mogmd 0.1.0

package/dist/bin.js

@@ -0,0 +1,1488 @@
+#!/usr/bin/env node
+
+// src/bin.ts
+import { program } from "commander";
+
+// src/commands/auth.ts
+import { Command } from "commander";
+import chalk2 from "chalk";
+import ora from "ora";
+import open from "open";
+
+// src/config.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var CONFIG_DIR = join(homedir(), ".config", "mog");
+var CREDENTIALS_FILE = join(CONFIG_DIR, "credentials.json");
+var API_BASE = process.env.MOG_API_URL ?? "https://api.mog.md";
+var APP_BASE = process.env.MOG_APP_URL ?? "https://mog.md";
+var LOCKFILE_NAME = "mog.lock.json";
+function readCredentials() {
+  try {
+    if (!existsSync(CREDENTIALS_FILE)) return null;
+    return JSON.parse(readFileSync(CREDENTIALS_FILE, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeCredentials(creds) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), { mode: 384 });
+}
+function clearCredentials() {
+  try {
+    if (existsSync(CREDENTIALS_FILE)) {
+      writeFileSync(CREDENTIALS_FILE, "{}");
+    }
+  } catch {
+  }
+}
+
+// src/api.ts
+var ApiError = class extends Error {
+  constructor(status, message, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "ApiError";
+  }
+};
+async function request(method, path, options = {}) {
+  const creds = readCredentials();
+  const token = options.token ?? creds?.token;
+  const headers = {};
+  if (token && !options.noAuth) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  let body;
+  if (options.multipart) {
+    body = options.multipart;
+  } else if (options.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+    body = JSON.stringify(options.body);
+  }
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 3e4);
+  let res;
+  try {
+    res = await fetch(`${API_BASE}${path}`, {
+      method,
+      headers,
+      body,
+      signal: controller.signal
+    });
+  } catch (err) {
+    if (err?.name === "AbortError") {
+      throw new ApiError(408, "Request timed out (30s)");
+    }
+    throw err;
+  } finally {
+    clearTimeout(timeout);
+  }
+  const data = await res.json().catch(() => ({ error: res.statusText }));
+  if (!res.ok) {
+    if (res.status === 401) {
+      throw new ApiError(
+        401,
+        "Your session has expired or is invalid. Run `mog auth` to sign in again.",
+        data
+      );
+    }
+    throw new ApiError(res.status, data.error ?? res.statusText, data);
+  }
+  return data;
+}
+var api = {
+  get: (path) => request("GET", path),
+  post: (path, body) => request("POST", path, { body }),
+  postNoAuth: (path, body) => request("POST", path, { body, noAuth: true }),
+  patch: (path, body) => request("PATCH", path, { body }),
+  upload: (path, form) => request("POST", path, { multipart: form })
+};
+
+// src/output.ts
+import chalk from "chalk";
+var jsonMode = false;
+function setJsonMode(val) {
+  jsonMode = val;
+}
+var EXIT = {
+  SUCCESS: 0,
+  ERROR: 1,
+  APPROVAL_REQUIRED: 2
+};
+function output(envelope) {
+  if (jsonMode) {
+    process.stdout.write(JSON.stringify(envelope) + "\n");
+  }
+  process.exit(envelope.ok ? EXIT.SUCCESS : envelope.approvalUrl ? EXIT.APPROVAL_REQUIRED : EXIT.ERROR);
+}
+function success(command, data) {
+  if (jsonMode) {
+    output({ ok: true, command, data, errors: [], approvalUrl: null });
+  }
+  process.exit(EXIT.SUCCESS);
+}
+function fail(command, message, approvalUrl) {
+  if (jsonMode) {
+    output({
+      ok: false,
+      command,
+      errors: [message],
+      approvalUrl: approvalUrl ?? null
+    });
+  }
+  console.error(chalk.red(`\u2717 ${message}`));
+  if (approvalUrl) {
+    console.error(chalk.yellow(`  Approval required: ${approvalUrl}`));
+  }
+  process.exit(approvalUrl ? EXIT.APPROVAL_REQUIRED : EXIT.ERROR);
+}
+function info(msg) {
+  if (!jsonMode) console.log(msg);
+}
+function warn(msg) {
+  if (!jsonMode) console.warn(chalk.yellow(`\u26A0 ${msg}`));
+}
+
+// src/commands/auth.ts
+function sleep(ms) {
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+function decodeTokenPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8");
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+function formatTimeRemaining(ms) {
+  if (ms <= 0) return "expired";
+  const days = Math.floor(ms / (1e3 * 60 * 60 * 24));
+  const hours = Math.floor(ms % (1e3 * 60 * 60 * 24) / (1e3 * 60 * 60));
+  if (days > 0) return `${days}d ${hours}h remaining`;
+  const minutes = Math.floor(ms % (1e3 * 60 * 60) / (1e3 * 60));
+  if (hours > 0) return `${hours}h ${minutes}m remaining`;
+  return `${minutes}m remaining`;
+}
+var authCommand = new Command("auth").description("Authenticate with the mog marketplace").option("--logout", "Log out and remove stored credentials").option("--status", "Show current auth status").option("--force", "Re-authenticate even if already signed in").option("--json", "Output as JSON").action(async (opts) => {
+  if (opts.json) setJsonMode(true);
+  if (opts.logout) {
+    clearCredentials();
+    info(chalk2.green("\u2713 Logged out"));
+    success("auth", { loggedOut: true });
+    return;
+  }
+  if (opts.status) {
+    const creds = readCredentials();
+    if (creds?.token) {
+      const payload = decodeTokenPayload(creds.token);
+      const exp = payload?.exp;
+      const sub = payload?.sub;
+      const scopes = payload?.scopes;
+      if (exp) {
+        const expiresAt = new Date(exp * 1e3);
+        const remaining = expiresAt.getTime() - Date.now();
+        if (remaining <= 0) {
+          info(chalk2.yellow("\u26A0 Token expired. Run `mog auth` to sign in again."));
+          success("auth", { authenticated: false, expired: true });
+        } else {
+          info(chalk2.green("\u2713 Authenticated"));
+          info(`  Expires: ${expiresAt.toLocaleDateString("en-US", { month: "long", day: "numeric", year: "numeric" })} (${formatTimeRemaining(remaining)})`);
+          if (scopes) info(`  Scopes:  ${scopes.join(", ")}`);
+          success("auth", {
+            authenticated: true,
+            userId: sub,
+            scopes,
+            expiresAt: expiresAt.toISOString(),
+            remainingMs: remaining,
+            issuedAt: creds.issuedAt
+          });
+        }
+      } else {
+        info(chalk2.green("\u2713 Authenticated"));
+        success("auth", { authenticated: true, issuedAt: creds.issuedAt });
+      }
+    } else {
+      info(chalk2.yellow("Not authenticated. Run: mog auth"));
+      success("auth", { authenticated: false });
+    }
+    return;
+  }
+  const existing = readCredentials();
+  if (existing?.token && !opts.force) {
+    const payload = decodeTokenPayload(existing.token);
+    const exp = payload?.exp;
+    const isExpired = exp ? exp * 1e3 < Date.now() : false;
+    if (isExpired) {
+      info(chalk2.yellow("\u26A0 Your token has expired. Starting re-authentication..."));
+    } else {
+      info(chalk2.green("\u2713 Already authenticated. Use --force to re-authenticate, or --logout to sign out."));
+      success("auth", { authenticated: true });
+      return;
+    }
+  }
+  const spinner = ora("Requesting device code...").start();
+  let deviceData;
+  try {
+    deviceData = await api.postNoAuth("/v1/auth/device/start");
+    spinner.stop();
+  } catch (err) {
+    spinner.fail("Failed to connect to mog API");
+    fail("auth", String(err));
+    return;
+  }
+  console.log();
+  console.log(chalk2.bold("To authenticate, visit:"));
+  console.log(chalk2.cyan(`  ${deviceData.verificationUri}`));
+  console.log();
+  console.log(chalk2.bold("Enter code:"), chalk2.yellow.bold(deviceData.userCode));
+  console.log();
+  try {
+    await open(deviceData.verificationUri);
+    info(chalk2.dim("(Opened in browser)"));
+  } catch {
+  }
+  const pollSpinner = ora("Waiting for approval...").start();
+  const deadline = Date.now() + deviceData.expiresIn * 1e3;
+  while (Date.now() < deadline) {
+    await sleep(deviceData.interval * 1e3);
+    try {
+      const result = await api.postNoAuth("/v1/auth/device/poll", {
+        deviceCode: deviceData.deviceCode
+      });
+      if (result.status === "approved" && result.token) {
+        pollSpinner.succeed(chalk2.green("Authenticated!"));
+        writeCredentials({ token: result.token, issuedAt: (/* @__PURE__ */ new Date()).toISOString() });
+        info(chalk2.green("\n\u2713 You are now signed in to mog.md"));
+        success("auth", { authenticated: true });
+        return;
+      }
+      if (result.status === "expired") {
+        pollSpinner.fail("Code expired");
+        fail("auth", "Authentication timed out. Please try again.");
+        return;
+      }
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 400) {
+        pollSpinner.fail("Code expired");
+        fail("auth", "Authentication timed out. Please try again.");
+        return;
+      }
+    }
+  }
+  pollSpinner.fail("Timed out");
+  fail("auth", "Authentication timed out.");
+});
+
+// src/commands/search.ts
+import { Command as Command2 } from "commander";
+import chalk3 from "chalk";
+
+// ../../packages/shared/dist/schemas/mog-yaml.js
+import { z } from "zod";
+var PackageTypeSchema = z.enum(["skill", "rule", "bundle", "template", "mcp"]);
+var TargetSchema = z.enum(["cursor", "claude-code", "codex", "gemini-cli", "windsurf", "generic"]);
+var InstallMapSchema = z.object({
+  cursor: z.string().optional(),
+  "claude-code": z.string().optional(),
+  codex: z.string().optional(),
+  "gemini-cli": z.string().optional(),
+  windsurf: z.string().optional(),
+  generic: z.string().optional()
+});
+var McpEnvVarSchema = z.object({
+  name: z.string().min(1).max(128).regex(/^[A-Z_][A-Z0-9_]*$/, "Must be an uppercase env var name (e.g. GITHUB_TOKEN)"),
+  description: z.string().max(512).optional(),
+  required: z.boolean().default(true),
+  secret: z.boolean().default(false)
+});
+var McpConfigSchema = z.object({
+  transport: z.enum(["stdio", "http"]).default("stdio"),
+  command: z.string().min(1).max(256),
+  args: z.array(z.string().max(512)).default([]),
+  env: z.array(McpEnvVarSchema).max(50).optional(),
+  // http transport only
+  url: z.string().url().optional(),
+  headers: z.record(z.string(), z.string()).optional()
+});
+var MogYamlSourceSchema = z.object({
+  url: z.string().url().optional(),
+  provider: z.string().max(128).optional(),
+  stars: z.number().int().nonnegative().optional()
+});
+var MogYamlSchema = z.object({
+  name: z.string().min(1).max(128).regex(/^[a-z0-9-]+\/[a-z0-9-]+$/, "Must be in format vendor/package-name (lowercase letters, numbers, hyphens)"),
+  version: z.string().regex(/^\d+\.\d+\.\d+$/, "Must be a valid semver (e.g. 1.0.0)"),
+  type: PackageTypeSchema,
+  description: z.string().min(1).max(1024),
+  targets: z.array(TargetSchema).min(1),
+  install_map: InstallMapSchema.optional(),
+  entrypoint: z.string().optional(),
+  requires: z.object({
+    tools: z.array(z.string()).optional()
+  }).optional(),
+  license: z.string().optional().default("MIT"),
+  readme: z.string().optional(),
+  mcp: McpConfigSchema.optional(),
+  source: MogYamlSourceSchema.optional()
+}).superRefine((data, ctx) => {
+  if (data.type === "mcp" && !data.mcp) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'mcp field is required when type is "mcp"',
+      path: ["mcp"]
+    });
+  }
+  if (data.type !== "mcp" && data.mcp) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'mcp field is only allowed when type is "mcp"',
+      path: ["mcp"]
+    });
+  }
+  if (data.mcp?.transport === "http" && !data.mcp.url) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'mcp.url is required when transport is "http"',
+      path: ["mcp", "url"]
+    });
+  }
+  if (data.mcp?.transport === "stdio" && !data.mcp.command) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'mcp.command is required when transport is "stdio"',
+      path: ["mcp", "command"]
+    });
+  }
+});
+
+// ../../packages/shared/dist/schemas/lockfile.js
+import { z as z2 } from "zod";
+var LockfileEntrySchema = z2.object({
+  name: z2.string(),
+  vendor: z2.string(),
+  slug: z2.string(),
+  version: z2.string(),
+  listingId: z2.string().uuid(),
+  releaseId: z2.string().uuid(),
+  entitlementId: z2.string().uuid(),
+  installedAt: z2.string().datetime(),
+  target: z2.string(),
+  installPath: z2.string(),
+  archiveSha256: z2.string(),
+  files: z2.array(z2.object({
+    path: z2.string(),
+    sha256: z2.string(),
+    size: z2.number()
+  })),
+  updateChannel: z2.enum(["patch", "minor", "major"]).default("minor"),
+  // For MCP packages: tracks which client config files were written
+  installType: z2.enum(["files", "mcp-config"]).default("files"),
+  mcpConfigPaths: z2.array(z2.string()).optional()
+});
+var LockfileSchema = z2.object({
+  version: z2.literal(1),
+  lockfileVersion: z2.string().default("1.0.0"),
+  generatedAt: z2.string().datetime(),
+  packages: z2.record(z2.string(), LockfileEntrySchema)
+});
+
+// ../../packages/shared/dist/schemas/api.js
+import { z as z3 } from "zod";
+var DeviceStartResponseSchema = z3.object({
+  deviceCode: z3.string(),
+  userCode: z3.string(),
+  verificationUri: z3.string().url(),
+  expiresIn: z3.number(),
+  interval: z3.number()
+});
+var DevicePollRequestSchema = z3.object({
+  deviceCode: z3.string()
+});
+var DevicePollResponseSchema = z3.discriminatedUnion("status", [
+  z3.object({ status: z3.literal("authorization_pending") }),
+  z3.object({ status: z3.literal("expired") }),
+  z3.object({
+    status: z3.literal("approved"),
+    token: z3.string(),
+    tokenType: z3.literal("Bearer"),
+    expiresIn: z3.number()
+  })
+]);
+var ListingSchema = z3.object({
+  id: z3.string().uuid(),
+  vendorSlug: z3.string(),
+  slug: z3.string(),
+  title: z3.string(),
+  description: z3.string(),
+  type: PackageTypeSchema,
+  tags: z3.array(z3.string()),
+  targets: z3.array(TargetSchema),
+  priceCents: z3.number(),
+  currency: z3.string().default("usd"),
+  latestVersion: z3.string().nullable(),
+  installCount: z3.number().default(0),
+  rating: z3.number().nullable(),
+  ratingCount: z3.number().default(0),
+  createdAt: z3.string().datetime()
+});
+var SearchResponseSchema = z3.object({
+  results: z3.array(ListingSchema),
+  total: z3.number(),
+  page: z3.number(),
+  perPage: z3.number()
+});
+var PurchaseRequestSchema = z3.object({
+  listingId: z3.string().uuid(),
+  releaseId: z3.string().uuid().optional(),
+  maxPriceCents: z3.number().optional()
+});
+var PurchaseResponseSchema = z3.discriminatedUnion("status", [
+  z3.object({
+    status: z3.literal("purchased"),
+    entitlementId: z3.string().uuid(),
+    orderId: z3.string().uuid(),
+    amountCents: z3.number()
+  }),
+  z3.object({
+    status: z3.literal("already_owned"),
+    entitlementId: z3.string().uuid()
+  }),
+  z3.object({
+    status: z3.literal("approval_required"),
+    approvalUrl: z3.string().url(),
+    reason: z3.string()
+  })
+]);
+var DownloadTokenRequestSchema = z3.object({
+  releaseId: z3.string().uuid()
+});
+var DownloadTokenResponseSchema = z3.object({
+  url: z3.string().url(),
+  sha256: z3.string(),
+  expiresAt: z3.string().datetime()
+});
+var EntitlementSchema = z3.object({
+  id: z3.string().uuid(),
+  listingId: z3.string().uuid(),
+  releaseId: z3.string().uuid(),
+  vendorSlug: z3.string(),
+  listingSlug: z3.string(),
+  version: z3.string(),
+  grantedAt: z3.string().datetime()
+});
+
+// ../../packages/shared/dist/index.js
+var MIN_PRICE_CENTS = 99;
+var MAX_PRICE_CENTS = 5e4;
+function resolveInstallPath(installMap, target, slug) {
+  const defaults = {
+    cursor: ".cursor/skills/{slug}/",
+    "claude-code": ".claude/skills/{slug}/",
+    codex: "mog_modules/{slug}/",
+    "gemini-cli": ".gemini/skills/{slug}/",
+    windsurf: ".windsurf/skills/{slug}/",
+    generic: "mog_modules/{slug}/"
+  };
+  const template = installMap?.[target] ?? defaults[target] ?? "mog_modules/{slug}/";
+  return template.replace("{slug}", slug).replace("{name}", slug);
+}
+function formatPrice(cents, currency = "usd") {
+  if (cents === 0)
+    return "Free";
+  return new Intl.NumberFormat("en-US", {
+    style: "currency",
+    currency: currency.toUpperCase()
+  }).format(cents / 100);
+}
+
+// src/commands/search.ts
+var searchCommand = new Command2("search").description("Search the mog marketplace").argument("[query]", "Search query").option("--type <type>", "Filter by type: skill, rule, bundle, template").option("--target <target>", "Filter by target: cursor, claude-code, codex, generic").option("--sort <sort>", "Sort by: popular, recent, price_asc, price_desc", "popular").option("--free", "Show only free packages").option("--page <n>", "Page number", "1").option("--json", "Output as JSON").action(
+  async (query, opts) => {
+    if (opts.json) setJsonMode(true);
+    const params = new URLSearchParams();
+    if (query) params.set("q", query);
+    if (opts.type) params.set("type", opts.type);
+    if (opts.target) params.set("target", opts.target);
+    if (opts.sort) params.set("sort", opts.sort);
+    if (opts.free) params.set("free", "true");
+    if (opts.page) params.set("page", opts.page);
+    let data;
+    try {
+      data = await api.get(`/v1/search?${params.toString()}`);
+    } catch (err) {
+      fail("search", `Search failed: ${String(err)}`);
+    }
+    if (opts.json) {
+      success("search", data);
+    }
+    console.log(chalk3.dim(`${data.total} result${data.total !== 1 ? "s" : ""}
+`));
+    if (data.results.length === 0) {
+      info(chalk3.yellow("No results found. Try a different query or remove filters."));
+      process.exit(0);
+    }
+    for (const pkg of data.results) {
+      const price = formatPrice(pkg.priceCents, pkg.currency);
+      const verified = pkg.vendorVerified ? chalk3.blue(" \u2713") : "";
+      const rating = pkg.rating ? chalk3.yellow(` \u2605${pkg.rating}`) : "";
+      console.log(
+        chalk3.bold(`${pkg.vendorSlug}/${pkg.slug}`) + chalk3.dim(`@${pkg.latestVersion ?? "?"}`) + `  ${chalk3.green(price)}${rating}`
+      );
+      console.log(`  ${chalk3.cyan(pkg.type.padEnd(8))}  ${pkg.targets.join(", ")}  by ${pkg.vendorName}${verified}`);
+      console.log(`  ${chalk3.dim(pkg.description.slice(0, 90))}`);
+      console.log();
+    }
+    console.log(chalk3.dim(`Install with: mog install <vendor>/<package>`));
+    process.exit(0);
+  }
+);
+
+// src/commands/buy.ts
+import { Command as Command3 } from "commander";
+import chalk4 from "chalk";
+import ora2 from "ora";
+var buyCommand = new Command3("buy").description("Purchase a package from the mog marketplace").argument("<package>", "Package to buy (e.g. acme/router-eval)").option("--max-price <cents>", "Maximum price in cents to auto-approve").option("--auto", "Allow automatic purchase if within policy limits").option("--json", "Output as JSON").action(
+  async (pkg, opts) => {
+    if (opts.json) setJsonMode(true);
+    const creds = readCredentials();
+    if (!creds?.token) {
+      fail("buy", "Not authenticated. Run: mog auth");
+    }
+    const [vendor, slug] = pkg.split("/");
+    if (!vendor || !slug) {
+      fail("buy", `Invalid package format: "${pkg}". Expected: vendor/slug`);
+    }
+    let listing;
+    try {
+      listing = await api.get(`/v1/listings/${vendor}/${slug}`);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 404) {
+        fail("buy", `Package "${pkg}" not found`);
+      }
+      fail("buy", `Failed to fetch package: ${String(err)}`);
+    }
+    info(`
+${chalk4.bold(pkg)} \u2014 ${chalk4.green(formatPrice(listing.priceCents, listing.currency))}`);
+    info(`${chalk4.dim(listing.title)}
+`);
+    if (listing.priceCents === 0) {
+      info(chalk4.dim("Free package \u2014 no payment required"));
+    }
+    const spinner = ora2("Purchasing...").start();
+    const body = { listingId: listing.id };
+    if (opts.maxPrice) body.maxPriceCents = parseInt(opts.maxPrice, 10);
+    let result;
+    try {
+      result = await api.post("/v1/purchases", body);
+      spinner.stop();
+    } catch (err) {
+      spinner.stop();
+      if (err instanceof ApiError && err.status === 402) {
+        const body2 = err.body;
+        if (body2?.approvalUrl) {
+          fail("buy", body2.reason ?? "Human approval required", body2.approvalUrl);
+        }
+      }
+      fail("buy", `Purchase failed: ${String(err)}`);
+    }
+    if (result.status === "already_owned") {
+      spinner.stop();
+      info(chalk4.green(`\u2713 Already owned (entitlement: ${result.entitlementId})`));
+      success("buy", result);
+    }
+    if (result.status === "approval_required") {
+      spinner.stop();
+      fail("buy", result.reason ?? "Approval required", result.approvalUrl);
+    }
+    spinner.succeed(chalk4.green(`Purchased ${pkg}!`));
+    info(`  Entitlement: ${result.entitlementId}`);
+    if (result.amountCents && result.amountCents > 0) {
+      info(`  Charged: ${formatPrice(result.amountCents)}`);
+    }
+    info(chalk4.dim(`
+Install with: mog install ${pkg}`));
+    success("buy", result);
+  }
+);
+
+// src/commands/install.ts
+import { Command as Command4 } from "commander";
+import chalk5 from "chalk";
+import ora3 from "ora";
+import { createHash } from "crypto";
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync4, existsSync as existsSync4, rmSync } from "fs";
+import { join as join4, dirname as dirname3, resolve } from "path";
+import { createInterface } from "readline";
+import AdmZip from "adm-zip";
+import yaml from "js-yaml";
+
+// src/lockfile.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, renameSync } from "fs";
+import { join as join2 } from "path";
+function readLockfile(cwd = process.cwd()) {
+  const path = join2(cwd, LOCKFILE_NAME);
+  if (!existsSync2(path)) {
+    return {
+      version: 1,
+      lockfileVersion: "1.0.0",
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      packages: {}
+    };
+  }
+  const raw = JSON.parse(readFileSync2(path, "utf-8"));
+  const result = LockfileSchema.safeParse(raw);
+  if (!result.success) {
+    return raw;
+  }
+  return result.data;
+}
+function writeLockfile(lockfile, cwd = process.cwd()) {
+  const finalPath = join2(cwd, LOCKFILE_NAME);
+  const tmpPath = finalPath + ".tmp";
+  lockfile.generatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  writeFileSync2(tmpPath, JSON.stringify(lockfile, null, 2) + "\n");
+  renameSync(tmpPath, finalPath);
+}
+function addToLockfile(entry, cwd = process.cwd()) {
+  const lock = readLockfile(cwd);
+  const key = `${entry.vendor}/${entry.slug}`;
+  lock.packages[key] = entry;
+  writeLockfile(lock, cwd);
+}
+function removeFromLockfile(key, cwd = process.cwd()) {
+  const lock = readLockfile(cwd);
+  delete lock.packages[key];
+  writeLockfile(lock, cwd);
+}
+
+// src/mcp-config.ts
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync3 } from "fs";
+import { join as join3, dirname as dirname2 } from "path";
+import { homedir as homedir2, platform } from "os";
+function readJsonConfig(filePath) {
+  if (!existsSync3(filePath)) return { mcpServers: {} };
+  try {
+    const raw = JSON.parse(readFileSync3(filePath, "utf-8"));
+    if (typeof raw === "object" && raw !== null) {
+      return { mcpServers: {}, ...raw };
+    }
+  } catch {
+  }
+  return { mcpServers: {} };
+}
+function writeJsonConfig(filePath, config) {
+  mkdirSync2(dirname2(filePath), { recursive: true });
+  writeFileSync3(filePath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+}
+function upsertJsonMcpServer(filePath, serverName, entry) {
+  const config = readJsonConfig(filePath);
+  config.mcpServers = { ...config.mcpServers, [serverName]: entry };
+  writeJsonConfig(filePath, config);
+}
+function removeJsonMcpServer(filePath, serverName) {
+  if (!existsSync3(filePath)) return;
+  const config = readJsonConfig(filePath);
+  delete config.mcpServers[serverName];
+  writeJsonConfig(filePath, config);
+}
+function serializeTomlValue(value) {
+  if (typeof value === "string") return JSON.stringify(value);
+  if (typeof value === "number" || typeof value === "boolean") return String(value);
+  if (Array.isArray(value)) {
+    return "[" + value.map(serializeTomlValue).join(", ") + "]";
+  }
+  return JSON.stringify(value);
+}
+function buildCodexMcpSection(serverName, entry) {
+  const lines = [];
+  lines.push(`[mcp_servers.${serverName}]`);
+  if (entry.command) lines.push(`command = ${serializeTomlValue(entry.command)}`);
+  if (entry.args?.length) lines.push(`args = ${serializeTomlValue(entry.args)}`);
+  if (entry.url) lines.push(`url = ${serializeTomlValue(entry.url)}`);
+  if (entry.env && Object.keys(entry.env).length > 0) {
+    lines.push(`
+[mcp_servers.${serverName}.env]`);
+    for (const [k, v] of Object.entries(entry.env)) {
+      lines.push(`${k} = ${serializeTomlValue(v)}`);
+    }
+  }
+  if (entry.headers && Object.keys(entry.headers).length > 0) {
+    lines.push(`
+[mcp_servers.${serverName}.headers]`);
+    for (const [k, v] of Object.entries(entry.headers)) {
+      lines.push(`${k} = ${serializeTomlValue(v)}`);
+    }
+  }
+  return lines.join("\n");
+}
+function upsertTomlMcpServer(filePath, serverName, entry) {
+  mkdirSync2(dirname2(filePath), { recursive: true });
+  let existing = "";
+  if (existsSync3(filePath)) {
+    existing = readFileSync3(filePath, "utf-8");
+  }
+  existing = removeTomlSection(existing, serverName);
+  const newSection = buildCodexMcpSection(serverName, entry);
+  const separator = existing.endsWith("\n\n") ? "" : existing.length > 0 ? "\n\n" : "";
+  writeFileSync3(filePath, existing + separator + newSection + "\n", "utf-8");
+}
+function removeTomlSection(content, serverName) {
+  const sectionPattern = new RegExp(
+    `\\[mcp_servers\\.${escapeRegex(serverName)}\\](?:\\n(?!\\[)[^\\n]*)*\\n?`,
+    "g"
+  );
+  const subSectionPattern = new RegExp(
+    `\\[mcp_servers\\.${escapeRegex(serverName)}\\.[^\\]]+\\](?:\\n(?!\\[)[^\\n]*)*\\n?`,
+    "g"
+  );
+  return content.replace(sectionPattern, "").replace(subSectionPattern, "").replace(/\n{3,}/g, "\n\n");
+}
+function removeTomlMcpServer(filePath, serverName) {
+  if (!existsSync3(filePath)) return;
+  const content = readFileSync3(filePath, "utf-8");
+  const updated = removeTomlSection(content, serverName);
+  writeFileSync3(filePath, updated, "utf-8");
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function getMcpConfigPath(target, cwd) {
+  const home = homedir2();
+  switch (target) {
+    case "cursor":
+      return join3(cwd, ".cursor", "mcp.json");
+    case "claude-code":
+      return join3(cwd, ".mcp.json");
+    case "codex":
+      return join3(cwd, ".codex", "config.toml");
+    case "gemini-cli":
+      return join3(cwd, ".gemini", "settings.json");
+    case "windsurf": {
+      if (platform() === "win32") {
+        return join3(process.env.USERPROFILE ?? home, ".codeium", "windsurf", "mcp_config.json");
+      }
+      return join3(home, ".codeium", "windsurf", "mcp_config.json");
+    }
+    default:
+      return join3(cwd, ".mcp.json");
+  }
+}
+function upsertMcpServer(target, cwd, serverName, entry) {
+  const configPath = getMcpConfigPath(target, cwd);
+  if (target === "codex") {
+    upsertTomlMcpServer(configPath, serverName, entry);
+  } else {
+    upsertJsonMcpServer(configPath, serverName, entry);
+  }
+  return configPath;
+}
+function removeMcpServer(target, cwd, serverName) {
+  const configPath = getMcpConfigPath(target, cwd);
+  if (target === "codex") {
+    removeTomlMcpServer(configPath, serverName);
+  } else {
+    removeJsonMcpServer(configPath, serverName);
+  }
+}
+function mcpServerName(vendorSlug, packageSlug) {
+  return `${vendorSlug}-${packageSlug}`;
+}
+function interpolateMcpArgs(args, version) {
+  return args.map((a) => a.replace(/\{version\}/g, version));
+}
+
+// src/commands/install.ts
+function safeJoin(base, unsafePath) {
+  const resolved = resolve(base, unsafePath);
+  if (!resolved.startsWith(resolve(base) + "/") && resolved !== resolve(base)) {
+    throw new Error(`Path traversal detected: ${unsafePath}`);
+  }
+  return resolved;
+}
+function detectTarget() {
+  const cwd = process.cwd();
+  if (existsSync4(join4(cwd, ".cursor"))) return "cursor";
+  if (existsSync4(join4(cwd, ".claude"))) return "claude-code";
+  if (existsSync4(join4(cwd, ".windsurf"))) return "windsurf";
+  if (existsSync4(join4(cwd, ".gemini"))) return "gemini-cli";
+  if (existsSync4(join4(cwd, ".codex"))) return "codex";
+  return "generic";
+}
+async function promptEnvVar(varName, description) {
+  return new Promise((resolve3) => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const hint = description ? chalk5.dim(` (${description})`) : "";
+    rl.question(`  ${chalk5.cyan(varName)}${hint}: `, (answer) => {
+      rl.close();
+      resolve3(answer.trim());
+    });
+  });
+}
+async function collectEnvVars(envVarDefs, provided, interactive) {
+  const result = { ...provided };
+  for (const def of envVarDefs) {
+    if (result[def.name]) continue;
+    if (!def.required) continue;
+    if (!interactive) {
+      fail(
+        "install",
+        `Required env var ${def.name} not provided. Use --env ${def.name}=<value> to supply it non-interactively.`
+      );
+    }
+    const value = await promptEnvVar(def.name, def.description);
+    if (!value) {
+      fail("install", `${def.name} is required but was left blank.`);
+    }
+    result[def.name] = value;
+  }
+  return result;
+}
+async function downloadAndVerify(url, expectedSha256) {
+  const res = await fetch(url);
+  if (!res.ok) throw new Error(`Download failed: ${res.status} ${res.statusText}`);
+  const buffer = Buffer.from(await res.arrayBuffer());
+  const actual = createHash("sha256").update(buffer).digest("hex");
+  if (actual !== expectedSha256) {
+    throw new Error(`Hash mismatch! Expected ${expectedSha256}, got ${actual}`);
+  }
+  return buffer;
+}
+var installCommand = new Command4("install").description("Install a package from the mog marketplace").argument("<package>", "Package to install (e.g. acme/router-eval)").option("--target <target>", "Installation target: cursor, claude-code, codex, gemini-cli, windsurf, generic").option("--auto-buy", "Automatically purchase if not owned").option("--max-price <cents>", "Maximum price in cents when using --auto-buy").option("--preflight", "Show what would happen without making changes").option("--dir <path>", "Installation directory (default: current directory)").option("--env <KEY=VALUE>", "Set an env var for MCP packages (repeatable)", (v, prev) => [...prev, v], []).option("--json", "Output as JSON").action(
+  async (pkg, opts) => {
+    if (opts.json) setJsonMode(true);
+    const creds = readCredentials();
+    if (!creds?.token) {
+      fail("install", "Not authenticated. Run: mog auth");
+    }
+    const [vendor, slug] = pkg.split("/");
+    if (!vendor || !slug) {
+      fail("install", `Invalid package format: "${pkg}". Expected: vendor/slug`);
+    }
+    const cwd = opts.dir ?? process.cwd();
+    const target = opts.target ?? detectTarget();
+    info(chalk5.dim(`Target: ${target}`));
+    let listing;
+    try {
+      listing = await api.get(`/v1/listings/${vendor}/${slug}`);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 404) {
+        fail("install", `Package "${pkg}" not found`);
+      }
+      fail("install", `Failed to fetch package: ${String(err)}`);
+    }
+    if (!listing.targets.includes(target) && !listing.targets.includes("generic")) {
+      warn(`Package may not support target "${target}". Proceeding with generic install.`);
+    }
+    const releasesData = await api.get(
+      `/v1/listings/${vendor}/${slug}/releases`
+    );
+    const [latestRelease] = releasesData.releases;
+    if (!latestRelease) {
+      fail("install", "No published releases available");
+    }
+    const entCheck = await api.get(
+      `/v1/entitlements/${listing.id}`
+    ).catch(() => ({ owned: false, entitlement: void 0 }));
+    if (!entCheck.owned) {
+      if (!opts.autoBuy && listing.priceCents > 0) {
+        fail(
+          "install",
+          `You don't own "${pkg}". Purchase it first with: mog buy ${pkg}
+Or add --auto-buy to install and purchase in one step.`
+        );
+      }
+      const purchaseBody = {
+        listingId: listing.id,
+        releaseId: latestRelease.id
+      };
+      if (opts.maxPrice) purchaseBody.maxPriceCents = parseInt(opts.maxPrice, 10);
+      const buySpinner = ora3(listing.priceCents === 0 ? "Claiming free package..." : "Purchasing...").start();
+      let purchaseResult;
+      try {
+        purchaseResult = await api.post("/v1/purchases", purchaseBody);
+        buySpinner.stop();
+      } catch (err) {
+        buySpinner.stop();
+        if (err instanceof ApiError && err.status === 402) {
+          const body = err.body;
+          if (body?.approvalUrl) {
+            fail("install", body.reason ?? "Approval required", body.approvalUrl);
+          }
+        }
+        fail("install", `Purchase failed: ${String(err)}`);
+      }
+      if (purchaseResult.status === "approval_required") {
+        fail("install", purchaseResult.reason ?? "Approval required", purchaseResult.approvalUrl);
+      }
+    }
+    if (opts.preflight) {
+      const installPath2 = resolveInstallPath(void 0, target, `${vendor}/${slug}`);
+      info("\n" + chalk5.bold("Preflight plan:"));
+      info(`  Package:     ${pkg}@${latestRelease.version}`);
+      info(`  Target:      ${target}`);
+      info(`  Install to:  ${join4(cwd, installPath2)}`);
+      info(`  SHA-256:     ${latestRelease.archiveSha256}`);
+      info(`  Price:       ${listing.priceCents === 0 ? "Free" : `${listing.priceCents}\xA2`}
+`);
+      success("install", {
+        preflight: true,
+        package: pkg,
+        version: latestRelease.version,
+        target,
+        installPath: join4(cwd, installPath2),
+        sha256: latestRelease.archiveSha256
+      });
+    }
+    const downloadSpinner = ora3("Fetching download link...").start();
+    let downloadToken;
+    try {
+      downloadToken = await api.post("/v1/downloads", {
+        releaseId: latestRelease.id
+      });
+      downloadSpinner.stop();
+    } catch (err) {
+      downloadSpinner.stop();
+      fail("install", `Failed to get download URL: ${String(err)}`);
+    }
+    const dlSpinner = ora3("Downloading...").start();
+    let buffer;
+    try {
+      buffer = await downloadAndVerify(downloadToken.url, downloadToken.sha256);
+      dlSpinner.succeed(chalk5.dim(`Downloaded (${(buffer.length / 1024).toFixed(1)}KB)`));
+    } catch (err) {
+      dlSpinner.fail("Download failed");
+      fail("install", String(err));
+    }
+    const zip = new AdmZip(buffer);
+    const mogYamlEntry = zip.getEntries().find((e) => e.entryName === "mog.yaml" || e.entryName.endsWith("/mog.yaml"));
+    let manifest = null;
+    if (mogYamlEntry) {
+      const parsed = MogYamlSchema.safeParse(yaml.load(mogYamlEntry.getData().toString("utf-8")));
+      if (parsed.success) manifest = parsed.data;
+    }
+    if (manifest?.type === "mcp") {
+      const mcpConfig = manifest.mcp;
+      const serverKey = mcpServerName(vendor, slug);
+      const providedEnv = {};
+      for (const pair of opts.env ?? []) {
+        const eqIdx = pair.indexOf("=");
+        if (eqIdx < 1) {
+          warn(`Ignoring malformed --env value: "${pair}" (expected KEY=VALUE)`);
+          continue;
+        }
+        providedEnv[pair.slice(0, eqIdx)] = pair.slice(eqIdx + 1);
+      }
+      if (opts.preflight) {
+        info("\n" + chalk5.bold("Preflight plan (MCP server):"));
+        info(`  Package:    ${pkg}@${latestRelease.version}`);
+        info(`  Target:     ${target}`);
+        info(`  Server key: ${serverKey}`);
+        info(`  Command:    ${mcpConfig.command} ${mcpConfig.args?.join(" ") ?? ""}`);
+        if (mcpConfig.env?.length) {
+          info(`  Env vars:   ${mcpConfig.env.map((e) => `${e.name}${e.required ? "" : " (optional)"}`).join(", ")}`);
+        }
+        success("install", {
+          preflight: true,
+          package: pkg,
+          version: latestRelease.version,
+          target,
+          type: "mcp",
+          serverKey
+        });
+        return;
+      }
+      const isInteractive = process.stdin.isTTY && !opts.json;
+      if (mcpConfig.env?.length) {
+        info(chalk5.bold("\nEnvironment variables required for this MCP server:"));
+      }
+      const resolvedEnv = await collectEnvVars(mcpConfig.env ?? [], providedEnv, isInteractive);
+      const serverEntry = {
+        command: mcpConfig.transport === "stdio" ? mcpConfig.command : void 0,
+        args: mcpConfig.transport === "stdio" ? interpolateMcpArgs(mcpConfig.args ?? [], latestRelease.version) : void 0,
+        url: mcpConfig.transport === "http" ? mcpConfig.url : void 0,
+        headers: mcpConfig.transport === "http" ? mcpConfig.headers : void 0,
+        env: Object.keys(resolvedEnv).length > 0 ? resolvedEnv : void 0
+      };
+      const configSpinner = ora3(`Configuring MCP server for ${target}...`).start();
+      let configPath;
+      try {
+        configPath = upsertMcpServer(target, cwd, serverKey, serverEntry);
+        configSpinner.succeed(chalk5.green(`MCP server configured`));
+      } catch (err) {
+        configSpinner.fail("Failed to write MCP config");
+        fail("install", String(err));
+      }
+      addToLockfile({
+        name: pkg,
+        vendor,
+        slug,
+        version: latestRelease.version,
+        listingId: listing.id,
+        releaseId: latestRelease.id,
+        entitlementId: entCheck.entitlement?.id ?? "",
+        installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        target,
+        installPath: configPath,
+        archiveSha256: downloadToken.sha256,
+        files: [],
+        updateChannel: "minor",
+        installType: "mcp-config",
+        mcpConfigPaths: [configPath]
+      }, cwd);
+      info(chalk5.dim(`  \u2192 ${configPath}`));
+      info(chalk5.dim(`  Lockfile updated: mog.lock.json`));
+      info(chalk5.yellow(`  Restart your IDE for the MCP server to take effect.`));
+      success("install", {
+        package: pkg,
+        version: latestRelease.version,
+        target,
+        type: "mcp",
+        serverKey,
+        configPath
+      });
+      return;
+    }
+    const installPath = resolveInstallPath(
+      manifest?.install_map,
+      target,
+      slug
+    );
+    const fullInstallPath = join4(cwd, installPath);
+    const extractSpinner = ora3(`Installing to ${installPath}...`).start();
+    const extractedPaths = [];
+    try {
+      mkdirSync3(fullInstallPath, { recursive: true });
+      const files = [];
+      for (const entry of zip.getEntries()) {
+        if (entry.isDirectory) continue;
+        const data = entry.getData();
+        const hash = createHash("sha256").update(data).digest("hex");
+        const entryName = entry.entryName.replace(/^[^/]+\//, "");
+        const destPath = safeJoin(fullInstallPath, entryName);
+        mkdirSync3(dirname3(destPath), { recursive: true });
+        writeFileSync4(destPath, data);
+        extractedPaths.push(destPath);
+        files.push({ path: entryName, sha256: hash, size: data.length });
+      }
+      extractSpinner.succeed(chalk5.green(`Installed ${pkg}@${latestRelease.version}`));
+      try {
+        addToLockfile({
+          name: pkg,
+          vendor,
+          slug,
+          version: latestRelease.version,
+          listingId: listing.id,
+          releaseId: latestRelease.id,
+          entitlementId: entCheck.entitlement?.id ?? "",
+          installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          target,
+          installPath: fullInstallPath,
+          archiveSha256: downloadToken.sha256,
+          files,
+          updateChannel: "minor",
+          installType: "files"
+        }, cwd);
+      } catch (lockErr) {
+        for (const p of extractedPaths) {
+          try {
+            rmSync(p);
+          } catch {
+          }
+        }
+        throw lockErr;
+      }
+      info(chalk5.dim(`  \u2192 ${fullInstallPath}`));
+      info(chalk5.dim(`  Lockfile updated: mog.lock.json`));
+      success("install", {
+        package: pkg,
+        version: latestRelease.version,
+        target,
+        installPath: fullInstallPath,
+        files: files.length
+      });
+    } catch (err) {
+      extractSpinner.fail("Installation failed");
+      fail("install", String(err));
+    }
+  }
+);
+
+// src/commands/ls.ts
+import { Command as Command5 } from "commander";
+import chalk6 from "chalk";
+var lsCommand = new Command5("ls").description("List installed packages").option("--dir <path>", "Project directory (default: current directory)").option("--json", "Output as JSON").action(async (opts) => {
+  if (opts.json) setJsonMode(true);
+  const cwd = opts.dir ?? process.cwd();
+  const lockfile = readLockfile(cwd);
+  const packages = Object.values(lockfile.packages);
+  if (opts.json) {
+    success("ls", { packages, count: packages.length });
+  }
+  if (packages.length === 0) {
+    info(chalk6.dim("No packages installed. Run: mog install <vendor>/<package>"));
+    process.exit(0);
+  }
+  console.log(chalk6.bold(`
+${packages.length} installed package${packages.length !== 1 ? "s" : ""}
+`));
+  for (const pkg of packages) {
+    console.log(
+      chalk6.bold(`${pkg.vendor}/${pkg.slug}`) + chalk6.dim(`@${pkg.version}`) + `  ${chalk6.cyan(pkg.target)}`
+    );
+    console.log(chalk6.dim(`  ${pkg.installPath}`));
+    console.log(chalk6.dim(`  Installed: ${new Date(pkg.installedAt).toLocaleDateString()}`));
+    console.log();
+  }
+  process.exit(0);
+});
+
+// src/commands/update.ts
+import { Command as Command6 } from "commander";
+import chalk7 from "chalk";
+import ora4 from "ora";
+import { createHash as createHash2 } from "crypto";
+import { mkdirSync as mkdirSync4, writeFileSync as writeFileSync5 } from "fs";
+import { join as join5, dirname as dirname4 } from "path";
+import AdmZip2 from "adm-zip";
+import semver from "semver";
+var updateCommand = new Command6("update").description("Update installed packages to latest compatible versions").argument("[package]", "Specific package to update (e.g. acme/router-eval)").option("--dir <path>", "Project directory (default: current directory)").option("--dry-run", "Show available updates without installing").option("--json", "Output as JSON").action(async (pkg, opts) => {
+  if (opts.json) setJsonMode(true);
+  const creds = readCredentials();
+  if (!creds?.token) {
+    fail("update", "Not authenticated. Run: mog auth");
+  }
+  const cwd = opts.dir ?? process.cwd();
+  const lockfile = readLockfile(cwd);
+  const packages = Object.values(lockfile.packages);
+  if (packages.length === 0) {
+    info(chalk7.dim("No installed packages to update"));
+    success("update", { updated: [], skipped: [] });
+  }
+  const toCheck = pkg ? packages.filter((p) => `${p.vendor}/${p.slug}` === pkg) : packages;
+  if (toCheck.length === 0) {
+    fail("update", `Package "${pkg}" not found in lockfile`);
+  }
+  const updates = [];
+  const skipped = [];
+  for (const installed of toCheck) {
+    const name = `${installed.vendor}/${installed.slug}`;
+    try {
+      const releasesData = await api.get(
+        `/v1/listings/${installed.vendor}/${installed.slug}/releases`
+      );
+      const [latest] = releasesData.releases;
+      if (!latest) {
+        skipped.push({ name, version: installed.version, reason: "No releases found" });
+        continue;
+      }
+      if (latest.version === installed.version) {
+        info(chalk7.dim(`  ${name}: already at ${installed.version}`));
+        continue;
+      }
+      const currentVersion = installed.version;
+      const newVersion = latest.version;
+      const channel = installed.updateChannel ?? "minor";
+      if (channel === "patch" && !semver.satisfies(newVersion, `~${currentVersion}`)) {
+        skipped.push({ name, version: newVersion, reason: `Blocked by update channel (patch only). New: ${newVersion}` });
+        warn(`  ${name}: ${newVersion} available but blocked (patch-only channel). Use --major to upgrade.`);
+        continue;
+      }
+      if (channel === "minor" && semver.major(newVersion) > semver.major(currentVersion)) {
+        skipped.push({ name, version: newVersion, reason: `Major upgrade requires explicit opt-in. New: ${newVersion}` });
+        warn(`  ${name}: ${newVersion} available but blocked (major upgrade). Add @${newVersion} to upgrade.`);
+        continue;
+      }
+      updates.push({ name, from: currentVersion, to: newVersion });
+      if (opts.dryRun) {
+        info(`  ${chalk7.bold(name)}: ${chalk7.dim(currentVersion)} \u2192 ${chalk7.green(newVersion)}`);
+        continue;
+      }
+      const spinner = ora4(`Updating ${name}...`).start();
+      try {
+        const downloadToken = await api.post("/v1/downloads", {
+          releaseId: latest.id
+        });
+        const res = await fetch(downloadToken.url);
+        const buffer = Buffer.from(await res.arrayBuffer());
+        const actualHash = createHash2("sha256").update(buffer).digest("hex");
+        if (actualHash !== downloadToken.sha256) {
+          throw new Error("Hash verification failed");
+        }
+        const zip = new AdmZip2(buffer);
+        const fullInstallPath = installed.installPath;
+        mkdirSync4(fullInstallPath, { recursive: true });
+        const files = [];
+        for (const entry of zip.getEntries()) {
+          if (entry.isDirectory) continue;
+          const data = entry.getData();
+          const hash = createHash2("sha256").update(data).digest("hex");
+          const entryName = entry.entryName.replace(/^[^/]+\//, "");
+          const destPath = join5(fullInstallPath, entryName);
+          mkdirSync4(dirname4(destPath), { recursive: true });
+          writeFileSync5(destPath, data);
+          files.push({ path: entryName, sha256: hash, size: data.length });
+        }
+        addToLockfile({
+          ...installed,
+          version: latest.version,
+          releaseId: latest.id,
+          archiveSha256: downloadToken.sha256,
+          installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          files
+        }, cwd);
+        spinner.succeed(`${name}: ${currentVersion} \u2192 ${chalk7.green(newVersion)}`);
+      } catch (err) {
+        spinner.fail(`Failed to update ${name}`);
+        warn(String(err));
+      }
+    } catch (err) {
+      skipped.push({ name, version: installed.version, reason: String(err) });
+      warn(`  ${name}: ${String(err)}`);
+    }
+  }
+  if (opts.dryRun) {
+    info(chalk7.dim(`
+${updates.length} update(s) available. Remove --dry-run to apply.`));
+  } else if (updates.length === 0) {
+    info(chalk7.green("\n\u2713 All packages up to date"));
+  }
+  success("update", { updated: updates, skipped });
+});
+
+// src/commands/uninstall.ts
+import { Command as Command7 } from "commander";
+import chalk8 from "chalk";
+import { rmSync as rmSync2, existsSync as existsSync6 } from "fs";
+var uninstallCommand = new Command7("uninstall").description("Remove an installed package and update the lockfile").argument("<package>", "Package to uninstall (e.g. acme/router-eval)").option("--dir <path>", "Installation directory (default: current directory)").option("--json", "Output as JSON").action(async (pkg, opts) => {
+  if (opts.json) setJsonMode(true);
+  const [vendor, slug] = pkg.split("/");
+  if (!vendor || !slug) {
+    fail("uninstall", `Invalid package format: "${pkg}". Expected: vendor/slug`);
+  }
+  const cwd = opts.dir ?? process.cwd();
+  const lockfile = readLockfile(cwd);
+  const key = `${vendor}/${slug}`;
+  const entry = lockfile.packages[key];
+  if (!entry) {
+    fail("uninstall", `Package "${pkg}" is not in the lockfile`);
+  }
+  if (entry.installType === "mcp-config") {
+    const serverKey = mcpServerName(vendor, slug);
+    info(chalk8.dim(`Removing MCP server "${serverKey}" from ${entry.target} config\u2026`));
+    try {
+      removeMcpServer(entry.target, cwd, serverKey);
+    } catch (err) {
+      info(chalk8.dim(`Could not remove from config file: ${String(err)}`));
+    }
+    removeFromLockfile(key, cwd);
+    info(chalk8.yellow(`  Restart your IDE for the change to take effect.`));
+    success("uninstall", {
+      package: pkg,
+      type: "mcp",
+      serverKey,
+      removedPath: entry.installPath ?? null
+    });
+    return;
+  }
+  const installPath = entry.installPath;
+  if (installPath && existsSync6(installPath)) {
+    info(chalk8.dim(`Removing ${installPath}\u2026`));
+    rmSync2(installPath, { recursive: true, force: true });
+  } else {
+    info(chalk8.dim(`Install path not found, removing from lockfile only`));
+  }
+  removeFromLockfile(key, cwd);
+  success("uninstall", {
+    package: pkg,
+    removedPath: installPath ?? null
+  });
+});
+
+// src/commands/publish.ts
+import { Command as Command8 } from "commander";
+import chalk9 from "chalk";
+import ora5 from "ora";
+import { createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync4, readdirSync, statSync, existsSync as existsSync7 } from "fs";
+import { join as join6, relative, resolve as resolve2 } from "path";
+import AdmZip3 from "adm-zip";
+import yaml2 from "js-yaml";
+function addDirectoryToZip(zip, dirPath, baseDir) {
+  const entries = readdirSync(dirPath);
+  for (const entry of entries) {
+    if (entry === ".git" || entry === "node_modules" || entry === ".DS_Store") continue;
+    const fullPath = join6(dirPath, entry);
+    const relativePath = relative(baseDir, fullPath);
+    const stat = statSync(fullPath);
+    if (stat.isDirectory()) {
+      addDirectoryToZip(zip, fullPath, baseDir);
+    } else {
+      const content = readFileSync4(fullPath);
+      zip.addFile(relativePath, content);
+    }
+  }
+}
+function sha256Hex(buf) {
+  return createHash3("sha256").update(buf).digest("hex");
+}
+var publishCommand = new Command8("publish").description("Build, upload, and publish a package from a local directory").option("--dir <path>", "Package directory (default: current directory)").option("--price <dollars>", "Price in USD (0 for free, $0.99\u2013$500 for paid). Only applied on first upload.").option("--yes", "Skip confirmation prompts").option("--json", "Output as JSON").action(
+  async (opts) => {
+    if (opts.json) setJsonMode(true);
+    const creds = readCredentials();
+    if (!creds?.token) {
+      fail("publish", "Not authenticated. Run: mog auth");
+    }
+    const pkgDir = resolve2(opts.dir ?? process.cwd());
+    if (!existsSync7(pkgDir)) {
+      fail("publish", `Directory not found: ${pkgDir}`);
+    }
+    const mogYamlPath = join6(pkgDir, "mog.yaml");
+    if (!existsSync7(mogYamlPath)) {
+      fail("publish", `mog.yaml not found in ${pkgDir}`);
+    }
+    let rawYaml;
+    try {
+      rawYaml = yaml2.load(readFileSync4(mogYamlPath, "utf-8"));
+    } catch (err) {
+      fail("publish", `Failed to parse mog.yaml: ${String(err)}`);
+    }
+    const parsed = MogYamlSchema.safeParse(rawYaml);
+    if (!parsed.success) {
+      const errors = Object.entries(parsed.error.flatten().fieldErrors).map(([k, v]) => `  ${k}: ${v.join(", ")}`).join("\n");
+      fail("publish", `Invalid mog.yaml:
+${errors}`);
+    }
+    const manifest = parsed.data;
+    info(chalk9.bold(`
+Publishing ${chalk9.cyan(manifest.name)} v${chalk9.yellow(manifest.version)}`));
+    info(chalk9.dim(`  Type:     ${manifest.type}`));
+    info(chalk9.dim(`  Targets:  ${manifest.targets.join(", ")}`));
+    const buildSpinner = ora5("Building archive\u2026").start();
+    let buffer;
+    try {
+      const zip = new AdmZip3();
+      addDirectoryToZip(zip, pkgDir, pkgDir);
+      buffer = zip.toBuffer();
+      buildSpinner.succeed(chalk9.dim(`Archive built (${(buffer.length / 1024).toFixed(1)} KB, ${sha256Hex(buffer).slice(0, 12)}\u2026)`));
+    } catch (err) {
+      buildSpinner.fail("Build failed");
+      fail("publish", String(err));
+    }
+    if (!opts.yes && !opts.json) {
+      const readline = await import("readline/promises");
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      const ans = await rl.question(chalk9.yellow(`
+Upload and publish? [y/N] `));
+      rl.close();
+      if (!ans.toLowerCase().startsWith("y")) {
+        info(chalk9.dim("Aborted."));
+        process.exit(0);
+      }
+    }
+    const uploadSpinner = ora5("Uploading\u2026").start();
+    let uploaded;
+    try {
+      const form = new FormData();
+      form.append("archive", new Blob([buffer], { type: "application/zip" }), "package.zip");
+      if (opts.price !== void 0) {
+        const priceCents = Math.round(parseFloat(opts.price) * 100);
+        if (isNaN(priceCents) || priceCents !== 0 && priceCents < MIN_PRICE_CENTS) {
+          fail("publish", `Minimum price is $${(MIN_PRICE_CENTS / 100).toFixed(2)} (or $0 for free)`);
+        }
+        if (priceCents > MAX_PRICE_CENTS) {
+          fail("publish", `Maximum price is $${(MAX_PRICE_CENTS / 100).toFixed(2)}`);
+        }
+        form.append("priceCents", String(priceCents));
+      }
+      uploaded = await api.upload("/v1/vendor/releases", form);
+      uploadSpinner.succeed(chalk9.dim(`Uploaded release ${uploaded.release.id.slice(0, 8)}\u2026`));
+    } catch (err) {
+      uploadSpinner.fail("Upload failed");
+      if (err instanceof ApiError) {
+        fail("publish", err.message);
+      }
+      fail("publish", String(err));
+    }
+    const scanSpinner = ora5("Scanning package\u2026").start();
+    const releaseId = uploaded.release.id;
+    const listingSlug = uploaded.listing.slug;
+    const [vendorSlug] = manifest.name.split("/");
+    const POLL_INTERVAL_MS = 3e3;
+    const POLL_TIMEOUT_MS = 12e4;
+    const start = Date.now();
+    let finalScanStatus = uploaded.release.scanStatus;
+    let scanResult = null;
+    while (finalScanStatus === "pending" || finalScanStatus === "scanning") {
+      if (Date.now() - start > POLL_TIMEOUT_MS) {
+        scanSpinner.fail("Scan timed out after 2 minutes");
+        fail("publish", "Package scan is taking too long. Check the dashboard for status.");
+      }
+      await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+      try {
+        const releasesData = await api.get(
+          `/v1/listings/${vendorSlug}/${listingSlug}/releases`
+        );
+        const rel = releasesData.releases.find((r) => r.id === releaseId);
+        if (rel) {
+          finalScanStatus = rel.scanStatus;
+          scanResult = rel.scanResult;
+        }
+      } catch {
+      }
+    }
+    if (finalScanStatus === "failed") {
+      scanSpinner.fail("Scan failed");
+      let reason = "Unknown reason";
+      if (scanResult) {
+        try {
+          reason = JSON.parse(scanResult).reason ?? reason;
+        } catch {
+        }
+      }
+      fail("publish", `Package failed security scan: ${reason}`);
+    }
+    scanSpinner.succeed(chalk9.green("Scan passed"));
+    const publishSpinner = ora5("Publishing\u2026").start();
+    try {
+      await api.patch(`/v1/vendor/releases/${releaseId}/publish`);
+      publishSpinner.succeed(chalk9.green(`Published ${manifest.name}@${manifest.version}`));
+    } catch (err) {
+      publishSpinner.fail("Publish failed");
+      if (err instanceof ApiError) {
+        fail("publish", err.message);
+      }
+      fail("publish", String(err));
+    }
+    info("");
+    info(chalk9.bold("Install command:"));
+    info(chalk9.cyan(`  mog install ${manifest.name}`));
+    info("");
+    success("publish", {
+      name: manifest.name,
+      version: manifest.version,
+      releaseId,
+      listingId: uploaded.listing.id
+    });
+  }
+);
+
+// src/bin.ts
+program.name("mog").description("Marketplace for agent skills \u2014 buy and sell .md files autonomously").version("0.1.0");
+program.addCommand(authCommand);
+program.addCommand(searchCommand);
+program.addCommand(buyCommand);
+program.addCommand(installCommand);
+program.addCommand(uninstallCommand);
+program.addCommand(lsCommand);
+program.addCommand(updateCommand);
+program.addCommand(publishCommand);
+program.parseAsync(process.argv).catch((err) => {
+  console.error("Error:", err);
+  process.exit(1);
+});