@visulima/vis 1.0.0-alpha.17 → 1.0.0-alpha.19

package/CHANGELOG.md

@@ -1,3 +1,61 @@
+## @visulima/vis [1.0.0-alpha.19](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.18...@visulima/vis@1.0.0-alpha.19) (2026-05-11)
+
+### ⚠ BREAKING CHANGES
+
+* **vis:** replace prek runner with in-process hook dispatcher
+* **vis:** vis sbom now emits CycloneDX 1.7. Downstream consumers
+pinned to a 1.6 validator must upgrade.
+
+Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
+
+### Features
+
+* **vis:** bump sbom to cyclonedx 1.7 ([904075f](https://github.com/visulima/visulima/commit/904075fd9353e40b593d5a13f53307c584e31da7))
+* **vis:** replace prek runner with in-process hook dispatcher ([659ba07](https://github.com/visulima/visulima/commit/659ba07fc311c36783e8900188b9753276a961fe))
+
+
+### Dependencies
+
+* **@visulima/tui:** upgraded to 1.0.0-alpha.14
+* **@visulima/cerebro:** upgraded to 3.0.0-alpha.22
+* **@visulima/fs:** upgraded to 5.0.0-alpha.21
+* **@visulima/package:** upgraded to 5.0.0-alpha.20
+
+## @visulima/vis [1.0.0-alpha.18](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.17...@visulima/vis@1.0.0-alpha.18) (2026-05-11)
+
+### Features
+
+* **task-runner:** add resolveTurboEnvCompat helper ([a8e73ef](https://github.com/visulima/visulima/commit/a8e73ef324dd8d1bc1f1f471f59f9292f9f01745))
+* **vis:** add vis-mcp post-command promotion nudge ([9244fad](https://github.com/visulima/visulima/commit/9244fad8a8f9164ce99b2ab3cb771d53f926e788))
+* **vis:** expand secrets.config.presets to tag selectors ([77b8d2b](https://github.com/visulima/visulima/commit/77b8d2bbc951d5180753f37a45d2313c01fcf47f))
+* **vis:** honour TURBO_API/TURBO_TOKEN/TURBO_TEAM env vars ([0d4fc8c](https://github.com/visulima/visulima/commit/0d4fc8c1ad617ba27c436e40e520ddcbb19ebeca))
+* **vis:** show flakiness table on successful runs too ([085b219](https://github.com/visulima/visulima/commit/085b219a4472ceb0fd2f507c7bc3b3b1780a014a))
+* **vis:** surface retried-but-passed tasks and add CI log grouping ([2bdceaa](https://github.com/visulima/visulima/commit/2bdceaacf3f69c99a08c9e1b3b6eda0ee3528cd2))
+
+### Bug Fixes
+
+* **vis:** raise timeout for exposed-files preset tests to 15s ([433db73](https://github.com/visulima/visulima/commit/433db7319ecf4720664bc199582d571ea6a3630b))
+* **vis:** warm default ruleset for exposed-files preset tests ([9c76250](https://github.com/visulima/visulima/commit/9c76250d2ee6e8e2be878e5dcfb149d38126d60d))
+
+### Documentation
+
+* **vis:** mention TURBO_API fallback in help text and migrate hint ([f9bd7ac](https://github.com/visulima/visulima/commit/f9bd7acd7a53837e40376f9b0dcf54040bbc50a1))
+
+### Miscellaneous Chores
+
+* added fixtures to prettier ignore ([13bda29](https://github.com/visulima/visulima/commit/13bda2942d5d95fedeec7c07937fdfc37cf960c7))
+* **vis:** apply eslint and formatter sweep ([d3a48c5](https://github.com/visulima/visulima/commit/d3a48c577a77864b1aae52e6061a8aad1554f273))
+
+
+### Dependencies
+
+* **@visulima/secret-scanner:** upgraded to 1.0.0-alpha.2
+* **@visulima/task-runner:** upgraded to 1.0.0-alpha.13
+* **@visulima/tui:** upgraded to 1.0.0-alpha.13
+* **@visulima/cerebro:** upgraded to 3.0.0-alpha.21
+* **@visulima/fs:** upgraded to 5.0.0-alpha.20
+* **@visulima/package:** upgraded to 5.0.0-alpha.19
+
 ## @visulima/vis [1.0.0-alpha.17](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.16...@visulima/vis@1.0.0-alpha.17) (2026-05-10)
 
 ### Features

package/README.md

@@ -36,19 +36,59 @@
 
 ## Features
 
-- **Workspace-aware**: Automatically discovers projects from `pnpm-workspace.yaml` or `package.json` workspaces
-- **Task caching**: Powered by `@visulima/task-runner` with local and remote caching support
-- **Dependency-aware scheduling**: Runs tasks in topological order with configurable parallelism
-- **Affected detection**: Only runs tasks for projects changed since a given git ref
-- **Pluggable installer**: Defaults to the lockfile-detected PM (pnpm/npm/yarn/bun); auto-uses [aube](https://github.com/endevco/aube) when on `PATH`, with a single switch (`install.backend` / `--installer` / `--no-aube`) to pin or bypass it
-- **Catalog management**: Check and update dependencies in pnpm/bun workspace catalogs
-- **Security scanning**: Check for known vulnerabilities via OSV.dev
-- **Graph visualization**: View your project dependency graph in ASCII, DOT, JSON, or HTML
-- **Git hooks**: Install, manage, and migrate git hooks (husky migration supported)
-- **Configurable**: `vis.json` for target defaults, cache settings, and task runner options
-- **Inferred targets**: Optional Project Crystal-style synthesis of `build`/`test`/`dev`/`lint`/`format` from 36 tools (Vite, Vitest, Next, Nuxt, packem, ESLint, Biome, Prisma, …). Opt in with `inferTargets: true`; explicit scripts and `project.json`/`vis.task.ts` overrides always win
-- **URI-based input format**: `inputs` accepts `file://`, `glob://`, `env://`, `func://`, `dep://` strings as forward-compat sugar for the structured object form
-- **Built on Cerebro**: Uses `@visulima/cerebro` for a robust CLI experience with built-in help, version, and completion
+### Built for AI agents
+
+- **MCP server** — `@visulima/vis-mcp` exposes 8 read-only introspection tools to Claude / Cursor / Copilot (project graph, target list, run logs, cache-why, template schema), plus a paired Claude Skill that documents optimal usage
+- **`vis ai heal`** — reads failing tasks, asks the configured AI provider for a structured patch, validates by re-running, posts a markdown comment to the PR/MR. `/vis heal accept` from an allow-listed maintainer lands the fix as a signed commit (GitHub Actions, GitLab CI, Buildkite)
+- **Worktree-aware shared cache** — N parallel agents in N sibling git worktrees automatically share one cache instead of rebuilding the same hash N times
+
+### Production-grade caching
+
+- **REAPI gRPC + HTTP backends** — drop-in support for [bazel-remote](https://github.com/buchgr/bazel-remote), BuildBuddy, BuildBarn, EngFlow alongside Turbo-compatible HTTP. `vis cache doctor` probes reachability, capabilities, and latency for CI gating
+- **`vis cache why <task>`** — diff hash buckets (`command`, `nodes`, `runtime`, `implicitDeps`) against the previous run to pinpoint exactly what rotated the hash
+- **HMAC-SHA256 signed artifacts** — `verifyOnDownload` locks production caches against tampering with constant-time comparison
+- **Cache restoration fidelity** — preserves mtime + permission bits + colorized output; `vis cache verify <task>` flags drift between cached archive and live workspace
+- **Retention controls** — `vis cache prune --keep-last/--max-age-days/--max-size`
+
+### Cross-invocation devloop
+
+- **`vis service start|stop|list`** — long-lived DB / mock / devserver lifecycle that survives across `vis run` calls within a shell session; auto-attached when targets declare `service:` in their config (no more "I keep restarting Postgres between every test run")
+- **`vis run --watch`** — Vitest-style keybinds (`r/Enter/a/p/q/Ctrl+C/h/?`), Windows-clean SIGINT
+- **`vis run --output-style=quiet`** — swallow stdout from successful and cached tasks, keep failures fully visible
+
+### Workspace orchestration
+
+- **Workspace-aware** — discovers projects from `pnpm-workspace.yaml`, `package.json` workspaces, and bun
+- **Topological scheduling** with configurable parallelism and runner-tag filtering
+- **Affected detection** — `vis affected <target>`, plus `${affected.files}` / `$AFFECTED_FILES` token forwarding to the underlying script
+- **Conditional + finally tasks** — `when:` (os/env/branch/ci) and top-level `always: true`
+- **Per-package overlay + extends chain** — root `vis-config.ts` + per-project `vis.task.ts`, with bare-specifier preset resolution
+- **Inferred targets** (Project Crystal-style) — optional synthesis of `build`/`test`/`dev`/`lint`/`format` from 36 tools (Vite, Vitest, Next, Nuxt, packem, ESLint, Biome, Prisma, …). Opt in with `inferTargets: true`; explicit scripts and `project.json`/`vis.task.ts` overrides always win
+- **URI-based input format** — `inputs` accepts `file://`, `glob://`, `env://`, `func://`, `dep://` strings as forward-compat sugar
+- **Plugin / fingerprint hooks** — 14 typed hooks via `definePlugin` (lifecycle, streaming, retry, fingerprint, services), built on `hookable`
+- **Strict env mode** — `--strict-env` extracts `${VAR}` references from each command and fails the task if any are unset
+- **Lockfile preflight** — warns in TTY, hard-fails in CI when the lockfile is newer than the install marker
+- **Project graph** — view dependencies in ASCII, DOT, JSON, or HTML
+
+### Adjacent tooling that ships in-box
+
+- **`vis catalog check / update`** — pnpm + bun workspace catalog management
+- **`vis secrets`** — Rust-native secret scanning (gitleaks detection engine)
+- **`vis audit`** — OSV.dev vulnerability scanning
+- **`vis docker scaffold`** — lockfile pruning for pnpm / npm / yarn classic + berry / bun, matching turbo's killer Docker-cache feature
+- **`vis hook install / migrate`** — git hooks (husky migration supported)
+- **`vis staged`** — built-in `lint-staged` replacement, no peer dependency
+- **`vis migrate gitleaks|secretlint`** — incremental migration paths
+- **`vis replay <runId>`** — re-render any past run summary without re-execution
+
+### Toolchain & runtime
+
+- **Pluggable installer** — defaults to the lockfile-detected PM (pnpm/npm/yarn/bun); auto-uses [aube](https://github.com/endevco/aube) when on `PATH`, with a single switch (`install.backend` / `--installer` / `--no-aube`) to pin or bypass it
+- **Cold-start one-liner** — `curl -fsSL https://visulima.com/install.sh | bash` (Linux/macOS/WSL) or PowerShell equivalent installs a version manager, Node LTS, and `vis`
+- **`vis toolchain`** — delegates to proto / mise / fnm / volta
+- **Built on Cerebro** — robust CLI with built-in help, version, and shell completion
+
+> **New to vis?** See [Why vis vs. Vite Task / Turbo / Nx / moon](./docs/guides/why-vis.mdx) for the side-by-side capability matrix.
 
 ## Install
 
@@ -366,19 +406,19 @@ If you would like to help take a look at the [list of issues](https://github.com
 
 `vis migrate` ports configuration, scripts, and hooks from the following projects. Huge thanks to their authors and maintainers for the prior art that shaped vis's surface area.
 
-| Project                                                              | Migrates with         | Replaces                          |
-| -------------------------------------------------------------------- | --------------------- | --------------------------------- |
-| [Husky](https://github.com/typicode/husky)                           | `vis hook migrate`    | Git hook manager                  |
-| [lint-staged](https://github.com/lint-staged/lint-staged)            | `vis migrate lint-staged` | Pre-commit task runner        |
-| [nano-staged](https://github.com/usmanyunusov/nano-staged)           | `vis migrate nano-staged` | Pre-commit task runner        |
-| [Turborepo](https://github.com/vercel/turborepo)                     | `vis migrate turborepo` | Monorepo task runner            |
-| [Nx](https://github.com/nrwl/nx)                                     | `vis migrate nx`      | Monorepo task runner              |
-| [Moon](https://github.com/moonrepo/moon)                             | `vis migrate moon`    | Monorepo task runner              |
-| [Gitleaks](https://github.com/gitleaks/gitleaks)                     | `vis migrate gitleaks` | Secret scanner                   |
-| [Kingfisher](https://github.com/mongodb/kingfisher)                  | `vis migrate kingfisher` | Secret scanner (MongoDB)       |
-| [Secretlint](https://github.com/secretlint/secretlint)               | `vis migrate secretlint` | Secret linter                  |
-| [Syncpack](https://github.com/JamieMason/syncpack)                   | `vis migrate syncpack` | Workspace dependency policy      |
-| [Sherif](https://github.com/QuiiBz/sherif)                           | `vis migrate sherif`  | Monorepo linter                   |
+| Project                                                    | Migrates with             | Replaces                    |
+| ---------------------------------------------------------- | ------------------------- | --------------------------- |
+| [Husky](https://github.com/typicode/husky)                 | `vis hook migrate`        | Git hook manager            |
+| [lint-staged](https://github.com/lint-staged/lint-staged)  | `vis migrate lint-staged` | Pre-commit task runner      |
+| [nano-staged](https://github.com/usmanyunusov/nano-staged) | `vis migrate nano-staged` | Pre-commit task runner      |
+| [Turborepo](https://github.com/vercel/turborepo)           | `vis migrate turborepo`   | Monorepo task runner        |
+| [Nx](https://github.com/nrwl/nx)                           | `vis migrate nx`          | Monorepo task runner        |
+| [Moon](https://github.com/moonrepo/moon)                   | `vis migrate moon`        | Monorepo task runner        |
+| [Gitleaks](https://github.com/gitleaks/gitleaks)           | `vis migrate gitleaks`    | Secret scanner              |
+| [Kingfisher](https://github.com/mongodb/kingfisher)        | `vis migrate kingfisher`  | Secret scanner (MongoDB)    |
+| [Secretlint](https://github.com/secretlint/secretlint)     | `vis migrate secretlint`  | Secret linter               |
+| [Syncpack](https://github.com/JamieMason/syncpack)         | `vis migrate syncpack`    | Workspace dependency policy |
+| [Sherif](https://github.com/QuiiBz/sherif)                 | `vis migrate sherif`      | Monorepo linter             |
 
 ## Made with ❤️ at Anolilab
 

package/dist/config/index.d.ts

@@ -416,6 +416,26 @@ interface VisHooks {
     workspaceRoot: string;
   }) => Promise<void> | void;
   /**
+  * Fired after `vis run` auto-attaches to one or more registered
+  * services. `taskIds` lists the in-graph dependents that consumed
+  * the service's `env` block; an empty array means the service was
+  * registered but no kept task depended on it.
+  */
+  "service:attach": (entry: ServiceEntry, taskIds: ReadonlyArray<string>) => Promise<void> | void;
+  /**
+  * Fired after a service is registered and its readiness probe
+  * succeeds. Sourced from both `vis service start` (and `restart`'s
+  * post-start phase) and any future programmatic call sites.
+  */
+  "service:start": (entry: ServiceEntry) => Promise<void> | void;
+  /**
+  * Fired after a registered service is stopped (SIGTERM/SIGKILL
+  * acknowledged, registry entry deleted). Not fired when stop is
+  * called against an unknown id — only when there was an alive
+  * entry to terminate.
+  */
+  "service:stop": (entry: ServiceEntry) => Promise<void> | void;
+  /**
   * Fired after a task completes (success, failure, or cache hit).
   * Receives the final {@link TaskResult}.
   */
@@ -435,17 +455,6 @@ interface VisHooks {
   /** Fired when a task exits non-zero. */
   "task:failure": (task: Task, result: TaskResult) => Promise<void> | void;
   /**
-  * Fired with a stderr chunk as a running task emits it. Plugins
-  * that ship logs live (Slack, Datadog) should prefer this over
-  * `task:after` so they don't wait for the full buffer.
-  */
-  "task:stderr": (task: Task, chunk: string) => Promise<void> | void;
-  /**
-  * Fired with a stdout chunk as a running task emits it. See
-  * `task:stderr` for semantics.
-  */
-  "task:stdout": (task: Task, chunk: string) => Promise<void> | void;
-  /**
   * Fired during fingerprint construction, after built-in inputs are
   * gathered and before the hash is sealed. Plugins call
   * `contributor.contribute(key, value)` to mix arbitrary strings
@@ -470,25 +479,16 @@ interface VisHooks {
   */
   "task:retry": (task: Task, attempt: number, prevExitCode: number) => Promise<void> | void;
   /**
-  * Fired after `vis run` auto-attaches to one or more registered
-  * services. `taskIds` lists the in-graph dependents that consumed
-  * the service's `env` block; an empty array means the service was
-  * registered but no kept task depended on it.
-  */
-  "service:attach": (entry: ServiceEntry, taskIds: ReadonlyArray<string>) => Promise<void> | void;
-  /**
-  * Fired after a service is registered and its readiness probe
-  * succeeds. Sourced from both `vis service start` (and `restart`'s
-  * post-start phase) and any future programmatic call sites.
+  * Fired with a stderr chunk as a running task emits it. Plugins
+  * that ship logs live (Slack, Datadog) should prefer this over
+  * `task:after` so they don't wait for the full buffer.
   */
-  "service:start": (entry: ServiceEntry) => Promise<void> | void;
+  "task:stderr": (task: Task, chunk: string) => Promise<void> | void;
   /**
-  * Fired after a registered service is stopped (SIGTERM/SIGKILL
-  * acknowledged, registry entry deleted). Not fired when stop is
-  * called against an unknown id — only when there was an alive
-  * entry to terminate.
+  * Fired with a stdout chunk as a running task emits it. See
+  * `task:stderr` for semantics.
   */
-  "service:stop": (entry: ServiceEntry) => Promise<void> | void;
+  "task:stdout": (task: Task, chunk: string) => Promise<void> | void;
 }
 /**
 * Public plugin contract. Implementations register handlers by
@@ -919,6 +919,27 @@ interface VisConfig {
     corepack?: "auto" | boolean;
   };
   /**
+  * `vis-mcp` promotion notice shown after successful commands when an
+  * AI CLI (Claude Code, Cursor, Windsurf, Continue, Zed, Cline) is
+  * installed but `@visulima/vis-mcp` is not wired into its config.
+  *
+  * Shown at most once every 14 days; skipped in CI, non-TTY shells,
+  * during `--help`/`--version`/`ai`/`mcp` invocations, and when
+  * `VIS_NO_MCP_PROMOTE=1` is set. Set `enabled: false` to silence
+  * permanently for this workspace.
+  * @example
+  * ```
+  * mcpPromote: { enabled: false }
+  * ```
+  */
+  mcpPromote?: {
+    /**
+    * Show the vis-mcp promotion notice on successful command completion.
+    * @default true
+    */
+    enabled?: boolean;
+  };
+  /**
   * Named input patterns inherited by every project target. Equivalent
   * to task-runner's `namedInputs` but configurable from the vis config.
   */
@@ -1234,10 +1255,33 @@ interface VisConfig {
   };
   /**
   * Behavior of `vis run` when invoked tasks declare service dependencies
-  * that aren't running in the workspace registry. CLI `--services=<mode>`
+  * that aren't running in the workspace registry. CLI `--services=&lt;mode>`
   * overrides this block.
   */
   run?: {
+    /**
+    * Wrap each task's CI log block in collapsible groups so users
+    * can fold/unfold per-task output in the host CI's web UI.
+    * Failed tasks always render expanded so the failure is visible
+    * without an extra click.
+    *
+    * - `auto` (default): pick the format from the detected runner —
+    *   `GITHUB_ACTIONS=true` → `github` (`::group::`),
+    *   `GITLAB_CI=true` → `gitlab` (`section_start:` ANSI sequences),
+    *   `BUILDKITE=true` → `buildkite` (`---` collapsed headers),
+    *   `TF_BUILD=True` → `azure` (`##[group]`),
+    *   no grouping otherwise.
+    * - `off`: never group (raw separators only — useful when
+    *   piping through tools that mangle the directives).
+    * - `azure` / `buildkite` / `github` / `gitlab`: force the format
+    *   regardless of detected environment (useful for self-hosted
+    *   runners that don't set the standard env vars).
+    *
+    * CircleCI is intentionally not auto-detected: its 2.0+ format
+    * has no inline grouping directive — steps auto-group in the
+    * web UI without any markup from the runner.
+    */
+    ciGrouping?: "auto" | "azure" | "buildkite" | "github" | "gitlab" | "off";
     /**
     * One knob controlling auto-start of missing service deps.
     * - `auto` (default in TTY): pick by task — `dev` → ephemeral,