@tankpkg/cli 0.0.0-nightly.20260401.49863f7

package/dist/bin/tank.js

@@ -0,0 +1,3205 @@
+#!/usr/bin/env node
+import { a as VERSION, c as getConfigDir, i as USER_AGENT, n as flushLogs, o as logger, s as getConfig, t as authFlowLog, u as setConfig } from "../debug-logger-CvbB8v_c.js";
+import { Command } from "commander";
+import chalk from "chalk";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { z } from "zod";
+import { confirm, input } from "@inquirer/prompts";
+import crypto$1 from "node:crypto";
+import semver from "semver";
+import ora from "ora";
+import { buildSkillKey, checkPermissionBudget, downloadAllParallel, extractSafely, getExtractDir as getExtractDir$1, getGlobalExtractDir, getResolvedNodesInOrder, parseLockKey as parseLockKey$2, parseVersionFromLockKey, readExtractedDependencies, resolveDependencyTree, verifyExtractedDependencies, writeLockfileWithResolvedGraph } from "@tankpkg/sdk";
+import open from "open";
+import ignore from "ignore";
+import { create } from "tar";
+import { spawn } from "node:child_process";
+import { fileURLToPath } from "node:url";
+process.env.TANK_REGISTRY_URL;
+const MANIFEST_FILENAME = "tank.json";
+const LEGACY_MANIFEST_FILENAME = "skills.json";
+const LOCKFILE_FILENAME = "tank.lock";
+const LEGACY_LOCKFILE_FILENAME = "skills.lock";
+const networkPermissionsSchema = z.object({ outbound: z.array(z.string()).optional() }).strict();
+const filesystemPermissionsSchema = z.object({
+	read: z.array(z.string()).optional(),
+	write: z.array(z.string()).optional()
+}).strict();
+const permissionsSchema = z.object({
+	network: networkPermissionsSchema.optional(),
+	filesystem: filesystemPermissionsSchema.optional(),
+	subprocess: z.boolean().optional()
+}).strict();
+z.enum(["user", "admin"]);
+z.enum([
+	"active",
+	"suspended",
+	"banned"
+]);
+z.enum([
+	"active",
+	"deprecated",
+	"quarantined",
+	"removed"
+]);
+z.enum([
+	"user.ban",
+	"user.suspend",
+	"user.unban",
+	"user.promote",
+	"user.demote",
+	"skill.quarantine",
+	"skill.remove",
+	"skill.deprecate",
+	"skill.restore",
+	"skill.feature",
+	"skill.unfeature",
+	"org.suspend",
+	"org.member.remove",
+	"org.delete"
+]);
+const skillsJsonSchema = z.object({
+	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
+	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
+	description: z.string().max(500, `Description must be 500 characters or fewer`).optional(),
+	skills: z.record(z.string(), z.string()).optional(),
+	permissions: permissionsSchema.optional(),
+	repository: z.string().url("Repository must be a valid URL").optional(),
+	visibility: z.enum(["public", "private"]).optional(),
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional()
+}).strict();
+const lockedSkillV1Schema = z.object({
+	resolved: z.string().url(),
+	integrity: z.string().regex(/^sha512-/, "Integrity must start with sha512-"),
+	permissions: permissionsSchema,
+	audit_score: z.number().min(0).max(10).nullable()
+});
+z.object({
+	lockfileVersion: z.literal(1),
+	skills: z.record(z.string(), lockedSkillV1Schema)
+});
+const lockedSkillSchema = z.object({
+	resolved: z.string().url(),
+	integrity: z.string().regex(/^sha512-/, "Integrity must start with sha512-"),
+	permissions: permissionsSchema,
+	audit_score: z.number().min(0).max(10).nullable(),
+	dependencies: z.record(z.string(), z.string()).optional()
+});
+z.object({
+	lockfileVersion: z.union([z.literal(1), z.literal(2)]),
+	skills: z.record(z.string(), lockedSkillSchema)
+});
+//#endregion
+//#region src/lib/manifest.ts
+const warnedManifest = /* @__PURE__ */ new Set();
+const warnedLockfile = /* @__PURE__ */ new Set();
+/**
+* Resolve the manifest file path with fallback priority:
+* 1. tank.json (preferred)
+* 2. skills.json (deprecated fallback)
+*
+* If both exist, prefers tank.json and warns about duplicate.
+* Returns the path even if neither exists (for write operations).
+*/
+function resolveManifestPath(directory) {
+	const dir = directory ?? process.cwd();
+	const newPath = path.join(dir, MANIFEST_FILENAME);
+	const legacyPath = path.join(dir, LEGACY_MANIFEST_FILENAME);
+	const newExists = fs.existsSync(newPath);
+	const legacyExists = fs.existsSync(legacyPath);
+	if (newExists && legacyExists && !warnedManifest.has(dir)) {
+		warnedManifest.add(dir);
+		logger.warn(`Both ${MANIFEST_FILENAME} and ${LEGACY_MANIFEST_FILENAME} exist. Using ${MANIFEST_FILENAME}.`);
+	}
+	if (newExists) return {
+		path: newPath,
+		isLegacy: false,
+		exists: true
+	};
+	if (legacyExists) {
+		if (!warnedManifest.has(dir)) {
+			warnedManifest.add(dir);
+			logger.warn(`${LEGACY_MANIFEST_FILENAME} is deprecated — run \`tank migrate\` to switch to ${MANIFEST_FILENAME}`);
+		}
+		return {
+			path: legacyPath,
+			isLegacy: true,
+			exists: true
+		};
+	}
+	return {
+		path: newPath,
+		isLegacy: false,
+		exists: false
+	};
+}
+/**
+* Resolve the lockfile path with fallback priority:
+* 1. tank.lock (preferred)
+* 2. skills.lock (deprecated fallback)
+*/
+function resolveLockfilePath(directory) {
+	const dir = directory ?? process.cwd();
+	const newPath = path.join(dir, LOCKFILE_FILENAME);
+	const legacyPath = path.join(dir, LEGACY_LOCKFILE_FILENAME);
+	const newExists = fs.existsSync(newPath);
+	const legacyExists = fs.existsSync(legacyPath);
+	if (newExists && legacyExists && !warnedLockfile.has(dir)) {
+		warnedLockfile.add(dir);
+		logger.warn(`Both ${LOCKFILE_FILENAME} and ${LEGACY_LOCKFILE_FILENAME} exist. Using ${LOCKFILE_FILENAME}.`);
+	}
+	if (newExists) return {
+		path: newPath,
+		isLegacy: false,
+		exists: true
+	};
+	if (legacyExists) {
+		if (!warnedLockfile.has(dir)) {
+			warnedLockfile.add(dir);
+			logger.warn(`${LEGACY_LOCKFILE_FILENAME} is deprecated — run \`tank migrate\` to switch to ${LOCKFILE_FILENAME}`);
+		}
+		return {
+			path: legacyPath,
+			isLegacy: true,
+			exists: true
+		};
+	}
+	return {
+		path: newPath,
+		isLegacy: false,
+		exists: false
+	};
+}
+//#endregion
+//#region src/lib/lockfile.ts
+/**
+* Read and parse the lockfile from the given directory.
+* Returns null if the file doesn't exist or is corrupt.
+*/
+function readLockfile$1(directory) {
+	const resolved = resolveLockfilePath(directory);
+	if (!resolved.exists) return null;
+	try {
+		const raw = fs.readFileSync(resolved.path, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/commands/audit.ts
+function scoreColor$2(score) {
+	if (score >= 7) return chalk.green;
+	if (score >= 4) return chalk.yellow;
+	return chalk.red;
+}
+function formatScore(result) {
+	if (result.error) return chalk.dim("error");
+	if (result.score == null || result.status !== "completed") return chalk.dim("pending");
+	return scoreColor$2(result.score)(result.score.toFixed(1));
+}
+function formatStatus(result) {
+	if (result.error) return chalk.dim("error");
+	if (result.score == null || result.status !== "completed") return chalk.dim("Analysis pending");
+	if (result.score >= 4) return chalk.green("pass");
+	return chalk.red("issues");
+}
+function padRight$1(text, width) {
+	if (text.length >= width) return text;
+	return text + " ".repeat(width - text.length);
+}
+/**
+* Parse a lockfile key like "@org/skill@1.0.0" into { name, version }.
+* Scoped packages start with @, so find the LAST @ to split.
+*/
+function parseLockKey$4(key) {
+	const lastAt = key.lastIndexOf("@");
+	if (lastAt <= 0) throw new Error(`Invalid lockfile key: ${key}`);
+	return {
+		name: key.slice(0, lastAt),
+		version: key.slice(lastAt + 1)
+	};
+}
+async function fetchVersionDetails(registryUrl, name, version) {
+	const url = `${registryUrl}/api/v1/skills/${encodeURIComponent(name)}/${version}`;
+	let res;
+	try {
+		res = await fetch(url, { headers: { "User-Agent": USER_AGENT } });
+	} catch (err) {
+		throw new Error(`Network error fetching audit data: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (!res.ok) throw new Error(`API error for ${name}@${version}: ${res.status} ${res.statusText}`);
+	return await res.json();
+}
+function displayDetailedAudit(result) {
+	console.log("");
+	console.log(chalk.bold(result.name));
+	console.log("");
+	console.log(`${chalk.dim("Version:".padEnd(14))}${result.version}`);
+	console.log(`${chalk.dim("Audit Score:".padEnd(14))}${formatScore(result)}`);
+	console.log(`${chalk.dim("Status:".padEnd(14))}${result.status}`);
+	const perms = result.permissions;
+	if (perms) {
+		console.log("");
+		console.log(chalk.bold("Permissions:"));
+		const networkDomains = perms.network?.outbound;
+		if (networkDomains && networkDomains.length > 0) console.log(`  ${chalk.dim("Network:".padEnd(14))}${networkDomains.join(", ")}`);
+		const fsRead = perms.filesystem?.read;
+		const fsWrite = perms.filesystem?.write;
+		if (fsRead || fsWrite) {
+			const parts = [];
+			if (fsRead && fsRead.length > 0) parts.push(`${fsRead.join(", ")} (read)`);
+			if (fsWrite && fsWrite.length > 0) parts.push(`${fsWrite.join(", ")} (write)`);
+			console.log(`  ${chalk.dim("Filesystem:".padEnd(14))}${parts.join(", ")}`);
+		}
+		console.log(`  ${chalk.dim("Subprocess:".padEnd(14))}${perms.subprocess ? "yes" : "no"}`);
+	}
+}
+function displayTable(results) {
+	console.log(`${padRight$1("NAME", 30) + padRight$1("VERSION", 12) + padRight$1("SCORE", 10)}STATUS`);
+	for (const result of results) {
+		const name = chalk.bold(padRight$1(result.name, 30));
+		const version = padRight$1(result.version, 12);
+		const score = padRight$1(formatScore(result), 10);
+		const status = formatStatus(result);
+		console.log(`${name}${version}${score}${status}`);
+	}
+	const total = results.length;
+	const pass = results.filter((r) => !r.error && r.score != null && r.status === "completed" && r.score >= 4).length;
+	const issues = total - pass;
+	console.log("");
+	console.log(`${total} skill${total === 1 ? "" : "s"} audited. ${pass} pass, ${issues} ${issues === 1 ? "has" : "have"} issues.`);
+}
+async function auditCommand(options) {
+	const { name, configDir } = options;
+	const config = getConfig(configDir);
+	const lock = readLockfile$1();
+	if (!lock) {
+		console.log("No lockfile found. Run: tank install");
+		return;
+	}
+	const entries = Object.entries(lock.skills);
+	if (entries.length === 0) {
+		console.log("No skills installed.");
+		return;
+	}
+	if (name) {
+		const matchingEntry = entries.find(([key]) => {
+			return parseLockKey$4(key).name === name;
+		});
+		if (!matchingEntry) {
+			console.log(`Skill not installed: ${name}`);
+			return;
+		}
+		const [key] = matchingEntry;
+		const parsed = parseLockKey$4(key);
+		const details = await fetchVersionDetails(config.registry, parsed.name, parsed.version);
+		displayDetailedAudit({
+			name: parsed.name,
+			version: parsed.version,
+			score: details.auditScore,
+			status: details.auditStatus,
+			permissions: details.permissions
+		});
+		return;
+	}
+	const results = [];
+	for (const [key] of entries) {
+		const parsed = parseLockKey$4(key);
+		try {
+			const details = await fetchVersionDetails(config.registry, parsed.name, parsed.version);
+			results.push({
+				name: parsed.name,
+				version: parsed.version,
+				score: details.auditScore,
+				status: details.auditStatus
+			});
+		} catch (err) {
+			if (err instanceof Error && err.message.startsWith("Network error")) throw err;
+			results.push({
+				name: parsed.name,
+				version: parsed.version,
+				score: null,
+				status: "error",
+				error: true
+			});
+		}
+	}
+	displayTable(results);
+}
+//#endregion
+//#region src/lib/agents.ts
+const resolveHomedir = (homedir) => homedir ?? os.homedir();
+const isWindows = process.platform === "win32";
+const SUPPORTED_AGENTS = [
+	{
+		id: "claude",
+		name: "Claude Code",
+		configDirs: (homedir) => [path.join(homedir, ".claude")]
+	},
+	{
+		id: "opencode",
+		name: "OpenCode",
+		configDirs: (homedir) => {
+			const dirs = [path.join(homedir, ".config", "opencode")];
+			if (isWindows) {
+				const appData = process.env.APPDATA;
+				if (appData) dirs.push(path.join(appData, "opencode"));
+			}
+			return dirs;
+		}
+	},
+	{
+		id: "cursor",
+		name: "Cursor",
+		configDirs: (homedir) => {
+			const dirs = [path.join(homedir, ".cursor")];
+			if (isWindows) {
+				const appData = process.env.APPDATA;
+				if (appData) dirs.push(path.join(appData, "Cursor"));
+			}
+			return dirs;
+		}
+	},
+	{
+		id: "codex",
+		name: "Codex",
+		configDirs: (homedir) => [path.join(homedir, ".codex")]
+	},
+	{
+		id: "openclaw",
+		name: "OpenClaw",
+		configDirs: (homedir) => [path.join(homedir, ".openclaw")]
+	},
+	{
+		id: "universal",
+		name: "Universal",
+		configDirs: (homedir) => [path.join(homedir, ".agents")]
+	}
+];
+/**
+* Returns the first existing config directory for an agent,
+* or the first (default) directory if none exist.
+*/
+function resolveConfigDir(agent, homedir) {
+	const dirs = agent.configDirs(homedir);
+	return dirs.find((d) => fs.existsSync(d)) ?? dirs[0];
+}
+function isAgentInstalled(agent, homedir) {
+	return agent.configDirs(homedir).some((d) => fs.existsSync(d));
+}
+function getSupportedAgents(homedir) {
+	const resolved = resolveHomedir(homedir);
+	return SUPPORTED_AGENTS.map((agent) => ({
+		id: agent.id,
+		name: agent.name,
+		skillsDir: path.join(resolveConfigDir(agent, resolved), "skills")
+	}));
+}
+function detectInstalledAgents(homedir) {
+	const resolved = resolveHomedir(homedir);
+	return SUPPORTED_AGENTS.filter((agent) => isAgentInstalled(agent, resolved)).map((agent) => ({
+		id: agent.id,
+		name: agent.name,
+		skillsDir: path.join(resolveConfigDir(agent, resolved), "skills")
+	}));
+}
+function getSymlinkName(skillName) {
+	const match = skillName.match(/^@([^/]+)\/(.+)$/);
+	if (!match) return skillName;
+	const [, scope, name] = match;
+	if (scope.length === 0 || name.length === 0) return skillName;
+	return `${scope}--${name}`;
+}
+function getGlobalSkillsDir(homedir) {
+	return path.join(resolveHomedir(homedir), ".tank", "skills");
+}
+function getGlobalAgentSkillsDir(homedir) {
+	return path.join(resolveHomedir(homedir), ".tank", "agent-skills");
+}
+//#endregion
+//#region src/lib/links.ts
+function createEmptyManifest() {
+	return {
+		version: 1,
+		links: {}
+	};
+}
+function readLinks(linksDir) {
+	if (!fs.existsSync(linksDir)) return createEmptyManifest();
+	const linksPath = path.join(linksDir, "links.json");
+	if (!fs.existsSync(linksPath)) return createEmptyManifest();
+	try {
+		const raw = fs.readFileSync(linksPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return createEmptyManifest();
+	}
+}
+function writeLinks(linksDir, manifest) {
+	if (!fs.existsSync(linksDir)) fs.mkdirSync(linksDir, { recursive: true });
+	const sortedLinks = {};
+	for (const skillName of Object.keys(manifest.links).sort()) {
+		const entry = manifest.links[skillName];
+		const sortedAgentLinks = {};
+		for (const agentId of Object.keys(entry.agentLinks).sort()) sortedAgentLinks[agentId] = entry.agentLinks[agentId];
+		sortedLinks[skillName] = {
+			source: entry.source,
+			sourceDir: entry.sourceDir,
+			installedAt: entry.installedAt,
+			agentLinks: sortedAgentLinks
+		};
+	}
+	const output = {
+		version: manifest.version,
+		links: sortedLinks
+	};
+	fs.writeFileSync(path.join(linksDir, "links.json"), `${JSON.stringify(output, null, 2)}\n`);
+}
+function readGlobalLinks(homedir) {
+	const home = homedir ?? os.homedir();
+	return readLinks(path.join(home, ".tank"));
+}
+//#endregion
+//#region src/lib/linker.ts
+const resolveSymlinkTarget = (symlinkPath, target) => {
+	if (path.isAbsolute(target)) return target;
+	return path.resolve(path.dirname(symlinkPath), target);
+};
+const checkSymlink = (symlinkPath) => {
+	try {
+		if (!fs.lstatSync(symlinkPath).isSymbolicLink()) return {
+			exists: true,
+			isSymlink: false,
+			targetPath: null,
+			targetValid: false
+		};
+		const targetPath = resolveSymlinkTarget(symlinkPath, fs.readlinkSync(symlinkPath));
+		return {
+			exists: true,
+			isSymlink: true,
+			targetPath,
+			targetValid: fs.existsSync(targetPath)
+		};
+	} catch {
+		return {
+			exists: false,
+			isSymlink: false,
+			targetPath: null,
+			targetValid: false
+		};
+	}
+};
+const createEntry = (manifest, skillName, entry) => ({
+	version: manifest.version,
+	links: {
+		...manifest.links,
+		[skillName]: entry
+	}
+});
+function linkSkillToAgents(options) {
+	const result = {
+		linked: [],
+		skipped: [],
+		failed: []
+	};
+	const agents = detectInstalledAgents(options.homedir);
+	const symlinkName = getSymlinkName(options.skillName);
+	const resolvedSource = path.resolve(options.sourceDir);
+	const agentLinks = {};
+	for (const agent of agents) {
+		const symlinkPath = path.join(agent.skillsDir, symlinkName);
+		try {
+			fs.mkdirSync(agent.skillsDir, { recursive: true });
+			const check = checkSymlink(symlinkPath);
+			if (check.exists && !check.isSymlink) {
+				result.failed.push({
+					agentId: agent.id,
+					error: `Path exists and is not a symlink: ${symlinkPath}`
+				});
+				continue;
+			}
+			if (check.exists && check.isSymlink && check.targetPath) {
+				if (path.resolve(check.targetPath) === resolvedSource && check.targetValid) {
+					result.skipped.push(agent.id);
+					agentLinks[agent.id] = symlinkPath;
+					continue;
+				}
+				fs.unlinkSync(symlinkPath);
+			}
+			fs.symlinkSync(options.sourceDir, symlinkPath, "dir");
+			result.linked.push(agent.id);
+			agentLinks[agent.id] = symlinkPath;
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			result.failed.push({
+				agentId: agent.id,
+				error: message
+			});
+		}
+	}
+	const manifest = readLinks(options.linksDir);
+	const entry = {
+		source: options.source,
+		sourceDir: options.sourceDir,
+		installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+		agentLinks
+	};
+	const updated = createEntry(manifest, options.skillName, entry);
+	writeLinks(options.linksDir, updated);
+	return result;
+}
+function unlinkSkillFromAgents(options) {
+	const manifest = readLinks(options.linksDir);
+	const entry = manifest.links[options.skillName];
+	if (!entry) return {
+		unlinked: [],
+		notFound: []
+	};
+	const result = {
+		unlinked: [],
+		notFound: []
+	};
+	for (const [agentId, symlinkPath] of Object.entries(entry.agentLinks)) try {
+		if (!fs.lstatSync(symlinkPath).isSymbolicLink()) {
+			result.notFound.push(agentId);
+			continue;
+		}
+		fs.unlinkSync(symlinkPath);
+		result.unlinked.push(agentId);
+	} catch {
+		result.notFound.push(agentId);
+	}
+	const updated = {
+		version: manifest.version,
+		links: { ...manifest.links }
+	};
+	if (options.skillName in updated.links) delete updated.links[options.skillName];
+	writeLinks(options.linksDir, updated);
+	return result;
+}
+const getStatusForAgent = (agent, skillName) => {
+	const symlinkName = getSymlinkName(skillName);
+	const symlinkPath = path.join(agent.skillsDir, symlinkName);
+	const check = checkSymlink(symlinkPath);
+	return {
+		agentId: agent.id,
+		agentName: agent.name,
+		linked: check.exists && check.isSymlink,
+		symlinkPath,
+		targetValid: check.exists && check.isSymlink && check.targetValid
+	};
+};
+function getSkillLinkStatus(options) {
+	const agents = detectInstalledAgents(options.homedir);
+	readLinks(options.linksDir);
+	return agents.map((agent) => getStatusForAgent(agent, options.skillName));
+}
+//#endregion
+//#region src/commands/doctor.ts
+const parseLockKey$3 = (key) => {
+	const lastAt = key.lastIndexOf("@");
+	if (lastAt > 0) return key.slice(0, lastAt);
+	return key;
+};
+const getExtractDir$2 = (baseDir, skillName) => {
+	if (skillName.startsWith("@")) {
+		const [scope, name] = skillName.split("/");
+		return path.join(baseDir, scope, name);
+	}
+	return path.join(baseDir, skillName);
+};
+const formatAgents = (agents, label) => {
+	if (agents.length === 0) return `${label}`;
+	return `${label} (${agents.map((agent) => agent.agentName).join(", ")})`;
+};
+const summarizeStatus = (skillName, statuses, extractExists, scope) => {
+	if (statuses.length === 0) return {
+		statusText: chalk.yellow("⚠️ no agents detected"),
+		issues: []
+	};
+	const brokenAgents = statuses.filter((status) => status.linked && !status.targetValid);
+	const linkedAgents = statuses.filter((status) => status.linked && status.targetValid);
+	if (brokenAgents.length > 0) return {
+		statusText: formatAgents(brokenAgents, chalk.yellow("⚠️ broken link")),
+		issues: [scope === "dev" ? `Run \`tank link\` in the skill directory to fix ${skillName}` : `Run \`tank install ${skillName}\` to fix broken link`]
+	};
+	if (linkedAgents.length > 0) {
+		if (!extractExists && scope !== "dev") return {
+			statusText: chalk.yellow("⚠️ missing extract"),
+			issues: [`Run \`tank install ${skillName}\` to install missing extract`]
+		};
+		return {
+			statusText: formatAgents(linkedAgents, chalk.green("✅ linked")),
+			issues: []
+		};
+	}
+	if (!extractExists && scope !== "dev") return {
+		statusText: chalk.yellow("⚠️ missing extract"),
+		issues: [`Run \`tank install ${skillName}\` to install missing extract`]
+	};
+	return {
+		statusText: chalk.red("❌ not linked"),
+		issues: []
+	};
+};
+const printSectionHeader = (title) => {
+	console.log(`\n${chalk.bold(title)}:`);
+};
+async function doctorCommand(options) {
+	try {
+		const directory = options?.directory ?? process.cwd();
+		const homedir = options?.homedir ?? os.homedir();
+		const supportedAgents = getSupportedAgents(homedir);
+		const installedAgents = detectInstalledAgents(homedir);
+		const installedIds = new Set(installedAgents.map((agent) => agent.id));
+		const resolvedManifest = resolveManifestPath(directory);
+		const localSkills = resolvedManifest.exists ? Object.keys(JSON.parse(fs.readFileSync(resolvedManifest.path, "utf-8")).skills ?? {}) : [];
+		localSkills.sort();
+		const resolvedGlobalLock = resolveLockfilePath(path.join(homedir, ".tank"));
+		const globalSkills = resolvedGlobalLock.exists ? Object.keys(JSON.parse(fs.readFileSync(resolvedGlobalLock.path, "utf-8")).skills ?? {}).map(parseLockKey$3) : [];
+		const uniqueGlobal = Array.from(new Set(globalSkills)).sort();
+		const globalLinks = readGlobalLinks(homedir);
+		const devLinks = Object.entries(globalLinks.links).filter(([, entry]) => entry.source === "dev").map(([skillName]) => skillName).sort();
+		const suggestions = /* @__PURE__ */ new Set();
+		console.log(chalk.bold("Tank Doctor Report"));
+		console.log(chalk.bold("=================="));
+		printSectionHeader("Detected Agents");
+		for (const agent of supportedAgents) {
+			const installed = installedIds.has(agent.id);
+			const icon = installed ? chalk.green("✅") : chalk.red("❌");
+			const details = installed ? agent.skillsDir : chalk.gray("(not found)");
+			console.log(`  ${icon} ${agent.name}    ${details}`);
+		}
+		if (installedAgents.length === 0) suggestions.add("No agents detected. Install an AI agent to enable skill linking.");
+		const localLinksDir = path.join(directory, ".tank");
+		printSectionHeader(`Local Skills (${localSkills.length}):                          [project: ${directory}]`);
+		if (localSkills.length === 0) console.log("  none");
+		for (const skillName of localSkills) {
+			const extractDir = getExtractDir$2(path.join(directory, ".tank", "skills"), skillName);
+			const extractExists = fs.existsSync(extractDir);
+			const summary = summarizeStatus(skillName, getSkillLinkStatus({
+				skillName,
+				linksDir: localLinksDir,
+				homedir
+			}), extractExists, "local");
+			for (const issue of summary.issues) suggestions.add(issue);
+			console.log(`  ${skillName}  ${summary.statusText}`);
+		}
+		const globalLinksDir = path.join(homedir, ".tank");
+		const globalSkillsDir = getGlobalSkillsDir(homedir);
+		printSectionHeader(`Global Skills (${uniqueGlobal.length}):                         [${globalSkillsDir}]`);
+		if (uniqueGlobal.length === 0) console.log("  none");
+		for (const skillName of uniqueGlobal) {
+			const extractDir = getExtractDir$2(globalSkillsDir, skillName);
+			const extractExists = fs.existsSync(extractDir);
+			const summary = summarizeStatus(skillName, getSkillLinkStatus({
+				skillName,
+				linksDir: globalLinksDir,
+				homedir
+			}), extractExists, "global");
+			for (const issue of summary.issues) suggestions.add(issue);
+			console.log(`  ${skillName}  ${summary.statusText}`);
+		}
+		printSectionHeader(`Dev Links (${devLinks.length}):                             [tank link]`);
+		if (devLinks.length === 0) console.log("  none");
+		for (const skillName of devLinks) {
+			const summary = summarizeStatus(skillName, getSkillLinkStatus({
+				skillName,
+				linksDir: globalLinksDir,
+				homedir
+			}), true, "dev");
+			for (const issue of summary.issues) suggestions.add(issue);
+			console.log(`  ${skillName}  ${summary.statusText}`);
+		}
+		if (localSkills.length === 0 && uniqueGlobal.length === 0 && devLinks.length === 0) suggestions.add("Run `tank install @tank/typescript` to add your first skill");
+		printSectionHeader("Suggestions");
+		if (suggestions.size === 0) console.log("  none");
+		else for (const suggestion of suggestions) console.log(`  • ${suggestion}`);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.log(chalk.red(`Doctor report failed: ${message}`));
+		console.log("Suggestions:");
+		console.log("  • Run `tank install @tank/typescript` to add your first skill");
+	}
+}
+//#endregion
+//#region src/commands/info.ts
+function formatDate(iso) {
+	try {
+		return iso.split("T")[0];
+	} catch {
+		return iso;
+	}
+}
+function labelValue(label, value) {
+	return `${chalk.dim(label.padEnd(14))}${value}`;
+}
+async function infoCommand(options) {
+	const { name, configDir } = options;
+	const config = getConfig(configDir);
+	const encodedName = encodeURIComponent(name);
+	const metaUrl = `${config.registry}/api/v1/skills/${encodedName}`;
+	const headers = { "User-Agent": USER_AGENT };
+	if (config.token) headers.Authorization = `Bearer ${config.token}`;
+	let metaRes;
+	try {
+		metaRes = await fetch(metaUrl, { headers });
+	} catch (err) {
+		throw new Error(`Network error fetching skill info: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (metaRes.status === 404) {
+		console.log(`Skill not found: ${name}`);
+		return;
+	}
+	if (!metaRes.ok) {
+		const body = await metaRes.json().catch(() => null);
+		throw new Error(body?.error ?? `Failed to fetch skill info: ${metaRes.statusText}`);
+	}
+	const meta = await metaRes.json();
+	const versionUrl = `${config.registry}/api/v1/skills/${encodedName}/${meta.latestVersion}`;
+	let versionRes;
+	try {
+		versionRes = await fetch(versionUrl, { headers });
+	} catch (err) {
+		throw new Error(`Network error fetching version details: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	let versionData;
+	if (versionRes.ok) versionData = await versionRes.json();
+	console.log("");
+	console.log(chalk.bold(meta.name));
+	console.log("");
+	if (meta.description) console.log(labelValue("Description:", meta.description));
+	console.log(labelValue("Version:", meta.latestVersion));
+	if (meta.visibility) console.log(labelValue("Visibility:", meta.visibility));
+	console.log(labelValue("Publisher:", meta.publisher?.displayName ?? "unknown"));
+	if (versionData?.auditScore != null) console.log(labelValue("Audit Score:", `${versionData.auditScore}/10`));
+	console.log(labelValue("Created:", formatDate(meta.createdAt)));
+	const perms = versionData?.permissions;
+	if (perms) {
+		console.log("");
+		console.log(chalk.bold("Permissions:"));
+		const networkDomains = perms.network?.outbound;
+		if (networkDomains && networkDomains.length > 0) console.log(`  ${chalk.dim("Network:".padEnd(14))}${networkDomains.join(", ")}`);
+		const fsRead = perms.filesystem?.read;
+		const fsWrite = perms.filesystem?.write;
+		if (fsRead || fsWrite) {
+			const parts = [];
+			if (fsRead && fsRead.length > 0) parts.push(`${fsRead.join(", ")} (read)`);
+			if (fsWrite && fsWrite.length > 0) parts.push(`${fsWrite.join(", ")} (write)`);
+			console.log(`  ${chalk.dim("Filesystem:".padEnd(14))}${parts.join(", ")}`);
+		}
+		const subprocess = perms.subprocess;
+		console.log(`  ${chalk.dim("Subprocess:".padEnd(14))}${subprocess ? "yes" : "no"}`);
+	}
+	console.log("");
+	console.log(`Install: ${chalk.cyan(`tank install ${meta.name}`)}`);
+}
+//#endregion
+//#region src/commands/init.ts
+const NAME_PATTERN = /^(@[a-z0-9-]+\/)?[a-z0-9][a-z0-9-]*$/;
+const SEMVER_PATTERN = /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/;
+const MAX_NAME_LENGTH = 214;
+function validateName(value) {
+	if (!value) return "Name must not be empty";
+	if (value.length > MAX_NAME_LENGTH) return `Name must be ${MAX_NAME_LENGTH} characters or fewer`;
+	if (!NAME_PATTERN.test(value)) return "Name must be lowercase, alphanumeric + hyphens, optionally scoped (@org/name)";
+	return true;
+}
+function validateVersion(value) {
+	if (!SEMVER_PATTERN.test(value)) return "Version must be valid semver (e.g. 1.0.0)";
+	return true;
+}
+async function initCommand(options = {}) {
+	const cwd = process.cwd();
+	const resolved = resolveManifestPath(cwd);
+	const filePath = resolved.exists ? resolved.path : path.join(cwd, MANIFEST_FILENAME);
+	if (options.yes) {
+		const dirName = path.basename(cwd);
+		const name = options.name ?? dirName;
+		const version = options.version ?? "0.1.0";
+		const description = options.description ?? "";
+		const privateChoice = options.private ?? false;
+		const nameResult = validateName(name);
+		if (nameResult !== true) {
+			logger.error(nameResult);
+			return;
+		}
+		const versionResult = validateVersion(version);
+		if (versionResult !== true) {
+			logger.error(versionResult);
+			return;
+		}
+		if (resolved.exists) {
+			if (!options.force) {
+				logger.error(`${path.basename(resolved.path)} already exists. Use --force to overwrite.`);
+				return;
+			}
+		}
+		const manifest = {
+			name,
+			version,
+			...description ? { description } : {},
+			visibility: privateChoice ? "private" : "public",
+			skills: {},
+			permissions: {
+				network: { outbound: [] },
+				filesystem: {
+					read: [],
+					write: []
+				},
+				subprocess: false
+			}
+		};
+		const result = skillsJsonSchema.safeParse(manifest);
+		if (!result.success) {
+			logger.error(`Generated ${MANIFEST_FILENAME} is invalid:`);
+			for (const issue of result.error.issues) logger.error(`  ${issue.path.join(".")}: ${issue.message}`);
+			return;
+		}
+		fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
+		logger.success(`Created ${MANIFEST_FILENAME}`);
+		return;
+	}
+	if (resolved.exists) {
+		logger.warn(`${path.basename(resolved.path)} already exists in this directory.`);
+		if (!await confirm({
+			message: `Overwrite existing ${path.basename(resolved.path)}?`,
+			default: false
+		})) {
+			logger.info("Aborted.");
+			return;
+		}
+	}
+	const defaultAuthor = getConfig().user?.name ?? "";
+	const name = await input({
+		message: "Skill name:",
+		default: path.basename(cwd),
+		validate: validateName
+	});
+	const version = await input({
+		message: "Version:",
+		default: "0.1.0",
+		validate: validateVersion
+	});
+	const description = await input({
+		message: "Description:",
+		default: ""
+	});
+	const privateChoice = await confirm({
+		message: "Make this skill private?",
+		default: name.startsWith("@")
+	});
+	await input({
+		message: "Author:",
+		default: defaultAuthor
+	});
+	const manifest = {
+		name,
+		version,
+		...description ? { description } : {},
+		visibility: privateChoice ? "private" : "public",
+		skills: {},
+		permissions: {
+			network: { outbound: [] },
+			filesystem: {
+				read: [],
+				write: []
+			},
+			subprocess: false
+		}
+	};
+	const result = skillsJsonSchema.safeParse(manifest);
+	if (!result.success) {
+		logger.error(`Generated ${MANIFEST_FILENAME} is invalid:`);
+		for (const issue of result.error.issues) logger.error(`  ${issue.path.join(".")}: ${issue.message}`);
+		return;
+	}
+	fs.writeFileSync(filePath, `${JSON.stringify(manifest, null, 2)}\n`);
+	logger.success(`Created ${MANIFEST_FILENAME}`);
+}
+//#endregion
+//#region ../internals-helpers/dist/index.js
+function resolve(range, versions) {
+	try {
+		if (!range || !semver.validRange(range)) return null;
+		const validVersions = versions.filter((v) => semver.valid(v) !== null);
+		if (validVersions.length === 0) return null;
+		return semver.maxSatisfying(validVersions, range) ?? null;
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/lib/frontmatter.ts
+function hasFrontmatter(content) {
+	return /^---\s*\n/.test(content);
+}
+function stripScope(skillName) {
+	const match = skillName.match(/^@[^/]+\/(.+)$/);
+	if (!match) return skillName;
+	return match[1] ?? skillName;
+}
+function extractDescriptionFromMarkdown(content) {
+	const lines = content.split(/\r?\n/);
+	const firstLine = lines.find((line) => line.trim().length > 0);
+	if (firstLine && /^#\s+/.test(firstLine)) return firstLine.replace(/^#\s+/, "").trim();
+	let seenHeading = false;
+	let paragraphLines = [];
+	for (const line of lines) {
+		const trimmed = line.trim();
+		if (/^#{1,6}\s+/.test(trimmed)) {
+			seenHeading = true;
+			paragraphLines = [];
+			continue;
+		}
+		if (!seenHeading) continue;
+		if (trimmed.length === 0) {
+			if (paragraphLines.length > 0) break;
+			continue;
+		}
+		paragraphLines.push(trimmed);
+	}
+	if (paragraphLines.length > 0) {
+		const paragraph = paragraphLines.join(" ").trim();
+		const match = paragraph.match(/^(.+?[.!?])(\s|$)/);
+		return (match ? match[1] : paragraph).trim();
+	}
+	return "An AI agent skill";
+}
+function generateFrontmatter(name, description) {
+	return `---\nname: ${name}\ndescription: |\n${description.split(/\r?\n/).map((line) => `  ${line}`).join("\n")}\n---\n\n`;
+}
+function prepareAgentSkillDir(options) {
+	const { skillName, extractDir, agentSkillsBaseDir, description } = options;
+	const symlinkName = getSymlinkName(skillName);
+	const targetDir = path.resolve(agentSkillsBaseDir, symlinkName);
+	fs.mkdirSync(targetDir, { recursive: true });
+	const sourceSkillPath = path.join(extractDir, "SKILL.md");
+	const targetSkillPath = path.join(targetDir, "SKILL.md");
+	const baseName = stripScope(skillName);
+	if (!fs.existsSync(sourceSkillPath)) {
+		const minimal = generateFrontmatter(baseName, description ?? "An AI agent skill");
+		fs.writeFileSync(targetSkillPath, minimal, "utf-8");
+	} else {
+		const content = fs.readFileSync(sourceSkillPath, "utf-8");
+		if (hasFrontmatter(content)) fs.writeFileSync(targetSkillPath, content, "utf-8");
+		else {
+			const frontmatter = generateFrontmatter(baseName, description ?? extractDescriptionFromMarkdown(content));
+			fs.writeFileSync(targetSkillPath, `${frontmatter}${content}`, "utf-8");
+		}
+	}
+	const entries = fs.readdirSync(extractDir, { withFileTypes: true });
+	for (const entry of entries) {
+		if (entry.name === "SKILL.md") continue;
+		const sourcePath = path.join(extractDir, entry.name);
+		const targetPath = path.join(targetDir, entry.name);
+		fs.cpSync(sourcePath, targetPath, { recursive: true });
+	}
+	return targetDir;
+}
+//#endregion
+//#region src/commands/install.ts
+function createRegistryFetcher(registry, headers) {
+	const versionsCache = /* @__PURE__ */ new Map();
+	const metadataCache = /* @__PURE__ */ new Map();
+	return {
+		async fetchVersions(name) {
+			const cached = versionsCache.get(name);
+			if (cached) return cached;
+			const encoded = encodeURIComponent(name);
+			let res;
+			try {
+				res = await fetch(`${registry}/api/v1/skills/${encoded}/versions`, { headers });
+			} catch (err) {
+				throw new Error(`Network error fetching versions: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			if (!res.ok) {
+				if (res.status === 403) throw new Error("Token lacks required scope: skills:read");
+				if (res.status === 404) throw new Error(`Skill not found or no access: ${name}`);
+				const body = await res.json().catch(() => null);
+				throw new Error(body?.error ?? res.statusText);
+			}
+			const data = await res.json();
+			versionsCache.set(name, data.versions);
+			return data.versions;
+		},
+		async fetchMetadata(name, version) {
+			const cacheKey = buildSkillKey(name, version);
+			const cached = metadataCache.get(cacheKey);
+			if (cached) return cached;
+			const encoded = encodeURIComponent(name);
+			let res;
+			try {
+				res = await fetch(`${registry}/api/v1/skills/${encoded}/${version}`, { headers });
+			} catch (err) {
+				throw new Error(`Network error fetching metadata: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			if (!res.ok) {
+				if (res.status === 403) throw new Error("Token lacks required scope: skills:read");
+				if (res.status === 404) throw new Error(`Skill not found or no access: ${name}@${version}`);
+				const body = await res.json().catch(() => null);
+				throw new Error(body?.error ?? res.statusText);
+			}
+			const data = await res.json();
+			const normalized = {
+				...data,
+				dependencies: data.dependencies ?? {}
+			};
+			metadataCache.set(cacheKey, normalized);
+			return normalized;
+		}
+	};
+}
+function readSkillsJson(skillsJsonPath) {
+	try {
+		const raw = fs.readFileSync(skillsJsonPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(skillsJsonPath)}`);
+	}
+}
+function readOrCreateSkillsJson(skillsJsonPath) {
+	if (!fs.existsSync(skillsJsonPath)) {
+		const skillsJson = { skills: {} };
+		fs.writeFileSync(skillsJsonPath, `${JSON.stringify(skillsJson, null, 2)}\n`);
+		logger.info(`Created ${MANIFEST_FILENAME}`);
+		return skillsJson;
+	}
+	return readSkillsJson(skillsJsonPath);
+}
+function readLockOrFresh(lockPath) {
+	if (!fs.existsSync(lockPath)) return {
+		lockfileVersion: 2,
+		skills: {}
+	};
+	try {
+		const raw = fs.readFileSync(lockPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return {
+			lockfileVersion: 2,
+			skills: {}
+		};
+	}
+}
+function buildLockedVersionByName(lock) {
+	const lockedVersionByName = /* @__PURE__ */ new Map();
+	for (const key of Object.keys(lock.skills)) lockedVersionByName.set(parseLockKey$2(key), parseVersionFromLockKey(key));
+	return lockedVersionByName;
+}
+function createExtractDirResolver(directory, global, resolvedHome) {
+	return (skillName) => global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir$1(directory, skillName);
+}
+function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore) {
+	if (!projectPermissions) logger.warn(`No permission budget defined in ${MANIFEST_FILENAME}. Install proceeding without permission checks.`);
+	for (const node of resolvedNodes) {
+		if (projectPermissions) checkPermissionBudget(projectPermissions, node.meta.permissions, node.name);
+		if (auditMinScore !== void 0) {
+			if (node.meta.auditScore === null || node.meta.auditScore === void 0) logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
+			else if (node.meta.auditScore < auditMinScore) throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in ${MANIFEST_FILENAME}`);
+		}
+	}
+}
+async function runLegacyFallback(options) {
+	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, configDir, global, homedir } = options;
+	for (const skillName of rootSkillNames) {
+		const node = resolvedNodeByName.get(skillName);
+		if (!node || Object.keys(node.meta.dependencies).length > 0) continue;
+		const extractedDeps = readExtractedDependencies(extractDirForSkill(skillName));
+		for (const [depName, depRange] of Object.entries(extractedDeps)) {
+			if (depName === skillName) continue;
+			await installCommand({
+				name: depName,
+				versionRange: depRange,
+				directory,
+				configDir,
+				global,
+				homedir,
+				isTransitive: true
+			});
+		}
+	}
+}
+function linkInstalledRoots(options) {
+	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, global, resolvedHome, homedir } = options;
+	const agentSkillsBaseDir = global ? getGlobalAgentSkillsDir(resolvedHome) : path.join(directory, ".tank", "agent-skills");
+	const linksDir = global ? path.join(resolvedHome, ".tank") : path.join(directory, ".tank");
+	for (const skillName of rootSkillNames) try {
+		const node = resolvedNodeByName.get(skillName);
+		if (!node) continue;
+		const linkResult = linkSkillToAgents({
+			skillName,
+			sourceDir: prepareAgentSkillDir({
+				skillName,
+				extractDir: extractDirForSkill(skillName),
+				agentSkillsBaseDir,
+				description: node.meta.description
+			}),
+			linksDir,
+			source: global ? "global" : "local",
+			homedir
+		});
+		if (linkResult.linked.length > 0) logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
+		if (linkResult.failed.length > 0) for (const failedLink of linkResult.failed) logger.warn(`Failed to link to ${failedLink.agentId}: ${failedLink.error}`);
+	} catch {
+		if (rootSkillNames.length === 1) logger.warn("Agent linking skipped (non-fatal)");
+		else logger.warn(`Agent linking skipped for ${skillName} (non-fatal)`);
+	}
+	if (detectInstalledAgents(homedir).length === 0) logger.warn("No agents detected for linking");
+}
+async function executeInstallPipeline(options) {
+	const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner } = options;
+	if (!global) validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore);
+	const extractDirForSkill = createExtractDirResolver(directory, global, resolvedHome);
+	const resolvedNodeByName = new Map(resolvedNodes.map((node) => [node.name, node]));
+	const downloaded = await downloadAllParallel(nodesToInstall, (msg) => {
+		spinner.text = msg;
+	});
+	for (const node of nodesToInstall) {
+		const payload = downloaded.get(node.name);
+		if (!payload) throw new Error(`Missing downloaded tarball for ${node.name}@${node.version}`);
+		spinner.text = `Extracting ${node.name}@${node.version}...`;
+		const extractDir = extractDirForSkill(node.name);
+		fs.mkdirSync(extractDir, { recursive: true });
+		await extractSafely(payload.buffer, extractDir);
+		verifyExtractedDependencies(extractDir, node);
+	}
+	lock.lockfileVersion = 2;
+	const updatedLock = writeLockfileWithResolvedGraph(lock, resolvedNodes, downloaded);
+	fs.mkdirSync(path.dirname(lockPath), { recursive: true });
+	fs.writeFileSync(lockPath, `${JSON.stringify(updatedLock, null, 2)}\n`);
+	await runLegacyFallback({
+		rootSkillNames,
+		resolvedNodeByName,
+		extractDirForSkill,
+		directory,
+		configDir,
+		global,
+		homedir
+	});
+	linkInstalledRoots({
+		rootSkillNames,
+		resolvedNodeByName,
+		extractDirForSkill,
+		directory,
+		global,
+		resolvedHome,
+		homedir
+	});
+	return updatedLock;
+}
+async function installCommand(options) {
+	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false } = options;
+	const config = getConfig(configDir);
+	const resolvedHome = homedir ?? os.homedir();
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const resolvedManifest = resolveManifestPath(directory);
+	const skillsJsonPath = resolvedManifest.exists ? resolvedManifest.path : path.join(directory, MANIFEST_FILENAME);
+	const skillsJson = global ? { skills: {} } : readOrCreateSkillsJson(skillsJsonPath);
+	const resolvedLock = global ? resolveLockfilePath(path.join(resolvedHome, ".tank")) : resolveLockfilePath(directory);
+	const lockPath = resolvedLock.exists ? resolvedLock.path : global ? path.join(resolvedHome, ".tank", LOCKFILE_FILENAME) : path.join(directory, LOCKFILE_FILENAME);
+	const lock = readLockOrFresh(lockPath);
+	const spinner = ora("Resolving dependency graph...").start();
+	try {
+		const fetcher = createRegistryFetcher(config.registry, requestHeaders);
+		const requestedAvailableVersions = (await fetcher.fetchVersions(name)).map((versionInfo) => versionInfo.version);
+		const requestedResolvedVersion = resolve(versionRange, requestedAvailableVersions);
+		if (!requestedResolvedVersion) throw new Error(`No version of ${name} satisfies range "${versionRange}". Available: ${requestedAvailableVersions.join(", ")}`);
+		const requestedLockKey = buildSkillKey(name, requestedResolvedVersion);
+		if (lock.skills[requestedLockKey]) {
+			logger.info(`${name}@${requestedResolvedVersion} is already installed`);
+			spinner.succeed(`${name}@${requestedResolvedVersion} is already installed`);
+			return;
+		}
+		const rootDependencies = {};
+		if (!global && !isTransitive) {
+			const existingSkills = skillsJson.skills ?? {};
+			const lockedVersionByName = buildLockedVersionByName(lock);
+			for (const [skillName, range] of Object.entries(existingSkills)) {
+				if (typeof range !== "string") continue;
+				rootDependencies[skillName] = lockedVersionByName.get(skillName) ?? range;
+			}
+		}
+		rootDependencies[name] = versionRange;
+		const resolvedGraph = await resolveDependencyTree(rootDependencies, fetcher);
+		const resolvedNodes = getResolvedNodesInOrder(resolvedGraph.nodes, resolvedGraph.installOrder);
+		const rootNode = resolvedGraph.nodes.get(name);
+		if (!rootNode) throw new Error(`Failed to resolve requested skill: ${name}`);
+		const nodesToInstall = resolvedNodes.filter((node) => {
+			const lockKey = buildSkillKey(node.name, node.version);
+			return !lock.skills[lockKey];
+		});
+		const projectPermissions = global ? void 0 : skillsJson.permissions;
+		const auditMinScore = global ? void 0 : skillsJson.audit?.min_score;
+		await executeInstallPipeline({
+			directory,
+			configDir,
+			global,
+			homedir,
+			resolvedHome,
+			lock,
+			lockPath,
+			resolvedNodes,
+			nodesToInstall,
+			rootSkillNames: [name],
+			projectPermissions,
+			auditMinScore,
+			spinner
+		});
+		if (!global && !isTransitive) {
+			const skills = skillsJson.skills ?? {};
+			skills[name] = versionRange === "*" ? `^${rootNode.version}` : versionRange;
+			skillsJson.skills = skills;
+			fs.writeFileSync(skillsJsonPath, `${JSON.stringify(skillsJson, null, 2)}\n`);
+		}
+		spinner.succeed(`Installed ${name}@${rootNode.version}`);
+	} catch (err) {
+		spinner.fail("Install failed");
+		throw err;
+	}
+}
+async function installFromLockfile(options) {
+	const { directory = process.cwd(), configDir, global = false, homedir } = options;
+	const resolvedHome = homedir ?? os.homedir();
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const resolvedLock = global ? resolveLockfilePath(path.join(resolvedHome, ".tank")) : resolveLockfilePath(directory);
+	const lockPath = resolvedLock.path;
+	if (!resolvedLock.exists) throw new Error(`No ${LOCKFILE_FILENAME} found in ${directory}`);
+	let lock;
+	try {
+		const raw = fs.readFileSync(lockPath, "utf-8");
+		lock = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(lockPath)}`);
+	}
+	const entries = Object.entries(lock.skills);
+	if (entries.length === 0) {
+		logger.info("No skills in lockfile");
+		return;
+	}
+	const spinner = ora("Installing from lockfile...").start();
+	const skillsDir = global ? getGlobalSkillsDir(resolvedHome) : path.join(directory, ".tank", "skills");
+	try {
+		for (const [key, entry] of entries) {
+			const skillName = parseLockKey$2(key);
+			const version = parseVersionFromLockKey(key);
+			spinner.text = `Installing ${key}...`;
+			const encodedName = encodeURIComponent(skillName);
+			const metaUrl = `${config.registry}/api/v1/skills/${encodedName}/${version}`;
+			let metaRes;
+			try {
+				metaRes = await fetch(metaUrl, { headers: requestHeaders });
+			} catch (err) {
+				throw new Error(`Network error fetching ${key}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			if (!metaRes.ok) {
+				if (metaRes.status === 404) throw new Error(`Skill or version not found: ${key}`);
+				const body = await metaRes.json().catch(() => null);
+				throw new Error(`Failed to fetch ${key}: ${body?.error ?? metaRes.statusText}`);
+			}
+			const downloadUrl = (await metaRes.json()).downloadUrl;
+			const downloadRes = await fetch(downloadUrl);
+			if (!downloadRes.ok) throw new Error(`Failed to download ${key}: ${downloadRes.status} ${downloadRes.statusText}`);
+			const tarballBuffer = Buffer.from(await downloadRes.arrayBuffer());
+			const computedIntegrity = buildIntegrity(tarballBuffer);
+			if (computedIntegrity !== entry.integrity) throw new Error(`Integrity mismatch for ${key}. Expected: ${entry.integrity}, Got: ${computedIntegrity}`);
+			const extractDir = global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir$1(directory, skillName);
+			if (fs.existsSync(extractDir)) fs.rmSync(extractDir, {
+				recursive: true,
+				force: true
+			});
+			fs.mkdirSync(extractDir, { recursive: true });
+			await extractSafely(tarballBuffer, extractDir);
+			if (global) try {
+				const linkResult = linkSkillToAgents({
+					skillName,
+					sourceDir: prepareAgentSkillDir({
+						skillName,
+						extractDir,
+						agentSkillsBaseDir: getGlobalAgentSkillsDir(resolvedHome)
+					}),
+					linksDir: path.join(resolvedHome, ".tank"),
+					source: "global",
+					homedir
+				});
+				if (detectInstalledAgents(homedir).length === 0) logger.warn("No agents detected for linking");
+				if (linkResult.linked.length > 0) logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
+				if (linkResult.failed.length > 0) for (const failedLink of linkResult.failed) logger.warn(`Failed to link to ${failedLink.agentId}: ${failedLink.error}`);
+			} catch {
+				logger.warn("Agent linking skipped (non-fatal)");
+			}
+		}
+		spinner.succeed(`Installed ${entries.length} skill${entries.length === 1 ? "" : "s"} from lockfile`);
+	} catch (err) {
+		spinner.fail("Install from lockfile failed");
+		if (fs.existsSync(skillsDir)) fs.rmSync(skillsDir, {
+			recursive: true,
+			force: true
+		});
+		throw err;
+	}
+}
+async function installAll(options) {
+	const { directory = process.cwd(), configDir, global = false, homedir } = options;
+	const resolvedHome = homedir ?? os.homedir();
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const resolvedLock = global ? resolveLockfilePath(path.join(resolvedHome, ".tank")) : resolveLockfilePath(directory);
+	const lockPath = resolvedLock.exists ? resolvedLock.path : global ? path.join(resolvedHome, ".tank", LOCKFILE_FILENAME) : path.join(directory, LOCKFILE_FILENAME);
+	const resolvedManifest = resolveManifestPath(directory);
+	const skillsJsonPath = resolvedManifest.path;
+	if (resolvedLock.exists) return installFromLockfile({
+		directory,
+		configDir,
+		global,
+		homedir
+	});
+	if (global) {
+		logger.info(`No ${LOCKFILE_FILENAME} found — nothing to install`);
+		return;
+	}
+	if (!resolvedManifest.exists) {
+		logger.info(`No ${MANIFEST_FILENAME} found — nothing to install`);
+		return;
+	}
+	const skillsJson = readSkillsJson(skillsJsonPath);
+	const skills = skillsJson.skills ?? {};
+	const skillEntries = Object.entries(skills);
+	if (skillEntries.length === 0) {
+		logger.info(`No skills defined in ${MANIFEST_FILENAME}`);
+		return;
+	}
+	const spinner = ora("Resolving dependency graph...").start();
+	try {
+		const rootDependencies = {};
+		for (const [skillName, range] of skillEntries) if (typeof range === "string") rootDependencies[skillName] = range;
+		const resolvedGraph = await resolveDependencyTree(rootDependencies, createRegistryFetcher(config.registry, requestHeaders));
+		const resolvedNodes = getResolvedNodesInOrder(resolvedGraph.nodes, resolvedGraph.installOrder);
+		const lock = {
+			lockfileVersion: 2,
+			skills: {}
+		};
+		const projectPermissions = skillsJson.permissions;
+		const auditMinScore = skillsJson.audit?.min_score;
+		await executeInstallPipeline({
+			directory,
+			configDir,
+			global,
+			homedir,
+			resolvedHome,
+			lock,
+			lockPath,
+			resolvedNodes,
+			nodesToInstall: resolvedNodes,
+			rootSkillNames: skillEntries.map(([skillName]) => skillName),
+			projectPermissions,
+			auditMinScore,
+			spinner
+		});
+		spinner.succeed(`Installed ${skillEntries.length} root skill${skillEntries.length === 1 ? "" : "s"}`);
+	} catch (err) {
+		spinner.fail("Install failed");
+		throw err;
+	}
+}
+function buildIntegrity(buffer) {
+	return `sha512-${crypto$1.createHash("sha512").update(buffer).digest("base64")}`;
+}
+//#endregion
+//#region src/commands/link.ts
+async function linkCommand(options = {}) {
+	const workDir = options.directory ?? process.cwd();
+	const homedir = options.homedir ?? os.homedir();
+	const resolvedManifest = resolveManifestPath(workDir);
+	if (!resolvedManifest.exists) throw new Error(`No ${MANIFEST_FILENAME} found. Run this command from a skill directory.`);
+	let skillsJson;
+	try {
+		const raw = fs.readFileSync(resolvedManifest.path, "utf-8");
+		skillsJson = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(resolvedManifest.path)}`);
+	}
+	const skillName = skillsJson.name;
+	if (typeof skillName !== "string" || skillName.trim().length === 0) throw new Error(`Missing 'name' in ${path.basename(resolvedManifest.path)}`);
+	const description = typeof skillsJson.description === "string" ? skillsJson.description : void 0;
+	const agents = detectInstalledAgents(options.homedir);
+	if (agents.length === 0) {
+		logger.info("No AI agents detected. Skills linked to agents will be available once agents are installed.");
+		return;
+	}
+	const skillMdPath = path.join(workDir, "SKILL.md");
+	let sourceDir = workDir;
+	if (fs.existsSync(skillMdPath)) {
+		if (!hasFrontmatter(fs.readFileSync(skillMdPath, "utf-8"))) sourceDir = prepareAgentSkillDir({
+			skillName,
+			extractDir: workDir,
+			agentSkillsBaseDir: getGlobalAgentSkillsDir(homedir),
+			description
+		});
+	} else sourceDir = prepareAgentSkillDir({
+		skillName,
+		extractDir: workDir,
+		agentSkillsBaseDir: getGlobalAgentSkillsDir(homedir),
+		description
+	});
+	readGlobalLinks(homedir);
+	const result = linkSkillToAgents({
+		skillName,
+		sourceDir,
+		linksDir: path.join(homedir, ".tank"),
+		source: "dev",
+		homedir: options.homedir
+	});
+	const agentNames = new Map(agents.map((agent) => [agent.id, agent.name]));
+	for (const agentId of result.linked) logger.success(agentNames.get(agentId) ?? agentId);
+	for (const agentId of result.skipped) {
+		const name = agentNames.get(agentId) ?? agentId;
+		logger.warn(`- ${name} (already linked)`);
+	}
+	for (const failure of result.failed) {
+		const name = agentNames.get(failure.agentId) ?? failure.agentId;
+		logger.error(`${name}: ${failure.error}`);
+	}
+	logger.success(`Linked ${skillName} to ${result.linked.length} agent(s)`);
+}
+//#endregion
+//#region src/commands/login.ts
+const DEFAULT_POLL_INTERVAL_MS = 2e3;
+const DEFAULT_TIMEOUT_MS = 300 * 1e3;
+/**
+* Start the CLI login flow:
+* 1. Generate random state
+* 2. POST /api/v1/cli-auth/start → get authUrl + sessionCode
+* 3. Open browser to authUrl
+* 4. Poll POST /api/v1/cli-auth/exchange until authorized or timeout
+* 5. Write token + user to config
+*/
+async function loginCommand(options = {}) {
+	const { configDir, timeout = DEFAULT_TIMEOUT_MS, pollInterval = DEFAULT_POLL_INTERVAL_MS } = options;
+	const baseUrl = getConfig(configDir).registry;
+	const state = crypto.randomUUID();
+	authFlowLog.info({ state: `${state.slice(0, 8)}...` }, "Login flow started");
+	logger.info("Starting login...");
+	let authUrl;
+	let sessionCode;
+	try {
+		const startRes = await fetch(`${baseUrl}/api/v1/cli-auth/start`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ state })
+		});
+		if (!startRes.ok) {
+			const body = await startRes.json().catch(() => null);
+			authFlowLog.error({
+				status: startRes.status,
+				error: body?.error
+			}, "Start request failed");
+			throw new Error(`Failed to start auth session: ${body?.error ?? startRes.statusText}`);
+		}
+		authFlowLog.info({
+			ok: startRes.ok,
+			status: startRes.status
+		}, "Start response received");
+		const startData = await startRes.json();
+		authUrl = startData.authUrl;
+		sessionCode = startData.sessionCode;
+		authFlowLog.info({
+			authUrl,
+			sessionCode: `${sessionCode.slice(0, 8)}...`
+		}, "Session created, opening browser");
+	} catch (err) {
+		if (err instanceof Error && err.message.startsWith("Failed to start auth session:")) throw err;
+		authFlowLog.error({ error: err instanceof Error ? err.message : String(err) }, "Start request failed");
+		throw new Error(`Could not reach registry at ${baseUrl}. Check your internet connection or registry URL.\n  Error: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	try {
+		await open(authUrl);
+		logger.info("Opened browser for authentication.");
+	} catch {
+		logger.warn("Could not open browser automatically.");
+		logger.info(`Open this URL in your browser:\n  ${authUrl}`);
+	}
+	logger.info("Waiting for authorization...");
+	const deadline = Date.now() + timeout;
+	while (Date.now() < deadline) {
+		try {
+			const exchangeRes = await fetch(`${baseUrl}/api/v1/cli-auth/exchange`, {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					sessionCode,
+					state
+				})
+			});
+			authFlowLog.debug({
+				status: exchangeRes.status,
+				ok: exchangeRes.ok
+			}, "Exchange poll response");
+			if (exchangeRes.ok) {
+				const { token, user } = await exchangeRes.json();
+				authFlowLog.info({
+					userName: user.name,
+					userEmail: user.email
+				}, "Login successful, saving config");
+				setConfig({
+					token,
+					user
+				}, configDir);
+				const displayName = user.name ?? user.email ?? "unknown";
+				logger.success(`Logged in as ${displayName}`);
+				return;
+			}
+			if (exchangeRes.status !== 400) {
+				const body = await exchangeRes.json().catch(() => null);
+				throw new Error(`Exchange failed: ${body?.error ?? exchangeRes.statusText}`);
+			}
+		} catch (err) {
+			authFlowLog.warn({ error: err instanceof Error ? err.message : String(err) }, "Exchange poll error");
+			if (err instanceof Error && err.message.startsWith("Exchange failed:")) throw err;
+		}
+		await new Promise((resolve) => setTimeout(resolve, pollInterval));
+	}
+	authFlowLog.error({}, "Login timed out");
+	throw new Error("Login timed out. Please try again.");
+}
+//#endregion
+//#region src/commands/logout.ts
+/**
+* Logout command: Remove token and user from config.
+* If not logged in, prints "Not logged in" and returns.
+* If logged in, removes token and user, prints success message.
+*/
+async function logoutCommand(options = {}) {
+	const { configDir } = options;
+	if (!getConfig(configDir).token) {
+		logger.warn("Not logged in. Run: tank login");
+		return;
+	}
+	setConfig({
+		token: void 0,
+		user: void 0
+	}, configDir);
+	logger.success("Logged out");
+}
+//#endregion
+//#region src/commands/migrate.ts
+async function migrateCommand(options = {}) {
+	const dir = options.directory ?? process.cwd();
+	let migrated = false;
+	const legacyManifest = path.join(dir, LEGACY_MANIFEST_FILENAME);
+	const newManifest = path.join(dir, MANIFEST_FILENAME);
+	if (fs.existsSync(newManifest)) logger.info(`${MANIFEST_FILENAME} already exists — skipping manifest migration`);
+	else if (fs.existsSync(legacyManifest)) {
+		fs.copyFileSync(legacyManifest, newManifest);
+		logger.success(`${LEGACY_MANIFEST_FILENAME} → ${MANIFEST_FILENAME}`);
+		migrated = true;
+	} else logger.info(`No ${LEGACY_MANIFEST_FILENAME} found — nothing to migrate`);
+	const legacyLock = path.join(dir, LEGACY_LOCKFILE_FILENAME);
+	const newLock = path.join(dir, LOCKFILE_FILENAME);
+	if (fs.existsSync(newLock)) logger.info(`${LOCKFILE_FILENAME} already exists — skipping lockfile migration`);
+	else if (fs.existsSync(legacyLock)) {
+		fs.copyFileSync(legacyLock, newLock);
+		logger.success(`${LEGACY_LOCKFILE_FILENAME} → ${LOCKFILE_FILENAME}`);
+		migrated = true;
+	} else logger.info(`No ${LEGACY_LOCKFILE_FILENAME} found — nothing to migrate`);
+	if (migrated) {
+		logger.info("Old files were kept. Remove them when ready:");
+		if (fs.existsSync(legacyManifest) && fs.existsSync(newManifest)) logger.info(`  rm ${LEGACY_MANIFEST_FILENAME}`);
+		if (fs.existsSync(legacyLock) && fs.existsSync(newLock)) logger.info(`  rm ${LEGACY_LOCKFILE_FILENAME}`);
+		logger.info("If your .gitignore or CI configs reference the old filenames, update them too.");
+	} else logger.info("Already migrated — nothing to do");
+}
+//#endregion
+//#region src/commands/permissions.ts
+/**
+* Parse a lockfile key like "@org/skill@1.0.0" into the skill name "@org/skill".
+*/
+function parseSkillName(key) {
+	const lastAt = key.lastIndexOf("@");
+	if (lastAt > 0) return key.slice(0, lastAt);
+	return key;
+}
+function collectPermissions(lockfile) {
+	const networkMap = /* @__PURE__ */ new Map();
+	const fsReadMap = /* @__PURE__ */ new Map();
+	const fsWriteMap = /* @__PURE__ */ new Map();
+	const subprocessSkills = [];
+	for (const [key, entry] of Object.entries(lockfile.skills)) {
+		const skillName = parseSkillName(key);
+		const perms = entry.permissions;
+		if (perms.network?.outbound) for (const domain of perms.network.outbound) {
+			const existing = networkMap.get(domain) ?? [];
+			existing.push(skillName);
+			networkMap.set(domain, existing);
+		}
+		if (perms.filesystem?.read) for (const p of perms.filesystem.read) {
+			const existing = fsReadMap.get(p) ?? [];
+			existing.push(skillName);
+			fsReadMap.set(p, existing);
+		}
+		if (perms.filesystem?.write) for (const p of perms.filesystem.write) {
+			const existing = fsWriteMap.get(p) ?? [];
+			existing.push(skillName);
+			fsWriteMap.set(p, existing);
+		}
+		if (perms.subprocess === true) subprocessSkills.push(skillName);
+	}
+	const toEntries = (map) => Array.from(map.entries()).map(([value, skills]) => ({
+		value,
+		skills
+	}));
+	return {
+		networkOutbound: toEntries(networkMap),
+		filesystemRead: toEntries(fsReadMap),
+		filesystemWrite: toEntries(fsWriteMap),
+		subprocess: subprocessSkills
+	};
+}
+/**
+* Check if a domain is allowed by the budget's domain list.
+* Supports wildcard matching: *.example.com matches sub.example.com
+*/
+function isDomainAllowed(domain, allowedDomains) {
+	for (const allowed of allowedDomains) {
+		if (allowed === domain) return true;
+		if (allowed.startsWith("*.")) {
+			const suffix = allowed.slice(1);
+			if (domain.endsWith(suffix) || domain === allowed.slice(2)) return true;
+			if (domain === allowed) return true;
+		}
+	}
+	return false;
+}
+/**
+* Check if a path is allowed by the budget's path list.
+*/
+function isPathAllowed(requestedPath, allowedPaths) {
+	for (const allowed of allowedPaths) {
+		if (allowed === requestedPath) return true;
+		if (allowed.endsWith("/**")) {
+			const prefix = allowed.slice(0, -3);
+			if (requestedPath.startsWith(prefix)) return true;
+		}
+	}
+	return false;
+}
+function checkBudget(resolved, budget) {
+	const violations = [];
+	const budgetDomains = budget.network?.outbound ?? [];
+	for (const entry of resolved.networkOutbound) if (!isDomainAllowed(entry.value, budgetDomains)) violations.push({
+		category: "network outbound",
+		value: entry.value,
+		skills: entry.skills
+	});
+	const budgetReadPaths = budget.filesystem?.read ?? [];
+	for (const entry of resolved.filesystemRead) if (!isPathAllowed(entry.value, budgetReadPaths)) violations.push({
+		category: "filesystem read",
+		value: entry.value,
+		skills: entry.skills
+	});
+	const budgetWritePaths = budget.filesystem?.write ?? [];
+	for (const entry of resolved.filesystemWrite) if (!isPathAllowed(entry.value, budgetWritePaths)) violations.push({
+		category: "filesystem write",
+		value: entry.value,
+		skills: entry.skills
+	});
+	if (resolved.subprocess.length > 0 && budget.subprocess !== true) violations.push({
+		category: "subprocess",
+		value: "subprocess access",
+		skills: resolved.subprocess
+	});
+	return violations;
+}
+function formatAttribution(skills) {
+	return chalk.gray(`← ${skills.join(", ")}`);
+}
+function printPermissionSection(title, entries) {
+	console.log(`\n${chalk.bold(title)}:`);
+	if (entries.length === 0) console.log("  none");
+	else for (const entry of entries) console.log(`  ${entry.value}    ${formatAttribution(entry.skills)}`);
+}
+async function permissionsCommand(options) {
+	const dir = options?.directory ?? process.cwd();
+	const resolvedLock = resolveLockfilePath(dir);
+	if (!resolvedLock.exists) {
+		console.log("No skills installed.");
+		return;
+	}
+	const lockfileContent = fs.readFileSync(resolvedLock.path, "utf-8");
+	const lockfile = JSON.parse(lockfileContent);
+	if (!lockfile.skills || Object.keys(lockfile.skills).length === 0) {
+		console.log("No skills installed.");
+		return;
+	}
+	const resolved = collectPermissions(lockfile);
+	console.log("\nResolved permissions for this project:\n");
+	printPermissionSection("Network (outbound)", resolved.networkOutbound);
+	printPermissionSection("Filesystem (read)", resolved.filesystemRead);
+	printPermissionSection("Filesystem (write)", resolved.filesystemWrite);
+	console.log(`\n${chalk.bold("Subprocess")}:`);
+	if (resolved.subprocess.length === 0) console.log("  none");
+	else console.log(`  allowed    ${formatAttribution(resolved.subprocess)}`);
+	const resolvedManifest = resolveManifestPath(dir);
+	let budget;
+	if (resolvedManifest.exists) {
+		const skillsJsonContent = fs.readFileSync(resolvedManifest.path, "utf-8");
+		budget = JSON.parse(skillsJsonContent).permissions;
+	}
+	console.log("");
+	if (!budget) {
+		console.log(`Budget status: ${chalk.yellow("⚠ No budget defined")}`);
+		return;
+	}
+	const violations = checkBudget(resolved, budget);
+	if (violations.length === 0) console.log(`Budget status: ${chalk.green("✓ PASS")} (all within budget)`);
+	else {
+		console.log(`Budget status: ${chalk.red("✗ FAIL")}`);
+		for (const v of violations) console.log(chalk.red(`  - ${v.category}: "${v.value}" not in budget (requested by ${v.skills.join(", ")})`));
+	}
+}
+//#endregion
+//#region src/lib/packer.ts
+const MAX_PACKAGE_SIZE = 50 * 1024 * 1024;
+const MAX_FILE_COUNT = 1e3;
+const DEFAULT_IGNORES = [
+	"node_modules",
+	".git",
+	".env*",
+	"*.log",
+	".tank",
+	".DS_Store"
+];
+const ALWAYS_IGNORED = ["node_modules", ".git"];
+const IGNORE_FILES = [".tankignore", ".gitignore"];
+/**
+* Pack a skill directory into a .tgz tarball with integrity hashing.
+*
+* Validates:
+* - skills.json exists and is valid
+* - SKILL.md exists
+* - No symlinks or hardlinks
+* - No path traversal (.. components)
+* - No absolute paths
+* - File count <= 1000
+* - Tarball size <= 50MB
+*/
+async function pack(directory) {
+	const absDir = path.resolve(directory);
+	if (!fs.existsSync(absDir)) throw new Error(`Directory does not exist: ${absDir}`);
+	if (!fs.statSync(absDir).isDirectory()) throw new Error(`Not a directory: ${absDir}`);
+	let manifestPath = path.join(absDir, MANIFEST_FILENAME);
+	let manifestFilename = MANIFEST_FILENAME;
+	if (!fs.existsSync(manifestPath)) {
+		manifestPath = path.join(absDir, LEGACY_MANIFEST_FILENAME);
+		manifestFilename = LEGACY_MANIFEST_FILENAME;
+	}
+	if (!fs.existsSync(manifestPath)) throw new Error(`Missing required file: ${MANIFEST_FILENAME}`);
+	let skillsJsonContent;
+	try {
+		skillsJsonContent = fs.readFileSync(manifestPath, "utf-8");
+	} catch {
+		throw new Error(`Failed to read ${manifestFilename}`);
+	}
+	let parsed;
+	try {
+		parsed = JSON.parse(skillsJsonContent);
+	} catch {
+		throw new Error(`Invalid ${manifestFilename}: not valid JSON`);
+	}
+	const validation = skillsJsonSchema.safeParse(parsed);
+	if (!validation.success) {
+		const issues = validation.error.issues.map((i) => `  - ${i.path.join(".")}: ${i.message}`).join("\n");
+		throw new Error(`Invalid ${manifestFilename}:\n${issues}`);
+	}
+	const skillMdPath = path.join(absDir, "SKILL.md");
+	if (!fs.existsSync(skillMdPath)) throw new Error("Missing required file: SKILL.md");
+	let readmeContent;
+	try {
+		readmeContent = fs.readFileSync(skillMdPath, "utf-8");
+	} catch {
+		throw new Error("Failed to read SKILL.md");
+	}
+	const files = collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
+	if (files.length > MAX_FILE_COUNT) throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
+	let totalSize = 0;
+	for (const file of files) {
+		const filePath = path.join(absDir, file);
+		const fileStat = fs.statSync(filePath);
+		totalSize += fileStat.size;
+	}
+	const tarball = await createTarball(absDir, files);
+	if (tarball.length > MAX_PACKAGE_SIZE) throw new Error(`Tarball too large: ${tarball.length} bytes exceeds maximum of ${MAX_PACKAGE_SIZE} bytes (50MB)`);
+	return {
+		tarball,
+		integrity: `sha512-${crypto$1.createHash("sha512").update(tarball).digest("base64")}`,
+		fileCount: files.length,
+		totalSize,
+		readme: readmeContent,
+		files
+	};
+}
+/**
+* Pack a directory into a .tgz tarball for security scanning.
+*
+* Unlike pack(), this function does NOT require skills.json or SKILL.md.
+* It applies the same security checks (no symlinks, no path traversal, etc.)
+* and returns the same PackResult interface.
+*
+* Validates:
+* - Directory exists
+* - No symlinks or hardlinks
+* - No path traversal (.. components)
+* - No absolute paths
+* - File count <= 1000
+* - Tarball size <= 50MB
+*
+* Does NOT validate:
+* - skills.json existence or validity
+* - SKILL.md existence (but reads it if present)
+*/
+async function packForScan(directory) {
+	const absDir = path.resolve(directory);
+	if (!fs.existsSync(absDir)) throw new Error(`Directory does not exist: ${absDir}`);
+	if (!fs.statSync(absDir).isDirectory()) throw new Error(`Not a directory: ${absDir}`);
+	let readmeContent = "";
+	const skillMdPath = path.join(absDir, "SKILL.md");
+	if (fs.existsSync(skillMdPath)) try {
+		readmeContent = fs.readFileSync(skillMdPath, "utf-8");
+	} catch {
+		readmeContent = "";
+	}
+	const files = collectFiles(absDir, absDir, buildIgnoreFilter(absDir));
+	if (files.length === 0) throw new Error(`No manifest found and no files to scan in ${absDir}`);
+	if (files.length > MAX_FILE_COUNT) throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
+	let totalSize = 0;
+	for (const file of files) {
+		const filePath = path.join(absDir, file);
+		const fileStat = fs.statSync(filePath);
+		totalSize += fileStat.size;
+	}
+	const tarball = await createTarball(absDir, files);
+	if (tarball.length > MAX_PACKAGE_SIZE) throw new Error(`Tarball too large: ${tarball.length} bytes exceeds maximum of ${MAX_PACKAGE_SIZE} bytes (50MB)`);
+	return {
+		tarball,
+		integrity: `sha512-${crypto$1.createHash("sha512").update(tarball).digest("base64")}`,
+		fileCount: files.length,
+		totalSize,
+		readme: readmeContent,
+		files
+	};
+}
+/**
+* Build an ignore filter from .tankignore, .gitignore, or defaults.
+*/
+function buildIgnoreFilter(dir) {
+	const ig = ignore();
+	ig.add(ALWAYS_IGNORED);
+	const tankIgnorePath = path.join(dir, ".tankignore");
+	const gitIgnorePath = path.join(dir, ".gitignore");
+	if (fs.existsSync(tankIgnorePath)) {
+		const content = fs.readFileSync(tankIgnorePath, "utf-8");
+		ig.add(content);
+		ig.add(IGNORE_FILES);
+	} else if (fs.existsSync(gitIgnorePath)) {
+		const content = fs.readFileSync(gitIgnorePath, "utf-8");
+		ig.add(content);
+		ig.add(IGNORE_FILES);
+	} else ig.add(DEFAULT_IGNORES);
+	return ig;
+}
+/**
+* Recursively collect files from a directory, applying ignore rules and security checks.
+*/
+function collectFiles(baseDir, currentDir, ig) {
+	const files = [];
+	const entries = fs.readdirSync(currentDir, { withFileTypes: true });
+	for (const entry of entries) {
+		const fullPath = path.join(currentDir, entry.name);
+		const relativePath = path.relative(baseDir, fullPath);
+		if (relativePath.split(path.sep).includes("..")) throw new Error(`Path traversal detected: "${relativePath}" contains ".." component`);
+		if (path.isAbsolute(relativePath)) throw new Error(`Absolute path detected: "${relativePath}"`);
+		const lstatResult = fs.lstatSync(fullPath);
+		if (lstatResult.isSymbolicLink()) throw new Error(`Symlink detected: "${relativePath}" — symlinks are not allowed in skill packages`);
+		const pathForIgnore = lstatResult.isDirectory() ? `${relativePath}/` : relativePath;
+		if (ig.ignores(pathForIgnore)) continue;
+		if (lstatResult.isDirectory()) {
+			const subFiles = collectFiles(baseDir, fullPath, ig);
+			files.push(...subFiles);
+		} else if (lstatResult.isFile()) files.push(relativePath);
+	}
+	return files;
+}
+/**
+* Create a gzipped tarball from the given files in the directory.
+*/
+async function createTarball(cwd, files) {
+	return new Promise((resolve, reject) => {
+		const chunks = [];
+		const stream = create({
+			gzip: true,
+			cwd,
+			portable: true
+		}, files);
+		stream.on("data", (chunk) => {
+			chunks.push(chunk);
+		});
+		stream.on("end", () => {
+			resolve(Buffer.concat(chunks));
+		});
+		stream.on("error", (err) => {
+			reject(err);
+		});
+	});
+}
+//#endregion
+//#region src/commands/publish.ts
+/**
+* Format bytes into a human-readable size string.
+*/
+function formatSize$1(bytes) {
+	if (bytes < 1024) return `${bytes} B`;
+	if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+	return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+/**
+* Publish a skill package to the Tank registry.
+*
+* Flow:
+* 1. Check auth (token exists)
+* 2. Read skills.json from directory
+* 3. Pack directory into tarball
+* 4. If --dry-run: print summary and exit
+* 5. POST /api/v1/skills with manifest → get uploadUrl, skillId, versionId
+* 6. PUT tarball to uploadUrl
+* 7. POST /api/v1/skills/confirm with integrity data
+* 8. Print success
+*/
+async function publishCommand(options = {}) {
+	const { directory = process.cwd(), configDir, dryRun = false, private: privateFlag, visibility } = options;
+	const config = getConfig(configDir);
+	if (!config.token) throw new Error("Not logged in. Run: tank login");
+	const resolvedManifest = resolveManifestPath(directory);
+	if (!resolvedManifest.exists) throw new Error(`No ${MANIFEST_FILENAME} found in ${directory}. Run: tank init`);
+	let manifest;
+	try {
+		const raw = fs.readFileSync(resolvedManifest.path, "utf-8");
+		manifest = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(resolvedManifest.path)}`);
+	}
+	if (visibility && visibility !== "public" && visibility !== "private") throw new Error("Invalid visibility. Use 'public' or 'private'");
+	const effectiveVisibility = visibility ?? (privateFlag ? "private" : void 0);
+	if (effectiveVisibility) manifest.visibility = effectiveVisibility;
+	const name = manifest.name;
+	const version = manifest.version;
+	const spinner = ora("Packing...").start();
+	let packResult;
+	try {
+		packResult = await pack(directory);
+	} catch (err) {
+		spinner.fail("Packing failed");
+		throw err;
+	}
+	const { tarball, integrity, fileCount, totalSize, readme, files } = packResult;
+	if (dryRun) {
+		spinner.stop();
+		logger.info(`name:    ${name}`);
+		logger.info(`version: ${version}`);
+		logger.info(`visibility: ${String(manifest.visibility ?? "default")}`);
+		logger.info(`size:    ${formatSize$1(totalSize)} (${fileCount} files)`);
+		logger.info(`tarball: ${formatSize$1(tarball.length)} (compressed)`);
+		try {
+			const verifyRes = await fetch(`${config.registry}/api/v1/auth/whoami`, {
+				method: "GET",
+				headers: {
+					Authorization: `Bearer ${config.token}`,
+					"User-Agent": USER_AGENT
+				}
+			});
+			if (verifyRes.status === 401) logger.warn("Token is invalid or expired. Run: tank login");
+			else if (!verifyRes.ok) logger.warn("Could not verify token with server. Publish may fail.");
+			else logger.success("Auth verified with server.");
+		} catch {
+			logger.warn("Could not reach server to verify token. Publish may fail.");
+		}
+		logger.success("Dry run complete — no files were uploaded.");
+		return;
+	}
+	spinner.text = "Publishing...";
+	const headers = {
+		Authorization: `Bearer ${config.token}`,
+		"Content-Type": "application/json",
+		"User-Agent": USER_AGENT
+	};
+	const step1Res = await fetch(`${config.registry}/api/v1/skills`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify({
+			manifest,
+			readme,
+			files
+		})
+	});
+	if (!step1Res.ok) {
+		spinner.fail("Publish failed");
+		const errorMsg = (await step1Res.json().catch(() => null))?.error ?? step1Res.statusText;
+		if (step1Res.status === 401) throw new Error("Authentication failed. Your token may be expired or invalid. Run: tank login");
+		if (step1Res.status === 403) throw new Error(`Publish failed: ${errorMsg}`);
+		if (step1Res.status === 404) throw new Error(`Publish failed: ${errorMsg}`);
+		if (step1Res.status === 409) throw new Error(`Version already exists. Bump the version in ${MANIFEST_FILENAME}`);
+		throw new Error(errorMsg);
+	}
+	const { uploadUrl, versionId } = await step1Res.json();
+	spinner.text = "Uploading...";
+	const uploadRes = await fetch(uploadUrl, {
+		method: "PUT",
+		headers: { "Content-Type": "application/octet-stream" },
+		body: new Uint8Array(tarball)
+	});
+	if (!uploadRes.ok) {
+		spinner.fail("Upload failed");
+		throw new Error(`Failed to upload tarball: ${uploadRes.status} ${uploadRes.statusText}`);
+	}
+	spinner.text = "Confirming...";
+	const confirmRes = await fetch(`${config.registry}/api/v1/skills/confirm`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify({
+			versionId,
+			integrity,
+			fileCount,
+			tarballSize: totalSize,
+			readme
+		})
+	});
+	if (!confirmRes.ok) {
+		spinner.fail("Publish confirmation failed");
+		const body = await confirmRes.json().catch(() => null);
+		throw new Error(`Failed to confirm publish: ${body?.error ?? confirmRes.statusText}`);
+	}
+	spinner.succeed(`Published ${name}@${version} (${formatSize$1(totalSize)}, ${fileCount} files)`);
+}
+//#endregion
+//#region src/commands/remove.ts
+async function removeCommand(options) {
+	const { name, directory = process.cwd(), global, homedir } = options;
+	if (global) {
+		const resolvedHome = homedir ?? os.homedir();
+		try {
+			const unlinkResult = unlinkSkillFromAgents({
+				skillName: name,
+				linksDir: path.join(resolvedHome, ".tank"),
+				homedir
+			});
+			if (unlinkResult.unlinked.length > 0) logger.info(`Unlinked from ${unlinkResult.unlinked.length} agent(s)`);
+		} catch {
+			logger.warn("Agent unlinking skipped (non-fatal)");
+		}
+		const symlinkName = getSymlinkName(name);
+		const agentSkillDir = path.join(getGlobalAgentSkillsDir(resolvedHome), symlinkName);
+		if (fs.existsSync(agentSkillDir)) fs.rmSync(agentSkillDir, {
+			recursive: true,
+			force: true
+		});
+		const skillDir = getGlobalSkillDir(resolvedHome, name);
+		if (fs.existsSync(skillDir)) fs.rmSync(skillDir, {
+			recursive: true,
+			force: true
+		});
+		const resolvedLock = resolveLockfilePath(path.join(resolvedHome, ".tank"));
+		const lockPath = resolvedLock.path;
+		if (resolvedLock.exists) {
+			let lock;
+			try {
+				const raw = fs.readFileSync(lockPath, "utf-8");
+				lock = JSON.parse(raw);
+			} catch {
+				lock = {
+					lockfileVersion: 2,
+					skills: {}
+				};
+			}
+			for (const key of Object.keys(lock.skills)) {
+				const lastAt = key.lastIndexOf("@");
+				if (lastAt <= 0) continue;
+				if (key.slice(0, lastAt) === name) delete lock.skills[key];
+			}
+			const sortedSkills = {};
+			for (const key of Object.keys(lock.skills).sort()) sortedSkills[key] = lock.skills[key];
+			lock.skills = sortedSkills;
+			fs.writeFileSync(lockPath, `${JSON.stringify(lock, null, 2)}\n`);
+		}
+		logger.success(`Removed ${name} (global)`);
+		return;
+	}
+	const resolvedManifest = resolveManifestPath(directory);
+	if (!resolvedManifest.exists) throw new Error(`No ${MANIFEST_FILENAME} found in ${directory}. Run: tank init`);
+	let skillsJson;
+	try {
+		const raw = fs.readFileSync(resolvedManifest.path, "utf-8");
+		skillsJson = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(resolvedManifest.path)}`);
+	}
+	const skills = skillsJson.skills ?? {};
+	if (!(name in skills)) throw new Error(`Skill "${name}" is not installed (not found in ${path.basename(resolvedManifest.path)})`);
+	delete skills[name];
+	skillsJson.skills = skills;
+	fs.writeFileSync(resolvedManifest.path, `${JSON.stringify(skillsJson, null, 2)}\n`);
+	const resolvedLocalLock = resolveLockfilePath(directory);
+	const lockPath = resolvedLocalLock.path;
+	if (resolvedLocalLock.exists) {
+		let lock;
+		try {
+			const raw = fs.readFileSync(lockPath, "utf-8");
+			lock = JSON.parse(raw);
+		} catch {
+			lock = {
+				lockfileVersion: 2,
+				skills: {}
+			};
+		}
+		for (const key of Object.keys(lock.skills)) {
+			const lastAt = key.lastIndexOf("@");
+			if (lastAt <= 0) continue;
+			if (key.slice(0, lastAt) === name) delete lock.skills[key];
+		}
+		const sortedSkills = {};
+		for (const key of Object.keys(lock.skills).sort()) sortedSkills[key] = lock.skills[key];
+		lock.skills = sortedSkills;
+		fs.writeFileSync(lockPath, `${JSON.stringify(lock, null, 2)}\n`);
+	}
+	try {
+		const unlinkResult = unlinkSkillFromAgents({
+			skillName: name,
+			linksDir: path.join(directory, ".tank"),
+			homedir
+		});
+		if (unlinkResult.unlinked.length > 0) logger.info(`Unlinked from ${unlinkResult.unlinked.length} agent(s)`);
+	} catch {
+		logger.warn("Agent unlinking skipped (non-fatal)");
+	}
+	const symlinkName = getSymlinkName(name);
+	const agentSkillDir = path.join(directory, ".tank", "agent-skills", symlinkName);
+	if (fs.existsSync(agentSkillDir)) fs.rmSync(agentSkillDir, {
+		recursive: true,
+		force: true
+	});
+	const skillDir = getSkillDir(directory, name);
+	if (fs.existsSync(skillDir)) fs.rmSync(skillDir, {
+		recursive: true,
+		force: true
+	});
+	logger.success(`Removed ${name}`);
+}
+function getSkillDir(projectDir, skillName) {
+	if (skillName.startsWith("@")) {
+		const [scope, name] = skillName.split("/");
+		return path.join(projectDir, ".tank", "skills", scope, name);
+	}
+	return path.join(projectDir, ".tank", "skills", skillName);
+}
+function getGlobalSkillDir(homedir, skillName) {
+	const globalDir = getGlobalSkillsDir(homedir);
+	if (skillName.startsWith("@")) {
+		const [scope, name] = skillName.split("/");
+		return path.join(globalDir, scope, name);
+	}
+	return path.join(globalDir, skillName);
+}
+//#endregion
+//#region src/commands/run.ts
+const AGENTS_MODULE = "@tankpkg/vault/src/runner/agents";
+const RUNNER_MODULE = "@tankpkg/vault/src/runner/run";
+const SERVER_MODULE = "@tankpkg/vault/src/proxy/server";
+const VAULT_MODULE = "@tankpkg/vault/src/tokenizer/vault";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const BOOTSTRAP_PATH = path.resolve(__dirname, "..", "..", "..", "vault", "src", "proxy", "bootstrap.cjs");
+const PLACEHOLDER_REQUIRE = "--require tank-vault-proxy-bootstrap.js";
+async function runCommand(options) {
+	const [agentsModule, runnerModule, serverModule, vaultModule] = await Promise.all([
+		import(AGENTS_MODULE),
+		import(RUNNER_MODULE),
+		import(SERVER_MODULE),
+		import(VAULT_MODULE)
+	]);
+	const { getAgentConfig, getSupportedAgentIds } = agentsModule;
+	const { buildAgentEnv } = runnerModule;
+	const { startProxy } = serverModule;
+	const { VaultStore } = vaultModule;
+	const config = getAgentConfig(options.agent);
+	if (!config) {
+		const supported = getSupportedAgentIds().join(", ");
+		console.error(chalk.red(`Unknown agent: ${options.agent}`));
+		console.error(`Supported agents: ${supported}`);
+		process.exit(1);
+	}
+	const vault = new VaultStore();
+	const proxy = await startProxy(vault);
+	console.log(`Vault proxy started on port ${proxy.port}`);
+	console.log(`Agent: ${config.name} (${config.runtime})`);
+	console.log("Credentials will be detected from traffic");
+	const env = buildAgentEnv(config.strategy, proxy.url, process.env);
+	const bootstrapRequire = `--require ${BOOTSTRAP_PATH}`;
+	if (env.NODE_OPTIONS?.includes(PLACEHOLDER_REQUIRE)) env.NODE_OPTIONS = env.NODE_OPTIONS.replace(PLACEHOLDER_REQUIRE, bootstrapRequire);
+	if (options.verbose) {
+		console.log(`Bootstrap: ${BOOTSTRAP_PATH}`);
+		console.log(`Proxy URL: ${proxy.url}`);
+	}
+	const child = spawn(config.command, options.agentArgs ?? [], {
+		env,
+		stdio: "inherit"
+	});
+	let cleaningUp = false;
+	const cleanupAndExit = async (code) => {
+		if (cleaningUp) return;
+		cleaningUp = true;
+		process.off("SIGINT", onSigint);
+		process.off("SIGTERM", onSigterm);
+		vault.clear();
+		await proxy.close();
+		process.exit(code);
+	};
+	const onSigint = () => {
+		child.kill("SIGINT");
+	};
+	const onSigterm = () => {
+		child.kill("SIGTERM");
+	};
+	process.on("SIGINT", onSigint);
+	process.on("SIGTERM", onSigterm);
+	child.once("error", async (error) => {
+		console.error(chalk.red(`Failed to launch agent: ${error.message}`));
+		await cleanupAndExit(1);
+	});
+	child.once("exit", async (code, signal) => {
+		await cleanupAndExit(typeof code === "number" ? code : signal ? 1 : 0);
+	});
+}
+//#endregion
+//#region src/commands/scan.ts
+function verdictColor(verdict) {
+	switch (verdict) {
+		case "pass": return chalk.green;
+		case "pass_with_notes": return chalk.yellow;
+		case "flagged": return chalk.hex("#FF8C00");
+		case "fail": return chalk.red;
+		default: return chalk.white;
+	}
+}
+function severityColor(severity) {
+	switch (severity) {
+		case "critical": return chalk.red;
+		case "high": return chalk.hex("#FF8C00");
+		case "medium": return chalk.yellow;
+		case "low": return chalk.green;
+		default: return chalk.white;
+	}
+}
+function scoreColor$1(score) {
+	if (score >= 7) return chalk.green;
+	if (score >= 4) return chalk.yellow;
+	return chalk.red;
+}
+function formatSize(bytes) {
+	if (bytes < 1024) return `${bytes} B`;
+	if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+	return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+async function scanCommand(options = {}) {
+	const { directory = process.cwd(), configDir } = options;
+	const absDir = path.resolve(directory);
+	const config = getConfig(configDir);
+	if (!config.token) throw new Error("Not logged in. Run: tank login");
+	const spinner = ora("Packing skill...").start();
+	const resolvedManifest = resolveManifestPath(absDir);
+	let manifest;
+	let packResult;
+	if (resolvedManifest.exists) {
+		try {
+			packResult = await pack(absDir);
+		} catch (err) {
+			spinner.fail("Packing failed");
+			throw err;
+		}
+		try {
+			manifest = JSON.parse(fs.readFileSync(resolvedManifest.path, "utf-8"));
+		} catch (err) {
+			spinner.fail(`Failed to read ${path.basename(resolvedManifest.path)}`);
+			throw err;
+		}
+	} else {
+		try {
+			packResult = await packForScan(absDir);
+		} catch (err) {
+			spinner.fail("Packing failed");
+			throw err;
+		}
+		manifest = {
+			name: path.basename(absDir),
+			version: "0.0.0",
+			description: "Local scan"
+		};
+	}
+	const name = manifest.name ?? "unknown";
+	const version = manifest.version ?? "0.0.0";
+	spinner.text = `Scanning ${name}@${version}...`;
+	const formData = new FormData();
+	const blob = new Blob([new Uint8Array(packResult.tarball)], { type: "application/gzip" });
+	formData.append("tarball", blob, `${name}-${version}.tgz`);
+	formData.append("manifest", JSON.stringify(manifest));
+	let scanRes;
+	try {
+		scanRes = await fetch(`${config.registry}/api/v1/scan`, {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${config.token}`,
+				"User-Agent": USER_AGENT
+			},
+			body: formData
+		});
+	} catch (err) {
+		spinner.fail("Scan failed");
+		throw new Error(`Network error: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (!scanRes.ok) {
+		spinner.fail("Scan failed");
+		const body = await scanRes.json().catch(() => null);
+		if (scanRes.status === 401) throw new Error("Authentication failed. Your token may be expired or invalid. Run: tank login");
+		throw new Error(body?.error ?? scanRes.statusText);
+	}
+	const result = await scanRes.json();
+	spinner.stop();
+	const verdictLabel = verdictColor(result.verdict)(result.verdict.toUpperCase());
+	const auditScore = result.audit_score ?? 0;
+	const scoreLabel = scoreColor$1(auditScore)(auditScore.toFixed(1));
+	console.log("");
+	console.log(chalk.bold(`Security Scan: ${name}@${version}`));
+	console.log("");
+	console.log(`${chalk.dim("Verdict:".padEnd(14))}${verdictLabel}`);
+	console.log(`${chalk.dim("Score:".padEnd(14))}${scoreLabel}/10`);
+	console.log(`${chalk.dim("Duration:".padEnd(14))}${(result.duration_ms / 1e3).toFixed(1)}s`);
+	console.log(`${chalk.dim("Files:".padEnd(14))}${packResult.fileCount} (${formatSize(packResult.totalSize)})`);
+	if (result.findings.length > 0) {
+		console.log("");
+		console.log(chalk.bold(`Findings (${result.findings.length})`));
+		const bySeverity = {
+			critical: [],
+			high: [],
+			medium: [],
+			low: []
+		};
+		for (const f of result.findings) bySeverity[f.severity].push(f);
+		for (const severity of [
+			"critical",
+			"high",
+			"medium",
+			"low"
+		]) {
+			const findings = bySeverity[severity];
+			if (findings.length === 0) continue;
+			console.log("");
+			const label = severityColor(severity)(`${severity.toUpperCase()} (${findings.length})`);
+			console.log(`  ${label}`);
+			for (const f of findings) {
+				console.log(`    - ${chalk.bold(f.type)}: ${f.description}`);
+				if (f.location) console.log(`      ${chalk.dim("Location:")} ${f.location}`);
+			}
+		}
+	} else {
+		console.log("");
+		console.log(chalk.green("No findings. Your skill looks secure!"));
+	}
+	if (result.stage_results?.length > 0) {
+		console.log("");
+		console.log(chalk.bold("Scan Stages"));
+		for (const stage of result.stage_results) {
+			const icon = stage.status === "passed" ? chalk.green("✓") : chalk.red("✗");
+			console.log(`  ${icon} ${stage.stage} (${stage.duration_ms}ms)`);
+		}
+	}
+	if (result.scan_id) {
+		console.log("");
+		console.log(chalk.dim(`Full report: ${config.registry}/scans/${result.scan_id}`));
+	}
+	console.log("");
+}
+//#endregion
+//#region src/commands/search.ts
+const MAX_DESC_LENGTH = 60;
+function scoreColor(score) {
+	if (score >= 7) return chalk.green;
+	if (score >= 4) return chalk.yellow;
+	return chalk.red;
+}
+function truncate(text, maxLen) {
+	if (text.length <= maxLen) return text;
+	return `${text.slice(0, maxLen - 3)}...`;
+}
+function padRight(text, width) {
+	if (text.length >= width) return text;
+	return text + " ".repeat(width - text.length);
+}
+async function searchCommand(options) {
+	const { query, configDir } = options;
+	const config = getConfig(configDir);
+	const url = `${config.registry}/api/v1/search?q=${encodeURIComponent(query)}&limit=20`;
+	let res;
+	try {
+		const headers = { "User-Agent": USER_AGENT };
+		if (config.token) headers.Authorization = `Bearer ${config.token}`;
+		res = await fetch(url, { headers });
+	} catch (err) {
+		throw new Error(`Network error searching: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (!res.ok) {
+		const body = await res.json().catch(() => null);
+		throw new Error(body?.error ?? `Search failed: ${res.statusText}`);
+	}
+	const data = await res.json();
+	if (data.results.length === 0) {
+		console.log(`No skills found for "${query}"`);
+		return;
+	}
+	console.log(`${padRight("NAME", 30) + padRight("VERSION", 10) + padRight("SCORE", 8)}DESCRIPTION`);
+	for (const result of data.results) {
+		const name = chalk.bold(padRight(result.name, 30));
+		const version = padRight(result.latestVersion, 10);
+		const scoreStr = Number.isInteger(result.auditScore) ? result.auditScore.toFixed(1) : String(result.auditScore);
+		const score = scoreColor(result.auditScore)(padRight(scoreStr, 8));
+		const desc = truncate(result.description ?? "", MAX_DESC_LENGTH);
+		console.log(`${name}${version}${score}${desc}`);
+	}
+	console.log("");
+	console.log(`${data.results.length} skill${data.results.length === 1 ? "" : "s"} found`);
+}
+//#endregion
+//#region src/commands/unlink.ts
+async function unlinkCommand(options = {}) {
+	const resolvedManifest = resolveManifestPath(options.directory ?? process.cwd());
+	if (!resolvedManifest.exists) throw new Error(`No ${MANIFEST_FILENAME} found. Run this command from a skill directory.`);
+	let skillsJson;
+	try {
+		const raw = fs.readFileSync(resolvedManifest.path, "utf-8");
+		skillsJson = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(resolvedManifest.path)}`);
+	}
+	const skillName = skillsJson.name;
+	if (typeof skillName !== "string" || skillName.trim().length === 0) throw new Error(`Missing 'name' in ${path.basename(resolvedManifest.path)}`);
+	const homedir = options.homedir ?? os.homedir();
+	const result = unlinkSkillFromAgents({
+		skillName,
+		linksDir: path.join(homedir, ".tank"),
+		homedir: options.homedir
+	});
+	const symlinkName = getSymlinkName(skillName);
+	const wrapperDir = path.join(getGlobalAgentSkillsDir(options.homedir), symlinkName);
+	if (fs.existsSync(wrapperDir)) fs.rmSync(wrapperDir, {
+		recursive: true,
+		force: true
+	});
+	if (result.unlinked.length === 0 && result.notFound.length === 0) {
+		logger.info(`No links found for ${skillName}`);
+		return;
+	}
+	logger.success(`Unlinked ${skillName} from ${result.unlinked.length} agent(s)`);
+}
+//#endregion
+//#region src/commands/update.ts
+const VERSION_CHECK_CONCURRENCY = 8;
+async function updateCommand(options) {
+	const { name, directory = process.cwd(), configDir, global = false, homedir } = options;
+	if (global) {
+		if (name) await updateSingleGlobal(name, configDir, homedir);
+		else await updateAllGlobal(configDir, homedir);
+		return;
+	}
+	const resolvedManifest = resolveManifestPath(directory);
+	if (!resolvedManifest.exists) throw new Error(`No ${MANIFEST_FILENAME} found in ${directory}. Run: tank init`);
+	let skillsJson;
+	try {
+		const raw = fs.readFileSync(resolvedManifest.path, "utf-8");
+		skillsJson = JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse ${path.basename(resolvedManifest.path)}`);
+	}
+	const skills = skillsJson.skills ?? {};
+	if (name) await updateSingle(name, skills, directory, configDir, global, homedir);
+	else await updateAll(skills, directory, configDir, global, homedir);
+}
+function parseLockKey$1(key) {
+	const lastAt = key.lastIndexOf("@");
+	if (lastAt <= 0) return null;
+	return {
+		name: key.slice(0, lastAt),
+		version: key.slice(lastAt + 1)
+	};
+}
+function readLockfile(lockPath) {
+	if (!fs.existsSync(lockPath)) return null;
+	try {
+		const raw = fs.readFileSync(lockPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return null;
+	}
+}
+function readLockfileStrict(lockPath) {
+	if (!fs.existsSync(lockPath)) throw new Error(`Global ${LOCKFILE_FILENAME} not found at ${lockPath}`);
+	try {
+		const raw = fs.readFileSync(lockPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		throw new Error(`Failed to read or parse global ${LOCKFILE_FILENAME}`);
+	}
+}
+function getGlobalLockPath(homedir) {
+	const resolvedHome = homedir ?? os.homedir();
+	return resolveLockfilePath(path.join(resolvedHome, ".tank")).path;
+}
+async function fetchAvailableVersions(name, registry, headers) {
+	const versionsUrl = `${registry}/api/v1/skills/${encodeURIComponent(name)}/versions`;
+	let versionsRes;
+	try {
+		versionsRes = await fetch(versionsUrl, { headers });
+	} catch (err) {
+		throw new Error(`Network error fetching versions for ${name}: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (!versionsRes.ok) {
+		if (versionsRes.status === 404) throw new Error(`Skill not found in registry: ${name}`);
+		const body = await versionsRes.json().catch(() => null);
+		throw new Error(body?.error ?? versionsRes.statusText);
+	}
+	return (await versionsRes.json()).versions.map((v) => v.version);
+}
+/**
+* Deduplicate lockfile entries by skill name.
+* When multiple versions of the same skill exist in the lockfile (e.g. from
+* transitive dependencies), keeps only the highest version per skill name.
+*/
+function deduplicateByName(entries) {
+	const versionsByName = /* @__PURE__ */ new Map();
+	for (const key of entries) {
+		const parsed = parseLockKey$1(key);
+		if (!parsed) continue;
+		const versions = versionsByName.get(parsed.name) ?? [];
+		versions.push(parsed.version);
+		versionsByName.set(parsed.name, versions);
+	}
+	const latestByName = /* @__PURE__ */ new Map();
+	for (const [name, versions] of versionsByName) {
+		const latest = resolve("*", versions);
+		if (latest) latestByName.set(name, latest);
+	}
+	return latestByName;
+}
+async function fetchVersionsBatch(skillNames, registry, headers) {
+	const results = /* @__PURE__ */ new Map();
+	for (let i = 0; i < skillNames.length; i += VERSION_CHECK_CONCURRENCY) {
+		const batch = skillNames.slice(i, i + VERSION_CHECK_CONCURRENCY);
+		const settled = await Promise.allSettled(batch.map(async (name) => {
+			return {
+				name,
+				versions: await fetchAvailableVersions(name, registry, headers)
+			};
+		}));
+		for (const result of settled) if (result.status === "fulfilled") results.set(result.value.name, result.value.versions);
+		else throw result.reason;
+	}
+	return results;
+}
+async function updateSingle(name, skills, directory, configDir, global = false, homedir) {
+	const versionRange = skills[name];
+	if (!versionRange) throw new Error(`Skill "${name}" is not installed (not found in ${MANIFEST_FILENAME})`);
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const availableVersions = await fetchAvailableVersions(name, config.registry, requestHeaders);
+	const resolved = resolve(versionRange, availableVersions);
+	if (!resolved) throw new Error(`No version of ${name} satisfies range "${versionRange}". Available: ${availableVersions.join(", ")}`);
+	const lockPath = global ? getGlobalLockPath(homedir) : resolveLockfilePath(directory).path;
+	let currentVersion = null;
+	const lock = readLockfile(lockPath);
+	if (lock) for (const key of Object.keys(lock.skills)) {
+		const parsed = parseLockKey$1(key);
+		if (!parsed) continue;
+		if (parsed.name === name) {
+			currentVersion = parsed.version;
+			break;
+		}
+	}
+	if (resolved === currentVersion) {
+		logger.info(`Already at latest: ${name}@${resolved}`);
+		return;
+	}
+	await installCommand({
+		name,
+		versionRange,
+		directory,
+		configDir,
+		global,
+		homedir
+	});
+	logger.success(`Updated ${name} to ${resolved}`);
+}
+async function updateAll(skills, directory, configDir, global = false, homedir) {
+	const skillEntries = Object.entries(skills);
+	if (skillEntries.length === 0) {
+		logger.info(`No skills defined in ${MANIFEST_FILENAME}`);
+		return;
+	}
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const lock = readLockfile(global ? getGlobalLockPath(homedir) : resolveLockfilePath(directory).path);
+	const currentVersionByName = /* @__PURE__ */ new Map();
+	if (lock) for (const key of Object.keys(lock.skills)) {
+		const parsed = parseLockKey$1(key);
+		if (!parsed) continue;
+		const existing = currentVersionByName.get(parsed.name);
+		if (!existing) currentVersionByName.set(parsed.name, parsed.version);
+		else {
+			const higher = resolve("*", [existing, parsed.version]);
+			if (higher) currentVersionByName.set(parsed.name, higher);
+		}
+	}
+	const allVersions = await fetchVersionsBatch(skillEntries.map(([name]) => name), config.registry, requestHeaders);
+	const toUpdate = [];
+	for (const [name, versionRange] of skillEntries) {
+		const availableVersions = allVersions.get(name);
+		if (!availableVersions) continue;
+		const resolved = resolve(versionRange, availableVersions);
+		if (!resolved) continue;
+		if (resolved === (currentVersionByName.get(name) ?? null)) continue;
+		toUpdate.push({
+			name,
+			versionRange
+		});
+	}
+	if (toUpdate.length === 0) {
+		logger.info("All skills up to date");
+		return;
+	}
+	for (const { name, versionRange } of toUpdate) await installCommand({
+		name,
+		versionRange,
+		directory,
+		configDir,
+		global,
+		homedir
+	});
+	logger.success(`Updated ${toUpdate.length} skill${toUpdate.length === 1 ? "" : "s"}`);
+}
+async function updateSingleGlobal(name, configDir, homedir) {
+	const lock = readLockfileStrict(getGlobalLockPath(homedir));
+	let currentVersion = null;
+	for (const key of Object.keys(lock.skills)) {
+		const parsed = parseLockKey$1(key);
+		if (!parsed) continue;
+		if (parsed.name === name) {
+			currentVersion = parsed.version;
+			break;
+		}
+	}
+	if (!currentVersion) throw new Error(`Skill "${name}" is not installed globally (not found in ${LOCKFILE_FILENAME})`);
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const availableVersions = await fetchAvailableVersions(name, config.registry, requestHeaders);
+	const versionRange = `>=${currentVersion}`;
+	const resolved = resolve(versionRange, availableVersions);
+	if (!resolved) throw new Error(`No version of ${name} satisfies range "${versionRange}". Available: ${availableVersions.join(", ")}`);
+	if (resolved === currentVersion) {
+		logger.info(`Already at latest: ${name}@${resolved}`);
+		return;
+	}
+	await installCommand({
+		name,
+		versionRange,
+		global: true,
+		homedir,
+		configDir
+	});
+	logger.success(`Updated ${name} to ${resolved}`);
+}
+async function updateAllGlobal(configDir, homedir) {
+	const lock = readLockfileStrict(getGlobalLockPath(homedir));
+	const entries = Object.keys(lock.skills);
+	if (entries.length === 0) {
+		logger.info(`No skills defined in global ${LOCKFILE_FILENAME}`);
+		return;
+	}
+	const config = getConfig(configDir);
+	const requestHeaders = { "User-Agent": USER_AGENT };
+	if (config.token) requestHeaders.Authorization = `Bearer ${config.token}`;
+	const latestByName = deduplicateByName(entries);
+	const allVersions = await fetchVersionsBatch(Array.from(latestByName.keys()), config.registry, requestHeaders);
+	const toUpdate = [];
+	for (const [name, currentVersion] of latestByName) {
+		const availableVersions = allVersions.get(name);
+		if (!availableVersions) continue;
+		const resolved = resolve("*", availableVersions);
+		if (!resolved) continue;
+		if (resolved === currentVersion) continue;
+		toUpdate.push(name);
+	}
+	if (toUpdate.length === 0) {
+		logger.info("All skills up to date");
+		return;
+	}
+	for (const name of toUpdate) await installCommand({
+		name,
+		versionRange: "*",
+		global: true,
+		homedir,
+		configDir
+	});
+	logger.success(`Updated ${toUpdate.length} skill${toUpdate.length === 1 ? "" : "s"}`);
+}
+//#endregion
+//#region src/commands/upgrade.ts
+function isNewerVersion$1(candidateVersion, currentVersion) {
+	if (candidateVersion === currentVersion) return false;
+	return resolve("*", [candidateVersion, currentVersion]) === candidateVersion;
+}
+function resolveCurrentBinary() {
+	try {
+		return fs.realpathSync(process.argv[1]);
+	} catch {
+		return process.execPath;
+	}
+}
+async function upgradeCommand(opts) {
+	const currentBinaryPath = resolveCurrentBinary();
+	if (process.platform !== "win32" && (currentBinaryPath.includes("/Cellar/") || currentBinaryPath.includes("/homebrew/"))) {
+		console.log(chalk.yellow("Tank was installed via Homebrew. Run `brew upgrade tank` instead."));
+		return;
+	}
+	if (currentBinaryPath.includes("node_modules") || currentBinaryPath.endsWith(".js") || currentBinaryPath.endsWith(".mjs")) {
+		console.log(chalk.yellow("Tank was installed via npm/npx. Run `npm update -g @tankpkg/cli` to upgrade instead."));
+		return;
+	}
+	let targetVersion;
+	if (opts?.version) targetVersion = opts.version;
+	else {
+		const res = await fetch("https://api.github.com/repos/tankpkg/tank/releases/latest", { headers: { "User-Agent": USER_AGENT } });
+		if (!res.ok) throw new Error(`Failed to fetch latest release: ${res.status} ${res.statusText}`);
+		targetVersion = (await res.json()).tag_name.replace(/^v/, "");
+	}
+	if (!isNewerVersion$1(targetVersion, VERSION) && !opts?.force) {
+		console.log(chalk.green(`✓ Already on latest version: ${VERSION}`));
+		return;
+	}
+	const binaryName = `tank-${process.platform === "win32" ? "windows" : process.platform === "darwin" ? "darwin" : "linux"}-${process.arch === "arm64" ? "arm64" : "x64"}${process.platform === "win32" ? ".exe" : ""}`;
+	if (opts?.dryRun) {
+		console.log(`Would upgrade tank ${VERSION} → ${targetVersion}`);
+		return;
+	}
+	console.log(chalk.cyan(`Upgrading tank ${VERSION} → ${targetVersion}...`));
+	const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "tank-upgrade-"));
+	try {
+		const binaryUrl = `https://github.com/tankpkg/tank/releases/download/v${targetVersion}/${binaryName}`;
+		const tmpBin = path.join(tmpDir, binaryName);
+		const binRes = await fetch(binaryUrl, { headers: { "User-Agent": USER_AGENT } });
+		if (!binRes.ok) throw new Error(`Failed to download binary: ${binRes.status} ${binRes.statusText}`);
+		if (!binRes.body) throw new Error("Empty response body when downloading binary");
+		const binBuffer = Buffer.from(await binRes.arrayBuffer());
+		fs.writeFileSync(tmpBin, binBuffer);
+		const sumsUrl = `https://github.com/tankpkg/tank/releases/download/v${targetVersion}/SHA256SUMS`;
+		const sumsRes = await fetch(sumsUrl, { headers: { "User-Agent": USER_AGENT } });
+		if (!sumsRes.ok) throw new Error(`Failed to download SHA256SUMS: ${sumsRes.status} ${sumsRes.statusText}`);
+		const sumsText = await sumsRes.text();
+		let expectedHash;
+		for (const line of sumsText.split("\n")) {
+			const trimmed = line.trim();
+			if (!trimmed) continue;
+			const parts = trimmed.split(/\s+/);
+			if (parts.length >= 2 && parts[1] === binaryName) {
+				expectedHash = parts[0];
+				break;
+			}
+		}
+		if (!expectedHash) throw new Error(`No checksum found for ${binaryName} in SHA256SUMS`);
+		const fileBuffer = fs.readFileSync(tmpBin);
+		if (crypto$1.createHash("sha256").update(fileBuffer).digest("hex") !== expectedHash) {
+			console.log(chalk.red("Checksum mismatch. Aborting for security."));
+			return;
+		}
+		if (process.platform !== "win32") fs.chmodSync(tmpBin, 493);
+		fs.copyFileSync(tmpBin, currentBinaryPath);
+		if (process.platform !== "win32") fs.chmodSync(currentBinaryPath, 493);
+		console.log(chalk.green(`✓ Upgraded tank ${VERSION} → ${targetVersion}`));
+		console.log(chalk.gray(`Release notes: https://github.com/tankpkg/tank/releases/tag/v${targetVersion}`));
+	} finally {
+		fs.rmSync(tmpDir, {
+			recursive: true,
+			force: true
+		});
+	}
+}
+//#endregion
+//#region src/commands/verify.ts
+/**
+* Verify that installed skills match the lockfile.
+*
+* For each entry in skills.lock:
+* 1. Parse the skill name from the lock key
+* 2. Check that the skill directory exists in .tank/skills/
+* 3. Check that the directory is not empty
+*
+* Throws on failure (exit code 1). Prints success message on pass.
+*/
+async function verifyCommand(options) {
+	const directory = options?.directory ?? process.cwd();
+	const lock = readLockfile$1(directory);
+	if (!lock) throw new Error(`No ${LOCKFILE_FILENAME} found in ${directory}. Run: tank install`);
+	const entries = Object.entries(lock.skills);
+	if (entries.length === 0) {
+		logger.success("No skills to verify (lockfile is empty)");
+		return;
+	}
+	const issues = [];
+	for (const [key] of entries) {
+		const skillDir = getExtractDir(directory, parseLockKey(key));
+		if (!fs.existsSync(skillDir)) {
+			issues.push(`${key}: directory missing at ${skillDir}`);
+			continue;
+		}
+		if (fs.readdirSync(skillDir).length === 0) issues.push(`${key}: directory exists but is empty`);
+	}
+	if (issues.length > 0) {
+		for (const issue of issues) logger.error(issue);
+		throw new Error(`Verification failed: ${issues.length} issue${issues.length === 1 ? "" : "s"} found`);
+	}
+	const count = entries.length;
+	logger.success(`All ${count} skill${count === 1 ? "" : "s"} verified`);
+}
+function parseLockKey(key) {
+	const lastAt = key.lastIndexOf("@");
+	if (lastAt <= 0) throw new Error(`Invalid lockfile key: ${key}`);
+	return key.slice(0, lastAt);
+}
+function getExtractDir(projectDir, skillName) {
+	if (skillName.startsWith("@")) {
+		const [scope, name] = skillName.split("/");
+		return path.join(projectDir, ".tank", "skills", scope, name);
+	}
+	return path.join(projectDir, ".tank", "skills", skillName);
+}
+//#endregion
+//#region src/commands/whoami.ts
+async function whoamiCommand(options = {}) {
+	const { configDir } = options;
+	const config = getConfig(configDir);
+	if (!config.token) {
+		logger.warn("Not logged in. Run: tank login");
+		return;
+	}
+	try {
+		const res = await fetch(`${config.registry}/api/v1/auth/whoami`, {
+			method: "GET",
+			headers: {
+				Authorization: `Bearer ${config.token}`,
+				"User-Agent": USER_AGENT
+			}
+		});
+		if (res.status === 401) {
+			logger.error("Token is invalid or expired. Run: tank login");
+			return;
+		}
+		if (!res.ok) {
+			if (config.user) {
+				printUserInfo(config.user);
+				logger.warn("Could not verify token with server. Run: tank login");
+			} else logger.error("Could not verify token. Server returned an error. Run: tank login");
+			process.exitCode = 1;
+			return;
+		}
+		if (config.user) printUserInfo(config.user);
+		else logger.info("Logged in (token verified).");
+	} catch {
+		if (config.user) {
+			logger.info(`Logged in as: ${config.user.name ?? "unknown"} (offline)`);
+			logger.info(`Email: ${config.user.email ?? "unknown"}`);
+			logger.warn("Could not reach server to verify token. Run: tank login");
+		} else logger.error("Could not verify token. Check your network connection.");
+		process.exitCode = 1;
+	}
+}
+function printUserInfo(user) {
+	logger.info(`Logged in as: ${user.name ?? "unknown"}`);
+	logger.info(`Email: ${user.email ?? "unknown"}`);
+}
+//#endregion
+//#region src/lib/upgrade-check.ts
+function isNewerVersion(candidateVersion, currentVersion) {
+	if (candidateVersion === currentVersion) return false;
+	return resolve("*", [candidateVersion, currentVersion]) === candidateVersion;
+}
+async function checkForUpgrade(configDir) {
+	try {
+		if (process.env.TANK_NO_UPDATE_CHECK || process.env.CI) return;
+		const cacheDir = getConfigDir(configDir);
+		const cachePath = path.join(cacheDir, "upgrade_check.json");
+		let cache = null;
+		try {
+			const raw = fs.readFileSync(cachePath, "utf-8");
+			cache = JSON.parse(raw);
+		} catch {}
+		if (cache !== null && Date.now() - cache.lastCheck < 1440 * 60 * 1e3 && cache !== null) {
+			if (isNewerVersion(cache.latestVersion, VERSION)) {
+				console.error(`\n  ${chalk.cyan("ℹ")} New version available: ${chalk.gray(VERSION)} → ${chalk.green(cache.latestVersion)}`);
+				console.error(`  Run ${chalk.cyan("`tank upgrade`")} to update.\n`);
+			}
+			return;
+		}
+		const res = await fetch("https://api.github.com/repos/tankpkg/tank/releases/latest", {
+			headers: { "User-Agent": `tank-cli/${VERSION}` },
+			signal: AbortSignal.timeout(3e3)
+		});
+		if (!res.ok) return;
+		const latestVersion = (await res.json()).tag_name.replace(/^v/, "");
+		if (!fs.existsSync(cacheDir)) fs.mkdirSync(cacheDir, { recursive: true });
+		const newCache = {
+			lastCheck: Date.now(),
+			latestVersion
+		};
+		fs.writeFileSync(cachePath, `${JSON.stringify(newCache, null, 2)}\n`);
+		if (isNewerVersion(latestVersion, VERSION)) {
+			console.error(`\n  ${chalk.cyan("ℹ")} New version available: ${chalk.gray(VERSION)} → ${chalk.green(latestVersion)}`);
+			console.error(`  Run ${chalk.cyan("`tank upgrade`")} to update.\n`);
+		}
+	} catch {}
+}
+//#endregion
+//#region src/bin/tank.ts
+const program = new Command();
+program.name("tank").description("Security-first package manager for AI agent skills").version(VERSION);
+program.command("init").description("Create a new tank.json in the current directory").option("-y, --yes", "Skip prompts, use defaults").option("--name <name>", "Skill name").option("--skill-version <version>", "Skill version (default: 0.1.0)").option("--description <desc>", "Skill description").option("--private", "Make skill private").option("--force", "Overwrite existing tank.json").action(async (opts) => {
+	try {
+		await initCommand({
+			yes: opts.yes,
+			name: opts.name,
+			version: opts.skillVersion,
+			description: opts.description,
+			private: opts.private,
+			force: opts.force
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Init failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("login").description("Authenticate with the Tank registry via browser").action(async () => {
+	try {
+		await loginCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Login failed: ${msg}`);
+		await flushLogs();
+		process.exit(1);
+	}
+	await flushLogs();
+});
+program.command("whoami").description("Show the currently logged-in user").action(async () => {
+	try {
+		await whoamiCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Error: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("logout").description("Remove authentication token from config").action(async () => {
+	try {
+		await logoutCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Logout failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("publish").alias("pub").description("Pack and publish a skill to the Tank registry").option("--dry-run", "Validate and pack without uploading").option("--private", "Publish skill as private").option("--visibility <mode>", "Skill visibility (public|private)").action(async (opts) => {
+	try {
+		await publishCommand({
+			dryRun: opts.dryRun,
+			private: opts.private,
+			visibility: opts.visibility
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Publish failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("install").alias("i").description("Install a skill from the Tank registry, or all skills from lockfile").argument("[name]", "Skill name (e.g., @org/skill-name). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").action(async (name, versionRange, opts) => {
+	try {
+		if (name) await installCommand({
+			name,
+			versionRange,
+			global: opts.global
+		});
+		else await installAll({ global: opts.global });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Install failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("remove").aliases(["rm", "r"]).description("Remove an installed skill").argument("<name>", "Skill name (e.g., @org/skill-name)").option("-g, --global", "Remove a globally installed skill").action(async (name, opts) => {
+	try {
+		await removeCommand({
+			name,
+			global: opts.global
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Remove failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("update").alias("up").description("Update skills to latest versions within their ranges").argument("[name]", "Skill name to update (omit to update all)").option("-g, --global", "Update globally installed skills").action(async (name, opts) => {
+	try {
+		await updateCommand({
+			name,
+			global: opts.global
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Update failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("verify").description("Verify installed skills match the lockfile").action(async () => {
+	try {
+		await verifyCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Verify failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("permissions").alias("perms").description("Display resolved permission summary for installed skills").action(async () => {
+	try {
+		await permissionsCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Error: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("search").alias("s").description("Search for skills in the Tank registry").argument("<query>", "Search query").action(async (query) => {
+	try {
+		await searchCommand({ query });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Search failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("info").alias("show").description("Show detailed information about a skill").argument("<name>", "Skill name (e.g., @org/skill-name)").action(async (name) => {
+	try {
+		await infoCommand({ name });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Info failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("audit").description("Display security audit results for installed skills").argument("[name]", "Skill name to audit (omit to audit all)").action(async (name) => {
+	try {
+		await auditCommand({ name });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Audit failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("run").description("Launch an agent with credential protection (vault proxy)").argument("<agent>", "Agent ID to launch").allowUnknownOption(true).allowExcessArguments(true).option("--verbose", "Print verbose vault proxy details").action(async (agent, opts, cmd) => {
+	try {
+		const agentArgs = cmd.args.slice(1);
+		await runCommand({
+			agent,
+			verbose: opts.verbose,
+			agentArgs
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Run failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("scan").description("Scan a local skill for security issues without publishing").option("-d, --directory <path>", "Directory to scan (default: current directory)").action(async (opts) => {
+	try {
+		await scanCommand({ directory: opts.directory });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Scan failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("link").alias("ln").description("Link current skill directory to AI agent directories (for development)").action(async () => {
+	try {
+		await linkCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Link failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("unlink").description("Remove skill symlinks from AI agent directories").action(async () => {
+	try {
+		await unlinkCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Unlink failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("doctor").description("Diagnose agent integration health").action(async () => {
+	try {
+		await doctorCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Doctor failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("migrate").description("Migrate skills.json → tank.json and skills.lock → tank.lock").action(async () => {
+	try {
+		await migrateCommand();
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Migration failed: ${msg}`);
+		process.exit(1);
+	}
+});
+program.command("upgrade").description("Update tank to the latest version").argument("[version]", "Target version (default: latest)").option("--dry-run", "Check for updates without installing").option("--force", "Reinstall even if already on the target version").action(async (version, opts) => {
+	try {
+		await upgradeCommand({
+			version,
+			dryRun: opts.dryRun,
+			force: opts.force
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Upgrade failed: ${msg}`);
+		await flushLogs();
+		process.exit(1);
+	}
+	await flushLogs();
+});
+checkForUpgrade().catch(() => {});
+program.parse();
+//#endregion
+export {};
+
+//# sourceMappingURL=tank.js.map