multimodel-dev-os 3.1.0 → 3.5.0

package/tests/fixtures/proposals/approved-create-file.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-000000
+created_at: 2026-06-11T00:00:00Z
+title: Approved Create File Proposal
+problem: Missing custom templates in tests.
+evidence: Directory is empty.
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/new-file.md
+suggested_change: Create a new markdown file.
+verify_command: npm run verify
+rollback_plan: rm tests/fixtures/custom-template-example/new-file.md
+approval_status: approved
+---
+
+# Approved Create File Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "tests/fixtures/custom-template-example/new-file.md",
+      "content": "new file content\n",
+      "overwrite": true
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/approved-replace-text.md

@@ -0,0 +1,30 @@
+---
+id: proposal-20260611-000002
+created_at: 2026-06-11T00:00:02Z
+title: Approved Replace Text Proposal
+problem: Test replace text behavior.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/replace-target.md
+suggested_change: Replace placeholder in the target.
+verify_command: npm run verify
+rollback_plan: git checkout -- tests/fixtures/custom-template-example/replace-target.md
+approval_status: approved
+---
+
+# Approved Replace Text Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "replace_text",
+      "path": "tests/fixtures/custom-template-example/replace-target.md",
+      "find": "placeholder",
+      "replace": "replaced content",
+      "allow_multiple": false
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/existing-create-file-no-overwrite.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-000004
+created_at: 2026-06-11T00:00:04Z
+title: Existing Create File No Overwrite Proposal
+problem: Test existing file without overwrite flag.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/existing.md
+suggested_change: Create file without overwrite flag.
+verify_command: npm run verify
+rollback_plan: N/A
+approval_status: approved
+---
+
+# Existing Create File No Overwrite Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "tests/fixtures/custom-template-example/existing.md",
+      "content": "new content\n",
+      "overwrite": false
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/no-operations.md

@@ -0,0 +1,18 @@
+---
+id: proposal-20260611-333333
+created_at: 2026-06-11T33:33:33Z
+title: No Operations Proposal
+problem: Vague proposal without machine readable block.
+evidence: N/A
+risk_level: low
+affected_files:
+  - README.md
+suggested_change: Edit README.md manually.
+verify_command: npm run verify
+rollback_plan: git checkout -- README.md
+approval_status: approved
+---
+
+# No Operations Proposal
+
+Please edit the README.md to describe the codebase in more detail.

package/tests/fixtures/proposals/path-traversal.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-000003
+created_at: 2026-06-11T00:00:03Z
+title: Path Traversal Proposal
+problem: Test directory traversal boundaries check.
+evidence: N/A
+risk_level: low
+affected_files:
+  - ../outside.md
+suggested_change: Modify file outside root.
+verify_command: npm run verify
+rollback_plan: N/A
+approval_status: approved
+---
+
+# Path Traversal Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "../outside-file.md",
+      "content": "outside content\n",
+      "overwrite": true
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/pending-proposal.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-111111
+created_at: 2026-06-11T11:11:11Z
+title: Pending Proposal
+problem: Test pending proposal.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/pending.md
+suggested_change: Create pending file.
+verify_command: npm run verify
+rollback_plan: rm tests/fixtures/custom-template-example/pending.md
+approval_status: pending
+---
+
+# Pending Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": "tests/fixtures/custom-template-example/pending.md",
+      "content": "pending\n",
+      "overwrite": true
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/protected-path.md

@@ -0,0 +1,29 @@
+---
+id: proposal-20260611-222222
+created_at: 2026-06-11T22:22:22Z
+title: Protected Path Proposal
+problem: Try to modify protected path.
+evidence: N/A
+risk_level: low
+affected_files:
+  - .env
+suggested_change: Modify .env file.
+verify_command: npm run verify
+rollback_plan: git checkout -- .env
+approval_status: approved
+---
+
+# Protected Path Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "create_file",
+      "path": ".env",
+      "content": "SECRET_KEY=stolen\n",
+      "overwrite": true
+    }
+  ]
+}
+```

package/tests/fixtures/proposals/replace-multiple-without-allow.md

@@ -0,0 +1,30 @@
+---
+id: proposal-20260611-000005
+created_at: 2026-06-11T00:00:05Z
+title: Replace Multiple Without Allow Proposal
+problem: Test replace text matching multiple times without allow_multiple.
+evidence: N/A
+risk_level: low
+affected_files:
+  - tests/fixtures/custom-template-example/multiple.md
+suggested_change: Replace multiple occurrences without allow_multiple flag.
+verify_command: npm run verify
+rollback_plan: N/A
+approval_status: approved
+---
+
+# Replace Multiple Without Allow Proposal
+
+```json
+{
+  "operations": [
+    {
+      "type": "replace_text",
+      "path": "tests/fixtures/custom-template-example/multiple.md",
+      "find": "target",
+      "replace": "replaced",
+      "allow_multiple": false
+    }
+  ]
+}
+```

package/tests/fixtures/registry-overrides/README.md

@@ -0,0 +1,20 @@
+# Registry Overrides Test Fixture Guide
+
+This fixture folder demonstrates and validates overriding the default model/adapter/template registries using custom YAML files and the `--registry` flag.
+
+## Files Structure
+
+For testing registry overrides, you can specify custom templates/adapters files:
+
+* `custom-templates.yaml`: Defines mock template profiles.
+* `custom-adapters.yaml`: Defines mock adapters setup.
+
+## Usage in Testing
+
+```bash
+# List templates from the custom templates fixture file
+node bin/multimodel-dev-os.js templates --registry tests/fixtures/registry-overrides/custom-templates.yaml
+
+# Run validations on a custom template entry
+node bin/multimodel-dev-os.js validate-template my-mock-template --registry tests/fixtures/registry-overrides/custom-templates.yaml
+```

package/tests/fixtures/signed-registries/README.md

@@ -0,0 +1,4 @@
+# Mock Registry Signing Fixtures (Test-Only)
+
+WARNING: The keys, manifests, and signatures in this directory are generated automatically for MultiModel Dev OS unit and E2E tests.
+DO NOT use these private/public keys in production. All keys are mock keys.

package/tests/fixtures/signed-registries/revoked-key/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/revoked-key/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Key ID 'test-key-revoked' is revoked (must be active)."
+  ]
+}

package/tests/fixtures/signed-registries/revoked-key/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-revoked"
+    signature: "LyuSIQ72kyOuNVqie1P/vZVi2PqFsCS//Q6/mAstTG1zDQvGPd5HwH8t1FPEOtP7Sbb31udJ7NJY3cdCWpACCg=="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/tampered-manifest/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/tampered-manifest/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Invalid Ed25519 signature for key_id 'test-key-valid'."
+  ]
+}

package/tests/fixtures/signed-registries/tampered-manifest/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-valid"
+    signature: "MCowBQYDK2VwAyEA9vWwyE5+fY0dvEzl9S1UcvtoMkOAIDhDCzZAkP+CVNo="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/trusted-keys.yaml

@@ -0,0 +1,23 @@
+
+# MultiModel Dev OS Test-Only Trusted Keys Fixture
+# WARNING: These keys are for unit testing and E2E verification validation only.
+# DO NOT USE IN PRODUCTION.
+trusted_publishers:
+  - key_id: test-key-valid
+    name: "Mock Valid Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEAU1uu8t1/5aXZRvNDNkKpBRJ2SgkKJtlX6pMmuF90tx8="
+    scopes: ["registry"]
+    status: "active"
+  - key_id: test-key-revoked
+    name: "Mock Revoked Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEAvcxhJeWu5VSDxdAva1GwtzgWspYFJ9U1TRJ1a7bUyRA="
+    scopes: ["registry"]
+    status: "revoked"
+  - key_id: test-key-disabled
+    name: "Mock Disabled Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEA9uWCD3w/zkUoQ9RTpQUZ52sib3ctl3fre1PZZowVmvg="
+    scopes: ["registry"]
+    status: "disabled"

package/tests/fixtures/signed-registries/unsigned-remote-required/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/unsigned-remote-required/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Unsigned remote registries are not allowed by policy."
+  ]
+}

package/tests/fixtures/signed-registries/unsigned-remote-required/registry-manifest.yaml

@@ -0,0 +1,9 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"

package/tests/fixtures/signed-registries/unsupported-algorithm/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/unsupported-algorithm/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Signature algorithm 'rsa-sha256' is not allowed by policy (allowed: ed25519, hmac-sha256)."
+  ]
+}

package/tests/fixtures/signed-registries/unsupported-algorithm/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "rsa-sha256"
+    key_id: "test-key-valid"
+    signature: "mock-sig"
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/valid-signed-registry/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/valid-signed-registry/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "trusted",
+  "signature_status": "verified",
+  "trusted_publisher_status": "trusted",
+  "errors": [],
+  "warnings": []
+}

package/tests/fixtures/signed-registries/valid-signed-registry/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-valid"
+    signature: "CjhqbNnmTh9wzBTBRlnkaCjZDTvxj8rImdtwOQIBOu0I+kCd8ec3x/jcNvJesy/Fqd2yl70vToqKAiVxD0GVAQ=="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/wrong-key/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/wrong-key/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Key ID 'test-key-wrong' not found in trust store."
+  ]
+}

package/tests/fixtures/signed-registries/wrong-key/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-wrong"
+    signature: "XChca7Nje+hM8QPfHHL8iwVjW8mL9wOeNhZBOo0hloV5CHhaFH9qm0k5e2xvFLMLOc3j+8CMCqJozPdWgiqxBw=="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/smoke/README.md

@@ -0,0 +1,37 @@
+# Smoke Tests Playbook
+
+Follow these quick manual verification commands to assert the functional integrity of `multimodel-dev-os` before pushing tag releases.
+
+---
+
+## 1. Quick Verification Pipeline
+
+Run the following actions sequentially inside a target sandbox:
+
+```bash
+# 1. Inspect version parameters and command menu
+node bin/multimodel-dev-os.js --help
+
+# 2. View all built-in configurations
+node bin/multimodel-dev-os.js templates
+
+# 3. Inspect a specific template's specifications
+node bin/multimodel-dev-os.js show-template nextjs-saas
+
+# 4. Dry-run scaffold inside the current repository
+node bin/multimodel-dev-os.js init --template general-app --dry-run
+
+# 5. Execute strict validation lints
+node bin/multimodel-dev-os.js validate --target .
+
+# 6. Execute diagnostic doctor checkups
+node bin/multimodel-dev-os.js doctor --target .
+```
+
+---
+
+## 2. Dry-Run Verification
+
+Assert that no physical files are created when running the `--dry-run` parameter:
+- Verify stdout logs indicate `[DRY-RUN] Would create...`
+- Confirm `git status` reports zero untracked files or modifications.

package/tests/smoke/cli-smoke.md

@@ -0,0 +1,49 @@
+# CLI Smoke Test Specification
+
+This document lists the essential CLI commands to execute when verifying the MultiModel Dev OS installation stability.
+
+## Sanity Commands
+
+```bash
+# Verify help output
+node bin/multimodel-dev-os.js --help
+
+# List templates
+node bin/multimodel-dev-os.js templates
+node bin/multimodel-dev-os.js templates --json
+
+# List models and adapters
+node bin/multimodel-dev-os.js models --json
+node bin/multimodel-dev-os.js adapters --json
+
+# List active skills
+node bin/multimodel-dev-os.js skills
+```
+
+## Validation & Doctor Commands
+
+```bash
+# Validate built-in resources
+node bin/multimodel-dev-os.js validate-template nextjs-saas
+node bin/multimodel-dev-os.js validate-adapter cursor
+node bin/multimodel-dev-os.js validate-skill custom-skill.example
+
+# Validate all registry entries
+node bin/multimodel-dev-os.js validate --all-registries
+
+# Release advisory checkup
+node bin/multimodel-dev-os.js doctor --release
+
+# Token budget checks
+node bin/multimodel-dev-os.js doctor --tokens --threshold 100KB
+```
+
+## Initialization Dry-Runs
+
+```bash
+# Dry-run general app init
+node bin/multimodel-dev-os.js init --dry-run --template general-app
+
+# Dry-run with adapter injections
+node bin/multimodel-dev-os.js init --dry-run --template nextjs-saas -a cursor -a claude
+```

package/tests/unit/build-output.test.js

@@ -0,0 +1,40 @@
+import { describe, it, expect } from 'vitest';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { execSync } from 'child_process';
+
+describe('Build Output Verification', () => {
+  const buildPath = join(process.cwd(), 'bin', 'multimodel-dev-os.js');
+
+  it('should compile the output file successfully', () => {
+    expect(existsSync(buildPath)).toBe(true);
+  });
+
+  it('should contain exactly one shebang at the top', () => {
+    const content = readFileSync(buildPath, 'utf8');
+    const totalShebangs = (content.match(/#!/g) || []).length;
+    
+    expect(content.startsWith('#!/usr/bin/env node')).toBe(true);
+    expect(totalShebangs).toBe(1);
+  });
+
+  it('should contain the generation warning header', () => {
+    const content = readFileSync(buildPath, 'utf8');
+    expect(content).toContain('// Generated from src/. Do not edit directly.');
+  });
+
+  it('should not contain dangerous registry URL interpolation', () => {
+    const content = readFileSync(buildPath, 'utf8');
+    
+    const hasUnsafeSync = content.includes("mod.get('${targetUrl}'") || (content.includes('execSync(`node -e "') && content.includes('${targetUrl}'));
+    expect(hasUnsafeSync).toBe(false);
+    
+    expect(content).toContain('execFileSync(process.execPath');
+  });
+
+  it('should be completely fresh and match the source modules', () => {
+    expect(() => {
+      execSync('node scripts/check-build-fresh.js', { stdio: 'ignore' });
+    }).not.toThrow();
+  });
+});

package/tests/unit/catalog-loader.test.js

@@ -0,0 +1,44 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { loadCatalogFromSource, loadCatalog } from '../../src/catalog/loader.js';
+import { existsSync, mkdirSync, writeFileSync, rmSync } from 'fs';
+import { join } from 'path';
+
+describe('Catalog Loader', () => {
+  const tempDir = join(process.cwd(), 'temp-catalog-test');
+  const localCatalogDir = join(tempDir, '.ai', 'plugins');
+  const localCatalogFile = join(localCatalogDir, 'catalog.yaml');
+
+  beforeAll(() => {
+    mkdirSync(localCatalogDir, { recursive: true });
+  });
+
+  afterAll(() => {
+    if (existsSync(tempDir)) {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it('should load bundled catalog from fallback or global if no target is specified', () => {
+    const catalog = loadCatalog();
+    expect(catalog).toBeDefined();
+    expect(Array.isArray(catalog.plugins)).toBe(true);
+  });
+
+  it('should load local catalog when source is "local"', () => {
+    const localYaml = `
+catalog:
+  plugins:
+    - name: local-plugin
+      slug: local-slug
+      version: 1.0.0
+      description: local test
+      author: test
+    `;
+    writeFileSync(localCatalogFile, localYaml, 'utf8');
+
+    const result = loadCatalogFromSource('local', { target: tempDir });
+    expect(result.plugins).toHaveLength(1);
+    expect(result.plugins[0].name).toBe('local-plugin');
+    expect(result.plugins[0]._source).toBe('local');
+  });
+});