claudekit-cli 2.6.0 → 3.0.1

package/dist/index.js

@@ -5052,9 +5052,6 @@ var init_types2 = __esm(() => {
     files: exports_external.array(TrackedFileSchema).optional()
   });
   ConfigSchema = exports_external.object({
-    github: exports_external.object({
-      token: exports_external.string().optional()
-    }).optional(),
     defaults: exports_external.object({
       kit: KitType.optional(),
       dir: exports_external.string().optional()
@@ -5425,7 +5422,7 @@ var require_polyfills = __commonJS((exports, module) => {
   var constants = __require("constants");
   var origCwd = process.cwd;
   var cwd = null;
-  var platform3 = process.env.GRACEFUL_FS_PLATFORM || process.platform;
+  var platform2 = process.env.GRACEFUL_FS_PLATFORM || process.platform;
   process.cwd = function() {
     if (!cwd)
       cwd = origCwd.call(process);
@@ -5484,7 +5481,7 @@ var require_polyfills = __commonJS((exports, module) => {
       };
       fs.lchownSync = function() {};
     }
-    if (platform3 === "win32") {
+    if (platform2 === "win32") {
       fs.rename = typeof fs.rename !== "function" ? fs.rename : function(fs$rename) {
         function rename(from, to, cb) {
           var start = Date.now();
@@ -5924,8 +5921,8 @@ GFS4: `);
     fs2.createReadStream = createReadStream;
     fs2.createWriteStream = createWriteStream2;
     var fs$readFile = fs2.readFile;
-    fs2.readFile = readFile3;
-    function readFile3(path, options, cb) {
+    fs2.readFile = readFile2;
+    function readFile2(path, options, cb) {
       if (typeof options === "function")
         cb = options, options = null;
       return go$readFile(path, options, cb);
@@ -5941,8 +5938,8 @@ GFS4: `);
       }
     }
     var fs$writeFile = fs2.writeFile;
-    fs2.writeFile = writeFile3;
-    function writeFile3(path, data, options, cb) {
+    fs2.writeFile = writeFile2;
+    function writeFile2(path, data, options, cb) {
       if (typeof options === "function")
         cb = options, options = null;
       return go$writeFile(path, data, options, cb);
@@ -6862,14 +6859,14 @@ var require_empty = __commonJS((exports, module) => {
   var u = require_universalify().fromPromise;
   var fs = require_fs();
   var path = __require("path");
-  var mkdir3 = require_mkdirs();
+  var mkdir2 = require_mkdirs();
   var remove = require_remove();
   var emptyDir = u(async function emptyDir(dir) {
     let items;
     try {
       items = await fs.readdir(dir);
     } catch {
-      return mkdir3.mkdirs(dir);
+      return mkdir2.mkdirs(dir);
     }
     return Promise.all(items.map((item) => remove.remove(path.join(dir, item))));
   });
@@ -6878,7 +6875,7 @@ var require_empty = __commonJS((exports, module) => {
     try {
       items = fs.readdirSync(dir);
     } catch {
-      return mkdir3.mkdirsSync(dir);
+      return mkdir2.mkdirsSync(dir);
     }
     items.forEach((item) => {
       item = path.join(dir, item);
@@ -6898,7 +6895,7 @@ var require_file = __commonJS((exports, module) => {
   var u = require_universalify().fromPromise;
   var path = __require("path");
   var fs = require_fs();
-  var mkdir3 = require_mkdirs();
+  var mkdir2 = require_mkdirs();
   async function createFile(file) {
     let stats;
     try {
@@ -6912,7 +6909,7 @@ var require_file = __commonJS((exports, module) => {
       dirStats = await fs.stat(dir);
     } catch (err) {
       if (err.code === "ENOENT") {
-        await mkdir3.mkdirs(dir);
+        await mkdir2.mkdirs(dir);
         await fs.writeFile(file, "");
         return;
       } else {
@@ -6939,7 +6936,7 @@ var require_file = __commonJS((exports, module) => {
       }
     } catch (err) {
       if (err && err.code === "ENOENT")
-        mkdir3.mkdirsSync(dir);
+        mkdir2.mkdirsSync(dir);
       else
         throw err;
     }
@@ -6956,7 +6953,7 @@ var require_link = __commonJS((exports, module) => {
   var u = require_universalify().fromPromise;
   var path = __require("path");
   var fs = require_fs();
-  var mkdir3 = require_mkdirs();
+  var mkdir2 = require_mkdirs();
   var { pathExists } = require_path_exists();
   var { areIdentical } = require_stat();
   async function createLink(srcpath, dstpath) {
@@ -6976,7 +6973,7 @@ var require_link = __commonJS((exports, module) => {
     const dir = path.dirname(dstpath);
     const dirExists = await pathExists(dir);
     if (!dirExists) {
-      await mkdir3.mkdirs(dir);
+      await mkdir2.mkdirs(dir);
     }
     await fs.link(srcpath, dstpath);
   }
@@ -6997,7 +6994,7 @@ var require_link = __commonJS((exports, module) => {
     const dirExists = fs.existsSync(dir);
     if (dirExists)
       return fs.linkSync(srcpath, dstpath);
-    mkdir3.mkdirsSync(dir);
+    mkdir2.mkdirsSync(dir);
     return fs.linkSync(srcpath, dstpath);
   }
   module.exports = {
@@ -7237,7 +7234,7 @@ var require_jsonfile = __commonJS((exports, module) => {
     }
     return obj;
   }
-  var readFile3 = universalify.fromPromise(_readFile);
+  var readFile2 = universalify.fromPromise(_readFile);
   function readFileSync(file, options = {}) {
     if (typeof options === "string") {
       options = { encoding: options };
@@ -7262,16 +7259,16 @@ var require_jsonfile = __commonJS((exports, module) => {
     const str = stringify(obj, options);
     await universalify.fromCallback(fs.writeFile)(file, str, options);
   }
-  var writeFile3 = universalify.fromPromise(_writeFile);
+  var writeFile2 = universalify.fromPromise(_writeFile);
   function writeFileSync(file, obj, options = {}) {
     const fs = options.fs || _fs;
     const str = stringify(obj, options);
     return fs.writeFileSync(file, str, options);
   }
   module.exports = {
-    readFile: readFile3,
+    readFile: readFile2,
     readFileSync,
-    writeFile: writeFile3,
+    writeFile: writeFile2,
     writeFileSync
   };
 });
@@ -7292,19 +7289,19 @@ var require_output_file = __commonJS((exports, module) => {
   var u = require_universalify().fromPromise;
   var fs = require_fs();
   var path = __require("path");
-  var mkdir3 = require_mkdirs();
+  var mkdir2 = require_mkdirs();
   var pathExists = require_path_exists().pathExists;
   async function outputFile(file, data, encoding = "utf-8") {
     const dir = path.dirname(file);
     if (!await pathExists(dir)) {
-      await mkdir3.mkdirs(dir);
+      await mkdir2.mkdirs(dir);
     }
     return fs.writeFile(file, data, encoding);
   }
   function outputFileSync(file, ...args) {
     const dir = path.dirname(file);
     if (!fs.existsSync(dir)) {
-      mkdir3.mkdirsSync(dir);
+      mkdir2.mkdirsSync(dir);
     }
     fs.writeFileSync(file, ...args);
   }
@@ -13045,7 +13042,7 @@ var cac = (name = "") => new CAC(name);
 // package.json
 var package_default = {
   name: "claudekit-cli",
-  version: "2.6.0",
+  version: "3.0.1",
   description: "CLI tool for bootstrapping and updating ClaudeKit projects",
   type: "module",
   repository: {
@@ -13134,17 +13131,89 @@ init_dist2();
 import { execSync as execSync2 } from "node:child_process";
 
 // src/lib/auth.ts
-init_dist2();
 init_types2();
+init_logger();
 import { execSync } from "node:child_process";
 
-// src/utils/config.ts
+class AuthManager {
+  static token = null;
+  static ghCliInstalled = null;
+  static async getToken() {
+    if (AuthManager.token) {
+      return { token: AuthManager.token, method: "gh-cli" };
+    }
+    if (!AuthManager.isGhCliInstalled()) {
+      throw new AuthenticationError(`GitHub CLI is not installed.
+
+` + `ClaudeKit requires GitHub CLI for accessing private repositories.
+
+` + `To install:
+` + `  macOS:   brew install gh
+` + `  Windows: winget install GitHub.cli
+` + `  Linux:   sudo apt install gh  (or see: gh.io/install)
+
+` + "After installing, run: gh auth login");
+    }
+    const token = AuthManager.getFromGhCli();
+    if (token) {
+      AuthManager.token = token;
+      logger.debug("Using GitHub CLI authentication");
+      return { token, method: "gh-cli" };
+    }
+    throw new AuthenticationError(`GitHub CLI is not authenticated.
+
+` + `Run: gh auth login
+
+` + "Then follow the prompts to authenticate with your GitHub account.");
+  }
+  static isGhCliInstalled() {
+    if (AuthManager.ghCliInstalled !== null) {
+      return AuthManager.ghCliInstalled;
+    }
+    try {
+      execSync("gh --version", {
+        stdio: "ignore",
+        timeout: 5000
+      });
+      AuthManager.ghCliInstalled = true;
+      return true;
+    } catch {
+      AuthManager.ghCliInstalled = false;
+      return false;
+    }
+  }
+  static getFromGhCli() {
+    try {
+      const token = execSync("gh auth token", {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "ignore"],
+        timeout: 5000
+      }).trim();
+      if (token && token.length > 0) {
+        return token;
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  static async clearToken() {
+    AuthManager.token = null;
+    logger.debug("Cleared cached token");
+  }
+}
+
+// src/lib/github.ts
 init_types2();
 init_logger();
+import { Octokit } from "@octokit/rest";
+
+// src/lib/release-cache.ts
+init_zod();
+init_logger();
 import { existsSync } from "node:fs";
-import { mkdir, readFile, writeFile } from "node:fs/promises";
-import { chmod } from "node:fs/promises";
-import { platform as platform2 } from "node:os";
+import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";
+import { join as join2 } from "node:path";
 
 // src/utils/path-resolver.ts
 import { homedir, platform } from "node:os";
@@ -13248,243 +13317,7 @@ class PathResolver {
   }
 }
 
-// src/utils/config.ts
-class ConfigManager {
-  static config = null;
-  static globalFlag = false;
-  static setGlobalFlag(global2) {
-    ConfigManager.globalFlag = global2;
-    ConfigManager.config = null;
-  }
-  static getGlobalFlag() {
-    return ConfigManager.globalFlag;
-  }
-  static async load() {
-    if (ConfigManager.config) {
-      return ConfigManager.config;
-    }
-    const configFile = PathResolver.getConfigFile(ConfigManager.globalFlag);
-    try {
-      if (existsSync(configFile)) {
-        const content = await readFile(configFile, "utf-8");
-        const data = JSON.parse(content);
-        ConfigManager.config = ConfigSchema.parse(data);
-        logger.debug(`Config loaded from ${configFile}`);
-        return ConfigManager.config;
-      }
-    } catch (error) {
-      logger.warning(`Failed to load config: ${error instanceof Error ? error.message : "Unknown error"}`);
-    }
-    ConfigManager.config = { github: {}, defaults: {} };
-    return ConfigManager.config;
-  }
-  static async save(config) {
-    try {
-      const validConfig = ConfigSchema.parse(config);
-      const configDir = PathResolver.getConfigDir(ConfigManager.globalFlag);
-      const configFile = PathResolver.getConfigFile(ConfigManager.globalFlag);
-      if (!existsSync(configDir)) {
-        await mkdir(configDir, { recursive: true });
-        if (platform2() !== "win32") {
-          await chmod(configDir, 448);
-        }
-      }
-      await writeFile(configFile, JSON.stringify(validConfig, null, 2), "utf-8");
-      if (platform2() !== "win32") {
-        await chmod(configFile, 384);
-      }
-      ConfigManager.config = validConfig;
-      logger.debug(`Config saved to ${configFile}`);
-    } catch (error) {
-      throw new Error(`Failed to save config: ${error instanceof Error ? error.message : "Unknown error"}`);
-    }
-  }
-  static async get() {
-    return ConfigManager.load();
-  }
-  static async set(key, value) {
-    const config = await ConfigManager.load();
-    const keys = key.split(".");
-    let current = config;
-    for (let i = 0;i < keys.length - 1; i++) {
-      if (!(keys[i] in current)) {
-        current[keys[i]] = {};
-      }
-      current = current[keys[i]];
-    }
-    current[keys[keys.length - 1]] = value;
-    await ConfigManager.save(config);
-  }
-  static async getToken() {
-    const config = await ConfigManager.load();
-    return config.github?.token;
-  }
-  static async setToken(token) {
-    await ConfigManager.set("github.token", token);
-  }
-}
-
-// src/lib/auth.ts
-init_logger();
-var keytarModule = null;
-async function getKeytar() {
-  if (keytarModule)
-    return keytarModule;
-  try {
-    keytarModule = await import("keytar");
-    return keytarModule;
-  } catch (error) {
-    logger.debug(`Keytar not available: ${String(error)}`);
-    return null;
-  }
-}
-var SERVICE_NAME = "claudekit-cli";
-var ACCOUNT_NAME = "github-token";
-
-class AuthManager {
-  static token = null;
-  static authMethod = null;
-  static async getToken() {
-    if (AuthManager.token && AuthManager.authMethod) {
-      return { token: AuthManager.token, method: AuthManager.authMethod };
-    }
-    try {
-      const token = await AuthManager.getFromGhCli();
-      if (token) {
-        AuthManager.token = token;
-        AuthManager.authMethod = "gh-cli";
-        logger.debug("Using GitHub CLI authentication");
-        return { token, method: "gh-cli" };
-      }
-    } catch (error) {
-      logger.debug("GitHub CLI not available");
-    }
-    const envToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
-    if (envToken) {
-      AuthManager.token = envToken;
-      AuthManager.authMethod = "env-var";
-      logger.debug("Using environment variable authentication");
-      return { token: envToken, method: "env-var" };
-    }
-    try {
-      const configToken = await ConfigManager.getToken();
-      if (configToken) {
-        AuthManager.token = configToken;
-        AuthManager.authMethod = "env-var";
-        logger.debug("Using config file authentication");
-        return { token: configToken, method: "env-var" };
-      }
-    } catch (error) {
-      logger.debug("No token in config file");
-    }
-    try {
-      const keytar = await getKeytar();
-      if (keytar) {
-        const keychainToken = await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
-        if (keychainToken) {
-          AuthManager.token = keychainToken;
-          AuthManager.authMethod = "keychain";
-          logger.debug("Using keychain authentication");
-          return { token: keychainToken, method: "keychain" };
-        }
-      } else {
-        logger.debug("Keychain not available on this system");
-      }
-    } catch (error) {
-      logger.debug("No token in keychain");
-    }
-    const promptedToken = await AuthManager.promptForToken();
-    AuthManager.token = promptedToken;
-    AuthManager.authMethod = "prompt";
-    return { token: promptedToken, method: "prompt" };
-  }
-  static async getFromGhCli() {
-    try {
-      const token = execSync("gh auth token", {
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "ignore"],
-        timeout: 5000
-      }).trim();
-      if (token && token.length > 0) {
-        return token;
-      }
-      return null;
-    } catch {
-      return null;
-    }
-  }
-  static async promptForToken() {
-    logger.info("");
-    logger.info("GitHub authentication required to access private repositories.");
-    logger.info("");
-    logger.info("\uD83D\uDCA1 Tip: For easier setup, use GitHub CLI instead:");
-    logger.info("   gh auth login");
-    logger.info("");
-    logger.info("Or create a Personal Access Token:");
-    logger.info("   https://github.com/settings/tokens/new?scopes=repo&description=ClaudeKit%20CLI");
-    logger.info("");
-    const token = await re({
-      message: "Enter your GitHub Personal Access Token:",
-      validate: (value) => {
-        if (!value || value.length === 0) {
-          return "Token is required";
-        }
-        if (!value.startsWith("ghp_") && !value.startsWith("github_pat_")) {
-          return 'Invalid token format. Token should start with "ghp_" or "github_pat_"';
-        }
-        return;
-      }
-    });
-    if (lD(token)) {
-      logger.info("");
-      logger.info("Alternative: Set GITHUB_TOKEN environment variable or use 'gh auth login'");
-      throw new AuthenticationError("Authentication cancelled by user");
-    }
-    const keytar = await getKeytar();
-    if (keytar) {
-      const save = await se({
-        message: "Save token securely in OS keychain?"
-      });
-      if (save && !lD(save)) {
-        try {
-          await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
-          logger.success("Token saved securely in keychain");
-        } catch (error) {
-          logger.warning("Failed to save token to keychain");
-        }
-      }
-    }
-    return token;
-  }
-  static async clearToken() {
-    AuthManager.token = null;
-    AuthManager.authMethod = null;
-    try {
-      const keytar = await getKeytar();
-      if (keytar) {
-        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
-        logger.success("Token cleared from keychain");
-      }
-    } catch (error) {
-      logger.warning("Failed to clear token from keychain");
-    }
-  }
-  static isValidTokenFormat(token) {
-    return token.startsWith("ghp_") || token.startsWith("github_pat_");
-  }
-}
-
-// src/lib/github.ts
-init_types2();
-init_logger();
-import { Octokit } from "@octokit/rest";
-
 // src/lib/release-cache.ts
-init_zod();
-init_logger();
-import { existsSync as existsSync2 } from "node:fs";
-import { mkdir as mkdir2, readFile as readFile2, unlink, writeFile as writeFile2 } from "node:fs/promises";
-import { join as join2 } from "node:path";
 var ReleaseCacheEntrySchema = exports_external.object({
   timestamp: exports_external.number(),
   releases: exports_external.array(exports_external.any())
@@ -13500,11 +13333,11 @@ class ReleaseCache {
   async get(key) {
     const cacheFile = this.getCachePath(key);
     try {
-      if (!existsSync2(cacheFile)) {
+      if (!existsSync(cacheFile)) {
         logger.debug(`Release cache not found for key: ${key}`);
         return null;
       }
-      const content = await readFile2(cacheFile, "utf-8");
+      const content = await readFile(cacheFile, "utf-8");
       const parsed = JSON.parse(content);
       const cacheEntry = ReleaseCacheEntrySchema.parse(parsed);
       if (this.isExpired(cacheEntry.timestamp)) {
@@ -13525,12 +13358,12 @@ class ReleaseCache {
   async set(key, releases) {
     const cacheFile = this.getCachePath(key);
     try {
-      await mkdir2(this.cacheDir, { recursive: true, mode: 448 });
+      await mkdir(this.cacheDir, { recursive: true, mode: 448 });
       const cacheEntry = {
         timestamp: Date.now(),
         releases
       };
-      await writeFile2(cacheFile, JSON.stringify(cacheEntry, null, 2), "utf-8");
+      await writeFile(cacheFile, JSON.stringify(cacheEntry, null, 2), "utf-8");
       logger.debug(`Release cache set for key: ${key}, cached ${releases.length} releases`);
     } catch (error) {
       logger.debug(`Failed to set release cache for key ${key}: ${error}`);
@@ -13540,7 +13373,7 @@ class ReleaseCache {
     if (key) {
       const cacheFile = this.getCachePath(key);
       try {
-        if (existsSync2(cacheFile)) {
+        if (existsSync(cacheFile)) {
           await unlink(cacheFile);
           logger.debug(`Release cache cleared for key: ${key}`);
         }
@@ -13850,50 +13683,57 @@ class GitHubClient {
       });
       return GitHubReleaseSchema.parse(data);
     } catch (error) {
-      if (error?.status === 404) {
-        throw new GitHubError(`Cannot access ${kit.name} repository.
+      return this.handleHttpError(error, {
+        kit,
+        operation: "fetch release",
+        verboseFlag: "ck new --verbose"
+      });
+    }
+  }
+  async invalidateAuth() {
+    await AuthManager.clearToken();
+    this.octokit = null;
+    logger.debug("Invalidated cached authentication due to 401 error");
+  }
+  async handleHttpError(error, context) {
+    const { kit, operation, verboseFlag = "ck new --verbose" } = context;
+    if (error?.status === 401) {
+      await this.invalidateAuth();
+      throw new GitHubError(`Authentication failed.
 
-Possible causes:
-  • You haven't accepted the GitHub repository invitation
-  • Your token lacks the 'repo' scope (needs full private repo access)
-  • You're not added as a collaborator yet
-  • Repository doesn't exist
+Your GitHub CLI session may have expired.
 
-Solutions:
-  1. Check email for GitHub invitation and accept it
-  2. Use 'gh auth login' for automatic authentication (recommended)
-  3. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-  4. Wait 2-5 minutes after accepting invitation for permissions to sync
+Solution: Re-authenticate with GitHub CLI
+  gh auth login
 
-Need help? Run with: ck new --verbose`, 404);
-      }
-      if (error?.status === 401) {
-        throw new GitHubError(`Authentication failed - token is invalid or expired.
+Need help? Run with: ${verboseFlag}`, 401);
+    }
+    if (error?.status === 403) {
+      throw new GitHubError(`Access forbidden.
 
-` + `Solutions:
-` + `  1. Use GitHub CLI (recommended): gh auth login
-` + `  2. Create new token: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Verify token format (should start with 'ghp_' or 'github_pat_')
-` + `  4. Check token is set: echo $GITHUB_TOKEN
+Your GitHub CLI session may lack required permissions.
 
-` + "Need help? Run with: ck new --verbose", 401);
-      }
-      if (error?.status === 403) {
-        throw new GitHubError(`Access forbidden - token lacks required permissions.
+Solution: Re-authenticate with GitHub CLI
+  gh auth login
 
-` + `Your token needs the 'repo' scope for private repositories.
+Need help? Run with: ${verboseFlag}`, 403);
+    }
+    if (error?.status === 404) {
+      throw new GitHubError(`Cannot access ${kit.name} repository.
 
-` + `Solutions:
-` + `  1. Use GitHub CLI (handles scopes automatically): gh auth login
-` + `  2. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Check existing token scopes: https://github.com/settings/tokens
+Possible causes:
+  • You haven't accepted the GitHub repository invitation
+  • You're not added as a collaborator yet
+  • Repository doesn't exist
 
-` + `Common mistake: Using 'public_repo' scope doesn't work for private repos.
+Solutions:
+  1. Check email for GitHub invitation and accept it
+  2. Re-authenticate: gh auth login
+  3. Wait 2-5 minutes after accepting invitation for permissions to sync
 
-` + "Need help? Run with: ck new --verbose", 403);
-      }
-      throw new GitHubError(`Failed to fetch release: ${error?.message || "Unknown error"}`, error?.status);
+Need help? Run with: ${verboseFlag}`, 404);
     }
+    throw new GitHubError(`Failed to ${operation}: ${error?.message || "Unknown error"}`, error?.status);
   }
   async getReleaseByTag(kit, tag) {
     try {
@@ -13912,40 +13752,19 @@ Need help? Run with: ck new --verbose`, 404);
 Possible causes:
   • Release version doesn't exist (check: ck versions --kit ${kit.name.toLowerCase()})
   • You don't have repository access
-  • Your token lacks the 'repo' scope
 
 Solutions:
   1. List available versions: ck versions --kit ${kit.name.toLowerCase()}
   2. Check email for GitHub invitation and accept it
-  3. Use 'gh auth login' for automatic authentication
-  4. Recreate token: https://github.com/settings/tokens/new?scopes=repo
+  3. Re-authenticate: gh auth login
 
 Need help? Run with: ck new --verbose`, 404);
       }
-      if (error?.status === 401) {
-        throw new GitHubError(`Authentication failed - token is invalid or expired.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (recommended): gh auth login
-` + `  2. Create new token: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Verify token format (should start with 'ghp_' or 'github_pat_')
-` + `  4. Check token is set: echo $GITHUB_TOKEN
-
-` + "Need help? Run with: ck new --verbose", 401);
-      }
-      if (error?.status === 403) {
-        throw new GitHubError(`Access forbidden - token lacks required permissions.
-
-` + `Your token needs the 'repo' scope for private repositories.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (handles scopes automatically): gh auth login
-` + `  2. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Check existing token scopes: https://github.com/settings/tokens
-
-` + "Need help? Run with: ck new --verbose", 403);
-      }
-      throw new GitHubError(`Failed to fetch release: ${error?.message || "Unknown error"}`, error?.status);
+      return this.handleHttpError(error, {
+        kit,
+        operation: "fetch release",
+        verboseFlag: "ck new --verbose"
+      });
     }
   }
   async listReleases(kit, limit = 10) {
@@ -13959,40 +13778,11 @@ Need help? Run with: ck new --verbose`, 404);
       });
       return data.map((release) => GitHubReleaseSchema.parse(release));
     } catch (error) {
-      if (error?.status === 401) {
-        throw new GitHubError(`Authentication failed - token is invalid or expired.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (recommended): gh auth login
-` + `  2. Create new token: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Verify token format (should start with 'ghp_' or 'github_pat_')
-
-` + "Need help? Run with: ck versions --verbose", 401);
-      }
-      if (error?.status === 403) {
-        throw new GitHubError(`Access forbidden - token lacks required permissions.
-
-` + `Your token needs the 'repo' scope for private repositories.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (handles scopes automatically): gh auth login
-` + `  2. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-
-` + "Need help? Run with: ck versions --verbose", 403);
-      }
-      if (error?.status === 404) {
-        throw new GitHubError(`Cannot access ${kit.name} repository.
-
-You may not have been added as a collaborator yet.
-
-Solutions:
-  1. Check email for GitHub invitation and accept it
-  2. Contact support to verify repository access
-  3. Use 'gh auth login' for automatic authentication
-
-Need help? Run with: ck versions --verbose`, 404);
-      }
-      throw new GitHubError(`Failed to list releases: ${error?.message || "Unknown error"}`, error?.status);
+      return this.handleHttpError(error, {
+        kit,
+        operation: "list releases",
+        verboseFlag: "ck versions --verbose"
+      });
     }
   }
   async checkAccess(kit) {
@@ -14009,45 +13799,22 @@ Need help? Run with: ck versions --verbose`, 404);
 
 Possible causes:
   • You haven't accepted the GitHub repository invitation
-  • Your token lacks the 'repo' scope (needs full private repo access)
   • You're not added as a collaborator yet
-  • Token belongs to a different GitHub account
+  • You're logged into a different GitHub account
 
 Solutions:
   1. Check email for GitHub invitation and accept it
-  2. Use 'gh auth login' for automatic authentication (recommended)
-  3. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-  4. Verify you're using the correct GitHub account
-  5. Wait 2-5 minutes after accepting invitation for permissions to sync
+  2. Re-authenticate: gh auth login
+  3. Verify you're using the correct GitHub account
+  4. Wait 2-5 minutes after accepting invitation for permissions to sync
 
 Need help? Run with: ck new --verbose`, 404);
       }
-      if (error?.status === 403) {
-        throw new GitHubError(`Access forbidden - token lacks required permissions.
-
-` + `Your token needs the 'repo' scope for private repositories.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (handles scopes automatically): gh auth login
-` + `  2. Recreate token with 'repo' scope: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Check existing token scopes: https://github.com/settings/tokens
-
-` + `Common mistake: Using 'public_repo' scope doesn't work for private repos.
-
-` + "Need help? Run with: ck new --verbose", 403);
-      }
-      if (error?.status === 401) {
-        throw new GitHubError(`Authentication failed - token is invalid or expired.
-
-` + `Solutions:
-` + `  1. Use GitHub CLI (recommended): gh auth login
-` + `  2. Create new token: https://github.com/settings/tokens/new?scopes=repo
-` + `  3. Verify token format (should start with 'ghp_' or 'github_pat_')
-` + `  4. Check token is set: echo $GITHUB_TOKEN
-
-` + "Need help? Run with: ck new --verbose", 401);
-      }
-      throw new GitHubError(`Failed to check repository access: ${error?.message || "Unknown error"}`, error?.status);
+      return this.handleHttpError(error, {
+        kit,
+        operation: "check repository access",
+        verboseFlag: "ck new --verbose"
+      });
     }
   }
   async listReleasesWithCache(kit, options = {}) {
@@ -14174,18 +13941,18 @@ import { promisify } from "node:util";
 var execAsync = promisify(exec);
 var isCIEnvironment = process.env.CI === "true" || process.env.CI_SAFE_MODE === "true";
 function getOSInfo() {
-  const platform3 = process.platform;
+  const platform2 = process.platform;
   const arch = process.arch;
-  const isWindows = platform3 === "win32";
-  const isMacOS = platform3 === "darwin";
-  const isLinux = platform3 === "linux";
+  const isWindows = platform2 === "win32";
+  const isMacOS = platform2 === "darwin";
+  const isLinux = platform2 === "linux";
   const isWSL = isLinux && process.env.WSL_DISTRO_NAME !== undefined;
-  let details = `${platform3}-${arch}`;
+  let details = `${platform2}-${arch}`;
   if (isWSL) {
     details += ` (WSL: ${process.env.WSL_DISTRO_NAME})`;
   }
   return {
-    platform: platform3,
+    platform: platform2,
     arch,
     isWindows,
     isMacOS,
@@ -14462,68 +14229,40 @@ function checkEnvironmentVariables() {
   const githubToken = process.env.GITHUB_TOKEN;
   const ghToken = process.env.GH_TOKEN;
   if (githubToken || ghToken) {
-    const tokenToCheck = githubToken || ghToken;
     const tokenVar = githubToken ? "GITHUB_TOKEN" : "GH_TOKEN";
-    if (!tokenToCheck?.startsWith("ghp_") && !tokenToCheck?.startsWith("github_pat_")) {
-      return {
-        name: "Environment Variables",
-        status: "fail",
-        message: `${tokenVar} is set but has invalid format`,
-        details: "Token should start with 'ghp_' or 'github_pat_'",
-        suggestion: "Create new token: https://github.com/settings/tokens/new?scopes=repo"
-      };
-    }
     return {
       name: "Environment Variables",
-      status: "pass",
-      message: `${tokenVar} is set and has valid format`,
-      details: `Token: ${tokenToCheck.substring(0, 8)}...`
+      status: "info",
+      message: `${tokenVar} is set but PAT authentication is no longer supported`,
+      details: "ClaudeKit now uses GitHub CLI exclusively for authentication",
+      suggestion: "Run: gh auth login"
     };
   }
   return {
     name: "Environment Variables",
     status: "info",
-    message: "No GitHub token found in environment variables",
-    details: "GITHUB_TOKEN or GH_TOKEN not set",
-    suggestion: `Set token:
-` + `   • Unix/Mac: export GITHUB_TOKEN=ghp_xxx
-` + "   • Windows: [System.Environment]::SetEnvironmentVariable('GITHUB_TOKEN', 'ghp_xxx', 'User')"
+    message: "No GitHub token found in environment variables (expected)",
+    details: "ClaudeKit uses GitHub CLI for authentication"
   };
 }
 async function checkAuthentication() {
   try {
-    const { token, method } = await AuthManager.getToken();
-    const methodLabels = {
-      "gh-cli": "GitHub CLI",
-      "env-var": "Environment Variable",
-      keychain: "OS Keychain",
-      prompt: "User Prompt"
-    };
-    if (!AuthManager.isValidTokenFormat(token)) {
-      return {
-        name: "Authentication",
-        status: "fail",
-        message: "Token has invalid format",
-        details: "Token should start with 'ghp_' or 'github_pat_'",
-        suggestion: "Create new token: https://github.com/settings/tokens/new?scopes=repo"
-      };
-    }
+    const { token } = await AuthManager.getToken();
     return {
       name: "Authentication",
       status: "pass",
-      message: `Successfully authenticated via ${methodLabels[method]}`,
+      message: "Successfully authenticated via GitHub CLI",
       details: `Token: ${token.substring(0, 8)}...`
     };
   } catch (error) {
     return {
       name: "Authentication",
       status: "fail",
-      message: "Failed to obtain authentication token",
+      message: "GitHub CLI authentication required",
       details: error?.message || "Unknown error",
-      suggestion: `Options:
-` + `   1. Use GitHub CLI: gh auth login
-` + `   2. Set GITHUB_TOKEN environment variable
-` + "   3. Create token: https://github.com/settings/tokens/new?scopes=repo"
+      suggestion: `To authenticate:
+` + `   1. Install GitHub CLI: https://cli.github.com
+` + "   2. Run: gh auth login"
     };
   }
 }
@@ -14552,7 +14291,7 @@ async function checkRepositoryAccess(kit) {
       message: `Cannot access ${kitConfig.owner}/${kitConfig.repo}`,
       suggestion: `Solutions:
 ` + `   1. Check email for GitHub invitation and accept it
-` + `   2. Verify token has 'repo' scope (not just 'public_repo')
+` + `   2. Re-authenticate: gh auth login
 ` + `   3. Wait 2-5 minutes after accepting invitation
 ` + "   4. Contact support if issue persists"
     };
@@ -14563,9 +14302,9 @@ async function checkRepositoryAccess(kit) {
       message: "Failed to check repository access",
       details: error?.message || "Unknown error",
       suggestion: `Possible causes:
-` + `   • Token lacks 'repo' scope
 ` + `   • You haven't been added as collaborator
-` + "   • Network connectivity issues"
+` + `   • Network connectivity issues
+` + "   • Try: gh auth login"
     };
   }
 }
@@ -14633,7 +14372,7 @@ function checkSystemInfo() {
 
 // src/commands/doctor.ts
 init_dist2();
-import { existsSync as existsSync4 } from "node:fs";
+import { existsSync as existsSync3 } from "node:fs";
 import { join as join4 } from "node:path";
 
 // src/utils/claudekit-scanner.ts
@@ -14732,16 +14471,16 @@ import { promisify as promisify2 } from "node:util";
 init_logger();
 var execAsync2 = promisify2(exec2);
 async function detectOS() {
-  const platform3 = process.platform;
-  const info = { platform: platform3 };
-  if (platform3 === "darwin") {
+  const platform2 = process.platform;
+  const info = { platform: platform2 };
+  if (platform2 === "darwin") {
     try {
       await execAsync2("which brew");
       info.hasHomebrew = true;
     } catch {
       info.hasHomebrew = false;
     }
-  } else if (platform3 === "linux") {
+  } else if (platform2 === "linux") {
     try {
       if (fs.existsSync("/etc/os-release")) {
         const content = fs.readFileSync("/etc/os-release", "utf-8");
@@ -15013,14 +14752,14 @@ function getManualInstructions(dependency, osInfo) {
 init_environment();
 init_logger();
 function checkSkillsInstallation() {
-  const platform3 = process.platform;
-  const scriptName = platform3 === "win32" ? "install.ps1" : "install.sh";
+  const platform2 = process.platform;
+  const scriptName = platform2 === "win32" ? "install.ps1" : "install.sh";
   const globalSkillsDir = join4(PathResolver.getGlobalKitDir(), "skills");
   const globalScriptPath = join4(globalSkillsDir, scriptName);
-  const globalAvailable = existsSync4(globalScriptPath);
+  const globalAvailable = existsSync3(globalScriptPath);
   const projectSkillsDir = join4(process.cwd(), ".claude", "skills");
   const projectScriptPath = join4(projectSkillsDir, scriptName);
-  const projectAvailable = existsSync4(projectScriptPath);
+  const projectAvailable = existsSync3(projectScriptPath);
   return {
     global: {
       available: globalAvailable,
@@ -15292,7 +15031,7 @@ import { join as join22, resolve as resolve4 } from "node:path";
 // src/lib/commands-prefix.ts
 init_logger();
 var import_fs_extra3 = __toESM(require_lib(), 1);
-import { lstat, mkdir as mkdir3, readdir as readdir2, stat as stat2 } from "node:fs/promises";
+import { lstat, mkdir as mkdir2, readdir as readdir2, stat as stat2 } from "node:fs/promises";
 import { join as join6 } from "node:path";
 
 // src/utils/manifest-writer.ts
@@ -15451,8 +15190,11 @@ class OwnershipChecker {
       const hash = createHash("sha256");
       const stream = createReadStream(filePath);
       stream.on("data", (chunk) => hash.update(chunk));
-      stream.on("end", () => resolve(hash.digest("hex")));
+      stream.on("end", () => {
+        resolve(hash.digest("hex"));
+      });
       stream.on("error", (err) => {
+        stream.destroy();
         reject(new Error(`Failed to calculate checksum for "${filePath}": ${err.message}`));
       });
     });
@@ -15696,9 +15438,9 @@ class CommandsPrefix {
       }
       await import_fs_extra3.copy(commandsDir, backupDir);
       logger.verbose("Created backup of commands directory");
-      await mkdir3(tempDir, { recursive: true });
+      await mkdir2(tempDir, { recursive: true });
       const ckDir = join6(tempDir, "ck");
-      await mkdir3(ckDir, { recursive: true });
+      await mkdir2(ckDir, { recursive: true });
       let processedCount = 0;
       for (const entry of entries) {
         const sourcePath = join6(commandsDir, entry);
@@ -15774,9 +15516,9 @@ class CommandsPrefix {
     }
     const metadata = await ManifestWriter.readManifest(claudeDir);
     if (!metadata || !metadata.files || metadata.files.length === 0) {
-      logger.warning("No ownership metadata found - aborting cleanup for safety");
-      logger.warning("Run 'ck init' to migrate legacy installation first");
-      throw new Error("Cannot cleanup without ownership metadata (legacy install detected)");
+      logger.verbose("No ownership metadata found - skipping cleanup (legacy/fresh install)");
+      logger.verbose("All existing files will be preserved as user-owned");
+      return result;
     }
     const entries = await readdir2(commandsDir);
     if (entries.length === 0) {
@@ -15972,7 +15714,7 @@ var import_ignore = __toESM(require_ignore(), 1);
 import { Buffer as Buffer3 } from "node:buffer";
 import { execFile } from "node:child_process";
 import { createWriteStream as createWriteStream2 } from "node:fs";
-import { mkdir as mkdir5 } from "node:fs/promises";
+import { mkdir as mkdir4 } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join as join8, relative as relative2, resolve } from "node:path";
 import { TextDecoder } from "node:util";
@@ -19273,8 +19015,8 @@ class Minipass3 extends EventEmitter4 {
 }
 
 // node_modules/tar/dist/esm/normalize-windows-path.js
-var platform3 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
-var normalizeWindowsPath = platform3 !== "win32" ? (p) => p : (p) => p && p.replace(/\\/g, "/");
+var platform2 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
+var normalizeWindowsPath = platform2 !== "win32" ? (p) => p : (p) => p && p.replace(/\\/g, "/");
 
 // node_modules/tar/dist/esm/read-entry.js
 class ReadEntry extends Minipass3 {
@@ -21472,8 +21214,8 @@ import path6 from "node:path";
 
 // node_modules/tar/dist/esm/get-write-flag.js
 import fs6 from "fs";
-var platform4 = process.env.__FAKE_PLATFORM__ || process.platform;
-var isWindows2 = platform4 === "win32";
+var platform3 = process.env.__FAKE_PLATFORM__ || process.platform;
+var isWindows2 = platform3 === "win32";
 var { O_CREAT, O_TRUNC, O_WRONLY } = fs6.constants;
 var UV_FS_O_FILEMAP = Number(process.env.__FAKE_FS_O_FILENAME__) || fs6.constants.UV_FS_O_FILEMAP || 0;
 var fMapEnabled = isWindows2 && !!UV_FS_O_FILEMAP;
@@ -21604,7 +21346,7 @@ var checkCwd = (dir, cb) => {
     cb(er);
   });
 };
-var mkdir4 = (dir, opt, cb) => {
+var mkdir3 = (dir, opt, cb) => {
   dir = normalizeWindowsPath(dir);
   const umask = opt.umask ?? 18;
   const mode = opt.mode | 448;
@@ -21764,8 +21506,8 @@ var normalizeUnicode = (s) => {
 };
 
 // node_modules/tar/dist/esm/path-reservations.js
-var platform5 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
-var isWindows3 = platform5 === "win32";
+var platform4 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
+var isWindows3 = platform4 === "win32";
 var getDirs = (path6) => {
   const dirs = path6.split("/").slice(0, -1).reduce((set, path7) => {
     const s = set[set.length - 1];
@@ -21911,8 +21653,8 @@ var DOCHOWN = Symbol("doChown");
 var UID = Symbol("uid");
 var GID = Symbol("gid");
 var CHECKED_CWD = Symbol("checkedCwd");
-var platform6 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
-var isWindows4 = platform6 === "win32";
+var platform5 = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
+var isWindows4 = platform5 === "win32";
 var DEFAULT_MAX_DEPTH = 1024;
 var unlinkFile = (path7, cb) => {
   if (!isWindows4) {
@@ -22127,7 +21869,7 @@ class Unpack extends Parser {
     }
   }
   [MKDIR](dir, mode, cb) {
-    mkdir4(normalizeWindowsPath(dir), {
+    mkdir3(normalizeWindowsPath(dir), {
       uid: this.uid,
       gid: this.gid,
       processUid: this.processUid,
@@ -25944,7 +25686,7 @@ class DownloadManager {
   async downloadAsset(asset, destDir) {
     try {
       const destPath = join8(destDir, asset.name);
-      await mkdir5(destDir, { recursive: true });
+      await mkdir4(destDir, { recursive: true });
       logger.info(`Downloading ${asset.name} (${this.formatBytes(asset.size)})...`);
       const progressBar = new import_cli_progress.default.SingleBar({
         format: "Progress |{bar}| {percentage}% | {value}/{total} MB",
@@ -25994,7 +25736,7 @@ class DownloadManager {
   async downloadFile(params) {
     const { url, name: name2, size, destDir, token } = params;
     const destPath = join8(destDir, name2);
-    await mkdir5(destDir, { recursive: true });
+    await mkdir4(destDir, { recursive: true });
     logger.info(`Downloading ${name2}${size ? ` (${this.formatBytes(size)})` : ""}...`);
     const headers = {};
     if (token && url.includes("api.github.com")) {
@@ -26058,7 +25800,7 @@ class DownloadManager {
     try {
       this.resetExtractionSize();
       const detectedType = archiveType || this.detectArchiveType(archivePath);
-      await mkdir5(destDir, { recursive: true });
+      await mkdir4(destDir, { recursive: true });
       if (detectedType === "tar.gz") {
         await this.extractTarGz(archivePath, destDir);
       } else if (detectedType === "zip") {
@@ -26311,7 +26053,7 @@ class DownloadManager {
     const timestamp = Date.now();
     const primaryTempDir = join8(tmpdir(), `claudekit-${timestamp}`);
     try {
-      await mkdir5(primaryTempDir, { recursive: true });
+      await mkdir4(primaryTempDir, { recursive: true });
       logger.debug(`Created temp directory: ${primaryTempDir}`);
       return primaryTempDir;
     } catch (primaryError) {
@@ -26327,7 +26069,7 @@ Solutions:
       }
       const fallbackTempDir = join8(homeDir, ".claudekit", "tmp", `claudekit-${timestamp}`);
       try {
-        await mkdir5(fallbackTempDir, { recursive: true });
+        await mkdir4(fallbackTempDir, { recursive: true });
         logger.debug(`Created temp directory (fallback): ${fallbackTempDir}`);
         logger.warning(`Using fallback temp directory: ${fallbackTempDir}
   (OS temp directory was not accessible)`);
@@ -26396,10 +26138,10 @@ async function handleFreshInstallation(claudeDir, prompts) {
 
 // src/lib/global-path-transformer.ts
 init_logger();
-import { readFile as readFile5, readdir as readdir3, writeFile as writeFile4 } from "node:fs/promises";
-import { platform as platform7 } from "node:os";
+import { readFile as readFile4, readdir as readdir3, writeFile as writeFile3 } from "node:fs/promises";
+import { platform as platform6 } from "node:os";
 import { extname, join as join10 } from "node:path";
-var IS_WINDOWS = platform7() === "win32";
+var IS_WINDOWS = platform6() === "win32";
 var HOME_PREFIX = IS_WINDOWS ? "%USERPROFILE%" : "$HOME";
 function getHomeDirPrefix() {
   return HOME_PREFIX;
@@ -26498,10 +26240,10 @@ async function transformPathsForGlobalInstall(directory, options = {}) {
         await processDirectory(fullPath);
       } else if (entry.isFile() && shouldTransformFile(entry.name)) {
         try {
-          const content = await readFile5(fullPath, "utf-8");
+          const content = await readFile4(fullPath, "utf-8");
           const { transformed, changes } = transformContent(content);
           if (changes > 0) {
-            await writeFile4(fullPath, transformed, "utf-8");
+            await writeFile3(fullPath, transformed, "utf-8");
             filesTransformed++;
             totalChanges += changes;
             if (options.verbose) {
@@ -29076,7 +28818,7 @@ init_types2();
 init_logger();
 var import_fs_extra10 = __toESM(require_lib(), 1);
 import { createHash as createHash2 } from "node:crypto";
-import { readFile as readFile9, readdir as readdir6, writeFile as writeFile8 } from "node:fs/promises";
+import { readFile as readFile8, readdir as readdir6, writeFile as writeFile7 } from "node:fs/promises";
 import { join as join16, relative as relative5 } from "node:path";
 
 class SkillsManifestManager {
@@ -29100,7 +28842,7 @@ class SkillsManifestManager {
   }
   static async writeManifest(skillsDir, manifest) {
     const manifestPath = join16(skillsDir, SkillsManifestManager.MANIFEST_FILENAME);
-    await writeFile8(manifestPath, JSON.stringify(manifest, null, 2), "utf-8");
+    await writeFile7(manifestPath, JSON.stringify(manifest, null, 2), "utf-8");
     logger.debug(`Wrote manifest to: ${manifestPath}`);
   }
   static async readManifest(skillsDir) {
@@ -29110,7 +28852,7 @@ class SkillsManifestManager {
       return null;
     }
     try {
-      const content = await readFile9(manifestPath, "utf-8");
+      const content = await readFile8(manifestPath, "utf-8");
       const data = JSON.parse(content);
       const manifest = SkillsManifestSchema.parse(data);
       logger.debug(`Read manifest from: ${manifestPath}`);
@@ -29182,7 +28924,7 @@ class SkillsManifestManager {
     files.sort();
     for (const file of files) {
       const relativePath = relative5(dirPath, file);
-      const content = await readFile9(file);
+      const content = await readFile8(file);
       hash.update(relativePath);
       hash.update(content);
     }
@@ -29478,14 +29220,14 @@ class SkillsMigrationDetector {
 init_types2();
 init_logger();
 var import_fs_extra14 = __toESM(require_lib(), 1);
-import { copyFile as copyFile2, mkdir as mkdir7, readdir as readdir10, rm as rm2 } from "node:fs/promises";
+import { copyFile as copyFile2, mkdir as mkdir6, readdir as readdir10, rm as rm2 } from "node:fs/promises";
 import { join as join20 } from "node:path";
 
 // src/lib/skills-backup-manager.ts
 init_types2();
 init_logger();
 var import_fs_extra12 = __toESM(require_lib(), 1);
-import { copyFile, mkdir as mkdir6, readdir as readdir8, rm, stat as stat4 } from "node:fs/promises";
+import { copyFile, mkdir as mkdir5, readdir as readdir8, rm, stat as stat4 } from "node:fs/promises";
 import { basename as basename2, join as join18, normalize as normalize2 } from "node:path";
 function validatePath2(path9, paramName) {
   if (!path9 || typeof path9 !== "string") {
@@ -29515,7 +29257,7 @@ class SkillsBackupManager {
     const backupDir = parentDir ? join18(parentDir, backupDirName) : join18(skillsDir, "..", backupDirName);
     logger.info(`Creating backup at: ${backupDir}`);
     try {
-      await mkdir6(backupDir, { recursive: true });
+      await mkdir5(backupDir, { recursive: true });
       await SkillsBackupManager.copyDirectory(skillsDir, backupDir);
       logger.success("Backup created successfully");
       return backupDir;
@@ -29537,7 +29279,7 @@ class SkillsBackupManager {
       if (await import_fs_extra12.pathExists(targetDir)) {
         await rm(targetDir, { recursive: true, force: true });
       }
-      await mkdir6(targetDir, { recursive: true });
+      await mkdir5(targetDir, { recursive: true });
       await SkillsBackupManager.copyDirectory(backupDir, targetDir);
       logger.success("Backup restored successfully");
     } catch (error2) {
@@ -29597,7 +29339,7 @@ class SkillsBackupManager {
         continue;
       }
       if (entry.isDirectory()) {
-        await mkdir6(destPath, { recursive: true });
+        await mkdir5(destPath, { recursive: true });
         await SkillsBackupManager.copyDirectory(sourcePath, destPath);
       } else if (entry.isFile()) {
         await copyFile(sourcePath, destPath);
@@ -29638,7 +29380,7 @@ init_logger();
 var import_fs_extra13 = __toESM(require_lib(), 1);
 import { createHash as createHash3 } from "node:crypto";
 import { createReadStream as createReadStream2 } from "node:fs";
-import { readFile as readFile10, readdir as readdir9 } from "node:fs/promises";
+import { readFile as readFile9, readdir as readdir9 } from "node:fs/promises";
 import { join as join19, normalize as normalize3, relative as relative6 } from "node:path";
 function validatePath3(path9, paramName) {
   if (!path9 || typeof path9 !== "string") {
@@ -29851,8 +29593,13 @@ class SkillsCustomizationScanner {
       const hash = createHash3("sha256");
       const stream = createReadStream2(filePath);
       stream.on("data", (chunk) => hash.update(chunk));
-      stream.on("end", () => resolve2(hash.digest("hex")));
-      stream.on("error", (error2) => reject(error2));
+      stream.on("end", () => {
+        resolve2(hash.digest("hex"));
+      });
+      stream.on("error", (error2) => {
+        stream.destroy();
+        reject(error2);
+      });
     });
   }
   static async hashDirectory(dirPath) {
@@ -29861,7 +29608,7 @@ class SkillsCustomizationScanner {
     files.sort();
     for (const file of files) {
       const relativePath = relative6(dirPath, file);
-      const content = await readFile10(file);
+      const content = await readFile9(file);
       hash.update(relativePath);
       hash.update(content);
     }
@@ -30124,7 +29871,7 @@ class SkillsMigrator {
     const preserved = [];
     const errors2 = [];
     const tempDir = join20(currentSkillsDir, "..", ".skills-migration-temp");
-    await mkdir7(tempDir, { recursive: true });
+    await mkdir6(tempDir, { recursive: true });
     try {
       for (const mapping of mappings) {
         try {
@@ -30146,7 +29893,7 @@ class SkillsMigrator {
           const category = mapping.category;
           const targetPath = category ? join20(tempDir, category, skillName) : join20(tempDir, skillName);
           if (category) {
-            await mkdir7(join20(tempDir, category), { recursive: true });
+            await mkdir6(join20(tempDir, category), { recursive: true });
           }
           await SkillsMigrator.copySkillDirectory(currentSkillPath, targetPath);
           migrated.push(skillName);
@@ -30165,7 +29912,7 @@ class SkillsMigrator {
         }
       }
       await rm2(currentSkillsDir, { recursive: true, force: true });
-      await mkdir7(currentSkillsDir, { recursive: true });
+      await mkdir6(currentSkillsDir, { recursive: true });
       await SkillsMigrator.copySkillDirectory(tempDir, currentSkillsDir);
       await rm2(tempDir, { recursive: true, force: true });
       return { migrated, preserved, errors: errors2 };
@@ -30177,7 +29924,7 @@ class SkillsMigrator {
     }
   }
   static async copySkillDirectory(sourceDir, destDir) {
-    await mkdir7(destDir, { recursive: true });
+    await mkdir6(destDir, { recursive: true });
     const entries = await readdir10(sourceDir, { withFileTypes: true });
     for (const entry of entries) {
       const sourcePath = join20(sourceDir, entry.name);
@@ -30196,6 +29943,83 @@ class SkillsMigrator {
 
 // src/commands/init.ts
 init_types2();
+
+// src/utils/config.ts
+init_types2();
+init_logger();
+import { existsSync as existsSync4 } from "node:fs";
+import { mkdir as mkdir7, readFile as readFile10, writeFile as writeFile8 } from "node:fs/promises";
+import { chmod } from "node:fs/promises";
+import { platform as platform7 } from "node:os";
+class ConfigManager {
+  static config = null;
+  static globalFlag = false;
+  static setGlobalFlag(global3) {
+    ConfigManager.globalFlag = global3;
+    ConfigManager.config = null;
+  }
+  static getGlobalFlag() {
+    return ConfigManager.globalFlag;
+  }
+  static async load() {
+    if (ConfigManager.config) {
+      return ConfigManager.config;
+    }
+    const configFile = PathResolver.getConfigFile(ConfigManager.globalFlag);
+    try {
+      if (existsSync4(configFile)) {
+        const content = await readFile10(configFile, "utf-8");
+        const data = JSON.parse(content);
+        ConfigManager.config = ConfigSchema.parse(data);
+        logger.debug(`Config loaded from ${configFile}`);
+        return ConfigManager.config;
+      }
+    } catch (error2) {
+      logger.warning(`Failed to load config: ${error2 instanceof Error ? error2.message : "Unknown error"}`);
+    }
+    ConfigManager.config = { defaults: {} };
+    return ConfigManager.config;
+  }
+  static async save(config) {
+    try {
+      const validConfig = ConfigSchema.parse(config);
+      const configDir = PathResolver.getConfigDir(ConfigManager.globalFlag);
+      const configFile = PathResolver.getConfigFile(ConfigManager.globalFlag);
+      if (!existsSync4(configDir)) {
+        await mkdir7(configDir, { recursive: true });
+        if (platform7() !== "win32") {
+          await chmod(configDir, 448);
+        }
+      }
+      await writeFile8(configFile, JSON.stringify(validConfig, null, 2), "utf-8");
+      if (platform7() !== "win32") {
+        await chmod(configFile, 384);
+      }
+      ConfigManager.config = validConfig;
+      logger.debug(`Config saved to ${configFile}`);
+    } catch (error2) {
+      throw new Error(`Failed to save config: ${error2 instanceof Error ? error2.message : "Unknown error"}`);
+    }
+  }
+  static async get() {
+    return ConfigManager.load();
+  }
+  static async set(key, value) {
+    const config = await ConfigManager.load();
+    const keys = key.split(".");
+    let current = config;
+    for (let i = 0;i < keys.length - 1; i++) {
+      if (!(keys[i] in current)) {
+        current[keys[i]] = {};
+      }
+      current = current[keys[i]];
+    }
+    current[keys[keys.length - 1]] = value;
+    await ConfigManager.save(config);
+  }
+}
+
+// src/commands/init.ts
 init_environment();
 
 // src/utils/file-scanner.ts
@@ -31076,7 +30900,7 @@ import { promisify as promisify5 } from "node:util";
 // package.json
 var package_default2 = {
   name: "claudekit-cli",
-  version: "2.6.0",
+  version: "3.0.1",
   description: "CLI tool for bootstrapping and updating ClaudeKit projects",
   type: "module",
   repository: {
@@ -32094,9 +31918,6 @@ var MetadataSchema2 = exports_external.object({
   files: exports_external.array(TrackedFileSchema2).optional()
 });
 var ConfigSchema2 = exports_external.object({
-  github: exports_external.object({
-    token: exports_external.string().optional()
-  }).optional(),
   defaults: exports_external.object({
     kit: KitType2.optional(),
     dir: exports_external.string().optional()