@truefoundry/tfy-infra-engine 0.1.3-canary.abfd26a → 0.1.3

package/README.md

@@ -100,21 +100,15 @@ if (!result.driftReport.valid) {
 
 ### `engine.upgrade(envelope, currentFiles, previousManifest)`
 
-Update platform files to new template versions. Always renders new files and returns a pre-upgrade drift report. The `sourceBlocked` flag indicates a template source mismatch -- callers enforce blocking policy (FR-029).
+Update platform files to new template versions. Performs pre-upgrade drift detection and source mismatch blocking.
 
 ```typescript
 const result = await engine.upgrade(envelope, currentFiles, previousManifest);
-
 if (result.sourceBlocked) {
-  // Template source changed -- caller decides whether to proceed
-  console.log('Source mismatch detected');
-}
-if (!result.driftReport.valid) {
-  // Managed files were modified since last render
+  console.log('Upgrade blocked: template source mismatch');
+} else if (!result.driftReport.valid) {
   console.log('Pre-upgrade drift detected');
 }
-
-// result.files always contains newly rendered files, even when sourceBlocked
 ```
 
 ### `engine.hashOnly(envelope)`
@@ -152,15 +146,15 @@ if (!result.valid) {
 // inputs now has defaults applied in-place
 ```
 
-### Bundle Validation
+### Template JSON Validation
 
-Validate the top-level structure of a `bundle.json` file:
+Validate the top-level structure of a `template.json` file:
 
 ```typescript
-import { validateBundle } from '@truefoundry/tfy-infra-engine';
+import { validateTemplateJson } from '@truefoundry/tfy-infra-engine';
 
-const parsed = JSON.parse(fs.readFileSync('bundle.json', 'utf-8'));
-const { metadata, jsonSchema } = validateBundle(parsed);
+const parsed = JSON.parse(fs.readFileSync('template.json', 'utf-8'));
+const { metadata, jsonSchema } = validateTemplateJson(parsed);
 // metadata: { name, version, description? }
 // jsonSchema: the raw JSON Schema object
 ```
@@ -275,11 +269,11 @@ try {
       case EngineErrorCode.INPUT_VALIDATION_FAILED:
         console.log('Invalid inputs:', error.details);
         break;
-      case EngineErrorCode.BUNDLE_NOT_FOUND:
-        console.log('bundle.json not found in template directory');
+      case EngineErrorCode.TEMPLATE_JSON_NOT_FOUND:
+        console.log('template.json not found in template directory');
         break;
-      case EngineErrorCode.BUNDLE_INVALID:
-        console.log('bundle.json has invalid structure:', error.message);
+      case EngineErrorCode.TEMPLATE_JSON_INVALID:
+        console.log('template.json has invalid structure:', error.message);
         break;
       case EngineErrorCode.TOFU_NOT_FOUND:
         console.log('Install OpenTofu or use skipFormat option');

package/dist/index.d.mts

@@ -4,12 +4,14 @@
 declare enum EngineErrorCode {
     TEMPLATE_NOT_FOUND = "TEMPLATE_NOT_FOUND",
     NETWORK_ERROR = "NETWORK_ERROR",
+    GITHUB_NOT_FOUND = "GITHUB_NOT_FOUND",
+    GITHUB_RATE_LIMITED = "GITHUB_RATE_LIMITED",
     FILE_NOT_FOUND = "FILE_NOT_FOUND",
     HTTPS_AUTH_FAILED = "HTTPS_AUTH_FAILED",
     SCHEMA_INVALID = "SCHEMA_INVALID",
     INPUT_VALIDATION_FAILED = "INPUT_VALIDATION_FAILED",
-    BUNDLE_NOT_FOUND = "BUNDLE_NOT_FOUND",
-    BUNDLE_INVALID = "BUNDLE_INVALID",
+    TEMPLATE_JSON_NOT_FOUND = "TEMPLATE_JSON_NOT_FOUND",
+    TEMPLATE_JSON_INVALID = "TEMPLATE_JSON_INVALID",
     TEMPLATE_SYNTAX_ERROR = "TEMPLATE_SYNTAX_ERROR",
     TOFU_NOT_FOUND = "TOFU_NOT_FOUND",
     TOFU_FMT_FAILED = "TOFU_FMT_FAILED",
@@ -40,7 +42,7 @@ declare class EngineError extends Error {
  *
  * CHANGE (008): All Zod-based converter functions and zod-to-json-schema
  * import removed. Only the JSONSchema7 type interface remains.
- * Templates provide JSON Schema directly via bundle.json.
+ * Templates provide JSON Schema directly via template.json.
  */
 /**
  * JSON Schema Draft-07 type.
@@ -172,7 +174,7 @@ interface RenderOptions {
     skipFormat?: boolean;
 }
 /**
- * Metadata about a template, sourced from the "metadata" key in bundle.json.
+ * Metadata about a template, sourced from the "template" key in template.json.
  */
 interface TemplateMetadata {
     /** Template name */
@@ -186,12 +188,12 @@ interface TemplateMetadata {
  * A remote template package containing source files and schema.
  *
  * CHANGE (008): Replaced `schema: TemplateSchema` with `metadata` + `jsonSchema`.
- * Metadata comes from bundle.json "metadata" key; schema from "jsonSchema" key.
+ * Metadata comes from template.json "template" key; schema from "schema" key.
  */
 interface Template {
-    /** Template metadata from bundle.json → "metadata" key */
+    /** Template metadata from template.json → "template" key */
     metadata: TemplateMetadata;
-    /** JSON Schema Draft-07 from bundle.json → "jsonSchema" key */
+    /** JSON Schema Draft-07 from template.json → "schema" key */
     jsonSchema: JSONSchema7;
     /** Map of output paths to HBS content (rendered via Handlebars) */
     files: Map<string, string>;
@@ -421,36 +423,36 @@ interface HclEngine {
 }
 
 /**
- * Bundle structure validation using AJV.
+ * Template JSON structure validation using AJV.
  *
- * Validates the top-level structure of a bundle against the
- * bundleSchema (JSON Schema Draft-07) defined in bundle-schema.ts.
+ * Validates the top-level structure of template.json against the
+ * templateJsonSchema (JSON Schema Draft-07) defined in template-json-schema.ts.
  *
  * Reference: R-006, data-model.md validator.ts
  */
 
 /**
- * Result of validating a bundle.
+ * Result of validating a template.json file.
  */
-interface BundleValidationResult {
+interface TemplateJsonResult {
     metadata: TemplateMetadata;
     jsonSchema: JSONSchema7;
 }
 /**
- * Validate the structure of a parsed bundle.
+ * Validate the structure of a parsed template.json file.
  *
  * Checks:
- *   - Data is an object with "metadata" and "jsonSchema" keys
- *   - metadata.name is a non-empty string
- *   - metadata.version is a semver string (x.y.z)
- *   - metadata.description is an optional string
- *   - jsonSchema is a non-null object with type: "object" and properties
+ *   - Data is an object with "template" and "schema" keys
+ *   - template.name is a non-empty string
+ *   - template.version is a semver string (x.y.z)
+ *   - template.description is an optional string
+ *   - schema is a non-null object with type: "object" and properties
  *
- * @param data - Parsed JSON content from a bundle
+ * @param data - Parsed JSON content from template.json
  * @returns Validated metadata and JSON Schema
- * @throws EngineError with BUNDLE_INVALID on failure
+ * @throws EngineError with TEMPLATE_JSON_INVALID on failure
  */
-declare function validateBundle(data: unknown): BundleValidationResult;
+declare function validateTemplateJson(data: unknown): TemplateJsonResult;
 
 /**
  * AJV-based JSON Schema input validation.
@@ -478,20 +480,20 @@ declare function validateBundle(data: unknown): BundleValidationResult;
 declare function validateJsonSchemaStructure(schema: JSONSchema7): void;
 
 /**
- * JSON Schema (Draft-07) for bundle.json files.
+ * JSON Schema (Draft-07) for template.json files.
  *
- * This is the source of truth for bundle structure validation.
+ * This is the source of truth for template.json validation.
  * Used by validator.ts via AJV for runtime validation.
  *
  * Validates:
- *   - "metadata" key: name (required, non-empty), version (semver, required), description (optional string)
- *   - "jsonSchema" key: must be a JSON Schema object with type: "object" and a properties key
+ *   - "template" key: name (required, non-empty), version (semver, required), description (optional string)
+ *   - "schema" key: must be a JSON Schema object with type: "object" and a properties key
  *
- * Note: No additionalProperties: false at root level -- extra top-level keys are allowed
- * for forward compatibility (e.g., uiSchema, files, staticFiles, version).
+ * Note: No additionalProperties: false at root level — extra top-level keys are allowed
+ * for forward compatibility.
  */
 
-declare const bundleSchema: JSONSchema7;
+declare const templateJsonSchema: JSONSchema7;
 
 /**
  * Check if tofu is available in the system.
@@ -625,4 +627,4 @@ declare function parseHeader(content: string): TfyStatusHeader | undefined;
  */
 declare function createEngine(): HclEngine;
 
-export { type BundleValidationResult, DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type TemplateMetadata, type UpgradeResult, type VerifyResult, type VersionInfo, bundleSchema, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, validateBundle, validateJsonSchemaStructure };
+export { DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type UpgradeResult, type VerifyResult, type VersionInfo, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, templateJsonSchema, validateJsonSchemaStructure, validateTemplateJson };

package/dist/index.d.ts

@@ -4,12 +4,14 @@
 declare enum EngineErrorCode {
     TEMPLATE_NOT_FOUND = "TEMPLATE_NOT_FOUND",
     NETWORK_ERROR = "NETWORK_ERROR",
+    GITHUB_NOT_FOUND = "GITHUB_NOT_FOUND",
+    GITHUB_RATE_LIMITED = "GITHUB_RATE_LIMITED",
     FILE_NOT_FOUND = "FILE_NOT_FOUND",
     HTTPS_AUTH_FAILED = "HTTPS_AUTH_FAILED",
     SCHEMA_INVALID = "SCHEMA_INVALID",
     INPUT_VALIDATION_FAILED = "INPUT_VALIDATION_FAILED",
-    BUNDLE_NOT_FOUND = "BUNDLE_NOT_FOUND",
-    BUNDLE_INVALID = "BUNDLE_INVALID",
+    TEMPLATE_JSON_NOT_FOUND = "TEMPLATE_JSON_NOT_FOUND",
+    TEMPLATE_JSON_INVALID = "TEMPLATE_JSON_INVALID",
     TEMPLATE_SYNTAX_ERROR = "TEMPLATE_SYNTAX_ERROR",
     TOFU_NOT_FOUND = "TOFU_NOT_FOUND",
     TOFU_FMT_FAILED = "TOFU_FMT_FAILED",
@@ -40,7 +42,7 @@ declare class EngineError extends Error {
  *
  * CHANGE (008): All Zod-based converter functions and zod-to-json-schema
  * import removed. Only the JSONSchema7 type interface remains.
- * Templates provide JSON Schema directly via bundle.json.
+ * Templates provide JSON Schema directly via template.json.
  */
 /**
  * JSON Schema Draft-07 type.
@@ -172,7 +174,7 @@ interface RenderOptions {
     skipFormat?: boolean;
 }
 /**
- * Metadata about a template, sourced from the "metadata" key in bundle.json.
+ * Metadata about a template, sourced from the "template" key in template.json.
  */
 interface TemplateMetadata {
     /** Template name */
@@ -186,12 +188,12 @@ interface TemplateMetadata {
  * A remote template package containing source files and schema.
  *
  * CHANGE (008): Replaced `schema: TemplateSchema` with `metadata` + `jsonSchema`.
- * Metadata comes from bundle.json "metadata" key; schema from "jsonSchema" key.
+ * Metadata comes from template.json "template" key; schema from "schema" key.
  */
 interface Template {
-    /** Template metadata from bundle.json → "metadata" key */
+    /** Template metadata from template.json → "template" key */
     metadata: TemplateMetadata;
-    /** JSON Schema Draft-07 from bundle.json → "jsonSchema" key */
+    /** JSON Schema Draft-07 from template.json → "schema" key */
     jsonSchema: JSONSchema7;
     /** Map of output paths to HBS content (rendered via Handlebars) */
     files: Map<string, string>;
@@ -421,36 +423,36 @@ interface HclEngine {
 }
 
 /**
- * Bundle structure validation using AJV.
+ * Template JSON structure validation using AJV.
  *
- * Validates the top-level structure of a bundle against the
- * bundleSchema (JSON Schema Draft-07) defined in bundle-schema.ts.
+ * Validates the top-level structure of template.json against the
+ * templateJsonSchema (JSON Schema Draft-07) defined in template-json-schema.ts.
  *
  * Reference: R-006, data-model.md validator.ts
  */
 
 /**
- * Result of validating a bundle.
+ * Result of validating a template.json file.
  */
-interface BundleValidationResult {
+interface TemplateJsonResult {
     metadata: TemplateMetadata;
     jsonSchema: JSONSchema7;
 }
 /**
- * Validate the structure of a parsed bundle.
+ * Validate the structure of a parsed template.json file.
  *
  * Checks:
- *   - Data is an object with "metadata" and "jsonSchema" keys
- *   - metadata.name is a non-empty string
- *   - metadata.version is a semver string (x.y.z)
- *   - metadata.description is an optional string
- *   - jsonSchema is a non-null object with type: "object" and properties
+ *   - Data is an object with "template" and "schema" keys
+ *   - template.name is a non-empty string
+ *   - template.version is a semver string (x.y.z)
+ *   - template.description is an optional string
+ *   - schema is a non-null object with type: "object" and properties
  *
- * @param data - Parsed JSON content from a bundle
+ * @param data - Parsed JSON content from template.json
  * @returns Validated metadata and JSON Schema
- * @throws EngineError with BUNDLE_INVALID on failure
+ * @throws EngineError with TEMPLATE_JSON_INVALID on failure
  */
-declare function validateBundle(data: unknown): BundleValidationResult;
+declare function validateTemplateJson(data: unknown): TemplateJsonResult;
 
 /**
  * AJV-based JSON Schema input validation.
@@ -478,20 +480,20 @@ declare function validateBundle(data: unknown): BundleValidationResult;
 declare function validateJsonSchemaStructure(schema: JSONSchema7): void;
 
 /**
- * JSON Schema (Draft-07) for bundle.json files.
+ * JSON Schema (Draft-07) for template.json files.
  *
- * This is the source of truth for bundle structure validation.
+ * This is the source of truth for template.json validation.
  * Used by validator.ts via AJV for runtime validation.
  *
  * Validates:
- *   - "metadata" key: name (required, non-empty), version (semver, required), description (optional string)
- *   - "jsonSchema" key: must be a JSON Schema object with type: "object" and a properties key
+ *   - "template" key: name (required, non-empty), version (semver, required), description (optional string)
+ *   - "schema" key: must be a JSON Schema object with type: "object" and a properties key
  *
- * Note: No additionalProperties: false at root level -- extra top-level keys are allowed
- * for forward compatibility (e.g., uiSchema, files, staticFiles, version).
+ * Note: No additionalProperties: false at root level — extra top-level keys are allowed
+ * for forward compatibility.
  */
 
-declare const bundleSchema: JSONSchema7;
+declare const templateJsonSchema: JSONSchema7;
 
 /**
  * Check if tofu is available in the system.
@@ -625,4 +627,4 @@ declare function parseHeader(content: string): TfyStatusHeader | undefined;
  */
 declare function createEngine(): HclEngine;
 
-export { type BundleValidationResult, DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type TemplateMetadata, type UpgradeResult, type VerifyResult, type VersionInfo, bundleSchema, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, validateBundle, validateJsonSchemaStructure };
+export { DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type UpgradeResult, type VerifyResult, type VersionInfo, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, templateJsonSchema, validateJsonSchemaStructure, validateTemplateJson };

package/dist/index.js

@@ -33,15 +33,15 @@ __export(index_exports, {
   DEFAULT_PREFIX: () => DEFAULT_PREFIX,
   EngineError: () => EngineError,
   EngineErrorCode: () => EngineErrorCode,
-  bundleSchema: () => bundleSchema,
   canonicalHash: () => canonicalHash,
   classifyFile: () => classifyFile,
   createEngine: () => createEngine,
   getCanonicalHashScriptPath: () => getCanonicalHashScriptPath,
   isTofuAvailable: () => isTofuAvailable,
   parseHeader: () => parseHeader,
-  validateBundle: () => validateBundle,
-  validateJsonSchemaStructure: () => validateJsonSchemaStructure
+  templateJsonSchema: () => templateJsonSchema,
+  validateJsonSchemaStructure: () => validateJsonSchemaStructure,
+  validateTemplateJson: () => validateTemplateJson
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -49,12 +49,14 @@ module.exports = __toCommonJS(index_exports);
 var EngineErrorCode = /* @__PURE__ */ ((EngineErrorCode2) => {
   EngineErrorCode2["TEMPLATE_NOT_FOUND"] = "TEMPLATE_NOT_FOUND";
   EngineErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  EngineErrorCode2["GITHUB_NOT_FOUND"] = "GITHUB_NOT_FOUND";
+  EngineErrorCode2["GITHUB_RATE_LIMITED"] = "GITHUB_RATE_LIMITED";
   EngineErrorCode2["FILE_NOT_FOUND"] = "FILE_NOT_FOUND";
   EngineErrorCode2["HTTPS_AUTH_FAILED"] = "HTTPS_AUTH_FAILED";
   EngineErrorCode2["SCHEMA_INVALID"] = "SCHEMA_INVALID";
   EngineErrorCode2["INPUT_VALIDATION_FAILED"] = "INPUT_VALIDATION_FAILED";
-  EngineErrorCode2["BUNDLE_NOT_FOUND"] = "BUNDLE_NOT_FOUND";
-  EngineErrorCode2["BUNDLE_INVALID"] = "BUNDLE_INVALID";
+  EngineErrorCode2["TEMPLATE_JSON_NOT_FOUND"] = "TEMPLATE_JSON_NOT_FOUND";
+  EngineErrorCode2["TEMPLATE_JSON_INVALID"] = "TEMPLATE_JSON_INVALID";
   EngineErrorCode2["TEMPLATE_SYNTAX_ERROR"] = "TEMPLATE_SYNTAX_ERROR";
   EngineErrorCode2["TOFU_NOT_FOUND"] = "TOFU_NOT_FOUND";
   EngineErrorCode2["TOFU_FMT_FAILED"] = "TOFU_FMT_FAILED";
@@ -99,12 +101,12 @@ var EngineError = class _EngineError extends Error {
 // src/schema/validator.ts
 var import_ajv = __toESM(require("ajv"));
 
-// src/schema/bundle-schema.ts
-var bundleSchema = {
+// src/schema/template-json-schema.ts
+var templateJsonSchema = {
   $schema: "http://json-schema.org/draft-07/schema#",
   type: "object",
   properties: {
-    metadata: {
+    template: {
       type: "object",
       properties: {
         name: { type: "string", minLength: 1 },
@@ -114,7 +116,7 @@ var bundleSchema = {
       required: ["name", "version"],
       additionalProperties: false
     },
-    jsonSchema: {
+    schema: {
       type: "object",
       description: "JSON Schema Draft-07 defining template inputs",
       properties: {
@@ -125,7 +127,7 @@ var bundleSchema = {
       required: ["type", "properties"]
     }
   },
-  required: ["metadata", "jsonSchema"]
+  required: ["template", "schema"]
 };
 
 // src/schema/validator.ts
@@ -134,51 +136,54 @@ var ajv = new import_ajv.default({
   strict: false,
   validateSchema: false
 });
-var validate = ajv.compile(bundleSchema);
-function validateBundle(data) {
+var validate = ajv.compile(templateJsonSchema);
+function validateTemplateJson(data) {
   if (!data || typeof data !== "object" || Array.isArray(data)) {
-    throw new EngineError("bundle must be a JSON object", "BUNDLE_INVALID" /* BUNDLE_INVALID */);
+    throw new EngineError(
+      "template.json must be a JSON object",
+      "TEMPLATE_JSON_INVALID" /* TEMPLATE_JSON_INVALID */
+    );
   }
   const valid = validate(data);
   if (!valid) {
     const message = formatAjvErrors(validate.errors ?? []);
-    throw new EngineError(message, "BUNDLE_INVALID" /* BUNDLE_INVALID */);
+    throw new EngineError(message, "TEMPLATE_JSON_INVALID" /* TEMPLATE_JSON_INVALID */);
   }
   const record = data;
-  const metadataBlock = record["metadata"];
+  const templateBlock = record["template"];
   const metadata = {
-    name: metadataBlock["name"],
-    version: metadataBlock["version"],
-    ...metadataBlock["description"] !== void 0 ? { description: metadataBlock["description"] } : {}
+    name: templateBlock["name"],
+    version: templateBlock["version"],
+    ...templateBlock["description"] !== void 0 ? { description: templateBlock["description"] } : {}
   };
-  const jsonSchema = record["jsonSchema"];
+  const jsonSchema = record["schema"];
   return { metadata, jsonSchema };
 }
 function formatAjvErrors(errors) {
   const first = errors[0];
   if (!first) {
-    return "bundle validation failed";
+    return "template.json validation failed";
   }
   const path = first.instancePath || "";
   if (first.keyword === "required") {
     const prop = first.params["missingProperty"];
-    return `bundle must have a "${prop}" key`;
+    return `template.json must have a "${prop}" key`;
   }
   if (first.keyword === "type") {
     const expected = first.params["type"];
-    return `bundle${path ? ` "${dotPath(path)}"` : ""} must be ${expected}`;
+    return `template.json${path ? ` "${dotPath(path)}"` : ""} must be ${expected}`;
   }
-  if (first.keyword === "pattern" && path === "/metadata/version") {
-    return `bundle "metadata.version" must be semver format (x.y.z)`;
+  if (first.keyword === "pattern" && path === "/template/version") {
+    return `template.json "template.version" must be semver format (x.y.z)`;
   }
-  if (first.keyword === "minLength" && path === "/metadata/name") {
-    return `bundle "metadata.name" must be a non-empty string`;
+  if (first.keyword === "minLength" && path === "/template/name") {
+    return `template.json "template.name" must be a non-empty string`;
   }
   if (first.keyword === "const") {
     const expected = first.params["allowedValue"];
-    return `bundle "${dotPath(path)}" must be ${JSON.stringify(expected)}`;
+    return `template.json "${dotPath(path)}" must be ${JSON.stringify(expected)}`;
   }
-  return `bundle validation failed at ${path || "/"}: ${first.message ?? "unknown error"}`;
+  return `template.json validation failed at ${path || "/"}: ${first.message ?? "unknown error"}`;
 }
 function dotPath(jsonPointer) {
   return jsonPointer.replace(/^\//, "").replace(/\//g, ".");
@@ -696,7 +701,7 @@ function computeAggregateHash(files) {
 }
 
 // src/render/manifest.ts
-var ENGINE_VERSION = "0.1.3-canary.abfd26a";
+var ENGINE_VERSION = "0.1.3";
 function generateManifest(opts) {
   const { files, template, inputs, formatted, intentId, platformPrefix = "tfy_" } = opts;
   const manifestFiles = [];
@@ -1001,11 +1006,8 @@ var HclEngineImpl = class {
   /**
    * Upgrade: Update an existing cluster to new templates.
    *
-   * Pipeline: validate envelope → drift detection (FR-028) → validate inputs →
-   * render → format → hash + manifest.
-   *
-   * The engine always renders new files regardless of source mismatch.
-   * Callers (CLI/Server) enforce blocking policy via `sourceBlocked` flag (FR-029).
+   * Pipeline: validate envelope → drift detection (FR-028) → if source mismatch,
+   * short-circuit → validate inputs → render → format → hash + manifest.
    */
   async upgrade(envelope, currentFiles, previousManifest) {
     const validatedEnvelope = this.validateEnvelopeOrThrow(envelope);
@@ -1014,6 +1016,14 @@ var HclEngineImpl = class {
     const incomingSource = validatedEnvelope.template.source;
     const driftReport = buildDriftReport(currentFiles, previousManifest, prefix, incomingSource);
     const sourceBlocked = driftReport.summary.sourceMismatches > 0;
+    if (sourceBlocked) {
+      return {
+        files: currentFiles,
+        manifest: previousManifest,
+        driftReport,
+        sourceBlocked: true
+      };
+    }
     const { renderedFiles, template, formatted, inputsWithDefaults } = await this.renderPipeline(
       validatedEnvelope,
       options
@@ -1026,7 +1036,7 @@ var HclEngineImpl = class {
       formatted,
       prefix
     );
-    return { files: fileMap, manifest, driftReport, sourceBlocked };
+    return { files: fileMap, manifest, driftReport, sourceBlocked: false };
   }
   /**
    * Verify: Check integrity of existing files against a Manifest.
@@ -1185,14 +1195,14 @@ function createEngine() {
   DEFAULT_PREFIX,
   EngineError,
   EngineErrorCode,
-  bundleSchema,
   canonicalHash,
   classifyFile,
   createEngine,
   getCanonicalHashScriptPath,
   isTofuAvailable,
   parseHeader,
-  validateBundle,
-  validateJsonSchemaStructure
+  templateJsonSchema,
+  validateJsonSchemaStructure,
+  validateTemplateJson
 });
 //# sourceMappingURL=index.js.map