rulesync 6.5.0 → 6.6.0

package/README.md

@@ -36,8 +36,19 @@ rulesync --help
 
 Download pre-built binaries from the [latest release](https://github.com/dyoshikawa/rulesync/releases/latest). These binaries are built using [Bun's single-file executable bundler](https://bun.sh/docs/bundler/executables).
 
+**Quick Install (Linux/macOS - No sudo required):**
+
+```bash
+curl -fsSL https://github.com/dyoshikawa/rulesync/releases/latest/download/install.sh | bash
+```
+
+Options:
+
+- Install specific version: `curl -fsSL https://github.com/dyoshikawa/rulesync/releases/latest/download/install.sh | bash -s -- v6.4.0`
+- Custom directory: `RULESYNC_HOME=~/.local curl -fsSL https://github.com/dyoshikawa/rulesync/releases/latest/download/install.sh | bash`
+
 <details>
-<summary>Commands to install a binary for your platform</summary>
+<summary>Manual installation (requires sudo)</summary>
 
 #### Linux (x64)
 
@@ -228,6 +239,15 @@ npx rulesync generate --check --targets "*" --features "*"
 
 # Add generated files to .gitignore
 npx rulesync gitignore
+
+# Update rulesync to the latest version (single-binary installs)
+npx rulesync update
+
+# Check for updates without installing
+npx rulesync update --check
+
+# Force update even if already at latest version
+npx rulesync update --force
 ```
 
 ## Preview Modes
@@ -255,12 +275,12 @@ echo $?  # 0 if up to date, 1 if changes needed
 > [!NOTE]
 > `--dry-run` and `--check` cannot be used together.
 
-## Fetch Command (Experimental)
+## Fetch Command (In Development)
 
 The `fetch` command allows you to fetch configuration files directly from a Git repository (GitHub/GitLab).
 
-> [!WARNING]
-> This feature is experimental and may change in future releases.
+> [!NOTE]
+> This feature is in development and may change in future releases.
 
 **Note:** The fetch command searches for feature directories (`rules/`, `commands/`, `skills/`, `subagents/`, etc.) directly at the specified path, without requiring a `.rulesync/` directory structure. This allows fetching from external repositories like `vercel-labs/agent-skills` or `anthropics/skills`.
 
@@ -875,6 +895,16 @@ So, in this case, approximately 92% reduction in MCP tools consumption!
 
 </details>
 
+## Official Skills
+
+Rulesync provides official skills that you can install using the fetch command:
+
+```bash
+npx rulesync fetch dyoshikawa/rulesync --features skills
+```
+
+This will install the Rulesync documentation skill to your project.
+
 ## Rulesync MCP Server
 
 Rulesync provides an MCP (Model Context Protocol) server that enables AI agents to manage your Rulesync files. This allows AI agents to discover, read, create, update, and delete files dynamically.

package/dist/index.cjs

@@ -2428,7 +2428,7 @@ var CommandsProcessor = class extends FeatureProcessor {
     );
     const rulesyncCommands = await Promise.all(
       rulesyncCommandPaths.map(
-        (path3) => RulesyncCommand.fromFile({ relativeFilePath: (0, import_node_path19.basename)(path3) })
+        (path4) => RulesyncCommand.fromFile({ relativeFilePath: (0, import_node_path19.basename)(path4) })
       )
     );
     logger.info(`Successfully loaded ${rulesyncCommands.length} rulesync commands`);
@@ -2448,10 +2448,10 @@ var CommandsProcessor = class extends FeatureProcessor {
     );
     if (forDeletion) {
       const toolCommands2 = commandFilePaths.map(
-        (path3) => factory.class.forDeletion({
+        (path4) => factory.class.forDeletion({
           baseDir: this.baseDir,
           relativeDirPath: paths.relativeDirPath,
-          relativeFilePath: (0, import_node_path19.basename)(path3),
+          relativeFilePath: (0, import_node_path19.basename)(path4),
           global: this.global
         })
       ).filter((cmd) => cmd.isDeletable());
@@ -2460,9 +2460,9 @@ var CommandsProcessor = class extends FeatureProcessor {
     }
     const toolCommands = await Promise.all(
       commandFilePaths.map(
-        (path3) => factory.class.fromFile({
+        (path4) => factory.class.fromFile({
           baseDir: this.baseDir,
-          relativeFilePath: (0, import_node_path19.basename)(path3),
+          relativeFilePath: (0, import_node_path19.basename)(path4),
           global: this.global
         })
       )
@@ -8648,7 +8648,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = RulesyncSkill.getSettablePaths();
     const rulesyncSkillsDirPath = (0, import_node_path69.join)(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs((0, import_node_path69.join)(rulesyncSkillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => (0, import_node_path69.basename)(path3));
+    const dirNames = dirPaths.map((path4) => (0, import_node_path69.basename)(path4));
     const rulesyncSkills = await Promise.all(
       dirNames.map(
         (dirName) => RulesyncSkill.fromDir({ baseDir: this.baseDir, dirName, global: this.global })
@@ -8666,7 +8666,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = factory.class.getSettablePaths({ global: this.global });
     const skillsDirPath = (0, import_node_path69.join)(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs((0, import_node_path69.join)(skillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => (0, import_node_path69.basename)(path3));
+    const dirNames = dirPaths.map((path4) => (0, import_node_path69.basename)(path4));
     const toolSkills = await Promise.all(
       dirNames.map(
         (dirName) => factory.class.fromDir({
@@ -8684,7 +8684,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = factory.class.getSettablePaths({ global: this.global });
     const skillsDirPath = (0, import_node_path69.join)(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs((0, import_node_path69.join)(skillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => (0, import_node_path69.basename)(path3));
+    const dirNames = dirPaths.map((path4) => (0, import_node_path69.basename)(path4));
     const toolSkills = dirNames.map(
       (dirName) => factory.class.forDeletion({
         baseDir: this.baseDir,
@@ -10092,10 +10092,10 @@ var SubagentsProcessor = class extends FeatureProcessor {
     );
     if (forDeletion) {
       const toolSubagents2 = subagentFilePaths.map(
-        (path3) => factory.class.forDeletion({
+        (path4) => factory.class.forDeletion({
           baseDir: this.baseDir,
           relativeDirPath: paths.relativeDirPath,
-          relativeFilePath: (0, import_node_path82.basename)(path3),
+          relativeFilePath: (0, import_node_path82.basename)(path4),
           global: this.global
         })
       ).filter((subagent) => subagent.isDeletable());
@@ -10104,9 +10104,9 @@ var SubagentsProcessor = class extends FeatureProcessor {
     }
     const toolSubagents = await Promise.all(
       subagentFilePaths.map(
-        (path3) => factory.class.fromFile({
+        (path4) => factory.class.fromFile({
           baseDir: this.baseDir,
-          relativeFilePath: (0, import_node_path82.basename)(path3),
+          relativeFilePath: (0, import_node_path82.basename)(path4),
           global: this.global
         })
       )
@@ -13521,6 +13521,18 @@ var GitHubRepoInfoSchema = import_mini51.z.looseObject({
   default_branch: import_mini51.z.string(),
   private: import_mini51.z.boolean()
 });
+var GitHubReleaseAssetSchema = import_mini51.z.looseObject({
+  name: import_mini51.z.string(),
+  browser_download_url: import_mini51.z.string(),
+  size: import_mini51.z.number()
+});
+var GitHubReleaseSchema = import_mini51.z.looseObject({
+  tag_name: import_mini51.z.string(),
+  name: import_mini51.z.nullable(import_mini51.z.string()),
+  prerelease: import_mini51.z.boolean(),
+  draft: import_mini51.z.boolean(),
+  assets: import_mini51.z.array(GitHubReleaseAssetSchema)
+});
 
 // src/lib/github-client.ts
 var GitHubClientError = class extends Error {
@@ -13580,16 +13592,16 @@ var GitHubClient = class {
   /**
    * List contents of a directory in a repository
    */
-  async listDirectory(owner, repo, path3, ref) {
+  async listDirectory(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref
       });
       if (!Array.isArray(data)) {
-        throw new GitHubClientError(`Path "${path3}" is not a directory`);
+        throw new GitHubClientError(`Path "${path4}" is not a directory`);
       }
       const entries = [];
       for (const item of data) {
@@ -13606,12 +13618,12 @@ var GitHubClient = class {
   /**
    * Get raw file content from a repository
    */
-  async getFileContent(owner, repo, path3, ref) {
+  async getFileContent(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref,
         mediaType: {
           format: "raw"
@@ -13631,12 +13643,12 @@ var GitHubClient = class {
   /**
    * Check if a file exists and is within size limits
    */
-  async getFileInfo(owner, repo, path3, ref) {
+  async getFileInfo(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref
       });
       if (Array.isArray(data)) {
@@ -13648,7 +13660,7 @@ var GitHubClient = class {
       }
       if (parsed.data.size > MAX_FILE_SIZE) {
         throw new GitHubClientError(
-          `File "${path3}" exceeds maximum size limit of ${MAX_FILE_SIZE / 1024 / 1024}MB`
+          `File "${path4}" exceeds maximum size limit of ${MAX_FILE_SIZE / 1024 / 1024}MB`
         );
       }
       return parsed.data;
@@ -13676,6 +13688,21 @@ var GitHubClient = class {
       throw error;
     }
   }
+  /**
+   * Get the latest release from a repository
+   */
+  async getLatestRelease(owner, repo) {
+    try {
+      const { data } = await this.octokit.repos.getLatestRelease({ owner, repo });
+      const parsed = GitHubReleaseSchema.safeParse(data);
+      if (!parsed.success) {
+        throw new GitHubClientError(`Invalid release info response: ${formatError(parsed.error)}`);
+      }
+      return parsed.data;
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
   /**
    * Handle errors from Octokit and convert to GitHubClientError
    */
@@ -13851,13 +13878,13 @@ function parseUrl(url) {
   const repo = segments[1]?.replace(/\.git$/, "");
   if (segments.length > 2 && (segments[2] === "tree" || segments[2] === "blob")) {
     const ref = segments[3];
-    const path3 = segments.length > 4 ? segments.slice(4).join("/") : void 0;
+    const path4 = segments.length > 4 ? segments.slice(4).join("/") : void 0;
     return {
       provider,
       owner: owner ?? "",
       repo: repo ?? "",
       ref,
-      path: path3
+      path: path4
     };
   }
   return {
@@ -13868,12 +13895,12 @@ function parseUrl(url) {
 }
 function parseShorthand(source) {
   let remaining = source;
-  let path3;
+  let path4;
   let ref;
   const colonIndex = remaining.indexOf(":");
   if (colonIndex !== -1) {
-    path3 = remaining.substring(colonIndex + 1);
-    if (!path3) {
+    path4 = remaining.substring(colonIndex + 1);
+    if (!path4) {
       throw new Error(`Invalid source: ${source}. Path cannot be empty after ":".`);
     }
     remaining = remaining.substring(0, colonIndex);
@@ -13901,7 +13928,7 @@ function parseShorthand(source) {
     owner,
     repo,
     ref,
-    path: path3
+    path: path4
   };
 }
 function resolveFeatures(features) {
@@ -14077,8 +14104,8 @@ async function collectFeatureFiles(params) {
   }
   return filesToFetch;
 }
-async function listDirectoryRecursive(client, owner, repo, path3, ref) {
-  const entries = await client.listDirectory(owner, repo, path3, ref);
+async function listDirectoryRecursive(client, owner, repo, path4, ref) {
+  const entries = await client.listDirectory(owner, repo, path4, ref);
   const files = [];
   for (const entry of entries) {
     if (entry.type === "file") {
@@ -15510,12 +15537,12 @@ async function init() {
   };
 }
 async function createConfigFile() {
-  const path3 = RULESYNC_CONFIG_RELATIVE_FILE_PATH;
-  if (await fileExists(path3)) {
-    return { created: false, path: path3 };
+  const path4 = RULESYNC_CONFIG_RELATIVE_FILE_PATH;
+  if (await fileExists(path4)) {
+    return { created: false, path: path4 };
   }
   await writeFileContent(
-    path3,
+    path4,
     JSON.stringify(
       {
         targets: ["copilot", "cursor", "claudecode", "codexcli"],
@@ -15534,7 +15561,7 @@ async function createConfigFile() {
       2
     )
   );
-  return { created: true, path: path3 };
+  return { created: true, path: path4 };
 }
 async function createSampleFiles() {
   const results = [];
@@ -15715,12 +15742,12 @@ Keep the summary concise and ready to reuse in future tasks.`
   results.push(await writeIfNotExists(hooksFilepath, sampleHooksFile.content));
   return results;
 }
-async function writeIfNotExists(path3, content) {
-  if (await fileExists(path3)) {
-    return { created: false, path: path3 };
+async function writeIfNotExists(path4, content) {
+  if (await fileExists(path4)) {
+    return { created: false, path: path4 };
   }
-  await writeFileContent(path3, content);
-  return { created: true, path: path3 };
+  await writeFileContent(path4, content);
+  return { created: true, path: path4 };
 }
 
 // src/cli/commands/init.ts
@@ -17142,8 +17169,364 @@ async function mcpCommand({ version }) {
   });
 }
 
+// src/lib/update.ts
+var crypto = __toESM(require("crypto"), 1);
+var fs = __toESM(require("fs"), 1);
+var os2 = __toESM(require("os"), 1);
+var path3 = __toESM(require("path"), 1);
+var import_node_stream = require("stream");
+var import_promises2 = require("stream/promises");
+var RULESYNC_REPO_OWNER = "dyoshikawa";
+var RULESYNC_REPO_NAME = "rulesync";
+var RELEASES_URL = `https://github.com/${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}/releases`;
+var MAX_DOWNLOAD_SIZE = 500 * 1024 * 1024;
+var ALLOWED_DOWNLOAD_DOMAINS = [
+  "github.com",
+  "objects.githubusercontent.com",
+  "github-releases.githubusercontent.com"
+];
+var UpdatePermissionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UpdatePermissionError";
+  }
+};
+function detectExecutionEnvironment() {
+  const execPath = process.execPath;
+  const scriptPath = process.argv[1] ?? "";
+  const isRulesyncBinary = /rulesync(-[a-z0-9]+(-[a-z0-9]+)?)?(\.exe)?$/i.test(execPath);
+  if (isRulesyncBinary) {
+    if (execPath.includes("/homebrew/") || execPath.includes("/Cellar/")) {
+      return "homebrew";
+    }
+    return "single-binary";
+  }
+  if ((scriptPath.includes("/homebrew/") || scriptPath.includes("/Cellar/")) && scriptPath.includes("rulesync")) {
+    return "homebrew";
+  }
+  return "npm";
+}
+function getPlatformAssetName() {
+  const platform2 = os2.platform();
+  const arch2 = os2.arch();
+  const platformMap = {
+    darwin: "darwin",
+    linux: "linux",
+    win32: "windows"
+  };
+  const archMap = {
+    x64: "x64",
+    arm64: "arm64"
+  };
+  const platformName = platformMap[platform2];
+  const archName = archMap[arch2];
+  if (!platformName || !archName) {
+    return null;
+  }
+  const extension = platform2 === "win32" ? ".exe" : "";
+  return `rulesync-${platformName}-${archName}${extension}`;
+}
+function normalizeVersion(v) {
+  return v.replace(/^v/, "").replace(/-.*$/, "");
+}
+function compareVersions(a, b) {
+  const aParts = normalizeVersion(a).split(".").map(Number);
+  const bParts = normalizeVersion(b).split(".").map(Number);
+  for (let i = 0; i < Math.max(aParts.length, bParts.length); i++) {
+    const aNum = aParts[i] ?? 0;
+    const bNum = bParts[i] ?? 0;
+    if (!Number.isFinite(aNum) || !Number.isFinite(bNum)) {
+      throw new Error(`Invalid version format: cannot compare "${a}" and "${b}"`);
+    }
+    if (aNum > bNum) return 1;
+    if (aNum < bNum) return -1;
+  }
+  return 0;
+}
+function validateDownloadUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid download URL: ${url}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(`Download URL must use HTTPS: ${url}`);
+  }
+  const isAllowed = ALLOWED_DOWNLOAD_DOMAINS.some((domain) => parsed.hostname === domain);
+  if (!isAllowed) {
+    throw new Error(
+      `Download URL domain "${parsed.hostname}" is not in the allowed list: ${ALLOWED_DOWNLOAD_DOMAINS.join(", ")}`
+    );
+  }
+  if (parsed.hostname === "github.com") {
+    const expectedPrefix = `/${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}/`;
+    if (!parsed.pathname.startsWith(expectedPrefix)) {
+      throw new Error(
+        `Download URL path must belong to ${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}: ${url}`
+      );
+    }
+  }
+}
+async function checkForUpdate(currentVersion, token) {
+  const client = new GitHubClient({
+    token: GitHubClient.resolveToken(token)
+  });
+  const release = await client.getLatestRelease(RULESYNC_REPO_OWNER, RULESYNC_REPO_NAME);
+  const latestVersion = normalizeVersion(release.tag_name);
+  const normalizedCurrentVersion = normalizeVersion(currentVersion);
+  return {
+    currentVersion: normalizedCurrentVersion,
+    latestVersion,
+    hasUpdate: compareVersions(latestVersion, normalizedCurrentVersion) > 0,
+    release
+  };
+}
+function findAsset(release, assetName) {
+  return release.assets.find((asset) => asset.name === assetName) ?? null;
+}
+async function downloadFile(url, destPath) {
+  validateDownloadUrl(url);
+  const response = await fetch(url, {
+    redirect: "follow"
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to download: HTTP ${response.status}`);
+  }
+  if (response.url) {
+    validateDownloadUrl(response.url);
+  }
+  const contentLength = response.headers.get("content-length");
+  if (contentLength && Number(contentLength) > MAX_DOWNLOAD_SIZE) {
+    throw new Error(
+      `Download too large: ${contentLength} bytes exceeds limit of ${MAX_DOWNLOAD_SIZE} bytes`
+    );
+  }
+  if (!response.body) {
+    throw new Error("Response body is empty");
+  }
+  const fileStream = fs.createWriteStream(destPath);
+  let downloadedBytes = 0;
+  const bodyReader = import_node_stream.Readable.fromWeb(
+    // eslint-disable-next-line no-type-assertion/no-type-assertion
+    response.body
+  );
+  const sizeChecker = new import_node_stream.Transform({
+    transform(chunk, _encoding, callback) {
+      downloadedBytes += chunk.length;
+      if (downloadedBytes > MAX_DOWNLOAD_SIZE) {
+        callback(
+          new Error(
+            `Download too large: exceeded limit of ${MAX_DOWNLOAD_SIZE} bytes during streaming`
+          )
+        );
+        return;
+      }
+      callback(null, chunk);
+    }
+  });
+  await (0, import_promises2.pipeline)(bodyReader, sizeChecker, fileStream);
+}
+async function calculateSha256(filePath) {
+  const content = await fs.promises.readFile(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+function parseSha256Sums(content) {
+  const result = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const match = /^([a-f0-9]{64})\s+(.+)$/.exec(trimmed);
+    if (match && match[1] && match[2]) {
+      result.set(match[2].trim(), match[1]);
+    }
+  }
+  return result;
+}
+async function performBinaryUpdate(currentVersion, options = {}) {
+  const { force = false, token } = options;
+  const updateCheck = await checkForUpdate(currentVersion, token);
+  if (!updateCheck.hasUpdate && !force) {
+    return `Already at the latest version (${currentVersion})`;
+  }
+  const assetName = getPlatformAssetName();
+  if (!assetName) {
+    throw new Error(
+      `Unsupported platform: ${os2.platform()} ${os2.arch()}. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const binaryAsset = findAsset(updateCheck.release, assetName);
+  if (!binaryAsset) {
+    throw new Error(
+      `Binary for ${assetName} not found in release. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const checksumAsset = findAsset(updateCheck.release, "SHA256SUMS");
+  if (!checksumAsset) {
+    throw new Error(
+      `SHA256SUMS not found in release. Cannot verify download integrity. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const tempDir = await fs.promises.mkdtemp(path3.join(os2.tmpdir(), "rulesync-update-"));
+  let restoreFailed = false;
+  try {
+    if (os2.platform() !== "win32") {
+      await fs.promises.chmod(tempDir, 448);
+    }
+    const tempBinaryPath = path3.join(tempDir, assetName);
+    await downloadFile(binaryAsset.browser_download_url, tempBinaryPath);
+    const checksumsPath = path3.join(tempDir, "SHA256SUMS");
+    await downloadFile(checksumAsset.browser_download_url, checksumsPath);
+    const checksumsContent = await fs.promises.readFile(checksumsPath, "utf-8");
+    const checksums = parseSha256Sums(checksumsContent);
+    const expectedChecksum = checksums.get(assetName);
+    if (!expectedChecksum) {
+      throw new Error(
+        `Checksum entry for "${assetName}" not found in SHA256SUMS. Cannot verify download integrity.`
+      );
+    }
+    const actualChecksum = await calculateSha256(tempBinaryPath);
+    if (actualChecksum !== expectedChecksum) {
+      throw new Error(
+        `Checksum verification failed. Expected: ${expectedChecksum}, Got: ${actualChecksum}. The download may be corrupted.`
+      );
+    }
+    const currentExePath = await fs.promises.realpath(process.execPath);
+    const currentDir = path3.dirname(currentExePath);
+    const backupPath = path3.join(tempDir, "rulesync.backup");
+    try {
+      await fs.promises.copyFile(currentExePath, backupPath);
+    } catch (error) {
+      if (isPermissionError(error)) {
+        throw new UpdatePermissionError(
+          `Permission denied: Cannot read ${currentExePath}. Try running with sudo.`
+        );
+      }
+      throw error;
+    }
+    try {
+      const tempInPlace = path3.join(currentDir, `.rulesync-update-${crypto.randomUUID()}`);
+      try {
+        await fs.promises.copyFile(tempBinaryPath, tempInPlace);
+        if (os2.platform() !== "win32") {
+          await fs.promises.chmod(tempInPlace, 493);
+        }
+        await fs.promises.rename(tempInPlace, currentExePath);
+      } catch {
+        try {
+          await fs.promises.unlink(tempInPlace);
+        } catch {
+        }
+        await fs.promises.copyFile(tempBinaryPath, currentExePath);
+        if (os2.platform() !== "win32") {
+          await fs.promises.chmod(currentExePath, 493);
+        }
+      }
+      return `Successfully updated from ${currentVersion} to ${updateCheck.latestVersion}`;
+    } catch (error) {
+      try {
+        await fs.promises.copyFile(backupPath, currentExePath);
+      } catch {
+        restoreFailed = true;
+        throw new Error(
+          `Failed to replace binary and restore failed. Backup is preserved at: ${backupPath} (in ${tempDir}). Please manually copy it to ${currentExePath}. Original error: ${error instanceof Error ? error.message : String(error)}`,
+          { cause: error }
+        );
+      }
+      if (isPermissionError(error)) {
+        throw new UpdatePermissionError(
+          `Permission denied: Cannot write to ${path3.dirname(currentExePath)}. Try running with sudo.`
+        );
+      }
+      throw error;
+    }
+  } finally {
+    if (!restoreFailed) {
+      try {
+        await fs.promises.rm(tempDir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  }
+}
+function isPermissionError(error) {
+  if (typeof error === "object" && error !== null && "code" in error) {
+    const record = error;
+    return record["code"] === "EACCES" || record["code"] === "EPERM";
+  }
+  return false;
+}
+function getNpmUpgradeInstructions() {
+  return `This rulesync installation was installed via npm/npx.
+
+To upgrade, run one of the following commands:
+
+  Global installation:
+    npm install -g rulesync@latest
+
+  Project dependency:
+    npm install rulesync@latest
+
+  Or use npx to always run the latest version:
+    npx rulesync@latest --version`;
+}
+function getHomebrewUpgradeInstructions() {
+  return `This rulesync installation was installed via Homebrew.
+
+To upgrade, run:
+  brew upgrade rulesync`;
+}
+
+// src/cli/commands/update.ts
+async function updateCommand(currentVersion, options) {
+  const { check = false, force = false, verbose = false, silent = false, token } = options;
+  logger.configure({ verbose, silent });
+  try {
+    const environment = detectExecutionEnvironment();
+    logger.debug(`Detected environment: ${environment}`);
+    if (environment === "npm") {
+      logger.info(getNpmUpgradeInstructions());
+      return;
+    }
+    if (environment === "homebrew") {
+      logger.info(getHomebrewUpgradeInstructions());
+      return;
+    }
+    if (check) {
+      logger.info("Checking for updates...");
+      const updateCheck = await checkForUpdate(currentVersion, token);
+      if (updateCheck.hasUpdate) {
+        logger.success(
+          `Update available: ${updateCheck.currentVersion} -> ${updateCheck.latestVersion}`
+        );
+      } else {
+        logger.info(`Already at the latest version (${updateCheck.currentVersion})`);
+      }
+      return;
+    }
+    logger.info("Checking for updates...");
+    const message = await performBinaryUpdate(currentVersion, { force, token });
+    logger.success(message);
+  } catch (error) {
+    if (error instanceof GitHubClientError) {
+      logger.error(`GitHub API Error: ${error.message}`);
+      if (error.statusCode === 401 || error.statusCode === 403) {
+        logger.info(
+          "Tip: Set GITHUB_TOKEN or GH_TOKEN environment variable for better rate limits."
+        );
+      }
+    } else if (error instanceof UpdatePermissionError) {
+      logger.error(error.message);
+      logger.info("Tip: Run with elevated privileges (e.g., sudo rulesync update)");
+    } else {
+      logger.error(formatError(error));
+    }
+    process.exit(1);
+  }
+}
+
 // src/cli/index.ts
-var getVersion = () => "6.5.0";
+var getVersion = () => "6.6.0";
 var main = async () => {
   const program = new import_commander.Command();
   const version = getVersion();
@@ -17266,6 +17649,15 @@ var main = async () => {
       process.exit(1);
     }
   });
+  program.command("update").description("Update rulesync to the latest version").option("--check", "Check for updates without installing").option("--force", "Force update even if already at latest version").option("--token <token>", "GitHub token for API access").option("-V, --verbose", "Verbose output").option("-s, --silent", "Suppress all output").action(async (options) => {
+    await updateCommand(version, {
+      check: options.check,
+      force: options.force,
+      token: options.token,
+      verbose: options.verbose,
+      silent: options.silent
+    });
+  });
   program.parse();
 };
 main().catch((error) => {

package/dist/index.js

@@ -2405,7 +2405,7 @@ var CommandsProcessor = class extends FeatureProcessor {
     );
     const rulesyncCommands = await Promise.all(
       rulesyncCommandPaths.map(
-        (path3) => RulesyncCommand.fromFile({ relativeFilePath: basename16(path3) })
+        (path4) => RulesyncCommand.fromFile({ relativeFilePath: basename16(path4) })
       )
     );
     logger.info(`Successfully loaded ${rulesyncCommands.length} rulesync commands`);
@@ -2425,10 +2425,10 @@ var CommandsProcessor = class extends FeatureProcessor {
     );
     if (forDeletion) {
       const toolCommands2 = commandFilePaths.map(
-        (path3) => factory.class.forDeletion({
+        (path4) => factory.class.forDeletion({
           baseDir: this.baseDir,
           relativeDirPath: paths.relativeDirPath,
-          relativeFilePath: basename16(path3),
+          relativeFilePath: basename16(path4),
           global: this.global
         })
       ).filter((cmd) => cmd.isDeletable());
@@ -2437,9 +2437,9 @@ var CommandsProcessor = class extends FeatureProcessor {
     }
     const toolCommands = await Promise.all(
       commandFilePaths.map(
-        (path3) => factory.class.fromFile({
+        (path4) => factory.class.fromFile({
           baseDir: this.baseDir,
-          relativeFilePath: basename16(path3),
+          relativeFilePath: basename16(path4),
           global: this.global
         })
       )
@@ -8625,7 +8625,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = RulesyncSkill.getSettablePaths();
     const rulesyncSkillsDirPath = join68(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs(join68(rulesyncSkillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => basename18(path3));
+    const dirNames = dirPaths.map((path4) => basename18(path4));
     const rulesyncSkills = await Promise.all(
       dirNames.map(
         (dirName) => RulesyncSkill.fromDir({ baseDir: this.baseDir, dirName, global: this.global })
@@ -8643,7 +8643,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = factory.class.getSettablePaths({ global: this.global });
     const skillsDirPath = join68(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs(join68(skillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => basename18(path3));
+    const dirNames = dirPaths.map((path4) => basename18(path4));
     const toolSkills = await Promise.all(
       dirNames.map(
         (dirName) => factory.class.fromDir({
@@ -8661,7 +8661,7 @@ var SkillsProcessor = class extends DirFeatureProcessor {
     const paths = factory.class.getSettablePaths({ global: this.global });
     const skillsDirPath = join68(this.baseDir, paths.relativeDirPath);
     const dirPaths = await findFilesByGlobs(join68(skillsDirPath, "*"), { type: "dir" });
-    const dirNames = dirPaths.map((path3) => basename18(path3));
+    const dirNames = dirPaths.map((path4) => basename18(path4));
     const toolSkills = dirNames.map(
       (dirName) => factory.class.forDeletion({
         baseDir: this.baseDir,
@@ -10069,10 +10069,10 @@ var SubagentsProcessor = class extends FeatureProcessor {
     );
     if (forDeletion) {
       const toolSubagents2 = subagentFilePaths.map(
-        (path3) => factory.class.forDeletion({
+        (path4) => factory.class.forDeletion({
           baseDir: this.baseDir,
           relativeDirPath: paths.relativeDirPath,
-          relativeFilePath: basename22(path3),
+          relativeFilePath: basename22(path4),
           global: this.global
         })
       ).filter((subagent) => subagent.isDeletable());
@@ -10081,9 +10081,9 @@ var SubagentsProcessor = class extends FeatureProcessor {
     }
     const toolSubagents = await Promise.all(
       subagentFilePaths.map(
-        (path3) => factory.class.fromFile({
+        (path4) => factory.class.fromFile({
           baseDir: this.baseDir,
-          relativeFilePath: basename22(path3),
+          relativeFilePath: basename22(path4),
           global: this.global
         })
       )
@@ -13498,6 +13498,18 @@ var GitHubRepoInfoSchema = z51.looseObject({
   default_branch: z51.string(),
   private: z51.boolean()
 });
+var GitHubReleaseAssetSchema = z51.looseObject({
+  name: z51.string(),
+  browser_download_url: z51.string(),
+  size: z51.number()
+});
+var GitHubReleaseSchema = z51.looseObject({
+  tag_name: z51.string(),
+  name: z51.nullable(z51.string()),
+  prerelease: z51.boolean(),
+  draft: z51.boolean(),
+  assets: z51.array(GitHubReleaseAssetSchema)
+});
 
 // src/lib/github-client.ts
 var GitHubClientError = class extends Error {
@@ -13557,16 +13569,16 @@ var GitHubClient = class {
   /**
    * List contents of a directory in a repository
    */
-  async listDirectory(owner, repo, path3, ref) {
+  async listDirectory(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref
       });
       if (!Array.isArray(data)) {
-        throw new GitHubClientError(`Path "${path3}" is not a directory`);
+        throw new GitHubClientError(`Path "${path4}" is not a directory`);
       }
       const entries = [];
       for (const item of data) {
@@ -13583,12 +13595,12 @@ var GitHubClient = class {
   /**
    * Get raw file content from a repository
    */
-  async getFileContent(owner, repo, path3, ref) {
+  async getFileContent(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref,
         mediaType: {
           format: "raw"
@@ -13608,12 +13620,12 @@ var GitHubClient = class {
   /**
    * Check if a file exists and is within size limits
    */
-  async getFileInfo(owner, repo, path3, ref) {
+  async getFileInfo(owner, repo, path4, ref) {
     try {
       const { data } = await this.octokit.repos.getContent({
         owner,
         repo,
-        path: path3,
+        path: path4,
         ref
       });
       if (Array.isArray(data)) {
@@ -13625,7 +13637,7 @@ var GitHubClient = class {
       }
       if (parsed.data.size > MAX_FILE_SIZE) {
         throw new GitHubClientError(
-          `File "${path3}" exceeds maximum size limit of ${MAX_FILE_SIZE / 1024 / 1024}MB`
+          `File "${path4}" exceeds maximum size limit of ${MAX_FILE_SIZE / 1024 / 1024}MB`
         );
       }
       return parsed.data;
@@ -13653,6 +13665,21 @@ var GitHubClient = class {
       throw error;
     }
   }
+  /**
+   * Get the latest release from a repository
+   */
+  async getLatestRelease(owner, repo) {
+    try {
+      const { data } = await this.octokit.repos.getLatestRelease({ owner, repo });
+      const parsed = GitHubReleaseSchema.safeParse(data);
+      if (!parsed.success) {
+        throw new GitHubClientError(`Invalid release info response: ${formatError(parsed.error)}`);
+      }
+      return parsed.data;
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
   /**
    * Handle errors from Octokit and convert to GitHubClientError
    */
@@ -13828,13 +13855,13 @@ function parseUrl(url) {
   const repo = segments[1]?.replace(/\.git$/, "");
   if (segments.length > 2 && (segments[2] === "tree" || segments[2] === "blob")) {
     const ref = segments[3];
-    const path3 = segments.length > 4 ? segments.slice(4).join("/") : void 0;
+    const path4 = segments.length > 4 ? segments.slice(4).join("/") : void 0;
     return {
       provider,
       owner: owner ?? "",
       repo: repo ?? "",
       ref,
-      path: path3
+      path: path4
     };
   }
   return {
@@ -13845,12 +13872,12 @@ function parseUrl(url) {
 }
 function parseShorthand(source) {
   let remaining = source;
-  let path3;
+  let path4;
   let ref;
   const colonIndex = remaining.indexOf(":");
   if (colonIndex !== -1) {
-    path3 = remaining.substring(colonIndex + 1);
-    if (!path3) {
+    path4 = remaining.substring(colonIndex + 1);
+    if (!path4) {
       throw new Error(`Invalid source: ${source}. Path cannot be empty after ":".`);
     }
     remaining = remaining.substring(0, colonIndex);
@@ -13878,7 +13905,7 @@ function parseShorthand(source) {
     owner,
     repo,
     ref,
-    path: path3
+    path: path4
   };
 }
 function resolveFeatures(features) {
@@ -14054,8 +14081,8 @@ async function collectFeatureFiles(params) {
   }
   return filesToFetch;
 }
-async function listDirectoryRecursive(client, owner, repo, path3, ref) {
-  const entries = await client.listDirectory(owner, repo, path3, ref);
+async function listDirectoryRecursive(client, owner, repo, path4, ref) {
+  const entries = await client.listDirectory(owner, repo, path4, ref);
   const files = [];
   for (const entry of entries) {
     if (entry.type === "file") {
@@ -15487,12 +15514,12 @@ async function init() {
   };
 }
 async function createConfigFile() {
-  const path3 = RULESYNC_CONFIG_RELATIVE_FILE_PATH;
-  if (await fileExists(path3)) {
-    return { created: false, path: path3 };
+  const path4 = RULESYNC_CONFIG_RELATIVE_FILE_PATH;
+  if (await fileExists(path4)) {
+    return { created: false, path: path4 };
   }
   await writeFileContent(
-    path3,
+    path4,
     JSON.stringify(
       {
         targets: ["copilot", "cursor", "claudecode", "codexcli"],
@@ -15511,7 +15538,7 @@ async function createConfigFile() {
       2
     )
   );
-  return { created: true, path: path3 };
+  return { created: true, path: path4 };
 }
 async function createSampleFiles() {
   const results = [];
@@ -15692,12 +15719,12 @@ Keep the summary concise and ready to reuse in future tasks.`
   results.push(await writeIfNotExists(hooksFilepath, sampleHooksFile.content));
   return results;
 }
-async function writeIfNotExists(path3, content) {
-  if (await fileExists(path3)) {
-    return { created: false, path: path3 };
+async function writeIfNotExists(path4, content) {
+  if (await fileExists(path4)) {
+    return { created: false, path: path4 };
   }
-  await writeFileContent(path3, content);
-  return { created: true, path: path3 };
+  await writeFileContent(path4, content);
+  return { created: true, path: path4 };
 }
 
 // src/cli/commands/init.ts
@@ -17119,8 +17146,364 @@ async function mcpCommand({ version }) {
   });
 }
 
+// src/lib/update.ts
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as os2 from "os";
+import * as path3 from "path";
+import { Readable, Transform } from "stream";
+import { pipeline } from "stream/promises";
+var RULESYNC_REPO_OWNER = "dyoshikawa";
+var RULESYNC_REPO_NAME = "rulesync";
+var RELEASES_URL = `https://github.com/${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}/releases`;
+var MAX_DOWNLOAD_SIZE = 500 * 1024 * 1024;
+var ALLOWED_DOWNLOAD_DOMAINS = [
+  "github.com",
+  "objects.githubusercontent.com",
+  "github-releases.githubusercontent.com"
+];
+var UpdatePermissionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UpdatePermissionError";
+  }
+};
+function detectExecutionEnvironment() {
+  const execPath = process.execPath;
+  const scriptPath = process.argv[1] ?? "";
+  const isRulesyncBinary = /rulesync(-[a-z0-9]+(-[a-z0-9]+)?)?(\.exe)?$/i.test(execPath);
+  if (isRulesyncBinary) {
+    if (execPath.includes("/homebrew/") || execPath.includes("/Cellar/")) {
+      return "homebrew";
+    }
+    return "single-binary";
+  }
+  if ((scriptPath.includes("/homebrew/") || scriptPath.includes("/Cellar/")) && scriptPath.includes("rulesync")) {
+    return "homebrew";
+  }
+  return "npm";
+}
+function getPlatformAssetName() {
+  const platform2 = os2.platform();
+  const arch2 = os2.arch();
+  const platformMap = {
+    darwin: "darwin",
+    linux: "linux",
+    win32: "windows"
+  };
+  const archMap = {
+    x64: "x64",
+    arm64: "arm64"
+  };
+  const platformName = platformMap[platform2];
+  const archName = archMap[arch2];
+  if (!platformName || !archName) {
+    return null;
+  }
+  const extension = platform2 === "win32" ? ".exe" : "";
+  return `rulesync-${platformName}-${archName}${extension}`;
+}
+function normalizeVersion(v) {
+  return v.replace(/^v/, "").replace(/-.*$/, "");
+}
+function compareVersions(a, b) {
+  const aParts = normalizeVersion(a).split(".").map(Number);
+  const bParts = normalizeVersion(b).split(".").map(Number);
+  for (let i = 0; i < Math.max(aParts.length, bParts.length); i++) {
+    const aNum = aParts[i] ?? 0;
+    const bNum = bParts[i] ?? 0;
+    if (!Number.isFinite(aNum) || !Number.isFinite(bNum)) {
+      throw new Error(`Invalid version format: cannot compare "${a}" and "${b}"`);
+    }
+    if (aNum > bNum) return 1;
+    if (aNum < bNum) return -1;
+  }
+  return 0;
+}
+function validateDownloadUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid download URL: ${url}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(`Download URL must use HTTPS: ${url}`);
+  }
+  const isAllowed = ALLOWED_DOWNLOAD_DOMAINS.some((domain) => parsed.hostname === domain);
+  if (!isAllowed) {
+    throw new Error(
+      `Download URL domain "${parsed.hostname}" is not in the allowed list: ${ALLOWED_DOWNLOAD_DOMAINS.join(", ")}`
+    );
+  }
+  if (parsed.hostname === "github.com") {
+    const expectedPrefix = `/${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}/`;
+    if (!parsed.pathname.startsWith(expectedPrefix)) {
+      throw new Error(
+        `Download URL path must belong to ${RULESYNC_REPO_OWNER}/${RULESYNC_REPO_NAME}: ${url}`
+      );
+    }
+  }
+}
+async function checkForUpdate(currentVersion, token) {
+  const client = new GitHubClient({
+    token: GitHubClient.resolveToken(token)
+  });
+  const release = await client.getLatestRelease(RULESYNC_REPO_OWNER, RULESYNC_REPO_NAME);
+  const latestVersion = normalizeVersion(release.tag_name);
+  const normalizedCurrentVersion = normalizeVersion(currentVersion);
+  return {
+    currentVersion: normalizedCurrentVersion,
+    latestVersion,
+    hasUpdate: compareVersions(latestVersion, normalizedCurrentVersion) > 0,
+    release
+  };
+}
+function findAsset(release, assetName) {
+  return release.assets.find((asset) => asset.name === assetName) ?? null;
+}
+async function downloadFile(url, destPath) {
+  validateDownloadUrl(url);
+  const response = await fetch(url, {
+    redirect: "follow"
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to download: HTTP ${response.status}`);
+  }
+  if (response.url) {
+    validateDownloadUrl(response.url);
+  }
+  const contentLength = response.headers.get("content-length");
+  if (contentLength && Number(contentLength) > MAX_DOWNLOAD_SIZE) {
+    throw new Error(
+      `Download too large: ${contentLength} bytes exceeds limit of ${MAX_DOWNLOAD_SIZE} bytes`
+    );
+  }
+  if (!response.body) {
+    throw new Error("Response body is empty");
+  }
+  const fileStream = fs.createWriteStream(destPath);
+  let downloadedBytes = 0;
+  const bodyReader = Readable.fromWeb(
+    // eslint-disable-next-line no-type-assertion/no-type-assertion
+    response.body
+  );
+  const sizeChecker = new Transform({
+    transform(chunk, _encoding, callback) {
+      downloadedBytes += chunk.length;
+      if (downloadedBytes > MAX_DOWNLOAD_SIZE) {
+        callback(
+          new Error(
+            `Download too large: exceeded limit of ${MAX_DOWNLOAD_SIZE} bytes during streaming`
+          )
+        );
+        return;
+      }
+      callback(null, chunk);
+    }
+  });
+  await pipeline(bodyReader, sizeChecker, fileStream);
+}
+async function calculateSha256(filePath) {
+  const content = await fs.promises.readFile(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+function parseSha256Sums(content) {
+  const result = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const match = /^([a-f0-9]{64})\s+(.+)$/.exec(trimmed);
+    if (match && match[1] && match[2]) {
+      result.set(match[2].trim(), match[1]);
+    }
+  }
+  return result;
+}
+async function performBinaryUpdate(currentVersion, options = {}) {
+  const { force = false, token } = options;
+  const updateCheck = await checkForUpdate(currentVersion, token);
+  if (!updateCheck.hasUpdate && !force) {
+    return `Already at the latest version (${currentVersion})`;
+  }
+  const assetName = getPlatformAssetName();
+  if (!assetName) {
+    throw new Error(
+      `Unsupported platform: ${os2.platform()} ${os2.arch()}. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const binaryAsset = findAsset(updateCheck.release, assetName);
+  if (!binaryAsset) {
+    throw new Error(
+      `Binary for ${assetName} not found in release. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const checksumAsset = findAsset(updateCheck.release, "SHA256SUMS");
+  if (!checksumAsset) {
+    throw new Error(
+      `SHA256SUMS not found in release. Cannot verify download integrity. Please download manually from ${RELEASES_URL}`
+    );
+  }
+  const tempDir = await fs.promises.mkdtemp(path3.join(os2.tmpdir(), "rulesync-update-"));
+  let restoreFailed = false;
+  try {
+    if (os2.platform() !== "win32") {
+      await fs.promises.chmod(tempDir, 448);
+    }
+    const tempBinaryPath = path3.join(tempDir, assetName);
+    await downloadFile(binaryAsset.browser_download_url, tempBinaryPath);
+    const checksumsPath = path3.join(tempDir, "SHA256SUMS");
+    await downloadFile(checksumAsset.browser_download_url, checksumsPath);
+    const checksumsContent = await fs.promises.readFile(checksumsPath, "utf-8");
+    const checksums = parseSha256Sums(checksumsContent);
+    const expectedChecksum = checksums.get(assetName);
+    if (!expectedChecksum) {
+      throw new Error(
+        `Checksum entry for "${assetName}" not found in SHA256SUMS. Cannot verify download integrity.`
+      );
+    }
+    const actualChecksum = await calculateSha256(tempBinaryPath);
+    if (actualChecksum !== expectedChecksum) {
+      throw new Error(
+        `Checksum verification failed. Expected: ${expectedChecksum}, Got: ${actualChecksum}. The download may be corrupted.`
+      );
+    }
+    const currentExePath = await fs.promises.realpath(process.execPath);
+    const currentDir = path3.dirname(currentExePath);
+    const backupPath = path3.join(tempDir, "rulesync.backup");
+    try {
+      await fs.promises.copyFile(currentExePath, backupPath);
+    } catch (error) {
+      if (isPermissionError(error)) {
+        throw new UpdatePermissionError(
+          `Permission denied: Cannot read ${currentExePath}. Try running with sudo.`
+        );
+      }
+      throw error;
+    }
+    try {
+      const tempInPlace = path3.join(currentDir, `.rulesync-update-${crypto.randomUUID()}`);
+      try {
+        await fs.promises.copyFile(tempBinaryPath, tempInPlace);
+        if (os2.platform() !== "win32") {
+          await fs.promises.chmod(tempInPlace, 493);
+        }
+        await fs.promises.rename(tempInPlace, currentExePath);
+      } catch {
+        try {
+          await fs.promises.unlink(tempInPlace);
+        } catch {
+        }
+        await fs.promises.copyFile(tempBinaryPath, currentExePath);
+        if (os2.platform() !== "win32") {
+          await fs.promises.chmod(currentExePath, 493);
+        }
+      }
+      return `Successfully updated from ${currentVersion} to ${updateCheck.latestVersion}`;
+    } catch (error) {
+      try {
+        await fs.promises.copyFile(backupPath, currentExePath);
+      } catch {
+        restoreFailed = true;
+        throw new Error(
+          `Failed to replace binary and restore failed. Backup is preserved at: ${backupPath} (in ${tempDir}). Please manually copy it to ${currentExePath}. Original error: ${error instanceof Error ? error.message : String(error)}`,
+          { cause: error }
+        );
+      }
+      if (isPermissionError(error)) {
+        throw new UpdatePermissionError(
+          `Permission denied: Cannot write to ${path3.dirname(currentExePath)}. Try running with sudo.`
+        );
+      }
+      throw error;
+    }
+  } finally {
+    if (!restoreFailed) {
+      try {
+        await fs.promises.rm(tempDir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  }
+}
+function isPermissionError(error) {
+  if (typeof error === "object" && error !== null && "code" in error) {
+    const record = error;
+    return record["code"] === "EACCES" || record["code"] === "EPERM";
+  }
+  return false;
+}
+function getNpmUpgradeInstructions() {
+  return `This rulesync installation was installed via npm/npx.
+
+To upgrade, run one of the following commands:
+
+  Global installation:
+    npm install -g rulesync@latest
+
+  Project dependency:
+    npm install rulesync@latest
+
+  Or use npx to always run the latest version:
+    npx rulesync@latest --version`;
+}
+function getHomebrewUpgradeInstructions() {
+  return `This rulesync installation was installed via Homebrew.
+
+To upgrade, run:
+  brew upgrade rulesync`;
+}
+
+// src/cli/commands/update.ts
+async function updateCommand(currentVersion, options) {
+  const { check = false, force = false, verbose = false, silent = false, token } = options;
+  logger.configure({ verbose, silent });
+  try {
+    const environment = detectExecutionEnvironment();
+    logger.debug(`Detected environment: ${environment}`);
+    if (environment === "npm") {
+      logger.info(getNpmUpgradeInstructions());
+      return;
+    }
+    if (environment === "homebrew") {
+      logger.info(getHomebrewUpgradeInstructions());
+      return;
+    }
+    if (check) {
+      logger.info("Checking for updates...");
+      const updateCheck = await checkForUpdate(currentVersion, token);
+      if (updateCheck.hasUpdate) {
+        logger.success(
+          `Update available: ${updateCheck.currentVersion} -> ${updateCheck.latestVersion}`
+        );
+      } else {
+        logger.info(`Already at the latest version (${updateCheck.currentVersion})`);
+      }
+      return;
+    }
+    logger.info("Checking for updates...");
+    const message = await performBinaryUpdate(currentVersion, { force, token });
+    logger.success(message);
+  } catch (error) {
+    if (error instanceof GitHubClientError) {
+      logger.error(`GitHub API Error: ${error.message}`);
+      if (error.statusCode === 401 || error.statusCode === 403) {
+        logger.info(
+          "Tip: Set GITHUB_TOKEN or GH_TOKEN environment variable for better rate limits."
+        );
+      }
+    } else if (error instanceof UpdatePermissionError) {
+      logger.error(error.message);
+      logger.info("Tip: Run with elevated privileges (e.g., sudo rulesync update)");
+    } else {
+      logger.error(formatError(error));
+    }
+    process.exit(1);
+  }
+}
+
 // src/cli/index.ts
-var getVersion = () => "6.5.0";
+var getVersion = () => "6.6.0";
 var main = async () => {
   const program = new Command();
   const version = getVersion();
@@ -17243,6 +17626,15 @@ var main = async () => {
       process.exit(1);
     }
   });
+  program.command("update").description("Update rulesync to the latest version").option("--check", "Check for updates without installing").option("--force", "Force update even if already at latest version").option("--token <token>", "GitHub token for API access").option("-V, --verbose", "Verbose output").option("-s, --silent", "Suppress all output").action(async (options) => {
+    await updateCommand(version, {
+      check: options.check,
+      force: options.force,
+      token: options.token,
+      verbose: options.verbose,
+      silent: options.silent
+    });
+  });
   program.parse();
 };
 main().catch((error) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rulesync",
-  "version": "6.5.0",
+  "version": "6.6.0",
   "description": "Unified AI rules management CLI tool that generates configuration files for various AI development tools",
   "keywords": [
     "ai",