Release version 1.4.1

**Replace main.py with module-based entry point and unify CLI execution**
* Remove legacy *main.py* and introduce *pkgmgr* module entry via *python -m pkgmgr* * Add ***main**.py* as the canonical entry point delegating to the CLI * Export *PYTHONPATH=src* in Makefile to ensure reliable imports in dev and CI * Update setup scripts (venv & nix) to use module execution * Refactor all E2E tests to execute the real module entry instead of file paths This aligns pkgmgr with standard Python packaging practices and simplifies testing, setup, and execution across environments. https://chatgpt.com/share/693c9056-716c-800f-b583-fc9245eab2b4
2025-12-12 23:06:15 +01:00 · 2025-12-12 22:59:46 +01:00 · 2025-12-12 22:50:33 +01:00 · 2025-12-12 22:20:07 +01:00 · 2025-12-12 22:17:32 +01:00 · 2025-12-12 22:04:39 +01:00
116 changed files with 3399 additions and 1960 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,11 @@ jobs:
  test-integration:
    uses: ./.github/workflows/test-integration.yml
-  test-container:
+  test-env-virtual:
-    uses: ./.github/workflows/test-container.yml
+    uses: ./.github/workflows/test-env-virtual.yml
  test-env-nix:
    uses: ./.github/workflows/test-env-nix.yml
  test-e2e:
    uses: ./.github/workflows/test-e2e.yml
--- a/.github/workflows/mark-stable.yml
+++ b/.github/workflows/mark-stable.yml
@@ -14,8 +14,11 @@ jobs:
  test-integration:
    uses: ./.github/workflows/test-integration.yml
-  test-container:
+  test-env-virtual:
-    uses: ./.github/workflows/test-container.yml
+    uses: ./.github/workflows/test-env-virtual.yml
  test-env-nix:
    uses: ./.github/workflows/test-env-nix.yml
  test-e2e:
    uses: ./.github/workflows/test-e2e.yml
@@ -30,7 +33,8 @@ jobs:
    needs:
      - test-unit
      - test-integration
-      - test-container
+      - test-env-nix
      - test-env-virtual
      - test-e2e
      - test-virgin-user
      - test-virgin-root
--- a/.github/workflows/publish-containers.yml
+++ b/.github/workflows/publish-containers.yml
@@ -0,0 +1,66 @@
 name: Publish container images (GHCR)
 on:
  workflow_run:
    workflows: ["Mark stable commit"]
    types: [completed]
 jobs:
  publish:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository (with tags)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: Checkout workflow_run commit and refresh tags
        run: |
          set -euo pipefail
          git checkout -f "${{ github.event.workflow_run.head_sha }}"
          git fetch --tags --force
          git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20
      - name: Compute version and stable flag
        id: info
        run: |
          set -euo pipefail
          SHA="$(git rev-parse HEAD)"
          V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
          [[ -n "$V_TAG" ]] || { echo "No version tag found"; exit 1; }
          VERSION="${V_TAG#v}"
          STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
          IS_STABLE=false
          [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          use: true
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish all images
        run: |
          set -euo pipefail
          OWNER="${{ github.repository_owner }}" \
          VERSION="${{ steps.info.outputs.version }}" \
          IS_STABLE="${{ steps.info.outputs.is_stable }}" \
          bash scripts/build/publish.sh
--- a/.github/workflows/test-env-nix.yml
+++ b/.github/workflows/test-env-nix.yml
@@ -0,0 +1,26 @@
 name: Test Virgin Nix (flake only)
 on:
  workflow_call:
 jobs:
  test-env-nix:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Show Docker version
        run: docker version
      - name: Nix flake-only test (${{ matrix.distro }})
        run: |
          set -euo pipefail
          distro="${{ matrix.distro }}" make test-env-nix
--- a/.github/workflows/test-env-virtual.yml
+++ b/.github/workflows/test-env-virtual.yml
@@ -4,7 +4,7 @@ on:
  workflow_call:
 jobs:
-  test-container:
+  test-env-virtual:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
@@ -25,4 +25,4 @@ jobs:
      - name: Run container tests (${{ matrix.distro }})
        run: |
          set -euo pipefail
-          distro="${{ matrix.distro }}" make test-container
+          distro="${{ matrix.distro }}" make test-env-virtual
--- a/.github/workflows/test-virgin-root.yml
+++ b/.github/workflows/test-virgin-root.yml
@@ -7,6 +7,10 @@ jobs:
  test-virgin-root:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
    steps:
      - name: Checkout repository
@@ -15,44 +19,38 @@ jobs:
      - name: Show Docker version
        run: docker version
-      - name: Virgin Arch pkgmgr flake test (root)
+      # 🔹 BUILD virgin image if missing
      - name: Build virgin container (${{ matrix.distro }})
        run: |
          set -euo pipefail
          distro="${{ matrix.distro }}" make build-missing-virgin
-          echo ">>> Starting virgin ArchLinux container test (root, with shared caches)..."
+      # 🔹 RUN test inside virgin image
      - name: Virgin ${{ matrix.distro }} pkgmgr test (root)
        run: |
          set -euo pipefail
          docker run --rm \
            -v "$PWD":/src \
            -v pkgmgr_repos:/root/Repositories \
            -v pkgmgr_pip_cache:/root/.cache/pip \
            -w /src \
-            archlinux:latest \
+            "pkgmgr-${{ matrix.distro }}-virgin" \
            bash -lc '
              set -euo pipefail
-              echo ">>> Updating and upgrading Arch system..."
+              git config --global --add safe.directory /src
              pacman -Syu --noconfirm git python python-pip nix >/dev/null
-              echo ">>> Creating isolated virtual environment for pkgmgr..."
+              make install
-              python -m venv /tmp/pkgmgr-venv
+              make setup
-              echo ">>> Activating virtual environment..."
+              . "$HOME/.venvs/pkgmgr/bin/activate"
              source /tmp/pkgmgr-venv/bin/activate
              echo ">>> Upgrading pip (cached)..."
              python -m pip install --upgrade pip >/dev/null
              echo ">>> Installing pkgmgr from current source tree (cached pip)..."
              python -m pip install /src >/dev/null
              echo ">>> Enabling Nix experimental features..."
              export NIX_CONFIG="experimental-features = nix-command flakes"
              echo ">>> Running: pkgmgr update pkgmgr --clone-mode shallow --no-verification"
              pkgmgr update pkgmgr --clone-mode shallow --no-verification
              echo ">>> Running: pkgmgr version pkgmgr"
              pkgmgr version pkgmgr
-              echo ">>> Virgin Arch (root) test completed successfully."
+              echo ">>> Running Nix-based: nix run .#pkgmgr -- version pkgmgr"
              nix run /src#pkgmgr -- version pkgmgr
            '
--- a/.github/workflows/test-virgin-user.yml
+++ b/.github/workflows/test-virgin-user.yml
@@ -7,6 +7,10 @@ jobs:
  test-virgin-user:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
        distro: [arch, debian, ubuntu, fedora, centos]
    steps:
      - name: Checkout repository
@@ -15,59 +19,47 @@ jobs:
      - name: Show Docker version
        run: docker version
-      - name: Virgin Arch pkgmgr user test (non-root with sudo)
+      # 🔹 BUILD virgin image if missing
      - name: Build virgin container (${{ matrix.distro }})
        run: |
          set -euo pipefail
          distro="${{ matrix.distro }}" make build-missing-virgin
      # 🔹 RUN test inside virgin image as non-root
      - name: Virgin ${{ matrix.distro }} pkgmgr test (user)
        run: |
          set -euo pipefail
          echo ">>> Starting virgin ArchLinux container test (non-root user with sudo)..."
          docker run --rm \
            -v "$PWD":/src \
-            archlinux:latest \
+            -w /src \
            "pkgmgr-${{ matrix.distro }}-virgin" \
            bash -lc '
              set -euo pipefail
-              echo ">>> [root] Updating and upgrading Arch system..."
+              make install
              pacman -Syu --noconfirm git python python-pip sudo base-devel debugedit
              echo ">>> [root] Creating non-root user dev..."
              useradd -m dev
              echo ">>> [root] Allowing passwordless sudo for dev..."
              echo "dev ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/dev
              chmod 0440 /etc/sudoers.d/dev
              echo ">>> [root] Adjusting ownership of /src for dev..."
              chown -R dev:dev /src
-              echo ">>> [root] Running pkgmgr flow as non-root user dev..."
+              mkdir -p /nix/store /nix/var/nix /nix/var/log/nix /nix/var/nix/profiles
-              sudo -u dev env PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 bash -lc "
+              chown -R dev:dev /nix
              chmod 0755 /nix
              chmod 1777 /nix/store
              sudo -H -u dev env HOME=/home/dev PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 bash -lc "
                set -euo pipefail
                cd /src
-                echo \">>> [dev] Using user: \$(whoami)\"
+                make setup-venv
                echo \">>> [dev] Running scripts/installation/main.sh...\"
                bash scripts/installation/main.sh
                echo \">>> [dev] Activating venv...\"
                . \"\$HOME/.venvs/pkgmgr/bin/activate\"
                echo \">>> [dev] Installing pkgmgr into venv via pip...\"
                python -m pip install /src >/dev/null
                echo \">>> [dev] PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=\$PKGMGR_DISABLE_NIX_FLAKE_INSTALLER\"
                echo \">>> [dev] Updating managed repo package-manager via pkgmgr...\"
                pkgmgr update pkgmgr --clone-mode shallow --no-verification
                echo \">>> [dev] PATH:\"
                echo \"\$PATH\"
                echo \">>> [dev] which pkgmgr:\"
                which pkgmgr || echo \">>> [dev] pkgmgr not found in PATH\"
                echo \">>> [dev] Running: pkgmgr version pkgmgr\"
                pkgmgr version pkgmgr
              "
-              echo ">>> [root] Container flow finished."
+                export NIX_REMOTE=local
                export NIX_CONFIG=\"experimental-features = nix-command flakes\"
                nix run /src#pkgmgr -- version pkgmgr
              "
            '
--- a/.gitignore
+++ b/.gitignore
@@ -27,8 +27,9 @@ Thumbs.db
 # Nix Cache to speed up tests
 .nix/
 .nix-dev-installed
 flake.lock
 # Ignore logs
 *.log
-result
+result
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,68 @@
 ## [1.4.1] - 2025-12-12
 * Fixed (#1) stable release container publishing
 ## [1.4.0] - 2025-12-12
 * **Docker Container Building**
 * New official container images are automatically published on each release.
 * Images are available per distribution and as a default Arch-based image.
 * Stable releases now provide an additional `stable` container tag.
 ## [1.3.1] - 2025-12-12
 * Updated documentation with better run and installation instructions
 ## [1.3.0] - 2025-12-12
 * **Minor release – Stability & CI hardening**
 * Stabilized Nix resolution and global symlink handling across Arch, CentOS, Debian, and Ubuntu
 * Ensured Nix works reliably in CI, sudo, login, and non-login shells without overriding distro-managed paths
 * Improved error handling and deterministic behavior for non-root environments
 * Refactored Docker and CI workflows for reproducible multi-distro virgin tests
 * Made E2E tests more realistic by executing real CLI commands
 * Fixed Python compatibility and missing dependencies on affected distros
 ## [1.2.1] - 2025-12-12
 * **Changed**
 * Split container tests into *virtualenv* and *Nix flake* environments to clearly separate Python and Nix responsibilities.
 **Fixed**
 * Fixed Nix installer permission issues when running under a different user in containers.
 * Improved reliability of post-install Nix initialization across all distro packages.
 **CI**
 * Replaced generic container tests with explicit environment checks.
 * Validate Nix availability via *nix flake* tests instead of Docker build-time side effects.
 ## [1.2.0] - 2025-12-12
 * **Release workflow overhaul**
 * Introduced a fully structured release workflow with clear phases and safeguards
 * Added preview-first releases with explicit confirmation before execution
 * Automatic handling of *latest* tag when a release is the newest version
 * Optional branch closing after successful releases with interactive confirmation
 * Improved safety by syncing with remote before any changes
 * Clear separation of concerns (workflow, git handling, prompts, versioning)
 ## [1.1.0] - 2025-12-12
 * Added *branch drop* for destructive branch deletion and introduced *--force/-f* flags for branch close and branch drop to skip confirmation prompts.
 ## [1.0.0] - 2025-12-11
 * **1.0.0 – Official Stable Release 🎉**
--- a/85
+++ b/85
@@ -1,61 +1,58 @@
 # syntax=docker/dockerfile:1
 # ------------------------------------------------------------
-# Base image selector — overridden by Makefile
+# Base image selector — overridden by build args / Makefile
 # ------------------------------------------------------------
 ARG BASE_IMAGE
 FROM ${BASE_IMAGE}
-RUN echo "BASE_IMAGE=${BASE_IMAGE}" && \
+# ============================================================
-    cat /etc/os-release || true
+# Target: virgin
 # - installs distro deps (incl. make)
 # - no pkgmgr build
 # - no entrypoint
 # ============================================================
 FROM ${BASE_IMAGE} AS virgin
 SHELL ["/bin/bash", "-lc"]
-# ------------------------------------------------------------
+RUN echo "BASE_IMAGE=${BASE_IMAGE}" && cat /etc/os-release || true
 # Nix environment defaults
 #
 # Nix itself is installed by your system packages (via init-nix.sh).
 # Here we only define default configuration options.
 # ------------------------------------------------------------
 ENV NIX_CONFIG="experimental-features = nix-command flakes"
 # ------------------------------------------------------------
 # Unprivileged user for Arch package build (makepkg)
 # ------------------------------------------------------------
 RUN useradd -m aur_builder || true
 # ------------------------------------------------------------
 # Copy scripts and install distro dependencies
 # ------------------------------------------------------------
 WORKDIR /build
-# Copy only scripts first so dependency installation can run early
+# Copy scripts first so dependency installation can be cached
-COPY scripts/ scripts/
+COPY scripts/installation/ scripts/installation/
 RUN find scripts -type f -name '*.sh' -exec chmod +x {} \;
-# Install distro-specific build dependencies (and AUR builder on Arch)
+# Install distro-specific build dependencies (including make)
-RUN scripts/installation/run-dependencies.sh
+RUN bash scripts/installation/dependencies.sh
-# ------------------------------------------------------------
+# Virgin default
-# Select distro-specific Docker entrypoint
+CMD ["bash"]
 # ------------------------------------------------------------
 # Docker entrypoint (distro-agnostic, nutzt run-package.sh)
 # ------------------------------------------------------------
 COPY scripts/docker/entry.sh /usr/local/bin/docker-entry.sh
 RUN chmod +x /usr/local/bin/docker-entry.sh
-# ------------------------------------------------------------
+
-# Build and install distro-native package-manager package
+# ============================================================
-# via Makefile `install` target (calls scripts/installation/run-package.sh)
+# Target: full
-# ------------------------------------------------------------
+# - inherits from virgin
 # - builds + installs pkgmgr
 # - sets entrypoint + default cmd
 # ============================================================
 FROM virgin AS full
 # Nix environment defaults (only config; nix itself comes from deps/install flow)
 ENV NIX_CONFIG="experimental-features = nix-command flakes"
 WORKDIR /build
 # Copy full repository for build
 COPY . .
 RUN find scripts -type f -name '*.sh' -exec chmod +x {} \;
-RUN set -e; \
+# Build and install distro-native package-manager package
-    echo "Building and installing package-manager via make install..."; \
+RUN set -euo pipefail; \
-    make install; \
+  echo "Building and installing package-manager via make install..."; \
-    rm -rf /build
+  make install; \
  cd /; rm -rf /build
 # Entry point
 COPY scripts/docker/entry.sh /usr/local/bin/docker-entry.sh
 # ------------------------------------------------------------
 # Runtime working directory and dev entrypoint
 # ------------------------------------------------------------
 WORKDIR /src
 ENTRYPOINT ["/usr/local/bin/docker-entry.sh"]
 CMD ["pkgmgr", "--help"]
--- a/75
+++ b/75
@@ -1,9 +1,12 @@
-.PHONY: install setup uninstall \
+.PHONY: install uninstall \
-        test build build-no-cache test-unit test-e2e test-integration \
+        build build-no-cache build-no-cache-all build-missing \
-        test-container
+		delete-volumes purge \
        test test-unit test-e2e test-integration test-env-virtual test-env-nix \
 		setup setup-venv setup-nix
 # Distro
 # Options: arch debian ubuntu fedora centos
 DISTROS ?= arch debian ubuntu fedora centos
 distro ?= arch
 export distro
@@ -27,21 +30,53 @@ export BASE_IMAGE_CENTOS
 # PYthon Unittest Pattern
 TEST_PATTERN	:= test_*.py
 export TEST_PATTERN
 export PYTHONPATH := src
 # ------------------------------------------------------------
-# PKGMGR setup (developer wrapper -> scripts/installation/main.sh)
+# System install
 # ------------------------------------------------------------
-setup:
+install:
-	@bash scripts/installation/main.sh
+	@echo "Building and installing distro-native package-manager for this system..."
 	@bash scripts/installation/init.sh
 # ------------------------------------------------------------
 # PKGMGR setup
 # ------------------------------------------------------------
 # Default: keep current auto-detection behavior
 setup: setup-nix setup-venv
 # Explicit: developer setup (Python venv + shell RC + install)
 setup-venv: setup-nix
 	@bash scripts/setup/venv.sh
 # Explicit: Nix shell mode (no venv, no RC changes)
 setup-nix:
 	@bash scripts/setup/nix.sh
 # ------------------------------------------------------------
 # Docker build targets (delegated to scripts/build)
 # ------------------------------------------------------------
 build-no-cache:
 	@bash scripts/build/build-image-no-cache.sh
 build:
-	@bash scripts/build/build-image.sh
+	@bash scripts/build/image.sh --target virgin
 	@bash scripts/build/image.sh
 build-missing-virgin:
 	@bash scripts/build/image.sh --target virgin --missing
 build-missing: build-missing-virgin
 	@bash scripts/build/image.sh --missing
 build-no-cache:
 	@bash scripts/build/image.sh --target virgin --no-cache
 	@bash scripts/build/image.sh --no-cache
 build-no-cache-all:
 	@set -e; \
 	for d in $(DISTROS); do \
 	  echo "=== build-no-cache: $$d ==="; \
 	  distro="$$d" $(MAKE) build-no-cache; \
 	done
 # ------------------------------------------------------------
 # Test targets (delegated to scripts/test)
@@ -56,30 +91,20 @@ test-integration: build-missing
 test-e2e: build-missing
 	@bash scripts/test/test-e2e.sh
-test-container: build-missing
+test-env-virtual: build-missing
-	@bash scripts/test/test-container.sh
+	@bash scripts/test/test-env-virtual.sh
-# ------------------------------------------------------------
+test-env-nix: build-missing
-# Build only missing container images
+	@bash scripts/test/test-env-nix.sh
 # ------------------------------------------------------------
 build-missing:
 	@bash scripts/build/build-image-missing.sh
 # Combined test target for local + CI (unit + integration + e2e)
-test: test-container test-unit test-integration test-e2e
+test: test-env-virtual test-unit test-integration test-e2e
 delete-volumes: 
 	@docker volume rm pkgmgr_nix_store_${distro} pkgmgr_nix_cache_${distro} || true
 purge: delete-volumes build-no-cache
 # ------------------------------------------------------------
 # System install (native packages, calls scripts/installation/run-package.sh)
 # ------------------------------------------------------------
 install:
 	@echo "Building and installing distro-native package-manager for this system..."
 	@bash scripts/installation/run-package.sh
 # ------------------------------------------------------------
 # Uninstall target
 # ------------------------------------------------------------
--- a/README.md
+++ b/README.md
@@ -1,13 +1,16 @@
 # Package Manager 🤖📦
 ![PKGMGR Banner](assets/banner.jpg)
 [![GitHub Sponsors](https://img.shields.io/badge/Sponsor-GitHub%20Sponsors-blue?logo=github)](https://github.com/sponsors/kevinveenbirkenbach)
 [![Patreon](https://img.shields.io/badge/Support-Patreon-orange?logo=patreon)](https://www.patreon.com/c/kevinveenbirkenbach)
 [![Buy Me a Coffee](https://img.shields.io/badge/Buy%20me%20a%20Coffee-Funding-yellow?logo=buymeacoffee)](https://buymeacoffee.com/kevinveenbirkenbach)
 [![PayPal](https://img.shields.io/badge/Donate-PayPal-blue?logo=paypal)](https://s.veen.world/paypaldonate)
 [![GitHub license](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![GitHub repo size](https://img.shields.io/github/repo-size/kevinveenbirkenbach/package-manager)](https://github.com/kevinveenbirkenbach/package-manager)
 [![Mark stable commit](https://github.com/kevinveenbirkenbach/package-manager/actions/workflows/mark-stable.yml/badge.svg)](https://github.com/kevinveenbirkenbach/package-manager/actions/workflows/mark-stable.yml)
-**Kevin's Package Manager (PKGMGR)** is a *multi-distro* package manager and workflow orchestrator.
+[**Kevin's Package Manager (PKGMGR)**](https://s.veen.world/pkgmgr) is a *multi-distro* package manager and workflow orchestrator.
 It helps you **develop, package, release and manage projects across multiple Linux-based
 operating systems** (Arch, Debian, Ubuntu, Fedora, CentOS, …).
@@ -96,55 +99,93 @@ The following diagram gives a full overview of:
 ![PKGMGR Architecture](assets/map.png)
-**Diagram status:** 11 December 2025
+**Diagram status:** 12 December 2025
 **Always-up-to-date version:** [https://s.veen.world/pkgmgrmp](https://s.veen.world/pkgmgrmp)
 ---
 Perfekt, dann hier die **noch kompaktere und korrekt differenzierte Version**, die **nur** zwischen
 **`make setup`** und **`make setup-venv`** unterscheidet und exakt deinem Verhalten entspricht.
 README-ready, ohne Over-Engineering.
 ---
 ## Installation ⚙️
-### 1. Get the latest stable version
+PKGMGR can be installed using `make`.
 The setup mode defines **which runtime layers are prepared**.
-For a stable setup, use the **latest tagged release** (the tag pointed to by
+---
-`latest`):
+
 ### Dependency installation (optional)
 System dependencies required **before running any *make* commands** are installed via:
 ```
 scripts/installation/dependencies.sh
 ```
 The script detects and normalizes the OS and installs the required **system-level dependencies** accordingly.
 ---
 ### Setup modes
 | Command             | Prepares                | Use case              |
 | ------------------- | ----------------------- | --------------------- |
 | **make setup**      | Python venv **and** Nix | Full development & CI |
 | **make setup-venv** | Python venv only        | Local user setup      |
 ---
 ### Install & setup
 ```bash
 git clone https://github.com/kevinveenbirkenbach/package-manager.git
 cd package-manager
 # Optional but recommended: checkout the latest stable tag
 git fetch --tags
 git checkout "$(git describe --tags --abbrev=0)"
 ```
 ### 2. Install via Make
 The project ships with a Makefile that encapsulates the typical installation
 flow. On most systems you only need:
 ```bash
 # Ensure make, Python and pip are installed via your distro package manager
 # (e.g. pacman -S make python python-pip, apt install make python3-pip, ...)
 make install
 ```
-This will:
+#### Full setup (venv + Nix)
 * create or reuse a Python virtual environment,
 * install PKGMGR (and its Python dependencies) into that environment,
 * expose the `pkgmgr` executable on your PATH (usually via `~/.local/bin`),
 * prepare Nix-based integration where available so PKGMGR can build and manage
  packages distribution-independently.
 For development use, you can also run:
 ```bash
 make setup
 ```
-which prepares the environment and leaves you with a fully wired development
+Use this for CI, servers, containers and full development workflows.
-workspace (including Nix, tests and scripts).
+
 #### Venv-only setup
 ```bash
 make setup-venv
 source ~/.venvs/pkgmgr/bin/activate
 ```
 Use this if you want PKGMGR isolated without Nix integration.
 ---
 ## Run without installation (Nix)
 Run PKGMGR directly via Nix Flakes.
 ```bash
 nix run github:kevinveenbirkenbach/package-manager#pkgmgr -- --help
 ```
 Example:
 ```bash
 nix run github:kevinveenbirkenbach/package-manager#pkgmgr -- version pkgmgr
 ```
 Notes:
 * full flake URL required
 * `--` separates Nix and PKGMGR arguments
 * can be used alongside any setup mode
 ---
@@ -156,21 +197,9 @@ After installation, the main entry point is:
 pkgmgr --help
 ```
-This prints a list of all available subcommands, for example:
+This prints a list of all available subcommands.
 * `pkgmgr list --all` – show all repositories in the config
 * `pkgmgr update --all --clone-mode https` – update every repository
 * `pkgmgr release patch --preview` – simulate a patch release
 * `pkgmgr version --all` – show version information for all repositories
 * `pkgmgr mirror setup --preview --all` – prepare Git mirrors (no changes in preview)
 * `pkgmgr make install --preview pkgmgr` – preview make install for the pkgmgr repo
 The help for each command is available via:
 ```bash
 pkgmgr <command> --help
 ```
 ---
 ## License 📄
--- a/_requirements.txt
+++ b/_requirements.txt
@@ -1,4 +0,0 @@
 # Legacy file used only if pip still installs from requirements.txt.
 # You may delete this file once you switch entirely to pyproject.toml.
 PyYAML
--- a/assets/banner.jpg
+++ b/assets/banner.jpg
--- a/assets/map.png
+++ b/assets/map.png
--- a/flake.lock
+++ b/flake.lock
@@ -1,27 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1765186076,
        "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@@ -36,7 +36,7 @@
        rec {
          pkgmgr = pyPkgs.buildPythonApplication {
            pname   = "package-manager";
-            version = "1.0.0";
+            version = "1.4.1";
            # Use the git repo as source
            src = ./.;
--- a/main.py
+++ b/main.py
@@ -1,14 +0,0 @@
 #!/usr/bin/env python3
 import sys
 from pathlib import Path
 # Ensure local src/ overrides installed package
 ROOT = Path(__file__).resolve().parent
 SRC = ROOT / "src"
 if SRC.is_dir():
    sys.path.insert(0, str(SRC))
 from pkgmgr.cli import main
 if __name__ == "__main__":
    main()
--- a/packaging/arch/PKGBUILD
+++ b/packaging/arch/PKGBUILD
@@ -50,9 +50,10 @@ package() {
  install -Dm0755 "scripts/pkgmgr-wrapper.sh" \
    "$pkgdir/usr/bin/pkgmgr"
-  # Install Nix init helper
+  # Install Nix bootstrap (init + lib)
-  install -Dm0755 "scripts/init-nix.sh" \
+  install -d "$pkgdir/usr/lib/package-manager/nix"
-    "$pkgdir/usr/lib/package-manager/init-nix.sh"
+  cp -a scripts/nix/* "$pkgdir/usr/lib/package-manager/nix/"
  chmod 0755 "$pkgdir/usr/lib/package-manager/nix/init.sh"
  # Install the full repository into /usr/lib/package-manager
  mkdir -p "$pkgdir/usr/lib/package-manager"
--- a/packaging/arch/package-manager.install
+++ b/packaging/arch/package-manager.install
@@ -1,9 +1,9 @@
 post_install() {
-  /usr/lib/package-manager/init-nix.sh || true
+  /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
 }
 post_upgrade() {
-  /usr/lib/package-manager/init-nix.sh || true
+  /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
 }
 post_remove() {
--- a/packaging/debian/postinst
+++ b/packaging/debian/postinst
@@ -3,11 +3,7 @@ set -e
 case "$1" in
    configure)
-        if [ -x /usr/lib/package-manager/init-nix.sh ]; then
+        /usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
            /usr/lib/package-manager/init-nix.sh || true
        else
            echo ">>> Warning: /usr/lib/package-manager/init-nix.sh not found or not executable."
        fi
        ;;
 esac
--- a/packaging/debian/rules
+++ b/packaging/debian/rules
@@ -20,7 +20,7 @@ override_dh_auto_test:
 	:
 # ---------------------------------------------------------------------------
-# Install phase: copy wrapper + init script + full project source
+# Install phase: copy wrapper + Nix bootstrap (init + lib) + full project source
 # ---------------------------------------------------------------------------
 override_dh_auto_install:
 	# Create target directories
@@ -31,9 +31,11 @@ override_dh_auto_install:
 	install -m0755 scripts/pkgmgr-wrapper.sh \
 		debian/package-manager/usr/bin/pkgmgr
-	# Install shared Nix init script
+	# Install Nix bootstrap (init + lib)
-	install -m0755 scripts/init-nix.sh \
+	install -d debian/package-manager/usr/lib/package-manager/nix
-		debian/package-manager/usr/lib/package-manager/init-nix.sh
+	cp -a scripts/nix/* \
 		debian/package-manager/usr/lib/package-manager/nix/
 	chmod 0755 debian/package-manager/usr/lib/package-manager/nix/init.sh
 	# Copy full project source into /usr/lib/package-manager,
 	# but do not include the debian/ directory itself.
--- a/packaging/fedora/package-manager.spec
+++ b/packaging/fedora/package-manager.spec
@@ -12,7 +12,7 @@ BuildArch:      noarch
 # NOTE:
 # Nix is a runtime requirement, but it is *not* declared here as a hard
 # RPM dependency, because many distributions do not ship a "nix" RPM.
-# Instead, Nix is installed and initialized by init-nix.sh, which is
+# Instead, Nix is installed and initialized by nix/init.sh, which is
 # called in the %post scriptlet below.
 %description
@@ -22,7 +22,7 @@ manager via a local Nix flake:
  nix run /usr/lib/package-manager#pkgmgr -- ...
 Nix is a runtime requirement and is installed/initialized by the
-init-nix.sh helper during package installation if it is not yet
+nix/init.sh helper during package installation if it is not yet
 available on the system.
 %prep
@@ -34,8 +34,8 @@ available on the system.
 %install
 rm -rf %{buildroot}
 install -d %{buildroot}%{_bindir}
 # Install project tree into a fixed, architecture-independent location.
 install -d %{buildroot}/usr/lib/package-manager
 # Copy full project source into /usr/lib/package-manager
@@ -44,8 +44,10 @@ cp -a . %{buildroot}/usr/lib/package-manager/
 # Wrapper
 install -m0755 scripts/pkgmgr-wrapper.sh %{buildroot}%{_bindir}/pkgmgr
-# Shared Nix init script (ensure it is executable in the installed tree)
+# Nix bootstrap (init + lib)
-install -m0755 scripts/init-nix.sh %{buildroot}/usr/lib/package-manager/init-nix.sh
+install -d %{buildroot}/usr/lib/package-manager/nix
 cp -a scripts/nix/* %{buildroot}/usr/lib/package-manager/nix/
 chmod 0755 %{buildroot}/usr/lib/package-manager/nix/init.sh
 # Remove packaging-only and development artefacts from the installed tree
 rm -rf \
@@ -60,12 +62,7 @@ rm -rf \
  %{buildroot}/usr/lib/package-manager/.gitkeep || true
 %post
-# Initialize Nix (if needed) after installing the package-manager files.
+/usr/lib/package-manager/nix/init.sh || echo ">>> ERROR: /usr/lib/package-manager/nix/init.sh not found or not executable."
 if [ -x /usr/lib/package-manager/init-nix.sh ]; then
    /usr/lib/package-manager/init-nix.sh || true
 else
    echo ">>> Warning: /usr/lib/package-manager/init-nix.sh not found or not executable."
 fi
 %postun
 echo ">>> package-manager removed. Nix itself was not removed."
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,10 +7,10 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "package-manager"
-version = "1.0.0"
+version = "1.4.1"
 description = "Kevin's package-manager tool (pkgmgr)"
 readme = "README.md"
-requires-python = ">=3.11"
+requires-python = ">=3.9"
 license = { text = "MIT" }
 authors = [
--- a/scripts/build/resolve-base-image.sh
+++ b/scripts/build/resolve-base-image.sh
@@ -1,18 +1,20 @@
 #!/usr/bin/env bash
 set -euo pipefail
 : "${BASE_IMAGE_ARCH:=archlinux:latest}"
 : "${BASE_IMAGE_DEBIAN:=debian:stable-slim}"
 : "${BASE_IMAGE_UBUNTU:=ubuntu:latest}"
 : "${BASE_IMAGE_FEDORA:=fedora:latest}"
 : "${BASE_IMAGE_CENTOS:=quay.io/centos/centos:stream9}"
 resolve_base_image() {
  local distro="$1"
  case "$distro" in
    arch)   echo "$BASE_IMAGE_ARCH" ;;
    debian) echo "$BASE_IMAGE_DEBIAN" ;;
    ubuntu) echo "$BASE_IMAGE_UBUNTU" ;;
    fedora) echo "$BASE_IMAGE_FEDORA" ;;
    centos) echo "$BASE_IMAGE_CENTOS" ;;
-    *)
+    *) echo "ERROR: Unknown distro '$distro'" >&2; exit 1 ;;
      echo "ERROR: Unknown distro '$distro'" >&2
      exit 1
      ;;
  esac
 }
--- a/scripts/build/build-image-missing.sh
+++ b/scripts/build/build-image-missing.sh
@@ -1,24 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/resolve-base-image.sh"
 IMAGE="package-manager-test-$distro"
 BASE_IMAGE="$(resolve_base_image "$distro")"
 if docker image inspect "$IMAGE" >/dev/null 2>&1; then
    echo "[build-missing] Image already exists: $IMAGE (skipping)"
    exit 0
 fi
 echo
 echo "------------------------------------------------------------"
 echo "[build-missing] Building missing image: $IMAGE"
 echo "BASE_IMAGE = $BASE_IMAGE"
 echo "------------------------------------------------------------"
 docker build \
    --build-arg BASE_IMAGE="$BASE_IMAGE" \
    -t "$IMAGE" \
    .
--- a/scripts/build/build-image-no-cache.sh
+++ b/scripts/build/build-image-no-cache.sh
@@ -1,15 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/resolve-base-image.sh"
 base_image="$(resolve_base_image "$distro")"
 echo ">>> Building test image for distro '$distro' with NO CACHE (BASE_IMAGE=$base_image)..."
 docker build \
  --no-cache \
  --build-arg BASE_IMAGE="$base_image" \
  -t "package-manager-test-$distro" \
  .
--- a/scripts/build/build-image.sh
+++ b/scripts/build/build-image.sh
@@ -1,14 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/resolve-base-image.sh"
 base_image="$(resolve_base_image "$distro")"
 echo ">>> Building test image for distro '$distro' (BASE_IMAGE=$base_image)..."
 docker build \
  --build-arg BASE_IMAGE="$base_image" \
  -t "package-manager-test-$distro" \
  .
--- a/scripts/build/image.sh
+++ b/scripts/build/image.sh
@@ -0,0 +1,225 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "${SCRIPT_DIR}/base.sh"
 : "${distro:?Environment variable 'distro' must be set (arch|debian|ubuntu|fedora|centos)}"
 NO_CACHE=0
 MISSING_ONLY=0
 TARGET=""
 IMAGE_TAG=""         # local image name or base tag (without registry)
 PUSH=0               # if 1 -> use buildx and push (requires docker buildx)
 PUBLISH=0            # if 1 -> push with semantic tags (latest/version/stable + arch aliases)
 REGISTRY=""          # e.g. ghcr.io
 OWNER=""             # e.g. github org/user
 REPO_PREFIX="pkgmgr" # image base name (pkgmgr)
 VERSION=""           # X.Y.Z (required for --publish)
 IS_STABLE="false"    # "true" -> publish stable tags
 DEFAULT_DISTRO="arch"
 usage() {
  local default_tag="pkgmgr-${distro}"
  if [[ -n "${TARGET:-}" ]]; then
    default_tag="${default_tag}-${TARGET}"
  fi
  cat <<EOF
 Usage: distro=<distro> $0 [options]
 Build options:
  --missing             Build only if the image does not already exist (local build only)
  --no-cache            Build with --no-cache
  --target <name>       Build a specific Dockerfile target (e.g. virgin)
  --tag <image>         Override the output image tag (default: ${default_tag})
 Publish options:
  --push                Push the built image (uses docker buildx build --push)
  --publish             Publish semantic tags (latest, <version>, optional stable) + arch aliases
  --registry <reg>      Registry (e.g. ghcr.io)
  --owner <owner>       Registry namespace (e.g. \${GITHUB_REPOSITORY_OWNER})
  --repo-prefix <name>  Image base name (default: pkgmgr)
  --version <X.Y.Z>     Version for --publish
  --stable <true|false> Whether to publish :stable tags (default: false)
 Notes:
 - --publish implies --push and requires --registry, --owner, and --version.
 - Local build (no --push) uses "docker build" and creates local images like "pkgmgr-arch" / "pkgmgr-arch-virgin".
 EOF
 }
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --no-cache) NO_CACHE=1; shift ;;
    --missing)  MISSING_ONLY=1; shift ;;
    --target)
      TARGET="${2:-}"
      [[ -n "${TARGET}" ]] || { echo "ERROR: --target requires a value (e.g. virgin)"; exit 2; }
      shift 2
      ;;
    --tag)
      IMAGE_TAG="${2:-}"
      [[ -n "${IMAGE_TAG}" ]] || { echo "ERROR: --tag requires a value"; exit 2; }
      shift 2
      ;;
    --push) PUSH=1; shift ;;
    --publish) PUBLISH=1; PUSH=1; shift ;;
    --registry)
      REGISTRY="${2:-}"
      [[ -n "${REGISTRY}" ]] || { echo "ERROR: --registry requires a value"; exit 2; }
      shift 2
      ;;
    --owner)
      OWNER="${2:-}"
      [[ -n "${OWNER}" ]] || { echo "ERROR: --owner requires a value"; exit 2; }
      shift 2
      ;;
    --repo-prefix)
      REPO_PREFIX="${2:-}"
      [[ -n "${REPO_PREFIX}" ]] || { echo "ERROR: --repo-prefix requires a value"; exit 2; }
      shift 2
      ;;
    --version)
      VERSION="${2:-}"
      [[ -n "${VERSION}" ]] || { echo "ERROR: --version requires a value"; exit 2; }
      shift 2
      ;;
    --stable)
      IS_STABLE="${2:-}"
      [[ -n "${IS_STABLE}" ]] || { echo "ERROR: --stable requires a value (true|false)"; exit 2; }
      shift 2
      ;;
    -h|--help) usage; exit 0 ;;
    *)
      echo "ERROR: Unknown argument: $1" >&2
      usage
      exit 2
      ;;
  esac
 done
 # Derive default local tag if not provided
 if [[ -z "${IMAGE_TAG}" ]]; then
  IMAGE_TAG="${REPO_PREFIX}-${distro}"
  if [[ -n "${TARGET}" ]]; then
    IMAGE_TAG="${IMAGE_TAG}-${TARGET}"
  fi
 fi
 BASE_IMAGE="$(resolve_base_image "$distro")"
 # Local-only "missing" shortcut
 if [[ "${MISSING_ONLY}" == "1" ]]; then
  if [[ "${PUSH}" == "1" ]]; then
    echo "ERROR: --missing is only supported for local builds (without --push/--publish)" >&2
    exit 2
  fi
  if docker image inspect "${IMAGE_TAG}" >/dev/null 2>&1; then
    echo "[build] Image already exists: ${IMAGE_TAG} (skipping due to --missing)"
    exit 0
  fi
 fi
 # Validate publish parameters
 if [[ "${PUBLISH}" == "1" ]]; then
  [[ -n "${REGISTRY}" ]] || { echo "ERROR: --publish requires --registry"; exit 2; }
  [[ -n "${OWNER}" ]]    || { echo "ERROR: --publish requires --owner"; exit 2; }
  [[ -n "${VERSION}" ]]  || { echo "ERROR: --publish requires --version"; exit 2; }
 fi
 # Guard: --push without --publish requires fully-qualified --tag
 if [[ "${PUSH}" == "1" && "${PUBLISH}" != "1" ]]; then
  if [[ "${IMAGE_TAG}" != */* ]]; then
    echo "ERROR: --push requires --tag with a fully-qualified name (e.g. ghcr.io/<owner>/<image>:tag), or use --publish" >&2
    exit 2
  fi
 fi
 echo
 echo "------------------------------------------------------------"
 echo "[build] Building image"
 echo "distro     = ${distro}"
 echo "BASE_IMAGE = ${BASE_IMAGE}"
 if [[ -n "${TARGET}" ]]; then echo "target    = ${TARGET}"; fi
 if [[ "${NO_CACHE}" == "1" ]]; then echo "cache     = disabled"; fi
 if [[ "${PUSH}" == "1" ]]; then echo "push      = enabled"; fi
 if [[ "${PUBLISH}" == "1" ]]; then
  echo "publish   = enabled"
  echo "registry  = ${REGISTRY}"
  echo "owner     = ${OWNER}"
  echo "version   = ${VERSION}"
  echo "stable    = ${IS_STABLE}"
 fi
 echo "------------------------------------------------------------"
 # Common build args
 build_args=(--build-arg "BASE_IMAGE=${BASE_IMAGE}")
 if [[ "${NO_CACHE}" == "1" ]]; then
  build_args+=(--no-cache)
 fi
 if [[ -n "${TARGET}" ]]; then
  build_args+=(--target "${TARGET}")
 fi
 compute_publish_tags() {
  local distro_tag_base="${REGISTRY}/${OWNER}/${REPO_PREFIX}-${distro}"
  local alias_tag_base=""
  if [[ -n "${TARGET}" ]]; then
    distro_tag_base="${distro_tag_base}-${TARGET}"
  fi
  if [[ "${distro}" == "${DEFAULT_DISTRO}" ]]; then
    alias_tag_base="${REGISTRY}/${OWNER}/${REPO_PREFIX}"
    if [[ -n "${TARGET}" ]]; then
      alias_tag_base="${alias_tag_base}-${TARGET}"
    fi
  fi
  local tags=()
  tags+=("${distro_tag_base}:latest")
  tags+=("${distro_tag_base}:${VERSION}")
  if [[ "${IS_STABLE}" == "true" ]]; then
    tags+=("${distro_tag_base}:stable")
  fi
  if [[ -n "${alias_tag_base}" ]]; then
    tags+=("${alias_tag_base}:latest")
    tags+=("${alias_tag_base}:${VERSION}")
    if [[ "${IS_STABLE}" == "true" ]]; then
      tags+=("${alias_tag_base}:stable")
    fi
  fi
  printf '%s\n' "${tags[@]}"
 }
 if [[ "${PUSH}" == "1" ]]; then
  bx_args=(docker buildx build --push)
  if [[ "${PUBLISH}" == "1" ]]; then
    while IFS= read -r t; do
      bx_args+=(-t "$t")
    done < <(compute_publish_tags)
  else
    bx_args+=(-t "${IMAGE_TAG}")
  fi
  bx_args+=("${build_args[@]}")
  bx_args+=(.)
  echo "[build] Running: ${bx_args[*]}"
  "${bx_args[@]}"
 else
  local_args=(docker build)
  local_args+=("${build_args[@]}")
  local_args+=(-t "${IMAGE_TAG}")
  local_args+=(.)
  echo "[build] Running: ${local_args[*]}"
  "${local_args[@]}"
 fi
--- a/scripts/build/publish.sh
+++ b/scripts/build/publish.sh
@@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Publish all distro images (full + virgin) to a registry via image.sh --publish
 #
 # Required env:
 #   OWNER      (e.g. GITHUB_REPOSITORY_OWNER)
 #   VERSION    (e.g. 1.2.3)
 #
 # Optional env:
 #   REGISTRY   (default: ghcr.io)
 #   IS_STABLE  (default: false)
 #   DISTROS    (default: "arch debian ubuntu fedora centos")
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REGISTRY="${REGISTRY:-ghcr.io}"
 IS_STABLE="${IS_STABLE:-false}"
 DISTROS="${DISTROS:-arch debian ubuntu fedora centos}"
 : "${OWNER:?Environment variable OWNER must be set (e.g. github.repository_owner)}"
 : "${VERSION:?Environment variable VERSION must be set (e.g. 1.2.3)}"
 echo "[publish] REGISTRY=${REGISTRY}"
 echo "[publish] OWNER=${OWNER}"
 echo "[publish] VERSION=${VERSION}"
 echo "[publish] IS_STABLE=${IS_STABLE}"
 echo "[publish] DISTROS=${DISTROS}"
 for d in ${DISTROS}; do
  echo
  echo "============================================================"
  echo "[publish] distro=${d}"
  echo "============================================================"
  # virgin
  distro="${d}" bash "${SCRIPT_DIR}/image.sh" \
    --publish \
    --registry "${REGISTRY}" \
    --owner "${OWNER}" \
    --version "${VERSION}" \
    --stable "${IS_STABLE}" \
    --target virgin
  # full (default target)
  distro="${d}" bash "${SCRIPT_DIR}/image.sh" \
    --publish \
    --registry "${REGISTRY}" \
    --owner "${OWNER}" \
    --version "${VERSION}" \
    --stable "${IS_STABLE}"
 done
 echo
 echo "[publish] Done."
--- a/scripts/docker/entry.sh
+++ b/scripts/docker/entry.sh
@@ -1,53 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # ---------------------------------------------------------------------------
 # Detect and export a valid CA bundle so Nix, Git, curl and Python tooling
 # can successfully perform HTTPS requests on all distros (Debian, Ubuntu,
 # Fedora, RHEL, CentOS, etc.)
 # ---------------------------------------------------------------------------
 detect_ca_bundle() {
  # Common CA bundle locations across major Linux distributions
  local candidates=(
    /etc/ssl/certs/ca-certificates.crt                       # Debian/Ubuntu
    /etc/ssl/cert.pem                                       # Some distros
    /etc/pki/tls/certs/ca-bundle.crt                        # Fedora/RHEL/CentOS
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem       # CentOS/RHEL extracted bundle
    /etc/ssl/ca-bundle.pem                                  # Generic fallback
  )
  for path in "${candidates[@]}"; do
    if [[ -f "$path" ]]; then
      echo "$path"
      return 0
    fi
  done
  return 1
 }
 # Use existing NIX_SSL_CERT_FILE if provided, otherwise auto-detect
 CA_BUNDLE="${NIX_SSL_CERT_FILE:-}"
 if [[ -z "${CA_BUNDLE}" ]]; then
  CA_BUNDLE="$(detect_ca_bundle || true)"
 fi
 if [[ -n "${CA_BUNDLE}" ]]; then
  # Export for Nix (critical)
  export NIX_SSL_CERT_FILE="${CA_BUNDLE}"
  # Export for Git, Python requests, curl, etc.
  export SSL_CERT_FILE="${CA_BUNDLE}"
  export REQUESTS_CA_BUNDLE="${CA_BUNDLE}"
  export GIT_SSL_CAINFO="${CA_BUNDLE}"
  echo "[docker] Using CA bundle: ${CA_BUNDLE}"
 else
  echo "[docker] WARNING: No CA certificate bundle found."
  echo "[docker] HTTPS access for Nix flakes and other tools may fail."
 fi
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 echo "[docker] Starting package-manager container"
@@ -68,16 +21,10 @@ cd /src
 # ---------------------------------------------------------------------------
 # DEV mode: rebuild package-manager from the mounted /src tree
 # ---------------------------------------------------------------------------
-if [[ "${PKGMGR_DEV:-0}" == "1" ]]; then
+if [[ "${REINSTALL_PKGMGR:-0}" == "1" ]]; then
-  echo "[docker] DEV mode enabled (PKGMGR_DEV=1)"
+  echo "[docker] DEV mode enabled (REINSTALL_PKGMGR=1)"
-  echo "[docker] Rebuilding package-manager from /src via scripts/installation/run-package.sh..."
+  echo "[docker] Rebuilding package-manager from /src via scripts/installation/package.sh..."
-
+  bash scripts/installation/package.sh || exit 1
  if [[ -x scripts/installation/run-package.sh ]]; then
    bash scripts/installation/run-package.sh
  else
    echo "[docker] ERROR: scripts/installation/run-package.sh not found or not executable"
    exit 1
  fi
 fi
 # ---------------------------------------------------------------------------
--- a/scripts/init-nix.sh
+++ b/scripts/init-nix.sh
@@ -1,246 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 echo "[init-nix] Starting Nix initialization..."
 NIX_INSTALL_URL="${NIX_INSTALL_URL:-https://nixos.org/nix/install}"
 NIX_DOWNLOAD_MAX_TIME=300      # 5 minutes
 NIX_DOWNLOAD_SLEEP_INTERVAL=20 # 20 seconds
 # ---------------------------------------------------------------------------
 # Detect whether we are inside a container (Docker/Podman/etc.)
 # ---------------------------------------------------------------------------
 is_container() {
  if [[ -f /.dockerenv ]] || [[ -f /run/.containerenv ]]; then
    return 0
  fi
  if grep -qiE 'docker|container|podman|lxc' /proc/1/cgroup 2>/dev/null; then
    return 0
  fi
  if [[ -n "${container:-}" ]]; then
    return 0
  fi
  return 1
 }
 # ---------------------------------------------------------------------------
 # Ensure Nix binaries are on PATH (multi-user or single-user)
 # ---------------------------------------------------------------------------
 ensure_nix_on_path() {
  if [[ -x /nix/var/nix/profiles/default/bin/nix ]]; then
    export PATH="/nix/var/nix/profiles/default/bin:${PATH}"
  fi
  if [[ -x "${HOME}/.nix-profile/bin/nix" ]]; then
    export PATH="${HOME}/.nix-profile/bin:${PATH}"
  fi
  if [[ -x /home/nix/.nix-profile/bin/nix ]]; then
    export PATH="/home/nix/.nix-profile/bin:${PATH}"
  fi
 }
 # ---------------------------------------------------------------------------
 # Ensure Nix build group and users exist (build-users-group = nixbld)
 # ---------------------------------------------------------------------------
 ensure_nix_build_group() {
  if ! getent group nixbld >/dev/null 2>&1; then
    echo "[init-nix] Creating group 'nixbld'..."
    groupadd -r nixbld
  fi
  for i in $(seq 1 10); do
    if ! id "nixbld$i" >/dev/null 2>&1; then
      echo "[init-nix] Creating build user nixbld$i..."
      useradd -r -g nixbld -G nixbld -s /usr/sbin/nologin "nixbld$i"
    fi
  done
 }
 # ---------------------------------------------------------------------------
 # Download and run Nix installer with retry
 #   Usage: install_nix_with_retry daemon|no-daemon [run_as_user]
 # ---------------------------------------------------------------------------
 install_nix_with_retry() {
  local mode="$1"
  local run_as="${2:-}"
  local installer elapsed=0 mode_flag
  case "${mode}" in
    daemon)    mode_flag="--daemon" ;;
    no-daemon) mode_flag="--no-daemon" ;;
    *)
      echo "[init-nix] ERROR: Invalid mode '${mode}', expected 'daemon' or 'no-daemon'."
      exit 1
      ;;
  esac
  installer="$(mktemp -t nix-installer.XXXXXX)"
  echo "[init-nix] Downloading Nix installer from ${NIX_INSTALL_URL} with retry (max ${NIX_DOWNLOAD_MAX_TIME}s)..."
  while true; do
    if curl -fL "${NIX_INSTALL_URL}" -o "${installer}"; then
      echo "[init-nix] Successfully downloaded Nix installer to ${installer}"
      break
    fi
    local curl_exit=$?
    echo "[init-nix] WARNING: Failed to download Nix installer (curl exit code ${curl_exit})."
    elapsed=$((elapsed + NIX_DOWNLOAD_SLEEP_INTERVAL))
    if (( elapsed >= NIX_DOWNLOAD_MAX_TIME )); then
      echo "[init-nix] ERROR: Giving up after ${elapsed}s trying to download Nix installer."
      rm -f "${installer}"
      exit 1
    fi
    echo "[init-nix] Retrying in ${NIX_DOWNLOAD_SLEEP_INTERVAL}s (elapsed: ${elapsed}s/${NIX_DOWNLOAD_MAX_TIME}s)..."
    sleep "${NIX_DOWNLOAD_SLEEP_INTERVAL}"
  done
  if [[ -n "${run_as}" ]]; then
    echo "[init-nix] Running installer as user '${run_as}' with mode '${mode}'..."
    if command -v sudo >/dev/null 2>&1; then
      sudo -u "${run_as}" bash -lc "sh '${installer}' ${mode_flag}"
    else
      su - "${run_as}" -c "sh '${installer}' ${mode_flag}"
    fi
  else
    echo "[init-nix] Running installer as current user with mode '${mode}'..."
    sh "${installer}" "${mode_flag}"
  fi
  rm -f "${installer}"
 }
 # ---------------------------------------------------------------------------
 # Main
 # ---------------------------------------------------------------------------
 main() {
  # Fast path: Nix already available
  if command -v nix >/dev/null 2>&1; then
    echo "[init-nix] Nix already available on PATH: $(command -v nix)"
    return 0
  fi
  ensure_nix_on_path
  if command -v nix >/dev/null 2>&1; then
    echo "[init-nix] Nix found after adjusting PATH: $(command -v nix)"
    return 0
  fi
  echo "[init-nix] Nix not found, starting installation logic..."
  local IN_CONTAINER=0
  if is_container; then
    IN_CONTAINER=1
    echo "[init-nix] Detected container environment."
  else
    echo "[init-nix] No container detected."
  fi
  # -------------------------------------------------------------------------
  # Container + root: dedicated "nix" user, single-user install
  # -------------------------------------------------------------------------
  if [[ "${IN_CONTAINER}" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
    echo "[init-nix] Container + root – installing as 'nix' user (single-user)."
    ensure_nix_build_group
    if ! id nix >/dev/null 2>&1; then
      echo "[init-nix] Creating user 'nix'..."
      local BASH_SHELL
      BASH_SHELL="$(command -v bash || true)"
      [[ -z "${BASH_SHELL}" ]] && BASH_SHELL="/bin/sh"
      useradd -m -r -g nixbld -s "${BASH_SHELL}" nix
    fi
    if [[ ! -d /nix ]]; then
      echo "[init-nix] Creating /nix with owner nix:nixbld..."
      mkdir -m 0755 /nix
      chown nix:nixbld /nix
    else
      local current_owner current_group
      current_owner="$(stat -c '%U' /nix 2>/dev/null || echo '?')"
      current_group="$(stat -c '%G' /nix 2>/dev/null || echo '?')"
      if [[ "${current_owner}" != "nix" || "${current_group}" != "nixbld" ]]; then
        echo "[init-nix] Fixing /nix ownership from ${current_owner}:${current_group} to nix:nixbld..."
        chown -R nix:nixbld /nix
      fi
      if [[ ! -w /nix ]]; then
        echo "[init-nix] WARNING: /nix is not writable after chown; Nix installer may fail."
      fi
    fi
    install_nix_with_retry "no-daemon" "nix"
    ensure_nix_on_path
    if [[ -x /home/nix/.nix-profile/bin/nix && ! -e /usr/local/bin/nix ]]; then
      echo "[init-nix] Creating /usr/local/bin/nix symlink -> /home/nix/.nix-profile/bin/nix"
      ln -s /home/nix/.nix-profile/bin/nix /usr/local/bin/nix
    fi
  # -------------------------------------------------------------------------
  # Host (no container)
  # -------------------------------------------------------------------------
  elif [[ "${IN_CONTAINER}" -eq 0 ]]; then
    if command -v systemctl >/dev/null 2>&1; then
      echo "[init-nix] Host with systemd – using multi-user install (--daemon)."
      if [[ "${EUID:-0}" -eq 0 ]]; then
        ensure_nix_build_group
      fi
      install_nix_with_retry "daemon"
    else
      if [[ "${EUID:-0}" -eq 0 ]]; then
        echo "[init-nix] Host without systemd as root – using single-user install (--no-daemon)."
        ensure_nix_build_group
      else
        echo "[init-nix] Host without systemd as non-root – using single-user install (--no-daemon)."
      fi
      install_nix_with_retry "no-daemon"
    fi
  # -------------------------------------------------------------------------
  # Container, but not root (rare)
  # -------------------------------------------------------------------------
  else
    echo "[init-nix] Container as non-root – using single-user install (--no-daemon)."
    install_nix_with_retry "no-daemon"
  fi
  # -------------------------------------------------------------------------
  # After installation: PATH + /etc/profile
  # -------------------------------------------------------------------------
  ensure_nix_on_path
  if ! command -v nix >/dev/null 2>&1; then
    echo "[init-nix] WARNING: Nix installation finished, but 'nix' is still not on PATH."
    echo "[init-nix] You may need to source your shell profile manually."
  else
    echo "[init-nix] Nix successfully installed at: $(command -v nix)"
  fi
  if [[ -w /etc/profile ]] && ! grep -q 'Nix profiles' /etc/profile 2>/dev/null; then
    cat <<'EOF' >> /etc/profile
 # Nix profiles (added by package-manager init-nix.sh)
 if [ -d /nix/var/nix/profiles/default/bin ]; then
  PATH="/nix/var/nix/profiles/default/bin:$PATH"
 fi
 if [ -d "$HOME/.nix-profile/bin" ]; then
  PATH="$HOME/.nix-profile/bin:$PATH"
 fi
 EOF
    echo "[init-nix] Appended Nix PATH setup to /etc/profile"
  fi
  echo "[init-nix] Nix initialization complete."
 }
 main "$@"
--- a/scripts/installation/arch/dependencies.sh
+++ b/scripts/installation/arch/dependencies.sh
@@ -12,6 +12,7 @@ pacman -S --noconfirm --needed \
  rsync \
  curl \
  ca-certificates \
  python \
  xz
 pacman -Scc --noconfirm
--- a/scripts/installation/arch/package.sh
+++ b/scripts/installation/arch/package.sh
@@ -1,30 +1,64 @@
 #!/usr/bin/env bash
 set -euo pipefail
-echo "[arch/package] Building Arch package (makepkg --nodeps)..."
+echo "[arch/package] Building Arch package (makepkg --nodeps) in an isolated build dir..."
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 PKG_DIR="${PROJECT_ROOT}/packaging/arch"
-if [[ ! -f "${PKG_DIR}/PKGBUILD" ]]; then
+# We must not build inside /src (mounted repo). Build in /tmp to avoid permission issues.
-  echo "[arch/package] ERROR: PKGBUILD not found in ${PKG_DIR}"
+BUILD_ROOT="/tmp/package-manager-arch-build"
 PKG_SRC_DIR="${PROJECT_ROOT}/packaging/arch"
 PKG_BUILD_DIR="${BUILD_ROOT}/packaging/arch"
 if [[ ! -f "${PKG_SRC_DIR}/PKGBUILD" ]]; then
  echo "[arch/package] ERROR: PKGBUILD not found in ${PKG_SRC_DIR}"
  exit 1
 fi
-cd "${PKG_DIR}"
+echo "[arch/package] Preparing build directory: ${BUILD_ROOT}"
 rm -rf "${BUILD_ROOT}"
 mkdir -p "${BUILD_ROOT}"
-if id aur_builder >/dev/null 2>&1; then
+echo "[arch/package] Syncing project sources to ${BUILD_ROOT}..."
-  echo "[arch/package] Using 'aur_builder' user for makepkg..."
+# Keep it simple: copy everything; adjust excludes if needed later.
-  chown -R aur_builder:aur_builder "${PKG_DIR}"
+rsync -a --delete \
-  su aur_builder -c "cd '${PKG_DIR}' && rm -f package-manager-*.pkg.tar.* && makepkg --noconfirm --clean --nodeps"
+  --exclude '.git' \
-else
+  --exclude '.venv' \
-  echo "[arch/package] WARNING: user 'aur_builder' not found, running makepkg as current user..."
+  --exclude '.venvs' \
-  rm -f package-manager-*.pkg.tar.*
+  --exclude '__pycache__' \
-  makepkg --noconfirm --clean --nodeps
+  --exclude '*.pyc' \
  "${PROJECT_ROOT}/" "${BUILD_ROOT}/"
 if [[ ! -d "${PKG_BUILD_DIR}" ]]; then
  echo "[arch/package] ERROR: Build PKG dir missing: ${PKG_BUILD_DIR}"
  exit 1
 fi
 # ------------------------------------------------------------
 # Unprivileged user for Arch package build (makepkg)
 # ------------------------------------------------------------
 if ! id aur_builder >/dev/null 2>&1; then
  echo "[arch/package] ERROR: user 'aur_builder' not found. Run scripts/installation/arch/aur-builder-setup.sh first."
  exit 1
 fi
 echo "[arch/package] Using 'aur_builder' user for makepkg..."
 chown -R aur_builder:aur_builder "${BUILD_ROOT}"
 echo "[arch/package] Running makepkg in: ${PKG_BUILD_DIR}"
 su aur_builder -c "cd '${PKG_BUILD_DIR}' && rm -f package-manager-*.pkg.tar.* && makepkg --noconfirm --clean --nodeps"
 echo "[arch/package] Installing generated Arch package..."
-pacman -U --noconfirm package-manager-*.pkg.tar.*
+pkg_path="$(find "${PKG_BUILD_DIR}" -maxdepth 1 -type f -name 'package-manager-*.pkg.tar.*' | head -n1)"
 if [[ -z "${pkg_path}" ]]; then
  echo "[arch/package] ERROR: Built package not found in ${PKG_BUILD_DIR}"
  exit 1
 fi
 pacman -U --noconfirm "${pkg_path}"
 echo "[arch/package] Cleanup build directory..."
 rm -rf "${BUILD_ROOT}"
 echo "[arch/package] Done."
--- a/scripts/installation/centos/dependencies.sh
+++ b/scripts/installation/centos/dependencies.sh
@@ -13,9 +13,64 @@ dnf -y install \
  bash \
  curl-minimal \
  ca-certificates \
  python3 \
  sudo \
  xz
 dnf clean all
 # -----------------------------------------------------------------------------
 # Persist CA bundle configuration system-wide (virgin-compatible)
 # -----------------------------------------------------------------------------
 detect_ca_bundle() {
  local candidates=(
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/ssl/certs/ca-certificates.crt
    /etc/ssl/cert.pem
    /etc/ssl/ca-bundle.pem
  )
  for path in "${candidates[@]}"; do
    if [[ -f "$path" ]]; then
      echo "$path"
      return 0
    fi
  done
  return 1
 }
 CA_BUNDLE="$(detect_ca_bundle || true)"
 if [[ -n "${CA_BUNDLE}" ]]; then
  echo "[centos/dependencies] Persisting CA bundle: ${CA_BUNDLE}"
  # 1) Make it available for login shells
  cat >/etc/profile.d/pkgmgr-ca.sh <<EOF
 # Generated by package-manager
 export NIX_SSL_CERT_FILE="${CA_BUNDLE}"
 export SSL_CERT_FILE="${CA_BUNDLE}"
 export REQUESTS_CA_BUNDLE="${CA_BUNDLE}"
 export GIT_SSL_CAINFO="${CA_BUNDLE}"
 EOF
  chmod 0644 /etc/profile.d/pkgmgr-ca.sh
  # 2) Ensure Nix uses it even without environment variables
  mkdir -p /etc/nix
  if [[ -f /etc/nix/nix.conf ]]; then
    # Replace existing ssl-cert-file or append it
    if grep -qE '^\s*ssl-cert-file\s*=' /etc/nix/nix.conf; then
      sed -i "s|^\s*ssl-cert-file\s*=.*|ssl-cert-file = ${CA_BUNDLE}|" /etc/nix/nix.conf
    else
      echo "ssl-cert-file = ${CA_BUNDLE}" >>/etc/nix/nix.conf
    fi
  else
    echo "ssl-cert-file = ${CA_BUNDLE}" >/etc/nix/nix.conf
  fi
 else
  echo "[centos/dependencies] WARNING: No CA bundle found after installing ca-certificates."
 fi
 echo "[centos/dependencies] Done."
--- a/scripts/installation/debian/dependencies.sh
+++ b/scripts/installation/debian/dependencies.sh
@@ -13,6 +13,8 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  bash \
  curl \
  ca-certificates \
  python3 \
  python3-venv \
  xz-utils
 rm -rf /var/lib/apt/lists/*
--- a/scripts/installation/run-dependencies.sh
+++ b/scripts/installation/run-dependencies.sh
@@ -3,22 +3,19 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-# shellcheck source=/dev/null
+# shellcheck disable=SC1091
-source "${SCRIPT_DIR}/lib.sh"
+source "${SCRIPT_DIR}/os_resolver.sh"
-OS_ID="$(detect_os_id)"
+OS_ID="$(osr_get_os_id)"
 echo "[run-dependencies] Detected OS: ${OS_ID}"
-case "${OS_ID}" in
+if ! osr_is_supported "${OS_ID}"; then
-  arch|debian|ubuntu|fedora|centos)
+  echo "[run-dependencies] Unsupported OS: ${OS_ID}"
-    DEP_SCRIPT="${SCRIPT_DIR}/${OS_ID}/dependencies.sh"
+  exit 1
-    ;;
+fi
-  *)
+
-    echo "[run-dependencies] Unsupported OS: ${OS_ID}"
+DEP_SCRIPT="$(osr_script_path_for "${SCRIPT_DIR}" "${OS_ID}" "dependencies")"
    exit 1
    ;;
 esac
 if [[ ! -f "${DEP_SCRIPT}" ]]; then
  echo "[run-dependencies] Dependency script not found: ${DEP_SCRIPT}"
--- a/scripts/installation/init.sh
+++ b/scripts/installation/init.sh
@@ -0,0 +1,15 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  echo "[installation/install] Warning: Installation is just possible via root."
  exit 0
 fi
 echo "[installation] Running as root (EUID=0)."
 echo "[installation] Install Package Dependencies..."
 bash  scripts/installation/dependencies.sh
 echo "[installation] Install Distribution Package..."
 bash scripts/installation/package.sh
 echo "[installation] Root/system setup complete."
 exit 0
--- a/scripts/installation/lib.sh
+++ b/scripts/installation/lib.sh
@@ -1,12 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 detect_os_id() {
  if [[ -f /etc/os-release ]]; then
    # shellcheck disable=SC1091
    . /etc/os-release
    echo "${ID:-unknown}"
  else
    echo "unknown"
  fi
 }
--- a/scripts/installation/main.sh
+++ b/scripts/installation/main.sh
@@ -1,87 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # ------------------------------------------------------------
 # main.sh
 #
 # Developer / system setup entrypoint.
 #
 # Responsibilities:
 #   - If inside a Nix shell (IN_NIX_SHELL=1):
 #       * Skip venv creation and dependency installation
 #       * Run `python3 main.py install`
 #   - If running as root (EUID=0):
 #       * Run system-level installer (run-package.sh)
 #   - Otherwise (normal user):
 #       * Create ~/.venvs/pkgmgr virtual environment if missing
 #       * Install Python dependencies into that venv
 #       * Append auto-activation to ~/.bashrc and ~/.zshrc
 #       * Run `main.py install` using the venv Python
 # ------------------------------------------------------------
 echo "[installation/main] Starting setup..."
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd "${PROJECT_ROOT}"
 VENV_DIR="${HOME}/.venvs/pkgmgr"
 RC_LINE='if [ -d "${HOME}/.venvs/pkgmgr" ]; then . "${HOME}/.venvs/pkgmgr/bin/activate"; if [ -n "${PS1:-}" ]; then echo "Global Python virtual environment '\''~/.venvs/pkgmgr'\'' activated."; fi; fi'
 # ------------------------------------------------------------
 # 1) Nix shell mode: do not touch venv, only run main.py install
 # ------------------------------------------------------------
 if [[ -n "${IN_NIX_SHELL:-}" ]]; then
    echo "[installation/main] Nix shell detected (IN_NIX_SHELL=1)."
    echo "[installation/main] Skipping virtualenv creation and dependency installation."
    echo "[installation/main] Running main.py install via system python3..."
    python3 main.py install
    echo "[installation/main] Setup finished (Nix mode)."
    exit 0
 fi
 # ------------------------------------------------------------
 # 2) Root mode: system / distro-level installation
 # ------------------------------------------------------------
 if [[ "${EUID:-$(id -u)}" -eq 0 ]]; then
    echo "[installation/main] Running as root (EUID=0)."
    echo "[installation/main] Skipping user virtualenv and shell RC modifications."
    echo "[installation/main] Delegating to scripts/installation/run-package.sh..."
    bash scripts/installation/run-package.sh
    echo "[installation/main] Root/system setup complete."
    exit 0
 fi
 # ------------------------------------------------------------
 # 3) Normal user mode: dev setup with venv
 # ------------------------------------------------------------
 echo "[installation/main] Running in normal user mode (developer setup)."
 echo "[installation/main] Ensuring main.py is executable..."
 chmod +x main.py || true
 echo "[installation/main] Ensuring global virtualenv root: ${HOME}/.venvs"
 mkdir -p "${HOME}/.venvs"
 echo "[installation/main] Creating/updating virtualenv via helper..."
 PKGMGR_VENV_DIR="${VENV_DIR}" bash scripts/installation/venv-create.sh
 echo "[installation/main] Ensuring ~/.bashrc and ~/.zshrc exist..."
 touch "${HOME}/.bashrc" "${HOME}/.zshrc"
 echo "[installation/main] Ensuring venv auto-activation is present in shell rc files..."
 for rc in "${HOME}/.bashrc" "${HOME}/.zshrc"; do
    if ! grep -qxF "${RC_LINE}" "$rc"; then
        echo "${RC_LINE}" >> "$rc"
        echo "[installation/main] Appended auto-activation to $rc"
    else
        echo "[installation/main] Auto-activation already present in $rc"
    fi
 done
 echo "[installation/main] Running main.py install via venv Python..."
 "${VENV_DIR}/bin/python" main.py install
 echo
 echo "[installation/main] Developer setup complete."
 echo "Restart your shell (or run 'exec bash' or 'exec zsh') to activate the environment."
--- a/scripts/installation/os_resolver.sh
+++ b/scripts/installation/os_resolver.sh
@@ -0,0 +1,82 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # -----------------------------------------------------------------------------
 # OsResolver (bash "class-style" module)
 # Centralizes OS detection + normalization + supported checks + script paths.
 # -----------------------------------------------------------------------------
 osr_detect_raw_id() {
  if [[ -f /etc/os-release ]]; then
    # shellcheck disable=SC1091
    . /etc/os-release
    echo "${ID:-unknown}"
  else
    echo "unknown"
  fi
 }
 osr_detect_id_like() {
  if [[ -f /etc/os-release ]]; then
    # shellcheck disable=SC1091
    . /etc/os-release
    echo "${ID_LIKE:-}"
  else
    echo ""
  fi
 }
 osr_normalize_id() {
  local raw="${1:-unknown}"
  local like="${2:-}"
  # Explicit mapping first (your bugfix: manjaro -> arch everywhere)
  case "${raw}" in
    manjaro) echo "arch"; return 0 ;;
  esac
  # Keep direct IDs when they are already supported
  case "${raw}" in
    arch|debian|ubuntu|fedora|centos) echo "${raw}"; return 0 ;;
  esac
  # Fallback mapping via ID_LIKE for better portability
  # Example: many Arch derivatives expose ID_LIKE="arch"
  if [[ " ${like} " == *" arch "* ]]; then
    echo "arch"; return 0
  fi
  if [[ " ${like} " == *" debian "* ]]; then
    echo "debian"; return 0
  fi
  if [[ " ${like} " == *" fedora "* ]]; then
    echo "fedora"; return 0
  fi
  if [[ " ${like} " == *" rhel "* || " ${like} " == *" centos "* ]]; then
    echo "centos"; return 0
  fi
  echo "${raw}"
 }
 osr_get_os_id() {
  local raw like
  raw="$(osr_detect_raw_id)"
  like="$(osr_detect_id_like)"
  osr_normalize_id "${raw}" "${like}"
 }
 osr_is_supported() {
  local id="${1:-unknown}"
  case "${id}" in
    arch|debian|ubuntu|fedora|centos) return 0 ;;
    *) return 1 ;;
  esac
 }
 osr_script_path_for() {
  local script_dir="${1:?script_dir required}"
  local os_id="${2:?os_id required}"
  local kind="${3:?kind required}" # "dependencies" or "package"
  echo "${script_dir}/${os_id}/${kind}.sh"
 }
--- a/scripts/installation/package.sh
+++ b/scripts/installation/package.sh
@@ -0,0 +1,26 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck disable=SC1091
 source "${SCRIPT_DIR}/os_resolver.sh"
 OS_ID="$(osr_get_os_id)"
 echo "[package] Detected OS: ${OS_ID}"
 if ! osr_is_supported "${OS_ID}"; then
  echo "[package] Unsupported OS: ${OS_ID}"
  exit 1
 fi
 PKG_SCRIPT="$(osr_script_path_for "${SCRIPT_DIR}" "${OS_ID}" "package")"
 if [[ ! -f "${PKG_SCRIPT}" ]]; then
  echo "[package] Package script not found: ${PKG_SCRIPT}"
  exit 1
 fi
 echo "[package] Executing: ${PKG_SCRIPT}"
 exec bash "${PKG_SCRIPT}"
--- a/scripts/installation/run-package.sh
+++ b/scripts/installation/run-package.sh
@@ -1,35 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=/dev/null
 source "${SCRIPT_DIR}/lib.sh"
 OS_ID="$(detect_os_id)"
 # Map Manjaro to Arch
 if [[ "${OS_ID}" == "manjaro" ]]; then
  echo "[run-package] Mapping OS 'manjaro' → 'arch'"
  OS_ID="arch"
 fi
 echo "[run-package] Detected OS: ${OS_ID}"
 case "${OS_ID}" in
  arch|debian|ubuntu|fedora|centos)
    PKG_SCRIPT="${SCRIPT_DIR}/${OS_ID}/package.sh"
    ;;
  *)
    echo "[run-package] Unsupported OS: ${OS_ID}"
    exit 1
    ;;
 esac
 if [[ ! -f "${PKG_SCRIPT}" ]]; then
  echo "[run-package] Package script not found: ${PKG_SCRIPT}"
  exit 1
 fi
 echo "[run-package] Executing: ${PKG_SCRIPT}"
 exec bash "${PKG_SCRIPT}"
--- a/scripts/installation/ubuntu/dependencies.sh
+++ b/scripts/installation/ubuntu/dependencies.sh
@@ -14,6 +14,9 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  rsync \
  bash \
  curl \
  make \
  python3 \
  python3-venv \
  ca-certificates \
  xz-utils
--- a/scripts/installation/venv-create.sh
+++ b/scripts/installation/venv-create.sh
@@ -1,44 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # venv-create.sh
 #
 # Small helper to create/update a Python virtual environment for pkgmgr.
 #
 # Usage:
 #   PKGMGR_VENV_DIR=/home/dev/.venvs/pkgmgr bash scripts/installation/venv-create.sh
 # or
 #   bash scripts/installation/venv-create.sh /home/dev/.venvs/pkgmgr
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd "${PROJECT_ROOT}"
 VENV_DIR="${PKGMGR_VENV_DIR:-${1:-${HOME}/.venvs/pkgmgr}}"
 echo "[venv-create] Using VENV_DIR=${VENV_DIR}"
 echo "[venv-create] Ensuring virtualenv parent directory exists..."
 mkdir -p "$(dirname "${VENV_DIR}")"
 if [[ ! -d "${VENV_DIR}" ]]; then
    echo "[venv-create] Creating virtual environment at: ${VENV_DIR}"
    python3 -m venv "${VENV_DIR}"
 else
    echo "[venv-create] Virtual environment already exists at: ${VENV_DIR}"
 fi
 echo "[venv-create] Installing Python tooling into venv..."
 "${VENV_DIR}/bin/python" -m ensurepip --upgrade
 "${VENV_DIR}/bin/pip" install --upgrade pip setuptools wheel
 if [[ -f "requirements.txt" ]]; then
    echo "[venv-create] Installing dependencies from requirements.txt..."
    "${VENV_DIR}/bin/pip" install -r requirements.txt
 elif [[ -f "_requirements.txt" ]]; then
    echo "[venv-create] Installing dependencies from _requirements.txt..."
    "${VENV_DIR}/bin/pip" install -r _requirements.txt
 else
    echo "[venv-create] No requirements.txt or _requirements.txt found. Skipping dependency installation."
 fi
 echo "[venv-create] Done."
--- a/scripts/nix/README.md
+++ b/scripts/nix/README.md
@@ -0,0 +1,53 @@
 # Nix Bootstrap (package-manager)
 This directory contains the **Nix initialization and bootstrap logic** used by *package-manager* to ensure the `nix` command is available on supported systems (host machines and CI containers).
 It is invoked during package installation (Arch/Debian/Fedora scriptlets) and can also be called manually.
 ---
 ## Entry Point
 - *scripts/nix/init.sh*  
  Main bootstrap script. It:
  - checks whether `nix` is already available
  - adjusts `PATH` for common Nix locations
  - installs Nix when missing (daemon install on systemd hosts, single-user in containers)
  - ensures predictable `nix` availability via symlinks (without overwriting distro-managed paths)
  - validates that `nix` is usable at the end (CI-safe)
 ---
 ## Library Layout
 The entry point sources small, focused modules from *scripts/nix/lib/*:
 - *config.sh* — configuration defaults (installer URL, retry timing)
 - *detect.sh* — container detection helpers
 - *path.sh* — PATH adjustments and `nix` binary resolution helpers
 - *symlinks.sh* — user/global symlink helpers for stable `nix` discovery
 - *users.sh* — build group/users and container ownership/perms helpers
 - *install.sh* — installer download + retry logic and execution helpers
 Each library file includes a simple guard to prevent double-sourcing.
 ---
 ## When It Runs
 This bootstrap is typically executed automatically:
 - Arch: post-install / post-upgrade hook
 - Debian: `postinst`
 - Fedora/RPM: `%post`
 ---
 ## Notes / Design Goals
 - **Cross-distro compatibility:** supports common Linux layouts (including Arch placing `nix` in */usr/sbin*).
 - **Non-destructive behavior:** avoids overwriting distro-managed `nix` binaries.
 - **CI robustness:** retry logic for downloads and a final `nix` availability check.
 - **Container-safe defaults:** single-user install as a dedicated `nix` user when running as root in containers.
--- a/scripts/nix/init.sh
+++ b/scripts/nix/init.sh
@@ -0,0 +1,130 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # shellcheck source=lib/config.sh
 # shellcheck source=lib/detect.sh
 # shellcheck source=lib/path.sh
 # shellcheck source=lib/symlinks.sh
 # shellcheck source=lib/users.sh
 # shellcheck source=lib/install.sh
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/lib/config.sh"
 source "${SCRIPT_DIR}/lib/detect.sh"
 source "${SCRIPT_DIR}/lib/path.sh"
 source "${SCRIPT_DIR}/lib/symlinks.sh"
 source "${SCRIPT_DIR}/lib/users.sh"
 source "${SCRIPT_DIR}/lib/install.sh"
 echo "[init-nix] Starting Nix initialization..."
 main() {
  # Fast path: already available
  if command -v nix >/dev/null 2>&1; then
    echo "[init-nix] Nix already available on PATH: $(command -v nix)"
    ensure_nix_on_path
    if [[ "${EUID:-0}" -eq 0 ]]; then
      ensure_global_nix_symlinks "$(resolve_nix_bin 2>/dev/null || true)"
    else
      ensure_user_nix_symlink "$(resolve_nix_bin 2>/dev/null || true)"
    fi
    return 0
  fi
  ensure_nix_on_path
  if command -v nix >/dev/null 2>&1; then
    echo "[init-nix] Nix found after PATH adjustment: $(command -v nix)"
    if [[ "${EUID:-0}" -eq 0 ]]; then
      ensure_global_nix_symlinks "$(resolve_nix_bin 2>/dev/null || true)"
    else
      ensure_user_nix_symlink "$(resolve_nix_bin 2>/dev/null || true)"
    fi
    return 0
  fi
  local IN_CONTAINER=0
  if is_container; then
    IN_CONTAINER=1
    echo "[init-nix] Detected container environment."
  else
    echo "[init-nix] No container detected."
  fi
  # -------------------------------------------------------------------------
  # Container + root: dedicated "nix" user, single-user install
  # -------------------------------------------------------------------------
  if [[ "$IN_CONTAINER" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
    echo "[init-nix] Container + root: installing as 'nix' user (single-user)."
    ensure_nix_build_group
    if ! id nix >/dev/null 2>&1; then
      echo "[init-nix] Creating user 'nix'..."
      local BASH_SHELL
      BASH_SHELL="$(command -v bash || true)"
      [[ -z "$BASH_SHELL" ]] && BASH_SHELL="/bin/sh"
      useradd -m -r -g nixbld -s "$BASH_SHELL" nix
    fi
    ensure_nix_store_dir_for_container_user
    install_nix_with_retry "no-daemon" "nix"
    ensure_nix_on_path
    # Ensure stable global symlink(s) (sudo secure_path friendly)
    ensure_global_nix_symlinks "/home/nix/.nix-profile/bin/nix"
    # Ensure non-root users can traverse and execute nix user profile
    ensure_container_profile_perms
  # -------------------------------------------------------------------------
  # Host (no container)
  # -------------------------------------------------------------------------
  else
    if command -v systemctl >/dev/null 2>&1; then
      echo "[init-nix] Host with systemd: using multi-user install (--daemon)."
      if [[ "${EUID:-0}" -eq 0 ]]; then
        ensure_nix_build_group
      fi
      install_nix_with_retry "daemon"
    else
      echo "[init-nix] No systemd detected: using single-user install (--no-daemon)."
      if [[ "${EUID:-0}" -eq 0 ]]; then
        ensure_nix_build_group
      fi
      install_nix_with_retry "no-daemon"
    fi
  fi
  # -------------------------------------------------------------------------
  # After install: PATH + symlink(s)
  # -------------------------------------------------------------------------
  ensure_nix_on_path
  local nix_bin_post
  nix_bin_post="$(resolve_nix_bin 2>/dev/null || true)"
  if [[ "${EUID:-0}" -eq 0 ]]; then
    ensure_global_nix_symlinks "$nix_bin_post"
  else
    ensure_user_nix_symlink "$nix_bin_post"
  fi
  # Final verification (must succeed for CI)
  if ! command -v nix >/dev/null 2>&1; then
    echo "[init-nix] ERROR: nix not found after installation."
    echo "[init-nix] DEBUG: resolved nix path = ${nix_bin_post:-<empty>}"
    echo "[init-nix] DEBUG: PATH = $PATH"
    exit 1
  fi
  echo "[init-nix] Nix successfully available at: $(command -v nix)"
  echo "[init-nix] Nix initialization complete."
 }
 main "$@"
--- a/scripts/nix/lib/config.sh
+++ b/scripts/nix/lib/config.sh
@@ -0,0 +1,11 @@
 #!/usr/bin/env bash
 # Prevent double-sourcing
 if [[ -n "${PKGMGR_NIX_CONFIG_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_CONFIG_SH=1
 NIX_INSTALL_URL="${NIX_INSTALL_URL:-https://nixos.org/nix/install}"
 NIX_DOWNLOAD_MAX_TIME="${NIX_DOWNLOAD_MAX_TIME:-300}"
 NIX_DOWNLOAD_SLEEP_INTERVAL="${NIX_DOWNLOAD_SLEEP_INTERVAL:-20}"
--- a/scripts/nix/lib/detect.sh
+++ b/scripts/nix/lib/detect.sh
@@ -0,0 +1,14 @@
 #!/usr/bin/env bash
 if [[ -n "${PKGMGR_NIX_DETECT_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_DETECT_SH=1
 # Detect whether we are inside a container (Docker/Podman/etc.)
 is_container() {
  [[ -f /.dockerenv || -f /run/.containerenv ]] && return 0
  grep -qiE 'docker|container|podman|lxc' /proc/1/cgroup 2>/dev/null && return 0
  [[ -n "${container:-}" ]] && return 0
  return 1
 }
--- a/scripts/nix/lib/install.sh
+++ b/scripts/nix/lib/install.sh
@@ -0,0 +1,63 @@
 #!/usr/bin/env bash
 if [[ -n "${PKGMGR_NIX_INSTALL_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_INSTALL_SH=1
 # Requires: NIX_INSTALL_URL, NIX_DOWNLOAD_MAX_TIME, NIX_DOWNLOAD_SLEEP_INTERVAL
 # Download and run Nix installer with retry
 #   Usage: install_nix_with_retry daemon|no-daemon [run_as_user]
 install_nix_with_retry() {
  local mode="$1"
  local run_as="${2:-}"
  local installer elapsed=0 mode_flag
  case "$mode" in
    daemon)    mode_flag="--daemon" ;;
    no-daemon) mode_flag="--no-daemon" ;;
    *)
      echo "[init-nix] ERROR: Invalid mode '$mode' (expected 'daemon' or 'no-daemon')."
      exit 1
      ;;
  esac
  installer="$(mktemp -t nix-installer.XXXXXX)"
  chmod 0644 "$installer"
  echo "[init-nix] Downloading Nix installer from $NIX_INSTALL_URL (max ${NIX_DOWNLOAD_MAX_TIME}s)..."
  while true; do
    if curl -fL "$NIX_INSTALL_URL" -o "$installer"; then
      echo "[init-nix] Successfully downloaded installer to $installer"
      break
    fi
    elapsed=$((elapsed + NIX_DOWNLOAD_SLEEP_INTERVAL))
    echo "[init-nix] WARNING: Download failed. Retrying in ${NIX_DOWNLOAD_SLEEP_INTERVAL}s (elapsed ${elapsed}s)..."
    if (( elapsed >= NIX_DOWNLOAD_MAX_TIME )); then
      echo "[init-nix] ERROR: Giving up after ${elapsed}s trying to download Nix installer."
      rm -f "$installer"
      exit 1
    fi
    sleep "$NIX_DOWNLOAD_SLEEP_INTERVAL"
  done
  if [[ -n "$run_as" ]]; then
    chown "$run_as:$run_as" "$installer" 2>/dev/null || true
    echo "[init-nix] Running installer as user '$run_as' ($mode_flag)..."
    if command -v sudo >/dev/null 2>&1; then
      sudo -u "$run_as" bash -lc "sh '$installer' $mode_flag"
    else
      su - "$run_as" -c "sh '$installer' $mode_flag"
    fi
  else
    echo "[init-nix] Running installer as current user ($mode_flag)..."
    sh "$installer" "$mode_flag"
  fi
  rm -f "$installer"
 }
--- a/scripts/nix/lib/path.sh
+++ b/scripts/nix/lib/path.sh
@@ -0,0 +1,68 @@
 #!/usr/bin/env bash
 if [[ -n "${PKGMGR_NIX_PATH_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_PATH_SH=1
 # Ensure Nix binaries are on PATH (additive, never destructive)
 ensure_nix_on_path() {
  if [[ -x /nix/var/nix/profiles/default/bin/nix ]]; then
    PATH="/nix/var/nix/profiles/default/bin:$PATH"
  fi
  if [[ -x "$HOME/.nix-profile/bin/nix" ]]; then
    PATH="$HOME/.nix-profile/bin:$PATH"
  fi
  if [[ -x /home/nix/.nix-profile/bin/nix ]]; then
    PATH="/home/nix/.nix-profile/bin:$PATH"
  fi
  if [[ -d "$HOME/.local/bin" ]]; then
    PATH="$HOME/.local/bin:$PATH"
  fi
  export PATH
 }
 # Resolve a path to a real executable (follows symlinks)
 real_exe() {
  local p="${1:-}"
  [[ -z "$p" ]] && return 1
  local r
  r="$(readlink -f "$p" 2>/dev/null || echo "$p")"
  [[ -x "$r" ]] && { echo "$r"; return 0; }
  return 1
 }
 # Resolve nix binary path robustly (works across distros + Arch /usr/sbin)
 resolve_nix_bin() {
  local nix_cmd=""
  nix_cmd="$(command -v nix 2>/dev/null || true)"
  [[ -n "$nix_cmd" ]] && real_exe "$nix_cmd" && return 0
  # IMPORTANT: prefer system locations before /usr/local to avoid self-symlink traps
  [[ -x /usr/sbin/nix ]]      && { echo "/usr/sbin/nix"; return 0; } # Arch package can land here
  [[ -x /usr/bin/nix ]]       && { echo "/usr/bin/nix"; return 0; }
  [[ -x /bin/nix ]]           && { echo "/bin/nix"; return 0; }
  # /usr/local last, and only if it resolves to a real executable
  [[ -e /usr/local/bin/nix ]] && real_exe "/usr/local/bin/nix" && return 0
  [[ -x /nix/var/nix/profiles/default/bin/nix ]] && {
    echo "/nix/var/nix/profiles/default/bin/nix"; return 0;
  }
  [[ -x "$HOME/.nix-profile/bin/nix" ]] && {
    echo "$HOME/.nix-profile/bin/nix"; return 0;
  }
  [[ -x "$HOME/.local/bin/nix" ]] && {
    echo "$HOME/.local/bin/nix"; return 0;
  }
  [[ -x /home/nix/.nix-profile/bin/nix ]] && {
    echo "/home/nix/.nix-profile/bin/nix"; return 0;
  }
  return 1
 }
--- a/scripts/nix/lib/symlinks.sh
+++ b/scripts/nix/lib/symlinks.sh
@@ -0,0 +1,95 @@
 #!/usr/bin/env bash
 if [[ -n "${PKGMGR_NIX_SYMLINKS_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_SYMLINKS_SH=1
 # Requires: real_exe, resolve_nix_bin
 # shellcheck disable=SC2034
 # Ensure globally reachable nix symlink(s) (CI / non-login shells) - root only
 ensure_global_nix_symlinks() {
  local nix_bin="${1:-}"
  [[ -z "$nix_bin" ]] && nix_bin="$(resolve_nix_bin 2>/dev/null || true)"
  if [[ -z "$nix_bin" || ! -x "$nix_bin" ]]; then
    echo "[init-nix] WARNING: nix binary not found, cannot create global symlink(s)."
    return 0
  fi
  # Always link to the real executable to avoid /usr/local/bin/nix -> /usr/local/bin/nix
  nix_bin="$(real_exe "$nix_bin" 2>/dev/null || echo "$nix_bin")"
  local targets=()
  # Always provide /usr/local/bin/nix for CI shells
  mkdir -p /usr/local/bin 2>/dev/null || true
  targets+=("/usr/local/bin/nix")
  # Provide sudo-friendly locations only if they are NOT present (do not override distro paths)
  if [[ ! -e /usr/bin/nix ]]; then
    targets+=("/usr/bin/nix")
  fi
  if [[ ! -e /usr/sbin/nix ]]; then
    targets+=("/usr/sbin/nix")
  fi
  local target current_real
  for target in "${targets[@]}"; do
    current_real=""
    if [[ -e "$target" ]]; then
      current_real="$(real_exe "$target" 2>/dev/null || true)"
    fi
    if [[ -n "$current_real" && "$current_real" == "$nix_bin" ]]; then
      echo "[init-nix] $target already points to: $nix_bin"
      continue
    fi
    # If something exists but is not the same (and we promised not to override), skip.
    if [[ -e "$target" && "$target" != "/usr/local/bin/nix" ]]; then
      echo "[init-nix] WARNING: $target exists; not overwriting."
      continue
    fi
    if ln -sf "$nix_bin" "$target" 2>/dev/null; then
      echo "[init-nix] Ensured $target -> $nix_bin"
    else
      echo "[init-nix] WARNING: Failed to ensure $target symlink."
    fi
  done
 }
 # Ensure user-level nix symlink (works without root; CI-safe)
 ensure_user_nix_symlink() {
  local nix_bin="${1:-}"
  [[ -z "$nix_bin" ]] && nix_bin="$(resolve_nix_bin 2>/dev/null || true)"
  if [[ -z "$nix_bin" || ! -x "$nix_bin" ]]; then
    echo "[init-nix] WARNING: nix binary not found, cannot create user symlink."
    return 0
  fi
  nix_bin="$(real_exe "$nix_bin" 2>/dev/null || echo "$nix_bin")"
  mkdir -p "$HOME/.local/bin" 2>/dev/null || true
  ln -sf "$nix_bin" "$HOME/.local/bin/nix"
  echo "[init-nix] Ensured $HOME/.local/bin/nix -> $nix_bin"
  PATH="$HOME/.local/bin:$PATH"
  export PATH
  if [[ -w "$HOME/.profile" ]] && ! grep -q 'nix/init.sh' "$HOME/.profile" 2>/dev/null; then
    cat >>"$HOME/.profile" <<'EOF'
 # PATH for nix (added by package-manager nix/init.sh)
 if [ -d "$HOME/.local/bin" ]; then
  PATH="$HOME/.local/bin:$PATH"
 fi
 EOF
  fi
 }
--- a/scripts/nix/lib/users.sh
+++ b/scripts/nix/lib/users.sh
@@ -0,0 +1,49 @@
 #!/usr/bin/env bash
 if [[ -n "${PKGMGR_NIX_USERS_SH:-}" ]]; then
  return 0
 fi
 PKGMGR_NIX_USERS_SH=1
 # Ensure Nix build group and users exist (build-users-group = nixbld) - root only
 ensure_nix_build_group() {
  if ! getent group nixbld >/dev/null 2>&1; then
    echo "[init-nix] Creating group 'nixbld'..."
    groupadd -r nixbld
  fi
  for i in $(seq 1 10); do
    if ! id "nixbld$i" >/dev/null 2>&1; then
      echo "[init-nix] Creating build user nixbld$i..."
      useradd -r -g nixbld -G nixbld -s /usr/sbin/nologin "nixbld$i"
    fi
  done
 }
 # Container-only helper: /nix ownership + perms for single-user install as 'nix'
 ensure_nix_store_dir_for_container_user() {
  if [[ ! -d /nix ]]; then
    echo "[init-nix] Creating /nix with owner nix:nixbld..."
    mkdir -m 0755 /nix
    chown nix:nixbld /nix
    return 0
  fi
  local current_owner current_group
  current_owner="$(stat -c '%U' /nix 2>/dev/null || echo '?')"
  current_group="$(stat -c '%G' /nix 2>/dev/null || echo '?')"
  if [[ "$current_owner" != "nix" || "$current_group" != "nixbld" ]]; then
    echo "[init-nix] Fixing /nix ownership from $current_owner:$current_group to nix:nixbld..."
    chown -R nix:nixbld /nix
  fi
 }
 # Container-only helper: make nix profile executable/traversable for non-root
 ensure_container_profile_perms() {
  if [[ -d /home/nix ]]; then
    chmod o+rx /home/nix 2>/dev/null || true
  fi
  if [[ -d /home/nix/.nix-profile ]]; then
    chmod -R o+rx /home/nix/.nix-profile 2>/dev/null || true
  fi
 }
--- a/scripts/pkgmgr-wrapper.sh
+++ b/scripts/pkgmgr-wrapper.sh
@@ -28,11 +28,11 @@ if ! command -v nix >/dev/null 2>&1; then
 fi
 # ---------------------------------------------------------------------------
-# If nix is still missing, try to run init-nix.sh once
+# If nix is still missing, try to run nix/init.sh once
 # ---------------------------------------------------------------------------
 if ! command -v nix >/dev/null 2>&1; then
-  if [[ -x "${FLAKE_DIR}/init-nix.sh" ]]; then
+  if [[ -x "${FLAKE_DIR}/nix/init.sh" ]]; then
-    "${FLAKE_DIR}/init-nix.sh" || true
+    "${FLAKE_DIR}/nix/init.sh" || true
  fi
 fi
--- a/scripts/setup/nix.sh
+++ b/scripts/setup/nix.sh
@@ -0,0 +1,9 @@
 # ------------------------------------------------------------
 # Nix shell mode: do not touch venv, only run install
 # ------------------------------------------------------------
 echo "[setup] Nix mode enabled (NIX_ENABLED=1)."
 echo "[setup] Skipping virtualenv creation and dependency installation."
 echo "[setup] Running install via system python3..."
 python3 -m pkgmgr install
 echo "[setup] Setup finished (Nix mode)."
--- a/scripts/setup/venv.sh
+++ b/scripts/setup/venv.sh
@@ -0,0 +1,95 @@
 #!/usr/bin/env bash
 set -euo pipefail
 echo "[setup] Starting setup..."
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd "${PROJECT_ROOT}"
 VENV_DIR="${HOME}/.venvs/pkgmgr"
 RC_LINE='if [ -d "${HOME}/.venvs/pkgmgr" ]; then . "${HOME}/.venvs/pkgmgr/bin/activate"; if [ -n "${PS1:-}" ]; then echo "Global Python virtual environment '\''~/.venvs/pkgmgr'\'' activated."; fi; fi'
 # ------------------------------------------------------------
 # Normal user mode: dev setup with venv
 # ------------------------------------------------------------
 echo "[setup] Running in normal user mode (developer setup)."
 echo "[setup] Ensuring global virtualenv root: ${HOME}/.venvs"
 mkdir -p "${HOME}/.venvs"
 echo "[setup] Creating/updating virtualenv via helper..."
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 cd "${PROJECT_ROOT}"
 PIP_EDITABLE="${PKGMGR_PIP_EDITABLE:-1}"
 PIP_EXTRAS="${PKGMGR_PIP_EXTRAS:-}"
 PREFER_NIX="${PKGMGR_PREFER_NIX:-0}"
 echo "[venv] Using VENV_DIR=${VENV_DIR}"
 if [[ "${PREFER_NIX}" == "1" ]]; then
  echo "[venv] PKGMGR_PREFER_NIX=1 set."
  echo "[venv] Hint: Use Nix instead of a venv for reproducible installs:"
  echo "[venv]   nix develop"
  echo "[venv]   nix run .#pkgmgr -- --help"
  exit 2
 fi
 echo "[venv] Ensuring virtualenv parent directory exists..."
 mkdir -p "$(dirname "${VENV_DIR}")"
 if [[ ! -d "${VENV_DIR}" ]]; then
  echo "[venv] Creating virtual environment at: ${VENV_DIR}"
  python3 -m venv "${VENV_DIR}"
 else
  echo "[venv] Virtual environment already exists at: ${VENV_DIR}"
 fi
 echo "[venv] Installing Python tooling into venv..."
 "${VENV_DIR}/bin/python" -m ensurepip --upgrade
 "${VENV_DIR}/bin/pip" install --upgrade pip setuptools wheel
 # ---------------------------------------------------------------------------
 # Install dependencies
 # ---------------------------------------------------------------------------
 if [[ -f "pyproject.toml" ]]; then
  echo "[venv] Detected pyproject.toml. Installing project via pip..."
  target="."
  if [[ -n "${PIP_EXTRAS}" ]]; then
    target=".[${PIP_EXTRAS}]"
  fi
  if [[ "${PIP_EDITABLE}" == "1" ]]; then
    echo "[venv] pip install -e ${target}"
    "${VENV_DIR}/bin/pip" install -e "${target}"
  else
    echo "[venv] pip install ${target}"
    "${VENV_DIR}/bin/pip" install "${target}"
  fi
 else
  echo "[venv] No pyproject.toml found. Skipping dependency installation."
 fi
 echo "[venv] Done."
 echo "[setup] Ensuring ~/.bashrc and ~/.zshrc exist..."
 touch "${HOME}/.bashrc" "${HOME}/.zshrc"
 echo "[setup] Ensuring venv auto-activation is present in shell rc files..."
 for rc in "${HOME}/.bashrc" "${HOME}/.zshrc"; do
    if ! grep -qxF "${RC_LINE}" "$rc"; then
        echo "${RC_LINE}" >> "$rc"
        echo "[setup] Appended auto-activation to $rc"
    else
        echo "[setup] Auto-activation already present in $rc"
    fi
 done
 echo "[setup] Running install via venv Python..."
 "${VENV_DIR}/bin/python" -m pkgmgr install
 echo
 echo "[setup] Developer setup complete."
 echo "Restart your shell (or run 'exec bash' or 'exec zsh') to activate the environment."
--- a/scripts/test/test-e2e.sh
+++ b/scripts/test/test-e2e.sh
@@ -9,10 +9,10 @@ docker run --rm \
  -v "$(pwd):/src" \
  -v "pkgmgr_nix_store_${distro}:/nix" \
  -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
-  -e PKGMGR_DEV=1 \
+  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
  --workdir /src \
-  "package-manager-test-${distro}" \
+  "pkgmgr-${distro}" \
  bash -lc '
    set -euo pipefail
--- a/scripts/test/test-env-nix.sh
+++ b/scripts/test/test-env-nix.sh
@@ -0,0 +1,48 @@
 #!/usr/bin/env bash
 set -euo pipefail
 IMAGE="pkgmgr-${distro}"
 echo "============================================================"
 echo ">>> Running Nix flake-only test in ${distro} container"
 echo ">>> Image: ${IMAGE}"
 echo "============================================================"
 docker run --rm \
  -v "$(pwd):/src" \
  -v "pkgmgr_nix_store_${distro}:/nix" \
  -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
  --workdir /src \
  -e REINSTALL_PKGMGR=1 \
  "${IMAGE}" \
  bash -lc '
    set -euo pipefail
    if command -v git >/dev/null 2>&1; then
      git config --global --add safe.directory /src || true
      git config --global --add safe.directory /src/.git || true
      git config --global --add safe.directory "*" || true
    fi
    echo ">>> preflight: nix must exist in image"
    if ! command -v nix >/dev/null 2>&1; then
      echo "NO_NIX"
      echo "ERROR: nix not found in image '\'''"${IMAGE}"''\'' (distro='"${distro}"')"
      echo "HINT: Ensure Nix is installed during image build for this distro."
      exit 1
    fi
    echo ">>> nix version"
    nix --version
    echo ">>> nix flake show"
    nix flake show . --no-write-lock-file >/dev/null
    echo ">>> nix build .#default"
    nix build .#default --no-link --no-write-lock-file
    echo ">>> nix run .#pkgmgr -- --help"
    nix run .#pkgmgr -- --help --no-write-lock-file
    echo ">>> OK: Nix flake-only test succeeded."
  '
--- a/scripts/test/test-env-virtual.sh
+++ b/scripts/test/test-env-virtual.sh
@@ -1,32 +1,32 @@
 #!/usr/bin/env bash
 set -euo pipefail
-IMAGE="package-manager-test-$distro"
+IMAGE="pkgmgr-$distro"
 echo
 echo "------------------------------------------------------------"
-echo ">>> Testing container: $IMAGE"
+echo ">>> Testing VENV: $IMAGE"
 echo "------------------------------------------------------------"
-echo "[test-container] Inspect image metadata:"
+echo "[test-env-virtual] Inspect image metadata:"
 docker image inspect "$IMAGE" | sed -n '1,40p'
-echo "[test-container] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
+echo "[test-env-virtual] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
 echo
 # Run the command and capture the output
 if OUTPUT=$(docker run --rm \
-        -e PKGMGR_DEV=1 \
+        -e REINSTALL_PKGMGR=1 \
        -v pkgmgr_nix_store_${distro}:/nix \
        -v "$(pwd):/src" \
        -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
        "$IMAGE" 2>&1); then
    echo "$OUTPUT"
    echo
-    echo "[test-container] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
+    echo "[test-env-virtual] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
 else
    echo "$OUTPUT"
    echo
-    echo "[test-container] ERROR: $IMAGE failed to run 'pkgmgr --help'"
+    echo "[test-env-virtual] ERROR: $IMAGE failed to run 'pkgmgr --help'"
    exit 1
 fi
--- a/scripts/test/test-integration.sh
+++ b/scripts/test/test-integration.sh
@@ -10,9 +10,9 @@ docker run --rm \
  -v pkgmgr_nix_store_${distro}:/nix \
  -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
  --workdir /src \
-  -e PKGMGR_DEV=1 \
+  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
-  "package-manager-test-${distro}" \
+  "pkgmgr-${distro}" \
  bash -lc '
    set -e;
    git config --global --add safe.directory /src || true;
--- a/scripts/test/test-unit.sh
+++ b/scripts/test/test-unit.sh
@@ -10,9 +10,9 @@ docker run --rm \
  -v "pkgmgr_nix_cache_${distro}:/root/.cache/nix" \
  -v pkgmgr_nix_store_${distro}:/nix \
  --workdir /src \
-  -e PKGMGR_DEV=1 \
+  -e REINSTALL_PKGMGR=1 \
  -e TEST_PATTERN="${TEST_PATTERN}" \
-  "package-manager-test-${distro}" \
+  "pkgmgr-${distro}" \
  bash -lc '
    set -e;
    git config --global --add safe.directory /src || true;
--- a/src/pkgmgr/main.py
+++ b/src/pkgmgr/main.py
@@ -0,0 +1,5 @@
 #!/usr/bin/env python3
 from pkgmgr.cli import main
 if __name__ == "__main__":
    main()
--- a/src/pkgmgr/actions/branch/init.py
+++ b/src/pkgmgr/actions/branch/init.py
@@ -1,235 +1,14 @@
 # pkgmgr/actions/branch/__init__.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
-High-level helpers for branch-related operations.
+Public API for branch actions.
 This module encapsulates the actual Git logic so the CLI layer
 (pkgmgr.cli.commands.branch) stays thin and testable.
 """
-from __future__ import annotations
+from .open_branch import open_branch
 from .close_branch import close_branch
 from .drop_branch import drop_branch
-from typing import Optional
+__all__ = [
-
+    "open_branch",
-from pkgmgr.core.git import run_git, GitError, get_current_branch
+    "close_branch",
-
+    "drop_branch",
-
+]
 # ---------------------------------------------------------------------------
 # Branch creation (open)
 # ---------------------------------------------------------------------------
 def open_branch(
    name: Optional[str],
    base_branch: str = "main",
    fallback_base: str = "master",
    cwd: str = ".",
 ) -> None:
    """
    Create and push a new feature branch on top of a base branch.
    The base branch is resolved by:
        1. Trying 'base_branch' (default: 'main')
        2. Falling back to 'fallback_base' (default: 'master')
    Steps:
        1) git fetch origin
        2) git checkout <resolved_base>
        3) git pull origin <resolved_base>
        4) git checkout -b <name>
        5) git push -u origin <name>
    If `name` is None or empty, the user is prompted to enter one.
    """
    # Request name interactively if not provided
    if not name:
        name = input("Enter new branch name: ").strip()
    if not name:
        raise RuntimeError("Branch name must not be empty.")
    # Resolve which base branch to use (main or master)
    resolved_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
    # 1) Fetch from origin
    try:
        run_git(["fetch", "origin"], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to fetch from origin before creating branch {name!r}: {exc}"
        ) from exc
    # 2) Checkout base branch
    try:
        run_git(["checkout", resolved_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to checkout base branch {resolved_base!r}: {exc}"
        ) from exc
    # 3) Pull latest changes for base branch
    try:
        run_git(["pull", "origin", resolved_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to pull latest changes for base branch {resolved_base!r}: {exc}"
        ) from exc
    # 4) Create new branch
    try:
        run_git(["checkout", "-b", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to create new branch {name!r} from base {resolved_base!r}: {exc}"
        ) from exc
    # 5) Push new branch to origin
    try:
        run_git(["push", "-u", "origin", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to push new branch {name!r} to origin: {exc}"
        ) from exc
 # ---------------------------------------------------------------------------
 # Base branch resolver (shared by open/close)
 # ---------------------------------------------------------------------------
 def _resolve_base_branch(
    preferred: str,
    fallback: str,
    cwd: str,
 ) -> str:
    """
    Resolve the base branch to use.
    Try `preferred` first (default: main),
    fall back to `fallback` (default: master).
    Raise RuntimeError if neither exists.
    """
    for candidate in (preferred, fallback):
        try:
            run_git(["rev-parse", "--verify", candidate], cwd=cwd)
            return candidate
        except GitError:
            continue
    raise RuntimeError(
        f"Neither {preferred!r} nor {fallback!r} exist in this repository."
    )
 # ---------------------------------------------------------------------------
 # Branch closing (merge + deletion)
 # ---------------------------------------------------------------------------
 def close_branch(
    name: Optional[str],
    base_branch: str = "main",
    fallback_base: str = "master",
    cwd: str = ".",
 ) -> None:
    """
    Merge a feature branch into the base branch and delete it afterwards.
    Steps:
        1) Determine the branch name (argument or current branch)
        2) Resolve base branch (main/master)
        3) Ask for confirmation
        4) git fetch origin
        5) git checkout <base>
        6) git pull origin <base>
        7) git merge --no-ff <name>
        8) git push origin <base>
        9) Delete branch locally
       10) Delete branch on origin (best effort)
    """
    # 1) Determine which branch should be closed
    if not name:
        try:
            name = get_current_branch(cwd=cwd)
        except GitError as exc:
            raise RuntimeError(f"Failed to detect current branch: {exc}") from exc
    if not name:
        raise RuntimeError("Branch name must not be empty.")
    # 2) Resolve base branch
    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
    if name == target_base:
        raise RuntimeError(
            f"Refusing to close base branch {target_base!r}. "
            "Please specify a feature branch."
        )
    # 3) Ask user for confirmation
    prompt = (
        f"Merge branch '{name}' into '{target_base}' and delete it afterwards? "
        "(y/N): "
    )
    answer = input(prompt).strip().lower()
    if answer != "y":
        print("Aborted closing branch.")
        return
    # 4) Fetch from origin
    try:
        run_git(["fetch", "origin"], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to fetch from origin before closing branch {name!r}: {exc}"
        ) from exc
    # 5) Checkout base
    try:
        run_git(["checkout", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to checkout base branch {target_base!r}: {exc}"
        ) from exc
    # 6) Pull latest base state
    try:
        run_git(["pull", "origin", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to pull latest changes for base branch {target_base!r}: {exc}"
        ) from exc
    # 7) Merge the feature branch
    try:
        run_git(["merge", "--no-ff", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to merge branch {name!r} into {target_base!r}: {exc}"
        ) from exc
    # 8) Push updated base
    try:
        run_git(["push", "origin", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to push base branch {target_base!r} after merge: {exc}"
        ) from exc
    # 9) Delete branch locally
    try:
        run_git(["branch", "-d", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to delete local branch {name!r}: {exc}"
        ) from exc
    # 10) Delete branch on origin (best effort)
    try:
        run_git(["push", "origin", "--delete", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Branch {name!r} was deleted locally, but remote deletion failed: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/close_branch.py
+++ b/src/pkgmgr/actions/branch/close_branch.py
@@ -0,0 +1,99 @@
 from __future__ import annotations
 from typing import Optional
 from pkgmgr.core.git import run_git, GitError, get_current_branch
 from .utils import _resolve_base_branch
 def close_branch(
    name: Optional[str],
    base_branch: str = "main",
    fallback_base: str = "master",
    cwd: str = ".",
    force: bool = False,
 ) -> None:
    """
    Merge a feature branch into the base branch and delete it afterwards.
    """
    # Determine branch name
    if not name:
        try:
            name = get_current_branch(cwd=cwd)
        except GitError as exc:
            raise RuntimeError(f"Failed to detect current branch: {exc}") from exc
    if not name:
        raise RuntimeError("Branch name must not be empty.")
    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
    if name == target_base:
        raise RuntimeError(
            f"Refusing to close base branch {target_base!r}. "
            "Please specify a feature branch."
        )
    # Confirmation
    if not force:
        answer = input(
            f"Merge branch '{name}' into '{target_base}' and delete it afterwards? (y/N): "
        ).strip().lower()
        if answer != "y":
            print("Aborted closing branch.")
            return
    # Fetch
    try:
        run_git(["fetch", "origin"], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to fetch from origin before closing branch {name!r}: {exc}"
        ) from exc
    # Checkout base
    try:
        run_git(["checkout", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to checkout base branch {target_base!r}: {exc}"
        ) from exc
    # Pull latest
    try:
        run_git(["pull", "origin", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to pull latest changes for base branch {target_base!r}: {exc}"
        ) from exc
    # Merge
    try:
        run_git(["merge", "--no-ff", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to merge branch {name!r} into {target_base!r}: {exc}"
        ) from exc
    # Push result
    try:
        run_git(["push", "origin", target_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to push base branch {target_base!r} after merge: {exc}"
        ) from exc
    # Delete local
    try:
        run_git(["branch", "-d", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to delete local branch {name!r}: {exc}"
        ) from exc
    # Delete remote
    try:
        run_git(["push", "origin", "--delete", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Branch {name!r} deleted locally, but remote deletion failed: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/drop_branch.py
+++ b/src/pkgmgr/actions/branch/drop_branch.py
@@ -0,0 +1,55 @@
 from __future__ import annotations
 from typing import Optional
 from pkgmgr.core.git import run_git, GitError, get_current_branch
 from .utils import _resolve_base_branch
 def drop_branch(
    name: Optional[str],
    base_branch: str = "main",
    fallback_base: str = "master",
    cwd: str = ".",
    force: bool = False,
 ) -> None:
    """
    Delete a branch locally and remotely without merging.
    """
    if not name:
        try:
            name = get_current_branch(cwd=cwd)
        except GitError as exc:
            raise RuntimeError(f"Failed to detect current branch: {exc}") from exc
    if not name:
        raise RuntimeError("Branch name must not be empty.")
    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
    if name == target_base:
        raise RuntimeError(
            f"Refusing to drop base branch {target_base!r}. It cannot be deleted."
        )
    # Confirmation
    if not force:
        answer = input(
            f"Delete branch '{name}' locally and on origin? This is destructive! (y/N): "
        ).strip().lower()
        if answer != "y":
            print("Aborted dropping branch.")
            return
    # Local delete
    try:
        run_git(["branch", "-d", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(f"Failed to delete local branch {name!r}: {exc}") from exc
    # Remote delete
    try:
        run_git(["push", "origin", "--delete", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Branch {name!r} was deleted locally, but remote deletion failed: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/open_branch.py
+++ b/src/pkgmgr/actions/branch/open_branch.py
@@ -0,0 +1,64 @@
 from __future__ import annotations
 from typing import Optional
 from pkgmgr.core.git import run_git, GitError
 from .utils import _resolve_base_branch
 def open_branch(
    name: Optional[str],
    base_branch: str = "main",
    fallback_base: str = "master",
    cwd: str = ".",
 ) -> None:
    """
    Create and push a new feature branch on top of a base branch.
    """
    # Request name interactively if not provided
    if not name:
        name = input("Enter new branch name: ").strip()
    if not name:
        raise RuntimeError("Branch name must not be empty.")
    resolved_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
    # 1) Fetch from origin
    try:
        run_git(["fetch", "origin"], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to fetch from origin before creating branch {name!r}: {exc}"
        ) from exc
    # 2) Checkout base branch
    try:
        run_git(["checkout", resolved_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to checkout base branch {resolved_base!r}: {exc}"
        ) from exc
    # 3) Pull latest changes
    try:
        run_git(["pull", "origin", resolved_base], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to pull latest changes for base branch {resolved_base!r}: {exc}"
        ) from exc
    # 4) Create new branch
    try:
        run_git(["checkout", "-b", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to create new branch {name!r} from base {resolved_base!r}: {exc}"
        ) from exc
    # 5) Push new branch
    try:
        run_git(["push", "-u", "origin", name], cwd=cwd)
    except GitError as exc:
        raise RuntimeError(
            f"Failed to push new branch {name!r} to origin: {exc}"
        ) from exc
--- a/src/pkgmgr/actions/branch/utils.py
+++ b/src/pkgmgr/actions/branch/utils.py
@@ -0,0 +1,27 @@
 from __future__ import annotations
 from pkgmgr.core.git import run_git, GitError
 def _resolve_base_branch(
    preferred: str,
    fallback: str,
    cwd: str,
 ) -> str:
    """
    Resolve the base branch to use.
    Try `preferred` first (default: main),
    fall back to `fallback` (default: master).
    Raise RuntimeError if neither exists.
    """
    for candidate in (preferred, fallback):
        try:
            run_git(["rev-parse", "--verify", candidate], cwd=cwd)
            return candidate
        except GitError:
            continue
    raise RuntimeError(
        f"Neither {preferred!r} nor {fallback!r} exist in this repository."
    )
--- a/src/pkgmgr/actions/install/init.py
+++ b/src/pkgmgr/actions/install/init.py
@@ -15,7 +15,7 @@ Responsibilities:
 from __future__ import annotations
 import os
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Optional
 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.dir import get_repo_dir
@@ -63,7 +63,7 @@ def _ensure_repo_dir(
    no_verification: bool,
    clone_mode: str,
    identifier: str,
-) -> str | None:
+) -> Optional[str]:
    """
    Compute and, if necessary, clone the repository directory.
--- a/src/pkgmgr/actions/install/capabilities.py
+++ b/src/pkgmgr/actions/install/capabilities.py
@@ -35,7 +35,7 @@ from __future__ import annotations
 import glob
 import os
 from abc import ABC, abstractmethod
-from typing import Iterable, TYPE_CHECKING
+from typing import Iterable, TYPE_CHECKING, Optional
 if TYPE_CHECKING:
    from pkgmgr.actions.install.context import RepoContext
@@ -46,7 +46,7 @@ if TYPE_CHECKING:
 # ---------------------------------------------------------------------------
-def _read_text_if_exists(path: str) -> str | None:
+def _read_text_if_exists(path: str) -> Optional[str]:
    """Read a file as UTF-8 text, returning None if it does not exist or fails."""
    if not os.path.exists(path):
        return None
@@ -75,7 +75,7 @@ def _scan_files_for_patterns(files: Iterable[str], patterns: Iterable[str]) -> b
    return False
-def _first_spec_file(repo_dir: str) -> str | None:
+def _first_spec_file(repo_dir: str) -> Optional[str]:
    """Return the first *.spec file in repo_dir, if any."""
    matches = glob.glob(os.path.join(repo_dir, "*.spec"))
    if not matches:
@@ -360,7 +360,7 @@ def detect_capabilities(
 def resolve_effective_capabilities(
    ctx: "RepoContext",
-    layers: Iterable[str] | None = None,
+    layers: Optional[Iterable[str]] = None,
 ) -> dict[str, set[str]]:
    """
    Resolve *effective* capabilities for each layer using a bottom-up strategy.
--- a/src/pkgmgr/actions/install/installers/base.py
+++ b/src/pkgmgr/actions/install/installers/base.py
@@ -6,7 +6,7 @@ Base interface for all installer components in the pkgmgr installation pipeline.
 """
 from abc import ABC, abstractmethod
-from typing import Set
+from typing import Set, Optional
 from pkgmgr.actions.install.context import RepoContext
 from pkgmgr.actions.install.capabilities import CAPABILITY_MATCHERS
@@ -24,7 +24,7 @@ class BaseInstaller(ABC):
    #   Examples: "nix", "python", "makefile".
    #   This is used by capability matchers to decide which patterns to
    #   search for in the repository.
-    layer: str | None = None
+    layer: Optional[str] = None
    def discover_capabilities(self, ctx: RepoContext) -> Set[str]:
        """
--- a/src/pkgmgr/actions/install/installers/os_packages/debian_control.py
+++ b/src/pkgmgr/actions/install/installers/os_packages/debian_control.py
@@ -17,7 +17,7 @@ apt/dpkg tooling are available.
 import glob
 import os
 import shutil
-from typing import List
+from typing import List, Optional
 from pkgmgr.actions.install.context import RepoContext
 from pkgmgr.actions.install.installers.base import BaseInstaller
@@ -67,7 +67,7 @@ class DebianControlInstaller(BaseInstaller):
        pattern = os.path.join(parent, "*.deb")
        return sorted(glob.glob(pattern))
-    def _privileged_prefix(self) -> str | None:
+    def _privileged_prefix(self) -> Optional[str]:
        """
        Determine how to run privileged commands:
--- a/src/pkgmgr/actions/mirror/git_remote.py
+++ b/src/pkgmgr/actions/mirror/git_remote.py
@@ -1,10 +1,10 @@
 from __future__ import annotations
 import os
 from typing import List, Optional, Set
 from pkgmgr.core.command.run import run_command
 from pkgmgr.core.git import GitError, run_git
 from typing import List, Optional, Set
 from .types import MirrorMap, RepoMirrorContext, Repository
--- a/src/pkgmgr/actions/release/README.md
+++ b/src/pkgmgr/actions/release/README.md
@@ -0,0 +1,218 @@
 # Release Action
 This module implements the `pkgmgr release` workflow.
 It provides a controlled, reproducible release process that:
 - bumps the project version
 - updates all supported packaging formats
 - creates and pushes Git tags
 - optionally maintains a floating `latest` tag
 - optionally closes the current branch
 The implementation is intentionally explicit and conservative to avoid
 accidental releases or broken Git states.
 ---
 ## What the Release Command Does
 A release performs the following high-level steps:
 1. Synchronize the current branch with its upstream (fast-forward only)
 2. Determine the next semantic version
 3. Update all versioned files
 4. Commit the release
 5. Create and push a version tag
 6. Optionally update and push the floating `latest` tag
 7. Optionally close the current branch
 All steps support **preview (dry-run)** mode.
 ---
 ## Supported Files Updated During a Release
 If present, the following files are updated automatically:
 - `pyproject.toml`
 - `CHANGELOG.md`
 - `flake.nix`
 - `PKGBUILD`
 - `package-manager.spec`
 - `debian/changelog`
 Missing files are skipped gracefully.
 ---
 ## Git Safety Rules
 The release workflow enforces strict Git safety guarantees:
 - A `git pull --ff-only` is executed **before any file modifications**
 - No merge commits are ever created automatically
 - Only the current branch and the newly created version tag are pushed
 - `git push --tags` is intentionally **not** used
 - The floating `latest` tag is force-pushed only when required
 ---
 ## Semantic Versioning
 The next version is calculated from existing Git tags:
 - Tags must follow the format `vX.Y.Z`
 - The release type controls the version bump:
  - `patch`
  - `minor`
  - `major`
 The new tag is always created as an **annotated tag**.
 ---
 ## Floating `latest` Tag
 The floating `latest` tag is handled explicitly:
 - `latest` is updated **only if** the new version is the highest existing version
 - Version comparison uses natural version sorting (`sort -V`)
 - `latest` always points to the commit behind the version tag
 - Updating `latest` uses a forced push by design
 This guarantees that `latest` always represents the highest released version,
 never an older release.
 ---
 ## Preview Mode
 Preview mode (`--preview`) performs a full dry-run:
 - No files are modified
 - No Git commands are executed
 - All intended actions are printed
 Example preview output includes:
 - version bump
 - file updates
 - commit message
 - tag creation
 - branch and tag pushes
 - `latest` update (if applicable)
 ---
 ## Interactive vs Forced Mode
 ### Interactive (default)
 1. Run a preview
 2. Ask for confirmation
 3. Execute the real release
 ### Forced (`--force`)
 - Skips preview and confirmation
 - Skips branch deletion prompts
 - Executes the release immediately
 ---
 ## Branch Closing (`--close`)
 When `--close` is enabled:
 - `main` and `master` are **never** deleted
 - Other branches:
  - prompt for confirmation (`y/N`)
  - can be skipped using `--force`
 - Branch deletion happens **only after** a successful release
 ---
 ## Execution Flow (ASCII Diagram)
 ```
 +---------------------+
 | pkgmgr release      |
 +----------+----------+
 |
 v
 +---------------------+
 | Detect branch       |
 +----------+----------+
 |
 v
 +------------------------------+
 | git fetch / pull --ff-only   |
 +----------+-------------------+
 |
 v
 +------------------------------+
 | Determine next version       |
 +----------+-------------------+
 |
 v
 +------------------------------+
 | Update versioned files       |
 +----------+-------------------+
 |
 v
 +------------------------------+
 | Commit release               |
 +----------+-------------------+
 |
 v
 +------------------------------+
 | Create version tag (vX.Y.Z)  |
 +----------+-------------------+
 |
 v
 +------------------------------+
 | Push branch + version tag    |
 +----------+-------------------+
 |
 v
 +---------------------------------------+
 | Is this the highest version?           |
 +----------+----------------------------+
 |
 yes  |  no
 |
 v
 +------------------------------+        +----------------------+
 | Update & push `latest` tag   |        | Skip `latest` update |
 +----------+-------------------+        +----------------------+
 |
 v
 +------------------------------+
 | Close branch (optional)      |
 +------------------------------+
 ```
 ---
 ## Design Goals
 - Deterministic and reproducible releases
 - No implicit Git side effects
 - Explicit tag handling
 - Safe defaults for interactive usage
 - Automation-friendly forced mode
 - Clear separation of concerns:
  - `workflow.py` – orchestration
  - `git_ops.py` – Git operations
  - `prompts.py` – user interaction
  - `versioning.py` – SemVer logic
 ---
 ## Summary
 `pkgmgr release` is a **deliberately strict** release mechanism.
 It trades convenience for safety, traceability, and correctness — making it
 suitable for both interactive development workflows and fully automated CI/CD
--- a/src/pkgmgr/actions/release/init.py
+++ b/src/pkgmgr/actions/release/init.py
@@ -1,310 +1,5 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
 Release helper for pkgmgr (public entry point).
 This package provides the high-level `release()` function used by the
 pkgmgr CLI to perform versioned releases:
  - Determine the next semantic version based on existing Git tags.
  - Update pyproject.toml with the new version.
  - Update additional packaging files (flake.nix, PKGBUILD,
    debian/changelog, RPM spec) where present.
  - Prepend a basic entry to CHANGELOG.md.
  - Move the floating 'latest' tag to the newly created release tag so
    the newest release is always marked as latest.
 Additional behaviour:
  - If `preview=True` (from --preview), no files are written and no
    Git commands are executed. Instead, a detailed summary of the
    planned changes and commands is printed.
  - If `preview=False` and not forced, the release is executed in two
    phases:
      1) Preview-only run (dry-run).
      2) Interactive confirmation, then real release if confirmed.
    This confirmation can be skipped with the `force=True` flag.
  - Before creating and pushing tags, main/master is updated from origin
    when the release is performed on one of these branches.
  - If `close=True` is used and the current branch is not main/master,
    the branch will be closed via branch_commands.close_branch() after
    a successful release.
 """
 from __future__ import annotations
-import os
+from .workflow import release
 import sys
 from typing import Optional
 from pkgmgr.core.git import get_current_branch, GitError
 from pkgmgr.actions.branch import close_branch
 from .versioning import determine_current_version, bump_semver
 from .git_ops import run_git_command, sync_branch_with_remote, update_latest_tag
 from .files import (
    update_pyproject_version,
    update_flake_version,
    update_pkgbuild_version,
    update_spec_version,
    update_changelog,
    update_debian_changelog,
    update_spec_changelog,
 )
 # ---------------------------------------------------------------------------
 # Internal implementation (single-phase, preview or real)
 # ---------------------------------------------------------------------------
 def _release_impl(
    pyproject_path: str = "pyproject.toml",
    changelog_path: str = "CHANGELOG.md",
    release_type: str = "patch",
    message: Optional[str] = None,
    preview: bool = False,
    close: bool = False,
 ) -> None:
    """
    Internal implementation that performs a single-phase release.
    """
    current_ver = determine_current_version()
    new_ver = bump_semver(current_ver, release_type)
    new_ver_str = str(new_ver)
    new_tag = new_ver.to_tag(with_prefix=True)
    mode = "PREVIEW" if preview else "REAL"
    print(f"Release mode: {mode}")
    print(f"Current version: {current_ver}")
    print(f"New version:     {new_ver_str} ({release_type})")
    repo_root = os.path.dirname(os.path.abspath(pyproject_path))
    # Update core project metadata and packaging files
    update_pyproject_version(pyproject_path, new_ver_str, preview=preview)
    changelog_message = update_changelog(
        changelog_path,
        new_ver_str,
        message=message,
        preview=preview,
    )
    flake_path = os.path.join(repo_root, "flake.nix")
    update_flake_version(flake_path, new_ver_str, preview=preview)
    pkgbuild_path = os.path.join(repo_root, "PKGBUILD")
    update_pkgbuild_version(pkgbuild_path, new_ver_str, preview=preview)
    spec_path = os.path.join(repo_root, "package-manager.spec")
    update_spec_version(spec_path, new_ver_str, preview=preview)
    # Determine a single effective_message to be reused across all
    # changelog targets (project, Debian, Fedora).
    effective_message: Optional[str] = message
    if effective_message is None and isinstance(changelog_message, str):
        if changelog_message.strip():
            effective_message = changelog_message.strip()
    debian_changelog_path = os.path.join(repo_root, "debian", "changelog")
    package_name = os.path.basename(repo_root) or "package-manager"
    # Debian changelog
    update_debian_changelog(
        debian_changelog_path,
        package_name=package_name,
        new_version=new_ver_str,
        message=effective_message,
        preview=preview,
    )
    # Fedora / RPM %changelog
    update_spec_changelog(
        spec_path=spec_path,
        package_name=package_name,
        new_version=new_ver_str,
        message=effective_message,
        preview=preview,
    )
    commit_msg = f"Release version {new_ver_str}"
    tag_msg = effective_message or commit_msg
    # Determine branch and ensure it is up to date if main/master
    try:
        branch = get_current_branch() or "main"
    except GitError:
        branch = "main"
    print(f"Releasing on branch: {branch}")
    # Ensure main/master are up-to-date from origin before creating and
    # pushing tags. For other branches we only log the intent.
    sync_branch_with_remote(branch, preview=preview)
    files_to_add = [
        pyproject_path,
        changelog_path,
        flake_path,
        pkgbuild_path,
        spec_path,
        debian_changelog_path,
    ]
    existing_files = [p for p in files_to_add if p and os.path.exists(p)]
    if preview:
        for path in existing_files:
            print(f"[PREVIEW] Would run: git add {path}")
        print(f'[PREVIEW] Would run: git commit -am "{commit_msg}"')
        print(f'[PREVIEW] Would run: git tag -a {new_tag} -m "{tag_msg}"')
        print(f"[PREVIEW] Would run: git push origin {branch}")
        print("[PREVIEW] Would run: git push origin --tags")
        # Also update the floating 'latest' tag to the new highest SemVer.
        update_latest_tag(new_tag, preview=True)
        if close and branch not in ("main", "master"):
            print(
                f"[PREVIEW] Would also close branch {branch} after the release "
                "(close=True and branch is not main/master)."
            )
        elif close:
            print(
                f"[PREVIEW] close=True but current branch is {branch}; "
                "no branch would be closed."
            )
        print("Preview completed. No changes were made.")
        return
    for path in existing_files:
        run_git_command(f"git add {path}")
    run_git_command(f'git commit -am "{commit_msg}"')
    run_git_command(f'git tag -a {new_tag} -m "{tag_msg}"')
    run_git_command(f"git push origin {branch}")
    run_git_command("git push origin --tags")
    # Move 'latest' to the new release tag so the newest SemVer is always
    # marked as latest. This is best-effort and must not break the release.
    try:
        update_latest_tag(new_tag, preview=False)
    except GitError as exc:  # pragma: no cover
        print(
            f"[WARN] Failed to update floating 'latest' tag for {new_tag}: {exc}\n"
            "[WARN] The release itself completed successfully; only the "
            "'latest' tag was not updated."
        )
    print(f"Release {new_ver_str} completed.")
    if close:
        if branch in ("main", "master"):
            print(
                f"[INFO] close=True but current branch is {branch}; "
                "nothing to close."
            )
            return
        print(
            f"[INFO] Closing branch {branch} after successful release "
            "(close=True and branch is not main/master)..."
        )
        try:
            close_branch(name=branch, base_branch="main", cwd=".")
        except Exception as exc:  # pragma: no cover
            print(f"[WARN] Failed to close branch {branch} automatically: {exc}")
 # ---------------------------------------------------------------------------
 # Public release entry point
 # ---------------------------------------------------------------------------
 def release(
    pyproject_path: str = "pyproject.toml",
    changelog_path: str = "CHANGELOG.md",
    release_type: str = "patch",
    message: Optional[str] = None,
    preview: bool = False,
    force: bool = False,
    close: bool = False,
 ) -> None:
    """
    High-level release entry point.
    Modes:
    - preview=True:
        * Single-phase PREVIEW only.
    - preview=False, force=True:
        * Single-phase REAL release, no interactive preview.
    - preview=False, force=False:
        * Two-phase flow (intended default for interactive CLI use).
    """
    if preview:
        _release_impl(
            pyproject_path=pyproject_path,
            changelog_path=changelog_path,
            release_type=release_type,
            message=message,
            preview=True,
            close=close,
        )
        return
    if force:
        _release_impl(
            pyproject_path=pyproject_path,
            changelog_path=changelog_path,
            release_type=release_type,
            message=message,
            preview=False,
            close=close,
        )
        return
    if not sys.stdin.isatty():
        _release_impl(
            pyproject_path=pyproject_path,
            changelog_path=changelog_path,
            release_type=release_type,
            message=message,
            preview=False,
            close=close,
        )
        return
    print("[INFO] Running preview before actual release...\n")
    _release_impl(
        pyproject_path=pyproject_path,
        changelog_path=changelog_path,
        release_type=release_type,
        message=message,
        preview=True,
        close=close,
    )
    try:
        answer = input("Proceed with the actual release? [y/N]: ").strip().lower()
    except (EOFError, KeyboardInterrupt):
        print("\n[INFO] Release aborted (no confirmation).")
        return
    if answer not in ("y", "yes"):
        print("Release aborted by user. No changes were made.")
        return
    print("\n[INFO] Running REAL release...\n")
    _release_impl(
        pyproject_path=pyproject_path,
        changelog_path=changelog_path,
        release_type=release_type,
        message=message,
        preview=False,
        close=close,
    )
 __all__ = ["release"]
--- a/src/pkgmgr/actions/release/git_ops.py
+++ b/src/pkgmgr/actions/release/git_ops.py
@@ -1,16 +1,3 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
 Git-related helpers for the release workflow.
 Responsibilities:
  - Run Git (or shell) commands with basic error reporting.
  - Ensure main/master are synchronized with origin before tagging.
  - Maintain the floating 'latest' tag that always points to the newest
    release tag.
 """
 from __future__ import annotations
 import subprocess
@@ -19,77 +6,87 @@ from pkgmgr.core.git import GitError
 def run_git_command(cmd: str) -> None:
    """
    Run a Git (or shell) command with basic error reporting.
    The command is executed via the shell, primarily for readability
    when printed (as in 'git commit -am "msg"').
    """
    print(f"[GIT] {cmd}")
    try:
-        subprocess.run(cmd, shell=True, check=True)
+        subprocess.run(
            cmd,
            shell=True,
            check=True,
            text=True,
            capture_output=True,
        )
    except subprocess.CalledProcessError as exc:
        print(f"[ERROR] Git command failed: {cmd}")
        print(f"        Exit code: {exc.returncode}")
        if exc.stdout:
-            print("--- stdout ---")
+            print("\n" + exc.stdout)
            print(exc.stdout)
        if exc.stderr:
-            print("--- stderr ---")
+            print("\n" + exc.stderr)
            print(exc.stderr)
        raise GitError(f"Git command failed: {cmd}") from exc
-def sync_branch_with_remote(branch: str, preview: bool = False) -> None:
+def _capture(cmd: str) -> str:
-    """
+    res = subprocess.run(cmd, shell=True, check=False, capture_output=True, text=True)
-    Ensure the local main/master branch is up-to-date before tagging.
+    return (res.stdout or "").strip()
-    Behaviour:
+
-      - For main/master: run 'git fetch origin' and 'git pull origin <branch>'.
+def ensure_clean_and_synced(preview: bool = False) -> None:
      - For all other branches: only log that no automatic sync is performed.
    """
-    if branch not in ("main", "master"):
+    Always run a pull BEFORE modifying anything.
-        print(
+    Uses --ff-only to avoid creating merge commits automatically.
-            f"[INFO] Skipping automatic git pull for non-main/master branch "
+    If no upstream is configured, we skip.
-            f"{branch}."
+    """
-        )
+    upstream = _capture("git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null")
    if not upstream:
        print("[INFO] No upstream configured for current branch. Skipping pull.")
        return
    print(
        f"[INFO] Updating branch {branch} from origin before creating tags..."
    )
    if preview:
-        print("[PREVIEW] Would run: git fetch origin")
+        print("[PREVIEW] Would run: git fetch origin --prune --tags --force")
-        print(f"[PREVIEW] Would run: git pull origin {branch}")
+        print("[PREVIEW] Would run: git pull --ff-only")
        return
-    run_git_command("git fetch origin")
+    print("[INFO] Syncing with remote before making any changes...")
-    run_git_command(f"git pull origin {branch}")
+    run_git_command("git fetch origin --prune --tags --force")
    run_git_command("git pull --ff-only")
 def is_highest_version_tag(tag: str) -> bool:
    """
    Return True if `tag` is the highest version among all tags matching v*.
    Comparison uses `sort -V` for natural version ordering.
    """
    all_v = _capture("git tag --list 'v*'")
    if not all_v:
        return True  # No tags yet, so the current tag is the highest
    # Get the latest tag in natural version order
    latest = _capture("git tag --list 'v*' | sort -V | tail -n1")
    print(f"[INFO] Latest tag: {latest}, Current tag: {tag}")
    # Ensure that the current tag is always considered the highest if it's the latest one
    return tag >= latest  # Use comparison operator to consider all future tags
 def update_latest_tag(new_tag: str, preview: bool = False) -> None:
    """
    Move the floating 'latest' tag to the newly created release tag.
-    Implementation details:
+    Notes:
-      - We explicitly dereference the tag object via `<tag>^{}` so that
+    - We dereference the tag object via `<tag>^{}` so that 'latest' points to the commit.
-        'latest' always points at the underlying commit, not at another tag.
+    - 'latest' is forced (floating tag), therefore the push uses --force.
      - We create/update 'latest' as an annotated tag with a short message so
        Git configurations that enforce annotated/signed tags do not fail
        with "no tag message".
    """
    target_ref = f"{new_tag}^{{}}"
    print(f"[INFO] Updating 'latest' tag to point at {new_tag} (commit {target_ref})...")
    if preview:
-        print(f"[PREVIEW] Would run: git tag -f -a latest {target_ref} "
+        print(
-              f'-m "Floating latest tag for {new_tag}"')
+            f'[PREVIEW] Would run: git tag -f -a latest {target_ref} '
            f'-m "Floating latest tag for {new_tag}"'
        )
        print("[PREVIEW] Would run: git push origin latest --force")
        return
    run_git_command(
-        f'git tag -f -a latest {target_ref} '
+        f'git tag -f -a latest {target_ref} -m "Floating latest tag for {new_tag}"'
        f'-m "Floating latest tag for {new_tag}"'
    )
    run_git_command("git push origin latest --force")
--- a/src/pkgmgr/actions/release/prompts.py
+++ b/src/pkgmgr/actions/release/prompts.py
@@ -0,0 +1,29 @@
 from __future__ import annotations
 import sys
 def should_delete_branch(force: bool) -> bool:
    """
    Ask whether the current branch should be deleted after a successful release.
    - If force=True: skip prompt and return True.
    - If non-interactive stdin: do NOT delete by default.
    """
    if force:
        return True
    if not sys.stdin.isatty():
        return False
    answer = input("Delete the current branch after release? [y/N] ").strip().lower()
    return answer in ("y", "yes")
 def confirm_proceed_release() -> bool:
    """
    Ask whether to proceed with the REAL release after the preview phase.
    """
    try:
        answer = input("Proceed with the actual release? [y/N]: ").strip().lower()
    except (EOFError, KeyboardInterrupt):
        return False
    return answer in ("y", "yes")
--- a/src/pkgmgr/actions/release/workflow.py
+++ b/src/pkgmgr/actions/release/workflow.py
@@ -0,0 +1,231 @@
 from __future__ import annotations
 from typing import Optional
 import os
 import sys
 from typing import Optional
 from pkgmgr.actions.branch import close_branch
 from pkgmgr.core.git import get_current_branch, GitError
 from .files import (
    update_changelog,
    update_debian_changelog,
    update_flake_version,
    update_pkgbuild_version,
    update_pyproject_version,
    update_spec_changelog,
    update_spec_version,
 )
 from .git_ops import (
    ensure_clean_and_synced,
    is_highest_version_tag,
    run_git_command,
    update_latest_tag,
 )
 from .prompts import confirm_proceed_release, should_delete_branch
 from .versioning import bump_semver, determine_current_version
 def _release_impl(
    pyproject_path: str = "pyproject.toml",
    changelog_path: str = "CHANGELOG.md",
    release_type: str = "patch",
    message: Optional[str] = None,
    preview: bool = False,
    close: bool = False,
    force: bool = False,
 ) -> None:
    # Determine current branch early
    try:
        branch = get_current_branch() or "main"
    except GitError:
        branch = "main"
    print(f"Releasing on branch: {branch}")
    # Pull BEFORE making any modifications
    ensure_clean_and_synced(preview=preview)
    current_ver = determine_current_version()
    new_ver = bump_semver(current_ver, release_type)
    new_ver_str = str(new_ver)
    new_tag = new_ver.to_tag(with_prefix=True)
    mode = "PREVIEW" if preview else "REAL"
    print(f"Release mode: {mode}")
    print(f"Current version: {current_ver}")
    print(f"New version:     {new_ver_str} ({release_type})")
    repo_root = os.path.dirname(os.path.abspath(pyproject_path))
    update_pyproject_version(pyproject_path, new_ver_str, preview=preview)
    changelog_message = update_changelog(
        changelog_path,
        new_ver_str,
        message=message,
        preview=preview,
    )
    flake_path = os.path.join(repo_root, "flake.nix")
    update_flake_version(flake_path, new_ver_str, preview=preview)
    pkgbuild_path = os.path.join(repo_root, "PKGBUILD")
    update_pkgbuild_version(pkgbuild_path, new_ver_str, preview=preview)
    spec_path = os.path.join(repo_root, "package-manager.spec")
    update_spec_version(spec_path, new_ver_str, preview=preview)
    effective_message: Optional[str] = message
    if effective_message is None and isinstance(changelog_message, str):
        if changelog_message.strip():
            effective_message = changelog_message.strip()
    debian_changelog_path = os.path.join(repo_root, "debian", "changelog")
    package_name = os.path.basename(repo_root) or "package-manager"
    update_debian_changelog(
        debian_changelog_path,
        package_name=package_name,
        new_version=new_ver_str,
        message=effective_message,
        preview=preview,
    )
    update_spec_changelog(
        spec_path=spec_path,
        package_name=package_name,
        new_version=new_ver_str,
        message=effective_message,
        preview=preview,
    )
    commit_msg = f"Release version {new_ver_str}"
    tag_msg = effective_message or commit_msg
    files_to_add = [
        pyproject_path,
        changelog_path,
        flake_path,
        pkgbuild_path,
        spec_path,
        debian_changelog_path,
    ]
    existing_files = [p for p in files_to_add if p and os.path.exists(p)]
    if preview:
        for path in existing_files:
            print(f"[PREVIEW] Would run: git add {path}")
        print(f'[PREVIEW] Would run: git commit -am "{commit_msg}"')
        print(f'[PREVIEW] Would run: git tag -a {new_tag} -m "{tag_msg}"')
        print(f"[PREVIEW] Would run: git push origin {branch}")
        print(f"[PREVIEW] Would run: git push origin {new_tag}")
        if is_highest_version_tag(new_tag):
            update_latest_tag(new_tag, preview=True)
        else:
            print(f"[PREVIEW] Skipping 'latest' update (tag {new_tag} is not the highest).")
        if close and branch not in ("main", "master"):
            if force:
                print(f"[PREVIEW] Would delete branch {branch} (forced).")
            else:
                print(f"[PREVIEW] Would ask whether to delete branch {branch} after release.")
        return
    for path in existing_files:
        run_git_command(f"git add {path}")
    run_git_command(f'git commit -am "{commit_msg}"')
    run_git_command(f'git tag -a {new_tag} -m "{tag_msg}"')
    # Push branch and ONLY the newly created version tag (no --tags)
    run_git_command(f"git push origin {branch}")
    run_git_command(f"git push origin {new_tag}")
    # Update 'latest' only if this is the highest version tag
    try:
        if is_highest_version_tag(new_tag):
            update_latest_tag(new_tag, preview=False)
        else:
            print(f"[INFO] Skipping 'latest' update (tag {new_tag} is not the highest).")
    except GitError as exc:
        print(f"[WARN] Failed to update floating 'latest' tag for {new_tag}: {exc}")
        print("'latest' tag was not updated.")
    print(f"Release {new_ver_str} completed.")
    if close:
        if branch in ("main", "master"):
            print(f"[INFO] close=True but current branch is {branch}; skipping branch deletion.")
            return
        if not should_delete_branch(force=force):
            print(f"[INFO] Branch deletion declined. Keeping branch {branch}.")
            return
        print(f"[INFO] Deleting branch {branch} after successful release...")
        try:
            close_branch(name=branch, base_branch="main", cwd=".")
        except Exception as exc:
            print(f"[WARN] Failed to close branch {branch} automatically: {exc}")
 def release(
    pyproject_path: str = "pyproject.toml",
    changelog_path: str = "CHANGELOG.md",
    release_type: str = "patch",
    message: Optional[str] = None,
    preview: bool = False,
    force: bool = False,
    close: bool = False,
 ) -> None:
    if preview:
        _release_impl(
            pyproject_path=pyproject_path,
            changelog_path=changelog_path,
            release_type=release_type,
            message=message,
            preview=True,
            close=close,
            force=force,
        )
        return
    # If force or non-interactive: no preview+confirmation step
    if force or (not sys.stdin.isatty()):
        _release_impl(
            pyproject_path=pyproject_path,
            changelog_path=changelog_path,
            release_type=release_type,
            message=message,
            preview=False,
            close=close,
            force=force,
        )
        return
    print("[INFO] Running preview before actual release...\n")
    _release_impl(
        pyproject_path=pyproject_path,
        changelog_path=changelog_path,
        release_type=release_type,
        message=message,
        preview=True,
        close=close,
        force=force,
    )
    if not confirm_proceed_release():
        print()
        return
    print("\n[INFO] Running REAL release...\n")
    _release_impl(
        pyproject_path=pyproject_path,
        changelog_path=changelog_path,
        release_type=release_type,
        message=message,
        preview=False,
        close=close,
        force=force,
    )
--- a/src/pkgmgr/cli/init.py
+++ b/src/pkgmgr/cli/init.py
@@ -19,7 +19,7 @@ USER_CONFIG_PATH = os.path.expanduser("~/.config/pkgmgr/config.yaml")
 DESCRIPTION_TEXT = """\
 \033[1;32mPackage Manager 🤖📦\033[0m
 \033[3mKevin's multi-distro package and workflow manager.\033[0m
-  \033[1;34mKevin Veen-Birkenbach\033[0m – \033[4mhttps://www.veen.world/\033[0m
+\033[1;34mKevin Veen-Birkenbach\033[0m – \033[4mhttps://s.veen.world/pkgmgr\033[0m
 Built in \033[1;33mPython\033[0m on top of \033[1;33mNix flakes\033[0m to manage many
 repositories and packaging formats (pyproject.toml, flake.nix,
--- a/src/pkgmgr/cli/commands/branch.py
+++ b/src/pkgmgr/cli/commands/branch.py
@@ -3,7 +3,7 @@ from __future__ import annotations
 import sys
 from pkgmgr.cli.context import CLIContext
-from pkgmgr.actions.branch import open_branch, close_branch
+from pkgmgr.actions.branch import open_branch, close_branch, drop_branch
 def handle_branch(args, ctx: CLIContext) -> None:
@@ -12,7 +12,8 @@ def handle_branch(args, ctx: CLIContext) -> None:
    Currently supported:
      - pkgmgr branch open  [<name>] [--base <branch>]
-      - pkgmgr branch close [<name>] [--base <branch>]
+      - pkgmgr branch close [<name>] [--base <branch>] [--force|-f]
      - pkgmgr branch drop  [<name>] [--base <branch>] [--force|-f]
    """
    if args.subcommand == "open":
        open_branch(
@@ -27,6 +28,16 @@ def handle_branch(args, ctx: CLIContext) -> None:
            name=getattr(args, "name", None),
            base_branch=getattr(args, "base", "main"),
            cwd=".",
            force=getattr(args, "force", False),
        )
        return
    if args.subcommand == "drop":
        drop_branch(
            name=getattr(args, "name", None),
            base_branch=getattr(args, "base", "main"),
            cwd=".",
            force=getattr(args, "force", False),
        )
        return
--- a/src/pkgmgr/cli/commands/changelog.py
+++ b/src/pkgmgr/cli/commands/changelog.py
@@ -1,4 +1,5 @@
 from __future__ import annotations
 from typing import Optional
 import os
 import sys
--- a/src/pkgmgr/cli/commands/config.py
+++ b/src/pkgmgr/cli/commands/config.py
@@ -7,7 +7,7 @@ import os
 import sys
 import shutil
 from pathlib import Path
-from typing import Any, Dict
+from typing import Any, Dict, Optional
 import yaml
@@ -36,7 +36,7 @@ def _load_user_config(user_config_path: str) -> Dict[str, Any]:
    return {"repositories": []}
-def _find_defaults_source_dir() -> str | None:
+def _find_defaults_source_dir() -> Optional[str]:
    """
    Find the directory inside the installed pkgmgr package OR the
    project root that contains default config files.
--- a/src/pkgmgr/cli/commands/version.py
+++ b/src/pkgmgr/cli/commands/version.py
@@ -1,4 +1,5 @@
 from __future__ import annotations
 from typing import Optional
 import os
 import sys
--- a/src/pkgmgr/cli/parser/branch_cmd.py
+++ b/src/pkgmgr/cli/parser/branch_cmd.py
@@ -14,7 +14,7 @@ def add_branch_subparsers(
    """
    branch_parser = subparsers.add_parser(
        "branch",
-        help="Branch-related utilities (e.g. open/close feature branches)",
+        help="Branch-related utilities (e.g. open/close/drop feature branches)",
    )
    branch_subparsers = branch_parser.add_subparsers(
        dest="subcommand",
@@ -22,6 +22,9 @@ def add_branch_subparsers(
        required=True,
    )
    # -----------------------------------------------------------------------
    # branch open
    # -----------------------------------------------------------------------
    branch_open = branch_subparsers.add_parser(
        "open",
        help="Create and push a new branch on top of a base branch",
@@ -40,6 +43,9 @@ def add_branch_subparsers(
        help="Base branch to create the new branch from (default: main)",
    )
    # -----------------------------------------------------------------------
    # branch close
    # -----------------------------------------------------------------------
    branch_close = branch_subparsers.add_parser(
        "close",
        help="Merge a feature branch into base and delete it",
@@ -60,3 +66,39 @@ def add_branch_subparsers(
            "internally if main does not exist)"
        ),
    )
    branch_close.add_argument(
        "-f",
        "--force",
        action="store_true",
        help="Skip confirmation prompt and close the branch directly",
    )
    # -----------------------------------------------------------------------
    # branch drop
    # -----------------------------------------------------------------------
    branch_drop = branch_subparsers.add_parser(
        "drop",
        help="Delete a branch locally and on origin (without merging)",
    )
    branch_drop.add_argument(
        "name",
        nargs="?",
        help=(
            "Name of the branch to drop (optional; current branch is used "
            "if omitted)"
        ),
    )
    branch_drop.add_argument(
        "--base",
        default="main",
        help=(
            "Base branch used to protect main/master from deletion "
            "(default: main; falls back to master internally)"
        ),
    )
    branch_drop.add_argument(
        "-f",
        "--force",
        action="store_true",
        help="Skip confirmation prompt and drop the branch directly",
    )
--- a/src/pkgmgr/core/command/resolve.py
+++ b/src/pkgmgr/core/command/resolve.py
@@ -1,3 +1,4 @@
 from typing import Optional
 import os
 import shutil
 from typing import Optional, List, Dict, Any
--- a/src/pkgmgr/core/command/run.py
+++ b/src/pkgmgr/core/command/run.py
@@ -1,3 +1,4 @@
 from typing import Optional
 # pkgmgr/run_command.py
 import subprocess
 import sys
--- a/src/pkgmgr/core/config/load.py
+++ b/src/pkgmgr/core/config/load.py
@@ -40,7 +40,7 @@ from __future__ import annotations
 import os
 from pathlib import Path
-from typing import Any, Dict, List, Tuple
+from typing import Any, Dict, List, Tuple, Optional
 import yaml
@@ -83,7 +83,7 @@ def _repo_key(repo: Repo) -> Tuple[str, str, str]:
 def _merge_repo_lists(
    base_list: List[Repo],
    new_list: List[Repo],
-    category_name: str | None = None,
+    category_name: Optional[str] = None,
 ) -> List[Repo]:
    """
    Merge two repository lists, matching by (provider, account, repository).
@@ -143,7 +143,7 @@ def _load_yaml_file(path: Path) -> Dict[str, Any]:
 def _load_layer_dir(
    config_dir: Path,
-    skip_filename: str | None = None,
+    skip_filename: Optional[str] = None,
 ) -> Dict[str, Any]:
    """
    Load all *.yml/*.yaml from a directory as layered defaults.
--- a/tests/e2e/test_branch_commands.py
+++ b/tests/e2e/test_branch_commands.py
@@ -27,7 +27,7 @@ class TestIntegrationBranchCommands(unittest.TestCase):
        try:
            # argv[0] is the program name; the rest are CLI arguments.
            sys.argv = ["pkgmgr"] + list(extra_args)
-            runpy.run_module("main", run_name="__main__")
+            runpy.run_module("pkgmgr", run_name="__main__")
        finally:
            sys.argv = original_argv
--- a/tests/e2e/test_branch_help.py
+++ b/tests/e2e/test_branch_help.py
@@ -0,0 +1,80 @@
 from __future__ import annotations
 import io
 import runpy
 import sys
 import unittest
 from contextlib import redirect_stdout, redirect_stderr
 def _run_pkgmgr_help(argv_tail: list[str]) -> str:
    """
    Run `pkgmgr <argv_tail> --help` via the main module and return captured output.
    argparse parses sys.argv[1:], so argv[0] must be a dummy program name.
    Any SystemExit with code 0 or None is treated as success.
    """
    original_argv = list(sys.argv)
    buffer = io.StringIO()
    cmd_repr = "pkgmgr " + " ".join(argv_tail) + " --help"
    try:
        # IMPORTANT: argv[0] must be a dummy program name
        sys.argv = ["pkgmgr"] + list(argv_tail) + ["--help"]
        try:
            with redirect_stdout(buffer), redirect_stderr(buffer):
                runpy.run_module("pkgmgr", run_name="__main__")
        except SystemExit as exc:
            code = exc.code if isinstance(exc.code, int) else None
            if code not in (0, None):
                raise AssertionError(
                    f"{cmd_repr!r} failed with exit code {exc.code}."
                ) from exc
        return buffer.getvalue()
    finally:
        sys.argv = original_argv
 class TestBranchHelpE2E(unittest.TestCase):
    """
    End-to-end tests ensuring that `pkgmgr branch` help commands
    run without error and print usage information.
    """
    def test_branch_root_help(self) -> None:
        """
        `pkgmgr branch --help` should run without error.
        """
        output = _run_pkgmgr_help(["branch"])
        self.assertIn("usage:", output)
        self.assertIn("pkgmgr branch", output)
    def test_branch_open_help(self) -> None:
        """
        `pkgmgr branch open --help` should run without error.
        """
        output = _run_pkgmgr_help(["branch", "open"])
        self.assertIn("usage:", output)
        self.assertIn("branch open", output)
    def test_branch_close_help(self) -> None:
        """
        `pkgmgr branch close --help` should run without error.
        """
        output = _run_pkgmgr_help(["branch", "close"])
        self.assertIn("usage:", output)
        self.assertIn("branch close", output)
    def test_branch_drop_help(self) -> None:
        """
        `pkgmgr branch drop --help` should run without error.
        """
        output = _run_pkgmgr_help(["branch", "drop"])
        self.assertIn("usage:", output)
        self.assertIn("branch drop", output)
 if __name__ == "__main__":
    unittest.main()
--- a/tests/e2e/test_changelog_commands.py
+++ b/tests/e2e/test_changelog_commands.py
@@ -53,7 +53,7 @@ class TestIntegrationChangelogCommands(unittest.TestCase):
            sys.argv = ["pkgmgr", "changelog"] + list(extra_args)
            try:
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else str(exc.code)
                if code != 0:
--- a/tests/e2e/test_clone_all.py
+++ b/tests/e2e/test_clone_all.py
@@ -47,7 +47,7 @@ class TestIntegrationCloneAllHttps(unittest.TestCase):
            try:
                # Execute main.py as if it was called from CLI.
                # This will run the full clone pipeline inside the container.
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                # Determine the exit code (int or string)
                exit_code = exc.code
--- a/tests/e2e/test_config_commands.py
+++ b/tests/e2e/test_config_commands.py
@@ -34,7 +34,7 @@ def _run_pkgmgr_config(extra_args: list[str]) -> None:
        sys.argv = ["pkgmgr"] + extra_args
        try:
-            runpy.run_module("main", run_name="__main__")
+            runpy.run_module("pkgmgr", run_name="__main__")
        except SystemExit as exc:
            code = exc.code if isinstance(exc.code, int) else str(exc.code)
            if code != 0:
--- a/tests/e2e/test_install_pkgmgr_shallow.py
+++ b/tests/e2e/test_install_pkgmgr_shallow.py
@@ -139,7 +139,7 @@ class TestIntegrationInstalPKGMGRShallow(unittest.TestCase):
            ]
            # Execute installation via main.py
-            runpy.run_module("main", run_name="__main__")
+            runpy.run_module("pkgmgr", run_name="__main__")
            # Debug: interactive shell test
            pkgmgr_help_debug()
--- a/tests/e2e/test_list_commands.py
+++ b/tests/e2e/test_list_commands.py
@@ -27,7 +27,7 @@ class TestIntegrationListCommands(unittest.TestCase):
            sys.argv = ["pkgmgr"] + args
            try:
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else str(exc.code)
                if code != 0:
--- a/tests/e2e/test_make_commands.py
+++ b/tests/e2e/test_make_commands.py
@@ -44,7 +44,7 @@ class TestIntegrationMakeCommands(unittest.TestCase):
            sys.argv = ["pkgmgr"] + extra_args
            try:
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else str(exc.code)
                if code != 0:
--- a/tests/e2e/test_mirror_commands.py
+++ b/tests/e2e/test_mirror_commands.py
@@ -50,7 +50,7 @@ class TestIntegrationMirrorCommands(unittest.TestCase):
            try:
                with redirect_stdout(buffer), redirect_stderr(buffer):
-                    runpy.run_module("main", run_name="__main__")
+                    runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else None
                if code not in (0, None):
--- a/tests/e2e/test_path_commands.py
+++ b/tests/e2e/test_path_commands.py
@@ -50,7 +50,7 @@ class TestPathCommandsE2E(unittest.TestCase):
            try:
                # Capture stdout while running the CLI entry point.
                with redirect_stdout(buffer):
-                    runpy.run_module("main", run_name="__main__")
+                    runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                # Determine the exit code (int or string)
                exit_code = exc.code
--- a/tests/e2e/test_proxy_commands.py
+++ b/tests/e2e/test_proxy_commands.py
@@ -27,7 +27,7 @@ class TestIntegrationProxyCommands(unittest.TestCase):
            sys.argv = ["pkgmgr"] + args
            try:
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else str(exc.code)
                if code != 0:
--- a/tests/e2e/test_release_commands.py
+++ b/tests/e2e/test_release_commands.py
@@ -44,7 +44,7 @@ class TestIntegrationReleaseCommand(unittest.TestCase):
        try:
            # argv[0] is the program name; the rest are CLI arguments.
            sys.argv = ["pkgmgr"] + list(extra_args)
-            runpy.run_module("main", run_name="__main__")
+            runpy.run_module("pkgmgr", run_name="__main__")
        finally:
            sys.argv = original_argv
@@ -152,7 +152,7 @@ class TestIntegrationReleaseCommand(unittest.TestCase):
            # argparse will call sys.exit(), so we expect a SystemExit here.
            with contextlib.redirect_stdout(buf), contextlib.redirect_stderr(buf):
                with self.assertRaises(SystemExit) as cm:
-                    runpy.run_module("main", run_name="__main__")
+                    runpy.run_module("pkgmgr", run_name="__main__")
        finally:
            sys.argv = original_argv
--- a/tests/e2e/test_tools_commands.py
+++ b/tests/e2e/test_tools_commands.py
@@ -55,7 +55,7 @@ class TestIntegrationToolsCommands(unittest.TestCase):
            sys.argv = ["pkgmgr"] + extra_args
            try:
-                runpy.run_module("main", run_name="__main__")
+                runpy.run_module("pkgmgr", run_name="__main__")
            except SystemExit as exc:
                code = exc.code if isinstance(exc.code, int) else str(exc.code)
                if code != 0:
--- a/tests/e2e/test_tools_help.py
+++ b/tests/e2e/test_tools_help.py
@@ -18,14 +18,6 @@ import sys
 import unittest
 from typing import List
 # Resolve project root (the repo where main.py lives, e.g. /src)
 PROJECT_ROOT = os.path.abspath(
    os.path.join(os.path.dirname(__file__), "..", "..")
 )
 MAIN_PATH = os.path.join(PROJECT_ROOT, "main.py")
 def _run_main(argv: List[str]) -> None:
    """
    Helper to run main.py with the given argv.
@@ -40,7 +32,7 @@ def _run_main(argv: List[str]) -> None:
    try:
        sys.argv = ["pkgmgr"] + argv
        try:
-            runpy.run_path(MAIN_PATH, run_name="__main__")
+            runpy.run_module("pkgmgr", run_name="__main__")
        except SystemExit as exc:  # argparse uses this for --help
            # SystemExit.code can be int, str or None; for our purposes:
            code = exc.code
--- a/Show More
+++ b/Show More