cli4ai 1.2.0 → 1.2.1

package/src/core/config.ts

@@ -1,845 +0,0 @@
-/**
- * Global cli4ai configuration (~/.cli4ai/)
- */
-
-import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, lstatSync, realpathSync, openSync, closeSync, unlinkSync, renameSync } from 'fs';
-import { resolve, join, normalize } from 'path';
-import { homedir } from 'os';
-import { outputError, log } from '../lib/cli.js';
-
-// ═══════════════════════════════════════════════════════════════════════════
-// SECURITY: Symlink validation
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Safe directories that symlinks are allowed to point to.
- * This prevents symlink attacks pointing to sensitive system directories.
- */
-const SAFE_SYMLINK_PREFIXES = [
-  homedir(),           // User's home directory
-  '/tmp',              // Temp directory
-  '/var/tmp',          // Var temp
-  '/private/tmp',      // macOS temp
-  process.cwd(),       // Current working directory
-];
-
-/**
- * Validate that a symlink target is within safe boundaries.
- * Returns the resolved real path if safe, null if unsafe.
- */
-function validateSymlinkTarget(symlinkPath: string): string | null {
-  try {
-    const stat = lstatSync(symlinkPath);
-    if (!stat.isSymbolicLink()) {
-      // Not a symlink, return the path as-is
-      return symlinkPath;
-    }
-
-    // Resolve the real path (follows all symlinks)
-    const realPath = realpathSync(symlinkPath);
-    const normalizedRealPath = normalize(realPath);
-
-    // Check if the real path is within a safe prefix
-    const isSafe = SAFE_SYMLINK_PREFIXES.some(prefix => {
-      const normalizedPrefix = normalize(prefix);
-      return normalizedRealPath.startsWith(normalizedPrefix + '/') ||
-             normalizedRealPath === normalizedPrefix;
-    });
-
-    if (!isSafe) {
-      console.error(`Warning: Symlink ${symlinkPath} points to ${realPath} which is outside safe directories. Skipping.`);
-      return null;
-    }
-
-    return realPath;
-  } catch (err) {
-    // Broken symlink or permission error
-    return null;
-  }
-}
-
-/**
- * Check if a path is safe to use (not a malicious symlink)
- */
-export function isPathSafe(path: string): boolean {
-  return validateSymlinkTarget(path) !== null;
-}
-
-// ═══════════════════════════════════════════════════════════════════════════
-// PATHS
-// ═══════════════════════════════════════════════════════════════════════════
-
-export const CLI4AI_HOME = process.env.CLI4AI_HOME
-  ? resolve(process.env.CLI4AI_HOME)
-  : resolve(homedir(), '.cli4ai');
-export const CONFIG_FILE = resolve(CLI4AI_HOME, 'config.json');
-export const PACKAGES_DIR = resolve(CLI4AI_HOME, 'packages');
-export const CACHE_DIR = resolve(CLI4AI_HOME, 'cache');
-export const ROUTINES_DIR = resolve(CLI4AI_HOME, 'routines');
-export const SCHEDULER_DIR = resolve(CLI4AI_HOME, 'scheduler');
-export const CREDENTIALS_FILE = resolve(CLI4AI_HOME, 'credentials.json');
-const CONFIG_LOCK_FILE = CONFIG_FILE + '.lock';
-const CONFIG_TMP_FILE = CONFIG_FILE + '.tmp';
-
-// Local project paths
-export const LOCAL_DIR = '.cli4ai';
-export const LOCAL_PACKAGES_DIR = join(LOCAL_DIR, 'packages');
-export const LOCAL_ROUTINES_DIR = join(LOCAL_DIR, 'routines');
-
-// ═══════════════════════════════════════════════════════════════════════════
-// TYPES
-// ═══════════════════════════════════════════════════════════════════════════
-
-export interface Config {
-  // Registry configuration
-  registry: string;
-  localRegistries: string[];
-
-  // Runtime defaults
-  defaultRuntime: 'node';
-
-  // MCP defaults
-  mcp: {
-    transport: 'stdio' | 'http';
-    port: number;
-  };
-
-  // Audit logging configuration
-  audit: {
-    /** Enable audit logging for MCP tool calls */
-    enabled: boolean;
-  };
-
-  // Telemetry (future)
-  telemetry: boolean;
-}
-
-export interface InstalledPackage {
-  name: string;
-  version: string;
-  path: string;
-  source: 'local' | 'registry';
-  installedAt: string;
-}
-
-// ═══════════════════════════════════════════════════════════════════════════
-// DEFAULT CONFIG
-// ═══════════════════════════════════════════════════════════════════════════
-
-export const DEFAULT_CONFIG: Config = {
-  registry: 'https://registry.cli4ai.com',
-  localRegistries: [],
-  defaultRuntime: 'node',
-  mcp: {
-    transport: 'stdio',
-    port: 3100
-  },
-  audit: {
-    enabled: true
-  },
-  telemetry: false
-};
-
-// ═══════════════════════════════════════════════════════════════════════════
-// INITIALIZATION
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Ensure ~/.cli4ai directory exists with required subdirectories
- */
-export function ensureCli4aiHome(): void {
-  const dirs = [CLI4AI_HOME, PACKAGES_DIR, CACHE_DIR, ROUTINES_DIR, SCHEDULER_DIR];
-
-  for (const dir of dirs) {
-    if (!existsSync(dir)) {
-      mkdirSync(dir, { recursive: true });
-    }
-  }
-}
-
-/**
- * Ensure local .cli4ai directory exists
- */
-export function ensureLocalDir(projectDir: string): void {
-  const localDir = resolve(projectDir, LOCAL_DIR);
-  const packagesDir = resolve(projectDir, LOCAL_PACKAGES_DIR);
-  const routinesDir = resolve(projectDir, LOCAL_ROUTINES_DIR);
-
-  if (!existsSync(localDir)) {
-    mkdirSync(localDir, { recursive: true });
-  }
-  if (!existsSync(packagesDir)) {
-    mkdirSync(packagesDir, { recursive: true });
-  }
-  if (!existsSync(routinesDir)) {
-    mkdirSync(routinesDir, { recursive: true });
-  }
-}
-
-// ═══════════════════════════════════════════════════════════════════════════
-// CONFIG FILE
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Deep merge two objects, where source values override target values
- */
-function deepMerge(target: Config, source: Partial<Config>): Config {
-  const result: Config = { ...target };
-
-  // Handle each key explicitly to maintain type safety
-  if (source.registry !== undefined) {
-    result.registry = source.registry;
-  }
-  if (source.localRegistries !== undefined) {
-    result.localRegistries = source.localRegistries;
-  }
-  if (source.defaultRuntime !== undefined) {
-    result.defaultRuntime = source.defaultRuntime;
-  }
-  if (source.telemetry !== undefined) {
-    result.telemetry = source.telemetry;
-  }
-  // Deep merge mcp config
-  if (source.mcp !== undefined) {
-    result.mcp = {
-      transport: source.mcp.transport ?? target.mcp.transport,
-      port: source.mcp.port ?? target.mcp.port
-    };
-  }
-  // Deep merge audit config
-  if (source.audit !== undefined) {
-    result.audit = {
-      enabled: source.audit.enabled ?? target.audit.enabled
-    };
-  }
-
-  return result;
-}
-
-/**
- * Load global config, creating defaults if needed
- */
-export function loadConfig(): Config {
-  return withConfigLock(() => loadConfigUnlocked());
-}
-
-/**
- * Save global config
- */
-export function saveConfig(config: Config): void {
-  withConfigLock(() => saveConfigUnlocked(config));
-}
-
-/**
- * Update config with a read-modify-write lock to avoid cross-process races.
- */
-export function updateConfig(mutator: (config: Config) => Config): Config {
-  return withConfigLock(() => {
-    const current = loadConfigUnlocked();
-    const next = mutator(current);
-    saveConfigUnlocked(next);
-    return next;
-  });
-}
-
-/**
- * Get a config value
- */
-export function getConfigValue<K extends keyof Config>(key: K): Config[K] {
-  const config = loadConfig();
-  return config[key];
-}
-
-/**
- * Set a config value
- */
-export function setConfigValue<K extends keyof Config>(key: K, value: Config[K]): void {
-  updateConfig((config) => {
-    config[key] = value;
-    return config;
-  });
-}
-
-// ═══════════════════════════════════════════════════════════════════════════
-// LOCAL REGISTRIES
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Directories that should not be used as registries
- * to prevent accidental exposure of sensitive system files.
- */
-const UNSAFE_REGISTRY_PATHS = [
-  '/etc',
-  '/usr',
-  '/bin',
-  '/sbin',
-  '/var',
-  '/sys',
-  '/proc',
-  '/dev',
-  '/boot',
-  '/root',
-  '/lib',
-  '/lib64',
-  '/System',           // macOS
-  '/Library',          // macOS
-  '/private/etc',      // macOS
-  '/private/var',      // macOS
-  'C:\\Windows',       // Windows
-  'C:\\Program Files', // Windows
-];
-
-/**
- * Validate that a registry path is safe to use.
- */
-function isRegistryPathSafe(registryPath: string): boolean {
-  const normalizedPath = normalize(registryPath);
-
-  // Check against unsafe paths
-  for (const unsafePath of UNSAFE_REGISTRY_PATHS) {
-    const normalizedUnsafe = normalize(unsafePath);
-    if (normalizedPath === normalizedUnsafe ||
-        normalizedPath.startsWith(normalizedUnsafe + '/') ||
-        normalizedPath.startsWith(normalizedUnsafe + '\\')) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-/**
- * Add a local registry path
- */
-export function addLocalRegistry(path: string): void {
-  const absolutePath = resolve(path);
-
-  // SECURITY: Validate registry path is not in sensitive system directories
-  if (!isRegistryPathSafe(absolutePath)) {
-    outputError('INVALID_INPUT', `Registry path is in a protected system directory: ${absolutePath}`, {
-      hint: 'Use a path in your home directory or a project directory'
-    });
-  }
-
-  if (!existsSync(absolutePath)) {
-    outputError('NOT_FOUND', `Directory does not exist: ${absolutePath}`);
-  }
-
-  // SECURITY: Validate symlink target if it's a symlink
-  const safePath = validateSymlinkTarget(absolutePath);
-  if (!safePath) {
-    outputError('INVALID_INPUT', `Registry path points to an unsafe location: ${absolutePath}`, {
-      hint: 'Symlinks must point to directories within safe locations'
-    });
-  }
-
-  let added = false;
-  updateConfig((config) => {
-    if (!config.localRegistries.includes(safePath)) {
-      config.localRegistries.push(safePath);
-      added = true;
-    }
-    return config;
-  });
-  if (added) log(`Added local registry: ${safePath}`);
-}
-
-/**
- * Remove a local registry path
- */
-export function removeLocalRegistry(path: string): void {
-  const absolutePath = resolve(path);
-
-  // SECURITY: Validate symlink target consistently with addLocalRegistry
-  const safePath = validateSymlinkTarget(absolutePath);
-  if (!safePath) {
-    outputError('INVALID_INPUT', `Registry path points to an unsafe location: ${absolutePath}`, {
-      hint: 'Symlinks must point to directories within safe locations'
-    });
-  }
-
-  let removed = false;
-  updateConfig((config) => {
-    const index = config.localRegistries.indexOf(safePath);
-    if (index !== -1) {
-      config.localRegistries.splice(index, 1);
-      removed = true;
-    }
-    return config;
-  });
-  if (removed) log(`Removed local registry: ${safePath}`);
-}
-
-function sleepSync(ms: number): void {
-  if (ms <= 0) return;
-  try {
-    const buf = new SharedArrayBuffer(4);
-    const view = new Int32Array(buf);
-    Atomics.wait(view, 0, 0, ms);
-  } catch {
-    const end = Date.now() + ms;
-    while (Date.now() < end) {
-      // busy wait (best effort)
-    }
-  }
-}
-
-function isPidRunning(pid: number): boolean {
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function isLockStale(lockPath: string, staleMs: number): boolean {
-  try {
-    const stat = lstatSync(lockPath);
-    if (Date.now() - stat.mtimeMs > staleMs) return true;
-  } catch {
-    return false;
-  }
-
-  try {
-    const raw = readFileSync(lockPath, 'utf-8');
-    const parsed = JSON.parse(raw) as { pid?: unknown; createdAt?: unknown };
-    const pid = typeof parsed.pid === 'number' ? parsed.pid : null;
-    const createdAtMs =
-      typeof parsed.createdAt === 'number'
-        ? parsed.createdAt
-        : typeof parsed.createdAt === 'string'
-          ? Date.parse(parsed.createdAt)
-          : NaN;
-
-    if (pid !== null && !isPidRunning(pid)) return true;
-    if (Number.isFinite(createdAtMs) && Date.now() - createdAtMs > staleMs) return true;
-  } catch {
-    // ignore parse errors (fall back to mtime check above)
-  }
-
-  return false;
-}
-
-function acquireLock(lockPath: string, timeoutMs: number, staleMs: number): number {
-  const start = Date.now();
-  while (true) {
-    try {
-      const fd = openSync(lockPath, 'wx');
-      try {
-        writeFileSync(fd, JSON.stringify({ pid: process.pid, createdAt: new Date().toISOString() }) + '\n');
-      } catch {
-        // best effort
-      }
-      return fd;
-    } catch (err) {
-      const code = (err as NodeJS.ErrnoException).code;
-      if (code !== 'EEXIST') {
-        throw err;
-      }
-
-      if (isLockStale(lockPath, staleMs)) {
-        try {
-          unlinkSync(lockPath);
-          continue;
-        } catch {
-          // fall through to wait
-        }
-      }
-
-      if (Date.now() - start > timeoutMs) {
-        throw new Error(`Timed out waiting for config lock: ${lockPath}`);
-      }
-
-      sleepSync(25);
-    }
-  }
-}
-
-function releaseLock(lockPath: string, fd: number): void {
-  try {
-    closeSync(fd);
-  } catch {
-    // ignore
-  }
-  try {
-    unlinkSync(lockPath);
-  } catch {
-    // ignore
-  }
-}
-
-let configLockDepth = 0;
-let configLockFd: number | null = null;
-
-function withConfigLock<T>(fn: () => T): T {
-  const timeoutMs = 2000;
-  const staleMs = 30000;
-
-  if (configLockDepth > 0) {
-    configLockDepth++;
-    try {
-      return fn();
-    } finally {
-      configLockDepth--;
-    }
-  }
-
-  configLockDepth = 1;
-  const fd = acquireLock(CONFIG_LOCK_FILE, timeoutMs, staleMs);
-  configLockFd = fd;
-
-  try {
-    return fn();
-  } finally {
-    configLockFd = null;
-    configLockDepth = 0;
-    releaseLock(CONFIG_LOCK_FILE, fd);
-  }
-}
-
-function loadConfigUnlocked(): Config {
-  ensureCli4aiHome();
-
-  if (!existsSync(CONFIG_FILE)) {
-    saveConfigUnlocked(DEFAULT_CONFIG);
-    return DEFAULT_CONFIG;
-  }
-
-  try {
-    const content = readFileSync(CONFIG_FILE, 'utf-8');
-    const data = JSON.parse(content);
-    // Deep merge with defaults to handle missing nested fields (e.g., mcp.port)
-    return deepMerge(DEFAULT_CONFIG, data);
-  } catch {
-    log(`Warning: Invalid config file, using defaults`);
-    return DEFAULT_CONFIG;
-  }
-}
-
-function saveConfigUnlocked(config: Config): void {
-  ensureCli4aiHome();
-  const content = JSON.stringify(config, null, 2) + '\n';
-  writeFileSync(CONFIG_TMP_FILE, content);
-  renameSync(CONFIG_TMP_FILE, CONFIG_FILE);
-}
-
-// ═══════════════════════════════════════════════════════════════════════════
-// INSTALLED PACKAGES TRACKING
-// ═══════════════════════════════════════════════════════════════════════════
-
-/**
- * Get list of globally installed packages
- */
-export function getGlobalPackages(): InstalledPackage[] {
-  ensureCli4aiHome();
-
-  if (!existsSync(PACKAGES_DIR)) {
-    return [];
-  }
-
-  const packages: InstalledPackage[] = [];
-
-  for (const entry of readdirSync(PACKAGES_DIR, { withFileTypes: true })) {
-    if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
-
-    const pkgPath = resolve(PACKAGES_DIR, entry.name);
-
-    // SECURITY: Validate symlink targets
-    const safePath = validateSymlinkTarget(pkgPath);
-    if (!safePath) continue;
-
-    const manifestPath = resolve(safePath, 'cli4ai.json');
-
-    if (existsSync(manifestPath)) {
-      try {
-        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-        packages.push({
-          name: manifest.name,
-          version: manifest.version,
-          path: safePath,
-          source: 'registry',
-          installedAt: new Date().toISOString()
-        });
-      } catch {
-        // Skip invalid packages
-      }
-    }
-  }
-
-  return packages;
-}
-
-/**
- * Get list of locally installed packages (in project)
- */
-export function getLocalPackages(projectDir: string): InstalledPackage[] {
-  const packagesDir = resolve(projectDir, LOCAL_PACKAGES_DIR);
-
-  if (!existsSync(packagesDir)) {
-    return [];
-  }
-
-  const packages: InstalledPackage[] = [];
-
-  for (const entry of readdirSync(packagesDir, { withFileTypes: true })) {
-    if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
-
-    const pkgPath = resolve(packagesDir, entry.name);
-
-    // SECURITY: Validate symlink targets
-    const safePath = validateSymlinkTarget(pkgPath);
-    if (!safePath) continue;
-
-    const manifestPath = resolve(safePath, 'cli4ai.json');
-
-    if (existsSync(manifestPath)) {
-      try {
-        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-        packages.push({
-          name: manifest.name,
-          version: manifest.version,
-          path: safePath,
-          source: 'local',
-          installedAt: new Date().toISOString()
-        });
-      } catch {
-        // Skip invalid packages
-      }
-    }
-  }
-
-  return packages;
-}
-
-// Cache npm global dir to avoid repeated lookups
-let cachedNpmGlobalDir: string | null | undefined = undefined;
-
-/**
- * Get npm global packages directory
- */
-function getNpmGlobalDir(): string | null {
-  if (cachedNpmGlobalDir !== undefined) return cachedNpmGlobalDir;
-
-  // Try common locations first (faster than calling npm)
-  const commonPaths = [
-    resolve(homedir(), '.npm-global', 'lib', 'node_modules'),  // Custom npm prefix
-    '/usr/local/lib/node_modules',                              // macOS/Linux default
-    '/usr/lib/node_modules',                                    // Some Linux distros
-    resolve(homedir(), '.nvm', 'versions', 'node'),            // nvm (check later)
-  ];
-
-  for (const p of commonPaths) {
-    if (existsSync(p)) {
-      cachedNpmGlobalDir = p;
-      return p;
-    }
-  }
-
-  // Fall back to npm config (with timeout)
-  try {
-    const { execSync } = require('child_process');
-    const prefix = execSync('npm config get prefix', {
-      encoding: 'utf-8',
-      timeout: 3000,  // 3 second timeout
-      stdio: ['pipe', 'pipe', 'pipe']
-    }).trim();
-    // On Unix: prefix/lib/node_modules, on Windows: prefix/node_modules
-    const libPath = resolve(prefix, 'lib', 'node_modules');
-    if (existsSync(libPath)) {
-      cachedNpmGlobalDir = libPath;
-      return libPath;
-    }
-    const winPath = resolve(prefix, 'node_modules');
-    if (existsSync(winPath)) {
-      cachedNpmGlobalDir = winPath;
-      return winPath;
-    }
-  } catch {
-    // npm command failed or timed out
-  }
-
-  cachedNpmGlobalDir = null;
-  return null;
-}
-
-/**
- * Get bun global packages directory
- */
-function getBunGlobalDir(): string | null {
-  // Bun installs global packages to ~/.bun/install/global/node_modules
-  const bunGlobalDir = resolve(homedir(), '.bun', 'install', 'global', 'node_modules');
-  if (existsSync(bunGlobalDir)) return bunGlobalDir;
-  return null;
-}
-
-/**
- * Get packages from a global node_modules/@cli4ai directory
- */
-function getPackagesFromGlobalDir(globalDir: string): InstalledPackage[] {
-  const cli4aiDir = resolve(globalDir, '@cli4ai');
-  if (!existsSync(cli4aiDir)) return [];
-
-  const packages: InstalledPackage[] = [];
-
-  try {
-    for (const entry of readdirSync(cli4aiDir, { withFileTypes: true })) {
-      if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
-      if (entry.name === 'lib') continue; // Skip @cli4ai/lib
-
-      const pkgPath = resolve(cli4aiDir, entry.name);
-
-      // SECURITY: Validate symlink targets
-      const safePath = validateSymlinkTarget(pkgPath);
-      if (!safePath) continue;
-
-      const pkgJsonPath = resolve(safePath, 'package.json');
-      const cli4aiJsonPath = resolve(safePath, 'cli4ai.json');
-
-      // Try cli4ai.json first, then package.json
-      if (existsSync(cli4aiJsonPath)) {
-        try {
-          const manifest = JSON.parse(readFileSync(cli4aiJsonPath, 'utf-8'));
-          packages.push({
-            name: entry.name,
-            version: manifest.version,
-            path: safePath,
-            source: 'registry',
-            installedAt: new Date().toISOString()
-          });
-          continue;
-        } catch {}
-      }
-
-      if (existsSync(pkgJsonPath)) {
-        try {
-          const pkgJson = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
-          packages.push({
-            name: entry.name,
-            version: pkgJson.version,
-            path: safePath,
-            source: 'registry',
-            installedAt: new Date().toISOString()
-          });
-        } catch {}
-      }
-    }
-  } catch {}
-
-  return packages;
-}
-
-/**
- * Get all global @cli4ai packages (from both npm and bun)
- */
-export function getNpmGlobalPackages(): InstalledPackage[] {
-  const packages: InstalledPackage[] = [];
-  const seen = new Set<string>();
-
-  // Check npm global first (this is where we install)
-  const npmGlobalDir = getNpmGlobalDir();
-  if (npmGlobalDir) {
-    for (const pkg of getPackagesFromGlobalDir(npmGlobalDir)) {
-      if (!seen.has(pkg.name)) {
-        seen.add(pkg.name);
-        packages.push(pkg);
-      }
-    }
-  }
-
-  // Check bun global (for backwards compat with old installs)
-  const bunGlobalDir = getBunGlobalDir();
-  if (bunGlobalDir) {
-    for (const pkg of getPackagesFromGlobalDir(bunGlobalDir)) {
-      if (!seen.has(pkg.name)) {
-        seen.add(pkg.name);
-        packages.push(pkg);
-      }
-    }
-  }
-
-  return packages;
-}
-
-/**
- * Try to find a package in a global directory
- */
-function findPackageInGlobalDir(globalDir: string, name: string): InstalledPackage | null {
-  // SECURITY: Validate name to prevent path traversal
-  if (name.includes('..') || name.includes('/') || name.includes('\\') || name.startsWith('.')) {
-    return null;
-  }
-
-  const scopedPath = resolve(globalDir, '@cli4ai', name);
-
-  // SECURITY: Verify resolved path is under globalDir
-  if (!scopedPath.startsWith(resolve(globalDir))) {
-    return null;
-  }
-
-  if (!existsSync(scopedPath)) return null;
-
-  const manifestPath = resolve(scopedPath, 'cli4ai.json');
-  if (existsSync(manifestPath)) {
-    try {
-      const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-      return {
-        name: manifest.name || name,
-        version: manifest.version,
-        path: scopedPath,
-        source: 'registry',
-        installedAt: new Date().toISOString()
-      };
-    } catch {}
-  }
-
-  // Even without cli4ai.json, try package.json
-  const pkgJsonPath = resolve(scopedPath, 'package.json');
-  if (existsSync(pkgJsonPath)) {
-    try {
-      const pkgJson = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
-      return {
-        name: name,
-        version: pkgJson.version,
-        path: scopedPath,
-        source: 'registry',
-        installedAt: new Date().toISOString()
-      };
-    } catch {}
-  }
-
-  return null;
-}
-
-/**
- * Find a package by name (checks local, global cli4ai, bun global, then npm global)
- */
-export function findPackage(name: string, projectDir?: string): InstalledPackage | null {
-  // Check local packages first
-  if (projectDir) {
-    const localPkgs = getLocalPackages(projectDir);
-    const local = localPkgs.find(p => p.name === name);
-    if (local) return local;
-  }
-
-  // Check cli4ai global packages
-  const globalPkgs = getGlobalPackages();
-  const globalPkg = globalPkgs.find(p => p.name === name);
-  if (globalPkg) return globalPkg;
-
-  // Check npm global packages first (this is where we install)
-  const npmGlobalDir = getNpmGlobalDir();
-  if (npmGlobalDir) {
-    const pkg = findPackageInGlobalDir(npmGlobalDir, name);
-    if (pkg) return pkg;
-  }
-
-  // Check bun global packages (for backwards compat)
-  const bunGlobalDir = getBunGlobalDir();
-  if (bunGlobalDir) {
-    const pkg = findPackageInGlobalDir(bunGlobalDir, name);
-    if (pkg) return pkg;
-  }
-
-  return null;
-}