@visulima/vis 1.0.0-alpha.20 → 1.0.0-alpha.22

package/dist/config/index.d.ts

@@ -21,7 +21,7 @@ interface SimilarDepFamily {
   prefixes?: string[];
 }
 type VersionManagerName = "asdf" | "corepack" | "fnm" | "mise" | "none" | "nvm" | "proto" | "self-activate" | "volta";
-type RuntimeTool = "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
+type RuntimeTool = "aube" | "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
 interface ToolchainConfig {
   /**
   * When a tool pin doesn't match the running version, try to fix it
@@ -651,6 +651,12 @@ interface ProjectJson {
   * - `tool` — CLI or developer tooling shipped as an executable.
   */
   projectType?: "application" | "library" | "service" | "tool";
+  /**
+  * Marks the project as write-restricted. Consumed by
+  * `vis sync codeowners --write-guard` to scope the generated
+  * Write Guard workflow to this project's paths.
+  */
+  restricted?: boolean;
   /** Source root, used for display and language inference. */
   sourceRoot?: string;
   /** Tech stack. */
@@ -856,9 +862,18 @@ interface VisConfig {
   };
   /**
   * Auto-create targets from detected config files (Project Crystal-style).
-  * Inferred targets sit *below* explicit ones — anything in
+  * On by default; set `false` to disable entirely, or use the object
+  * form to disable individual detectors.
+  *
+  * Inferred targets sit *below* explicit ones — the command from
   * `package.json#scripts`, `project.json#targets`, or `vis.task.ts`
-  * wins per-key, so opting in never overrides existing setups.
+  * always wins per-key, so opting in never changes what runs. As a
+  * caching aid, when a `package.json` script's command *is* a
+  * detector's command (optionally with extra flags, no shell
+  * chaining) and the script declares no `inputs`/`outputs`, the
+  * detector's `inputs`/`outputs` are adopted so the script target can
+  * cache precisely and restore its artifacts. Customised/compound
+  * scripts are left untouched.
   *
   * Built-in detectors and the targets they synthesize:
   *
@@ -912,7 +927,7 @@ interface VisConfig {
   * opt individual detectors in or out by name. Detectors omitted from
   * the object run at their default (enabled). Useful when one
   * detector misfires for a given workspace without disabling the rest.
-  * @default false
+  * @default true
   */
   inferTargets?: Record<string, boolean> | boolean;
   /**
@@ -1503,6 +1518,53 @@ interface VisConfig {
         */
         allowedHosts?: string[];
         /**
+        * Bloom-filter prefilter for OSV `MAL-*` (malicious-package)
+        * advisories. Probes a ~380 KB filter fetched from
+        * `endevco/osv-bloom` and escalates hits to the existing
+        * advisory query path for `(name, version)` confirmation.
+        *
+        * Cost: ~380 KB on the wire, refreshed every 10 minutes
+        * upstream. False-positive rate is ~0.1%, so a typical
+        * 1000-package lockfile triggers zero or one extra
+        * round trip per audit.
+        *
+        * Independent of `audit.advisories.source` / `verify` —
+        * those control the full OSV ingest. The bloom is
+        * MAL-* only and aimed at cold-start preflight and
+        * ephemeral CI runners that haven't synced the full DB.
+        */
+        bloom?: {
+          /**
+          * Extra hosts permitted as `bloom.source`. The
+          * built-in allowlist (`endevco.github.io`) is enforced
+          * even if this field is omitted; entries here add to it.
+          */
+          allowedHosts?: string[];
+          /**
+          * Prefilter mode:
+          * - `off`: never run the bloom check.
+          * - `on`: run when a local filter is cached; on
+          *   fetch failure, fall back to the cached filter or
+          *   skip the prefilter (audit continues against the
+          *   non-bloom path).
+          * - `required`: hard-fail the audit when the bloom
+          *   refresh fails or the local cache is missing.
+          *   Use in hardened CI together with
+          *   `audit.advisories.source`.
+          * @default "off"
+          */
+          mode?: "off" | "on" | "required";
+          /**
+          * Bloom mirror base URL (no trailing slash). Defaults
+          * to the public `endevco/osv-bloom` GH Pages site.
+          * Override only if you mirror the bloom artifacts
+          * internally; the hostname must appear in
+          * `allowedHosts`.
+          * @default "https://endevco.github.io/osv-bloom"
+          */
+          source?: string;
+        };
+        /**
         * Number of hours after `lastSyncIso` before `vis audit`
         * prints a "your advisory cache may be stale" notice.
         * `vis audit` never auto-syncs — the user runs
@@ -1564,6 +1626,25 @@ interface VisConfig {
         };
       };
       /**
+      * Vulnerability scanner backend.
+      *
+      * - `auto` (default): delegate to `aube audit` when aube is the
+      *   active installer (its scanner reads the same lockfile and
+      *   produces equivalent severity ratings); otherwise run vis's
+      *   own OSV/Socket scanner.
+      * - `aube`: always delegate to `aube audit`. Errors if `aube` is
+      *   not on PATH.
+      * - `vis`: always use vis's built-in scanner — never delegate.
+      *
+      * Delegation avoids redundant work (aube already has a
+      * full-fidelity audit pass that respects its own exclusions
+      * via `aube-workspace.yaml::auditConfig`) and lets users get
+      * a single, consistent result regardless of which entry point
+      * they invoke.
+      * @default "auto"
+      */
+      backend?: "aube" | "auto" | "vis";
+      /**
       * When true, `vis audit` skips network calls and queries the
       * offline cache. Equivalent to the CLI `--offline` flag.
       * @default false
@@ -1578,9 +1659,50 @@ interface VisConfig {
     */
     blockExoticSubdeps?: boolean;
     /**
+    * Package names exempted from the `blockExoticSubdeps` check.
+    * Bare names and a trailing `*` glob (`@scope/*`) are supported.
+    * Use for an internal package legitimately published as a git or
+    * tarball dependency.
+    * @example ["@myorg/legacy", "internal-*"]
+    */
+    exoticSubdepsAllow?: string[];
+    /**
+    * deps.dev (Google Open Source Insights) data-source configuration.
+    * Public, unauthenticated; pulls Scorecard data + advisories from
+    * `api.deps.dev`. Complements or replaces Socket.dev. Heavily cached.
+    * @see https://docs.deps.dev/api/v3/
+    */
+    depsDev?: {
+      /**
+      * Cache TTL for advisory entries (immutable once published).
+      * @default 604_800_000 (7 days)
+      */
+      advisoryCacheTtlMs?: number;
+      /**
+      * Enable deps.dev scanning on install/update/check/audit commands.
+      * @default false
+      */
+      enabled?: boolean;
+      /**
+      * Cache TTL for OpenSSF Scorecard project data (refreshes weekly).
+      * @default 86_400_000 (24 hours)
+      */
+      projectCacheTtlMs?: number;
+      /**
+      * Request timeout in milliseconds.
+      * @default 15_000
+      */
+      timeoutMs?: number;
+      /**
+      * Cache TTL for npm version metadata (immutable).
+      * @default 604_800_000 (7 days)
+      */
+      versionCacheTtlMs?: number;
+    };
+    /**
     * Pre-install marshall pipeline — packument-derived supply-chain
-    * gates (author, provenance, new-bin, metadata, downloads,
-    * expired-domains, signatures, archived-repo) that run before
+    * gates (author, provenance, s1ngularity, new-bin, metadata,
+    * downloads, expired-domains, signatures, archived-repo) that run before
     * `vis add` / `vis install &lt;pkg>` / `vis update &lt;pkg>` hand off to
     * the underlying package manager. Every entry is optional; omit a
     * key and the marshall runs with defaults. Set `enabled: false`
@@ -1609,6 +1731,11 @@ interface VisConfig {
         /** Days since the resolved version was published — warning threshold. */
         recentVersionWarnDays?: number;
       };
+      /** npm `deprecated`-flag check on the resolved version. */
+      deprecation?: {
+        allowlist?: string[];
+        enabled?: boolean;
+      };
       /** Monthly download-count floor. */
       downloads?: {
         allowlist?: string[];
@@ -1637,12 +1764,30 @@ interface VisConfig {
         allowlist?: string[];
         enabled?: boolean;
       };
+      /** Whole-package age heuristics (newly created / unmaintained). */
+      packageAge?: {
+        allowlist?: string[];
+        enabled?: boolean; /** Package created fewer than this many days ago → error. Default 22. */
+        newPackageDays?: number;
+        /** No publish within this many days → warning. Default 365. */
+        unmaintainedDays?: number;
+      };
       /** Provenance regression check. */
       provenance?: {
         allowlist?: string[];
         enabled?: boolean;
       };
       /**
+      * Composite "compromised-publish shape" detector — flags a single
+      * version that simultaneously introduced/changed an install hook
+      * AND dropped the provenance attestation a prior stable version
+      * carried (the August 2025 s1ngularity / Nx fingerprint).
+      */
+      s1ngularity?: {
+        allowlist?: string[];
+        enabled?: boolean;
+      };
+      /**
       * ECDSA P-256 verification against npm's signing keys. Disabled
       * by default because npm coverage still has gaps that produce
       * noisy warnings on legitimate packages.
@@ -1867,6 +2012,54 @@ interface VisConfig {
       };
     };
     /**
+    * Which provider wins merge conflicts when multiple are enabled (e.g.
+    * both Socket.dev and deps.dev return data for the same package). The
+    * primary provider's `score` is kept; alerts from secondaries are
+    * appended and deduped by `key`. Defaults to whichever provider is
+    * enabled first in this order: socket → deps-dev → snyk.
+    */
+    primaryProvider?: "deps-dev" | "snyk" | "socket";
+    /**
+    * Snyk data-source configuration. Snyk only contributes vulnerability
+    * data (no maintenance / quality / supply-chain / license signal);
+    * those axes stay neutral. Requires both an org id and an API token —
+    * if either is missing the provider is skipped.
+    * @see https://docs.snyk.io/snyk-api/using-specific-snyk-apis/issues-list-issues-for-a-package
+    */
+    snyk?: {
+      /**
+      * Snyk API token. Set via VIS_SNYK_TOKEN environment variable or
+      * here.
+      */
+      apiToken?: string;
+      /**
+      * Snyk REST API version date sent as the `version` query param.
+      * @default "2024-10-15"
+      */
+      apiVersion?: string;
+      /**
+      * Cache TTL in milliseconds for Snyk issue lookups.
+      * @default 21_600_000 (6 hours)
+      */
+      cacheTtlMs?: number;
+      /**
+      * Enable Snyk security scanning on install/update/check/audit
+      * commands.
+      * @default false
+      */
+      enabled?: boolean;
+      /**
+      * Snyk organization id (the REST endpoint is org-scoped). Set via
+      * VIS_SNYK_ORG environment variable or here.
+      */
+      orgId?: string;
+      /**
+      * Request timeout in milliseconds for the Snyk API.
+      * @default 15_000 (15 seconds)
+      */
+      timeoutMs?: number;
+    };
+    /**
     * Socket.dev data-source configuration. Connection knobs only — score
     * thresholds and accepted-risk overrides moved to `policies.score` and
     * `security.acceptedRisks` respectively.