diff --git a/bun.lock b/bun.lock
index d957745..d41687e 100644
--- a/bun.lock
+++ b/bun.lock
@@ -159,6 +159,7 @@
         "@aqa/kit": "workspace:*",
         "@aqa/schemas": "workspace:*",
         "@aqa/store": "workspace:*",
+        "yaml": "^2.9.0",
       },
     },
     "packages/store": {
diff --git a/docs/internal/admin-placeholder-audit.md b/docs/internal/admin-placeholder-audit.md
index ac60d3e..4992a8d 100644
--- a/docs/internal/admin-placeholder-audit.md
+++ b/docs/internal/admin-placeholder-audit.md
@@ -54,7 +54,7 @@ The line numbers below were captured against commit `~v1.6.0` (post-merge of PR
 
 ### Packs (lines ~6850-7040)
 
-- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack" (slice 3 wires "Install pack" via the new wizard)~~ **DONE (slice 3, PR #26):** the "Install pack" placeholder was renamed to "Create pack" and wired to the new `<CreatePackWizard>` component that POSTs to `/api/packs/scaffold`. "Import manifest" remains a placeholder for slice 4b.
+- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack"~~ **DONE:** "Install pack" → "Create pack" wizard (slice 3, PR #26) wired to `POST /api/packs/scaffold`; "Import manifest" wired in slice 4b (PR #28) to a new `<ImportManifestWizard>` that calls `POST /api/packs/import` — server parses YAML, validates against `@aqa/schemas/PackManifest`, installs via store. 4 Playwright e2e tests cover open/disabled, happy-path 201, schema-validation 400, 409-duplicate-with-force-retry path. 8 server unit tests cover the endpoint contract.
 - `6910`, `6914`, `6925` — pack row actions (toggle / inspect)
 - `6986` — pack detail actions
 - `7028`, `7033`, `7038` — scenario picker inside pack detail
@@ -72,7 +72,7 @@ Not yet line-counted — comes after the first 49 fit.
 Doing all 81 in one PR is unreviewable. Plan: **one PR per page** so each is a manageable review surface.
 
 1. ~~**slice 4a — Findings page actions** (verify, reject, mark-fixed, mark-duplicate row actions). Needs `PATCH /api/findings/:id/status` (already exists in `packages/server` from v1.4). Just wire the UI buttons.~~ **SHIPPED (PR #27).** Kanban terminal-transition modal wired to `POST /api/findings/:id/status`. Drag-and-drop, required-reason capture, error-on-fail, optimistic UI only after server confirmation. The server *persists* the new status to the store; appending a corresponding `finding.status_changed` event to the audit chain is a separate task tracked as a v1.7.x follow-up (requires extending the `EventKind` enum in `@aqa/schemas` and the store's `updateFindingStatus` to append the event). Remaining row actions in clusters/list views (verify/reject inline buttons) also deferred to a follow-up PR — today the kanban is the canonical status-change surface.
-2. **slice 4b — Packs page** (Import manifest, Install pack). "Install pack" delegates to the wizard from slice 3; "Import manifest" needs a `POST /api/packs/import` route.
+2. ~~**slice 4b — Packs page** (Import manifest, Install pack). "Install pack" delegates to the wizard from slice 3; "Import manifest" needs a `POST /api/packs/import` route.~~ **SHIPPED (PR #28).** `POST /api/packs/import` accepts YAML text, parses + validates against the canonical `PackManifest` schema, installs via store. Admin `<ImportManifestWizard>` lets users paste YAML or load a file from disk, surfaces 4xx/5xx errors inline, and offers a Force-overwrite path on 409.
 3. **slice 4c — Scenarios / Risks / Profiles CRUD** (edit/save/clone/delete). Heaviest slice — needs full CRUD flows on three resources.
 4. **slice 4d — Agents page** (install-instructions copy, "Install for X"). Mostly client-side (copy to clipboard, download files).
 5. **slice 4e — Replay / Audit / Cost / Queue / Notifications** (export CSV, mark-read, drain, pause). Mix of W + C.
diff --git a/packages/admin/src/app.tsx b/packages/admin/src/app.tsx
index 49862b7..c90c60d 100644
--- a/packages/admin/src/app.tsx
+++ b/packages/admin/src/app.tsx
@@ -4434,7 +4434,7 @@ function CreatePackWizard({ open, onClose }) {
         ...(license.trim() ? { license: license.trim() } : {}),
         ...(force ? { force: true } : {}),
       };
-      const res = await fetch('/api/packs/scaffold', {
+      const res = await fetch(apiUrl('/api/packs/scaffold'), {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify(body),
@@ -4671,6 +4671,241 @@ function CreatePackWizard({ open, onClose }) {
 }
 Object.assign(window, { CreatePackWizard });
 
+// =============================================================
+// Import-manifest wizard (v1.7 slice 4b)
+// =============================================================
+// Front-end for POST /api/packs/import. Lets a maintainer paste a
+// pack.yaml manifest text (or load a file from disk via the native
+// file input), then POSTs the YAML body to the server which parses,
+// validates against `@aqa/schemas/PackManifest`, and installs into
+// the store. The wizard is deliberately thin — the server is the
+// source of truth for validation; client only does empty/whitespace
+// checks to avoid wasting a round-trip on obvious failures.
+function ImportManifestWizard({ open, onClose }) {
+  const [yamlText, setYamlText] = React.useState('');
+  const [force, setForce] = React.useState(false);
+  const [submitting, setSubmitting] = React.useState(false);
+  const [error, setError] = React.useState(null);
+  const [result, setResult] = React.useState(null);
+  const toast = useToast();
+
+  const trimmed = yamlText.trim();
+  const canSubmit = trimmed !== '' && !submitting;
+
+  function reset() {
+    setYamlText('');
+    setForce(false);
+    setError(null);
+    setResult(null);
+    setSubmitting(false);
+  }
+  function handleClose() {
+    if (submitting) return;
+    reset();
+    onClose?.();
+  }
+
+  async function handleFileChange(e) {
+    const fileInput = e.target;
+    const file = fileInput.files?.[0];
+    if (!file) return;
+    try {
+      const text = await file.text();
+      setYamlText(text);
+      // Clear any stale "could not read file" error from a previous
+      // failed selection so the user isn't confused by an obsolete
+      // message that's no longer relevant.
+      setError(null);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      setError(`Could not read file: ${msg}`);
+    } finally {
+      // Reset the input value so selecting the same file again
+      // reliably re-fires `onChange` in every browser. Without this,
+      // Chrome/Edge skip the event on identical re-selection (the
+      // input still references the previous File object).
+      fileInput.value = '';
+    }
+  }
+
+  async function handleSubmit() {
+    if (!canSubmit) return;
+    setSubmitting(true);
+    setError(null);
+    const reqUrl = apiUrl('/api/packs/import');
+    try {
+      const res = await fetch(reqUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ yaml: trimmed, ...(force ? { force: true } : {}) }),
+      });
+      const text = await res.text();
+      let parsed = null;
+      try {
+        parsed = text ? JSON.parse(text) : null;
+      } catch {
+        parsed = null;
+      }
+      if (!res.ok) {
+        const msg = parsed?.error ?? `HTTP ${res.status}`;
+        setError(msg);
+        toast.push({ kind: 'error', title: 'Import manifest failed', body: msg });
+        return;
+      }
+      // 2xx but body is empty / not JSON / missing the documented
+      // `pack` shape is treated as an integration failure rather
+      // than silently dropping to the form state. Otherwise the
+      // toast would announce success while the wizard stays in
+      // form mode (since `result` is falsy), confusing the user.
+      if (!parsed || typeof parsed !== 'object' || !('pack' in parsed)) {
+        const msg = `Server returned ${res.status} but the response body is missing the expected \`pack\` object (got ${text ? text.slice(0, 80) : 'empty body'}).`;
+        setError(msg);
+        toast.push({ kind: 'error', title: 'Import manifest failed', body: msg });
+        return;
+      }
+      setResult(parsed);
+      toast.push({
+        kind: 'success',
+        title: 'Pack imported',
+        body: parsed?.pack?.name ?? 'unknown pack',
+      });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      const full = `Could not reach ${reqUrl} (${msg}). The admin is in mock-data mode or the server is down — the manifest was not imported.`;
+      setError(full);
+      toast.push({ kind: 'error', title: 'Import manifest failed', body: full });
+    } finally {
+      setSubmitting(false);
+    }
+  }
+
+  return (
+    <Modal
+      open={open}
+      onClose={handleClose}
+      title={result ? 'Manifest imported' : 'Import pack manifest'}
+      sub={
+        result
+          ? `${result.pack?.name ?? 'unknown'} v${result.pack?.version ?? '?'} is now registered. The pack file tree itself (scenarios, risks) must be in place on disk for aqa run to discover it.`
+          : 'Paste a pack.yaml manifest or load one from disk. The server parses YAML, validates against @aqa/schemas/PackManifest, then installs into the store.'
+      }
+      size="md"
+      footer={
+        result ? (
+          <button className="btn" onClick={handleClose} data-testid="import-manifest-done">
+            Done
+          </button>
+        ) : (
+          <>
+            <button className="btn" onClick={handleClose} disabled={submitting}>
+              Cancel
+            </button>
+            <button
+              className="btn primary"
+              data-testid="import-manifest-submit"
+              onClick={handleSubmit}
+              disabled={!canSubmit}
+            >
+              {submitting ? (
+                'Importing…'
+              ) : (
+                <>
+                  <I.Upload size={12} />
+                  Import
+                </>
+              )}
+            </button>
+          </>
+        )
+      }
+    >
+      {result ? (
+        <div className="col gap-12" data-testid="import-manifest-result">
+          <Alert kind="success" title="Manifest imported">
+            <div className="col gap-4">
+              <div>
+                <strong>Name:</strong>{' '}
+                <span className="mono">{result.pack?.name}</span>
+              </div>
+              <div>
+                <strong>Version:</strong>{' '}
+                <span className="mono">{result.pack?.version}</span>
+              </div>
+            </div>
+          </Alert>
+          <div style={{ fontSize: 12, color: 'var(--text-secondary)' }}>
+            Next: make sure the matching pack directory exists at{' '}
+            <code>&lt;project&gt;/packs/{result.pack?.name}/</code> with scenarios + risks. The
+            store records the manifest; the file tree on disk is what <code>aqa run</code> reads.
+          </div>
+        </div>
+      ) : (
+        <div className="col gap-12">
+          {error && (
+            <Alert kind="error" title="Import failed">
+              {error}
+            </Alert>
+          )}
+          <div className="field-row">
+            <label className="field-label" htmlFor="im-file">
+              Load from disk (optional)
+            </label>
+            <input
+              id="im-file"
+              type="file"
+              accept=".yaml,.yml,application/yaml,text/yaml,text/plain"
+              data-testid="import-manifest-file"
+              onChange={handleFileChange}
+            />
+            <div className="field-hint">
+              Reads the file into the textarea below — submit happens on Import, not on selection.
+            </div>
+          </div>
+          <div className="field-row">
+            <label className="field-label" htmlFor="im-yaml">
+              Manifest YAML *
+            </label>
+            <textarea
+              id="im-yaml"
+              className="textarea mono"
+              data-testid="import-manifest-yaml"
+              placeholder={`schema_version: "1"\nname: pack-myapp\nversion: 0.1.0\ndescription: …\napplies_when:\n  sut_type: [api]\nscenarios: []\nrisks: []`}
+              style={{ minHeight: 220, fontSize: 11.5 }}
+              value={yamlText}
+              onChange={(e) => setYamlText(e.target.value)}
+            />
+            <div className="field-hint">
+              Required. The server validates against{' '}
+              <code>@aqa/schemas/PackManifest</code> — see{' '}
+              <a
+                href="https://github.com/padosoft/agentic-qa-kit/blob/main/docs/PACK-AUTHORING.md"
+                target="_blank"
+                rel="noreferrer"
+              >
+                docs/PACK-AUTHORING.md
+              </a>{' '}
+              for the schema.
+            </div>
+          </div>
+          <label className="row gap-8" style={{ alignItems: 'center', cursor: 'pointer', fontSize: 12 }}>
+            <input
+              type="checkbox"
+              data-testid="import-manifest-force"
+              checked={force}
+              onChange={(e) => setForce(e.target.checked)}
+            />
+            <span>
+              <strong>Force overwrite</strong> — replace an existing pack with the same{' '}
+              <code>name</code>. Without this, the server returns 409 Conflict for a duplicate.
+            </span>
+          </label>
+        </div>
+      )}
+    </Modal>
+  );
+}
+Object.assign(window, { ImportManifestWizard });
+
 // ============ shell.jsx ============
 // =============================================================
 // agentic-qa-kit · admin panel — Shell (Sidebar + TopBar + Palette)
@@ -7419,6 +7654,7 @@ Object.assign(window, { PageFindings, PageFindingDetail, PageRiskMap, PageRiskEd
 // ---------------- Packs ----------------
 function PagePacks({ onNavigate, onOpenPack }) {
   const [createOpen, setCreateOpen] = React.useState(false);
+  const [importOpen, setImportOpen] = React.useState(false);
   return (
     <div className="page" data-screen-label="09 Packs">
       <PageHeader
@@ -7426,7 +7662,11 @@ function PagePacks({ onNavigate, onOpenPack }) {
         sub={`${PACKS.length} installed · ${PACKS.filter((p) => p.signed).length} signed · ${PACKS.filter((p) => !p.signed).length} unsigned`}
         actions={
           <>
-            <button className="btn sm">
+            <button
+              className="btn sm"
+              data-testid="packs-import-btn"
+              onClick={() => setImportOpen(true)}
+            >
               <I.Upload size={12} />
               Import manifest
             </button>
@@ -7442,6 +7682,7 @@ function PagePacks({ onNavigate, onOpenPack }) {
         }
       />
       <CreatePackWizard open={createOpen} onClose={() => setCreateOpen(false)} />
+      <ImportManifestWizard open={importOpen} onClose={() => setImportOpen(false)} />
 
       <Alert kind="warning" title="One pack is unsigned">
         <span className="mono">community-stripe@0.3.1</span> is installed without signature
diff --git a/packages/admin/test/e2e/import-manifest.e2e.ts b/packages/admin/test/e2e/import-manifest.e2e.ts
new file mode 100644
index 0000000..00fa889
--- /dev/null
+++ b/packages/admin/test/e2e/import-manifest.e2e.ts
@@ -0,0 +1,162 @@
+import { expect, test } from '@playwright/test';
+
+/**
+ * v1.7 slice 4b — Admin "Import manifest" wizard.
+ *
+ * Covers:
+ * - clicking "Import manifest" opens the wizard
+ * - Submit is disabled until YAML text is provided
+ * - happy path: POSTs { yaml, force? } to /api/packs/import and shows
+ *   the success panel with pack name + version on 201
+ * - 400 (schema validation): wizard stays open with the server error
+ * - 409 (duplicate): wizard stays open; toggling "Force overwrite"
+ *   reveals the path the user takes to retry
+ *
+ * Admin runs in mock-data mode under Playwright; we stub the
+ * endpoint with `page.route`. The server-side unit tests in
+ * @aqa/server prove the endpoint contract; this e2e proves the
+ * wizard talks to it correctly.
+ */
+
+const VALID_YAML = `schema_version: "1"
+name: pack-imported-e2e
+version: 0.1.0
+description: e2e-imported pack
+author: Test
+license: Apache-2.0
+applies_when:
+  sut_type: [api]
+templates: []
+scenarios: []
+risks: []
+oracles: []
+probes: []
+`;
+
+async function navigateToPacks(page: import('@playwright/test').Page): Promise<void> {
+  await page.goto('/');
+  await expect(page.locator('.sidebar')).toBeVisible();
+  await page
+    .locator('.nav-item', { hasText: /^Packs/i })
+    .first()
+    .click();
+  await expect(page.locator('.page-title, h1').first()).toContainText(/Packs/i);
+}
+
+test.describe('Import-manifest wizard', () => {
+  test('Import-manifest button opens the wizard with disabled submit', async ({ page }) => {
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await expect(page.getByTestId('import-manifest-yaml')).toBeVisible();
+    await expect(page.getByTestId('import-manifest-submit')).toBeDisabled();
+  });
+
+  test('happy-path 201 renders success panel with pack name + version', async ({ page }) => {
+    type PostedBody = { yaml?: string; force?: boolean };
+    const captured: { value: PostedBody | null } = { value: null };
+    await page.route('**/api/packs/import', async (route) => {
+      captured.value = route.request().postDataJSON() as PostedBody;
+      await route.fulfill({
+        status: 201,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          pack: { name: 'pack-imported-e2e', version: '0.1.0' },
+        }),
+      });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    const result = page.getByTestId('import-manifest-result');
+    await expect(result).toBeVisible();
+    await expect(result).toContainText('pack-imported-e2e');
+    await expect(result).toContainText('0.1.0');
+    expect(captured.value?.yaml).toContain('pack-imported-e2e');
+  });
+
+  test('2xx response with empty/non-JSON body is treated as failure', async ({ page }) => {
+    // Regression test for PR #28 iter 1 (Copilot):
+    // A 200 response with empty/non-JSON body used to set
+    // result=null (falsy), leaving the wizard in form-state while
+    // toasting success. Now the wizard explicitly checks for the
+    // `pack` object in the response and surfaces an error if it's
+    // missing.
+    await page.route('**/api/packs/import', async (route) => {
+      // 200 OK but the body is empty — not what the documented
+      // contract returns.
+      await route.fulfill({ status: 200, contentType: 'application/json', body: '' });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    // Wizard stays open with an explicit error explaining the
+    // missing `pack` field — not a success panel.
+    await expect(
+      page.locator('.modal-body .alert', { hasText: /missing the expected `pack`/i }),
+    ).toBeVisible();
+    await expect(page.getByTestId('import-manifest-result')).toHaveCount(0);
+  });
+
+  test('schema-validation 400 keeps wizard open with error inline', async ({ page }) => {
+    await page.route('**/api/packs/import', async (route) => {
+      await route.fulfill({
+        status: 400,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          error: 'manifest failed schema validation: name: Required',
+          code: 'EINVAL',
+        }),
+      });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill('schema_version: "1"\n');
+    await page.getByTestId('import-manifest-submit').click();
+    await expect(
+      page.locator('.modal-body .alert', { hasText: /schema validation/i }),
+    ).toBeVisible();
+    await expect(page.getByTestId('import-manifest-result')).toHaveCount(0);
+  });
+
+  test('409 duplicate: user can toggle force and retry', async ({ page }) => {
+    type PostedBody = { yaml?: string; force?: boolean };
+    let callCount = 0;
+    const last: { value: PostedBody | null } = { value: null };
+    await page.route('**/api/packs/import', async (route) => {
+      callCount += 1;
+      last.value = route.request().postDataJSON() as PostedBody;
+      if (callCount === 1) {
+        await route.fulfill({
+          status: 409,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            error:
+              'pack "pack-imported-e2e" already exists (currently version 0.1.0); pass force=true to overwrite',
+            code: 'EEXIST',
+          }),
+        });
+      } else {
+        await route.fulfill({
+          status: 201,
+          contentType: 'application/json',
+          body: JSON.stringify({ pack: { name: 'pack-imported-e2e', version: '0.2.0' } }),
+        });
+      }
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    // First call: 409 — error visible, wizard still open.
+    await expect(page.locator('.modal-body .alert', { hasText: /already exists/i })).toBeVisible();
+    expect(last.value?.force).toBeUndefined();
+    // Toggle force and resubmit.
+    await page.getByTestId('import-manifest-force').check();
+    await page.getByTestId('import-manifest-submit').click();
+    await expect(page.getByTestId('import-manifest-result')).toBeVisible();
+    expect(last.value?.force).toBe(true);
+    expect(callCount).toBe(2);
+  });
+});
diff --git a/packages/server/package.json b/packages/server/package.json
index 70155e6..90af60a 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -19,7 +19,8 @@
     "@aqa/auth": "workspace:*",
     "@aqa/kit": "workspace:*",
     "@aqa/schemas": "workspace:*",
-    "@aqa/store": "workspace:*"
+    "@aqa/store": "workspace:*",
+    "yaml": "^2.9.0"
   },
   "publishConfig": { "access": "public" }
 }
diff --git a/packages/server/src/api.ts b/packages/server/src/api.ts
index 4d9f4a4..e463ae3 100644
--- a/packages/server/src/api.ts
+++ b/packages/server/src/api.ts
@@ -1,6 +1,7 @@
 import type { User, allows } from '@aqa/auth';
 import { runPackNew } from '@aqa/kit';
 import type { PackNewErrorCode } from '@aqa/kit';
+import { PackManifest as PackManifestSchema } from '@aqa/schemas';
 import type {
   ApiToken,
   CostSummary,
@@ -16,6 +17,7 @@ import type {
   Tenancy,
 } from '@aqa/schemas';
 import type { StoreProvider } from '@aqa/store';
+import { parse as yamlParse } from 'yaml';
 import type { RunnerQueue } from './runner-queue.js';
 
 export interface ApiContext {
@@ -87,6 +89,29 @@ function errorCodeToStatus(code: PackNewErrorCode | undefined): number {
   }
 }
 
+/**
+ * Format a Zod safeParse failure as a concise list of `path: message`
+ * lines. The default `error.message` is the full Zod dump (multi-line
+ * JSON-ish output), which is verbose and hard to read in the admin's
+ * inline alert. Walking `error.issues` lets us surface just the
+ * actionable bits: "applies_when.sut_type: Required", etc.
+ *
+ * Falls back to the original message if `issues` is empty or malformed
+ * — the message is then truncated to a sane length so we don't dump a
+ * 5KB Zod blob into a toast.
+ */
+function formatZodError(err: {
+  issues?: Array<{ path: Array<string | number>; message: string }>;
+  message?: string;
+}): string {
+  if (Array.isArray(err.issues) && err.issues.length > 0) {
+    return err.issues
+      .map((iss) => `${iss.path.length > 0 ? iss.path.join('.') : '<root>'}: ${iss.message}`)
+      .join('; ');
+  }
+  return (err.message ?? 'unknown schema error').slice(0, 500);
+}
+
 function requireScope(req: ApiRequest): { org: string; project: string } | ApiResponse {
   const s = scope(req);
   if (!s.org || !s.project) {
@@ -267,6 +292,17 @@ export function makeApi(): ApiHandler[] {
       path: '/api/packs',
       requires: 'packs:install',
       async handle(req, ctx) {
+        // NOTE: this v1.4 endpoint accepts a pre-parsed JSON manifest
+        // and currently does NOT validate against the schema or
+        // detect duplicates — `MemoryStore.installPack` silently
+        // overwrites. The newer `POST /api/packs/import` (slice 4b)
+        // adds full validation + conflict detection on a YAML body.
+        // Consolidating both onto a shared helper (validate-then-
+        // install, with `force` semantics) is tracked as a v1.7.x
+        // follow-up; doing it here would change long-standing
+        // behavior callers may depend on, so it's intentionally
+        // out of scope for this slice. Until then, callers wanting
+        // safety guarantees should prefer `/api/packs/import`.
         const manifest = req.body as PackManifest.PackManifest;
         await ctx.store.installPack(manifest);
         return asResponse({ pack: manifest }, 201);
@@ -405,6 +441,84 @@ export function makeApi(): ApiHandler[] {
       },
     },
 
+    {
+      // v1.7 slice 4b — admin "Import manifest" wizard:
+      // accepts a YAML manifest as a string, parses + validates it
+      // against `@aqa/schemas/PackManifest`, then installs into the
+      // store via `installPack`. Separate from `POST /api/packs`
+      // (which takes pre-parsed JSON) so the admin can hand the
+      // server a raw `pack.yaml` blob without parsing client-side.
+      method: 'POST',
+      path: '/api/packs/import',
+      requires: 'packs:install',
+      async handle(req, ctx) {
+        const body = (req.body ?? {}) as Record<string, unknown>;
+        if (typeof body.yaml !== 'string' || body.yaml.trim() === '') {
+          return asResponse(
+            {
+              error: 'body.yaml is required (non-empty string containing the pack manifest YAML)',
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        if (body.force !== undefined && typeof body.force !== 'boolean') {
+          return asResponse(
+            {
+              error: 'force must be a boolean when provided (got non-boolean)',
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        let parsed: unknown;
+        try {
+          parsed = yamlParse(body.yaml);
+        } catch (e) {
+          return asResponse(
+            {
+              error: `yaml parse error: ${e instanceof Error ? e.message : String(e)}`,
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        const validated = PackManifestSchema.PackManifest.safeParse(parsed);
+        if (!validated.success) {
+          return asResponse(
+            {
+              error: `manifest failed schema validation: ${formatZodError(validated.error)}`,
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        const manifest = validated.data;
+        const existing = await ctx.store.loadPack(manifest.name);
+        if (existing && body.force !== true) {
+          return asResponse(
+            {
+              error: `pack "${manifest.name}" already exists (currently version ${existing.version}); pass force=true to overwrite`,
+              code: 'EEXIST' satisfies PackNewErrorCode,
+            },
+            409,
+          );
+        }
+        try {
+          await ctx.store.installPack(manifest);
+        } catch (e) {
+          return asResponse(
+            {
+              error: `installPack failed: ${e instanceof Error ? e.message : String(e)}`,
+              code: 'EIO' satisfies PackNewErrorCode,
+            },
+            500,
+          );
+        }
+        return asResponse({ pack: manifest }, 201);
+      },
+    },
+
     // ============ Profiles ============
     {
       method: 'GET',
diff --git a/packages/server/test/api.test.ts b/packages/server/test/api.test.ts
index 4bb3093..ff8f834 100644
--- a/packages/server/test/api.test.ts
+++ b/packages/server/test/api.test.ts
@@ -162,6 +162,128 @@ describe('makeApi', () => {
     assert.deepEqual((res?.body as { orgs: unknown[] }).orgs, []);
   });
 
+  // ============ v1.7 slice 4b — Pack import (admin "Import manifest") ============
+
+  describe('POST /api/packs/import', () => {
+    const VALID_YAML = `schema_version: "1"
+name: pack-imported
+version: 0.1.0
+description: "An imported pack"
+author: "Test"
+license: Apache-2.0
+applies_when:
+  sut_type: [api]
+templates: []
+scenarios: []
+risks: []
+oracles: []
+probes: []
+`;
+    it('parses YAML body, validates, and installs the manifest (201)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      assert.ok(route, 'POST /api/packs/import must exist');
+      const res = await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      assert.equal(
+        res?.status,
+        201,
+        `expected 201, got ${res?.status}: ${JSON.stringify(res?.body)}`,
+      );
+      const body = res?.body as { pack: { name: string; version: string } };
+      assert.equal(body.pack.name, 'pack-imported');
+      assert.equal(body.pack.version, '0.1.0');
+      // And the store actually has it.
+      const stored = await c.store.loadPack('pack-imported');
+      assert.ok(stored);
+    });
+
+    it('returns 400 on missing body.yaml (with code=EINVAL)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle({ headers: {}, params: {}, body: {} }, c);
+      assert.equal(res?.status, 400);
+      const body = res?.body as { error: string; code: string };
+      assert.equal(body.code, 'EINVAL');
+      assert.match(body.error, /yaml/i);
+    });
+
+    it('returns 400 on YAML that does not parse (code=EINVAL)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: 'this is: not\n  valid: [yaml' } },
+        c,
+      );
+      assert.equal(res?.status, 400);
+      const body = res?.body as { error: string; code: string };
+      assert.match(body.error, /parse|yaml/i);
+      assert.equal(body.code, 'EINVAL');
+    });
+
+    it('returns 400 on schema-invalid manifest (code=EINVAL, concise path:msg list)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      // Missing required `name` field.
+      const yaml = `schema_version: "1"\nversion: 0.1.0\ndescription: missing name\nauthor: X\nlicense: Apache-2.0\napplies_when: { sut_type: [api] }\ntemplates: []\nscenarios: []\nrisks: []\noracles: []\nprobes: []\n`;
+      const res = await route?.handle({ headers: {}, params: {}, body: { yaml } }, c);
+      assert.equal(res?.status, 400);
+      const body = res?.body as { error: string; code: string };
+      assert.match(body.error, /schema|name|required/i);
+      assert.equal(body.code, 'EINVAL');
+      // The improved error format walks Zod issues into `path: message`
+      // pairs separated by `; ` — much more actionable than the default
+      // multi-line Zod dump. Assert the format so a regression to the
+      // verbose form is caught.
+      assert.ok(
+        !body.error.includes('\n') || body.error.split('\n').length <= 2,
+        `error should be concise, got multi-line dump: ${body.error}`,
+      );
+    });
+
+    it('returns 409 when a pack with that name already exists', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const first = await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      assert.equal(first?.status, 201);
+      const second = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: VALID_YAML } },
+        c,
+      );
+      assert.equal(second?.status, 409);
+      assert.equal((second?.body as { code: string }).code, 'EEXIST');
+    });
+
+    it('overwrites an existing pack when force=true', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      const newer = VALID_YAML.replace('version: 0.1.0', 'version: 0.2.0');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: newer, force: true } },
+        c,
+      );
+      assert.equal(res?.status, 201);
+      const stored = await c.store.loadPack('pack-imported');
+      assert.equal(stored?.version, '0.2.0');
+    });
+
+    it('rejects non-boolean force with 400', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: VALID_YAML, force: 'yes' } },
+        c,
+      );
+      assert.equal(res?.status, 400);
+      assert.match((res?.body as { error: string }).error, /force.*boolean/i);
+    });
+
+    it('requires the packs:install permission', () => {
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      assert.equal(route?.requires, 'packs:install');
+    });
+  });
+
   // ============ v1.7 slice 3 — Pack scaffolding (Admin Create-pack wizard) ============
 
   describe('POST /api/packs/scaffold', () => {