chore(config): refresh default repository list

Drops the `analysis-ready-code` entry and renames the `infinito-nexus` default to `infinito-nexus/core`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chore(claude): expand permissions and require sandbox
2026-05-12 22:19:03 +02:00 · 2026-05-12 22:18:54 +02:00 · 2026-05-12 22:18:43 +02:00 · 2026-05-12 22:18:31 +02:00 · 2026-05-12 19:54:34 +02:00 · 2026-03-26 17:10:21 +01:00
338 changed files with 11389 additions and 3578 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,16 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(*)"
+    ],
+    "ask": [
+      "Skill(update-config)",
+      "Skill(update-config:*)"
+    ]
+  },
+  "sandbox": {
+    "enabled": true,
+    "failIfUnavailable": true,
+    "autoAllowBashIfSandboxed": true
+  }
+}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,34 +2,72 @@ name: CI

 on:
  push:
-    branches-ignore:
-      - main
+    branches:
+      - '**'
  pull_request:

+permissions:
+  contents: read
+
+concurrency:
+  group: global-ci-${{ github.repository }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
+  security-codeql:
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    uses: ./.github/workflows/security-codeql.yml
+
  test-unit:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-unit.yml

  test-integration:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-integration.yml

  test-env-virtual:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-env-virtual.yml

  test-env-nix:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-env-nix.yml

  test-e2e:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-e2e.yml

  test-virgin-user:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-virgin-user.yml

  test-virgin-root:
+    permissions:
+      contents: read
    uses: ./.github/workflows/test-virgin-root.yml

-  linter-shell:
-    uses: ./.github/workflows/linter-shell.yml
+  lint-shell:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/lint-shell.yml

-  linter-python:
-    uses: ./.github/workflows/linter-python.yml
+  lint-python:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/lint-python.yml
+
+  lint-docker:
+    permissions:
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/lint-docker.yml
--- a/.github/workflows/lint-docker.yml
+++ b/.github/workflows/lint-docker.yml
@@ -0,0 +1,40 @@
+name: Docker Linter
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  lint-docker:
+    name: Lint Dockerfile
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run hadolint (produce SARIF)
+        id: hadolint
+        continue-on-error: true
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5
+        with:
+          dockerfile: ./Dockerfile
+          format: sarif
+          output-file: hadolint-results.sarif
+          failure-threshold: warning
+
+      - name: Upload analysis results to GitHub
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: hadolint-results.sarif
+          wait-for-processing: true
+          category: hadolint
+
+      - name: Fail if SARIF contains warnings or errors
+        if: always()
+        run: python3 src/pkgmgr/github/check_hadolint_sarif.py hadolint-results.sarif
--- a/.github/workflows/linter-python.yml
+++ b/.github/workflows/linter-python.yml
@@ -3,8 +3,11 @@ name: Ruff (Python code sniffer)
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
-  linter-python:
+  lint-python:
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/linter-shell.yml
+++ b/.github/workflows/linter-shell.yml
@@ -3,8 +3,11 @@ name: ShellCheck
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
-  linter-shell:
+  lint-shell:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/mark-stable.yml
+++ b/.github/workflows/mark-stable.yml
@@ -1,110 +1,39 @@
 name: Mark stable commit

+concurrency:
+  group: mark-stable-${{ github.repository }}-main
+  cancel-in-progress: true
+
 on:
  push:
-    branches:
-      - main          # still run tests for main
    tags:
-      - 'v*'          # run tests for version tags (e.g. v0.9.1)
-
+      - 'v*'
 jobs:
-  test-unit:
-    uses: ./.github/workflows/test-unit.yml
-
-  test-integration:
-    uses: ./.github/workflows/test-integration.yml
-
-  test-env-virtual:
-    uses: ./.github/workflows/test-env-virtual.yml
-
-  test-env-nix:
-    uses: ./.github/workflows/test-env-nix.yml
-
-  test-e2e:
-    uses: ./.github/workflows/test-e2e.yml
-
-  test-virgin-user:
-    uses: ./.github/workflows/test-virgin-user.yml
-
-  test-virgin-root:
-    uses: ./.github/workflows/test-virgin-root.yml
-
-  linter-shell:
-    uses: ./.github/workflows/linter-shell.yml
-
-  linter-python:
-    uses: ./.github/workflows/linter-python.yml
-
  mark-stable:
-    needs:
-      - linter-shell
-      - linter-python
-      - test-unit
-      - test-integration
-      - test-env-nix
-      - test-env-virtual
-      - test-e2e
-      - test-virgin-user
-      - test-virgin-root
    runs-on: ubuntu-latest
-
-    # Only run this job if the push is for a version tag (v*)
-    if: startsWith(github.ref, 'refs/tags/v')
+    timeout-minutes: 330

    permissions:
-      contents: write  # Required to move/update the tag
+      actions: read
+      contents: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          fetch-tags: true  # We need all tags for version comparison
+          fetch-tags: true  # We need tags and main history for version comparison
+
+      - name: Check whether tagged commit is on main
+        id: branch-check
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh
+
+      - name: Wait for CI success on main for this commit
+        if: steps.branch-check.outputs.is_on_main == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: bash scripts/github/mark-stable/wait-for-main-ci-success.sh

      - name: Move 'stable' tag only if this version is the highest
-        run: |
-          set -euo pipefail
-
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-          echo "Ref: $GITHUB_REF"
-          echo "SHA: $GITHUB_SHA"
-
-          VERSION="${GITHUB_REF#refs/tags/}"
-          echo "Current version tag: ${VERSION}"
-
-          echo "Collecting all version tags..."
-          ALL_V_TAGS="$(git tag --list 'v*' || true)"
-
-          if [[ -z "${ALL_V_TAGS}" ]]; then
-            echo "No version tags found. Skipping stable update."
-            exit 0
-          fi
-
-          echo "All version tags:"
-          echo "${ALL_V_TAGS}"
-
-          # Determine highest version using natural version sorting
-          LATEST_TAG="$(printf '%s\n' ${ALL_V_TAGS} | sort -V | tail -n1)"
-
-          echo "Highest version tag: ${LATEST_TAG}"
-
-          if [[ "${VERSION}" != "${LATEST_TAG}" ]]; then
-            echo "Current version ${VERSION} is NOT the highest version."
-            echo "Stable tag will NOT be updated."
-            exit 0
-          fi
-
-          echo "Current version ${VERSION} IS the highest version."
-          echo "Updating 'stable' tag..."
-
-          # Delete existing stable tag (local + remote)
-          git tag -d stable 2>/dev/null || true
-          git push origin :refs/tags/stable || true
-
-          # Create new stable tag
-          git tag stable "$GITHUB_SHA"
-          git push origin stable
-
-          echo "✅ Stable tag updated to ${VERSION}."
+        if: steps.branch-check.outputs.is_on_main == 'true'
+        run: bash scripts/github/mark-stable/mark-stable-if-highest-version.sh
--- a/.github/workflows/publish-containers.yml
+++ b/.github/workflows/publish-containers.yml
@@ -21,44 +21,30 @@ jobs:
          fetch-depth: 0

      - name: Checkout workflow_run commit and refresh tags
-        run: |
-          set -euo pipefail
-          git checkout -f "${{ github.event.workflow_run.head_sha }}"
-          git fetch --tags --force
-          git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
+        env:
+          WORKFLOW_RUN_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: bash scripts/github/publish-containers/checkout-workflow-run-commit.sh
+
+      - name: Check whether tagged commit is on main
+        id: branch-check
+        env:
+          TARGET_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: bash scripts/github/common/check-tagged-commit-on-main.sh

      - name: Compute version and stable flag
        id: info
-        run: |
-          set -euo pipefail
-          SHA="$(git rev-parse HEAD)"
-
-          V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
-          if [[ -z "${V_TAG}" ]]; then
-            echo "No version tag found for ${SHA}. Skipping publish."
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          VERSION="${V_TAG#v}"
-
-          STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
-          IS_STABLE=false
-          [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
-
-          echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
+        if: steps.branch-check.outputs.is_on_main == 'true'
+        run: bash scripts/github/publish-containers/compute-publish-container-info.sh

      - name: Set up Docker Buildx
        if: ${{ steps.info.outputs.should_publish == 'true' }}
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
        with:
          use: true

      - name: Login to GHCR
        if: ${{ steps.info.outputs.should_publish == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -66,9 +52,8 @@ jobs:

      - name: Publish all images
        if: ${{ steps.info.outputs.should_publish == 'true' }}
-        run: |
-          set -euo pipefail
-          OWNER="${{ github.repository_owner }}" \
-          VERSION="${{ steps.info.outputs.version }}" \
-          IS_STABLE="${{ steps.info.outputs.is_stable }}" \
-          bash scripts/build/publish.sh
+        env:
+          OWNER: ${{ github.repository_owner }}
+          VERSION: ${{ steps.info.outputs.version }}
+          IS_STABLE: ${{ steps.info.outputs.is_stable }}
+        run: bash scripts/github/publish-containers/publish-container-images.sh
--- a/.github/workflows/security-codeql.yml
+++ b/.github/workflows/security-codeql.yml
@@ -0,0 +1,47 @@
+name: CodeQL Advanced
+
+on:
+  workflow_call:
+
+jobs:
+  analyze:
+    name: Check security
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: python
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended,security-and-quality
+
+      - name: Run manual build steps
+        if: matrix.build-mode == 'manual'
+        shell: bash
+        run: |
+          echo 'If you are using a "manual" build mode for one or more of the' \
+            'languages you are analyzing, replace this with the commands to build' \
+            'your code.'
+          exit 1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
@@ -3,6 +3,9 @@ name: Test End-To-End
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-e2e:
    runs-on: ubuntu-latest
@@ -11,7 +14,9 @@ jobs:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/test-env-nix.yml
+++ b/.github/workflows/test-env-nix.yml
@@ -3,6 +3,9 @@ name: Test Virgin Nix (flake only)
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-env-nix:
    runs-on: ubuntu-latest
@@ -12,7 +15,9 @@ jobs:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/test-env-virtual.yml
+++ b/.github/workflows/test-env-virtual.yml
@@ -3,6 +3,9 @@ name: Test OS Containers
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-env-virtual:
    runs-on: ubuntu-latest
@@ -11,7 +14,9 @@ jobs:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -3,11 +3,16 @@ name: Test Code Integration
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/test-unit.yml
+++ b/.github/workflows/test-unit.yml
@@ -3,11 +3,16 @@ name: Test Units
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-unit:
    runs-on: ubuntu-latest
    timeout-minutes: 30
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/test-virgin-root.yml
+++ b/.github/workflows/test-virgin-root.yml
@@ -3,6 +3,9 @@ name: Test Virgin Root
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-virgin-root:
    runs-on: ubuntu-latest
@@ -11,7 +14,9 @@ jobs:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@@ -19,27 +24,26 @@ jobs:
      - name: Show Docker version
        run: docker version

-      # 🔹 BUILD virgin image if missing
      - name: Build virgin container (${{ matrix.distro }})
        run: |
          set -euo pipefail
          PKGMGR_DISTRO="${{ matrix.distro }}" make build-missing-virgin

-      # 🔹 RUN test inside virgin image
      - name: Virgin ${{ matrix.distro }} pkgmgr test (root)
        run: |
          set -euo pipefail

          docker run --rm \
-            -v "$PWD":/src \
+            -v "$PWD":/opt/src/pkgmgr \
            -v pkgmgr_repos:/root/Repositories \
            -v pkgmgr_pip_cache:/root/.cache/pip \
-            -w /src \
+            -e NIX_CONFIG="${NIX_CONFIG}" \
+            -w /opt/src/pkgmgr \
            "pkgmgr-${{ matrix.distro }}-virgin" \
            bash -lc '
              set -euo pipefail

-              git config --global --add safe.directory /src
+              git config --global --add safe.directory /opt/src/pkgmgr

              make install
              make setup
@@ -50,5 +54,5 @@ jobs:
              pkgmgr version pkgmgr

              echo ">>> Running Nix-based: nix run .#pkgmgr -- version pkgmgr"
-              nix run /src#pkgmgr -- version pkgmgr
+              nix run /opt/src/pkgmgr#pkgmgr -- version pkgmgr
            '
--- a/.github/workflows/test-virgin-user.yml
+++ b/.github/workflows/test-virgin-user.yml
@@ -3,6 +3,9 @@ name: Test Virgin User
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-virgin-user:
    runs-on: ubuntu-latest
@@ -11,7 +14,9 @@ jobs:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
-
+    env:
+      NIX_CONFIG: |
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@@ -19,20 +24,19 @@ jobs:
      - name: Show Docker version
        run: docker version

-      # 🔹 BUILD virgin image if missing
      - name: Build virgin container (${{ matrix.distro }})
        run: |
          set -euo pipefail
          PKGMGR_DISTRO="${{ matrix.distro }}" make build-missing-virgin

-      # 🔹 RUN test inside virgin image as non-root
      - name: Virgin ${{ matrix.distro }} pkgmgr test (user)
        run: |
          set -euo pipefail

          docker run --rm \
-            -v "$PWD":/src \
-            -w /src \
+            -v "$PWD":/opt/src/pkgmgr \
+            -e NIX_CONFIG="${NIX_CONFIG}" \
+            -w /opt/src/pkgmgr \
            "pkgmgr-${{ matrix.distro }}-virgin" \
            bash -lc '
              set -euo pipefail
@@ -42,23 +46,25 @@ jobs:
              useradd -m dev
              echo "dev ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/dev
              chmod 0440 /etc/sudoers.d/dev
-              chown -R dev:dev /src
+              chown -R dev:dev /opt/src/pkgmgr

              mkdir -p /nix/store /nix/var/nix /nix/var/log/nix /nix/var/nix/profiles
              chown -R dev:dev /nix
              chmod 0755 /nix
              chmod 1777 /nix/store
+              sudo -H -u dev env \
+                HOME=/home/dev \
+                NIX_CONFIG="$NIX_CONFIG" \
+                PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 \
+                bash -lc "
+                  set -euo pipefail
+                  cd /opt/src/pkgmgr
+                  make setup-venv
+                  . \"\$HOME/.venvs/pkgmgr/bin/activate\"

-              sudo -H -u dev env HOME=/home/dev PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 bash -lc "
-                set -euo pipefail
-                cd /src
+                  pkgmgr version pkgmgr

-                make setup-venv
-                . \"\$HOME/.venvs/pkgmgr/bin/activate\"
-
-                pkgmgr version pkgmgr
-
-                export NIX_REMOTE=local
-                nix run /src#pkgmgr -- version pkgmgr
-              "
+                  export NIX_REMOTE=local
+                  nix run /opt/src/pkgmgr#pkgmgr -- version pkgmgr
+                "
            '
--- a/.gitignore
+++ b/.gitignore
@@ -24,10 +24,9 @@ package-manager-*
 .DS_Store
 Thumbs.db

-# Nix Cache to speed up tests
+# Nix cache to speed up tests
 .nix/
 .nix-dev-installed
-flake.lock

 # Ignore logs
 *.log
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,188 @@
+## [1.13.3] - 2026-03-26
+
+* CI pipelines now include automated security scanning (CodeQL, Docker lint), increasing detection of vulnerabilities and misconfigurations
+* Workflow permissions were tightened and fixed, ensuring secure and reliable execution of reusable workflows
+* Publishing and “stable” tagging are now restricted to the `main` branch, preventing accidental releases from other branches
+* Stale CI runs are automatically cancelled, reducing wasted resources and speeding up feedback cycles
+* Overall CI reliability and security posture improved, with fewer false positives and more consistent pipeline results
+
+
+## [1.13.2] - 2026-03-26
+
+* Fail fast with a clear error when the Nix bootstrap or nix binary is unavailable instead of continuing with a broken startup path.
+
+
+## [1.13.1] - 2026-03-20
+
+* Fixed misleading GPG verification failures by adding explicit git and gnupg runtime dependencies and surfacing signing-key lookup errors accurately.
+
+
+## [1.13.0] - 2026-03-20
+
+* Set CentOS docker image to latest
+
+
+## [1.12.5] - 2026-02-24
+
+* The stable-tag workflow now waits up to two hours for a successful main-branch CI run on the same commit before updating stable.
+
+
+## [1.12.4] - 2026-02-24
+
+* The release pipeline now updates the stable tag only for v* tags after a successful CI run on main for the same commit, while avoiding duplicate test executions.
+
+
+## [1.12.3] - 2026-02-24
+
+* Stabilized Nix-based builds by switching to nixos-25.11 and committing flake.lock, ensuring reproducible pkgmgr test/runtime environments (with pip) and avoiding transient sphinx/Python 3.11 breakage.
+
+
+## [1.12.2] - 2026-02-24
+
+* Removed infinito-sphinx package
+
+
+## [1.12.1] - 2026-02-14
+
+* pkgmgr now prefers distro-managed nix binaries on Arch before profile/PATH resolution, preventing libllhttp mismatch failures after pacman system upgrades.
+
+
+## [1.12.0] - 2026-02-08
+
+* Adds explicit concurrency groups to the CI and mark-stable workflows to prevent overlapping runs on the same branch and make pipeline execution more predictable.
+
+
+## [1.11.2] - 2026-02-08
+
+* Removes the v* tag trigger from the mark-stable workflow so it runs only on branch pushes and avoids duplicate executions during releases.
+
+
+## [1.11.1] - 2026-02-08
+
+* Implements pushing the branch and the version tag together in a single command so the CI release workflow can reliably detect the version tag on HEAD.
+
+
+## [1.11.0] - 2026-01-21
+
+* Adds a dedicated slim Docker image for pkgmgr and publishes slim variants for all supported distros.
+
+
+## [1.10.0] - 2026-01-20
+
+* Introduce safe verbose image cleanup to reduce Docker image size and build artifacts
+
+## [1.9.5] - 2026-01-16
+
+* Release patch: improve git pull error diagnostics
+
+
+## [1.9.4] - 2026-01-13
+
+* fix(ci): replace sudo with su for user switching to avoid PAM failures in minimal container images
+
+
+## [1.9.3] - 2026-01-07
+
+* Made the Nix dependency optional on non-x86_64 architectures to avoid broken Arch Linux ARM repository packages.
+
+
+## [1.9.2] - 2025-12-21
+
+* Default configuration files are now packaged and loaded correctly when no user config exists, while fully preserving custom user configurations.
+
+
+## [1.9.1] - 2025-12-21
+
+* Fixed installation issues and improved loading of default configuration files.
+
+
+## [1.9.0] - 2025-12-20
+
+* * New ***mirror visibility*** command to set remote Git repositories to ***public*** or ***private***.
+* New ***--public*** flag for ***mirror provision*** to create repositories and immediately make them public.
+* All configured git mirrors are now provisioned.
+
+
+## [1.8.7] - 2025-12-19
+
+* * **Release version updates now correctly modify ***pyproject.toml*** files that follow PEP 621**, ensuring the ***[project].version*** field is updated as expected.
+* **Invalid or incomplete ***pyproject.toml*** files are now handled gracefully** with clear error messages instead of abrupt process termination.
+* **RPM spec files remain compatible during releases**: existing macros such as ***%{?dist}*** are preserved and no longer accidentally modified.
+
+
+## [1.8.6] - 2025-12-17
+
+* Prevent Rate Limits during GitHub Nix Setups
+
+
+## [1.8.5] - 2025-12-17
+
+* * Clearer Git error handling, especially when a directory is not a Git repository.
+* More reliable repository verification with improved commit and GPG signature checks.
+* Better error messages and overall robustness when working with Git-based workflows.
+
+
+## [1.9.0] - 2025-12-17
+
+* Automated release.
+
+
+## [1.8.4] - 2025-12-17
+
+* * Made pkgmgr’s base-layer role explicit by standardizing the Docker/CI mount path to *`/opt/src/pkgmgr`*.
+
+
+## [1.8.3] - 2025-12-16
+
+* MIRRORS now supports plain URL entries, ensuring metadata-only sources like PyPI are recorded without ever being added to the Git configuration.
+
+
+## [1.8.2] - 2025-12-16
+
+* * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+
+## [1.8.1] - 2025-12-16
+
+* * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+
+## [1.8.0] - 2025-12-15
+
+* *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+
+## [1.7.2] - 2025-12-15
+
+* * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+
+## [1.7.1] - 2025-12-14
+
+* Patched package-manager to kpmx to publish on pypi
+
+
+## [1.7.0] - 2025-12-14
+
+* * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
+
 ## [1.6.4] - 2025-12-14

 * * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
--- a/18
+++ b/18
@@ -33,6 +33,7 @@ CMD ["bash"]
 # - inherits from virgin
 # - builds + installs pkgmgr
 # - sets entrypoint + default cmd
+# - NOTE: does NOT run slim.sh (that is done in slim stage)
 # ============================================================
 FROM virgin AS full

@@ -42,14 +43,25 @@ WORKDIR /build
 COPY . .

 # Build and install distro-native package-manager package
-RUN set -euo pipefail; \
+RUN set -eu; \
  echo "Building and installing package-manager via make install..."; \
  make install; \
-  cd /; rm -rf /build
+  rm -rf /build

 # Entry point
 COPY scripts/docker/entry.sh /usr/local/bin/docker-entry.sh

-WORKDIR /src
+WORKDIR /opt/src/pkgmgr
 ENTRYPOINT ["/usr/local/bin/docker-entry.sh"]
 CMD ["pkgmgr", "--help"]
+
+
+# ============================================================
+# Target: slim
+# - based on full
+# - runs slim.sh
+# ============================================================
+FROM full AS slim
+
+COPY scripts/docker/slim.sh /usr/local/bin/slim.sh
+RUN chmod +x /usr/local/bin/slim.sh && /usr/local/bin/slim.sh
--- a/1
+++ b/1
@@ -1,3 +1,4 @@
 git@github.com:kevinveenbirkenbach/package-manager.git
 ssh://git@git.veen.world:2201/kevinveenbirkenbach/pkgmgr.git
 ssh://git@code.infinito.nexus:2201/kevinveenbirkenbach/pkgmgr.git
+https://pypi.org/project/kpmx/
--- a/4
+++ b/4
@@ -10,6 +10,10 @@ DISTROS ?= arch debian ubuntu fedora centos
 PKGMGR_DISTRO ?= arch
 export PKGMGR_DISTRO

+# Nix Config Variable (To avoid rate limit)
+NIX_CONFIG ?=
+export NIX_CONFIG
+
 # ------------------------------------------------------------
 # Base images
 # (kept for documentation/reference; actual build logic is in scripts/build)
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1771714954,
+        "narHash": "sha256-nhZJPnBavtu40/L2aqpljrfUNb2rxmWTmSjK2c9UKds=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "afbbf774e2087c3d734266c22f96fca2e78d3620",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,7 @@
  };

  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
  };

  outputs = { self, nixpkgs }:
@@ -32,7 +32,7 @@
        rec {
          pkgmgr = pyPkgs.buildPythonApplication {
            pname   = "package-manager";
-            version = "1.6.4";
+            version = "1.13.3";

            # Use the git repo as source
            src = ./.;
@@ -40,6 +40,10 @@
            # Build using pyproject.toml
            format = "pyproject";

+            # Clear any stale wheels carried in from the source tree so
+            # pypaInstallPhase doesn't collide on bin/pkgmgr.
+            preBuild = "rm -rf dist";
+
            # Build backend requirements from [build-system]
            nativeBuildInputs = [
              pyPkgs.setuptools
@@ -49,7 +53,10 @@
            # Runtime dependencies (matches [project.dependencies] in pyproject.toml)
            propagatedBuildInputs = [
              pyPkgs.pyyaml
+              pyPkgs.jinja2
              pyPkgs.pip
+              pkgs.git
+              pkgs.gnupg
            ];

            doCheck = false;
@@ -78,6 +85,7 @@
          pythonWithDeps = python.withPackages (ps: [
            ps.pip
            ps.pyyaml
+            ps.jinja2
          ]);
        in
        {
@@ -85,6 +93,7 @@
            buildInputs = [
              pythonWithDeps
              pkgs.git
+              pkgs.gnupg
              ansiblePkg
            ];

--- a/packaging/arch/PKGBUILD
+++ b/packaging/arch/PKGBUILD
@@ -1,15 +1,25 @@
 # Maintainer: Kevin Veen-Birkenbach <info@veen.world>

 pkgname=package-manager
-pkgver=1.6.4
+pkgver=1.13.3
 pkgrel=1
 pkgdesc="Local-flake wrapper for Kevin's package-manager (Nix-based)."
 arch=('any')
 url="https://github.com/kevinveenbirkenbach/package-manager"
 license=('MIT')

-# Nix is the only runtime dependency; Python is provided by the Nix closure.
-depends=('nix')
+# Nix is required at runtime to run pkgmgr via the flake.
+# On Arch x86_64 we can depend on the distro package.
+# On other arches (e.g. ARM) we only declare it as optional because the
+# repo package may be broken/out-of-sync; installation can be done via the official installer.
+depends=()
+optdepends=('nix: required to run pkgmgr via flake')
+
+if [[ "${CARCH}" == "x86_64" ]]; then
+  depends=('nix')
+  optdepends=()
+fi
+
 makedepends=('rsync')

 install=${pkgname}.install
--- a/packaging/arch/package-manager.install
+++ b/packaging/arch/package-manager.install
@@ -1,9 +1,9 @@
 post_install() {
-  /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
+  /usr/lib/package-manager/nix/init.sh
 }

 post_upgrade() {
-  /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
+  /usr/lib/package-manager/nix/init.sh
 }

 post_remove() {
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,3 +1,221 @@
+package-manager (1.13.3-1) unstable; urgency=medium
+
+  * CI pipelines now include automated security scanning (CodeQL, Docker lint), increasing detection of vulnerabilities and misconfigurations
+* Workflow permissions were tightened and fixed, ensuring secure and reliable execution of reusable workflows
+* Publishing and “stable” tagging are now restricted to the `main` branch, preventing accidental releases from other branches
+* Stale CI runs are automatically cancelled, reducing wasted resources and speeding up feedback cycles
+* Overall CI reliability and security posture improved, with fewer false positives and more consistent pipeline results
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Thu, 26 Mar 2026 17:10:21 +0100
+
+package-manager (1.13.2-1) unstable; urgency=medium
+
+  * Fail fast with a clear error when the Nix bootstrap or nix binary is unavailable instead of continuing with a broken startup path.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Thu, 26 Mar 2026 12:26:55 +0100
+
+package-manager (1.13.1-1) unstable; urgency=medium
+
+  * Fixed misleading GPG verification failures by adding explicit git and gnupg runtime dependencies and surfacing signing-key lookup errors accurately.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Fri, 20 Mar 2026 02:57:25 +0100
+
+package-manager (1.13.0-1) unstable; urgency=medium
+
+  * Set CentOS docker image to latest
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Fri, 20 Mar 2026 01:29:38 +0100
+
+package-manager (1.12.5-1) unstable; urgency=medium
+
+  * The stable-tag workflow now waits up to two hours for a successful main-branch CI run on the same commit before updating stable.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 24 Feb 2026 09:35:39 +0100
+
+package-manager (1.12.4-1) unstable; urgency=medium
+
+  * The release pipeline now updates the stable tag only for v* tags after a successful CI run on main for the same commit, while avoiding duplicate test executions.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 24 Feb 2026 09:32:01 +0100
+
+package-manager (1.12.3-1) unstable; urgency=medium
+
+  * Stabilized Nix-based builds by switching to nixos-25.11 and committing flake.lock, ensuring reproducible pkgmgr test/runtime environments (with pip) and avoiding transient sphinx/Python 3.11 breakage.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 24 Feb 2026 08:29:34 +0100
+
+package-manager (1.12.2-1) unstable; urgency=medium
+
+  * Removed infinito-sphinx package
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 24 Feb 2026 07:40:55 +0100
+
+package-manager (1.12.1-1) unstable; urgency=medium
+
+  * pkgmgr now prefers distro-managed nix binaries on Arch before profile/PATH resolution, preventing libllhttp mismatch failures after pacman system upgrades.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sat, 14 Feb 2026 23:26:17 +0100
+
+package-manager (1.12.0-1) unstable; urgency=medium
+
+  * Adds explicit concurrency groups to the CI and mark-stable workflows to prevent overlapping runs on the same branch and make pipeline execution more predictable.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 08 Feb 2026 18:26:25 +0100
+
+package-manager (1.11.2-1) unstable; urgency=medium
+
+  * Removes the v* tag trigger from the mark-stable workflow so it runs only on branch pushes and avoids duplicate executions during releases.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 08 Feb 2026 18:21:50 +0100
+
+package-manager (1.11.1-1) unstable; urgency=medium
+
+  * Implements pushing the branch and the version tag together in a single command so the CI release workflow can reliably detect the version tag on HEAD.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 08 Feb 2026 18:18:09 +0100
+
+package-manager (1.11.0-1) unstable; urgency=medium
+
+  * Adds a dedicated slim Docker image for pkgmgr and publishes slim variants for all supported distros.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 21 Jan 2026 01:18:31 +0100
+
+package-manager (1.10.0-1) unstable; urgency=medium
+
+  * Automated release.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 20 Jan 2026 10:44:58 +0100
+
+package-manager (1.9.5-1) unstable; urgency=medium
+
+  * Release patch: improve git pull error diagnostics
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Fri, 16 Jan 2026 10:09:43 +0100
+
+package-manager (1.9.4-1) unstable; urgency=medium
+
+  * fix(ci): replace sudo with su for user switching to avoid PAM failures in minimal container images
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 13 Jan 2026 14:48:50 +0100
+
+package-manager (1.9.3-1) unstable; urgency=medium
+
+  * Made the Nix dependency optional on non-x86_64 architectures to avoid broken Arch Linux ARM repository packages.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 07 Jan 2026 13:44:40 +0100
+
+package-manager (1.9.2-1) unstable; urgency=medium
+
+  * Default configuration files are now packaged and loaded correctly when no user config exists, while fully preserving custom user configurations.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 21 Dec 2025 15:30:22 +0100
+
+package-manager (1.9.1-1) unstable; urgency=medium
+
+  * Fixed installation issues and improved loading of default configuration files.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 21 Dec 2025 13:38:58 +0100
+
+package-manager (1.9.0-1) unstable; urgency=medium
+
+  * * New ***mirror visibility*** command to set remote Git repositories to ***public*** or ***private***.
+* New ***--public*** flag for ***mirror provision*** to create repositories and immediately make them public.
+* All configured git mirrors are now provisioned.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sat, 20 Dec 2025 14:37:58 +0100
+
+package-manager (1.8.7-1) unstable; urgency=medium
+
+  * * **Release version updates now correctly modify ***pyproject.toml*** files that follow PEP 621**, ensuring the ***[project].version*** field is updated as expected.
+* **Invalid or incomplete ***pyproject.toml*** files are now handled gracefully** with clear error messages instead of abrupt process termination.
+* **RPM spec files remain compatible during releases**: existing macros such as ***%{?dist}*** are preserved and no longer accidentally modified.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Fri, 19 Dec 2025 14:15:47 +0100
+
+package-manager (1.8.6-1) unstable; urgency=medium
+
+  * Prevent Rate Limits during GitHub Nix Setups
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 17 Dec 2025 23:50:31 +0100
+
+package-manager (1.8.5-1) unstable; urgency=medium
+
+  * * Clearer Git error handling, especially when a directory is not a Git repository.
+* More reliable repository verification with improved commit and GPG signature checks.
+* Better error messages and overall robustness when working with Git-based workflows.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 17 Dec 2025 22:15:48 +0100
+
+package-manager (1.9.0-1) unstable; urgency=medium
+
+  * Automated release.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 17 Dec 2025 22:10:31 +0100
+
+package-manager (1.8.4-1) unstable; urgency=medium
+
+  * * Made pkgmgr’s base-layer role explicit by standardizing the Docker/CI mount path to *`/opt/src/pkgmgr`*.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Wed, 17 Dec 2025 11:20:16 +0100
+
+package-manager (1.8.3-1) unstable; urgency=medium
+
+  * MIRRORS now supports plain URL entries, ensuring metadata-only sources like PyPI are recorded without ever being added to the Git configuration.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 16 Dec 2025 19:49:51 +0100
+
+package-manager (1.8.2-1) unstable; urgency=medium
+
+  * * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 16 Dec 2025 19:22:41 +0100
+
+package-manager (1.8.1-1) unstable; urgency=medium
+
+  * * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 16 Dec 2025 18:06:35 +0100
+
+package-manager (1.8.0-1) unstable; urgency=medium
+
+  * *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Mon, 15 Dec 2025 13:37:42 +0100
+
+package-manager (1.7.2-1) unstable; urgency=medium
+
+  * * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Mon, 15 Dec 2025 00:53:26 +0100
+
+package-manager (1.7.1-1) unstable; urgency=medium
+
+  * Patched package-manager to kpmx to publish on pypi
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 21:19:11 +0100
+
+package-manager (1.7.0-1) unstable; urgency=medium
+
+  * * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 21:10:06 +0100
+
 package-manager (1.6.4-1) unstable; urgency=medium

  * * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
--- a/packaging/debian/postinst
+++ b/packaging/debian/postinst
@@ -3,7 +3,7 @@ set -e

 case "$1" in
    configure)
-        /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
+        /usr/lib/package-manager/nix/init.sh
        ;;
 esac

--- a/packaging/fedora/package-manager.spec
+++ b/packaging/fedora/package-manager.spec
@@ -1,5 +1,5 @@
 Name:           package-manager
-Version:        1.6.4
+Version:        1.13.3
 Release:        1%{?dist}
 Summary:        Wrapper that runs Kevin's package-manager via Nix flake

@@ -62,7 +62,7 @@ rm -rf \
  %{buildroot}/usr/lib/package-manager/.gitkeep || true

 %post
-/usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
+/usr/lib/package-manager/nix/init.sh

 %postun
 echo ">>> package-manager removed. Nix itself was not removed."
@@ -74,6 +74,128 @@ echo ">>> package-manager removed. Nix itself was not removed."
 /usr/lib/package-manager/

 %changelog
+* Thu Mar 26 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.13.3-1
+- CI pipelines now include automated security scanning (CodeQL, Docker lint), increasing detection of vulnerabilities and misconfigurations
+* Workflow permissions were tightened and fixed, ensuring secure and reliable execution of reusable workflows
+* Publishing and “stable” tagging are now restricted to the `main` branch, preventing accidental releases from other branches
+* Stale CI runs are automatically cancelled, reducing wasted resources and speeding up feedback cycles
+* Overall CI reliability and security posture improved, with fewer false positives and more consistent pipeline results
+
+* Thu Mar 26 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.13.2-1
+- Fail fast with a clear error when the Nix bootstrap or nix binary is unavailable instead of continuing with a broken startup path.
+
+* Fri Mar 20 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.13.1-1
+- Fixed misleading GPG verification failures by adding explicit git and gnupg runtime dependencies and surfacing signing-key lookup errors accurately.
+
+* Fri Mar 20 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.13.0-1
+- Set CentOS docker image to latest
+
+* Tue Feb 24 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.5-1
+- The stable-tag workflow now waits up to two hours for a successful main-branch CI run on the same commit before updating stable.
+
+* Tue Feb 24 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.4-1
+- The release pipeline now updates the stable tag only for v* tags after a successful CI run on main for the same commit, while avoiding duplicate test executions.
+
+* Tue Feb 24 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.3-1
+- Stabilized Nix-based builds by switching to nixos-25.11 and committing flake.lock, ensuring reproducible pkgmgr test/runtime environments (with pip) and avoiding transient sphinx/Python 3.11 breakage.
+
+* Tue Feb 24 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.2-1
+- Removed infinito-sphinx package
+
+* Sat Feb 14 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.1-1
+- pkgmgr now prefers distro-managed nix binaries on Arch before profile/PATH resolution, preventing libllhttp mismatch failures after pacman system upgrades.
+
+* Sun Feb 08 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.12.0-1
+- Adds explicit concurrency groups to the CI and mark-stable workflows to prevent overlapping runs on the same branch and make pipeline execution more predictable.
+
+* Sun Feb 08 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.11.2-1
+- Removes the v* tag trigger from the mark-stable workflow so it runs only on branch pushes and avoids duplicate executions during releases.
+
+* Sun Feb 08 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.11.1-1
+- Implements pushing the branch and the version tag together in a single command so the CI release workflow can reliably detect the version tag on HEAD.
+
+* Wed Jan 21 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.11.0-1
+- Adds a dedicated slim Docker image for pkgmgr and publishes slim variants for all supported distros.
+
+* Tue Jan 20 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.10.0-1
+- Automated release.
+
+* Fri Jan 16 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.5-1
+- Release patch: improve git pull error diagnostics
+
+* Tue Jan 13 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.4-1
+- fix(ci): replace sudo with su for user switching to avoid PAM failures in minimal container images
+
+* Wed Jan 07 2026 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.3-1
+- Made the Nix dependency optional on non-x86_64 architectures to avoid broken Arch Linux ARM repository packages.
+
+* Sun Dec 21 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.2-1
+- Default configuration files are now packaged and loaded correctly when no user config exists, while fully preserving custom user configurations.
+
+* Sun Dec 21 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.1-1
+- Fixed installation issues and improved loading of default configuration files.
+
+* Sat Dec 20 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.0-1
+- * New ***mirror visibility*** command to set remote Git repositories to ***public*** or ***private***.
+* New ***--public*** flag for ***mirror provision*** to create repositories and immediately make them public.
+* All configured git mirrors are now provisioned.
+
+* Fri Dec 19 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.7-1
+- * **Release version updates now correctly modify ***pyproject.toml*** files that follow PEP 621**, ensuring the ***[project].version*** field is updated as expected.
+* **Invalid or incomplete ***pyproject.toml*** files are now handled gracefully** with clear error messages instead of abrupt process termination.
+* **RPM spec files remain compatible during releases**: existing macros such as ***%{?dist}*** are preserved and no longer accidentally modified.
+
+* Wed Dec 17 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.6-1
+- Prevent Rate Limits during GitHub Nix Setups
+
+* Wed Dec 17 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.5-1
+- * Clearer Git error handling, especially when a directory is not a Git repository.
+* More reliable repository verification with improved commit and GPG signature checks.
+* Better error messages and overall robustness when working with Git-based workflows.
+
+* Wed Dec 17 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.9.0-1
+- Automated release.
+
+* Wed Dec 17 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.4-1
+- * Made pkgmgr’s base-layer role explicit by standardizing the Docker/CI mount path to *`/opt/src/pkgmgr`*.
+
+* Tue Dec 16 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.3-1
+- MIRRORS now supports plain URL entries, ensuring metadata-only sources like PyPI are recorded without ever being added to the Git configuration.
+
+* Tue Dec 16 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.2-1
+- * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+* Tue Dec 16 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.1-1
+- * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+* Mon Dec 15 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.0-1
+- *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+* Mon Dec 15 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.2-1
+- * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.1-1
+- Patched package-manager to kpmx to publish on pypi
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.0-1
+- * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
 * Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.6.4-1
 - * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
 * More stable launcher behavior in packaged and virtual-env setups.
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,8 +6,8 @@ requires = [
 build-backend = "setuptools.build_meta"

 [project]
-name = "package-manager"
-version = "1.6.4"
+name = "kpmx"
+version = "1.13.3"
 description = "Kevin's package-manager tool (pkgmgr)"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -21,6 +21,7 @@ authors = [
 dependencies = [
  "PyYAML>=6.0",
  "tomli; python_version < \"3.11\"",
+  "jinja2>=3.1"
 ]

 [project.urls]
@@ -42,11 +43,12 @@ pkgmgr = "pkgmgr.cli:main"
 # -----------------------------
 # Source layout: all packages live under "src/"
 [tool.setuptools]
-package-dir = { "" = "src", "config" = "config" }
+package-dir = { "" = "src" }
+include-package-data = true

 [tool.setuptools.packages.find]
-where = ["src", "."]
-include = ["pkgmgr*", "config*"]
+where = ["src"]
+include = ["pkgmgr*"]

 [tool.setuptools.package-data]
-"config" = ["defaults.yaml"]
+"pkgmgr.config" = ["*.yml", "*.yaml"]
--- a/scripts/build/base.sh
+++ b/scripts/build/base.sh
@@ -5,7 +5,7 @@ set -euo pipefail
 : "${BASE_IMAGE_DEBIAN:=debian:stable-slim}"
 : "${BASE_IMAGE_UBUNTU:=ubuntu:latest}"
 : "${BASE_IMAGE_FEDORA:=fedora:latest}"
-: "${BASE_IMAGE_CENTOS:=quay.io/centos/centos:stream9}"
+: "${BASE_IMAGE_CENTOS:=quay.io/centos/centos:latest}"

 resolve_base_image() {
  local PKGMGR_DISTRO="$1"
--- a/scripts/build/image.sh
+++ b/scripts/build/image.sh
@@ -33,7 +33,7 @@ Usage: PKGMGR_DISTRO=<distro> $0 [options]
 Build options:
  --missing             Build only if the image does not already exist (local build only)
  --no-cache            Build with --no-cache
-  --target <name>       Build a specific Dockerfile target (e.g. virgin)
+  --target <name>       Build a specific Dockerfile target (e.g. virgin, slim)
  --tag <image>         Override the output image tag (default: ${default_tag})

 Publish options:
@@ -47,7 +47,7 @@ Publish options:

 Notes:
 - --publish implies --push and requires --registry, --owner, and --version.
- Local build (no --push) uses "docker build" and creates local images like "pkgmgr-arch" / "pkgmgr-arch-virgin".
+- Local build (no --push) uses "docker build" and creates local images like "pkgmgr-arch" / "pkgmgr-arch-virgin" / "pkgmgr-arch-slim".
 EOF
 }

@@ -57,7 +57,7 @@ while [[ $# -gt 0 ]]; do
    --missing)  MISSING_ONLY=1; shift ;;
    --target)
      TARGET="${2:-}"
-      [[ -n "${TARGET}" ]] || { echo "ERROR: --target requires a value (e.g. virgin)"; exit 2; }
+      [[ -n "${TARGET}" ]] || { echo "ERROR: --target requires a value (e.g. virgin|slim)"; exit 2; }
      shift 2
      ;;
    --tag)
--- a/scripts/build/publish.sh
+++ b/scripts/build/publish.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail

-# Publish all distro images (full + virgin) to a registry via image.sh --publish
+# Publish all distro images (full + virgin + slim) to a registry via image.sh --publish
 #
 # Required env:
 #   OWNER      (e.g. GITHUB_REPOSITORY_OWNER)
@@ -11,6 +11,9 @@ set -euo pipefail
 #   REGISTRY   (default: ghcr.io)
 #   IS_STABLE  (default: false)
 #   DISTROS    (default: "arch debian ubuntu fedora centos")
+#
+# Notes:
+# - This expects Dockerfile targets: virgin, full (default), slim

 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

@@ -33,7 +36,10 @@ for d in ${DISTROS}; do
  echo "[publish] PKGMGR_DISTRO=${d}"
  echo "============================================================"

+  # ----------------------------------------------------------
  # virgin
+  # -> ghcr.io/<owner>/pkgmgr-<distro>-virgin:{latest,<version>,stable?}
+  # ----------------------------------------------------------
  PKGMGR_DISTRO="${d}" bash "${SCRIPT_DIR}/image.sh" \
    --publish \
    --registry "${REGISTRY}" \
@@ -42,13 +48,29 @@ for d in ${DISTROS}; do
    --stable "${IS_STABLE}" \
    --target virgin

+  # ----------------------------------------------------------
  # full (default target)
+  # -> ghcr.io/<owner>/pkgmgr-<distro>:{latest,<version>,stable?}
+  # ----------------------------------------------------------
  PKGMGR_DISTRO="${d}" bash "${SCRIPT_DIR}/image.sh" \
    --publish \
    --registry "${REGISTRY}" \
    --owner "${OWNER}" \
    --version "${VERSION}" \
    --stable "${IS_STABLE}"
+
+  # ----------------------------------------------------------
+  # slim
+  # -> ghcr.io/<owner>/pkgmgr-<distro>-slim:{latest,<version>,stable?}
+  # + alias for default distro: ghcr.io/<owner>/pkgmgr-slim:{...}
+  # ----------------------------------------------------------
+  PKGMGR_DISTRO="${d}" bash "${SCRIPT_DIR}/image.sh" \
+    --publish \
+    --registry "${REGISTRY}" \
+    --owner "${OWNER}" \
+    --version "${VERSION}" \
+    --stable "${IS_STABLE}" \
+    --target slim
 done

 echo
--- a/scripts/docker/entry.sh
+++ b/scripts/docker/entry.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail

-echo "[docker] Starting package-manager container"
+echo "[docker-pkgmgr] Starting package-manager container"

 # ---------------------------------------------------------------------------
 # Log distribution info
@@ -9,19 +9,19 @@ echo "[docker] Starting package-manager container"
 if [[ -f /etc/os-release ]]; then
  # shellcheck disable=SC1091
  . /etc/os-release
-  echo "[docker] Detected distro: ${ID:-unknown} (like: ${ID_LIKE:-})"
+  echo "[docker-pkgmgr] Detected distro: ${ID:-unknown} (like: ${ID_LIKE:-})"
 fi

-# Always use /src (mounted from host) as working directory
-echo "[docker] Using /src as working directory"
-cd /src
+# Always use /opt/src/pkgmgr (mounted from host) as working directory
+echo "[docker-pkgmgr] Using /opt/src/pkgmgr as working directory"
+cd /opt/src/pkgmgr

 # ---------------------------------------------------------------------------
-# DEV mode: rebuild package-manager from the mounted /src tree
+# DEV mode: rebuild package-manager from the mounted /opt/src/pkgmgr tree
 # ---------------------------------------------------------------------------
 if [[ "${REINSTALL_PKGMGR:-0}" == "1" ]]; then
-  echo "[docker] DEV mode enabled (REINSTALL_PKGMGR=1)"
-  echo "[docker] Rebuilding package-manager from /src via scripts/installation/package.sh..."
+  echo "[docker-pkgmgr] DEV mode enabled (REINSTALL_PKGMGR=1)"
+  echo "[docker-pkgmgr] Rebuilding package-manager from /opt/src/pkgmgr via scripts/installation/package.sh..."
  bash scripts/installation/package.sh || exit 1
 fi

@@ -29,9 +29,9 @@ fi
 # Hand off to pkgmgr or arbitrary command
 # ---------------------------------------------------------------------------
 if [[ $# -eq 0 ]]; then
-  echo "[docker] No arguments provided. Showing pkgmgr help..."
+  echo "[docker-pkgmgr] No arguments provided. Showing pkgmgr help..."
  exec pkgmgr --help
 else
-  echo "[docker] Executing command: $*"
+  echo "[docker-pkgmgr] Executing command: $*"
  exec "$@"
 fi
--- a/scripts/docker/slim.sh
+++ b/scripts/docker/slim.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log()  { echo "[cleanup] $*"; }
+warn() { echo "[cleanup][WARN] $*" >&2; }
+
+MODE="${MODE:-safe}" # safe | aggressive
+# safe: caches/logs/tmp only
+# aggressive: safe + docs/man/info (optional)
+
+ID="unknown"
+if [ -f /etc/os-release ]; then
+  # shellcheck disable=SC1091
+  . /etc/os-release
+  ID="${ID:-unknown}"
+fi
+
+log "Starting image cleanup"
+log "Mode: ${MODE}"
+log "Detected OS: ${ID}"
+
+# ------------------------------------------------------------
+# Package manager caches (SAFE)
+# ------------------------------------------------------------
+case "${ID}" in
+  alpine)
+    log "Cleaning apk cache"
+    if [ -d /var/cache/apk ]; then
+      du -sh /var/cache/apk || true
+      rm -rvf /var/cache/apk/* || true
+    else
+      log "apk cache directory not present (already clean)"
+    fi
+    ;;
+  arch)
+    log "Cleaning pacman cache"
+    du -sh /var/cache/pacman/pkg 2>/dev/null || true
+    pacman -Scc --noconfirm || true
+    rm -rvf /var/cache/pacman/pkg/* || true
+    ;;
+  debian|ubuntu)
+    log "Cleaning apt cache"
+    du -sh /var/lib/apt/lists 2>/dev/null || true
+    apt-get clean || true
+    rm -rvf /var/lib/apt/lists/* || true
+    ;;
+  fedora)
+    log "Cleaning dnf cache"
+    du -sh /var/cache/dnf 2>/dev/null || true
+    dnf clean all || true
+    rm -rvf /var/cache/dnf/* || true
+    ;;
+  centos|rhel)
+    log "Cleaning yum/dnf cache"
+    du -sh /var/cache/yum /var/cache/dnf 2>/dev/null || true
+    (command -v dnf >/dev/null 2>&1 && dnf clean all) || true
+    (command -v yum >/dev/null 2>&1 && yum clean all) || true
+    rm -rvf /var/cache/yum/* /var/cache/dnf/* || true
+    ;;
+  *)
+    warn "Unknown distro '${ID}' — skipping package manager cleanup"
+    ;;
+esac
+
+# ------------------------------------------------------------
+# Python caches (SAFE)
+# ------------------------------------------------------------
+log "Cleaning pip cache"
+du -sh /root/.cache/pip 2>/dev/null || true
+rm -rvf /root/.cache/pip 2>/dev/null || true
+rm -rvf /home/*/.cache/pip 2>/dev/null || true
+
+log "Cleaning __pycache__ directories"
+find /opt /usr /root /home -type d -name "__pycache__" -print -prune 2>/dev/null || true
+find /opt /usr /root /home -type d -name "__pycache__" -prune -exec rm -rvf {} + 2>/dev/null || true
+
+# ------------------------------------------------------------
+# Logs (SAFE)
+# ------------------------------------------------------------
+log "Truncating log files (keeping paths intact)"
+if [ -d /var/log ]; then
+  find /var/log -type f -name "*.log" -print 2>/dev/null || true
+  find /var/log -type f -name "*.log" -exec sh -lc ': > "$1" 2>/dev/null || true' _ {} \; 2>/dev/null || true
+  
+  find /var/log -type f -name "*.out" -print 2>/dev/null || true
+  find /var/log -type f -name "*.out" -exec sh -lc ': > "$1" 2>/dev/null || true' _ {} \; 2>/dev/null || true
+fi
+
+if command -v journalctl >/dev/null 2>&1; then
+  log "Vacuuming journald logs"
+  journalctl --disk-usage || true
+  journalctl --vacuum-size=10M || true
+  journalctl --vacuum-time=1s || true
+  journalctl --disk-usage || true
+else
+  log "journald not present (skipping)"
+fi
+
+# ------------------------------------------------------------
+# Temporary files (SAFE)
+# ------------------------------------------------------------
+log "Cleaning temporary directories"
+if [ -d /tmp ]; then
+  du -sh /tmp 2>/dev/null || true
+  rm -rvf /tmp/* || true
+fi
+
+if [ -d /var/tmp ]; then
+  du -sh /var/tmp 2>/dev/null || true
+  rm -rvf /var/tmp/* || true
+fi
+
+# ------------------------------------------------------------
+# Generic caches (SAFE)
+# ------------------------------------------------------------
+log "Cleaning generic caches"
+du -sh /root/.cache 2>/dev/null || true
+rm -rvf /root/.cache/* 2>/dev/null || true
+rm -rvf /home/*/.cache/* 2>/dev/null || true
+
+# ------------------------------------------------------------
+# Optional aggressive extras (still safe for runtime)
+# ------------------------------------------------------------
+if [[ "${MODE}" == "aggressive" ]]; then
+  log "Aggressive mode enabled: removing docs/man/info"
+  du -sh /usr/share/doc /usr/share/man /usr/share/info 2>/dev/null || true
+  rm -rvf /usr/share/doc/* /usr/share/man/* /usr/share/info/* 2>/dev/null || true
+fi
+
+log "Cleanup finished successfully"
--- a/scripts/github/common/check-tagged-commit-on-main.sh
+++ b/scripts/github/common/check-tagged-commit-on-main.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_SHA="${TARGET_SHA:-${GITHUB_SHA:?GITHUB_SHA must be set}}"
+
+git fetch --no-tags origin main
+
+if git merge-base --is-ancestor "${TARGET_SHA}" "origin/main"; then
+  echo "is_on_main=true" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is contained in origin/main."
+else
+  echo "is_on_main=false" >> "$GITHUB_OUTPUT"
+  echo "Target commit ${TARGET_SHA} is not contained in origin/main. Skipping main-only action."
+fi
--- a/scripts/github/mark-stable/mark-stable-if-highest-version.sh
+++ b/scripts/github/mark-stable/mark-stable-if-highest-version.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+git config user.name "github-actions[bot]"
+git config user.email "github-actions[bot]@users.noreply.github.com"
+
+echo "Ref: $GITHUB_REF"
+echo "SHA: $GITHUB_SHA"
+
+VERSION="${GITHUB_REF#refs/tags/}"
+echo "Current version tag: ${VERSION}"
+
+echo "Collecting all version tags..."
+ALL_V_TAGS="$(git tag --list 'v*' || true)"
+
+if [[ -z "${ALL_V_TAGS}" ]]; then
+  echo "No version tags found. Skipping stable update."
+  exit 0
+fi
+
+echo "All version tags:"
+echo "${ALL_V_TAGS}"
+
+LATEST_TAG="$(printf '%s\n' "${ALL_V_TAGS}" | sort -V | tail -n1)"
+
+echo "Highest version tag: ${LATEST_TAG}"
+
+if [[ "${VERSION}" != "${LATEST_TAG}" ]]; then
+  echo "Current version ${VERSION} is NOT the highest version."
+  echo "Stable tag will NOT be updated."
+  exit 0
+fi
+
+echo "Current version ${VERSION} IS the highest version."
+echo "Updating 'stable' tag..."
+
+git tag -d stable 2>/dev/null || true
+git push origin :refs/tags/stable || true
+
+git tag stable "$GITHUB_SHA"
+git push origin stable
+
+echo "Stable tag updated to ${VERSION}."
--- a/scripts/github/mark-stable/wait-for-main-ci-success.sh
+++ b/scripts/github/mark-stable/wait-for-main-ci-success.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHA="${GITHUB_SHA}"
+API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows/ci.yml/runs?head_sha=${SHA}&event=push&per_page=20"
+WAIT_INTERVAL_SECONDS=20
+MAX_ATTEMPTS=990 # 5 hours 30 minutes max wait
+
+STATUS=""
+CONCLUSION=""
+
+echo "Waiting for CI on main for ${SHA} (up to 5 hours 30 minutes)..."
+for attempt in $(seq 1 "${MAX_ATTEMPTS}"); do
+  RESPONSE="$(curl -fsSL \
+    -H "Authorization: Bearer ${GH_TOKEN}" \
+    -H "Accept: application/vnd.github+json" \
+    "${API_URL}")"
+
+  STATUS="$(printf '%s' "${RESPONSE}" | jq -r '.workflow_runs[] | select(.head_branch=="main") | .status' | head -n1)"
+  CONCLUSION="$(printf '%s' "${RESPONSE}" | jq -r '.workflow_runs[] | select(.head_branch=="main") | .conclusion' | head -n1)"
+
+  if [[ -n "${STATUS}" ]]; then
+    echo "CI status=${STATUS} conclusion=${CONCLUSION:-none} (attempt ${attempt}/${MAX_ATTEMPTS})"
+  else
+    echo "No CI run for main found yet (attempt ${attempt}/${MAX_ATTEMPTS})"
+  fi
+
+  if [[ "${STATUS}" == "completed" ]]; then
+    if [[ "${CONCLUSION}" == "success" ]]; then
+      echo "CI succeeded for ${SHA}."
+      break
+    fi
+    echo "CI failed for ${SHA} (conclusion=${CONCLUSION})."
+    exit 1
+  fi
+
+  sleep "${WAIT_INTERVAL_SECONDS}"
+done
+
+if [[ "${STATUS}" != "completed" || "${CONCLUSION}" != "success" ]]; then
+  echo "Timed out waiting for successful CI on main for ${SHA}."
+  exit 1
+fi
--- a/scripts/github/publish-containers/checkout-workflow-run-commit.sh
+++ b/scripts/github/publish-containers/checkout-workflow-run-commit.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WORKFLOW_RUN_SHA="${WORKFLOW_RUN_SHA:?WORKFLOW_RUN_SHA must be set}"
+
+git checkout -f "${WORKFLOW_RUN_SHA}"
+git fetch --tags --force
+git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
--- a/scripts/github/publish-containers/compute-publish-container-info.sh
+++ b/scripts/github/publish-containers/compute-publish-container-info.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SHA="$(git rev-parse HEAD)"
+
+V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
+if [[ -z "${V_TAG}" ]]; then
+  echo "No version tag found for ${SHA}. Skipping publish."
+  echo "should_publish=false" >> "$GITHUB_OUTPUT"
+  exit 0
+fi
+
+VERSION="${V_TAG#v}"
+
+STABLE_SHA="$(git rev-parse -q --verify 'refs/tags/stable^{commit}' 2>/dev/null || true)"
+IS_STABLE=false
+[[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
+
+{
+  echo "should_publish=true"
+  echo "version=${VERSION}"
+  echo "is_stable=${IS_STABLE}"
+} >> "$GITHUB_OUTPUT"
--- a/scripts/github/publish-containers/publish-container-images.sh
+++ b/scripts/github/publish-containers/publish-container-images.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${OWNER:?OWNER must be set}"
+: "${VERSION:?VERSION must be set}"
+: "${IS_STABLE:?IS_STABLE must be set}"
+
+bash scripts/build/publish.sh
--- a/scripts/installation/arch/aur-builder-setup.sh
+++ b/scripts/installation/arch/aur-builder-setup.sh
@@ -38,11 +38,7 @@ echo "[aur-builder-setup] Configuring sudoers for aur_builder..."
 ${ROOT_CMD} bash -c "echo '%aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman' > /etc/sudoers.d/aur_builder"
 ${ROOT_CMD} chmod 0440 /etc/sudoers.d/aur_builder

-if command -v sudo >/dev/null 2>&1; then
-  RUN_AS_AUR=(sudo -u aur_builder bash -lc)
-else
-  RUN_AS_AUR=(su - aur_builder -c)
-fi
+RUN_AS_AUR=(su - aur_builder -s /bin/bash -c)

 echo "[aur-builder-setup] Ensuring yay is installed for aur_builder..."

--- a/scripts/installation/arch/dependencies.sh
+++ b/scripts/installation/arch/dependencies.sh
@@ -6,13 +6,22 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 echo "[arch/dependencies] Installing Arch build dependencies..."

 pacman -Syu --noconfirm
+
+if ! pacman-key --list-sigs &>/dev/null; then
+    echo "[arch/dependencies] Initializing pacman keyring..."
+    pacman-key --init
+    pacman-key --populate archlinux
+fi
+
 pacman -S --noconfirm --needed \
  base-devel \
  git \
+  gnupg \
  rsync \
  curl \
  ca-certificates \
  python \
+  python-pip \
  xz

 pacman -Scc --noconfirm
--- a/scripts/installation/arch/package.sh
+++ b/scripts/installation/arch/package.sh
@@ -6,7 +6,7 @@ echo "[arch/package] Building Arch package (makepkg --nodeps) in an isolated bui
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"

-# We must not build inside /src (mounted repo). Build in /tmp to avoid permission issues.
+# We must not build inside /opt/src/pkgmgr (mounted repo). Build in /tmp to avoid permission issues.
 BUILD_ROOT="/tmp/package-manager-arch-build"
 PKG_SRC_DIR="${PROJECT_ROOT}/packaging/arch"
 PKG_BUILD_DIR="${BUILD_ROOT}/packaging/arch"
--- a/scripts/installation/centos/dependencies.sh
+++ b/scripts/installation/centos/dependencies.sh
@@ -6,6 +6,7 @@ echo "[centos/dependencies] Installing CentOS build dependencies..."
 dnf -y update
 dnf -y install \
  git \
+  gnupg2 \
  rsync \
  rpm-build \
  make \
@@ -14,6 +15,7 @@ dnf -y install \
  curl-minimal \
  ca-certificates \
  python3 \
+  python3-pip \
  sudo \
  xz

--- a/scripts/installation/debian/dependencies.sh
+++ b/scripts/installation/debian/dependencies.sh
@@ -9,12 +9,14 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  debhelper \
  dpkg-dev \
  git \
+  gnupg \
  rsync \
  bash \
  curl \
  ca-certificates \
  python3 \
  python3-venv \
+  python3-pip \
  xz-utils

 rm -rf /var/lib/apt/lists/*
--- a/scripts/installation/fedora/dependencies.sh
+++ b/scripts/installation/fedora/dependencies.sh
@@ -6,6 +6,7 @@ echo "[fedora/dependencies] Installing Fedora build dependencies..."
 dnf -y update
 dnf -y install \
  git \
+  gnupg2 \
  rsync \
  rpm-build \
  make \
@@ -14,6 +15,7 @@ dnf -y install \
  curl \
  ca-certificates \
  python3 \
+  python3-pip \
  xz

 dnf clean all
--- a/scripts/installation/ubuntu/dependencies.sh
+++ b/scripts/installation/ubuntu/dependencies.sh
@@ -9,6 +9,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  debhelper \
  dpkg-dev \
  git \
+  gnupg \
  tzdata \
  lsb-release \
  rsync \
@@ -17,6 +18,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  make \
  python3 \
  python3-venv \
+  python3-pip \
  ca-certificates \
  xz-utils

--- a/scripts/launcher.sh
+++ b/scripts/launcher.sh
@@ -37,10 +37,16 @@ fi
 # ---------------------------------------------------------------------------
 if ! command -v nix >/dev/null 2>&1; then
  if [[ -x "${FLAKE_DIR}/nix/init.sh" ]]; then
-    "${FLAKE_DIR}/nix/init.sh" || true
+    "${FLAKE_DIR}/nix/init.sh"
  fi
 fi

+if ! command -v nix >/dev/null 2>&1; then
+  echo "[launcher] ERROR: 'nix' binary not found on PATH after init." >&2
+  echo "[launcher] Nix is required to run pkgmgr (no Python fallback)." >&2
+  exit 1
+fi
+
 # ---------------------------------------------------------------------------
 # Primary path: use Nix flake if available (with GitHub 403 retry)
 # ---------------------------------------------------------------------------
@@ -51,7 +57,3 @@ if declare -F run_with_github_403_retry >/dev/null; then
 else
  exec nix run "${FLAKE_DIR}#pkgmgr" -- "$@"
 fi
-
-echo "[launcher] ERROR: 'nix' binary not found on PATH after init."
-echo "[launcher] Nix is required to run pkgmgr (no Python fallback)."
-exit 1
--- a/scripts/nix/lib/install.sh
+++ b/scripts/nix/lib/install.sh
@@ -49,11 +49,7 @@ install_nix_with_retry() {
  if [[ -n "$run_as" ]]; then
    chown "$run_as:$run_as" "$installer" 2>/dev/null || true
    echo "[init-nix] Running installer as user '$run_as' ($mode_flag)..."
-    if command -v sudo >/dev/null 2>&1; then
-      sudo -u "$run_as" bash -lc "sh '$installer' $mode_flag"
-    else
-      su - "$run_as" -c "sh '$installer' $mode_flag"
-    fi
+    su - "$run_as" -s /bin/bash -c "bash -lc \"sh '$installer' $mode_flag\""
  else
    echo "[init-nix] Running installer as current user ($mode_flag)..."
    sh "$installer" "$mode_flag"
--- a/scripts/nix/lib/path.sh
+++ b/scripts/nix/lib/path.sh
@@ -36,16 +36,17 @@ real_exe() {

 # Resolve nix binary path robustly (works across distros + Arch /usr/sbin)
 resolve_nix_bin() {
-  local nix_cmd=""
-  nix_cmd="$(command -v nix 2>/dev/null || true)"
-  [[ -n "$nix_cmd" ]] && real_exe "$nix_cmd" && return 0
-
-  # IMPORTANT: prefer system locations before /usr/local to avoid self-symlink traps
+  # IMPORTANT: prefer distro-managed locations first.
+  # This avoids pinning /usr/local/bin/nix to a stale user-profile nix binary.
  [[ -x /usr/sbin/nix ]]      && { echo "/usr/sbin/nix"; return 0; } # Arch package can land here
  [[ -x /usr/bin/nix ]]       && { echo "/usr/bin/nix"; return 0; }
  [[ -x /bin/nix ]]           && { echo "/bin/nix"; return 0; }

-  # /usr/local last, and only if it resolves to a real executable
+  local nix_cmd=""
+  nix_cmd="$(command -v nix 2>/dev/null || true)"
+  [[ -n "$nix_cmd" ]] && real_exe "$nix_cmd" && return 0
+
+  # /usr/local after system locations, and only if it resolves to a real executable
  [[ -e /usr/local/bin/nix ]] && real_exe "/usr/local/bin/nix" && return 0

  [[ -x /nix/var/nix/profiles/default/bin/nix ]] && {
--- a/scripts/test/test-e2e.sh
+++ b/scripts/test/test-e2e.sh
@@ -6,12 +6,13 @@ echo ">>> Running E2E tests: $PKGMGR_DISTRO"
 echo "============================================================"

 docker run --rm \
-  -v "$(pwd):/src" \
+  -v "$(pwd):/opt/src/pkgmgr" \
  -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
  -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
-  --workdir /src \
+  -e NIX_CONFIG="${NIX_CONFIG}" \
+  --workdir /opt/src/pkgmgr \
  "pkgmgr-${PKGMGR_DISTRO}" \
  bash -lc '
    set -euo pipefail
@@ -40,14 +41,14 @@ docker run --rm \
    }

    # Mark the mounted repository as safe to avoid Git ownership errors.
-    # Newer Git (e.g. on Ubuntu) complains about the gitdir (/src/.git),
-    # older versions about the worktree (/src). Nix turns "." into the
-    # flake input "git+file:///src", which then uses Git under the hood.
+    # Newer Git (e.g. on Ubuntu) complains about the gitdir (/opt/src/pkgmgr/.git),
+    # older versions about the worktree (/opt/src/pkgmgr). Nix turns "." into the
+    # flake input "git+file:///opt/src/pkgmgr", which then uses Git under the hood.
    if command -v git >/dev/null 2>&1; then
      # Worktree path
-      git config --global --add safe.directory /src || true
+      git config --global --add safe.directory /opt/src/pkgmgr || true
      # Gitdir path shown in the "dubious ownership" error
-      git config --global --add safe.directory /src/.git || true
+      git config --global --add safe.directory /opt/src/pkgmgr/.git || true
      # Ephemeral CI containers: allow all paths as a last resort
      git config --global --add safe.directory "*" || true
    fi
@@ -55,6 +56,6 @@ docker run --rm \
    # Run the E2E tests inside the Nix development shell
    nix develop .#default --no-write-lock-file -c \
      python3 -m unittest discover \
-        -s /src/tests/e2e \
+        -s /opt/src/pkgmgr/tests/e2e \
        -p "$TEST_PATTERN"
  '
--- a/scripts/test/test-env-nix.sh
+++ b/scripts/test/test-env-nix.sh
@@ -9,18 +9,19 @@ echo ">>> Image: ${IMAGE}"
 echo "============================================================"

 docker run --rm \
-  -v "$(pwd):/src" \
+  -v "$(pwd):/opt/src/pkgmgr" \
  -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
  -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
-  --workdir /src \
+  --workdir /opt/src/pkgmgr \
  -e REINSTALL_PKGMGR=1 \
+  -e NIX_CONFIG="${NIX_CONFIG}" \
  "${IMAGE}" \
  bash -lc '
    set -euo pipefail

    if command -v git >/dev/null 2>&1; then
-      git config --global --add safe.directory /src || true
-      git config --global --add safe.directory /src/.git || true
+      git config --global --add safe.directory /opt/src/pkgmgr || true
+      git config --global --add safe.directory /opt/src/pkgmgr/.git || true
      git config --global --add safe.directory "*" || true
    fi

@@ -38,9 +39,9 @@ docker run --rm \
    # ------------------------------------------------------------
    # Retry helper for GitHub API rate-limit (HTTP 403)
    # ------------------------------------------------------------
-    if [[ -f /src/scripts/nix/lib/retry_403.sh ]]; then
+    if [[ -f /opt/src/pkgmgr/scripts/nix/lib/retry_403.sh ]]; then
      # shellcheck source=./scripts/nix/lib/retry_403.sh
-      source /src/scripts/nix/lib/retry_403.sh
+      source /opt/src/pkgmgr/scripts/nix/lib/retry_403.sh
    elif [[ -f ./scripts/nix/lib/retry_403.sh ]]; then
      # shellcheck source=./scripts/nix/lib/retry_403.sh
      source ./scripts/nix/lib/retry_403.sh
--- a/scripts/test/test-env-virtual.sh
+++ b/scripts/test/test-env-virtual.sh
@@ -17,8 +17,9 @@ echo
 # ------------------------------------------------------------
 if OUTPUT=$(docker run --rm \
    -e REINSTALL_PKGMGR=1 \
-    -v "$(pwd):/src" \
-    -w /src \
+    -v "$(pwd):/opt/src/pkgmgr" \
+    -w /opt/src/pkgmgr \
+    -e NIX_CONFIG="${NIX_CONFIG}" \
    "${IMAGE}" \
    bash -lc '
        set -euo pipefail
--- a/scripts/test/test-integration.sh
+++ b/scripts/test/test-integration.sh
@@ -6,19 +6,20 @@ echo ">>> Running INTEGRATION tests in ${PKGMGR_DISTRO} container"
 echo "============================================================"

 docker run --rm \
-  -v "$(pwd):/src" \
+  -v "$(pwd):/opt/src/pkgmgr" \
  -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
  -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
-  --workdir /src \
+  --workdir /opt/src/pkgmgr \
  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
+  -e NIX_CONFIG="${NIX_CONFIG}" \
  "pkgmgr-${PKGMGR_DISTRO}" \
  bash -lc '
    set -e;
-    git config --global --add safe.directory /src || true;
+    git config --global --add safe.directory /opt/src/pkgmgr || true;
    nix develop .#default --no-write-lock-file -c \
      python3 -m unittest discover \
        -s tests/integration \
-        -t /src \
+        -t /opt/src/pkgmgr \
        -p "$TEST_PATTERN";
  '
--- a/scripts/test/test-unit.sh
+++ b/scripts/test/test-unit.sh
@@ -6,19 +6,20 @@ echo ">>> Running UNIT tests in ${PKGMGR_DISTRO} container"
 echo "============================================================"

 docker run --rm \
-  -v "$(pwd):/src" \
+  -v "$(pwd):/opt/src/pkgmgr" \
  -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
  -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
-  --workdir /src \
+  --workdir /opt/src/pkgmgr \
  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
+  -e NIX_CONFIG="${NIX_CONFIG}" \
  "pkgmgr-${PKGMGR_DISTRO}" \
  bash -lc '
    set -e;
-    git config --global --add safe.directory /src || true;
+    git config --global --add safe.directory /opt/src/pkgmgr || true;
    nix develop .#default --no-write-lock-file -c \
      python3 -m unittest discover \
        -s tests/unit \
-        -t /src \
+        -t /opt/src/pkgmgr \
        -p "$TEST_PATTERN";
  '
--- a/src/pkgmgr/init.py
+++ b/src/pkgmgr/init.py
@@ -25,12 +25,12 @@ __all__ = ["cli"]


 def __getattr__(name: str) -> Any:
-  """
-  Lazily expose ``pkgmgr.cli`` as attribute on the top-level package.
+    """
+    Lazily expose ``pkgmgr.cli`` as attribute on the top-level package.

-  This keeps ``import pkgmgr`` lightweight while still allowing
-  ``from pkgmgr import cli`` in tests and entry points.
-  """
-  if name == "cli":
-      return import_module("pkgmgr.cli")
-  raise AttributeError(f"module 'pkgmgr' has no attribute {name!r}")
+    This keeps ``import pkgmgr`` lightweight while still allowing
+    ``from pkgmgr import cli`` in tests and entry points.
+    """
+    if name == "cli":
+        return import_module("pkgmgr.cli")
+    raise AttributeError(f"module 'pkgmgr' has no attribute {name!r}")
--- a/src/pkgmgr/actions/init.py
+++ b/src/pkgmgr/actions/init.py
@@ -0,0 +1,6 @@
+from __future__ import annotations
+
+# expose subpackages for patch() / resolve_name() friendliness
+from . import release as release  # noqa: F401
+
+__all__ = ["release"]
--- a/src/pkgmgr/actions/branch/close_branch.py
+++ b/src/pkgmgr/actions/branch/close_branch.py
@@ -1,7 +1,21 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError, get_current_branch
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.errors import GitRunError
+from pkgmgr.core.git.queries import get_current_branch
+from pkgmgr.core.git.commands import (
+    GitDeleteRemoteBranchError,
+    checkout,
+    delete_local_branch,
+    delete_remote_branch,
+    fetch,
+    merge_no_ff,
+    pull,
+    push,
+)
+
+from pkgmgr.core.git.queries import resolve_base_branch


 def close_branch(
@@ -14,18 +28,17 @@ def close_branch(
    """
    Merge a feature branch into the base branch and delete it afterwards.
    """
-
    # Determine branch name
    if not name:
        try:
            name = get_current_branch(cwd=cwd)
-        except GitError as exc:
+        except GitRunError as exc:
            raise RuntimeError(f"Failed to detect current branch: {exc}") from exc

    if not name:
        raise RuntimeError("Branch name must not be empty.")

-    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    target_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)

    if name == target_base:
        raise RuntimeError(
@@ -35,65 +48,31 @@ def close_branch(

    # Confirmation
    if not force:
-        answer = input(
-            f"Merge branch '{name}' into '{target_base}' and delete it afterwards? (y/N): "
-        ).strip().lower()
+        answer = (
+            input(
+                f"Merge branch '{name}' into '{target_base}' and delete it afterwards? (y/N): "
+            )
+            .strip()
+            .lower()
+        )
        if answer != "y":
            print("Aborted closing branch.")
            return

-    # Fetch
-    try:
-        run_git(["fetch", "origin"], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to fetch from origin before closing branch {name!r}: {exc}"
-        ) from exc
+    # Execute workflow (commands raise specific GitRunError subclasses)
+    fetch("origin", cwd=cwd)
+    checkout(target_base, cwd=cwd)
+    pull("origin", target_base, cwd=cwd)
+    merge_no_ff(name, cwd=cwd)
+    push("origin", target_base, cwd=cwd)

-    # Checkout base
-    try:
-        run_git(["checkout", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to checkout base branch {target_base!r}: {exc}"
-        ) from exc
+    # Delete local branch (safe delete by default)
+    delete_local_branch(name, cwd=cwd, force=False)

-    # Pull latest
+    # Delete remote branch (special-case error message)
    try:
-        run_git(["pull", "origin", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to pull latest changes for base branch {target_base!r}: {exc}"
-        ) from exc
-
-    # Merge
-    try:
-        run_git(["merge", "--no-ff", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to merge branch {name!r} into {target_base!r}: {exc}"
-        ) from exc
-
-    # Push result
-    try:
-        run_git(["push", "origin", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to push base branch {target_base!r} after merge: {exc}"
-        ) from exc
-
-    # Delete local
-    try:
-        run_git(["branch", "-d", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to delete local branch {name!r}: {exc}"
-        ) from exc
-
-    # Delete remote
-    try:
-        run_git(["push", "origin", "--delete", name], cwd=cwd)
-    except GitError as exc:
+        delete_remote_branch("origin", name, cwd=cwd)
+    except GitDeleteRemoteBranchError as exc:
        raise RuntimeError(
            f"Branch {name!r} deleted locally, but remote deletion failed: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/drop_branch.py
+++ b/src/pkgmgr/actions/branch/drop_branch.py
@@ -1,7 +1,16 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError, get_current_branch
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.errors import GitRunError
+from pkgmgr.core.git.queries import get_current_branch
+from pkgmgr.core.git.commands import (
+    GitDeleteRemoteBranchError,
+    delete_local_branch,
+    delete_remote_branch,
+)
+
+from pkgmgr.core.git.queries import resolve_base_branch


 def drop_branch(
@@ -14,17 +23,16 @@ def drop_branch(
    """
    Delete a branch locally and remotely without merging.
    """
-
    if not name:
        try:
            name = get_current_branch(cwd=cwd)
-        except GitError as exc:
+        except GitRunError as exc:
            raise RuntimeError(f"Failed to detect current branch: {exc}") from exc

    if not name:
        raise RuntimeError("Branch name must not be empty.")

-    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    target_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)

    if name == target_base:
        raise RuntimeError(
@@ -33,23 +41,23 @@ def drop_branch(

    # Confirmation
    if not force:
-        answer = input(
-            f"Delete branch '{name}' locally and on origin? This is destructive! (y/N): "
-        ).strip().lower()
+        answer = (
+            input(
+                f"Delete branch '{name}' locally and on origin? This is destructive! (y/N): "
+            )
+            .strip()
+            .lower()
+        )
        if answer != "y":
            print("Aborted dropping branch.")
            return

-    # Local delete
-    try:
-        run_git(["branch", "-d", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(f"Failed to delete local branch {name!r}: {exc}") from exc
+    delete_local_branch(name, cwd=cwd, force=False)

-    # Remote delete
+    # Remote delete (special-case message)
    try:
-        run_git(["push", "origin", "--delete", name], cwd=cwd)
-    except GitError as exc:
+        delete_remote_branch("origin", name, cwd=cwd)
+    except GitDeleteRemoteBranchError as exc:
        raise RuntimeError(
            f"Branch {name!r} was deleted locally, but remote deletion failed: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/open_branch.py
+++ b/src/pkgmgr/actions/branch/open_branch.py
@@ -1,7 +1,15 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.commands import (
+    checkout,
+    create_branch,
+    fetch,
+    pull,
+    push_upstream,
+)
+from pkgmgr.core.git.queries import resolve_base_branch


 def open_branch(
@@ -13,7 +21,6 @@ def open_branch(
    """
    Create and push a new feature branch on top of a base branch.
    """
-
    # Request name interactively if not provided
    if not name:
        name = input("Enter new branch name: ").strip()
@@ -21,44 +28,13 @@ def open_branch(
    if not name:
        raise RuntimeError("Branch name must not be empty.")

-    resolved_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    resolved_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)

-    # 1) Fetch from origin
-    try:
-        run_git(["fetch", "origin"], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to fetch from origin before creating branch {name!r}: {exc}"
-        ) from exc
+    # Workflow (commands raise specific GitBaseError subclasses)
+    fetch("origin", cwd=cwd)
+    checkout(resolved_base, cwd=cwd)
+    pull("origin", resolved_base, cwd=cwd)

-    # 2) Checkout base branch
-    try:
-        run_git(["checkout", resolved_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to checkout base branch {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 3) Pull latest changes
-    try:
-        run_git(["pull", "origin", resolved_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to pull latest changes for base branch {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 4) Create new branch
-    try:
-        run_git(["checkout", "-b", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to create new branch {name!r} from base {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 5) Push new branch
-    try:
-        run_git(["push", "-u", "origin", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to push new branch {name!r} to origin: {exc}"
-        ) from exc
+    # Create new branch from resolved base and push it with upstream tracking
+    create_branch(name, resolved_base, cwd=cwd)
+    push_upstream("origin", name, cwd=cwd)
--- a/src/pkgmgr/actions/branch/utils.py
+++ b/src/pkgmgr/actions/branch/utils.py
@@ -1,27 +0,0 @@
-from __future__ import annotations
-from pkgmgr.core.git import run_git, GitError
-
-
-def _resolve_base_branch(
-    preferred: str,
-    fallback: str,
-    cwd: str,
-) -> str:
-    """
-    Resolve the base branch to use.
-
-    Try `preferred` first (default: main),
-    fall back to `fallback` (default: master).
-
-    Raise RuntimeError if neither exists.
-    """
-    for candidate in (preferred, fallback):
-        try:
-            run_git(["rev-parse", "--verify", candidate], cwd=cwd)
-            return candidate
-        except GitError:
-            continue
-
-    raise RuntimeError(
-        f"Neither {preferred!r} nor {fallback!r} exist in this repository."
-    )
--- a/src/pkgmgr/actions/changelog/init.py
+++ b/src/pkgmgr/actions/changelog/init.py
@@ -3,17 +3,16 @@

 """
 Helpers to generate changelog information from Git history.
-
-This module provides a small abstraction around `git log` so that
-CLI commands can request a changelog between two refs (tags, branches,
-commits) without dealing with raw subprocess calls.
 """

 from __future__ import annotations

 from typing import Optional

-from pkgmgr.core.git import run_git, GitError
+from pkgmgr.core.git.queries import (
+    get_changelog,
+    GitChangelogQueryError,
+)


 def generate_changelog(
@@ -25,48 +24,20 @@ def generate_changelog(
    """
    Generate a plain-text changelog between two Git refs.

-    Parameters
-    ----------
-    cwd:
-        Repository directory in which to run Git commands.
-    from_ref:
-        Optional starting reference (exclusive). If provided together
-        with `to_ref`, the range `from_ref..to_ref` is used.
-        If only `from_ref` is given, the range `from_ref..HEAD` is used.
-    to_ref:
-        Optional end reference (inclusive). If omitted, `HEAD` is used.
-    include_merges:
-        If False (default), merge commits are filtered out.
-
-    Returns
-    -------
-    str
-        The output of `git log` formatted as a simple text changelog.
-        If no commits are found or Git fails, an explanatory message
-        is returned instead of raising.
+    Returns a human-readable message instead of raising.
    """
-    # Determine the revision range
    if to_ref is None:
        to_ref = "HEAD"

-    if from_ref:
-        rev_range = f"{from_ref}..{to_ref}"
-    else:
-        rev_range = to_ref
-
-    # Use a custom pretty format that includes tags/refs (%d)
-    cmd = [
-        "log",
-        "--pretty=format:%h %d %s",
-    ]
-    if not include_merges:
-        cmd.append("--no-merges")
-    cmd.append(rev_range)
-
+    rev_range = f"{from_ref}..{to_ref}" if from_ref else to_ref
    try:
-        output = run_git(cmd, cwd=cwd)
-    except GitError as exc:
-        # Do not raise to the CLI, return a human-readable error instead.
+        output = get_changelog(
+            cwd=cwd,
+            from_ref=from_ref,
+            to_ref=to_ref,
+            include_merges=include_merges,
+        )
+    except GitChangelogQueryError as exc:
        return (
            f"[ERROR] Failed to generate changelog in {cwd!r} "
            f"for range {rev_range!r}:\n{exc}"
--- a/src/pkgmgr/actions/config/add.py
+++ b/src/pkgmgr/actions/config/add.py
@@ -1,15 +1,18 @@
 import yaml
 import os
-from pkgmgr.core.config.save import save_user_config 
+from pkgmgr.core.config.save import save_user_config

-def interactive_add(config,USER_CONFIG_PATH:str):
+
+def interactive_add(config, USER_CONFIG_PATH: str):
    """Interactively prompt the user to add a new repository entry to the user config."""
    print("Adding a new repository configuration entry.")
    new_entry = {}
    new_entry["provider"] = input("Provider (e.g., github.com): ").strip()
    new_entry["account"] = input("Account (e.g., yourusername): ").strip()
    new_entry["repository"] = input("Repository name (e.g., mytool): ").strip()
-    new_entry["command"] = input("Command (optional, leave blank to auto-detect): ").strip()
+    new_entry["command"] = input(
+        "Command (optional, leave blank to auto-detect): "
+    ).strip()
    new_entry["description"] = input("Description (optional): ").strip()
    new_entry["replacement"] = input("Replacement (optional): ").strip()
    new_entry["alias"] = input("Alias (optional): ").strip()
@@ -25,12 +28,12 @@ def interactive_add(config,USER_CONFIG_PATH:str):
    confirm = input("Add this entry to user config? (y/N): ").strip().lower()
    if confirm == "y":
        if os.path.exists(USER_CONFIG_PATH):
-            with open(USER_CONFIG_PATH, 'r') as f:
+            with open(USER_CONFIG_PATH, "r") as f:
                user_config = yaml.safe_load(f) or {}
        else:
            user_config = {"repositories": []}
        user_config.setdefault("repositories", [])
        user_config["repositories"].append(new_entry)
-        save_user_config(user_config,USER_CONFIG_PATH)
+        save_user_config(user_config, USER_CONFIG_PATH)
    else:
-        print("Entry not added.")
+        print("Entry not added.")
--- a/src/pkgmgr/actions/config/init.py
+++ b/src/pkgmgr/actions/config/init.py
@@ -14,7 +14,7 @@ with the expected structure:

 For each discovered repository, the function:
  • derives provider, account, repository from the folder structure
-  • (optionally) determines the latest commit hash via git log
+  • (optionally) determines the latest commit hash via git
  • generates a unique CLI alias
  • marks ignore=True for newly discovered repos
  • skips repos already known in defaults or user config
@@ -23,11 +23,11 @@ For each discovered repository, the function:
 from __future__ import annotations

 import os
-import subprocess
 from typing import Any, Dict

 from pkgmgr.core.command.alias import generate_alias
 from pkgmgr.core.config.save import save_user_config
+from pkgmgr.core.git.queries import get_latest_commit


 def config_init(
@@ -107,36 +107,33 @@ def config_init(
                # Already known?
                if key in default_keys:
                    skipped += 1
-                    print(f"[SKIP]     (defaults)       {provider}/{account}/{repo_name}")
+                    print(
+                        f"[SKIP]     (defaults)       {provider}/{account}/{repo_name}"
+                    )
                    continue
                if key in existing_keys:
                    skipped += 1
-                    print(f"[SKIP]     (user-config)    {provider}/{account}/{repo_name}")
+                    print(
+                        f"[SKIP]     (user-config)    {provider}/{account}/{repo_name}"
+                    )
                    continue

                print(f"[ADD]      {provider}/{account}/{repo_name}")

-                # Determine commit hash
-                try:
-                    result = subprocess.run(
-                        ["git", "log", "-1", "--format=%H"],
-                        cwd=repo_path,
-                        stdout=subprocess.PIPE,
-                        stderr=subprocess.PIPE,
-                        text=True,
-                        check=True,
+                # Determine commit hash via git query
+                verified_commit = get_latest_commit(repo_path) or ""
+                if verified_commit:
+                    print(f"[INFO]       Latest commit: {verified_commit}")
+                else:
+                    print(
+                        "[WARN]       Could not read commit (not a git repo or no commits)."
                    )
-                    verified = result.stdout.strip()
-                    print(f"[INFO]       Latest commit: {verified}")
-                except Exception as exc:
-                    verified = ""
-                    print(f"[WARN]       Could not read commit: {exc}")

-                entry = {
+                entry: Dict[str, Any] = {
                    "provider": provider,
                    "account": account,
                    "repository": repo_name,
-                    "verified": {"commit": verified},
+                    "verified": {"commit": verified_commit},
                    "ignore": True,
                }

--- a/src/pkgmgr/actions/config/show.py
+++ b/src/pkgmgr/actions/config/show.py
@@ -1,6 +1,7 @@
 import yaml
 from pkgmgr.core.config.load import load_config

+
 def show_config(selected_repos, user_config_path, full_config=False):
    """Display configuration for one or more repositories, or the entire merged config."""
    if full_config:
@@ -8,8 +9,10 @@ def show_config(selected_repos, user_config_path, full_config=False):
        print(yaml.dump(merged, default_flow_style=False))
    else:
        for repo in selected_repos:
-            identifier = f'{repo.get("provider")}/{repo.get("account")}/{repo.get("repository")}'
+            identifier = (
+                f"{repo.get('provider')}/{repo.get('account')}/{repo.get('repository')}"
+            )
            print(f"Repository: {identifier}")
            for key, value in repo.items():
                print(f"  {key}: {value}")
-            print("-" * 40)
+            print("-" * 40)
--- a/src/pkgmgr/actions/install/init.py
+++ b/src/pkgmgr/actions/install/init.py
@@ -16,7 +16,7 @@ Responsibilities:
 from __future__ import annotations

 import os
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Tuple

 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.dir import get_repo_dir
@@ -66,10 +66,7 @@ def _ensure_repo_dir(
    repo_dir = get_repo_dir(repositories_base_dir, repo)

    if not os.path.exists(repo_dir):
-        print(
-            f"Repository directory '{repo_dir}' does not exist. "
-            "Cloning it now..."
-        )
+        print(f"Repository directory '{repo_dir}' does not exist. Cloning it now...")
        clone_repos(
            [repo],
            repositories_base_dir,
@@ -79,10 +76,7 @@ def _ensure_repo_dir(
            clone_mode,
        )
        if not os.path.exists(repo_dir):
-            print(
-                f"Cloning failed for repository {identifier}. "
-                "Skipping installation."
-            )
+            print(f"Cloning failed for repository {identifier}. Skipping installation.")
            return None

    return repo_dir
@@ -93,6 +87,7 @@ def _verify_repo(
    repo_dir: str,
    no_verification: bool,
    identifier: str,
+    silent: bool,
 ) -> bool:
    """
    Verify a repository using the configured verification data.
@@ -111,10 +106,17 @@ def _verify_repo(
        print(f"Warning: Verification failed for {identifier}:")
        for err in errors:
            print(f"  - {err}")
-        choice = input("Continue anyway? [y/N]: ").strip().lower()
-        if choice != "y":
-            print(f"Skipping installation for {identifier}.")
-            return False
+
+        if silent:
+            # Non-interactive mode: continue with a warning.
+            print(
+                f"[Warning] Continuing despite verification failure for {identifier} (--silent)."
+            )
+        else:
+            choice = input("Continue anyway? [y/N]: ").strip().lower()
+            if choice != "y":
+                print(f"Skipping installation for {identifier}.")
+                return False

    return True

@@ -163,6 +165,8 @@ def install_repos(
    clone_mode: str,
    update_dependencies: bool,
    force_update: bool = False,
+    silent: bool = False,
+    emit_summary: bool = True,
 ) -> None:
    """
    Install one or more repositories according to the configured installers
@@ -170,45 +174,76 @@ def install_repos(

    If force_update=True, installers of the currently active layer are allowed
    to run again (upgrade/refresh), even if that layer is already loaded.
+
+    If silent=True, repository failures are downgraded to warnings and the
+    overall command never exits non-zero because of per-repository failures.
    """
    pipeline = InstallationPipeline(INSTALLERS)
+    failures: List[Tuple[str, str]] = []

    for repo in selected_repos:
        identifier = get_repo_identifier(repo, all_repos)

-        repo_dir = _ensure_repo_dir(
-            repo=repo,
-            repositories_base_dir=repositories_base_dir,
-            all_repos=all_repos,
-            preview=preview,
-            no_verification=no_verification,
-            clone_mode=clone_mode,
-            identifier=identifier,
-        )
-        if not repo_dir:
+        try:
+            repo_dir = _ensure_repo_dir(
+                repo=repo,
+                repositories_base_dir=repositories_base_dir,
+                all_repos=all_repos,
+                preview=preview,
+                no_verification=no_verification,
+                clone_mode=clone_mode,
+                identifier=identifier,
+            )
+            if not repo_dir:
+                failures.append((identifier, "clone/ensure repo directory failed"))
+                continue
+
+            if not _verify_repo(
+                repo=repo,
+                repo_dir=repo_dir,
+                no_verification=no_verification,
+                identifier=identifier,
+                silent=silent,
+            ):
+                continue
+
+            ctx = _create_context(
+                repo=repo,
+                identifier=identifier,
+                repo_dir=repo_dir,
+                repositories_base_dir=repositories_base_dir,
+                bin_dir=bin_dir,
+                all_repos=all_repos,
+                no_verification=no_verification,
+                preview=preview,
+                quiet=quiet,
+                clone_mode=clone_mode,
+                update_dependencies=update_dependencies,
+                force_update=force_update,
+            )
+
+            pipeline.run(ctx)
+
+        except SystemExit as exc:
+            code = exc.code if isinstance(exc.code, int) else str(exc.code)
+            failures.append((identifier, f"installer failed (exit={code})"))
+            if not quiet:
+                print(
+                    f"[Warning] install: repository {identifier} failed (exit={code}). Continuing..."
+                )
+            continue
+        except Exception as exc:
+            failures.append((identifier, f"unexpected error: {exc}"))
+            if not quiet:
+                print(
+                    f"[Warning] install: repository {identifier} hit an unexpected error: {exc}. Continuing..."
+                )
            continue

-        if not _verify_repo(
-            repo=repo,
-            repo_dir=repo_dir,
-            no_verification=no_verification,
-            identifier=identifier,
-        ):
-            continue
+    if failures and emit_summary and not quiet:
+        print("\n[pkgmgr] Installation finished with warnings:")
+        for ident, msg in failures:
+            print(f"  - {ident}: {msg}")

-        ctx = _create_context(
-            repo=repo,
-            identifier=identifier,
-            repo_dir=repo_dir,
-            repositories_base_dir=repositories_base_dir,
-            bin_dir=bin_dir,
-            all_repos=all_repos,
-            no_verification=no_verification,
-            preview=preview,
-            quiet=quiet,
-            clone_mode=clone_mode,
-            update_dependencies=update_dependencies,
-            force_update=force_update,
-        )
-
-        pipeline.run(ctx)
+    if failures and not silent:
+        raise SystemExit(1)
--- a/src/pkgmgr/actions/install/installers/init.py
+++ b/src/pkgmgr/actions/install/installers/init.py
@@ -14,6 +14,10 @@ from pkgmgr.actions.install.installers.python import PythonInstaller  # noqa: F4
 from pkgmgr.actions.install.installers.makefile import MakefileInstaller  # noqa: F401

 # OS-specific installers
-from pkgmgr.actions.install.installers.os_packages.arch_pkgbuild import ArchPkgbuildInstaller  # noqa: F401
-from pkgmgr.actions.install.installers.os_packages.debian_control import DebianControlInstaller  # noqa: F401
+from pkgmgr.actions.install.installers.os_packages.arch_pkgbuild import (
+    ArchPkgbuildInstaller as ArchPkgbuildInstaller,
+)  # noqa: F401
+from pkgmgr.actions.install.installers.os_packages.debian_control import (
+    DebianControlInstaller as DebianControlInstaller,
+)  # noqa: F401
 from pkgmgr.actions.install.installers.os_packages.rpm_spec import RpmSpecInstaller  # noqa: F401
--- a/src/pkgmgr/actions/install/installers/base.py
+++ b/src/pkgmgr/actions/install/installers/base.py
@@ -41,7 +41,9 @@ class BaseInstaller(ABC):
            return caps

        for matcher in CAPABILITY_MATCHERS:
-            if matcher.applies_to_layer(self.layer) and matcher.is_provided(ctx, self.layer):
+            if matcher.applies_to_layer(self.layer) and matcher.is_provided(
+                ctx, self.layer
+            ):
                caps.add(matcher.name)

        return caps
--- a/src/pkgmgr/actions/install/installers/makefile.py
+++ b/src/pkgmgr/actions/install/installers/makefile.py
@@ -16,7 +16,9 @@ class MakefileInstaller(BaseInstaller):
    def supports(self, ctx: RepoContext) -> bool:
        if os.environ.get("PKGMGR_DISABLE_MAKEFILE_INSTALLER") == "1":
            if not ctx.quiet:
-                print("[INFO] PKGMGR_DISABLE_MAKEFILE_INSTALLER=1 – skipping MakefileInstaller.")
+                print(
+                    "[INFO] PKGMGR_DISABLE_MAKEFILE_INSTALLER=1 – skipping MakefileInstaller."
+                )
            return False

        makefile_path = os.path.join(ctx.repo_dir, self.MAKEFILE_NAME)
@@ -46,7 +48,9 @@ class MakefileInstaller(BaseInstaller):
            return

        if not ctx.quiet:
-            print(f"[pkgmgr] Running make install for {ctx.identifier} (MakefileInstaller)")
+            print(
+                f"[pkgmgr] Running make install for {ctx.identifier} (MakefileInstaller)"
+            )

        run_command("make install", cwd=ctx.repo_dir, preview=ctx.preview)

--- a/src/pkgmgr/actions/install/installers/nix/conflicts.py
+++ b/src/pkgmgr/actions/install/installers/nix/conflicts.py
@@ -57,7 +57,9 @@ class NixConflictResolver:

            # 3) Fallback: output-name based lookup (also covers nix suggesting: `nix profile remove pkgmgr`)
            if not tokens:
-                tokens = self._profile.find_remove_tokens_for_output(ctx, self._runner, output)
+                tokens = self._profile.find_remove_tokens_for_output(
+                    ctx, self._runner, output
+                )

            if tokens:
                if not quiet:
@@ -94,7 +96,9 @@ class NixConflictResolver:
                continue

            if not quiet:
-                print("[nix] conflict detected but could not resolve profile entries to remove.")
+                print(
+                    "[nix] conflict detected but could not resolve profile entries to remove."
+                )
            return False

        return False
--- a/src/pkgmgr/actions/install/installers/nix/installer.py
+++ b/src/pkgmgr/actions/install/installers/nix/installer.py
@@ -75,7 +75,9 @@ class NixFlakeInstaller(BaseInstaller):
    # Core install path
    # ---------------------------------------------------------------------

-    def _install_only(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
+    def _install_only(
+        self, ctx: "RepoContext", output: str, allow_failure: bool
+    ) -> None:
        install_cmd = f"nix profile install {self._installable(ctx, output)}"

        if not ctx.quiet:
@@ -96,7 +98,9 @@ class NixFlakeInstaller(BaseInstaller):
            output=output,
        ):
            if not ctx.quiet:
-                print(f"[nix] output '{output}' successfully installed after conflict cleanup.")
+                print(
+                    f"[nix] output '{output}' successfully installed after conflict cleanup."
+                )
            return

        if not ctx.quiet:
@@ -107,20 +111,26 @@ class NixFlakeInstaller(BaseInstaller):

        # If indices are supported, try legacy index-upgrade path.
        if self._indices_supported is not False:
-            indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
+            indices = self._profile.find_installed_indices_for_output(
+                ctx, self._runner, output
+            )

            upgraded = False
            for idx in indices:
                if self._upgrade_index(ctx, idx):
                    upgraded = True
                    if not ctx.quiet:
-                        print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
+                        print(
+                            f"[nix] output '{output}' successfully upgraded (index {idx})."
+                        )

            if upgraded:
                return

            if indices and not ctx.quiet:
-                print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
+                print(
+                    f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'."
+                )

            for idx in indices:
                self._remove_index(ctx, idx)
@@ -139,7 +149,9 @@ class NixFlakeInstaller(BaseInstaller):
                print(f"[nix] output '{output}' successfully re-installed.")
            return

-        print(f"[ERROR] Failed to install Nix flake output '{output}' (exit {final.returncode})")
+        print(
+            f"[ERROR] Failed to install Nix flake output '{output}' (exit {final.returncode})"
+        )
        if not allow_failure:
            raise SystemExit(final.returncode)

@@ -149,7 +161,9 @@ class NixFlakeInstaller(BaseInstaller):
    # force_update path
    # ---------------------------------------------------------------------

-    def _force_upgrade_output(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
+    def _force_upgrade_output(
+        self, ctx: "RepoContext", output: str, allow_failure: bool
+    ) -> None:
        # Prefer token path if indices unsupported (new nix)
        if self._indices_supported is False:
            self._remove_tokens_for_output(ctx, output)
@@ -158,14 +172,18 @@ class NixFlakeInstaller(BaseInstaller):
                print(f"[nix] output '{output}' successfully upgraded.")
            return

-        indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
+        indices = self._profile.find_installed_indices_for_output(
+            ctx, self._runner, output
+        )

        upgraded_any = False
        for idx in indices:
            if self._upgrade_index(ctx, idx):
                upgraded_any = True
                if not ctx.quiet:
-                    print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
+                    print(
+                        f"[nix] output '{output}' successfully upgraded (index {idx})."
+                    )

        if upgraded_any:
            if not ctx.quiet:
@@ -173,7 +191,9 @@ class NixFlakeInstaller(BaseInstaller):
            return

        if indices and not ctx.quiet:
-            print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
+            print(
+                f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'."
+            )

        for idx in indices:
            self._remove_index(ctx, idx)
@@ -223,7 +243,9 @@ class NixFlakeInstaller(BaseInstaller):
            return

        if not ctx.quiet:
-            print(f"[nix] indices unsupported; removing by token(s): {', '.join(tokens)}")
+            print(
+                f"[nix] indices unsupported; removing by token(s): {', '.join(tokens)}"
+            )

        for t in tokens:
            self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)
--- a/src/pkgmgr/actions/install/installers/nix/profile/inspector.py
+++ b/src/pkgmgr/actions/install/installers/nix/profile/inspector.py
@@ -101,7 +101,9 @@ class NixProfileInspector:
        data = self.list_json(ctx, runner)
        entries = normalize_elements(data)

-        tokens: List[str] = [out]  # critical: matches nix's own suggestion for conflicts
+        tokens: List[str] = [
+            out
+        ]  # critical: matches nix's own suggestion for conflicts

        for e in entries:
            if entry_matches_output(e, out):
--- a/src/pkgmgr/actions/install/installers/nix/profile_list.py
+++ b/src/pkgmgr/actions/install/installers/nix/profile_list.py
@@ -48,7 +48,9 @@ class NixProfileListReader:

        return uniq

-    def indices_matching_store_prefixes(self, ctx: "RepoContext", prefixes: List[str]) -> List[int]:
+    def indices_matching_store_prefixes(
+        self, ctx: "RepoContext", prefixes: List[str]
+    ) -> List[int]:
        prefixes = [self._store_prefix(p) for p in prefixes if p]
        prefixes = [p for p in prefixes if p]
        if not prefixes:
--- a/src/pkgmgr/actions/install/installers/nix/retry.py
+++ b/src/pkgmgr/actions/install/installers/nix/retry.py
@@ -11,6 +11,7 @@ if TYPE_CHECKING:
    from pkgmgr.actions.install.context import RepoContext
    from .runner import CommandRunner

+
@dataclass(frozen=True)
 class RetryPolicy:
    max_attempts: int = 7
@@ -35,13 +36,19 @@ class GitHubRateLimitRetry:
        install_cmd: str,
    ) -> RunResult:
        quiet = bool(getattr(ctx, "quiet", False))
-        delays = list(self._fibonacci_backoff(self._policy.base_delay_seconds, self._policy.max_attempts))
+        delays = list(
+            self._fibonacci_backoff(
+                self._policy.base_delay_seconds, self._policy.max_attempts
+            )
+        )

        last: RunResult | None = None

        for attempt, base_delay in enumerate(delays, start=1):
            if not quiet:
-                print(f"[nix] attempt {attempt}/{self._policy.max_attempts}: {install_cmd}")
+                print(
+                    f"[nix] attempt {attempt}/{self._policy.max_attempts}: {install_cmd}"
+                )

            res = runner.run(ctx, install_cmd, allow_failure=True)
            last = res
@@ -56,7 +63,9 @@ class GitHubRateLimitRetry:
            if attempt >= self._policy.max_attempts:
                break

-            jitter = random.randint(self._policy.jitter_seconds_min, self._policy.jitter_seconds_max)
+            jitter = random.randint(
+                self._policy.jitter_seconds_min, self._policy.jitter_seconds_max
+            )
            wait_time = base_delay + jitter

            if not quiet:
@@ -67,7 +76,11 @@ class GitHubRateLimitRetry:

            time.sleep(wait_time)

-        return last if last is not None else RunResult(returncode=1, stdout="", stderr="nix install retry failed")
+        return (
+            last
+            if last is not None
+            else RunResult(returncode=1, stdout="", stderr="nix install retry failed")
+        )

    @staticmethod
    def _is_github_rate_limit_error(text: str) -> bool:
--- a/src/pkgmgr/actions/install/installers/nix/runner.py
+++ b/src/pkgmgr/actions/install/installers/nix/runner.py
@@ -9,6 +9,7 @@ from .types import RunResult
 if TYPE_CHECKING:
    from pkgmgr.actions.install.context import RepoContext

+
 class CommandRunner:
    """
    Executes commands (shell=True) inside a repository directory (if provided).
@@ -40,7 +41,9 @@ class CommandRunner:
                raise
            return RunResult(returncode=1, stdout="", stderr=str(e))

-        res = RunResult(returncode=p.returncode, stdout=p.stdout or "", stderr=p.stderr or "")
+        res = RunResult(
+            returncode=p.returncode, stdout=p.stdout or "", stderr=p.stderr or ""
+        )

        if res.returncode != 0 and not quiet:
            self._print_compact_failure(res)
--- a/src/pkgmgr/actions/install/installers/nix/textparse.py
+++ b/src/pkgmgr/actions/install/installers/nix/textparse.py
@@ -20,7 +20,9 @@ class NixConflictTextParser:
        tokens: List[str] = []
        for m in pat.finditer(text or ""):
            t = (m.group(1) or "").strip()
-            if (t.startswith("'") and t.endswith("'")) or (t.startswith('"') and t.endswith('"')):
+            if (t.startswith("'") and t.endswith("'")) or (
+                t.startswith('"') and t.endswith('"')
+            ):
                t = t[1:-1]
            if t:
                tokens.append(t)
--- a/src/pkgmgr/actions/install/installers/python.py
+++ b/src/pkgmgr/actions/install/installers/python.py
@@ -14,7 +14,9 @@ class PythonInstaller(BaseInstaller):

    def supports(self, ctx: RepoContext) -> bool:
        if os.environ.get("PKGMGR_DISABLE_PYTHON_INSTALLER") == "1":
-            print("[INFO] PythonInstaller disabled via PKGMGR_DISABLE_PYTHON_INSTALLER.")
+            print(
+                "[INFO] PythonInstaller disabled via PKGMGR_DISABLE_PYTHON_INSTALLER."
+            )
            return False

        return os.path.exists(os.path.join(ctx.repo_dir, "pyproject.toml"))
--- a/src/pkgmgr/actions/install/pipeline.py
+++ b/src/pkgmgr/actions/install/pipeline.py
@@ -132,7 +132,11 @@ class InstallationPipeline:
                continue

            if not quiet:
-                if ctx.force_update and state.layer is not None and installer_layer == state.layer:
+                if (
+                    ctx.force_update
+                    and state.layer is not None
+                    and installer_layer == state.layer
+                ):
                    print(
                        f"[pkgmgr] Running installer {installer.__class__.__name__} "
                        f"for {identifier} in '{repo_dir}' (upgrade requested)..."
--- a/src/pkgmgr/actions/mirror/init.py
+++ b/src/pkgmgr/actions/mirror/init.py
@@ -14,6 +14,7 @@ from .list_cmd import list_mirrors
 from .diff_cmd import diff_mirrors
 from .merge_cmd import merge_mirrors
 from .setup_cmd import setup_mirrors
+from .visibility_cmd import set_mirror_visibility

 __all__ = [
    "Repository",
@@ -22,4 +23,5 @@ __all__ = [
    "diff_mirrors",
    "merge_mirrors",
    "setup_mirrors",
+    "set_mirror_visibility",
 ]
--- a/src/pkgmgr/actions/mirror/git_remote.py
+++ b/src/pkgmgr/actions/mirror/git_remote.py
@@ -1,20 +1,50 @@
 from __future__ import annotations

 import os
+from typing import Optional, Set

-from pkgmgr.core.command.run import run_command
-from pkgmgr.core.git import GitError, run_git
-from typing import List, Optional, Set
+from pkgmgr.core.git.errors import GitRunError
+from pkgmgr.core.git.commands import (
+    GitAddRemoteError,
+    GitAddRemotePushUrlError,
+    GitSetRemoteUrlError,
+    add_remote,
+    add_remote_push_url,
+    set_remote_url,
+)
+from pkgmgr.core.git.queries import get_remote_push_urls, list_remotes

 from .types import MirrorMap, RepoMirrorContext, Repository


-def build_default_ssh_url(repo: Repository) -> Optional[str]:
+def _is_git_remote_url(url: str) -> bool:
    """
-    Build a simple SSH URL from repo config if no explicit mirror is defined.
+    True only for URLs that should become git remotes / push URLs.

-    Example: git@github.com:account/repository.git
+    Accepted:
+      - git@host:owner/repo(.git)                (SCP-like SSH)
+      - ssh://git@host(:port)/owner/repo(.git)   (SSH URL)
+      - https://host/owner/repo.git              (HTTPS git remote)
+      - http://host/owner/repo.git               (rare, but possible)
+    Everything else (e.g. PyPI project page) stays metadata only.
    """
+    u = (url or "").strip()
+    if not u:
+        return False
+
+    if u.startswith("git@"):
+        return True
+
+    if u.startswith("ssh://"):
+        return True
+
+    if (u.startswith("https://") or u.startswith("http://")) and u.endswith(".git"):
+        return True
+
+    return False
+
+
+def build_default_ssh_url(repo: Repository) -> Optional[str]:
    provider = repo.get("provider")
    account = repo.get("account")
    name = repo.get("repository")
@@ -23,96 +53,80 @@ def build_default_ssh_url(repo: Repository) -> Optional[str]:
    if not provider or not account or not name:
        return None

-    provider = str(provider)
-    account = str(account)
-    name = str(name)
-
    if port:
        return f"ssh://git@{provider}:{port}/{account}/{name}.git"

-    # GitHub-style shorthand
    return f"git@{provider}:{account}/{name}.git"


+def _git_mirrors_only(m: MirrorMap) -> MirrorMap:
+    return {k: v for k, v in m.items() if v and _is_git_remote_url(v)}
+
+
 def determine_primary_remote_url(
    repo: Repository,
-    resolved_mirrors: MirrorMap,
+    ctx: RepoMirrorContext,
 ) -> Optional[str]:
    """
-    Determine the primary remote URL in a consistent way:
-
-      1. resolved_mirrors["origin"]
-      2. any resolved mirror (first by name)
-      3. default SSH URL from provider/account/repository
+    Priority order (GIT URLS ONLY):
+      1. origin from resolved mirrors (if it is a git URL)
+      2. first git URL from MIRRORS file (in file order)
+      3. first git URL from config mirrors (in config order)
+      4. default SSH URL
    """
-    if "origin" in resolved_mirrors:
-        return resolved_mirrors["origin"]
+    resolved = ctx.resolved_mirrors
+    origin = resolved.get("origin")
+    if origin and _is_git_remote_url(origin):
+        return origin

-    if resolved_mirrors:
-        first_name = sorted(resolved_mirrors.keys())[0]
-        return resolved_mirrors[first_name]
+    for mirrors in (ctx.file_mirrors, ctx.config_mirrors):
+        for _, url in mirrors.items():
+            if url and _is_git_remote_url(url):
+                return url

    return build_default_ssh_url(repo)


-def _safe_git_output(args: List[str], cwd: str) -> Optional[str]:
-    """
-    Run a Git command via run_git and return its stdout, or None on failure.
-    """
-    try:
-        return run_git(args, cwd=cwd)
-    except GitError:
-        return None
-
-
-def current_origin_url(repo_dir: str) -> Optional[str]:
-    """
-    Return the current URL for remote 'origin', or None if not present.
-    """
-    output = _safe_git_output(["remote", "get-url", "origin"], cwd=repo_dir)
-    if not output:
-        return None
-    url = output.strip()
-    return url or None
-
-
 def has_origin_remote(repo_dir: str) -> bool:
-    """
-    Check whether a remote called 'origin' exists in the repository.
-    """
-    output = _safe_git_output(["remote"], cwd=repo_dir)
-    if not output:
+    try:
+        return "origin" in list_remotes(cwd=repo_dir)
+    except GitRunError:
        return False
-    names = output.split()
-    return "origin" in names


-def _ensure_push_urls_for_origin(
+def _set_origin_fetch_and_push(repo_dir: str, url: str, preview: bool) -> None:
+    """
+    Ensure origin has fetch URL and push URL set to the primary URL.
+    Preview is handled by the underlying git runner.
+    """
+    set_remote_url("origin", url, cwd=repo_dir, push=False, preview=preview)
+    set_remote_url("origin", url, cwd=repo_dir, push=True, preview=preview)
+
+
+def _ensure_additional_push_urls(
    repo_dir: str,
    mirrors: MirrorMap,
+    primary: str,
    preview: bool,
 ) -> None:
    """
-    Ensure that all mirror URLs are present as push URLs on 'origin'.
+    Ensure all *git* mirror URLs (except primary) are configured as additional
+    push URLs for origin.
+
+    Non-git URLs (like PyPI) are ignored and will never land in git config.
    """
-    desired: Set[str] = {url for url in mirrors.values() if url}
+    git_only = _git_mirrors_only(mirrors)
+    desired: Set[str] = {u for u in git_only.values() if u and u != primary}
    if not desired:
        return

-    existing_output = _safe_git_output(
-        ["remote", "get-url", "--push", "--all", "origin"],
-        cwd=repo_dir,
-    )
-    existing = set(existing_output.splitlines()) if existing_output else set()
+    try:
+        existing = get_remote_push_urls("origin", cwd=repo_dir)
+    except GitRunError:
+        existing = set()

-    missing = sorted(desired - existing)
-    for url in missing:
-        cmd = f"git remote set-url --add --push origin {url}"
-        if preview:
-            print(f"[PREVIEW] Would run in {repo_dir!r}: {cmd}")
-        else:
-            print(f"[INFO] Adding push URL to 'origin': {url}")
-            run_command(cmd, cwd=repo_dir, preview=False)
+    for url in sorted(desired - existing):
+        add_remote_push_url("origin", url, cwd=repo_dir, preview=preview)


 def ensure_origin_remote(
@@ -120,60 +134,33 @@ def ensure_origin_remote(
    ctx: RepoMirrorContext,
    preview: bool,
 ) -> None:
-    """
-    Ensure that a usable 'origin' remote exists and has all push URLs.
-    """
    repo_dir = ctx.repo_dir
-    resolved_mirrors = ctx.resolved_mirrors

    if not os.path.isdir(os.path.join(repo_dir, ".git")):
-        print(f"[WARN] {repo_dir} is not a Git repository (no .git directory).")
+        print(f"[WARN] {repo_dir} is not a Git repository.")
        return

-    url = determine_primary_remote_url(repo, resolved_mirrors)
+    primary = determine_primary_remote_url(repo, ctx)
+    if not primary or not _is_git_remote_url(primary):
+        print("[WARN] No valid git primary mirror URL could be determined.")
+        return

+    # 1) Ensure origin exists
    if not has_origin_remote(repo_dir):
-        if not url:
-            print(
-                "[WARN] Could not determine URL for 'origin' remote. "
-                "Please configure mirrors or provider/account/repository."
-            )
-            return
+        try:
+            add_remote("origin", primary, cwd=repo_dir, preview=preview)
+        except GitAddRemoteError as exc:
+            print(f"[WARN] Failed to add origin remote: {exc}")
+            return  # without origin we cannot reliably proceed

-        cmd = f"git remote add origin {url}"
-        if preview:
-            print(f"[PREVIEW] Would run in {repo_dir!r}: {cmd}")
-        else:
-            print(f"[INFO] Adding 'origin' remote in {repo_dir}: {url}")
-            run_command(cmd, cwd=repo_dir, preview=False)
-    else:
-        current = current_origin_url(repo_dir)
-        if current == url or not url:
-            print(
-                "[INFO] 'origin' already points to "
-                f"{current or '<unknown>'} (no change needed)."
-            )
-        else:
-            # We do not auto-change origin here, only log the mismatch.
-            print(
-                "[INFO] 'origin' exists with URL "
-                f"{current or '<unknown>'}; not changing to {url}."
-            )
-
-    # Ensure all mirrors are present as push URLs
-    _ensure_push_urls_for_origin(repo_dir, resolved_mirrors, preview)
-
-
-def is_remote_reachable(url: str, cwd: Optional[str] = None) -> bool:
-    """
-    Check whether a remote repository is reachable via `git ls-remote`.
-
-    This does NOT modify anything; it only probes the remote.
-    """
-    workdir = cwd or os.getcwd()
+    # 2) Ensure origin fetch+push URLs are correct
    try:
-        # --exit-code → non-zero exit code if the remote does not exist
-        run_git(["ls-remote", "--exit-code", url], cwd=workdir)
-        return True
-    except GitError:
-        return False
+        _set_origin_fetch_and_push(repo_dir, primary, preview)
+    except GitSetRemoteUrlError as exc:
+        print(f"[WARN] Failed to set origin URLs: {exc}")
+
+    # 3) Ensure additional push URLs for mirrors (git urls only)
+    try:
+        _ensure_additional_push_urls(repo_dir, ctx.resolved_mirrors, primary, preview)
+    except GitAddRemotePushUrlError as exc:
+        print(f"[WARN] Failed to add additional push URLs: {exc}")
--- a/src/pkgmgr/actions/mirror/io.py
+++ b/src/pkgmgr/actions/mirror/io.py
@@ -1,8 +1,9 @@
 from __future__ import annotations

 import os
+from collections.abc import Iterable, Mapping
+from typing import Union
 from urllib.parse import urlparse
-from typing import Mapping

 from .types import MirrorMap, Repository

@@ -32,7 +33,7 @@ def read_mirrors_file(repo_dir: str, filename: str = "MIRRORS") -> MirrorMap:
    """
    Supports:
        NAME URL
-        URL  → auto name = hostname
+        URL  -> auto-generate name from hostname
    """
    path = os.path.join(repo_dir, filename)
    mirrors: MirrorMap = {}
@@ -52,7 +53,8 @@ def read_mirrors_file(repo_dir: str, filename: str = "MIRRORS") -> MirrorMap:
                # Case 1: "name url"
                if len(parts) == 2:
                    name, url = parts
-                # Case 2: "url" → auto-generate name
+
+                # Case 2: "url" -> auto name
                elif len(parts) == 1:
                    url = parts[0]
                    parsed = urlparse(url)
@@ -67,21 +69,56 @@ def read_mirrors_file(repo_dir: str, filename: str = "MIRRORS") -> MirrorMap:
                    continue

                mirrors[name] = url
+
    except OSError as exc:
        print(f"[WARN] Could not read MIRRORS file at {path}: {exc}")

    return mirrors


+MirrorsInput = Union[Mapping[str, str], Iterable[str]]
+
+
 def write_mirrors_file(
    repo_dir: str,
-    mirrors: Mapping[str, str],
+    mirrors: MirrorsInput,
    filename: str = "MIRRORS",
    preview: bool = False,
 ) -> None:
+    """
+    Write MIRRORS in one of two formats:

+    1) Mapping[str, str] -> "NAME URL" per line (legacy / compatible)
+    2) Iterable[str]     -> "URL" per line (new preferred)
+
+    Strings are treated as a single URL (not iterated character-by-character).
+    """
    path = os.path.join(repo_dir, filename)
-    lines = [f"{name} {url}" for name, url in sorted(mirrors.items())]
+
+    lines: list[str]
+
+    if isinstance(mirrors, Mapping):
+        items = [
+            (str(name), str(url))
+            for name, url in mirrors.items()
+            if url is not None and str(url).strip()
+        ]
+        items.sort(key=lambda x: (x[0], x[1]))
+        lines = [f"{name} {url}" for name, url in items]
+
+    else:
+        if isinstance(mirrors, (str, bytes)):
+            urls = [str(mirrors).strip()]
+        else:
+            urls = [
+                str(url).strip()
+                for url in mirrors
+                if url is not None and str(url).strip()
+            ]
+
+        urls = sorted(set(urls))
+        lines = urls
+
    content = "\n".join(lines) + ("\n" if lines else "")

    if preview:
@@ -94,5 +131,6 @@ def write_mirrors_file(
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        print(f"[INFO] Wrote MIRRORS file at {path}")
+
    except OSError as exc:
        print(f"[ERROR] Failed to write MIRRORS file at {path}: {exc}")
--- a/src/pkgmgr/actions/mirror/merge_cmd.py
+++ b/src/pkgmgr/actions/mirror/merge_cmd.py
@@ -16,6 +16,7 @@ from .types import MirrorMap, Repository
 # Helpers
 # -----------------------------------------------------------------------------

+
 def _repo_key(repo: Repository) -> Tuple[str, str, str]:
    """
    Normalised key for identifying a repository in config files.
@@ -47,6 +48,7 @@ def _load_user_config(path: str) -> Dict[str, object]:
 # Main merge command
 # -----------------------------------------------------------------------------

+
 def merge_mirrors(
    selected_repos: List[Repository],
    repositories_base_dir: str,
--- a/src/pkgmgr/actions/mirror/remote_check.py
+++ b/src/pkgmgr/actions/mirror/remote_check.py
@@ -1,21 +0,0 @@
-# src/pkgmgr/actions/mirror/remote_check.py
-from __future__ import annotations
-
-from typing import Tuple
-
-from pkgmgr.core.git import GitError, run_git
-
-
-def probe_mirror(url: str, repo_dir: str) -> Tuple[bool, str]:
-    """
-    Probe a remote mirror URL using `git ls-remote`.
-
-    Returns:
-      (True, "") on success,
-      (False, error_message) on failure.
-    """
-    try:
-        run_git(["ls-remote", url], cwd=repo_dir)
-        return True, ""
-    except GitError as exc:
-        return False, str(exc)
--- a/src/pkgmgr/actions/mirror/remote_provision.py
+++ b/src/pkgmgr/actions/mirror/remote_provision.py
@@ -1,4 +1,3 @@
-# src/pkgmgr/actions/mirror/remote_provision.py
 from __future__ import annotations

 from typing import List
@@ -12,43 +11,37 @@ from .types import Repository
 from .url_utils import normalize_provider_host, parse_repo_from_git_url


-def ensure_remote_repository(
-    repo: Repository,
-    repositories_base_dir: str,
-    all_repos: List[Repository],
+def _provider_hint_from_host(host: str) -> str | None:
+    h = (host or "").lower()
+    if h == "github.com":
+        return "github"
+    # Best-effort default for self-hosted git domains
+    return "gitea" if h else None
+
+
+def ensure_remote_repository_for_url(
+    *,
+    url: str,
+    private_default: bool,
+    description: str,
    preview: bool,
 ) -> None:
-    ctx = build_context(repo, repositories_base_dir, all_repos)
-    resolved_mirrors = ctx.resolved_mirrors
-
-    primary_url = determine_primary_remote_url(repo, resolved_mirrors)
-    if not primary_url:
-        print("[INFO] No remote URL could be derived; skipping remote provisioning.")
-        return
-
-    host_raw, owner_from_url, name_from_url = parse_repo_from_git_url(primary_url)
+    host_raw, owner, name = parse_repo_from_git_url(url)
    host = normalize_provider_host(host_raw)

-    if not host or not owner_from_url or not name_from_url:
-        print("[WARN] Could not derive host/owner/repository from URL; cannot ensure remote repo.")
-        print(f"       url={primary_url!r}")
-        print(f"       host={host!r}, owner={owner_from_url!r}, repository={name_from_url!r}")
+    if not host or not owner or not name:
+        print(f"[WARN] Could not parse repo from URL: {url}")
        return

-    print("------------------------------------------------------------")
-    print(f"[REMOTE ENSURE] {ctx.identifier}")
-    print(f"[REMOTE ENSURE] host: {host}")
-    print("------------------------------------------------------------")
-
    spec = RepoSpec(
-        host=str(host),
-        owner=str(owner_from_url),
-        name=str(name_from_url),
-        private=bool(repo.get("private", True)),
-        description=str(repo.get("description", "")),
+        host=host,
+        owner=owner,
+        name=name,
+        private=private_default,
+        description=description,
    )

-    provider_kind = str(repo.get("provider", "")).strip().lower() or None
+    provider_kind = _provider_hint_from_host(host)

    try:
        result = ensure_remote_repo(
@@ -65,6 +58,29 @@ def ensure_remote_repository(
        if result.url:
            print(f"[REMOTE ENSURE] URL: {result.url}")
    except Exception as exc:  # noqa: BLE001
-        print(f"[ERROR] Remote provisioning failed: {exc}")
+        print(f"[ERROR] Remote provisioning failed for {url!r}: {exc}")

-    print()
+
+def ensure_remote_repository(
+    repo: Repository,
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    preview: bool,
+) -> None:
+    """
+    Backwards-compatible wrapper: ensure the *primary* remote repository
+    derived from the primary URL.
+    """
+    ctx = build_context(repo, repositories_base_dir, all_repos)
+
+    primary_url = determine_primary_remote_url(repo, ctx)
+    if not primary_url:
+        print("[INFO] No primary URL found; skipping remote provisioning.")
+        return
+
+    ensure_remote_repository_for_url(
+        url=primary_url,
+        private_default=bool(repo.get("private", True)),
+        description=str(repo.get("description", "")),
+        preview=preview,
+    )
--- a/src/pkgmgr/actions/mirror/setup_cmd.py
+++ b/src/pkgmgr/actions/mirror/setup_cmd.py
@@ -1,13 +1,90 @@
-# src/pkgmgr/actions/mirror/setup_cmd.py
 from __future__ import annotations

 from typing import List

+from pkgmgr.core.git.queries import probe_remote_reachable_detail
+from pkgmgr.core.remote_provisioning import ProviderHint, RepoSpec, set_repo_visibility
+from pkgmgr.core.remote_provisioning.visibility import VisibilityOptions
+
 from .context import build_context
-from .git_remote import ensure_origin_remote, determine_primary_remote_url
-from .remote_check import probe_mirror
-from .remote_provision import ensure_remote_repository
+from .git_remote import determine_primary_remote_url, ensure_origin_remote
+from .remote_provision import ensure_remote_repository_for_url
 from .types import Repository
+from .url_utils import normalize_provider_host, parse_repo_from_git_url
+
+
+def _is_git_remote_url(url: str) -> bool:
+    # Keep the same filtering semantics as in git_remote.py (duplicated on purpose
+    # to keep setup_cmd independent of private helpers).
+    u = (url or "").strip()
+    if not u:
+        return False
+    if u.startswith("git@"):
+        return True
+    if u.startswith("ssh://"):
+        return True
+    if (u.startswith("https://") or u.startswith("http://")) and u.endswith(".git"):
+        return True
+    return False
+
+
+def _provider_hint_from_host(host: str) -> str | None:
+    h = (host or "").lower()
+    if h == "github.com":
+        return "github"
+    return "gitea" if h else None
+
+
+def _apply_visibility_for_url(
+    *,
+    url: str,
+    private: bool,
+    description: str,
+    preview: bool,
+) -> None:
+    host_raw, owner, name = parse_repo_from_git_url(url)
+    host = normalize_provider_host(host_raw)
+
+    if not host or not owner or not name:
+        print(f"[WARN] Could not parse repo from URL: {url}")
+        return
+
+    spec = RepoSpec(
+        host=host,
+        owner=owner,
+        name=name,
+        private=private,
+        description=description,
+    )
+
+    provider_kind = _provider_hint_from_host(host)
+    res = set_repo_visibility(
+        spec,
+        private=private,
+        provider_hint=ProviderHint(kind=provider_kind),
+        options=VisibilityOptions(preview=preview),
+    )
+    print(f"[REMOTE VISIBILITY] {res.status.upper()}: {res.message}")
+
+
+def _print_probe_result(name: str | None, url: str, *, cwd: str) -> None:
+    """
+    Print probe result for a git remote URL, including a short failure reason.
+    """
+    ok, reason = probe_remote_reachable_detail(url, cwd=cwd)
+
+    prefix = f"{name}: " if name else ""
+    if ok:
+        print(f"[OK] {prefix}{url}")
+        return
+
+    print(f"[WARN] {prefix}{url}")
+    if reason:
+        reason = reason.strip()
+        if len(reason) > 240:
+            reason = reason[:240].rstrip() + "…"
+        print(f"       reason: {reason}")
+

 def _setup_local_mirrors_for_repo(
    repo: Repository,
@@ -22,7 +99,7 @@ def _setup_local_mirrors_for_repo(
    print(f"[MIRROR SETUP:LOCAL] dir: {ctx.repo_dir}")
    print("------------------------------------------------------------")

-    ensure_origin_remote(repo, ctx, preview=preview)
+    ensure_origin_remote(repo, ctx, preview)
    print()


@@ -32,49 +109,87 @@ def _setup_remote_mirrors_for_repo(
    all_repos: List[Repository],
    preview: bool,
    ensure_remote: bool,
+    ensure_visibility: str | None,
 ) -> None:
    ctx = build_context(repo, repositories_base_dir, all_repos)
-    resolved_mirrors = ctx.resolved_mirrors

    print("------------------------------------------------------------")
    print(f"[MIRROR SETUP:REMOTE] {ctx.identifier}")
    print(f"[MIRROR SETUP:REMOTE] dir: {ctx.repo_dir}")
    print("------------------------------------------------------------")

-    if ensure_remote:
-        ensure_remote_repository(
-            repo,
-            repositories_base_dir=repositories_base_dir,
-            all_repos=all_repos,
-            preview=preview,
-        )
+    git_mirrors = {
+        k: v for k, v in ctx.resolved_mirrors.items() if _is_git_remote_url(v)
+    }

-    if not resolved_mirrors:
-        primary_url = determine_primary_remote_url(repo, resolved_mirrors)
-        if not primary_url:
-            print("[INFO] No mirrors configured and no primary URL available.")
+    def _desired_private_default() -> bool:
+        # default behavior: repo['private'] (or True)
+        if ensure_visibility == "public":
+            return False
+        if ensure_visibility == "private":
+            return True
+        return bool(repo.get("private", True))
+
+    def _should_enforce_visibility() -> bool:
+        return ensure_visibility in ("public", "private")
+
+    def _visibility_private_value() -> bool:
+        return ensure_visibility == "private"
+
+    description = str(repo.get("description", ""))
+
+    # If there are no git mirrors, fall back to primary (git) URL.
+    if not git_mirrors:
+        primary = determine_primary_remote_url(repo, ctx)
+        if not primary or not _is_git_remote_url(primary):
+            print("[INFO] No git mirrors to probe or provision.")
            print()
            return

-        ok, error_message = probe_mirror(primary_url, ctx.repo_dir)
-        if ok:
-            print(f"[OK] primary: {primary_url}")
-        else:
-            print(f"[WARN] primary: {primary_url}")
-            for line in error_message.splitlines():
-                print(f"         {line}")
+        if ensure_remote:
+            print(f"[REMOTE ENSURE] ensuring primary: {primary}")
+            ensure_remote_repository_for_url(
+                url=primary,
+                private_default=_desired_private_default(),
+                description=description,
+                preview=preview,
+            )
+            # IMPORTANT: enforce visibility only if requested
+            if _should_enforce_visibility():
+                _apply_visibility_for_url(
+                    url=primary,
+                    private=_visibility_private_value(),
+                    description=description,
+                    preview=preview,
+                )
+            print()

+        _print_probe_result(None, primary, cwd=ctx.repo_dir)
        print()
        return

-    for name, url in sorted(resolved_mirrors.items()):
-        ok, error_message = probe_mirror(url, ctx.repo_dir)
-        if ok:
-            print(f"[OK] {name}: {url}")
-        else:
-            print(f"[WARN] {name}: {url}")
-            for line in error_message.splitlines():
-                print(f"         {line}")
+    # Provision ALL git mirrors (if requested)
+    if ensure_remote:
+        for name, url in git_mirrors.items():
+            print(f"[REMOTE ENSURE] ensuring mirror {name!r}: {url}")
+            ensure_remote_repository_for_url(
+                url=url,
+                private_default=_desired_private_default(),
+                description=description,
+                preview=preview,
+            )
+            if _should_enforce_visibility():
+                _apply_visibility_for_url(
+                    url=url,
+                    private=_visibility_private_value(),
+                    description=description,
+                    preview=preview,
+                )
+        print()
+
+    # Probe ALL git mirrors
+    for name, url in git_mirrors.items():
+        _print_probe_result(name, url, cwd=ctx.repo_dir)

    print()

@@ -87,21 +202,23 @@ def setup_mirrors(
    local: bool = True,
    remote: bool = True,
    ensure_remote: bool = False,
+    ensure_visibility: str | None = None,
 ) -> None:
    for repo in selected_repos:
        if local:
            _setup_local_mirrors_for_repo(
-                repo=repo,
-                repositories_base_dir=repositories_base_dir,
-                all_repos=all_repos,
-                preview=preview,
+                repo,
+                repositories_base_dir,
+                all_repos,
+                preview,
            )

        if remote:
            _setup_remote_mirrors_for_repo(
-                repo=repo,
-                repositories_base_dir=repositories_base_dir,
-                all_repos=all_repos,
-                preview=preview,
-                ensure_remote=ensure_remote,
+                repo,
+                repositories_base_dir,
+                all_repos,
+                preview,
+                ensure_remote,
+                ensure_visibility,
            )
--- a/src/pkgmgr/actions/mirror/url_utils.py
+++ b/src/pkgmgr/actions/mirror/url_utils.py
@@ -17,7 +17,7 @@ def hostport_from_git_url(url: str) -> Tuple[str, Optional[str]]:
            netloc = netloc.split("@", 1)[1]

        if netloc.startswith("[") and "]" in netloc:
-            host = netloc[1:netloc.index("]")]
+            host = netloc[1 : netloc.index("]")]
            rest = netloc[netloc.index("]") + 1 :]
            port = rest[1:] if rest.startswith(":") else None
            return host.strip(), (port.strip() if port else None)
@@ -43,7 +43,7 @@ def normalize_provider_host(host: str) -> str:
        return ""

    if host.startswith("[") and "]" in host:
-        host = host[1:host.index("]")]
+        host = host[1 : host.index("]")]

    if ":" in host and host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
--- a/src/pkgmgr/actions/mirror/visibility_cmd.py
+++ b/src/pkgmgr/actions/mirror/visibility_cmd.py
@@ -0,0 +1,134 @@
+from __future__ import annotations
+
+from typing import List
+
+from pkgmgr.core.remote_provisioning import ProviderHint, RepoSpec, set_repo_visibility
+from pkgmgr.core.remote_provisioning.visibility import VisibilityOptions
+
+from .context import build_context
+from .git_remote import determine_primary_remote_url
+from .types import Repository
+from .url_utils import normalize_provider_host, parse_repo_from_git_url
+
+
+def _is_git_remote_url(url: str) -> bool:
+    # Keep same semantics as setup_cmd.py / git_remote.py
+    u = (url or "").strip()
+    if not u:
+        return False
+    if u.startswith("git@"):
+        return True
+    if u.startswith("ssh://"):
+        return True
+    if (u.startswith("https://") or u.startswith("http://")) and u.endswith(".git"):
+        return True
+    return False
+
+
+def _provider_hint_from_host(host: str) -> str | None:
+    h = (host or "").lower()
+    if h == "github.com":
+        return "github"
+    # Best-effort default for self-hosted git domains
+    return "gitea" if h else None
+
+
+def _apply_visibility_for_url(
+    *,
+    url: str,
+    private: bool,
+    description: str,
+    preview: bool,
+) -> None:
+    host_raw, owner, name = parse_repo_from_git_url(url)
+    host = normalize_provider_host(host_raw)
+
+    if not host or not owner or not name:
+        print(f"[WARN] Could not parse repo from URL: {url}")
+        return
+
+    spec = RepoSpec(
+        host=host,
+        owner=owner,
+        name=name,
+        private=private,
+        description=description,
+    )
+
+    provider_kind = _provider_hint_from_host(host)
+    res = set_repo_visibility(
+        spec,
+        private=private,
+        provider_hint=ProviderHint(kind=provider_kind),
+        options=VisibilityOptions(preview=preview),
+    )
+    print(f"[REMOTE VISIBILITY] {res.status.upper()}: {res.message}")
+
+
+def set_mirror_visibility(
+    selected_repos: List[Repository],
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    *,
+    visibility: str,
+    preview: bool = False,
+) -> None:
+    """
+    Set remote repository visibility for all git mirrors of each selected repo.
+
+    visibility:
+      - "private"
+      - "public"
+    """
+    v = (visibility or "").strip().lower()
+    if v not in ("private", "public"):
+        raise ValueError("visibility must be 'private' or 'public'")
+
+    desired_private = v == "private"
+
+    for repo in selected_repos:
+        ctx = build_context(repo, repositories_base_dir, all_repos)
+
+        print("------------------------------------------------------------")
+        print(f"[MIRROR VISIBILITY] {ctx.identifier}")
+        print(f"[MIRROR VISIBILITY] dir: {ctx.repo_dir}")
+        print(f"[MIRROR VISIBILITY] target: {v}")
+        print("------------------------------------------------------------")
+
+        git_mirrors = {
+            name: url
+            for name, url in ctx.resolved_mirrors.items()
+            if url and _is_git_remote_url(url)
+        }
+
+        # If there are no git mirrors, fall back to primary (git) URL.
+        if not git_mirrors:
+            primary = determine_primary_remote_url(repo, ctx)
+            if not primary or not _is_git_remote_url(primary):
+                print(
+                    "[INFO] No git mirrors found (and no primary git URL). Nothing to do."
+                )
+                print()
+                continue
+
+            print(f"[MIRROR VISIBILITY] applying to primary: {primary}")
+            _apply_visibility_for_url(
+                url=primary,
+                private=desired_private,
+                description=str(repo.get("description", "")),
+                preview=preview,
+            )
+            print()
+            continue
+
+        # Apply to ALL git mirrors
+        for name, url in git_mirrors.items():
+            print(f"[MIRROR VISIBILITY] applying to mirror {name!r}: {url}")
+            _apply_visibility_for_url(
+                url=url,
+                private=desired_private,
+                description=str(repo.get("description", "")),
+                preview=preview,
+            )
+
+        print()
--- a/src/pkgmgr/actions/proxy.py
+++ b/src/pkgmgr/actions/proxy.py
@@ -4,7 +4,16 @@ from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.command.run import run_command
 import sys

-def exec_proxy_command(proxy_prefix: str, selected_repos, repositories_base_dir, all_repos, proxy_command: str, extra_args, preview: bool):
+
+def exec_proxy_command(
+    proxy_prefix: str,
+    selected_repos,
+    repositories_base_dir,
+    all_repos,
+    proxy_command: str,
+    extra_args,
+    preview: bool,
+):
    """Execute a given proxy command with extra arguments for each repository."""
    error_repos = []
    max_exit_code = 0
@@ -22,7 +31,9 @@ def exec_proxy_command(proxy_prefix: str, selected_repos, repositories_base_dir,
        try:
            run_command(full_cmd, cwd=repo_dir, preview=preview)
        except SystemExit as e:
-            print(f"[ERROR] Command failed in {repo_identifier} with exit code {e.code}.")
+            print(
+                f"[ERROR] Command failed in {repo_identifier} with exit code {e.code}."
+            )
            error_repos.append((repo_identifier, e.code))
            max_exit_code = max(max_exit_code, e.code)

@@ -30,4 +41,4 @@ def exec_proxy_command(proxy_prefix: str, selected_repos, repositories_base_dir,
        print("\nSummary of failed commands:")
        for repo_identifier, exit_code in error_repos:
            print(f"- {repo_identifier} failed with exit code {exit_code}")
-        sys.exit(max_exit_code)
+        sys.exit(max_exit_code)
--- a/src/pkgmgr/actions/publish/init.py
+++ b/src/pkgmgr/actions/publish/init.py
@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from .workflow import publish
+
+__all__ = ["publish"]
--- a/src/pkgmgr/actions/publish/git_tags.py
+++ b/src/pkgmgr/actions/publish/git_tags.py
@@ -0,0 +1,10 @@
+from __future__ import annotations
+
+from pkgmgr.core.git.queries import get_tags_at_ref
+from pkgmgr.core.version.semver import SemVer, is_semver_tag
+
+
+def head_semver_tags(cwd: str = ".") -> list[str]:
+    tags = get_tags_at_ref("HEAD", cwd=cwd)
+    tags = [t for t in tags if is_semver_tag(t) and t.startswith("v")]
+    return sorted(tags, key=SemVer.parse)
--- a/src/pkgmgr/actions/publish/pypi_url.py
+++ b/src/pkgmgr/actions/publish/pypi_url.py
@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from urllib.parse import urlparse
+
+from .types import PyPITarget
+
+
+def parse_pypi_project_url(url: str) -> PyPITarget | None:
+    u = (url or "").strip()
+    if not u:
+        return None
+
+    parsed = urlparse(u)
+    host = (parsed.netloc or "").lower()
+    path = (parsed.path or "").strip("/")
+
+    if host not in ("pypi.org", "test.pypi.org"):
+        return None
+
+    parts = [p for p in path.split("/") if p]
+    if len(parts) >= 2 and parts[0] == "project":
+        return PyPITarget(host=host, project=parts[1])
+
+    return None
--- a/src/pkgmgr/actions/publish/types.py
+++ b/src/pkgmgr/actions/publish/types.py
@@ -0,0 +1,9 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class PyPITarget:
+    host: str
+    project: str
--- a/src/pkgmgr/actions/publish/workflow.py
+++ b/src/pkgmgr/actions/publish/workflow.py
@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+import glob
+import os
+import shutil
+import subprocess
+
+from pkgmgr.actions.mirror.io import read_mirrors_file
+from pkgmgr.actions.mirror.types import Repository
+from pkgmgr.core.credentials.resolver import ResolutionOptions, TokenResolver
+from pkgmgr.core.version.semver import SemVer
+
+from .git_tags import head_semver_tags
+from .pypi_url import parse_pypi_project_url
+
+
+def _require_tool(module: str) -> None:
+    try:
+        subprocess.run(
+            ["python", "-m", module, "--help"],
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            check=True,
+        )
+    except Exception as exc:
+        raise RuntimeError(
+            f"Required Python module '{module}' is not available. "
+            f"Install it via: pip install {module}"
+        ) from exc
+
+
+def publish(
+    repo: Repository,
+    repo_dir: str,
+    *,
+    preview: bool = False,
+    interactive: bool = True,
+    allow_prompt: bool = True,
+) -> None:
+    mirrors = read_mirrors_file(repo_dir)
+
+    targets = []
+    for url in mirrors.values():
+        t = parse_pypi_project_url(url)
+        if t:
+            targets.append(t)
+
+    if not targets:
+        print("[INFO] No PyPI mirror found. Skipping publish.")
+        return
+
+    if len(targets) > 1:
+        raise RuntimeError("Multiple PyPI mirrors found; refusing to publish.")
+
+    tags = head_semver_tags(cwd=repo_dir)
+    if not tags:
+        print("[INFO] No version tag on HEAD. Skipping publish.")
+        return
+
+    tag = max(tags, key=SemVer.parse)
+    target = targets[0]
+
+    print(f"[INFO] Publishing {target.project} for tag {tag}")
+
+    if preview:
+        print("[PREVIEW] Would build and upload to PyPI.")
+        return
+
+    _require_tool("build")
+    _require_tool("twine")
+
+    dist_dir = os.path.join(repo_dir, "dist")
+    if os.path.isdir(dist_dir):
+        shutil.rmtree(dist_dir, ignore_errors=True)
+
+    subprocess.run(
+        ["python", "-m", "build"],
+        cwd=repo_dir,
+        check=True,
+    )
+
+    artifacts = sorted(glob.glob(os.path.join(dist_dir, "*")))
+    if not artifacts:
+        raise RuntimeError("No build artifacts found in dist/.")
+
+    resolver = TokenResolver()
+
+    # Store PyPI token per OS user (keyring is already user-scoped).
+    # Do NOT scope by project name.
+    token = resolver.get_token(
+        provider_kind="pypi",
+        host=target.host,
+        owner=None,
+        options=ResolutionOptions(
+            interactive=interactive,
+            allow_prompt=allow_prompt,
+            save_prompt_token_to_keyring=True,
+        ),
+    ).token
+
+    env = dict(os.environ)
+    env["TWINE_USERNAME"] = "__token__"
+    env["TWINE_PASSWORD"] = token
+
+    subprocess.run(
+        ["python", "-m", "twine", "upload", *artifacts],
+        cwd=repo_dir,
+        env=env,
+        check=True,
+    )
+
+    print("[INFO] Publish completed.")
--- a/src/pkgmgr/actions/release/files.py
+++ b/src/pkgmgr/actions/release/files.py
@@ -1,537 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-"""
-File and metadata update helpers for the release workflow.
-
-Responsibilities:
-  - Update pyproject.toml with the new version.
-  - Update flake.nix, PKGBUILD, RPM spec files where present.
-  - Prepend release entries to CHANGELOG.md.
-  - Maintain distribution-specific changelog files:
-      * debian/changelog
-      * RPM spec %changelog section
-    including maintainer metadata where applicable.
-"""
-
-from __future__ import annotations
-
-import os
-import re
-import subprocess
-import sys
-import tempfile
-from datetime import date, datetime
-from typing import Optional, Tuple
-
-
-# ---------------------------------------------------------------------------
-# Editor helper for interactive changelog messages
-# ---------------------------------------------------------------------------
-
-
-def _open_editor_for_changelog(initial_message: Optional[str] = None) -> str:
-    """
-    Open $EDITOR (fallback 'nano') so the user can enter a changelog message.
-
-    The temporary file is pre-filled with commented instructions and an
-    optional initial_message. Lines starting with '#' are ignored when the
-    message is read back.
-
-    Returns the final message (may be empty string if user leaves it blank).
-    """
-    editor = os.environ.get("EDITOR", "nano")
-
-    with tempfile.NamedTemporaryFile(
-        mode="w+",
-        delete=False,
-        encoding="utf-8",
-    ) as tmp:
-        tmp_path = tmp.name
-        tmp.write(
-            "# Write the changelog entry for this release.\n"
-            "# Lines starting with '#' will be ignored.\n"
-            "# Empty result will fall back to a generic message.\n\n"
-        )
-        if initial_message:
-            tmp.write(initial_message.strip() + "\n")
-        tmp.flush()
-
-    try:
-        subprocess.call([editor, tmp_path])
-    except FileNotFoundError:
-        print(
-            f"[WARN] Editor {editor!r} not found; proceeding without "
-            "interactive changelog message."
-        )
-
-    try:
-        with open(tmp_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    finally:
-        try:
-            os.remove(tmp_path)
-        except OSError:
-            pass
-
-    lines = [
-        line for line in content.splitlines()
-        if not line.strip().startswith("#")
-    ]
-    return "\n".join(lines).strip()
-
-
-# ---------------------------------------------------------------------------
-# File update helpers (pyproject + extra packaging + changelog)
-# ---------------------------------------------------------------------------
-
-def update_pyproject_version(
-    pyproject_path: str,
-    new_version: str,
-    preview: bool = False,
-) -> None:
-    """
-    Update the version in pyproject.toml with the new version.
-
-    The function looks for a line matching:
-
-        version = "X.Y.Z"
-
-    and replaces the version part with the given new_version string.
-
-    If the file does not exist, it is skipped without failing the release.
-    """
-    if not os.path.exists(pyproject_path):
-        print(
-            f"[INFO] pyproject.toml not found at: {pyproject_path}, "
-            "skipping version update."
-        )
-        return
-
-    try:
-        with open(pyproject_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    except OSError as exc:
-        print(
-            f"[WARN] Could not read pyproject.toml at {pyproject_path}: {exc}. "
-            "Skipping version update."
-        )
-        return
-
-    pattern = r'^(version\s*=\s*")([^"]+)(")'
-    new_content, count = re.subn(
-        pattern,
-        lambda m: f'{m.group(1)}{new_version}{m.group(3)}',
-        content,
-        flags=re.MULTILINE,
-    )
-
-    if count == 0:
-        print("[ERROR] Could not find version line in pyproject.toml")
-        sys.exit(1)
-
-    if preview:
-        print(f"[PREVIEW] Would update pyproject.toml version to {new_version}")
-        return
-
-    with open(pyproject_path, "w", encoding="utf-8") as f:
-        f.write(new_content)
-
-    print(f"Updated pyproject.toml version to {new_version}")
-
-
-def update_flake_version(
-    flake_path: str,
-    new_version: str,
-    preview: bool = False,
-) -> None:
-    """
-    Update the version in flake.nix, if present.
-    """
-    if not os.path.exists(flake_path):
-        print("[INFO] flake.nix not found, skipping.")
-        return
-
-    try:
-        with open(flake_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    except Exception as exc:
-        print(f"[WARN] Could not read flake.nix: {exc}")
-        return
-
-    pattern = r'(version\s*=\s*")([^"]+)(")'
-    new_content, count = re.subn(
-        pattern,
-        lambda m: f'{m.group(1)}{new_version}{m.group(3)}',
-        content,
-    )
-
-    if count == 0:
-        print("[WARN] No version assignment found in flake.nix, skipping.")
-        return
-
-    if preview:
-        print(f"[PREVIEW] Would update flake.nix version to {new_version}")
-        return
-
-    with open(flake_path, "w", encoding="utf-8") as f:
-        f.write(new_content)
-
-    print(f"Updated flake.nix version to {new_version}")
-
-
-def update_pkgbuild_version(
-    pkgbuild_path: str,
-    new_version: str,
-    preview: bool = False,
-) -> None:
-    """
-    Update the version in PKGBUILD, if present.
-
-    Expects:
-        pkgver=1.2.3
-        pkgrel=1
-    """
-    if not os.path.exists(pkgbuild_path):
-        print("[INFO] PKGBUILD not found, skipping.")
-        return
-
-    try:
-        with open(pkgbuild_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    except Exception as exc:
-        print(f"[WARN] Could not read PKGBUILD: {exc}")
-        return
-
-    ver_pattern = r"^(pkgver\s*=\s*)(.+)$"
-    new_content, ver_count = re.subn(
-        ver_pattern,
-        lambda m: f"{m.group(1)}{new_version}",
-        content,
-        flags=re.MULTILINE,
-    )
-
-    if ver_count == 0:
-        print("[WARN] No pkgver line found in PKGBUILD.")
-        new_content = content
-
-    rel_pattern = r"^(pkgrel\s*=\s*)(.+)$"
-    new_content, rel_count = re.subn(
-        rel_pattern,
-        lambda m: f"{m.group(1)}1",
-        new_content,
-        flags=re.MULTILINE,
-    )
-
-    if rel_count == 0:
-        print("[WARN] No pkgrel line found in PKGBUILD.")
-
-    if preview:
-        print(f"[PREVIEW] Would update PKGBUILD to pkgver={new_version}, pkgrel=1")
-        return
-
-    with open(pkgbuild_path, "w", encoding="utf-8") as f:
-        f.write(new_content)
-
-    print(f"Updated PKGBUILD to pkgver={new_version}, pkgrel=1")
-
-
-def update_spec_version(
-    spec_path: str,
-    new_version: str,
-    preview: bool = False,
-) -> None:
-    """
-    Update the version in an RPM spec file, if present.
-    """
-    if not os.path.exists(spec_path):
-        print("[INFO] RPM spec file not found, skipping.")
-        return
-
-    try:
-        with open(spec_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    except Exception as exc:
-        print(f"[WARN] Could not read spec file: {exc}")
-        return
-
-    ver_pattern = r"^(Version:\s*)(.+)$"
-    new_content, ver_count = re.subn(
-        ver_pattern,
-        lambda m: f"{m.group(1)}{new_version}",
-        content,
-        flags=re.MULTILINE,
-    )
-
-    if ver_count == 0:
-        print("[WARN] No 'Version:' line found in spec file.")
-
-    rel_pattern = r"^(Release:\s*)(.+)$"
-
-    def _release_repl(m: re.Match[str]) -> str:  # type: ignore[name-defined]
-        rest = m.group(2).strip()
-        match = re.match(r"^(\d+)(.*)$", rest)
-        if match:
-            suffix = match.group(2)
-        else:
-            suffix = ""
-        return f"{m.group(1)}1{suffix}"
-
-    new_content, rel_count = re.subn(
-        rel_pattern,
-        _release_repl,
-        new_content,
-        flags=re.MULTILINE,
-    )
-
-    if rel_count == 0:
-        print("[WARN] No 'Release:' line found in spec file.")
-
-    if preview:
-        print(
-            "[PREVIEW] Would update spec file "
-            f"{os.path.basename(spec_path)} to Version: {new_version}, Release: 1..."
-        )
-        return
-
-    with open(spec_path, "w", encoding="utf-8") as f:
-        f.write(new_content)
-
-    print(
-        f"Updated spec file {os.path.basename(spec_path)} "
-        f"to Version: {new_version}, Release: 1..."
-    )
-
-
-def update_changelog(
-    changelog_path: str,
-    new_version: str,
-    message: Optional[str] = None,
-    preview: bool = False,
-) -> str:
-    """
-    Prepend a new release section to CHANGELOG.md with the new version,
-    current date, and a message.
-    """
-    today = date.today().isoformat()
-
-    if message is None:
-        if preview:
-            message = "Automated release."
-        else:
-            print(
-                "\n[INFO] No release message provided, opening editor for "
-                "changelog entry...\n"
-            )
-            editor_message = _open_editor_for_changelog()
-            if not editor_message:
-                message = "Automated release."
-            else:
-                message = editor_message
-
-    header = f"## [{new_version}] - {today}\n"
-    header += f"\n* {message}\n\n"
-
-    if os.path.exists(changelog_path):
-        try:
-            with open(changelog_path, "r", encoding="utf-8") as f:
-                changelog = f.read()
-        except Exception as exc:
-            print(f"[WARN] Could not read existing CHANGELOG.md: {exc}")
-            changelog = ""
-    else:
-        changelog = ""
-
-    new_changelog = header + "\n" + changelog if changelog else header
-
-    print("\n================ CHANGELOG ENTRY ================")
-    print(header.rstrip())
-    print("=================================================\n")
-
-    if preview:
-        print(f"[PREVIEW] Would prepend new entry for {new_version} to CHANGELOG.md")
-        return message
-
-    with open(changelog_path, "w", encoding="utf-8") as f:
-        f.write(new_changelog)
-
-    print(f"Updated CHANGELOG.md with version {new_version}")
-
-    return message
-
-
-# ---------------------------------------------------------------------------
-# Debian changelog helpers (with Git config fallback for maintainer)
-# ---------------------------------------------------------------------------
-
-
-def _get_git_config_value(key: str) -> Optional[str]:
-    """
-    Try to read a value from `git config --get <key>`.
-    """
-    try:
-        result = subprocess.run(
-            ["git", "config", "--get", key],
-            capture_output=True,
-            text=True,
-            check=False,
-        )
-    except Exception:
-        return None
-
-    value = result.stdout.strip()
-    return value or None
-
-
-def _get_debian_author() -> Tuple[str, str]:
-    """
-    Determine the maintainer name/email for debian/changelog entries.
-    """
-    name = os.environ.get("DEBFULLNAME")
-    email = os.environ.get("DEBEMAIL")
-
-    if not name:
-        name = os.environ.get("GIT_AUTHOR_NAME")
-    if not email:
-        email = os.environ.get("GIT_AUTHOR_EMAIL")
-
-    if not name:
-        name = _get_git_config_value("user.name")
-    if not email:
-        email = _get_git_config_value("user.email")
-
-    if not name:
-        name = "Unknown Maintainer"
-    if not email:
-        email = "unknown@example.com"
-
-    return name, email
-
-
-def update_debian_changelog(
-    debian_changelog_path: str,
-    package_name: str,
-    new_version: str,
-    message: Optional[str] = None,
-    preview: bool = False,
-) -> None:
-    """
-    Prepend a new entry to debian/changelog, if it exists.
-    """
-    if not os.path.exists(debian_changelog_path):
-        print("[INFO] debian/changelog not found, skipping.")
-        return
-
-    debian_version = f"{new_version}-1"
-    now = datetime.now().astimezone()
-    date_str = now.strftime("%a, %d %b %Y %H:%M:%S %z")
-
-    author_name, author_email = _get_debian_author()
-
-    first_line = f"{package_name} ({debian_version}) unstable; urgency=medium"
-    body_line = message.strip() if message else f"Automated release {new_version}."
-    stanza = (
-        f"{first_line}\n\n"
-        f"  * {body_line}\n\n"
-        f" -- {author_name} <{author_email}>  {date_str}\n\n"
-    )
-
-    if preview:
-        print(
-            "[PREVIEW] Would prepend the following stanza to debian/changelog:\n"
-            f"{stanza}"
-        )
-        return
-
-    try:
-        with open(debian_changelog_path, "r", encoding="utf-8") as f:
-            existing = f.read()
-    except Exception as exc:
-        print(f"[WARN] Could not read debian/changelog: {exc}")
-        existing = ""
-
-    new_content = stanza + existing
-
-    with open(debian_changelog_path, "w", encoding="utf-8") as f:
-        f.write(new_content)
-
-    print(f"Updated debian/changelog with version {debian_version}")
-
-
-# ---------------------------------------------------------------------------
-# Fedora / RPM spec %changelog helper
-# ---------------------------------------------------------------------------
-
-
-def update_spec_changelog(
-    spec_path: str,
-    package_name: str,
-    new_version: str,
-    message: Optional[str] = None,
-    preview: bool = False,
-) -> None:
-    """
-    Prepend a new entry to the %changelog section of an RPM spec file,
-    if present.
-
-    Typical RPM-style entry:
-
-        * Tue Dec 09 2025 John Doe <john@example.com> - 0.5.1-1
-        - Your changelog message
-    """
-    if not os.path.exists(spec_path):
-        print("[INFO] RPM spec file not found, skipping spec changelog update.")
-        return
-
-    try:
-        with open(spec_path, "r", encoding="utf-8") as f:
-            content = f.read()
-    except Exception as exc:
-        print(f"[WARN] Could not read spec file for changelog update: {exc}")
-        return
-
-    debian_version = f"{new_version}-1"
-    now = datetime.now().astimezone()
-    date_str = now.strftime("%a %b %d %Y")
-
-    # Reuse Debian maintainer discovery for author name/email.
-    author_name, author_email = _get_debian_author()
-
-    body_line = message.strip() if message else f"Automated release {new_version}."
-
-    stanza = (
-        f"* {date_str} {author_name} <{author_email}> - {debian_version}\n"
-        f"- {body_line}\n\n"
-    )
-
-    marker = "%changelog"
-    idx = content.find(marker)
-
-    if idx == -1:
-        # No %changelog section yet: append one at the end.
-        new_content = content.rstrip() + "\n\n%changelog\n" + stanza
-    else:
-        # Insert stanza right after the %changelog line.
-        before = content[: idx + len(marker)]
-        after = content[idx + len(marker) :]
-        new_content = before + "\n" + stanza + after.lstrip("\n")
-
-    if preview:
-        print(
-            "[PREVIEW] Would update RPM %changelog section with the following "
-            "stanza:\n"
-            f"{stanza}"
-        )
-        return
-
-    try:
-        with open(spec_path, "w", encoding="utf-8") as f:
-            f.write(new_content)
-    except Exception as exc:
-        print(f"[WARN] Failed to write updated spec changelog section: {exc}")
-        return
-
-    print(
-        f"Updated RPM %changelog section in {os.path.basename(spec_path)} "
-        f"for {package_name} {debian_version}"
-    )
--- a/src/pkgmgr/actions/release/files/init.py
+++ b/src/pkgmgr/actions/release/files/init.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Backwards-compatible facade for the release file update helpers.
+
+Implementations live in this package:
+  pkgmgr.actions.release.files.*
+
+Keep this package stable so existing imports continue to work, e.g.:
+  from pkgmgr.actions.release.files import update_pyproject_version
+"""
+
+from __future__ import annotations
+
+from .editor import _open_editor_for_changelog
+from .pyproject import update_pyproject_version
+from .flake import update_flake_version
+from .pkgbuild import update_pkgbuild_version
+from .rpm_spec import update_spec_version
+from .changelog_md import update_changelog
+from .debian import _get_debian_author, update_debian_changelog
+from .rpm_changelog import update_spec_changelog
+
+__all__ = [
+    "_open_editor_for_changelog",
+    "update_pyproject_version",
+    "update_flake_version",
+    "update_pkgbuild_version",
+    "update_spec_version",
+    "update_changelog",
+    "_get_debian_author",
+    "update_debian_changelog",
+    "update_spec_changelog",
+]
--- a/src/pkgmgr/actions/release/files/changelog_md.py
+++ b/src/pkgmgr/actions/release/files/changelog_md.py
@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+import os
+from datetime import date
+from typing import Optional
+
+from .editor import _open_editor_for_changelog
+
+
+def update_changelog(
+    changelog_path: str,
+    new_version: str,
+    message: Optional[str] = None,
+    preview: bool = False,
+) -> str:
+    """
+    Prepend a new release section to CHANGELOG.md with the new version,
+    current date, and a message.
+    """
+    today = date.today().isoformat()
+
+    if message is None:
+        if preview:
+            message = "Automated release."
+        else:
+            print(
+                "\n[INFO] No release message provided, opening editor for changelog entry...\n"
+            )
+            editor_message = _open_editor_for_changelog()
+            if not editor_message:
+                message = "Automated release."
+            else:
+                message = editor_message
+
+    header = f"## [{new_version}] - {today}\n"
+    header += f"\n* {message}\n\n"
+
+    if os.path.exists(changelog_path):
+        try:
+            with open(changelog_path, "r", encoding="utf-8") as f:
+                changelog = f.read()
+        except Exception as exc:
+            print(f"[WARN] Could not read existing CHANGELOG.md: {exc}")
+            changelog = ""
+    else:
+        changelog = ""
+
+    new_changelog = header + "\n" + changelog if changelog else header
+
+    print("\n================ CHANGELOG ENTRY ================")
+    print(header.rstrip())
+    print("=================================================\n")
+
+    if preview:
+        print(f"[PREVIEW] Would prepend new entry for {new_version} to CHANGELOG.md")
+        return message
+
+    with open(changelog_path, "w", encoding="utf-8") as f:
+        f.write(new_changelog)
+
+    print(f"Updated CHANGELOG.md with version {new_version}")
+    return message
--- a/src/pkgmgr/actions/release/files/debian.py
+++ b/src/pkgmgr/actions/release/files/debian.py
@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import os
+from datetime import datetime
+from typing import Optional, Tuple
+
+from pkgmgr.core.git.queries import get_config_value
+
+
+def _get_debian_author() -> Tuple[str, str]:
+    name = os.environ.get("DEBFULLNAME")
+    email = os.environ.get("DEBEMAIL")
+
+    if not name:
+        name = os.environ.get("GIT_AUTHOR_NAME")
+    if not email:
+        email = os.environ.get("GIT_AUTHOR_EMAIL")
+
+    if not name:
+        name = get_config_value("user.name")
+    if not email:
+        email = get_config_value("user.email")
+
+    if not name:
+        name = "Unknown Maintainer"
+    if not email:
+        email = "unknown@example.com"
+
+    return name, email
+
+
+def update_debian_changelog(
+    debian_changelog_path: str,
+    package_name: str,
+    new_version: str,
+    message: Optional[str] = None,
+    preview: bool = False,
+) -> None:
+    if not os.path.exists(debian_changelog_path):
+        print("[INFO] debian/changelog not found, skipping.")
+        return
+
+    debian_version = f"{new_version}-1"
+    now = datetime.now().astimezone()
+    date_str = now.strftime("%a, %d %b %Y %H:%M:%S %z")
+
+    author_name, author_email = _get_debian_author()
+
+    first_line = f"{package_name} ({debian_version}) unstable; urgency=medium"
+    body_line = message.strip() if message else f"Automated release {new_version}."
+    stanza = (
+        f"{first_line}\n\n"
+        f"  * {body_line}\n\n"
+        f" -- {author_name} <{author_email}>  {date_str}\n\n"
+    )
+
+    if preview:
+        print(
+            "[PREVIEW] Would prepend the following stanza to debian/changelog:\n"
+            f"{stanza}"
+        )
+        return
+
+    try:
+        with open(debian_changelog_path, "r", encoding="utf-8") as f:
+            existing = f.read()
+    except Exception as exc:
+        print(f"[WARN] Could not read debian/changelog: {exc}")
+        existing = ""
+
+    with open(debian_changelog_path, "w", encoding="utf-8") as f:
+        f.write(stanza + existing)
+
+    print(f"Updated debian/changelog with version {debian_version}")
--- a/src/pkgmgr/actions/release/files/editor.py
+++ b/src/pkgmgr/actions/release/files/editor.py
@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import os
+import subprocess
+import tempfile
+from typing import Optional
+
+
+def _open_editor_for_changelog(initial_message: Optional[str] = None) -> str:
+    editor = os.environ.get("EDITOR", "nano")
+
+    with tempfile.NamedTemporaryFile(
+        mode="w+",
+        delete=False,
+        encoding="utf-8",
+    ) as tmp:
+        tmp_path = tmp.name
+        tmp.write(
+            "# Write the changelog entry for this release.\n"
+            "# Lines starting with '#' will be ignored.\n"
+            "# Empty result will fall back to a generic message.\n\n"
+        )
+        if initial_message:
+            tmp.write(initial_message.strip() + "\n")
+        tmp.flush()
+
+    try:
+        subprocess.call([editor, tmp_path])
+    except FileNotFoundError:
+        print(
+            f"[WARN] Editor {editor!r} not found; proceeding without "
+            "interactive changelog message."
+        )
+
+    try:
+        with open(tmp_path, "r", encoding="utf-8") as f:
+            content = f.read()
+    finally:
+        try:
+            os.remove(tmp_path)
+        except OSError:
+            pass
+
+    lines = [line for line in content.splitlines() if not line.strip().startswith("#")]
+    return "\n".join(lines).strip()
--- a/src/pkgmgr/actions/release/files/flake.py
+++ b/src/pkgmgr/actions/release/files/flake.py
@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+import os
+import re
+
+
+def update_flake_version(
+    flake_path: str, new_version: str, preview: bool = False
+) -> None:
+    if not os.path.exists(flake_path):
+        print("[INFO] flake.nix not found, skipping.")
+        return
+
+    try:
+        with open(flake_path, "r", encoding="utf-8") as f:
+            content = f.read()
+    except Exception as exc:
+        print(f"[WARN] Could not read flake.nix: {exc}")
+        return
+
+    pattern = r'(version\s*=\s*")([^"]+)(")'
+    new_content, count = re.subn(
+        pattern,
+        lambda m: f"{m.group(1)}{new_version}{m.group(3)}",
+        content,
+    )
+
+    if count == 0:
+        print("[WARN] No version found in flake.nix.")
+        return
+
+    if preview:
+        print(f"[PREVIEW] Would update flake.nix version to {new_version}")
+        return
+
+    with open(flake_path, "w", encoding="utf-8") as f:
+        f.write(new_content)
+
+    print(f"Updated flake.nix version to {new_version}")
--- a/src/pkgmgr/actions/release/files/pkgbuild.py
+++ b/src/pkgmgr/actions/release/files/pkgbuild.py
@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+import os
+import re
+
+
+def update_pkgbuild_version(
+    pkgbuild_path: str, new_version: str, preview: bool = False
+) -> None:
+    if not os.path.exists(pkgbuild_path):
+        print("[INFO] PKGBUILD not found, skipping.")
+        return
+
+    try:
+        with open(pkgbuild_path, "r", encoding="utf-8") as f:
+            content = f.read()
+    except Exception as exc:
+        print(f"[WARN] Could not read PKGBUILD: {exc}")
+        return
+
+    content, _ = re.subn(
+        r"^(pkgver\s*=\s*)(.+)$",
+        lambda m: f"{m.group(1)}{new_version}",
+        content,
+        flags=re.MULTILINE,
+    )
+    content, _ = re.subn(
+        r"^(pkgrel\s*=\s*)(.+)$",
+        lambda m: f"{m.group(1)}1",
+        content,
+        flags=re.MULTILINE,
+    )
+
+    if preview:
+        print(f"[PREVIEW] Would update PKGBUILD to pkgver={new_version}, pkgrel=1")
+        return
+
+    with open(pkgbuild_path, "w", encoding="utf-8") as f:
+        f.write(content)
+
+    print(f"Updated PKGBUILD to pkgver={new_version}, pkgrel=1")
--- a/src/pkgmgr/actions/release/files/pyproject.py
+++ b/src/pkgmgr/actions/release/files/pyproject.py
@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import os
+import re
+
+
+def update_pyproject_version(
+    pyproject_path: str, new_version: str, preview: bool = False
+) -> None:
+    if not os.path.exists(pyproject_path):
+        print(f"[INFO] pyproject.toml not found at: {pyproject_path}, skipping.")
+        return
+
+    try:
+        with open(pyproject_path, "r", encoding="utf-8") as f:
+            content = f.read()
+    except OSError as exc:
+        print(f"[WARN] Could not read pyproject.toml: {exc}")
+        return
+
+    m = re.search(r"(?ms)^\s*\[project\]\s*$.*?(?=^\s*\[|\Z)", content)
+    if not m:
+        raise RuntimeError("Missing [project] section in pyproject.toml")
+
+    project_block = m.group(0)
+    ver_pat = r'(?m)^(\s*version\s*=\s*")([^"]+)(")\s*$'
+
+    new_block, count = re.subn(
+        ver_pat,
+        lambda mm: f"{mm.group(1)}{new_version}{mm.group(3)}",
+        project_block,
+    )
+    if count == 0:
+        raise RuntimeError("Missing version key in [project] section")
+
+    new_content = content[: m.start()] + new_block + content[m.end() :]
+
+    if preview:
+        print(f"[PREVIEW] Would update pyproject.toml version to {new_version}")
+        return
+
+    with open(pyproject_path, "w", encoding="utf-8") as f:
+        f.write(new_content)
+
+    print(f"Updated pyproject.toml version to {new_version}")
--- a/Show More
+++ b/Show More