@lumenflow/cli 3.16.0 → 3.17.0

package/templates/core/AGENTS.md.template

@@ -3,6 +3,7 @@
 **Last updated:** {{DATE}}
 
 This project uses LumenFlow workflow. For complete documentation, see [LUMENFLOW.md](LUMENFLOW.md).
+If `LUMENFLOW.local.md` exists, read it after LUMENFLOW.md for project-specific additions.
 
 ---
 
@@ -61,7 +62,7 @@ This is the single most forgotten step. See [LUMENFLOW.md](LUMENFLOW.md) for det
 | `pnpm wu:prep`            | Run gates in worktree, prep for wu:done               |
 | `pnpm wu:done`            | Complete WU (merge or PR, stamp, cleanup)             |
 | `pnpm wu:status`          | Show WU status, location, valid commands              |
-| `pnpm wu:brief`           | Generate handoff prompt + record evidence             |
+| `pnpm wu:brief`           | **MANDATORY after wu:claim.** Generate handoff prompt + record evidence |
 | `pnpm wu:delegate`        | Generate prompt + record delegation lineage           |
 | `pnpm wu:recover`         | Analyze and fix WU state inconsistencies              |
 | `pnpm wu:escalate`        | Show or resolve WU escalation status                  |

package/templates/core/LUMENFLOW.md.template

@@ -2,6 +2,10 @@
 
 **Last updated:** {{DATE}}
 
+> **This file is managed by LumenFlow.** Do not edit — it will be overwritten on upgrade.
+> For project-specific additions, create `LUMENFLOW.local.md` (never overwritten).
+> If `LUMENFLOW.local.md` exists, agents should read it after this file.
+
 LumenFlow is a vendor-agnostic workflow framework for AI-native software development.
 
 > **Context Safety**: When approaching context limits (80% usage, 50+ tool calls), spawn a fresh agent instead of continuing after compaction. See [wu-sizing-guide.md]({{DOCS_ONBOARDING_PATH}}/wu-sizing-guide.md).
@@ -261,7 +265,7 @@ For the full worktree lifecycle (parallel execution, bootstrap, isolation guaran
 | `pnpm wu:block`           | Block WU (transitions to blocked, frees lane)             |
 | `pnpm wu:unblock`         | Unblock WU (transitions to in_progress)                   |
 | `pnpm wu:release`         | Release orphaned WU (in_progress to ready for reclaim)    |
-| `pnpm wu:brief`           | Generate handoff prompt + record evidence                 |
+| `pnpm wu:brief`           | **MANDATORY after wu:claim.** Generate handoff prompt + record evidence |
 | `pnpm wu:delegate`        | Generate prompt + record lineage + brief hash attestation |
 | `pnpm wu:escalate`        | Show or resolve WU escalation status                      |
 | `pnpm wu:verify`          | Verify WU completion (stamp, commit, clean tree)          |

package/templates/core/UPGRADING.md.template

@@ -10,14 +10,15 @@ pnpm outdated @lumenflow/*
 
 # Update all LumenFlow packages atomically
 pnpm lumenflow:upgrade --latest
-
-# Refresh core docs, onboarding docs, and vendor assets
-pnpm docs:sync --force
 ```
 
-Package upgrades change the runtime `wu:brief` defaults immediately. `lumenflow:upgrade` prints a
-staleness warning after the upgrade completes if any core docs (LUMENFLOW.md, AGENTS.md,
-constraints.md) differ from the latest templates. Run `pnpm docs:sync --force` to refresh them.
+Package upgrades change the runtime `wu:brief` defaults immediately. `lumenflow:upgrade` automatically
+syncs managed docs (LUMENFLOW.md, .lumenflow/constraints.md) from templates. Bootstrap files
+(AGENTS.md, vendor overlays) are updated via merge-block markers — only the LumenFlow-managed
+section between `<!-- LUMENFLOW:START -->` / `<!-- LUMENFLOW:END -->` is replaced; your content
+outside markers is preserved.
+
+If you have project-specific workflow additions, put them in `LUMENFLOW.local.md` (never overwritten).
 Project-local `.lumenflow/templates/` remains optional unless you want custom overrides.
 
 ## Version Compatibility
@@ -57,17 +58,20 @@ pnpm lumenflow:upgrade --version 1.2.0
 
 ### 4. Sync Documentation
 
-After upgrading, sync agent onboarding documentation:
+`lumenflow:upgrade` already syncs the shipped docs surfaces inside the upgrade transaction:
 
 ```bash
-pnpm docs:sync --force
+pnpm lumenflow:upgrade --latest
 ```
 
 This updates:
 
 - Core docs: LUMENFLOW.md, AGENTS.md, .lumenflow/constraints.md
 - Scaffolded onboarding documentation
-- Supported vendor assets such as Claude skills
+- Already-present or configured vendor bootstraps
+- Reserved Claude skills when Claude assets are configured
+
+Run `pnpm docs:sync --vendor <type>` only when you want to refresh a specific vendor/bootstrap surface outside the upgrade flow.
 
 ## Defaults vs Overrides
 
@@ -113,7 +117,7 @@ pnpm install
 
 ### Template Conflicts
 
-If `docs:sync` reports conflicts:
+If a merge-block bootstrap file needs manual review:
 
 1. Review the diff for each conflicting file
 2. Merge manually or accept incoming changes

package/templates/core/ai/onboarding/initiative-orchestration.md.template

@@ -382,7 +382,7 @@ pnpm delegation:list --initiative INIT-XXX --json
 | `pnpm orchestrate:initiative -i INIT-XXX`           | Execute all waves continuously                                |
 | `pnpm orchestrate:init-status -i INIT-XXX`          | Compact progress view                                         |
 | `pnpm orchestrate:monitor`                          | Detect stuck agents and zombie locks                          |
-| `pnpm wu:brief --id WU-XXX --client <client>`       | Generate handoff prompt + record evidence                     |
+| `pnpm wu:brief --id WU-XXX --client <client>`       | **MANDATORY after wu:claim.** Generate prompt + evidence      |
 | `pnpm wu:delegate --id WU-XXX --parent-wu <P>`      | Generate prompt + record delegation                           |
 | `pnpm delegation:list --initiative INIT-XXX`        | View delegation tree                                          |
 | `pnpm mem:signal "msg" --wu WU-XXX`                 | Broadcast coordination signal                                 |

package/templates/core/ai/onboarding/quick-ref-commands.md.template

@@ -68,7 +68,7 @@ Run `--help` first, then run the real command with explicit flags.
 | `pnpm exec lumenflow init`                         | Scaffold LumenFlow in a project                                |
 | `pnpm exec lumenflow init --docs-structure simple` | Use simple docs structure (`docs/tasks`)                       |
 | `pnpm exec lumenflow init --docs-structure arc42`  | Use arc42 docs structure (`{{DOCS_OPERATIONS_PATH}}`)                |
-| `pnpm docs:sync --force`                           | Refresh core docs, onboarding docs, and supported vendor assets |
+| `pnpm docs:sync --vendor <type>`                  | Refresh selected vendor bootstrap assets outside upgrade |
 | `pnpm sync:templates`                              | Sync repo docs into bundled templates                          |
 | `pnpm lumenflow:upgrade`                           | Upgrade LumenFlow packages                                     |
 | `pnpm lumenflow:doctor`                            | Diagnose LumenFlow configuration                               |
@@ -106,21 +106,22 @@ commit and push atomically. Do NOT wrap them in a WU or use raw `pnpm update`/`g
 | `pnpm config:set --key <dotpath> --value <value>` | Set workspace.yaml config (Zod-validated)        |
 | `pnpm config:get --key <dotpath>`                 | Read workspace.yaml config                       |
 | `pnpm cloud:connect`                              | Configure cloud control-plane access             |
-| `pnpm docs:sync --force`                          | Refresh core docs, onboarding docs, and vendor assets after upgrade |
+| `pnpm docs:sync --vendor <type>`                 | Optional targeted refresh for vendor/bootstrap assets |
 | `pnpm sync:templates`                             | Sync repo docs into bundled templates            |
 
 **Key principle:** If a LumenFlow CLI command exists for the operation, use it instead of
 raw pnpm/git. These tooling commands commit directly to main via micro-worktree — no dirty
 files, no manual git, no WU ceremony. Only actual **code changes** need WUs.
 
-`docs:sync` refreshes core docs (LUMENFLOW.md, AGENTS.md, constraints.md), the scaffolded
-onboarding set, and supported vendor assets. Existing docs are skipped by default; use `--force`
-when you intentionally want the refresh.
+`docs:sync` refreshes managed docs, the scaffolded onboarding set, and selected vendor bootstrap
+assets. Managed docs are refreshed automatically during `pnpm lumenflow:upgrade --latest`, and
+bootstrap files update safely via merge-block markers.
 
-For existing installs, upgrade packages first with `pnpm lumenflow:upgrade --latest`, then run
-`pnpm docs:sync --force` if you want refreshed core docs, onboarding docs, and vendor assets. The improved
-default `wu:brief` behavior comes from the package upgrade itself. New installs get those defaults
-automatically, and `.lumenflow/templates/` remains optional unless you want custom overrides.
+For existing installs, upgrade packages first with `pnpm lumenflow:upgrade --latest`. That command
+automatically syncs managed docs, onboarding docs, and configured vendor assets. Use
+`pnpm docs:sync --vendor <type>` only when you want an additional targeted refresh outside upgrade.
+The improved default `wu:brief` behavior comes from the package upgrade itself. New installs get
+those defaults automatically, and `.lumenflow/templates/` remains optional unless you want custom overrides.
 
 > **Anti-pattern:** Do NOT use `pnpm update @lumenflow/*` to upgrade packages.
 > This leaves dirty `package.json` and `pnpm-lock.yaml` on main.
@@ -147,7 +148,7 @@ automatically, and `.lumenflow/templates/` remains optional unless you want cust
 | `pnpm wu:unblock --id WU-XXX`                                  | Unblock WU                                                            |
 | `pnpm wu:release --id WU-XXX`                                  | Release orphaned WU (in_progress to ready)                            |
 | `pnpm wu:status --id WU-XXX`                                   | Show WU status, location, valid commands                              |
-| `pnpm wu:brief --id WU-XXX --client <client>`                  | Generate handoff prompt + record evidence (claimed workspace/branch)  |
+| `pnpm wu:brief --id WU-XXX --client <client>`                  | **MANDATORY after wu:claim.** Generate handoff prompt + record evidence. wu:done blocks without this |
 | `pnpm wu:brief --id WU-XXX --no-context`                       | Generate prompt without memory context injection                      |
 | `pnpm wu:delegate --id WU-XXX --parent-wu <P>`                 | Generate prompt, record lineage, and store brief hash attestation     |
 | `pnpm wu:sandbox --id WU-XXX -- <cmd>`                         | Run command through hardened WU sandbox backend                       |

package/templates/core/ai/onboarding/starting-prompt.md.template

@@ -520,8 +520,8 @@ extra project commands, or client-specific overrides.
 
 - New installs get the current defaults automatically.
 - Existing installs get the runtime defaults after `pnpm lumenflow:upgrade --latest`.
-- Run `pnpm docs:sync --force` when you also want refreshed core docs, onboarding docs, and
-  supported vendor assets.
+- `pnpm lumenflow:upgrade --latest` already refreshes managed docs, onboarding docs, and configured
+  vendor assets. Use `pnpm docs:sync --vendor <type>` only for an extra targeted refresh.
 
 Default profiles:
 
@@ -556,7 +556,7 @@ Domain-specific commands must come from local configuration, not core framework
 | `pnpm wu:claim --id WU-XXX --lane "Lane"`      | Claim WU and create worktree (default)           | Start working (local)       |
 | `pnpm wu:claim --id WU-XXX --lane "L" --cloud` | Claim WU in branch-pr mode (no worktree)         | Start working (cloud)       |
 | `pnpm wu:edit --id WU-XXX --field value`       | Edit WU spec fields                              | Update notes/desc           |
-| `pnpm wu:brief --id WU-XXX --client <client>`  | Generate handoff prompt + record evidence        | Delegation or self-impl     |
+| `pnpm wu:brief --id WU-XXX --client <client>`  | **MANDATORY after wu:claim.** Generate prompt + evidence | Delegation or self-impl     |
 | `pnpm wu:delegate --id WU-XXX --parent-wu P`   | Generate prompt + record delegation              | Auditable delegation flows  |
 | `pnpm wu:prep --id WU-XXX`                     | Run gates in claimed workspace, prep completion  | Before wu:done              |
 | `pnpm wu:done --id WU-XXX`                     | Complete WU (merge or PR, cleanup)               | After gates pass            |

package/templates/vendors/claude/.claude/CLAUDE.md.template

@@ -3,6 +3,7 @@
 **Last updated:** {{DATE}}
 
 This project uses LumenFlow workflow. For workflow documentation, see [LUMENFLOW.md](../LUMENFLOW.md).
+If `LUMENFLOW.local.md` exists, read it after LUMENFLOW.md for project-specific additions.
 
 ---
 
@@ -48,7 +49,7 @@ Essential commands for multi-agent coordination and context management:
 | `pnpm mem:inbox --since 30m`               | Check coordination signals        |
 | `pnpm mem:signal "msg" --wu WU-XXX`        | Broadcast signal to other agents  |
 | `pnpm mem:create "msg" --wu WU-XXX`        | Create memory node (bug capture)  |
-| `pnpm wu:brief --id WU-XXX --client claude-code` | Generate handoff prompt + record evidence |
+| `pnpm wu:brief --id WU-XXX --client claude-code` | **MANDATORY after wu:claim.** Generate prompt + evidence |
 
 **When to checkpoint:**
 - After each acceptance criterion completed

package/templates/vendors/cursor/.cursor/rules/lumenflow.md.template

@@ -1,6 +1,7 @@
 # Cursor LumenFlow Rules
 
 **Read first:** [AGENTS.md](../../AGENTS.md) for universal startup rules, then [LUMENFLOW.md](../../LUMENFLOW.md) for the canonical workflow, commands, and safety rules.
+If `LUMENFLOW.local.md` exists, read it after LUMENFLOW.md for project-specific additions.
 
 This file contains Cursor-specific overrides only. Do not duplicate workflow rules from LUMENFLOW.md here.
 
@@ -51,7 +52,7 @@ pnpm wu:done --id WU-XXX
 | `pnpm wu:claim --id WU-XXX --lane <Lane>`      | Claim WU and create worktree                |
 | `pnpm wu:prep --id WU-XXX`                     | Run gates in worktree                       |
 | `pnpm wu:done --id WU-XXX`                     | Complete WU (from main)                     |
-| `pnpm wu:brief --id WU-XXX --client <client>`  | Generate handoff prompt + record evidence   |
+| `pnpm wu:brief --id WU-XXX --client <client>`  | **MANDATORY after wu:claim.** Generate prompt + evidence |
 | `pnpm wu:delegate --id WU-XXX --parent-wu <P>` | Generate prompt + record delegation lineage |
 | `pnpm wu:recover --id WU-XXX`                  | Fix WU state inconsistencies                |
 | `pnpm wu:escalate --id WU-XXX`                 | Show or resolve WU escalation status        |

package/templates/vendors/windsurf/.windsurf/rules/lumenflow.md.template

@@ -1,6 +1,7 @@
 # Windsurf LumenFlow Rules
 
 **Read first:** [AGENTS.md](../../AGENTS.md) for universal startup rules, then [LUMENFLOW.md](../../LUMENFLOW.md) for the canonical workflow, commands, and safety rules.
+If `LUMENFLOW.local.md` exists, read it after LUMENFLOW.md for project-specific additions.
 
 This file contains Windsurf-specific overrides only. Do not duplicate workflow rules from LUMENFLOW.md here.
 
@@ -51,7 +52,7 @@ pnpm wu:done --id WU-XXX
 | `pnpm wu:claim --id WU-XXX --lane <Lane>`      | Claim WU and create worktree                |
 | `pnpm wu:prep --id WU-XXX`                     | Run gates in worktree                       |
 | `pnpm wu:done --id WU-XXX`                     | Complete WU (from main)                     |
-| `pnpm wu:brief --id WU-XXX --client <client>`  | Generate handoff prompt + record evidence   |
+| `pnpm wu:brief --id WU-XXX --client <client>`  | **MANDATORY after wu:claim.** Generate prompt + evidence |
 | `pnpm wu:delegate --id WU-XXX --parent-wu <P>` | Generate prompt + record delegation lineage |
 | `pnpm wu:recover --id WU-XXX`                  | Fix WU state inconsistencies                |
 | `pnpm wu:escalate --id WU-XXX`                 | Show or resolve WU escalation status        |

package/dist/chunk-2D2VOCA4.js

@@ -1,37 +0,0 @@
-import {
-  TEST_TYPES,
-  WU_TYPES
-} from "./chunk-V6OJGLBA.js";
-
-// ../core/dist/wu-type-helpers.js
-function isNonEmptyArray(value) {
-  return Array.isArray(value) && value.length > 0;
-}
-function isDocumentationType(type) {
-  return typeof type === "string" && type === WU_TYPES.DOCUMENTATION;
-}
-function isProcessType(type) {
-  return typeof type === "string" && type === WU_TYPES.PROCESS;
-}
-function isDocsOrProcessType(type) {
-  return isDocumentationType(type) || isProcessType(type);
-}
-function hasAnyTests(tests) {
-  if (!tests || typeof tests !== "object")
-    return false;
-  const t = tests;
-  return isNonEmptyArray(t[TEST_TYPES.MANUAL]) || isNonEmptyArray(t[TEST_TYPES.UNIT]) || isNonEmptyArray(t[TEST_TYPES.E2E]) || isNonEmptyArray(t[TEST_TYPES.INTEGRATION]);
-}
-function hasManualTests(tests) {
-  if (!tests || typeof tests !== "object")
-    return false;
-  const t = tests;
-  return isNonEmptyArray(t[TEST_TYPES.MANUAL]);
-}
-
-export {
-  isDocumentationType,
-  isDocsOrProcessType,
-  hasAnyTests,
-  hasManualTests
-};

package/dist/chunk-2D5KFYGX.js

@@ -1,284 +0,0 @@
-import {
-  DomainPackManifestSchema,
-  PACK_MANIFEST_FILE_NAME,
-  UTF8_ENCODING,
-  computeDeterministicPackHash,
-  isBroadWildcardScopePattern,
-  resolvePackToolEntryPath,
-  validateDomainPackToolSafety,
-  validatePackImportBoundaries
-} from "./chunk-HANJXVKW.js";
-import {
-  WU_OPTIONS,
-  createWUParser,
-  runCLI
-} from "./chunk-2GXVIN57.js";
-
-// src/pack-validate.ts
-import { readFile } from "fs/promises";
-import { join, resolve } from "path";
-import YAML from "yaml";
-var LOG_PREFIX = "[pack:validate]";
-var DEFAULT_PACKS_ROOT = "packages/@lumenflow/packs";
-var HTTPS_PROTOCOL = "https:";
-var NETWORK_URL_PROPERTY = "url";
-var SECURITY_LINT_ERROR = {
-  PERMISSION_SCOPE_READ_WRITE: "permission/scope mismatch: read-permission tool cannot request write path access.",
-  PERMISSION_SCOPE_WRITE_MISSING: "permission/scope mismatch: write-permission tool must include at least one write path scope.",
-  WILDCARD_WRITE: "forbidden wildcard write scope. Replace with constrained path pattern (for example reports/**/*.md).",
-  NETWORK_URL_REQUIRED: "network-scoped tools must constrain input_schema.properties.url via const/enum https URL allow-list.",
-  NETWORK_URL_INVALID: "network-scoped tool has invalid URL in input_schema.properties.url.",
-  NETWORK_URL_SCHEME: "network-scoped tool URL must use https:// in input_schema.properties.url."
-};
-async function validatePack(options) {
-  const { packRoot, hashExclusions } = options;
-  const absolutePackRoot = resolve(packRoot);
-  let manifest;
-  const manifestResult = await validateManifest(absolutePackRoot);
-  if (manifestResult.status === "pass" && manifestResult.manifest) {
-    manifest = manifestResult.manifest;
-  }
-  const toolEntriesResult = manifest ? validateToolEntries(absolutePackRoot, manifest) : { status: "skip", error: "Skipped: manifest validation failed" };
-  const importBoundariesResult = await checkImportBoundaries(absolutePackRoot, hashExclusions);
-  const securityLintResult = manifest ? runSecurityLint(manifest) : { status: "skip", error: "Skipped: manifest validation failed" };
-  const integrityResult = await computeIntegrity(absolutePackRoot, hashExclusions);
-  const allPassed = manifestResult.status === "pass" && toolEntriesResult.status === "pass" && importBoundariesResult.status === "pass" && securityLintResult.status === "pass" && integrityResult.status === "pass";
-  return {
-    manifest: manifestResult,
-    importBoundaries: importBoundariesResult,
-    toolEntries: toolEntriesResult,
-    securityLint: securityLintResult,
-    integrity: integrityResult,
-    allPassed
-  };
-}
-async function validateManifest(packRoot) {
-  try {
-    const manifestPath = join(packRoot, PACK_MANIFEST_FILE_NAME);
-    const manifestRaw = await readFile(manifestPath, UTF8_ENCODING);
-    const parsed = YAML.parse(manifestRaw);
-    const manifest = DomainPackManifestSchema.parse(parsed);
-    return { status: "pass", manifest };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return { status: "fail", error: message };
-  }
-}
-function validateToolEntries(packRoot, manifest) {
-  try {
-    for (const tool of manifest.tools) {
-      resolvePackToolEntryPath(packRoot, tool.entry);
-    }
-    return { status: "pass" };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return { status: "fail", error: message };
-  }
-}
-async function checkImportBoundaries(packRoot, hashExclusions) {
-  try {
-    await validatePackImportBoundaries(packRoot, hashExclusions);
-    return { status: "pass" };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return { status: "fail", error: message };
-  }
-}
-async function computeIntegrity(packRoot, hashExclusions) {
-  try {
-    const hash = await computeDeterministicPackHash({
-      packRoot,
-      exclusions: hashExclusions
-    });
-    return { status: "pass", hash };
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return { status: "fail", error: message };
-  }
-}
-function isObjectRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function extractNetworkUrls(tool) {
-  const inputSchema = tool.input_schema;
-  if (!isObjectRecord(inputSchema)) {
-    return [];
-  }
-  const properties = inputSchema.properties;
-  if (!isObjectRecord(properties)) {
-    return [];
-  }
-  const urlSchema = properties[NETWORK_URL_PROPERTY];
-  if (!isObjectRecord(urlSchema)) {
-    return [];
-  }
-  if (typeof urlSchema.const === "string") {
-    return [urlSchema.const];
-  }
-  if (!Array.isArray(urlSchema.enum)) {
-    return [];
-  }
-  return urlSchema.enum.filter((candidate) => typeof candidate === "string");
-}
-function lintPermissionScopeConsistency(tool) {
-  const pathScopes = tool.required_scopes.filter(
-    (scope) => scope.type === "path"
-  );
-  const hasWritePathScope = pathScopes.some((scope) => scope.access === "write");
-  const issues = [];
-  if (tool.permission === "read" && hasWritePathScope) {
-    issues.push(SECURITY_LINT_ERROR.PERMISSION_SCOPE_READ_WRITE);
-  }
-  if (tool.permission === "write" && pathScopes.length > 0 && !hasWritePathScope) {
-    issues.push(SECURITY_LINT_ERROR.PERMISSION_SCOPE_WRITE_MISSING);
-  }
-  return issues;
-}
-function runSecurityLint(manifest) {
-  const issues = /* @__PURE__ */ new Set();
-  for (const tool of manifest.tools) {
-    for (const issue of lintPermissionScopeConsistency(tool)) {
-      issues.add(`Tool "${tool.name}": ${issue}`);
-    }
-    for (const issue of validateDomainPackToolSafety(tool)) {
-      issues.add(`Tool "${tool.name}": ${issue}`);
-    }
-    const hasNetworkScope = tool.required_scopes.some((scope) => scope.type === "network");
-    for (const scope of tool.required_scopes) {
-      if (scope.type !== "path") {
-        continue;
-      }
-      if ((tool.permission === "write" || tool.permission === "admin") && scope.access === "write" && isBroadWildcardScopePattern(scope.pattern)) {
-        issues.add(`Tool "${tool.name}": ${SECURITY_LINT_ERROR.WILDCARD_WRITE}`);
-      }
-    }
-    if (!hasNetworkScope) {
-      continue;
-    }
-    const allowedUrls = extractNetworkUrls(tool);
-    if (allowedUrls.length === 0) {
-      issues.add(`Tool "${tool.name}": ${SECURITY_LINT_ERROR.NETWORK_URL_REQUIRED}`);
-      continue;
-    }
-    for (const allowedUrl of allowedUrls) {
-      let parsedUrl;
-      try {
-        parsedUrl = new URL(allowedUrl);
-      } catch {
-        issues.add(
-          `Tool "${tool.name}" URL "${allowedUrl}": ${SECURITY_LINT_ERROR.NETWORK_URL_INVALID}`
-        );
-        continue;
-      }
-      if (parsedUrl.protocol !== HTTPS_PROTOCOL) {
-        issues.add(
-          `Tool "${tool.name}" URL "${allowedUrl}": ${SECURITY_LINT_ERROR.NETWORK_URL_SCHEME}`
-        );
-      }
-    }
-  }
-  if (issues.size > 0) {
-    return {
-      status: "fail",
-      error: [...issues].join("\n")
-    };
-  }
-  return { status: "pass" };
-}
-var CHECK_LABELS = {
-  manifest: "Manifest schema",
-  importBoundaries: "Import boundaries",
-  toolEntries: "Tool entry resolution",
-  securityLint: "Security lint",
-  integrity: "Integrity hash"
-};
-var STATUS_INDICATORS = {
-  pass: "PASS",
-  fail: "FAIL",
-  skip: "SKIP"
-};
-function formatValidationReport(result) {
-  const lines = [];
-  lines.push("Pack Validation Report");
-  lines.push("=====================");
-  lines.push("");
-  const checks = [
-    ["manifest", result.manifest],
-    ["importBoundaries", result.importBoundaries],
-    ["toolEntries", result.toolEntries],
-    ["securityLint", result.securityLint],
-    ["integrity", result.integrity]
-  ];
-  for (const [key, check] of checks) {
-    const label = CHECK_LABELS[key];
-    const indicator = STATUS_INDICATORS[check.status];
-    lines.push(`  [${indicator}] ${label}`);
-    if (check.status === "fail" && check.error) {
-      lines.push(`         Error: ${check.error}`);
-    }
-    if (key === "integrity" && "hash" in check && check.hash) {
-      lines.push(`         Hash: sha256:${check.hash}`);
-    }
-  }
-  lines.push("");
-  lines.push(`Result: ${result.allPassed ? "ALL CHECKS PASSED" : "VALIDATION FAILED"}`);
-  return lines.join("\n");
-}
-var PACK_VALIDATE_OPTIONS = {
-  packId: {
-    name: "id",
-    flags: "--id <packId>",
-    description: "Pack ID to validate (resolves under --packs-root)"
-  },
-  packsRoot: {
-    name: "packsRoot",
-    flags: "--packs-root <dir>",
-    description: `Root directory containing packs (default: "${DEFAULT_PACKS_ROOT}")`
-  },
-  packRoot: {
-    name: "packRoot",
-    flags: "--pack-root <dir>",
-    description: "Direct path to pack directory (overrides --id and --packs-root)"
-  }
-};
-async function main() {
-  const opts = createWUParser({
-    name: "pack-validate",
-    description: "Validate a LumenFlow domain pack for integrity",
-    options: [
-      PACK_VALIDATE_OPTIONS.packId,
-      PACK_VALIDATE_OPTIONS.packsRoot,
-      PACK_VALIDATE_OPTIONS.packRoot,
-      WU_OPTIONS.force
-    ]
-  });
-  const packId = opts.id;
-  const packsRoot = opts.packsRoot ?? DEFAULT_PACKS_ROOT;
-  const directPackRoot = opts.packRoot;
-  let resolvedPackRoot;
-  if (directPackRoot) {
-    resolvedPackRoot = resolve(directPackRoot);
-  } else if (packId) {
-    resolvedPackRoot = resolve(packsRoot, packId);
-  } else {
-    console.error(`${LOG_PREFIX} Error: Provide --id <packId> or --pack-root <dir>`);
-    process.exit(1);
-  }
-  console.log(`${LOG_PREFIX} Validating pack at: ${resolvedPackRoot}`);
-  const result = await validatePack({ packRoot: resolvedPackRoot });
-  const report = formatValidationReport(result);
-  console.log(report);
-  if (!result.allPassed) {
-    process.exit(1);
-  }
-}
-if (import.meta.main) {
-  void runCLI(main);
-}
-
-export {
-  LOG_PREFIX,
-  validatePack,
-  formatValidationReport,
-  main
-};