ma-agents 3.2.0 → 3.3.0

package/.roo/skills/verify-hardened-docker-skill/scripts/verify-docker-hardening.sh

@@ -0,0 +1,439 @@
+#!/bin/bash
+#
+# verify-docker-hardening.sh
+# Comprehensive Docker security verification script
+# Checks Dockerfile, docker-compose.yml, and running containers
+# against CIS, OWASP, and NIST standards
+#
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+IMAGE_NAME="${1:-contacts-app}"
+CONTAINER_NAME="${2:-contacts-app}"
+EXIT_CODE=0
+
+# Counters
+TOTAL_CHECKS=0
+PASSED_CHECKS=0
+FAILED_CHECKS=0
+WARNING_CHECKS=0
+
+# Helper functions
+print_header() {
+    echo ""
+    echo -e "${BLUE}========================================${NC}"
+    echo -e "${BLUE}$1${NC}"
+    echo -e "${BLUE}========================================${NC}"
+}
+
+print_check() {
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
+    echo -ne "  [$TOTAL_CHECKS] $1... "
+}
+
+pass() {
+    PASSED_CHECKS=$((PASSED_CHECKS + 1))
+    echo -e "${GREEN}✅ PASS${NC}"
+}
+
+fail() {
+    FAILED_CHECKS=$((FAILED_CHECKS + 1))
+    EXIT_CODE=2
+    echo -e "${RED}❌ FAIL${NC}"
+    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
+}
+
+warn() {
+    WARNING_CHECKS=$((WARNING_CHECKS + 1))
+    echo -e "${YELLOW}⚠️  WARN${NC}"
+    [ -n "$1" ] && echo -e "      ${YELLOW}→ $1${NC}"
+}
+
+critical() {
+    FAILED_CHECKS=$((FAILED_CHECKS + 1))
+    EXIT_CODE=1
+    echo -e "${RED}🚨 CRITICAL${NC}"
+    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
+}
+
+# Start verification
+echo -e "${BLUE}🔍 Docker Security Verification${NC}"
+echo -e "${BLUE}================================${NC}"
+echo "Image: $IMAGE_NAME"
+echo "Container: $CONTAINER_NAME"
+
+# ============================================================================
+# 1. Dockerfile Verification
+# ============================================================================
+print_header "1. Dockerfile Security"
+
+if [ ! -f "Dockerfile" ]; then
+    print_check "Dockerfile exists"
+    critical "Dockerfile not found in current directory"
+    EXIT_CODE=5
+    exit $EXIT_CODE
+fi
+
+# Check for specific version tags
+print_check "Specific version tags (no :latest)"
+if grep -qE "^FROM.*:(latest|alpine)$" Dockerfile; then
+    fail "Using :latest or unversioned :alpine tag"
+else
+    pass
+fi
+
+# Check for non-root user
+print_check "Non-root user configured"
+if grep -qE "^USER (root|[0-9]+)" Dockerfile; then
+    if grep -qE "^USER root" Dockerfile; then
+        fail "Running as root user"
+    else
+        pass
+    fi
+elif grep -qE "^USER [a-zA-Z]" Dockerfile; then
+    pass
+else
+    fail "No USER directive found"
+fi
+
+# Check for HEALTHCHECK
+print_check "HEALTHCHECK instruction"
+if grep -q "^HEALTHCHECK" Dockerfile; then
+    pass
+else
+    warn "Missing HEALTHCHECK instruction"
+fi
+
+# Check for hardcoded secrets
+print_check "No hardcoded secrets in ENV/ARG"
+if grep -iE "^(ENV|ARG).*(SECRET|PASSWORD|KEY|TOKEN|CLIENT_ID)=" Dockerfile | grep -v "REACT_APP_API_BASE_URL" > /dev/null; then
+    fail "Potential hardcoded secrets found"
+else
+    pass
+fi
+
+# Check for multi-stage build
+print_check "Multi-stage build pattern"
+if [ $(grep -c "^FROM" Dockerfile) -ge 2 ]; then
+    pass
+else
+    warn "Not using multi-stage build"
+fi
+
+# Check for Alpine base images
+print_check "Minimal Alpine base images"
+if grep -qE "^FROM.*alpine" Dockerfile; then
+    pass
+else
+    warn "Not using Alpine base images"
+fi
+
+# ============================================================================
+# 2. docker-compose.yml Verification
+# ============================================================================
+print_header "2. docker-compose.yml Security"
+
+if [ ! -f "docker-compose.yml" ]; then
+    print_check "docker-compose.yml exists"
+    warn "docker-compose.yml not found (optional)"
+else
+    # Check for read-only filesystem
+    print_check "Read-only root filesystem"
+    if grep -q "read_only: true" docker-compose.yml; then
+        pass
+    else
+        fail "Missing read_only: true"
+    fi
+
+    # Check for no-new-privileges
+    print_check "No new privileges"
+    if grep -q "no-new-privileges:true" docker-compose.yml; then
+        pass
+    else
+        fail "Missing security_opt: no-new-privileges:true"
+    fi
+
+    # Check for capability dropping
+    print_check "Capabilities dropped"
+    if grep -q "cap_drop:" docker-compose.yml; then
+        pass
+    else
+        fail "Missing cap_drop configuration"
+    fi
+
+    # Check for tmpfs mounts
+    print_check "Tmpfs mounts for writable dirs"
+    if grep -q "tmpfs:" docker-compose.yml; then
+        pass
+    else
+        fail "Missing tmpfs mounts"
+    fi
+
+    # Check for resource limits
+    print_check "Memory limits configured"
+    if grep -q "memory:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing memory limits"
+    fi
+
+    print_check "CPU limits configured"
+    if grep -q "cpus:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing CPU limits"
+    fi
+
+    # Check for health check
+    print_check "Healthcheck configured"
+    if grep -q "healthcheck:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing healthcheck configuration"
+    fi
+
+    # Check for privileged mode
+    print_check "Not running in privileged mode"
+    if grep -q "privileged: true" docker-compose.yml; then
+        critical "Running in privileged mode"
+    else
+        pass
+    fi
+fi
+
+# ============================================================================
+# 3. .dockerignore Verification
+# ============================================================================
+print_header "3. .dockerignore Configuration"
+
+if [ ! -f ".dockerignore" ]; then
+    print_check ".dockerignore exists"
+    warn ".dockerignore not found"
+else
+    print_check ".env excluded from Docker context"
+    if grep -qE "^\.env$" .dockerignore; then
+        pass
+    else
+        critical ".env not in .dockerignore - secret leakage risk!"
+    fi
+
+    print_check "node_modules excluded"
+    if grep -q "node_modules" .dockerignore; then
+        pass
+    else
+        warn "node_modules not excluded"
+    fi
+
+    print_check ".git excluded"
+    if grep -qE "^\.git" .dockerignore; then
+        pass
+    else
+        warn ".git not excluded"
+    fi
+fi
+
+# ============================================================================
+# 4. Image Security Scanning
+# ============================================================================
+print_header "4. Image Vulnerability Scanning"
+
+# Check if image exists
+if ! docker images --format "{{.Repository}}" | grep -q "^${IMAGE_NAME}$"; then
+    print_check "Docker image exists"
+    warn "Image '$IMAGE_NAME' not found locally. Skipping image scans."
+    echo "      Run 'docker build -t $IMAGE_NAME .' to build the image."
+else
+    # Check if trivy is installed
+    if ! command -v trivy &> /dev/null; then
+        print_check "Trivy scanner installed"
+        warn "Trivy not installed. Skipping vulnerability scans."
+        echo "      Install: brew install aquasecurity/trivy/trivy (macOS)"
+        echo "             : apt-get install trivy (Linux)"
+    else
+        # Scan for CRITICAL vulnerabilities
+        print_check "No CRITICAL vulnerabilities"
+        if trivy image --quiet --severity CRITICAL --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            critical "CRITICAL vulnerabilities found. Run: trivy image --severity CRITICAL $IMAGE_NAME"
+        fi
+
+        # Scan for HIGH vulnerabilities
+        print_check "No HIGH vulnerabilities"
+        if trivy image --quiet --severity HIGH --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            fail "HIGH vulnerabilities found. Run: trivy image --severity HIGH $IMAGE_NAME"
+        fi
+
+        # Scan for leaked secrets
+        print_check "No leaked secrets in image"
+        if trivy image --quiet --scanners secret --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            critical "Secrets detected in image! Run: trivy image --scanners secret $IMAGE_NAME"
+        fi
+    fi
+
+    # Check image size
+    print_check "Optimized image size (< 100MB)"
+    IMAGE_SIZE=$(docker images --format "{{.Size}}" "$IMAGE_NAME" | head -1 | sed 's/MB//' | sed 's/GB/*1024/' | bc 2>/dev/null || echo "0")
+    if [ -n "$IMAGE_SIZE" ] && [ "$IMAGE_SIZE" != "0" ]; then
+        if (( $(echo "$IMAGE_SIZE < 100" | bc -l) )); then
+            pass
+        else
+            warn "Image size is ${IMAGE_SIZE}MB (recommended < 100MB)"
+        fi
+    else
+        warn "Could not determine image size"
+    fi
+
+    # Check for .env in image
+    print_check ".env file not baked into image"
+    if docker run --rm "$IMAGE_NAME" sh -c "ls -la / 2>/dev/null | grep -q .env"; then
+        critical ".env file found in image! Secrets leaked!"
+    else
+        pass
+    fi
+fi
+
+# ============================================================================
+# 5. Runtime Security (if container is running)
+# ============================================================================
+print_header "5. Runtime Security Verification"
+
+if ! docker ps --filter "name=$CONTAINER_NAME" --format "{{.Names}}" | grep -q "^$CONTAINER_NAME$"; then
+    echo -e "${YELLOW}  Container '$CONTAINER_NAME' is not running.${NC}"
+    echo -e "${YELLOW}  Run 'docker-compose up -d' to enable runtime checks.${NC}"
+else
+    # Check container runs as non-root
+    print_check "Container runs as non-root"
+    CONTAINER_USER=$(docker exec "$CONTAINER_NAME" whoami 2>/dev/null || echo "root")
+    if [ "$CONTAINER_USER" != "root" ]; then
+        pass
+    else
+        critical "Container running as root user!"
+    fi
+
+    # Check user ID is not 0
+    print_check "User ID is not 0 (root)"
+    USER_ID=$(docker exec "$CONTAINER_NAME" id -u 2>/dev/null || echo "0")
+    if [ "$USER_ID" != "0" ]; then
+        pass
+    else
+        critical "Container running with UID 0 (root)!"
+    fi
+
+    # Check read-only filesystem
+    print_check "Root filesystem is read-only"
+    if docker exec "$CONTAINER_NAME" sh -c "touch /test 2>/dev/null"; then
+        fail "Root filesystem is writable"
+        docker exec "$CONTAINER_NAME" sh -c "rm /test 2>/dev/null" || true
+    else
+        pass
+    fi
+
+    # Check tmpfs is writable
+    print_check "Tmpfs mount is writable"
+    if docker exec "$CONTAINER_NAME" sh -c "touch /tmp/test 2>/dev/null && rm /tmp/test 2>/dev/null"; then
+        pass
+    else
+        warn "Tmpfs mount /tmp is not writable"
+    fi
+
+    # Check health status
+    print_check "Container is healthy"
+    HEALTH_STATUS=$(docker inspect --format='{{.State.Health.Status}}' "$CONTAINER_NAME" 2>/dev/null || echo "none")
+    if [ "$HEALTH_STATUS" = "healthy" ]; then
+        pass
+    elif [ "$HEALTH_STATUS" = "none" ]; then
+        warn "No health check configured"
+    else
+        fail "Container health status: $HEALTH_STATUS"
+    fi
+
+    # Check capabilities
+    print_check "Capabilities dropped"
+    CAPS_DROPPED=$(docker inspect --format='{{.HostConfig.CapDrop}}' "$CONTAINER_NAME" 2>/dev/null || echo "[]")
+    if echo "$CAPS_DROPPED" | grep -q "ALL"; then
+        pass
+    else
+        warn "Not all capabilities dropped"
+    fi
+
+    # Check memory limit
+    print_check "Memory limit enforced"
+    MEMORY_LIMIT=$(docker inspect --format='{{.HostConfig.Memory}}' "$CONTAINER_NAME" 2>/dev/null || echo "0")
+    if [ "$MEMORY_LIMIT" != "0" ]; then
+        pass
+    else
+        warn "No memory limit set"
+    fi
+fi
+
+# ============================================================================
+# 6. Git Secret Protection
+# ============================================================================
+print_header "6. Git Secret Protection"
+
+if [ -d ".git" ]; then
+    # Check .env in .gitignore
+    print_check ".env in .gitignore"
+    if [ -f ".gitignore" ] && grep -qE "^\.env$" .gitignore; then
+        pass
+    else
+        critical ".env not in .gitignore! Secrets may be committed!"
+    fi
+
+    # Check .env.example exists
+    print_check ".env.example exists (template)"
+    if [ -f ".env.example" ]; then
+        pass
+    else
+        warn ".env.example not found"
+    fi
+
+    # Check if .env is committed
+    print_check ".env not committed to git"
+    if git ls-files --error-unmatch .env > /dev/null 2>&1; then
+        critical ".env is tracked by git! Remove immediately!"
+    else
+        pass
+    fi
+else
+    echo -e "${YELLOW}  Not a git repository. Skipping git checks.${NC}"
+fi
+
+# ============================================================================
+# Summary
+# ============================================================================
+print_header "Verification Summary"
+
+echo ""
+echo "  Total checks:    $TOTAL_CHECKS"
+echo -e "  ${GREEN}Passed:          $PASSED_CHECKS${NC}"
+echo -e "  ${YELLOW}Warnings:        $WARNING_CHECKS${NC}"
+echo -e "  ${RED}Failed:          $FAILED_CHECKS${NC}"
+echo ""
+
+if [ $FAILED_CHECKS -eq 0 ]; then
+    echo -e "${GREEN}✅ All critical security checks passed!${NC}"
+    if [ $WARNING_CHECKS -gt 0 ]; then
+        echo -e "${YELLOW}⚠️  $WARNING_CHECKS warning(s) - consider addressing these.${NC}"
+    fi
+else
+    echo -e "${RED}❌ $FAILED_CHECKS security check(s) failed!${NC}"
+    echo -e "${RED}   Please fix the issues above before deploying.${NC}"
+fi
+
+echo ""
+
+exit $EXIT_CODE

package/README.md

@@ -1,6 +1,6 @@
 # ma-agents
 
-A universal NPX tool to install AI coding agent skills. Write skills once, install them across Claude Code, Gemini, Copilot, Cline, Cursor, and Kilocode.
+A universal NPX tool to install AI coding agent skills. Write skills once, install them across Claude Code, Gemini, Copilot, Cline, Cursor, Kilocode, and Roo Code.
 
 ## Installation & Usage
 
@@ -115,6 +115,7 @@ The file is version-controlled as part of `_bmad-output/` project knowledge. Com
 | Cursor | `.cursor/skills/` | `generic` | `.cursor/cursor.md` |
 | Kilocode | `.kilocode/skills/` | `generic` | `.kilocode/kilocode.md` |
 | Cline | `.cline/skills/` | `cline` | `.cline/clinerules.md` |
+| Roo Code | `.roo/skills/` | `generic` | `.roo/rules/00-ma-agents.md` |
 | SRE Agent (Alex) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/sre.md` |
 | DevOps Agent (Amit) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/devops.md` |
 | Cyber Analyst (Yael) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/cyber.md` |

package/lib/agents.js

@@ -135,6 +135,29 @@ const agents = [
     instructionFiles: ['.cline/clinerules.md', '.clinerules'],
     injectionStrategy: { position: 'top', skipPatterns: ['---'] }
   },
+  {
+    id: 'roo-code',
+    name: 'Roo Code',
+    version: '1.0.0',
+    category: 'ide',
+    description: 'Roo Code AI Assistant (Enhanced Cline fork)',
+    skillsDir: '.roo/skills',
+    getProjectPath: () => path.join(process.cwd(), '.roo', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: ['.roo/rules/00-ma-agents.md'],
+    injectionStrategy: { position: 'top', skipPatterns: ['---'] }
+  },
   {
     id: 'cursor',
     name: 'Cursor',

package/package.json

@@ -1,14 +1,14 @@
 {
   "name": "ma-agents",
-  "version": "3.2.0",
-  "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
+  "version": "3.3.0",
+  "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor, Roo Code)",
   "main": "index.js",
   "bin": {
     "ma-agents": "bin/cli.js"
   },
   "scripts": {
     "start": "node bin/cli.js",
-    "test": "node test/yes-flag.test.js && node test/skill-authoring.test.js && node test/skill-validation.test.js && node test/skill-mandatory.test.js && node test/skill-customize-agent.test.js && node test/create-agent.test.js && node test/generate-project-context.test.js && node test/build-bmad-args.test.js && node test/bmad-version-bump.test.js && node test/extension-module-restructure.test.js && node test/convert-agents-to-skills.test.js && node test/migration.test.js && node test/migration-validation.test.js && node test/story-15-5-workflow-skills.test.js && node test/repo-layout.test.js && node test/config-storage.test.js && node test/cross-repo-validation.test.js && node test/config-lost-on-update.test.js && node test/portable-paths.test.js && node test/cicd-remote-mode.test.js && node test/config-layout.test.js",
+    "test": "node test/yes-flag.test.js && node test/skill-authoring.test.js && node test/skill-validation.test.js && node test/skill-mandatory.test.js && node test/skill-customize-agent.test.js && node test/create-agent.test.js && node test/generate-project-context.test.js && node test/build-bmad-args.test.js && node test/bmad-version-bump.test.js && node test/extension-module-restructure.test.js && node test/convert-agents-to-skills.test.js && node test/migration.test.js && node test/migration-validation.test.js && node test/story-15-5-workflow-skills.test.js && node test/repo-layout.test.js && node test/config-storage.test.js && node test/cross-repo-validation.test.js && node test/config-lost-on-update.test.js && node test/portable-paths.test.js && node test/cicd-remote-mode.test.js && node test/config-layout.test.js && node test/roo-code-agent.test.js && node test/roo-code-injection.test.js",
     "build:bmad-cache": "node scripts/build-bmad-cache.js"
   },
   "keywords": [
@@ -21,6 +21,7 @@
     "kilocode",
     "cline",
     "cursor",
+    "roo-code",
     "npx"
   ],
   "author": "",

package/test/roo-code-agent.test.js

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+/**
+ * Tests for Story 18.1: Register Roo Code Agent in Registry
+ *
+ * Validates that the roo-code agent entry conforms to the required schema
+ * and resolves correctly through the existing config-driven registry pattern.
+ */
+'use strict';
+
+const assert = require('assert');
+
+let passed = 0;
+let failed = 0;
+const errors = [];
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  \u2713 ${name}`);
+    passed++;
+  } catch (err) {
+    console.error(`  \u2717 ${name}: ${err.message}`);
+    failed++;
+    errors.push({ name, error: err.message });
+  }
+}
+
+const { getAllAgents, getAgent, getAgentsByCategory } = require('../lib/agents');
+const allAgents = getAllAgents();
+const rooCode = getAgent('roo-code');
+
+// --- Schema validation ---
+
+console.log('\nRoo Code agent schema validation');
+
+test('roo-code agent exists in registry', () => {
+  assert.ok(rooCode, 'roo-code agent should exist in the registry');
+});
+
+test('id is "roo-code"', () => {
+  assert.strictEqual(rooCode.id, 'roo-code');
+});
+
+test('name is "Roo Code"', () => {
+  assert.strictEqual(rooCode.name, 'Roo Code');
+});
+
+test('category is "ide"', () => {
+  assert.strictEqual(rooCode.category, 'ide');
+});
+
+test('getProjectPath is a function', () => {
+  assert.strictEqual(typeof rooCode.getProjectPath, 'function',
+    'getProjectPath should be a function');
+});
+
+test('getGlobalPath is a function', () => {
+  assert.strictEqual(typeof rooCode.getGlobalPath, 'function',
+    'getGlobalPath should be a function');
+});
+
+test('getProjectPath returns path ending in .roo/skills', () => {
+  const projectPath = rooCode.getProjectPath();
+  assert.ok(
+    projectPath.endsWith('.roo/skills') || projectPath.endsWith('.roo\\skills'),
+    `Expected path ending in .roo/skills, got: ${projectPath}`
+  );
+});
+
+test('getGlobalPath returns a non-empty string', () => {
+  const globalPath = rooCode.getGlobalPath();
+  assert.strictEqual(typeof globalPath, 'string');
+  assert.ok(globalPath.length > 0, 'getGlobalPath should return a non-empty string');
+});
+
+test('getGlobalPath contains roo-cline (VS Code extension storage convention)', () => {
+  const globalPath = rooCode.getGlobalPath();
+  assert.ok(
+    globalPath.includes('roo-cline'),
+    `Expected global path to contain 'roo-cline', got: ${globalPath}`
+  );
+});
+
+test('fileExtension is ".md"', () => {
+  assert.strictEqual(rooCode.fileExtension, '.md');
+});
+
+test('description is a non-empty string', () => {
+  assert.strictEqual(typeof rooCode.description, 'string',
+    'description should be a string');
+  assert.ok(rooCode.description.length > 0, 'description should not be empty');
+});
+
+test('description mentions Cline fork lineage', () => {
+  assert.ok(rooCode.description.includes('Cline'),
+    `description should mention Cline fork lineage, got: ${rooCode.description}`);
+});
+
+test('template is "generic"', () => {
+  assert.strictEqual(rooCode.template, 'generic');
+});
+
+test('skillsDir is ".roo/skills"', () => {
+  assert.strictEqual(rooCode.skillsDir, '.roo/skills');
+});
+
+test('instructionFiles is a non-empty array', () => {
+  assert.ok(Array.isArray(rooCode.instructionFiles),
+    'instructionFiles should be an array');
+  assert.ok(rooCode.instructionFiles.length > 0,
+    'instructionFiles should not be empty');
+});
+
+test('instructionFiles targets .roo/rules/ directory', () => {
+  const hasRooRules = rooCode.instructionFiles.some(f =>
+    f.includes('.roo/rules/') || f.includes('.roo\\rules\\')
+  );
+  assert.ok(hasRooRules,
+    `instructionFiles should target .roo/rules/ directory, got: ${rooCode.instructionFiles}`);
+});
+
+test('injectionStrategy is an object', () => {
+  assert.ok(rooCode.injectionStrategy && typeof rooCode.injectionStrategy === 'object',
+    'injectionStrategy should be an object');
+});
+
+test('injectionStrategy.position is "top"', () => {
+  assert.strictEqual(rooCode.injectionStrategy.position, 'top');
+});
+
+// --- Registry resolution ---
+
+console.log('\nRoo Code agent resolution');
+
+test('getAgent("roo-code") returns the agent', () => {
+  const resolved = getAgent('roo-code');
+  assert.ok(resolved, 'getAgent("roo-code") should return an agent object');
+  assert.strictEqual(resolved.id, 'roo-code');
+});
+
+test('roo-code appears in getAllAgents()', () => {
+  const ids = allAgents.map(a => a.id);
+  assert.ok(ids.includes('roo-code'), 'roo-code should appear in getAllAgents()');
+});
+
+test('roo-code is in the ide category', () => {
+  const ideAgents = getAgentsByCategory('ide');
+  const ids = ideAgents.map(a => a.id);
+  assert.ok(ids.includes('roo-code'), 'roo-code should be in ide category');
+});
+
+test('roo-code is distinct from cline', () => {
+  const cline = getAgent('cline');
+  assert.ok(cline, 'cline agent should still exist');
+  assert.notStrictEqual(cline.id, rooCode.id, 'roo-code and cline should be different agents');
+  assert.notStrictEqual(cline.skillsDir, rooCode.skillsDir,
+    'roo-code and cline should use different skills directories');
+});
+
+// Print summary
+console.log(`\n${passed} passed, ${failed} failed`);
+if (errors.length > 0) {
+  console.log('\nFailed tests:');
+  errors.forEach(e => console.log(`  - ${e.name}: ${e.error}`));
+}
+if (failed > 0) process.exit(1);