@wipcomputer/wip-ldm-os 0.4.80 → 0.4.82-alpha.1

package/SKILL.md

@@ -9,7 +9,7 @@ license: MIT
 compatibility: Requires git, npm, node. Node.js 18+.
 metadata:
   display-name: "LDM OS"
-  version: "0.4.80"
+  version: "0.4.81"
   homepage: "https://github.com/wipcomputer/wip-ldm-os"
   author: "Parker Todd Brooks"
   category: infrastructure

package/bin/ldm.js

@@ -2334,7 +2334,11 @@ async function cmdInstallCatalog() {
     const currentVersion = matchEntry?.installed?.version || matchEntry?.version || '?';
 
     try {
-      const latest = execSync(`npm view ${comp.npm} version 2>/dev/null`, {
+      const npmTag = ALPHA_FLAG ? 'alpha' : BETA_FLAG ? 'beta' : 'latest';
+      const npmViewCmd = npmTag === 'latest'
+        ? `npm view ${comp.npm} version 2>/dev/null`
+        : `npm view ${comp.npm} dist-tags.${npmTag} 2>/dev/null`;
+      const latest = execSync(npmViewCmd, {
         encoding: 'utf8', timeout: 10000,
       }).trim();
       if (latest && semverNewer(latest, currentVersion)) {
@@ -2608,24 +2612,18 @@ async function cmdInstallCatalog() {
       execSync(`ldm install ${installSource}`, { stdio: 'inherit' });
       updated++;
 
-      // For parent packages, update registry version for all sub-tools (#139, #262)
+      // For parent packages, installFromPath already refreshes each sub-tool
+      // registry entry with that sub-tool's own package version. Do not stamp
+      // the parent package version onto sub-tools; their versions intentionally
+      // differ from the toolbox aggregate version.
       if (entry.isParent && entry.registryMatches) {
         const registry = readJSON(REGISTRY_PATH);
         if (registry?.extensions) {
-          const now = new Date().toISOString();
+          let refreshed = 0;
           for (const subTool of entry.registryMatches) {
-            if (registry.extensions[subTool]) {
-              registry.extensions[subTool].version = entry.latestVersion;
-              registry.extensions[subTool].updatedAt = now;
-              // Also update v2 installed block
-              if (registry.extensions[subTool].installed) {
-                registry.extensions[subTool].installed.version = entry.latestVersion;
-                registry.extensions[subTool].installed.updatedAt = now;
-              }
-            }
+            if (registry.extensions[subTool]) refreshed++;
           }
-          writeFileSync(REGISTRY_PATH, JSON.stringify(registry, null, 2));
-          console.log(`  + Updated registry for ${entry.registryMatches.length} sub-tools`);
+          console.log(`  + Refreshed registry for ${refreshed}/${entry.registryMatches.length} sub-tools`);
         }
       }
     } catch (e) {

package/lib/deploy.mjs

@@ -59,6 +59,57 @@ function writeJSON(path, data) {
   writeFileSync(path, JSON.stringify(data, null, 2) + '\n');
 }
 
+export function validateSkillFrontmatter(path) {
+  let content;
+  try {
+    content = readFileSync(path, 'utf8');
+  } catch (e) {
+    return { ok: false, line: 1, message: `cannot read SKILL.md: ${e.message}` };
+  }
+
+  const lines = content.split(/\r?\n/);
+  if (lines[0] !== '---') {
+    return { ok: false, line: 1, message: 'SKILL.md must start with YAML frontmatter' };
+  }
+
+  let end = -1;
+  for (let i = 1; i < lines.length; i++) {
+    if (lines[i] === '---') {
+      end = i;
+      break;
+    }
+  }
+  if (end === -1) {
+    return { ok: false, line: 1, message: 'SKILL.md frontmatter is missing a closing --- marker' };
+  }
+
+  for (let i = 1; i < end; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#') || /^\s/.test(line)) continue;
+
+    const match = /^([A-Za-z0-9_-]+):(?:\s*(.*))?$/.exec(line);
+    if (!match) {
+      return { ok: false, line: i + 1, message: 'frontmatter line is not a simple key/value mapping' };
+    }
+
+    const value = match[2] || '';
+    const valueTrimmed = value.trimStart();
+    const first = valueTrimmed[0] || '';
+    const isQuoted = first === '"' || first === "'";
+    const isStructured = first === '[' || first === '{' || first === '|' || first === '>';
+    if (valueTrimmed.includes(': ') && !isQuoted && !isStructured) {
+      return {
+        ok: false,
+        line: i + 1,
+        message: 'value contains an unquoted colon; quote the scalar value',
+      };
+    }
+  }
+
+  return { ok: true };
+}
+
 function ensureBinExecutable(binNames) {
   try {
     const npmPrefix = execSync('npm config get prefix', { encoding: 'utf8' }).trim();
@@ -1195,6 +1246,12 @@ function installSkill(repoPath, toolName) {
   if (!existsSync(skillSrc) && existsSync(permanentSkill)) skillSrc = permanentSkill;
   if (!existsSync(skillSrc)) return false;
 
+  const frontmatter = validateSkillFrontmatter(skillSrc);
+  if (!frontmatter.ok) {
+    fail(`Skill: invalid SKILL.md frontmatter at ${skillSrc}:${frontmatter.line}: ${frontmatter.message}`);
+    return false;
+  }
+
   // Find references/ source: repo path first, then permanent copy
   let refsSrc = join(repoPath, 'references');
   const permanentRefs = join(LDM_EXTENSIONS, toolName, 'references');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.80",
+  "version": "0.4.82-alpha.1",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -19,6 +19,8 @@
     "build:bridge": "cd src/bridge && npm install && npx tsup core.ts mcp-server.ts cli.ts openclaw.ts --format esm --dts --clean --outDir ../../dist/bridge",
     "build": "npm run build:bridge",
     "prepublishOnly": "npm run build:bridge",
+    "test:skill-frontmatter": "node scripts/test-skill-frontmatter.mjs",
+    "test:installer-update-tracks": "node scripts/test-installer-update-tracks.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"
   },

package/scripts/test-installer-update-tracks.mjs

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const root = dirname(dirname(fileURLToPath(import.meta.url)));
+const cli = readFileSync(join(root, 'bin', 'ldm.js'), 'utf8');
+
+const marker = '// Check parent packages for toolbox-style repos (#132)';
+const idx = cli.indexOf(marker);
+if (idx === -1) {
+  throw new Error('Could not find toolbox parent update block');
+}
+
+const parentBlock = cli.slice(idx, cli.indexOf('const totalUpdates = npmUpdates.length;', idx));
+if (!parentBlock.includes("const npmTag = ALPHA_FLAG ? 'alpha' : BETA_FLAG ? 'beta' : 'latest';")) {
+  throw new Error('Toolbox parent update block does not select the requested release track');
+}
+
+if (!parentBlock.includes('dist-tags.${npmTag}')) {
+  throw new Error('Toolbox parent update block does not query alpha/beta dist-tags');
+}
+
+if (/const latest = execSync\(`npm view \$\{comp\.npm\} version 2>\/dev\/null`/.test(parentBlock)) {
+  throw new Error('Toolbox parent update block still hardcodes the stable npm version query');
+}
+
+const installMarker = '// For parent packages, installFromPath already refreshes each sub-tool';
+const installIdx = cli.indexOf(installMarker);
+if (installIdx === -1) {
+  throw new Error('Could not find parent registry refresh block');
+}
+
+const installBlock = cli.slice(installIdx, cli.indexOf('} catch (e) {', installIdx));
+if (installBlock.includes('= entry.latestVersion')) {
+  throw new Error('Parent update block must not stamp parent versions onto sub-tool registry entries');
+}
+
+console.log('installer update-track regression checks passed');

package/scripts/test-skill-frontmatter.mjs

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+import { mkdtempSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { validateSkillFrontmatter } from '../lib/deploy.mjs';
+
+const dir = mkdtempSync(join(tmpdir(), 'ldm-skill-frontmatter-'));
+const bad = join(dir, 'bad-SKILL.md');
+const good = join(dir, 'good-SKILL.md');
+
+writeFileSync(bad, [
+  '---',
+  'name: bad',
+  'description: Read when: guard blocks a tool call',
+  '---',
+  '',
+  '# Bad',
+  '',
+].join('\n'));
+
+writeFileSync(good, [
+  '---',
+  'name: good',
+  'description: "Read when: guard blocks a tool call"',
+  '---',
+  '',
+  '# Good',
+  '',
+].join('\n'));
+
+const badResult = validateSkillFrontmatter(bad);
+if (badResult.ok) {
+  throw new Error('expected unquoted colon frontmatter to be rejected');
+}
+if (badResult.line !== 3) {
+  throw new Error(`expected failure on line 3, got line ${badResult.line}`);
+}
+
+const goodResult = validateSkillFrontmatter(good);
+if (!goodResult.ok) {
+  throw new Error(`expected quoted frontmatter to pass: ${goodResult.message}`);
+}
+
+console.log('skill frontmatter regression passed');

package/shared/docs/dev-guide-wipcomputerinc.md.tmpl

@@ -28,7 +28,9 @@ These are three distinct actions. Never combine them. Never skip the dogfooding
 | **Deploy** | Ship to public | `wip-release` (version bump, npm publish, GitHub release) + `deploy-public.sh` (sync to public repo). Package is available to the world. **Still not on our machine.** |
 | **Install** | Put it on our system | `crystal init` or equivalent. Extensions updated. Hooks configured. Only when Parker says "install." |
 
-**After Deploy, STOP.** Do not copy files to `~/.ldm/extensions/` or `~/.openclaw/extensions/`. Do not run `npm install -g`. Do not run `npm link`. Do not touch the installed system. Tell Parker: "v0.X.Y is published. Run the install prompt when you're ready to update."
+**Prerelease exception:** agents install alpha and beta tracks for validation. Use `ldm install --alpha` after an alpha release and `ldm install --beta` after a beta release. That is test work.
+
+**After stable Deploy, STOP.** Do not copy files to `~/.ldm/extensions/` or `~/.openclaw/extensions/`. Do not run `npm install -g`. Do not run `npm link`. Do not run `ldm install` unless Parker explicitly asks. Tell Parker: "v0.X.Y is published. Run the install prompt when you're ready to update."
 
 **We always dogfood our own software.** The install prompt exists so Parker can see what's new, review the dry run, and decide to install. If agents deploy directly to extensions, the install prompt says "already up to date" and the dogfooding loop is broken.
 

package/shared/docs/how-install-works.md.tmpl

@@ -31,6 +31,8 @@ ldm install --beta       # beta track (npm @beta)
 
 Each track overwrites whatever is installed. Alpha, beta, and stable all use the same install path. The flag only changes which npm dist-tag is checked for updates.
 
+Agents may run alpha and beta installs for prerelease validation. Stable installs are different: Parker dogfoods stable/latest releases through the install prompt unless he explicitly asks an agent to install.
+
 ## Source Resolution
 
 When updating, the installer finds the package in priority order:

package/shared/docs/how-releases-work.md.tmpl

@@ -29,11 +29,13 @@ cd /path/to/repo && git checkout main && git pull
 # 4. Alpha release
 wip-release alpha --notes="what changed"
 
-# 4. Install and test
+# 5. Agent prerelease validation
 ldm install --alpha
 ```
 
-Done. No deploy-public. No public repo sync. The installer pulls from npm @alpha (or finds the local private repo if offline).
+Done. No deploy-public. No public repo sync. The installer pulls from npm @alpha (or finds the local private repo if offline). Agents are expected to run alpha installs when validating prereleases.
+
+Beta follows the same rule with `wip-release beta` and `ldm install --beta`. Agents validate alpha and beta tracks. Parker dogfoods stable/latest releases.
 
 **Sub-tool versions:** If you changed a sub-tool's code, bump its `package.json` version in the PR. Same version = same code. `wip-release` warns if files changed without a version bump.
 
@@ -53,13 +55,15 @@ wip-release patch   # auto-detects release notes
 deploy-public /path/to/private-repo org/public-repo
 
 # 7. Dogfood
-ldm install
+Read https://wip.computer/install/wip-ldm-os.txt
 ```
 
 `wip-release` handles: version bump, CHANGELOG.md, SKILL.md sync, npm publish, GitHub release.
 
 `deploy-public` syncs everything except `ai/` to the public repo. Creates a matching release.
 
+For stable/latest releases, agents stop after publish and public sync. Do not run `ldm install` or `npm install -g` unless Parker explicitly asks. Parker dogfoods the release through the install prompt.
+
 ## Quality Gates
 
 `wip-release` enforces before publishing (stable only):
@@ -91,3 +95,5 @@ Same version = same code. Always. If code changed, the version must change. The
 | Install | `ldm install [--alpha/--beta]` | Extensions updated on your machine. |
 
 For stable releases, add a fourth step: `deploy-public` to sync the public GitHub repo.
+
+Ownership rule: agents install alpha and beta for validation. Parker installs stable/latest releases for dogfooding unless he explicitly asks an agent to do it.

package/shared/rules/release-pipeline.md

@@ -21,7 +21,9 @@ Then: repo change, PR, merge, release, `ldm install`. That's the only path.
 | **Deploy** | wip-release + deploy-public.sh | Published to npm + GitHub. Not on your machine yet. |
 | **Install** | Run the install prompt | Extensions updated on your machine. Only when Parker says "install." |
 
-After Deploy, STOP. Do not copy files. Do not npm install -g. Do not npm link. Dogfood the install prompt.
+For alpha and beta tracks, agents install prereleases for validation: `ldm install --alpha` or `ldm install --beta`. That is test work, not owner dogfooding.
+
+For stable/latest releases, after Deploy, STOP. Do not copy files. Do not npm install -g. Do not npm link. Do not run `ldm install` unless Parker explicitly asks. Parker dogfoods stable releases through the install prompt.
 
 ## The workflow
 
@@ -31,7 +33,7 @@ After Deploy, STOP. Do not copy files. Do not npm install -g. Do not npm link. D
 4. `git checkout main && git pull`
 5. `wip-release patch` (auto-detects release notes)
 6. `deploy-public.sh` to sync public repo
-7. Dogfood: `Read https://wip.computer/install/wip-ldm-os.txt`
+7. Stop. Parker dogfoods: `Read https://wip.computer/install/wip-ldm-os.txt`
 
 ## Never run tools from repo clones