@wipcomputer/wip-ldm-os 0.4.85-alpha.2 → 0.4.85-alpha.21

package/scripts/test-crc-pair-relink-audit-and-rotation.mjs

@@ -0,0 +1,164 @@
+import { readFileSync } from "node:fs";
+import {
+  codexDaemonPubkeyFingerprint,
+  createCodexDaemonPubkeyRegistry,
+  evaluateCodexDaemonReconnectPubkey,
+} from "../src/hosted-mcp/codex-relay-e2ee-registry.mjs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+const pairHtml = readFileSync("src/hosted-mcp/app/pair.html", "utf8");
+const loginHtml = readFileSync("src/hosted-mcp/app/kaleidoscope-login.html", "utf8");
+const registrySource = readFileSync("src/hosted-mcp/codex-relay-e2ee-registry.mjs", "utf8");
+const ticket = readFileSync("ai/product/bugs/codex-remote-control/2026-05-05--codex--remote-control-pair-relink-audit-and-rotation.md", "utf8");
+
+function assertContains(haystack, needle, label) {
+  if (!haystack.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assert(condition, label, detail = "") {
+  if (!condition) throw new Error(`${label}${detail ? ": " + detail : ""}`);
+}
+
+function createSilentLogger() {
+  return { log() {}, error() {} };
+}
+
+assertContains(server, "const CODEX_PAIR_PRESENCE_TTL_MS = 2 * 60 * 1000;", "short pair presence ttl");
+assertContains(server, "const codexPairPresenceTokens = new Map();", "pair presence token store");
+assertContains(server, "function generateCodexPairPresenceToken(agentId)", "pair presence token mint");
+assertContains(server, "function consumeCodexPairPresenceToken(token, agentId)", "pair presence token consume");
+assertContains(server, "codex_pair_presence_token: generateCodexPairPresenceToken(agentId)", "registration mints pair presence token");
+assertContains(server, "codex_pair_presence_token: generateCodexPairPresenceToken(entry.agentId)", "authentication mints pair presence token");
+assertContains(server, 'error: "fresh_presence_required"', "pair-complete fresh presence rejection");
+assertContains(server, "consumeCodexPairPresenceToken(pairPresenceToken, identity.agentId)", "pair-complete consumes pair presence token");
+assertContains(server, 'json(res, 404, { error: "invalid or already-used code" });', "pair code reuse rejection");
+assertContains(server, 'json(res, 410, { error: "code expired or already used" });', "pair code expiry rejection");
+assertContains(server, "invalidateCodexBrowserSessionsForAgent(identity.agentId, \"daemon key replaced\")", "daemon replacement invalidates stale browser sessions");
+assertContains(server, "evaluateCodexDaemonReconnectPubkey(", "daemon reconnect checks existing key policy");
+assertContains(server, "daemon key change requires fresh pair", "changed daemon reconnect key requires pair flow");
+assertContains(server, "daemonIdentityAccepted = activateCodexDaemonWs();", "daemon only becomes active after identity is accepted");
+assertContains(server, "daemon already online", "duplicate daemon cannot evict an online daemon");
+assertContains(server, "daemon identity required", "daemon frames require identity before routing");
+assertContains(server, "p.replaced_daemon_key = !!daemonKeyResult?.replaced;", "pair state records replacement status");
+assertContains(server, "replaced_daemon_key: !!p.replaced_daemon_key", "pair-status exposes relink replacement status");
+assertContains(pairHtml, "codex_pair_presence_token: getPairPresenceToken()", "pair page sends pair presence token");
+assertContains(pairHtml, "fresh_presence_required", "pair page handles fresh presence error");
+assertContains(pairHtml, "Remote Control relinked this laptop.", "pair page gives relink message");
+assertContains(loginHtml, "wip_codex_pair_presence_token", "login carries pair presence token into pair page");
+assertContains(registrySource, "CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_key_audit", "pair audit table");
+assertContains(registrySource, "old_pubkey_fingerprint", "audit stores old key fingerprint");
+assertContains(registrySource, "new_pubkey_fingerprint", "audit stores new key fingerprint");
+assertContains(ticket, "status: done", "ticket marked done");
+
+const oldFingerprint = codexDaemonPubkeyFingerprint("old-spki-key");
+const newFingerprint = codexDaemonPubkeyFingerprint("new-spki-key");
+assert(oldFingerprint && oldFingerprint.startsWith("sha256:"), "fingerprint has sha256 prefix");
+assert(oldFingerprint !== newFingerprint, "fingerprint changes when daemon key changes");
+
+const registry = createCodexDaemonPubkeyRegistry({
+  usePrisma: false,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+const first = await registry.register("acct:test-user-a", "old-spki-key", ["e2ee-v1"], "pair-complete");
+assert(first.registered === true, "first pair registers key");
+assert(first.replaced === false, "first pair is not replacement");
+const second = await registry.register("acct:test-user-a", "new-spki-key", ["e2ee-v1"], "pair-complete");
+assert(second.registered === true, "relink registers new key");
+assert(second.replaced === true, "relink replacement is detected");
+assert(second.old_fingerprint === oldFingerprint, "relink reports old fingerprint");
+assert(second.new_fingerprint === newFingerprint, "relink reports new fingerprint");
+assert(registry.auditLog.length === 2, "registry keeps audit entries");
+assert(registry.auditLog[1].replaced === true, "audit marks replacement");
+assert(registry.auditLog[1].old_pubkey_fingerprint === oldFingerprint, "audit stores old fingerprint");
+assert(registry.auditLog[1].new_pubkey_fingerprint === newFingerprint, "audit stores new fingerprint");
+
+const firstReconnectPolicy = evaluateCodexDaemonReconnectPubkey(null, "daemon-reconnect-key");
+assert(firstReconnectPolicy.allowed === true, "daemon reconnect can self-heal when no key is registered");
+assert(firstReconnectPolicy.replaced === false, "first daemon reconnect is not a replacement");
+const sameReconnectPolicy = evaluateCodexDaemonReconnectPubkey({ pubkey: "daemon-reconnect-key" }, "daemon-reconnect-key");
+assert(sameReconnectPolicy.allowed === true, "daemon reconnect can re-register the same key");
+assert(sameReconnectPolicy.replaced === false, "same-key daemon reconnect is not a replacement");
+const changedReconnectPolicy = evaluateCodexDaemonReconnectPubkey({ pubkey: "daemon-reconnect-key" }, "attacker-reconnect-key");
+assert(changedReconnectPolicy.allowed === false, "daemon reconnect cannot replace an existing key");
+assert(changedReconnectPolicy.reason === "fresh_pair_required", "changed daemon reconnect requires fresh pair");
+assert(changedReconnectPolicy.replaced === true, "changed daemon reconnect is detected as replacement");
+assert(changedReconnectPolicy.old_fingerprint === codexDaemonPubkeyFingerprint("daemon-reconnect-key"), "changed reconnect reports old fingerprint");
+assert(changedReconnectPolicy.new_fingerprint === codexDaemonPubkeyFingerprint("attacker-reconnect-key"), "changed reconnect reports new fingerprint");
+const invalidReconnectPolicy = evaluateCodexDaemonReconnectPubkey({ pubkey: "daemon-reconnect-key" }, "");
+assert(invalidReconnectPolicy.allowed === false, "daemon reconnect rejects missing pubkey");
+assert(invalidReconnectPolicy.reason === "invalid_daemon_pubkey", "missing daemon reconnect pubkey has explicit reason");
+const oversizedReconnectPolicy = evaluateCodexDaemonReconnectPubkey(null, "x".repeat(1025));
+assert(oversizedReconnectPolicy.allowed === false, "daemon reconnect rejects oversized pubkey");
+assert(oversizedReconnectPolicy.reason === "invalid_daemon_pubkey", "oversized daemon reconnect pubkey has explicit reason");
+
+const executeCalls = [];
+const persistedRegistry = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  devMode: false,
+  logger: createSilentLogger(),
+  prisma: {
+    async $executeRawUnsafe(sql, ...args) {
+      executeCalls.push({ sql, args });
+      return 1;
+    },
+  },
+});
+await persistedRegistry.register("acct:test-user-b", "persisted-spki-key", ["e2ee-v1"], "daemon-reconnect");
+const auditInsert = executeCalls.find((call) => call.sql.includes("INSERT INTO codex_daemon_e2ee_key_audit"));
+assert(auditInsert, "audit insert executes for persisted registry");
+assert(auditInsert.sql.includes("$7::timestamptz"), "audit insert casts registered_at parameter to timestamptz");
+assert(typeof auditInsert.args[6] === "string" && auditInsert.args[6].includes("T"), "audit insert passes ISO registered_at value");
+
+function pairCompleteModel({ hasDaemonPublicKey, pairPresenceOk, previousPubkey, nextPubkey }) {
+  if (hasDaemonPublicKey && !pairPresenceOk) return { code: 403, error: "fresh_presence_required" };
+  const replaced = !!(previousPubkey && nextPubkey && previousPubkey !== nextPubkey);
+  return { code: 200, replaced };
+}
+
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: false,
+    previousPubkey: "old",
+    nextPubkey: "new",
+  }).code === 403,
+  "ck token alone cannot replace daemon key",
+);
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: true,
+    previousPubkey: "old",
+    nextPubkey: "new",
+  }).replaced === true,
+  "fresh pair presence permits relink",
+);
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: true,
+    previousPubkey: null,
+    nextPubkey: "new",
+  }).replaced === false,
+  "fresh pair presence permits first pair",
+);
+
+function pairCodeModel(pair, codeKnown, now) {
+  if (!codeKnown) return { code: 404, error: "invalid or already-used code" };
+  if (!pair || pair.status !== "pending" || now > pair.expires) {
+    return { code: 410, error: "code expired or already used" };
+  }
+  pair.status = "completed";
+  return { code: 200 };
+}
+
+const pair = { status: "pending", expires: 100 };
+assert(pairCodeModel(pair, true, 10).code === 200, "first pair-complete succeeds");
+assert(pairCodeModel(pair, true, 20).code === 410, "pair code reuse fails");
+assert(pairCodeModel({ status: "pending", expires: 100 }, true, 200).code === 410, "expired pair code fails");
+assert(pairCodeModel(null, false, 10).code === 404, "unknown pair code fails");
+
+console.log("crc pair relink audit and rotation checks passed");

package/scripts/test-crc-pair-status-poll-token.mjs

@@ -0,0 +1,73 @@
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertNotContains(needle, label) {
+  if (server.includes(needle)) {
+    throw new Error(`${label} still contains forbidden text: ${needle}`);
+  }
+}
+
+assertContains("function generateCodexPairPollToken()", "pair poll token generator");
+assertContains('return "ppt_" + randomBytes(32).toString("base64url");', "pair poll token entropy");
+assertContains("function getBearerToken(req)", "bearer token helper");
+assertContains("const pollToken = generateCodexPairPollToken();", "pair-init mints poll token");
+assertContains("poll_token: pollToken,", "pair state stores poll token");
+assertContains("poll_token_used: false,", "pair state tracks token consumption");
+assertContains("pair_poll_token: pollToken,", "pair-init returns poll token to daemon");
+assertContains('json(res, 401, { error: "pair_poll_token_expired" });', "expired token rejected");
+assertContains('json(res, 401, { error: "invalid_pair_poll_token" });', "missing or wrong token rejected");
+assertContains("if (!pollToken || pollToken !== p.poll_token || p.poll_token_used)", "pair-status validates token");
+assertContains("p.poll_token_used = true;", "completed credential response consumes token");
+
+function pairStatusModel(pair, bearer, now) {
+  if (now > pair.expires) return { code: 401, body: { error: "pair_poll_token_expired" } };
+  if (!bearer || bearer !== pair.poll_token || pair.poll_token_used) {
+    return { code: 401, body: { error: "invalid_pair_poll_token" } };
+  }
+  if (pair.status === "completed") {
+    pair.poll_token_used = true;
+    return { code: 200, body: { status: "completed", api_key: pair.apiKey, handle: pair.handle } };
+  }
+  return { code: 200, body: { status: pair.status } };
+}
+
+const pair = {
+  status: "pending",
+  expires: 10_000,
+  poll_token: "ppt_good",
+  poll_token_used: false,
+  apiKey: "ck_secret",
+  handle: "Parker",
+};
+
+if (pairStatusModel({ ...pair }, null, 1).code !== 401) {
+  throw new Error("missing poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_wrong", 1).code !== 401) {
+  throw new Error("wrong poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 20_000).code !== 401) {
+  throw new Error("expired poll token should fail");
+}
+if (pairStatusModel({ ...pair }, "ppt_good", 1).body.status !== "pending") {
+  throw new Error("correct poll token should return pending before completion");
+}
+
+const completedPair = { ...pair, status: "completed" };
+const completed = pairStatusModel(completedPair, "ppt_good", 1);
+if (completed.code !== 200 || completed.body.api_key !== "ck_secret") {
+  throw new Error("correct poll token should return completed credential once");
+}
+const replay = pairStatusModel(completedPair, "ppt_good", 1);
+if (replay.code !== 401) {
+  throw new Error("reused completed poll token should fail");
+}
+
+console.log("crc pair-status poll token checks passed");

package/scripts/test-install-prompt-policy.mjs

@@ -0,0 +1,60 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const repoRoot = fileURLToPath(new URL("..", import.meta.url));
+
+const files = [
+  "README.md",
+  "SKILL.md",
+  "shared/templates/install-prompt.md",
+];
+
+const contents = Object.fromEntries(
+  files.map((file) => [file, readFileSync(join(repoRoot, file), "utf8")]),
+);
+
+const failures = [];
+
+for (const file of ["README.md", "shared/templates/install-prompt.md"]) {
+  const text = contents[file];
+  for (const phrase of [
+    "Use the install document and live local checks as the source of truth. Do not search memory or prior notes for this install.",
+    "If installed: run `ldm status`",
+    "If yes to dry run, run `ldm install --dry-run`.",
+    "`npm install -g @wipcomputer/wip-ldm-os@latest && ldm install && ldm doctor`",
+    "Then run:\n`ldm init --dry-run`",
+    "If I say install, run:\n`ldm init`",
+  ]) {
+    if (!text.includes(phrase)) {
+      failures.push(`${file} missing install prompt phrase: ${phrase}`);
+    }
+  }
+  if (text.includes("If it is, run ldm install --dry-run")) {
+    failures.push(`${file} still tells installed users to start with ldm install --dry-run`);
+  }
+}
+
+const skill = contents["SKILL.md"];
+for (const phrase of [
+  "Do not run GitHub release commands during the install-state flow.",
+  "Do not run `gh release list` or `gh release view` unless the user explicitly asks for release notes.",
+  "Use the output of `ldm status`, installed package metadata, and npm metadata.",
+  "Do not use GitHub release commands here.",
+]) {
+  if (!skill.includes(phrase)) {
+    failures.push(`SKILL.md missing install policy phrase: ${phrase}`);
+  }
+}
+
+if (/gh release (list|view) --repo/.test(skill)) {
+  failures.push("SKILL.md still includes concrete gh release commands in the install flow");
+}
+
+if (failures.length > 0) {
+  console.error("install prompt policy checks failed:");
+  for (const failure of failures) console.error(`  - ${failure}`);
+  process.exit(1);
+}
+
+console.log("install-prompt-policy: LDM OS prompt and install doc agree");

package/scripts/test-installer-skill-directory.mjs

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+import { existsSync, lstatSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+
+const home = mkdtempSync(join(tmpdir(), 'ldm-skill-dir-home-'));
+const source = mkdtempSync(join(tmpdir(), 'ldm-skill-dir-source-'));
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}
+
+try {
+  process.env.HOME = home;
+
+  for (const dir of ['.claude', '.openclaw', '.codex', '.agents']) {
+    mkdirSync(join(home, dir), { recursive: true });
+  }
+
+  const skillDir = join(source, 'skills', 'wip-ai-chat-ui');
+  mkdirSync(join(skillDir, 'references'), { recursive: true });
+  mkdirSync(join(skillDir, 'agents'), { recursive: true });
+  writeFileSync(join(skillDir, 'SKILL.md'), '---\nname: wip-ai-chat-ui\ndescription: "test skill"\n---\n\n# Test Skill\n');
+  writeFileSync(join(skillDir, 'references', 'stack.md'), '# Stack\n');
+  writeFileSync(join(skillDir, 'agents', 'openai.yaml'), 'display_name: "WIP AI Chat UI"\n');
+
+  const { detectInterfacesJSON } = await import('../lib/detect.mjs');
+  const detected = detectInterfacesJSON(source);
+  assert(detected.interfaceCount === 1, 'skill directory repo should expose one interface');
+  assert(detected.interfaces.skill?.skills?.[0]?.name === 'wip-ai-chat-ui', 'skill directory name should be detected');
+
+  const { installFromPath } = await import('../lib/deploy.mjs');
+  const result = await installFromPath(source);
+  assert(result.interfaces === 1, 'skill directory install should process one interface');
+
+  for (const target of [
+    join(home, '.claude', 'skills', 'wip-ai-chat-ui'),
+    join(home, '.openclaw', 'skills', 'wip-ai-chat-ui'),
+    join(home, '.codex', 'skills', 'wip-ai-chat-ui'),
+    join(home, '.agents', 'skills', 'wip-ai-chat-ui'),
+  ]) {
+    assert(existsSync(join(target, 'SKILL.md')), `${target} should include SKILL.md`);
+    assert(existsSync(join(target, 'references', 'stack.md')), `${target} should include references`);
+    assert(existsSync(join(target, 'agents', 'openai.yaml')), `${target} should include agents metadata`);
+    assert(!lstatSync(target).isSymbolicLink(), `${target} should be a deployed directory, not a symlink`);
+  }
+
+  const codexSkill = readFileSync(join(home, '.codex', 'skills', 'wip-ai-chat-ui', 'SKILL.md'), 'utf8');
+  assert(codexSkill.includes('name: wip-ai-chat-ui'), 'Codex target should contain the expected skill');
+
+  console.log('installer skill directory regression passed');
+} finally {
+  rmSync(home, { recursive: true, force: true });
+  rmSync(source, { recursive: true, force: true });
+}

package/scripts/test-installer-skill-dry-run-destinations.mjs

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+
+const home = mkdtempSync(join(tmpdir(), 'ldm-skill-dry-run-home-'));
+const source = mkdtempSync(join(tmpdir(), 'ldm-skill-dry-run-source-'));
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}
+
+try {
+  process.env.HOME = home;
+
+  for (const dir of ['.claude', '.openclaw', '.codex', '.agents']) {
+    mkdirSync(join(home, dir), { recursive: true });
+  }
+
+  const workspace = join(home, 'workspace');
+  mkdirSync(workspace, { recursive: true });
+  mkdirSync(join(home, '.ldm'), { recursive: true });
+  writeFileSync(join(home, '.ldm', 'config.json'), JSON.stringify({
+    workspace,
+    harnesses: {
+      'claude-code': {
+        detected: true,
+        home: join(home, '.claude'),
+        skills: join(home, '.claude', 'skills'),
+      },
+      openclaw: {
+        detected: true,
+        home: join(home, '.openclaw'),
+        skills: join(home, '.openclaw', 'skills'),
+      },
+      codex: {
+        detected: true,
+        home: join(home, '.codex'),
+        skills: join(home, '.codex', 'skills'),
+      },
+      'wip-agents': {
+        detected: true,
+        home: join(home, '.agents'),
+        skills: join(home, '.agents', 'skills'),
+      },
+    },
+  }, null, 2));
+
+  mkdirSync(join(source, 'references'), { recursive: true });
+  mkdirSync(join(source, 'agents'), { recursive: true });
+  writeFileSync(join(source, 'package.json'), JSON.stringify({
+    name: '@wipcomputer/wip-ai-chat-ui',
+    version: '0.1.1',
+  }, null, 2));
+  writeFileSync(join(source, 'SKILL.md'), '---\nname: wip-ai-chat-ui\ndescription: "test skill"\n---\n\n# Test Skill\n');
+  writeFileSync(join(source, 'references', 'stack.md'), '# Stack\n');
+  writeFileSync(join(source, 'agents', 'openai.yaml'), 'display_name: "WIP AI Chat UI"\n');
+
+  const { setFlags, installFromPath } = await import('../lib/deploy.mjs');
+
+  const lines = [];
+  const originalLog = console.log;
+  console.log = (...args) => lines.push(args.join(' '));
+
+  try {
+    setFlags({ dryRun: true, jsonOutput: false });
+    const result = await installFromPath(source);
+    assert(result.interfaces === 1, 'dry run should process one skill interface');
+  } finally {
+    console.log = originalLog;
+  }
+
+  const output = lines.join('\n');
+
+  for (const expected of [
+    'Would copy:',
+    '- SKILL.md',
+    '- references/',
+    '- agents/',
+    'Permanent copy:',
+    join(home, '.ldm', 'extensions', 'wip-ai-chat-ui', 'SKILL.md'),
+    join(home, '.ldm', 'extensions', 'wip-ai-chat-ui', 'references/'),
+    'Agent skill targets:',
+    `claude-code: ${join(home, '.claude', 'skills', 'wip-ai-chat-ui')}`,
+    join(home, '.claude', 'skills', 'wip-ai-chat-ui', 'SKILL.md'),
+    `openclaw: ${join(home, '.openclaw', 'skills', 'wip-ai-chat-ui')}`,
+    join(home, '.openclaw', 'skills', 'wip-ai-chat-ui', 'references/'),
+    `codex: ${join(home, '.codex', 'skills', 'wip-ai-chat-ui')}`,
+    `wip-agents: ${join(home, '.agents', 'skills', 'wip-ai-chat-ui')}`,
+    'Workspace docs target:',
+    `${join(workspace, 'settings', 'docs', 'skills', 'wip-ai-chat-ui')} (references/ only)`,
+  ]) {
+    assert(output.includes(expected), `dry-run output should include ${expected}\n\n${output}`);
+  }
+
+  console.log('installer skill dry-run destinations regression passed');
+} finally {
+  rmSync(home, { recursive: true, force: true });
+  rmSync(source, { recursive: true, force: true });
+}

package/scripts/test-installer-target-self-update.mjs

@@ -0,0 +1,131 @@
+#!/usr/bin/env node
+import { chmodSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+
+const root = dirname(dirname(fileURLToPath(import.meta.url)));
+const cli = readFileSync(join(root, 'bin', 'ldm.js'), 'utf8');
+
+const helperName = 'function maybeSelfUpdateLdmCliBeforeInstall()';
+const helperIdx = cli.indexOf(helperName);
+if (helperIdx === -1) {
+  throw new Error('Missing shared LDM OS self-update preflight helper');
+}
+
+const helperBlock = cli.slice(helperIdx, cli.indexOf('// ── Dead backup trigger cleanup', helperIdx));
+if (!helperBlock.includes('Dry run only: continuing with v${PKG_VERSION}.')) {
+  throw new Error('Self-update helper must warn on dry run without updating');
+}
+
+if (!helperBlock.includes("execSync(`npm install -g @wipcomputer/wip-ldm-os@${latest}`")) {
+  throw new Error('Self-update helper must update LDM OS before real installs');
+}
+
+if (!helperBlock.includes("spawnSync('ldm'")) {
+  throw new Error('Self-update helper must re-run the original install command without shell joining args');
+}
+
+if (helperBlock.includes('process.argv.slice(2).join')) {
+  throw new Error('Self-update helper must preserve argv boundaries when re-running install');
+}
+
+const cmdInstallIdx = cli.indexOf('async function cmdInstall()');
+const lockIdx = cli.indexOf('acquireInstallLock()', cmdInstallIdx);
+const initIdx = cli.indexOf('LDM OS not initialized. Running init first', cmdInstallIdx);
+const targetIdx = cli.indexOf('// Find the target (skip flags)', cmdInstallIdx);
+const preflightCallIdx = cli.indexOf('maybeSelfUpdateLdmCliBeforeInstall();', cmdInstallIdx);
+if (cmdInstallIdx === -1 || targetIdx === -1 || preflightCallIdx === -1) {
+  throw new Error('Could not find cmdInstall self-update placement');
+}
+
+if (preflightCallIdx > lockIdx || preflightCallIdx > initIdx) {
+  throw new Error('Self-update preflight must run before lock acquisition and init work');
+}
+
+if (preflightCallIdx > targetIdx) {
+  throw new Error('Self-update preflight must run before target resolution so app installs are covered');
+}
+
+const catalogIdx = cli.indexOf('async function cmdInstallCatalog()');
+const oldCatalogBlock = cli.indexOf('Self-update: check if CLI itself is outdated', catalogIdx);
+const autoDetectIdx = cli.indexOf('autoDetectExtensions();', catalogIdx);
+if (oldCatalogBlock !== -1 && oldCatalogBlock < autoDetectIdx) {
+  throw new Error('Catalog install should not own the only self-update block');
+}
+
+const tempRoot = mkdtempSync(join(tmpdir(), 'ldm-target-self-update-'));
+try {
+  const home = join(tempRoot, 'home');
+  const fakeBin = join(tempRoot, 'bin');
+  const target = join(tempRoot, 'target skill with spaces');
+
+  mkdirSync(join(home, '.ldm'), { recursive: true });
+  writeFileSync(join(home, '.ldm', 'version.json'), JSON.stringify({
+    version: '0.0.0',
+    installed: new Date().toISOString(),
+    updated: new Date().toISOString(),
+  }, null, 2) + '\n');
+
+  mkdirSync(fakeBin, { recursive: true });
+  const fakeNpm = join(fakeBin, 'npm');
+  writeFileSync(fakeNpm, `#!/usr/bin/env bash
+if [ "$1" = "view" ] && [ "$2" = "@wipcomputer/wip-ldm-os" ] && [ "$3" = "dist-tags.alpha" ]; then
+  echo "99.0.0-alpha.1"
+  exit 0
+fi
+echo "unexpected npm command: $*" >&2
+exit 64
+`);
+  chmodSync(fakeNpm, 0o755);
+
+  mkdirSync(target, { recursive: true });
+  writeFileSync(join(target, 'SKILL.md'), `---
+name: test-target-skill
+description: Test target skill for installer self-update dry-run checks.
+---
+
+# Test Target Skill
+`);
+
+  const result = spawnSync(process.execPath, [
+    join(root, 'bin', 'ldm.js'),
+    'install',
+    '--alpha',
+    '--dry-run',
+    target,
+  ], {
+    cwd: root,
+    encoding: 'utf8',
+    env: {
+      ...process.env,
+      HOME: home,
+      PATH: `${fakeBin}:${process.env.PATH || ''}`,
+    },
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`Runtime dry-run exited ${result.status}\nstdout:\n${result.stdout}\nstderr:\n${result.stderr}`);
+  }
+
+  if (!result.stdout.includes('LDM OS CLI v')) {
+    throw new Error(`Runtime dry-run did not print the LDM OS skew warning\nstdout:\n${result.stdout}`);
+  }
+
+  if (!result.stdout.includes('-> v99.0.0-alpha.1 (alpha track) is available.')) {
+    throw new Error(`Runtime dry-run did not include the selected alpha track version\nstdout:\n${result.stdout}`);
+  }
+
+  if (!result.stdout.includes('Dry run only: continuing with v')) {
+    throw new Error(`Runtime dry-run did not say it would continue without updating\nstdout:\n${result.stdout}`);
+  }
+
+  if (!result.stdout.includes('Installing: target skill with spaces (dry run)')) {
+    throw new Error(`Runtime dry-run did not continue to the targeted install preview\nstdout:\n${result.stdout}`);
+  }
+} finally {
+  rmSync(tempRoot, { recursive: true, force: true });
+}
+
+console.log('targeted install self-update regression checks passed');

package/scripts/test-ldm-status-timeout.mjs

@@ -0,0 +1,80 @@
+#!/usr/bin/env node
+import { chmodSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+
+const root = dirname(dirname(fileURLToPath(import.meta.url)));
+const tempRoot = mkdtempSync(join(tmpdir(), 'ldm-status-timeout-'));
+const sourceVersion = JSON.parse(readFileSync(join(root, 'package.json'), 'utf8')).version;
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}
+
+try {
+  const home = join(tempRoot, 'home');
+  const fakeBin = join(tempRoot, 'bin');
+  const extensions = join(home, '.ldm', 'extensions');
+
+  mkdirSync(extensions, { recursive: true });
+  writeFileSync(join(home, '.ldm', 'version.json'), JSON.stringify({
+    version: '0.0.0-test',
+    installed: '2026-05-12T00:00:00.000Z',
+    updated: '2026-05-12T00:00:00.000Z',
+  }, null, 2) + '\n');
+  writeFileSync(join(extensions, 'registry.json'), JSON.stringify({
+    extensions: {
+      'hung-extension': {
+        source: { npm: 'hung-extension' },
+        installed: { version: '1.0.0' },
+      },
+      'second-extension': {
+        source: { npm: 'second-extension' },
+        installed: { version: '1.0.0' },
+      },
+    },
+  }, null, 2) + '\n');
+
+  mkdirSync(fakeBin, { recursive: true });
+  const fakeNpm = join(fakeBin, 'npm');
+  writeFileSync(fakeNpm, `#!/usr/bin/env bash
+if [ "$1" = "view" ]; then
+  sleep 2
+  echo "9.9.9"
+  exit 0
+fi
+echo "unexpected npm command: $*" >&2
+exit 64
+`);
+  chmodSync(fakeNpm, 0o755);
+
+  const startedAt = Date.now();
+  const result = spawnSync(process.execPath, [join(root, 'bin', 'ldm.js'), 'status'], {
+    cwd: root,
+    encoding: 'utf8',
+    timeout: 3000,
+    env: {
+      ...process.env,
+      HOME: home,
+      PATH: `${fakeBin}:${process.env.PATH || ''}`,
+      LDM_STATUS_NPM_TIMEOUT_MS: '75',
+      LDM_STATUS_TOTAL_BUDGET_MS: '250',
+    },
+  });
+  const elapsedMs = Date.now() - startedAt;
+
+  assert(result.status === 0, `ldm status exited ${result.status}\nstdout:\n${result.stdout}\nstderr:\n${result.stderr}`);
+  assert(elapsedMs < 2500, `ldm status should return before the process timeout; elapsed ${elapsedMs}ms`);
+  assert(result.stdout.includes(`LDM OS v${sourceVersion}`), `status should print installed LDM OS version\n${result.stdout}`);
+  assert(result.stdout.includes('Extensions: 2'), `status should print extension count\n${result.stdout}`);
+  assert(result.stdout.includes('Checking updates:'), `status should show progress before update checks\n${result.stdout}`);
+  assert(result.stdout.includes('hung-extension: checking npm'), `status should print the extension name before probing it\n${result.stdout}`);
+  assert(result.stdout.includes('Update checks skipped:'), `status should report skipped checks instead of hanging\n${result.stdout}`);
+  assert(result.stdout.includes('hung-extension: [timeout] hung-extension'), `hung extension should be reported as a timeout\n${result.stdout}`);
+} finally {
+  rmSync(tempRoot, { recursive: true, force: true });
+}
+
+console.log('ldm status timeout regression passed');