@nick848/fet 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 nick848
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,44 @@
+# FET
+
+在项目中以 [OpenSpec](https://github.com/Fission-AI/OpenSpec) 为基座做**工作流编排**：`fet` 命令在前后挂钩子、管理 `openspec/fet-state.json`、生成上下文与工具技能（Cursor / OpenCode），并把 `openspec` CLI 透传执行。
+
+## 要求
+
+- Node.js **≥ 18**
+- 已安装 OpenSpec CLI（PATH 中的 `openspec`，否则将尝试 `npx @fission-ai/openspec`）
+
+## 安装
+
+```bash
+npm install -g @nick848/fet
+```
+
+## 常用命令
+
+| 命令 | 说明 |
+|------|------|
+| `fet init` | 初始化 OpenSpec + FET 状态、扫描上下文、生成工具文件（`--tool cursor \| opencode \| both`） |
+| `fet apply` / `fet validate` | 实施循环与任务校验 |
+| `fet verify` | 终验（`--auto` / `--done` 等） |
+| `fet doctor` | 诊断配置与 openspec 解析路径 |
+| `fet update-context` | 刷新 `AGENTS.md` 与 `openspec/config.yaml` 中的 FET 区块 |
+
+其余子命令多为对 `openspec` 的透传，详见 `fet --help`。
+
+## 文档
+
+仓库内 [DESIGN.md](./DESIGN.md) 为完整设计说明（威胁模型、状态机、与 OpenSpec 关系等）。
+
+## 维护者：发布到 npm
+
+1. 登录：`npm login`（首次）
+2. 确认版本号：编辑 `package.json` 的 `version`（语义化版本）
+3. 本地校验：`npm run build && npm test`
+4. 干跑包内容：`npm pack --dry-run`
+5. 发布（作用域包已设 `publishConfig.access: public`）：`npm publish`
+
+`prepublishOnly` 会在发布前自动执行 `npm run build && npm test`。
+
+## 开源协议
+
+MIT，见 [LICENSE](./LICENSE)。

package/dist/apply.d.ts

@@ -0,0 +1 @@
+export declare function runApply(cwd: string): Promise<void>;

package/dist/apply.js

@@ -0,0 +1,172 @@
+import chokidar from "chokidar";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { ensureAutoRunApproval } from "./approval.js";
+import { writeFileAtomicSameDirTmp } from "./atomic-write.js";
+import { computeCommandFingerprint } from "./fingerprint.js";
+import { FET_VERSION, getOpenSpecLaunch } from "./openspec.js";
+import { applyInstructionsPath, changeStatePath, tasksPath } from "./paths.js";
+import { defaultChangeState, readChangeState, readGlobalState, reconcileStates, writeChangeState, writeGlobalState, } from "./state.js";
+import { firstIncompleteTask } from "./tasks.js";
+import { resolveWatchRoots } from "./watch-paths.js";
+const APPLY_PHASES = new Set(["planned", "proposed", "implement"]);
+function buildApplyInstructions(params) {
+    const front = [
+        "---",
+        `generatedAt: ${new Date().toISOString()}`,
+        `fetVersion: ${FET_VERSION}`,
+        `changeId: ${params.changeId}`,
+        `taskId: ${params.taskId}`,
+        "---",
+        "",
+    ].join("\n");
+    const body = [
+        `# Apply: ${params.changeId}`,
+        "",
+        `## Current task (${params.taskId})`,
+        "",
+        params.taskTitle,
+        "",
+        "## Required context",
+        "",
+        "- Read `AGENTS.md` and `openspec/config.yaml` at repo root.",
+        `- Read change artifacts under \`openspec/changes/${params.changeId}/\` (proposal, specs, design, tasks).`,
+        "",
+        "## After coding",
+        "",
+        "Run in a **second terminal** (this session may be holding the watcher):",
+        "",
+        "```bash",
+        "fet validate",
+        "```",
+        "",
+    ].join("\n");
+    return front + body;
+}
+function resolveActiveChangeId(cwd) {
+    const g = readGlobalState(cwd);
+    if (g.activeChangeId)
+        return g.activeChangeId;
+    if (g.openChanges.length === 1)
+        return g.openChanges[0] ?? null;
+    return null;
+}
+export async function runApply(cwd) {
+    const launch = getOpenSpecLaunch();
+    console.log(`[fet] OpenSpec: ${launch.displayPath}`);
+    let global = readGlobalState(cwd);
+    const rec = reconcileStates(cwd, global);
+    global = rec.global;
+    for (const w of rec.warnings)
+        console.error(`[fet] ${w}`);
+    writeGlobalState(cwd, global);
+    const changeId = resolveActiveChangeId(cwd);
+    if (!changeId) {
+        console.error("[fet] No active change. Set openspec/fet-state.json activeChangeId or ensure a single open change.");
+        process.exitCode = 1;
+        return;
+    }
+    let cs = readChangeState(cwd, changeId);
+    if (!cs)
+        cs = defaultChangeState(changeId);
+    const phase = (cs.currentPhase || "implement").toLowerCase();
+    if (!APPLY_PHASES.has(phase)) {
+        console.error(`[fet] apply requires currentPhase in planned | proposed | implement (got "${cs.currentPhase}").`);
+        process.exitCode = 1;
+        return;
+    }
+    const tp = join(cwd, tasksPath(changeId));
+    if (!existsSync(tp)) {
+        console.error(`[fet] Missing tasks.md for change ${changeId}`);
+        process.exitCode = 1;
+        return;
+    }
+    const fpNow = computeCommandFingerprint(cwd);
+    if (global.autoRunApproval?.commandFingerprint !== fpNow) {
+        global = { ...global, autoRunApproval: undefined };
+        writeGlobalState(cwd, global);
+    }
+    try {
+        await ensureAutoRunApproval(cwd);
+    }
+    catch (e) {
+        console.error(e instanceof Error ? e.message : e);
+        process.exitCode = 1;
+        return;
+    }
+    const md = readFileSync(tp, "utf8");
+    const next = firstIncompleteTask(md);
+    if (!next) {
+        console.log(`[fet] All tasks appear complete for ${changeId}. Run fet verify when ready.`);
+        return;
+    }
+    const instructions = buildApplyInstructions({
+        changeId,
+        taskId: next.id,
+        taskTitle: next.title || "(no title)",
+    });
+    const outPath = join(cwd, applyInstructionsPath(changeId));
+    writeFileAtomicSameDirTmp(outPath, instructions);
+    cs = { ...cs, currentTaskId: next.id, currentPhase: phase };
+    writeChangeState(cwd, cs);
+    console.log(`[fet] Wrote ${applyInstructionsPath(changeId)} (atomic tmp → rename)`);
+    console.log(`[fet] Current task: ${next.id} (auto_next=${next.autoNext})`);
+    console.log("[fet] Watching for file activity. When all tasks are done (e.g. after validate), this process will exit. Ctrl+C to stop early.");
+    const stateFile = join(cwd, changeStatePath(changeId));
+    let debounce = null;
+    const roots = resolveWatchRoots(cwd);
+    const watched = [...roots, stateFile, join(cwd, tasksPath(changeId))];
+    const watcher = chokidar.watch(watched, {
+        ignored: /(node_modules|\.git|dist|build)/,
+        ignoreInitial: true,
+    });
+    const bump = (path) => {
+        if (debounce)
+            clearTimeout(debounce);
+        debounce = setTimeout(() => {
+            console.log(`[fet] (${path}) idle ~3s since last file change`);
+        }, 3000);
+    };
+    let allDone = false;
+    const checkAllTasksDone = () => {
+        try {
+            const t = readFileSync(join(cwd, tasksPath(changeId)), "utf8");
+            if (!firstIncompleteTask(t)) {
+                console.log("[fet] All tasks complete. Run `fet verify`. Apply watcher exiting.");
+                allDone = true;
+            }
+        }
+        catch {
+            /* ignore */
+        }
+    };
+    await new Promise((resolve) => {
+        let settled = false;
+        let poll = null;
+        const finish = () => {
+            if (settled)
+                return;
+            settled = true;
+            if (poll)
+                clearInterval(poll);
+            watcher.close().then(() => resolve(), () => resolve());
+        };
+        process.once("SIGINT", finish);
+        poll = setInterval(() => {
+            checkAllTasksDone();
+            if (allDone)
+                finish();
+        }, 2000);
+        watcher.on("all", (_ev, path) => {
+            if (path)
+                bump(String(path));
+            if (path && String(path).replace(/\\/g, "/").endsWith("tasks.md")) {
+                checkAllTasksDone();
+                if (allDone)
+                    finish();
+            }
+        });
+    });
+    if (debounce)
+        clearTimeout(debounce);
+}

package/dist/approval.d.ts

@@ -0,0 +1,2 @@
+/** DESIGN 6.2 / 14.7: shared auto-run approval for apply, validate, verify --auto */
+export declare function ensureAutoRunApproval(cwd: string): Promise<void>;

package/dist/approval.js

@@ -0,0 +1,26 @@
+import { readGlobalState, writeGlobalState } from "./state.js";
+import { collectScriptFingerprintParts, computeCommandFingerprint } from "./fingerprint.js";
+import { confirmAutoRun } from "./prompt.js";
+/** DESIGN 6.2 / 14.7: shared auto-run approval for apply, validate, verify --auto */
+export async function ensureAutoRunApproval(cwd) {
+    let global = readGlobalState(cwd);
+    const fp = computeCommandFingerprint(cwd);
+    if (global.autoRunApproval?.commandFingerprint === fp)
+        return;
+    const { parts } = collectScriptFingerprintParts(cwd);
+    console.log("[fet] The following may run non-sandboxed scripts (npm test / lint / tsc, etc.):");
+    for (const p of parts)
+        console.log(`  - ${p}`);
+    const ok = await confirmAutoRun("[fet] Approve auto-run?");
+    if (!ok)
+        throw new Error("Approval declined");
+    global = {
+        ...global,
+        autoRunApproval: {
+            confirmedAt: new Date().toISOString(),
+            commandFingerprint: fp,
+            packageManager: "npm",
+        },
+    };
+    writeGlobalState(cwd, global);
+}

package/dist/atomic-write.d.ts

@@ -0,0 +1,5 @@
+/** DESIGN 14.5: same-dir `*.tmp` then rename (e.g. apply-instructions.md.tmp). */
+export declare function writeFileAtomicSameDirTmp(targetPath: string, content: string): void;
+/** Write text atomically: temp file, fsync, rename (same directory). */
+export declare function writeFileAtomicSync(targetPath: string, content: string): void;
+export declare function backupIfExists(filePath: string): void;

package/dist/atomic-write.js

@@ -0,0 +1,41 @@
+import { closeSync, copyFileSync, existsSync, fsyncSync, mkdirSync, openSync, renameSync, writeSync, } from "node:fs";
+import { basename, dirname, join } from "node:path";
+/** DESIGN 14.5: same-dir `*.tmp` then rename (e.g. apply-instructions.md.tmp). */
+export function writeFileAtomicSameDirTmp(targetPath, content) {
+    const dir = dirname(targetPath);
+    const base = basename(targetPath);
+    const tmp = join(dir, `${base}.tmp`);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    const fd = openSync(tmp, "w");
+    try {
+        writeSync(fd, content);
+        fsyncSync(fd);
+    }
+    finally {
+        closeSync(fd);
+    }
+    renameSync(tmp, targetPath);
+}
+/** Write text atomically: temp file, fsync, rename (same directory). */
+export function writeFileAtomicSync(targetPath, content) {
+    const dir = dirname(targetPath);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    const tmp = `${targetPath}.${process.pid}.tmp`;
+    const fd = openSync(tmp, "w");
+    try {
+        writeSync(fd, content);
+        fsyncSync(fd);
+    }
+    finally {
+        closeSync(fd);
+    }
+    renameSync(tmp, targetPath);
+}
+export function backupIfExists(filePath) {
+    if (!existsSync(filePath))
+        return;
+    const bak = `${filePath}.bak`;
+    copyFileSync(filePath, bak);
+}

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,178 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Command } from "commander";
+import { runApply } from "./apply.js";
+import { runDoctor } from "./doctor.js";
+import { assertChangeVerifiedForGate, runOpenSpecWithHooks } from "./hooks.js";
+import { runInit } from "./init.js";
+import { readGlobalState, positionalArgs } from "./state.js";
+import { runUpdateContext } from "./scanner.js";
+import { runValidate } from "./validate.js";
+import { runVerify } from "./verify.js";
+function tailAfter(sub) {
+    const a = process.argv;
+    const i = a.findIndex((v, idx) => idx >= 2 && v === sub);
+    if (i === -1)
+        return [];
+    return a.slice(i + 1);
+}
+function mapNewArgs(rest) {
+    if (rest[0] === "change")
+        return ["new", ...rest];
+    return ["new", "change", ...rest];
+}
+function readPkgVersion() {
+    try {
+        const root = dirname(dirname(fileURLToPath(import.meta.url)));
+        const raw = readFileSync(join(root, "package.json"), "utf8");
+        const j = JSON.parse(raw);
+        return j.version ?? "0.0.0";
+    }
+    catch {
+        return "0.0.0";
+    }
+}
+const PROXIES = [
+    "explore",
+    "propose",
+    "continue",
+    "ff",
+    "onboard",
+    "list",
+    "view",
+    "spec",
+    "config",
+    "show",
+    "update",
+    "feedback",
+    "status",
+    "instructions",
+    "templates",
+    "schemas",
+    "schema",
+    "change",
+    "completion",
+];
+const WORKFLOW_HINTS = new Set(["continue", "ff", "onboard"]);
+async function main() {
+    const program = new Command();
+    program.name("fet").description("FET — OpenSpec workflow orchestration").version(readPkgVersion());
+    program
+        .command("init")
+        .option("--tool <tool>", "Tooling: cursor | opencode | both (OpenCode: .opencode/skills/*/SKILL.md, see opencode.ai/docs/skills)", "cursor")
+        .option("--force", "overwrite Cursor skills/rules", false)
+        .action(async (opts) => {
+        await runInit(process.cwd(), { tool: opts.tool, force: opts.force });
+    });
+    program.command("doctor").action(() => {
+        runDoctor(process.cwd());
+    });
+    program.command("update-context").action(() => {
+        runUpdateContext(process.cwd());
+    });
+    program.command("apply").action(async () => {
+        await runApply(process.cwd());
+    });
+    program.command("validate").action(async () => {
+        await runValidate(process.cwd());
+    });
+    program
+        .command("verify")
+        .description("Final verification. Default: honest local trust (DESIGN 14.8). --auto runs validate+lint+tsc+test; not a cryptographic audit.")
+        .option("--auto", "run automated verify chain", false)
+        .option("--done", "record manual verify complete", false)
+        .option("--evidence <path>", "optional evidence file for --done")
+        .option("--strict", "strict manual verify (recorded in state)", false)
+        .action(async (opts) => {
+        await runVerify(process.cwd(), {
+            auto: opts.auto,
+            done: opts.done,
+            evidence: opts.evidence,
+            strict: opts.strict,
+        });
+    });
+    program.command("archive").action(async () => {
+        try {
+            const rest = tailAfter("archive");
+            const pos = positionalArgs(rest);
+            const cwd = process.cwd();
+            const gateId = pos.length ? (pos[pos.length - 1] ?? null) : readGlobalState(cwd).activeChangeId;
+            const removeId = gateId ?? readGlobalState(cwd).activeChangeId;
+            const code = await runOpenSpecWithHooks({ cwd }, ["archive", ...rest], {
+                pre: () => {
+                    assertChangeVerifiedForGate(cwd, gateId);
+                },
+                onSuccessRemoveChanges: removeId ? [removeId] : [],
+            });
+            process.exitCode = code;
+        }
+        catch (e) {
+            console.error(e instanceof Error ? e.message : e);
+            process.exitCode = 1;
+        }
+    });
+    program.command("bulk-archive").action(async () => {
+        try {
+            const rest = tailAfter("bulk-archive");
+            const ids = positionalArgs(rest);
+            const cwd = process.cwd();
+            if (!ids.length) {
+                console.error("[fet] bulk-archive requires at least one change id");
+                process.exitCode = 1;
+                return;
+            }
+            for (const id of ids) {
+                assertChangeVerifiedForGate(cwd, id);
+            }
+            const code = await runOpenSpecWithHooks({ cwd }, ["bulk-archive", ...rest], { onSuccessRemoveChanges: ids });
+            process.exitCode = code;
+        }
+        catch (e) {
+            console.error(e instanceof Error ? e.message : e);
+            process.exitCode = 1;
+        }
+    });
+    program.command("sync").action(async () => {
+        try {
+            if (!process.stdin.isTTY) {
+                console.error("[fet] sync requires an interactive terminal for OpenSpec conflict resolution (DESIGN 8.2).");
+                process.exitCode = 1;
+                return;
+            }
+            const rest = tailAfter("sync");
+            const cwd = process.cwd();
+            const pos = positionalArgs(rest);
+            const changeId = pos.length ? (pos[pos.length - 1] ?? null) : readGlobalState(cwd).activeChangeId;
+            const code = await runOpenSpecWithHooks({ cwd }, ["sync", ...rest], {
+                pre: () => {
+                    assertChangeVerifiedForGate(cwd, changeId);
+                },
+            });
+            process.exitCode = code;
+        }
+        catch (e) {
+            console.error(e instanceof Error ? e.message : e);
+            process.exitCode = 1;
+        }
+    });
+    program.command("new").action(async () => {
+        const rest = tailAfter("new");
+        const args = mapNewArgs(rest);
+        const code = await runOpenSpecWithHooks({ cwd: process.cwd() }, args, {});
+        process.exitCode = code;
+    });
+    for (const name of PROXIES) {
+        program.command(name).action(async () => {
+            const rest = tailAfter(name);
+            const code = await runOpenSpecWithHooks({ cwd: process.cwd() }, [name, ...rest], { workflowHint: WORKFLOW_HINTS.has(name) ? name : undefined });
+            process.exitCode = code;
+        });
+    }
+    await program.parseAsync(process.argv);
+}
+main().catch((e) => {
+    console.error(e);
+    process.exitCode = 1;
+});

package/dist/doctor.d.ts

@@ -0,0 +1 @@
+export declare function runDoctor(cwd: string): void;

package/dist/doctor.js

@@ -0,0 +1,93 @@
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { computeCommandFingerprint } from "./fingerprint.js";
+import { getOpenSpecLaunch, openSpecVersionLine } from "./openspec.js";
+import { CONFIG_FILE, GLOBAL_STATE_FILE, changeDir, tasksPath } from "./paths.js";
+import { readChangeState, readGlobalState, reconcileStates, writeGlobalState } from "./state.js";
+const STALE_MS = 1000 * 60 * 60 * 24 * 30;
+const ARTIFACTS = ["proposal.md", "tasks.md", "design.md"];
+export function runDoctor(cwd) {
+    const issues = [];
+    const hints = [];
+    const launch = getOpenSpecLaunch();
+    console.log(`[fet] openspec launch: ${launch.displayPath}`);
+    const ver = openSpecVersionLine();
+    if (ver)
+        console.log(`[fet] openspec version: ${ver}`);
+    else
+        hints.push("Could not read openspec -V (network or npx may be slow)");
+    const gs = join(cwd, GLOBAL_STATE_FILE);
+    if (!existsSync(gs))
+        issues.push(`missing ${GLOBAL_STATE_FILE}`);
+    else {
+        try {
+            JSON.parse(readFileSync(gs, "utf8"));
+        }
+        catch {
+            issues.push(`${GLOBAL_STATE_FILE} is not valid JSON`);
+        }
+    }
+    const agents = join(cwd, "AGENTS.md");
+    if (existsSync(agents)) {
+        const mtime = statSync(agents).mtimeMs;
+        if (Date.now() - mtime > STALE_MS)
+            hints.push("AGENTS.md may be stale — consider fet update-context");
+    }
+    else
+        hints.push("AGENTS.md missing — run fet init / fet update-context");
+    const cfg = join(cwd, CONFIG_FILE);
+    if (existsSync(cfg)) {
+        const mtime = statSync(cfg).mtimeMs;
+        if (Date.now() - mtime > STALE_MS)
+            hints.push("openspec/config.yaml may be stale — consider fet update-context");
+    }
+    let g = readGlobalState(cwd);
+    const rec = reconcileStates(cwd, g);
+    g = rec.global;
+    writeGlobalState(cwd, g);
+    for (const w of rec.warnings)
+        hints.push(w);
+    const active = g.activeChangeId;
+    if (active) {
+        const cs = readChangeState(cwd, active);
+        if (cs?.verify?.status !== "done") {
+            hints.push(`Active change "${active}" is not verified — archive/sync will be blocked until fet verify --done or --auto`);
+        }
+        const changeRoot = join(cwd, changeDir(active));
+        if (existsSync(changeRoot)) {
+            for (const a of ARTIFACTS) {
+                const ap = join(changeRoot, a);
+                if (!existsSync(ap))
+                    hints.push(`Change "${active}" missing artifact: ${a} (optional depending on workflow)`);
+            }
+            const tp = join(cwd, tasksPath(active));
+            if (!existsSync(tp))
+                hints.push(`Change "${active}" has no tasks.md yet`);
+        }
+    }
+    const fp = computeCommandFingerprint(cwd);
+    if (g.autoRunApproval && g.autoRunApproval.commandFingerprint !== fp) {
+        hints.push("package.json scripts changed since last auto-run approval — next validate/verify --auto will re-prompt");
+    }
+    const cursorSkills = join(cwd, ".cursor", "skills");
+    if (!existsSync(cursorSkills))
+        hints.push("Cursor skills missing — run fet init --tool cursor");
+    const opencodeSkills = join(cwd, ".opencode", "skills");
+    if (!existsSync(opencodeSkills)) {
+        hints.push("OpenCode skills missing — run fet init --tool opencode (see https://opencode.ai/docs/skills )");
+    }
+    if (issues.length) {
+        console.error("[fet] doctor: issues:");
+        for (const i of issues)
+            console.error(`  - ${i}`);
+        process.exitCode = 1;
+    }
+    else {
+        console.log("[fet] doctor: no blocking issues.");
+    }
+    if (hints.length) {
+        console.log("[fet] doctor: hints:");
+        for (const h of hints)
+            console.log(`  - ${h}`);
+    }
+}

package/dist/fingerprint.d.ts

@@ -0,0 +1,6 @@
+/** Collect script literals for validate/verify-auto (DESIGN 14.7, monorepo workspaces). */
+export declare function collectScriptFingerprintParts(cwd: string): {
+    parts: string[];
+    lockfileHints: string[];
+};
+export declare function computeCommandFingerprint(cwd: string): string;

package/dist/fingerprint.js

@@ -0,0 +1,77 @@
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join, relative } from "node:path";
+function stableSerialize(obj) {
+    return JSON.stringify(obj, Object.keys(obj).sort());
+}
+function workspacePackageJsonFiles(cwd) {
+    const out = [];
+    const pkgPath = join(cwd, "package.json");
+    if (!existsSync(pkgPath))
+        return out;
+    try {
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        const patterns = Array.isArray(pkg.workspaces)
+            ? pkg.workspaces
+            : (pkg.workspaces?.packages ?? []);
+        for (const pat of patterns) {
+            if (typeof pat !== "string")
+                continue;
+            if (pat.includes("*")) {
+                const packagesDir = join(cwd, "packages");
+                if (existsSync(packagesDir)) {
+                    for (const name of readdirSync(packagesDir)) {
+                        const p = join(packagesDir, name, "package.json");
+                        if (existsSync(p))
+                            out.push(p);
+                    }
+                }
+            }
+            else {
+                const p = join(cwd, pat, "package.json");
+                if (existsSync(p))
+                    out.push(p);
+            }
+        }
+    }
+    catch {
+        /* skip */
+    }
+    return out;
+}
+function scriptsFingerprintSlice(pkgPath, cwd) {
+    try {
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        const scripts = pkg.scripts ?? {};
+        const keys = ["test", "lint", "build"].filter((k) => scripts[k] != null);
+        const ordered = {};
+        for (const k of keys.sort())
+            ordered[k] = scripts[k] ?? "";
+        const rel = relative(cwd, pkgPath).replace(/\\/g, "/");
+        return `${rel}:${stableSerialize(ordered)}`;
+    }
+    catch {
+        return `${pkgPath}:{}`;
+    }
+}
+/** Collect script literals for validate/verify-auto (DESIGN 14.7, monorepo workspaces). */
+export function collectScriptFingerprintParts(cwd) {
+    const parts = [];
+    const rootPkg = join(cwd, "package.json");
+    if (existsSync(rootPkg)) {
+        parts.push(scriptsFingerprintSlice(rootPkg, cwd));
+    }
+    for (const ws of workspacePackageJsonFiles(cwd)) {
+        parts.push(scriptsFingerprintSlice(ws, cwd));
+    }
+    const lockfiles = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"].filter((f) => existsSync(join(cwd, f)));
+    parts.push(...lockfiles.map((f) => `lock:${f}`));
+    return { parts, lockfileHints: lockfiles };
+}
+export function computeCommandFingerprint(cwd) {
+    const { parts } = collectScriptFingerprintParts(cwd);
+    const h = createHash("sha256");
+    for (const p of parts.sort())
+        h.update(p + "\n");
+    return h.digest("hex");
+}