@luquimbo/bi-superpowers 4.1.2 → 4.1.4

package/skills/report-design/scripts/create-visual.js

@@ -679,6 +679,66 @@ function nextInt(existing, key) {
   return max + 1;
 }
 
+function validateVisualName(name) {
+  if (typeof name !== 'string' || name.trim() === '') {
+    fail('--name must be a non-empty visual folder name');
+  }
+
+  if (name !== name.trim()) {
+    fail(`--name must not have leading or trailing whitespace (got: ${JSON.stringify(name)})`);
+  }
+
+  if (
+    name === '.' ||
+    name === '..' ||
+    /[\\/]/.test(name) ||
+    path.basename(name) !== name ||
+    path.win32.basename(name) !== name ||
+    path.posix.basename(name) !== name
+  ) {
+    fail(`--name must be a single visual folder name, not a path (got: ${JSON.stringify(name)})`);
+  }
+
+  if (/[\u0000-\u001f<>:"|?*]/.test(name)) {
+    fail(`--name contains characters that are not valid in a Windows folder name (got: ${JSON.stringify(name)})`);
+  }
+}
+
+function validateNumericOptions(args) {
+  const numericOptions = [
+    ['x', '--x'],
+    ['y', '--y'],
+    ['z', '-z'],
+    ['width', '--width'],
+    ['height', '--height'],
+    ['tabOrder', '--tab-order'],
+  ];
+
+  for (const [key, flag] of numericOptions) {
+    if (args[key] != null && !Number.isFinite(args[key])) {
+      fail(`${flag} must be a finite number`);
+    }
+  }
+
+  for (const [key, flag] of [
+    ['width', '--width'],
+    ['height', '--height'],
+  ]) {
+    if (args[key] != null && args[key] <= 0) {
+      fail(`${flag} must be greater than 0`);
+    }
+  }
+}
+
+function assertPathInside(childPath, parentPath, label) {
+  const parent = path.resolve(parentPath);
+  const child = path.resolve(childPath);
+  const relative = path.relative(parent, child);
+  if (!relative || relative.startsWith('..') || path.isAbsolute(relative)) {
+    fail(`${label} resolved outside the expected directory: ${child}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // main()
 // ---------------------------------------------------------------------------
@@ -698,6 +758,7 @@ function main() {
   if (!args.reportPath) fail('--report-path is required');
   if (!args.page) fail('--page is required');
   if (!args.type) fail('--type is required (use --list-types to see options)');
+  validateNumericOptions(args);
 
   // ---- type validation with friendly errors for known non-native aliases
   if (KNOWN_NON_NATIVE_TYPES[args.type]) {
@@ -727,8 +788,11 @@ function main() {
     } while (existing.some((v) => v.name === candidate));
     name = candidate;
   }
+  validateVisualName(name);
 
-  const visualDir = path.join(pageDir, 'visuals', name);
+  const visualsDir = path.join(pageDir, 'visuals');
+  const visualDir = path.join(visualsDir, name);
+  assertPathInside(visualDir, visualsDir, '--name');
   const visualJsonPath = path.join(visualDir, 'visual.json');
   if (fs.existsSync(visualJsonPath)) {
     fail(

package/skills/report-design/scripts/update-check.js

@@ -47,7 +47,7 @@ const HTTPS_TIMEOUT_MS = 5000;
 // Rewritten at generation time when this helper is copied into
 // `skills/<name>/scripts/update-check.js`. In the canonical source under
 // `bin/commands/`, it stays null and we fall back to package.json.
-const BUNDLED_INSTALLED_VERSION = "4.1.2";
+const BUNDLED_INSTALLED_VERSION = "4.1.4";
 
 // ---------------------------------------------------------------------------
 // Argument parsing

package/skills/report-design/scripts/validate-pbir.js

@@ -130,6 +130,33 @@ function boundRoles(visualData) {
   return bound;
 }
 
+function validatePosition(position) {
+  const errors = [];
+  const requiredFields = ['x', 'y', 'z', 'height', 'width', 'tabOrder'];
+
+  if (!position || typeof position !== 'object') {
+    return requiredFields.map((field) => ({
+      severity: 'error',
+      rule: 'position-number',
+      field,
+      message: `position.${field} must be a finite number`,
+    }));
+  }
+
+  for (const field of requiredFields) {
+    if (!Number.isFinite(position[field])) {
+      errors.push({
+        severity: 'error',
+        rule: 'position-number',
+        field,
+        message: `position.${field} must be a finite number`,
+      });
+    }
+  }
+
+  return errors;
+}
+
 function validateVisual(visual) {
   const errors = [];
   const { data, path: filePath } = visual;
@@ -148,6 +175,8 @@ function validateVisual(visual) {
     errors.push({ severity: 'error', rule: 'name', message: 'missing "name"' });
   }
 
+  errors.push(...validatePosition(data.position));
+
   const vt = data.visual && data.visual.visualType;
   if (!vt) {
     errors.push({ severity: 'error', rule: 'visual-type', message: 'missing visualType' });

package/src/content/base.md

@@ -142,7 +142,7 @@ AI Assistant → microsoft-learn HTTP MCP → learn.microsoft.com docs
 
 ### Practical guidance
 
-- Prefer `.mcp.json` in the plugin root over tool-specific MCP config files.
+- Prefer user-level agent MCP config files written by `super install`. Use project-root `.mcp.json` only when the user explicitly uses an optional local Claude Code plugin.
 - Never invent or hardcode local ports for the official Modeling MCP flow.
 - On macOS/Linux, explain that the local Modeling MCP is unavailable and fall back to `microsoft-learn` for docs. Live editing of a local model requires Windows.
 

package/src/content/routing.md

@@ -52,7 +52,7 @@ Scan current directory for relevant files:
 |----------------|-----------------|
 | `.pbix` / `.pbip` / `.tmdl` files | `/project-kickoff` (if not analyzed) |
 | `.xlsx` / `.xlsm` files | `/project-kickoff` |
-| No plugin `.mcp.json` found when user asks about Power BI | `/pbi-connect` |
+| Agent MCP config missing when user asks about Power BI | `/pbi-connect` |
 
 ### 4. CHECK KEYWORDS
 

package/src/content/skills/bi-start.md

@@ -49,7 +49,7 @@ Interpret the single-line output:
     ```bash
     super upgrade
     ```
-    After it finishes, remind: _"Si instalaste skills en el perfil del agente, corré `super install --yes`. Si además usás un plugin local generado con `super kickoff`, corré `super recharge` dentro de ese repo."_
+  After it finishes, remind: _"Corré `super install --all --yes` para refrescar la instalación user-level de todos los agentes. Solo si además mantenés un plugin local de Claude Code generado con `super kickoff`, corré `super recharge` dentro de ese repo."_
 
   On `no` — respect it, continue to PHASE 1 silently. The update-state.json already tracks the user's snooze per `update-check.js` semantics.
 
@@ -80,7 +80,7 @@ Do these detections in order:
    ```
    (or equivalent). `$pbiDesktopRunning = true` if present.
 
-4. **MCP configured**: look for `.mcp.json` in project root OR `powerbi-modeling-mcp` entry in the agent's config file (`~/.claude.json`, `~/.codex/config.toml`, etc). Keep the check shallow — no need to deep-diff.
+4. **MCP configured**: look first for `powerbi-modeling-mcp` in the agent's user-level config file (`~/.claude.json`, `~/.codex/config.toml`, etc). Only check project-root `.mcp.json` when the user explicitly says they use a local Claude Code plugin. Keep the check shallow — no need to deep-diff.
 
 ### Emit the context in 3-4 lines max
 
@@ -174,7 +174,7 @@ Stop. Don't hover. The user will tell you what they want next.
 - **Project analysis or setup**: that's `/project-kickoff`. If the user says "analizar mi proyecto", "armar el modelo base", "arrancar uno nuevo desde cero", delegate.
 - **MCP wiring details**: that's `/pbi-connect`. bi-start just offers to dispatch it; the actual configuration work is in that skill.
 - **Report authoring**: that's `/report-design`. Same pattern.
-- **Running the update**: bi-start offers + dispatches `super upgrade`; the actual refresh path after eso (`/plugin update bi-superpowers`, `super install --yes`, o `super recharge`) is owned by `/bin/cli.js`.
+- **Running the update**: bi-start offers + dispatches `super upgrade`; the actual refresh path after eso (`/plugin update bi-superpowers`, `super install --all --yes`, o `super recharge` only for local Claude Code plugins) is owned by `/bin/cli.js`.
 
 ## Related Skills
 

package/src/content/skills/pbi-connect.md

@@ -9,10 +9,10 @@ Activate this skill when user mentions:
 - "can't connect to Power BI", "connection error", "MCP not working"
 
 ## Identity
-You are a **Power BI MCP Connection Specialist**. Your job is to help the user connect their AI agent to Power BI Desktop using the official Microsoft MCP servers shipped with bi-superpowers, with a plugin-first workflow.
+You are a **Power BI MCP Connection Specialist**. Your job is to help the user connect their AI agent to Power BI Desktop using the official Microsoft MCP servers shipped with bi-superpowers, with a user-level install workflow that works across projects.
 
 ## MANDATORY RULES
-1. **PLUGIN-FIRST.** Prefer `.mcp.json` in the Claude Code plugin root.
+1. **USER-LEVEL FIRST.** Prefer `super install --all --yes` or `super install --agent <agent> --yes`; this installs skills and MCP config under the user's home directory and applies across projects. `.mcp.json` is only for an optional repo-local Claude Code plugin.
 2. **OFFICIAL SERVERS ONLY.** Use `powerbi-modeling-mcp` (local) and `microsoft-learn` (HTTP). Do not invent or recommend unofficial MCPs.
 3. **WINDOWS LIMITATION.** Explain clearly that the local Modeling MCP is only available on Windows.
 4. **NO PORT INVENTION.** Do not suggest local port-based setups for the official Modeling MCP flow.
@@ -33,7 +33,8 @@ I'll help you connect your AI agent using the official Microsoft MCP servers.
 What do you need?
 
 1. Connect to Power BI Desktop on this machine (Windows)
-2. Verify that my plugin `.mcp.json` is configured correctly
+2. Verify that my agent MCP config is installed correctly
+3. Verify an optional local Claude Code plugin `.mcp.json`
 ```
 
 ---
@@ -56,11 +57,21 @@ Before we continue:
 
 ### If the user is on Windows and installed the extension
 
-Guide them to:
+Guide them to the user-level install:
 
-1. Run `bi-superpowers mcp-setup`
-2. Confirm `.mcp.json` contains `powerbi-modeling-mcp`
-3. Restart or refresh Claude Code
+1. Run `super install --all --yes`, or for one agent run `super install --agent codex --yes` / `super install --agent claude-code --yes` / etc.
+2. Confirm the agent config contains `powerbi-modeling-mcp` and `microsoft-learn`.
+3. Restart or refresh the AI agent so it reloads skills and MCP servers.
+
+Use these config locations:
+
+| Agent | Skill path | MCP config |
+| --- | --- | --- |
+| Claude Code | `~/.claude/skills` or `~/.agents/skills` | `~/.claude.json` |
+| GitHub Copilot | `~/.copilot/skills` | `~/.copilot/mcp-config.json` |
+| Codex | `~/.agents/skills` | `~/.codex/config.toml` |
+| Gemini CLI | `~/.gemini/skills` | `~/.gemini/settings.json` |
+| Kilo Code | `~/.kilo/skills` | `~/.kilo/mcp_settings.json` |
 
 Use this explanation:
 
@@ -72,18 +83,13 @@ and starts it with `--start`.
 
 If the user wants a config example, show:
 
-```json
-{
-  "powerbi-modeling-mcp": {
-    "type": "stdio",
-    "command": "node",
-    "args": ["${CLAUDE_PLUGIN_ROOT}/bin/mcp/powerbi-modeling-launcher.js"]
-  },
-  "microsoft-learn": {
-    "type": "http",
-    "url": "https://learn.microsoft.com/api/mcp"
-  }
-}
+```toml
+[mcp_servers.powerbi-modeling-mcp]
+command = "node"
+args = ["<package-dir>/bin/mcp/powerbi-modeling-launcher.js"]
+
+[mcp_servers.microsoft-learn]
+url = "https://learn.microsoft.com/api/mcp"
 ```
 
 ### If the user installed the executable manually
@@ -97,9 +103,11 @@ BI_SUPERPOWERS_POWERBI_MODELING_MCP_PATH
 Then re-run:
 
 ```bash
-super mcp-setup
+super install --all --yes
 ```
 
+If they are intentionally maintaining a repo-local Claude Code plugin, they can run `super mcp-setup` inside that plugin project instead.
+
 ### If the user is on macOS or Linux
 
 Say:
@@ -114,15 +122,41 @@ For live editing of a local semantic model, you need a Windows environment.
 
 ---
 
-## PHASE 2: Verify Plugin Config
+## PHASE 2: Verify Agent MCP Config
 
 If the user chooses option 2:
 
+Check the config for the agent they use:
+
+- Claude Code: `~/.claude.json`
+- GitHub Copilot: `~/.copilot/mcp-config.json`
+- Codex: `~/.codex/config.toml`
+- Gemini CLI: `~/.gemini/settings.json`
+- Kilo Code: `~/.kilo/mcp_settings.json`
+
+Confirm:
+
+- skills are installed under the agent's user-level skill directory
+- config includes `powerbi-modeling-mcp`
+- config includes `microsoft-learn`
+
+If anything is missing, recommend:
+
+```bash
+super install --agent <agent-id> --yes
+```
+
+Then restart or refresh the agent.
+
+## PHASE 3: Verify Optional Local Claude Code Plugin Config
+
+If the user chooses option 3, or explicitly says they use `super kickoff` / `claude --plugin-dir`:
+
 Check these files in order:
 
 1. `.claude-plugin/plugin.json`
 2. `.mcp.json`
-3. `.bi-superpowers.json` if present
+3. `.bi-superpowers.json`
 
 Confirm:
 
@@ -151,7 +185,8 @@ claude --plugin-dir .
 | --- | --- |
 | Modeling MCP missing on Windows | Install the Microsoft extension in VS Code or Cursor |
 | Modeling MCP installed manually | Set `BI_SUPERPOWERS_POWERBI_MODELING_MCP_PATH` |
-| Plugin not loading MCPs | Re-run `bi-superpowers mcp-setup` and restart Claude Code |
+| Agent not loading MCPs | Re-run `super install --agent <agent-id> --yes` and restart the agent |
+| Local Claude Code plugin not loading MCPs | Re-run `super mcp-setup` inside the plugin project and restart Claude Code |
 | macOS/Linux local modeling request | Use `microsoft-learn` for docs; live editing requires Windows |
 | User asks about Excel MCP | Explain Excel remains supported through skills and library content, not a default MCP |
 
@@ -163,7 +198,8 @@ claude --plugin-dir .
 | --- | --- | --- |
 | Recommend `uvx` for Modeling MCP | Not the official Microsoft installation path | Use the official executable via the local launcher |
 | Ask the user to find a localhost port | Not required in the new flow | Use the official Modeling MCP launcher |
-| Put plugin MCP config in `.claude/settings.json` first | Plugin-first flow uses `.mcp.json` | Prefer `.mcp.json` at the plugin root |
+| Run `super kickoff` for Codex/GitHub Copilot/Gemini/Kilo setup | `kickoff` creates repo-local Claude Code plugin files | Use `super install --agent <agent-id> --yes` |
+| Treat `.mcp.json` as the default install target | It is only for optional local Claude Code plugins | Use the agent's user-level MCP config |
 | Invent unofficial MCPs (remote, fabric, etc.) | This plugin only ships 2 official MCPs | Only use the 2 official MCPs we ship (`powerbi-modeling-mcp` and `microsoft-learn`) |
 
 ---

package/src/content/skills/report-design/SKILL.md

@@ -266,7 +266,7 @@ Do NOT hand-author `report.json` theme metadata. The canonical PBIR shape (for r
 - `resourcePackages` includes a `{name: "RegisteredResources", type: "RegisteredResources"}` package whose `items[]` has `{name: "<file>.json", path: "<file>.json", type: "CustomTheme"}`
 - the theme file itself lives at `<reportPath>/StaticResources/RegisteredResources/<file>.json`
 
-**Conditional formatting (variance KPI green/red, diverging matrix gradients, signed-color bars) is DEFERRED to v4.1.** The layouts mention conditional color in design notes; in v4.0.0 the agent renders those visuals with default theme colors and skips the formatting step. Do not call `pbi format` from this skill in v4.0.0 — the `pbi format` syntax is not yet documented or tested for our use cases. Better a plain report that renders than a fancy one that breaks.
+**Conditional formatting note.** Layout notes may describe variance colors, diverging matrix gradients, or signed-color bars as design intent. The current `report-design` flow does not author those formatting rules. Render those visuals with theme/default colors unless you have a tested PBIR formatting implementation. Do not invent `pbi format` calls from this skill.
 
 ### 4.4 Validate (two layers)
 

package/src/content/skills/report-design/references/layouts/finance.md

@@ -28,7 +28,7 @@ Roles used below (to be resolved via the MCP):
 | Scenario slicer | slicer (manual JSON — see `references/slicer.md`) | 848, 312, 336, 80 | `Scenario[Scenario]` |
 
 **Design notes:**
-- Variance KPI: conditional formatting (green positive, red negative) is deferred to v4.1 — render as plain card for v4.0.0.
+- Variance KPI: green/red conditional coloring is design intent only. Render as a plain card with theme/default colors unless a tested PBIR formatting implementation is available.
 - Year slicer default: current year (single-select).
 
 ---
@@ -61,5 +61,5 @@ Roles used below (to be resolved via the MCP):
 | Account × Month matrix | matrix | 16, 512, 1168, 144 | rows: `account-dim-column`, cols: `'Date'[Month]`, values: `variance-measure` with diverging gradient |
 
 **Design notes:**
-- Variance-sign coloring (diverging palette) is deferred to v4.1 — render bars/matrix with default theme colors for v4.0.0.
+- Variance-sign coloring (diverging palette) is design intent only. Render bars/matrix with theme/default colors unless a tested PBIR formatting implementation is available.
 - The bottom matrix is short (144px) so it acts as a "heatmap strip" rather than a scrollable table.

package/src/content/skills/report-design/references/native-visuals.md

@@ -311,7 +311,7 @@ Si PBI Desktop introduce un visualType nuevo (o encontrás uno nativo que falta
 
 ## Features de `visual.json` que `create-visual.js` NO soporta todavía
 
-Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el script (backlog item 2, cycle v4.1). No bloquean el authoring — la shape que emite el script pasa `pbi report validate` y `validate-pbir.js` — pero sí dejan regresiones visuales si el `visual.json` hand-written aprovechaba alguno de estos features:
+Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el script. No bloquean el authoring — la shape que emite el script pasa `pbi report validate` y `validate-pbir.js` — pero sí dejan regresiones visuales si el `visual.json` hand-written aprovechaba alguno de estos features:
 
 1. **`query.sortDefinition`** — sort explícito por medida/columna con dirección. `create-visual.js` no lo emite, así que un visual "ranking" tipo barChart ordenado descendente por una medida pierde el orden en la regeneración. **Workaround**: ordenar en Desktop manualmente después del `.pbip` abrir, o hand-extender el `visual.json` con `sortDefinition` post-creación. **Fix futuro**: `--sort-by "Role:Field" --sort-dir descending` en `create-visual.js`.
 
@@ -319,7 +319,7 @@ Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el
 
 3. **`queryState.<Role>.projections[].active`** — las columnas siempre salen con `active: true`, las medidas nunca. Si un visual hand-written tenía `active: true` en una medida (para indicar que la medida es la "default Y") o `active: false` en una columna (hidden projection), el script normaliza. Rara vez significativo para el render pero cambia el shape JSON.
 
-4. **Formato condicional**: colores signados (positivo verde / negativo rojo), gradientes en matriz, data bars en tabla. Ninguno de estos expresa shape via `create-visual.js`. Quedó deferido a v4.1+ en `SKILL.md` PHASE 4.3.
+4. **Formato condicional**: colores signados (positivo verde / negativo rojo), gradientes en matriz, data bars en tabla. Ninguno de estos expresa shape via `create-visual.js`; tratarlos como diseño previsto hasta que exista una implementación PBIR testeada.
 
 Cualquier cambio en el script que cubra estos gaps debe: (a) agregar el flag a `parseArgs`, (b) cubrirlo con tests en `create-visual.test.js`, (c) documentarlo en este archivo, (d) regenerar la Galería para que ejercite el feature.
 

package/src/content/skills/report-design/references/slicer.md

@@ -86,4 +86,4 @@ cat > "<reportPath>/definition/pages/<pageName>/visuals/<visualName>/visual.json
 EOF
 ```
 
-A reusable helper script (`scripts/write-slicer.sh`) is a v4.1 candidate; v4.0.0 ships with the heredoc pattern.
+Prefer `scripts/create-visual.js --type slicer` for new slicers. Keep the heredoc pattern above only as a fallback when the helper script is unavailable.

package/src/content/skills/report-design/references/textbox.md

@@ -98,4 +98,4 @@ cat > "<reportPath>/definition/pages/<pageName>/visuals/<visualName>/visual.json
 EOF
 ```
 
-A reusable helper script (`scripts/write-textbox.sh`) is a v4.1 candidate; v4.0.0 ships with the heredoc pattern.
+Prefer `scripts/create-visual.js --type textbox` for new textboxes. Keep the heredoc pattern above only as a fallback when the helper script is unavailable.

package/src/content/skills/report-design/scripts/create-visual.js

@@ -679,6 +679,66 @@ function nextInt(existing, key) {
   return max + 1;
 }
 
+function validateVisualName(name) {
+  if (typeof name !== 'string' || name.trim() === '') {
+    fail('--name must be a non-empty visual folder name');
+  }
+
+  if (name !== name.trim()) {
+    fail(`--name must not have leading or trailing whitespace (got: ${JSON.stringify(name)})`);
+  }
+
+  if (
+    name === '.' ||
+    name === '..' ||
+    /[\\/]/.test(name) ||
+    path.basename(name) !== name ||
+    path.win32.basename(name) !== name ||
+    path.posix.basename(name) !== name
+  ) {
+    fail(`--name must be a single visual folder name, not a path (got: ${JSON.stringify(name)})`);
+  }
+
+  if (/[\u0000-\u001f<>:"|?*]/.test(name)) {
+    fail(`--name contains characters that are not valid in a Windows folder name (got: ${JSON.stringify(name)})`);
+  }
+}
+
+function validateNumericOptions(args) {
+  const numericOptions = [
+    ['x', '--x'],
+    ['y', '--y'],
+    ['z', '-z'],
+    ['width', '--width'],
+    ['height', '--height'],
+    ['tabOrder', '--tab-order'],
+  ];
+
+  for (const [key, flag] of numericOptions) {
+    if (args[key] != null && !Number.isFinite(args[key])) {
+      fail(`${flag} must be a finite number`);
+    }
+  }
+
+  for (const [key, flag] of [
+    ['width', '--width'],
+    ['height', '--height'],
+  ]) {
+    if (args[key] != null && args[key] <= 0) {
+      fail(`${flag} must be greater than 0`);
+    }
+  }
+}
+
+function assertPathInside(childPath, parentPath, label) {
+  const parent = path.resolve(parentPath);
+  const child = path.resolve(childPath);
+  const relative = path.relative(parent, child);
+  if (!relative || relative.startsWith('..') || path.isAbsolute(relative)) {
+    fail(`${label} resolved outside the expected directory: ${child}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // main()
 // ---------------------------------------------------------------------------
@@ -698,6 +758,7 @@ function main() {
   if (!args.reportPath) fail('--report-path is required');
   if (!args.page) fail('--page is required');
   if (!args.type) fail('--type is required (use --list-types to see options)');
+  validateNumericOptions(args);
 
   // ---- type validation with friendly errors for known non-native aliases
   if (KNOWN_NON_NATIVE_TYPES[args.type]) {
@@ -727,8 +788,11 @@ function main() {
     } while (existing.some((v) => v.name === candidate));
     name = candidate;
   }
+  validateVisualName(name);
 
-  const visualDir = path.join(pageDir, 'visuals', name);
+  const visualsDir = path.join(pageDir, 'visuals');
+  const visualDir = path.join(visualsDir, name);
+  assertPathInside(visualDir, visualsDir, '--name');
   const visualJsonPath = path.join(visualDir, 'visual.json');
   if (fs.existsSync(visualJsonPath)) {
     fail(

package/src/content/skills/report-design/scripts/validate-pbir.js

@@ -130,6 +130,33 @@ function boundRoles(visualData) {
   return bound;
 }
 
+function validatePosition(position) {
+  const errors = [];
+  const requiredFields = ['x', 'y', 'z', 'height', 'width', 'tabOrder'];
+
+  if (!position || typeof position !== 'object') {
+    return requiredFields.map((field) => ({
+      severity: 'error',
+      rule: 'position-number',
+      field,
+      message: `position.${field} must be a finite number`,
+    }));
+  }
+
+  for (const field of requiredFields) {
+    if (!Number.isFinite(position[field])) {
+      errors.push({
+        severity: 'error',
+        rule: 'position-number',
+        field,
+        message: `position.${field} must be a finite number`,
+      });
+    }
+  }
+
+  return errors;
+}
+
 function validateVisual(visual) {
   const errors = [];
   const { data, path: filePath } = visual;
@@ -148,6 +175,8 @@ function validateVisual(visual) {
     errors.push({ severity: 'error', rule: 'name', message: 'missing "name"' });
   }
 
+  errors.push(...validatePosition(data.position));
+
   const vt = data.visual && data.visual.visualType;
   if (!vt) {
     errors.push({ severity: 'error', rule: 'visual-type', message: 'missing visualType' });