multimodel-dev-os 3.0.0 → 3.0.1

package/README.md

@@ -48,7 +48,7 @@ Your workspace now has a **single source of truth** that every AI coding tool re
 | 🧠 | **Intelligence Engine** | Hash-compressed memory, feedback learning, self-improvement proposals with HITL safety gates |
 | 📁 | **Repo Onboarding** | Analyze existing projects, recommend templates, and bootstrap configs without breaking anything |
 | 🔧 | **Zero Dependencies** | Pure Node.js CLI — no runtime, no build step, no package manager lock-in |
-| 🛡️ | **214+ Quality Gates** | Built-in `validate`, `doctor`, and `verify` commands with strict structural assertions |
+| 🛡️ | **248+ Quality Gates** | Built-in `validate`, `doctor`, and `verify` commands with strict structural assertions |
 
 ---
 
@@ -158,8 +158,9 @@ npx multimodel-dev-os@latest handoff build
 | **v2.8.0 / v2.8.1** | Interactive TUI Dashboard & Plugin Hooks | ✅ Released |
 | **v2.9.0** | Local Workflow Marketplace & Plugin Catalog | ✅ Released |
 | **v3.0.0** | Trusted Remote Catalog & Registry Governance Layer | ✅ Released |
+| **v3.0.1** | Registry UX & Policy Safety Patch | ✅ Released |
 
-**[Full Roadmap →](https://rizvee.github.io/multimodel-dev-os/v2-roadmap)**
+**[Full Roadmap →](https://rizvee.github.io/multimodel-dev-os/v3-roadmap)**
 
 ---
 

package/bin/multimodel-dev-os.js

@@ -5672,22 +5672,24 @@ function handleRegistryList(options) {
 
   console.log(`\n🗂️  \x1b[36mRegistry Sources [v${version}]\x1b[0m`);
   console.log('==================================================');
-  console.log(`Policy: allow_remote_registries = \x1b[${policy.allow_remote_registries ? '32mtrue' : '33mfalse'}\x1b[0m\n`);
+  console.log(`Policy Status: allow_remote_registries = \x1b[${policy.allow_remote_registries ? '32mtrue' : '33mfalse'}\x1b[0m (Remote registries are disabled by default for safety)\n`);
 
   sources.forEach(s => {
     const status = s.enabled ? '\x1b[32m● enabled\x1b[0m' : '\x1b[90m○ disabled\x1b[0m';
-    console.log(`  \x1b[32m${s.name}\x1b[0m  ${status}`);
+    const label = s.name === 'bundled' ? 'bundled' : s.type === 'local' ? `local:${s.name}` : `remote:${s.name}`;
+    console.log(`  \x1b[32m${s.name}\x1b[0m [${label}]  ${status}`);
     console.log(`    type:           ${s.type}`);
     console.log(`    url:            ${s.url}`);
     console.log(`    trust_level:    ${s.trust_level}`);
     console.log(`    safety_policy:  ${s.safety_policy}`);
-    console.log(`    checksum:       ${s.checksum_required ? 'required' : 'not required'}`);
-    console.log(`    signature:      ${s.signature_required ? 'required' : 'not required'}`);
+    console.log(`    checksum:       ${s.checksum_required ? 'required (SHA-256 integrity)' : 'not required'}`);
+    console.log(`    signature:      ${s.signature_required ? 'required' : 'not required (v3.0.1)'}`);
     if (s.last_synced_at) console.log(`    last_synced:    ${s.last_synced_at}`);
   });
 
-  console.log('\nUse \x1b[36mregistry show <name>\x1b[0m to view detailed source metadata.');
-  console.log('Use \x1b[36mregistry status\x1b[0m to see cache health and sync timestamps.\n');
+  console.log('\nUse \x1b[36mregistry show <name>\x1b[0m to view detailed source configuration.');
+  console.log('Use \x1b[36mregistry status\x1b[0m to see policy states and cache health.');
+  console.log('Use \x1b[36mregistry verify <name>\x1b[0m to perform integrity checks.\n');
 }
 
 function handleRegistryAdd(name, url, options) {
@@ -5706,7 +5708,7 @@ function handleRegistryAdd(name, url, options) {
     console.log(`  URL:         ${url}`);
     console.log(`  Type:        https`);
     console.log(`  Trust Level: community`);
-    console.log(`  Checksum:    required`);
+    console.log(`  Checksum:    required (SHA-256)`);
     console.log(`\nRun with --approved to apply:\n  npx multimodel-dev-os registry add ${name} ${url} --approved\n`);
     process.exit(1);
   }
@@ -5796,8 +5798,10 @@ function handleRegistrySync(name, options) {
   const source = sources.find(s => s.name === name);
 
   if (!source) {
-    console.error(`\x1b[31mError: Registry '${name}' not found in sources.\x1b[0m`);
-    console.log('Use \x1b[36mregistry list\x1b[0m to view configured sources.');
+    console.error(`\x1b[31mError: Registry '${name}' not found in configured sources.\x1b[0m`);
+    console.log('Available configured sources:');
+    sources.forEach(s => console.log(`  - ${s.name} (${s.type})`));
+    console.log('\nUse \x1b[36mregistry list\x1b[0m to view configured sources.');
     process.exit(1);
   }
 
@@ -5814,25 +5818,25 @@ function handleRegistrySync(name, options) {
   }
 
   if (!options.approved) {
-    console.log(`\n⚠️  \x1b[33mRegistry Sync Refused — Approval Required\x1b[0m`);
+    console.log(`\n⚠️  \x1b[33mRegistry Sync Refused — Explicit Approval Required\x1b[0m`);
     console.log('==================================================');
+    console.log(`Syncing remote registries requires the explicit \x1b[33m--approved\x1b[0m flag to download metadata and files.`);
     console.log(`Registry:       \x1b[32m${name}\x1b[0m`);
     console.log(`URL:            ${source.url}`);
     console.log(`Trust Level:    ${source.trust_level}`);
-    console.log(`Checksum:       ${source.checksum_required ? 'Required (SHA256)' : 'Not required'}`);
-    console.log(`Signature:      ${source.signature_required ? 'Required' : 'Not required (v3.0.0)'}`);
+    console.log(`Checksums:      ${source.checksum_required ? 'Enforced (SHA-256)' : 'Not enforced'}`);
+    console.log(`Signatures:     ${source.signature_required ? 'Required' : 'Disabled (SHA-256 fallback)'}`);
     console.log(`\n\x1b[33mPlanned Actions:\x1b[0m`);
     console.log(`  [DOWNLOAD] catalog.yaml    → .ai/registry-cache/${name}/catalog.yaml`);
     console.log(`  [DOWNLOAD] manifest.json   → .ai/registry-cache/${name}/manifest.json`);
     console.log(`  [COMPUTE]  checksums.json  → .ai/registry-cache/${name}/checksums.json`);
-    console.log(`\n\x1b[33mPost-Sync:\x1b[0m`);
-    console.log(`  • No files are installed automatically.`);
-    console.log(`  • No plugins are activated automatically.`);
-    console.log(`  • Use 'catalog list --source remote:${name}' to browse cached entries.`);
-    console.log(`  • Use 'catalog install <slug> --approved' to install individual plugins.`);
-    console.log(`\nPolicy Status: allow_remote_registries=${policy.allow_remote_registries}, require_checksum=${policy.require_checksum}`);
-    console.log(`\nRun with --approved to proceed:`);
-    console.log(`  npx multimodel-dev-os registry sync ${name} --approved\n`);
+    console.log(`\n\x1b[33mSecurity & Safety Boundaries:\x1b[0m`);
+    console.log(`  • \x1b[32mNo automated installs:\x1b[0m Syncing only updates the local cache. No plugins are installed or run.`);
+    console.log(`  • \x1b[32mNo arbitrary code execution:\x1b[0m Registries cannot run shell scripts, commands, or packages.`);
+    console.log(`  • \x1b[32mSandboxed write paths:\x1b[0m Cache files are written strictly to .ai/registry-cache/${name}/.`);
+    console.log(`  • \x1b[32mTo install afterwards:\x1b[0m Use 'catalog install <slug> --approved' to deploy a plugin.`);
+    console.log(`\nTo execute this sync operation, run:`);
+    console.log(`  \x1b[36mnpx multimodel-dev-os registry sync ${name} --approved\x1b[0m\n`);
     process.exit(1);
   }
 
@@ -6015,23 +6019,24 @@ function handleRegistryStatus(options) {
 
   console.log(`\n📊 \x1b[36mRegistry Status [v${version}]\x1b[0m`);
   console.log('==================================================');
-  console.log(`\x1b[33mPolicy:\x1b[0m`);
-  console.log(`  allow_remote_registries:  \x1b[${policy.allow_remote_registries ? '32mtrue' : '33mfalse'}\x1b[0m`);
-  console.log(`  require_checksum:         ${policy.require_checksum}`);
-  console.log(`  require_signature:        ${policy.require_signature}`);
-  console.log(`  allow_untrusted_install:  ${policy.allow_untrusted_install}`);
+  console.log(`\x1b[33mPolicy State:\x1b[0m`);
+  console.log(`  allow_remote_registries:  \x1b[${policy.allow_remote_registries ? '32mtrue' : '33mfalse'}\x1b[0m (Disabled by default)`);
+  console.log(`  require_checksum:         ${policy.require_checksum ? '\x1b[32mtrue\x1b[0m (SHA256 integrity enforced)' : '\x1b[33mfalse\x1b[0m'}`);
+  console.log(`  require_signature:        ${policy.require_signature ? '\x1b[32mtrue\x1b[0m' : '\x1b[90mfalse (not enforced in v3.0)\x1b[0m'}`);
+  console.log(`  allow_untrusted_install:  ${policy.allow_untrusted_install ? '\x1b[33mtrue\x1b[0m' : '\x1b[32mfalse\x1b[0m (secured)'}`);
   console.log(`  max_plugin_files:         ${policy.max_plugin_files}`);
-  console.log(`  max_plugin_size_kb:       ${policy.max_plugin_size_kb}`);
+  console.log(`  max_plugin_size_kb:       ${policy.max_plugin_size_kb}KB`);
   console.log(`  max_registry_cache_size:  ${policy.max_registry_cache_size_kb}KB`);
 
   console.log(`\n\x1b[33mSources:\x1b[0m`);
   sources.forEach(s => {
     const status = s.enabled ? '\x1b[32m● enabled\x1b[0m' : '\x1b[90m○ disabled\x1b[0m';
+    const label = s.name === 'bundled' ? 'bundled' : s.type === 'local' ? `local:${s.name}` : `remote:${s.name}`;
     const synced = s.last_synced_at ? `synced: ${s.last_synced_at}` : 'never synced';
     const cacheDir = join(sourceRoot, '.ai', 'registry-cache', s.name);
     const hasCache = s.type !== 'local' && existsSync(cacheDir);
 
-    console.log(`  ${s.name}  ${status}  (${s.type}, ${s.trust_level})`);
+    console.log(`  ${s.name}  ${status}  [${label}]  (${s.type}, ${s.trust_level})`);
     if (s.type !== 'local') {
       console.log(`    URL:    ${s.url}`);
       console.log(`    Cache:  ${hasCache ? '\x1b[32mcached\x1b[0m' : '\x1b[90mnot cached\x1b[0m'}`);
@@ -6039,7 +6044,8 @@ function handleRegistryStatus(options) {
     }
   });
 
-  console.log('\nUse \x1b[36mregistry verify <name>\x1b[0m to check cache integrity.');
+  console.log('\nUse \x1b[36mregistry list\x1b[0m to view configured registry sources.');
+  console.log('Use \x1b[36mregistry verify <name>\x1b[0m to check cache integrity offline.');
   console.log('Use \x1b[36mregistry sync <name> --approved\x1b[0m to refresh a remote cache.\n');
 }
 
@@ -6055,16 +6061,17 @@ function handleRegistryVerify(name, options) {
     }
     const content = readFileSync(catalogPath, 'utf8');
     const hash = computeSHA256(content);
-    console.log(`  File:     .ai/plugins/catalog.yaml`);
-    console.log(`  SHA256:   ${hash}`);
-    console.log(`  Status:   \x1b[32m✓ Present and readable\x1b[0m`);
+    console.log(`  Verification Type: Local verification (no network required)`);
+    console.log(`  File:              .ai/plugins/catalog.yaml`);
+    console.log(`  SHA256 Checksum:   ${hash}`);
+    console.log(`  Status:            \x1b[32m✓ Present and readable (Integrity Verified)\x1b[0m`);
 
     // Verify it parses
     try {
       const parsed = parseYaml(content);
       const pluginCount = ((parsed.catalog || {}).plugins || []).length;
-      console.log(`  Plugins:  ${pluginCount} entries parsed successfully`);
-      console.log(`\n\x1b[32m✔ Bundled registry verification passed.\x1b[0m\n`);
+      console.log(`  Plugins:           ${pluginCount} entries parsed successfully`);
+      console.log(`\n\x1b[32m✔ Bundled registry verification passed. (Offline & Secure)\x1b[0m\n`);
     } catch (e) {
       console.error(`\n\x1b[31m✗ Bundled registry verification failed: ${e.message}\x1b[0m\n`);
       process.exit(1);
@@ -6099,7 +6106,7 @@ function handleRegistryVerify(name, options) {
       const content = readFileSync(filePath, 'utf8');
       const actualHash = `sha256:${computeSHA256(content)}`;
       if (actualHash === expectedHash) {
-        console.log(`  \x1b[32m✓ ${file}: VERIFIED\x1b[0m`);
+        console.log(`  \x1b[32m✓ ${file}: VERIFIED (Integrity check matched via SHA-256)\x1b[0m`);
       } else {
         console.log(`  \x1b[31m✗ ${file}: MISMATCH\x1b[0m`);
         console.log(`    Expected: ${expectedHash}`);
@@ -6125,7 +6132,11 @@ function handleRegistryShow(name, options) {
   const source = sources.find(s => s.name === name);
 
   if (!source) {
-    console.error(`\x1b[31mError: Registry '${name}' not found.\x1b[0m`);
+    console.error(`\x1b[31mError: Registry source '${name}' is not configured.\x1b[0m`);
+    console.log('Available configured sources:');
+    sources.forEach(s => console.log(`  - ${s.name} (${s.type})`));
+    console.log('\nTo add a remote source, run:');
+    console.log(`  npx multimodel-dev-os registry add <name> <url> --approved`);
     process.exit(1);
   }
 
@@ -6134,16 +6145,19 @@ function handleRegistryShow(name, options) {
     return;
   }
 
+  const label = source.name === 'bundled' ? 'bundled' : source.type === 'local' ? `local:${source.name}` : `remote:${source.name}`;
+
   console.log(`\n🔍 \x1b[36mRegistry Source: ${name}\x1b[0m`);
   console.log('==================================================');
   console.log(`\x1b[33mName:\x1b[0m           ${source.name}`);
+  console.log(`\x1b[33mSource Label:\x1b[0m   ${label}`);
   console.log(`\x1b[33mType:\x1b[0m           ${source.type}`);
   console.log(`\x1b[33mURL:\x1b[0m            ${source.url}`);
   console.log(`\x1b[33mEnabled:\x1b[0m        ${source.enabled}`);
   console.log(`\x1b[33mTrust Level:\x1b[0m    ${source.trust_level}`);
   console.log(`\x1b[33mSafety Policy:\x1b[0m  ${source.safety_policy}`);
-  console.log(`\x1b[33mChecksum:\x1b[0m       ${source.checksum_required ? 'Required' : 'Not required'}`);
-  console.log(`\x1b[33mSignature:\x1b[0m      ${source.signature_required ? 'Required' : 'Not required'}`);
+  console.log(`\x1b[33mChecksum:\x1b[0m       ${source.checksum_required ? 'Required (SHA-256 integrity)' : 'Not required'}`);
+  console.log(`\x1b[33mSignature:\x1b[0m      ${source.signature_required ? 'Required' : 'Not required (v3.0.1)'}`);
 
   if (source.last_synced_at) {
     console.log(`\x1b[33mLast Synced:\x1b[0m    ${source.last_synced_at}`);
@@ -6173,6 +6187,14 @@ function handleRegistryShow(name, options) {
     }
   }
 
+  console.log('\nNext steps:');
+  console.log(`  Verify:  npx multimodel-dev-os registry verify ${name}`);
+  if (source.type !== 'local') {
+    console.log(`  Sync:    npx multimodel-dev-os registry sync ${name} --approved`);
+    console.log(`  Browse:  npx multimodel-dev-os catalog list --source remote:${name}`);
+  } else {
+    console.log(`  Browse:  npx multimodel-dev-os catalog list --source ${name}`);
+  }
   console.log('');
 }
 

package/docs/.vitepress/config.js

@@ -32,7 +32,7 @@ export default {
         'license': 'https://opensource.org/licenses/MIT',
         'url': 'https://github.com/rizvee/multimodel-dev-os',
         'downloadUrl': 'https://www.npmjs.com/package/multimodel-dev-os',
-        'softwareVersion': '3.0.0',
+        'softwareVersion': '3.0.1',
         'description': 'Portable, vendor-neutral AI Developer OS for multi-agent coding workflows.'
       })
     ]
@@ -196,7 +196,7 @@ export default {
           { text: 'Public Launch Checklist', link: '/launch-checklist' },
           { text: 'Launch & Sharing Kit', link: '/launch-kit' },
           { text: 'CLI Roadmap', link: '/cli-roadmap' },
-          { text: 'v2 Roadmap', link: '/v2-roadmap' },
+          { text: 'v3 Roadmap', link: '/v3-roadmap' },
           { text: 'Release Policy', link: '/release-policy' },
           { text: 'Support Policy', link: '/support-policy' },
           { text: 'Pre-flight Release Testing', link: '/testing-v0.2' },

package/docs/catalog.md

@@ -52,7 +52,7 @@ npx multimodel-dev-os catalog status
 
 ## Source Filtering
 
-By default, catalog commands query the bundled first-party catalog. In `v3.0.0`, you can filter queries by source or merge all enabled registry sources:
+By default, catalog commands query the bundled first-party catalog. In `v3.0.0+`, you can filter queries by source or merge all enabled registry sources:
 
 * **Filter by a specific source:**
   ```bash

package/docs/npm-publishing.md

@@ -12,13 +12,13 @@ Before publishing, always test the built package locally by compiling a compress
    ```bash
    npm pack
    ```
-   This creates a file named like `multimodel-dev-os-2.6.0.tgz` in your directory root.
+   This creates a file named like `multimodel-dev-os-3.0.1.tgz` in your directory root.
 
 2. **Verify bundle contents:**
    Create an empty temporary workspace, extract the tarball, and confirm that only required scaffold folders are included (no `.github/`, test configurations, or local system files):
    ```bash
    mkdir -p /tmp/package-test && cd /tmp/package-test
-   tar -xzf /path/to/multimodel-dev-os-2.6.0.tgz
+   tar -xzf /path/to/multimodel-dev-os-3.0.1.tgz
    ls -la package/
    ```
 
@@ -34,7 +34,7 @@ Before publishing, always test the built package locally by compiling a compress
 Execute these validation actions strictly in sequence before triggering a release:
 
 1. **Verify structural health:**
-   Ensure all 214+ assertions in our verification script pass successfully:
+   Ensure all 248+ assertions in our verification script pass successfully:
    ```bash
    npm run verify
    ```
@@ -78,17 +78,17 @@ Execute these validation actions strictly in sequence before triggering a releas
 ## 4. Prepublish Safety Guard
 
 > [!IMPORTANT]
-> **v2.6.0 is the active stable release.** NPM publishing is live.
+> **v3.0.1 is the active stable release.** NPM publishing is live.
 
 ### Source vs. Registry Strategy
-* **GitHub main branch (Source)**: Contains the current stable `v2.6.0` codebase.
+* **GitHub main branch (Source)**: Contains the current stable `v3.0.1` codebase.
 * **npm latest (Registry)**: Pulled and installed globally or via npx.
 
 ### Prepublish Safety Guard
 To prevent accidental `npm publish` executions on developer environments, a local validation script has been added to package hooks. If you run `npm publish`, it is blocked by default.
 
 To bypass this check during approved release windows:
-1. Ensure the version in `package.json` starts with `2.` (e.g. `2.0.1`).
+1. Ensure the version in `package.json` is a valid stable major version >= 2 (e.g., v3.0.1).
 2. Run publication with the override env variable:
    ```powershell
    # PowerShell

package/docs/public/llms-full.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v3.0.0 Stable Release)
+# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v3.0.1 Stable Release)
 
 MultiModel Dev OS is a repository-level porting specification designed to align context and instructions across diverse developer tools and AI models.
 
@@ -136,7 +136,7 @@ npx multimodel-dev-os@latest init --caveman
 - **Documentation site**: https://rizvee.github.io/multimodel-dev-os/
 - **Guided Demo Workflows**: https://rizvee.github.io/multimodel-dev-os/demos/
 - **GitHub Codebase**: https://github.com/rizvee/multimodel-dev-os
-- **v2.0.0 Roadmap**: https://rizvee.github.io/multimodel-dev-os/v2-roadmap
+- **v3.0.0 Roadmap**: https://rizvee.github.io/multimodel-dev-os/v3-roadmap
 - **Release Policies**: https://rizvee.github.io/multimodel-dev-os/release-policy
 - **Upgrade Playbook**: https://rizvee.github.io/multimodel-dev-os/migration-guide
 - **Model Compatibility**: https://rizvee.github.io/multimodel-dev-os/model-compatibility

package/docs/public/llms.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS (v3.0.0 Stable Release)
+# MultiModel Dev OS (v3.0.1 Stable Release)
 
 Portable, vendor-neutral workspace configuration standard for multi-agent AI pair-programming workflows.
 

package/docs/registry-security.md

@@ -2,7 +2,7 @@
 
 MultiModel Dev OS is designed with a **zero-trust architecture** for remote registries and plugins. Because plugins configure coding guidelines, workflows, and prompts for AI coding agents, securing the distribution channel is critical.
 
-This document describes the threat model, safety boundaries, and mitigation strategies implemented in `v3.0.0`.
+This document describes the threat model, safety boundaries, and mitigation strategies implemented in `v3.0.0+`.
 
 ---
 

package/docs/v3-roadmap.md

@@ -0,0 +1,85 @@
+# MultiModel Dev OS — Roadmap: v3.x
+
+This document outlines the development path, completed milestones, and future plans for MultiModel Dev OS.
+
+---
+
+## 1. Current Status
+
+> [!IMPORTANT]
+> **v3.0.1 is the active stable release** on the public npm registry. All features below marked ✅ are shipped and production-ready.
+
+---
+
+## 2. Completed Milestones
+
+### v3.0.1 — Registry UX & Policy Safety Patch ✅
+- **Registry Command UX**: Improved formatting and next-step actions for `registry status`, `registry list`, `registry show`, `registry verify`, and `registry sync`.
+- **Policy Safety Messaging**: Clarified sandboxing, offline verification capabilities, checksum verification, and approval gates.
+- **Safety Hardening**: Explicitly documented remote registry sync boundaries (offline verify, no automated installs, path sandboxing, zero shell/code execution from catalogs).
+- **Cleanup**: Purged local build artifacts, logs, and unused stubs.
+
+### v3.0.0 — Trusted Remote Catalog & Registry Governance ✅
+- **Trusted Remote Registry Sync**: Introduced the `registry` CLI command suite allowing users to optionally sync remote catalogs (`list`, `add`, `remove`, `sync`, `status`, `verify`, `show`, `cache clear`).
+- **Declarative Security Policy Engine**: Implemented `.ai/policies/registry-policy.yaml` governing remote registries, with opt-in defaults, permitted write directories, blocked file paths, size limits, allowed extensions, and registry trust levels.
+- **SHA256 Integrity Verification**: Standardized SHA256 integrity verification inside registry manifest files, verified on sync and installation, using Node's native `crypto` module.
+- **Source-Aware Catalog Loading**: Extended `loadCatalog` and existing `catalog` commands with `--source` and `--all-sources` flags, ensuring seamless prioritization across bundled, local, and synced remote registries.
+- **TUI Dashboard Integration**: Added a read-only "Registry Sources & Cache" submenu to the dashboard.
+- **Zero-Dependency Core**: Deployed the remote integration layer natively using Node's built-in modules (`https`, `crypto`, `fs`, `path`).
+
+### v2.9.0 — Local Workflow Marketplace & Plugin Catalog ✅
+- **Workflow Marketplace**: Curated index catalog packaging 6 first-party plugins for Git, SEO, WordPress, Next.js, E-commerce, and releases.
+- **Catalog CLI Commands**: Added `catalog list`, `catalog search`, `catalog show`, `catalog categories`, `catalog recommend`, `catalog install`, and `catalog status` to the zero-dependency CLI.
+- **Recommendation Engine**: Automatically ranks and recommends marketplace plugins using package scripts, frameworks, languages, and repo type heuristics.
+- **TUI Dashboard Integration**: Integrated read-only catalog actions (list, search, recommend, status) directly into the interactive command center.
+
+### v2.8.0 / v2.8.1 — Interactive TUI Dashboard & Plugin Hooks ✅
+- **Interactive TUI Dashboard**: Added `dashboard`/`ui` command launching a zero-dependency keyboard-interactive command center built with Node's native `readline` module.
+- **Declarative Plugin Hooks**: Added `plugin` command suite (`list`, `show`, `validate`, `install`, `status`) and JSON schema to securely extend workspace templates, workflows, and skills.
+- **Secure Plugin Installer**: Supports `--approved` execution gate, path whitelisting to `.ai/` and `adapters/` directories, and automatic conflict `.bak` backups.
+- **Path Traversal Hardening**: Enforce alphanumeric slug checks (`/^[a-z0-9-_]+$/i`) and pattern validation bounds to block traversal vectors.
+
+### v2.0.0 → v2.7.0 — Core Foundation ✅
+- Unified autonomous co-pilot adapters and root contracts.
+- Codebase scanner (`scan`) and hash-compressed memory engine (`memory build`).
+- Feedback learning (`feedback add`) and proposal engine (`improve propose` / `apply`).
+- Interactive demo workflow pages and website distribution system.
+
+---
+
+## 3. Publishing Workflow
+
+All releases follow this strict publishing checklist:
+
+1. Bump version in `package.json`
+2. Run `npm run verify` (248+ assertions must pass)
+3. Run `npm run docs:build` to verify documentation
+4. Run `npm pack --dry-run` to review package hygiene
+5. Set `MMDO_ALLOW_PUBLISH=true` and publish manually:
+   ```bash
+   MMDO_ALLOW_PUBLISH=true npm publish --access public
+   ```
+
+---
+
+## 4. Upcoming: v3.1.0 — Cryptographic Catalog Signing
+
+*   **Asymmetric Key Signatures**: Cryptographic signature validation for remote registries using public/private key pairs.
+*   **Decentralized Trust Anchors**: Trust anchors configuration allowing teams to pin public keys of verified catalog authors.
+*   **Tamper-Proof Audit Chain**: Signed change logs and history verification.
+
+---
+
+## 5. Future Plan: v4.0.0 — Unified Autonomous Co-Pilot Ecosystem
+
+*   **Full Multi-Agent Orchestration**: Dynamic task handoffs between specialized agents.
+*   **Real-Time Collaboration**: Live workspace state sharing between agents and developers.
+*   **Cloud-Native Intelligence**: Optional cloud-backed memory and feedback aggregation.
+
+---
+
+## 6. Migration Notes
+
+* **From any v3.x or v2.x**: Run `npx multimodel-dev-os@latest init --force` to pull the latest configuration files. Existing files are backed up automatically as `.bak`.
+* **From v1.x**: See the [Migration Guide](/migration-guide) for the upgrade path.
+* **Fresh install**: Simply run `npx multimodel-dev-os@latest init` — no prior setup required.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "multimodel-dev-os",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "bin": {
     "multimodel-dev-os": "bin/multimodel-dev-os.js"
   },

package/scripts/install.ps1

@@ -11,7 +11,7 @@ param(
   [switch]$Help
 )
 
-$Version = "3.0.0"
+$Version = "3.0.1"
 $RepoUrl = "https://raw.githubusercontent.com/rizvee/multimodel-dev-os/main"
 
 if ($Help) {

package/scripts/install.sh

@@ -7,7 +7,7 @@ set -euo pipefail
 #        --all      (install all adapters)
 #        --dry-run  (show what would be created without creating)
 
-VERSION="3.0.0"
+VERSION="3.0.1"
 REPO_URL="https://raw.githubusercontent.com/rizvee/multimodel-dev-os/main"
 CAVEMAN=false
 DRY_RUN=false

package/scripts/verify.js

@@ -224,7 +224,7 @@ checkFile('docs/agent-compatibility.md');
 checkFile('docs/adapter-authoring.md');
 checkFile('docs/token-optimization.md');
 checkFile('docs/mobile-android.md');
-checkFile('docs/v2-roadmap.md');
+checkFile('docs/v3-roadmap.md');
 checkFile('docs/template-authoring.md');
 checkFile('docs/skill-authoring.md');
 checkFile('docs/registry-contribution.md');
@@ -549,7 +549,7 @@ try {
     }
   }
 
-  // Test 2: Allows version 3.0.0 with MMDO_ALLOW_PUBLISH=true
+  // Test 2: Allows version 3.0.1 with MMDO_ALLOW_PUBLISH=true
   try {
     const output = execSync('node scripts/prepublish-guard.js', { 
       cwd: projectRoot, 
@@ -557,7 +557,7 @@ try {
       encoding: 'utf8' 
     });
     if (output.includes('Prepublish guard passed')) {
-      console.log(`  ${GREEN}✓${NC} prepublish guard allows version 3.0.0 when MMDO_ALLOW_PUBLISH=true`);
+      console.log(`  ${GREEN}✓${NC} prepublish guard allows version 3.0.1 when MMDO_ALLOW_PUBLISH=true`);
       pass++;
     } else {
       console.error(`  ${RED}✗${NC} prepublish guard passed but stdout missing success indicator`);
@@ -565,7 +565,7 @@ try {
     }
   } catch (err) {
     const errText = err.stderr ? err.stderr.toString() : '';
-    console.error(`  ${RED}✗${NC} prepublish guard blocked version 3.0.0: ${errText || err.message}`);
+    console.error(`  ${RED}✗${NC} prepublish guard blocked version 3.0.1: ${errText || err.message}`);
     fail++;
   }
 
@@ -579,12 +579,12 @@ try {
     pass++;
   }
 
-  // Test 4: Package.json version is exactly 3.0.0
-  if (expectedVersion === '3.0.0') {
-    console.log(`  ${GREEN}✓${NC} package.json version is exactly 3.0.0`);
+  // Test 4: Package.json version is exactly 3.0.1
+  if (expectedVersion === '3.0.1') {
+    console.log(`  ${GREEN}✓${NC} package.json version is exactly 3.0.1`);
     pass++;
   } else {
-    console.error(`  ${RED}✗${NC} package.json version is not 3.0.0 (found ${expectedVersion})`);
+    console.error(`  ${RED}✗${NC} package.json version is not 3.0.1 (found ${expectedVersion})`);
     fail++;
   }
 } catch (e) {

package/docs/v2-roadmap.md

@@ -1,116 +0,0 @@
-# MultiModel Dev OS — Roadmap: v2.x → v3.0
-
-This document outlines the development path, completed milestones, and future plans for MultiModel Dev OS.
-
----
-
-## 1. Current Status
-
-> [!IMPORTANT]
-> **v2.9.0 is the active stable release** on the public npm registry. All features below marked ✅ are shipped and production-ready.
-
----
-
-## 2. Completed Milestones
-
-### v2.0.0 — Template Galaxy & Model Registry ✅
-- Standardized model registries under `.ai/models/` (registry, providers, routing presets, local models)
-- Adapter registry expansion under `.ai/adapters/registry.yaml`
-- Android Expo mobile template (`examples/expo-react-native-android/`)
-- CLI registry subcommands: `models`, `show-model`, `providers`, `route-model`, `adapters`, `show-adapter`, `skills`, `show-skill`
-- Stable npm publication resumed
-
-### v2.2.0 — Codebase Scanner & Memory Engine ✅
-- `scan` command to inspect frameworks, package managers, and AI Dev OS files
-- `memory build`, `memory refresh`, and `memory diff` commands
-- Hash-compressed memory indexing to `.ai/intelligence/memory.hash.json`
-- Secret-safety exclusions for `.env`, `.npmrc`, `.keystore` files
-
-### v2.3.0 — Feedback Learning & Proposal Engine ✅
-- `feedback add`, `feedback list`, `feedback summarize` commands
-- `improve propose`, `improve review`, `improve status` commands
-- Read-only proposal drafting with safety gates
-- Feedback logs and learning rules compilation
-
-### v2.4.0 — Approved Proposal Application Engine ✅
-- `improve validate`, `improve diff`, `improve apply` subcommands
-- 12 strict safety gates including path boundary, protected paths, idempotency
-- Applied Proposals Audit Log (`apply-log.jsonl`) with SHA-256 hashing
-- Deterministic operations: `create_file`, `append_line`, `replace_text`
-
-### v2.5.0 — Repository Intelligence Command Center ✅
-- `status` command — compact operational dashboard
-- `workflow list`, `show`, `plan`, `run` — multi-agent workflow orchestration
-- `handoff build`, `handoff show` — token-compressed session context
-- Safe execution boundaries — no destructive operations from workflows
-
-### v2.6.0 — Real-Repo Onboarding & Adapter Sync ✅
-- `onboard analyze`, `recommend`, `plan`, `apply`, `status` — existing repo onboarding
-- `adapter status`, `diff`, `sync` — IDE adapter rule file synchronization
-- Template recommendation heuristics with confidence scores
-- Safety overwrites with automatic `.bak` backups
-- `doctor --onboarding` diagnostics
-
-### v2.7.0 — Website, Demo & Distribution System ✅
-- Restructured homepage as a product conversion funnel
-- Created 5 structured, copy-paste interactive demo workflow pages
-- Documented comprehensive distribution and release workflows
-- Added new SVG visual assets for onboarding and adapter sync flows
-- Created docs-first examples for key developer workflows
-- Updated sitemaps, model registries, and search indices
-
-### v2.8.0 / v2.8.1 — Interactive TUI Dashboard & Plugin Hooks ✅
-- **Interactive TUI Dashboard**: Added `dashboard`/`ui` command launching a zero-dependency keyboard-interactive command center built with Node's native `readline` module.
-- **Declarative Plugin Hooks**: Added `plugin` command suite (`list`, `show`, `validate`, `install`, `status`) and JSON schema to securely extend workspace templates, workflows, and skills.
-- **Secure Plugin Installer**: Supports `--approved` execution gate, path whitelisting to `.ai/` and `adapters/` directories, and automatic conflict `.bak` backups.
-- **Headless Fallback & CI Polish**: Polish dry-run outputs and added `--list-actions` parameter to prevent TUI hangs in CI.
-- **Path Traversal Hardening**: Enforce alphanumeric slug checks (`/^[a-z0-9-_]+$/i`) and pattern validation bounds to block traversal vectors.
-
-### v2.9.0 — Local Workflow Marketplace & Plugin Catalog ✅
-- **Workflow Marketplace**: Curated index catalog (`catalog.yaml` and `.ai/plugins/catalog/`) packaging 6 first-party plugins for Git, SEO, WordPress, Next.js, E-commerce, and releases.
-- **Catalog CLI Commands**: Added `catalog list`, `catalog search`, `catalog show`, `catalog categories`, `catalog recommend`, `catalog install`, and `catalog status` to the zero-dependency CLI.
-- **Recommendation Engine**: Automatically ranks and recommends marketplace plugins using package scripts, frameworks, languages, and repo type heuristics.
-- **TUI Dashboard Integration**: Integrated read-only catalog actions (list, search, recommend, status) directly into the interactive command center.
-- **Robust Safety Boundaries**: Reuses the plugin installer validations (traversal protection, whitelist directories, backup overwrites, and exit code 1 gates).
-
----
-
-## 3. Publishing Workflow
-
-All releases follow this strict publishing checklist:
-
-1. Bump version in `package.json`
-2. Run `npm run verify` (220+ assertions must pass)
-3. Run `npm run docs:build` to verify documentation
-4. Run `npm publish --dry-run` to review package hygiene
-5. Set `MMDO_ALLOW_PUBLISH=true` and publish:
-   ```bash
-   MMDO_ALLOW_PUBLISH=true npm publish --access public
-   ```
-
----
-
-## 4. Upcoming: v3.0.0 — Unified Autonomous Co-Pilot Ecosystem
-
-*   **Full Multi-Agent Orchestration**: Dynamic task handoffs between specialized agents.
-*   **Distributed Registry Syncing**: Team-wide configuration synchronization.
-*   **Cryptographic Proposal Signing**: Tamper-proof improvement proposals.
-*   **Real-Time Collaboration**: Live workspace state sharing between agents and developers.
-
----
-
-## 5. Future: v3.0.0 — Unified Autonomous Co-Pilot Ecosystem
-
-*   **Full Multi-Agent Orchestration**: Dynamic task handoffs between specialized agents
-*   **Distributed Registry Syncing**: Team-wide configuration synchronization
-*   **Cryptographic Proposal Signing**: Tamper-proof improvement proposals
-*   **Real-Time Collaboration**: Live workspace state sharing between agents and developers
-*   **Cloud-Native Intelligence**: Optional cloud-backed memory and feedback aggregation
-
----
-
-## 6. Migration Notes
-
-* **From any v2.x**: Run `npx multimodel-dev-os@latest init --force` to pull latest configuration files. Existing files are backed up automatically.
-* **From v1.x**: See the [Migration Guide](/migration-guide) for the upgrade path.
-* **Fresh install**: Simply run `npx multimodel-dev-os@latest init` — no prior setup required.