@topogram/cli 0.3.85 → 0.3.87

package/src/cli/commands/import/plan.js

@@ -3,6 +3,7 @@
 import fs from "node:fs";
 import path from "node:path";
 
+import { readExtractionContext } from "../../../extraction-context.js";
 import { runWorkflow } from "../../../workflows.js";
 import {
   countByField,
@@ -60,6 +61,73 @@ export const BROWNFIELD_BROAD_ADOPT_SELECTORS = [
   }
 ];
 
+/**
+ * @param {AnyRecord|null|undefined} extractionContext
+ * @param {AnyRecord[]} bundleSurfaces
+ * @param {string} bundleSlug
+ * @returns {string[]}
+ */
+function tracksForBundle(extractionContext, bundleSurfaces, bundleSlug) {
+  const tracks = new Set(bundleSurfaces.map((surface) => surface.track).filter(Boolean));
+  if (bundleSlug === "database" || bundleSlug.includes("db")) tracks.add("db");
+  if (bundleSlug === "cli") tracks.add("cli");
+  if (bundleSlug === "ui") tracks.add("ui");
+  if (bundleSlug.includes("api")) tracks.add("api");
+  const knownTracks = new Set(Array.isArray(extractionContext?.tracks) ? extractionContext.tracks : []);
+  return [...tracks].filter((track) => knownTracks.size === 0 || knownTracks.has(track)).sort((left, right) => left.localeCompare(right));
+}
+
+/**
+ * @param {AnyRecord} extractor
+ * @param {Set<string>} tracks
+ * @returns {boolean}
+ */
+function extractorMatchesTracks(extractor, tracks) {
+  const extractorTracks = Array.isArray(extractor.tracks) ? extractor.tracks : [];
+  return tracks.size === 0 || extractorTracks.length === 0 || extractorTracks.some((track) => tracks.has(track));
+}
+
+/**
+ * @param {AnyRecord|null|undefined} extractionContext
+ * @param {AnyRecord[]} bundleSurfaces
+ * @param {string} bundleSlug
+ * @returns {AnyRecord|null}
+ */
+function extractorContextForBundle(extractionContext, bundleSurfaces, bundleSlug) {
+  if (!extractionContext) {
+    return null;
+  }
+  const tracks = tracksForBundle(extractionContext, bundleSurfaces, bundleSlug);
+  const trackSet = new Set(tracks);
+  const packageBackedExtractors = (extractionContext.package_backed_extractors || [])
+    .filter((/** @type {AnyRecord} */ extractor) => extractorMatchesTracks(extractor, trackSet))
+    .map((/** @type {AnyRecord} */ extractor) => ({
+      id: extractor.id || null,
+      version: extractor.version || null,
+      packageName: extractor.packageName || null,
+      extractors: Array.isArray(extractor.extractors) ? extractor.extractors : [],
+      tracks: Array.isArray(extractor.tracks) ? extractor.tracks : []
+    }));
+  const bundledExtractors = (extractionContext.bundled_extractors || [])
+    .filter((/** @type {AnyRecord} */ extractor) => extractorMatchesTracks(extractor, trackSet))
+    .map((/** @type {AnyRecord} */ extractor) => ({
+      id: extractor.id || null,
+      version: extractor.version || null,
+      extractors: Array.isArray(extractor.extractors) ? extractor.extractors : [],
+      tracks: Array.isArray(extractor.tracks) ? extractor.tracks : []
+    }));
+  if (packageBackedExtractors.length === 0 && bundledExtractors.length === 0) {
+    return null;
+  }
+  return {
+    tracks,
+    packageBackedExtractors,
+    bundledExtractors,
+    candidateCounts: extractionContext.candidate_counts || {},
+    safetyNotes: extractionContext.safety_notes || []
+  };
+}
+
 /**
  * @param {string} inputPath
  * @returns {AnyRecord}
@@ -84,7 +152,8 @@ export function readImportAdoptionArtifacts(inputPath) {
     paths,
     adoptionPlan: JSON.parse(fs.readFileSync(paths.adoptionPlanAgent, "utf8")),
     adoptionStatus: readJsonIfExists(paths.adoptionStatus),
-    reconcileReport: readJsonIfExists(paths.reconcileReport)
+    reconcileReport: readJsonIfExists(paths.reconcileReport),
+    extractionContext: readExtractionContext(topogramRoot)
   };
 }
 
@@ -118,9 +187,10 @@ export function buildBrownfieldBroadAdoptSelectors(projectRoot, adoptionPlan) {
  * @param {AnyRecord} adoptionPlan
  * @param {AnyRecord} adoptionStatus
  * @param {string} projectRoot
+ * @param {AnyRecord|null|undefined} extractionContext
  * @returns {AnyRecord}
  */
-export function summarizeImportAdoption(adoptionPlan, adoptionStatus, projectRoot) {
+export function summarizeImportAdoption(adoptionPlan, adoptionStatus, projectRoot, extractionContext = null) {
   const surfaces = adoptionPlan.imported_proposal_surfaces || [];
   /** @type {string[]} */
   const slugs = [];
@@ -162,7 +232,8 @@ export function summarizeImportAdoption(adoptionPlan, adoptionStatus, projectRoo
       complete: Boolean(priority?.is_complete) || (pendingItems.length === 0 && blockedItems.length === 0 && appliedItems.length > 0),
       evidenceScore: priority?.evidence_score || 0,
       why: priority?.operator_summary?.whyThisBundle || null,
-      nextCommand: importAdoptCommand(projectRoot, `bundle:${slug}`, false)
+      nextCommand: importAdoptCommand(projectRoot, `bundle:${slug}`, false),
+      extractorContext: extractorContextForBundle(extractionContext, bundleSurfaces, slug)
     };
   });
   const nextBundle = bundles.find((bundle) => !bundle.complete && bundle.pendingItemCount > 0) || bundles.find((bundle) => !bundle.complete) || bundles[0] || null;
@@ -196,7 +267,7 @@ export function summarizeImportAdoption(adoptionPlan, adoptionStatus, projectRoo
 export function buildBrownfieldImportPlanPayload(inputPath) {
   const artifacts = readImportAdoptionArtifacts(inputPath);
   const adoptionStatus = runWorkflow("adoption-status", artifacts.projectRoot).summary || artifacts.adoptionStatus || {};
-  const adoption = summarizeImportAdoption(artifacts.adoptionPlan, adoptionStatus, artifacts.projectRoot);
+  const adoption = summarizeImportAdoption(artifacts.adoptionPlan, adoptionStatus, artifacts.projectRoot, artifacts.extractionContext);
   return {
     ok: true,
     projectRoot: artifacts.projectRoot,
@@ -207,6 +278,14 @@ export function buildBrownfieldImportPlanPayload(inputPath) {
       adoptionStatus: artifacts.paths.adoptionStatus,
       reconcileReport: artifacts.paths.reconcileReport
     },
+    extractorContext: artifacts.extractionContext ? {
+      provenancePath: artifacts.extractionContext.provenance_path,
+      packageBackedExtractors: artifacts.extractionContext.package_backed_extractors,
+      bundledExtractors: artifacts.extractionContext.bundled_extractors,
+      candidateCounts: artifacts.extractionContext.candidate_counts,
+      safetyNotes: artifacts.extractionContext.safety_notes,
+      summary: artifacts.extractionContext.summary
+    } : null,
     ...adoption,
     commands: {
       check: `topogram extract check ${importProjectCommandPath(artifacts.projectRoot)}`,
@@ -229,6 +308,14 @@ export function printBrownfieldImportPlan(payload) {
     if (bundle.why) {
       console.log(`  ${bundle.why}`);
     }
+    if (bundle.extractorContext?.packageBackedExtractors?.length > 0) {
+      const names = bundle.extractorContext.packageBackedExtractors
+        .map((/** @type {AnyRecord} */ extractor) => extractor.packageName || extractor.id)
+        .filter(Boolean)
+        .join(", ");
+      console.log(`  Extractors: ${names}`);
+      console.log("  Safety: package-backed extractor candidates are review-only; run dry-run adoption before --write.");
+    }
     console.log(`  Preview: ${bundle.nextCommand}`);
   }
   if (payload.risks.length > 0) {
@@ -257,6 +344,7 @@ export function buildBrownfieldImportAdoptListPayload(inputPath) {
     appliedItemCount: bundle.appliedItemCount,
     blockedItemCount: bundle.blockedItemCount,
     complete: bundle.complete,
+    extractorContext: bundle.extractorContext || null,
     previewCommand: importAdoptCommand(plan.projectRoot, `bundle:${bundle.bundle}`, false),
     writeCommand: importAdoptCommand(plan.projectRoot, `bundle:${bundle.bundle}`, true)
   }));
@@ -270,6 +358,7 @@ export function buildBrownfieldImportAdoptListPayload(inputPath) {
     selectors,
     broadSelectorCount: broadSelectors.length,
     broadSelectors,
+    extractorContext: plan.extractorContext,
     nextCommand: selectors.find((/** @type {AnyRecord} */ selector) => !selector.complete)?.previewCommand || plan.commands.status
   };
 }
@@ -286,6 +375,14 @@ export function printBrownfieldImportAdoptList(payload) {
   }
   for (const selector of payload.selectors) {
     console.log(`- ${selector.selector}: ${selector.itemCount} item(s), ${selector.pendingItemCount} pending, ${selector.appliedItemCount} applied`);
+    if (selector.extractorContext?.packageBackedExtractors?.length > 0) {
+      const names = selector.extractorContext.packageBackedExtractors
+        .map((/** @type {AnyRecord} */ extractor) => extractor.packageName || extractor.id)
+        .filter(Boolean)
+        .join(", ");
+      console.log(`  Extractors: ${names}`);
+      console.log("  Safety: package-backed extractor candidates are review-only; run dry-run adoption before --write.");
+    }
     console.log(`  Preview: ${selector.previewCommand}`);
     console.log(`  Write: ${selector.writeCommand}`);
   }

package/src/cli/commands/query/workspace.js

@@ -4,9 +4,9 @@ import fs from "node:fs";
 import path from "node:path";
 
 import { generateWorkspace } from "../../../generator.js";
-import { TOPOGRAM_IMPORT_FILE } from "../../../import/provenance.js";
 import { formatValidationErrors } from "../../../validator.js";
 import { buildChangePlanPayload } from "../../../agent-ops/query-builders.js";
+import { buildExtractionContext, readExtractionContext } from "../../../extraction-context.js";
 import { resolveTopoRoot } from "../../../workspace-paths.js";
 
 /**
@@ -197,72 +197,7 @@ export function readJson(filePath) {
   return JSON.parse(fs.readFileSync(filePath, "utf8"));
 }
 
-/**
- * @param {AnyRecord} record
- * @param {string} provenancePath
- * @returns {AnyRecord}
- */
-export function buildExtractionContext(record, provenancePath) {
-  const extractorPackages = /** @type {AnyRecord[]} */ (Array.isArray(record.extract?.extractorPackages)
-    ? record.extract.extractorPackages
-    : []);
-  const packageBackedExtractors = extractorPackages
-    .filter((entry) => entry?.source === "package")
-    .map((entry) => ({
-      id: entry.id || null,
-      version: entry.version || null,
-      packageName: entry.packageName || null,
-      extractors: Array.isArray(entry.extractors) ? entry.extractors : [],
-      manifestPath: entry.manifestPath || null
-    }));
-  const bundledExtractors = extractorPackages
-    .filter((entry) => entry?.source === "bundled")
-    .map((entry) => ({
-      id: entry.id || null,
-      version: entry.version || null,
-      extractors: Array.isArray(entry.extractors) ? entry.extractors : []
-    }));
-  return {
-    type: "extraction_context",
-    provenance_path: provenancePath,
-    kind: record.kind || null,
-    extracted_at: record.extractedAt || null,
-    refreshed_at: record.refreshedAt || null,
-    source_path: record.source?.path || null,
-    tracks: Array.isArray(record.extract?.tracks) ? record.extract.tracks : [],
-    findings_count: record.extract?.findingsCount || 0,
-    candidate_counts: record.extract?.candidateCounts || {},
-    package_backed_extractors: packageBackedExtractors,
-    bundled_extractors: bundledExtractors,
-    summary: {
-      package_backed_extractor_count: packageBackedExtractors.length,
-      bundled_extractor_count: bundledExtractors.length,
-      source_file_count: Array.isArray(record.files) ? record.files.length : 0
-    },
-    next_commands: [
-      "topogram extract check",
-      "topogram extract plan",
-      "topogram adopt --list",
-      "topogram adopt <selector> --dry-run"
-    ],
-    safety_notes: [
-      "Extractor packages are evidence producers only; review candidates before canonical adoption.",
-      "Use dry-run adoption before --write, especially when package-backed extractors contributed candidates."
-    ]
-  };
-}
-
-/**
- * @param {string} topogramRoot
- * @returns {AnyRecord|null}
- */
-export function readExtractionContext(topogramRoot) {
-  const provenancePath = path.join(path.dirname(topogramRoot), TOPOGRAM_IMPORT_FILE);
-  if (!fs.existsSync(provenancePath)) {
-    return null;
-  }
-  return buildExtractionContext(readJson(provenancePath), provenancePath);
-}
+export { buildExtractionContext, readExtractionContext };
 
 /**
  * @param {AnyRecord} options

package/src/extraction-context.js

@@ -0,0 +1,79 @@
+// @ts-check
+
+import fs from "node:fs";
+import path from "node:path";
+
+import { TOPOGRAM_IMPORT_FILE } from "./import/provenance.js";
+
+/**
+ * @typedef {Record<string, any>} AnyRecord
+ */
+
+/**
+ * @param {AnyRecord} record
+ * @param {string} provenancePath
+ * @returns {AnyRecord}
+ */
+export function buildExtractionContext(record, provenancePath) {
+  const extractorPackages = /** @type {AnyRecord[]} */ (Array.isArray(record.extract?.extractorPackages)
+    ? record.extract.extractorPackages
+    : []);
+  const packageBackedExtractors = extractorPackages
+    .filter((entry) => entry?.source === "package")
+    .map((entry) => ({
+      id: entry.id || null,
+      version: entry.version || null,
+      packageName: entry.packageName || null,
+      extractors: Array.isArray(entry.extractors) ? entry.extractors : [],
+      tracks: Array.isArray(entry.tracks) ? entry.tracks : [],
+      manifestPath: entry.manifestPath || null
+    }));
+  const bundledExtractors = extractorPackages
+    .filter((entry) => entry?.source === "bundled")
+    .map((entry) => ({
+      id: entry.id || null,
+      version: entry.version || null,
+      extractors: Array.isArray(entry.extractors) ? entry.extractors : [],
+      tracks: Array.isArray(entry.tracks) ? entry.tracks : []
+    }));
+  return {
+    type: "extraction_context",
+    provenance_path: provenancePath,
+    kind: record.kind || null,
+    extracted_at: record.extractedAt || null,
+    refreshed_at: record.refreshedAt || null,
+    source_path: record.source?.path || null,
+    tracks: Array.isArray(record.extract?.tracks) ? record.extract.tracks : [],
+    findings_count: record.extract?.findingsCount || 0,
+    candidate_counts: record.extract?.candidateCounts || {},
+    package_backed_extractors: packageBackedExtractors,
+    bundled_extractors: bundledExtractors,
+    summary: {
+      package_backed_extractor_count: packageBackedExtractors.length,
+      bundled_extractor_count: bundledExtractors.length,
+      source_file_count: Array.isArray(record.files) ? record.files.length : 0
+    },
+    next_commands: [
+      "topogram extract check",
+      "topogram extract plan",
+      "topogram adopt --list",
+      "topogram adopt <selector> --dry-run"
+    ],
+    safety_notes: [
+      "Extractor packages are evidence producers only; review candidates before canonical adoption.",
+      "Use dry-run adoption before --write, especially when package-backed extractors contributed candidates."
+    ]
+  };
+}
+
+/**
+ * @param {string} topogramRoot
+ * @returns {AnyRecord|null}
+ */
+export function readExtractionContext(topogramRoot) {
+  const provenancePath = path.join(path.dirname(topogramRoot), TOPOGRAM_IMPORT_FILE);
+  if (!fs.existsSync(provenancePath)) {
+    return null;
+  }
+  return buildExtractionContext(JSON.parse(fs.readFileSync(provenancePath, "utf8")), provenancePath);
+}

package/src/extractor/packages.js

@@ -228,13 +228,19 @@ export function packageExtractorsForContext(context) {
     const bundledPack = getBundledExtractorPack(spec);
     if (bundledPack) {
       extractors.push(...bundledPack.extractors);
-      provenance.push({ source: "bundled", id: bundledPack.manifest.id, version: bundledPack.manifest.version, extractors: bundledPack.manifest.extractors });
+      provenance.push({
+        source: "bundled",
+        id: bundledPack.manifest.id,
+        version: bundledPack.manifest.version,
+        tracks: bundledPack.manifest.tracks || [],
+        extractors: bundledPack.manifest.extractors
+      });
       continue;
     }
     const bundledExtractor = getBundledExtractorById(spec);
     if (bundledExtractor) {
       extractors.push(bundledExtractor);
-      provenance.push({ source: "bundled", id: bundledExtractor.id, version: "1", extractors: [bundledExtractor.id] });
+      provenance.push({ source: "bundled", id: bundledExtractor.id, version: "1", tracks: bundledExtractor.track ? [bundledExtractor.track] : [], extractors: [bundledExtractor.id] });
       continue;
     }
     const packageManifest = loadExtractorPackageManifestForSpec(spec, { cwd });
@@ -273,6 +279,7 @@ export function packageExtractorsForContext(context) {
       id: packageManifest.manifest.id,
       version: packageManifest.manifest.version,
       packageName,
+      tracks: packageManifest.manifest.tracks || [],
       manifestPath: packageManifest.manifestPath,
       packageRoot: packageManifest.packageRoot,
       extractors: packageManifest.manifest.extractors

package/src/github-client.js

@@ -2,9 +2,12 @@
 
 import childProcess from "node:child_process";
 
+import { remotePayloadMaxBytes } from "./remote-payload-limits.js";
+
 const DEFAULT_GITHUB_API_BASE_URL = "https://api.github.com";
 const GITHUB_REST_SCRIPT = `
 const request = JSON.parse(process.argv[1]);
+const maxBytes = Number.parseInt(String(request.maxBytes || ""), 10) || 5242880;
 const base = String(request.baseUrl || "https://api.github.com").replace(/\\/+$/, "") + "/";
 const path = String(request.path || "").replace(/^\\/+/, "");
 const url = new URL(path, base);
@@ -24,6 +27,39 @@ const headers = {
 if (request.token && canAttachToken(url)) {
   headers.authorization = "Bearer " + request.token;
 }
+async function readResponseText(response) {
+  const declaredLength = Number.parseInt(response.headers.get("content-length") || "", 10);
+  if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
+    throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+  }
+  if (!response.body) {
+    const text = await response.text();
+    if (Buffer.byteLength(text, "utf8") > maxBytes) {
+      throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+    }
+    return text;
+  }
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  const chunks = [];
+  let total = 0;
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) {
+      break;
+    }
+    total += value.byteLength;
+    if (total > maxBytes) {
+      try {
+        await reader.cancel();
+      } catch {}
+      throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+    }
+    chunks.push(decoder.decode(value, { stream: true }));
+  }
+  chunks.push(decoder.decode());
+  return chunks.join("");
+}
 if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
   const fs = await import("node:fs");
   const pathModule = await import("node:path");
@@ -50,6 +86,11 @@ if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
     }));
     process.exit(2);
   }
+  const fixtureSize = fs.statSync(fixturePath).size;
+  if (fixtureSize > maxBytes) {
+    process.stderr.write("GitHub REST fixture response exceeded " + maxBytes + " byte limit.");
+    process.exit(1);
+  }
   process.stdout.write(JSON.stringify({
     status: 200,
     body: fs.readFileSync(fixturePath, "utf8"),
@@ -59,7 +100,7 @@ if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
 }
 try {
   const response = await fetch(url, { headers });
-  const text = await response.text();
+  const text = await readResponseText(response);
   if (!response.ok) {
     process.stderr.write(JSON.stringify({
       status: response.status,
@@ -150,6 +191,11 @@ function shouldUseRestApi() {
  * @returns {any}
  */
 function githubRequestJson(path, options = {}) {
+  const maxBytes = remotePayloadMaxBytes(
+    ["TOPOGRAM_GITHUB_FETCH_MAX_BYTES", "TOPOGRAM_REMOTE_FETCH_MAX_BYTES"],
+    undefined,
+    ["githubFetchMaxBytes", "remoteFetchMaxBytes"]
+  );
   const result = childProcess.spawnSync(process.execPath, [
     "--input-type=module",
     "-e",
@@ -158,10 +204,12 @@ function githubRequestJson(path, options = {}) {
       baseUrl: githubApiBaseUrl(),
       path,
       query: options.query || {},
-      token: githubTokenFromEnv() || ""
+      token: githubTokenFromEnv() || "",
+      maxBytes
     })
   ], {
     encoding: "utf8",
+    maxBuffer: (maxBytes * 2) + 8192,
     env: {
       ...process.env,
       PATH: process.env.PATH || ""
@@ -479,9 +527,15 @@ function normalizeWorkflowJob(job) {
  * @returns {ReturnType<typeof childProcess.spawnSync>}
  */
 function runGh(args, cwd = process.cwd()) {
+  const maxBytes = remotePayloadMaxBytes(
+    ["TOPOGRAM_GITHUB_FETCH_MAX_BYTES", "TOPOGRAM_REMOTE_FETCH_MAX_BYTES"],
+    undefined,
+    ["githubFetchMaxBytes", "remoteFetchMaxBytes"]
+  );
   return childProcess.spawnSync("gh", args, {
     cwd,
     encoding: "utf8",
+    maxBuffer: maxBytes + 4096,
     env: {
       ...process.env,
       GH_TOKEN: process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "",

package/src/import/core/shared/files.js

@@ -50,14 +50,35 @@ export function listFilesRecursive(rootDir, predicate = () => true, options = {}
     return [];
   }
   const ignoredDirs = options.ignoredDirs || DEFAULT_IGNORED_DIRS;
+  let rootRealPath;
+  try {
+    rootRealPath = fs.realpathSync(rootDir);
+  } catch {
+    return [];
+  }
+  const visitedDirs = new Set([rootRealPath]);
   const files = /** @type {any[]} */ ([]);
   const walk = /** @param {any} currentDir */ (currentDir) => {
     for (const entry of fs.readdirSync(currentDir, { withFileTypes: true })) {
       const childPath = path.join(currentDir, entry.name);
+      if (entry.isSymbolicLink()) {
+        continue;
+      }
       if (entry.isDirectory()) {
         if (ignoredDirs.has(entry.name)) {
           continue;
         }
+        let childRealPath;
+        try {
+          childRealPath = fs.realpathSync(childPath);
+        } catch {
+          continue;
+        }
+        const relativeToRoot = path.relative(rootRealPath, childRealPath);
+        if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot) || visitedDirs.has(childRealPath)) {
+          continue;
+        }
+        visitedDirs.add(childRealPath);
         walk(childPath);
         continue;
       }

package/src/remote-payload-limits.js

@@ -0,0 +1,40 @@
+// @ts-check
+
+import { topogramRuntimeConfig } from "./topogram-config.js";
+
+export const DEFAULT_REMOTE_FETCH_MAX_BYTES = 5 * 1024 * 1024;
+
+/**
+ * @param {string|null|undefined} value
+ * @returns {number|null}
+ */
+function parsePositiveInteger(value) {
+  if (!value) {
+    return null;
+  }
+  const parsed = Number.parseInt(String(value), 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+
+/**
+ * @param {string[]} envNames
+ * @param {number} [fallback]
+ * @param {Array<"remoteFetchMaxBytes"|"catalogFetchMaxBytes"|"githubFetchMaxBytes">} [configKeys]
+ * @returns {number}
+ */
+export function remotePayloadMaxBytes(envNames, fallback = DEFAULT_REMOTE_FETCH_MAX_BYTES, configKeys = []) {
+  for (const envName of envNames) {
+    const parsed = parsePositiveInteger(process.env[envName]);
+    if (parsed) {
+      return parsed;
+    }
+  }
+  const limits = topogramRuntimeConfig(process.cwd()).limits;
+  for (const configKey of configKeys) {
+    const parsed = parsePositiveInteger(String(limits[configKey] || ""));
+    if (parsed) {
+      return parsed;
+    }
+  }
+  return fallback;
+}

package/src/template-trust/constants.js

@@ -35,7 +35,7 @@ export function unsupportedImplementationSymlinkMessage(relativePath) {
  * @returns {string}
  */
 export function implementationOutsideRootMessage(modulePath) {
-  return `Template implementation module '${modulePath}' must be under implementation/ for template-attached projects. Keep executable template code inside implementation/ so the trust record covers what topogram generate may load. Move the module back under implementation/, then run ${TRUST_REVIEW_COMMANDS} after review.`;
+  return `Template implementation module '${modulePath}' must be under implementation/. Keep executable template code inside implementation/ so the trust record covers what topogram generate may load. Move the module back under implementation/, then run ${TRUST_REVIEW_COMMANDS} after review.`;
 }
 
 /**

package/src/template-trust/policy.js

@@ -43,10 +43,9 @@ export function projectHasTemplateAttachment(projectConfig) {
  * @returns {boolean}
  */
 export function implementationRequiresTrust(implementationInfo, projectConfig = null) {
-  const fingerprint = implementationTrustFingerprint(implementationInfo.config);
-  const modulePath = path.resolve(implementationInfo.configDir, fingerprint.module);
-  const implementationRoot = path.resolve(implementationInfo.configDir, "implementation");
-  return isSameOrInside(implementationRoot, modulePath) || projectHasTemplateAttachment(projectConfig);
+  void projectConfig;
+  implementationTrustFingerprint(implementationInfo.config);
+  return true;
 }
 
 /**

package/src/template-trust/status.js

@@ -16,8 +16,7 @@ import {
 import {
   implementationModuleIsUnderRoot,
   implementationRequiresTrust,
-  implementationTrustFingerprint,
-  projectHasTemplateAttachment
+  implementationTrustFingerprint
 } from "./policy.js";
 import { readTemplateTrustRecord } from "./record.js";
 
@@ -44,7 +43,6 @@ export function assertTrustedImplementation(implementationInfo, projectConfig =
  * @returns {{ ok: boolean, requiresTrust: boolean, trustPath: string, trustRecord: import("./record.js").TemplateTrustRecord|null, template: { id: string|null, version: string|null, source: string|null, sourceSpec: string|null, requested: string|null, sourceRoot: string|null, catalog?: Record<string, any>|null, includesExecutableImplementation: boolean|null }, implementation: { id: string|null, module: string|null, export: string|null }, content: { trustedDigest: string|null, currentDigest: string|null, added: string[], removed: string[], changed: string[] }, issues: string[] }}
  */
 export function getTemplateTrustStatus(implementationInfo, projectConfig = null) {
-  const templateAttached = projectHasTemplateAttachment(projectConfig);
   if (!implementationRequiresTrust(implementationInfo, projectConfig)) {
     return {
       ok: true,
@@ -68,7 +66,7 @@ export function getTemplateTrustStatus(implementationInfo, projectConfig = null)
   /** @type {{ trustedDigest: string|null, currentDigest: string|null, added: string[], removed: string[], changed: string[] }} */
   const contentStatus = { trustedDigest: null, currentDigest: null, added: [], removed: [], changed: [] };
 
-  if (templateAttached && !moduleInsideImplementation) {
+  if (!moduleInsideImplementation) {
     issues.push(implementationOutsideRootMessage(fingerprint.module));
   }