multimodel-dev-os 2.8.1 → 3.0.0

package/docs/.vitepress/config.js

@@ -32,7 +32,7 @@ export default {
         'license': 'https://opensource.org/licenses/MIT',
         'url': 'https://github.com/rizvee/multimodel-dev-os',
         'downloadUrl': 'https://www.npmjs.com/package/multimodel-dev-os',
-        'softwareVersion': '2.8.1',
+        'softwareVersion': '3.0.0',
         'description': 'Portable, vendor-neutral AI Developer OS for multi-agent coding workflows.'
       })
     ]
@@ -170,7 +170,21 @@ export default {
           { text: 'Interactive TUI Dashboard', link: '/dashboard' },
           { text: 'Declarative Plugin Hooks', link: '/plugin-hooks' },
           { text: 'Plugin Authoring Guide', link: '/plugin-authoring' },
-          { text: 'TUI & Plugin Safety', link: '/tui-safety' }
+          { text: 'TUI & Plugin Safety', link: '/tui-safety' },
+          { text: 'Workflow Marketplace Catalog', link: '/catalog' },
+          { text: 'Curated Plugin Catalog', link: '/plugin-catalog' },
+          { text: 'Workflow Marketplace Guide', link: '/workflow-marketplace' },
+          { text: 'Catalog Authoring Guide', link: '/catalog-authoring' }
+        ]
+      },
+      {
+        text: 'Trusted Registry & Governance',
+        items: [
+          { text: 'Registry Sync Guide', link: '/registry-sync' },
+          { text: 'Trusted Registries', link: '/trusted-registries' },
+          { text: 'Registry Policy Engine', link: '/registry-policy' },
+          { text: 'Registry Security Model', link: '/registry-security' },
+          { text: 'Remote Catalog Authoring', link: '/remote-catalog-authoring' }
         ]
       },
       {

package/docs/CLI.md

@@ -262,7 +262,33 @@ npx multimodel-dev-os@latest plugin status
 
 ---
 
-### 17. Registry Commands
+### 17. `catalog` — Local Workflow Marketplace & Plugin Catalog
+
+Manage and discover curated workflows and plugins offline.
+
+```bash
+npx multimodel-dev-os@latest catalog list [--category <name>]
+npx multimodel-dev-os@latest catalog search <query>
+npx multimodel-dev-os@latest catalog show <slug>
+npx multimodel-dev-os@latest catalog categories
+npx multimodel-dev-os@latest catalog recommend
+npx multimodel-dev-os@latest catalog install <slug> --approved
+npx multimodel-dev-os@latest catalog status
+```
+
+| Subcommand | Description |
+|:---|:---|
+| `list` | List all curated catalog plugins |
+| `search <query>` | Case-insensitively search catalog |
+| `show <slug>` | Inspect catalog plugin capabilities and installation actions |
+| `categories` | List all unique marketplace categories |
+| `recommend` | Scan current workspace framework/language signals and recommend plugins |
+| `install <slug>` | Install a catalog plugin (requires `--approved`) |
+| `status` | Audit installation status of catalog entries |
+
+---
+
+### 18. Registry Commands
 
 Explore model, adapter, and skill registries.
 
@@ -274,3 +300,30 @@ npx multimodel-dev-os@latest providers       # View API providers
 npx multimodel-dev-os@latest adapters        # View adapter registry
 npx multimodel-dev-os@latest skills          # View skill registry
 ```
+
+---
+
+### 19. `registry` — Trusted Remote Catalog Registries
+
+Manage trusted remote catalog registries under policy-enforced safety gates.
+
+```bash
+npx multimodel-dev-os@latest registry list
+npx multimodel-dev-os@latest registry add <name> <url> --approved
+npx multimodel-dev-os@latest registry sync <name> --approved
+npx multimodel-dev-os@latest registry status
+npx multimodel-dev-os@latest registry verify <name>
+npx multimodel-dev-os@latest registry show <name>
+npx multimodel-dev-os@latest registry cache clear --approved
+```
+
+| Subcommand | Description |
+|:---|:---|
+| `list` | Print all configured registry sources |
+| `add <name> <url>` | Add a remote registry source (requires `--approved`) |
+| `remove <name>` | Remove a registry source and its cache (requires `--approved`) |
+| `sync <name>` | Sync and cache registry manifest and assets (requires `--approved`) |
+| `status` | Show cache health, timestamps, and policy configuration |
+| `verify <name>` | Verify cached files against expected SHA256 checksums |
+| `show <name>` | Display detailed registry configuration metadata |
+| `cache clear` | Delete all files in cache directory (requires `--approved`) |

package/docs/architecture.md

@@ -38,13 +38,17 @@
 │    Layer 4: Intelligence Layer       │
 │  .ai/intelligence/  (memory, handoff)│
 │  .ai/registries/    (workflows,     │
-│    capabilities, tools)              │
+│    capabilities, tools, sources)     │
+│  .ai/registry-cache/ (cached remote) │
 │  .ai/proposals/     (improvements)  │
-│  .ai/policies/      (safety gates)  │
+│  .ai/policies/      (safety, registry│
+│    governance gates)                 │
 ├──────────────────────────────────────┤
 │    Layer 5: CLI Dashboard & Plugins  │
 │  dashboard / ui (TUI Command Center) │
 │  plugin list/show/validate/install   │
+│  catalog list/show/recommend/install │
+│  registry list/add/sync/status/verify│
 │  onboard / adapter sync              │
 └──────────────────────────────────────┘
 ```
@@ -75,7 +79,9 @@
 | `.ai/intelligence/handoff.md` | System | Next agent | CLI (`handoff build`) |
 | `.ai/intelligence/feedback-log.jsonl` | System | CLI | CLI (`feedback add`) |
 | `.ai/proposals/*.md` | System | Human + CLI | CLI (`improve propose`) |
-| `.ai/registries/*.yaml` | System | CLI | CLI (`init`) |
+| `.ai/registries/*.yaml` | System | CLI | CLI (`init` / `registry add`) |
+| `.ai/policies/*.yaml` | Human | CLI | Human |
+| `.ai/registry-cache/` | System | CLI | CLI (`registry sync`) |
 | `adapters/*/` | Community | Specific tool | Maintainers |
 
 ## Security Considerations

package/docs/catalog-authoring.md

@@ -0,0 +1,63 @@
+# Catalog Authoring Guide
+
+This guide details how to add new plugin entries to the local marketplace catalog.
+
+## Step 1: Declare Catalog Entry
+
+Add the plugin metadata to `.ai/plugins/catalog.yaml`:
+
+```yaml
+- slug: custom-workflows
+  name: "Custom Quality Audits"
+  version: "1.0.0"
+  description: "Automated checks for custom APIs."
+  category: "custom"
+  tags: ["api", "audit"]
+  use_cases: ["API audits"]
+  supported_templates: ["*"]
+  provided_workflows: ["api-audit"]
+  provided_skills: ["api-skills.md"]
+  safety_level: "sandboxed"
+  install_scope: "declarative"
+  recommended_for: "APIs and services integration"
+  files_preview:
+    - dest: ".ai/plugins/custom-workflows.yaml"
+    - dest: ".ai/skills/api-skills.md"
+```
+
+## Step 2: Create Manifest and Assets
+
+Save the plugin manifest configuration under `.ai/plugins/catalog/custom-workflows.yaml`:
+
+```yaml
+name: "Custom Quality Audits"
+slug: "custom-workflows"
+version: "1.0.0"
+description: "Automated checks for custom APIs."
+author: "Your Name"
+allowed_file_patterns:
+  - .ai/skills/api-skills.md
+workflows:
+  api-audit:
+    name: "API Audit"
+    description: "Scan routes for API spec integrity"
+    steps:
+      - run: "echo 'Verifying API routes...'"
+```
+
+Place any referenced assets relative to the catalog subdirectory:
+- `.ai/plugins/catalog/.ai/skills/api-skills.md`
+
+## Step 3: Run Validation
+
+Verify that your catalog entry complies with all safety rules:
+```bash
+npx multimodel-dev-os plugin validate .ai/plugins/catalog/custom-workflows.yaml
+```
+
+## Parser-Safe YAML Guidelines
+
+To ensure parser compatibility across all environments:
+1. **Flow Arrays**: Both block lists (using `-`) and inline flow arrays (e.g. `tags: ["api", "audit"]`) are fully supported.
+2. **Type Preservation**: Wrap version numbers and slugs in quotes (e.g., `version: "1.0.0"`) to prevent them from being incorrectly converted to integers or floats.
+3. **Quoted Hash Characters**: Quoted strings containing `#` symbols (e.g., `description: "Includes # tag"`) are parsed safely without stripping the hash character.

package/docs/catalog.md

@@ -0,0 +1,72 @@
+# local-first Workflow Marketplace & Plugin Catalog
+
+MultiModel Dev OS includes an offline, sandboxed **Workflow Marketplace** that lets you discover, inspect, and install curated plugins and workflow packs.
+
+## Catalog CLI Commands
+
+### 1. List Available Plugins
+List all plugins registered in the local marketplace.
+```bash
+npx multimodel-dev-os catalog list
+```
+To filter by category:
+```bash
+npx multimodel-dev-os catalog list --category git
+```
+
+### 2. Search Catalog
+Search for plugins matching a query string in names, slugs, descriptions, or tags.
+```bash
+npx multimodel-dev-os catalog search <query>
+```
+
+### 3. Show Plugin Specifications
+Inspect detailed specifications, category, use cases, safety logs, and files previewed for a catalog plugin.
+```bash
+npx multimodel-dev-os catalog show <slug>
+```
+
+### 4. Get Recommendations
+Analyze the current workspace framework and language signals to suggest optimal plugins.
+```bash
+npx multimodel-dev-os catalog recommend
+```
+
+### 5. Install a Catalog Plugin
+Install the plugin manifest and all declared assets to the current workspace.
+```bash
+npx multimodel-dev-os catalog install <slug> --approved
+```
+To overwrite existing assets (creating `.bak` backups):
+```bash
+npx multimodel-dev-os catalog install <slug> --approved --force
+```
+
+### 6. Audit Installed Catalog Status
+Check which catalog plugins are installed and if any of their declared files are missing.
+```bash
+npx multimodel-dev-os catalog status
+```
+
+---
+
+## Source Filtering
+
+By default, catalog commands query the bundled first-party catalog. In `v3.0.0`, you can filter queries by source or merge all enabled registry sources:
+
+* **Filter by a specific source:**
+  ```bash
+  npx multimodel-dev-os catalog list --source remote:partner-registry
+  npx multimodel-dev-os catalog search nextjs --source local
+  ```
+* **Query all enabled sources:**
+  ```bash
+  npx multimodel-dev-os catalog list --all-sources
+  npx multimodel-dev-os catalog recommend --all-sources
+  ```
+
+Supported values for `--source` are:
+* `bundled`: The default offline catalog shipped with the package.
+* `local`: The local workspace catalog at `.ai/plugins/catalog.yaml`.
+* `remote:<name>`: A cached registry catalog index synced from a remote source.
+

package/docs/comparison.md

@@ -18,6 +18,7 @@ Selecting how to manage AI instructions inside a codebase impacts developer spee
 | **Onboarding existing repos** | ❌ Manual setup | ❌ Manual setup | ❌ Manual setup | ✅ **`onboard analyze` workflow** |
 | **Interactive TUI Dashboard** | ❌ None | ❌ None | ❌ None | ✅ **Zero-dependency TUI Menu** |
 | **Declarative Plugins** | ❌ None | ❌ None | ❌ None | ✅ **Safe whitelist YAML plugins** |
+| **Workflow Marketplace** | ❌ None | ❌ None | ❌ None | ✅ **Local curated plugin catalog** |
 | **Cost** | Free | Free | Free–Paid | ✅ **Free & open source** |
 
 ---

package/docs/dashboard.md

@@ -37,6 +37,8 @@ graph TD
     Dashboard --> Adapter[Adapter Synchronization...]
     Dashboard --> Memory[Memory & Intelligence...]
     Dashboard --> Feedback[Developer Feedback Loops...]
+    Dashboard --> Catalog[Workflow Marketplace Catalog...]
+    Dashboard --> Registry[Registry Sources & Cache...]
     Dashboard --> Quality[Quality Gates & Diagnostics...]
     Dashboard --> Plugins[Plugins Status Overview]
 ```
@@ -67,11 +69,20 @@ graph TD
    * Summarize feedback logs (`feedback summarize`)
    * Propose improvement proposal (`improve propose`)
    * Review active proposals list (`improve review`)
-7. **Quality Gates & Diagnostics**:
+7. **Workflow Marketplace Catalog**:
+   * Catalog List (`catalog list`)
+   * Catalog Recommend (`catalog recommend`)
+   * Catalog Status (`catalog status`)
+8. **Registry Sources & Cache**:
+   * List configured sources (`registry list`)
+   * Show sync status (`registry status`)
+   * Verify cache integrity (`registry verify bundled`)
+   * Show policy status (`registry status` output)
+9. **Quality Gates & Diagnostics**:
    * Run Advisory Diagnostics (`doctor`)
    * Strict Schema Compliance (`validate`)
    * Run Release verification tests (`verify`)
-8. **Plugins Status Overview**: Checks the status of all installed declarative plugins (`plugin status`).
+10. **Plugins Status Overview**: Checks the status of all installed declarative plugins (`plugin status`).
 
 ---
 

package/docs/faq.md

@@ -102,6 +102,25 @@ No. The dashboard detects when stdin or stdout is non-interactive. In non-TTY en
 **How secure is the Declarative Plugin system?**
 Extremely secure. Plugins are strictly configuration-based (YAML manifest files). They cannot run arbitrary bash commands, execute node scripts, download npm packages, or make network calls. File copies are restricted to whitelisted `.ai/` and `adapters/` directories, and blacklists protect files like `.env`, `.git/`, `package.json`, and source code folders. Overwriting existing files requires `--force` and automatically generates backups.
 
+**How does the local Workflow Marketplace / Plugin Catalog work?**
+It is a bundled registry catalog (`catalog.yaml`) containing safe first-party declarative plugins. You can discover them using `catalog list`, search via `catalog search`, and get recommendations via `catalog recommend`. Installing them copies their declarative manifests and assets (like skills and checks) into target directories, reusing all security validation and copy gates of local plugin installations.
+
+---
+
+## Trusted Registries & Governance
+
+**Are remote registries enabled by default?**
+No. Remote registries are completely disabled out-of-the-box. You must explicitly configure `.ai/policies/registry-policy.yaml` (set `allow_remote_registries: true`) before you can add, sync, or install plugins from any remote registry.
+
+**Does `registry sync` download or run arbitrary code?**
+Never. Remote sync only downloads declarative YAML and JSON files (catalogs, manifests, and plugin assets). These are written to a strictly segregated, gitignored directory (`.ai/registry-cache/`). The sync process never runs npm package scripts, invokes compilers, or executes binary code.
+
+**How does checksum verification work?**
+The publisher of a remote registry includes a signed manifest (`manifest.json`) listing all registry files and their SHA256 hashes. When synchronizing, the client computes local SHA256 hashes of all downloaded assets and verifies them against the manifest. If a hash mismatch is detected, the synchronization fails immediately.
+
+**Can I restrict which paths a remote plugin can write to?**
+Yes. The registry policy file (`registry-policy.yaml`) Whitelists allowed directories (`allowed_write_roots`) and blacklists sensitive targets (`blocked_paths`). Any plugin that attempts to write outside the whitelist or overwrite a blacklisted file (such as `.env` or `package.json`) will be blocked by the installer.
+
 ---
 
 ## Diagnostics & Validation

package/docs/plugin-authoring.md

@@ -97,3 +97,9 @@ To install this plugin locally, users run:
 ```bash
 npx multimodel-dev-os@latest plugin install your-plugin-folder/plugin.yaml --approved
 ```
+
+---
+
+## Contributing to the Marketplace Catalog
+
+If you are developing first-party plugins for inclusion in the curated catalog, follow the guidelines in the [Catalog Authoring Guide](/catalog-authoring).

package/docs/plugin-catalog.md

@@ -0,0 +1,35 @@
+# Curated Plugin Registry Catalog
+
+The MultiModel Dev OS Workflow Marketplace packages 6 curated first-party plugins:
+
+## Curated Plugins
+
+### 1. Git Workflows & Verification (`git-workflows`)
+* **Category:** `git`
+* **Purpose:** Automates pre-commit quality checks and repository cleanliness audits.
+* **Assets:** Adds `.ai/skills/git-operations.md` and `.ai/checks/pre-commit-gate.md`.
+
+### 2. SEO Audit & Optimization (`seo-workflows`)
+* **Category:** `seo`
+* **Purpose:** Validates semantic heading hierarchies, metadata tags, and sitemaps.
+* **Assets:** Adds `.ai/skills/seo-audit-ops.md`.
+
+### 3. WordPress Theme & Plugin Helper (`wordpress-workflows`)
+* **Category:** `wordpress`
+* **Purpose:** Enforces WordPress PHP Coding Standards and security/nonce escape checks.
+* **Assets:** Adds `.ai/skills/wp-helper.md`.
+
+### 4. Next.js Route & Action Builder (`nextjs-workflows`)
+* **Category:** `nextjs`
+* **Purpose:** Validates server actions input payloads and route handler formats.
+* **Assets:** Adds `.ai/skills/nextjs-builder.md`.
+
+### 5. E-Commerce Webhook & Gateway Audits (`ecommerce-workflows`)
+* **Category:** `ecommerce`
+* **Purpose:** Checks webhook signature verification routines for payment processors.
+* **Assets:** Adds `.ai/skills/checkout-ops.md`.
+
+### 6. Release Preparation & Package Audit (`release-workflows`)
+* **Category:** `release`
+* **Purpose:** Automates release-prep version audits and NPM publishing pre-flight checks.
+* **Assets:** Adds `.ai/skills/release-ops.md`.

package/docs/plugin-hooks.md

@@ -87,3 +87,9 @@ To prevent path traversal and enforce robust script auditing:
 * **Alphanumeric Slug Constraints**: Slugs are validated against `/^[a-z0-9-_]+$/i` to block directory escapes when writing to `.ai/plugins/<slug>.yaml`.
 * **Path Boundary checks**: The `plugin validate` CLI command automatically parses `allowed_file_patterns` to assert they fit within whitelisted `.ai/` and `adapters/` folders, checking that no `..` traversal or blacklisted files are referenced.
 * **Non-zero CI exit codes**: If `plugin install` is called without the `--approved` flag, it prints planned actions and exits with **exit code 1** to abort scripting pipelines safely.
+
+---
+
+## Workflow Marketplace & Plugin Catalog
+
+In `v2.9.0`, MultiModel Dev OS introduces a curated local **Workflow Marketplace & Plugin Catalog** for discoverability of safe first-party plugins. For catalog operations, see the [Workflow Marketplace Catalog Guide](/catalog).

package/docs/public/llms-full.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v2.8.1 Stable Release)
+# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v3.0.0 Stable Release)
 
 MultiModel Dev OS is a repository-level porting specification designed to align context and instructions across diverse developer tools and AI models.
 
@@ -80,6 +80,23 @@ All compliant MultiModel Dev OS CLIs strictly enforce the following command cont
   - `validate <path>`: Validates a YAML config file against the plugin JSON schema.
   - `install <path>`: Previews file copy actions, and copies them to whitelisted paths under `.ai/` or `adapters/` if `--approved` is specified.
   - `status`: Audits target directory to ensure all declared plugin assets are present.
+- **`catalog`**: Manage the local Workflow Marketplace & Plugin Catalog. Subcommands:
+  - `list`: Lists all catalog plugins (supports `--category`).
+  - `search <query>`: Case-insensitively searches catalog plugins.
+  - `show <slug>`: Displays catalog plugin metadata and file previews.
+  - `categories`: Lists all unique categories in the catalog.
+  - `recommend`: Scans repo signals to recommend matching catalog plugins.
+  - `install <slug>`: Installs a catalog plugin to the target repo (requires `--approved`).
+  - `status`: Audits installation status of catalog entries.
+- **`registry`**: Manage trusted remote catalog registries (v3.0.0+). Subcommands:
+  - `list`: Lists all configured registry sources from `sources.yaml`.
+  - `add <name> <url>`: Adds a new remote registry source (requires `--approved`).
+  - `remove <name>`: Removes a registry source and its cache (requires `--approved`).
+  - `sync <name>`: Fetches remote `catalog.yaml` and `manifest.json` into `.ai/registry-cache/<name>/` (requires `--approved`).
+  - `status`: Shows all sources, sync timestamps, cache health, and policy status.
+  - `verify <name>`: Verifies SHA256 checksums of cached files against `checksums.json`.
+  - `show <name>`: Shows detailed metadata and policies of a specific registry source.
+  - `cache clear`: Deletes all files in `.ai/registry-cache/` (requires `--approved`).
 - **`verify`**: Automated release script that checks structure integrity.
 - **`templates`**: Lists built-in template profiles (supports overrides via `--registry <path>`).
 - **`validate`**: Strict Quality Gate checking the layout rules on disk (supports `--all-registries`).

package/docs/public/llms.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS (v2.8.1 Stable Release)
+# MultiModel Dev OS (v3.0.0 Stable Release)
 
 Portable, vendor-neutral workspace configuration standard for multi-agent AI pair-programming workflows.
 
@@ -18,6 +18,22 @@ npx multimodel-dev-os@latest plugin validate path/to/plugin.yaml
 npx multimodel-dev-os@latest plugin install path/to/plugin.yaml --approved
 npx multimodel-dev-os@latest plugin status
 
+# Discover, recommend, and install curated plugin catalogs
+npx multimodel-dev-os@latest catalog list
+npx multimodel-dev-os@latest catalog recommend
+npx multimodel-dev-os@latest catalog show git-workflows
+npx multimodel-dev-os@latest catalog install git-workflows --approved
+npx multimodel-dev-os@latest catalog status
+
+# Manage trusted remote catalog registries (v3.0.0+)
+npx multimodel-dev-os@latest registry list
+npx multimodel-dev-os@latest registry status
+npx multimodel-dev-os@latest registry verify bundled
+npx multimodel-dev-os@latest registry show bundled
+npx multimodel-dev-os@latest registry add official https://example.com/catalog.yaml --approved
+npx multimodel-dev-os@latest registry sync official --approved
+npx multimodel-dev-os@latest registry cache clear --approved
+
 # Scan codebase signals & check status
 npx multimodel-dev-os@latest scan
 npx multimodel-dev-os@latest status