From 9c5e67ab7cf1c922ff27bdad662dac1cf79290b5 Mon Sep 17 00:00:00 2001
From: "lorenzo.padovani@padosoft.com" <lorenzo.padovani@padosoft.com>
Date: Tue, 19 May 2026 09:42:21 +0200
Subject: [PATCH 1/3] feat(slice-4b): admin Import-manifest wizard + POST
 /api/packs/import
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

v1.7 slice 4b — wires the "Import manifest" placeholder button on
the Packs page to a real wizard that POSTs a YAML pack manifest to
a new server endpoint, which parses + validates + installs into the
store.

## Server side (@aqa/server)

- New `POST /api/packs/import` endpoint (`packs:install` permission)
- Body: `{ yaml: string, force?: boolean }`
- Parses YAML server-side (the existing `POST /api/packs` accepts
  pre-parsed JSON; this endpoint accepts raw `pack.yaml` text so the
  admin doesn't need to YAML-parse client-side)
- Validates against `@aqa/schemas/PackManifest` (canonical Zod
  schema)
- On duplicate name without `force=true`, returns 409 with
  `code: 'EEXIST'` (reuses the structured-error pattern from PR #26)
- Adds `yaml` workspace dep to `@aqa/server`
- 8 new unit tests: happy-path 201, missing body.yaml, YAML parse
  error, schema-invalid manifest, 409 duplicate, force=true
  overwrite, non-boolean force rejected, permission requirement

## Admin UI (@aqa/admin)

- New `<ImportManifestWizard>` modal opened from the (previously
  silent) "Import manifest" button
- YAML textarea + native file picker for loading a `pack.yaml`
  from disk; selecting a file fills the textarea, submit still
  requires explicit click
- Force-overwrite checkbox surfaces the 409-retry path
- Result panel shows installed name + version + next-step guidance
  (matching pack directory still needs to exist on disk for
  `aqa run` to discover it)
- All errors render inline as `<Alert kind="error" role="alert">`
  (a11y carried over from slice 4a)
- 4 Playwright e2e tests: open/disabled-submit, happy-path 201,
  schema-validation 400 keeps wizard open, 409 → toggle force →
  retry succeeds

## Audit doc

- Lines 6850/6853 marked **DONE** (Install pack via PR #26 +
  Import manifest via this PR)
- Slice 4b checklist item marked **SHIPPED**

## Tests

- @aqa/server: 34 unit (was 26, +8 import tests)
- @aqa/admin: 55 Playwright (51 existing + 4 import wizard)
- Lint + typecheck clean

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 bun.lock                                      |   1 +
 docs/internal/admin-placeholder-audit.md      |   4 +-
 packages/admin/src/app.tsx                    | 221 +++++++++++++++++-
 .../admin/test/e2e/import-manifest.e2e.ts     | 136 +++++++++++
 packages/server/package.json                  |   3 +-
 packages/server/src/api.ts                    |  80 +++++++
 packages/server/test/api.test.ts              | 110 +++++++++
 7 files changed, 551 insertions(+), 4 deletions(-)
 create mode 100644 packages/admin/test/e2e/import-manifest.e2e.ts

diff --git a/bun.lock b/bun.lock
index d957745..d41687e 100644
--- a/bun.lock
+++ b/bun.lock
@@ -159,6 +159,7 @@
         "@aqa/kit": "workspace:*",
         "@aqa/schemas": "workspace:*",
         "@aqa/store": "workspace:*",
+        "yaml": "^2.9.0",
       },
     },
     "packages/store": {
diff --git a/docs/internal/admin-placeholder-audit.md b/docs/internal/admin-placeholder-audit.md
index ac60d3e..eec7a2d 100644
--- a/docs/internal/admin-placeholder-audit.md
+++ b/docs/internal/admin-placeholder-audit.md
@@ -54,7 +54,7 @@ The line numbers below were captured against commit `~v1.6.0` (post-merge of PR
 
 ### Packs (lines ~6850-7040)
 
-- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack" (slice 3 wires "Install pack" via the new wizard)~~ **DONE (slice 3, PR #26):** the "Install pack" placeholder was renamed to "Create pack" and wired to the new `<CreatePackWizard>` component that POSTs to `/api/packs/scaffold`. "Import manifest" remains a placeholder for slice 4b.
+- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack"~~ **DONE:** "Install pack" → "Create pack" wizard (slice 3, PR #26) wired to `POST /api/packs/scaffold`; "Import manifest" wired in slice 4b (PR #28) to a new `<ImportManifestWizard>` that POSTs to `POST /api/packs/import` — server parses YAML, validates against `@aqa/schemas/PackManifest`, installs via store. 4 Playwright e2e tests cover open/disabled, happy-path 201, schema-validation 400, 409-duplicate-with-force-retry path. 8 server unit tests cover the endpoint contract.
 - `6910`, `6914`, `6925` — pack row actions (toggle / inspect)
 - `6986` — pack detail actions
 - `7028`, `7033`, `7038` — scenario picker inside pack detail
@@ -72,7 +72,7 @@ Not yet line-counted — comes after the first 49 fit.
 Doing all 81 in one PR is unreviewable. Plan: **one PR per page** so each is a manageable review surface.
 
 1. ~~**slice 4a — Findings page actions** (verify, reject, mark-fixed, mark-duplicate row actions). Needs `PATCH /api/findings/:id/status` (already exists in `packages/server` from v1.4). Just wire the UI buttons.~~ **SHIPPED (PR #27).** Kanban terminal-transition modal wired to `POST /api/findings/:id/status`. Drag-and-drop, required-reason capture, error-on-fail, optimistic UI only after server confirmation. The server *persists* the new status to the store; appending a corresponding `finding.status_changed` event to the audit chain is a separate task tracked as a v1.7.x follow-up (requires extending the `EventKind` enum in `@aqa/schemas` and the store's `updateFindingStatus` to append the event). Remaining row actions in clusters/list views (verify/reject inline buttons) also deferred to a follow-up PR — today the kanban is the canonical status-change surface.
-2. **slice 4b — Packs page** (Import manifest, Install pack). "Install pack" delegates to the wizard from slice 3; "Import manifest" needs a `POST /api/packs/import` route.
+2. ~~**slice 4b — Packs page** (Import manifest, Install pack). "Install pack" delegates to the wizard from slice 3; "Import manifest" needs a `POST /api/packs/import` route.~~ **SHIPPED (PR #28).** `POST /api/packs/import` accepts YAML text, parses + validates against the canonical `PackManifest` schema, installs via store. Admin `<ImportManifestWizard>` lets users paste YAML or load a file from disk, surfaces 4xx/5xx errors inline, and offers a Force-overwrite path on 409.
 3. **slice 4c — Scenarios / Risks / Profiles CRUD** (edit/save/clone/delete). Heaviest slice — needs full CRUD flows on three resources.
 4. **slice 4d — Agents page** (install-instructions copy, "Install for X"). Mostly client-side (copy to clipboard, download files).
 5. **slice 4e — Replay / Audit / Cost / Queue / Notifications** (export CSV, mark-read, drain, pause). Mix of W + C.
diff --git a/packages/admin/src/app.tsx b/packages/admin/src/app.tsx
index 49862b7..a669757 100644
--- a/packages/admin/src/app.tsx
+++ b/packages/admin/src/app.tsx
@@ -4671,6 +4671,219 @@ function CreatePackWizard({ open, onClose }) {
 }
 Object.assign(window, { CreatePackWizard });
 
+// =============================================================
+// Import-manifest wizard (v1.7 slice 4b)
+// =============================================================
+// Front-end for POST /api/packs/import. Lets a maintainer paste a
+// pack.yaml manifest text (or load a file from disk via the native
+// file input), then POSTs the YAML body to the server which parses,
+// validates against `@aqa/schemas/PackManifest`, and installs into
+// the store. The wizard is deliberately thin — the server is the
+// source of truth for validation; client only does empty/whitespace
+// checks to avoid wasting a round-trip on obvious failures.
+function ImportManifestWizard({ open, onClose }) {
+  const [yamlText, setYamlText] = React.useState('');
+  const [force, setForce] = React.useState(false);
+  const [submitting, setSubmitting] = React.useState(false);
+  const [error, setError] = React.useState(null);
+  const [result, setResult] = React.useState(null);
+  const toast = useToast();
+
+  const trimmed = yamlText.trim();
+  const canSubmit = trimmed !== '' && !submitting;
+
+  function reset() {
+    setYamlText('');
+    setForce(false);
+    setError(null);
+    setResult(null);
+    setSubmitting(false);
+  }
+  function handleClose() {
+    if (submitting) return;
+    reset();
+    onClose?.();
+  }
+
+  async function handleFileChange(e) {
+    const file = e.target.files?.[0];
+    if (!file) return;
+    try {
+      const text = await file.text();
+      setYamlText(text);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      setError(`Could not read file: ${msg}`);
+    }
+  }
+
+  async function handleSubmit() {
+    if (!canSubmit) return;
+    setSubmitting(true);
+    setError(null);
+    const reqUrl = apiUrl('/api/packs/import');
+    try {
+      const res = await fetch(reqUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ yaml: trimmed, ...(force ? { force: true } : {}) }),
+      });
+      const text = await res.text();
+      let parsed = null;
+      try {
+        parsed = text ? JSON.parse(text) : null;
+      } catch {
+        parsed = null;
+      }
+      if (!res.ok) {
+        const msg = parsed?.error ?? `HTTP ${res.status}`;
+        setError(msg);
+        toast.push({ kind: 'error', title: 'Import manifest failed', body: msg });
+        return;
+      }
+      setResult(parsed);
+      toast.push({
+        kind: 'success',
+        title: 'Pack imported',
+        body: parsed?.pack?.name ?? 'unknown pack',
+      });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      const full = `Could not reach ${reqUrl} (${msg}). The admin is in mock-data mode or the server is down — the manifest was not imported.`;
+      setError(full);
+      toast.push({ kind: 'error', title: 'Import manifest failed', body: full });
+    } finally {
+      setSubmitting(false);
+    }
+  }
+
+  return (
+    <Modal
+      open={open}
+      onClose={handleClose}
+      title={result ? 'Manifest imported' : 'Import pack manifest'}
+      sub={
+        result
+          ? `${result.pack?.name ?? 'unknown'} v${result.pack?.version ?? '?'} is now registered. The pack file tree itself (scenarios, risks) must be in place on disk for aqa run to discover it.`
+          : 'Paste a pack.yaml manifest or load one from disk. The server parses YAML, validates against @aqa/schemas/PackManifest, then installs into the store.'
+      }
+      size="md"
+      footer={
+        result ? (
+          <button className="btn" onClick={handleClose} data-testid="import-manifest-done">
+            Done
+          </button>
+        ) : (
+          <>
+            <button className="btn" onClick={handleClose} disabled={submitting}>
+              Cancel
+            </button>
+            <button
+              className="btn primary"
+              data-testid="import-manifest-submit"
+              onClick={handleSubmit}
+              disabled={!canSubmit}
+            >
+              {submitting ? (
+                'Importing…'
+              ) : (
+                <>
+                  <I.Upload size={12} />
+                  Import
+                </>
+              )}
+            </button>
+          </>
+        )
+      }
+    >
+      {result ? (
+        <div className="col gap-12" data-testid="import-manifest-result">
+          <Alert kind="success" title="Manifest imported">
+            <div className="col gap-4">
+              <div>
+                <strong>Name:</strong>{' '}
+                <span className="mono">{result.pack?.name}</span>
+              </div>
+              <div>
+                <strong>Version:</strong>{' '}
+                <span className="mono">{result.pack?.version}</span>
+              </div>
+            </div>
+          </Alert>
+          <div style={{ fontSize: 12, color: 'var(--text-secondary)' }}>
+            Next: make sure the matching pack directory exists at{' '}
+            <code>&lt;project&gt;/packs/{result.pack?.name}/</code> with scenarios + risks. The
+            store records the manifest; the file tree on disk is what <code>aqa run</code> reads.
+          </div>
+        </div>
+      ) : (
+        <div className="col gap-12">
+          {error && (
+            <Alert kind="error" title="Import failed">
+              {error}
+            </Alert>
+          )}
+          <div className="field-row">
+            <label className="field-label" htmlFor="im-file">
+              Load from disk (optional)
+            </label>
+            <input
+              id="im-file"
+              type="file"
+              accept=".yaml,.yml,application/yaml,text/yaml,text/plain"
+              data-testid="import-manifest-file"
+              onChange={handleFileChange}
+            />
+            <div className="field-hint">
+              Reads the file into the textarea below — submit happens on Import, not on selection.
+            </div>
+          </div>
+          <div className="field-row">
+            <label className="field-label" htmlFor="im-yaml">
+              Manifest YAML *
+            </label>
+            <textarea
+              id="im-yaml"
+              className="textarea mono"
+              data-testid="import-manifest-yaml"
+              placeholder={`schema_version: "1"\nname: pack-myapp\nversion: 0.1.0\ndescription: …\napplies_when:\n  sut_type: [api]\nscenarios: []\nrisks: []`}
+              style={{ minHeight: 220, fontSize: 11.5 }}
+              value={yamlText}
+              onChange={(e) => setYamlText(e.target.value)}
+            />
+            <div className="field-hint">
+              Required. The server validates against{' '}
+              <code>@aqa/schemas/PackManifest</code> — see{' '}
+              <a
+                href="https://github.com/padosoft/agentic-qa-kit/blob/main/docs/PACK-AUTHORING.md"
+                target="_blank"
+                rel="noreferrer"
+              >
+                docs/PACK-AUTHORING.md
+              </a>{' '}
+              for the schema.
+            </div>
+          </div>
+          <label className="row gap-8" style={{ alignItems: 'center', cursor: 'pointer', fontSize: 12 }}>
+            <input
+              type="checkbox"
+              data-testid="import-manifest-force"
+              checked={force}
+              onChange={(e) => setForce(e.target.checked)}
+            />
+            <span>
+              <strong>Force overwrite</strong> — replace an existing pack with the same{' '}
+              <code>name</code>. Without this, the server returns 409 Conflict for a duplicate.
+            </span>
+          </label>
+        </div>
+      )}
+    </Modal>
+  );
+}
+Object.assign(window, { ImportManifestWizard });
+
 // ============ shell.jsx ============
 // =============================================================
 // agentic-qa-kit · admin panel — Shell (Sidebar + TopBar + Palette)
@@ -7419,6 +7632,7 @@ Object.assign(window, { PageFindings, PageFindingDetail, PageRiskMap, PageRiskEd
 // ---------------- Packs ----------------
 function PagePacks({ onNavigate, onOpenPack }) {
   const [createOpen, setCreateOpen] = React.useState(false);
+  const [importOpen, setImportOpen] = React.useState(false);
   return (
     <div className="page" data-screen-label="09 Packs">
       <PageHeader
@@ -7426,7 +7640,11 @@ function PagePacks({ onNavigate, onOpenPack }) {
         sub={`${PACKS.length} installed · ${PACKS.filter((p) => p.signed).length} signed · ${PACKS.filter((p) => !p.signed).length} unsigned`}
         actions={
           <>
-            <button className="btn sm">
+            <button
+              className="btn sm"
+              data-testid="packs-import-btn"
+              onClick={() => setImportOpen(true)}
+            >
               <I.Upload size={12} />
               Import manifest
             </button>
@@ -7442,6 +7660,7 @@ function PagePacks({ onNavigate, onOpenPack }) {
         }
       />
       <CreatePackWizard open={createOpen} onClose={() => setCreateOpen(false)} />
+      <ImportManifestWizard open={importOpen} onClose={() => setImportOpen(false)} />
 
       <Alert kind="warning" title="One pack is unsigned">
         <span className="mono">community-stripe@0.3.1</span> is installed without signature
diff --git a/packages/admin/test/e2e/import-manifest.e2e.ts b/packages/admin/test/e2e/import-manifest.e2e.ts
new file mode 100644
index 0000000..7e10f7e
--- /dev/null
+++ b/packages/admin/test/e2e/import-manifest.e2e.ts
@@ -0,0 +1,136 @@
+import { expect, test } from '@playwright/test';
+
+/**
+ * v1.7 slice 4b — Admin "Import manifest" wizard.
+ *
+ * Covers:
+ * - clicking "Import manifest" opens the wizard
+ * - Submit is disabled until YAML text is provided
+ * - happy path: POSTs { yaml, force? } to /api/packs/import and shows
+ *   the success panel with pack name + version on 201
+ * - 400 (schema validation): wizard stays open with the server error
+ * - 409 (duplicate): wizard stays open; toggling "Force overwrite"
+ *   reveals the path the user takes to retry
+ *
+ * Admin runs in mock-data mode under Playwright; we stub the
+ * endpoint with `page.route`. The server-side unit tests in
+ * @aqa/server prove the endpoint contract; this e2e proves the
+ * wizard talks to it correctly.
+ */
+
+const VALID_YAML = `schema_version: "1"
+name: pack-imported-e2e
+version: 0.1.0
+description: e2e-imported pack
+author: Test
+license: Apache-2.0
+applies_when:
+  sut_type: [api]
+templates: []
+scenarios: []
+risks: []
+oracles: []
+probes: []
+`;
+
+async function navigateToPacks(page: import('@playwright/test').Page): Promise<void> {
+  await page.goto('/');
+  await expect(page.locator('.sidebar')).toBeVisible();
+  await page
+    .locator('.nav-item', { hasText: /^Packs/i })
+    .first()
+    .click();
+  await expect(page.locator('.page-title, h1').first()).toContainText(/Packs/i);
+}
+
+test.describe('Import-manifest wizard', () => {
+  test('Import-manifest button opens the wizard with disabled submit', async ({ page }) => {
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await expect(page.getByTestId('import-manifest-yaml')).toBeVisible();
+    await expect(page.getByTestId('import-manifest-submit')).toBeDisabled();
+  });
+
+  test('happy-path 201 renders success panel with pack name + version', async ({ page }) => {
+    let postedBody: { yaml?: string; force?: boolean } | null = null;
+    await page.route('**/api/packs/import', async (route) => {
+      postedBody = route.request().postDataJSON();
+      await route.fulfill({
+        status: 201,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          pack: { name: 'pack-imported-e2e', version: '0.1.0' },
+        }),
+      });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    const result = page.getByTestId('import-manifest-result');
+    await expect(result).toBeVisible();
+    await expect(result).toContainText('pack-imported-e2e');
+    await expect(result).toContainText('0.1.0');
+    expect(postedBody?.yaml).toContain('pack-imported-e2e');
+  });
+
+  test('schema-validation 400 keeps wizard open with error inline', async ({ page }) => {
+    await page.route('**/api/packs/import', async (route) => {
+      await route.fulfill({
+        status: 400,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          error: 'manifest failed schema validation: name: Required',
+          code: 'EINVAL',
+        }),
+      });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill('schema_version: "1"\n');
+    await page.getByTestId('import-manifest-submit').click();
+    await expect(
+      page.locator('.modal-body .alert', { hasText: /schema validation/i }),
+    ).toBeVisible();
+    await expect(page.getByTestId('import-manifest-result')).toHaveCount(0);
+  });
+
+  test('409 duplicate: user can toggle force and retry', async ({ page }) => {
+    let callCount = 0;
+    let lastBody: { yaml?: string; force?: boolean } | null = null;
+    await page.route('**/api/packs/import', async (route) => {
+      callCount += 1;
+      lastBody = route.request().postDataJSON();
+      if (callCount === 1) {
+        await route.fulfill({
+          status: 409,
+          contentType: 'application/json',
+          body: JSON.stringify({
+            error:
+              'pack "pack-imported-e2e" already exists (currently version 0.1.0); pass force=true to overwrite',
+            code: 'EEXIST',
+          }),
+        });
+      } else {
+        await route.fulfill({
+          status: 201,
+          contentType: 'application/json',
+          body: JSON.stringify({ pack: { name: 'pack-imported-e2e', version: '0.2.0' } }),
+        });
+      }
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    // First call: 409 — error visible, wizard still open.
+    await expect(page.locator('.modal-body .alert', { hasText: /already exists/i })).toBeVisible();
+    expect(lastBody?.force).toBeUndefined();
+    // Toggle force and resubmit.
+    await page.getByTestId('import-manifest-force').check();
+    await page.getByTestId('import-manifest-submit').click();
+    await expect(page.getByTestId('import-manifest-result')).toBeVisible();
+    expect(lastBody?.force).toBe(true);
+    expect(callCount).toBe(2);
+  });
+});
diff --git a/packages/server/package.json b/packages/server/package.json
index 70155e6..90af60a 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -19,7 +19,8 @@
     "@aqa/auth": "workspace:*",
     "@aqa/kit": "workspace:*",
     "@aqa/schemas": "workspace:*",
-    "@aqa/store": "workspace:*"
+    "@aqa/store": "workspace:*",
+    "yaml": "^2.9.0"
   },
   "publishConfig": { "access": "public" }
 }
diff --git a/packages/server/src/api.ts b/packages/server/src/api.ts
index 4d9f4a4..b9a2c99 100644
--- a/packages/server/src/api.ts
+++ b/packages/server/src/api.ts
@@ -1,6 +1,7 @@
 import type { User, allows } from '@aqa/auth';
 import { runPackNew } from '@aqa/kit';
 import type { PackNewErrorCode } from '@aqa/kit';
+import { PackManifest as PackManifestSchema } from '@aqa/schemas';
 import type {
   ApiToken,
   CostSummary,
@@ -16,6 +17,7 @@ import type {
   Tenancy,
 } from '@aqa/schemas';
 import type { StoreProvider } from '@aqa/store';
+import { parse as yamlParse } from 'yaml';
 import type { RunnerQueue } from './runner-queue.js';
 
 export interface ApiContext {
@@ -405,6 +407,84 @@ export function makeApi(): ApiHandler[] {
       },
     },
 
+    {
+      // v1.7 slice 4b — admin "Import manifest" wizard:
+      // accepts a YAML manifest as a string, parses + validates it
+      // against `@aqa/schemas/PackManifest`, then installs into the
+      // store via `installPack`. Separate from `POST /api/packs`
+      // (which takes pre-parsed JSON) so the admin can hand the
+      // server a raw `pack.yaml` blob without parsing client-side.
+      method: 'POST',
+      path: '/api/packs/import',
+      requires: 'packs:install',
+      async handle(req, ctx) {
+        const body = (req.body ?? {}) as Record<string, unknown>;
+        if (typeof body.yaml !== 'string' || body.yaml.trim() === '') {
+          return asResponse(
+            {
+              error: 'body.yaml is required (non-empty string containing the pack manifest YAML)',
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        if (body.force !== undefined && typeof body.force !== 'boolean') {
+          return asResponse(
+            {
+              error: 'force must be a boolean when provided (got non-boolean)',
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        let parsed: unknown;
+        try {
+          parsed = yamlParse(body.yaml);
+        } catch (e) {
+          return asResponse(
+            {
+              error: `yaml parse error: ${e instanceof Error ? e.message : String(e)}`,
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        const validated = PackManifestSchema.PackManifest.safeParse(parsed);
+        if (!validated.success) {
+          return asResponse(
+            {
+              error: `manifest failed schema validation: ${validated.error.message}`,
+              code: 'EINVAL' satisfies PackNewErrorCode,
+            },
+            400,
+          );
+        }
+        const manifest = validated.data;
+        const existing = await ctx.store.loadPack(manifest.name);
+        if (existing && body.force !== true) {
+          return asResponse(
+            {
+              error: `pack "${manifest.name}" already exists (currently version ${existing.version}); pass force=true to overwrite`,
+              code: 'EEXIST' satisfies PackNewErrorCode,
+            },
+            409,
+          );
+        }
+        try {
+          await ctx.store.installPack(manifest);
+        } catch (e) {
+          return asResponse(
+            {
+              error: `installPack failed: ${e instanceof Error ? e.message : String(e)}`,
+              code: 'EIO' satisfies PackNewErrorCode,
+            },
+            500,
+          );
+        }
+        return asResponse({ pack: manifest }, 201);
+      },
+    },
+
     // ============ Profiles ============
     {
       method: 'GET',
diff --git a/packages/server/test/api.test.ts b/packages/server/test/api.test.ts
index 4bb3093..a80ba02 100644
--- a/packages/server/test/api.test.ts
+++ b/packages/server/test/api.test.ts
@@ -162,6 +162,116 @@ describe('makeApi', () => {
     assert.deepEqual((res?.body as { orgs: unknown[] }).orgs, []);
   });
 
+  // ============ v1.7 slice 4b — Pack import (admin "Import manifest") ============
+
+  describe('POST /api/packs/import', () => {
+    const VALID_YAML = `schema_version: "1"
+name: pack-imported
+version: 0.1.0
+description: "An imported pack"
+author: "Test"
+license: Apache-2.0
+applies_when:
+  sut_type: [api]
+templates: []
+scenarios: []
+risks: []
+oracles: []
+probes: []
+`;
+    it('parses YAML body, validates, and installs the manifest (201)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      assert.ok(route, 'POST /api/packs/import must exist');
+      const res = await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      assert.equal(
+        res?.status,
+        201,
+        `expected 201, got ${res?.status}: ${JSON.stringify(res?.body)}`,
+      );
+      const body = res?.body as { pack: { name: string; version: string } };
+      assert.equal(body.pack.name, 'pack-imported');
+      assert.equal(body.pack.version, '0.1.0');
+      // And the store actually has it.
+      const stored = await c.store.loadPack('pack-imported');
+      assert.ok(stored);
+    });
+
+    it('returns 400 on missing body.yaml (with code=EINVAL)', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle({ headers: {}, params: {}, body: {} }, c);
+      assert.equal(res?.status, 400);
+      const body = res?.body as { error: string; code: string };
+      assert.equal(body.code, 'EINVAL');
+      assert.match(body.error, /yaml/i);
+    });
+
+    it('returns 400 on YAML that does not parse', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: 'this is: not\n  valid: [yaml' } },
+        c,
+      );
+      assert.equal(res?.status, 400);
+      assert.match((res?.body as { error: string }).error, /parse|yaml/i);
+    });
+
+    it('returns 400 on schema-invalid manifest', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      // Missing required `name` field.
+      const yaml = `schema_version: "1"\nversion: 0.1.0\ndescription: missing name\nauthor: X\nlicense: Apache-2.0\napplies_when: { sut_type: [api] }\ntemplates: []\nscenarios: []\nrisks: []\noracles: []\nprobes: []\n`;
+      const res = await route?.handle({ headers: {}, params: {}, body: { yaml } }, c);
+      assert.equal(res?.status, 400);
+      assert.match((res?.body as { error: string }).error, /schema|name|required/i);
+    });
+
+    it('returns 409 when a pack with that name already exists', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const first = await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      assert.equal(first?.status, 201);
+      const second = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: VALID_YAML } },
+        c,
+      );
+      assert.equal(second?.status, 409);
+      assert.equal((second?.body as { code: string }).code, 'EEXIST');
+    });
+
+    it('overwrites an existing pack when force=true', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      await route?.handle({ headers: {}, params: {}, body: { yaml: VALID_YAML } }, c);
+      const newer = VALID_YAML.replace('version: 0.1.0', 'version: 0.2.0');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: newer, force: true } },
+        c,
+      );
+      assert.equal(res?.status, 201);
+      const stored = await c.store.loadPack('pack-imported');
+      assert.equal(stored?.version, '0.2.0');
+    });
+
+    it('rejects non-boolean force with 400', async () => {
+      const c = ctx();
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      const res = await route?.handle(
+        { headers: {}, params: {}, body: { yaml: VALID_YAML, force: 'yes' } },
+        c,
+      );
+      assert.equal(res?.status, 400);
+      assert.match((res?.body as { error: string }).error, /force.*boolean/i);
+    });
+
+    it('requires the packs:install permission', () => {
+      const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
+      assert.equal(route?.requires, 'packs:install');
+    });
+  });
+
   // ============ v1.7 slice 3 — Pack scaffolding (Admin Create-pack wizard) ============
 
   describe('POST /api/packs/scaffold', () => {

From c8fede746ed811bf0001908d57f7bfb8122c7026 Mon Sep 17 00:00:00 2001
From: "lorenzo.padovani@padosoft.com" <lorenzo.padovani@padosoft.com>
Date: Tue, 19 May 2026 09:53:44 +0200
Subject: [PATCH 2/3] fix(slice-4b): 2xx-without-pack as error, file-input
 cleanup, TS narrowing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #28 iter 1 review fixes (Copilot — 2 real items + CI typecheck):

## Workspace TS narrowing (CI)

`let posted: T | null = null` inside a `page.route` closure narrows
to `null` in the outer scope under the workspace TS config, so
`posted?.yaml` becomes a `never` property access. Same pattern + fix
as PR #27 iter 2: use a `const captured = { value: ... }` wrapper —
TS doesn't narrow object properties through closures. Applied to
both `happy-path` and `409 duplicate` tests.

## Real iter-1 fixes

1. **2xx + empty/non-JSON body treated as success** (Copilot
   app.tsx:4735): a 200 response with empty body left
   `parsed = null` (falsy), so `setResult(null)` kept the wizard
   in form-state while the success toast fired. The user saw a
   success notification but the modal didn't transition to the
   result panel — confusing.

   Now the wizard explicitly checks for the documented
   `{pack: {...}}` shape in the response. If it's missing
   (empty body, non-JSON, or unexpected shape) we treat it as an
   integration error and surface a clear message. New regression
   test: a 200 with empty body shows the error alert and does NOT
   show the result panel.

2. **File-input UX** (Copilot app.tsx:4716): after successfully
   reading a file into the textarea, the wizard didn't clear a
   stale "could not read file" error from a prior selection.
   Additionally, the `<input type="file">` value persisted, so
   re-selecting the same file didn't fire `onChange` in
   Chrome/Edge. Both fixed: `setError(null)` on success, and
   `fileInput.value = ''` in a `finally` block so re-selection
   works reliably.

Tests: @aqa/admin 56 Playwright (was 55, +1 for 2xx-without-pack).
Lint + typecheck clean (locally + workspace-wide).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 packages/admin/src/app.tsx                    | 24 ++++++++++-
 .../admin/test/e2e/import-manifest.e2e.ts     | 40 +++++++++++++++----
 2 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/packages/admin/src/app.tsx b/packages/admin/src/app.tsx
index a669757..ec70c38 100644
--- a/packages/admin/src/app.tsx
+++ b/packages/admin/src/app.tsx
@@ -4706,14 +4706,25 @@ function ImportManifestWizard({ open, onClose }) {
   }
 
   async function handleFileChange(e) {
-    const file = e.target.files?.[0];
+    const fileInput = e.target;
+    const file = fileInput.files?.[0];
     if (!file) return;
     try {
       const text = await file.text();
       setYamlText(text);
+      // Clear any stale "could not read file" error from a previous
+      // failed selection so the user isn't confused by an obsolete
+      // message that's no longer relevant.
+      setError(null);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       setError(`Could not read file: ${msg}`);
+    } finally {
+      // Reset the input value so selecting the same file again
+      // reliably re-fires `onChange` in every browser. Without this,
+      // Chrome/Edge skip the event on identical re-selection (the
+      // input still references the previous File object).
+      fileInput.value = '';
     }
   }
 
@@ -4741,6 +4752,17 @@ function ImportManifestWizard({ open, onClose }) {
         toast.push({ kind: 'error', title: 'Import manifest failed', body: msg });
         return;
       }
+      // 2xx but body is empty / not JSON / missing the documented
+      // `pack` shape is treated as an integration failure rather
+      // than silently dropping to the form state. Otherwise the
+      // toast would announce success while the wizard stays in
+      // form mode (since `result` is falsy), confusing the user.
+      if (!parsed || typeof parsed !== 'object' || !('pack' in parsed)) {
+        const msg = `Server returned ${res.status} but the response body is missing the expected \`pack\` object (got ${text ? text.slice(0, 80) : 'empty body'}).`;
+        setError(msg);
+        toast.push({ kind: 'error', title: 'Import manifest failed', body: msg });
+        return;
+      }
       setResult(parsed);
       toast.push({
         kind: 'success',
diff --git a/packages/admin/test/e2e/import-manifest.e2e.ts b/packages/admin/test/e2e/import-manifest.e2e.ts
index 7e10f7e..00fa889 100644
--- a/packages/admin/test/e2e/import-manifest.e2e.ts
+++ b/packages/admin/test/e2e/import-manifest.e2e.ts
@@ -52,9 +52,10 @@ test.describe('Import-manifest wizard', () => {
   });
 
   test('happy-path 201 renders success panel with pack name + version', async ({ page }) => {
-    let postedBody: { yaml?: string; force?: boolean } | null = null;
+    type PostedBody = { yaml?: string; force?: boolean };
+    const captured: { value: PostedBody | null } = { value: null };
     await page.route('**/api/packs/import', async (route) => {
-      postedBody = route.request().postDataJSON();
+      captured.value = route.request().postDataJSON() as PostedBody;
       await route.fulfill({
         status: 201,
         contentType: 'application/json',
@@ -71,7 +72,31 @@ test.describe('Import-manifest wizard', () => {
     await expect(result).toBeVisible();
     await expect(result).toContainText('pack-imported-e2e');
     await expect(result).toContainText('0.1.0');
-    expect(postedBody?.yaml).toContain('pack-imported-e2e');
+    expect(captured.value?.yaml).toContain('pack-imported-e2e');
+  });
+
+  test('2xx response with empty/non-JSON body is treated as failure', async ({ page }) => {
+    // Regression test for PR #28 iter 1 (Copilot):
+    // A 200 response with empty/non-JSON body used to set
+    // result=null (falsy), leaving the wizard in form-state while
+    // toasting success. Now the wizard explicitly checks for the
+    // `pack` object in the response and surfaces an error if it's
+    // missing.
+    await page.route('**/api/packs/import', async (route) => {
+      // 200 OK but the body is empty — not what the documented
+      // contract returns.
+      await route.fulfill({ status: 200, contentType: 'application/json', body: '' });
+    });
+    await navigateToPacks(page);
+    await page.getByTestId('packs-import-btn').click();
+    await page.getByTestId('import-manifest-yaml').fill(VALID_YAML);
+    await page.getByTestId('import-manifest-submit').click();
+    // Wizard stays open with an explicit error explaining the
+    // missing `pack` field — not a success panel.
+    await expect(
+      page.locator('.modal-body .alert', { hasText: /missing the expected `pack`/i }),
+    ).toBeVisible();
+    await expect(page.getByTestId('import-manifest-result')).toHaveCount(0);
   });
 
   test('schema-validation 400 keeps wizard open with error inline', async ({ page }) => {
@@ -96,11 +121,12 @@ test.describe('Import-manifest wizard', () => {
   });
 
   test('409 duplicate: user can toggle force and retry', async ({ page }) => {
+    type PostedBody = { yaml?: string; force?: boolean };
     let callCount = 0;
-    let lastBody: { yaml?: string; force?: boolean } | null = null;
+    const last: { value: PostedBody | null } = { value: null };
     await page.route('**/api/packs/import', async (route) => {
       callCount += 1;
-      lastBody = route.request().postDataJSON();
+      last.value = route.request().postDataJSON() as PostedBody;
       if (callCount === 1) {
         await route.fulfill({
           status: 409,
@@ -125,12 +151,12 @@ test.describe('Import-manifest wizard', () => {
     await page.getByTestId('import-manifest-submit').click();
     // First call: 409 — error visible, wizard still open.
     await expect(page.locator('.modal-body .alert', { hasText: /already exists/i })).toBeVisible();
-    expect(lastBody?.force).toBeUndefined();
+    expect(last.value?.force).toBeUndefined();
     // Toggle force and resubmit.
     await page.getByTestId('import-manifest-force').check();
     await page.getByTestId('import-manifest-submit').click();
     await expect(page.getByTestId('import-manifest-result')).toBeVisible();
-    expect(lastBody?.force).toBe(true);
+    expect(last.value?.force).toBe(true);
     expect(callCount).toBe(2);
   });
 });

From 866867ea7f7a85b0f65488193c62f4575c4a1d03 Mon Sep 17 00:00:00 2001
From: "lorenzo.padovani@padosoft.com" <lorenzo.padovani@padosoft.com>
Date: Tue, 19 May 2026 10:07:26 +0200
Subject: [PATCH 3/3] fix(slice-4b): concise Zod errors, code assertions,
 apiUrl in Create-pack, audit doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #28 iter 2 review fixes (Copilot — 6 real new items + 2 stale re-flags):

## Real fixes

1. **Verbose Zod error.message** (Copilot api.ts:456): the
   schema-invalid response surfaced `validated.error.message`, which
   is a multi-line JSON-ish dump (often 5KB+) and unreadable in the
   admin's inline alert. New `formatZodError(err)` helper walks
   `err.issues` and produces a concise `path: message; path: message`
   list ("applies_when.sut_type: Required" etc). Falls back to a
   truncated `message` if `issues` is missing. Test asserts the
   error is not a multi-line dump.

2. **Test code-field assertions** (Copilot api.test.ts:214 + 228):
   the YAML-parse-failure and schema-invalid-manifest tests asserted
   only the status + error string, not the structured `code` field.
   Both now assert `code === 'EINVAL'` to lock the contract.

3. **CreatePackWizard didn't use apiUrl()** (Copilot app.tsx:4739):
   ImportManifestWizard correctly used `apiUrl(...)` to honor
   VITE_AQA_SERVER_URL, but CreatePackWizard still hard-coded the
   relative path. Now both pack wizards go through `apiUrl()`,
   keeping the deployment story consistent.

4. **`POST POST` in audit doc** (Copilot audit-doc:57): the wizard
   description double-prefixed "POSTs to `POST /api/packs/import`".
   Reworded to "calls `POST /api/packs/import`".

5. **Endpoint-consolidation note** (Copilot api.ts:466): the
   pre-existing `POST /api/packs` route doesn't validate or
   conflict-check (MemoryStore.installPack silently overwrites),
   while `/api/packs/import` does both. Consolidating onto a
   shared validate-then-install helper is the right architectural
   move, but it'd change long-standing behavior in the JSON route
   that callers may depend on — out of scope for this slice. Added
   an inline NOTE on the `POST /api/packs` handler tracking it as
   a v1.7.x follow-up and steering callers toward `/api/packs/import`
   for safety guarantees.

## Stale re-flags (no action)

`app.tsx:4746` (2xx-without-pack as error) and `app.tsx:4721`
(file-input clear-error + reset-value) were both addressed in
iter 2's c8fede7 push — Copilot's iter-2 review re-flagged
them based on stale line numbers.

Tests: @aqa/server 34 (unchanged count; 2 tests upgraded to assert
`code`). @aqa/admin 56 Playwright. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/internal/admin-placeholder-audit.md |  2 +-
 packages/admin/src/app.tsx               |  2 +-
 packages/server/src/api.ts               | 36 +++++++++++++++++++++++-
 packages/server/test/api.test.ts         | 20 ++++++++++---
 4 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/docs/internal/admin-placeholder-audit.md b/docs/internal/admin-placeholder-audit.md
index eec7a2d..4992a8d 100644
--- a/docs/internal/admin-placeholder-audit.md
+++ b/docs/internal/admin-placeholder-audit.md
@@ -54,7 +54,7 @@ The line numbers below were captured against commit `~v1.6.0` (post-merge of PR
 
 ### Packs (lines ~6850-7040)
 
-- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack"~~ **DONE:** "Install pack" → "Create pack" wizard (slice 3, PR #26) wired to `POST /api/packs/scaffold`; "Import manifest" wired in slice 4b (PR #28) to a new `<ImportManifestWizard>` that POSTs to `POST /api/packs/import` — server parses YAML, validates against `@aqa/schemas/PackManifest`, installs via store. 4 Playwright e2e tests cover open/disabled, happy-path 201, schema-validation 400, 409-duplicate-with-force-retry path. 8 server unit tests cover the endpoint contract.
+- ~~`6850`, `6853` — top-bar "Import manifest" / "Install pack"~~ **DONE:** "Install pack" → "Create pack" wizard (slice 3, PR #26) wired to `POST /api/packs/scaffold`; "Import manifest" wired in slice 4b (PR #28) to a new `<ImportManifestWizard>` that calls `POST /api/packs/import` — server parses YAML, validates against `@aqa/schemas/PackManifest`, installs via store. 4 Playwright e2e tests cover open/disabled, happy-path 201, schema-validation 400, 409-duplicate-with-force-retry path. 8 server unit tests cover the endpoint contract.
 - `6910`, `6914`, `6925` — pack row actions (toggle / inspect)
 - `6986` — pack detail actions
 - `7028`, `7033`, `7038` — scenario picker inside pack detail
diff --git a/packages/admin/src/app.tsx b/packages/admin/src/app.tsx
index ec70c38..c90c60d 100644
--- a/packages/admin/src/app.tsx
+++ b/packages/admin/src/app.tsx
@@ -4434,7 +4434,7 @@ function CreatePackWizard({ open, onClose }) {
         ...(license.trim() ? { license: license.trim() } : {}),
         ...(force ? { force: true } : {}),
       };
-      const res = await fetch('/api/packs/scaffold', {
+      const res = await fetch(apiUrl('/api/packs/scaffold'), {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify(body),
diff --git a/packages/server/src/api.ts b/packages/server/src/api.ts
index b9a2c99..e463ae3 100644
--- a/packages/server/src/api.ts
+++ b/packages/server/src/api.ts
@@ -89,6 +89,29 @@ function errorCodeToStatus(code: PackNewErrorCode | undefined): number {
   }
 }
 
+/**
+ * Format a Zod safeParse failure as a concise list of `path: message`
+ * lines. The default `error.message` is the full Zod dump (multi-line
+ * JSON-ish output), which is verbose and hard to read in the admin's
+ * inline alert. Walking `error.issues` lets us surface just the
+ * actionable bits: "applies_when.sut_type: Required", etc.
+ *
+ * Falls back to the original message if `issues` is empty or malformed
+ * — the message is then truncated to a sane length so we don't dump a
+ * 5KB Zod blob into a toast.
+ */
+function formatZodError(err: {
+  issues?: Array<{ path: Array<string | number>; message: string }>;
+  message?: string;
+}): string {
+  if (Array.isArray(err.issues) && err.issues.length > 0) {
+    return err.issues
+      .map((iss) => `${iss.path.length > 0 ? iss.path.join('.') : '<root>'}: ${iss.message}`)
+      .join('; ');
+  }
+  return (err.message ?? 'unknown schema error').slice(0, 500);
+}
+
 function requireScope(req: ApiRequest): { org: string; project: string } | ApiResponse {
   const s = scope(req);
   if (!s.org || !s.project) {
@@ -269,6 +292,17 @@ export function makeApi(): ApiHandler[] {
       path: '/api/packs',
       requires: 'packs:install',
       async handle(req, ctx) {
+        // NOTE: this v1.4 endpoint accepts a pre-parsed JSON manifest
+        // and currently does NOT validate against the schema or
+        // detect duplicates — `MemoryStore.installPack` silently
+        // overwrites. The newer `POST /api/packs/import` (slice 4b)
+        // adds full validation + conflict detection on a YAML body.
+        // Consolidating both onto a shared helper (validate-then-
+        // install, with `force` semantics) is tracked as a v1.7.x
+        // follow-up; doing it here would change long-standing
+        // behavior callers may depend on, so it's intentionally
+        // out of scope for this slice. Until then, callers wanting
+        // safety guarantees should prefer `/api/packs/import`.
         const manifest = req.body as PackManifest.PackManifest;
         await ctx.store.installPack(manifest);
         return asResponse({ pack: manifest }, 201);
@@ -453,7 +487,7 @@ export function makeApi(): ApiHandler[] {
         if (!validated.success) {
           return asResponse(
             {
-              error: `manifest failed schema validation: ${validated.error.message}`,
+              error: `manifest failed schema validation: ${formatZodError(validated.error)}`,
               code: 'EINVAL' satisfies PackNewErrorCode,
             },
             400,
diff --git a/packages/server/test/api.test.ts b/packages/server/test/api.test.ts
index a80ba02..ff8f834 100644
--- a/packages/server/test/api.test.ts
+++ b/packages/server/test/api.test.ts
@@ -207,7 +207,7 @@ probes: []
       assert.match(body.error, /yaml/i);
     });
 
-    it('returns 400 on YAML that does not parse', async () => {
+    it('returns 400 on YAML that does not parse (code=EINVAL)', async () => {
       const c = ctx();
       const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
       const res = await route?.handle(
@@ -215,17 +215,29 @@ probes: []
         c,
       );
       assert.equal(res?.status, 400);
-      assert.match((res?.body as { error: string }).error, /parse|yaml/i);
+      const body = res?.body as { error: string; code: string };
+      assert.match(body.error, /parse|yaml/i);
+      assert.equal(body.code, 'EINVAL');
     });
 
-    it('returns 400 on schema-invalid manifest', async () => {
+    it('returns 400 on schema-invalid manifest (code=EINVAL, concise path:msg list)', async () => {
       const c = ctx();
       const route = makeApi().find((r) => r.method === 'POST' && r.path === '/api/packs/import');
       // Missing required `name` field.
       const yaml = `schema_version: "1"\nversion: 0.1.0\ndescription: missing name\nauthor: X\nlicense: Apache-2.0\napplies_when: { sut_type: [api] }\ntemplates: []\nscenarios: []\nrisks: []\noracles: []\nprobes: []\n`;
       const res = await route?.handle({ headers: {}, params: {}, body: { yaml } }, c);
       assert.equal(res?.status, 400);
-      assert.match((res?.body as { error: string }).error, /schema|name|required/i);
+      const body = res?.body as { error: string; code: string };
+      assert.match(body.error, /schema|name|required/i);
+      assert.equal(body.code, 'EINVAL');
+      // The improved error format walks Zod issues into `path: message`
+      // pairs separated by `; ` — much more actionable than the default
+      // multi-line Zod dump. Assert the format so a regression to the
+      // verbose form is caught.
+      assert.ok(
+        !body.error.includes('\n') || body.error.split('\n').length <= 2,
+        `error should be concise, got multi-line dump: ${body.error}`,
+      );
     });
 
     it('returns 409 when a pack with that name already exists', async () => {