multimodel-dev-os 2.8.1 → 3.0.0

package/.ai/plugins/catalog/.ai/checks/pre-commit-gate.md

@@ -0,0 +1,14 @@
+# Pre-commit Quality Gate
+
+This check enforces repository sanity checks before commits are made.
+
+## Verification Checklist
+
+1. **Syntax & Style:**
+   - Run linter checks (e.g. `npm run lint` or `eslint`).
+   - Run typecheckers (e.g. `npm run typecheck` or `tsc`).
+2. **Schema & Diagnostics:**
+   - Run `npx multimodel-dev-os validate` to ensure directory structure compliance.
+   - Run `npx multimodel-dev-os doctor` to audit ignored folders and token sizes.
+3. **Working Tree Cleanliness:**
+   - Run `git diff` to confirm there are no leftover debug statements or scratch files.

package/.ai/plugins/catalog/.ai/skills/checkout-ops.md

@@ -0,0 +1,12 @@
+# E-Commerce Webhook & Gateway Audits Skill
+
+This skill guides the AI agent when managing checkout configurations and payment webhook processing code.
+
+## Guidelines
+
+1. **Webhook Security:**
+   - Always verify signature payloads using the provider's SDK (e.g. `stripe.webhooks.constructEvent`).
+   - Throw explicit, logged errors on signature validation failures to assist debugging.
+2. **Transaction Integrity:**
+   - Double-check payment amounts and currency codes against internal database models before marking orders paid.
+   - Use transactional writes when updating orders and inventory counts.

package/.ai/plugins/catalog/.ai/skills/git-operations.md

@@ -0,0 +1,21 @@
+# Git Operations Skill
+
+This skill guides the AI agent when managing Git repositories and releasing versions.
+
+## Guidelines
+
+1. **Commit Messages:**
+   - Adhere to Conventional Commits:
+     - `feat: ...` for new features
+     - `fix: ...` for bug fixes
+     - `docs: ...` for documentation updates
+     - `chore: ...` for builds, versions, etc.
+   - Keep the summary line under 50 characters.
+
+2. **Branch Management:**
+   - Ensure you are working on the target branch (e.g. `main` or `develop`).
+   - Check working tree cleanliness before tagging or pushing.
+
+3. **Releasing:**
+   - Verify version alignment in package config, scripts, and logs before releasing.
+   - Tag releases with annotated git tags: `git tag -a vX.Y.Z -m "message"`.

package/.ai/plugins/catalog/.ai/skills/nextjs-builder.md

@@ -0,0 +1,12 @@
+# Next.js Route & Action Builder Skill
+
+This skill guides the AI agent when designing and auditing Next.js App Router applications.
+
+## Guidelines
+
+1. **Server Actions Security:**
+   - Ensure Server Actions (declared with `'use server'`) validate all input payloads using Zod or equivalent schemas.
+   - Enforce authorization checks inside every action before processing requests.
+2. **Route Handlers:**
+   - Enforce standard response formats: always return `NextResponse.json(...)` or proper redirect responses.
+   - Handle CORS and HTTP methods properly, returning status `405 Method Not Allowed` for unsupported verbs.

package/.ai/plugins/catalog/.ai/skills/release-ops.md

@@ -0,0 +1,12 @@
+# Release Preparation & Package Audit Skill
+
+This skill guides the AI agent when verifying workspace state for a package release.
+
+## Guidelines
+
+1. **Version Auditing:**
+   - Double-check that target tags match version fields in `package.json`, install scripts, and changelogs.
+   - Refuse tag generation if uncommitted files are present in the working tree.
+2. **Hygiene Checks:**
+   - Verify that `.npmrc` file is ignored or properly configured before running pack dry-runs.
+   - Confirm lockfiles are updated and represent the exact active package versions.

package/.ai/plugins/catalog/.ai/skills/seo-audit-ops.md

@@ -0,0 +1,14 @@
+# SEO Audit Operations Skill
+
+This skill guides the AI agent when verifying search engine readiness of target frontend applications.
+
+## Guidelines
+
+1. **Heading Structure:**
+   - Enforce a single `<h1>` tag per page representing the primary page topic.
+   - Maintain a sequential heading hierarchy (`<h2>`, `<h3>` etc.) without skips.
+2. **Metadata Checks:**
+   - Verify every page has a unique, descriptive `<title>` tag under 60 characters.
+   - Verify presence of a `<meta name="description" content="...">` tag under 160 characters.
+3. **Sitemaps:**
+   - Confirm sitemap.xml lists all accessible routes and complies with XML schema.

package/.ai/plugins/catalog/.ai/skills/wp-helper.md

@@ -0,0 +1,13 @@
+# WordPress Theme & Plugin Helper Skill
+
+This skill guides the AI agent when generating WordPress themes and plugins PHP code.
+
+## Guidelines
+
+1. **Coding Standards:**
+   - Adhere to the official WordPress PHP Coding Standards.
+   - Prefix all custom function names, classes, and globals with a unique slug to prevent namespace collisions.
+2. **Security & Validation:**
+   - Enforce escaping on all outputs (e.g. using `esc_html()`, `esc_attr()`, `esc_url()`).
+   - Validate and sanitize input data using `sanitize_text_field()`, `absint()`, etc.
+   - Implement nonce checks on all form submissions and AJAX requests using `wp_verify_nonce()`.

package/.ai/plugins/catalog/README.md

@@ -0,0 +1,34 @@
+# Workflow Marketplace & Plugin Catalog Directory
+
+This directory stores the curated, first-party plugin definitions and their declarative assets for the local Workflow Marketplace.
+
+## Folder Structure
+
+* `catalog.yaml`: The master catalog index referencing all available plugin slugs, categories, tags, and file previews.
+* `catalog/`: Holds the actual plugin YAML configuration manifests and their respective sub-assets.
+  - `git-workflows.yaml`: Git pre-commit checks and branch audit operations.
+  - `seo-workflows.yaml`: HTML metadata audits and sitemap verification helpers.
+  - `wordpress-workflows.yaml`: Boilderplate generators and security checks for WordPress.
+  - `nextjs-workflows.yaml`: App router, middleware, and route handler validations for Next.js.
+  - `ecommerce-workflows.yaml`: Stripe webhook signature and transaction auditing templates.
+  - `release-workflows.yaml`: CI-safe package publishing pre-flight checklists and verifiers.
+
+Any assets copied by these plugins (such as skills, checks, or prompts) must reside relative to this catalog root folder matching their destination layout (e.g. inside `catalog/.ai/skills/` or `catalog/.ai/checks/`).
+
+## Installation
+
+These catalog plugins can be listed, searched, and installed using the CLI:
+
+```bash
+# List all catalog plugins
+npx multimodel-dev-os catalog list
+
+# Search for a plugin
+npx multimodel-dev-os catalog search git
+
+# Get recommendations for the current repository
+npx multimodel-dev-os catalog recommend
+
+# Install a plugin
+npx multimodel-dev-os catalog install git-workflows --approved
+```

package/.ai/plugins/catalog/ecommerce-workflows.yaml

@@ -0,0 +1,14 @@
+name: "E-Commerce Webhook & Gateway Audits"
+slug: "ecommerce-workflows"
+version: "1.0.0"
+description: "Declarative schemas for payment gateways (Stripe, bKash) and webhook validation rules."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin provides webhook auditing. No network connections are opened."
+allowed_file_patterns:
+  - .ai/skills/checkout-ops.md
+workflows:
+  webhook-verify:
+    name: "Audit Webhook Endpoints"
+    description: "Scan code for proper signature checks on Stripe/bKash webhooks."
+    steps:
+      - run: "echo 'Verifying webhook security patterns...'"

package/.ai/plugins/catalog/git-workflows.yaml

@@ -0,0 +1,22 @@
+name: "Git Workflows & Verification"
+slug: "git-workflows"
+version: "1.0.0"
+description: "Automated git pre-commit checks, branch compliance, and tag/push audits."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin configures git workflows and checks. It is safe and does not modify source code."
+allowed_file_patterns:
+  - .ai/skills/git-operations.md
+  - .ai/checks/pre-commit-gate.md
+workflows:
+  git-audit:
+    name: "Git Repository Audit"
+    description: "Check working tree cleanliness and verify latest tag matches version."
+    steps:
+      - run: "git status --short"
+      - run: "git log -1 --oneline"
+  pre-commit-gate:
+    name: "Pre-commit Quality Gate"
+    description: "Strict checks before making commits."
+    steps:
+      - run: "npx multimodel-dev-os validate"
+      - run: "npx multimodel-dev-os doctor"

package/.ai/plugins/catalog/nextjs-workflows.yaml

@@ -0,0 +1,14 @@
+name: "Next.js Route & Action Builder"
+slug: "nextjs-workflows"
+version: "1.0.0"
+description: "Server Actions structural helper, Route Handler validation, and middleware auditing."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin assists with Next.js structures. No package changes are made."
+allowed_file_patterns:
+  - .ai/skills/nextjs-builder.md
+workflows:
+  nextjs-action-check:
+    name: "Server Action Validation"
+    description: "Scan route folders and verify that 'use server' directives are configured securely."
+    steps:
+      - run: "echo 'Scanning Next.js actions...'"

package/.ai/plugins/catalog/release-workflows.yaml

@@ -0,0 +1,14 @@
+name: "Release Preparation & Package Audit"
+slug: "release-workflows"
+version: "1.0.0"
+description: "Automated release checklist, version bump verification, and NPM package pre-flight doctor checks."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin configures packaging and release-prep workflows."
+allowed_file_patterns:
+  - .ai/skills/release-ops.md
+workflows:
+  release-check:
+    name: "Perform Release Check"
+    description: "Verify version alignments across files and run dry-run builds."
+    steps:
+      - run: "npx multimodel-dev-os doctor --release"

package/.ai/plugins/catalog/seo-workflows.yaml

@@ -0,0 +1,19 @@
+name: "SEO Audit & Optimization"
+slug: "seo-workflows"
+version: "1.0.0"
+description: "Automated SEO tag analysis, meta checklist validation, and sitemap auditing."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin provides automated SEO checks. It does not perform active network requests or package installs."
+allowed_file_patterns:
+  - .ai/skills/seo-audit-ops.md
+workflows:
+  seo-audit:
+    name: "Run SEO Page Audit"
+    description: "Scan target HTML files and verify title tags, descriptions, and hierarchy."
+    steps:
+      - run: "echo 'Verifying page SEO elements...'"
+  meta-verify:
+    name: "Verify Meta Tags"
+    description: "Assert sitemaps and meta tag compliance."
+    steps:
+      - run: "echo 'Verifying sitemaps/robots.txt configurations...'"

package/.ai/plugins/catalog/wordpress-workflows.yaml

@@ -0,0 +1,14 @@
+name: "WordPress Theme & Plugin Helper"
+slug: "wordpress-workflows"
+version: "1.0.0"
+description: "Standards-compliant WordPress PHP boilerplate, security checks, and folder audits."
+author: "MultiModel Dev OS Team"
+safety_notes: "This plugin configures WordPress boilerplates. It is entirely declarative."
+allowed_file_patterns:
+  - .ai/skills/wp-helper.md
+workflows:
+  wp-security-check:
+    name: "WordPress Security Scan"
+    description: "Scan plugins/themes folders for unsafe file permissions and missing index.php files."
+    steps:
+      - run: "echo 'Scanning WordPress theme/plugin directory permissions...'"

package/.ai/plugins/catalog.yaml

@@ -0,0 +1,161 @@
+catalog:
+  version: "2.9.0"
+  description: "Curated first-party plugin and workflow catalog"
+  plugins:
+    - slug: git-workflows
+      name: "Git Workflows & Verification"
+      version: "1.0.0"
+      description: "Automated git pre-commit checks, branch compliance, and tag/push audits."
+      category: "git"
+      tags:
+        - git
+        - workflow
+        - vcs
+      use_cases:
+        - Pre-commit validation
+        - CI pre-flight checks
+      supported_templates:
+        - "*"
+      provided_workflows:
+        - git-audit
+        - pre-commit-gate
+      provided_skills:
+        - git-operations.md
+      provided_prompts:
+        - git-commit-helper.md
+      provided_checks:
+        - git-clean-check.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "All Git repositories requiring structured push gates"
+      files_preview:
+        - dest: ".ai/plugins/git-workflows.yaml"
+        - dest: ".ai/skills/git-operations.md"
+        - dest: ".ai/checks/pre-commit-gate.md"
+    - slug: seo-workflows
+      name: "SEO Audit & Optimization"
+      version: "1.0.0"
+      description: "Automated SEO tag analysis, meta checklist validation, and sitemap auditing."
+      category: "seo"
+      tags:
+        - seo
+        - html
+        - marketing
+      use_cases:
+        - Landing page audit
+        - Semantic HTML checks
+      supported_templates:
+        - seo-landing-page
+        - wordpress-site
+        - nextjs-saas
+      provided_workflows:
+        - seo-audit
+        - meta-verify
+      provided_skills:
+        - seo-audit-ops.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "Public-facing frontends and content-heavy sites"
+      files_preview:
+        - dest: ".ai/plugins/seo-workflows.yaml"
+        - dest: ".ai/skills/seo-audit-ops.md"
+    - slug: wordpress-workflows
+      name: "WordPress Theme & Plugin Helper"
+      version: "1.0.0"
+      description: "Standards-compliant WordPress PHP boilerplate, security checks, and folder audits."
+      category: "wordpress"
+      tags:
+        - wordpress
+        - php
+        - cms
+      use_cases:
+        - Boilerplate creation
+        - WordPress theme/plugin checks
+      supported_templates:
+        - wordpress-site
+      provided_workflows:
+        - wp-generate-boilerplate
+        - wp-security-check
+      provided_skills:
+        - wp-helper.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "WordPress themes, custom plugins, and PHP-based CMS projects"
+      files_preview:
+        - dest: ".ai/plugins/wordpress-workflows.yaml"
+        - dest: ".ai/skills/wp-helper.md"
+    - slug: nextjs-workflows
+      name: "Next.js Route & Action Builder"
+      version: "1.0.0"
+      description: "Server Actions structural helper, Route Handler validation, and middleware auditing."
+      category: "nextjs"
+      tags:
+        - nextjs
+        - react
+        - typescript
+      use_cases:
+        - Server Action validation
+        - Route handler checks
+      supported_templates:
+        - nextjs-saas
+      provided_workflows:
+        - nextjs-action-check
+        - nextjs-route-audit
+      provided_skills:
+        - nextjs-builder.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "Next.js applications utilizing React Server Components or App Router"
+      files_preview:
+        - dest: ".ai/plugins/nextjs-workflows.yaml"
+        - dest: ".ai/skills/nextjs-builder.md"
+    - slug: ecommerce-workflows
+      name: "E-Commerce Webhook & Gateway Audits"
+      version: "1.0.0"
+      description: "Declarative schemas for payment gateways (Stripe, bKash) and webhook validation rules."
+      category: "ecommerce"
+      tags:
+        - ecommerce
+        - checkout
+        - stripe
+      use_cases:
+        - Webhook structure checks
+        - Transaction log validation
+      supported_templates:
+        - ecommerce-store
+      provided_workflows:
+        - webhook-verify
+        - payment-flow-audit
+      provided_skills:
+        - checkout-ops.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "E-commerce stores and subscription payment integrations"
+      files_preview:
+        - dest: ".ai/plugins/ecommerce-workflows.yaml"
+        - dest: ".ai/skills/checkout-ops.md"
+    - slug: release-workflows
+      name: "Release Preparation & Package Audit"
+      version: "1.0.0"
+      description: "Automated release checklist, version bump verification, and NPM package pre-flight doctor checks."
+      category: "release"
+      tags:
+        - release
+        - publishing
+        - npm
+      use_cases:
+        - Release prep verification
+        - Package hygiene checks
+      supported_templates:
+        - "*"
+      provided_workflows:
+        - release-check
+        - doctor-audit
+      provided_skills:
+        - release-ops.md
+      safety_level: "sandboxed"
+      install_scope: "declarative"
+      recommended_for: "Libraries, packages, and frameworks targeting public distribution"
+      files_preview:
+        - dest: ".ai/plugins/release-workflows.yaml"
+        - dest: ".ai/skills/release-ops.md"

package/.ai/policies/registry-policy.yaml

@@ -0,0 +1,51 @@
+# Registry Policy Configuration
+# Controls what remote registry operations are permitted.
+# All remote operations are DISABLED by default.
+# This file is the single source of truth for registry governance.
+
+# Master switch: must be true before any remote registry can be added or synced.
+allow_remote_registries: false
+
+# Require the --approved flag for all sync operations.
+require_approval_for_remote_sync: true
+
+# Require SHA256 checksum verification for synced catalog files.
+require_checksum: true
+
+# Require cryptographic signature verification (placeholder for future release).
+require_signature: false
+
+# Allow installing plugins from registries with trust_level: untrusted.
+allow_untrusted_install: false
+
+# Directories where plugins are allowed to write files.
+allowed_write_roots:
+  - ".ai/"
+  - "adapters/"
+
+# Paths that are always blocked from plugin writes.
+blocked_paths:
+  - ".env"
+  - ".npmrc"
+  - ".git/"
+  - "node_modules/"
+  - "package.json"
+  - "package-lock.json"
+  - "pnpm-lock.yaml"
+  - "yarn.lock"
+
+# Maximum number of files a single plugin can install.
+max_plugin_files: 20
+
+# Maximum total size (KB) of files a single plugin can install.
+max_plugin_size_kb: 100
+
+# Maximum total cache size (KB) per remote registry.
+max_registry_cache_size_kb: 512
+
+# File extensions allowed for plugin assets.
+allowed_file_extensions:
+  - ".md"
+  - ".yaml"
+  - ".yml"
+  - ".json"

package/.ai/registries/sources.yaml

@@ -0,0 +1,15 @@
+# Registry Sources Configuration
+# Defines where catalog plugin indexes are loaded from.
+# Remote registries are DISABLED by default.
+# Enable via .ai/policies/registry-policy.yaml (set allow_remote_registries: true)
+# Then add sources via: npx multimodel-dev-os registry add <name> <url> --approved
+
+sources:
+  - name: "bundled"
+    type: "local"
+    url: ".ai/plugins/catalog.yaml"
+    enabled: true
+    trust_level: "trusted"
+    safety_policy: "sandboxed"
+    signature_required: false
+    checksum_required: false

package/.ai/registry-cache/README.md

@@ -0,0 +1,35 @@
+# Registry Cache Directory
+
+This directory is auto-generated by `npx multimodel-dev-os registry sync <name> --approved`.
+
+## Purpose
+
+Stores locally cached copies of remote catalog indexes after an approved sync operation. Each subdirectory corresponds to a named registry source.
+
+## Structure
+
+```
+.ai/registry-cache/
+├── README.md                     ← This file
+├── <registry-name>/
+│   ├── catalog.yaml              ← Cached catalog index from remote
+│   ├── manifest.json             ← Registry provenance metadata
+│   └── checksums.json            ← SHA256 hashes of cached files
+```
+
+## Safety Guarantees
+
+- **No executable content.** All cached files are declarative YAML, JSON, or Markdown.
+- **No automatic installation.** Cached plugins must be installed individually via `catalog install <slug> --approved`.
+- **No automatic sync.** Remote sync requires explicit `--approved` flag.
+- **Gitignored.** This directory is excluded from version control by default.
+- **Disposable.** Clear the cache at any time via `npx multimodel-dev-os registry cache clear --approved`.
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `registry list` | List configured registry sources |
+| `registry status` | Show sync timestamps and cache health |
+| `registry verify <name>` | Verify SHA256 checksums of cached files |
+| `registry cache clear --approved` | Delete all cached registry data |

package/.ai/schema/registry-manifest.schema.json

@@ -0,0 +1,57 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "MultiModel Dev OS Registry Manifest Schema",
+  "description": "JSON schema for the registry manifest file that accompanies remote catalog indexes, providing provenance metadata and integrity checksums",
+  "type": "object",
+  "required": [
+    "registry_name",
+    "publisher",
+    "version",
+    "generated_at",
+    "catalog_hash",
+    "files_hashes",
+    "minimum_mmdo_version",
+    "safety_policy_version"
+  ],
+  "properties": {
+    "registry_name": {
+      "type": "string",
+      "description": "Unique name identifier of the registry."
+    },
+    "publisher": {
+      "type": "string",
+      "description": "Name of the person or organization that published this registry."
+    },
+    "version": {
+      "type": "string",
+      "description": "Semantic version of the registry catalog."
+    },
+    "generated_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp when the manifest was generated."
+    },
+    "catalog_hash": {
+      "type": "string",
+      "description": "SHA256 hash of the catalog.yaml file, prefixed with 'sha256:'."
+    },
+    "files_hashes": {
+      "type": "object",
+      "additionalProperties": { "type": "string" },
+      "description": "Map of filename to SHA256 hash string for each file in the registry."
+    },
+    "minimum_mmdo_version": {
+      "type": "string",
+      "description": "Minimum MultiModel Dev OS version required to use this registry."
+    },
+    "safety_policy_version": {
+      "type": "string",
+      "description": "Version of the safety policy specification this registry conforms to."
+    },
+    "signature": {
+      "type": ["string", "null"],
+      "description": "Cryptographic signature of the manifest. Placeholder for future implementation."
+    }
+  },
+  "additionalProperties": false
+}

package/.ai/schema/registry-policy.schema.json

@@ -0,0 +1,66 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "MultiModel Dev OS Registry Policy Schema",
+  "description": "JSON schema defining allowed governance settings for remote registry sync, plugin installation, and path safety boundaries",
+  "type": "object",
+  "required": [
+    "allow_remote_registries",
+    "require_approval_for_remote_sync",
+    "require_checksum",
+    "require_signature",
+    "allow_untrusted_install",
+    "allowed_write_roots",
+    "blocked_paths",
+    "allowed_file_extensions"
+  ],
+  "properties": {
+    "allow_remote_registries": {
+      "type": "boolean",
+      "description": "Master switch to enable remote registry sources. Must be true before any remote registry can be added or synced."
+    },
+    "require_approval_for_remote_sync": {
+      "type": "boolean",
+      "description": "Whether the --approved flag is required for all sync operations."
+    },
+    "require_checksum": {
+      "type": "boolean",
+      "description": "Whether SHA256 checksum verification is required for synced catalog files."
+    },
+    "require_signature": {
+      "type": "boolean",
+      "description": "Whether cryptographic signature verification is required. Placeholder for future release."
+    },
+    "allow_untrusted_install": {
+      "type": "boolean",
+      "description": "Whether plugins from untrusted registries can be installed."
+    },
+    "allowed_write_roots": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Directory prefixes where plugins are permitted to write files."
+    },
+    "blocked_paths": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Paths that are always blocked from plugin writes, regardless of allowed_write_roots."
+    },
+    "max_plugin_files": {
+      "type": "integer",
+      "description": "Maximum number of files a single plugin can install."
+    },
+    "max_plugin_size_kb": {
+      "type": "integer",
+      "description": "Maximum total size in kilobytes of files a single plugin can install."
+    },
+    "max_registry_cache_size_kb": {
+      "type": "integer",
+      "description": "Maximum total cache size in kilobytes per remote registry."
+    },
+    "allowed_file_extensions": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "File extensions permitted for plugin asset files."
+    }
+  },
+  "additionalProperties": false
+}