mcpman 0.2.0 → 0.4.0

package/dist/index.cjs

@@ -159,9 +159,9 @@ async function atomicWrite(filePath, content) {
     throw err;
   }
 }
-async function pathExists(p9) {
+async function pathExists(p12) {
   try {
-    await import_node_fs3.default.promises.access(p9);
+    await import_node_fs3.default.promises.access(p12);
     return true;
   } catch {
     return false;
@@ -237,6 +237,12 @@ var init_base_client_handler = __esm({
 function getHomedir() {
   return import_node_os3.default.homedir();
 }
+function getMcpmanDir() {
+  return import_node_path4.default.join(import_node_os3.default.homedir(), ".mcpman");
+}
+function getConfigPath() {
+  return import_node_path4.default.join(getMcpmanDir(), "config.json");
+}
 function getAppDataDir() {
   const home = getHomedir();
   if (process.platform === "darwin") {
@@ -432,12 +438,12 @@ __export(vault_service_exports, {
   writeVault: () => writeVault
 });
 function getVaultPath() {
-  return import_node_path6.default.join(import_node_os4.default.homedir(), ".mcpman", "vault.enc");
+  return import_node_path7.default.join(import_node_os4.default.homedir(), ".mcpman", "vault.enc");
 }
 function readVault(vaultPath = getVaultPath()) {
   const empty = { version: 1, servers: {} };
   try {
-    const raw = import_node_fs4.default.readFileSync(vaultPath, "utf-8");
+    const raw = import_node_fs5.default.readFileSync(vaultPath, "utf-8");
     const parsed = JSON.parse(raw);
     if (parsed.version !== 1 || typeof parsed.servers !== "object") return empty;
     return parsed;
@@ -446,16 +452,16 @@ function readVault(vaultPath = getVaultPath()) {
   }
 }
 function writeVault(data, vaultPath = getVaultPath()) {
-  const dir = import_node_path6.default.dirname(vaultPath);
-  import_node_fs4.default.mkdirSync(dir, { recursive: true });
+  const dir = import_node_path7.default.dirname(vaultPath);
+  import_node_fs5.default.mkdirSync(dir, { recursive: true });
   const tmp = `${vaultPath}.tmp`;
-  import_node_fs4.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
+  import_node_fs5.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
   if (process.platform !== "win32") {
-    import_node_fs4.default.chmodSync(tmp, 384);
+    import_node_fs5.default.chmodSync(tmp, 384);
   }
-  import_node_fs4.default.renameSync(tmp, vaultPath);
+  import_node_fs5.default.renameSync(tmp, vaultPath);
   if (process.platform !== "win32") {
-    import_node_fs4.default.chmodSync(vaultPath, 384);
+    import_node_fs5.default.chmodSync(vaultPath, 384);
   }
 }
 function encrypt(value, password2) {
@@ -482,20 +488,20 @@ function decrypt(entry, password2) {
   ]);
   return decrypted.toString("utf-8");
 }
-async function getMasterPassword(confirm6 = false) {
+async function getMasterPassword(confirm9 = false) {
   if (_cachedPassword) return _cachedPassword;
-  const password2 = await p5.password({
+  const password2 = await p4.password({
     message: "Enter vault master password:",
     validate: (v) => v.length < 8 ? "Password must be at least 8 characters" : void 0
   });
-  if (p5.isCancel(password2)) {
-    p5.cancel("Vault access cancelled.");
+  if (p4.isCancel(password2)) {
+    p4.cancel("Vault access cancelled.");
     process.exit(0);
   }
-  if (confirm6) {
-    const confirm22 = await p5.password({ message: "Confirm master password:" });
-    if (p5.isCancel(confirm22) || confirm22 !== password2) {
-      p5.cancel("Passwords do not match.");
+  if (confirm9) {
+    const confirm22 = await p4.password({ message: "Confirm master password:" });
+    if (p4.isCancel(confirm22) || confirm22 !== password2) {
+      p4.cancel("Passwords do not match.");
       process.exit(1);
     }
   }
@@ -545,16 +551,16 @@ function listSecrets(server, vaultPath = getVaultPath()) {
     keys: Object.keys(keys)
   }));
 }
-var import_node_crypto2, import_node_fs4, import_node_os4, import_node_path6, p5, _cachedPassword;
+var import_node_crypto2, import_node_fs5, import_node_os4, import_node_path7, p4, _cachedPassword;
 var init_vault_service = __esm({
   "src/core/vault-service.ts"() {
     "use strict";
     init_cjs_shims();
     import_node_crypto2 = __toESM(require("crypto"), 1);
-    import_node_fs4 = __toESM(require("fs"), 1);
+    import_node_fs5 = __toESM(require("fs"), 1);
     import_node_os4 = __toESM(require("os"), 1);
-    import_node_path6 = __toESM(require("path"), 1);
-    p5 = __toESM(require("@clack/prompts"), 1);
+    import_node_path7 = __toESM(require("path"), 1);
+    p4 = __toESM(require("@clack/prompts"), 1);
     _cachedPassword = null;
     process.on("exit", () => {
       _cachedPassword = null;
@@ -564,11 +570,12 @@ var init_vault_service = __esm({
 
 // src/index.ts
 init_cjs_shims();
-var import_citty10 = require("citty");
+var import_citty14 = require("citty");
 
 // src/commands/audit.ts
 init_cjs_shims();
 var import_citty = require("citty");
+var p = __toESM(require("@clack/prompts"), 1);
 var import_picocolors = __toESM(require("picocolors"), 1);
 var import_nanospinner = require("nanospinner");
 
@@ -766,181 +773,744 @@ async function scanAllServers(servers, concurrency = 3) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const [name, entry] of entries) {
-    const p9 = scanServer(name, entry).then((r) => {
+    const p12 = scanServer(name, entry).then((r) => {
       results.push(r);
-      executing.delete(p9);
+      executing.delete(p12);
     });
-    executing.add(p9);
+    executing.add(p12);
     if (executing.size >= concurrency) await Promise.race(executing);
   }
   await Promise.all(executing);
   return results;
 }
 
-// src/commands/audit.ts
-function colorRisk(level, score) {
-  const label = score !== null ? `${score}/100 (${level})` : level;
-  if (level === "LOW") return import_picocolors.default.green(label);
-  if (level === "MEDIUM") return import_picocolors.default.yellow(label);
-  if (level === "HIGH") return import_picocolors.default.red(label);
-  if (level === "CRITICAL") return import_picocolors.default.bold(import_picocolors.default.red(label));
-  return import_picocolors.default.dim(label);
-}
-function daysAgo(isoDate) {
-  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
-  if (days === 0) return "today";
-  if (days === 1) return "1 day ago";
-  return `${days} days ago`;
+// src/core/version-checker.ts
+init_cjs_shims();
+function compareVersions(a, b) {
+  const aParts = a.replace(/^v/, "").split(".").map(Number);
+  const bParts = b.replace(/^v/, "").split(".").map(Number);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const aN = aParts[i] ?? 0;
+    const bN = bParts[i] ?? 0;
+    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
+    if (aN < bN) return -1;
+    if (aN > bN) return 1;
+  }
+  return 0;
 }
-function countVulns(vulns) {
-  const c = { critical: 0, high: 0, moderate: 0, low: 0 };
-  for (const v of vulns) c[v.severity]++;
-  if (vulns.length === 0) return import_picocolors.default.green("none");
-  const parts = [];
-  if (c.critical) parts.push(import_picocolors.default.bold(import_picocolors.default.red(`${c.critical} critical`)));
-  if (c.high) parts.push(import_picocolors.default.red(`${c.high} high`));
-  if (c.moderate) parts.push(import_picocolors.default.yellow(`${c.moderate} moderate`));
-  if (c.low) parts.push(import_picocolors.default.dim(`${c.low} low`));
-  return parts.join(", ");
+function detectUpdateType(current, latest) {
+  const cParts = current.replace(/^v/, "").split(".").map(Number);
+  const lParts = latest.replace(/^v/, "").split(".").map(Number);
+  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
+  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
+  return "patch";
 }
-function printReport(report) {
-  const riskColored = colorRisk(report.riskLevel, report.score);
-  const icon = report.riskLevel === "LOW" ? import_picocolors.default.green("\u25CF") : report.riskLevel === "MEDIUM" ? import_picocolors.default.yellow("\u25CF") : report.riskLevel === "UNKNOWN" ? import_picocolors.default.dim("\u25CB") : import_picocolors.default.red("\u25CF");
-  console.log(`  ${icon} ${import_picocolors.default.bold(report.server)}  Score: ${riskColored}`);
-  if (report.source !== "npm") {
-    console.log(`    ${import_picocolors.default.dim("Non-npm source \u2014 security data unavailable")}`);
-    console.log();
-    return;
-  }
-  if (report.metadata) {
-    const { weeklyDownloads, packageAge, lastPublish, maintainerCount, deprecated } = report.metadata;
-    const dlStr = weeklyDownloads.toLocaleString();
-    console.log(
-      `    ${import_picocolors.default.dim("Downloads:")} ${dlStr}/week  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Age:")} ${packageAge}d  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Last publish:")} ${daysAgo(lastPublish)}  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Maintainers:")} ${maintainerCount}` + (deprecated ? import_picocolors.default.red("  [DEPRECATED]") : "")
+async function fetchNpmLatest(packageName) {
+  try {
+    const res = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
     );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
   }
-  console.log(`    ${import_picocolors.default.dim("Vulnerabilities:")} ${countVulns(report.vulnerabilities)}`);
-  if (report.vulnerabilities.length > 0) {
-    for (const v of report.vulnerabilities) {
-      const sevColor = v.severity === "critical" || v.severity === "high" ? import_picocolors.default.red : import_picocolors.default.yellow;
-      const url = v.url ? import_picocolors.default.dim(` ${v.url}`) : "";
-      console.log(`      ${sevColor("\u25B8")} [${v.severity}] ${v.title}${url}`);
-    }
-  }
-  console.log();
 }
-var audit_default = (0, import_citty.defineCommand)({
-  meta: {
-    name: "audit",
-    description: "Scan installed MCP servers for security vulnerabilities and trust scores"
-  },
-  args: {
-    server: {
-      type: "positional",
-      description: "Specific server to audit (omit to audit all)",
-      required: false
-    },
-    json: {
-      type: "boolean",
-      description: "Output results as JSON",
-      default: false
-    },
-    fix: {
-      type: "boolean",
-      description: "Show available fix versions for vulnerable packages",
-      default: false
-    }
-  },
-  async run({ args }) {
-    const lockfile = readLockfile();
-    const { servers } = lockfile;
-    if (Object.keys(servers).length === 0) {
-      console.log(import_picocolors.default.dim("\n  No MCP servers installed. Run mcpman install <server> to get started.\n"));
-      return;
-    }
-    const targets = {};
-    if (args.server) {
-      if (!servers[args.server]) {
-        console.error(import_picocolors.default.red(`
-  Server "${args.server}" not found in lockfile.
-`));
-        process.exit(1);
+async function fetchSmitheryLatest(name) {
+  try {
+    const res = await fetch(
+      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
       }
-      targets[args.server] = servers[args.server];
-    } else {
-      Object.assign(targets, servers);
-    }
-    const spinner5 = (0, import_nanospinner.createSpinner)(`Scanning ${Object.keys(targets).length} server(s)...`).start();
-    let reports;
-    try {
-      reports = args.server ? [await scanServer(args.server, targets[args.server])] : await scanAllServers(targets);
-    } catch (err) {
-      spinner5.error({ text: "Scan failed" });
-      console.error(import_picocolors.default.red(String(err)));
-      process.exit(1);
-    }
-    spinner5.success({ text: `Scanned ${reports.length} server(s)` });
-    if (args.json) {
-      console.log(JSON.stringify(reports, null, 2));
-      return;
-    }
-    console.log(import_picocolors.default.bold("\n  mcpman audit\n"));
-    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
-    for (const report of reports) {
-      printReport(report);
-    }
-    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
-    const withIssues = reports.filter(
-      (r) => r.riskLevel !== "LOW" && r.riskLevel !== "UNKNOWN"
     );
-    const npmReports = reports.filter((r) => r.source === "npm");
-    const parts = [];
-    parts.push(`${reports.length} server(s) scanned`);
-    if (npmReports.length < reports.length) {
-      parts.push(import_picocolors.default.dim(`${reports.length - npmReports.length} non-npm (unverified)`));
-    }
-    if (withIssues.length > 0) {
-      parts.push(import_picocolors.default.yellow(`${withIssues.length} with issues`));
-    } else {
-      parts.push(import_picocolors.default.green("all clear"));
-    }
-    console.log(`
-  Summary: ${parts.join(" | ")}
-`);
-    if (args.fix) {
-      const withVulns = reports.filter((r) => r.vulnerabilities.length > 0);
-      if (withVulns.length > 0) {
-        console.log(import_picocolors.default.bold("  Fix suggestions:"));
-        for (const r of withVulns) {
-          console.log(`    ${import_picocolors.default.cyan("\u2192")} Run ${import_picocolors.default.cyan(`mcpman install ${r.server}@latest`)} to update`);
-        }
-        console.log();
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchGithubLatest(resolved) {
+  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  const [, owner, repo] = match;
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
       }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
+  } catch {
+    return null;
+  }
+}
+async function checkVersion(name, lockEntry) {
+  const current = lockEntry.version;
+  let latest = null;
+  if (lockEntry.source === "npm") {
+    latest = await fetchNpmLatest(name);
+  } else if (lockEntry.source === "smithery") {
+    latest = await fetchSmitheryLatest(name);
+  } else if (lockEntry.source === "github") {
+    latest = await fetchGithubLatest(lockEntry.resolved);
+  }
+  if (!latest || latest === current) {
+    return {
+      server: name,
+      source: lockEntry.source,
+      currentVersion: current,
+      latestVersion: latest ?? current,
+      hasUpdate: false
+    };
+  }
+  const hasUpdate = compareVersions(current, latest) === -1;
+  return {
+    server: name,
+    source: lockEntry.source,
+    currentVersion: current,
+    latestVersion: latest,
+    hasUpdate,
+    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
+  };
+}
+async function checkAllVersions(lockfile) {
+  const entries = Object.entries(lockfile.servers);
+  if (entries.length === 0) return [];
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p12 = checkVersion(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p12);
+    });
+    executing.add(p12);
+    if (executing.size >= 5) {
+      await Promise.race(executing);
     }
   }
-});
+  await Promise.all(executing);
+  return results;
+}
 
-// src/commands/doctor.ts
+// src/core/server-updater.ts
 init_cjs_shims();
-var import_citty2 = require("citty");
-var import_picocolors2 = __toESM(require("picocolors"), 1);
 
-// src/core/server-inventory.ts
+// src/core/server-resolver.ts
 init_cjs_shims();
-init_client_detector();
-async function getInstalledServers(clientFilter) {
-  const clients = await getInstalledClients();
-  const filtered = clientFilter ? clients.filter((c) => c.type === clientFilter) : clients;
-  const serverMap = /* @__PURE__ */ new Map();
-  for (const client of filtered) {
-    let config;
-    try {
-      config = await client.readConfig();
-    } catch {
-      continue;
-    }
-    for (const [name, entry] of Object.entries(config.servers)) {
-      const existing = serverMap.get(name);
+
+// src/core/registry.ts
+init_cjs_shims();
+var import_node_crypto = require("crypto");
+function computeIntegrity(resolvedUrl) {
+  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
+  return `sha512-${hash}`;
+}
+async function resolveFromSmithery(name) {
+  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Server '${name}' not found on Smithery registry`);
+    }
+    if (!res.ok) {
+      throw new Error(`Smithery API error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const command = typeof data.command === "string" ? data.command : "npx";
+  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
+  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
+  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
+  return {
+    name,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command,
+    args,
+    envVars,
+    resolved
+  };
+}
+async function resolveFromNpm(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Package '${packageName}' not found on npm`);
+    }
+    if (!res.ok) {
+      throw new Error(`npm registry error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
+  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
+  const envVars = mcpField?.envVars ? mcpField.envVars : [];
+  return {
+    name: packageName,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", `${packageName}@${version}`],
+    envVars,
+    resolved
+  };
+}
+async function resolveFromGitHub(githubUrl) {
+  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) {
+    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
+  let pkgData = {};
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
+    if (res.ok) {
+      pkgData = await res.json();
+    }
+  } catch {
+  }
+  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
+  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
+  return {
+    name,
+    version,
+    description: typeof pkgData.description === "string" ? pkgData.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", githubUrl],
+    envVars: [],
+    resolved: githubUrl
+  };
+}
+
+// src/core/server-resolver.ts
+function detectSource(input) {
+  if (input.startsWith("smithery:")) {
+    return { type: "smithery", input: input.slice(9) };
+  }
+  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
+    return { type: "github", input };
+  }
+  return { type: "npm", input };
+}
+function parseEnvFlags(envFlags) {
+  if (!envFlags) return {};
+  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
+  const result = {};
+  for (const flag of flags) {
+    const idx = flag.indexOf("=");
+    if (idx > 0) {
+      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+    }
+  }
+  return result;
+}
+async function resolveServer(input) {
+  const source = detectSource(input);
+  switch (source.type) {
+    case "smithery":
+      return resolveFromSmithery(source.input);
+    case "github":
+      return resolveFromGitHub(source.input);
+    case "npm":
+      return resolveFromNpm(source.input);
+  }
+}
+
+// src/core/server-updater.ts
+async function applyServerUpdate(serverName, lockEntry, clients) {
+  const fromVersion = lockEntry.version;
+  const input = lockEntry.source === "smithery" ? `smithery:${serverName}` : lockEntry.source === "github" ? lockEntry.resolved : serverName;
+  try {
+    const metadata = await resolveServer(input);
+    const integrity = computeIntegrity(metadata.resolved);
+    addEntry(serverName, {
+      ...lockEntry,
+      version: metadata.version,
+      resolved: metadata.resolved,
+      integrity,
+      command: metadata.command,
+      args: metadata.args,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const targetClients = clients.filter(
+      (c) => lockEntry.clients.includes(c.type)
+    );
+    for (const client of targetClients) {
+      try {
+        await client.addServer(serverName, {
+          command: metadata.command,
+          args: metadata.args
+        });
+      } catch {
+      }
+    }
+    return {
+      server: serverName,
+      success: true,
+      fromVersion,
+      toVersion: metadata.version
+    };
+  } catch (err) {
+    return {
+      server: serverName,
+      success: false,
+      fromVersion,
+      toVersion: fromVersion,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+
+// src/commands/audit.ts
+function colorRisk(level, score) {
+  const label = score !== null ? `${score}/100 (${level})` : level;
+  if (level === "LOW") return import_picocolors.default.green(label);
+  if (level === "MEDIUM") return import_picocolors.default.yellow(label);
+  if (level === "HIGH") return import_picocolors.default.red(label);
+  if (level === "CRITICAL") return import_picocolors.default.bold(import_picocolors.default.red(label));
+  return import_picocolors.default.dim(label);
+}
+function daysAgo(isoDate) {
+  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "1 day ago";
+  return `${days} days ago`;
+}
+function countVulns(vulns) {
+  const c = { critical: 0, high: 0, moderate: 0, low: 0 };
+  for (const v of vulns) c[v.severity]++;
+  if (vulns.length === 0) return import_picocolors.default.green("none");
+  const parts = [];
+  if (c.critical) parts.push(import_picocolors.default.bold(import_picocolors.default.red(`${c.critical} critical`)));
+  if (c.high) parts.push(import_picocolors.default.red(`${c.high} high`));
+  if (c.moderate) parts.push(import_picocolors.default.yellow(`${c.moderate} moderate`));
+  if (c.low) parts.push(import_picocolors.default.dim(`${c.low} low`));
+  return parts.join(", ");
+}
+function printReport(report) {
+  const riskColored = colorRisk(report.riskLevel, report.score);
+  const icon = report.riskLevel === "LOW" ? import_picocolors.default.green("\u25CF") : report.riskLevel === "MEDIUM" ? import_picocolors.default.yellow("\u25CF") : report.riskLevel === "UNKNOWN" ? import_picocolors.default.dim("\u25CB") : import_picocolors.default.red("\u25CF");
+  console.log(`  ${icon} ${import_picocolors.default.bold(report.server)}  Score: ${riskColored}`);
+  if (report.source !== "npm") {
+    console.log(`    ${import_picocolors.default.dim("Non-npm source \u2014 security data unavailable")}`);
+    console.log();
+    return;
+  }
+  if (report.metadata) {
+    const { weeklyDownloads, packageAge, lastPublish, maintainerCount, deprecated } = report.metadata;
+    const dlStr = weeklyDownloads.toLocaleString();
+    console.log(
+      `    ${import_picocolors.default.dim("Downloads:")} ${dlStr}/week  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Age:")} ${packageAge}d  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Last publish:")} ${daysAgo(lastPublish)}  ${import_picocolors.default.dim("|")}  ${import_picocolors.default.dim("Maintainers:")} ${maintainerCount}` + (deprecated ? import_picocolors.default.red("  [DEPRECATED]") : "")
+    );
+  }
+  console.log(`    ${import_picocolors.default.dim("Vulnerabilities:")} ${countVulns(report.vulnerabilities)}`);
+  if (report.vulnerabilities.length > 0) {
+    for (const v of report.vulnerabilities) {
+      const sevColor = v.severity === "critical" || v.severity === "high" ? import_picocolors.default.red : import_picocolors.default.yellow;
+      const url = v.url ? import_picocolors.default.dim(` ${v.url}`) : "";
+      console.log(`      ${sevColor("\u25B8")} [${v.severity}] ${v.title}${url}`);
+    }
+  }
+  console.log();
+}
+var audit_default = (0, import_citty.defineCommand)({
+  meta: {
+    name: "audit",
+    description: "Scan installed MCP servers for security vulnerabilities and trust scores"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Specific server to audit (omit to audit all)",
+      required: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    },
+    fix: {
+      type: "boolean",
+      description: "Apply updates to fix vulnerable packages",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt (use with --fix)",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const lockfile = readLockfile();
+    const { servers } = lockfile;
+    if (Object.keys(servers).length === 0) {
+      console.log(import_picocolors.default.dim("\n  No MCP servers installed. Run mcpman install <server> to get started.\n"));
+      return;
+    }
+    const targets = {};
+    if (args.server) {
+      if (!servers[args.server]) {
+        console.error(import_picocolors.default.red(`
+  Server "${args.server}" not found in lockfile.
+`));
+        process.exit(1);
+      }
+      targets[args.server] = servers[args.server];
+    } else {
+      Object.assign(targets, servers);
+    }
+    const spinner5 = (0, import_nanospinner.createSpinner)(`Scanning ${Object.keys(targets).length} server(s)...`).start();
+    let reports;
+    try {
+      reports = args.server ? [await scanServer(args.server, targets[args.server])] : await scanAllServers(targets);
+    } catch (err) {
+      spinner5.error({ text: "Scan failed" });
+      console.error(import_picocolors.default.red(String(err)));
+      process.exit(1);
+    }
+    spinner5.success({ text: `Scanned ${reports.length} server(s)` });
+    if (args.json) {
+      console.log(JSON.stringify(reports, null, 2));
+      return;
+    }
+    console.log(import_picocolors.default.bold("\n  mcpman audit\n"));
+    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
+    for (const report of reports) {
+      printReport(report);
+    }
+    console.log(import_picocolors.default.dim("  " + "\u2500".repeat(60)));
+    const withIssues = reports.filter(
+      (r) => r.riskLevel !== "LOW" && r.riskLevel !== "UNKNOWN"
+    );
+    const npmReports = reports.filter((r) => r.source === "npm");
+    const parts = [];
+    parts.push(`${reports.length} server(s) scanned`);
+    if (npmReports.length < reports.length) {
+      parts.push(import_picocolors.default.dim(`${reports.length - npmReports.length} non-npm (unverified)`));
+    }
+    if (withIssues.length > 0) {
+      parts.push(import_picocolors.default.yellow(`${withIssues.length} with issues`));
+    } else {
+      parts.push(import_picocolors.default.green("all clear"));
+    }
+    console.log(`
+  Summary: ${parts.join(" | ")}
+`);
+    if (args.fix) {
+      await runAuditFix(reports, lockfile.servers, args.yes);
+    }
+  }
+});
+async function loadClients() {
+  try {
+    const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+async function runAuditFix(reports, servers, skipConfirm) {
+  const npmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source === "npm"
+  );
+  const nonNpmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source !== "npm"
+  );
+  if (nonNpmWithVulns.length > 0) {
+    console.log(import_picocolors.default.yellow("  Non-npm servers require manual update:"));
+    for (const r of nonNpmWithVulns) {
+      console.log(`    ${import_picocolors.default.dim("\u2192")} ${r.server} (${r.source})`);
+    }
+    console.log();
+  }
+  if (npmWithVulns.length === 0) {
+    console.log(import_picocolors.default.green("  No fixable vulnerabilities found.\n"));
+    return;
+  }
+  const versionSpinner = (0, import_nanospinner.createSpinner)("Checking for available updates...").start();
+  const versionChecks = await Promise.all(
+    npmWithVulns.map((r) => checkVersion(r.server, servers[r.server]))
+  );
+  versionSpinner.success({ text: "Version check complete" });
+  const updatable = versionChecks.filter((u) => u.hasUpdate);
+  if (updatable.length === 0) {
+    console.log(import_picocolors.default.yellow(
+      "  Vulnerable servers have no newer versions available yet.\n  Allow time for registry to publish fixes.\n"
+    ));
+    return;
+  }
+  console.log(import_picocolors.default.bold(`
+  ${updatable.length} server(s) can be updated to fix vulnerabilities:
+`));
+  for (const u of updatable) {
+    console.log(`    ${import_picocolors.default.cyan("\u2192")} ${u.server}  ${import_picocolors.default.dim(u.currentVersion)} \u2192 ${import_picocolors.default.green(u.latestVersion)}`);
+  }
+  console.log();
+  if (!skipConfirm) {
+    const confirmed = await p.confirm({
+      message: `Update ${updatable.length} vulnerable server(s)?`,
+      initialValue: true
+    });
+    if (p.isCancel(confirmed) || !confirmed) {
+      p.outro("Cancelled.");
+      return;
+    }
+  }
+  const clients = await loadClients();
+  let successCount = 0;
+  const results = [];
+  for (const u of updatable) {
+    const s = (0, import_nanospinner.createSpinner)(`Updating ${u.server}...`).start();
+    const result = await applyServerUpdate(u.server, servers[u.server], clients);
+    if (result.success) {
+      s.success({ text: `${import_picocolors.default.green("\u2713")} ${u.server}: ${result.fromVersion} \u2192 ${result.toVersion}` });
+      successCount++;
+    } else {
+      s.error({ text: `${import_picocolors.default.red("\u2717")} ${u.server}: ${result.error}` });
+    }
+    results.push({
+      server: u.server,
+      from: result.fromVersion,
+      to: result.toVersion,
+      ok: result.success,
+      error: result.error
+    });
+  }
+  console.log();
+  if (successCount > 0) {
+    const updatedNames = results.filter((r) => r.ok).map((r) => r.server);
+    const freshLockfile = readLockfile();
+    const rescanSpinner = (0, import_nanospinner.createSpinner)("Re-scanning updated servers...").start();
+    const afterReports = await Promise.all(
+      updatedNames.map((name) => scanServer(name, freshLockfile.servers[name]))
+    );
+    rescanSpinner.success({ text: "Re-scan complete" });
+    console.log(import_picocolors.default.bold("\n  Before / After:\n"));
+    for (const after of afterReports) {
+      const before = reports.find((r) => r.server === after.server);
+      const beforeVulns = before?.vulnerabilities.length ?? 0;
+      const afterVulns = after.vulnerabilities.length;
+      const improved = afterVulns < beforeVulns ? import_picocolors.default.green("improved") : import_picocolors.default.yellow("unchanged");
+      console.log(
+        `    ${import_picocolors.default.bold(after.server)}  vulns: ${beforeVulns} \u2192 ${afterVulns}  [${improved}]`
+      );
+    }
+    console.log();
+  }
+  console.log(`
+  ${successCount} of ${updatable.length} server(s) updated.
+`);
+}
+
+// src/commands/config.ts
+init_cjs_shims();
+var import_citty2 = require("citty");
+var import_picocolors2 = __toESM(require("picocolors"), 1);
+var p2 = __toESM(require("@clack/prompts"), 1);
+
+// src/core/config-service.ts
+init_cjs_shims();
+var import_node_fs4 = __toESM(require("fs"), 1);
+var import_node_path5 = __toESM(require("path"), 1);
+init_paths();
+var VALID_KEYS = /* @__PURE__ */ new Set([
+  "defaultClient",
+  "updateCheckInterval",
+  "preferredRegistry",
+  "vaultTimeout"
+]);
+function readConfig(configPath = getConfigPath()) {
+  try {
+    const raw = import_node_fs4.default.readFileSync(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return {};
+    }
+    return parsed;
+  } catch {
+    return {};
+  }
+}
+function writeConfig(data, configPath = getConfigPath()) {
+  const dir = import_node_path5.default.dirname(configPath);
+  import_node_fs4.default.mkdirSync(dir, { recursive: true });
+  const tmp = `${configPath}.tmp`;
+  import_node_fs4.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { encoding: "utf-8" });
+  import_node_fs4.default.renameSync(tmp, configPath);
+}
+function getConfigValue(key, configPath = getConfigPath()) {
+  const data = readConfig(configPath);
+  if (!VALID_KEYS.has(key)) return void 0;
+  return data[key];
+}
+function setConfigValue(key, value, configPath = getConfigPath()) {
+  const data = readConfig(configPath);
+  if (!VALID_KEYS.has(key)) {
+    throw new Error(`Unknown config key: "${key}". Valid keys: ${[...VALID_KEYS].join(", ")}`);
+  }
+  data[key] = value;
+  writeConfig(data, configPath);
+}
+
+// src/commands/config.ts
+function coerceValue(raw) {
+  if (raw === "true") return true;
+  if (raw === "false") return false;
+  const num = Number(raw);
+  if (!Number.isNaN(num) && raw.trim() !== "") return num;
+  return raw;
+}
+var setCommand = (0, import_citty2.defineCommand)({
+  meta: { name: "set", description: "Set a config value" },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key (e.g. defaultClient)",
+      required: true
+    },
+    value: {
+      type: "positional",
+      description: "Value to set",
+      required: true
+    }
+  },
+  run({ args }) {
+    try {
+      const coerced = coerceValue(args.value);
+      setConfigValue(args.key, coerced);
+      console.log(
+        `${import_picocolors2.default.green("\u2713")} Set ${import_picocolors2.default.bold(args.key)} = ${import_picocolors2.default.cyan(String(coerced))}`
+      );
+    } catch (err) {
+      console.error(`${import_picocolors2.default.red("\u2717")} ${String(err)}`);
+      process.exit(1);
+    }
+  }
+});
+var getCommand = (0, import_citty2.defineCommand)({
+  meta: { name: "get", description: "Get a config value" },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key to read",
+      required: true
+    }
+  },
+  run({ args }) {
+    const val = getConfigValue(args.key);
+    if (val === void 0) {
+      console.log(import_picocolors2.default.dim(`${args.key}: (not set)`));
+    } else {
+      console.log(`${import_picocolors2.default.bold(args.key)}: ${import_picocolors2.default.cyan(String(val))}`);
+    }
+  }
+});
+var listCommand = (0, import_citty2.defineCommand)({
+  meta: { name: "list", description: "List all config values" },
+  run() {
+    const data = readConfig();
+    const entries = Object.entries(data);
+    if (entries.length === 0) {
+      console.log(import_picocolors2.default.dim("No config values set. Use `mcpman config set <key> <value>`."));
+      return;
+    }
+    console.log("");
+    console.log(import_picocolors2.default.bold("mcpman config:"));
+    console.log("");
+    for (const [key, val] of entries) {
+      console.log(`  ${import_picocolors2.default.green("\u25CF")} ${import_picocolors2.default.bold(key)}  ${import_picocolors2.default.cyan(String(val))}`);
+    }
+    console.log("");
+    console.log(import_picocolors2.default.dim(`  ${entries.length} key${entries.length !== 1 ? "s" : ""} configured`));
+  }
+});
+var resetCommand = (0, import_citty2.defineCommand)({
+  meta: { name: "reset", description: "Reset config to defaults (removes config file)" },
+  async run() {
+    const confirmed = await p2.confirm({
+      message: "Reset all config values to defaults?",
+      initialValue: false
+    });
+    if (p2.isCancel(confirmed) || !confirmed) {
+      p2.cancel("Cancelled.");
+      return;
+    }
+    writeConfig({});
+    console.log(`${import_picocolors2.default.green("\u2713")} Config reset to defaults.`);
+  }
+});
+var config_default = (0, import_citty2.defineCommand)({
+  meta: {
+    name: "config",
+    description: "Manage mcpman CLI configuration"
+  },
+  subCommands: {
+    set: setCommand,
+    get: getCommand,
+    list: listCommand,
+    reset: resetCommand
+  }
+});
+
+// src/commands/doctor.ts
+init_cjs_shims();
+var import_citty3 = require("citty");
+var import_picocolors3 = __toESM(require("picocolors"), 1);
+
+// src/core/server-inventory.ts
+init_cjs_shims();
+init_client_detector();
+async function getInstalledServers(clientFilter) {
+  const clients = await getInstalledClients();
+  const filtered = clientFilter ? clients.filter((c) => c.type === clientFilter) : clients;
+  const serverMap = /* @__PURE__ */ new Map();
+  for (const client of filtered) {
+    let config;
+    try {
+      config = await client.readConfig();
+    } catch {
+      continue;
+    }
+    for (const [name, entry] of Object.entries(config.servers)) {
+      const existing = serverMap.get(name);
       if (existing) {
         if (!existing.clients.includes(client.type)) {
           existing.clients.push(client.type);
@@ -1194,12 +1764,12 @@ async function quickHealthProbe(config, timeoutMs = 3e3) {
 
 // src/commands/doctor.ts
 var CHECK_ICON = {
-  pass: import_picocolors2.default.green("\u2713"),
-  fail: import_picocolors2.default.red("\u2717"),
-  skip: import_picocolors2.default.dim("-"),
-  warn: import_picocolors2.default.yellow("\u26A0")
+  pass: import_picocolors3.default.green("\u2713"),
+  fail: import_picocolors3.default.red("\u2717"),
+  skip: import_picocolors3.default.dim("-"),
+  warn: import_picocolors3.default.yellow("\u26A0")
 };
-var doctor_default = (0, import_citty2.defineCommand)({
+var doctor_default = (0, import_citty3.defineCommand)({
   meta: {
     name: "doctor",
     description: "Check MCP server health and configuration"
@@ -1212,10 +1782,10 @@ var doctor_default = (0, import_citty2.defineCommand)({
     }
   },
   async run({ args }) {
-    console.log(import_picocolors2.default.bold("\n  mcpman doctor\n"));
+    console.log(import_picocolors3.default.bold("\n  mcpman doctor\n"));
     const servers = await getInstalledServers();
     if (servers.length === 0) {
-      console.log(import_picocolors2.default.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
+      console.log(import_picocolors3.default.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
       return;
     }
     const tasks = servers.map((s) => () => checkServerHealth(s.name, s.config));
@@ -1227,14 +1797,14 @@ var doctor_default = (0, import_citty2.defineCommand)({
       if (result.status === "healthy") passed++;
       else failed++;
     }
-    console.log(import_picocolors2.default.dim("  " + "\u2500".repeat(50)));
+    console.log(import_picocolors3.default.dim("  " + "\u2500".repeat(50)));
     const parts = [];
-    if (passed > 0) parts.push(import_picocolors2.default.green(`${passed} healthy`));
-    if (failed > 0) parts.push(import_picocolors2.default.red(`${failed} unhealthy`));
+    if (passed > 0) parts.push(import_picocolors3.default.green(`${passed} healthy`));
+    if (failed > 0) parts.push(import_picocolors3.default.red(`${failed} unhealthy`));
     console.log(`  Summary: ${parts.join(", ")}`);
     if (failed > 0) {
       if (!args.fix) {
-        console.log(import_picocolors2.default.dim(`  Run ${import_picocolors2.default.cyan("mcpman doctor --fix")} for fix suggestions.
+        console.log(import_picocolors3.default.dim(`  Run ${import_picocolors3.default.cyan("mcpman doctor --fix")} for fix suggestions.
 `));
       }
       process.exit(1);
@@ -1243,13 +1813,13 @@ var doctor_default = (0, import_citty2.defineCommand)({
   }
 });
 function printServerResult(result, showFix) {
-  const icon = result.status === "healthy" ? import_picocolors2.default.green("\u25CF") : import_picocolors2.default.red("\u25CF");
-  console.log(`  ${icon} ${import_picocolors2.default.bold(result.serverName)}`);
+  const icon = result.status === "healthy" ? import_picocolors3.default.green("\u25CF") : import_picocolors3.default.red("\u25CF");
+  console.log(`  ${icon} ${import_picocolors3.default.bold(result.serverName)}`);
   for (const check of result.checks) {
     const checkIcon = check.skipped ? CHECK_ICON.skip : check.passed ? CHECK_ICON.pass : CHECK_ICON.fail;
     console.log(`    ${checkIcon} ${check.name}: ${check.message}`);
     if (showFix && !check.passed && !check.skipped && check.fix) {
-      console.log(`      ${import_picocolors2.default.yellow("\u2192")} Fix: ${import_picocolors2.default.cyan(check.fix)}`);
+      console.log(`      ${import_picocolors3.default.yellow("\u2192")} Fix: ${import_picocolors3.default.cyan(check.fix)}`);
     }
   }
   console.log();
@@ -1258,11 +1828,11 @@ async function runParallel(tasks, concurrency) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const task of tasks) {
-    const p9 = task().then((r) => {
+    const p12 = task().then((r) => {
       results.push(r);
-      executing.delete(p9);
+      executing.delete(p12);
     });
-    executing.add(p9);
+    executing.add(p12);
     if (executing.size >= concurrency) {
       await Promise.race(executing);
     }
@@ -1271,123 +1841,177 @@ async function runParallel(tasks, concurrency) {
   return results;
 }
 
-// src/commands/init.ts
+// src/commands/info.ts
 init_cjs_shims();
-var import_citty3 = require("citty");
-var p = __toESM(require("@clack/prompts"), 1);
-var import_node_path5 = __toESM(require("path"), 1);
+var import_citty4 = require("citty");
+var import_picocolors4 = __toESM(require("picocolors"), 1);
+var import_nanospinner2 = require("nanospinner");
 
-// src/core/registry.ts
+// src/core/package-info.ts
 init_cjs_shims();
-var import_node_crypto = require("crypto");
-function computeIntegrity(resolvedUrl) {
-  const hash = (0, import_node_crypto.createHash)("sha512").update(resolvedUrl).digest("base64");
-  return `sha512-${hash}`;
-}
-async function resolveFromSmithery(name) {
-  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Server '${name}' not found on Smithery registry`);
-    }
-    if (!res.ok) {
-      throw new Error(`Smithery API error: ${res.status}`);
+init_trust_scorer();
+async function buildInfo(name, entry, source = "npm") {
+  const resolvedSource = entry?.source ?? source;
+  let weeklyDownloads = 0;
+  let maintainerCount = 0;
+  let packageAge = 0;
+  let lastPublish = "";
+  let deprecated = false;
+  let trustScore = null;
+  let riskLevel = "UNKNOWN";
+  if (resolvedSource === "npm") {
+    const metadata = await fetchNpmMetadata(name);
+    if (!metadata && !entry) {
+      return null;
+    }
+    if (metadata) {
+      weeklyDownloads = metadata.weeklyDownloads;
+      maintainerCount = metadata.maintainerCount;
+      packageAge = metadata.packageAge;
+      lastPublish = metadata.lastPublish;
+      deprecated = metadata.deprecated;
+      const scored = computeTrustScore(metadata, []);
+      trustScore = scored.score;
+      riskLevel = scored.riskLevel;
     }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
-    );
   }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const command = typeof data.command === "string" ? data.command : "npx";
-  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
-  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
-  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
   return {
     name,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command,
-    args,
-    envVars,
-    resolved
+    version: entry?.version ?? "unknown",
+    description: "",
+    source: resolvedSource,
+    runtime: entry?.runtime ?? "node",
+    envVars: entry?.envVars ?? [],
+    weeklyDownloads,
+    maintainerCount,
+    packageAge,
+    lastPublish,
+    deprecated,
+    trustScore,
+    riskLevel,
+    installedClients: entry?.clients ?? [],
+    isInstalled: entry !== null
   };
 }
-async function resolveFromNpm(packageName) {
-  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Package '${packageName}' not found on npm`);
-    }
-    if (!res.ok) {
-      throw new Error(`npm registry error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
-    );
-  }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
-  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
-  const envVars = mcpField?.envVars ? mcpField.envVars : [];
-  return {
-    name: packageName,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", `${packageName}@${version}`],
-    envVars,
-    resolved
-  };
+async function getPackageInfo(serverName) {
+  const lockfile = readLockfile();
+  const entry = lockfile.servers[serverName] ?? null;
+  return buildInfo(serverName, entry);
 }
-async function resolveFromGitHub(githubUrl) {
-  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) {
-    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+
+// src/commands/info.ts
+function colorRisk2(score, riskLevel) {
+  const label = score !== null ? `${score}/100 (${riskLevel})` : riskLevel;
+  if (riskLevel === "LOW") return import_picocolors4.default.green(label);
+  if (riskLevel === "MEDIUM") return import_picocolors4.default.yellow(label);
+  if (riskLevel === "HIGH") return import_picocolors4.default.red(label);
+  if (riskLevel === "CRITICAL") return import_picocolors4.default.bold(import_picocolors4.default.red(label));
+  return import_picocolors4.default.dim(label);
+}
+function formatDaysAgo(isoDate) {
+  if (!isoDate) return "unknown";
+  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "1 day ago";
+  return `${days} days ago`;
+}
+function printInfo(info2) {
+  const installedBadge = info2.isInstalled ? import_picocolors4.default.green(" [installed]") : import_picocolors4.default.dim(" [not installed]");
+  console.log();
+  console.log(import_picocolors4.default.bold(`  ${info2.name}@${info2.version}`) + installedBadge);
+  console.log(import_picocolors4.default.dim("  " + "\u2500".repeat(60)));
+  console.log(`  ${import_picocolors4.default.dim("Source:")}   ${info2.source}`);
+  console.log(`  ${import_picocolors4.default.dim("Runtime:")}  ${info2.runtime}`);
+  if (info2.description) {
+    console.log(`  ${import_picocolors4.default.dim("Description:")} ${info2.description}`);
+  }
+  if (info2.deprecated) {
+    console.log(`  ${import_picocolors4.default.red("[DEPRECATED]")} This package is deprecated`);
+  }
+  console.log();
+  console.log(`  ${import_picocolors4.default.bold("Trust & Security")}`);
+  console.log(`  ${import_picocolors4.default.dim("Trust score:")}   ${colorRisk2(info2.trustScore, info2.riskLevel)}`);
+  if (info2.source === "npm") {
+    console.log(
+      `  ${import_picocolors4.default.dim("Downloads:")}    ${info2.weeklyDownloads.toLocaleString()}/week  ${import_picocolors4.default.dim("|")}  ${import_picocolors4.default.dim("Age:")} ${info2.packageAge}d  ${import_picocolors4.default.dim("|")}  ${import_picocolors4.default.dim("Maintainers:")} ${info2.maintainerCount}`
+    );
+    if (info2.lastPublish) {
+      console.log(`  ${import_picocolors4.default.dim("Last publish:")} ${formatDaysAgo(info2.lastPublish)}`);
+    }
+  } else {
+    console.log(import_picocolors4.default.dim("  (Trust data available for npm packages only)"));
   }
-  const [, owner, repo] = match;
-  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
-  let pkgData = {};
-  try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
-    if (res.ok) {
-      pkgData = await res.json();
+  console.log();
+  console.log(`  ${import_picocolors4.default.bold("Environment Variables")}`);
+  if (info2.envVars.length > 0) {
+    for (const env of info2.envVars) {
+      console.log(`    ${import_picocolors4.default.cyan("\u2022")} ${env}`);
     }
-  } catch {
+  } else {
+    console.log(import_picocolors4.default.dim("    none required"));
   }
-  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
-  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
-  return {
-    name,
-    version,
-    description: typeof pkgData.description === "string" ? pkgData.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", githubUrl],
-    envVars: [],
-    resolved: githubUrl
-  };
+  console.log();
+  console.log(`  ${import_picocolors4.default.bold("Installed Clients")}`);
+  if (info2.installedClients.length > 0) {
+    for (const client of info2.installedClients) {
+      console.log(`    ${import_picocolors4.default.green("\u2713")} ${client}`);
+    }
+  } else {
+    console.log(import_picocolors4.default.dim("    Not installed in any client"));
+  }
+  console.log();
+  console.log(import_picocolors4.default.dim("  " + "\u2500".repeat(60)));
+  console.log();
 }
+var info_default = (0, import_citty4.defineCommand)({
+  meta: {
+    name: "info",
+    description: "Show detailed metadata for an MCP server (installed or from registry)"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name (e.g. @modelcontextprotocol/server-filesystem)",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const spinner5 = (0, import_nanospinner2.createSpinner)(`Fetching info for ${args.server}...`).start();
+    let info2;
+    try {
+      info2 = await getPackageInfo(args.server);
+    } catch (err) {
+      spinner5.error({ text: "Failed to fetch package info" });
+      console.error(import_picocolors4.default.red(String(err)));
+      process.exit(1);
+    }
+    if (!info2) {
+      spinner5.error({ text: `Package not found: ${args.server}` });
+      console.log(import_picocolors4.default.dim(`
+  "${args.server}" was not found in the npm registry or your lockfile.
+`));
+      process.exit(1);
+    }
+    spinner5.success({ text: `Found ${args.server}` });
+    if (args.json) {
+      console.log(JSON.stringify(info2, null, 2));
+      return;
+    }
+    printInfo(info2);
+  }
+});
 
 // src/commands/init.ts
-var init_default = (0, import_citty3.defineCommand)({
+init_cjs_shims();
+var import_citty5 = require("citty");
+var p3 = __toESM(require("@clack/prompts"), 1);
+var import_node_path6 = __toESM(require("path"), 1);
+var init_default = (0, import_citty5.defineCommand)({
   meta: {
     name: "init",
     description: "Initialize mcpman.lock in the current project"
@@ -1402,17 +2026,17 @@ var init_default = (0, import_citty3.defineCommand)({
   },
   async run({ args }) {
     const nonInteractive = args.yes || !process.stdout.isTTY;
-    p.intro("mcpman init");
-    const targetPath = import_node_path5.default.join(process.cwd(), LOCKFILE_NAME);
+    p3.intro("mcpman init");
+    const targetPath = import_node_path6.default.join(process.cwd(), LOCKFILE_NAME);
     const existing = findLockfile();
     if (existing) {
       if (nonInteractive) {
-        p.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
+        p3.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
       } else {
-        p.log.warn(`Lockfile already exists: ${existing}`);
-        const overwrite = await p.confirm({ message: "Overwrite?" });
-        if (p.isCancel(overwrite) || !overwrite) {
-          p.outro("Cancelled.");
+        p3.log.warn(`Lockfile already exists: ${existing}`);
+        const overwrite = await p3.confirm({ message: "Overwrite?" });
+        if (p3.isCancel(overwrite) || !overwrite) {
+          p3.outro("Cancelled.");
           return;
         }
       }
@@ -1422,7 +2046,7 @@ var init_default = (0, import_citty3.defineCommand)({
       const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
       clients = await mod.getInstalledClients();
     } catch {
-      p.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
+      p3.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
     }
     const clientServers = [];
     for (const client of clients) {
@@ -1436,26 +2060,26 @@ var init_default = (0, import_citty3.defineCommand)({
     }
     createEmptyLockfile(targetPath);
     if (clientServers.length === 0) {
-      p.log.info("No existing servers found in any client config.");
-      p.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
+      p3.log.info("No existing servers found in any client config.");
+      p3.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
       return;
     }
     let selected;
     if (nonInteractive) {
       selected = clientServers.map((cs) => cs.client.type);
-      p.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
+      p3.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
     } else {
       const options = clientServers.map((cs) => ({
         value: cs.client.type,
         label: `${cs.client.displayName} (${Object.keys(cs.servers).length} servers)`
       }));
-      const toImport = await p.multiselect({
+      const toImport = await p3.multiselect({
         message: "Import existing servers into lockfile?",
         options,
         required: false
       });
-      if (p.isCancel(toImport)) {
-        p.outro(`Created empty ${LOCKFILE_NAME}`);
+      if (p3.isCancel(toImport)) {
+        p3.outro(`Created empty ${LOCKFILE_NAME}`);
         return;
       }
       selected = toImport;
@@ -1481,7 +2105,7 @@ var init_default = (0, import_citty3.defineCommand)({
         importCount++;
       }
     }
-    p.outro(
+    p3.outro(
       `Created ${LOCKFILE_NAME} with ${importCount} server(s) \u2014 commit to version control!`
     );
   }
@@ -1489,49 +2113,48 @@ var init_default = (0, import_citty3.defineCommand)({
 
 // src/commands/install.ts
 init_cjs_shims();
-var import_citty4 = require("citty");
+var import_citty6 = require("citty");
 
 // src/core/installer.ts
 init_cjs_shims();
-var p2 = __toESM(require("@clack/prompts"), 1);
+var p6 = __toESM(require("@clack/prompts"), 1);
 
-// src/core/server-resolver.ts
+// src/core/installer-vault-helpers.ts
 init_cjs_shims();
-function detectSource(input) {
-  if (input.startsWith("smithery:")) {
-    return { type: "smithery", input: input.slice(9) };
-  }
-  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
-    return { type: "github", input };
-  }
-  return { type: "npm", input };
-}
-function parseEnvFlags(envFlags) {
-  if (!envFlags) return {};
-  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
-  const result = {};
-  for (const flag of flags) {
-    const idx = flag.indexOf("=");
-    if (idx > 0) {
-      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+var p5 = __toESM(require("@clack/prompts"), 1);
+init_vault_service();
+async function tryLoadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
     }
+    const password2 = await getMasterPassword();
+    return getSecretsForServer(serverName, password2);
+  } catch {
+    return {};
   }
-  return result;
 }
-async function resolveServer(input) {
-  const source = detectSource(input);
-  switch (source.type) {
-    case "smithery":
-      return resolveFromSmithery(source.input);
-    case "github":
-      return resolveFromGitHub(source.input);
-    case "npm":
-      return resolveFromNpm(source.input);
+async function offerVaultSave(serverName, newVars, yes) {
+  if (Object.keys(newVars).length === 0) return;
+  if (yes) return;
+  try {
+    const save = await p5.confirm({
+      message: `Save ${Object.keys(newVars).length} env var(s) to encrypted vault for future installs?`
+    });
+    if (p5.isCancel(save) || !save) return;
+    const password2 = await getMasterPassword();
+    for (const [key, value] of Object.entries(newVars)) {
+      setSecret(serverName, key, value, password2);
+    }
+    p5.log.success(`Credentials saved to vault for '${serverName}'`);
+  } catch (err) {
+    p5.log.warn(`Could not save to vault: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 
 // src/core/installer.ts
-async function loadClients() {
+async function loadClients2() {
   try {
     const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
     return mod.getInstalledClients();
@@ -1540,65 +2163,68 @@ async function loadClients() {
   }
 }
 async function installServer(input, options = {}) {
-  p2.intro("mcpman install");
-  const spinner5 = p2.spinner();
+  p6.intro("mcpman install");
+  const spinner5 = p6.spinner();
   spinner5.start("Resolving server...");
   let metadata;
   try {
     metadata = await resolveServer(input);
   } catch (err) {
     spinner5.stop("Resolution failed");
-    p2.log.error(err instanceof Error ? err.message : String(err));
+    p6.log.error(err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
   spinner5.stop(`Found: ${metadata.name}@${metadata.version}`);
-  const clients = await loadClients();
+  const clients = await loadClients2();
   if (clients.length === 0) {
-    p2.log.warn("No supported AI clients detected on this machine.");
-    p2.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
+    p6.log.warn("No supported AI clients detected on this machine.");
+    p6.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
     process.exit(1);
   }
   let selectedClients;
   if (options.client) {
     const found = clients.find((c) => c.type === options.client || c.displayName.toLowerCase() === options.client?.toLowerCase());
     if (!found) {
-      p2.log.error(`Client '${options.client}' not found or not installed.`);
-      p2.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
+      p6.log.error(`Client '${options.client}' not found or not installed.`);
+      p6.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
       process.exit(1);
     }
     selectedClients = [found];
   } else if (options.yes || clients.length === 1) {
     selectedClients = clients;
   } else {
-    const chosen = await p2.multiselect({
+    const chosen = await p6.multiselect({
       message: "Install to which client(s)?",
       options: clients.map((c) => ({ value: c.type, label: c.displayName })),
       required: true
     });
-    if (p2.isCancel(chosen)) {
-      p2.outro("Cancelled.");
+    if (p6.isCancel(chosen)) {
+      p6.outro("Cancelled.");
       process.exit(0);
     }
     selectedClients = clients.filter((c) => chosen.includes(c.type));
   }
   const providedEnv = parseEnvFlags(options.env);
-  const collectedEnv = { ...providedEnv };
+  const vaultEnv = await tryLoadVaultSecrets(metadata.name);
+  const collectedEnv = { ...vaultEnv, ...providedEnv };
+  const newlyEnteredVars = {};
   const requiredVars = metadata.envVars.filter((e) => e.required && !(e.name in collectedEnv));
   for (const envVar of requiredVars) {
     if (options.yes && envVar.default) {
       collectedEnv[envVar.name] = envVar.default;
       continue;
     }
-    const val = await p2.text({
+    const val = await p6.text({
       message: `${envVar.name}${envVar.description ? ` \u2014 ${envVar.description}` : ""}`,
       placeholder: envVar.default ?? "",
       validate: (v) => envVar.required && !v ? "Required" : void 0
     });
-    if (p2.isCancel(val)) {
-      p2.outro("Cancelled.");
+    if (p6.isCancel(val)) {
+      p6.outro("Cancelled.");
       process.exit(0);
     }
     collectedEnv[envVar.name] = val;
+    newlyEnteredVars[envVar.name] = val;
   }
   const entry = {
     command: metadata.command,
@@ -1613,7 +2239,7 @@ async function installServer(input, options = {}) {
       clientTypes.push(client.type);
     } catch (err) {
       spinner5.stop("Partial failure");
-      p2.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
+      p6.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
   spinner5.stop("Config written");
@@ -1632,13 +2258,14 @@ async function installServer(input, options = {}) {
     clients: clientTypes
   });
   const lockPath = findLockfile() ?? "mcpman.lock (global)";
-  p2.log.success(`Lockfile updated: ${lockPath}`);
-  p2.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
+  p6.log.success(`Lockfile updated: ${lockPath}`);
+  await offerVaultSave(metadata.name, newlyEnteredVars, options.yes ?? false);
+  p6.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
 }
 
 // src/utils/logger.ts
 init_cjs_shims();
-var import_picocolors3 = __toESM(require("picocolors"), 1);
+var import_picocolors5 = __toESM(require("picocolors"), 1);
 var noColor = process.env.NO_COLOR !== void 0 || process.argv.includes("--no-color");
 var isVerbose = process.argv.includes("--verbose");
 var isJson = process.argv.includes("--json");
@@ -1647,19 +2274,19 @@ function colorize(fn, text2) {
 }
 function info(message) {
   if (isJson) return;
-  console.log(`${colorize(import_picocolors3.default.cyan, "i")} ${message}`);
+  console.log(`${colorize(import_picocolors5.default.cyan, "i")} ${message}`);
 }
 function error(message) {
   if (isJson) return;
-  console.error(`${colorize(import_picocolors3.default.red, "\u2717")} ${message}`);
+  console.error(`${colorize(import_picocolors5.default.red, "\u2717")} ${message}`);
 }
 function json(data) {
   console.log(JSON.stringify(data, null, 2));
 }
 
 // src/commands/install.ts
-var p3 = __toESM(require("@clack/prompts"), 1);
-var install_default = (0, import_citty4.defineCommand)({
+var p7 = __toESM(require("@clack/prompts"), 1);
+var install_default = (0, import_citty6.defineCommand)({
   meta: {
     name: "install",
     description: "Install an MCP server into one or more AI clients"
@@ -1708,8 +2335,8 @@ async function restoreFromLockfile() {
     info("Lockfile is empty \u2014 nothing to restore.");
     return;
   }
-  p3.intro(`mcpman install (restore from ${lockPath})`);
-  p3.log.info(`Restoring ${entries.length} server(s)...`);
+  p7.intro(`mcpman install (restore from ${lockPath})`);
+  p7.log.info(`Restoring ${entries.length} server(s)...`);
   for (const [name, entry] of entries) {
     const input = entry.source === "smithery" ? `smithery:${name}` : entry.source === "github" ? entry.resolved : name;
     await installServer(input, {
@@ -1717,19 +2344,19 @@ async function restoreFromLockfile() {
       yes: true
     });
   }
-  p3.outro("Restore complete.");
+  p7.outro("Restore complete.");
 }
 
 // src/commands/list.ts
 init_cjs_shims();
-var import_citty5 = require("citty");
-var import_picocolors4 = __toESM(require("picocolors"), 1);
+var import_citty7 = require("citty");
+var import_picocolors6 = __toESM(require("picocolors"), 1);
 var STATUS_ICON = {
-  healthy: import_picocolors4.default.green("\u25CF"),
-  unhealthy: import_picocolors4.default.red("\u25CF"),
-  unknown: import_picocolors4.default.dim("\u25CB")
+  healthy: import_picocolors6.default.green("\u25CF"),
+  unhealthy: import_picocolors6.default.red("\u25CF"),
+  unknown: import_picocolors6.default.dim("\u25CB")
 };
-var list_default = (0, import_citty5.defineCommand)({
+var list_default = (0, import_citty7.defineCommand)({
   meta: {
     name: "list",
     description: "List installed MCP servers"
@@ -1749,7 +2376,7 @@ var list_default = (0, import_citty5.defineCommand)({
     const servers = await getInstalledServers(args.client);
     if (servers.length === 0) {
       const filter = args.client ? ` for client "${args.client}"` : "";
-      console.log(import_picocolors4.default.dim(`No MCP servers installed${filter}. Run ${import_picocolors4.default.cyan("mcpman install <server>")} to get started.`));
+      console.log(import_picocolors6.default.dim(`No MCP servers installed${filter}. Run ${import_picocolors6.default.cyan("mcpman install <server>")} to get started.`));
       return;
     }
     const withStatus = await Promise.all(
@@ -1773,8 +2400,8 @@ var list_default = (0, import_citty5.defineCommand)({
     const nameWidth = Math.max(4, ...withStatus.map((s) => s.name.length));
     const clientsWidth = Math.max(7, ...withStatus.map((s) => formatClients(s.clients).length));
     const header = `  ${pad("NAME", nameWidth)}  ${pad("CLIENT(S)", clientsWidth)}  ${pad("COMMAND", 20)}  STATUS`;
-    console.log(import_picocolors4.default.dim(header));
-    console.log(import_picocolors4.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
+    console.log(import_picocolors6.default.dim(header));
+    console.log(import_picocolors6.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
     for (const s of withStatus) {
       const icon = STATUS_ICON[s.status];
       const clientsStr = formatClients(s.clients);
@@ -1782,7 +2409,7 @@ var list_default = (0, import_citty5.defineCommand)({
       console.log(`  ${pad(s.name, nameWidth)}  ${pad(clientsStr, clientsWidth)}  ${pad(cmdStr, 20)}  ${icon} ${s.status}`);
     }
     const clientSet = new Set(withStatus.flatMap((s) => s.clients));
-    console.log(import_picocolors4.default.dim(`
+    console.log(import_picocolors6.default.dim(`
   ${withStatus.length} server${withStatus.length !== 1 ? "s" : ""} \xB7 ${clientSet.size} client${clientSet.size !== 1 ? "s" : ""}`));
   }
 });
@@ -1804,9 +2431,9 @@ function formatClients(clients) {
 
 // src/commands/remove.ts
 init_cjs_shims();
-var import_citty6 = require("citty");
-var p4 = __toESM(require("@clack/prompts"), 1);
-var import_picocolors5 = __toESM(require("picocolors"), 1);
+var import_citty8 = require("citty");
+var p8 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors7 = __toESM(require("picocolors"), 1);
 init_client_detector();
 var CLIENT_DISPLAY2 = {
   "claude-desktop": "Claude",
@@ -1817,113 +2444,360 @@ var CLIENT_DISPLAY2 = {
 function clientDisplayName(type) {
   return CLIENT_DISPLAY2[type] ?? type;
 }
-var remove_default = (0, import_citty6.defineCommand)({
+var remove_default = (0, import_citty8.defineCommand)({
+  meta: {
+    name: "remove",
+    description: "Remove an MCP server from one or more AI clients"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name to remove",
+      required: true
+    },
+    client: {
+      type: "string",
+      description: "Target client (claude, cursor, vscode, windsurf)"
+    },
+    all: {
+      type: "boolean",
+      description: "Remove from all clients",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt",
+      default: false
+    }
+  },
+  async run({ args }) {
+    p8.intro(import_picocolors7.default.bold("mcpman remove"));
+    const serverName = args.server;
+    const servers = await getInstalledServers();
+    const match = servers.find((s) => s.name === serverName);
+    if (!match) {
+      p8.log.warn(`Server "${serverName}" is not installed.`);
+      const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
+      if (similar.length > 0) {
+        p8.log.info(`Did you mean: ${similar.map((s) => import_picocolors7.default.cyan(s.name)).join(", ")}?`);
+      }
+      p8.outro("Nothing to remove.");
+      return;
+    }
+    let targetClients;
+    if (args.all) {
+      targetClients = match.clients;
+    } else if (args.client) {
+      if (!match.clients.includes(args.client)) {
+        p8.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
+        p8.outro("Nothing to remove.");
+        return;
+      }
+      targetClients = [args.client];
+    } else if (match.clients.length === 1) {
+      targetClients = match.clients;
+    } else {
+      const selected = await p8.multiselect({
+        message: `Remove "${serverName}" from which clients?`,
+        options: match.clients.map((c) => ({
+          value: c,
+          label: clientDisplayName(c)
+        })),
+        required: true
+      });
+      if (p8.isCancel(selected)) {
+        p8.outro("Cancelled.");
+        process.exit(0);
+      }
+      targetClients = selected;
+    }
+    if (!args.yes) {
+      const clientNames = targetClients.map(clientDisplayName).join(", ");
+      const confirmed = await p8.confirm({
+        message: `Remove ${import_picocolors7.default.cyan(serverName)} from ${import_picocolors7.default.yellow(clientNames)}?`
+      });
+      if (p8.isCancel(confirmed) || !confirmed) {
+        p8.outro("Cancelled.");
+        return;
+      }
+    }
+    const installedClients = await getInstalledClients();
+    const errors = [];
+    for (const clientType of targetClients) {
+      const handler = installedClients.find((c) => c.type === clientType);
+      if (!handler) {
+        errors.push(`Client "${clientType}" not found`);
+        continue;
+      }
+      try {
+        await handler.removeServer(serverName);
+        p8.log.success(`Removed from ${clientDisplayName(clientType)}`);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        errors.push(`${clientDisplayName(clientType)}: ${msg}`);
+      }
+    }
+    if (errors.length > 0) {
+      for (const e of errors) p8.log.error(e);
+      p8.outro(import_picocolors7.default.red("Completed with errors."));
+      process.exit(1);
+    }
+    p8.outro(import_picocolors7.default.green(`Removed "${serverName}" successfully.`));
+  }
+});
+
+// src/commands/run.ts
+init_cjs_shims();
+var import_citty9 = require("citty");
+var import_node_child_process3 = require("child_process");
+var import_picocolors8 = __toESM(require("picocolors"), 1);
+init_vault_service();
+var run_default = (0, import_citty9.defineCommand)({
+  meta: {
+    name: "run",
+    description: "Run an installed MCP server with vault secrets injected"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name to run (as installed in lockfile)",
+      required: true
+    },
+    env: {
+      type: "string",
+      description: "Override env var KEY=VAL (repeatable)",
+      alias: "e"
+    }
+  },
+  async run({ args }) {
+    const serverName = args.server;
+    const lockfile = readLockfile();
+    const entry = lockfile.servers[serverName];
+    if (!entry) {
+      console.error(import_picocolors8.default.red(`  Error: Server '${serverName}' is not installed.`));
+      console.error(import_picocolors8.default.dim(`  Run ${import_picocolors8.default.cyan("mcpman install <server>")} to install it first.`));
+      process.exit(1);
+    }
+    const lockfileEnv = parseEnvFlags(entry.envVars);
+    const vaultEnv = await loadVaultSecrets(serverName);
+    const cliEnv = parseEnvFlags(args.env);
+    const finalEnv = {
+      ...process.env,
+      ...lockfileEnv,
+      ...vaultEnv,
+      ...cliEnv
+    };
+    console.log(import_picocolors8.default.dim(`  Running ${import_picocolors8.default.cyan(serverName)}...`));
+    const child = (0, import_node_child_process3.spawn)(entry.command, entry.args, {
+      env: finalEnv,
+      stdio: "inherit"
+    });
+    const forwardSignal = (signal) => {
+      if (!child.killed) {
+        child.kill(signal);
+      }
+    };
+    process.on("SIGINT", () => forwardSignal("SIGINT"));
+    process.on("SIGTERM", () => forwardSignal("SIGTERM"));
+    await new Promise((resolve) => {
+      child.on("close", (code) => {
+        process.exit(code ?? 0);
+        resolve();
+      });
+      child.on("error", (err) => {
+        console.error(import_picocolors8.default.red(`  Failed to start '${serverName}': ${err.message}`));
+        process.exit(1);
+        resolve();
+      });
+    });
+  }
+});
+async function loadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
+    }
+    const password2 = await getMasterPassword();
+    return getSecretsForServer(serverName, password2);
+  } catch {
+    console.warn(import_picocolors8.default.yellow("  Warning: Could not load vault secrets, continuing without them."));
+    return {};
+  }
+}
+
+// src/commands/search.ts
+init_cjs_shims();
+var import_citty10 = require("citty");
+var import_picocolors9 = __toESM(require("picocolors"), 1);
+var import_nanospinner3 = require("nanospinner");
+
+// src/core/registry-search.ts
+init_cjs_shims();
+var SEARCH_TIMEOUT_MS = 1e4;
+async function searchNpm(query, limit = 20) {
+  const cap = Math.min(limit, 100);
+  const url = `https://registry.npmjs.org/-/v1/search?text=mcp+${encodeURIComponent(query)}&size=${cap}`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS) });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const objects = Array.isArray(data["objects"]) ? data["objects"] : [];
+    return objects.map((obj) => {
+      const pkg = obj["package"] ?? {};
+      const dl = obj["downloads"];
+      return {
+        name: typeof pkg["name"] === "string" ? pkg["name"] : "",
+        description: typeof pkg["description"] === "string" ? pkg["description"] : "",
+        version: typeof pkg["version"] === "string" ? pkg["version"] : "",
+        date: typeof pkg["date"] === "string" ? pkg["date"] : "",
+        downloads: typeof dl?.["weekly"] === "number" ? dl["weekly"] : 0,
+        keywords: Array.isArray(pkg["keywords"]) ? pkg["keywords"] : []
+      };
+    }).filter((r) => r.name !== "");
+  } catch {
+    return [];
+  }
+}
+async function searchSmithery(query, limit = 20) {
+  const cap = Math.min(limit, 100);
+  const url = `https://api.smithery.ai/v1/servers?q=${encodeURIComponent(query)}&limit=${cap}`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS) });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const servers = Array.isArray(data["servers"]) ? data["servers"] : [];
+    return servers.map((s) => ({
+      name: typeof s["name"] === "string" ? s["name"] : "",
+      description: typeof s["description"] === "string" ? s["description"] : "",
+      version: typeof s["version"] === "string" ? s["version"] : "latest",
+      runtime: typeof s["runtime"] === "string" ? s["runtime"] : "node"
+    })).filter((r) => r.name !== "");
+  } catch {
+    return [];
+  }
+}
+
+// src/commands/search.ts
+function truncate2(s, max) {
+  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
+}
+function pad2(s, width) {
+  return s.length >= width ? s : s + " ".repeat(width - s.length);
+}
+function highlightMatch(name, query) {
+  const idx = name.toLowerCase().indexOf(query.toLowerCase());
+  if (idx === -1) return name;
+  return name.slice(0, idx) + import_picocolors9.default.yellow(name.slice(idx, idx + query.length)) + name.slice(idx + query.length);
+}
+function formatDownloads(n) {
+  if (!n) return import_picocolors9.default.dim("\u2014");
+  if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
+  if (n >= 1e3) return `${(n / 1e3).toFixed(1)}k`;
+  return String(n);
+}
+function printNpmResults(results, query) {
+  const nameWidth = Math.max(4, ...results.map((r) => r.name.length), 20);
+  const verWidth = Math.max(7, ...results.map((r) => r.version.length));
+  const dlWidth = 9;
+  const descMax = 50;
+  const header = `  ${pad2("NAME", nameWidth)}  ${pad2("VERSION", verWidth)}  ${pad2("DOWNLOADS", dlWidth)}  DESCRIPTION`;
+  console.log(import_picocolors9.default.dim(header));
+  console.log(import_picocolors9.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(verWidth)}  ${"-".repeat(dlWidth)}  ${"-".repeat(descMax)}`));
+  for (const r of results) {
+    const name = highlightMatch(pad2(r.name, nameWidth), query);
+    const ver = pad2(r.version, verWidth);
+    const dl = pad2(formatDownloads(r.downloads), dlWidth);
+    const desc = truncate2(r.description || import_picocolors9.default.dim("(no description)"), descMax);
+    console.log(`  ${name}  ${import_picocolors9.default.dim(ver)}  ${dl}  ${desc}`);
+  }
+}
+function printSmitheryResults(results, query) {
+  const nameWidth = Math.max(4, ...results.map((r) => r.name.length), 20);
+  const verWidth = Math.max(7, ...results.map((r) => r.version.length));
+  const descMax = 50;
+  const header = `  ${pad2("NAME", nameWidth)}  ${pad2("VERSION", verWidth)}  DESCRIPTION`;
+  console.log(import_picocolors9.default.dim(header));
+  console.log(import_picocolors9.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(verWidth)}  ${"-".repeat(descMax)}`));
+  for (const r of results) {
+    const name = highlightMatch(pad2(r.name, nameWidth), query);
+    const ver = pad2(r.version, verWidth);
+    const desc = truncate2(r.description || import_picocolors9.default.dim("(no description)"), descMax);
+    console.log(`  ${name}  ${import_picocolors9.default.dim(ver)}  ${desc}`);
+  }
+}
+var search_default = (0, import_citty10.defineCommand)({
   meta: {
-    name: "remove",
-    description: "Remove an MCP server from one or more AI clients"
+    name: "search",
+    description: "Search for MCP servers on npm or Smithery registry"
   },
   args: {
-    server: {
+    query: {
       type: "positional",
-      description: "Server name to remove",
+      description: "Search query",
       required: true
     },
-    client: {
+    registry: {
       type: "string",
-      description: "Target client (claude, cursor, vscode, windsurf)"
-    },
-    all: {
-      type: "boolean",
-      description: "Remove from all clients",
-      default: false
+      description: "Registry to search: npm or smithery (default: npm)",
+      default: "npm"
     },
-    yes: {
-      type: "boolean",
-      description: "Skip confirmation prompt",
-      default: false
+    limit: {
+      type: "string",
+      description: "Maximum number of results (default: 20, max: 100)",
+      default: "20"
     }
   },
   async run({ args }) {
-    p4.intro(import_picocolors5.default.bold("mcpman remove"));
-    const serverName = args.server;
-    const servers = await getInstalledServers();
-    const match = servers.find((s) => s.name === serverName);
-    if (!match) {
-      p4.log.warn(`Server "${serverName}" is not installed.`);
-      const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
-      if (similar.length > 0) {
-        p4.log.info(`Did you mean: ${similar.map((s) => import_picocolors5.default.cyan(s.name)).join(", ")}?`);
-      }
-      p4.outro("Nothing to remove.");
-      return;
-    }
-    let targetClients;
-    if (args.all) {
-      targetClients = match.clients;
-    } else if (args.client) {
-      if (!match.clients.includes(args.client)) {
-        p4.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
-        p4.outro("Nothing to remove.");
-        return;
-      }
-      targetClients = [args.client];
-    } else if (match.clients.length === 1) {
-      targetClients = match.clients;
-    } else {
-      const selected = await p4.multiselect({
-        message: `Remove "${serverName}" from which clients?`,
-        options: match.clients.map((c) => ({
-          value: c,
-          label: clientDisplayName(c)
-        })),
-        required: true
-      });
-      if (p4.isCancel(selected)) {
-        p4.outro("Cancelled.");
-        process.exit(0);
-      }
-      targetClients = selected;
+    const query = args.query;
+    const registry = args.registry.toLowerCase();
+    const limit = Math.min(Math.max(1, Number.parseInt(args.limit, 10) || 20), 100);
+    if (registry !== "npm" && registry !== "smithery") {
+      console.error(import_picocolors9.default.red(`  Unknown registry "${registry}". Use "npm" or "smithery".`));
+      process.exit(1);
     }
-    if (!args.yes) {
-      const clientNames = targetClients.map(clientDisplayName).join(", ");
-      const confirmed = await p4.confirm({
-        message: `Remove ${import_picocolors5.default.cyan(serverName)} from ${import_picocolors5.default.yellow(clientNames)}?`
-      });
-      if (p4.isCancel(confirmed) || !confirmed) {
-        p4.outro("Cancelled.");
+    const spinner5 = (0, import_nanospinner3.createSpinner)(`Searching ${registry} for "${query}"...`).start();
+    if (registry === "npm") {
+      const results2 = await searchNpm(query, limit);
+      spinner5.stop();
+      if (results2.length === 0) {
+        console.log(import_picocolors9.default.dim(`
+  No results found for "${query}" on npm.
+`));
         return;
       }
+      console.log(import_picocolors9.default.bold(`
+  mcpman search \u2014 npm (${results2.length} result${results2.length !== 1 ? "s" : ""})
+`));
+      printNpmResults(results2, query);
+      console.log(import_picocolors9.default.dim(`
+  Install with: mcpman install <name>
+`));
+      return;
     }
-    const installedClients = await getInstalledClients();
-    const errors = [];
-    for (const clientType of targetClients) {
-      const handler = installedClients.find((c) => c.type === clientType);
-      if (!handler) {
-        errors.push(`Client "${clientType}" not found`);
-        continue;
-      }
-      try {
-        await handler.removeServer(serverName);
-        p4.log.success(`Removed from ${clientDisplayName(clientType)}`);
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        errors.push(`${clientDisplayName(clientType)}: ${msg}`);
-      }
-    }
-    if (errors.length > 0) {
-      for (const e of errors) p4.log.error(e);
-      p4.outro(import_picocolors5.default.red("Completed with errors."));
-      process.exit(1);
+    const results = await searchSmithery(query, limit);
+    spinner5.stop();
+    if (results.length === 0) {
+      console.log(import_picocolors9.default.dim(`
+  No results found for "${query}" on Smithery.
+`));
+      return;
     }
-    p4.outro(import_picocolors5.default.green(`Removed "${serverName}" successfully.`));
+    console.log(import_picocolors9.default.bold(`
+  mcpman search \u2014 Smithery (${results.length} result${results.length !== 1 ? "s" : ""})
+`));
+    printSmitheryResults(results, query);
+    console.log(import_picocolors9.default.dim(`
+  Install with: mcpman install <name>
+`));
   }
 });
 
 // src/commands/secrets.ts
 init_cjs_shims();
-var import_citty7 = require("citty");
-var import_picocolors6 = __toESM(require("picocolors"), 1);
-var p6 = __toESM(require("@clack/prompts"), 1);
+var import_citty11 = require("citty");
+var import_picocolors10 = __toESM(require("picocolors"), 1);
+var p9 = __toESM(require("@clack/prompts"), 1);
 init_vault_service();
 function maskValue(value) {
   if (value.length <= 8) return "***";
@@ -1934,7 +2808,7 @@ function parseKeyValue(input) {
   if (idx <= 0) return null;
   return { key: input.slice(0, idx), value: input.slice(idx + 1) };
 }
-var setCommand = (0, import_citty7.defineCommand)({
+var setCommand2 = (0, import_citty11.defineCommand)({
   meta: { name: "set", description: "Store an encrypted secret for a server" },
   args: {
     server: {
@@ -1951,30 +2825,30 @@ var setCommand = (0, import_citty7.defineCommand)({
   async run({ args }) {
     const parsed = parseKeyValue(args.keyvalue);
     if (!parsed) {
-      console.error(import_picocolors6.default.red("\u2717") + " Invalid format. Expected KEY=VALUE");
+      console.error(import_picocolors10.default.red("\u2717") + " Invalid format. Expected KEY=VALUE");
       process.exit(1);
     }
-    p6.intro(import_picocolors6.default.cyan("mcpman secrets set"));
+    p9.intro(import_picocolors10.default.cyan("mcpman secrets set"));
     const isNew = listSecrets(args.server).length === 0 || !listSecrets(args.server)[0]?.keys.includes(parsed.key);
     const vaultPath = (await Promise.resolve().then(() => (init_vault_service(), vault_service_exports))).getVaultPath();
     const vaultExists = (await import("fs")).existsSync(vaultPath);
     const password2 = await getMasterPassword(!vaultExists && isNew);
-    const spin = p6.spinner();
+    const spin = p9.spinner();
     spin.start("Encrypting secret...");
     try {
       setSecret(args.server, parsed.key, parsed.value, password2);
       spin.stop(
-        `${import_picocolors6.default.green("\u2713")} Stored ${import_picocolors6.default.bold(parsed.key)} for ${import_picocolors6.default.cyan(args.server)}`
+        `${import_picocolors10.default.green("\u2713")} Stored ${import_picocolors10.default.bold(parsed.key)} for ${import_picocolors10.default.cyan(args.server)}`
       );
     } catch (err) {
-      spin.stop(import_picocolors6.default.red("\u2717") + " Failed to store secret");
-      console.error(import_picocolors6.default.dim(String(err)));
+      spin.stop(import_picocolors10.default.red("\u2717") + " Failed to store secret");
+      console.error(import_picocolors10.default.dim(String(err)));
       process.exit(1);
     }
-    p6.outro(import_picocolors6.default.dim("Secret encrypted and saved to vault."));
+    p9.outro(import_picocolors10.default.dim("Secret encrypted and saved to vault."));
   }
 });
-var listCommand = (0, import_citty7.defineCommand)({
+var listCommand2 = (0, import_citty11.defineCommand)({
   meta: { name: "list", description: "List secret keys stored in the vault" },
   args: {
     server: {
@@ -1986,23 +2860,23 @@ var listCommand = (0, import_citty7.defineCommand)({
   async run({ args }) {
     const results = listSecrets(args.server || void 0);
     if (results.length === 0) {
-      const filter = args.server ? ` for ${import_picocolors6.default.cyan(args.server)}` : "";
-      console.log(import_picocolors6.default.dim(`No secrets stored${filter}.`));
+      const filter = args.server ? ` for ${import_picocolors10.default.cyan(args.server)}` : "";
+      console.log(import_picocolors10.default.dim(`No secrets stored${filter}.`));
       return;
     }
     console.log("");
     for (const { server, keys } of results) {
-      console.log(import_picocolors6.default.bold(import_picocolors6.default.cyan(server)));
+      console.log(import_picocolors10.default.bold(import_picocolors10.default.cyan(server)));
       for (const key of keys) {
-        console.log(`  ${import_picocolors6.default.green("\u25CF")} ${import_picocolors6.default.bold(key)}  ${import_picocolors6.default.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
+        console.log(`  ${import_picocolors10.default.green("\u25CF")} ${import_picocolors10.default.bold(key)}  ${import_picocolors10.default.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
       }
       console.log("");
     }
     const total = results.reduce((n, r) => n + r.keys.length, 0);
-    console.log(import_picocolors6.default.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
+    console.log(import_picocolors10.default.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
   }
 });
-var removeCommand = (0, import_citty7.defineCommand)({
+var removeCommand = (0, import_citty11.defineCommand)({
   meta: { name: "remove", description: "Delete a secret from the vault" },
   args: {
     server: {
@@ -2017,41 +2891,41 @@ var removeCommand = (0, import_citty7.defineCommand)({
     }
   },
   async run({ args }) {
-    const confirmed = await p6.confirm({
-      message: `Remove ${import_picocolors6.default.bold(args.key)} from ${import_picocolors6.default.cyan(args.server)}?`,
+    const confirmed = await p9.confirm({
+      message: `Remove ${import_picocolors10.default.bold(args.key)} from ${import_picocolors10.default.cyan(args.server)}?`,
       initialValue: false
     });
-    if (p6.isCancel(confirmed) || !confirmed) {
-      p6.cancel("Cancelled.");
+    if (p9.isCancel(confirmed) || !confirmed) {
+      p9.cancel("Cancelled.");
       return;
     }
     try {
       removeSecret(args.server, args.key);
-      console.log(`${import_picocolors6.default.green("\u2713")} Removed ${import_picocolors6.default.bold(args.key)} from ${import_picocolors6.default.cyan(args.server)}`);
+      console.log(`${import_picocolors10.default.green("\u2713")} Removed ${import_picocolors10.default.bold(args.key)} from ${import_picocolors10.default.cyan(args.server)}`);
     } catch (err) {
-      console.error(import_picocolors6.default.red("\u2717") + " Failed to remove secret");
-      console.error(import_picocolors6.default.dim(String(err)));
+      console.error(import_picocolors10.default.red("\u2717") + " Failed to remove secret");
+      console.error(import_picocolors10.default.dim(String(err)));
       process.exit(1);
     }
   }
 });
-var secrets_default = (0, import_citty7.defineCommand)({
+var secrets_default = (0, import_citty11.defineCommand)({
   meta: {
     name: "secrets",
     description: "Manage encrypted secrets for MCP servers"
   },
   subCommands: {
-    set: setCommand,
-    list: listCommand,
+    set: setCommand2,
+    list: listCommand2,
     remove: removeCommand
   }
 });
 
 // src/commands/sync.ts
 init_cjs_shims();
-var import_citty8 = require("citty");
-var p7 = __toESM(require("@clack/prompts"), 1);
-var import_picocolors7 = __toESM(require("picocolors"), 1);
+var import_citty12 = require("citty");
+var p10 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors11 = __toESM(require("picocolors"), 1);
 
 // src/core/config-diff.ts
 init_cjs_shims();
@@ -2067,7 +2941,7 @@ function reconstructServerEntry(lockEntry) {
   }
   return entry;
 }
-function computeDiff(lockfile, clientConfigs) {
+function computeDiff(lockfile, clientConfigs, options = {}) {
   const actions = [];
   for (const [server, lockEntry] of Object.entries(lockfile.servers)) {
     for (const client of lockEntry.clients) {
@@ -2085,19 +2959,21 @@ function computeDiff(lockfile, clientConfigs) {
       }
     }
   }
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     for (const server of Object.keys(config.servers)) {
       if (!(server in lockfile.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
   return actions;
 }
-function computeDiffFromClient(sourceClient, clientConfigs) {
+function computeDiffFromClient(sourceClient, clientConfigs, options = {}) {
   const actions = [];
   const sourceConfig = clientConfigs.get(sourceClient);
   if (!sourceConfig) return [];
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     if (client === sourceClient) continue;
     for (const [server, entry] of Object.entries(sourceConfig.servers)) {
@@ -2109,7 +2985,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
     }
     for (const server of Object.keys(config.servers)) {
       if (!(server in sourceConfig.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
@@ -2120,7 +2996,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
 init_cjs_shims();
 init_client_detector();
 async function applySyncActions(actions, clients) {
-  const result = { applied: 0, failed: 0, errors: [] };
+  const result = { applied: 0, removed: 0, failed: 0, errors: [] };
   const addActions = actions.filter((a) => a.action === "add" && a.entry);
   for (const action of addActions) {
     const handler = clients.get(action.client);
@@ -2145,6 +3021,30 @@ async function applySyncActions(actions, clients) {
       });
     }
   }
+  const removeActions = actions.filter((a) => a.action === "remove");
+  for (const action of removeActions) {
+    const handler = clients.get(action.client);
+    if (!handler) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.removeServer(action.server);
+      result.removed++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
   return result;
 }
 async function getClientConfigs() {
@@ -2178,7 +3078,7 @@ var CLIENT_DISPLAY3 = {
   vscode: "VS Code",
   windsurf: "Windsurf"
 };
-var sync_default = (0, import_citty8.defineCommand)({
+var sync_default = (0, import_citty12.defineCommand)({
   meta: {
     name: "sync",
     description: "Sync MCP server configs across all detected AI clients"
@@ -2189,6 +3089,11 @@ var sync_default = (0, import_citty8.defineCommand)({
       description: "Preview changes without applying them",
       default: false
     },
+    remove: {
+      type: "boolean",
+      description: "Remove extra servers not in lockfile",
+      default: false
+    },
     source: {
       type: "string",
       description: "Use a specific client as source of truth (claude-desktop, cursor, vscode, windsurf)"
@@ -2200,58 +3105,64 @@ var sync_default = (0, import_citty8.defineCommand)({
     }
   },
   async run({ args }) {
-    p7.intro(`${import_picocolors7.default.cyan("mcpman sync")}`);
+    p10.intro(`${import_picocolors11.default.cyan("mcpman sync")}`);
     const sourceClient = args.source;
     if (sourceClient && !VALID_CLIENTS.includes(sourceClient)) {
-      p7.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
+      p10.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
       process.exit(1);
     }
-    const spinner5 = p7.spinner();
+    const spinner5 = p10.spinner();
     spinner5.start("Detecting clients and reading configs...");
     const { configs, handlers } = await getClientConfigs();
     spinner5.stop(`Found ${configs.size} client(s)`);
     if (configs.size === 0) {
-      p7.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
+      p10.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
       process.exit(0);
     }
+    const diffOptions = { remove: args.remove };
     let actions;
     if (sourceClient) {
       if (!configs.has(sourceClient)) {
-        p7.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
+        p10.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
         process.exit(1);
       }
-      p7.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
-      actions = computeDiffFromClient(sourceClient, configs);
+      p10.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
+      actions = computeDiffFromClient(sourceClient, configs, diffOptions);
     } else {
       const lockfile = readLockfile();
-      actions = computeDiff(lockfile, configs);
+      actions = computeDiff(lockfile, configs, diffOptions);
     }
     printDiffTable(actions);
     const addCount = actions.filter((a) => a.action === "add").length;
     const extraCount = actions.filter((a) => a.action === "extra").length;
-    if (addCount === 0 && extraCount === 0) {
-      p7.outro(import_picocolors7.default.green("All clients are in sync."));
+    const removeCount = actions.filter((a) => a.action === "remove").length;
+    if (addCount === 0 && removeCount === 0 && extraCount === 0) {
+      p10.outro(import_picocolors11.default.green("All clients are in sync."));
       process.exit(0);
     }
     const parts = [];
-    if (addCount > 0) parts.push(import_picocolors7.default.green(`${addCount} to add`));
-    if (extraCount > 0) parts.push(import_picocolors7.default.yellow(`${extraCount} extra (informational)`));
-    p7.log.info(parts.join("  \xB7  "));
+    if (addCount > 0) parts.push(import_picocolors11.default.green(`${addCount} to add`));
+    if (removeCount > 0) parts.push(import_picocolors11.default.red(`${removeCount} to remove`));
+    if (extraCount > 0) parts.push(import_picocolors11.default.yellow(`${extraCount} extra (informational)`));
+    p10.log.info(parts.join("  \xB7  "));
     if (args["dry-run"]) {
-      p7.outro(import_picocolors7.default.dim("Dry run \u2014 no changes applied."));
+      p10.outro(import_picocolors11.default.dim("Dry run \u2014 no changes applied."));
       process.exit(1);
     }
-    if (addCount === 0) {
-      p7.outro(import_picocolors7.default.dim("No additions needed. Extra servers left untouched."));
+    if (addCount === 0 && removeCount === 0) {
+      p10.outro(import_picocolors11.default.dim("No additions needed. Extra servers left untouched."));
       process.exit(1);
     }
     if (!args.yes) {
-      const confirmed = await p7.confirm({
-        message: `Apply ${addCount} addition(s) to client configs?`,
+      const actionParts = [];
+      if (addCount > 0) actionParts.push(`${addCount} addition(s)`);
+      if (removeCount > 0) actionParts.push(`${removeCount} removal(s)`);
+      const confirmed = await p10.confirm({
+        message: `Apply ${actionParts.join(" and ")} to client configs?`,
         initialValue: true
       });
-      if (p7.isCancel(confirmed) || !confirmed) {
-        p7.outro(import_picocolors7.default.dim("Cancelled \u2014 no changes applied."));
+      if (p10.isCancel(confirmed) || !confirmed) {
+        p10.outro(import_picocolors11.default.dim("Cancelled \u2014 no changes applied."));
         process.exit(0);
       }
     }
@@ -2259,196 +3170,80 @@ var sync_default = (0, import_citty8.defineCommand)({
     const result = await applySyncActions(actions, handlers);
     spinner5.stop("Done");
     if (result.applied > 0) {
-      p7.log.success(`Added ${result.applied} server(s) to client configs.`);
+      p10.log.success(`Added ${result.applied} server(s) to client configs.`);
+    }
+    if (result.removed > 0) {
+      p10.log.success(`Removed ${result.removed} server(s) from client configs.`);
     }
     if (result.failed > 0) {
       for (const e of result.errors) {
-        p7.log.error(`Failed to add "${e.server}" to ${e.client}: ${e.error}`);
+        p10.log.error(`Failed to sync "${e.server}" on ${e.client}: ${e.error}`);
       }
     }
-    p7.outro(result.failed === 0 ? import_picocolors7.default.green("Sync complete.") : import_picocolors7.default.yellow("Sync complete with errors."));
+    p10.outro(result.failed === 0 ? import_picocolors11.default.green("Sync complete.") : import_picocolors11.default.yellow("Sync complete with errors."));
     process.exit(result.failed > 0 ? 1 : 0);
   }
 });
 function printDiffTable(actions) {
   if (actions.length === 0) {
-    p7.log.info("No actions to display.");
+    p10.log.info("No actions to display.");
     return;
   }
   const nameWidth = Math.max(6, ...actions.map((a) => a.server.length));
   const clientWidth = Math.max(6, ...actions.map((a) => CLIENT_DISPLAY3[a.client]?.length ?? a.client.length));
-  const header = `  ${pad2("SERVER", nameWidth)}  ${pad2("CLIENT", clientWidth)}  STATUS`;
-  console.log(import_picocolors7.default.dim(header));
-  console.log(import_picocolors7.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
+  const header = `  ${pad3("SERVER", nameWidth)}  ${pad3("CLIENT", clientWidth)}  STATUS`;
+  console.log(import_picocolors11.default.dim(header));
+  console.log(import_picocolors11.default.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
   for (const action of actions) {
     const clientDisplay = CLIENT_DISPLAY3[action.client] ?? action.client;
     const [icon, statusText] = formatAction(action.action);
-    console.log(`  ${pad2(action.server, nameWidth)}  ${pad2(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
+    console.log(`  ${pad3(action.server, nameWidth)}  ${pad3(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
   }
   console.log("");
 }
 function formatAction(action) {
   switch (action) {
     case "add":
-      return [import_picocolors7.default.green("+"), import_picocolors7.default.green("missing \u2014 will add")];
+      return [import_picocolors11.default.green("+"), import_picocolors11.default.green("missing \u2014 will add")];
     case "extra":
-      return [import_picocolors7.default.yellow("?"), import_picocolors7.default.yellow("extra (not in lockfile)")];
+      return [import_picocolors11.default.yellow("?"), import_picocolors11.default.yellow("extra (not in lockfile)")];
+    case "remove":
+      return [import_picocolors11.default.red("\u2013"), import_picocolors11.default.red("extra \u2014 will remove")];
     case "ok":
-      return [import_picocolors7.default.dim("\xB7"), import_picocolors7.default.dim("in sync")];
+      return [import_picocolors11.default.dim("\xB7"), import_picocolors11.default.dim("in sync")];
   }
 }
-function pad2(s, width) {
+function pad3(s, width) {
   return s.length >= width ? s : s + " ".repeat(width - s.length);
 }
 
 // src/commands/update.ts
 init_cjs_shims();
-var import_citty9 = require("citty");
-var p8 = __toESM(require("@clack/prompts"), 1);
-var import_picocolors9 = __toESM(require("picocolors"), 1);
-
-// src/core/version-checker.ts
-init_cjs_shims();
-function compareVersions(a, b) {
-  const aParts = a.replace(/^v/, "").split(".").map(Number);
-  const bParts = b.replace(/^v/, "").split(".").map(Number);
-  const len = Math.max(aParts.length, bParts.length);
-  for (let i = 0; i < len; i++) {
-    const aN = aParts[i] ?? 0;
-    const bN = bParts[i] ?? 0;
-    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
-    if (aN < bN) return -1;
-    if (aN > bN) return 1;
-  }
-  return 0;
-}
-function detectUpdateType(current, latest) {
-  const cParts = current.replace(/^v/, "").split(".").map(Number);
-  const lParts = latest.replace(/^v/, "").split(".").map(Number);
-  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
-  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
-  return "patch";
-}
-async function fetchNpmLatest(packageName) {
-  try {
-    const res = await fetch(
-      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchSmitheryLatest(name) {
-  try {
-    const res = await fetch(
-      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchGithubLatest(resolved) {
-  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) return null;
-  const [, owner, repo] = match;
-  try {
-    const res = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
-  } catch {
-    return null;
-  }
-}
-async function checkVersion(name, lockEntry) {
-  const current = lockEntry.version;
-  let latest = null;
-  if (lockEntry.source === "npm") {
-    latest = await fetchNpmLatest(name);
-  } else if (lockEntry.source === "smithery") {
-    latest = await fetchSmitheryLatest(name);
-  } else if (lockEntry.source === "github") {
-    latest = await fetchGithubLatest(lockEntry.resolved);
-  }
-  if (!latest || latest === current) {
-    return {
-      server: name,
-      source: lockEntry.source,
-      currentVersion: current,
-      latestVersion: latest ?? current,
-      hasUpdate: false
-    };
-  }
-  const hasUpdate = compareVersions(current, latest) === -1;
-  return {
-    server: name,
-    source: lockEntry.source,
-    currentVersion: current,
-    latestVersion: latest,
-    hasUpdate,
-    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
-  };
-}
-async function checkAllVersions(lockfile) {
-  const entries = Object.entries(lockfile.servers);
-  if (entries.length === 0) return [];
-  const results = [];
-  const executing = /* @__PURE__ */ new Set();
-  for (const [name, entry] of entries) {
-    const p9 = checkVersion(name, entry).then((r) => {
-      results.push(r);
-      executing.delete(p9);
-    });
-    executing.add(p9);
-    if (executing.size >= 5) {
-      await Promise.race(executing);
-    }
-  }
-  await Promise.all(executing);
-  return results;
-}
+var import_citty13 = require("citty");
+var p11 = __toESM(require("@clack/prompts"), 1);
+var import_picocolors13 = __toESM(require("picocolors"), 1);
 
 // src/core/update-notifier.ts
 init_cjs_shims();
-var import_node_fs5 = __toESM(require("fs"), 1);
-var import_node_path7 = __toESM(require("path"), 1);
+var import_node_fs6 = __toESM(require("fs"), 1);
+var import_node_path8 = __toESM(require("path"), 1);
 var import_node_os5 = __toESM(require("os"), 1);
-var import_picocolors8 = __toESM(require("picocolors"), 1);
-var CACHE_FILE = import_node_path7.default.join(import_node_os5.default.homedir(), ".mcpman", ".update-check");
+var import_picocolors12 = __toESM(require("picocolors"), 1);
+var CACHE_FILE = import_node_path8.default.join(import_node_os5.default.homedir(), ".mcpman", ".update-check");
 var TTL_MS = 24 * 60 * 60 * 1e3;
 function writeUpdateCache(data) {
   try {
-    const dir = import_node_path7.default.dirname(CACHE_FILE);
-    if (!import_node_fs5.default.existsSync(dir)) import_node_fs5.default.mkdirSync(dir, { recursive: true });
+    const dir = import_node_path8.default.dirname(CACHE_FILE);
+    if (!import_node_fs6.default.existsSync(dir)) import_node_fs6.default.mkdirSync(dir, { recursive: true });
     const tmp = `${CACHE_FILE}.tmp`;
-    import_node_fs5.default.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
-    import_node_fs5.default.renameSync(tmp, CACHE_FILE);
+    import_node_fs6.default.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
+    import_node_fs6.default.renameSync(tmp, CACHE_FILE);
   } catch {
   }
 }
 
 // src/commands/update.ts
-async function loadClients2() {
+async function loadClients3() {
   try {
     const mod = await Promise.resolve().then(() => (init_client_detector(), client_detector_exports));
     return mod.getInstalledClients();
@@ -2465,19 +3260,19 @@ function printTable(updates) {
     "LATEST".padEnd(VER_W),
     "STATUS"
   ].join("  ");
-  console.log(import_picocolors9.default.bold(`
+  console.log(import_picocolors13.default.bold(`
   ${header}`));
-  console.log(import_picocolors9.default.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
+  console.log(import_picocolors13.default.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
   for (const u of updates) {
     const nameCol = u.server.slice(0, NAME_W).padEnd(NAME_W);
     const curCol = u.currentVersion.padEnd(VER_W);
     const latCol = u.latestVersion.padEnd(VER_W);
-    const statusCol = u.hasUpdate ? import_picocolors9.default.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : import_picocolors9.default.green("Up to date");
+    const statusCol = u.hasUpdate ? import_picocolors13.default.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : import_picocolors13.default.green("Up to date");
     console.log(`  ${nameCol}  ${curCol}  ${latCol}  ${statusCol}`);
   }
   console.log();
 }
-var update_default = (0, import_citty9.defineCommand)({
+var update_default = (0, import_citty13.defineCommand)({
   meta: {
     name: "update",
     description: "Check for and apply updates to installed MCP servers"
@@ -2516,7 +3311,7 @@ var update_default = (0, import_citty9.defineCommand)({
       }
       process.exit(1);
     }
-    const spinner5 = p8.spinner();
+    const spinner5 = p11.spinner();
     spinner5.start("Checking versions...");
     let updates;
     try {
@@ -2538,71 +3333,51 @@ var update_default = (0, import_citty9.defineCommand)({
     printTable(updates);
     const outdated = updates.filter((u) => u.hasUpdate);
     if (outdated.length === 0) {
-      console.log(import_picocolors9.default.green("  All servers are up to date."));
+      console.log(import_picocolors13.default.green("  All servers are up to date."));
       return;
     }
     if (args.check) {
-      console.log(import_picocolors9.default.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
+      console.log(import_picocolors13.default.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
       return;
     }
     if (!args.yes) {
-      const confirmed = await p8.confirm({
+      const confirmed = await p11.confirm({
         message: `Apply ${outdated.length} update(s)?`,
         initialValue: true
       });
-      if (p8.isCancel(confirmed) || !confirmed) {
-        p8.outro("Cancelled.");
+      if (p11.isCancel(confirmed) || !confirmed) {
+        p11.outro("Cancelled.");
         return;
       }
     }
-    const clients = await loadClients2();
+    const clients = await loadClients3();
     let successCount = 0;
     for (const update of outdated) {
-      const lockEntry = servers[update.server];
-      const input = lockEntry.source === "smithery" ? `smithery:${update.server}` : lockEntry.source === "github" ? lockEntry.resolved : update.server;
-      const s = p8.spinner();
+      const s = p11.spinner();
       s.start(`Updating ${update.server}...`);
-      try {
-        const metadata = await resolveServer(input);
-        const integrity = computeIntegrity(metadata.resolved);
-        addEntry(update.server, {
-          ...lockEntry,
-          version: metadata.version,
-          resolved: metadata.resolved,
-          integrity,
-          command: metadata.command,
-          args: metadata.args,
-          installedAt: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        const entryClients = clients.filter(
-          (c) => lockEntry.clients.includes(c.type)
-        );
-        for (const client of entryClients) {
-          try {
-            await client.addServer(update.server, {
-              command: metadata.command,
-              args: metadata.args
-            });
-          } catch {
-          }
-        }
-        s.stop(`${import_picocolors9.default.green("\u2713")} ${update.server}: ${update.currentVersion} \u2192 ${metadata.version}`);
+      const result = await applyServerUpdate(
+        update.server,
+        servers[update.server],
+        clients
+      );
+      if (result.success) {
+        s.stop(`${import_picocolors13.default.green("\u2713")} ${update.server}: ${result.fromVersion} \u2192 ${result.toVersion}`);
         successCount++;
-      } catch (err) {
-        s.stop(`${import_picocolors9.default.red("\u2717")} ${update.server}: ${err instanceof Error ? err.message : String(err)}`);
+      } else {
+        s.stop(`${import_picocolors13.default.red("\u2717")} ${update.server}: ${result.error}`);
       }
     }
     const freshLockfile = readLockfile(resolveLockfilePath());
     const freshUpdates = await checkAllVersions(freshLockfile);
     writeUpdateCache({ lastCheck: (/* @__PURE__ */ new Date()).toISOString(), updates: freshUpdates });
-    p8.outro(`${successCount} of ${outdated.length} server(s) updated.`);
+    p11.outro(`${successCount} of ${outdated.length} server(s) updated.`);
   }
 });
 
 // src/utils/constants.ts
 init_cjs_shims();
 var APP_NAME = "mcpman";
-var APP_VERSION = "0.2.0";
+var APP_VERSION = "0.4.0";
 var APP_DESCRIPTION = "The package manager for MCP servers";
 
 // src/index.ts
@@ -2610,7 +3385,7 @@ process.on("SIGINT", () => {
   console.log("\nAborted.");
   process.exit(130);
 });
-var main = (0, import_citty10.defineCommand)({
+var main = (0, import_citty14.defineCommand)({
   meta: {
     name: APP_NAME,
     version: APP_VERSION,
@@ -2625,7 +3400,11 @@ var main = (0, import_citty10.defineCommand)({
     secrets: secrets_default,
     sync: sync_default,
     audit: audit_default,
-    update: update_default
+    update: update_default,
+    config: config_default,
+    search: search_default,
+    info: info_default,
+    run: run_default
   }
 });
-(0, import_citty10.runMain)(main);
+(0, import_citty14.runMain)(main);