npm - @vibe-validate/config - Versions diffs - 0.16.1 → 0.17.0-rc.10 - Mend

@vibe-validate/config 0.16.1 → 0.17.0-rc.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/config.schema.json +90 -0
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +3 -1
package/dist/schema-utils.d.ts +57 -0
package/dist/schema-utils.d.ts.map +1 -0
package/dist/schema-utils.js +66 -0
package/dist/schema.d.ts +406 -35
package/dist/schema.d.ts.map +1 -1
package/dist/schema.js +89 -28
package/package.json +1 -1

package/config.schema.json CHANGED Viewed

@@ -210,6 +210,96 @@
             "concurrencyScope": "directory"
           }
         },
+        "extractors": {
+          "type": "object",
+          "properties": {
+            "builtins": {
+              "type": "object",
+              "properties": {
+                "trust": {
+                  "type": "string",
+                  "enum": [
+                    "full",
+                    "sandbox"
+                  ]
+                },
+                "disable": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  },
+                  "default": []
+                }
+              },
+              "additionalProperties": false,
+              "default": {
+                "trust": "full",
+                "disable": []
+              }
+            },
+            "localPlugins": {
+              "type": "object",
+              "properties": {
+                "trust": {
+                  "type": "string",
+                  "enum": [
+                    "full",
+                    "sandbox"
+                  ]
+                },
+                "disable": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  },
+                  "default": []
+                }
+              },
+              "additionalProperties": false,
+              "default": {
+                "trust": "sandbox",
+                "disable": []
+              }
+            },
+            "external": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "package": {
+                    "type": "string",
+                    "minLength": 1
+                  },
+                  "trust": {
+                    "type": "string",
+                    "enum": [
+                      "full",
+                      "sandbox"
+                    ],
+                    "default": "sandbox"
+                  }
+                },
+                "required": [
+                  "package"
+                ],
+                "additionalProperties": false
+              },
+              "default": []
+            }
+          },
+          "additionalProperties": false,
+          "default": {
+            "builtins": {
+              "trust": "full",
+              "disable": []
+            },
+            "localPlugins": {
+              "trust": "sandbox",
+              "disable": []
+            },
+            "external": []
+          }
+        },
         "developerFeedback": {
           "type": "boolean",
           "default": false

package/dist/index.d.ts CHANGED Viewed

@@ -21,8 +21,9 @@
  *           command: tsc --noEmit
  * ```
  */
-export { type ValidationStep, type ValidationPhase, type ValidationConfig, type GitConfig, type CIConfig, type HooksConfig, type SecretScanningConfig, type VibeValidateConfig, ValidationStepSchema, ValidationPhaseSchema, ValidationConfigSchema, GitConfigSchema, CIConfigSchema, HooksConfigSchema, SecretScanningSchema, VibeValidateConfigSchema, validateConfig, safeValidateConfig, } from './schema.js';
+export { type ValidationStep, type ValidationPhase, type ValidationConfig, type GitConfig, type CIConfig, type HooksConfig, type SecretScanningConfig, type ExtractorTrustLevel, type ExtractorCategoryConfig, type ExternalExtractorConfig, type ExtractorsConfig, type VibeValidateConfig, ValidationStepSchema, ValidationPhaseSchema, ValidationConfigSchema, GitConfigSchema, CIConfigSchema, HooksConfigSchema, SecretScanningSchema, ExtractorTrustLevelSchema, ExtractorCategoryConfigSchema, ExternalExtractorConfigSchema, ExtractorsConfigSchema, VibeValidateConfigSchema, validateConfig, safeValidateConfig, } from './schema.js';
 export { CONFIG_FILE_NAME, loadConfigFromFile, findAndLoadConfig, } from './loader.js';
 export { GIT_DEFAULTS } from './constants.js';
 export { getRemoteBranch, getMainBranch, getRemoteOrigin } from './git-helpers.js';
+export { createSafeValidator, createStrictValidator } from './schema-utils.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,SAAS,EACd,KAAK,QAAQ,EACb,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,GACnB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,SAAS,EACd,KAAK,QAAQ,EACb,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,yBAAyB,EACzB,6BAA6B,EAC7B,6BAA6B,EAC7B,sBAAsB,EACtB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,GACnB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAGnF,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -22,9 +22,11 @@
  * ```
  */
 // Core schema types and validation
-export { ValidationStepSchema, ValidationPhaseSchema, ValidationConfigSchema, GitConfigSchema, CIConfigSchema, HooksConfigSchema, SecretScanningSchema, VibeValidateConfigSchema, validateConfig, safeValidateConfig, } from './schema.js';
+export { ValidationStepSchema, ValidationPhaseSchema, ValidationConfigSchema, GitConfigSchema, CIConfigSchema, HooksConfigSchema, SecretScanningSchema, ExtractorTrustLevelSchema, ExtractorCategoryConfigSchema, ExternalExtractorConfigSchema, ExtractorsConfigSchema, VibeValidateConfigSchema, validateConfig, safeValidateConfig, } from './schema.js';
 // Config loading
 export { CONFIG_FILE_NAME, loadConfigFromFile, findAndLoadConfig, } from './loader.js';
 // Git configuration constants and helpers
 export { GIT_DEFAULTS } from './constants.js';
 export { getRemoteBranch, getMainBranch, getRemoteOrigin } from './git-helpers.js';
+// Shared schema utilities (foundational - no dependencies)
+export { createSafeValidator, createStrictValidator } from './schema-utils.js';

package/dist/schema-utils.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Zod Schema Utilities
+ *
+ * Shared validation helpers for consistent error handling across packages.
+ *
+ * @packageDocumentation
+ */
+import type { z } from 'zod';
+/**
+ * Create a type-safe validator function from a Zod schema
+ *
+ * Provides consistent error formatting across all schema validations.
+ * Error messages include full path (e.g., "phases.0.steps.2.command: Required")
+ *
+ * @param schema - Zod schema to validate against
+ * @returns Safe validation function with success/error union type
+ *
+ * @example
+ * ```typescript
+ * const safeValidateResult = createSafeValidator(ValidationResultSchema);
+ *
+ * const result = safeValidateResult(data);
+ * if (result.success) {
+ *   console.log(result.data); // Typed as ValidationResult
+ * } else {
+ *   console.error(result.errors); // Array of formatted error messages
+ * }
+ * ```
+ */
+export declare function createSafeValidator<T extends z.ZodType>(schema: T): (data: unknown) => {
+    success: true;
+    data: z.infer<T>;
+} | {
+    success: false;
+    errors: string[];
+};
+/**
+ * Create a strict validator function from a Zod schema
+ *
+ * Throws on validation failure (useful when invalid data is a critical error).
+ *
+ * @param schema - Zod schema to validate against
+ * @returns Strict validation function that throws on error
+ *
+ * @example
+ * ```typescript
+ * const validateResult = createStrictValidator(ValidationResultSchema);
+ *
+ * try {
+ *   const result = validateResult(data); // Typed as ValidationResult
+ * } catch (error) {
+ *   console.error('Invalid data:', error);
+ * }
+ * ```
+ */
+export declare function createStrictValidator<T extends z.ZodType>(schema: T): (data: unknown) => z.infer<T>;
+//# sourceMappingURL=schema-utils.d.ts.map

package/dist/schema-utils.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema-utils.d.ts","sourceRoot":"","sources":["../src/schema-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAE7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,IACnC,MAAM,OAAO,KACtC;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;CAAE,GACnC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAezC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,IACzC,MAAM,OAAO,KAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAGpD"}

package/dist/schema-utils.js ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * Zod Schema Utilities
+ *
+ * Shared validation helpers for consistent error handling across packages.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Create a type-safe validator function from a Zod schema
+ *
+ * Provides consistent error formatting across all schema validations.
+ * Error messages include full path (e.g., "phases.0.steps.2.command: Required")
+ *
+ * @param schema - Zod schema to validate against
+ * @returns Safe validation function with success/error union type
+ *
+ * @example
+ * ```typescript
+ * const safeValidateResult = createSafeValidator(ValidationResultSchema);
+ *
+ * const result = safeValidateResult(data);
+ * if (result.success) {
+ *   console.log(result.data); // Typed as ValidationResult
+ * } else {
+ *   console.error(result.errors); // Array of formatted error messages
+ * }
+ * ```
+ */
+export function createSafeValidator(schema) {
+    return function safeValidate(data) {
+        const result = schema.safeParse(data);
+        if (result.success) {
+            return { success: true, data: result.data };
+        }
+        // Extract error messages with full path
+        const errors = result.error.errors.map(err => {
+            const path = err.path.join('.');
+            return path ? `${path}: ${err.message}` : err.message;
+        });
+        return { success: false, errors };
+    };
+}
+/**
+ * Create a strict validator function from a Zod schema
+ *
+ * Throws on validation failure (useful when invalid data is a critical error).
+ *
+ * @param schema - Zod schema to validate against
+ * @returns Strict validation function that throws on error
+ *
+ * @example
+ * ```typescript
+ * const validateResult = createStrictValidator(ValidationResultSchema);
+ *
+ * try {
+ *   const result = validateResult(data); // Typed as ValidationResult
+ * } catch (error) {
+ *   console.error('Invalid data:', error);
+ * }
+ * ```
+ */
+export function createStrictValidator(schema) {
+    return function validate(data) {
+        return schema.parse(data);
+    };
+}

package/dist/schema.d.ts CHANGED Viewed

@@ -23,7 +23,7 @@ export declare const ValidationStepSchema: z.ZodObject<{
     continueOnError: z.ZodOptional<z.ZodBoolean>;
     /** Optional: Environment variables for this step */
     env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
-    /** Optional: Working directory for this step (default: project root) */
+    /** Optional: Working directory for this step, relative to git root (default: git root) */
     cwd: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     name: string;
@@ -68,7 +68,7 @@ export declare const ValidationPhaseSchema: z.ZodObject<{
         continueOnError: z.ZodOptional<z.ZodBoolean>;
         /** Optional: Environment variables for this step */
         env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
-        /** Optional: Working directory for this step (default: project root) */
+        /** Optional: Working directory for this step, relative to git root (default: git root) */
         cwd: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         name: string;
@@ -145,7 +145,7 @@ export declare const ValidationConfigSchema: z.ZodObject<{
             continueOnError: z.ZodOptional<z.ZodBoolean>;
             /** Optional: Environment variables for this step */
             env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
-            /** Optional: Working directory for this step (default: project root) */
+            /** Optional: Working directory for this step, relative to git root (default: git root) */
             cwd: z.ZodOptional<z.ZodString>;
         }, "strict", z.ZodTypeAny, {
             name: string;
@@ -286,10 +286,20 @@ export type CIConfig = z.infer<typeof CIConfigSchema>;
 /**
  * Secret Scanning Configuration Schema
  */
-export declare const SecretScanningSchema: z.ZodEffects<z.ZodObject<{
+export declare const SecretScanningSchema: z.ZodObject<{
     /** Enable secret scanning in pre-commit (default: true) */
     enabled: z.ZodDefault<z.ZodBoolean>;
-    /** Command to run for secret scanning (required when enabled) */
+    /**
+     * Command to run for secret scanning (optional)
+     * - Explicit command: "gitleaks protect --staged --verbose"
+     * - Omit or "autodetect": Automatically detect and run available tools
+     *
+     * Default: autodetect (runs tools based on config file presence)
+     * - Checks for .gitleaks.toml/.gitleaksignore and .secretlintrc.json
+     * - Runs gitleaks if available and configured
+     * - Runs secretlint (via npx) if configured
+     * - Falls back to gitleaks or secretlint if no config files present
+     */
     scanCommand: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     enabled: boolean;
@@ -297,12 +307,6 @@ export declare const SecretScanningSchema: z.ZodEffects<z.ZodObject<{
 }, {
     enabled?: boolean | undefined;
     scanCommand?: string | undefined;
-}>, {
-    enabled: boolean;
-    scanCommand?: string | undefined;
-}, {
-    enabled?: boolean | undefined;
-    scanCommand?: string | undefined;
 }>;
 export type SecretScanningConfig = z.infer<typeof SecretScanningSchema>;
 /**
@@ -316,10 +320,20 @@ export declare const HooksConfigSchema: z.ZodObject<{
         /** Custom pre-commit command (default: 'npx vibe-validate pre-commit') */
         command: z.ZodDefault<z.ZodString>;
         /** Secret scanning configuration (optional) */
-        secretScanning: z.ZodOptional<z.ZodEffects<z.ZodObject<{
+        secretScanning: z.ZodOptional<z.ZodObject<{
             /** Enable secret scanning in pre-commit (default: true) */
             enabled: z.ZodDefault<z.ZodBoolean>;
-            /** Command to run for secret scanning (required when enabled) */
+            /**
+             * Command to run for secret scanning (optional)
+             * - Explicit command: "gitleaks protect --staged --verbose"
+             * - Omit or "autodetect": Automatically detect and run available tools
+             *
+             * Default: autodetect (runs tools based on config file presence)
+             * - Checks for .gitleaks.toml/.gitleaksignore and .secretlintrc.json
+             * - Runs gitleaks if available and configured
+             * - Runs secretlint (via npx) if configured
+             * - Falls back to gitleaks or secretlint if no config files present
+             */
             scanCommand: z.ZodOptional<z.ZodString>;
         }, "strict", z.ZodTypeAny, {
             enabled: boolean;
@@ -327,12 +341,6 @@ export declare const HooksConfigSchema: z.ZodObject<{
         }, {
             enabled?: boolean | undefined;
             scanCommand?: string | undefined;
-        }>, {
-            enabled: boolean;
-            scanCommand?: string | undefined;
-        }, {
-            enabled?: boolean | undefined;
-            scanCommand?: string | undefined;
         }>>;
     }, "strict", z.ZodTypeAny, {
         command: string;
@@ -399,6 +407,133 @@ export declare const LockingConfigSchema: z.ZodObject<{
     projectId?: string | undefined;
 }>;
 export type LockingConfig = z.infer<typeof LockingConfigSchema>;
+/**
+ * Extractor Trust Level
+ *
+ * Controls security sandbox behavior for extractors:
+ * - 'full': Run with full Node.js access (trusted code)
+ * - 'sandbox': Run in isolated V8 context with limited API access (untrusted code)
+ */
+export declare const ExtractorTrustLevelSchema: z.ZodEnum<["full", "sandbox"]>;
+export type ExtractorTrustLevel = z.infer<typeof ExtractorTrustLevelSchema>;
+/**
+ * Extractor Category Config Schema
+ *
+ * Shared configuration for built-in and local plugin extractors.
+ */
+export declare const ExtractorCategoryConfigSchema: z.ZodObject<{
+    /** Trust level for extractors in this category (default varies by category) */
+    trust: z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>;
+    /** List of extractor names to disable (default: []) */
+    disable: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+}, "strict", z.ZodTypeAny, {
+    disable: string[];
+    trust?: "full" | "sandbox" | undefined;
+}, {
+    trust?: "full" | "sandbox" | undefined;
+    disable?: string[] | undefined;
+}>;
+export type ExtractorCategoryConfig = z.infer<typeof ExtractorCategoryConfigSchema>;
+/**
+ * External Extractor Config Schema
+ *
+ * Configuration for an explicit npm package extractor.
+ */
+export declare const ExternalExtractorConfigSchema: z.ZodObject<{
+    /** npm package name (e.g., '@my-org/vibe-validate-plugin-gradle') */
+    package: z.ZodString;
+    /** Trust level (default: 'sandbox') */
+    trust: z.ZodDefault<z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>>;
+}, "strict", z.ZodTypeAny, {
+    trust: "full" | "sandbox";
+    package: string;
+}, {
+    package: string;
+    trust?: "full" | "sandbox" | undefined;
+}>;
+export type ExternalExtractorConfig = z.infer<typeof ExternalExtractorConfigSchema>;
+/**
+ * Extractors Configuration Schema
+ *
+ * Controls extractor plugin loading, trust levels, and selective disabling.
+ */
+export declare const ExtractorsConfigSchema: z.ZodObject<{
+    /**
+     * Built-in extractors configuration
+     * Default: { trust: 'full', disable: [] }
+     */
+    builtins: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        /** Trust level for extractors in this category (default varies by category) */
+        trust: z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>;
+        /** List of extractor names to disable (default: []) */
+        disable: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    }, "strict", z.ZodTypeAny, {
+        disable: string[];
+        trust?: "full" | "sandbox" | undefined;
+    }, {
+        trust?: "full" | "sandbox" | undefined;
+        disable?: string[] | undefined;
+    }>>>;
+    /**
+     * Local plugins configuration (auto-discovered from vibe-validate-local-plugins/)
+     * Default: { trust: 'sandbox', disable: [] }
+     */
+    localPlugins: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        /** Trust level for extractors in this category (default varies by category) */
+        trust: z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>;
+        /** List of extractor names to disable (default: []) */
+        disable: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    }, "strict", z.ZodTypeAny, {
+        disable: string[];
+        trust?: "full" | "sandbox" | undefined;
+    }, {
+        trust?: "full" | "sandbox" | undefined;
+        disable?: string[] | undefined;
+    }>>>;
+    /**
+     * External npm package extractors (explicit registration required)
+     * Default: []
+     */
+    external: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodObject<{
+        /** npm package name (e.g., '@my-org/vibe-validate-plugin-gradle') */
+        package: z.ZodString;
+        /** Trust level (default: 'sandbox') */
+        trust: z.ZodDefault<z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>>;
+    }, "strict", z.ZodTypeAny, {
+        trust: "full" | "sandbox";
+        package: string;
+    }, {
+        package: string;
+        trust?: "full" | "sandbox" | undefined;
+    }>, "many">>>;
+}, "strict", z.ZodTypeAny, {
+    builtins: {
+        disable: string[];
+        trust?: "full" | "sandbox" | undefined;
+    };
+    localPlugins: {
+        disable: string[];
+        trust?: "full" | "sandbox" | undefined;
+    };
+    external: {
+        trust: "full" | "sandbox";
+        package: string;
+    }[];
+}, {
+    builtins?: {
+        trust?: "full" | "sandbox" | undefined;
+        disable?: string[] | undefined;
+    } | undefined;
+    localPlugins?: {
+        trust?: "full" | "sandbox" | undefined;
+        disable?: string[] | undefined;
+    } | undefined;
+    external?: {
+        package: string;
+        trust?: "full" | "sandbox" | undefined;
+    }[] | undefined;
+}>;
+export type ExtractorsConfig = z.infer<typeof ExtractorsConfigSchema>;
 /**
  * Full Configuration Schema
  *
@@ -427,7 +562,7 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
                 continueOnError: z.ZodOptional<z.ZodBoolean>;
                 /** Optional: Environment variables for this step */
                 env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
-                /** Optional: Working directory for this step (default: project root) */
+                /** Optional: Working directory for this step, relative to git root (default: git root) */
                 cwd: z.ZodOptional<z.ZodString>;
             }, "strict", z.ZodTypeAny, {
                 name: string;
@@ -567,10 +702,20 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
             /** Custom pre-commit command (default: 'npx vibe-validate pre-commit') */
             command: z.ZodDefault<z.ZodString>;
             /** Secret scanning configuration (optional) */
-            secretScanning: z.ZodOptional<z.ZodEffects<z.ZodObject<{
+            secretScanning: z.ZodOptional<z.ZodObject<{
                 /** Enable secret scanning in pre-commit (default: true) */
                 enabled: z.ZodDefault<z.ZodBoolean>;
-                /** Command to run for secret scanning (required when enabled) */
+                /**
+                 * Command to run for secret scanning (optional)
+                 * - Explicit command: "gitleaks protect --staged --verbose"
+                 * - Omit or "autodetect": Automatically detect and run available tools
+                 *
+                 * Default: autodetect (runs tools based on config file presence)
+                 * - Checks for .gitleaks.toml/.gitleaksignore and .secretlintrc.json
+                 * - Runs gitleaks if available and configured
+                 * - Runs secretlint (via npx) if configured
+                 * - Falls back to gitleaks or secretlint if no config files present
+                 */
                 scanCommand: z.ZodOptional<z.ZodString>;
             }, "strict", z.ZodTypeAny, {
                 enabled: boolean;
@@ -578,12 +723,6 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
             }, {
                 enabled?: boolean | undefined;
                 scanCommand?: string | undefined;
-            }>, {
-                enabled: boolean;
-                scanCommand?: string | undefined;
-            }, {
-                enabled?: boolean | undefined;
-                scanCommand?: string | undefined;
             }>>;
         }, "strict", z.ZodTypeAny, {
             command: string;
@@ -644,6 +783,92 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
         concurrencyScope?: "directory" | "project" | undefined;
         projectId?: string | undefined;
     }>>>;
+    /**
+     * Extractor plugins configuration (optional)
+     *
+     * Controls trust levels and selective disabling for extractors:
+     * - Built-in extractors (shipped with vibe-validate)
+     * - Local plugins (auto-discovered from vibe-validate-local-plugins/)
+     * - External npm packages (explicit registration required)
+     *
+     * Default: { builtins: { trust: 'full', disable: [] }, localPlugins: { trust: 'sandbox', disable: [] }, external: [] }
+     */
+    extractors: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        /**
+         * Built-in extractors configuration
+         * Default: { trust: 'full', disable: [] }
+         */
+        builtins: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+            /** Trust level for extractors in this category (default varies by category) */
+            trust: z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>;
+            /** List of extractor names to disable (default: []) */
+            disable: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        }, "strict", z.ZodTypeAny, {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        }, {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        }>>>;
+        /**
+         * Local plugins configuration (auto-discovered from vibe-validate-local-plugins/)
+         * Default: { trust: 'sandbox', disable: [] }
+         */
+        localPlugins: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+            /** Trust level for extractors in this category (default varies by category) */
+            trust: z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>;
+            /** List of extractor names to disable (default: []) */
+            disable: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        }, "strict", z.ZodTypeAny, {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        }, {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        }>>>;
+        /**
+         * External npm package extractors (explicit registration required)
+         * Default: []
+         */
+        external: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodObject<{
+            /** npm package name (e.g., '@my-org/vibe-validate-plugin-gradle') */
+            package: z.ZodString;
+            /** Trust level (default: 'sandbox') */
+            trust: z.ZodDefault<z.ZodOptional<z.ZodEnum<["full", "sandbox"]>>>;
+        }, "strict", z.ZodTypeAny, {
+            trust: "full" | "sandbox";
+            package: string;
+        }, {
+            package: string;
+            trust?: "full" | "sandbox" | undefined;
+        }>, "many">>>;
+    }, "strict", z.ZodTypeAny, {
+        builtins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        localPlugins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        external: {
+            trust: "full" | "sandbox";
+            package: string;
+        }[];
+    }, {
+        builtins?: {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        } | undefined;
+        localPlugins?: {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        } | undefined;
+        external?: {
+            package: string;
+            trust?: "full" | "sandbox" | undefined;
+        }[] | undefined;
+    }>>>;
     /**
      * Developer feedback for continuous quality improvement (optional, default: false)
      *
@@ -694,6 +919,20 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
         concurrencyScope: "directory" | "project";
         projectId?: string | undefined;
     };
+    extractors: {
+        builtins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        localPlugins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        external: {
+            trust: "full" | "sandbox";
+            package: string;
+        }[];
+    };
     developerFeedback: boolean;
     ci?: {
         failFast?: boolean | undefined;
@@ -747,6 +986,20 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
         concurrencyScope?: "directory" | "project" | undefined;
         projectId?: string | undefined;
     } | undefined;
+    extractors?: {
+        builtins?: {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        } | undefined;
+        localPlugins?: {
+            trust?: "full" | "sandbox" | undefined;
+            disable?: string[] | undefined;
+        } | undefined;
+        external?: {
+            package: string;
+            trust?: "full" | "sandbox" | undefined;
+        }[] | undefined;
+    } | undefined;
     developerFeedback?: boolean | undefined;
 }>;
 export type VibeValidateConfig = z.input<typeof VibeValidateConfigSchema>;
@@ -757,20 +1010,138 @@ export type VibeValidateConfig = z.input<typeof VibeValidateConfigSchema>;
  * @returns Validated configuration with defaults applied
  * @throws ZodError if validation fails
  */
-export declare function validateConfig(config: unknown): VibeValidateConfig;
+export declare const validateConfig: (data: unknown) => {
+    validation: {
+        failFast: boolean;
+        phases: {
+            name: string;
+            timeout: number;
+            parallel: boolean;
+            steps: {
+                name: string;
+                command: string;
+                description?: string | undefined;
+                timeout?: number | undefined;
+                continueOnError?: boolean | undefined;
+                env?: Record<string, string> | undefined;
+                cwd?: string | undefined;
+            }[];
+            failFast: boolean;
+        }[];
+    };
+    git: {
+        mainBranch: string;
+        remoteOrigin: string;
+        autoSync: boolean;
+        warnIfBehind: boolean;
+    };
+    hooks: {
+        preCommit: {
+            command: string;
+            enabled: boolean;
+            secretScanning?: {
+                enabled: boolean;
+                scanCommand?: string | undefined;
+            } | undefined;
+        };
+    };
+    locking: {
+        enabled: boolean;
+        concurrencyScope: "directory" | "project";
+        projectId?: string | undefined;
+    };
+    extractors: {
+        builtins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        localPlugins: {
+            disable: string[];
+            trust?: "full" | "sandbox" | undefined;
+        };
+        external: {
+            trust: "full" | "sandbox";
+            package: string;
+        }[];
+    };
+    developerFeedback: boolean;
+    ci?: {
+        failFast?: boolean | undefined;
+        nodeVersions?: string[] | undefined;
+        os?: string[] | undefined;
+        coverage?: boolean | undefined;
+    } | undefined;
+};
 /**
  * Safe validation function for VibeValidateConfig
  *
- * NOTE: This duplicates the pattern from @vibe-validate/core's createSafeValidator.
- * We can't import from core here due to circular dependency (core → config).
- * This is an acceptable trade-off for a foundational package.
- *
  * @param config - Configuration data to validate
  * @returns Validation result with success/error information
  */
-export declare function safeValidateConfig(config: unknown): {
+export declare const safeValidateConfig: (data: unknown) => {
     success: true;
-    data: VibeValidateConfig;
+    data: {
+        validation: {
+            failFast: boolean;
+            phases: {
+                name: string;
+                timeout: number;
+                parallel: boolean;
+                steps: {
+                    name: string;
+                    command: string;
+                    description?: string | undefined;
+                    timeout?: number | undefined;
+                    continueOnError?: boolean | undefined;
+                    env?: Record<string, string> | undefined;
+                    cwd?: string | undefined;
+                }[];
+                failFast: boolean;
+            }[];
+        };
+        git: {
+            mainBranch: string;
+            remoteOrigin: string;
+            autoSync: boolean;
+            warnIfBehind: boolean;
+        };
+        hooks: {
+            preCommit: {
+                command: string;
+                enabled: boolean;
+                secretScanning?: {
+                    enabled: boolean;
+                    scanCommand?: string | undefined;
+                } | undefined;
+            };
+        };
+        locking: {
+            enabled: boolean;
+            concurrencyScope: "directory" | "project";
+            projectId?: string | undefined;
+        };
+        extractors: {
+            builtins: {
+                disable: string[];
+                trust?: "full" | "sandbox" | undefined;
+            };
+            localPlugins: {
+                disable: string[];
+                trust?: "full" | "sandbox" | undefined;
+            };
+            external: {
+                trust: "full" | "sandbox";
+                package: string;
+            }[];
+        };
+        developerFeedback: boolean;
+        ci?: {
+            failFast?: boolean | undefined;
+            nodeVersions?: string[] | undefined;
+            os?: string[] | undefined;
+            coverage?: boolean | undefined;
+        } | undefined;
+    };
 } | {
     success: false;
     errors: string[];

package/dist/schema.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;~~AAGxB~~;;;;GAIG;AACH,eAAO,MAAM,oBAAoB;IAC/B,kEAAkE;;IAGlE,qDAAqD;;IAGrD,uEAAuE;;IAGvE,+EAA+E;;IAG/E,qDAAqD;;IAGrD,oDAAoD;;IAGpD,~~wEAAwE~~;;;;;;;;;;;;;;;;;;~~EAE/D~~,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAGxD,iDAAiD;;IAGjD,qCAAqC;;QArCrC,kEAAkE;;QAGlE,qDAAqD;;QAGrD,uEAAuE;;QAGvE,+EAA+E;;QAG/E,qDAAqD;;QAGrD,oDAAoD;;QAGpD,~~wEAAwE~~;;;;;;;;;;;;;;;;;;;~~IAsBxE~~,qFAAqF;;IAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvD,CAAC;AAGZ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,mCAAmC;;QAvBnC,wDAAwD;;QAGxD,iDAAiD;;QAGjD,qCAAqC;;YArCrC,kEAAkE;;YAGlE,qDAAqD;;YAGrD,uEAAuE;;YAGvE,+EAA+E;;YAG/E,qDAAqD;;YAGrD,oDAAoD;;YAGpD,~~wEAAwE~~;;;;;;;;;;;;;;;;;;;~~QAsBxE~~,qFAAqF;;QAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAchE,uFAAuF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9E,CAAC;AAGZ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,uCAAuC;;IAGvC,oCAAoC;;IAGpC,6CAA6C;;IAG7C,sDAAsD;;;;;;;;;;;;EAE7C,CAAC;AAEZ,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,cAAc;IACzB,6DAA6D;;IAG7D,mEAAmE;;IAGnE,oDAAoD;;IAGpD,iDAAiD;;;;;;;;;;;;EAExC,CAAC;AAEZ,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEtD;;GAEG;AACH,eAAO,MAAM,oBAAoB;IAC/B,2DAA2D;;IAG3D,~~iEAAiE;;;;;;;;;;;;;;EAWlE,~~CAAC;~~AAEF~~,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,oCAAoC;;QAElC,sDAAsD;;QAGtD,0EAA0E;;QAG1E,+CAA+C;;~~YA9BjD~~,2DAA2D;;YAG3D,~~iEAAiE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiCxD,~~CAAC;AAEZ,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,mBAAmB;IAC9B,uEAAuE;;IAGvE;;;;OAIG;;IAGH;;;;OAIG;;;;;;;;;;EAEM,CAAC;AAEZ,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;IACnC,+BAA+B;;~~QA5H~~/B,mCAAmC;;YAvBnC,wDAAwD;;YAGxD,iDAAiD;;YAGjD,qCAAqC;;gBArCrC,kEAAkE;;gBAGlE,qDAAqD;;gBAGrD,uEAAuE;;gBAGvE,+EAA+E;;gBAG/E,qDAAqD;;gBAGrD,oDAAoD;;gBAGpD,~~wEAAwE~~;;;;;;;;;;;;;;;;;;;~~YAsBxE~~,qFAAqF;;YAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAchE,uFAAuF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~IA4HvF~~,oCAAoC;;~~QAjHpC~~,uCAAuC;;QAGvC,oCAAoC;;QAGpC,6CAA6C;;QAG7C,sDAAsD;;;;;;;;;;;;;~~IAgHtD~~,mEAAmE;;~~QAtGnE~~,6DAA6D;;QAG7D,mEAAmE;;QAGnE,oDAAoD;;QAGpD,iDAAiD;;;;;;;;;;;;;~~IAgGjD~~,6CAA6C;;~~QAhE7C~~,oCAAoC;;YAElC,sDAAsD;;YAGtD,0EAA0E;;YAG1E,+CAA+C;;~~gBA9BjD~~,2DAA2D;;gBAG3D,~~iEAAiE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA2FjE,~~kDAAkD;;~~QAhDlD~~,uEAAuE;;QAGvE;;;;WAIG;;QAGH;;;;WAIG;;;;;;;;;;;~~IAwCH~~;;;;;;;;OAQG~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~EAEM,CAAC;AAGZ,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E;;;;;;GAMG;AACH,~~wBAAgB~~,cAAc,CAAC~~,MAAM,EAAE,OAAO,GAAG,kBAAkB,CAElE~~;~~AAED;;;;;;;;;GASG~~;AACH,~~wBAAgB~~,~~kBAAkB,CAAC,~~MAAM,~~EAAE,OAAO,GAC9C;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,~~kBAAkB,~~CAAA;CAAE,GAC3C;IAAE,OAAO,EAAE,KAAK,~~CAAC~~;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAcvC~~"}
1	+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB;;;;GAIG;AACH,eAAO,MAAM,oBAAoB;IAC/B,kEAAkE;;IAGlE,qDAAqD;;IAGrD,uEAAuE;;IAGvE,+EAA+E;;IAG/E,qDAAqD;;IAGrD,oDAAoD;;IAGpD,0FAA0F;;;;;;;;;;;;;;;;;;EAEjF,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAGxD,iDAAiD;;IAGjD,qCAAqC;;QArCrC,kEAAkE;;QAGlE,qDAAqD;;QAGrD,uEAAuE;;QAGvE,+EAA+E;;QAG/E,qDAAqD;;QAGrD,oDAAoD;;QAGpD,0FAA0F;;;;;;;;;;;;;;;;;;;IAsB1F,qFAAqF;;IAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEvD,CAAC;AAGZ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,mCAAmC;;QAvBnC,wDAAwD;;QAGxD,iDAAiD;;QAGjD,qCAAqC;;YArCrC,kEAAkE;;YAGlE,qDAAqD;;YAGrD,uEAAuE;;YAGvE,+EAA+E;;YAG/E,qDAAqD;;YAGrD,oDAAoD;;YAGpD,0FAA0F;;;;;;;;;;;;;;;;;;;QAsB1F,qFAAqF;;QAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAchE,uFAAuF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9E,CAAC;AAGZ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,uCAAuC;;IAGvC,oCAAoC;;IAGpC,6CAA6C;;IAG7C,sDAAsD;;;;;;;;;;;;EAE7C,CAAC;AAEZ,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,cAAc;IACzB,6DAA6D;;IAG7D,mEAAmE;;IAGnE,oDAAoD;;IAGpD,iDAAiD;;;;;;;;;;;;EAExC,CAAC;AAEZ,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEtD;;GAEG;AACH,eAAO,MAAM,oBAAoB;IAC/B,2DAA2D;;IAG3D;;;;;;;;;;OAUG;;;;;;;;EAEM,CAAC;AAEZ,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,oCAAoC;;QAElC,sDAAsD;;QAGtD,0EAA0E;;QAG1E,+CAA+C;;YA/BjD,2DAA2D;;YAG3D;;;;;;;;;;eAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwBM,CAAC;AAEZ,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,mBAAmB;IAC9B,uEAAuE;;IAGvE;;;;OAIG;;IAGH;;;;OAIG;;;;;;;;;;EAEM,CAAC;AAEZ,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,gCAA8B,CAAC;AAErE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E;;;;GAIG;AACH,eAAO,MAAM,6BAA6B;IACxC,+EAA+E;;IAG/E,uDAAuD;;;;;;;;EAE9C,CAAC;AAEZ,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF;;;;GAIG;AACH,eAAO,MAAM,6BAA6B;IACxC,qEAAqE;;IAGrE,uCAAuC;;;;;;;;EAE9B,CAAC;AAEZ,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB;IACjC;;;OAGG;;QAjCH,+EAA+E;;QAG/E,uDAAuD;;;;;;;;;IAoCvD;;;OAGG;;QA1CH,+EAA+E;;QAG/E,uDAAuD;;;;;;;;;IA6CvD;;;OAGG;;QApCH,qEAAqE;;QAGrE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAmC9B,CAAC;AAEZ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;IACnC,+BAA+B;;QAvM/B,mCAAmC;;YAvBnC,wDAAwD;;YAGxD,iDAAiD;;YAGjD,qCAAqC;;gBArCrC,kEAAkE;;gBAGlE,qDAAqD;;gBAGrD,uEAAuE;;gBAGvE,+EAA+E;;gBAG/E,qDAAqD;;gBAGrD,oDAAoD;;gBAGpD,0FAA0F;;;;;;;;;;;;;;;;;;;YAsB1F,qFAAqF;;YAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAchE,uFAAuF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuMvF,oCAAoC;;QA5LpC,uCAAuC;;QAGvC,oCAAoC;;QAGpC,6CAA6C;;QAG7C,sDAAsD;;;;;;;;;;;;;IA2LtD,mEAAmE;;QAjLnE,6DAA6D;;QAG7D,mEAAmE;;QAGnE,oDAAoD;;QAGpD,iDAAiD;;;;;;;;;;;;;IA2KjD,6CAA6C;;QA1I7C,oCAAoC;;YAElC,sDAAsD;;YAGtD,0EAA0E;;YAG1E,+CAA+C;;gBA/BjD,2DAA2D;;gBAG3D;;;;;;;;;;mBAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA4JH,kDAAkD;;QA1HlD,uEAAuE;;QAGvE;;;;WAIG;;QAGH;;;;WAIG;;;;;;;;;;;IAkHH;;;;;;;;;OASG;;QAtEH;;;WAGG;;YAjCH,+EAA+E;;YAG/E,uDAAuD;;;;;;;;;QAoCvD;;;WAGG;;YA1CH,+EAA+E;;YAG/E,uDAAuD;;;;;;;;;QA6CvD;;;WAGG;;YApCH,qEAAqE;;YAGrE,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAyFvC;;;;;;;;OAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEM,CAAC;AAGZ,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E;;;;;;GAMG;AACH,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAkD,CAAC;AAE9E;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAgD,CAAC"}

package/dist/schema.js CHANGED Viewed

@@ -5,6 +5,7 @@
  * Provides runtime validation and type safety for all configuration options.
  */
 import { z } from 'zod';
+import { createSafeValidator, createStrictValidator } from './schema-utils.js';
 import { GIT_DEFAULTS } from './constants.js';
 /**
  * Validation Step Schema
@@ -24,7 +25,7 @@ export const ValidationStepSchema = z.object({
     continueOnError: z.boolean().optional(),
     /** Optional: Environment variables for this step */
     env: z.record(z.string(), z.string()).optional(),
-    /** Optional: Working directory for this step (default: project root) */
+    /** Optional: Working directory for this step, relative to git root (default: git root) */
     cwd: z.string().optional(),
 }).strict();
 /**
@@ -86,15 +87,19 @@ export const CIConfigSchema = z.object({
 export const SecretScanningSchema = z.object({
     /** Enable secret scanning in pre-commit (default: true) */
     enabled: z.boolean().default(true),
-    /** Command to run for secret scanning (required when enabled) */
+    /**
+     * Command to run for secret scanning (optional)
+     * - Explicit command: "gitleaks protect --staged --verbose"
+     * - Omit or "autodetect": Automatically detect and run available tools
+     *
+     * Default: autodetect (runs tools based on config file presence)
+     * - Checks for .gitleaks.toml/.gitleaksignore and .secretlintrc.json
+     * - Runs gitleaks if available and configured
+     * - Runs secretlint (via npx) if configured
+     * - Falls back to gitleaks or secretlint if no config files present
+     */
     scanCommand: z.string().min(1, 'scanCommand cannot be empty').optional(),
-}).strict().refine((data) => {
-    // If enabled is true, scanCommand must be provided
-    return !data.enabled || !!data.scanCommand;
-}, {
-    message: 'scanCommand is required when secret scanning is enabled',
-    path: ['scanCommand'],
-});
+}).strict();
 /**
  * Hooks Configuration Schema
  */
@@ -133,6 +138,64 @@ export const LockingConfigSchema = z.object({
      */
     projectId: z.string().optional(),
 }).strict();
+/**
+ * Extractor Trust Level
+ *
+ * Controls security sandbox behavior for extractors:
+ * - 'full': Run with full Node.js access (trusted code)
+ * - 'sandbox': Run in isolated V8 context with limited API access (untrusted code)
+ */
+export const ExtractorTrustLevelSchema = z.enum(['full', 'sandbox']);
+/**
+ * Extractor Category Config Schema
+ *
+ * Shared configuration for built-in and local plugin extractors.
+ */
+export const ExtractorCategoryConfigSchema = z.object({
+    /** Trust level for extractors in this category (default varies by category) */
+    trust: ExtractorTrustLevelSchema.optional(),
+    /** List of extractor names to disable (default: []) */
+    disable: z.array(z.string()).optional().default([]),
+}).strict();
+/**
+ * External Extractor Config Schema
+ *
+ * Configuration for an explicit npm package extractor.
+ */
+export const ExternalExtractorConfigSchema = z.object({
+    /** npm package name (e.g., '@my-org/vibe-validate-plugin-gradle') */
+    package: z.string().min(1, 'Package name cannot be empty'),
+    /** Trust level (default: 'sandbox') */
+    trust: ExtractorTrustLevelSchema.optional().default('sandbox'),
+}).strict();
+/**
+ * Extractors Configuration Schema
+ *
+ * Controls extractor plugin loading, trust levels, and selective disabling.
+ */
+export const ExtractorsConfigSchema = z.object({
+    /**
+     * Built-in extractors configuration
+     * Default: { trust: 'full', disable: [] }
+     */
+    builtins: ExtractorCategoryConfigSchema.optional().default({
+        trust: 'full',
+        disable: [],
+    }),
+    /**
+     * Local plugins configuration (auto-discovered from vibe-validate-local-plugins/)
+     * Default: { trust: 'sandbox', disable: [] }
+     */
+    localPlugins: ExtractorCategoryConfigSchema.optional().default({
+        trust: 'sandbox',
+        disable: [],
+    }),
+    /**
+     * External npm package extractors (explicit registration required)
+     * Default: []
+     */
+    external: z.array(ExternalExtractorConfigSchema).optional().default([]),
+}).strict();
 /**
  * Full Configuration Schema
  *
@@ -162,6 +225,21 @@ export const VibeValidateConfigSchema = z.object({
         enabled: true,
         concurrencyScope: 'directory',
     }),
+    /**
+     * Extractor plugins configuration (optional)
+     *
+     * Controls trust levels and selective disabling for extractors:
+     * - Built-in extractors (shipped with vibe-validate)
+     * - Local plugins (auto-discovered from vibe-validate-local-plugins/)
+     * - External npm packages (explicit registration required)
+     *
+     * Default: { builtins: { trust: 'full', disable: [] }, localPlugins: { trust: 'sandbox', disable: [] }, external: [] }
+     */
+    extractors: ExtractorsConfigSchema.optional().default({
+        builtins: { trust: 'full', disable: [] },
+        localPlugins: { trust: 'sandbox', disable: [] },
+        external: [],
+    }),
     /**
      * Developer feedback for continuous quality improvement (optional, default: false)
      *
@@ -180,28 +258,11 @@ export const VibeValidateConfigSchema = z.object({
  * @returns Validated configuration with defaults applied
  * @throws ZodError if validation fails
  */
-export function validateConfig(config) {
-    return VibeValidateConfigSchema.parse(config);
-}
+export const validateConfig = createStrictValidator(VibeValidateConfigSchema);
 /**
  * Safe validation function for VibeValidateConfig
  *
- * NOTE: This duplicates the pattern from @vibe-validate/core's createSafeValidator.
- * We can't import from core here due to circular dependency (core → config).
- * This is an acceptable trade-off for a foundational package.
- *
  * @param config - Configuration data to validate
  * @returns Validation result with success/error information
  */
-export function safeValidateConfig(config) {
-    const result = VibeValidateConfigSchema.safeParse(config);
-    if (result.success) {
-        return { success: true, data: result.data };
-    }
-    // Extract error messages with full path
-    const errors = result.error.errors.map(err => {
-        const path = err.path.join('.');
-        return path ? `${path}: ${err.message}` : err.message;
-    });
-    return { success: false, errors };
-}
+export const safeValidateConfig = createSafeValidator(VibeValidateConfigSchema);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vibe-validate/config",
-  "version": "0.16.1",
+  "version": "0.17.0-rc.10",
   "description": "Configuration system for vibe-validate with TypeScript-first design and config templates",
   "type": "module",
   "main": "./dist/index.js",