@wipcomputer/wip-ldm-os 0.4.85-alpha.3 → 0.4.85-alpha.30

package/lib/deploy.mjs

@@ -177,6 +177,14 @@ export function detectHarnesses() {
     skills: join(codexHome, 'skills'),
   };
 
+  // WIP agent skill compatibility directory
+  const agentsHome = join(HOME, '.agents');
+  harnesses['wip-agents'] = {
+    detected: existsSync(agentsHome),
+    home: agentsHome,
+    skills: join(agentsHome, 'skills'),
+  };
+
   // Cursor
   const cursorHome = join(HOME, '.cursor');
   harnesses['cursor'] = {
@@ -207,7 +215,7 @@ export function detectHarnesses() {
 function getHarnesses() {
   try {
     const config = readJSON(LDM_CONFIG_PATH) || {};
-    if (config.harnesses) {
+    if (config.harnesses && config.harnesses['wip-agents']) {
       const workspace = (config.workspace || '').replace('~', HOME);
       return { harnesses: config.harnesses, workspace };
     }
@@ -1236,11 +1244,77 @@ function installClaudeCodeHookEvent(repoPath, door, toolName = basename(repoPath
   }
 }
 
-function installSkill(repoPath, toolName) {
+function copySkillTree(skillDir, dest, copyFullFolder = false) {
+  mkdirSync(dest, { recursive: true });
+  if (copyFullFolder) {
+    cpSync(skillDir, dest, { recursive: true });
+    return;
+  }
+
+  cpSync(join(skillDir, 'SKILL.md'), join(dest, 'SKILL.md'));
+  for (const child of ['references', 'agents', 'scripts', 'assets']) {
+    const src = join(skillDir, child);
+    if (existsSync(src)) cpSync(src, join(dest, child), { recursive: true });
+  }
+}
+
+const SKILL_COMPANION_DIRS = ['references', 'agents', 'scripts', 'assets'];
+
+function listSkillCopyEntries(skillDir, copyFullFolder = false) {
+  if (copyFullFolder) {
+    try {
+      return readdirSync(skillDir)
+        .filter((entry) => entry !== '.DS_Store')
+        .sort();
+    } catch {
+      return ['SKILL.md'];
+    }
+  }
+
+  const entries = ['SKILL.md'];
+  for (const child of SKILL_COMPANION_DIRS) {
+    if (existsSync(join(skillDir, child))) entries.push(`${child}/`);
+  }
+  return entries;
+}
+
+function printSkillDryRunPlan({ sourceSkillDir, refsSrc, toolName, harnesses, workspace, entries }) {
+  const formatTargetEntries = (base) => entries.map((entry) => join(base, entry));
+  const harnessTargets = Object.entries(harnesses)
+    .filter(([, h]) => h.detected && h.skills)
+    .map(([name, h]) => ({ name, base: join(h.skills, toolName) }));
+
+  ok(`Skill: ${toolName}`);
+  log(`Source: ${sourceSkillDir}`);
+  log('Would copy:');
+  for (const entry of entries) log(`- ${entry}`);
+
+  const permanentBase = join(LDM_EXTENSIONS, toolName);
+  log('Permanent copy:');
+  for (const target of formatTargetEntries(permanentBase)) log(`- ${target}`);
+
+  if (harnessTargets.length > 0) {
+    log('Agent skill targets:');
+    for (const target of harnessTargets) {
+      log(`- ${target.name}: ${target.base}`);
+      for (const entryTarget of formatTargetEntries(target.base)) log(`  - ${entryTarget}`);
+    }
+  } else {
+    log('Agent skill targets: no detected skill harnesses');
+  }
+
+  if (existsSync(refsSrc) && workspace && existsSync(workspace)) {
+    const homeRefsDest = join(workspace, 'settings', 'docs', 'skills', toolName);
+    log('Workspace docs target:');
+    log(`- ${homeRefsDest} (references/ only)`);
+  }
+}
+
+function installSkillFolder(skillDir, toolName, opts = {}) {
   const { harnesses, workspace } = getHarnesses();
 
-  // Find SKILL.md source: repo path first, then permanent copy at ~/.ldm/extensions/
-  let skillSrc = join(repoPath, 'SKILL.md');
+  // Find SKILL.md source: skill dir first, then permanent copy at ~/.ldm/extensions/
+  let skillSrc = join(skillDir, 'SKILL.md');
   const permanentSkill = join(LDM_EXTENSIONS, toolName, 'SKILL.md');
   if (!existsSync(skillSrc) && existsSync(permanentSkill)) skillSrc = permanentSkill;
   if (!existsSync(skillSrc)) return false;
@@ -1251,14 +1325,16 @@ function installSkill(repoPath, toolName) {
     return false;
   }
 
-  // Find references/ source: repo path first, then permanent copy
-  let refsSrc = join(repoPath, 'references');
+  const sourceSkillDir = dirname(skillSrc);
+
+  // Find references/ source: skill dir first, then permanent copy
+  let refsSrc = join(skillDir, 'references');
   const permanentRefs = join(LDM_EXTENSIONS, toolName, 'references');
   if (!existsSync(refsSrc) && existsSync(permanentRefs)) refsSrc = permanentRefs;
 
   if (DRY_RUN) {
-    const targets = Object.entries(harnesses).filter(([,h]) => h.detected && h.skills).map(([name]) => name);
-    ok(`Skill: would deploy ${toolName} to ${targets.join(', ')} (dry run)`);
+    const entries = listSkillCopyEntries(sourceSkillDir, opts.copyFullFolder);
+    printSkillDryRunPlan({ sourceSkillDir, refsSrc, toolName, harnesses, workspace, entries });
     return true;
   }
 
@@ -1267,21 +1343,13 @@ function installSkill(repoPath, toolName) {
 
     // 1. Save permanent copy to ~/.ldm/extensions/<name>/ (survives tmp cleanup)
     const ldmSkillDir = join(LDM_EXTENSIONS, toolName);
-    mkdirSync(ldmSkillDir, { recursive: true });
-    cpSync(skillSrc, join(ldmSkillDir, 'SKILL.md'));
-    if (existsSync(refsSrc) && refsSrc !== permanentRefs) {
-      cpSync(refsSrc, join(ldmSkillDir, 'references'), { recursive: true });
-    }
+    copySkillTree(sourceSkillDir, ldmSkillDir, opts.copyFullFolder);
 
     // 2. Deploy to every detected harness that has a skills path
     for (const [name, harness] of Object.entries(harnesses)) {
       if (!harness.detected || !harness.skills) continue;
       const dest = join(harness.skills, toolName);
-      mkdirSync(dest, { recursive: true });
-      cpSync(skillSrc, join(dest, 'SKILL.md'));
-      if (existsSync(refsSrc)) {
-        cpSync(refsSrc, join(dest, 'references'), { recursive: true });
-      }
+      copySkillTree(sourceSkillDir, dest, opts.copyFullFolder);
       deployed.push(name);
     }
 
@@ -1301,6 +1369,18 @@ function installSkill(repoPath, toolName) {
   }
 }
 
+function installSkill(repoPath, toolName, skillInfo = null) {
+  if (Array.isArray(skillInfo?.skills) && skillInfo.skills.length > 0) {
+    let installed = 0;
+    for (const skill of skillInfo.skills) {
+      if (installSkillFolder(skill.path, skill.name, { copyFullFolder: true })) installed++;
+    }
+    return installed > 0;
+  }
+
+  return installSkillFolder(repoPath, toolName);
+}
+
 // ── Single tool install ──
 
 export function installSingleTool(toolPath) {
@@ -1361,6 +1441,10 @@ export function installSingleTool(toolPath) {
       }
     }
 
+    if (interfaces.skill) {
+      installSkill(toolPath, toolName, interfaces.skill);
+    }
+
     return ifaceNames.length;
   }
 
@@ -1429,7 +1513,7 @@ export function installSingleTool(toolPath) {
 
   if (interfaces.skill) {
     // Skills always deploy. They're instruction files, not running code.
-    if (installSkill(toolPath, toolName)) installed++;
+    if (installSkill(toolPath, toolName, interfaces.skill)) installed++;
   }
 
   if (interfaces.module) {
@@ -1590,7 +1674,7 @@ export async function enableExtension(name) {
 
   if (interfaces.mcp) registerMCP(extPath, interfaces.mcp, name);
   if (interfaces.claudeCodeHook) installClaudeCodeHook(extPath, interfaces.claudeCodeHook);
-  if (interfaces.skill) installSkill(extPath, name);
+  if (interfaces.skill) installSkill(extPath, name, interfaces.skill);
 
   entry.enabled = true;
   entry.updatedAt = new Date().toISOString();

package/lib/detect.mjs

@@ -15,6 +15,23 @@ function readJSON(path) {
   }
 }
 
+function detectSkillDirectories(repoPath) {
+  const skillsDir = join(repoPath, 'skills');
+  if (!existsSync(skillsDir)) return [];
+
+  try {
+    return readdirSync(skillsDir, { withFileTypes: true })
+      .filter(e => e.isDirectory() && existsSync(join(skillsDir, e.name, 'SKILL.md')))
+      .map(e => ({
+        name: e.name,
+        path: join(skillsDir, e.name),
+        skillPath: join(skillsDir, e.name, 'SKILL.md'),
+      }));
+  } catch {
+    return [];
+  }
+}
+
 /**
  * Detect all interfaces in a repo.
  * Returns { interfaces, pkg } where interfaces is an object keyed by interface type.
@@ -48,9 +65,18 @@ export function detectInterfaces(repoPath) {
     interfaces.openclaw = { config: readJSON(ocPlugin), path: ocPlugin };
   }
 
-  // 5. Skill: SKILL.md exists
-  if (existsSync(join(repoPath, 'SKILL.md'))) {
-    interfaces.skill = { path: join(repoPath, 'SKILL.md') };
+  // 5. Skill: root SKILL.md, or a skills/<name>/SKILL.md collection.
+  const rootSkillPath = join(repoPath, 'SKILL.md');
+  if (existsSync(rootSkillPath)) {
+    interfaces.skill = { path: rootSkillPath };
+  }
+
+  const skillDirs = detectSkillDirectories(repoPath);
+  if (skillDirs.length > 0) {
+    interfaces.skill = {
+      path: join(repoPath, 'skills'),
+      skills: skillDirs,
+    };
   }
 
   // 6. Claude Code Hook: guard.mjs or claudeCode.hook(s) in package.json
@@ -103,7 +129,12 @@ export function describeInterfaces(interfaces) {
   if (interfaces.module) lines.push(`Module: ${JSON.stringify(interfaces.module.main)}`);
   if (interfaces.mcp) lines.push(`MCP Server: ${interfaces.mcp.file}`);
   if (interfaces.openclaw) lines.push(`OpenClaw Plugin: ${interfaces.openclaw.config?.name || 'detected'}`);
-  if (interfaces.skill) lines.push(`Skill: SKILL.md`);
+  if (interfaces.skill?.skills?.length) {
+    const skills = interfaces.skill.skills.map(s => `${s.name} (${s.skillPath})`);
+    lines.push(`Skill: ${skills.join(', ')}`);
+  } else if (interfaces.skill) {
+    lines.push(`Skill: SKILL.md`);
+  }
   if (interfaces.claudeCodeHook) {
     const events = interfaces.claudeCodeHook.map(h => h.event || 'PreToolUse');
     lines.push(`Claude Code Hook: ${events.join(', ')}`);

package/lib/registry-migrations.mjs

@@ -0,0 +1,296 @@
+// Registry migrations for ~/.ldm/extensions/registry.json.
+//
+// Phase 1 of the source-types refactor. Pure planner + npm-probe helper.
+// Called by bin/ldm.js during `ldm install`. Idempotent: entries that already
+// carry `updateSource` are skipped.
+//
+// `planLegacyNpmSourcesMigration` is pure (no filesystem I/O). The companion
+// `executeDirectoryMoves` IS side-effecting; the planner emits a list of
+// directory-move plans and the executor performs them. The split lets tests
+// drive the planner with in-memory fixtures and exercise the executor against
+// a real temp filesystem.
+//
+// See ai/product/bugs/installer/2026-05-13--cc-mini--installer-source-npm-honest-cleanup.md
+// and the parent design ai/product/bugs/installer/2026-05-13--cc-mini--installer-registry-source-types-architecture.md
+
+import { existsSync, mkdirSync, renameSync } from 'node:fs';
+import { join } from 'node:path';
+
+const DEFAULT_NPM_REGISTRY = 'https://registry.npmjs.org';
+
+// Phase 1 expedient. The known duplicate pairs surfaced on Parker's machine
+// during the 2026-05-13 dogfood. General-case duplicate detection is the
+// hygiene-audit ticket's Check 1
+// (ai/product/bugs/installer/2026-05-13--cc-mini--installer-registry-hygiene-audit.md);
+// do NOT extend this list as a long-term shape. Future entries belong in
+// that audit, not here.
+//
+// Dedupe drops the duplicate's `installed` block entirely. Today both rows
+// in each pair carry the same version, so no data is lost. If a duplicate
+// ever carried a newer version than its canonical, the dedup would silently
+// discard that information. Acceptable for the known pairs; not a general
+// safe pattern.
+const KNOWN_DUPLICATE_PAIRS = [
+  { keep: 'cc-session-export', remove: 'session-export' },
+  { keep: 'wip-branch-guard',  remove: 'package' },
+];
+
+export function emptyLegacyNpmSourcesSummary() {
+  return {
+    migrated: [],
+    phantomsRemoved: [],
+    duplicatesRemoved: [],
+    // Directory moves to perform AFTER the registry write. The planner
+    // emits these as a parallel list to duplicatesRemoved (1:1); the
+    // wrapper in bin/ldm.js executes them. See
+    // ai/product/bugs/installer/2026-05-13--cc-mini--installer-dedup-reverts-between-installs.md
+    // for the bug fix: without moving the on-disk directory out of
+    // ~/.ldm/extensions/, autoDetectExtensions re-registers the duplicate
+    // on the same install run and the dedup never persists.
+    directoryMoves: [],
+    directoryMovesPerformed: [],
+    directoryMovesSkipped: [],
+    probedCount: 0,
+    probeFailures: [],
+    timestamp: new Date().toISOString(),
+  };
+}
+
+export function summaryHasChanges(summary) {
+  return summary.migrated.length > 0
+    || summary.phantomsRemoved.length > 0
+    || summary.duplicatesRemoved.length > 0;
+}
+
+// Pure planner. Returns { newRegistry, summary } without touching the
+// filesystem. Tests pass an in-memory registry, a fake `probeNpm`, and a
+// fake `extensionExists`. Real callers inject the file-backed versions.
+//
+// probeNpm contract:
+//   returns true  if the package exists on npm
+//   returns false if the package returns 404 (definitely doesn't exist)
+//   returns null  if the probe failed (timeout / network) ... entry is left
+//                  alone and retried on the next install
+//
+// extensionExists contract:
+//   called as (name, entry) -> boolean
+//   The entry is provided so the resolver can honor `entry.paths.ldm` and
+//   the legacy `entry.ldmPath` field before falling back to the default
+//   ~/.ldm/extensions/<name> path. A naive resolver that only checks the
+//   default location would falsely classify custom-path entries as
+//   phantoms and remove them. Real callers must check both.
+export async function planLegacyNpmSourcesMigration({
+  registry,
+  probeNpm,
+  extensionExists,
+  now,
+}) {
+  const summary = emptyLegacyNpmSourcesSummary();
+  if (now) summary.timestamp = now().toISOString();
+  if (!registry?.extensions) return { newRegistry: registry, summary };
+
+  // Shallow-clone the top level and each entry so the input is not mutated.
+  const newRegistry = { ...registry, extensions: {} };
+  for (const [name, entry] of Object.entries(registry.extensions)) {
+    newRegistry.extensions[name] = { ...entry };
+  }
+
+  // Step 1: phantoms. Registry rows with no on-disk extension directory.
+  // The acceptance criterion says these are removed entirely; they're
+  // surfaced as an explicit summary delta, not silent.
+  //
+  // extensionExists is called with both name and entry so the resolver can
+  // honor entry.paths.ldm / entry.ldmPath. A custom-path entry must not be
+  // misclassified as phantom.
+  for (const [name, entry] of Object.entries(newRegistry.extensions)) {
+    if (entry.updateSource) continue;
+    if (extensionExists(name, entry)) continue;
+    summary.phantomsRemoved.push({
+      name,
+      reason: 'directory missing',
+      legacyNpmName: entry.source?.npm || null,
+    });
+    delete newRegistry.extensions[name];
+  }
+
+  // Step 2: dedupe known pairs. Pure structural fix; the canonical row stays
+  // untouched. Future drift is the hygiene-audit ticket's job, not this one.
+  //
+  // Each removed duplicate also emits a directoryMoves entry: the wrapper
+  // moves ~/.ldm/extensions/<remove> to ~/.ldm/_trash/<remove>-deduplicated-<ts>
+  // after the registry write so autoDetectExtensions cannot re-register
+  // the duplicate on the same install run.
+  const trashStamp = summary.timestamp.replace(/[:.]/g, '-');
+  for (const { keep, remove } of KNOWN_DUPLICATE_PAIRS) {
+    if (newRegistry.extensions[keep] && newRegistry.extensions[remove]) {
+      summary.duplicatesRemoved.push({ keep, removed: remove });
+      summary.directoryMoves.push({
+        name: remove,
+        reason: 'deduplicated',
+        trashName: `${remove}-deduplicated-${trashStamp}`,
+      });
+      delete newRegistry.extensions[remove];
+    }
+  }
+
+  // Step 3: probe entries that still carry a legacy `source.npm` value.
+  // 404 -> migrate to untracked + provenance. 200 -> leave alone. Unknown ->
+  // leave alone; the next install will retry.
+  const probeTargets = [];
+  for (const [name, entry] of Object.entries(newRegistry.extensions)) {
+    if (entry.updateSource) continue;
+    const npmName = entry.source?.npm;
+    if (!npmName) continue;
+    probeTargets.push({ name, npmName });
+  }
+
+  const probeResults = await Promise.all(
+    probeTargets.map(async ({ name, npmName }) => {
+      const exists = await probeNpm(npmName);
+      summary.probedCount++;
+      return { name, npmName, exists };
+    })
+  );
+
+  for (const { name, npmName, exists } of probeResults) {
+    if (exists === true) continue;
+    if (exists === null) {
+      summary.probeFailures.push({ name, npmName });
+      continue;
+    }
+    const entry = newRegistry.extensions[name];
+    const legacyRepo = entry.source?.repo || null;
+    summary.migrated.push({ name, legacyNpmName: npmName, legacyRepo });
+    entry.updateSource = { type: 'untracked' };
+    entry.provenance = { ...(entry.provenance || {}) };
+    entry.provenance['legacy-npm-name'] = npmName;
+    if (legacyRepo) entry.provenance.repo = legacyRepo;
+    entry.provenance.untrackedSince = summary.timestamp;
+    delete entry.source;
+  }
+
+  // Step 4: entries with no source info at all (the mystery `run`-style row).
+  // Per the ticket, migrate to untracked so they stay visible in `ldm status`.
+  for (const [name, entry] of Object.entries(newRegistry.extensions)) {
+    if (entry.updateSource) continue;
+    if (entry.source?.npm || entry.source?.repo) continue;
+    summary.migrated.push({
+      name,
+      legacyNpmName: null,
+      legacyRepo: null,
+      reason: 'no-source-info',
+    });
+    entry.updateSource = { type: 'untracked' };
+    entry.provenance = { ...(entry.provenance || {}) };
+    entry.provenance.untrackedSince = summary.timestamp;
+    if ('source' in entry) delete entry.source;
+  }
+
+  return { newRegistry, summary };
+}
+
+// Execute the directory-move plans emitted by planLegacyNpmSourcesMigration.
+// Side-effecting: moves directories from `extensionsRoot/<name>` to
+// `trashRoot/<trashName>`. Creates `trashRoot` if needed. Skips moves whose
+// source is missing or whose rename fails. Idempotent: a second call with the
+// same plan returns all-skipped (source-missing) once the moves are done.
+//
+// Returns `{ performed: [...], skipped: [...] }` for the caller to append to
+// the migration summary. Each performed entry gains a `destPath`; each skipped
+// entry gains a `reason`.
+//
+// The contract is split from the planner so:
+//   - the planner stays pure and trivially testable with in-memory fixtures,
+//   - the executor can be exercised against a real temp filesystem in a test
+//     fixture without spawning a full `ldm install` run,
+//   - tests can inject `fs` primitives via the optional `fs` option for
+//     paranoid scenarios.
+export function executeDirectoryMoves({
+  directoryMoves,
+  extensionsRoot,
+  trashRoot,
+  fs,
+}) {
+  const _existsSync = fs?.existsSync || existsSync;
+  const _mkdirSync = fs?.mkdirSync || mkdirSync;
+  const _renameSync = fs?.renameSync || renameSync;
+
+  const performed = [];
+  const skipped = [];
+  if (!directoryMoves || directoryMoves.length === 0) {
+    return { performed, skipped };
+  }
+
+  _mkdirSync(trashRoot, { recursive: true });
+
+  for (const move of directoryMoves) {
+    const src = join(extensionsRoot, move.name);
+    const dest = join(trashRoot, move.trashName);
+    if (!_existsSync(src)) {
+      skipped.push({ ...move, reason: 'source-missing' });
+      continue;
+    }
+    try {
+      _renameSync(src, dest);
+      performed.push({ ...move, destPath: dest });
+    } catch (err) {
+      skipped.push({ ...move, reason: `rename-failed: ${err.message}` });
+    }
+  }
+
+  return { performed, skipped };
+}
+
+// Real npm-registry probe. Returns true/false/null per the planner contract.
+// Mirrors the fetch pattern used by npmViewVersionForStatus in bin/ldm.js.
+export async function npmPackageExists(pkgName, opts = {}) {
+  const registryUrl = (opts.registryUrl || DEFAULT_NPM_REGISTRY).replace(/\/+$/, '');
+  const timeoutMs = Number.isFinite(opts.timeoutMs) ? opts.timeoutMs : 2000;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const url = `${registryUrl}/${encodeURIComponent(pkgName)}`;
+    const response = await fetch(url, {
+      signal: controller.signal,
+      headers: { accept: 'application/vnd.npm.install-v1+json, application/json' },
+    });
+    if (response.status === 404) return false;
+    if (response.ok) return true;
+    return null;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+// Doctor check: returns a list of registry entries that still carry a
+// `source.npm` value pointing at a package that returns 404. These are
+// candidates for migration on the next `ldm install`, but if the doctor
+// runs first (Parker checks status / doctor before running install) we
+// warn so it's not invisible.
+//
+// Returns: [{ name, npmName }] in lexical order.
+export async function findLegacyNpm404Entries({
+  registry,
+  probeNpm,
+}) {
+  if (!registry?.extensions) return [];
+  const targets = [];
+  for (const [name, entry] of Object.entries(registry.extensions)) {
+    if (entry.updateSource) continue;
+    const npmName = entry.source?.npm;
+    if (!npmName) continue;
+    targets.push({ name, npmName });
+  }
+  const results = await Promise.all(
+    targets.map(async ({ name, npmName }) => {
+      const exists = await probeNpm(npmName);
+      return { name, npmName, exists };
+    })
+  );
+  return results
+    .filter(r => r.exists === false)
+    .map(({ name, npmName }) => ({ name, npmName }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.3",
+  "version": "0.4.85-alpha.30",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -18,14 +18,29 @@
   "scripts": {
     "build:bridge": "cd src/bridge && npm install && npx tsup core.ts mcp-server.ts cli.ts openclaw.ts --format esm --dts --clean --outDir ../../dist/bridge",
     "build": "npm run build:bridge",
-    "prepublishOnly": "npm run build:bridge && npm run validate:bin-manifest",
+    "prepublishOnly": "npm run build:bridge && npm run validate:bin-manifest && npm run test:install-prompt-policy && npm run test:readme-install-prompt && npm run test:ldm-status-timeout && npm run test:ldm-status-concurrency && npm run test:legacy-npm-sources-migration",
     "validate:bin-manifest": "node scripts/validate-bin-manifest.mjs",
     "test:skill-frontmatter": "node scripts/test-skill-frontmatter.mjs",
+    "test:install-prompt-policy": "node scripts/test-install-prompt-policy.mjs",
+    "test:readme-install-prompt": "node scripts/test-readme-install-prompt.mjs",
+    "test:ldm-status-timeout": "node scripts/test-ldm-status-timeout.mjs",
+    "test:ldm-status-concurrency": "node scripts/test-ldm-status-concurrency.mjs",
+    "test:legacy-npm-sources-migration": "node scripts/test-legacy-npm-sources-migration.mjs",
     "test:installer-update-tracks": "node scripts/test-installer-update-tracks.mjs",
     "test:installer-hook-toolname": "node scripts/test-installer-hook-toolname.mjs",
+    "test:installer-target-self-update": "node scripts/test-installer-target-self-update.mjs",
+    "test:installer-skill-directory": "node scripts/test-installer-skill-directory.mjs",
+    "test:installer-skill-dry-run-destinations": "node scripts/test-installer-skill-dry-run-destinations.mjs",
     "test:ldm-install-bin-shim": "node scripts/test-ldm-install-preserves-foreign-bin.mjs",
     "test:doctor-cron-target": "node scripts/test-doctor-cron-target.mjs",
     "test:bin-manifest": "node scripts/test-bin-manifest.mjs",
+    "test:crc-agentid-tenant-boundary": "node scripts/test-crc-agentid-tenant-boundary.mjs",
+    "test:crc-pair-login-flow": "node scripts/test-crc-pair-login-flow.mjs",
+    "test:crc-pair-status-poll-token": "node scripts/test-crc-pair-status-poll-token.mjs",
+    "test:crc-pair-relink-audit-and-rotation": "node scripts/test-crc-pair-relink-audit-and-rotation.mjs",
+    "test:crc-e2ee-key-persistence": "node scripts/test-crc-e2ee-key-persistence.mjs",
+    "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
+    "test:crc-websocket-abuse-limits": "node scripts/test-crc-websocket-abuse-limits.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"
   },

package/scripts/test-crc-agentid-tenant-boundary.mjs

@@ -0,0 +1,80 @@
+import { createHash } from "node:crypto";
+import { readFileSync } from "node:fs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+
+function assertContains(needle, label) {
+  if (!server.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertNotContains(needle, label) {
+  if (server.includes(needle)) {
+    throw new Error(`${label} still contains forbidden text: ${needle}`);
+  }
+}
+
+assertContains('const ACCOUNT_TENANT_PREFIX = "acct:";', "account tenant prefix");
+assertContains('const LEGACY_API_KEY_TENANT_PREFIX = "key:";', "legacy key tenant prefix");
+assertContains('function accountTenantIdForUserId(userId)', "account tenant helper");
+assertContains('function identityForApiKey(key)', "api key identity helper");
+assertContains('return identityForApiKey(key);', "http auth uses identity helper");
+assertContains("const agentId = accountTenantIdForUserId(stored.userId);", "registration uses immutable account tenant");
+assertContains("function sanitizeDisplayLabel(raw)", "display label sanitizer");
+assertContains('replace(/[\\u0000-\\u001f\\u007f]/g, "").replace(/\\s+/g, " ").trim().slice(0, 64)', "display label sanitizer preserves label semantics");
+assertContains("const displayLabel = sanitizeDisplayLabel(body?.displayName || body?.username);", "registration treats entered name as display label");
+assertContains("displayLabel,", "registration challenge stores display label");
+assertContains("await saveApiKey(apiKey, agentId, { handle: credentialLabel });", "registration stores handle separately");
+assertContains("p.handle = identity.handle;", "pair stores display handle separately");
+assertContains("handle: identity.handle,", "relay metadata returns display handle");
+assertContains("codexDaemons.has(identity.agentId)", "daemon presence uses tenant id");
+assertContains("codexDaemonPubkeyRegistry.get(identity.agentId)", "daemon pubkey uses tenant id");
+assertContains("agentId: identity.agentId,", "relay tickets bind tenant id");
+assertContains("handle: identity.handle,", "relay tickets preserve display handle");
+assertContains("codexDaemons.set(identity.agentId, ws);", "daemon ws keyed by tenant id");
+assertContains("const webKey = codexRelayKey(identity.agentId, threadId);", "web ws keyed by tenant id");
+assertContains("const daemonWs = codexDaemons.get(identity.agentId);", "web sends to tenant daemon");
+assertNotContains("const agentId = stored.username || (\"passkey-\"", "registration must not use chosen handle as tenant");
+assertNotContains("const existingKey = Object.entries(API_KEYS).find(([k, v]) => v === agentId);", "oauth must not reuse chosen handle as tenant");
+assertNotContains("function isUsernameTaken", "display labels must not be globally unique usernames");
+assertNotContains("function sanitizeUsername", "display labels must not be modeled as usernames");
+assertNotContains('json(res, 409, { error: "reserved_handle"', "display labels must not be blocked as reserved security handles");
+assertNotContains('json(res, 409, { error: "handle_taken"', "duplicate display labels must be allowed");
+
+function legacyTenantIdForApiKey(key) {
+  return "key:" + createHash("sha256").update(key).digest("base64url").slice(0, 32);
+}
+
+function accountTenantIdForUserId(userId) {
+  return "acct:" + userId;
+}
+
+const chosenHandle = "parker-smoke-test";
+const sharedDisplayLabel = "Parker";
+const accountA = accountTenantIdForUserId("user-a");
+const accountB = accountTenantIdForUserId("user-b");
+const threadId = "thread-019dfa";
+if (accountA === accountB) {
+  throw new Error("different user ids collapsed to one account tenant");
+}
+if (`${sharedDisplayLabel}:${threadId}` === `${accountA}:${threadId}` || `${sharedDisplayLabel}:${threadId}` === `${accountB}:${threadId}`) {
+  throw new Error("display label was used as a relay route key");
+}
+
+const legacyA = legacyTenantIdForApiKey("ck-a");
+const legacyB = legacyTenantIdForApiKey("ck-b");
+if (legacyA === legacyB) {
+  throw new Error("legacy API-key tenants collided");
+}
+
+const webKeyA = `${accountA}:${threadId}`;
+const webKeyB = `${accountB}:${threadId}`;
+if (webKeyA === webKeyB) {
+  throw new Error("same display handle can still collide across account tenants");
+}
+if (`${chosenHandle}:${threadId}` === webKeyA || `${chosenHandle}:${threadId}` === webKeyB) {
+  throw new Error("model still keys relay routes by display handle");
+}
+
+console.log("crc agentId tenant boundary checks passed");