@prompd/cli 0.3.3

package/dist/commands/package.js

@@ -0,0 +1,746 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPackageCommand = createPackageCommand;
+exports.createPackCommand = createPackCommand;
+exports.createPackageFromPrompdJson = createPackageFromPrompdJson;
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const fs = __importStar(require("fs-extra"));
+const path = __importStar(require("path"));
+const archiver_1 = __importDefault(require("archiver"));
+const crypto_1 = require("crypto");
+const security_1 = require("../lib/security");
+const compiler_1 = require("../lib/compiler");
+const index_js_1 = require("../types/index.js");
+/**
+ * Shared package creation logic (used by both 'package create' and 'pack')
+ */
+async function handlePackageCreate(source, output, options) {
+    const sourcePath = path.resolve(source);
+    // Check if source exists
+    if (!await fs.pathExists(sourcePath)) {
+        console.error(chalk_1.default.red(`Source not found: ${sourcePath}`));
+        process.exit(1);
+    }
+    // Check if source is a directory
+    const stat = await fs.stat(sourcePath);
+    if (!stat.isDirectory()) {
+        console.error(chalk_1.default.red(`Source must be a directory: ${sourcePath}`));
+        process.exit(1);
+    }
+    // Directory mode - requires manual parameters
+    if (!options?.name || !options?.version || !options?.description) {
+        console.error(chalk_1.default.red('Package creation requires -n/--name, -v/--pkg-version, and -d/--description options'));
+        process.exit(1);
+    }
+    await packageFromDirectory(sourcePath, output, options);
+}
+function createPackageCommand() {
+    const command = new commander_1.Command('package');
+    command.description('Package management commands');
+    // Create subcommand
+    const createCommand = new commander_1.Command('create');
+    createCommand
+        .description('Create a .pdpkg package from a directory')
+        .argument('<source>', 'Source directory')
+        .argument('[output]', 'Output .pdpkg file path (optional)')
+        .option('-n, --name <name>', 'Package name')
+        .option('-v, --pkg-version <version>', 'Package version')
+        .option('-d, --description <description>', 'Package description')
+        .option('-a, --author <author>', 'Package author')
+        .action(async (source, output, options) => {
+        try {
+            // Map pkgVersion to version for backwards compatibility
+            if (options?.pkgVersion) {
+                options.version = options.pkgVersion;
+            }
+            await handlePackageCreate(source, output, options);
+        }
+        catch (error) {
+            console.error(chalk_1.default.red(`❌ Package creation failed: ${error.message}`));
+            process.exit(1);
+        }
+    });
+    // Validate subcommand
+    const validateCommand = new commander_1.Command('validate');
+    validateCommand
+        .description('Validate a .pdpkg package archive')
+        .argument('<file>', '.pdpkg package file to validate')
+        .action(async (filePath) => {
+        try {
+            const fullPath = path.resolve(filePath);
+            // Check if file exists
+            if (!await fs.pathExists(fullPath)) {
+                console.error(chalk_1.default.red(`❌ File not found: ${fullPath}`));
+                process.exit(1);
+            }
+            // Only accept .pdpkg files - packages are archives, not individual .prmd files
+            if (!fullPath.endsWith('.pdpkg')) {
+                console.error(chalk_1.default.red('❌ Invalid package format!'));
+                console.error(chalk_1.default.gray(`   File: ${path.basename(filePath)}`));
+                console.error(chalk_1.default.gray('   Expected: .pdpkg archive file'));
+                console.error(chalk_1.default.gray('   Note: .prmd files are individual prompts, not packages'));
+                console.error(chalk_1.default.gray('   Use \'prompd validate\' to validate individual .prmd files'));
+                process.exit(1);
+            }
+            // Validate .pdpkg file structure
+            await validatePdpkgFile(fullPath);
+            console.log(chalk_1.default.green(`✅ Package validation passed: ${path.basename(filePath)}`));
+        }
+        catch (error) {
+            console.error(chalk_1.default.red(`❌ Package validation failed: ${error.message}`));
+            process.exit(1);
+        }
+    });
+    command.addCommand(createCommand);
+    command.addCommand(validateCommand);
+    return command;
+}
+async function packageFromDirectory(sourceDir, outputPath, options = {}) {
+    const { name, version, description, author } = options;
+    // Generate output path if not provided
+    if (!outputPath) {
+        outputPath = `${name.toLowerCase().replace(/\s+/g, '-')}-v${version}.pdpkg`;
+    }
+    // Ensure .pdpkg extension
+    if (!outputPath.endsWith('.pdpkg')) {
+        outputPath += '.pdpkg';
+    }
+    const manifest = {
+        name,
+        version,
+        description,
+        author,
+        type: 'package'
+    };
+    // Create package with default exclusions
+    const exclusions = {
+        directories: ['.git', '.prmd', 'node_modules', '__pycache__'],
+        patterns: ['*.log', '*.tmp', '*.cache', '.env*']
+    };
+    await createPackage(sourceDir, outputPath, manifest, exclusions);
+    console.log(chalk_1.default.green('✓ Package created successfully!'));
+    console.log(chalk_1.default.cyan(`   Package: ${outputPath}`));
+    try {
+        const stats = await fs.stat(outputPath);
+        const sizeKB = (stats.size / 1024).toFixed(1);
+        console.log(chalk_1.default.gray(`   Size: ${sizeKB} KB`));
+    }
+    catch (error) {
+        // Ignore stat errors
+    }
+}
+async function createPackage(sourceDir, outputPath, manifest, exclusions) {
+    // First pass: scan for secrets
+    const secretsFound = [];
+    const scanDir = async (dir, relativePath = '') => {
+        const items = await fs.readdir(dir);
+        for (const item of items) {
+            const itemPath = path.join(dir, item);
+            const itemRelPath = path.join(relativePath, item);
+            const stat = await fs.stat(itemPath);
+            if (shouldExclude(itemRelPath, stat.isDirectory(), exclusions)) {
+                continue;
+            }
+            if (stat.isDirectory()) {
+                await scanDir(itemPath, itemRelPath);
+            }
+            else {
+                // Scan text files for secrets
+                const ext = path.extname(itemPath).toLowerCase();
+                const textExtensions = ['.prmd', '.txt', '.json', '.yaml', '.yml', '.md', '.js', '.ts', '.py', '.sh', '.env'];
+                if (textExtensions.includes(ext)) {
+                    const scanResult = await security_1.SecurityManager.scanFileForSecrets(itemPath);
+                    if (scanResult.hasSecrets) {
+                        scanResult.secrets.forEach(secret => {
+                            secretsFound.push({
+                                file: itemRelPath,
+                                type: secret.type,
+                                line: secret.line
+                            });
+                        });
+                    }
+                }
+            }
+        }
+    };
+    // Scan for secrets before packaging
+    await scanDir(sourceDir);
+    if (secretsFound.length > 0) {
+        console.error(chalk_1.default.red.bold('\n⚠️  SECURITY WARNING: Potential secrets detected!'));
+        console.error(chalk_1.default.yellow('\nThe following files contain potential secrets:'));
+        secretsFound.forEach(({ file, type, line }) => {
+            console.error(chalk_1.default.yellow(`  • ${file}:${line} - ${type}`));
+        });
+        console.error(chalk_1.default.red('\n❌ Package creation blocked to prevent secret exposure.'));
+        console.error(chalk_1.default.gray('Please remove secrets from these files before packaging.'));
+        console.error(chalk_1.default.gray('Use environment variables or secure vaults for sensitive data.\n'));
+        throw new Error('Secrets detected in package contents');
+    }
+    // Second pass: collect files, apply frontmatter, and compute hashes
+    const fileHashes = {};
+    const fileContents = [];
+    const collectFiles = (dir, relativePath = '') => {
+        const items = fs.readdirSync(dir);
+        for (const item of items) {
+            const itemPath = path.join(dir, item);
+            const itemRelPath = path.join(relativePath, item);
+            const stat = fs.statSync(itemPath);
+            if (shouldExclude(itemRelPath, stat.isDirectory(), exclusions)) {
+                continue;
+            }
+            if (stat.isDirectory()) {
+                collectFiles(itemPath, itemRelPath);
+            }
+            else {
+                const zipPath = itemRelPath.replace(/\\/g, '/');
+                // For code files, add frontmatter protection
+                if ((0, index_js_1.needsFrontmatterProtection)(itemPath)) {
+                    const content = fs.readFileSync(itemPath, 'utf-8');
+                    const filename = path.basename(itemPath);
+                    const protectedContent = addContentFrontmatter(content, filename);
+                    fileHashes[zipPath] = (0, crypto_1.createHash)('sha256').update(protectedContent).digest('hex');
+                    fileContents.push({ zipPath, content: protectedContent });
+                }
+                else {
+                    // For non-code files, read content for hashing
+                    const content = fs.readFileSync(itemPath);
+                    fileHashes[zipPath] = (0, crypto_1.createHash)('sha256').update(content).digest('hex');
+                    fileContents.push({ zipPath, content });
+                }
+            }
+        }
+    };
+    collectFiles(sourceDir);
+    // Third pass: create the package with integrity hashes
+    return new Promise((resolve, reject) => {
+        const output = fs.createWriteStream(outputPath);
+        const archive = (0, archiver_1.default)('zip', { zlib: { level: 9 } });
+        output.on('close', () => resolve());
+        archive.on('error', (err) => reject(err));
+        archive.pipe(output);
+        // Add prompd.json with integrity hashes
+        const fullManifest = {
+            ...manifest,
+            integrity: {
+                algorithm: 'sha256',
+                files: fileHashes
+            }
+        };
+        archive.append(JSON.stringify(fullManifest, null, 2), { name: 'prompd.json' });
+        // Add all files to archive
+        for (const { zipPath, content } of fileContents) {
+            archive.append(content, { name: zipPath });
+        }
+        archive.finalize();
+    });
+}
+function shouldExclude(relPath, isDirectory, exclusions) {
+    const fileName = path.basename(relPath);
+    // Always exclude .pdproj files - they're only for packaging metadata
+    if (fileName.endsWith('.pdproj')) {
+        return true;
+    }
+    // Check directory exclusions
+    if (isDirectory && exclusions.directories) {
+        for (const excl of exclusions.directories) {
+            if (fileName === excl) {
+                return true;
+            }
+        }
+    }
+    // Check pattern exclusions
+    if (exclusions.patterns) {
+        for (const pattern of exclusions.patterns) {
+            // Convert glob pattern to regex
+            const regex = new RegExp('^' + pattern.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
+            if (regex.test(fileName)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+async function validatePdpkgFile(filePath) {
+    // For .pdpkg files (ZIP archives), we need to check the structure
+    const AdmZip = require('adm-zip');
+    let zip;
+    try {
+        zip = new AdmZip(filePath);
+    }
+    catch (error) {
+        throw new Error(`Failed to open ZIP file: ${error.message}`);
+    }
+    const entries = zip.getEntries();
+    // SECURITY: Check for ZIP slip/directory traversal attacks
+    for (const entry of entries) {
+        const entryName = entry.entryName;
+        const normalizedPath = path.normalize(entryName);
+        // Check for path traversal
+        if (normalizedPath.includes('..') || path.isAbsolute(entryName)) {
+            throw new Error(`Security violation: Path traversal detected in ${entryName}`);
+        }
+    }
+    // Check for prompd.json (or legacy manifest.json for backwards compatibility)
+    let manifestFound = false;
+    for (const entry of entries) {
+        if (entry.entryName === 'prompd.json' || entry.entryName === 'manifest.json') {
+            manifestFound = true;
+            // Read and validate manifest
+            const manifestContent = entry.getData().toString('utf8');
+            let manifest;
+            try {
+                manifest = JSON.parse(manifestContent);
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : 'Unknown error';
+                throw new Error(`Invalid ${entry.entryName}: ${message}`);
+            }
+            // Validate required fields
+            if (!manifest.name) {
+                throw new Error(`Missing 'name' in ${entry.entryName}`);
+            }
+            if (!manifest.version) {
+                throw new Error(`Missing 'version' in ${entry.entryName}`);
+            }
+            if (!manifest.description) {
+                throw new Error(`Missing 'description' in ${entry.entryName}`);
+            }
+            break;
+        }
+    }
+    if (!manifestFound) {
+        throw new Error('Missing prompd.json in package');
+    }
+}
+/**
+ * Creates the 'pack' command (alias for 'package create')
+ * Convenient shorthand like 'npm pack'
+ */
+function createPackCommand() {
+    const packCommand = new commander_1.Command('pack');
+    packCommand
+        .description('Create a .pdpkg package (alias for "package create")')
+        .argument('<source>', 'Source .pdproj file or directory')
+        .argument('[output]', 'Output .pdpkg file path (optional)')
+        .option('--name <name>', 'Package name (overrides .pdproj)')
+        .option('-n, --name <name>', 'Package name (overrides .pdproj)')
+        .option('--version <version>', 'Package version (overrides .pdproj)')
+        .option('-V, --version <version>', 'Package version (overrides .pdproj)')
+        .option('--description <description>', 'Package description (overrides .pdproj)')
+        .option('-d, --description <description>', 'Package description (overrides .pdproj)')
+        .option('--author <author>', 'Package author (overrides .pdproj)')
+        .option('-a, --author <author>', 'Package author (overrides .pdproj)')
+        .action(async (source, output, options) => {
+        try {
+            await handlePackageCreate(source, output, options);
+        }
+        catch (error) {
+            console.error(chalk_1.default.red(`❌ Package creation failed: ${error.message}`));
+            process.exit(1);
+        }
+    });
+    return packCommand;
+}
+/** Default file extensions that are valid for packaging */
+const PACKABLE_EXTENSIONS = [
+    '.prmd', '.prompd', '.pdflow', // Prompd files
+    '.md', '.txt', // Documentation
+    '.json', '.yaml', '.yml', // Config/data files
+    '.js', '.ts', '.mjs', '.cjs', // JavaScript/TypeScript
+    '.py', '.sh', '.bash', // Scripts
+    '.csv', '.xml', // Data files
+];
+/** Directories to always exclude */
+const DEFAULT_EXCLUDE_DIRS = [
+    'node_modules', '.git', '.prompd', '__pycache__', '.venv', 'venv',
+    'dist', 'build', 'out', '.next', '.nuxt', 'coverage', '.nyc_output',
+    '.idea', '.vscode', '.vs',
+];
+/** Patterns to always exclude */
+const DEFAULT_EXCLUDE_PATTERNS = [
+    '.env', '.env.*', '*.log', '*.tmp', '*.cache', '*.lock',
+    'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+    '.DS_Store', 'Thumbs.db', '*.pdpkg', '*.pdproj',
+    'dist/**', '.prompd/**', // Build output and installed dependencies
+    'prompd.json', // Excluded - we generate this in the archive with populated files array
+];
+/**
+ * Check if a file path matches any of the ignore patterns
+ */
+function matchesIgnorePattern(filePath, patterns) {
+    const fileName = path.basename(filePath);
+    const normalizedPath = filePath.replace(/\\/g, '/');
+    for (const pattern of patterns) {
+        // Simple glob matching
+        const regexPattern = pattern
+            .replace(/\./g, '\\.') // Escape dots
+            .replace(/\*\*/g, '<<<GLOBSTAR>>>') // Placeholder for **
+            .replace(/\*/g, '[^/]*') // Single * = any chars except /
+            .replace(/<<<GLOBSTAR>>>/g, '.*') // ** = any path including /
+            .replace(/\?/g, '.'); // ? = single char
+        const regex = new RegExp(`^${regexPattern}$|/${regexPattern}$|^${regexPattern}/|/${regexPattern}/`);
+        if (regex.test(normalizedPath) || regex.test(fileName)) {
+            return true;
+        }
+        // Also check exact match
+        if (fileName === pattern || normalizedPath === pattern || normalizedPath.endsWith('/' + pattern)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Discover all packable files in a workspace, applying ignore patterns
+ */
+async function discoverPackableFiles(workspacePath, ignorePatterns = []) {
+    const files = [];
+    // Combine default and custom ignore patterns
+    const allIgnorePatterns = [
+        ...DEFAULT_EXCLUDE_PATTERNS,
+        ...ignorePatterns
+    ];
+    const walkDir = async (dir, relativePath = '') => {
+        let items;
+        try {
+            items = await fs.readdir(dir);
+        }
+        catch (err) {
+            return; // Skip unreadable directories
+        }
+        for (const item of items) {
+            const itemPath = path.join(dir, item);
+            const itemRelPath = relativePath ? path.join(relativePath, item) : item;
+            let stat;
+            try {
+                stat = await fs.stat(itemPath);
+            }
+            catch (err) {
+                continue; // Skip unreadable files
+            }
+            if (stat.isDirectory()) {
+                // Skip default excluded directories
+                if (DEFAULT_EXCLUDE_DIRS.includes(item)) {
+                    continue;
+                }
+                // Skip directories matching ignore patterns
+                if (matchesIgnorePattern(itemRelPath, allIgnorePatterns)) {
+                    continue;
+                }
+                await walkDir(itemPath, itemRelPath);
+            }
+            else {
+                // Skip files matching ignore patterns
+                if (matchesIgnorePattern(itemRelPath, allIgnorePatterns)) {
+                    continue;
+                }
+                // Check if file extension is packable
+                const ext = path.extname(item).toLowerCase();
+                if (PACKABLE_EXTENSIONS.includes(ext)) {
+                    // Use forward slashes for consistency
+                    files.push(itemRelPath.replace(/\\/g, '/'));
+                }
+            }
+        }
+    };
+    await walkDir(workspacePath);
+    return files.sort();
+}
+async function createPackageFromPrompdJson(workspacePath, outputDir) {
+    const prompdJsonPath = path.join(workspacePath, 'prompd.json');
+    // 1. Check prompd.json exists
+    if (!await fs.pathExists(prompdJsonPath)) {
+        return {
+            success: false,
+            error: 'No prompd.json found in workspace root. Create a prompd.json file first.'
+        };
+    }
+    // 2. Parse prompd.json
+    let prompdJson;
+    try {
+        prompdJson = await fs.readJson(prompdJsonPath);
+    }
+    catch (parseErr) {
+        return {
+            success: false,
+            error: `Invalid prompd.json: ${parseErr.message}`
+        };
+    }
+    // 3. Validate required fields
+    if (!prompdJson.name) {
+        return { success: false, error: 'prompd.json is missing required field: name' };
+    }
+    if (!prompdJson.version) {
+        return { success: false, error: 'prompd.json is missing required field: version' };
+    }
+    if (!prompdJson.description || prompdJson.description.length < 10) {
+        return { success: false, error: 'prompd.json description must be at least 10 characters' };
+    }
+    if (!prompdJson.main) {
+        return { success: false, error: 'prompd.json is missing required field: main (main .prmd entry point)' };
+    }
+    // 4. Auto-discover files if files array is empty or missing
+    let filesToPackage = prompdJson.files || [];
+    let autoDiscovered = false;
+    if (!Array.isArray(filesToPackage) || filesToPackage.length === 0) {
+        // Auto-discover packable files using ignore patterns
+        const ignorePatterns = prompdJson.ignore || [];
+        filesToPackage = await discoverPackableFiles(workspacePath, ignorePatterns);
+        autoDiscovered = true;
+        if (filesToPackage.length === 0) {
+            return {
+                success: false,
+                error: 'No packable files found in workspace. Add .prmd, .md, .json, or other valid files.'
+            };
+        }
+    }
+    // 5. Validate main file exists
+    const mainFilePath = path.join(workspacePath, prompdJson.main);
+    if (!await fs.pathExists(mainFilePath)) {
+        return { success: false, error: `Main file not found: ${prompdJson.main}` };
+    }
+    // Ensure main file is included in the files to package
+    const mainFileNormalized = prompdJson.main.replace(/\\/g, '/');
+    if (!filesToPackage.includes(mainFileNormalized)) {
+        filesToPackage.unshift(mainFileNormalized);
+    }
+    // 6. Validate all files exist and scan for secrets
+    const secretsFound = [];
+    const missingFiles = [];
+    for (const filePath of filesToPackage) {
+        const fullPath = path.join(workspacePath, filePath);
+        // Check file exists
+        if (!await fs.pathExists(fullPath)) {
+            missingFiles.push(filePath);
+            continue;
+        }
+        // Scan for secrets in text files
+        const ext = path.extname(filePath).toLowerCase();
+        const textExtensions = ['.prmd', '.txt', '.json', '.yaml', '.yml', '.md', '.js', '.ts', '.py', '.sh', '.env'];
+        if (textExtensions.includes(ext)) {
+            try {
+                const scanResult = await security_1.SecurityManager.scanFileForSecrets(fullPath);
+                if (scanResult.hasSecrets) {
+                    scanResult.secrets.forEach((secret) => {
+                        secretsFound.push({
+                            file: filePath,
+                            type: secret.type,
+                            line: secret.line
+                        });
+                    });
+                }
+            }
+            catch (scanErr) {
+                console.warn(`[Package] Secret scan failed for ${filePath}: ${scanErr.message}`);
+            }
+        }
+    }
+    if (missingFiles.length > 0) {
+        return {
+            success: false,
+            error: `Missing files:\n${missingFiles.map(f => '  - ' + f).join('\n')}`
+        };
+    }
+    if (secretsFound.length > 0) {
+        const secretsList = secretsFound.map(s => `  - ${s.file}:${s.line} (${s.type})`).join('\n');
+        return {
+            success: false,
+            error: `Secrets detected! Remove before packaging:\n${secretsList}`
+        };
+    }
+    // 6b. Validate all .prmd files compile without errors (check inherits, parameters, etc.)
+    const prmdValidationErrors = [];
+    const compiler = new compiler_1.PrompdCompiler();
+    const fileSystem = new compiler_1.NodeFileSystem();
+    for (const filePath of filesToPackage) {
+        if (!filePath.endsWith('.prmd'))
+            continue;
+        const fullPath = path.join(workspacePath, filePath);
+        try {
+            const context = await compiler.compileWithContext(fullPath, {
+                outputFormat: 'markdown',
+                fileSystem,
+                workspaceRoot: workspacePath
+            });
+            // Collect errors from compilation
+            const errors = context.getDiagnostics()
+                .filter(d => d.severity === 'error')
+                .map(d => {
+                const location = d.line ? ` (line ${d.line})` : '';
+                return `${d.message}${location}`;
+            });
+            if (errors.length > 0) {
+                prmdValidationErrors.push({ file: filePath, errors });
+            }
+        }
+        catch (compileErr) {
+            prmdValidationErrors.push({
+                file: filePath,
+                errors: [compileErr.message || 'Compilation failed']
+            });
+        }
+    }
+    if (prmdValidationErrors.length > 0) {
+        const errorList = prmdValidationErrors.map(e => `  ${e.file}:\n${e.errors.map(err => `    - ${err}`).join('\n')}`).join('\n');
+        return {
+            success: false,
+            error: `Validation errors in .prmd files:\n${errorList}`
+        };
+    }
+    // 7. Create output directory
+    const distDir = outputDir || path.join(workspacePath, 'dist');
+    await fs.ensureDir(distDir);
+    // 8. Generate output filename (strip namespace for scoped packages)
+    const packageName = prompdJson.name.includes('/')
+        ? prompdJson.name.split('/')[1]
+        : prompdJson.name;
+    const outputFileName = `${packageName}-v${prompdJson.version}.pdpkg`;
+    const outputPath = path.join(distDir, outputFileName);
+    // 9. Create manifest for package (includes files array for archive only)
+    const manifest = {
+        name: prompdJson.name,
+        version: prompdJson.version,
+        description: prompdJson.description,
+        author: prompdJson.author
+    };
+    // 10. Create the package
+    try {
+        // Instead of createPackage (which walks all files), we only include files from the array
+        await createPackageFromFiles(workspacePath, outputPath, manifest, filesToPackage, prompdJson.main, prompdJson.readme, prompdJson.ignore // Pass ignore patterns for archive manifest
+        );
+        const stats = await fs.stat(outputPath);
+        const sizeKB = (stats.size / 1024).toFixed(1);
+        const autoNote = autoDiscovered ? ' (auto-discovered)' : '';
+        // Build detailed log for raw output display
+        const logLines = [
+            `Package: ${prompdJson.name}@${prompdJson.version}`,
+            `Output: dist/${outputFileName}`,
+            `Size: ${sizeKB} KB`,
+            '',
+            `Files included (${filesToPackage.length}):`,
+            ...filesToPackage.map(f => `  - ${f}`)
+        ];
+        return {
+            success: true,
+            outputPath: outputPath,
+            fileName: outputFileName,
+            size: stats.size,
+            fileCount: filesToPackage.length,
+            message: `Package created: dist/${outputFileName} (${sizeKB} KB, ${filesToPackage.length} files${autoNote})`,
+            log: logLines.join('\n')
+        };
+    }
+    catch (err) {
+        return {
+            success: false,
+            error: err.message || 'Package creation failed'
+        };
+    }
+}
+/**
+ * Add prompd content frontmatter to a file for security.
+ * This makes code files non-executable (frontmatter breaks parsing).
+ */
+function addContentFrontmatter(content, filename) {
+    const contentType = (0, index_js_1.getContentType)(filename);
+    const frontmatter = `---
+prompd_content_file: true
+original_filename: ${filename}
+content_type: ${contentType}
+---
+`;
+    return frontmatter + content;
+}
+/**
+ * Create package from specific file list (not directory walk)
+ * The files array is written to the archive's prompd.json (not the filesystem)
+ */
+async function createPackageFromFiles(workspacePath, outputPath, manifest, files, mainFile, readmeFile, ignorePatterns) {
+    return new Promise((resolve, reject) => {
+        const output = fs.createWriteStream(outputPath);
+        const archive = (0, archiver_1.default)('zip', { zlib: { level: 9 } });
+        output.on('close', () => resolve());
+        archive.on('error', (err) => reject(err));
+        archive.pipe(output);
+        // Files array uses original paths (no transformation needed with frontmatter approach)
+        const normalizedFiles = files.map(f => f.replace(/\\/g, '/'));
+        // Collect file contents and compute integrity hashes
+        const fileHashes = {};
+        const fileContents = [];
+        for (const filePath of files) {
+            const fullPath = path.join(workspacePath, filePath);
+            const zipPath = filePath.replace(/\\/g, '/');
+            // For code files, add frontmatter protection
+            if ((0, index_js_1.needsFrontmatterProtection)(filePath)) {
+                const content = fs.readFileSync(fullPath, 'utf-8');
+                const filename = path.basename(filePath);
+                const protectedContent = addContentFrontmatter(content, filename);
+                // Hash the protected content (with frontmatter) - matches what's in archive
+                fileHashes[zipPath] = (0, crypto_1.createHash)('sha256').update(protectedContent).digest('hex');
+                fileContents.push({ zipPath, content: protectedContent });
+            }
+            else {
+                // For non-code files, read content for hashing
+                const content = fs.readFileSync(fullPath);
+                fileHashes[zipPath] = (0, crypto_1.createHash)('sha256').update(content).digest('hex');
+                fileContents.push({ zipPath, content });
+            }
+        }
+        // Add prompd.json (inside the package) with files array and integrity hashes
+        // This writes the files array to the archive only, not the filesystem
+        const fullManifest = {
+            ...manifest,
+            main: mainFile,
+            readme: readmeFile,
+            files: normalizedFiles,
+            integrity: {
+                algorithm: 'sha256',
+                files: fileHashes
+            },
+            ...(ignorePatterns && ignorePatterns.length > 0 ? { ignore: ignorePatterns } : {})
+        };
+        archive.append(JSON.stringify(fullManifest, null, 2), { name: 'prompd.json' });
+        // Add all files to archive
+        for (const { zipPath, content } of fileContents) {
+            archive.append(content, { name: zipPath });
+        }
+        archive.finalize();
+    });
+}
+//# sourceMappingURL=package.js.map