Release version 1.8.2

* Move VS Code workspace logic (incl. guards) from cli.commands.tools into cli.tools.vscode
* Extract shared repo path resolution into cli.tools.paths and reuse for explore/terminal
* Simplify cli.commands.tools to pure orchestration via open_vscode_workspace
* Update existing tools command unit test to assert delegation instead of patching removed internals
* Add new unit tests for cli.tools.paths and cli.tools.vscode (workspace creation, reuse, guard errors)

https://chatgpt.com/share/69419a6a-c9e4-800f-9538-b6652b2da6b3

.github/workflows/ci.yml

@@ -28,8 +28,8 @@ jobs:
   test-virgin-root:
     uses: ./.github/workflows/test-virgin-root.yml
 
-  codesniffer-shellcheck:
-    uses: ./.github/workflows/codesniffer-shellcheck.yml
+  lint-shell:
+    uses: ./.github/workflows/lint-shell.yml
 
-  codesniffer-ruff:
-    uses: ./.github/workflows/codesniffer-ruff.yml
+  lint-python:
+    uses: ./.github/workflows/lint-python.yml

.github/workflows/lint-python.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
 
 jobs:
-  codesniffer-ruff:
+  lint-python:
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/lint-shell.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
 
 jobs:
-  codesniffer-shellcheck:
+  lint-shell:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/mark-stable.yml

@@ -29,16 +29,16 @@ jobs:
   test-virgin-root:
     uses: ./.github/workflows/test-virgin-root.yml
 
-  codesniffer-shellcheck:
-    uses: ./.github/workflows/codesniffer-shellcheck.yml
+  lint-shell:
+    uses: ./.github/workflows/lint-shell.yml
 
-  codesniffer-ruff:
-    uses: ./.github/workflows/codesniffer-ruff.yml
+  lint-python:
+    uses: ./.github/workflows/lint-python.yml
 
   mark-stable:
     needs:
-      - codesniffer-shellcheck
-      - codesniffer-ruff
+      - lint-shell
+      - lint-python
       - test-unit
       - test-integration
       - test-env-nix

.github/workflows/publish-containers.yml

@@ -19,7 +19,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          fetch-tags: true
 
       - name: Checkout workflow_run commit and refresh tags
         run: |
@@ -35,22 +34,30 @@ jobs:
           SHA="$(git rev-parse HEAD)"
 
           V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
-          [[ -n "$V_TAG" ]] || { echo "No version tag found"; exit 1; }
+          if [[ -z "${V_TAG}" ]]; then
+            echo "No version tag found for ${SHA}. Skipping publish."
+            echo "should_publish=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           VERSION="${V_TAG#v}"
 
           STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)"
           IS_STABLE=false
           [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]] && IS_STABLE=true
 
+          echo "should_publish=true" >> "$GITHUB_OUTPUT"
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         uses: docker/setup-buildx-action@v3
         with:
           use: true
 
       - name: Login to GHCR
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -58,6 +65,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish all images
+        if: ${{ steps.info.outputs.should_publish == 'true' }}
         run: |
           set -euo pipefail
           OWNER="${{ github.repository_owner }}" \

CHANGELOG.md

@@ -1,3 +1,62 @@
+## [1.8.2] - 2025-12-16
+
+* * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+
+## [1.8.1] - 2025-12-16
+
+* * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+
+## [1.8.0] - 2025-12-15
+
+* *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+
+## [1.7.2] - 2025-12-15
+
+* * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+
+## [1.7.1] - 2025-12-14
+
+* Patched package-manager to kpmx to publish on pypi
+
+
+## [1.7.0] - 2025-12-14
+
+* * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
+
+## [1.6.4] - 2025-12-14
+
+* * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+
+## [1.6.3] - 2025-12-14
+
+* ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
+
 ## [1.6.2] - 2025-12-14
 
 * **pkgmgr version** now also shows the installed pkgmgr version when run outside a repository.

MIRRORS

@@ -1,3 +1,4 @@
 git@github.com:kevinveenbirkenbach/package-manager.git
 ssh://git@git.veen.world:2201/kevinveenbirkenbach/pkgmgr.git
-ssh://git@code.cymais.cloud:2201/kevinveenbirkenbach/pkgmgr.git
+ssh://git@code.infinito.nexus:2201/kevinveenbirkenbach/pkgmgr.git
+https://pypi.org/project/kpmx/

flake.nix

@@ -32,7 +32,7 @@
         rec {
           pkgmgr = pyPkgs.buildPythonApplication {
             pname   = "package-manager";
-            version = "1.6.2";
+            version = "1.8.2";
 
             # Use the git repo as source
             src = ./.;
@@ -49,6 +49,7 @@
             # Runtime dependencies (matches [project.dependencies] in pyproject.toml)
             propagatedBuildInputs = [
               pyPkgs.pyyaml
+              pyPkgs.jinja2
               pyPkgs.pip
             ];
 
@@ -78,6 +79,7 @@
           pythonWithDeps = python.withPackages (ps: [
             ps.pip
             ps.pyyaml
+            ps.jinja2
           ]);
         in
         {

packaging/arch/PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Kevin Veen-Birkenbach <info@veen.world>
 
 pkgname=package-manager
-pkgver=0.9.1
+pkgver=1.8.2
 pkgrel=1
 pkgdesc="Local-flake wrapper for Kevin's package-manager (Nix-based)."
 arch=('any')

packaging/debian/changelog

@@ -1,3 +1,70 @@
+package-manager (1.8.2-1) unstable; urgency=medium
+
+  * * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 16 Dec 2025 19:22:41 +0100
+
+package-manager (1.8.1-1) unstable; urgency=medium
+
+  * * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Tue, 16 Dec 2025 18:06:35 +0100
+
+package-manager (1.8.0-1) unstable; urgency=medium
+
+  * *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Mon, 15 Dec 2025 13:37:42 +0100
+
+package-manager (1.7.2-1) unstable; urgency=medium
+
+  * * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Mon, 15 Dec 2025 00:53:26 +0100
+
+package-manager (1.7.1-1) unstable; urgency=medium
+
+  * Patched package-manager to kpmx to publish on pypi
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 21:19:11 +0100
+
+package-manager (1.7.0-1) unstable; urgency=medium
+
+  * * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 21:10:06 +0100
+
+package-manager (1.6.4-1) unstable; urgency=medium
+
+  * * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 19:33:07 +0100
+
+package-manager (1.6.3-1) unstable; urgency=medium
+
+  * ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
+ -- Kevin Veen-Birkenbach <kevin@veen.world>  Sun, 14 Dec 2025 13:39:52 +0100
+
 package-manager (0.9.1-1) unstable; urgency=medium
 
   * * Refactored installer: new `venv-create.sh`, cleaner root/user setup flow, updated README with architecture map.

packaging/fedora/package-manager.spec

@@ -1,5 +1,5 @@
 Name:           package-manager
-Version:        0.9.1
+Version:        1.8.2
 Release:        1%{?dist}
 Summary:        Wrapper that runs Kevin's package-manager via Nix flake
 
@@ -74,6 +74,49 @@ echo ">>> package-manager removed. Nix itself was not removed."
 /usr/lib/package-manager/
 
 %changelog
+* Tue Dec 16 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.2-1
+- * ***pkgmgr tools code*** is more robust and predictable: it now fails early with clear errors if VS Code is not installed or a repository is not yet identified.
+
+* Tue Dec 16 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.1-1
+- * Improved stability and consistency of all Git operations (clone, pull, push, release, branch handling) with clearer error messages and predictable preview behavior.
+* Mirrors are now handled cleanly: only valid Git remotes are used for Git operations, while non-Git URLs (e.g. PyPI) are excluded, preventing broken or confusing repository configs.
+* GitHub authentication is more robust: tokens are automatically resolved via the GitHub CLI (`gh`), invalid stored tokens are replaced, and interactive prompts occur only when necessary.
+* Repository creation and release workflows are more reliable, producing cleaner Git configurations and more predictable version handling.
+
+* Mon Dec 15 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.8.0-1
+- *** New Features: ***
+- **Silent Updates**: You can now use the `--silent` flag during installs and updates to suppress error messages for individual repositories and get a single summary at the end. This ensures the process continues even if some repositories fail, while still preserving interactive checks when not in silent mode.
+- **Repository Scaffolding**: The process for creating new repositories has been improved. You can now use templates to scaffold repositories with a preview and automatic mirror setup.
+
+*** Bug Fixes: ***
+- **Pip Installation**: Pip is now installed automatically on all supported systems. This includes `python-pip` for Arch and `python3-pip` for CentOS, Debian, Fedora, and Ubuntu, ensuring that pip is available for Python package installations.
+- **Pacman Keyring**: Fixed an issue on Arch Linux where package installation would fail due to missing keys. The pacman keyring is now properly initialized before installing packages.
+
+* Mon Dec 15 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.2-1
+- * Git mirrors are now resolved consistently (origin → MIRRORS file → config → default).
+* The `origin` remote is always enforced to use the primary URL for both fetch and push.
+* Additional mirrors are added as extra push targets without duplication.
+* Local and remote mirror setup behaves more predictably and consistently.
+* Improved test coverage ensures stable origin and push URL handling.
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.1-1
+- Patched package-manager to kpmx to publish on pypi
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.7.0-1
+- * New *pkgmgr publish* command to publish repository artifacts to PyPI based on the *MIRRORS* file.
+* Automatically selects the current repository when no explicit selection is given.
+* Publishes only when a semantic version tag is present on *HEAD*; otherwise skips with a clear info message.
+* Supports non-interactive mode for CI environments via *--non-interactive*.
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.6.4-1
+- * Improved reliability of Nix installs and updates, including automatic resolution of profile conflicts and better handling of GitHub 403 rate limits.
+* More stable launcher behavior in packaged and virtual-env setups.
+* Enhanced mirror and remote handling: repository owner/name are derived from URLs, with smoother provisioning and clearer credential handling.
+* More reliable releases and artifacts due to safer CI behavior when no version tag is present.
+
+* Sun Dec 14 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 1.6.3-1
+- ***Fixed:*** Corrected repository path resolution so release and version logic consistently use the canonical packaging/* layout, preventing changelog and packaging files from being read or updated from incorrect locations.
+
 * Wed Dec 10 2025 Kevin Veen-Birkenbach <kevin@veen.world> - 0.9.1-1
 - * Refactored installer: new `venv-create.sh`, cleaner root/user setup flow, updated README with architecture map.
 * Split virgin tests into root/user workflows; stabilized Nix installer across distros; improved test scripts with dynamic distro selection and isolated Nix stores.

pyproject.toml

@@ -6,8 +6,8 @@ requires = [
 build-backend = "setuptools.build_meta"
 
 [project]
-name = "package-manager"
-version = "1.6.2"
+name = "kpmx"
+version = "1.8.2"
 description = "Kevin's package-manager tool (pkgmgr)"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -21,6 +21,7 @@ authors = [
 dependencies = [
   "PyYAML>=6.0",
   "tomli; python_version < \"3.11\"",
+  "jinja2>=3.1"
 ]
 
 [project.urls]

scripts/installation/arch/dependencies.sh

@@ -6,6 +6,13 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 echo "[arch/dependencies] Installing Arch build dependencies..."
 
 pacman -Syu --noconfirm
+
+if ! pacman-key --list-sigs &>/dev/null; then
+    echo "[arch/dependencies] Initializing pacman keyring..."
+    pacman-key --init
+    pacman-key --populate archlinux
+fi
+
 pacman -S --noconfirm --needed \
   base-devel \
   git \
@@ -13,6 +20,7 @@ pacman -S --noconfirm --needed \
   curl \
   ca-certificates \
   python \
+  python-pip \
   xz
 
 pacman -Scc --noconfirm

scripts/installation/centos/dependencies.sh

@@ -14,6 +14,7 @@ dnf -y install \
   curl-minimal \
   ca-certificates \
   python3 \
+  python3-pip \
   sudo \
   xz
 

scripts/installation/debian/dependencies.sh

@@ -15,6 +15,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
   ca-certificates \
   python3 \
   python3-venv \
+  python3-pip \
   xz-utils
 
 rm -rf /var/lib/apt/lists/*

scripts/installation/fedora/dependencies.sh

@@ -14,6 +14,7 @@ dnf -y install \
   curl \
   ca-certificates \
   python3 \
+  python3-pip \
   xz
 
 dnf clean all

scripts/installation/ubuntu/dependencies.sh

@@ -17,6 +17,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
   make \
   python3 \
   python3-venv \
+  python3-pip \
   ca-certificates \
   xz-utils
 

scripts/launcher.sh

@@ -2,6 +2,16 @@
 set -euo pipefail
 
 FLAKE_DIR="/usr/lib/package-manager"
+NIX_LIB_DIR="${FLAKE_DIR}/nix/lib"
+RETRY_LIB="${NIX_LIB_DIR}/retry_403.sh"
+
+# ---------------------------------------------------------------------------
+# Hard requirement: retry helper must exist (fail if missing)
+# ---------------------------------------------------------------------------
+if [[ ! -f "${RETRY_LIB}" ]]; then
+  echo "[launcher] ERROR: Required retry helper not found: ${RETRY_LIB}" >&2
+  exit 1
+fi
 
 # ---------------------------------------------------------------------------
 # Try to ensure that "nix" is on PATH (common locations + container user)
@@ -32,9 +42,13 @@ if ! command -v nix >/dev/null 2>&1; then
 fi
 
 # ---------------------------------------------------------------------------
-# Primary path: use Nix flake if available
+# Primary path: use Nix flake if available (with GitHub 403 retry)
 # ---------------------------------------------------------------------------
-if command -v nix >/dev/null 2>&1; then
+if declare -F run_with_github_403_retry >/dev/null; then
+  # shellcheck source=./scripts/nix/lib/retry_403.sh
+  source "${RETRY_LIB}"
+  exec run_with_github_403_retry nix run "${FLAKE_DIR}#pkgmgr" -- "$@"
+else
   exec nix run "${FLAKE_DIR}#pkgmgr" -- "$@"
 fi
 

scripts/test/test-env-virtual.sh

@@ -1,32 +1,49 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-IMAGE="pkgmgr-$PKGMGR_DISTRO"
+IMAGE="pkgmgr-${PKGMGR_DISTRO}"
 
 echo
 echo "------------------------------------------------------------"
-echo ">>> Testing VENV: $IMAGE"
+echo ">>> Testing VENV: ${IMAGE}"
 echo "------------------------------------------------------------"
+
 echo "[test-env-virtual] Inspect image metadata:"
-docker image inspect "$IMAGE" | sed -n '1,40p'
-
-echo "[test-env-virtual] Running: docker run --rm --entrypoint pkgmgr $IMAGE --help"
+docker image inspect "${IMAGE}" | sed -n '1,40p'
 echo
 
-# Run the command and capture the output
+# ------------------------------------------------------------
+# Run VENV-based pkgmgr test inside container
+# ------------------------------------------------------------
 if OUTPUT=$(docker run --rm \
-        -e REINSTALL_PKGMGR=1 \
-        -v "pkgmgr_nix_store_${PKGMGR_DISTRO}:/nix" \
-        -v "$(pwd):/src" \
-        -v "pkgmgr_nix_cache_${PKGMGR_DISTRO}:/root/.cache/nix" \
-        "$IMAGE" 2>&1); then
+    -e REINSTALL_PKGMGR=1 \
+    -v "$(pwd):/src" \
+    -w /src \
+    "${IMAGE}" \
+    bash -lc '
+        set -euo pipefail
+
+        echo "[test-env-virtual] Installing pkgmgr (distro package)..."
+        make install
+
+        echo "[test-env-virtual] Setting up Python venv..."
+        make setup-venv
+
+        echo "[test-env-virtual] Activating venv..."
+        . "$HOME/.venvs/pkgmgr/bin/activate"
+
+        echo "[test-env-virtual] Using pkgmgr from:"
+        command -v pkgmgr
+        pkgmgr --help
+    ' 2>&1); then
+
     echo "$OUTPUT"
     echo
-    echo "[test-env-virtual] SUCCESS: $IMAGE responded to 'pkgmgr --help'"
+    echo "[test-env-virtual] SUCCESS: venv-based pkgmgr works in ${IMAGE}"
 
 else
     echo "$OUTPUT"
     echo
-    echo "[test-env-virtual] ERROR: $IMAGE failed to run 'pkgmgr --help'"
+    echo "[test-env-virtual] ERROR: venv-based pkgmgr failed in ${IMAGE}"
     exit 1
-fi
+fi

src/pkgmgr/actions/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+
+# expose subpackages for patch() / resolve_name() friendliness
+from . import release as release  # noqa: F401
+
+__all__ = ["release"]

src/pkgmgr/actions/branch/close_branch.py

@@ -1,7 +1,21 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError, get_current_branch
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.errors import GitError
+from pkgmgr.core.git.queries import get_current_branch
+from pkgmgr.core.git.commands import (
+    GitDeleteRemoteBranchError,
+    checkout,
+    delete_local_branch,
+    delete_remote_branch,
+    fetch,
+    merge_no_ff,
+    pull,
+    push,
+)
+
+from pkgmgr.core.git.queries import resolve_base_branch
 
 
 def close_branch(
@@ -14,7 +28,6 @@ def close_branch(
     """
     Merge a feature branch into the base branch and delete it afterwards.
     """
-
     # Determine branch name
     if not name:
         try:
@@ -25,7 +38,7 @@ def close_branch(
     if not name:
         raise RuntimeError("Branch name must not be empty.")
 
-    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    target_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)
 
     if name == target_base:
         raise RuntimeError(
@@ -42,58 +55,20 @@ def close_branch(
             print("Aborted closing branch.")
             return
 
-    # Fetch
-    try:
-        run_git(["fetch", "origin"], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to fetch from origin before closing branch {name!r}: {exc}"
-        ) from exc
+    # Execute workflow (commands raise specific GitError subclasses)
+    fetch("origin", cwd=cwd)
+    checkout(target_base, cwd=cwd)
+    pull("origin", target_base, cwd=cwd)
+    merge_no_ff(name, cwd=cwd)
+    push("origin", target_base, cwd=cwd)
 
-    # Checkout base
-    try:
-        run_git(["checkout", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to checkout base branch {target_base!r}: {exc}"
-        ) from exc
+    # Delete local branch (safe delete by default)
+    delete_local_branch(name, cwd=cwd, force=False)
 
-    # Pull latest
+    # Delete remote branch (special-case error message)
     try:
-        run_git(["pull", "origin", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to pull latest changes for base branch {target_base!r}: {exc}"
-        ) from exc
-
-    # Merge
-    try:
-        run_git(["merge", "--no-ff", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to merge branch {name!r} into {target_base!r}: {exc}"
-        ) from exc
-
-    # Push result
-    try:
-        run_git(["push", "origin", target_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to push base branch {target_base!r} after merge: {exc}"
-        ) from exc
-
-    # Delete local
-    try:
-        run_git(["branch", "-d", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to delete local branch {name!r}: {exc}"
-        ) from exc
-
-    # Delete remote
-    try:
-        run_git(["push", "origin", "--delete", name], cwd=cwd)
-    except GitError as exc:
+        delete_remote_branch("origin", name, cwd=cwd)
+    except GitDeleteRemoteBranchError as exc:
         raise RuntimeError(
             f"Branch {name!r} deleted locally, but remote deletion failed: {exc}"
         ) from exc

src/pkgmgr/actions/branch/drop_branch.py

@@ -1,7 +1,16 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError, get_current_branch
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.errors import GitError
+from pkgmgr.core.git.queries import get_current_branch
+from pkgmgr.core.git.commands import (
+    GitDeleteRemoteBranchError,
+    delete_local_branch,
+    delete_remote_branch,
+)
+
+from pkgmgr.core.git.queries import resolve_base_branch
 
 
 def drop_branch(
@@ -14,7 +23,6 @@ def drop_branch(
     """
     Delete a branch locally and remotely without merging.
     """
-
     if not name:
         try:
             name = get_current_branch(cwd=cwd)
@@ -24,7 +32,7 @@ def drop_branch(
     if not name:
         raise RuntimeError("Branch name must not be empty.")
 
-    target_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    target_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)
 
     if name == target_base:
         raise RuntimeError(
@@ -40,16 +48,12 @@ def drop_branch(
             print("Aborted dropping branch.")
             return
 
-    # Local delete
+    delete_local_branch(name, cwd=cwd, force=False)
+    
+    # Remote delete (special-case message)
     try:
-        run_git(["branch", "-d", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(f"Failed to delete local branch {name!r}: {exc}") from exc
-
-    # Remote delete
-    try:
-        run_git(["push", "origin", "--delete", name], cwd=cwd)
-    except GitError as exc:
+        delete_remote_branch("origin", name, cwd=cwd)
+    except GitDeleteRemoteBranchError as exc:
         raise RuntimeError(
             f"Branch {name!r} was deleted locally, but remote deletion failed: {exc}"
         ) from exc

src/pkgmgr/actions/branch/open_branch.py

@@ -1,7 +1,15 @@
 from __future__ import annotations
+
 from typing import Optional
-from pkgmgr.core.git import run_git, GitError
-from .utils import _resolve_base_branch
+
+from pkgmgr.core.git.commands import (
+    checkout,
+    create_branch,
+    fetch,
+    pull,
+    push_upstream,
+)
+from pkgmgr.core.git.queries import resolve_base_branch
 
 
 def open_branch(
@@ -13,7 +21,6 @@ def open_branch(
     """
     Create and push a new feature branch on top of a base branch.
     """
-
     # Request name interactively if not provided
     if not name:
         name = input("Enter new branch name: ").strip()
@@ -21,44 +28,13 @@ def open_branch(
     if not name:
         raise RuntimeError("Branch name must not be empty.")
 
-    resolved_base = _resolve_base_branch(base_branch, fallback_base, cwd=cwd)
+    resolved_base = resolve_base_branch(base_branch, fallback_base, cwd=cwd)
 
-    # 1) Fetch from origin
-    try:
-        run_git(["fetch", "origin"], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to fetch from origin before creating branch {name!r}: {exc}"
-        ) from exc
+    # Workflow (commands raise specific GitError subclasses)
+    fetch("origin", cwd=cwd)
+    checkout(resolved_base, cwd=cwd)
+    pull("origin", resolved_base, cwd=cwd)
 
-    # 2) Checkout base branch
-    try:
-        run_git(["checkout", resolved_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to checkout base branch {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 3) Pull latest changes
-    try:
-        run_git(["pull", "origin", resolved_base], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to pull latest changes for base branch {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 4) Create new branch
-    try:
-        run_git(["checkout", "-b", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to create new branch {name!r} from base {resolved_base!r}: {exc}"
-        ) from exc
-
-    # 5) Push new branch
-    try:
-        run_git(["push", "-u", "origin", name], cwd=cwd)
-    except GitError as exc:
-        raise RuntimeError(
-            f"Failed to push new branch {name!r} to origin: {exc}"
-        ) from exc
+    # Create new branch from resolved base and push it with upstream tracking
+    create_branch(name, resolved_base, cwd=cwd)
+    push_upstream("origin", name, cwd=cwd)

src/pkgmgr/actions/branch/utils.py

@@ -1,27 +0,0 @@
-from __future__ import annotations
-from pkgmgr.core.git import run_git, GitError
-
-
-def _resolve_base_branch(
-    preferred: str,
-    fallback: str,
-    cwd: str,
-) -> str:
-    """
-    Resolve the base branch to use.
-
-    Try `preferred` first (default: main),
-    fall back to `fallback` (default: master).
-
-    Raise RuntimeError if neither exists.
-    """
-    for candidate in (preferred, fallback):
-        try:
-            run_git(["rev-parse", "--verify", candidate], cwd=cwd)
-            return candidate
-        except GitError:
-            continue
-
-    raise RuntimeError(
-        f"Neither {preferred!r} nor {fallback!r} exist in this repository."
-    )

src/pkgmgr/actions/changelog/__init__.py

@@ -3,17 +3,16 @@
 
 """
 Helpers to generate changelog information from Git history.
-
-This module provides a small abstraction around `git log` so that
-CLI commands can request a changelog between two refs (tags, branches,
-commits) without dealing with raw subprocess calls.
 """
 
 from __future__ import annotations
 
 from typing import Optional
 
-from pkgmgr.core.git import run_git, GitError
+from pkgmgr.core.git.queries import (
+    get_changelog,
+    GitChangelogQueryError,
+)
 
 
 def generate_changelog(
@@ -25,48 +24,20 @@ def generate_changelog(
     """
     Generate a plain-text changelog between two Git refs.
 
-    Parameters
-    ----------
-    cwd:
-        Repository directory in which to run Git commands.
-    from_ref:
-        Optional starting reference (exclusive). If provided together
-        with `to_ref`, the range `from_ref..to_ref` is used.
-        If only `from_ref` is given, the range `from_ref..HEAD` is used.
-    to_ref:
-        Optional end reference (inclusive). If omitted, `HEAD` is used.
-    include_merges:
-        If False (default), merge commits are filtered out.
-
-    Returns
-    -------
-    str
-        The output of `git log` formatted as a simple text changelog.
-        If no commits are found or Git fails, an explanatory message
-        is returned instead of raising.
+    Returns a human-readable message instead of raising.
     """
-    # Determine the revision range
     if to_ref is None:
         to_ref = "HEAD"
 
-    if from_ref:
-        rev_range = f"{from_ref}..{to_ref}"
-    else:
-        rev_range = to_ref
-
-    # Use a custom pretty format that includes tags/refs (%d)
-    cmd = [
-        "log",
-        "--pretty=format:%h %d %s",
-    ]
-    if not include_merges:
-        cmd.append("--no-merges")
-    cmd.append(rev_range)
-
+    rev_range = f"{from_ref}..{to_ref}" if from_ref else to_ref
     try:
-        output = run_git(cmd, cwd=cwd)
-    except GitError as exc:
-        # Do not raise to the CLI, return a human-readable error instead.
+        output = get_changelog(
+            cwd=cwd,
+            from_ref=from_ref,
+            to_ref=to_ref,
+            include_merges=include_merges,
+        )
+    except GitChangelogQueryError as exc:
         return (
             f"[ERROR] Failed to generate changelog in {cwd!r} "
             f"for range {rev_range!r}:\n{exc}"

src/pkgmgr/actions/config/init.py

@@ -14,7 +14,7 @@ with the expected structure:
 
 For each discovered repository, the function:
   • derives provider, account, repository from the folder structure
-  • (optionally) determines the latest commit hash via git log
+  • (optionally) determines the latest commit hash via git
   • generates a unique CLI alias
   • marks ignore=True for newly discovered repos
   • skips repos already known in defaults or user config
@@ -23,11 +23,11 @@ For each discovered repository, the function:
 from __future__ import annotations
 
 import os
-import subprocess
 from typing import Any, Dict
 
 from pkgmgr.core.command.alias import generate_alias
 from pkgmgr.core.config.save import save_user_config
+from pkgmgr.core.git.queries import get_latest_commit
 
 
 def config_init(
@@ -116,27 +116,18 @@ def config_init(
 
                 print(f"[ADD]      {provider}/{account}/{repo_name}")
 
-                # Determine commit hash
-                try:
-                    result = subprocess.run(
-                        ["git", "log", "-1", "--format=%H"],
-                        cwd=repo_path,
-                        stdout=subprocess.PIPE,
-                        stderr=subprocess.PIPE,
-                        text=True,
-                        check=True,
-                    )
-                    verified = result.stdout.strip()
-                    print(f"[INFO]       Latest commit: {verified}")
-                except Exception as exc:
-                    verified = ""
-                    print(f"[WARN]       Could not read commit: {exc}")
+                # Determine commit hash via git query
+                verified_commit = get_latest_commit(repo_path) or ""
+                if verified_commit:
+                    print(f"[INFO]       Latest commit: {verified_commit}")
+                else:
+                    print("[WARN]       Could not read commit (not a git repo or no commits).")
 
-                entry = {
+                entry: Dict[str, Any] = {
                     "provider": provider,
                     "account": account,
                     "repository": repo_name,
-                    "verified": {"commit": verified},
+                    "verified": {"commit": verified_commit},
                     "ignore": True,
                 }
 

src/pkgmgr/actions/install/__init__.py

@@ -16,7 +16,7 @@ Responsibilities:
 from __future__ import annotations
 
 import os
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Tuple
 
 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.dir import get_repo_dir
@@ -93,6 +93,7 @@ def _verify_repo(
     repo_dir: str,
     no_verification: bool,
     identifier: str,
+    silent: bool,
 ) -> bool:
     """
     Verify a repository using the configured verification data.
@@ -111,10 +112,15 @@ def _verify_repo(
         print(f"Warning: Verification failed for {identifier}:")
         for err in errors:
             print(f"  - {err}")
-        choice = input("Continue anyway? [y/N]: ").strip().lower()
-        if choice != "y":
-            print(f"Skipping installation for {identifier}.")
-            return False
+
+        if silent:
+            # Non-interactive mode: continue with a warning.
+            print(f"[Warning] Continuing despite verification failure for {identifier} (--silent).")
+        else:
+            choice = input("Continue anyway? [y/N]: ").strip().lower()
+            if choice != "y":
+                print(f"Skipping installation for {identifier}.")
+                return False
 
     return True
 
@@ -163,6 +169,8 @@ def install_repos(
     clone_mode: str,
     update_dependencies: bool,
     force_update: bool = False,
+    silent: bool = False,
+    emit_summary: bool = True,
 ) -> None:
     """
     Install one or more repositories according to the configured installers
@@ -170,45 +178,72 @@ def install_repos(
 
     If force_update=True, installers of the currently active layer are allowed
     to run again (upgrade/refresh), even if that layer is already loaded.
+
+    If silent=True, repository failures are downgraded to warnings and the
+    overall command never exits non-zero because of per-repository failures.
     """
     pipeline = InstallationPipeline(INSTALLERS)
+    failures: List[Tuple[str, str]] = []
 
     for repo in selected_repos:
         identifier = get_repo_identifier(repo, all_repos)
 
-        repo_dir = _ensure_repo_dir(
-            repo=repo,
-            repositories_base_dir=repositories_base_dir,
-            all_repos=all_repos,
-            preview=preview,
-            no_verification=no_verification,
-            clone_mode=clone_mode,
-            identifier=identifier,
-        )
-        if not repo_dir:
+        try:
+            repo_dir = _ensure_repo_dir(
+                repo=repo,
+                repositories_base_dir=repositories_base_dir,
+                all_repos=all_repos,
+                preview=preview,
+                no_verification=no_verification,
+                clone_mode=clone_mode,
+                identifier=identifier,
+            )
+            if not repo_dir:
+                failures.append((identifier, "clone/ensure repo directory failed"))
+                continue
+
+            if not _verify_repo(
+                repo=repo,
+                repo_dir=repo_dir,
+                no_verification=no_verification,
+                identifier=identifier,
+                silent=silent,
+            ):
+                continue
+
+            ctx = _create_context(
+                repo=repo,
+                identifier=identifier,
+                repo_dir=repo_dir,
+                repositories_base_dir=repositories_base_dir,
+                bin_dir=bin_dir,
+                all_repos=all_repos,
+                no_verification=no_verification,
+                preview=preview,
+                quiet=quiet,
+                clone_mode=clone_mode,
+                update_dependencies=update_dependencies,
+                force_update=force_update,
+            )
+
+            pipeline.run(ctx)
+
+        except SystemExit as exc:
+            code = exc.code if isinstance(exc.code, int) else str(exc.code)
+            failures.append((identifier, f"installer failed (exit={code})"))
+            if not quiet:
+                print(f"[Warning] install: repository {identifier} failed (exit={code}). Continuing...")
+            continue
+        except Exception as exc:
+            failures.append((identifier, f"unexpected error: {exc}"))
+            if not quiet:
+                print(f"[Warning] install: repository {identifier} hit an unexpected error: {exc}. Continuing...")
             continue
 
-        if not _verify_repo(
-            repo=repo,
-            repo_dir=repo_dir,
-            no_verification=no_verification,
-            identifier=identifier,
-        ):
-            continue
+    if failures and emit_summary and not quiet:
+        print("\n[pkgmgr] Installation finished with warnings:")
+        for ident, msg in failures:
+            print(f"  - {ident}: {msg}")
 
-        ctx = _create_context(
-            repo=repo,
-            identifier=identifier,
-            repo_dir=repo_dir,
-            repositories_base_dir=repositories_base_dir,
-            bin_dir=bin_dir,
-            all_repos=all_repos,
-            no_verification=no_verification,
-            preview=preview,
-            quiet=quiet,
-            clone_mode=clone_mode,
-            update_dependencies=update_dependencies,
-            force_update=force_update,
-        )
-
-        pipeline.run(ctx)
+    if failures and not silent:
+        raise SystemExit(1)

src/pkgmgr/actions/install/installers/nix/conflicts.py

@@ -0,0 +1,100 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, List
+
+from .profile import NixProfileInspector
+from .retry import GitHubRateLimitRetry
+from .runner import CommandRunner
+from .textparse import NixConflictTextParser
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+
+class NixConflictResolver:
+    """
+    Resolves nix profile file conflicts by:
+      1. Parsing conflicting store paths from stderr
+      2. Mapping them to profile remove tokens via `nix profile list --json`
+      3. Removing those tokens deterministically
+      4. Retrying install
+    """
+
+    def __init__(
+        self,
+        runner: CommandRunner,
+        retry: GitHubRateLimitRetry,
+        profile: NixProfileInspector,
+    ) -> None:
+        self._runner = runner
+        self._retry = retry
+        self._profile = profile
+        self._parser = NixConflictTextParser()
+
+    def resolve(
+        self,
+        ctx: "RepoContext",
+        install_cmd: str,
+        stdout: str,
+        stderr: str,
+        *,
+        output: str,
+        max_rounds: int = 10,
+    ) -> bool:
+        quiet = bool(getattr(ctx, "quiet", False))
+        combined = f"{stdout}\n{stderr}"
+
+        for _ in range(max_rounds):
+            # 1) Extract conflicting store prefixes from nix error output
+            store_prefixes = self._parser.existing_store_prefixes(combined)
+
+            # 2) Resolve them to concrete remove tokens
+            tokens: List[str] = self._profile.find_remove_tokens_for_store_prefixes(
+                ctx,
+                self._runner,
+                store_prefixes,
+            )
+
+            # 3) Fallback: output-name based lookup (also covers nix suggesting: `nix profile remove pkgmgr`)
+            if not tokens:
+                tokens = self._profile.find_remove_tokens_for_output(ctx, self._runner, output)
+
+            if tokens:
+                if not quiet:
+                    print(
+                        "[nix] conflict detected; removing existing profile entries: "
+                        + ", ".join(tokens)
+                    )
+
+                for t in tokens:
+                    # tokens may contain things like "pkgmgr" or "pkgmgr-1" or quoted tokens (we keep raw)
+                    self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)
+
+                res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
+                if res.returncode == 0:
+                    return True
+
+                combined = f"{res.stdout}\n{res.stderr}"
+                continue
+
+            # 4) Last-resort fallback: use textual remove tokens from stderr (“nix profile remove X”)
+            tokens = self._parser.remove_tokens(combined)
+            if tokens:
+                if not quiet:
+                    print("[nix] fallback remove tokens: " + ", ".join(tokens))
+
+                for t in tokens:
+                    self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)
+
+                res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
+                if res.returncode == 0:
+                    return True
+
+                combined = f"{res.stdout}\n{res.stderr}"
+                continue
+
+            if not quiet:
+                print("[nix] conflict detected but could not resolve profile entries to remove.")
+            return False
+
+        return False

src/pkgmgr/actions/install/installers/nix/installer.py

@@ -1,12 +1,12 @@
-# src/pkgmgr/actions/install/installers/nix/installer.py
 from __future__ import annotations
 
 import os
 import shutil
-from typing import List, Tuple, TYPE_CHECKING
+from typing import TYPE_CHECKING, List, Tuple
 
 from pkgmgr.actions.install.installers.base import BaseInstaller
 
+from .conflicts import NixConflictResolver
 from .profile import NixProfileInspector
 from .retry import GitHubRateLimitRetry, RetryPolicy
 from .runner import CommandRunner
@@ -14,6 +14,7 @@ from .runner import CommandRunner
 if TYPE_CHECKING:
     from pkgmgr.actions.install.context import RepoContext
 
+
 class NixFlakeInstaller(BaseInstaller):
     layer = "nix"
     FLAKE_FILE = "flake.nix"
@@ -22,15 +23,18 @@ class NixFlakeInstaller(BaseInstaller):
         self._runner = CommandRunner()
         self._retry = GitHubRateLimitRetry(policy=policy)
         self._profile = NixProfileInspector()
+        self._conflicts = NixConflictResolver(self._runner, self._retry, self._profile)
 
-    # ------------------------------------------------------------------ #
-    # Compatibility: supports()
-    # ------------------------------------------------------------------ #
+        # Newer nix rejects numeric indices; we learn this at runtime and cache the decision.
+        self._indices_supported: bool | None = None
 
     def supports(self, ctx: "RepoContext") -> bool:
         if os.environ.get("PKGMGR_DISABLE_NIX_FLAKE_INSTALLER") == "1":
             if not ctx.quiet:
-                print("[INFO] PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 – skipping NixFlakeInstaller.")
+                print(
+                    "[INFO] PKGMGR_DISABLE_NIX_FLAKE_INSTALLER=1 – "
+                    "skipping NixFlakeInstaller."
+                )
             return False
 
         if shutil.which("nix") is None:
@@ -38,20 +42,12 @@ class NixFlakeInstaller(BaseInstaller):
 
         return os.path.exists(os.path.join(ctx.repo_dir, self.FLAKE_FILE))
 
-    # ------------------------------------------------------------------ #
-    # Compatibility: output selection
-    # ------------------------------------------------------------------ #
-
     def _profile_outputs(self, ctx: "RepoContext") -> List[Tuple[str, bool]]:
         # (output_name, allow_failure)
         if ctx.identifier in {"pkgmgr", "package-manager"}:
             return [("pkgmgr", False), ("default", True)]
         return [("default", False)]
 
-    # ------------------------------------------------------------------ #
-    # Compatibility: run()
-    # ------------------------------------------------------------------ #
-
     def run(self, ctx: "RepoContext") -> None:
         if not self.supports(ctx):
             return
@@ -59,11 +55,12 @@ class NixFlakeInstaller(BaseInstaller):
         outputs = self._profile_outputs(ctx)
 
         if not ctx.quiet:
-            print(
+            msg = (
                 "[nix] flake detected in "
                 f"{ctx.identifier}, ensuring outputs: "
                 + ", ".join(name for name, _ in outputs)
             )
+            print(msg)
 
         for output, allow_failure in outputs:
             if ctx.force_update:
@@ -71,13 +68,13 @@ class NixFlakeInstaller(BaseInstaller):
             else:
                 self._install_only(ctx, output, allow_failure)
 
-    # ------------------------------------------------------------------ #
-    # Core logic (unchanged semantics)
-    # ------------------------------------------------------------------ #
-
     def _installable(self, ctx: "RepoContext", output: str) -> str:
         return f"{ctx.repo_dir}#{output}"
 
+    # ---------------------------------------------------------------------
+    # Core install path
+    # ---------------------------------------------------------------------
+
     def _install_only(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
         install_cmd = f"nix profile install {self._installable(ctx, output)}"
 
@@ -85,35 +82,56 @@ class NixFlakeInstaller(BaseInstaller):
             print(f"[nix] install: {install_cmd}")
 
         res = self._retry.run_with_retry(ctx, self._runner, install_cmd)
-
         if res.returncode == 0:
             if not ctx.quiet:
                 print(f"[nix] output '{output}' successfully installed.")
             return
 
+        # Conflict resolver first (handles the common “existing package already provides file” case)
+        if self._conflicts.resolve(
+            ctx,
+            install_cmd,
+            res.stdout,
+            res.stderr,
+            output=output,
+        ):
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully installed after conflict cleanup.")
+            return
+
         if not ctx.quiet:
             print(
                 f"[nix] install failed for '{output}' (exit {res.returncode}), "
-                "trying index-based upgrade/remove+install..."
+                "trying upgrade/remove+install..."
             )
 
-        indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
+        # If indices are supported, try legacy index-upgrade path.
+        if self._indices_supported is not False:
+            indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
 
-        upgraded = False
-        for idx in indices:
-            if self._upgrade_index(ctx, idx):
-                upgraded = True
-                if not ctx.quiet:
-                    print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
+            upgraded = False
+            for idx in indices:
+                if self._upgrade_index(ctx, idx):
+                    upgraded = True
+                    if not ctx.quiet:
+                        print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
 
-        if upgraded:
-            return
+            if upgraded:
+                return
 
-        if indices and not ctx.quiet:
-            print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
+            if indices and not ctx.quiet:
+                print(f"[nix] upgrade failed; removing indices {indices} and reinstalling '{output}'.")
 
-        for idx in indices:
-            self._remove_index(ctx, idx)
+            for idx in indices:
+                self._remove_index(ctx, idx)
+
+            # If we learned indices are unsupported, immediately fall back below
+            if self._indices_supported is False:
+                self._remove_tokens_for_output(ctx, output)
+
+        else:
+            # indices explicitly unsupported
+            self._remove_tokens_for_output(ctx, output)
 
         final = self._runner.run(ctx, install_cmd, allow_failure=True)
         if final.returncode == 0:
@@ -122,17 +140,24 @@ class NixFlakeInstaller(BaseInstaller):
             return
 
         print(f"[ERROR] Failed to install Nix flake output '{output}' (exit {final.returncode})")
-
         if not allow_failure:
             raise SystemExit(final.returncode)
 
         print(f"[WARNING] Continuing despite failure of optional output '{output}'.")
 
-    # ------------------------------------------------------------------ #
-    # force_update path (unchanged semantics)
-    # ------------------------------------------------------------------ #
+    # ---------------------------------------------------------------------
+    # force_update path
+    # ---------------------------------------------------------------------
 
     def _force_upgrade_output(self, ctx: "RepoContext", output: str, allow_failure: bool) -> None:
+        # Prefer token path if indices unsupported (new nix)
+        if self._indices_supported is False:
+            self._remove_tokens_for_output(ctx, output)
+            self._install_only(ctx, output, allow_failure)
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully upgraded.")
+            return
+
         indices = self._profile.find_installed_indices_for_output(ctx, self._runner, output)
 
         upgraded_any = False
@@ -143,7 +168,8 @@ class NixFlakeInstaller(BaseInstaller):
                     print(f"[nix] output '{output}' successfully upgraded (index {idx}).")
 
         if upgraded_any:
-            print(f"[nix] output '{output}' successfully upgraded.")
+            if not ctx.quiet:
+                print(f"[nix] output '{output}' successfully upgraded.")
             return
 
         if indices and not ctx.quiet:
@@ -152,17 +178,52 @@ class NixFlakeInstaller(BaseInstaller):
         for idx in indices:
             self._remove_index(ctx, idx)
 
+        # If we learned indices are unsupported, also remove by token to actually clear conflicts
+        if self._indices_supported is False:
+            self._remove_tokens_for_output(ctx, output)
+
         self._install_only(ctx, output, allow_failure)
 
-        print(f"[nix] output '{output}' successfully upgraded.")
+        if not ctx.quiet:
+            print(f"[nix] output '{output}' successfully upgraded.")
 
-    # ------------------------------------------------------------------ #
+    # ---------------------------------------------------------------------
     # Helpers
-    # ------------------------------------------------------------------ #
+    # ---------------------------------------------------------------------
+
+    def _stderr_says_indices_unsupported(self, stderr: str) -> bool:
+        s = (stderr or "").lower()
+        return "no longer supports indices" in s or "does not support indices" in s
 
     def _upgrade_index(self, ctx: "RepoContext", idx: int) -> bool:
-        res = self._runner.run(ctx, f"nix profile upgrade --refresh {idx}", allow_failure=True)
+        cmd = f"nix profile upgrade --refresh {idx}"
+        res = self._runner.run(ctx, cmd, allow_failure=True)
+
+        if self._stderr_says_indices_unsupported(getattr(res, "stderr", "")):
+            self._indices_supported = False
+            return False
+
+        if self._indices_supported is None:
+            self._indices_supported = True
+
         return res.returncode == 0
 
     def _remove_index(self, ctx: "RepoContext", idx: int) -> None:
-        self._runner.run(ctx, f"nix profile remove {idx}", allow_failure=True)
+        res = self._runner.run(ctx, f"nix profile remove {idx}", allow_failure=True)
+
+        if self._stderr_says_indices_unsupported(getattr(res, "stderr", "")):
+            self._indices_supported = False
+
+        if self._indices_supported is None:
+            self._indices_supported = True
+
+    def _remove_tokens_for_output(self, ctx: "RepoContext", output: str) -> None:
+        tokens = self._profile.find_remove_tokens_for_output(ctx, self._runner, output)
+        if not tokens:
+            return
+
+        if not ctx.quiet:
+            print(f"[nix] indices unsupported; removing by token(s): {', '.join(tokens)}")
+
+        for t in tokens:
+            self._runner.run(ctx, f"nix profile remove {t}", allow_failure=True)

src/pkgmgr/actions/install/installers/nix/profile.py

@@ -1,71 +0,0 @@
-from __future__ import annotations
-
-import json
-from typing import Any, List, TYPE_CHECKING
-
-
-if TYPE_CHECKING:
-    from pkgmgr.actions.install.context import RepoContext
-    from .runner import CommandRunner
- 
-class NixProfileInspector:
-    """
-    Reads and interprets `nix profile list --json` and provides helpers for
-    finding indices matching a given output name.
-    """
-
-    def find_installed_indices_for_output(self, ctx: "RepoContext", runner: "CommandRunner", output: str) -> List[int]:
-        res = runner.run(ctx, "nix profile list --json", allow_failure=True)
-        if res.returncode != 0:
-            return []
-
-        try:
-            data = json.loads(res.stdout or "{}")
-        except json.JSONDecodeError:
-            return []
-
-        indices: List[int] = []
-
-        elements = data.get("elements")
-        if isinstance(elements, dict):
-            for idx_str, elem in elements.items():
-                try:
-                    idx = int(idx_str)
-                except (TypeError, ValueError):
-                    continue
-                if self._element_matches_output(elem, output):
-                    indices.append(idx)
-            return sorted(indices)
-
-        if isinstance(elements, list):
-            for elem in elements:
-                idx = elem.get("index") if isinstance(elem, dict) else None
-                if isinstance(idx, int) and self._element_matches_output(elem, output):
-                    indices.append(idx)
-            return sorted(indices)
-
-        return []
-
-    @staticmethod
-    def element_matches_output(elem: Any, output: str) -> bool:
-        return NixProfileInspector._element_matches_output(elem, output)
-
-    @staticmethod
-    def _element_matches_output(elem: Any, output: str) -> bool:
-        out = (output or "").strip()
-        if not out or not isinstance(elem, dict):
-            return False
-
-        candidates: List[str] = []
-        for k in ("attrPath", "originalUrl", "url", "storePath", "name"):
-            v = elem.get(k)
-            if isinstance(v, str) and v:
-                candidates.append(v)
-
-        for c in candidates:
-            if c == out:
-                return True
-            if f"#{out}" in c:
-                return True
-
-        return False

src/pkgmgr/actions/install/installers/nix/profile/__init__.py

@@ -0,0 +1,4 @@
+from .inspector import NixProfileInspector
+from .models import NixProfileEntry
+
+__all__ = ["NixProfileInspector", "NixProfileEntry"]

src/pkgmgr/actions/install/installers/nix/profile/inspector.py

@@ -0,0 +1,162 @@
+from __future__ import annotations
+
+from typing import Any, List, TYPE_CHECKING
+
+from .matcher import (
+    entry_matches_output,
+    entry_matches_store_path,
+    stable_unique_ints,
+)
+from .normalizer import normalize_elements
+from .parser import parse_profile_list_json
+from .result import extract_stdout_text
+
+if TYPE_CHECKING:
+    # Keep these as TYPE_CHECKING-only to avoid runtime import cycles.
+    from pkgmgr.actions.install.context import RepoContext
+    from pkgmgr.core.command.runner import CommandRunner
+
+
+class NixProfileInspector:
+    """
+    Reads and inspects the user's Nix profile list (JSON).
+
+    Public API:
+      - list_json()
+      - find_installed_indices_for_output()   (legacy; may not work on newer nix)
+      - find_indices_by_store_path()          (legacy; may not work on newer nix)
+      - find_remove_tokens_for_output()
+      - find_remove_tokens_for_store_prefixes()
+    """
+
+    def list_json(self, ctx: "RepoContext", runner: "CommandRunner") -> dict[str, Any]:
+        res = runner.run(ctx, "nix profile list --json", allow_failure=False)
+        raw = extract_stdout_text(res)
+        return parse_profile_list_json(raw)
+
+    # ---------------------------------------------------------------------
+    # Legacy index helpers (still useful on older nix; newer nix may reject indices)
+    # ---------------------------------------------------------------------
+
+    def find_installed_indices_for_output(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        output: str,
+    ) -> List[int]:
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        hits: List[int] = []
+        for e in entries:
+            if e.index is None:
+                continue
+            if entry_matches_output(e, output):
+                hits.append(e.index)
+
+        return stable_unique_ints(hits)
+
+    def find_indices_by_store_path(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        store_path: str,
+    ) -> List[int]:
+        needle = (store_path or "").strip()
+        if not needle:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        hits: List[int] = []
+        for e in entries:
+            if e.index is None:
+                continue
+            if entry_matches_store_path(e, needle):
+                hits.append(e.index)
+
+        return stable_unique_ints(hits)
+
+    # ---------------------------------------------------------------------
+    # New token-based helpers (works with newer nix where indices are rejected)
+    # ---------------------------------------------------------------------
+
+    def find_remove_tokens_for_output(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        output: str,
+    ) -> List[str]:
+        """
+        Returns profile remove tokens to remove entries matching a given output.
+
+        We always include the raw output token first because nix itself suggests:
+          nix profile remove pkgmgr
+        """
+        out = (output or "").strip()
+        if not out:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        tokens: List[str] = [out]  # critical: matches nix's own suggestion for conflicts
+
+        for e in entries:
+            if entry_matches_output(e, out):
+                # Prefer removing by key/name (non-index) when possible.
+                # New nix rejects numeric indices; these tokens are safer.
+                k = (e.key or "").strip()
+                n = (e.name or "").strip()
+
+                if k and not k.isdigit():
+                    tokens.append(k)
+                elif n and not n.isdigit():
+                    tokens.append(n)
+
+        # stable unique preserving order
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t and t not in seen:
+                uniq.append(t)
+                seen.add(t)
+        return uniq
+
+    def find_remove_tokens_for_store_prefixes(
+        self,
+        ctx: "RepoContext",
+        runner: "CommandRunner",
+        prefixes: List[str],
+    ) -> List[str]:
+        """
+        Returns remove tokens for entries whose store path matches any prefix.
+        """
+        prefixes = [(p or "").strip() for p in (prefixes or []) if p]
+        prefixes = [p for p in prefixes if p]
+        if not prefixes:
+            return []
+
+        data = self.list_json(ctx, runner)
+        entries = normalize_elements(data)
+
+        tokens: List[str] = []
+        for e in entries:
+            if not e.store_paths:
+                continue
+            if any(sp == p for sp in e.store_paths for p in prefixes):
+                k = (e.key or "").strip()
+                n = (e.name or "").strip()
+                if k and not k.isdigit():
+                    tokens.append(k)
+                elif n and not n.isdigit():
+                    tokens.append(n)
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t and t not in seen:
+                uniq.append(t)
+                seen.add(t)
+        return uniq

src/pkgmgr/actions/install/installers/nix/profile/matcher.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+from typing import List
+
+from .models import NixProfileEntry
+
+
+def entry_matches_output(entry: NixProfileEntry, output: str) -> bool:
+    """
+    Heuristic matcher: output is typically a flake output name (e.g. "pkgmgr"),
+    and we match against name/attrPath patterns.
+    """
+    out = (output or "").strip()
+    if not out:
+        return False
+
+    candidates = [entry.name, entry.attr_path]
+
+    for c in candidates:
+        c = (c or "").strip()
+        if not c:
+            continue
+
+        # Direct match
+        if c == out:
+            return True
+
+        # AttrPath contains "#<output>"
+        if f"#{out}" in c:
+            return True
+
+        # AttrPath ends with ".<output>"
+        if c.endswith(f".{out}"):
+            return True
+
+        # Name pattern "<output>-<n>" (common, e.g. pkgmgr-1)
+        if c.startswith(f"{out}-"):
+            return True
+
+        # Historical special case: repo is "package-manager" but output is "pkgmgr"
+        if out == "pkgmgr" and c.startswith("package-manager-"):
+            return True
+
+    return False
+
+
+def entry_matches_store_path(entry: NixProfileEntry, store_path: str) -> bool:
+    needle = (store_path or "").strip()
+    if not needle:
+        return False
+    return any((p or "") == needle for p in entry.store_paths)
+
+
+def stable_unique_ints(values: List[int]) -> List[int]:
+    seen: set[int] = set()
+    uniq: List[int] = []
+    for v in values:
+        if v in seen:
+            continue
+        uniq.append(v)
+        seen.add(v)
+    return uniq

src/pkgmgr/actions/install/installers/nix/profile/models.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import List, Optional
+
+
+@dataclass(frozen=True)
+class NixProfileEntry:
+    """
+    Minimal normalized representation of one nix profile element entry.
+    """
+
+    key: str
+    index: Optional[int]
+    name: str
+    attr_path: str
+    store_paths: List[str]

src/pkgmgr/actions/install/installers/nix/profile/normalizer.py

@@ -0,0 +1,128 @@
+from __future__ import annotations
+
+import re
+from typing import Any, Dict, Iterable, List, Optional
+
+from .models import NixProfileEntry
+
+
+def coerce_index(key: str, entry: Dict[str, Any]) -> Optional[int]:
+    """
+    Nix JSON schema varies:
+      - elements keys might be "0", "1", ...
+      - or might be names like "pkgmgr-1"
+    Some versions include an explicit index field.
+    We try safe options in order.
+    """
+    k = (key or "").strip()
+
+    # 1) Classic: numeric keys
+    if k.isdigit():
+        try:
+            return int(k)
+        except Exception:
+            return None
+
+    # 2) Explicit index fields (schema-dependent)
+    for field in ("index", "id", "position"):
+        v = entry.get(field)
+        if isinstance(v, int):
+            return v
+        if isinstance(v, str) and v.strip().isdigit():
+            try:
+                return int(v.strip())
+            except Exception:
+                pass
+
+    # 3) Last resort: extract trailing number from key if it looks like "<name>-<n>"
+    m = re.match(r"^.+-(\d+)$", k)
+    if m:
+        try:
+            return int(m.group(1))
+        except Exception:
+            return None
+
+    return None
+
+
+def iter_store_paths(entry: Dict[str, Any]) -> Iterable[str]:
+    """
+    Yield all possible store paths from a nix profile JSON entry.
+
+    Nix has had schema shifts. We support common variants:
+      - "storePaths": ["/nix/store/..", ...]
+      - "storePaths": "/nix/store/.."  (rare)
+      - "storePath": "/nix/store/.."   (some variants)
+      - nested "outputs" dict(s) with store paths (best-effort)
+    """
+    if not isinstance(entry, dict):
+        return
+
+    sp = entry.get("storePaths")
+    if isinstance(sp, list):
+        for p in sp:
+            if isinstance(p, str):
+                yield p
+    elif isinstance(sp, str):
+        yield sp
+
+    sp2 = entry.get("storePath")
+    if isinstance(sp2, str):
+        yield sp2
+
+    outs = entry.get("outputs")
+    if isinstance(outs, dict):
+        for _, ov in outs.items():
+            if isinstance(ov, dict):
+                p = ov.get("storePath")
+                if isinstance(p, str):
+                    yield p
+
+
+def normalize_store_path(store_path: str) -> str:
+    """
+    Normalize store path for matching.
+    Currently just strips whitespace; hook for future normalization if needed.
+    """
+    return (store_path or "").strip()
+
+
+def normalize_elements(data: Dict[str, Any]) -> List[NixProfileEntry]:
+    """
+    Converts nix profile list JSON into a list of normalized entries.
+
+    JSON formats observed:
+      - {"elements": {"0": {...}, "1": {...}}}
+      - {"elements": {"pkgmgr-1": {...}, "pkgmgr-2": {...}}}
+    """
+    elements = data.get("elements")
+    if not isinstance(elements, dict):
+        return []
+
+    normalized: List[NixProfileEntry] = []
+
+    for k, entry in elements.items():
+        if not isinstance(entry, dict):
+            continue
+
+        idx = coerce_index(str(k), entry)
+        name = str(entry.get("name", "") or "")
+        attr = str(entry.get("attrPath", "") or "")
+
+        store_paths: List[str] = []
+        for p in iter_store_paths(entry):
+            sp = normalize_store_path(p)
+            if sp:
+                store_paths.append(sp)
+
+        normalized.append(
+            NixProfileEntry(
+                key=str(k),
+                index=idx,
+                name=name,
+                attr_path=attr,
+                store_paths=store_paths,
+            )
+        )
+
+    return normalized

src/pkgmgr/actions/install/installers/nix/profile/parser.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+import json
+from typing import Any, Dict
+
+
+def parse_profile_list_json(raw: str) -> Dict[str, Any]:
+    """
+    Parse JSON output from `nix profile list --json`.
+
+    Raises SystemExit with a helpful excerpt on parse failure.
+    """
+    try:
+        return json.loads(raw)
+    except json.JSONDecodeError as e:
+        excerpt = (raw or "")[:5000]
+        raise SystemExit(
+            f"[nix] Failed to parse `nix profile list --json`: {e}\n{excerpt}"
+        ) from e

src/pkgmgr/actions/install/installers/nix/profile/result.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+from typing import Any
+
+
+def extract_stdout_text(result: Any) -> str:
+    """
+    Normalize different runner return types to a stdout string.
+
+    Supported patterns:
+      - result is str -> returned as-is
+      - result is bytes/bytearray -> decoded UTF-8 (replace errors)
+      - result has `.stdout` (str or bytes) -> used
+      - fallback: str(result)
+    """
+    if isinstance(result, str):
+        return result
+
+    if isinstance(result, (bytes, bytearray)):
+        return bytes(result).decode("utf-8", errors="replace")
+
+    stdout = getattr(result, "stdout", None)
+    if isinstance(stdout, str):
+        return stdout
+    if isinstance(stdout, (bytes, bytearray)):
+        return bytes(stdout).decode("utf-8", errors="replace")
+
+    return str(result)

src/pkgmgr/actions/install/installers/nix/profile_list.py

@@ -0,0 +1,69 @@
+from __future__ import annotations
+
+import re
+from typing import TYPE_CHECKING, List, Tuple
+
+from .runner import CommandRunner
+
+if TYPE_CHECKING:
+    from pkgmgr.actions.install.context import RepoContext
+
+
+class NixProfileListReader:
+    def __init__(self, runner: CommandRunner) -> None:
+        self._runner = runner
+
+    @staticmethod
+    def _store_prefix(path: str) -> str:
+        raw = (path or "").strip()
+        m = re.match(r"^(/nix/store/[0-9a-z]{32}-[^/ \t]+)", raw)
+        return m.group(1) if m else raw
+
+    def entries(self, ctx: "RepoContext") -> List[Tuple[int, str]]:
+        res = self._runner.run(ctx, "nix profile list", allow_failure=True)
+        if res.returncode != 0:
+            return []
+
+        entries: List[Tuple[int, str]] = []
+        pat = re.compile(
+            r"^\s*(\d+)\s+.*?(/nix/store/[0-9a-z]{32}-[^/ \t]+)",
+            re.MULTILINE,
+        )
+
+        for m in pat.finditer(res.stdout or ""):
+            idx_s = m.group(1)
+            sp = m.group(2)
+            try:
+                idx = int(idx_s)
+            except Exception:
+                continue
+            entries.append((idx, self._store_prefix(sp)))
+
+        seen: set[int] = set()
+        uniq: List[Tuple[int, str]] = []
+        for idx, sp in entries:
+            if idx not in seen:
+                seen.add(idx)
+                uniq.append((idx, sp))
+
+        return uniq
+
+    def indices_matching_store_prefixes(self, ctx: "RepoContext", prefixes: List[str]) -> List[int]:
+        prefixes = [self._store_prefix(p) for p in prefixes if p]
+        prefixes = [p for p in prefixes if p]
+        if not prefixes:
+            return []
+
+        hits: List[int] = []
+        for idx, sp in self.entries(ctx):
+            if any(sp == p for p in prefixes):
+                hits.append(idx)
+
+        seen: set[int] = set()
+        uniq: List[int] = []
+        for i in hits:
+            if i not in seen:
+                seen.add(i)
+                uniq.append(i)
+
+        return uniq

src/pkgmgr/actions/install/installers/nix/textparse.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import re
+from typing import List
+
+
+class NixConflictTextParser:
+    @staticmethod
+    def _store_prefix(path: str) -> str:
+        raw = (path or "").strip()
+        m = re.match(r"^(/nix/store/[0-9a-z]{32}-[^/ \t]+)", raw)
+        return m.group(1) if m else raw
+
+    def remove_tokens(self, text: str) -> List[str]:
+        pat = re.compile(
+            r"^\s*nix profile remove\s+([^\s'\"`]+|'[^']+'|\"[^\"]+\")\s*$",
+            re.MULTILINE,
+        )
+
+        tokens: List[str] = []
+        for m in pat.finditer(text or ""):
+            t = (m.group(1) or "").strip()
+            if (t.startswith("'") and t.endswith("'")) or (t.startswith('"') and t.endswith('"')):
+                t = t[1:-1]
+            if t:
+                tokens.append(t)
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for t in tokens:
+            if t not in seen:
+                seen.add(t)
+                uniq.append(t)
+
+        return uniq
+
+    def existing_store_prefixes(self, text: str) -> List[str]:
+        lines = (text or "").splitlines()
+        prefixes: List[str] = []
+
+        in_existing = False
+        in_new = False
+
+        store_pat = re.compile(r"^\s*(/nix/store/[0-9a-z]{32}-[^ \t]+)")
+
+        for raw in lines:
+            line = raw.strip()
+
+            if "An existing package already provides the following file" in line:
+                in_existing = True
+                in_new = False
+                continue
+
+            if "This is the conflicting file from the new package" in line:
+                in_existing = False
+                in_new = True
+                continue
+
+            if in_existing:
+                m = store_pat.match(raw)
+                if m:
+                    prefixes.append(m.group(1))
+                    continue
+
+            _ = in_new
+
+        norm = [self._store_prefix(p) for p in prefixes if p]
+
+        seen: set[str] = set()
+        uniq: List[str] = []
+        for p in norm:
+            if p and p not in seen:
+                seen.add(p)
+                uniq.append(p)
+
+        return uniq

src/pkgmgr/actions/mirror/git_remote.py

@@ -1,20 +1,50 @@
 from __future__ import annotations
 
 import os
+from typing import Optional, Set
 
-from pkgmgr.core.command.run import run_command
-from pkgmgr.core.git import GitError, run_git
-from typing import List, Optional, Set
+from pkgmgr.core.git.errors import GitError
+from pkgmgr.core.git.commands import (
+    GitAddRemoteError,
+    GitAddRemotePushUrlError,
+    GitSetRemoteUrlError,
+    add_remote,
+    add_remote_push_url,
+    set_remote_url,
+)
+from pkgmgr.core.git.queries import get_remote_push_urls, list_remotes
 
 from .types import MirrorMap, RepoMirrorContext, Repository
 
 
-def build_default_ssh_url(repo: Repository) -> Optional[str]:
+def _is_git_remote_url(url: str) -> bool:
     """
-    Build a simple SSH URL from repo config if no explicit mirror is defined.
+    True only for URLs that should become git remotes / push URLs.
 
-    Example: git@github.com:account/repository.git
+    Accepted:
+      - git@host:owner/repo(.git)                (SCP-like SSH)
+      - ssh://git@host(:port)/owner/repo(.git)   (SSH URL)
+      - https://host/owner/repo.git              (HTTPS git remote)
+      - http://host/owner/repo.git               (rare, but possible)
+    Everything else (e.g. PyPI project page) stays metadata only.
     """
+    u = (url or "").strip()
+    if not u:
+        return False
+
+    if u.startswith("git@"):
+        return True
+
+    if u.startswith("ssh://"):
+        return True
+
+    if (u.startswith("https://") or u.startswith("http://")) and u.endswith(".git"):
+        return True
+
+    return False
+
+
+def build_default_ssh_url(repo: Repository) -> Optional[str]:
     provider = repo.get("provider")
     account = repo.get("account")
     name = repo.get("repository")
@@ -23,96 +53,80 @@ def build_default_ssh_url(repo: Repository) -> Optional[str]:
     if not provider or not account or not name:
         return None
 
-    provider = str(provider)
-    account = str(account)
-    name = str(name)
-
     if port:
         return f"ssh://git@{provider}:{port}/{account}/{name}.git"
 
-    # GitHub-style shorthand
     return f"git@{provider}:{account}/{name}.git"
 
 
+def _git_mirrors_only(m: MirrorMap) -> MirrorMap:
+    return {k: v for k, v in m.items() if v and _is_git_remote_url(v)}
+
+
 def determine_primary_remote_url(
     repo: Repository,
-    resolved_mirrors: MirrorMap,
+    ctx: RepoMirrorContext,
 ) -> Optional[str]:
     """
-    Determine the primary remote URL in a consistent way:
-
-      1. resolved_mirrors["origin"]
-      2. any resolved mirror (first by name)
-      3. default SSH URL from provider/account/repository
+    Priority order (GIT URLS ONLY):
+      1. origin from resolved mirrors (if it is a git URL)
+      2. first git URL from MIRRORS file (in file order)
+      3. first git URL from config mirrors (in config order)
+      4. default SSH URL
     """
-    if "origin" in resolved_mirrors:
-        return resolved_mirrors["origin"]
+    resolved = ctx.resolved_mirrors
+    origin = resolved.get("origin")
+    if origin and _is_git_remote_url(origin):
+        return origin
 
-    if resolved_mirrors:
-        first_name = sorted(resolved_mirrors.keys())[0]
-        return resolved_mirrors[first_name]
+    for mirrors in (ctx.file_mirrors, ctx.config_mirrors):
+        for _, url in mirrors.items():
+            if url and _is_git_remote_url(url):
+                return url
 
     return build_default_ssh_url(repo)
 
 
-def _safe_git_output(args: List[str], cwd: str) -> Optional[str]:
-    """
-    Run a Git command via run_git and return its stdout, or None on failure.
-    """
-    try:
-        return run_git(args, cwd=cwd)
-    except GitError:
-        return None
-
-
-def current_origin_url(repo_dir: str) -> Optional[str]:
-    """
-    Return the current URL for remote 'origin', or None if not present.
-    """
-    output = _safe_git_output(["remote", "get-url", "origin"], cwd=repo_dir)
-    if not output:
-        return None
-    url = output.strip()
-    return url or None
-
-
 def has_origin_remote(repo_dir: str) -> bool:
-    """
-    Check whether a remote called 'origin' exists in the repository.
-    """
-    output = _safe_git_output(["remote"], cwd=repo_dir)
-    if not output:
+    try:
+        return "origin" in list_remotes(cwd=repo_dir)
+    except GitError:
         return False
-    names = output.split()
-    return "origin" in names
 
 
-def _ensure_push_urls_for_origin(
+def _set_origin_fetch_and_push(repo_dir: str, url: str, preview: bool) -> None:
+    """
+    Ensure origin has fetch URL and push URL set to the primary URL.
+    Preview is handled by the underlying git runner.
+    """
+    set_remote_url("origin", url, cwd=repo_dir, push=False, preview=preview)
+    set_remote_url("origin", url, cwd=repo_dir, push=True, preview=preview)
+
+
+def _ensure_additional_push_urls(
     repo_dir: str,
     mirrors: MirrorMap,
+    primary: str,
     preview: bool,
 ) -> None:
     """
-    Ensure that all mirror URLs are present as push URLs on 'origin'.
+    Ensure all *git* mirror URLs (except primary) are configured as additional
+    push URLs for origin.
+
+    Non-git URLs (like PyPI) are ignored and will never land in git config.
     """
-    desired: Set[str] = {url for url in mirrors.values() if url}
+    git_only = _git_mirrors_only(mirrors)
+    desired: Set[str] = {u for u in git_only.values() if u and u != primary}
     if not desired:
         return
 
-    existing_output = _safe_git_output(
-        ["remote", "get-url", "--push", "--all", "origin"],
-        cwd=repo_dir,
-    )
-    existing = set(existing_output.splitlines()) if existing_output else set()
+    try:
+        existing = get_remote_push_urls("origin", cwd=repo_dir)
+    except GitError:
+        existing = set()
 
-    missing = sorted(desired - existing)
-    for url in missing:
-        cmd = f"git remote set-url --add --push origin {url}"
-        if preview:
-            print(f"[PREVIEW] Would run in {repo_dir!r}: {cmd}")
-        else:
-            print(f"[INFO] Adding push URL to 'origin': {url}")
-            run_command(cmd, cwd=repo_dir, preview=False)
+    for url in sorted(desired - existing):
+        add_remote_push_url("origin", url, cwd=repo_dir, preview=preview)
 
 
 def ensure_origin_remote(
@@ -120,60 +134,33 @@ def ensure_origin_remote(
     ctx: RepoMirrorContext,
     preview: bool,
 ) -> None:
-    """
-    Ensure that a usable 'origin' remote exists and has all push URLs.
-    """
     repo_dir = ctx.repo_dir
-    resolved_mirrors = ctx.resolved_mirrors
 
     if not os.path.isdir(os.path.join(repo_dir, ".git")):
-        print(f"[WARN] {repo_dir} is not a Git repository (no .git directory).")
+        print(f"[WARN] {repo_dir} is not a Git repository.")
         return
 
-    url = determine_primary_remote_url(repo, resolved_mirrors)
+    primary = determine_primary_remote_url(repo, ctx)
+    if not primary or not _is_git_remote_url(primary):
+        print("[WARN] No valid git primary mirror URL could be determined.")
+        return
 
+    # 1) Ensure origin exists
     if not has_origin_remote(repo_dir):
-        if not url:
-            print(
-                "[WARN] Could not determine URL for 'origin' remote. "
-                "Please configure mirrors or provider/account/repository."
-            )
-            return
+        try:
+            add_remote("origin", primary, cwd=repo_dir, preview=preview)
+        except GitAddRemoteError as exc:
+            print(f"[WARN] Failed to add origin remote: {exc}")
+            return  # without origin we cannot reliably proceed
 
-        cmd = f"git remote add origin {url}"
-        if preview:
-            print(f"[PREVIEW] Would run in {repo_dir!r}: {cmd}")
-        else:
-            print(f"[INFO] Adding 'origin' remote in {repo_dir}: {url}")
-            run_command(cmd, cwd=repo_dir, preview=False)
-    else:
-        current = current_origin_url(repo_dir)
-        if current == url or not url:
-            print(
-                "[INFO] 'origin' already points to "
-                f"{current or '<unknown>'} (no change needed)."
-            )
-        else:
-            # We do not auto-change origin here, only log the mismatch.
-            print(
-                "[INFO] 'origin' exists with URL "
-                f"{current or '<unknown>'}; not changing to {url}."
-            )
-
-    # Ensure all mirrors are present as push URLs
-    _ensure_push_urls_for_origin(repo_dir, resolved_mirrors, preview)
-
-
-def is_remote_reachable(url: str, cwd: Optional[str] = None) -> bool:
-    """
-    Check whether a remote repository is reachable via `git ls-remote`.
-
-    This does NOT modify anything; it only probes the remote.
-    """
-    workdir = cwd or os.getcwd()
+    # 2) Ensure origin fetch+push URLs are correct
     try:
-        # --exit-code → non-zero exit code if the remote does not exist
-        run_git(["ls-remote", "--exit-code", url], cwd=workdir)
-        return True
-    except GitError:
-        return False
+        _set_origin_fetch_and_push(repo_dir, primary, preview)
+    except GitSetRemoteUrlError as exc:
+        print(f"[WARN] Failed to set origin URLs: {exc}")
+
+    # 3) Ensure additional push URLs for mirrors (git urls only)
+    try:
+        _ensure_additional_push_urls(repo_dir, ctx.resolved_mirrors, primary, preview)
+    except GitAddRemotePushUrlError as exc:
+        print(f"[WARN] Failed to add additional push URLs: {exc}")

src/pkgmgr/actions/mirror/remote_provision.py

@@ -0,0 +1,59 @@
+from __future__ import annotations
+
+from typing import List
+
+from pkgmgr.core.remote_provisioning import ProviderHint, RepoSpec, ensure_remote_repo
+from pkgmgr.core.remote_provisioning.ensure import EnsureOptions
+
+from .context import build_context
+from .git_remote import determine_primary_remote_url
+from .types import Repository
+from .url_utils import normalize_provider_host, parse_repo_from_git_url
+
+
+def ensure_remote_repository(
+    repo: Repository,
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    preview: bool,
+) -> None:
+    ctx = build_context(repo, repositories_base_dir, all_repos)
+
+    primary_url = determine_primary_remote_url(repo, ctx)
+    if not primary_url:
+        print("[INFO] No primary URL found; skipping remote provisioning.")
+        return
+
+    host_raw, owner, name = parse_repo_from_git_url(primary_url)
+    host = normalize_provider_host(host_raw)
+
+    if not host or not owner or not name:
+        print("[WARN] Could not parse remote URL:", primary_url)
+        return
+
+    spec = RepoSpec(
+        host=host,
+        owner=owner,
+        name=name,
+        private=bool(repo.get("private", True)),
+        description=str(repo.get("description", "")),
+    )
+
+    provider_kind = str(repo.get("provider", "")).lower() or None
+
+    try:
+        result = ensure_remote_repo(
+            spec,
+            provider_hint=ProviderHint(kind=provider_kind),
+            options=EnsureOptions(
+                preview=preview,
+                interactive=True,
+                allow_prompt=True,
+                save_prompt_token_to_keyring=True,
+            ),
+        )
+        print(f"[REMOTE ENSURE] {result.status.upper()}: {result.message}")
+        if result.url:
+            print(f"[REMOTE ENSURE] URL: {result.url}")
+    except Exception as exc:  # noqa: BLE001
+        print(f"[ERROR] Remote provisioning failed: {exc}")

src/pkgmgr/actions/mirror/setup_cmd.py

@@ -1,119 +1,28 @@
-# src/pkgmgr/actions/mirror/setup_cmd.py
 from __future__ import annotations
 
-from typing import List, Tuple
-from urllib.parse import urlparse
+from typing import List
 
-from pkgmgr.core.git import GitError, run_git
-from pkgmgr.core.remote_provisioning import ProviderHint, RepoSpec, ensure_remote_repo
-from pkgmgr.core.remote_provisioning.ensure import EnsureOptions
+from pkgmgr.core.git.queries import probe_remote_reachable
 
 from .context import build_context
-from .git_remote import determine_primary_remote_url, ensure_origin_remote
+from .git_remote import ensure_origin_remote, determine_primary_remote_url
+from .remote_provision import ensure_remote_repository
 from .types import Repository
 
 
-def _probe_mirror(url: str, repo_dir: str) -> Tuple[bool, str]:
-    """
-    Probe a remote mirror URL using `git ls-remote`.
-
-    Returns:
-      (True, "") on success,
-      (False, error_message) on failure.
-    """
-    try:
-        run_git(["ls-remote", url], cwd=repo_dir)
-        return True, ""
-    except GitError as exc:
-        return False, str(exc)
-
-
-def _host_from_git_url(url: str) -> str:
-    url = (url or "").strip()
-    if not url:
-        return ""
-
-    if "://" in url:
-        parsed = urlparse(url)
-        netloc = (parsed.netloc or "").strip()
-        if "@" in netloc:
-            netloc = netloc.split("@", 1)[1]
-        # keep optional :port
-        return netloc
-
-    # scp-like: git@host:owner/repo.git
-    if "@" in url and ":" in url:
-        after_at = url.split("@", 1)[1]
-        host = after_at.split(":", 1)[0]
-        return host.strip()
-
-    return url.split("/", 1)[0].strip()
-
-def _ensure_remote_repository(
-    repo: Repository,
-    repositories_base_dir: str,
-    all_repos: List[Repository],
-    preview: bool,
-) -> None:
-    """
-    Ensure that the remote repository exists using provider APIs.
-
-    This is ONLY called when ensure_remote=True.
-    """
-    ctx = build_context(repo, repositories_base_dir, all_repos)
-    resolved_mirrors = ctx.resolved_mirrors
-
-    primary_url = determine_primary_remote_url(repo, resolved_mirrors)
-    if not primary_url:
-        print("[INFO] No remote URL could be derived; skipping remote provisioning.")
-        return
-
-    # IMPORTANT:
-    # - repo["provider"] is typically a provider *kind* (e.g. "github" / "gitea"),
-    #   NOT a hostname. We derive the actual host from the remote URL.
-    host = _host_from_git_url(primary_url)
-    owner = repo.get("account")
-    name = repo.get("repository")
-
-    if not host or not owner or not name:
-        print("[WARN] Missing host/account/repository; cannot ensure remote repo.")
-        print(f"       host={host!r}, account={owner!r}, repository={name!r}")
-        return
-
-    print("------------------------------------------------------------")
-    print(f"[REMOTE ENSURE] {ctx.identifier}")
-    print(f"[REMOTE ENSURE] host: {host}")
-    print("------------------------------------------------------------")
-
-    spec = RepoSpec(
-        host=str(host),
-        owner=str(owner),
-        name=str(name),
-        private=bool(repo.get("private", True)),
-        description=str(repo.get("description", "")),
-    )
-
-    provider_kind = str(repo.get("provider", "")).strip().lower() or None
-
-    try:
-        result = ensure_remote_repo(
-            spec,
-            provider_hint=ProviderHint(kind=provider_kind),
-            options=EnsureOptions(
-                preview=preview,
-                interactive=True,
-                allow_prompt=True,
-                save_prompt_token_to_keyring=True,
-            ),
-        )
-        print(f"[REMOTE ENSURE] {result.status.upper()}: {result.message}")
-        if result.url:
-            print(f"[REMOTE ENSURE] URL: {result.url}")
-    except Exception as exc:  # noqa: BLE001
-        # Keep action layer resilient
-        print(f"[ERROR] Remote provisioning failed: {exc}")
-
-    print()
+def _is_git_remote_url(url: str) -> bool:
+    # Keep the same filtering semantics as in git_remote.py (duplicated on purpose
+    # to keep setup_cmd independent of private helpers).
+    u = (url or "").strip()
+    if not u:
+        return False
+    if u.startswith("git@"):
+        return True
+    if u.startswith("ssh://"):
+        return True
+    if (u.startswith("https://") or u.startswith("http://")) and u.endswith(".git"):
+        return True
+    return False
 
 
 def _setup_local_mirrors_for_repo(
@@ -122,10 +31,6 @@ def _setup_local_mirrors_for_repo(
     all_repos: List[Repository],
     preview: bool,
 ) -> None:
-    """
-    Local setup:
-      - Ensure 'origin' remote exists and is sane
-    """
     ctx = build_context(repo, repositories_base_dir, all_repos)
 
     print("------------------------------------------------------------")
@@ -133,7 +38,7 @@ def _setup_local_mirrors_for_repo(
     print(f"[MIRROR SETUP:LOCAL] dir: {ctx.repo_dir}")
     print("------------------------------------------------------------")
 
-    ensure_origin_remote(repo, ctx, preview=preview)
+    ensure_origin_remote(repo, ctx, preview)
     print()
 
 
@@ -144,19 +49,7 @@ def _setup_remote_mirrors_for_repo(
     preview: bool,
     ensure_remote: bool,
 ) -> None:
-    """
-    Remote-side setup / validation.
-
-    Default behavior:
-      - Non-destructive checks using `git ls-remote`.
-
-    Optional behavior:
-      - If ensure_remote=True:
-          * Attempt to create missing repositories via provider API
-          * Uses TokenResolver (ENV -> keyring -> prompt)
-    """
     ctx = build_context(repo, repositories_base_dir, all_repos)
-    resolved_mirrors = ctx.resolved_mirrors
 
     print("------------------------------------------------------------")
     print(f"[MIRROR SETUP:REMOTE] {ctx.identifier}")
@@ -164,39 +57,32 @@ def _setup_remote_mirrors_for_repo(
     print("------------------------------------------------------------")
 
     if ensure_remote:
-        _ensure_remote_repository(
+        ensure_remote_repository(
             repo,
-            repositories_base_dir=repositories_base_dir,
-            all_repos=all_repos,
-            preview=preview,
+            repositories_base_dir,
+            all_repos,
+            preview,
         )
 
-    if not resolved_mirrors:
-        primary_url = determine_primary_remote_url(repo, resolved_mirrors)
-        if not primary_url:
-            print("[INFO] No mirrors configured and no primary URL available.")
+    # Probe only git URLs (do not try ls-remote against PyPI etc.)
+    # If there are no mirrors at all, probe the primary git URL.
+    git_mirrors = {k: v for k, v in ctx.resolved_mirrors.items() if _is_git_remote_url(v)}
+
+    if not git_mirrors:
+        primary = determine_primary_remote_url(repo, ctx)
+        if not primary or not _is_git_remote_url(primary):
+            print("[INFO] No git mirrors to probe.")
             print()
             return
 
-        ok, error_message = _probe_mirror(primary_url, ctx.repo_dir)
-        if ok:
-            print(f"[OK] primary: {primary_url}")
-        else:
-            print(f"[WARN] primary: {primary_url}")
-            for line in error_message.splitlines():
-                print(f"         {line}")
-
+        ok = probe_remote_reachable(primary, cwd=ctx.repo_dir)
+        print("[OK]" if ok else "[WARN]", primary)
         print()
         return
 
-    for name, url in sorted(resolved_mirrors.items()):
-        ok, error_message = _probe_mirror(url, ctx.repo_dir)
-        if ok:
-            print(f"[OK] {name}: {url}")
-        else:
-            print(f"[WARN] {name}: {url}")
-            for line in error_message.splitlines():
-                print(f"         {line}")
+    for name, url in git_mirrors.items():
+        ok = probe_remote_reachable(url, cwd=ctx.repo_dir)
+        print(f"[OK] {name}: {url}" if ok else f"[WARN] {name}: {url}")
 
     print()
 
@@ -210,33 +96,20 @@ def setup_mirrors(
     remote: bool = True,
     ensure_remote: bool = False,
 ) -> None:
-    """
-    Setup mirrors for the selected repositories.
-
-    local:
-      - Configure local Git remotes (ensure 'origin' exists).
-
-    remote:
-      - Non-destructive remote checks using `git ls-remote`.
-
-    ensure_remote:
-      - If True, attempt to create missing remote repositories via provider APIs.
-      - This is explicit and NEVER enabled implicitly.
-    """
     for repo in selected_repos:
         if local:
             _setup_local_mirrors_for_repo(
-                repo=repo,
-                repositories_base_dir=repositories_base_dir,
-                all_repos=all_repos,
-                preview=preview,
+                repo,
+                repositories_base_dir,
+                all_repos,
+                preview,
             )
 
         if remote:
             _setup_remote_mirrors_for_repo(
-                repo=repo,
-                repositories_base_dir=repositories_base_dir,
-                all_repos=all_repos,
-                preview=preview,
-                ensure_remote=ensure_remote,
+                repo,
+                repositories_base_dir,
+                all_repos,
+                preview,
+                ensure_remote,
             )

src/pkgmgr/actions/mirror/url_utils.py

@@ -0,0 +1,111 @@
+# src/pkgmgr/actions/mirror/url_utils.py
+from __future__ import annotations
+
+from urllib.parse import urlparse
+from typing import Optional, Tuple
+
+
+def hostport_from_git_url(url: str) -> Tuple[str, Optional[str]]:
+    url = (url or "").strip()
+    if not url:
+        return "", None
+
+    if "://" in url:
+        parsed = urlparse(url)
+        netloc = (parsed.netloc or "").strip()
+        if "@" in netloc:
+            netloc = netloc.split("@", 1)[1]
+
+        if netloc.startswith("[") and "]" in netloc:
+            host = netloc[1:netloc.index("]")]
+            rest = netloc[netloc.index("]") + 1 :]
+            port = rest[1:] if rest.startswith(":") else None
+            return host.strip(), (port.strip() if port else None)
+
+        if ":" in netloc:
+            host, port = netloc.rsplit(":", 1)
+            return host.strip(), (port.strip() or None)
+
+        return netloc.strip(), None
+
+    if "@" in url and ":" in url:
+        after_at = url.split("@", 1)[1]
+        host = after_at.split(":", 1)[0].strip()
+        return host, None
+
+    host = url.split("/", 1)[0].strip()
+    return host, None
+
+
+def normalize_provider_host(host: str) -> str:
+    host = (host or "").strip()
+    if not host:
+        return ""
+
+    if host.startswith("[") and "]" in host:
+        host = host[1:host.index("]")]
+
+    if ":" in host and host.count(":") == 1:
+        host = host.rsplit(":", 1)[0]
+
+    return host.strip().lower()
+
+
+def _strip_dot_git(name: str) -> str:
+    n = (name or "").strip()
+    if n.lower().endswith(".git"):
+        return n[:-4]
+    return n
+
+
+def parse_repo_from_git_url(url: str) -> Tuple[str, Optional[str], Optional[str]]:
+    """
+    Parse (host, owner, repo_name) from common Git remote URLs.
+
+    Supports:
+      - ssh://git@host:2201/owner/repo.git
+      - https://host/owner/repo.git
+      - git@host:owner/repo.git
+      - host/owner/repo(.git) (best-effort)
+
+    Returns:
+      (host, owner, repo_name) with owner/repo possibly None if not derivable.
+    """
+    u = (url or "").strip()
+    if not u:
+        return "", None, None
+
+    # URL-style (ssh://, https://, http://)
+    if "://" in u:
+        parsed = urlparse(u)
+        host = (parsed.hostname or "").strip()
+        path = (parsed.path or "").strip("/")
+        parts = [p for p in path.split("/") if p]
+        if len(parts) >= 2:
+            owner = parts[0]
+            repo_name = _strip_dot_git(parts[1])
+            return host, owner, repo_name
+        return host, None, None
+
+    # SCP-like: git@host:owner/repo.git
+    if "@" in u and ":" in u:
+        after_at = u.split("@", 1)[1]
+        host = after_at.split(":", 1)[0].strip()
+        path = after_at.split(":", 1)[1].strip("/")
+        parts = [p for p in path.split("/") if p]
+        if len(parts) >= 2:
+            owner = parts[0]
+            repo_name = _strip_dot_git(parts[1])
+            return host, owner, repo_name
+        return host, None, None
+
+    # Fallback: host/owner/repo.git
+    host = u.split("/", 1)[0].strip()
+    rest = u.split("/", 1)[1] if "/" in u else ""
+    parts = [p for p in rest.strip("/").split("/") if p]
+    if len(parts) >= 2:
+        owner = parts[0]
+        repo_name = _strip_dot_git(parts[1])
+        return host, owner, repo_name
+
+    return host, None, None

src/pkgmgr/actions/publish/__init__.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from .workflow import publish
+
+__all__ = ["publish"]

src/pkgmgr/actions/publish/git_tags.py

@@ -0,0 +1,10 @@
+from __future__ import annotations
+
+from pkgmgr.core.git.queries import get_tags_at_ref
+from pkgmgr.core.version.semver import SemVer, is_semver_tag
+
+
+def head_semver_tags(cwd: str = ".") -> list[str]:
+    tags = get_tags_at_ref("HEAD", cwd=cwd)
+    tags = [t for t in tags if is_semver_tag(t) and t.startswith("v")]
+    return sorted(tags, key=SemVer.parse)

src/pkgmgr/actions/publish/pypi_url.py

@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from urllib.parse import urlparse
+
+from .types import PyPITarget
+
+
+def parse_pypi_project_url(url: str) -> PyPITarget | None:
+    u = (url or "").strip()
+    if not u:
+        return None
+
+    parsed = urlparse(u)
+    host = (parsed.netloc or "").lower()
+    path = (parsed.path or "").strip("/")
+
+    if host not in ("pypi.org", "test.pypi.org"):
+        return None
+
+    parts = [p for p in path.split("/") if p]
+    if len(parts) >= 2 and parts[0] == "project":
+        return PyPITarget(host=host, project=parts[1])
+
+    return None

src/pkgmgr/actions/publish/types.py

@@ -0,0 +1,9 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class PyPITarget:
+    host: str
+    project: str

src/pkgmgr/actions/publish/workflow.py

@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+import glob
+import os
+import shutil
+import subprocess
+
+from pkgmgr.actions.mirror.io import read_mirrors_file
+from pkgmgr.actions.mirror.types import Repository
+from pkgmgr.core.credentials.resolver import ResolutionOptions, TokenResolver
+from pkgmgr.core.version.semver import SemVer
+
+from .git_tags import head_semver_tags
+from .pypi_url import parse_pypi_project_url
+
+
+def _require_tool(module: str) -> None:
+    try:
+        subprocess.run(
+            ["python", "-m", module, "--help"],
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            check=True,
+        )
+    except Exception as exc:
+        raise RuntimeError(
+            f"Required Python module '{module}' is not available. "
+            f"Install it via: pip install {module}"
+        ) from exc
+
+
+def publish(
+    repo: Repository,
+    repo_dir: str,
+    *,
+    preview: bool = False,
+    interactive: bool = True,
+    allow_prompt: bool = True,
+) -> None:
+    mirrors = read_mirrors_file(repo_dir)
+
+    targets = []
+    for url in mirrors.values():
+        t = parse_pypi_project_url(url)
+        if t:
+            targets.append(t)
+
+    if not targets:
+        print("[INFO] No PyPI mirror found. Skipping publish.")
+        return
+
+    if len(targets) > 1:
+        raise RuntimeError("Multiple PyPI mirrors found; refusing to publish.")
+
+    tags = head_semver_tags(cwd=repo_dir)
+    if not tags:
+        print("[INFO] No version tag on HEAD. Skipping publish.")
+        return
+
+    tag = max(tags, key=SemVer.parse)
+    target = targets[0]
+
+    print(f"[INFO] Publishing {target.project} for tag {tag}")
+
+    if preview:
+        print("[PREVIEW] Would build and upload to PyPI.")
+        return
+
+    _require_tool("build")
+    _require_tool("twine")
+
+    dist_dir = os.path.join(repo_dir, "dist")
+    if os.path.isdir(dist_dir):
+        shutil.rmtree(dist_dir, ignore_errors=True)
+
+    subprocess.run(
+        ["python", "-m", "build"],
+        cwd=repo_dir,
+        check=True,
+    )
+
+    artifacts = sorted(glob.glob(os.path.join(dist_dir, "*")))
+    if not artifacts:
+        raise RuntimeError("No build artifacts found in dist/.")
+
+    resolver = TokenResolver()
+
+    # Store PyPI token per OS user (keyring is already user-scoped).
+    # Do NOT scope by project name.
+    token = resolver.get_token(
+        provider_kind="pypi",
+        host=target.host,
+        owner=None,
+        options=ResolutionOptions(
+            interactive=interactive,
+            allow_prompt=allow_prompt,
+            save_prompt_token_to_keyring=True,
+        ),
+    ).token
+
+    env = dict(os.environ)
+    env["TWINE_USERNAME"] = "__token__"
+    env["TWINE_PASSWORD"] = token
+
+    subprocess.run(
+        ["python", "-m", "twine", "upload", *artifacts],
+        cwd=repo_dir,
+        env=env,
+        check=True,
+    )
+
+    print("[INFO] Publish completed.")

src/pkgmgr/actions/release/files.py

@@ -24,6 +24,8 @@ import tempfile
 from datetime import date, datetime
 from typing import Optional, Tuple
 
+from pkgmgr.core.git.queries import get_config_value
+
 
 # ---------------------------------------------------------------------------
 # Editor helper for interactive changelog messages
@@ -74,10 +76,7 @@ def _open_editor_for_changelog(initial_message: Optional[str] = None) -> str:
         except OSError:
             pass
 
-    lines = [
-        line for line in content.splitlines()
-        if not line.strip().startswith("#")
-    ]
+    lines = [line for line in content.splitlines() if not line.strip().startswith("#")]
     return "\n".join(lines).strip()
 
 
@@ -85,6 +84,7 @@ def _open_editor_for_changelog(initial_message: Optional[str] = None) -> str:
 # File update helpers (pyproject + extra packaging + changelog)
 # ---------------------------------------------------------------------------
 
+
 def update_pyproject_version(
     pyproject_path: str,
     new_version: str,
@@ -365,24 +365,6 @@ def update_changelog(
 # ---------------------------------------------------------------------------
 
 
-def _get_git_config_value(key: str) -> Optional[str]:
-    """
-    Try to read a value from `git config --get <key>`.
-    """
-    try:
-        result = subprocess.run(
-            ["git", "config", "--get", key],
-            capture_output=True,
-            text=True,
-            check=False,
-        )
-    except Exception:
-        return None
-
-    value = result.stdout.strip()
-    return value or None
-
-
 def _get_debian_author() -> Tuple[str, str]:
     """
     Determine the maintainer name/email for debian/changelog entries.
@@ -396,9 +378,9 @@ def _get_debian_author() -> Tuple[str, str]:
         email = os.environ.get("GIT_AUTHOR_EMAIL")
 
     if not name:
-        name = _get_git_config_value("user.name")
+        name = get_config_value("user.name")
     if not email:
-        email = _get_git_config_value("user.email")
+        email = get_config_value("user.email")
 
     if not name:
         name = "Unknown Maintainer"

src/pkgmgr/actions/release/git_ops.py

@@ -1,73 +1,90 @@
 from __future__ import annotations
 
-import subprocess
-
-from pkgmgr.core.git import GitError
+from pkgmgr.core.git.commands import (
+    fetch,
+    pull_ff_only,
+    push,
+    tag_force_annotated,
+)
+from pkgmgr.core.git.queries import get_upstream_ref, list_tags
 
 
-def run_git_command(cmd: str) -> None:
-    print(f"[GIT] {cmd}")
-    try:
-        subprocess.run(
-            cmd,
-            shell=True,
-            check=True,
-            text=True,
-            capture_output=True,
-        )
-    except subprocess.CalledProcessError as exc:
-        print(f"[ERROR] Git command failed: {cmd}")
-        print(f"        Exit code: {exc.returncode}")
-        if exc.stdout:
-            print("\n" + exc.stdout)
-        if exc.stderr:
-            print("\n" + exc.stderr)
-        raise GitError(f"Git command failed: {cmd}") from exc
-
-
-def _capture(cmd: str) -> str:
-    res = subprocess.run(cmd, shell=True, check=False, capture_output=True, text=True)
-    return (res.stdout or "").strip()
-
-
-def ensure_clean_and_synced(preview: bool = False) -> None:
+def ensure_clean_and_synced(*, preview: bool = False) -> None:
     """
     Always run a pull BEFORE modifying anything.
     Uses --ff-only to avoid creating merge commits automatically.
     If no upstream is configured, we skip.
     """
-    upstream = _capture("git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null")
+    upstream = get_upstream_ref()
     if not upstream:
         print("[INFO] No upstream configured for current branch. Skipping pull.")
         return
 
-    if preview:
-        print("[PREVIEW] Would run: git fetch origin --prune --tags --force")
-        print("[PREVIEW] Would run: git pull --ff-only")
-        return
-
     print("[INFO] Syncing with remote before making any changes...")
-    run_git_command("git fetch origin --prune --tags --force")
-    run_git_command("git pull --ff-only")
+
+    # Mirrors old behavior:
+    #   git fetch origin --prune --tags --force
+    #   git pull --ff-only
+    fetch(remote="origin", prune=True, tags=True, force=True, preview=preview)
+    pull_ff_only(preview=preview)
+
+
+def _parse_v_tag(tag: str) -> tuple[int, ...] | None:
+    """
+    Parse tags like 'v1.2.3' into (1, 2, 3).
+    Returns None if parsing is not possible.
+    """
+    if not tag.startswith("v"):
+        return None
+
+    raw = tag[1:]
+    if not raw:
+        return None
+
+    parts = raw.split(".")
+    out: list[int] = []
+    for p in parts:
+        if not p.isdigit():
+            return None
+        out.append(int(p))
+    return tuple(out) if out else None
+
 
 def is_highest_version_tag(tag: str) -> bool:
     """
     Return True if `tag` is the highest version among all tags matching v*.
-    Comparison uses `sort -V` for natural version ordering.
+
+    We avoid shelling out to `sort -V` and implement a small vX.Y.Z parser.
+    Non-parseable v* tags are ignored for version comparison.
     """
-    all_v = _capture("git tag --list 'v*'")
+    all_v = list_tags("v*")
     if not all_v:
-        return True  # No tags yet, so the current tag is the highest
+        return True  # No tags yet -> current is highest by definition
 
-    # Get the latest tag in natural version order
-    latest = _capture("git tag --list 'v*' | sort -V | tail -n1")
-    print(f"[INFO] Latest tag: {latest}, Current tag: {tag}")
-    
-    # Ensure that the current tag is always considered the highest if it's the latest one
-    return tag >= latest  # Use comparison operator to consider all future tags
+    parsed_current = _parse_v_tag(tag)
+    if parsed_current is None:
+        # If the "current" tag isn't parseable, fall back to conservative behavior:
+        # treat it as highest only if it matches the max lexicographically.
+        latest_lex = max(all_v)
+        print(f"[INFO] Latest tag (lex): {latest_lex}, Current tag: {tag}")
+        return tag >= latest_lex
+
+    parsed_all: list[tuple[int, ...]] = []
+    for t in all_v:
+        parsed = _parse_v_tag(t)
+        if parsed is not None:
+            parsed_all.append(parsed)
+
+    if not parsed_all:
+        # No parseable tags -> nothing to compare against
+        return True
+
+    latest = max(parsed_all)
+    print(f"[INFO] Latest tag (parsed): v{'.'.join(map(str, latest))}, Current tag: {tag}")
+    return parsed_current >= latest
 
 
-def update_latest_tag(new_tag: str, preview: bool = False) -> None:
+def update_latest_tag(new_tag: str, *, preview: bool = False) -> None:
     """
     Move the floating 'latest' tag to the newly created release tag.
 
@@ -78,15 +95,10 @@ def update_latest_tag(new_tag: str, preview: bool = False) -> None:
     target_ref = f"{new_tag}^{{}}"
     print(f"[INFO] Updating 'latest' tag to point at {new_tag} (commit {target_ref})...")
 
-    if preview:
-        print(
-            f'[PREVIEW] Would run: git tag -f -a latest {target_ref} '
-            f'-m "Floating latest tag for {new_tag}"'
-        )
-        print("[PREVIEW] Would run: git push origin latest --force")
-        return
-
-    run_git_command(
-        f'git tag -f -a latest {target_ref} -m "Floating latest tag for {new_tag}"'
+    tag_force_annotated(
+        name="latest",
+        target=target_ref,
+        message=f"Floating latest tag for {new_tag}",
+        preview=preview,
     )
-    run_git_command("git push origin latest --force")
+    push("origin", "latest", force=True, preview=preview)

src/pkgmgr/actions/release/versioning.py

@@ -7,7 +7,7 @@ Version discovery and bumping helpers for the release workflow.
 
 from __future__ import annotations
 
-from pkgmgr.core.git import get_tags
+from pkgmgr.core.git.queries import get_tags
 from pkgmgr.core.version.semver import (
     SemVer,
     find_latest_version,

src/pkgmgr/actions/release/workflow.py

@@ -1,10 +1,14 @@
 from __future__ import annotations
-from typing import Optional
+
 import os
 import sys
+from typing import Optional
 
 from pkgmgr.actions.branch import close_branch
-from pkgmgr.core.git import get_current_branch, GitError
+from pkgmgr.core.git import GitError
+from pkgmgr.core.git.commands import add, commit, push, tag_annotated
+from pkgmgr.core.git.queries import get_current_branch
+from pkgmgr.core.repository.paths import resolve_repo_paths
 
 from .files import (
     update_changelog,
@@ -18,7 +22,6 @@ from .files import (
 from .git_ops import (
     ensure_clean_and_synced,
     is_highest_version_tag,
-    run_git_command,
     update_latest_tag,
 )
 from .prompts import confirm_proceed_release, should_delete_branch
@@ -55,8 +58,12 @@ def _release_impl(
     print(f"New version:     {new_ver_str} ({release_type})")
 
     repo_root = os.path.dirname(os.path.abspath(pyproject_path))
+    paths = resolve_repo_paths(repo_root)
+
+    # --- Update versioned files ------------------------------------------------
 
     update_pyproject_version(pyproject_path, new_ver_str, preview=preview)
+
     changelog_message = update_changelog(
         changelog_path,
         new_ver_str,
@@ -64,38 +71,46 @@ def _release_impl(
         preview=preview,
     )
 
-    flake_path = os.path.join(repo_root, "flake.nix")
-    update_flake_version(flake_path, new_ver_str, preview=preview)
+    update_flake_version(paths.flake_nix, new_ver_str, preview=preview)
 
-    pkgbuild_path = os.path.join(repo_root, "PKGBUILD")
-    update_pkgbuild_version(pkgbuild_path, new_ver_str, preview=preview)
+    if paths.arch_pkgbuild:
+        update_pkgbuild_version(paths.arch_pkgbuild, new_ver_str, preview=preview)
+    else:
+        print("[INFO] No PKGBUILD found (packaging/arch/PKGBUILD or PKGBUILD). Skipping.")
 
-    spec_path = os.path.join(repo_root, "package-manager.spec")
-    update_spec_version(spec_path, new_ver_str, preview=preview)
+    if paths.rpm_spec:
+        update_spec_version(paths.rpm_spec, new_ver_str, preview=preview)
+    else:
+        print("[INFO] No RPM spec file found. Skipping spec version update.")
 
     effective_message: Optional[str] = message
     if effective_message is None and isinstance(changelog_message, str):
         if changelog_message.strip():
             effective_message = changelog_message.strip()
 
-    debian_changelog_path = os.path.join(repo_root, "debian", "changelog")
     package_name = os.path.basename(repo_root) or "package-manager"
 
-    update_debian_changelog(
-        debian_changelog_path,
-        package_name=package_name,
-        new_version=new_ver_str,
-        message=effective_message,
-        preview=preview,
-    )
+    if paths.debian_changelog:
+        update_debian_changelog(
+            paths.debian_changelog,
+            package_name=package_name,
+            new_version=new_ver_str,
+            message=effective_message,
+            preview=preview,
+        )
+    else:
+        print("[INFO] No debian changelog found. Skipping debian/changelog update.")
 
-    update_spec_changelog(
-        spec_path=spec_path,
-        package_name=package_name,
-        new_version=new_ver_str,
-        message=effective_message,
-        preview=preview,
-    )
+    if paths.rpm_spec:
+        update_spec_changelog(
+            spec_path=paths.rpm_spec,
+            package_name=package_name,
+            new_version=new_ver_str,
+            message=effective_message,
+            preview=preview,
+        )
+
+    # --- Git commit / tag / push ----------------------------------------------
 
     commit_msg = f"Release version {new_ver_str}"
     tag_msg = effective_message or commit_msg
@@ -103,20 +118,19 @@ def _release_impl(
     files_to_add = [
         pyproject_path,
         changelog_path,
-        flake_path,
-        pkgbuild_path,
-        spec_path,
-        debian_changelog_path,
+        paths.flake_nix,
+        paths.arch_pkgbuild,
+        paths.rpm_spec,
+        paths.debian_changelog,
     ]
-    existing_files = [p for p in files_to_add if p and os.path.exists(p)]
+    existing_files = [p for p in files_to_add if isinstance(p, str) and p and os.path.exists(p)]
 
     if preview:
-        for path in existing_files:
-            print(f"[PREVIEW] Would run: git add {path}")
-        print(f'[PREVIEW] Would run: git commit -am "{commit_msg}"')
-        print(f'[PREVIEW] Would run: git tag -a {new_tag} -m "{tag_msg}"')
-        print(f"[PREVIEW] Would run: git push origin {branch}")
-        print(f"[PREVIEW] Would run: git push origin {new_tag}")
+        add(existing_files, preview=True)
+        commit(commit_msg, all=True, preview=True)
+        tag_annotated(new_tag, tag_msg, preview=True)
+        push("origin", branch, preview=True)
+        push("origin", new_tag, preview=True)
 
         if is_highest_version_tag(new_tag):
             update_latest_tag(new_tag, preview=True)
@@ -130,15 +144,13 @@ def _release_impl(
                 print(f"[PREVIEW] Would ask whether to delete branch {branch} after release.")
         return
 
-    for path in existing_files:
-        run_git_command(f"git add {path}")
-
-    run_git_command(f'git commit -am "{commit_msg}"')
-    run_git_command(f'git tag -a {new_tag} -m "{tag_msg}"')
+    add(existing_files, preview=False)
+    commit(commit_msg, all=True, preview=False)
+    tag_annotated(new_tag, tag_msg, preview=False)
 
     # Push branch and ONLY the newly created version tag (no --tags)
-    run_git_command(f"git push origin {branch}")
-    run_git_command(f"git push origin {new_tag}")
+    push("origin", branch, preview=False)
+    push("origin", new_tag, preview=False)
 
     # Update 'latest' only if this is the highest version tag
     try:

src/pkgmgr/actions/repository/clone.py

@@ -1,103 +1,132 @@
-import subprocess
+from __future__ import annotations
+
 import os
+from typing import Any, Dict, List, Optional
+
+from pkgmgr.core.git.commands import clone as git_clone, GitCloneError
 from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.verify import verify_repository
 
+Repository = Dict[str, Any]
+
+
+def _build_clone_url(repo: Repository, clone_mode: str) -> Optional[str]:
+    provider = repo.get("provider")
+    account = repo.get("account")
+    name = repo.get("repository")
+    replacement = repo.get("replacement")
+
+    if clone_mode == "ssh":
+        if not provider or not account or not name:
+            return None
+        return f"git@{provider}:{account}/{name}.git"
+
+    if clone_mode in ("https", "shallow"):
+        if replacement:
+            return f"https://{replacement}.git"
+        if not provider or not account or not name:
+            return None
+        return f"https://{provider}/{account}/{name}.git"
+
+    return None
+
+
 def clone_repos(
-    selected_repos, 
-    repositories_base_dir: str, 
-    all_repos, 
-    preview: bool, 
-    no_verification: bool, 
-    clone_mode: str
-    ):
+    selected_repos: List[Repository],
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    preview: bool,
+    no_verification: bool,
+    clone_mode: str,
+) -> None:
     for repo in selected_repos:
         repo_identifier = get_repo_identifier(repo, all_repos)
         repo_dir = get_repo_dir(repositories_base_dir, repo)
+
         if os.path.exists(repo_dir):
-            print(f"[INFO] Repository '{repo_identifier}' already exists at '{repo_dir}'. Skipping clone.")
+            print(
+                f"[INFO] Repository '{repo_identifier}' already exists at '{repo_dir}'. Skipping clone."
+            )
             continue
 
         parent_dir = os.path.dirname(repo_dir)
         os.makedirs(parent_dir, exist_ok=True)
-        # Build clone URL based on the clone_mode
-        # Build clone URL based on the clone_mode
-        if clone_mode == "ssh":
-            clone_url = (
-                f"git@{repo.get('provider')}:"
-                f"{repo.get('account')}/"
-                f"{repo.get('repository')}.git"
-            )
-        elif clone_mode in ("https", "shallow"):
-            # Use replacement if defined, otherwise construct from provider/account/repository
-            if repo.get("replacement"):
-                clone_url = f"https://{repo.get('replacement')}.git"
-            else:
-                clone_url = (
-                    f"https://{repo.get('provider')}/"
-                    f"{repo.get('account')}/"
-                    f"{repo.get('repository')}.git"
-                )
-        else:
-            print(f"Unknown clone mode '{clone_mode}'. Aborting clone for {repo_identifier}.")
+
+        clone_url = _build_clone_url(repo, clone_mode)
+        if not clone_url:
+            print(f"[WARNING] Cannot build clone URL for '{repo_identifier}'. Skipping.")
             continue
 
-        # Build base clone command
-        base_clone_cmd = "git clone"
-        if clone_mode == "shallow":
-            # Shallow clone: only latest state via HTTPS, no full history
-            base_clone_cmd += " --depth 1 --single-branch"
+        shallow = clone_mode == "shallow"
+        mode_label = "HTTPS (shallow)" if shallow else clone_mode.upper()
 
-        mode_label = "HTTPS (shallow)" if clone_mode == "shallow" else clone_mode.upper()
         print(
             f"[INFO] Attempting to clone '{repo_identifier}' using {mode_label} "
             f"from {clone_url} into '{repo_dir}'."
         )
 
-        if preview:
-            print(f"[Preview] Would run: {base_clone_cmd} {clone_url} {repo_dir} in {parent_dir}")
-            result = subprocess.CompletedProcess(args=[], returncode=0)
-        else:
-            result = subprocess.run(
-                f"{base_clone_cmd} {clone_url} {repo_dir}",
+        try:
+            args = []
+            if shallow:
+                args += ["--depth", "1", "--single-branch"]
+            args += [clone_url, repo_dir]
+
+            git_clone(
+                args,
                 cwd=parent_dir,
-                shell=True,
+                preview=preview,
             )
-        
-        if result.returncode != 0:
-            # Only offer fallback if the original mode was SSH.
-            if clone_mode == "ssh":
-                print(f"[WARNING] SSH clone failed for '{repo_identifier}' with return code {result.returncode}.")
-                choice = input("Do you want to attempt HTTPS clone instead? (y/N): ").strip().lower()
-                if choice == 'y':
-                    # Attempt HTTPS clone
-                    if repo.get("replacement"):
-                        clone_url = f"https://{repo.get('replacement')}.git"
-                    else:
-                        clone_url = f"https://{repo.get('provider')}/{repo.get('account')}/{repo.get('repository')}.git"
-                    print(f"[INFO] Attempting to clone '{repo_identifier}' using HTTPS from {clone_url} into '{repo_dir}'.")
-                    if preview:
-                        print(f"[Preview] Would run: git clone {clone_url} {repo_dir} in {parent_dir}")
-                        result = subprocess.CompletedProcess(args=[], returncode=0)
-                    else:
-                        result = subprocess.run(f"git clone {clone_url} {repo_dir}", cwd=parent_dir, shell=True)
-                else:
-                    print(f"[INFO] HTTPS clone not attempted for '{repo_identifier}'.")
-                    continue
-            else:
-                # For https mode, do not attempt fallback.
-                print(f"[WARNING] HTTPS clone failed for '{repo_identifier}' with return code {result.returncode}.")
+
+        except GitCloneError as exc:
+            if clone_mode != "ssh":
+                print(f"[WARNING] Clone failed for '{repo_identifier}': {exc}")
                 continue
-        
-        # After cloning, perform verification in local mode.
+
+            print(f"[WARNING] SSH clone failed for '{repo_identifier}': {exc}")
+            choice = input("Do you want to attempt HTTPS clone instead? (y/N): ").strip().lower()
+            if choice != "y":
+                print(f"[INFO] HTTPS clone not attempted for '{repo_identifier}'.")
+                continue
+
+            fallback_url = _build_clone_url(repo, "https")
+            if not fallback_url:
+                print(f"[WARNING] Cannot build HTTPS URL for '{repo_identifier}'.")
+                continue
+
+            print(
+                f"[INFO] Attempting to clone '{repo_identifier}' using HTTPS "
+                f"from {fallback_url} into '{repo_dir}'."
+            )
+
+            try:
+                git_clone(
+                    [fallback_url, repo_dir],
+                    cwd=parent_dir,
+                    preview=preview,
+                )
+            except GitCloneError as exc2:
+                print(f"[WARNING] HTTPS clone failed for '{repo_identifier}': {exc2}")
+                continue
+
         verified_info = repo.get("verified")
-        if verified_info:
-            verified_ok, errors, commit_hash, signing_key = verify_repository(repo, repo_dir, mode="local", no_verification=no_verification)
-            if not no_verification and not verified_ok:
-                print(f"Warning: Verification failed for {repo_identifier} after cloning:")
-                for err in errors:
-                    print(f"  - {err}")
-                choice = input("Proceed anyway? (y/N): ").strip().lower()
-                if choice != "y":
-                    print(f"Skipping repository {repo_identifier} due to failed verification.")
+        if not verified_info:
+            continue
+
+        verified_ok, errors, _commit_hash, _signing_key = verify_repository(
+            repo,
+            repo_dir,
+            mode="local",
+            no_verification=no_verification,
+        )
+
+        if no_verification or verified_ok:
+            continue
+
+        print(f"Warning: Verification failed for {repo_identifier} after cloning:")
+        for err in errors:
+            print(f"  - {err}")
+
+        choice = input("Proceed anyway? (y/N): ").strip().lower()
+        if choice != "y":
+            print(f"Skipping repository {repo_identifier} due to failed verification.")

src/pkgmgr/actions/repository/create.py

@@ -1,143 +0,0 @@
-import os
-import subprocess
-import yaml
-from pkgmgr.core.command.alias import generate_alias
-from pkgmgr.core.config.save import save_user_config
-
-def create_repo(identifier, config_merged, user_config_path, bin_dir, remote=False, preview=False):
-    """
-    Creates a new repository by performing the following steps:
-    
-    1. Parses the identifier (provider:port/account/repository) and adds a new entry to the user config
-       if it is not already present. The provider part is split into provider and port (if provided).
-    2. Creates the local repository directory and initializes a Git repository.
-    3. If --remote is set, checks for an existing "origin" remote (removing it if found),
-       adds the remote using a URL built from provider, port, account, and repository,
-       creates an initial commit (e.g. with a README.md), and pushes to the remote.
-       The push is attempted on both "main" and "master" branches.
-    """
-    parts = identifier.split("/")
-    if len(parts) != 3:
-        print("Identifier must be in the format 'provider:port/account/repository' (port is optional).")
-        return
-
-    provider_with_port, account, repository = parts
-    # Split provider and port if a colon is present.
-    if ":" in provider_with_port:
-        provider_name, port = provider_with_port.split(":", 1)
-    else:
-        provider_name = provider_with_port
-        port = None
-
-    # Check if the repository is already present in the merged config (including port)
-    exists = False
-    for repo in config_merged.get("repositories", []):
-        if (repo.get("provider") == provider_name and 
-            repo.get("account") == account and 
-            repo.get("repository") == repository):
-            exists = True
-            print(f"Repository {identifier} already exists in the configuration.")
-            break
-
-    if not exists:
-        # Create a new entry with an automatically generated alias.
-        new_entry = {
-            "provider": provider_name,
-            "port": port,
-            "account": account,
-            "repository": repository,
-            "alias": generate_alias({"repository": repository, "provider": provider_name, "account": account}, bin_dir, existing_aliases=set()),
-            "verified": {}  # No initial verification info
-        }
-        # Load or initialize the user configuration.
-        if os.path.exists(user_config_path):
-            with open(user_config_path, "r") as f:
-                user_config = yaml.safe_load(f) or {}
-        else:
-            user_config = {"repositories": []}
-        user_config.setdefault("repositories", [])
-        user_config["repositories"].append(new_entry)
-        save_user_config(user_config, user_config_path)
-        print(f"Repository {identifier} added to the configuration.")
-        # Also update the merged configuration object.
-        config_merged.setdefault("repositories", []).append(new_entry)
-
-    # Create the local repository directory based on the configured base directory.
-    base_dir = os.path.expanduser(config_merged["directories"]["repositories"])
-    repo_dir = os.path.join(base_dir, provider_name, account, repository)
-    if not os.path.exists(repo_dir):
-        os.makedirs(repo_dir, exist_ok=True)
-        print(f"Local repository directory created: {repo_dir}")
-    else:
-        print(f"Local repository directory already exists: {repo_dir}")
-
-    # Initialize a Git repository if not already initialized.
-    if not os.path.exists(os.path.join(repo_dir, ".git")):
-        cmd_init = "git init"
-        if preview:
-            print(f"[Preview] Would execute: '{cmd_init}' in {repo_dir}")
-        else:
-            subprocess.run(cmd_init, cwd=repo_dir, shell=True, check=True)
-            print(f"Git repository initialized in {repo_dir}.")
-    else:
-        print("Git repository is already initialized.")
-
-    if remote:
-        # Create a README.md if it does not exist to have content for an initial commit.
-        readme_path = os.path.join(repo_dir, "README.md")
-        if not os.path.exists(readme_path):
-            if preview:
-                print(f"[Preview] Would create README.md in {repo_dir}.")
-            else:
-                with open(readme_path, "w") as f:
-                    f.write(f"# {repository}\n")
-                subprocess.run("git add README.md", cwd=repo_dir, shell=True, check=True)
-                subprocess.run('git commit -m "Initial commit"', cwd=repo_dir, shell=True, check=True)
-                print("README.md created and initial commit made.")
-
-        # Build the remote URL.
-        if provider_name.lower() == "github.com":
-            remote_url = f"git@{provider_name}:{account}/{repository}.git"
-        else:
-            if port:
-                remote_url = f"ssh://git@{provider_name}:{port}/{account}/{repository}.git"
-            else:
-                remote_url = f"ssh://git@{provider_name}/{account}/{repository}.git"
-
-        # Check if the remote "origin" already exists.
-        cmd_list = "git remote"
-        if preview:
-            print(f"[Preview] Would check for existing remotes in {repo_dir}")
-            remote_exists = False  # Assume no remote in preview mode.
-        else:
-            result = subprocess.run(cmd_list, cwd=repo_dir, shell=True, capture_output=True, text=True, check=True)
-            remote_list = result.stdout.strip().split()
-            remote_exists = "origin" in remote_list
-
-        if remote_exists:
-            # Remove the existing remote "origin".
-            cmd_remove = "git remote remove origin"
-            if preview:
-                print(f"[Preview] Would execute: '{cmd_remove}' in {repo_dir}")
-            else:
-                subprocess.run(cmd_remove, cwd=repo_dir, shell=True, check=True)
-                print("Existing remote 'origin' removed.")
-
-        # Now add the new remote.
-        cmd_remote = f"git remote add origin {remote_url}"
-        if preview:
-            print(f"[Preview] Would execute: '{cmd_remote}' in {repo_dir}")
-        else:
-            try:
-                subprocess.run(cmd_remote, cwd=repo_dir, shell=True, check=True)
-                print(f"Remote 'origin' added: {remote_url}")
-            except subprocess.CalledProcessError:
-                print(f"Failed to add remote using URL: {remote_url}.")
-
-        # Push the initial commit to the remote repository
-        cmd_push = "git push -u origin master"
-        if preview:
-            print(f"[Preview] Would execute: '{cmd_push}' in {repo_dir}")
-        else:
-            subprocess.run(cmd_push, cwd=repo_dir, shell=True, check=True)
-            print("Initial push to the remote repository completed.")

src/pkgmgr/actions/repository/create/__init__.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from .service import CreateRepoService
+
+RepositoryConfig = Dict[str, Any]
+
+__all__ = [
+    "CreateRepoService",
+    "create_repo",
+]
+
+
+def create_repo(
+    identifier: str,
+    config_merged: RepositoryConfig,
+    user_config_path: str,
+    bin_dir: str,
+    *,
+    remote: bool = False,
+    preview: bool = False,
+) -> None:
+    CreateRepoService(
+        config_merged=config_merged,
+        user_config_path=user_config_path,
+        bin_dir=bin_dir,
+    ).run(identifier=identifier, preview=preview, remote=remote)

src/pkgmgr/actions/repository/create/config_writer.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+import os
+from typing import Dict, Any, Set
+
+import yaml
+
+from pkgmgr.core.command.alias import generate_alias
+from pkgmgr.core.config.save import save_user_config
+
+Repository = Dict[str, Any]
+
+
+class ConfigRepoWriter:
+    def __init__(
+        self,
+        *,
+        config_merged: Dict[str, Any],
+        user_config_path: str,
+        bin_dir: str,
+    ):
+        self.config_merged = config_merged
+        self.user_config_path = user_config_path
+        self.bin_dir = bin_dir
+
+    def ensure_repo_entry(
+        self,
+        *,
+        host: str,
+        port: str | None,
+        owner: str,
+        name: str,
+        homepage: str,
+        preview: bool,
+    ) -> Repository:
+        repositories = self.config_merged.setdefault("repositories", [])
+
+        for repo in repositories:
+            if (
+                repo.get("provider") == host
+                and repo.get("account") == owner
+                and repo.get("repository") == name
+            ):
+                return repo
+
+        existing_aliases: Set[str] = {
+            str(r.get("alias")) for r in repositories if r.get("alias")
+        }
+
+        repo: Repository = {
+            "provider": host,
+            "port": port,
+            "account": owner,
+            "repository": name,
+            "homepage": homepage,
+            "alias": generate_alias(
+                {
+                    "repository": name,
+                    "provider": host,
+                    "account": owner,
+                },
+                self.bin_dir,
+                existing_aliases=existing_aliases,
+            ),
+            "verified": {},
+        }
+
+        if preview:
+            print(f"[Preview] Would add repository to config: {repo}")
+            return repo
+
+        if os.path.exists(self.user_config_path):
+            with open(self.user_config_path, "r", encoding="utf-8") as f:
+                user_cfg = yaml.safe_load(f) or {}
+        else:
+            user_cfg = {}
+
+        user_cfg.setdefault("repositories", []).append(repo)
+        save_user_config(user_cfg, self.user_config_path)
+
+        repositories.append(repo)
+        print(f"[INFO] Added repository to configuration: {host}/{owner}/{name}")
+
+        return repo

src/pkgmgr/actions/repository/create/git_bootstrap.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from pkgmgr.core.git.commands import (
+    GitCommitError,
+    GitPushUpstreamError,
+    add_all,
+    branch_move,
+    commit,
+    init,
+    push_upstream,
+)
+
+
+class GitBootstrapper:
+    def init_repo(self, repo_dir: str, preview: bool) -> None:
+        init(cwd=repo_dir, preview=preview)
+        add_all(cwd=repo_dir, preview=preview)
+        try:
+            commit("Initial commit", cwd=repo_dir, preview=preview)
+        except GitCommitError as exc:
+            print(f"[WARN] Initial commit failed (continuing): {exc}")
+
+    def push_default_branch(self, repo_dir: str, preview: bool) -> None:
+        try:
+            branch_move("main", cwd=repo_dir, preview=preview)
+            push_upstream("origin", "main", cwd=repo_dir, preview=preview)
+            return
+        except GitPushUpstreamError:
+            pass
+
+        try:
+            branch_move("master", cwd=repo_dir, preview=preview)
+            push_upstream("origin", "master", cwd=repo_dir, preview=preview)
+        except GitPushUpstreamError as exc:
+            print(f"[WARN] Push failed: {exc}")

src/pkgmgr/actions/repository/create/mirrors.py

@@ -0,0 +1,54 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from pkgmgr.actions.mirror.io import write_mirrors_file
+from pkgmgr.actions.mirror.setup_cmd import setup_mirrors
+
+Repository = Dict[str, Any]
+
+
+class MirrorBootstrapper:
+    """
+    MIRRORS is the single source of truth.
+
+    We write defaults to MIRRORS and then call mirror setup which will
+    configure git remotes based on MIRRORS content (but only for git URLs).
+    """
+
+    def write_defaults(
+        self,
+        *,
+        repo_dir: str,
+        primary: str,
+        name: str,
+        preview: bool,
+    ) -> None:
+        mirrors = {
+            # preferred SSH url is supplied by CreateRepoPlanner.primary_remote
+            "origin": primary,
+            # metadata only: must NEVER be configured as a git remote
+            "pypi": f"https://pypi.org/project/{name}/",
+        }
+        write_mirrors_file(repo_dir, mirrors, preview=preview)
+
+    def setup(
+        self,
+        *,
+        repo: Repository,
+        repositories_base_dir: str,
+        all_repos: list[Repository],
+        preview: bool,
+        remote: bool,
+    ) -> None:
+        # IMPORTANT: do NOT set repo["mirrors"] here.
+        # MIRRORS file is the single source of truth.
+        setup_mirrors(
+            selected_repos=[repo],
+            repositories_base_dir=repositories_base_dir,
+            all_repos=all_repos,
+            preview=preview,
+            local=True,
+            remote=True,
+            ensure_remote=remote,
+        )

src/pkgmgr/actions/repository/create/model.py

@@ -0,0 +1,12 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+
+@dataclass(frozen=True)
+class RepoParts:
+    host: str
+    port: Optional[str]
+    owner: str
+    name: str

src/pkgmgr/actions/repository/create/parser.py

@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+import re
+from typing import Tuple
+from urllib.parse import urlparse
+
+from .model import RepoParts
+
+_NAME_RE = re.compile(r"^[a-z0-9_-]+$")
+
+
+def parse_identifier(identifier: str) -> RepoParts:
+    ident = identifier.strip()
+
+    if "://" in ident or ident.startswith("git@"):
+        return _parse_git_url(ident)
+
+    parts = ident.split("/")
+    if len(parts) != 3:
+        raise ValueError("Identifier must be URL or 'provider(:port)/owner/repo'.")
+
+    host_with_port, owner, name = parts
+    host, port = _split_host_port(host_with_port)
+    _ensure_valid_repo_name(name)
+
+    return RepoParts(host=host, port=port, owner=owner, name=name)
+
+
+def _parse_git_url(url: str) -> RepoParts:
+    if url.startswith("git@") and "://" not in url:
+        left, right = url.split(":", 1)
+        host = left.split("@", 1)[1]
+        owner, name = right.lstrip("/").split("/", 1)
+        name = _strip_git_suffix(name)
+        _ensure_valid_repo_name(name)
+        return RepoParts(host=host, port=None, owner=owner, name=name)
+
+    parsed = urlparse(url)
+    host = parsed.hostname or ""
+    port = str(parsed.port) if parsed.port else None
+    path = (parsed.path or "").strip("/")
+
+    if not host or "/" not in path:
+        raise ValueError(f"Could not parse git URL: {url}")
+
+    owner, name = path.split("/", 1)
+    name = _strip_git_suffix(name)
+    _ensure_valid_repo_name(name)
+
+    return RepoParts(host=host, port=port, owner=owner, name=name)
+
+
+def _split_host_port(host: str) -> Tuple[str, str | None]:
+    if ":" in host:
+        h, p = host.split(":", 1)
+        return h, p or None
+    return host, None
+
+
+def _strip_git_suffix(name: str) -> str:
+    return name[:-4] if name.endswith(".git") else name
+
+
+def _ensure_valid_repo_name(name: str) -> None:
+    if not _NAME_RE.fullmatch(name):
+        raise ValueError(
+            "Repository name must match: lowercase a-z, 0-9, '_' and '-'."
+        )

src/pkgmgr/actions/repository/create/planner.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+import os
+from typing import Dict, Any
+
+from .model import RepoParts
+
+
+class CreateRepoPlanner:
+    def __init__(self, parts: RepoParts, repositories_base_dir: str):
+        self.parts = parts
+        self.repositories_base_dir = os.path.expanduser(repositories_base_dir)
+
+    @property
+    def repo_dir(self) -> str:
+        return os.path.join(
+            self.repositories_base_dir,
+            self.parts.host,
+            self.parts.owner,
+            self.parts.name,
+        )
+
+    @property
+    def homepage(self) -> str:
+        return f"https://{self.parts.host}/{self.parts.owner}/{self.parts.name}"
+
+    @property
+    def primary_remote(self) -> str:
+        if self.parts.port:
+            return (
+                f"ssh://git@{self.parts.host}:{self.parts.port}/"
+                f"{self.parts.owner}/{self.parts.name}.git"
+            )
+        return f"git@{self.parts.host}:{self.parts.owner}/{self.parts.name}.git"
+
+    def template_context(
+        self,
+        *,
+        author_name: str,
+        author_email: str,
+    ) -> Dict[str, Any]:
+        return {
+            "provider": self.parts.host,
+            "port": self.parts.port,
+            "account": self.parts.owner,
+            "repository": self.parts.name,
+            "homepage": self.homepage,
+            "author_name": author_name,
+            "author_email": author_email,
+            "license_text": f"All rights reserved by {author_name}",
+            "primary_remote": self.primary_remote,
+        }

src/pkgmgr/actions/repository/create/service.py

@@ -0,0 +1,97 @@
+from __future__ import annotations
+
+import os
+from typing import Dict, Any
+
+from pkgmgr.core.git.queries import get_config_value
+
+from .parser import parse_identifier
+from .planner import CreateRepoPlanner
+from .config_writer import ConfigRepoWriter
+from .templates import TemplateRenderer
+from .git_bootstrap import GitBootstrapper
+from .mirrors import MirrorBootstrapper
+
+
+class CreateRepoService:
+    def __init__(
+        self,
+        *,
+        config_merged: Dict[str, Any],
+        user_config_path: str,
+        bin_dir: str,
+    ):
+        self.config_merged = config_merged
+        self.user_config_path = user_config_path
+        self.bin_dir = bin_dir
+
+        self.templates = TemplateRenderer()
+        self.git = GitBootstrapper()
+        self.mirrors = MirrorBootstrapper()
+
+    def run(
+        self,
+        *,
+        identifier: str,
+        preview: bool,
+        remote: bool,
+    ) -> None:
+        parts = parse_identifier(identifier)
+
+        base_dir = self.config_merged.get("directories", {}).get(
+            "repositories", "~/Repositories"
+        )
+
+        planner = CreateRepoPlanner(parts, base_dir)
+
+        writer = ConfigRepoWriter(
+            config_merged=self.config_merged,
+            user_config_path=self.user_config_path,
+            bin_dir=self.bin_dir,
+        )
+
+        repo = writer.ensure_repo_entry(
+            host=parts.host,
+            port=parts.port,
+            owner=parts.owner,
+            name=parts.name,
+            homepage=planner.homepage,
+            preview=preview,
+        )
+
+        if preview:
+            print(f"[Preview] Would ensure directory exists: {planner.repo_dir}")
+        else:
+            os.makedirs(planner.repo_dir, exist_ok=True)
+
+        author_name = get_config_value("user.name") or "Unknown Author"
+        author_email = get_config_value("user.email") or "unknown@example.invalid"
+
+        self.templates.render(
+            repo_dir=planner.repo_dir,
+            context=planner.template_context(
+                author_name=author_name,
+                author_email=author_email,
+            ),
+            preview=preview,
+        )
+
+        self.git.init_repo(planner.repo_dir, preview=preview)
+
+        self.mirrors.write_defaults(
+            repo_dir=planner.repo_dir,
+            primary=planner.primary_remote,
+            name=parts.name,
+            preview=preview,
+        )
+
+        self.mirrors.setup(
+            repo=repo,
+            repositories_base_dir=os.path.expanduser(base_dir),
+            all_repos=self.config_merged.get("repositories", []),
+            preview=preview,
+            remote=remote,
+        )
+
+        if remote:
+            self.git.push_default_branch(planner.repo_dir, preview=preview)

src/pkgmgr/actions/repository/create/templates.py

@@ -0,0 +1,80 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from typing import Dict, Any
+
+from pkgmgr.core.git.queries import get_repo_root
+
+try:
+    from jinja2 import Environment, FileSystemLoader, StrictUndefined
+except Exception as exc:  # pragma: no cover
+    Environment = None  # type: ignore
+    FileSystemLoader = None  # type: ignore
+    StrictUndefined = None  # type: ignore
+    _JINJA_IMPORT_ERROR = exc
+else:
+    _JINJA_IMPORT_ERROR = None
+
+
+class TemplateRenderer:
+    def __init__(self) -> None:
+        self.templates_dir = self._resolve_templates_dir()
+
+    def render(
+        self,
+        *,
+        repo_dir: str,
+        context: Dict[str, Any],
+        preview: bool,
+    ) -> None:
+        if preview:
+            self._preview()
+            return
+
+        if Environment is None:
+            raise RuntimeError(
+                "Jinja2 is required but not available. "
+                f"Import error: {_JINJA_IMPORT_ERROR}"
+            )
+
+        env = Environment(
+            loader=FileSystemLoader(self.templates_dir),
+            undefined=StrictUndefined,
+            autoescape=False,
+            keep_trailing_newline=True,
+        )
+
+        for root, _, files in os.walk(self.templates_dir):
+            for fn in files:
+                if not fn.endswith(".j2"):
+                    continue
+
+                abs_src = os.path.join(root, fn)
+                rel_src = os.path.relpath(abs_src, self.templates_dir)
+                rel_out = rel_src[:-3]
+                abs_out = os.path.join(repo_dir, rel_out)
+
+                os.makedirs(os.path.dirname(abs_out), exist_ok=True)
+                template = env.get_template(rel_src)
+                rendered = template.render(**context)
+
+                with open(abs_out, "w", encoding="utf-8") as f:
+                    f.write(rendered)
+
+    def _preview(self) -> None:
+        for root, _, files in os.walk(self.templates_dir):
+            for fn in files:
+                if fn.endswith(".j2"):
+                    rel = os.path.relpath(
+                        os.path.join(root, fn), self.templates_dir
+                    )
+                    print(f"[Preview] Would render template: {rel} -> {rel[:-3]}")
+
+    @staticmethod
+    def _resolve_templates_dir() -> str:
+        here = Path(__file__).resolve().parent
+        root = get_repo_root(cwd=str(here))
+        if not root:
+            raise RuntimeError("Could not determine repository root for templates.")
+        return os.path.join(root, "templates", "default")

src/pkgmgr/actions/repository/pull.py

@@ -1,25 +1,30 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
+from __future__ import annotations
 
 import os
-import subprocess
 import sys
+from typing import List, Dict, Any
 
+from pkgmgr.core.git.commands import pull_args, GitPullArgsError
 from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
 from pkgmgr.core.repository.verify import verify_repository
 
+Repository = Dict[str, Any]
+
 
 def pull_with_verification(
-    selected_repos,
-    repositories_base_dir,
-    all_repos,
-    extra_args,
-    no_verification,
+    selected_repos: List[Repository],
+    repositories_base_dir: str,
+    all_repos: List[Repository],
+    extra_args: List[str],
+    no_verification: bool,
     preview: bool,
 ) -> None:
     """
     Execute `git pull` for each repository with verification.
+
+    - If verification fails and verification is enabled, prompt user to continue.
+    - Uses core.git.commands.pull_args() (no raw subprocess usage).
     """
     for repo in selected_repos:
         repo_identifier = get_repo_identifier(repo, all_repos)
@@ -37,12 +42,7 @@ def pull_with_verification(
             no_verification=no_verification,
         )
 
-        if (
-            not preview
-            and not no_verification
-            and verified_info
-            and not verified_ok
-        ):
+        if not preview and not no_verification and verified_info and not verified_ok:
             print(f"Warning: Verification failed for {repo_identifier}:")
             for err in errors:
                 print(f"  - {err}")
@@ -50,17 +50,10 @@ def pull_with_verification(
             if choice != "y":
                 continue
 
-        args_part = " ".join(extra_args) if extra_args else ""
-        full_cmd = f"git pull{(' ' + args_part) if args_part else ''}"
-
-        if preview:
-            print(f"[Preview] In '{repo_dir}': {full_cmd}")
-        else:
-            print(f"Running in '{repo_dir}': {full_cmd}")
-            result = subprocess.run(full_cmd, cwd=repo_dir, shell=True, check=False)
-            if result.returncode != 0:
-                print(
-                    f"'git pull' for {repo_identifier} failed "
-                    f"with exit code {result.returncode}."
-                )
-                sys.exit(result.returncode)
+        try:
+            pull_args(extra_args, cwd=repo_dir, preview=preview)
+        except GitPullArgsError as exc:
+            # Keep behavior consistent with previous implementation:
+            # stop on first failure and propagate return code as generic failure.
+            print(str(exc))
+            sys.exit(1)

src/pkgmgr/actions/update/manager.py

@@ -3,7 +3,7 @@
 
 from __future__ import annotations
 
-from typing import Any, Iterable
+from typing import Any, Iterable, List, Tuple
 
 from pkgmgr.actions.update.system_updater import SystemUpdater
 
@@ -30,32 +30,73 @@ class UpdateManager:
         quiet: bool,
         update_dependencies: bool,
         clone_mode: str,
+        silent: bool = False,
         force_update: bool = True,
     ) -> None:
         from pkgmgr.actions.install import install_repos
         from pkgmgr.actions.repository.pull import pull_with_verification
+        from pkgmgr.core.repository.identifier import get_repo_identifier
 
-        pull_with_verification(
-            selected_repos,
-            repositories_base_dir,
-            all_repos,
-            [],
-            no_verification,
-            preview,
-        )
+        failures: List[Tuple[str, str]] = []
 
-        install_repos(
-            selected_repos,
-            repositories_base_dir,
-            bin_dir,
-            all_repos,
-            no_verification,
-            preview,
-            quiet,
-            clone_mode,
-            update_dependencies,
-            force_update=force_update,
-        )
+        for repo in list(selected_repos):
+            identifier = get_repo_identifier(repo, all_repos)
+
+            try:
+                pull_with_verification(
+                    [repo],
+                    repositories_base_dir,
+                    all_repos,
+                    [],
+                    no_verification,
+                    preview,
+                )
+            except SystemExit as exc:
+                code = exc.code if isinstance(exc.code, int) else str(exc.code)
+                failures.append((identifier, f"pull failed (exit={code})"))
+                if not quiet:
+                    print(f"[Warning] update: pull failed for {identifier} (exit={code}). Continuing...")
+                continue
+            except Exception as exc:
+                failures.append((identifier, f"pull failed: {exc}"))
+                if not quiet:
+                    print(f"[Warning] update: pull failed for {identifier}: {exc}. Continuing...")
+                continue
+
+            try:
+                install_repos(
+                    [repo],
+                    repositories_base_dir,
+                    bin_dir,
+                    all_repos,
+                    no_verification,
+                    preview,
+                    quiet,
+                    clone_mode,
+                    update_dependencies,
+                    force_update=force_update,
+                    silent=silent,
+                    emit_summary=False,
+                )
+            except SystemExit as exc:
+                code = exc.code if isinstance(exc.code, int) else str(exc.code)
+                failures.append((identifier, f"install failed (exit={code})"))
+                if not quiet:
+                    print(f"[Warning] update: install failed for {identifier} (exit={code}). Continuing...")
+                continue
+            except Exception as exc:
+                failures.append((identifier, f"install failed: {exc}"))
+                if not quiet:
+                    print(f"[Warning] update: install failed for {identifier}: {exc}. Continuing...")
+                continue
+
+        if failures and not quiet:
+            print("\n[pkgmgr] Update finished with warnings:")
+            for ident, msg in failures:
+                print(f"  - {ident}: {msg}")
+
+        if failures and not silent:
+            raise SystemExit(1)
 
         if system_update:
             self._system_updater.run(preview=preview)

src/pkgmgr/cli/commands/__init__.py

@@ -2,6 +2,7 @@ from .repos import handle_repos_command
 from .config import handle_config
 from .tools import handle_tools_command
 from .release import handle_release
+from .publish import handle_publish
 from .version import handle_version
 from .make import handle_make
 from .changelog import handle_changelog
@@ -13,6 +14,7 @@ __all__ = [
     "handle_config",
     "handle_tools_command",
     "handle_release",
+    "handle_publish",
     "handle_version",
     "handle_make",
     "handle_changelog",

src/pkgmgr/cli/commands/changelog.py

@@ -7,7 +7,7 @@ from typing import Any, Dict, List, Optional, Tuple
 from pkgmgr.cli.context import CLIContext
 from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
-from pkgmgr.core.git import get_tags
+from pkgmgr.core.git.queries import get_tags
 from pkgmgr.core.version.semver import extract_semver_from_tags
 from pkgmgr.actions.changelog import generate_changelog
 

src/pkgmgr/cli/commands/publish.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+import os
+from typing import Any, Dict, List
+
+from pkgmgr.actions.publish import publish
+from pkgmgr.cli.context import CLIContext
+from pkgmgr.core.repository.dir import get_repo_dir
+from pkgmgr.core.repository.identifier import get_repo_identifier
+
+Repository = Dict[str, Any]
+
+
+def handle_publish(args, ctx: CLIContext, selected: List[Repository]) -> None:
+    if not selected:
+        print("[pkgmgr] No repositories selected for publish.")
+        return
+
+    for repo in selected:
+        identifier = get_repo_identifier(repo, ctx.all_repositories)
+        repo_dir = repo.get("directory") or get_repo_dir(ctx.repositories_base_dir, repo)
+
+        if not os.path.isdir(repo_dir):
+            print(f"[WARN] Skipping {identifier}: directory missing.")
+            continue
+
+        print(f"[pkgmgr] Publishing repository {identifier}...")
+        publish(
+            repo=repo,
+            repo_dir=repo_dir,
+            preview=getattr(args, "preview", False),
+            interactive=not getattr(args, "non_interactive", False),
+            allow_prompt=not getattr(args, "non_interactive", False),
+        )

src/pkgmgr/cli/commands/release.py

@@ -1,31 +1,17 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
-"""
-Release command wiring for the pkgmgr CLI.
-
-This module implements the `pkgmgr release` subcommand on top of the
-generic selection logic from cli.dispatch. It does not define its
-own subparser; the CLI surface is configured in cli.parser.
-
-Responsibilities:
-  - Take the parsed argparse.Namespace for the `release` command.
-  - Use the list of selected repositories provided by dispatch_command().
-  - Optionally list affected repositories when --list is set.
-  - For each selected repository, run pkgmgr.actions.release.release(...) in
-    the context of that repository directory.
-"""
-
 from __future__ import annotations
 
 import os
+import sys
 from typing import Any, Dict, List
 
+from pkgmgr.actions.publish import publish as run_publish
+from pkgmgr.actions.release import release as run_release
 from pkgmgr.cli.context import CLIContext
 from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
-from pkgmgr.actions.release import release as run_release
-
 
 Repository = Dict[str, Any]
 
@@ -35,23 +21,10 @@ def handle_release(
     ctx: CLIContext,
     selected: List[Repository],
 ) -> None:
-    """
-    Handle the `pkgmgr release` subcommand.
-
-    Flow:
-      1) Use the `selected` repositories as computed by dispatch_command().
-      2) If --list is given, print the identifiers of the selected repos
-         and return without running any release.
-      3) For each selected repository:
-           - Resolve its identifier and local directory.
-           - Change into that directory.
-           - Call pkgmgr.actions.release.release(...) with the parsed options.
-    """
     if not selected:
         print("[pkgmgr] No repositories selected for release.")
         return
 
-    # List-only mode: show which repositories would be affected.
     if getattr(args, "list", False):
         print("[pkgmgr] Repositories that would be affected by this release:")
         for repo in selected:
@@ -62,29 +35,22 @@ def handle_release(
     for repo in selected:
         identifier = get_repo_identifier(repo, ctx.all_repositories)
 
-        repo_dir = repo.get("directory")
-        if not repo_dir:
-            try:
-                repo_dir = get_repo_dir(ctx.repositories_base_dir, repo)
-            except Exception:
-                repo_dir = None
-
-        if not repo_dir or not os.path.isdir(repo_dir):
-            print(
-                f"[WARN] Skipping repository {identifier}: "
-                "local directory does not exist."
-            )
+        try:
+            repo_dir = repo.get("directory") or get_repo_dir(ctx.repositories_base_dir, repo)
+        except Exception as exc:
+            print(f"[WARN] Skipping repository {identifier}: failed to resolve directory: {exc}")
             continue
 
-        print(
-            f"[pkgmgr] Running release for repository {identifier} "
-            f"in '{repo_dir}'..."
-        )
+        if not os.path.isdir(repo_dir):
+            print(f"[WARN] Skipping repository {identifier}: directory missing.")
+            continue
+
+        print(f"[pkgmgr] Running release for repository {identifier}...")
 
-        # Change to repo directory and invoke the helper.
         cwd_before = os.getcwd()
         try:
             os.chdir(repo_dir)
+
             run_release(
                 pyproject_path="pyproject.toml",
                 changelog_path="CHANGELOG.md",
@@ -94,5 +60,17 @@ def handle_release(
                 force=getattr(args, "force", False),
                 close=getattr(args, "close", False),
             )
+
+            if not getattr(args, "no_publish", False):
+                print(f"[pkgmgr] Running publish for repository {identifier}...")
+                is_tty = sys.stdin.isatty()
+                run_publish(
+                    repo=repo,
+                    repo_dir=repo_dir,
+                    preview=getattr(args, "preview", False),
+                    interactive=is_tty,
+                    allow_prompt=is_tty,
+                )
+
         finally:
             os.chdir(cwd_before)

src/pkgmgr/cli/commands/repos.py

@@ -68,6 +68,7 @@ def handle_repos_command(
             args.clone_mode,
             args.dependencies,
             force_update=getattr(args, "update", False),
+            silent=getattr(args, "silent", False),
         )
         return
 

src/pkgmgr/cli/commands/tools.py

@@ -1,115 +1,41 @@
-from __future__ import annotations 
+from __future__ import annotations
 
-import json 
-import os 
-
-from typing import Any, Dict, List 
-
-from pkgmgr .cli .context import CLIContext 
-from pkgmgr .core .command .run import run_command 
-from pkgmgr .core .repository .identifier import get_repo_identifier 
-from pkgmgr .core .repository .dir import get_repo_dir 
+from typing import Any, Dict, List
 
+from pkgmgr.cli.context import CLIContext
+from pkgmgr.cli.tools import open_vscode_workspace
+from pkgmgr.cli.tools.paths import resolve_repository_path
+from pkgmgr.core.command.run import run_command
 
 Repository = Dict[str, Any]
 
 
-def _resolve_repository_path(repository: Repository, ctx: CLIContext) -> str:
-    """
-    Resolve the filesystem path for a repository.
-
-    Priority:
-      1. Use explicit keys if present (directory / path / workspace / workspace_dir).
-      2. Fallback to get_repo_dir(...) using the repositories base directory
-         from the CLI context.
-    """
-
-    # 1) Explicit path-like keys on the repository object
-    for key in ("directory", "path", "workspace", "workspace_dir"):
-        value = repository.get(key)
-        if value:
-            return value
-
-    # 2) Fallback: compute from base dir + repository metadata
-    base_dir = (
-        getattr(ctx, "repositories_base_dir", None)
-        or getattr(ctx, "repositories_dir", None)
-    )
-    if not base_dir:
-        raise RuntimeError(
-            "Cannot resolve repositories base directory from context; "
-            "expected ctx.repositories_base_dir or ctx.repositories_dir."
-        )
-
-    return get_repo_dir(base_dir, repository)
-
-
 def handle_tools_command(
     args,
     ctx: CLIContext,
     selected: List[Repository],
 ) -> None:
-
     # ------------------------------------------------------------------
     # nautilus "explore" command
     # ------------------------------------------------------------------
     if args.command == "explore":
         for repository in selected:
-            repo_path = _resolve_repository_path(repository, ctx)
-            run_command(
-                f'nautilus "{repo_path}" & disown'
-            )
-        return 
+            repo_path = resolve_repository_path(repository, ctx)
+            run_command(f'nautilus "{repo_path}" & disown')
+        return
 
     # ------------------------------------------------------------------
     # GNOME terminal command
     # ------------------------------------------------------------------
     if args.command == "terminal":
         for repository in selected:
-            repo_path = _resolve_repository_path(repository, ctx)
-            run_command(
-                f'gnome-terminal --tab --working-directory="{repo_path}"'
-            )
-        return 
+            repo_path = resolve_repository_path(repository, ctx)
+            run_command(f'gnome-terminal --tab --working-directory="{repo_path}"')
+        return
 
     # ------------------------------------------------------------------
     # VS Code workspace command
     # ------------------------------------------------------------------
     if args.command == "code":
-        if not selected:
-            print("No repositories selected.")
-            return 
-
-        identifiers = [
-            get_repo_identifier(repo, ctx.all_repositories)
-            for repo in selected
-        ]
-        sorted_identifiers = sorted(identifiers)
-        workspace_name = "_".join(sorted_identifiers) + ".code-workspace"
-
-        directories_cfg = ctx.config_merged.get("directories") or {}
-        workspaces_dir = os.path.expanduser(
-            directories_cfg.get("workspaces", "~/Workspaces")
-        )
-        os.makedirs(workspaces_dir, exist_ok=True)
-        workspace_file = os.path.join(workspaces_dir, workspace_name)
-
-        folders = [
-            {"path": _resolve_repository_path(repository, ctx)}
-            for repository in selected
-        ]
-
-        workspace_data = {
-            "folders": folders,
-            "settings": {},
-        }
-
-        if not os.path.exists(workspace_file):
-            with open(workspace_file, "w", encoding="utf-8") as f:
-                json.dump(workspace_data, f, indent=4)
-            print(f"Created workspace file: {workspace_file}")
-        else:
-            print(f"Using existing workspace file: {workspace_file}")
-
-        run_command(f'code "{workspace_file}"')
+        open_vscode_workspace(ctx, selected)
         return

src/pkgmgr/cli/commands/version.py

@@ -7,7 +7,7 @@ from typing import Any, Dict, List, Optional, Tuple
 from pkgmgr.cli.context import CLIContext
 from pkgmgr.core.repository.dir import get_repo_dir
 from pkgmgr.core.repository.identifier import get_repo_identifier
-from pkgmgr.core.git import get_tags
+from pkgmgr.core.git.queries import get_tags
 from pkgmgr.core.version.semver import SemVer, find_latest_version
 from pkgmgr.core.version.installed import (
     get_installed_python_version,

src/pkgmgr/cli/dispatch.py

@@ -1,6 +1,3 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
 from __future__ import annotations
 
 import os
@@ -16,6 +13,7 @@ from pkgmgr.cli.commands import (
     handle_repos_command,
     handle_tools_command,
     handle_release,
+    handle_publish,
     handle_version,
     handle_config,
     handle_make,
@@ -24,40 +22,20 @@ from pkgmgr.cli.commands import (
     handle_mirror_command,
 )
 
-def _has_explicit_selection(args) -> bool:
-    """
-    Return True if the user explicitly selected repositories via
-    identifiers / --all / --category / --tag / --string.
-    """
-    identifiers = getattr(args, "identifiers", []) or []
-    use_all = getattr(args, "all", False)
-    categories = getattr(args, "category", []) or []
-    tags = getattr(args, "tag", []) or []
-    string_filter = getattr(args, "string", "") or ""
 
+def _has_explicit_selection(args) -> bool:
     return bool(
-        use_all
-        or identifiers
-        or categories
-        or tags
-        or string_filter
+        getattr(args, "all", False)
+        or getattr(args, "identifiers", [])
+        or getattr(args, "category", [])
+        or getattr(args, "tag", [])
+        or getattr(args, "string", "")
     )
 
 
-def _select_repo_for_current_directory(
-    ctx: CLIContext,
-) -> List[Dict[str, Any]]:
-    """
-    Heuristic: find the repository whose local directory matches the
-    current working directory or is the closest parent.
-
-    Example:
-      - Repo directory: /home/kevin/Repositories/foo
-      - CWD:           /home/kevin/Repositories/foo/subdir
-      → 'foo' is selected.
-    """
+def _select_repo_for_current_directory(ctx: CLIContext) -> List[Dict[str, Any]]:
     cwd = os.path.abspath(os.getcwd())
-    candidates: List[tuple[str, Dict[str, Any]]] = []
+    matches = []
 
     for repo in ctx.all_repositories:
         repo_dir = repo.get("directory")
@@ -65,33 +43,24 @@ def _select_repo_for_current_directory(
             try:
                 repo_dir = get_repo_dir(ctx.repositories_base_dir, repo)
             except Exception:
-                repo_dir = None
-        if not repo_dir:
-            continue
+                continue
 
-        repo_dir_abs = os.path.abspath(os.path.expanduser(repo_dir))
-        if cwd == repo_dir_abs or cwd.startswith(repo_dir_abs + os.sep):
-            candidates.append((repo_dir_abs, repo))
+        repo_dir = os.path.abspath(os.path.expanduser(repo_dir))
+        if cwd == repo_dir or cwd.startswith(repo_dir + os.sep):
+            matches.append((repo_dir, repo))
 
-    if not candidates:
+    if not matches:
         return []
 
-    # Pick the repo with the longest (most specific) path.
-    candidates.sort(key=lambda item: len(item[0]), reverse=True)
-    return [candidates[0][1]]
+    matches.sort(key=lambda x: len(x[0]), reverse=True)
+    return [matches[0][1]]
 
 
 def dispatch_command(args, ctx: CLIContext) -> None:
-    """
-    Dispatch the parsed arguments to the appropriate command handler.
-    """
-
-    # First: proxy commands (git / docker / docker compose / make wrapper etc.)
     if maybe_handle_proxy(args, ctx):
         return
 
-    # Commands that operate on repository selections
-    commands_with_selection: List[str] = [
+    commands_with_selection = {
         "install",
         "update",
         "deinstall",
@@ -103,31 +72,25 @@ def dispatch_command(args, ctx: CLIContext) -> None:
         "list",
         "make",
         "release",
+        "publish",
         "version",
         "changelog",
         "explore",
         "terminal",
         "code",
         "mirror",
-    ]
+    }
 
-    if getattr(args, "command", None) in commands_with_selection:
-        if _has_explicit_selection(args):
-            # Classic selection logic (identifiers / --all / filters)
-            selected = get_selected_repos(args, ctx.all_repositories)
-        else:
-            # Default per help text: repository of current folder.
-            selected = _select_repo_for_current_directory(ctx)
-            # If none is found, leave 'selected' empty.
-            # Individual handlers will then emit a clear message instead
-            # of silently picking an unrelated repository.
+    if args.command in commands_with_selection:
+        selected = (
+            get_selected_repos(args, ctx.all_repositories)
+            if _has_explicit_selection(args)
+            else _select_repo_for_current_directory(ctx)
+        )
     else:
         selected = []
 
-    # ------------------------------------------------------------------ #
-    # Repos-related commands
-    # ------------------------------------------------------------------ #
-    if args.command in (
+    if args.command in {
         "install",
         "deinstall",
         "delete",
@@ -136,15 +99,13 @@ def dispatch_command(args, ctx: CLIContext) -> None:
         "shell",
         "create",
         "list",
-    ):
+    }:
         handle_repos_command(args, ctx, selected)
         return
 
-    # ------------------------------------------------------------
-    # update
-    # ------------------------------------------------------------
     if args.command == "update":
         from pkgmgr.actions.update import UpdateManager
+
         UpdateManager().run(
             selected_repos=selected,
             repositories_base_dir=ctx.repositories_base_dir,
@@ -156,25 +117,23 @@ def dispatch_command(args, ctx: CLIContext) -> None:
             quiet=args.quiet,
             update_dependencies=args.dependencies,
             clone_mode=args.clone_mode,
+            silent=getattr(args, "silent", False),
             force_update=True,
         )
         return
 
-
-    # ------------------------------------------------------------------ #
-    # Tools (explore / terminal / code)
-    # ------------------------------------------------------------------ #
     if args.command in ("explore", "terminal", "code"):
         handle_tools_command(args, ctx, selected)
         return
 
-    # ------------------------------------------------------------------ #
-    # Release / Version / Changelog / Config / Make / Branch
-    # ------------------------------------------------------------------ #
     if args.command == "release":
         handle_release(args, ctx, selected)
         return
 
+    if args.command == "publish":
+        handle_publish(args, ctx, selected)
+        return
+
     if args.command == "version":
         handle_version(args, ctx, selected)
         return

src/pkgmgr/cli/parser/__init__.py

@@ -1,68 +1,73 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
 from __future__ import annotations
 
 import argparse
 
 from pkgmgr.cli.proxy import register_proxy_commands
 
-from .common import SortedSubParsersAction
-from .install_update import add_install_update_subparsers
-from .config_cmd import add_config_subparsers
-from .navigation_cmd import add_navigation_subparsers
 from .branch_cmd import add_branch_subparsers
-from .release_cmd import add_release_subparser
-from .version_cmd import add_version_subparser
 from .changelog_cmd import add_changelog_subparser
+from .common import SortedSubParsersAction
+from .config_cmd import add_config_subparsers
+from .install_update import add_install_update_subparsers
 from .list_cmd import add_list_subparser
 from .make_cmd import add_make_subparsers
 from .mirror_cmd import add_mirror_subparsers
+from .navigation_cmd import add_navigation_subparsers
+from .publish_cmd import add_publish_subparser
+from .release_cmd import add_release_subparser
+from .version_cmd import add_version_subparser
 
 
 def create_parser(description_text: str) -> argparse.ArgumentParser:
-    """
-    Create the top-level argument parser for pkgmgr.
-    """
     parser = argparse.ArgumentParser(
         description=description_text,
         formatter_class=argparse.RawTextHelpFormatter,
     )
+
     subparsers = parser.add_subparsers(
         dest="command",
         help="Subcommands",
         action=SortedSubParsersAction,
     )
 
-    # Core repo operations
+    # create
+    p_create = subparsers.add_parser(
+        "create",
+        help="Create a new repository (scaffold + config).",
+    )
+    p_create.add_argument(
+        "identifiers",
+        nargs="+",
+        help="Repository identifier(s): URL or 'provider(:port)/owner/repo'.",
+    )
+    p_create.add_argument(
+        "--remote",
+        action="store_true",
+        help="Also push an initial commit to the remote (main/master).",
+    )
+    p_create.add_argument(
+        "--preview",
+        action="store_true",
+        help="Print actions without writing files or executing commands.",
+    )
+
     add_install_update_subparsers(subparsers)
     add_config_subparsers(subparsers)
-
-    # Navigation / tooling around repos
     add_navigation_subparsers(subparsers)
 
-    # Branch & release workflow
     add_branch_subparsers(subparsers)
     add_release_subparser(subparsers)
+    add_publish_subparser(subparsers)
 
-    # Info commands
     add_version_subparser(subparsers)
     add_changelog_subparser(subparsers)
     add_list_subparser(subparsers)
 
-    # Make wrapper
     add_make_subparsers(subparsers)
-
-    # Mirror management
     add_mirror_subparsers(subparsers)
 
-    # Proxy commands (git, docker, docker compose, ...)
     register_proxy_commands(subparsers)
-
     return parser
 
 
-__all__ = [
-    "create_parser",
-    "SortedSubParsersAction",
-]
+__all__ = ["create_parser", "SortedSubParsersAction"]

src/pkgmgr/cli/parser/common.py

@@ -168,3 +168,10 @@ def add_install_update_arguments(subparser: argparse.ArgumentParser) -> None:
         default="ssh",
         help="Specify clone mode (default: ssh).",
     )
+
+    _add_option_if_missing(
+        subparser,
+        "--silent",
+        action="store_true",
+        help="Continue with other repositories if one fails; downgrade errors to warnings.",
+    )

src/pkgmgr/cli/parser/publish_cmd.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+import argparse
+
+from .common import add_identifier_arguments
+
+
+def add_publish_subparser(subparsers: argparse._SubParsersAction) -> None:
+    parser = subparsers.add_parser(
+        "publish",
+        help="Publish repository artifacts (e.g. PyPI) based on MIRRORS.",
+    )
+    add_identifier_arguments(parser)
+
+    parser.add_argument(
+        "--non-interactive",
+        action="store_true",
+        help="Disable interactive credential prompts (CI mode).",
+    )

src/pkgmgr/cli/parser/release_cmd.py

@@ -21,22 +21,22 @@ def add_release_subparser(
             "and updating the changelog."
         ),
     )
+
     release_parser.add_argument(
         "release_type",
         choices=["major", "minor", "patch"],
         help="Type of version increment for the release (major, minor, patch).",
     )
+
     release_parser.add_argument(
         "-m",
         "--message",
         default=None,
-        help=(
-            "Optional release message to add to the changelog and tag."
-        ),
+        help="Optional release message to add to the changelog and tag.",
     )
-    # Generic selection / preview / list / extra_args
+
     add_identifier_arguments(release_parser)
-    # Close current branch after successful release
+
     release_parser.add_argument(
         "--close",
         action="store_true",
@@ -45,7 +45,7 @@ def add_release_subparser(
             "repository, if it is not main/master."
         ),
     )
-    # Force: skip preview+confirmation and run release directly
+
     release_parser.add_argument(
         "-f",
         "--force",
@@ -55,3 +55,9 @@ def add_release_subparser(
             "release directly."
         ),
     )
+
+    release_parser.add_argument(
+        "--no-publish",
+        action="store_true",
+        help="Do not run publish automatically after a successful release.",
+    )

src/pkgmgr/cli/tools/__init__.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from .vscode import open_vscode_workspace
+
+__all__ = ["open_vscode_workspace"]

src/pkgmgr/cli/tools/paths.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from pkgmgr.cli.context import CLIContext
+from pkgmgr.core.repository.dir import get_repo_dir
+
+Repository = Dict[str, Any]
+
+
+def resolve_repository_path(repository: Repository, ctx: CLIContext) -> str:
+    """
+    Resolve the filesystem path for a repository.
+
+    Priority:
+      1. Use explicit keys if present (directory / path / workspace / workspace_dir).
+      2. Fallback to get_repo_dir(...) using the repositories base directory
+         from the CLI context.
+    """
+    for key in ("directory", "path", "workspace", "workspace_dir"):
+        value = repository.get(key)
+        if value:
+            return value
+
+    base_dir = (
+        getattr(ctx, "repositories_base_dir", None)
+        or getattr(ctx, "repositories_dir", None)
+    )
+    if not base_dir:
+        raise RuntimeError(
+            "Cannot resolve repositories base directory from context; "
+            "expected ctx.repositories_base_dir or ctx.repositories_dir."
+        )
+
+    return get_repo_dir(base_dir, repository)

src/pkgmgr/cli/tools/vscode.py

@@ -0,0 +1,102 @@
+from __future__ import annotations
+
+import json
+import os
+import shutil
+from typing import Any, Dict, List
+
+from pkgmgr.cli.context import CLIContext
+from pkgmgr.cli.tools.paths import resolve_repository_path
+from pkgmgr.core.command.run import run_command
+from pkgmgr.core.repository.identifier import get_repo_identifier
+
+Repository = Dict[str, Any]
+
+
+def _ensure_vscode_cli_available() -> None:
+    """
+    Ensure that the VS Code CLI ('code') is available in PATH.
+    """
+    if shutil.which("code") is None:
+        raise RuntimeError(
+            "VS Code CLI ('code') not found in PATH.\n\n"
+            "Hint:\n"
+            "  Install Visual Studio Code and ensure the 'code' command is available.\n"
+            "  VS Code → Command Palette → 'Shell Command: Install code command in PATH'\n"
+        )
+
+
+def _ensure_identifiers_are_filename_safe(identifiers: List[str]) -> None:
+    """
+    Ensure identifiers can be used in a filename.
+
+    If an identifier contains '/', it likely means the repository has not yet
+    been explicitly identified (no short identifier configured).
+    """
+    invalid = [i for i in identifiers if "/" in i or os.sep in i]
+    if invalid:
+        raise RuntimeError(
+            "Cannot create VS Code workspace.\n\n"
+            "The following repositories are not yet identified "
+            "(identifier contains '/'): \n"
+            + "\n".join(f"  - {i}" for i in invalid)
+            + "\n\n"
+            "Hint:\n"
+            "  The repository has no short identifier yet.\n"
+            "  Add an explicit identifier in your configuration before using `pkgmgr tools code`.\n"
+        )
+
+
+def _resolve_workspaces_dir(ctx: CLIContext) -> str:
+    directories_cfg = ctx.config_merged.get("directories") or {}
+    return os.path.expanduser(directories_cfg.get("workspaces", "~/Workspaces"))
+
+
+def _build_workspace_filename(identifiers: List[str]) -> str:
+    sorted_identifiers = sorted(identifiers)
+    return "_".join(sorted_identifiers) + ".code-workspace"
+
+
+def _build_workspace_data(selected: List[Repository], ctx: CLIContext) -> Dict[str, Any]:
+    folders = [{"path": resolve_repository_path(repo, ctx)} for repo in selected]
+    return {
+        "folders": folders,
+        "settings": {},
+    }
+
+
+def open_vscode_workspace(ctx: CLIContext, selected: List[Repository]) -> None:
+    """
+    Create (if missing) and open a VS Code workspace for the selected repositories.
+
+    Policy:
+      - Fail with a clear error if VS Code CLI is missing.
+      - Fail with a clear error if any repository identifier contains '/', because that
+        indicates the repo has not been explicitly identified (no short identifier).
+      - Do NOT auto-sanitize identifiers and do NOT create subfolders under workspaces.
+    """
+    if not selected:
+        print("No repositories selected.")
+        return
+
+    _ensure_vscode_cli_available()
+
+    identifiers = [get_repo_identifier(repo, ctx.all_repositories) for repo in selected]
+    _ensure_identifiers_are_filename_safe(identifiers)
+
+    workspaces_dir = _resolve_workspaces_dir(ctx)
+    os.makedirs(workspaces_dir, exist_ok=True)
+
+    workspace_name = _build_workspace_filename(identifiers)
+    workspace_file = os.path.join(workspaces_dir, workspace_name)
+
+    workspace_data = _build_workspace_data(selected, ctx)
+
+    if not os.path.exists(workspace_file):
+        with open(workspace_file, "w", encoding="utf-8") as f:
+            json.dump(workspace_data, f, indent=4)
+        print(f"Created workspace file: {workspace_file}")
+    else:
+        print(f"Using existing workspace file: {workspace_file}")
+
+    run_command(f'code "{workspace_file}"')

src/pkgmgr/core/credentials/__init__.py

@@ -1,4 +1,3 @@
-# src/pkgmgr/core/credentials/__init__.py
 """Credential resolution for provider APIs."""
 
 from .resolver import ResolutionOptions, TokenResolver

src/pkgmgr/core/credentials/providers/__init__.py

@@ -3,9 +3,11 @@
 from .env import EnvTokenProvider
 from .keyring import KeyringTokenProvider
 from .prompt import PromptTokenProvider
+from .gh import GhTokenProvider
 
 __all__ = [
     "EnvTokenProvider",
     "KeyringTokenProvider",
     "PromptTokenProvider",
+    "GhTokenProvider",
 ]

src/pkgmgr/core/credentials/providers/gh.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+import shutil
+import subprocess
+from dataclasses import dataclass
+from typing import Optional
+
+from ..types import TokenRequest, TokenResult
+
+
+@dataclass(frozen=True)
+class GhTokenProvider:
+    """
+    Resolve a GitHub token via GitHub CLI (`gh auth token`).
+
+    This does NOT persist anything; it only reads what `gh` already knows.
+    """
+    source_name: str = "gh"
+
+    def get(self, request: TokenRequest) -> Optional[TokenResult]:
+        # Only meaningful for GitHub-like providers
+        kind = (request.provider_kind or "").strip().lower()
+        if kind not in ("github", "github.com"):
+            return None
+
+        if not shutil.which("gh"):
+            return None
+
+        host = (request.host or "").strip() or "github.com"
+
+        try:
+            out = subprocess.check_output(
+                ["gh", "auth", "token", "--hostname", host],
+                stderr=subprocess.STDOUT,
+                text=True,
+            ).strip()
+        except Exception:
+            return None
+
+        if not out:
+            return None
+
+        return TokenResult(token=out, source=self.source_name)

src/pkgmgr/core/credentials/providers/keyring.py

@@ -9,15 +9,33 @@ from ..types import KeyringUnavailableError, TokenRequest, TokenResult
 
 
 def _import_keyring():
+    """
+    Import python-keyring.
+
+    Raises:
+      KeyringUnavailableError if:
+        - library is missing
+        - no backend is configured / usable
+        - import fails for any reason
+    """
     try:
         import keyring  # type: ignore
-
-        return keyring
     except Exception as exc:  # noqa: BLE001
         raise KeyringUnavailableError(
-            "python-keyring is not available or no backend is configured."
+            "python-keyring is not installed."
         ) from exc
 
+    # Some environments have keyring installed but no usable backend.
+    # We do a lightweight "backend sanity check" by attempting to read the backend.
+    try:
+        _ = keyring.get_keyring()
+    except Exception as exc:  # noqa: BLE001
+        raise KeyringUnavailableError(
+            "python-keyring is installed but no usable keyring backend is configured."
+        ) from exc
+
+    return keyring
+
 
 @dataclass(frozen=True)
 class KeyringTokenProvider:

src/pkgmgr/core/credentials/providers/prompt.py

@@ -9,6 +9,37 @@ from typing import Optional
 from ..types import TokenRequest, TokenResult
 
 
+def _token_help_url(provider_kind: str, host: str) -> Optional[str]:
+    """
+    Return a provider-specific URL where a user can create/get an API token.
+
+    Keep this conservative and stable:
+    - GitHub: official token settings URL
+    - Gitea/Forgejo: common settings path on the given host
+    - GitLab: common personal access token path
+    """
+    kind = (provider_kind or "").strip().lower()
+    h = (host or "").strip()
+
+    # GitHub (cloud)
+    if kind == "github":
+        return "https://github.com/settings/tokens"
+
+    # Gitea / Forgejo (self-hosted)
+    if kind in ("gitea", "forgejo"):
+        # Typical UI path: Settings -> Applications -> Access Tokens
+        # In many installations this is available at /user/settings/applications
+        base = f"https://{h}".rstrip("/")
+        return f"{base}/user/settings/applications"
+
+    # GitLab (cloud or self-hosted)
+    if kind == "gitlab":
+        base = "https://gitlab.com" if not h else f"https://{h}".rstrip("/")
+        return f"{base}/-/profile/personal_access_tokens"
+
+    return None
+
+
 @dataclass(frozen=True)
 class PromptTokenProvider:
     """Interactively prompt for a token.
@@ -25,6 +56,11 @@ class PromptTokenProvider:
             return None
 
         owner_info = f" (owner: {request.owner})" if request.owner else ""
+        help_url = _token_help_url(request.provider_kind, request.host)
+
+        if help_url:
+            print(f"[INFO] Create/get your token here: {help_url}")
+
         prompt = f"Enter API token for {request.provider_kind} on {request.host}{owner_info}: "
         token = (getpass(prompt) or "").strip()
         if not token:

src/pkgmgr/core/credentials/resolver.py

@@ -1,13 +1,16 @@
 # src/pkgmgr/core/credentials/resolver.py
 from __future__ import annotations
 
+import sys
 from dataclasses import dataclass
 from typing import Optional
 
 from .providers.env import EnvTokenProvider
+from .providers.gh import GhTokenProvider
 from .providers.keyring import KeyringTokenProvider
 from .providers.prompt import PromptTokenProvider
-from .types import NoCredentialsError, TokenRequest, TokenResult
+from .types import KeyringUnavailableError, NoCredentialsError, TokenRequest, TokenResult
+from .validate import validate_token
 
 
 @dataclass(frozen=True)
@@ -20,12 +23,73 @@ class ResolutionOptions:
 
 
 class TokenResolver:
-    """Resolve tokens from multiple sources (ENV -> Keyring -> Prompt)."""
+    """
+    Resolve tokens for provider APIs using the following policy:
+
+    0) ENV (explicit user intent) -> return as-is (do NOT persist)
+    1) GitHub CLI (gh)            -> if available and token validates, return
+    2) Keyring                    -> if token validates, return; if invalid and
+                                    interactive prompting is allowed, prompt and
+                                    OVERWRITE the keyring entry
+    3) Prompt                     -> prompt and (optionally) store in keyring
+
+    Notes:
+    - Keyring requires python-keyring.
+    - Token validation is provider-specific (currently GitHub cloud).
+    """
 
     def __init__(self) -> None:
         self._env = EnvTokenProvider()
+        self._gh = GhTokenProvider()
         self._keyring = KeyringTokenProvider()
         self._prompt = PromptTokenProvider()
+        self._warned_keyring: bool = False
+
+    def _warn_keyring_unavailable(self, exc: Exception) -> None:
+        if self._warned_keyring:
+            return
+        self._warned_keyring = True
+
+        msg = str(exc).strip() or "Keyring is unavailable."
+        print("[WARN] Keyring support is not available.", file=sys.stderr)
+        print(f"       {msg}", file=sys.stderr)
+        print("       Tokens will NOT be persisted securely.", file=sys.stderr)
+        print("", file=sys.stderr)
+        print("       To enable secure token storage, install python-keyring:", file=sys.stderr)
+        print("         pip install keyring", file=sys.stderr)
+        print("", file=sys.stderr)
+        print("       Or install via system packages:", file=sys.stderr)
+        print("         sudo apt install python3-keyring", file=sys.stderr)
+        print("         sudo pacman -S python-keyring", file=sys.stderr)
+        print("         sudo dnf install python3-keyring", file=sys.stderr)
+        print("", file=sys.stderr)
+
+    def _prompt_and_maybe_store(
+        self,
+        request: TokenRequest,
+        opts: ResolutionOptions,
+    ) -> Optional[TokenResult]:
+        """
+        Prompt for a token and optionally store it in keyring.
+        If keyring is unavailable, still return the token for this run.
+        """
+        if not (opts.interactive and opts.allow_prompt):
+            return None
+
+        prompt_res = self._prompt.get(request)
+        if not prompt_res:
+            return None
+
+        if opts.save_prompt_token_to_keyring:
+            try:
+                self._keyring.set(request, prompt_res.token)  # overwrite is fine
+            except KeyringUnavailableError as exc:
+                self._warn_keyring_unavailable(exc)
+            except Exception:
+                # If keyring cannot store, still use token for this run.
+                pass
+
+        return prompt_res
 
     def get_token(
         self,
@@ -37,35 +101,43 @@ class TokenResolver:
         opts = options or ResolutionOptions()
         request = TokenRequest(provider_kind=provider_kind, host=host, owner=owner)
 
-        # 1) ENV
+        # 0) ENV (highest priority; explicit user intent)
         env_res = self._env.get(request)
         if env_res:
+            # Do NOT validate or persist env tokens automatically.
             return env_res
 
-        # 2) Keyring
+        # 1) GitHub CLI (gh) (auto-read; validate)
+        gh_res = self._gh.get(request)
+        if gh_res and validate_token(request.provider_kind, request.host, gh_res.token):
+            return gh_res
+
+        # 2) Keyring (validate; if invalid -> prompt + overwrite)
         try:
             kr_res = self._keyring.get(request)
             if kr_res:
-                return kr_res
+                if validate_token(request.provider_kind, request.host, kr_res.token):
+                    return kr_res
+
+                # Token exists but seems invalid -> re-prompt and overwrite keyring.
+                renewed = self._prompt_and_maybe_store(request, opts)
+                if renewed:
+                    return renewed
+
+        except KeyringUnavailableError as exc:
+            # Show a helpful warning once, then continue (prompt fallback).
+            self._warn_keyring_unavailable(exc)
         except Exception:
-            # Keyring missing/unavailable: ignore to allow prompt (workstations)
-            # or to fail cleanly below (headless CI without prompt).
+            # Unknown keyring errors: do not block prompting; still avoid hard crash.
             pass
 
         # 3) Prompt (optional)
-        if opts.interactive and opts.allow_prompt:
-            prompt_res = self._prompt.get(request)
-            if prompt_res:
-                if opts.save_prompt_token_to_keyring:
-                    try:
-                        self._keyring.set(request, prompt_res.token)
-                    except Exception:
-                        # If keyring cannot store, still use token for this run.
-                        pass
-                return prompt_res
+        prompt_res = self._prompt_and_maybe_store(request, opts)
+        if prompt_res:
+            return prompt_res
 
         raise NoCredentialsError(
             f"No token available for {provider_kind}@{host}"
             + (f" (owner: {owner})" if owner else "")
-            + ". Provide it via environment variable or keyring."
+            + ". Provide it via environment variable, keyring, or gh auth."
         )

src/pkgmgr/core/credentials/store_keys.py

@@ -44,6 +44,7 @@ def env_var_candidates(provider_kind: str, host: str, owner: Optional[str]) -> l
     candidates.append(f"PKGMGR_{kind}_TOKEN")
     candidates.append(f"PKGMGR_TOKEN_{kind}")
     candidates.append("PKGMGR_TOKEN")
+    
     return candidates
 
 

src/pkgmgr/core/credentials/validate.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+
+import urllib.request
+import json
+
+
+def validate_token(provider_kind: str, host: str, token: str) -> bool:
+    """
+    Return True if token appears valid for the provider.
+    Currently implemented for GitHub only.
+    """
+    kind = (provider_kind or "").strip().lower()
+    host = (host or "").strip() or "github.com"
+    token = (token or "").strip()
+    if not token:
+        return False
+
+    if kind in ("github", "github.com") and host.lower() == "github.com":
+        req = urllib.request.Request(
+            "https://api.github.com/user",
+            headers={
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/vnd.github+json",
+                "User-Agent": "pkgmgr",
+            },
+            method="GET",
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=10) as resp:
+                if resp.status != 200:
+                    return False
+                # Optional: parse to ensure body is JSON
+                _ = json.loads(resp.read().decode("utf-8"))
+                return True
+        except Exception:
+            return False
+
+    # Unknown provider: don't hard-fail validation (conservative default)
+    # If you prefer strictness: return False here.
+    return True

src/pkgmgr/core/git/__init__.py

@@ -1,5 +1,7 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
+from __future__ import annotations
+
+from .errors import GitError
+from .run import run
 
 """
 Lightweight helper functions around Git commands.
@@ -9,84 +11,7 @@ logic (release, version, changelog) does not have to deal with the
 details of subprocess handling.
 """
 
-from __future__ import annotations
-
-import subprocess
-from typing import List, Optional
-
-
-class GitError(RuntimeError):
-    """Raised when a Git command fails in an unexpected way."""
-
-
-def run_git(args: List[str], cwd: str = ".") -> str:
-    """
-    Run a Git command and return its stdout as a stripped string.
-
-    Raises GitError if the command fails.
-    """
-    cmd = ["git"] + args
-    try:
-        result = subprocess.run(
-            cmd,
-            cwd=cwd,
-            check=True,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.PIPE,
-            text=True,
-        )
-    except subprocess.CalledProcessError as exc:
-        raise GitError(
-            f"Git command failed in {cwd!r}: {' '.join(cmd)}\n"
-            f"Exit code: {exc.returncode}\n"
-            f"STDOUT:\n{exc.stdout}\n"
-            f"STDERR:\n{exc.stderr}"
-        ) from exc
-
-    return result.stdout.strip()
-
-
-def get_tags(cwd: str = ".") -> List[str]:
-    """
-    Return a list of all tags in the repository in `cwd`.
-
-    If there are no tags, an empty list is returned.
-    """
-    try:
-        output = run_git(["tag"], cwd=cwd)
-    except GitError as exc:
-        # If the repo has no tags or is not a git repo, surface a clear error.
-        # You can decide later if you want to treat this differently.
-        if "not a git repository" in str(exc):
-            raise
-        # No tags: stdout may just be empty; treat this as empty list.
-        return []
-
-    if not output:
-        return []
-
-    return [line.strip() for line in output.splitlines() if line.strip()]
-
-
-def get_head_commit(cwd: str = ".") -> Optional[str]:
-    """
-    Return the current HEAD commit hash, or None if it cannot be determined.
-    """
-    try:
-        output = run_git(["rev-parse", "HEAD"], cwd=cwd)
-    except GitError:
-        return None
-    return output or None
-
-
-def get_current_branch(cwd: str = ".") -> Optional[str]:
-    """
-    Return the current branch name, or None if it cannot be determined.
-
-    Note: In detached HEAD state this will return 'HEAD'.
-    """
-    try:
-        output = run_git(["rev-parse", "--abbrev-ref", "HEAD"], cwd=cwd)
-    except GitError:
-        return None
-    return output or None
+__all__ = [
+    "GitError",
+    "run",
+]

src/pkgmgr/core/git/commands/__init__.py

@@ -0,0 +1,72 @@
+# src/pkgmgr/core/git/commands/__init__.py
+from __future__ import annotations
+
+from .add import GitAddError, add
+from .add_all import GitAddAllError, add_all
+from .add_remote import GitAddRemoteError, add_remote
+from .add_remote_push_url import GitAddRemotePushUrlError, add_remote_push_url
+from .branch_move import GitBranchMoveError, branch_move
+from .checkout import GitCheckoutError, checkout
+from .clone import GitCloneError, clone
+from .commit import GitCommitError, commit
+from .create_branch import GitCreateBranchError, create_branch
+from .delete_local_branch import GitDeleteLocalBranchError, delete_local_branch
+from .delete_remote_branch import GitDeleteRemoteBranchError, delete_remote_branch
+from .fetch import GitFetchError, fetch
+from .init import GitInitError, init
+from .merge_no_ff import GitMergeError, merge_no_ff
+from .pull import GitPullError, pull
+from .pull_args import GitPullArgsError, pull_args  # <-- add
+from .pull_ff_only import GitPullFfOnlyError, pull_ff_only
+from .push import GitPushError, push
+from .push_upstream import GitPushUpstreamError, push_upstream
+from .set_remote_url import GitSetRemoteUrlError, set_remote_url
+from .tag_annotated import GitTagAnnotatedError, tag_annotated
+from .tag_force_annotated import GitTagForceAnnotatedError, tag_force_annotated
+
+__all__ = [
+    "add",
+    "add_all",
+    "fetch",
+    "checkout",
+    "pull",
+    "pull_args",  # <-- add
+    "pull_ff_only",
+    "merge_no_ff",
+    "push",
+    "commit",
+    "delete_local_branch",
+    "delete_remote_branch",
+    "create_branch",
+    "push_upstream",
+    "add_remote",
+    "set_remote_url",
+    "add_remote_push_url",
+    "tag_annotated",
+    "tag_force_annotated",
+    "clone",
+    "init",
+    "branch_move",
+    "GitAddError",
+    "GitAddAllError",
+    "GitFetchError",
+    "GitCheckoutError",
+    "GitPullError",
+    "GitPullArgsError",  # <-- add
+    "GitPullFfOnlyError",
+    "GitMergeError",
+    "GitPushError",
+    "GitCommitError",
+    "GitDeleteLocalBranchError",
+    "GitDeleteRemoteBranchError",
+    "GitCreateBranchError",
+    "GitPushUpstreamError",
+    "GitAddRemoteError",
+    "GitSetRemoteUrlError",
+    "GitAddRemotePushUrlError",
+    "GitTagAnnotatedError",
+    "GitTagForceAnnotatedError",
+    "GitCloneError",
+    "GitInitError",
+    "GitBranchMoveError",
+]

src/pkgmgr/core/git/commands/add.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+
+from typing import Iterable, List, Sequence, Union
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitAddError(GitCommandError):
+    """Raised when `git add` fails."""
+
+
+PathLike = Union[str, Sequence[str], Iterable[str]]
+
+
+def _normalize_paths(paths: PathLike) -> List[str]:
+    if isinstance(paths, str):
+        return [paths]
+    return [p for p in paths]
+
+
+def add(
+    paths: PathLike,
+    *,
+    cwd: str = ".",
+    preview: bool = False,
+) -> None:
+    """
+    Stage one or multiple paths.
+
+    Equivalent to:
+      git add <path...>
+    """
+    normalized = _normalize_paths(paths)
+    if not normalized:
+        return
+
+    try:
+        run(["add", *normalized], cwd=cwd, preview=preview)
+    except GitError as exc:
+        raise GitAddError(
+            f"Failed to add paths to staging area: {normalized!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/add_all.py

@@ -0,0 +1,22 @@
+# src/pkgmgr/core/git/commands/add_all.py
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitAddAllError(GitCommandError):
+    """Raised when `git add -A` fails."""
+
+
+def add_all(*, cwd: str = ".", preview: bool = False) -> None:
+    """
+    Stage all changes (tracked + untracked).
+
+    Equivalent to:
+      git add -A
+    """
+    try:
+        run(["add", "-A"], cwd=cwd, preview=preview)
+    except GitError as exc:
+        raise GitAddAllError("Failed to stage all changes with `git add -A`.", cwd=cwd) from exc

src/pkgmgr/core/git/commands/add_remote.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitAddRemoteError(GitCommandError):
+    """Raised when adding a remote fails."""
+
+
+def add_remote(
+    name: str,
+    url: str,
+    *,
+    cwd: str = ".",
+    preview: bool = False,
+) -> None:
+    """
+    Add a new remote.
+
+    Equivalent to:
+      git remote add <name> <url>
+    """
+    try:
+        run(
+            ["remote", "add", name, url],
+            cwd=cwd,
+            preview=preview,
+        )
+    except GitError as exc:
+        raise GitAddRemoteError(
+            f"Failed to add remote {name!r} with URL {url!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/add_remote_push_url.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitAddRemotePushUrlError(GitCommandError):
+    """Raised when adding an additional push URL to a remote fails."""
+
+
+def add_remote_push_url(
+    remote: str,
+    url: str,
+    *,
+    cwd: str = ".",
+    preview: bool = False,
+) -> None:
+    """
+    Add an additional push URL to a remote.
+
+    Equivalent to:
+      git remote set-url --add --push <remote> <url>
+    """
+    try:
+        run(
+            ["remote", "set-url", "--add", "--push", remote, url],
+            cwd=cwd,
+            preview=preview,
+        )
+    except GitError as exc:
+        raise GitAddRemotePushUrlError(
+            f"Failed to add push url {url!r} to remote {remote!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/branch_move.py

@@ -0,0 +1,22 @@
+# src/pkgmgr/core/git/commands/branch_move.py
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitBranchMoveError(GitCommandError):
+    """Raised when renaming/moving a branch fails."""
+
+
+def branch_move(branch: str, *, cwd: str = ".", preview: bool = False) -> None:
+    """
+    Rename the current branch to `branch`, creating it if needed.
+
+    Equivalent to:
+      git branch -M <branch>
+    """
+    try:
+        run(["branch", "-M", branch], cwd=cwd, preview=preview)
+    except GitError as exc:
+        raise GitBranchMoveError(f"Failed to move/rename current branch to {branch!r}.", cwd=cwd) from exc

src/pkgmgr/core/git/commands/checkout.py

@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitCheckoutError(GitCommandError):
+    """Raised when checking out a branch fails."""
+
+
+def checkout(branch: str, cwd: str = ".") -> None:
+    try:
+        run(["checkout", branch], cwd=cwd)
+    except GitError as exc:
+        raise GitCheckoutError(
+            f"Failed to checkout branch {branch!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/clone.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from typing import List
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitCloneError(GitCommandError):
+    """Raised when `git clone` fails."""
+
+
+def clone(
+    args: List[str],
+    *,
+    cwd: str = ".",
+    preview: bool = False,
+) -> None:
+    """
+    Execute `git clone` with caller-provided arguments.
+
+    Examples:
+      ["https://example.com/repo.git", "/path/to/dir"]
+      ["--depth", "1", "--single-branch", url, dest]
+    """
+    try:
+        run(["clone", *args], cwd=cwd, preview=preview)
+    except GitError as exc:
+        raise GitCloneError(
+            f"Git clone failed with args={args!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/commit.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitCommitError(GitCommandError):
+    """Raised when `git commit` fails."""
+
+
+def commit(
+    message: str,
+    *,
+    cwd: str = ".",
+    all: bool = False,
+    preview: bool = False,
+) -> None:
+    """
+    Create a commit.
+
+    Equivalent to:
+      git commit -m "<message>"
+    or (if all=True):
+      git commit -am "<message>"
+    """
+    args = ["commit"]
+    if all:
+        args.append("-a")
+    args += ["-m", message]
+
+    try:
+        run(args, cwd=cwd, preview=preview)
+    except GitError as exc:
+        raise GitCommitError(
+            "Failed to create commit.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/create_branch.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitCreateBranchError(GitCommandError):
+    """Raised when creating a new branch fails."""
+
+
+def create_branch(branch: str, base: str, cwd: str = ".") -> None:
+    """
+    Create a new branch from a base branch.
+
+    Equivalent to: git checkout -b <branch> <base>
+    """
+    try:
+        run(["checkout", "-b", branch, base], cwd=cwd)
+    except GitError as exc:
+        raise GitCreateBranchError(
+            f"Failed to create branch {branch!r} from base {base!r}.",
+            cwd=cwd,
+        ) from exc

src/pkgmgr/core/git/commands/delete_local_branch.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+from ..errors import GitError, GitCommandError
+from ..run import run
+
+
+class GitDeleteLocalBranchError(GitCommandError):
+    """Raised when deleting a local branch fails."""
+
+
+def delete_local_branch(branch: str, cwd: str = ".", force: bool = False) -> None:
+    flag = "-D" if force else "-d"
+    try:
+        run(["branch", flag, branch], cwd=cwd)
+    except GitError as exc:
+        raise GitDeleteLocalBranchError(
+            f"Failed to delete local branch {branch!r} (flag {flag}).",
+            cwd=cwd,
+        ) from exc