@visulima/vis 1.0.0-alpha.1 → 1.0.0-alpha.11

package/dist/packem_chunks/handler39.js

@@ -0,0 +1,574 @@
+import { createRequire as __cjs_createRequire } from "node:module";
+
+const __cjs_require = __cjs_createRequire(import.meta.url);
+
+const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
+
+const __cjs_getBuiltinModule = (module) => {
+    // Check if we're in Node.js and version supports getBuiltinModule
+    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
+        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
+        // Node.js 20.16.0+ and 22.3.0+
+        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
+            return __cjs_getProcess.getBuiltinModule(module);
+        }
+    }
+    // Fallback to createRequire
+    return __cjs_require(module);
+};
+
+import { dim, cyan, yellow, red, green } from '@visulima/colorize';
+import { writeFileSync, isAccessibleSync, readJsonSync, readFileSync } from '@visulima/fs';
+import { isAbsolute, relative, resolve, join } from '@visulima/path';
+import { redact } from '@visulima/redact';
+import { fingerprint, scan, scanFiles, inspectRuleset, listRules, listRequiredValidators } from '@visulima/secret-scanner';
+import { p as pail } from './bin.js';
+import { InteractiveManager, InteractiveStreamHook } from '@visulima/interactive-manager';
+import { Spinner } from '@visulima/spinner';
+const {
+  pathToFileURL
+} = __cjs_getBuiltinModule("node:url");
+const {
+  execFileSync
+} = __cjs_getBuiltinModule("node:child_process");
+
+const createSpinner = (options = {}) => {
+  const manager = new InteractiveManager(new InteractiveStreamHook(process.stdout), new InteractiveStreamHook(process.stderr));
+  return new Spinner(options, manager);
+};
+
+const toRelative = (file, root) => {
+  if (!isAbsolute(file)) {
+    return file;
+  }
+  const rel = relative(root, file);
+  return rel === "" || rel.startsWith("..") ? file : rel;
+};
+const toRelativeFinding = (f, root) => {
+  const relativeFile = toRelative(f.file, root);
+  return relativeFile === f.file ? f : { ...f, file: relativeFile };
+};
+const readBaseline = (baselinePath) => {
+  if (!isAccessibleSync(baselinePath)) {
+    return [];
+  }
+  try {
+    const parsed = readJsonSync(baselinePath);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch {
+    return [];
+  }
+};
+const diffBaseline = (findings, baselinePath, root) => {
+  const existing = readBaseline(baselinePath).map((f) => toRelativeFinding(f, root));
+  const existingKeys = new Set(existing.map((f) => fingerprint(f)));
+  const currentRelative = findings.map((f) => toRelativeFinding(f, root));
+  const currentKeys = new Set(currentRelative.map((f) => fingerprint(f)));
+  return {
+    fresh: currentRelative.filter((f) => !existingKeys.has(fingerprint(f))),
+    resolved: existing.filter((f) => !currentKeys.has(fingerprint(f))),
+    surviving: currentRelative.filter((f) => existingKeys.has(fingerprint(f)))
+  };
+};
+const writeBaseline = (findings, baselinePath, root, options = {}) => {
+  const incoming = findings.map((f) => toRelativeFinding(f, root));
+  let final;
+  if (options.replace) {
+    final = incoming;
+  } else {
+    const existing = readBaseline(baselinePath).map((f) => toRelativeFinding(f, root));
+    const seen = /* @__PURE__ */ new Set();
+    final = [];
+    for (const f of [...existing, ...incoming]) {
+      const key = fingerprint(f);
+      if (seen.has(key)) {
+        continue;
+      }
+      seen.add(key);
+      final.push(f);
+    }
+  }
+  writeFileSync(baselinePath, `${JSON.stringify(final, null, 4)}
+`);
+  return final.length;
+};
+
+const CONTEXT_RADIUS = 1;
+const groupByFile = (findings) => {
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const list = byFile.get(f.file);
+    if (list) {
+      list.push(f);
+    } else {
+      byFile.set(f.file, [f]);
+    }
+  }
+  return byFile;
+};
+const loadLines = (file) => {
+  try {
+    return readFileSync(file).split(/\r?\n/);
+  } catch {
+    return void 0;
+  }
+};
+const caretFor = (line, col, len) => {
+  const clampedCol = Math.max(1, col);
+  const prefix = line.slice(0, clampedCol - 1).replaceAll(/[^\t]/g, " ");
+  return `${prefix}${"^".repeat(Math.max(1, len))}`;
+};
+const formatText = (findings, root, useColor, options = {}) => {
+  if (findings.length === 0) {
+    return useColor ? dim("No secrets detected.") : "No secrets detected.";
+  }
+  const color = useColor ? { cyan, dim, green, red, yellow } : {
+    cyan: (s) => s,
+    dim: (s) => s,
+    green: (s) => s,
+    red: (s) => s,
+    yellow: (s) => s
+  };
+  const lines = [];
+  const byFile = groupByFile(findings);
+  for (const [file, items] of byFile) {
+    const relativeFile = relative(root, file) || file;
+    lines.push(color.cyan(relativeFile));
+    const sourceLines = options.redact ? void 0 : loadLines(file);
+    for (const f of items) {
+      const provenance = [f.source, f.confidence].filter(Boolean).join(", ");
+      const provenanceSuffix = provenance ? ` ${color.dim(`(${provenance})`)}` : "";
+      const alternates = f.alternateMatches && f.alternateMatches.length > 0 ? ` ${color.dim(`also: ${f.alternateMatches.join(", ")}`)}` : "";
+      let validationBadge = "";
+      switch (f.validation) {
+        case "error": {
+          validationBadge = ` ${color.yellow("! error")}`;
+          break;
+        }
+        case "rejected": {
+          validationBadge = ` ${color.red("✗ rejected")}`;
+          break;
+        }
+        case "skipped": {
+          validationBadge = ` ${color.dim("— unverifiable")}`;
+          break;
+        }
+        case "verified": {
+          validationBadge = ` ${color.green("✓ verified")}`;
+          break;
+        }
+      }
+      lines.push(
+        `  ${color.red("✖")} ${color.yellow(`[${f.ruleId}]`)}${provenanceSuffix}${validationBadge} ${color.dim(`line ${String(f.startLine)}:${String(f.startColumn)}`)}${alternates}`
+      );
+      if (sourceLines) {
+        const start = Math.max(0, f.startLine - 1 - CONTEXT_RADIUS);
+        const end = Math.min(sourceLines.length, f.startLine + CONTEXT_RADIUS);
+        for (let n = start; n < end; n += 1) {
+          const lineNumber = String(n + 1).padStart(4, " ");
+          const isMatchLine = n + 1 === f.startLine;
+          const marker = isMatchLine ? color.red("▶") : " ";
+          lines.push(`    ${marker} ${color.dim(lineNumber)} │ ${sourceLines[n] ?? ""}`);
+          if (isMatchLine) {
+            const matchLen = Math.max(1, (f.endColumn ?? f.startColumn + 1) - f.startColumn);
+            const caret = caretFor(sourceLines[n] ?? "", f.startColumn, matchLen);
+            lines.push(`      ${color.dim("    │ ")}${color.red(caret)}`);
+          }
+        }
+      }
+      lines.push("");
+    }
+  }
+  return lines.join("\n").trimEnd();
+};
+const toSarifUri = (path, root) => {
+  if (!isAbsolute(path)) {
+    return path.replaceAll("\\", "/");
+  }
+  try {
+    return pathToFileURL(path).toString();
+  } catch {
+    return `file://${resolve(root, path).replaceAll("\\", "/")}`;
+  }
+};
+const shortText = (text, limit = 100) => {
+  if (text.length <= limit) {
+    return text;
+  }
+  return `${text.slice(0, limit - 1).trimEnd()}…`;
+};
+const formatSarif = (findings, toolVersion, root = process.cwd(), ruleMetadata = []) => {
+  const metaById = new Map(ruleMetadata.map((r) => [r.id, r]));
+  const seenIds = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    seenIds.add(f.ruleId);
+  }
+  const ruleIds = [.../* @__PURE__ */ new Set([...metaById.keys(), ...seenIds])].sort((a, b) => a.localeCompare(b));
+  const ruleIndex = new Map(ruleIds.map((id, i) => [id, i]));
+  return JSON.stringify(
+    {
+      $schema: "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
+      runs: [
+        {
+          originalUriBaseIds: {
+            SRCROOT: { uri: pathToFileURL(root).toString() }
+          },
+          results: findings.map((f) => {
+            const properties = {};
+            if (f.source) {
+              properties["source"] = f.source;
+            }
+            if (f.confidence) {
+              properties["confidence"] = f.confidence;
+            }
+            if (f.alternateMatches && f.alternateMatches.length > 0) {
+              properties["alternateRules"] = f.alternateMatches;
+            }
+            if (f.validation) {
+              properties["validation"] = f.validation;
+            }
+            return {
+              level: "error",
+              locations: [
+                {
+                  physicalLocation: {
+                    artifactLocation: {
+                      uri: toSarifUri(f.file, root),
+                      uriBaseId: isAbsolute(f.file) ? void 0 : "SRCROOT"
+                    },
+                    region: {
+                      endColumn: f.endColumn,
+                      endLine: f.endLine,
+                      snippet: { text: f.match },
+                      startColumn: f.startColumn,
+                      startLine: f.startLine
+                    }
+                  }
+                }
+              ],
+              message: { text: f.description || f.ruleId },
+              properties: Object.keys(properties).length > 0 ? properties : void 0,
+              ruleId: f.ruleId,
+              ruleIndex: ruleIndex.get(f.ruleId) ?? -1
+            };
+          }),
+          tool: {
+            driver: {
+              informationUri: "https://visulima.com/packages/secret-scanner",
+              name: "visulima-secret-scanner",
+              rules: ruleIds.map((id) => {
+                const meta = metaById.get(id);
+                const description = meta?.description ?? `Detected by rule \`${id}\``;
+                const ruleProperties = {};
+                if (meta?.tags && meta.tags.length > 0) {
+                  ruleProperties["tags"] = meta.tags;
+                }
+                if (meta?.source) {
+                  ruleProperties["source"] = meta.source;
+                }
+                if (meta?.confidence) {
+                  ruleProperties["confidence"] = meta.confidence;
+                }
+                return {
+                  defaultConfiguration: { level: "error" },
+                  fullDescription: { text: description },
+                  helpUri: "https://visulima.com/packages/secret-scanner",
+                  id,
+                  name: id,
+                  properties: Object.keys(ruleProperties).length > 0 ? ruleProperties : void 0,
+                  shortDescription: { text: shortText(description) }
+                };
+              }),
+              version: toolVersion
+            }
+          }
+        }
+      ],
+      version: "2.1.0"
+    },
+    void 0,
+    2
+  );
+};
+
+const runGit = (root, args) => {
+  try {
+    return execFileSync("git", args, { cwd: root, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }).trim();
+  } catch {
+    return "";
+  }
+};
+const splitFiles = (stdout) => stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+const stagedFiles = (root) => splitFiles(runGit(root, ["diff", "--cached", "--name-only", "--diff-filter=ACMR"])).map((p) => isAbsolute(p) ? p : join(root, p));
+const filesSince = (root, ref) => {
+  const stdout = runGit(root, ["diff", "--name-only", "--diff-filter=ACMR", `${ref}...HEAD`]);
+  const list = splitFiles(stdout);
+  if (list.length === 0) {
+    const fallback = runGit(root, ["diff", "--name-only", "--diff-filter=ACMR", ref]);
+    return splitFiles(fallback).map((p) => isAbsolute(p) ? p : join(root, p));
+  }
+  return list.map((p) => isAbsolute(p) ? p : join(root, p));
+};
+const hasGit = (root) => runGit(root, ["rev-parse", "--show-toplevel"]).length > 0;
+
+const DEFAULT_BASELINE = ".secrets-baseline.json";
+const toArray = (value) => {
+  if (!value) {
+    return [];
+  }
+  return Array.isArray(value) ? value : [value];
+};
+const validateFormat = (raw) => {
+  const allowed = /* @__PURE__ */ new Set(["json", "sarif", "text"]);
+  if (raw && !allowed.has(raw)) {
+    pail.error(`--format must be one of: ${[...allowed].join(", ")} (got "${raw}")`);
+    process.exit(2);
+  }
+  return raw ?? "text";
+};
+const validateConfidence = (raw) => {
+  if (raw === void 0) {
+    return void 0;
+  }
+  const allowed = /* @__PURE__ */ new Set(["high", "low", "medium"]);
+  if (!allowed.has(raw)) {
+    pail.error(`--min-confidence must be one of: ${[...allowed].join(", ")} (got "${raw}")`);
+    process.exit(2);
+  }
+  return raw;
+};
+const printListRules = async (scanOptions, useColor) => {
+  const rules = await listRules(scanOptions);
+  process.stdout.write(`${String(rules.length)} rules loaded
+
+`);
+  for (const rule of rules) {
+    const id = useColor ? yellow(rule.id) : rule.id;
+    const tags = rule.tags.length > 0 ? ` ${useColor ? dim(`[${rule.tags.join(", ")}]`) : `[${rule.tags.join(", ")}]`}` : "";
+    process.stdout.write(`${id}${tags}
+  ${rule.description}
+`);
+    if (rule.keywords.length > 0) {
+      const kw = `keywords: ${rule.keywords.slice(0, 6).join(", ")}${rule.keywords.length > 6 ? ", ..." : ""}`;
+      process.stdout.write(`  ${useColor ? dim(kw) : kw}
+`);
+    }
+    process.stdout.write("\n");
+  }
+};
+const printListValidators = async (scanOptions, useColor) => {
+  const report = await listRequiredValidators(scanOptions);
+  if (report.length === 0) {
+    process.stdout.write(
+      useColor ? `${dim("No non-HTTP validators required by the current ruleset.")}
+` : "No non-HTTP validators required by the current ruleset.\n"
+    );
+    return;
+  }
+  process.stdout.write(`${String(report.length)} non-HTTP validator type(s) referenced by the current ruleset:
+
+`);
+  for (const entry of report) {
+    const title = useColor ? yellow(entry.displayName) : entry.displayName;
+    const typeLabel = `(${entry.type}, ${String(entry.ruleCount)} rule${entry.ruleCount === 1 ? "" : "s"})`;
+    process.stdout.write(`${title} ${useColor ? dim(typeLabel) : typeLabel}
+`);
+    process.stdout.write(`  ${entry.summary}
+`);
+    const hint = entry.packageName ? `install: npm add ${entry.packageName}` : "no driver — bespoke implementation required";
+    process.stdout.write(`  ${useColor ? dim(hint) : hint}
+
+`);
+  }
+};
+const runInit = async (root, scanOptions, dryRun) => {
+  const baselinePath = join(root, DEFAULT_BASELINE);
+  if (!dryRun && isAccessibleSync(baselinePath)) {
+    pail.warn(`Detected existing ${DEFAULT_BASELINE} — refusing to overwrite. Delete it first to re-init.`);
+    process.exit(1);
+  }
+  pail.info(dryRun ? "[dry-run] Previewing init — no files will be written." : "Scanning workspace to seed baseline…");
+  const spinner = createSpinner();
+  spinner.start("scanning");
+  let findings;
+  try {
+    findings = await scan([root], scanOptions);
+    spinner.succeed();
+  } catch (error) {
+    spinner.failed();
+    throw error;
+  }
+  if (dryRun) {
+    pail.info(`[dry-run] Would create ${DEFAULT_BASELINE} with ${String(findings.length)} finding(s).`);
+    return;
+  }
+  const count = writeBaseline(findings, baselinePath, root, { replace: true });
+  pail.success(`Wrote ${DEFAULT_BASELINE} (${String(count)} findings).`);
+  pail.notice("Commit it. Use `vis secrets --baseline .secrets-baseline.json` in CI. Add path patterns to .gitignore to exclude directories from scanning.");
+};
+const resolveScanOptions = (flags, visSecrets, root) => {
+  const cfg = visSecrets ?? {};
+  const resolvePath = (p) => p ? resolve(root, p) : void 0;
+  const pickList = (flag, fallback) => {
+    const fromFlag = toArray(flag);
+    return fromFlag.length > 0 ? fromFlag : fallback;
+  };
+  const enableRules = pickList(flags.enableRule, cfg.rules?.enable);
+  const excludeRules = pickList(flags.excludeRule, cfg.rules?.exclude);
+  const includeRules = pickList(flags.includeRule, cfg.rules?.include);
+  const excludePatterns = pickList(flags.exclude, cfg.walk?.excludePatterns);
+  const excludeFromFlag = toArray(flags.excludeFrom).map((p) => resolve(root, p));
+  const excludeFromFiles = excludeFromFlag.length > 0 ? excludeFromFlag : cfg.walk?.excludeFromFiles?.map((p) => resolve(root, p));
+  const baselinePath = resolvePath(flags.baseline) ?? resolvePath(cfg.baseline);
+  const configPath = resolvePath(flags.config) ?? resolvePath(cfg.config?.path);
+  const minConfidence = validateConfidence(flags.minConfidence ?? cfg.config?.minConfidence);
+  return {
+    baseline: baselinePath,
+    concurrency: flags.concurrency,
+    config: {
+      extendBundled: flags.noExtendBundled ? false : cfg.config?.extendBundled,
+      inline: cfg.config?.inline,
+      minConfidence,
+      onlyVerified: flags.onlyVerified ?? cfg.config?.onlyVerified ?? false,
+      path: configPath,
+      validate: flags.validate ?? cfg.config?.validate ?? false
+    },
+    redact: flags.redact ?? cfg.redact,
+    rules: { enable: enableRules, exclude: excludeRules, include: includeRules },
+    verbose: flags.verbose ?? false,
+    walk: {
+      excludeFromFiles,
+      excludePatterns,
+      gitignore: flags.noGitignore ? false : cfg.walk?.gitignore ?? true,
+      includeHidden: flags.includeHidden ?? cfg.walk?.includeHidden,
+      maxFileSize: flags.maxSize ?? cfg.walk?.maxFileSize
+    }
+  };
+};
+const printDiff = (diff) => {
+  process.stderr.write(
+    `${dim("baseline diff: ")}${green(`+${String(diff.fresh.length)} new`)} · ${yellow(`${String(diff.surviving.length)} unchanged`)} · ${dim(`-${String(diff.resolved.length)} resolved`)}
+`
+  );
+};
+const chooseScanPaths = async (flags, args, root) => {
+  if (flags.staged) {
+    if (!hasGit(root)) {
+      pail.error("--staged requires a git working tree, and none was detected.");
+      process.exit(2);
+    }
+    return { files: stagedFiles(root) };
+  }
+  if (flags.since) {
+    if (!hasGit(root)) {
+      pail.error("--since requires a git working tree, and none was detected.");
+      process.exit(2);
+    }
+    return { files: filesSince(root, flags.since) };
+  }
+  if (flags.affected) {
+    if (!hasGit(root)) {
+      pail.warn("--affected requires git; falling back to full scan");
+      return { paths: args && args.length > 0 ? args.map((p) => resolve(root, p)) : [root] };
+    }
+    const baseRef = process.env["VIS_BASE"] ?? "HEAD~1";
+    return { files: filesSince(root, baseRef) };
+  }
+  return { paths: args && args.length > 0 ? args.map((p) => resolve(root, p)) : [root] };
+};
+const emitFindings = (findings, format, root, useColor, toolVersion, ruleMetadata, redactFindings) => {
+  switch (format) {
+    case "json": {
+      const view = findings.map((f) => toRelativeFinding(f, root));
+      process.stdout.write(`${JSON.stringify(view, null, 2)}
+`);
+      break;
+    }
+    case "sarif": {
+      process.stdout.write(`${formatSarif(findings, toolVersion, root, ruleMetadata)}
+`);
+      break;
+    }
+    default: {
+      process.stdout.write(`${formatText(findings, root, useColor, { redact: redactFindings })}
+`);
+    }
+  }
+};
+const execute = async ({ argument, options, visConfig, workspaceRoot }) => {
+  const flags = options;
+  const args = argument;
+  const root = workspaceRoot ?? process.cwd();
+  const useColor = !flags.quiet && process.stdout.isTTY;
+  const visSecrets = visConfig?.secrets;
+  const scanOptions = resolveScanOptions(flags, visSecrets, root);
+  const toolVersion = "0.0.0-alpha";
+  if (flags.listRules) {
+    await printListRules(scanOptions, useColor);
+    return;
+  }
+  if (flags.listValidators) {
+    await printListValidators(scanOptions, useColor);
+    return;
+  }
+  if (flags.init) {
+    await runInit(root, scanOptions, flags.dryRun ?? false);
+    return;
+  }
+  const target = await chooseScanPaths(flags, args ?? [], root);
+  if (target.files?.length === 0) {
+    if (!flags.quiet) {
+      pail.success("No files to scan.");
+    }
+    return;
+  }
+  const isInteractive = !flags.quiet && !["json", "sarif"].includes(flags.format ?? "text");
+  const spinner = createSpinner({ verbose: isInteractive });
+  spinner.start("scanning for secrets");
+  let findings;
+  try {
+    findings = target.files === void 0 ? await scan(target.paths ?? [root], scanOptions) : await scanFiles(target.files, scanOptions);
+    spinner.succeed();
+  } catch (error) {
+    spinner.failed();
+    pail.error(`secret scan failed: ${error instanceof Error ? error.message : String(error)}`);
+    process.exit(2);
+  }
+  if (flags.verbose) {
+    const skipped = await inspectRuleset(scanOptions);
+    if (skipped.length > 0) {
+      pail.warn(`${String(skipped.length)} rule(s) skipped due to invalid regex. First few:`);
+      for (const s of skipped.slice(0, 5)) {
+        process.stderr.write(`  - ${s.ruleId}: ${s.reason}
+`);
+      }
+    }
+  }
+  const baselineFullPath = scanOptions.baseline ?? join(root, DEFAULT_BASELINE);
+  const showDiff = !flags.quiet && isAccessibleSync(baselineFullPath);
+  if (flags.updateBaseline) {
+    const count = writeBaseline(findings, baselineFullPath, root, { replace: flags.replaceBaseline });
+    pail.success(`Baseline updated: ${relative(root, baselineFullPath) || baselineFullPath} now contains ${String(count)} entries.`);
+    return;
+  }
+  const format = validateFormat(flags.format);
+  const ruleMetadata = format === "sarif" ? await listRules(scanOptions).catch(() => []) : [];
+  const shouldRedact = scanOptions.redact === true;
+  const reportFindings = shouldRedact ? redact(findings, ["match", "secret"]) : findings;
+  emitFindings(reportFindings, format, root, useColor, toolVersion, ruleMetadata, shouldRedact);
+  if (format === "text" && showDiff) {
+    printDiff(diffBaseline(findings, baselineFullPath, root));
+  }
+  if (findings.length > 0) {
+    if (!flags.quiet) {
+      pail.warn(`${String(findings.length)} potential secret(s) found`);
+      pail.notice("Suppress individual lines with `gitleaks:allow` / `secret-scanner:allow`, or run `vis secrets --update-baseline`.");
+    }
+    process.exit(1);
+  }
+  if (!flags.quiet) {
+    pail.success("No secrets detected.");
+  }
+};
+
+export { execute as default };

package/dist/packem_chunks/handler4.js

@@ -0,0 +1,90 @@
+import { createRequire as __cjs_createRequire } from "node:module";
+
+const __cjs_require = __cjs_createRequire(import.meta.url);
+
+const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
+
+const __cjs_getBuiltinModule = (module) => {
+    // Check if we're in Node.js and version supports getBuiltinModule
+    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
+        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
+        // Node.js 20.16.0+ and 22.3.0+
+        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
+            return __cjs_getProcess.getBuiltinModule(module);
+        }
+    }
+    // Fallback to createRequire
+    return __cjs_require(module);
+};
+
+const {
+  spawnSync
+} = __cjs_getBuiltinModule("node:child_process");
+import { c as detectPm, p as pail, s as scanUnapprovedBuildScripts, e as syncAllowBuildsToNativeConfig } from './bin.js';
+
+const execute = async ({ options, visConfig, workspaceRoot: wsRoot }) => {
+  const cwd = wsRoot ?? process.cwd();
+  const pm = detectPm(cwd);
+  if (pm.name === "pnpm" && !options.scan) {
+    pail.info("Delegating to pnpm approve-builds...");
+    const pnpmArgs = ["approve-builds"];
+    if (options.all) {
+      pnpmArgs.push("--all");
+    }
+    const result = spawnSync("pnpm", pnpmArgs, { cwd, stdio: "inherit" });
+    if (result.error) {
+      throw new Error(`Failed to run pnpm approve-builds: ${result.error.message}`);
+    }
+    if (result.status !== 0 && result.status !== null) {
+      pail.error(`pnpm approve-builds exited with code ${result.status}`);
+      process.exitCode = result.status;
+    }
+    if (!options.syncNative) {
+      pail.notice("");
+      pail.notice("Tip: vis.config.ts security.allowBuilds may now be out of sync with pnpm-workspace.yaml.");
+      pail.notice("Run 'vis check --security-config' to compare, or copy the new entries into vis.config.ts.");
+      return;
+    }
+  } else {
+    const allowBuilds = visConfig?.security?.allowBuilds ?? {};
+    const unapproved = scanUnapprovedBuildScripts(cwd, allowBuilds);
+    if (unapproved.length === 0) {
+      pail.success("No unapproved build scripts found.");
+    } else {
+      pail.warn(`Found ${unapproved.length} package${unapproved.length === 1 ? "" : "s"} with unapproved build scripts:
+`);
+      for (const pkg of unapproved) {
+        pail.info(`  ${pkg}`);
+      }
+      pail.notice("");
+      pail.notice("To approve these packages, add them to vis.config.ts:");
+      pail.notice("");
+      pail.notice("  security: {");
+      pail.notice("    allowBuilds: {");
+      for (const pkg of unapproved) {
+        const name = pkg.split(" (")[0];
+        pail.notice(`      "${name}": true,`);
+      }
+      pail.notice("    },");
+      pail.notice("  },");
+      if (pm.name === "pnpm") {
+        pail.notice("");
+        pail.notice("Or run 'pnpm approve-builds' to update pnpm-workspace.yaml directly.");
+      }
+    }
+  }
+  if (options.syncNative) {
+    const allowBuilds = visConfig?.security?.allowBuilds ?? {};
+    if (Object.keys(allowBuilds).length === 0) {
+      pail.warn("No security.allowBuilds configured in vis.config.ts. Nothing to sync.");
+    } else {
+      const actions = syncAllowBuildsToNativeConfig(pm.name, cwd, allowBuilds);
+      pail.info("");
+      for (const action of actions) {
+        pail.success(action);
+      }
+    }
+  }
+};
+
+export { execute as default };