@opensip-cli/config 0.1.0

package/dist/document/cli-config.d.ts

@@ -0,0 +1,102 @@
+/**
+ * cli-config — the tool-agnostic `cli:` block of `opensip-cli.config.yml`.
+ *
+ * Owns three things, all relocated here under ADR-0023 §Amendment:
+ *   - {@link CliDefaults} — the structural type the CLI pre-action hook reads.
+ *   - {@link loadCliDefaults} — the permissive loader the hook calls to merge
+ *     project-wide defaults (`--report-to`, `--exclude`, `--json`, `--api-key`,
+ *     `verbose`, `debug`, the `cli.cloud` sync block) into Commander opts.
+ *   - {@link cliConfigSchema} — the Zod schema the host registers as the `cli`
+ *     document-level declaration so the composed whole-document validation
+ *     STRICT-rejects a typo in `cli:` before dispatch.
+ *
+ * Previously this lived in `@opensip-cli/contracts` (`cli-config.ts`) — a
+ * runtime YAML projection in a types-only package (the standing charter
+ * violation ADR-0023 names). It now lives in the config layer, beside the rest
+ * of the document blocks. The generic `readYamlFile` / `resolveProjectConfigPath`
+ * primitives stay in `core` (path/read primitives — the config-resolution
+ * decision in the ADR amendment); this module imports them from core.
+ *
+ * The loader is deliberately permissive — missing config, malformed YAML, or an
+ * absent `cli:` key all return `{}`. Strict validation is the composed
+ * document's job (the `cli` host declaration), not this reader's.
+ */
+import { z } from 'zod';
+/**
+ * Shape of the `cli:` block in `opensip-cli.config.yml` as the CLI pre-action
+ * hook reads it. The structural mirror of {@link cliConfigSchema}.
+ */
+export interface CliDefaults {
+    readonly exclude?: readonly string[];
+    readonly verbose?: boolean;
+    readonly json?: boolean;
+    readonly reportTo?: string;
+    readonly apiKey?: string;
+    readonly fileTypes?: readonly string[];
+    readonly ignore?: readonly string[];
+    readonly debug?: boolean;
+    /**
+     * Presentation settings (the `cli.ui:` sub-block). Currently just the
+     * banner size shown above each command. Unlike the other defaults this
+     * does NOT map onto a Commander flag — there is no `--banner`; it rides
+     * on `RunScope.ui` and is read by the render paths directly.
+     */
+    readonly ui?: {
+        /** Banner art: `mini` (default) | `lg` | `md` | `sm`. */
+        readonly banner?: 'lg' | 'md' | 'sm' | 'mini';
+    };
+    /**
+     * OpenSIP Cloud signal sync (ADR-0008). When the customer has an API key
+     * and is entitled to the storage tier, each run additionally emits its
+     * signals to OpenSIP Cloud (best-effort; local SQLite is unaffected).
+     * `sync` defaults to `true` when entitled — set `false` to opt out.
+     * `endpoint` overrides the built-in OpenSIP Cloud URL (must be https).
+     */
+    readonly cloud?: {
+        readonly sync?: boolean;
+        readonly endpoint?: string;
+    };
+}
+/**
+ * The Zod schema for the `cli:` document-level block. A superset of the legacy
+ * fitness `CliDefaultsSchema` (it additionally claims `debug` and the
+ * `cli.cloud` sub-block the permissive loader always read) so the composed
+ * STRICT validation never rejects a key the loader honours. Strictness is
+ * applied at the document level by the composer (`.strict()` on the namespace),
+ * so nested `ui`/`cloud` objects stay lenient — matching prior behaviour.
+ */
+export declare const cliConfigSchema: z.ZodObject<{
+    exclude: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    verbose: z.ZodOptional<z.ZodBoolean>;
+    json: z.ZodOptional<z.ZodBoolean>;
+    reportTo: z.ZodOptional<z.ZodURL>;
+    apiKey: z.ZodOptional<z.ZodString>;
+    fileTypes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    ignore: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    debug: z.ZodOptional<z.ZodBoolean>;
+    ui: z.ZodOptional<z.ZodObject<{
+        banner: z.ZodOptional<z.ZodEnum<{
+            lg: "lg";
+            md: "md";
+            sm: "sm";
+            mini: "mini";
+        }>>;
+    }, z.core.$strip>>;
+    cloud: z.ZodOptional<z.ZodObject<{
+        sync: z.ZodOptional<z.ZodBoolean>;
+        endpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * Best-effort load of the `cli:` block from `opensip-cli.config.yml`.
+ * Resolves the file via the core `resolveProjectConfigPath` primitive.
+ *
+ * Returns `{}` when the config is missing, unreadable, malformed, or has no
+ * `cli:` section — the merge step treats absence and "everything default" the
+ * same.
+ *
+ * @param cwd Project root for config resolution.
+ * @param explicitPath Optional `--config <path>` override.
+ */
+export declare function loadCliDefaults(cwd: string, explicitPath?: string): CliDefaults;
+//# sourceMappingURL=cli-config.d.ts.map

package/dist/document/cli-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-config.d.ts","sourceRoot":"","sources":["../../src/document/cli-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,CAAC,EAAE;QACZ,yDAAyD;QACzD,QAAQ,CAAC,MAAM,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,MAAM,CAAC;KAC/C,CAAC;IACF;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE;QACf,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;iBAoB1B,CAAC;AA6DH;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,WAAW,CAa/E"}

package/dist/document/cli-config.js

@@ -0,0 +1,150 @@
+/**
+ * cli-config — the tool-agnostic `cli:` block of `opensip-cli.config.yml`.
+ *
+ * Owns three things, all relocated here under ADR-0023 §Amendment:
+ *   - {@link CliDefaults} — the structural type the CLI pre-action hook reads.
+ *   - {@link loadCliDefaults} — the permissive loader the hook calls to merge
+ *     project-wide defaults (`--report-to`, `--exclude`, `--json`, `--api-key`,
+ *     `verbose`, `debug`, the `cli.cloud` sync block) into Commander opts.
+ *   - {@link cliConfigSchema} — the Zod schema the host registers as the `cli`
+ *     document-level declaration so the composed whole-document validation
+ *     STRICT-rejects a typo in `cli:` before dispatch.
+ *
+ * Previously this lived in `@opensip-cli/contracts` (`cli-config.ts`) — a
+ * runtime YAML projection in a types-only package (the standing charter
+ * violation ADR-0023 names). It now lives in the config layer, beside the rest
+ * of the document blocks. The generic `readYamlFile` / `resolveProjectConfigPath`
+ * primitives stay in `core` (path/read primitives — the config-resolution
+ * decision in the ADR amendment); this module imports them from core.
+ *
+ * The loader is deliberately permissive — missing config, malformed YAML, or an
+ * absent `cli:` key all return `{}`. Strict validation is the composed
+ * document's job (the `cli` host declaration), not this reader's.
+ */
+import { readYamlFile, resolveProjectConfigPath } from '@opensip-cli/core';
+import { z } from 'zod';
+/**
+ * The Zod schema for the `cli:` document-level block. A superset of the legacy
+ * fitness `CliDefaultsSchema` (it additionally claims `debug` and the
+ * `cli.cloud` sub-block the permissive loader always read) so the composed
+ * STRICT validation never rejects a key the loader honours. Strictness is
+ * applied at the document level by the composer (`.strict()` on the namespace),
+ * so nested `ui`/`cloud` objects stay lenient — matching prior behaviour.
+ */
+export const cliConfigSchema = z.object({
+    exclude: z.array(z.string()).optional(),
+    verbose: z.boolean().optional(),
+    json: z.boolean().optional(),
+    reportTo: z.url().optional(),
+    apiKey: z.string().min(1).optional(),
+    fileTypes: z.array(z.string()).optional(),
+    ignore: z.array(z.string()).optional(),
+    debug: z.boolean().optional(),
+    ui: z
+        .object({
+        banner: z.enum(['lg', 'md', 'sm', 'mini']).optional(),
+    })
+        .optional(),
+    cloud: z
+        .object({
+        sync: z.boolean().optional(),
+        endpoint: z.string().optional(),
+    })
+        .optional(),
+});
+/** Valid `ui.banner` values; anything else is dropped (→ default applies). */
+const BANNER_VALUES = new Set(['lg', 'md', 'sm', 'mini']);
+/**
+ * Type guard for permissive YAML reading. We accept anything that
+ * looks like a plain object; everything else collapses to `{}`.
+ */
+function isPlainObject(v) {
+    return typeof v === 'object' && v !== null && !Array.isArray(v);
+}
+/** Coerce a YAML value into a `string[]` if it is one; otherwise drop it. */
+function asStringArray(value) {
+    if (!Array.isArray(value))
+        return undefined;
+    if (!value.every((v) => typeof v === 'string'))
+        return undefined;
+    return value;
+}
+/** Project an arbitrary YAML object into the typed `CliDefaults` shape. */
+function projectCliDefaults(raw) {
+    const out = {};
+    const exclude = asStringArray(raw.exclude);
+    if (exclude)
+        out.exclude = exclude;
+    if (typeof raw.verbose === 'boolean')
+        out.verbose = raw.verbose;
+    if (typeof raw.json === 'boolean')
+        out.json = raw.json;
+    if (typeof raw.reportTo === 'string')
+        out.reportTo = raw.reportTo;
+    if (typeof raw.apiKey === 'string')
+        out.apiKey = raw.apiKey;
+    const fileTypes = asStringArray(raw.fileTypes);
+    if (fileTypes)
+        out.fileTypes = fileTypes;
+    const ignore = asStringArray(raw.ignore);
+    if (ignore)
+        out.ignore = ignore;
+    if (typeof raw.debug === 'boolean')
+        out.debug = raw.debug;
+    const ui = projectUiDefaults(raw.ui);
+    if (ui)
+        out.ui = ui;
+    const cloud = projectCloudDefaults(raw.cloud);
+    if (cloud)
+        out.cloud = cloud;
+    return out;
+}
+/** Project the `cli.cloud:` sub-block (sync flag + endpoint override) into the typed shape. */
+function projectCloudDefaults(raw) {
+    if (!isPlainObject(raw))
+        return undefined;
+    const out = {};
+    if (typeof raw.sync === 'boolean')
+        out.sync = raw.sync;
+    if (typeof raw.endpoint === 'string')
+        out.endpoint = raw.endpoint;
+    return out.sync === undefined && out.endpoint === undefined ? undefined : out;
+}
+/** Project the `cli.ui:` sub-block into the typed shape; drop unknown banner values. */
+function projectUiDefaults(raw) {
+    if (!isPlainObject(raw))
+        return undefined;
+    if (typeof raw.banner === 'string' && BANNER_VALUES.has(raw.banner)) {
+        return { banner: raw.banner };
+    }
+    return undefined;
+}
+/**
+ * Best-effort load of the `cli:` block from `opensip-cli.config.yml`.
+ * Resolves the file via the core `resolveProjectConfigPath` primitive.
+ *
+ * Returns `{}` when the config is missing, unreadable, malformed, or has no
+ * `cli:` section — the merge step treats absence and "everything default" the
+ * same.
+ *
+ * @param cwd Project root for config resolution.
+ * @param explicitPath Optional `--config <path>` override.
+ */
+export function loadCliDefaults(cwd, explicitPath) {
+    let filePath;
+    try {
+        filePath = resolveProjectConfigPath(cwd, explicitPath);
+    }
+    catch {
+        // @fitness-ignore-next-line error-handling-quality -- documented contract (see JSDoc above): failure to resolve the project config is equivalent to "no cli: section" and treated identically by the merge step.
+        return {};
+    }
+    const doc = readYamlFile(filePath);
+    if (!isPlainObject(doc))
+        return {};
+    const cliBlock = doc.cli;
+    if (!isPlainObject(cliBlock))
+        return {};
+    return projectCliDefaults(cliBlock);
+}
+//# sourceMappingURL=cli-config.js.map

package/dist/document/cli-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-config.js","sourceRoot":"","sources":["../../src/document/cli-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAsCxB;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC7B,EAAE,EAAE,CAAC;SACF,MAAM,CAAC;QACN,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE;KACtD,CAAC;SACD,QAAQ,EAAE;IACb,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC5B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,8EAA8E;AAC9E,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;AAE/E;;;GAGG;AACH,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,6EAA6E;AAC7E,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IACjE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,2EAA2E;AAC3E,SAAS,kBAAkB,CAAC,GAA4B;IACtD,MAAM,GAAG,GAA2D,EAAE,CAAC;IACvE,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,OAAO;QAAE,GAAG,CAAC,OAAO,GAAG,OAAO,CAAC;IACnC,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS;QAAE,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAChE,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACvD,IAAI,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAClE,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAAE,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/C,IAAI,SAAS;QAAE,GAAG,CAAC,SAAS,GAAG,SAAS,CAAC;IACzC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,MAAM;QAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC;IAChC,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,SAAS;QAAE,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IAC1D,MAAM,EAAE,GAAG,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACrC,IAAI,EAAE;QAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC;IACpB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK;QAAE,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAC7B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,+FAA+F;AAC/F,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,GAAG,GAEL,EAAE,CAAC;IACP,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACvD,IAAI,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAClE,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;AAChF,CAAC;AAED,wFAAwF;AACxF,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACpE,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAkD,EAAE,CAAC;IAC5E,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,YAAqB;IAChE,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,wBAAwB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,iNAAiN;QACjN,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC;IACzB,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,CAAC;IACxC,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC"}

package/dist/document/dashboard.d.ts

@@ -0,0 +1,21 @@
+/**
+ * dashboard — the `dashboard:` document-level block of
+ * `opensip-cli.config.yml`.
+ *
+ * Currently just the editor protocol used by the Code Paths panel to build
+ * `vscode://` / `cursor://` deep links. `dashboard` is a CLI-owned
+ * composition-root command, not a Tool plugin (ADR-0023 §Amendment), so its
+ * config is a host document-level block — structurally identical to `cli`,
+ * registered beside it in {@link ./host-declarations}.
+ *
+ * Relocated here from fitness's `SignalersConfigSchema`. Fitness
+ * still reads `dashboard.editor` via `loadSignalersConfig` until it is repointed
+ * to the composed scope config (Phase 4); it imports this schema rather than
+ * re-defining it, so there is one definition of the block.
+ */
+import { z } from 'zod';
+/** The Zod schema for the `dashboard:` document-level block. */
+export declare const dashboardConfigSchema: z.ZodObject<{
+    editor: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+//# sourceMappingURL=dashboard.d.ts.map

package/dist/document/dashboard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard.d.ts","sourceRoot":"","sources":["../../src/document/dashboard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,gEAAgE;AAChE,eAAO,MAAM,qBAAqB;;iBAEhC,CAAC"}

package/dist/document/dashboard.js

@@ -0,0 +1,21 @@
+/**
+ * dashboard — the `dashboard:` document-level block of
+ * `opensip-cli.config.yml`.
+ *
+ * Currently just the editor protocol used by the Code Paths panel to build
+ * `vscode://` / `cursor://` deep links. `dashboard` is a CLI-owned
+ * composition-root command, not a Tool plugin (ADR-0023 §Amendment), so its
+ * config is a host document-level block — structurally identical to `cli`,
+ * registered beside it in {@link ./host-declarations}.
+ *
+ * Relocated here from fitness's `SignalersConfigSchema`. Fitness
+ * still reads `dashboard.editor` via `loadSignalersConfig` until it is repointed
+ * to the composed scope config (Phase 4); it imports this schema rather than
+ * re-defining it, so there is one definition of the block.
+ */
+import { z } from 'zod';
+/** The Zod schema for the `dashboard:` document-level block. */
+export const dashboardConfigSchema = z.object({
+    editor: z.string().min(1).max(64).optional(),
+});
+//# sourceMappingURL=dashboard.js.map

package/dist/document/dashboard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard.js","sourceRoot":"","sources":["../../src/document/dashboard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,gEAAgE;AAChE,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC7C,CAAC,CAAC"}

package/dist/document/global-config.d.ts

@@ -0,0 +1,101 @@
+/**
+ * global-config — read/write the user-level (`~/.opensip-cli/config.yml`)
+ * config that holds the cloud API key and per-user defaults.
+ *
+ * User-scoped config I/O is tool-agnostic, so it lives in the config layer
+ * (relocated here from the CLI's `bootstrap/`, ADR-0023). The CLI's
+ * pre-action hook reads it on every invocation (`mergeConfigDefaults` falls back
+ * to the saved API key when neither `--api-key` nor `OPENSIP_API_KEY` is
+ * present), and the `configure` command's prompt+UX wrapper — which stays in
+ * `cli/commands` — reads/writes I/O through this module.
+ *
+ * The file is YAML and is `chmod 0o600` on write — it stores a secret.
+ * Reads are tolerant of any failure (missing dir, malformed YAML); the
+ * pre-action hook treats absence and corruption the same as "no key
+ * configured".
+ */
+import { type EnvVarSpec } from '@opensip-cli/core';
+/**
+ * Config-layer environment variables (§5.12). Declared as an
+ * immutable spec table read through the {@link EnvRegistry} primitive, so the env
+ * surface is governed and documentable (the `env-via-registry` guardrail forbids
+ * raw `process.env` reads). Re-exported for the generated env-surface doc.
+ */
+export declare const CONFIG_ENV_SPECS: readonly EnvVarSpec<unknown>[];
+/** User-level config file path. */
+export declare const GLOBAL_CONFIG_PATH: string;
+/**
+ * Shape of `~/.opensip-cli/config.yml`. Open-ended on purpose — future
+ * per-user defaults (theme, last-used recipe, telemetry opt-in) can land
+ * here without a contract change.
+ */
+export interface GlobalConfig {
+    apiKey?: string;
+    /**
+     * User-level OpenSIP Cloud signal-sync control (ADR-0008). This is the
+     * machine-wide privacy opt-out: `cloud.sync: false` here disables signal
+     * sync for every project run from this account, regardless of any project's
+     * own `cli.cloud:` setting. `endpoint` overrides the cloud URL per user.
+     */
+    cloud?: {
+        sync?: boolean;
+        endpoint?: string;
+    };
+    [key: string]: unknown;
+}
+/**
+ * Read the user-level global config. Returns `{}` on any failure
+ * (missing file, malformed YAML, I/O error) — the merge step treats
+ * absence and "everything default" the same.
+ */
+export declare function readGlobalConfig(): GlobalConfig;
+/**
+ * Persist the user-level global config. Creates the parent directory if
+ * it doesn't exist, then writes via a same-directory temp file with mode
+ * `0o600` set at creation time and atomically renames into place.
+ *
+ * Why temp + rename instead of writeFile + chmod: writeFileSync would
+ * create the file using the process's umask (commonly 0o644), leaving a
+ * race window during which another local user could read the API key
+ * before chmodSync(..., 0o600) tightens permissions. openSync with mode
+ * 0o600 + O_EXCL ('wx') sets the permission atomically with the inode
+ * creation, and rename publishes the fully-written file in one step so
+ * readers never observe a partial file either.
+ */
+export declare function writeGlobalConfig(config: GlobalConfig): void;
+/**
+ * Resolve the OpenSIP Cloud API key from the highest-precedence source
+ * available. Resolution order:
+ *
+ *   1. CLI flag (`--api-key`).
+ *   2. Environment variable (`OPENSIP_API_KEY`).
+ *   3. User-level global config (`~/.opensip-cli/config.yml#apiKey`).
+ *
+ * The pre-action hook calls this for the global merge step; the
+ * `configure` command calls it for the "current key" hint at the
+ * prompt.
+ */
+export declare function resolveApiKey(cliFlag?: string): string | undefined;
+/**
+ * Resolve the effective cloud config for a run by layering the user-level
+ * cloud block (`~/.opensip-cli/config.yml#cloud`) over the project-level
+ * `cli.cloud:` block — the missing piece behind audit P0-2, where the
+ * documented user opt-out was read for the API key but never for `cloud`.
+ *
+ * Semantics (a data-egress control, so opt-out is sticky):
+ *   - `sync` is `false` if EITHER the user (privacy opt-out) or the project
+ *     (policy opt-out) sets it `false` — the more restrictive wins, neither
+ *     silently overrides the other. Otherwise the user's explicit value, then
+ *     the project's.
+ *   - `endpoint` takes the user override, then the project's.
+ *   - the per-invocation `--no-cloud` flag overrides everything (applied
+ *     separately, in resolveSignalSink's `noCloud`).
+ */
+export declare function resolveEffectiveCloudConfig(projectCloud?: {
+    readonly sync?: boolean;
+    readonly endpoint?: string;
+}): {
+    sync?: boolean;
+    endpoint?: string;
+} | undefined;
+//# sourceMappingURL=global-config.d.ts.map

package/dist/document/global-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"global-config.d.ts","sourceRoot":"","sources":["../../src/document/global-config.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AAgBH,OAAO,EAAe,KAAK,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAGjE;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAAS,UAAU,CAAC,OAAO,CAAC,EAK1D,CAAC;AAKF,mCAAmC;AACnC,eAAO,MAAM,kBAAkB,QAAkC,CAAC;AAElE;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;OAKG;IACH,KAAK,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,YAAY,CAQ/C;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAsB5D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQlE;AAaD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,2BAA2B,CAAC,YAAY,CAAC,EAAE;IACzD,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B,GAAG;IAAE,IAAI,CAAC,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAYpD"}

package/dist/document/global-config.js

@@ -0,0 +1,163 @@
+// @fitness-ignore-file error-handling-quality -- readGlobalConfig returns {} on any failure by documented contract (absent file and "everything default" are equivalent to the merge step); writeGlobalConfig's inner unlink is cleanup-of-cleanup where the meaningful rename error is already thrown on the next line.
+// @fitness-ignore-file unbounded-memory -- reads ~/.opensip-cli/config.yml, a small user-config file bounded by configuration shape
+/**
+ * global-config — read/write the user-level (`~/.opensip-cli/config.yml`)
+ * config that holds the cloud API key and per-user defaults.
+ *
+ * User-scoped config I/O is tool-agnostic, so it lives in the config layer
+ * (relocated here from the CLI's `bootstrap/`, ADR-0023). The CLI's
+ * pre-action hook reads it on every invocation (`mergeConfigDefaults` falls back
+ * to the saved API key when neither `--api-key` nor `OPENSIP_API_KEY` is
+ * present), and the `configure` command's prompt+UX wrapper — which stays in
+ * `cli/commands` — reads/writes I/O through this module.
+ *
+ * The file is YAML and is `chmod 0o600` on write — it stores a secret.
+ * Reads are tolerant of any failure (missing dir, malformed YAML); the
+ * pre-action hook treats absence and corruption the same as "no key
+ * configured".
+ */
+import { randomBytes } from 'node:crypto';
+import { closeSync, existsSync, mkdirSync, openSync, readFileSync, renameSync, unlinkSync, writeSync, } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { EnvRegistry } from '@opensip-cli/core';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+/**
+ * Config-layer environment variables (§5.12). Declared as an
+ * immutable spec table read through the {@link EnvRegistry} primitive, so the env
+ * surface is governed and documentable (the `env-via-registry` guardrail forbids
+ * raw `process.env` reads). Re-exported for the generated env-surface doc.
+ */
+export const CONFIG_ENV_SPECS = [
+    {
+        canonical: 'OPENSIP_API_KEY',
+        docs: 'OpenSIP Cloud API key. Overrides the apiKey stored in ~/.opensip-cli/config.yml.',
+    },
+];
+const CONFIG_ENV = new EnvRegistry(CONFIG_ENV_SPECS);
+/** User-level OpenSIP root directory. */
+const OPENSIP_DIR = join(homedir(), '.opensip-cli');
+/** User-level config file path. */
+export const GLOBAL_CONFIG_PATH = join(OPENSIP_DIR, 'config.yml');
+/**
+ * Read the user-level global config. Returns `{}` on any failure
+ * (missing file, malformed YAML, I/O error) — the merge step treats
+ * absence and "everything default" the same.
+ */
+export function readGlobalConfig() {
+    if (!existsSync(GLOBAL_CONFIG_PATH))
+        return {};
+    try {
+        const raw = readFileSync(GLOBAL_CONFIG_PATH, 'utf8');
+        return parseYaml(raw) ?? {};
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Persist the user-level global config. Creates the parent directory if
+ * it doesn't exist, then writes via a same-directory temp file with mode
+ * `0o600` set at creation time and atomically renames into place.
+ *
+ * Why temp + rename instead of writeFile + chmod: writeFileSync would
+ * create the file using the process's umask (commonly 0o644), leaving a
+ * race window during which another local user could read the API key
+ * before chmodSync(..., 0o600) tightens permissions. openSync with mode
+ * 0o600 + O_EXCL ('wx') sets the permission atomically with the inode
+ * creation, and rename publishes the fully-written file in one step so
+ * readers never observe a partial file either.
+ */
+export function writeGlobalConfig(config) {
+    if (!existsSync(OPENSIP_DIR)) {
+        mkdirSync(OPENSIP_DIR, { recursive: true });
+    }
+    const tmpPath = join(OPENSIP_DIR, `.config-${randomBytes(6).toString('hex')}.yml.tmp`);
+    const fd = openSync(tmpPath, 'wx', 0o600);
+    try {
+        writeSync(fd, stringifyYaml(config), 0, 'utf8');
+    }
+    finally {
+        closeSync(fd);
+    }
+    try {
+        renameSync(tmpPath, GLOBAL_CONFIG_PATH);
+    }
+    catch (error) {
+        // Clean up the temp file on rename failure so it doesn't linger.
+        try {
+            unlinkSync(tmpPath);
+        }
+        catch {
+            // Swallow secondary failure — original error is the one that matters.
+        }
+        throw error;
+    }
+}
+/**
+ * Resolve the OpenSIP Cloud API key from the highest-precedence source
+ * available. Resolution order:
+ *
+ *   1. CLI flag (`--api-key`).
+ *   2. Environment variable (`OPENSIP_API_KEY`).
+ *   3. User-level global config (`~/.opensip-cli/config.yml#apiKey`).
+ *
+ * The pre-action hook calls this for the global merge step; the
+ * `configure` command calls it for the "current key" hint at the
+ * prompt.
+ */
+export function resolveApiKey(cliFlag) {
+    if (cliFlag)
+        return cliFlag;
+    // Env override (read through the registry; truthy so an empty value falls
+    // through to the config file, byte-identical to the prior `process.env` check).
+    const fromEnv = CONFIG_ENV.get('OPENSIP_API_KEY');
+    if (fromEnv)
+        return fromEnv;
+    const config = readGlobalConfig();
+    return config.apiKey ?? undefined;
+}
+/** Read + validate the user-level `cloud:` block, defensively. */
+function readUserCloudConfig() {
+    const raw = readGlobalConfig().cloud;
+    if (!raw || typeof raw !== 'object')
+        return undefined;
+    const r = raw;
+    const out = {};
+    if (typeof r.sync === 'boolean')
+        out.sync = r.sync;
+    if (typeof r.endpoint === 'string')
+        out.endpoint = r.endpoint;
+    return out.sync === undefined && out.endpoint === undefined ? undefined : out;
+}
+/**
+ * Resolve the effective cloud config for a run by layering the user-level
+ * cloud block (`~/.opensip-cli/config.yml#cloud`) over the project-level
+ * `cli.cloud:` block — the missing piece behind audit P0-2, where the
+ * documented user opt-out was read for the API key but never for `cloud`.
+ *
+ * Semantics (a data-egress control, so opt-out is sticky):
+ *   - `sync` is `false` if EITHER the user (privacy opt-out) or the project
+ *     (policy opt-out) sets it `false` — the more restrictive wins, neither
+ *     silently overrides the other. Otherwise the user's explicit value, then
+ *     the project's.
+ *   - `endpoint` takes the user override, then the project's.
+ *   - the per-invocation `--no-cloud` flag overrides everything (applied
+ *     separately, in resolveSignalSink's `noCloud`).
+ */
+export function resolveEffectiveCloudConfig(projectCloud) {
+    const userCloud = readUserCloudConfig();
+    if (!userCloud && !projectCloud)
+        return undefined;
+    const out = {};
+    const sync = userCloud?.sync === false || projectCloud?.sync === false
+        ? false
+        : (userCloud?.sync ?? projectCloud?.sync);
+    const endpoint = userCloud?.endpoint ?? projectCloud?.endpoint;
+    if (sync !== undefined)
+        out.sync = sync;
+    if (endpoint !== undefined)
+        out.endpoint = endpoint;
+    return out.sync === undefined && out.endpoint === undefined ? undefined : out;
+}
+//# sourceMappingURL=global-config.js.map

package/dist/document/global-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"global-config.js","sourceRoot":"","sources":["../../src/document/global-config.ts"],"names":[],"mappings":"AAAA,yTAAyT;AACzT,oIAAoI;AACpI;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,SAAS,EACT,UAAU,EACV,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,UAAU,EACV,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAEtE;;;;;GAKG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAmC;IAC9D;QACE,SAAS,EAAE,iBAAiB;QAC5B,IAAI,EAAE,kFAAkF;KACzF;CACF,CAAC;AACF,MAAM,UAAU,GAAG,IAAI,WAAW,CAAC,gBAAgB,CAAC,CAAC;AAErD,yCAAyC;AACzC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACpD,mCAAmC;AACnC,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;AAmBlE;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC;QAAE,OAAO,EAAE,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;QACrD,OAAQ,SAAS,CAAC,GAAG,CAAkB,IAAI,EAAE,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAoB;IACpD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACvF,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC;QACH,SAAS,CAAC,EAAE,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAClD,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;IACD,IAAI,CAAC;QACH,UAAU,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,iEAAiE;QACjE,IAAI,CAAC;YACH,UAAU,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,aAAa,CAAC,OAAgB;IAC5C,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,0EAA0E;IAC1E,gFAAgF;IAChF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAS,iBAAiB,CAAC,CAAC;IAC1D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,OAAO,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC;AACpC,CAAC;AAED,kEAAkE;AAClE,SAAS,mBAAmB;IAC1B,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC,KAAK,CAAC;IACrC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,MAAM,GAAG,GAA0C,EAAE,CAAC;IACtD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IACnD,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;QAAE,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC9D,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;AAChF,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,2BAA2B,CAAC,YAG3C;IACC,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IAClD,MAAM,GAAG,GAA0C,EAAE,CAAC;IACtD,MAAM,IAAI,GACR,SAAS,EAAE,IAAI,KAAK,KAAK,IAAI,YAAY,EAAE,IAAI,KAAK,KAAK;QACvD,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,IAAI,YAAY,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,SAAS,EAAE,QAAQ,IAAI,YAAY,EAAE,QAAQ,CAAC;IAC/D,IAAI,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IACxC,IAAI,QAAQ,KAAK,SAAS;QAAE,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;IACpD,OAAO,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC;AAChF,CAAC"}

package/dist/document/host-declarations.d.ts

@@ -0,0 +1,44 @@
+/**
+ * host-declarations — the document-level config blocks owned by the host
+ * (the config package itself), not by any Tool plugin.
+ *
+ * Each tool contributes a namespaced {@link ToolConfigDeclaration}
+ * (`fitness`/`graph`/`simulation`) that the composer strict-validates. The
+ * tool-agnostic blocks — `cli`, `dashboard`, `schemaVersion`, `plugins`, and
+ * (from Phase 1) `targets`/`globalExcludes`/`checkOverrides` — are owned by no
+ * tool. They are returned here as `ToolConfigDeclaration`s and composed BESIDE
+ * the tool declarations (the composer is namespace-agnostic), turning the
+ * previously-`.catchall`-tolerated top-level keys into claimed, strict
+ * namespaces (ADR-0023).
+ *
+ * `schemaVersion` is claimed as a permissive top-level `number` so the
+ * composed document does not reject it — but the version-COMPAT decision
+ * (`readConfigSchemaVersion` + `checkSchemaCompat`) stays in `core`, run in the
+ * pre-action gate BEFORE validation (ADR-0023 §Amendment).
+ */
+import { type PluginConfigKeyDeclaration } from './targeting.js';
+import type { ToolConfigDeclaration } from '../declaration.js';
+/**
+ * Options for {@link hostConfigDeclarations}.
+ *
+ * The host's document-level declarations are mostly static, but the `plugins.*`
+ * namespace is dynamic — a plugin may contribute its own typed config keys. The
+ * composition root collects those and passes them here so the composed schema
+ * validates declared plugin keys strictly.
+ */
+export interface HostConfigDeclarationOptions {
+    /**
+     * Per-plugin config-key declarations discovered for this run. Each becomes a
+     * strictly-validated key under the `plugins.<id>` namespace. Omitted (or
+     * empty) when no plugin contributes config.
+     */
+    readonly pluginConfigKeys?: readonly PluginConfigKeyDeclaration[];
+}
+/**
+ * The host's document-level declarations. Grows in Phase 1 (targeting).
+ *
+ * Returned as a fresh array per call (no shared mutable state); the
+ * composition root concatenates these with the per-tool declarations.
+ */
+export declare function hostConfigDeclarations(options?: HostConfigDeclarationOptions): readonly ToolConfigDeclaration[];
+//# sourceMappingURL=host-declarations.d.ts.map

package/dist/document/host-declarations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-declarations.d.ts","sourceRoot":"","sources":["../../src/document/host-declarations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,EAKL,KAAK,0BAA0B,EAChC,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAE/D;;;;;;;GAOG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,0BAA0B,EAAE,CAAC;CACnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,4BAAiC,GACzC,SAAS,qBAAqB,EAAE,CAkBlC"}