npm - @lunora/config - Versions diffs - 0.0.0 → 1.0.0-alpha.1 - Mend

@lunora/config 0.0.0 → 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/LICENSE.md +105 -0
package/README.md +115 -9
package/__assets__/package-og.svg +14 -0
package/dist/index.d.mts +1075 -0
package/dist/index.d.ts +1075 -0
package/dist/index.mjs +20 -0
package/dist/packem_shared/AGENT_RULES_DIR-lcgC08aE.mjs +40 -0
package/dist/packem_shared/DEV_VARS_EXAMPLE_FILE-dJPNTEnK.mjs +37 -0
package/dist/packem_shared/LINKED_PROJECT_DIR-CXwXzV_C.mjs +52 -0
package/dist/packem_shared/PACKAGE_SECRETS_REGISTRY-CySy5vR_.mjs +62 -0
package/dist/packem_shared/REQUIRED_COMPATIBILITY_DATE-Dd1suoit.mjs +476 -0
package/dist/packem_shared/applyAdditiveEdit-C-snTFEV.mjs +228 -0
package/dist/packem_shared/buildPackageSecretsBlock-S74dgmwy.mjs +187 -0
package/dist/packem_shared/classifyPolicyEdit-BHeAqF8P.mjs +99 -0
package/dist/packem_shared/createConfirm-fvpdgJ9s.mjs +100 -0
package/dist/packem_shared/detectFramework-Br-BcPBq.mjs +41 -0
package/dist/packem_shared/discoverContainerInfo-BXFs6Wav.mjs +19 -0
package/dist/packem_shared/discoverSchemaInfo-DWtypqpP.mjs +25 -0
package/dist/packem_shared/discoverWorkflowInfo-CedvR0mn.mjs +19 -0
package/dist/packem_shared/findWranglerFile-DwSuC-Kn.mjs +25 -0
package/dist/packem_shared/formatLunoraEvent-D2fDeGB6.mjs +86 -0
package/dist/packem_shared/handlePolicyScaffoldRequest-CiC2IGKx.mjs +103 -0
package/dist/packem_shared/handleSchemaEditRequest-Df-Wrix-.mjs +99 -0
package/dist/packem_shared/handleSeedRequest-DVCjaGO-.mjs +61 -0
package/dist/packem_shared/inferLunoraBindings-0W3eRdIP.mjs +302 -0
package/dist/packem_shared/injectRemoteFlags-C-WZAKLY.mjs +105 -0
package/dist/packem_shared/interpretRemote-CtcIcB5-.mjs +34 -0
package/dist/packem_shared/parseDevVariable-CJiq2IwE.mjs +30 -0
package/dist/packem_shared/parseSchema-DSeyktvG.mjs +107 -0
package/dist/packem_shared/policy-scaffold.d-DCmwn7zQ.d.mts +74 -0
package/dist/packem_shared/policy-scaffold.d-DCmwn7zQ.d.ts +74 -0
package/dist/packem_shared/reconcileWranglerBindings-ByJk3yLU.mjs +277 -0
package/dist/packem_shared/renderStudioHtml-449Ysn75.mjs +37 -0
package/dist/packem_shared/serveJsonHandler-B4OLTGLS.mjs +86 -0
package/dist/packem_shared/studioAssetsStamp-Csk5RS4E.mjs +28 -0
package/dist/studio-host/index.d.mts +227 -0
package/dist/studio-host/index.d.ts +227 -0
package/dist/studio-host/index.mjs +7 -0
package/package.json +57 -17

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,1075 @@
+import { ContainerIR, WorkflowIR } from '@lunora/codegen';
+export type { ContainerIR, WorkflowIR } from '@lunora/codegen';
+import 'ts-morph';
+export { type A as AdditivePolicyEdit, type D as DestructivePolicyEdit, type P as PolicyEdit, type a as PolicyScaffoldFailureReason, type b as ScaffoldFileResult, type S as ScaffoldPolicyEdit, type c as WireResult, type W as WireRlsEdit, d as classifyPolicyEdit, s as scaffoldPolicyFile, w as wireRlsIntoProcedure } from "./packem_shared/policy-scaffold.d-DCmwn7zQ.mjs";
+/**
+* Project-relative directory the Lunora agent skills ("rules") install into.
+* This is the portable [Agent Skills](https://tanstack.com/intent/latest/docs/registry)
+* location — Cursor, Claude Code, and GitHub Copilot all discover skills here.
+*/
+declare const AGENT_RULES_DIR = ".agents/skills";
+/** Env var the once-per-process-tree hint guard ({@link claimAgentRulesHint}) sets. */
+declare const AGENT_RULES_HINT_ENV = "LUNORA_RULES_HINT_SHOWN";
+/**
+* The Lunora agent skills shipped by `@lunora/cli`. The first entry (`lunora`)
+* is the router skill — its presence is what {@link detectAgentRules} treats as
+* "rules installed", since every other skill is reachable through it.
+*/
+declare const LUNORA_SKILL_NAMES: ReadonlyArray<string>;
+/** The router skill whose presence marks the rule set as installed. */
+declare const ROOT_SKILL_NAME = "lunora";
+/**
+* The single "rules not installed" message shared by every surface (the CLI
+* `lunora dev` summary and the Vite dev plugin), so the wording and the
+* pointer at `lunora rules install` stay identical wherever it appears.
+*/
+declare const AGENT_RULES_HINT = "Lunora AI rules not installed — run `lunora rules install` so your coding agent knows how to use Lunora.";
+/**
+* Process-tree guard so the hint is emitted at most once. The first surface to
+* print it sets {@link AGENT_RULES_HINT_ENV} on `process.env`; later surfaces (a
+* Vite dev-server restart, or a child process that inherited the env) read it
+* and stay quiet. Returns `true` the first time, `false` afterwards.
+*/
+declare const claimAgentRulesHint: () => boolean;
+interface AgentRulesStatus {
+  /**
+  * True when the `lunora` router skill is installed. We key on the router
+  * (not "all nine present") so a project that intentionally trims the set
+  * still counts as installed and isn't nagged.
+  */
+  readonly installed: boolean;
+  /** Skill names with no `SKILL.md` under `&lt;root>/.agents/skills/&lt;name>/`. */
+  readonly missing: ReadonlyArray<string>;
+  /** Skill names found under `&lt;root>/.agents/skills/&lt;name>/SKILL.md`. */
+  readonly present: ReadonlyArray<string>;
+}
+/**
+* Detect whether the Lunora agent skills are installed in `projectRoot` by
+* checking the skills folder for each `SKILL.md`. Pure filesystem reads, safe to
+* call on every dev-server / CLI startup — the CLI, the Vite plugin, and the
+* studio host all use it to decide whether to surface the "rules not installed"
+* hint.
+*/
+declare const detectAgentRules: (projectRoot: string) => AgentRulesStatus;
+interface DiscoverContainerInfoResult {
+  /** Discovered container definitions; `[]` when none are declared or parsing failed. */
+  containers: ReadonlyArray<ContainerIR>;
+  /** Parse error message, when `lunora/containers.ts` exists but could not be analyzed. */
+  error?: string;
+}
+/**
+* Discover the project's `defineContainer` declarations. Returns
+* `{ containers: [] }` when the project has no `lunora/containers.ts` (not an
+* error), or `{ containers: [], error }` when the file exists but could not be
+* parsed — callers decide whether that is a warning (validator) or ignorable
+* (inference).
+*/
+declare const discoverContainerInfo: (projectRoot: string, schemaDirectory: string) => DiscoverContainerInfoResult;
+/**
+* The meta-frameworks Lunora can compose with, plus `"none"` for a standalone
+* SPA / SSR-less project (the current default). Mirrors PLAN4 §2.4.
+*/
+type DetectedFramework = "astro" | "none" | "nuxt" | "react-router" | "solid-start" | "sveltekit" | "tanstack-start" | "tanstack-start-solid";
+/**
+* void's class model (PLAN4 §3). Class A is Vite-native and Lunora owns the
+* worker entry (`createWorker({ httpRouter })`). Class B frameworks own their own
+* Cloudflare adapter, so Lunora injects its worker composition into the
+* framework's server entry via hooks (PLAN4 M4). Class C is non-CF / SSR-less —
+* ship the client adapter + a standalone Lunora worker (today's default).
+*/
+type FrameworkClass = "A" | "B" | "C";
+interface FrameworkDetection {
+  /** void's composition class for the detected framework. */
+  class: FrameworkClass;
+  /** The detected meta-framework, or `"none"` when no known one is present. */
+  framework: DetectedFramework;
+}
+/**
+* Detect which meta-framework a project uses by inspecting its `package.json`
+* dependencies, and classify it under void's class-A/B/C model (PLAN4 §3).
+*
+* Pure and best-effort: never throws. An unknown / missing / malformed
+* `package.json` yields `{ framework: "none", class: "C" }` so the standalone
+* SPA flow is preserved.
+*/
+declare const detectFramework: (root: string) => FrameworkDetection;
+/**
+* The `.dev.vars` line grammar — one owner, shared by every reader/writer of the
+* file so the format can't drift between packages. `@lunora/cli`'s `env`
+* command (parse/serialize) and `@lunora/config`'s scaffolder (comment-
+* preserving rewrite) do different *transforms*, but they agree on these
+* primitives: the filename, what a `KEY` looks like, how lines split, and how
+* quotes strip.
+*/
+/** The conventional filename for local Cloudflare dev secrets (gitignored). */
+declare const DEV_VARS_FILE: string;
+/** Its committed, secret-free counterpart that scaffolding reads from. */
+declare const DEV_VARS_EXAMPLE_FILE: string;
+/** A bare `KEY` identifier — the part left of `=` in a `.dev.vars` line. */
+declare const DEV_VARS_KEY_PATTERN: RegExp;
+/** Splits file content into lines on either newline style. */
+/**
+* Parse `.dev.vars` content into its `{ key, value }` entries, in file order,
+* with values unquoted and comments/blank/invalid lines dropped. The canonical
+* read of the whole file — callers that just want the variables (rather than a
+* comment-preserving rewrite) use this instead of hand-rolling the split loop.
+*/
+declare const parseDevVariableEntries: (content: string) => {
+  key: string;
+  value: string;
+}[];
+interface DiscoverWorkflowInfoResult {
+  /** Parse error message, when `lunora/workflows.ts` exists but could not be analyzed. */
+  error?: string;
+  /** Discovered workflow definitions; `[]` when none are declared or parsing failed. */
+  workflows: ReadonlyArray<WorkflowIR>;
+}
+/**
+* Discover the project's `defineWorkflow` declarations. Returns
+* `{ workflows: [] }` when the project has no `lunora/workflows.ts` (not an
+* error), or `{ workflows: [], error }` when the file exists but could not be
+* parsed — callers decide whether that is a warning (validator) or ignorable
+* (inference).
+*/
+declare const discoverWorkflowInfo: (projectRoot: string, schemaDirectory: string) => DiscoverWorkflowInfoResult;
+interface DurableObjectSpec {
+  binding: string;
+  className: string;
+}
+/**
+* A `defineContainer` declaration plus whether its generated DO class is
+* exported by the worker entry. Only exported containers are safe to
+* provision — wrangler rejects a `containers[].class_name` (and its Durable
+* Object binding) that the worker doesn't export.
+*/
+interface InferredContainer extends ContainerIR {
+  exported: boolean;
+}
+/**
+* A `defineWorkflow` declaration plus whether its generated
+* `WorkflowEntrypoint` class is exported by the worker entry. Only exported
+* workflows are safe to provision — wrangler rejects a `workflows[].class_name`
+* the worker doesn't export. Workflows are NOT Durable Objects, so this never
+* implies a `durable_objects` binding or migration.
+*/
+interface InferredWorkflow extends WorkflowIR {
+  exported: boolean;
+}
+interface InferredBindings {
+  /** Containers declared in `lunora/containers.ts` (exported or not — see {@link InferredContainer.exported}). */
+  containers: InferredContainer[];
+  /** Durable Objects the worker entry exports → safe to bind. */
+  durableObjects: DurableObjectSpec[];
+  /** Schema declares a `.global()` table → needs the `DB` D1 binding. */
+  needsD1: boolean;
+  /** Human-readable provenance for each inferred binding / hint, for logging. */
+  signals: string[];
+  /** `@lunora/ai` is imported or `env.AI` is used → needs the `ai` Workers AI binding. */
+  usesAi: boolean;
+  /** `@lunora/analytics` is imported → self-describing `analytics_engine_datasets` binding (auto-writeable). */
+  usesAnalytics: boolean;
+  /** `@lunora/auth` is imported (sessions may be D1- or `SessionDO`-backed). */
+  usesAuth: boolean;
+  /** `@lunora/browser` is imported → self-describing `browser` binding (auto-writeable). */
+  usesBrowser: boolean;
+  /** `@lunora/hyperdrive` is imported (binding needs an un-mintable remote `id`; hint-only). */
+  usesHyperdrive: boolean;
+  /** `@lunora/images` is imported → self-describing `images` binding (auto-writeable). */
+  usesImages: boolean;
+  /** `@lunora/kv` is imported (namespace binding name + id are user-defined; hint-only). */
+  usesKv: boolean;
+  /** `@lunora/mail` is imported (Resend API key must be set in `.dev.vars`; no binding). */
+  usesMail: boolean;
+  /** `@lunora/payment` is imported (provider secrets must be set in `.dev.vars`; no binding). */
+  usesPayment: boolean;
+  /** `@lunora/pipelines` is imported (binding needs an un-mintable remote pipeline name; hint-only). */
+  usesPipelines: boolean;
+  /** `@lunora/scheduler` is imported. */
+  usesScheduler: boolean;
+  /** `@lunora/storage` is imported (R2 bucket binding name is user-defined). */
+  usesStorage: boolean;
+  /** Workflows declared in `lunora/workflows.ts` (exported or not — see {@link InferredWorkflow.exported}). */
+  workflows: InferredWorkflow[];
+}
+interface InferOptions {
+  projectRoot: string;
+  /** Directories (relative to root) to scan. Defaults to `lunora` + `src`. */
+  scanDirs?: ReadonlyArray<string>;
+  /** Lunora source directory holding `schema.ts`. Defaults to `lunora`. */
+  schemaDir?: string;
+}
+/**
+* Scan a Lunora project and report which Cloudflare bindings its code implies.
+* Read-only: performs no writes. Binding provisioning is driven by the worker
+* entry's Durable Object exports plus the schema's D1 need; capability imports
+* surface as hints.
+*/
+declare const inferLunoraBindings: (options: InferOptions) => Promise<InferredBindings>;
+/**
+* Derive the list of `@lunora/*` package names that are actively used by a
+* project, based on its already-resolved {@link InferredBindings}.
+*
+* This is the canonical bridge between binding inference and the package-aware
+* `.dev.vars.example` scaffolding in `scaffold-dev-variables.ts`. The result is
+* a stable, predictable slice of {@link CAPABILITY_SOURCES} source values,
+* filtered to the flags that are `true` in `bindings` — in CAPABILITY_SOURCES
+* declaration order.
+*/
+declare const packageNamesFromBindings: (bindings: InferredBindings) => string[];
+/** Directory holding per-checkout Lunora state (gitignored by convention). */
+declare const LINKED_PROJECT_DIR = ".lunora";
+/** The canonical link filename, relative to the project root. */
+declare const LINKED_PROJECT_FILE: string;
+/**
+* The link record persisted to `.lunora/project.json`. Every field is optional
+* so a partially-populated link (e.g. a worker name with no URL yet) still
+* round-trips. `linkedAt` is an ISO-8601 stamp written at link time, purely
+* informational.
+*/
+interface LinkedProject {
+  /** Cloudflare account id the worker lives under, when known. */
+  account?: string;
+  /** Cloudflare environment name (`wrangler … --env &lt;env>`), when scoped. */
+  env?: string;
+  /** ISO-8601 timestamp recorded when the link was written. */
+  linkedAt?: string;
+  /** The deployed Worker's name (matches `name` in wrangler config). */
+  workerName?: string;
+  /** The deployed Worker's public URL (e.g. `https://app.acme.workers.dev`). */
+  workerUrl?: string;
+}
+/**
+* Read the link record from `.lunora/project.json`, or `undefined` when there
+* is no usable link. Best-effort: a missing file, parse error, or unexpected
+* shape all collapse to `undefined`.
+*/
+declare const readLinkedProject: (projectRoot: string) => LinkedProject | undefined;
+/**
+* Write the link record to `.lunora/project.json`, creating the `.lunora/`
+* directory when absent. Only defined fields are persisted (so an empty value
+* never clobbers a known one). Returns the absolute path written.
+*/
+declare const writeLinkedProject: (projectRoot: string, link: LinkedProject) => string;
+/**
+* Shared formatter for the structured log events the Lunora runtime emits to the
+* worker's `console` during development. Both the CLI `dev` command and the Vite
+* plugin pipe worker output through `formatLunoraEvent` so a developer sees
+* attributed, readable lines instead of raw JSON.
+*
+* The runtime emits two event shapes, each a single `console` line tagged
+* `source: "lunora"` (see `@lunora/do`'s `request-log.ts`): a `type: "log"`
+* event per `ctx.log.*` call, and a `type: "request"` event per RPC dispatch
+* (opt-in for successful calls, always for errors).
+*
+* This module is intentionally dependency-free and colour-free: it returns the
+* severity plus a plain display string, leaving ANSI/level colouring to each
+* caller (the CLI routes through its `pail` logger; the Vite plugin dims inline).
+* Any line that is not a lunora event returns `undefined`, signalling the caller
+* to pass it through unchanged.
+*/
+/** Severity a formatted line should be surfaced at, mapped onto the three logger channels. */
+type LunoraLineLevel = "error" | "info" | "warn";
+/** A formatted lunora event: the channel to surface it on, the display text, and which event produced it. */
+interface LunoraFormattedLine {
+  /** `"log"` for a `ctx.log.*` line, `"rpc"` for a dispatch summary. */
+  kind: "log" | "rpc";
+  /** Logger channel — callers colour by this. */
+  level: LunoraLineLevel;
+  /** Human-readable, colour-free line content (no `[lunora]` tag — callers add their own). */
+  text: string;
+}
+/** Stable `source` tag every lunora console event carries. Mirrors `REQUEST_LOG_EVENT_SOURCE` in `@lunora/do`. */
+declare const LUNORA_EVENT_SOURCE = "lunora";
+/**
+* Parse a single worker-output line and, when it is a lunora structured event,
+* return its severity plus display text. Returns `undefined` for anything else —
+* non-JSON lines, JSON that isn't a lunora event, or an unrecognised event type
+* — so the caller passes the original line through untouched. Pure and total.
+*/
+declare const formatLunoraEvent: (line: string) => LunoraFormattedLine | undefined;
+/**
+* Per-package secret-requirements registry for `.dev.vars` scaffolding.
+*
+* Each entry maps a `@lunora/*` package name → the secrets it requires at
+* runtime, expressed as `{ key, description, docsUrl }` records. The scaffolder
+* in {@link ./scaffold-dev-variables} reads this registry to emit package-aware
+* `.dev.vars.example` entries (placeholders + inline doc-pointer comments).
+*
+* ## Adding a new add-on
+*
+* When a new `@lunora/*` package requires runtime secrets, add one entry to
+* {@link PACKAGE_SECRETS_REGISTRY} keyed by its exact npm package name. Each
+* `SecretEntry` in the array needs:
+*
+* - `key`         — the env-var name the package reads from `env` (e.g. `RESEND_API_KEY`).
+* - `description` — one line describing the secret and how to obtain it.
+* - `docsUrl`     — a stable URL to the package/provider docs.
+*
+* The registry lives in `@lunora/config` so that add-ons themselves never need
+* to depend on it (no circular coupling). Add-ons document their secrets in
+* their own READMEs; the registry duplicates that knowledge in a machine-readable
+* form that the scaffolder can consume.
+*
+* **Never write a real secret value** in this file — `placeholderValue` entries
+* are the only allowed values (they must pass `isPlaceholderValue` from
+* scaffold-dev-variables).
+*/
+/** A single secret variable required by a package. */
+interface SecretEntry {
+  /** One sentence describing what this secret is and how to obtain it. */
+  description: string;
+  /** URL to the package or provider docs for this secret. */
+  docsUrl: string;
+  /** The env-var key as it appears in `.dev.vars`, e.g. `AUTH_SECRET`. */
+  key: string;
+  /**
+  * The placeholder value written into `.dev.vars.example`.
+  * Must pass `isPlaceholderValue` from scaffold-dev-variables so the
+  * scaffolder regenerates it when generating `.dev.vars`. Use angle-bracket
+  * conventions or a recognised marker like `replace-with-openssl-rand-hex-32`.
+  * Non-secret env-vars (e.g. `AUTH_URL`) may carry a real default value.
+  */
+  placeholderValue: string;
+}
+/**
+* The canonical registry of per-package secret requirements.
+*
+* Keys are exact npm package names (e.g. `"@lunora/auth"`). Values are
+* non-empty arrays of {@link SecretEntry} — one entry per required secret key.
+*
+* The scaffolder in `scaffold-dev-variables.ts` calls
+* {@link secretsForPackages} to resolve the applicable entries from this map
+* given the set of detected capability package names.
+*/
+declare const PACKAGE_SECRETS_REGISTRY: Readonly<Record<string, ReadonlyArray<SecretEntry>>>;
+/**
+* Collect all secret entries required by the given set of package names. The
+* order follows the order of `packageNames` (stable, predictable output), and
+* within each package the entries are returned in registry declaration order.
+*
+* Only packages present in {@link PACKAGE_SECRETS_REGISTRY} contribute entries;
+* unknown package names are silently ignored — this makes the call site resilient
+* to future capability flags whose packages have no secrets.
+*/
+declare const secretsForPackages: (packageNames: ReadonlyArray<string>) => SecretEntry[];
+/** The canonical project-config filename probed at the project root. */
+declare const LUNORA_CONFIG_FILE = "lunora.json";
+/**
+* The parsed `remote` preference from `lunora.json`:
+*
+* - `true` / `false` — the boolean form: enable or explicitly disable remote dev.
+* - `undefined` — no usable preference (file absent, key absent, or malformed).
+*
+* The object form (scoping which binding kinds go remote) is reserved for a
+* future increment; for now an object value is treated as "enabled" (truthy
+* presence) so forward-written configs still turn remote on.
+*/
+type RemotePreference = boolean | undefined;
+/** The structural slice of `lunora.json` Lunora reads. */
+interface LunoraProjectConfig {
+  remote?: unknown;
+}
+/**
+* Interpret a raw `remote` value into a tri-state preference. A boolean passes
+* through; an object is treated as enabled (the documented-but-not-yet-honored
+* scoping form is still an opt-in); anything else (string, number, null) is no
+* preference.
+*/
+declare const interpretRemote: (value: unknown) => RemotePreference;
+/**
+* Read the project's `remote` preference from `lunora.json`, or `undefined` when
+* there's no usable preference. Best-effort: never throws — a missing file,
+* parse error, or unexpected shape all collapse to `undefined` so the caller
+* falls through to the env/flag layers.
+*/
+declare const readProjectRemotePreference: (projectRoot: string) => RemotePreference;
+/**
+* Whether we can interactively prompt — stdin must be a TTY. In CI / piped
+* contexts this is false, and callers should fall back to a non-interactive
+* default (skip, or require an explicit `--yes`) rather than hang on a read.
+*/
+declare const isInteractive: () => boolean;
+/**
+* Ask a yes/no question on stdin. With `defaultYes`, an empty answer (just
+* Enter) counts as yes and the prompt should read `[Y/n]`; otherwise empty is
+* no (`[y/N]`). Shared by the CLI (`reset`, `dev`) and the Vite dev server.
+*/
+declare const promptYesNo: (prompt: string, options?: {
+  defaultYes?: boolean;
+}) => Promise<boolean>;
+/**
+* Build a default-yes `confirm(message)` for the scaffolders' `ensureDevVariables`:
+* an interactive `[Y/n]` prompt (optionally prefixed, e.g. `"[lunora] "`) when
+* stdin is a TTY, or an immediate `false` otherwise — so CI declines silently
+* instead of blocking. Keeps the "non-interactive ⇒ decline" policy in one place
+* rather than re-stated at every call site.
+*/
+declare const createConfirm: (prefix?: string) => ((message: string) => Promise<boolean>);
+/** One choice in a {@link promptSelect} list. `value` is returned; `label` (and optional `description`) are shown. */
+interface SelectOption<T extends string> {
+  description?: string;
+  label: string;
+  value: T;
+}
+/**
+* Ask the user to pick one option from a numbered list on stdin. Accepts the
+* 1-based number or the option's `value`/`label` typed verbatim; an empty answer
+* (just Enter) takes `settings.default`. In a non-interactive context (CI /
+* piped — no TTY) it never reads and returns `settings.default` (or `undefined`),
+* mirroring {@link createConfirm}'s "non-interactive ⇒ fall back" policy so
+* automation never blocks.
+*/
+declare const promptSelect: <T extends string>(message: string, options: ReadonlyArray<SelectOption<T>>, settings?: {
+  default?: T;
+}) => Promise<T | undefined>;
+/** One choice in a {@link promptMultiSelect} list. Identical shape to {@link SelectOption}; `value` is returned when picked. */
+type MultiSelectOption<T extends string> = SelectOption<T>;
+/**
+* Ask the user to pick zero or more options from a numbered list on stdin.
+* Accepts a comma- or space-separated list of 1-based numbers and/or option
+* `value`/`label`s typed verbatim; an empty answer (just Enter) takes
+* `settings.defaults`. In a non-interactive context (CI / piped — no TTY) it
+* never reads and returns `settings.defaults ?? []`, mirroring {@link promptSelect}'s
+* "non-interactive ⇒ fall back" policy so automation never blocks. Unknown
+* tokens are ignored; the returned list is de-duplicated and preserves option
+* order.
+*/
+declare const promptMultiSelect: <T extends string>(message: string, options: ReadonlyArray<MultiSelectOption<T>>, settings?: {
+  defaults?: ReadonlyArray<T>;
+}) => Promise<T[]>;
+/**
+* A container/workflow that is declared (so codegen emits its class) but the
+* worker entry never re-exports — the one wiring step the generators can't always
+* do for the developer. wrangler rejects a `class_name` the deployed worker
+* doesn't export, so a deploy fails late on this; surfacing it as structured data
+* lets the Vite plugin raise it in the dev error overlay (not just the console)
+* the moment the gap appears. The human-readable form is also folded into
+* {@link ReconcileBindingsResult.warnings}.
+*/
+interface ExportGap {
+  /** Generated class wrangler needs exported, e.g. `OrderPipelineWorkflow`. */
+  className: string;
+  /** The `lunora/{containers,workflows}.ts` export name, e.g. `orderPipeline`. */
+  exportName: string;
+  /** Which declaration is unexported. */
+  kind: "container" | "workflow";
+  /** The `_generated/{module}` to re-export from, e.g. `workflows`. */
+  module: "containers" | "workflows";
+}
+interface ReconcileBindingsResult {
+  /** Short labels for each binding written (e.g. `"SCHEDULER/SchedulerDO"`). */
+  added: string[];
+  /** `true` when `wrangler.jsonc` was rewritten. */
+  changed: boolean;
+  /**
+  * Declared containers/workflows the worker entry doesn't re-export — the
+  * structured form of the corresponding `warnings` entries, for the dev error
+  * overlay. Empty when every declaration is wired.
+  */
+  exportGaps: ExportGap[];
+  /** Reason reconciliation was skipped, for logging. */
+  reason?: string;
+  /** Non-fatal hints for capabilities that cannot be auto-provisioned. */
+  warnings: string[];
+  /** Resolved wrangler path, or `undefined` when none was found. */
+  wranglerPath?: string;
+}
+/**
+* Reconcile inferred Durable Object / D1 bindings into `wrangler.jsonc`.
+*
+* Writes only when something is missing; returns `changed: false` when the
+* config already satisfies the inferred needs.
+*/
+declare const reconcileWranglerBindings: (projectRoot: string, inferred: InferredBindings) => ReconcileBindingsResult;
+/**
+* The wrangler config sections Lunora can safely flip to remote mode in dev,
+* each with the human label used in logs and the structural `shape` the entry
+* lives in.
+*
+* `"array"` is a top-level array of binding objects (`d1_databases`,
+* `kv_namespaces`, `r2_buckets`, `vectorize`, `services`). `"producers"` is
+* `queues.producers[]` — consumers are NOT remoted (their schema has no `remote`
+* field) and the edit path is two levels deep. `"object"` is a single binding
+* object, not an array (`ai`), whose edit path targets the section key directly.
+*
+* Every kind here was confirmed against `wrangler/config-schema.json`: the
+* entry's schema declares a `remote` property. Deliberately omits
+* `durable_objects` (no CF remote-DO mode; shards stay local) and sections whose
+* schema has no `remote` field (`hyperdrive`, `analytics_engine_datasets`,
+* `secrets_store_secrets`, queue consumers, …). Widening further is a one-line
+* table edit.
+*/
+declare const REMOTE_ELIGIBLE_KEYS: {
+  readonly ai: {
+    readonly label: "AI";
+    readonly shape: "object";
+  };
+  readonly d1_databases: {
+    readonly label: "D1";
+    readonly shape: "array";
+  };
+  readonly kv_namespaces: {
+    readonly label: "KV";
+    readonly shape: "array";
+  };
+  readonly queues: {
+    readonly label: "Queue";
+    readonly shape: "producers";
+  };
+  readonly r2_buckets: {
+    readonly label: "R2";
+    readonly shape: "array";
+  };
+  readonly services: {
+    readonly label: "Service";
+    readonly shape: "array";
+  };
+  readonly vectorize: {
+    readonly label: "Vectorize";
+    readonly shape: "array";
+  };
+};
+type RemoteEligibleKey = keyof typeof REMOTE_ELIGIBLE_KEYS;
+/** One binding object as it appears in any eligible section. */
+interface BindingEntry {
+  binding?: string;
+  remote?: boolean;
+}
+/** One binding entry we mark remote, with enough provenance to log + edit it. */
+interface RemoteBindingPlan {
+  /** The binding name as declared in the config (e.g. `"DB"`, `"FILES"`). */
+  binding: string;
+  /** Short kind label for logging (`"D1"`, `"KV"`, `"R2"`, `"Vectorize"`, …). */
+  kind: string;
+  /**
+  * The jsonc edit path within {@link RemoteBindingPlan.section}, relative to
+  * the section key: `[index]` for an `"array"` section, `["producers", index]`
+  * for a queue producer, or `[]` for the single-object `ai` section. The
+  * materializer prepends the section key and appends `"remote"`.
+  */
+  path: ReadonlyArray<number | string>;
+  /** The wrangler config key the entry lives under. */
+  section: RemoteEligibleKey;
+}
+/** The structural slice of a wrangler config the remote planner reads. */
+interface RemoteWranglerShape {
+  ai?: BindingEntry | null;
+  d1_databases?: ReadonlyArray<BindingEntry | null | undefined>;
+  kv_namespaces?: ReadonlyArray<BindingEntry | null | undefined>;
+  queues?: {
+    producers?: ReadonlyArray<BindingEntry | null | undefined>;
+  } | null;
+  r2_buckets?: ReadonlyArray<BindingEntry | null | undefined>;
+  services?: ReadonlyArray<BindingEntry | null | undefined>;
+  vectorize?: ReadonlyArray<BindingEntry | null | undefined>;
+}
+/**
+* Inspect a parsed wrangler config and list every eligible binding that should
+* be flipped to remote mode. Pure — no file-system access, no mutation. An
+* entry already carrying `"remote": true` is still reported (so logging is
+* complete) but the materializer's edit is a harmless no-op for it.
+*/
+declare const planRemoteBindings: (parsed: RemoteWranglerShape) => RemoteBindingPlan[];
+/**
+* Inject `"remote": true` onto each planned binding in the config `text`,
+* comment-preservingly via jsonc edits. Pure string→string; the edits target
+* disjoint entries so applying them sequentially is safe. The edit path is
+* `[section, ...plan.path, "remote"]`, which resolves to the array element, the
+* `queues.producers[i]` entry, or the single `ai` object as the plan demands.
+*/
+declare const injectRemoteFlags: (text: string, plans: ReadonlyArray<RemoteBindingPlan>) => string;
+interface MaterializeOptions {
+  /** When `false`, the call is a no-op (returns `enabled: false`). */
+  enabled: boolean;
+  projectRoot: string;
+}
+interface MaterializeResult {
+  /**
+  * Removes the generated temp config file. Always present and always safe to
+  * call: it is idempotent, a no-op when nothing was written (disabled /
+  * fall-through cases), and never throws if the path is already gone. The dev
+  * command calls this on every exit path (normal, signal, error).
+  */
+  cleanup: () => void;
+  /**
+  * Absolute path to the generated temp config to pass to
+  * `wrangler dev --config`. `undefined` when remote mode is disabled, no
+  * wrangler config was found, it failed to parse, or it declared no eligible
+  * binding (nothing to remote — run plain local dev).
+  */
+  configPath?: string;
+  /** Whether remote mode was requested at all. */
+  enabled: boolean;
+  /** Why no temp config was produced, for logging (only set when none was). */
+  reason?: string;
+  /** The bindings flipped to remote, for the dev banner. */
+  remoteBindings: RemoteBindingPlan[];
+}
+/**
+* Produce a temporary wrangler config with `"remote": true` on every eligible
+* binding, so `lunora dev` can run `wrangler dev --config &lt;temp>` against the
+* deployed D1/KV/R2 without touching the user's file.
+*
+* The temp file is written as a sibling of the source `wrangler.jsonc` (in the
+* project root), NOT an OS temp dir: wrangler resolves a config's relative paths
+* (`main`, `assets`, `migrations_dir`, …) against the **config file's own
+* directory**, so a temp config in `/tmp` would make wrangler look for
+* `/tmp/src/server.ts` and fail to start the worker. Keeping it beside the real
+* config preserves those relative paths. Returns `configPath: undefined` (with a
+* `reason`) for every fall-through case so the caller degrades to plain local
+* dev instead of failing.
+*/
+declare const materializeRemoteWranglerConfig: (options: MaterializeOptions) => MaterializeResult;
+/**
+* Parse a `LUNORA_REMOTE` env value into the on/off decision. Truthy when set to
+* `"1"` or `"true"` (case-insensitive); anything else — unset, `"0"`, `"false"`,
+* empty — is off. Mirrors the `"1" | "true"` convention used across the runtime.
+*/
+declare const isRemoteEnvEnabled: (value: string | undefined) => boolean;
+/** The three inputs that can switch remote-binding dev on, in precedence order. */
+interface RemoteEnableInputs {
+  /**
+  * The `remote` preference from `lunora.json` (the lowest-priority signal).
+  * `undefined` means "no project preference"; an explicit `false` here loses
+  * to neither the flag nor the env when those are absent — it just stays off.
+  */
+  configPreference?: boolean;
+  /** The raw `LUNORA_REMOTE` env value (parsed with {@link isRemoteEnvEnabled}). */
+  envValue?: string;
+  /** The explicit `--remote` CLI flag — `true` when passed, `undefined`/`false` otherwise. */
+  flag?: boolean;
+}
+/**
+* Resolve whether remote-binding dev is on, with a clear precedence:
+*
+* 1. an explicit `--remote` flag (highest — a deliberate per-invocation choice),
+* 2. then `LUNORA_REMOTE` in the environment,
+* 3. then the `remote` key in `lunora.json` (lowest — a project default).
+*
+* The flag and env are one-directional (they can only turn remote *on*); only
+* the config preference carries a meaningful `false`, and it applies solely when
+* neither stronger signal is present. So a project that sets `"remote": false`
+* is still overridable per-run by `--remote` or `LUNORA_REMOTE=1`.
+*/
+declare const resolveRemoteEnabled: (inputs: RemoteEnableInputs) => boolean;
+/**
+* Whether an (already-unquoted) value looks like a fill-me-in placeholder —
+* empty, angle-bracketed, or containing a known marker — rather than a real
+* value. Used both when scaffolding (which values to regenerate) and by
+* `lunora env doctor` (which set values are still unfilled).
+*/
+declare const isPlaceholderValue: (value: string) => boolean;
+/**
+* The outcome of planning a scaffold — a discriminated union so the orchestrator
+* never has to re-derive whether `content` is present.
+*
+* `exists`: `.dev.vars` is already there; nothing to do.
+* `no-example`: nothing to scaffold from (stay silent — the project may not use secrets).
+* `generate`: write `content`, a copy of the example with secret-looking placeholders replaced by fresh random hex (`generatedKeys` lists which).
+*/
+type ScaffoldPlan = {
+  content: string;
+  generatedKeys: string[];
+  status: "generate";
+} | {
+  status: "exists";
+} | {
+  status: "no-example";
+};
+/** Decide whether (and what) to scaffold. Pure — given the current state of the two files. */
+declare const planDevVariablesScaffold: (input: {
+  devVarsExists: boolean;
+  exampleContent: string | undefined; /** Injectable for deterministic tests; defaults to `crypto.randomBytes`. */
+  randomHex?: (bytes: number) => string;
+}) => ScaffoldPlan;
+interface AugmentPlan {
+  /** The `.dev.vars` lines to append, in example order. */
+  additions: string[];
+  /** The subset of `missingKeys` whose values were freshly generated. */
+  generatedKeys: string[];
+  /** Keys present in the example but absent from the current `.dev.vars`. */
+  missingKeys: string[];
+}
+/**
+* Plan how to top up an existing `.dev.vars` from the example: every example key
+* not already present becomes an appended line (secret placeholders filled with
+* fresh random hex, other values copied). Pure — no I/O. Empty `missingKeys`
+* means the file is already complete.
+*/
+declare const planDevVariablesAugment: (input: {
+  exampleContent: string;
+  existingContent: string; /** Injectable for deterministic tests; defaults to `crypto.randomBytes`. */
+  randomHex?: (bytes: number) => string;
+}) => AugmentPlan;
+interface EnsureDevVariablesDeps {
+  /**
+  * Ask the user to confirm generating the file. Return `true` to generate.
+  * Consumers pass a TTY-aware prompt; in non-interactive contexts they should
+  * resolve `false` (we then report `"declined"` and the caller can hint).
+  */
+  confirm: (message: string) => Promise<boolean>;
+  cwd: string;
+  /** Emit a human-facing line (success / hint). */
+  info: (message: string) => void;
+  /** Injectable for tests; defaults to `crypto.randomBytes` hex. */
+  randomHex?: (bytes: number) => string;
+  /** Generate without prompting (e.g. a `--yes` flag). */
+  yes?: boolean;
+}
+type EnsureDevVariablesStatus = "augmented" | "declined" | "exists" | "generated" | "no-example" | "skipped-exists";
+interface EnsureDevVariablesResult {
+  /** Keys appended to an existing file, when `status` is `"augmented"`. */
+  addedKeys: string[];
+  /** Keys whose values were freshly generated, when `status` is `"generated"`/`"augmented"`. */
+  generatedKeys: string[];
+  status: EnsureDevVariablesStatus;
+}
+/**
+* Reconcile the project's `.dev.vars` with its `.dev.vars.example`:
+*
+* - file missing → offer to generate it (secret placeholders auto-filled);
+* - file present but missing keys the example lists → offer to append them;
+* - file present and complete → nothing to do.
+*
+* Prompts via `confirm` (skipped when `yes`); never overwrites existing values.
+* Returns what happened so the caller can tailor any follow-up. Shared by
+* `lunora dev` and the `@lunora/vite` dev server. All side effects funnel
+* through `confirm`/`info`/`randomHex`.
+*/
+declare const ensureDevVariables: (deps: EnsureDevVariablesDeps) => Promise<EnsureDevVariablesResult>;
+/**
+* Build the text that should be merged into `.dev.vars.example` for the given
+* set of package names. Only entries whose key is not already present in
+* `existingKeys` are included (additive / idempotent). Returns an empty string
+* when there is nothing to add.
+*
+* The output is grouped by package with a blank-line separator so the file
+* reads cleanly when multiple packages each contribute several keys.
+*
+* **Safety invariant:** this function never writes a real secret — every value
+* in the output is the entry's `placeholderValue`.
+*/
+declare const buildPackageSecretsBlock: (packageNames: ReadonlyArray<string>, existingKeys: ReadonlySet<string>) => string;
+/**
+* Write (or update) `.dev.vars.example` so that it contains the secrets
+* required by `packageNames`. Existing lines are never removed or rewritten;
+* new entries are appended (with a blank-line separator after existing content).
+*
+* Idempotent: re-running with the same `packageNames` does not duplicate keys
+* already in the file. Returns the list of keys that were actually appended.
+*
+* **Safety invariant:** only placeholder values are written — no real secrets.
+*/
+declare const ensureDevVariablesExample: (cwd: string, packageNames: ReadonlyArray<string>) => string[];
+/** Add a new table to `defineSchema({ ... })`. */
+interface AddTableEdit {
+  readonly kind: "addTable";
+  readonly table: string;
+}
+/** Add an `v.optional(...)` column to an existing table. */
+interface AddOptionalColumnEdit {
+  readonly column: string;
+  readonly kind: "addOptionalColumn";
+  readonly table: string;
+  /**
+  * Inner validator expression text WITHOUT the `v.optional(...)` wrapper, e.g.
+  * `v.string()`. Always wrapped in `v.optional(...)` on apply, because only
+  * optional columns are additive-safe (a required column needs a backfill
+  * migration).
+  */
+  readonly validator: string;
+}
+/** Add a secondary index to an existing table. */
+interface AddIndexEdit {
+  readonly fields: ReadonlyArray<string>;
+  readonly kind: "addIndex";
+  readonly name: string;
+  readonly table: string;
+  readonly unique?: boolean;
+}
+/** Additive edits — the only requests {@link applyAdditiveEdit} applies. */
+type AdditiveEdit = AddIndexEdit | AddOptionalColumnEdit | AddTableEdit;
+/**
+* Destructive edits — never applied directly; routed to the migration handoff
+* (plan 024 Item 5). Carried as data so the editor can describe the request.
+*/
+interface DestructiveEdit {
+  readonly column?: string;
+  readonly kind: "changeColumnType" | "dropColumn" | "dropTable" | "makeRequired" | "renameColumn";
+  readonly newName?: string;
+  readonly table: string;
+  readonly validator?: string;
+}
+/** Any edit the editor can request. */
+type SchemaEdit = AdditiveEdit | DestructiveEdit;
+/**
+* Classify an edit request. Additive edits ({@link AdditiveEdit}) apply
+* directly; everything else changes stored data and is destructive.
+*/
+declare const classifyEdit: (edit: SchemaEdit) => "additive" | "destructive";
+/** Failure reasons an additive edit can report. */
+type ApplyFailureReason = "aliased-define-schema" | "destructive" | "duplicate-column" | "duplicate-index" | "duplicate-table" | "invalid-identifier" | "invalid-validator" | "no-define-schema" | "non-object-argument" | "unknown-table";
+/** Tagged result of applying an additive edit. */
+type ApplyEditResult = {
+  ok: false;
+  reason: ApplyFailureReason;
+} | {
+  ok: true;
+  text: string;
+};
+/**
+* Apply an **additive** edit to a schema source string, preserving formatting.
+* Destructive edits are refused with `{ ok: false, reason: "destructive" }`;
+* route them through the migration handoff (plan 024 Item 5).
+*/
+declare const applyAdditiveEdit: (source: string, edit: SchemaEdit) => ApplyEditResult;
+/** A single declared column: its name and the raw validator expression text. */
+interface SchemaColumn {
+  /** Column key (quotes stripped). */
+  readonly name: string;
+  /** Whether the validator is wrapped in `v.optional(...)`. */
+  readonly optional: boolean;
+  /** Raw validator expression text, e.g. `v.string()` or `v.optional(v.number())`. */
+  readonly validator: string;
+}
+/** A declared secondary index on a table. */
+interface SchemaIndex {
+  /** Fields the index covers, in declaration order. */
+  readonly fields: ReadonlyArray<string>;
+  /** Index name. */
+  readonly name: string;
+  /** Whether the index was declared `{ unique: true }`. */
+  readonly unique: boolean;
+}
+/** One table parsed from `defineSchema({ ... })`. */
+interface SchemaTable {
+  readonly columns: ReadonlyArray<SchemaColumn>;
+  /** Whether the table is `.global()`. */
+  readonly global: boolean;
+  readonly indexes: ReadonlyArray<SchemaIndex>;
+  readonly name: string;
+  /** The `.shardBy("field")` key, if any. */
+  readonly shardBy?: string;
+}
+/** Result of parsing a schema source string. */
+type ParseSchemaResult = {
+  ok: false;
+  reason: "aliased-define-schema" | "no-define-schema" | "non-object-argument";
+} | {
+  ok: true;
+  tables: ReadonlyArray<SchemaTable>;
+};
+/**
+* Every `CallExpression` at or below a node. `getDescendantsOfKind` excludes the
+* node itself, but a table initializer often is the outermost call in the
+* `defineTable(...).global().index(...)` chain, so include it explicitly.
+*/
+/**
+* Parse the tables (with typed columns + indexes) out of a `lunora/schema.ts`
+* source string. Returns a tagged result so callers can render a helpful
+* message per failure mode without throwing.
+*/
+declare const parseSchema: (source: string) => ParseSchemaResult;
+interface SchemaInfo {
+  /** Whether the lunora schema declares any `.global()` table. */
+  hasGlobalTable: boolean;
+  /** Names of vector indexes declared via `.vectorize()` / `defineVectorIndex()`. */
+  vectorIndexNames?: ReadonlyArray<string>;
+}
+interface DiscoverSchemaInfoResult {
+  /** Parse error message, when the schema exists but could not be analyzed. */
+  error?: string;
+  /** Schema facts, or `undefined` when no `schema.ts` exists or parsing failed. */
+  info: SchemaInfo | undefined;
+}
+/**
+* Discover {@link SchemaInfo} for a project. Returns `{ info: undefined }` when
+* the project declares no `schema.ts` (not an error), or `{ info: undefined,
+* error }` when a present schema could not be parsed — callers decide whether a
+* parse failure is a warning (validator) or simply ignorable (inference).
+*/
+declare const discoverSchemaInfo: (projectRoot: string, schemaDirectory: string) => DiscoverSchemaInfoResult;
+/** Candidate wrangler config filenames, in the order every consumer probes them. */
+declare const WRANGLER_FILES: readonly ["wrangler.jsonc", "wrangler.json"];
+/** Locate the project's wrangler config, or `undefined` when none exists. */
+declare const findWranglerFile: (projectRoot: string) => string | undefined;
+interface ReadWranglerResult<T> {
+  /** Parsed config, or `undefined` when the file was not valid JSONC. */
+  parsed: T | undefined;
+  /** Raw file text — needed for comment-preserving `modify`/`applyEdits`. */
+  text: string;
+}
+/**
+* Read and JSONC-parse a wrangler config file. Returns the raw `text` (for
+* structural edits) alongside `parsed`, which is `undefined` when the file is
+* not valid JSONC or does not parse to an object. Allows trailing commas, as
+* wrangler does.
+*/
+declare const readWranglerJsonc: <T = unknown>(wranglerPath: string) => ReadWranglerResult<T>;
+declare const REQUIRED_COMPATIBILITY_DATE: string;
+declare const REQUIRED_FLAG: string;
+interface WranglerDurableObjectBinding {
+  class_name?: string;
+  name?: string;
+}
+/**
+* A `tail_consumers` entry: a Worker that receives this Worker's tail events
+* (logs, exceptions, fetch metadata) for forwarding to an external sink. See
+* `withTailConsumer` for the wiring helper.
+*/
+interface TailConsumer {
+  /** Optional Cloudflare environment of the consumer Worker. */
+  environment?: string;
+  /** Name of the Worker that consumes tail events. */
+  service?: string;
+}
+/** A wrangler `containers[]` entry (parsed from untrusted JSONC). */
+interface WranglerContainerEntry {
+  class_name?: string;
+  image?: string;
+  instance_type?: string | {
+    disk_mb?: number;
+    memory_mib?: number;
+    vcpu?: number;
+  };
+  max_instances?: number;
+}
+/**
+* A wrangler `workflows[]` entry (parsed from untrusted JSONC). Unlike
+* containers, workflows are NOT Durable Objects — the entry stands alone (no
+* `durable_objects` binding, no migration class).
+*/
+interface WranglerWorkflowEntry {
+  binding?: string;
+  class_name?: string;
+  name?: string;
+}
+interface WranglerConfig {
+  analytics_engine_datasets?: ReadonlyArray<{
+    binding?: string;
+    dataset?: string;
+  } | null | undefined>;
+  assets?: {
+    binding?: string;
+    directory?: string;
+    html_handling?: string;
+    not_found_handling?: string;
+  };
+  browser?: {
+    binding?: string;
+  };
+  compatibility_date?: string;
+  compatibility_flags?: ReadonlyArray<string>;
+  containers?: ReadonlyArray<WranglerContainerEntry | null | undefined>;
+  d1_databases?: ReadonlyArray<{
+    binding?: string;
+  }>;
+  dispatch_namespaces?: ReadonlyArray<{
+    binding?: string;
+    namespace?: string;
+    outbound?: unknown;
+  } | null | undefined>;
+  durable_objects?: {
+    bindings?: ReadonlyArray<WranglerDurableObjectBinding>;
+  };
+  hyperdrive?: ReadonlyArray<{
+    binding?: string;
+    id?: string;
+    localConnectionString?: string;
+  } | null | undefined>;
+  images?: {
+    binding?: string;
+  };
+  kv_namespaces?: ReadonlyArray<{
+    binding?: string;
+    id?: string;
+  } | null | undefined>;
+  logpush?: boolean;
+  migrations?: ReadonlyArray<{
+    new_classes?: ReadonlyArray<string>;
+    new_sqlite_classes?: ReadonlyArray<string>;
+  } | null | undefined>;
+  mtls_certificates?: ReadonlyArray<{
+    binding?: string;
+    certificate_id?: string;
+  } | null | undefined>;
+  observability?: {
+    enabled?: boolean;
+    head_sampling_rate?: number;
+    logs?: {
+      enabled?: boolean;
+      head_sampling_rate?: number;
+    };
+  };
+  pipelines?: ReadonlyArray<{
+    binding?: string;
+    pipeline?: string;
+  } | null | undefined>;
+  placement?: {
+    mode?: string;
+  };
+  r2_buckets?: ReadonlyArray<{
+    binding?: string;
+  }>;
+  send_email?: ReadonlyArray<{
+    allowed_destination_addresses?: ReadonlyArray<string>;
+    destination_address?: string;
+    name?: string;
+  } | null | undefined>;
+  services?: ReadonlyArray<{
+    binding?: string;
+    entrypoint?: string;
+    environment?: string;
+    service?: string;
+  } | null | undefined>;
+  tail_consumers?: ReadonlyArray<TailConsumer | null | undefined>;
+  vars?: Record<string, unknown>;
+  vectorize?: ReadonlyArray<{
+    binding?: string;
+    index_name?: string;
+  } | null | undefined>;
+  workflows?: ReadonlyArray<WranglerWorkflowEntry | null | undefined>;
+}
+interface WranglerValidationReport {
+  errors: string[];
+  valid: boolean;
+  warnings: string[];
+}
+/**
+* Return a new `WranglerConfig` with `consumer` present in `tail_consumers`,
+* wiring this Worker to forward its tail events (logs/exceptions) to another
+* Worker that fans them out to an external sink. Pure and idempotent: an
+* existing entry with the same `service` + `environment` is left untouched
+* rather than duplicated, so it is safe to call on every codegen/deploy.
+*/
+declare const withTailConsumer: (wrangler: WranglerConfig, consumer: TailConsumer) => WranglerConfig;
+/**
+* Pure validator: given a parsed `WranglerConfig` object and an optional
+* `SchemaInfo`, produce a structured report. Performs no I/O.
+*/
+declare const validateWranglerConfig: (wrangler: WranglerConfig | undefined, schema?: SchemaInfo) => WranglerValidationReport;
+/**
+* Convenience alias matching the original task-spec signature
+* `validateWrangler(wranglerJson, schema)` returning
+* `{ valid, errors, warnings }`.
+*/
+declare const validateWrangler: typeof validateWranglerConfig;
+interface WranglerProjectValidationOptions {
+  projectRoot: string;
+  schemaDir?: string;
+}
+interface WranglerProjectValidationResult {
+  problems: ReadonlyArray<string>;
+  report: WranglerValidationReport;
+  wranglerPath: string | undefined;
+}
+/**
+* File-system aware variant: reads `wrangler.jsonc`/`wrangler.json` from
+* the given project root, discovers the schema (if any), and delegates to
+* `validateWranglerConfig`. Returns the legacy
+* `{ problems, wranglerPath }` shape plus the structured `report`.
+*/
+declare const validateWranglerProject: (options: WranglerProjectValidationOptions) => WranglerProjectValidationResult;
+export { AGENT_RULES_DIR, AGENT_RULES_HINT, AGENT_RULES_HINT_ENV, type AddIndexEdit, type AddOptionalColumnEdit, type AddTableEdit, type AdditiveEdit, type AgentRulesStatus, type ApplyEditResult, type ApplyFailureReason, type AugmentPlan, DEV_VARS_EXAMPLE_FILE, DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, type DestructiveEdit, type DetectedFramework, type DiscoverContainerInfoResult, type DiscoverSchemaInfoResult, type DiscoverWorkflowInfoResult, type EnsureDevVariablesDeps, type EnsureDevVariablesResult, type EnsureDevVariablesStatus, type ExportGap, type FrameworkClass, type FrameworkDetection, type InferOptions, type InferredBindings, type InferredContainer, type InferredWorkflow, LINKED_PROJECT_DIR, LINKED_PROJECT_FILE, LUNORA_CONFIG_FILE, LUNORA_EVENT_SOURCE, LUNORA_SKILL_NAMES, type LinkedProject, type LunoraFormattedLine, type LunoraLineLevel, type LunoraProjectConfig, type MaterializeOptions, type MaterializeResult, type MultiSelectOption, PACKAGE_SECRETS_REGISTRY, type ParseSchemaResult, REMOTE_ELIGIBLE_KEYS, REQUIRED_COMPATIBILITY_DATE, REQUIRED_FLAG, ROOT_SKILL_NAME, type ReadWranglerResult, type ReconcileBindingsResult, type RemoteBindingPlan, type RemoteEnableInputs, type RemotePreference, type RemoteWranglerShape, type ScaffoldPlan, type SchemaColumn, type SchemaEdit, type SchemaIndex, type SchemaInfo, type SchemaTable, type SecretEntry, type SelectOption, type TailConsumer, WRANGLER_FILES, type WranglerConfig, type WranglerContainerEntry, type WranglerProjectValidationOptions, type WranglerProjectValidationResult, type WranglerValidationReport, type WranglerWorkflowEntry, applyAdditiveEdit, buildPackageSecretsBlock, claimAgentRulesHint, classifyEdit, createConfirm, detectAgentRules, detectFramework, discoverContainerInfo, discoverSchemaInfo, discoverWorkflowInfo, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, findWranglerFile, formatLunoraEvent, inferLunoraBindings, injectRemoteFlags, interpretRemote, isInteractive, isPlaceholderValue, isRemoteEnvEnabled, materializeRemoteWranglerConfig, packageNamesFromBindings, parseDevVariableEntries, parseSchema, planDevVariablesAugment, planDevVariablesScaffold, planRemoteBindings, promptMultiSelect, promptSelect, promptYesNo, readLinkedProject, readProjectRemotePreference, readWranglerJsonc, reconcileWranglerBindings, resolveRemoteEnabled, secretsForPackages, validateWrangler, validateWranglerConfig, validateWranglerProject, withTailConsumer, writeLinkedProject };