Release version 1.6.4

* Add reusable fakes for runner and retry logic
* Cover conflict resolution paths (store-prefix, output-token, textual fallback)
* Add unit tests for profile parsing, normalization, matching, and text parsing
* Verify installer core behavior for success, mandatory failure, and optional failure
* Keep tests Nix-free using pure unittest + mocks

https://chatgpt.com/share/693efe80-d928-800f-98b7-0aaafee1d32a

.github/workflows/ci.yml

@@ -28,8 +28,8 @@ jobs:
   test-virgin-root:
     uses: ./.github/workflows/test-virgin-root.yml
 
-  codesniffer-shellcheck:
-    uses: ./.github/workflows/codesniffer-shellcheck.yml
+  linter-shell:
+    uses: ./.github/workflows/linter-shell.yml
 
-  codesniffer-ruff:
-    uses: ./.github/workflows/codesniffer-ruff.yml
+  linter-python:
+    uses: ./.github/workflows/linter-python.yml

.github/workflows/linter-python.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
 
 jobs:
-  codesniffer-ruff:
+  linter-python:
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/linter-shell.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
 
 jobs:
-  codesniffer-shellcheck:
+  linter-shell:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/mark-stable.yml

@@ -29,16 +29,16 @@ jobs:
   test-virgin-root:
     uses: ./.github/workflows/test-virgin-root.yml
 
-  codesniffer-shellcheck:
-    uses: ./.github/workflows/codesniffer-shellcheck.yml
+  linter-shell:
+    uses: ./.github/workflows/linter-shell.yml
 
-  codesniffer-ruff:
-    uses: ./.github/workflows/codesniffer-ruff.yml
+  linter-python:
+    uses: ./.github/workflows/linter-python.yml
 
   mark-stable:
     needs:
-      - codesniffer-shellcheck
-      - codesniffer-ruff
+      - linter-shell
+      - linter-python
       - test-unit
       - test-integration
       - test-env-nix

.github/workflows/publish-containers.yml

@@ -19,7 +19,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          fetch-tags: true
 
       - name: Checkout workflow_run commit and refresh tags
         run: |
@@ -35,22 +34,30 @@ jobs:
           SHA="$(git rev-parse HEAD)"
 
           V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
-          [[ -n "$V_TAG" ]] || { echo "No version tag found"; exit 1; }
+          if [[ -z "${V_TAG}" ]]; then
+            echo "No version tag found for ${SHA}. Skipping publish."
+            echo "should_publish=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           VERSION="${V_TAG#v}"
 
           STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
           IS_STABLE=false
           [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
 
+          echo "should_publish=true" >> "$GITHUB_OUTPUT"
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         uses: docker/setup-buildx-action@v3
         with:
           use: true
 
       - name: Login to GHCR
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -58,6 +65,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish all images
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         run: |
           set -euo pipefail
           OWNER="${{ github.repository_owner }}" \

.github/workflows/test-virgin-root.yml

@@ -46,8 +46,6 @@ jobs:
 
               . "$HOME/.venvs/pkgmgr/bin/activate"
 
-              export NIX_CONFIG="experimental-features = nix-command flakes"
-
               pkgmgr update pkgmgr --clone-mode shallow --no-verification
               pkgmgr version pkgmgr
 

.github/workflows/test-virgin-user.yml

@@ -59,7 +59,6 @@ jobs:
                 pkgmgr version pkgmgr
 
                 export NIX_REMOTE=local
-                export NIX_CONFIG=\"experimental-features = nix-command flakes\"
                 nix run /src#pkgmgr -- version pkgmgr
               "
             '

CHANGELOG.md

@@ -1,3 +1,46 @@
+## [1.6.4] - 2025-12-14
+
+* * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+
+## [1.6.3] - 2025-12-14
+
+* ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
+
+## [1.6.2] - 2025-12-14
+
+* **pkgmgr version** now also shows the installed pkgmgr version when run outside a repository.
+
+
+## [1.6.1] - 2025-12-14
+
+* * Added automatic retry handling for GitHub 403 / rate-limit errors during Nix flake installs (Fibonacci backoff with jitter).
+
+
+## [1.6.0] - 2025-12-14
+
+* *** Changed ***
+- Unified update handling via a single top-level `pkgmgr update` command, removing ambiguous update paths.
+- Improved update reliability by routing all update logic through a central UpdateManager.
+- Renamed system update flag from `--system-update` to `--system` for clarity and consistency.
+- Made mirror handling explicit and safer by separating setup, check, and provision responsibilities.
+- Improved credential resolution for remote providers (environment → keyring → interactive).
+
+*** Added ***
+- Optional system updates via `pkgmgr update --system` (Arch, Debian/Ubuntu, Fedora/RHEL).
+- `pkgmgr install --update` to force re-running installers and refresh existing installations.
+- Remote repository provisioning for mirrors on supported providers.
+- Extended end-to-end test coverage for update and mirror workflows.
+
+*** Fixed ***
+- Resolved “Unknown repos command: update” errors after CLI refactoring.
+- Improved Nix update stability and reduced CI failures caused by transient rate limits.
+
+
 ## [1.5.0] - 2025-12-13
 
 * - Commands now show live output while running, making long operations easier to follow

Dockerfile

@@ -36,9 +36,6 @@ CMD ["bash"]
 # ============================================================
 FROM virgin AS full
 
-# Nix environment defaults (only config; nix itself comes from deps/install flow)
-ENV NIX_CONFIG="experimental-features = nix-command flakes"
-
 WORKDIR /build
 
 # Copy full repository for build

MIRRORS

@@ -1,3 +1,3 @@
 git@github.com:kevinveenbirkenbach/package-manager.git
 ssh://git@git.veen.world:2201/kevinveenbirkenbach/pkgmgr.git
-ssh://git@code.cymais.cloud:2201/kevinveenbirkenbach/pkgmgr.git
+ssh://git@code.infinito.nexus:2201/kevinveenbirkenbach/pkgmgr.git

Makefile

@@ -44,7 +44,7 @@ install:
 # ------------------------------------------------------------
 
 # Default: keep current auto-detection behavior
-setup: setup-nix setup-venv
+setup: setup-venv
 
 # Explicit: developer setup (Python venv + shell RC + install)
 setup-venv: setup-nix

flake.nix

@@ -32,7 +32,7 @@
         rec {
           pkgmgr = pyPkgs.buildPythonApplication {
             pname   = "package-manager";
-            version = "1.5.0";
+            version = "1.6.4";
 
             # Use the git repo as source
             src = ./.;

packaging/arch/PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Kevin Veen-Birkenbach <info@veen.world>
 
 pkgname=package-manager
-pkgver=0.9.1
+pkgver=1.6.4
 pkgrel=1
 pkgdesc="Local-flake wrapper for Kevin's package-manager (Nix-based)."
 arch=('any')
@@ -47,7 +47,7 @@ package() {
   cd "$srcdir/$_srcdir_name"
 
   # Install the wrapper into /usr/bin
-  install -Dm0755 "scripts/pkgmgr-wrapper.sh" \
+  install -Dm0755 "scripts/launcher.sh" \
     "$pkgdir/usr/bin/pkgmgr"
 
   # Install Nix bootstrap (init + lib)

packaging/debian/changelog

@@ -1,3 +1,18 @@
+package-manager (1.6.4-1) unstable; urgency=medium
+
+  * * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 19:33:07 +0100
+
+package-manager (1.6.3-1) unstable; urgency=medium
+
+  * ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 13:39:52 +0100
+
 package-manager (0.9.1-1) unstable; urgency=medium
 
   * * Refactored installer: new `venv-create.sh`, cleaner root/user setup flow, updated README with architecture map.

packaging/debian/rules

@@ -28,7 +28,7 @@ override_dh_auto_install:
 	install -d debian/package-manager/usr/lib/package-manager
 
 	# Install wrapper
-	install -m0755 scripts/pkgmgr-wrapper.sh \
+	install -m0755 scripts/launcher.sh \
 		debian/package-manager/usr/bin/pkgmgr
 
 	# Install Nix bootstrap (init + lib)

packaging/fedora/package-manager.spec

@@ -1,5 +1,5 @@
 Name:           package-manager
-Version:        0.9.1
+Version:        1.6.4
 Release:        1%{?dist}
 Summary:        Wrapper that runs Kevin's package-manager via Nix flake
 
@@ -42,7 +42,7 @@ install -d %{buildroot}/usr/lib/package-manager
 cp -a . %{buildroot}/usr/lib/package-manager/
 
 # Wrapper
-install -m0755 scripts/pkgmgr-wrapper.sh %{buildroot}%{_bindir}/pkgmgr
+install -m0755 scripts/launcher.sh %{buildroot}%{_bindir}/pkgmgr
 
 # Nix bootstrap (init + lib)
 install -d %{buildroot}/usr/lib/package-manager/nix
@@ -74,6 +74,15 @@ echo ">>> package-manager removed. Nix itself was not removed."
 /usr/lib/package-manager/
 
 %changelog
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.6.4-1
+- * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.6.3-1
+- ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
 * Wed Dec 10 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 0.9.1-1
 - * Refactored installer: new `venv-create.sh`, cleaner root/user setup flow, updated README with architecture map.
 * Split virgin tests into root/user workflows; stabilized Nix installer across distros; improved test scripts with dynamic distro selection and isolated Nix stores.

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "package-manager"
-version = "1.5.0"
+version = "1.6.4"
 description = "Kevin's package-manager tool (pkgmgr)"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -19,16 +19,17 @@ authors = [
 
 # Base runtime dependencies
 dependencies = [
-  "PyYAML>=6.0"
+  "PyYAML>=6.0",
+  "tomli; python_version < \"3.11\"",
 ]
 
 [project.urls]
-Homepage = "https://github.com/kevinveenbirkenbach/package-manager"
+Homepage = "https://s.veen.world/pkgmgr"
 Source   = "https://github.com/kevinveenbirkenbach/package-manager"
 
 [project.optional-dependencies]
+keyring = ["keyring>=24.0.0"]
 dev = [
-  "pytest",
   "mypy"
 ]
 

scripts/launcher.sh

@@ -1,12 +1,17 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Ensure NIX_CONFIG has our defaults if not already set
-if [[ -z "${NIX_CONFIG:-}" ]]; then
-  export NIX_CONFIG="experimental-features = nix-command flakes"
-fi
-
 FLAKE_DIR="/usr/lib/package-manager"
+NIX_LIB_DIR="${FLAKE_DIR}/nix/lib"
+RETRY_LIB="${NIX_LIB_DIR}/retry_403.sh"
+
+# ---------------------------------------------------------------------------
+# Hard requirement: retry helper must exist (fail if missing)
+# ---------------------------------------------------------------------------
+if [[ ! -f "${RETRY_LIB}" ]]; then
+  echo "[launcher] ERROR: Required retry helper not found: ${RETRY_LIB}" >&2
+  exit 1
+fi
 
 # ---------------------------------------------------------------------------
 # Try to ensure that "nix" is on PATH (common locations + container user)
@@ -37,12 +42,16 @@ if ! command -v nix >/dev/null 2>&1; then
 fi
 
 # ---------------------------------------------------------------------------
-# Primary path: use Nix flake if available
+# Primary path: use Nix flake if available (with GitHub 403 retry)
 # ---------------------------------------------------------------------------
-if command -v nix >/dev/null 2>&1; then
+if declare -F run_with_github_403_retry >/dev/null; then
+  # shellcheck source=./scripts/nix/lib/retry_403.sh
+  source "${RETRY_LIB}"
+  exec run_with_github_403_retry nix run "${FLAKE_DIR}#pkgmgr" -- "$@"
+else
   exec nix run "${FLAKE_DIR}#pkgmgr" -- "$@"
 fi
 
-echo "[pkgmgr-wrapper] ERROR: 'nix' binary not found on PATH after init."
-echo "[pkgmgr-wrapper] Nix is required to run pkgmgr (no Python fallback)."
+echo "[launcher] ERROR: 'nix' binary not found on PATH after init."
+echo "[launcher] Nix is required to run pkgmgr (no Python fallback)."
 exit 1

scripts/nix/lib/nix_conf_file.sh

@@ -11,45 +11,79 @@ nixconf_file_path() {
   echo "/etc/nix/nix.conf"
 }
 
-nixconf_ensure_experimental_features() {
-  local nix_conf want
-  nix_conf="$(nixconf_file_path)"
-  want="experimental-features = nix-command flakes"
+# Ensure a given nix.conf key contains required tokens (merged, no duplicates)
+nixconf_ensure_features_key() {
+  local nix_conf="$1"
+  local key="$2"
+  shift 2
+  local required=("$@")
 
   mkdir -p /etc/nix
 
+  # Create file if missing (with just the required tokens)
   if [[ ! -f "${nix_conf}" ]]; then
+    local want="${key} = ${required[*]}"
     echo "[nix-conf] Creating ${nix_conf} with: ${want}"
     printf "%s\n" "${want}" >"${nix_conf}"
     return 0
   fi
 
-  if grep -qE '^\s*experimental-features\s*=' "${nix_conf}"; then
-    if grep -qE '^\s*experimental-features\s*=.*\bnix-command\b' "${nix_conf}" \
-      && grep -qE '^\s*experimental-features\s*=.*\bflakes\b' "${nix_conf}"; then
-      echo "[nix-conf] experimental-features already correct"
+  # Key exists -> merge tokens
+  if grep -qE "^\s*${key}\s*=" "${nix_conf}"; then
+    local ok=1
+    local t
+    for t in "${required[@]}"; do
+      if ! grep -qE "^\s*${key}\s*=.*\b${t}\b" "${nix_conf}"; then
+        ok=0
+        break
+      fi
+    done
+
+    if [[ "$ok" -eq 1 ]]; then
+      echo "[nix-conf] ${key} already correct"
       return 0
     fi
 
-    echo "[nix-conf] Extending experimental-features in ${nix_conf}"
+    echo "[nix-conf] Extending ${key} in ${nix_conf}"
 
     local current
-    current="$(grep -E '^\s*experimental-features\s*=' "${nix_conf}" | head -n1 | cut -d= -f2-)"
+    current="$(grep -E "^\s*${key}\s*=" "${nix_conf}" | head -n1 | cut -d= -f2-)"
     current="$(echo "${current}" | xargs)" # trim
 
-    # Build a merged feature string without duplicates (simple token set)
-    local merged="nix-command flakes"
+    local merged=""
     local token
+
+    # Start with existing tokens
     for token in ${current}; do
       if [[ " ${merged} " != *" ${token} "* ]]; then
         merged="${merged} ${token}"
       fi
     done
 
-    sed -i "s|^\s*experimental-features\s*=.*|experimental-features = ${merged}|" "${nix_conf}"
+    # Add required tokens
+    for token in "${required[@]}"; do
+      if [[ " ${merged} " != *" ${token} "* ]]; then
+        merged="${merged} ${token}"
+      fi
+    done
+
+    merged="$(echo "${merged}" | xargs)" # trim
+
+    sed -i "s|^\s*${key}\s*=.*|${key} = ${merged}|" "${nix_conf}"
     return 0
   fi
 
+  # Key missing -> append
+  local want="${key} = ${required[*]}"
   echo "[nix-conf] Appending to ${nix_conf}: ${want}"
   printf "\n%s\n" "${want}" >>"${nix_conf}"
 }
+
+nixconf_ensure_experimental_features() {
+  local nix_conf
+  nix_conf="$(nixconf_file_path)"
+
+  # Ensure both keys to avoid prompts and cover older/alternate expectations
+  nixconf_ensure_features_key "${nix_conf}" "experimental-features" "nix-command" "flakes"
+  nixconf_ensure_features_key "${nix_conf}" "extra-experimental-features" "nix-command" "flakes"
+}

scripts/test/test-e2e.sh

@@ -49,7 +49,7 @@ docker run --rm \
       # Gitdir path shown in the "dubious ownership" error
       git config --global --add safe.directory /src/.git || true
       # Ephemeral CI containers: allow all paths as a last resort
-      git config --global --add safe.directory '*' || true
+      git config --global --add safe.directory "*" || true
     fi
 
     # Run the E2E tests inside the Nix development shell

scripts/test/test-env-virtual.sh

@@ -1,32 +1,49 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-IMAGE="pkgmgr-$PKGMGR_DISTRO"
+IMAGE="pkgmgr-${PKGMGR_DISTRO}"
 
 echo
 echo "------------------------------------------------------------"
-echo ">>> Testing VENV: $IMAGE"
+echo ">>> Testing VENV: ${IMAGE}"
 echo "------------------------------------------------------------"
+
 echo "[test-env-virtual] Inspect image metadata:"
-docker image inspect "$IMAGE" | sed -n '1,40p'
-
-echo "[test-env-virtual] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
+docker image inspect "${IMAGE}" | sed -n '1,40p'
 echo
 
-# Run the command and capture the output
+# ------------------------------------------------------------
+# Run VENV-based pkgmgr test inside container
+# ------------------------------------------------------------
 if OUTPUT=$(docker run --rm \
-        -e REINSTALL_PKGMGR=1 \
-        -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
-        -v "$(pwd):/src" \
-        -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
-        "$IMAGE" 2>&1); then
+    -e REINSTALL_PKGMGR=1 \
+    -v "$(pwd):/src" \
+    -w /src \
+    "${IMAGE}" \
+    bash -lc '
+        set -euo pipefail
+
+        echo "[test-env-virtual] Installing pkgmgr (distro package)..."
+        make install
+
+        echo "[test-env-virtual] Setting up Python venv..."
+        make setup-venv
+
+        echo "[test-env-virtual] Activating venv..."
+        . "$HOME/.venvs/pkgmgr/bin/activate"
+
+        echo "[test-env-virtual] Using pkgmgr from:"
+        command -v pkgmgr
+        pkgmgr --help
+    ' 2>&1); then
+
     echo "$OUTPUT"
     echo
-    echo "[test-env-virtual] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
+    echo "[test-env-virtual] SUCCESS: venv-based pkgmgr works in ${IMAGE}"
 
 else
     echo "$OUTPUT"
     echo
-    echo "[test-env-virtual] ERROR: $IMAGE failed to run 'pkgmgr --help'"
+    echo "[test-env-virtual] ERROR: venv-based pkgmgr failed in ${IMAGE}"
     exit 1
-fi
+fi

src/pkgmgr/actions/install/__init__.py

@@ -1,3 +1,4 @@
+# src/pkgmgr/actions/install/__init__.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
@@ -27,7 +28,7 @@ from pkgmgr.actions.install.installers.os_packages import (
     DebianControlInstaller,
     RpmSpecInstaller,
 )
-from pkgmgr.actions.install.installers.nix_flake import (
+from pkgmgr.actions.install.installers.nix import (
     NixFlakeInstaller,
 )
 from pkgmgr.actions.install.installers.python import PythonInstaller
@@ -36,10 +37,8 @@ from pkgmgr.actions.install.installers.makefile import (
 )
 from pkgmgr.actions.install.pipeline import InstallationPipeline
 
-
 Repository = Dict[str, Any]
 
-# All available installers, in the order they should be considered.
 INSTALLERS = [
     ArchPkgbuildInstaller(),
     DebianControlInstaller(),
@@ -50,11 +49,6 @@ INSTALLERS = [
 ]
 
 
-# ---------------------------------------------------------------------------
-# Internal helpers
-# ---------------------------------------------------------------------------
-
-
 def _ensure_repo_dir(
     repo: Repository,
     repositories_base_dir: str,
@@ -137,6 +131,7 @@ def _create_context(
     quiet: bool,
     clone_mode: str,
     update_dependencies: bool,
+    force_update: bool,
 ) -> RepoContext:
     """
     Build a RepoContext instance for the given repository.
@@ -153,14 +148,10 @@ def _create_context(
         quiet=quiet,
         clone_mode=clone_mode,
         update_dependencies=update_dependencies,
+        force_update=force_update,
     )
 
 
-# ---------------------------------------------------------------------------
-# Public API
-# ---------------------------------------------------------------------------
-
-
 def install_repos(
     selected_repos: List[Repository],
     repositories_base_dir: str,
@@ -171,10 +162,14 @@ def install_repos(
     quiet: bool,
     clone_mode: str,
     update_dependencies: bool,
+    force_update: bool = False,
 ) -> None:
     """
     Install one or more repositories according to the configured installers
     and the CLI layer precedence rules.
+
+    If force_update=True, installers of the currently active layer are allowed
+    to run again (upgrade/refresh), even if that layer is already loaded.
     """
     pipeline = InstallationPipeline(INSTALLERS)
 
@@ -213,6 +208,7 @@ def install_repos(
             quiet=quiet,
             clone_mode=clone_mode,
             update_dependencies=update_dependencies,
+            force_update=force_update,
         )
 
         pipeline.run(ctx)

src/pkgmgr/actions/install/context.py

@@ -1,3 +1,4 @@
+# src/pkgmgr/actions/install/context.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
@@ -28,3 +29,6 @@ class RepoContext:
     quiet: bool
     clone_mode: str
     update_dependencies: bool
+
+    # If True, allow re-running installers of the currently active layer.
+    force_update: bool = False

src/pkgmgr/actions/install/installers/__init__.py

@@ -9,7 +9,7 @@ pkgmgr.actions.install.installers.
 """
 
 from pkgmgr.actions.install.installers.base import BaseInstaller  # noqa: F401
-from pkgmgr.actions.install.installers.nix_flake import NixFlakeInstaller  # noqa: F401
+from pkgmgr.actions.install.installers.nix import NixFlakeInstaller  # noqa: F401
 from pkgmgr.actions.install.installers.python import PythonInstaller  # noqa: F401
 from pkgmgr.actions.install.installers.makefile import MakefileInstaller  # noqa: F401
 

src/pkgmgr/actions/install/installers/makefile.py

@@ -1,3 +1,4 @@
+# src/pkgmgr/actions/install/installers/makefile.py
 from __future__ import annotations
 
 import os
@@ -9,89 +10,45 @@ from pkgmgr.core.command.run import run_command
 
 
 class MakefileInstaller(BaseInstaller):
-    """
-    Generic installer that runs `make install` if a Makefile with an
-    install target is present.
-
-    Safety rules:
-      - If PKGMGR_DISABLE_MAKEFILE_INSTALLER=1 is set, this installer
-        is globally disabled.
-      - The higher-level InstallationPipeline ensures that Makefile
-        installation does not run if a stronger CLI layer already owns
-        the command (e.g. Nix or OS packages).
-    """
-
     layer = "makefile"
     MAKEFILE_NAME = "Makefile"
 
     def supports(self, ctx: RepoContext) -> bool:
-        """
-        Return True if this repository has a Makefile and the installer
-        is not globally disabled.
-        """
-        # Optional global kill switch.
         if os.environ.get("PKGMGR_DISABLE_MAKEFILE_INSTALLER") == "1":
             if not ctx.quiet:
-                print(
-                    "[INFO] MakefileInstaller is disabled via "
-                    "PKGMGR_DISABLE_MAKEFILE_INSTALLER."
-                )
+                print("[INFO] PKGMGR_DISABLE_MAKEFILE_INSTALLER=1 – skipping MakefileInstaller.")
             return False
 
         makefile_path = os.path.join(ctx.repo_dir, self.MAKEFILE_NAME)
         return os.path.exists(makefile_path)
 
     def _has_install_target(self, makefile_path: str) -> bool:
-        """
-        Heuristically check whether the Makefile defines an install target.
-
-        We look for:
-
-          - a plain 'install:' target, or
-          - any 'install-*:' style target.
-        """
         try:
             with open(makefile_path, "r", encoding="utf-8", errors="ignore") as f:
                 content = f.read()
         except OSError:
             return False
 
-        # Simple heuristics: look for "install:" or targets starting with "install-"
         if re.search(r"^install\s*:", content, flags=re.MULTILINE):
             return True
-
         if re.search(r"^install-[a-zA-Z0-9_-]*\s*:", content, flags=re.MULTILINE):
             return True
-
         return False
 
     def run(self, ctx: RepoContext) -> None:
-        """
-        Execute `make install` in the repository directory if an install
-        target exists.
-        """
         makefile_path = os.path.join(ctx.repo_dir, self.MAKEFILE_NAME)
-
         if not os.path.exists(makefile_path):
-            if not ctx.quiet:
-                print(
-                    f"[pkgmgr] Makefile '{makefile_path}' not found, "
-                    "skipping MakefileInstaller."
-                )
             return
 
         if not self._has_install_target(makefile_path):
             if not ctx.quiet:
-                print(
-                    f"[pkgmgr] No 'install' target found in {makefile_path}."
-                )
+                print(f"[pkgmgr] No 'install' target found in {makefile_path}.")
             return
 
         if not ctx.quiet:
-            print(
-                f"[pkgmgr] Running 'make install' in {ctx.repo_dir} "
-                "(MakefileInstaller)"
-            )
+            print(f"[pkgmgr] Running make install for {ctx.identifier} (MakefileInstaller)")
 
-        cmd = "make install"
-        run_command(cmd, cwd=ctx.repo_dir, preview=ctx.preview)
+        run_command("make install", cwd=ctx.repo_dir, preview=ctx.preview)
+
+        if ctx.force_update and not ctx.quiet:
+            print(f"[makefile] repo '{ctx.identifier}' successfully upgraded.")

src/pkgmgr/actions/install/installers/nix/__init__.py

@@ -0,0 +1,4 @@
+from .installer import NixFlakeInstaller
+from .retry import RetryPolicy
+
+__all__ = ["NixFlakeInstaller", "RetryPolicy"]

src/pkgmgr/actions/install/installers/nix/conflicts.py

@@ -0,0 +1,100 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, List
+
+from .profile import NixProfileInspector
+from .retry import GitHubRateLimitRetry
+from .runner import CommandRunner
+from .textparse import NixConflictTextParser
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+
+class NixConflictResolver:
+    """
+    Resolves nix profile file conflicts by:
+      1. Parsing conflicting store paths from stderr
+      2. Mapping them to profile remove tokens via `nix profile list --json`
+      3. Removing those tokens deterministically
+      4. Retrying install
+    """
+
+    def __init__(
+        self,
+        runner: CommandRunner,
+        retry: GitHubRateLimitRetry,
+        profile: NixProfileInspector,
+    ) -> None:
+        self._runner = runner
+        self._retry = retry
+        self._profile = profile
+        self._parser = NixConflictTextParser()
+
+    def resolve(
+        self,
+        ctx: "RepoContext",
+        install_cmd: str,
+        stdout: str,
+        stderr: str,
+        *,
+        output: str,
+        max_rounds: int = 10,
+    ) -> bool:
+        quiet = bool(getattr(ctx, "quiet", False))
+        combined = f"{stdout}\n{stderr}"
+
+        for _ in range(max_rounds):
+            # 1) Extract conflicting store prefixes from nix error output
+            store_prefixes = self._parser.existing_store_prefixes(combined)
+
+            # 2) Resolve them to concrete remove tokens
+            tokens: List[str] = self._profile.find_remove_tokens_for_store_prefixes(
+                ctx,
+                self._runner,
+                store_prefixes,
+            )
+
+            # 3) Fallback: output-name based lookup (also covers nix suggesting: `nix profile remove pkgmgr`)
+            if not tokens:
+                tokens = self._profile.find_remove_tokens_for_output(ctx, self._runner, output)
+
+            if tokens:
+                if not quiet:
+                    print(
+                        "[nix] conflict detected; removing existing profile entries: "
+                        + ", ".join(tokens)
+                    )
+
+                for t in tokens:
+                    # tokens may contain things like "pkgmgr" or "pkgmgr-1" or quoted tokens (we keep raw)
+                    self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)
+
+                res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
+                if res.returncode == 0:
+                    return True
+
+                combined = f"{res.stdout}\n{res.stderr}"
+                continue
+
+            # 4) Last-resort fallback: use textual remove tokens from stderr (“nix profile remove X”)
+            tokens = self._parser.remove_tokens(combined)
+            if tokens:
+                if not quiet:
+                    print("[nix] fallback remove tokens: " + ", ".join(tokens))
+
+                for t in tokens:
+                    self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)
+
+                res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
+                if res.returncode == 0:
+                    return True
+
+                combined = f"{res.stdout}\n{res.stderr}"
+                continue
+
+            if not quiet:
+                print("[nix] conflict detected but could not resolve profile entries to remove.")
+            return False
+
+        return False

src/pkgmgr/actions/install/installers/nix/installer.py

@@ -0,0 +1,229 @@
+from __future__ import annotations
+
+import os
+import shutil
+from typing import TYPE_CHECKING, List, Tuple
+
+from pkgmgr.actions.install.installers.base import BaseInstaller
+
+from .conflicts import NixConflictResolver
+from .profile import NixProfileInspector
+from .retry import GitHubRateLimitRetry, RetryPolicy
+from .runner import CommandRunner
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+
+class NixFlakeInstaller(BaseInstaller):
+    layer = "nix"
+    FLAKE_FILE = "flake.nix"
+
+    def __init__(self, policy: RetryPolicy | None = None) -> None:
+        self._runner = CommandRunner()
+        self._retry = GitHubRateLimitRetry(policy=policy)
+        self._profile = NixProfileInspector()
+        self._conflicts = NixConflictResolver(self._runner, self._retry, self._profile)
+
+        # Newer nix rejects numeric indices; we learn this at runtime and cache the decision.
+        self._indices_supported: bool | None = None
+
+    def supports(self, ctx: "RepoContext") -> bool:
+        if os.environ.get("PKGMGR_DISABLE_NIX_FLAKE_INSTALLER") == "1":
+            if not ctx.quiet:
+                print(
+                    "[INFO] PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 – "
+                    "skipping NixFlakeInstaller."
+                )
+            return False
+
+        if shutil.which("nix") is None:
+            return False
+
+        return os.path.exists(os.path.join(ctx.repo_dir, self.FLAKE_FILE))
+
+    def _profile_outputs(self, ctx: "RepoContext") -> List[Tuple[str, bool]]:
+        # (output_name, allow_failure)
+        if ctx.identifier in {"pkgmgr", "package-manager"}:
+            return [("pkgmgr", False), ("default", True)]
+        return [("default", False)]
+
+    def run(self, ctx: "RepoContext") -> None:
+        if not self.supports(ctx):
+            return
+
+        outputs = self._profile_outputs(ctx)
+
+        if not ctx.quiet:
+            msg = (
+                "[nix] flake detected in "
+                f"{ctx.identifier}, ensuring outputs: "
+                + ", ".join(name for name, _ in outputs)
+            )
+            print(msg)
+
+        for output, allow_failure in outputs:
+            if ctx.force_update:
+                self._force_upgrade_output(ctx, output, allow_failure)
+            else:
+                self._install_only(ctx, output, allow_failure)
+
+    def _installable(self, ctx: "RepoContext", output: str) -> str:
+        return f"{ctx.repo_dir}#{output}"
+
+    # ---------------------------------------------------------------------
+    # Core install path
+    # ---------------------------------------------------------------------
+
+    def _install_only(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
+        install_cmd = f"nix profile install {self._installable(ctx, output)}"
+
+        if not ctx.quiet:
+            print(f"[nix] install: {install_cmd}")
+
+        res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
+        if res.returncode == 0:
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully installed.")
+            return
+
+        # Conflict resolver first (handles the common “existing package already provides file” case)
+        if self._conflicts.resolve(
+            ctx,
+            install_cmd,
+            res.stdout,
+            res.stderr,
+            output=output,
+        ):
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully installed after conflict cleanup.")
+            return
+
+        if not ctx.quiet:
+            print(
+                f"[nix] install failed for '{output}' (exit {res.returncode}), "
+                "trying upgrade/remove+install..."
+            )
+
+        # If indices are supported, try legacy index-upgrade path.
+        if self._indices_supported is not False:
+            indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
+
+            upgraded = False
+            for idx in indices:
+                if self._upgrade_index(ctx, idx):
+                    upgraded = True
+                    if not ctx.quiet:
+                        print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
+
+            if upgraded:
+                return
+
+            if indices and not ctx.quiet:
+                print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
+
+            for idx in indices:
+                self._remove_index(ctx, idx)
+
+            # If we learned indices are unsupported, immediately fall back below
+            if self._indices_supported is False:
+                self._remove_tokens_for_output(ctx, output)
+
+        else:
+            # indices explicitly unsupported
+            self._remove_tokens_for_output(ctx, output)
+
+        final = self._runner.run(ctx, install_cmd, allow_failure=True)
+        if final.returncode == 0:
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully re-installed.")
+            return
+
+        print(f"[ERROR] Failed to install Nix flake output '{output}' (exit {final.returncode})")
+        if not allow_failure:
+            raise SystemExit(final.returncode)
+
+        print(f"[WARNING] Continuing despite failure of optional output '{output}'.")
+
+    # ---------------------------------------------------------------------
+    # force_update path
+    # ---------------------------------------------------------------------
+
+    def _force_upgrade_output(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
+        # Prefer token path if indices unsupported (new nix)
+        if self._indices_supported is False:
+            self._remove_tokens_for_output(ctx, output)
+            self._install_only(ctx, output, allow_failure)
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully upgraded.")
+            return
+
+        indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
+
+        upgraded_any = False
+        for idx in indices:
+            if self._upgrade_index(ctx, idx):
+                upgraded_any = True
+                if not ctx.quiet:
+                    print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
+
+        if upgraded_any:
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully upgraded.")
+            return
+
+        if indices and not ctx.quiet:
+            print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
+
+        for idx in indices:
+            self._remove_index(ctx, idx)
+
+        # If we learned indices are unsupported, also remove by token to actually clear conflicts
+        if self._indices_supported is False:
+            self._remove_tokens_for_output(ctx, output)
+
+        self._install_only(ctx, output, allow_failure)
+
+        if not ctx.quiet:
+            print(f"[nix] output '{output}' successfully upgraded.")
+
+    # ---------------------------------------------------------------------
+    # Helpers
+    # ---------------------------------------------------------------------
+
+    def _stderr_says_indices_unsupported(self, stderr: str) -> bool:
+        s = (stderr or "").lower()
+        return "no longer supports indices" in s or "does not support indices" in s
+
+    def _upgrade_index(self, ctx: "RepoContext", idx: int) -> bool:
+        cmd = f"nix profile upgrade --refresh {idx}"
+        res = self._runner.run(ctx, cmd, allow_failure=True)
+
+        if self._stderr_says_indices_unsupported(getattr(res, "stderr", "")):
+            self._indices_supported = False
+            return False
+
+        if self._indices_supported is None:
+            self._indices_supported = True
+
+        return res.returncode == 0
+
+    def _remove_index(self, ctx: "RepoContext", idx: int) -> None:
+        res = self._runner.run(ctx, f"nix profile remove {idx}", allow_failure=True)
+
+        if self._stderr_says_indices_unsupported(getattr(res, "stderr", "")):
+            self._indices_supported = False
+
+        if self._indices_supported is None:
+            self._indices_supported = True
+
+    def _remove_tokens_for_output(self, ctx: "RepoContext", output: str) -> None:
+        tokens = self._profile.find_remove_tokens_for_output(ctx, self._runner, output)
+        if not tokens:
+            return
+
+        if not ctx.quiet:
+            print(f"[nix] indices unsupported; removing by token(s): {', '.join(tokens)}")
+
+        for t in tokens:
+            self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)

src/pkgmgr/actions/install/installers/nix/profile/__init__.py

@@ -0,0 +1,4 @@
+from .inspector import NixProfileInspector
+from .models import NixProfileEntry
+
+__all__ = ["NixProfileInspector", "NixProfileEntry"]

src/pkgmgr/actions/install/installers/nix/profile/inspector.py

@@ -0,0 +1,162 @@
+from __future__ import annotations
+
+from typing import Any, List, TYPE_CHECKING
+
+from .matcher import (
+    entry_matches_output,
+    entry_matches_store_path,
+    stable_unique_ints,
+)
+from .normalizer import normalize_elements
+from .parser import parse_profile_list_json
+from .result import extract_stdout_text
+
+if TYPE_CHECKING:
+    # Keep these as TYPE_CHECKING-only to avoid runtime import cycles.
+    from pkgmgr.actions.install.context import RepoContext
+    from pkgmgr.core.command.runner import CommandRunner
+
+
+class NixProfileInspector:
+    """
+    Reads and inspects the user's Nix profile list (JSON).
+
+    Public API:
+      - list_json()
+      - find_installed_indices_for_output()   (legacy; may not work on newer nix)
+      - find_indices_by_store_path()          (legacy; may not work on newer nix)
+      - find_remove_tokens_for_output()
+      - find_remove_tokens_for_store_prefixes()
+    """
+
+    def list_json(self, ctx: "RepoContext", runner: "CommandRunner") -> dict[str, Any]:
+        res = runner.run(ctx, "nix profile list --json", allow_failure=False)
+        raw = extract_stdout_text(res)
+        return parse_profile_list_json(raw)
+
+    # ---------------------------------------------------------------------
+    # Legacy index helpers (still useful on older nix; newer nix may reject indices)
+    # ---------------------------------------------------------------------
+
+    def find_installed_indices_for_output(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        output: str,
+    ) -> List[int]:
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        hits: List[int] = []
+        for e in entries:
+            if e.index is None:
+                continue
+            if entry_matches_output(e, output):
+                hits.append(e.index)
+
+        return stable_unique_ints(hits)
+
+    def find_indices_by_store_path(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        store_path: str,
+    ) -> List[int]:
+        needle = (store_path or "").strip()
+        if not needle:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        hits: List[int] = []
+        for e in entries:
+            if e.index is None:
+                continue
+            if entry_matches_store_path(e, needle):
+                hits.append(e.index)
+
+        return stable_unique_ints(hits)
+
+    # ---------------------------------------------------------------------
+    # New token-based helpers (works with newer nix where indices are rejected)
+    # ---------------------------------------------------------------------
+
+    def find_remove_tokens_for_output(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        output: str,
+    ) -> List[str]:
+        """
+        Returns profile remove tokens to remove entries matching a given output.
+
+        We always include the raw output token first because nix itself suggests:
+          nix profile remove pkgmgr
+        """
+        out = (output or "").strip()
+        if not out:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        tokens: List[str] = [out]  # critical: matches nix's own suggestion for conflicts
+
+        for e in entries:
+            if entry_matches_output(e, out):
+                # Prefer removing by key/name (non-index) when possible.
+                # New nix rejects numeric indices; these tokens are safer.
+                k = (e.key or "").strip()
+                n = (e.name or "").strip()
+
+                if k and not k.isdigit():
+                    tokens.append(k)
+                elif n and not n.isdigit():
+                    tokens.append(n)
+
+        # stable unique preserving order
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t and t not in seen:
+                uniq.append(t)
+                seen.add(t)
+        return uniq
+
+    def find_remove_tokens_for_store_prefixes(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        prefixes: List[str],
+    ) -> List[str]:
+        """
+        Returns remove tokens for entries whose store path matches any prefix.
+        """
+        prefixes = [(p or "").strip() for p in (prefixes or []) if p]
+        prefixes = [p for p in prefixes if p]
+        if not prefixes:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        tokens: List[str] = []
+        for e in entries:
+            if not e.store_paths:
+                continue
+            if any(sp == p for sp in e.store_paths for p in prefixes):
+                k = (e.key or "").strip()
+                n = (e.name or "").strip()
+                if k and not k.isdigit():
+                    tokens.append(k)
+                elif n and not n.isdigit():
+                    tokens.append(n)
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t and t not in seen:
+                uniq.append(t)
+                seen.add(t)
+        return uniq

src/pkgmgr/actions/install/installers/nix/profile/matcher.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+from typing import List
+
+from .models import NixProfileEntry
+
+
+def entry_matches_output(entry: NixProfileEntry, output: str) -> bool:
+    """
+    Heuristic matcher: output is typically a flake output name (e.g. "pkgmgr"),
+    and we match against name/attrPath patterns.
+    """
+    out = (output or "").strip()
+    if not out:
+        return False
+
+    candidates = [entry.name, entry.attr_path]
+
+    for c in candidates:
+        c = (c or "").strip()
+        if not c:
+            continue
+
+        # Direct match
+        if c == out:
+            return True
+
+        # AttrPath contains "#<output>"
+        if f"#{out}" in c:
+            return True
+
+        # AttrPath ends with ".<output>"
+        if c.endswith(f".{out}"):
+            return True
+
+        # Name pattern "<output>-<n>" (common, e.g. pkgmgr-1)
+        if c.startswith(f"{out}-"):
+            return True
+
+        # Historical special case: repo is "package-manager" but output is "pkgmgr"
+        if out == "pkgmgr" and c.startswith("package-manager-"):
+            return True
+
+    return False
+
+
+def entry_matches_store_path(entry: NixProfileEntry, store_path: str) -> bool:
+    needle = (store_path or "").strip()
+    if not needle:
+        return False
+    return any((p or "") == needle for p in entry.store_paths)
+
+
+def stable_unique_ints(values: List[int]) -> List[int]:
+    seen: set[int] = set()
+    uniq: List[int] = []
+    for v in values:
+        if v in seen:
+            continue
+        uniq.append(v)
+        seen.add(v)
+    return uniq

src/pkgmgr/actions/install/installers/nix/profile/models.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import List, Optional
+
+
+@dataclass(frozen=True)
+class NixProfileEntry:
+    """
+    Minimal normalized representation of one nix profile element entry.
+    """
+
+    key: str
+    index: Optional[int]
+    name: str
+    attr_path: str
+    store_paths: List[str]

src/pkgmgr/actions/install/installers/nix/profile/normalizer.py

@@ -0,0 +1,128 @@
+from __future__ import annotations
+
+import re
+from typing import Any, Dict, Iterable, List, Optional
+
+from .models import NixProfileEntry
+
+
+def coerce_index(key: str, entry: Dict[str, Any]) -> Optional[int]:
+    """
+    Nix JSON schema varies:
+      - elements keys might be "0", "1", ...
+      - or might be names like "pkgmgr-1"
+    Some versions include an explicit index field.
+    We try safe options in order.
+    """
+    k = (key or "").strip()
+
+    # 1) Classic: numeric keys
+    if k.isdigit():
+        try:
+            return int(k)
+        except Exception:
+            return None
+
+    # 2) Explicit index fields (schema-dependent)
+    for field in ("index", "id", "position"):
+        v = entry.get(field)
+        if isinstance(v, int):
+            return v
+        if isinstance(v, str) and v.strip().isdigit():
+            try:
+                return int(v.strip())
+            except Exception:
+                pass
+
+    # 3) Last resort: extract trailing number from key if it looks like "<name>-<n>"
+    m = re.match(r"^.+-(\d+)$", k)
+    if m:
+        try:
+            return int(m.group(1))
+        except Exception:
+            return None
+
+    return None
+
+
+def iter_store_paths(entry: Dict[str, Any]) -> Iterable[str]:
+    """
+    Yield all possible store paths from a nix profile JSON entry.
+
+    Nix has had schema shifts. We support common variants:
+      - "storePaths": ["/nix/store/..", ...]
+      - "storePaths": "/nix/store/.."  (rare)
+      - "storePath": "/nix/store/.."   (some variants)
+      - nested "outputs" dict(s) with store paths (best-effort)
+    """
+    if not isinstance(entry, dict):
+        return
+
+    sp = entry.get("storePaths")
+    if isinstance(sp, list):
+        for p in sp:
+            if isinstance(p, str):
+                yield p
+    elif isinstance(sp, str):
+        yield sp
+
+    sp2 = entry.get("storePath")
+    if isinstance(sp2, str):
+        yield sp2
+
+    outs = entry.get("outputs")
+    if isinstance(outs, dict):
+        for _, ov in outs.items():
+            if isinstance(ov, dict):
+                p = ov.get("storePath")
+                if isinstance(p, str):
+                    yield p
+
+
+def normalize_store_path(store_path: str) -> str:
+    """
+    Normalize store path for matching.
+    Currently just strips whitespace; hook for future normalization if needed.
+    """
+    return (store_path or "").strip()
+
+
+def normalize_elements(data: Dict[str, Any]) -> List[NixProfileEntry]:
+    """
+    Converts nix profile list JSON into a list of normalized entries.
+
+    JSON formats observed:
+      - {"elements": {"0": {...}, "1": {...}}}
+      - {"elements": {"pkgmgr-1": {...}, "pkgmgr-2": {...}}}
+    """
+    elements = data.get("elements")
+    if not isinstance(elements, dict):
+        return []
+
+    normalized: List[NixProfileEntry] = []
+
+    for k, entry in elements.items():
+        if not isinstance(entry, dict):
+            continue
+
+        idx = coerce_index(str(k), entry)
+        name = str(entry.get("name", "") or "")
+        attr = str(entry.get("attrPath", "") or "")
+
+        store_paths: List[str] = []
+        for p in iter_store_paths(entry):
+            sp = normalize_store_path(p)
+            if sp:
+                store_paths.append(sp)
+
+        normalized.append(
+            NixProfileEntry(
+                key=str(k),
+                index=idx,
+                name=name,
+                attr_path=attr,
+                store_paths=store_paths,
+            )
+        )
+
+    return normalized

src/pkgmgr/actions/install/installers/nix/profile/parser.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+import json
+from typing import Any, Dict
+
+
+def parse_profile_list_json(raw: str) -> Dict[str, Any]:
+    """
+    Parse JSON output from `nix profile list --json`.
+
+    Raises SystemExit with a helpful excerpt on parse failure.
+    """
+    try:
+        return json.loads(raw)
+    except json.JSONDecodeError as e:
+        excerpt = (raw or "")[:5000]
+        raise SystemExit(
+            f"[nix] Failed to parse `nix profile list --json`: {e}\n{excerpt}"
+        ) from e

src/pkgmgr/actions/install/installers/nix/profile/result.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+from typing import Any
+
+
+def extract_stdout_text(result: Any) -> str:
+    """
+    Normalize different runner return types to a stdout string.
+
+    Supported patterns:
+      - result is str -> returned as-is
+      - result is bytes/bytearray -> decoded UTF-8 (replace errors)
+      - result has `.stdout` (str or bytes) -> used
+      - fallback: str(result)
+    """
+    if isinstance(result, str):
+        return result
+
+    if isinstance(result, (bytes, bytearray)):
+        return bytes(result).decode("utf-8", errors="replace")
+
+    stdout = getattr(result, "stdout", None)
+    if isinstance(stdout, str):
+        return stdout
+    if isinstance(stdout, (bytes, bytearray)):
+        return bytes(stdout).decode("utf-8", errors="replace")
+
+    return str(result)

src/pkgmgr/actions/install/installers/nix/profile_list.py

@@ -0,0 +1,69 @@
+from __future__ import annotations
+
+import re
+from typing import TYPE_CHECKING, List, Tuple
+
+from .runner import CommandRunner
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+
+class NixProfileListReader:
+    def __init__(self, runner: CommandRunner) -> None:
+        self._runner = runner
+
+    @staticmethod
+    def _store_prefix(path: str) -> str:
+        raw = (path or "").strip()
+        m = re.match(r"^(/nix/store/[0-9a-z]{32}-[^/ \t]+)", raw)
+        return m.group(1) if m else raw
+
+    def entries(self, ctx: "RepoContext") -> List[Tuple[int, str]]:
+        res = self._runner.run(ctx, "nix profile list", allow_failure=True)
+        if res.returncode != 0:
+            return []
+
+        entries: List[Tuple[int, str]] = []
+        pat = re.compile(
+            r"^\s*(\d+)\s+.*?(/nix/store/[0-9a-z]{32}-[^/ \t]+)",
+            re.MULTILINE,
+        )
+
+        for m in pat.finditer(res.stdout or ""):
+            idx_s = m.group(1)
+            sp = m.group(2)
+            try:
+                idx = int(idx_s)
+            except Exception:
+                continue
+            entries.append((idx, self._store_prefix(sp)))
+
+        seen: set[int] = set()
+        uniq: List[Tuple[int, str]] = []
+        for idx, sp in entries:
+            if idx not in seen:
+                seen.add(idx)
+                uniq.append((idx, sp))
+
+        return uniq
+
+    def indices_matching_store_prefixes(self, ctx: "RepoContext", prefixes: List[str]) -> List[int]:
+        prefixes = [self._store_prefix(p) for p in prefixes if p]
+        prefixes = [p for p in prefixes if p]
+        if not prefixes:
+            return []
+
+        hits: List[int] = []
+        for idx, sp in self.entries(ctx):
+            if any(sp == p for p in prefixes):
+                hits.append(idx)
+
+        seen: set[int] = set()
+        uniq: List[int] = []
+        for i in hits:
+            if i not in seen:
+                seen.add(i)
+                uniq.append(i)
+
+        return uniq

src/pkgmgr/actions/install/installers/nix/retry.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+import random
+import time
+from dataclasses import dataclass
+from typing import Iterable, TYPE_CHECKING
+
+from .types import RunResult
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+    from .runner import CommandRunner
+
+@dataclass(frozen=True)
+class RetryPolicy:
+    max_attempts: int = 7
+    base_delay_seconds: int = 30
+    jitter_seconds_min: int = 0
+    jitter_seconds_max: int = 60
+
+
+class GitHubRateLimitRetry:
+    """
+    Retries nix install commands only when the error looks like a GitHub API rate limit (HTTP 403).
+    Backoff: Fibonacci(base, base, ...) + random jitter.
+    """
+
+    def __init__(self, policy: RetryPolicy | None = None) -> None:
+        self._policy = policy or RetryPolicy()
+
+    def run_with_retry(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        install_cmd: str,
+    ) -> RunResult:
+        quiet = bool(getattr(ctx, "quiet", False))
+        delays = list(self._fibonacci_backoff(self._policy.base_delay_seconds, self._policy.max_attempts))
+
+        last: RunResult | None = None
+
+        for attempt, base_delay in enumerate(delays, start=1):
+            if not quiet:
+                print(f"[nix] attempt {attempt}/{self._policy.max_attempts}: {install_cmd}")
+
+            res = runner.run(ctx, install_cmd, allow_failure=True)
+            last = res
+
+            if res.returncode == 0:
+                return res
+
+            combined = f"{res.stdout}\n{res.stderr}"
+            if not self._is_github_rate_limit_error(combined):
+                return res
+
+            if attempt >= self._policy.max_attempts:
+                break
+
+            jitter = random.randint(self._policy.jitter_seconds_min, self._policy.jitter_seconds_max)
+            wait_time = base_delay + jitter
+
+            if not quiet:
+                print(
+                    "[nix] GitHub rate limit detected (403). "
+                    f"Retrying in {wait_time}s (base={base_delay}s, jitter={jitter}s)..."
+                )
+
+            time.sleep(wait_time)
+
+        return last if last is not None else RunResult(returncode=1, stdout="", stderr="nix install retry failed")
+
+    @staticmethod
+    def _is_github_rate_limit_error(text: str) -> bool:
+        t = (text or "").lower()
+        return (
+            "http error 403" in t
+            or "rate limit exceeded" in t
+            or "github api rate limit" in t
+            or "api rate limit exceeded" in t
+        )
+
+    @staticmethod
+    def _fibonacci_backoff(base: int, attempts: int) -> Iterable[int]:
+        a, b = base, base
+        for _ in range(max(1, attempts)):
+            yield a
+            a, b = b, a + b

src/pkgmgr/actions/install/installers/nix/runner.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+
+import subprocess
+
+from typing import TYPE_CHECKING
+
+from .types import RunResult
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+class CommandRunner:
+    """
+    Executes commands (shell=True) inside a repository directory (if provided).
+    Supports preview mode and compact failure output logging.
+    """
+
+    def run(self, ctx: "RepoContext", cmd: str, allow_failure: bool) -> RunResult:
+        repo_dir = getattr(ctx, "repo_dir", None) or getattr(ctx, "repo_path", None)
+        preview = bool(getattr(ctx, "preview", False))
+        quiet = bool(getattr(ctx, "quiet", False))
+
+        if preview:
+            if not quiet:
+                print(f"[preview] {cmd}")
+            return RunResult(returncode=0, stdout="", stderr="")
+
+        try:
+            p = subprocess.run(
+                cmd,
+                shell=True,
+                cwd=repo_dir,
+                check=False,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                text=True,
+            )
+        except Exception as e:
+            if not allow_failure:
+                raise
+            return RunResult(returncode=1, stdout="", stderr=str(e))
+
+        res = RunResult(returncode=p.returncode, stdout=p.stdout or "", stderr=p.stderr or "")
+
+        if res.returncode != 0 and not quiet:
+            self._print_compact_failure(res)
+
+        if res.returncode != 0 and not allow_failure:
+            raise SystemExit(res.returncode)
+
+        return res
+
+    @staticmethod
+    def _print_compact_failure(res: RunResult) -> None:
+        out = (res.stdout or "").strip()
+        err = (res.stderr or "").strip()
+
+        if out:
+            print("[nix] stdout (last lines):")
+            print("\n".join(out.splitlines()[-20:]))
+
+        if err:
+            print("[nix] stderr (last lines):")
+            print("\n".join(err.splitlines()[-40:]))

src/pkgmgr/actions/install/installers/nix/textparse.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import re
+from typing import List
+
+
+class NixConflictTextParser:
+    @staticmethod
+    def _store_prefix(path: str) -> str:
+        raw = (path or "").strip()
+        m = re.match(r"^(/nix/store/[0-9a-z]{32}-[^/ \t]+)", raw)
+        return m.group(1) if m else raw
+
+    def remove_tokens(self, text: str) -> List[str]:
+        pat = re.compile(
+            r"^\s*nix profile remove\s+([^\s'\"`]+|'[^']+'|\"[^\"]+\")\s*$",
+            re.MULTILINE,
+        )
+
+        tokens: List[str] = []
+        for m in pat.finditer(text or ""):
+            t = (m.group(1) or "").strip()
+            if (t.startswith("'") and t.endswith("'")) or (t.startswith('"') and t.endswith('"')):
+                t = t[1:-1]
+            if t:
+                tokens.append(t)
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t not in seen:
+                seen.add(t)
+                uniq.append(t)
+
+        return uniq
+
+    def existing_store_prefixes(self, text: str) -> List[str]:
+        lines = (text or "").splitlines()
+        prefixes: List[str] = []
+
+        in_existing = False
+        in_new = False
+
+        store_pat = re.compile(r"^\s*(/nix/store/[0-9a-z]{32}-[^ \t]+)")
+
+        for raw in lines:
+            line = raw.strip()
+
+            if "An existing package already provides the following file" in line:
+                in_existing = True
+                in_new = False
+                continue
+
+            if "This is the conflicting file from the new package" in line:
+                in_existing = False
+                in_new = True
+                continue
+
+            if in_existing:
+                m = store_pat.match(raw)
+                if m:
+                    prefixes.append(m.group(1))
+                    continue
+
+            _ = in_new
+
+        norm = [self._store_prefix(p) for p in prefixes if p]
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for p in norm:
+            if p and p not in seen:
+                seen.add(p)
+                uniq.append(p)
+
+        return uniq

src/pkgmgr/actions/install/installers/nix/types.py

@@ -0,0 +1,10 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class RunResult:
+    returncode: int
+    stdout: str
+    stderr: str

src/pkgmgr/actions/install/installers/nix_flake.py

@@ -1,165 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-"""
-Installer for Nix flakes.
-
-If a repository contains flake.nix and the 'nix' command is available, this
-installer will try to install profile outputs from the flake.
-
-Behavior:
-  - If flake.nix is present and `nix` exists on PATH:
-      * First remove any existing `package-manager` profile entry (best-effort).
-      * Then install one or more flake outputs via `nix profile install`.
-  - For the package-manager repo:
-      * `pkgmgr` is mandatory (CLI), `default` is optional.
-  - For all other repos:
-      * `default` is mandatory.
-
-Special handling:
-  - If PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 is set, the installer is
-    globally disabled (useful for CI or debugging).
-
-The higher-level InstallationPipeline and CLI-layer model decide when this
-installer is allowed to run, based on where the current CLI comes from
-(e.g. Nix, OS packages, Python, Makefile).
-"""
-
-import os
-import shutil
-from typing import TYPE_CHECKING, List, Tuple
-
-from pkgmgr.actions.install.installers.base import BaseInstaller
-from pkgmgr.core.command.run import run_command
-
-if TYPE_CHECKING:
-    from pkgmgr.actions.install.context import RepoContext
-    from pkgmgr.actions.install import InstallContext
-
-
-class NixFlakeInstaller(BaseInstaller):
-    """Install Nix flake profiles for repositories that define flake.nix."""
-
-    # Logical layer name, used by capability matchers.
-    layer = "nix"
-
-    FLAKE_FILE = "flake.nix"
-    PROFILE_NAME = "package-manager"
-
-    def supports(self, ctx: "RepoContext") -> bool:
-        """
-        Only support repositories that:
-          - Are NOT explicitly disabled via PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1,
-          - Have a flake.nix,
-          - And have the `nix` command available.
-        """
-        # Optional global kill-switch for CI or debugging.
-        if os.environ.get("PKGMGR_DISABLE_NIX_FLAKE_INSTALLER") == "1":
-            print(
-                "[INFO] PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 – "
-                "NixFlakeInstaller is disabled."
-            )
-            return False
-
-        # Nix must be available.
-        if shutil.which("nix") is None:
-            return False
-
-        # flake.nix must exist in the repository.
-        flake_path = os.path.join(ctx.repo_dir, self.FLAKE_FILE)
-        return os.path.exists(flake_path)
-
-    def _ensure_old_profile_removed(self, ctx: "RepoContext") -> None:
-        """
-        Best-effort removal of an existing profile entry.
-
-        This handles the "already provides the following file" conflict by
-        removing previous `package-manager` installations before we install
-        the new one.
-
-        Any error in `nix profile remove` is intentionally ignored, because
-        a missing profile entry is not a fatal condition.
-        """
-        if shutil.which("nix") is None:
-            return
-
-        cmd = f"nix profile remove {self.PROFILE_NAME} || true"
-        try:
-            # NOTE: no allow_failure here → matches the existing unit tests
-            run_command(cmd, cwd=ctx.repo_dir, preview=ctx.preview)
-        except SystemExit:
-            # Unit tests explicitly assert this is swallowed
-            pass
-
-    def _profile_outputs(self, ctx: "RepoContext") -> List[Tuple[str, bool]]:
-        """
-        Decide which flake outputs to install and whether failures are fatal.
-
-        Returns a list of (output_name, allow_failure) tuples.
-
-        Rules:
-          - For the package-manager repo (identifier 'pkgmgr' or 'package-manager'):
-                [("pkgmgr", False), ("default", True)]
-          - For all other repos:
-                [("default", False)]
-        """
-        ident = ctx.identifier
-
-        if ident in {"pkgmgr", "package-manager"}:
-            # pkgmgr: main CLI output is "pkgmgr" (mandatory),
-            # "default" is nice-to-have (non-fatal).
-            return [("pkgmgr", False), ("default", True)]
-
-        # Generic repos: we expect a sensible "default" package/app.
-        # Failure to install it is considered fatal.
-        return [("default", False)]
-
-    def run(self, ctx: "InstallContext") -> None:
-        """
-        Install Nix flake profile outputs.
-
-        For the package-manager repo, failure installing 'pkgmgr' is fatal,
-        failure installing 'default' is non-fatal.
-        For other repos, failure installing 'default' is fatal.
-        """
-        # Reuse supports() to keep logic in one place.
-        if not self.supports(ctx):  # type: ignore[arg-type]
-            return
-
-        outputs = self._profile_outputs(ctx)  # list of (name, allow_failure)
-
-        print(
-            "Nix flake detected in "
-            f"{ctx.identifier}, attempting to install profile outputs: "
-            + ", ".join(name for name, _ in outputs)
-        )
-
-        # Handle the "already installed" case up-front for the shared profile.
-        self._ensure_old_profile_removed(ctx)  # type: ignore[arg-type]
-
-        for output, allow_failure in outputs:
-            cmd = f"nix profile install {ctx.repo_dir}#{output}"
-            print(f"[INFO] Running: {cmd}")
-            ret = os.system(cmd)
-
-            # Extract real exit code from os.system() result
-            if os.WIFEXITED(ret):
-                exit_code = os.WEXITSTATUS(ret)
-            else:
-                # abnormal termination (signal etc.) – keep raw value
-                exit_code = ret
-
-            if exit_code == 0:
-                print(f"Nix flake output '{output}' successfully installed.")
-                continue
-
-            print(f"[Error] Failed to install Nix flake output '{output}'")
-            print(f"[Error] Command exited with code {exit_code}")
-
-            if not allow_failure:
-                raise SystemExit(exit_code)
-
-            print(
-                "[Warning] Continuing despite failure to install "
-                f"optional output '{output}'."
-            )

src/pkgmgr/actions/install/installers/python.py

@@ -1,104 +1,40 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-"""
-PythonInstaller — install Python projects defined via pyproject.toml.
-
-Installation rules:
-
-1. pip command resolution:
-      a) If PKGMGR_PIP is set → use it exactly as provided.
-      b) Else if running inside a virtualenv → use `sys.executable -m pip`.
-      c) Else → create/use a per-repository virtualenv under ~/.venvs/<repo>/.
-
-2. Installation target:
-      - Always install into the resolved pip environment.
-      - Never modify system Python, never rely on --user.
-      - Nix-immutable systems (PEP 668) are automatically avoided because we
-        never touch system Python.
-
-3. The installer is skipped when:
-      - PKGMGR_DISABLE_PYTHON_INSTALLER=1 is set.
-      - The repository has no pyproject.toml.
-
-All pip failures are treated as fatal.
-"""
-
+# src/pkgmgr/actions/install/installers/python.py
 from __future__ import annotations
 
 import os
 import sys
-import subprocess
-from typing import TYPE_CHECKING
 
 from pkgmgr.actions.install.installers.base import BaseInstaller
+from pkgmgr.actions.install.context import RepoContext
 from pkgmgr.core.command.run import run_command
 
-if TYPE_CHECKING:
-    from pkgmgr.actions.install.context import RepoContext
-    from pkgmgr.actions.install import InstallContext
-
 
 class PythonInstaller(BaseInstaller):
-    """Install Python projects and dependencies via pip using isolated environments."""
-
     layer = "python"
 
-    # ----------------------------------------------------------------------
-    # Installer activation logic
-    # ----------------------------------------------------------------------
-    def supports(self, ctx: "RepoContext") -> bool:
-        """
-        Return True if this installer should handle this repository.
-
-        The installer is active only when:
-          - A pyproject.toml exists in the repo, and
-          - PKGMGR_DISABLE_PYTHON_INSTALLER is not set.
-        """
+    def supports(self, ctx: RepoContext) -> bool:
         if os.environ.get("PKGMGR_DISABLE_PYTHON_INSTALLER") == "1":
             print("[INFO] PythonInstaller disabled via PKGMGR_DISABLE_PYTHON_INSTALLER.")
             return False
 
         return os.path.exists(os.path.join(ctx.repo_dir, "pyproject.toml"))
 
-    # ----------------------------------------------------------------------
-    # Virtualenv handling
-    # ----------------------------------------------------------------------
     def _in_virtualenv(self) -> bool:
-        """Detect whether the current interpreter is inside a venv."""
         if os.environ.get("VIRTUAL_ENV"):
             return True
-
         base = getattr(sys, "base_prefix", sys.prefix)
         return sys.prefix != base
 
-    def _ensure_repo_venv(self, ctx: "InstallContext") -> str:
-        """
-        Ensure that ~/.venvs/<identifier>/ exists and contains a minimal venv.
-
-        Returns the venv directory path.
-        """
+    def _ensure_repo_venv(self, ctx: RepoContext) -> str:
         venv_dir = os.path.expanduser(f"~/.venvs/{ctx.identifier}")
         python = sys.executable
 
-        if not os.path.isdir(venv_dir):
-            print(f"[python-installer] Creating virtualenv: {venv_dir}")
-            subprocess.check_call([python, "-m", "venv", venv_dir])
+        if not os.path.exists(venv_dir):
+            run_command(f"{python} -m venv {venv_dir}", preview=ctx.preview)
 
         return venv_dir
 
-    # ----------------------------------------------------------------------
-    # pip command resolution
-    # ----------------------------------------------------------------------
-    def _pip_cmd(self, ctx: "InstallContext") -> str:
-        """
-        Determine which pip command to use.
-
-        Priority:
-          1. PKGMGR_PIP override given by user or automation.
-          2. Active virtualenv → use sys.executable -m pip.
-          3. Per-repository venv → ~/.venvs/<repo>/bin/pip
-        """
+    def _pip_cmd(self, ctx: RepoContext) -> str:
         explicit = os.environ.get("PKGMGR_PIP", "").strip()
         if explicit:
             return explicit
@@ -107,33 +43,19 @@ class PythonInstaller(BaseInstaller):
             return f"{sys.executable} -m pip"
 
         venv_dir = self._ensure_repo_venv(ctx)
-        pip_path = os.path.join(venv_dir, "bin", "pip")
-        return pip_path
+        return os.path.join(venv_dir, "bin", "pip")
 
-    # ----------------------------------------------------------------------
-    # Execution
-    # ----------------------------------------------------------------------
-    def run(self, ctx: "InstallContext") -> None:
-        """
-        Install the project defined by pyproject.toml.
-
-        Uses the resolved pip environment. Installation is isolated and never
-        touches system Python.
-        """
-        if not self.supports(ctx):  # type: ignore[arg-type]
-            return
-
-        pyproject = os.path.join(ctx.repo_dir, "pyproject.toml")
-        if not os.path.exists(pyproject):
+    def run(self, ctx: RepoContext) -> None:
+        if not self.supports(ctx):
             return
 
         print(f"[python-installer] Installing Python project for {ctx.identifier}...")
 
         pip_cmd = self._pip_cmd(ctx)
+        run_command(f"{pip_cmd} install .", cwd=ctx.repo_dir, preview=ctx.preview)
 
-        # Final install command: ALWAYS isolated, never system-wide.
-        install_cmd = f"{pip_cmd} install ."
-
-        run_command(install_cmd, cwd=ctx.repo_dir, preview=ctx.preview)
+        if ctx.force_update:
+            # test-visible marker
+            print(f"[python-installer] repo '{ctx.identifier}' successfully upgraded.")
 
         print(f"[python-installer] Installation finished for {ctx.identifier}.")

src/pkgmgr/actions/install/pipeline.py

@@ -1,21 +1,9 @@
+# src/pkgmgr/actions/install/pipeline.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
 """
 Installation pipeline orchestration for repositories.
-
-This module implements the "Setup Controller" logic:
-
-  1. Detect current CLI command for the repo (if any).
-  2. Classify it into a layer (os-packages, nix, python, makefile).
-  3. Iterate over installers in layer order:
-       - Skip installers whose layer is weaker than an already-loaded one.
-       - Run only installers that support() the repo and add new capabilities.
-       - After each installer, re-resolve the command and update the layer.
-  4. Maintain the repo["command"] field and create/update symlinks via create_ink().
-
-The goal is to prevent conflicting installations and make the layering
-behaviour explicit and testable.
 """
 
 from __future__ import annotations
@@ -36,34 +24,15 @@ from pkgmgr.core.command.resolve import resolve_command_for_repo
 
 @dataclass
 class CommandState:
-    """
-    Represents the current CLI state for a repository:
-
-      - command: absolute or relative path to the CLI entry point
-      - layer:   which conceptual layer this command belongs to
-    """
-
     command: Optional[str]
     layer: Optional[CliLayer]
 
 
 class CommandResolver:
-    """
-    Small helper responsible for resolving the current command for a repo
-    and mapping it into a CommandState.
-    """
-
     def __init__(self, ctx: RepoContext) -> None:
         self._ctx = ctx
 
     def resolve(self) -> CommandState:
-        """
-        Resolve the current command for this repository.
-
-        If resolve_command_for_repo raises SystemExit (e.g. Python package
-        without installed entry point), we treat this as "no command yet"
-        from the point of view of the installers.
-        """
         repo = self._ctx.repo
         identifier = self._ctx.identifier
         repo_dir = self._ctx.repo_dir
@@ -85,28 +54,10 @@ class CommandResolver:
 
 
 class InstallationPipeline:
-    """
-    High-level orchestrator that applies a sequence of installers
-    to a repository based on CLI layer precedence.
-    """
-
     def __init__(self, installers: Sequence[BaseInstaller]) -> None:
         self._installers = list(installers)
 
-    # ------------------------------------------------------------------
-    # Public API
-    # ------------------------------------------------------------------
     def run(self, ctx: RepoContext) -> None:
-        """
-        Execute the installation pipeline for a single repository.
-
-        - Detect initial command & layer.
-        - Optionally create a symlink.
-        - Run installers in order, skipping those whose layer is weaker
-          than an already-loaded CLI.
-        - After each installer, re-resolve the command and refresh the
-          symlink if needed.
-        """
         repo = ctx.repo
         repo_dir = ctx.repo_dir
         identifier = ctx.identifier
@@ -119,7 +70,6 @@ class InstallationPipeline:
         resolver = CommandResolver(ctx)
         state = resolver.resolve()
 
-        # Persist initial command (if any) and create a symlink.
         if state.command:
             repo["command"] = state.command
             create_ink(
@@ -135,11 +85,9 @@ class InstallationPipeline:
 
         provided_capabilities: Set[str] = set()
 
-        # Main installer loop
         for installer in self._installers:
             layer_name = getattr(installer, "layer", None)
 
-            # Installers without a layer participate without precedence logic.
             if layer_name is None:
                 self._run_installer(installer, ctx, identifier, repo_dir, quiet)
                 continue
@@ -147,17 +95,13 @@ class InstallationPipeline:
             try:
                 installer_layer = CliLayer(layer_name)
             except ValueError:
-                # Unknown layer string → treat as lowest priority.
                 installer_layer = None
 
-            # "Previous/Current layer already loaded?"
             if state.layer is not None and installer_layer is not None:
                 current_prio = layer_priority(state.layer)
                 installer_prio = layer_priority(installer_layer)
 
                 if current_prio < installer_prio:
-                    # Current CLI comes from a higher-priority layer,
-                    # so we skip this installer entirely.
                     if not quiet:
                         print(
                             "[pkgmgr] Skipping installer "
@@ -166,9 +110,7 @@ class InstallationPipeline:
                         )
                     continue
 
-                if current_prio == installer_prio:
-                    # Same layer already provides a CLI; usually there is no
-                    # need to run another installer on top of it.
+                if current_prio == installer_prio and not ctx.force_update:
                     if not quiet:
                         print(
                             "[pkgmgr] Skipping installer "
@@ -177,12 +119,9 @@ class InstallationPipeline:
                         )
                     continue
 
-            # Check if this installer is applicable at all.
             if not installer.supports(ctx):
                 continue
 
-            # Capabilities: if everything this installer would provide is already
-            # covered, we can safely skip it.
             caps = installer.discover_capabilities(ctx)
             if caps and caps.issubset(provided_capabilities):
                 if not quiet:
@@ -193,18 +132,22 @@ class InstallationPipeline:
                 continue
 
             if not quiet:
-                print(
-                    f"[pkgmgr] Running installer {installer.__class__.__name__} "
-                    f"for {identifier} in '{repo_dir}' "
-                    f"(new capabilities: {caps or set()})..."
-                )
+                if ctx.force_update and state.layer is not None and installer_layer == state.layer:
+                    print(
+                        f"[pkgmgr] Running installer {installer.__class__.__name__} "
+                        f"for {identifier} in '{repo_dir}' (upgrade requested)..."
+                    )
+                else:
+                    print(
+                        f"[pkgmgr] Running installer {installer.__class__.__name__} "
+                        f"for {identifier} in '{repo_dir}' "
+                        f"(new capabilities: {caps or set()})..."
+                    )
 
-            # Run the installer with error reporting.
             self._run_installer(installer, ctx, identifier, repo_dir, quiet)
 
             provided_capabilities.update(caps)
 
-            # After running an installer, re-resolve the command and layer.
             new_state = resolver.resolve()
             if new_state.command:
                 repo["command"] = new_state.command
@@ -221,9 +164,6 @@ class InstallationPipeline:
 
             state = new_state
 
-    # ------------------------------------------------------------------
-    # Internal helpers
-    # ------------------------------------------------------------------
     @staticmethod
     def _run_installer(
         installer: BaseInstaller,
@@ -232,9 +172,6 @@ class InstallationPipeline:
         repo_dir: str,
         quiet: bool,
     ) -> None:
-        """
-        Execute a single installer with unified error handling.
-        """
         try:
             installer.run(ctx)
         except SystemExit as exc:

src/pkgmgr/actions/mirror/remote_check.py

@@ -0,0 +1,21 @@
+# src/pkgmgr/actions/mirror/remote_check.py
+from __future__ import annotations
+
+from typing import Tuple
+
+from pkgmgr.core.git import GitError, run_git
+
+
+def probe_mirror(url: str, repo_dir: str) -> Tuple[bool, str]:
+    """
+    Probe a remote mirror URL using `git ls-remote`.
+
+    Returns:
+      (True, "") on success,
+      (False, error_message) on failure.
+    """
+    try:
+        run_git(["ls-remote", url], cwd=repo_dir)
+        return True, ""
+    except GitError as exc:
+        return False, str(exc)

src/pkgmgr/actions/mirror/remote_provision.py

@@ -0,0 +1,70 @@
+# src/pkgmgr/actions/mirror/remote_provision.py
+from __future__ import annotations
+
+from typing import List
+
+from pkgmgr.core.remote_provisioning import ProviderHint, RepoSpec, ensure_remote_repo
+from pkgmgr.core.remote_provisioning.ensure import EnsureOptions
+
+from .context import build_context
+from .git_remote import determine_primary_remote_url
+from .types import Repository
+from .url_utils import normalize_provider_host, parse_repo_from_git_url
+
+
+def ensure_remote_repository(
+    repo: Repository,
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    preview: bool,
+) -> None:
+    ctx = build_context(repo, repositories_base_dir, all_repos)
+    resolved_mirrors = ctx.resolved_mirrors
+
+    primary_url = determine_primary_remote_url(repo, resolved_mirrors)
+    if not primary_url:
+        print("[INFO] No remote URL could be derived; skipping remote provisioning.")
+        return
+
+    host_raw, owner_from_url, name_from_url = parse_repo_from_git_url(primary_url)
+    host = normalize_provider_host(host_raw)
+
+    if not host or not owner_from_url or not name_from_url:
+        print("[WARN] Could not derive host/owner/repository from URL; cannot ensure remote repo.")
+        print(f"       url={primary_url!r}")
+        print(f"       host={host!r}, owner={owner_from_url!r}, repository={name_from_url!r}")
+        return
+
+    print("------------------------------------------------------------")
+    print(f"[REMOTE ENSURE] {ctx.identifier}")
+    print(f"[REMOTE ENSURE] host: {host}")
+    print("------------------------------------------------------------")
+
+    spec = RepoSpec(
+        host=str(host),
+        owner=str(owner_from_url),
+        name=str(name_from_url),
+        private=bool(repo.get("private", True)),
+        description=str(repo.get("description", "")),
+    )
+
+    provider_kind = str(repo.get("provider", "")).strip().lower() or None
+
+    try:
+        result = ensure_remote_repo(
+            spec,
+            provider_hint=ProviderHint(kind=provider_kind),
+            options=EnsureOptions(
+                preview=preview,
+                interactive=True,
+                allow_prompt=True,
+                save_prompt_token_to_keyring=True,
+            ),
+        )
+        print(f"[REMOTE ENSURE] {result.status.upper()}: {result.message}")
+        if result.url:
+            print(f"[REMOTE ENSURE] URL: {result.url}")
+    except Exception as exc:  # noqa: BLE001
+        print(f"[ERROR] Remote provisioning failed: {exc}")
+
+    print()

src/pkgmgr/actions/mirror/setup_cmd.py

@@ -1,23 +1,20 @@
+# src/pkgmgr/actions/mirror/setup_cmd.py
 from __future__ import annotations
 
-from typing import List, Tuple
-
-from pkgmgr.core.git import run_git, GitError
+from typing import List
 
 from .context import build_context
-from .git_remote import determine_primary_remote_url, ensure_origin_remote
+from .git_remote import ensure_origin_remote, determine_primary_remote_url
+from .remote_check import probe_mirror
+from .remote_provision import ensure_remote_repository
 from .types import Repository
 
-
 def _setup_local_mirrors_for_repo(
     repo: Repository,
     repositories_base_dir: str,
     all_repos: List[Repository],
     preview: bool,
 ) -> None:
-    """
-    Ensure local Git state is sane (currently: 'origin' remote).
-    """
     ctx = build_context(repo, repositories_base_dir, all_repos)
 
     print("------------------------------------------------------------")
@@ -29,103 +26,57 @@ def _setup_local_mirrors_for_repo(
     print()
 
 
-def _probe_mirror(url: str, repo_dir: str) -> Tuple[bool, str]:
-    """
-    Probe a remote mirror by running `git ls-remote <url>`.
-
-    Returns:
-      (True, "") on success,
-      (False, error_message) on failure.
-
-    Wichtig:
-      - Wir werten ausschließlich den Exit-Code aus.
-      - STDERR kann Hinweise/Warnings enthalten und ist NICHT automatisch ein Fehler.
-    """
-    try:
-        # Wir ignorieren stdout komplett; wichtig ist nur, dass der Befehl ohne
-        # GitError (also Exit-Code 0) durchläuft.
-        run_git(["ls-remote", url], cwd=repo_dir)
-        return True, ""
-    except GitError as exc:
-        return False, str(exc)
-
-
 def _setup_remote_mirrors_for_repo(
     repo: Repository,
     repositories_base_dir: str,
     all_repos: List[Repository],
     preview: bool,
+    ensure_remote: bool,
 ) -> None:
-    """
-    Remote-side setup / validation.
-
-    Aktuell werden nur **nicht-destruktive Checks** gemacht:
-
-      - Für jeden Mirror (aus config + MIRRORS-Datei, file gewinnt):
-          * `git ls-remote <url>` wird ausgeführt.
-          * Bei Exit-Code 0 → [OK]
-          * Bei Fehler → [WARN] + Details aus der GitError-Exception
-
-    Es werden **keine** Provider-APIs aufgerufen und keine Repos angelegt.
-    """
     ctx = build_context(repo, repositories_base_dir, all_repos)
-    resolved_m = ctx.resolved_mirrors
+    resolved_mirrors = ctx.resolved_mirrors
 
     print("------------------------------------------------------------")
     print(f"[MIRROR SETUP:REMOTE] {ctx.identifier}")
     print(f"[MIRROR SETUP:REMOTE] dir: {ctx.repo_dir}")
     print("------------------------------------------------------------")
 
-    if not resolved_m:
-        # Optional: Fallback auf eine heuristisch bestimmte URL, falls wir
-        # irgendwann "automatisch anlegen" implementieren wollen.
-        primary_url = determine_primary_remote_url(repo, resolved_m)
+    if ensure_remote:
+        ensure_remote_repository(
+            repo,
+            repositories_base_dir=repositories_base_dir,
+            all_repos=all_repos,
+            preview=preview,
+        )
+
+    if not resolved_mirrors:
+        primary_url = determine_primary_remote_url(repo, resolved_mirrors)
         if not primary_url:
-            print(
-                "[INFO] No mirrors configured (config or MIRRORS file), and no "
-                "primary URL could be derived from provider/account/repository."
-            )
+            print("[INFO] No mirrors configured and no primary URL available.")
             print()
             return
 
-        ok, error_message = _probe_mirror(primary_url, ctx.repo_dir)
+        ok, error_message = probe_mirror(primary_url, ctx.repo_dir)
         if ok:
-            print(f"[OK]   Remote mirror (primary) is reachable: {primary_url}")
+            print(f"[OK] primary: {primary_url}")
         else:
-            print("[WARN] Primary remote URL is NOT reachable:")
-            print(f"       {primary_url}")
-            if error_message:
-                print("       Details:")
-                for line in error_message.splitlines():
-                    print(f"         {line}")
+            print(f"[WARN] primary: {primary_url}")
+            for line in error_message.splitlines():
+                print(f"         {line}")
 
-        print()
-        print(
-            "[INFO] Remote checks are non-destructive and only use `git ls-remote` "
-            "to probe mirror URLs."
-        )
         print()
         return
 
-    # Normaler Fall: wir haben benannte Mirrors aus config/MIRRORS
-    for name, url in sorted(resolved_m.items()):
-        ok, error_message = _probe_mirror(url, ctx.repo_dir)
+    for name, url in sorted(resolved_mirrors.items()):
+        ok, error_message = probe_mirror(url, ctx.repo_dir)
         if ok:
-            print(f"[OK]   Remote mirror '{name}' is reachable: {url}")
+            print(f"[OK] {name}: {url}")
         else:
-            print(f"[WARN] Remote mirror '{name}' is NOT reachable:")
-            print(f"       {url}")
-            if error_message:
-                print("       Details:")
-                for line in error_message.splitlines():
-                    print(f"         {line}")
+            print(f"[WARN] {name}: {url}")
+            for line in error_message.splitlines():
+                print(f"         {line}")
 
     print()
-    print(
-        "[INFO] Remote checks are non-destructive and only use `git ls-remote` "
-        "to probe mirror URLs."
-    )
-    print()
 
 
 def setup_mirrors(
@@ -135,22 +86,12 @@ def setup_mirrors(
     preview: bool = False,
     local: bool = True,
     remote: bool = True,
+    ensure_remote: bool = False,
 ) -> None:
-    """
-    Setup mirrors for the selected repositories.
-
-    local:
-      - Configure local Git remotes (currently: ensure 'origin' is present and
-        points to a reasonable URL).
-
-    remote:
-      - Non-destructive remote checks using `git ls-remote` for each mirror URL.
-        Es werden keine Repositories auf dem Provider angelegt.
-    """
     for repo in selected_repos:
         if local:
             _setup_local_mirrors_for_repo(
-                repo,
+                repo=repo,
                 repositories_base_dir=repositories_base_dir,
                 all_repos=all_repos,
                 preview=preview,
@@ -158,8 +99,9 @@ def setup_mirrors(
 
         if remote:
             _setup_remote_mirrors_for_repo(
-                repo,
+                repo=repo,
                 repositories_base_dir=repositories_base_dir,
                 all_repos=all_repos,
                 preview=preview,
+                ensure_remote=ensure_remote,
             )

src/pkgmgr/actions/mirror/url_utils.py

@@ -0,0 +1,111 @@
+# src/pkgmgr/actions/mirror/url_utils.py
+from __future__ import annotations
+
+from urllib.parse import urlparse
+from typing import Optional, Tuple
+
+
+def hostport_from_git_url(url: str) -> Tuple[str, Optional[str]]:
+    url = (url or "").strip()
+    if not url:
+        return "", None
+
+    if "://" in url:
+        parsed = urlparse(url)
+        netloc = (parsed.netloc or "").strip()
+        if "@" in netloc:
+            netloc = netloc.split("@", 1)[1]
+
+        if netloc.startswith("[") and "]" in netloc:
+            host = netloc[1:netloc.index("]")]
+            rest = netloc[netloc.index("]") + 1 :]
+            port = rest[1:] if rest.startswith(":") else None
+            return host.strip(), (port.strip() if port else None)
+
+        if ":" in netloc:
+            host, port = netloc.rsplit(":", 1)
+            return host.strip(), (port.strip() or None)
+
+        return netloc.strip(), None
+
+    if "@" in url and ":" in url:
+        after_at = url.split("@", 1)[1]
+        host = after_at.split(":", 1)[0].strip()
+        return host, None
+
+    host = url.split("/", 1)[0].strip()
+    return host, None
+
+
+def normalize_provider_host(host: str) -> str:
+    host = (host or "").strip()
+    if not host:
+        return ""
+
+    if host.startswith("[") and "]" in host:
+        host = host[1:host.index("]")]
+
+    if ":" in host and host.count(":") == 1:
+        host = host.rsplit(":", 1)[0]
+
+    return host.strip().lower()
+
+
+def _strip_dot_git(name: str) -> str:
+    n = (name or "").strip()
+    if n.lower().endswith(".git"):
+        return n[:-4]
+    return n
+
+
+def parse_repo_from_git_url(url: str) -> Tuple[str, Optional[str], Optional[str]]:
+    """
+    Parse (host, owner, repo_name) from common Git remote URLs.
+
+    Supports:
+      - ssh://git@host:2201/owner/repo.git
+      - https://host/owner/repo.git
+      - git@host:owner/repo.git
+      - host/owner/repo(.git) (best-effort)
+
+    Returns:
+      (host, owner, repo_name) with owner/repo possibly None if not derivable.
+    """
+    u = (url or "").strip()
+    if not u:
+        return "", None, None
+
+    # URL-style (ssh://, https://, http://)
+    if "://" in u:
+        parsed = urlparse(u)
+        host = (parsed.hostname or "").strip()
+        path = (parsed.path or "").strip("/")
+        parts = [p for p in path.split("/") if p]
+        if len(parts) >= 2:
+            owner = parts[0]
+            repo_name = _strip_dot_git(parts[1])
+            return host, owner, repo_name
+        return host, None, None
+
+    # SCP-like: git@host:owner/repo.git
+    if "@" in u and ":" in u:
+        after_at = u.split("@", 1)[1]
+        host = after_at.split(":", 1)[0].strip()
+        path = after_at.split(":", 1)[1].strip("/")
+        parts = [p for p in path.split("/") if p]
+        if len(parts) >= 2:
+            owner = parts[0]
+            repo_name = _strip_dot_git(parts[1])
+            return host, owner, repo_name
+        return host, None, None
+
+    # Fallback: host/owner/repo.git
+    host = u.split("/", 1)[0].strip()
+    rest = u.split("/", 1)[1] if "/" in u else ""
+    parts = [p for p in rest.strip("/").split("/") if p]
+    if len(parts) >= 2:
+        owner = parts[0]
+        repo_name = _strip_dot_git(parts[1])
+        return host, owner, repo_name
+
+    return host, None, None

src/pkgmgr/actions/release/workflow.py

@@ -1,10 +1,13 @@
+# src/pkgmgr/actions/release/workflow.py
 from __future__ import annotations
-from typing import Optional
+
 import os
 import sys
+from typing import Optional
 
 from pkgmgr.actions.branch import close_branch
 from pkgmgr.core.git import get_current_branch, GitError
+from pkgmgr.core.repository.paths import resolve_repo_paths
 
 from .files import (
     update_changelog,
@@ -55,8 +58,12 @@ def _release_impl(
     print(f"New version:     {new_ver_str} ({release_type})")
 
     repo_root = os.path.dirname(os.path.abspath(pyproject_path))
+    paths = resolve_repo_paths(repo_root)
+
+    # --- Update versioned files ------------------------------------------------
 
     update_pyproject_version(pyproject_path, new_ver_str, preview=preview)
+
     changelog_message = update_changelog(
         changelog_path,
         new_ver_str,
@@ -64,38 +71,46 @@ def _release_impl(
         preview=preview,
     )
 
-    flake_path = os.path.join(repo_root, "flake.nix")
-    update_flake_version(flake_path, new_ver_str, preview=preview)
+    update_flake_version(paths.flake_nix, new_ver_str, preview=preview)
 
-    pkgbuild_path = os.path.join(repo_root, "PKGBUILD")
-    update_pkgbuild_version(pkgbuild_path, new_ver_str, preview=preview)
+    if paths.arch_pkgbuild:
+        update_pkgbuild_version(paths.arch_pkgbuild, new_ver_str, preview=preview)
+    else:
+        print("[INFO] No PKGBUILD found (packaging/arch/PKGBUILD or PKGBUILD). Skipping.")
 
-    spec_path = os.path.join(repo_root, "package-manager.spec")
-    update_spec_version(spec_path, new_ver_str, preview=preview)
+    if paths.rpm_spec:
+        update_spec_version(paths.rpm_spec, new_ver_str, preview=preview)
+    else:
+        print("[INFO] No RPM spec file found. Skipping spec version update.")
 
     effective_message: Optional[str] = message
     if effective_message is None and isinstance(changelog_message, str):
         if changelog_message.strip():
             effective_message = changelog_message.strip()
 
-    debian_changelog_path = os.path.join(repo_root, "debian", "changelog")
     package_name = os.path.basename(repo_root) or "package-manager"
 
-    update_debian_changelog(
-        debian_changelog_path,
-        package_name=package_name,
-        new_version=new_ver_str,
-        message=effective_message,
-        preview=preview,
-    )
+    if paths.debian_changelog:
+        update_debian_changelog(
+            paths.debian_changelog,
+            package_name=package_name,
+            new_version=new_ver_str,
+            message=effective_message,
+            preview=preview,
+        )
+    else:
+        print("[INFO] No debian changelog found. Skipping debian/changelog update.")
 
-    update_spec_changelog(
-        spec_path=spec_path,
-        package_name=package_name,
-        new_version=new_ver_str,
-        message=effective_message,
-        preview=preview,
-    )
+    if paths.rpm_spec:
+        update_spec_changelog(
+            spec_path=paths.rpm_spec,
+            package_name=package_name,
+            new_version=new_ver_str,
+            message=effective_message,
+            preview=preview,
+        )
+
+    # --- Git commit / tag / push ----------------------------------------------
 
     commit_msg = f"Release version {new_ver_str}"
     tag_msg = effective_message or commit_msg
@@ -103,12 +118,12 @@ def _release_impl(
     files_to_add = [
         pyproject_path,
         changelog_path,
-        flake_path,
-        pkgbuild_path,
-        spec_path,
-        debian_changelog_path,
+        paths.flake_nix,
+        paths.arch_pkgbuild,
+        paths.rpm_spec,
+        paths.debian_changelog,
     ]
-    existing_files = [p for p in files_to_add if p and os.path.exists(p)]
+    existing_files = [p for p in files_to_add if isinstance(p, str) and p and os.path.exists(p)]
 
     if preview:
         for path in existing_files:

src/pkgmgr/actions/repository/pull.py

@@ -1,9 +1,12 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
 import os
 import subprocess
 import sys
 
-from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.dir import get_repo_dir
+from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.verify import verify_repository
 
 
@@ -17,13 +20,6 @@ def pull_with_verification(
 ) -> None:
     """
     Execute `git pull` for each repository with verification.
-
-    - Uses verify_repository() in "pull" mode.
-    - If verification fails (and verification info is set) and
-      --no-verification is not enabled, the user is prompted to confirm
-      the pull.
-    - In preview mode, no interactive prompts are performed and no
-      Git commands are executed; only the would-be command is printed.
     """
     for repo in selected_repos:
         repo_identifier = get_repo_identifier(repo, all_repos)
@@ -34,18 +30,13 @@ def pull_with_verification(
             continue
 
         verified_info = repo.get("verified")
-        verified_ok, errors, commit_hash, signing_key = verify_repository(
+        verified_ok, errors, _commit_hash, _signing_key = verify_repository(
             repo,
             repo_dir,
             mode="pull",
             no_verification=no_verification,
         )
 
-        # Only prompt the user if:
-        #   - we are NOT in preview mode
-        #   - verification is enabled
-        #   - the repo has verification info configured
-        #   - verification failed
         if (
             not preview
             and not no_verification
@@ -59,16 +50,14 @@ def pull_with_verification(
             if choice != "y":
                 continue
 
-        # Build the git pull command (include extra args if present)
         args_part = " ".join(extra_args) if extra_args else ""
         full_cmd = f"git pull{(' ' + args_part) if args_part else ''}"
 
         if preview:
-            # Preview mode: only show the command, do not execute or prompt.
             print(f"[Preview] In '{repo_dir}': {full_cmd}")
         else:
             print(f"Running in '{repo_dir}': {full_cmd}")
-            result = subprocess.run(full_cmd, cwd=repo_dir, shell=True)
+            result = subprocess.run(full_cmd, cwd=repo_dir, shell=True, check=False)
             if result.returncode != 0:
                 print(
                     f"'git pull' for {repo_identifier} failed "

src/pkgmgr/actions/repository/update.py

@@ -1,67 +0,0 @@
-import shutil
-
-from pkgmgr.actions.repository.pull import pull_with_verification
-from pkgmgr.actions.install import install_repos
-
-
-def update_repos(
-    selected_repos,
-    repositories_base_dir,
-    bin_dir,
-    all_repos,
-    no_verification,
-    system_update,
-    preview: bool,
-    quiet: bool,
-    update_dependencies: bool,
-    clone_mode: str,
-):
-    """
-    Update repositories by pulling latest changes and installing them.
-
-    Parameters:
-    - selected_repos: List of selected repositories.
-    - repositories_base_dir: Base directory for repositories.
-    - bin_dir: Directory for symbolic links.
-    - all_repos: All repository configurations.
-    - no_verification: Whether to skip verification.
-    - system_update: Whether to run system update.
-    - preview: If True, only show commands without executing.
-    - quiet: If True, suppress messages.
-    - update_dependencies: Whether to update dependent repositories.
-    - clone_mode: Method to clone repositories (ssh or https).
-    """
-    pull_with_verification(
-        selected_repos,
-        repositories_base_dir,
-        all_repos,
-        [],
-        no_verification,
-        preview,
-    )
-
-    install_repos(
-        selected_repos,
-        repositories_base_dir,
-        bin_dir,
-        all_repos,
-        no_verification,
-        preview,
-        quiet,
-        clone_mode,
-        update_dependencies,
-    )
-
-    if system_update:
-        from pkgmgr.core.command.run import run_command
-
-        # Nix: upgrade all profile entries (if Nix is available)
-        if shutil.which("nix") is not None:
-            try:
-                run_command("nix profile upgrade '.*'", preview=preview)
-            except SystemExit as e:
-                print(f"[Warning] 'nix profile upgrade' failed: {e}")
-
-        # Arch / AUR system update
-        run_command("sudo -u aur_builder yay -Syu --noconfirm", preview=preview)
-        run_command("sudo pacman -Syyu --noconfirm", preview=preview)

src/pkgmgr/actions/update/__init__.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from __future__ import annotations
+
+from pkgmgr.actions.update.manager import UpdateManager
+
+__all__ = [
+    "UpdateManager",
+]

src/pkgmgr/actions/update/manager.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from __future__ import annotations
+
+from typing import Any, Iterable
+
+from pkgmgr.actions.update.system_updater import SystemUpdater
+
+
+class UpdateManager:
+    """
+    Orchestrates:
+      - repository pull + installation
+      - optional system update
+    """
+
+    def __init__(self) -> None:
+        self._system_updater = SystemUpdater()
+
+    def run(
+        self,
+        selected_repos: Iterable[Any],
+        repositories_base_dir: str,
+        bin_dir: str,
+        all_repos: Any,
+        no_verification: bool,
+        system_update: bool,
+        preview: bool,
+        quiet: bool,
+        update_dependencies: bool,
+        clone_mode: str,
+        force_update: bool = True,
+    ) -> None:
+        from pkgmgr.actions.install import install_repos
+        from pkgmgr.actions.repository.pull import pull_with_verification
+
+        pull_with_verification(
+            selected_repos,
+            repositories_base_dir,
+            all_repos,
+            [],
+            no_verification,
+            preview,
+        )
+
+        install_repos(
+            selected_repos,
+            repositories_base_dir,
+            bin_dir,
+            all_repos,
+            no_verification,
+            preview,
+            quiet,
+            clone_mode,
+            update_dependencies,
+            force_update=force_update,
+        )
+
+        if system_update:
+            self._system_updater.run(preview=preview)

src/pkgmgr/actions/update/os_release.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from typing import Dict
+
+
+def read_os_release(path: str = "/etc/os-release") -> Dict[str, str]:
+    """
+    Parse /etc/os-release into a dict. Returns empty dict if missing.
+    """
+    if not os.path.exists(path):
+        return {}
+
+    result: Dict[str, str] = {}
+    with open(path, "r", encoding="utf-8") as f:
+        for line in f:
+            line = line.strip()
+            if not line or line.startswith("#") or "=" not in line:
+                continue
+            key, value = line.split("=", 1)
+            result[key.strip()] = value.strip().strip('"')
+    return result
+
+
+@dataclass(frozen=True)
+class OSReleaseInfo:
+    """
+    Minimal /etc/os-release representation for distro detection.
+    """
+    id: str = ""
+    id_like: str = ""
+    pretty_name: str = ""
+
+    @staticmethod
+    def load() -> "OSReleaseInfo":
+        data = read_os_release()
+        return OSReleaseInfo(
+            id=(data.get("ID") or "").lower(),
+            id_like=(data.get("ID_LIKE") or "").lower(),
+            pretty_name=(data.get("PRETTY_NAME") or ""),
+        )
+
+    def ids(self) -> set[str]:
+        ids: set[str] = set()
+        if self.id:
+            ids.add(self.id)
+        if self.id_like:
+            for part in self.id_like.split():
+                ids.add(part.strip())
+        return ids
+
+    def is_arch_family(self) -> bool:
+        ids = self.ids()
+        return ("arch" in ids) or ("archlinux" in ids)
+
+    def is_debian_family(self) -> bool:
+        ids = self.ids()
+        return bool(ids.intersection({"debian", "ubuntu"}))
+
+    def is_fedora_family(self) -> bool:
+        ids = self.ids()
+        return bool(ids.intersection({"fedora", "rhel", "centos", "rocky", "almalinux"}))

src/pkgmgr/actions/update/system_updater.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from __future__ import annotations
+
+import platform
+import shutil
+
+from pkgmgr.actions.update.os_release import OSReleaseInfo
+
+
+class SystemUpdater:
+    """
+    Executes distro-specific system update commands, plus Nix profile upgrades if available.
+    """
+
+    def run(self, *, preview: bool) -> None:
+        from pkgmgr.core.command.run import run_command
+
+        # Distro-agnostic: Nix profile upgrades (if Nix is present).
+        if shutil.which("nix") is not None:
+            try:
+                run_command("nix profile upgrade '.*'", preview=preview)
+            except SystemExit as e:
+                print(f"[Warning] 'nix profile upgrade' failed: {e}")
+
+        osr = OSReleaseInfo.load()
+
+        if osr.is_arch_family():
+            self._update_arch(preview=preview)
+            return
+
+        if osr.is_debian_family():
+            self._update_debian(preview=preview)
+            return
+
+        if osr.is_fedora_family():
+            self._update_fedora(preview=preview)
+            return
+
+        distro = osr.pretty_name or platform.platform()
+        print(f"[Warning] Unsupported distribution for system update: {distro}")
+
+    def _update_arch(self, *, preview: bool) -> None:
+        from pkgmgr.core.command.run import run_command
+
+        yay = shutil.which("yay")
+        pacman = shutil.which("pacman")
+        sudo = shutil.which("sudo")
+
+        # Prefer yay if available (repo + AUR in one pass).
+        # Avoid running yay and pacman afterwards to prevent double update passes.
+        if yay and sudo:
+            run_command("sudo -u aur_builder yay -Syu --noconfirm", preview=preview)
+            return
+
+        if pacman and sudo:
+            run_command("sudo pacman -Syu --noconfirm", preview=preview)
+            return
+
+        print("[Warning] Cannot update Arch system: missing required tools (sudo/yay/pacman).")
+
+    def _update_debian(self, *, preview: bool) -> None:
+        from pkgmgr.core.command.run import run_command
+
+        sudo = shutil.which("sudo")
+        apt_get = shutil.which("apt-get")
+
+        if not (sudo and apt_get):
+            print("[Warning] Cannot update Debian/Ubuntu system: missing required tools (sudo/apt-get).")
+            return
+
+        env = "DEBIAN_FRONTEND=noninteractive"
+        run_command(f"sudo {env} apt-get update -y", preview=preview)
+        run_command(f"sudo {env} apt-get -y dist-upgrade", preview=preview)
+
+    def _update_fedora(self, *, preview: bool) -> None:
+        from pkgmgr.core.command.run import run_command
+
+        sudo = shutil.which("sudo")
+        dnf = shutil.which("dnf")
+        microdnf = shutil.which("microdnf")
+
+        if not sudo:
+            print("[Warning] Cannot update Fedora/RHEL-like system: missing sudo.")
+            return
+
+        if dnf:
+            run_command("sudo dnf -y upgrade", preview=preview)
+            return
+
+        if microdnf:
+            run_command("sudo microdnf -y upgrade", preview=preview)
+            return
+
+        print("[Warning] Cannot update Fedora/RHEL-like system: missing dnf/microdnf.")

src/pkgmgr/cli/commands/mirror.py

@@ -1,32 +1,30 @@
+# src/pkgmgr/cli/commands/mirror.py
 from __future__ import annotations
 
 import sys
 from typing import Any, Dict, List
 
-from pkgmgr.actions.mirror import (
-    diff_mirrors,
-    list_mirrors,
-    merge_mirrors,
-    setup_mirrors,
-)
+from pkgmgr.actions.mirror import diff_mirrors, list_mirrors, merge_mirrors, setup_mirrors
 from pkgmgr.cli.context import CLIContext
 
 Repository = Dict[str, Any]
 
 
 def handle_mirror_command(
-    args,
     ctx: CLIContext,
+    args: Any,
     selected: List[Repository],
 ) -> None:
     """
     Entry point for 'pkgmgr mirror' subcommands.
 
     Subcommands:
-      - mirror list   → list configured mirrors
-      - mirror diff   → compare config vs MIRRORS file
-      - mirror merge  → merge mirrors between config and MIRRORS file
-      - mirror setup  → configure local Git + remote placeholders
+      - mirror list
+      - mirror diff
+      - mirror merge
+      - mirror setup
+      - mirror check
+      - mirror provision
     """
     if not selected:
         print("[INFO] No repositories selected for 'mirror' command.")
@@ -34,9 +32,6 @@ def handle_mirror_command(
 
     subcommand = getattr(args, "subcommand", None)
 
-    # ------------------------------------------------------------
-    # mirror list
-    # ------------------------------------------------------------
     if subcommand == "list":
         source = getattr(args, "source", "all")
         list_mirrors(
@@ -47,9 +42,6 @@ def handle_mirror_command(
         )
         return
 
-    # ------------------------------------------------------------
-    # mirror diff
-    # ------------------------------------------------------------
     if subcommand == "diff":
         diff_mirrors(
             selected_repos=selected,
@@ -58,27 +50,17 @@ def handle_mirror_command(
         )
         return
 
-    # ------------------------------------------------------------
-    # mirror merge
-    # ------------------------------------------------------------
     if subcommand == "merge":
         source = getattr(args, "source", None)
         target = getattr(args, "target", None)
         preview = getattr(args, "preview", False)
 
         if source == target:
-            print(
-                "[ERROR] For 'mirror merge', source and target "
-                "must differ (one of: config, file)."
-            )
+            print("[ERROR] For 'mirror merge', source and target must differ (config vs file).")
             sys.exit(2)
 
-        # Config file path can be passed explicitly via --config-path.
-        # If not given, fall back to the global context (if available).
         explicit_config_path = getattr(args, "config_path", None)
-        user_config_path = explicit_config_path or getattr(
-            ctx, "user_config_path", None
-        )
+        user_config_path = explicit_config_path or getattr(ctx, "user_config_path", None)
 
         merge_mirrors(
             selected_repos=selected,
@@ -91,26 +73,42 @@ def handle_mirror_command(
         )
         return
 
-    # ------------------------------------------------------------
-    # mirror setup
-    # ------------------------------------------------------------
     if subcommand == "setup":
-        local = getattr(args, "local", False)
-        remote = getattr(args, "remote", False)
         preview = getattr(args, "preview", False)
-
-        # If neither flag is set → default to both.
-        if not local and not remote:
-            local = True
-            remote = True
-
         setup_mirrors(
             selected_repos=selected,
             repositories_base_dir=ctx.repositories_base_dir,
             all_repos=ctx.all_repositories,
             preview=preview,
-            local=local,
-            remote=remote,
+            local=True,
+            remote=False,
+            ensure_remote=False,
+        )
+        return
+
+    if subcommand == "check":
+        preview = getattr(args, "preview", False)
+        setup_mirrors(
+            selected_repos=selected,
+            repositories_base_dir=ctx.repositories_base_dir,
+            all_repos=ctx.all_repositories,
+            preview=preview,
+            local=False,
+            remote=True,
+            ensure_remote=False,
+        )
+        return
+
+    if subcommand == "provision":
+        preview = getattr(args, "preview", False)
+        setup_mirrors(
+            selected_repos=selected,
+            repositories_base_dir=ctx.repositories_base_dir,
+            all_repos=ctx.all_repositories,
+            preview=preview,
+            local=False,
+            remote=True,
+            ensure_remote=True,
         )
         return
 

src/pkgmgr/cli/commands/repos.py

@@ -10,11 +10,10 @@ from pkgmgr.cli.context import CLIContext
 from pkgmgr.actions.install import install_repos
 from pkgmgr.actions.repository.deinstall import deinstall_repos
 from pkgmgr.actions.repository.delete import delete_repos
-from pkgmgr.actions.repository.update import update_repos
 from pkgmgr.actions.repository.status import status_repos
 from pkgmgr.actions.repository.list import list_repositories
-from pkgmgr.core.command.run import run_command
 from pkgmgr.actions.repository.create import create_repo
+from pkgmgr.core.command.run import run_command
 from pkgmgr.core.repository.dir import get_repo_dir
 
 Repository = Dict[str, Any]
@@ -51,7 +50,7 @@ def handle_repos_command(
     selected: List[Repository],
 ) -> None:
     """
-    Handle core repository commands (install/update/deinstall/delete/.../list).
+    Handle core repository commands (install/update/deinstall/delete/status/list/path/shell/create).
     """
 
     # ------------------------------------------------------------
@@ -68,24 +67,7 @@ def handle_repos_command(
             args.quiet,
             args.clone_mode,
             args.dependencies,
-        )
-        return
-
-    # ------------------------------------------------------------
-    # update
-    # ------------------------------------------------------------
-    if args.command == "update":
-        update_repos(
-            selected,
-            ctx.repositories_base_dir,
-            ctx.binaries_dir,
-            ctx.all_repositories,
-            args.no_verification,
-            args.system,
-            args.preview,
-            args.quiet,
-            args.dependencies,
-            args.clone_mode,
+            force_update=getattr(args, "update", False),
         )
         return
 
@@ -146,9 +128,7 @@ def handle_repos_command(
                     f"{repository.get('account', '?')}/"
                     f"{repository.get('repository', '?')}"
                 )
-                print(
-                    f"[WARN] Could not resolve directory for {ident}: {exc}"
-                )
+                print(f"[WARN] Could not resolve directory for {ident}: {exc}")
                 continue
 
             print(repo_dir)

src/pkgmgr/cli/commands/version.py

@@ -9,8 +9,13 @@ from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.git import get_tags
 from pkgmgr.core.version.semver import SemVer, find_latest_version
+from pkgmgr.core.version.installed import (
+    get_installed_python_version,
+    get_installed_nix_profile_version,
+)
 from pkgmgr.core.version.source import (
     read_pyproject_version,
+    read_pyproject_project_name,
     read_flake_version,
     read_pkgbuild_version,
     read_debian_changelog_version,
@@ -18,10 +23,54 @@ from pkgmgr.core.version.source import (
     read_ansible_galaxy_version,
 )
 
-
 Repository = Dict[str, Any]
 
 
+def _print_pkgmgr_self_version() -> None:
+    """
+    Print version information for pkgmgr itself (installed env + nix profile),
+    used when no repository is selected (e.g. user is not inside a repo).
+    """
+    print("pkgmgr version info")
+    print("====================")
+    print("\nRepository: <pkgmgr self>")
+    print("----------------------------------------")
+
+    # Common distribution/module naming variants.
+    python_candidates = [
+        "package-manager",   # PyPI dist name in your project
+        "package_manager",   # module-ish variant
+        "pkgmgr",            # console/alias-ish
+    ]
+    nix_candidates = [
+        "pkgmgr",
+        "package-manager",
+    ]
+
+    installed_python = get_installed_python_version(*python_candidates)
+    installed_nix = get_installed_nix_profile_version(*nix_candidates)
+
+    if installed_python:
+        print(
+            f"Installed (Python env):  {installed_python.version} "
+            f"(dist: {installed_python.name})"
+        )
+    else:
+        print("Installed (Python env):  <not installed>")
+
+    if installed_nix:
+        print(
+            f"Installed (Nix profile): {installed_nix.version} "
+            f"(match: {installed_nix.name})"
+        )
+    else:
+        print("Installed (Nix profile): <not installed>")
+
+    # Helpful context for debugging "why do versions differ?"
+    print(f"Python executable:       {sys.executable}")
+    print(f"Python prefix:           {sys.prefix}")
+
+
 def handle_version(
     args,
     ctx: CLIContext,
@@ -30,20 +79,39 @@ def handle_version(
     """
     Handle the 'version' command.
 
-    Shows version information from various sources (git tags, pyproject,
-    flake.nix, PKGBUILD, debian, spec, Ansible Galaxy).
-    """
+    Shows version information from:
+      - Git tags
+      - packaging metadata
+      - installed Python environment
+      - installed Nix profile
 
-    repo_list = selected
-    if not repo_list:
-        print("No repositories selected for version.")
-        sys.exit(1)
+    Special case:
+      - If no repositories are selected (e.g. not in a repo and no identifiers),
+        print pkgmgr's own installed versions instead of exiting with an error.
+    """
+    if not selected:
+        _print_pkgmgr_self_version()
+        return
 
     print("pkgmgr version info")
     print("====================")
 
-    for repo in repo_list:
-        # Resolve repository directory
+    for repo in selected:
+        identifier = get_repo_identifier(repo, ctx.all_repositories)
+
+        python_candidates: list[str] = []
+        nix_candidates: list[str] = [identifier]
+
+        for key in ("pypi", "pip", "python_package", "distribution", "package"):
+            val = repo.get(key)
+            if isinstance(val, str) and val.strip():
+                python_candidates.append(val.strip())
+
+        python_candidates.append(identifier)
+
+        installed_python = get_installed_python_version(*python_candidates)
+        installed_nix = get_installed_nix_profile_version(*nix_candidates)
+
         repo_dir = repo.get("directory")
         if not repo_dir:
             try:
@@ -51,51 +119,79 @@ def handle_version(
             except Exception:
                 repo_dir = None
 
-        # If no local clone exists, skip gracefully with info message
         if not repo_dir or not os.path.isdir(repo_dir):
-            identifier = get_repo_identifier(repo, ctx.all_repositories)
             print(f"\nRepository: {identifier}")
             print("----------------------------------------")
             print(
-                "[INFO] Skipped: repository directory does not exist "
-                "locally, version detection is not possible."
+                "[INFO] Skipped: repository directory does not exist locally, "
+                "version detection is not possible."
             )
+
+            if installed_python:
+                print(
+                    f"Installed (Python env):  {installed_python.version} "
+                    f"(dist: {installed_python.name})"
+                )
+            else:
+                print("Installed (Python env):  <not installed>")
+
+            if installed_nix:
+                print(
+                    f"Installed (Nix profile): {installed_nix.version} "
+                    f"(match: {installed_nix.name})"
+                )
+            else:
+                print("Installed (Nix profile): <not installed>")
+
             continue
 
         print(f"\nRepository: {repo_dir}")
         print("----------------------------------------")
 
-        # 1) Git tags (SemVer)
         try:
             tags = get_tags(cwd=repo_dir)
         except Exception as exc:
             print(f"[ERROR] Could not read git tags: {exc}")
             tags = []
 
-        latest_tag_info: Optional[Tuple[str, SemVer]]
-        latest_tag_info = find_latest_version(tags) if tags else None
+        latest_tag_info: Optional[Tuple[str, SemVer]] = (
+            find_latest_version(tags) if tags else None
+        )
 
-        if latest_tag_info is None:
-            latest_tag_str = None
-            latest_ver = None
+        if latest_tag_info:
+            tag, ver = latest_tag_info
+            print(f"Git (latest SemVer tag): {tag} (parsed: {ver})")
         else:
-            latest_tag_str, latest_ver = latest_tag_info
+            print("Git (latest SemVer tag): <none found>")
 
-        # 2) Packaging / metadata sources
         pyproject_version = read_pyproject_version(repo_dir)
+        pyproject_name = read_pyproject_project_name(repo_dir)
         flake_version = read_flake_version(repo_dir)
         pkgbuild_version = read_pkgbuild_version(repo_dir)
         debian_version = read_debian_changelog_version(repo_dir)
         spec_version = read_spec_version(repo_dir)
         ansible_version = read_ansible_galaxy_version(repo_dir)
 
-        # 3) Print version summary
-        if latest_ver is not None:
+        if pyproject_name:
+            installed_python = get_installed_python_version(
+                pyproject_name, *python_candidates
+            )
+
+        if installed_python:
             print(
-                f"Git (latest SemVer tag): {latest_tag_str} (parsed: {latest_ver})"
+                f"Installed (Python env):  {installed_python.version} "
+                f"(dist: {installed_python.name})"
             )
         else:
-            print("Git (latest SemVer tag): <none found>")
+            print("Installed (Python env):  <not installed>")
+
+        if installed_nix:
+            print(
+                f"Installed (Nix profile): {installed_nix.version} "
+                f"(match: {installed_nix.name})"
+            )
+        else:
+            print("Installed (Nix profile): <not installed>")
 
         print(f"pyproject.toml:         {pyproject_version or '<not found>'}")
         print(f"flake.nix:              {flake_version or '<not found>'}")
@@ -104,15 +200,16 @@ def handle_version(
         print(f"package-manager.spec:   {spec_version or '<not found>'}")
         print(f"Ansible Galaxy meta:    {ansible_version or '<not found>'}")
 
-        # 4) Consistency hint (Git tag vs. pyproject)
-        if latest_ver is not None and pyproject_version is not None:
+        if latest_tag_info and pyproject_version:
             try:
                 file_ver = SemVer.parse(pyproject_version)
-                if file_ver != latest_ver:
+                if file_ver != latest_tag_info[1]:
                     print(
-                        f"[WARN] Version mismatch: Git={latest_ver}, pyproject={file_ver}"
+                        f"[WARN] Version mismatch: "
+                        f"Git={latest_tag_info[1]}, pyproject={file_ver}"
                     )
             except ValueError:
                 print(
-                    f"[WARN] pyproject version {pyproject_version!r} is not valid SemVer."
+                    f"[WARN] pyproject version {pyproject_version!r} "
+                    f"is not valid SemVer."
                 )

src/pkgmgr/cli/dispatch.py

@@ -129,7 +129,6 @@ def dispatch_command(args, ctx: CLIContext) -> None:
     # ------------------------------------------------------------------ #
     if args.command in (
         "install",
-        "update",
         "deinstall",
         "delete",
         "status",
@@ -141,6 +140,27 @@ def dispatch_command(args, ctx: CLIContext) -> None:
         handle_repos_command(args, ctx, selected)
         return
 
+    # ------------------------------------------------------------
+    # update
+    # ------------------------------------------------------------
+    if args.command == "update":
+        from pkgmgr.actions.update import UpdateManager
+        UpdateManager().run(
+            selected_repos=selected,
+            repositories_base_dir=ctx.repositories_base_dir,
+            bin_dir=ctx.binaries_dir,
+            all_repos=ctx.all_repositories,
+            no_verification=args.no_verification,
+            system_update=args.system,
+            preview=args.preview,
+            quiet=args.quiet,
+            update_dependencies=args.dependencies,
+            clone_mode=args.clone_mode,
+            force_update=True,
+        )
+        return
+
+
     # ------------------------------------------------------------------ #
     # Tools (explore / terminal / code)
     # ------------------------------------------------------------------ #
@@ -176,7 +196,7 @@ def dispatch_command(args, ctx: CLIContext) -> None:
         return
 
     if args.command == "mirror":
-        handle_mirror_command(args, ctx, selected)
+        handle_mirror_command(ctx, args, selected)
         return
 
     print(f"Unknown command: {args.command}")

src/pkgmgr/cli/parser/common.py

@@ -1,96 +1,134 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
+# src/pkgmgr/cli/parser/common.py
 from __future__ import annotations
 
 import argparse
+from typing import Optional, Tuple
 
 
 class SortedSubParsersAction(argparse._SubParsersAction):
     """
-    Subparsers action that keeps choices sorted alphabetically.
+    Subparsers action that keeps subcommands sorted alphabetically.
     """
 
     def add_parser(self, name, **kwargs):
         parser = super().add_parser(name, **kwargs)
-        # Sort choices alphabetically by dest (subcommand name)
         self._choices_actions.sort(key=lambda a: a.dest)
         return parser
 
 
+def _has_action(
+    parser: argparse.ArgumentParser,
+    *,
+    positional: Optional[str] = None,
+    options: Tuple[str, ...] = (),
+) -> bool:
+    """
+    Check whether the parser already has an action.
+
+    - positional: name of a positional argument (e.g. "identifiers")
+    - options: option strings (e.g. "--preview", "-q")
+    """
+    for action in parser._actions:
+        if positional and action.dest == positional:
+            return True
+        if options and any(opt in action.option_strings for opt in options):
+            return True
+    return False
+
+
+def _add_positional_if_missing(
+    parser: argparse.ArgumentParser,
+    name: str,
+    **kwargs,
+) -> None:
+    """Safely add a positional argument."""
+    if _has_action(parser, positional=name):
+        return
+    parser.add_argument(name, **kwargs)
+
+
+def _add_option_if_missing(
+    parser: argparse.ArgumentParser,
+    *option_strings: str,
+    **kwargs,
+) -> None:
+    """Safely add an optional argument."""
+    if _has_action(parser, options=tuple(option_strings)):
+        return
+    parser.add_argument(*option_strings, **kwargs)
+
+
 def add_identifier_arguments(subparser: argparse.ArgumentParser) -> None:
     """
     Common identifier / selection arguments for many subcommands.
-
-    Selection modes (mutual intent, not hard-enforced):
-      - identifiers (positional): select by alias / provider/account/repo
-      - --all: select all repositories
-      - --category / --string / --tag: filter-based selection on top
-        of the full repository set
     """
-    subparser.add_argument(
+    _add_positional_if_missing(
+        subparser,
         "identifiers",
         nargs="*",
         help=(
             "Identifier(s) for repositories. "
-            "Default: Repository of current folder."
+            "Default: repository of the current working directory."
         ),
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--all",
         action="store_true",
         default=False,
         help=(
             "Apply the subcommand to all repositories in the config. "
-            "Some subcommands ask for confirmation. If you want to give this "
-            "confirmation for all repositories, pipe 'yes'. E.g: "
-            "yes | pkgmgr {subcommand} --all"
+            "Pipe 'yes' to auto-confirm. Example:\n"
+            "  yes | pkgmgr <command> --all"
         ),
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--category",
         nargs="+",
         default=[],
-        help=(
-            "Filter repositories by category patterns derived from config "
-            "filenames or repo metadata (use filename without .yml/.yaml, "
-            "or /regex/ to use a regular expression)."
-        ),
+        help="Filter repositories by category (supports /regex/).",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--string",
         default="",
-        help=(
-            "Filter repositories whose identifier / name / path contains this "
-            "substring (case-insensitive). Use /regex/ for regular expressions."
-        ),
+        help="Filter repositories by substring or /regex/.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--tag",
         action="append",
         default=[],
-        help=(
-            "Filter repositories by tag. Matches tags from the repository "
-            "collector and category tags. Use /regex/ for regular expressions."
-        ),
+        help="Filter repositories by tag (supports /regex/).",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--preview",
         action="store_true",
-        help="Preview changes without executing commands",
+        help="Preview changes without executing commands.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--list",
         action="store_true",
-        help="List affected repositories (with preview or status)",
+        help="List affected repositories.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "-a",
         "--args",
-        nargs=argparse.REMAINDER,
         dest="extra_args",
-        help="Additional parameters to be attached.",
+        nargs=argparse.REMAINDER,
         default=[],
+        help="Additional parameters to be attached.",
     )
 
 
@@ -99,29 +137,34 @@ def add_install_update_arguments(subparser: argparse.ArgumentParser) -> None:
     Common arguments for install/update commands.
     """
     add_identifier_arguments(subparser)
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "-q",
         "--quiet",
         action="store_true",
-        help="Suppress warnings and info messages",
+        help="Suppress warnings and info messages.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--no-verification",
         action="store_true",
         default=False,
-        help="Disable verification via commit/gpg",
+        help="Disable verification via commit / GPG.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--dependencies",
         action="store_true",
-        help="Also pull and update dependencies",
+        help="Also pull and update dependencies.",
     )
-    subparser.add_argument(
+
+    _add_option_if_missing(
+        subparser,
         "--clone-mode",
         choices=["ssh", "https", "shallow"],
         default="ssh",
-        help=(
-            "Specify the clone mode: ssh, https, or shallow "
-            "(HTTPS shallow clone; default: ssh)"
-        ),
+        help="Specify clone mode (default: ssh).",
     )

src/pkgmgr/cli/parser/install_update.py

@@ -1,11 +1,12 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
-from __future__ import annotations
-
 import argparse
 
-from .common import add_install_update_arguments, add_identifier_arguments
+from pkgmgr.cli.parser.common import (
+    add_install_update_arguments,
+    add_identifier_arguments,
+)
 
 
 def add_install_update_subparsers(
@@ -14,11 +15,17 @@ def add_install_update_subparsers(
     """
     Register install / update / deinstall / delete commands.
     """
+
     install_parser = subparsers.add_parser(
         "install",
         help="Setup repository/repositories alias links to executables",
     )
     add_install_update_arguments(install_parser)
+    install_parser.add_argument(
+        "--update",
+        action="store_true",
+        help="Force re-run installers (upgrade/refresh) even if the CLI layer is already loaded",
+    )
 
     update_parser = subparsers.add_parser(
         "update",
@@ -27,9 +34,11 @@ def add_install_update_subparsers(
     add_install_update_arguments(update_parser)
     update_parser.add_argument(
         "--system",
+        dest="system",
         action="store_true",
         help="Include system update commands",
     )
+    # No --update here: update implies force_update=True
 
     deinstall_parser = subparsers.add_parser(
         "deinstall",

src/pkgmgr/cli/parser/mirror_cmd.py

@@ -1,3 +1,4 @@
+# src/pkgmgr/cli/parser/mirror_cmd.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
@@ -8,103 +9,55 @@ import argparse
 from .common import add_identifier_arguments
 
 
-def add_mirror_subparsers(
-    subparsers: argparse._SubParsersAction,
-) -> None:
-    """
-    Register mirror command and its subcommands (list, diff, merge, setup).
-    """
+def add_mirror_subparsers(subparsers: argparse._SubParsersAction) -> None:
     mirror_parser = subparsers.add_parser(
         "mirror",
-        help="Mirror-related utilities (list, diff, merge, setup)",
+        help="Mirror-related utilities (list, diff, merge, setup, check, provision)",
     )
     mirror_subparsers = mirror_parser.add_subparsers(
         dest="subcommand",
-        help="Mirror subcommands",
+        metavar="SUBCOMMAND",
         required=True,
     )
 
-    # ------------------------------------------------------------------
-    # mirror list
-    # ------------------------------------------------------------------
-    mirror_list = mirror_subparsers.add_parser(
-        "list",
-        help="List configured mirrors for repositories",
-    )
+    mirror_list = mirror_subparsers.add_parser("list", help="List configured mirrors for repositories")
     add_identifier_arguments(mirror_list)
     mirror_list.add_argument(
         "--source",
-        choices=["all", "config", "file", "resolved"],
+        choices=["config", "file", "all"],
         default="all",
         help="Which mirror source to show.",
     )
 
-    # ------------------------------------------------------------------
-    # mirror diff
-    # ------------------------------------------------------------------
-    mirror_diff = mirror_subparsers.add_parser(
-        "diff",
-        help="Show differences between config mirrors and MIRRORS file",
-    )
+    mirror_diff = mirror_subparsers.add_parser("diff", help="Show differences between config mirrors and MIRRORS file")
     add_identifier_arguments(mirror_diff)
 
-    # ------------------------------------------------------------------
-    # mirror merge {config,file} {config,file}
-    # ------------------------------------------------------------------
     mirror_merge = mirror_subparsers.add_parser(
         "merge",
-        help=(
-            "Merge mirrors between config and MIRRORS file "
-            "(example: pkgmgr mirror merge config file --all)"
-        ),
+        help="Merge mirrors between config and MIRRORS file (example: pkgmgr mirror merge config file --all)",
     )
-
-    # First define merge direction positionals, then selection args.
-    mirror_merge.add_argument(
-        "source",
-        choices=["config", "file"],
-        help="Source of mirrors.",
-    )
-    mirror_merge.add_argument(
-        "target",
-        choices=["config", "file"],
-        help="Target of mirrors.",
-    )
-
-    # Selection / filter / preview arguments
+    mirror_merge.add_argument("source", choices=["config", "file"], help="Source of mirrors.")
+    mirror_merge.add_argument("target", choices=["config", "file"], help="Target of mirrors.")
     add_identifier_arguments(mirror_merge)
-
     mirror_merge.add_argument(
         "--config-path",
-        help=(
-            "Path to the user config file to update. "
-            "If omitted, the global config path is used."
-        ),
+        help="Path to the user config file to update. If omitted, the global config path is used.",
     )
-    # Note: --preview, --all, --category, --tag, --list, etc. are provided
-    # by add_identifier_arguments().
 
-    # ------------------------------------------------------------------
-    # mirror setup
-    # ------------------------------------------------------------------
     mirror_setup = mirror_subparsers.add_parser(
         "setup",
-        help=(
-            "Setup mirror configuration for repositories.\n"
-            " --local  → configure local Git (remotes, pushurls)\n"
-            " --remote → create remote repositories if missing\n"
-            "Default: both local and remote."
-        ),
+        help="Configure local Git remotes and push URLs (origin, pushurl list).",
     )
     add_identifier_arguments(mirror_setup)
-    mirror_setup.add_argument(
-        "--local",
-        action="store_true",
-        help="Only configure the local Git repository.",
+
+    mirror_check = mirror_subparsers.add_parser(
+        "check",
+        help="Check remote mirror reachability (git ls-remote). Read-only.",
     )
-    mirror_setup.add_argument(
-        "--remote",
-        action="store_true",
-        help="Only operate on remote repositories.",
+    add_identifier_arguments(mirror_check)
+
+    mirror_provision = mirror_subparsers.add_parser(
+        "provision",
+        help="Provision remote repositories via provider APIs (create missing repos).",
     )
-    # Note: --preview also comes from add_identifier_arguments().
+    add_identifier_arguments(mirror_provision)

src/pkgmgr/core/command/layer.py

@@ -0,0 +1,30 @@
+# src/pkgmgr/core/command/layer.py
+from __future__ import annotations
+
+from enum import Enum
+
+
+class CliLayer(str, Enum):
+    """
+    CLI layer precedence (lower number = stronger layer).
+    """
+    OS_PACKAGES = "os-packages"
+    NIX = "nix"
+    PYTHON = "python"
+    MAKEFILE = "makefile"
+
+
+_LAYER_PRIORITY: dict[CliLayer, int] = {
+    CliLayer.OS_PACKAGES: 0,
+    CliLayer.NIX: 1,
+    CliLayer.PYTHON: 2,
+    CliLayer.MAKEFILE: 3,
+}
+
+
+def layer_priority(layer: CliLayer) -> int:
+    """
+    Return precedence priority for the given layer.
+    Lower value means higher priority (stronger layer).
+    """
+    return _LAYER_PRIORITY.get(layer, 999)

src/pkgmgr/core/credentials/__init__.py

@@ -0,0 +1,21 @@
+# src/pkgmgr/core/credentials/__init__.py
+"""Credential resolution for provider APIs."""
+
+from .resolver import ResolutionOptions, TokenResolver
+from .types import (
+    CredentialError,
+    KeyringUnavailableError,
+    NoCredentialsError,
+    TokenRequest,
+    TokenResult,
+)
+
+__all__ = [
+    "TokenResolver",
+    "ResolutionOptions",
+    "CredentialError",
+    "NoCredentialsError",
+    "KeyringUnavailableError",
+    "TokenRequest",
+    "TokenResult",
+]

src/pkgmgr/core/credentials/providers/__init__.py

@@ -0,0 +1,11 @@
+"""Credential providers used by TokenResolver."""
+
+from .env import EnvTokenProvider
+from .keyring import KeyringTokenProvider
+from .prompt import PromptTokenProvider
+
+__all__ = [
+    "EnvTokenProvider",
+    "KeyringTokenProvider",
+    "PromptTokenProvider",
+]

src/pkgmgr/core/credentials/providers/env.py

@@ -0,0 +1,23 @@
+# src/pkgmgr/core/credentials/providers/env.py
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from typing import Optional
+
+from ..store_keys import env_var_candidates
+from ..types import TokenRequest, TokenResult
+
+
+@dataclass(frozen=True)
+class EnvTokenProvider:
+    """Resolve tokens from environment variables."""
+
+    source_name: str = "env"
+
+    def get(self, request: TokenRequest) -> Optional[TokenResult]:
+        for key in env_var_candidates(request.provider_kind, request.host, request.owner):
+            val = os.environ.get(key)
+            if val:
+                return TokenResult(token=val.strip(), source=self.source_name)
+        return None

src/pkgmgr/core/credentials/providers/keyring.py

@@ -0,0 +1,57 @@
+# src/pkgmgr/core/credentials/providers/keyring.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+from ..store_keys import build_keyring_key
+from ..types import KeyringUnavailableError, TokenRequest, TokenResult
+
+
+def _import_keyring():
+    """
+    Import python-keyring.
+
+    Raises:
+      KeyringUnavailableError if:
+        - library is missing
+        - no backend is configured / usable
+        - import fails for any reason
+    """
+    try:
+        import keyring  # type: ignore
+    except Exception as exc:  # noqa: BLE001
+        raise KeyringUnavailableError(
+            "python-keyring is not installed."
+        ) from exc
+
+    # Some environments have keyring installed but no usable backend.
+    # We do a lightweight "backend sanity check" by attempting to read the backend.
+    try:
+        _ = keyring.get_keyring()
+    except Exception as exc:  # noqa: BLE001
+        raise KeyringUnavailableError(
+            "python-keyring is installed but no usable keyring backend is configured."
+        ) from exc
+
+    return keyring
+
+
+@dataclass(frozen=True)
+class KeyringTokenProvider:
+    """Resolve/store tokens from/to OS keyring via python-keyring."""
+
+    source_name: str = "keyring"
+
+    def get(self, request: TokenRequest) -> Optional[TokenResult]:
+        keyring = _import_keyring()
+        key = build_keyring_key(request.provider_kind, request.host, request.owner)
+        token = keyring.get_password(key.service, key.username)
+        if token:
+            return TokenResult(token=token.strip(), source=self.source_name)
+        return None
+
+    def set(self, request: TokenRequest, token: str) -> None:
+        keyring = _import_keyring()
+        key = build_keyring_key(request.provider_kind, request.host, request.owner)
+        keyring.set_password(key.service, key.username, token)

src/pkgmgr/core/credentials/providers/prompt.py

@@ -0,0 +1,68 @@
+# src/pkgmgr/core/credentials/providers/prompt.py
+from __future__ import annotations
+
+import sys
+from dataclasses import dataclass
+from getpass import getpass
+from typing import Optional
+
+from ..types import TokenRequest, TokenResult
+
+
+def _token_help_url(provider_kind: str, host: str) -> Optional[str]:
+    """
+    Return a provider-specific URL where a user can create/get an API token.
+
+    Keep this conservative and stable:
+    - GitHub: official token settings URL
+    - Gitea/Forgejo: common settings path on the given host
+    - GitLab: common personal access token path
+    """
+    kind = (provider_kind or "").strip().lower()
+    h = (host or "").strip()
+
+    # GitHub (cloud)
+    if kind == "github":
+        return "https://github.com/settings/tokens"
+
+    # Gitea / Forgejo (self-hosted)
+    if kind in ("gitea", "forgejo"):
+        # Typical UI path: Settings -> Applications -> Access Tokens
+        # In many installations this is available at /user/settings/applications
+        base = f"https://{h}".rstrip("/")
+        return f"{base}/user/settings/applications"
+
+    # GitLab (cloud or self-hosted)
+    if kind == "gitlab":
+        base = "https://gitlab.com" if not h else f"https://{h}".rstrip("/")
+        return f"{base}/-/profile/personal_access_tokens"
+
+    return None
+
+
+@dataclass(frozen=True)
+class PromptTokenProvider:
+    """Interactively prompt for a token.
+
+    Only used when:
+    - interactive mode is enabled
+    - stdin is a TTY
+    """
+
+    source_name: str = "prompt"
+
+    def get(self, request: TokenRequest) -> Optional[TokenResult]:
+        if not sys.stdin.isatty():
+            return None
+
+        owner_info = f" (owner: {request.owner})" if request.owner else ""
+        help_url = _token_help_url(request.provider_kind, request.host)
+
+        if help_url:
+            print(f"[INFO] Create/get your token here: {help_url}")
+
+        prompt = f"Enter API token for {request.provider_kind} on {request.host}{owner_info}: "
+        token = (getpass(prompt) or "").strip()
+        if not token:
+            return None
+        return TokenResult(token=token, source=self.source_name)

src/pkgmgr/core/credentials/resolver.py

@@ -0,0 +1,96 @@
+# src/pkgmgr/core/credentials/resolver.py
+from __future__ import annotations
+
+import sys
+from dataclasses import dataclass
+from typing import Optional
+
+from .providers.env import EnvTokenProvider
+from .providers.keyring import KeyringTokenProvider
+from .providers.prompt import PromptTokenProvider
+from .types import KeyringUnavailableError, NoCredentialsError, TokenRequest, TokenResult
+
+
+@dataclass(frozen=True)
+class ResolutionOptions:
+    """Controls token resolution behavior."""
+
+    interactive: bool = True
+    allow_prompt: bool = True
+    save_prompt_token_to_keyring: bool = True
+
+
+class TokenResolver:
+    """Resolve tokens from multiple sources (ENV -> Keyring -> Prompt)."""
+
+    def __init__(self) -> None:
+        self._env = EnvTokenProvider()
+        self._keyring = KeyringTokenProvider()
+        self._prompt = PromptTokenProvider()
+        self._warned_keyring: bool = False
+
+    def _warn_keyring_unavailable(self, exc: Exception) -> None:
+        if self._warned_keyring:
+            return
+        self._warned_keyring = True
+
+        msg = str(exc).strip() or "Keyring is unavailable."
+        print("[WARN] Keyring support is not available.", file=sys.stderr)
+        print(f"       {msg}", file=sys.stderr)
+        print("       Tokens will NOT be persisted securely.", file=sys.stderr)
+        print("", file=sys.stderr)
+        print("       To enable secure token storage, install python-keyring:", file=sys.stderr)
+        print("         pip install keyring", file=sys.stderr)
+        print("", file=sys.stderr)
+        print("       Or install via system packages:", file=sys.stderr)
+        print("         sudo apt install python3-keyring", file=sys.stderr)
+        print("         sudo pacman -S python-keyring", file=sys.stderr)
+        print("         sudo dnf install python3-keyring", file=sys.stderr)
+        print("", file=sys.stderr)
+
+    def get_token(
+        self,
+        provider_kind: str,
+        host: str,
+        owner: Optional[str] = None,
+        options: Optional[ResolutionOptions] = None,
+    ) -> TokenResult:
+        opts = options or ResolutionOptions()
+        request = TokenRequest(provider_kind=provider_kind, host=host, owner=owner)
+
+        # 1) ENV
+        env_res = self._env.get(request)
+        if env_res:
+            return env_res
+
+        # 2) Keyring
+        try:
+            kr_res = self._keyring.get(request)
+            if kr_res:
+                return kr_res
+        except KeyringUnavailableError as exc:
+            # Show a helpful warning once, then continue (prompt fallback).
+            self._warn_keyring_unavailable(exc)
+        except Exception:
+            # Unknown keyring errors: do not block prompting; still avoid hard crash.
+            pass
+
+        # 3) Prompt (optional)
+        if opts.interactive and opts.allow_prompt:
+            prompt_res = self._prompt.get(request)
+            if prompt_res:
+                if opts.save_prompt_token_to_keyring:
+                    try:
+                        self._keyring.set(request, prompt_res.token)
+                    except KeyringUnavailableError as exc:
+                        self._warn_keyring_unavailable(exc)
+                    except Exception:
+                        # If keyring cannot store, still use token for this run.
+                        pass
+                return prompt_res
+
+        raise NoCredentialsError(
+            f"No token available for {provider_kind}@{host}"
+            + (f" (owner: {owner})" if owner else "")
+            + ". Provide it via environment variable or keyring."
+        )

src/pkgmgr/core/credentials/store_keys.py

@@ -0,0 +1,54 @@
+# src/pkgmgr/core/credentials/store_keys.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+
+@dataclass(frozen=True)
+class KeyringKey:
+    """Keyring address for a token."""
+
+    service: str
+    username: str
+
+
+def build_keyring_key(provider_kind: str, host: str, owner: Optional[str]) -> KeyringKey:
+    """Build a stable keyring key.
+
+    - service: "pkgmgr:<provider>"
+    - username: "<host>|<owner>" or "<host>|-"
+    """
+    provider_kind = str(provider_kind).strip().lower()
+    host = str(host).strip()
+    owner_part = (str(owner).strip() if owner else "-")
+    return KeyringKey(service=f"pkgmgr:{provider_kind}", username=f"{host}|{owner_part}")
+
+
+def env_var_candidates(provider_kind: str, host: str, owner: Optional[str]) -> list[str]:
+    """Return a list of environment variable names to try.
+
+    Order is from most specific to most generic.
+    """
+    kind = re_sub_non_alnum(str(provider_kind).strip().upper())
+    host_norm = re_sub_non_alnum(str(host).strip().upper())
+    candidates: list[str] = []
+
+    if owner:
+        owner_norm = re_sub_non_alnum(str(owner).strip().upper())
+        candidates.append(f"PKGMGR_{kind}_TOKEN_{host_norm}_{owner_norm}")
+        candidates.append(f"PKGMGR_TOKEN_{kind}_{host_norm}_{owner_norm}")
+
+    candidates.append(f"PKGMGR_{kind}_TOKEN_{host_norm}")
+    candidates.append(f"PKGMGR_TOKEN_{kind}_{host_norm}")
+    candidates.append(f"PKGMGR_{kind}_TOKEN")
+    candidates.append(f"PKGMGR_TOKEN_{kind}")
+    candidates.append("PKGMGR_TOKEN")
+    return candidates
+
+
+def re_sub_non_alnum(value: str) -> str:
+    """Normalize to an uppercase env-var friendly token (A-Z0-9_)."""
+    import re
+
+    return re.sub(r"[^A-Z0-9]+", "_", value).strip("_")

src/pkgmgr/core/credentials/types.py

@@ -0,0 +1,34 @@
+# src/pkgmgr/core/credentials/types.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+
+class CredentialError(RuntimeError):
+    """Base class for credential resolution errors."""
+
+
+class NoCredentialsError(CredentialError):
+    """Raised when no usable credential could be resolved."""
+
+
+class KeyringUnavailableError(CredentialError):
+    """Raised when keyring is requested but no backend is available."""
+
+
+@dataclass(frozen=True)
+class TokenRequest:
+    """Parameters describing which token we need."""
+
+    provider_kind: str  # e.g. "gitea", "github"
+    host: str  # e.g. "git.example.org" or "github.com"
+    owner: Optional[str] = None  # optional org/user
+
+
+@dataclass(frozen=True)
+class TokenResult:
+    """A resolved token plus metadata about its source."""
+
+    token: str
+    source: str  # "env" | "keyring" | "prompt"

src/pkgmgr/core/remote_provisioning/__init__.py

@@ -0,0 +1,14 @@
+# src/pkgmgr/core/remote_provisioning/__init__.py
+"""Remote repository provisioning (ensure remote repo exists)."""
+
+from .ensure import ensure_remote_repo
+from .registry import ProviderRegistry
+from .types import EnsureResult, ProviderHint, RepoSpec
+
+__all__ = [
+    "ensure_remote_repo",
+    "RepoSpec",
+    "EnsureResult",
+    "ProviderHint",
+    "ProviderRegistry",
+]

src/pkgmgr/core/remote_provisioning/ensure.py

@@ -0,0 +1,99 @@
+# src/pkgmgr/core/remote_provisioning/ensure.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+from pkgmgr.core.credentials.resolver import ResolutionOptions, TokenResolver
+
+from .http.errors import HttpError
+from .registry import ProviderRegistry
+from .types import (
+    AuthError,
+    EnsureResult,
+    NetworkError,
+    PermissionError,
+    ProviderHint,
+    RepoSpec,
+    UnsupportedProviderError,
+)
+
+
+@dataclass(frozen=True)
+class EnsureOptions:
+    """Options controlling remote provisioning."""
+
+    preview: bool = False
+    interactive: bool = True
+    allow_prompt: bool = True
+    save_prompt_token_to_keyring: bool = True
+
+
+def _raise_mapped_http_error(exc: HttpError, host: str) -> None:
+    """Map HttpError into domain-specific error types."""
+    if exc.status == 0:
+        raise NetworkError(f"Network error while talking to {host}: {exc}") from exc
+    if exc.status == 401:
+        raise AuthError(f"Authentication failed for {host} (401).") from exc
+    if exc.status == 403:
+        raise PermissionError(f"Permission denied for {host} (403).") from exc
+
+    raise NetworkError(
+        f"HTTP error from {host}: status={exc.status}, message={exc}, body={exc.body}"
+    ) from exc
+
+
+def ensure_remote_repo(
+    spec: RepoSpec,
+    provider_hint: Optional[ProviderHint] = None,
+    options: Optional[EnsureOptions] = None,
+    registry: Optional[ProviderRegistry] = None,
+    token_resolver: Optional[TokenResolver] = None,
+) -> EnsureResult:
+    """Ensure that the remote repository exists (create if missing).
+
+    - Uses TokenResolver (ENV -> keyring -> prompt)
+    - Selects provider via ProviderRegistry (or provider_hint override)
+    - Respects preview mode (no remote changes)
+    - Maps HTTP errors to domain-specific errors
+    """
+    opts = options or EnsureOptions()
+    reg = registry or ProviderRegistry.default()
+    resolver = token_resolver or TokenResolver()
+
+    provider = reg.resolve(spec.host)
+    if provider_hint and provider_hint.kind:
+        forced = provider_hint.kind.strip().lower()
+        forced_provider = next(
+            (p for p in reg.providers if getattr(p, "kind", "").lower() == forced),
+            None,
+        )
+        if forced_provider is not None:
+            provider = forced_provider
+
+    if provider is None:
+        raise UnsupportedProviderError(f"No provider matched host: {spec.host}")
+
+    token_opts = ResolutionOptions(
+        interactive=opts.interactive,
+        allow_prompt=opts.allow_prompt,
+        save_prompt_token_to_keyring=opts.save_prompt_token_to_keyring,
+    )
+    token = resolver.get_token(
+        provider_kind=getattr(provider, "kind", "unknown"),
+        host=spec.host,
+        owner=spec.owner,
+        options=token_opts,
+    )
+
+    if opts.preview:
+        return EnsureResult(
+            status="skipped",
+            message="Preview mode: no remote changes performed.",
+        )
+
+    try:
+        return provider.ensure_repo(token.token, spec)
+    except HttpError as exc:
+        _raise_mapped_http_error(exc, host=spec.host)
+        return EnsureResult(status="failed", message="Unreachable error mapping.")

src/pkgmgr/core/remote_provisioning/http/__init__.py

@@ -0,0 +1,5 @@
+# src/pkgmgr/core/remote_provisioning/http/__init__.py
+from .client import HttpClient, HttpResponse
+from .errors import HttpError
+
+__all__ = ["HttpClient", "HttpResponse", "HttpError"]

src/pkgmgr/core/remote_provisioning/http/client.py

@@ -0,0 +1,69 @@
+# src/pkgmgr/core/remote_provisioning/http/client.py
+from __future__ import annotations
+
+import json
+import ssl
+import urllib.error
+import urllib.request
+from dataclasses import dataclass
+from typing import Any, Dict, Optional
+
+from .errors import HttpError
+
+
+@dataclass(frozen=True)
+class HttpResponse:
+    status: int
+    text: str
+    json: Optional[Dict[str, Any]] = None
+
+
+class HttpClient:
+    """Tiny HTTP client (stdlib) with JSON support."""
+
+    def __init__(self, timeout_s: int = 15) -> None:
+        self._timeout_s = int(timeout_s)
+
+    def request_json(
+        self,
+        method: str,
+        url: str,
+        headers: Optional[Dict[str, str]] = None,
+        payload: Optional[Dict[str, Any]] = None,
+    ) -> HttpResponse:
+        data: Optional[bytes] = None
+        final_headers: Dict[str, str] = dict(headers or {})
+
+        if payload is not None:
+            data = json.dumps(payload).encode("utf-8")
+            final_headers.setdefault("Content-Type", "application/json")
+
+        req = urllib.request.Request(url=url, data=data, method=method.upper())
+        for k, v in final_headers.items():
+            req.add_header(k, v)
+
+        try:
+            with urllib.request.urlopen(
+                req,
+                timeout=self._timeout_s,
+                context=ssl.create_default_context(),
+            ) as resp:
+                raw = resp.read().decode("utf-8", errors="replace")
+
+                parsed: Optional[Dict[str, Any]] = None
+                if raw:
+                    try:
+                        loaded = json.loads(raw)
+                        parsed = loaded if isinstance(loaded, dict) else None
+                    except Exception:
+                        parsed = None
+
+                return HttpResponse(status=int(resp.status), text=raw, json=parsed)
+        except urllib.error.HTTPError as exc:
+            try:
+                body = exc.read().decode("utf-8", errors="replace")
+            except Exception:
+                body = ""
+            raise HttpError(status=int(exc.code), message=str(exc), body=body) from exc
+        except urllib.error.URLError as exc:
+            raise HttpError(status=0, message=str(exc), body="") from exc

src/pkgmgr/core/remote_provisioning/http/errors.py

@@ -0,0 +1,9 @@
+# src/pkgmgr/core/remote_provisioning/http/errors.py
+from __future__ import annotations
+
+
+class HttpError(RuntimeError):
+    def __init__(self, status: int, message: str, body: str = "") -> None:
+        super().__init__(message)
+        self.status = status
+        self.body = body

src/pkgmgr/core/remote_provisioning/providers/__init__.py

@@ -0,0 +1,6 @@
+# src/pkgmgr/core/remote_provisioning/providers/__init__.py
+from .base import RemoteProvider
+from .gitea import GiteaProvider
+from .github import GitHubProvider
+
+__all__ = ["RemoteProvider", "GiteaProvider", "GitHubProvider"]

src/pkgmgr/core/remote_provisioning/providers/base.py

@@ -0,0 +1,36 @@
+# src/pkgmgr/core/remote_provisioning/providers/base.py
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+from ..types import EnsureResult, RepoSpec
+
+
+class RemoteProvider(ABC):
+    """Provider interface for remote repo provisioning."""
+
+    kind: str
+
+    @abstractmethod
+    def can_handle(self, host: str) -> bool:
+        """Return True if this provider implementation matches the host."""
+
+    @abstractmethod
+    def repo_exists(self, token: str, spec: RepoSpec) -> bool:
+        """Return True if repo exists and is accessible."""
+
+    @abstractmethod
+    def create_repo(self, token: str, spec: RepoSpec) -> EnsureResult:
+        """Create a repository (owner may be user or org)."""
+
+    def ensure_repo(self, token: str, spec: RepoSpec) -> EnsureResult:
+        if self.repo_exists(token, spec):
+            return EnsureResult(status="exists", message="Repository exists.")
+        return self.create_repo(token, spec)
+
+    @staticmethod
+    def _api_base(host: str) -> str:
+        # Default to https. If you need http for local dev, store host as "http://..."
+        if host.startswith("http://") or host.startswith("https://"):
+            return host.rstrip("/")
+        return f"https://{host}".rstrip("/")

src/pkgmgr/core/remote_provisioning/providers/gitea.py

@@ -0,0 +1,106 @@
+# src/pkgmgr/core/remote_provisioning/providers/gitea.py
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from ..http.client import HttpClient
+from ..http.errors import HttpError
+from ..types import EnsureResult, RepoSpec
+from .base import RemoteProvider
+
+
+class GiteaProvider(RemoteProvider):
+    """Gitea provider using Gitea REST API v1."""
+
+    kind = "gitea"
+
+    def __init__(self, timeout_s: int = 15) -> None:
+        self._http = HttpClient(timeout_s=timeout_s)
+
+    def can_handle(self, host: str) -> bool:
+        """
+        Heuristic host match:
+        - Acts as a fallback provider for self-hosted setups.
+        - Must NOT claim GitHub hosts.
+        - If you add more providers later, tighten this heuristic or use provider hints.
+        """
+        h = host.lower()
+        if h in ("github.com", "api.github.com") or h.endswith(".github.com"):
+            return False
+        return True
+
+    def _headers(self, token: str) -> Dict[str, str]:
+        """
+        Gitea commonly supports:
+          Authorization: token <TOKEN>
+        Newer versions may also accept Bearer tokens, but "token" is broadly compatible.
+        """
+        return {
+            "Authorization": f"token {token}",
+            "Accept": "application/json",
+            "User-Agent": "pkgmgr",
+        }
+
+    def repo_exists(self, token: str, spec: RepoSpec) -> bool:
+        base = self._api_base(spec.host)
+        url = f"{base}/api/v1/repos/{spec.owner}/{spec.name}"
+        try:
+            resp = self._http.request_json("GET", url, headers=self._headers(token))
+            return 200 <= resp.status < 300
+        except HttpError as exc:
+            if exc.status == 404:
+                return False
+            raise
+
+    def create_repo(self, token: str, spec: RepoSpec) -> EnsureResult:
+        base = self._api_base(spec.host)
+
+        payload: Dict[str, Any] = {
+            "name": spec.name,
+            "private": bool(spec.private),
+        }
+        if spec.description:
+            payload["description"] = spec.description
+        if spec.default_branch:
+            payload["default_branch"] = spec.default_branch
+
+        org_url = f"{base}/api/v1/orgs/{spec.owner}/repos"
+        user_url = f"{base}/api/v1/user/repos"
+
+        # Try org first, then fall back to user creation.
+        try:
+            resp = self._http.request_json(
+                "POST",
+                org_url,
+                headers=self._headers(token),
+                payload=payload,
+            )
+            if 200 <= resp.status < 300:
+                html_url = (resp.json or {}).get("html_url") if resp.json else None
+                return EnsureResult(
+                    status="created",
+                    message="Repository created (org).",
+                    url=str(html_url) if html_url else None,
+                )
+        except HttpError:
+            # Typical org failures: 404 (not an org), 403 (no rights), 401 (bad token).
+            pass
+
+        resp = self._http.request_json(
+            "POST",
+            user_url,
+            headers=self._headers(token),
+            payload=payload,
+        )
+        if 200 <= resp.status < 300:
+            html_url = (resp.json or {}).get("html_url") if resp.json else None
+            return EnsureResult(
+                status="created",
+                message="Repository created (user).",
+                url=str(html_url) if html_url else None,
+            )
+
+        return EnsureResult(
+            status="failed",
+            message=f"Failed to create repository (status {resp.status}).",
+        )

src/pkgmgr/core/remote_provisioning/providers/github.py

@@ -0,0 +1,101 @@
+# src/pkgmgr/core/remote_provisioning/providers/github.py
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from ..http.client import HttpClient
+from ..http.errors import HttpError
+from ..types import EnsureResult, RepoSpec
+from .base import RemoteProvider
+
+
+class GitHubProvider(RemoteProvider):
+    """GitHub provider using GitHub REST API."""
+
+    kind = "github"
+
+    def __init__(self, timeout_s: int = 15) -> None:
+        self._http = HttpClient(timeout_s=timeout_s)
+
+    def can_handle(self, host: str) -> bool:
+        h = host.lower()
+        return h in ("github.com", "api.github.com") or h.endswith(".github.com")
+
+    def _api_base(self, host: str) -> str:
+        """
+        GitHub API base:
+        - Public GitHub: https://api.github.com
+        - GitHub Enterprise Server: https://<host>/api/v3
+        """
+        h = host.lower()
+        if h in ("github.com", "api.github.com"):
+            return "https://api.github.com"
+
+        # Enterprise instance:
+        if host.startswith("http://") or host.startswith("https://"):
+            return host.rstrip("/") + "/api/v3"
+        return f"https://{host}/api/v3"
+
+    def _headers(self, token: str) -> Dict[str, str]:
+        return {
+            "Authorization": f"Bearer {token}",
+            "Accept": "application/vnd.github+json",
+            "User-Agent": "pkgmgr",
+        }
+
+    def repo_exists(self, token: str, spec: RepoSpec) -> bool:
+        api = self._api_base(spec.host)
+        url = f"{api}/repos/{spec.owner}/{spec.name}"
+        try:
+            resp = self._http.request_json("GET", url, headers=self._headers(token))
+            return 200 <= resp.status < 300
+        except HttpError as exc:
+            if exc.status == 404:
+                return False
+            raise
+
+    def create_repo(self, token: str, spec: RepoSpec) -> EnsureResult:
+        api = self._api_base(spec.host)
+
+        payload: Dict[str, Any] = {
+            "name": spec.name,
+            "private": bool(spec.private),
+        }
+        if spec.description:
+            payload["description"] = spec.description
+        if spec.default_branch:
+            payload["default_branch"] = spec.default_branch
+
+        org_url = f"{api}/orgs/{spec.owner}/repos"
+        user_url = f"{api}/user/repos"
+
+        # Try org first, then fall back to user creation.
+        try:
+            resp = self._http.request_json(
+                "POST", org_url, headers=self._headers(token), payload=payload
+            )
+            if 200 <= resp.status < 300:
+                html_url = (resp.json or {}).get("html_url") if resp.json else None
+                return EnsureResult(
+                    status="created",
+                    message="Repository created (org).",
+                    url=str(html_url) if html_url else None,
+                )
+        except HttpError:
+            pass
+
+        resp = self._http.request_json(
+            "POST", user_url, headers=self._headers(token), payload=payload
+        )
+        if 200 <= resp.status < 300:
+            html_url = (resp.json or {}).get("html_url") if resp.json else None
+            return EnsureResult(
+                status="created",
+                message="Repository created (user).",
+                url=str(html_url) if html_url else None,
+            )
+
+        return EnsureResult(
+            status="failed",
+            message=f"Failed to create repository (status {resp.status}).",
+        )

src/pkgmgr/core/remote_provisioning/registry.py

@@ -0,0 +1,30 @@
+# src/pkgmgr/core/remote_provisioning/registry.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import List, Optional
+
+from .providers.base import RemoteProvider
+from .providers.gitea import GiteaProvider
+from .providers.github import GitHubProvider
+
+
+@dataclass
+class ProviderRegistry:
+    """Resolve the correct provider implementation for a host."""
+
+    providers: List[RemoteProvider]
+
+    @classmethod
+    def default(cls) -> "ProviderRegistry":
+        # Order matters: more specific providers first; fallback providers last.
+        return cls(providers=[GitHubProvider(), GiteaProvider()])
+
+    def resolve(self, host: str) -> Optional[RemoteProvider]:
+        for p in self.providers:
+            try:
+                if p.can_handle(host):
+                    return p
+            except Exception:
+                continue
+        return None

src/pkgmgr/core/remote_provisioning/types.py

@@ -0,0 +1,61 @@
+# src/pkgmgr/core/remote_provisioning/types.py
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Literal, Optional
+
+EnsureStatus = Literal["exists", "created", "skipped", "failed"]
+
+
+@dataclass(frozen=True)
+class ProviderHint:
+    """Optional hint to force a provider kind."""
+
+    kind: Optional[str] = None  # e.g. "gitea" or "github"
+
+
+@dataclass(frozen=True)
+class RepoSpec:
+    """Desired remote repository."""
+
+    host: str
+    owner: str
+    name: str
+    private: bool = True
+    description: str = ""
+    default_branch: Optional[str] = None
+
+
+@dataclass(frozen=True)
+class EnsureResult:
+    status: EnsureStatus
+    message: str
+    url: Optional[str] = None
+
+
+class RemoteProvisioningError(RuntimeError):
+    """Base class for remote provisioning errors."""
+
+
+class AuthError(RemoteProvisioningError):
+    """Authentication failed (401)."""
+
+
+class PermissionError(RemoteProvisioningError):
+    """Permission denied (403)."""
+
+
+class NotFoundError(RemoteProvisioningError):
+    """Resource not found (404)."""
+
+
+class PolicyError(RemoteProvisioningError):
+    """Provider/org policy prevents the operation."""
+
+
+class NetworkError(RemoteProvisioningError):
+    """Network/transport errors."""
+
+
+class UnsupportedProviderError(RemoteProvisioningError):
+    """No provider matched for the given host."""

src/pkgmgr/core/repository/paths.py

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Central repository path resolver.
+
+Goal:
+- Provide ONE place to define where packaging / changelog / metadata files live.
+- Prefer modern layout (packaging/*) but stay backwards-compatible with legacy
+  root-level paths.
+
+Both:
+- readers (pkgmgr.core.version.source)
+- writers (pkgmgr.actions.release.workflow)
+
+should use this module instead of hardcoding paths.
+"""
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from typing import Iterable, Optional
+
+
+@dataclass(frozen=True)
+class RepoPaths:
+    repo_dir: str
+
+    pyproject_toml: str
+    flake_nix: str
+
+    # Human changelog (typically Markdown)
+    changelog_md: Optional[str]
+
+    # Packaging-related files
+    arch_pkgbuild: Optional[str]
+    debian_changelog: Optional[str]
+    rpm_spec: Optional[str]
+
+
+def _first_existing(candidates: Iterable[str]) -> Optional[str]:
+    for p in candidates:
+        if p and os.path.isfile(p):
+            return p
+    return None
+
+
+def _find_first_spec_in_dir(dir_path: str) -> Optional[str]:
+    if not os.path.isdir(dir_path):
+        return None
+    try:
+        for fn in sorted(os.listdir(dir_path)):
+            if fn.endswith(".spec"):
+                p = os.path.join(dir_path, fn)
+                if os.path.isfile(p):
+                    return p
+    except OSError:
+        return None
+    return None
+
+
+def resolve_repo_paths(repo_dir: str) -> RepoPaths:
+    """
+    Resolve canonical file locations for a repository.
+
+    Preferences (new layout first, legacy fallback second):
+      - PKGBUILD:            packaging/arch/PKGBUILD  -> PKGBUILD
+      - Debian changelog:    packaging/debian/changelog -> debian/changelog
+      - RPM spec:            packaging/fedora/package-manager.spec
+                             -> first *.spec in packaging/fedora
+                             -> first *.spec in repo root
+      - CHANGELOG.md:        CHANGELOG.md -> packaging/CHANGELOG.md (optional fallback)
+
+    Notes:
+      - This resolver only returns paths; it does not read/parse files.
+      - Callers should treat Optional paths as "may not exist".
+    """
+    repo_dir = os.path.abspath(repo_dir)
+
+    pyproject_toml = os.path.join(repo_dir, "pyproject.toml")
+    flake_nix = os.path.join(repo_dir, "flake.nix")
+
+    changelog_md = _first_existing(
+        [
+            os.path.join(repo_dir, "CHANGELOG.md"),
+            os.path.join(repo_dir, "packaging", "CHANGELOG.md"),
+        ]
+    )
+
+    arch_pkgbuild = _first_existing(
+        [
+            os.path.join(repo_dir, "packaging", "arch", "PKGBUILD"),
+            os.path.join(repo_dir, "PKGBUILD"),
+        ]
+    )
+
+    debian_changelog = _first_existing(
+        [
+            os.path.join(repo_dir, "packaging", "debian", "changelog"),
+            os.path.join(repo_dir, "debian", "changelog"),
+        ]
+    )
+
+    # RPM spec: prefer the canonical file, else first spec in packaging/fedora, else first spec in repo root.
+    rpm_spec = _first_existing(
+        [
+            os.path.join(repo_dir, "packaging", "fedora", "package-manager.spec"),
+        ]
+    )
+    if rpm_spec is None:
+        rpm_spec = _find_first_spec_in_dir(os.path.join(repo_dir, "packaging", "fedora"))
+    if rpm_spec is None:
+        rpm_spec = _find_first_spec_in_dir(repo_dir)
+
+    return RepoPaths(
+        repo_dir=repo_dir,
+        pyproject_toml=pyproject_toml,
+        flake_nix=flake_nix,
+        changelog_md=changelog_md,
+        arch_pkgbuild=arch_pkgbuild,
+        debian_changelog=debian_changelog,
+        rpm_spec=rpm_spec,
+    )

src/pkgmgr/core/version/installed.py

@@ -0,0 +1,168 @@
+from __future__ import annotations
+
+import json
+import re
+import shutil
+import subprocess
+from dataclasses import dataclass
+from typing import Iterable, Optional, Tuple
+
+
+@dataclass(frozen=True)
+class InstalledVersion:
+    """
+    Represents a resolved installed version and the matched name.
+    """
+    name: str
+    version: str
+
+
+def _normalize(name: str) -> str:
+    return re.sub(r"[-_.]+", "-", (name or "").strip()).lower()
+
+
+def _unique_candidates(names: Iterable[str]) -> list[str]:
+    seen: set[str] = set()
+    out: list[str] = []
+    for n in names:
+        if not n:
+            continue
+        key = _normalize(n)
+        if key in seen:
+            continue
+        seen.add(key)
+        out.append(n)
+    return out
+
+
+def get_installed_python_version(*candidates: str) -> Optional[InstalledVersion]:
+    """
+    Detect installed Python package version in the CURRENT Python environment.
+
+    Strategy:
+      1) Exact normalized match using importlib.metadata.version()
+      2) Substring fallback by scanning installed distributions
+    """
+    try:
+        from importlib import metadata as importlib_metadata
+    except Exception:
+        return None
+
+    candidates = _unique_candidates(candidates)
+
+    expanded: list[str] = []
+    for c in candidates:
+        n = _normalize(c)
+        expanded.extend([c, n, n.replace("-", "_"), n.replace("-", ".")])
+    expanded = _unique_candidates(expanded)
+
+    # 1) Direct queries first (fast path)
+    for name in expanded:
+        try:
+            version = importlib_metadata.version(name)
+            return InstalledVersion(name=name, version=version)
+        except Exception:
+            continue
+
+    # 2) Fallback: scan distributions (last resort)
+    try:
+        dists = importlib_metadata.distributions()
+    except Exception:
+        return None
+
+    norm_candidates = {_normalize(c) for c in candidates}
+
+    for dist in dists:
+        dist_name = dist.metadata.get("Name", "") or ""
+        norm_dist = _normalize(dist_name)
+        for c in norm_candidates:
+            if c and (c in norm_dist or norm_dist in c):
+                ver = getattr(dist, "version", None)
+                if ver:
+                    return InstalledVersion(name=dist_name, version=ver)
+
+    return None
+
+
+def _run_nix(args: list[str]) -> Tuple[int, str, str]:
+    p = subprocess.run(
+        args,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+        check=False,
+    )
+    return p.returncode, p.stdout or "", p.stderr or ""
+
+
+def _extract_version_from_store_path(path: str) -> Optional[str]:
+    if not path:
+        return None
+    base = path.rstrip("/").split("/")[-1]
+    if "-" not in base:
+        return None
+    tail = base.split("-")[-1]
+    if re.match(r"\d+(\.\d+){0,3}([a-z0-9+._-]*)?$", tail, re.I):
+        return tail
+    return None
+
+
+def get_installed_nix_profile_version(*candidates: str) -> Optional[InstalledVersion]:
+    """
+    Detect installed version from the current Nix profile.
+
+    Strategy:
+      1) JSON output (exact normalized match)
+      2) Text fallback (substring)
+    """
+    if shutil.which("nix") is None:
+        return None
+
+    candidates = _unique_candidates(candidates)
+    if not candidates:
+        return None
+
+    norm_candidates = {_normalize(c) for c in candidates}
+
+    # Preferred: JSON output
+    rc, out, _ = _run_nix(["nix", "profile", "list", "--json"])
+    if rc == 0 and out.strip():
+        try:
+            data = json.loads(out)
+            elements = data.get("elements") or data.get("items") or {}
+            if isinstance(elements, dict):
+                for elem in elements.values():
+                    if not isinstance(elem, dict):
+                        continue
+                    name = (elem.get("name") or elem.get("pname") or "").strip()
+                    version = (elem.get("version") or "").strip()
+                    norm_name = _normalize(name)
+
+                    if norm_name in norm_candidates:
+                        if version:
+                            return InstalledVersion(name=name, version=version)
+                        for sp in elem.get("storePaths", []) or []:
+                            guess = _extract_version_from_store_path(sp)
+                            if guess:
+                                return InstalledVersion(name=name, version=guess)
+        except Exception:
+            pass
+
+    # Fallback: text mode
+    rc, out, _ = _run_nix(["nix", "profile", "list"])
+    if rc != 0:
+        return None
+
+    for line in out.splitlines():
+        norm_line = _normalize(line)
+        for c in norm_candidates:
+            if c in norm_line:
+                m = re.search(r"\b\d+(\.\d+){0,3}[a-z0-9+._-]*\b", line, re.I)
+                if m:
+                    return InstalledVersion(name=c, version=m.group(0))
+                if "/nix/store/" in line:
+                    guess = _extract_version_from_store_path(line.split()[-1])
+                    if guess:
+                        return InstalledVersion(name=c, version=guess)
+
+    return None

src/pkgmgr/core/version/source.py

@@ -1,21 +1,4 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-"""
-Helpers to extract version information from various packaging files.
-
-All functions take a repository directory and return either a version
-string or None if the corresponding file or version field is missing.
-
-Supported sources:
-- pyproject.toml   (PEP 621, [project].version)
-- flake.nix        (version = "X.Y.Z";)
-- PKGBUILD         (pkgver / pkgrel)
-- debian/changelog (first entry line: package (version) ...)
-- RPM spec file    (package-manager.spec: Version / Release)
-- Ansible Galaxy   (galaxy.yml or meta/main.yml)
-"""
-
+# src/pkgmgr/core/version/source.py
 from __future__ import annotations
 
 import os
@@ -24,52 +7,72 @@ from typing import Optional
 
 import yaml
 
+from pkgmgr.core.repository.paths import resolve_repo_paths
+
 
 def read_pyproject_version(repo_dir: str) -> Optional[str]:
     """
     Read the version from pyproject.toml in repo_dir, if present.
 
     Expects a PEP 621-style [project] table with a 'version' field.
-    Returns the version string or None.
     """
-    path = os.path.join(repo_dir, "pyproject.toml")
-    if not os.path.exists(path):
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.pyproject_toml
+    if not os.path.isfile(path):
         return None
 
     try:
-        try:
-            import tomllib  # Python 3.11+
-        except ModuleNotFoundError:  # pragma: no cover
-            tomllib = None
-
-        if tomllib is None:
-            return None
+        import tomllib  # Python 3.11+
+    except Exception:
+        import tomli as tomllib  # type: ignore
 
+    try:
         with open(path, "rb") as f:
             data = tomllib.load(f)
-
-        project = data.get("project", {})
-        if isinstance(project, dict):
-            version = project.get("version")
-            if isinstance(version, str):
-                return version.strip() or None
+        project = data.get("project") or {}
+        version = project.get("version")
+        return str(version).strip() if version else None
     except Exception:
-        # Intentionally swallow errors and fall back to None.
         return None
 
-    return None
+
+def read_pyproject_project_name(repo_dir: str) -> Optional[str]:
+    """
+    Read distribution name from pyproject.toml ([project].name).
+
+    This is required to correctly resolve installed Python package
+    versions via importlib.metadata.
+    """
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.pyproject_toml
+    if not os.path.isfile(path):
+        return None
+
+    try:
+        import tomllib  # Python 3.11+
+    except Exception:
+        import tomli as tomllib  # type: ignore
+
+    try:
+        with open(path, "rb") as f:
+            data = tomllib.load(f)
+        project = data.get("project") or {}
+        name = project.get("name")
+        return str(name).strip() if name else None
+    except Exception:
+        return None
 
 
 def read_flake_version(repo_dir: str) -> Optional[str]:
     """
     Read the version from flake.nix in repo_dir, if present.
 
-    Looks for a line like:
-        version = "1.2.3";
-    and returns the string inside the quotes.
+    Looks for:
+        version = "X.Y.Z";
     """
-    path = os.path.join(repo_dir, "flake.nix")
-    if not os.path.exists(path):
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.flake_nix
+    if not os.path.isfile(path):
         return None
 
     try:
@@ -81,22 +84,22 @@ def read_flake_version(repo_dir: str) -> Optional[str]:
     match = re.search(r'version\s*=\s*"([^"]+)"', text)
     if not match:
         return None
-    version = match.group(1).strip()
-    return version or None
+
+    return match.group(1).strip() or None
 
 
 def read_pkgbuild_version(repo_dir: str) -> Optional[str]:
     """
-    Read the version from PKGBUILD in repo_dir, if present.
+    Read the version from PKGBUILD (preferring packaging/arch/PKGBUILD).
 
-    Expects:
-        pkgver=1.2.3
-        pkgrel=1
-
-    Returns either "1.2.3-1" (if both are present) or just "1.2.3".
+    Combines pkgver and pkgrel if both exist:
+      pkgver=1.2.3
+      pkgrel=1
+    -> 1.2.3-1
     """
-    path = os.path.join(repo_dir, "PKGBUILD")
-    if not os.path.exists(path):
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.arch_pkgbuild
+    if not path or not os.path.isfile(path):
         return None
 
     try:
@@ -121,15 +124,19 @@ def read_pkgbuild_version(repo_dir: str) -> Optional[str]:
 
 def read_debian_changelog_version(repo_dir: str) -> Optional[str]:
     """
-    Read the latest Debian version from debian/changelog in repo_dir, if present.
+    Read the latest version from debian changelog.
 
-    The first non-empty line typically looks like:
-        package-name (1.2.3-1) unstable; urgency=medium
+    Preferred path:
+      packaging/debian/changelog
+    Fallback:
+      debian/changelog
 
-    We extract the text inside the first parentheses.
+    Expected format:
+      package (1.2.3-1) unstable; urgency=medium
     """
-    path = os.path.join(repo_dir, "debian", "changelog")
-    if not os.path.exists(path):
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.debian_changelog
+    if not path or not os.path.isfile(path):
         return None
 
     try:
@@ -140,8 +147,7 @@ def read_debian_changelog_version(repo_dir: str) -> Optional[str]:
                     continue
                 match = re.search(r"\(([^)]+)\)", line)
                 if match:
-                    version = match.group(1).strip()
-                    return version or None
+                    return match.group(1).strip() or None
                 break
     except Exception:
         return None
@@ -151,19 +157,21 @@ def read_debian_changelog_version(repo_dir: str) -> Optional[str]:
 
 def read_spec_version(repo_dir: str) -> Optional[str]:
     """
-    Read the version from a RPM spec file.
+    Read the version from an RPM spec file.
 
-    For now, we assume a fixed file name 'package-manager.spec'
-    in repo_dir with lines like:
+    Preferred paths:
+      packaging/fedora/package-manager.spec
+      packaging/fedora/*.spec
+      repo_root/*.spec
 
-        Version: 1.2.3
-        Release: 1%{?dist}
-
-    Returns either "1.2.3-1" (if Release is present) or "1.2.3".
-    Any RPM macro suffix like '%{?dist}' is stripped from the release.
+    Combines:
+      Version: 1.2.3
+      Release: 1%{?dist}
+    -> 1.2.3-1
     """
-    path = os.path.join(repo_dir, "package-manager.spec")
-    if not os.path.exists(path):
+    paths = resolve_repo_paths(repo_dir)
+    path = paths.rpm_spec
+    if not path or not os.path.isfile(path):
         return None
 
     try:
@@ -180,10 +188,7 @@ def read_spec_version(repo_dir: str) -> Optional[str]:
     rel_match = re.search(r"^Release:\s*(.+)$", text, re.MULTILINE)
     if rel_match:
         release_raw = rel_match.group(1).strip()
-        # Strip common RPM macro suffix like %... (e.g. 1%{?dist})
-        release = release_raw.split("%", 1)[0].strip()
-        # Also strip anything after first whitespace, just in case
-        release = release.split(" ", 1)[0].strip()
+        release = release_raw.split("%", 1)[0].split(" ", 1)[0].strip()
         if release:
             return f"{version}-{release}"
 
@@ -192,40 +197,35 @@ def read_spec_version(repo_dir: str) -> Optional[str]:
 
 def read_ansible_galaxy_version(repo_dir: str) -> Optional[str]:
     """
-    Read the version from Ansible Galaxy metadata, if present.
+    Read the version from Ansible Galaxy metadata.
 
-    Supported locations:
-    - galaxy.yml  (preferred for modern roles/collections)
-    - meta/main.yml (legacy style roles; uses galaxy_info.version or version)
+    Supported:
+      - galaxy.yml
+      - meta/main.yml (galaxy_info.version or version)
     """
-    # 1) galaxy.yml in repo root
-    galaxy_path = os.path.join(repo_dir, "galaxy.yml")
-    if os.path.exists(galaxy_path):
+    galaxy_yml = os.path.join(repo_dir, "galaxy.yml")
+    if os.path.isfile(galaxy_yml):
         try:
-            with open(galaxy_path, "r", encoding="utf-8") as f:
+            with open(galaxy_yml, "r", encoding="utf-8") as f:
                 data = yaml.safe_load(f) or {}
             version = data.get("version")
             if isinstance(version, str) and version.strip():
                 return version.strip()
         except Exception:
-            # Ignore parse errors and fall through to meta/main.yml
             pass
 
-    # 2) meta/main.yml (classic Ansible role)
-    meta_path = os.path.join(repo_dir, "meta", "main.yml")
-    if os.path.exists(meta_path):
+    meta_yml = os.path.join(repo_dir, "meta", "main.yml")
+    if os.path.isfile(meta_yml):
         try:
-            with open(meta_path, "r", encoding="utf-8") as f:
+            with open(meta_yml, "r", encoding="utf-8") as f:
                 data = yaml.safe_load(f) or {}
 
-            # Preferred: galaxy_info.version
             galaxy_info = data.get("galaxy_info") or {}
             if isinstance(galaxy_info, dict):
                 version = galaxy_info.get("version")
                 if isinstance(version, str) and version.strip():
                     return version.strip()
 
-            # Fallback: top-level 'version'
             version = data.get("version")
             if isinstance(version, str) and version.strip():
                 return version.strip()

tests/e2e/_util.py

@@ -0,0 +1,24 @@
+import subprocess
+
+
+def run(cmd, *, cwd=None, env=None, shell=False) -> str:
+    proc = subprocess.run(
+        cmd,
+        cwd=cwd,
+        env=env,
+        shell=shell,
+        text=True,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+    )
+
+    print("----- BEGIN COMMAND -----")
+    print(cmd if isinstance(cmd, str) else " ".join(cmd))
+    print("----- OUTPUT -----")
+    print(proc.stdout.rstrip())
+    print("----- END COMMAND -----")
+
+    if proc.returncode != 0:
+        raise AssertionError(proc.stdout)
+
+    return proc.stdout

tests/e2e/test_install_makefile_three_times.py

@@ -0,0 +1,25 @@
+from tests.e2e._util import run
+import tempfile
+import unittest
+from pathlib import Path
+
+class TestMakefileThreeTimes(unittest.TestCase):
+    def test_make_install_three_times(self):
+        with tempfile.TemporaryDirectory(prefix="makefile-3x-") as tmp:
+            repo = Path(tmp)
+
+            # Minimal Makefile with install target
+            (repo / "Makefile").write_text(
+                "install:\n\t@echo install >> install.log\n"
+            )
+
+            for i in range(1, 4):
+                print(f"\n=== RUN {i}/3 ===")
+                run(["make", "install"], cwd=repo)
+
+            log = (repo / "install.log").read_text().splitlines()
+            self.assertEqual(
+                len(log),
+                3,
+                "make install should have been executed exactly three times",
+            )

tests/e2e/test_install_pkgmgr_three_times_nix.py

@@ -0,0 +1,37 @@
+import os
+from tests.e2e._util import run
+import tempfile
+import unittest
+from pathlib import Path
+
+
+class TestPkgmgrInstallThreeTimesNix(unittest.TestCase):
+    def test_three_times_install_nix(self):
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-nix-") as tmp:
+            tmp_path = Path(tmp)
+
+            env = os.environ.copy()
+            env["HOME"] = tmp
+
+            # Ensure nix is found
+            env["PATH"] = "/nix/var/nix/profiles/default/bin:" + os.environ.get("PATH", "")
+
+            # IMPORTANT:
+            # nix run uses git+file:///src internally -> Git will reject /src if it's not a safe.directory.
+            # Our test sets HOME to a temp dir, so we must provide a temp global gitconfig.
+            gitconfig = tmp_path / ".gitconfig"
+            gitconfig.write_text(
+                "[safe]\n"
+                "\tdirectory = /src\n"
+                "\tdirectory = /src/.git\n"
+                "\tdirectory = *\n"
+            )
+            env["GIT_CONFIG_GLOBAL"] = str(gitconfig)
+
+            for i in range(1, 4):
+                print(f"\n=== RUN {i}/3 ===")
+                run(
+                    "nix run .#pkgmgr -- install pkgmgr --update --clone-mode shallow --no-verification",
+                    env=env,
+                    shell=True,
+                )

tests/e2e/test_install_pkgmgr_three_times_venv.py

@@ -0,0 +1,34 @@
+from tests.e2e._util import run
+import tempfile
+import unittest
+from pathlib import Path
+import os
+
+
+class TestPkgmgrInstallThreeTimesVenv(unittest.TestCase):
+    def test_three_times_install_venv(self):
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-venv-") as tmp:
+            home = Path(tmp)
+            bin_dir = home / ".local" / "bin"
+            bin_dir.mkdir(parents=True)
+
+            env = os.environ.copy()
+            env["HOME"] = tmp
+
+            # pkgmgr kommt aus dem Projekt-venv
+            env["PATH"] = (
+                f"{Path.cwd() / '.venv' / 'bin'}:"
+                f"{bin_dir}:"
+                + os.environ.get("PATH", "")
+            )
+
+            # nix explizit deaktivieren → Python/Venv-Pfad
+            env["PKGMGR_DISABLE_NIX_FLAKE_INSTALLER"] = "1"
+
+            for i in range(1, 4):
+                print(f"\n=== RUN {i}/3 ===")
+                run(
+                    "pkgmgr install pkgmgr --update --clone-mode shallow --no-verification",
+                    env=env,
+                    shell=True,
+                )

tests/e2e/test_mirror_commands.py

@@ -1,143 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-"""
-E2E integration tests for the `pkgmgr mirror` command family.
-
-This test class covers:
-
-  - pkgmgr mirror --help
-  - pkgmgr mirror list --preview --all
-  - pkgmgr mirror diff --preview --all
-  - pkgmgr mirror merge config file --preview --all
-  - pkgmgr mirror setup --preview --all
-
-All of these subcommands are fully wired at CLI level and do not
-require mocks. With --preview, merge and setup do not perform
-destructive actions, making them safe for CI execution.
-"""
-
-from __future__ import annotations
-
-import io
-import runpy
-import sys
-import unittest
-from contextlib import redirect_stdout, redirect_stderr
-
-
-class TestIntegrationMirrorCommands(unittest.TestCase):
-    """
-    E2E tests for `pkgmgr mirror` commands.
-    """
-
-    # ------------------------------------------------------------
-    # Helper
-    # ------------------------------------------------------------
-    def _run_pkgmgr(self, args: list[str]) -> str:
-        """
-        Execute pkgmgr with the given arguments and return captured stdout+stderr.
-
-        - Treat SystemExit(0) or SystemExit(None) as success.
-        - Convert non-zero exit codes into AssertionError.
-        """
-        original_argv = list(sys.argv)
-        buffer = io.StringIO()
-        cmd_repr = "pkgmgr " + " ".join(args)
-
-        try:
-            sys.argv = ["pkgmgr"] + args
-
-            try:
-                with redirect_stdout(buffer), redirect_stderr(buffer):
-                    runpy.run_module("pkgmgr", run_name="__main__")
-            except SystemExit as exc:
-                code = exc.code if isinstance(exc.code, int) else None
-                if code not in (0, None):
-                    raise AssertionError(
-                        f"{cmd_repr!r} failed with exit code {exc.code}. "
-                        "Scroll up to inspect the pkgmgr output."
-                    ) from exc
-
-            return buffer.getvalue()
-
-        finally:
-            sys.argv = original_argv
-
-    # ------------------------------------------------------------
-    # Tests
-    # ------------------------------------------------------------
-
-    def test_mirror_help(self) -> None:
-        """
-        Ensure `pkgmgr mirror --help` runs successfully
-        and prints a usage message for the mirror command.
-        """
-        output = self._run_pkgmgr(["mirror", "--help"])
-        self.assertIn("usage:", output)
-        self.assertIn("pkgmgr mirror", output)
-
-    def test_mirror_list_preview_all(self) -> None:
-        """
-        `pkgmgr mirror list --preview --all` should run without error
-        and produce some output for the selected repositories.
-        """
-        output = self._run_pkgmgr(["mirror", "list", "--preview", "--all"])
-        # Do not assert specific wording; just ensure something was printed.
-        self.assertTrue(
-            output.strip(),
-            msg="Expected `pkgmgr mirror list --preview --all` to produce output.",
-        )
-
-    def test_mirror_diff_preview_all(self) -> None:
-        """
-        `pkgmgr mirror diff --preview --all` should run without error
-        and produce some diagnostic output (diff header, etc.).
-        """
-        output = self._run_pkgmgr(["mirror", "diff", "--preview", "--all"])
-        self.assertTrue(
-            output.strip(),
-            msg="Expected `pkgmgr mirror diff --preview --all` to produce output.",
-        )
-
-    def test_mirror_merge_config_to_file_preview_all(self) -> None:
-        """
-        `pkgmgr mirror merge config file --preview --all` should run without error.
-
-        In preview mode this does not change either config or MIRRORS files;
-        it only prints what would be merged.
-        """
-        output = self._run_pkgmgr(
-            [
-                "mirror",
-                "merge",
-                "config",
-                "file",
-                "--preview",
-                "--all",
-            ]
-        )
-        self.assertTrue(
-            output.strip(),
-            msg=(
-                "Expected `pkgmgr mirror merge config file --preview --all` "
-                "to produce output."
-            ),
-        )
-
-    def test_mirror_setup_preview_all(self) -> None:
-        """
-        `pkgmgr mirror setup --preview --all` should run without error.
-
-        In preview mode only the intended Git operations and remote
-        suggestions are printed; no real changes are made.
-        """
-        output = self._run_pkgmgr(["mirror", "setup", "--preview", "--all"])
-        self.assertTrue(
-            output.strip(),
-            msg="Expected `pkgmgr mirror setup --preview --all` to produce output.",
-        )
-
-
-if __name__ == "__main__":
-    unittest.main()

tests/e2e/test_update_all.py

@@ -1,92 +0,0 @@
-"""
-Integration test: update all configured repositories using
---clone-mode https and --no-verification.
-
-This test is intended to be run inside the Docker container where:
-  - network access is available,
-  - the config/config.yaml is present,
-  - and it is safe to perform real git operations.
-
-It passes if BOTH commands complete successfully (in separate tests):
-  1) pkgmgr update --all --clone-mode https --no-verification
-  2) nix run .#pkgmgr -- update --all --clone-mode https --no-verification
-"""
-
-import os
-import subprocess
-import unittest
-
-from test_install_pkgmgr_shallow import (
-    nix_profile_list_debug,
-    remove_pkgmgr_from_nix_profile,
-    pkgmgr_help_debug,
-)
-
-
-class TestIntegrationUpdateAllHttps(unittest.TestCase):
-    def _run_cmd(self, cmd: list[str], label: str) -> None:
-        """
-        Run a real CLI command and raise a helpful assertion on failure.
-        """
-        cmd_repr = " ".join(cmd)
-        env = os.environ.copy()
-
-        try:
-            print(f"\n[TEST] Running ({label}): {cmd_repr}")
-            subprocess.run(
-                cmd,
-                check=True,
-                cwd=os.getcwd(),
-                env=env,
-                text=True,
-            )
-        except subprocess.CalledProcessError as exc:
-            print(f"\n[TEST] Command failed ({label})")
-            print(f"[TEST] Command : {cmd_repr}")
-            print(f"[TEST] Exit code: {exc.returncode}")
-
-            nix_profile_list_debug(f"ON FAILURE ({label})")
-
-            raise AssertionError(
-                f"({label}) {cmd_repr!r} failed with exit code {exc.returncode}. "
-                "Scroll up to see the full pkgmgr/nix output inside the container."
-            ) from exc
-
-    def _common_setup(self) -> None:
-        # Debug before cleanup
-        nix_profile_list_debug("BEFORE CLEANUP")
-
-        # Cleanup: aggressively try to drop any pkgmgr/profile entries
-        # (keeps the environment comparable to other integration tests).
-        remove_pkgmgr_from_nix_profile()
-
-        # Debug after cleanup
-        nix_profile_list_debug("AFTER CLEANUP")
-
-    def test_update_all_repositories_https_pkgmgr(self) -> None:
-        """
-        Run: pkgmgr update --all --clone-mode https --no-verification
-        """
-        self._common_setup()
-
-        args = ["update", "--all", "--clone-mode", "https", "--no-verification"]
-        self._run_cmd(["pkgmgr", *args], label="pkgmgr")
-
-        # After successful update: show `pkgmgr --help` via interactive bash
-        pkgmgr_help_debug()
-
-    def test_update_all_repositories_https_nix_pkgmgr(self) -> None:
-        """
-        Run: nix run .#pkgmgr -- update --all --clone-mode https --no-verification
-        """
-        self._common_setup()
-
-        args = ["update", "--all", "--clone-mode", "https", "--no-verification"]
-        self._run_cmd(["nix", "run", ".#pkgmgr", "--", *args], label="nix run .#pkgmgr")
-
-        # After successful update: show `pkgmgr --help` via interactive bash
-        pkgmgr_help_debug()
-
-
-if __name__ == "__main__":
-    unittest.main()

tests/e2e/test_update_all_no_system.py

@@ -0,0 +1,123 @@
+"""
+Integration test: update all configured repositories using
+--clone-mode shallow and --no-verification, WITHOUT system updates.
+
+This test is intended to be run inside the Docker container where:
+  - network access is available,
+  - the config/config.yaml is present,
+  - and it is safe to perform real git operations.
+
+It passes if BOTH commands complete successfully (in separate tests):
+  1) pkgmgr update --all --clone-mode shallow --no-verification
+  2) nix run .#pkgmgr -- update --all --clone-mode shallow --no-verification
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+from test_install_pkgmgr_shallow import (
+    nix_profile_list_debug,
+    remove_pkgmgr_from_nix_profile,
+    pkgmgr_help_debug,
+)
+
+
+def _make_temp_gitconfig_with_safe_dirs(home: Path) -> Path:
+    gitconfig = home / ".gitconfig"
+    gitconfig.write_text(
+        "[safe]\n"
+        "\tdirectory = /src\n"
+        "\tdirectory = /src/.git\n"
+        "\tdirectory = *\n"
+    )
+    return gitconfig
+
+
+class TestIntegrationUpdateAllshallowNoSystem(unittest.TestCase):
+    def _common_env(self, home_dir: str) -> dict[str, str]:
+        env = os.environ.copy()
+        env["HOME"] = home_dir
+
+        home = Path(home_dir)
+        home.mkdir(parents=True, exist_ok=True)
+
+        env["GIT_CONFIG_GLOBAL"] = str(_make_temp_gitconfig_with_safe_dirs(home))
+
+        # Ensure nix is discoverable if the container has it
+        env["PATH"] = "/nix/var/nix/profiles/default/bin:" + env.get("PATH", "")
+
+        return env
+
+    def _run_cmd(self, cmd: list[str], label: str, env: dict[str, str]) -> None:
+        cmd_repr = " ".join(cmd)
+        print(f"\n[TEST] Running ({label}): {cmd_repr}")
+
+        proc = subprocess.run(
+            cmd,
+            check=False,
+            cwd=os.getcwd(),
+            env=env,
+            text=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
+
+        print(proc.stdout.rstrip())
+
+        if proc.returncode != 0:
+            print(f"\n[TEST] Command failed ({label})")
+            print(f"[TEST] Command : {cmd_repr}")
+            print(f"[TEST] Exit code: {proc.returncode}")
+
+            nix_profile_list_debug(f"ON FAILURE ({label})")
+
+            raise AssertionError(
+                f"({label}) {cmd_repr!r} failed with exit code {proc.returncode}.\n\n"
+                f"--- output ---\n{proc.stdout}\n"
+            )
+
+    def _common_setup(self) -> None:
+        nix_profile_list_debug("BEFORE CLEANUP")
+        remove_pkgmgr_from_nix_profile()
+        nix_profile_list_debug("AFTER CLEANUP")
+
+    def test_update_all_repositories_shallow_pkgmgr_no_system(self) -> None:
+        self._common_setup()
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-updateall-nosys-") as tmp:
+            env = self._common_env(tmp)
+            args = [
+                "update",
+                "--all",
+                "--clone-mode",
+                "shallow",
+                "--no-verification",
+            ]
+            self._run_cmd(["pkgmgr", *args], label="pkgmgr", env=env)
+            pkgmgr_help_debug()
+
+    def test_update_all_repositories_shallow_nix_pkgmgr_no_system(self) -> None:
+        self._common_setup()
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-updateall-nosys-nix-") as tmp:
+            env = self._common_env(tmp)
+            args = [
+                "update",
+                "--all",
+                "--clone-mode",
+                "shallow",
+                "--no-verification",
+            ]
+            self._run_cmd(
+                ["nix", "run", ".#pkgmgr", "--", *args],
+                label="nix run .#pkgmgr",
+                env=env,
+            )
+            pkgmgr_help_debug()
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/e2e/test_update_pkgmgr_system.py

@@ -0,0 +1,124 @@
+"""
+Integration test: update ONLY the 'pkgmgr' repository with system updates enabled.
+
+This test is intended to be run inside the Docker container where:
+  - network access is available,
+  - the config/config.yaml is present,
+  - and it is safe to perform real git operations.
+
+It passes if BOTH commands complete successfully (in separate tests):
+  1) pkgmgr update pkgmgr --clone-mode shallow --no-verification --system
+  2) nix run .#pkgmgr -- update pkgmgr --clone-mode shallow --no-verification --system
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+from test_install_pkgmgr_shallow import (
+    nix_profile_list_debug,
+    remove_pkgmgr_from_nix_profile,
+    pkgmgr_help_debug,
+)
+
+
+def _make_temp_gitconfig_with_safe_dirs(home: Path) -> Path:
+    gitconfig = home / ".gitconfig"
+    gitconfig.write_text(
+        "[safe]\n"
+        "\tdirectory = /src\n"
+        "\tdirectory = /src/.git\n"
+        "\tdirectory = *\n"
+    )
+    return gitconfig
+
+
+class TestIntegrationUpdatePkgmgrWithSystem(unittest.TestCase):
+    def _common_env(self, home_dir: str) -> dict[str, str]:
+        env = os.environ.copy()
+        env["HOME"] = home_dir
+
+        home = Path(home_dir)
+        home.mkdir(parents=True, exist_ok=True)
+
+        env["GIT_CONFIG_GLOBAL"] = str(_make_temp_gitconfig_with_safe_dirs(home))
+
+        # Ensure nix is discoverable if the container has it
+        env["PATH"] = "/nix/var/nix/profiles/default/bin:" + env.get("PATH", "")
+
+        return env
+
+    def _run_cmd(self, cmd: list[str], label: str, env: dict[str, str]) -> None:
+        cmd_repr = " ".join(cmd)
+        print(f"\n[TEST] Running ({label}): {cmd_repr}")
+
+        proc = subprocess.run(
+            cmd,
+            check=False,
+            cwd=os.getcwd(),
+            env=env,
+            text=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
+
+        print(proc.stdout.rstrip())
+
+        if proc.returncode != 0:
+            print(f"\n[TEST] Command failed ({label})")
+            print(f"[TEST] Command : {cmd_repr}")
+            print(f"[TEST] Exit code: {proc.returncode}")
+
+            nix_profile_list_debug(f"ON FAILURE ({label})")
+
+            raise AssertionError(
+                f"({label}) {cmd_repr!r} failed with exit code {proc.returncode}.\n\n"
+                f"--- output ---\n{proc.stdout}\n"
+            )
+
+    def _common_setup(self) -> None:
+        nix_profile_list_debug("BEFORE CLEANUP")
+        remove_pkgmgr_from_nix_profile()
+        nix_profile_list_debug("AFTER CLEANUP")
+
+    def test_update_pkgmgr_shallow_pkgmgr_with_system(self) -> None:
+        self._common_setup()
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-update-pkgmgr-sys-") as tmp:
+            env = self._common_env(tmp)
+            args = [
+                "update",
+                "pkgmgr",
+                "--clone-mode",
+                "shallow",
+                "--no-verification",
+                "--system",
+            ]
+            self._run_cmd(["pkgmgr", *args], label="pkgmgr", env=env)
+            pkgmgr_help_debug()
+
+    def test_update_pkgmgr_shallow_nix_pkgmgr_with_system(self) -> None:
+        self._common_setup()
+        with tempfile.TemporaryDirectory(prefix="pkgmgr-update-pkgmgr-sys-nix-") as tmp:
+            env = self._common_env(tmp)
+            args = [
+                "update",
+                "pkgmgr",
+                "--clone-mode",
+                "shallow",
+                "--no-verification",
+                "--system",
+            ]
+            self._run_cmd(
+                ["nix", "run", ".#pkgmgr", "--", *args],
+                label="nix run .#pkgmgr",
+                env=env,
+            )
+            pkgmgr_help_debug()
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/integration/test_mirror_commands.py

@@ -0,0 +1,172 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+CLI integration tests for `pkgmgr mirror`.
+
+These tests validate:
+- CLI argument parsing
+- command dispatch
+- command orchestration
+
+All side effects (git, network, remote provisioning, filesystem writes)
+are patched to keep tests deterministic and CI-safe.
+"""
+
+from __future__ import annotations
+
+import importlib
+import io
+import os
+import runpy
+import sys
+import unittest
+from contextlib import ExitStack, redirect_stderr, redirect_stdout
+from typing import Dict, List, Optional
+from unittest.mock import MagicMock, PropertyMock, patch
+
+
+class TestIntegrationMirrorCommands(unittest.TestCase):
+    """
+    Integration tests for `pkgmgr mirror` commands.
+    """
+
+    def _run_pkgmgr(self, args: List[str], extra_env: Optional[Dict[str, str]] = None) -> str:
+        """
+        Execute pkgmgr with the given arguments and return captured output.
+
+        - Treat SystemExit(0) or SystemExit(None) as success.
+        - Any other exit code is considered a test failure.
+        - Mirror commands are patched to avoid network/destructive operations.
+        """
+        original_argv = list(sys.argv)
+        original_env = dict(os.environ)
+        buffer = io.StringIO()
+        cmd_repr = "pkgmgr " + " ".join(args)
+
+        # Shared dummy context used by multiple mirror commands
+        dummy_ctx = MagicMock()
+        dummy_ctx.identifier = "dummy-repo"
+        dummy_ctx.repo_dir = "/tmp/dummy-repo"
+        dummy_ctx.config_mirrors = {"origin": "git@github.com:alice/repo.git"}
+        dummy_ctx.file_mirrors = {"backup": "ssh://git@git.example:2201/alice/repo.git"}
+        type(dummy_ctx).resolved_mirrors = PropertyMock(
+            return_value={
+                "origin": "git@github.com:alice/repo.git",
+                "backup": "ssh://git@git.example:2201/alice/repo.git",
+            }
+        )
+
+        # Helper: patch with create=True so missing symbols don't explode.
+        # IMPORTANT: patch() does not auto-import submodules when resolving dotted names.
+        def _p(target: str, **kwargs):
+            module_name = target.rsplit(".", 1)[0]
+            try:
+                importlib.import_module(module_name)
+            except ModuleNotFoundError:
+                # If the module truly doesn't exist, create=True may still allow patching
+                # in some cases, but dotted resolution can still fail. Best-effort.
+                pass
+            return patch(target, create=True, **kwargs)
+
+        # Fake result for remote provisioning (preview-safe)
+        def _fake_ensure_remote_repo(spec, provider_hint=None, options=None):
+            # Safety: E2E should only ever call this in preview mode
+            if options is not None and getattr(options, "preview", False) is not True:
+                raise AssertionError(
+                    f"{cmd_repr} attempted ensure_remote_repo without preview=True in E2E."
+                )
+            r = MagicMock()
+            r.status = "preview"
+            r.message = "Preview mode (E2E patched): no remote provisioning performed."
+            r.url = None
+            return r
+
+        try:
+            sys.argv = ["pkgmgr"] + list(args)
+            if extra_env:
+                os.environ.update(extra_env)
+
+            with ExitStack() as stack:
+                # build_context is imported directly in these modules:
+                stack.enter_context(_p("pkgmgr.actions.mirror.list_cmd.build_context", return_value=dummy_ctx))
+                stack.enter_context(_p("pkgmgr.actions.mirror.diff_cmd.build_context", return_value=dummy_ctx))
+                stack.enter_context(_p("pkgmgr.actions.mirror.merge_cmd.build_context", return_value=dummy_ctx))
+                stack.enter_context(_p("pkgmgr.actions.mirror.setup_cmd.build_context", return_value=dummy_ctx))
+                stack.enter_context(_p("pkgmgr.actions.mirror.remote_provision.build_context", return_value=dummy_ctx))
+
+                # Deterministic remote probing (covers setup + likely check implementations)
+                stack.enter_context(_p("pkgmgr.actions.mirror.remote_check.probe_mirror", return_value=(True, "")))
+                stack.enter_context(_p("pkgmgr.actions.mirror.setup_cmd.probe_mirror", return_value=(True, "")))
+                stack.enter_context(_p("pkgmgr.actions.mirror.git_remote.is_remote_reachable", return_value=True))
+
+                # setup_cmd imports ensure_origin_remote directly:
+                stack.enter_context(_p("pkgmgr.actions.mirror.setup_cmd.ensure_origin_remote", return_value=None))
+                # Extra safety: if any code calls git_remote.ensure_origin_remote directly
+                stack.enter_context(_p("pkgmgr.actions.mirror.git_remote.ensure_origin_remote", return_value=None))
+
+                # remote provisioning: remote_provision imports ensure_remote_repo directly from core:
+                stack.enter_context(
+                    _p(
+                        "pkgmgr.actions.mirror.remote_provision.ensure_remote_repo",
+                        side_effect=_fake_ensure_remote_repo,
+                    )
+                )
+
+                # Extra safety: if anything calls remote_check.run_git directly, make it inert
+                stack.enter_context(_p("pkgmgr.actions.mirror.remote_check.run_git", return_value="dummy"))
+
+                with redirect_stdout(buffer), redirect_stderr(buffer):
+                    try:
+                        runpy.run_module("pkgmgr", run_name="__main__")
+                    except SystemExit as exc:
+                        code = exc.code if isinstance(exc.code, int) else None
+                        if code not in (0, None):
+                            raise AssertionError(
+                                "%r failed with exit code %r.\n\nOutput:\n%s"
+                                % (cmd_repr, exc.code, buffer.getvalue())
+                            )
+
+            return buffer.getvalue()
+
+        finally:
+            sys.argv = original_argv
+            os.environ.clear()
+            os.environ.update(original_env)
+
+    # ------------------------------------------------------------
+    # Tests
+    # ------------------------------------------------------------
+
+    def test_mirror_help(self) -> None:
+        output = self._run_pkgmgr(["mirror", "--help"])
+        self.assertIn("usage:", output.lower())
+        self.assertIn("mirror", output.lower())
+
+    def test_mirror_list_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "list", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror list")
+
+    def test_mirror_diff_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "diff", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror diff")
+
+    def test_mirror_merge_config_to_file_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "merge", "config", "file", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror merge (config -> file)")
+
+    def test_mirror_setup_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "setup", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror setup")
+
+    def test_mirror_check_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "check", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror check")
+
+    def test_mirror_provision_preview_all(self) -> None:
+        output = self._run_pkgmgr(["mirror", "provision", "--preview", "--all"])
+        self.assertTrue(output.strip(), "Expected output from mirror provision (preview)")
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/integration/test_nix_profile_list_json.py

@@ -0,0 +1,63 @@
+from __future__ import annotations
+
+import json
+import unittest
+from dataclasses import dataclass
+
+
+@dataclass
+class FakeRunResult:
+    """
+    Mimics your runner returning a structured result object.
+    """
+    returncode: int
+    stdout: str
+    stderr: str = ""
+
+
+class FakeRunner:
+    """
+    Minimal runner stub: returns exactly what we configure.
+    """
+    def __init__(self, result):
+        self._result = result
+
+    def run(self, ctx, cmd: str, allow_failure: bool = False):
+        return self._result
+
+
+class TestE2ENixProfileListJsonParsing(unittest.TestCase):
+    """
+    This test verifies that NixProfileInspector can parse `nix profile list --json`
+    regardless of whether the CommandRunner returns:
+      - raw stdout string, OR
+      - a RunResult-like object with a `.stdout` attribute.
+    """
+
+    def test_list_json_accepts_raw_string(self) -> None:
+        from pkgmgr.actions.install.installers.nix.profile import NixProfileInspector
+
+        payload = {"elements": {"pkgmgr-1": {"attrPath": "packages.x86_64-linux.pkgmgr"}}}
+        raw = json.dumps(payload)
+
+        runner = FakeRunner(raw)
+        inspector = NixProfileInspector()
+
+        data = inspector.list_json(ctx=None, runner=runner)
+        self.assertEqual(data["elements"]["pkgmgr-1"]["attrPath"], "packages.x86_64-linux.pkgmgr")
+
+    def test_list_json_accepts_runresult_object(self) -> None:
+        from pkgmgr.actions.install.installers.nix.profile import NixProfileInspector
+
+        payload = {"elements": {"pkgmgr-1": {"attrPath": "packages.x86_64-linux.pkgmgr"}}}
+        raw = json.dumps(payload)
+
+        runner = FakeRunner(FakeRunResult(returncode=0, stdout=raw))
+        inspector = NixProfileInspector()
+
+        data = inspector.list_json(ctx=None, runner=runner)
+        self.assertEqual(data["elements"]["pkgmgr-1"]["attrPath"], "packages.x86_64-linux.pkgmgr")
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/integration/test_recursive_capabilities.py

@@ -23,7 +23,7 @@ from unittest.mock import patch
 import pkgmgr.actions.install as install_mod
 from pkgmgr.actions.install import install_repos
 from pkgmgr.actions.install.installers.makefile import MakefileInstaller
-from pkgmgr.actions.install.installers.nix_flake import NixFlakeInstaller
+from pkgmgr.actions.install.installers.nix import NixFlakeInstaller
 from pkgmgr.actions.install.installers.os_packages.arch_pkgbuild import (
     ArchPkgbuildInstaller,
 )

tests/integration/test_repository_paths_exist.py

@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+import os
+import unittest
+from pathlib import Path
+
+from pkgmgr.core.repository.paths import resolve_repo_paths
+
+
+def _find_repo_root() -> Path:
+    """
+    Locate the pkgmgr repository root from the test location.
+
+    Assumes:
+      repo_root/
+        src/pkgmgr/...
+        tests/integration/...
+    """
+    here = Path(__file__).resolve()
+    for parent in here.parents:
+        if (parent / "pyproject.toml").is_file() and (parent / "src" / "pkgmgr").is_dir():
+            return parent
+    raise RuntimeError("Could not determine repository root for pkgmgr integration test")
+
+
+class TestRepositoryPathsExist(unittest.TestCase):
+    """
+    Integration test: pkgmgr is the TEMPLATE repository.
+    All canonical paths resolved for pkgmgr must exist.
+    """
+
+    def test_pkgmgr_repository_paths_exist(self) -> None:
+        repo_root = _find_repo_root()
+        paths = resolve_repo_paths(str(repo_root))
+
+        missing: list[str] = []
+
+        def require(path: str | None, description: str) -> None:
+            if not path:
+                missing.append(f"{description}: <not resolved>")
+                return
+            if not os.path.isfile(path):
+                missing.append(f"{description}: {path} (missing)")
+
+        # Core metadata
+        require(paths.pyproject_toml, "pyproject.toml")
+        require(paths.flake_nix, "flake.nix")
+
+        # Human changelog
+        require(paths.changelog_md, "CHANGELOG.md")
+
+        # Packaging files (pkgmgr defines the template)
+        require(paths.arch_pkgbuild, "Arch PKGBUILD")
+        require(paths.debian_changelog, "Debian changelog")
+        require(paths.rpm_spec, "RPM spec file")
+
+        if missing:
+            self.fail(
+                "pkgmgr repository does not satisfy the canonical repository layout:\n"
+                + "\n".join(f"  - {item}" for item in missing)
+            )
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/unit/pkgmgr/actions/install/installers/nix/_fakes.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any, Optional
+
+
+@dataclass
+class FakeRunResult:
+    returncode: int
+    stdout: str = ""
+    stderr: str = ""
+
+
+class FakeRunner:
+    """
+    Minimal runner stub compatible with:
+      - CommandRunner.run(ctx, cmd, allow_failure=...)
+      - Generic runner.run(ctx, cmd, allow_failure=...)
+    """
+
+    def __init__(self, mapping: Optional[dict[str, Any]] = None, default: Any = None):
+        self.mapping = mapping or {}
+        self.default = default if default is not None else FakeRunResult(0, "", "")
+        self.calls: list[tuple[Any, str, bool]] = []
+
+    def run(self, ctx, cmd: str, allow_failure: bool = False):
+        self.calls.append((ctx, cmd, allow_failure))
+        return self.mapping.get(cmd, self.default)
+
+
+class FakeRetry:
+    """
+    Mimics GitHubRateLimitRetry.run_with_retry(ctx, runner, cmd)
+    """
+
+    def __init__(self, results: list[FakeRunResult]):
+        self._results = list(results)
+        self.calls: list[str] = []
+
+    def run_with_retry(self, ctx, runner, cmd: str):
+        self.calls.append(cmd)
+        if self._results:
+            return self._results.pop(0)
+        return FakeRunResult(0, "", "")

tests/unit/pkgmgr/actions/install/installers/nix/test_conflicts_resolver.py

@@ -0,0 +1,58 @@
+from __future__ import annotations
+
+import unittest
+
+from pkgmgr.actions.install.installers.nix.conflicts import NixConflictResolver
+from ._fakes import FakeRunResult, FakeRunner, FakeRetry
+
+
+class DummyCtx:
+    quiet = True
+
+
+class TestNixConflictResolver(unittest.TestCase):
+    def test_resolve_removes_tokens_and_retries_success(self) -> None:
+        ctx = DummyCtx()
+        install_cmd = "nix profile install /repo#default"
+
+        stderr = '''
+        error: An existing package already provides the following file:
+          /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-pkgmgr/bin/pkgmgr
+        '''
+
+        runner = FakeRunner(mapping={
+            "nix profile remove pkgmgr": FakeRunResult(0, "", ""),
+        })
+        retry = FakeRetry(results=[FakeRunResult(0, "", "")])
+
+        class FakeProfile:
+            def find_remove_tokens_for_store_prefixes(self, ctx, runner, prefixes):
+                return []
+            def find_remove_tokens_for_output(self, ctx, runner, output):
+                return ["pkgmgr"]
+
+        resolver = NixConflictResolver(runner=runner, retry=retry, profile=FakeProfile())
+        ok = resolver.resolve(ctx, install_cmd, stdout="", stderr=stderr, output="pkgmgr", max_rounds=2)
+        self.assertTrue(ok)
+        self.assertIn("nix profile remove pkgmgr", [c[1] for c in runner.calls])
+
+    def test_resolve_uses_textual_remove_tokens_last_resort(self) -> None:
+        ctx = DummyCtx()
+        install_cmd = "nix profile install /repo#default"
+
+        stderr = "hint: try:\n  nix profile remove 'pkgmgr-1'\n"
+        runner = FakeRunner(mapping={
+            "nix profile remove pkgmgr-1": FakeRunResult(0, "", ""),
+        })
+        retry = FakeRetry(results=[FakeRunResult(0, "", "")])
+
+        class FakeProfile:
+            def find_remove_tokens_for_store_prefixes(self, ctx, runner, prefixes):
+                return []
+            def find_remove_tokens_for_output(self, ctx, runner, output):
+                return []
+
+        resolver = NixConflictResolver(runner=runner, retry=retry, profile=FakeProfile())
+        ok = resolver.resolve(ctx, install_cmd, stdout="", stderr=stderr, output="pkgmgr", max_rounds=2)
+        self.assertTrue(ok)
+        self.assertIn("nix profile remove pkgmgr-1", [c[1] for c in runner.calls])

tests/unit/pkgmgr/actions/install/installers/nix/test_inspector.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+import json
+import unittest
+
+from pkgmgr.actions.install.installers.nix.profile import NixProfileInspector
+from ._fakes import FakeRunResult, FakeRunner
+
+
+class TestNixProfileInspector(unittest.TestCase):
+    def test_list_json_accepts_raw_string(self) -> None:
+        payload = {"elements": {"pkgmgr-1": {"attrPath": "packages.x86_64-linux.pkgmgr"}}}
+        raw = json.dumps(payload)
+        runner = FakeRunner(default=raw)
+        insp = NixProfileInspector()
+        data = insp.list_json(ctx=None, runner=runner)
+        self.assertEqual(data["elements"]["pkgmgr-1"]["attrPath"], "packages.x86_64-linux.pkgmgr")
+
+    def test_list_json_accepts_result_object(self) -> None:
+        payload = {"elements": {"pkgmgr-1": {"attrPath": "packages.x86_64-linux.pkgmgr"}}}
+        raw = json.dumps(payload)
+        runner = FakeRunner(default=FakeRunResult(0, stdout=raw))
+        insp = NixProfileInspector()
+        data = insp.list_json(ctx=None, runner=runner)
+        self.assertEqual(data["elements"]["pkgmgr-1"]["attrPath"], "packages.x86_64-linux.pkgmgr")
+
+    def test_find_remove_tokens_for_output_includes_output_first(self) -> None:
+        payload = {
+            "elements": {
+                "pkgmgr-1": {"name": "pkgmgr-1", "attrPath": "packages.x86_64-linux.pkgmgr"},
+                "default-1": {"name": "default-1", "attrPath": "packages.x86_64-linux.default"},
+            }
+        }
+        raw = json.dumps(payload)
+        runner = FakeRunner(default=FakeRunResult(0, stdout=raw))
+        insp = NixProfileInspector()
+        tokens = insp.find_remove_tokens_for_output(ctx=None, runner=runner, output="pkgmgr")
+        self.assertEqual(tokens[0], "pkgmgr")
+        self.assertIn("pkgmgr-1", tokens)
+
+    def test_find_remove_tokens_for_store_prefixes(self) -> None:
+        payload = {
+            "elements": {
+                "pkgmgr-1": {
+                    "name": "pkgmgr-1",
+                    "attrPath": "packages.x86_64-linux.pkgmgr",
+                    "storePaths": ["/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-pkgmgr"],
+                },
+                "something": {
+                    "name": "other",
+                    "attrPath": "packages.x86_64-linux.other",
+                    "storePaths": ["/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-other"],
+                },
+            }
+        }
+        raw = json.dumps(payload)
+        runner = FakeRunner(default=FakeRunResult(0, stdout=raw))
+        insp = NixProfileInspector()
+        tokens = insp.find_remove_tokens_for_store_prefixes(
+            ctx=None, runner=runner, prefixes=["/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-pkgmgr"]
+        )
+        self.assertIn("pkgmgr-1", tokens)