fix(installer): tighten hosted default-version check, flag legacy URL

- Replace the loose `latest` fragment check with per-format regex patterns
  in HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS so an unrelated occurrence
  of `latest` (comment, help text) cannot satisfy the staging guard. The
  patterns still tolerate whitespace variation, only the default-version
  assignment itself must be intact.
- Add a "Hosted endpoint status" callout in INSTALLATION_GUIDE.md before
  the curl examples. The documented `--version` flow does not work against
  the OSS URL today because it currently serves the legacy NVM-based
  installer; the callout points users at a local checkout until the next
  release sync.
- Tests: drop `latest` from the fragments equality assertion, add positive
  and negative regex coverage, add a failure-path case for sources whose
  default version is not `latest`, and pin the new guide markers so the
  callout cannot silently disappear.

Author: yiliang114

scripts/build-hosted-installation-assets.js

@@ -38,8 +38,15 @@ const HOSTED_INSTALLATION_ASSET_NAMES = HOSTED_INSTALLATION_ASSETS.map(
 const HOSTED_INSTALLER_REQUIRED_FRAGMENTS = [
   '--version',
   'QWEN_INSTALL_VERSION',
-  'latest',
 ];
+// Narrow regexes that pin the default-version assignment to `latest`.
+// Substring matching alone would let the word "latest" leak in via comments
+// or help text even when the actual default has been changed. The patterns
+// allow whitespace flexibility but require the literal default value.
+const HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS = {
+  'install-qwen.sh': /VERSION\s*=\s*"\$\{QWEN_INSTALL_VERSION:-latest\}"/,
+  'install-qwen.bat': /set\s+"VERSION=latest"/,
+};
 // SHA256SUMS is allowed in an existing output directory because every staging
 // run rewrites it from scratch after copying the hosted installer assets.
 const HOSTED_INSTALLATION_OUTPUT_NAMES = new Set([
@@ -133,6 +140,13 @@ function assertHostedInstallerSource(source, output) {
       `${output} is missing hosted installer behavior: ${missing.join(', ')}`,
     );
   }
+
+  const defaultPattern = HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS[output];
+  if (defaultPattern && !defaultPattern.test(contents)) {
+    fail(
+      `${output} default install version must be 'latest' for the hosted entrypoint`,
+    );
+  }
 }
 
 async function writeHostedSha256Sums(outDir) {
@@ -167,6 +181,7 @@ async function assertHostedInstallationAssetChecksums(outDir) {
 export {
   HOSTED_INSTALLATION_ASSETS,
   HOSTED_INSTALLATION_ASSET_NAMES,
+  HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS,
   HOSTED_INSTALLER_REQUIRED_FRAGMENTS,
   assertHostedInstallationAssetChecksums,
   buildHostedInstallationAssets,

scripts/installation/INSTALLATION_GUIDE.md

@@ -43,6 +43,13 @@ specific standalone release. This keeps the public install command on a stable
 hosted entrypoint while still allowing version pinning, rather than using
 per-release installer URLs.
 
+> **Hosted endpoint status**: Until the hosted endpoint is re-synced after the
+> next release, the URL below still serves the legacy NVM-based installer,
+> which does not honor `--version` or `QWEN_INSTALL_VERSION` in the way
+> documented here. To get the standalone-archive-first behavior immediately,
+> run `install-qwen-with-source.sh` from a local checkout of this repository.
+> The `--version` examples below describe the post-sync behavior.
+
 Latest hosted entrypoints used today:
 
 ```bash

scripts/tests/install-script.test.js

@@ -487,6 +487,7 @@ describe('standalone release packaging', () => {
     const {
       HOSTED_INSTALLATION_ASSET_NAMES,
       HOSTED_INSTALLATION_ASSETS,
+      HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS,
       HOSTED_INSTALLER_REQUIRED_FRAGMENTS,
       assertHostedInstallationAssetChecksums,
       buildHostedInstallationAssets,
@@ -511,8 +512,29 @@ describe('standalone release packaging', () => {
       expect(HOSTED_INSTALLER_REQUIRED_FRAGMENTS).toEqual([
         '--version',
         'QWEN_INSTALL_VERSION',
-        'latest',
       ]);
+      // The default-version regex pins `latest` semantically rather than as a
+      // loose substring, so a stray `latest` in a comment cannot satisfy it.
+      expect(
+        HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS['install-qwen.sh'].test(
+          'VERSION="${QWEN_INSTALL_VERSION:-latest}"',
+        ),
+      ).toBe(true);
+      expect(
+        HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS['install-qwen.sh'].test(
+          '# defaults to latest',
+        ),
+      ).toBe(false);
+      expect(
+        HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS['install-qwen.bat'].test(
+          'set "VERSION=latest"',
+        ),
+      ).toBe(true);
+      expect(
+        HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS['install-qwen.bat'].test(
+          'rem defaults to latest',
+        ),
+      ).toBe(false);
       expect(readScript(installSh)).toBe(
         readScript('scripts/installation/install-qwen-with-source.sh'),
       );
@@ -568,6 +590,42 @@ describe('standalone release packaging', () => {
     }
   });
 
+  it('rejects hosted installer sources whose default version is not latest', async () => {
+    const { buildHostedInstallationAssets } = await import(
+      hostedInstallationScriptUrl
+    );
+    const tmpRoot = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-root-'));
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-install-'));
+    const sourceDir = path.join(tmpRoot, 'scripts', 'installation');
+
+    try {
+      mkdirSync(sourceDir, { recursive: true });
+      // Both fragments are present, but the default version was changed to
+      // something other than `latest`. The default-version pattern guard
+      // catches this, even though loose substring matching would not.
+      writeFileSync(
+        path.join(sourceDir, 'install-qwen-with-source.sh'),
+        '#!/usr/bin/env bash\n' +
+          '# Defaults to latest unless --version is passed.\n' +
+          'VERSION="${QWEN_INSTALL_VERSION:-stable}"\n' +
+          'case "$1" in --version) shift; VERSION="$1" ;; esac\n',
+      );
+      writeFileSync(
+        path.join(sourceDir, 'install-qwen-with-source.bat'),
+        '@echo off\r\nset "VERSION=stable"\r\n',
+      );
+
+      await expect(
+        buildHostedInstallationAssets(tmpDir, { root: tmpRoot }),
+      ).rejects.toThrow(
+        /install-qwen\.sh default install version must be 'latest'/,
+      );
+    } finally {
+      rmSync(tmpRoot, { recursive: true, force: true });
+      rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+
   it('rejects stale hosted installation assets in the output directory', async () => {
     const { buildHostedInstallationAssets } = await import(
       hostedInstallationScriptUrl
@@ -848,6 +906,11 @@ describe('standalone release packaging', () => {
     expect(guide).toContain('installation/install-qwen.sh');
     expect(guide).toContain('installation/install-qwen.bat');
     expect(guide).toContain('release operators must sync these staged files');
+    // The hosted-endpoint status callout must keep flagging the transition
+    // window so users do not assume the documented --version flow works
+    // before the next OSS sync.
+    expect(guide).toContain('Hosted endpoint status');
+    expect(guide).toContain('legacy NVM-based installer');
     expect(guide).toContain('node-pty');
     expect(guide).toContain('clipboard');
   });