mcpman 0.2.0 → 0.4.0

package/dist/index.js

@@ -1,19 +1,25 @@
 #!/usr/bin/env node
 import {
+  computeTrustScore
+} from "./chunk-RGKHLY5G.js";
+import {
+  getConfigPath,
   getInstalledClients
-} from "./chunk-QY22QTBR.js";
+} from "./chunk-RMMEBP2J.js";
 import {
   getMasterPassword,
+  getSecretsForServer,
   listSecrets,
   removeSecret,
   setSecret
 } from "./chunk-6X6Q6UZC.js";
 
 // src/index.ts
-import { defineCommand as defineCommand10, runMain } from "citty";
+import { defineCommand as defineCommand14, runMain } from "citty";
 
 // src/commands/audit.ts
 import { defineCommand } from "citty";
+import * as p from "@clack/prompts";
 import pc from "picocolors";
 import { createSpinner } from "nanospinner";
 
@@ -191,8 +197,8 @@ async function scanServer(name, entry) {
     fetchNpmMetadata(name),
     fetchVulnerabilities(name, entry.version)
   ]);
-  const { computeTrustScore } = await import("./trust-scorer-LYC6KZCD.js");
-  const { score, riskLevel } = computeTrustScore(metadata, vulnerabilities);
+  const { computeTrustScore: computeTrustScore2 } = await import("./trust-scorer-G74WK25Q.js");
+  const { score, riskLevel } = computeTrustScore2(metadata, vulnerabilities);
   const report = {
     server: name,
     source: "npm",
@@ -209,17 +215,324 @@ async function scanAllServers(servers, concurrency = 3) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const [name, entry] of entries) {
-    const p8 = scanServer(name, entry).then((r) => {
+    const p11 = scanServer(name, entry).then((r) => {
       results.push(r);
-      executing.delete(p8);
+      executing.delete(p11);
     });
-    executing.add(p8);
+    executing.add(p11);
     if (executing.size >= concurrency) await Promise.race(executing);
   }
   await Promise.all(executing);
   return results;
 }
 
+// src/core/version-checker.ts
+function compareVersions(a, b) {
+  const aParts = a.replace(/^v/, "").split(".").map(Number);
+  const bParts = b.replace(/^v/, "").split(".").map(Number);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const aN = aParts[i] ?? 0;
+    const bN = bParts[i] ?? 0;
+    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
+    if (aN < bN) return -1;
+    if (aN > bN) return 1;
+  }
+  return 0;
+}
+function detectUpdateType(current, latest) {
+  const cParts = current.replace(/^v/, "").split(".").map(Number);
+  const lParts = latest.replace(/^v/, "").split(".").map(Number);
+  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
+  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
+  return "patch";
+}
+async function fetchNpmLatest(packageName) {
+  try {
+    const res = await fetch(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchSmitheryLatest(name) {
+  try {
+    const res = await fetch(
+      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.version === "string" ? data.version : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchGithubLatest(resolved) {
+  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) return null;
+  const [, owner, repo] = match;
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
+      {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(8e3)
+      }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
+  } catch {
+    return null;
+  }
+}
+async function checkVersion(name, lockEntry) {
+  const current = lockEntry.version;
+  let latest = null;
+  if (lockEntry.source === "npm") {
+    latest = await fetchNpmLatest(name);
+  } else if (lockEntry.source === "smithery") {
+    latest = await fetchSmitheryLatest(name);
+  } else if (lockEntry.source === "github") {
+    latest = await fetchGithubLatest(lockEntry.resolved);
+  }
+  if (!latest || latest === current) {
+    return {
+      server: name,
+      source: lockEntry.source,
+      currentVersion: current,
+      latestVersion: latest ?? current,
+      hasUpdate: false
+    };
+  }
+  const hasUpdate = compareVersions(current, latest) === -1;
+  return {
+    server: name,
+    source: lockEntry.source,
+    currentVersion: current,
+    latestVersion: latest,
+    hasUpdate,
+    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
+  };
+}
+async function checkAllVersions(lockfile) {
+  const entries = Object.entries(lockfile.servers);
+  if (entries.length === 0) return [];
+  const results = [];
+  const executing = /* @__PURE__ */ new Set();
+  for (const [name, entry] of entries) {
+    const p11 = checkVersion(name, entry).then((r) => {
+      results.push(r);
+      executing.delete(p11);
+    });
+    executing.add(p11);
+    if (executing.size >= 5) {
+      await Promise.race(executing);
+    }
+  }
+  await Promise.all(executing);
+  return results;
+}
+
+// src/core/registry.ts
+import { createHash } from "crypto";
+function computeIntegrity(resolvedUrl) {
+  const hash = createHash("sha512").update(resolvedUrl).digest("base64");
+  return `sha512-${hash}`;
+}
+async function resolveFromSmithery(name) {
+  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Server '${name}' not found on Smithery registry`);
+    }
+    if (!res.ok) {
+      throw new Error(`Smithery API error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const command = typeof data.command === "string" ? data.command : "npx";
+  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
+  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
+  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
+  return {
+    name,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command,
+    args,
+    envVars,
+    resolved
+  };
+}
+async function resolveFromNpm(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  let data;
+  try {
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (res.status === 404) {
+      throw new Error(`Package '${packageName}' not found on npm`);
+    }
+    if (!res.ok) {
+      throw new Error(`npm registry error: ${res.status}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("not found")) throw err;
+    throw new Error(
+      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const version = typeof data.version === "string" ? data.version : "latest";
+  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
+  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
+  const envVars = mcpField?.envVars ? mcpField.envVars : [];
+  return {
+    name: packageName,
+    version,
+    description: typeof data.description === "string" ? data.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", `${packageName}@${version}`],
+    envVars,
+    resolved
+  };
+}
+async function resolveFromGitHub(githubUrl) {
+  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (!match) {
+    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
+  let pkgData = {};
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
+    if (res.ok) {
+      pkgData = await res.json();
+    }
+  } catch {
+  }
+  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
+  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
+  return {
+    name,
+    version,
+    description: typeof pkgData.description === "string" ? pkgData.description : "",
+    runtime: "node",
+    command: "npx",
+    args: ["-y", githubUrl],
+    envVars: [],
+    resolved: githubUrl
+  };
+}
+
+// src/core/server-resolver.ts
+function detectSource(input) {
+  if (input.startsWith("smithery:")) {
+    return { type: "smithery", input: input.slice(9) };
+  }
+  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
+    return { type: "github", input };
+  }
+  return { type: "npm", input };
+}
+function parseEnvFlags(envFlags) {
+  if (!envFlags) return {};
+  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
+  const result = {};
+  for (const flag of flags) {
+    const idx = flag.indexOf("=");
+    if (idx > 0) {
+      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+    }
+  }
+  return result;
+}
+async function resolveServer(input) {
+  const source = detectSource(input);
+  switch (source.type) {
+    case "smithery":
+      return resolveFromSmithery(source.input);
+    case "github":
+      return resolveFromGitHub(source.input);
+    case "npm":
+      return resolveFromNpm(source.input);
+  }
+}
+
+// src/core/server-updater.ts
+async function applyServerUpdate(serverName, lockEntry, clients) {
+  const fromVersion = lockEntry.version;
+  const input = lockEntry.source === "smithery" ? `smithery:${serverName}` : lockEntry.source === "github" ? lockEntry.resolved : serverName;
+  try {
+    const metadata = await resolveServer(input);
+    const integrity = computeIntegrity(metadata.resolved);
+    addEntry(serverName, {
+      ...lockEntry,
+      version: metadata.version,
+      resolved: metadata.resolved,
+      integrity,
+      command: metadata.command,
+      args: metadata.args,
+      installedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const targetClients = clients.filter(
+      (c) => lockEntry.clients.includes(c.type)
+    );
+    for (const client of targetClients) {
+      try {
+        await client.addServer(serverName, {
+          command: metadata.command,
+          args: metadata.args
+        });
+      } catch {
+      }
+    }
+    return {
+      server: serverName,
+      success: true,
+      fromVersion,
+      toVersion: metadata.version
+    };
+  } catch (err) {
+    return {
+      server: serverName,
+      success: false,
+      fromVersion,
+      toVersion: fromVersion,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+
 // src/commands/audit.ts
 function colorRisk(level, score) {
   const label = score !== null ? `${score}/100 (${level})` : level;
@@ -290,7 +603,12 @@ var audit_default = defineCommand({
     },
     fix: {
       type: "boolean",
-      description: "Show available fix versions for vulnerable packages",
+      description: "Apply updates to fix vulnerable packages",
+      default: false
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip confirmation prompt (use with --fix)",
       default: false
     }
   },
@@ -342,30 +660,270 @@ var audit_default = defineCommand({
     if (npmReports.length < reports.length) {
       parts.push(pc.dim(`${reports.length - npmReports.length} non-npm (unverified)`));
     }
-    if (withIssues.length > 0) {
-      parts.push(pc.yellow(`${withIssues.length} with issues`));
+    if (withIssues.length > 0) {
+      parts.push(pc.yellow(`${withIssues.length} with issues`));
+    } else {
+      parts.push(pc.green("all clear"));
+    }
+    console.log(`
+  Summary: ${parts.join(" | ")}
+`);
+    if (args.fix) {
+      await runAuditFix(reports, lockfile.servers, args.yes);
+    }
+  }
+});
+async function loadClients() {
+  try {
+    const mod = await import("./client-detector-UAP2EYZA.js");
+    return mod.getInstalledClients();
+  } catch {
+    return [];
+  }
+}
+async function runAuditFix(reports, servers, skipConfirm) {
+  const npmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source === "npm"
+  );
+  const nonNpmWithVulns = reports.filter(
+    (r) => r.vulnerabilities.length > 0 && r.source !== "npm"
+  );
+  if (nonNpmWithVulns.length > 0) {
+    console.log(pc.yellow("  Non-npm servers require manual update:"));
+    for (const r of nonNpmWithVulns) {
+      console.log(`    ${pc.dim("\u2192")} ${r.server} (${r.source})`);
+    }
+    console.log();
+  }
+  if (npmWithVulns.length === 0) {
+    console.log(pc.green("  No fixable vulnerabilities found.\n"));
+    return;
+  }
+  const versionSpinner = createSpinner("Checking for available updates...").start();
+  const versionChecks = await Promise.all(
+    npmWithVulns.map((r) => checkVersion(r.server, servers[r.server]))
+  );
+  versionSpinner.success({ text: "Version check complete" });
+  const updatable = versionChecks.filter((u) => u.hasUpdate);
+  if (updatable.length === 0) {
+    console.log(pc.yellow(
+      "  Vulnerable servers have no newer versions available yet.\n  Allow time for registry to publish fixes.\n"
+    ));
+    return;
+  }
+  console.log(pc.bold(`
+  ${updatable.length} server(s) can be updated to fix vulnerabilities:
+`));
+  for (const u of updatable) {
+    console.log(`    ${pc.cyan("\u2192")} ${u.server}  ${pc.dim(u.currentVersion)} \u2192 ${pc.green(u.latestVersion)}`);
+  }
+  console.log();
+  if (!skipConfirm) {
+    const confirmed = await p.confirm({
+      message: `Update ${updatable.length} vulnerable server(s)?`,
+      initialValue: true
+    });
+    if (p.isCancel(confirmed) || !confirmed) {
+      p.outro("Cancelled.");
+      return;
+    }
+  }
+  const clients = await loadClients();
+  let successCount = 0;
+  const results = [];
+  for (const u of updatable) {
+    const s = createSpinner(`Updating ${u.server}...`).start();
+    const result = await applyServerUpdate(u.server, servers[u.server], clients);
+    if (result.success) {
+      s.success({ text: `${pc.green("\u2713")} ${u.server}: ${result.fromVersion} \u2192 ${result.toVersion}` });
+      successCount++;
+    } else {
+      s.error({ text: `${pc.red("\u2717")} ${u.server}: ${result.error}` });
+    }
+    results.push({
+      server: u.server,
+      from: result.fromVersion,
+      to: result.toVersion,
+      ok: result.success,
+      error: result.error
+    });
+  }
+  console.log();
+  if (successCount > 0) {
+    const updatedNames = results.filter((r) => r.ok).map((r) => r.server);
+    const freshLockfile = readLockfile();
+    const rescanSpinner = createSpinner("Re-scanning updated servers...").start();
+    const afterReports = await Promise.all(
+      updatedNames.map((name) => scanServer(name, freshLockfile.servers[name]))
+    );
+    rescanSpinner.success({ text: "Re-scan complete" });
+    console.log(pc.bold("\n  Before / After:\n"));
+    for (const after of afterReports) {
+      const before = reports.find((r) => r.server === after.server);
+      const beforeVulns = before?.vulnerabilities.length ?? 0;
+      const afterVulns = after.vulnerabilities.length;
+      const improved = afterVulns < beforeVulns ? pc.green("improved") : pc.yellow("unchanged");
+      console.log(
+        `    ${pc.bold(after.server)}  vulns: ${beforeVulns} \u2192 ${afterVulns}  [${improved}]`
+      );
+    }
+    console.log();
+  }
+  console.log(`
+  ${successCount} of ${updatable.length} server(s) updated.
+`);
+}
+
+// src/commands/config.ts
+import { defineCommand as defineCommand2 } from "citty";
+import pc2 from "picocolors";
+import * as p2 from "@clack/prompts";
+
+// src/core/config-service.ts
+import fs3 from "fs";
+import path3 from "path";
+var VALID_KEYS = /* @__PURE__ */ new Set([
+  "defaultClient",
+  "updateCheckInterval",
+  "preferredRegistry",
+  "vaultTimeout"
+]);
+function readConfig(configPath = getConfigPath()) {
+  try {
+    const raw = fs3.readFileSync(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return {};
+    }
+    return parsed;
+  } catch {
+    return {};
+  }
+}
+function writeConfig(data, configPath = getConfigPath()) {
+  const dir = path3.dirname(configPath);
+  fs3.mkdirSync(dir, { recursive: true });
+  const tmp = `${configPath}.tmp`;
+  fs3.writeFileSync(tmp, JSON.stringify(data, null, 2), { encoding: "utf-8" });
+  fs3.renameSync(tmp, configPath);
+}
+function getConfigValue(key, configPath = getConfigPath()) {
+  const data = readConfig(configPath);
+  if (!VALID_KEYS.has(key)) return void 0;
+  return data[key];
+}
+function setConfigValue(key, value, configPath = getConfigPath()) {
+  const data = readConfig(configPath);
+  if (!VALID_KEYS.has(key)) {
+    throw new Error(`Unknown config key: "${key}". Valid keys: ${[...VALID_KEYS].join(", ")}`);
+  }
+  data[key] = value;
+  writeConfig(data, configPath);
+}
+
+// src/commands/config.ts
+function coerceValue(raw) {
+  if (raw === "true") return true;
+  if (raw === "false") return false;
+  const num = Number(raw);
+  if (!Number.isNaN(num) && raw.trim() !== "") return num;
+  return raw;
+}
+var setCommand = defineCommand2({
+  meta: { name: "set", description: "Set a config value" },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key (e.g. defaultClient)",
+      required: true
+    },
+    value: {
+      type: "positional",
+      description: "Value to set",
+      required: true
+    }
+  },
+  run({ args }) {
+    try {
+      const coerced = coerceValue(args.value);
+      setConfigValue(args.key, coerced);
+      console.log(
+        `${pc2.green("\u2713")} Set ${pc2.bold(args.key)} = ${pc2.cyan(String(coerced))}`
+      );
+    } catch (err) {
+      console.error(`${pc2.red("\u2717")} ${String(err)}`);
+      process.exit(1);
+    }
+  }
+});
+var getCommand = defineCommand2({
+  meta: { name: "get", description: "Get a config value" },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key to read",
+      required: true
+    }
+  },
+  run({ args }) {
+    const val = getConfigValue(args.key);
+    if (val === void 0) {
+      console.log(pc2.dim(`${args.key}: (not set)`));
     } else {
-      parts.push(pc.green("all clear"));
+      console.log(`${pc2.bold(args.key)}: ${pc2.cyan(String(val))}`);
     }
-    console.log(`
-  Summary: ${parts.join(" | ")}
-`);
-    if (args.fix) {
-      const withVulns = reports.filter((r) => r.vulnerabilities.length > 0);
-      if (withVulns.length > 0) {
-        console.log(pc.bold("  Fix suggestions:"));
-        for (const r of withVulns) {
-          console.log(`    ${pc.cyan("\u2192")} Run ${pc.cyan(`mcpman install ${r.server}@latest`)} to update`);
-        }
-        console.log();
-      }
+  }
+});
+var listCommand = defineCommand2({
+  meta: { name: "list", description: "List all config values" },
+  run() {
+    const data = readConfig();
+    const entries = Object.entries(data);
+    if (entries.length === 0) {
+      console.log(pc2.dim("No config values set. Use `mcpman config set <key> <value>`."));
+      return;
+    }
+    console.log("");
+    console.log(pc2.bold("mcpman config:"));
+    console.log("");
+    for (const [key, val] of entries) {
+      console.log(`  ${pc2.green("\u25CF")} ${pc2.bold(key)}  ${pc2.cyan(String(val))}`);
+    }
+    console.log("");
+    console.log(pc2.dim(`  ${entries.length} key${entries.length !== 1 ? "s" : ""} configured`));
+  }
+});
+var resetCommand = defineCommand2({
+  meta: { name: "reset", description: "Reset config to defaults (removes config file)" },
+  async run() {
+    const confirmed = await p2.confirm({
+      message: "Reset all config values to defaults?",
+      initialValue: false
+    });
+    if (p2.isCancel(confirmed) || !confirmed) {
+      p2.cancel("Cancelled.");
+      return;
     }
+    writeConfig({});
+    console.log(`${pc2.green("\u2713")} Config reset to defaults.`);
+  }
+});
+var config_default = defineCommand2({
+  meta: {
+    name: "config",
+    description: "Manage mcpman CLI configuration"
+  },
+  subCommands: {
+    set: setCommand,
+    get: getCommand,
+    list: listCommand,
+    reset: resetCommand
   }
 });
 
 // src/commands/doctor.ts
-import { defineCommand as defineCommand2 } from "citty";
-import pc2 from "picocolors";
+import { defineCommand as defineCommand3 } from "citty";
+import pc3 from "picocolors";
 
 // src/core/server-inventory.ts
 async function getInstalledServers(clientFilter) {
@@ -629,12 +1187,12 @@ async function quickHealthProbe(config, timeoutMs = 3e3) {
 
 // src/commands/doctor.ts
 var CHECK_ICON = {
-  pass: pc2.green("\u2713"),
-  fail: pc2.red("\u2717"),
-  skip: pc2.dim("-"),
-  warn: pc2.yellow("\u26A0")
+  pass: pc3.green("\u2713"),
+  fail: pc3.red("\u2717"),
+  skip: pc3.dim("-"),
+  warn: pc3.yellow("\u26A0")
 };
-var doctor_default = defineCommand2({
+var doctor_default = defineCommand3({
   meta: {
     name: "doctor",
     description: "Check MCP server health and configuration"
@@ -647,10 +1205,10 @@ var doctor_default = defineCommand2({
     }
   },
   async run({ args }) {
-    console.log(pc2.bold("\n  mcpman doctor\n"));
+    console.log(pc3.bold("\n  mcpman doctor\n"));
     const servers = await getInstalledServers();
     if (servers.length === 0) {
-      console.log(pc2.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
+      console.log(pc3.dim("  No MCP servers installed. Run mcpman install <server> to get started."));
       return;
     }
     const tasks = servers.map((s) => () => checkServerHealth(s.name, s.config));
@@ -662,14 +1220,14 @@ var doctor_default = defineCommand2({
       if (result.status === "healthy") passed++;
       else failed++;
     }
-    console.log(pc2.dim("  " + "\u2500".repeat(50)));
+    console.log(pc3.dim("  " + "\u2500".repeat(50)));
     const parts = [];
-    if (passed > 0) parts.push(pc2.green(`${passed} healthy`));
-    if (failed > 0) parts.push(pc2.red(`${failed} unhealthy`));
+    if (passed > 0) parts.push(pc3.green(`${passed} healthy`));
+    if (failed > 0) parts.push(pc3.red(`${failed} unhealthy`));
     console.log(`  Summary: ${parts.join(", ")}`);
     if (failed > 0) {
       if (!args.fix) {
-        console.log(pc2.dim(`  Run ${pc2.cyan("mcpman doctor --fix")} for fix suggestions.
+        console.log(pc3.dim(`  Run ${pc3.cyan("mcpman doctor --fix")} for fix suggestions.
 `));
       }
       process.exit(1);
@@ -678,13 +1236,13 @@ var doctor_default = defineCommand2({
   }
 });
 function printServerResult(result, showFix) {
-  const icon = result.status === "healthy" ? pc2.green("\u25CF") : pc2.red("\u25CF");
-  console.log(`  ${icon} ${pc2.bold(result.serverName)}`);
+  const icon = result.status === "healthy" ? pc3.green("\u25CF") : pc3.red("\u25CF");
+  console.log(`  ${icon} ${pc3.bold(result.serverName)}`);
   for (const check of result.checks) {
     const checkIcon = check.skipped ? CHECK_ICON.skip : check.passed ? CHECK_ICON.pass : CHECK_ICON.fail;
     console.log(`    ${checkIcon} ${check.name}: ${check.message}`);
     if (showFix && !check.passed && !check.skipped && check.fix) {
-      console.log(`      ${pc2.yellow("\u2192")} Fix: ${pc2.cyan(check.fix)}`);
+      console.log(`      ${pc3.yellow("\u2192")} Fix: ${pc3.cyan(check.fix)}`);
     }
   }
   console.log();
@@ -693,11 +1251,11 @@ async function runParallel(tasks, concurrency) {
   const results = [];
   const executing = /* @__PURE__ */ new Set();
   for (const task of tasks) {
-    const p8 = task().then((r) => {
+    const p11 = task().then((r) => {
       results.push(r);
-      executing.delete(p8);
+      executing.delete(p11);
     });
-    executing.add(p8);
+    executing.add(p11);
     if (executing.size >= concurrency) {
       await Promise.race(executing);
     }
@@ -706,121 +1264,173 @@ async function runParallel(tasks, concurrency) {
   return results;
 }
 
-// src/commands/init.ts
-import { defineCommand as defineCommand3 } from "citty";
-import * as p from "@clack/prompts";
-import path3 from "path";
+// src/commands/info.ts
+import { defineCommand as defineCommand4 } from "citty";
+import pc4 from "picocolors";
+import { createSpinner as createSpinner2 } from "nanospinner";
 
-// src/core/registry.ts
-import { createHash } from "crypto";
-function computeIntegrity(resolvedUrl) {
-  const hash = createHash("sha512").update(resolvedUrl).digest("base64");
-  return `sha512-${hash}`;
-}
-async function resolveFromSmithery(name) {
-  const url = `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Server '${name}' not found on Smithery registry`);
-    }
-    if (!res.ok) {
-      throw new Error(`Smithery API error: ${res.status}`);
+// src/core/package-info.ts
+async function buildInfo(name, entry, source = "npm") {
+  const resolvedSource = entry?.source ?? source;
+  let weeklyDownloads = 0;
+  let maintainerCount = 0;
+  let packageAge = 0;
+  let lastPublish = "";
+  let deprecated = false;
+  let trustScore = null;
+  let riskLevel = "UNKNOWN";
+  if (resolvedSource === "npm") {
+    const metadata = await fetchNpmMetadata(name);
+    if (!metadata && !entry) {
+      return null;
+    }
+    if (metadata) {
+      weeklyDownloads = metadata.weeklyDownloads;
+      maintainerCount = metadata.maintainerCount;
+      packageAge = metadata.packageAge;
+      lastPublish = metadata.lastPublish;
+      deprecated = metadata.deprecated;
+      const scored = computeTrustScore(metadata, []);
+      trustScore = scored.score;
+      riskLevel = scored.riskLevel;
     }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach Smithery registry: ${err instanceof Error ? err.message : String(err)}`
-    );
   }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const command = typeof data.command === "string" ? data.command : "npx";
-  const args = Array.isArray(data.args) ? data.args : ["-y", `${name}@${version}`];
-  const envVars = Array.isArray(data.envVars) ? data.envVars : [];
-  const resolved = typeof data.resolved === "string" ? data.resolved : `smithery:${name}@${version}`;
   return {
     name,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command,
-    args,
-    envVars,
-    resolved
+    version: entry?.version ?? "unknown",
+    description: "",
+    source: resolvedSource,
+    runtime: entry?.runtime ?? "node",
+    envVars: entry?.envVars ?? [],
+    weeklyDownloads,
+    maintainerCount,
+    packageAge,
+    lastPublish,
+    deprecated,
+    trustScore,
+    riskLevel,
+    installedClients: entry?.clients ?? [],
+    isInstalled: entry !== null
   };
 }
-async function resolveFromNpm(packageName) {
-  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
-  let data;
-  try {
-    const res = await fetch(url, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (res.status === 404) {
-      throw new Error(`Package '${packageName}' not found on npm`);
-    }
-    if (!res.ok) {
-      throw new Error(`npm registry error: ${res.status}`);
-    }
-    data = await res.json();
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("not found")) throw err;
-    throw new Error(
-      `Cannot reach npm registry: ${err instanceof Error ? err.message : String(err)}`
+async function getPackageInfo(serverName) {
+  const lockfile = readLockfile();
+  const entry = lockfile.servers[serverName] ?? null;
+  return buildInfo(serverName, entry);
+}
+
+// src/commands/info.ts
+function colorRisk2(score, riskLevel) {
+  const label = score !== null ? `${score}/100 (${riskLevel})` : riskLevel;
+  if (riskLevel === "LOW") return pc4.green(label);
+  if (riskLevel === "MEDIUM") return pc4.yellow(label);
+  if (riskLevel === "HIGH") return pc4.red(label);
+  if (riskLevel === "CRITICAL") return pc4.bold(pc4.red(label));
+  return pc4.dim(label);
+}
+function formatDaysAgo(isoDate) {
+  if (!isoDate) return "unknown";
+  const days = Math.floor((Date.now() - new Date(isoDate).getTime()) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "1 day ago";
+  return `${days} days ago`;
+}
+function printInfo(info2) {
+  const installedBadge = info2.isInstalled ? pc4.green(" [installed]") : pc4.dim(" [not installed]");
+  console.log();
+  console.log(pc4.bold(`  ${info2.name}@${info2.version}`) + installedBadge);
+  console.log(pc4.dim("  " + "\u2500".repeat(60)));
+  console.log(`  ${pc4.dim("Source:")}   ${info2.source}`);
+  console.log(`  ${pc4.dim("Runtime:")}  ${info2.runtime}`);
+  if (info2.description) {
+    console.log(`  ${pc4.dim("Description:")} ${info2.description}`);
+  }
+  if (info2.deprecated) {
+    console.log(`  ${pc4.red("[DEPRECATED]")} This package is deprecated`);
+  }
+  console.log();
+  console.log(`  ${pc4.bold("Trust & Security")}`);
+  console.log(`  ${pc4.dim("Trust score:")}   ${colorRisk2(info2.trustScore, info2.riskLevel)}`);
+  if (info2.source === "npm") {
+    console.log(
+      `  ${pc4.dim("Downloads:")}    ${info2.weeklyDownloads.toLocaleString()}/week  ${pc4.dim("|")}  ${pc4.dim("Age:")} ${info2.packageAge}d  ${pc4.dim("|")}  ${pc4.dim("Maintainers:")} ${info2.maintainerCount}`
     );
+    if (info2.lastPublish) {
+      console.log(`  ${pc4.dim("Last publish:")} ${formatDaysAgo(info2.lastPublish)}`);
+    }
+  } else {
+    console.log(pc4.dim("  (Trust data available for npm packages only)"));
   }
-  const version = typeof data.version === "string" ? data.version : "latest";
-  const resolved = `https://registry.npmjs.org/${packageName}/-/${packageName.replace(/^@[^/]+\//, "")}-${version}.tgz`;
-  const mcpField = data.mcp && typeof data.mcp === "object" ? data.mcp : null;
-  const envVars = mcpField?.envVars ? mcpField.envVars : [];
-  return {
-    name: packageName,
-    version,
-    description: typeof data.description === "string" ? data.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", `${packageName}@${version}`],
-    envVars,
-    resolved
-  };
-}
-async function resolveFromGitHub(githubUrl) {
-  const match = githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) {
-    throw new Error(`Invalid GitHub URL: ${githubUrl}`);
+  console.log();
+  console.log(`  ${pc4.bold("Environment Variables")}`);
+  if (info2.envVars.length > 0) {
+    for (const env of info2.envVars) {
+      console.log(`    ${pc4.cyan("\u2022")} ${env}`);
+    }
+  } else {
+    console.log(pc4.dim("    none required"));
   }
-  const [, owner, repo] = match;
-  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/main/package.json`;
-  let pkgData = {};
-  try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(8e3) });
-    if (res.ok) {
-      pkgData = await res.json();
+  console.log();
+  console.log(`  ${pc4.bold("Installed Clients")}`);
+  if (info2.installedClients.length > 0) {
+    for (const client of info2.installedClients) {
+      console.log(`    ${pc4.green("\u2713")} ${client}`);
     }
-  } catch {
+  } else {
+    console.log(pc4.dim("    Not installed in any client"));
   }
-  const version = typeof pkgData.version === "string" ? pkgData.version : "main";
-  const name = typeof pkgData.name === "string" ? pkgData.name : `${owner}/${repo}`;
-  return {
-    name,
-    version,
-    description: typeof pkgData.description === "string" ? pkgData.description : "",
-    runtime: "node",
-    command: "npx",
-    args: ["-y", githubUrl],
-    envVars: [],
-    resolved: githubUrl
-  };
+  console.log();
+  console.log(pc4.dim("  " + "\u2500".repeat(60)));
+  console.log();
 }
+var info_default = defineCommand4({
+  meta: {
+    name: "info",
+    description: "Show detailed metadata for an MCP server (installed or from registry)"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name (e.g. @modelcontextprotocol/server-filesystem)",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output results as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const spinner5 = createSpinner2(`Fetching info for ${args.server}...`).start();
+    let info2;
+    try {
+      info2 = await getPackageInfo(args.server);
+    } catch (err) {
+      spinner5.error({ text: "Failed to fetch package info" });
+      console.error(pc4.red(String(err)));
+      process.exit(1);
+    }
+    if (!info2) {
+      spinner5.error({ text: `Package not found: ${args.server}` });
+      console.log(pc4.dim(`
+  "${args.server}" was not found in the npm registry or your lockfile.
+`));
+      process.exit(1);
+    }
+    spinner5.success({ text: `Found ${args.server}` });
+    if (args.json) {
+      console.log(JSON.stringify(info2, null, 2));
+      return;
+    }
+    printInfo(info2);
+  }
+});
 
 // src/commands/init.ts
-var init_default = defineCommand3({
+import { defineCommand as defineCommand5 } from "citty";
+import * as p3 from "@clack/prompts";
+import path4 from "path";
+var init_default = defineCommand5({
   meta: {
     name: "init",
     description: "Initialize mcpman.lock in the current project"
@@ -835,27 +1445,27 @@ var init_default = defineCommand3({
   },
   async run({ args }) {
     const nonInteractive = args.yes || !process.stdout.isTTY;
-    p.intro("mcpman init");
-    const targetPath = path3.join(process.cwd(), LOCKFILE_NAME);
+    p3.intro("mcpman init");
+    const targetPath = path4.join(process.cwd(), LOCKFILE_NAME);
     const existing = findLockfile();
     if (existing) {
       if (nonInteractive) {
-        p.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
+        p3.log.warn(`Lockfile already exists: ${existing} \u2014 overwriting (non-interactive).`);
       } else {
-        p.log.warn(`Lockfile already exists: ${existing}`);
-        const overwrite = await p.confirm({ message: "Overwrite?" });
-        if (p.isCancel(overwrite) || !overwrite) {
-          p.outro("Cancelled.");
+        p3.log.warn(`Lockfile already exists: ${existing}`);
+        const overwrite = await p3.confirm({ message: "Overwrite?" });
+        if (p3.isCancel(overwrite) || !overwrite) {
+          p3.outro("Cancelled.");
           return;
         }
       }
     }
     let clients = [];
     try {
-      const mod = await import("./client-detector-SUIJSIYM.js");
+      const mod = await import("./client-detector-UAP2EYZA.js");
       clients = await mod.getInstalledClients();
     } catch {
-      p.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
+      p3.log.warn("Could not detect AI clients \u2014 creating empty lockfile.");
     }
     const clientServers = [];
     for (const client of clients) {
@@ -869,26 +1479,26 @@ var init_default = defineCommand3({
     }
     createEmptyLockfile(targetPath);
     if (clientServers.length === 0) {
-      p.log.info("No existing servers found in any client config.");
-      p.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
+      p3.log.info("No existing servers found in any client config.");
+      p3.outro(`Created ${LOCKFILE_NAME} \u2014 add it to version control!`);
       return;
     }
     let selected;
     if (nonInteractive) {
       selected = clientServers.map((cs) => cs.client.type);
-      p.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
+      p3.log.info(`Non-interactive mode: importing all ${clientServers.length} client(s).`);
     } else {
       const options = clientServers.map((cs) => ({
         value: cs.client.type,
         label: `${cs.client.displayName} (${Object.keys(cs.servers).length} servers)`
       }));
-      const toImport = await p.multiselect({
+      const toImport = await p3.multiselect({
         message: "Import existing servers into lockfile?",
         options,
         required: false
       });
-      if (p.isCancel(toImport)) {
-        p.outro(`Created empty ${LOCKFILE_NAME}`);
+      if (p3.isCancel(toImport)) {
+        p3.outro(`Created empty ${LOCKFILE_NAME}`);
         return;
       }
       selected = toImport;
@@ -914,121 +1524,122 @@ var init_default = defineCommand3({
         importCount++;
       }
     }
-    p.outro(
+    p3.outro(
       `Created ${LOCKFILE_NAME} with ${importCount} server(s) \u2014 commit to version control!`
     );
   }
 });
 
 // src/commands/install.ts
-import { defineCommand as defineCommand4 } from "citty";
+import { defineCommand as defineCommand6 } from "citty";
 
 // src/core/installer.ts
-import * as p2 from "@clack/prompts";
+import * as p5 from "@clack/prompts";
 
-// src/core/server-resolver.ts
-function detectSource(input) {
-  if (input.startsWith("smithery:")) {
-    return { type: "smithery", input: input.slice(9) };
-  }
-  if (input.startsWith("https://github.com/") || input.startsWith("github.com/")) {
-    return { type: "github", input };
-  }
-  return { type: "npm", input };
-}
-function parseEnvFlags(envFlags) {
-  if (!envFlags) return {};
-  const flags = Array.isArray(envFlags) ? envFlags : [envFlags];
-  const result = {};
-  for (const flag of flags) {
-    const idx = flag.indexOf("=");
-    if (idx > 0) {
-      result[flag.slice(0, idx)] = flag.slice(idx + 1);
+// src/core/installer-vault-helpers.ts
+import * as p4 from "@clack/prompts";
+async function tryLoadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
     }
+    const password = await getMasterPassword();
+    return getSecretsForServer(serverName, password);
+  } catch {
+    return {};
   }
-  return result;
 }
-async function resolveServer(input) {
-  const source = detectSource(input);
-  switch (source.type) {
-    case "smithery":
-      return resolveFromSmithery(source.input);
-    case "github":
-      return resolveFromGitHub(source.input);
-    case "npm":
-      return resolveFromNpm(source.input);
+async function offerVaultSave(serverName, newVars, yes) {
+  if (Object.keys(newVars).length === 0) return;
+  if (yes) return;
+  try {
+    const save = await p4.confirm({
+      message: `Save ${Object.keys(newVars).length} env var(s) to encrypted vault for future installs?`
+    });
+    if (p4.isCancel(save) || !save) return;
+    const password = await getMasterPassword();
+    for (const [key, value] of Object.entries(newVars)) {
+      setSecret(serverName, key, value, password);
+    }
+    p4.log.success(`Credentials saved to vault for '${serverName}'`);
+  } catch (err) {
+    p4.log.warn(`Could not save to vault: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 
 // src/core/installer.ts
-async function loadClients() {
+async function loadClients2() {
   try {
-    const mod = await import("./client-detector-SUIJSIYM.js");
+    const mod = await import("./client-detector-UAP2EYZA.js");
     return mod.getInstalledClients();
   } catch {
     return [];
   }
 }
 async function installServer(input, options = {}) {
-  p2.intro("mcpman install");
-  const spinner5 = p2.spinner();
+  p5.intro("mcpman install");
+  const spinner5 = p5.spinner();
   spinner5.start("Resolving server...");
   let metadata;
   try {
     metadata = await resolveServer(input);
   } catch (err) {
     spinner5.stop("Resolution failed");
-    p2.log.error(err instanceof Error ? err.message : String(err));
+    p5.log.error(err instanceof Error ? err.message : String(err));
     process.exit(1);
   }
   spinner5.stop(`Found: ${metadata.name}@${metadata.version}`);
-  const clients = await loadClients();
+  const clients = await loadClients2();
   if (clients.length === 0) {
-    p2.log.warn("No supported AI clients detected on this machine.");
-    p2.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
+    p5.log.warn("No supported AI clients detected on this machine.");
+    p5.log.info("Supported: Claude Desktop, Cursor, VS Code, Windsurf");
     process.exit(1);
   }
   let selectedClients;
   if (options.client) {
     const found = clients.find((c) => c.type === options.client || c.displayName.toLowerCase() === options.client?.toLowerCase());
     if (!found) {
-      p2.log.error(`Client '${options.client}' not found or not installed.`);
-      p2.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
+      p5.log.error(`Client '${options.client}' not found or not installed.`);
+      p5.log.info(`Available: ${clients.map((c) => c.type).join(", ")}`);
       process.exit(1);
     }
     selectedClients = [found];
   } else if (options.yes || clients.length === 1) {
     selectedClients = clients;
   } else {
-    const chosen = await p2.multiselect({
+    const chosen = await p5.multiselect({
       message: "Install to which client(s)?",
       options: clients.map((c) => ({ value: c.type, label: c.displayName })),
       required: true
     });
-    if (p2.isCancel(chosen)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(chosen)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     selectedClients = clients.filter((c) => chosen.includes(c.type));
   }
   const providedEnv = parseEnvFlags(options.env);
-  const collectedEnv = { ...providedEnv };
+  const vaultEnv = await tryLoadVaultSecrets(metadata.name);
+  const collectedEnv = { ...vaultEnv, ...providedEnv };
+  const newlyEnteredVars = {};
   const requiredVars = metadata.envVars.filter((e) => e.required && !(e.name in collectedEnv));
   for (const envVar of requiredVars) {
     if (options.yes && envVar.default) {
       collectedEnv[envVar.name] = envVar.default;
       continue;
     }
-    const val = await p2.text({
+    const val = await p5.text({
       message: `${envVar.name}${envVar.description ? ` \u2014 ${envVar.description}` : ""}`,
       placeholder: envVar.default ?? "",
       validate: (v) => envVar.required && !v ? "Required" : void 0
     });
-    if (p2.isCancel(val)) {
-      p2.outro("Cancelled.");
+    if (p5.isCancel(val)) {
+      p5.outro("Cancelled.");
       process.exit(0);
     }
     collectedEnv[envVar.name] = val;
+    newlyEnteredVars[envVar.name] = val;
   }
   const entry = {
     command: metadata.command,
@@ -1043,7 +1654,7 @@ async function installServer(input, options = {}) {
       clientTypes.push(client.type);
     } catch (err) {
       spinner5.stop("Partial failure");
-      p2.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
+      p5.log.warn(`Failed to write to ${client.displayName}: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
   spinner5.stop("Config written");
@@ -1062,12 +1673,13 @@ async function installServer(input, options = {}) {
     clients: clientTypes
   });
   const lockPath = findLockfile() ?? "mcpman.lock (global)";
-  p2.log.success(`Lockfile updated: ${lockPath}`);
-  p2.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
+  p5.log.success(`Lockfile updated: ${lockPath}`);
+  await offerVaultSave(metadata.name, newlyEnteredVars, options.yes ?? false);
+  p5.outro(`${metadata.name}@${metadata.version} installed to ${clientTypes.join(", ")}`);
 }
 
 // src/utils/logger.ts
-import pc3 from "picocolors";
+import pc5 from "picocolors";
 var noColor = process.env.NO_COLOR !== void 0 || process.argv.includes("--no-color");
 var isVerbose = process.argv.includes("--verbose");
 var isJson = process.argv.includes("--json");
@@ -1076,19 +1688,19 @@ function colorize(fn, text2) {
 }
 function info(message) {
   if (isJson) return;
-  console.log(`${colorize(pc3.cyan, "i")} ${message}`);
+  console.log(`${colorize(pc5.cyan, "i")} ${message}`);
 }
 function error(message) {
   if (isJson) return;
-  console.error(`${colorize(pc3.red, "\u2717")} ${message}`);
+  console.error(`${colorize(pc5.red, "\u2717")} ${message}`);
 }
 function json(data) {
   console.log(JSON.stringify(data, null, 2));
 }
 
 // src/commands/install.ts
-import * as p3 from "@clack/prompts";
-var install_default = defineCommand4({
+import * as p6 from "@clack/prompts";
+var install_default = defineCommand6({
   meta: {
     name: "install",
     description: "Install an MCP server into one or more AI clients"
@@ -1137,8 +1749,8 @@ async function restoreFromLockfile() {
     info("Lockfile is empty \u2014 nothing to restore.");
     return;
   }
-  p3.intro(`mcpman install (restore from ${lockPath})`);
-  p3.log.info(`Restoring ${entries.length} server(s)...`);
+  p6.intro(`mcpman install (restore from ${lockPath})`);
+  p6.log.info(`Restoring ${entries.length} server(s)...`);
   for (const [name, entry] of entries) {
     const input = entry.source === "smithery" ? `smithery:${name}` : entry.source === "github" ? entry.resolved : name;
     await installServer(input, {
@@ -1146,18 +1758,18 @@ async function restoreFromLockfile() {
       yes: true
     });
   }
-  p3.outro("Restore complete.");
+  p6.outro("Restore complete.");
 }
 
 // src/commands/list.ts
-import { defineCommand as defineCommand5 } from "citty";
-import pc4 from "picocolors";
+import { defineCommand as defineCommand7 } from "citty";
+import pc6 from "picocolors";
 var STATUS_ICON = {
-  healthy: pc4.green("\u25CF"),
-  unhealthy: pc4.red("\u25CF"),
-  unknown: pc4.dim("\u25CB")
+  healthy: pc6.green("\u25CF"),
+  unhealthy: pc6.red("\u25CF"),
+  unknown: pc6.dim("\u25CB")
 };
-var list_default = defineCommand5({
+var list_default = defineCommand7({
   meta: {
     name: "list",
     description: "List installed MCP servers"
@@ -1177,7 +1789,7 @@ var list_default = defineCommand5({
     const servers = await getInstalledServers(args.client);
     if (servers.length === 0) {
       const filter = args.client ? ` for client "${args.client}"` : "";
-      console.log(pc4.dim(`No MCP servers installed${filter}. Run ${pc4.cyan("mcpman install <server>")} to get started.`));
+      console.log(pc6.dim(`No MCP servers installed${filter}. Run ${pc6.cyan("mcpman install <server>")} to get started.`));
       return;
     }
     const withStatus = await Promise.all(
@@ -1201,8 +1813,8 @@ var list_default = defineCommand5({
     const nameWidth = Math.max(4, ...withStatus.map((s) => s.name.length));
     const clientsWidth = Math.max(7, ...withStatus.map((s) => formatClients(s.clients).length));
     const header = `  ${pad("NAME", nameWidth)}  ${pad("CLIENT(S)", clientsWidth)}  ${pad("COMMAND", 20)}  STATUS`;
-    console.log(pc4.dim(header));
-    console.log(pc4.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
+    console.log(pc6.dim(header));
+    console.log(pc6.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientsWidth)}  ${"-".repeat(20)}  ------`));
     for (const s of withStatus) {
       const icon = STATUS_ICON[s.status];
       const clientsStr = formatClients(s.clients);
@@ -1210,7 +1822,7 @@ var list_default = defineCommand5({
       console.log(`  ${pad(s.name, nameWidth)}  ${pad(clientsStr, clientsWidth)}  ${pad(cmdStr, 20)}  ${icon} ${s.status}`);
     }
     const clientSet = new Set(withStatus.flatMap((s) => s.clients));
-    console.log(pc4.dim(`
+    console.log(pc6.dim(`
   ${withStatus.length} server${withStatus.length !== 1 ? "s" : ""} \xB7 ${clientSet.size} client${clientSet.size !== 1 ? "s" : ""}`));
   }
 });
@@ -1231,9 +1843,9 @@ function formatClients(clients) {
 }
 
 // src/commands/remove.ts
-import { defineCommand as defineCommand6 } from "citty";
-import * as p4 from "@clack/prompts";
-import pc5 from "picocolors";
+import { defineCommand as defineCommand8 } from "citty";
+import * as p7 from "@clack/prompts";
+import pc7 from "picocolors";
 var CLIENT_DISPLAY2 = {
   "claude-desktop": "Claude",
   cursor: "Cursor",
@@ -1243,7 +1855,7 @@ var CLIENT_DISPLAY2 = {
 function clientDisplayName(type) {
   return CLIENT_DISPLAY2[type] ?? type;
 }
-var remove_default = defineCommand6({
+var remove_default = defineCommand8({
   meta: {
     name: "remove",
     description: "Remove an MCP server from one or more AI clients"
@@ -1270,17 +1882,17 @@ var remove_default = defineCommand6({
     }
   },
   async run({ args }) {
-    p4.intro(pc5.bold("mcpman remove"));
+    p7.intro(pc7.bold("mcpman remove"));
     const serverName = args.server;
     const servers = await getInstalledServers();
     const match = servers.find((s) => s.name === serverName);
     if (!match) {
-      p4.log.warn(`Server "${serverName}" is not installed.`);
+      p7.log.warn(`Server "${serverName}" is not installed.`);
       const similar = servers.filter((s) => s.name.includes(serverName) || serverName.includes(s.name));
       if (similar.length > 0) {
-        p4.log.info(`Did you mean: ${similar.map((s) => pc5.cyan(s.name)).join(", ")}?`);
+        p7.log.info(`Did you mean: ${similar.map((s) => pc7.cyan(s.name)).join(", ")}?`);
       }
-      p4.outro("Nothing to remove.");
+      p7.outro("Nothing to remove.");
       return;
     }
     let targetClients;
@@ -1288,15 +1900,15 @@ var remove_default = defineCommand6({
       targetClients = match.clients;
     } else if (args.client) {
       if (!match.clients.includes(args.client)) {
-        p4.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
-        p4.outro("Nothing to remove.");
+        p7.log.warn(`Server "${serverName}" is not installed in client "${args.client}".`);
+        p7.outro("Nothing to remove.");
         return;
       }
       targetClients = [args.client];
     } else if (match.clients.length === 1) {
       targetClients = match.clients;
     } else {
-      const selected = await p4.multiselect({
+      const selected = await p7.multiselect({
         message: `Remove "${serverName}" from which clients?`,
         options: match.clients.map((c) => ({
           value: c,
@@ -1304,19 +1916,19 @@ var remove_default = defineCommand6({
         })),
         required: true
       });
-      if (p4.isCancel(selected)) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(selected)) {
+        p7.outro("Cancelled.");
         process.exit(0);
       }
       targetClients = selected;
     }
     if (!args.yes) {
       const clientNames = targetClients.map(clientDisplayName).join(", ");
-      const confirmed = await p4.confirm({
-        message: `Remove ${pc5.cyan(serverName)} from ${pc5.yellow(clientNames)}?`
+      const confirmed = await p7.confirm({
+        message: `Remove ${pc7.cyan(serverName)} from ${pc7.yellow(clientNames)}?`
       });
-      if (p4.isCancel(confirmed) || !confirmed) {
-        p4.outro("Cancelled.");
+      if (p7.isCancel(confirmed) || !confirmed) {
+        p7.outro("Cancelled.");
         return;
       }
     }
@@ -1330,25 +1942,268 @@ var remove_default = defineCommand6({
       }
       try {
         await handler.removeServer(serverName);
-        p4.log.success(`Removed from ${clientDisplayName(clientType)}`);
+        p7.log.success(`Removed from ${clientDisplayName(clientType)}`);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         errors.push(`${clientDisplayName(clientType)}: ${msg}`);
       }
     }
     if (errors.length > 0) {
-      for (const e of errors) p4.log.error(e);
-      p4.outro(pc5.red("Completed with errors."));
+      for (const e of errors) p7.log.error(e);
+      p7.outro(pc7.red("Completed with errors."));
       process.exit(1);
     }
-    p4.outro(pc5.green(`Removed "${serverName}" successfully.`));
+    p7.outro(pc7.green(`Removed "${serverName}" successfully.`));
+  }
+});
+
+// src/commands/run.ts
+import { defineCommand as defineCommand9 } from "citty";
+import { spawn as spawn2 } from "child_process";
+import pc8 from "picocolors";
+var run_default = defineCommand9({
+  meta: {
+    name: "run",
+    description: "Run an installed MCP server with vault secrets injected"
+  },
+  args: {
+    server: {
+      type: "positional",
+      description: "Server name to run (as installed in lockfile)",
+      required: true
+    },
+    env: {
+      type: "string",
+      description: "Override env var KEY=VAL (repeatable)",
+      alias: "e"
+    }
+  },
+  async run({ args }) {
+    const serverName = args.server;
+    const lockfile = readLockfile();
+    const entry = lockfile.servers[serverName];
+    if (!entry) {
+      console.error(pc8.red(`  Error: Server '${serverName}' is not installed.`));
+      console.error(pc8.dim(`  Run ${pc8.cyan("mcpman install <server>")} to install it first.`));
+      process.exit(1);
+    }
+    const lockfileEnv = parseEnvFlags(entry.envVars);
+    const vaultEnv = await loadVaultSecrets(serverName);
+    const cliEnv = parseEnvFlags(args.env);
+    const finalEnv = {
+      ...process.env,
+      ...lockfileEnv,
+      ...vaultEnv,
+      ...cliEnv
+    };
+    console.log(pc8.dim(`  Running ${pc8.cyan(serverName)}...`));
+    const child = spawn2(entry.command, entry.args, {
+      env: finalEnv,
+      stdio: "inherit"
+    });
+    const forwardSignal = (signal) => {
+      if (!child.killed) {
+        child.kill(signal);
+      }
+    };
+    process.on("SIGINT", () => forwardSignal("SIGINT"));
+    process.on("SIGTERM", () => forwardSignal("SIGTERM"));
+    await new Promise((resolve) => {
+      child.on("close", (code) => {
+        process.exit(code ?? 0);
+        resolve();
+      });
+      child.on("error", (err) => {
+        console.error(pc8.red(`  Failed to start '${serverName}': ${err.message}`));
+        process.exit(1);
+        resolve();
+      });
+    });
+  }
+});
+async function loadVaultSecrets(serverName) {
+  try {
+    const entries = listSecrets(serverName);
+    if (entries.length === 0 || entries[0].keys.length === 0) {
+      return {};
+    }
+    const password = await getMasterPassword();
+    return getSecretsForServer(serverName, password);
+  } catch {
+    console.warn(pc8.yellow("  Warning: Could not load vault secrets, continuing without them."));
+    return {};
+  }
+}
+
+// src/commands/search.ts
+import { defineCommand as defineCommand10 } from "citty";
+import pc9 from "picocolors";
+import { createSpinner as createSpinner3 } from "nanospinner";
+
+// src/core/registry-search.ts
+var SEARCH_TIMEOUT_MS = 1e4;
+async function searchNpm(query, limit = 20) {
+  const cap = Math.min(limit, 100);
+  const url = `https://registry.npmjs.org/-/v1/search?text=mcp+${encodeURIComponent(query)}&size=${cap}`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS) });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const objects = Array.isArray(data["objects"]) ? data["objects"] : [];
+    return objects.map((obj) => {
+      const pkg = obj["package"] ?? {};
+      const dl = obj["downloads"];
+      return {
+        name: typeof pkg["name"] === "string" ? pkg["name"] : "",
+        description: typeof pkg["description"] === "string" ? pkg["description"] : "",
+        version: typeof pkg["version"] === "string" ? pkg["version"] : "",
+        date: typeof pkg["date"] === "string" ? pkg["date"] : "",
+        downloads: typeof dl?.["weekly"] === "number" ? dl["weekly"] : 0,
+        keywords: Array.isArray(pkg["keywords"]) ? pkg["keywords"] : []
+      };
+    }).filter((r) => r.name !== "");
+  } catch {
+    return [];
+  }
+}
+async function searchSmithery(query, limit = 20) {
+  const cap = Math.min(limit, 100);
+  const url = `https://api.smithery.ai/v1/servers?q=${encodeURIComponent(query)}&limit=${cap}`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS) });
+    if (!res.ok) return [];
+    const data = await res.json();
+    const servers = Array.isArray(data["servers"]) ? data["servers"] : [];
+    return servers.map((s) => ({
+      name: typeof s["name"] === "string" ? s["name"] : "",
+      description: typeof s["description"] === "string" ? s["description"] : "",
+      version: typeof s["version"] === "string" ? s["version"] : "latest",
+      runtime: typeof s["runtime"] === "string" ? s["runtime"] : "node"
+    })).filter((r) => r.name !== "");
+  } catch {
+    return [];
+  }
+}
+
+// src/commands/search.ts
+function truncate2(s, max) {
+  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
+}
+function pad2(s, width) {
+  return s.length >= width ? s : s + " ".repeat(width - s.length);
+}
+function highlightMatch(name, query) {
+  const idx = name.toLowerCase().indexOf(query.toLowerCase());
+  if (idx === -1) return name;
+  return name.slice(0, idx) + pc9.yellow(name.slice(idx, idx + query.length)) + name.slice(idx + query.length);
+}
+function formatDownloads(n) {
+  if (!n) return pc9.dim("\u2014");
+  if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
+  if (n >= 1e3) return `${(n / 1e3).toFixed(1)}k`;
+  return String(n);
+}
+function printNpmResults(results, query) {
+  const nameWidth = Math.max(4, ...results.map((r) => r.name.length), 20);
+  const verWidth = Math.max(7, ...results.map((r) => r.version.length));
+  const dlWidth = 9;
+  const descMax = 50;
+  const header = `  ${pad2("NAME", nameWidth)}  ${pad2("VERSION", verWidth)}  ${pad2("DOWNLOADS", dlWidth)}  DESCRIPTION`;
+  console.log(pc9.dim(header));
+  console.log(pc9.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(verWidth)}  ${"-".repeat(dlWidth)}  ${"-".repeat(descMax)}`));
+  for (const r of results) {
+    const name = highlightMatch(pad2(r.name, nameWidth), query);
+    const ver = pad2(r.version, verWidth);
+    const dl = pad2(formatDownloads(r.downloads), dlWidth);
+    const desc = truncate2(r.description || pc9.dim("(no description)"), descMax);
+    console.log(`  ${name}  ${pc9.dim(ver)}  ${dl}  ${desc}`);
+  }
+}
+function printSmitheryResults(results, query) {
+  const nameWidth = Math.max(4, ...results.map((r) => r.name.length), 20);
+  const verWidth = Math.max(7, ...results.map((r) => r.version.length));
+  const descMax = 50;
+  const header = `  ${pad2("NAME", nameWidth)}  ${pad2("VERSION", verWidth)}  DESCRIPTION`;
+  console.log(pc9.dim(header));
+  console.log(pc9.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(verWidth)}  ${"-".repeat(descMax)}`));
+  for (const r of results) {
+    const name = highlightMatch(pad2(r.name, nameWidth), query);
+    const ver = pad2(r.version, verWidth);
+    const desc = truncate2(r.description || pc9.dim("(no description)"), descMax);
+    console.log(`  ${name}  ${pc9.dim(ver)}  ${desc}`);
+  }
+}
+var search_default = defineCommand10({
+  meta: {
+    name: "search",
+    description: "Search for MCP servers on npm or Smithery registry"
+  },
+  args: {
+    query: {
+      type: "positional",
+      description: "Search query",
+      required: true
+    },
+    registry: {
+      type: "string",
+      description: "Registry to search: npm or smithery (default: npm)",
+      default: "npm"
+    },
+    limit: {
+      type: "string",
+      description: "Maximum number of results (default: 20, max: 100)",
+      default: "20"
+    }
+  },
+  async run({ args }) {
+    const query = args.query;
+    const registry = args.registry.toLowerCase();
+    const limit = Math.min(Math.max(1, Number.parseInt(args.limit, 10) || 20), 100);
+    if (registry !== "npm" && registry !== "smithery") {
+      console.error(pc9.red(`  Unknown registry "${registry}". Use "npm" or "smithery".`));
+      process.exit(1);
+    }
+    const spinner5 = createSpinner3(`Searching ${registry} for "${query}"...`).start();
+    if (registry === "npm") {
+      const results2 = await searchNpm(query, limit);
+      spinner5.stop();
+      if (results2.length === 0) {
+        console.log(pc9.dim(`
+  No results found for "${query}" on npm.
+`));
+        return;
+      }
+      console.log(pc9.bold(`
+  mcpman search \u2014 npm (${results2.length} result${results2.length !== 1 ? "s" : ""})
+`));
+      printNpmResults(results2, query);
+      console.log(pc9.dim(`
+  Install with: mcpman install <name>
+`));
+      return;
+    }
+    const results = await searchSmithery(query, limit);
+    spinner5.stop();
+    if (results.length === 0) {
+      console.log(pc9.dim(`
+  No results found for "${query}" on Smithery.
+`));
+      return;
+    }
+    console.log(pc9.bold(`
+  mcpman search \u2014 Smithery (${results.length} result${results.length !== 1 ? "s" : ""})
+`));
+    printSmitheryResults(results, query);
+    console.log(pc9.dim(`
+  Install with: mcpman install <name>
+`));
   }
 });
 
 // src/commands/secrets.ts
-import { defineCommand as defineCommand7 } from "citty";
-import pc6 from "picocolors";
-import * as p5 from "@clack/prompts";
+import { defineCommand as defineCommand11 } from "citty";
+import pc10 from "picocolors";
+import * as p8 from "@clack/prompts";
 function maskValue(value) {
   if (value.length <= 8) return "***";
   return `${value.slice(0, 4)}***${value.slice(-3)}`;
@@ -1358,7 +2213,7 @@ function parseKeyValue(input) {
   if (idx <= 0) return null;
   return { key: input.slice(0, idx), value: input.slice(idx + 1) };
 }
-var setCommand = defineCommand7({
+var setCommand2 = defineCommand11({
   meta: { name: "set", description: "Store an encrypted secret for a server" },
   args: {
     server: {
@@ -1375,30 +2230,30 @@ var setCommand = defineCommand7({
   async run({ args }) {
     const parsed = parseKeyValue(args.keyvalue);
     if (!parsed) {
-      console.error(pc6.red("\u2717") + " Invalid format. Expected KEY=VALUE");
+      console.error(pc10.red("\u2717") + " Invalid format. Expected KEY=VALUE");
       process.exit(1);
     }
-    p5.intro(pc6.cyan("mcpman secrets set"));
+    p8.intro(pc10.cyan("mcpman secrets set"));
     const isNew = listSecrets(args.server).length === 0 || !listSecrets(args.server)[0]?.keys.includes(parsed.key);
     const vaultPath = (await import("./vault-service-UTZAV6N6.js")).getVaultPath();
     const vaultExists = (await import("fs")).existsSync(vaultPath);
     const password = await getMasterPassword(!vaultExists && isNew);
-    const spin = p5.spinner();
+    const spin = p8.spinner();
     spin.start("Encrypting secret...");
     try {
       setSecret(args.server, parsed.key, parsed.value, password);
       spin.stop(
-        `${pc6.green("\u2713")} Stored ${pc6.bold(parsed.key)} for ${pc6.cyan(args.server)}`
+        `${pc10.green("\u2713")} Stored ${pc10.bold(parsed.key)} for ${pc10.cyan(args.server)}`
       );
     } catch (err) {
-      spin.stop(pc6.red("\u2717") + " Failed to store secret");
-      console.error(pc6.dim(String(err)));
+      spin.stop(pc10.red("\u2717") + " Failed to store secret");
+      console.error(pc10.dim(String(err)));
       process.exit(1);
     }
-    p5.outro(pc6.dim("Secret encrypted and saved to vault."));
+    p8.outro(pc10.dim("Secret encrypted and saved to vault."));
   }
 });
-var listCommand = defineCommand7({
+var listCommand2 = defineCommand11({
   meta: { name: "list", description: "List secret keys stored in the vault" },
   args: {
     server: {
@@ -1410,23 +2265,23 @@ var listCommand = defineCommand7({
   async run({ args }) {
     const results = listSecrets(args.server || void 0);
     if (results.length === 0) {
-      const filter = args.server ? ` for ${pc6.cyan(args.server)}` : "";
-      console.log(pc6.dim(`No secrets stored${filter}.`));
+      const filter = args.server ? ` for ${pc10.cyan(args.server)}` : "";
+      console.log(pc10.dim(`No secrets stored${filter}.`));
       return;
     }
     console.log("");
     for (const { server, keys } of results) {
-      console.log(pc6.bold(pc6.cyan(server)));
+      console.log(pc10.bold(pc10.cyan(server)));
       for (const key of keys) {
-        console.log(`  ${pc6.green("\u25CF")} ${pc6.bold(key)}  ${pc6.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
+        console.log(`  ${pc10.green("\u25CF")} ${pc10.bold(key)}  ${pc10.dim(maskValue("\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"))}`);
       }
       console.log("");
     }
     const total = results.reduce((n, r) => n + r.keys.length, 0);
-    console.log(pc6.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
+    console.log(pc10.dim(`  ${total} secret${total !== 1 ? "s" : ""} in ${results.length} server${results.length !== 1 ? "s" : ""}`));
   }
 });
-var removeCommand = defineCommand7({
+var removeCommand = defineCommand11({
   meta: { name: "remove", description: "Delete a secret from the vault" },
   args: {
     server: {
@@ -1441,40 +2296,40 @@ var removeCommand = defineCommand7({
     }
   },
   async run({ args }) {
-    const confirmed = await p5.confirm({
-      message: `Remove ${pc6.bold(args.key)} from ${pc6.cyan(args.server)}?`,
+    const confirmed = await p8.confirm({
+      message: `Remove ${pc10.bold(args.key)} from ${pc10.cyan(args.server)}?`,
       initialValue: false
     });
-    if (p5.isCancel(confirmed) || !confirmed) {
-      p5.cancel("Cancelled.");
+    if (p8.isCancel(confirmed) || !confirmed) {
+      p8.cancel("Cancelled.");
       return;
     }
     try {
       removeSecret(args.server, args.key);
-      console.log(`${pc6.green("\u2713")} Removed ${pc6.bold(args.key)} from ${pc6.cyan(args.server)}`);
+      console.log(`${pc10.green("\u2713")} Removed ${pc10.bold(args.key)} from ${pc10.cyan(args.server)}`);
     } catch (err) {
-      console.error(pc6.red("\u2717") + " Failed to remove secret");
-      console.error(pc6.dim(String(err)));
+      console.error(pc10.red("\u2717") + " Failed to remove secret");
+      console.error(pc10.dim(String(err)));
       process.exit(1);
     }
   }
 });
-var secrets_default = defineCommand7({
+var secrets_default = defineCommand11({
   meta: {
     name: "secrets",
     description: "Manage encrypted secrets for MCP servers"
   },
   subCommands: {
-    set: setCommand,
-    list: listCommand,
+    set: setCommand2,
+    list: listCommand2,
     remove: removeCommand
   }
 });
 
 // src/commands/sync.ts
-import { defineCommand as defineCommand8 } from "citty";
-import * as p6 from "@clack/prompts";
-import pc7 from "picocolors";
+import { defineCommand as defineCommand12 } from "citty";
+import * as p9 from "@clack/prompts";
+import pc11 from "picocolors";
 
 // src/core/config-diff.ts
 function reconstructServerEntry(lockEntry) {
@@ -1489,7 +2344,7 @@ function reconstructServerEntry(lockEntry) {
   }
   return entry;
 }
-function computeDiff(lockfile, clientConfigs) {
+function computeDiff(lockfile, clientConfigs, options = {}) {
   const actions = [];
   for (const [server, lockEntry] of Object.entries(lockfile.servers)) {
     for (const client of lockEntry.clients) {
@@ -1507,19 +2362,21 @@ function computeDiff(lockfile, clientConfigs) {
       }
     }
   }
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     for (const server of Object.keys(config.servers)) {
       if (!(server in lockfile.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
   return actions;
 }
-function computeDiffFromClient(sourceClient, clientConfigs) {
+function computeDiffFromClient(sourceClient, clientConfigs, options = {}) {
   const actions = [];
   const sourceConfig = clientConfigs.get(sourceClient);
   if (!sourceConfig) return [];
+  const extraAction = options.remove ? "remove" : "extra";
   for (const [client, config] of clientConfigs) {
     if (client === sourceClient) continue;
     for (const [server, entry] of Object.entries(sourceConfig.servers)) {
@@ -1531,7 +2388,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
     }
     for (const server of Object.keys(config.servers)) {
       if (!(server in sourceConfig.servers)) {
-        actions.push({ server, client, action: "extra" });
+        actions.push({ server, client, action: extraAction });
       }
     }
   }
@@ -1540,7 +2397,7 @@ function computeDiffFromClient(sourceClient, clientConfigs) {
 
 // src/core/sync-engine.ts
 async function applySyncActions(actions, clients) {
-  const result = { applied: 0, failed: 0, errors: [] };
+  const result = { applied: 0, removed: 0, failed: 0, errors: [] };
   const addActions = actions.filter((a) => a.action === "add" && a.entry);
   for (const action of addActions) {
     const handler = clients.get(action.client);
@@ -1565,6 +2422,30 @@ async function applySyncActions(actions, clients) {
       });
     }
   }
+  const removeActions = actions.filter((a) => a.action === "remove");
+  for (const action of removeActions) {
+    const handler = clients.get(action.client);
+    if (!handler) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: "No handler available for client"
+      });
+      continue;
+    }
+    try {
+      await handler.removeServer(action.server);
+      result.removed++;
+    } catch (err) {
+      result.failed++;
+      result.errors.push({
+        server: action.server,
+        client: action.client,
+        error: String(err)
+      });
+    }
+  }
   return result;
 }
 async function getClientConfigs() {
@@ -1598,7 +2479,7 @@ var CLIENT_DISPLAY3 = {
   vscode: "VS Code",
   windsurf: "Windsurf"
 };
-var sync_default = defineCommand8({
+var sync_default = defineCommand12({
   meta: {
     name: "sync",
     description: "Sync MCP server configs across all detected AI clients"
@@ -1609,6 +2490,11 @@ var sync_default = defineCommand8({
       description: "Preview changes without applying them",
       default: false
     },
+    remove: {
+      type: "boolean",
+      description: "Remove extra servers not in lockfile",
+      default: false
+    },
     source: {
       type: "string",
       description: "Use a specific client as source of truth (claude-desktop, cursor, vscode, windsurf)"
@@ -1620,58 +2506,64 @@ var sync_default = defineCommand8({
     }
   },
   async run({ args }) {
-    p6.intro(`${pc7.cyan("mcpman sync")}`);
+    p9.intro(`${pc11.cyan("mcpman sync")}`);
     const sourceClient = args.source;
     if (sourceClient && !VALID_CLIENTS.includes(sourceClient)) {
-      p6.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
+      p9.log.error(`Invalid --source "${sourceClient}". Must be one of: ${VALID_CLIENTS.join(", ")}`);
       process.exit(1);
     }
-    const spinner5 = p6.spinner();
+    const spinner5 = p9.spinner();
     spinner5.start("Detecting clients and reading configs...");
     const { configs, handlers } = await getClientConfigs();
     spinner5.stop(`Found ${configs.size} client(s)`);
     if (configs.size === 0) {
-      p6.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
+      p9.log.warn("No AI clients detected. Install Claude Desktop, Cursor, VS Code, or Windsurf first.");
       process.exit(0);
     }
+    const diffOptions = { remove: args.remove };
     let actions;
     if (sourceClient) {
       if (!configs.has(sourceClient)) {
-        p6.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
+        p9.log.error(`Source client "${sourceClient}" is not detected or its config is unreadable.`);
         process.exit(1);
       }
-      p6.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
-      actions = computeDiffFromClient(sourceClient, configs);
+      p9.log.info(`Using ${CLIENT_DISPLAY3[sourceClient]} as source of truth`);
+      actions = computeDiffFromClient(sourceClient, configs, diffOptions);
     } else {
       const lockfile = readLockfile();
-      actions = computeDiff(lockfile, configs);
+      actions = computeDiff(lockfile, configs, diffOptions);
     }
     printDiffTable(actions);
     const addCount = actions.filter((a) => a.action === "add").length;
     const extraCount = actions.filter((a) => a.action === "extra").length;
-    if (addCount === 0 && extraCount === 0) {
-      p6.outro(pc7.green("All clients are in sync."));
+    const removeCount = actions.filter((a) => a.action === "remove").length;
+    if (addCount === 0 && removeCount === 0 && extraCount === 0) {
+      p9.outro(pc11.green("All clients are in sync."));
       process.exit(0);
     }
     const parts = [];
-    if (addCount > 0) parts.push(pc7.green(`${addCount} to add`));
-    if (extraCount > 0) parts.push(pc7.yellow(`${extraCount} extra (informational)`));
-    p6.log.info(parts.join("  \xB7  "));
+    if (addCount > 0) parts.push(pc11.green(`${addCount} to add`));
+    if (removeCount > 0) parts.push(pc11.red(`${removeCount} to remove`));
+    if (extraCount > 0) parts.push(pc11.yellow(`${extraCount} extra (informational)`));
+    p9.log.info(parts.join("  \xB7  "));
     if (args["dry-run"]) {
-      p6.outro(pc7.dim("Dry run \u2014 no changes applied."));
+      p9.outro(pc11.dim("Dry run \u2014 no changes applied."));
       process.exit(1);
     }
-    if (addCount === 0) {
-      p6.outro(pc7.dim("No additions needed. Extra servers left untouched."));
+    if (addCount === 0 && removeCount === 0) {
+      p9.outro(pc11.dim("No additions needed. Extra servers left untouched."));
       process.exit(1);
     }
     if (!args.yes) {
-      const confirmed = await p6.confirm({
-        message: `Apply ${addCount} addition(s) to client configs?`,
+      const actionParts = [];
+      if (addCount > 0) actionParts.push(`${addCount} addition(s)`);
+      if (removeCount > 0) actionParts.push(`${removeCount} removal(s)`);
+      const confirmed = await p9.confirm({
+        message: `Apply ${actionParts.join(" and ")} to client configs?`,
         initialValue: true
       });
-      if (p6.isCancel(confirmed) || !confirmed) {
-        p6.outro(pc7.dim("Cancelled \u2014 no changes applied."));
+      if (p9.isCancel(confirmed) || !confirmed) {
+        p9.outro(pc11.dim("Cancelled \u2014 no changes applied."));
         process.exit(0);
       }
     }
@@ -1679,195 +2571,80 @@ var sync_default = defineCommand8({
     const result = await applySyncActions(actions, handlers);
     spinner5.stop("Done");
     if (result.applied > 0) {
-      p6.log.success(`Added ${result.applied} server(s) to client configs.`);
+      p9.log.success(`Added ${result.applied} server(s) to client configs.`);
+    }
+    if (result.removed > 0) {
+      p9.log.success(`Removed ${result.removed} server(s) from client configs.`);
     }
     if (result.failed > 0) {
       for (const e of result.errors) {
-        p6.log.error(`Failed to add "${e.server}" to ${e.client}: ${e.error}`);
+        p9.log.error(`Failed to sync "${e.server}" on ${e.client}: ${e.error}`);
       }
     }
-    p6.outro(result.failed === 0 ? pc7.green("Sync complete.") : pc7.yellow("Sync complete with errors."));
+    p9.outro(result.failed === 0 ? pc11.green("Sync complete.") : pc11.yellow("Sync complete with errors."));
     process.exit(result.failed > 0 ? 1 : 0);
   }
 });
 function printDiffTable(actions) {
   if (actions.length === 0) {
-    p6.log.info("No actions to display.");
+    p9.log.info("No actions to display.");
     return;
   }
   const nameWidth = Math.max(6, ...actions.map((a) => a.server.length));
   const clientWidth = Math.max(6, ...actions.map((a) => CLIENT_DISPLAY3[a.client]?.length ?? a.client.length));
-  const header = `  ${pad2("SERVER", nameWidth)}  ${pad2("CLIENT", clientWidth)}  STATUS`;
-  console.log(pc7.dim(header));
-  console.log(pc7.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
+  const header = `  ${pad3("SERVER", nameWidth)}  ${pad3("CLIENT", clientWidth)}  STATUS`;
+  console.log(pc11.dim(header));
+  console.log(pc11.dim(`  ${"-".repeat(nameWidth)}  ${"-".repeat(clientWidth)}  ------`));
   for (const action of actions) {
     const clientDisplay = CLIENT_DISPLAY3[action.client] ?? action.client;
     const [icon, statusText] = formatAction(action.action);
-    console.log(`  ${pad2(action.server, nameWidth)}  ${pad2(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
+    console.log(`  ${pad3(action.server, nameWidth)}  ${pad3(clientDisplay, clientWidth)}  ${icon} ${statusText}`);
   }
   console.log("");
 }
 function formatAction(action) {
   switch (action) {
     case "add":
-      return [pc7.green("+"), pc7.green("missing \u2014 will add")];
+      return [pc11.green("+"), pc11.green("missing \u2014 will add")];
     case "extra":
-      return [pc7.yellow("?"), pc7.yellow("extra (not in lockfile)")];
+      return [pc11.yellow("?"), pc11.yellow("extra (not in lockfile)")];
+    case "remove":
+      return [pc11.red("\u2013"), pc11.red("extra \u2014 will remove")];
     case "ok":
-      return [pc7.dim("\xB7"), pc7.dim("in sync")];
+      return [pc11.dim("\xB7"), pc11.dim("in sync")];
   }
 }
-function pad2(s, width) {
+function pad3(s, width) {
   return s.length >= width ? s : s + " ".repeat(width - s.length);
 }
 
 // src/commands/update.ts
-import { defineCommand as defineCommand9 } from "citty";
-import * as p7 from "@clack/prompts";
-import pc9 from "picocolors";
-
-// src/core/version-checker.ts
-function compareVersions(a, b) {
-  const aParts = a.replace(/^v/, "").split(".").map(Number);
-  const bParts = b.replace(/^v/, "").split(".").map(Number);
-  const len = Math.max(aParts.length, bParts.length);
-  for (let i = 0; i < len; i++) {
-    const aN = aParts[i] ?? 0;
-    const bN = bParts[i] ?? 0;
-    if (Number.isNaN(aN) || Number.isNaN(bN)) return 0;
-    if (aN < bN) return -1;
-    if (aN > bN) return 1;
-  }
-  return 0;
-}
-function detectUpdateType(current, latest) {
-  const cParts = current.replace(/^v/, "").split(".").map(Number);
-  const lParts = latest.replace(/^v/, "").split(".").map(Number);
-  if ((lParts[0] ?? 0) > (cParts[0] ?? 0)) return "major";
-  if ((lParts[1] ?? 0) > (cParts[1] ?? 0)) return "minor";
-  return "patch";
-}
-async function fetchNpmLatest(packageName) {
-  try {
-    const res = await fetch(
-      `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchSmitheryLatest(name) {
-  try {
-    const res = await fetch(
-      `https://registry.smithery.ai/servers/${encodeURIComponent(name)}`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.version === "string" ? data.version : null;
-  } catch {
-    return null;
-  }
-}
-async function fetchGithubLatest(resolved) {
-  const match = resolved.match(/github\.com\/([^/]+)\/([^/]+)/);
-  if (!match) return null;
-  const [, owner, repo] = match;
-  try {
-    const res = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/releases/latest`,
-      {
-        headers: { Accept: "application/json" },
-        signal: AbortSignal.timeout(8e3)
-      }
-    );
-    if (!res.ok) return null;
-    const data = await res.json();
-    return typeof data.tag_name === "string" ? data.tag_name.replace(/^v/, "") : null;
-  } catch {
-    return null;
-  }
-}
-async function checkVersion(name, lockEntry) {
-  const current = lockEntry.version;
-  let latest = null;
-  if (lockEntry.source === "npm") {
-    latest = await fetchNpmLatest(name);
-  } else if (lockEntry.source === "smithery") {
-    latest = await fetchSmitheryLatest(name);
-  } else if (lockEntry.source === "github") {
-    latest = await fetchGithubLatest(lockEntry.resolved);
-  }
-  if (!latest || latest === current) {
-    return {
-      server: name,
-      source: lockEntry.source,
-      currentVersion: current,
-      latestVersion: latest ?? current,
-      hasUpdate: false
-    };
-  }
-  const hasUpdate = compareVersions(current, latest) === -1;
-  return {
-    server: name,
-    source: lockEntry.source,
-    currentVersion: current,
-    latestVersion: latest,
-    hasUpdate,
-    updateType: hasUpdate ? detectUpdateType(current, latest) : void 0
-  };
-}
-async function checkAllVersions(lockfile) {
-  const entries = Object.entries(lockfile.servers);
-  if (entries.length === 0) return [];
-  const results = [];
-  const executing = /* @__PURE__ */ new Set();
-  for (const [name, entry] of entries) {
-    const p8 = checkVersion(name, entry).then((r) => {
-      results.push(r);
-      executing.delete(p8);
-    });
-    executing.add(p8);
-    if (executing.size >= 5) {
-      await Promise.race(executing);
-    }
-  }
-  await Promise.all(executing);
-  return results;
-}
+import { defineCommand as defineCommand13 } from "citty";
+import * as p10 from "@clack/prompts";
+import pc13 from "picocolors";
 
 // src/core/update-notifier.ts
-import fs3 from "fs";
-import path4 from "path";
+import fs4 from "fs";
+import path5 from "path";
 import os3 from "os";
-import pc8 from "picocolors";
-var CACHE_FILE = path4.join(os3.homedir(), ".mcpman", ".update-check");
+import pc12 from "picocolors";
+var CACHE_FILE = path5.join(os3.homedir(), ".mcpman", ".update-check");
 var TTL_MS = 24 * 60 * 60 * 1e3;
 function writeUpdateCache(data) {
   try {
-    const dir = path4.dirname(CACHE_FILE);
-    if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+    const dir = path5.dirname(CACHE_FILE);
+    if (!fs4.existsSync(dir)) fs4.mkdirSync(dir, { recursive: true });
     const tmp = `${CACHE_FILE}.tmp`;
-    fs3.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
-    fs3.renameSync(tmp, CACHE_FILE);
+    fs4.writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
+    fs4.renameSync(tmp, CACHE_FILE);
   } catch {
   }
 }
 
 // src/commands/update.ts
-async function loadClients2() {
+async function loadClients3() {
   try {
-    const mod = await import("./client-detector-SUIJSIYM.js");
+    const mod = await import("./client-detector-UAP2EYZA.js");
     return mod.getInstalledClients();
   } catch {
     return [];
@@ -1882,19 +2659,19 @@ function printTable(updates) {
     "LATEST".padEnd(VER_W),
     "STATUS"
   ].join("  ");
-  console.log(pc9.bold(`
+  console.log(pc13.bold(`
   ${header}`));
-  console.log(pc9.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
+  console.log(pc13.dim(`  ${"\u2500".repeat(NAME_W + VER_W * 2 + 20)}`));
   for (const u of updates) {
     const nameCol = u.server.slice(0, NAME_W).padEnd(NAME_W);
     const curCol = u.currentVersion.padEnd(VER_W);
     const latCol = u.latestVersion.padEnd(VER_W);
-    const statusCol = u.hasUpdate ? pc9.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : pc9.green("Up to date");
+    const statusCol = u.hasUpdate ? pc13.yellow(`Update available${u.updateType ? ` [${u.updateType}]` : ""}`) : pc13.green("Up to date");
     console.log(`  ${nameCol}  ${curCol}  ${latCol}  ${statusCol}`);
   }
   console.log();
 }
-var update_default = defineCommand9({
+var update_default = defineCommand13({
   meta: {
     name: "update",
     description: "Check for and apply updates to installed MCP servers"
@@ -1933,7 +2710,7 @@ var update_default = defineCommand9({
       }
       process.exit(1);
     }
-    const spinner5 = p7.spinner();
+    const spinner5 = p10.spinner();
     spinner5.start("Checking versions...");
     let updates;
     try {
@@ -1955,70 +2732,50 @@ var update_default = defineCommand9({
     printTable(updates);
     const outdated = updates.filter((u) => u.hasUpdate);
     if (outdated.length === 0) {
-      console.log(pc9.green("  All servers are up to date."));
+      console.log(pc13.green("  All servers are up to date."));
       return;
     }
     if (args.check) {
-      console.log(pc9.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
+      console.log(pc13.yellow(`  ${outdated.length} update(s) available. Run mcpman update to apply.`));
       return;
     }
     if (!args.yes) {
-      const confirmed = await p7.confirm({
+      const confirmed = await p10.confirm({
         message: `Apply ${outdated.length} update(s)?`,
         initialValue: true
       });
-      if (p7.isCancel(confirmed) || !confirmed) {
-        p7.outro("Cancelled.");
+      if (p10.isCancel(confirmed) || !confirmed) {
+        p10.outro("Cancelled.");
         return;
       }
     }
-    const clients = await loadClients2();
+    const clients = await loadClients3();
     let successCount = 0;
     for (const update of outdated) {
-      const lockEntry = servers[update.server];
-      const input = lockEntry.source === "smithery" ? `smithery:${update.server}` : lockEntry.source === "github" ? lockEntry.resolved : update.server;
-      const s = p7.spinner();
+      const s = p10.spinner();
       s.start(`Updating ${update.server}...`);
-      try {
-        const metadata = await resolveServer(input);
-        const integrity = computeIntegrity(metadata.resolved);
-        addEntry(update.server, {
-          ...lockEntry,
-          version: metadata.version,
-          resolved: metadata.resolved,
-          integrity,
-          command: metadata.command,
-          args: metadata.args,
-          installedAt: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        const entryClients = clients.filter(
-          (c) => lockEntry.clients.includes(c.type)
-        );
-        for (const client of entryClients) {
-          try {
-            await client.addServer(update.server, {
-              command: metadata.command,
-              args: metadata.args
-            });
-          } catch {
-          }
-        }
-        s.stop(`${pc9.green("\u2713")} ${update.server}: ${update.currentVersion} \u2192 ${metadata.version}`);
+      const result = await applyServerUpdate(
+        update.server,
+        servers[update.server],
+        clients
+      );
+      if (result.success) {
+        s.stop(`${pc13.green("\u2713")} ${update.server}: ${result.fromVersion} \u2192 ${result.toVersion}`);
         successCount++;
-      } catch (err) {
-        s.stop(`${pc9.red("\u2717")} ${update.server}: ${err instanceof Error ? err.message : String(err)}`);
+      } else {
+        s.stop(`${pc13.red("\u2717")} ${update.server}: ${result.error}`);
       }
     }
     const freshLockfile = readLockfile(resolveLockfilePath());
     const freshUpdates = await checkAllVersions(freshLockfile);
     writeUpdateCache({ lastCheck: (/* @__PURE__ */ new Date()).toISOString(), updates: freshUpdates });
-    p7.outro(`${successCount} of ${outdated.length} server(s) updated.`);
+    p10.outro(`${successCount} of ${outdated.length} server(s) updated.`);
   }
 });
 
 // src/utils/constants.ts
 var APP_NAME = "mcpman";
-var APP_VERSION = "0.2.0";
+var APP_VERSION = "0.4.0";
 var APP_DESCRIPTION = "The package manager for MCP servers";
 
 // src/index.ts
@@ -2026,7 +2783,7 @@ process.on("SIGINT", () => {
   console.log("\nAborted.");
   process.exit(130);
 });
-var main = defineCommand10({
+var main = defineCommand14({
   meta: {
     name: APP_NAME,
     version: APP_VERSION,
@@ -2041,7 +2798,11 @@ var main = defineCommand10({
     secrets: secrets_default,
     sync: sync_default,
     audit: audit_default,
-    update: update_default
+    update: update_default,
+    config: config_default,
+    search: search_default,
+    info: info_default,
+    run: run_default
   }
 });
 runMain(main);