@truefoundry/tfy-infra-engine 0.1.3 → 0.1.4

package/README.md

@@ -100,15 +100,21 @@ if (!result.driftReport.valid) {
 
 ### `engine.upgrade(envelope, currentFiles, previousManifest)`
 
-Update platform files to new template versions. Performs pre-upgrade drift detection and source mismatch blocking.
+Update platform files to new template versions. Always renders new files and returns a pre-upgrade drift report. The `sourceBlocked` flag indicates a template source mismatch -- callers enforce blocking policy (FR-029).
 
 ```typescript
 const result = await engine.upgrade(envelope, currentFiles, previousManifest);
+
 if (result.sourceBlocked) {
-  console.log('Upgrade blocked: template source mismatch');
-} else if (!result.driftReport.valid) {
+  // Template source changed -- caller decides whether to proceed
+  console.log('Source mismatch detected');
+}
+if (!result.driftReport.valid) {
+  // Managed files were modified since last render
   console.log('Pre-upgrade drift detected');
 }
+
+// result.files always contains newly rendered files, even when sourceBlocked
 ```
 
 ### `engine.hashOnly(envelope)`
@@ -146,15 +152,15 @@ if (!result.valid) {
 // inputs now has defaults applied in-place
 ```
 
-### Template JSON Validation
+### Bundle Validation
 
-Validate the top-level structure of a `template.json` file:
+Validate the top-level structure of a `bundle.json` file:
 
 ```typescript
-import { validateTemplateJson } from '@truefoundry/tfy-infra-engine';
+import { validateBundle } from '@truefoundry/tfy-infra-engine';
 
-const parsed = JSON.parse(fs.readFileSync('template.json', 'utf-8'));
-const { metadata, jsonSchema } = validateTemplateJson(parsed);
+const parsed = JSON.parse(fs.readFileSync('bundle.json', 'utf-8'));
+const { metadata, jsonSchema } = validateBundle(parsed);
 // metadata: { name, version, description? }
 // jsonSchema: the raw JSON Schema object
 ```
@@ -269,11 +275,11 @@ try {
       case EngineErrorCode.INPUT_VALIDATION_FAILED:
         console.log('Invalid inputs:', error.details);
         break;
-      case EngineErrorCode.TEMPLATE_JSON_NOT_FOUND:
-        console.log('template.json not found in template directory');
+      case EngineErrorCode.BUNDLE_NOT_FOUND:
+        console.log('bundle.json not found in template directory');
         break;
-      case EngineErrorCode.TEMPLATE_JSON_INVALID:
-        console.log('template.json has invalid structure:', error.message);
+      case EngineErrorCode.BUNDLE_INVALID:
+        console.log('bundle.json has invalid structure:', error.message);
         break;
       case EngineErrorCode.TOFU_NOT_FOUND:
         console.log('Install OpenTofu or use skipFormat option');

package/dist/index.d.mts

@@ -4,14 +4,12 @@
 declare enum EngineErrorCode {
     TEMPLATE_NOT_FOUND = "TEMPLATE_NOT_FOUND",
     NETWORK_ERROR = "NETWORK_ERROR",
-    GITHUB_NOT_FOUND = "GITHUB_NOT_FOUND",
-    GITHUB_RATE_LIMITED = "GITHUB_RATE_LIMITED",
     FILE_NOT_FOUND = "FILE_NOT_FOUND",
     HTTPS_AUTH_FAILED = "HTTPS_AUTH_FAILED",
     SCHEMA_INVALID = "SCHEMA_INVALID",
     INPUT_VALIDATION_FAILED = "INPUT_VALIDATION_FAILED",
-    TEMPLATE_JSON_NOT_FOUND = "TEMPLATE_JSON_NOT_FOUND",
-    TEMPLATE_JSON_INVALID = "TEMPLATE_JSON_INVALID",
+    BUNDLE_NOT_FOUND = "BUNDLE_NOT_FOUND",
+    BUNDLE_INVALID = "BUNDLE_INVALID",
     TEMPLATE_SYNTAX_ERROR = "TEMPLATE_SYNTAX_ERROR",
     TOFU_NOT_FOUND = "TOFU_NOT_FOUND",
     TOFU_FMT_FAILED = "TOFU_FMT_FAILED",
@@ -42,7 +40,7 @@ declare class EngineError extends Error {
  *
  * CHANGE (008): All Zod-based converter functions and zod-to-json-schema
  * import removed. Only the JSONSchema7 type interface remains.
- * Templates provide JSON Schema directly via template.json.
+ * Templates provide JSON Schema directly via bundle.json.
  */
 /**
  * JSON Schema Draft-07 type.
@@ -174,7 +172,7 @@ interface RenderOptions {
     skipFormat?: boolean;
 }
 /**
- * Metadata about a template, sourced from the "template" key in template.json.
+ * Metadata about a template, sourced from the "metadata" key in bundle.json.
  */
 interface TemplateMetadata {
     /** Template name */
@@ -188,12 +186,12 @@ interface TemplateMetadata {
  * A remote template package containing source files and schema.
  *
  * CHANGE (008): Replaced `schema: TemplateSchema` with `metadata` + `jsonSchema`.
- * Metadata comes from template.json "template" key; schema from "schema" key.
+ * Metadata comes from bundle.json "metadata" key; schema from "jsonSchema" key.
  */
 interface Template {
-    /** Template metadata from template.json → "template" key */
+    /** Template metadata from bundle.json → "metadata" key */
     metadata: TemplateMetadata;
-    /** JSON Schema Draft-07 from template.json → "schema" key */
+    /** JSON Schema Draft-07 from bundle.json → "jsonSchema" key */
     jsonSchema: JSONSchema7;
     /** Map of output paths to HBS content (rendered via Handlebars) */
     files: Map<string, string>;
@@ -423,36 +421,36 @@ interface HclEngine {
 }
 
 /**
- * Template JSON structure validation using AJV.
+ * Bundle structure validation using AJV.
  *
- * Validates the top-level structure of template.json against the
- * templateJsonSchema (JSON Schema Draft-07) defined in template-json-schema.ts.
+ * Validates the top-level structure of a bundle against the
+ * bundleSchema (JSON Schema Draft-07) defined in bundle-schema.ts.
  *
  * Reference: R-006, data-model.md validator.ts
  */
 
 /**
- * Result of validating a template.json file.
+ * Result of validating a bundle.
  */
-interface TemplateJsonResult {
+interface BundleValidationResult {
     metadata: TemplateMetadata;
     jsonSchema: JSONSchema7;
 }
 /**
- * Validate the structure of a parsed template.json file.
+ * Validate the structure of a parsed bundle.
  *
  * Checks:
- *   - Data is an object with "template" and "schema" keys
- *   - template.name is a non-empty string
- *   - template.version is a semver string (x.y.z)
- *   - template.description is an optional string
- *   - schema is a non-null object with type: "object" and properties
+ *   - Data is an object with "metadata" and "jsonSchema" keys
+ *   - metadata.name is a non-empty string
+ *   - metadata.version is a semver string (x.y.z)
+ *   - metadata.description is an optional string
+ *   - jsonSchema is a non-null object with type: "object" and properties
  *
- * @param data - Parsed JSON content from template.json
+ * @param data - Parsed JSON content from a bundle
  * @returns Validated metadata and JSON Schema
- * @throws EngineError with TEMPLATE_JSON_INVALID on failure
+ * @throws EngineError with BUNDLE_INVALID on failure
  */
-declare function validateTemplateJson(data: unknown): TemplateJsonResult;
+declare function validateBundle(data: unknown): BundleValidationResult;
 
 /**
  * AJV-based JSON Schema input validation.
@@ -480,20 +478,20 @@ declare function validateTemplateJson(data: unknown): TemplateJsonResult;
 declare function validateJsonSchemaStructure(schema: JSONSchema7): void;
 
 /**
- * JSON Schema (Draft-07) for template.json files.
+ * JSON Schema (Draft-07) for bundle.json files.
  *
- * This is the source of truth for template.json validation.
+ * This is the source of truth for bundle structure validation.
  * Used by validator.ts via AJV for runtime validation.
  *
  * Validates:
- *   - "template" key: name (required, non-empty), version (semver, required), description (optional string)
- *   - "schema" key: must be a JSON Schema object with type: "object" and a properties key
+ *   - "metadata" key: name (required, non-empty), version (semver, required), description (optional string)
+ *   - "jsonSchema" key: must be a JSON Schema object with type: "object" and a properties key
  *
- * Note: No additionalProperties: false at root level — extra top-level keys are allowed
- * for forward compatibility.
+ * Note: No additionalProperties: false at root level -- extra top-level keys are allowed
+ * for forward compatibility (e.g., uiSchema, files, staticFiles, version).
  */
 
-declare const templateJsonSchema: JSONSchema7;
+declare const bundleSchema: JSONSchema7;
 
 /**
  * Check if tofu is available in the system.
@@ -627,4 +625,4 @@ declare function parseHeader(content: string): TfyStatusHeader | undefined;
  */
 declare function createEngine(): HclEngine;
 
-export { DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type UpgradeResult, type VerifyResult, type VersionInfo, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, templateJsonSchema, validateJsonSchemaStructure, validateTemplateJson };
+export { type BundleValidationResult, DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type TemplateMetadata, type UpgradeResult, type VerifyResult, type VersionInfo, bundleSchema, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, validateBundle, validateJsonSchemaStructure };

package/dist/index.d.ts

@@ -4,14 +4,12 @@
 declare enum EngineErrorCode {
     TEMPLATE_NOT_FOUND = "TEMPLATE_NOT_FOUND",
     NETWORK_ERROR = "NETWORK_ERROR",
-    GITHUB_NOT_FOUND = "GITHUB_NOT_FOUND",
-    GITHUB_RATE_LIMITED = "GITHUB_RATE_LIMITED",
     FILE_NOT_FOUND = "FILE_NOT_FOUND",
     HTTPS_AUTH_FAILED = "HTTPS_AUTH_FAILED",
     SCHEMA_INVALID = "SCHEMA_INVALID",
     INPUT_VALIDATION_FAILED = "INPUT_VALIDATION_FAILED",
-    TEMPLATE_JSON_NOT_FOUND = "TEMPLATE_JSON_NOT_FOUND",
-    TEMPLATE_JSON_INVALID = "TEMPLATE_JSON_INVALID",
+    BUNDLE_NOT_FOUND = "BUNDLE_NOT_FOUND",
+    BUNDLE_INVALID = "BUNDLE_INVALID",
     TEMPLATE_SYNTAX_ERROR = "TEMPLATE_SYNTAX_ERROR",
     TOFU_NOT_FOUND = "TOFU_NOT_FOUND",
     TOFU_FMT_FAILED = "TOFU_FMT_FAILED",
@@ -42,7 +40,7 @@ declare class EngineError extends Error {
  *
  * CHANGE (008): All Zod-based converter functions and zod-to-json-schema
  * import removed. Only the JSONSchema7 type interface remains.
- * Templates provide JSON Schema directly via template.json.
+ * Templates provide JSON Schema directly via bundle.json.
  */
 /**
  * JSON Schema Draft-07 type.
@@ -174,7 +172,7 @@ interface RenderOptions {
     skipFormat?: boolean;
 }
 /**
- * Metadata about a template, sourced from the "template" key in template.json.
+ * Metadata about a template, sourced from the "metadata" key in bundle.json.
  */
 interface TemplateMetadata {
     /** Template name */
@@ -188,12 +186,12 @@ interface TemplateMetadata {
  * A remote template package containing source files and schema.
  *
  * CHANGE (008): Replaced `schema: TemplateSchema` with `metadata` + `jsonSchema`.
- * Metadata comes from template.json "template" key; schema from "schema" key.
+ * Metadata comes from bundle.json "metadata" key; schema from "jsonSchema" key.
  */
 interface Template {
-    /** Template metadata from template.json → "template" key */
+    /** Template metadata from bundle.json → "metadata" key */
     metadata: TemplateMetadata;
-    /** JSON Schema Draft-07 from template.json → "schema" key */
+    /** JSON Schema Draft-07 from bundle.json → "jsonSchema" key */
     jsonSchema: JSONSchema7;
     /** Map of output paths to HBS content (rendered via Handlebars) */
     files: Map<string, string>;
@@ -423,36 +421,36 @@ interface HclEngine {
 }
 
 /**
- * Template JSON structure validation using AJV.
+ * Bundle structure validation using AJV.
  *
- * Validates the top-level structure of template.json against the
- * templateJsonSchema (JSON Schema Draft-07) defined in template-json-schema.ts.
+ * Validates the top-level structure of a bundle against the
+ * bundleSchema (JSON Schema Draft-07) defined in bundle-schema.ts.
  *
  * Reference: R-006, data-model.md validator.ts
  */
 
 /**
- * Result of validating a template.json file.
+ * Result of validating a bundle.
  */
-interface TemplateJsonResult {
+interface BundleValidationResult {
     metadata: TemplateMetadata;
     jsonSchema: JSONSchema7;
 }
 /**
- * Validate the structure of a parsed template.json file.
+ * Validate the structure of a parsed bundle.
  *
  * Checks:
- *   - Data is an object with "template" and "schema" keys
- *   - template.name is a non-empty string
- *   - template.version is a semver string (x.y.z)
- *   - template.description is an optional string
- *   - schema is a non-null object with type: "object" and properties
+ *   - Data is an object with "metadata" and "jsonSchema" keys
+ *   - metadata.name is a non-empty string
+ *   - metadata.version is a semver string (x.y.z)
+ *   - metadata.description is an optional string
+ *   - jsonSchema is a non-null object with type: "object" and properties
  *
- * @param data - Parsed JSON content from template.json
+ * @param data - Parsed JSON content from a bundle
  * @returns Validated metadata and JSON Schema
- * @throws EngineError with TEMPLATE_JSON_INVALID on failure
+ * @throws EngineError with BUNDLE_INVALID on failure
  */
-declare function validateTemplateJson(data: unknown): TemplateJsonResult;
+declare function validateBundle(data: unknown): BundleValidationResult;
 
 /**
  * AJV-based JSON Schema input validation.
@@ -480,20 +478,20 @@ declare function validateTemplateJson(data: unknown): TemplateJsonResult;
 declare function validateJsonSchemaStructure(schema: JSONSchema7): void;
 
 /**
- * JSON Schema (Draft-07) for template.json files.
+ * JSON Schema (Draft-07) for bundle.json files.
  *
- * This is the source of truth for template.json validation.
+ * This is the source of truth for bundle structure validation.
  * Used by validator.ts via AJV for runtime validation.
  *
  * Validates:
- *   - "template" key: name (required, non-empty), version (semver, required), description (optional string)
- *   - "schema" key: must be a JSON Schema object with type: "object" and a properties key
+ *   - "metadata" key: name (required, non-empty), version (semver, required), description (optional string)
+ *   - "jsonSchema" key: must be a JSON Schema object with type: "object" and a properties key
  *
- * Note: No additionalProperties: false at root level — extra top-level keys are allowed
- * for forward compatibility.
+ * Note: No additionalProperties: false at root level -- extra top-level keys are allowed
+ * for forward compatibility (e.g., uiSchema, files, staticFiles, version).
  */
 
-declare const templateJsonSchema: JSONSchema7;
+declare const bundleSchema: JSONSchema7;
 
 /**
  * Check if tofu is available in the system.
@@ -627,4 +625,4 @@ declare function parseHeader(content: string): TfyStatusHeader | undefined;
  */
 declare function createEngine(): HclEngine;
 
-export { DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type UpgradeResult, type VerifyResult, type VersionInfo, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, templateJsonSchema, validateJsonSchemaStructure, validateTemplateJson };
+export { type BundleValidationResult, DEFAULT_PREFIX, type DriftReport, type DriftType, EngineError, EngineErrorCode, type Envelope, type FileEntry, type FileMap, type HashOnlyResult, type InstallResult, type JSONSchema7, type Manifest, type Resolver, type ResolverOptions, type Template, type TemplateMetadata, type UpgradeResult, type VerifyResult, type VersionInfo, bundleSchema, canonicalHash, classifyFile, createEngine, getCanonicalHashScriptPath, isTofuAvailable, parseHeader, validateBundle, validateJsonSchemaStructure };

package/dist/index.js

@@ -33,15 +33,15 @@ __export(index_exports, {
   DEFAULT_PREFIX: () => DEFAULT_PREFIX,
   EngineError: () => EngineError,
   EngineErrorCode: () => EngineErrorCode,
+  bundleSchema: () => bundleSchema,
   canonicalHash: () => canonicalHash,
   classifyFile: () => classifyFile,
   createEngine: () => createEngine,
   getCanonicalHashScriptPath: () => getCanonicalHashScriptPath,
   isTofuAvailable: () => isTofuAvailable,
   parseHeader: () => parseHeader,
-  templateJsonSchema: () => templateJsonSchema,
-  validateJsonSchemaStructure: () => validateJsonSchemaStructure,
-  validateTemplateJson: () => validateTemplateJson
+  validateBundle: () => validateBundle,
+  validateJsonSchemaStructure: () => validateJsonSchemaStructure
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -49,14 +49,12 @@ module.exports = __toCommonJS(index_exports);
 var EngineErrorCode = /* @__PURE__ */ ((EngineErrorCode2) => {
   EngineErrorCode2["TEMPLATE_NOT_FOUND"] = "TEMPLATE_NOT_FOUND";
   EngineErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
-  EngineErrorCode2["GITHUB_NOT_FOUND"] = "GITHUB_NOT_FOUND";
-  EngineErrorCode2["GITHUB_RATE_LIMITED"] = "GITHUB_RATE_LIMITED";
   EngineErrorCode2["FILE_NOT_FOUND"] = "FILE_NOT_FOUND";
   EngineErrorCode2["HTTPS_AUTH_FAILED"] = "HTTPS_AUTH_FAILED";
   EngineErrorCode2["SCHEMA_INVALID"] = "SCHEMA_INVALID";
   EngineErrorCode2["INPUT_VALIDATION_FAILED"] = "INPUT_VALIDATION_FAILED";
-  EngineErrorCode2["TEMPLATE_JSON_NOT_FOUND"] = "TEMPLATE_JSON_NOT_FOUND";
-  EngineErrorCode2["TEMPLATE_JSON_INVALID"] = "TEMPLATE_JSON_INVALID";
+  EngineErrorCode2["BUNDLE_NOT_FOUND"] = "BUNDLE_NOT_FOUND";
+  EngineErrorCode2["BUNDLE_INVALID"] = "BUNDLE_INVALID";
   EngineErrorCode2["TEMPLATE_SYNTAX_ERROR"] = "TEMPLATE_SYNTAX_ERROR";
   EngineErrorCode2["TOFU_NOT_FOUND"] = "TOFU_NOT_FOUND";
   EngineErrorCode2["TOFU_FMT_FAILED"] = "TOFU_FMT_FAILED";
@@ -101,12 +99,12 @@ var EngineError = class _EngineError extends Error {
 // src/schema/validator.ts
 var import_ajv = __toESM(require("ajv"));
 
-// src/schema/template-json-schema.ts
-var templateJsonSchema = {
+// src/schema/bundle-schema.ts
+var bundleSchema = {
   $schema: "http://json-schema.org/draft-07/schema#",
   type: "object",
   properties: {
-    template: {
+    metadata: {
       type: "object",
       properties: {
         name: { type: "string", minLength: 1 },
@@ -116,7 +114,7 @@ var templateJsonSchema = {
       required: ["name", "version"],
       additionalProperties: false
     },
-    schema: {
+    jsonSchema: {
       type: "object",
       description: "JSON Schema Draft-07 defining template inputs",
       properties: {
@@ -127,7 +125,7 @@ var templateJsonSchema = {
       required: ["type", "properties"]
     }
   },
-  required: ["template", "schema"]
+  required: ["metadata", "jsonSchema"]
 };
 
 // src/schema/validator.ts
@@ -136,54 +134,51 @@ var ajv = new import_ajv.default({
   strict: false,
   validateSchema: false
 });
-var validate = ajv.compile(templateJsonSchema);
-function validateTemplateJson(data) {
+var validate = ajv.compile(bundleSchema);
+function validateBundle(data) {
   if (!data || typeof data !== "object" || Array.isArray(data)) {
-    throw new EngineError(
-      "template.json must be a JSON object",
-      "TEMPLATE_JSON_INVALID" /* TEMPLATE_JSON_INVALID */
-    );
+    throw new EngineError("bundle must be a JSON object", "BUNDLE_INVALID" /* BUNDLE_INVALID */);
   }
   const valid = validate(data);
   if (!valid) {
     const message = formatAjvErrors(validate.errors ?? []);
-    throw new EngineError(message, "TEMPLATE_JSON_INVALID" /* TEMPLATE_JSON_INVALID */);
+    throw new EngineError(message, "BUNDLE_INVALID" /* BUNDLE_INVALID */);
   }
   const record = data;
-  const templateBlock = record["template"];
+  const metadataBlock = record["metadata"];
   const metadata = {
-    name: templateBlock["name"],
-    version: templateBlock["version"],
-    ...templateBlock["description"] !== void 0 ? { description: templateBlock["description"] } : {}
+    name: metadataBlock["name"],
+    version: metadataBlock["version"],
+    ...metadataBlock["description"] !== void 0 ? { description: metadataBlock["description"] } : {}
   };
-  const jsonSchema = record["schema"];
+  const jsonSchema = record["jsonSchema"];
   return { metadata, jsonSchema };
 }
 function formatAjvErrors(errors) {
   const first = errors[0];
   if (!first) {
-    return "template.json validation failed";
+    return "bundle validation failed";
   }
   const path = first.instancePath || "";
   if (first.keyword === "required") {
     const prop = first.params["missingProperty"];
-    return `template.json must have a "${prop}" key`;
+    return `bundle must have a "${prop}" key`;
   }
   if (first.keyword === "type") {
     const expected = first.params["type"];
-    return `template.json${path ? ` "${dotPath(path)}"` : ""} must be ${expected}`;
+    return `bundle${path ? ` "${dotPath(path)}"` : ""} must be ${expected}`;
   }
-  if (first.keyword === "pattern" && path === "/template/version") {
-    return `template.json "template.version" must be semver format (x.y.z)`;
+  if (first.keyword === "pattern" && path === "/metadata/version") {
+    return `bundle "metadata.version" must be semver format (x.y.z)`;
   }
-  if (first.keyword === "minLength" && path === "/template/name") {
-    return `template.json "template.name" must be a non-empty string`;
+  if (first.keyword === "minLength" && path === "/metadata/name") {
+    return `bundle "metadata.name" must be a non-empty string`;
   }
   if (first.keyword === "const") {
     const expected = first.params["allowedValue"];
-    return `template.json "${dotPath(path)}" must be ${JSON.stringify(expected)}`;
+    return `bundle "${dotPath(path)}" must be ${JSON.stringify(expected)}`;
   }
-  return `template.json validation failed at ${path || "/"}: ${first.message ?? "unknown error"}`;
+  return `bundle validation failed at ${path || "/"}: ${first.message ?? "unknown error"}`;
 }
 function dotPath(jsonPointer) {
   return jsonPointer.replace(/^\//, "").replace(/\//g, ".");
@@ -701,7 +696,7 @@ function computeAggregateHash(files) {
 }
 
 // src/render/manifest.ts
-var ENGINE_VERSION = "0.1.3";
+var ENGINE_VERSION = "0.1.4";
 function generateManifest(opts) {
   const { files, template, inputs, formatted, intentId, platformPrefix = "tfy_" } = opts;
   const manifestFiles = [];
@@ -1006,8 +1001,11 @@ var HclEngineImpl = class {
   /**
    * Upgrade: Update an existing cluster to new templates.
    *
-   * Pipeline: validate envelope → drift detection (FR-028) → if source mismatch,
-   * short-circuit → validate inputs → render → format → hash + manifest.
+   * Pipeline: validate envelope → drift detection (FR-028) → validate inputs →
+   * render → format → hash + manifest.
+   *
+   * The engine always renders new files regardless of source mismatch.
+   * Callers (CLI/Server) enforce blocking policy via `sourceBlocked` flag (FR-029).
    */
   async upgrade(envelope, currentFiles, previousManifest) {
     const validatedEnvelope = this.validateEnvelopeOrThrow(envelope);
@@ -1016,14 +1014,6 @@ var HclEngineImpl = class {
     const incomingSource = validatedEnvelope.template.source;
     const driftReport = buildDriftReport(currentFiles, previousManifest, prefix, incomingSource);
     const sourceBlocked = driftReport.summary.sourceMismatches > 0;
-    if (sourceBlocked) {
-      return {
-        files: currentFiles,
-        manifest: previousManifest,
-        driftReport,
-        sourceBlocked: true
-      };
-    }
     const { renderedFiles, template, formatted, inputsWithDefaults } = await this.renderPipeline(
       validatedEnvelope,
       options
@@ -1036,7 +1026,7 @@ var HclEngineImpl = class {
       formatted,
       prefix
     );
-    return { files: fileMap, manifest, driftReport, sourceBlocked: false };
+    return { files: fileMap, manifest, driftReport, sourceBlocked };
   }
   /**
    * Verify: Check integrity of existing files against a Manifest.
@@ -1195,14 +1185,14 @@ function createEngine() {
   DEFAULT_PREFIX,
   EngineError,
   EngineErrorCode,
+  bundleSchema,
   canonicalHash,
   classifyFile,
   createEngine,
   getCanonicalHashScriptPath,
   isTofuAvailable,
   parseHeader,
-  templateJsonSchema,
-  validateJsonSchemaStructure,
-  validateTemplateJson
+  validateBundle,
+  validateJsonSchemaStructure
 });
 //# sourceMappingURL=index.js.map