@wipcomputer/wip-ldm-os 0.4.85-alpha.3 → 0.4.85-alpha.30

package/bin/ldm.js

@@ -20,9 +20,9 @@
  *   ldm --version         Show version
  */
 
-import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, cpSync, chmodSync, unlinkSync, readlinkSync, renameSync, statSync, lstatSync, symlinkSync } from 'node:fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, cpSync, chmodSync, unlinkSync, readlinkSync, renameSync, statSync, lstatSync, symlinkSync, copyFileSync } from 'node:fs';
 import { join, basename, resolve, dirname } from 'node:path';
-import { execSync } from 'node:child_process';
+import { execSync, spawnSync } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 
 const __filename = fileURLToPath(import.meta.url);
@@ -211,6 +211,11 @@ function writeJSON(path, data) {
   writeFileSync(path, JSON.stringify(data, null, 2) + '\n');
 }
 
+function parsePositiveInt(value, fallback) {
+  const parsed = Number.parseInt(value || '', 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
 // ── CLI version check (#29) ──
 
 function checkCliVersion() {
@@ -229,6 +234,62 @@ function checkCliVersion() {
   }
 }
 
+function selectedLdmNpmTrack() {
+  return ALPHA_FLAG ? 'alpha' : BETA_FLAG ? 'beta' : 'latest';
+}
+
+function selectedLdmTrackLabel(npmTag) {
+  return npmTag === 'latest' ? '' : ` (${npmTag} track)`;
+}
+
+function latestLdmCliForSelectedTrack() {
+  const npmTag = selectedLdmNpmTrack();
+  const npmViewCmd = npmTag === 'latest'
+    ? 'npm view @wipcomputer/wip-ldm-os version 2>/dev/null'
+    : `npm view @wipcomputer/wip-ldm-os dist-tags.${npmTag} 2>/dev/null`;
+  const latest = execSync(npmViewCmd, {
+    encoding: 'utf8',
+    timeout: 15000,
+  }).trim();
+  return { latest, npmTag };
+}
+
+function maybeSelfUpdateLdmCliBeforeInstall() {
+  // This shared preflight covers both bare `ldm install` and targeted
+  // `ldm install <app>`. Dry runs never update, but still disclose skew.
+  if (process.env.LDM_SELF_UPDATED) return;
+
+  try {
+    const { latest, npmTag } = latestLdmCliForSelectedTrack();
+    if (!latest || !semverNewer(latest, PKG_VERSION)) return;
+
+    const trackLabel = selectedLdmTrackLabel(npmTag);
+
+    if (DRY_RUN) {
+      console.log(`  LDM OS CLI v${PKG_VERSION} -> v${latest}${trackLabel} is available.`);
+      console.log(`  Dry run only: continuing with v${PKG_VERSION}.`);
+      console.log('');
+      return;
+    }
+
+    console.log(`  LDM OS CLI v${PKG_VERSION} -> v${latest}${trackLabel}. Updating first...`);
+    try {
+      execSync(`npm install -g @wipcomputer/wip-ldm-os@${latest}`, { stdio: 'inherit', timeout: 60000 });
+      console.log(`  CLI updated to v${latest}. Re-running with new code...`);
+      console.log('');
+      const reArgs = process.argv.slice(2);
+      const child = spawnSync('ldm', reArgs.length > 0 ? reArgs : ['install'], {
+        stdio: 'inherit',
+        env: { ...process.env, LDM_SELF_UPDATED: '1' },
+      });
+      if (child.error) throw child.error;
+      process.exit(child.status ?? 1);
+    } catch (e) {
+      console.log(`  ! Self-update failed: ${e.message}. Continuing with v${PKG_VERSION}.`);
+    }
+  } catch {}
+}
+
 // ── Dead backup trigger cleanup (#207) ──
 // Three backup systems were competing. Only ai.openclaw.ldm-backup (3am) works.
 // This removes: broken cron entry (LDMDevTools.app), old com.wipcomputer.daily-backup.
@@ -1440,23 +1501,6 @@ async function showCatalogPicker() {
 // ── ldm install ──
 
 async function cmdInstall() {
-  if (!DRY_RUN && !acquireInstallLock()) return;
-
-  // Ensure LDM is initialized
-  if (!existsSync(VERSION_PATH)) {
-    console.log('  LDM OS not initialized. Running init first...');
-    console.log('');
-    cmdInit();
-  }
-
-  const { setFlags, installFromPath, installSingleTool, installToolbox, detectHarnesses } = await import('../lib/deploy.mjs');
-  const { detectInterfacesJSON } = await import('../lib/detect.mjs');
-
-  // Refresh harness detection (catches newly installed harnesses)
-  detectHarnesses();
-
-  setFlags({ dryRun: DRY_RUN, jsonOutput: JSON_OUTPUT, origin: 'manual' });
-
   // --help flag (#81)
   if (args.includes('--help') || args.includes('-h')) {
     console.log(`
@@ -1476,6 +1520,25 @@ async function cmdInstall() {
     process.exit(0);
   }
 
+  maybeSelfUpdateLdmCliBeforeInstall();
+
+  if (!DRY_RUN && !acquireInstallLock()) return;
+
+  // Ensure LDM is initialized
+  if (!existsSync(VERSION_PATH)) {
+    console.log('  LDM OS not initialized. Running init first...');
+    console.log('');
+    cmdInit();
+  }
+
+  const { setFlags, installFromPath, installSingleTool, installToolbox, detectHarnesses } = await import('../lib/deploy.mjs');
+  const { detectInterfacesJSON } = await import('../lib/detect.mjs');
+
+  // Refresh harness detection (catches newly installed harnesses)
+  detectHarnesses();
+
+  setFlags({ dryRun: DRY_RUN, jsonOutput: JSON_OUTPUT, origin: 'manual' });
+
   // Find the target (skip flags)
   const target = args.slice(1).find(a => !a.startsWith('--'));
 
@@ -1736,6 +1799,135 @@ function migrateRegistry() {
   return migrated;
 }
 
+// ── Legacy source.npm honest cleanup (Phase 1 of source-types refactor) ──
+// See ai/product/bugs/installer/2026-05-13--cc-mini--installer-source-npm-honest-cleanup.md
+
+async function migrateLegacyNpmSources({ dryRun = false } = {}) {
+  const {
+    planLegacyNpmSourcesMigration,
+    summaryHasChanges,
+    npmPackageExists,
+    executeDirectoryMoves,
+  } = await import('../lib/registry-migrations.mjs');
+
+  const registry = readJSON(REGISTRY_PATH);
+  if (!registry?.extensions) return null;
+
+  const { newRegistry, summary } = await planLegacyNpmSourcesMigration({
+    registry,
+    probeNpm: (name) => npmPackageExists(name, { timeoutMs: 2000 }),
+    // Resolve the entry's on-disk location before declaring it a phantom.
+    // Entries autoregistered with `ldmPath` (bin/ldm.js:1822 path) or with
+    // a `paths.ldm` field (lib/deploy.mjs path) can live outside the
+    // default ~/.ldm/extensions/<name> location. A naive check would
+    // silently delete a working entry as "phantom."
+    extensionExists: (name, entry) => {
+      const customPath = entry?.paths?.ldm || entry?.ldmPath;
+      if (customPath && existsSync(customPath)) return true;
+      return existsSync(join(LDM_EXTENSIONS, name));
+    },
+    now: () => new Date(),
+  });
+
+  if (!summaryHasChanges(summary)) return summary;
+
+  if (!dryRun) {
+    const stamp = summary.timestamp.replace(/[:.]/g, '-');
+    const backupPath = `${REGISTRY_PATH}.bak-${stamp}`;
+    copyFileSync(REGISTRY_PATH, backupPath);
+    summary.backupPath = backupPath;
+    writeJSON(REGISTRY_PATH, newRegistry);
+
+    // Execute directory moves AFTER the registry write. Each move sends a
+    // deduplicated extension's on-disk directory to ~/.ldm/_trash/<name>-
+    // deduplicated-<timestamp> so autoDetectExtensions (which only scans
+    // ~/.ldm/extensions/) cannot find it on the next install pass.
+    // Without this, the registry dedup reverts within the same install run.
+    // See ai/product/bugs/installer/2026-05-13--cc-mini--installer-dedup-reverts-between-installs.md
+    const { performed, skipped } = executeDirectoryMoves({
+      directoryMoves: summary.directoryMoves,
+      extensionsRoot: LDM_EXTENSIONS,
+      trashRoot: join(LDM_ROOT, '_trash'),
+    });
+    summary.directoryMovesPerformed.push(...performed);
+    summary.directoryMovesSkipped.push(...skipped);
+  }
+
+  return summary;
+}
+
+function printLegacyNpmSourcesSummary(summary, { dryRun = false } = {}) {
+  if (!summary) return;
+  const writeableChanges =
+    summary.migrated.length +
+    summary.phantomsRemoved.length +
+    summary.duplicatesRemoved.length;
+  const probeFailureCount = summary.probeFailures?.length || 0;
+  // Always surface probe failures even when nothing was writeable. If every
+  // probe times out, the install would otherwise look like a no-op and the
+  // [unavailable] rows in `ldm status` would survive silently.
+  if (writeableChanges === 0 && probeFailureCount === 0) return;
+
+  console.log('');
+  console.log(dryRun
+    ? '  Registry source.npm cleanup (dry run, no changes written):'
+    : '  Registry source.npm cleanup:');
+
+  if (summary.migrated.length > 0) {
+    console.log(`  + ${dryRun ? 'Would migrate' : 'Migrated'} ${summary.migrated.length} entr${summary.migrated.length === 1 ? 'y' : 'ies'} to updateSource.type=untracked`);
+    for (const m of summary.migrated) {
+      const detail = m.legacyNpmName
+        ? ` (legacy source.npm "${m.legacyNpmName}" preserved in provenance)`
+        : ' (no source info; classified as untracked)';
+      console.log(`      ${m.name}${detail}`);
+    }
+  }
+  if (summary.phantomsRemoved.length > 0) {
+    console.log(`  + ${dryRun ? 'Would remove' : 'Removed'} ${summary.phantomsRemoved.length} phantom entr${summary.phantomsRemoved.length === 1 ? 'y' : 'ies'}:`);
+    for (const p of summary.phantomsRemoved) {
+      console.log(`      ${p.name} (${p.reason})`);
+    }
+  }
+  if (summary.duplicatesRemoved.length > 0) {
+    console.log(`  + ${dryRun ? 'Would remove' : 'Removed'} ${summary.duplicatesRemoved.length} duplicate entr${summary.duplicatesRemoved.length === 1 ? 'y' : 'ies'}:`);
+    for (const d of summary.duplicatesRemoved) {
+      console.log(`      ${d.removed} (canonical: ${d.keep})`);
+    }
+  }
+  if (summary.directoryMoves && summary.directoryMoves.length > 0) {
+    if (dryRun) {
+      console.log(`  + Would move ${summary.directoryMoves.length} duplicate director${summary.directoryMoves.length === 1 ? 'y' : 'ies'} to ~/.ldm/_trash/ (so autoDetectExtensions cannot re-register):`);
+      for (const m of summary.directoryMoves) {
+        console.log(`      ~/.ldm/extensions/${m.name} -> ~/.ldm/_trash/${m.trashName}`);
+      }
+    } else {
+      const performed = summary.directoryMovesPerformed || [];
+      const skipped = summary.directoryMovesSkipped || [];
+      if (performed.length > 0) {
+        console.log(`  + Moved ${performed.length} duplicate director${performed.length === 1 ? 'y' : 'ies'} to ~/.ldm/_trash/ (autoDetectExtensions cannot re-register):`);
+        for (const m of performed) {
+          console.log(`      ${m.name} -> ${m.destPath.replace(HOME, '~')}`);
+        }
+      }
+      if (skipped.length > 0) {
+        console.log(`  ! ${skipped.length} duplicate director${skipped.length === 1 ? 'y' : 'ies'} could not be moved (registry entries are removed; autoDetect may re-add on next install):`);
+        for (const m of skipped) {
+          console.log(`      ${m.name} (${m.reason})`);
+        }
+      }
+    }
+  }
+  if (summary.probeFailures && summary.probeFailures.length > 0) {
+    console.log(`  ! ${summary.probeFailures.length} npm probe${summary.probeFailures.length === 1 ? '' : 's'} could not complete (will retry on next install):`);
+    for (const f of summary.probeFailures) {
+      console.log(`      ${f.name} (source.npm "${f.npmName}")`);
+    }
+  }
+  if (!dryRun && summary.backupPath) {
+    console.log(`  + Registry backup: ${summary.backupPath.replace(HOME, '~')}`);
+  }
+}
+
 // ── Auto-detect unregistered extensions ──
 
 function autoDetectExtensions() {
@@ -1921,38 +2113,6 @@ async function cmdInstallCatalog() {
   // No lock here. cmdInstall() already holds it when calling this.
   installLog(`ldm install started (v${PKG_VERSION}, DRY_RUN=${DRY_RUN})`);
 
-  // Self-update: check if CLI itself is outdated. Update first, then re-exec.
-  // This breaks the chicken-and-egg: new features in ldm install are always
-  // available because the installer upgrades itself before doing anything else.
-  // --alpha and --beta flags check the corresponding npm dist-tag instead of @latest.
-  if (!DRY_RUN && !process.env.LDM_SELF_UPDATED) {
-    try {
-      const npmTag = ALPHA_FLAG ? 'alpha' : BETA_FLAG ? 'beta' : 'latest';
-      const trackLabel = npmTag === 'latest' ? '' : ` (${npmTag} track)`;
-      const npmViewCmd = npmTag === 'latest'
-        ? 'npm view @wipcomputer/wip-ldm-os version 2>/dev/null'
-        : `npm view @wipcomputer/wip-ldm-os dist-tags.${npmTag} 2>/dev/null`;
-      const latest = execSync(npmViewCmd, {
-        encoding: 'utf8', timeout: 15000,
-      }).trim();
-      if (latest && semverNewer(latest, PKG_VERSION)) {
-        console.log(`  LDM OS CLI v${PKG_VERSION} -> v${latest}${trackLabel}. Updating first...`);
-        try {
-          execSync(`npm install -g @wipcomputer/wip-ldm-os@${latest}`, { stdio: 'inherit', timeout: 60000 });
-          console.log(`  CLI updated to v${latest}. Re-running with new code...`);
-          console.log('');
-          // Re-exec with the new binary. LDM_SELF_UPDATED prevents infinite loop.
-          // process.argv.slice(2) skips 'node' and the script path, keeps just 'install' + flags
-          const reArgs = process.argv.slice(2).join(' ') || 'install';
-          execSync(`LDM_SELF_UPDATED=1 ldm ${reArgs}`, { stdio: 'inherit' });
-          process.exit(0);
-        } catch (e) {
-          console.log(`  ! Self-update failed: ${e.message}. Continuing with v${PKG_VERSION}.`);
-        }
-      }
-    } catch {}
-  }
-
   autoDetectExtensions();
 
   // Migrate old registry entries to v2 format (#262)
@@ -1961,6 +2121,12 @@ async function cmdInstallCatalog() {
     console.log(`  + Migrated ${migrated} registry entries to v2 format (source info added)`);
   }
 
+  // Phase 1 of source-types refactor: clear bad source.npm entries, dedupe,
+  // and classify mystery rows as untracked so `ldm status` stops lying.
+  // See ai/product/bugs/installer/2026-05-13--cc-mini--installer-source-npm-honest-cleanup.md
+  const npmCleanupSummary = await migrateLegacyNpmSources({ dryRun: DRY_RUN });
+  printLegacyNpmSourcesSummary(npmCleanupSummary, { dryRun: DRY_RUN });
+
   // Aggregate the bin ownership manifest BEFORE seedLocalCatalog,
   // deployBridge, deployScripts, and the heal walk run. If two
   // declarers claim the same file in ~/.ldm/bin/ we cannot safely
@@ -2891,6 +3057,27 @@ async function cmdDoctor() {
     }
   }
 
+  // Warn on registry entries whose legacy source.npm value 404s on npm.
+  // `ldm install` migrates these to updateSource.type=untracked; this catches
+  // future drift and any entries the install-time probe couldn't reach.
+  // See ai/product/bugs/installer/2026-05-13--cc-mini--installer-source-npm-honest-cleanup.md
+  try {
+    const { findLegacyNpm404Entries, npmPackageExists } = await import('../lib/registry-migrations.mjs');
+    const docRegistry = readJSON(REGISTRY_PATH);
+    const legacy404 = await findLegacyNpm404Entries({
+      registry: docRegistry,
+      probeNpm: (name) => npmPackageExists(name, { timeoutMs: 1500 }),
+    });
+    if (legacy404.length > 0) {
+      console.log('');
+      console.log(`  ! ${legacy404.length} extension(s) declare an npm source whose package does not exist on npm:`);
+      for (const { name, npmName } of legacy404) {
+        console.log(`      ${name}  (source.npm "${npmName}")`);
+      }
+      console.log('      Run `ldm install` to migrate these to updateSource.type=untracked.');
+    }
+  } catch {}
+
   // --fix: clean up registered-missing entries
   if (FIX_FLAG && registeredMissing.length > 0) {
     const registry = readJSON(REGISTRY_PATH);
@@ -3251,7 +3438,91 @@ async function cmdDoctor() {
 
 // ── ldm status ──
 
-function cmdStatus() {
+const STATUS_NPM_TIMEOUT_MS = parsePositiveInt(process.env.LDM_STATUS_NPM_TIMEOUT_MS, 5000);
+const STATUS_TOTAL_BUDGET_MS = parsePositiveInt(process.env.LDM_STATUS_TOTAL_BUDGET_MS, 60000);
+const STATUS_NPM_CONCURRENCY = parsePositiveInt(process.env.LDM_STATUS_NPM_CONCURRENCY, 8);
+const STATUS_NPM_REGISTRY_URL = process.env.LDM_STATUS_NPM_REGISTRY_URL || 'https://registry.npmjs.org';
+
+async function npmViewVersionForStatus(pkg, timeoutMs) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const registry = STATUS_NPM_REGISTRY_URL.replace(/\/+$/, '');
+    const response = await fetch(`${registry}/${encodeURIComponent(pkg)}`, {
+      signal: controller.signal,
+      headers: { accept: 'application/vnd.npm.install-v1+json, application/json' },
+    });
+    if (!response.ok) {
+      const error = new Error(`npm registry returned ${response.status}`);
+      error.statusCode = response.status;
+      throw error;
+    }
+    const metadata = await response.json();
+    return metadata?.['dist-tags']?.latest || '';
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+function remainingStatusBudgetMs(startedAt) {
+  return Math.max(0, STATUS_TOTAL_BUDGET_MS - (Date.now() - startedAt));
+}
+
+function formatStatusElapsed(ms) {
+  if (!Number.isFinite(ms) || ms <= 0) return '0ms';
+  if (ms < 1000) return `${Math.round(ms)}ms`;
+  return `${(ms / 1000).toFixed(1)}s`;
+}
+
+function classifyStatusCheckError(error) {
+  if (error?.name === 'AbortError' || error?.signal === 'SIGTERM' || error?.code === 'ETIMEDOUT' || String(error?.message || '').includes('ETIMEDOUT')) {
+    return 'timeout';
+  }
+  return 'unavailable';
+}
+
+async function runStatusProbesWithConcurrency(items, concurrency, statusStartedAt) {
+  if (items.length === 0) return [];
+
+  const results = new Array(items.length);
+  const workerCount = Math.max(1, Math.min(concurrency, items.length));
+  let nextIndex = 0;
+
+  async function worker() {
+    while (nextIndex < items.length) {
+      const index = nextIndex;
+      nextIndex += 1;
+      const item = items[index];
+      const remaining = remainingStatusBudgetMs(statusStartedAt);
+
+      if (remaining <= 0) {
+        results[index] = { ...item, status: 'skipped', reason: 'budget', elapsedMs: 0 };
+        continue;
+      }
+
+      const timeout = Math.min(STATUS_NPM_TIMEOUT_MS, remaining);
+      const probeStartedAt = Date.now();
+      console.log(`    ${item.name}: checking npm`);
+
+      try {
+        const latest = await npmViewVersionForStatus(item.npm, timeout);
+        results[index] = { ...item, status: 'ok', latest, elapsedMs: Date.now() - probeStartedAt };
+      } catch (error) {
+        results[index] = {
+          ...item,
+          status: 'skipped',
+          reason: classifyStatusCheckError(error),
+          elapsedMs: Date.now() - probeStartedAt,
+        };
+      }
+    }
+  }
+
+  await Promise.all(Array.from({ length: workerCount }, () => worker()));
+  return results;
+}
+
+async function cmdStatus() {
   const version = readJSON(VERSION_PATH);
   const registry = readJSON(REGISTRY_PATH);
   const extCount = Object.keys(registry?.extensions || {}).length;
@@ -3272,18 +3543,46 @@ function cmdStatus() {
     return;
   }
 
-  // Check CLI version against npm
-  let cliUpdate = null;
-  try {
-    const latest = execSync('npm view @wipcomputer/wip-ldm-os version 2>/dev/null', {
-      encoding: 'utf8', timeout: 10000,
-    }).trim();
-    if (latest && semverNewer(latest, PKG_VERSION)) cliUpdate = latest;
-  } catch {}
+  console.log('');
+  console.log(`  LDM OS v${version.version}`);
+  console.log(`  Installed: ${version.installed?.split('T')[0] || 'unknown'}`);
+  console.log(`  Updated:   ${version.updated?.split('T')[0] || 'unknown'}`);
+  console.log(`  Extensions: ${extCount}`);
+  console.log(`  Root: ${LDM_ROOT}`);
+
+  const statusStartedAt = Date.now();
+  const skipped = [];
+
+  console.log('');
+  console.log('  Checking updates:');
 
   // Check extensions against npm using registry source info (#262)
+  const probeItems = [{
+    kind: 'cli',
+    name: 'ldm cli',
+    npm: '@wipcomputer/wip-ldm-os',
+    current: PKG_VERSION,
+  }];
+
   const updates = [];
+  const untrackedEntries = [];
   for (const [name, info] of Object.entries(registry?.extensions || {})) {
+    // Phase 1 of source-types refactor: entries explicitly marked as untracked
+    // are listed in a separate section and never probed. Honest reporting:
+    // we don't know how to check their source yet.
+    if (info?.updateSource?.type === 'untracked') {
+      const currentVersion = info?.installed?.version || info.version || 'unknown';
+      untrackedEntries.push({ name, version: currentVersion });
+      continue;
+    }
+    // Defensive skip for any other Phase 2 updateSource types (git, bundled,
+    // private, etc.) that may appear in the registry before their probe
+    // logic ships. Falling through would use the legacy info.source.npm
+    // path, which is wrong for these types and would print them as
+    // [unavailable]. Phase 2 replaces this skip with proper dispatch.
+    if (info?.updateSource && info.updateSource.type !== 'npm') {
+      continue;
+    }
     // Use registry source.npm (v2) or fall back to extension's package.json
     let npmPkg = info?.source?.npm || null;
     if (!npmPkg) {
@@ -3294,22 +3593,52 @@ function cmdStatus() {
     if (!npmPkg) continue;
     const currentVersion = info?.installed?.version || info.version;
     if (!currentVersion) continue;
-    try {
-      const latest = execSync(`npm view ${npmPkg} version 2>/dev/null`, {
-        encoding: 'utf8', timeout: 10000,
-      }).trim();
-      if (latest && semverNewer(latest, currentVersion)) {
-        updates.push({ name, current: currentVersion, latest, npm: npmPkg });
-      }
-    } catch {}
+    probeItems.push({
+      kind: 'extension',
+      name,
+      npm: npmPkg,
+      current: currentVersion,
+    });
+  }
+  untrackedEntries.sort((a, b) => a.name.localeCompare(b.name));
+
+  let cliUpdate = null;
+  const probeResults = await runStatusProbesWithConcurrency(probeItems, STATUS_NPM_CONCURRENCY, statusStartedAt);
+  for (const result of probeResults) {
+    if (!result) continue;
+    if (result.status === 'skipped') {
+      skipped.push({
+        name: result.name,
+        npm: result.npm,
+        reason: result.reason,
+        elapsedMs: result.elapsedMs,
+      });
+      continue;
+    }
+
+    if (result.kind === 'cli') {
+      if (result.latest && semverNewer(result.latest, PKG_VERSION)) cliUpdate = result.latest;
+    } else if (result.latest && semverNewer(result.latest, result.current)) {
+      updates.push({
+        name: result.name,
+        current: result.current,
+        latest: result.latest,
+        npm: result.npm,
+      });
+    }
   }
 
   console.log('');
-  console.log(`  LDM OS v${version.version}${cliUpdate ? ` (v${cliUpdate} available)` : ' (latest)'}`);
-  console.log(`  Installed: ${version.installed?.split('T')[0]}`);
-  console.log(`  Updated:   ${version.updated?.split('T')[0]}`);
-  console.log(`  Extensions: ${extCount}${updates.length > 0 ? `, ${updates.length} update(s) available` : ', all up to date'}`);
-  console.log(`  Root: ${LDM_ROOT}`);
+  if (updates.length === 0 && !cliUpdate && skipped.length === 0 && untrackedEntries.length === 0) {
+    console.log('  Update summary: all up to date');
+  } else {
+    const summaryParts = [];
+    if (updates.length > 0) summaryParts.push(`${updates.length} extension update(s) available`);
+    if (cliUpdate) summaryParts.push('CLI update available');
+    if (untrackedEntries.length > 0) summaryParts.push(`${untrackedEntries.length} untracked`);
+    if (skipped.length > 0) summaryParts.push(`${skipped.length} update check(s) skipped`);
+    console.log(`  Update summary: ${summaryParts.join(', ')}`);
+  }
 
   if (updates.length > 0) {
     console.log('');
@@ -3325,6 +3654,24 @@ function cmdStatus() {
     console.log(`  CLI update: npm install -g @wipcomputer/wip-ldm-os@${cliUpdate}`);
   }
 
+  if (untrackedEntries.length > 0) {
+    console.log('');
+    console.log('  Untracked extensions (pending reclassification):');
+    const maxNameLen = Math.max(...untrackedEntries.map(e => e.name.length));
+    for (const e of untrackedEntries) {
+      console.log(`    ${e.name.padEnd(maxNameLen)}  v${e.version}`);
+    }
+    console.log('    (run `ldm doctor --reclassify-sources` to classify these)');
+  }
+
+  if (skipped.length > 0) {
+    console.log('');
+    console.log('  Update checks skipped:');
+    for (const item of skipped) {
+      console.log(`    ${item.name}: [${item.reason} ${formatStatusElapsed(item.elapsedMs)}] ${item.npm}`);
+    }
+  }
+
   console.log('');
 }
 
@@ -4005,7 +4352,7 @@ async function main() {
     console.log('    Module     ... ESM main/exports -> importable');
     console.log('    MCP Server ... mcp-server.mjs -> claude mcp add --scope user');
     console.log('    OpenClaw   ... openclaw.plugin.json -> ~/.ldm/extensions/ + ~/.openclaw/extensions/');
-    console.log('    Skill      ... SKILL.md -> ~/.openclaw/skills/<tool>/');
+    console.log('    Skill      ... SKILL.md or skills/<name>/SKILL.md -> agent skill paths');
     console.log('    CC Hook    ... guard.mjs or claudeCode.hook -> ~/.claude/settings.json');
     console.log('');
     console.log(`  v${PKG_VERSION}`);
@@ -4780,7 +5127,7 @@ async function main() {
       await cmdDoctor();
       break;
     case 'status':
-      cmdStatus();
+      await cmdStatus();
       break;
     case 'sessions':
       await cmdSessions();

package/docs/universal-installer/SPEC.md

@@ -144,13 +144,15 @@ A plugin for OpenClaw agents. Lifecycle hooks, tool registration, settings.
 
 A markdown file that teaches agents when and how to use the tool. The instruction interface. Follows the [Agent Skills Spec](https://agentskills.io/specification).
 
-**Convention:** `SKILL.md` at the repo root. YAML frontmatter with name, description. Optional `references/` directory for context files.
+**Convention:** either `SKILL.md` at the repo root, or one or more skill folders at `skills/<skill-name>/SKILL.md`. YAML frontmatter includes name and description. Optional `references/`, `agents/`, `scripts/`, and `assets/` directories live beside `SKILL.md`.
 
 **Platform variants:** Codex CLI reads `AGENTS.md` instead of `SKILL.md`, with the same role and the same content shape. Treat `AGENTS.md` as the Codex-flavored filename for this same interface, not a separate interface. A repo may ship both (or symlink one to the other) so it works in Codex and SKILL.md-aware agents.
 
-**Detection:** `SKILL.md` exists.
+**Detection:** `SKILL.md` exists, or at least one `skills/<skill-name>/SKILL.md` exists.
 
-**Install:** `SKILL.md` deployed to `~/.openclaw/skills/<name>/`. If `references/` exists, deployed alongside SKILL.md and to `settings/docs/skills/<name>/` in the workspace.
+**Install:** the skill folder is deployed to every supported local agent skill surface, including OpenClaw, Codex, Claude Code, and WIP agent compatibility paths when present. If `references/` exists, it is deployed alongside SKILL.md and to `settings/docs/skills/<name>/` in the workspace.
+
+**Npm package shape:** a public skill package can expose `SKILL.md` at package root. For example, `@wipcomputer/wip-ai-chat-ui` is sourced from a private repo folder at `design/skills/wip-ai-chat-ui/`, but publishes a tarball with `SKILL.md`, `agents/`, and `references/` at package root so `ldm install @wipcomputer/wip-ai-chat-ui` installs the skill directly.
 
 **Structure:**
 ```
@@ -162,6 +164,17 @@ repo/
     └── ...
 ```
 
+Multiple skills can also live in one repo:
+
+```text
+repo/
+└── skills/
+    └── wip-ai-chat-ui/
+        ├── SKILL.md
+        ├── agents/
+        └── references/
+```
+
 **Key rules (from Agent Skills Spec):**
 - SKILL.md body < 5000 tokens. Process goes in SKILL.md, context goes in references/.
 - Imperative language: "Run this command" not "This product enables..."

package/docs/universal-installer/TECHNICAL.md

@@ -148,13 +148,13 @@ A plugin for OpenClaw agents. Lifecycle hooks, tool registration, settings.
 
 A markdown file that teaches agents when and how to use the tool. The instruction interface. Follows the [Agent Skills Spec](https://agentskills.io/specification).
 
-**Convention:** `SKILL.md` at the repo root. Optional `references/` directory for context files.
+**Convention:** either `SKILL.md` at the repo root, or one or more skill folders at `skills/<skill-name>/SKILL.md`. Optional `references/`, `agents/`, `scripts/`, and `assets/` directories live beside `SKILL.md`.
 
 **Platform variants:** Codex CLI reads `AGENTS.md` with the same role and content shape. Treat as the Codex-flavored filename for this same interface, not a separate one.
 
-**Detection:** `SKILL.md` exists.
+**Detection:** `SKILL.md` exists, or at least one `skills/<skill-name>/SKILL.md` exists.
 
-**Install:** `ldm install` deploys `SKILL.md` to `~/.openclaw/skills/<name>/`. If `references/` exists, it is deployed alongside and also to `settings/docs/skills/<name>/` in the workspace (so all agents can read them).
+**Install:** `ldm install` deploys the skill folder to every supported local agent skill surface, including OpenClaw, Codex, Claude Code, and WIP agent compatibility paths when present. If `references/` exists, it is deployed alongside and also to `settings/docs/skills/<name>/` in the workspace so all agents can read them.
 
 **Key rules:**
 - SKILL.md body < 5000 tokens. Process in SKILL.md, context in references/.
@@ -364,7 +364,7 @@ ldm install                            # update all
 | `mcp-server.mjs` | MCP (local stdio) | Adds `command` + `args` entry to `.mcp.json` |
 | `mcp.remote.url` in `package.json` | Remote MCP | Adds `url` + `transport` entry to `.mcp.json`; prints Claude Desktop hint. **Implementation in flight ([ticket](../../ai/product/bugs/installer/2026-04-28--cc-mini--installer-remote-mcp-detection.md)).** |
 | `openclaw.plugin.json` | OpenClaw | Copies to `~/.openclaw/extensions/` |
-| `SKILL.md` | Skill | Reports path |
+| `SKILL.md` or `skills/<name>/SKILL.md` | Skill | Deploys skill folder to supported agent skill paths |
 | `guard.mjs` or `claudeCode.hook` | CC Hook | Adds to `~/.claude/settings.json` |
 | `.claude-plugin/plugin.json` | CC Plugin | Registers with Claude Code marketplace |