@lumenflow/cli 3.18.1 → 3.20.0

package/dist/chunk-HANJXVKW.js

@@ -1,1127 +0,0 @@
-// ../kernel/dist/shared-constants.js
-var UTF8_ENCODING = "utf8";
-var BASE64_ENCODING = "base64";
-var SHA256_ALGORITHM = "sha256";
-var SHA256_HEX_LENGTH = 64;
-var SHA256_HEX_REGEX = /^[a-f0-9]{64}$/;
-var SHA256_INTEGRITY_PREFIX = "sha256:";
-var SHA256_INTEGRITY_REGEX = /^sha256:[a-f0-9]{64}$/;
-var WORKSPACE_FILE_NAME = "workspace.yaml";
-var GIT_DIR_NAME = ".git";
-var PACKS_DIR_NAME = "packs";
-var PACK_MANIFEST_FILE_NAME = "manifest.yaml";
-var PACKAGES_DIR_NAME = "packages";
-var LUMENFLOW_SCOPE_NAME = "@lumenflow";
-var LUMENFLOW_DIR_NAME = ".lumenflow";
-var KERNEL_RUNTIME_ROOT_DIR_NAME = "kernel";
-var KERNEL_RUNTIME_TASKS_DIR_NAME = "tasks";
-var KERNEL_RUNTIME_EVENTS_DIR_NAME = "events";
-var KERNEL_RUNTIME_EVIDENCE_DIR_NAME = "evidence";
-var KERNEL_RUNTIME_EVENTS_FILE_NAME = "events.jsonl";
-var KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME = "events.lock";
-var RESERVED_FRAMEWORK_SCOPE_ROOT = LUMENFLOW_DIR_NAME;
-var RESERVED_FRAMEWORK_SCOPE_PREFIX = `${LUMENFLOW_DIR_NAME}/`;
-var RESERVED_FRAMEWORK_SCOPE_GLOB = `${LUMENFLOW_DIR_NAME}/**`;
-var DEFAULT_WORKSPACE_CONFIG_HASH = "0".repeat(SHA256_HEX_LENGTH);
-var DEFAULT_KERNEL_RUNTIME_VERSION = "kernel-dev";
-var WORKSPACE_CONFIG_HASH_CONTEXT_KEYS = {
-  WORKSPACE_FILE_MISSING: "workspace_file_missing"
-};
-var EXECUTION_METADATA_KEYS = {
-  WORKSPACE_ALLOWED_SCOPES: "workspace_allowed_scopes",
-  LANE_ALLOWED_SCOPES: "lane_allowed_scopes",
-  TASK_DECLARED_SCOPES: "task_declared_scopes",
-  WORKSPACE_CONFIG_HASH: "workspace_config_hash",
-  RUNTIME_VERSION: "runtime_version",
-  PACK_ID: "pack_id",
-  PACK_VERSION: "pack_version",
-  PACK_INTEGRITY: "pack_integrity"
-};
-var KERNEL_POLICY_IDS = {
-  ALLOW_ALL: "kernel.policy.allow-all",
-  RUNTIME_FALLBACK: "kernel.policy.runtime-fallback",
-  BUILTIN_DEFAULT: "kernel.policy.builtin-default",
-  PROC_EXEC_DEFAULT_DENY: "kernel.policy.proc-exec-default-deny",
-  SCOPE_RESERVED_PATH: "kernel.scope.reserved-path",
-  SCOPE_BOUNDARY: "kernel.scope.boundary",
-  RECONCILIATION: "kernel.reconciliation",
-  APPROVAL_REQUIRED: "kernel.policy.approval-required"
-};
-
-// ../kernel/dist/kernel.schemas.js
-import { z } from "zod";
-
-// ../kernel/dist/event-kinds.js
-var KERNEL_EVENT_KINDS = {
-  TASK_CREATED: "task_created",
-  TASK_CLAIMED: "task_claimed",
-  TASK_BLOCKED: "task_blocked",
-  TASK_UNBLOCKED: "task_unblocked",
-  TASK_WAITING: "task_waiting",
-  TASK_RESUMED: "task_resumed",
-  TASK_COMPLETED: "task_completed",
-  TASK_RELEASED: "task_released",
-  TASK_DELEGATED: "task_delegated",
-  RUN_STARTED: "run_started",
-  RUN_PAUSED: "run_paused",
-  RUN_FAILED: "run_failed",
-  RUN_SUCCEEDED: "run_succeeded",
-  WORKSPACE_UPDATED: "workspace_updated",
-  WORKSPACE_WARNING: "workspace_warning",
-  SPEC_TAMPERED: "spec_tampered",
-  CHECKPOINT: "checkpoint"
-};
-var TASK_EVENT_KINDS = [
-  KERNEL_EVENT_KINDS.TASK_CREATED,
-  KERNEL_EVENT_KINDS.TASK_CLAIMED,
-  KERNEL_EVENT_KINDS.TASK_BLOCKED,
-  KERNEL_EVENT_KINDS.TASK_UNBLOCKED,
-  KERNEL_EVENT_KINDS.TASK_WAITING,
-  KERNEL_EVENT_KINDS.TASK_RESUMED,
-  KERNEL_EVENT_KINDS.TASK_COMPLETED,
-  KERNEL_EVENT_KINDS.TASK_RELEASED,
-  KERNEL_EVENT_KINDS.TASK_DELEGATED
-];
-var RUN_LIFECYCLE_EVENT_KINDS = [
-  KERNEL_EVENT_KINDS.RUN_STARTED,
-  KERNEL_EVENT_KINDS.RUN_PAUSED,
-  KERNEL_EVENT_KINDS.RUN_FAILED,
-  KERNEL_EVENT_KINDS.RUN_SUCCEEDED
-];
-var TASK_EVENT_KIND_SET = new Set(TASK_EVENT_KINDS);
-var RUN_LIFECYCLE_EVENT_KIND_SET = new Set(RUN_LIFECYCLE_EVENT_KINDS);
-function isTaskEventKind(kind) {
-  return TASK_EVENT_KIND_SET.has(kind);
-}
-function isRunLifecycleEventKind(kind) {
-  return RUN_LIFECYCLE_EVENT_KIND_SET.has(kind);
-}
-var TOOL_TRACE_KINDS = {
-  TOOL_CALL_STARTED: "tool_call_started",
-  TOOL_CALL_FINISHED: "tool_call_finished"
-};
-
-// ../kernel/dist/kernel.schemas.js
-var ISO_DATETIME_SCHEMA = z.string().datetime();
-var SEMVER_REGEX = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
-var SEMVER_MESSAGE = "Expected semantic version";
-var RUN_STATUSES = {
-  PLANNED: "planned",
-  EXECUTING: "executing",
-  PAUSED: "paused",
-  FAILED: "failed",
-  SUCCEEDED: "succeeded"
-};
-var RUN_STATUS_VALUES = [
-  RUN_STATUSES.PLANNED,
-  RUN_STATUSES.EXECUTING,
-  RUN_STATUSES.PAUSED,
-  RUN_STATUSES.FAILED,
-  RUN_STATUSES.SUCCEEDED
-];
-var TOOL_HANDLER_KINDS = {
-  IN_PROCESS: "in-process",
-  SUBPROCESS: "subprocess"
-};
-var TOOL_HANDLER_KIND_VALUES = [
-  TOOL_HANDLER_KINDS.IN_PROCESS,
-  TOOL_HANDLER_KINDS.SUBPROCESS
-];
-var TOOL_ERROR_CODES = {
-  TOOL_NOT_FOUND: "TOOL_NOT_FOUND",
-  SCOPE_DENIED: "SCOPE_DENIED",
-  POLICY_DENIED: "POLICY_DENIED",
-  APPROVAL_REQUIRED: "APPROVAL_REQUIRED",
-  INVALID_INPUT: "INVALID_INPUT",
-  INVALID_OUTPUT: "INVALID_OUTPUT",
-  TOOL_EXECUTION_FAILED: "TOOL_EXECUTION_FAILED"
-};
-var ToolScopePathSchema = z.object({
-  type: z.literal("path"),
-  pattern: z.string().min(1),
-  access: z.enum(["read", "write"])
-});
-var ToolScopeNetworkBaseSchema = z.object({
-  type: z.literal("network"),
-  posture: z.enum(["off", "full", "allowlist"]),
-  allowlist_entries: z.array(z.string().min(1)).min(1).optional()
-});
-var ToolScopeNetworkSchema = ToolScopeNetworkBaseSchema.refine((data) => {
-  if (data.posture === "allowlist") {
-    return data.allowlist_entries !== void 0 && data.allowlist_entries.length > 0;
-  }
-  return true;
-}, { message: "allowlist_entries required when posture is allowlist" });
-var ToolScopeSchema = z.discriminatedUnion("type", [ToolScopePathSchema, ToolScopeNetworkBaseSchema]).refine((data) => {
-  if (data.type === "network" && data.posture === "allowlist") {
-    return data.allowlist_entries !== void 0 && data.allowlist_entries.length > 0;
-  }
-  return true;
-}, { message: "allowlist_entries required when posture is allowlist" });
-var AcceptanceSchema = z.union([
-  z.array(z.string().min(1)).min(1),
-  z.record(z.string().min(1), z.array(z.string().min(1)).min(1))
-]);
-var TaskSpecSchema = z.object({
-  id: z.string().min(1),
-  workspace_id: z.string().min(1),
-  lane_id: z.string().min(1),
-  domain: z.string().min(1),
-  title: z.string().min(1),
-  description: z.string().min(1),
-  acceptance: AcceptanceSchema,
-  declared_scopes: z.array(ToolScopeSchema),
-  expected_artifacts: z.array(z.string().min(1)).optional(),
-  risk: z.enum(["low", "medium", "high", "critical"]),
-  blocks: z.array(z.string().min(1)).optional(),
-  blocked_by: z.array(z.string().min(1)).optional(),
-  extensions: z.record(z.string(), z.unknown()).optional(),
-  type: z.string().min(1),
-  priority: z.enum(["P0", "P1", "P2", "P3"]),
-  created: z.string().date(),
-  labels: z.array(z.string().min(1)).optional()
-});
-var RunSchema = z.object({
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  status: z.enum(RUN_STATUS_VALUES),
-  started_at: ISO_DATETIME_SCHEMA,
-  completed_at: ISO_DATETIME_SCHEMA.optional(),
-  by: z.string().min(1),
-  session_id: z.string().min(1)
-});
-var TaskStateSchema = z.object({
-  task_id: z.string().min(1),
-  status: z.enum(["ready", "active", "blocked", "waiting", "done"]),
-  claimed_at: ISO_DATETIME_SCHEMA.optional(),
-  claimed_by: z.string().min(1).optional(),
-  session_id: z.string().min(1).optional(),
-  blocked_reason: z.string().min(1).optional(),
-  completed_at: ISO_DATETIME_SCHEMA.optional(),
-  current_run: RunSchema.optional(),
-  run_count: z.number().int().nonnegative(),
-  domain_state: z.record(z.string(), z.unknown()).optional()
-});
-var PackPinSchema = z.object({
-  id: z.string().min(1),
-  version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  integrity: z.union([
-    z.literal("dev"),
-    z.string().regex(SHA256_INTEGRITY_REGEX, "Expected dev or sha256:<64-hex>")
-  ]),
-  source: z.enum(["local", "git", "registry"]),
-  url: z.string().url().optional(),
-  /** Registry base URL override. When omitted, uses PackLoader's defaultRegistryUrl. */
-  registry_url: z.string().url().optional()
-});
-var LaneSpecSchema = z.object({
-  id: z.string().min(1),
-  title: z.string().min(1),
-  allowed_scopes: z.array(ToolScopeSchema).default([]),
-  wip_limit: z.number().int().positive().optional(),
-  policy_overrides: z.record(z.string(), z.unknown()).optional()
-});
-var WorkspaceControlPlanePolicyModeSchema = z.enum([
-  "authoritative",
-  "tighten-only",
-  "dev-override"
-]);
-var CONTROL_PLANE_AUTH_TOKEN_ENV_PATTERN = /^[A-Z][A-Z0-9_]*$/;
-var WorkspaceControlPlaneAuthConfigSchema = z.object({
-  token_env: z.string().regex(CONTROL_PLANE_AUTH_TOKEN_ENV_PATTERN, "Expected uppercase environment variable name")
-}).strict();
-var WorkspaceControlPlaneConfigSchema = z.object({
-  endpoint: z.string().url(),
-  org_id: z.string().min(1),
-  project_id: z.string().min(1),
-  sync_interval: z.number().int().positive(),
-  policy_mode: WorkspaceControlPlanePolicyModeSchema,
-  auth: WorkspaceControlPlaneAuthConfigSchema
-}).strict();
-var WorkspaceSpecSchema = z.object({
-  id: z.string().min(1),
-  name: z.string().min(1),
-  packs: z.array(PackPinSchema),
-  lanes: z.array(LaneSpecSchema),
-  policies: z.record(z.string(), z.unknown()).optional(),
-  security: z.object({
-    allowed_scopes: z.array(ToolScopeSchema),
-    network_default: z.enum(["off", "full"]),
-    deny_overlays: z.array(z.string().min(1))
-  }),
-  software_delivery: z.record(z.string(), z.unknown()).optional(),
-  control_plane: WorkspaceControlPlaneConfigSchema.optional(),
-  memory_namespace: z.string().min(1),
-  event_namespace: z.string().min(1)
-});
-var KERNEL_OWNED_ROOT_KEYS = [
-  "id",
-  "name",
-  "packs",
-  "lanes",
-  "policies",
-  "security",
-  "control_plane",
-  "memory_namespace",
-  "event_namespace"
-];
-var KNOWN_PACK_CONFIG_KEY_MIGRATIONS = {
-  software_delivery: {
-    packId: "software-delivery",
-    packLabel: "software-delivery"
-  }
-};
-function validateWorkspaceRootKeys(workspaceData, packManifests, availableManifests = []) {
-  const kernelKeys = new Set(KERNEL_OWNED_ROOT_KEYS);
-  const packConfigKeys = /* @__PURE__ */ new Set();
-  for (const manifest of packManifests) {
-    if (manifest.config_key) {
-      packConfigKeys.add(manifest.config_key);
-    }
-  }
-  const errors = [];
-  for (const key of Object.keys(workspaceData)) {
-    if (kernelKeys.has(key)) {
-      continue;
-    }
-    if (packConfigKeys.has(key)) {
-      continue;
-    }
-    const migration = KNOWN_PACK_CONFIG_KEY_MIGRATIONS[key];
-    if (migration) {
-      const availableManifest = availableManifests.find((m) => m.id === migration.packId) ?? packManifests.find((m) => m.id === migration.packId);
-      const versionFlag = availableManifest ? `--version ${availableManifest.version}` : "--version latest";
-      errors.push(`Your workspace has a "${key}" config block but the ${migration.packLabel} pack is not pinned. Since LumenFlow 3.x, pack config keys require explicit pack pinning. Add the ${migration.packLabel} pack to your workspace:
-
-  pnpm pack:install --id ${migration.packId} --source registry ${versionFlag}`);
-      continue;
-    }
-    errors.push(`Unknown workspace root key "${key}". Only kernel-owned keys and pack-declared config_keys are allowed. If this key belongs to a pack, ensure the pack is pinned and declares config_key in its manifest.`);
-  }
-  return {
-    valid: errors.length === 0,
-    errors
-  };
-}
-var KernelEventBaseSchema = z.object({
-  schema_version: z.literal(1),
-  timestamp: ISO_DATETIME_SCHEMA
-});
-var TaskEventBaseSchema = KernelEventBaseSchema.extend({
-  task_id: z.string().min(1)
-});
-var RunEventBaseSchema = TaskEventBaseSchema.extend({
-  run_id: z.string().min(1)
-});
-var TaskCreatedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_CREATED),
-  spec_hash: z.string().regex(SHA256_HEX_REGEX)
-});
-var TaskClaimedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_CLAIMED),
-  by: z.string().min(1),
-  session_id: z.string().min(1),
-  domain_data: z.record(z.string(), z.unknown()).optional()
-});
-var TaskBlockedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_BLOCKED),
-  reason: z.string().min(1)
-});
-var TaskUnblockedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_UNBLOCKED)
-});
-var TaskWaitingEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_WAITING),
-  reason: z.string().min(1),
-  wait_for: z.string().min(1).optional()
-});
-var TaskResumedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_RESUMED)
-});
-var TaskCompletedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_COMPLETED),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var TaskReleasedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_RELEASED),
-  reason: z.string().min(1)
-});
-var TaskDelegatedEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.TASK_DELEGATED),
-  parent_task_id: z.string().min(1),
-  delegation_id: z.string().min(1)
-});
-var RunStartedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_STARTED),
-  by: z.string().min(1),
-  session_id: z.string().min(1)
-});
-var RunPausedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_PAUSED),
-  reason: z.string().min(1)
-});
-var RunFailedEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_FAILED),
-  reason: z.string().min(1),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var RunSucceededEventSchema = RunEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.RUN_SUCCEEDED),
-  evidence_refs: z.array(z.string().min(1)).optional()
-});
-var WorkspaceUpdatedEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.WORKSPACE_UPDATED),
-  config_hash: z.string().regex(SHA256_HEX_REGEX),
-  changes_summary: z.string().min(1)
-});
-var WorkspaceWarningEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.WORKSPACE_WARNING),
-  message: z.string().min(1)
-});
-var SpecTamperedEventSchema = KernelEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.SPEC_TAMPERED),
-  spec: z.enum(["task", "workspace"]),
-  id: z.string().min(1),
-  expected_hash: z.string().regex(SHA256_HEX_REGEX),
-  actual_hash: z.string().regex(SHA256_HEX_REGEX)
-});
-var CheckpointEventSchema = TaskEventBaseSchema.extend({
-  kind: z.literal(KERNEL_EVENT_KINDS.CHECKPOINT),
-  run_id: z.string().min(1).optional(),
-  note: z.string().min(1),
-  progress: z.string().min(1).optional()
-});
-var KernelEventSchema = z.discriminatedUnion("kind", [
-  TaskCreatedEventSchema,
-  TaskClaimedEventSchema,
-  TaskBlockedEventSchema,
-  TaskUnblockedEventSchema,
-  TaskWaitingEventSchema,
-  TaskResumedEventSchema,
-  TaskCompletedEventSchema,
-  TaskReleasedEventSchema,
-  TaskDelegatedEventSchema,
-  RunStartedEventSchema,
-  RunPausedEventSchema,
-  RunFailedEventSchema,
-  RunSucceededEventSchema,
-  WorkspaceUpdatedEventSchema,
-  WorkspaceWarningEventSchema,
-  SpecTamperedEventSchema,
-  CheckpointEventSchema
-]);
-var PolicyDecisionSchema = z.object({
-  policy_id: z.string().min(1),
-  decision: z.enum(["allow", "deny", "approval_required"]),
-  reason: z.string().min(1).optional()
-});
-var ToolCallStartedSchema = z.object({
-  schema_version: z.literal(1),
-  kind: z.literal(TOOL_TRACE_KINDS.TOOL_CALL_STARTED),
-  receipt_id: z.string().min(1),
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  session_id: z.string().min(1),
-  timestamp: ISO_DATETIME_SCHEMA,
-  tool_name: z.string().min(1),
-  execution_mode: z.enum(TOOL_HANDLER_KIND_VALUES),
-  scope_requested: z.array(ToolScopeSchema),
-  scope_allowed: z.array(ToolScopeSchema),
-  scope_enforced: z.array(ToolScopeSchema),
-  input_hash: z.string().regex(SHA256_HEX_REGEX),
-  input_ref: z.string().min(1),
-  tool_version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  pack_id: z.string().min(1).optional(),
-  pack_version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE).optional(),
-  pack_integrity: z.string().optional(),
-  workspace_config_hash: z.string().regex(SHA256_HEX_REGEX),
-  runtime_version: z.string().min(1)
-});
-var ToolCallFinishedSchema = z.object({
-  schema_version: z.literal(1),
-  kind: z.literal(TOOL_TRACE_KINDS.TOOL_CALL_FINISHED),
-  receipt_id: z.string().min(1),
-  timestamp: ISO_DATETIME_SCHEMA,
-  result: z.enum(["success", "failure", "denied", "crashed"]),
-  duration_ms: z.number().int().nonnegative(),
-  output_hash: z.string().regex(SHA256_HEX_REGEX).optional(),
-  output_ref: z.string().min(1).optional(),
-  redaction_summary: z.string().min(1).optional(),
-  scope_enforcement_note: z.string().min(1).optional(),
-  policy_decisions: z.array(PolicyDecisionSchema),
-  artifacts_written: z.array(z.string().min(1)).optional()
-});
-var ToolTraceEntrySchema = z.discriminatedUnion("kind", [
-  ToolCallStartedSchema,
-  ToolCallFinishedSchema
-]);
-var ToolErrorSchema = z.object({
-  code: z.string().min(1),
-  message: z.string().min(1),
-  details: z.record(z.string(), z.unknown()).optional()
-});
-var ToolOutputSchema = z.object({
-  success: z.boolean(),
-  data: z.unknown().optional(),
-  error: ToolErrorSchema.optional(),
-  metadata: z.record(z.string(), z.unknown()).optional()
-});
-var ExecutionContextSchema = z.object({
-  run_id: z.string().min(1),
-  task_id: z.string().min(1),
-  session_id: z.string().min(1),
-  allowed_scopes: z.array(ToolScopeSchema),
-  metadata: z.record(z.string(), z.unknown()).optional()
-});
-var ZodSchemaSchema = z.custom((value) => value instanceof z.ZodType, {
-  message: "Expected a Zod schema"
-});
-var InProcessToolHandlerSchema = z.object({
-  kind: z.literal(TOOL_HANDLER_KINDS.IN_PROCESS),
-  fn: z.custom((value) => typeof value === "function", {
-    message: "Expected an async tool function"
-  })
-});
-var SubprocessToolHandlerSchema = z.object({
-  kind: z.literal(TOOL_HANDLER_KINDS.SUBPROCESS),
-  entry: z.string().min(1)
-});
-var ToolHandlerSchema = z.discriminatedUnion("kind", [
-  InProcessToolHandlerSchema,
-  SubprocessToolHandlerSchema
-]);
-var ToolCapabilitySchema = z.object({
-  name: z.string().min(1),
-  domain: z.string().min(1),
-  version: z.string().regex(SEMVER_REGEX, SEMVER_MESSAGE),
-  input_schema: ZodSchemaSchema,
-  output_schema: ZodSchemaSchema.optional(),
-  permission: z.enum(["read", "write", "admin"]),
-  required_scopes: z.array(ToolScopeSchema),
-  handler: ToolHandlerSchema,
-  description: z.string().min(1),
-  pack: z.string().min(1).optional()
-});
-
-// ../kernel/dist/pack/hash.js
-import { createHash } from "crypto";
-import { readdir, readFile } from "fs/promises";
-import path from "path";
-var NULL_BYTE_BUFFER = Buffer.from([0]);
-var DEFAULT_EXCLUSIONS = ["node_modules/", `${GIT_DIR_NAME}/`, "dist/", ".DS_Store"];
-function normalizeRelativePath(root, absolutePath) {
-  return path.relative(root, absolutePath).split(path.sep).join("/");
-}
-function shouldExclude(relativePath, exclusions) {
-  return exclusions.some((excluded) => {
-    if (excluded.endsWith("/")) {
-      return relativePath.startsWith(excluded);
-    }
-    return relativePath === excluded || relativePath.endsWith(`/${excluded}`);
-  });
-}
-async function collectFilesRecursive(root, directory) {
-  const entries = await readdir(directory, { withFileTypes: true });
-  const sortedEntries = [...entries].sort((left, right) => left.name.localeCompare(right.name));
-  const files = [];
-  for (const entry of sortedEntries) {
-    const absolutePath = path.join(directory, entry.name);
-    const relativePath = normalizeRelativePath(root, absolutePath);
-    if (entry.isDirectory()) {
-      files.push(...await collectFilesRecursive(root, absolutePath));
-      continue;
-    }
-    files.push(relativePath);
-  }
-  return files;
-}
-async function listPackFiles(packRoot, exclusions = DEFAULT_EXCLUSIONS) {
-  const absoluteRoot = path.resolve(packRoot);
-  const allFiles = await collectFilesRecursive(absoluteRoot, absoluteRoot);
-  return allFiles.filter((relativePath) => !shouldExclude(relativePath, exclusions)).sort();
-}
-async function computeDeterministicPackHash(input) {
-  const absoluteRoot = path.resolve(input.packRoot);
-  const files = await listPackFiles(absoluteRoot, input.exclusions || DEFAULT_EXCLUSIONS);
-  const digestChunks = [];
-  for (const relativePath of files) {
-    const fileContents = await readFile(path.join(absoluteRoot, relativePath));
-    const fileHash = createHash(SHA256_ALGORITHM).update(fileContents).digest("hex");
-    digestChunks.push(Buffer.from(relativePath, UTF8_ENCODING));
-    digestChunks.push(NULL_BYTE_BUFFER);
-    digestChunks.push(Buffer.from(fileHash, UTF8_ENCODING));
-    digestChunks.push(NULL_BYTE_BUFFER);
-  }
-  return createHash(SHA256_ALGORITHM).update(digestChunks.length === 0 ? Buffer.alloc(0) : Buffer.concat(digestChunks)).digest("hex");
-}
-
-// ../kernel/dist/pack/manifest.js
-import { z as z2 } from "zod";
-
-// ../kernel/dist/policy/policy-engine.js
-var POLICY_TRIGGERS = {
-  ON_TOOL_REQUEST: "on_tool_request",
-  ON_CLAIM: "on_claim",
-  ON_COMPLETION: "on_completion",
-  ON_EVIDENCE_ADDED: "on_evidence_added"
-};
-var POLICY_LAYER_ORDER = ["workspace", "lane", "pack", "task"];
-function layerOrderScore(level) {
-  const index = POLICY_LAYER_ORDER.indexOf(level);
-  return index < 0 ? POLICY_LAYER_ORDER.length : index;
-}
-function matchingRules(layer, context) {
-  return layer.rules.filter((rule) => {
-    if (rule.trigger !== context.trigger) {
-      return false;
-    }
-    if (!rule.when) {
-      return true;
-    }
-    return rule.when(context);
-  });
-}
-function canLoosen(layer) {
-  return layer.allow_loosening === true;
-}
-var PolicyEngine = class {
-  layers;
-  constructor(options) {
-    this.layers = [...options.layers].sort((left, right) => layerOrderScore(left.level) - layerOrderScore(right.level));
-  }
-  async evaluate(context) {
-    let effectiveDecision = "deny";
-    let hasInitializedDecision = false;
-    let hasHardDeny = false;
-    let hasApprovalRequired = false;
-    const warnings = [];
-    const decisions = [];
-    for (const layer of this.layers) {
-      if (!hasInitializedDecision) {
-        if (layer.default_decision) {
-          effectiveDecision = layer.default_decision;
-        }
-        hasInitializedDecision = true;
-      } else if (layer.default_decision) {
-        if (effectiveDecision === "deny" && layer.default_decision === "allow" && !canLoosen(layer)) {
-          warnings.push(`Policy layer "${layer.level}" attempted loosening default decision without explicit opt-in.`);
-        } else {
-          effectiveDecision = layer.default_decision;
-        }
-      }
-      const layerRules = matchingRules(layer, context);
-      for (const rule of layerRules) {
-        decisions.push({
-          policy_id: rule.id,
-          decision: rule.decision,
-          reason: rule.reason
-        });
-        if (rule.decision === "deny") {
-          hasHardDeny = true;
-          effectiveDecision = "deny";
-          continue;
-        }
-        if (rule.decision === "approval_required") {
-          hasApprovalRequired = true;
-          if (effectiveDecision !== "deny" || canLoosen(layer)) {
-            effectiveDecision = "approval_required";
-          }
-          continue;
-        }
-        if (effectiveDecision === "deny" && !canLoosen(layer)) {
-          warnings.push(`Policy layer "${layer.level}" attempted loosening via rule "${rule.id}" without explicit opt-in.`);
-          continue;
-        }
-        effectiveDecision = "allow";
-      }
-    }
-    if (hasHardDeny) {
-      return { decision: "deny", decisions, warnings };
-    }
-    if (hasApprovalRequired) {
-      return { decision: "approval_required", decisions, warnings };
-    }
-    return { decision: effectiveDecision, decisions, warnings };
-  }
-};
-
-// ../kernel/dist/pack/manifest.js
-var SEMVER_REGEX2 = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
-var SEMVER_MESSAGE2 = "Expected semantic version";
-var NULL_BYTE = "\0";
-var SCOPE_TRAVERSAL_PATTERN = /(^|\/)\.\.(\/|$)/;
-var BROAD_WILDCARD_SCOPE_PATTERNS = /* @__PURE__ */ new Set(["*", "**", "**/*", "./**", "./**/*"]);
-var JsonSchemaObjectSchema = z2.record(z2.string(), z2.unknown());
-var DomainPackToolSchema = z2.object({
-  name: z2.string().min(1),
-  entry: z2.string().min(1),
-  permission: z2.enum(["read", "write", "admin"]).default("read"),
-  required_scopes: z2.array(ToolScopeSchema).min(1),
-  internal_only: z2.boolean().optional(),
-  /** Optional JSON Schema for tool input validation. */
-  input_schema: JsonSchemaObjectSchema.optional(),
-  /** Optional JSON Schema for tool output validation. */
-  output_schema: JsonSchemaObjectSchema.optional()
-});
-function isBroadWildcardScopePattern(pattern) {
-  return BROAD_WILDCARD_SCOPE_PATTERNS.has(pattern.trim());
-}
-function hasUnsafeScopePattern(pattern) {
-  return pattern.includes(NULL_BYTE) || SCOPE_TRAVERSAL_PATTERN.test(pattern);
-}
-function validateDomainPackToolSafety(tool) {
-  const issues = [];
-  for (const scope of tool.required_scopes) {
-    if (scope.type !== "path") {
-      continue;
-    }
-    if (hasUnsafeScopePattern(scope.pattern)) {
-      issues.push(`scope pattern "${scope.pattern}" contains unsafe traversal or null-byte content`);
-    }
-    if ((tool.permission === "write" || tool.permission === "admin") && scope.access === "write" && isBroadWildcardScopePattern(scope.pattern)) {
-      issues.push(`scope pattern "${scope.pattern}" is too broad for ${tool.permission} permission and write access`);
-    }
-  }
-  const inputSchemaType = tool.input_schema?.type;
-  if (inputSchemaType && inputSchemaType !== "object") {
-    issues.push(`input_schema.type must be "object" when provided, got "${String(inputSchemaType)}"`);
-  }
-  const outputSchemaType = tool.output_schema?.type;
-  if (outputSchemaType && outputSchemaType !== "object") {
-    issues.push(`output_schema.type must be "object" when provided, got "${String(outputSchemaType)}"`);
-  }
-  return issues;
-}
-var DomainPackPolicySchema = z2.object({
-  id: z2.string().min(1),
-  trigger: z2.enum([
-    POLICY_TRIGGERS.ON_TOOL_REQUEST,
-    POLICY_TRIGGERS.ON_CLAIM,
-    POLICY_TRIGGERS.ON_COMPLETION,
-    POLICY_TRIGGERS.ON_EVIDENCE_ADDED
-  ]),
-  decision: z2.enum(["allow", "deny"]),
-  reason: z2.string().min(1).optional()
-});
-var DomainPackLaneTemplateSchema = z2.object({
-  id: z2.string().min(1),
-  title: z2.string().min(1).optional(),
-  description: z2.string().min(1).optional()
-});
-var DomainPackManifestSchema = z2.object({
-  id: z2.string().min(1),
-  version: z2.string().regex(SEMVER_REGEX2, SEMVER_MESSAGE2),
-  task_types: z2.array(z2.string().min(1)).min(1),
-  tools: z2.array(DomainPackToolSchema),
-  policies: z2.array(DomainPackPolicySchema),
-  evidence_types: z2.array(z2.string().min(1)).default([]),
-  state_aliases: z2.record(z2.string().min(1), z2.string().min(1)).default({}),
-  lane_templates: z2.array(DomainPackLaneTemplateSchema).default([]),
-  /** Root key in workspace.yaml that this pack owns for its configuration namespace. */
-  config_key: z2.string().min(1).optional(),
-  /** Path to a JSON Schema file (relative to pack root) describing the pack config shape. */
-  config_schema: z2.string().optional()
-});
-
-// ../kernel/dist/pack/pack-loader.js
-import { builtinModules } from "module";
-import path2 from "path";
-import { access, mkdir, readFile as readFile2 } from "fs/promises";
-import { homedir } from "os";
-import YAML from "yaml";
-var PACK_CACHE_DIR_NAME = "pack-cache";
-var VERSION_TAG_PREFIX = "v";
-var DEFAULT_REGISTRY_URL = "https://registry.lumenflow.dev";
-var NODE_BUILTINS = new Set(builtinModules.map((moduleName) => moduleName.replace(/^node:/, "")));
-var ALLOWED_BARE_IMPORT_SPECIFIERS = /* @__PURE__ */ new Set(["simple-git"]);
-var IMPORT_SPECIFIER_PATTERNS = [
-  /\bimport\s+(?:[^'"]*?\sfrom\s*)?["']([^"']+)["']/,
-  /\bexport\s+[^'"]*?\sfrom\s*["']([^"']+)["']/,
-  /\bimport\(\s*["']([^"']+)["']\s*\)/
-];
-function isWithinRoot(root, candidatePath) {
-  const relative = path2.relative(root, candidatePath);
-  return relative === "" || !relative.startsWith("..") && !path2.isAbsolute(relative);
-}
-function isRuntimeSourceFile(relativePath) {
-  const normalizedPath = relativePath.replace(/\\/g, "/");
-  const extension = path2.extname(normalizedPath);
-  const isCodeFile = [".ts", ".tsx", ".mts", ".cts", ".js", ".mjs", ".cjs"].includes(extension);
-  if (!isCodeFile) {
-    return false;
-  }
-  if (normalizedPath.includes("/__tests__/")) {
-    return false;
-  }
-  return !/\.(test|spec)\.[cm]?[jt]sx?$/.test(normalizedPath);
-}
-function parseToolEntry(entry) {
-  const separator = entry.indexOf("#");
-  const modulePath = separator < 0 ? entry : entry.slice(0, separator);
-  const exportName = separator < 0 ? void 0 : entry.slice(separator + 1);
-  if (modulePath.trim().length === 0) {
-    throw new Error(`Pack tool entry "${entry}" is missing a module path.`);
-  }
-  if (exportName !== void 0 && exportName.trim().length === 0) {
-    throw new Error(`Pack tool entry "${entry}" has an empty export fragment.`);
-  }
-  return {
-    modulePath,
-    exportName
-  };
-}
-function resolvePackToolEntryPath(packRoot, entry) {
-  const absolutePackRoot = path2.resolve(packRoot);
-  const { modulePath, exportName } = parseToolEntry(entry);
-  const absoluteModulePath = path2.resolve(absolutePackRoot, modulePath);
-  if (!isWithinRoot(absolutePackRoot, absoluteModulePath)) {
-    throw new Error(`Pack tool entry "${entry}" resolves outside pack root.`);
-  }
-  return exportName ? `${absoluteModulePath}#${exportName}` : absoluteModulePath;
-}
-function extractImportSpecifiers(sourceCode) {
-  const specifiers = /* @__PURE__ */ new Set();
-  for (const pattern of IMPORT_SPECIFIER_PATTERNS) {
-    const globalPattern = new RegExp(pattern.source, "g");
-    for (const match of sourceCode.matchAll(globalPattern)) {
-      if (match[1]) {
-        specifiers.add(match[1]);
-      }
-    }
-  }
-  return [...specifiers];
-}
-function isAllowedKernelImport(specifier) {
-  return specifier === "@lumenflow/kernel" || specifier.startsWith("@lumenflow/kernel/");
-}
-function validateImportSpecifier(options) {
-  const { specifier, sourceFilePath, packRoot } = options;
-  if (specifier.startsWith("node:")) {
-    return;
-  }
-  if (NODE_BUILTINS.has(specifier)) {
-    return;
-  }
-  if (isAllowedKernelImport(specifier)) {
-    return;
-  }
-  if (specifier.startsWith("@lumenflow/")) {
-    throw new Error(`Import "${specifier}" in ${sourceFilePath} is not allowed; only @lumenflow/kernel and Node built-ins are permitted.`);
-  }
-  if (path2.isAbsolute(specifier)) {
-    throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
-  }
-  if (specifier.startsWith(".")) {
-    const absoluteFilePath = path2.resolve(packRoot, sourceFilePath);
-    const resolvedImport = path2.resolve(path2.dirname(absoluteFilePath), specifier);
-    if (!isWithinRoot(packRoot, resolvedImport)) {
-      throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
-    }
-    return;
-  }
-  if (ALLOWED_BARE_IMPORT_SPECIFIERS.has(specifier)) {
-    return;
-  }
-  throw new Error(`Bare package import "${specifier}" in ${sourceFilePath} is not allowed; only relative imports, @lumenflow/kernel, and Node built-ins are permitted.`);
-}
-async function validatePackImportBoundaries(packRoot, hashExclusions) {
-  const files = await listPackFiles(packRoot, hashExclusions);
-  const candidateFiles = files.filter((relativePath) => isRuntimeSourceFile(relativePath));
-  for (const relativePath of candidateFiles) {
-    const sourceCode = await readFile2(path2.join(packRoot, relativePath), UTF8_ENCODING);
-    const importSpecifiers = extractImportSpecifiers(sourceCode);
-    for (const specifier of importSpecifiers) {
-      validateImportSpecifier({
-        specifier,
-        sourceFilePath: relativePath,
-        packRoot
-      });
-    }
-  }
-}
-function resolvePackPin(workspaceSpec, packId) {
-  const pin = workspaceSpec.packs.find((candidate) => candidate.id === packId);
-  if (!pin) {
-    throw new Error(`Pack "${packId}" is not present in workspace PackPin entries.`);
-  }
-  return pin;
-}
-var PackLoader = class {
-  packsRoot;
-  manifestFileName;
-  hashExclusions;
-  runtimeEnvironment;
-  allowDevIntegrityInProduction;
-  packCacheDir;
-  gitClient;
-  registryClient;
-  defaultRegistryUrl;
-  constructor(options) {
-    this.packsRoot = path2.resolve(options.packsRoot);
-    this.manifestFileName = options.manifestFileName || PACK_MANIFEST_FILE_NAME;
-    this.hashExclusions = options.hashExclusions;
-    this.runtimeEnvironment = options.runtimeEnvironment ?? process.env.NODE_ENV ?? "development";
-    this.allowDevIntegrityInProduction = options.allowDevIntegrityInProduction ?? false;
-    this.packCacheDir = options.packCacheDir ?? path2.join(homedir(), LUMENFLOW_DIR_NAME, PACK_CACHE_DIR_NAME);
-    this.gitClient = options.gitClient;
-    this.registryClient = options.registryClient;
-    this.defaultRegistryUrl = options.defaultRegistryUrl ?? DEFAULT_REGISTRY_URL;
-  }
-  async load(input) {
-    const pin = resolvePackPin(input.workspaceSpec, input.packId);
-    const packRoot = await this.resolvePackRoot(pin);
-    return this.loadFromDisk(pin, packRoot, input);
-  }
-  /**
-   * Resolve the pack root directory based on the pin source.
-   * For local packs, resolves relative to packsRoot.
-   * For git packs, clones/pulls to the pack cache and checks out the version tag.
-   * For registry packs, fetches metadata and downloads tarball to the pack cache.
-   */
-  async resolvePackRoot(pin) {
-    if (pin.source === "git") {
-      return this.resolveGitPackRoot(pin);
-    }
-    if (pin.source === "registry") {
-      return this.resolveRegistryPackRoot(pin);
-    }
-    return path2.resolve(this.packsRoot, pin.id);
-  }
-  /**
-   * Resolve a git-sourced pack by cloning or pulling to the pack cache,
-   * then checking out the version tag.
-   */
-  async resolveGitPackRoot(pin) {
-    if (!pin.url) {
-      throw new Error(`Pack "${pin.id}" has source: git but no url field. Add a url field to the PackPin to specify the git repository.`);
-    }
-    if (!this.gitClient) {
-      throw new Error(`Pack "${pin.id}" has source: git but no gitClient was provided to PackLoader. Pass a gitClient in PackLoaderOptions to load git-sourced packs.`);
-    }
-    const packCachePath = path2.join(this.packCacheDir, `${pin.id}@${pin.version}`);
-    await mkdir(this.packCacheDir, { recursive: true });
-    const alreadyCached = await this.gitClient.isRepo(packCachePath);
-    if (alreadyCached) {
-      await this.gitClient.pull(packCachePath);
-    } else {
-      await this.gitClient.clone(pin.url, packCachePath);
-    }
-    const versionTag = `${VERSION_TAG_PREFIX}${pin.version}`;
-    await this.gitClient.checkout(packCachePath, versionTag);
-    return packCachePath;
-  }
-  /**
-   * Resolve a registry-sourced pack by fetching metadata and downloading the tarball
-   * to the pack cache. Skips download if the pack is already cached.
-   */
-  async resolveRegistryPackRoot(pin) {
-    if (!this.registryClient) {
-      throw new Error(`Pack "${pin.id}" has source: registry but no registryClient was provided to PackLoader. Pass a registryClient in PackLoaderOptions to load registry-sourced packs.`);
-    }
-    const packCachePath = path2.join(this.packCacheDir, `${pin.id}@${pin.version}`);
-    await mkdir(this.packCacheDir, { recursive: true });
-    const manifestCachePath = path2.join(packCachePath, this.manifestFileName);
-    const alreadyCached = await access(manifestCachePath).then(() => true).catch(() => false);
-    if (!alreadyCached) {
-      const registryUrl = pin.registry_url ?? this.defaultRegistryUrl;
-      const metadata = await this.registryClient.fetchMetadata(pin.id, pin.version, registryUrl);
-      await this.registryClient.downloadTarball(metadata.tarball_url, packCachePath);
-    }
-    return packCachePath;
-  }
-  /**
-   * Load pack from a resolved on-disk directory.
-   * Handles manifest parsing, tool entry validation, import boundary checks,
-   * integrity verification, and dev-mode warnings.
-   */
-  async loadFromDisk(pin, packRoot, input) {
-    const manifestPath = path2.join(packRoot, this.manifestFileName);
-    const manifestRaw = await readFile2(manifestPath, UTF8_ENCODING);
-    const manifest = DomainPackManifestSchema.parse(YAML.parse(manifestRaw));
-    if (manifest.id !== pin.id) {
-      throw new Error(`Pack manifest id mismatch: expected ${pin.id}, got ${manifest.id}`);
-    }
-    if (manifest.version !== pin.version) {
-      throw new Error(`Pack manifest version mismatch: expected ${pin.version}, got ${manifest.version}`);
-    }
-    for (const tool of manifest.tools) {
-      resolvePackToolEntryPath(packRoot, tool.entry);
-    }
-    await validatePackImportBoundaries(packRoot, this.hashExclusions);
-    const integrity = await computeDeterministicPackHash({
-      packRoot,
-      exclusions: this.hashExclusions
-    });
-    if (pin.integrity === "dev") {
-      if (this.runtimeEnvironment === "production" && !this.allowDevIntegrityInProduction) {
-        throw new Error(`Pack ${pin.id}@${pin.version} uses integrity: dev is not allowed in production.`);
-      }
-      input.onWorkspaceWarning?.({
-        schema_version: 1,
-        kind: KERNEL_EVENT_KINDS.WORKSPACE_WARNING,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        message: `Pack ${pin.id}@${pin.version} loaded with integrity: dev (verification skipped).`
-      });
-      return {
-        pin,
-        manifest,
-        packRoot,
-        integrity
-      };
-    }
-    const expectedIntegrity = pin.integrity.startsWith(SHA256_INTEGRITY_PREFIX) ? pin.integrity.slice(SHA256_INTEGRITY_PREFIX.length) : pin.integrity;
-    if (integrity !== expectedIntegrity) {
-      throw new Error(`Pack integrity mismatch for ${pin.id}: expected ${expectedIntegrity}, got ${integrity}`);
-    }
-    return {
-      pin,
-      manifest,
-      packRoot,
-      integrity
-    };
-  }
-};
-
-// ../kernel/dist/pack/pack-manifest-resolver.js
-import path3 from "path";
-import { existsSync, readFileSync } from "fs";
-import { homedir as homedir2 } from "os";
-import YAML2 from "yaml";
-var PACK_CACHE_DIR_NAME2 = "pack-cache";
-var NODE_MODULES_DIR_NAME = "node_modules";
-var DEFAULT_PACK_CACHE_DIR = path3.join(homedir2(), LUMENFLOW_DIR_NAME, PACK_CACHE_DIR_NAME2);
-function resolveManifestPath(projectRoot, pack, packCacheDir) {
-  const source = pack.source;
-  if (source === "registry") {
-    return path3.join(projectRoot, NODE_MODULES_DIR_NAME, LUMENFLOW_SCOPE_NAME, PACKS_DIR_NAME, pack.id, PACK_MANIFEST_FILE_NAME);
-  }
-  if (source === "git") {
-    return path3.join(packCacheDir, `${pack.id}@${pack.version}`, PACK_MANIFEST_FILE_NAME);
-  }
-  if (pack.path) {
-    return path3.join(projectRoot, pack.path, PACK_MANIFEST_FILE_NAME);
-  }
-  return path3.join(projectRoot, PACKAGES_DIR_NAME, LUMENFLOW_SCOPE_NAME, PACKS_DIR_NAME, pack.id, PACK_MANIFEST_FILE_NAME);
-}
-function resolvePackManifestPaths(input) {
-  const result = /* @__PURE__ */ new Map();
-  const { projectRoot, packs, packCacheDir } = input;
-  if (!Array.isArray(packs)) {
-    return result;
-  }
-  const effectiveCacheDir = packCacheDir ?? DEFAULT_PACK_CACHE_DIR;
-  for (const pack of packs) {
-    if (!pack || typeof pack !== "object" || !("id" in pack)) {
-      continue;
-    }
-    const packId = String(pack.id);
-    const manifestPath = resolveManifestPath(projectRoot, { ...pack, id: packId }, effectiveCacheDir);
-    if (!manifestPath || !existsSync(manifestPath)) {
-      continue;
-    }
-    try {
-      const manifestContent = readFileSync(manifestPath, "utf8");
-      const manifest = YAML2.parse(manifestContent);
-      if (manifest && typeof manifest.config_key === "string") {
-        result.set(manifest.config_key, packId);
-      }
-    } catch {
-    }
-  }
-  return result;
-}
-function resolvePackSchemaMetadata(input) {
-  const result = /* @__PURE__ */ new Map();
-  const { projectRoot, packs, packCacheDir } = input;
-  if (!Array.isArray(packs)) {
-    return result;
-  }
-  const effectiveCacheDir = packCacheDir ?? DEFAULT_PACK_CACHE_DIR;
-  for (const pack of packs) {
-    if (!pack || typeof pack !== "object" || !("id" in pack)) {
-      continue;
-    }
-    const packId = String(pack.id);
-    const manifestPath = resolveManifestPath(projectRoot, { ...pack, id: packId }, effectiveCacheDir);
-    if (!manifestPath || !existsSync(manifestPath)) {
-      continue;
-    }
-    try {
-      const manifestContent = readFileSync(manifestPath, "utf8");
-      const manifest = YAML2.parse(manifestContent);
-      if (!manifest)
-        continue;
-      const configSchema = manifest.config_schema;
-      if (typeof configSchema === "string" && configSchema.length > 0) {
-        const packRoot = path3.dirname(manifestPath);
-        const schemaAbsPath = path3.join(packRoot, configSchema);
-        result.set(packId, { hasSchema: true, schemaPath: schemaAbsPath });
-      } else {
-        const configKey = manifest.config_key;
-        if (typeof configKey === "string") {
-          result.set(packId, { hasSchema: false });
-        }
-      }
-    } catch {
-    }
-  }
-  return result;
-}
-
-export {
-  KERNEL_EVENT_KINDS,
-  isTaskEventKind,
-  isRunLifecycleEventKind,
-  TOOL_TRACE_KINDS,
-  UTF8_ENCODING,
-  BASE64_ENCODING,
-  SHA256_ALGORITHM,
-  SHA256_HEX_REGEX,
-  SHA256_INTEGRITY_PREFIX,
-  WORKSPACE_FILE_NAME,
-  PACKS_DIR_NAME,
-  PACK_MANIFEST_FILE_NAME,
-  PACKAGES_DIR_NAME,
-  LUMENFLOW_SCOPE_NAME,
-  LUMENFLOW_DIR_NAME,
-  KERNEL_RUNTIME_ROOT_DIR_NAME,
-  KERNEL_RUNTIME_TASKS_DIR_NAME,
-  KERNEL_RUNTIME_EVENTS_DIR_NAME,
-  KERNEL_RUNTIME_EVIDENCE_DIR_NAME,
-  KERNEL_RUNTIME_EVENTS_FILE_NAME,
-  KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME,
-  RESERVED_FRAMEWORK_SCOPE_ROOT,
-  RESERVED_FRAMEWORK_SCOPE_PREFIX,
-  RESERVED_FRAMEWORK_SCOPE_GLOB,
-  DEFAULT_WORKSPACE_CONFIG_HASH,
-  DEFAULT_KERNEL_RUNTIME_VERSION,
-  WORKSPACE_CONFIG_HASH_CONTEXT_KEYS,
-  EXECUTION_METADATA_KEYS,
-  KERNEL_POLICY_IDS,
-  RUN_STATUSES,
-  TOOL_HANDLER_KINDS,
-  TOOL_ERROR_CODES,
-  ToolScopeSchema,
-  TaskSpecSchema,
-  RunSchema,
-  TaskStateSchema,
-  WorkspaceControlPlaneConfigSchema,
-  WorkspaceSpecSchema,
-  validateWorkspaceRootKeys,
-  KernelEventSchema,
-  ToolTraceEntrySchema,
-  ToolOutputSchema,
-  ExecutionContextSchema,
-  ToolCapabilitySchema,
-  computeDeterministicPackHash,
-  POLICY_TRIGGERS,
-  PolicyEngine,
-  isBroadWildcardScopePattern,
-  validateDomainPackToolSafety,
-  DomainPackManifestSchema,
-  resolvePackToolEntryPath,
-  validatePackImportBoundaries,
-  PackLoader,
-  resolvePackManifestPaths,
-  resolvePackSchemaMetadata
-};