Generation-time enforcement

Contracts are enforced before UI ships. Generation uses the contract ban list (for example, shell-owned navigation) plus a pre-emit checker for immediate visibility:

# Block shell-owned primitives (e.g., navigation) before writing output
node tools/check-generation-boundaries.mjs \
  --contract contracts/surfaces.web.contract.json \
  --descriptor out/generated-descriptor.json

# Descriptor payloads may include icon sources (e.g., lucide-react).
# Icon-source policy is authoritative in CI/CD workspace validation in this increment.

# Then run validator
pnpm validate:local

If a surface emits a shell-owned primitive, the checker fails fast. Icon-source findings (`icon.source-disallowed`) are enforced in CI/CD workspace checks (see /demos/ci), not by generation guard in this increment.