@lumenflow/cli 2.6.0 → 2.8.0

package/dist/mem-signal.js

@@ -51,10 +51,8 @@ async function writeAuditLog(baseDir, entry) {
     try {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {

package/dist/mem-start.js

@@ -37,11 +37,9 @@ async function writeAuditLog(baseDir, entry) {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
         // Ensure telemetry directory exists
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         // Append NDJSON entry
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {

package/dist/mem-summarize.js

@@ -72,10 +72,8 @@ async function writeAuditLog(baseDir, entry) {
     try {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {

package/dist/metrics-cli.js

@@ -158,7 +158,7 @@ async function loadGitCommits(weekStart, weekEnd) {
             const message = entry.message;
             const wuIdMatch = message.match(/\b(WU-\d+)\b/i);
             const wuId = wuIdMatch ? wuIdMatch[1].toUpperCase() : undefined;
-            const typeMatch = message.match(/^(feat|fix|docs|chore|refactor|test|style|perf|ci)[\(:]?/i);
+            const typeMatch = message.match(/^(feat|fix|docs|chore|refactor|test|style|perf|ci)[(:]?/i);
             const type = typeMatch ? typeMatch[1].toLowerCase() : undefined;
             commits.push({
                 hash: entry.hash,

package/dist/metrics-snapshot.js

@@ -145,7 +145,7 @@ async function loadGitCommits(weekStart, weekEnd) {
             const wuIdMatch = message.match(/\b(WU-\d+)\b/i);
             const wuId = wuIdMatch ? wuIdMatch[1].toUpperCase() : undefined;
             // Determine commit type from conventional commit prefix
-            const typeMatch = message.match(/^(feat|fix|docs|chore|refactor|test|style|perf|ci)[\(:]?/i);
+            const typeMatch = message.match(/^(feat|fix|docs|chore|refactor|test|style|perf|ci)[(:]?/i);
             const type = typeMatch ? typeMatch[1].toLowerCase() : undefined;
             commits.push({
                 hash: entry.hash,

package/dist/onboarding-smoke-test.js

@@ -174,22 +174,17 @@ export function validateLaneInferenceFormat(options) {
  * Initialize a git repository in the given directory
  */
 function initializeGitRepo(projectDir) {
-    // eslint-disable-next-line sonarjs/no-os-command-from-path -- Git binary from PATH is acceptable for smoke tests
     execFileSync(GIT_BINARY, ['init'], { cwd: projectDir, stdio: 'pipe' });
-    // eslint-disable-next-line sonarjs/no-os-command-from-path -- Git binary from PATH is acceptable for smoke tests
     execFileSync(GIT_BINARY, ['config', 'user.email', 'test@example.com'], {
         cwd: projectDir,
         stdio: 'pipe',
     });
-    // eslint-disable-next-line sonarjs/no-os-command-from-path -- Git binary from PATH is acceptable for smoke tests
     execFileSync(GIT_BINARY, ['config', 'user.name', 'Test User'], {
         cwd: projectDir,
         stdio: 'pipe',
     });
     // Create initial commit
-    // eslint-disable-next-line sonarjs/no-os-command-from-path -- Git binary from PATH is acceptable for smoke tests
     execFileSync(GIT_BINARY, ['add', '-A'], { cwd: projectDir, stdio: 'pipe' });
-    // eslint-disable-next-line sonarjs/no-os-command-from-path -- Git binary from PATH is acceptable for smoke tests
     execFileSync(GIT_BINARY, ['commit', '-m', 'Initial commit', '--allow-empty'], {
         cwd: projectDir,
         stdio: 'pipe',

package/dist/orchestrate-init-status.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * Orchestrate Initiative Status CLI
  *

package/dist/orchestrate-initiative.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * Orchestrate Initiative CLI
  *

package/dist/orchestrate-monitor.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * Orchestrate Monitor CLI (WU-1241)
  *

package/dist/plan-create.js

@@ -1,6 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename */
 /**
  * Plan Create Command (WU-1313)
  *

package/dist/plan-edit.js

@@ -1,6 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename */
 /**
  * Plan Edit Command (WU-1313)
  *

package/dist/plan-link.js

@@ -1,6 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename */
 /**
  * Plan Link Command (WU-1313)
  *

package/dist/plan-promote.js

@@ -1,6 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename */
 /**
  * Plan Promote Command (WU-1313)
  *

package/dist/signal-cleanup.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * Signal Cleanup CLI (WU-1204)
  *
@@ -94,10 +93,8 @@ async function writeAuditLog(baseDir, entry) {
     try {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {
@@ -142,7 +139,6 @@ async function getActiveWuIds(baseDir) {
         for (const file of wuFiles) {
             try {
                 const filePath = path.join(wuDir, file);
-                // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
                 const content = await fs.readFile(filePath, 'utf-8');
                 const wu = parseYaml(content);
                 if (wu.id && wu.status && ACTIVE_WU_STATUSES.includes(wu.status)) {

package/dist/state-bootstrap.js

@@ -17,7 +17,6 @@ import { parse as parseYaml } from 'yaml';
 import { readFileSync } from 'node:fs';
 import { WU_PATHS } from '@lumenflow/core/dist/wu-paths.js';
 import { CLI_FLAGS, EXIT_CODES, EMOJI, STRING_LITERALS, } from '@lumenflow/core/dist/wu-constants.js';
-/* eslint-disable security/detect-non-literal-fs-filename */
 /** Log prefix for consistent output */
 const LOG_PREFIX = '[state-bootstrap]';
 /**

package/dist/state-cleanup.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * Unified State Cleanup CLI (WU-1208)
  *
@@ -111,10 +110,8 @@ async function writeAuditLog(baseDir, entry) {
     try {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {
@@ -150,7 +147,6 @@ async function getActiveWuIds(baseDir) {
         for (const file of wuFiles) {
             try {
                 const filePath = path.join(wuDir, file);
-                // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
                 const content = await fs.readFile(filePath, 'utf-8');
                 const wu = parseYaml(content);
                 if (wu.id && wu.status && ACTIVE_WU_STATUSES.includes(wu.status)) {

package/dist/state-doctor-fix.js

@@ -7,9 +7,13 @@
  * 1. No direct file modifications on main branch
  * 2. Removal of stale WU references from backlog.md and status.md
  * 3. All changes pushed via merge, not direct file modification
+ * 4. WU-1362: Retry logic for push failures (inherited from withMicroWorktree)
+ *
+ * Retry behavior is configured via .lumenflow.config.yaml git.push_retry section.
+ * Default: 3 retries with exponential backoff and jitter.
  *
  * @see {@link ./state-doctor.ts} - Main CLI that uses these deps
- * @see {@link @lumenflow/core/dist/micro-worktree.js} - Micro-worktree infrastructure
+ * @see {@link @lumenflow/core/dist/micro-worktree.js} - Micro-worktree infrastructure with retry logic
  */
 import fs from 'node:fs/promises';
 import path from 'node:path';
@@ -56,7 +60,6 @@ function removeWuReferences(content, wuId) {
  */
 async function readFileSafe(filePath) {
     try {
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path from config
         return await fs.readFile(filePath, 'utf-8');
     }
     catch {
@@ -100,7 +103,6 @@ export function createStateDoctorFixDeps(_baseDir) {
                             return true; // Keep malformed lines
                         }
                     });
-                    // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path
                     await fs.writeFile(signalsPath, lines.join('\n') + '\n', 'utf-8');
                     return {
                         commitMessage: `fix(state-doctor): remove dangling signal ${id}`,
@@ -139,7 +141,6 @@ export function createStateDoctorFixDeps(_baseDir) {
                                 return true; // Keep malformed lines
                             }
                         });
-                        // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path
                         await fs.writeFile(eventsPath, lines.join('\n') + '\n', 'utf-8');
                         modifiedFiles.push(WU_EVENTS_FILE);
                     }
@@ -148,7 +149,6 @@ export function createStateDoctorFixDeps(_baseDir) {
                     const backlogContent = await readFileSafe(backlogPath);
                     if (backlogContent && backlogContent.includes(wuId)) {
                         const updatedBacklog = removeWuReferences(backlogContent, wuId);
-                        // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path
                         await fs.writeFile(backlogPath, updatedBacklog, 'utf-8');
                         modifiedFiles.push(BACKLOG_FILE);
                     }
@@ -157,7 +157,6 @@ export function createStateDoctorFixDeps(_baseDir) {
                     const statusContent = await readFileSafe(statusPath);
                     if (statusContent && statusContent.includes(wuId)) {
                         const updatedStatus = removeWuReferences(statusContent, wuId);
-                        // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path
                         await fs.writeFile(statusPath, updatedStatus, 'utf-8');
                         modifiedFiles.push(STATUS_FILE);
                     }
@@ -179,12 +178,10 @@ export function createStateDoctorFixDeps(_baseDir) {
                 pushOnly: true,
                 execute: async ({ worktreePath }) => {
                     const stampsDir = path.join(worktreePath, '.lumenflow/stamps');
-                    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
                     await fs.mkdir(stampsDir, { recursive: true });
                     // Create stamp file in micro-worktree
                     const stampPath = path.join(stampsDir, `${wuId}.done`);
                     const stampContent = `# ${wuId} Done\n\nTitle: ${title}\nCreated by: state:doctor --fix\nTimestamp: ${new Date().toISOString()}\n`;
-                    // eslint-disable-next-line security/detect-non-literal-fs-filename -- Validated path
                     await fs.writeFile(stampPath, stampContent, 'utf-8');
                     return {
                         commitMessage: `fix(state-doctor): create missing stamp for ${wuId}`,

package/dist/state-doctor.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * State Doctor CLI (WU-1209)
  *
@@ -101,10 +100,8 @@ async function writeAuditLog(baseDir, entry) {
     try {
         const logPath = path.join(baseDir, LUMENFLOW_PATHS.AUDIT_LOG);
         const logDir = path.dirname(logPath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
         await fs.mkdir(logDir, { recursive: true });
         const line = `${JSON.stringify(entry)}\n`;
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes audit log
         await fs.appendFile(logPath, line, 'utf-8');
     }
     catch {
@@ -146,7 +143,6 @@ async function createDeps(baseDir) {
                 for (const file of wuFiles) {
                     try {
                         const filePath = path.join(wuDir, file);
-                        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
                         const content = await fs.readFile(filePath, 'utf-8');
                         const wu = parseYaml(content);
                         if (wu.id && wu.status) {
@@ -189,7 +185,6 @@ async function createDeps(baseDir) {
         listSignals: async () => {
             try {
                 const signalsPath = path.join(baseDir, SIGNALS_FILE);
-                // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
                 const content = await fs.readFile(signalsPath, 'utf-8');
                 const signals = [];
                 for (const line of content.split('\n')) {
@@ -223,7 +218,6 @@ async function createDeps(baseDir) {
         listEvents: async () => {
             try {
                 const eventsPath = path.join(baseDir, WU_EVENTS_FILE);
-                // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
                 const content = await fs.readFile(eventsPath, 'utf-8');
                 const events = [];
                 for (const line of content.split('\n')) {
@@ -255,7 +249,6 @@ async function createDeps(baseDir) {
          */
         removeSignal: async (id) => {
             const signalsPath = path.join(baseDir, SIGNALS_FILE);
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
             const content = await fs.readFile(signalsPath, 'utf-8');
             const lines = content.split('\n').filter((line) => {
                 if (!line.trim())
@@ -268,7 +261,6 @@ async function createDeps(baseDir) {
                     return true; // Keep malformed lines
                 }
             });
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes known path
             await fs.writeFile(signalsPath, lines.join('\n') + '\n', 'utf-8');
         },
         /**
@@ -276,7 +268,6 @@ async function createDeps(baseDir) {
          */
         removeEvent: async (wuId) => {
             const eventsPath = path.join(baseDir, WU_EVENTS_FILE);
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool reads known path
             const content = await fs.readFile(eventsPath, 'utf-8');
             const lines = content.split('\n').filter((line) => {
                 if (!line.trim())
@@ -289,7 +280,6 @@ async function createDeps(baseDir) {
                     return true; // Keep malformed lines
                 }
             });
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes known path
             await fs.writeFile(eventsPath, lines.join('\n') + '\n', 'utf-8');
         },
         /**
@@ -297,7 +287,6 @@ async function createDeps(baseDir) {
          */
         createStamp: async (wuId, title) => {
             const stampsDir = path.join(baseDir, LUMENFLOW_PATHS.STAMPS_DIR);
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool creates known directory
             await fs.mkdir(stampsDir, { recursive: true });
             await createStamp({
                 id: wuId,

package/dist/sync-templates.js

@@ -2,24 +2,29 @@
  * @file sync-templates.ts
  * Sync internal docs to CLI templates for release-cycle maintenance (WU-1123)
  *
+ * WU-1368: Fixed two bugs:
+ * 1. --check-drift flag now is truly read-only (compares without writing)
+ * 2. sync:templates uses micro-worktree isolation for safe atomic commits
+ *
  * This script syncs source docs from the hellmai/os repo to the templates
  * directory, applying template variable substitutions:
  * - Onboarding docs -> templates/core/ai/onboarding/
  * - Claude skills -> templates/vendors/claude/.claude/skills/
  * - Core docs (LUMENFLOW.md, constraints.md) -> templates/core/
  */
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename -- CLI tool syncs templates from known paths */
-/* eslint-disable security/detect-non-literal-regexp -- Dynamic date pattern for template substitution */
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-import { createWUParser } from '@lumenflow/core';
+import { createWUParser, withMicroWorktree } from '@lumenflow/core';
 // Directory name constants to avoid duplicate strings
 const LUMENFLOW_DIR = '.lumenflow';
 const CLAUDE_DIR = '.claude';
 const SKILLS_DIR = 'skills';
 // Template variable patterns
 const DATE_PATTERN = /\d{4}-\d{2}-\d{2}/g;
+// Log prefix for console output
+const LOG_PREFIX = '[sync-templates]';
+// Micro-worktree operation name
+const OPERATION_NAME = 'sync-templates';
 /**
  * CLI option definitions for sync-templates command
  */
@@ -212,7 +217,6 @@ function checkFileDrift(sourcePath, templatePath, projectRoot) {
  * to detect if templates have drifted out of sync. Used by CI to warn
  * when templates need to be re-synced.
  */
-// eslint-disable-next-line sonarjs/cognitive-complexity -- Multi-category drift check requires nested iteration
 export async function checkTemplateDrift(projectRoot) {
     const driftingFiles = [];
     const checkedFiles = [];
@@ -277,40 +281,145 @@ export async function checkTemplateDrift(projectRoot) {
     };
 }
 /**
- * CLI entry point
+ * Sync a single file to templates within a worktree path
+ *
+ * WU-1368: Internal helper for micro-worktree sync operations.
+ * Writes to worktreePath instead of projectRoot for isolation.
  */
-// eslint-disable-next-line sonarjs/cognitive-complexity -- CLI main() handles multiple modes and output formatting
-export async function main() {
-    const opts = parseSyncTemplatesOptions();
-    const projectRoot = process.cwd();
-    // Check-drift mode: verify templates match source without syncing
-    if (opts.checkDrift) {
-        console.log('[sync-templates] Checking for template drift...');
-        const drift = await checkTemplateDrift(projectRoot);
-        if (opts.verbose) {
-            console.log(`  Checked ${drift.checkedFiles.length} files`);
+function syncFileToWorktree(sourcePath, targetPath, projectRoot, result) {
+    try {
+        if (!fs.existsSync(sourcePath)) {
+            result.errors.push(`Source not found: ${sourcePath}`);
+            return;
         }
-        if (drift.hasDrift) {
-            console.log('\n[sync-templates] WARNING: Template drift detected!');
-            console.log('  The following templates are out of sync with their source:');
-            for (const file of drift.driftingFiles) {
-                console.log(`    - ${file}`);
-            }
-            console.log('\n  Run `pnpm sync:templates` to update templates.');
-            process.exitCode = 1;
+        const content = fs.readFileSync(sourcePath, 'utf-8');
+        const templateContent = convertToTemplate(content, projectRoot);
+        ensureDir(path.dirname(targetPath));
+        fs.writeFileSync(targetPath, templateContent);
+        // Store relative path from project root (not worktree path)
+        const relPath = targetPath.includes('templates/')
+            ? targetPath.substring(targetPath.indexOf('packages/'))
+            : path.basename(targetPath);
+        result.synced.push(relPath);
+    }
+    catch (error) {
+        result.errors.push(`Error syncing ${sourcePath}: ${error.message}`);
+    }
+}
+/**
+ * Sync templates using micro-worktree isolation (WU-1368)
+ *
+ * This function uses the micro-worktree pattern to atomically sync templates:
+ * 1. Create temp branch in micro-worktree
+ * 2. Sync all templates to micro-worktree
+ * 3. Commit and push atomically
+ * 4. Cleanup
+ *
+ * Benefits:
+ * - Never modifies main checkout directly
+ * - Atomic commit with all template changes
+ * - Race-safe with other operations
+ *
+ * @param {string} projectRoot - Project root directory (source for templates)
+ * @returns {Promise<SyncSummary>} Summary of synced files
+ */
+export async function syncTemplatesWithWorktree(projectRoot) {
+    // Generate unique operation ID using timestamp
+    const operationId = `templates-${Date.now()}`;
+    console.log(`${LOG_PREFIX} Using micro-worktree isolation for atomic sync...`);
+    // Set env var for pre-push hook
+    const previousWuTool = process.env.LUMENFLOW_WU_TOOL;
+    process.env.LUMENFLOW_WU_TOOL = OPERATION_NAME;
+    try {
+        let syncResult = {
+            onboarding: { synced: [], errors: [] },
+            skills: { synced: [], errors: [] },
+            core: { synced: [], errors: [] },
+        };
+        await withMicroWorktree({
+            operation: OPERATION_NAME,
+            id: operationId,
+            logPrefix: LOG_PREFIX,
+            execute: async ({ worktreePath }) => {
+                const templatesDir = path.join(worktreePath, 'packages', '@lumenflow', 'cli', 'templates');
+                // Sync core docs
+                const coreResult = { synced: [], errors: [] };
+                const lumenflowSource = path.join(projectRoot, 'LUMENFLOW.md');
+                const lumenflowTarget = path.join(templatesDir, 'core', 'LUMENFLOW.md.template');
+                syncFileToWorktree(lumenflowSource, lumenflowTarget, projectRoot, coreResult);
+                const constraintsSource = path.join(projectRoot, LUMENFLOW_DIR, 'constraints.md');
+                const constraintsTarget = path.join(templatesDir, 'core', LUMENFLOW_DIR, 'constraints.md.template');
+                syncFileToWorktree(constraintsSource, constraintsTarget, projectRoot, coreResult);
+                // Sync onboarding docs
+                const onboardingResult = { synced: [], errors: [] };
+                const onboardingSourceDir = path.join(projectRoot, 'docs', '04-operations', '_frameworks', 'lumenflow', 'agent', 'onboarding');
+                const onboardingTargetDir = path.join(templatesDir, 'core', 'ai', 'onboarding');
+                if (fs.existsSync(onboardingSourceDir)) {
+                    const files = fs.readdirSync(onboardingSourceDir).filter((f) => f.endsWith('.md'));
+                    for (const file of files) {
+                        const sourcePath = path.join(onboardingSourceDir, file);
+                        const targetPath = path.join(onboardingTargetDir, `${file}.template`);
+                        syncFileToWorktree(sourcePath, targetPath, projectRoot, onboardingResult);
+                    }
+                }
+                else {
+                    onboardingResult.errors.push(`Onboarding source directory not found: ${onboardingSourceDir}`);
+                }
+                // Sync skills
+                const skillsResult = { synced: [], errors: [] };
+                const skillsSourceDir = path.join(projectRoot, CLAUDE_DIR, SKILLS_DIR);
+                const skillsTargetDir = path.join(templatesDir, 'vendors', 'claude', CLAUDE_DIR, SKILLS_DIR);
+                if (fs.existsSync(skillsSourceDir)) {
+                    const skillDirs = fs
+                        .readdirSync(skillsSourceDir, { withFileTypes: true })
+                        .filter((d) => d.isDirectory())
+                        .map((d) => d.name);
+                    for (const skillName of skillDirs) {
+                        const skillFile = path.join(skillsSourceDir, skillName, 'SKILL.md');
+                        if (fs.existsSync(skillFile)) {
+                            const targetPath = path.join(skillsTargetDir, skillName, 'SKILL.md.template');
+                            syncFileToWorktree(skillFile, targetPath, projectRoot, skillsResult);
+                        }
+                    }
+                }
+                else {
+                    skillsResult.errors.push(`Skills source directory not found: ${skillsSourceDir}`);
+                }
+                syncResult = {
+                    onboarding: onboardingResult,
+                    skills: skillsResult,
+                    core: coreResult,
+                };
+                // Collect all synced files for commit
+                const allSyncedFiles = [
+                    ...coreResult.synced,
+                    ...onboardingResult.synced,
+                    ...skillsResult.synced,
+                ];
+                const totalSynced = allSyncedFiles.length;
+                const commitMessage = `chore(sync:templates): sync ${totalSynced} template files`;
+                return {
+                    commitMessage,
+                    files: allSyncedFiles,
+                };
+            },
+        });
+        return syncResult;
+    }
+    finally {
+        // Restore env var
+        if (previousWuTool === undefined) {
+            delete process.env.LUMENFLOW_WU_TOOL;
         }
         else {
-            console.log('[sync-templates] All templates are in sync.');
+            process.env.LUMENFLOW_WU_TOOL = previousWuTool;
         }
-        return;
-    }
-    // Sync mode: update templates from source
-    console.log('[sync-templates] Syncing internal docs to CLI templates...');
-    if (opts.dryRun) {
-        console.log('  (dry-run mode - no files will be written)');
     }
-    const result = await syncTemplates(projectRoot, opts.dryRun);
-    // Print results
+}
+/**
+ * Print sync results summary
+ */
+function printSyncResults(result) {
     const sections = [
         { name: 'Onboarding docs', data: result.onboarding },
         { name: 'Claude skills', data: result.skills },
@@ -331,7 +440,52 @@ export async function main() {
             }
         }
     }
-    console.log(`\n[sync-templates] Done! Synced ${totalSynced} files.`);
+    return { totalSynced, totalErrors };
+}
+/**
+ * CLI entry point
+ */
+export async function main() {
+    const opts = parseSyncTemplatesOptions();
+    const projectRoot = process.cwd();
+    // Check-drift mode: verify templates match source without syncing (read-only)
+    if (opts.checkDrift) {
+        console.log(`${LOG_PREFIX} Checking for template drift...`);
+        const drift = await checkTemplateDrift(projectRoot);
+        if (opts.verbose) {
+            console.log(`  Checked ${drift.checkedFiles.length} files`);
+        }
+        if (drift.hasDrift) {
+            console.log(`\n${LOG_PREFIX} WARNING: Template drift detected!`);
+            console.log('  The following templates are out of sync with their source:');
+            for (const file of drift.driftingFiles) {
+                console.log(`    - ${file}`);
+            }
+            console.log('\n  Run `pnpm sync:templates` to update templates.');
+            process.exitCode = 1;
+        }
+        else {
+            console.log(`${LOG_PREFIX} All templates are in sync.`);
+        }
+        return;
+    }
+    // Dry-run mode: show what would be synced without writing
+    if (opts.dryRun) {
+        console.log(`${LOG_PREFIX} Dry-run mode - showing what would be synced...`);
+        const result = await syncTemplates(projectRoot, true);
+        const { totalSynced, totalErrors } = printSyncResults(result);
+        console.log(`\n${LOG_PREFIX} Dry run complete. Would sync ${totalSynced} files.`);
+        if (totalErrors > 0) {
+            console.log(`  ${totalErrors} error(s) would occur.`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    // Sync mode: update templates using micro-worktree isolation (WU-1368)
+    console.log(`${LOG_PREFIX} Syncing internal docs to CLI templates...`);
+    const result = await syncTemplatesWithWorktree(projectRoot);
+    const { totalSynced, totalErrors } = printSyncResults(result);
+    console.log(`\n${LOG_PREFIX} Done! Synced ${totalSynced} files.`);
     if (totalErrors > 0) {
         console.log(`  ${totalErrors} error(s) occurred.`);
         process.exitCode = 1;