mcpman 0.1.1 → 0.3.0

package/dist/index.js

@@ -2,13 +2,777 @@
 import {
   getInstalledClients
 } from "./chunk-QY22QTBR.js";
+import {
+  getMasterPassword,
+  getSecretsForServer,
+  listSecrets,
+  removeSecret,
+  setSecret
+} from "./chunk-6X6Q6UZC.js";
 
 // src/index.ts
-import { defineCommand as defineCommand6, runMain } from "citty";
+import { defineCommand as defineCommand10, runMain } from "citty";
+
+// src/commands/audit.ts
+import { defineCommand } from "citty";
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+import { createSpinner } from "nanospinner";
+
+// src/core/lockfile.ts
+import fs from "fs";
+import path from "path";
+import os from "os";
+var LOCKFILE_NAME = "mcpman.lock";
+function findLockfile() {
+  let dir = process.cwd();
+  while (true) {
+    const candidate = path.join(dir, LOCKFILE_NAME);
+    if (fs.existsSync(candidate)) return candidate;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function getGlobalLockfilePath() {
+  return path.join(os.homedir(), ".mcpman", LOCKFILE_NAME);
+}
+function resolveLockfilePath() {
+  return findLockfile() ?? getGlobalLockfilePath();
+}
+function readLockfile(filePath) {
+  const target = filePath ?? resolveLockfilePath();
+  if (!fs.existsSync(target)) {
+    return { lockfileVersion: 1, servers: {} };
+  }
+  try {
+    const raw = fs.readFileSync(target, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return { lockfileVersion: 1, servers: {} };
+  }
+}
+function serialize(data) {
+  const sorted = {
+    lockfileVersion: data.lockfileVersion,
+    servers: Object.fromEntries(
+      Object.entries(data.servers).sort(([a], [b]) => a.localeCompare(b))
+    )
+  };
+  return JSON.stringify(sorted, null, 2) + "\n";
+}
+function writeLockfile(data, filePath) {
+  const target = filePath ?? resolveLockfilePath();
+  const dir = path.dirname(target);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  const tmp = `${target}.tmp`;
+  fs.writeFileSync(tmp, serialize(data), "utf-8");
+  fs.renameSync(tmp, target);
+}
+function addEntry(name, entry, filePath) {
+  const data = readLockfile(filePath);
+  data.servers[name] = entry;
+  writeLockfile(data, filePath);
+}
+function createEmptyLockfile(filePath) {
+  writeLockfile({ lockfileVersion: 1, servers: {} }, filePath);
+}
+
+// src/core/security-scanner.ts
+import fs2 from "fs";
+import os2 from "os";
+import path2 from "path";
+var CACHE_PATH = path2.join(os2.homedir(), ".mcpman", ".audit-cache.json");
+var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+function readCache() {
+  try {
+    if (!fs2.existsSync(CACHE_PATH)) return {};
+    return JSON.parse(fs2.readFileSync(CACHE_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeCache(cache) {
+  const dir = path2.dirname(CACHE_PATH);
+  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+  const tmp = `${CACHE_PATH}.tmp`;
+  fs2.writeFileSync(tmp, JSON.stringify(cache, null, 2), "utf-8");
+  fs2.renameSync(tmp, CACHE_PATH);
+}
+function getCachedReport(name, version) {
+  const cache = readCache();
+  const key = `${name}@${version}`;
+  const entry = cache[key];
+  if (!entry) return null;
+  if (Date.now() - entry.timestamp > CACHE_TTL_MS) return null;
+  return entry.report;
+}
+function cacheReport(name, version, report) {
+  const cache = readCache();
+  cache[`${name}@${version}`] = { report, timestamp: Date.now() };
+  writeCache(cache);
+}
+async function fetchNpmMetadata(packageName) {
+  const timeout = 1e4;
+  const signal = AbortSignal.timeout(timeout);
+  try {
+    const [regRes, dlRes] = await Promise.all([
+      fetch(`https://registry.npmjs.org/${encodeURIComponent(packageName)}`, { signal }),
+      fetch(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`, {
+        signal: AbortSignal.timeout(timeout)
+      })
+    ]);
+    if (!regRes.ok) return null;
+    const reg = await regRes.json();
+    const time = reg["time"] ?? {};
+    const created = time["created"] ? new Date(time["created"]) : null;
+    const modified = time["modified"] ? new Date(time["modified"]) : null;
+    const packageAge = created ? Math.floor((Date.now() - created.getTime()) / 864e5) : 0;
+    const maintainers = Array.isArray(reg["maintainers"]) ? reg["maintainers"] : [];
+    const latestVersion = reg["dist-tags"]?.["latest"] ?? "";
+    const versionData = reg["versions"]?.[latestVersion];
+    const deprecated = typeof versionData?.["deprecated"] === "string";
+    let weeklyDownloads = 0;
+    if (dlRes.ok) {
+      const dl = await dlRes.json();
+      weeklyDownloads = typeof dl["downloads"] === "number" ? dl["downloads"] : 0;
+    }
+    return {
+      weeklyDownloads,
+      lastPublish: modified?.toISOString() ?? (/* @__PURE__ */ new Date()).toISOString(),
+      packageAge,
+      maintainerCount: maintainers.length,
+      deprecated
+    };
+  } catch {
+    return null;
+  }
+}
+async function fetchVulnerabilities(packageName, version) {
+  try {
+    const res = await fetch("https://api.osv.dev/v1/query", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ package: { name: packageName, ecosystem: "npm" }, version }),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const vulns = Array.isArray(data["vulns"]) ? data["vulns"] : [];
+    return vulns.map((v) => {
+      const severity = v["database_specific"]?.["severity"];
+      const sev = typeof severity === "string" ? severity.toLowerCase() : "moderate";
+      const refs = Array.isArray(v["references"]) ? v["references"] : [];
+      return {
+        severity: ["low", "moderate", "high", "critical"].includes(sev) ? sev : "moderate",
+        title: typeof v["summary"] === "string" ? v["summary"] : typeof v["id"] === "string" ? v["id"] : "Unknown vulnerability",
+        url: typeof refs[0]?.["url"] === "string" ? refs[0]["url"] : void 0
+      };
+    });
+  } catch {
+    return [];
+  }
+}
+async function scanServer(name, entry) {
+  if (entry.source !== "npm") {
+    return {
+      server: name,
+      source: entry.source,
+      score: null,
+      riskLevel: "UNKNOWN",
+      vulnerabilities: [],
+      metadata: null
+    };
+  }
+  const cached = getCachedReport(name, entry.version);
+  if (cached) return cached;
+  const [metadata, vulnerabilities] = await Promise.all([
+    fetchNpmMetadata(name),
+    fetchVulnerabilities(name, entry.version)
+  ]);
+  const { computeTrustScore } = await import("./trust-scorer-LYC6KZCD.js");
+  const { score, riskLevel } = computeTrustScore(metadata, vulnerabilities);
+  const report = {
+    server: name,
+    source: "npm",
+    score,
+    riskLevel,
+    vulnerabilities,
+    metadata
+  };
+  cacheReport(name, entry.version, report);
+  return report;
+}
+async function scanAllServers(servers, concurrency = 3) {
+  const entries = Object.entries(servers);
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p10 = scanServer(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p10);
+    });
+    executing.add(p10);
+    if (executing.size >= concurrency) await Promise.race(executing);
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/version-checker.ts
+function compareVersions(a, b) {
+  const aParts = a.replace(/^v/, "").split(".").map(Number);
+  const bParts = b.replace(/^v/, "").split(".").map(Number);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const aN = aParts[i] ?? 0;
+    const bN = bParts[i] ?? 0;
+    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
+    if (aN < bN) return -1;
+    if (aN > bN) return 1;
+  }
+  return 0;
+}
+function detectUpdateType(current, latest) {
+  const cParts = current.replace(/^v/, "").split(".").map(Number);
+  const lParts = latest.replace(/^v/, "").split(".").map(Number);
+  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
+  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
+  return "patch";
+}
+async function fetchNpmLatest(packageName) {
+  try {
+    const res = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchSmitheryLatest(name) {
+  try {
+    const res = await fetch(
+      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchGithubLatest(resolved) {
+  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  const [, owner, repo] = match;
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
+  } catch {
+    return null;
+  }
+}
+async function checkVersion(name, lockEntry) {
+  const current = lockEntry.version;
+  let latest = null;
+  if (lockEntry.source === "npm") {
+    latest = await fetchNpmLatest(name);
+  } else if (lockEntry.source === "smithery") {
+    latest = await fetchSmitheryLatest(name);
+  } else if (lockEntry.source === "github") {
+    latest = await fetchGithubLatest(lockEntry.resolved);
+  }
+  if (!latest || latest === current) {
+    return {
+      server: name,
+      source: lockEntry.source,
+      currentVersion: current,
+      latestVersion: latest ?? current,
+      hasUpdate: false
+    };
+  }
+  const hasUpdate = compareVersions(current, latest) === -1;
+  return {
+    server: name,
+    source: lockEntry.source,
+    currentVersion: current,
+    latestVersion: latest,
+    hasUpdate,
+    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
+  };
+}
+async function checkAllVersions(lockfile) {
+  const entries = Object.entries(lockfile.servers);
+  if (entries.length === 0) return [];
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p10 = checkVersion(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p10);
+    });
+    executing.add(p10);
+    if (executing.size >= 5) {
+      await Promise.race(executing);
+    }
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/registry.ts
+import { createHash } from "crypto";
+function computeIntegrity(resolvedUrl) {
+  const hash = createHash("sha512").update(resolvedUrl).digest("base64");
+  return `sha512-${hash}`;
+}
+async function resolveFromSmithery(name) {
+  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Server '${name}' not found on Smithery registry`);
+    }
+    if (!res.ok) {
+      throw new Error(`Smithery API error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const command = typeof data.command === "string" ? data.command : "npx";
+  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
+  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
+  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
+  return {
+    name,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command,
+    args,
+    envVars,
+    resolved
+  };
+}
+async function resolveFromNpm(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Package '${packageName}' not found on npm`);
+    }
+    if (!res.ok) {
+      throw new Error(`npm registry error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
+  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
+  const envVars = mcpField?.envVars ? mcpField.envVars : [];
+  return {
+    name: packageName,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", `${packageName}@${version}`],
+    envVars,
+    resolved
+  };
+}
+async function resolveFromGitHub(githubUrl) {
+  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) {
+    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
+  let pkgData = {};
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
+    if (res.ok) {
+      pkgData = await res.json();
+    }
+  } catch {
+  }
+  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
+  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
+  return {
+    name,
+    version,
+    description: typeof pkgData.description === "string" ? pkgData.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", githubUrl],
+    envVars: [],
+    resolved: githubUrl
+  };
+}
+
+// src/core/server-resolver.ts
+function detectSource(input) {
+  if (input.startsWith("smithery:")) {
+    return { type: "smithery", input: input.slice(9) };
+  }
+  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
+    return { type: "github", input };
+  }
+  return { type: "npm", input };
+}
+function parseEnvFlags(envFlags) {
+  if (!envFlags) return {};
+  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
+  const result = {};
+  for (const flag of flags) {
+    const idx = flag.indexOf("=");
+    if (idx > 0) {
+      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+    }
+  }
+  return result;
+}
+async function resolveServer(input) {
+  const source = detectSource(input);
+  switch (source.type) {
+    case "smithery":
+      return resolveFromSmithery(source.input);
+    case "github":
+      return resolveFromGitHub(source.input);
+    case "npm":
+      return resolveFromNpm(source.input);
+  }
+}
+
+// src/core/server-updater.ts
+async function applyServerUpdate(serverName, lockEntry, clients) {
+  const fromVersion = lockEntry.version;
+  const input = lockEntry.source === "smithery" ? `smithery:${serverName}` : lockEntry.source === "github" ? lockEntry.resolved : serverName;
+  try {
+    const metadata = await resolveServer(input);
+    const integrity = computeIntegrity(metadata.resolved);
+    addEntry(serverName, {
+      ...lockEntry,
+      version: metadata.version,
+      resolved: metadata.resolved,
+      integrity,
+      command: metadata.command,
+      args: metadata.args,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const targetClients = clients.filter(
+      (c) => lockEntry.clients.includes(c.type)
+    );
+    for (const client of targetClients) {
+      try {
+        await client.addServer(serverName, {
+          command: metadata.command,
+          args: metadata.args
+        });
+      } catch {
+      }
+    }
+    return {
+      server: serverName,
+      success: true,
+      fromVersion,
+      toVersion: metadata.version
+    };
+  } catch (err) {
+    return {
+      server: serverName,
+      success: false,
+      fromVersion,
+      toVersion: fromVersion,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+
+// src/commands/audit.ts
+function colorRisk(level, score) {
+  const label = score !== null ? `${score}/100 (${level})` : level;
+  if (level === "LOW") return pc.green(label);
+  if (level === "MEDIUM") return pc.yellow(label);
+  if (level === "HIGH") return pc.red(label);
+  if (level === "CRITICAL") return pc.bold(pc.red(label));
+  return pc.dim(label);
+}
+function daysAgo(isoDate) {
+  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "1 day ago";
+  return `${days} days ago`;
+}
+function countVulns(vulns) {
+  const c = { critical: 0, high: 0, moderate: 0, low: 0 };
+  for (const v of vulns) c[v.severity]++;
+  if (vulns.length === 0) return pc.green("none");
+  const parts = [];
+  if (c.critical) parts.push(pc.bold(pc.red(`${c.critical} critical`)));
+  if (c.high) parts.push(pc.red(`${c.high} high`));
+  if (c.moderate) parts.push(pc.yellow(`${c.moderate} moderate`));
+  if (c.low) parts.push(pc.dim(`${c.low} low`));
+  return parts.join(", ");
+}
+function printReport(report) {
+  const riskColored = colorRisk(report.riskLevel, report.score);
+  const icon = report.riskLevel === "LOW" ? pc.green("\u25CF") : report.riskLevel === "MEDIUM" ? pc.yellow("\u25CF") : report.riskLevel === "UNKNOWN" ? pc.dim("\u25CB") : pc.red("\u25CF");
+  console.log(`  ${icon} ${pc.bold(report.server)}  Score: ${riskColored}`);
+  if (report.source !== "npm") {
+    console.log(`    ${pc.dim("Non-npm source \u2014 security data unavailable")}`);
+    console.log();
+    return;
+  }
+  if (report.metadata) {
+    const { weeklyDownloads, packageAge, lastPublish, maintainerCount, deprecated } = report.metadata;
+    const dlStr = weeklyDownloads.toLocaleString();
+    console.log(
+      `    ${pc.dim("Downloads:")} ${dlStr}/week  ${pc.dim("|")}  ${pc.dim("Age:")} ${packageAge}d  ${pc.dim("|")}  ${pc.dim("Last publish:")} ${daysAgo(lastPublish)}  ${pc.dim("|")}  ${pc.dim("Maintainers:")} ${maintainerCount}` + (deprecated ? pc.red("  [DEPRECATED]") : "")
+    );
+  }
+  console.log(`    ${pc.dim("Vulnerabilities:")} ${countVulns(report.vulnerabilities)}`);
+  if (report.vulnerabilities.length > 0) {
+    for (const v of report.vulnerabilities) {
+      const sevColor = v.severity === "critical" || v.severity === "high" ? pc.red : pc.yellow;
+      const url = v.url ? pc.dim(` ${v.url}`) : "";
+      console.log(`      ${sevColor("\u25B8")} [${v.severity}] ${v.title}${url}`);
+    }
+  }
+  console.log();
+}
+var audit_default = defineCommand({
+  meta: {
+    name: "audit",
+    description: "Scan installed MCP servers for security vulnerabilities and trust scores"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Specific server to audit (omit to audit all)",
+      required: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    },
+    fix: {
+      type: "boolean",
+      description: "Apply updates to fix vulnerable packages",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt (use with --fix)",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const lockfile = readLockfile();
+    const { servers } = lockfile;
+    if (Object.keys(servers).length === 0) {
+      console.log(pc.dim("\n  No MCP servers installed. Run mcpman install <server> to get started.\n"));
+      return;
+    }
+    const targets = {};
+    if (args.server) {
+      if (!servers[args.server]) {
+        console.error(pc.red(`
+  Server "${args.server}" not found in lockfile.
+`));
+        process.exit(1);
+      }
+      targets[args.server] = servers[args.server];
+    } else {
+      Object.assign(targets, servers);
+    }
+    const spinner5 = createSpinner(`Scanning ${Object.keys(targets).length} server(s)...`).start();
+    let reports;
+    try {
+      reports = args.server ? [await scanServer(args.server, targets[args.server])] : await scanAllServers(targets);
+    } catch (err) {
+      spinner5.error({ text: "Scan failed" });
+      console.error(pc.red(String(err)));
+      process.exit(1);
+    }
+    spinner5.success({ text: `Scanned ${reports.length} server(s)` });
+    if (args.json) {
+      console.log(JSON.stringify(reports, null, 2));
+      return;
+    }
+    console.log(pc.bold("\n  mcpman audit\n"));
+    console.log(pc.dim("  " + "\u2500".repeat(60)));
+    for (const report of reports) {
+      printReport(report);
+    }
+    console.log(pc.dim("  " + "\u2500".repeat(60)));
+    const withIssues = reports.filter(
+      (r) => r.riskLevel !== "LOW" && r.riskLevel !== "UNKNOWN"
+    );
+    const npmReports = reports.filter((r) => r.source === "npm");
+    const parts = [];
+    parts.push(`${reports.length} server(s) scanned`);
+    if (npmReports.length < reports.length) {
+      parts.push(pc.dim(`${reports.length - npmReports.length} non-npm (unverified)`));
+    }
+    if (withIssues.length > 0) {
+      parts.push(pc.yellow(`${withIssues.length} with issues`));
+    } else {
+      parts.push(pc.green("all clear"));
+    }
+    console.log(`
+  Summary: ${parts.join(" | ")}
+`);
+    if (args.fix) {
+      await runAuditFix(reports, lockfile.servers, args.yes);
+    }
+  }
+});
+async function loadClients() {
+  try {
+    const mod = await import("./client-detector-SUIJSIYM.js");
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+async function runAuditFix(reports, servers, skipConfirm) {
+  const npmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source === "npm"
+  );
+  const nonNpmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source !== "npm"
+  );
+  if (nonNpmWithVulns.length > 0) {
+    console.log(pc.yellow("  Non-npm servers require manual update:"));
+    for (const r of nonNpmWithVulns) {
+      console.log(`    ${pc.dim("\u2192")} ${r.server} (${r.source})`);
+    }
+    console.log();
+  }
+  if (npmWithVulns.length === 0) {
+    console.log(pc.green("  No fixable vulnerabilities found.\n"));
+    return;
+  }
+  const versionSpinner = createSpinner("Checking for available updates...").start();
+  const versionChecks = await Promise.all(
+    npmWithVulns.map((r) => checkVersion(r.server, servers[r.server]))
+  );
+  versionSpinner.success({ text: "Version check complete" });
+  const updatable = versionChecks.filter((u) => u.hasUpdate);
+  if (updatable.length === 0) {
+    console.log(pc.yellow(
+      "  Vulnerable servers have no newer versions available yet.\n  Allow time for registry to publish fixes.\n"
+    ));
+    return;
+  }
+  console.log(pc.bold(`
+  ${updatable.length} server(s) can be updated to fix vulnerabilities:
+`));
+  for (const u of updatable) {
+    console.log(`    ${pc.cyan("\u2192")} ${u.server}  ${pc.dim(u.currentVersion)} \u2192 ${pc.green(u.latestVersion)}`);
+  }
+  console.log();
+  if (!skipConfirm) {
+    const confirmed = await p.confirm({
+      message: `Update ${updatable.length} vulnerable server(s)?`,
+      initialValue: true
+    });
+    if (p.isCancel(confirmed) || !confirmed) {
+      p.outro("Cancelled.");
+      return;
+    }
+  }
+  const clients = await loadClients();
+  let successCount = 0;
+  const results = [];
+  for (const u of updatable) {
+    const s = createSpinner(`Updating ${u.server}...`).start();
+    const result = await applyServerUpdate(u.server, servers[u.server], clients);
+    if (result.success) {
+      s.success({ text: `${pc.green("\u2713")} ${u.server}: ${result.fromVersion} \u2192 ${result.toVersion}` });
+      successCount++;
+    } else {
+      s.error({ text: `${pc.red("\u2717")} ${u.server}: ${result.error}` });
+    }
+    results.push({
+      server: u.server,
+      from: result.fromVersion,
+      to: result.toVersion,
+      ok: result.success,
+      error: result.error
+    });
+  }
+  console.log();
+  if (successCount > 0) {
+    const updatedNames = results.filter((r) => r.ok).map((r) => r.server);
+    const freshLockfile = readLockfile();
+    const rescanSpinner = createSpinner("Re-scanning updated servers...").start();
+    const afterReports = await Promise.all(
+      updatedNames.map((name) => scanServer(name, freshLockfile.servers[name]))
+    );
+    rescanSpinner.success({ text: "Re-scan complete" });
+    console.log(pc.bold("\n  Before / After:\n"));
+    for (const after of afterReports) {
+      const before = reports.find((r) => r.server === after.server);
+      const beforeVulns = before?.vulnerabilities.length ?? 0;
+      const afterVulns = after.vulnerabilities.length;
+      const improved = afterVulns < beforeVulns ? pc.green("improved") : pc.yellow("unchanged");
+      console.log(
+        `    ${pc.bold(after.server)}  vulns: ${beforeVulns} \u2192 ${afterVulns}  [${improved}]`
+      );
+    }
+    console.log();
+  }
+  console.log(`
+  ${successCount} of ${updatable.length} server(s) updated.
+`);
+}
 
 // src/commands/doctor.ts
-import { defineCommand } from "citty";
-import pc from "picocolors";
+import { defineCommand as defineCommand2 } from "citty";
+import pc2 from "picocolors";
 
 // src/core/server-inventory.ts
 async function getInstalledServers(clientFilter) {
@@ -272,12 +1036,12 @@ async function quickHealthProbe(config, timeoutMs = 3e3) {
 
 // src/commands/doctor.ts
 var CHECK_ICON = {
-  pass: pc.green("\u2713"),
-  fail: pc.red("\u2717"),
-  skip: pc.dim("-"),
-  warn: pc.yellow("\u26A0")
+  pass: pc2.green("\u2713"),
+  fail: pc2.red("\u2717"),
+  skip: pc2.dim("-"),
+  warn: pc2.yellow("\u26A0")
 };
-var doctor_default = defineCommand({
+var doctor_default = defineCommand2({
   meta: {
     name: "doctor",
     description: "Check MCP server health and configuration"
@@ -290,10 +1054,10 @@ var doctor_default = defineCommand({
     }
   },
   async run({ args }) {
-    console.log(pc.bold("\n  mcpman doctor\n"));
+    console.log(pc2.bold("\n  mcpman doctor\n"));
     const servers = await getInstalledServers();
     if (servers.length === 0) {
-      console.log(pc.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
+      console.log(pc2.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
       return;
     }
     const tasks = servers.map((s) => () => checkServerHealth(s.name, s.config));
@@ -305,14 +1069,14 @@ var doctor_default = defineCommand({
       if (result.status === "healthy") passed++;
       else failed++;
     }
-    console.log(pc.dim("  " + "\u2500".repeat(50)));
+    console.log(pc2.dim("  " + "\u2500".repeat(50)));
     const parts = [];
-    if (passed > 0) parts.push(pc.green(`${passed} healthy`));
-    if (failed > 0) parts.push(pc.red(`${failed} unhealthy`));
+    if (passed > 0) parts.push(pc2.green(`${passed} healthy`));
+    if (failed > 0) parts.push(pc2.red(`${failed} unhealthy`));
     console.log(`  Summary: ${parts.join(", ")}`);
     if (failed > 0) {
       if (!args.fix) {
-        console.log(pc.dim(`  Run ${pc.cyan("mcpman doctor --fix")} for fix suggestions.
+        console.log(pc2.dim(`  Run ${pc2.cyan("mcpman doctor --fix")} for fix suggestions.
 `));
       }
       process.exit(1);
@@ -321,13 +1085,13 @@ var doctor_default = defineCommand({
   }
 });
 function printServerResult(result, showFix) {
-  const icon = result.status === "healthy" ? pc.green("\u25CF") : pc.red("\u25CF");
-  console.log(`  ${icon} ${pc.bold(result.serverName)}`);
+  const icon = result.status === "healthy" ? pc2.green("\u25CF") : pc2.red("\u25CF");
+  console.log(`  ${icon} ${pc2.bold(result.serverName)}`);
   for (const check of result.checks) {
     const checkIcon = check.skipped ? CHECK_ICON.skip : check.passed ? CHECK_ICON.pass : CHECK_ICON.fail;
     console.log(`    ${checkIcon} ${check.name}: ${check.message}`);
     if (showFix && !check.passed && !check.skipped && check.fix) {
-      console.log(`      ${pc.yellow("\u2192")} Fix: ${pc.cyan(check.fix)}`);
+      console.log(`      ${pc2.yellow("\u2192")} Fix: ${pc2.cyan(check.fix)}`);
     }
   }
   console.log();
@@ -336,11 +1100,11 @@ async function runParallel(tasks, concurrency) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const task of tasks) {
-    const p5 = task().then((r) => {
+    const p10 = task().then((r) => {
       results.push(r);
-      executing.delete(p5);
+      executing.delete(p10);
     });
-    executing.add(p5);
+    executing.add(p10);
     if (executing.size >= concurrency) {
       await Promise.race(executing);
     }
@@ -350,182 +1114,10 @@ async function runParallel(tasks, concurrency) {
 }
 
 // src/commands/init.ts
-import { defineCommand as defineCommand2 } from "citty";
-import * as p from "@clack/prompts";
-import path2 from "path";
-
-// src/core/lockfile.ts
-import fs from "fs";
-import path from "path";
-import os from "os";
-var LOCKFILE_NAME = "mcpman.lock";
-function findLockfile() {
-  let dir = process.cwd();
-  while (true) {
-    const candidate = path.join(dir, LOCKFILE_NAME);
-    if (fs.existsSync(candidate)) return candidate;
-    const parent = path.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return null;
-}
-function getGlobalLockfilePath() {
-  return path.join(os.homedir(), ".mcpman", LOCKFILE_NAME);
-}
-function resolveLockfilePath() {
-  return findLockfile() ?? getGlobalLockfilePath();
-}
-function readLockfile(filePath) {
-  const target = filePath ?? resolveLockfilePath();
-  if (!fs.existsSync(target)) {
-    return { lockfileVersion: 1, servers: {} };
-  }
-  try {
-    const raw = fs.readFileSync(target, "utf-8");
-    return JSON.parse(raw);
-  } catch {
-    return { lockfileVersion: 1, servers: {} };
-  }
-}
-function serialize(data) {
-  const sorted = {
-    lockfileVersion: data.lockfileVersion,
-    servers: Object.fromEntries(
-      Object.entries(data.servers).sort(([a], [b]) => a.localeCompare(b))
-    )
-  };
-  return JSON.stringify(sorted, null, 2) + "\n";
-}
-function writeLockfile(data, filePath) {
-  const target = filePath ?? resolveLockfilePath();
-  const dir = path.dirname(target);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
-  }
-  const tmp = `${target}.tmp`;
-  fs.writeFileSync(tmp, serialize(data), "utf-8");
-  fs.renameSync(tmp, target);
-}
-function addEntry(name, entry, filePath) {
-  const data = readLockfile(filePath);
-  data.servers[name] = entry;
-  writeLockfile(data, filePath);
-}
-function createEmptyLockfile(filePath) {
-  writeLockfile({ lockfileVersion: 1, servers: {} }, filePath);
-}
-
-// src/core/registry.ts
-import { createHash } from "crypto";
-function computeIntegrity(resolvedUrl) {
-  const hash = createHash("sha512").update(resolvedUrl).digest("base64");
-  return `sha512-${hash}`;
-}
-async function resolveFromSmithery(name) {
-  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Server '${name}' not found on Smithery registry`);
-    }
-    if (!res.ok) {
-      throw new Error(`Smithery API error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const command = typeof data.command === "string" ? data.command : "npx";
-  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
-  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
-  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
-  return {
-    name,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command,
-    args,
-    envVars,
-    resolved
-  };
-}
-async function resolveFromNpm(packageName) {
-  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Package '${packageName}' not found on npm`);
-    }
-    if (!res.ok) {
-      throw new Error(`npm registry error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
-  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
-  const envVars = mcpField?.envVars ? mcpField.envVars : [];
-  return {
-    name: packageName,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", `${packageName}@${version}`],
-    envVars,
-    resolved
-  };
-}
-async function resolveFromGitHub(githubUrl) {
-  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) {
-    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
-  }
-  const [, owner, repo] = match;
-  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
-  let pkgData = {};
-  try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
-    if (res.ok) {
-      pkgData = await res.json();
-    }
-  } catch {
-  }
-  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
-  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
-  return {
-    name,
-    version,
-    description: typeof pkgData.description === "string" ? pkgData.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", githubUrl],
-    envVars: [],
-    resolved: githubUrl
-  };
-}
-
-// src/commands/init.ts
-var init_default = defineCommand2({
+import { defineCommand as defineCommand3 } from "citty";
+import * as p2 from "@clack/prompts";
+import path3 from "path";
+var init_default = defineCommand3({
   meta: {
     name: "init",
     description: "Initialize mcpman.lock in the current project"
@@ -540,17 +1132,17 @@ var init_default = defineCommand2({
   },
   async run({ args }) {
     const nonInteractive = args.yes || !process.stdout.isTTY;
-    p.intro("mcpman init");
-    const targetPath = path2.join(process.cwd(), LOCKFILE_NAME);
+    p2.intro("mcpman init");
+    const targetPath = path3.join(process.cwd(), LOCKFILE_NAME);
     const existing = findLockfile();
     if (existing) {
       if (nonInteractive) {
-        p.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
+        p2.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
       } else {
-        p.log.warn(`Lockfile already exists: ${existing}`);
-        const overwrite = await p.confirm({ message: "Overwrite?" });
-        if (p.isCancel(overwrite) || !overwrite) {
-          p.outro("Cancelled.");
+        p2.log.warn(`Lockfile already exists: ${existing}`);
+        const overwrite = await p2.confirm({ message: "Overwrite?" });
+        if (p2.isCancel(overwrite) || !overwrite) {
+          p2.outro("Cancelled.");
           return;
         }
       }
@@ -560,7 +1152,7 @@ var init_default = defineCommand2({
       const mod = await import("./client-detector-SUIJSIYM.js");
       clients = await mod.getInstalledClients();
     } catch {
-      p.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
+      p2.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
     }
     const clientServers = [];
     for (const client of clients) {
@@ -574,26 +1166,26 @@ var init_default = defineCommand2({
     }
     createEmptyLockfile(targetPath);
     if (clientServers.length === 0) {
-      p.log.info("No existing servers found in any client config.");
-      p.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
+      p2.log.info("No existing servers found in any client config.");
+      p2.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
       return;
     }
     let selected;
     if (nonInteractive) {
       selected = clientServers.map((cs) => cs.client.type);
-      p.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
+      p2.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
     } else {
       const options = clientServers.map((cs) => ({
         value: cs.client.type,
         label: `${cs.client.displayName} (${Object.keys(cs.servers).length} servers)`
       }));
-      const toImport = await p.multiselect({
+      const toImport = await p2.multiselect({
         message: "Import existing servers into lockfile?",
         options,
         required: false
       });
-      if (p.isCancel(toImport)) {
-        p.outro(`Created empty ${LOCKFILE_NAME}`);
+      if (p2.isCancel(toImport)) {
+        p2.outro(`Created empty ${LOCKFILE_NAME}`);
         return;
       }
       selected = toImport;
@@ -619,54 +1211,52 @@ var init_default = defineCommand2({
         importCount++;
       }
     }
-    p.outro(
+    p2.outro(
       `Created ${LOCKFILE_NAME} with ${importCount} server(s) \u2014 commit to version control!`
     );
   }
 });
 
 // src/commands/install.ts
-import { defineCommand as defineCommand3 } from "citty";
+import { defineCommand as defineCommand4 } from "citty";
 
 // src/core/installer.ts
-import * as p2 from "@clack/prompts";
+import * as p4 from "@clack/prompts";
 
-// src/core/server-resolver.ts
-function detectSource(input) {
-  if (input.startsWith("smithery:")) {
-    return { type: "smithery", input: input.slice(9) };
-  }
-  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
-    return { type: "github", input };
-  }
-  return { type: "npm", input };
-}
-function parseEnvFlags(envFlags) {
-  if (!envFlags) return {};
-  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
-  const result = {};
-  for (const flag of flags) {
-    const idx = flag.indexOf("=");
-    if (idx > 0) {
-      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+// src/core/installer-vault-helpers.ts
+import * as p3 from "@clack/prompts";
+async function tryLoadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
     }
+    const password = await getMasterPassword();
+    return getSecretsForServer(serverName, password);
+  } catch {
+    return {};
   }
-  return result;
 }
-async function resolveServer(input) {
-  const source = detectSource(input);
-  switch (source.type) {
-    case "smithery":
-      return resolveFromSmithery(source.input);
-    case "github":
-      return resolveFromGitHub(source.input);
-    case "npm":
-      return resolveFromNpm(source.input);
+async function offerVaultSave(serverName, newVars, yes) {
+  if (Object.keys(newVars).length === 0) return;
+  if (yes) return;
+  try {
+    const save = await p3.confirm({
+      message: `Save ${Object.keys(newVars).length} env var(s) to encrypted vault for future installs?`
+    });
+    if (p3.isCancel(save) || !save) return;
+    const password = await getMasterPassword();
+    for (const [key, value] of Object.entries(newVars)) {
+      setSecret(serverName, key, value, password);
+    }
+    p3.log.success(`Credentials saved to vault for '${serverName}'`);
+  } catch (err) {
+    p3.log.warn(`Could not save to vault: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 
 // src/core/installer.ts
-async function loadClients() {
+async function loadClients2() {
   try {
     const mod = await import("./client-detector-SUIJSIYM.js");
     return mod.getInstalledClients();
@@ -675,83 +1265,86 @@ async function loadClients() {
   }
 }
 async function installServer(input, options = {}) {
-  p2.intro("mcpman install");
-  const spinner2 = p2.spinner();
-  spinner2.start("Resolving server...");
+  p4.intro("mcpman install");
+  const spinner5 = p4.spinner();
+  spinner5.start("Resolving server...");
   let metadata;
   try {
     metadata = await resolveServer(input);
   } catch (err) {
-    spinner2.stop("Resolution failed");
-    p2.log.error(err instanceof Error ? err.message : String(err));
+    spinner5.stop("Resolution failed");
+    p4.log.error(err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
-  spinner2.stop(`Found: ${metadata.name}@${metadata.version}`);
-  const clients = await loadClients();
+  spinner5.stop(`Found: ${metadata.name}@${metadata.version}`);
+  const clients = await loadClients2();
   if (clients.length === 0) {
-    p2.log.warn("No supported AI clients detected on this machine.");
-    p2.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
+    p4.log.warn("No supported AI clients detected on this machine.");
+    p4.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
     process.exit(1);
   }
   let selectedClients;
   if (options.client) {
     const found = clients.find((c) => c.type === options.client || c.displayName.toLowerCase() === options.client?.toLowerCase());
     if (!found) {
-      p2.log.error(`Client '${options.client}' not found or not installed.`);
-      p2.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
+      p4.log.error(`Client '${options.client}' not found or not installed.`);
+      p4.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
       process.exit(1);
     }
     selectedClients = [found];
   } else if (options.yes || clients.length === 1) {
     selectedClients = clients;
   } else {
-    const chosen = await p2.multiselect({
+    const chosen = await p4.multiselect({
       message: "Install to which client(s)?",
       options: clients.map((c) => ({ value: c.type, label: c.displayName })),
       required: true
     });
-    if (p2.isCancel(chosen)) {
-      p2.outro("Cancelled.");
+    if (p4.isCancel(chosen)) {
+      p4.outro("Cancelled.");
       process.exit(0);
     }
     selectedClients = clients.filter((c) => chosen.includes(c.type));
   }
   const providedEnv = parseEnvFlags(options.env);
-  const collectedEnv = { ...providedEnv };
+  const vaultEnv = await tryLoadVaultSecrets(metadata.name);
+  const collectedEnv = { ...vaultEnv, ...providedEnv };
+  const newlyEnteredVars = {};
   const requiredVars = metadata.envVars.filter((e) => e.required && !(e.name in collectedEnv));
   for (const envVar of requiredVars) {
     if (options.yes && envVar.default) {
       collectedEnv[envVar.name] = envVar.default;
       continue;
     }
-    const val = await p2.text({
+    const val = await p4.text({
       message: `${envVar.name}${envVar.description ? ` \u2014 ${envVar.description}` : ""}`,
       placeholder: envVar.default ?? "",
       validate: (v) => envVar.required && !v ? "Required" : void 0
     });
-    if (p2.isCancel(val)) {
-      p2.outro("Cancelled.");
+    if (p4.isCancel(val)) {
+      p4.outro("Cancelled.");
       process.exit(0);
     }
     collectedEnv[envVar.name] = val;
+    newlyEnteredVars[envVar.name] = val;
   }
   const entry = {
     command: metadata.command,
     args: metadata.args,
     ...Object.keys(collectedEnv).length > 0 ? { env: collectedEnv } : {}
   };
-  spinner2.start("Writing config...");
+  spinner5.start("Writing config...");
   const clientTypes = [];
   for (const client of selectedClients) {
     try {
       await client.addServer(metadata.name, entry);
       clientTypes.push(client.type);
     } catch (err) {
-      spinner2.stop("Partial failure");
-      p2.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
+      spinner5.stop("Partial failure");
+      p4.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
-  spinner2.stop("Config written");
+  spinner5.stop("Config written");
   const source = detectSource(input);
   const integrity = computeIntegrity(metadata.resolved);
   addEntry(metadata.name, {
@@ -767,12 +1360,13 @@ async function installServer(input, options = {}) {
     clients: clientTypes
   });
   const lockPath = findLockfile() ?? "mcpman.lock (global)";
-  p2.log.success(`Lockfile updated: ${lockPath}`);
-  p2.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
+  p4.log.success(`Lockfile updated: ${lockPath}`);
+  await offerVaultSave(metadata.name, newlyEnteredVars, options.yes ?? false);
+  p4.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
 }
 
 // src/utils/logger.ts
-import pc2 from "picocolors";
+import pc3 from "picocolors";
 var noColor = process.env.NO_COLOR !== void 0 || process.argv.includes("--no-color");
 var isVerbose = process.argv.includes("--verbose");
 var isJson = process.argv.includes("--json");
@@ -781,19 +1375,19 @@ function colorize(fn, text2) {
 }
 function info(message) {
   if (isJson) return;
-  console.log(`${colorize(pc2.cyan, "i")} ${message}`);
+  console.log(`${colorize(pc3.cyan, "i")} ${message}`);
 }
 function error(message) {
   if (isJson) return;
-  console.error(`${colorize(pc2.red, "\u2717")} ${message}`);
+  console.error(`${colorize(pc3.red, "\u2717")} ${message}`);
 }
 function json(data) {
   console.log(JSON.stringify(data, null, 2));
 }
 
 // src/commands/install.ts
-import * as p3 from "@clack/prompts";
-var install_default = defineCommand3({
+import * as p5 from "@clack/prompts";
+var install_default = defineCommand4({
   meta: {
     name: "install",
     description: "Install an MCP server into one or more AI clients"
@@ -842,8 +1436,8 @@ async function restoreFromLockfile() {
     info("Lockfile is empty \u2014 nothing to restore.");
     return;
   }
-  p3.intro(`mcpman install (restore from ${lockPath})`);
-  p3.log.info(`Restoring ${entries.length} server(s)...`);
+  p5.intro(`mcpman install (restore from ${lockPath})`);
+  p5.log.info(`Restoring ${entries.length} server(s)...`);
   for (const [name, entry] of entries) {
     const input = entry.source === "smithery" ? `smithery:${name}` : entry.source === "github" ? entry.resolved : name;
     await installServer(input, {
@@ -851,18 +1445,18 @@ async function restoreFromLockfile() {
       yes: true
     });
   }
-  p3.outro("Restore complete.");
+  p5.outro("Restore complete.");
 }
 
 // src/commands/list.ts
-import { defineCommand as defineCommand4 } from "citty";
-import pc3 from "picocolors";
+import { defineCommand as defineCommand5 } from "citty";
+import pc4 from "picocolors";
 var STATUS_ICON = {
-  healthy: pc3.green("\u25CF"),
-  unhealthy: pc3.red("\u25CF"),
-  unknown: pc3.dim("\u25CB")
+  healthy: pc4.green("\u25CF"),
+  unhealthy: pc4.red("\u25CF"),
+  unknown: pc4.dim("\u25CB")
 };
-var list_default = defineCommand4({
+var list_default = defineCommand5({
   meta: {
     name: "list",
     description: "List installed MCP servers"
@@ -882,7 +1476,7 @@ var list_default = defineCommand4({
     const servers = await getInstalledServers(args.client);
     if (servers.length === 0) {
       const filter = args.client ? ` for client "${args.client}"` : "";
-      console.log(pc3.dim(`No MCP servers installed${filter}. Run ${pc3.cyan("mcpman install <server>")} to get started.`));
+      console.log(pc4.dim(`No MCP servers installed${filter}. Run ${pc4.cyan("mcpman install <server>")} to get started.`));
       return;
     }
     const withStatus = await Promise.all(
@@ -906,8 +1500,8 @@ var list_default = defineCommand4({
     const nameWidth = Math.max(4, ...withStatus.map((s) => s.name.length));
     const clientsWidth = Math.max(7, ...withStatus.map((s) => formatClients(s.clients).length));
     const header = `  ${pad("NAME", nameWidth)}  ${pad("CLIENT(S)", clientsWidth)}  ${pad("COMMAND", 20)}  STATUS`;
-    console.log(pc3.dim(header));
-    console.log(pc3.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
+    console.log(pc4.dim(header));
+    console.log(pc4.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
     for (const s of withStatus) {
       const icon = STATUS_ICON[s.status];
       const clientsStr = formatClients(s.clients);
@@ -915,7 +1509,7 @@ var list_default = defineCommand4({
       console.log(`  ${pad(s.name, nameWidth)}  ${pad(clientsStr, clientsWidth)}  ${pad(cmdStr, 20)}  ${icon} ${s.status}`);
     }
     const clientSet = new Set(withStatus.flatMap((s) => s.clients));
-    console.log(pc3.dim(`
+    console.log(pc4.dim(`
   ${withStatus.length} server${withStatus.length !== 1 ? "s" : ""} \xB7 ${clientSet.size} client${clientSet.size !== 1 ? "s" : ""}`));
   }
 });
@@ -936,9 +1530,9 @@ function formatClients(clients) {
 }
 
 // src/commands/remove.ts
-import { defineCommand as defineCommand5 } from "citty";
-import * as p4 from "@clack/prompts";
-import pc4 from "picocolors";
+import { defineCommand as defineCommand6 } from "citty";
+import * as p6 from "@clack/prompts";
+import pc5 from "picocolors";
 var CLIENT_DISPLAY2 = {
   "claude-desktop": "Claude",
   cursor: "Cursor",
@@ -948,7 +1542,7 @@ var CLIENT_DISPLAY2 = {
 function clientDisplayName(type) {
   return CLIENT_DISPLAY2[type] ?? type;
 }
-var remove_default = defineCommand5({
+var remove_default = defineCommand6({
   meta: {
     name: "remove",
     description: "Remove an MCP server from one or more AI clients"
@@ -975,17 +1569,17 @@ var remove_default = defineCommand5({
     }
   },
   async run({ args }) {
-    p4.intro(pc4.bold("mcpman remove"));
+    p6.intro(pc5.bold("mcpman remove"));
     const serverName = args.server;
     const servers = await getInstalledServers();
     const match = servers.find((s) => s.name === serverName);
     if (!match) {
-      p4.log.warn(`Server "${serverName}" is not installed.`);
+      p6.log.warn(`Server "${serverName}" is not installed.`);
       const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
       if (similar.length > 0) {
-        p4.log.info(`Did you mean: ${similar.map((s) => pc4.cyan(s.name)).join(", ")}?`);
+        p6.log.info(`Did you mean: ${similar.map((s) => pc5.cyan(s.name)).join(", ")}?`);
       }
-      p4.outro("Nothing to remove.");
+      p6.outro("Nothing to remove.");
       return;
     }
     let targetClients;
@@ -993,15 +1587,15 @@ var remove_default = defineCommand5({
       targetClients = match.clients;
     } else if (args.client) {
       if (!match.clients.includes(args.client)) {
-        p4.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
-        p4.outro("Nothing to remove.");
+        p6.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
+        p6.outro("Nothing to remove.");
         return;
       }
       targetClients = [args.client];
     } else if (match.clients.length === 1) {
       targetClients = match.clients;
     } else {
-      const selected = await p4.multiselect({
+      const selected = await p6.multiselect({
         message: `Remove "${serverName}" from which clients?`,
         options: match.clients.map((c) => ({
           value: c,
@@ -1009,19 +1603,19 @@ var remove_default = defineCommand5({
         })),
         required: true
       });
-      if (p4.isCancel(selected)) {
-        p4.outro("Cancelled.");
+      if (p6.isCancel(selected)) {
+        p6.outro("Cancelled.");
         process.exit(0);
       }
       targetClients = selected;
     }
     if (!args.yes) {
       const clientNames = targetClients.map(clientDisplayName).join(", ");
-      const confirmed = await p4.confirm({
-        message: `Remove ${pc4.cyan(serverName)} from ${pc4.yellow(clientNames)}?`
+      const confirmed = await p6.confirm({
+        message: `Remove ${pc5.cyan(serverName)} from ${pc5.yellow(clientNames)}?`
       });
-      if (p4.isCancel(confirmed) || !confirmed) {
-        p4.outro("Cancelled.");
+      if (p6.isCancel(confirmed) || !confirmed) {
+        p6.outro("Cancelled.");
         return;
       }
     }
@@ -1035,24 +1629,597 @@ var remove_default = defineCommand5({
       }
       try {
         await handler.removeServer(serverName);
-        p4.log.success(`Removed from ${clientDisplayName(clientType)}`);
+        p6.log.success(`Removed from ${clientDisplayName(clientType)}`);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         errors.push(`${clientDisplayName(clientType)}: ${msg}`);
       }
     }
     if (errors.length > 0) {
-      for (const e of errors) p4.log.error(e);
-      p4.outro(pc4.red("Completed with errors."));
+      for (const e of errors) p6.log.error(e);
+      p6.outro(pc5.red("Completed with errors."));
+      process.exit(1);
+    }
+    p6.outro(pc5.green(`Removed "${serverName}" successfully.`));
+  }
+});
+
+// src/commands/secrets.ts
+import { defineCommand as defineCommand7 } from "citty";
+import pc6 from "picocolors";
+import * as p7 from "@clack/prompts";
+function maskValue(value) {
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}***${value.slice(-3)}`;
+}
+function parseKeyValue(input) {
+  const idx = input.indexOf("=");
+  if (idx <= 0) return null;
+  return { key: input.slice(0, idx), value: input.slice(idx + 1) };
+}
+var setCommand = defineCommand7({
+  meta: { name: "set", description: "Store an encrypted secret for a server" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name (e.g. @modelcontextprotocol/server-github)",
+      required: true
+    },
+    keyvalue: {
+      type: "positional",
+      description: "KEY=VALUE pair to store",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const parsed = parseKeyValue(args.keyvalue);
+    if (!parsed) {
+      console.error(pc6.red("\u2717") + " Invalid format. Expected KEY=VALUE");
+      process.exit(1);
+    }
+    p7.intro(pc6.cyan("mcpman secrets set"));
+    const isNew = listSecrets(args.server).length === 0 || !listSecrets(args.server)[0]?.keys.includes(parsed.key);
+    const vaultPath = (await import("./vault-service-UTZAV6N6.js")).getVaultPath();
+    const vaultExists = (await import("fs")).existsSync(vaultPath);
+    const password = await getMasterPassword(!vaultExists && isNew);
+    const spin = p7.spinner();
+    spin.start("Encrypting secret...");
+    try {
+      setSecret(args.server, parsed.key, parsed.value, password);
+      spin.stop(
+        `${pc6.green("\u2713")} Stored ${pc6.bold(parsed.key)} for ${pc6.cyan(args.server)}`
+      );
+    } catch (err) {
+      spin.stop(pc6.red("\u2717") + " Failed to store secret");
+      console.error(pc6.dim(String(err)));
+      process.exit(1);
+    }
+    p7.outro(pc6.dim("Secret encrypted and saved to vault."));
+  }
+});
+var listCommand = defineCommand7({
+  meta: { name: "list", description: "List secret keys stored in the vault" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Filter by server name (optional)",
+      required: false
+    }
+  },
+  async run({ args }) {
+    const results = listSecrets(args.server || void 0);
+    if (results.length === 0) {
+      const filter = args.server ? ` for ${pc6.cyan(args.server)}` : "";
+      console.log(pc6.dim(`No secrets stored${filter}.`));
+      return;
+    }
+    console.log("");
+    for (const { server, keys } of results) {
+      console.log(pc6.bold(pc6.cyan(server)));
+      for (const key of keys) {
+        console.log(`  ${pc6.green("\u25CF")} ${pc6.bold(key)}  ${pc6.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
+      }
+      console.log("");
+    }
+    const total = results.reduce((n, r) => n + r.keys.length, 0);
+    console.log(pc6.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
+  }
+});
+var removeCommand = defineCommand7({
+  meta: { name: "remove", description: "Delete a secret from the vault" },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name",
+      required: true
+    },
+    key: {
+      type: "positional",
+      description: "Secret key to remove",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const confirmed = await p7.confirm({
+      message: `Remove ${pc6.bold(args.key)} from ${pc6.cyan(args.server)}?`,
+      initialValue: false
+    });
+    if (p7.isCancel(confirmed) || !confirmed) {
+      p7.cancel("Cancelled.");
+      return;
+    }
+    try {
+      removeSecret(args.server, args.key);
+      console.log(`${pc6.green("\u2713")} Removed ${pc6.bold(args.key)} from ${pc6.cyan(args.server)}`);
+    } catch (err) {
+      console.error(pc6.red("\u2717") + " Failed to remove secret");
+      console.error(pc6.dim(String(err)));
+      process.exit(1);
+    }
+  }
+});
+var secrets_default = defineCommand7({
+  meta: {
+    name: "secrets",
+    description: "Manage encrypted secrets for MCP servers"
+  },
+  subCommands: {
+    set: setCommand,
+    list: listCommand,
+    remove: removeCommand
+  }
+});
+
+// src/commands/sync.ts
+import { defineCommand as defineCommand8 } from "citty";
+import * as p8 from "@clack/prompts";
+import pc7 from "picocolors";
+
+// src/core/config-diff.ts
+function reconstructServerEntry(lockEntry) {
+  const entry = {
+    command: lockEntry.command
+  };
+  if (lockEntry.args && lockEntry.args.length > 0) {
+    entry.args = lockEntry.args;
+  }
+  if (lockEntry.envVars && lockEntry.envVars.length > 0) {
+    entry.env = Object.fromEntries(lockEntry.envVars.map((k) => [k, ""]));
+  }
+  return entry;
+}
+function computeDiff(lockfile, clientConfigs, options = {}) {
+  const actions = [];
+  for (const [server, lockEntry] of Object.entries(lockfile.servers)) {
+    for (const client of lockEntry.clients) {
+      const config = clientConfigs.get(client);
+      if (!config) continue;
+      if (server in config.servers) {
+        actions.push({ server, client, action: "ok" });
+      } else {
+        actions.push({
+          server,
+          client,
+          action: "add",
+          entry: reconstructServerEntry(lockEntry)
+        });
+      }
+    }
+  }
+  const extraAction = options.remove ? "remove" : "extra";
+  for (const [client, config] of clientConfigs) {
+    for (const server of Object.keys(config.servers)) {
+      if (!(server in lockfile.servers)) {
+        actions.push({ server, client, action: extraAction });
+      }
+    }
+  }
+  return actions;
+}
+function computeDiffFromClient(sourceClient, clientConfigs, options = {}) {
+  const actions = [];
+  const sourceConfig = clientConfigs.get(sourceClient);
+  if (!sourceConfig) return [];
+  const extraAction = options.remove ? "remove" : "extra";
+  for (const [client, config] of clientConfigs) {
+    if (client === sourceClient) continue;
+    for (const [server, entry] of Object.entries(sourceConfig.servers)) {
+      if (server in config.servers) {
+        actions.push({ server, client, action: "ok" });
+      } else {
+        actions.push({ server, client, action: "add", entry });
+      }
+    }
+    for (const server of Object.keys(config.servers)) {
+      if (!(server in sourceConfig.servers)) {
+        actions.push({ server, client, action: extraAction });
+      }
+    }
+  }
+  return actions;
+}
+
+// src/core/sync-engine.ts
+async function applySyncActions(actions, clients) {
+  const result = { applied: 0, removed: 0, failed: 0, errors: [] };
+  const addActions = actions.filter((a) => a.action === "add" && a.entry);
+  for (const action of addActions) {
+    const handler = clients.get(action.client);
+    if (!handler || !action.entry) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.addServer(action.server, action.entry);
+      result.applied++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
+  const removeActions = actions.filter((a) => a.action === "remove");
+  for (const action of removeActions) {
+    const handler = clients.get(action.client);
+    if (!handler) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.removeServer(action.server);
+      result.removed++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
+  return result;
+}
+async function getClientConfigs() {
+  const configs = /* @__PURE__ */ new Map();
+  const handlers = /* @__PURE__ */ new Map();
+  let installedClients;
+  try {
+    installedClients = await getInstalledClients();
+  } catch {
+    return { configs, handlers };
+  }
+  await Promise.all(
+    installedClients.map(async (handler) => {
+      try {
+        const config = await handler.readConfig();
+        configs.set(handler.type, config);
+        handlers.set(handler.type, handler);
+      } catch (err) {
+        console.warn(`[mcpman] Warning: could not read config for ${handler.displayName}: ${String(err)}`);
+      }
+    })
+  );
+  return { configs, handlers };
+}
+
+// src/commands/sync.ts
+var VALID_CLIENTS = ["claude-desktop", "cursor", "vscode", "windsurf"];
+var CLIENT_DISPLAY3 = {
+  "claude-desktop": "Claude Desktop",
+  cursor: "Cursor",
+  vscode: "VS Code",
+  windsurf: "Windsurf"
+};
+var sync_default = defineCommand8({
+  meta: {
+    name: "sync",
+    description: "Sync MCP server configs across all detected AI clients"
+  },
+  args: {
+    "dry-run": {
+      type: "boolean",
+      description: "Preview changes without applying them",
+      default: false
+    },
+    remove: {
+      type: "boolean",
+      description: "Remove extra servers not in lockfile",
+      default: false
+    },
+    source: {
+      type: "string",
+      description: "Use a specific client as source of truth (claude-desktop, cursor, vscode, windsurf)"
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt",
+      default: false
+    }
+  },
+  async run({ args }) {
+    p8.intro(`${pc7.cyan("mcpman sync")}`);
+    const sourceClient = args.source;
+    if (sourceClient && !VALID_CLIENTS.includes(sourceClient)) {
+      p8.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
+      process.exit(1);
+    }
+    const spinner5 = p8.spinner();
+    spinner5.start("Detecting clients and reading configs...");
+    const { configs, handlers } = await getClientConfigs();
+    spinner5.stop(`Found ${configs.size} client(s)`);
+    if (configs.size === 0) {
+      p8.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
+      process.exit(0);
+    }
+    const diffOptions = { remove: args.remove };
+    let actions;
+    if (sourceClient) {
+      if (!configs.has(sourceClient)) {
+        p8.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
+        process.exit(1);
+      }
+      p8.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
+      actions = computeDiffFromClient(sourceClient, configs, diffOptions);
+    } else {
+      const lockfile = readLockfile();
+      actions = computeDiff(lockfile, configs, diffOptions);
+    }
+    printDiffTable(actions);
+    const addCount = actions.filter((a) => a.action === "add").length;
+    const extraCount = actions.filter((a) => a.action === "extra").length;
+    const removeCount = actions.filter((a) => a.action === "remove").length;
+    if (addCount === 0 && removeCount === 0 && extraCount === 0) {
+      p8.outro(pc7.green("All clients are in sync."));
+      process.exit(0);
+    }
+    const parts = [];
+    if (addCount > 0) parts.push(pc7.green(`${addCount} to add`));
+    if (removeCount > 0) parts.push(pc7.red(`${removeCount} to remove`));
+    if (extraCount > 0) parts.push(pc7.yellow(`${extraCount} extra (informational)`));
+    p8.log.info(parts.join("  \xB7  "));
+    if (args["dry-run"]) {
+      p8.outro(pc7.dim("Dry run \u2014 no changes applied."));
+      process.exit(1);
+    }
+    if (addCount === 0 && removeCount === 0) {
+      p8.outro(pc7.dim("No additions needed. Extra servers left untouched."));
+      process.exit(1);
+    }
+    if (!args.yes) {
+      const actionParts = [];
+      if (addCount > 0) actionParts.push(`${addCount} addition(s)`);
+      if (removeCount > 0) actionParts.push(`${removeCount} removal(s)`);
+      const confirmed = await p8.confirm({
+        message: `Apply ${actionParts.join(" and ")} to client configs?`,
+        initialValue: true
+      });
+      if (p8.isCancel(confirmed) || !confirmed) {
+        p8.outro(pc7.dim("Cancelled \u2014 no changes applied."));
+        process.exit(0);
+      }
+    }
+    spinner5.start("Applying sync changes...");
+    const result = await applySyncActions(actions, handlers);
+    spinner5.stop("Done");
+    if (result.applied > 0) {
+      p8.log.success(`Added ${result.applied} server(s) to client configs.`);
+    }
+    if (result.removed > 0) {
+      p8.log.success(`Removed ${result.removed} server(s) from client configs.`);
+    }
+    if (result.failed > 0) {
+      for (const e of result.errors) {
+        p8.log.error(`Failed to sync "${e.server}" on ${e.client}: ${e.error}`);
+      }
+    }
+    p8.outro(result.failed === 0 ? pc7.green("Sync complete.") : pc7.yellow("Sync complete with errors."));
+    process.exit(result.failed > 0 ? 1 : 0);
+  }
+});
+function printDiffTable(actions) {
+  if (actions.length === 0) {
+    p8.log.info("No actions to display.");
+    return;
+  }
+  const nameWidth = Math.max(6, ...actions.map((a) => a.server.length));
+  const clientWidth = Math.max(6, ...actions.map((a) => CLIENT_DISPLAY3[a.client]?.length ?? a.client.length));
+  const header = `  ${pad2("SERVER", nameWidth)}  ${pad2("CLIENT", clientWidth)}  STATUS`;
+  console.log(pc7.dim(header));
+  console.log(pc7.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
+  for (const action of actions) {
+    const clientDisplay = CLIENT_DISPLAY3[action.client] ?? action.client;
+    const [icon, statusText] = formatAction(action.action);
+    console.log(`  ${pad2(action.server, nameWidth)}  ${pad2(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
+  }
+  console.log("");
+}
+function formatAction(action) {
+  switch (action) {
+    case "add":
+      return [pc7.green("+"), pc7.green("missing \u2014 will add")];
+    case "extra":
+      return [pc7.yellow("?"), pc7.yellow("extra (not in lockfile)")];
+    case "remove":
+      return [pc7.red("\u2013"), pc7.red("extra \u2014 will remove")];
+    case "ok":
+      return [pc7.dim("\xB7"), pc7.dim("in sync")];
+  }
+}
+function pad2(s, width) {
+  return s.length >= width ? s : s + " ".repeat(width - s.length);
+}
+
+// src/commands/update.ts
+import { defineCommand as defineCommand9 } from "citty";
+import * as p9 from "@clack/prompts";
+import pc9 from "picocolors";
+
+// src/core/update-notifier.ts
+import fs3 from "fs";
+import path4 from "path";
+import os3 from "os";
+import pc8 from "picocolors";
+var CACHE_FILE = path4.join(os3.homedir(), ".mcpman", ".update-check");
+var TTL_MS = 24 * 60 * 60 * 1e3;
+function writeUpdateCache(data) {
+  try {
+    const dir = path4.dirname(CACHE_FILE);
+    if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+    const tmp = `${CACHE_FILE}.tmp`;
+    fs3.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
+    fs3.renameSync(tmp, CACHE_FILE);
+  } catch {
+  }
+}
+
+// src/commands/update.ts
+async function loadClients3() {
+  try {
+    const mod = await import("./client-detector-SUIJSIYM.js");
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+function printTable(updates) {
+  const NAME_W = 28;
+  const VER_W = 10;
+  const header = [
+    "NAME".padEnd(NAME_W),
+    "CURRENT".padEnd(VER_W),
+    "LATEST".padEnd(VER_W),
+    "STATUS"
+  ].join("  ");
+  console.log(pc9.bold(`
+  ${header}`));
+  console.log(pc9.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
+  for (const u of updates) {
+    const nameCol = u.server.slice(0, NAME_W).padEnd(NAME_W);
+    const curCol = u.currentVersion.padEnd(VER_W);
+    const latCol = u.latestVersion.padEnd(VER_W);
+    const statusCol = u.hasUpdate ? pc9.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : pc9.green("Up to date");
+    console.log(`  ${nameCol}  ${curCol}  ${latCol}  ${statusCol}`);
+  }
+  console.log();
+}
+var update_default = defineCommand9({
+  meta: {
+    name: "update",
+    description: "Check for and apply updates to installed MCP servers"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name to update (omit to update all)",
+      required: false
+    },
+    check: {
+      type: "boolean",
+      description: "Check only \u2014 do not apply updates",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt",
+      default: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const lockfile = readLockfile();
+    const servers = lockfile.servers;
+    const targetEntries = args.server ? Object.entries(servers).filter(([name]) => name === args.server) : Object.entries(servers);
+    if (targetEntries.length === 0) {
+      if (args.server) {
+        console.error(`Server '${args.server}' not found in lockfile.`);
+      } else {
+        console.log("No servers installed. Run mcpman install <server> first.");
+      }
+      process.exit(1);
+    }
+    const spinner5 = p9.spinner();
+    spinner5.start("Checking versions...");
+    let updates;
+    try {
+      const partialLock = {
+        lockfileVersion: 1,
+        servers: Object.fromEntries(targetEntries)
+      };
+      updates = await checkAllVersions(partialLock);
+    } catch (err) {
+      spinner5.stop("Version check failed");
+      console.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
-    p4.outro(pc4.green(`Removed "${serverName}" successfully.`));
+    spinner5.stop(`Checked ${updates.length} server(s)`);
+    if (args.json) {
+      console.log(JSON.stringify(updates, null, 2));
+      return;
+    }
+    printTable(updates);
+    const outdated = updates.filter((u) => u.hasUpdate);
+    if (outdated.length === 0) {
+      console.log(pc9.green("  All servers are up to date."));
+      return;
+    }
+    if (args.check) {
+      console.log(pc9.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
+      return;
+    }
+    if (!args.yes) {
+      const confirmed = await p9.confirm({
+        message: `Apply ${outdated.length} update(s)?`,
+        initialValue: true
+      });
+      if (p9.isCancel(confirmed) || !confirmed) {
+        p9.outro("Cancelled.");
+        return;
+      }
+    }
+    const clients = await loadClients3();
+    let successCount = 0;
+    for (const update of outdated) {
+      const s = p9.spinner();
+      s.start(`Updating ${update.server}...`);
+      const result = await applyServerUpdate(
+        update.server,
+        servers[update.server],
+        clients
+      );
+      if (result.success) {
+        s.stop(`${pc9.green("\u2713")} ${update.server}: ${result.fromVersion} \u2192 ${result.toVersion}`);
+        successCount++;
+      } else {
+        s.stop(`${pc9.red("\u2717")} ${update.server}: ${result.error}`);
+      }
+    }
+    const freshLockfile = readLockfile(resolveLockfilePath());
+    const freshUpdates = await checkAllVersions(freshLockfile);
+    writeUpdateCache({ lastCheck: (/* @__PURE__ */ new Date()).toISOString(), updates: freshUpdates });
+    p9.outro(`${successCount} of ${outdated.length} server(s) updated.`);
   }
 });
 
 // src/utils/constants.ts
 var APP_NAME = "mcpman";
-var APP_VERSION = "0.1.1";
+var APP_VERSION = "0.3.0";
 var APP_DESCRIPTION = "The package manager for MCP servers";
 
 // src/index.ts
@@ -1060,7 +2227,7 @@ process.on("SIGINT", () => {
   console.log("\nAborted.");
   process.exit(130);
 });
-var main = defineCommand6({
+var main = defineCommand10({
   meta: {
     name: APP_NAME,
     version: APP_VERSION,
@@ -1071,7 +2238,11 @@ var main = defineCommand6({
     list: list_default,
     remove: remove_default,
     doctor: doctor_default,
-    init: init_default
+    init: init_default,
+    secrets: secrets_default,
+    sync: sync_default,
+    audit: audit_default,
+    update: update_default
   }
 });
 runMain(main);