npm - @lumenflow/cli - Versions diffs - 3.16.0 → 3.17.0 - Mend

@lumenflow/cli 3.16.0 → 3.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/README.md +1 -3
package/dist/config-get.js +3 -3
package/dist/config-get.js.map +1 -1
package/dist/config-set.js +3 -3
package/dist/config-set.js.map +1 -1
package/dist/docs-sync.js +302 -57
package/dist/docs-sync.js.map +1 -1
package/dist/doctor.js +3 -3
package/dist/doctor.js.map +1 -1
package/dist/gate-defaults.js +3 -0
package/dist/gate-defaults.js.map +1 -1
package/dist/gates-plan-resolvers.js +3 -4
package/dist/gates-plan-resolvers.js.map +1 -1
package/dist/gates-runners.js +48 -0
package/dist/gates-runners.js.map +1 -1
package/dist/gates-utils.js +64 -3
package/dist/gates-utils.js.map +1 -1
package/dist/gates.js +2 -1
package/dist/gates.js.map +1 -1
package/dist/init-scaffolding.js +28 -1
package/dist/init-scaffolding.js.map +1 -1
package/dist/init-templates.js +6 -2
package/dist/init-templates.js.map +1 -1
package/dist/init.js +22 -25
package/dist/init.js.map +1 -1
package/dist/lane-create.js +2 -2
package/dist/lane-create.js.map +1 -1
package/dist/lane-edit.js +2 -2
package/dist/lane-edit.js.map +1 -1
package/dist/lane-lock.js +8 -6
package/dist/lane-lock.js.map +1 -1
package/dist/lane-setup.js +7 -5
package/dist/lane-setup.js.map +1 -1
package/dist/lane-status.js +7 -5
package/dist/lane-status.js.map +1 -1
package/dist/lane-validate.js +8 -6
package/dist/lane-validate.js.map +1 -1
package/dist/lumenflow-upgrade.js +22 -13
package/dist/lumenflow-upgrade.js.map +1 -1
package/dist/onboard.js +15 -16
package/dist/onboard.js.map +1 -1
package/dist/orchestrate-initiative.js +29 -8
package/dist/orchestrate-initiative.js.map +1 -1
package/dist/state-doctor.js +3 -4
package/dist/state-doctor.js.map +1 -1
package/dist/wu-done-policies.js +38 -0
package/dist/wu-done-policies.js.map +1 -1
package/dist/wu-edit-operations.js +27 -24
package/dist/wu-edit-operations.js.map +1 -1
package/dist/wu-edit-validators.js +68 -0
package/dist/wu-edit-validators.js.map +1 -1
package/dist/wu-edit.js +11 -3
package/dist/wu-edit.js.map +1 -1
package/package.json +8 -8
package/packs/sidekick/.turbo/turbo-build.log +1 -1
package/packs/sidekick/package.json +1 -1
package/packs/software-delivery/.turbo/turbo-build.log +1 -1
package/packs/software-delivery/package.json +1 -1
package/templates/core/AGENTS.md.template +2 -1
package/templates/core/LUMENFLOW.md.template +5 -1
package/templates/core/UPGRADING.md.template +14 -10
package/templates/core/ai/onboarding/initiative-orchestration.md.template +1 -1
package/templates/core/ai/onboarding/quick-ref-commands.md.template +11 -10
package/templates/core/ai/onboarding/starting-prompt.md.template +3 -3
package/templates/vendors/claude/.claude/CLAUDE.md.template +2 -1
package/templates/vendors/cursor/.cursor/rules/lumenflow.md.template +2 -1
package/templates/vendors/windsurf/.windsurf/rules/lumenflow.md.template +2 -1
package/dist/chunk-2D2VOCA4.js +0 -37
package/dist/chunk-2D5KFYGX.js +0 -284
package/dist/chunk-2GXVIN57.js +0 -14072
package/dist/chunk-2MQ7HZWZ.js +0 -26
package/dist/chunk-2UFQ3A3C.js +0 -643
package/dist/chunk-3RG5ZIWI.js +0 -10
package/dist/chunk-4N74J3UT.js +0 -15
package/dist/chunk-5GTOXFYR.js +0 -392
package/dist/chunk-5VY6MQMC.js +0 -240
package/dist/chunk-67XVPMRY.js +0 -1297
package/dist/chunk-6HO4GWJE.js +0 -164
package/dist/chunk-6W5XHWYV.js +0 -1890
package/dist/chunk-6X4EMYJQ.js +0 -64
package/dist/chunk-6XYXI2NQ.js +0 -772
package/dist/chunk-7ANSOV6Q.js +0 -285
package/dist/chunk-A624LFLB.js +0 -1380
package/dist/chunk-ADN5NHG4.js +0 -126
package/dist/chunk-B7YJYJKG.js +0 -33
package/dist/chunk-CCLHCPKG.js +0 -210
package/dist/chunk-CK36VROC.js +0 -1584
package/dist/chunk-D3UOFRSB.js +0 -81
package/dist/chunk-DFR4DJBM.js +0 -230
package/dist/chunk-DSYBDHYH.js +0 -79
package/dist/chunk-DWMLTXKQ.js +0 -1176
package/dist/chunk-E3REJTAJ.js +0 -28
package/dist/chunk-EA3IVO64.js +0 -633
package/dist/chunk-EK2AKZKD.js +0 -55
package/dist/chunk-ELD7JTTT.js +0 -343
package/dist/chunk-EX6TT2XI.js +0 -195
package/dist/chunk-EXINSFZE.js +0 -82
package/dist/chunk-EZ6ZBYBM.js +0 -510
package/dist/chunk-FBKAPTJ2.js +0 -16
package/dist/chunk-FVLV5RYH.js +0 -1118
package/dist/chunk-GDNSBQVK.js +0 -2485
package/dist/chunk-GPQHMBNN.js +0 -278
package/dist/chunk-GTFJB67L.js +0 -68
package/dist/chunk-HANJXVKW.js +0 -1127
package/dist/chunk-HEVS5YLD.js +0 -269
package/dist/chunk-HMEVZKPQ.js +0 -9
package/dist/chunk-HRGSYNLM.js +0 -3511
package/dist/chunk-ISZR5N4K.js +0 -60
package/dist/chunk-J6SUPR2C.js +0 -226
package/dist/chunk-JERYVEIZ.js +0 -244
package/dist/chunk-JHHWGL2N.js +0 -87
package/dist/chunk-JONWQUB5.js +0 -775
package/dist/chunk-K2DIWWDM.js +0 -1766
package/dist/chunk-KY4PGL5V.js +0 -969
package/dist/chunk-L737LQ4C.js +0 -1285
package/dist/chunk-LFTWYIB2.js +0 -497
package/dist/chunk-LV47RFNJ.js +0 -41
package/dist/chunk-MKSAITI7.js +0 -15
package/dist/chunk-MZ7RKIX4.js +0 -212
package/dist/chunk-NAP6CFSO.js +0 -84
package/dist/chunk-ND6MY37M.js +0 -16
package/dist/chunk-NMG736UR.js +0 -683
package/dist/chunk-NRAXROED.js +0 -32
package/dist/chunk-NRIZR3A7.js +0 -690
package/dist/chunk-NX43BG3M.js +0 -233
package/dist/chunk-O645XLSI.js +0 -297
package/dist/chunk-OMJD6A3S.js +0 -235
package/dist/chunk-QB6SJD4T.js +0 -430
package/dist/chunk-QFSTL4J3.js +0 -276
package/dist/chunk-QLGDFMFX.js +0 -212
package/dist/chunk-RIAAGL2E.js +0 -13
package/dist/chunk-RWO5XMZ6.js +0 -86
package/dist/chunk-RXRKBBSM.js +0 -149
package/dist/chunk-RZOZMML6.js +0 -363
package/dist/chunk-U7I7FS7T.js +0 -113
package/dist/chunk-UI42RODY.js +0 -717
package/dist/chunk-UTVMVSCO.js +0 -519
package/dist/chunk-V6OJGLBA.js +0 -1746
package/dist/chunk-W2JHVH7D.js +0 -152
package/dist/chunk-WD3Y7VQN.js +0 -280
package/dist/chunk-WOCTQ5MS.js +0 -303
package/dist/chunk-WZR3ZUNN.js +0 -696
package/dist/chunk-XGI665H7.js +0 -150
package/dist/chunk-XKY65P2T.js +0 -304
package/dist/chunk-Y4CQZY65.js +0 -57
package/dist/chunk-YFEXKLVE.js +0 -194
package/dist/chunk-YHO3HS5X.js +0 -287
package/dist/chunk-YLS7AZSX.js +0 -738
package/dist/chunk-ZE473AO6.js +0 -49
package/dist/chunk-ZF747T3O.js +0 -644
package/dist/chunk-ZHCZHZH3.js +0 -43
package/dist/chunk-ZZNZX2XY.js +0 -87
package/dist/constants-7QAP3VQ4.js +0 -23
package/dist/dist-IY3UUMWK.js +0 -33
package/dist/invariants-runner-W5RGHCSU.js +0 -27
package/dist/lane-lock-6J36HD5O.js +0 -35
package/dist/mem-checkpoint-core-EANG2GVN.js +0 -14
package/dist/mem-signal-core-2LZ2WYHW.js +0 -19
package/dist/memory-store-OLB5FO7K.js +0 -18
package/dist/service-6BYCOCO5.js +0 -13
package/dist/spawn-policy-resolver-NTSZYQ6R.js +0 -17
package/dist/spawn-task-builder-R4E2BHSW.js +0 -22
package/dist/wu-done-pr-WLFFFEPJ.js +0 -25
package/dist/wu-done-validation-3J5E36FE.js +0 -30
package/dist/wu-duplicate-id-detector-5S7JHELK.js +0 -232
package/packs/sidekick/.turbo/turbo-typecheck.log +0 -4
package/packs/software-delivery/.turbo/turbo-typecheck.log +0 -4

package/dist/chunk-HANJXVKW.js DELETED Viewed

@@ -1,1127 +0,0 @@
-// ../kernel/dist/shared-constants.js
-var UTF8_ENCODING = "utf8";
-var BASE64_ENCODING = "base64";
-var SHA256_ALGORITHM = "sha256";
-var SHA256_HEX_LENGTH = 64;
-var SHA256_HEX_REGEX = /^[a-f0-9]{64}$/;
-var SHA256_INTEGRITY_PREFIX = "sha256:";
-var SHA256_INTEGRITY_REGEX = /^sha256:[a-f0-9]{64}$/;
-var WORKSPACE_FILE_NAME = "workspace.yaml";
-var GIT_DIR_NAME = ".git";
-var PACKS_DIR_NAME = "packs";
-var PACK_MANIFEST_FILE_NAME = "manifest.yaml";
-var PACKAGES_DIR_NAME = "packages";
-var LUMENFLOW_SCOPE_NAME = "@lumenflow";
-var LUMENFLOW_DIR_NAME = ".lumenflow";
-var KERNEL_RUNTIME_ROOT_DIR_NAME = "kernel";
-var KERNEL_RUNTIME_TASKS_DIR_NAME = "tasks";
-var KERNEL_RUNTIME_EVENTS_DIR_NAME = "events";
-var KERNEL_RUNTIME_EVIDENCE_DIR_NAME = "evidence";
-var KERNEL_RUNTIME_EVENTS_FILE_NAME = "events.jsonl";
-var KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME = "events.lock";
-var RESERVED_FRAMEWORK_SCOPE_ROOT = LUMENFLOW_DIR_NAME;
-var RESERVED_FRAMEWORK_SCOPE_PREFIX = `${LUMENFLOW_DIR_NAME}/`;
-var RESERVED_FRAMEWORK_SCOPE_GLOB = `${LUMENFLOW_DIR_NAME}/**`;
-var DEFAULT_WORKSPACE_CONFIG_HASH = "0".repeat(SHA256_HEX_LENGTH);
-var DEFAULT_KERNEL_RUNTIME_VERSION = "kernel-dev";
-var WORKSPACE_CONFIG_HASH_CONTEXT_KEYS = {
-  WORKSPACE_FILE_MISSING: "workspace_file_missing"
-};
-var EXECUTION_METADATA_KEYS = {
-  WORKSPACE_ALLOWED_SCOPES: "workspace_allowed_scopes",
-  LANE_ALLOWED_SCOPES: "lane_allowed_scopes",
-  TASK_DECLARED_SCOPES: "task_declared_scopes",
-  WORKSPACE_CONFIG_HASH: "workspace_config_hash",
-  RUNTIME_VERSION: "runtime_version",
-  PACK_ID: "pack_id",
-  PACK_VERSION: "pack_version",
-  PACK_INTEGRITY: "pack_integrity"
-};
-var KERNEL_POLICY_IDS = {
-  ALLOW_ALL: "kernel.policy.allow-all",
-  RUNTIME_FALLBACK: "kernel.policy.runtime-fallback",
-  BUILTIN_DEFAULT: "kernel.policy.builtin-default",
-  PROC_EXEC_DEFAULT_DENY: "kernel.policy.proc-exec-default-deny",
-  SCOPE_RESERVED_PATH: "kernel.scope.reserved-path",
-  SCOPE_BOUNDARY: "kernel.scope.boundary",
-  RECONCILIATION: "kernel.reconciliation",
-  APPROVAL_REQUIRED: "kernel.policy.approval-required"
-};
-// ../kernel/dist/kernel.schemas.js
-import { z } from "zod";
-// ../kernel/dist/event-kinds.js
-var KERNEL_EVENT_KINDS = {
-  TASK_CREATED: "task_created",
-  TASK_CLAIMED: "task_claimed",
-  TASK_BLOCKED: "task_blocked",
-  TASK_UNBLOCKED: "task_unblocked",
-  TASK_WAITING: "task_waiting",
-  TASK_RESUMED: "task_resumed",
-  TASK_COMPLETED: "task_completed",
-  TASK_RELEASED: "task_released",
-  TASK_DELEGATED: "task_delegated",
-  RUN_STARTED: "run_started",
-  RUN_PAUSED: "run_paused",
-  RUN_FAILED: "run_failed",
-  RUN_SUCCEEDED: "run_succeeded",
-  WORKSPACE_UPDATED: "workspace_updated",
-  WORKSPACE_WARNING: "workspace_warning",
-  SPEC_TAMPERED: "spec_tampered",
-  CHECKPOINT: "checkpoint"
-};
-var TASK_EVENT_KINDS = [
-  KERNEL_EVENT_KINDS.TASK_CREATED,
-  KERNEL_EVENT_KINDS.TASK_CLAIMED,
-  KERNEL_EVENT_KINDS.TASK_BLOCKED,
-  KERNEL_EVENT_KINDS.TASK_UNBLOCKED,
-  KERNEL_EVENT_KINDS.TASK_WAITING,
-  KERNEL_EVENT_KINDS.TASK_RESUMED,
-  KERNEL_EVENT_KINDS.TASK_COMPLETED,
-  KERNEL_EVENT_KINDS.TASK_RELEASED,
-  KERNEL_EVENT_KINDS.TASK_DELEGATED
-];
-var RUN_LIFECYCLE_EVENT_KINDS = [
-  KERNEL_EVENT_KINDS.RUN_STARTED,
-  KERNEL_EVENT_KINDS.RUN_PAUSED,
-  KERNEL_EVENT_KINDS.RUN_FAILED,
-  KERNEL_EVENT_KINDS.RUN_SUCCEEDED
-];
-var TASK_EVENT_KIND_SET = new Set(TASK_EVENT_KINDS);
-var RUN_LIFECYCLE_EVENT_KIND_SET = new Set(RUN_LIFECYCLE_EVENT_KINDS);
-function isTaskEventKind(kind) {
-  return TASK_EVENT_KIND_SET.has(kind);
-}
-function isRunLifecycleEventKind(kind) {
-  return RUN_LIFECYCLE_EVENT_KIND_SET.has(kind);
-}
-var TOOL_TRACE_KINDS = {
-  TOOL_CALL_STARTED: "tool_call_started",
-  TOOL_CALL_FINISHED: "tool_call_finished"
-};
-// ../kernel/dist/kernel.schemas.js
-var ISO_DATETIME_SCHEMA = z.string().datetime();
-var SEMVER_REGEX = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
-var SEMVER_MESSAGE = "Expected semantic version";
-var RUN_STATUSES = {
-  PLANNED: "planned",
-  EXECUTING: "executing",
-  PAUSED: "paused",
-  FAILED: "failed",
-  SUCCEEDED: "succeeded"
-};
-var RUN_STATUS_VALUES = [
-  RUN_STATUSES.PLANNED,
-  RUN_STATUSES.EXECUTING,
-  RUN_STATUSES.PAUSED,
-  RUN_STATUSES.FAILED,
-  RUN_STATUSES.SUCCEEDED
-];
-var TOOL_HANDLER_KINDS = {
-  IN_PROCESS: "in-process",
-  SUBPROCESS: "subprocess"
-};
-var TOOL_HANDLER_KIND_VALUES = [
-  TOOL_HANDLER_KINDS.IN_PROCESS,
-  TOOL_HANDLER_KINDS.SUBPROCESS
-];
-var TOOL_ERROR_CODES = {
-  TOOL_NOT_FOUND: "TOOL_NOT_FOUND",
-  SCOPE_DENIED: "SCOPE_DENIED",
-  POLICY_DENIED: "POLICY_DENIED",
-  APPROVAL_REQUIRED: "APPROVAL_REQUIRED",
-  INVALID_INPUT: "INVALID_INPUT",
-  INVALID_OUTPUT: "INVALID_OUTPUT",
-  TOOL_EXECUTION_FAILED: "TOOL_EXECUTION_FAILED"
-};
-var ToolScopePathSchema = z.object({
-  type: z.literal("path"),
-  pattern: z.string().min(1),
-  access: z.enum(["read", "write"])
-});
-var ToolScopeNetworkBaseSchema = z.object({
-  type: z.literal("network"),
-  posture: z.enum(["off", "full", "allowlist"]),
-  allowlist_entries: z.array(z.string().min(1)).min(1).optional()
-});
-var ToolScopeNetworkSchema = ToolScopeNetworkBaseSchema.refine((data) => {
-  if (data.posture === "allowlist") {
-    return data.allowlist_entries !== void 0 && data.allowlist_entries.length > 0;
-  }
-  return true;
-}, { message: "allowlist_entries required when posture is allowlist" });
-var ToolScopeSchema = z.discriminatedUnion("type", [ToolScopePathSchema, ToolScopeNetworkBaseSchema]).refine((data) => {
-  if (data.type === "network" && data.posture === "allowlist") {
-    return data.allowlist_entries !== void 0 && data.allowlist_entries.length > 0;
-  }
-  return true;
-}, { message: "allowlist_entries required when posture is allowlist" });
-var AcceptanceSchema = z.union([
-  z.array(z.string().min(1)).min(1),
-  z.record(z.string().min(1), z.array(z.string().min(1)).min(1))
-]);
-var TaskSpecSchema = z.object({
-  id: z.string().min(1),
-  workspace_id: z.string().min(1),
-  lane_id: z.string().min(1),
-  domain: z.string().min(1),
-  title: z.string().min(1),
-  description: z.string().min(1),
-  acceptance: AcceptanceSchema,
-  declared_scopes: z.array(ToolScopeSchema),
-  expected_artifacts: z.array(z.string().min(1)).optional(),
-  risk: z.enum(["low", "medium", "high", "critical"]),
-  blocks: z.array(z.string().min(1)).optional(),
-  blocked_by: z.array(z.string().min(1)).optional(),
-  extensions: z.record(z.string(), z.unknown()).optional(),
-  type: z.string().min(1),
-  priority: z.enum(["P0", "P1", "P2", "P3"]),
-  created: z.string().date(),
-  labels: z.array(z.string().min(1)).optional()
-});
-var RunSchema = z.object({
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  status: z.enum(RUN_STATUS_VALUES),
-  started_at: ISO_DATETIME_SCHEMA,
-  completed_at: ISO_DATETIME_SCHEMA.optional(),
-  by: z.string().min(1),
-  session_id: z.string().min(1)
-});
-var TaskStateSchema = z.object({
-  task_id: z.string().min(1),
-  status: z.enum(["ready", "active", "blocked", "waiting", "done"]),
-  claimed_at: ISO_DATETIME_SCHEMA.optional(),
-  claimed_by: z.string().min(1).optional(),
-  session_id: z.string().min(1).optional(),
-  blocked_reason: z.string().min(1).optional(),
-  completed_at: ISO_DATETIME_SCHEMA.optional(),
-  current_run: RunSchema.optional(),
-  run_count: z.number().int().nonnegative(),
-  domain_state: z.record(z.string(), z.unknown()).optional()
-});
-var PackPinSchema = z.object({
-  id: z.string().min(1),
-  version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  integrity: z.union([
-    z.literal("dev"),
-    z.string().regex(SHA256_INTEGRITY_REGEX, "Expected dev or sha256:<64-hex>")
-  ]),
-  source: z.enum(["local", "git", "registry"]),
-  url: z.string().url().optional(),
-  /** Registry base URL override. When omitted, uses PackLoader's defaultRegistryUrl. */
-  registry_url: z.string().url().optional()
-});
-var LaneSpecSchema = z.object({
-  id: z.string().min(1),
-  title: z.string().min(1),
-  allowed_scopes: z.array(ToolScopeSchema).default([]),
-  wip_limit: z.number().int().positive().optional(),
-  policy_overrides: z.record(z.string(), z.unknown()).optional()
-});
-var WorkspaceControlPlanePolicyModeSchema = z.enum([
-  "authoritative",
-  "tighten-only",
-  "dev-override"
-]);
-var CONTROL_PLANE_AUTH_TOKEN_ENV_PATTERN = /^[A-Z][A-Z0-9_]*$/;
-var WorkspaceControlPlaneAuthConfigSchema = z.object({
-  token_env: z.string().regex(CONTROL_PLANE_AUTH_TOKEN_ENV_PATTERN, "Expected uppercase environment variable name")
-}).strict();
-var WorkspaceControlPlaneConfigSchema = z.object({
-  endpoint: z.string().url(),
-  org_id: z.string().min(1),
-  project_id: z.string().min(1),
-  sync_interval: z.number().int().positive(),
-  policy_mode: WorkspaceControlPlanePolicyModeSchema,
-  auth: WorkspaceControlPlaneAuthConfigSchema
-}).strict();
-var WorkspaceSpecSchema = z.object({
-  id: z.string().min(1),
-  name: z.string().min(1),
-  packs: z.array(PackPinSchema),
-  lanes: z.array(LaneSpecSchema),
-  policies: z.record(z.string(), z.unknown()).optional(),
-  security: z.object({
-    allowed_scopes: z.array(ToolScopeSchema),
-    network_default: z.enum(["off", "full"]),
-    deny_overlays: z.array(z.string().min(1))
-  }),
-  software_delivery: z.record(z.string(), z.unknown()).optional(),
-  control_plane: WorkspaceControlPlaneConfigSchema.optional(),
-  memory_namespace: z.string().min(1),
-  event_namespace: z.string().min(1)
-});
-var KERNEL_OWNED_ROOT_KEYS = [
-  "id",
-  "name",
-  "packs",
-  "lanes",
-  "policies",
-  "security",
-  "control_plane",
-  "memory_namespace",
-  "event_namespace"
-];
-var KNOWN_PACK_CONFIG_KEY_MIGRATIONS = {
-  software_delivery: {
-    packId: "software-delivery",
-    packLabel: "software-delivery"
-  }
-};
-function validateWorkspaceRootKeys(workspaceData, packManifests, availableManifests = []) {
-  const kernelKeys = new Set(KERNEL_OWNED_ROOT_KEYS);
-  const packConfigKeys = /* @__PURE__ */ new Set();
-  for (const manifest of packManifests) {
-    if (manifest.config_key) {
-      packConfigKeys.add(manifest.config_key);
-    }
-  }
-  const errors = [];
-  for (const key of Object.keys(workspaceData)) {
-    if (kernelKeys.has(key)) {
-      continue;
-    }
-    if (packConfigKeys.has(key)) {
-      continue;
-    }
-    const migration = KNOWN_PACK_CONFIG_KEY_MIGRATIONS[key];
-    if (migration) {
-      const availableManifest = availableManifests.find((m) => m.id === migration.packId) ?? packManifests.find((m) => m.id === migration.packId);
-      const versionFlag = availableManifest ? `--version ${availableManifest.version}` : "--version latest";
-      errors.push(`Your workspace has a "${key}" config block but the ${migration.packLabel} pack is not pinned. Since LumenFlow 3.x, pack config keys require explicit pack pinning. Add the ${migration.packLabel} pack to your workspace:
-  pnpm pack:install --id ${migration.packId} --source registry ${versionFlag}`);
-      continue;
-    }
-    errors.push(`Unknown workspace root key "${key}". Only kernel-owned keys and pack-declared config_keys are allowed. If this key belongs to a pack, ensure the pack is pinned and declares config_key in its manifest.`);
-  }
-  return {
-    valid: errors.length === 0,
-    errors
-  };
-}
-var KernelEventBaseSchema = z.object({
-  schema_version: z.literal(1),
-  timestamp: ISO_DATETIME_SCHEMA
-});
-var TaskEventBaseSchema = KernelEventBaseSchema.extend({
-  task_id: z.string().min(1)
-});
-var RunEventBaseSchema = TaskEventBaseSchema.extend({
-  run_id: z.string().min(1)
-});
-var TaskCreatedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_CREATED),
-  spec_hash: z.string().regex(SHA256_HEX_REGEX)
-});
-var TaskClaimedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_CLAIMED),
-  by: z.string().min(1),
-  session_id: z.string().min(1),
-  domain_data: z.record(z.string(), z.unknown()).optional()
-});
-var TaskBlockedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_BLOCKED),
-  reason: z.string().min(1)
-});
-var TaskUnblockedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_UNBLOCKED)
-});
-var TaskWaitingEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_WAITING),
-  reason: z.string().min(1),
-  wait_for: z.string().min(1).optional()
-});
-var TaskResumedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_RESUMED)
-});
-var TaskCompletedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_COMPLETED),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var TaskReleasedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_RELEASED),
-  reason: z.string().min(1)
-});
-var TaskDelegatedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_DELEGATED),
-  parent_task_id: z.string().min(1),
-  delegation_id: z.string().min(1)
-});
-var RunStartedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_STARTED),
-  by: z.string().min(1),
-  session_id: z.string().min(1)
-});
-var RunPausedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_PAUSED),
-  reason: z.string().min(1)
-});
-var RunFailedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_FAILED),
-  reason: z.string().min(1),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var RunSucceededEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_SUCCEEDED),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var WorkspaceUpdatedEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.WORKSPACE_UPDATED),
-  config_hash: z.string().regex(SHA256_HEX_REGEX),
-  changes_summary: z.string().min(1)
-});
-var WorkspaceWarningEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.WORKSPACE_WARNING),
-  message: z.string().min(1)
-});
-var SpecTamperedEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.SPEC_TAMPERED),
-  spec: z.enum(["task", "workspace"]),
-  id: z.string().min(1),
-  expected_hash: z.string().regex(SHA256_HEX_REGEX),
-  actual_hash: z.string().regex(SHA256_HEX_REGEX)
-});
-var CheckpointEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.CHECKPOINT),
-  run_id: z.string().min(1).optional(),
-  note: z.string().min(1),
-  progress: z.string().min(1).optional()
-});
-var KernelEventSchema = z.discriminatedUnion("kind", [
-  TaskCreatedEventSchema,
-  TaskClaimedEventSchema,
-  TaskBlockedEventSchema,
-  TaskUnblockedEventSchema,
-  TaskWaitingEventSchema,
-  TaskResumedEventSchema,
-  TaskCompletedEventSchema,
-  TaskReleasedEventSchema,
-  TaskDelegatedEventSchema,
-  RunStartedEventSchema,
-  RunPausedEventSchema,
-  RunFailedEventSchema,
-  RunSucceededEventSchema,
-  WorkspaceUpdatedEventSchema,
-  WorkspaceWarningEventSchema,
-  SpecTamperedEventSchema,
-  CheckpointEventSchema
-]);
-var PolicyDecisionSchema = z.object({
-  policy_id: z.string().min(1),
-  decision: z.enum(["allow", "deny", "approval_required"]),
-  reason: z.string().min(1).optional()
-});
-var ToolCallStartedSchema = z.object({
-  schema_version: z.literal(1),
-  kind: z.literal(TOOL_TRACE_KINDS.TOOL_CALL_STARTED),
-  receipt_id: z.string().min(1),
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  session_id: z.string().min(1),
-  timestamp: ISO_DATETIME_SCHEMA,
-  tool_name: z.string().min(1),
-  execution_mode: z.enum(TOOL_HANDLER_KIND_VALUES),
-  scope_requested: z.array(ToolScopeSchema),
-  scope_allowed: z.array(ToolScopeSchema),
-  scope_enforced: z.array(ToolScopeSchema),
-  input_hash: z.string().regex(SHA256_HEX_REGEX),
-  input_ref: z.string().min(1),
-  tool_version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  pack_id: z.string().min(1).optional(),
-  pack_version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE).optional(),
-  pack_integrity: z.string().optional(),
-  workspace_config_hash: z.string().regex(SHA256_HEX_REGEX),
-  runtime_version: z.string().min(1)
-});
-var ToolCallFinishedSchema = z.object({
-  schema_version: z.literal(1),
-  kind: z.literal(TOOL_TRACE_KINDS.TOOL_CALL_FINISHED),
-  receipt_id: z.string().min(1),
-  timestamp: ISO_DATETIME_SCHEMA,
-  result: z.enum(["success", "failure", "denied", "crashed"]),
-  duration_ms: z.number().int().nonnegative(),
-  output_hash: z.string().regex(SHA256_HEX_REGEX).optional(),
-  output_ref: z.string().min(1).optional(),
-  redaction_summary: z.string().min(1).optional(),
-  scope_enforcement_note: z.string().min(1).optional(),
-  policy_decisions: z.array(PolicyDecisionSchema),
-  artifacts_written: z.array(z.string().min(1)).optional()
-});
-var ToolTraceEntrySchema = z.discriminatedUnion("kind", [
-  ToolCallStartedSchema,
-  ToolCallFinishedSchema
-]);
-var ToolErrorSchema = z.object({
-  code: z.string().min(1),
-  message: z.string().min(1),
-  details: z.record(z.string(), z.unknown()).optional()
-});
-var ToolOutputSchema = z.object({
-  success: z.boolean(),
-  data: z.unknown().optional(),
-  error: ToolErrorSchema.optional(),
-  metadata: z.record(z.string(), z.unknown()).optional()
-});
-var ExecutionContextSchema = z.object({
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  session_id: z.string().min(1),
-  allowed_scopes: z.array(ToolScopeSchema),
-  metadata: z.record(z.string(), z.unknown()).optional()
-});
-var ZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, {
-  message: "Expected a Zod schema"
-});
-var InProcessToolHandlerSchema = z.object({
-  kind: z.literal(TOOL_HANDLER_KINDS.IN_PROCESS),
-  fn: z.custom((value) => typeof value === "function", {
-    message: "Expected an async tool function"
-  })
-});
-var SubprocessToolHandlerSchema = z.object({
-  kind: z.literal(TOOL_HANDLER_KINDS.SUBPROCESS),
-  entry: z.string().min(1)
-});
-var ToolHandlerSchema = z.discriminatedUnion("kind", [
-  InProcessToolHandlerSchema,
-  SubprocessToolHandlerSchema
-]);
-var ToolCapabilitySchema = z.object({
-  name: z.string().min(1),
-  domain: z.string().min(1),
-  version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  input_schema: ZodSchemaSchema,
-  output_schema: ZodSchemaSchema.optional(),
-  permission: z.enum(["read", "write", "admin"]),
-  required_scopes: z.array(ToolScopeSchema),
-  handler: ToolHandlerSchema,
-  description: z.string().min(1),
-  pack: z.string().min(1).optional()
-});
-// ../kernel/dist/pack/hash.js
-import { createHash } from "crypto";
-import { readdir, readFile } from "fs/promises";
-import path from "path";
-var NULL_BYTE_BUFFER = Buffer.from([0]);
-var DEFAULT_EXCLUSIONS = ["node_modules/", `${GIT_DIR_NAME}/`, "dist/", ".DS_Store"];
-function normalizeRelativePath(root, absolutePath) {
-  return path.relative(root, absolutePath).split(path.sep).join("/");
-}
-function shouldExclude(relativePath, exclusions) {
-  return exclusions.some((excluded) => {
-    if (excluded.endsWith("/")) {
-      return relativePath.startsWith(excluded);
-    }
-    return relativePath === excluded || relativePath.endsWith(`/${excluded}`);
-  });
-}
-async function collectFilesRecursive(root, directory) {
-  const entries = await readdir(directory, { withFileTypes: true });
-  const sortedEntries = [...entries].sort((left, right) => left.name.localeCompare(right.name));
-  const files = [];
-  for (const entry of sortedEntries) {
-    const absolutePath = path.join(directory, entry.name);
-    const relativePath = normalizeRelativePath(root, absolutePath);
-    if (entry.isDirectory()) {
-      files.push(...await collectFilesRecursive(root, absolutePath));
-      continue;
-    }
-    files.push(relativePath);
-  }
-  return files;
-}
-async function listPackFiles(packRoot, exclusions = DEFAULT_EXCLUSIONS) {
-  const absoluteRoot = path.resolve(packRoot);
-  const allFiles = await collectFilesRecursive(absoluteRoot, absoluteRoot);
-  return allFiles.filter((relativePath) => !shouldExclude(relativePath, exclusions)).sort();
-}
-async function computeDeterministicPackHash(input) {
-  const absoluteRoot = path.resolve(input.packRoot);
-  const files = await listPackFiles(absoluteRoot, input.exclusions || DEFAULT_EXCLUSIONS);
-  const digestChunks = [];
-  for (const relativePath of files) {
-    const fileContents = await readFile(path.join(absoluteRoot, relativePath));
-    const fileHash = createHash(SHA256_ALGORITHM).update(fileContents).digest("hex");
-    digestChunks.push(Buffer.from(relativePath, UTF8_ENCODING));
-    digestChunks.push(NULL_BYTE_BUFFER);
-    digestChunks.push(Buffer.from(fileHash, UTF8_ENCODING));
-    digestChunks.push(NULL_BYTE_BUFFER);
-  }
-  return createHash(SHA256_ALGORITHM).update(digestChunks.length === 0 ? Buffer.alloc(0) : Buffer.concat(digestChunks)).digest("hex");
-}
-// ../kernel/dist/pack/manifest.js
-import { z as z2 } from "zod";
-// ../kernel/dist/policy/policy-engine.js
-var POLICY_TRIGGERS = {
-  ON_TOOL_REQUEST: "on_tool_request",
-  ON_CLAIM: "on_claim",
-  ON_COMPLETION: "on_completion",
-  ON_EVIDENCE_ADDED: "on_evidence_added"
-};
-var POLICY_LAYER_ORDER = ["workspace", "lane", "pack", "task"];
-function layerOrderScore(level) {
-  const index = POLICY_LAYER_ORDER.indexOf(level);
-  return index < 0 ? POLICY_LAYER_ORDER.length : index;
-}
-function matchingRules(layer, context) {
-  return layer.rules.filter((rule) => {
-    if (rule.trigger !== context.trigger) {
-      return false;
-    }
-    if (!rule.when) {
-      return true;
-    }
-    return rule.when(context);
-  });
-}
-function canLoosen(layer) {
-  return layer.allow_loosening === true;
-}
-var PolicyEngine = class {
-  layers;
-  constructor(options) {
-    this.layers = [...options.layers].sort((left, right) => layerOrderScore(left.level) - layerOrderScore(right.level));
-  }
-  async evaluate(context) {
-    let effectiveDecision = "deny";
-    let hasInitializedDecision = false;
-    let hasHardDeny = false;
-    let hasApprovalRequired = false;
-    const warnings = [];
-    const decisions = [];
-    for (const layer of this.layers) {
-      if (!hasInitializedDecision) {
-        if (layer.default_decision) {
-          effectiveDecision = layer.default_decision;
-        }
-        hasInitializedDecision = true;
-      } else if (layer.default_decision) {
-        if (effectiveDecision === "deny" && layer.default_decision === "allow" && !canLoosen(layer)) {
-          warnings.push(`Policy layer "${layer.level}" attempted loosening default decision without explicit opt-in.`);
-        } else {
-          effectiveDecision = layer.default_decision;
-        }
-      }
-      const layerRules = matchingRules(layer, context);
-      for (const rule of layerRules) {
-        decisions.push({
-          policy_id: rule.id,
-          decision: rule.decision,
-          reason: rule.reason
-        });
-        if (rule.decision === "deny") {
-          hasHardDeny = true;
-          effectiveDecision = "deny";
-          continue;
-        }
-        if (rule.decision === "approval_required") {
-          hasApprovalRequired = true;
-          if (effectiveDecision !== "deny" || canLoosen(layer)) {
-            effectiveDecision = "approval_required";
-          }
-          continue;
-        }
-        if (effectiveDecision === "deny" && !canLoosen(layer)) {
-          warnings.push(`Policy layer "${layer.level}" attempted loosening via rule "${rule.id}" without explicit opt-in.`);
-          continue;
-        }
-        effectiveDecision = "allow";
-      }
-    }
-    if (hasHardDeny) {
-      return { decision: "deny", decisions, warnings };
-    }
-    if (hasApprovalRequired) {
-      return { decision: "approval_required", decisions, warnings };
-    }
-    return { decision: effectiveDecision, decisions, warnings };
-  }
-};
-// ../kernel/dist/pack/manifest.js
-var SEMVER_REGEX2 = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
-var SEMVER_MESSAGE2 = "Expected semantic version";
-var NULL_BYTE = "\0";
-var SCOPE_TRAVERSAL_PATTERN = /(^|\/)\.\.(\/|$)/;
-var BROAD_WILDCARD_SCOPE_PATTERNS = /* @__PURE__ */ new Set(["*", "**", "**/*", "./**", "./**/*"]);
-var JsonSchemaObjectSchema = z2.record(z2.string(), z2.unknown());
-var DomainPackToolSchema = z2.object({
-  name: z2.string().min(1),
-  entry: z2.string().min(1),
-  permission: z2.enum(["read", "write", "admin"]).default("read"),
-  required_scopes: z2.array(ToolScopeSchema).min(1),
-  internal_only: z2.boolean().optional(),
-  /** Optional JSON Schema for tool input validation. */
-  input_schema: JsonSchemaObjectSchema.optional(),
-  /** Optional JSON Schema for tool output validation. */
-  output_schema: JsonSchemaObjectSchema.optional()
-});
-function isBroadWildcardScopePattern(pattern) {
-  return BROAD_WILDCARD_SCOPE_PATTERNS.has(pattern.trim());
-}
-function hasUnsafeScopePattern(pattern) {
-  return pattern.includes(NULL_BYTE) || SCOPE_TRAVERSAL_PATTERN.test(pattern);
-}
-function validateDomainPackToolSafety(tool) {
-  const issues = [];
-  for (const scope of tool.required_scopes) {
-    if (scope.type !== "path") {
-      continue;
-    }
-    if (hasUnsafeScopePattern(scope.pattern)) {
-      issues.push(`scope pattern "${scope.pattern}" contains unsafe traversal or null-byte content`);
-    }
-    if ((tool.permission === "write" || tool.permission === "admin") && scope.access === "write" && isBroadWildcardScopePattern(scope.pattern)) {
-      issues.push(`scope pattern "${scope.pattern}" is too broad for ${tool.permission} permission and write access`);
-    }
-  }
-  const inputSchemaType = tool.input_schema?.type;
-  if (inputSchemaType && inputSchemaType !== "object") {
-    issues.push(`input_schema.type must be "object" when provided, got "${String(inputSchemaType)}"`);
-  }
-  const outputSchemaType = tool.output_schema?.type;
-  if (outputSchemaType && outputSchemaType !== "object") {
-    issues.push(`output_schema.type must be "object" when provided, got "${String(outputSchemaType)}"`);
-  }
-  return issues;
-}
-var DomainPackPolicySchema = z2.object({
-  id: z2.string().min(1),
-  trigger: z2.enum([
-    POLICY_TRIGGERS.ON_TOOL_REQUEST,
-    POLICY_TRIGGERS.ON_CLAIM,
-    POLICY_TRIGGERS.ON_COMPLETION,
-    POLICY_TRIGGERS.ON_EVIDENCE_ADDED
-  ]),
-  decision: z2.enum(["allow", "deny"]),
-  reason: z2.string().min(1).optional()
-});
-var DomainPackLaneTemplateSchema = z2.object({
-  id: z2.string().min(1),
-  title: z2.string().min(1).optional(),
-  description: z2.string().min(1).optional()
-});
-var DomainPackManifestSchema = z2.object({
-  id: z2.string().min(1),
-  version: z2.string().regex(SEMVER_REGEX2, SEMVER_MESSAGE2),
-  task_types: z2.array(z2.string().min(1)).min(1),
-  tools: z2.array(DomainPackToolSchema),
-  policies: z2.array(DomainPackPolicySchema),
-  evidence_types: z2.array(z2.string().min(1)).default([]),
-  state_aliases: z2.record(z2.string().min(1), z2.string().min(1)).default({}),
-  lane_templates: z2.array(DomainPackLaneTemplateSchema).default([]),
-  /** Root key in workspace.yaml that this pack owns for its configuration namespace. */
-  config_key: z2.string().min(1).optional(),
-  /** Path to a JSON Schema file (relative to pack root) describing the pack config shape. */
-  config_schema: z2.string().optional()
-});
-// ../kernel/dist/pack/pack-loader.js
-import { builtinModules } from "module";
-import path2 from "path";
-import { access, mkdir, readFile as readFile2 } from "fs/promises";
-import { homedir } from "os";
-import YAML from "yaml";
-var PACK_CACHE_DIR_NAME = "pack-cache";
-var VERSION_TAG_PREFIX = "v";
-var DEFAULT_REGISTRY_URL = "https://registry.lumenflow.dev";
-var NODE_BUILTINS = new Set(builtinModules.map((moduleName) => moduleName.replace(/^node:/, "")));
-var ALLOWED_BARE_IMPORT_SPECIFIERS = /* @__PURE__ */ new Set(["simple-git"]);
-var IMPORT_SPECIFIER_PATTERNS = [
-  /\bimport\s+(?:[^'"]*?\sfrom\s*)?["']([^"']+)["']/,
-  /\bexport\s+[^'"]*?\sfrom\s*["']([^"']+)["']/,
-  /\bimport\(\s*["']([^"']+)["']\s*\)/
-];
-function isWithinRoot(root, candidatePath) {
-  const relative = path2.relative(root, candidatePath);
-  return relative === "" || !relative.startsWith("..") && !path2.isAbsolute(relative);
-}
-function isRuntimeSourceFile(relativePath) {
-  const normalizedPath = relativePath.replace(/\\/g, "/");
-  const extension = path2.extname(normalizedPath);
-  const isCodeFile = [".ts", ".tsx", ".mts", ".cts", ".js", ".mjs", ".cjs"].includes(extension);
-  if (!isCodeFile) {
-    return false;
-  }
-  if (normalizedPath.includes("/__tests__/")) {
-    return false;
-  }
-  return !/\.(test|spec)\.[cm]?[jt]sx?$/.test(normalizedPath);
-}
-function parseToolEntry(entry) {
-  const separator = entry.indexOf("#");
-  const modulePath = separator < 0 ? entry : entry.slice(0, separator);
-  const exportName = separator < 0 ? void 0 : entry.slice(separator + 1);
-  if (modulePath.trim().length === 0) {
-    throw new Error(`Pack tool entry "${entry}" is missing a module path.`);
-  }
-  if (exportName !== void 0 && exportName.trim().length === 0) {
-    throw new Error(`Pack tool entry "${entry}" has an empty export fragment.`);
-  }
-  return {
-    modulePath,
-    exportName
-  };
-}
-function resolvePackToolEntryPath(packRoot, entry) {
-  const absolutePackRoot = path2.resolve(packRoot);
-  const { modulePath, exportName } = parseToolEntry(entry);
-  const absoluteModulePath = path2.resolve(absolutePackRoot, modulePath);
-  if (!isWithinRoot(absolutePackRoot, absoluteModulePath)) {
-    throw new Error(`Pack tool entry "${entry}" resolves outside pack root.`);
-  }
-  return exportName ? `${absoluteModulePath}#${exportName}` : absoluteModulePath;
-}
-function extractImportSpecifiers(sourceCode) {
-  const specifiers = /* @__PURE__ */ new Set();
-  for (const pattern of IMPORT_SPECIFIER_PATTERNS) {
-    const globalPattern = new RegExp(pattern.source, "g");
-    for (const match of sourceCode.matchAll(globalPattern)) {
-      if (match[1]) {
-        specifiers.add(match[1]);
-      }
-    }
-  }
-  return [...specifiers];
-}
-function isAllowedKernelImport(specifier) {
-  return specifier === "@lumenflow/kernel" || specifier.startsWith("@lumenflow/kernel/");
-}
-function validateImportSpecifier(options) {
-  const { specifier, sourceFilePath, packRoot } = options;
-  if (specifier.startsWith("node:")) {
-    return;
-  }
-  if (NODE_BUILTINS.has(specifier)) {
-    return;
-  }
-  if (isAllowedKernelImport(specifier)) {
-    return;
-  }
-  if (specifier.startsWith("@lumenflow/")) {
-    throw new Error(`Import "${specifier}" in ${sourceFilePath} is not allowed; only @lumenflow/kernel and Node built-ins are permitted.`);
-  }
-  if (path2.isAbsolute(specifier)) {
-    throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
-  }
-  if (specifier.startsWith(".")) {
-    const absoluteFilePath = path2.resolve(packRoot, sourceFilePath);
-    const resolvedImport = path2.resolve(path2.dirname(absoluteFilePath), specifier);
-    if (!isWithinRoot(packRoot, resolvedImport)) {
-      throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
-    }
-    return;
-  }
-  if (ALLOWED_BARE_IMPORT_SPECIFIERS.has(specifier)) {
-    return;
-  }
-  throw new Error(`Bare package import "${specifier}" in ${sourceFilePath} is not allowed; only relative imports, @lumenflow/kernel, and Node built-ins are permitted.`);
-}
-async function validatePackImportBoundaries(packRoot, hashExclusions) {
-  const files = await listPackFiles(packRoot, hashExclusions);
-  const candidateFiles = files.filter((relativePath) => isRuntimeSourceFile(relativePath));
-  for (const relativePath of candidateFiles) {
-    const sourceCode = await readFile2(path2.join(packRoot, relativePath), UTF8_ENCODING);
-    const importSpecifiers = extractImportSpecifiers(sourceCode);
-    for (const specifier of importSpecifiers) {
-      validateImportSpecifier({
-        specifier,
-        sourceFilePath: relativePath,
-        packRoot
-      });
-    }
-  }
-}
-function resolvePackPin(workspaceSpec, packId) {
-  const pin = workspaceSpec.packs.find((candidate) => candidate.id === packId);
-  if (!pin) {
-    throw new Error(`Pack "${packId}" is not present in workspace PackPin entries.`);
-  }
-  return pin;
-}
-var PackLoader = class {
-  packsRoot;
-  manifestFileName;
-  hashExclusions;
-  runtimeEnvironment;
-  allowDevIntegrityInProduction;
-  packCacheDir;
-  gitClient;
-  registryClient;
-  defaultRegistryUrl;
-  constructor(options) {
-    this.packsRoot = path2.resolve(options.packsRoot);
-    this.manifestFileName = options.manifestFileName || PACK_MANIFEST_FILE_NAME;
-    this.hashExclusions = options.hashExclusions;
-    this.runtimeEnvironment = options.runtimeEnvironment ?? process.env.NODE_ENV ?? "development";
-    this.allowDevIntegrityInProduction = options.allowDevIntegrityInProduction ?? false;
-    this.packCacheDir = options.packCacheDir ?? path2.join(homedir(), LUMENFLOW_DIR_NAME, PACK_CACHE_DIR_NAME);
-    this.gitClient = options.gitClient;
-    this.registryClient = options.registryClient;
-    this.defaultRegistryUrl = options.defaultRegistryUrl ?? DEFAULT_REGISTRY_URL;
-  }
-  async load(input) {
-    const pin = resolvePackPin(input.workspaceSpec, input.packId);
-    const packRoot = await this.resolvePackRoot(pin);
-    return this.loadFromDisk(pin, packRoot, input);
-  }
-  /**
-   * Resolve the pack root directory based on the pin source.
-   * For local packs, resolves relative to packsRoot.
-   * For git packs, clones/pulls to the pack cache and checks out the version tag.
-   * For registry packs, fetches metadata and downloads tarball to the pack cache.
-   */
-  async resolvePackRoot(pin) {
-    if (pin.source === "git") {
-      return this.resolveGitPackRoot(pin);
-    }
-    if (pin.source === "registry") {
-      return this.resolveRegistryPackRoot(pin);
-    }
-    return path2.resolve(this.packsRoot, pin.id);
-  }
-  /**
-   * Resolve a git-sourced pack by cloning or pulling to the pack cache,
-   * then checking out the version tag.
-   */
-  async resolveGitPackRoot(pin) {
-    if (!pin.url) {
-      throw new Error(`Pack "${pin.id}" has source: git but no url field. Add a url field to the PackPin to specify the git repository.`);
-    }
-    if (!this.gitClient) {
-      throw new Error(`Pack "${pin.id}" has source: git but no gitClient was provided to PackLoader. Pass a gitClient in PackLoaderOptions to load git-sourced packs.`);
-    }
-    const packCachePath = path2.join(this.packCacheDir, `${pin.id}@${pin.version}`);
-    await mkdir(this.packCacheDir, { recursive: true });
-    const alreadyCached = await this.gitClient.isRepo(packCachePath);
-    if (alreadyCached) {
-      await this.gitClient.pull(packCachePath);
-    } else {
-      await this.gitClient.clone(pin.url, packCachePath);
-    }
-    const versionTag = `${VERSION_TAG_PREFIX}${pin.version}`;
-    await this.gitClient.checkout(packCachePath, versionTag);
-    return packCachePath;
-  }
-  /**
-   * Resolve a registry-sourced pack by fetching metadata and downloading the tarball
-   * to the pack cache. Skips download if the pack is already cached.
-   */
-  async resolveRegistryPackRoot(pin) {
-    if (!this.registryClient) {
-      throw new Error(`Pack "${pin.id}" has source: registry but no registryClient was provided to PackLoader. Pass a registryClient in PackLoaderOptions to load registry-sourced packs.`);
-    }
-    const packCachePath = path2.join(this.packCacheDir, `${pin.id}@${pin.version}`);
-    await mkdir(this.packCacheDir, { recursive: true });
-    const manifestCachePath = path2.join(packCachePath, this.manifestFileName);
-    const alreadyCached = await access(manifestCachePath).then(() => true).catch(() => false);
-    if (!alreadyCached) {
-      const registryUrl = pin.registry_url ?? this.defaultRegistryUrl;
-      const metadata = await this.registryClient.fetchMetadata(pin.id, pin.version, registryUrl);
-      await this.registryClient.downloadTarball(metadata.tarball_url, packCachePath);
-    }
-    return packCachePath;
-  }
-  /**
-   * Load pack from a resolved on-disk directory.
-   * Handles manifest parsing, tool entry validation, import boundary checks,
-   * integrity verification, and dev-mode warnings.
-   */
-  async loadFromDisk(pin, packRoot, input) {
-    const manifestPath = path2.join(packRoot, this.manifestFileName);
-    const manifestRaw = await readFile2(manifestPath, UTF8_ENCODING);
-    const manifest = DomainPackManifestSchema.parse(YAML.parse(manifestRaw));
-    if (manifest.id !== pin.id) {
-      throw new Error(`Pack manifest id mismatch: expected ${pin.id}, got ${manifest.id}`);
-    }
-    if (manifest.version !== pin.version) {
-      throw new Error(`Pack manifest version mismatch: expected ${pin.version}, got ${manifest.version}`);
-    }
-    for (const tool of manifest.tools) {
-      resolvePackToolEntryPath(packRoot, tool.entry);
-    }
-    await validatePackImportBoundaries(packRoot, this.hashExclusions);
-    const integrity = await computeDeterministicPackHash({
-      packRoot,
-      exclusions: this.hashExclusions
-    });
-    if (pin.integrity === "dev") {
-      if (this.runtimeEnvironment === "production" && !this.allowDevIntegrityInProduction) {
-        throw new Error(`Pack ${pin.id}@${pin.version} uses integrity: dev is not allowed in production.`);
-      }
-      input.onWorkspaceWarning?.({
-        schema_version: 1,
-        kind: KERNEL_EVENT_KINDS.WORKSPACE_WARNING,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        message: `Pack ${pin.id}@${pin.version} loaded with integrity: dev (verification skipped).`
-      });
-      return {
-        pin,
-        manifest,
-        packRoot,
-        integrity
-      };
-    }
-    const expectedIntegrity = pin.integrity.startsWith(SHA256_INTEGRITY_PREFIX) ? pin.integrity.slice(SHA256_INTEGRITY_PREFIX.length) : pin.integrity;
-    if (integrity !== expectedIntegrity) {
-      throw new Error(`Pack integrity mismatch for ${pin.id}: expected ${expectedIntegrity}, got ${integrity}`);
-    }
-    return {
-      pin,
-      manifest,
-      packRoot,
-      integrity
-    };
-  }
-};
-// ../kernel/dist/pack/pack-manifest-resolver.js
-import path3 from "path";
-import { existsSync, readFileSync } from "fs";
-import { homedir as homedir2 } from "os";
-import YAML2 from "yaml";
-var PACK_CACHE_DIR_NAME2 = "pack-cache";
-var NODE_MODULES_DIR_NAME = "node_modules";
-var DEFAULT_PACK_CACHE_DIR = path3.join(homedir2(), LUMENFLOW_DIR_NAME, PACK_CACHE_DIR_NAME2);
-function resolveManifestPath(projectRoot, pack, packCacheDir) {
-  const source = pack.source;
-  if (source === "registry") {
-    return path3.join(projectRoot, NODE_MODULES_DIR_NAME, LUMENFLOW_SCOPE_NAME, PACKS_DIR_NAME, pack.id, PACK_MANIFEST_FILE_NAME);
-  }
-  if (source === "git") {
-    return path3.join(packCacheDir, `${pack.id}@${pack.version}`, PACK_MANIFEST_FILE_NAME);
-  }
-  if (pack.path) {
-    return path3.join(projectRoot, pack.path, PACK_MANIFEST_FILE_NAME);
-  }
-  return path3.join(projectRoot, PACKAGES_DIR_NAME, LUMENFLOW_SCOPE_NAME, PACKS_DIR_NAME, pack.id, PACK_MANIFEST_FILE_NAME);
-}
-function resolvePackManifestPaths(input) {
-  const result = /* @__PURE__ */ new Map();
-  const { projectRoot, packs, packCacheDir } = input;
-  if (!Array.isArray(packs)) {
-    return result;
-  }
-  const effectiveCacheDir = packCacheDir ?? DEFAULT_PACK_CACHE_DIR;
-  for (const pack of packs) {
-    if (!pack || typeof pack !== "object" || !("id" in pack)) {
-      continue;
-    }
-    const packId = String(pack.id);
-    const manifestPath = resolveManifestPath(projectRoot, { ...pack, id: packId }, effectiveCacheDir);
-    if (!manifestPath || !existsSync(manifestPath)) {
-      continue;
-    }
-    try {
-      const manifestContent = readFileSync(manifestPath, "utf8");
-      const manifest = YAML2.parse(manifestContent);
-      if (manifest && typeof manifest.config_key === "string") {
-        result.set(manifest.config_key, packId);
-      }
-    } catch {
-    }
-  }
-  return result;
-}
-function resolvePackSchemaMetadata(input) {
-  const result = /* @__PURE__ */ new Map();
-  const { projectRoot, packs, packCacheDir } = input;
-  if (!Array.isArray(packs)) {
-    return result;
-  }
-  const effectiveCacheDir = packCacheDir ?? DEFAULT_PACK_CACHE_DIR;
-  for (const pack of packs) {
-    if (!pack || typeof pack !== "object" || !("id" in pack)) {
-      continue;
-    }
-    const packId = String(pack.id);
-    const manifestPath = resolveManifestPath(projectRoot, { ...pack, id: packId }, effectiveCacheDir);
-    if (!manifestPath || !existsSync(manifestPath)) {
-      continue;
-    }
-    try {
-      const manifestContent = readFileSync(manifestPath, "utf8");
-      const manifest = YAML2.parse(manifestContent);
-      if (!manifest)
-        continue;
-      const configSchema = manifest.config_schema;
-      if (typeof configSchema === "string" && configSchema.length > 0) {
-        const packRoot = path3.dirname(manifestPath);
-        const schemaAbsPath = path3.join(packRoot, configSchema);
-        result.set(packId, { hasSchema: true, schemaPath: schemaAbsPath });
-      } else {
-        const configKey = manifest.config_key;
-        if (typeof configKey === "string") {
-          result.set(packId, { hasSchema: false });
-        }
-      }
-    } catch {
-    }
-  }
-  return result;
-}
-export {
-  KERNEL_EVENT_KINDS,
-  isTaskEventKind,
-  isRunLifecycleEventKind,
-  TOOL_TRACE_KINDS,
-  UTF8_ENCODING,
-  BASE64_ENCODING,
-  SHA256_ALGORITHM,
-  SHA256_HEX_REGEX,
-  SHA256_INTEGRITY_PREFIX,
-  WORKSPACE_FILE_NAME,
-  PACKS_DIR_NAME,
-  PACK_MANIFEST_FILE_NAME,
-  PACKAGES_DIR_NAME,
-  LUMENFLOW_SCOPE_NAME,
-  LUMENFLOW_DIR_NAME,
-  KERNEL_RUNTIME_ROOT_DIR_NAME,
-  KERNEL_RUNTIME_TASKS_DIR_NAME,
-  KERNEL_RUNTIME_EVENTS_DIR_NAME,
-  KERNEL_RUNTIME_EVIDENCE_DIR_NAME,
-  KERNEL_RUNTIME_EVENTS_FILE_NAME,
-  KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME,
-  RESERVED_FRAMEWORK_SCOPE_ROOT,
-  RESERVED_FRAMEWORK_SCOPE_PREFIX,
-  RESERVED_FRAMEWORK_SCOPE_GLOB,
-  DEFAULT_WORKSPACE_CONFIG_HASH,
-  DEFAULT_KERNEL_RUNTIME_VERSION,
-  WORKSPACE_CONFIG_HASH_CONTEXT_KEYS,
-  EXECUTION_METADATA_KEYS,
-  KERNEL_POLICY_IDS,
-  RUN_STATUSES,
-  TOOL_HANDLER_KINDS,
-  TOOL_ERROR_CODES,
-  ToolScopeSchema,
-  TaskSpecSchema,
-  RunSchema,
-  TaskStateSchema,
-  WorkspaceControlPlaneConfigSchema,
-  WorkspaceSpecSchema,
-  validateWorkspaceRootKeys,
-  KernelEventSchema,
-  ToolTraceEntrySchema,
-  ToolOutputSchema,
-  ExecutionContextSchema,
-  ToolCapabilitySchema,
-  computeDeterministicPackHash,
-  POLICY_TRIGGERS,
-  PolicyEngine,
-  isBroadWildcardScopePattern,
-  validateDomainPackToolSafety,
-  DomainPackManifestSchema,
-  resolvePackToolEntryPath,
-  validatePackImportBoundaries,
-  PackLoader,
-  resolvePackManifestPaths,
-  resolvePackSchemaMetadata
-};