multimodel-dev-os 3.0.1 → 3.2.0

package/docs/.vitepress/config.js

@@ -32,7 +32,7 @@ export default {
         'license': 'https://opensource.org/licenses/MIT',
         'url': 'https://github.com/rizvee/multimodel-dev-os',
         'downloadUrl': 'https://www.npmjs.com/package/multimodel-dev-os',
-        'softwareVersion': '3.0.1',
+        'softwareVersion': '3.2.0',
         'description': 'Portable, vendor-neutral AI Developer OS for multi-agent coding workflows.'
       })
     ]
@@ -199,7 +199,7 @@ export default {
           { text: 'v3 Roadmap', link: '/v3-roadmap' },
           { text: 'Release Policy', link: '/release-policy' },
           { text: 'Support Policy', link: '/support-policy' },
-          { text: 'Pre-flight Release Testing', link: '/testing-v0.2' },
+          { text: 'Pre-flight Release Testing', link: '/testing' },
           { text: 'Final Launch Guidelines', link: '/final-launch' },
           { text: 'v1.0.0 Release Checklist', link: '/v1-checklist' }
         ]

package/docs/index.md

@@ -214,12 +214,12 @@ You use **Cursor** for autocomplete, **Claude Code** for terminal ops, **Gemini*
 
 <div class="highlight-box">
 
-### 🆕 What's New in v2.7
+### 🆕 What's New in v3.2
 
-- 🎬 **Demo Workflow Pages** — 5 copy-paste guided workflows for onboarding, adapter sync, improvement loops, handoffs, and release checks
-- 📖 **Distribution Guide** — comprehensive release, verification, and package hygiene documentation
-- 🖼️ **Visual Flow Diagrams** — SVG assets for onboarding and adapter sync flows
-- 📁 **Docs-First Examples** — 4 new example workflows with commands and expected output
+- 🏗️ **Modular Source Layout** — Pure ES modules under `src/` cleanly isolate core, CLI routing, catalog engines, and security systems.
+- 🧪 **Formal Unit Testing** — Integrated a Vitest-powered test suite executing 45 unit tests covering path safety, sandbox boundaries, and policy validation.
+- ⚙️ **Build Freshness Guard** — Automated build auditing checks to ensure the generated CLI binary is always synchronized with the source modules.
+- 🛡️ **Hardened Registry Sync** — Strict HTTPS-only URL syntax parsing and argument-isolated sub-process executors prevent shell injection vulnerabilities.
 
 </div>
 

package/docs/npm-publishing.md

@@ -12,13 +12,13 @@ Before publishing, always test the built package locally by compiling a compress
    ```bash
    npm pack
    ```
-   This creates a file named like `multimodel-dev-os-3.0.1.tgz` in your directory root.
+   This creates a file named like `multimodel-dev-os-3.2.0.tgz` in your directory root.
 
 2. **Verify bundle contents:**
    Create an empty temporary workspace, extract the tarball, and confirm that only required scaffold folders are included (no `.github/`, test configurations, or local system files):
    ```bash
    mkdir -p /tmp/package-test && cd /tmp/package-test
-   tar -xzf /path/to/multimodel-dev-os-3.0.1.tgz
+   tar -xzf /path/to/multimodel-dev-os-3.2.0.tgz
    ls -la package/
    ```
 
@@ -78,17 +78,17 @@ Execute these validation actions strictly in sequence before triggering a releas
 ## 4. Prepublish Safety Guard
 
 > [!IMPORTANT]
-> **v3.0.1 is the active stable release.** NPM publishing is live.
+> **v3.2.0 is the active stable release.** NPM publishing is live.
 
 ### Source vs. Registry Strategy
-* **GitHub main branch (Source)**: Contains the current stable `v3.0.1` codebase.
+* **GitHub main branch (Source)**: Contains the current stable `v3.2.0` codebase.
 * **npm latest (Registry)**: Pulled and installed globally or via npx.
 
 ### Prepublish Safety Guard
 To prevent accidental `npm publish` executions on developer environments, a local validation script has been added to package hooks. If you run `npm publish`, it is blocked by default.
 
 To bypass this check during approved release windows:
-1. Ensure the version in `package.json` is a valid stable major version >= 2 (e.g., v3.0.1).
+1. Ensure the version in `package.json` is a valid stable major version >= 2 (e.g., v3.2.0).
 2. Run publication with the override env variable:
    ```powershell
    # PowerShell

package/docs/package-safety.md

@@ -27,3 +27,27 @@ The project release audit scripts strictly enforce these checks:
 npm run verify
 ```
 Any violation will cause verification and build pipelines to fail immediately.
+
+## Registry Security Update (v3.0.2)
+
+A security hotfix has been applied in `v3.0.2` to secure the registry synchronization and validation channels:
+* **Remediation of Command Injection Risk:** Removed shell-based url interpolation. Sub-process fetches now use safe, argument-based `execFileSync` invocations, isolating URL arguments from evaluated code context.
+* **Registry URL Sanitization:** Enforces strict validation of remote registry URLs using Node's `URL` parser. URLs must use HTTPS by default. Control characters, credentials, spaces, quotes, and shell metacharacters are strictly rejected.
+* **Upgrade Guidance:** Users running `v3.0.0` or `v3.0.1` must upgrade to `v3.0.2` immediately.
+* **Safety Boundaries Preserved:** Remote registries remain disabled by default, sync operations are cache-only (never installing or running plugins), and conflict checks on sensitive files (`.env`, `.npmrc`, package configuration files) are strictly enforced.
+
+## Package Governance Policies
+
+1. **Zero Runtime Dependencies:**
+   * The runtime package is strictly zero-dependency to ensure minimal installation footprint and maximum security.
+   * All compilation, testing, and dev tools (e.g., `esbuild`, `vitest`, `vitepress`) are restricted to `devDependencies` only.
+
+2. **Open-Source Transparency:**
+   * The complete modular source files (`src/`) and testing suites (`tests/`) are intentionally included in the published NPM package, allowing for visual auditing, validation, and debugging.
+
+3. **Manual NPM Publishing Only:**
+   * Automated publishing via CI is disabled. NPM publish is performed manually by maintainers using verification guards.
+
+4. **Milestone-Based Releases:**
+   * Patch-level releases are kept internal by default for stabilization sprints (such as `v3.2.0-prep`).
+   * Public updates are batched into stable, fully-audited milestone releases (e.g., `v3.2.0`). Critical security hotfixes are the only exception.

package/docs/public/llms-full.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v3.0.1 Stable Release)
+# MultiModel Dev OS — Comprehensive AI Assistant Discoverability Guide (v3.2.0 Stable Release)
 
 MultiModel Dev OS is a repository-level porting specification designed to align context and instructions across diverse developer tools and AI models.
 

package/docs/public/llms.txt

@@ -1,4 +1,4 @@
-# MultiModel Dev OS (v3.0.1 Stable Release)
+# MultiModel Dev OS (v3.2.0 Stable Release)
 
 Portable, vendor-neutral workspace configuration standard for multi-agent AI pair-programming workflows.
 

package/docs/public/sitemap.xml

@@ -245,4 +245,14 @@
     <changefreq>weekly</changefreq>
     <priority>0.7</priority>
   </url>
+  <url>
+    <loc>https://rizvee.github.io/multimodel-dev-os/testing</loc>
+    <changefreq>weekly</changefreq>
+    <priority>0.7</priority>
+  </url>
+  <url>
+    <loc>https://rizvee.github.io/multimodel-dev-os/release-policy</loc>
+    <changefreq>weekly</changefreq>
+    <priority>0.7</priority>
+  </url>
 </urlset>

package/docs/registry-policy.md

@@ -35,6 +35,10 @@ Here is a list of all fields supported in `.ai/policies/registry-policy.yaml`:
 * **Default:** `false`
 * **Description:** When `false`, blocks installation of plugins originating from registries with `trust_level` set to `community` or `untrusted`.
 
+### `allow_http_localhost` (Boolean)
+* **Default:** `false`
+* **Description:** (Added in `v3.0.2`) When `true`, optionally permits remote registry URLs to use unencrypted `http://localhost` or `http://127.0.0.1` endpoints. Intended strictly for local development and testing.
+
 ### `allowed_write_roots` (Array of Strings)
 * **Default:** `['.ai/', 'adapters/']`
 * **Description:** A whitelist of directory paths relative to the project root. Plugins are only permitted to write files into these directories.

package/docs/registry-security.md

@@ -41,6 +41,13 @@ Threat: Malicious Remote Registry
   * **In-process verification:** The `registry verify` command performs SHA256 checksum checks against the manifest.
   * **ReadOnly Dashboard:** The interactive TUI Dashboard is completely read-only for registry and plugin operations, preventing UI-driven privilege escalation.
 
+### 5. Sync Command Injection & URL Validation (Patched in v3.0.2)
+* **Threat:** A compromised or malicious remote registry URL is pre-configured in `.ai/registries/sources.yaml` to execute command injection payloads (e.g. via quotes or shell metacharacters) during sync.
+* **Mitigation:**
+  * **No Shell Execution:** Remote synchronization (`registry sync`) does not invoke shell interpreters. It spawns the Node sub-process using the safe `execFileSync` API, passing the target URL as arguments (`process.argv[1]`) rather than string-interpolating it into evaluated code.
+  * **Strict URL Sanitization:** URLs are validated using the native `URL` class. Remote registry URLs must use HTTPS by default. Credentials, quotes (`'`, `"`, `` ` ``), spaces, and shell metacharacters (`$`, `;`, `&`, `|`, `<`, `>`, `(`, `)`, `*`) are strictly blocked.
+  * **HTTP Localhost Exception:** The `allow_http_localhost` policy flag (defaulting to `false`) optionally allows local development registries using `http://localhost` or `http://127.0.0.1`.
+
 ---
 
 ## Safety Boundaries Matrix

package/docs/registry-sync.md

@@ -51,6 +51,12 @@ Run the `registry add` command with the `--approved` flag to define a new regist
 npx multimodel-dev-os registry add partner-registry https://registry.example.com/catalog.yaml --approved
 ```
 
+> [!IMPORTANT]
+> **Strict URL Constraints (v3.0.2+)**
+> * All remote registry URLs must be valid and must use HTTPS by default to prevent sniffing and tampering.
+> * URLs containing quotes (`'`, `"`, `` ` ``), spaces, or shell metacharacters (`$`, `;`, etc.) are rejected to eliminate command injection risks.
+> * Local testing via HTTP localhost can be enabled if `allow_http_localhost` is set to `true` inside `registry-policy.yaml`.
+
 ### 3. Synchronize Registry Data
 
 To fetch the remote catalog, run `registry sync`. Executing without the approval flag displays a safety audit preview:

package/docs/release-policy.md

@@ -34,9 +34,10 @@ No package shall be merged or released without:
 
 ---
 
-## 4. Release Channel & Staging Controls
+## 4. Release Strategy & Staging Controls
 
-MultiModel Dev OS releases new versions directly to the public NPM registry:
-*   **Stable Releases (`npx multimodel-dev-os`)**: Published to the public registry under semantic version categories (e.g. `2.0.0`, `2.0.1`).
-*   **Release Candidates**: Built and validated locally via the automated verification script (`scripts/verify.js`) before tags or packaging runs.
-*   **Staging Verification**: To test new configurations prior to publishing, package the bundle locally (`npm pack`) and run CLI checkups in clean test directories.
+To ensure developer stability and avoid package version fatigue, MultiModel Dev OS enforces the following distribution strategy:
+- **Internal Stabilization Sprints**: Patch-level work (e.g. bug fixes, refactoring, test stability, documentation formatting) is treated as internal by default and committed directly to `main` without bumping versions or publishing to npm.
+- **Batched Milestone Releases**: Public npm and GitHub releases are batched into stable milestone releases (e.g., `v3.2.0`, `v3.3.0`, `v4.0.0`).
+- **Security Hotfix Exceptions**: Critical security hotfixes (e.g., remote execution, command injection remediations) bypass the batching policy and are published immediately as public patch releases.
+- **Staging Verification**: To test new configurations prior to publishing, package the bundle locally (`npm pack`) and run CLI checkups in clean test directories (`C:\mmdo-smoke`).

package/docs/testing.md

@@ -0,0 +1,133 @@
+# MultiModel Dev OS — Testing Guide (v3.2.0+)
+
+This document outlines the testing strategy, tools, and execution processes for MultiModel Dev OS.
+
+---
+
+## 1. Testing Architecture
+
+MultiModel Dev OS implements a two-tier testing strategy to ensure safety, correctness, and compatibility:
+
+```
+┌──────────────────────────────────────────────────────────┐
+│              Tier 1: Unit Tests (Vitest)                 │
+│  Validates parser logic, URL rules, path safety, and    │
+│  manifest schemas in isolation.                          │
+└────────────────────────────┬─────────────────────────────┘
+                             │
+┌────────────────────────────▼─────────────────────────────┐
+│          Tier 2: Release Verification (Verify.js)        │
+│  Executes integration checks, CLI commands, packaging    │
+│  pre-flights, and repository structure audits.           │
+└──────────────────────────────────────────────────────────┘
+```
+
+---
+
+## 2. Tier 1: Unit Testing (Vitest)
+
+Unit tests target pure logic and utility functions to verify behavior under edge cases. The test suite is powered by **Vitest** and located under `tests/unit/`.
+
+### Run Unit Tests
+```bash
+npm test
+```
+
+### Coverage Areas
+
+1. **YAML Parser Flow (`tests/unit/yaml.test.js`)**
+   - Stripping comments outside quotes.
+   - Flow arrays (`["item1", "item2"]`).
+   - Quoted booleans/numbers type preservation.
+   - Malformed YAML error handling.
+
+2. **Registry URL Validation (`tests/unit/registry-url-validation.test.js`)**
+   - Rejects non-HTTPS protocols (except localhost/127.0.0.1 under policy).
+   - Rejects URLs containing quotes, backticks, or shell injection characters.
+   - Rejects credential embedding in URLs.
+
+3. **Registry Policy Rules (`tests/unit/registry-policy.test.js`)**
+   - Correct default policy initialization.
+   - Verification of `allow_remote_registries`, `allowed_write_roots`, and `blocked_paths`.
+
+4. **Path & Sandbox Safety (`tests/unit/path-safety.test.js`)**
+   - Rejects path traversal (`../`).
+   - Rejects blocked files (`.env`, `package.json`).
+   - Ensures writes are restricted to whitelisted boundaries.
+
+5. **Plugin Manifest Validation (`tests/unit/plugin-manifest.test.js`)**
+   - Asserts required keys (`name`, `slug`, `version`, `author`, `description`).
+   - Validates alphanumeric slugs.
+   - Verifies sandboxed path prefixes (`.ai/` and `adapters/`).
+
+6. **Prepublish Guard Logic (`tests/unit/prepublish-guard.test.js`)**
+   - Asserts that publishing blocks without `MMDO_ALLOW_PUBLISH=true`.
+   - Permits stable major versions >= 2.
+
+---
+
+## 3. Tier 2: Release Verification Audit
+
+The release verification script (`scripts/verify.js`) checks that the codebase matches packaging rules, CLI commands execute cleanly, and no temporary development artifacts are committed.
+
+### Run Verification Audit
+```bash
+# Deploys build step, executes unit tests, and runs integration verification
+npm run verify
+```
+
+### Key Audit Gates
+- **Structure Check**: Verifies presence of all required configuration, documentation, templates, and adapter files.
+- **CLI Help**: Asserts that `node bin/multimodel-dev-os.js --help` outputs the correct version and all available commands.
+- **TUI Dashboard Dry-Run**: Validates that `--dry-run` and `--list-actions` flags execute without TTY dependencies.
+- **Catalog Integrities**: Scans and validates all bundled catalog plugin manifests.
+- **Security Hotfix Verifications**: Bypasses and checks that registry sync url checks prevent shell escapes.
+
+---
+
+## 4. Build System Testing
+
+Since version `v3.1.0` introduces a modular source layout under `src/`, development happens in modules and is compiled into a single executable `bin/multimodel-dev-os.js`.
+
+### Run Build Step
+```bash
+npm run build
+```
+
+The build runner uses `scripts/build-cli.js` (powered by `esbuild` in devDependencies) to bundle source modules programmatically while preserving shebang, execution permissions, and adding a warning header.
+
+---
+
+## 5. Tarball Smoke Testing
+
+To ensure the npm package functions flawlessly after installation, we run a local tarball smoke test:
+
+1. **Pack the release package**:
+   ```bash
+   npm pack
+   ```
+2. **Setup a clean test directory**:
+   ```bash
+   mkdir C:\mmdo-smoke-test
+   cd C:\mmdo-smoke-test
+   npm init -y
+   ```
+3. **Install the generated tarball locally**:
+   ```bash
+   npm install F:\multimodel-dev-os\multimodel-dev-os-3.2.0.tgz --no-audit --no-fund
+   ```
+4. **Validate npx invocation**:
+   ```bash
+   npx multimodel-dev-os --help
+   npx multimodel-dev-os doctor
+   ```
+
+---
+
+## 6. Maintainer Guidelines
+
+For contributors and maintainers modifying the codebase:
+1. **Always edit source modules** located under `src/`. Do NOT make manual edits to `bin/multimodel-dev-os.js` directly, as it will be overwritten during compilation.
+2. **Execute the build script** via `npm run build` after completing modifications to compile the single-file binary.
+3. **Execute Vitest unit tests** (`npm test`) to ensure all core modules pass verification gates in isolation.
+4. **Execute release verification** (`npm run verify`) to run the strict verification pipeline (250+ assertions check compiled binary, folder layouts, sitemaps, etc.).

package/docs/trusted-registries.md

@@ -31,6 +31,10 @@ graph TD
 * **Safety:** Sandboxed logic, restricted file paths.
 * **Installation:** Refused unless `allow_untrusted_install: true` is configured in `.ai/policies/registry-policy.yaml`.
 
+> [!IMPORTANT]
+> **HTTPS Transport Enforcement (v3.0.2+)**
+> All remote community or verified registries must use secure `https:` transport URLs. URLs are validated strictly against injection risks. Unencrypted `http:` transport is strictly rejected, except for localhost testing if `allow_http_localhost` is enabled.
+
 ### 4. Untrusted
 * **Source:** Unknown or flagged endpoints.
 * **Verification:** None.

package/docs/v3-roadmap.md

@@ -7,12 +7,30 @@ This document outlines the development path, completed milestones, and future pl
 ## 1. Current Status
 
 > [!IMPORTANT]
-> **v3.0.1 is the active stable release** on the public npm registry. All features below marked ✅ are shipped and production-ready.
+> **v3.2.0 is the active stable release** on the public npm registry. All features below marked ✅ are shipped and production-ready.
 
 ---
 
 ## 2. Completed Milestones
 
+### v3.2.0 — Stable Modular Build + Package Governance ✅
+- **Build Freshness Auditing**: Integrated `check-build-fresh.js` to ensure the generated single-file CLI binary matches standard ES modules under `src/` dynamically.
+- **Hardened Package Governance**: Configured the NPM manifest (`package.json`) to include the modular source folder (`src/`) and unit test suites (`tests/unit/`) for developer auditability, while verifying the strict exclusion of sensitive and temporary files.
+- **Cross-Platform CI Pipeline**: Configured a complete multi-platform CI verification matrix on GitHub Actions covering Windows, Linux, and macOS across Node.js versions `20.x` and `22.x`.
+- **Harden Build & Verification Gates**: Applied post-build validations asserting shebang count uniqueness, warning headers, and URL shell-injection safety, while expanding integration audits to 269 assertions.
+
+### v3.1.0 — Modular Source Layout + Formal Unit Tests ✅
+- **Modular Source Layout**: Refactored the monolithic CLI structure into isolated, clean modules under `src/` (core, registry, catalog, plugin, cli).
+- **Programmatic Compiler**: Programmed `scripts/build-cli.js` using `esbuild` to compile modules into a single zero-dependency executable (`bin/multimodel-dev-os.js`) with shebang preservation.
+- **Formal Unit Testing**: Integrated `vitest` unit test suites covering isolated YAML parsing, registry URL validation, policy checks, path safety boundaries, plugin manifest validations, and prepublish guard checks.
+- **Improved Integration Verification**: Hooked the unit test runner and build step directly into the release audit `npm run verify` verification gate.
+
+### v3.0.2 — Registry Sync Security Hotfix ✅
+- **Registry Sync Command Injection Remediation**: Replaced shell-based URL interpolation in fetch helper with safe process arguments passed via `execFileSync`.
+- **Strict URL Validation**: Implemented strict syntax checks using `new URL()` and HTTPS-only transport requirements.
+- **Diagnostics Security**: Hardened URL validations on diagnostics commands (`registry show` and `registry verify`).
+- **HTTP localhost Exception**: Added the `allow_http_localhost` policy flag to optionally support local HTTP development testing.
+
 ### v3.0.1 — Registry UX & Policy Safety Patch ✅
 - **Registry Command UX**: Improved formatting and next-step actions for `registry status`, `registry list`, `registry show`, `registry verify`, and `registry sync`.
 - **Policy Safety Messaging**: Clarified sandboxing, offline verification capabilities, checksum verification, and approval gates.
@@ -62,7 +80,7 @@ All releases follow this strict publishing checklist:
 
 ---
 
-## 4. Upcoming: v3.1.0 — Cryptographic Catalog Signing
+## 4. Upcoming: v3.3.0 stable candidate — Asymmetric Key Signatures
 
 *   **Asymmetric Key Signatures**: Cryptographic signature validation for remote registries using public/private key pairs.
 *   **Decentralized Trust Anchors**: Trust anchors configuration allowing teams to pin public keys of verified catalog authors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "multimodel-dev-os",
-  "version": "3.0.1",
+  "version": "3.2.0",
   "bin": {
     "multimodel-dev-os": "bin/multimodel-dev-os.js"
   },
@@ -35,10 +35,15 @@
     "!docs/.vitepress/cache/",
     "examples/",
     "bin/",
+    "src/",
+    "tests/",
     "assets/"
   ],
   "scripts": {
-    "verify": "node scripts/verify.js",
+    "build": "node scripts/build-cli.js",
+    "check:build": "node scripts/check-build-fresh.js",
+    "test": "vitest run",
+    "verify": "npm run check:build && npm test && node scripts/verify.js",
     "verify:bash": "bash scripts/verify.sh",
     "test:cli": "node bin/multimodel-dev-os.js verify",
     "pack:template": "bash scripts/pack-template.sh",
@@ -49,6 +54,8 @@
     "prepublishOnly": "node scripts/prepublish-guard.js"
   },
   "devDependencies": {
-    "vitepress": "^1.6.4"
+    "esbuild": "^0.20.2",
+    "vitepress": "^1.6.4",
+    "vitest": "^1.4.0"
   }
 }

package/scripts/build-cli.js

@@ -0,0 +1,59 @@
+import esbuild from 'esbuild';
+import { existsSync, chmodSync, readFileSync } from 'fs';
+
+const entryPoint = 'src/cli/main.js';
+const outfile = 'bin/multimodel-dev-os.js';
+
+if (!existsSync(entryPoint)) {
+  console.error(`[ERROR] Entrypoint file not found: ${entryPoint}`);
+  process.exit(1);
+}
+
+esbuild.build({
+  entryPoints: [entryPoint],
+  bundle: true,
+  platform: 'node',
+  format: 'esm',
+  outfile: outfile,
+  banner: {
+    js: `#!/usr/bin/env node\n// Generated from src/. Do not edit directly.\n`
+  }
+}).then(() => {
+  // Post-build validation & hardening
+  try {
+    const content = readFileSync(outfile, 'utf8');
+    
+    // 1. Check shebang counts
+    const shebangMatches = content.match(/^#!/g) || [];
+    const totalShebangs = (content.match(/#!/g) || []).length;
+    
+    // We expect exactly one shebang at the very top
+    if (totalShebangs !== 1 || !content.startsWith('#!/usr/bin/env node')) {
+      console.error('[ERROR] Compiled output has invalid shebang configuration.');
+      process.exit(1);
+    }
+    
+    // 2. Check warning header
+    if (!content.includes('// Generated from src/. Do not edit directly.')) {
+      console.error('[ERROR] Compiled output is missing the generation warning header.');
+      process.exit(1);
+    }
+    
+    // 3. Check for unsafe URL interpolation patterns
+    if (content.includes("mod.get('${targetUrl}'") || (content.includes('execSync(`node -e "') && content.includes('${targetUrl}'))) {
+      console.error('[ERROR] Compiled output contains unsafe registry URL interpolation!');
+      process.exit(1);
+    }
+
+    // 4. Set execution permissions (0755)
+    chmodSync(outfile, 0o755);
+    
+    console.log('Build succeeded.');
+  } catch (e) {
+    console.error('Post-build verification failed:', e.message);
+    process.exit(1);
+  }
+}).catch((err) => {
+  console.error('Build failed:', err);
+  process.exit(1);
+});

package/scripts/check-build-fresh.js

@@ -0,0 +1,52 @@
+import esbuild from 'esbuild';
+import { readFileSync, unlinkSync, existsSync } from 'fs';
+
+const entryPoint = 'src/cli/main.js';
+const currentFile = 'bin/multimodel-dev-os.js';
+const tempFile = 'bin/multimodel-dev-os.tmp.js';
+
+if (!existsSync(entryPoint)) {
+  console.error(`[ERROR] Entrypoint file not found: ${entryPoint}`);
+  process.exit(1);
+}
+
+if (!existsSync(currentFile)) {
+  console.error(`[ERROR] Current build file not found: ${currentFile}`);
+  console.error('Generated CLI is stale. Run npm run build and commit bin/multimodel-dev-os.js.');
+  process.exit(1);
+}
+
+try {
+  await esbuild.build({
+    entryPoints: [entryPoint],
+    bundle: true,
+    platform: 'node',
+    format: 'esm',
+    outfile: tempFile,
+    banner: {
+      js: `#!/usr/bin/env node\n// Generated from src/. Do not edit directly.\n`
+    }
+  });
+
+  const currentContent = readFileSync(currentFile, 'utf8');
+  const tempContent = readFileSync(tempFile, 'utf8');
+
+  // Clean up temp file immediately
+  unlinkSync(tempFile);
+
+  const normalize = str => str.replace(/\r\n/g, '\n');
+
+  if (normalize(currentContent) !== normalize(tempContent)) {
+    console.error('[ERROR] Generated CLI is stale. Run npm run build and commit bin/multimodel-dev-os.js.');
+    process.exit(1);
+  }
+
+  console.log('Generated CLI is fresh.');
+  process.exit(0);
+} catch (err) {
+  console.error('Build freshness check failed:', err);
+  if (existsSync(tempFile)) {
+    unlinkSync(tempFile);
+  }
+  process.exit(1);
+}

package/scripts/install.ps1

@@ -11,7 +11,7 @@ param(
   [switch]$Help
 )
 
-$Version = "3.0.1"
+$Version = "3.2.0"
 $RepoUrl = "https://raw.githubusercontent.com/rizvee/multimodel-dev-os/main"
 
 if ($Help) {

package/scripts/install.sh

@@ -7,7 +7,7 @@ set -euo pipefail
 #        --all      (install all adapters)
 #        --dry-run  (show what would be created without creating)
 
-VERSION="3.0.1"
+VERSION="3.2.0"
 REPO_URL="https://raw.githubusercontent.com/rizvee/multimodel-dev-os/main"
 CAVEMAN=false
 DRY_RUN=false