@visulima/vis 1.0.0-alpha.21 → 1.0.0-alpha.23

package/dist/bin.js

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-import"./packem_chunks/bin.js";import"./packem_chunks/config.js";
+import"./packem_shared/index-CZX_II5N.js";import"./packem_chunks/bin.js";import"./packem_chunks/config.js";import"./packem_shared/readFileSync-CGmzMUF2-D6rUjGDn.js";

package/dist/binx.js

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+import{N as r,m as o,i as c,T as i,w as a,a as n}from"./packem_shared/index-CZX_II5N.js";r();process.argv.includes("--no-color")&&(process.env.NO_COLOR="1",process.env.FORCE_COLOR="0");process.argv.slice(2).some(s=>s==="--version"||s==="-v"||s==="-V")&&(process.stdout.write(`${o.version}
+`),process.exit(0));process.argv.splice(2,0,"dlx");c();const e=i("visx",{packageName:"visx",packageVersion:o.version}),p=process.argv.includes("--debug")||!!process.env.DEBUG;e.addPlugin(a({detailed:p,exitOnError:!1}));e.addCommand(n);(async()=>{try{await e.run({shouldExitProcess:!1})}catch{process.exitCode=process.exitCode||1}finally{process.exit(process.exitCode??0)}})();

package/dist/config/index.d.ts

@@ -21,7 +21,7 @@ interface SimilarDepFamily {
   prefixes?: string[];
 }
 type VersionManagerName = "asdf" | "corepack" | "fnm" | "mise" | "none" | "nvm" | "proto" | "self-activate" | "volta";
-type RuntimeTool = "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
+type RuntimeTool = "aube" | "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
 interface ToolchainConfig {
   /**
   * When a tool pin doesn't match the running version, try to fix it
@@ -651,6 +651,12 @@ interface ProjectJson {
   * - `tool` — CLI or developer tooling shipped as an executable.
   */
   projectType?: "application" | "library" | "service" | "tool";
+  /**
+  * Marks the project as write-restricted. Consumed by
+  * `vis sync codeowners --write-guard` to scope the generated
+  * Write Guard workflow to this project's paths.
+  */
+  restricted?: boolean;
   /** Source root, used for display and language inference. */
   sourceRoot?: string;
   /** Tech stack. */
@@ -856,9 +862,18 @@ interface VisConfig {
   };
   /**
   * Auto-create targets from detected config files (Project Crystal-style).
-  * Inferred targets sit *below* explicit ones — anything in
+  * On by default; set `false` to disable entirely, or use the object
+  * form to disable individual detectors.
+  *
+  * Inferred targets sit *below* explicit ones — the command from
   * `package.json#scripts`, `project.json#targets`, or `vis.task.ts`
-  * wins per-key, so opting in never overrides existing setups.
+  * always wins per-key, so opting in never changes what runs. As a
+  * caching aid, when a `package.json` script's command *is* a
+  * detector's command (optionally with extra flags, no shell
+  * chaining) and the script declares no `inputs`/`outputs`, the
+  * detector's `inputs`/`outputs` are adopted so the script target can
+  * cache precisely and restore its artifacts. Customised/compound
+  * scripts are left untouched.
   *
   * Built-in detectors and the targets they synthesize:
   *
@@ -912,7 +927,7 @@ interface VisConfig {
   * opt individual detectors in or out by name. Detectors omitted from
   * the object run at their default (enabled). Useful when one
   * detector misfires for a given workspace without disabling the rest.
-  * @default false
+  * @default true
   */
   inferTargets?: Record<string, boolean> | boolean;
   /**
@@ -1503,6 +1518,53 @@ interface VisConfig {
         */
         allowedHosts?: string[];
         /**
+        * Bloom-filter prefilter for OSV `MAL-*` (malicious-package)
+        * advisories. Probes a ~380 KB filter fetched from
+        * `endevco/osv-bloom` and escalates hits to the existing
+        * advisory query path for `(name, version)` confirmation.
+        *
+        * Cost: ~380 KB on the wire, refreshed every 10 minutes
+        * upstream. False-positive rate is ~0.1%, so a typical
+        * 1000-package lockfile triggers zero or one extra
+        * round trip per audit.
+        *
+        * Independent of `audit.advisories.source` / `verify` —
+        * those control the full OSV ingest. The bloom is
+        * MAL-* only and aimed at cold-start preflight and
+        * ephemeral CI runners that haven't synced the full DB.
+        */
+        bloom?: {
+          /**
+          * Extra hosts permitted as `bloom.source`. The
+          * built-in allowlist (`endevco.github.io`) is enforced
+          * even if this field is omitted; entries here add to it.
+          */
+          allowedHosts?: string[];
+          /**
+          * Prefilter mode:
+          * - `off`: never run the bloom check.
+          * - `on`: run when a local filter is cached; on
+          *   fetch failure, fall back to the cached filter or
+          *   skip the prefilter (audit continues against the
+          *   non-bloom path).
+          * - `required`: hard-fail the audit when the bloom
+          *   refresh fails or the local cache is missing.
+          *   Use in hardened CI together with
+          *   `audit.advisories.source`.
+          * @default "off"
+          */
+          mode?: "off" | "on" | "required";
+          /**
+          * Bloom mirror base URL (no trailing slash). Defaults
+          * to the public `endevco/osv-bloom` GH Pages site.
+          * Override only if you mirror the bloom artifacts
+          * internally; the hostname must appear in
+          * `allowedHosts`.
+          * @default "https://endevco.github.io/osv-bloom"
+          */
+          source?: string;
+        };
+        /**
         * Number of hours after `lastSyncIso` before `vis audit`
         * prints a "your advisory cache may be stale" notice.
         * `vis audit` never auto-syncs — the user runs
@@ -1564,6 +1626,25 @@ interface VisConfig {
         };
       };
       /**
+      * Vulnerability scanner backend.
+      *
+      * - `auto` (default): delegate to `aube audit` when aube is the
+      *   active installer (its scanner reads the same lockfile and
+      *   produces equivalent severity ratings); otherwise run vis's
+      *   own OSV/Socket scanner.
+      * - `aube`: always delegate to `aube audit`. Errors if `aube` is
+      *   not on PATH.
+      * - `vis`: always use vis's built-in scanner — never delegate.
+      *
+      * Delegation avoids redundant work (aube already has a
+      * full-fidelity audit pass that respects its own exclusions
+      * via `aube-workspace.yaml::auditConfig`) and lets users get
+      * a single, consistent result regardless of which entry point
+      * they invoke.
+      * @default "auto"
+      */
+      backend?: "aube" | "auto" | "vis";
+      /**
       * When true, `vis audit` skips network calls and queries the
       * offline cache. Equivalent to the CLI `--offline` flag.
       * @default false
@@ -1578,9 +1659,50 @@ interface VisConfig {
     */
     blockExoticSubdeps?: boolean;
     /**
+    * Package names exempted from the `blockExoticSubdeps` check.
+    * Bare names and a trailing `*` glob (`@scope/*`) are supported.
+    * Use for an internal package legitimately published as a git or
+    * tarball dependency.
+    * @example ["@myorg/legacy", "internal-*"]
+    */
+    exoticSubdepsAllow?: string[];
+    /**
+    * deps.dev (Google Open Source Insights) data-source configuration.
+    * Public, unauthenticated; pulls Scorecard data + advisories from
+    * `api.deps.dev`. Complements or replaces Socket.dev. Heavily cached.
+    * @see https://docs.deps.dev/api/v3/
+    */
+    depsDev?: {
+      /**
+      * Cache TTL for advisory entries (immutable once published). 7 days.
+      * @default 604800000
+      */
+      advisoryCacheTtlMs?: number;
+      /**
+      * Enable deps.dev scanning on install/update/check/audit commands.
+      * @default false
+      */
+      enabled?: boolean;
+      /**
+      * Cache TTL for OpenSSF Scorecard project data (refreshes weekly). 24 hours.
+      * @default 86400000
+      */
+      projectCacheTtlMs?: number;
+      /**
+      * Request timeout in milliseconds.
+      * @default 15000
+      */
+      timeoutMs?: number;
+      /**
+      * Cache TTL for npm version metadata (immutable). 7 days.
+      * @default 604800000
+      */
+      versionCacheTtlMs?: number;
+    };
+    /**
     * Pre-install marshall pipeline — packument-derived supply-chain
-    * gates (author, provenance, new-bin, metadata, downloads,
-    * expired-domains, signatures, archived-repo) that run before
+    * gates (author, provenance, s1ngularity, new-bin, metadata,
+    * downloads, expired-domains, signatures, archived-repo) that run before
     * `vis add` / `vis install &lt;pkg>` / `vis update &lt;pkg>` hand off to
     * the underlying package manager. Every entry is optional; omit a
     * key and the marshall runs with defaults. Set `enabled: false`
@@ -1609,6 +1731,11 @@ interface VisConfig {
         /** Days since the resolved version was published — warning threshold. */
         recentVersionWarnDays?: number;
       };
+      /** npm `deprecated`-flag check on the resolved version. */
+      deprecation?: {
+        allowlist?: string[];
+        enabled?: boolean;
+      };
       /** Monthly download-count floor. */
       downloads?: {
         allowlist?: string[];
@@ -1637,12 +1764,30 @@ interface VisConfig {
         allowlist?: string[];
         enabled?: boolean;
       };
+      /** Whole-package age heuristics (newly created / unmaintained). */
+      packageAge?: {
+        allowlist?: string[];
+        enabled?: boolean; /** Package created fewer than this many days ago → error. Default 22. */
+        newPackageDays?: number;
+        /** No publish within this many days → warning. Default 365. */
+        unmaintainedDays?: number;
+      };
       /** Provenance regression check. */
       provenance?: {
         allowlist?: string[];
         enabled?: boolean;
       };
       /**
+      * Composite "compromised-publish shape" detector — flags a single
+      * version that simultaneously introduced/changed an install hook
+      * AND dropped the provenance attestation a prior stable version
+      * carried (the August 2025 s1ngularity / Nx fingerprint).
+      */
+      s1ngularity?: {
+        allowlist?: string[];
+        enabled?: boolean;
+      };
+      /**
       * ECDSA P-256 verification against npm's signing keys. Disabled
       * by default because npm coverage still has gaps that produce
       * noisy warnings on legitimate packages.
@@ -1867,6 +2012,54 @@ interface VisConfig {
       };
     };
     /**
+    * Which provider wins merge conflicts when multiple are enabled (e.g.
+    * both Socket.dev and deps.dev return data for the same package). The
+    * primary provider's `score` is kept; alerts from secondaries are
+    * appended and deduped by `key`. Defaults to whichever provider is
+    * enabled first in this order: socket → deps-dev → snyk.
+    */
+    primaryProvider?: "deps-dev" | "snyk" | "socket";
+    /**
+    * Snyk data-source configuration. Snyk only contributes vulnerability
+    * data (no maintenance / quality / supply-chain / license signal);
+    * those axes stay neutral. Requires both an org id and an API token —
+    * if either is missing the provider is skipped.
+    * @see https://docs.snyk.io/snyk-api/using-specific-snyk-apis/issues-list-issues-for-a-package
+    */
+    snyk?: {
+      /**
+      * Snyk API token. Set via VIS_SNYK_TOKEN environment variable or
+      * here.
+      */
+      apiToken?: string;
+      /**
+      * Snyk REST API version date sent as the `version` query param.
+      * @default "2024-10-15"
+      */
+      apiVersion?: string;
+      /**
+      * Cache TTL in milliseconds for Snyk issue lookups. 6 hours.
+      * @default 21600000
+      */
+      cacheTtlMs?: number;
+      /**
+      * Enable Snyk security scanning on install/update/check/audit
+      * commands.
+      * @default false
+      */
+      enabled?: boolean;
+      /**
+      * Snyk organization id (the REST endpoint is org-scoped). Set via
+      * VIS_SNYK_ORG environment variable or here.
+      */
+      orgId?: string;
+      /**
+      * Request timeout in milliseconds for the Snyk API. 15 seconds.
+      * @default 15000
+      */
+      timeoutMs?: number;
+    };
+    /**
     * Socket.dev data-source configuration. Connection knobs only — score
     * thresholds and accepted-risk overrides moved to `policies.score` and
     * `security.acceptedRisks` respectively.
@@ -1879,8 +2072,8 @@ interface VisConfig {
       */
       apiToken?: string;
       /**
-      * Cache TTL in milliseconds for Socket.dev reports.
-      * @default 3_600_000 (1 hour)
+      * Cache TTL in milliseconds for Socket.dev reports. 1 hour.
+      * @default 3600000
       */
       cacheTtlMs?: number;
       /**
@@ -1889,8 +2082,8 @@ interface VisConfig {
       */
       enabled?: boolean;
       /**
-      * Request timeout in milliseconds for the Socket.dev API.
-      * @default 15_000 (15 seconds)
+      * Request timeout in milliseconds for the Socket.dev API. 15 seconds.
+      * @default 15000
       */
       timeoutMs?: number;
     };
@@ -2753,10 +2946,12 @@ declare const loadVisTaskConfig: (workspaceRoot: string, projectDirectory: strin
 declare const defineTaskConfig: (config: VisTaskConfig) => VisTaskConfig;
 /**
 * Type-safe helper for defining vis configuration.
-* Provides full TypeScript autocomplete when used in `vis.config.ts`.
 *
-* Secure defaults are applied automatically — you only need to specify overrides.
-* To see the active defaults, run `vis check --security-config`.
+* Pure typed-identity — returns its argument unchanged. The point is purely
+* editor autocomplete and structural type-checking on the literal you pass
+* in. Secure defaults are applied by `loadVisConfig` at load time, not here,
+* so wrapping vs. using `satisfies VisConfig` produces the exact same
+* runtime behavior. To see the active defaults, run `vis check --security-config`.
 * @example
 * ```typescript
 * // vis.config.ts — minimal config, fully secured by defaults
@@ -2775,21 +2970,6 @@ declare const defineTaskConfig: (config: VisTaskConfig) => VisTaskConfig;
 *     },
 * });
 * ```
-* @example
-* ```typescript
-* // vis.config.ts — override a default
-* import { defineConfig } from "@visulima/vis/config";
-*
-* export default defineConfig({
-*     security: {
-*         policies: {
-*             // Relax cooldown to 24 hours instead of the default 14 days
-*             firstSeen: { minutes: 1440 },
-*             installScripts: { allow: { esbuild: true } },
-*         },
-*     },
-* });
-* ```
 */
 declare const defineConfig: (config: VisConfig) => VisConfig;
 export { CONFIG_FILES, type OtelPluginOptions, SECURITY_DEFAULTS, TASK_CONFIG_FILES, type VisConfig, type VisHooks, type VisPlugin, type VisTaskConfig, applyDefaults, defineConfig, definePlugin, defineTaskConfig, findVisConfigFile, findVisTaskConfigFile, loadVisConfig, loadVisTaskConfig, otelPlugin };

package/dist/config/index.js

@@ -1 +1 @@
-import{h as s,l as f,V as o,y as e,c as n,a as l,j as C,G as g,e as d,r}from"../packem_chunks/config.js";import{definePlugin as T}from"../packem_shared/definePlugin-CWm4Dv_t.js";import{otelPlugin as t}from"../packem_shared/otelPlugin-CJR2T_lk.js";export{s as CONFIG_FILES,f as SECURITY_DEFAULTS,o as TASK_CONFIG_FILES,e as applyDefaults,n as defineConfig,T as definePlugin,l as defineTaskConfig,C as findVisConfigFile,g as findVisTaskConfigFile,d as loadVisConfig,r as loadVisTaskConfig,t as otelPlugin};
+import{h as s,l as f,V as o,m as e,c as n,a as l,j as C,G as g,e as d,r}from"../packem_chunks/config.js";import{definePlugin as T}from"../packem_shared/definePlugin-CWm4Dv_t.js";import{otelPlugin as t}from"../packem_shared/otelPlugin-CJR2T_lk.js";export{s as CONFIG_FILES,f as SECURITY_DEFAULTS,o as TASK_CONFIG_FILES,e as applyDefaults,n as defineConfig,T as definePlugin,l as defineTaskConfig,C as findVisConfigFile,g as findVisTaskConfigFile,d as loadVisConfig,r as loadVisTaskConfig,t as otelPlugin};