multimodel-dev-os 3.1.0 → 3.2.0

package/src/core/globals.js

@@ -0,0 +1,52 @@
+import { existsSync, readFileSync } from 'fs';
+import { join, resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { parseYaml } from './yaml.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// When bundled, __dirname will resolve to F:\multimodel-dev-os\bin or equivalent
+// So resolving '..' will give the project root directory
+export const sourceRoot = resolve(__dirname, '..');
+
+let pkgVersion = '3.0.2';
+try {
+  const pkgData = JSON.parse(readFileSync(resolve(sourceRoot, 'package.json'), 'utf8'));
+  pkgVersion = pkgData.version;
+} catch (e) {}
+
+export const version = pkgVersion;
+
+export function loadTemplates(customPath) {
+  let path = customPath || join(sourceRoot, '.ai', 'templates', 'registry.yaml');
+  try {
+    if (existsSync(path)) {
+      const templatesRegistry = parseYaml(readFileSync(path, 'utf8'));
+      return templatesRegistry.templates || {};
+    }
+  } catch (e) {}
+  return {
+    'general-app': {
+      name: 'general-app',
+      description: 'Baseline generic fallback profile for standard backend systems.',
+      stack: 'Universal backends baseline structure',
+      skill: 'example-skill.md',
+      skillDesc: 'Generic baseline instructions and coding standards.',
+      status: 'stable',
+      maturity: 'production-ready',
+      required_files: ['AGENTS.md', 'MEMORY.md', 'TASKS.md', 'RUNBOOK.md', '.ai/config.yaml']
+    }
+  };
+}
+
+export function loadAdapters(customPath) {
+  let path = customPath || join(sourceRoot, '.ai', 'adapters', 'registry.yaml');
+  try {
+    if (existsSync(path)) {
+      const adaptersRegistry = parseYaml(readFileSync(path, 'utf8'));
+      return adaptersRegistry.adapters || {};
+    }
+  } catch (e) {}
+  return {};
+}

package/src/core/hashes.js

@@ -0,0 +1,15 @@
+import { createHash } from 'crypto';
+import { readFileSync } from 'fs';
+
+export function computeSHA256(content) {
+  return createHash('sha256').update(content, 'utf8').digest('hex');
+}
+
+export function hashFile(filePath) {
+  try {
+    const data = readFileSync(filePath);
+    return createHash('sha256').update(data).digest('hex');
+  } catch (e) {
+    return '';
+  }
+}

package/src/core/policy.js

@@ -0,0 +1,36 @@
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { sourceRoot } from './globals.js';
+import { parseYaml } from './yaml.js';
+
+export function loadRegistryPolicy(targetDir) {
+  const defaults = {
+    allow_remote_registries: false,
+    allow_http_localhost: false,
+    require_approval_for_remote_sync: true,
+    require_checksum: true,
+    require_signature: false,
+    allow_untrusted_install: false,
+    allowed_write_roots: ['.ai/', 'adapters/'],
+    blocked_paths: ['.env', '.npmrc', '.git/', 'node_modules/', 'package.json', 'package-lock.json', 'pnpm-lock.yaml', 'yarn.lock'],
+    max_plugin_files: 20,
+    max_plugin_size_kb: 100,
+    max_registry_cache_size_kb: 512,
+    allowed_file_extensions: ['.md', '.yaml', '.yml', '.json']
+  };
+  const paths = [];
+  if (targetDir) {
+    paths.push(join(targetDir, '.ai', 'policies', 'registry-policy.yaml'));
+  }
+  paths.push(join(sourceRoot, '.ai', 'policies', 'registry-policy.yaml'));
+
+  for (const p of paths) {
+    if (existsSync(p)) {
+      try {
+        const parsed = parseYaml(readFileSync(p, 'utf8'));
+        return { ...defaults, ...parsed };
+      } catch (e) {}
+    }
+  }
+  return defaults;
+}

package/src/core/security.js

@@ -0,0 +1,61 @@
+export function shouldIgnorePath(relPath) {
+  const normalized = relPath.replace(/\\/g, '/');
+  const segments = normalized.split('/');
+  
+  // Ignored folders
+  const ignoredFolders = ['node_modules', '.git', 'dist', 'build', '.next', 'coverage'];
+  for (const seg of segments) {
+    if (ignoredFolders.includes(seg)) return true;
+  }
+  
+  // Special check for docs/.vitepress/dist and docs/.vitepress/cache
+  if (normalized.includes('docs/.vitepress/dist') || normalized.includes('docs/.vitepress/cache')) {
+    return true;
+  }
+  
+  // Ignore generated memory and intelligence runtime files
+  if (
+    normalized.endsWith('memory.hash.json') ||
+    normalized.endsWith('memory.summary.md') ||
+    normalized.endsWith('feedback-log.jsonl') ||
+    normalized.endsWith('learning-rules.md') ||
+    normalized.endsWith('apply-log.jsonl') ||
+    normalized.includes('.ai/proposals/')
+  ) {
+    return true;
+  }
+  
+  // Skip secret-like files/patterns
+  const lower = normalized.toLowerCase();
+  const filePart = segments[segments.length - 1];
+  if (
+    lower.endsWith('.env') ||
+    lower.includes('.env.') ||
+    lower.endsWith('.npmrc') ||
+    lower.endsWith('.keystore') ||
+    lower.endsWith('.jks') ||
+    lower.endsWith('.key') ||
+    lower.endsWith('.pem') ||
+    lower.endsWith('credentials.json') ||
+    filePart === 'id_rsa' ||
+    filePart === 'id_dsa' ||
+    filePart === 'id_ecdsa' ||
+    filePart === 'id_ed25519'
+  ) {
+    return true;
+  }
+  
+  return false;
+}
+
+export function isSafePath(filePath, policy = {}) {
+  const normPath = filePath.replace(/\\/g, '/').trim();
+  const allowed_write_roots = policy.allowed_write_roots || ['.ai/', 'adapters/'];
+  const blocked_paths = policy.blocked_paths || ['.env', '.npmrc', '.git/', 'node_modules/', 'package.json', 'package-lock.json', 'pnpm-lock.yaml', 'yarn.lock'];
+
+  const isSafeSubdir = allowed_write_roots.some(prefix => normPath.startsWith(prefix));
+  const hasTraversal = normPath.includes('..') || normPath.startsWith('/') || /^[a-zA-Z]:/.test(normPath);
+  const isBlacklisted = blocked_paths.some(black => normPath.includes(black) || normPath.split('/').includes(black.replace(/\/$/, '')));
+
+  return isSafeSubdir && !hasTraversal && !isBlacklisted;
+}

package/src/core/yaml.js

@@ -0,0 +1,136 @@
+export function parseFlowArray(str) {
+  const contents = str.slice(1, -1).trim();
+  if (!contents) return [];
+
+  const result = [];
+  const regex = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([^,\s][^,]*[^,\s]|[^,\s])/g;
+  let match;
+  while ((match = regex.exec(contents)) !== null) {
+    if (match[1] !== undefined) {
+      result.push(match[1].replace(/\\"/g, '"').replace(/\\\\/g, '\\'));
+    } else if (match[2] !== undefined) {
+      result.push(match[2].replace(/\\'/g, "'").replace(/\\\\/g, '\\'));
+    } else if (match[3] !== undefined) {
+      let val = match[3].trim();
+      if (val === 'true') val = true;
+      else if (val === 'false') val = false;
+      else if (val === 'null') val = null;
+      else if (/^-?\d+$/.test(val)) val = parseInt(val, 10);
+      result.push(val);
+    }
+  }
+  return result;
+}
+
+export function parseYaml(content) {
+  try {
+    const root = {};
+    const stack = [{ obj: root, indent: -1, key: null, isArray: false }];
+
+    const lines = content.split(/\r?\n/);
+    for (let line of lines) {
+      // Find comment index outside quotes
+      let commentIdx = -1;
+      let insideDouble = false;
+      let insideSingle = false;
+      for (let i = 0; i < line.length; i++) {
+        const char = line[i];
+        if (char === '"' && (i === 0 || line[i-1] !== '\\')) {
+          insideDouble = !insideDouble;
+        } else if (char === "'" && (i === 0 || line[i-1] !== '\\')) {
+          insideSingle = !insideSingle;
+        } else if (char === '#' && !insideDouble && !insideSingle) {
+          commentIdx = i;
+          break;
+        }
+      }
+      if (commentIdx !== -1) {
+        line = line.substring(0, commentIdx);
+      }
+      line = line.trimEnd();
+      if (!line.trim()) continue;
+
+      const indent = line.match(/^ */)[0].length;
+      let trimmed = line.trim();
+
+      while (stack.length > 1 && indent <= stack[stack.length - 1].indent) {
+        stack.pop();
+      }
+
+      const parent = stack[stack.length - 1];
+
+      if (trimmed.startsWith('-')) {
+        trimmed = trimmed.substring(1).trim();
+        if (!Array.isArray(parent.obj)) {
+          const grandparent = stack[stack.length - 2];
+          if (grandparent) {
+            grandparent.obj[parent.key] = [];
+            parent.obj = grandparent.obj[parent.key];
+          }
+        }
+        
+        const colonIdx = trimmed.indexOf(':');
+        if (colonIdx === -1) {
+          let val = trimmed;
+          if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.substring(1, val.length - 1);
+          }
+          if (val.startsWith('[') && val.endsWith(']')) {
+            val = parseFlowArray(val);
+          }
+          parent.obj.push(val);
+        } else {
+          const key = trimmed.substring(0, colonIdx).trim();
+          let val = trimmed.substring(colonIdx + 1).trim();
+          let isQuoted = false;
+          if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.substring(1, val.length - 1);
+            isQuoted = true;
+          }
+          if (val.startsWith('[') && val.endsWith(']')) {
+            val = parseFlowArray(val);
+          } else if (!isQuoted) {
+            if (val === 'true') val = true;
+            else if (val === 'false') val = false;
+            else if (val === 'null') val = null;
+            else if (/^-?\d+$/.test(val)) val = parseInt(val, 10);
+          }
+
+          const newObj = { [key]: val };
+          parent.obj.push(newObj);
+          stack.push({ obj: newObj, indent: indent, key: key, isArray: false });
+        }
+      } else {
+        const colonIdx = trimmed.indexOf(':');
+        if (colonIdx === -1) continue;
+
+        const key = trimmed.substring(0, colonIdx).trim();
+        let val = trimmed.substring(colonIdx + 1).trim();
+        let isQuoted = false;
+        if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+          val = val.substring(1, val.length - 1);
+          isQuoted = true;
+        }
+        if (val.startsWith('[') && val.endsWith(']')) {
+          val = parseFlowArray(val);
+        } else if (!isQuoted) {
+          if (val === 'true') val = true;
+          else if (val === 'false') val = false;
+          else if (val === 'null') val = null;
+          else if (/^-?\d+$/.test(val)) val = parseInt(val, 10);
+        }
+
+        if (val === '') {
+          parent.obj[key] = {};
+          stack.push({ obj: parent.obj[key], indent: indent, key: key, isArray: false });
+        } else {
+          parent.obj[key] = val;
+        }
+      }
+    }
+    return root;
+  } catch (e) {
+    console.warn(`\x1b[33m[WARNING] Failed to parse YAML: ${e.message}\x1b[0m`);
+    return {};
+  }
+}

package/src/plugin/manifest.js

@@ -0,0 +1,95 @@
+export function validatePluginManifest(manifestObj) {
+  const errors = [];
+
+  const reqKeys = ['name', 'slug', 'version', 'description', 'author'];
+  reqKeys.forEach(k => {
+    if (manifestObj[k] === undefined || manifestObj[k] === null) {
+      errors.push(`Missing required key: ${k}`);
+    } else if (typeof manifestObj[k] !== 'string') {
+      errors.push(`Key '${k}' must be a string`);
+    } else if (k === 'slug') {
+      if (!/^[a-z0-9-_]+$/i.test(manifestObj[k])) {
+        errors.push(`Key 'slug' must be alphanumeric with dashes or underscores only`);
+      }
+    }
+  });
+
+  if (manifestObj.allowed_file_patterns !== undefined) {
+    if (!Array.isArray(manifestObj.allowed_file_patterns)) {
+      errors.push(`allowed_file_patterns must be an array`);
+    } else {
+      manifestObj.allowed_file_patterns.forEach(pat => {
+        if (typeof pat !== 'string') {
+          errors.push(`allowed_file_patterns item must be a string: ${pat}`);
+          return;
+        }
+        const normPattern = pat.replace(/\\/g, '/').trim();
+        const isSafeSubdir = [
+          '.ai/plugins/',
+          '.ai/registries/',
+          '.ai/templates/',
+          '.ai/skills/',
+          '.ai/checks/',
+          '.ai/prompts/',
+          '.ai/adapters/',
+          'adapters/'
+        ].some(prefix => normPattern.startsWith(prefix));
+
+        const hasTraversal = normPattern.includes('..') || normPattern.startsWith('/');
+        const isBlacklisted = [
+          '.env',
+          '.npmrc',
+          '.git/',
+          'node_modules/',
+          'package.json',
+          'package-lock.json'
+        ].some(black => normPattern.includes(black));
+
+        if (!isSafeSubdir || hasTraversal || isBlacklisted) {
+          errors.push(`File pattern '${pat}' violates safety boundaries`);
+        }
+      });
+    }
+  }
+
+  if (manifestObj.denied_file_patterns !== undefined) {
+    if (!Array.isArray(manifestObj.denied_file_patterns)) {
+      errors.push(`denied_file_patterns must be an array`);
+    } else {
+      manifestObj.denied_file_patterns.forEach(pat => {
+        if (typeof pat !== 'string') {
+          errors.push(`denied_file_patterns item must be a string: ${pat}`);
+        }
+      });
+    }
+  }
+
+  if (manifestObj.workflows !== undefined) {
+    if (typeof manifestObj.workflows !== 'object' || Array.isArray(manifestObj.workflows)) {
+      errors.push(`workflows must be an object`);
+    }
+  }
+
+  if (manifestObj.templates !== undefined) {
+    if (typeof manifestObj.templates !== 'object' || Array.isArray(manifestObj.templates)) {
+      errors.push(`templates must be an object`);
+    }
+  }
+
+  if (manifestObj.adapters !== undefined) {
+    if (typeof manifestObj.adapters !== 'object' || Array.isArray(manifestObj.adapters)) {
+      errors.push(`adapters must be an object`);
+    }
+  }
+
+  if (manifestObj.safety_notes !== undefined) {
+    if (typeof manifestObj.safety_notes !== 'string') {
+      errors.push(`safety_notes must be a string`);
+    }
+  }
+
+  return {
+    success: errors.length === 0,
+    errors
+  };
+}

package/src/registry/sources.js

@@ -0,0 +1,40 @@
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { sourceRoot } from '../core/globals.js';
+import { parseYaml } from '../core/yaml.js';
+
+export function loadRegistrySources() {
+  const paths = [
+    join(sourceRoot, '.ai', 'registries', 'sources.yaml')
+  ];
+  for (const p of paths) {
+    if (existsSync(p)) {
+      try {
+        const parsed = parseYaml(readFileSync(p, 'utf8'));
+        return parsed.sources || [];
+      } catch (e) {}
+    }
+  }
+  return [{ name: 'bundled', type: 'local', url: '.ai/plugins/catalog.yaml', enabled: true, trust_level: 'trusted', safety_policy: 'sandboxed', signature_required: false, checksum_required: false }];
+}
+
+export function saveRegistrySources(sources) {
+  const path = join(sourceRoot, '.ai', 'registries', 'sources.yaml');
+  let yaml = '# Registry Sources Configuration\n';
+  yaml += '# Remote registries are DISABLED by default.\n';
+  yaml += '# Enable via .ai/policies/registry-policy.yaml (set allow_remote_registries: true)\n\n';
+  yaml += 'sources:\n';
+  sources.forEach(s => {
+    yaml += `  - name: "${s.name}"\n`;
+    yaml += `    type: "${s.type}"\n`;
+    yaml += `    url: "${s.url}"\n`;
+    yaml += `    enabled: ${s.enabled}\n`;
+    yaml += `    trust_level: "${s.trust_level}"\n`;
+    yaml += `    safety_policy: "${s.safety_policy}"\n`;
+    yaml += `    signature_required: ${s.signature_required}\n`;
+    yaml += `    checksum_required: ${s.checksum_required}\n`;
+    if (s.last_synced_at) yaml += `    last_synced_at: "${s.last_synced_at}"\n`;
+    if (s.pinned_commit_or_hash) yaml += `    pinned_commit_or_hash: "${s.pinned_commit_or_hash}"\n`;
+  });
+  writeFileSync(path, yaml, 'utf8');
+}

package/src/registry/validation.js

@@ -0,0 +1,45 @@
+export function validateRegistryUrl(urlStr, policy = {}) {
+  if (!urlStr || typeof urlStr !== 'string') {
+    throw new Error('Registry URL must be a non-empty string.');
+  }
+
+  // Reject empty/whitespace/control characters
+  if (urlStr.trim() === '' || /\s/.test(urlStr) || /[\x00-\x1F\x7F-\x9F]/.test(urlStr)) {
+    throw new Error('Registry URL must not contain whitespace or control characters.');
+  }
+
+  // Reject single quotes, double quotes, backticks
+  if (/['"`]/.test(urlStr)) {
+    throw new Error('Registry URL must not contain quotes or backticks.');
+  }
+
+  // Reject shell metacharacters
+  if (/[\$\;\&\|<>\(\)\*]/.test(urlStr)) {
+    throw new Error('Registry URL must not contain shell metacharacters.');
+  }
+
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(urlStr);
+  } catch (e) {
+    throw new Error('Registry URL is malformed or invalid.');
+  }
+
+  // Reject username/password credentials
+  if (parsedUrl.username || parsedUrl.password) {
+    throw new Error('Registry URL must not contain credentials.');
+  }
+
+  const protocol = parsedUrl.protocol;
+  const allowedProtocols = ['https:'];
+
+  if (policy.allow_http_localhost === true) {
+    if (parsedUrl.hostname === 'localhost' || parsedUrl.hostname === '127.0.0.1') {
+      allowedProtocols.push('http:');
+    }
+  }
+
+  if (!allowedProtocols.includes(protocol)) {
+    throw new Error(`Registry URL protocol '${protocol}' is not allowed. Only HTTPS is permitted.`);
+  }
+}

package/tests/README.md

@@ -0,0 +1,37 @@
+# MultiModel Dev OS Testing Suite
+
+This directory contains the testing manuals, schemas, and smoke routines to protect the code quality of `multimodel-dev-os`.
+
+---
+
+## 1. Testing Strategy
+
+We enforce a multi-tiered validation approach to protect release packaging:
+
+```
+┌────────────────────────────────────────────────────────┐
+│ Tier 1: Structural Verification (scripts/verify.js)     │
+│ Enforces 100+ files and contract schemas checkouts     │
+└──────────────────────────┬─────────────────────────────┘
+                           │
+┌──────────────────────────▼─────────────────────────────┐
+│ Tier 2: CLI Smoke Checks (bin/multimodel-dev-os.js)     │
+│ Validates command signature help and version trackers  │
+└──────────────────────────┬─────────────────────────────┘
+                           │
+┌──────────────────────────▼─────────────────────────────┐
+│ Tier 3: Template QA checks                             │
+│ Scaffolds tech templates to confirm zero-warnings runs │
+└────────────────────────────────────────────────────────┘
+```
+
+---
+
+## 2. Running the Linter Verification
+
+Always execute the strict linter before committing or tagging:
+```bash
+npm run verify
+```
+
+This dynamic zero-dependency Node.js pipeline audits files structures, config directories, schemas, and package dry-run tarball footprint constraints.

package/tests/fixtures/README.md

@@ -0,0 +1,22 @@
+# Integration Fixture Strategy
+
+To confirm that `multimodel-dev-os` behaves consistently across distinct operating systems and target directory boundaries, future automated integrations tests should utilize the fixtures detailed here.
+
+---
+
+## 1. Planned Fixtures Layout
+
+1. **`tests/fixtures/pristine/`**:
+   - Representing an empty repository where `init` command can execute with zero conflict.
+2. **`tests/fixtures/cluttered/`**:
+   - Represents a repository containing legacy rule files to test conflict resolution and `-f, --force` parameters.
+3. **`tests/fixtures/broken-config/`**:
+   - Formatted with syntactic invalid config configurations to verify validate catches and exits with appropriate non-zero error logs.
+
+---
+
+## 2. Dynamic Fixture Auditing
+
+When writing assertions:
+- Never commit active `.cursorrules` or `.gemini/` folders directly inside the templates' fixture folders to avoid index pollutions.
+- Use dry-run actions (`-d, --dry-run`) to assert targeted writes without mutative writes to actual testing paths.

package/tests/fixtures/custom-template-example/README.md

@@ -0,0 +1,10 @@
+# Custom Template Test Fixture
+
+This directory serves as a fixture for testing custom template validation and initialization flows.
+It contains the bare minimum files to simulate a template source package:
+
+* AGENTS.md
+* MEMORY.md
+* TASKS.md
+* RUNBOOK.md
+* .ai/config.yaml

package/tests/fixtures/proposals/approved-append-line.md

@@ -0,0 +1,28 @@
+---
+id: proposal-20260611-000001
+created_at: 2026-06-11T00:00:01Z
+title: Approved Append Line Proposal
+problem: Test append line behavior.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/append-target.md
+suggested_change: Append a line to the target.
+verify_command: npm run verify
+rollback_plan: git checkout -- tests/fixtures/custom-template-example/append-target.md
+approval_status: approved
+---
+
+# Approved Append Line Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "append_line",
+      "path": "tests/fixtures/custom-template-example/append-target.md",
+      "line": "added line content"
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/approved-create-file.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-000000
+created_at: 2026-06-11T00:00:00Z
+title: Approved Create File Proposal
+problem: Missing custom templates in tests.
+evidence: Directory is empty.
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/new-file.md
+suggested_change: Create a new markdown file.
+verify_command: npm run verify
+rollback_plan: rm tests/fixtures/custom-template-example/new-file.md
+approval_status: approved
+---
+
+# Approved Create File Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "tests/fixtures/custom-template-example/new-file.md",
+      "content": "new file content\n",
+      "overwrite": true
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/approved-replace-text.md

@@ -0,0 +1,30 @@
+---
+id: proposal-20260611-000002
+created_at: 2026-06-11T00:00:02Z
+title: Approved Replace Text Proposal
+problem: Test replace text behavior.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/replace-target.md
+suggested_change: Replace placeholder in the target.
+verify_command: npm run verify
+rollback_plan: git checkout -- tests/fixtures/custom-template-example/replace-target.md
+approval_status: approved
+---
+
+# Approved Replace Text Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "replace_text",
+      "path": "tests/fixtures/custom-template-example/replace-target.md",
+      "find": "placeholder",
+      "replace": "replaced content",
+      "allow_multiple": false
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/existing-create-file-no-overwrite.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-000004
+created_at: 2026-06-11T00:00:04Z
+title: Existing Create File No Overwrite Proposal
+problem: Test existing file without overwrite flag.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/existing.md
+suggested_change: Create file without overwrite flag.
+verify_command: npm run verify
+rollback_plan: N/A
+approval_status: approved
+---
+
+# Existing Create File No Overwrite Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "tests/fixtures/custom-template-example/existing.md",
+      "content": "new content\n",
+      "overwrite": false
+    }
+  ]
+}
+```