@lumenflow/cli 2.7.0 → 2.9.0

package/dist/sync-templates.js

@@ -2,24 +2,29 @@
  * @file sync-templates.ts
  * Sync internal docs to CLI templates for release-cycle maintenance (WU-1123)
  *
+ * WU-1368: Fixed two bugs:
+ * 1. --check-drift flag now is truly read-only (compares without writing)
+ * 2. sync:templates uses micro-worktree isolation for safe atomic commits
+ *
  * This script syncs source docs from the hellmai/os repo to the templates
  * directory, applying template variable substitutions:
  * - Onboarding docs -> templates/core/ai/onboarding/
  * - Claude skills -> templates/vendors/claude/.claude/skills/
  * - Core docs (LUMENFLOW.md, constraints.md) -> templates/core/
  */
-/* eslint-disable no-console -- CLI tool requires console output */
-/* eslint-disable security/detect-non-literal-fs-filename -- CLI tool syncs templates from known paths */
-/* eslint-disable security/detect-non-literal-regexp -- Dynamic date pattern for template substitution */
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-import { createWUParser } from '@lumenflow/core';
+import { createWUParser, withMicroWorktree } from '@lumenflow/core';
 // Directory name constants to avoid duplicate strings
 const LUMENFLOW_DIR = '.lumenflow';
 const CLAUDE_DIR = '.claude';
 const SKILLS_DIR = 'skills';
 // Template variable patterns
 const DATE_PATTERN = /\d{4}-\d{2}-\d{2}/g;
+// Log prefix for console output
+const LOG_PREFIX = '[sync-templates]';
+// Micro-worktree operation name
+const OPERATION_NAME = 'sync-templates';
 /**
  * CLI option definitions for sync-templates command
  */
@@ -212,7 +217,6 @@ function checkFileDrift(sourcePath, templatePath, projectRoot) {
  * to detect if templates have drifted out of sync. Used by CI to warn
  * when templates need to be re-synced.
  */
-// eslint-disable-next-line sonarjs/cognitive-complexity -- Multi-category drift check requires nested iteration
 export async function checkTemplateDrift(projectRoot) {
     const driftingFiles = [];
     const checkedFiles = [];
@@ -277,40 +281,145 @@ export async function checkTemplateDrift(projectRoot) {
     };
 }
 /**
- * CLI entry point
+ * Sync a single file to templates within a worktree path
+ *
+ * WU-1368: Internal helper for micro-worktree sync operations.
+ * Writes to worktreePath instead of projectRoot for isolation.
  */
-// eslint-disable-next-line sonarjs/cognitive-complexity -- CLI main() handles multiple modes and output formatting
-export async function main() {
-    const opts = parseSyncTemplatesOptions();
-    const projectRoot = process.cwd();
-    // Check-drift mode: verify templates match source without syncing
-    if (opts.checkDrift) {
-        console.log('[sync-templates] Checking for template drift...');
-        const drift = await checkTemplateDrift(projectRoot);
-        if (opts.verbose) {
-            console.log(`  Checked ${drift.checkedFiles.length} files`);
+function syncFileToWorktree(sourcePath, targetPath, projectRoot, result) {
+    try {
+        if (!fs.existsSync(sourcePath)) {
+            result.errors.push(`Source not found: ${sourcePath}`);
+            return;
         }
-        if (drift.hasDrift) {
-            console.log('\n[sync-templates] WARNING: Template drift detected!');
-            console.log('  The following templates are out of sync with their source:');
-            for (const file of drift.driftingFiles) {
-                console.log(`    - ${file}`);
-            }
-            console.log('\n  Run `pnpm sync:templates` to update templates.');
-            process.exitCode = 1;
+        const content = fs.readFileSync(sourcePath, 'utf-8');
+        const templateContent = convertToTemplate(content, projectRoot);
+        ensureDir(path.dirname(targetPath));
+        fs.writeFileSync(targetPath, templateContent);
+        // Store relative path from project root (not worktree path)
+        const relPath = targetPath.includes('templates/')
+            ? targetPath.substring(targetPath.indexOf('packages/'))
+            : path.basename(targetPath);
+        result.synced.push(relPath);
+    }
+    catch (error) {
+        result.errors.push(`Error syncing ${sourcePath}: ${error.message}`);
+    }
+}
+/**
+ * Sync templates using micro-worktree isolation (WU-1368)
+ *
+ * This function uses the micro-worktree pattern to atomically sync templates:
+ * 1. Create temp branch in micro-worktree
+ * 2. Sync all templates to micro-worktree
+ * 3. Commit and push atomically
+ * 4. Cleanup
+ *
+ * Benefits:
+ * - Never modifies main checkout directly
+ * - Atomic commit with all template changes
+ * - Race-safe with other operations
+ *
+ * @param {string} projectRoot - Project root directory (source for templates)
+ * @returns {Promise<SyncSummary>} Summary of synced files
+ */
+export async function syncTemplatesWithWorktree(projectRoot) {
+    // Generate unique operation ID using timestamp
+    const operationId = `templates-${Date.now()}`;
+    console.log(`${LOG_PREFIX} Using micro-worktree isolation for atomic sync...`);
+    // Set env var for pre-push hook
+    const previousWuTool = process.env.LUMENFLOW_WU_TOOL;
+    process.env.LUMENFLOW_WU_TOOL = OPERATION_NAME;
+    try {
+        let syncResult = {
+            onboarding: { synced: [], errors: [] },
+            skills: { synced: [], errors: [] },
+            core: { synced: [], errors: [] },
+        };
+        await withMicroWorktree({
+            operation: OPERATION_NAME,
+            id: operationId,
+            logPrefix: LOG_PREFIX,
+            execute: async ({ worktreePath }) => {
+                const templatesDir = path.join(worktreePath, 'packages', '@lumenflow', 'cli', 'templates');
+                // Sync core docs
+                const coreResult = { synced: [], errors: [] };
+                const lumenflowSource = path.join(projectRoot, 'LUMENFLOW.md');
+                const lumenflowTarget = path.join(templatesDir, 'core', 'LUMENFLOW.md.template');
+                syncFileToWorktree(lumenflowSource, lumenflowTarget, projectRoot, coreResult);
+                const constraintsSource = path.join(projectRoot, LUMENFLOW_DIR, 'constraints.md');
+                const constraintsTarget = path.join(templatesDir, 'core', LUMENFLOW_DIR, 'constraints.md.template');
+                syncFileToWorktree(constraintsSource, constraintsTarget, projectRoot, coreResult);
+                // Sync onboarding docs
+                const onboardingResult = { synced: [], errors: [] };
+                const onboardingSourceDir = path.join(projectRoot, 'docs', '04-operations', '_frameworks', 'lumenflow', 'agent', 'onboarding');
+                const onboardingTargetDir = path.join(templatesDir, 'core', 'ai', 'onboarding');
+                if (fs.existsSync(onboardingSourceDir)) {
+                    const files = fs.readdirSync(onboardingSourceDir).filter((f) => f.endsWith('.md'));
+                    for (const file of files) {
+                        const sourcePath = path.join(onboardingSourceDir, file);
+                        const targetPath = path.join(onboardingTargetDir, `${file}.template`);
+                        syncFileToWorktree(sourcePath, targetPath, projectRoot, onboardingResult);
+                    }
+                }
+                else {
+                    onboardingResult.errors.push(`Onboarding source directory not found: ${onboardingSourceDir}`);
+                }
+                // Sync skills
+                const skillsResult = { synced: [], errors: [] };
+                const skillsSourceDir = path.join(projectRoot, CLAUDE_DIR, SKILLS_DIR);
+                const skillsTargetDir = path.join(templatesDir, 'vendors', 'claude', CLAUDE_DIR, SKILLS_DIR);
+                if (fs.existsSync(skillsSourceDir)) {
+                    const skillDirs = fs
+                        .readdirSync(skillsSourceDir, { withFileTypes: true })
+                        .filter((d) => d.isDirectory())
+                        .map((d) => d.name);
+                    for (const skillName of skillDirs) {
+                        const skillFile = path.join(skillsSourceDir, skillName, 'SKILL.md');
+                        if (fs.existsSync(skillFile)) {
+                            const targetPath = path.join(skillsTargetDir, skillName, 'SKILL.md.template');
+                            syncFileToWorktree(skillFile, targetPath, projectRoot, skillsResult);
+                        }
+                    }
+                }
+                else {
+                    skillsResult.errors.push(`Skills source directory not found: ${skillsSourceDir}`);
+                }
+                syncResult = {
+                    onboarding: onboardingResult,
+                    skills: skillsResult,
+                    core: coreResult,
+                };
+                // Collect all synced files for commit
+                const allSyncedFiles = [
+                    ...coreResult.synced,
+                    ...onboardingResult.synced,
+                    ...skillsResult.synced,
+                ];
+                const totalSynced = allSyncedFiles.length;
+                const commitMessage = `chore(sync:templates): sync ${totalSynced} template files`;
+                return {
+                    commitMessage,
+                    files: allSyncedFiles,
+                };
+            },
+        });
+        return syncResult;
+    }
+    finally {
+        // Restore env var
+        if (previousWuTool === undefined) {
+            delete process.env.LUMENFLOW_WU_TOOL;
         }
         else {
-            console.log('[sync-templates] All templates are in sync.');
+            process.env.LUMENFLOW_WU_TOOL = previousWuTool;
         }
-        return;
-    }
-    // Sync mode: update templates from source
-    console.log('[sync-templates] Syncing internal docs to CLI templates...');
-    if (opts.dryRun) {
-        console.log('  (dry-run mode - no files will be written)');
     }
-    const result = await syncTemplates(projectRoot, opts.dryRun);
-    // Print results
+}
+/**
+ * Print sync results summary
+ */
+function printSyncResults(result) {
     const sections = [
         { name: 'Onboarding docs', data: result.onboarding },
         { name: 'Claude skills', data: result.skills },
@@ -331,7 +440,52 @@ export async function main() {
             }
         }
     }
-    console.log(`\n[sync-templates] Done! Synced ${totalSynced} files.`);
+    return { totalSynced, totalErrors };
+}
+/**
+ * CLI entry point
+ */
+export async function main() {
+    const opts = parseSyncTemplatesOptions();
+    const projectRoot = process.cwd();
+    // Check-drift mode: verify templates match source without syncing (read-only)
+    if (opts.checkDrift) {
+        console.log(`${LOG_PREFIX} Checking for template drift...`);
+        const drift = await checkTemplateDrift(projectRoot);
+        if (opts.verbose) {
+            console.log(`  Checked ${drift.checkedFiles.length} files`);
+        }
+        if (drift.hasDrift) {
+            console.log(`\n${LOG_PREFIX} WARNING: Template drift detected!`);
+            console.log('  The following templates are out of sync with their source:');
+            for (const file of drift.driftingFiles) {
+                console.log(`    - ${file}`);
+            }
+            console.log('\n  Run `pnpm sync:templates` to update templates.');
+            process.exitCode = 1;
+        }
+        else {
+            console.log(`${LOG_PREFIX} All templates are in sync.`);
+        }
+        return;
+    }
+    // Dry-run mode: show what would be synced without writing
+    if (opts.dryRun) {
+        console.log(`${LOG_PREFIX} Dry-run mode - showing what would be synced...`);
+        const result = await syncTemplates(projectRoot, true);
+        const { totalSynced, totalErrors } = printSyncResults(result);
+        console.log(`\n${LOG_PREFIX} Dry run complete. Would sync ${totalSynced} files.`);
+        if (totalErrors > 0) {
+            console.log(`  ${totalErrors} error(s) would occur.`);
+            process.exitCode = 1;
+        }
+        return;
+    }
+    // Sync mode: update templates using micro-worktree isolation (WU-1368)
+    console.log(`${LOG_PREFIX} Syncing internal docs to CLI templates...`);
+    const result = await syncTemplatesWithWorktree(projectRoot);
+    const { totalSynced, totalErrors } = printSyncResults(result);
+    console.log(`\n${LOG_PREFIX} Done! Synced ${totalSynced} files.`);
     if (totalErrors > 0) {
         console.log(`  ${totalErrors} error(s) occurred.`);
         process.exitCode = 1;

package/dist/wu-block.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * WU Block Helper
  *
@@ -29,7 +28,7 @@ import { readWU, writeWU, appendNote } from '@lumenflow/core/dist/wu-yaml.js';
 import { BRANCHES, REMOTES, WU_STATUS, STATUS_SECTIONS, PATTERNS, LOG_PREFIX, FILE_SYSTEM, EXIT_CODES, STRING_LITERALS, MICRO_WORKTREE_OPERATIONS, } from '@lumenflow/core/dist/wu-constants.js';
 import { ensureOnMain } from '@lumenflow/core/dist/wu-helpers.js';
 import { ensureStaged } from '@lumenflow/core/dist/git-staged-validator.js';
-import { withMicroWorktree } from '@lumenflow/core/dist/micro-worktree.js';
+import { withMicroWorktree, LUMENFLOW_WU_TOOL_ENV } from '@lumenflow/core/dist/micro-worktree.js';
 import { WUStateStore } from '@lumenflow/core/dist/wu-state-store.js';
 // WU-1603: Atomic lane locking - release lock when WU is blocked
 import { releaseLaneLock } from '@lumenflow/core/dist/lane-lock.js';
@@ -38,6 +37,30 @@ import { getLockPolicyForLane } from '@lumenflow/core/dist/lane-checker.js';
 // ensureOnMain() moved to wu-helpers.ts (WU-1256)
 // ensureStaged() moved to git-staged-validator.ts (WU-1341)
 // defaultWorktreeFrom() moved to wu-paths.ts (WU-1341)
+/**
+ * WU-1365: Execute a function with LUMENFLOW_WU_TOOL set, restoring afterwards
+ *
+ * Sets the LUMENFLOW_WU_TOOL env var to allow pre-push hook bypass, then
+ * restores the original value (or deletes it) after execution completes.
+ *
+ * @param toolName - Value to set for LUMENFLOW_WU_TOOL
+ * @param fn - Async function to execute
+ */
+async function withWuToolEnv(toolName, fn) {
+    const previousWuTool = process.env[LUMENFLOW_WU_TOOL_ENV];
+    process.env[LUMENFLOW_WU_TOOL_ENV] = toolName;
+    try {
+        return await fn();
+    }
+    finally {
+        if (previousWuTool === undefined) {
+            Reflect.deleteProperty(process.env, LUMENFLOW_WU_TOOL_ENV);
+        }
+        else {
+            process.env[LUMENFLOW_WU_TOOL_ENV] = previousWuTool;
+        }
+    }
+}
 /**
  * Remove WU entry from in-progress section of lines array
  */
@@ -47,7 +70,6 @@ function removeFromInProgressSection(lines, inProgIdx, rel, id) {
     let endIdx = lines.slice(inProgIdx + 1).findIndex((l) => l.startsWith('## '));
     endIdx = endIdx === -1 ? lines.length : inProgIdx + 1 + endIdx;
     for (let i = inProgIdx + 1; i < endIdx; i++) {
-        // eslint-disable-next-line security/detect-object-injection -- array index loop
         if (lines[i] && (lines[i].includes(rel) || lines[i].includes(`[${id}`))) {
             lines.splice(i, 1);
             endIdx--;
@@ -58,6 +80,31 @@ function removeFromInProgressSection(lines, inProgIdx, rel, id) {
     if (section.length === 0)
         lines.splice(endIdx, 0, '', '(No items currently in progress)', '');
 }
+/**
+ * WU-1365: Create missing blocked section in status.md
+ *
+ * Extracts this logic to reduce cognitive complexity of moveFromInProgressToBlocked.
+ *
+ * @param lines - Array of lines from status.md
+ * @param inProgIdx - Index of "## In Progress" header (-1 if not found)
+ * @returns Index of the blocked section header after creation
+ */
+function createMissingBlockedSection(lines, inProgIdx) {
+    console.log(`${LOG_PREFIX.BLOCK} Creating missing "${STATUS_SECTIONS.BLOCKED}" section in status.md`);
+    // Find a good insertion point - after in_progress section or at end
+    const insertIdx = inProgIdx !== -1 ? inProgIdx + 1 : lines.length;
+    // Skip to end of in_progress section content if it exists
+    let insertPoint = insertIdx;
+    if (inProgIdx !== -1) {
+        // Find where the next section starts
+        const nextSectionIdx = lines.slice(inProgIdx + 1).findIndex((l) => l.startsWith('## '));
+        insertPoint = nextSectionIdx === -1 ? lines.length : inProgIdx + 1 + nextSectionIdx;
+    }
+    // Insert the blocked section
+    lines.splice(insertPoint, 0, '', STATUS_SECTIONS.BLOCKED, '');
+    // Return the index of the newly created section header
+    return insertPoint + 1;
+}
 async function moveFromInProgressToBlocked(statusPath, id, title, reason) {
     // Check file exists
     const fileExists = await access(statusPath)
@@ -66,23 +113,25 @@ async function moveFromInProgressToBlocked(statusPath, id, title, reason) {
     if (!fileExists)
         die(`Missing ${statusPath}`);
     const rel = `wu/${id}.yaml`;
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates status file
     const content = await readFile(statusPath, { encoding: FILE_SYSTEM.UTF8 });
     const lines = content.split(/\r?\n/);
     const findHeader = (h) => lines.findIndex((l) => l.trim().toLowerCase() === h.toLowerCase());
     const inProgIdx = findHeader(STATUS_SECTIONS.IN_PROGRESS);
-    const blockedIdx = findHeader(STATUS_SECTIONS.BLOCKED);
-    if (blockedIdx === -1)
-        die(`Could not find "${STATUS_SECTIONS.BLOCKED}" in status.md`);
+    let blockedIdx = findHeader(STATUS_SECTIONS.BLOCKED);
+    // WU-1365: Handle missing blocked section gracefully by creating it
+    if (blockedIdx === -1) {
+        blockedIdx = createMissingBlockedSection(lines, inProgIdx);
+    }
     removeFromInProgressSection(lines, inProgIdx, rel, id);
     // Add bullet to blocked
     const reasonSuffix = reason ? ` — ${reason}` : '';
     const bullet = `- [${id} — ${title}](${rel})${reasonSuffix}`;
+    // Recalculate blockedIdx after removeFromInProgressSection may have changed line positions
+    blockedIdx = findHeader(STATUS_SECTIONS.BLOCKED);
     const sectionStart = blockedIdx + 1;
     if (lines.slice(sectionStart).some((l) => l.includes(rel)))
         return; // already listed
     lines.splice(sectionStart, 0, '', bullet);
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes status file
     await writeFile(statusPath, lines.join(STRING_LITERALS.NEWLINE), {
         encoding: FILE_SYSTEM.UTF8,
     });
@@ -169,47 +218,50 @@ async function main() {
     const baseMsg = `wu(${id.toLowerCase()}): block`;
     const commitMsg = args.reason ? `${baseMsg} — ${args.reason}` : baseMsg;
     if (!args.noAuto) {
-        // Use micro-worktree pattern to avoid pre-commit hook blocking commits to main
-        await withMicroWorktree({
-            operation: MICRO_WORKTREE_OPERATIONS.WU_BLOCK,
-            id,
-            logPrefix: LOG_PREFIX.BLOCK,
-            pushOnly: true, // Push directly to origin/main without touching local main
-            execute: async ({ worktreePath }) => {
-                // Build paths relative to micro-worktree
-                const microWUPath = path.join(worktreePath, WU_PATHS.WU(id));
-                const microStatusPath = path.join(worktreePath, WU_PATHS.STATUS());
-                const microBacklogPath = path.join(worktreePath, WU_PATHS.BACKLOG());
-                // Update WU YAML in micro-worktree
-                const microDoc = readWU(microWUPath, id);
-                microDoc.status = WU_STATUS.BLOCKED;
-                const noteLine = args.reason
-                    ? `Blocked (${todayISO()}): ${args.reason}`
-                    : `Blocked (${todayISO()})`;
-                appendNote(microDoc, noteLine);
-                writeWU(microWUPath, microDoc);
-                // Update status.md in micro-worktree
-                await moveFromInProgressToBlocked(microStatusPath, id, title, args.reason);
-                // Update backlog.md in micro-worktree (WU-1574: regenerate from state store)
-                await regenerateBacklogFromState(microBacklogPath);
-                // Append block event to WUStateStore (WU-1573)
-                const stateDir = path.join(worktreePath, '.lumenflow', 'state');
-                const store = new WUStateStore(stateDir);
-                await store.load();
-                await store.block(id, args.reason || 'No reason provided');
-                return {
-                    commitMessage: commitMsg,
-                    files: [
-                        WU_PATHS.WU(id),
-                        WU_PATHS.STATUS(),
-                        WU_PATHS.BACKLOG(),
-                        '.lumenflow/state/wu-events.jsonl',
-                    ],
-                };
-            },
+        // WU-1365: Set LUMENFLOW_WU_TOOL to allow pre-push hook bypass for micro-worktree pushes
+        await withWuToolEnv(MICRO_WORKTREE_OPERATIONS.WU_BLOCK, async () => {
+            // Use micro-worktree pattern to avoid pre-commit hook blocking commits to main
+            await withMicroWorktree({
+                operation: MICRO_WORKTREE_OPERATIONS.WU_BLOCK,
+                id,
+                logPrefix: LOG_PREFIX.BLOCK,
+                pushOnly: true, // Push directly to origin/main without touching local main
+                execute: async ({ worktreePath }) => {
+                    // Build paths relative to micro-worktree
+                    const microWUPath = path.join(worktreePath, WU_PATHS.WU(id));
+                    const microStatusPath = path.join(worktreePath, WU_PATHS.STATUS());
+                    const microBacklogPath = path.join(worktreePath, WU_PATHS.BACKLOG());
+                    // Update WU YAML in micro-worktree
+                    const microDoc = readWU(microWUPath, id);
+                    microDoc.status = WU_STATUS.BLOCKED;
+                    const noteLine = args.reason
+                        ? `Blocked (${todayISO()}): ${args.reason}`
+                        : `Blocked (${todayISO()})`;
+                    appendNote(microDoc, noteLine);
+                    writeWU(microWUPath, microDoc);
+                    // Update status.md in micro-worktree
+                    await moveFromInProgressToBlocked(microStatusPath, id, title, args.reason);
+                    // Update backlog.md in micro-worktree (WU-1574: regenerate from state store)
+                    await regenerateBacklogFromState(microBacklogPath);
+                    // Append block event to WUStateStore (WU-1573)
+                    const stateDir = path.join(worktreePath, '.lumenflow', 'state');
+                    const store = new WUStateStore(stateDir);
+                    await store.load();
+                    await store.block(id, args.reason || 'No reason provided');
+                    return {
+                        commitMessage: commitMsg,
+                        files: [
+                            WU_PATHS.WU(id),
+                            WU_PATHS.STATUS(),
+                            WU_PATHS.BACKLOG(),
+                            '.lumenflow/state/wu-events.jsonl',
+                        ],
+                    };
+                },
+            });
+            // Fetch to update local main tracking
+            await getGitForCwd().fetch(REMOTES.ORIGIN, BRANCHES.MAIN);
         });
-        // Fetch to update local main tracking
-        await getGitForCwd().fetch(REMOTES.ORIGIN, BRANCHES.MAIN);
     }
     else {
         // Manual mode: expect files already staged

package/dist/wu-claim.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * WU Claim Helper
  *
@@ -27,9 +26,7 @@ import { checkLaneFree, validateLaneFormat, checkWipJustification, } from '@lume
 import { acquireLaneLock, releaseLaneLock, checkLaneLock, forceRemoveStaleLock, } from '@lumenflow/core/dist/lane-lock.js';
 // WU-1825: Import from unified code-path-validator (consolidates 3 validators)
 // WU-1213: Using deprecated sync API - async validate() requires larger refactor (separate WU)
-import { 
-// eslint-disable-next-line sonarjs/deprecation -- sync API required for current architecture
-validateLaneCodePaths, logLaneValidationWarnings, } from '@lumenflow/core/dist/code-path-validator.js';
+import { validateLaneCodePaths, logLaneValidationWarnings, } from '@lumenflow/core/dist/code-path-validator.js';
 // WU-1574: parseBacklogFrontmatter/getSectionHeadings removed - state store replaces backlog parsing
 import { detectConflicts } from '@lumenflow/core/dist/code-paths-overlap.js';
 import { getGitForCwd, createGitForPath } from '@lumenflow/core/dist/git-adapter.js';
@@ -86,7 +83,6 @@ const PREFIX = LOG_PREFIX.CLAIM;
  */
 function preflightValidateWU(WU_PATH, id) {
     // Check file exists
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     if (!existsSync(WU_PATH)) {
         die(`WU file not found: ${WU_PATH}\n\n` +
             `Cannot claim a WU that doesn't exist.\n\n` +
@@ -96,7 +92,6 @@ function preflightValidateWU(WU_PATH, id) {
             `  3. Check if the WU file was moved or deleted`);
     }
     // Parse and validate YAML structure
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     const text = readFileSync(WU_PATH, { encoding: FILE_SYSTEM.UTF8 });
     let doc;
     try {
@@ -189,7 +184,6 @@ async function updateWUYaml(WU_PATH, id, lane, claimedMode = 'worktree', worktre
     // Read file
     let text;
     try {
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
         text = await readFile(WU_PATH, { encoding: FILE_SYSTEM.UTF8 });
     }
     catch (e) {
@@ -266,7 +260,6 @@ async function updateWUYaml(WU_PATH, id, lane, claimedMode = 'worktree', worktre
     // WU-1352: Use centralized stringify for consistent output
     const out = stringifyYAML(doc);
     // Write file
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes WU files
     await writeFile(WU_PATH, out, { encoding: FILE_SYSTEM.UTF8 });
     // WU-1211: Return both title and initiative for status progression check
     return { title: doc.title || '', initiative: doc.initiative || null };
@@ -326,7 +319,6 @@ async function addOrReplaceInProgressStatus(statusPath, id, title) {
     const rel = `wu/${id}.yaml`;
     const bullet = `- [${id} — ${title}](${rel})`;
     // Read file
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates status file
     const content = await readFile(statusPath, { encoding: FILE_SYSTEM.UTF8 });
     const lines = content.split(STRING_LITERALS.NEWLINE);
     const findHeader = (h) => lines.findIndex((l) => l.trim().toLowerCase() === h.toLowerCase());
@@ -344,7 +336,6 @@ async function addOrReplaceInProgressStatus(statusPath, id, title) {
         return; // already listed
     // Remove "No items" marker if present
     for (let i = startIdx + 1; i < endIdx; i++) {
-        // eslint-disable-next-line security/detect-object-injection -- array index loop
         if (lines[i] && lines[i].includes('No items currently in progress')) {
             lines.splice(i, 1);
             endIdx--;
@@ -354,7 +345,6 @@ async function addOrReplaceInProgressStatus(statusPath, id, title) {
     // Insert bullet right after header
     lines.splice(startIdx + 1, 0, '', bullet);
     // Write file
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool writes status file
     await writeFile(statusPath, lines.join(STRING_LITERALS.NEWLINE), {
         encoding: FILE_SYSTEM.UTF8,
     });
@@ -444,10 +434,8 @@ async function applyStagedChangesToMicroWorktree(worktreePath, stagedChanges) {
             continue;
         }
         const sourcePath = path.join(process.cwd(), filePath);
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool applies staged files
         const contents = await readFile(sourcePath, { encoding: FILE_SYSTEM.UTF8 });
         await mkdir(path.dirname(targetPath), { recursive: true });
-        // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool applies staged files
         await writeFile(targetPath, contents, { encoding: FILE_SYSTEM.UTF8 });
     }
 }
@@ -520,11 +508,9 @@ async function readWUTitle(id) {
         return null;
     }
     // Read file
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     const text = await readFile(p, { encoding: FILE_SYSTEM.UTF8 });
     // Match title field - use RegExp.exec for sonarjs/prefer-regexp-exec compliance
     // Regex is safe: runs on trusted WU YAML files with bounded input
-    // eslint-disable-next-line sonarjs/slow-regex -- Bounded input from WU YAML files
     const titlePattern = /^title:\s*"?([^"\n]+)"?$/m;
     const m = titlePattern.exec(text);
     return m ? m[1] : null;
@@ -546,7 +532,6 @@ async function checkExistingBranchOnlyWU(statusPath, currentWU) {
         return { hasBranchOnly: false, existingWU: null };
     }
     // Read file
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates status file
     const content = await readFile(statusPath, { encoding: FILE_SYSTEM.UTF8 });
     const lines = content.split(STRING_LITERALS.NEWLINE);
     // Find "In Progress" section
@@ -581,7 +566,6 @@ async function checkExistingBranchOnlyWU(statusPath, currentWU) {
         }
         try {
             // Read file
-            // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
             const text = await readFile(wuPath, { encoding: FILE_SYSTEM.UTF8 });
             const doc = parseYAML(text);
             if (doc && doc.claimed_mode === CLAIMED_MODES.BRANCH_ONLY) {
@@ -705,10 +689,8 @@ function handleLaneOccupancy(laneCheck, lane, id, force) {
  * Handle code path overlap detection (WU-901)
  */
 function handleCodePathOverlap(WU_PATH, STATUS_PATH, id, args) {
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     if (!existsSync(WU_PATH))
         return;
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     const wuContent = readFileSync(WU_PATH, { encoding: FILE_SYSTEM.UTF8 });
     const wuDoc = parseYAML(wuContent);
     const codePaths = wuDoc.code_paths || [];
@@ -846,7 +828,6 @@ async function claimBranchOnlyMode(ctx) {
     console.log(`\n${PREFIX} For sub-agent execution:`);
     console.log(`  /wu-prompt ${id}  (generates full context prompt)`);
     // Emit mandatory agent advisory based on code_paths (WU-1324)
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     const wuContent = await readFile(WU_PATH, { encoding: FILE_SYSTEM.UTF8 });
     const wuDoc = parseYAML(wuContent);
     const codePaths = wuDoc.code_paths || [];
@@ -1008,7 +989,6 @@ async function claimWorktreeMode(ctx) {
     // Emit mandatory agent advisory based on code_paths (WU-1324)
     // Read from worktree since that's where the updated YAML is
     const wtWUPathForAdvisory = path.join(worktreePath, WU_PATH);
-    // eslint-disable-next-line security/detect-non-literal-fs-filename -- CLI tool validates WU files
     const wuContent = await readFile(wtWUPathForAdvisory, {
         encoding: FILE_SYSTEM.UTF8,
     });
@@ -1226,7 +1206,6 @@ async function main() {
         console.warn(`${PREFIX} ${wipJustificationCheck.warning}`);
     }
     // WU-1372: Lane-to-code_paths consistency check (advisory only, never blocks)
-    // eslint-disable-next-line sonarjs/deprecation -- sync API required for current architecture
     const laneValidation = validateLaneCodePaths(doc, args.lane);
     logLaneValidationWarnings(laneValidation, PREFIX);
     // WU-1361: YAML schema validation at claim time

package/dist/wu-cleanup.js

@@ -29,7 +29,6 @@ import { isGhCliAvailable } from '@lumenflow/core/dist/wu-done-pr.js';
 import { BOX, CLEANUP_GUARD, EXIT_CODES, FILE_SYSTEM, LOG_PREFIX, REMOTES, STRING_LITERALS, WU_STATUS, } from '@lumenflow/core/dist/wu-constants.js';
 // WU-2278: Import ownership validation for cross-agent protection
 import { validateWorktreeOwnership } from '@lumenflow/core/dist/worktree-ownership.js';
-/* eslint-disable security/detect-non-literal-fs-filename */
 const CLEANUP_OPTIONS = {
     artifacts: {
         name: 'artifacts',

package/dist/wu-create.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console -- CLI tool requires console output */
 /**
  * WU Create Helper (WU-1262, WU-1439)
  *
@@ -491,7 +490,6 @@ async function getDefaultAssignedTo() {
         return '';
     }
 }
-// eslint-disable-next-line sonarjs/cognitive-complexity -- main() orchestrates multi-step WU creation workflow
 async function main() {
     const args = createWUParser({
         name: 'wu-create',