Problem
`wfctl plugin install @` correctly recursively resolves + installs declared `manifest.Dependencies` (`cmd/wfctl/plugin_deps.go:201 resolveDependencies`), but only the parent plugin gets a `.wfctl-lock.yaml` entry (`cmd/wfctl/plugin_install.go:255-266`). Transitively-installed deps are written to disk but NOT recorded in the lockfile.
Additionally, plain `wfctl plugin install ` (no @Version) skips lockfile update entirely (`if _, ver := parseNameVersion(nameArg); ver != "" { ... }` gate). The resolved registry version isn't captured.
Impact
- Reproducibility: a fresh `wfctl plugin install` from a project with .wfctl-lock.yaml restores the parent but resolves deps fresh from the registry — risking version drift if the registry has moved.
- Audit trail: no record of which transitive versions were actually installed; `wfctl plugin list` shows installed-on-disk but lockfile doesn't reflect it.
- Integrity checks: parent has SHA256 lockfile checksum, deps don't — partial coverage.
Acceptance criteria
- `resolveDependencies` (cmd/wfctl/plugin_deps.go) calls `updateLockfileWithChecksum` after each successful dep install (after line 270 `resolved[dep.Name] = depManifest.Version`).
- Plain `wfctl plugin install ` (no @Version) also updates the lockfile with the resolved registry version (not just `name@version` form).
- Tests cover: parent+dep tracked, transitive chain tracked, version-pinned dep tracked, no-version-explicit install tracked.
- Lockfile format unchanged — existing `.wfctl-lock.yaml` files continue to parse.
Out of scope
- `wfctl plugin remove` lockfile-cleanup behavior (separate concern).
- Lockfile validation against installed state (covered by other tooling).
- Lockfile schema migration (additive only).
Files
- `cmd/wfctl/plugin_deps.go:268-270` (resolveDependencies dep install path)
- `cmd/wfctl/plugin_install.go:255-266` (parent install path; drop name@version gate)
- `cmd/wfctl/plugin_install_lockfile_test.go` + new test for transitive coverage
Problem
`wfctl plugin install @` correctly recursively resolves + installs declared `manifest.Dependencies` (`cmd/wfctl/plugin_deps.go:201 resolveDependencies`), but only the parent plugin gets a `.wfctl-lock.yaml` entry (`cmd/wfctl/plugin_install.go:255-266`). Transitively-installed deps are written to disk but NOT recorded in the lockfile.
Additionally, plain `wfctl plugin install ` (no @Version) skips lockfile update entirely (`if _, ver := parseNameVersion(nameArg); ver != "" { ... }` gate). The resolved registry version isn't captured.
Impact
Acceptance criteria
Out of scope
Files