mcpman 0.1.1 → 0.3.0

package/dist/index.cjs

@@ -37,6 +37,90 @@ var init_cjs_shims = __esm({
   }
 });
 
+// src/core/trust-scorer.ts
+var trust_scorer_exports = {};
+__export(trust_scorer_exports, {
+  computeTrustScore: () => computeTrustScore
+});
+function vulnScore(vulns) {
+  let score = 100;
+  for (const v of vulns) {
+    if (v.severity === "critical") score -= 25;
+    else if (v.severity === "high") score -= 15;
+    else if (v.severity === "moderate") score -= 10;
+    else score -= 5;
+  }
+  return Math.max(0, score);
+}
+function downloadScore(weeklyDownloads) {
+  if (weeklyDownloads <= 0) return 0;
+  if (weeklyDownloads >= 1e6) return 100;
+  if (weeklyDownloads >= 1e5) return 80;
+  if (weeklyDownloads >= 1e4) return 60;
+  if (weeklyDownloads >= 1e3) return 40;
+  if (weeklyDownloads >= 100) return 20;
+  return 10;
+}
+function ageScore(packageAge) {
+  if (packageAge <= 0) return 0;
+  if (packageAge >= 730) return 100;
+  if (packageAge >= 365) return 80;
+  if (packageAge >= 180) return 60;
+  if (packageAge >= 30) return 30;
+  return 10;
+}
+function publishScore(lastPublish) {
+  const daysSince = Math.floor((Date.now() - new Date(lastPublish).getTime()) / 864e5);
+  if (daysSince <= 30) return 100;
+  if (daysSince <= 90) return 80;
+  if (daysSince <= 180) return 60;
+  if (daysSince <= 365) return 40;
+  return 20;
+}
+function maintainerScore(count, deprecated) {
+  let score = 0;
+  if (count >= 3) score = 90;
+  else if (count === 2) score = 70;
+  else score = 50;
+  if (!deprecated) score += 10;
+  return Math.min(100, score);
+}
+function toRiskLevel(score) {
+  if (score >= 80) return "LOW";
+  if (score >= 50) return "MEDIUM";
+  if (score >= 20) return "HIGH";
+  return "CRITICAL";
+}
+function computeTrustScore(metadata, vulns) {
+  if (!metadata) {
+    const vScore = vulnScore(vulns);
+    const score2 = Math.round(vScore * WEIGHT_VULNS * 100) / 100;
+    return { score: Math.round(score2), riskLevel: toRiskLevel(score2) };
+  }
+  const scores = {
+    vulns: vulnScore(vulns),
+    downloads: downloadScore(metadata.weeklyDownloads),
+    age: ageScore(metadata.packageAge),
+    publish: publishScore(metadata.lastPublish),
+    maintainers: maintainerScore(metadata.maintainerCount, metadata.deprecated)
+  };
+  const weighted = scores.vulns * WEIGHT_VULNS + scores.downloads * WEIGHT_DOWNLOADS + scores.age * WEIGHT_AGE + scores.publish * WEIGHT_PUBLISH_FREQ + scores.maintainers * WEIGHT_MAINTAINERS;
+  const score = Math.min(100, Math.max(0, Math.round(weighted)));
+  return { score, riskLevel: toRiskLevel(score) };
+}
+var WEIGHT_VULNS, WEIGHT_DOWNLOADS, WEIGHT_AGE, WEIGHT_PUBLISH_FREQ, WEIGHT_MAINTAINERS;
+var init_trust_scorer = __esm({
+  "src/core/trust-scorer.ts"() {
+    "use strict";
+    init_cjs_shims();
+    WEIGHT_VULNS = 0.3;
+    WEIGHT_DOWNLOADS = 0.2;
+    WEIGHT_AGE = 0.15;
+    WEIGHT_PUBLISH_FREQ = 0.15;
+    WEIGHT_MAINTAINERS = 0.2;
+  }
+});
+
 // src/clients/types.ts
 var ConfigParseError, ConfigWriteError;
 var init_types = __esm({
@@ -64,43 +148,43 @@ var init_types = __esm({
 async function atomicWrite(filePath, content) {
   const tmpPath = `${filePath}.tmp`;
   try {
-    await import_node_fs.default.promises.mkdir(import_node_path.default.dirname(filePath), { recursive: true });
-    await import_node_fs.default.promises.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
-    await import_node_fs.default.promises.rename(tmpPath, filePath);
+    await import_node_fs3.default.promises.mkdir(import_node_path3.default.dirname(filePath), { recursive: true });
+    await import_node_fs3.default.promises.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
+    await import_node_fs3.default.promises.rename(tmpPath, filePath);
   } catch (err) {
     try {
-      await import_node_fs.default.promises.unlink(tmpPath);
+      await import_node_fs3.default.promises.unlink(tmpPath);
     } catch {
     }
     throw err;
   }
 }
-async function pathExists(p5) {
+async function pathExists(p11) {
   try {
-    await import_node_fs.default.promises.access(p5);
+    await import_node_fs3.default.promises.access(p11);
     return true;
   } catch {
     return false;
   }
 }
-var import_node_fs, import_node_path, BaseClientHandler;
+var import_node_fs3, import_node_path3, BaseClientHandler;
 var init_base_client_handler = __esm({
   "src/clients/base-client-handler.ts"() {
     "use strict";
     init_cjs_shims();
-    import_node_fs = __toESM(require("fs"), 1);
-    import_node_path = __toESM(require("path"), 1);
+    import_node_fs3 = __toESM(require("fs"), 1);
+    import_node_path3 = __toESM(require("path"), 1);
     init_types();
     BaseClientHandler = class {
       async isInstalled() {
-        const dir = import_node_path.default.dirname(this.getConfigPath());
+        const dir = import_node_path3.default.dirname(this.getConfigPath());
         return pathExists(dir);
       }
       /** Read raw JSON from disk, return empty object if file missing */
       async readRaw() {
         const configPath = this.getConfigPath();
         try {
-          const raw = await import_node_fs.default.promises.readFile(configPath, "utf-8");
+          const raw = await import_node_fs3.default.promises.readFile(configPath, "utf-8");
           return JSON.parse(raw);
         } catch (err) {
           if (err.code === "ENOENT") {
@@ -151,26 +235,26 @@ var init_base_client_handler = __esm({
 
 // src/utils/paths.ts
 function getHomedir() {
-  return import_node_os.default.homedir();
+  return import_node_os3.default.homedir();
 }
 function getAppDataDir() {
   const home = getHomedir();
   if (process.platform === "darwin") {
-    return import_node_path2.default.join(home, "Library", "Application Support");
+    return import_node_path4.default.join(home, "Library", "Application Support");
   }
   if (process.platform === "win32") {
-    return process.env.APPDATA ?? import_node_path2.default.join(home, "AppData", "Roaming");
+    return process.env.APPDATA ?? import_node_path4.default.join(home, "AppData", "Roaming");
   }
-  return process.env.XDG_CONFIG_HOME ?? import_node_path2.default.join(home, ".config");
+  return process.env.XDG_CONFIG_HOME ?? import_node_path4.default.join(home, ".config");
 }
 function resolveConfigPath(client) {
   const appData = getAppDataDir();
   const home = getHomedir();
   switch (client) {
     case "claude-desktop":
-      return import_node_path2.default.join(appData, "Claude", "claude_desktop_config.json");
+      return import_node_path4.default.join(appData, "Claude", "claude_desktop_config.json");
     case "cursor":
-      return import_node_path2.default.join(
+      return import_node_path4.default.join(
         appData,
         "Cursor",
         "User",
@@ -179,7 +263,7 @@ function resolveConfigPath(client) {
         "mcp.json"
       );
     case "windsurf":
-      return import_node_path2.default.join(
+      return import_node_path4.default.join(
         appData,
         "Windsurf",
         "User",
@@ -189,21 +273,21 @@ function resolveConfigPath(client) {
       );
     case "vscode":
       if (process.platform === "darwin") {
-        return import_node_path2.default.join(appData, "Code", "User", "settings.json");
+        return import_node_path4.default.join(appData, "Code", "User", "settings.json");
       }
       if (process.platform === "win32") {
-        return import_node_path2.default.join(appData, "Code", "User", "settings.json");
+        return import_node_path4.default.join(appData, "Code", "User", "settings.json");
       }
-      return import_node_path2.default.join(home, ".config", "Code", "User", "settings.json");
+      return import_node_path4.default.join(home, ".config", "Code", "User", "settings.json");
   }
 }
-var import_node_os, import_node_path2;
+var import_node_os3, import_node_path4;
 var init_paths = __esm({
   "src/utils/paths.ts"() {
     "use strict";
     init_cjs_shims();
-    import_node_os = __toESM(require("os"), 1);
-    import_node_path2 = __toESM(require("path"), 1);
+    import_node_os3 = __toESM(require("os"), 1);
+    import_node_path4 = __toESM(require("path"), 1);
   }
 });
 
@@ -313,32 +397,947 @@ function getClient(type) {
       return new WindsurfHandler();
   }
 }
-async function getInstalledClients() {
-  const all = getAllClientTypes().map(getClient);
-  const results = await Promise.all(
-    all.map(async (handler) => ({ handler, installed: await handler.isInstalled() }))
+async function getInstalledClients() {
+  const all = getAllClientTypes().map(getClient);
+  const results = await Promise.all(
+    all.map(async (handler) => ({ handler, installed: await handler.isInstalled() }))
+  );
+  return results.filter((r) => r.installed).map((r) => r.handler);
+}
+var init_client_detector = __esm({
+  "src/clients/client-detector.ts"() {
+    "use strict";
+    init_cjs_shims();
+    init_claude_desktop();
+    init_cursor();
+    init_vscode();
+    init_windsurf();
+  }
+});
+
+// src/core/vault-service.ts
+var vault_service_exports = {};
+__export(vault_service_exports, {
+  clearPasswordCache: () => clearPasswordCache,
+  decrypt: () => decrypt,
+  encrypt: () => encrypt,
+  getMasterPassword: () => getMasterPassword,
+  getSecret: () => getSecret,
+  getSecretsForServer: () => getSecretsForServer,
+  getVaultPath: () => getVaultPath,
+  listSecrets: () => listSecrets,
+  readVault: () => readVault,
+  removeSecret: () => removeSecret,
+  setSecret: () => setSecret,
+  writeVault: () => writeVault
+});
+function getVaultPath() {
+  return import_node_path6.default.join(import_node_os4.default.homedir(), ".mcpman", "vault.enc");
+}
+function readVault(vaultPath = getVaultPath()) {
+  const empty = { version: 1, servers: {} };
+  try {
+    const raw = import_node_fs4.default.readFileSync(vaultPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1 || typeof parsed.servers !== "object") return empty;
+    return parsed;
+  } catch {
+    return empty;
+  }
+}
+function writeVault(data, vaultPath = getVaultPath()) {
+  const dir = import_node_path6.default.dirname(vaultPath);
+  import_node_fs4.default.mkdirSync(dir, { recursive: true });
+  const tmp = `${vaultPath}.tmp`;
+  import_node_fs4.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
+  if (process.platform !== "win32") {
+    import_node_fs4.default.chmodSync(tmp, 384);
+  }
+  import_node_fs4.default.renameSync(tmp, vaultPath);
+  if (process.platform !== "win32") {
+    import_node_fs4.default.chmodSync(vaultPath, 384);
+  }
+}
+function encrypt(value, password2) {
+  const salt = import_node_crypto2.default.randomBytes(16);
+  const key = import_node_crypto2.default.pbkdf2Sync(password2, salt, 1e5, 32, "sha256");
+  const iv = import_node_crypto2.default.randomBytes(16);
+  const cipher = import_node_crypto2.default.createCipheriv("aes-256-cbc", key, iv);
+  const encrypted = Buffer.concat([cipher.update(value, "utf-8"), cipher.final()]);
+  return {
+    salt: salt.toString("hex"),
+    iv: iv.toString("hex"),
+    data: encrypted.toString("hex")
+  };
+}
+function decrypt(entry, password2) {
+  const salt = Buffer.from(entry.salt, "hex");
+  const key = import_node_crypto2.default.pbkdf2Sync(password2, salt, 1e5, 32, "sha256");
+  const iv = Buffer.from(entry.iv, "hex");
+  const decipher = import_node_crypto2.default.createDecipheriv("aes-256-cbc", key, iv);
+  const decrypted = Buffer.concat([
+    decipher.update(Buffer.from(entry.data, "hex")),
+    decipher.final()
+    // throws ERR_OSSL_BAD_DECRYPT on wrong password
+  ]);
+  return decrypted.toString("utf-8");
+}
+async function getMasterPassword(confirm8 = false) {
+  if (_cachedPassword) return _cachedPassword;
+  const password2 = await p3.password({
+    message: "Enter vault master password:",
+    validate: (v) => v.length < 8 ? "Password must be at least 8 characters" : void 0
+  });
+  if (p3.isCancel(password2)) {
+    p3.cancel("Vault access cancelled.");
+    process.exit(0);
+  }
+  if (confirm8) {
+    const confirm22 = await p3.password({ message: "Confirm master password:" });
+    if (p3.isCancel(confirm22) || confirm22 !== password2) {
+      p3.cancel("Passwords do not match.");
+      process.exit(1);
+    }
+  }
+  _cachedPassword = password2;
+  return _cachedPassword;
+}
+function clearPasswordCache() {
+  _cachedPassword = null;
+}
+function setSecret(server, key, value, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  if (!vault.servers[server]) vault.servers[server] = {};
+  vault.servers[server][key] = encrypt(value, password2);
+  writeVault(vault, vaultPath);
+}
+function getSecret(server, key, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entry = vault.servers[server]?.[key];
+  if (!entry) return null;
+  return decrypt(entry, password2);
+}
+function getSecretsForServer(server, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entries = vault.servers[server];
+  if (!entries) return {};
+  const result = {};
+  for (const [k, entry] of Object.entries(entries)) {
+    result[k] = decrypt(entry, password2);
+  }
+  return result;
+}
+function removeSecret(server, key, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  if (vault.servers[server]) {
+    delete vault.servers[server][key];
+    if (Object.keys(vault.servers[server]).length === 0) {
+      delete vault.servers[server];
+    }
+    writeVault(vault, vaultPath);
+  }
+}
+function listSecrets(server, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entries = server ? vault.servers[server] ? { [server]: vault.servers[server] } : {} : vault.servers;
+  return Object.entries(entries).map(([srv, keys]) => ({
+    server: srv,
+    keys: Object.keys(keys)
+  }));
+}
+var import_node_crypto2, import_node_fs4, import_node_os4, import_node_path6, p3, _cachedPassword;
+var init_vault_service = __esm({
+  "src/core/vault-service.ts"() {
+    "use strict";
+    init_cjs_shims();
+    import_node_crypto2 = __toESM(require("crypto"), 1);
+    import_node_fs4 = __toESM(require("fs"), 1);
+    import_node_os4 = __toESM(require("os"), 1);
+    import_node_path6 = __toESM(require("path"), 1);
+    p3 = __toESM(require("@clack/prompts"), 1);
+    _cachedPassword = null;
+    process.on("exit", () => {
+      _cachedPassword = null;
+    });
+  }
+});
+
+// src/index.ts
+init_cjs_shims();
+var import_citty10 = require("citty");
+
+// src/commands/audit.ts
+init_cjs_shims();
+var import_citty = require("citty");
+var p = __toESM(require("@clack/prompts"), 1);
+var import_picocolors = __toESM(require("picocolors"), 1);
+var import_nanospinner = require("nanospinner");
+
+// src/core/lockfile.ts
+init_cjs_shims();
+var import_node_fs = __toESM(require("fs"), 1);
+var import_node_path = __toESM(require("path"), 1);
+var import_node_os = __toESM(require("os"), 1);
+var LOCKFILE_NAME = "mcpman.lock";
+function findLockfile() {
+  let dir = process.cwd();
+  while (true) {
+    const candidate = import_node_path.default.join(dir, LOCKFILE_NAME);
+    if (import_node_fs.default.existsSync(candidate)) return candidate;
+    const parent = import_node_path.default.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function getGlobalLockfilePath() {
+  return import_node_path.default.join(import_node_os.default.homedir(), ".mcpman", LOCKFILE_NAME);
+}
+function resolveLockfilePath() {
+  return findLockfile() ?? getGlobalLockfilePath();
+}
+function readLockfile(filePath) {
+  const target = filePath ?? resolveLockfilePath();
+  if (!import_node_fs.default.existsSync(target)) {
+    return { lockfileVersion: 1, servers: {} };
+  }
+  try {
+    const raw = import_node_fs.default.readFileSync(target, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return { lockfileVersion: 1, servers: {} };
+  }
+}
+function serialize(data) {
+  const sorted = {
+    lockfileVersion: data.lockfileVersion,
+    servers: Object.fromEntries(
+      Object.entries(data.servers).sort(([a], [b]) => a.localeCompare(b))
+    )
+  };
+  return JSON.stringify(sorted, null, 2) + "\n";
+}
+function writeLockfile(data, filePath) {
+  const target = filePath ?? resolveLockfilePath();
+  const dir = import_node_path.default.dirname(target);
+  if (!import_node_fs.default.existsSync(dir)) {
+    import_node_fs.default.mkdirSync(dir, { recursive: true });
+  }
+  const tmp = `${target}.tmp`;
+  import_node_fs.default.writeFileSync(tmp, serialize(data), "utf-8");
+  import_node_fs.default.renameSync(tmp, target);
+}
+function addEntry(name, entry, filePath) {
+  const data = readLockfile(filePath);
+  data.servers[name] = entry;
+  writeLockfile(data, filePath);
+}
+function createEmptyLockfile(filePath) {
+  writeLockfile({ lockfileVersion: 1, servers: {} }, filePath);
+}
+
+// src/core/security-scanner.ts
+init_cjs_shims();
+var import_node_fs2 = __toESM(require("fs"), 1);
+var import_node_os2 = __toESM(require("os"), 1);
+var import_node_path2 = __toESM(require("path"), 1);
+var CACHE_PATH = import_node_path2.default.join(import_node_os2.default.homedir(), ".mcpman", ".audit-cache.json");
+var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+function readCache() {
+  try {
+    if (!import_node_fs2.default.existsSync(CACHE_PATH)) return {};
+    return JSON.parse(import_node_fs2.default.readFileSync(CACHE_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeCache(cache) {
+  const dir = import_node_path2.default.dirname(CACHE_PATH);
+  if (!import_node_fs2.default.existsSync(dir)) import_node_fs2.default.mkdirSync(dir, { recursive: true });
+  const tmp = `${CACHE_PATH}.tmp`;
+  import_node_fs2.default.writeFileSync(tmp, JSON.stringify(cache, null, 2), "utf-8");
+  import_node_fs2.default.renameSync(tmp, CACHE_PATH);
+}
+function getCachedReport(name, version) {
+  const cache = readCache();
+  const key = `${name}@${version}`;
+  const entry = cache[key];
+  if (!entry) return null;
+  if (Date.now() - entry.timestamp > CACHE_TTL_MS) return null;
+  return entry.report;
+}
+function cacheReport(name, version, report) {
+  const cache = readCache();
+  cache[`${name}@${version}`] = { report, timestamp: Date.now() };
+  writeCache(cache);
+}
+async function fetchNpmMetadata(packageName) {
+  const timeout = 1e4;
+  const signal = AbortSignal.timeout(timeout);
+  try {
+    const [regRes, dlRes] = await Promise.all([
+      fetch(`https://registry.npmjs.org/${encodeURIComponent(packageName)}`, { signal }),
+      fetch(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`, {
+        signal: AbortSignal.timeout(timeout)
+      })
+    ]);
+    if (!regRes.ok) return null;
+    const reg = await regRes.json();
+    const time = reg["time"] ?? {};
+    const created = time["created"] ? new Date(time["created"]) : null;
+    const modified = time["modified"] ? new Date(time["modified"]) : null;
+    const packageAge = created ? Math.floor((Date.now() - created.getTime()) / 864e5) : 0;
+    const maintainers = Array.isArray(reg["maintainers"]) ? reg["maintainers"] : [];
+    const latestVersion = reg["dist-tags"]?.["latest"] ?? "";
+    const versionData = reg["versions"]?.[latestVersion];
+    const deprecated = typeof versionData?.["deprecated"] === "string";
+    let weeklyDownloads = 0;
+    if (dlRes.ok) {
+      const dl = await dlRes.json();
+      weeklyDownloads = typeof dl["downloads"] === "number" ? dl["downloads"] : 0;
+    }
+    return {
+      weeklyDownloads,
+      lastPublish: modified?.toISOString() ?? (/* @__PURE__ */ new Date()).toISOString(),
+      packageAge,
+      maintainerCount: maintainers.length,
+      deprecated
+    };
+  } catch {
+    return null;
+  }
+}
+async function fetchVulnerabilities(packageName, version) {
+  try {
+    const res = await fetch("https://api.osv.dev/v1/query", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ package: { name: packageName, ecosystem: "npm" }, version }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const vulns = Array.isArray(data["vulns"]) ? data["vulns"] : [];
+    return vulns.map((v) => {
+      const severity = v["database_specific"]?.["severity"];
+      const sev = typeof severity === "string" ? severity.toLowerCase() : "moderate";
+      const refs = Array.isArray(v["references"]) ? v["references"] : [];
+      return {
+        severity: ["low", "moderate", "high", "critical"].includes(sev) ? sev : "moderate",
+        title: typeof v["summary"] === "string" ? v["summary"] : typeof v["id"] === "string" ? v["id"] : "Unknown vulnerability",
+        url: typeof refs[0]?.["url"] === "string" ? refs[0]["url"] : void 0
+      };
+    });
+  } catch {
+    return [];
+  }
+}
+async function scanServer(name, entry) {
+  if (entry.source !== "npm") {
+    return {
+      server: name,
+      source: entry.source,
+      score: null,
+      riskLevel: "UNKNOWN",
+      vulnerabilities: [],
+      metadata: null
+    };
+  }
+  const cached = getCachedReport(name, entry.version);
+  if (cached) return cached;
+  const [metadata, vulnerabilities] = await Promise.all([
+    fetchNpmMetadata(name),
+    fetchVulnerabilities(name, entry.version)
+  ]);
+  const { computeTrustScore: computeTrustScore2 } = await Promise.resolve().then(() => (init_trust_scorer(), trust_scorer_exports));
+  const { score, riskLevel } = computeTrustScore2(metadata, vulnerabilities);
+  const report = {
+    server: name,
+    source: "npm",
+    score,
+    riskLevel,
+    vulnerabilities,
+    metadata
+  };
+  cacheReport(name, entry.version, report);
+  return report;
+}
+async function scanAllServers(servers, concurrency = 3) {
+  const entries = Object.entries(servers);
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p11 = scanServer(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p11);
+    });
+    executing.add(p11);
+    if (executing.size >= concurrency) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/version-checker.ts
+init_cjs_shims();
+function compareVersions(a, b) {
+  const aParts = a.replace(/^v/, "").split(".").map(Number);
+  const bParts = b.replace(/^v/, "").split(".").map(Number);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const aN = aParts[i] ?? 0;
+    const bN = bParts[i] ?? 0;
+    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
+    if (aN < bN) return -1;
+    if (aN > bN) return 1;
+  }
+  return 0;
+}
+function detectUpdateType(current, latest) {
+  const cParts = current.replace(/^v/, "").split(".").map(Number);
+  const lParts = latest.replace(/^v/, "").split(".").map(Number);
+  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
+  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
+  return "patch";
+}
+async function fetchNpmLatest(packageName) {
+  try {
+    const res = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchSmitheryLatest(name) {
+  try {
+    const res = await fetch(
+      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchGithubLatest(resolved) {
+  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  const [, owner, repo] = match;
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
+  } catch {
+    return null;
+  }
+}
+async function checkVersion(name, lockEntry) {
+  const current = lockEntry.version;
+  let latest = null;
+  if (lockEntry.source === "npm") {
+    latest = await fetchNpmLatest(name);
+  } else if (lockEntry.source === "smithery") {
+    latest = await fetchSmitheryLatest(name);
+  } else if (lockEntry.source === "github") {
+    latest = await fetchGithubLatest(lockEntry.resolved);
+  }
+  if (!latest || latest === current) {
+    return {
+      server: name,
+      source: lockEntry.source,
+      currentVersion: current,
+      latestVersion: latest ?? current,
+      hasUpdate: false
+    };
+  }
+  const hasUpdate = compareVersions(current, latest) === -1;
+  return {
+    server: name,
+    source: lockEntry.source,
+    currentVersion: current,
+    latestVersion: latest,
+    hasUpdate,
+    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
+  };
+}
+async function checkAllVersions(lockfile) {
+  const entries = Object.entries(lockfile.servers);
+  if (entries.length === 0) return [];
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p11 = checkVersion(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p11);
+    });
+    executing.add(p11);
+    if (executing.size >= 5) {
+      await Promise.race(executing);
+    }
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/server-updater.ts
+init_cjs_shims();
+
+// src/core/server-resolver.ts
+init_cjs_shims();
+
+// src/core/registry.ts
+init_cjs_shims();
+var import_node_crypto = require("crypto");
+function computeIntegrity(resolvedUrl) {
+  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
+  return `sha512-${hash}`;
+}
+async function resolveFromSmithery(name) {
+  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Server '${name}' not found on Smithery registry`);
+    }
+    if (!res.ok) {
+      throw new Error(`Smithery API error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const command = typeof data.command === "string" ? data.command : "npx";
+  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
+  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
+  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
+  return {
+    name,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command,
+    args,
+    envVars,
+    resolved
+  };
+}
+async function resolveFromNpm(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Package '${packageName}' not found on npm`);
+    }
+    if (!res.ok) {
+      throw new Error(`npm registry error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
+  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
+  const envVars = mcpField?.envVars ? mcpField.envVars : [];
+  return {
+    name: packageName,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", `${packageName}@${version}`],
+    envVars,
+    resolved
+  };
+}
+async function resolveFromGitHub(githubUrl) {
+  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) {
+    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
+  let pkgData = {};
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
+    if (res.ok) {
+      pkgData = await res.json();
+    }
+  } catch {
+  }
+  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
+  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
+  return {
+    name,
+    version,
+    description: typeof pkgData.description === "string" ? pkgData.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", githubUrl],
+    envVars: [],
+    resolved: githubUrl
+  };
+}
+
+// src/core/server-resolver.ts
+function detectSource(input) {
+  if (input.startsWith("smithery:")) {
+    return { type: "smithery", input: input.slice(9) };
+  }
+  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
+    return { type: "github", input };
+  }
+  return { type: "npm", input };
+}
+function parseEnvFlags(envFlags) {
+  if (!envFlags) return {};
+  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
+  const result = {};
+  for (const flag of flags) {
+    const idx = flag.indexOf("=");
+    if (idx > 0) {
+      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+    }
+  }
+  return result;
+}
+async function resolveServer(input) {
+  const source = detectSource(input);
+  switch (source.type) {
+    case "smithery":
+      return resolveFromSmithery(source.input);
+    case "github":
+      return resolveFromGitHub(source.input);
+    case "npm":
+      return resolveFromNpm(source.input);
+  }
+}
+
+// src/core/server-updater.ts
+async function applyServerUpdate(serverName, lockEntry, clients) {
+  const fromVersion = lockEntry.version;
+  const input = lockEntry.source === "smithery" ? `smithery:${serverName}` : lockEntry.source === "github" ? lockEntry.resolved : serverName;
+  try {
+    const metadata = await resolveServer(input);
+    const integrity = computeIntegrity(metadata.resolved);
+    addEntry(serverName, {
+      ...lockEntry,
+      version: metadata.version,
+      resolved: metadata.resolved,
+      integrity,
+      command: metadata.command,
+      args: metadata.args,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const targetClients = clients.filter(
+      (c) => lockEntry.clients.includes(c.type)
+    );
+    for (const client of targetClients) {
+      try {
+        await client.addServer(serverName, {
+          command: metadata.command,
+          args: metadata.args
+        });
+      } catch {
+      }
+    }
+    return {
+      server: serverName,
+      success: true,
+      fromVersion,
+      toVersion: metadata.version
+    };
+  } catch (err) {
+    return {
+      server: serverName,
+      success: false,
+      fromVersion,
+      toVersion: fromVersion,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+
+// src/commands/audit.ts
+function colorRisk(level, score) {
+  const label = score !== null ? `${score}/100 (${level})` : level;
+  if (level === "LOW") return import_picocolors.default.green(label);
+  if (level === "MEDIUM") return import_picocolors.default.yellow(label);
+  if (level === "HIGH") return import_picocolors.default.red(label);
+  if (level === "CRITICAL") return import_picocolors.default.bold(import_picocolors.default.red(label));
+  return import_picocolors.default.dim(label);
+}
+function daysAgo(isoDate) {
+  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "1 day ago";
+  return `${days} days ago`;
+}
+function countVulns(vulns) {
+  const c = { critical: 0, high: 0, moderate: 0, low: 0 };
+  for (const v of vulns) c[v.severity]++;
+  if (vulns.length === 0) return import_picocolors.default.green("none");
+  const parts = [];
+  if (c.critical) parts.push(import_picocolors.default.bold(import_picocolors.default.red(`${c.critical} critical`)));
+  if (c.high) parts.push(import_picocolors.default.red(`${c.high} high`));
+  if (c.moderate) parts.push(import_picocolors.default.yellow(`${c.moderate} moderate`));
+  if (c.low) parts.push(import_picocolors.default.dim(`${c.low} low`));
+  return parts.join(", ");
+}
+function printReport(report) {
+  const riskColored = colorRisk(report.riskLevel, report.score);
+  const icon = report.riskLevel === "LOW" ? import_picocolors.default.green("\u25CF") : report.riskLevel === "MEDIUM" ? import_picocolors.default.yellow("\u25CF") : report.riskLevel === "UNKNOWN" ? import_picocolors.default.dim("\u25CB") : import_picocolors.default.red("\u25CF");
+  console.log(`  ${icon} ${import_picocolors.default.bold(report.server)}  Score: ${riskColored}`);
+  if (report.source !== "npm") {
+    console.log(`    ${import_picocolors.default.dim("Non-npm source \u2014 security data unavailable")}`);
+    console.log();
+    return;
+  }
+  if (report.metadata) {
+    const { weeklyDownloads, packageAge, lastPublish, maintainerCount, deprecated } = report.metadata;
+    const dlStr = weeklyDownloads.toLocaleString();
+    console.log(
+      `    ${import_picocolors.default.dim("Downloads:")} ${dlStr}/week  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Age:")} ${packageAge}d  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Last publish:")} ${daysAgo(lastPublish)}  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Maintainers:")} ${maintainerCount}` + (deprecated ? import_picocolors.default.red("  [DEPRECATED]") : "")
+    );
+  }
+  console.log(`    ${import_picocolors.default.dim("Vulnerabilities:")} ${countVulns(report.vulnerabilities)}`);
+  if (report.vulnerabilities.length > 0) {
+    for (const v of report.vulnerabilities) {
+      const sevColor = v.severity === "critical" || v.severity === "high" ? import_picocolors.default.red : import_picocolors.default.yellow;
+      const url = v.url ? import_picocolors.default.dim(` ${v.url}`) : "";
+      console.log(`      ${sevColor("\u25B8")} [${v.severity}] ${v.title}${url}`);
+    }
+  }
+  console.log();
+}
+var audit_default = (0, import_citty.defineCommand)({
+  meta: {
+    name: "audit",
+    description: "Scan installed MCP servers for security vulnerabilities and trust scores"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Specific server to audit (omit to audit all)",
+      required: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    },
+    fix: {
+      type: "boolean",
+      description: "Apply updates to fix vulnerable packages",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt (use with --fix)",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const lockfile = readLockfile();
+    const { servers } = lockfile;
+    if (Object.keys(servers).length === 0) {
+      console.log(import_picocolors.default.dim("\n  No MCP servers installed. Run mcpman install <server> to get started.\n"));
+      return;
+    }
+    const targets = {};
+    if (args.server) {
+      if (!servers[args.server]) {
+        console.error(import_picocolors.default.red(`
+  Server "${args.server}" not found in lockfile.
+`));
+        process.exit(1);
+      }
+      targets[args.server] = servers[args.server];
+    } else {
+      Object.assign(targets, servers);
+    }
+    const spinner5 = (0, import_nanospinner.createSpinner)(`Scanning ${Object.keys(targets).length} server(s)...`).start();
+    let reports;
+    try {
+      reports = args.server ? [await scanServer(args.server, targets[args.server])] : await scanAllServers(targets);
+    } catch (err) {
+      spinner5.error({ text: "Scan failed" });
+      console.error(import_picocolors.default.red(String(err)));
+      process.exit(1);
+    }
+    spinner5.success({ text: `Scanned ${reports.length} server(s)` });
+    if (args.json) {
+      console.log(JSON.stringify(reports, null, 2));
+      return;
+    }
+    console.log(import_picocolors.default.bold("\n  mcpman audit\n"));
+    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
+    for (const report of reports) {
+      printReport(report);
+    }
+    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
+    const withIssues = reports.filter(
+      (r) => r.riskLevel !== "LOW" && r.riskLevel !== "UNKNOWN"
+    );
+    const npmReports = reports.filter((r) => r.source === "npm");
+    const parts = [];
+    parts.push(`${reports.length} server(s) scanned`);
+    if (npmReports.length < reports.length) {
+      parts.push(import_picocolors.default.dim(`${reports.length - npmReports.length} non-npm (unverified)`));
+    }
+    if (withIssues.length > 0) {
+      parts.push(import_picocolors.default.yellow(`${withIssues.length} with issues`));
+    } else {
+      parts.push(import_picocolors.default.green("all clear"));
+    }
+    console.log(`
+  Summary: ${parts.join(" | ")}
+`);
+    if (args.fix) {
+      await runAuditFix(reports, lockfile.servers, args.yes);
+    }
+  }
+});
+async function loadClients() {
+  try {
+    const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+async function runAuditFix(reports, servers, skipConfirm) {
+  const npmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source === "npm"
   );
-  return results.filter((r) => r.installed).map((r) => r.handler);
-}
-var init_client_detector = __esm({
-  "src/clients/client-detector.ts"() {
-    "use strict";
-    init_cjs_shims();
-    init_claude_desktop();
-    init_cursor();
-    init_vscode();
-    init_windsurf();
+  const nonNpmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source !== "npm"
+  );
+  if (nonNpmWithVulns.length > 0) {
+    console.log(import_picocolors.default.yellow("  Non-npm servers require manual update:"));
+    for (const r of nonNpmWithVulns) {
+      console.log(`    ${import_picocolors.default.dim("\u2192")} ${r.server} (${r.source})`);
+    }
+    console.log();
   }
-});
-
-// src/index.ts
-init_cjs_shims();
-var import_citty6 = require("citty");
+  if (npmWithVulns.length === 0) {
+    console.log(import_picocolors.default.green("  No fixable vulnerabilities found.\n"));
+    return;
+  }
+  const versionSpinner = (0, import_nanospinner.createSpinner)("Checking for available updates...").start();
+  const versionChecks = await Promise.all(
+    npmWithVulns.map((r) => checkVersion(r.server, servers[r.server]))
+  );
+  versionSpinner.success({ text: "Version check complete" });
+  const updatable = versionChecks.filter((u) => u.hasUpdate);
+  if (updatable.length === 0) {
+    console.log(import_picocolors.default.yellow(
+      "  Vulnerable servers have no newer versions available yet.\n  Allow time for registry to publish fixes.\n"
+    ));
+    return;
+  }
+  console.log(import_picocolors.default.bold(`
+  ${updatable.length} server(s) can be updated to fix vulnerabilities:
+`));
+  for (const u of updatable) {
+    console.log(`    ${import_picocolors.default.cyan("\u2192")} ${u.server}  ${import_picocolors.default.dim(u.currentVersion)} \u2192 ${import_picocolors.default.green(u.latestVersion)}`);
+  }
+  console.log();
+  if (!skipConfirm) {
+    const confirmed = await p.confirm({
+      message: `Update ${updatable.length} vulnerable server(s)?`,
+      initialValue: true
+    });
+    if (p.isCancel(confirmed) || !confirmed) {
+      p.outro("Cancelled.");
+      return;
+    }
+  }
+  const clients = await loadClients();
+  let successCount = 0;
+  const results = [];
+  for (const u of updatable) {
+    const s = (0, import_nanospinner.createSpinner)(`Updating ${u.server}...`).start();
+    const result = await applyServerUpdate(u.server, servers[u.server], clients);
+    if (result.success) {
+      s.success({ text: `${import_picocolors.default.green("\u2713")} ${u.server}: ${result.fromVersion} \u2192 ${result.toVersion}` });
+      successCount++;
+    } else {
+      s.error({ text: `${import_picocolors.default.red("\u2717")} ${u.server}: ${result.error}` });
+    }
+    results.push({
+      server: u.server,
+      from: result.fromVersion,
+      to: result.toVersion,
+      ok: result.success,
+      error: result.error
+    });
+  }
+  console.log();
+  if (successCount > 0) {
+    const updatedNames = results.filter((r) => r.ok).map((r) => r.server);
+    const freshLockfile = readLockfile();
+    const rescanSpinner = (0, import_nanospinner.createSpinner)("Re-scanning updated servers...").start();
+    const afterReports = await Promise.all(
+      updatedNames.map((name) => scanServer(name, freshLockfile.servers[name]))
+    );
+    rescanSpinner.success({ text: "Re-scan complete" });
+    console.log(import_picocolors.default.bold("\n  Before / After:\n"));
+    for (const after of afterReports) {
+      const before = reports.find((r) => r.server === after.server);
+      const beforeVulns = before?.vulnerabilities.length ?? 0;
+      const afterVulns = after.vulnerabilities.length;
+      const improved = afterVulns < beforeVulns ? import_picocolors.default.green("improved") : import_picocolors.default.yellow("unchanged");
+      console.log(
+        `    ${import_picocolors.default.bold(after.server)}  vulns: ${beforeVulns} \u2192 ${afterVulns}  [${improved}]`
+      );
+    }
+    console.log();
+  }
+  console.log(`
+  ${successCount} of ${updatable.length} server(s) updated.
+`);
+}
 
 // src/commands/doctor.ts
 init_cjs_shims();
-var import_citty = require("citty");
-var import_picocolors = __toESM(require("picocolors"), 1);
+var import_citty2 = require("citty");
+var import_picocolors2 = __toESM(require("picocolors"), 1);
 
 // src/core/server-inventory.ts
 init_cjs_shims();
@@ -609,12 +1608,12 @@ async function quickHealthProbe(config, timeoutMs = 3e3) {
 
 // src/commands/doctor.ts
 var CHECK_ICON = {
-  pass: import_picocolors.default.green("\u2713"),
-  fail: import_picocolors.default.red("\u2717"),
-  skip: import_picocolors.default.dim("-"),
-  warn: import_picocolors.default.yellow("\u26A0")
+  pass: import_picocolors2.default.green("\u2713"),
+  fail: import_picocolors2.default.red("\u2717"),
+  skip: import_picocolors2.default.dim("-"),
+  warn: import_picocolors2.default.yellow("\u26A0")
 };
-var doctor_default = (0, import_citty.defineCommand)({
+var doctor_default = (0, import_citty2.defineCommand)({
   meta: {
     name: "doctor",
     description: "Check MCP server health and configuration"
@@ -627,10 +1626,10 @@ var doctor_default = (0, import_citty.defineCommand)({
     }
   },
   async run({ args }) {
-    console.log(import_picocolors.default.bold("\n  mcpman doctor\n"));
+    console.log(import_picocolors2.default.bold("\n  mcpman doctor\n"));
     const servers = await getInstalledServers();
     if (servers.length === 0) {
-      console.log(import_picocolors.default.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
+      console.log(import_picocolors2.default.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
       return;
     }
     const tasks = servers.map((s) => () => checkServerHealth(s.name, s.config));
@@ -642,14 +1641,14 @@ var doctor_default = (0, import_citty.defineCommand)({
       if (result.status === "healthy") passed++;
       else failed++;
     }
-    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(50)));
+    console.log(import_picocolors2.default.dim("  " + "\u2500".repeat(50)));
     const parts = [];
-    if (passed > 0) parts.push(import_picocolors.default.green(`${passed} healthy`));
-    if (failed > 0) parts.push(import_picocolors.default.red(`${failed} unhealthy`));
+    if (passed > 0) parts.push(import_picocolors2.default.green(`${passed} healthy`));
+    if (failed > 0) parts.push(import_picocolors2.default.red(`${failed} unhealthy`));
     console.log(`  Summary: ${parts.join(", ")}`);
     if (failed > 0) {
       if (!args.fix) {
-        console.log(import_picocolors.default.dim(`  Run ${import_picocolors.default.cyan("mcpman doctor --fix")} for fix suggestions.
+        console.log(import_picocolors2.default.dim(`  Run ${import_picocolors2.default.cyan("mcpman doctor --fix")} for fix suggestions.
 `));
       }
       process.exit(1);
@@ -658,13 +1657,13 @@ var doctor_default = (0, import_citty.defineCommand)({
   }
 });
 function printServerResult(result, showFix) {
-  const icon = result.status === "healthy" ? import_picocolors.default.green("\u25CF") : import_picocolors.default.red("\u25CF");
-  console.log(`  ${icon} ${import_picocolors.default.bold(result.serverName)}`);
+  const icon = result.status === "healthy" ? import_picocolors2.default.green("\u25CF") : import_picocolors2.default.red("\u25CF");
+  console.log(`  ${icon} ${import_picocolors2.default.bold(result.serverName)}`);
   for (const check of result.checks) {
     const checkIcon = check.skipped ? CHECK_ICON.skip : check.passed ? CHECK_ICON.pass : CHECK_ICON.fail;
     console.log(`    ${checkIcon} ${check.name}: ${check.message}`);
     if (showFix && !check.passed && !check.skipped && check.fix) {
-      console.log(`      ${import_picocolors.default.yellow("\u2192")} Fix: ${import_picocolors.default.cyan(check.fix)}`);
+      console.log(`      ${import_picocolors2.default.yellow("\u2192")} Fix: ${import_picocolors2.default.cyan(check.fix)}`);
     }
   }
   console.log();
@@ -673,11 +1672,11 @@ async function runParallel(tasks, concurrency) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const task of tasks) {
-    const p5 = task().then((r) => {
+    const p11 = task().then((r) => {
       results.push(r);
-      executing.delete(p5);
+      executing.delete(p11);
     });
-    executing.add(p5);
+    executing.add(p11);
     if (executing.size >= concurrency) {
       await Promise.race(executing);
     }
@@ -688,184 +1687,10 @@ async function runParallel(tasks, concurrency) {
 
 // src/commands/init.ts
 init_cjs_shims();
-var import_citty2 = require("citty");
-var p = __toESM(require("@clack/prompts"), 1);
-var import_node_path4 = __toESM(require("path"), 1);
-
-// src/core/lockfile.ts
-init_cjs_shims();
-var import_node_fs2 = __toESM(require("fs"), 1);
-var import_node_path3 = __toESM(require("path"), 1);
-var import_node_os2 = __toESM(require("os"), 1);
-var LOCKFILE_NAME = "mcpman.lock";
-function findLockfile() {
-  let dir = process.cwd();
-  while (true) {
-    const candidate = import_node_path3.default.join(dir, LOCKFILE_NAME);
-    if (import_node_fs2.default.existsSync(candidate)) return candidate;
-    const parent = import_node_path3.default.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return null;
-}
-function getGlobalLockfilePath() {
-  return import_node_path3.default.join(import_node_os2.default.homedir(), ".mcpman", LOCKFILE_NAME);
-}
-function resolveLockfilePath() {
-  return findLockfile() ?? getGlobalLockfilePath();
-}
-function readLockfile(filePath) {
-  const target = filePath ?? resolveLockfilePath();
-  if (!import_node_fs2.default.existsSync(target)) {
-    return { lockfileVersion: 1, servers: {} };
-  }
-  try {
-    const raw = import_node_fs2.default.readFileSync(target, "utf-8");
-    return JSON.parse(raw);
-  } catch {
-    return { lockfileVersion: 1, servers: {} };
-  }
-}
-function serialize(data) {
-  const sorted = {
-    lockfileVersion: data.lockfileVersion,
-    servers: Object.fromEntries(
-      Object.entries(data.servers).sort(([a], [b]) => a.localeCompare(b))
-    )
-  };
-  return JSON.stringify(sorted, null, 2) + "\n";
-}
-function writeLockfile(data, filePath) {
-  const target = filePath ?? resolveLockfilePath();
-  const dir = import_node_path3.default.dirname(target);
-  if (!import_node_fs2.default.existsSync(dir)) {
-    import_node_fs2.default.mkdirSync(dir, { recursive: true });
-  }
-  const tmp = `${target}.tmp`;
-  import_node_fs2.default.writeFileSync(tmp, serialize(data), "utf-8");
-  import_node_fs2.default.renameSync(tmp, target);
-}
-function addEntry(name, entry, filePath) {
-  const data = readLockfile(filePath);
-  data.servers[name] = entry;
-  writeLockfile(data, filePath);
-}
-function createEmptyLockfile(filePath) {
-  writeLockfile({ lockfileVersion: 1, servers: {} }, filePath);
-}
-
-// src/core/registry.ts
-init_cjs_shims();
-var import_node_crypto = require("crypto");
-function computeIntegrity(resolvedUrl) {
-  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
-  return `sha512-${hash}`;
-}
-async function resolveFromSmithery(name) {
-  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Server '${name}' not found on Smithery registry`);
-    }
-    if (!res.ok) {
-      throw new Error(`Smithery API error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const command = typeof data.command === "string" ? data.command : "npx";
-  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
-  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
-  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
-  return {
-    name,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command,
-    args,
-    envVars,
-    resolved
-  };
-}
-async function resolveFromNpm(packageName) {
-  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Package '${packageName}' not found on npm`);
-    }
-    if (!res.ok) {
-      throw new Error(`npm registry error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
-  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
-  const envVars = mcpField?.envVars ? mcpField.envVars : [];
-  return {
-    name: packageName,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", `${packageName}@${version}`],
-    envVars,
-    resolved
-  };
-}
-async function resolveFromGitHub(githubUrl) {
-  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) {
-    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
-  }
-  const [, owner, repo] = match;
-  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
-  let pkgData = {};
-  try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
-    if (res.ok) {
-      pkgData = await res.json();
-    }
-  } catch {
-  }
-  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
-  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
-  return {
-    name,
-    version,
-    description: typeof pkgData.description === "string" ? pkgData.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", githubUrl],
-    envVars: [],
-    resolved: githubUrl
-  };
-}
-
-// src/commands/init.ts
-var init_default = (0, import_citty2.defineCommand)({
+var import_citty3 = require("citty");
+var p2 = __toESM(require("@clack/prompts"), 1);
+var import_node_path5 = __toESM(require("path"), 1);
+var init_default = (0, import_citty3.defineCommand)({
   meta: {
     name: "init",
     description: "Initialize mcpman.lock in the current project"
@@ -880,17 +1705,17 @@ var init_default = (0, import_citty2.defineCommand)({
   },
   async run({ args }) {
     const nonInteractive = args.yes || !process.stdout.isTTY;
-    p.intro("mcpman init");
-    const targetPath = import_node_path4.default.join(process.cwd(), LOCKFILE_NAME);
+    p2.intro("mcpman init");
+    const targetPath = import_node_path5.default.join(process.cwd(), LOCKFILE_NAME);
     const existing = findLockfile();
     if (existing) {
       if (nonInteractive) {
-        p.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
+        p2.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
       } else {
-        p.log.warn(`Lockfile already exists: ${existing}`);
-        const overwrite = await p.confirm({ message: "Overwrite?" });
-        if (p.isCancel(overwrite) || !overwrite) {
-          p.outro("Cancelled.");
+        p2.log.warn(`Lockfile already exists: ${existing}`);
+        const overwrite = await p2.confirm({ message: "Overwrite?" });
+        if (p2.isCancel(overwrite) || !overwrite) {
+          p2.outro("Cancelled.");
           return;
         }
       }
@@ -900,7 +1725,7 @@ var init_default = (0, import_citty2.defineCommand)({
       const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
       clients = await mod.getInstalledClients();
     } catch {
-      p.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
+      p2.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
     }
     const clientServers = [];
     for (const client of clients) {
@@ -914,26 +1739,26 @@ var init_default = (0, import_citty2.defineCommand)({
     }
     createEmptyLockfile(targetPath);
     if (clientServers.length === 0) {
-      p.log.info("No existing servers found in any client config.");
-      p.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
+      p2.log.info("No existing servers found in any client config.");
+      p2.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
       return;
     }
     let selected;
     if (nonInteractive) {
       selected = clientServers.map((cs) => cs.client.type);
-      p.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
+      p2.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
     } else {
       const options = clientServers.map((cs) => ({
         value: cs.client.type,
         label: `${cs.client.displayName} (${Object.keys(cs.servers).length} servers)`
       }));
-      const toImport = await p.multiselect({
+      const toImport = await p2.multiselect({
         message: "Import existing servers into lockfile?",
         options,
         required: false
       });
-      if (p.isCancel(toImport)) {
-        p.outro(`Created empty ${LOCKFILE_NAME}`);
+      if (p2.isCancel(toImport)) {
+        p2.outro(`Created empty ${LOCKFILE_NAME}`);
         return;
       }
       selected = toImport;
@@ -959,7 +1784,7 @@ var init_default = (0, import_citty2.defineCommand)({
         importCount++;
       }
     }
-    p.outro(
+    p2.outro(
       `Created ${LOCKFILE_NAME} with ${importCount} server(s) \u2014 commit to version control!`
     );
   }
@@ -967,49 +1792,48 @@ var init_default = (0, import_citty2.defineCommand)({
 
 // src/commands/install.ts
 init_cjs_shims();
-var import_citty3 = require("citty");
+var import_citty4 = require("citty");
 
 // src/core/installer.ts
 init_cjs_shims();
-var p2 = __toESM(require("@clack/prompts"), 1);
+var p5 = __toESM(require("@clack/prompts"), 1);
 
-// src/core/server-resolver.ts
+// src/core/installer-vault-helpers.ts
 init_cjs_shims();
-function detectSource(input) {
-  if (input.startsWith("smithery:")) {
-    return { type: "smithery", input: input.slice(9) };
-  }
-  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
-    return { type: "github", input };
-  }
-  return { type: "npm", input };
-}
-function parseEnvFlags(envFlags) {
-  if (!envFlags) return {};
-  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
-  const result = {};
-  for (const flag of flags) {
-    const idx = flag.indexOf("=");
-    if (idx > 0) {
-      result[flag.slice(0, idx)] = flag.slice(idx + 1);
-    }
-  }
-  return result;
-}
-async function resolveServer(input) {
-  const source = detectSource(input);
-  switch (source.type) {
-    case "smithery":
-      return resolveFromSmithery(source.input);
-    case "github":
-      return resolveFromGitHub(source.input);
-    case "npm":
-      return resolveFromNpm(source.input);
+var p4 = __toESM(require("@clack/prompts"), 1);
+init_vault_service();
+async function tryLoadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
+    }
+    const password2 = await getMasterPassword();
+    return getSecretsForServer(serverName, password2);
+  } catch {
+    return {};
+  }
+}
+async function offerVaultSave(serverName, newVars, yes) {
+  if (Object.keys(newVars).length === 0) return;
+  if (yes) return;
+  try {
+    const save = await p4.confirm({
+      message: `Save ${Object.keys(newVars).length} env var(s) to encrypted vault for future installs?`
+    });
+    if (p4.isCancel(save) || !save) return;
+    const password2 = await getMasterPassword();
+    for (const [key, value] of Object.entries(newVars)) {
+      setSecret(serverName, key, value, password2);
+    }
+    p4.log.success(`Credentials saved to vault for '${serverName}'`);
+  } catch (err) {
+    p4.log.warn(`Could not save to vault: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 
 // src/core/installer.ts
-async function loadClients() {
+async function loadClients2() {
   try {
     const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
     return mod.getInstalledClients();
@@ -1018,83 +1842,86 @@ async function loadClients() {
   }
 }
 async function installServer(input, options = {}) {
-  p2.intro("mcpman install");
-  const spinner2 = p2.spinner();
-  spinner2.start("Resolving server...");
+  p5.intro("mcpman install");
+  const spinner5 = p5.spinner();
+  spinner5.start("Resolving server...");
   let metadata;
   try {
     metadata = await resolveServer(input);
   } catch (err) {
-    spinner2.stop("Resolution failed");
-    p2.log.error(err instanceof Error ? err.message : String(err));
+    spinner5.stop("Resolution failed");
+    p5.log.error(err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
-  spinner2.stop(`Found: ${metadata.name}@${metadata.version}`);
-  const clients = await loadClients();
+  spinner5.stop(`Found: ${metadata.name}@${metadata.version}`);
+  const clients = await loadClients2();
   if (clients.length === 0) {
-    p2.log.warn("No supported AI clients detected on this machine.");
-    p2.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
+    p5.log.warn("No supported AI clients detected on this machine.");
+    p5.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
     process.exit(1);
   }
   let selectedClients;
   if (options.client) {
     const found = clients.find((c) => c.type === options.client || c.displayName.toLowerCase() === options.client?.toLowerCase());
     if (!found) {
-      p2.log.error(`Client '${options.client}' not found or not installed.`);
-      p2.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
+      p5.log.error(`Client '${options.client}' not found or not installed.`);
+      p5.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
       process.exit(1);
     }
     selectedClients = [found];
   } else if (options.yes || clients.length === 1) {
     selectedClients = clients;
   } else {
-    const chosen = await p2.multiselect({
+    const chosen = await p5.multiselect({
       message: "Install to which client(s)?",
       options: clients.map((c) => ({ value: c.type, label: c.displayName })),
       required: true
     });
-    if (p2.isCancel(chosen)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(chosen)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     selectedClients = clients.filter((c) => chosen.includes(c.type));
   }
   const providedEnv = parseEnvFlags(options.env);
-  const collectedEnv = { ...providedEnv };
+  const vaultEnv = await tryLoadVaultSecrets(metadata.name);
+  const collectedEnv = { ...vaultEnv, ...providedEnv };
+  const newlyEnteredVars = {};
   const requiredVars = metadata.envVars.filter((e) => e.required && !(e.name in collectedEnv));
   for (const envVar of requiredVars) {
     if (options.yes && envVar.default) {
       collectedEnv[envVar.name] = envVar.default;
       continue;
     }
-    const val = await p2.text({
+    const val = await p5.text({
       message: `${envVar.name}${envVar.description ? ` \u2014 ${envVar.description}` : ""}`,
       placeholder: envVar.default ?? "",
       validate: (v) => envVar.required && !v ? "Required" : void 0
     });
-    if (p2.isCancel(val)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(val)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     collectedEnv[envVar.name] = val;
+    newlyEnteredVars[envVar.name] = val;
   }
   const entry = {
     command: metadata.command,
     args: metadata.args,
     ...Object.keys(collectedEnv).length > 0 ? { env: collectedEnv } : {}
   };
-  spinner2.start("Writing config...");
+  spinner5.start("Writing config...");
   const clientTypes = [];
   for (const client of selectedClients) {
     try {
       await client.addServer(metadata.name, entry);
       clientTypes.push(client.type);
     } catch (err) {
-      spinner2.stop("Partial failure");
-      p2.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
+      spinner5.stop("Partial failure");
+      p5.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
-  spinner2.stop("Config written");
+  spinner5.stop("Config written");
   const source = detectSource(input);
   const integrity = computeIntegrity(metadata.resolved);
   addEntry(metadata.name, {
@@ -1110,13 +1937,14 @@ async function installServer(input, options = {}) {
     clients: clientTypes
   });
   const lockPath = findLockfile() ?? "mcpman.lock (global)";
-  p2.log.success(`Lockfile updated: ${lockPath}`);
-  p2.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
+  p5.log.success(`Lockfile updated: ${lockPath}`);
+  await offerVaultSave(metadata.name, newlyEnteredVars, options.yes ?? false);
+  p5.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
 }
 
 // src/utils/logger.ts
 init_cjs_shims();
-var import_picocolors2 = __toESM(require("picocolors"), 1);
+var import_picocolors3 = __toESM(require("picocolors"), 1);
 var noColor = process.env.NO_COLOR !== void 0 || process.argv.includes("--no-color");
 var isVerbose = process.argv.includes("--verbose");
 var isJson = process.argv.includes("--json");
@@ -1125,19 +1953,19 @@ function colorize(fn, text2) {
 }
 function info(message) {
   if (isJson) return;
-  console.log(`${colorize(import_picocolors2.default.cyan, "i")} ${message}`);
+  console.log(`${colorize(import_picocolors3.default.cyan, "i")} ${message}`);
 }
 function error(message) {
   if (isJson) return;
-  console.error(`${colorize(import_picocolors2.default.red, "\u2717")} ${message}`);
+  console.error(`${colorize(import_picocolors3.default.red, "\u2717")} ${message}`);
 }
 function json(data) {
   console.log(JSON.stringify(data, null, 2));
 }
 
 // src/commands/install.ts
-var p3 = __toESM(require("@clack/prompts"), 1);
-var install_default = (0, import_citty3.defineCommand)({
+var p6 = __toESM(require("@clack/prompts"), 1);
+var install_default = (0, import_citty4.defineCommand)({
   meta: {
     name: "install",
     description: "Install an MCP server into one or more AI clients"
@@ -1186,8 +2014,8 @@ async function restoreFromLockfile() {
     info("Lockfile is empty \u2014 nothing to restore.");
     return;
   }
-  p3.intro(`mcpman install (restore from ${lockPath})`);
-  p3.log.info(`Restoring ${entries.length} server(s)...`);
+  p6.intro(`mcpman install (restore from ${lockPath})`);
+  p6.log.info(`Restoring ${entries.length} server(s)...`);
   for (const [name, entry] of entries) {
     const input = entry.source === "smithery" ? `smithery:${name}` : entry.source === "github" ? entry.resolved : name;
     await installServer(input, {
@@ -1195,19 +2023,19 @@ async function restoreFromLockfile() {
       yes: true
     });
   }
-  p3.outro("Restore complete.");
+  p6.outro("Restore complete.");
 }
 
 // src/commands/list.ts
 init_cjs_shims();
-var import_citty4 = require("citty");
-var import_picocolors3 = __toESM(require("picocolors"), 1);
+var import_citty5 = require("citty");
+var import_picocolors4 = __toESM(require("picocolors"), 1);
 var STATUS_ICON = {
-  healthy: import_picocolors3.default.green("\u25CF"),
-  unhealthy: import_picocolors3.default.red("\u25CF"),
-  unknown: import_picocolors3.default.dim("\u25CB")
+  healthy: import_picocolors4.default.green("\u25CF"),
+  unhealthy: import_picocolors4.default.red("\u25CF"),
+  unknown: import_picocolors4.default.dim("\u25CB")
 };
-var list_default = (0, import_citty4.defineCommand)({
+var list_default = (0, import_citty5.defineCommand)({
   meta: {
     name: "list",
     description: "List installed MCP servers"
@@ -1227,7 +2055,7 @@ var list_default = (0, import_citty4.defineCommand)({
     const servers = await getInstalledServers(args.client);
     if (servers.length === 0) {
       const filter = args.client ? ` for client "${args.client}"` : "";
-      console.log(import_picocolors3.default.dim(`No MCP servers installed${filter}. Run ${import_picocolors3.default.cyan("mcpman install <server>")} to get started.`));
+      console.log(import_picocolors4.default.dim(`No MCP servers installed${filter}. Run ${import_picocolors4.default.cyan("mcpman install <server>")} to get started.`));
       return;
     }
     const withStatus = await Promise.all(
@@ -1251,8 +2079,8 @@ var list_default = (0, import_citty4.defineCommand)({
     const nameWidth = Math.max(4, ...withStatus.map((s) => s.name.length));
     const clientsWidth = Math.max(7, ...withStatus.map((s) => formatClients(s.clients).length));
     const header = `  ${pad("NAME", nameWidth)}  ${pad("CLIENT(S)", clientsWidth)}  ${pad("COMMAND", 20)}  STATUS`;
-    console.log(import_picocolors3.default.dim(header));
-    console.log(import_picocolors3.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
+    console.log(import_picocolors4.default.dim(header));
+    console.log(import_picocolors4.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
     for (const s of withStatus) {
       const icon = STATUS_ICON[s.status];
       const clientsStr = formatClients(s.clients);
@@ -1260,7 +2088,7 @@ var list_default = (0, import_citty4.defineCommand)({
       console.log(`  ${pad(s.name, nameWidth)}  ${pad(clientsStr, clientsWidth)}  ${pad(cmdStr, 20)}  ${icon} ${s.status}`);
     }
     const clientSet = new Set(withStatus.flatMap((s) => s.clients));
-    console.log(import_picocolors3.default.dim(`
+    console.log(import_picocolors4.default.dim(`
   ${withStatus.length} server${withStatus.length !== 1 ? "s" : ""} \xB7 ${clientSet.size} client${clientSet.size !== 1 ? "s" : ""}`));
   }
 });
@@ -1282,9 +2110,9 @@ function formatClients(clients) {
 
 // src/commands/remove.ts
 init_cjs_shims();
-var import_citty5 = require("citty");
-var p4 = __toESM(require("@clack/prompts"), 1);
-var import_picocolors4 = __toESM(require("picocolors"), 1);
+var import_citty6 = require("citty");
+var p7 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors5 = __toESM(require("picocolors"), 1);
 init_client_detector();
 var CLIENT_DISPLAY2 = {
   "claude-desktop": "Claude",
@@ -1295,7 +2123,7 @@ var CLIENT_DISPLAY2 = {
 function clientDisplayName(type) {
   return CLIENT_DISPLAY2[type] ?? type;
 }
-var remove_default = (0, import_citty5.defineCommand)({
+var remove_default = (0, import_citty6.defineCommand)({
   meta: {
     name: "remove",
     description: "Remove an MCP server from one or more AI clients"
@@ -1322,17 +2150,17 @@ var remove_default = (0, import_citty5.defineCommand)({
     }
   },
   async run({ args }) {
-    p4.intro(import_picocolors4.default.bold("mcpman remove"));
+    p7.intro(import_picocolors5.default.bold("mcpman remove"));
     const serverName = args.server;
     const servers = await getInstalledServers();
     const match = servers.find((s) => s.name === serverName);
     if (!match) {
-      p4.log.warn(`Server "${serverName}" is not installed.`);
+      p7.log.warn(`Server "${serverName}" is not installed.`);
       const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
       if (similar.length > 0) {
-        p4.log.info(`Did you mean: ${similar.map((s) => import_picocolors4.default.cyan(s.name)).join(", ")}?`);
+        p7.log.info(`Did you mean: ${similar.map((s) => import_picocolors5.default.cyan(s.name)).join(", ")}?`);
       }
-      p4.outro("Nothing to remove.");
+      p7.outro("Nothing to remove.");
       return;
     }
     let targetClients;
@@ -1340,15 +2168,15 @@ var remove_default = (0, import_citty5.defineCommand)({
       targetClients = match.clients;
     } else if (args.client) {
       if (!match.clients.includes(args.client)) {
-        p4.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
-        p4.outro("Nothing to remove.");
+        p7.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
+        p7.outro("Nothing to remove.");
         return;
       }
       targetClients = [args.client];
     } else if (match.clients.length === 1) {
       targetClients = match.clients;
     } else {
-      const selected = await p4.multiselect({
+      const selected = await p7.multiselect({
         message: `Remove "${serverName}" from which clients?`,
         options: match.clients.map((c) => ({
           value: c,
@@ -1356,19 +2184,19 @@ var remove_default = (0, import_citty5.defineCommand)({
         })),
         required: true
       });
-      if (p4.isCancel(selected)) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(selected)) {
+        p7.outro("Cancelled.");
         process.exit(0);
       }
       targetClients = selected;
     }
     if (!args.yes) {
       const clientNames = targetClients.map(clientDisplayName).join(", ");
-      const confirmed = await p4.confirm({
-        message: `Remove ${import_picocolors4.default.cyan(serverName)} from ${import_picocolors4.default.yellow(clientNames)}?`
+      const confirmed = await p7.confirm({
+        message: `Remove ${import_picocolors5.default.cyan(serverName)} from ${import_picocolors5.default.yellow(clientNames)}?`
       });
-      if (p4.isCancel(confirmed) || !confirmed) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(confirmed) || !confirmed) {
+        p7.outro("Cancelled.");
         return;
       }
     }
@@ -1382,25 +2210,606 @@ var remove_default = (0, import_citty5.defineCommand)({
       }
       try {
         await handler.removeServer(serverName);
-        p4.log.success(`Removed from ${clientDisplayName(clientType)}`);
+        p7.log.success(`Removed from ${clientDisplayName(clientType)}`);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         errors.push(`${clientDisplayName(clientType)}: ${msg}`);
       }
     }
     if (errors.length > 0) {
-      for (const e of errors) p4.log.error(e);
-      p4.outro(import_picocolors4.default.red("Completed with errors."));
+      for (const e of errors) p7.log.error(e);
+      p7.outro(import_picocolors5.default.red("Completed with errors."));
+      process.exit(1);
+    }
+    p7.outro(import_picocolors5.default.green(`Removed "${serverName}" successfully.`));
+  }
+});
+
+// src/commands/secrets.ts
+init_cjs_shims();
+var import_citty7 = require("citty");
+var import_picocolors6 = __toESM(require("picocolors"), 1);
+var p8 = __toESM(require("@clack/prompts"), 1);
+init_vault_service();
+function maskValue(value) {
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}***${value.slice(-3)}`;
+}
+function parseKeyValue(input) {
+  const idx = input.indexOf("=");
+  if (idx <= 0) return null;
+  return { key: input.slice(0, idx), value: input.slice(idx + 1) };
+}
+var setCommand = (0, import_citty7.defineCommand)({
+  meta: { name: "set", description: "Store an encrypted secret for a server" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name (e.g. @modelcontextprotocol/server-github)",
+      required: true
+    },
+    keyvalue: {
+      type: "positional",
+      description: "KEY=VALUE pair to store",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const parsed = parseKeyValue(args.keyvalue);
+    if (!parsed) {
+      console.error(import_picocolors6.default.red("\u2717") + " Invalid format. Expected KEY=VALUE");
+      process.exit(1);
+    }
+    p8.intro(import_picocolors6.default.cyan("mcpman secrets set"));
+    const isNew = listSecrets(args.server).length === 0 || !listSecrets(args.server)[0]?.keys.includes(parsed.key);
+    const vaultPath = (await Promise.resolve().then(() => (init_vault_service(), vault_service_exports))).getVaultPath();
+    const vaultExists = (await import("fs")).existsSync(vaultPath);
+    const password2 = await getMasterPassword(!vaultExists && isNew);
+    const spin = p8.spinner();
+    spin.start("Encrypting secret...");
+    try {
+      setSecret(args.server, parsed.key, parsed.value, password2);
+      spin.stop(
+        `${import_picocolors6.default.green("\u2713")} Stored ${import_picocolors6.default.bold(parsed.key)} for ${import_picocolors6.default.cyan(args.server)}`
+      );
+    } catch (err) {
+      spin.stop(import_picocolors6.default.red("\u2717") + " Failed to store secret");
+      console.error(import_picocolors6.default.dim(String(err)));
+      process.exit(1);
+    }
+    p8.outro(import_picocolors6.default.dim("Secret encrypted and saved to vault."));
+  }
+});
+var listCommand = (0, import_citty7.defineCommand)({
+  meta: { name: "list", description: "List secret keys stored in the vault" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Filter by server name (optional)",
+      required: false
+    }
+  },
+  async run({ args }) {
+    const results = listSecrets(args.server || void 0);
+    if (results.length === 0) {
+      const filter = args.server ? ` for ${import_picocolors6.default.cyan(args.server)}` : "";
+      console.log(import_picocolors6.default.dim(`No secrets stored${filter}.`));
+      return;
+    }
+    console.log("");
+    for (const { server, keys } of results) {
+      console.log(import_picocolors6.default.bold(import_picocolors6.default.cyan(server)));
+      for (const key of keys) {
+        console.log(`  ${import_picocolors6.default.green("\u25CF")} ${import_picocolors6.default.bold(key)}  ${import_picocolors6.default.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
+      }
+      console.log("");
+    }
+    const total = results.reduce((n, r) => n + r.keys.length, 0);
+    console.log(import_picocolors6.default.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
+  }
+});
+var removeCommand = (0, import_citty7.defineCommand)({
+  meta: { name: "remove", description: "Delete a secret from the vault" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name",
+      required: true
+    },
+    key: {
+      type: "positional",
+      description: "Secret key to remove",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const confirmed = await p8.confirm({
+      message: `Remove ${import_picocolors6.default.bold(args.key)} from ${import_picocolors6.default.cyan(args.server)}?`,
+      initialValue: false
+    });
+    if (p8.isCancel(confirmed) || !confirmed) {
+      p8.cancel("Cancelled.");
+      return;
+    }
+    try {
+      removeSecret(args.server, args.key);
+      console.log(`${import_picocolors6.default.green("\u2713")} Removed ${import_picocolors6.default.bold(args.key)} from ${import_picocolors6.default.cyan(args.server)}`);
+    } catch (err) {
+      console.error(import_picocolors6.default.red("\u2717") + " Failed to remove secret");
+      console.error(import_picocolors6.default.dim(String(err)));
+      process.exit(1);
+    }
+  }
+});
+var secrets_default = (0, import_citty7.defineCommand)({
+  meta: {
+    name: "secrets",
+    description: "Manage encrypted secrets for MCP servers"
+  },
+  subCommands: {
+    set: setCommand,
+    list: listCommand,
+    remove: removeCommand
+  }
+});
+
+// src/commands/sync.ts
+init_cjs_shims();
+var import_citty8 = require("citty");
+var p9 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors7 = __toESM(require("picocolors"), 1);
+
+// src/core/config-diff.ts
+init_cjs_shims();
+function reconstructServerEntry(lockEntry) {
+  const entry = {
+    command: lockEntry.command
+  };
+  if (lockEntry.args && lockEntry.args.length > 0) {
+    entry.args = lockEntry.args;
+  }
+  if (lockEntry.envVars && lockEntry.envVars.length > 0) {
+    entry.env = Object.fromEntries(lockEntry.envVars.map((k) => [k, ""]));
+  }
+  return entry;
+}
+function computeDiff(lockfile, clientConfigs, options = {}) {
+  const actions = [];
+  for (const [server, lockEntry] of Object.entries(lockfile.servers)) {
+    for (const client of lockEntry.clients) {
+      const config = clientConfigs.get(client);
+      if (!config) continue;
+      if (server in config.servers) {
+        actions.push({ server, client, action: "ok" });
+      } else {
+        actions.push({
+          server,
+          client,
+          action: "add",
+          entry: reconstructServerEntry(lockEntry)
+        });
+      }
+    }
+  }
+  const extraAction = options.remove ? "remove" : "extra";
+  for (const [client, config] of clientConfigs) {
+    for (const server of Object.keys(config.servers)) {
+      if (!(server in lockfile.servers)) {
+        actions.push({ server, client, action: extraAction });
+      }
+    }
+  }
+  return actions;
+}
+function computeDiffFromClient(sourceClient, clientConfigs, options = {}) {
+  const actions = [];
+  const sourceConfig = clientConfigs.get(sourceClient);
+  if (!sourceConfig) return [];
+  const extraAction = options.remove ? "remove" : "extra";
+  for (const [client, config] of clientConfigs) {
+    if (client === sourceClient) continue;
+    for (const [server, entry] of Object.entries(sourceConfig.servers)) {
+      if (server in config.servers) {
+        actions.push({ server, client, action: "ok" });
+      } else {
+        actions.push({ server, client, action: "add", entry });
+      }
+    }
+    for (const server of Object.keys(config.servers)) {
+      if (!(server in sourceConfig.servers)) {
+        actions.push({ server, client, action: extraAction });
+      }
+    }
+  }
+  return actions;
+}
+
+// src/core/sync-engine.ts
+init_cjs_shims();
+init_client_detector();
+async function applySyncActions(actions, clients) {
+  const result = { applied: 0, removed: 0, failed: 0, errors: [] };
+  const addActions = actions.filter((a) => a.action === "add" && a.entry);
+  for (const action of addActions) {
+    const handler = clients.get(action.client);
+    if (!handler || !action.entry) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.addServer(action.server, action.entry);
+      result.applied++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
+  const removeActions = actions.filter((a) => a.action === "remove");
+  for (const action of removeActions) {
+    const handler = clients.get(action.client);
+    if (!handler) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.removeServer(action.server);
+      result.removed++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
+  return result;
+}
+async function getClientConfigs() {
+  const configs = /* @__PURE__ */ new Map();
+  const handlers = /* @__PURE__ */ new Map();
+  let installedClients;
+  try {
+    installedClients = await getInstalledClients();
+  } catch {
+    return { configs, handlers };
+  }
+  await Promise.all(
+    installedClients.map(async (handler) => {
+      try {
+        const config = await handler.readConfig();
+        configs.set(handler.type, config);
+        handlers.set(handler.type, handler);
+      } catch (err) {
+        console.warn(`[mcpman] Warning: could not read config for ${handler.displayName}: ${String(err)}`);
+      }
+    })
+  );
+  return { configs, handlers };
+}
+
+// src/commands/sync.ts
+var VALID_CLIENTS = ["claude-desktop", "cursor", "vscode", "windsurf"];
+var CLIENT_DISPLAY3 = {
+  "claude-desktop": "Claude Desktop",
+  cursor: "Cursor",
+  vscode: "VS Code",
+  windsurf: "Windsurf"
+};
+var sync_default = (0, import_citty8.defineCommand)({
+  meta: {
+    name: "sync",
+    description: "Sync MCP server configs across all detected AI clients"
+  },
+  args: {
+    "dry-run": {
+      type: "boolean",
+      description: "Preview changes without applying them",
+      default: false
+    },
+    remove: {
+      type: "boolean",
+      description: "Remove extra servers not in lockfile",
+      default: false
+    },
+    source: {
+      type: "string",
+      description: "Use a specific client as source of truth (claude-desktop, cursor, vscode, windsurf)"
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt",
+      default: false
+    }
+  },
+  async run({ args }) {
+    p9.intro(`${import_picocolors7.default.cyan("mcpman sync")}`);
+    const sourceClient = args.source;
+    if (sourceClient && !VALID_CLIENTS.includes(sourceClient)) {
+      p9.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
+      process.exit(1);
+    }
+    const spinner5 = p9.spinner();
+    spinner5.start("Detecting clients and reading configs...");
+    const { configs, handlers } = await getClientConfigs();
+    spinner5.stop(`Found ${configs.size} client(s)`);
+    if (configs.size === 0) {
+      p9.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
+      process.exit(0);
+    }
+    const diffOptions = { remove: args.remove };
+    let actions;
+    if (sourceClient) {
+      if (!configs.has(sourceClient)) {
+        p9.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
+        process.exit(1);
+      }
+      p9.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
+      actions = computeDiffFromClient(sourceClient, configs, diffOptions);
+    } else {
+      const lockfile = readLockfile();
+      actions = computeDiff(lockfile, configs, diffOptions);
+    }
+    printDiffTable(actions);
+    const addCount = actions.filter((a) => a.action === "add").length;
+    const extraCount = actions.filter((a) => a.action === "extra").length;
+    const removeCount = actions.filter((a) => a.action === "remove").length;
+    if (addCount === 0 && removeCount === 0 && extraCount === 0) {
+      p9.outro(import_picocolors7.default.green("All clients are in sync."));
+      process.exit(0);
+    }
+    const parts = [];
+    if (addCount > 0) parts.push(import_picocolors7.default.green(`${addCount} to add`));
+    if (removeCount > 0) parts.push(import_picocolors7.default.red(`${removeCount} to remove`));
+    if (extraCount > 0) parts.push(import_picocolors7.default.yellow(`${extraCount} extra (informational)`));
+    p9.log.info(parts.join("  \xB7  "));
+    if (args["dry-run"]) {
+      p9.outro(import_picocolors7.default.dim("Dry run \u2014 no changes applied."));
+      process.exit(1);
+    }
+    if (addCount === 0 && removeCount === 0) {
+      p9.outro(import_picocolors7.default.dim("No additions needed. Extra servers left untouched."));
+      process.exit(1);
+    }
+    if (!args.yes) {
+      const actionParts = [];
+      if (addCount > 0) actionParts.push(`${addCount} addition(s)`);
+      if (removeCount > 0) actionParts.push(`${removeCount} removal(s)`);
+      const confirmed = await p9.confirm({
+        message: `Apply ${actionParts.join(" and ")} to client configs?`,
+        initialValue: true
+      });
+      if (p9.isCancel(confirmed) || !confirmed) {
+        p9.outro(import_picocolors7.default.dim("Cancelled \u2014 no changes applied."));
+        process.exit(0);
+      }
+    }
+    spinner5.start("Applying sync changes...");
+    const result = await applySyncActions(actions, handlers);
+    spinner5.stop("Done");
+    if (result.applied > 0) {
+      p9.log.success(`Added ${result.applied} server(s) to client configs.`);
+    }
+    if (result.removed > 0) {
+      p9.log.success(`Removed ${result.removed} server(s) from client configs.`);
+    }
+    if (result.failed > 0) {
+      for (const e of result.errors) {
+        p9.log.error(`Failed to sync "${e.server}" on ${e.client}: ${e.error}`);
+      }
+    }
+    p9.outro(result.failed === 0 ? import_picocolors7.default.green("Sync complete.") : import_picocolors7.default.yellow("Sync complete with errors."));
+    process.exit(result.failed > 0 ? 1 : 0);
+  }
+});
+function printDiffTable(actions) {
+  if (actions.length === 0) {
+    p9.log.info("No actions to display.");
+    return;
+  }
+  const nameWidth = Math.max(6, ...actions.map((a) => a.server.length));
+  const clientWidth = Math.max(6, ...actions.map((a) => CLIENT_DISPLAY3[a.client]?.length ?? a.client.length));
+  const header = `  ${pad2("SERVER", nameWidth)}  ${pad2("CLIENT", clientWidth)}  STATUS`;
+  console.log(import_picocolors7.default.dim(header));
+  console.log(import_picocolors7.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
+  for (const action of actions) {
+    const clientDisplay = CLIENT_DISPLAY3[action.client] ?? action.client;
+    const [icon, statusText] = formatAction(action.action);
+    console.log(`  ${pad2(action.server, nameWidth)}  ${pad2(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
+  }
+  console.log("");
+}
+function formatAction(action) {
+  switch (action) {
+    case "add":
+      return [import_picocolors7.default.green("+"), import_picocolors7.default.green("missing \u2014 will add")];
+    case "extra":
+      return [import_picocolors7.default.yellow("?"), import_picocolors7.default.yellow("extra (not in lockfile)")];
+    case "remove":
+      return [import_picocolors7.default.red("\u2013"), import_picocolors7.default.red("extra \u2014 will remove")];
+    case "ok":
+      return [import_picocolors7.default.dim("\xB7"), import_picocolors7.default.dim("in sync")];
+  }
+}
+function pad2(s, width) {
+  return s.length >= width ? s : s + " ".repeat(width - s.length);
+}
+
+// src/commands/update.ts
+init_cjs_shims();
+var import_citty9 = require("citty");
+var p10 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors9 = __toESM(require("picocolors"), 1);
+
+// src/core/update-notifier.ts
+init_cjs_shims();
+var import_node_fs5 = __toESM(require("fs"), 1);
+var import_node_path7 = __toESM(require("path"), 1);
+var import_node_os5 = __toESM(require("os"), 1);
+var import_picocolors8 = __toESM(require("picocolors"), 1);
+var CACHE_FILE = import_node_path7.default.join(import_node_os5.default.homedir(), ".mcpman", ".update-check");
+var TTL_MS = 24 * 60 * 60 * 1e3;
+function writeUpdateCache(data) {
+  try {
+    const dir = import_node_path7.default.dirname(CACHE_FILE);
+    if (!import_node_fs5.default.existsSync(dir)) import_node_fs5.default.mkdirSync(dir, { recursive: true });
+    const tmp = `${CACHE_FILE}.tmp`;
+    import_node_fs5.default.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
+    import_node_fs5.default.renameSync(tmp, CACHE_FILE);
+  } catch {
+  }
+}
+
+// src/commands/update.ts
+async function loadClients3() {
+  try {
+    const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+function printTable(updates) {
+  const NAME_W = 28;
+  const VER_W = 10;
+  const header = [
+    "NAME".padEnd(NAME_W),
+    "CURRENT".padEnd(VER_W),
+    "LATEST".padEnd(VER_W),
+    "STATUS"
+  ].join("  ");
+  console.log(import_picocolors9.default.bold(`
+  ${header}`));
+  console.log(import_picocolors9.default.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
+  for (const u of updates) {
+    const nameCol = u.server.slice(0, NAME_W).padEnd(NAME_W);
+    const curCol = u.currentVersion.padEnd(VER_W);
+    const latCol = u.latestVersion.padEnd(VER_W);
+    const statusCol = u.hasUpdate ? import_picocolors9.default.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : import_picocolors9.default.green("Up to date");
+    console.log(`  ${nameCol}  ${curCol}  ${latCol}  ${statusCol}`);
+  }
+  console.log();
+}
+var update_default = (0, import_citty9.defineCommand)({
+  meta: {
+    name: "update",
+    description: "Check for and apply updates to installed MCP servers"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name to update (omit to update all)",
+      required: false
+    },
+    check: {
+      type: "boolean",
+      description: "Check only \u2014 do not apply updates",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt",
+      default: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const lockfile = readLockfile();
+    const servers = lockfile.servers;
+    const targetEntries = args.server ? Object.entries(servers).filter(([name]) => name === args.server) : Object.entries(servers);
+    if (targetEntries.length === 0) {
+      if (args.server) {
+        console.error(`Server '${args.server}' not found in lockfile.`);
+      } else {
+        console.log("No servers installed. Run mcpman install <server> first.");
+      }
+      process.exit(1);
+    }
+    const spinner5 = p10.spinner();
+    spinner5.start("Checking versions...");
+    let updates;
+    try {
+      const partialLock = {
+        lockfileVersion: 1,
+        servers: Object.fromEntries(targetEntries)
+      };
+      updates = await checkAllVersions(partialLock);
+    } catch (err) {
+      spinner5.stop("Version check failed");
+      console.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
-    p4.outro(import_picocolors4.default.green(`Removed "${serverName}" successfully.`));
+    spinner5.stop(`Checked ${updates.length} server(s)`);
+    if (args.json) {
+      console.log(JSON.stringify(updates, null, 2));
+      return;
+    }
+    printTable(updates);
+    const outdated = updates.filter((u) => u.hasUpdate);
+    if (outdated.length === 0) {
+      console.log(import_picocolors9.default.green("  All servers are up to date."));
+      return;
+    }
+    if (args.check) {
+      console.log(import_picocolors9.default.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
+      return;
+    }
+    if (!args.yes) {
+      const confirmed = await p10.confirm({
+        message: `Apply ${outdated.length} update(s)?`,
+        initialValue: true
+      });
+      if (p10.isCancel(confirmed) || !confirmed) {
+        p10.outro("Cancelled.");
+        return;
+      }
+    }
+    const clients = await loadClients3();
+    let successCount = 0;
+    for (const update of outdated) {
+      const s = p10.spinner();
+      s.start(`Updating ${update.server}...`);
+      const result = await applyServerUpdate(
+        update.server,
+        servers[update.server],
+        clients
+      );
+      if (result.success) {
+        s.stop(`${import_picocolors9.default.green("\u2713")} ${update.server}: ${result.fromVersion} \u2192 ${result.toVersion}`);
+        successCount++;
+      } else {
+        s.stop(`${import_picocolors9.default.red("\u2717")} ${update.server}: ${result.error}`);
+      }
+    }
+    const freshLockfile = readLockfile(resolveLockfilePath());
+    const freshUpdates = await checkAllVersions(freshLockfile);
+    writeUpdateCache({ lastCheck: (/* @__PURE__ */ new Date()).toISOString(), updates: freshUpdates });
+    p10.outro(`${successCount} of ${outdated.length} server(s) updated.`);
   }
 });
 
 // src/utils/constants.ts
 init_cjs_shims();
 var APP_NAME = "mcpman";
-var APP_VERSION = "0.1.1";
+var APP_VERSION = "0.3.0";
 var APP_DESCRIPTION = "The package manager for MCP servers";
 
 // src/index.ts
@@ -1408,7 +2817,7 @@ process.on("SIGINT", () => {
   console.log("\nAborted.");
   process.exit(130);
 });
-var main = (0, import_citty6.defineCommand)({
+var main = (0, import_citty10.defineCommand)({
   meta: {
     name: APP_NAME,
     version: APP_VERSION,
@@ -1419,7 +2828,11 @@ var main = (0, import_citty6.defineCommand)({
     list: list_default,
     remove: remove_default,
     doctor: doctor_default,
-    init: init_default
+    init: init_default,
+    secrets: secrets_default,
+    sync: sync_default,
+    audit: audit_default,
+    update: update_default
   }
 });
-(0, import_citty6.runMain)(main);
+(0, import_citty10.runMain)(main);