@mandujs/core 0.12.2 → 0.13.1

package/src/filling/index.ts

@@ -8,6 +8,8 @@ export { ManduContext, ValidationError, CookieManager } from "./context";
 export type { CookieOptions } from "./context";
 export { ManduFilling, ManduFillingFactory, LoaderTimeoutError } from "./filling";
 export type { Handler, Guard, HttpMethod, Loader, LoaderOptions } from "./filling";
+export { SSEConnection, createSSEConnection } from "./sse";
+export type { SSEOptions, SSESendOptions, SSECleanup } from "./sse";
 
 // Auth Guards
 export {

package/src/filling/sse.test.ts

@@ -0,0 +1,168 @@
+import { describe, it, expect, mock } from "bun:test";
+import { createSSEConnection } from "./sse";
+import { ManduContext } from "./context";
+
+async function readChunk(response: Response): Promise<string> {
+  const reader = response.body?.getReader();
+  if (!reader) throw new Error("Missing response body");
+
+  const { value, done } = await reader.read();
+  if (done || !value) return "";
+  return new TextDecoder().decode(value);
+}
+
+describe("SSEConnection", () => {
+  it("streams real-time chunks and finishes with done=true after close", async () => {
+    const server = Bun.serve({
+      port: 0,
+      fetch(req) {
+        const ctx = new ManduContext(req);
+        return ctx.sse(async (sse) => {
+          sse.event("tick", { step: 1 }, { id: "1" });
+          await new Promise((resolve) => setTimeout(resolve, 20));
+          sse.event("tick", { step: 2 }, { id: "2" });
+          await sse.close();
+        });
+      },
+    });
+
+    try {
+      const response = await fetch(`http://127.0.0.1:${server.port}/stream`);
+      expect(response.headers.get("content-type")).toContain("text/event-stream");
+
+      const reader = response.body?.getReader();
+      if (!reader) throw new Error("Missing response body");
+
+      const firstRead = await reader.read();
+      expect(firstRead.done).toBe(false);
+      const firstChunk = new TextDecoder().decode(firstRead.value);
+      expect(firstChunk).toContain("event: tick");
+      expect(firstChunk).toContain('data: {"step":1}');
+
+      const secondRead = await reader.read();
+      expect(secondRead.done).toBe(false);
+      const secondChunk = new TextDecoder().decode(secondRead.value);
+      expect(secondChunk).toContain('data: {"step":2}');
+
+      const finalRead = await reader.read();
+      expect(finalRead.done).toBe(true);
+    } finally {
+      server.stop(true);
+    }
+  });
+
+  it("closes stream when context-level SSE setup throws (error path)", async () => {
+    const ctx = new ManduContext(new Request("http://localhost/realtime-error"));
+
+    const response = ctx.sse(async () => {
+      throw new Error("setup failed");
+    });
+
+    const reader = response.body?.getReader();
+    if (!reader) throw new Error("Missing response body");
+
+    // setup error is swallowed intentionally, but stream must close cleanly.
+    await Promise.resolve();
+    const read = await reader.read();
+    expect(read.done).toBe(true);
+  });
+  it("sends SSE event payload with metadata", async () => {
+    const sse = createSSEConnection();
+
+    sse.send({ ok: true }, { event: "ready", id: "1", retry: 3000 });
+    const chunk = await readChunk(sse.response);
+
+    expect(chunk).toContain("event: ready");
+    expect(chunk).toContain("id: 1");
+    expect(chunk).toContain("retry: 3000");
+    expect(chunk).toContain('data: {"ok":true}');
+  });
+
+  it("sanitizes event/id fields to prevent SSE injection", async () => {
+    const sse = createSSEConnection();
+
+    sse.send("payload", {
+      event: "update\nretry:0",
+      id: "abc\r\ndata: injected",
+    });
+
+    const chunk = await readChunk(sse.response);
+    expect(chunk).toContain("event: update retry:0");
+    expect(chunk).toContain("id: abc data: injected");
+    expect(chunk).not.toContain("\nevent: update\nretry:0\n");
+  });
+
+  it("normalizes payload lines across CR/LF variants", async () => {
+    const sse = createSSEConnection();
+
+    sse.send("a\rb\nc\r\nd");
+    const chunk = await readChunk(sse.response);
+
+    expect(chunk).toContain("data: a");
+    expect(chunk).toContain("data: b");
+    expect(chunk).toContain("data: c");
+    expect(chunk).toContain("data: d");
+  });
+
+  it("registers heartbeat and cleanup on close", async () => {
+    const sse = createSSEConnection();
+    const cleanup = mock(() => {});
+
+    const stop = sse.heartbeat(1000, "ping");
+    sse.onClose(cleanup);
+
+    await sse.close();
+
+    expect(cleanup).toHaveBeenCalledTimes(1);
+    expect(typeof stop).toBe("function");
+  });
+
+  it("continues closing when cleanup handlers throw", async () => {
+    const sse = createSSEConnection();
+    const badCleanup = mock(() => {
+      throw new Error("cleanup failed");
+    });
+    const goodCleanup = mock(() => {});
+
+    sse.onClose(badCleanup);
+    sse.onClose(goodCleanup);
+
+    await expect(sse.close()).resolves.toBeUndefined();
+    expect(badCleanup).toHaveBeenCalledTimes(1);
+    expect(goodCleanup).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not throw when registering onClose after already closed", async () => {
+    const sse = createSSEConnection();
+    await sse.close();
+
+    const badCleanup = () => Promise.reject(new Error("late cleanup failed"));
+    expect(() => sse.onClose(badCleanup)).not.toThrow();
+  });
+
+  it("closes automatically when request signal aborts", async () => {
+    const controller = new AbortController();
+    const sse = createSSEConnection(controller.signal);
+    const cleanup = mock(() => {});
+
+    sse.onClose(cleanup);
+    controller.abort();
+
+    await Promise.resolve();
+
+    expect(cleanup).toHaveBeenCalledTimes(1);
+  });
+
+  it("supports context-level SSE response helper", async () => {
+    const ctx = new ManduContext(new Request("http://localhost/realtime"));
+
+    const response = ctx.sse((sse) => {
+      sse.event("message", "hello");
+    });
+
+    expect(response.headers.get("content-type")).toContain("text/event-stream");
+    const chunk = await readChunk(response);
+    expect(chunk).toContain("event: message");
+    expect(chunk).toContain("data: hello");
+  });
+});

package/src/filling/sse.ts

@@ -0,0 +1,162 @@
+export interface SSEOptions {
+  /** Additional headers merged into default SSE headers */
+  headers?: HeadersInit;
+  /** HTTP status code (default: 200) */
+  status?: number;
+}
+
+export interface SSESendOptions {
+  event?: string;
+  id?: string;
+  retry?: number;
+}
+
+export type SSECleanup = () => void | Promise<void>;
+
+function sanitizeSingleLineField(value: string): string {
+  return value.replace(/[\r\n]+/g, " ").trim();
+}
+
+function splitSSELines(value: string): string[] {
+  return value.split(/\r\n|[\r\n]/);
+}
+
+const DEFAULT_SSE_HEADERS: HeadersInit = {
+  "Content-Type": "text/event-stream; charset=utf-8",
+  "Cache-Control": "no-cache, no-transform",
+  Connection: "keep-alive",
+  "X-Accel-Buffering": "no",
+};
+
+export class SSEConnection {
+  readonly response: Response;
+
+  private controller: ReadableStreamDefaultController<Uint8Array> | null = null;
+  private encoder = new TextEncoder();
+  private pending: string[] = [];
+  private closed = false;
+  private cleanupHandlers: SSECleanup[] = [];
+
+  constructor(signal?: AbortSignal, options: SSEOptions = {}) {
+    const stream = new ReadableStream<Uint8Array>({
+      start: (controller) => {
+        this.controller = controller;
+        for (const chunk of this.pending) {
+          controller.enqueue(this.encoder.encode(chunk));
+        }
+        this.pending = [];
+      },
+      cancel: () => {
+        this.close();
+      },
+    });
+
+    const headers = new Headers(DEFAULT_SSE_HEADERS);
+    if (options.headers) {
+      const extra = new Headers(options.headers);
+      extra.forEach((value, key) => headers.set(key, value));
+    }
+
+    this.response = new Response(stream, {
+      status: options.status ?? 200,
+      headers,
+    });
+
+    signal?.addEventListener("abort", () => this.close(), { once: true });
+  }
+
+  send(data: unknown, options: SSESendOptions = {}): void {
+    if (this.closed) return;
+
+    const lines: string[] = [];
+
+    if (options.event) {
+      const safeEvent = sanitizeSingleLineField(options.event);
+      if (safeEvent) lines.push(`event: ${safeEvent}`);
+    }
+    if (options.id) {
+      const safeId = sanitizeSingleLineField(options.id);
+      if (safeId) lines.push(`id: ${safeId}`);
+    }
+    if (typeof options.retry === "number") lines.push(`retry: ${Math.max(0, Math.floor(options.retry))}`);
+
+    const payload = typeof data === "string" ? data : JSON.stringify(data);
+    const payloadLines = splitSSELines(payload);
+    for (const line of payloadLines) {
+      lines.push(`data: ${line}`);
+    }
+
+    this.enqueue(`${lines.join("\n")}\n\n`);
+  }
+
+  event(name: string, data: unknown, options: Omit<SSESendOptions, "event"> = {}): void {
+    this.send(data, { ...options, event: name });
+  }
+
+  comment(text: string): void {
+    if (this.closed) return;
+    const lines = splitSSELines(text).map((line) => `: ${line}`);
+    this.enqueue(`${lines.join("\n")}\n\n`);
+  }
+
+  heartbeat(intervalMs = 15000, comment = "heartbeat"): () => void {
+    const timer = setInterval(() => {
+      if (this.closed) return;
+      this.comment(comment);
+    }, Math.max(1000, intervalMs));
+
+    const stop = () => clearInterval(timer);
+    this.onClose(stop);
+    return stop;
+  }
+
+  onClose(handler: SSECleanup): void {
+    if (this.closed) {
+      void Promise.resolve(handler()).catch(() => {
+        // ignore cleanup errors after close
+      });
+      return;
+    }
+    this.cleanupHandlers.push(handler);
+  }
+
+  async close(): Promise<void> {
+    if (this.closed) return;
+    this.closed = true;
+
+    try {
+      this.controller?.close();
+    } catch {
+      // no-op
+    }
+
+    const handlers = [...this.cleanupHandlers];
+    this.cleanupHandlers = [];
+    for (const handler of handlers) {
+      try {
+        await handler();
+      } catch {
+        // continue running remaining cleanup handlers
+      }
+    }
+  }
+
+  private enqueue(chunk: string): void {
+    if (this.controller) {
+      try {
+        this.controller.enqueue(this.encoder.encode(chunk));
+      } catch {
+        void this.close();
+      }
+      return;
+    }
+    this.pending.push(chunk);
+  }
+}
+
+/**
+ * Create a production-safe Server-Sent Events connection helper.
+ */
+export function createSSEConnection(signal?: AbortSignal, options: SSEOptions = {}): SSEConnection {
+  return new SSEConnection(signal, options);
+}

package/src/generator/contract-glue.ts

@@ -4,6 +4,7 @@
  */
 
 import type { RouteSpec } from "../spec/schema";
+import { GENERATED_RELATIVE_PATHS } from "../paths";
 
 /**
  * Convert string to PascalCase
@@ -63,7 +64,7 @@ function computeRelativePath(fromDir: string, toPath: string): string {
  */
 export function generateContractTypeGlue(
   route: RouteSpec,
-  typesDir: string = "apps/server/generated/types"
+  typesDir: string = GENERATED_RELATIVE_PATHS.types
 ): string {
   if (!route.contractModule) {
     return "";

package/src/generator/generate.ts

@@ -3,6 +3,7 @@ import { generateApiHandler, generatePageComponent, generateSlotLogic } from "./
 import { generateContractTypeGlue, generateContractTemplate, generateContractTypesIndex } from "./contract-glue";
 import { computeHash } from "../spec/lock";
 import { getWatcher } from "../watcher/watcher";
+import { resolveGeneratedPaths, GENERATED_RELATIVE_PATHS } from "../paths";
 import path from "path";
 import fs from "fs/promises";
 import fsSync from "fs";
@@ -141,10 +142,11 @@ export async function generateRoutes(
   const watcher = getWatcher();
   watcher?.suppress();
 
-  const serverRoutesDir = path.join(rootDir, "apps/server/generated/routes");
-  const webRoutesDir = path.join(rootDir, "apps/web/generated/routes");
-  const typesDir = path.join(rootDir, "apps/server/generated/types");
-  const mapDir = path.join(rootDir, "packages/core/map");
+  const generatedPaths = resolveGeneratedPaths(rootDir);
+  const serverRoutesDir = generatedPaths.serverRoutesDir;
+  const webRoutesDir = generatedPaths.webRoutesDir;
+  const typesDir = generatedPaths.typesDir;
+  const mapDir = generatedPaths.mapDir;
 
   await ensureDir(serverRoutesDir);
   await ensureDir(webRoutesDir);
@@ -155,7 +157,7 @@ export async function generateRoutes(
     version: manifest.version,
     generatedAt: new Date().toISOString(),
     specSource: {
-      path: "spec/routes.manifest.json",
+      path: ".mandu/routes.manifest.json",
       hash: computeHash(manifest),
     },
     files: {},
@@ -177,7 +179,7 @@ export async function generateRoutes(
     try {
       // Spec 위치 정보
       const specLocation: SpecLocation = {
-        file: "spec/routes.manifest.json",
+        file: ".mandu/routes.manifest.json",
         routeIndex,
         jsonPath: `routes[${routeIndex}]`,
       };
@@ -221,19 +223,19 @@ export async function generateRoutes(
         const typeFilePath = path.join(typesDir, typeFileName);
         expectedTypeFiles.add(typeFileName);
 
-        const typeGlueContent = generateContractTypeGlue(route, "apps/server/generated/types");
+        const typeGlueContent = generateContractTypeGlue(route, GENERATED_RELATIVE_PATHS.types);
         await Bun.write(typeFilePath, typeGlueContent);
         result.created.push(typeFilePath);
 
         contractMapping = {
           contractPath: route.contractModule,
-          typeGluePath: `apps/server/generated/types/${typeFileName}`,
+          typeGluePath: `${GENERATED_RELATIVE_PATHS.types}/${typeFileName}`,
         };
 
         routesWithContracts.push(route.id);
       }
 
-      generatedMap.files[`apps/server/generated/routes/${serverFileName}`] = {
+      generatedMap.files[`${GENERATED_RELATIVE_PATHS.serverRoutes}/${serverFileName}`] = {
         routeId: route.id,
         kind: route.kind as "api" | "page",
         specLocation,
@@ -269,7 +271,7 @@ export async function generateRoutes(
         await Bun.write(webFilePath, componentContent);
         result.created.push(webFilePath);
 
-        generatedMap.files[`apps/web/generated/routes/${webFileName}`] = {
+        generatedMap.files[`${GENERATED_RELATIVE_PATHS.webRoutes}/${webFileName}`] = {
           routeId: route.id,
           kind: route.kind,
           specLocation,

package/src/generator/templates.ts

@@ -1,4 +1,5 @@
 import type { RouteSpec } from "../spec/schema";
+import { GENERATED_RELATIVE_PATHS } from "../paths";
 
 export function generateApiHandler(route: RouteSpec): string {
   // contractModule + slotModule이 있으면 contract 검증 버전 생성
@@ -29,7 +30,7 @@ export default function handler(req: Request, params: Record<string, string>): R
 }
 
 export function generateApiHandlerWithSlot(route: RouteSpec): string {
-  const slotImportPath = computeSlotImportPath(route.slotModule!, "apps/server/generated/routes");
+  const slotImportPath = computeSlotImportPath(route.slotModule!, GENERATED_RELATIVE_PATHS.serverRoutes);
 
   return `// Generated by Mandu - DO NOT EDIT DIRECTLY
 // Route ID: ${route.id}
@@ -49,8 +50,8 @@ export default async function handler(
 }
 
 export function generateApiHandlerWithContract(route: RouteSpec): string {
-  const slotImportPath = computeSlotImportPath(route.slotModule!, "apps/server/generated/routes");
-  const contractImportPath = computeSlotImportPath(route.contractModule!, "apps/server/generated/routes");
+  const slotImportPath = computeSlotImportPath(route.slotModule!, GENERATED_RELATIVE_PATHS.serverRoutes);
+  const contractImportPath = computeSlotImportPath(route.contractModule!, GENERATED_RELATIVE_PATHS.serverRoutes);
 
   return `// Generated by Mandu - DO NOT EDIT DIRECTLY
 // Route ID: ${route.id}
@@ -110,14 +111,14 @@ export default async function handler(
 `;
 }
 
-export function generateSlotLogic(route: RouteSpec): string {
-  if (route.contractModule) {
-    return generateSlotLogicWithContract(route);
-  }
-
-  return `// 🥟 Mandu Filling - ${route.id}
-// Pattern: ${route.pattern}
-// 이 파일에서 비즈니스 로직을 구현하세요.
+export function generateSlotLogic(route: RouteSpec): string {
+  if (route.contractModule) {
+    return generateSlotLogicWithContract(route);
+  }
+
+  return `// 🥟 Mandu Filling - ${route.id}
+// Pattern: ${route.pattern}
+// 이 파일에서 비즈니스 로직을 구현하세요.
 
 import { Mandu } from "@mandujs/core";
 
@@ -149,67 +150,67 @@ export default Mandu.filling()
 // 💡 Context (ctx) API:
 // ctx.query            - Query parameters { name: 'value' }
 // ctx.params           - Path parameters { id: '123' }
-// ctx.body()           - Request body (자동 파싱)
-// ctx.body(zodSchema)  - Body with validation
-// ctx.headers          - Request headers
-// ctx.ok(data)         - 200 OK
-// ctx.created(data)    - 201 Created
-// ctx.error(msg)       - 400 Bad Request
-// ctx.notFound(msg)    - 404 Not Found
-// ctx.set(key, value)  - Guard에서 Handler로 데이터 전달
-// ctx.get(key)         - Guard에서 설정한 데이터 읽기
-`;
-}
-
-export function generateSlotLogicWithContract(route: RouteSpec): string {
-  const contractImportPath = computeSlotImportPath(
-    route.contractModule!,
-    pathDirname(route.slotModule ?? "spec/slots")
-  );
-
-  return `// 🥟 Mandu Filling - ${route.id}
-// Pattern: ${route.pattern}
-// Contract Module: ${route.contractModule}
-// 이 파일에서 비즈니스 로직을 구현하세요.
-
-import { Mandu } from "@mandujs/core";
-import contract from "${contractImportPath}";
-
-export default Mandu.filling()
-  // 📋 GET ${route.pattern}
-  .get(async (ctx) => {
-    const input = await ctx.input(contract, "GET", ctx.params);
-    // TODO: 계약의 응답 코드에 맞게 status를 조정하세요
-    return ctx.output(contract, 200, {
-      message: "Hello from ${route.id}!",
-      input,
-      timestamp: new Date().toISOString(),
-    });
-  })
-
-  // ➕ POST ${route.pattern}
-  .post(async (ctx) => {
-    const input = await ctx.input(contract, "POST", ctx.params);
-    // TODO: 계약의 응답 코드에 맞게 status를 조정하세요
-    return ctx.output(contract, 201, {
-      message: "Created!",
-      input,
-      timestamp: new Date().toISOString(),
-    });
-  });
-
-// 💡 Contract 기반 사용법:
-// ctx.input(contract, "GET")  - Contract로 요청 검증 + 정규화
-// ctx.output(contract, 200, data) - Contract로 응답 검증
-// ctx.okContract(contract, data)  - 200 OK (Contract 검증)
-// ctx.createdContract(contract, data) - 201 Created (Contract 검증)
-`;
-}
+// ctx.body()           - Request body (자동 파싱)
+// ctx.body(zodSchema)  - Body with validation
+// ctx.headers          - Request headers
+// ctx.ok(data)         - 200 OK
+// ctx.created(data)    - 201 Created
+// ctx.error(msg)       - 400 Bad Request
+// ctx.notFound(msg)    - 404 Not Found
+// ctx.set(key, value)  - Guard에서 Handler로 데이터 전달
+// ctx.get(key)         - Guard에서 설정한 데이터 읽기
+`;
+}
+
+export function generateSlotLogicWithContract(route: RouteSpec): string {
+  const contractImportPath = computeSlotImportPath(
+    route.contractModule!,
+    pathDirname(route.slotModule ?? "spec/slots")
+  );
+
+  return `// 🥟 Mandu Filling - ${route.id}
+// Pattern: ${route.pattern}
+// Contract Module: ${route.contractModule}
+// 이 파일에서 비즈니스 로직을 구현하세요.
+
+import { Mandu } from "@mandujs/core";
+import contract from "${contractImportPath}";
+
+export default Mandu.filling()
+  // 📋 GET ${route.pattern}
+  .get(async (ctx) => {
+    const input = await ctx.input(contract, "GET", ctx.params);
+    // TODO: 계약의 응답 코드에 맞게 status를 조정하세요
+    return ctx.output(contract, 200, {
+      message: "Hello from ${route.id}!",
+      input,
+      timestamp: new Date().toISOString(),
+    });
+  })
+
+  // ➕ POST ${route.pattern}
+  .post(async (ctx) => {
+    const input = await ctx.input(contract, "POST", ctx.params);
+    // TODO: 계약의 응답 코드에 맞게 status를 조정하세요
+    return ctx.output(contract, 201, {
+      message: "Created!",
+      input,
+      timestamp: new Date().toISOString(),
+    });
+  });
+
+// 💡 Contract 기반 사용법:
+// ctx.input(contract, "GET")  - Contract로 요청 검증 + 정규화
+// ctx.output(contract, 200, data) - Contract로 응답 검증
+// ctx.okContract(contract, data)  - 200 OK (Contract 검증)
+// ctx.createdContract(contract, data) - 201 Created (Contract 검증)
+`;
+}
 
 function computeSlotImportPath(slotModule: string, fromDir: string): string {
-  // slotModule: "apps/server/slots/users.logic.ts"
-  // fromDir: "apps/server/generated/routes"
-  // result: "../../slots/users.logic"
+  // slotModule: "spec/slots/users.slot.ts"
+  // fromDir: ".mandu/generated/server/routes"
+  // result: "../../../../spec/slots/users.slot"
 
   const slotParts = slotModule.replace(/\\/g, "/").split("/");
   const fromParts = fromDir.replace(/\\/g, "/").split("/");
@@ -280,11 +281,11 @@ export default function ${pageName}Page({ params }: Props): React.ReactElement {
  */
 export function generatePageComponentWithIsland(route: RouteSpec): string {
   const pageName = toPascalCase(route.id);
-  const clientImportPath = computeSlotImportPath(route.clientModule!, "apps/web/generated/routes");
+  const clientImportPath = computeSlotImportPath(route.clientModule!, GENERATED_RELATIVE_PATHS.webRoutes);
 
   // clientModule + slotModule → PageRegistration 형식
   if (route.slotModule) {
-    const slotImportPath = computeSlotImportPath(route.slotModule!, "apps/web/generated/routes");
+    const slotImportPath = computeSlotImportPath(route.slotModule!, GENERATED_RELATIVE_PATHS.webRoutes);
 
     return `// Generated by Mandu - DO NOT EDIT DIRECTLY
 // Island-First Rendering + Slot Module
@@ -346,7 +347,7 @@ export default function ${pageName}Page({ params, loaderData }: Props): React.Re
  */
 export function generatePageHandlerWithSlot(route: RouteSpec): string {
   const pageName = toPascalCase(route.id);
-  const slotImportPath = computeSlotImportPath(route.slotModule!, "apps/server/generated/routes");
+  const slotImportPath = computeSlotImportPath(route.slotModule!, GENERATED_RELATIVE_PATHS.serverRoutes);
 
   return `// Generated by Mandu - DO NOT EDIT DIRECTLY
 // Route ID: ${route.id}
@@ -383,13 +384,13 @@ export default {
  * "todo-page" → "TodoPage"
  * "user_profile" → "UserProfile"
  */
-function toPascalCase(str: string): string {
+function toPascalCase(str: string): string {
   return str
     .split(/[-_]/)
     .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
     .join("");
-}
-
-function pathDirname(filePath: string): string {
-  return filePath.replace(/\\/g, "/").split("/").slice(0, -1).join("/");
-}
+}
+
+function pathDirname(filePath: string): string {
+  return filePath.replace(/\\/g, "/").split("/").slice(0, -1).join("/");
+}

package/src/guard/auto-correct.ts

@@ -172,7 +172,7 @@ async function correctSpecHashMismatch(
   rootDir: string
 ): Promise<AutoCorrectStep> {
   try {
-    const lockPath = path.join(rootDir, "spec/spec.lock.json");
+    const lockPath = path.join(rootDir, ".mandu/spec.lock.json");
     await writeLock(lockPath, manifest);
 
     return {