akm-cli 0.3.0 → 0.4.0

package/dist/cli.js

@@ -4,13 +4,14 @@ import path from "node:path";
 import { defineCommand, runMain } from "citty";
 import { resolveStashDir } from "./common";
 import { generateBashCompletions, installBashCompletions } from "./completions";
-import { DEFAULT_CONFIG, getConfigPath, loadConfig, saveConfig } from "./config";
+import { DEFAULT_CONFIG, getConfigPath, loadConfig, loadUserConfig, saveConfig } from "./config";
 import { getConfigValue, listConfig, setConfigValue, unsetConfigValue } from "./config-cli";
 import { closeDatabase, openDatabase } from "./db";
 import { ConfigError, NotFoundError, UsageError } from "./errors";
 import { akmIndex } from "./indexer";
 import { assembleInfo } from "./info";
 import { akmInit } from "./init";
+import { formatInstallAuditSummary } from "./install-audit";
 import { akmListSources, akmRemove, akmUpdate } from "./installed-kits";
 import { getCacheDir, getDbPath, getDefaultStashDir } from "./paths";
 import { buildRegistryIndex, writeRegistryIndex } from "./registry-build-index";
@@ -338,6 +339,9 @@ function formatPlain(command, result, detail) {
         case "search": {
             return formatSearchPlain(r, detail);
         }
+        case "curate": {
+            return formatCuratePlain(r, detail);
+        }
         case "list": {
             const sources = Array.isArray(r.sources) ? r.sources : [];
             if (sources.length === 0)
@@ -356,7 +360,13 @@ function formatPlain(command, result, detail) {
             const index = r.index;
             const scanned = index?.directoriesScanned ?? 0;
             const total = index?.totalEntries ?? 0;
-            return `Installed ${r.ref} (${scanned} directories scanned, ${total} total assets indexed)`;
+            const lines = [`Installed ${r.ref} (${scanned} directories scanned, ${total} total assets indexed)`];
+            const installed = r.installed;
+            const audit = installed?.audit;
+            if (audit && typeof audit === "object") {
+                lines.push(formatInstallAuditSummary(audit));
+            }
+            return lines.join("\n");
         }
         case "remove": {
             const target = r.target ?? r.ref ?? "";
@@ -464,6 +474,275 @@ function formatSearchPlain(r, detail) {
     }
     return lines.join("\n").trimEnd();
 }
+function formatCuratePlain(r, detail) {
+    const query = typeof r.query === "string" ? r.query : "";
+    const summary = typeof r.summary === "string" ? r.summary : "";
+    const items = Array.isArray(r.items) ? r.items : [];
+    const lines = [`Curated results for "${query}"`];
+    if (summary)
+        lines.push(summary);
+    if (items.length === 0) {
+        if (r.tip)
+            lines.push(String(r.tip));
+        return lines.join("\n");
+    }
+    for (const item of items) {
+        const type = typeof item.type === "string" ? item.type : "unknown";
+        const name = typeof item.name === "string" ? item.name : "unnamed";
+        lines.push("");
+        lines.push(`[${type}] ${name}`);
+        if (item.description)
+            lines.push(`  ${String(item.description)}`);
+        if (item.preview)
+            lines.push(`  preview: ${String(item.preview)}`);
+        if (item.ref)
+            lines.push(`  ref: ${String(item.ref)}`);
+        if (item.id)
+            lines.push(`  id: ${String(item.id)}`);
+        if (Array.isArray(item.parameters) && item.parameters.length > 0) {
+            lines.push(`  parameters: ${item.parameters.join(", ")}`);
+        }
+        if (item.run)
+            lines.push(`  run: ${String(item.run)}`);
+        if (item.followUp)
+            lines.push(`  show: ${String(item.followUp)}`);
+        if (detail !== "brief" && item.reason)
+            lines.push(`  why: ${String(item.reason)}`);
+    }
+    const warnings = Array.isArray(r.warnings) ? r.warnings : [];
+    if (warnings.length > 0) {
+        lines.push("");
+        lines.push("Warnings:");
+        for (const warning of warnings) {
+            lines.push(`- ${String(warning)}`);
+        }
+    }
+    return lines.join("\n");
+}
+const CURATE_FALLBACK_FILTER_WORDS = new Set([
+    "a",
+    "an",
+    "and",
+    "for",
+    "how",
+    "i",
+    "in",
+    "of",
+    "or",
+    "the",
+    "to",
+    "with",
+]);
+const CURATED_TYPE_FALLBACK_ORDER = ["skill", "command", "script", "knowledge", "agent", "memory"];
+const CURATED_TYPE_FALLBACK_INDEX = new Map(CURATED_TYPE_FALLBACK_ORDER.map((type, index) => [type, index]));
+const MIN_CURATE_FALLBACK_TOKEN_LENGTH = 3;
+const MAX_CURATE_FALLBACK_KEYWORDS = 6;
+const CURATE_SEARCH_LIMIT_MULTIPLIER = 4;
+const MIN_CURATE_SEARCH_LIMIT = 12;
+async function curateSearchResults(query, result, limit, selectedType) {
+    const stashHits = result.hits.filter((hit) => hit.type !== "registry");
+    const registryHits = result.registryHits ?? [];
+    let selectedStashHits;
+    if (selectedType && selectedType !== "any") {
+        selectedStashHits = stashHits.slice(0, limit);
+    }
+    else {
+        const bestByType = new Map();
+        for (const hit of stashHits) {
+            if (!bestByType.has(hit.type))
+                bestByType.set(hit.type, hit);
+        }
+        const orderedTypes = orderCuratedTypes(query, Array.from(bestByType.keys()));
+        selectedStashHits = orderedTypes
+            .map((type) => bestByType.get(type))
+            .filter((hit) => Boolean(hit));
+    }
+    const selectedRegistryHits = selectedStashHits.length >= limit ? [] : registryHits.slice(0, Math.min(2, limit - selectedStashHits.length));
+    const items = [
+        ...(await Promise.all(selectedStashHits.slice(0, limit).map((hit) => enrichCuratedStashHit(query, hit)))),
+        ...selectedRegistryHits.map((hit) => buildCuratedRegistryItem(query, hit)),
+    ].slice(0, limit);
+    return {
+        query,
+        summary: buildCurateSummary(query, items),
+        items,
+        ...(result.warnings?.length ? { warnings: result.warnings } : {}),
+        ...(result.tip ? { tip: result.tip } : {}),
+    };
+}
+function orderCuratedTypes(query, types) {
+    const lower = query.toLowerCase();
+    const boosts = new Map();
+    const addBoost = (type, amount) => boosts.set(type, (boosts.get(type) ?? 0) + amount);
+    if (/(run|script|bash|shell|cli|execute|automation|deploy|build|test|lint)/.test(lower)) {
+        addBoost("script", 6);
+        addBoost("command", 4);
+    }
+    if (/(guide|docs?|readme|reference|how|explain|learn|why)/.test(lower)) {
+        addBoost("knowledge", 6);
+        addBoost("skill", 4);
+    }
+    if (/(agent|assistant|planner|review|analy[sz]e|architect|prompt)/.test(lower)) {
+        addBoost("agent", 6);
+        addBoost("skill", 3);
+    }
+    if (/(config|template|release|generate|command)/.test(lower)) {
+        addBoost("command", 5);
+    }
+    if (/(memory|context|recall|remember)/.test(lower)) {
+        addBoost("memory", 6);
+    }
+    return [...types].sort((a, b) => {
+        const boostDiff = (boosts.get(b) ?? 0) - (boosts.get(a) ?? 0);
+        if (boostDiff !== 0)
+            return boostDiff;
+        return ((CURATED_TYPE_FALLBACK_INDEX.get(a) ?? Number.MAX_SAFE_INTEGER) -
+            (CURATED_TYPE_FALLBACK_INDEX.get(b) ?? Number.MAX_SAFE_INTEGER));
+    });
+}
+async function enrichCuratedStashHit(query, hit) {
+    let shown;
+    try {
+        shown = await akmShowUnified({ ref: hit.ref });
+    }
+    catch {
+        shown = undefined;
+    }
+    const description = shown?.description ?? hit.description;
+    const preview = buildCuratedPreview(shown, hit);
+    return {
+        source: "stash",
+        type: shown?.type ?? hit.type,
+        name: shown?.name ?? hit.name,
+        ref: hit.ref,
+        ...(description ? { description } : {}),
+        ...(preview ? { preview } : {}),
+        ...(shown?.parameters?.length ? { parameters: shown.parameters } : {}),
+        ...(shown?.run ? { run: shown.run } : {}),
+        followUp: `akm show ${hit.ref}`,
+        reason: buildCuratedReason(query, shown?.type ?? hit.type),
+        ...(hit.score !== undefined ? { score: hit.score } : {}),
+    };
+}
+function buildCuratedRegistryItem(query, hit) {
+    return {
+        source: "registry",
+        type: "registry",
+        name: hit.name,
+        id: hit.id,
+        ...(hit.description ? { description: hit.description } : {}),
+        followUp: hit.action ?? `akm add ${hit.id}`,
+        reason: `Useful external source to explore for ${query}.`,
+        ...(hit.score !== undefined ? { score: hit.score } : {}),
+    };
+}
+function firstNonEmpty(values) {
+    return values.find((value) => typeof value === "string" && value.trim().length > 0);
+}
+function buildCuratedPreview(shown, hit) {
+    if (shown?.run)
+        return truncateDescription(`run ${shown.run}`, 160);
+    const payload = firstNonEmpty([shown?.template, shown?.prompt, shown?.content, hit.description])
+        ?.replace(/\s+/g, " ")
+        .trim();
+    return payload ? truncateDescription(payload, 160) : undefined;
+}
+function buildCuratedReason(query, type) {
+    switch (type) {
+        case "script":
+            return `Best runnable script match for "${query}".`;
+        case "command":
+            return `Best reusable command/template match for "${query}".`;
+        case "knowledge":
+            return `Best reference document match for "${query}".`;
+        case "skill":
+            return `Best instructions/workflow match for "${query}".`;
+        case "agent":
+            return `Best specialized agent prompt match for "${query}".`;
+        case "memory":
+            return `Best saved context match for "${query}".`;
+        default:
+            return `Best ${type} match for "${query}".`;
+    }
+}
+function buildCurateSummary(query, items) {
+    if (items.length === 0) {
+        return `No curated assets were selected for "${query}".`;
+    }
+    const labels = items.map((item) => `${item.type}:${item.name}`);
+    return `Selected ${items.length} high-signal result${items.length === 1 ? "" : "s"}: ${labels.join(", ")}.`;
+}
+function hasSearchResults(result) {
+    return result.hits.length > 0 || (result.registryHits?.length ?? 0) > 0;
+}
+/**
+ * Extract a small set of fallback keywords when a prompt-style curate query
+ * returns no hits as a whole phrase.
+ *
+ * We keep up to MAX_CURATE_FALLBACK_KEYWORDS distinct keywords and drop short
+ * or common filler words so follow-up searches stay inexpensive while focusing
+ * on higher-signal terms.
+ */
+function deriveCurateFallbackQueries(query) {
+    return Array.from(new Set(query
+        .toLowerCase()
+        .split(/[^a-z0-9]+/)
+        .map((token) => token.trim())
+        // Keep longer tokens so fallback stays focused on higher-signal terms
+        // and avoids broad one- and two-letter matches that overwhelm curation.
+        .filter((token) => token.length >= MIN_CURATE_FALLBACK_TOKEN_LENGTH && !CURATE_FALLBACK_FILTER_WORDS.has(token)))).slice(0, MAX_CURATE_FALLBACK_KEYWORDS);
+}
+function mergeCurateSearchResponses(base, extras) {
+    const hitsByRef = new Map();
+    for (const hit of base.hits.filter((entry) => entry.type !== "registry")) {
+        hitsByRef.set(hit.ref, hit);
+    }
+    for (const result of extras) {
+        for (const hit of result.hits.filter((entry) => entry.type !== "registry")) {
+            const existing = hitsByRef.get(hit.ref);
+            if (!existing || (hit.score ?? 0) > (existing.score ?? 0)) {
+                hitsByRef.set(hit.ref, hit);
+            }
+        }
+    }
+    const registryById = new Map();
+    for (const hit of base.registryHits ?? []) {
+        registryById.set(hit.id, hit);
+    }
+    for (const result of extras) {
+        for (const hit of result.registryHits ?? []) {
+            const existing = registryById.get(hit.id);
+            if (!existing || (hit.score ?? 0) > (existing.score ?? 0)) {
+                registryById.set(hit.id, hit);
+            }
+        }
+    }
+    const warnings = Array.from(new Set([...(base.warnings ?? []), ...extras.flatMap((result) => result.warnings ?? [])]));
+    const mergedHits = [...hitsByRef.values()].sort((a, b) => (b.score ?? 0) - (a.score ?? 0));
+    const mergedRegistryHits = [...registryById.values()].sort((a, b) => (b.score ?? 0) - (a.score ?? 0));
+    return {
+        ...base,
+        hits: mergedHits,
+        ...(mergedRegistryHits.length > 0 ? { registryHits: mergedRegistryHits } : {}),
+        ...(warnings.length > 0 ? { warnings } : {}),
+        ...(mergedHits.length > 0 || mergedRegistryHits.length > 0 ? { tip: undefined } : {}),
+    };
+}
+async function searchForCuration(input) {
+    const initial = await akmSearch(input);
+    if (hasSearchResults(initial))
+        return initial;
+    const fallbackQueries = deriveCurateFallbackQueries(input.query);
+    if (fallbackQueries.length <= 1)
+        return initial;
+    const fallbackResults = await Promise.all(fallbackQueries.map((token) => akmSearch({
+        query: token,
+        type: input.type,
+        limit: input.limit,
+        source: input.source,
+    })));
+    return mergeCurateSearchResponses(initial, fallbackResults);
+}
 /**
  * Module Naming:
  * - stash-*          : Asset operations (search, show, add, clone)
@@ -550,20 +829,55 @@ const searchCommand = defineCommand({
         });
     },
 });
+const curateCommand = defineCommand({
+    meta: { name: "curate", description: "Curate the best matching assets for a task or prompt" },
+    args: {
+        query: { type: "positional", description: "Task or prompt to curate assets for", required: true },
+        type: {
+            type: "string",
+            description: "Asset type filter (e.g. skill, command, agent, knowledge, script, memory, or any).",
+        },
+        limit: { type: "string", description: "Maximum number of curated results", default: "4" },
+        source: { type: "string", description: "Search source (stash|registry|both)", default: "stash" },
+    },
+    async run({ args }) {
+        await runWithJsonErrors(async () => {
+            const type = args.type;
+            const limitRaw = args.limit ? parseInt(args.limit, 10) : undefined;
+            if (limitRaw !== undefined && Number.isNaN(limitRaw)) {
+                throw new UsageError(`Invalid --limit value: "${args.limit}". Must be a positive integer.`);
+            }
+            const limit = limitRaw && limitRaw > 0 ? limitRaw : 4;
+            const source = parseSearchSource(args.source ?? "stash");
+            const searchResult = await searchForCuration({
+                query: args.query,
+                type,
+                // Search deeper than the final curated count so we can pick one strong
+                // match per type and still have room for fallback retries.
+                limit: Math.max(limit * CURATE_SEARCH_LIMIT_MULTIPLIER, MIN_CURATE_SEARCH_LIMIT),
+                source,
+            });
+            const curated = await curateSearchResults(args.query, searchResult, limit, type);
+            output("curate", curated);
+        });
+    },
+});
 const addCommand = defineCommand({
     meta: {
         name: "add",
-        description: "Add a source (local directory, npm package, GitHub repo, git URL, or remote provider)",
+        description: "Add a source (local directory, website, npm package, GitHub repo, git URL, or remote provider)",
     },
     args: {
         ref: {
             type: "positional",
-            description: "Path, URL, or registry ref (npm package, owner/repo, git URL, or local directory)",
+            description: "Path, URL, or registry ref (website URL, npm package, owner/repo, git URL, or local directory)",
             required: true,
         },
         provider: { type: "string", description: "Provider type (e.g. openviking). Required for URL sources." },
         options: { type: "string", description: 'Provider options as JSON (e.g. \'{"apiKey":"key"}\').' },
         name: { type: "string", description: "Human-friendly name for the source" },
+        "max-pages": { type: "string", description: "Maximum pages to crawl for website sources (default: 50)" },
+        "max-depth": { type: "string", description: "Maximum crawl depth for website sources (default: 3)" },
     },
     async run({ args }) {
         await runWithJsonErrors(async () => {
@@ -580,7 +894,7 @@ const addCommand = defineCommand({
             }
             // URL with --provider → stash source (remote or git provider)
             if (args.provider) {
-                if (ref.startsWith("http://")) {
+                if (shouldWarnOnPlainHttp(ref)) {
                     warn("Warning: source URL uses plain HTTP (not HTTPS). For security, prefer https:// to protect against eavesdropping and tampering.");
                 }
                 let parsedOptions;
@@ -607,7 +921,19 @@ const addCommand = defineCommand({
                 output("stash-add", result);
                 return;
             }
-            const result = await akmAdd({ ref });
+            if (shouldWarnOnPlainHttp(ref)) {
+                warn("Warning: source URL uses plain HTTP (not HTTPS). For security, prefer https:// to protect against eavesdropping and tampering.");
+            }
+            const websiteOptions = {};
+            if (args["max-pages"])
+                websiteOptions.maxPages = args["max-pages"];
+            if (args["max-depth"])
+                websiteOptions.maxDepth = args["max-depth"];
+            const result = await akmAdd({
+                ref,
+                name: args.name,
+                options: Object.keys(websiteOptions).length > 0 ? websiteOptions : undefined,
+            });
             output("add", result);
         });
     },
@@ -624,6 +950,22 @@ function parseKindFilter(raw) {
     }
     return kinds;
 }
+function shouldWarnOnPlainHttp(ref) {
+    if (!ref.startsWith("http://"))
+        return false;
+    try {
+        const hostname = new URL(ref).hostname.toLowerCase();
+        return (hostname !== "localhost" &&
+            hostname !== "127.0.0.1" &&
+            hostname !== "0.0.0.0" &&
+            hostname !== "::1" &&
+            hostname !== "[::1]" &&
+            !hostname.endsWith(".localhost"));
+    }
+    catch {
+        return true;
+    }
+}
 const listCommand = defineCommand({
     meta: { name: "list", description: "List all sources (local directories, managed packages, remote providers)" },
     args: {
@@ -796,7 +1138,7 @@ const configCommand = defineCommand({
             },
             run({ args }) {
                 return runWithJsonErrors(() => {
-                    const updated = setConfigValue(loadConfig(), args.key, args.value);
+                    const updated = setConfigValue(loadUserConfig(), args.key, args.value);
                     saveConfig(updated);
                     output("config", listConfig(updated));
                 });
@@ -809,7 +1151,7 @@ const configCommand = defineCommand({
             },
             run({ args }) {
                 return runWithJsonErrors(() => {
-                    const updated = unsetConfigValue(loadConfig(), args.key);
+                    const updated = unsetConfigValue(loadUserConfig(), args.key);
                     saveConfig(updated);
                     output("config", listConfig(updated));
                 });
@@ -858,7 +1200,7 @@ const registryCommand = defineCommand({
             meta: { name: "list", description: "List configured registries" },
             run() {
                 return runWithJsonErrors(() => {
-                    const config = loadConfig();
+                    const config = loadUserConfig();
                     const registries = config.registries ?? DEFAULT_CONFIG.registries;
                     output("registry-list", { registries });
                 });
@@ -880,7 +1222,7 @@ const registryCommand = defineCommand({
                     if (args.url.startsWith("http://")) {
                         warn("Warning: registry URL uses plain HTTP (not HTTPS). For security, prefer https:// to protect against eavesdropping and tampering.");
                     }
-                    const config = loadConfig();
+                    const config = loadUserConfig();
                     const registries = [...(config.registries ?? [])];
                     // Deduplicate by URL
                     if (registries.some((r) => r.url === args.url)) {
@@ -913,7 +1255,7 @@ const registryCommand = defineCommand({
             },
             run({ args }) {
                 return runWithJsonErrors(() => {
-                    const config = loadConfig();
+                    const config = loadUserConfig();
                     const registries = [...(config.registries ?? [])];
                     const idx = registries.findIndex((r) => r.url === args.target || r.name === args.target);
                     if (idx === -1) {
@@ -1081,6 +1423,7 @@ const main = defineCommand({
         update: updateCommand,
         upgrade: upgradeCommand,
         search: searchCommand,
+        curate: curateCommand,
         show: showCommand,
         clone: cloneCommand,
         registry: registryCommand,
@@ -1245,6 +1588,7 @@ You have access to a searchable library of scripts, skills, commands, agents, an
 
 \`\`\`sh
 akm search "<query>"                          # Search all sources
+akm curate "<task>"                          # Curate the best matches for a task
 akm search "<query>" --type skill             # Filter by type
 akm search "<query>" --source both            # Also search registries
 akm show <ref>                                # View asset details
@@ -1273,6 +1617,7 @@ You have access to a searchable library of scripts, skills, commands, agents, an
 
 \`\`\`sh
 akm search "<query>"                          # Search all sources
+akm curate "<task>"                          # Curate the best matches for a task
 akm search "<query>" --type skill             # Filter by asset type
 akm search "<query>" --source both            # Also search registries
 akm search "<query>" --source registry        # Search registries only
@@ -1289,6 +1634,16 @@ akm search "<query>" --detail full            # Include scores, paths, timing
 | \`--detail\` | \`brief\`, \`normal\`, \`full\`, \`summary\` | \`brief\` |
 | \`--for-agent\` | boolean | \`false\` |
 
+## Curate
+
+Combine search + follow-up hints into a dense summary for a task or prompt.
+
+\`\`\`sh
+akm curate "plan a release"                   # Pick top matches across asset types
+akm curate "deploy a Bun app" --limit 3       # Keep the summary shorter
+akm curate "review architecture" --type skill # Restrict to one asset type
+\`\`\`
+
 ## Show
 
 Display an asset by ref. Knowledge assets support view modes as positional arguments.

package/dist/common.js

@@ -8,6 +8,11 @@ export const IS_WINDOWS = process.platform === "win32";
 export function isHttpUrl(value) {
     return !!value && /^https?:\/\//.test(value);
 }
+export function filterNonEmptyStrings(value) {
+    if (!Array.isArray(value))
+        return undefined;
+    return value.filter((entry) => typeof entry === "string" && entry.trim().length > 0);
+}
 // ── Validators ──────────────────────────────────────────────────────────────
 export function isAssetType(type) {
     return Object.hasOwn(TYPE_DIRS, type);

package/dist/config-cli.js

@@ -26,6 +26,16 @@ export function parseConfigValue(key, value) {
             return { output: { format: parseOutputFormat(value) } };
         case "output.detail":
             return { output: { detail: parseOutputDetail(value) } };
+        case "security.installAudit.enabled":
+            return { security: { installAudit: { enabled: parseBooleanValue(value, key) } } };
+        case "security.installAudit.blockOnCritical":
+            return { security: { installAudit: { blockOnCritical: parseBooleanValue(value, key) } } };
+        case "security.installAudit.blockUnlistedRegistries":
+            return { security: { installAudit: { blockUnlistedRegistries: parseBooleanValue(value, key) } } };
+        case "security.installAudit.registryAllowlist":
+            return { security: { installAudit: { registryAllowlist: parseStringArrayValue(value, key) } } };
+        case "security.installAudit.registryWhitelist":
+            return { security: { installAudit: { registryAllowlist: parseStringArrayValue(value, key) } } };
         default:
             throw new UsageError(`Unknown config key: ${key}`);
     }
@@ -48,6 +58,18 @@ export function getConfigValue(config, key) {
             return config.output?.format ?? null;
         case "output.detail":
             return config.output?.detail ?? null;
+        case "security":
+            return config.security ?? null;
+        case "security.installAudit.enabled":
+            return config.security?.installAudit?.enabled ?? null;
+        case "security.installAudit.blockOnCritical":
+            return config.security?.installAudit?.blockOnCritical ?? null;
+        case "security.installAudit.blockUnlistedRegistries":
+            return config.security?.installAudit?.blockUnlistedRegistries ?? null;
+        case "security.installAudit.registryAllowlist":
+            return getInstallAuditAllowlist(config);
+        case "security.installAudit.registryWhitelist":
+            return getInstallAuditAllowlist(config);
         default:
             throw new UsageError(`Unknown config key: ${key}`);
     }
@@ -62,6 +84,11 @@ export function setConfigValue(config, key, rawValue) {
         case "stashes":
         case "output.format":
         case "output.detail":
+        case "security.installAudit.enabled":
+        case "security.installAudit.blockOnCritical":
+        case "security.installAudit.blockUnlistedRegistries":
+        case "security.installAudit.registryAllowlist":
+        case "security.installAudit.registryWhitelist":
             return mergeConfigValue(config, parseConfigValue(key, rawValue));
         default:
             throw new UsageError(`Unknown config key: ${key}`);
@@ -83,6 +110,28 @@ export function unsetConfigValue(config, key) {
             return { ...config, output: mergeOutputConfig(config.output, { format: undefined }) };
         case "output.detail":
             return { ...config, output: mergeOutputConfig(config.output, { detail: undefined }) };
+        case "security":
+            return { ...config, security: undefined };
+        case "security.installAudit.enabled":
+            return { ...config, security: mergeSecurityConfig(config.security, { installAudit: { enabled: undefined } }) };
+        case "security.installAudit.blockOnCritical":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, { installAudit: { blockOnCritical: undefined } }),
+            };
+        case "security.installAudit.blockUnlistedRegistries":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, { installAudit: { blockUnlistedRegistries: undefined } }),
+            };
+        case "security.installAudit.registryAllowlist":
+        case "security.installAudit.registryWhitelist":
+            return {
+                ...config,
+                security: mergeSecurityConfig(config.security, {
+                    installAudit: { registryAllowlist: undefined, registryWhitelist: undefined },
+                }),
+            };
         default:
             throw new UsageError(`Unknown or unsupported unset key: ${key}`);
     }
@@ -100,6 +149,8 @@ export function listConfig(config) {
         result.embedding = config.embedding;
     if (config.llm)
         result.llm = config.llm;
+    if (config.security)
+        result.security = config.security;
     return result;
 }
 function mergeConfigValue(config, partial) {
@@ -107,6 +158,7 @@ function mergeConfigValue(config, partial) {
         ...config,
         ...partial,
         output: mergeOutputConfig(config.output, partial.output),
+        security: mergeSecurityConfig(config.security, partial.security),
     };
 }
 function mergeOutputConfig(base, override) {
@@ -116,6 +168,18 @@ function mergeOutputConfig(base, override) {
     };
     return merged.format || merged.detail ? merged : undefined;
 }
+function mergeSecurityConfig(base, override) {
+    const mergedInstallAudit = mergeInstallAuditConfig(base?.installAudit, override?.installAudit);
+    return mergedInstallAudit ? { installAudit: mergedInstallAudit } : undefined;
+}
+function mergeInstallAuditConfig(base, override) {
+    const merged = {
+        ...(base ?? {}),
+        ...(override ?? {}),
+    };
+    const hasValue = Object.values(merged).some((value) => value !== undefined);
+    return hasValue ? merged : undefined;
+}
 function parseOutputFormat(value) {
     if (value === "json" || value === "yaml" || value === "text")
         return value;
@@ -126,6 +190,29 @@ function parseOutputDetail(value) {
         return value;
     throw new UsageError(`Invalid value for output.detail: expected one of brief|normal|full`);
 }
+function parseBooleanValue(value, key) {
+    if (value === "true")
+        return true;
+    if (value === "false")
+        return false;
+    throw new UsageError(`Invalid value for ${key}: expected true or false`);
+}
+function parseStringArrayValue(value, key) {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        throw new UsageError(`Invalid value for ${key}: expected a JSON array of strings`);
+    }
+    if (!Array.isArray(parsed) || parsed.some((entry) => typeof entry !== "string")) {
+        throw new UsageError(`Invalid value for ${key}: expected a JSON array of strings`);
+    }
+    return parsed;
+}
+function getInstallAuditAllowlist(config) {
+    return config.security?.installAudit?.registryAllowlist ?? config.security?.installAudit?.registryWhitelist ?? null;
+}
 function parseRegistriesValue(value) {
     if (value === "null" || value === "")
         return undefined;