@ojokesusu/lintasai 1.1.2

package/lib/git-helpers.ps1

@@ -0,0 +1,104 @@
+<#
+.SYNOPSIS
+  lib/git-helpers.ps1 - Git metadata cleanup + Mark-of-the-Web unblock helpers
+  untuk lintasAI kit scripts.
+
+.DESCRIPTION
+  Modul ini berisi dua helper yang sebelumnya tertanam inline di setup-pola-b.ps1
+  (dan kemungkinan di-share dengan update-kit.ps1 / install-windows.ps1):
+
+    - Remove-GitMetadata : Hapus folder .git/ di dalam kit directory.
+                           Penting karena kalau kit di-CLONE (bukan zip-extract),
+                           folder .git/ ikut ke project user. Itu menyebabkan:
+                             * Bloat (history kit-dev, potensial ratusan MB)
+                             * Expose history internal kit-dev ke user repo
+                             * User accidentally bikin `git submodule` /
+                               confuse `git log`
+                           Idempotent: skip kalau folder .git/ tidak ada.
+
+    - Remove-MotwBlock    : Unblock-File recursive untuk semua file di kit.
+                           Mark-of-the-Web (MOTW) = NTFS Alternate Data Stream
+                           Zone.Identifier yang di-set Windows kalau file
+                           di-download dari internet (zip dari GitHub, dst.).
+                           File MOTW-blocked = script .ps1 di-reject oleh
+                           ExecutionPolicy walaupun signed. Unblock = strip
+                           Zone.Identifier ADS supaya kit bisa di-eksekusi.
+
+  Behavior umum:
+    - Best-effort: gagal hapus / gagal unblock TIDAK throw — return $false.
+                   Caller bisa pilih lanjut atau abort. Konsisten dengan
+                   pattern inline di setup-pola-b.ps1 (try/catch + warn).
+    - PowerShell 5.1 compatible: tidak pakai operator $?:, ??, ?., -AsHashtable,
+                                 atau syntax PS 7+ lainnya.
+    - Verbose logging via Write-Verbose (silent secara default). Caller bisa
+      enable dengan -Verbose untuk debugging.
+
+.NOTES
+  Versi  : 1.0.0
+  Tanggal: 2026-06-06
+  Extracted from: setup-pola-b.ps1 v1.9 (lines 173-200)
+  Compat: PowerShell 5.1+
+#>
+
+# ---- Remove-GitMetadata ----
+# Hapus folder .git/ di -Path. Idempotent (skip kalau tidak ada).
+# Return: $true kalau sukses ATAU folder .git/ tidak ada (no-op success).
+#         $false kalau gagal hapus (folder ada tapi Remove-Item throw).
+function Remove-GitMetadata {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Path
+    )
+
+    if (-not (Test-Path -LiteralPath $Path)) {
+        Write-Verbose ("Remove-GitMetadata: Path tidak ada, skip: {0}" -f $Path)
+        return $true
+    }
+
+    $gitDir = Join-Path $Path '.git'
+    if (-not (Test-Path -LiteralPath $gitDir)) {
+        Write-Verbose ("Remove-GitMetadata: .git/ tidak ada di {0}, no-op." -f $Path)
+        return $true
+    }
+
+    try {
+        Remove-Item -Recurse -Force -LiteralPath $gitDir -ErrorAction Stop
+        Write-Verbose ("Remove-GitMetadata: .git/ removed dari {0}" -f $Path)
+        return $true
+    } catch {
+        Write-Warning ("Remove-GitMetadata: gagal hapus {0}: {1}" -f $gitDir, $_)
+        Write-Warning ("  Fix manual: Remove-Item -Recurse -Force '{0}'" -f $gitDir)
+        return $false
+    }
+}
+
+# ---- Remove-MotwBlock ----
+# Recursive Unblock-File untuk semua file di -Path. Best-effort.
+# Return: $true kalau semua file ter-unblock (atau tidak ada file sama sekali).
+#         $false kalau Unblock-File throw error fatal di top-level enumeration.
+# Individual file fail = silent (Unblock-File -ErrorAction SilentlyContinue),
+# konsisten dengan pattern inline di setup-pola-b.ps1.
+function Remove-MotwBlock {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Path
+    )
+
+    if (-not (Test-Path -LiteralPath $Path)) {
+        Write-Verbose ("Remove-MotwBlock: Path tidak ada, skip: {0}" -f $Path)
+        return $true
+    }
+
+    try {
+        Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
+            Unblock-File -ErrorAction SilentlyContinue
+        Write-Verbose ("Remove-MotwBlock: MOTW di-unblock untuk semua file di {0}" -f $Path)
+        return $true
+    } catch {
+        Write-Warning ("Remove-MotwBlock: Unblock-File gagal di {0}: {1}" -f $Path, $_)
+        Write-Warning "  Script tetap bisa lanjut, tapi mungkin perlu Unblock-File manual."
+        return $false
+    }
+}

package/lib/kit-files.psd1

@@ -0,0 +1,133 @@
+# kit-files.psd1 - SINGLE SOURCE OF TRUTH untuk file kit
+# Update file ini WHEN add/rename/remove file kit
+# Konsumen: setup-pola-b.ps1, kit.ps1 doctor, install-windows.ps1, uninstall.ps1
+
+@{
+    schema_version = 1
+
+    # Tier 1: CORE prompts (selalu deploy, wajib ada)
+    core_prompts = @(
+        'MULAI_DI_SINI.md',
+        'JALANKAN_KIT.md',
+        'UPDATE_KIT_PROMPT_v1.md',
+        'AUDIT_POST_SETUP_PROMPT_v1.md',
+        'PROJECT_LIFECYCLE_PROMPT_v1.md',
+        'SPLIT_REPO_MIGRATION_PROMPT_v1.md'
+    )
+
+    # Tier 2: Universal rules (auto-loaded AI tiap sesi)
+    universal_rules = @(
+        'CLAUDE_universal_v1.md',
+        'AGENTS.md.template'
+    )
+
+    # Tier 3: PowerShell scripts
+    scripts = @(
+        'kit.ps1',
+        'setup-pola-b.ps1',
+        'update-kit.ps1',
+        'uninstall.ps1',
+        'install-windows.ps1'
+    )
+
+    # Tier 4: Lib modules
+    lib_files = @(
+        'lib/rollback.ps1',
+        'lib/safety.ps1',
+        'lib/manifest-signing.ps1'
+    )
+
+    # Tier 5: Templates (deployed to project saat setup)
+    templates = @(
+        'templates/PROMPT_LIBRARY.md',
+        'templates/ANALOGI_LIBRARY.md',
+        'templates/UPDATE_GUIDE.md',
+        'templates/glossary.md',
+        'templates/INDEX.md',
+        'templates/SPLIT_REPO_AGENTS_TEMPLATES.md',
+        'templates/SPLIT_REPO_NON_PROGRAMMER_PROMPTS.md',
+        'templates/SPLIT_REPO_TOOLS_SETUP.md',
+        'templates/DISCORD_BOT_INTEGRATION.md',
+        'templates/STACK_DETECTION_PATTERN.md',
+        'templates/PROJECT_STARTER_TEMPLATES.md',
+        'templates/split-agents/FRONTEND.md',
+        'templates/split-agents/BACKEND.md',
+        'templates/split-agents/SHARED.md',
+        'templates/split-agents/TOOLS.md',
+        'templates/CROSS_REPO_TYPES_PIPELINE.md',
+        'templates/github/RENOVATE_FRONTEND.json',
+        'templates/github/PUBLISH_SHARED_WORKFLOW.yml',
+        'templates/github/GENERATE_TYPES_SCRIPT.md',
+        'templates/github/TRIGGER_FRONTEND_UPDATE.yml',
+        'templates/github/RECEIVE_BACKEND_UPDATE.yml',
+        'templates/architecture.md',
+        'templates/architecture_auto.md',
+        'templates/CLAUDE_TEAM_GUIDE.md',
+        'templates/feature-flags-advanced.md',
+        'templates/MCP_SETUP.md',
+        'templates/ONBOARDING.md',
+        'templates/RLS_SETUP_PROMPT.md',
+        'templates/STACK_GUIDE.md',
+        'templates/STACK_VERSIONS.md',
+        'templates/MIGRATE_TO_SUBFOLDER_PROMPT_v1.md',
+        'templates/_EXAMPLE.md',
+        'templates/_PATTERNS.md',
+        'templates/STACK_MIGRATION_GUIDE.md',
+        'templates/GLOSSARY_NON_PROGRAMMER.md',
+        'templates/SECURITY_INCIDENT_PLAYBOOK.md',
+        'templates/DB_SCHEMA_SCAN_PROMPT.md'
+    )
+
+    # Tier 5b: Deprecated stubs (legacy prompts, still on disk, akan dihapus)
+    deprecated_stubs = @(
+        'BOOTSTRAP_PROJECT_DOCS_PROMPT_v1.md',
+        'FIRST_SESSION_PROMPT_v1.md',
+        'PROJECT_KICKOFF_PROMPT_v1.md',
+        'PROJECT_MIGRATION_PROMPT_v1.md',
+        'SETUP_POLA_B_PROMPT_v1.md',
+        'TEAM_ROLLOUT_GUIDE_v1.md',
+        'UPDATE_DOCS_PROMPT_v1.md'
+    )
+
+    # Tier 5c: Decisions / ADR templates
+    decisions = @(
+        'templates/decisions/_TEMPLATE.md',
+        'templates/decisions/README.md'
+    )
+
+    # Tier 5d: GitHub assets (CODEOWNERS, PR template, workflows, scripts)
+    github_assets = @(
+        'templates/github/CODEOWNERS.template',
+        'templates/github/pull_request_template.md',
+        'templates/github/scripts/ai-review.js',
+        'templates/github/workflows/ai-review.yml',
+        'templates/github/workflows/backup-schemas.yml'
+    )
+
+    # Tier 6: Docs
+    docs = @(
+        'docs/SIGNED_RELEASE.md'
+    )
+
+    # Tier 7: Tests
+    tests = @(
+        'tests/Run-Tests.ps1',
+        'tests/lib-safety.Tests.ps1',
+        'tests/rollback.Tests.ps1',
+        'tests/update-kit.Tests.ps1',
+        'tests/uninstall.Tests.ps1'
+    )
+
+    # Tier 8: CI
+    ci = @(
+        '.github/workflows/validate.yml'
+    )
+
+    # Tier 9: Project meta
+    meta = @(
+        'CHANGELOG.md',
+        'README.md',
+        'LICENSE',
+        'CONTRIBUTING.md'
+    )
+}

package/lib/manifest-signing.ps1

@@ -0,0 +1,65 @@
+#!/usr/bin/env pwsh
+<#
+.SYNOPSIS
+  Manifest HMAC signing untuk prevent tampering attack.
+.DESCRIPTION
+  Sign .install-manifest.json dengan HMAC-SHA256 pakai salt derived dari
+  kit version constant. Verify signature sebelum trust manifest entries.
+
+  HMAC = anti-EDIT detection (manifest tidak diam-diam dimodifikasi),
+  BUKAN forge-proof secret. Pakai detached signature kalau perlu real secret.
+#>
+
+function Get-ManifestSecret {
+    param([string]$KitVersion)
+
+    if ($env:LINTASAI_MANIFEST_SECRET) {
+        return $env:LINTASAI_MANIFEST_SECRET
+    }
+
+    # Constant kit-version-based key (anti-EDIT, BUKAN forge-proof secret)
+    # Same kit version = same key = manifest portable across machines
+    $material = "lintasAI-manifest-v1|$KitVersion|signed-2026"
+    $bytes = [System.Text.Encoding]::UTF8.GetBytes($material)
+    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
+    return [Convert]::ToBase64String($hash)
+}
+
+function New-ManifestSignature {
+    param(
+        [Parameter(Mandatory)][hashtable]$Manifest,
+        [Parameter(Mandatory)][string]$KitVersion
+    )
+
+    $secret = Get-ManifestSecret -KitVersion $KitVersion
+    $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($secret)
+
+    # Sign canonical JSON (sort keys recursively)
+    $canonical = $Manifest | ConvertTo-Json -Depth 10 -Compress
+    $canonicalBytes = [System.Text.Encoding]::UTF8.GetBytes($canonical)
+
+    $hmac = New-Object System.Security.Cryptography.HMACSHA256
+    $hmac.Key = $secretBytes
+    $signature = $hmac.ComputeHash($canonicalBytes)
+    return [Convert]::ToBase64String($signature)
+}
+
+function Test-ManifestSignature {
+    param(
+        [Parameter(Mandatory)][hashtable]$Manifest,
+        [Parameter(Mandatory)][string]$KitVersion,
+        [Parameter(Mandatory)][string]$ExpectedSignature
+    )
+
+    $actualSignature = New-ManifestSignature -Manifest $Manifest -KitVersion $KitVersion
+
+    # Constant-time compare untuk prevent timing attack
+    if ($actualSignature.Length -ne $ExpectedSignature.Length) { return $false }
+    $equal = $true
+    for ($i = 0; $i -lt $actualSignature.Length; $i++) {
+        if ($actualSignature[$i] -ne $ExpectedSignature[$i]) { $equal = $false }
+    }
+    return $equal
+}
+
+# Functions auto-exposed via dot-source (no Export-ModuleMember karena .ps1)

package/lib/manifest.ps1

@@ -0,0 +1,267 @@
+# =============================================================================
+# Manifest helpers - extracted from setup-pola-b.ps1 v1.1.0
+# =============================================================================
+# Tujuan:
+#   Helper functions untuk build + sign install manifest (.install-manifest.json)
+#   yang dipakai uninstall.ps1 untuk safe-delete (hash-based pristine detection).
+#
+# Beda dengan versi inline di setup-pola-b.ps1:
+#   - TIDAK pakai $script: scope variables. Setiap function terima parameter
+#     eksplisit -> reusable dari script manapun (setup, update-kit, kit.ps1).
+#   - State (installedItems + createdDirs) diwakili object [pscustomobject]
+#     yang di-init via Initialize-Manifest, lalu di-mutate via Add-ToManifest /
+#     Add-DirToManifest, lalu di-flush via Save-Manifest.
+#
+# PowerShell 5.1 compatible (no ternary, no null-coalescing, no class syntax).
+#
+# Public API:
+#   - Initialize-Manifest -ProjectRoot <path>
+#       -> returns [pscustomobject] state container
+#   - Get-FileSha256 -FilePath <path>
+#       -> returns hex SHA-256 string (uppercase, no separator)
+#   - Add-ToManifest  -State <obj> -FilePath <path> -Kind <string> [-From <string>]
+#       -> append file entry (path/kind/sha256[/from]) ke State.Files
+#   - Add-DirToManifest -State <obj> -DirPath <path>
+#       -> append dir relative path ke State.Directories (dedup)
+#   - Save-Manifest -State <obj> -KitDir <path> -KitVersion <string> -ProjectName <string>
+#                   [-PreserveExisting] [-SignManifest]
+#       -> merge dengan manifest sebelumnya (kalau ada), HMAC sign, write JSON
+#       -> returns [pscustomobject] dengan FilesCount, DirsCount, Merged, Signed, ManifestPath
+#
+# Catatan path:
+#   - State.ProjectRoot disimpan supaya Add-ToManifest bisa compute relative path
+#     tanpa minta caller pass ulang setiap call.
+#   - Relative path pakai forward slash (portable di JSON, sama dengan setup-pola-b.ps1).
+# =============================================================================
+
+Set-StrictMode -Version Latest
+
+function Initialize-Manifest {
+    <#
+    .SYNOPSIS
+        Buat state container baru untuk tracking install manifest.
+    .PARAMETER ProjectRoot
+        Absolute path ke root proyek (dipakai untuk compute relative paths).
+    #>
+    param(
+        [Parameter(Mandatory)][string]$ProjectRoot
+    )
+    return [pscustomobject]@{
+        ProjectRoot = $ProjectRoot
+        Files       = @()
+        Directories = @()
+    }
+}
+
+function Get-FileSha256 {
+    <#
+    .SYNOPSIS
+        Compute SHA-256 hash file (hex uppercase, no separator).
+    .PARAMETER FilePath
+        Path ke file yang mau di-hash. Pakai -LiteralPath (no glob expansion).
+    .OUTPUTS
+        [string] hex SHA-256, atau $null kalau file tidak ada.
+    #>
+    param(
+        [Parameter(Mandatory)][string]$FilePath
+    )
+    if (-not (Test-Path -LiteralPath $FilePath)) { return $null }
+    return (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
+}
+
+function ConvertTo-ManifestRelativePath {
+    <#
+    .SYNOPSIS
+        Convert absolute path -> relative path (forward slash, no leading slash).
+    .NOTES
+        Helper internal. Sengaja TIDAK di-export dari API publik karena
+        tightly coupled dengan State.ProjectRoot.
+    #>
+    param(
+        [Parameter(Mandatory)][string]$AbsolutePath,
+        [Parameter(Mandatory)][string]$ProjectRoot
+    )
+    $rel = $AbsolutePath.Replace($ProjectRoot, '')
+    $rel = $rel.TrimStart('\','/')
+    return $rel.Replace('\','/')
+}
+
+function Add-ToManifest {
+    <#
+    .SYNOPSIS
+        Track file ke manifest state dengan sha256 hash.
+    .PARAMETER State
+        Object dari Initialize-Manifest.
+    .PARAMETER FilePath
+        Absolute path file (yang sudah di-copy ke project).
+    .PARAMETER Kind
+        Kategori file (mis. 'lib', 'backup', 'filled_template', 'skeleton', 'team_file').
+        Dipakai uninstall.ps1 untuk decide treatment per kategori.
+    .PARAMETER From
+        Opsional source label (mis. 'AGENTS.md.template'). Disimpan ke field 'from'
+        di manifest entry untuk audit trail.
+    #>
+    param(
+        [Parameter(Mandatory)][pscustomobject]$State,
+        [Parameter(Mandatory)][string]$FilePath,
+        [Parameter(Mandatory)][string]$Kind,
+        [string]$From
+    )
+    if (-not (Test-Path -LiteralPath $FilePath)) { return }
+
+    $sha = Get-FileSha256 -FilePath $FilePath
+    $relPath = ConvertTo-ManifestRelativePath -AbsolutePath $FilePath -ProjectRoot $State.ProjectRoot
+
+    $entry = [ordered]@{
+        path   = $relPath
+        kind   = $Kind
+        sha256 = $sha
+    }
+    if ($From) { $entry.from = $From }
+
+    $State.Files += $entry
+}
+
+function Add-DirToManifest {
+    <#
+    .SYNOPSIS
+        Track directory ke manifest state (dedup).
+    .PARAMETER State
+        Object dari Initialize-Manifest.
+    .PARAMETER DirPath
+        Absolute path directory yang baru dibuat kit.
+    #>
+    param(
+        [Parameter(Mandatory)][pscustomobject]$State,
+        [Parameter(Mandatory)][string]$DirPath
+    )
+    if (-not (Test-Path -LiteralPath $DirPath)) { return }
+
+    $relPath = ConvertTo-ManifestRelativePath -AbsolutePath $DirPath -ProjectRoot $State.ProjectRoot
+    if ($State.Directories -notcontains $relPath) {
+        $State.Directories += $relPath
+    }
+}
+
+function Save-Manifest {
+    <#
+    .SYNOPSIS
+        Merge dengan manifest sebelumnya (kalau ada), HMAC sign, write JSON ke disk.
+    .PARAMETER State
+        Object dari Initialize-Manifest (sudah di-populate via Add-ToManifest / Add-DirToManifest).
+    .PARAMETER KitDir
+        Absolute path ke folder kit (mis. <project>/.claude-kit). Manifest ditulis ke
+        $KitDir/.install-manifest.json.
+    .PARAMETER KitVersion
+        Versi kit (mis. 'v1.1.0' atau 'pre-launch (testing)'). Disimpan di metadata
+        + dipakai untuk HMAC signing key derivation.
+    .PARAMETER ProjectName
+        Nama proyek (leaf dari ProjectRoot). Disimpan ke manifest untuk audit.
+    .PARAMETER PreserveExisting
+        Kalau di-set: merge dengan manifest sebelumnya — preserve entries yang file-nya
+        masih ada di disk + path-nya tidak konflik dengan entry baru. Default: ON.
+    .PARAMETER SignManifest
+        Kalau di-set: HMAC sign manifest via lib/manifest-signing.ps1. Default: ON.
+        Set -SignManifest:$false untuk skip (mis. test mode).
+    .OUTPUTS
+        [pscustomobject] dengan: ManifestPath, FilesCount, DirsCount, Merged, Signed.
+    #>
+    param(
+        [Parameter(Mandatory)][pscustomobject]$State,
+        [Parameter(Mandatory)][string]$KitDir,
+        [Parameter(Mandatory)][string]$KitVersion,
+        [Parameter(Mandatory)][string]$ProjectName,
+        [switch]$PreserveExisting = $true,
+        [switch]$SignManifest = $true
+    )
+
+    $manifestPath = Join-Path $KitDir '.install-manifest.json'
+    $merged = $false
+
+    # ---- Baca manifest sebelumnya (kalau ada) untuk merge ----
+    $previous = $null
+    if ($PreserveExisting -and (Test-Path $manifestPath)) {
+        try {
+            $previous = Get-Content $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json
+        } catch {
+            Write-Host "WARN  Manifest sebelumnya corrupt, akan di-overwrite: $_" -ForegroundColor Yellow
+        }
+    }
+
+    # ---- Merge files: preserve entries dari manifest sebelumnya yang masih ada di disk ----
+    if ($previous -and $previous.PSObject.Properties.Name -contains 'files' -and $previous.files) {
+        $newPaths = @($State.Files | ForEach-Object { $_.path })
+        foreach ($prevEntry in $previous.files) {
+            if ($newPaths -contains $prevEntry.path) { continue }
+            $fullPath = Join-Path $State.ProjectRoot (([string]$prevEntry.path) -replace '/', '\')
+            if (Test-Path -LiteralPath $fullPath) {
+                $entry = [ordered]@{
+                    path   = [string]$prevEntry.path
+                    kind   = [string]$prevEntry.kind
+                    sha256 = [string]$prevEntry.sha256
+                }
+                if ($prevEntry.PSObject.Properties.Name -contains 'from' -and $prevEntry.from) {
+                    $entry.from = [string]$prevEntry.from
+                }
+                $State.Files += $entry
+                $merged = $true
+            }
+        }
+    }
+
+    # ---- Merge dirs: preserve yang masih ada ----
+    if ($previous -and $previous.PSObject.Properties.Name -contains 'directories_created' -and $previous.directories_created) {
+        foreach ($prevDir in $previous.directories_created) {
+            $prevDirStr = [string]$prevDir
+            if ($State.Directories -contains $prevDirStr) { continue }
+            $fullDir = Join-Path $State.ProjectRoot ($prevDirStr -replace '/', '\')
+            if (Test-Path -LiteralPath $fullDir) {
+                $State.Directories += $prevDirStr
+                $merged = $true
+            }
+        }
+    }
+
+    # ---- Build manifest object (anonymized project_root + installed_by) ----
+    $manifestMetadata = [ordered]@{
+        kit_version  = $KitVersion
+        installed_at = (Get-Date -Format 'yyyy-MM-ddTHH:mm:ssZ')
+        installer    = 'setup-pola-b.ps1'
+    }
+    $manifest = [ordered]@{
+        schema_version      = 1
+        kit_version         = $KitVersion
+        installed_at        = (Get-Date -Format 'yyyy-MM-ddTHH:mm:ss')
+        installed_by        = '<USER>'
+        project_name        = $ProjectName
+        project_root        = '<PROJECT_ROOT>'
+        metadata            = $manifestMetadata
+        files               = $State.Files
+        directories_created = $State.Directories
+    }
+
+    # ---- HMAC sign (optional) ----
+    $signed = $false
+    if ($SignManifest) {
+        try {
+            . (Join-Path $KitDir 'lib\manifest-signing.ps1')
+            $manifest.metadata.signature = New-ManifestSignature -Manifest $manifest -KitVersion $KitVersion
+            $signed = $true
+        } catch {
+            Write-Host "WARN  Gagal sign manifest (manifest-signing.ps1 issue): $_" -ForegroundColor Yellow
+            Write-Host "      Manifest tetap ditulis tanpa signature. Uninstall akan prompt karena unsigned." -ForegroundColor Yellow
+        }
+    }
+
+    # ---- Write JSON (UTF-8 NO BOM, supaya hash deterministic + git-friendly) ----
+    $json = $manifest | ConvertTo-Json -Depth 10
+    [System.IO.File]::WriteAllText($manifestPath, $json, (New-Object System.Text.UTF8Encoding $false))
+
+    return [pscustomobject]@{
+        ManifestPath = $manifestPath
+        FilesCount   = $State.Files.Count
+        DirsCount    = $State.Directories.Count
+        Merged       = $merged
+        Signed       = $signed
+    }
+}