Synopsis
$ phrony bundles validate BUNDLE [--require-lock]Description
Parses the Bundle manifest (including required metadata.version semver) and runs the closure walk locally. Does not publish anything.
Vendored-only bundles never contact the runtime. When the closure includes pinned external refs, validation resolves external content_hash values from the catalog (same --runtime-addr / PHRONY_RUNTIME_ADDR contract as bundle lock) before comparing the lock.
When bundle.lock.json exists beside the bundle, validation compares the committed lock to the recomputed closure and fails on drift with an actionable message—re-run bundle lock (with --runtime-addr when externals are present).
| Flag | Effect |
|---|---|
--require-lock | Fail when bundle.lock.json is missing (recommended for CI) |
Without --require-lock, validation still passes when no lock exists (first-time authoring).
Validation also checks the secret union across closure members. If two members declare the same secret name with different fromEnv values, validation fails (same rule as bundle lock and publish). Unset fromEnv variables on vendored members still produce warnings only.
Passing a bundle manifest to phrony agents validate fails with a hint to use phrony bundles validate instead.
Example
$ phrony bundles validate ./support/bundle.yaml --require-lockOn success:
valid: support/support sha256:…
members: 3 (root: orchestrator)Up next