@lumenflow/packs-software-delivery 4.24.0 → 5.0.1

package/dist/src/sandbox/sandbox-backend-macos.js

@@ -0,0 +1,112 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import { spawnSync } from 'node:child_process';
+import os from 'node:os';
+import { SANDBOX_BACKEND_IDS, } from './sandbox-profile.js';
+const MACOS_SANDBOX_BINARY = 'sandbox-exec';
+function defaultCommandExists(binary) {
+    const probe = spawnSync(binary, ['-h'], { stdio: 'ignore' });
+    return !probe.error;
+}
+function escapePolicyPath(targetPath) {
+    return targetPath.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+function buildNetworkRules(profile) {
+    const posture = profile.networkPosture ?? 'full';
+    if (posture === 'off') {
+        return ['(deny network*)'];
+    }
+    if (posture === 'allowlist') {
+        const rules = ['(deny network*)'];
+        for (const host of profile.networkAllowlist) {
+            rules.push(`(allow network-outbound (remote ip "${host}"))`);
+        }
+        return rules;
+    }
+    // posture === 'full'
+    return ['(allow network*)'];
+}
+/** macOS system paths required for process execution (parity with bwrap --ro-bind /) */
+const MACOS_SYSTEM_READ_PATHS = [
+    '/usr',
+    '/System',
+    '/Library',
+    '/bin',
+    '/sbin',
+    '/private',
+    '/dev',
+    '/tmp',
+];
+/** Sensitive paths denied from read access (parity with bwrap deny overlays) */
+const SENSITIVE_DENY_PATHS = ['.ssh', '.aws', '.gnupg'];
+function buildReadRules(profile) {
+    const readPaths = new Set();
+    // Workspace root (covers worktree, state, WU YAML)
+    readPaths.add(profile.projectRoot);
+    // System paths required for process execution
+    for (const systemPath of MACOS_SYSTEM_READ_PATHS) {
+        readPaths.add(systemPath);
+    }
+    // Temp path from profile
+    readPaths.add(profile.tempPath);
+    return [...readPaths].map((readPath) => `(allow file-read* (subpath "${escapePolicyPath(readPath)}"))`);
+}
+function buildDenyOverlays() {
+    const homeDir = os.homedir();
+    return SENSITIVE_DENY_PATHS.map((sensitivePath) => `(deny file-read* (subpath "${escapePolicyPath(homeDir)}/${sensitivePath}"))`);
+}
+function buildPolicy(profile) {
+    const writableRules = profile.allowlist.writableRoots.map((entry) => `(allow file-write* (subpath "${escapePolicyPath(entry.normalizedPath)}"))`);
+    return [
+        '(version 1)',
+        '(deny default)',
+        '(allow process*)',
+        ...buildReadRules(profile),
+        ...buildDenyOverlays(),
+        '(allow sysctl-read)',
+        '(allow mach-lookup)',
+        ...buildNetworkRules(profile),
+        '(allow signal)',
+        ...writableRules,
+    ].join(' ');
+}
+function buildUnavailablePlan(request) {
+    if (request.allowUnsandboxedFallback) {
+        return {
+            backendId: SANDBOX_BACKEND_IDS.MACOS,
+            enforced: false,
+            failClosed: false,
+            warning: 'Running unsandboxed because sandbox-exec is unavailable and fallback was explicitly enabled.',
+        };
+    }
+    return {
+        backendId: SANDBOX_BACKEND_IDS.MACOS,
+        enforced: false,
+        failClosed: true,
+        reason: 'macOS sandbox backend unavailable: required binary "sandbox-exec" was not found.',
+    };
+}
+function buildInvocation(request) {
+    return {
+        command: MACOS_SANDBOX_BINARY,
+        args: ['-p', buildPolicy(request.profile), ...request.command],
+    };
+}
+export function createMacosSandboxBackend(options = {}) {
+    const commandExists = options.commandExists || defaultCommandExists;
+    return {
+        id: SANDBOX_BACKEND_IDS.MACOS,
+        resolveExecution(request) {
+            if (!commandExists(MACOS_SANDBOX_BINARY)) {
+                return buildUnavailablePlan(request);
+            }
+            return {
+                backendId: SANDBOX_BACKEND_IDS.MACOS,
+                enforced: true,
+                failClosed: false,
+                invocation: buildInvocation(request),
+            };
+        },
+    };
+}
+//# sourceMappingURL=sandbox-backend-macos.js.map

package/dist/src/sandbox/sandbox-backend-macos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-backend-macos.js","sourceRoot":"","sources":["../../../src/sandbox/sandbox-backend-macos.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EACL,mBAAmB,GAIpB,MAAM,sBAAsB,CAAC;AAM9B,MAAM,oBAAoB,GAAG,cAAc,CAAC;AAE5C,SAAS,oBAAoB,CAAC,MAAc;IAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC7D,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC;AACtB,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,iBAAiB,CAAC,OAA2C;IACpE,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,IAAI,MAAM,CAAC;IAEjD,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAa,CAAC,iBAAiB,CAAC,CAAC;QAC5C,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC5C,KAAK,CAAC,IAAI,CAAC,uCAAuC,IAAI,KAAK,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qBAAqB;IACrB,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAC9B,CAAC;AAED,wFAAwF;AACxF,MAAM,uBAAuB,GAAG;IAC9B,MAAM;IACN,SAAS;IACT,UAAU;IACV,MAAM;IACN,OAAO;IACP,UAAU;IACV,MAAM;IACN,MAAM;CACP,CAAC;AAEF,gFAAgF;AAChF,MAAM,oBAAoB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AAExD,SAAS,cAAc,CAAC,OAA2C;IACjE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,mDAAmD;IACnD,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAEnC,8CAA8C;IAC9C,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;QACjD,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,yBAAyB;IACzB,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhC,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC,GAAG,CACvB,CAAC,QAAQ,EAAE,EAAE,CAAC,+BAA+B,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAC7E,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC7B,OAAO,oBAAoB,CAAC,GAAG,CAC7B,CAAC,aAAa,EAAE,EAAE,CAChB,8BAA8B,gBAAgB,CAAC,OAAO,CAAC,IAAI,aAAa,KAAK,CAChF,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,OAA2C;IAC9D,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,CACvD,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC,gBAAgB,CAAC,KAAK,CAAC,cAAc,CAAC,KAAK,CACvF,CAAC;IAEF,OAAO;QACL,aAAa;QACb,gBAAgB;QAChB,kBAAkB;QAClB,GAAG,cAAc,CAAC,OAAO,CAAC;QAC1B,GAAG,iBAAiB,EAAE;QACtB,qBAAqB;QACrB,qBAAqB;QACrB,GAAG,iBAAiB,CAAC,OAAO,CAAC;QAC7B,gBAAgB;QAChB,GAAG,aAAa;KACjB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAgC;IAC5D,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;QACrC,OAAO;YACL,SAAS,EAAE,mBAAmB,CAAC,KAAK;YACpC,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,KAAK;YACjB,OAAO,EACL,8FAA8F;SACjG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,mBAAmB,CAAC,KAAK;QACpC,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE,kFAAkF;KAC3F,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,OAAgC;IACvD,OAAO;QACL,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;KAC/D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,UAAsC,EAAE;IAExC,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,oBAAoB,CAAC;IAEpE,OAAO;QACL,EAAE,EAAE,mBAAmB,CAAC,KAAK;QAC7B,gBAAgB,CAAC,OAAgC;YAC/C,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBACzC,OAAO,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACvC,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,mBAAmB,CAAC,KAAK;gBACpC,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,KAAK;gBACjB,UAAU,EAAE,eAAe,CAAC,OAAO,CAAC;aACrC,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/sandbox/sandbox-backend-windows.d.ts

@@ -0,0 +1,6 @@
+import { type SandboxBackend } from './sandbox-profile.js';
+export interface WindowsSandboxBackendOptions {
+    commandExists?: (binary: string) => boolean;
+}
+export declare function createWindowsSandboxBackend(_options?: WindowsSandboxBackendOptions): SandboxBackend;
+//# sourceMappingURL=sandbox-backend-windows.d.ts.map

package/dist/src/sandbox/sandbox-backend-windows.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-backend-windows.d.ts","sourceRoot":"","sources":["../../../src/sandbox/sandbox-backend-windows.ts"],"names":[],"mappings":"AAGA,OAAO,EAEL,KAAK,cAAc,EAGpB,MAAM,sBAAsB,CAAC;AAE9B,MAAM,WAAW,4BAA4B;IAC3C,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;CAC7C;AAyBD,wBAAgB,2BAA2B,CACzC,QAAQ,GAAE,4BAAiC,GAC1C,cAAc,CAOhB"}

package/dist/src/sandbox/sandbox-backend-windows.js

@@ -0,0 +1,30 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import { SANDBOX_BACKEND_IDS, } from './sandbox-profile.js';
+const WINDOWS_ENFORCEMENT_UNAVAILABLE_REASON = 'Windows sandbox backend unavailable: write enforcement is not yet available on Windows.';
+const WINDOWS_ENFORCEMENT_UNAVAILABLE_WARNING = 'Running unsandboxed because write enforcement is not yet available on Windows and fallback was explicitly enabled.';
+function buildNotImplementedPlan(request) {
+    if (request.allowUnsandboxedFallback) {
+        return {
+            backendId: SANDBOX_BACKEND_IDS.WINDOWS,
+            enforced: false,
+            failClosed: false,
+            warning: WINDOWS_ENFORCEMENT_UNAVAILABLE_WARNING,
+        };
+    }
+    return {
+        backendId: SANDBOX_BACKEND_IDS.WINDOWS,
+        enforced: false,
+        failClosed: true,
+        reason: WINDOWS_ENFORCEMENT_UNAVAILABLE_REASON,
+    };
+}
+export function createWindowsSandboxBackend(_options = {}) {
+    return {
+        id: SANDBOX_BACKEND_IDS.WINDOWS,
+        resolveExecution(request) {
+            return buildNotImplementedPlan(request);
+        },
+    };
+}
+//# sourceMappingURL=sandbox-backend-windows.js.map

package/dist/src/sandbox/sandbox-backend-windows.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-backend-windows.js","sourceRoot":"","sources":["../../../src/sandbox/sandbox-backend-windows.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC,OAAO,EACL,mBAAmB,GAIpB,MAAM,sBAAsB,CAAC;AAM9B,MAAM,sCAAsC,GAC1C,yFAAyF,CAAC;AAC5F,MAAM,uCAAuC,GAC3C,oHAAoH,CAAC;AAEvH,SAAS,uBAAuB,CAAC,OAAgC;IAC/D,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;QACrC,OAAO;YACL,SAAS,EAAE,mBAAmB,CAAC,OAAO;YACtC,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE,uCAAuC;SACjD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,mBAAmB,CAAC,OAAO;QACtC,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE,sCAAsC;KAC/C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,WAAyC,EAAE;IAE3C,OAAO;QACL,EAAE,EAAE,mBAAmB,CAAC,OAAO;QAC/B,gBAAgB,CAAC,OAAgC;YAC/C,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/sandbox/sandbox-profile.d.ts

@@ -0,0 +1,58 @@
+import { type SandboxAllowlist } from './sandbox-allowlist.js';
+export declare const SANDBOX_BACKEND_IDS: {
+    readonly LINUX: "linux";
+    readonly MACOS: "macos";
+    readonly WINDOWS: "windows";
+    readonly UNSUPPORTED: "unsupported";
+};
+export type SandboxBackendId = (typeof SANDBOX_BACKEND_IDS)[keyof typeof SANDBOX_BACKEND_IDS];
+export type SandboxNetworkPosture = 'off' | 'allowlist' | 'full';
+export interface SandboxProfile {
+    projectRoot: string;
+    worktreePath: string;
+    wuId: string;
+    wuYamlPath: string;
+    statePath: string;
+    tempPath: string;
+    allowlist: SandboxAllowlist;
+    networkPosture: SandboxNetworkPosture;
+    networkAllowlist: string[];
+}
+export interface BuildSandboxProfileInput {
+    projectRoot: string;
+    worktreePath: string;
+    wuId: string;
+    tempPath?: string;
+    extraWritableRoots?: string[];
+    networkPosture?: SandboxNetworkPosture;
+    networkAllowlist?: string[];
+}
+export interface SandboxBackendResolution {
+    id: SandboxBackendId;
+    platform: NodeJS.Platform | string;
+    supported: boolean;
+}
+export interface SandboxInvocation {
+    command: string;
+    args: string[];
+}
+export interface SandboxExecutionRequest {
+    profile: SandboxProfile;
+    command: string[];
+    allowUnsandboxedFallback: boolean;
+}
+export interface SandboxExecutionPlan {
+    backendId: SandboxBackendId;
+    enforced: boolean;
+    failClosed: boolean;
+    invocation?: SandboxInvocation;
+    reason?: string;
+    warning?: string;
+}
+export interface SandboxBackend {
+    id: SandboxBackendId;
+    resolveExecution: (request: SandboxExecutionRequest) => SandboxExecutionPlan;
+}
+export declare function buildSandboxProfile(input: BuildSandboxProfileInput): SandboxProfile;
+export declare function resolveSandboxBackendForPlatform(platform?: NodeJS.Platform | string): SandboxBackendResolution;
+//# sourceMappingURL=sandbox-profile.d.ts.map

package/dist/src/sandbox/sandbox-profile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-profile.d.ts","sourceRoot":"","sources":["../../../src/sandbox/sandbox-profile.ts"],"names":[],"mappings":"AAKA,OAAO,EAEL,KAAK,gBAAgB,EAEtB,MAAM,wBAAwB,CAAC;AAIhC,eAAO,MAAM,mBAAmB;;;;;CAKtB,CAAC;AAEX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,OAAO,mBAAmB,CAAC,CAAC;AAE9F,MAAM,MAAM,qBAAqB,GAAG,KAAK,GAAG,WAAW,GAAG,MAAM,CAAC;AAEjE,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,gBAAgB,CAAC;IAC5B,cAAc,EAAE,qBAAqB,CAAC;IACtC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,cAAc,CAAC,EAAE,qBAAqB,CAAC;IACvC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,gBAAgB,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,cAAc,CAAC;IACxB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wBAAwB,EAAE,OAAO,CAAC;CACnC;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,gBAAgB,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,gBAAgB,CAAC;IACrB,gBAAgB,EAAE,CAAC,OAAO,EAAE,uBAAuB,KAAK,oBAAoB,CAAC;CAC9E;AAmBD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,wBAAwB,GAAG,cAAc,CAwCnF;AAED,wBAAgB,gCAAgC,CAC9C,QAAQ,GAAE,MAAM,CAAC,QAAQ,GAAG,MAAyB,GACpD,wBAAwB,CAc1B"}

package/dist/src/sandbox/sandbox-profile.js

@@ -0,0 +1,69 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+import os from 'node:os';
+import path from 'node:path';
+import { buildSandboxAllowlist, } from './sandbox-allowlist.js';
+import { LUMENFLOW_PATHS } from '../constants/wu-paths-constants.js';
+import { createWuPaths } from '../state/wu-paths.js';
+export const SANDBOX_BACKEND_IDS = {
+    LINUX: 'linux',
+    MACOS: 'macos',
+    WINDOWS: 'windows',
+    UNSUPPORTED: 'unsupported',
+};
+function resolveWorktreePath(projectRoot, worktreePath) {
+    if (path.isAbsolute(worktreePath)) {
+        return path.resolve(worktreePath);
+    }
+    return path.resolve(projectRoot, worktreePath);
+}
+function buildDefaultWritableRoots(profile) {
+    return [profile.worktreePath, profile.statePath, profile.wuYamlPath, profile.tempPath];
+}
+export function buildSandboxProfile(input) {
+    const projectRoot = path.resolve(input.projectRoot);
+    const worktreePath = resolveWorktreePath(projectRoot, input.worktreePath);
+    const wuYamlPath = path.resolve(projectRoot, createWuPaths({ projectRoot }).WU(input.wuId));
+    const statePath = path.resolve(projectRoot, LUMENFLOW_PATHS.STATE_DIR);
+    const tempPath = path.resolve(input.tempPath || os.tmpdir());
+    const writableRoots = buildDefaultWritableRoots({
+        worktreePath,
+        statePath,
+        wuYamlPath,
+        tempPath,
+    });
+    if (input.extraWritableRoots && input.extraWritableRoots.length > 0) {
+        writableRoots.push(...input.extraWritableRoots);
+    }
+    const allowlistInput = {
+        projectRoot,
+        writableRoots,
+    };
+    const allowlist = buildSandboxAllowlist(allowlistInput);
+    const networkPosture = input.networkPosture ?? 'full';
+    const networkAllowlist = networkPosture === 'allowlist' && input.networkAllowlist ? [...input.networkAllowlist] : [];
+    return {
+        projectRoot,
+        worktreePath,
+        wuId: input.wuId,
+        wuYamlPath,
+        statePath,
+        tempPath,
+        allowlist,
+        networkPosture,
+        networkAllowlist,
+    };
+}
+export function resolveSandboxBackendForPlatform(platform = process.platform) {
+    if (platform === 'linux') {
+        return { id: SANDBOX_BACKEND_IDS.LINUX, platform, supported: true };
+    }
+    if (platform === 'darwin') {
+        return { id: SANDBOX_BACKEND_IDS.MACOS, platform, supported: true };
+    }
+    if (platform === 'win32') {
+        return { id: SANDBOX_BACKEND_IDS.WINDOWS, platform, supported: true };
+    }
+    return { id: SANDBOX_BACKEND_IDS.UNSUPPORTED, platform, supported: false };
+}
+//# sourceMappingURL=sandbox-profile.js.map

package/dist/src/sandbox/sandbox-profile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-profile.js","sourceRoot":"","sources":["../../../src/sandbox/sandbox-profile.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,SAAS;IAClB,WAAW,EAAE,aAAa;CAClB,CAAC;AA2DX,SAAS,mBAAmB,CAAC,WAAmB,EAAE,YAAoB;IACpE,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC;IAED,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,yBAAyB,CAAC,OAKlC;IACC,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAA+B;IACjE,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,mBAAmB,CAAC,WAAW,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5F,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IAE7D,MAAM,aAAa,GAAG,yBAAyB,CAAC;QAC9C,YAAY;QACZ,SAAS;QACT,UAAU;QACV,QAAQ;KACT,CAAC,CAAC;IAEH,IAAI,KAAK,CAAC,kBAAkB,IAAI,KAAK,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,aAAa,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,cAAc,GAA+B;QACjD,WAAW;QACX,aAAa;KACd,CAAC;IAEF,MAAM,SAAS,GAAG,qBAAqB,CAAC,cAAc,CAAC,CAAC;IAExD,MAAM,cAAc,GAA0B,KAAK,CAAC,cAAc,IAAI,MAAM,CAAC;IAC7E,MAAM,gBAAgB,GACpB,cAAc,KAAK,WAAW,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE9F,OAAO;QACL,WAAW;QACX,YAAY;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,UAAU;QACV,SAAS;QACT,QAAQ;QACR,SAAS;QACT,cAAc;QACd,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC9C,WAAqC,OAAO,CAAC,QAAQ;IAErD,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,mBAAmB,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,EAAE,EAAE,EAAE,mBAAmB,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,mBAAmB,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACxE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,mBAAmB,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC7E,CAAC"}

package/dist/src/schemas/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/src/schemas/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/schemas/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC"}

package/dist/src/schemas/index.js

@@ -0,0 +1,5 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+// Barrel for pack-static-data schemas. Populated by Layer 2 of INIT-058.
+export {};
+//# sourceMappingURL=index.js.map

package/dist/src/schemas/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/schemas/index.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC,yEAAyE;AACzE,OAAO,EAAE,CAAC"}

package/dist/src/state/date-utils.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Get current date in ISO format (YYYY-MM-DD)
+ * @returns {string} Current date in YYYY-MM-DD format
+ * @example
+ * todayISO(); // "2025-11-12"
+ */
+export declare function todayISO(): string;
+/**
+ * Format a date with a custom format string
+ * @param {Date|string|number} date - Date to format
+ * @param {string} formatString - date-fns format string
+ * @returns {string} Formatted date string
+ * @example
+ * formatDate(new Date(), 'yyyy-MM-dd HH:mm:ss');
+ * formatDate('2025-11-12', 'MMMM d, yyyy'); // "November 12, 2025"
+ */
+export declare function formatDate(date: Date | string | number, formatString: string): string;
+/**
+ * Normalize a Date object or ISO timestamp string to YYYY-MM-DD format
+ *
+ * WU-1442: Fix date corruption when js-yaml parses YYYY-MM-DD as Date objects
+ * Library-First: Uses date-fns for date formatting (no manual parsing)
+ *
+ * Use case: js-yaml parses `created: 2025-12-04` (unquoted) as a Date object.
+ * When yaml.dump() serializes it back, it outputs `2025-12-04T00:00:00.000Z`.
+ * This function normalizes Date objects back to YYYY-MM-DD string format.
+ *
+ * Handles:
+ * - Date objects → YYYY-MM-DD string
+ * - ISO timestamp strings → YYYY-MM-DD string (date portion)
+ * - YYYY-MM-DD strings → preserved as-is
+ * - undefined/null → preserved as undefined
+ *
+ * @param {Date|string|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} Date in YYYY-MM-DD format or undefined
+ *
+ * @example
+ * normalizeToDateString(new Date('2025-12-04')); // '2025-12-04'
+ * normalizeToDateString('2025-12-04T00:00:00.000Z'); // '2025-12-04'
+ * normalizeToDateString('2025-12-04'); // '2025-12-04'
+ * normalizeToDateString(undefined); // undefined
+ */
+export declare function normalizeToDateString(value: unknown): string | undefined;
+/**
+ * Normalize various date formats to ISO 8601 datetime (YYYY-MM-DDTHH:mm:ss.sssZ)
+ *
+ * WU-1337: Auto-repair date fields in WU YAML to consistent format
+ * Library-First: Uses date-fns for date handling (no manual parsing)
+ *
+ * Handles:
+ * - ISO date strings (YYYY-MM-DD) → midnight UTC
+ * - ISO datetime strings (already valid) → preserved
+ * - Unix timestamps (milliseconds) → converted
+ * - undefined/null → preserved as undefined
+ *
+ * @param {string|number|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} ISO datetime string or undefined
+ *
+ * @example
+ * normalizeISODateTime('2025-11-29'); // '2025-11-29T00:00:00.000Z'
+ * normalizeISODateTime('2025-11-29T14:30:00.000Z'); // '2025-11-29T14:30:00.000Z'
+ * normalizeISODateTime(1732896000000); // '2024-11-29T16:00:00.000Z'
+ * normalizeISODateTime(undefined); // undefined
+ */
+export declare function normalizeISODateTime(value: string | number | null | undefined): string | undefined;
+//# sourceMappingURL=date-utils.d.ts.map

package/dist/src/state/date-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"date-utils.d.ts","sourceRoot":"","sources":["../../../src/state/date-utils.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AACH,wBAAgB,QAAQ,WAEvB;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,EAAE,YAAY,EAAE,MAAM,UAE5E;AAQD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,sBAgCnD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,sBAgC7E"}

package/dist/src/state/date-utils.js

@@ -0,0 +1,143 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+/**
+ * @file date-utils.ts
+ * @description Date formatting utilities using date-fns library
+ * WU-1082: Extract shared utilities (eliminate date formatting duplication)
+ *
+ * Replaces manual date formatting in:
+ * - tools/wu-block.ts (todayISO)
+ * - tools/wu-unblock.ts (todayISO)
+ * - tools/wu-done.ts (todayISO - already uses date-fns)
+ */
+import { format } from 'date-fns';
+/**
+ * Get current date in ISO format (YYYY-MM-DD)
+ * @returns {string} Current date in YYYY-MM-DD format
+ * @example
+ * todayISO(); // "2025-11-12"
+ */
+export function todayISO() {
+    return format(new Date(), 'yyyy-MM-dd');
+}
+/**
+ * Format a date with a custom format string
+ * @param {Date|string|number} date - Date to format
+ * @param {string} formatString - date-fns format string
+ * @returns {string} Formatted date string
+ * @example
+ * formatDate(new Date(), 'yyyy-MM-dd HH:mm:ss');
+ * formatDate('2025-11-12', 'MMMM d, yyyy'); // "November 12, 2025"
+ */
+export function formatDate(date, formatString) {
+    return format(new Date(date), formatString);
+}
+/**
+ * Date format constant for YYYY-MM-DD
+ * @constant {string}
+ */
+const DATE_FORMAT_ISO = 'yyyy-MM-dd';
+/**
+ * Normalize a Date object or ISO timestamp string to YYYY-MM-DD format
+ *
+ * WU-1442: Fix date corruption when js-yaml parses YYYY-MM-DD as Date objects
+ * Library-First: Uses date-fns for date formatting (no manual parsing)
+ *
+ * Use case: js-yaml parses `created: 2025-12-04` (unquoted) as a Date object.
+ * When yaml.dump() serializes it back, it outputs `2025-12-04T00:00:00.000Z`.
+ * This function normalizes Date objects back to YYYY-MM-DD string format.
+ *
+ * Handles:
+ * - Date objects → YYYY-MM-DD string
+ * - ISO timestamp strings → YYYY-MM-DD string (date portion)
+ * - YYYY-MM-DD strings → preserved as-is
+ * - undefined/null → preserved as undefined
+ *
+ * @param {Date|string|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} Date in YYYY-MM-DD format or undefined
+ *
+ * @example
+ * normalizeToDateString(new Date('2025-12-04')); // '2025-12-04'
+ * normalizeToDateString('2025-12-04T00:00:00.000Z'); // '2025-12-04'
+ * normalizeToDateString('2025-12-04'); // '2025-12-04'
+ * normalizeToDateString(undefined); // undefined
+ */
+export function normalizeToDateString(value) {
+    // Preserve undefined/null
+    if (value == null) {
+        return undefined;
+    }
+    // If already a YYYY-MM-DD string, return as-is
+    if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(value)) {
+        return value;
+    }
+    // Convert Date objects or timestamp strings to YYYY-MM-DD
+    if (value instanceof Date) {
+        return format(value, DATE_FORMAT_ISO);
+    }
+    // Handle ISO timestamp strings (e.g., '2025-12-04T00:00:00.000Z')
+    if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}T/.test(value)) {
+        return format(new Date(value), DATE_FORMAT_ISO);
+    }
+    // Fallback: try to parse and format (coerce to string for Date constructor)
+    try {
+        const date = new Date(String(value));
+        if (!isNaN(date.getTime())) {
+            return format(date, DATE_FORMAT_ISO);
+        }
+    }
+    catch {
+        // Invalid date - return undefined
+    }
+    return undefined;
+}
+/**
+ * Normalize various date formats to ISO 8601 datetime (YYYY-MM-DDTHH:mm:ss.sssZ)
+ *
+ * WU-1337: Auto-repair date fields in WU YAML to consistent format
+ * Library-First: Uses date-fns for date handling (no manual parsing)
+ *
+ * Handles:
+ * - ISO date strings (YYYY-MM-DD) → midnight UTC
+ * - ISO datetime strings (already valid) → preserved
+ * - Unix timestamps (milliseconds) → converted
+ * - undefined/null → preserved as undefined
+ *
+ * @param {string|number|undefined|null} value - Date value to normalize
+ * @returns {string|undefined} ISO datetime string or undefined
+ *
+ * @example
+ * normalizeISODateTime('2025-11-29'); // '2025-11-29T00:00:00.000Z'
+ * normalizeISODateTime('2025-11-29T14:30:00.000Z'); // '2025-11-29T14:30:00.000Z'
+ * normalizeISODateTime(1732896000000); // '2024-11-29T16:00:00.000Z'
+ * normalizeISODateTime(undefined); // undefined
+ */
+export function normalizeISODateTime(value) {
+    // Preserve undefined/null (optional fields)
+    if (value == null) {
+        return undefined;
+    }
+    // If already a valid ISO datetime format, preserve it
+    // Pattern: YYYY-MM-DDTHH:mm:ss.sssZ
+    if (typeof value === 'string' && /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/.test(value)) {
+        return value;
+    }
+    // Handle Unix timestamps as strings (convert to number first)
+    let dateInput = value;
+    if (typeof value === 'string' && /^\d+$/.test(value)) {
+        // Numeric string - treat as Unix timestamp in milliseconds
+        dateInput = Number(value);
+    }
+    // Parse and convert to ISO datetime
+    // date-fns/Date handles: ISO dates, ISO datetimes, Unix timestamps
+    const date = new Date(dateInput);
+    // Check for invalid date
+    if (isNaN(date.getTime())) {
+        // Fallback: return undefined for unparseable dates
+        // Zod schema will catch invalid dates separately
+        return undefined;
+    }
+    // Convert to ISO 8601 datetime format
+    return date.toISOString();
+}
+//# sourceMappingURL=date-utils.js.map

package/dist/src/state/date-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"date-utils.js","sourceRoot":"","sources":["../../../src/state/date-utils.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC;;;;;;;;;GASG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC;;;;;GAKG;AACH,MAAM,UAAU,QAAQ;IACtB,OAAO,MAAM,CAAC,IAAI,IAAI,EAAE,EAAE,YAAY,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CAAC,IAA4B,EAAE,YAAoB;IAC3E,OAAO,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,eAAe,GAAG,YAAY,CAAC;AAErC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc;IAClD,0BAA0B;IAC1B,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,+CAA+C;IAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0DAA0D;IAC1D,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxC,CAAC;IAED,kEAAkE;IAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACnE,OAAO,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EAAE,eAAe,CAAC,CAAC;IAClD,CAAC;IAED,4EAA4E;IAC5E,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YAC3B,OAAO,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAyC;IAC5E,4CAA4C;IAC5C,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sDAAsD;IACtD,oCAAoC;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,+CAA+C,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7F,OAAO,KAAK,CAAC;IACf,CAAC;IAED,8DAA8D;IAC9D,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrD,2DAA2D;QAC3D,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,oCAAoC;IACpC,mEAAmE;IACnE,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IAEjC,yBAAyB;IACzB,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC1B,mDAAmD;QACnD,iDAAiD;QACjD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sCAAsC;IACtC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;AAC5B,CAAC"}

package/dist/src/state/index.d.ts

@@ -0,0 +1,8 @@
+export * from './wu-state-schema.js';
+export * from './wu-doc-types.js';
+export * from './date-utils.js';
+export * from './wu-paths.js';
+export * from './wu-schema.js';
+export * from './wu-yaml.js';
+export * from './state-machine.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/state/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/state/index.ts"],"names":[],"mappings":"AAOA,cAAc,sBAAsB,CAAC;AACrC,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,cAAc,CAAC;AAE7B,cAAc,oBAAoB,CAAC"}

package/dist/src/state/index.js

@@ -0,0 +1,15 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: AGPL-3.0-only
+// Barrel for pack-local WU state modules. Populated by Layer 4 of INIT-058.
+// WU-2687 (narrowed): moved wu-state-schema, wu-doc-types from @lumenflow/core.
+// WU-2689 (L4 cascade): moved wu-paths, wu-yaml, wu-schema, date-utils from @lumenflow/core
+//   after WU-2690 added getDirectories/getStatePaths to the pack workspace-reader.
+export * from './wu-state-schema.js';
+export * from './wu-doc-types.js';
+export * from './date-utils.js';
+export * from './wu-paths.js';
+export * from './wu-schema.js';
+export * from './wu-yaml.js';
+// WU-2699 (L4): moved state-machine (SDLC residue) from @lumenflow/core.
+export * from './state-machine.js';
+//# sourceMappingURL=index.js.map

package/dist/src/state/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/state/index.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,yCAAyC;AAEzC,4EAA4E;AAC5E,gFAAgF;AAChF,4FAA4F;AAC5F,mFAAmF;AACnF,cAAc,sBAAsB,CAAC;AACrC,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,cAAc,CAAC;AAC7B,yEAAyE;AACzE,cAAc,oBAAoB,CAAC"}

package/dist/src/state/state-machine.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Validates a SDLC WU state transition and throws if illegal.
+ *
+ * Delegates graph evaluation to `@lumenflow/kernel/primitives/state-machine`
+ * and rewraps kernel errors with the `STATE_ERROR` error code that core
+ * callers already rely on.
+ *
+ * @param from  Current WU status (e.g., `in_progress`, `blocked`).
+ * @param to    Desired WU status.
+ * @param wuid  Work Unit ID (e.g., `WU-416`) used in error messages.
+ * @throws Error with `code === 'STATE_ERROR'` for invalid/illegal transitions.
+ */
+export declare function assertTransition(from: string | null | undefined, to: string | null | undefined, wuid: string): void;
+//# sourceMappingURL=state-machine.d.ts.map

package/dist/src/state/state-machine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-machine.d.ts","sourceRoot":"","sources":["../../../src/state/state-machine.ts"],"names":[],"mappings":"AAkFA;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC7B,IAAI,EAAE,MAAM,GACX,IAAI,CAoBN"}