BMAD-METHOD/tools/installer
Brian Madison fb57c81176 fix(installer): address third-round PR #2353 review comments
(J) Prototype pollution guard (CodeRabbit major).
`--set __proto__.x=1` previously mutated Object.prototype because
`overrides.__proto__` returned Object.prototype on a plain object,
and assigning `[key]=value` polluted every plain object in the process.
Verified the attack reproduces on f1c9e12 and is now blocked: parser
rejects __proto__/prototype/constructor segments, and the maps are
Object.create(null) for defense-in-depth.

(I) Non-zero exit when --list-options <module>'s yaml is unparseable
(CodeRabbit major). formatOptionsList tracks moduleScopedFailure and
returns ok:false in that case; install.js exits 1.

(F) Dynamic defaults can now see --set sibling values (Augment medium).
buildQuestion's function default falls back to
`this.collectedConfig[mod][otherKey]`, but overrides were only in
`allAnswers` (local) at default-evaluation time. Pre-write override
raw values to collectedConfig before the prompt batch so the
fallback resolves. Post-prompt template processing overwrites with
the rendered version.

(E) applyOverridesAfterSeeding no longer bypasses carry-forward when
the schema can't be loaded (Augment low). Restructured: schema-load
is now best-effort; without schema, declaredKeys is an empty Set, so
all overrides are flagged as "unknown" and carry-forward runs against
every prior key. Comment now matches behavior.

(G) Flag placeholder --set <spec> instead of <module.key=value>
(Augment low) — angle brackets in the placeholder were misleading;
the description spells out the spec format.

(H) README wording: "every available key" → "locally-known official
keys (built-in modules plus any external officials cached on this
machine)" (CodeRabbit minor) — accurately reflects scope.

Tests: +2 cases for prototype-pollution rejection. Total 343 passing.
2026-04-28 11:42:07 -05:00
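
The guard described in item (J) of the commit message above, as an added example that is not the project's own code. The function names `parseSetNaive`, `parseSetGuarded` and `demo` are hypothetical, and the two-segment `module.key=value` spec shape is assumed from the flag description.

```javascript
// Added illustration, not BMAD-METHOD source. Function names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// Unguarded form: plain-object maps and no segment check.
function parseSetNaive(specs) {
  const overrides = {};
  for (const spec of specs) {
    const eq = spec.indexOf('=');
    const [mod, key] = spec.slice(0, eq).split('.');
    // overrides['__proto__'] resolves to Object.prototype on a plain object,
    // so the keyed write below lands on the shared prototype.
    overrides[mod] = overrides[mod] || {};
    overrides[mod][key] = spec.slice(eq + 1);
  }
  return overrides;
}

// Guarded form: reject dangerous segments, and keep null-prototype maps.
function parseSetGuarded(specs) {
  const overrides = Object.create(null);
  for (const spec of specs) {
    const eq = spec.indexOf('=');
    if (eq < 1) throw new Error(`invalid --set spec: ${spec}`);
    const segments = spec.slice(0, eq).split('.');
    if (segments.length !== 2 || segments.some((s) => s === '' || FORBIDDEN.has(s))) {
      throw new Error(`rejected --set path: ${spec.slice(0, eq)}`);
    }
    const [mod, key] = segments;
    if (!(mod in overrides)) overrides[mod] = Object.create(null);
    overrides[mod][key] = spec.slice(eq + 1);
  }
  return overrides;
}

// Runs both parsers on a constructed spec and reports what each did.
function demo() {
  const out = { naivePolluted: false, guardedRejected: false, guardedPolluted: false };
  try {
    parseSetNaive(['__proto__.polluted=1']);
    out.naivePolluted = ({}).polluted === '1';
  } finally {
    delete Object.prototype.polluted; // restore the prototype for the rest of the run
  }
  try { parseSetGuarded(['__proto__.polluted=1']); } catch { out.guardedRejected = true; }
  out.guardedPolluted = 'polluted' in {};
  return out;
}
console.log(demo());
```

The null-prototype maps matter independently of the segment check: on such a map `__proto__` is an ordinary own key, so a write that slipped past the check would still not reach `Object.prototype`.
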
..
commands fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
core feat(installer): add --set and --list-options for non-interactive config (#1663) 2026-04-28 09:54:34 -05:00
ide fix(installer): require --tools for fresh --yes installs; remove --tools none (#2346) 2026-04-27 23:01:23 -05:00
modules fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
README.md refactor(installer): restructure installer with clean separation of concerns (#2129) 2026-03-27 06:50:07 -06:00
bmad-cli.js fix(publish): advance @next dist-tag after stable release (#2320) 2026-04-26 10:30:41 -05:00
cli-utils.js chore(installer): remove 1,683 lines of dead code (#2247) 2026-04-10 20:24:50 -07:00
file-ops.js fix(installer): replace fs-extra with native node:fs to prevent file loss 2026-04-13 00:44:28 -05:00
fs-native.js fix(installer): add missing sync and async methods to fs-native wrapper 2026-04-13 09:59:41 -05:00
install-messages.yaml feat(installer): overhaul branding, versioning, and skill cleanup (#2223) 2026-04-07 02:31:36 -05:00
list-options.js fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
message-loader.js fix(installer): replace fs-extra with native node:fs to prevent file loss 2026-04-13 00:44:28 -05:00
project-root.js fix(installer): route community installs through PluginResolver when marketplace.json ships (#2331) 2026-04-26 22:50:47 -05:00
prompts.js chore(installer): remove 1,683 lines of dead code (#2247) 2026-04-10 20:24:50 -07:00
set-overrides.js fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
ui.js fix(installer): address PR #2353 review comments 2026-04-28 10:27:37 -05:00
yaml-format.js refactor(installer): restructure installer with clean separation of concerns (#2129) 2026-03-27 06:50:07 -06:00

README.md

BMad CLI Tool

Installing external repo BMad official modules

For external official modules to be discoverable during install, ensure an entry for the external repo is added to external-official-modules.yaml.

Community modules will be handled in a different way. This file is only for registering modules under the bmad-code-org.

Post-Install Notes

Modules can display setup guidance to users after configuration is collected during npx bmad-method install. Notes are defined in the module's own module.yaml — no changes to the installer are needed.

Simple Format

Always displayed after the module is configured:

post-install-notes: |
  Thank you for choosing the XYZ Cool Module
  For Support about this Module call 555-1212  

Conditional Format

Display different messages based on a config question's answer:

post-install-notes:
  config_key_name:
    value1: |
      Instructions for value1...      
    value2: |
      Instructions for value2...      

Values without an entry (e.g., none) display nothing. Multiple config keys can each have their own conditional notes.

Example: TEA Module

The TEA module uses the conditional format keyed on tea_browser_automation:

post-install-notes:
  tea_browser_automation:
    cli: |
      Playwright CLI Setup:
        npm install -g @playwright/cli@latest
        playwright-cli install --skills      
    mcp: |
      Playwright MCP Setup (two servers):
        1. playwright    — npx @playwright/mcp@latest
        2. playwright-test — npx playwright run-test-mcp-server      
    auto: |
      Playwright CLI Setup:
        ...
      Playwright MCP Setup (two servers):
        ...      

When a user selects auto, they see both CLI and MCP instructions. When they select none, nothing is shown.