handlerRegistry = new HandlerRegistry();
 
 // src/adapters/handlers/rules-handler.ts
-import fs2 from "fs-extra";
-import path5 from "path";
+import fs3 from "fs-extra";
+import path6 from "path";
 
 // src/utils/platform.ts
 import path2 from "path";
+import os2 from "os";
 
 // src/utils/config.ts
 import path from "path";
@@ -283,13 +284,28 @@ async function ensureClaudeDirs() {
   await fs.ensureDir(path.join(claudeHome, "rules"));
   await fs.ensureDir(path.join(claudeHome, "skills"));
 }
+async function ensureCursorDirs(projectPath) {
+  await fs.ensureDir(path.join(projectPath, ".cursor", "rules"));
+}
 
 // src/utils/platform.ts
-function getRulesPath(platform) {
-  if (platform !== "claude-code") {
-    throw new Error(`Rules path is not supported for platform: ${platform}`);
+function getCursorHome() {
+  return path2.join(os2.homedir(), ".cursor");
+}
+function getCursorMcpConfigPath() {
+  return path2.join(getCursorHome(), "mcp.json");
+}
+function getRulesPath(platform, projectPath) {
+  if (platform === "claude-code") {
+    return path2.join(getClaudeHome(), "rules");
   }
-  return path2.join(getClaudeHome(), "rules");
+  if (platform === "cursor") {
+    if (!projectPath) {
+      return path2.join(process.cwd(), ".cursor", "rules");
+    }
+    return path2.join(projectPath, ".cursor", "rules");
+  }
+  throw new Error(`Rules path is not supported for platform: ${platform}`);
 }
 function getSkillsPath() {
   return path2.join(getClaudeHome(), "skills");
@@ -504,17 +520,70 @@ function isPathWithinDirectory(filePath, directory) {
   return resolvedPath.startsWith(resolvedDir + path4.sep) || resolvedPath === resolvedDir;
 }
 
-// src/adapters/handlers/rules-handler.ts
+// src/security/glob-validator.ts
+var BLOCKED_GLOB_PATTERNS = [
+  // Environment and secret files
+  { pattern: /\.env\b/i, reason: "targets environment/secret files" },
+  { pattern: /\.secret/i, reason: "targets secret files" },
+  { pattern: /credentials/i, reason: "targets credential files" },
+  { pattern: /\.pem$/i, reason: "targets PEM certificate/key files" },
+  { pattern: /\.key$/i, reason: "targets key files" },
+  { pattern: /\.p12$/i, reason: "targets PKCS12 certificate files" },
+  { pattern: /\.pfx$/i, reason: "targets PFX certificate files" },
+  // SSH and GPG
+  { pattern: /\.ssh\//i, reason: "targets SSH directory" },
+  { pattern: /id_rsa/i, reason: "targets SSH private keys" },
+  { pattern: /id_ed25519/i, reason: "targets SSH private keys" },
+  { pattern: /\.gnupg\//i, reason: "targets GPG directory" },
+  // Git internals
+  { pattern: /\.git\//, reason: "targets git internals" },
+  // Config files with potential secrets
+  { pattern: /\.claude\.json$/i, reason: "targets Claude Code config" },
+  { pattern: /\.npmrc$/i, reason: "targets npm config (may contain tokens)" },
+  { pattern: /\.pypirc$/i, reason: "targets PyPI config (may contain tokens)" },
+  // System files
+  { pattern: /\/etc\//, reason: "targets system configuration" },
+  { pattern: /\/passwd/, reason: "targets system password file" },
+  { pattern: /\/shadow/, reason: "targets system shadow file" },
+  // Path traversal in globs
+  { pattern: /\.\.\//, reason: "contains path traversal" }
+];
+function validateGlob(glob) {
+  if (!glob || typeof glob !== "string") {
+    return { valid: false, error: "Glob pattern cannot be empty" };
+  }
+  if (glob.includes("\0")) {
+    return { valid: false, error: "Glob pattern contains null bytes" };
+  }
+  for (const { pattern, reason } of BLOCKED_GLOB_PATTERNS) {
+    if (pattern.test(glob)) {
+      return {
+        valid: false,
+        error: `Glob pattern "${glob}" is blocked: ${reason}`
+      };
+    }
+  }
+  return { valid: true };
+}
+function validateGlobs(globs) {
+  for (const glob of globs) {
+    const result = validateGlob(glob);
+    if (!result.valid) {
+      return result;
+    }
+  }
+  return { valid: true };
+}
+
+// src/adapters/handlers/metadata.ts
+import fs2 from "fs-extra";
+import path5 from "path";
 async function writePackageMetadata(packageDir, manifest) {
   const metadata = {
     name: manifest.name,
-    // e.g., "@cpm/typescript-strict"
     version: manifest.version,
-    // e.g., "1.0.0"
     type: manifest.type,
-    // e.g., "rules"
     installedAt: (/* @__PURE__ */ new Date()).toISOString()
-    // ISO timestamp for when it was installed
   };
   const metadataPath = path5.join(packageDir, ".cpm.json");
   try {
@@ -526,6 +595,8 @@ async function writePackageMetadata(packageDir, manifest) {
   }
   return metadataPath;
 }
+
+// src/adapters/handlers/rules-handler.ts
 var RulesHandler = class {
   /**
    * Identifies this handler as handling "rules" type packages.
@@ -549,10 +620,10 @@ var RulesHandler = class {
     const filesWritten = [];
     const rulesBaseDir = getRulesPath("claude-code");
     const folderName = sanitizeFolderName(manifest.name);
-    const rulesDir = path5.join(rulesBaseDir, folderName);
-    await fs2.ensureDir(rulesDir);
-    if (context.packagePath && await fs2.pathExists(context.packagePath)) {
-      const files = await fs2.readdir(context.packagePath);
+    const rulesDir = path6.join(rulesBaseDir, folderName);
+    await fs3.ensureDir(rulesDir);
+    if (context.packagePath && await fs3.pathExists(context.packagePath)) {
+      const files = await fs3.readdir(context.packagePath);
       const mdFiles = files.filter(
         (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
       );
@@ -563,13 +634,18 @@ var RulesHandler = class {
             logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
             continue;
           }
-          const srcPath = path5.join(context.packagePath, file);
-          const destPath = path5.join(rulesDir, validation.sanitized);
+          const srcPath = path6.join(context.packagePath, file);
+          const destPath = path6.join(rulesDir, validation.sanitized);
           if (!isPathWithinDirectory(destPath, rulesDir)) {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
           }
-          await fs2.copy(srcPath, destPath);
+          const srcStat = await fs3.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          await fs3.copy(srcPath, destPath);
           filesWritten.push(destPath);
         }
         const metadataPath2 = await writePackageMetadata(rulesDir, manifest);
@@ -579,14 +655,14 @@ var RulesHandler = class {
     }
     const rulesContent = this.getRulesContent(manifest);
     if (!rulesContent) return filesWritten;
-    const rulesPath = path5.join(rulesDir, "RULES.md");
+    const rulesPath = path6.join(rulesDir, "RULES.md");
     const content = `# ${manifest.name}
 
 ${manifest.description}
 
 ${rulesContent.trim()}
 `;
-    await fs2.writeFile(rulesPath, content, "utf-8");
+    await fs3.writeFile(rulesPath, content, "utf-8");
     filesWritten.push(rulesPath);
     const metadataPath = await writePackageMetadata(rulesDir, manifest);
     filesWritten.push(metadataPath);
@@ -605,9 +681,9 @@ ${rulesContent.trim()}
     const filesRemoved = [];
     const folderName = sanitizeFolderName(packageName);
     const rulesBaseDir = getRulesPath("claude-code");
-    const rulesPath = path5.join(rulesBaseDir, folderName);
-    if (await fs2.pathExists(rulesPath)) {
-      await fs2.remove(rulesPath);
+    const rulesPath = path6.join(rulesBaseDir, folderName);
+    if (await fs3.pathExists(rulesPath)) {
+      await fs3.remove(rulesPath);
       filesRemoved.push(rulesPath);
     }
     return filesRemoved;
@@ -623,7 +699,7 @@ ${rulesContent.trim()}
    * @returns The rules content string, or undefined if none exists
    */
   getRulesContent(manifest) {
-    if (isRulesManifest(manifest)) {
+    if (isRulesManifest(manifest) && manifest.universal) {
       return manifest.universal.rules || manifest.universal.prompt;
     }
     return void 0;
@@ -631,29 +707,8 @@ ${rulesContent.trim()}
 };
 
 // src/adapters/handlers/skill-handler.ts
-import fs3 from "fs-extra";
-import path6 from "path";
-async function writePackageMetadata2(packageDir, manifest) {
-  const metadata = {
-    name: manifest.name,
-    // e.g., "@cpm/commit-skill"
-    version: manifest.version,
-    // e.g., "1.0.0"
-    type: manifest.type,
-    // e.g., "skill"
-    installedAt: (/* @__PURE__ */ new Date()).toISOString()
-    // ISO timestamp for when it was installed
-  };
-  const metadataPath = path6.join(packageDir, ".cpm.json");
-  try {
-    await fs3.writeJson(metadataPath, metadata, { spaces: 2 });
-  } catch (error) {
-    logger.warn(
-      `Could not write metadata: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-  return metadataPath;
-}
+import fs4 from "fs-extra";
+import path7 from "path";
 function formatSkillMd(manifest) {
   const skill = manifest.skill;
   const content = manifest.universal?.prompt || manifest.universal?.rules || "";
@@ -696,10 +751,10 @@ var SkillHandler = class {
     const filesWritten = [];
     const skillsDir = getSkillsPath();
     const folderName = sanitizeFolderName(manifest.name);
-    const skillDir = path6.join(skillsDir, folderName);
-    await fs3.ensureDir(skillDir);
-    if (context.packagePath && await fs3.pathExists(context.packagePath)) {
-      const files = await fs3.readdir(context.packagePath);
+    const skillDir = path7.join(skillsDir, folderName);
+    await fs4.ensureDir(skillDir);
+    if (context.packagePath && await fs4.pathExists(context.packagePath)) {
+      const files = await fs4.readdir(context.packagePath);
       const contentFiles = files.filter(
         (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
       );
@@ -710,40 +765,45 @@ var SkillHandler = class {
             logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
             continue;
           }
-          const srcPath = path6.join(context.packagePath, file);
-          const destPath = path6.join(skillDir, validation.sanitized);
+          const srcPath = path7.join(context.packagePath, file);
+          const destPath = path7.join(skillDir, validation.sanitized);
           if (!isPathWithinDirectory(destPath, skillDir)) {
             logger.warn(`Blocked path traversal attempt: ${file}`);
             continue;
           }
-          await fs3.copy(srcPath, destPath);
+          const srcStat = await fs4.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          await fs4.copy(srcPath, destPath);
           filesWritten.push(destPath);
         }
-        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        const metadataPath = await writePackageMetadata(skillDir, manifest);
         filesWritten.push(metadataPath);
         return filesWritten;
       }
     }
     if (isSkillManifest(manifest)) {
       const skillContent = formatSkillMd(manifest);
-      const skillPath = path6.join(skillDir, "SKILL.md");
-      await fs3.writeFile(skillPath, skillContent, "utf-8");
+      const skillPath = path7.join(skillDir, "SKILL.md");
+      await fs4.writeFile(skillPath, skillContent, "utf-8");
       filesWritten.push(skillPath);
-      const metadataPath = await writePackageMetadata2(skillDir, manifest);
+      const metadataPath = await writePackageMetadata(skillDir, manifest);
       filesWritten.push(metadataPath);
     } else {
       const content = this.getUniversalContent(manifest);
       if (content) {
-        const skillPath = path6.join(skillDir, "SKILL.md");
+        const skillPath = path7.join(skillDir, "SKILL.md");
         const skillContent = `# ${manifest.name}
 
 ${manifest.description}
 
 ${content.trim()}
 `;
-        await fs3.writeFile(skillPath, skillContent, "utf-8");
+        await fs4.writeFile(skillPath, skillContent, "utf-8");
         filesWritten.push(skillPath);
-        const metadataPath = await writePackageMetadata2(skillDir, manifest);
+        const metadataPath = await writePackageMetadata(skillDir, manifest);
         filesWritten.push(metadataPath);
       }
     }
@@ -762,9 +822,9 @@ ${content.trim()}
     const filesRemoved = [];
     const folderName = sanitizeFolderName(packageName);
     const skillsDir = getSkillsPath();
-    const skillPath = path6.join(skillsDir, folderName);
-    if (await fs3.pathExists(skillPath)) {
-      await fs3.remove(skillPath);
+    const skillPath = path7.join(skillsDir, folderName);
+    if (await fs4.pathExists(skillPath)) {
+      await fs4.remove(skillPath);
       filesRemoved.push(skillPath);
     }
     return filesRemoved;
@@ -787,28 +847,66 @@ ${content.trim()}
 };
 
 // src/adapters/handlers/mcp-handler.ts
-import fs4 from "fs-extra";
-import path7 from "path";
-var McpHandler = class {
-  /**
-   * Identifies this handler as handling "mcp" type packages.
-   * The registry uses this to route MCP packages to this handler.
-   */
+import path9 from "path";
+
+// src/adapters/handlers/base-mcp-handler.ts
+import fs6 from "fs-extra";
+import path8 from "path";
+import crypto from "crypto";
+
+// src/utils/file-lock.ts
+import fs5 from "fs-extra";
+var LOCK_STALE_MS = 1e4;
+var LOCK_RETRY_MS = 100;
+var LOCK_MAX_RETRIES = 50;
+async function acquireLock(filePath) {
+  const lockPath = `${filePath}.lock`;
+  for (let i = 0; i < LOCK_MAX_RETRIES; i++) {
+    try {
+      await fs5.writeFile(lockPath, String(Date.now()), { flag: "wx" });
+      return async () => {
+        try {
+          await fs5.remove(lockPath);
+        } catch {
+        }
+      };
+    } catch (error) {
+      const err = error;
+      if (err.code === "EEXIST") {
+        try {
+          const content = await fs5.readFile(lockPath, "utf-8");
+          const lockTime = parseInt(content, 10);
+          if (!isNaN(lockTime) && Date.now() - lockTime > LOCK_STALE_MS) {
+            await fs5.remove(lockPath);
+            continue;
+          }
+        } catch {
+          await fs5.remove(lockPath).catch(() => {
+          });
+          continue;
+        }
+        await new Promise((resolve) => setTimeout(resolve, LOCK_RETRY_MS));
+        continue;
+      }
+      throw error;
+    }
+  }
+  throw new Error(
+    `Could not acquire lock for ${filePath} after ${LOCK_MAX_RETRIES} retries`
+  );
+}
+async function withFileLock(filePath, fn) {
+  const release = await acquireLock(filePath);
+  try {
+    return await fn();
+  } finally {
+    await release();
+  }
+}
+
+// src/adapters/handlers/base-mcp-handler.ts
+var BaseMcpHandler = class {
   packageType = "mcp";
-  /**
-   * Install an MCP package.
-   *
-   * The installation process:
-   * 1. Validate the MCP configuration for security
-   * 2. Read the existing ~/.claude.json configuration
-   * 3. Add the new MCP server to the mcpServers section
-   * 4. Write the updated configuration back
-   *
-   * @param manifest - The package manifest with MCP configuration
-   * @param _context - Install context (not used for MCP, but required by interface)
-   * @returns Array containing the path to the modified config file
-   * @throws Error if MCP configuration fails security validation
-   */
   async install(manifest, _context) {
     const filesWritten = [];
     if (!isMcpManifest(manifest)) {
@@ -818,78 +916,68 @@ var McpHandler = class {
     if (!mcpValidation.valid) {
       throw new Error(`MCP security validation failed: ${mcpValidation.error}`);
     }
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
-    let existingConfig = {};
-    if (await fs4.pathExists(mcpConfigPath)) {
-      try {
-        existingConfig = await fs4.readJson(mcpConfigPath);
-      } catch {
-        const backupPath = `${mcpConfigPath}.backup.${Date.now()}`;
+    const mcpConfigPath = this.getConfigPath();
+    await fs6.ensureDir(path8.dirname(mcpConfigPath));
+    await withFileLock(mcpConfigPath, async () => {
+      let existingConfig = {};
+      if (await fs6.pathExists(mcpConfigPath)) {
         try {
-          await fs4.copy(mcpConfigPath, backupPath);
-          logger.warn(
-            `Could not parse ${mcpConfigPath}, backup saved to ${backupPath}`
-          );
+          existingConfig = await fs6.readJson(mcpConfigPath);
         } catch {
-          logger.warn(`Could not parse ${mcpConfigPath}, creating new config`);
+          const backupPath = `${mcpConfigPath}.backup.${crypto.randomBytes(8).toString("hex")}`;
+          try {
+            await fs6.copy(mcpConfigPath, backupPath);
+            logger.warn(
+              `Could not parse ${mcpConfigPath}, backup saved to ${backupPath}`
+            );
+          } catch {
+            logger.warn(
+              `Could not parse ${mcpConfigPath}, creating new config`
+            );
+          }
+          existingConfig = {};
         }
-        existingConfig = {};
       }
-    }
-    const sanitizedName = sanitizeFolderName(manifest.name);
-    const existingMcpServers = existingConfig.mcpServers || {};
-    const updatedConfig = {
-      ...existingConfig,
-      // Preserve all other config settings
-      mcpServers: {
-        ...existingMcpServers,
-        // Preserve other MCP servers
-        [sanitizedName]: {
-          // Add/update this package's MCP server
-          command: manifest.mcp.command,
-          // e.g., "npx"
-          args: manifest.mcp.args,
-          // e.g., ["-y", "@supabase/mcp"]
-          env: manifest.mcp.env
-          // e.g., { "SUPABASE_URL": "..." }
+      const sanitizedName = sanitizeFolderName(manifest.name);
+      const existingMcpServers = existingConfig.mcpServers || {};
+      const updatedConfig = {
+        ...existingConfig,
+        mcpServers: {
+          ...existingMcpServers,
+          [sanitizedName]: {
+            command: manifest.mcp.command,
+            args: manifest.mcp.args,
+            env: manifest.mcp.env
+          }
         }
-      }
-    };
-    await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-    filesWritten.push(mcpConfigPath);
+      };
+      await fs6.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+      filesWritten.push(mcpConfigPath);
+    });
     return filesWritten;
   }
-  /**
-   * Uninstall an MCP package.
-   *
-   * This removes the MCP server entry from ~/.claude.json
-   *
-   * @param packageName - The name of the package to remove
-   * @param _context - Uninstall context (not used for MCP, but required by interface)
-   * @returns Array containing the path to the modified config file
-   */
   async uninstall(packageName, _context) {
     const filesWritten = [];
     const folderName = sanitizeFolderName(packageName);
-    const claudeHome = getClaudeHome();
-    const mcpConfigPath = path7.join(path7.dirname(claudeHome), ".claude.json");
-    if (!await fs4.pathExists(mcpConfigPath)) {
+    const mcpConfigPath = this.getConfigPath();
+    if (!await fs6.pathExists(mcpConfigPath)) {
       return filesWritten;
     }
     try {
-      const config = await fs4.readJson(mcpConfigPath);
-      const mcpServers = config.mcpServers;
-      if (!mcpServers || !mcpServers[folderName]) {
-        return filesWritten;
-      }
-      const { [folderName]: _removed, ...remainingServers } = mcpServers;
-      const updatedConfig = {
-        ...config,
-        mcpServers: remainingServers
-      };
-      await fs4.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
-      filesWritten.push(mcpConfigPath);
+      await withFileLock(mcpConfigPath, async () => {
+        const config = await fs6.readJson(mcpConfigPath);
+        const mcpServers = config.mcpServers;
+        if (!mcpServers || !mcpServers[folderName]) {
+          return;
+        }
+        const { [folderName]: _removed, ...remainingServers } = mcpServers;
+        const updatedConfig = {
+          ...config,
+          mcpServers: remainingServers
+        };
+        await fs6.writeJson(mcpConfigPath, updatedConfig, { spaces: 2 });
+        filesWritten.push(mcpConfigPath);
+      });
     } catch (error) {
       logger.warn(
         `Could not update MCP config: ${error instanceof Error ? error.message : "Unknown error"}`
@@ -899,6 +987,14 @@ var McpHandler = class {
   }
 };
 
+// src/adapters/handlers/mcp-handler.ts
+var McpHandler = class extends BaseMcpHandler {
+  getConfigPath() {
+    const claudeHome = getClaudeHome();
+    return path9.join(path9.dirname(claudeHome), ".claude.json");
+  }
+};
+
 // src/adapters/handlers/index.ts
 function initializeHandlers() {
   handlerRegistry.register(new RulesHandler());
@@ -908,8 +1004,6 @@ function initializeHandlers() {
 initializeHandlers();
 
 // src/adapters/claude-code.ts
-import fs5 from "fs-extra";
-import path8 from "path";
 var ClaudeCodeAdapter = class extends PlatformAdapter {
   platform = "claude-code";
   displayName = "Claude Code";
@@ -938,25 +1032,14 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
   }
   async uninstall(packageName, projectPath) {
     const filesWritten = [];
-    const folderName = sanitizeFolderName(packageName);
     const context = { projectPath };
     try {
-      const rulesBaseDir = getRulesPath("claude-code");
-      const rulesPath = path8.join(rulesBaseDir, folderName);
-      if (await fs5.pathExists(rulesPath)) {
-        await fs5.remove(rulesPath);
-        filesWritten.push(rulesPath);
-      }
-      const skillsDir = getSkillsPath();
-      const skillPath = path8.join(skillsDir, folderName);
-      if (await fs5.pathExists(skillPath)) {
-        await fs5.remove(skillPath);
-        filesWritten.push(skillPath);
-      }
-      if (handlerRegistry.hasHandler("mcp")) {
-        const mcpHandler = handlerRegistry.getHandler("mcp");
-        const mcpFiles = await mcpHandler.uninstall(packageName, context);
-        filesWritten.push(...mcpFiles);
+      for (const type of ["rules", "skill", "mcp"]) {
+        if (handlerRegistry.hasHandler(type)) {
+          const handler = handlerRegistry.getHandler(type);
+          const files = await handler.uninstall(packageName, context);
+          filesWritten.push(...files);
+        }
       }
       return {
         success: true,
@@ -999,22 +1082,229 @@ var ClaudeCodeAdapter = class extends PlatformAdapter {
   }
 };
 
+// src/adapters/handlers/cursor-rules-handler.ts
+import fs7 from "fs-extra";
+import path10 from "path";
+function escapeYamlString(value) {
+  if (/[\n\r\t\0:#{}[\]&*?|>!%@`"',]/.test(value) || value.trim() !== value) {
+    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\0/g, "").replace(/\r/g, "\\r").replace(/\n/g, "\\n").replace(/\t/g, "\\t");
+    return `"${escaped}"`;
+  }
+  return value;
+}
+function toMdcContent(description, globs, rulesContent) {
+  const alwaysApply = globs.length === 0;
+  const frontmatter = [
+    "---",
+    `description: ${escapeYamlString(description)}`,
+    `globs: ${JSON.stringify(globs)}`,
+    `alwaysApply: ${alwaysApply}`,
+    "---"
+  ].join("\n");
+  return `${frontmatter}
+${rulesContent.trim()}
+`;
+}
+var CursorRulesHandler = class {
+  packageType = "rules";
+  async install(manifest, context) {
+    const filesWritten = [];
+    const rulesBaseDir = getRulesPath("cursor", context.projectPath);
+    const folderName = sanitizeFolderName(manifest.name);
+    const rulesDir = path10.join(rulesBaseDir, folderName);
+    await fs7.ensureDir(rulesDir);
+    const description = manifest.description || manifest.name;
+    const globs = manifest.universal?.globs || [];
+    if (globs.length > 0) {
+      const globValidation = validateGlobs(globs);
+      if (!globValidation.valid) {
+        throw new Error(
+          `Glob security validation failed: ${globValidation.error}`
+        );
+      }
+    }
+    if (context.packagePath && await fs7.pathExists(context.packagePath)) {
+      const files = await fs7.readdir(context.packagePath);
+      const mdFiles = files.filter(
+        (f) => f.endsWith(".md") && f.toLowerCase() !== "cpm.yaml"
+      );
+      if (mdFiles.length > 0) {
+        for (const file of mdFiles) {
+          const validation = sanitizeFileName(file);
+          if (!validation.valid) {
+            logger.warn(`Skipping unsafe file: ${file} (${validation.error})`);
+            continue;
+          }
+          const srcPath = path10.join(context.packagePath, file);
+          const mdcFileName = validation.sanitized.replace(/\.md$/, ".mdc");
+          const destPath = path10.join(rulesDir, mdcFileName);
+          if (!isPathWithinDirectory(destPath, rulesDir)) {
+            logger.warn(`Blocked path traversal attempt: ${file}`);
+            continue;
+          }
+          const srcStat = await fs7.lstat(srcPath);
+          if (srcStat.isSymbolicLink()) {
+            logger.warn(`Blocked symlink in package: ${file}`);
+            continue;
+          }
+          const content = await fs7.readFile(srcPath, "utf-8");
+          const mdcContent2 = toMdcContent(description, globs, content);
+          await fs7.writeFile(destPath, mdcContent2, "utf-8");
+          filesWritten.push(destPath);
+        }
+        const metadataPath2 = await writePackageMetadata(rulesDir, manifest);
+        filesWritten.push(metadataPath2);
+        return filesWritten;
+      }
+    }
+    const rulesContent = this.getRulesContent(manifest);
+    if (!rulesContent) return filesWritten;
+    const rulesPath = path10.join(rulesDir, "RULES.mdc");
+    const mdcContent = toMdcContent(description, globs, rulesContent);
+    await fs7.writeFile(rulesPath, mdcContent, "utf-8");
+    filesWritten.push(rulesPath);
+    const metadataPath = await writePackageMetadata(rulesDir, manifest);
+    filesWritten.push(metadataPath);
+    return filesWritten;
+  }
+  async uninstall(packageName, context) {
+    const filesRemoved = [];
+    const folderName = sanitizeFolderName(packageName);
+    const rulesBaseDir = getRulesPath("cursor", context.projectPath);
+    const rulesPath = path10.join(rulesBaseDir, folderName);
+    if (await fs7.pathExists(rulesPath)) {
+      await fs7.remove(rulesPath);
+      filesRemoved.push(rulesPath);
+    }
+    return filesRemoved;
+  }
+  getRulesContent(manifest) {
+    if (isRulesManifest(manifest) && manifest.universal) {
+      return manifest.universal.rules || manifest.universal.prompt;
+    }
+    return void 0;
+  }
+};
+
+// src/adapters/handlers/cursor-mcp-handler.ts
+var CursorMcpHandler = class extends BaseMcpHandler {
+  getConfigPath() {
+    return getCursorMcpConfigPath();
+  }
+};
+
+// src/adapters/cursor.ts
+var cursorRulesHandler = new CursorRulesHandler();
+var cursorMcpHandler = new CursorMcpHandler();
+var CursorAdapter = class extends PlatformAdapter {
+  platform = "cursor";
+  displayName = "Cursor";
+  async isAvailable(_projectPath) {
+    return true;
+  }
+  async install(manifest, projectPath, packagePath) {
+    const filesWritten = [];
+    try {
+      const context = { projectPath, packagePath };
+      if (manifest.type === "skill") {
+        logger.warn(
+          `Package "${manifest.name}" is a skill package. Skills are not supported on Cursor \u2014 skipping.`
+        );
+        return {
+          success: true,
+          platform: "cursor",
+          filesWritten
+        };
+      }
+      const result = await this.installByType(manifest, context);
+      filesWritten.push(...result);
+      return {
+        success: true,
+        platform: "cursor",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "cursor",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async uninstall(packageName, projectPath) {
+    const filesWritten = [];
+    const context = { projectPath };
+    try {
+      const rulesFiles = await cursorRulesHandler.uninstall(
+        packageName,
+        context
+      );
+      filesWritten.push(...rulesFiles);
+      const mcpFiles = await cursorMcpHandler.uninstall(packageName, context);
+      filesWritten.push(...mcpFiles);
+      return {
+        success: true,
+        platform: "cursor",
+        filesWritten
+      };
+    } catch (error) {
+      return {
+        success: false,
+        platform: "cursor",
+        filesWritten,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  async installByType(manifest, context) {
+    switch (manifest.type) {
+      case "rules":
+        return cursorRulesHandler.install(manifest, context);
+      case "mcp":
+        return cursorMcpHandler.install(manifest, context);
+      default:
+        logger.warn(
+          `Package type "${manifest.type}" is not yet supported on Cursor`
+        );
+        return [];
+    }
+  }
+};
+
 // src/adapters/index.ts
 var adapters = {
-  "claude-code": new ClaudeCodeAdapter()
+  "claude-code": new ClaudeCodeAdapter(),
+  cursor: new CursorAdapter()
 };
 function getAdapter(platform) {
-  return adapters[platform];
+  const adapter = adapters[platform];
+  if (!adapter) {
+    throw new Error(`No adapter available for platform: ${platform}`);
+  }
+  return adapter;
 }
 
 // src/utils/registry.ts
 import got from "got";
-import fs6 from "fs-extra";
-import path9 from "path";
-import os2 from "os";
-var DEFAULT_REGISTRY_URL = process.env.CPM_REGISTRY_URL || "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
-var CACHE_DIR = path9.join(os2.homedir(), ".cpm", "cache");
-var CACHE_FILE = path9.join(CACHE_DIR, "registry.json");
+import fs8 from "fs-extra";
+import path11 from "path";
+import os3 from "os";
+function getRegistryUrl() {
+  const envUrl = process.env.CPM_REGISTRY_URL;
+  if (envUrl) {
+    if (!envUrl.startsWith("https://")) {
+      throw new Error(
+        "CPM_REGISTRY_URL must use HTTPS. HTTP registries are not allowed for security reasons."
+      );
+    }
+    return envUrl;
+  }
+  return "https://raw.githubusercontent.com/cpmai-dev/packages/main/registry.json";
+}
+var DEFAULT_REGISTRY_URL = getRegistryUrl();
+var CACHE_DIR = path11.join(os3.homedir(), ".cpm", "cache");
+var CACHE_FILE = path11.join(CACHE_DIR, "registry.json");
 var comparators = {
   downloads: (a, b) => (b.downloads ?? 0) - (a.downloads ?? 0),
   stars: (a, b) => (b.stars ?? 0) - (a.stars ?? 0),
@@ -1076,11 +1366,11 @@ var Registry = class {
   }
   async loadFileCache() {
     try {
-      await fs6.ensureDir(CACHE_DIR);
-      if (await fs6.pathExists(CACHE_FILE)) {
-        const stat = await fs6.stat(CACHE_FILE);
+      await fs8.ensureDir(CACHE_DIR);
+      if (await fs8.pathExists(CACHE_FILE)) {
+        const stat = await fs8.stat(CACHE_FILE);
         if (Date.now() - stat.mtimeMs < LIMITS.CACHE_TTL_MS) {
-          return await fs6.readJson(CACHE_FILE);
+          return await fs8.readJson(CACHE_FILE);
         }
       }
     } catch {
@@ -1089,8 +1379,8 @@ var Registry = class {
   }
   async saveFileCache(data) {
     try {
-      await fs6.ensureDir(CACHE_DIR);
-      await fs6.writeJson(CACHE_FILE, data, { spaces: 2 });
+      await fs8.ensureDir(CACHE_DIR);
+      await fs8.writeJson(CACHE_FILE, data, { spaces: 2 });
     } catch {
     }
   }
@@ -1113,8 +1403,8 @@ var Registry = class {
       return this.cache;
     }
     try {
-      if (await fs6.pathExists(CACHE_FILE)) {
-        const cached = await fs6.readJson(CACHE_FILE);
+      if (await fs8.pathExists(CACHE_FILE)) {
+        const cached = await fs8.readJson(CACHE_FILE);
         this.cache = cached;
         return cached;
       }
@@ -1154,9 +1444,9 @@ var Registry = class {
 var registry = new Registry();
 
 // src/utils/downloader.ts
-import fs8 from "fs-extra";
-import path11 from "path";
-import os3 from "os";
+import fs10 from "fs-extra";
+import path13 from "path";
+import os4 from "os";
 
 // src/sources/manifest-resolver.ts
 var ManifestResolver = class {
@@ -1298,8 +1588,8 @@ var RepositorySource = class {
 
 // src/sources/tarball-source.ts
 import got3 from "got";
-import fs7 from "fs-extra";
-import path10 from "path";
+import fs9 from "fs-extra";
+import path12 from "path";
 import * as tar from "tar";
 import yaml2 from "yaml";
 var TarballSource = class {
@@ -1351,12 +1641,12 @@ var TarballSource = class {
         responseType: "buffer"
         // Get raw binary data
       });
-      const tarballPath = path10.join(context.tempDir, "package.tar.gz");
-      await fs7.writeFile(tarballPath, response.body);
+      const tarballPath = path12.join(context.tempDir, "package.tar.gz");
+      await fs9.writeFile(tarballPath, response.body);
       await this.extractTarball(tarballPath, context.tempDir);
-      const manifestPath = path10.join(context.tempDir, "cpm.yaml");
-      if (await fs7.pathExists(manifestPath)) {
-        const content = await fs7.readFile(manifestPath, "utf-8");
+      const manifestPath = path12.join(context.tempDir, "cpm.yaml");
+      if (await fs9.pathExists(manifestPath)) {
+        const content = await fs9.readFile(manifestPath, "utf-8");
         return yaml2.parse(content);
       }
       return null;
@@ -1378,8 +1668,8 @@ var TarballSource = class {
    * @param destDir - Directory to extract to
    */
   async extractTarball(tarballPath, destDir) {
-    await fs7.ensureDir(destDir);
-    const resolvedDestDir = path10.resolve(destDir);
+    await fs9.ensureDir(destDir);
+    const resolvedDestDir = path12.resolve(destDir);
     await tar.extract({
       file: tarballPath,
       // The tarball file to extract
@@ -1389,8 +1679,8 @@ var TarballSource = class {
       // Remove the top-level directory (e.g., "package-1.0.0/")
       // Security filter: check each entry before extracting
       filter: (entryPath) => {
-        const resolvedPath = path10.resolve(destDir, entryPath);
-        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path10.sep) || resolvedPath === resolvedDestDir;
+        const resolvedPath = path12.resolve(destDir, entryPath);
+        const isWithinDest = resolvedPath.startsWith(resolvedDestDir + path12.sep) || resolvedPath === resolvedDestDir;
         if (!isWithinDest) {
           logger.warn(`Blocked path traversal in tarball: ${entryPath}`);
           return false;
@@ -2071,15 +2361,15 @@ function createDefaultResolver() {
 var defaultResolver = createDefaultResolver();
 
 // src/utils/downloader.ts
-var TEMP_DIR = path11.join(os3.tmpdir(), "cpm-downloads");
+var TEMP_DIR = path13.join(os4.tmpdir(), "cpm-downloads");
 async function downloadPackage(pkg) {
   try {
-    await fs8.ensureDir(TEMP_DIR);
-    const packageTempDir = path11.join(
+    await fs10.ensureDir(TEMP_DIR);
+    const packageTempDir = path13.join(
       TEMP_DIR,
       `${pkg.name.replace(/[@/]/g, "_")}-${Date.now()}`
     );
-    await fs8.ensureDir(packageTempDir);
+    await fs10.ensureDir(packageTempDir);
     const manifest = await defaultResolver.resolve(pkg, {
       tempDir: packageTempDir
     });
@@ -2094,7 +2384,7 @@ async function downloadPackage(pkg) {
 async function cleanupTempDir(tempDir) {
   try {
     if (tempDir.startsWith(TEMP_DIR)) {
-      await fs8.remove(tempDir);
+      await fs10.remove(tempDir);
     }
   } catch {
   }
@@ -2221,7 +2511,7 @@ var SEMANTIC_COLORS = {
 
 // src/commands/ui/formatters.ts
 import chalk2 from "chalk";
-import path12 from "path";
+import path14 from "path";
 function formatNumber(num) {
   if (num >= 1e6) {
     return `${(num / 1e6).toFixed(1)}M`;
@@ -2232,7 +2522,7 @@ function formatNumber(num) {
   return num.toString();
 }
 function formatPath(filePath) {
-  const relativePath = path12.relative(process.cwd(), filePath);
+  const relativePath = path14.relative(process.cwd(), filePath);
   if (relativePath.startsWith("..")) {
     return filePath;
   }
@@ -2361,8 +2651,8 @@ function createSpinner(initialText) {
 function spinnerText(action, packageName) {
   return `${action} ${chalk3.cyan(packageName)}...`;
 }
-function successText(action, packageName, version) {
-  const versionStr = version ? `@${chalk3.dim(version)}` : "";
+function successText(action, packageName, version2) {
+  const versionStr = version2 ? `@${chalk3.dim(version2)}` : "";
   return `${action} ${chalk3.green(packageName)}${versionStr}`;
 }
 function failText(action, packageName, error) {
@@ -2490,7 +2780,11 @@ async function installCommand(packageName, rawOptions) {
     tempDir = downloadResult.tempDir;
     const targetPlatforms = [options.platform];
     spinner.update(`Installing to ${targetPlatforms.join(", ")}...`);
-    await ensureClaudeDirs();
+    if (options.platform === "cursor") {
+      await ensureCursorDirs(process.cwd());
+    } else {
+      await ensureClaudeDirs();
+    }
     const results = await installToPlatforms(
       manifest,
       tempDir,
@@ -2566,28 +2860,28 @@ async function searchCommand(query, rawOptions) {
 
 // src/commands/list.ts
 import chalk4 from "chalk";
-import fs9 from "fs-extra";
-import path13 from "path";
-import os4 from "os";
+import fs11 from "fs-extra";
+import path15 from "path";
+import os5 from "os";
 async function readPackageMetadata(packageDir) {
-  const metadataPath = path13.join(packageDir, ".cpm.json");
+  const metadataPath = path15.join(packageDir, ".cpm.json");
   try {
-    if (await fs9.pathExists(metadataPath)) {
-      return await fs9.readJson(metadataPath);
+    if (await fs11.pathExists(metadataPath)) {
+      return await fs11.readJson(metadataPath);
     }
   } catch {
   }
   return null;
 }
-async function scanDirectory(dir, type) {
+async function scanDirectory(dir, type, platform) {
   const items = [];
-  if (!await fs9.pathExists(dir)) {
+  if (!await fs11.pathExists(dir)) {
     return items;
   }
-  const entries = await fs9.readdir(dir);
+  const entries = await fs11.readdir(dir);
   for (const entry of entries) {
-    const entryPath = path13.join(dir, entry);
-    const stat = await fs9.stat(entryPath);
+    const entryPath = path15.join(dir, entry);
+    const stat = await fs11.stat(entryPath);
     if (stat.isDirectory()) {
       const metadata = await readPackageMetadata(entryPath);
       items.push({
@@ -2595,27 +2889,28 @@ async function scanDirectory(dir, type) {
         folderName: entry,
         type,
         version: metadata?.version,
-        path: entryPath
+        path: entryPath,
+        platform
       });
     }
   }
   return items;
 }
-async function scanMcpServers() {
+async function scanMcpServersFromConfig(configPath, platform) {
   const items = [];
-  const configPath = path13.join(os4.homedir(), ".claude.json");
-  if (!await fs9.pathExists(configPath)) {
+  if (!await fs11.pathExists(configPath)) {
     return items;
   }
   try {
-    const config = await fs9.readJson(configPath);
+    const config = await fs11.readJson(configPath);
     const mcpServers = config.mcpServers || {};
     for (const name of Object.keys(mcpServers)) {
       items.push({
         name,
         folderName: name,
         type: "mcp",
-        path: configPath
+        path: configPath,
+        platform
       });
     }
   } catch {
@@ -2623,13 +2918,24 @@ async function scanMcpServers() {
   return items;
 }
 async function scanInstalledPackages() {
-  const claudeHome = path13.join(os4.homedir(), ".claude");
-  const [rules, skills, mcp] = await Promise.all([
-    scanDirectory(path13.join(claudeHome, "rules"), "rules"),
-    scanDirectory(path13.join(claudeHome, "skills"), "skill"),
-    scanMcpServers()
+  const claudeHome = path15.join(os5.homedir(), ".claude");
+  const cursorRulesDir = path15.join(process.cwd(), ".cursor", "rules");
+  const cursorMcpConfig = getCursorMcpConfigPath();
+  const claudeMcpConfig = path15.join(os5.homedir(), ".claude.json");
+  const [claudeRules, claudeSkills, claudeMcp, cursorRules, cursorMcp] = await Promise.all([
+    scanDirectory(path15.join(claudeHome, "rules"), "rules", "claude-code"),
+    scanDirectory(path15.join(claudeHome, "skills"), "skill", "claude-code"),
+    scanMcpServersFromConfig(claudeMcpConfig, "claude-code"),
+    scanDirectory(cursorRulesDir, "rules", "cursor"),
+    scanMcpServersFromConfig(cursorMcpConfig, "cursor")
   ]);
-  return [...rules, ...skills, ...mcp];
+  return [
+    ...claudeRules,
+    ...claudeSkills,
+    ...claudeMcp,
+    ...cursorRules,
+    ...cursorMcp
+  ];
 }
 function groupByType(packages) {
   return packages.reduce(
@@ -2641,9 +2947,10 @@ function groupByType(packages) {
   );
 }
 function displayPackage(pkg) {
-  const version = pkg.version ? SEMANTIC_COLORS.dim(` v${pkg.version}`) : "";
+  const version2 = pkg.version ? SEMANTIC_COLORS.dim(` v${pkg.version}`) : "";
+  const platform = pkg.platform ? SEMANTIC_COLORS.dim(` [${pkg.platform}]`) : "";
   logger.log(
-    `    ${SEMANTIC_COLORS.success("\u25C9")} ${chalk4.bold(pkg.name)}${version}`
+    `    ${SEMANTIC_COLORS.success("\u25C9")} ${chalk4.bold(pkg.name)}${version2}${platform}`
   );
 }
 function displayByType(byType) {
@@ -2706,15 +3013,22 @@ async function uninstallCommand(packageName) {
   const spinner = createSpinner(spinnerText("Uninstalling", packageName));
   try {
     const folderName = extractFolderName(packageName);
-    const adapter = getAdapter("claude-code");
-    const result = await adapter.uninstall(folderName, process.cwd());
-    if (result.success && result.filesWritten.length > 0) {
+    const allFilesRemoved = [];
+    for (const platform of VALID_PLATFORMS) {
+      try {
+        const adapter = getAdapter(platform);
+        const result = await adapter.uninstall(folderName, process.cwd());
+        if (result.success) {
+          allFilesRemoved.push(...result.filesWritten);
+        }
+      } catch {
+      }
+    }
+    if (allFilesRemoved.length > 0) {
       spinner.succeed(successText("Uninstalled", packageName));
-      displayRemovedFiles(result.filesWritten);
-    } else if (result.success) {
-      spinner.warn(`Package ${packageName} was not found`);
+      displayRemovedFiles(allFilesRemoved);
     } else {
-      spinner.fail(failText("Failed to uninstall", packageName, result.error));
+      spinner.warn(`Package ${packageName} was not found`);
     }
   } catch (error) {
     spinner.fail(failText("Failed to uninstall", packageName));
@@ -2723,6 +3037,8 @@ async function uninstallCommand(packageName) {
 }
 
 // src/index.ts
+var require2 = createRequire(import.meta.url);
+var { version } = require2("../package.json");
 var program = new Command();
 var logo = `
   ${chalk5.hex("#22d3ee")("\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2557\u2591\u2591\u2591\u2588\u2588\u2588\u2557")}
@@ -2736,7 +3052,7 @@ program.name("cpm").description(
   `${logo}
   ${chalk5.dim("Package manager for AI coding assistants")}
 `
-).version("0.2.0-beta.1").option("-q, --quiet", "Suppress all output except errors").option("-v, --verbose", "Enable verbose output for debugging").hook("preAction", (thisCommand) => {
+).version(version).option("-q, --quiet", "Suppress all output except errors").option("-v, --verbose", "Enable verbose output for debugging").hook("preAction", (thisCommand) => {
   const opts = thisCommand.optsWithGlobals();
   configureLogger({
     quiet: opts.quiet,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cpmai/cli",
-  "version": "0.3.0-beta.1",
+  "version": "0.3.0-beta.3",
   "description": "CPM CLI - cpm-ai.dev",
   "keywords": [
     "claude-code",