@genrtl/grtl 0.3.0 → 0.4.1

package/README.md

@@ -32,9 +32,18 @@ grtl setup --mcp --codex
 grtl setup --mcp --cursor --project
 ```
 
-Without `--cli` or `--mcp`, setup asks which mode to install.
-
-For Codex, Skills are installed under `.agents/skills` for project setup or
+Without `--cli` or `--mcp`, setup asks which mode to install.
+
+Installing a newer npm package does not modify Skills already written to an
+agent configuration directory. Run the matching setup command again after an
+upgrade to refresh the Skill. For example:
+
+```bash
+grtl setup --cli --cursor
+grtl setup --cli --cursor --project
+```
+
+For Codex, Skills are installed under `.agents/skills` for project setup or
 `~/.agents/skills` for global setup. MCP mode also updates
 `.codex/config.toml` or `~/.codex/config.toml`.
 
@@ -54,12 +63,31 @@ grtl verification-search "Verify an async FIFO"
 grtl debug-search "Explain this Vivado CDC warning"
 ```
 
-Use `--json` for structured output. `--type` accepts `spec2rtl`, `spec2plan`, `verification`, or `debug`; other filters include
-`--domain`, `--tool`, `--tool-version`, `--error-type`, `--severity`,
-`--interface`, `--target`, `--tag`, `--top-k`, `--min-score`, and
-`--workspace-id`.
-
-## Development
+Use `--json` for structured output. `--type` accepts `spec2rtl`, `spec2plan`, `verification`, or `debug`; other filters include
+`--domain`, `--tool`, `--tool-version`, `--error-type`, `--severity`,
+`--interface`, `--target`, `--tag`, `--top-k`, `--min-score`, and
+`--workspace-id`.
+
+## CBB Installation
+
+Install an exact reusable RTL CBB version into the current project:
+
+```bash
+grtl cbb install cbb_uart@1.2.0
+grtl cbb install cbb_uart@1.2.0 --target rtl/vendor/uart
+```
+
+The command calls the hosted `genrtl_cbb_acquire` MCP tool with
+`GRTL_API_KEY`, downloads the short-lived ZIP artifact, verifies its size and
+SHA-256, safely extracts it, and atomically installs it. The default target is
+`rtl/cbb/<cbb_id>_<version>`.
+
+Installed packages are recorded in `.genrtl/cbb-lock.json`. Existing targets
+are left untouched unless `--force` is provided; replacement occurs only after
+the new archive has been fully verified and extracted. Use `--json` for
+machine-readable output.
+
+## Development
 
 ```bash
 pnpm install

package/dist/index.js

@@ -2,7 +2,7 @@
 
 // src/index.ts
 import { Command as Command2 } from "commander";
-import pc6 from "picocolors";
+import pc7 from "picocolors";
 import figlet from "figlet";
 
 // src/commands/setup.ts
@@ -381,15 +381,19 @@ Choose one tool:
 - \`genrtl_debug_search\` for lint, CDC, compile, synthesis, and RTL bugs
 
 Pass the complete engineering question in \`query\`. Add filters only when useful.`;
-var FALLBACK_CLI = `Use the \`grtl\` CLI for grounded RTL engineering knowledge.
+var FALLBACK_CLI = `Use the \`grtl\` CLI for grounded RTL engineering knowledge and reusable CBB installation.
 
-Choose one command:
+For knowledge retrieval, choose one command:
 - \`npx @genrtl/grtl@latest knowledge-search "<query>"\`
 - \`npx @genrtl/grtl@latest spec2rtl-search "<query>"\`
 - \`npx @genrtl/grtl@latest spec2plan-search "<query>"\`
 - \`npx @genrtl/grtl@latest verification-search "<query>"\`
 - \`npx @genrtl/grtl@latest debug-search "<query>"\`
 
+To install a reusable RTL block into the current project:
+- \`npx @genrtl/grtl@latest cbb install <cbb_id>@<version>\`
+- Add \`--target <relative-dir>\` only when a non-default install path is needed.
+
 Pass the complete engineering question. Add filters such as \`--tool\`,
 \`--tool-version\`, \`--target\`, \`--interface\`, or \`--tag\` when known.
 If authentication fails, set \`GRTL_API_KEY\` or \`GENRTL_API_KEY\` in the
@@ -422,15 +426,15 @@ Pass the complete engineering question in \`query\`. Add \`filters\`, \`top_k\`,
 `;
 var CLI_SKILL = `---
 name: genrtl-cli
-description: Use the grtl CLI for grounded RTL design, verification, lint, CDC, synthesis, compile, and debugging knowledge.
+description: Use the grtl CLI for grounded RTL design, verification, debugging knowledge, and secure installation of reusable RTL CBBs.
 ---
 
 # GenRTL CLI
 
-Use this skill when an RTL engineering task needs grounded GenRTL knowledge and
-the GenRTL MCP server is not configured.
+Use this skill when an RTL engineering task needs grounded GenRTL knowledge or
+a reusable CBB must be installed into the user's local project.
 
-Choose exactly one command:
+For knowledge retrieval, choose exactly one command:
 
 - \`grtl knowledge-search "<query>" --json\` for cross-domain RTL questions.
 - \`grtl spec2rtl-search "<query>" --json\` for requirements, protocols, control logic, or algorithm-to-RTL work.
@@ -438,6 +442,12 @@ Choose exactly one command:
 - \`grtl verification-search "<query>" --json\` for testbenches and verification.
 - \`grtl debug-search "<query>" --json\` for lint, CDC, compile, synthesis, or RTL bugs.
 
+For a CBB selected from GenRTL search results:
+
+- \`grtl cbb install <cbb_id>@<version>\` downloads, verifies, and safely extracts it.
+- Add \`--target <relative-dir>\` only when the user requests a specific project path.
+- Do not download or extract the artifact manually; the CLI verifies SHA-256 and prevents unsafe ZIP paths.
+
 Pass the complete engineering question. Add filters such as \`--tool\`,
 \`--tool-version\`, \`--target\`, \`--interface\`, or \`--tag\` only when useful.
 The CLI requires \`GRTL_API_KEY\` or \`GENRTL_API_KEY\` in its environment.
@@ -859,6 +869,9 @@ import { InvalidArgumentError } from "commander";
 import pc4 from "picocolors";
 import ora2 from "ora";
 
+// src/utils/knowledge-api.ts
+import { randomUUID } from "crypto";
+
 // src/constants.ts
 import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
@@ -901,7 +914,7 @@ function getStructuredMcpError(content) {
     code: typeof errorContent.code === "string" ? errorContent.code : void 0
   };
 }
-async function callGenrtlKnowledgeTool(toolName, input) {
+async function callGenrtlMcpTool(toolName, input) {
   const apiKey = getApiKey();
   if (!apiKey) {
     throw new Error("Authentication required. Set GRTL_API_KEY or GENRTL_API_KEY.");
@@ -933,14 +946,18 @@ async function callGenrtlKnowledgeTool(toolName, input) {
   if (!result) throw new Error("GenRTL MCP returned an empty result.");
   if (result.isError) {
     const structuredError = getStructuredMcpError(result.structuredContent);
-    const message = structuredError?.error || getMcpErrorMessage(result.content) || "GenRTL knowledge search failed.";
+    const message = structuredError?.error || getMcpErrorMessage(result.content) || "GenRTL MCP tool call failed.";
     throw new Error(structuredError?.code ? `${message} (${structuredError.code})` : message);
   }
   if (!result.structuredContent) {
-    throw new Error("GenRTL MCP response did not include structured knowledge results.");
+    throw new Error("GenRTL MCP response did not include structured results.");
   }
   return result.structuredContent;
 }
+async function callGenrtlKnowledgeTool(toolName, input) {
+  const requestInput = input.idempotency_key ? input : { ...input, idempotency_key: randomUUID() };
+  return callGenrtlMcpTool(toolName, requestInput);
+}
 
 // src/commands/knowledge.ts
 var isTTY = process.stdout.isTTY;
@@ -1085,23 +1102,485 @@ function registerKnowledgeCommands(program2) {
   }
 }
 
+// src/commands/cbb.ts
+import ora3 from "ora";
+import pc5 from "picocolors";
+
+// src/utils/cbb-install.ts
+import { createHash, randomUUID as randomUUID2 } from "crypto";
+import { createWriteStream } from "fs";
+import {
+  access as access3,
+  mkdir as mkdir4,
+  mkdtemp,
+  open,
+  readFile as readFile3,
+  realpath,
+  rename,
+  rm as rm2,
+  writeFile as writeFile4
+} from "fs/promises";
+import { dirname as dirname6, isAbsolute, join as join4, relative, resolve as resolve3, sep } from "path";
+import { Transform } from "stream";
+import { pipeline } from "stream/promises";
+import yauzl from "yauzl";
+var MAX_ARCHIVE_BYTES = 512 * 1024 * 1024;
+var MAX_EXTRACTED_BYTES = 512 * 1024 * 1024;
+var MAX_ENTRY_BYTES = 128 * 1024 * 1024;
+var MAX_COMPRESSION_RATIO = 200;
+var MAX_ZIP_ENTRIES = 1e4;
+function pathExists2(path) {
+  return access3(path).then(
+    () => true,
+    () => false
+  );
+}
+function safePathPart(value) {
+  return value.replace(/[^A-Za-z0-9._-]+/g, "_");
+}
+function parseCbbSpec(spec) {
+  const separator = spec.lastIndexOf("@");
+  if (separator <= 0 || separator === spec.length - 1) {
+    throw new Error("CBB must use the form <cbb_id>@<version>.");
+  }
+  const cbbId = spec.slice(0, separator).trim();
+  const version = spec.slice(separator + 1).trim();
+  if (!cbbId || !version) {
+    throw new Error("CBB must use the form <cbb_id>@<version>.");
+  }
+  return { cbbId, version };
+}
+function defaultCbbTarget(cbbId, version) {
+  return `rtl/cbb/${safePathPart(cbbId)}_${safePathPart(version)}`;
+}
+function normalizeRelativeTarget(value) {
+  const slashPath = value.trim().replace(/\\/g, "/").replace(/\/+/g, "/");
+  if (!slashPath || slashPath.includes("\0") || slashPath.startsWith("/") || /^[A-Za-z]:/.test(slashPath)) {
+    throw new Error("Target must be a non-empty project-relative path.");
+  }
+  const parts = slashPath.split("/").filter((part) => part && part !== ".");
+  if (parts.length === 0 || parts.some(
+    (part) => part === ".." || part.length > 255 || part.includes(":") || part.endsWith(".") || part.endsWith(" ") || windowsReservedName(part)
+  )) {
+    throw new Error("Target must not escape the project directory.");
+  }
+  return parts.join("/");
+}
+function resolveProjectTarget(projectRoot, targetDir) {
+  const targetPath = resolve3(projectRoot, ...targetDir.split("/"));
+  const relativePath = relative(projectRoot, targetPath);
+  if (!relativePath || relativePath.startsWith(`..${sep}`) || isAbsolute(relativePath)) {
+    throw new Error("Target must resolve inside the project directory.");
+  }
+  return targetPath;
+}
+async function readLockfile(projectRoot) {
+  const lockPath = join4(projectRoot, ".genrtl", "cbb-lock.json");
+  if (!await pathExists2(lockPath)) {
+    return { schema_version: 1, packages: {} };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(await readFile3(lockPath, "utf8"));
+  } catch {
+    throw new Error(`Invalid CBB lockfile: ${lockPath}`);
+  }
+  if (!parsed || typeof parsed !== "object" || parsed.schema_version !== 1 || !parsed.packages || typeof parsed.packages !== "object") {
+    throw new Error(`Unsupported CBB lockfile format: ${lockPath}`);
+  }
+  return parsed;
+}
+async function prepareCbbInstall(projectRootInput, targetInput, cbbId, version, force) {
+  const projectRoot = await realpath(resolve3(projectRootInput));
+  const targetDir = normalizeRelativeTarget(targetInput);
+  const targetPath = resolveProjectTarget(projectRoot, targetDir);
+  if (!force && await pathExists2(targetPath)) {
+    throw new Error(`Target already exists: ${targetPath}. Use --force to replace it.`);
+  }
+  await readLockfile(projectRoot);
+  const projectHash = createHash("sha256").update(projectRoot).digest("hex");
+  const operationHash = createHash("sha256").update(`${projectRoot}\0${targetDir}\0${cbbId}\0${version}`).digest("hex");
+  return {
+    projectRoot,
+    targetDir,
+    targetPath,
+    workspaceId: `cli:${projectHash.slice(0, 40)}`,
+    jobId: `cbb-install:${safePathPart(cbbId)}@${safePathPart(version)}:${operationHash.slice(0, 16)}`,
+    idempotencyKey: `grtl-cbb-install:${operationHash}`
+  };
+}
+async function writeAll(file, chunk) {
+  let offset = 0;
+  while (offset < chunk.byteLength) {
+    const { bytesWritten } = await file.write(chunk, offset, chunk.byteLength - offset, null);
+    if (bytesWritten <= 0) throw new Error("Failed to write downloaded artifact.");
+    offset += bytesWritten;
+  }
+}
+async function downloadArtifact(descriptor, archivePath) {
+  if (!Number.isSafeInteger(descriptor.file_size) || descriptor.file_size <= 0 || descriptor.file_size > MAX_ARCHIVE_BYTES) {
+    throw new Error("CBB archive size is invalid or exceeds the 512 MiB limit.");
+  }
+  if (!/^[a-fA-F0-9]{64}$/.test(descriptor.sha256)) {
+    throw new Error("CBB archive SHA256 is invalid.");
+  }
+  const response = await fetch(descriptor.artifact_url, {
+    redirect: "follow",
+    headers: { Accept: "application/zip, application/octet-stream" }
+  });
+  if (!response.ok || !response.body) {
+    const message = (await response.text().catch(() => "")).slice(0, 500);
+    throw new Error(
+      `CBB download failed with HTTP ${response.status}${message ? `: ${message}` : ""}`
+    );
+  }
+  const contentLength = Number(response.headers.get("content-length"));
+  if (Number.isFinite(contentLength) && contentLength > MAX_ARCHIVE_BYTES) {
+    throw new Error("CBB download exceeds the 512 MiB limit.");
+  }
+  const hash = createHash("sha256");
+  const file = await open(archivePath, "wx");
+  let downloaded = 0;
+  try {
+    const reader = response.body.getReader();
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      downloaded += value.byteLength;
+      if (downloaded > MAX_ARCHIVE_BYTES || downloaded > descriptor.file_size) {
+        await reader.cancel();
+        throw new Error("CBB download exceeded the declared archive size.");
+      }
+      hash.update(value);
+      await writeAll(file, value);
+    }
+  } finally {
+    await file.close();
+  }
+  if (downloaded !== descriptor.file_size) {
+    throw new Error(
+      `CBB archive size mismatch: expected ${descriptor.file_size}, received ${downloaded}.`
+    );
+  }
+  const actualSha256 = hash.digest("hex");
+  if (actualSha256 !== descriptor.sha256.toLowerCase()) {
+    throw new Error("CBB archive SHA256 verification failed.");
+  }
+}
+function windowsReservedName(part) {
+  const stem = part.split(".")[0].toUpperCase();
+  return /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/.test(stem);
+}
+function validateZipEntryPath(entryName) {
+  const slashPath = entryName.replace(/\\/g, "/");
+  if (!slashPath || slashPath.includes("\0") || slashPath.startsWith("/") || /^[A-Za-z]:/.test(slashPath) || slashPath.length > 4096) {
+    throw new Error(`Unsafe ZIP entry path: ${entryName}`);
+  }
+  const directory = slashPath.endsWith("/");
+  const parts = slashPath.split("/").filter(Boolean);
+  if (parts.length === 0 || parts.some(
+    (part) => part === "." || part === ".." || part.length > 255 || part.includes(":") || part.endsWith(".") || part.endsWith(" ") || windowsReservedName(part)
+  )) {
+    throw new Error(`Unsafe ZIP entry path: ${entryName}`);
+  }
+  return `${parts.join("/")}${directory ? "/" : ""}`;
+}
+function openZip(path) {
+  return new Promise((resolvePromise, reject) => {
+    yauzl.open(path, { lazyEntries: true, autoClose: true }, (error, zipFile) => {
+      if (error || !zipFile) reject(error || new Error("Unable to open ZIP archive."));
+      else resolvePromise(zipFile);
+    });
+  });
+}
+function entryFileType(entry) {
+  return entry.externalFileAttributes >>> 16 & 61440;
+}
+function extractEntry(zipFile, entry, outputPath, extractedBytes) {
+  return new Promise((resolvePromise, reject) => {
+    zipFile.openReadStream(entry, (error, stream) => {
+      if (error || !stream) {
+        reject(error || new Error(`Unable to read ZIP entry: ${entry.fileName}`));
+        return;
+      }
+      let entryBytes = 0;
+      const limiter = new Transform({
+        transform(chunk, _encoding, callback) {
+          entryBytes += chunk.length;
+          extractedBytes.value += chunk.length;
+          if (entryBytes > MAX_ENTRY_BYTES || extractedBytes.value > MAX_EXTRACTED_BYTES) {
+            callback(new Error("CBB archive exceeds safe extraction limits."));
+            return;
+          }
+          callback(null, chunk);
+        }
+      });
+      pipeline(stream, limiter, createWriteStream(outputPath, { flags: "wx", mode: 420 })).then(
+        () => {
+          if (entryBytes !== entry.uncompressedSize) {
+            reject(new Error(`ZIP entry size mismatch: ${entry.fileName}`));
+          } else {
+            resolvePromise();
+          }
+        },
+        reject
+      );
+    });
+  });
+}
+async function extractZipSafely(archivePath, destination) {
+  const zipFile = await openZip(archivePath);
+  if (zipFile.entryCount > MAX_ZIP_ENTRIES) {
+    zipFile.close();
+    throw new Error(`CBB archive contains more than ${MAX_ZIP_ENTRIES} entries.`);
+  }
+  await mkdir4(destination, { recursive: true });
+  const destinationRoot = `${resolve3(destination)}${sep}`;
+  const seenPaths = /* @__PURE__ */ new Set();
+  const extractedBytes = { value: 0 };
+  await new Promise((resolvePromise, reject) => {
+    let settled = false;
+    const fail = (error) => {
+      if (settled) return;
+      settled = true;
+      zipFile.close();
+      reject(error instanceof Error ? error : new Error(String(error)));
+    };
+    zipFile.on("error", fail);
+    zipFile.on("end", () => {
+      if (settled) return;
+      settled = true;
+      resolvePromise();
+    });
+    zipFile.on("entry", (entry) => {
+      void (async () => {
+        if ((entry.generalPurposeBitFlag & 1) !== 0) {
+          throw new Error(`Encrypted ZIP entries are not supported: ${entry.fileName}`);
+        }
+        const normalizedName = validateZipEntryPath(entry.fileName);
+        const collisionKey = normalizedName.toLowerCase();
+        if (seenPaths.has(collisionKey)) {
+          throw new Error(`Duplicate ZIP entry path: ${entry.fileName}`);
+        }
+        seenPaths.add(collisionKey);
+        if (entry.uncompressedSize > MAX_ENTRY_BYTES || extractedBytes.value + entry.uncompressedSize > MAX_EXTRACTED_BYTES) {
+          throw new Error("CBB archive exceeds safe extraction limits.");
+        }
+        if (entry.compressedSize > 0 && entry.uncompressedSize > 1024 * 1024 && entry.uncompressedSize / entry.compressedSize > MAX_COMPRESSION_RATIO) {
+          throw new Error(`Suspicious ZIP compression ratio: ${entry.fileName}`);
+        }
+        const fileType = entryFileType(entry);
+        if (fileType === 40960) {
+          throw new Error(`Symbolic links are not allowed in CBB archives: ${entry.fileName}`);
+        }
+        const isDirectory = normalizedName.endsWith("/") || fileType === 16384;
+        if (fileType !== 0 && fileType !== 16384 && fileType !== 32768) {
+          throw new Error(`Special files are not allowed in CBB archives: ${entry.fileName}`);
+        }
+        const outputPath = resolve3(destination, ...normalizedName.split("/").filter(Boolean));
+        if (!outputPath.startsWith(destinationRoot)) {
+          throw new Error(`ZIP entry escapes the target directory: ${entry.fileName}`);
+        }
+        if (isDirectory) {
+          await mkdir4(outputPath, { recursive: true });
+        } else {
+          await mkdir4(dirname6(outputPath), { recursive: true });
+          await extractEntry(zipFile, entry, outputPath, extractedBytes);
+        }
+        zipFile.readEntry();
+      })().catch(fail);
+    });
+    zipFile.readEntry();
+  });
+}
+async function validatePackageManifest(stagingPath, cbbId, version) {
+  for (const filename of ["manifest.json", "cbb.json", "CBB.json"]) {
+    const manifestPath = join4(stagingPath, filename);
+    if (!await pathExists2(manifestPath)) continue;
+    let manifest;
+    try {
+      manifest = JSON.parse(await readFile3(manifestPath, "utf8"));
+    } catch {
+      throw new Error(`Invalid package manifest: ${filename}`);
+    }
+    if (!manifest || typeof manifest !== "object") {
+      throw new Error(`Invalid package manifest: ${filename}`);
+    }
+    const record = manifest;
+    const manifestId = typeof record.id === "string" ? record.id : typeof record.cbb_id === "string" ? record.cbb_id : void 0;
+    if (manifestId && manifestId !== cbbId) {
+      throw new Error(`CBB manifest ID mismatch: expected ${cbbId}, found ${manifestId}.`);
+    }
+    if (typeof record.version === "string" && record.version !== version) {
+      throw new Error(
+        `CBB manifest version mismatch: expected ${version}, found ${record.version}.`
+      );
+    }
+    return;
+  }
+}
+async function writeLockfile(projectRoot, cbbId, entry) {
+  const lockfile = await readLockfile(projectRoot);
+  lockfile.packages[cbbId] = entry;
+  const lockDir = join4(projectRoot, ".genrtl");
+  const lockPath = join4(lockDir, "cbb-lock.json");
+  const tempPath = join4(lockDir, `.cbb-lock-${randomUUID2()}.tmp`);
+  const backupPath = join4(lockDir, `.cbb-lock-${randomUUID2()}.bak`);
+  await mkdir4(lockDir, { recursive: true });
+  await writeFile4(tempPath, `${JSON.stringify(lockfile, null, 2)}
+`, "utf8");
+  const hadLockfile = await pathExists2(lockPath);
+  try {
+    if (hadLockfile) await rename(lockPath, backupPath);
+    await rename(tempPath, lockPath);
+    if (hadLockfile) await rm2(backupPath, { force: true });
+  } catch (error) {
+    await rm2(tempPath, { force: true }).catch(() => {
+    });
+    if (hadLockfile && await pathExists2(backupPath)) {
+      await rename(backupPath, lockPath).catch(() => {
+      });
+    }
+    throw error;
+  }
+}
+async function installCbbArtifact(descriptor, plan, force) {
+  if (descriptor.format !== "zip") {
+    throw new Error(`Unsupported CBB artifact format: ${descriptor.format}`);
+  }
+  const targetParent = dirname6(plan.targetPath);
+  await mkdir4(targetParent, { recursive: true });
+  const tempRoot = await mkdtemp(join4(targetParent, ".grtl-cbb-"));
+  const archivePath = join4(tempRoot, "artifact.zip");
+  const stagingPath = join4(tempRoot, "content");
+  const backupPath = `${plan.targetPath}.grtl-backup-${randomUUID2()}`;
+  let backupCreated = false;
+  let installed = false;
+  try {
+    await downloadArtifact(descriptor, archivePath);
+    await extractZipSafely(archivePath, stagingPath);
+    await validatePackageManifest(stagingPath, descriptor.cbb_id, descriptor.version);
+    if (await pathExists2(plan.targetPath)) {
+      if (!force) {
+        throw new Error(`Target already exists: ${plan.targetPath}. Use --force to replace it.`);
+      }
+      await rename(plan.targetPath, backupPath);
+      backupCreated = true;
+    }
+    await rename(stagingPath, plan.targetPath);
+    installed = true;
+    await writeLockfile(plan.projectRoot, descriptor.cbb_id, {
+      version: descriptor.version,
+      target: plan.targetDir,
+      sha256: descriptor.sha256.toLowerCase(),
+      file_size: descriptor.file_size,
+      receipt_id: descriptor.receipt_id,
+      installed_at: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    if (backupCreated) {
+      await rm2(backupPath, { recursive: true, force: true }).catch(() => {
+      });
+    }
+    return {
+      cbb_id: descriptor.cbb_id,
+      version: descriptor.version,
+      target: plan.targetDir,
+      target_path: plan.targetPath,
+      sha256: descriptor.sha256.toLowerCase(),
+      file_size: descriptor.file_size,
+      receipt_id: descriptor.receipt_id,
+      trace_id: descriptor.trace_id
+    };
+  } catch (error) {
+    if (installed) {
+      await rm2(plan.targetPath, { recursive: true, force: true }).catch(() => {
+      });
+    }
+    if (backupCreated && await pathExists2(backupPath)) {
+      await rename(backupPath, plan.targetPath).catch(() => {
+      });
+    }
+    throw error;
+  } finally {
+    await rm2(tempRoot, { recursive: true, force: true }).catch(() => {
+    });
+  }
+}
+
+// src/commands/cbb.ts
+async function installCbb(spec, options) {
+  trackEvent("command", { name: "cbb-install" });
+  const spinner = process.stdout.isTTY && !options.json ? ora3("Preparing CBB installation...").start() : null;
+  try {
+    const { cbbId, version } = parseCbbSpec(spec);
+    const target = options.target || defaultCbbTarget(cbbId, version);
+    const plan = await prepareCbbInstall(
+      options.projectRoot || process.cwd(),
+      target,
+      cbbId,
+      version,
+      options.force || false
+    );
+    spinner && (spinner.text = "Acquiring CBB artifact...");
+    const acquireInput = {
+      cbb_id: cbbId,
+      version,
+      target_dir: plan.targetDir,
+      workspace_id: plan.workspaceId,
+      job_id: plan.jobId,
+      idempotency_key: plan.idempotencyKey
+    };
+    const descriptor = await callGenrtlMcpTool(
+      "genrtl_cbb_acquire",
+      acquireInput
+    );
+    if (descriptor.cbb_id !== cbbId || descriptor.version !== version) {
+      throw new Error("GenRTL returned a CBB artifact that does not match the request.");
+    }
+    spinner && (spinner.text = "Downloading and verifying CBB artifact...");
+    const result = await installCbbArtifact(descriptor, plan, options.force || false);
+    spinner?.succeed(`Installed ${cbbId}@${version}`);
+    if (options.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    log.blank();
+    log.success(`Installed ${pc5.bold(`${cbbId}@${version}`)}`);
+    log.item(`Target: ${result.target_path}`);
+    log.item(`SHA256: ${result.sha256}`);
+    log.item(`Lockfile: ${plan.projectRoot}/.genrtl/cbb-lock.json`);
+    log.blank();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    spinner?.fail(message);
+    if (!spinner) log.error(message);
+    process.exitCode = 1;
+  }
+}
+function registerCbbCommands(program2) {
+  const cbb = program2.command("cbb").description("Discover and install reusable RTL CBBs");
+  cbb.command("install").description("Acquire, verify, and install a CBB ZIP into the current project").argument("<cbb>", "CBB coordinate in the form <cbb_id>@<version>").option("-t, --target <dir>", "Project-relative target directory").option("--project-root <dir>", "Project root (default: current directory)").option("-f, --force", "Replace an existing target after successful verification").option("--json", "Output the installation result as JSON").action(async (spec, options) => {
+    await installCbb(spec, options);
+  });
+}
+
 // src/commands/upgrade.ts
 import { confirm } from "@inquirer/prompts";
 import { spawn } from "child_process";
-import pc5 from "picocolors";
+import pc6 from "picocolors";
 
 // src/utils/update-check.ts
 import { homedir as homedir2 } from "os";
-import { dirname as dirname6, join as join4 } from "path";
-import { mkdir as mkdir4, readFile as readFile3, writeFile as writeFile4 } from "fs/promises";
+import { dirname as dirname7, join as join5 } from "path";
+import { mkdir as mkdir5, readFile as readFile4, writeFile as writeFile5 } from "fs/promises";
 var DEFAULT_CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var UPDATE_STATE_FILE = join4(homedir2(), ".genrtl", "cli-state.json");
+var UPDATE_STATE_FILE = join5(homedir2(), ".genrtl", "cli-state.json");
 function getStateFilePath(stateFile) {
   return stateFile ?? UPDATE_STATE_FILE;
 }
 async function readUpdateState(stateFile) {
   try {
-    const raw = await readFile3(getStateFilePath(stateFile), "utf-8");
+    const raw = await readFile4(getStateFilePath(stateFile), "utf-8");
     return JSON.parse(raw);
   } catch {
     return {};
@@ -1109,8 +1588,8 @@ async function readUpdateState(stateFile) {
 }
 async function writeUpdateState(state, stateFile) {
   const path = getStateFilePath(stateFile);
-  await mkdir4(dirname6(path), { recursive: true });
-  await writeFile4(path, JSON.stringify(state, null, 2) + "\n", "utf-8");
+  await mkdir5(dirname7(path), { recursive: true });
+  await writeFile5(path, JSON.stringify(state, null, 2) + "\n", "utf-8");
 }
 function compareVersions(a, b) {
   const normalize = (version) => version.split("-", 1)[0].split(".").map((part) => Number.parseInt(part, 10) || 0);
@@ -1286,20 +1765,20 @@ function registerUpgradeCommand(program2) {
   });
 }
 function runCommand(command, args) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn(command, args, {
       stdio: "inherit",
       shell: process.platform === "win32"
     });
     child.on("error", reject);
-    child.on("close", (code) => resolve3(code));
+    child.on("close", (code) => resolve4(code));
   });
 }
 async function runUpgradePlan(plan) {
   return runCommand(plan.command, plan.args);
 }
 function showUpgradeFailureHelp(plan) {
-  log.info(`Try rerunning: ${pc5.cyan(plan.displayCommand)}`);
+  log.info(`Try rerunning: ${pc6.cyan(plan.displayCommand)}`);
   const isGlobalNpmInstall = (plan.installMethod === "npm-global" || plan.installMethod === "unknown") && plan.command === "npm" && plan.args.includes("-g");
   const isGlobalAltInstall = (plan.installMethod === "pnpm-global" || plan.installMethod === "bun-global") && plan.args.includes("-g");
   if (isGlobalNpmInstall) {
@@ -1326,8 +1805,8 @@ async function maybeShowUpgradeNotice(options = {}) {
   log.blank();
   if (info.upgradePlan.needsExplicitVersion) {
     log.box([
-      `${pc5.white(pc5.bold("Update available:"))} ${pc5.green(pc5.bold(`v${info.currentVersion}`))} ${pc5.dim("->")} ${pc5.green(pc5.bold(`v${info.latestVersion}`))}`,
-      `${pc5.white("Use")} ${pc5.yellow(pc5.bold(info.upgradePlan.displayCommand))} ${pc5.white("to run the latest version")}`
+      `${pc6.white(pc6.bold("Update available:"))} ${pc6.green(pc6.bold(`v${info.currentVersion}`))} ${pc6.dim("->")} ${pc6.green(pc6.bold(`v${info.latestVersion}`))}`,
+      `${pc6.white("Use")} ${pc6.yellow(pc6.bold(info.upgradePlan.displayCommand))} ${pc6.white("to run the latest version")}`
     ]);
     await markUpdateNotificationShown(info.latestVersion);
     log.blank();
@@ -1335,18 +1814,18 @@ async function maybeShowUpgradeNotice(options = {}) {
   }
   if (!info.upgradePlan.canRun) {
     log.box([
-      `${pc5.white(pc5.bold("Update available:"))} ${pc5.green(pc5.bold(`v${info.currentVersion}`))} ${pc5.dim("->")} ${pc5.green(pc5.bold(`v${info.latestVersion}`))}`,
-      `${pc5.white("Run")} ${pc5.yellow(pc5.bold("grtl upgrade"))} ${pc5.white("for update steps")}`,
-      `${pc5.white("Or run")} ${pc5.yellow(info.upgradePlan.displayCommand)}`
+      `${pc6.white(pc6.bold("Update available:"))} ${pc6.green(pc6.bold(`v${info.currentVersion}`))} ${pc6.dim("->")} ${pc6.green(pc6.bold(`v${info.latestVersion}`))}`,
+      `${pc6.white("Run")} ${pc6.yellow(pc6.bold("grtl upgrade"))} ${pc6.white("for update steps")}`,
+      `${pc6.white("Or run")} ${pc6.yellow(info.upgradePlan.displayCommand)}`
     ]);
     await markUpdateNotificationShown(info.latestVersion);
     log.blank();
     return;
   }
   log.box([
-    `${pc5.white(pc5.bold("Update available:"))} ${pc5.green(pc5.bold(`v${info.currentVersion}`))} ${pc5.dim("->")} ${pc5.green(pc5.bold(`v${info.latestVersion}`))}`,
-    `${pc5.white("Run")} ${pc5.yellow(pc5.bold("grtl upgrade"))} ${pc5.white("to update now")}`,
-    `${pc5.white("Or run")} ${pc5.yellow(info.upgradePlan.displayCommand)}`
+    `${pc6.white(pc6.bold("Update available:"))} ${pc6.green(pc6.bold(`v${info.currentVersion}`))} ${pc6.dim("->")} ${pc6.green(pc6.bold(`v${info.latestVersion}`))}`,
+    `${pc6.white("Run")} ${pc6.yellow(pc6.bold("grtl upgrade"))} ${pc6.white("to update now")}`,
+    `${pc6.white("Or run")} ${pc6.yellow(info.upgradePlan.displayCommand)}`
   ]);
   await markUpdateNotificationShown(info.latestVersion);
   log.blank();
@@ -1357,28 +1836,28 @@ async function upgradeCommand(options) {
   const plan = info?.upgradePlan ?? getUpgradePlan();
   if (!info) {
     log.warn("Couldn't check for updates right now.");
-    log.info(`Try again later or run ${pc5.cyan(plan.displayCommand)} manually.`);
+    log.info(`Try again later or run ${pc6.cyan(plan.displayCommand)} manually.`);
     return;
   }
   if (!info.updateAvailable) {
-    log.success(`grtl is up to date (${pc5.bold(`v${VERSION}`)})`);
+    log.success(`grtl is up to date (${pc6.bold(`v${VERSION}`)})`);
     return;
   }
   log.blank();
   log.info(
-    `Update available: ${pc5.bold(`v${info.currentVersion}`)} ${pc5.dim("->")} ${pc5.bold(`v${info.latestVersion}`)}`
+    `Update available: ${pc6.bold(`v${info.currentVersion}`)} ${pc6.dim("->")} ${pc6.bold(`v${info.latestVersion}`)}`
   );
   if (plan.needsExplicitVersion) {
     log.info(`You're using an ephemeral runner (${plan.installMethod}).`);
-    log.info(`Use ${pc5.cyan(plan.displayCommand)} to run the latest version immediately.`);
-    log.info(`Or install globally with ${pc5.cyan("npm install -g @genrtl/grtl@latest")}.`);
+    log.info(`Use ${pc6.cyan(plan.displayCommand)} to run the latest version immediately.`);
+    log.info(`Or install globally with ${pc6.cyan("npm install -g @genrtl/grtl@latest")}.`);
     return;
   }
   if (!plan.canRun) {
-    log.info(`Run ${pc5.cyan(plan.displayCommand)} to update your installed version.`);
+    log.info(`Run ${pc6.cyan(plan.displayCommand)} to update your installed version.`);
     return;
   }
-  log.info(`Upgrade command: ${pc5.cyan(plan.displayCommand)}`);
+  log.info(`Upgrade command: ${pc6.cyan(plan.displayCommand)}`);
   if (options.check) {
     return;
   }
@@ -1398,7 +1877,7 @@ async function upgradeCommand(options) {
   if (exitCode === 0) {
     log.blank();
     log.success("Upgrade complete.");
-    log.info(`Run ${pc5.cyan("grtl --version")} to verify the installed version.`);
+    log.info(`Run ${pc6.cyan("grtl --version")} to verify the installed version.`);
     return;
   }
   log.blank();
@@ -1409,8 +1888,8 @@ async function upgradeCommand(options) {
 
 // src/index.ts
 var brand = {
-  primary: pc6.green,
-  dim: pc6.dim
+  primary: pc7.green,
+  dim: pc7.dim
 };
 var program = new Command2();
 program.name("grtl").description("GenRTL CLI - Search RTL engineering knowledge and configure GenRTL").version(VERSION).option("--base-url <url>").hook("preAction", (thisCommand) => {
@@ -1438,10 +1917,14 @@ Examples:
   ${brand.primary('npx @genrtl/grtl spec2plan-search "Plan an APB register block implementation"')}
   ${brand.primary('npx @genrtl/grtl verification-search "Verify an async FIFO"')}
   ${brand.primary('npx @genrtl/grtl debug-search "Explain this Vivado CDC warning"')}
+
+  ${brand.dim("# Acquire and install a reusable RTL CBB")}
+  ${brand.primary("npx @genrtl/grtl cbb install cbb_uart@1.2.0")}
 `
 );
 registerSetupCommand(program);
 registerKnowledgeCommands(program);
+registerCbbCommands(program);
 registerUpgradeCommand(program);
 program.action(() => {
   console.log("");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@genrtl/grtl",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "description": "CLI, MCP, and coding-agent Skills for GenRTL RTL engineering knowledge",
   "type": "module",
   "bin": {
@@ -25,14 +25,18 @@
   },
   "dependencies": {
     "@inquirer/prompts": "^8.2.0",
+    "boxen": "^8.0.1",
     "commander": "^13.1.0",
     "figlet": "^1.9.4",
+    "open": "^10.2.0",
     "ora": "^9.0.0",
-    "picocolors": "^1.1.1"
+    "picocolors": "^1.1.1",
+    "yauzl": "^3.2.0"
   },
   "devDependencies": {
     "@types/figlet": "^1.7.0",
     "@types/node": "^22.19.1",
+    "@types/yauzl": "^2.10.3",
     "@typescript-eslint/eslint-plugin": "^8.28.0",
     "@typescript-eslint/parser": "^8.28.0",
     "eslint": "^9.34.0",