limina 0.0.2 → 0.0.4

package/cli.js

@@ -1,18 +1,18 @@
 #!/usr/bin/env node
 import "./chunks/dep-lkQg1P9Q.js";
-import { d as normalizeSlashes, f as normalizeWorkspacePath, h as toRelativePath, i as loadConfig, l as isPathInsideDirectory, m as toPosixPath, n as getActiveCheckerExtensions, p as toAbsolutePath, r as getActiveCheckers, u as normalizeAbsolutePath } from "./chunks/dep-jgc7X0zw.js";
-import { A as shouldResolveThroughGraph$1, B as createExtensionPattern, C as formatArtifactDependencyPolicy, D as isRelativeSpecifier, E as isDtsProjectConfig, F as collectCheckerEntryProjectRoutes, G as isDtsConfigPath, H as formatReferences, I as collectGraphProjectRoute, J as parseProjectFileNamesForExtensions, K as isOrdinaryTypecheckConfigPath, L as collectGraphProjectRouteFromRoot, M as collectWorkspacePackages, N as findPackageForSpecifier, O as parseProject$1, P as getPackageRootSpecifier, R as collectGraphProjectRoutes, S as findTargetProject, T as inferPackageProject$1, U as getDtsCompanionConfigPath, V as createFormatHost, W as getRawReferencePaths, X as resolveProjectConfigPath, Y as readJsonConfig, Z as resolveReferencePath, _ as normalizeGraphRules, a as runSourceCheck, b as findImporterForFile$1, c as GraphLogger, d as ProofLogger, f as clearCliScreen, g as getDeniedRefRule, h as getDeniedDepRuleForSpecifier, i as runCheckerTypecheck, j as collectImporters, k as resolveInternalImport$1, l as PackageLogger, m as getDeniedDepRuleForPackage, n as createLiminaFlowReporter, o as runInit, p as formatErrorMessage$1, q as parseProjectFileNames, r as runCheckerBuild, s as CliLogger, u as PathsLogger, v as collectImportsFromFile$1, w as getTypecheckConfigPath, x as findPackageForFile, y as createFileOwnerLookup$1 } from "./chunks/dep-uPXyoC0V.js";
-import { builtinModules } from "node:module";
+import { c as getCheckerAdapter, d as normalizeAbsolutePath, f as normalizeSlashes, g as toRelativePath, h as toPosixPath, i as loadConfig, l as normalizeExtensions, m as toAbsolutePath, n as getActiveCheckerExtensions, p as normalizeWorkspacePath, r as getActiveCheckers, u as isPathInsideDirectory } from "./chunks/dep-DzYrmtQJ.js";
+import { $ as resolveReferencePath, A as resolveInternalImport$1, B as collectGraphProjectRouteFromRoot, C as findTargetProject, D as isDtsProjectConfig, E as inferPackageProject$1, F as getPackageRootSpecifier, G as createFormatHost, H as collectSourceGraphProjectExtensions, I as getPublishDependencySections, J as getRawReferencePaths, K as formatReferences, L as isWorkspaceDependencySpecifier, M as collectImporters, N as collectWorkspacePackages, O as isRelativeSpecifier, P as findPackageForSpecifier, Q as resolveProjectConfigPath, R as collectCheckerEntryProjectRoutes, S as findPackageForFile, T as getTypecheckConfigPath, U as createExtensionPattern, V as collectGraphProjectRoutes, W as createExtraFileExtensions, X as parseProjectFileNamesForExtensions, Y as isOrdinaryTypecheckConfigPath, Z as readJsonConfig, _ as getDeniedRefRule, a as runSourceCheck, b as createFileOwnerLookup$1, c as GraphLogger, d as ProofLogger, f as ReleaseLogger, g as getDeniedDepRuleForSpecifier, h as getDeniedDepRuleForPackage, i as runCheckerTypecheck, j as shouldResolveThroughGraph$1, k as parseProject$1, l as PackageLogger, m as formatErrorMessage$1, n as createLiminaFlowReporter, o as runInit, p as clearCliScreen, q as getDtsCompanionConfigPath, r as runCheckerBuild, s as CliLogger, u as PathsLogger, v as normalizeGraphRules, w as formatArtifactDependencyPolicy, x as findImporterForFile$1, y as collectImportsFromFile$1, z as collectGraphProjectRoute } from "./chunks/dep-ZRIm_-Zk.js";
+import { builtinModules, createRequire } from "node:module";
 import { cac } from "cac";
 import { createElapsedTimer } from "logaria/helper";
 import { existsSync, readFileSync } from "node:fs";
 import path from "node:path";
 import ts from "typescript";
-import { spawn, spawnSync } from "node:child_process";
+import { execFile, spawn, spawnSync } from "node:child_process";
 import { glob } from "tinyglobby";
 import { mkdir, mkdtemp, readFile, readdir, rm, writeFile } from "node:fs/promises";
 import { checkPackage, createPackageFromTarballData } from "@arethetypeswrong/core";
-import { pack } from "@publint/pack";
+import { pack, unpack } from "@publint/pack";
 import { init, parse } from "es-module-lexer";
 import { tmpdir } from "node:os";
 import { publint } from "publint";
@@ -112,7 +112,7 @@ function addTypecheckParityProblems(config, dtsProject, problems) {
 		].join("\n"));
 		return;
 	}
-	const typecheckProject = parseProject$1(config, typecheckConfigPath);
+	const typecheckProject = parseProject$1(config, typecheckConfigPath, dtsProject.extensions);
 	for (const optionName of comparableTypecheckOptions) {
 		const buildValue = dtsProject.options[optionName];
 		const typecheckValue = typecheckProject.options[optionName];
@@ -224,9 +224,9 @@ function addWorkspaceReferenceDependencyProblems(config, project, projectsByPath
 	}
 }
 async function runGraphCheckInternal(config, options = {}) {
-	const graphRoute = collectGraphProjectRoute(config);
-	const projectPaths = graphRoute.projectPaths;
-	const projects = projectPaths.map((projectPath) => parseProject$1(config, projectPath));
+	const graphRoute = collectSourceGraphProjectExtensions(config);
+	const projectPaths = [...graphRoute.projectExtensionsByPath.keys()].sort();
+	const projects = projectPaths.map((projectPath) => parseProject$1(config, projectPath, graphRoute.projectExtensionsByPath.get(projectPath)));
 	const projectsByPath = new Map(projects.map((project) => [project.configPath, project]));
 	const fileOwnerLookup = createFileOwnerLookup$1(projects);
 	const packages = await collectWorkspacePackages(config);
@@ -255,7 +255,7 @@ async function runGraphCheckInternal(config, options = {}) {
 			rules: graphRules
 		});
 		addWorkspaceReferenceDependencyProblems(config, project, projectsByPath, packages, importers, problems);
-		for (const filePath of project.fileNames) for (const importRecord of collectImportsFromFile$1(filePath)) {
+		for (const filePath of project.fileNames) for (const importRecord of collectImportsFromFile$1(filePath, config.rootDir)) {
 			const rawDeniedDepRule = getDeniedDepRuleForSpecifier(graphRules, project.label, importRecord.specifier);
 			if (rawDeniedDepRule) {
 				addDeniedDepImportProblem({
@@ -267,7 +267,7 @@ async function runGraphCheckInternal(config, options = {}) {
 				});
 				continue;
 			}
-			const resolvedFilePath = resolveInternalImport$1(importRecord.specifier, filePath, project.options);
+			const resolvedFilePath = resolveInternalImport$1(importRecord.specifier, filePath, project.options, project.extensions);
 			const targetPackage = findPackageForSpecifier(importRecord.specifier, packages);
 			const importer = findImporterForFile$1(importRecord.filePath, importers);
 			if (!resolvedFilePath) {
@@ -436,8 +436,7 @@ const ATTW_PROFILE_IGNORED_RESOLUTIONS = {
 	"esm-only": ["node16-cjs"]
 };
 const nodeBuiltinSpecifiers = new Set(builtinModules.flatMap((specifier) => specifier.startsWith("node:") ? [specifier, specifier.slice(5)] : [specifier, `node:${specifier}`]));
-const REQUIRED_PUBLIC_PACKAGE_FILES = ["README.md", "LICENSE.md"];
-function isRecord(value) {
+function isRecord$1(value) {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function isPackageCheckTool(value) {
@@ -452,7 +451,7 @@ function toArrayBuffer(buffer) {
 function collectSelfSpecifierMatchers(packageName, exportsField) {
 	const exact = new Set([packageName]);
 	const prefixes = [];
-	if (!isRecord(exportsField)) return {
+	if (!isRecord$1(exportsField)) return {
 		exact,
 		prefixes
 	};
@@ -535,8 +534,8 @@ function formatAttwProblem(problem) {
 		default: return `Unknown ATTW problem: ${JSON.stringify(problem)}`;
 	}
 }
-function normalizeTargetChecks(target) {
-	const checks = target.checks ?? DEFAULT_PACKAGE_CHECKS;
+function normalizeEntryChecks(entry) {
+	const checks = entry.checks ?? DEFAULT_PACKAGE_CHECKS;
 	const normalizedChecks = [];
 	for (const check of checks) {
 		if (!isPackageCheckTool(check)) throw new Error(`Invalid package check "${check}". Expected one of: publint, attw, boundary.`);
@@ -544,8 +543,8 @@ function normalizeTargetChecks(target) {
 	}
 	return normalizedChecks;
 }
-function selectTargetChecks(target, requestedTool) {
-	const configuredChecks = normalizeTargetChecks(target);
+function selectEntryChecks(entry, requestedTool) {
+	const configuredChecks = normalizeEntryChecks(entry);
 	if (!requestedTool || requestedTool === "all") return configuredChecks;
 	return configuredChecks.includes(requestedTool) ? [requestedTool] : [];
 }
@@ -573,61 +572,84 @@ function readCwdPackageName(cwd, rootDir) {
 		throw new Error(`Unable to read package name from ${packageJsonPath}: ${formatErrorMessage$1(error)}`);
 	}
 }
-function formatConfiguredTargetNames(targets) {
-	const names = targets.map((target) => target.name).filter((name) => Boolean(name));
+function formatConfiguredPackageEntryNames(entries) {
+	const names = entries.map((entry) => entry.name).filter(Boolean);
 	return names.length > 0 ? names.join(", ") : "(none)";
 }
-function resolveTargetOutDir(options) {
-	const outDir = options.target.outDir;
-	if (typeof outDir !== "string" || outDir.trim().length === 0) throw new Error(`Invalid package check target at packageChecks.targets[${options.targetIndex}].outDir. Expected a non-empty string.`);
+function getConfiguredPackageEntries(config) {
+	return config.package?.entries ?? [];
+}
+function normalizePackageNameFilters(packageNames) {
+	const normalizedNames = [];
+	for (const packageName of packageNames ?? []) {
+		const normalizedName = packageName.trim();
+		if (normalizedName && !normalizedNames.includes(normalizedName)) normalizedNames.push(normalizedName);
+	}
+	return normalizedNames;
+}
+function resolvePackageEntryOutDir(options) {
+	const outDir = options.entry.outDir;
+	if (typeof outDir !== "string" || outDir.trim().length === 0) throw new Error(`Invalid package entry at package.entries[${options.entryIndex}].outDir. Expected a non-empty string.`);
 	return path.resolve(options.config.rootDir, outDir);
 }
-function getTargetLabel(config, target, outDir) {
-	return target.name ?? toRelativePath(config.rootDir, outDir);
+function getPackageEntryLabel(options) {
+	const name = options.entry.name;
+	if (typeof name !== "string" || name.trim().length === 0) throw new Error(`Invalid package entry at package.entries[${options.entryIndex}].name. Expected a non-empty string.`);
+	return name.trim();
 }
-function createTargetPlan(options) {
-	const outDir = resolveTargetOutDir({
+function createEntryPlan(options) {
+	const outDir = resolvePackageEntryOutDir({
 		config: options.config,
-		target: options.target,
-		targetIndex: options.targetIndex
+		entry: options.entry,
+		entryIndex: options.entryIndex
 	});
 	return {
-		checks: selectTargetChecks(options.target, options.requestedTool),
-		label: getTargetLabel(options.config, options.target, outDir),
+		checks: selectEntryChecks(options.entry, options.requestedTool),
+		entryIndex: options.entryIndex,
+		label: getPackageEntryLabel({
+			entry: options.entry,
+			entryIndex: options.entryIndex
+		}),
 		outDir,
-		rawTarget: options.target
+		rawEntry: options.entry
 	};
 }
-function createPackageCheckPlan(options) {
-	const targets = options.config.packageChecks?.targets ?? [];
-	if (targets.length === 0) throw new Error("No package check targets are configured.");
-	let selectedTargets;
+function createPackageEntrySelectionPlan(options) {
+	const entries = getConfiguredPackageEntries(options.config);
+	if (entries.length === 0) throw new Error("No package entries are configured.");
+	let selectedEntries;
 	let selectionReason;
-	if (options.targetName) {
-		selectedTargets = targets.filter((target) => target.name === options.targetName);
-		if (selectedTargets.length === 0) throw new Error([`No package check target named "${options.targetName}" is configured.`, `Configured target names: ${formatConfiguredTargetNames(targets)}.`].join(" "));
-		selectionReason = `--package "${options.targetName}" matched configured target name.`;
+	const packageNames = normalizePackageNameFilters(options.packageNames);
+	if (packageNames.length > 0) {
+		selectedEntries = packageNames.map((packageName) => {
+			const entry = entries.find((candidate) => candidate.name === packageName);
+			if (!entry) throw new Error([`No package entry named "${packageName}" is configured.`, `Configured package entries: ${formatConfiguredPackageEntryNames(entries)}.`].join(" "));
+			return entry;
+		});
+		selectionReason = `--package matched configured package entry name(s): ${packageNames.join(", ")}.`;
 	} else {
 		const cwdPackageName = readCwdPackageName(options.cwd, options.config.rootDir);
 		if (cwdPackageName) {
-			selectedTargets = targets.filter((target) => target.name === cwdPackageName);
-			if (selectedTargets.length > 0) selectionReason = `nearest package.json name "${cwdPackageName}" matched configured target name.`;
+			selectedEntries = entries.filter((entry) => entry.name === cwdPackageName);
+			if (selectedEntries.length > 0) selectionReason = `nearest package.json name "${cwdPackageName}" matched configured package entry name.`;
+			else if (options.strictCwd) throw new Error([`Nearest package.json name "${cwdPackageName}" does not match a configured package entry.`, `Configured package entries: ${formatConfiguredPackageEntryNames(entries)}.`].join(" "));
 			else {
-				selectedTargets = targets;
-				selectionReason = `nearest package.json name "${cwdPackageName}" did not match configured target names; running all configured targets.`;
+				selectedEntries = entries;
+				selectionReason = `nearest package.json name "${cwdPackageName}" did not match configured package entries; running all configured entries.`;
 			}
-		} else {
-			selectedTargets = targets;
-			selectionReason = "No package name was found from cwd up to the workspace root; running all configured targets.";
+		} else if (options.strictCwd) throw new Error(["No package name was found from cwd up to the workspace root.", "Run from a configured package directory or pass --package <name>."].join(" "));
+		else {
+			selectedEntries = entries;
+			selectionReason = "No package name was found from cwd up to the workspace root; running all configured entries.";
 		}
 	}
 	return {
 		selectionReason,
-		targets: selectedTargets.map((target) => createTargetPlan({
+		entries: selectedEntries.map((entry) => createEntryPlan({
 			config: options.config,
-			requestedTool: options.tool,
-			target,
-			targetIndex: targets.indexOf(target)
+			entry,
+			entryIndex: entries.indexOf(entry),
+			requestedTool: options.tool
 		}))
 	};
 }
@@ -637,11 +659,11 @@ function logPackageCheckPlan(options) {
 		`  config: ${toRelativePath(options.config.rootDir, options.config.configPath)}`,
 		`  cwd: ${toRelativePath(options.config.rootDir, options.cwd)}`,
 		`  selection: ${options.plan.selectionReason}`,
-		"  targets:",
-		...options.plan.targets.map((target) => [
-			`    - ${target.label}`,
-			`      outDir: ${toRelativePath(options.config.rootDir, target.outDir)}`,
-			`      checks: ${target.checks.length > 0 ? target.checks.join(", ") : "(none)"}`
+		"  entries:",
+		...options.plan.entries.map((entry) => [
+			`    - ${entry.label}`,
+			`      outDir: ${toRelativePath(options.config.rootDir, entry.outDir)}`,
+			`      checks: ${entry.checks.length > 0 ? entry.checks.join(", ") : "(none)"}`
 		].join("\n"))
 	].join("\n"));
 }
@@ -665,16 +687,6 @@ async function readDistPackageJson(options) {
 	if (!existsSync(options.packageJsonPath)) throw new Error(`outDir package.json not found${options.label ? ` for ${options.label}` : ""} at ${options.config ? toRelativePath(options.config.rootDir, options.packageJsonPath) : options.packageJsonPath}. Run the package build first.`);
 	return JSON.parse(await readFile(options.packageJsonPath, "utf8"));
 }
-async function assertPublicPackageMetadata(options) {
-	if ((await readDistPackageJson({
-		config: options.config,
-		label: options.label,
-		packageJsonPath: options.packageJsonPath
-	})).private === true) return;
-	const missingFiles = REQUIRED_PUBLIC_PACKAGE_FILES.filter((fileName) => !existsSync(path.join(options.outDir, fileName)));
-	if (missingFiles.length === 0) return;
-	throw new Error(`publishable package output for ${options.label} at ${toRelativePath(options.config.rootDir, options.outDir)} is missing required file(s): ${missingFiles.join(", ")}. Add them to the built output or set "private": true in the output package.json.`);
-}
 async function runPublintCheck(options) {
 	const task = options.flow?.start(`publint: ${options.label}`, { depth: options.flowDepth ?? 0 });
 	PackageLogger.info(`publint started: ${options.label}`);
@@ -745,20 +757,19 @@ async function runBoundaryCheck(target, label, options = {}) {
 	task?.fail(`package boundary found ${violations.length} issue(s): ${label}`);
 	return false;
 }
-async function runPackageCheckTarget(options) {
-	const target = {
-		...options.rawTarget,
+async function runPackageCheckEntry(options) {
+	const entry = {
+		...options.rawEntry,
 		outDir: options.outDir
 	};
 	const label = options.label;
-	const outputPackageJsonPath = path.join(target.outDir, "package.json");
-	const task = options.flow?.start(`package target: ${label}`, { depth: options.flowDepth ?? 0 });
+	const outputPackageJsonPath = path.join(entry.outDir, "package.json");
+	const task = options.flow?.start(`package entry: ${label}`, { depth: options.flowDepth ?? 0 });
 	let packedDist;
 	try {
-		await assertPublicPackageMetadata({
+		await readDistPackageJson({
 			config: options.config,
 			label,
-			outDir: target.outDir,
 			packageJsonPath: outputPackageJsonPath
 		});
 		if (options.checks.includes("publint") || options.checks.includes("attw")) {
@@ -766,7 +777,7 @@ async function runPackageCheckTarget(options) {
 			PackageLogger.info(`package tarball packing started: ${label}`);
 			const packElapsed = createElapsedTimer();
 			try {
-				packedDist = await packOutputTarball(target.outDir);
+				packedDist = await packOutputTarball(entry.outDir);
 			} catch (error) {
 				PackageLogger.error(`package tarball failed: ${label}: ${formatErrorMessage$1(error)}`, packElapsed());
 				packTask?.fail(`package tarball failed: ${label}`, { error });
@@ -780,19 +791,19 @@ async function runPackageCheckTarget(options) {
 			flow: options.flow,
 			flowDepth: (options.flowDepth ?? 0) + 1,
 			label,
-			strict: target.publint?.strict ?? true,
+			strict: entry.publint?.strict ?? true,
 			tarball: packedDist.tarball
 		}) && passed;
 		if (options.checks.includes("attw")) passed = await runAttwCheck({
 			flow: options.flow,
 			flowDepth: (options.flowDepth ?? 0) + 1,
 			label,
-			profile: options.attwProfile ?? target.attw?.profile ?? "esm-only",
+			profile: options.attwProfile ?? entry.attw?.profile ?? "esm-only",
 			tarball: packedDist.tarball
 		}) && passed;
 		if (options.checks.includes("boundary")) passed = await runBoundaryCheck({
-			...target.boundary,
-			outDir: target.outDir
+			...entry.boundary,
+			outDir: entry.outDir
 		}, label, {
 			flow: options.flow,
 			flowDepth: (options.flowDepth ?? 0) + 1
@@ -859,10 +870,11 @@ async function runPackageCheck(options) {
 	const task = options.flow?.start("package check", { depth: options.flowDepth ?? 0 });
 	try {
 		PackageLogger.info("package check started");
-		const plan = createPackageCheckPlan({
+		const plan = createPackageEntrySelectionPlan({
 			config: options.config,
 			cwd,
-			targetName: options.targetName,
+			packageNames: options.packageNames,
+			strictCwd: false,
 			tool: options.tool
 		});
 		logPackageCheckPlan({
@@ -870,18 +882,18 @@ async function runPackageCheck(options) {
 			cwd,
 			plan
 		});
-		const runnableTargets = plan.targets.filter((target) => target.checks.length > 0);
-		if (runnableTargets.length === 0) throw new Error(options.tool && options.tool !== "all" ? `No package check targets have "${options.tool}" enabled.` : "No package checks are enabled.");
+		const runnableEntries = plan.entries.filter((entry) => entry.checks.length > 0);
+		if (runnableEntries.length === 0) throw new Error(options.tool && options.tool !== "all" ? `No package entries have "${options.tool}" enabled.` : "No package checks are enabled.");
 		let passed = true;
-		for (const target of runnableTargets) passed = await runPackageCheckTarget({
+		for (const entry of runnableEntries) passed = await runPackageCheckEntry({
 			attwProfile: options.attwProfile,
-			checks: target.checks,
+			checks: entry.checks,
 			config: options.config,
 			flow: options.flow,
 			flowDepth: (options.flowDepth ?? 0) + 1,
-			label: target.label,
-			outDir: target.outDir,
-			rawTarget: target.rawTarget
+			label: entry.label,
+			outDir: entry.outDir,
+			rawEntry: entry.rawEntry
 		}) && passed;
 		if (passed) {
 			if (!options.flow?.interactive) PackageLogger.success("package check finished", elapsed());
@@ -1444,6 +1456,14 @@ const ignoredSemanticCompilerOptions = new Set([
 	"sourceRoot",
 	"tsBuildInfoFile"
 ]);
+const typeScriptCheckerExtensions = getCheckerAdapter("tsc")?.defaultExtensions ?? [];
+function getFirstClassCoverageExtensions(extensions) {
+	return normalizeExtensions([...typeScriptCheckerExtensions, ...extensions]);
+}
+function getCheckerCoverageExtensions(checker) {
+	if (!getCheckerAdapter(checker.preset)?.sourceGraph) return checker.extensions;
+	return getFirstClassCoverageExtensions(checker.extensions);
+}
 async function collectTsconfigPaths(config, pattern) {
 	return (await glob(pattern, {
 		cwd: config.rootDir,
@@ -1605,24 +1625,19 @@ function addCoverage(coverageByFile, filePath, source) {
 }
 function collectCoverage(options) {
 	const coverageByFile = /* @__PURE__ */ new Map();
-	const proofFilePattern = createExtensionPattern(getActiveCheckerExtensions(options.config));
-	const typeScriptChecker = getActiveCheckers(options.config).find((checker) => checker.preset === "tsc");
-	for (const graphProjectPath of options.graphProjectPaths) for (const filePath of parseProjectFileNames(options.config, graphProjectPath, proofFilePattern)) {
+	for (const route of options.graphRoutes) for (const graphProjectPath of route.projectPaths) for (const filePath of parseProjectFileNamesForExtensions(options.config, graphProjectPath, getFirstClassCoverageExtensions(route.extensions))) {
 		if (!options.sourceFiles.has(filePath)) continue;
 		addCoverage(coverageByFile, filePath, {
 			label: toRelativePath(options.config.rootDir, graphProjectPath),
 			type: "graph"
 		});
 	}
-	for (const checkerTarget of options.checkerTargets) {
-		const checkerExtensions = [...typeScriptChecker?.extensions ?? [], ...checkerTarget.checker.extensions];
-		for (const configPath of checkerTarget.coverageConfigPaths) for (const filePath of parseProjectFileNamesForExtensions(options.config, configPath, checkerExtensions)) {
-			if (!options.sourceFiles.has(filePath)) continue;
-			addCoverage(coverageByFile, filePath, {
-				label: `${toRelativePath(options.config.rootDir, configPath)} via ${checkerTarget.label}`,
-				type: "checker"
-			});
-		}
+	for (const checkerTarget of options.checkerTargets) for (const configPath of checkerTarget.coverageConfigPaths) for (const filePath of parseProjectFileNamesForExtensions(options.config, configPath, getCheckerCoverageExtensions(checkerTarget.checker))) {
+		if (!options.sourceFiles.has(filePath)) continue;
+		addCoverage(coverageByFile, filePath, {
+			label: `${toRelativePath(options.config.rootDir, configPath)} via ${checkerTarget.label}`,
+			type: "checker"
+		});
 	}
 	if (options.includeAllowlist !== false) for (const entry of options.allowlistEntries) {
 		if (!options.sourceFiles.has(entry.filePath)) continue;
@@ -1633,15 +1648,19 @@ function collectCoverage(options) {
 	}
 	return coverageByFile;
 }
-function parseConfig(config, configPath) {
+function collectProjectExtensionsByPath(routes) {
+	const projectExtensionsByPath = /* @__PURE__ */ new Map();
+	for (const route of routes) for (const projectPath of route.projectPaths) {
+		const extensions = new Set([...projectExtensionsByPath.get(projectPath) ?? [], ...route.extensions]);
+		projectExtensionsByPath.set(projectPath, [...extensions].sort());
+	}
+	return projectExtensionsByPath;
+}
+function parseConfig(config, configPath, extensions = []) {
 	const diagnostics = [];
-	const parsed = ts.getParsedCommandLineOfConfigFile(configPath, {}, {
-		...ts.sys,
-		onUnRecoverableConfigFileDiagnostic: (diagnostic) => {
-			diagnostics.push(diagnostic);
-		}
-	});
-	if (!parsed) throw new Error(ts.formatDiagnosticsWithColorAndContext(diagnostics, createFormatHost(config.rootDir)));
+	const configObject = readJsonConfig(config, configPath);
+	const parsed = ts.parseJsonConfigFileContent(configObject, ts.sys, path.dirname(configPath), {}, configPath, void 0, createExtraFileExtensions(extensions));
+	if (diagnostics.length > 0) throw new Error(ts.formatDiagnosticsWithColorAndContext(diagnostics, createFormatHost(config.rootDir)));
 	if (parsed.errors.length > 0) throw new Error(ts.formatDiagnosticsWithColorAndContext(parsed.errors, createFormatHost(config.rootDir)));
 	return {
 		fileNames: parsed.fileNames.map(normalizeAbsolutePath).sort(),
@@ -1704,8 +1723,9 @@ function addDtsConfigProblems(options) {
 			].join("\n"));
 			continue;
 		}
-		const dtsConfig = parseConfig(options.config, configPath);
-		const localConfig = parseConfig(options.config, localConfigPath);
+		const extensions = options.projectExtensionsByPath.get(configPath) ?? [];
+		const dtsConfig = parseConfig(options.config, configPath, extensions);
+		const localConfig = parseConfig(options.config, localConfigPath, extensions);
 		if (dtsConfig.options.composite !== true) options.problems.push([
 			"DTS config is not valid for tsc -b:",
 			`  config: ${toRelativePath(options.config.rootDir, configPath)}`,
@@ -1846,12 +1866,11 @@ function addDefaultTsconfigEnvironmentProblems(options) {
 		].join("\n"));
 	}
 }
-function collectConfigFileOwners(config, configPaths, sourceFiles) {
+function collectConfigFileOwners(config, graphRoutes, sourceFiles) {
 	const ownersByFile = /* @__PURE__ */ new Map();
-	const proofFilePattern = createExtensionPattern(getActiveCheckerExtensions(config));
-	for (const configPath of configPaths) {
+	for (const route of graphRoutes) for (const configPath of route.projectPaths) {
 		if (!existsSync(configPath)) continue;
-		for (const filePath of parseProjectFileNames(config, configPath, proofFilePattern)) {
+		for (const filePath of parseProjectFileNamesForExtensions(config, configPath, route.extensions)) {
 			if (!sourceFiles.has(filePath)) continue;
 			const owners = ownersByFile.get(filePath) ?? [];
 			owners.push(configPath);
@@ -1873,19 +1892,6 @@ function addDuplicateGraphCoverageProblems(options) {
 		].join("\n"));
 	}
 }
-function addDuplicateGraphOwnerProblems(options) {
-	for (const [configPath, ownerCheckerNames] of options.graphOwnersByConfigPath.entries()) {
-		const uniqueOwnerCheckerNames = [...new Set(ownerCheckerNames)].sort();
-		if (uniqueOwnerCheckerNames.length <= 1) continue;
-		options.problems.push([
-			"Duplicate checker graph declaration owner:",
-			`  config: ${toRelativePath(options.config.rootDir, configPath)}`,
-			"  owned by:",
-			...uniqueOwnerCheckerNames.map((checkerName) => `    - ${checkerName}`),
-			"  reason: each tsconfig*.dts.json must be reached by exactly one graph-capable checker entry."
-		].join("\n"));
-	}
-}
 function addAllowlistProblems(options) {
 	for (const entry of options.allowlistEntries) {
 		if (!existsSync(entry.filePath)) {
@@ -1913,34 +1919,25 @@ function addUncoveredSourceProblems(options) {
 		"  reason: every file in config.source must be covered by a checker entry or an explicit allowlist entry."
 	].filter(Boolean).join("\n"));
 }
-function addGraphOwner(ownersByConfigPath, configPath, checkerName) {
-	const owners = ownersByConfigPath.get(configPath) ?? [];
-	owners.push(checkerName);
-	ownersByConfigPath.set(configPath, owners);
-}
 async function runProofCheckInternal(config, options = {}) {
 	const problems = [];
 	const graphRouteCollection = collectGraphProjectRoutes(config);
 	const entryRouteCollection = collectCheckerEntryProjectRoutes(config);
-	const graphProjectPaths = [...new Set(graphRouteCollection.routes.flatMap((route) => route.projectPaths))].sort();
 	const entryProjectPaths = [...new Set(entryRouteCollection.routes.flatMap((route) => route.projectPaths))].sort();
 	const entryProjectPathSet = new Set(entryProjectPaths);
+	const entryProjectExtensionsByPath = collectProjectExtensionsByPath(entryRouteCollection.routes);
 	const dtsConfigPaths = await collectDtsConfigPaths(config);
 	const buildGraphConfigPaths = await collectBuildGraphConfigPaths(config);
 	const defaultTsconfigPaths = await collectDefaultTsconfigPaths(config);
 	const ordinaryTypecheckConfigPaths = await collectOrdinaryTypecheckConfigPaths(config);
-	const graphOwnersByConfigPath = /* @__PURE__ */ new Map();
 	problems.push(...graphRouteCollection.problems);
 	problems.push(...entryRouteCollection.problems);
-	for (const route of graphRouteCollection.routes) for (const projectPath of route.projectPaths) {
-		if (!isDtsConfigPath(projectPath)) continue;
-		addGraphOwner(graphOwnersByConfigPath, projectPath, route.checkerName);
-	}
 	addDtsConfigProblems({
 		config,
 		dtsConfigPaths,
 		graphProjectPaths: entryProjectPathSet,
-		problems
+		problems,
+		projectExtensionsByPath: entryProjectExtensionsByPath
 	});
 	addBuildGraphConfigProblems({
 		buildGraphConfigPaths,
@@ -1957,11 +1954,6 @@ async function runProofCheckInternal(config, options = {}) {
 		ordinaryConfigPaths: ordinaryTypecheckConfigPaths,
 		problems
 	});
-	addDuplicateGraphOwnerProblems({
-		config,
-		graphOwnersByConfigPath,
-		problems
-	});
 	if (problems.length > 0) {
 		ProofLogger.error(problems.join("\n\n"));
 		return false;
@@ -1981,7 +1973,7 @@ async function runProofCheckInternal(config, options = {}) {
 		allowlistEntries,
 		checkerTargets,
 		config,
-		graphProjectPaths,
+		graphRoutes: graphRouteCollection.routes,
 		includeAllowlist: false,
 		sourceFiles
 	});
@@ -1989,12 +1981,12 @@ async function runProofCheckInternal(config, options = {}) {
 		allowlistEntries,
 		checkerTargets,
 		config,
-		graphProjectPaths,
+		graphRoutes: graphRouteCollection.routes,
 		sourceFiles
 	});
 	addDuplicateGraphCoverageProblems({
 		config,
-		ownersByFile: collectConfigFileOwners(config, graphProjectPaths, sourceFiles),
+		ownersByFile: collectConfigFileOwners(config, graphRouteCollection.routes, sourceFiles),
 		problems
 	});
 	addAllowlistProblems({
@@ -2047,6 +2039,545 @@ async function runProofCheck(config, options = {}) {
 	}
 }
 
+//#endregion
+//#region src/package-release-consistency.ts
+var PackageReleaseConsistencyError = class extends Error {
+	name = "PackageReleaseConsistencyError";
+};
+const semver = createRequire(import.meta.url)("semver");
+const REQUIRED_RELEASE_FILES = ["README.md", "LICENSE.md"];
+const SOURCE_MAPPING_URL_PATTERN = /(?:\/\/\s*#\s*sourceMappingURL\s*=|\/\*\s*#\s*sourceMappingURL\s*=)/u;
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isLinkDependencySpecifier(specifier) {
+	return specifier.startsWith("link:");
+}
+function createReleaseConsistencyState() {
+	return {
+		directWorkspaceDependencies: [],
+		edges: /* @__PURE__ */ new Map(),
+		missingWorkspaceDependencies: [],
+		packedManifestProblems: [],
+		privateWorkspaceDependencies: [],
+		releaseHygieneProblems: [],
+		registryMetadataCache: /* @__PURE__ */ new Map(),
+		registryProblems: [],
+		sourceLinkDependencies: [],
+		unpublishedPackageNames: /* @__PURE__ */ new Set(),
+		visitedPackages: /* @__PURE__ */ new Set()
+	};
+}
+function collectPublishDependencyEntries(manifest) {
+	const entries = [];
+	for (const { dependencies, name } of getPublishDependencySections(manifest)) for (const [dependencyName, specifier] of Object.entries(dependencies)) entries.push({
+		dependencyName,
+		sectionName: name,
+		specifier
+	});
+	return entries;
+}
+function addEdge(edges, importerName, dependencyName) {
+	const dependencies = edges.get(importerName) ?? /* @__PURE__ */ new Set();
+	dependencies.add(dependencyName);
+	edges.set(importerName, dependencies);
+}
+function formatDependencyLocation(problem) {
+	const dependency = problem.dependencyName ? ` -> ${problem.dependencyName}` : "";
+	const section = problem.sectionName ? ` [${problem.sectionName}]` : "";
+	const specifier = problem.specifier ? ` (${problem.specifier})` : "";
+	return `${problem.importerName}${dependency}${section}${specifier}`;
+}
+function formatProblemLines(title, problems) {
+	if (problems.length === 0) return [];
+	return [
+		"",
+		title,
+		...problems.map((problem) => `  - ${formatDependencyLocation(problem)}: ${problem.message}`)
+	];
+}
+function getPackedDependencySpecifier(manifest, dependencyName) {
+	for (const { dependencies } of getPublishDependencySections(manifest)) {
+		const specifier = dependencies[dependencyName];
+		if (specifier) return specifier;
+	}
+}
+function getNpmPackageMetadataUrl(packageName) {
+	return `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+}
+async function fetchRegistryPackageMetadata(packageName, state) {
+	if (state.registryMetadataCache.has(packageName)) return state.registryMetadataCache.get(packageName) ?? null;
+	const response = await fetch(getNpmPackageMetadataUrl(packageName), { headers: { accept: "application/json" } });
+	if (!response.ok) {
+		state.registryMetadataCache.set(packageName, null);
+		return null;
+	}
+	const metadata = await response.json();
+	const registryMetadata = isRecord(metadata) ? metadata : null;
+	state.registryMetadataCache.set(packageName, registryMetadata);
+	return registryMetadata;
+}
+function findRegistryVersionMetadata(metadata, version) {
+	if (!isRecord(metadata.versions)) return null;
+	const versionMetadata = metadata.versions[version];
+	return isRecord(versionMetadata) ? versionMetadata : null;
+}
+function execGitCommand(config, args) {
+	return new Promise((resolve, reject) => {
+		execFile("git", [
+			"-C",
+			config.rootDir,
+			...args
+		], {
+			encoding: "utf8",
+			maxBuffer: 10 * 1024 * 1024
+		}, (error, stdout) => {
+			if (error) {
+				reject(error);
+				return;
+			}
+			resolve(stdout);
+		});
+	});
+}
+async function hasWorkspacePackageChangesSinceGitHead(options) {
+	const relativeDirectory = toRelativePath(options.config.rootDir, options.workspacePackage.directory);
+	try {
+		await execGitCommand(options.config, [
+			"diff",
+			"--quiet",
+			options.gitHead,
+			"--",
+			relativeDirectory
+		]);
+	} catch (error) {
+		if (isRecord(error) && error.code === 1) return true;
+		throw error;
+	}
+	return (await execGitCommand(options.config, [
+		"ls-files",
+		"--others",
+		"--exclude-standard",
+		"--",
+		relativeDirectory
+	])).trim().length > 0;
+}
+async function verifyWorkspacePackagePublished(options) {
+	const { state, workspacePackage } = options;
+	const version = workspacePackage.manifest.version;
+	if (!version || !semver.valid(version)) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: ["workspace package must declare a valid semver version", "before another publishable package can depend on it"].join(" "),
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	let metadata;
+	try {
+		metadata = await fetchRegistryPackageMetadata(workspacePackage.name, state);
+	} catch (error) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: [`unable to read npm registry metadata for ${workspacePackage.name}@${version}:`, formatErrorMessage$1(error)].join(" "),
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	if (!metadata) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: `${workspacePackage.name}@${version} is not published to the npm registry`,
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	const versionMetadata = findRegistryVersionMetadata(metadata, version);
+	if (!versionMetadata) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: `${workspacePackage.name}@${version} is not published to the npm registry`,
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	if (typeof versionMetadata.gitHead !== "string" || versionMetadata.gitHead.trim().length === 0) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: [`${workspacePackage.name}@${version} registry metadata has no gitHead,`, "so limina cannot prove the published source baseline"].join(" "),
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	let hasChanges;
+	try {
+		hasChanges = await hasWorkspacePackageChangesSinceGitHead({
+			config: options.config,
+			gitHead: versionMetadata.gitHead,
+			workspacePackage
+		});
+	} catch (error) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: [
+				`unable to compare ${workspacePackage.name}@${version}`,
+				`against published gitHead ${versionMetadata.gitHead}:`,
+				formatErrorMessage$1(error)
+			].join(" "),
+			packageName: workspacePackage.name
+		});
+		return;
+	}
+	if (hasChanges) {
+		state.unpublishedPackageNames.add(workspacePackage.name);
+		state.registryProblems.push({
+			importerName: workspacePackage.name,
+			message: [`${workspacePackage.name}@${version} has workspace changes`, `after the published npm registry gitHead ${versionMetadata.gitHead}`].join(" "),
+			packageName: workspacePackage.name
+		});
+	}
+}
+async function visitWorkspacePackageDependencies(options) {
+	const { config, importerName, isRoot, manifest, state, workspacePackagesByName } = options;
+	for (const entry of collectPublishDependencyEntries(manifest)) {
+		if (isLinkDependencySpecifier(entry.specifier)) {
+			state.sourceLinkDependencies.push({
+				dependencyName: entry.dependencyName,
+				importerName,
+				message: "publishable dependency sections must not use link:",
+				sectionName: entry.sectionName,
+				specifier: entry.specifier
+			});
+			continue;
+		}
+		if (!isWorkspaceDependencySpecifier(entry.specifier)) continue;
+		const targetPackage = workspacePackagesByName.get(entry.dependencyName);
+		if (!targetPackage) {
+			state.missingWorkspaceDependencies.push({
+				dependencyName: entry.dependencyName,
+				importerName,
+				message: "workspace: publish dependency does not match a named workspace package",
+				sectionName: entry.sectionName,
+				specifier: entry.specifier
+			});
+			continue;
+		}
+		addEdge(state.edges, importerName, targetPackage.name);
+		if (isRoot) state.directWorkspaceDependencies.push({
+			dependencyName: entry.dependencyName,
+			sectionName: entry.sectionName,
+			targetPackage
+		});
+		if (targetPackage.manifest.private === true) {
+			state.privateWorkspaceDependencies.push({
+				dependencyName: entry.dependencyName,
+				importerName,
+				message: "publishable packages cannot depend on a private workspace package",
+				packageName: targetPackage.name,
+				sectionName: entry.sectionName,
+				specifier: entry.specifier
+			});
+			continue;
+		}
+		if (!state.visitedPackages.has(targetPackage.name)) {
+			state.visitedPackages.add(targetPackage.name);
+			await verifyWorkspacePackagePublished({
+				config,
+				state,
+				workspacePackage: targetPackage
+			});
+			await visitWorkspacePackageDependencies({
+				config,
+				importerName: targetPackage.name,
+				isRoot: false,
+				manifest: targetPackage.manifest,
+				state,
+				workspacePackagesByName
+			});
+		}
+	}
+}
+async function unpackPackedPackage(tarball) {
+	return await unpack(tarball);
+}
+function getPackedContentFiles(packedPackage) {
+	const rootPrefix = `${packedPackage.rootDir}/`;
+	const files = [];
+	for (const file of packedPackage.files) {
+		if (!file.name.startsWith(rootPrefix)) continue;
+		files.push({
+			data: file.data,
+			relativePath: file.name.slice(rootPrefix.length).replaceAll("\\", "/")
+		});
+	}
+	return files;
+}
+function readPackedPackageJson(options) {
+	const packageJsonFile = options.contentFiles.find((file) => file.relativePath === "package.json");
+	if (!packageJsonFile) {
+		options.state.releaseHygieneProblems.push({
+			importerName: options.rootPackageName,
+			message: "tarball does not contain package.json"
+		});
+		return null;
+	}
+	try {
+		return JSON.parse(Buffer.from(packageJsonFile.data).toString("utf8"));
+	} catch (error) {
+		options.state.releaseHygieneProblems.push({
+			importerName: options.rootPackageName,
+			message: `tarball package.json is not valid JSON: ${formatErrorMessage$1(error)}`
+		});
+		return null;
+	}
+}
+function isJavaScriptPackageFile(relativePath) {
+	return /\.(?:cjs|mjs|js)$/u.test(relativePath);
+}
+function validateReleaseTarballHygiene(options) {
+	const filePaths = new Set(options.contentFiles.map((file) => file.relativePath));
+	const missingReleaseFiles = REQUIRED_RELEASE_FILES.filter((fileName) => !filePaths.has(fileName));
+	if (missingReleaseFiles.length > 0) options.state.releaseHygieneProblems.push({
+		importerName: options.rootPackageName,
+		message: `tarball is missing required file(s): ${missingReleaseFiles.join(", ")}`
+	});
+	for (const file of options.contentFiles) {
+		if (/\.map$/u.test(file.relativePath)) {
+			options.state.releaseHygieneProblems.push({
+				importerName: options.rootPackageName,
+				message: `tarball contains source map file: ${file.relativePath}`
+			});
+			continue;
+		}
+		if (!isJavaScriptPackageFile(file.relativePath)) continue;
+		const source = Buffer.from(file.data).toString("utf8");
+		if (SOURCE_MAPPING_URL_PATTERN.test(source)) options.state.releaseHygieneProblems.push({
+			importerName: options.rootPackageName,
+			message: `tarball JavaScript file contains sourceMappingURL directive: ${file.relativePath}`
+		});
+	}
+}
+function validatePackedManifest(options) {
+	const { manifest, rootPackageName, state } = options;
+	for (const entry of collectPublishDependencyEntries(manifest)) if (isWorkspaceDependencySpecifier(entry.specifier) || isLinkDependencySpecifier(entry.specifier)) state.packedManifestProblems.push({
+		dependencyName: entry.dependencyName,
+		importerName: rootPackageName,
+		message: "packed package manifest must not expose workspace: or link: dependency specifiers",
+		sectionName: entry.sectionName,
+		specifier: entry.specifier
+	});
+	for (const dependency of state.directWorkspaceDependencies) {
+		const packedSpecifier = getPackedDependencySpecifier(manifest, dependency.dependencyName);
+		if (!packedSpecifier) {
+			state.packedManifestProblems.push({
+				dependencyName: dependency.dependencyName,
+				importerName: rootPackageName,
+				message: "packed package manifest must keep every source workspace publish dependency",
+				sectionName: dependency.sectionName
+			});
+			continue;
+		}
+		if (isWorkspaceDependencySpecifier(packedSpecifier) || isLinkDependencySpecifier(packedSpecifier)) continue;
+		const targetVersion = dependency.targetPackage.manifest.version;
+		if (!targetVersion || !semver.satisfies(targetVersion, packedSpecifier, { includePrerelease: true })) state.packedManifestProblems.push({
+			dependencyName: dependency.dependencyName,
+			importerName: rootPackageName,
+			message: `packed dependency range must include ${dependency.targetPackage.name}@${targetVersion ?? "(missing version)"}`,
+			sectionName: dependency.sectionName,
+			specifier: packedSpecifier
+		});
+	}
+}
+function createPublishOrder(rootPackageName, state) {
+	const publishOrder = [];
+	const seen = /* @__PURE__ */ new Set();
+	function visit(packageName) {
+		if (seen.has(packageName)) return;
+		seen.add(packageName);
+		for (const dependencyName of state.edges.get(packageName) ?? []) visit(dependencyName);
+		if (packageName === rootPackageName || state.unpublishedPackageNames.has(packageName)) publishOrder.push(packageName);
+	}
+	visit(rootPackageName);
+	return publishOrder;
+}
+function createReleaseConsistencyError(options) {
+	const { config, label, outDir, rootPackageName, state } = options;
+	if (state.sourceLinkDependencies.length + state.privateWorkspaceDependencies.length + state.missingWorkspaceDependencies.length + state.registryProblems.length + state.releaseHygieneProblems.length + state.packedManifestProblems.length === 0) return null;
+	const publishOrder = createPublishOrder(rootPackageName, state);
+	const lines = [
+		`package release check failed for ${label}:`,
+		`  output: ${toRelativePath(config.rootDir, outDir)}`,
+		...formatProblemLines("Release tarball is not publishable:", state.releaseHygieneProblems),
+		...formatProblemLines("Source manifest contains local link: publish dependencies:", state.sourceLinkDependencies),
+		...formatProblemLines("Source manifest depends on private workspace packages:", state.privateWorkspaceDependencies),
+		...formatProblemLines("Source manifest has invalid workspace: publish dependencies:", state.missingWorkspaceDependencies),
+		...formatProblemLines("Workspace packages must be published before this package:", state.registryProblems),
+		...formatProblemLines("Packed package manifest is inconsistent with workspace publish dependencies:", state.packedManifestProblems)
+	];
+	if (publishOrder.length > 1) lines.push("", `Suggested publish order: ${publishOrder.join(" -> ")}`);
+	return new PackageReleaseConsistencyError(lines.join("\n"));
+}
+async function assertPackageReleaseConsistency(options) {
+	const workspacePackages = await collectWorkspacePackages(options.config);
+	const sourcePackage = workspacePackages.find((workspacePackage) => workspacePackage.name === options.outputManifest.name);
+	const state = createReleaseConsistencyState();
+	if (sourcePackage) {
+		state.visitedPackages.add(sourcePackage.name);
+		await visitWorkspacePackageDependencies({
+			config: options.config,
+			importerName: sourcePackage.name,
+			isRoot: true,
+			manifest: sourcePackage.manifest,
+			state,
+			workspacePackagesByName: new Map(workspacePackages.map((workspacePackage) => [workspacePackage.name, workspacePackage]))
+		});
+	}
+	const contentFiles = getPackedContentFiles(await unpackPackedPackage(options.packedTarball));
+	validateReleaseTarballHygiene({
+		contentFiles,
+		rootPackageName: options.outputManifest.name,
+		state
+	});
+	const packedManifest = readPackedPackageJson({
+		contentFiles,
+		rootPackageName: options.outputManifest.name,
+		state
+	});
+	if (packedManifest) validatePackedManifest({
+		manifest: packedManifest,
+		rootPackageName: options.outputManifest.name,
+		state
+	});
+	const error = createReleaseConsistencyError({
+		config: options.config,
+		label: options.label,
+		outDir: options.outDir,
+		rootPackageName: options.outputManifest.name,
+		state
+	});
+	if (error) throw error;
+}
+
+//#endregion
+//#region src/commands/release.ts
+function logReleaseCheckPlan(options) {
+	ReleaseLogger.info([
+		"Release check plan:",
+		`  config: ${toRelativePath(options.config.rootDir, options.config.configPath)}`,
+		`  cwd: ${toRelativePath(options.config.rootDir, options.cwd)}`,
+		`  selection: ${options.plan.selectionReason}`,
+		"  entries:",
+		...options.plan.entries.map((entry) => [`    - ${entry.label}`, `      outDir: ${toRelativePath(options.config.rootDir, entry.outDir)}`].join("\n"))
+	].join("\n"));
+}
+async function packReleaseTarball(options) {
+	const packTask = options.flow?.start(`release tarball: ${options.label}`, { depth: options.flowDepth ?? 0 });
+	ReleaseLogger.info(`release tarball packing started: ${options.label}`);
+	const packElapsed = createElapsedTimer();
+	try {
+		const packedDist = await packOutputTarball(options.outDir);
+		if (!options.flow?.interactive) ReleaseLogger.success(`release tarball packed: ${options.label}`, packElapsed());
+		packTask?.pass();
+		return packedDist;
+	} catch (error) {
+		ReleaseLogger.error(`release tarball failed: ${options.label}: ${formatErrorMessage$1(error)}`, packElapsed());
+		packTask?.fail(`release tarball failed: ${options.label}`, { error });
+		throw error;
+	}
+}
+async function runReleaseCheckEntry(options) {
+	const task = options.flow?.start(`release entry: ${options.label}`, { depth: options.flowDepth ?? 0 });
+	let packedDist;
+	try {
+		const outputPackageJsonPath = path.join(options.outDir, "package.json");
+		const outputManifest = await readDistPackageJson({
+			config: options.config,
+			label: options.label,
+			packageJsonPath: outputPackageJsonPath
+		});
+		if (outputManifest.private === true) throw new PackageReleaseConsistencyError([
+			`package release check failed for ${options.label}:`,
+			`  output: ${toRelativePath(options.config.rootDir, options.outDir)}`,
+			"",
+			"Release tarball is not publishable:",
+			`  - ${outputManifest.name}: selected release package has "private": true; npm publish would reject it`
+		].join("\n"));
+		packedDist = await packReleaseTarball({
+			flow: options.flow,
+			flowDepth: (options.flowDepth ?? 0) + 1,
+			label: options.label,
+			outDir: options.outDir
+		});
+		await assertPackageReleaseConsistency({
+			config: options.config,
+			label: options.label,
+			outDir: options.outDir,
+			outputManifest,
+			packedTarball: packedDist.tarball
+		});
+		if (!options.flow?.interactive) ReleaseLogger.success(`release checks passed: ${options.label}`);
+		task?.pass();
+		return true;
+	} catch (error) {
+		if (error instanceof PackageReleaseConsistencyError) {
+			ReleaseLogger.error(formatErrorMessage$1(error));
+			task?.fail(`release checks failed: ${options.label}`);
+			return false;
+		}
+		ReleaseLogger.error(`release checks failed: ${options.label}: ${formatErrorMessage$1(error)}`);
+		task?.fail(`release checks failed: ${options.label}`, { error });
+		throw error;
+	} finally {
+		if (packedDist) await packedDist.cleanup();
+	}
+}
+async function runReleaseCheck(options) {
+	if (options.clearScreen ?? true) clearCliScreen();
+	const elapsed = createElapsedTimer();
+	const cwd = path.resolve(options.cwd ?? process.cwd());
+	const task = options.flow?.start("release check", { depth: options.flowDepth ?? 0 });
+	try {
+		ReleaseLogger.info("release check started");
+		const plan = createPackageEntrySelectionPlan({
+			config: options.config,
+			cwd,
+			packageNames: options.packageNames,
+			strictCwd: true
+		});
+		logReleaseCheckPlan({
+			config: options.config,
+			cwd,
+			plan
+		});
+		let passed = true;
+		for (const entry of plan.entries) passed = await runReleaseCheckEntry({
+			config: options.config,
+			flow: options.flow,
+			flowDepth: (options.flowDepth ?? 0) + 1,
+			label: entry.label,
+			outDir: entry.outDir
+		}) && passed;
+		if (passed) {
+			if (!options.flow?.interactive) ReleaseLogger.success("release check finished", elapsed());
+			task?.pass();
+		} else {
+			ReleaseLogger.error("release check finished with failures", elapsed());
+			task?.fail("release check finished with failures");
+		}
+		return passed;
+	} catch (error) {
+		ReleaseLogger.error(`release check failed: ${formatErrorMessage$1(error)}`, elapsed());
+		task?.fail("release check failed", { error });
+		throw error;
+	}
+}
+
 //#endregion
 //#region src/pipeline.ts
 const builtInTaskNames = new Set([
@@ -2055,14 +2586,33 @@ const builtInTaskNames = new Set([
 	"graph:check",
 	"package:check",
 	"proof:check",
+	"release:check",
 	"source:check"
 ]);
 const defaultCheckPipeline = [
 	"graph:check",
 	"source:check",
 	"proof:check",
+	"checker:build",
 	"checker:typecheck"
 ];
+function reportCheckerCapabilities(config, flow) {
+	if (!flow) return;
+	const firstClass = [];
+	const sourceOnly = [];
+	for (const checker of getActiveCheckers(config)) {
+		const adapter = getCheckerAdapter(checker.preset);
+		const label = `${checker.name} (${checker.preset})`;
+		if (adapter?.tier === "first-class") firstClass.push(label);
+		else if (adapter?.tier === "source-only") sourceOnly.push(label);
+	}
+	flow.info([
+		"checker capability summary:",
+		`  first-class: ${firstClass.length > 0 ? firstClass.join(", ") : "(none)"}`,
+		`  source-only: ${sourceOnly.length > 0 ? sourceOnly.join(", ") : "(none)"}`,
+		...sourceOnly.length > 0 ? ["  note: source-only checkers get coverage proof and direct typecheck, but Limina does not parse their internal import graph."] : []
+	].join("\n"), { depth: 1 });
+}
 function isBuiltinTaskName(value) {
 	return builtInTaskNames.has(value);
 }
@@ -2092,7 +2642,16 @@ async function runBuiltinTask(config, taskName, options = {}) {
 			config,
 			cwd: options.cwd,
 			flow: options.flow,
-			flowDepth: 1
+			flowDepth: 1,
+			packageNames: options.packageNames
+		});
+		case "release:check": return runReleaseCheck({
+			clearScreen: false,
+			config,
+			cwd: options.cwd,
+			flow: options.flow,
+			flowDepth: 1,
+			packageNames: options.packageNames
 		});
 		case "checker:typecheck": return (await runCheckerTypecheck({
 			clearScreen: false,
@@ -2191,6 +2750,7 @@ async function runPipeline(config, pipelineName, options = {}) {
 async function runDefaultCheck(config, options = {}) {
 	const normalizedSteps = defaultCheckPipeline.map(normalizePipelineStep);
 	const pipelineTask = options.flow?.start("default check", { collapseOnSuccess: false });
+	reportCheckerCapabilities(config, options.flow);
 	for (const [stepIndex, step] of normalizedSteps.entries()) if (!(step.type === "task" ? await runBuiltinTask(config, step.name, options) : await runCommandStep(config, step, options))) {
 		const label = getPipelineStepLabel(step);
 		pipelineTask?.fail(`default check blocked at ${label}`);
@@ -2221,11 +2781,10 @@ function parsePackageAttwProfile(profile) {
 	if (profile === "strict" || profile === "node16" || profile === "esm-only") return profile;
 	throw new Error(`Invalid package check --attw-profile "${profile}". Expected one of: strict, node16, esm-only.`);
 }
-function parseConcurrency(value) {
-	if (value === void 0) return;
-	const parsed = Number(value);
-	if (!Number.isInteger(parsed) || parsed < 1) throw new Error("Invalid --concurrency value. Expected a positive integer.");
-	return parsed;
+function parsePackageNames(packageName) {
+	if (!packageName) return;
+	const packageNames = (Array.isArray(packageName) ? packageName : [packageName]).map((name) => name.trim()).filter(Boolean);
+	return packageNames.length > 0 ? packageNames : void 0;
 }
 function createCliFlow() {
 	clearCliScreen();
@@ -2247,13 +2806,14 @@ async function main() {
 		});
 		flow.outro("limina init finished");
 	});
-	cli.command("check [pipeline]", "Run the default check or a configured pipeline").action(async (pipeline, flags) => {
+	cli.command("check [pipeline]", "Run the default check or a configured pipeline").option("-p, --package <name>", "Run package-aware pipeline tasks for one package entry").action(async (pipeline, flags) => {
 		const flow = createCliFlow();
 		flow.intro("limina check");
 		const config = await load(flags, "check");
 		const passed = pipeline ? await runPipeline(config, pipeline, {
 			cwd: process.cwd(),
-			flow
+			flow,
+			packageNames: parsePackageNames(flags.package)
 		}) : await runDefaultCheck(config, {
 			cwd: process.cwd(),
 			flow
@@ -2306,8 +2866,8 @@ async function main() {
 		if (!passed) process.exitCode = 1;
 		flow.outro(passed ? "limina source passed" : "limina source failed");
 	});
-	cli.command("checker <action>", "Run configured checker typecheck or build entries").option("--concurrency <n>", "Maximum concurrent checker processes").action(async (action, flags) => {
-		if (action !== "typecheck" && action !== "build") throw new Error(`Unknown checker action "${action}". Expected typecheck or build.`);
+	cli.command("checker <action>", "Run configured checker build or typecheck entries").action(async (action, flags) => {
+		if (action !== "typecheck" && action !== "build") throw new Error(`Unknown checker action "${action}". Expected build or typecheck.`);
 		const flow = createCliFlow();
 		flow.intro(`limina checker ${action}`);
 		if (action === "build") {
@@ -2324,14 +2884,13 @@ async function main() {
 		const result = await runCheckerTypecheck({
 			clearScreen: false,
 			config: await load(flags, "check"),
-			concurrency: parseConcurrency(flags.concurrency),
 			cwd: process.cwd(),
 			flow
 		});
 		if (!result.passed) process.exitCode = 1;
 		flow.outro(result.passed ? "limina checker passed" : "limina checker failed");
 	});
-	cli.command("package <action>", "Check configured published package outputs").option("-p, --package <name>", "Run a single package check target").option("--tool <tool>", "Run one package check tool").option("--attw-profile <profile>", "Override the configured ATTW profile").action(async (action, flags) => {
+	cli.command("package <action>", "Check configured published package outputs").option("-p, --package <name>", "Run one package check entry").option("--tool <tool>", "Run one package check tool").option("--attw-profile <profile>", "Override the configured ATTW profile").action(async (action, flags) => {
 		if (action !== "check") throw new Error(`Unknown package action "${action}". Expected check.`);
 		const flow = createCliFlow();
 		flow.intro("limina package check");
@@ -2342,12 +2901,26 @@ async function main() {
 			config,
 			cwd: process.cwd(),
 			flow,
-			targetName: flags.package,
+			packageNames: parsePackageNames(flags.package),
 			tool: parsePackageTool(flags.tool)
 		});
 		if (!passed) process.exitCode = 1;
 		flow.outro(passed ? "limina package passed" : "limina package failed");
 	});
+	cli.command("release <action>", "Check package release readiness").option("-p, --package <name>", "Run one release check package entry").action(async (action, flags) => {
+		if (action !== "check") throw new Error(`Unknown release action "${action}". Expected check.`);
+		const flow = createCliFlow();
+		flow.intro("limina release check");
+		const passed = await runReleaseCheck({
+			clearScreen: false,
+			config: await load(flags, "release"),
+			cwd: process.cwd(),
+			flow,
+			packageNames: parsePackageNames(flags.package)
+		});
+		if (!passed) process.exitCode = 1;
+		flow.outro(passed ? "limina release passed" : "limina release failed");
+	});
 	cli.parse(process.argv, { run: false });
 	try {
 		await cli.runMatchedCommand();