custom extensions: add --remove, ship reference YAML packs [minor-release]

- YAML schema gains optional per-tool `remove:` field
- `cps extend <pack> [tools...] --remove` runs it via bash -c, custom packs only
- Built-in packs refuse --remove explicitly; whole-pack removal also drops the rc fragment
- Ship custom-extensions/ with failures, ai-tools, praetorian, additional-cloud-tools, database
- Drop Praetorian tools from built-in manifest (now live in custom pack)

Author: Tanq16

README.md

@@ -80,10 +80,10 @@ cps extend security nuclei subfinder  # pick specific tools
 | core | Dev tools, network utils, media packages (cmake, nmap, ffmpeg, aerospace) |
 | runtimes | uv, fnm, bun, Go, Python (includes uv), Rust, Node.js LTS (includes fnm) |
 | cloud | AWS CLI, Azure CLI, gcloud CLI |
-| security | nuclei, naabu, subfinder, proxify, httpx, dnsx, trufflehog, gobuster, titus, nuclei-templates |
-| cloudsec | terraform, kubectl, kubelogin, grpcurl, cloudfox, aurelian, trivy, cloudlist |
-| appsec | katana, ffuf, hadrian, dalfox, reaper, poltergeist, wraith, gau |
-| misc | julius, trajan, gowitness, snitch, age |
+| security | nuclei, naabu, subfinder, proxify, httpx, dnsx, trufflehog, gobuster, nuclei-templates |
+| cloudsec | terraform, kubectl, kubelogin, grpcurl, cloudfox, trivy, cloudlist |
+| appsec | katana, ffuf, dalfox, reaper, poltergeist, wraith, gau |
+| misc | gowitness, snitch, age |
 | private | Personal tools (requires `--gh-token`) |
 
 Packs with shell integration (`runtimes`, `cloud`, `security`) deploy RC fragments automatically.

cmd/extend.go

@@ -6,6 +6,8 @@ import (
 	"github.com/tanq16/cli-productivity-suite/internal/runner"
 )
 
+var extendRemoveFlag bool
+
 var extendCmd = &cobra.Command{
 	Use:   "extend <pack-name> [tools...]",
 	Short: "Install extension tool packs (e.g., security, cloudsec, runtimes)",
@@ -23,6 +25,14 @@ var extendCmd = &cobra.Command{
 			runner.ExtendList()
 			return
 		}
+		if extendRemoveFlag {
+			runner.ExtendRemove(args[0], args[1:])
+			return
+		}
 		runner.Extend(args[0], args[1:], ghToken)
 	},
 }
+
+func init() {
+	extendCmd.Flags().BoolVar(&extendRemoveFlag, "remove", false, "Remove tool(s) from a custom extension pack (custom packs only)")
+}

custom-extensions/additional-cloud-tools.yaml

@@ -0,0 +1,66 @@
+name: additional-cloud-tools
+description: Extra cloud and IaC tooling (uv-managed Python CLIs and OpenTofu)
+
+tools:
+  - name: checkov
+    install: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool install --force checkov
+    remove: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool uninstall checkov
+
+  - name: prowler
+    install: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool install --force prowler
+    remove: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool uninstall prowler
+
+  - name: oci-cli
+    install: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool install --force oci-cli
+    remove: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool uninstall oci-cli
+
+  - name: tofu
+    install: |
+      set -eo pipefail
+      DEST_DIR="$HOME/shell/extensions"
+      mkdir -p "$DEST_DIR"
+      case "$(uname -s)" in
+        Darwin) OS=darwin ;;
+        Linux) OS=linux ;;
+        *) echo "unsupported OS: $(uname -s)" >&2; exit 1 ;;
+      esac
+      case "$(uname -m)" in
+        x86_64|amd64) ARCH=amd64 ;;
+        arm64|aarch64) ARCH=arm64 ;;
+        *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
+      esac
+      TAG=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
+        https://github.com/opentofu/opentofu/releases/latest | sed 's|.*/tag/||')
+      VERSION=${TAG#v}
+      URL="https://github.com/opentofu/opentofu/releases/download/${TAG}/tofu_${VERSION}_${OS}_${ARCH}.tar.gz"
+      TMP=$(mktemp -d)
+      trap 'rm -rf "$TMP"' EXIT
+      curl -fsSL "$URL" -o "$TMP/tofu.tar.gz"
+      tar -xzf "$TMP/tofu.tar.gz" -C "$TMP"
+      install -m 0755 "$TMP/tofu" "$DEST_DIR/tofu"
+    remove: |
+      rm -f "$HOME/shell/extensions/tofu"

custom-extensions/ai-tools.yaml

@@ -0,0 +1,85 @@
+name: ai-tools
+description: AI coding agents and LLM CLIs
+
+tools:
+  - name: claude-code
+    install: |
+      curl -fsSL https://claude.ai/install.sh | bash
+    remove: |
+      rm -f "$HOME/.local/bin/claude"
+      rm -rf "$HOME/.local/share/claude"
+
+  - name: opencode
+    install: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm install -g opencode-ai@latest
+    remove: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm uninstall -g opencode-ai
+
+  - name: gemini
+    install: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm install -g @google/gemini-cli
+    remove: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm uninstall -g @google/gemini-cli
+
+  - name: codex
+    install: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm install -g @openai/codex
+    remove: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm uninstall -g @openai/codex
+
+  - name: crush
+    install: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm install -g @charmland/crush
+    remove: |
+      set -eo pipefail
+      export FNM_DIR="$HOME/shell/fnm"
+      "$HOME/shell/extensions/fnm" exec --using=lts-latest -- \
+        npm uninstall -g @charmland/crush
+
+  - name: aix
+    install: |
+      set -eo pipefail
+      DEST_DIR="$HOME/shell/extensions"
+      mkdir -p "$DEST_DIR"
+      case "$(uname -s)" in
+        Darwin) OS=macOS ;;
+        Linux) OS=linux ;;
+        *) echo "unsupported OS: $(uname -s)" >&2; exit 1 ;;
+      esac
+      case "$(uname -m)" in
+        x86_64|amd64) ARCH=amd64 ;;
+        arm64|aarch64) ARCH=arm64 ;;
+        *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
+      esac
+      TAG=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
+        https://github.com/projectdiscovery/aix/releases/latest | sed 's|.*/tag/||')
+      VERSION=${TAG#v}
+      URL="https://github.com/projectdiscovery/aix/releases/download/${TAG}/aix_${VERSION}_${OS}_${ARCH}.zip"
+      TMP=$(mktemp -d)
+      trap 'rm -rf "$TMP"' EXIT
+      curl -fsSL "$URL" -o "$TMP/aix.zip"
+      unzip -qo "$TMP/aix.zip" -d "$TMP"
+      install -m 0755 "$TMP/aix" "$DEST_DIR/aix"
+    remove: |
+      rm -f "$HOME/shell/extensions/aix"

custom-extensions/database.yaml

@@ -0,0 +1,35 @@
+name: database
+description: Interactive database CLIs
+
+tools:
+  - name: pgcli
+    install: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool install --force pgcli
+    remove: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool uninstall pgcli
+
+  - name: mycli
+    install: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool install --force mycli
+    remove: |
+      set -eo pipefail
+      export UV_TOOL_DIR="$HOME/shell/uv-tools"
+      export UV_TOOL_BIN_DIR="$HOME/shell/uv-tool-executables"
+      "$HOME/shell/executables/uv" tool uninstall mycli
+
+  - name: usql
+    install: |
+      set -eo pipefail
+      brew tap xo/xo
+      brew install usql
+    remove: |
+      brew uninstall usql

custom-extensions/failures.yaml

@@ -0,0 +1,34 @@
+name: failures
+description: Stopgap installations for fixing tools that have active upstream issues
+
+tools:
+  - name: gcloud
+    install: |
+      set -eo pipefail
+      INSTALL_DIR="$HOME/shell/extensions/gcloud"
+      mkdir -p "$INSTALL_DIR"
+      cd "$INSTALL_DIR"
+      OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+      case "$(uname -m)" in
+        x86_64|amd64) ARCH=x86_64 ;;
+        arm64|aarch64) ARCH=arm ;;
+        *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
+      esac
+      URL="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${OS}-${ARCH}.tar.gz"
+      curl -fsSL "$URL" -o gcloud.tar.gz
+      rm -rf google-cloud-sdk
+      tar -xzf gcloud.tar.gz
+      rm -f gcloud.tar.gz
+      ./google-cloud-sdk/install.sh \
+        --quiet \
+        --path-update=false \
+        --usage-reporting=false \
+        --command-completion=false
+    remove: |
+      rm -rf "$HOME/shell/extensions/gcloud"
+
+shell:
+  path_prepend:
+    - $HOME/shell/extensions/gcloud/google-cloud-sdk/bin
+  source:
+    - $HOME/shell/extensions/gcloud/google-cloud-sdk/completion.zsh.inc