npm - @lumenflow/cli - Versions diffs - 4.24.0 → 5.0.0 - Mend

@lumenflow/cli 4.24.0 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (294) hide show

package/README.md +54 -52
package/dist/agent-issues-query.js +10 -2
package/dist/agent-issues-query.js.map +1 -1
package/dist/agent-runtime-enrollment-events.js +44 -0
package/dist/agent-runtime-enrollment-events.js.map +1 -0
package/dist/agent-session-end.js +47 -0
package/dist/agent-session-end.js.map +1 -1
package/dist/agent-session-heartbeat.js +250 -0
package/dist/agent-session-heartbeat.js.map +1 -0
package/dist/agent-session.js +299 -5
package/dist/agent-session.js.map +1 -1
package/dist/capacity-snapshot-emitter.js +73 -0
package/dist/capacity-snapshot-emitter.js.map +1 -0
package/dist/claim-queue.js +276 -0
package/dist/claim-queue.js.map +1 -0
package/dist/config-set.js +22 -3
package/dist/config-set.js.map +1 -1
package/dist/control-plane-sidecar-runner.js +145 -0
package/dist/control-plane-sidecar-runner.js.map +1 -0
package/dist/delegation-list.js +160 -1
package/dist/delegation-list.js.map +1 -1
package/dist/delegation-role-resolver.js +69 -0
package/dist/delegation-role-resolver.js.map +1 -0
package/dist/docs-generate-pack-reference.js +500 -0
package/dist/docs-generate-pack-reference.js.map +1 -0
package/dist/docs-sync.js +116 -1
package/dist/docs-sync.js.map +1 -1
package/dist/file-edit.js +28 -8
package/dist/file-edit.js.map +1 -1
package/dist/file-write.js +29 -5
package/dist/file-write.js.map +1 -1
package/dist/gate-co-change.js +25 -7
package/dist/gate-co-change.js.map +1 -1
package/dist/gate-conditional.js +19 -7
package/dist/gate-conditional.js.map +1 -1
package/dist/gates-runners.js +42 -33
package/dist/gates-runners.js.map +1 -1
package/dist/gates-utils.js +34 -20
package/dist/gates-utils.js.map +1 -1
package/dist/gates.js +79 -7
package/dist/gates.js.map +1 -1
package/dist/hooks/config-resolver.js +10 -1
package/dist/hooks/config-resolver.js.map +1 -1
package/dist/init-package-config.js +1 -1
package/dist/init-package-config.js.map +1 -1
package/dist/init-scaffolding.js +5 -1
package/dist/init-scaffolding.js.map +1 -1
package/dist/init-templates.js +10 -0
package/dist/init-templates.js.map +1 -1
package/dist/init.js +1 -1
package/dist/init.js.map +1 -1
package/dist/initiative-create.js +17 -0
package/dist/initiative-create.js.map +1 -1
package/dist/initiative-remove-wu.js +17 -3
package/dist/initiative-remove-wu.js.map +1 -1
package/dist/kernel-event-sync/emitters.js +104 -0
package/dist/kernel-event-sync/emitters.js.map +1 -0
package/dist/kernel-event-sync/index.js +13 -0
package/dist/kernel-event-sync/index.js.map +1 -0
package/dist/kernel-event-sync/lifecycle-emitters.js +160 -0
package/dist/kernel-event-sync/lifecycle-emitters.js.map +1 -0
package/dist/kernel-event-sync/narrow-emissions.js +89 -0
package/dist/kernel-event-sync/narrow-emissions.js.map +1 -0
package/dist/kernel-event-sync/software-delivery-emitters.js +297 -0
package/dist/kernel-event-sync/software-delivery-emitters.js.map +1 -0
package/dist/lane-lock.js +14 -1
package/dist/lane-lock.js.map +1 -1
package/dist/lane-suggest.js +21 -0
package/dist/lane-suggest.js.map +1 -1
package/dist/lumenflow-upgrade.js +7 -5
package/dist/lumenflow-upgrade.js.map +1 -1
package/dist/mem-context.js +145 -0
package/dist/mem-context.js.map +1 -1
package/dist/mem-create.js +39 -6
package/dist/mem-create.js.map +1 -1
package/dist/mem-inbox.js +16 -0
package/dist/mem-inbox.js.map +1 -1
package/dist/mem-roster.js +95 -0
package/dist/mem-roster.js.map +1 -0
package/dist/mem-signal.js +97 -2
package/dist/mem-signal.js.map +1 -1
package/dist/metrics-snapshot.js +3 -2
package/dist/metrics-snapshot.js.map +1 -1
package/dist/orchestrate-init-status.js +117 -2
package/dist/orchestrate-init-status.js.map +1 -1
package/dist/orchestrate-initiative.js +83 -10
package/dist/orchestrate-initiative.js.map +1 -1
package/dist/orchestrate-monitor-quality.js +289 -0
package/dist/orchestrate-monitor-quality.js.map +1 -0
package/dist/orchestrate-monitor.js +85 -0
package/dist/orchestrate-monitor.js.map +1 -1
package/dist/pack-validate.js +127 -2
package/dist/pack-validate.js.map +1 -1
package/dist/plan-create.js +18 -0
package/dist/plan-create.js.map +1 -1
package/dist/plan-link.js +13 -0
package/dist/plan-link.js.map +1 -1
package/dist/plan-promote.js +14 -0
package/dist/plan-promote.js.map +1 -1
package/dist/pre-commit-check.js +4 -3
package/dist/pre-commit-check.js.map +1 -1
package/dist/public-manifest.js +17 -3
package/dist/public-manifest.js.map +1 -1
package/dist/release.js +10 -10
package/dist/release.js.map +1 -1
package/dist/session-cross-link.js +139 -0
package/dist/session-cross-link.js.map +1 -0
package/dist/sidecar-manager.js +208 -0
package/dist/sidecar-manager.js.map +1 -0
package/dist/state-path-resolvers.js +18 -0
package/dist/state-path-resolvers.js.map +1 -1
package/dist/stream-heartbeat.js +151 -0
package/dist/stream-heartbeat.js.map +1 -0
package/dist/sync-templates.js +56 -2
package/dist/sync-templates.js.map +1 -1
package/dist/wu-block.js +47 -5
package/dist/wu-block.js.map +1 -1
package/dist/wu-claim-branch.js +8 -4
package/dist/wu-claim-branch.js.map +1 -1
package/dist/wu-claim-state.js +5 -3
package/dist/wu-claim-state.js.map +1 -1
package/dist/wu-claim-worktree.js +5 -3
package/dist/wu-claim-worktree.js.map +1 -1
package/dist/wu-claim.js +261 -9
package/dist/wu-claim.js.map +1 -1
package/dist/wu-done-auto-cleanup.js +3 -2
package/dist/wu-done-auto-cleanup.js.map +1 -1
package/dist/wu-done-git-ops.js +12 -8
package/dist/wu-done-git-ops.js.map +1 -1
package/dist/wu-done-preflight.js +3 -3
package/dist/wu-done-preflight.js.map +1 -1
package/dist/wu-done.js +46 -10
package/dist/wu-done.js.map +1 -1
package/dist/wu-lifecycle-sync/gate-scope-resolver.js +16 -0
package/dist/wu-lifecycle-sync/gate-scope-resolver.js.map +1 -0
package/dist/wu-lifecycle-sync/kernel-event-sync-shim.js +10 -0
package/dist/wu-lifecycle-sync/kernel-event-sync-shim.js.map +1 -0
package/dist/wu-prep.js +363 -22
package/dist/wu-prep.js.map +1 -1
package/dist/wu-prune.js +68 -27
package/dist/wu-prune.js.map +1 -1
package/dist/wu-release.js +34 -3
package/dist/wu-release.js.map +1 -1
package/dist/wu-review.js +167 -0
package/dist/wu-review.js.map +1 -0
package/dist/wu-spawn-prompt-builders.js +296 -40
package/dist/wu-spawn-prompt-builders.js.map +1 -1
package/dist/wu-spawn-strategy-resolver.js +126 -14
package/dist/wu-spawn-strategy-resolver.js.map +1 -1
package/dist/wu-unblock.js +52 -22
package/dist/wu-unblock.js.map +1 -1
package/package.json +13 -8
package/packs/agent-runtime/.turbo/turbo-build.log +1 -1
package/packs/agent-runtime/.turbo/turbo-test.log +25 -0
package/packs/agent-runtime/.turbo/turbo-typecheck.log +4 -0
package/packs/agent-runtime/agent-heartbeat.ts +163 -0
package/packs/agent-runtime/auto-session-integration.ts +874 -0
package/packs/agent-runtime/delegation-registry-schema.ts +220 -0
package/packs/agent-runtime/delegation-registry-store.ts +269 -0
package/packs/agent-runtime/delegation-tree.ts +328 -0
package/packs/agent-runtime/index.ts +9 -0
package/packs/agent-runtime/manifest.ts +103 -19
package/packs/agent-runtime/manifest.yaml +132 -0
package/packs/agent-runtime/memory-coordination-contract.ts +86 -0
package/packs/agent-runtime/memory.d.ts +19 -0
package/packs/agent-runtime/orchestration.ts +238 -23
package/packs/agent-runtime/package.json +11 -2
package/packs/agent-runtime/remote-controls/index.ts +7 -0
package/packs/agent-runtime/remote-controls/operations.ts +399 -0
package/packs/agent-runtime/remote-controls/port.ts +48 -0
package/packs/agent-runtime/remote-controls/state-store.ts +258 -0
package/packs/agent-runtime/remote-controls/types.ts +105 -0
package/packs/agent-runtime/session-schema.ts +423 -0
package/packs/agent-runtime/tool-impl/index.ts +1 -0
package/packs/agent-runtime/tool-impl/remote-controls.mock.ts +252 -0
package/packs/agent-runtime/tool-impl/remote-controls.ts +273 -0
package/packs/agent-runtime/tsconfig.json +1 -1
package/packs/agent-runtime/turn-lifecycle-events.ts +501 -0
package/packs/sidekick/.lumenflow/state/conductor/outbox/sidekick-events.jsonl +213 -0
package/packs/sidekick/.turbo/turbo-build.log +1 -1
package/packs/sidekick/.turbo/turbo-test.log +25 -0
package/packs/sidekick/.turbo/turbo-typecheck.log +4 -0
package/packs/sidekick/channel-ingress.ts +137 -0
package/packs/sidekick/manifest.ts +74 -0
package/packs/sidekick/manifest.yaml +88 -0
package/packs/sidekick/package.json +3 -1
package/packs/sidekick/sidekick-events.ts +517 -0
package/packs/sidekick/src/adapters/cloud-queue.ts +101 -0
package/packs/sidekick/src/adapters/control-plane-bridge.adapter.ts +378 -0
package/packs/sidekick/src/adapters/filesystem-bridge.adapter.ts +224 -0
package/packs/sidekick/src/domain/channel.types.ts +84 -0
package/packs/sidekick/src/ports/channel-bridge.port.ts +75 -0
package/packs/sidekick/src/routines/commit.ts +74 -0
package/packs/sidekick/tool-impl/channel-tools.ts +47 -0
package/packs/sidekick/tool-impl/memory-tools.ts +17 -0
package/packs/sidekick/tool-impl/routine-commit.ts +102 -0
package/packs/sidekick/tool-impl/routine-tools.ts +67 -7
package/packs/sidekick/tool-impl/runtime-context.ts +4 -0
package/packs/sidekick/tool-impl/storage.ts +3 -0
package/packs/sidekick/tool-impl/system-tools.ts +7 -0
package/packs/sidekick/tool-impl/task-tools.ts +46 -0
package/packs/sidekick/tsconfig.json +1 -1
package/packs/software-delivery/.turbo/turbo-build.log +1 -1
package/packs/software-delivery/.turbo/turbo-test.log +63 -0
package/packs/software-delivery/.turbo/turbo-typecheck.log +4 -0
package/packs/software-delivery/manifest-schema.ts +30 -0
package/packs/software-delivery/manifest.ts +99 -1
package/packs/software-delivery/manifest.yaml +46 -0
package/packs/software-delivery/package.json +88 -3
package/packs/software-delivery/src/commands/index.ts +5 -0
package/packs/software-delivery/src/config/delivery-review-contract.ts +20 -0
package/packs/software-delivery/src/config/env-accessors.ts +19 -0
package/packs/software-delivery/src/config/index.ts +8 -0
package/packs/software-delivery/src/config/normalize-config-keys.ts +19 -0
package/packs/software-delivery/src/config/schemas/lumenflow-config-schema-types.ts +436 -0
package/packs/software-delivery/src/config/workspace-reader.ts +310 -0
package/packs/software-delivery/src/constants/backlog-patterns.ts +31 -0
package/packs/software-delivery/src/constants/client-ids.ts +19 -0
package/packs/software-delivery/src/constants/config-contract.ts +7 -0
package/packs/software-delivery/src/constants/docs-layout-presets.ts +50 -0
package/packs/software-delivery/src/constants/duration-constants.ts +20 -0
package/packs/software-delivery/src/constants/gate-constants.ts +32 -0
package/packs/software-delivery/src/constants/index.ts +29 -0
package/packs/software-delivery/src/constants/lock-constants.ts +35 -0
package/packs/software-delivery/src/constants/object-guards.ts +12 -0
package/packs/software-delivery/src/constants/section-headings.ts +107 -0
package/packs/software-delivery/src/constants/wu-cli-constants.ts +485 -0
package/packs/software-delivery/src/constants/wu-domain-constants.ts +466 -0
package/packs/software-delivery/src/constants/wu-git-constants.ts +7 -0
package/packs/software-delivery/src/constants/wu-id-format.ts +327 -0
package/packs/software-delivery/src/constants/wu-paths-constants.ts +358 -0
package/packs/software-delivery/src/constants/wu-statuses.ts +287 -0
package/packs/software-delivery/src/constants/wu-type-helpers.ts +67 -0
package/packs/software-delivery/src/constants/wu-ui-constants.ts +267 -0
package/packs/software-delivery/src/constants/wu-validation-constants.ts +73 -0
package/packs/software-delivery/src/domain/index.ts +5 -0
package/packs/software-delivery/src/domain/orchestration.constants.ts +168 -0
package/packs/software-delivery/src/domain/orchestration.schemas.ts +239 -0
package/packs/software-delivery/src/domain/orchestration.types.ts +178 -0
package/packs/software-delivery/src/methodology/incremental-test.ts +90 -0
package/packs/software-delivery/src/methodology/index.ts +6 -0
package/packs/software-delivery/src/methodology/manual-test-validator.ts +292 -0
package/packs/software-delivery/src/policy/coverage-gate.ts +270 -0
package/packs/software-delivery/src/policy/gates-agent-mode.ts +223 -0
package/packs/software-delivery/src/policy/gates-config-internal.ts +121 -0
package/packs/software-delivery/src/policy/gates-config.ts +293 -0
package/packs/software-delivery/src/policy/gates-coverage.ts +247 -0
package/packs/software-delivery/src/policy/gates-presets.ts +134 -0
package/packs/software-delivery/src/policy/gates-schemas.ts +173 -0
package/packs/software-delivery/src/policy/index.ts +22 -0
package/packs/software-delivery/src/policy/package-manager-resolver.ts +319 -0
package/packs/software-delivery/src/policy/resolve-policy.ts +518 -0
package/packs/software-delivery/src/ports/config.ports.ts +90 -0
package/packs/software-delivery/src/ports/dashboard-renderer.port.ts +125 -0
package/packs/software-delivery/src/ports/index.ts +10 -0
package/packs/software-delivery/src/ports/sync-validator.ports.ts +59 -0
package/packs/software-delivery/src/ports/wu-helpers.ports.ts +168 -0
package/packs/software-delivery/src/ports/wu-state.ports.ts +241 -0
package/packs/software-delivery/src/primitives/index.ts +5 -0
package/packs/software-delivery/src/runtime/index.ts +6 -0
package/packs/software-delivery/src/runtime/work-classifier.ts +561 -0
package/packs/software-delivery/src/sandbox/index.ts +10 -0
package/packs/software-delivery/src/sandbox/sandbox-allowlist.ts +118 -0
package/packs/software-delivery/src/sandbox/sandbox-backend-linux.ts +88 -0
package/packs/software-delivery/src/sandbox/sandbox-backend-macos.ts +154 -0
package/packs/software-delivery/src/sandbox/sandbox-backend-windows.ts +47 -0
package/packs/software-delivery/src/sandbox/sandbox-profile.ts +153 -0
package/packs/software-delivery/src/schemas/index.ts +5 -0
package/packs/software-delivery/src/state/date-utils.ts +158 -0
package/packs/software-delivery/src/state/index.ts +15 -0
package/packs/software-delivery/src/state/state-machine.ts +119 -0
package/packs/software-delivery/src/state/wu-doc-types.ts +51 -0
package/packs/software-delivery/src/state/wu-paths.ts +381 -0
package/packs/software-delivery/src/state/wu-schema.ts +1139 -0
package/packs/software-delivery/src/state/wu-state-schema.ts +255 -0
package/packs/software-delivery/src/state/wu-yaml.ts +338 -0
package/packs/software-delivery/src/types.d.ts +16 -0
package/packs/software-delivery/tool-impl/wu-lifecycle-tools.ts +18 -0
package/packs/software-delivery/tsconfig.json +28 -2
package/templates/core/AGENTS.md.template +76 -17
package/templates/core/LUMENFLOW.md.template +265 -66
package/templates/core/_frameworks/lumenflow/wu-sizing-guide.md.template +180 -116
package/templates/core/ai/onboarding/agent-invocation-guide.md.template +26 -8
package/templates/core/ai/onboarding/existing-project-bootstrap.md.template +171 -0
package/templates/core/ai/onboarding/first-15-mins.md.template +3 -1
package/templates/core/ai/onboarding/first-wu-mistakes.md.template +1 -1
package/templates/core/ai/onboarding/initiative-orchestration.md.template +46 -30
package/templates/core/ai/onboarding/quick-ref-commands.md.template +36 -33
package/templates/core/ai/onboarding/release-process.md.template +8 -7
package/templates/core/ai/onboarding/starting-prompt.md.template +2 -0
package/templates/core/ai/onboarding/troubleshooting-wu-done.md.template +62 -0
package/templates/vendors/claude/.claude/CLAUDE.md.template +29 -54
package/templates/vendors/cursor/.cursor/rules/lumenflow.md.template +24 -52
package/templates/vendors/windsurf/.windsurf/rules/lumenflow.md.template +24 -52

package/packs/software-delivery/src/sandbox/sandbox-backend-linux.ts ADDED Viewed

@@ -0,0 +1,88 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import { spawnSync } from 'node:child_process';
+import {
+  SANDBOX_BACKEND_IDS,
+  type SandboxBackend,
+  type SandboxExecutionPlan,
+  type SandboxExecutionRequest,
+} from './sandbox-profile.js';
+export interface LinuxSandboxBackendOptions {
+  commandExists?: (binary: string) => boolean;
+}
+const LINUX_SANDBOX_BINARY = 'bwrap';
+function defaultCommandExists(binary: string): boolean {
+  const probe = spawnSync(binary, ['--help'], { stdio: 'ignore' });
+  return !probe.error;
+}
+function buildUnavailablePlan(request: SandboxExecutionRequest): SandboxExecutionPlan {
+  if (request.allowUnsandboxedFallback) {
+    return {
+      backendId: SANDBOX_BACKEND_IDS.LINUX,
+      enforced: false,
+      failClosed: false,
+      warning:
+        'Running unsandboxed because bwrap is unavailable and fallback was explicitly enabled.',
+    };
+  }
+  return {
+    backendId: SANDBOX_BACKEND_IDS.LINUX,
+    enforced: false,
+    failClosed: true,
+    reason: 'Linux sandbox backend unavailable: required binary "bwrap" was not found.',
+  };
+}
+function buildInvocation(request: SandboxExecutionRequest) {
+  const writableBinds = request.profile.allowlist.writableRoots.flatMap((entry) => [
+    '--bind',
+    entry.normalizedPath,
+    entry.normalizedPath,
+  ]);
+  return {
+    command: LINUX_SANDBOX_BINARY,
+    args: [
+      '--die-with-parent',
+      '--new-session',
+      '--ro-bind',
+      '/',
+      '/',
+      ...writableBinds,
+      '--proc',
+      '/proc',
+      '--dev',
+      '/dev',
+      '--',
+      ...request.command,
+    ],
+  };
+}
+export function createLinuxSandboxBackend(
+  options: LinuxSandboxBackendOptions = {},
+): SandboxBackend {
+  const commandExists = options.commandExists || defaultCommandExists;
+  return {
+    id: SANDBOX_BACKEND_IDS.LINUX,
+    resolveExecution(request: SandboxExecutionRequest): SandboxExecutionPlan {
+      if (!commandExists(LINUX_SANDBOX_BINARY)) {
+        return buildUnavailablePlan(request);
+      }
+      return {
+        backendId: SANDBOX_BACKEND_IDS.LINUX,
+        enforced: true,
+        failClosed: false,
+        invocation: buildInvocation(request),
+      };
+    },
+  };
+}

package/packs/software-delivery/src/sandbox/sandbox-backend-macos.ts ADDED Viewed

@@ -0,0 +1,154 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import { spawnSync } from 'node:child_process';
+import os from 'node:os';
+import {
+  SANDBOX_BACKEND_IDS,
+  type SandboxBackend,
+  type SandboxExecutionPlan,
+  type SandboxExecutionRequest,
+} from './sandbox-profile.js';
+export interface MacosSandboxBackendOptions {
+  commandExists?: (binary: string) => boolean;
+}
+const MACOS_SANDBOX_BINARY = 'sandbox-exec';
+function defaultCommandExists(binary: string): boolean {
+  const probe = spawnSync(binary, ['-h'], { stdio: 'ignore' });
+  return !probe.error;
+}
+function escapePolicyPath(targetPath: string): string {
+  return targetPath.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+function buildNetworkRules(profile: SandboxExecutionRequest['profile']): string[] {
+  const posture = profile.networkPosture ?? 'full';
+  if (posture === 'off') {
+    return ['(deny network*)'];
+  }
+  if (posture === 'allowlist') {
+    const rules: string[] = ['(deny network*)'];
+    for (const host of profile.networkAllowlist) {
+      rules.push(`(allow network-outbound (remote ip "${host}"))`);
+    }
+    return rules;
+  }
+  // posture === 'full'
+  return ['(allow network*)'];
+}
+/** macOS system paths required for process execution (parity with bwrap --ro-bind /) */
+const MACOS_SYSTEM_READ_PATHS = [
+  '/usr',
+  '/System',
+  '/Library',
+  '/bin',
+  '/sbin',
+  '/private',
+  '/dev',
+  '/tmp',
+];
+/** Sensitive paths denied from read access (parity with bwrap deny overlays) */
+const SENSITIVE_DENY_PATHS = ['.ssh', '.aws', '.gnupg'];
+function buildReadRules(profile: SandboxExecutionRequest['profile']): string[] {
+  const readPaths = new Set<string>();
+  // Workspace root (covers worktree, state, WU YAML)
+  readPaths.add(profile.projectRoot);
+  // System paths required for process execution
+  for (const systemPath of MACOS_SYSTEM_READ_PATHS) {
+    readPaths.add(systemPath);
+  }
+  // Temp path from profile
+  readPaths.add(profile.tempPath);
+  return [...readPaths].map(
+    (readPath) => `(allow file-read* (subpath "${escapePolicyPath(readPath)}"))`,
+  );
+}
+function buildDenyOverlays(): string[] {
+  const homeDir = os.homedir();
+  return SENSITIVE_DENY_PATHS.map(
+    (sensitivePath) =>
+      `(deny file-read* (subpath "${escapePolicyPath(homeDir)}/${sensitivePath}"))`,
+  );
+}
+function buildPolicy(profile: SandboxExecutionRequest['profile']): string {
+  const writableRules = profile.allowlist.writableRoots.map(
+    (entry) => `(allow file-write* (subpath "${escapePolicyPath(entry.normalizedPath)}"))`,
+  );
+  return [
+    '(version 1)',
+    '(deny default)',
+    '(allow process*)',
+    ...buildReadRules(profile),
+    ...buildDenyOverlays(),
+    '(allow sysctl-read)',
+    '(allow mach-lookup)',
+    ...buildNetworkRules(profile),
+    '(allow signal)',
+    ...writableRules,
+  ].join(' ');
+}
+function buildUnavailablePlan(request: SandboxExecutionRequest): SandboxExecutionPlan {
+  if (request.allowUnsandboxedFallback) {
+    return {
+      backendId: SANDBOX_BACKEND_IDS.MACOS,
+      enforced: false,
+      failClosed: false,
+      warning:
+        'Running unsandboxed because sandbox-exec is unavailable and fallback was explicitly enabled.',
+    };
+  }
+  return {
+    backendId: SANDBOX_BACKEND_IDS.MACOS,
+    enforced: false,
+    failClosed: true,
+    reason: 'macOS sandbox backend unavailable: required binary "sandbox-exec" was not found.',
+  };
+}
+function buildInvocation(request: SandboxExecutionRequest) {
+  return {
+    command: MACOS_SANDBOX_BINARY,
+    args: ['-p', buildPolicy(request.profile), ...request.command],
+  };
+}
+export function createMacosSandboxBackend(
+  options: MacosSandboxBackendOptions = {},
+): SandboxBackend {
+  const commandExists = options.commandExists || defaultCommandExists;
+  return {
+    id: SANDBOX_BACKEND_IDS.MACOS,
+    resolveExecution(request: SandboxExecutionRequest): SandboxExecutionPlan {
+      if (!commandExists(MACOS_SANDBOX_BINARY)) {
+        return buildUnavailablePlan(request);
+      }
+      return {
+        backendId: SANDBOX_BACKEND_IDS.MACOS,
+        enforced: true,
+        failClosed: false,
+        invocation: buildInvocation(request),
+      };
+    },
+  };
+}

package/packs/software-delivery/src/sandbox/sandbox-backend-windows.ts ADDED Viewed

@@ -0,0 +1,47 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import {
+  SANDBOX_BACKEND_IDS,
+  type SandboxBackend,
+  type SandboxExecutionPlan,
+  type SandboxExecutionRequest,
+} from './sandbox-profile.js';
+export interface WindowsSandboxBackendOptions {
+  commandExists?: (binary: string) => boolean;
+}
+const WINDOWS_ENFORCEMENT_UNAVAILABLE_REASON =
+  'Windows sandbox backend unavailable: write enforcement is not yet available on Windows.';
+const WINDOWS_ENFORCEMENT_UNAVAILABLE_WARNING =
+  'Running unsandboxed because write enforcement is not yet available on Windows and fallback was explicitly enabled.';
+function buildNotImplementedPlan(request: SandboxExecutionRequest): SandboxExecutionPlan {
+  if (request.allowUnsandboxedFallback) {
+    return {
+      backendId: SANDBOX_BACKEND_IDS.WINDOWS,
+      enforced: false,
+      failClosed: false,
+      warning: WINDOWS_ENFORCEMENT_UNAVAILABLE_WARNING,
+    };
+  }
+  return {
+    backendId: SANDBOX_BACKEND_IDS.WINDOWS,
+    enforced: false,
+    failClosed: true,
+    reason: WINDOWS_ENFORCEMENT_UNAVAILABLE_REASON,
+  };
+}
+export function createWindowsSandboxBackend(
+  _options: WindowsSandboxBackendOptions = {},
+): SandboxBackend {
+  return {
+    id: SANDBOX_BACKEND_IDS.WINDOWS,
+    resolveExecution(request: SandboxExecutionRequest): SandboxExecutionPlan {
+      return buildNotImplementedPlan(request);
+    },
+  };
+}

package/packs/software-delivery/src/sandbox/sandbox-profile.ts ADDED Viewed

@@ -0,0 +1,153 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import os from 'node:os';
+import path from 'node:path';
+import {
+  buildSandboxAllowlist,
+  type SandboxAllowlist,
+  type BuildSandboxAllowlistInput,
+} from './sandbox-allowlist.js';
+import { LUMENFLOW_PATHS } from '../constants/wu-paths-constants.js';
+import { createWuPaths } from '../state/wu-paths.js';
+export const SANDBOX_BACKEND_IDS = {
+  LINUX: 'linux',
+  MACOS: 'macos',
+  WINDOWS: 'windows',
+  UNSUPPORTED: 'unsupported',
+} as const;
+export type SandboxBackendId = (typeof SANDBOX_BACKEND_IDS)[keyof typeof SANDBOX_BACKEND_IDS];
+export type SandboxNetworkPosture = 'off' | 'allowlist' | 'full';
+export interface SandboxProfile {
+  projectRoot: string;
+  worktreePath: string;
+  wuId: string;
+  wuYamlPath: string;
+  statePath: string;
+  tempPath: string;
+  allowlist: SandboxAllowlist;
+  networkPosture: SandboxNetworkPosture;
+  networkAllowlist: string[];
+}
+export interface BuildSandboxProfileInput {
+  projectRoot: string;
+  worktreePath: string;
+  wuId: string;
+  tempPath?: string;
+  extraWritableRoots?: string[];
+  networkPosture?: SandboxNetworkPosture;
+  networkAllowlist?: string[];
+}
+export interface SandboxBackendResolution {
+  id: SandboxBackendId;
+  platform: NodeJS.Platform | string;
+  supported: boolean;
+}
+export interface SandboxInvocation {
+  command: string;
+  args: string[];
+}
+export interface SandboxExecutionRequest {
+  profile: SandboxProfile;
+  command: string[];
+  allowUnsandboxedFallback: boolean;
+}
+export interface SandboxExecutionPlan {
+  backendId: SandboxBackendId;
+  enforced: boolean;
+  failClosed: boolean;
+  invocation?: SandboxInvocation;
+  reason?: string;
+  warning?: string;
+}
+export interface SandboxBackend {
+  id: SandboxBackendId;
+  resolveExecution: (request: SandboxExecutionRequest) => SandboxExecutionPlan;
+}
+function resolveWorktreePath(projectRoot: string, worktreePath: string): string {
+  if (path.isAbsolute(worktreePath)) {
+    return path.resolve(worktreePath);
+  }
+  return path.resolve(projectRoot, worktreePath);
+}
+function buildDefaultWritableRoots(profile: {
+  worktreePath: string;
+  statePath: string;
+  wuYamlPath: string;
+  tempPath: string;
+}): string[] {
+  return [profile.worktreePath, profile.statePath, profile.wuYamlPath, profile.tempPath];
+}
+export function buildSandboxProfile(input: BuildSandboxProfileInput): SandboxProfile {
+  const projectRoot = path.resolve(input.projectRoot);
+  const worktreePath = resolveWorktreePath(projectRoot, input.worktreePath);
+  const wuYamlPath = path.resolve(projectRoot, createWuPaths({ projectRoot }).WU(input.wuId));
+  const statePath = path.resolve(projectRoot, LUMENFLOW_PATHS.STATE_DIR);
+  const tempPath = path.resolve(input.tempPath || os.tmpdir());
+  const writableRoots = buildDefaultWritableRoots({
+    worktreePath,
+    statePath,
+    wuYamlPath,
+    tempPath,
+  });
+  if (input.extraWritableRoots && input.extraWritableRoots.length > 0) {
+    writableRoots.push(...input.extraWritableRoots);
+  }
+  const allowlistInput: BuildSandboxAllowlistInput = {
+    projectRoot,
+    writableRoots,
+  };
+  const allowlist = buildSandboxAllowlist(allowlistInput);
+  const networkPosture: SandboxNetworkPosture = input.networkPosture ?? 'full';
+  const networkAllowlist: string[] =
+    networkPosture === 'allowlist' && input.networkAllowlist ? [...input.networkAllowlist] : [];
+  return {
+    projectRoot,
+    worktreePath,
+    wuId: input.wuId,
+    wuYamlPath,
+    statePath,
+    tempPath,
+    allowlist,
+    networkPosture,
+    networkAllowlist,
+  };
+}
+export function resolveSandboxBackendForPlatform(
+  platform: NodeJS.Platform | string = process.platform,
+): SandboxBackendResolution {
+  if (platform === 'linux') {
+    return { id: SANDBOX_BACKEND_IDS.LINUX, platform, supported: true };
+  }
+  if (platform === 'darwin') {
+    return { id: SANDBOX_BACKEND_IDS.MACOS, platform, supported: true };
+  }
+  if (platform === 'win32') {
+    return { id: SANDBOX_BACKEND_IDS.WINDOWS, platform, supported: true };
+  }
+  return { id: SANDBOX_BACKEND_IDS.UNSUPPORTED, platform, supported: false };
+}

package/packs/software-delivery/src/schemas/index.ts ADDED Viewed

@@ -0,0 +1,5 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+// Barrel for pack-static-data schemas. Populated by Layer 2 of INIT-058.
+export {};

package/packs/software-delivery/src/state/date-utils.ts ADDED Viewed

@@ -0,0 +1,158 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+/**
+ * @file date-utils.ts
+ * @description Date formatting utilities using date-fns library
+ * WU-1082: Extract shared utilities (eliminate date formatting duplication)
+ *
+ * Replaces manual date formatting in:
+ * - tools/wu-block.ts (todayISO)
+ * - tools/wu-unblock.ts (todayISO)
+ * - tools/wu-done.ts (todayISO - already uses date-fns)
+ */
+import { format } from 'date-fns';
+/**
+ * Get current date in ISO format (YYYY-MM-DD)
+ * @returns {string} Current date in YYYY-MM-DD format
+ * @example
+ * todayISO(); // "2025-11-12"
+ */
+export function todayISO() {
+  return format(new Date(), 'yyyy-MM-dd');
+}
+/**
+ * Format a date with a custom format string
+ * @param {Date|string|number} date - Date to format
+ * @param {string} formatString - date-fns format string
+ * @returns {string} Formatted date string
+ * @example
+ * formatDate(new Date(), 'yyyy-MM-dd HH:mm:ss');
+ * formatDate('2025-11-12', 'MMMM d, yyyy'); // "November 12, 2025"
+ */
+export function formatDate(date: Date | string | number, formatString: string) {
+  return format(new Date(date), formatString);
+}
+/**
+ * Date format constant for YYYY-MM-DD
+ * @constant {string}
+ */
+const DATE_FORMAT_ISO = 'yyyy-MM-dd';
+/**
+ * Normalize a Date object or ISO timestamp string to YYYY-MM-DD format
+ *
+ * WU-1442: Fix date corruption when js-yaml parses YYYY-MM-DD as Date objects
+ * Library-First: Uses date-fns for date formatting (no manual parsing)
+ *
+ * Use case: js-yaml parses `created: 2025-12-04` (unquoted) as a Date object.
+ * When yaml.dump() serializes it back, it outputs `2025-12-04T00:00:00.000Z`.
+ * This function normalizes Date objects back to YYYY-MM-DD string format.
+ *
+ * Handles:
+ * - Date objects → YYYY-MM-DD string
+ * - ISO timestamp strings → YYYY-MM-DD string (date portion)
+ * - YYYY-MM-DD strings → preserved as-is
+ * - undefined/null → preserved as undefined
+ *
+ * @param {Date|string|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} Date in YYYY-MM-DD format or undefined
+ *
+ * @example
+ * normalizeToDateString(new Date('2025-12-04')); // '2025-12-04'
+ * normalizeToDateString('2025-12-04T00:00:00.000Z'); // '2025-12-04'
+ * normalizeToDateString('2025-12-04'); // '2025-12-04'
+ * normalizeToDateString(undefined); // undefined
+ */
+export function normalizeToDateString(value: unknown) {
+  // Preserve undefined/null
+  if (value == null) {
+    return undefined;
+  }
+  // If already a YYYY-MM-DD string, return as-is
+  if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    return value;
+  }
+  // Convert Date objects or timestamp strings to YYYY-MM-DD
+  if (value instanceof Date) {
+    return format(value, DATE_FORMAT_ISO);
+  }
+  // Handle ISO timestamp strings (e.g., '2025-12-04T00:00:00.000Z')
+  if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}T/.test(value)) {
+    return format(new Date(value), DATE_FORMAT_ISO);
+  }
+  // Fallback: try to parse and format (coerce to string for Date constructor)
+  try {
+    const date = new Date(String(value));
+    if (!isNaN(date.getTime())) {
+      return format(date, DATE_FORMAT_ISO);
+    }
+  } catch {
+    // Invalid date - return undefined
+  }
+  return undefined;
+}
+/**
+ * Normalize various date formats to ISO 8601 datetime (YYYY-MM-DDTHH:mm:ss.sssZ)
+ *
+ * WU-1337: Auto-repair date fields in WU YAML to consistent format
+ * Library-First: Uses date-fns for date handling (no manual parsing)
+ *
+ * Handles:
+ * - ISO date strings (YYYY-MM-DD) → midnight UTC
+ * - ISO datetime strings (already valid) → preserved
+ * - Unix timestamps (milliseconds) → converted
+ * - undefined/null → preserved as undefined
+ *
+ * @param {string|number|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} ISO datetime string or undefined
+ *
+ * @example
+ * normalizeISODateTime('2025-11-29'); // '2025-11-29T00:00:00.000Z'
+ * normalizeISODateTime('2025-11-29T14:30:00.000Z'); // '2025-11-29T14:30:00.000Z'
+ * normalizeISODateTime(1732896000000); // '2024-11-29T16:00:00.000Z'
+ * normalizeISODateTime(undefined); // undefined
+ */
+export function normalizeISODateTime(value: string | number | null | undefined) {
+  // Preserve undefined/null (optional fields)
+  if (value == null) {
+    return undefined;
+  }
+  // If already a valid ISO datetime format, preserve it
+  // Pattern: YYYY-MM-DDTHH:mm:ss.sssZ
+  if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/.test(value)) {
+    return value;
+  }
+  // Handle Unix timestamps as strings (convert to number first)
+  let dateInput = value;
+  if (typeof value === 'string' && /^\d+$/.test(value)) {
+    // Numeric string - treat as Unix timestamp in milliseconds
+    dateInput = Number(value);
+  }
+  // Parse and convert to ISO datetime
+  // date-fns/Date handles: ISO dates, ISO datetimes, Unix timestamps
+  const date = new Date(dateInput);
+  // Check for invalid date
+  if (isNaN(date.getTime())) {
+    // Fallback: return undefined for unparseable dates
+    // Zod schema will catch invalid dates separately
+    return undefined;
+  }
+  // Convert to ISO 8601 datetime format
+  return date.toISOString();
+}

package/packs/software-delivery/src/state/index.ts ADDED Viewed

@@ -0,0 +1,15 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+// Barrel for pack-local WU state modules. Populated by Layer 4 of INIT-058.
+// WU-2687 (narrowed): moved wu-state-schema, wu-doc-types from @lumenflow/core.
+// WU-2689 (L4 cascade): moved wu-paths, wu-yaml, wu-schema, date-utils from @lumenflow/core
+//   after WU-2690 added getDirectories/getStatePaths to the pack workspace-reader.
+export * from './wu-state-schema.js';
+export * from './wu-doc-types.js';
+export * from './date-utils.js';
+export * from './wu-paths.js';
+export * from './wu-schema.js';
+export * from './wu-yaml.js';
+// WU-2699 (L4): moved state-machine (SDLC residue) from @lumenflow/core.
+export * from './state-machine.js';