mcpman 0.2.0 → 0.3.0

package/dist/index.cjs

@@ -159,9 +159,9 @@ async function atomicWrite(filePath, content) {
     throw err;
   }
 }
-async function pathExists(p9) {
+async function pathExists(p11) {
   try {
-    await import_node_fs3.default.promises.access(p9);
+    await import_node_fs3.default.promises.access(p11);
     return true;
   } catch {
     return false;
@@ -482,20 +482,20 @@ function decrypt(entry, password2) {
   ]);
   return decrypted.toString("utf-8");
 }
-async function getMasterPassword(confirm6 = false) {
+async function getMasterPassword(confirm8 = false) {
   if (_cachedPassword) return _cachedPassword;
-  const password2 = await p5.password({
+  const password2 = await p3.password({
     message: "Enter vault master password:",
     validate: (v) => v.length < 8 ? "Password must be at least 8 characters" : void 0
   });
-  if (p5.isCancel(password2)) {
-    p5.cancel("Vault access cancelled.");
+  if (p3.isCancel(password2)) {
+    p3.cancel("Vault access cancelled.");
     process.exit(0);
   }
-  if (confirm6) {
-    const confirm22 = await p5.password({ message: "Confirm master password:" });
-    if (p5.isCancel(confirm22) || confirm22 !== password2) {
-      p5.cancel("Passwords do not match.");
+  if (confirm8) {
+    const confirm22 = await p3.password({ message: "Confirm master password:" });
+    if (p3.isCancel(confirm22) || confirm22 !== password2) {
+      p3.cancel("Passwords do not match.");
       process.exit(1);
     }
   }
@@ -545,7 +545,7 @@ function listSecrets(server, vaultPath = getVaultPath()) {
     keys: Object.keys(keys)
   }));
 }
-var import_node_crypto2, import_node_fs4, import_node_os4, import_node_path6, p5, _cachedPassword;
+var import_node_crypto2, import_node_fs4, import_node_os4, import_node_path6, p3, _cachedPassword;
 var init_vault_service = __esm({
   "src/core/vault-service.ts"() {
     "use strict";
@@ -554,7 +554,7 @@ var init_vault_service = __esm({
     import_node_fs4 = __toESM(require("fs"), 1);
     import_node_os4 = __toESM(require("os"), 1);
     import_node_path6 = __toESM(require("path"), 1);
-    p5 = __toESM(require("@clack/prompts"), 1);
+    p3 = __toESM(require("@clack/prompts"), 1);
     _cachedPassword = null;
     process.on("exit", () => {
       _cachedPassword = null;
@@ -569,6 +569,7 @@ var import_citty10 = require("citty");
 // src/commands/audit.ts
 init_cjs_shims();
 var import_citty = require("citty");
+var p = __toESM(require("@clack/prompts"), 1);
 var import_picocolors = __toESM(require("picocolors"), 1);
 var import_nanospinner = require("nanospinner");
 
@@ -766,17 +767,332 @@ async function scanAllServers(servers, concurrency = 3) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const [name, entry] of entries) {
-    const p9 = scanServer(name, entry).then((r) => {
+    const p11 = scanServer(name, entry).then((r) => {
       results.push(r);
-      executing.delete(p9);
+      executing.delete(p11);
     });
-    executing.add(p9);
+    executing.add(p11);
     if (executing.size >= concurrency) await Promise.race(executing);
   }
   await Promise.all(executing);
   return results;
 }
 
+// src/core/version-checker.ts
+init_cjs_shims();
+function compareVersions(a, b) {
+  const aParts = a.replace(/^v/, "").split(".").map(Number);
+  const bParts = b.replace(/^v/, "").split(".").map(Number);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const aN = aParts[i] ?? 0;
+    const bN = bParts[i] ?? 0;
+    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
+    if (aN < bN) return -1;
+    if (aN > bN) return 1;
+  }
+  return 0;
+}
+function detectUpdateType(current, latest) {
+  const cParts = current.replace(/^v/, "").split(".").map(Number);
+  const lParts = latest.replace(/^v/, "").split(".").map(Number);
+  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
+  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
+  return "patch";
+}
+async function fetchNpmLatest(packageName) {
+  try {
+    const res = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchSmitheryLatest(name) {
+  try {
+    const res = await fetch(
+      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchGithubLatest(resolved) {
+  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  const [, owner, repo] = match;
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
+  } catch {
+    return null;
+  }
+}
+async function checkVersion(name, lockEntry) {
+  const current = lockEntry.version;
+  let latest = null;
+  if (lockEntry.source === "npm") {
+    latest = await fetchNpmLatest(name);
+  } else if (lockEntry.source === "smithery") {
+    latest = await fetchSmitheryLatest(name);
+  } else if (lockEntry.source === "github") {
+    latest = await fetchGithubLatest(lockEntry.resolved);
+  }
+  if (!latest || latest === current) {
+    return {
+      server: name,
+      source: lockEntry.source,
+      currentVersion: current,
+      latestVersion: latest ?? current,
+      hasUpdate: false
+    };
+  }
+  const hasUpdate = compareVersions(current, latest) === -1;
+  return {
+    server: name,
+    source: lockEntry.source,
+    currentVersion: current,
+    latestVersion: latest,
+    hasUpdate,
+    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
+  };
+}
+async function checkAllVersions(lockfile) {
+  const entries = Object.entries(lockfile.servers);
+  if (entries.length === 0) return [];
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p11 = checkVersion(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p11);
+    });
+    executing.add(p11);
+    if (executing.size >= 5) {
+      await Promise.race(executing);
+    }
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/server-updater.ts
+init_cjs_shims();
+
+// src/core/server-resolver.ts
+init_cjs_shims();
+
+// src/core/registry.ts
+init_cjs_shims();
+var import_node_crypto = require("crypto");
+function computeIntegrity(resolvedUrl) {
+  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
+  return `sha512-${hash}`;
+}
+async function resolveFromSmithery(name) {
+  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Server '${name}' not found on Smithery registry`);
+    }
+    if (!res.ok) {
+      throw new Error(`Smithery API error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const command = typeof data.command === "string" ? data.command : "npx";
+  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
+  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
+  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
+  return {
+    name,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command,
+    args,
+    envVars,
+    resolved
+  };
+}
+async function resolveFromNpm(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Package '${packageName}' not found on npm`);
+    }
+    if (!res.ok) {
+      throw new Error(`npm registry error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
+  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
+  const envVars = mcpField?.envVars ? mcpField.envVars : [];
+  return {
+    name: packageName,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", `${packageName}@${version}`],
+    envVars,
+    resolved
+  };
+}
+async function resolveFromGitHub(githubUrl) {
+  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) {
+    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
+  let pkgData = {};
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
+    if (res.ok) {
+      pkgData = await res.json();
+    }
+  } catch {
+  }
+  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
+  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
+  return {
+    name,
+    version,
+    description: typeof pkgData.description === "string" ? pkgData.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", githubUrl],
+    envVars: [],
+    resolved: githubUrl
+  };
+}
+
+// src/core/server-resolver.ts
+function detectSource(input) {
+  if (input.startsWith("smithery:")) {
+    return { type: "smithery", input: input.slice(9) };
+  }
+  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
+    return { type: "github", input };
+  }
+  return { type: "npm", input };
+}
+function parseEnvFlags(envFlags) {
+  if (!envFlags) return {};
+  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
+  const result = {};
+  for (const flag of flags) {
+    const idx = flag.indexOf("=");
+    if (idx > 0) {
+      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+    }
+  }
+  return result;
+}
+async function resolveServer(input) {
+  const source = detectSource(input);
+  switch (source.type) {
+    case "smithery":
+      return resolveFromSmithery(source.input);
+    case "github":
+      return resolveFromGitHub(source.input);
+    case "npm":
+      return resolveFromNpm(source.input);
+  }
+}
+
+// src/core/server-updater.ts
+async function applyServerUpdate(serverName, lockEntry, clients) {
+  const fromVersion = lockEntry.version;
+  const input = lockEntry.source === "smithery" ? `smithery:${serverName}` : lockEntry.source === "github" ? lockEntry.resolved : serverName;
+  try {
+    const metadata = await resolveServer(input);
+    const integrity = computeIntegrity(metadata.resolved);
+    addEntry(serverName, {
+      ...lockEntry,
+      version: metadata.version,
+      resolved: metadata.resolved,
+      integrity,
+      command: metadata.command,
+      args: metadata.args,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const targetClients = clients.filter(
+      (c) => lockEntry.clients.includes(c.type)
+    );
+    for (const client of targetClients) {
+      try {
+        await client.addServer(serverName, {
+          command: metadata.command,
+          args: metadata.args
+        });
+      } catch {
+      }
+    }
+    return {
+      server: serverName,
+      success: true,
+      fromVersion,
+      toVersion: metadata.version
+    };
+  } catch (err) {
+    return {
+      server: serverName,
+      success: false,
+      fromVersion,
+      toVersion: fromVersion,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+
 // src/commands/audit.ts
 function colorRisk(level, score) {
   const label = score !== null ? `${score}/100 (${level})` : level;
@@ -847,7 +1163,12 @@ var audit_default = (0, import_citty.defineCommand)({
     },
     fix: {
       type: "boolean",
-      description: "Show available fix versions for vulnerable packages",
+      description: "Apply updates to fix vulnerable packages",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt (use with --fix)",
       default: false
     }
   },
@@ -908,17 +1229,110 @@ var audit_default = (0, import_citty.defineCommand)({
   Summary: ${parts.join(" | ")}
 `);
     if (args.fix) {
-      const withVulns = reports.filter((r) => r.vulnerabilities.length > 0);
-      if (withVulns.length > 0) {
-        console.log(import_picocolors.default.bold("  Fix suggestions:"));
-        for (const r of withVulns) {
-          console.log(`    ${import_picocolors.default.cyan("\u2192")} Run ${import_picocolors.default.cyan(`mcpman install ${r.server}@latest`)} to update`);
-        }
-        console.log();
-      }
+      await runAuditFix(reports, lockfile.servers, args.yes);
     }
   }
 });
+async function loadClients() {
+  try {
+    const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+async function runAuditFix(reports, servers, skipConfirm) {
+  const npmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source === "npm"
+  );
+  const nonNpmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source !== "npm"
+  );
+  if (nonNpmWithVulns.length > 0) {
+    console.log(import_picocolors.default.yellow("  Non-npm servers require manual update:"));
+    for (const r of nonNpmWithVulns) {
+      console.log(`    ${import_picocolors.default.dim("\u2192")} ${r.server} (${r.source})`);
+    }
+    console.log();
+  }
+  if (npmWithVulns.length === 0) {
+    console.log(import_picocolors.default.green("  No fixable vulnerabilities found.\n"));
+    return;
+  }
+  const versionSpinner = (0, import_nanospinner.createSpinner)("Checking for available updates...").start();
+  const versionChecks = await Promise.all(
+    npmWithVulns.map((r) => checkVersion(r.server, servers[r.server]))
+  );
+  versionSpinner.success({ text: "Version check complete" });
+  const updatable = versionChecks.filter((u) => u.hasUpdate);
+  if (updatable.length === 0) {
+    console.log(import_picocolors.default.yellow(
+      "  Vulnerable servers have no newer versions available yet.\n  Allow time for registry to publish fixes.\n"
+    ));
+    return;
+  }
+  console.log(import_picocolors.default.bold(`
+  ${updatable.length} server(s) can be updated to fix vulnerabilities:
+`));
+  for (const u of updatable) {
+    console.log(`    ${import_picocolors.default.cyan("\u2192")} ${u.server}  ${import_picocolors.default.dim(u.currentVersion)} \u2192 ${import_picocolors.default.green(u.latestVersion)}`);
+  }
+  console.log();
+  if (!skipConfirm) {
+    const confirmed = await p.confirm({
+      message: `Update ${updatable.length} vulnerable server(s)?`,
+      initialValue: true
+    });
+    if (p.isCancel(confirmed) || !confirmed) {
+      p.outro("Cancelled.");
+      return;
+    }
+  }
+  const clients = await loadClients();
+  let successCount = 0;
+  const results = [];
+  for (const u of updatable) {
+    const s = (0, import_nanospinner.createSpinner)(`Updating ${u.server}...`).start();
+    const result = await applyServerUpdate(u.server, servers[u.server], clients);
+    if (result.success) {
+      s.success({ text: `${import_picocolors.default.green("\u2713")} ${u.server}: ${result.fromVersion} \u2192 ${result.toVersion}` });
+      successCount++;
+    } else {
+      s.error({ text: `${import_picocolors.default.red("\u2717")} ${u.server}: ${result.error}` });
+    }
+    results.push({
+      server: u.server,
+      from: result.fromVersion,
+      to: result.toVersion,
+      ok: result.success,
+      error: result.error
+    });
+  }
+  console.log();
+  if (successCount > 0) {
+    const updatedNames = results.filter((r) => r.ok).map((r) => r.server);
+    const freshLockfile = readLockfile();
+    const rescanSpinner = (0, import_nanospinner.createSpinner)("Re-scanning updated servers...").start();
+    const afterReports = await Promise.all(
+      updatedNames.map((name) => scanServer(name, freshLockfile.servers[name]))
+    );
+    rescanSpinner.success({ text: "Re-scan complete" });
+    console.log(import_picocolors.default.bold("\n  Before / After:\n"));
+    for (const after of afterReports) {
+      const before = reports.find((r) => r.server === after.server);
+      const beforeVulns = before?.vulnerabilities.length ?? 0;
+      const afterVulns = after.vulnerabilities.length;
+      const improved = afterVulns < beforeVulns ? import_picocolors.default.green("improved") : import_picocolors.default.yellow("unchanged");
+      console.log(
+        `    ${import_picocolors.default.bold(after.server)}  vulns: ${beforeVulns} \u2192 ${afterVulns}  [${improved}]`
+      );
+    }
+    console.log();
+  }
+  console.log(`
+  ${successCount} of ${updatable.length} server(s) updated.
+`);
+}
 
 // src/commands/doctor.ts
 init_cjs_shims();
@@ -1252,141 +1666,30 @@ function printServerResult(result, showFix) {
       console.log(`      ${import_picocolors2.default.yellow("\u2192")} Fix: ${import_picocolors2.default.cyan(check.fix)}`);
     }
   }
-  console.log();
-}
-async function runParallel(tasks, concurrency) {
-  const results = [];
-  const executing = /* @__PURE__ */ new Set();
-  for (const task of tasks) {
-    const p9 = task().then((r) => {
-      results.push(r);
-      executing.delete(p9);
-    });
-    executing.add(p9);
-    if (executing.size >= concurrency) {
-      await Promise.race(executing);
-    }
-  }
-  await Promise.all(executing);
-  return results;
-}
-
-// src/commands/init.ts
-init_cjs_shims();
-var import_citty3 = require("citty");
-var p = __toESM(require("@clack/prompts"), 1);
-var import_node_path5 = __toESM(require("path"), 1);
-
-// src/core/registry.ts
-init_cjs_shims();
-var import_node_crypto = require("crypto");
-function computeIntegrity(resolvedUrl) {
-  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
-  return `sha512-${hash}`;
-}
-async function resolveFromSmithery(name) {
-  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Server '${name}' not found on Smithery registry`);
-    }
-    if (!res.ok) {
-      throw new Error(`Smithery API error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const command = typeof data.command === "string" ? data.command : "npx";
-  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
-  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
-  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
-  return {
-    name,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command,
-    args,
-    envVars,
-    resolved
-  };
-}
-async function resolveFromNpm(packageName) {
-  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Package '${packageName}' not found on npm`);
-    }
-    if (!res.ok) {
-      throw new Error(`npm registry error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
-  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
-  const envVars = mcpField?.envVars ? mcpField.envVars : [];
-  return {
-    name: packageName,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", `${packageName}@${version}`],
-    envVars,
-    resolved
-  };
+  console.log();
 }
-async function resolveFromGitHub(githubUrl) {
-  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) {
-    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
-  }
-  const [, owner, repo] = match;
-  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
-  let pkgData = {};
-  try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
-    if (res.ok) {
-      pkgData = await res.json();
+async function runParallel(tasks, concurrency) {
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const task of tasks) {
+    const p11 = task().then((r) => {
+      results.push(r);
+      executing.delete(p11);
+    });
+    executing.add(p11);
+    if (executing.size >= concurrency) {
+      await Promise.race(executing);
     }
-  } catch {
   }
-  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
-  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
-  return {
-    name,
-    version,
-    description: typeof pkgData.description === "string" ? pkgData.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", githubUrl],
-    envVars: [],
-    resolved: githubUrl
-  };
+  await Promise.all(executing);
+  return results;
 }
 
 // src/commands/init.ts
+init_cjs_shims();
+var import_citty3 = require("citty");
+var p2 = __toESM(require("@clack/prompts"), 1);
+var import_node_path5 = __toESM(require("path"), 1);
 var init_default = (0, import_citty3.defineCommand)({
   meta: {
     name: "init",
@@ -1402,17 +1705,17 @@ var init_default = (0, import_citty3.defineCommand)({
   },
   async run({ args }) {
     const nonInteractive = args.yes || !process.stdout.isTTY;
-    p.intro("mcpman init");
+    p2.intro("mcpman init");
     const targetPath = import_node_path5.default.join(process.cwd(), LOCKFILE_NAME);
     const existing = findLockfile();
     if (existing) {
       if (nonInteractive) {
-        p.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
+        p2.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
       } else {
-        p.log.warn(`Lockfile already exists: ${existing}`);
-        const overwrite = await p.confirm({ message: "Overwrite?" });
-        if (p.isCancel(overwrite) || !overwrite) {
-          p.outro("Cancelled.");
+        p2.log.warn(`Lockfile already exists: ${existing}`);
+        const overwrite = await p2.confirm({ message: "Overwrite?" });
+        if (p2.isCancel(overwrite) || !overwrite) {
+          p2.outro("Cancelled.");
           return;
         }
       }
@@ -1422,7 +1725,7 @@ var init_default = (0, import_citty3.defineCommand)({
       const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
       clients = await mod.getInstalledClients();
     } catch {
-      p.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
+      p2.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
     }
     const clientServers = [];
     for (const client of clients) {
@@ -1436,26 +1739,26 @@ var init_default = (0, import_citty3.defineCommand)({
     }
     createEmptyLockfile(targetPath);
     if (clientServers.length === 0) {
-      p.log.info("No existing servers found in any client config.");
-      p.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
+      p2.log.info("No existing servers found in any client config.");
+      p2.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
       return;
     }
     let selected;
     if (nonInteractive) {
       selected = clientServers.map((cs) => cs.client.type);
-      p.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
+      p2.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
     } else {
       const options = clientServers.map((cs) => ({
         value: cs.client.type,
         label: `${cs.client.displayName} (${Object.keys(cs.servers).length} servers)`
       }));
-      const toImport = await p.multiselect({
+      const toImport = await p2.multiselect({
         message: "Import existing servers into lockfile?",
         options,
         required: false
       });
-      if (p.isCancel(toImport)) {
-        p.outro(`Created empty ${LOCKFILE_NAME}`);
+      if (p2.isCancel(toImport)) {
+        p2.outro(`Created empty ${LOCKFILE_NAME}`);
         return;
       }
       selected = toImport;
@@ -1481,7 +1784,7 @@ var init_default = (0, import_citty3.defineCommand)({
         importCount++;
       }
     }
-    p.outro(
+    p2.outro(
       `Created ${LOCKFILE_NAME} with ${importCount} server(s) \u2014 commit to version control!`
     );
   }
@@ -1493,45 +1796,44 @@ var import_citty4 = require("citty");
 
 // src/core/installer.ts
 init_cjs_shims();
-var p2 = __toESM(require("@clack/prompts"), 1);
+var p5 = __toESM(require("@clack/prompts"), 1);
 
-// src/core/server-resolver.ts
+// src/core/installer-vault-helpers.ts
 init_cjs_shims();
-function detectSource(input) {
-  if (input.startsWith("smithery:")) {
-    return { type: "smithery", input: input.slice(9) };
-  }
-  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
-    return { type: "github", input };
-  }
-  return { type: "npm", input };
-}
-function parseEnvFlags(envFlags) {
-  if (!envFlags) return {};
-  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
-  const result = {};
-  for (const flag of flags) {
-    const idx = flag.indexOf("=");
-    if (idx > 0) {
-      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+var p4 = __toESM(require("@clack/prompts"), 1);
+init_vault_service();
+async function tryLoadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
     }
+    const password2 = await getMasterPassword();
+    return getSecretsForServer(serverName, password2);
+  } catch {
+    return {};
   }
-  return result;
 }
-async function resolveServer(input) {
-  const source = detectSource(input);
-  switch (source.type) {
-    case "smithery":
-      return resolveFromSmithery(source.input);
-    case "github":
-      return resolveFromGitHub(source.input);
-    case "npm":
-      return resolveFromNpm(source.input);
+async function offerVaultSave(serverName, newVars, yes) {
+  if (Object.keys(newVars).length === 0) return;
+  if (yes) return;
+  try {
+    const save = await p4.confirm({
+      message: `Save ${Object.keys(newVars).length} env var(s) to encrypted vault for future installs?`
+    });
+    if (p4.isCancel(save) || !save) return;
+    const password2 = await getMasterPassword();
+    for (const [key, value] of Object.entries(newVars)) {
+      setSecret(serverName, key, value, password2);
+    }
+    p4.log.success(`Credentials saved to vault for '${serverName}'`);
+  } catch (err) {
+    p4.log.warn(`Could not save to vault: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 
 // src/core/installer.ts
-async function loadClients() {
+async function loadClients2() {
   try {
     const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
     return mod.getInstalledClients();
@@ -1540,65 +1842,68 @@ async function loadClients() {
   }
 }
 async function installServer(input, options = {}) {
-  p2.intro("mcpman install");
-  const spinner5 = p2.spinner();
+  p5.intro("mcpman install");
+  const spinner5 = p5.spinner();
   spinner5.start("Resolving server...");
   let metadata;
   try {
     metadata = await resolveServer(input);
   } catch (err) {
     spinner5.stop("Resolution failed");
-    p2.log.error(err instanceof Error ? err.message : String(err));
+    p5.log.error(err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
   spinner5.stop(`Found: ${metadata.name}@${metadata.version}`);
-  const clients = await loadClients();
+  const clients = await loadClients2();
   if (clients.length === 0) {
-    p2.log.warn("No supported AI clients detected on this machine.");
-    p2.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
+    p5.log.warn("No supported AI clients detected on this machine.");
+    p5.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
     process.exit(1);
   }
   let selectedClients;
   if (options.client) {
     const found = clients.find((c) => c.type === options.client || c.displayName.toLowerCase() === options.client?.toLowerCase());
     if (!found) {
-      p2.log.error(`Client '${options.client}' not found or not installed.`);
-      p2.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
+      p5.log.error(`Client '${options.client}' not found or not installed.`);
+      p5.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
       process.exit(1);
     }
     selectedClients = [found];
   } else if (options.yes || clients.length === 1) {
     selectedClients = clients;
   } else {
-    const chosen = await p2.multiselect({
+    const chosen = await p5.multiselect({
       message: "Install to which client(s)?",
       options: clients.map((c) => ({ value: c.type, label: c.displayName })),
       required: true
     });
-    if (p2.isCancel(chosen)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(chosen)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     selectedClients = clients.filter((c) => chosen.includes(c.type));
   }
   const providedEnv = parseEnvFlags(options.env);
-  const collectedEnv = { ...providedEnv };
+  const vaultEnv = await tryLoadVaultSecrets(metadata.name);
+  const collectedEnv = { ...vaultEnv, ...providedEnv };
+  const newlyEnteredVars = {};
   const requiredVars = metadata.envVars.filter((e) => e.required && !(e.name in collectedEnv));
   for (const envVar of requiredVars) {
     if (options.yes && envVar.default) {
       collectedEnv[envVar.name] = envVar.default;
       continue;
     }
-    const val = await p2.text({
+    const val = await p5.text({
       message: `${envVar.name}${envVar.description ? ` \u2014 ${envVar.description}` : ""}`,
       placeholder: envVar.default ?? "",
       validate: (v) => envVar.required && !v ? "Required" : void 0
     });
-    if (p2.isCancel(val)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(val)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     collectedEnv[envVar.name] = val;
+    newlyEnteredVars[envVar.name] = val;
   }
   const entry = {
     command: metadata.command,
@@ -1613,7 +1918,7 @@ async function installServer(input, options = {}) {
       clientTypes.push(client.type);
     } catch (err) {
       spinner5.stop("Partial failure");
-      p2.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
+      p5.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
   spinner5.stop("Config written");
@@ -1632,8 +1937,9 @@ async function installServer(input, options = {}) {
     clients: clientTypes
   });
   const lockPath = findLockfile() ?? "mcpman.lock (global)";
-  p2.log.success(`Lockfile updated: ${lockPath}`);
-  p2.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
+  p5.log.success(`Lockfile updated: ${lockPath}`);
+  await offerVaultSave(metadata.name, newlyEnteredVars, options.yes ?? false);
+  p5.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
 }
 
 // src/utils/logger.ts
@@ -1658,7 +1964,7 @@ function json(data) {
 }
 
 // src/commands/install.ts
-var p3 = __toESM(require("@clack/prompts"), 1);
+var p6 = __toESM(require("@clack/prompts"), 1);
 var install_default = (0, import_citty4.defineCommand)({
   meta: {
     name: "install",
@@ -1708,8 +2014,8 @@ async function restoreFromLockfile() {
     info("Lockfile is empty \u2014 nothing to restore.");
     return;
   }
-  p3.intro(`mcpman install (restore from ${lockPath})`);
-  p3.log.info(`Restoring ${entries.length} server(s)...`);
+  p6.intro(`mcpman install (restore from ${lockPath})`);
+  p6.log.info(`Restoring ${entries.length} server(s)...`);
   for (const [name, entry] of entries) {
     const input = entry.source === "smithery" ? `smithery:${name}` : entry.source === "github" ? entry.resolved : name;
     await installServer(input, {
@@ -1717,7 +2023,7 @@ async function restoreFromLockfile() {
       yes: true
     });
   }
-  p3.outro("Restore complete.");
+  p6.outro("Restore complete.");
 }
 
 // src/commands/list.ts
@@ -1805,7 +2111,7 @@ function formatClients(clients) {
 // src/commands/remove.ts
 init_cjs_shims();
 var import_citty6 = require("citty");
-var p4 = __toESM(require("@clack/prompts"), 1);
+var p7 = __toESM(require("@clack/prompts"), 1);
 var import_picocolors5 = __toESM(require("picocolors"), 1);
 init_client_detector();
 var CLIENT_DISPLAY2 = {
@@ -1844,17 +2150,17 @@ var remove_default = (0, import_citty6.defineCommand)({
     }
   },
   async run({ args }) {
-    p4.intro(import_picocolors5.default.bold("mcpman remove"));
+    p7.intro(import_picocolors5.default.bold("mcpman remove"));
     const serverName = args.server;
     const servers = await getInstalledServers();
     const match = servers.find((s) => s.name === serverName);
     if (!match) {
-      p4.log.warn(`Server "${serverName}" is not installed.`);
+      p7.log.warn(`Server "${serverName}" is not installed.`);
       const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
       if (similar.length > 0) {
-        p4.log.info(`Did you mean: ${similar.map((s) => import_picocolors5.default.cyan(s.name)).join(", ")}?`);
+        p7.log.info(`Did you mean: ${similar.map((s) => import_picocolors5.default.cyan(s.name)).join(", ")}?`);
       }
-      p4.outro("Nothing to remove.");
+      p7.outro("Nothing to remove.");
       return;
     }
     let targetClients;
@@ -1862,15 +2168,15 @@ var remove_default = (0, import_citty6.defineCommand)({
       targetClients = match.clients;
     } else if (args.client) {
       if (!match.clients.includes(args.client)) {
-        p4.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
-        p4.outro("Nothing to remove.");
+        p7.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
+        p7.outro("Nothing to remove.");
         return;
       }
       targetClients = [args.client];
     } else if (match.clients.length === 1) {
       targetClients = match.clients;
     } else {
-      const selected = await p4.multiselect({
+      const selected = await p7.multiselect({
         message: `Remove "${serverName}" from which clients?`,
         options: match.clients.map((c) => ({
           value: c,
@@ -1878,19 +2184,19 @@ var remove_default = (0, import_citty6.defineCommand)({
         })),
         required: true
       });
-      if (p4.isCancel(selected)) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(selected)) {
+        p7.outro("Cancelled.");
         process.exit(0);
       }
       targetClients = selected;
     }
     if (!args.yes) {
       const clientNames = targetClients.map(clientDisplayName).join(", ");
-      const confirmed = await p4.confirm({
+      const confirmed = await p7.confirm({
         message: `Remove ${import_picocolors5.default.cyan(serverName)} from ${import_picocolors5.default.yellow(clientNames)}?`
       });
-      if (p4.isCancel(confirmed) || !confirmed) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(confirmed) || !confirmed) {
+        p7.outro("Cancelled.");
         return;
       }
     }
@@ -1904,18 +2210,18 @@ var remove_default = (0, import_citty6.defineCommand)({
       }
       try {
         await handler.removeServer(serverName);
-        p4.log.success(`Removed from ${clientDisplayName(clientType)}`);
+        p7.log.success(`Removed from ${clientDisplayName(clientType)}`);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         errors.push(`${clientDisplayName(clientType)}: ${msg}`);
       }
     }
     if (errors.length > 0) {
-      for (const e of errors) p4.log.error(e);
-      p4.outro(import_picocolors5.default.red("Completed with errors."));
+      for (const e of errors) p7.log.error(e);
+      p7.outro(import_picocolors5.default.red("Completed with errors."));
       process.exit(1);
     }
-    p4.outro(import_picocolors5.default.green(`Removed "${serverName}" successfully.`));
+    p7.outro(import_picocolors5.default.green(`Removed "${serverName}" successfully.`));
   }
 });
 
@@ -1923,7 +2229,7 @@ var remove_default = (0, import_citty6.defineCommand)({
 init_cjs_shims();
 var import_citty7 = require("citty");
 var import_picocolors6 = __toESM(require("picocolors"), 1);
-var p6 = __toESM(require("@clack/prompts"), 1);
+var p8 = __toESM(require("@clack/prompts"), 1);
 init_vault_service();
 function maskValue(value) {
   if (value.length <= 8) return "***";
@@ -1954,12 +2260,12 @@ var setCommand = (0, import_citty7.defineCommand)({
       console.error(import_picocolors6.default.red("\u2717") + " Invalid format. Expected KEY=VALUE");
       process.exit(1);
     }
-    p6.intro(import_picocolors6.default.cyan("mcpman secrets set"));
+    p8.intro(import_picocolors6.default.cyan("mcpman secrets set"));
     const isNew = listSecrets(args.server).length === 0 || !listSecrets(args.server)[0]?.keys.includes(parsed.key);
     const vaultPath = (await Promise.resolve().then(() => (init_vault_service(), vault_service_exports))).getVaultPath();
     const vaultExists = (await import("fs")).existsSync(vaultPath);
     const password2 = await getMasterPassword(!vaultExists && isNew);
-    const spin = p6.spinner();
+    const spin = p8.spinner();
     spin.start("Encrypting secret...");
     try {
       setSecret(args.server, parsed.key, parsed.value, password2);
@@ -1971,7 +2277,7 @@ var setCommand = (0, import_citty7.defineCommand)({
       console.error(import_picocolors6.default.dim(String(err)));
       process.exit(1);
     }
-    p6.outro(import_picocolors6.default.dim("Secret encrypted and saved to vault."));
+    p8.outro(import_picocolors6.default.dim("Secret encrypted and saved to vault."));
   }
 });
 var listCommand = (0, import_citty7.defineCommand)({
@@ -2017,12 +2323,12 @@ var removeCommand = (0, import_citty7.defineCommand)({
     }
   },
   async run({ args }) {
-    const confirmed = await p6.confirm({
+    const confirmed = await p8.confirm({
       message: `Remove ${import_picocolors6.default.bold(args.key)} from ${import_picocolors6.default.cyan(args.server)}?`,
       initialValue: false
     });
-    if (p6.isCancel(confirmed) || !confirmed) {
-      p6.cancel("Cancelled.");
+    if (p8.isCancel(confirmed) || !confirmed) {
+      p8.cancel("Cancelled.");
       return;
     }
     try {
@@ -2050,7 +2356,7 @@ var secrets_default = (0, import_citty7.defineCommand)({
 // src/commands/sync.ts
 init_cjs_shims();
 var import_citty8 = require("citty");
-var p7 = __toESM(require("@clack/prompts"), 1);
+var p9 = __toESM(require("@clack/prompts"), 1);
 var import_picocolors7 = __toESM(require("picocolors"), 1);
 
 // src/core/config-diff.ts
@@ -2067,7 +2373,7 @@ function reconstructServerEntry(lockEntry) {
   }
   return entry;
 }
-function computeDiff(lockfile, clientConfigs) {
+function computeDiff(lockfile, clientConfigs, options = {}) {
   const actions = [];
   for (const [server, lockEntry] of Object.entries(lockfile.servers)) {
     for (const client of lockEntry.clients) {
@@ -2085,19 +2391,21 @@ function computeDiff(lockfile, clientConfigs) {
       }
     }
   }
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     for (const server of Object.keys(config.servers)) {
       if (!(server in lockfile.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
   return actions;
 }
-function computeDiffFromClient(sourceClient, clientConfigs) {
+function computeDiffFromClient(sourceClient, clientConfigs, options = {}) {
   const actions = [];
   const sourceConfig = clientConfigs.get(sourceClient);
   if (!sourceConfig) return [];
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     if (client === sourceClient) continue;
     for (const [server, entry] of Object.entries(sourceConfig.servers)) {
@@ -2109,7 +2417,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
     }
     for (const server of Object.keys(config.servers)) {
       if (!(server in sourceConfig.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
@@ -2120,7 +2428,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
 init_cjs_shims();
 init_client_detector();
 async function applySyncActions(actions, clients) {
-  const result = { applied: 0, failed: 0, errors: [] };
+  const result = { applied: 0, removed: 0, failed: 0, errors: [] };
   const addActions = actions.filter((a) => a.action === "add" && a.entry);
   for (const action of addActions) {
     const handler = clients.get(action.client);
@@ -2145,6 +2453,30 @@ async function applySyncActions(actions, clients) {
       });
     }
   }
+  const removeActions = actions.filter((a) => a.action === "remove");
+  for (const action of removeActions) {
+    const handler = clients.get(action.client);
+    if (!handler) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.removeServer(action.server);
+      result.removed++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
   return result;
 }
 async function getClientConfigs() {
@@ -2189,6 +2521,11 @@ var sync_default = (0, import_citty8.defineCommand)({
       description: "Preview changes without applying them",
       default: false
     },
+    remove: {
+      type: "boolean",
+      description: "Remove extra servers not in lockfile",
+      default: false
+    },
     source: {
       type: "string",
       description: "Use a specific client as source of truth (claude-desktop, cursor, vscode, windsurf)"
@@ -2200,58 +2537,64 @@ var sync_default = (0, import_citty8.defineCommand)({
     }
   },
   async run({ args }) {
-    p7.intro(`${import_picocolors7.default.cyan("mcpman sync")}`);
+    p9.intro(`${import_picocolors7.default.cyan("mcpman sync")}`);
     const sourceClient = args.source;
     if (sourceClient && !VALID_CLIENTS.includes(sourceClient)) {
-      p7.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
+      p9.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
       process.exit(1);
     }
-    const spinner5 = p7.spinner();
+    const spinner5 = p9.spinner();
     spinner5.start("Detecting clients and reading configs...");
     const { configs, handlers } = await getClientConfigs();
     spinner5.stop(`Found ${configs.size} client(s)`);
     if (configs.size === 0) {
-      p7.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
+      p9.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
       process.exit(0);
     }
+    const diffOptions = { remove: args.remove };
     let actions;
     if (sourceClient) {
       if (!configs.has(sourceClient)) {
-        p7.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
+        p9.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
         process.exit(1);
       }
-      p7.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
-      actions = computeDiffFromClient(sourceClient, configs);
+      p9.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
+      actions = computeDiffFromClient(sourceClient, configs, diffOptions);
     } else {
       const lockfile = readLockfile();
-      actions = computeDiff(lockfile, configs);
+      actions = computeDiff(lockfile, configs, diffOptions);
     }
     printDiffTable(actions);
     const addCount = actions.filter((a) => a.action === "add").length;
     const extraCount = actions.filter((a) => a.action === "extra").length;
-    if (addCount === 0 && extraCount === 0) {
-      p7.outro(import_picocolors7.default.green("All clients are in sync."));
+    const removeCount = actions.filter((a) => a.action === "remove").length;
+    if (addCount === 0 && removeCount === 0 && extraCount === 0) {
+      p9.outro(import_picocolors7.default.green("All clients are in sync."));
       process.exit(0);
     }
     const parts = [];
     if (addCount > 0) parts.push(import_picocolors7.default.green(`${addCount} to add`));
+    if (removeCount > 0) parts.push(import_picocolors7.default.red(`${removeCount} to remove`));
     if (extraCount > 0) parts.push(import_picocolors7.default.yellow(`${extraCount} extra (informational)`));
-    p7.log.info(parts.join("  \xB7  "));
+    p9.log.info(parts.join("  \xB7  "));
     if (args["dry-run"]) {
-      p7.outro(import_picocolors7.default.dim("Dry run \u2014 no changes applied."));
+      p9.outro(import_picocolors7.default.dim("Dry run \u2014 no changes applied."));
       process.exit(1);
     }
-    if (addCount === 0) {
-      p7.outro(import_picocolors7.default.dim("No additions needed. Extra servers left untouched."));
+    if (addCount === 0 && removeCount === 0) {
+      p9.outro(import_picocolors7.default.dim("No additions needed. Extra servers left untouched."));
       process.exit(1);
     }
     if (!args.yes) {
-      const confirmed = await p7.confirm({
-        message: `Apply ${addCount} addition(s) to client configs?`,
+      const actionParts = [];
+      if (addCount > 0) actionParts.push(`${addCount} addition(s)`);
+      if (removeCount > 0) actionParts.push(`${removeCount} removal(s)`);
+      const confirmed = await p9.confirm({
+        message: `Apply ${actionParts.join(" and ")} to client configs?`,
         initialValue: true
       });
-      if (p7.isCancel(confirmed) || !confirmed) {
-        p7.outro(import_picocolors7.default.dim("Cancelled \u2014 no changes applied."));
+      if (p9.isCancel(confirmed) || !confirmed) {
+        p9.outro(import_picocolors7.default.dim("Cancelled \u2014 no changes applied."));
         process.exit(0);
       }
     }
@@ -2259,20 +2602,23 @@ var sync_default = (0, import_citty8.defineCommand)({
     const result = await applySyncActions(actions, handlers);
     spinner5.stop("Done");
     if (result.applied > 0) {
-      p7.log.success(`Added ${result.applied} server(s) to client configs.`);
+      p9.log.success(`Added ${result.applied} server(s) to client configs.`);
+    }
+    if (result.removed > 0) {
+      p9.log.success(`Removed ${result.removed} server(s) from client configs.`);
     }
     if (result.failed > 0) {
       for (const e of result.errors) {
-        p7.log.error(`Failed to add "${e.server}" to ${e.client}: ${e.error}`);
+        p9.log.error(`Failed to sync "${e.server}" on ${e.client}: ${e.error}`);
       }
     }
-    p7.outro(result.failed === 0 ? import_picocolors7.default.green("Sync complete.") : import_picocolors7.default.yellow("Sync complete with errors."));
+    p9.outro(result.failed === 0 ? import_picocolors7.default.green("Sync complete.") : import_picocolors7.default.yellow("Sync complete with errors."));
     process.exit(result.failed > 0 ? 1 : 0);
   }
 });
 function printDiffTable(actions) {
   if (actions.length === 0) {
-    p7.log.info("No actions to display.");
+    p9.log.info("No actions to display.");
     return;
   }
   const nameWidth = Math.max(6, ...actions.map((a) => a.server.length));
@@ -2293,6 +2639,8 @@ function formatAction(action) {
       return [import_picocolors7.default.green("+"), import_picocolors7.default.green("missing \u2014 will add")];
     case "extra":
       return [import_picocolors7.default.yellow("?"), import_picocolors7.default.yellow("extra (not in lockfile)")];
+    case "remove":
+      return [import_picocolors7.default.red("\u2013"), import_picocolors7.default.red("extra \u2014 will remove")];
     case "ok":
       return [import_picocolors7.default.dim("\xB7"), import_picocolors7.default.dim("in sync")];
   }
@@ -2304,130 +2652,9 @@ function pad2(s, width) {
 // src/commands/update.ts
 init_cjs_shims();
 var import_citty9 = require("citty");
-var p8 = __toESM(require("@clack/prompts"), 1);
+var p10 = __toESM(require("@clack/prompts"), 1);
 var import_picocolors9 = __toESM(require("picocolors"), 1);
 
-// src/core/version-checker.ts
-init_cjs_shims();
-function compareVersions(a, b) {
-  const aParts = a.replace(/^v/, "").split(".").map(Number);
-  const bParts = b.replace(/^v/, "").split(".").map(Number);
-  const len = Math.max(aParts.length, bParts.length);
-  for (let i = 0; i < len; i++) {
-    const aN = aParts[i] ?? 0;
-    const bN = bParts[i] ?? 0;
-    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
-    if (aN < bN) return -1;
-    if (aN > bN) return 1;
-  }
-  return 0;
-}
-function detectUpdateType(current, latest) {
-  const cParts = current.replace(/^v/, "").split(".").map(Number);
-  const lParts = latest.replace(/^v/, "").split(".").map(Number);
-  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
-  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
-  return "patch";
-}
-async function fetchNpmLatest(packageName) {
-  try {
-    const res = await fetch(
-      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchSmitheryLatest(name) {
-  try {
-    const res = await fetch(
-      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchGithubLatest(resolved) {
-  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) return null;
-  const [, owner, repo] = match;
-  try {
-    const res = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
-  } catch {
-    return null;
-  }
-}
-async function checkVersion(name, lockEntry) {
-  const current = lockEntry.version;
-  let latest = null;
-  if (lockEntry.source === "npm") {
-    latest = await fetchNpmLatest(name);
-  } else if (lockEntry.source === "smithery") {
-    latest = await fetchSmitheryLatest(name);
-  } else if (lockEntry.source === "github") {
-    latest = await fetchGithubLatest(lockEntry.resolved);
-  }
-  if (!latest || latest === current) {
-    return {
-      server: name,
-      source: lockEntry.source,
-      currentVersion: current,
-      latestVersion: latest ?? current,
-      hasUpdate: false
-    };
-  }
-  const hasUpdate = compareVersions(current, latest) === -1;
-  return {
-    server: name,
-    source: lockEntry.source,
-    currentVersion: current,
-    latestVersion: latest,
-    hasUpdate,
-    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
-  };
-}
-async function checkAllVersions(lockfile) {
-  const entries = Object.entries(lockfile.servers);
-  if (entries.length === 0) return [];
-  const results = [];
-  const executing = /* @__PURE__ */ new Set();
-  for (const [name, entry] of entries) {
-    const p9 = checkVersion(name, entry).then((r) => {
-      results.push(r);
-      executing.delete(p9);
-    });
-    executing.add(p9);
-    if (executing.size >= 5) {
-      await Promise.race(executing);
-    }
-  }
-  await Promise.all(executing);
-  return results;
-}
-
 // src/core/update-notifier.ts
 init_cjs_shims();
 var import_node_fs5 = __toESM(require("fs"), 1);
@@ -2448,7 +2675,7 @@ function writeUpdateCache(data) {
 }
 
 // src/commands/update.ts
-async function loadClients2() {
+async function loadClients3() {
   try {
     const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
     return mod.getInstalledClients();
@@ -2516,7 +2743,7 @@ var update_default = (0, import_citty9.defineCommand)({
       }
       process.exit(1);
     }
-    const spinner5 = p8.spinner();
+    const spinner5 = p10.spinner();
     spinner5.start("Checking versions...");
     let updates;
     try {
@@ -2546,63 +2773,43 @@ var update_default = (0, import_citty9.defineCommand)({
       return;
     }
     if (!args.yes) {
-      const confirmed = await p8.confirm({
+      const confirmed = await p10.confirm({
         message: `Apply ${outdated.length} update(s)?`,
         initialValue: true
       });
-      if (p8.isCancel(confirmed) || !confirmed) {
-        p8.outro("Cancelled.");
+      if (p10.isCancel(confirmed) || !confirmed) {
+        p10.outro("Cancelled.");
         return;
       }
     }
-    const clients = await loadClients2();
+    const clients = await loadClients3();
     let successCount = 0;
     for (const update of outdated) {
-      const lockEntry = servers[update.server];
-      const input = lockEntry.source === "smithery" ? `smithery:${update.server}` : lockEntry.source === "github" ? lockEntry.resolved : update.server;
-      const s = p8.spinner();
+      const s = p10.spinner();
       s.start(`Updating ${update.server}...`);
-      try {
-        const metadata = await resolveServer(input);
-        const integrity = computeIntegrity(metadata.resolved);
-        addEntry(update.server, {
-          ...lockEntry,
-          version: metadata.version,
-          resolved: metadata.resolved,
-          integrity,
-          command: metadata.command,
-          args: metadata.args,
-          installedAt: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        const entryClients = clients.filter(
-          (c) => lockEntry.clients.includes(c.type)
-        );
-        for (const client of entryClients) {
-          try {
-            await client.addServer(update.server, {
-              command: metadata.command,
-              args: metadata.args
-            });
-          } catch {
-          }
-        }
-        s.stop(`${import_picocolors9.default.green("\u2713")} ${update.server}: ${update.currentVersion} \u2192 ${metadata.version}`);
+      const result = await applyServerUpdate(
+        update.server,
+        servers[update.server],
+        clients
+      );
+      if (result.success) {
+        s.stop(`${import_picocolors9.default.green("\u2713")} ${update.server}: ${result.fromVersion} \u2192 ${result.toVersion}`);
         successCount++;
-      } catch (err) {
-        s.stop(`${import_picocolors9.default.red("\u2717")} ${update.server}: ${err instanceof Error ? err.message : String(err)}`);
+      } else {
+        s.stop(`${import_picocolors9.default.red("\u2717")} ${update.server}: ${result.error}`);
       }
     }
     const freshLockfile = readLockfile(resolveLockfilePath());
     const freshUpdates = await checkAllVersions(freshLockfile);
     writeUpdateCache({ lastCheck: (/* @__PURE__ */ new Date()).toISOString(), updates: freshUpdates });
-    p8.outro(`${successCount} of ${outdated.length} server(s) updated.`);
+    p10.outro(`${successCount} of ${outdated.length} server(s) updated.`);
   }
 });
 
 // src/utils/constants.ts
 init_cjs_shims();
 var APP_NAME = "mcpman";
-var APP_VERSION = "0.2.0";
+var APP_VERSION = "0.3.0";
 var APP_DESCRIPTION = "The package manager for MCP servers";
 
 // src/index.ts