fix(create): validate --package-manager flag value

Validate that the --package-manager CLI argument is one of the known
package managers (pnpm, npm, yarn, bun) before using it. Previously
any string was accepted via an unchecked type cast.

Author: fengmk2

packages/cli/src/create/bin.ts

@@ -632,6 +632,16 @@ Use \`vp create --list\` to list all available templates, or run \`vp create --h
   }
 
   // Resolve package manager: workspace detection > CLI flag > interactive prompt/default
+  if (
+    options.packageManager &&
+    !Object.values(PackageManager).includes(options.packageManager as PackageManager)
+  ) {
+    const valid = Object.values(PackageManager).join(', ');
+    prompts.log.error(
+      `Invalid package manager: ${options.packageManager}. Must be one of: ${valid}`,
+    );
+    cancelAndExit('Invalid --package-manager value', 1);
+  }
   const packageManager =
     workspaceInfoOptional.packageManager ??
     (options.packageManager as PackageManager | undefined) ??