@codyswann/lisa 2.171.0 → 2.171.1

package/dist/codex/scripts/install-pkgs.sh

@@ -11,16 +11,38 @@ if [ -d "node_modules" ] || [ ! -f "package.json" ]; then
   exit 0
 fi
 
-if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
-  command -v bun >/dev/null 2>&1 && bun install
-elif [ -f "pnpm-lock.yaml" ]; then
-  command -v pnpm >/dev/null 2>&1 && pnpm install
-elif [ -f "yarn.lock" ]; then
-  command -v yarn >/dev/null 2>&1 && yarn install
-elif [ -f "package-lock.json" ]; then
-  command -v npm >/dev/null 2>&1 && npm install
-else
-  command -v npm >/dev/null 2>&1 && npm install
-fi
+# Detect the package manager this project wants, honoring explicit opt-outs.
+# Precedence: packageManager field > engines "please-use-<pm>" sentinel >
+# lockfile presence (minus any PM the engines forbid) > npm default.
+#
+# This must NOT key on lockfile presence alone. An npm-only project
+# (engines.bun = "please-use-npm", CI runs `npm ci`) that picks up a stray
+# bun.lock would otherwise get `bun install`, re-create the bun.lock, and break
+# — the SE-5221 regression. The engines/packageManager signals are
+# authoritative; lockfiles are only a fallback and never override an opt-out.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+
+PACKAGE_MANAGER="$(detect_package_manager)"
+case "$PACKAGE_MANAGER" in
+  bun) command -v bun >/dev/null 2>&1 && bun install ;;
+  pnpm) command -v pnpm >/dev/null 2>&1 && pnpm install ;;
+  yarn) command -v yarn >/dev/null 2>&1 && yarn install ;;
+  *) command -v npm >/dev/null 2>&1 && npm install ;;
+esac
 
 exit 0

package/dist/utils/package-manager-detect.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Known package managers whose lockfiles must be regenerated when Lisa's apply
+ * mutates package.json (e.g., adds/updates resolutions or overrides entries).
+ */
+export type PackageManager = "bun" | "npm" | "pnpm" | "yarn";
+/**
+ * Description of a package manager's lockfile file + the command Lisa should run
+ * to rebuild the lockfile without running install scripts.
+ */
+export interface LockfileRegenPlan {
+    readonly pm: PackageManager;
+    readonly lockfile: string;
+    /** Additional lockfile names for the same PM (e.g. bun.lockb for bun). */
+    readonly lockfileAlternatives?: readonly string[];
+    readonly command: string;
+    readonly args: readonly string[];
+}
+/**
+ * Per-PM lockfile + regen command mapping. The regen commands are all
+ * "sync lockfile without running scripts" variants — we do NOT want to
+ * re-run lifecycle scripts (that would re-trigger the trampoline).
+ *
+ * bun: `bun install` is the canonical way to sync bun.lock after package.json
+ * changes. As of bun 1.x there is no `--lockfile-only` flag; `bun install`
+ * is already fast when node_modules is up-to-date and will simply update
+ * bun.lock to match package.json. We pass `--ignore-scripts` to avoid re-running
+ * the parent PM's lifecycle hooks (which triggered this trampoline to begin with).
+ */
+export declare const LOCKFILE_REGEN_PLANS: Readonly<Record<PackageManager, LockfileRegenPlan>>;
+/**
+ * Read the set of package managers a project explicitly opts OUT of via its
+ * package.json `engines` field. The repo-wide convention is to pin an unwanted
+ * package manager to a sentinel string such as `"please-use-npm"` (e.g. an
+ * npm-only project sets `engines.bun = "please-use-npm"`). Such a manager must
+ * never have its lockfile regenerated — even if a stray lockfile for it is
+ * present — because doing so re-creates the stray lockfile via that manager's
+ * `install`. That is the SE-5221 regression: a stray `bun.lock` in an npm-only
+ * project kept alive by `bun install`, which then misroutes the pre-push hook's
+ * package-manager detection to the bun branch.
+ * @param projectDir - Absolute path to the project directory
+ * @returns Set of package managers the project forbids (possibly empty)
+ */
+export declare function enginesForbiddenManagers(projectDir: string): ReadonlySet<PackageManager>;
+/**
+ * Detect which package managers the project uses based on lockfile presence,
+ * excluding any manager the project explicitly forbids via `engines`.
+ *
+ * A project may have more than one lockfile (the CDK dual-lockfile pattern
+ * keeps `bun.lock` for local dev while publishing `package-lock.json` for
+ * consumers), in which case every present lockfile must be regenerated so both
+ * stay in sync with package.json.
+ *
+ * Managers opted out via an `engines` sentinel (e.g. `bun = "please-use-npm"`)
+ * are dropped even when their lockfile is present, so the reconciliation never
+ * re-creates a stray lockfile the project deliberately disallows (SE-5221).
+ * @param projectDir - Absolute path to the project directory
+ * @returns Ordered list of detected package managers (possibly empty)
+ */
+export declare function detectPackageManagers(projectDir: string): readonly PackageManager[];
+/**
+ * Get the regen plan (command/args/lockfile) for a given package manager.
+ * @param pm - Package manager to look up
+ * @returns Regen plan describing which command to spawn
+ */
+export declare function getLockfileRegenPlan(pm: PackageManager): LockfileRegenPlan;
+//# sourceMappingURL=package-manager-detect.d.ts.map

package/dist/utils/package-manager-detect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-manager-detect.d.ts","sourceRoot":"","sources":["../../src/utils/package-manager-detect.ts"],"names":[],"mappings":"AAWA;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAE7D;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,EAAE,cAAc,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,0EAA0E;IAC1E,QAAQ,CAAC,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAKD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,EAAE,QAAQ,CACzC,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC,CA2BjC,CAAC;AAEX;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,MAAM,GACjB,WAAW,CAAC,cAAc,CAAC,CAmB7B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,GACjB,SAAS,cAAc,EAAE,CAU3B;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,cAAc,GAAG,iBAAiB,CAE1E"}

package/dist/utils/package-manager-detect.js

@@ -0,0 +1,109 @@
+/**
+ * @file package-manager-detect.ts
+ * @description Package-manager detection + lockfile-regen plans shared by the
+ * postinstall reconciliation trampoline. Split out from postinstall-trampoline
+ * so the detection surface (which manager a project actually uses, and which it
+ * explicitly forbids via `engines`) lives in one cohesive, well-tested module.
+ * @module utils
+ */
+import { existsSync, readFileSync } from "node:fs";
+import * as path from "node:path";
+const INSTALL = "install";
+const IGNORE_SCRIPTS = "--ignore-scripts";
+/**
+ * Per-PM lockfile + regen command mapping. The regen commands are all
+ * "sync lockfile without running scripts" variants — we do NOT want to
+ * re-run lifecycle scripts (that would re-trigger the trampoline).
+ *
+ * bun: `bun install` is the canonical way to sync bun.lock after package.json
+ * changes. As of bun 1.x there is no `--lockfile-only` flag; `bun install`
+ * is already fast when node_modules is up-to-date and will simply update
+ * bun.lock to match package.json. We pass `--ignore-scripts` to avoid re-running
+ * the parent PM's lifecycle hooks (which triggered this trampoline to begin with).
+ */
+export const LOCKFILE_REGEN_PLANS = {
+    bun: {
+        pm: "bun",
+        lockfile: "bun.lock",
+        lockfileAlternatives: ["bun.lockb"],
+        command: "bun",
+        args: [INSTALL, IGNORE_SCRIPTS],
+    },
+    npm: {
+        pm: "npm",
+        lockfile: "package-lock.json",
+        command: "npm",
+        args: [INSTALL, "--package-lock-only", IGNORE_SCRIPTS],
+    },
+    pnpm: {
+        pm: "pnpm",
+        lockfile: "pnpm-lock.yaml",
+        command: "pnpm",
+        args: [INSTALL, "--lockfile-only", IGNORE_SCRIPTS],
+    },
+    yarn: {
+        pm: "yarn",
+        lockfile: "yarn.lock",
+        command: "yarn",
+        args: [INSTALL, "--mode", "update-lockfile"],
+    },
+};
+/**
+ * Read the set of package managers a project explicitly opts OUT of via its
+ * package.json `engines` field. The repo-wide convention is to pin an unwanted
+ * package manager to a sentinel string such as `"please-use-npm"` (e.g. an
+ * npm-only project sets `engines.bun = "please-use-npm"`). Such a manager must
+ * never have its lockfile regenerated — even if a stray lockfile for it is
+ * present — because doing so re-creates the stray lockfile via that manager's
+ * `install`. That is the SE-5221 regression: a stray `bun.lock` in an npm-only
+ * project kept alive by `bun install`, which then misroutes the pre-push hook's
+ * package-manager detection to the bun branch.
+ * @param projectDir - Absolute path to the project directory
+ * @returns Set of package managers the project forbids (possibly empty)
+ */
+export function enginesForbiddenManagers(projectDir) {
+    try {
+        const pkg = JSON.parse(readFileSync(path.join(projectDir, "package.json"), "utf8"));
+        const engines = pkg.engines ?? {};
+        const managers = ["bun", "npm", "yarn", "pnpm"];
+        return new Set(managers.filter(pm => {
+            const value = engines[pm];
+            return (typeof value === "string" && /please-use|do-not-use/i.test(value));
+        }));
+    }
+    catch {
+        // No package.json, or it is unreadable/invalid — nothing is forbidden.
+        return new Set();
+    }
+}
+/**
+ * Detect which package managers the project uses based on lockfile presence,
+ * excluding any manager the project explicitly forbids via `engines`.
+ *
+ * A project may have more than one lockfile (the CDK dual-lockfile pattern
+ * keeps `bun.lock` for local dev while publishing `package-lock.json` for
+ * consumers), in which case every present lockfile must be regenerated so both
+ * stay in sync with package.json.
+ *
+ * Managers opted out via an `engines` sentinel (e.g. `bun = "please-use-npm"`)
+ * are dropped even when their lockfile is present, so the reconciliation never
+ * re-creates a stray lockfile the project deliberately disallows (SE-5221).
+ * @param projectDir - Absolute path to the project directory
+ * @returns Ordered list of detected package managers (possibly empty)
+ */
+export function detectPackageManagers(projectDir) {
+    const forbidden = enginesForbiddenManagers(projectDir);
+    return Object.values(LOCKFILE_REGEN_PLANS)
+        .filter(plan => [plan.lockfile, ...(plan.lockfileAlternatives ?? [])].some(f => existsSync(path.join(projectDir, f))))
+        .map(plan => plan.pm)
+        .filter(pm => !forbidden.has(pm));
+}
+/**
+ * Get the regen plan (command/args/lockfile) for a given package manager.
+ * @param pm - Package manager to look up
+ * @returns Regen plan describing which command to spawn
+ */
+export function getLockfileRegenPlan(pm) {
+    return LOCKFILE_REGEN_PLANS[pm];
+}
+//# sourceMappingURL=package-manager-detect.js.map

package/dist/utils/package-manager-detect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-manager-detect.js","sourceRoot":"","sources":["../../src/utils/package-manager-detect.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAqBlC,MAAM,OAAO,GAAG,SAAS,CAAC;AAC1B,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAE7B;IACF,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,QAAQ,EAAE,UAAU;QACpB,oBAAoB,EAAE,CAAC,WAAW,CAAC;QACnC,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,CAAC,OAAO,EAAE,cAAc,CAAC;KAChC;IACD,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,CAAC,OAAO,EAAE,qBAAqB,EAAE,cAAc,CAAC;KACvD;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,EAAE,cAAc,CAAC;KACnD;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,QAAQ,EAAE,WAAW;QACrB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,iBAAiB,CAAC;KAC7C;CACO,CAAC;AAEX;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,CACV,CAAC;QACpD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAU,CAAC;QACzD,OAAO,IAAI,GAAG,CACZ,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;YACnB,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1B,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ,IAAI,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,CAClE,CAAC;QACJ,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAkB;IAElB,MAAM,SAAS,GAAG,wBAAwB,CAAC,UAAU,CAAC,CAAC;IACvD,OAAO,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC;SACvC,MAAM,CAAC,IAAI,CAAC,EAAE,CACb,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC7D,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CACrC,CACF;SACA,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;SACpB,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,EAAkB;IACrD,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC;AAClC,CAAC"}

package/dist/utils/postinstall-trampoline.d.ts

@@ -1,19 +1,7 @@
 import { spawn } from "node:child_process";
-/**
- * Known package managers whose lockfiles must be regenerated when Lisa's apply
- * mutates package.json (e.g., adds/updates resolutions or overrides entries).
- */
-export type PackageManager = "bun" | "npm" | "pnpm" | "yarn";
-/**
- * Description of a package manager's lockfile file + the command Lisa should run
- * to rebuild the lockfile without running install scripts.
- */
-export interface LockfileRegenPlan {
-    readonly pm: PackageManager;
-    readonly lockfile: string;
-    readonly command: string;
-    readonly args: readonly string[];
-}
+import { type LockfileRegenPlan, type PackageManager, LOCKFILE_REGEN_PLANS, detectPackageManagers, enginesForbiddenManagers, getLockfileRegenPlan } from "./package-manager-detect.js";
+export { LOCKFILE_REGEN_PLANS, detectPackageManagers, enginesForbiddenManagers, getLockfileRegenPlan, };
+export type { LockfileRegenPlan, PackageManager };
 /**
  * Determine whether this Lisa invocation is running as a package-manager lifecycle
  * script (postinstall, prepare, etc.). Works across npm, bun, yarn, and pnpm since
@@ -70,23 +58,6 @@ export declare function shouldSchedulePostinstallReconciliation(dryRun: boolean)
  * @returns Absolute path to the Lisa dist directory
  */
 export declare function getLisaDistDir(moduleUrl: string): string;
-/**
- * Detect which package managers the project uses based on lockfile presence.
- *
- * A project may have more than one lockfile (the CDK dual-lockfile pattern
- * keeps `bun.lock` for local dev while publishing `package-lock.json` for
- * consumers), in which case every present lockfile must be regenerated so both
- * stay in sync with package.json.
- * @param projectDir - Absolute path to the project directory
- * @returns Ordered list of detected package managers (possibly empty)
- */
-export declare function detectPackageManagers(projectDir: string): readonly PackageManager[];
-/**
- * Get the regen plan (command/args/lockfile) for a given package manager.
- * @param pm - Package manager to look up
- * @returns Regen plan describing which command to spawn
- */
-export declare function getLockfileRegenPlan(pm: PackageManager): LockfileRegenPlan;
 /**
  * Hash a file's contents (sha256, hex-encoded). Returns null if the file
  * does not exist or cannot be read. Used to detect whether Lisa mutated

package/dist/utils/postinstall-trampoline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"postinstall-trampoline.d.ts","sourceRoot":"","sources":["../../src/utils/postinstall-trampoline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAwC3C;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAE7D;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,EAAE,cAAc,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AA6DD;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,IAAI,OAAO,CASvC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,uCAAuC,CACrD,MAAM,EAAE,OAAO,GACd,OAAO,CAYT;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,GACjB,SAAS,cAAc,EAAE,CAI3B;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,cAAc,GAAG,iBAAiB,CAE1E;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAOxD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,4BAA4B,CAChD,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,2BAA2B,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EAMjB,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAmCf"}
+{"version":3,"file":"postinstall-trampoline.d.ts","sourceRoot":"","sources":["../../src/utils/postinstall-trampoline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAU3C,OAAO,EACL,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,oBAAoB,EACrB,MAAM,6BAA6B,CAAC;AAkCrC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,oBAAoB,GACrB,CAAC;AACF,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,CAAC;AAkBlD;;;;;GAKG;AACH,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,IAAI,OAAO,CASvC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,uCAAuC,CACrD,MAAM,EAAE,OAAO,GACd,OAAO,CAYT;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAOxD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,4BAA4B,CAChD,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,2BAA2B,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EAMjB,OAAO,GAAE,OAAO,KAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAmCf"}

package/dist/utils/postinstall-trampoline.js

@@ -1,9 +1,10 @@
 import { spawn } from "node:child_process";
 import { createHash } from "node:crypto";
-import { existsSync, readFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
 import * as path from "node:path";
 import { fileURLToPath } from "node:url";
 import { PM_PATH_ENV_NAMES, PM_PATH_ENV_PREFIXES, sanitizeEnvForReconciliation, } from "./pm-env.js";
+import { LOCKFILE_REGEN_PLANS, detectPackageManagers, enginesForbiddenManagers, getLockfileRegenPlan, } from "./package-manager-detect.js";
 /**
  * Env var set by npm/bun/yarn/pnpm when running lifecycle scripts (postinstall, etc.).
  * Used to detect whether Lisa was invoked as a postinstall child of a package manager.
@@ -28,45 +29,10 @@ const POLL_INTERVAL_MS = 100;
  * writes a moment to quiesce before Lisa re-applies its changes.
  */
 const SETTLE_DELAY_MS = 250;
-/**
- * Per-PM lockfile + regen command mapping. The regen commands are all
- * "sync lockfile without running scripts" variants — we do NOT want to
- * re-run lifecycle scripts (that would re-trigger the trampoline).
- *
- * bun: `bun install` is the canonical way to sync bun.lock after package.json
- * changes. As of bun 1.x there is no `--lockfile-only` flag; `bun install`
- * is already fast when node_modules is up-to-date and will simply update
- * bun.lock to match package.json. We pass `--ignore-scripts` to avoid re-running
- * the parent PM's lifecycle hooks (which triggered this trampoline to begin with).
- */
-const INSTALL = "install";
-const IGNORE_SCRIPTS = "--ignore-scripts";
-const LOCKFILE_REGEN_PLANS = {
-    bun: {
-        pm: "bun",
-        lockfile: "bun.lock",
-        command: "bun",
-        args: [INSTALL, IGNORE_SCRIPTS],
-    },
-    npm: {
-        pm: "npm",
-        lockfile: "package-lock.json",
-        command: "npm",
-        args: [INSTALL, "--package-lock-only", IGNORE_SCRIPTS],
-    },
-    pnpm: {
-        pm: "pnpm",
-        lockfile: "pnpm-lock.yaml",
-        command: "pnpm",
-        args: [INSTALL, "--lockfile-only", IGNORE_SCRIPTS],
-    },
-    yarn: {
-        pm: "yarn",
-        lockfile: "yarn.lock",
-        command: "yarn",
-        args: [INSTALL, "--mode", "update-lockfile"],
-    },
-};
+// Re-export the package-manager detection surface (imported above from
+// package-manager-detect.ts) so existing importers/tests can keep importing it
+// from this module.
+export { LOCKFILE_REGEN_PLANS, detectPackageManagers, enginesForbiddenManagers, getLockfileRegenPlan, };
 /**
  * Read an env var by name without widening the project-wide process.env ban.
  * Lisa's CLI isn't a Lambda handler or Nest service; it has to introspect its
@@ -171,29 +137,6 @@ export function getLisaDistDir(moduleUrl) {
     // Walk from <dist>/utils/postinstall-trampoline.js → <dist>
     return path.resolve(path.dirname(filename), "..");
 }
-/**
- * Detect which package managers the project uses based on lockfile presence.
- *
- * A project may have more than one lockfile (the CDK dual-lockfile pattern
- * keeps `bun.lock` for local dev while publishing `package-lock.json` for
- * consumers), in which case every present lockfile must be regenerated so both
- * stay in sync with package.json.
- * @param projectDir - Absolute path to the project directory
- * @returns Ordered list of detected package managers (possibly empty)
- */
-export function detectPackageManagers(projectDir) {
-    return Object.values(LOCKFILE_REGEN_PLANS)
-        .filter(plan => existsSync(path.join(projectDir, plan.lockfile)))
-        .map(plan => plan.pm);
-}
-/**
- * Get the regen plan (command/args/lockfile) for a given package manager.
- * @param pm - Package manager to look up
- * @returns Regen plan describing which command to spawn
- */
-export function getLockfileRegenPlan(pm) {
-    return LOCKFILE_REGEN_PLANS[pm];
-}
 /**
  * Hash a file's contents (sha256, hex-encoded). Returns null if the file
  * does not exist or cannot be read. Used to detect whether Lisa mutated
@@ -407,10 +350,24 @@ function buildTrampolineHelpers(literals) {
       catch { return null; }
     }
 
+    function enginesForbiddenManagers(dir) {
+      try {
+        const pkg = JSON.parse(readFileSync(path.join(dir, "package.json"), "utf8"));
+        const engines = (pkg && pkg.engines) || {};
+        return ["bun", "npm", "yarn", "pnpm"].filter(
+          (pm) => typeof engines[pm] === "string" && /please-use|do-not-use/i.test(engines[pm])
+        );
+      } catch {
+        return [];
+      }
+    }
+
     function detectPackageManagers(dir) {
+      const forbidden = enginesForbiddenManagers(dir);
       return Object.values(LOCKFILE_PLANS)
-        .filter((plan) => existsSync(path.join(dir, plan.lockfile)))
-        .map((plan) => plan.pm);
+        .filter((plan) => [plan.lockfile].concat(plan.lockfileAlternatives || []).some((f) => existsSync(path.join(dir, f))))
+        .map((plan) => plan.pm)
+        .filter((pm) => forbidden.indexOf(pm) === -1);
     }
 
     async function waitForParent() {

package/dist/utils/postinstall-trampoline.js.map

@@ -1 +1 @@
-{"version":3,"file":"postinstall-trampoline.js","sourceRoot":"","sources":["../../src/utils/postinstall-trampoline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,aAAa,CAAC;AAErB;;;GAGG;AACH,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C;;;GAGG;AACH,MAAM,kBAAkB,GAAG,6BAA6B,CAAC;AAEzD;;;GAGG;AACH,MAAM,WAAW,GAAG,OAAO,CAAC;AAE5B;;GAEG;AACH,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAE7B;;;GAGG;AACH,MAAM,eAAe,GAAG,GAAG,CAAC;AAmB5B;;;;;;;;;;GAUG;AACH,MAAM,OAAO,GAAG,SAAS,CAAC;AAC1B,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAE1C,MAAM,oBAAoB,GAEtB;IACF,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,CAAC,OAAO,EAAE,cAAc,CAAC;KAChC;IACD,GAAG,EAAE;QACH,EAAE,EAAE,KAAK;QACT,QAAQ,EAAE,mBAAmB;QAC7B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,CAAC,OAAO,EAAE,qBAAqB,EAAE,cAAc,CAAC;KACvD;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,EAAE,cAAc,CAAC;KACnD;IACD,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM;QACV,QAAQ,EAAE,WAAW;QACrB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,iBAAiB,CAAC;KAC7C;CACO,CAAC;AAEX;;;;;;;;;;GAUG;AACH,SAAS,OAAO,CAAC,IAAY;IAC3B,4IAA4I;IAC5I,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,OAAO,CAAC,kBAAkB,CAAC,KAAK,GAAG,CAAC;AAC7C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,gBAAgB,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,CACL,OAAO,CAAC,IAAI,CAAC,KAAK,MAAM;QACxB,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG;QACrB,OAAO,CAAC,gBAAgB,CAAC,KAAK,MAAM;QACpC,OAAO,CAAC,wBAAwB,CAAC,KAAK,MAAM,CAC7C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,uCAAuC,CACrD,MAAe;IAEf,IAAI,MAAM;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,qBAAqB,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,6EAA6E;IAC7E,2EAA2E;IAC3E,2EAA2E;IAC3E,gEAAgE;IAChE,wEAAwE;IACxE,yEAAyE;IACzE,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,gBAAgB,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,0BAA0B,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IAC1C,4DAA4D;IAC5D,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAkB;IAElB,OAAO,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC;SACvC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;SAChE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,EAAkB;IACrD,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,UAAkB,EAClB,UAAwB,KAAK;IAE7B,KAAK,MAAM,EAAE,IAAI,qBAAqB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;YAChC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE;oBAClD,GAAG,EAAE,UAAU;oBACf,KAAK,EAAE,QAAQ;iBAChB,CAAC,CAAC;gBACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,UAAkB,EAClB,WAAmB,EACnB,SAAiB;AACjB,yEAAyE;AACzE,4EAA4E;AAC5E,2EAA2E;AAC3E,wEAAwE;AACxE,0DAA0D;AAC1D,UAAwB,KAAK;IAE7B,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAErD,MAAM,gBAAgB,GAAG,qBAAqB,CAAC;QAC7C,SAAS;QACT,cAAc,EAAE,gBAAgB;QAChC,SAAS,EAAE,WAAW;QACtB,aAAa,EAAE,eAAe;QAC9B,SAAS;QACT,UAAU;QACV,OAAO;QACP,gBAAgB,EAAE,kBAAkB;QACpC,kBAAkB,EAAE,oBAAoB;KACzC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE;QACvD,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,QAAQ;QACf,GAAG,EAAE;YACH,0EAA0E;YAC1E,yEAAyE;YACzE,mFAAmF;YACnF,GAAG,4BAA4B,CAAC,YAAY,EAAE,CAAC;YAC/C,8EAA8E;YAC9E,6EAA6E;YAC7E,CAAC,iBAAiB,CAAC,EAAE,EAAE;YACvB,CAAC,kBAAkB,CAAC,EAAE,GAAG;SAC1B;KACF,CAAC,CAAC;IAEH,mEAAmE;IACnE,mEAAmE;IACnE,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY;IACnB,8JAA8J;IAC9J,OAAO,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;AAC5B,CAAC;AAoBD;;;;;;;;;;;;;;GAcG;AACH,SAAS,qBAAqB,CAAC,MAA8B;IAC3D,wEAAwE;IACxE,MAAM,QAAQ,GAAG;QACf,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,cAAc,CAAC;QACrD,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC;QACnD,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzD,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,kBAAkB,CAAC;QACxD,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC;QACnD,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC;KACrC,CAAC;IAEX,OAAO;QACL,sBAAsB,CAAC,QAAQ,CAAC;QAChC,sBAAsB,CAAC,QAAQ,CAAC;QAChC,mBAAmB,CAAC,QAAQ,CAAC;KAC9B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,sBAAsB,CAAC,QAI/B;IACC,OAAO;;;;;;6BAMoB,QAAQ,CAAC,aAAa;8BACrB,QAAQ,CAAC,aAAa;2BACzB,QAAQ,CAAC,UAAU;;;;;;GAM3C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,sBAAsB,CAAC,QAQ/B;IACC,OAAO;;;;;;;;;;;;;;;;;;sCAkB6B,QAAQ,CAAC,SAAS;;uBAEjC,QAAQ,CAAC,SAAS;iDACQ,QAAQ,CAAC,cAAc;;;;;;;;;mBASrD,QAAQ,CAAC,UAAU;;8DAEwB,QAAQ,CAAC,gBAAgB;;;;;;;;;;;0BAW7D,QAAQ,CAAC,OAAO,MAAM,QAAQ,CAAC,SAAS,kCAAkC,QAAQ,CAAC,UAAU;;;;+CAIxE,QAAQ,CAAC,UAAU;;;;;;;;;GAS/D,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAAC,QAG5B;IACC,OAAO;;;;;;;iDAOwC,QAAQ,CAAC,aAAa;;oCAEnC,QAAQ,CAAC,UAAU;;;;;;;;;;;;;;;;;;GAkBpD,CAAC;AACJ,CAAC"}
+{"version":3,"file":"postinstall-trampoline.js","sourceRoot":"","sources":["../../src/utils/postinstall-trampoline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,aAAa,CAAC;AACrB,OAAO,EAGL,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,6BAA6B,CAAC;AAErC;;;GAGG;AACH,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C;;;GAGG;AACH,MAAM,kBAAkB,GAAG,6BAA6B,CAAC;AAEzD;;;GAGG;AACH,MAAM,WAAW,GAAG,OAAO,CAAC;AAE5B;;GAEG;AACH,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAE7B;;;GAGG;AACH,MAAM,eAAe,GAAG,GAAG,CAAC;AAE5B,uEAAuE;AACvE,+EAA+E;AAC/E,oBAAoB;AACpB,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,oBAAoB,GACrB,CAAC;AAGF;;;;;;;;;;GAUG;AACH,SAAS,OAAO,CAAC,IAAY;IAC3B,4IAA4I;IAC5I,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,OAAO,CAAC,kBAAkB,CAAC,KAAK,GAAG,CAAC;AAC7C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,gBAAgB,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,CACL,OAAO,CAAC,IAAI,CAAC,KAAK,MAAM;QACxB,OAAO,CAAC,IAAI,CAAC,KAAK,GAAG;QACrB,OAAO,CAAC,gBAAgB,CAAC,KAAK,MAAM;QACpC,OAAO,CAAC,wBAAwB,CAAC,KAAK,MAAM,CAC7C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,uCAAuC,CACrD,MAAe;IAEf,IAAI,MAAM;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,qBAAqB,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,6EAA6E;IAC7E,2EAA2E;IAC3E,2EAA2E;IAC3E,gEAAgE;IAChE,wEAAwE;IACxE,yEAAyE;IACzE,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,gBAAgB,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,0BAA0B,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IAC1C,4DAA4D;IAC5D,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,UAAkB,EAClB,UAAwB,KAAK;IAE7B,KAAK,MAAM,EAAE,IAAI,qBAAqB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;YAChC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE;oBAClD,GAAG,EAAE,UAAU;oBACf,KAAK,EAAE,QAAQ;iBAChB,CAAC,CAAC;gBACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,UAAkB,EAClB,WAAmB,EACnB,SAAiB;AACjB,yEAAyE;AACzE,4EAA4E;AAC5E,2EAA2E;AAC3E,wEAAwE;AACxE,0DAA0D;AAC1D,UAAwB,KAAK;IAE7B,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAErD,MAAM,gBAAgB,GAAG,qBAAqB,CAAC;QAC7C,SAAS;QACT,cAAc,EAAE,gBAAgB;QAChC,SAAS,EAAE,WAAW;QACtB,aAAa,EAAE,eAAe;QAC9B,SAAS;QACT,UAAU;QACV,OAAO;QACP,gBAAgB,EAAE,kBAAkB;QACpC,kBAAkB,EAAE,oBAAoB;KACzC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE;QACvD,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,QAAQ;QACf,GAAG,EAAE;YACH,0EAA0E;YAC1E,yEAAyE;YACzE,mFAAmF;YACnF,GAAG,4BAA4B,CAAC,YAAY,EAAE,CAAC;YAC/C,8EAA8E;YAC9E,6EAA6E;YAC7E,CAAC,iBAAiB,CAAC,EAAE,EAAE;YACvB,CAAC,kBAAkB,CAAC,EAAE,GAAG;SAC1B;KACF,CAAC,CAAC;IAEH,mEAAmE;IACnE,mEAAmE;IACnE,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY;IACnB,8JAA8J;IAC9J,OAAO,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;AAC5B,CAAC;AAoBD;;;;;;;;;;;;;;GAcG;AACH,SAAS,qBAAqB,CAAC,MAA8B;IAC3D,wEAAwE;IACxE,MAAM,QAAQ,GAAG;QACf,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,cAAc,CAAC;QACrD,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC;QACnD,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3C,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACzD,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,kBAAkB,CAAC;QACxD,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC;QACnD,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC;KACrC,CAAC;IAEX,OAAO;QACL,sBAAsB,CAAC,QAAQ,CAAC;QAChC,sBAAsB,CAAC,QAAQ,CAAC;QAChC,mBAAmB,CAAC,QAAQ,CAAC;KAC9B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,sBAAsB,CAAC,QAI/B;IACC,OAAO;;;;;;6BAMoB,QAAQ,CAAC,aAAa;8BACrB,QAAQ,CAAC,aAAa;2BACzB,QAAQ,CAAC,UAAU;;;;;;GAM3C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,sBAAsB,CAAC,QAQ/B;IACC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sCAgC6B,QAAQ,CAAC,SAAS;;uBAEjC,QAAQ,CAAC,SAAS;iDACQ,QAAQ,CAAC,cAAc;;;;;;;;;mBASrD,QAAQ,CAAC,UAAU;;8DAEwB,QAAQ,CAAC,gBAAgB;;;;;;;;;;;0BAW7D,QAAQ,CAAC,OAAO,MAAM,QAAQ,CAAC,SAAS,kCAAkC,QAAQ,CAAC,UAAU;;;;+CAIxE,QAAQ,CAAC,UAAU;;;;;;;;;GAS/D,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,mBAAmB,CAAC,QAG5B;IACC,OAAO;;;;;;;iDAOwC,QAAQ,CAAC,aAAa;;oCAEnC,QAAQ,CAAC,UAAU;;;;;;;;;;;;;;;;;;GAkBpD,CAAC;AACJ,CAAC"}

package/package.json

@@ -85,7 +85,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/hooks/install-pkgs.sh

@@ -8,18 +8,40 @@ if [ -d "node_modules" ]; then
   exit 0
 fi
 
-# Detect package manager based on lock file presence
-if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
-  bun install
-elif [ -f "pnpm-lock.yaml" ]; then
-  pnpm install
-elif [ -f "yarn.lock" ]; then
-  yarn install
-elif [ -f "package-lock.json" ]; then
-  npm install
-else
-  npm install
-fi
+# Detect the package manager this project wants, honoring explicit opt-outs.
+# Precedence: packageManager field > engines "please-use-<pm>" sentinel >
+# lockfile presence (minus any PM the engines forbid) > npm default.
+#
+# This must NOT key on lockfile presence alone. An npm-only project
+# (engines.bun = "please-use-npm", CI runs `npm ci`) that picks up a stray
+# bun.lock would otherwise get `bun install`, re-create the bun.lock, and break
+# — the SE-5221 regression. The engines/packageManager signals are
+# authoritative; lockfiles are only a fallback and never override an opt-out.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+
+PACKAGE_MANAGER="$(detect_package_manager)"
+echo "Detected package manager: ${PACKAGE_MANAGER}"
+case "$PACKAGE_MANAGER" in
+  bun) bun install ;;
+  pnpm) pnpm install ;;
+  yarn) yarn install ;;
+  *) npm install ;;
+esac
 
 # The tools below use Linux-specific binaries and paths — skip on other platforms.
 if [ "$(uname -s)" != "Linux" ]; then

package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md

@@ -101,12 +101,34 @@ need() { command -v "$1" >/dev/null 2>&1; }
 require() { need "$1" || { echo "FATAL: required tool '$1' missing and install failed" >&2; exit 1; }; }
 
 # --- package manager (REQUIRED) ---
-if ! need bun; then
+# Resolve the PM from packageManager/engines/lockfiles — emit the manager the
+# `packageManager` inventory field reported, NEVER a hardcoded bun. An npm-only
+# project (engines.bun = "please-use-npm") must install with npm; emitting
+# `bun install` would create a stray bun.lock and break it (the SE-5221
+# regression). Only install/PATH-export the manager actually selected below.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun && { printf 'bun\n'; return 0; }
+  [ -f pnpm-lock.yaml ] && _pm_allowed pnpm && { printf 'pnpm\n'; return 0; }
+  [ -f yarn.lock ] && _pm_allowed yarn && { printf 'yarn\n'; return 0; }
+  [ -f package-lock.json ] && _pm_allowed npm && { printf 'npm\n'; return 0; }
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+if [ "$PM" = "bun" ] && ! need bun; then
   curl -fsSL https://bun.sh/install | bash
+  export PATH="$HOME/.bun/bin:$PATH"
 fi
-export PATH="$HOME/.bun/bin:$PATH"
 # NOTE: bun has known proxy package-fetch issues in cloud sessions; retry to survive transient proxy errors.
-for i in 1 2 3; do bun install && break || sleep 5; done
+for i in 1 2 3; do "$PM" install && break || sleep 5; done
 
 # --- required CLIs ---
 need gh || (sudo apt-get update -y && sudo apt-get install -y gh)

package/plugins/lisa-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md

@@ -101,12 +101,34 @@ need() { command -v "$1" >/dev/null 2>&1; }
 require() { need "$1" || { echo "FATAL: required tool '$1' missing and install failed" >&2; exit 1; }; }
 
 # --- package manager (REQUIRED) ---
-if ! need bun; then
+# Resolve the PM from packageManager/engines/lockfiles — emit the manager the
+# `packageManager` inventory field reported, NEVER a hardcoded bun. An npm-only
+# project (engines.bun = "please-use-npm") must install with npm; emitting
+# `bun install` would create a stray bun.lock and break it (the SE-5221
+# regression). Only install/PATH-export the manager actually selected below.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun && { printf 'bun\n'; return 0; }
+  [ -f pnpm-lock.yaml ] && _pm_allowed pnpm && { printf 'pnpm\n'; return 0; }
+  [ -f yarn.lock ] && _pm_allowed yarn && { printf 'yarn\n'; return 0; }
+  [ -f package-lock.json ] && _pm_allowed npm && { printf 'npm\n'; return 0; }
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+if [ "$PM" = "bun" ] && ! need bun; then
   curl -fsSL https://bun.sh/install | bash
+  export PATH="$HOME/.bun/bin:$PATH"
 fi
-export PATH="$HOME/.bun/bin:$PATH"
 # NOTE: bun has known proxy package-fetch issues in cloud sessions; retry to survive transient proxy errors.
-for i in 1 2 3; do bun install && break || sleep 5; done
+for i in 1 2 3; do "$PM" install && break || sleep 5; done
 
 # --- required CLIs ---
 need gh || (sudo apt-get update -y && sudo apt-get install -y gh)

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.171.0",
+  "version": "2.171.1",
   "description": "AWS CDK-specific Lisa plugin.",
   "author": {
     "name": "Cody Swann"