@visulima/vis 1.0.0-alpha.4 → 1.0.0-alpha.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (345) hide show
  1. package/CHANGELOG.md +1216 -78
  2. package/LICENSE.md +13068 -6
  3. package/README.md +388 -26
  4. package/dashboard/dist/index.html +152 -0
  5. package/dist/bin.js +1 -853
  6. package/dist/binx.js +3 -0
  7. package/dist/config/index.d.ts +3258 -0
  8. package/dist/config/index.js +1 -0
  9. package/dist/generate/index.d.ts +157 -0
  10. package/dist/generate/index.js +1 -0
  11. package/dist/packem_chunks/DEFAULT_CLEAN_KEEP.js +1 -0
  12. package/dist/packem_chunks/bin.js +1198 -0
  13. package/dist/packem_chunks/bloom-status.js +2 -0
  14. package/dist/packem_chunks/bloom-sync.js +2 -0
  15. package/dist/packem_chunks/cache-attestation.js +1 -0
  16. package/dist/packem_chunks/catalog-detector.js +1 -0
  17. package/dist/packem_chunks/config.js +21 -0
  18. package/dist/packem_chunks/detect.js +3 -0
  19. package/dist/packem_chunks/detect2.js +8 -0
  20. package/dist/packem_chunks/devtools.js +81 -0
  21. package/dist/packem_chunks/discord.js +4 -0
  22. package/dist/packem_chunks/doctor-probe.js +2 -0
  23. package/dist/packem_chunks/dynamic-import.js +1 -0
  24. package/dist/packem_chunks/extra-files.js +3 -0
  25. package/dist/packem_chunks/fix.js +11 -0
  26. package/dist/packem_chunks/git.js +3 -0
  27. package/dist/packem_chunks/handler.js +1 -0
  28. package/dist/packem_chunks/handler10.js +1 -0
  29. package/dist/packem_chunks/handler11.js +5 -0
  30. package/dist/packem_chunks/handler12.js +1 -0
  31. package/dist/packem_chunks/handler13.js +27 -0
  32. package/dist/packem_chunks/handler14.js +5 -0
  33. package/dist/packem_chunks/handler15.js +1 -0
  34. package/dist/packem_chunks/handler16.js +1 -0
  35. package/dist/packem_chunks/handler17.js +1 -0
  36. package/dist/packem_chunks/handler18.js +1 -0
  37. package/dist/packem_chunks/handler19.js +1 -0
  38. package/dist/packem_chunks/handler2.js +4 -0
  39. package/dist/packem_chunks/handler20.js +5 -0
  40. package/dist/packem_chunks/handler21.js +2 -0
  41. package/dist/packem_chunks/handler22.js +2 -0
  42. package/dist/packem_chunks/handler23.js +1 -0
  43. package/dist/packem_chunks/handler24.js +1 -0
  44. package/dist/packem_chunks/handler25.js +1 -0
  45. package/dist/packem_chunks/handler26.js +5 -0
  46. package/dist/packem_chunks/handler27.js +1 -0
  47. package/dist/packem_chunks/handler28.js +3 -0
  48. package/dist/packem_chunks/handler29.js +1 -0
  49. package/dist/packem_chunks/handler3.js +4 -0
  50. package/dist/packem_chunks/handler30.js +2 -0
  51. package/dist/packem_chunks/handler31.js +2 -0
  52. package/dist/packem_chunks/handler32.js +2 -0
  53. package/dist/packem_chunks/handler33.js +3 -0
  54. package/dist/packem_chunks/handler34.js +6 -0
  55. package/dist/packem_chunks/handler35.js +1 -0
  56. package/dist/packem_chunks/handler36.js +42 -0
  57. package/dist/packem_chunks/handler37.js +8 -0
  58. package/dist/packem_chunks/handler38.js +9 -0
  59. package/dist/packem_chunks/handler39.js +75 -0
  60. package/dist/packem_chunks/handler4.js +6 -0
  61. package/dist/packem_chunks/handler40.js +5 -0
  62. package/dist/packem_chunks/handler41.js +4 -0
  63. package/dist/packem_chunks/handler42.js +3 -0
  64. package/dist/packem_chunks/handler43.js +2 -0
  65. package/dist/packem_chunks/handler44.js +1 -0
  66. package/dist/packem_chunks/handler45.js +1 -0
  67. package/dist/packem_chunks/handler46.js +1 -0
  68. package/dist/packem_chunks/handler47.js +3 -0
  69. package/dist/packem_chunks/handler48.js +1 -0
  70. package/dist/packem_chunks/handler49.js +7 -0
  71. package/dist/packem_chunks/handler5.js +8 -0
  72. package/dist/packem_chunks/handler50.js +33 -0
  73. package/dist/packem_chunks/handler51.js +3 -0
  74. package/dist/packem_chunks/handler52.js +8 -0
  75. package/dist/packem_chunks/handler53.js +4 -0
  76. package/dist/packem_chunks/handler54.js +1 -0
  77. package/dist/packem_chunks/handler55.js +12 -0
  78. package/dist/packem_chunks/handler56.js +7 -0
  79. package/dist/packem_chunks/handler57.js +5 -0
  80. package/dist/packem_chunks/handler58.js +11 -0
  81. package/dist/packem_chunks/handler59.js +3 -0
  82. package/dist/packem_chunks/handler6.js +1 -0
  83. package/dist/packem_chunks/handler60.js +22 -0
  84. package/dist/packem_chunks/handler61.js +61 -0
  85. package/dist/packem_chunks/handler62.js +3 -0
  86. package/dist/packem_chunks/handler63.js +6 -0
  87. package/dist/packem_chunks/handler64.js +708 -0
  88. package/dist/packem_chunks/handler65.js +24 -0
  89. package/dist/packem_chunks/handler66.js +25 -0
  90. package/dist/packem_chunks/handler67.js +153 -0
  91. package/dist/packem_chunks/handler68.js +10 -0
  92. package/dist/packem_chunks/handler69.js +24 -0
  93. package/dist/packem_chunks/handler7.js +1 -0
  94. package/dist/packem_chunks/handler70.js +322 -0
  95. package/dist/packem_chunks/handler71.js +48 -0
  96. package/dist/packem_chunks/handler72.js +27 -0
  97. package/dist/packem_chunks/handler73.js +3 -0
  98. package/dist/packem_chunks/handler74.js +190 -0
  99. package/dist/packem_chunks/handler75.js +38 -0
  100. package/dist/packem_chunks/handler8.js +1 -0
  101. package/dist/packem_chunks/handler9.js +1 -0
  102. package/dist/packem_chunks/heal-accept.js +10 -0
  103. package/dist/packem_chunks/heal.js +14 -0
  104. package/dist/packem_chunks/help-command.js +31 -0
  105. package/dist/packem_chunks/index.js +1 -0
  106. package/dist/packem_chunks/index2.js +7 -0
  107. package/dist/packem_chunks/interface.js +2 -0
  108. package/dist/packem_chunks/keys-refresh.js +4 -0
  109. package/dist/packem_chunks/list.js +3 -0
  110. package/dist/packem_chunks/loader.js +4 -0
  111. package/dist/packem_chunks/loader2.js +1 -0
  112. package/dist/packem_chunks/orchestrator.js +39 -0
  113. package/dist/packem_chunks/pre-mode.js +2 -0
  114. package/dist/packem_chunks/print-config.js +2 -0
  115. package/dist/packem_chunks/prompts.js +7 -0
  116. package/dist/packem_chunks/prune.js +3 -0
  117. package/dist/packem_chunks/publish-guards.js +1 -0
  118. package/dist/packem_chunks/registry.js +48 -0
  119. package/dist/packem_chunks/resolveFormatter.js +9 -0
  120. package/dist/packem_chunks/run.js +1 -0
  121. package/dist/packem_chunks/security.js +1 -0
  122. package/dist/packem_chunks/shell-runner.js +1 -0
  123. package/dist/packem_chunks/slack.js +2 -0
  124. package/dist/packem_chunks/snapshot.js +2 -0
  125. package/dist/packem_chunks/stage-publisher.js +1 -0
  126. package/dist/packem_chunks/staged-registry.js +2 -0
  127. package/dist/packem_chunks/state.js +3 -0
  128. package/dist/packem_chunks/status.js +2 -0
  129. package/dist/packem_chunks/success-walk.js +8 -0
  130. package/dist/packem_chunks/sync.js +2 -0
  131. package/dist/packem_chunks/sync2.js +2 -0
  132. package/dist/packem_chunks/tar.js +3 -0
  133. package/dist/packem_chunks/tripwire.js +2 -0
  134. package/dist/packem_chunks/verify-lockfile.js +2 -0
  135. package/dist/packem_chunks/version-resolver.js +2 -0
  136. package/dist/packem_chunks/webhook.js +1 -0
  137. package/dist/packem_chunks/workflow-templates.js +167 -0
  138. package/dist/packem_chunks/workspace.js +2 -0
  139. package/dist/packem_shared/AfterAllProjectsVersioned-CAKI2nWf.js +1 -0
  140. package/dist/packem_shared/CONFIG_FILES-BfaR0jKT.js +1 -0
  141. package/dist/packem_shared/MultiSpinner-B9U0-aE3-B-gIXhFk.js +3 -0
  142. package/dist/packem_shared/ReleaseClient-YHzBIxYS.js +1 -0
  143. package/dist/packem_shared/Table-CcVkyULl-B_ef6zfS.js +35 -0
  144. package/dist/packem_shared/VisReleaseError-DMGRBTNO.js +1 -0
  145. package/dist/packem_shared/_commonjsHelpers-B5Y90VFO.js +1 -0
  146. package/dist/packem_shared/advisories-DLeO5KMN.js +1 -0
  147. package/dist/packem_shared/affected-shas-cVnX8-zs.js +1 -0
  148. package/dist/packem_shared/ai-analysis-BUeX2J2H.js +68 -0
  149. package/dist/packem_shared/ai-fix-9Vzlp6XU.js +43 -0
  150. package/dist/packem_shared/anolilab-text-CAM_E6uK.js +13 -0
  151. package/dist/packem_shared/api.d-BPftyU9r.d.ts +27 -0
  152. package/dist/packem_shared/build-scripts-CCCi8U66.js +1 -0
  153. package/dist/packem_shared/createAdapter-bU4DIP3F.js +1 -0
  154. package/dist/packem_shared/createVersionActions-BK43SNDH.js +1 -0
  155. package/dist/packem_shared/cyclonedx-kYozDyxp.js +4 -0
  156. package/dist/packem_shared/defineFormatter-D5dCp6Kv.js +1 -0
  157. package/dist/packem_shared/definePlugin-DoUcoYSy.js +1 -0
  158. package/dist/packem_shared/dependency-scan-DnTgYleU.js +1 -0
  159. package/dist/packem_shared/docker-BMLrNtWm.js +59 -0
  160. package/dist/packem_shared/failure-log-CEWP3bP0.js +2 -0
  161. package/dist/packem_shared/giget-DHY1sQZC.js +2 -0
  162. package/dist/packem_shared/glob-fqg4KepW-B7EjLRvw.js +1 -0
  163. package/dist/packem_shared/index-BDmTbWX1.js +19 -0
  164. package/dist/packem_shared/index-CgcF6_wo.js +1 -0
  165. package/dist/packem_shared/index-Du8RWawQ.js +1 -0
  166. package/dist/packem_shared/index-yBikBkHT.js +30 -0
  167. package/dist/packem_shared/interface.d-B7VK2rcH.d.ts +148 -0
  168. package/dist/packem_shared/interface.d-Cezzifoh.d.ts +106 -0
  169. package/dist/packem_shared/license-t5KnNX6v.js +1 -0
  170. package/dist/packem_shared/lifecycle-4z9hHE5b.js +2 -0
  171. package/dist/packem_shared/lockfile-C8Q1_4KK.js +1 -0
  172. package/dist/packem_shared/manifests-Dj3pRKBT.js +1 -0
  173. package/dist/packem_shared/min-release-age-D1alDE3K.js +34 -0
  174. package/dist/packem_shared/missing-package-json-8vNHwbqw.js +1 -0
  175. package/dist/packem_shared/native-config-sync-BEkJW7g3.js +21 -0
  176. package/dist/packem_shared/osv-bloom-B03tUWf3.js +2 -0
  177. package/dist/packem_shared/otelPlugin-DmKDBaPo.js +1 -0
  178. package/dist/packem_shared/peer-warnings-BXAzXqY3.js +1 -0
  179. package/dist/packem_shared/pm-runner-OGResYrA.js +1 -0
  180. package/dist/packem_shared/provenance-_CJjMKwu.js +1 -0
  181. package/dist/packem_shared/public-api-WqUCiyIe.js +131 -0
  182. package/dist/packem_shared/registry-keys-BfFto6vI.js +1 -0
  183. package/dist/packem_shared/resolve-explicit-CMDl55Nz.js +5 -0
  184. package/dist/packem_shared/runtime-check-Stc9AI78.js +1 -0
  185. package/dist/packem_shared/s1ngularity-Dhr3bPk0.js +1 -0
  186. package/dist/packem_shared/scan-progress-CFhc0CMj.js +2 -0
  187. package/dist/packem_shared/selectors-GCJIe342.js +3 -0
  188. package/dist/packem_shared/signatures-C730vkyK.js +2 -0
  189. package/dist/packem_shared/slug-DoueYuLo.js +1 -0
  190. package/dist/packem_shared/spinner-CV3WVJLv.js +1 -0
  191. package/dist/packem_shared/sticky-comment-D6_7-w8T.js +1 -0
  192. package/dist/packem_shared/subtree-C7bZuiSQ.js +2 -0
  193. package/dist/packem_shared/symbols-DPTlrJ3B.js +1 -0
  194. package/dist/packem_shared/tabs-BuTy5gPV.js +1 -0
  195. package/dist/packem_shared/toolchain-pR7AJ-tB.js +5 -0
  196. package/dist/packem_shared/typosquats-DN78xx1x.js +1 -0
  197. package/dist/packem_shared/use-measured-height-_eVGWtWt.js +1 -0
  198. package/dist/packem_shared/utils-Cxree603.js +1 -0
  199. package/dist/packem_shared/verify-6WCmFmy8.js +1 -0
  200. package/dist/packem_shared/vis-update-app-k3fDxech.js +1 -0
  201. package/dist/packem_shared/watch-BvIwLG4N.js +1 -0
  202. package/dist/packem_shared/watch-loop-DWkvv2tK.js +11 -0
  203. package/dist/release/core/changelog/index.d.ts +5 -0
  204. package/dist/release/core/changelog/index.js +1 -0
  205. package/dist/release/core/package-managers/index.d.ts +6 -0
  206. package/dist/release/core/package-managers/index.js +1 -0
  207. package/dist/release/core/version-actions/index.d.ts +14 -0
  208. package/dist/release/core/version-actions/index.js +1 -0
  209. package/dist/release/index.d.ts +196 -0
  210. package/dist/release/index.js +1 -0
  211. package/dist/release/plugin-sdk.d.ts +127 -0
  212. package/dist/release/plugin-sdk.js +1 -0
  213. package/dist/release/presets.d.ts +225 -0
  214. package/dist/release/presets.js +1 -0
  215. package/dist/release/types.d.ts +1377 -0
  216. package/dist/release/types.js +1 -0
  217. package/index.d.ts +436 -0
  218. package/index.js +80 -57
  219. package/package.json +109 -45
  220. package/schemas/project.schema.json +991 -0
  221. package/schemas/vis-config.schema.json +6377 -0
  222. package/schemas/vis-release-config.schema.json +1390 -0
  223. package/skills/vis/SKILL.md +96 -0
  224. package/templates/buildkite-ci/.buildkite/pipeline.yml.tera +85 -0
  225. package/templates/buildkite-ci/template.yml +20 -0
  226. package/dist/ai-analysis.d.ts +0 -40
  227. package/dist/ai-cache.d.ts +0 -21
  228. package/dist/audit-config.d.ts +0 -24
  229. package/dist/bin.d.ts +0 -1
  230. package/dist/catalog.d.ts +0 -118
  231. package/dist/commands/add.d.ts +0 -3
  232. package/dist/commands/affected.d.ts +0 -3
  233. package/dist/commands/ai.d.ts +0 -3
  234. package/dist/commands/analyze.d.ts +0 -3
  235. package/dist/commands/approve-builds.d.ts +0 -3
  236. package/dist/commands/audit.d.ts +0 -23
  237. package/dist/commands/check.d.ts +0 -3
  238. package/dist/commands/clean.d.ts +0 -3
  239. package/dist/commands/create/discovery.d.ts +0 -42
  240. package/dist/commands/create/index.d.ts +0 -13
  241. package/dist/commands/create/prompts.d.ts +0 -31
  242. package/dist/commands/create/random-name.d.ts +0 -15
  243. package/dist/commands/create/templates/builtin.d.ts +0 -15
  244. package/dist/commands/create/templates/generator.d.ts +0 -14
  245. package/dist/commands/create/templates/index.d.ts +0 -13
  246. package/dist/commands/create/templates/monorepo.d.ts +0 -16
  247. package/dist/commands/create/templates/remote.d.ts +0 -41
  248. package/dist/commands/create/templates/types.d.ts +0 -46
  249. package/dist/commands/create/utils.d.ts +0 -42
  250. package/dist/commands/dedupe.d.ts +0 -3
  251. package/dist/commands/devcontainer.d.ts +0 -3
  252. package/dist/commands/dlx.d.ts +0 -3
  253. package/dist/commands/doctor.d.ts +0 -15
  254. package/dist/commands/exec.d.ts +0 -3
  255. package/dist/commands/graph.d.ts +0 -3
  256. package/dist/commands/hook/constants.d.ts +0 -8
  257. package/dist/commands/hook/index.d.ts +0 -3
  258. package/dist/commands/hook/install.d.ts +0 -7
  259. package/dist/commands/hook/migrate.d.ts +0 -27
  260. package/dist/commands/hook/uninstall.d.ts +0 -3
  261. package/dist/commands/implode.d.ts +0 -3
  262. package/dist/commands/init.d.ts +0 -14
  263. package/dist/commands/install.d.ts +0 -3
  264. package/dist/commands/link.d.ts +0 -3
  265. package/dist/commands/migrate/constants.d.ts +0 -12
  266. package/dist/commands/migrate/deps.d.ts +0 -32
  267. package/dist/commands/migrate/index.d.ts +0 -3
  268. package/dist/commands/migrate/json.d.ts +0 -20
  269. package/dist/commands/migrate/lint-staged.d.ts +0 -62
  270. package/dist/commands/migrate/types.d.ts +0 -20
  271. package/dist/commands/optimize.d.ts +0 -38
  272. package/dist/commands/pm.d.ts +0 -3
  273. package/dist/commands/remove.d.ts +0 -3
  274. package/dist/commands/run.d.ts +0 -3
  275. package/dist/commands/sort-package-json.d.ts +0 -3
  276. package/dist/commands/staged.d.ts +0 -3
  277. package/dist/commands/unlink.d.ts +0 -3
  278. package/dist/commands/update.d.ts +0 -3
  279. package/dist/commands/upgrade.d.ts +0 -3
  280. package/dist/commands/why.d.ts +0 -3
  281. package/dist/config.d.ts +0 -67
  282. package/dist/config.js +0 -1
  283. package/dist/native-binding.d.ts +0 -151
  284. package/dist/output.d.ts +0 -40
  285. package/dist/overrides.d.ts +0 -82
  286. package/dist/package-manager.d.ts +0 -23
  287. package/dist/plugins/config-loader.d.ts +0 -3
  288. package/dist/plugins/post-command.d.ts +0 -3
  289. package/dist/plugins/security-enforcement.d.ts +0 -3
  290. package/dist/pm-runner.d.ts +0 -23
  291. package/dist/security.d.ts +0 -64
  292. package/dist/socket-security.d.ts +0 -129
  293. package/dist/tips.d.ts +0 -41
  294. package/dist/tui/components/CheckProgressApp.d.ts +0 -6
  295. package/dist/tui/components/CommandSummary.d.ts +0 -17
  296. package/dist/tui/components/Header.d.ts +0 -13
  297. package/dist/tui/components/OutputPanel.d.ts +0 -16
  298. package/dist/tui/components/QuitDialog.d.ts +0 -15
  299. package/dist/tui/components/TaskListPanel.d.ts +0 -19
  300. package/dist/tui/components/TaskRow.d.ts +0 -12
  301. package/dist/tui/components/TaskStore.d.ts +0 -80
  302. package/dist/tui/components/VisTaskRunnerApp.d.ts +0 -17
  303. package/dist/tui/components/devcontainer/DevcontainerStore.d.ts +0 -66
  304. package/dist/tui/components/devcontainer/VisDevcontainerApp.d.ts +0 -9
  305. package/dist/tui/components/devcontainer/catalogs/extensions.d.ts +0 -8
  306. package/dist/tui/components/devcontainer/catalogs/features.d.ts +0 -8
  307. package/dist/tui/components/devcontainer/catalogs/filters.d.ts +0 -4
  308. package/dist/tui/components/devcontainer/catalogs/mount-suggestions.d.ts +0 -19
  309. package/dist/tui/components/devcontainer/catalogs/templates.d.ts +0 -8
  310. package/dist/tui/components/devcontainer/devcontainer-io.d.ts +0 -14
  311. package/dist/tui/components/devcontainer/sections/DockerComposeSection.d.ts +0 -11
  312. package/dist/tui/components/devcontainer/sections/EnvironmentSection.d.ts +0 -16
  313. package/dist/tui/components/devcontainer/sections/ExtensionsSection.d.ts +0 -11
  314. package/dist/tui/components/devcontainer/sections/FeaturesSection.d.ts +0 -11
  315. package/dist/tui/components/devcontainer/sections/GeneralSection.d.ts +0 -12
  316. package/dist/tui/components/devcontainer/sections/LifecycleSection.d.ts +0 -13
  317. package/dist/tui/components/devcontainer/sections/MountsSection.d.ts +0 -16
  318. package/dist/tui/components/devcontainer/sections/PortsSection.d.ts +0 -10
  319. package/dist/tui/components/devcontainer/sections/PreviewPanel.d.ts +0 -11
  320. package/dist/tui/components/devcontainer/types.d.ts +0 -53
  321. package/dist/tui/components/devcontainer/validate.d.ts +0 -16
  322. package/dist/tui/components/graph/GraphStore.d.ts +0 -42
  323. package/dist/tui/components/graph/ProjectDetailPanel.d.ts +0 -10
  324. package/dist/tui/components/graph/ProjectListPanel.d.ts +0 -20
  325. package/dist/tui/components/graph/VisGraphApp.d.ts +0 -8
  326. package/dist/tui/components/optimize/OptimizeDetailPanel.d.ts +0 -9
  327. package/dist/tui/components/optimize/OptimizeListPanel.d.ts +0 -16
  328. package/dist/tui/components/optimize/OptimizeStore.d.ts +0 -50
  329. package/dist/tui/components/optimize/VisOptimizeApp.d.ts +0 -8
  330. package/dist/tui/components/optimize/constants.d.ts +0 -7
  331. package/dist/tui/components/update/PackageDetailPanel.d.ts +0 -12
  332. package/dist/tui/components/update/PackageListPanel.d.ts +0 -18
  333. package/dist/tui/components/update/UpdateStore.d.ts +0 -62
  334. package/dist/tui/components/update/VisUpdateApp.d.ts +0 -11
  335. package/dist/tui/dynamic-life-cycle.d.ts +0 -21
  336. package/dist/tui/formatting-utils.d.ts +0 -17
  337. package/dist/tui/pretty-time.d.ts +0 -8
  338. package/dist/tui/static-life-cycle.d.ts +0 -22
  339. package/dist/tui/status-utils.d.ts +0 -20
  340. package/dist/tui/symbols.d.ts +0 -7
  341. package/dist/tui/types.d.ts +0 -11
  342. package/dist/typosquats.d.ts +0 -70
  343. package/dist/upgrade-check.d.ts +0 -30
  344. package/dist/utils.d.ts +0 -22
  345. package/dist/workspace.d.ts +0 -315
@@ -0,0 +1,3258 @@
1
+ import { TargetConfiguration, TaskResult, Task, FingerprintContributor, ConstraintsConfig, NamedInputs, TaskRunnerOptions } from '@visulima/task-runner';
2
+ export type { FingerprintContributor } from '@visulima/task-runner';
3
+ import { VisReleaseConfig } from "../release/types.js";
4
+ /**
5
+ * One family of upstream-coupled packages.
6
+ *
7
+ * `members` is an exact-match list. `prefixes` accept any dep whose
8
+ * name starts with the prefix — useful for monorepos that ship many
9
+ * subpackages under one scope (e.g. `@babel/`, `@storybook/`,
10
+ * `@nx/`). A family can use either or both; a dep matching either
11
+ * list belongs to the family.
12
+ */
13
+ interface SimilarDepFamily {
14
+ /** Stable id; used in report output and config overrides. */
15
+ id: string;
16
+ /** Pretty label for the report. Defaults to `id` when omitted. */
17
+ label?: string;
18
+ /** Dep names that belong to this family verbatim. */
19
+ members?: string[];
20
+ /** Dep-name prefixes (literal, no glob). Match if `depName.startsWith(prefix)`. */
21
+ prefixes?: string[];
22
+ }
23
+ /** Adapter IDs that can format (adapter `kind` is `"fmt"` or `"both"`). */
24
+ type FmtAdapterId = "biome" | "deno-fmt" | "dprint" | "oxfmt" | "prettier" | "ruff-fmt";
25
+ /** Adapter IDs that can lint (adapter `kind` is `"lint"` or `"both"`). */
26
+ type LintAdapterId = "biome" | "deno-lint" | "eslint" | "markdownlint" | "oxlint" | "ruff-check" | "shellcheck" | "stylelint";
27
+ type VersionManagerName = "asdf" | "corepack" | "fnm" | "mise" | "none" | "nvm" | "proto" | "self-activate" | "volta";
28
+ type RuntimeTool = "aube" | "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
29
+ interface ToolchainConfig {
30
+ /**
31
+ * When a tool pin doesn't match the running version, try to fix it
32
+ * automatically before `vis run` / `vis ci` proceed. Defaults to
33
+ * `true` when {@link findInstalledManagers} reports at least one
34
+ * installed manager, `false` otherwise.
35
+ *
36
+ * Set to `false` to keep the doctor-style warning behaviour and
37
+ * make users run `vis toolchain install` themselves.
38
+ */
39
+ readonly autoInstall?: boolean;
40
+ /** Explicit manager override, useful in CI. */
41
+ readonly preferredManager?: VersionManagerName;
42
+ /** Overrides for engines/packageManager-derived pins. */
43
+ readonly tools?: Partial<Record<RuntimeTool, string>>;
44
+ }
45
+ /**
46
+ * Custom task form — `{ title, task }` — analogous to lint-staged's
47
+ * listr-style task objects. `task` receives the matched absolute paths
48
+ * and returns a promise that resolves on success or rejects on failure.
49
+ */
50
+ interface CustomTask {
51
+ readonly task: (files: string[]) => unknown;
52
+ readonly title: string;
53
+ }
54
+ /**
55
+ * Object form of a command task. Unlike a bare command string it carries
56
+ * execution options:
57
+ *
58
+ * - `perPackage` runs the command once per workspace package that owns the
59
+ * matched files, with `cwd` set to that package's directory and file paths
60
+ * made relative to it. Use it for tools that resolve their config or
61
+ * plugins from the nearest `package.json` — e.g. eslint with a
62
+ * cwd-sensitive shareable config. Files that sit under no workspace
63
+ * package fall back to a single run from the workspace root.
64
+ * - `cwd` pins the command to a fixed directory (relative to the workspace
65
+ * root, or absolute) and passes the matched files as absolute paths so
66
+ * they resolve regardless of where the command runs. Ignored when
67
+ * `perPackage` is set — that derives the cwd per package instead.
68
+ *
69
+ * A command task is distinguished from {@link CustomTask} by carrying a
70
+ * `command` string and no `task` function.
71
+ */
72
+ interface CommandTask {
73
+ readonly command: string;
74
+ readonly cwd?: string;
75
+ readonly perPackage?: boolean;
76
+ }
77
+ /**
78
+ * A task value as authored by the user. Command strings are split into
79
+ * argv and invoked with the matched file paths appended. `{ command, … }`
80
+ * objects do the same with per-task execution options (cwd / perPackage).
81
+ * Arrays run serially. Functions receive the matched paths and return
82
+ * further task values (possibly async). `{ title, task }` objects run
83
+ * `task` directly with no argv construction.
84
+ */
85
+ type StagedTask = CommandTask | CustomTask | StagedTaskFunction | string | ReadonlyArray<CommandTask | CustomTask | StagedTaskFunction | string>;
86
+ type StagedTaskFunction = (files: string[]) => Promise<StagedTaskResult> | StagedTaskResult;
87
+ type StagedTaskResult = CommandTask | CustomTask | string | ReadonlyArray<CommandTask | CustomTask | string>;
88
+ /**
89
+ * Config object mapping glob patterns (basename or path-style) to tasks.
90
+ * A top-level function form lets the user generate the entire config
91
+ * from the staged file list.
92
+ */
93
+ type StagedConfig = Readonly<Record<string, StagedTask>> | StagedConfigFunction;
94
+ type StagedConfigFunction = (files: string[]) => Promise<Record<string, StagedTask>> | Record<string, StagedTask>;
95
+ /**
96
+ * Configuration block declared on a target to mark it as a long-lived
97
+ * "service" — eligible to be started/stopped via `vis service` and
98
+ * auto-attached when other tasks depend on it.
99
+ *
100
+ * Targets must also carry `preset: "server"` (or the equivalent
101
+ * `persistent: true`) for the service-mode lifecycle to apply.
102
+ */
103
+ interface ServiceConfig {
104
+ /**
105
+ * Env vars to expose to dependent tasks when this service is
106
+ * registered. Merged into the dependent task's env after the task's
107
+ * own envFile and before the task's explicit `env` overrides — the
108
+ * dependent task wins on key collisions.
109
+ *
110
+ * Note: only this `env` map propagates to dependents. The service
111
+ * target's own `envFile` is loaded into the **service process** at
112
+ * start time but is *not* forwarded — dependents must declare any
113
+ * shared values they need either here or in their own envFile. This
114
+ * boundary is intentional: envFiles often contain operator-only
115
+ * secrets (deploy keys, admin tokens) that should not leak into
116
+ * downstream test commands.
117
+ */
118
+ env?: Record<string, string>;
119
+ /**
120
+ * Grace period in milliseconds between SIGTERM and SIGKILL when the
121
+ * service is stopped.
122
+ * @default 5000
123
+ */
124
+ killGracePeriodMs?: number;
125
+ /**
126
+ * Optional port the service listens on. Used as the default for
127
+ * `readiness.tcp.port` when no explicit probe is configured, and
128
+ * surfaced by `vis service list`.
129
+ */
130
+ port?: number;
131
+ /** Readiness probe configuration. v1 supports TCP only. */
132
+ readiness?: {
133
+ tcp: {
134
+ host?: string;
135
+ port: number;
136
+ timeoutMs?: number;
137
+ };
138
+ };
139
+ }
140
+ /**
141
+ * Persisted registry entry. One JSON file per running service in
142
+ * `~/.vis-services/&lt;workspaceHash>/&lt;slug>.json`.
143
+ */
144
+ interface ServiceEntry {
145
+ /** Resolved command actually spawned. Used for stale-PID detection. */
146
+ command: string;
147
+ /** Service config captured at start time. */
148
+ config: ServiceConfig;
149
+ cwd: string;
150
+ /**
151
+ * Env vars to forward to dependents. Resolved at start time —
152
+ * defaults to `config.env`, but a future `--env-from` flag could
153
+ * extend this without touching the registry consumer.
154
+ */
155
+ env: Record<string, string>;
156
+ /** Target id, e.g. `apps/api:db`. */
157
+ id: string;
158
+ /** Absolute path to the captured stdout/stderr log file. */
159
+ logFile: string;
160
+ pid: number;
161
+ /**
162
+ * Filesystem-safe slug of `id`. `apps/api:db` → `apps_api__db`.
163
+ * Used as the entry's filename so registry reads can map slug → entry.
164
+ */
165
+ slug: string;
166
+ /** ISO 8601 timestamp of when the service was started. */
167
+ startedAt: string;
168
+ /**
169
+ * vis version that started this service. Auto-attach refuses entries
170
+ * from a mismatched version — protects against schema drift.
171
+ */
172
+ visVersion: string;
173
+ }
174
+ /**
175
+ * First-class task arguments: a declarative schema per target that lets a
176
+ * task define its named/positional arguments, validate what the user passes
177
+ * on the CLI, and render a per-task `--help`. The validated values are also
178
+ * exposed to the command as `VIS_ARG_&lt;NAME>` environment variables so the
179
+ * underlying script can read them without re-parsing argv.
180
+ *
181
+ * This module is intentionally pure (no IO) so it is trivially unit-testable;
182
+ * the run handler wires it to the forwarded-args vector and the task env.
183
+ */
184
+ /** Value type a {@link TaskArgument} coerces to and validates against. */
185
+ type TaskArgumentType = "boolean" | "enum" | "number" | "string";
186
+ /** A coerced task-argument value. */
187
+ type TaskArgumentValue = boolean | number | string;
188
+ /** A single declared argument for a task target. */
189
+ interface TaskArgument {
190
+ /**
191
+ * Short single-character alias (e.g. `r` for `--reporter`, used as `-r`).
192
+ * Must be exactly one character — enforced at run time by
193
+ * {@link validateArgumentSchema}.
194
+ */
195
+ alias?: string;
196
+ /**
197
+ * Allowed values when {@link TaskArgument.type} is `"enum"`. Must be
198
+ * non-empty (and is required) for `enum` — enforced at run time by
199
+ * {@link validateArgumentSchema}.
200
+ */
201
+ choices?: string[];
202
+ /** Value applied when the argument is omitted. Skips the required check. */
203
+ default?: TaskArgumentValue;
204
+ /** One-line help text surfaced by per-task `--help`. */
205
+ description?: string;
206
+ /**
207
+ * Canonical name, without the leading `--` (kebab-case by convention).
208
+ * Must start with a letter and contain only letters, digits, `-`, `_` —
209
+ * enforced at run time by {@link validateArgumentSchema}.
210
+ */
211
+ name: string;
212
+ /**
213
+ * Consume the value from the next free positional argument instead of a
214
+ * `--flag`. Positional args are filled in declaration order.
215
+ */
216
+ positional?: boolean;
217
+ /** Fail the task when the argument is absent and has no `default`. */
218
+ required?: boolean;
219
+ /** Value type for coercion + validation. Defaults to `"string"`. */
220
+ type?: TaskArgumentType;
221
+ }
222
+ /**
223
+ * Semantic classification for a target.
224
+ * - `build`: Generates one or more artifacts; cached by default.
225
+ * - `test`: Validation task (lint, typecheck, unit test). Default type.
226
+ * - `run`: One-off or long-running process. Not cached by default.
227
+ */
228
+ type TargetType = "build" | "run" | "test";
229
+ /**
230
+ * Preset bundles of target options.
231
+ * - `server`: Long-running local dev server — caching off, not in CI,
232
+ * interactive, persistent.
233
+ * - `utility`: Short-lived helper — caching off, not in CI.
234
+ */
235
+ type TargetPreset = "server" | "utility";
236
+ /**
237
+ * Controls whether a target runs in CI.
238
+ * - `true` (default): Always run.
239
+ * - `false`: Never run in CI (local-only).
240
+ * - `"affected"`: Only when the project is affected by the current change set.
241
+ * - `"always"`: Always run, even if unaffected.
242
+ */
243
+ type RunInCI = "affected" | "always" | boolean;
244
+ /**
245
+ * Controls how affected files are forwarded to a task.
246
+ * - `false` (default): Do not forward.
247
+ * - `"args"`: Append affected paths as additional command arguments.
248
+ * - `"env"`: Expose them via `VIS_AFFECTED_FILES` environment variable.
249
+ * - `"both"`: Both of the above.
250
+ */
251
+ type AffectedFilesMode = "args" | "both" | "env" | false;
252
+ /**
253
+ * Vis-specific target options that extend the task-runner's
254
+ * base `TargetConfiguration`. These live under `target.options` and are
255
+ * interpreted by vis before handing the task off to task-runner.
256
+ *
257
+ * Conditional execution (`when:`) and finally tasks (`always:`) live at
258
+ * the target top level, not under `options` — they're handled by the
259
+ * task-runner orchestrator. See `@visulima/task-runner`'s `WhenCondition`.
260
+ */
261
+ interface VisTargetOptions {
262
+ /**
263
+ * How to forward affected files to the task process.
264
+ * Only used when invoked via `vis affected &lt;target>`.
265
+ * @default false
266
+ */
267
+ affectedFiles?: AffectedFilesMode;
268
+ /**
269
+ * Load environment variables from dotenv file(s) before running.
270
+ * - `string`: a single file path (relative to project root).
271
+ * - `string[]`: multiple files — later entries override earlier ones,
272
+ * so put more-specific files last (e.g. `[".env", ".env.local"]`).
273
+ * - `true`: auto-cascade in the Next/Vite order:
274
+ * `.env` → `.env.{NODE_ENV}` → `.env.local` → `.env.{NODE_ENV}.local`.
275
+ * Skips `.env.local` when NODE_ENV is `test`, matching Next.js.
276
+ */
277
+ envFile?: boolean | string | string[];
278
+ /**
279
+ * When true, the task is serialized with respect to parallel execution
280
+ * and must be run on the main process (claims stdin). Used for commands
281
+ * that read from the terminal.
282
+ * @default false
283
+ */
284
+ interactive?: boolean;
285
+ /**
286
+ * When true, the task is hidden from CLI listings and can only be invoked
287
+ * as a dependency of another task.
288
+ * @default false
289
+ */
290
+ internal?: boolean;
291
+ /**
292
+ * Milliseconds the timeout watchdog waits between sending SIGTERM
293
+ * and SIGKILL when the `timeout` budget fires. Tasks that ignore
294
+ * SIGTERM (e.g. test runners holding open child processes) get
295
+ * force-killed after this grace window so a stuck task can't outlive
296
+ * its budget.
297
+ *
298
+ * Set to `0` to skip escalation and rely on SIGTERM only.
299
+ * @default 5000
300
+ */
301
+ killGracePeriodMs?: number;
302
+ /**
303
+ * Serializes all tasks that share the same mutex name. Useful for tasks
304
+ * that contend on a shared resource (e.g., a database migration).
305
+ */
306
+ mutex?: string;
307
+ /**
308
+ * Per-target output verbosity. Overrides the global `--output-style`
309
+ * flag for this specific target.
310
+ *
311
+ * - `"normal"` (default): print every task's terminal output
312
+ * - `"quiet"`: only print output when the task fails. Successful
313
+ * and cached tasks contribute their status line and timing, but
314
+ * their captured stdout/stderr is suppressed.
315
+ *
316
+ * Useful when a routinely-noisy task (a linter or test runner with
317
+ * verbose progress output) should stay quiet during green builds
318
+ * but reveal everything when it fails.
319
+ */
320
+ outputStyle?: "normal" | "quiet";
321
+ /**
322
+ * When true, the task is a long-running / never-ending process.
323
+ * Persistent tasks are scheduled last, execute after all cacheable
324
+ * tasks complete, and are never cached.
325
+ * @default false
326
+ */
327
+ persistent?: boolean;
328
+ /**
329
+ * A preset that pre-fills a common bundle of options.
330
+ * User-provided fields always take precedence over the preset.
331
+ */
332
+ preset?: TargetPreset;
333
+ /**
334
+ * Run the task through a pseudo-terminal so color-aware tools
335
+ * (vitest, eslint, biome, …) render as if attached to a real TTY
336
+ * instead of a pipe. Output is captured via task-runner's
337
+ * `TerminalBuffer` so ANSI escapes are normalized into the final
338
+ * rendered state before reaching the reporter.
339
+ *
340
+ * Forces cache to off — PTY output can include timing-dependent
341
+ * frames (spinners) that aren't safe to replay from a cache.
342
+ * @default false
343
+ */
344
+ pty?: boolean;
345
+ /**
346
+ * Number of times to retry the task on failure. Uses an exponential
347
+ * backoff by default (1s, 2s, 4s, ...).
348
+ * @default 0
349
+ */
350
+ retryCount?: number;
351
+ /**
352
+ * Delay between retry attempts in milliseconds, or `"exponential"`
353
+ * for 2^attempt * 1000 ms.
354
+ * @default "exponential"
355
+ */
356
+ retryDelay?: number | "exponential";
357
+ /**
358
+ * When true, the command executes with the workspace root as CWD
359
+ * instead of the project root.
360
+ * @default false
361
+ */
362
+ runFromWorkspaceRoot?: boolean;
363
+ /**
364
+ * Controls whether the task runs in CI environments.
365
+ * @default true
366
+ */
367
+ runInCI?: RunInCI;
368
+ /**
369
+ * Capability tags that gate this task to runners advertising the
370
+ * same tag. The CLI's `--runner-tags=gpu,slow` flag (or
371
+ * `VIS_RUNNER_TAGS` env var) tells vis what the current runner
372
+ * supports; tasks whose `runnerTags` share at least one tag with
373
+ * the runner set are eligible. Untagged tasks (no `runnerTags` or
374
+ * an empty array) are general-purpose and always run.
375
+ *
376
+ * Use this for special-purpose CI lanes — e.g. a GPU runner that
377
+ * should only pick up visual-regression suites, or a nightly job
378
+ * that runs `slow` integration tests. When neither flag nor env
379
+ * is set, the filter is inactive and every task runs.
380
+ */
381
+ runnerTags?: string[];
382
+ /**
383
+ * Marks this target as a long-lived service that can be started via
384
+ * `vis service start &lt;id>` and auto-attached when other tasks declare
385
+ * it in `dependsOn`. Implies persistent + non-cacheable behaviour
386
+ * (set `preset: "server"` to inherit the rest of the bundle).
387
+ *
388
+ * The presence of this block — not `preset: "server"` alone — is
389
+ * what makes a target eligible for the cross-invocation registry.
390
+ * `preset: "server"` without `service` keeps today's in-run-only
391
+ * behaviour.
392
+ */
393
+ service?: ServiceConfig;
394
+ /**
395
+ * Per-target shell override. When set, the command runs through this
396
+ * shell instead of the platform default.
397
+ */
398
+ shell?: string;
399
+ /**
400
+ * Arguments passed to the per-target shell/interpreter before the command
401
+ * string. Defaults to `["-c"]` (POSIX shells, pwsh). Set this to run the
402
+ * command under an interpreter that uses a different flag — e.g.
403
+ * `shell: "node", shellArgs: ["-e"]` runs the command as inline JS
404
+ * ("script mode"), or `shellArgs: ["-lc"]` for a login shell. Only applies
405
+ * when `shell`/`unixShell`/`windowsShell` resolves to a custom shell.
406
+ *
407
+ * Must be non-empty when set — an empty array would drop the interpreter
408
+ * flag entirely, so the runtime falls back to `-c` defensively.
409
+ */
410
+ shellArgs?: string[];
411
+ /**
412
+ * Override the workspace `strictEnv` setting for this target. When
413
+ * truthy, the target fails if its command references an env var
414
+ * that resolves to neither the task's effective env nor
415
+ * `process.env`. When `false`, the target opts out of a workspace
416
+ * `strictEnv: true` (e.g. for a one-off command that legitimately
417
+ * tolerates an unset variable).
418
+ * @see VisConfig.strictEnv
419
+ */
420
+ strictEnv?: boolean;
421
+ /**
422
+ * Maximum wall-clock milliseconds a single task run is allowed to
423
+ * take before being killed. `0` / `undefined` means no timeout.
424
+ *
425
+ * When the timeout fires the task is sent SIGTERM and, if it has
426
+ * not exited within `killGracePeriodMs`, SIGKILL. The task exits
427
+ * with a failure status carrying the `[timeout]` marker in
428
+ * `terminalOutput`. Retries count per-attempt, not cumulatively.
429
+ *
430
+ * Use this to prevent runaway tasks from eating CI wall-clock time
431
+ * up to the job-level cutoff.
432
+ */
433
+ timeout?: number;
434
+ /**
435
+ * Per-target unix shell override, used on Linux and macOS.
436
+ * Takes precedence over `shell` on unix-like systems.
437
+ */
438
+ unixShell?: string;
439
+ /**
440
+ * Per-target windows shell override, used on Windows.
441
+ * Takes precedence over `shell` on Windows.
442
+ */
443
+ windowsShell?: string;
444
+ }
445
+ /**
446
+ * An extended target configuration that adds the vis-specific options
447
+ * on top of task-runner's `TargetConfiguration`.
448
+ */
449
+ interface VisTargetConfiguration extends Omit<TargetConfiguration, "options"> {
450
+ /**
451
+ * Alternate names that resolve to this target on the CLI. Useful
452
+ * for shortening long canonical names (`test` ↔ `t`) or for
453
+ * offering migration-friendly aliases when renaming targets.
454
+ * Aliases must be globally unique within the workspace.
455
+ */
456
+ aliases?: string[];
457
+ /**
458
+ * Declarative argument schema for this target. Forwarded CLI args
459
+ * (`vis run &lt;target> -- --flag value`) are validated against it, surfaced
460
+ * by per-task `--help`, and exposed to the command as `VIS_ARG_&lt;NAME>`
461
+ * environment variables.
462
+ */
463
+ arguments?: TaskArgument[];
464
+ /**
465
+ * One-line description surfaced by `vis list` and per-task `--help`.
466
+ * Kept short — longer docs belong in project READMEs or
467
+ * vis.config.ts comments.
468
+ */
469
+ description?: string;
470
+ /**
471
+ * True when the target was synthesized by a Project Crystal-style
472
+ * detector (see {@link ../inference}) rather than declared by a
473
+ * package.json script, project.json, or vis.task.ts file. Surfaced
474
+ * by `vis list --inferred` and used by tooling to distinguish
475
+ * implicit defaults from explicit user intent.
476
+ */
477
+ inferred?: boolean;
478
+ /** Vis-specific target options. */
479
+ options?: VisTargetOptions;
480
+ /** Preset applied before user-specified options. */
481
+ preset?: TargetPreset;
482
+ /**
483
+ * Semantic task type. Affects caching defaults and CI filtering.
484
+ * @default "test"
485
+ */
486
+ type?: TargetType;
487
+ }
488
+ type HookCallback = (...arguments_: any) => Promise<void> | void;
489
+ type HookKeys<T> = keyof T & string;
490
+ type DeprecatedHook<T> = {
491
+ message?: string;
492
+ to: HookKeys<T>;
493
+ };
494
+ type ValueOf<C> = C extends Record<any, any> ? C[keyof C] : never;
495
+ type Strings<T> = Exclude<keyof T, number | symbol>;
496
+ type KnownKeys<T> = keyof { [K in keyof T as string extends K ? never : number extends K ? never : K]: never };
497
+ type StripGeneric<T> = Pick<T, KnownKeys<T> extends keyof T ? KnownKeys<T> : never>;
498
+ type OnlyGeneric<T> = Omit<T, KnownKeys<T> extends keyof T ? KnownKeys<T> : never>;
499
+ type Namespaces<T> = ValueOf<{ [key in Strings<T>]: key extends `${infer Namespace}:${string}` ? Namespace : never }>;
500
+ type BareHooks<T> = ValueOf<{ [key in Strings<T>]: key extends `${string}:${string}` ? never : key }>;
501
+ type HooksInNamespace<T, Namespace extends string> = ValueOf<{ [key in Strings<T>]: key extends `${Namespace}:${infer HookName}` ? HookName : never }>;
502
+ type WithoutNamespace<T, Namespace extends string> = { [key in HooksInNamespace<T, Namespace>]: `${Namespace}:${key}` extends keyof T ? T[`${Namespace}:${key}`] : never };
503
+ type NestedHooks<T> = (Partial<StripGeneric<T>> | Partial<OnlyGeneric<T>>) & Partial<{ [key in Namespaces<StripGeneric<T>>]: NestedHooks<WithoutNamespace<T, key>> }> & Partial<{ [key in BareHooks<StripGeneric<T>>]: T[key] }>;
504
+ type InferCallback<HT, HN extends keyof HT> = HT[HN] extends HookCallback ? HT[HN] : never;
505
+ type InferSpyEvent<HT extends Record<string, any>> = { [key in keyof HT]: {
506
+ name: key;
507
+ args: Parameters<HT[key]>;
508
+ context: Record<string, any>;
509
+ } }[keyof HT];
510
+ declare class Hookable<HooksT extends Record<string, any> = Record<string, HookCallback>, HookNameT extends HookKeys<HooksT> = HookKeys<HooksT>> {
511
+ private _hooks;
512
+ private _before?;
513
+ private _after?;
514
+ private _deprecatedHooks;
515
+ private _deprecatedMessages?;
516
+ constructor();
517
+ hook<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>, options?: {
518
+ allowDeprecated?: boolean;
519
+ }): () => void;
520
+ hookOnce<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>): () => void;
521
+ removeHook<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>): void;
522
+ clearHook<NameT extends HookNameT>(name: NameT): void;
523
+ deprecateHook<NameT extends HookNameT>(name: NameT, deprecated: HookKeys<HooksT> | DeprecatedHook<HooksT>): void;
524
+ deprecateHooks(deprecatedHooks: Partial<Record<HookNameT, DeprecatedHook<HooksT>>>): void;
525
+ addHooks(configHooks: NestedHooks<HooksT>): () => void;
526
+ removeHooks(configHooks: NestedHooks<HooksT>): void;
527
+ removeAllHooks(): void;
528
+ callHook<NameT extends HookNameT>(name: NameT, ...args: Parameters<InferCallback<HooksT, NameT>>): Promise<any> | void;
529
+ callHookParallel<NameT extends HookNameT>(name: NameT, ...args: Parameters<InferCallback<HooksT, NameT>>): Promise<any[]> | void;
530
+ callHookWith<NameT extends HookNameT, CallFunction extends (hooks: HookCallback[], args: Parameters<InferCallback<HooksT, NameT>>, name: NameT) => any>(caller: CallFunction, name: NameT, args: Parameters<InferCallback<HooksT, NameT>>): ReturnType<CallFunction>;
531
+ beforeEach(function_: (event: InferSpyEvent<HooksT>) => void): () => void;
532
+ afterEach(function_: (event: InferSpyEvent<HooksT>) => void): () => void;
533
+ }
534
+ type CreateTask = (name?: string) => {
535
+ run: (function_: () => Promise<any> | any) => Promise<any> | any;
536
+ };
537
+ declare global {
538
+ interface Console {
539
+ createTask?: CreateTask;
540
+ }
541
+ }
542
+ /** @deprecated */
543
+ /**
544
+ * Typed hook surface exposed to vis plugins.
545
+ *
546
+ * Plugins subscribe via `hooks.hook(name, handler)` — handlers are
547
+ * awaited sequentially in registration order. Returning a promise
548
+ * delays the next hook firing until it resolves, so plugins can
549
+ * safely perform async setup/teardown.
550
+ *
551
+ * Naming deliberately mirrors vite-task / webpack-style verbs:
552
+ * before/after for boundaries, on&lt;Event> for passive observation.
553
+ */
554
+ interface VisHooks {
555
+ /**
556
+ * Fired after the entire task graph completes (including any
557
+ * failures). `results` maps task ID → {@link TaskResult}.
558
+ */
559
+ "run:after": (results: Map<string, TaskResult>) => Promise<void> | void;
560
+ /**
561
+ * Fired once before any task in the graph starts, after workspace
562
+ * discovery and graph construction. Throwing aborts the run.
563
+ */
564
+ "run:before": (context: {
565
+ tasks: Task[];
566
+ workspaceRoot: string;
567
+ }) => Promise<void> | void;
568
+ /**
569
+ * Fired after `vis run` auto-attaches to one or more registered
570
+ * services. `taskIds` lists the in-graph dependents that consumed
571
+ * the service's `env` block; an empty array means the service was
572
+ * registered but no kept task depended on it.
573
+ */
574
+ "service:attach": (entry: ServiceEntry, taskIds: ReadonlyArray<string>) => Promise<void> | void;
575
+ /**
576
+ * Fired after a service is registered and its readiness probe
577
+ * succeeds. Sourced from both `vis service start` (and `restart`'s
578
+ * post-start phase) and any future programmatic call sites.
579
+ */
580
+ "service:start": (entry: ServiceEntry) => Promise<void> | void;
581
+ /**
582
+ * Fired after a registered service is stopped (SIGTERM/SIGKILL
583
+ * acknowledged, registry entry deleted). Not fired when stop is
584
+ * called against an unknown id — only when there was an alive
585
+ * entry to terminate.
586
+ */
587
+ "service:stop": (entry: ServiceEntry) => Promise<void> | void;
588
+ /**
589
+ * Fired after a task completes (success, failure, or cache hit).
590
+ * Receives the final {@link TaskResult}.
591
+ */
592
+ "task:after": (task: Task, result: TaskResult) => Promise<void> | void;
593
+ /**
594
+ * Fired before each task begins execution — after scheduling, before
595
+ * the executor runs the command. Throwing aborts that single task.
596
+ */
597
+ "task:before": (task: Task) => Promise<void> | void;
598
+ /** Fired when a task hit the local or remote cache. */
599
+ "task:cacheHit": (task: Task, result: TaskResult) => Promise<void> | void;
600
+ /**
601
+ * Fired when auto-fingerprint cache diagnostics reports a miss,
602
+ * carrying the human-readable reason string.
603
+ */
604
+ "task:cacheMiss": (task: Task, reasons: string) => Promise<void> | void;
605
+ /** Fired when a task exits non-zero. */
606
+ "task:failure": (task: Task, result: TaskResult) => Promise<void> | void;
607
+ /**
608
+ * Fired during fingerprint construction, after built-in inputs are
609
+ * gathered and before the hash is sealed. Plugins call
610
+ * `contributor.contribute(key, value)` to mix arbitrary strings
611
+ * into the task hash — the hasher namespaces and sorts contributions
612
+ * deterministically so call order doesn't change the result.
613
+ *
614
+ * Throwing aborts hashing for the offending task and surfaces as a
615
+ * task failure before any cache lookup runs. Use this to guarantee
616
+ * a buggy plugin can't quietly poison cache state.
617
+ */
618
+ "task:fingerprint": (task: Task, contributor: FingerprintContributor) => Promise<void> | void;
619
+ /**
620
+ * Fired right before a failed task is re-spawned by the retry
621
+ * controller. `attempt` is 1-indexed and counts the retry that's
622
+ * about to start (so the original failed run was attempt 0).
623
+ * `prevExitCode` is the failing exit status that triggered the
624
+ * retry (the full TaskResult isn't materialized at the retry
625
+ * boundary — only the per-attempt close event is available).
626
+ *
627
+ * Throwing aborts the retry; the previous failure becomes the final
628
+ * result.
629
+ */
630
+ "task:retry": (task: Task, attempt: number, prevExitCode: number) => Promise<void> | void;
631
+ /**
632
+ * Fired with a stderr chunk as a running task emits it. Plugins
633
+ * that ship logs live (Slack, Datadog) should prefer this over
634
+ * `task:after` so they don't wait for the full buffer.
635
+ */
636
+ "task:stderr": (task: Task, chunk: string) => Promise<void> | void;
637
+ /**
638
+ * Fired with a stdout chunk as a running task emits it. See
639
+ * `task:stderr` for semantics.
640
+ */
641
+ "task:stdout": (task: Task, chunk: string) => Promise<void> | void;
642
+ }
643
+ /**
644
+ * Public plugin contract. Implementations register handlers by
645
+ * returning a partial {@link VisHooks} map from `hooks`, or by
646
+ * mutating the Hookable instance directly via `setup(hooks)` for
647
+ * advanced cases (dynamic registration, removeHook, etc.).
648
+ *
649
+ * Plugins are loaded in the order they appear in `visConfig.plugins`.
650
+ * Handler execution order within a hook follows registration order,
651
+ * so earlier plugins see events first.
652
+ */
653
+ interface VisPlugin {
654
+ /**
655
+ * Declarative handlers — the common shape. One entry per hook
656
+ * name; pass a function or an array of functions (all run serially
657
+ * in order).
658
+ */
659
+ hooks?: Partial<{ [K in keyof VisHooks]: VisHooks[K] | VisHooks[K][] }>;
660
+ /** Plugin name — surfaced in debug logs. */
661
+ name: string;
662
+ /**
663
+ * Imperative setup — receives the shared Hookable instance so the
664
+ * plugin can register hooks conditionally, unregister later, or
665
+ * use advanced APIs like `hookOnce`/`beforeEach`/`afterEach`.
666
+ */
667
+ setup?: (hooks: Hookable<VisHooks>) => Promise<void> | void;
668
+ }
669
+ /**
670
+ * Per-adapter override applied by `vis lint` / `vis fmt`. Keyed by
671
+ * adapter id under `lint.adapters` / `fmt.adapters`. Every field is
672
+ * optional — set only what you need to change.
673
+ */
674
+ interface LintFmtAdapterOverride {
675
+ /**
676
+ * Set to `false` to skip this adapter even when its config file or
677
+ * package.json entry is detected. Defaults to `true` (run when
678
+ * detected).
679
+ */
680
+ enabled?: boolean;
681
+ /**
682
+ * Extra arguments appended verbatim to every invocation of this
683
+ * adapter. Useful for tool-specific flags vis doesn't expose
684
+ * directly (e.g. `eslint --rulesdir`).
685
+ */
686
+ extraArgs?: string[];
687
+ }
688
+ /**
689
+ * The 8 Socket.dev-style supply-chain policies. Used in `security.policies`
690
+ * and `security.acceptedRisks[*].policies`. Kept as a const tuple so callers
691
+ * can import the runtime array (`POLICY_NAMES`) for iteration without
692
+ * drifting from the union type.
693
+ */
694
+ declare const POLICY_NAMES: readonly ["firstSeen", "installScripts", "license", "malware", "publisherChange", "score", "unexpectedDeps", "vulnerability"];
695
+ type PolicyName = (typeof POLICY_NAMES)[number];
696
+ /**
697
+ * Recognised input sources for the codeowners aggregator.
698
+ *
699
+ * - `project-json` — owners declared on each project's `project.json`.
700
+ * Canonical source; takes precedence over the other two on path conflicts.
701
+ * - `nested-codeowners` — `CODEOWNERS` files placed at arbitrary depth
702
+ * in the workspace tree (excluding the generated root file).
703
+ * - `package-json-maintainers` — fallback that reads each project's
704
+ * `package.json#maintainers` and emits one entry per project root for
705
+ * projects with no `project.json owners`. GitHub handles are extracted
706
+ * from each maintainer's `url` (e.g. `https://github.com/&lt;handle&gt;`).
707
+ */
708
+ type CodeownersSource = "nested-codeowners" | "package-json-maintainers" | "project-json";
709
+ interface CodeownersConfig {
710
+ /** Markers that bracket the generated block when `preserveBlock` is set. */
711
+ blockMarker?: {
712
+ begin: string;
713
+ end: string;
714
+ };
715
+ /** Workspace-level paths that apply outside any project (e.g., `.github/**`). */
716
+ globalPaths?: Record<string, string[]>;
717
+ /** Glob patterns used to discover nested `CODEOWNERS` files. Defaults to `["**\/CODEOWNERS"]`. */
718
+ nestedIncludes?: string[];
719
+ /** Sort order for generated entries — mirrors moon's `orderBy`. */
720
+ orderBy?: "file-source" | "project-id";
721
+ /**
722
+ * When set, the generated content is spliced between
723
+ * {@link CodeownersConfig.blockMarker} markers in the existing file
724
+ * (markers are appended if missing) instead of overwriting the file.
725
+ */
726
+ preserveBlock?: boolean;
727
+ /** Provider determines whether `channel` is emitted (GitHub supports it via comment). */
728
+ provider?: "bitbucket" | "github" | "gitlab" | "other";
729
+ /**
730
+ * Header instruction shown to reviewers. Replaces the default
731
+ * "Update each project's project.json `owners` field…" line. Useful
732
+ * when the canonical regenerate path is a custom script.
733
+ */
734
+ regenerationCommand?: string;
735
+ /** Enabled input sources. Defaults to `["project-json"]`. */
736
+ sources?: CodeownersSource[];
737
+ }
738
+ /**
739
+ * One user-declared customTypes entry. See `policy.customTypes.extraTypes`
740
+ * for the full contract — this is just the row shape.
741
+ */
742
+ interface ExtraCustomType {
743
+ /**
744
+ * Required when `strategy === "string"`. The dep-cluster key the bare
745
+ * version string at `path` should be associated with.
746
+ */
747
+ depName?: string;
748
+ /**
749
+ * Display name for this customType. Used as the cluster key prefix in
750
+ * lint output and JSON. Must not collide with the built-in names.
751
+ */
752
+ name: string;
753
+ /** Dot-separated walk into package.json (e.g. `pnpm.overrides`, `myTool.runtime`). */
754
+ path: string;
755
+ /**
756
+ * How to interpret the JSON found at `path`.
757
+ * - `name@version` — single string `pnpm@9.0.0` (with optional `+sha512.…` hash).
758
+ * - `name~version` — single string `node~20.0.0`, mirrors syncpack's tilde form.
759
+ * - `string` — bare version literal (requires `depName`).
760
+ * - `versionsByName` — `{ name: version }` object such as `engines`.
761
+ */
762
+ strategy: "name@version" | "name~version" | "string" | "versionsByName";
763
+ }
764
+ /**
765
+ * Declared code-owner assignment for a path glob within a project.
766
+ * Mirrors moon's `owners` shape so migrations can round-trip cleanly.
767
+ */
768
+ interface OwnersEntry {
769
+ /** Optional notification channel (e.g. Slack, Teams). */
770
+ channel?: string;
771
+ /** Owner handles (e.g. `@visulima/core-team`). */
772
+ owners: string[];
773
+ /** File/glob pattern relative to the project root. */
774
+ path: string;
775
+ }
776
+ /**
777
+ * Per-project TypeScript overlay loaded from `vis.task.ts`. Adds a
778
+ * dynamic, type-safe layer for target overrides on top of `project.json`,
779
+ * which stays the canonical home for static metadata (`tags`, `layer`,
780
+ * `stack`, `language`, `owners`, `projectType`, `sourceRoot`,
781
+ * `implicitDependencies`).
782
+ *
783
+ * `vis.task.ts` is opt-in. A package without one behaves identically to
784
+ * before its introduction. Targets defined here merge over `project.json`'s
785
+ * `targets` block — see `design-config-layering.md` for the full
786
+ * precedence stack.
787
+ */
788
+ interface VisTaskConfig {
789
+ /** Per-target overrides — same shape as `project.json#targets`. */
790
+ tasks?: Record<string, VisTargetConfiguration>;
791
+ }
792
+ /**
793
+ * Per-project metadata surfaced by `project.json`. Extended beyond the
794
+ * minimal `projectType` / `tags` / `sourceRoot` fields we historically
795
+ * parsed to include targets, owners, and layer/stack classification.
796
+ */
797
+ interface ProjectJson {
798
+ /** Implicit dependencies on other projects. */
799
+ implicitDependencies?: string[];
800
+ /** Primary language — informational and query-able. */
801
+ language?: string;
802
+ /** Project layer, used for constraint inheritance and query filtering. */
803
+ layer?: "application" | "automation" | "configuration" | "library" | "scaffolding" | "tool";
804
+ /**
805
+ * Project name. When set, takes precedence over `package.json#name`
806
+ * as the project's identity in the workspace graph and CLI filters.
807
+ * Falls back to `package.json#name` when omitted.
808
+ */
809
+ name?: string;
810
+ /** Code owners for paths inside this project. */
811
+ owners?: OwnersEntry[];
812
+ /** Project-level metadata. */
813
+ project?: {
814
+ channel?: string;
815
+ description?: string;
816
+ maintainers?: string[];
817
+ owner?: string;
818
+ title?: string;
819
+ };
820
+ /**
821
+ * Project type — `library`, `application`, `service`, or `tool`.
822
+ *
823
+ * - `library` — reusable code consumed by other workspace projects.
824
+ * - `application` — end-user-facing build target (web app, mobile app).
825
+ * - `service` — long-running HTTP / worker process deployed independently.
826
+ * - `tool` — CLI or developer tooling shipped as an executable.
827
+ */
828
+ projectType?: "application" | "library" | "service" | "tool";
829
+ /**
830
+ * Marks the project as write-restricted. Consumed by
831
+ * `vis sync codeowners --write-guard` to scope the generated
832
+ * Write Guard workflow to this project's paths.
833
+ */
834
+ restricted?: boolean;
835
+ /** Source root, used for display and language inference. */
836
+ sourceRoot?: string;
837
+ /** Tech stack. */
838
+ stack?: "backend" | "data" | "frontend" | "infrastructure" | "systems";
839
+ /** Filterable tags. */
840
+ tags?: string[];
841
+ /** Vis-style target definitions (merged on top of package.json scripts). */
842
+ targets?: Record<string, VisTargetConfiguration>;
843
+ }
844
+ /**
845
+ * A predicate used by {@link VisConfig.scopedTasks}.
846
+ * All listed constraints must match for the block to apply.
847
+ */
848
+ interface ScopedTasksMatch {
849
+ /** Match on primary language. */
850
+ language?: string | string[];
851
+ /** Match on project layer. */
852
+ layer?: ProjectJson["layer"] | ProjectJson["layer"][];
853
+ /** Match on project type. */
854
+ projectType?: "application" | "library" | "service" | "tool";
855
+ /** Match on project stack. */
856
+ stack?: ProjectJson["stack"] | ProjectJson["stack"][];
857
+ /** Match projects tagged with any of these tags. */
858
+ tags?: string[];
859
+ }
860
+ /**
861
+ * A single scoped-tasks block — a set of task defaults gated by an
862
+ * optional match predicate.
863
+ */
864
+ interface ScopedTasksBlock {
865
+ /** Optional match predicate; if omitted, the block applies universally. */
866
+ match?: ScopedTasksMatch;
867
+ /** Task default configurations, keyed by target name. */
868
+ tasks: Record<string, Partial<VisTargetConfiguration>>;
869
+ }
870
+ interface VisConfig {
871
+ /** AI analysis configuration */
872
+ ai?: {
873
+ /** Cache TTL in milliseconds. Overrides default (1h / 30min for security). */
874
+ cacheTtl?: number;
875
+ /** Override default provider priority. Higher number = preferred. */
876
+ priority?: Record<string, number>;
877
+ /** Use a specific provider instead of auto-detecting (e.g., `"claude"`, `"gemini"`). */
878
+ provider?: string;
879
+ };
880
+ /**
881
+ * Scope the task-runner cache directory by the current git branch.
882
+ * When `true`, caches are stored under `&lt;cacheDir>/branches/&lt;slug>`
883
+ * so `main` and feature branches stop thrashing each other —
884
+ * generated artefacts (schemas, `.d.ts` snapshots) that legitimately
885
+ * differ across branches no longer oscillate the cache contents.
886
+ *
887
+ * Falls back to the unscoped path on detached HEAD, non-git
888
+ * workspaces, or when git isn't available.
889
+ * @default false
890
+ */
891
+ branchScopedCache?: boolean;
892
+ /**
893
+ * Code ownership configuration. Controls how `vis sync codeowners`
894
+ * renders the generated CODEOWNERS file.
895
+ */
896
+ codeowners?: CodeownersConfig;
897
+ /**
898
+ * Project dependency constraints.
899
+ * Enforced after building the project graph, before running tasks.
900
+ */
901
+ constraints?: ConstraintsConfig;
902
+ /**
903
+ * Configuration for the `vis create` scaffolding command.
904
+ * Controls template downloads (via giget), default options, and
905
+ * post-creation behavior.
906
+ */
907
+ create?: {
908
+ /**
909
+ * Authorization token for downloading private repository templates.
910
+ * Passed as Bearer token to the git host API.
911
+ * Can also be set via GIGET_AUTH, GITHUB_TOKEN, or GH_TOKEN environment variables.
912
+ */
913
+ auth?: string;
914
+ /**
915
+ * Default editor to configure after scaffolding.
916
+ * When set, `vis create` automatically generates editor config files.
917
+ * @example "vscode"
918
+ */
919
+ defaultEditor?: "vscode";
920
+ /**
921
+ * Default package manager for new standalone projects.
922
+ * When set, skips the PM selection prompt in interactive mode.
923
+ */
924
+ defaultPm?: "bun" | "npm" | "pnpm" | "yarn";
925
+ /**
926
+ * Default giget provider for `owner/repo` shorthand inputs.
927
+ * @default "github"
928
+ */
929
+ defaultProvider?: "bitbucket" | "github" | "gitlab" | "sourcehut";
930
+ /**
931
+ * Initialize a git repository after scaffolding standalone projects.
932
+ * @default false
933
+ */
934
+ gitInit?: boolean;
935
+ /**
936
+ * Install dependencies automatically after scaffolding.
937
+ * @default true
938
+ */
939
+ install?: boolean;
940
+ /**
941
+ * Prefer locally cached templates over re-downloading.
942
+ * Useful for offline development or slow connections.
943
+ * @default false
944
+ */
945
+ preferOffline?: boolean;
946
+ /**
947
+ * Custom template registry URL.
948
+ * When set, giget checks this registry for template metadata
949
+ * before falling back to direct provider resolution.
950
+ * Set to `false` to disable registry lookup entirely.
951
+ * @see https://github.com/unjs/giget#custom-registry
952
+ */
953
+ registry?: false | string;
954
+ /**
955
+ * Named template aliases for quick access.
956
+ * Maps short names to full giget source strings.
957
+ * @example
958
+ * ```
959
+ * templates: {
960
+ * "react": "github:vitejs/vite/packages/create-vite/template-react-ts",
961
+ * "lib": "github:my-org/lib-template",
962
+ * "internal": "gitlab:company/templates/node-service",
963
+ * }
964
+ * ```
965
+ */
966
+ templates?: Record<string, string>;
967
+ };
968
+ /**
969
+ * Default base branch used by `vis affected`, `vis ci`, and `vis run --affected`
970
+ * when no explicit `--base` is passed and no CI smart-resolver fires.
971
+ *
972
+ * Resolved as `origin/&lt;defaultBase>` against the local clone; should be a
973
+ * branch name (not a fully-qualified ref) such as `main`, `master`, or `trunk`.
974
+ * Falls back to `main` when omitted.
975
+ *
976
+ * Migrated automatically from `nx.json#affected.defaultBase` /
977
+ * `nx.json#defaultBase` by `vis migrate nx`.
978
+ * @default "main"
979
+ */
980
+ defaultBase?: string;
981
+ /**
982
+ * Discover `.editorconfig` for indent / line-ending defaults during
983
+ * file transformations (sort-package-json, migrate, hook, pm overrides,
984
+ * workspace catalog rewrites). Per-command flags can still override.
985
+ * @default true
986
+ */
987
+ editorconfig?: boolean;
988
+ /**
989
+ * Inherit configuration from one or more parent configs. Entries are
990
+ * resolved left-to-right (later wins) and the consumer's own values
991
+ * always override anything pulled in from `extends`.
992
+ *
993
+ * Each entry is either:
994
+ * - a relative path (`./shared.config.ts`, `../shared.config.ts`) —
995
+ * resolved against the file declaring `extends`;
996
+ * - an npm package name (`@acme/vis-preset`) — resolved via Node.js
997
+ * module resolution from the consumer file.
998
+ *
999
+ * Absolute paths are rejected — they break across machines and CI.
1000
+ * Cycles raise `VisConfigCycleError` during load.
1001
+ * @example
1002
+ * ```
1003
+ * extends: ["@acme/vis-preset", "./shared/security.config.ts"]
1004
+ * ```
1005
+ */
1006
+ extends?: string | string[];
1007
+ /**
1008
+ * Named file-group patterns, reusable from target `inputs` via the
1009
+ * `@filegroup:&lt;name>` token. File groups are resolved relative to each
1010
+ * project root at discovery time.
1011
+ * @example
1012
+ * ```
1013
+ * fileGroups: {
1014
+ * sources: ["src/**\/*.ts", "!src/**\/*.test.ts"],
1015
+ * tests: ["**\/*.test.ts"],
1016
+ * }
1017
+ * ```
1018
+ */
1019
+ fileGroups?: Record<string, string[]>;
1020
+ /**
1021
+ * Configuration for `vis fmt` — the formatter orchestrator.
1022
+ *
1023
+ * Tunes adapter detection precedence, per-extension routing, and
1024
+ * per-adapter overrides. Flags on the CLI always win over config.
1025
+ *
1026
+ * The default fmt precedence is `oxfmt → biome → dprint → prettier
1027
+ * → deno-fmt`. When multiple adapters claim the same extension,
1028
+ * the first in this order owns it unless overridden here.
1029
+ * @example
1030
+ * ```
1031
+ * fmt: {
1032
+ * order: ["biome", "prettier"],
1033
+ * extensionOverrides: { md: "dprint" },
1034
+ * adapters: { "deno-fmt": { enabled: false } },
1035
+ * }
1036
+ * ```
1037
+ */
1038
+ fmt?: {
1039
+ /**
1040
+ * Per-adapter overrides. Keyed by `AdapterId`. Set
1041
+ * `enabled: false` to skip an adapter even when detected, or
1042
+ * `extraArgs` to append flags verbatim.
1043
+ */
1044
+ adapters?: Partial<Record<FmtAdapterId, LintFmtAdapterOverride>>;
1045
+ /**
1046
+ * Pin a file extension (without the leading dot) to a specific
1047
+ * adapter, overriding the registry's "first detected adapter
1048
+ * wins" routing. Use to e.g. send `.md` to `dprint` even when
1049
+ * both prettier and dprint are present.
1050
+ */
1051
+ extensionOverrides?: Record<string, FmtAdapterId>;
1052
+ /**
1053
+ * Override the adapter precedence order. Adapters omitted from
1054
+ * this list still run (appended at the end in registry order),
1055
+ * but those listed earlier get priority for extension routing.
1056
+ */
1057
+ order?: FmtAdapterId[];
1058
+ };
1059
+ /**
1060
+ * Configuration for the `vis generate` in-repo scaffolding command.
1061
+ * Points at additional template directories beyond the defaults
1062
+ * (`.vis/templates/` and `.moon/templates/`).
1063
+ */
1064
+ generator?: {
1065
+ /**
1066
+ * Authorization token forwarded to giget when fetching
1067
+ * `git://`/`npm://` remote templates. Falls back to
1068
+ * `GIGET_AUTH` / `GITHUB_TOKEN` / `GH_TOKEN` env vars.
1069
+ */
1070
+ auth?: string;
1071
+ /**
1072
+ * Prefer locally cached remote templates over re-downloading.
1073
+ * Overridable per invocation via `--prefer-offline`.
1074
+ * @default false
1075
+ */
1076
+ preferOffline?: boolean;
1077
+ /**
1078
+ * Extra directories to scan for templates. Each directory is
1079
+ * checked for both native templates (`&lt;name>.ts`) and
1080
+ * moon-format directories (containing `template.yml`).
1081
+ * @example
1082
+ * ```
1083
+ * generator: {
1084
+ * templates: ["./tools/generators", "./packages/scaffolding/templates"],
1085
+ * }
1086
+ * ```
1087
+ */
1088
+ templates?: string[];
1089
+ };
1090
+ /**
1091
+ * Auto-create targets from detected config files (Project Crystal-style).
1092
+ * On by default; set `false` to disable entirely, or use the object
1093
+ * form to disable individual detectors.
1094
+ *
1095
+ * Inferred targets sit *below* explicit ones — the command from
1096
+ * `package.json#scripts`, `project.json#targets`, or `vis.task.ts`
1097
+ * always wins per-key, so opting in never changes what runs. As a
1098
+ * caching aid, when a `package.json` script's command *is* a
1099
+ * detector's command (optionally with extra flags, no shell
1100
+ * chaining) and the script declares no `inputs`/`outputs`, the
1101
+ * detector's `inputs`/`outputs` are adopted so the script target can
1102
+ * cache precisely and restore its artifacts. Customised/compound
1103
+ * scripts are left untouched.
1104
+ *
1105
+ * Built-in detectors and the targets they synthesize:
1106
+ *
1107
+ * - **App frameworks** — `nuxt` (build/dev/preview/generate),
1108
+ * `next` (build/dev/start), `remix` (build/dev/start), `astro`
1109
+ * (build/dev), `gatsby` (build/develop/serve), `docusaurus`
1110
+ * (build/start/serve).
1111
+ * - **Bundlers** — `vite` (build/dev/preview), `rolldown` (build),
1112
+ * `tsdown` (build), `tsup` (build), `packem` (build), `rollup`
1113
+ * (build), `webpack` (build).
1114
+ * - **Docs sites** — `vitepress` (docs:build/docs:dev/docs:preview),
1115
+ * `typedoc` (docs).
1116
+ * - **Server frameworks** — `nest` (build/start/start:dev).
1117
+ * - **Test runners** — `vitest` (test/test:watch), `jest`
1118
+ * (test/test:watch), `bun` (test), `playwright` (test:e2e),
1119
+ * `cypress` (test:e2e/cypress:open).
1120
+ * - **Stories** — `storybook` (storybook/build-storybook).
1121
+ * - **Type checking** — `typescript` (typecheck via `tsc --noEmit`).
1122
+ * - **Lint / format** — `eslint` (lint), `prettier` (format /
1123
+ * format:check), `biome` (lint, format), `oxlint` (lint),
1124
+ * `oxfmt` (format / format:check), `stylelint` (lint:css),
1125
+ * `knip` (knip).
1126
+ * - **Runtimes** — `deno` (test/lint/fmt/check).
1127
+ * - **Database tooling** — `prisma` (db:generate/db:migrate/
1128
+ * db:push/db:studio), `drizzle` (db:generate/db:migrate/
1129
+ * db:push/db:studio).
1130
+ * - **Codegen / release** — `graphql-codegen` (codegen),
1131
+ * `api-extractor` (api-extract), `changeset` (changeset:version /
1132
+ * changeset:publish / changeset:status).
1133
+ *
1134
+ * Trigger: presence of any matching config file in the project root.
1135
+ * Most detectors additionally match when their framework appears in
1136
+ * `dependencies` / `devDependencies` / `peerDependencies` /
1137
+ * `optionalDependencies` — covering convention-only setups (e.g.
1138
+ * vitest with default config). Detectors that intentionally require
1139
+ * a config file (because the package frequently appears transitively
1140
+ * and a dep-only match would synthesize broken commands): `vite`,
1141
+ * `rolldown`, `rollup`, `webpack`, `storybook`, `nest`, `remix`,
1142
+ * `vitepress`, `bun`, `deno`, `changeset`.
1143
+ *
1144
+ * Conflict resolution: detectors are evaluated in registration order
1145
+ * (see `BUILT_IN_DETECTORS`) and the first to claim a target name
1146
+ * wins. Per-name priorities: `build` → nuxt > next > remix > astro
1147
+ * > gatsby > docusaurus > vite > nest > rolldown > tsdown > tsup >
1148
+ * packem > rollup > webpack; `test` → vitest > jest > bun > deno;
1149
+ * `test:e2e` → playwright > cypress; `lint` → eslint > biome >
1150
+ * oxlint > deno; `format` → prettier > biome > oxfmt; `db:*` →
1151
+ * prisma > drizzle.
1152
+ *
1153
+ * Also accepts an object form (`{ vite: false, vitest: true }`) to
1154
+ * opt individual detectors in or out by name. Detectors omitted from
1155
+ * the object run at their default (enabled). Useful when one
1156
+ * detector misfires for a given workspace without disabling the rest.
1157
+ * @default true
1158
+ */
1159
+ inferTargets?: Record<string, boolean> | boolean;
1160
+ /**
1161
+ * Installer backend selection for `vis install` / `vis add` /
1162
+ * `vis remove` / `vis update` / `vis ci`.
1163
+ *
1164
+ * Lets users opt into [aube](https://github.com/endevco/aube) — a
1165
+ * Rust-native package manager that reads/writes pnpm/npm/yarn/bun
1166
+ * lockfiles in place — as the default installer, while keeping a
1167
+ * single switch to fall back to the conventional PM detected from
1168
+ * the lockfile.
1169
+ *
1170
+ * Resolution precedence (highest first):
1171
+ * 1. CLI flag (`--installer &lt;name>` / `--no-aube`)
1172
+ * 2. Env var `VIS_INSTALLER`
1173
+ * 3. This config field
1174
+ * 4. Auto-detect (the default)
1175
+ *
1176
+ * Aube must be installed separately — `vis` does not bundle it.
1177
+ * Install via npm (`@endevco/aube`), `mise use -g aube`, or
1178
+ * `brew install endevco/tap/aube`.
1179
+ */
1180
+ install?: {
1181
+ /**
1182
+ * Which package manager performs install/add/remove/etc.
1183
+ * - `auto` (default): use `aube` when it is on PATH; otherwise
1184
+ * fall back to the lockfile-detected PM.
1185
+ * - explicit name: always use that PM. Errors when the named
1186
+ * binary is missing rather than silently falling back.
1187
+ * @default "auto"
1188
+ */
1189
+ backend?: "aube" | "auto" | "bun" | "npm" | "pnpm" | "yarn";
1190
+ /**
1191
+ * Whether to dispatch PM invocations through `corepack`.
1192
+ * - `"auto"` (default): use corepack only when the workspace
1193
+ * pins a PM via the `packageManager` field AND `corepack` is
1194
+ * on PATH AND the PM is one corepack manages (pnpm/yarn/npm).
1195
+ * - `true`: always prefix `corepack` when the binary is on PATH
1196
+ * and the PM is corepack-managed (errors loudly otherwise).
1197
+ * - `false`: never go through corepack — invoke the PM directly.
1198
+ *
1199
+ * Mirrors nypm's `corepack: true` flag. Bun, deno, and aube are
1200
+ * never wrapped — corepack does not manage them.
1201
+ * @default "auto"
1202
+ */
1203
+ corepack?: "auto" | boolean;
1204
+ };
1205
+ /**
1206
+ * Configuration for `vis lint` — the linter orchestrator.
1207
+ *
1208
+ * Tunes adapter detection precedence and per-adapter overrides.
1209
+ * Flags on the CLI always win over config.
1210
+ *
1211
+ * The default lint precedence is `oxlint → biome → eslint →
1212
+ * stylelint → deno-lint`. Override with `order` to e.g. let biome
1213
+ * fire before oxlint when the workspace standardises on biome.
1214
+ * @example
1215
+ * ```
1216
+ * lint: {
1217
+ * order: ["biome", "eslint"],
1218
+ * adapters: { "deno-lint": { enabled: false } },
1219
+ * }
1220
+ * ```
1221
+ */
1222
+ lint?: {
1223
+ /**
1224
+ * Per-adapter overrides. Keyed by `AdapterId`. Set
1225
+ * `enabled: false` to skip an adapter even when detected, or
1226
+ * `extraArgs` to append flags verbatim.
1227
+ */
1228
+ adapters?: Partial<Record<LintAdapterId, LintFmtAdapterOverride>>;
1229
+ /**
1230
+ * Override the adapter precedence order. Adapters omitted from
1231
+ * this list still run (appended at the end in registry order)
1232
+ * unless explicitly disabled under `adapters[id].enabled`.
1233
+ */
1234
+ order?: LintAdapterId[];
1235
+ };
1236
+ /**
1237
+ * `vis-mcp` promotion notice shown after successful commands when an
1238
+ * AI CLI (Claude Code, Cursor, Windsurf, Continue, Zed, Cline) is
1239
+ * installed but `@visulima/vis-mcp` is not wired into its config.
1240
+ *
1241
+ * Shown at most once every 14 days; skipped in CI, non-TTY shells,
1242
+ * during `--help`/`--version`/`ai`/`mcp` invocations, and when
1243
+ * `VIS_NO_MCP_PROMOTE=1` is set. Set `enabled: false` to silence
1244
+ * permanently for this workspace.
1245
+ * @example
1246
+ * ```
1247
+ * mcpPromote: { enabled: false }
1248
+ * ```
1249
+ */
1250
+ mcpPromote?: {
1251
+ /**
1252
+ * Show the vis-mcp promotion notice on successful command completion.
1253
+ * @default true
1254
+ */
1255
+ enabled?: boolean;
1256
+ };
1257
+ /**
1258
+ * Named input patterns inherited by every project target. Equivalent
1259
+ * to task-runner's `namedInputs` but configurable from the vis config.
1260
+ */
1261
+ namedInputs?: NamedInputs;
1262
+ /** Package override mappings applied during migration (e.g., `{ "lodash": "lodash-es" }`) */
1263
+ overrides?: Record<string, string>;
1264
+ /**
1265
+ * Plugins — each plugin registers typed hooks that fire at run /
1266
+ * task / cache boundaries. See {@link VisPlugin} for the contract.
1267
+ * Prefer plugins over per-target shell hooks when behaviour needs
1268
+ * access to task metadata, results, or cache state.
1269
+ */
1270
+ plugins?: VisPlugin[];
1271
+ /**
1272
+ * Workspace dep-policy lints exposed via `vis lint`. Each block opts in
1273
+ * to a single rule; the command flags (`--workspace-protocol`,
1274
+ * `--no-redefine-root`, `--banned-deps`) toggle them per-run.
1275
+ */
1276
+ policy?: {
1277
+ /**
1278
+ * Map of dep names or globs → reason (or `{ reason, replacement, packages?, paths? }`).
1279
+ * Internal/workspace deps are never flagged here; the
1280
+ * workspace-protocol lint owns those.
1281
+ *
1282
+ * Optional `packages` (globs over the declaring package's `name`) and
1283
+ * `paths` (globs over the workspace-relative `packageDir`) narrow where
1284
+ * the rule applies. With both set, either match is enough. Omit both
1285
+ * to ban anywhere — the default.
1286
+ * @example
1287
+ * ```
1288
+ * bannedDeps: {
1289
+ * request: "deprecated; use undici",
1290
+ * moment: { reason: "huge bundle, frozen upstream", replacement: "date-fns" },
1291
+ * "@radix-ui/*": "we standardized on shadcn",
1292
+ * react: { reason: "no react in shared libs", paths: ["packages/shared/*"] },
1293
+ * "next": { reason: "apps only", packages: ["@app/*"] },
1294
+ * }
1295
+ * ```
1296
+ */
1297
+ bannedDeps?: Record<string, string | {
1298
+ packages?: string[];
1299
+ paths?: string[];
1300
+ reason: string;
1301
+ replacement?: string;
1302
+ }>;
1303
+ /**
1304
+ * Tweak the custom-types lint that flags drift in `engines.{node,pnpm,...}`,
1305
+ * `packageManager`, `volta.{node,pnpm,yarn}`, and the proposed
1306
+ * `devEngines.{runtime,packageManager}` array form.
1307
+ *
1308
+ * Each (customType × name) cluster is tracked independently —
1309
+ * `engines.node` and `volta.node` don't cross-couple here. Use a
1310
+ * versionGroup once that lands if you need to enforce they agree.
1311
+ */
1312
+ customTypes?: {
1313
+ /**
1314
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1315
+ * for the contract — same semantics, applied to drift rewrites
1316
+ * across engines / packageManager / volta / devEngines.
1317
+ *
1318
+ * Note: `--fix` strips any `+sha512.&lt;hash&gt;` suffix from
1319
+ * `packageManager` on bump — content-integrity hashes are tied
1320
+ * to a specific package, not a version, so users must regenerate
1321
+ * via their PM (`pnpm install` re-pins; `corepack use pnpm@X` etc.).
1322
+ * @default true
1323
+ */
1324
+ autofix?: "prompt" | boolean;
1325
+ /**
1326
+ * User-defined custom-type pin locations. Each entry tells the
1327
+ * customTypes lint to read additional version pins from a
1328
+ * non-standard JSON path inside every workspace package.json,
1329
+ * cluster them by `(name × depName)` like the built-in types,
1330
+ * and rewrite them with `--fix`.
1331
+ *
1332
+ * The original built-ins (`engines`, `volta`, `packageManager`,
1333
+ * `devEngines.runtime`, `devEngines.packageManager`) keep
1334
+ * running unconditionally — these layer on top.
1335
+ *
1336
+ * Strategies:
1337
+ * - `versionsByName`: the JSON at `path` is `{ [depName]: version }`
1338
+ * (like `engines` or `pnpm.overrides`).
1339
+ * - `name@version`: the JSON at `path` is a string of the form
1340
+ * `name@version` (like `packageManager`). The leading `name@`
1341
+ * is preserved; only the version segment is rewritten.
1342
+ * - `string`: the JSON at `path` is a bare version string. The
1343
+ * `depName` field is required and identifies the dep cluster.
1344
+ *
1345
+ * `name` must not collide with a built-in type name. `path` is
1346
+ * a dot-separated walk into the package.json (e.g. `pnpm.overrides`).
1347
+ * @example
1348
+ * ```ts
1349
+ * extraTypes: [
1350
+ * { name: "pnpmOverridesLegacy", path: "pnpm.overrides", strategy: "versionsByName" },
1351
+ * { name: "myToolPin", path: "myTool.runtime", strategy: "name@version" },
1352
+ * { name: "minNode", path: "config.minNode", strategy: "string", depName: "node" },
1353
+ * ]
1354
+ * ```
1355
+ */
1356
+ extraTypes?: ExtraCustomType[];
1357
+ /**
1358
+ * Dep names exempt from the drift check (exact match against the
1359
+ * field name within the block — e.g. `node`, `pnpm`).
1360
+ */
1361
+ ignore?: string[];
1362
+ /**
1363
+ * Resolution strategy used when `--fix` runs.
1364
+ * - `highest` (default): align every drifting instance to the
1365
+ * highest declared version.
1366
+ * - `lowest`: align to the lowest.
1367
+ * @default "highest"
1368
+ */
1369
+ resolve?: "highest" | "lowest";
1370
+ };
1371
+ /**
1372
+ * Tweak the dead-workspace-patterns lint that flags entries in
1373
+ * `pnpm-workspace.yaml#packages` / `package.json#workspaces` which
1374
+ * resolve to zero on-disk directories.
1375
+ */
1376
+ deadWorkspacePatterns?: {
1377
+ /**
1378
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1379
+ * for the contract — applied here to dropping unmatched patterns
1380
+ * from the workspace config file.
1381
+ * @default true
1382
+ */
1383
+ autofix?: "prompt" | boolean;
1384
+ };
1385
+ /**
1386
+ * Tweak the empty-deps lint that flags empty `dependencies` /
1387
+ * `devDependencies` / `peerDependencies` / `optionalDependencies`
1388
+ * blocks across the workspace.
1389
+ */
1390
+ emptyDeps?: {
1391
+ /**
1392
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1393
+ * for the contract — applied here to removing the empty key.
1394
+ * @default true
1395
+ */
1396
+ autofix?: "prompt" | boolean;
1397
+ /**
1398
+ * Block names exempt from the rule (e.g. `["peerDependencies"]`
1399
+ * to keep the key around as a marker even when empty).
1400
+ */
1401
+ ignoreBlocks?: ("dependencies" | "devDependencies" | "optionalDependencies" | "peerDependencies")[];
1402
+ };
1403
+ /**
1404
+ * Tweak the redefine-root lint that flags non-root packages duplicating
1405
+ * deps already pinned at the workspace root.
1406
+ */
1407
+ redefineRoot?: {
1408
+ /** Dep names that are exempt from the redefine-root rule (exact match). */
1409
+ ignore?: string[];
1410
+ };
1411
+ /**
1412
+ * Tweak the root-deps lint that flags runtime `dependencies` declared
1413
+ * on the private workspace root (they should live in `devDependencies`).
1414
+ */
1415
+ rootDeps?: {
1416
+ /**
1417
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1418
+ * for the contract — applied here to moving entries from
1419
+ * `dependencies` to `devDependencies` on the root package.json.
1420
+ * @default true
1421
+ */
1422
+ autofix?: "prompt" | boolean;
1423
+ };
1424
+ /**
1425
+ * Tweak the root-package-manager lint that flags a missing or
1426
+ * malformed `packageManager` field on the workspace root.
1427
+ */
1428
+ rootPackageManager?: {
1429
+ /**
1430
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1431
+ * for the contract. `--fix` only writes when `suggested` is set —
1432
+ * a missing `packageManager` field has no canonical default.
1433
+ * @default true
1434
+ */
1435
+ autofix?: "prompt" | boolean;
1436
+ /**
1437
+ * Canonical specifier (`name@version`) to write when `--fix` runs
1438
+ * and the field is absent. Required to enable autofix —
1439
+ * vis won't guess the workspace's preferred manager.
1440
+ * @example "pnpm@10.32.1"
1441
+ */
1442
+ suggested?: string;
1443
+ };
1444
+ /**
1445
+ * Tweak the root-private lint that flags a workspace root package.json
1446
+ * missing `"private": true`. Only fires when the root looks like a
1447
+ * workspace (npm/yarn/bun `workspaces` field or `pnpm-workspace.yaml`).
1448
+ */
1449
+ rootPrivate?: {
1450
+ /**
1451
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1452
+ * for the contract — applied here to inserting `"private": true`.
1453
+ * @default true
1454
+ */
1455
+ autofix?: "prompt" | boolean;
1456
+ };
1457
+ /**
1458
+ * Tweak the similar-deps lint that flags drift across related dep
1459
+ * families (e.g. `react` and `react-dom`, all of `@babel/*`).
1460
+ *
1461
+ * The lint is report-only — aligning a family requires picking a
1462
+ * single canonical specifier across heterogeneous range syntaxes
1463
+ * (`^`, `~`, exact), which is too lossy without user input.
1464
+ */
1465
+ similarDeps?: {
1466
+ /**
1467
+ * Additional families merged with the built-ins. Same `id` wins
1468
+ * → user override fully replaces the built-in entry.
1469
+ * @example
1470
+ * ```
1471
+ * extraFamilies: [
1472
+ * { id: "vue", label: "Vue", members: ["vue", "vue-router", "pinia"] },
1473
+ * ]
1474
+ * ```
1475
+ */
1476
+ extraFamilies?: SimilarDepFamily[];
1477
+ /** Family ids to skip entirely (matches `SimilarDepFamily.id`). */
1478
+ ignoreFamilies?: string[];
1479
+ };
1480
+ /**
1481
+ * Tweak the types-in-deps lint that flags `@types/*` declared in
1482
+ * `dependencies` on a private package (they belong in
1483
+ * `devDependencies` since the package never ships).
1484
+ */
1485
+ typesInDeps?: {
1486
+ /**
1487
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1488
+ * for the contract — applied here to moving the entry to
1489
+ * `devDependencies`. Existing dev pins are preserved on conflict.
1490
+ * @default true
1491
+ */
1492
+ autofix?: "prompt" | boolean;
1493
+ /** Dep names exempt from the rule (exact match, e.g. `@types/node`). */
1494
+ ignore?: string[];
1495
+ };
1496
+ /**
1497
+ * Tweak the workspace-protocol lint that flags internal deps not
1498
+ * using the `workspace:` protocol.
1499
+ */
1500
+ workspaceProtocol?: {
1501
+ /**
1502
+ * Three-state autofix opt-out. Some workspaces want detection
1503
+ * without rewrite (e.g. dual-licensed packages where `workspace:*`
1504
+ * is unsafe).
1505
+ * - `true` (default): `--fix` rewrites the specifier.
1506
+ * - `false`: never rewrite — report the violation only.
1507
+ * - `"prompt"`: ask before each rewrite. Falls back to report-only
1508
+ * when stdin isn't a TTY (CI). Reserved; not yet implemented.
1509
+ *
1510
+ * Note: when `false` (or `"prompt"`), `--fix` still **fails CI** on
1511
+ * detected violations — the rule is "report only", not "ignore".
1512
+ * Drop the rule from the lint selection if you want a clean exit.
1513
+ * @default true
1514
+ * @example
1515
+ * ```
1516
+ * policy: {
1517
+ * workspaceProtocol: { autofix: false },
1518
+ * }
1519
+ * ```
1520
+ */
1521
+ autofix?: "prompt" | boolean;
1522
+ };
1523
+ /**
1524
+ * Tweak the workspace-versions lint that flags external deps declared
1525
+ * at inconsistent versions across the workspace.
1526
+ */
1527
+ workspaceVersions?: {
1528
+ /**
1529
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1530
+ * for the contract — same semantics, applied to drift rewrites.
1531
+ *
1532
+ * Also gates the `--propose-min` catalog suggestion writer:
1533
+ * when `false` / `"prompt"`, `--fix --propose-min` reports the
1534
+ * proposed catalog entries but does not write
1535
+ * `pnpm-workspace.yaml`. Same "report only, still fails CI"
1536
+ * note applies as on `workspaceProtocol.autofix`.
1537
+ * @default true
1538
+ */
1539
+ autofix?: "prompt" | boolean;
1540
+ /** Dep names exempt from the version-drift check (exact match). */
1541
+ ignore?: string[];
1542
+ /**
1543
+ * Resolution strategy used when `--fix` runs.
1544
+ * - `highest` (default): rewrite every drifting instance to the
1545
+ * highest sibling specifier.
1546
+ * - `lowest`: rewrite to the lowest.
1547
+ * - `catalog`: rewrite any dep already pinned in a workspace catalog
1548
+ * to `catalog:` / `catalog:&lt;name>`. Catalog must exist; this lint
1549
+ * does not create the catalog (see `vis lint --resolve catalog --propose`).
1550
+ * @default "highest"
1551
+ */
1552
+ resolve?: "catalog" | "highest" | "lowest";
1553
+ };
1554
+ };
1555
+ /**
1556
+ * Pre-flight checks fired before `vis run` starts the orchestrator.
1557
+ * Each check is opt-out (`false`) — defaults are sensible for the
1558
+ * common monorepo case.
1559
+ */
1560
+ preflight?: {
1561
+ /**
1562
+ * Detect "lockfile changed but `node_modules` is stale" before
1563
+ * running tasks. Compares lockfile mtime against the
1564
+ * package-manager-specific install marker
1565
+ * (`node_modules/.modules.yaml` for pnpm, `.package-lock.json`
1566
+ * for npm, etc.). Warns in TTY, hard-fails in CI.
1567
+ * @default true
1568
+ */
1569
+ lockfile?: boolean;
1570
+ };
1571
+ /**
1572
+ * Configuration for the `vis release` subsystem. Controls change-file
1573
+ * authoring, version computation, channel routing, publish behavior,
1574
+ * and CI integration. See `packages/tooling/vis/rfc/design-release-manager.md`.
1575
+ */
1576
+ release?: VisReleaseConfig;
1577
+ /**
1578
+ * Behavior of `vis run` when invoked tasks declare service dependencies
1579
+ * that aren't running in the workspace registry. CLI `--services=&lt;mode>`
1580
+ * overrides this block.
1581
+ */
1582
+ run?: {
1583
+ /**
1584
+ * Wrap each task's CI log block in collapsible groups so users
1585
+ * can fold/unfold per-task output in the host CI's web UI.
1586
+ * Failed tasks always render expanded so the failure is visible
1587
+ * without an extra click.
1588
+ *
1589
+ * - `auto` (default): pick the format from the detected runner —
1590
+ * `GITHUB_ACTIONS=true` → `github` (`::group::`),
1591
+ * `GITLAB_CI=true` → `gitlab` (`section_start:` ANSI sequences),
1592
+ * `BUILDKITE=true` → `buildkite` (`---` collapsed headers),
1593
+ * `TF_BUILD=True` → `azure` (`##[group]`),
1594
+ * no grouping otherwise.
1595
+ * - `off`: never group (raw separators only — useful when
1596
+ * piping through tools that mangle the directives).
1597
+ * - `azure` / `buildkite` / `github` / `gitlab`: force the format
1598
+ * regardless of detected environment (useful for self-hosted
1599
+ * runners that don't set the standard env vars).
1600
+ *
1601
+ * CircleCI is intentionally not auto-detected: its 2.0+ format
1602
+ * has no inline grouping directive — steps auto-group in the
1603
+ * web UI without any markup from the runner.
1604
+ */
1605
+ ciGrouping?: "auto" | "azure" | "buildkite" | "github" | "gitlab" | "off";
1606
+ /**
1607
+ * Stay quiet when a run succeeds. When enabled:
1608
+ * - non-interactive output suppresses successful and cached tasks
1609
+ * and prints only failures (failed tasks always render in full —
1610
+ * in CI as expanded log blocks), equivalent to
1611
+ * `--output-style=quiet`; and
1612
+ * - the interactive TUI auto-closes a few seconds after a clean run
1613
+ * via a countdown dialog. A run with any failure stays open so the
1614
+ * user can inspect it.
1615
+ *
1616
+ * The explicit `--output-style` CLI flag overrides the output side,
1617
+ * a per-target `options.outputStyle` overrides both, and
1618
+ * `tui.autoExit` overrides the auto-close countdown.
1619
+ *
1620
+ * Default: `false` — every task's output is echoed and the TUI waits
1621
+ * for the user. Set to `true` to opt into quiet, auto-closing runs.
1622
+ */
1623
+ quietOnSuccess?: boolean;
1624
+ /**
1625
+ * One knob controlling auto-start of missing service deps.
1626
+ * - `auto` (default in TTY): pick by task — `dev` → ephemeral,
1627
+ * others → persistent.
1628
+ * - `ephemeral`: services die with the run (no registry entry).
1629
+ * - `persistent`: services persist across runs in the registry.
1630
+ * - `off` (default in CI / non-TTY): print diagnostics and abort.
1631
+ */
1632
+ services?: "auto" | "ephemeral" | "off" | "persistent";
1633
+ };
1634
+ /**
1635
+ * Cascading scoped-task blocks. Each block may narrow its tasks to a
1636
+ * subset of projects via `match`. Blocks are evaluated in order; later
1637
+ * blocks override earlier ones when the same field is set.
1638
+ *
1639
+ * Match predicates are additive — if `match` is omitted, the block applies
1640
+ * to every project.
1641
+ * @example
1642
+ * ```
1643
+ * scopedTasks: [
1644
+ * { match: { tags: ["frontend"] }, tasks: { build: { cache: true } } },
1645
+ * { match: { projectType: "library" }, tasks: { lint: { cache: true } } },
1646
+ * ]
1647
+ * ```
1648
+ */
1649
+ scopedTasks?: ScopedTasksBlock[];
1650
+ /**
1651
+ * Default options for `vis secrets`. CLI flags always take precedence;
1652
+ * this block provides workspace-wide defaults so teams can commit config
1653
+ * once and every invocation picks it up.
1654
+ */
1655
+ secrets?: {
1656
+ /** Path to a baseline of previously-triaged findings (relative to workspace root). */
1657
+ baseline?: string;
1658
+ /** Where the ruleset comes from. Omit for the bundled gitleaks default. */
1659
+ config?: {
1660
+ /** Layer the user's rules on top of the bundled ruleset. Default: `true`. */
1661
+ extendBundled?: boolean;
1662
+ /** Inline rule overrides. Wins over `path` when both are set. */
1663
+ inline?: {
1664
+ allowlist?: unknown;
1665
+ allowlists?: unknown[];
1666
+ description?: string;
1667
+ rules?: unknown[];
1668
+ title?: string;
1669
+ };
1670
+ /** Path to a JSON config (gitleaks-compatible). */
1671
+ path?: string;
1672
+ /** Bundled presets layered on top of the default ruleset (e.g. `"weak-passwords"`). */
1673
+ presets?: string[];
1674
+ };
1675
+ /** Redact secret values in findings. */
1676
+ redact?: boolean;
1677
+ /** Rule-id filters applied after scanning. */
1678
+ rules?: {
1679
+ /** Drop findings whose ruleId matches. */
1680
+ exclude?: string[];
1681
+ /** Only report findings whose ruleId matches. */
1682
+ include?: string[];
1683
+ };
1684
+ /** Walker / filesystem traversal. */
1685
+ walk?: {
1686
+ /**
1687
+ * Paths to additional `.gitignore`-syntax files (e.g. `.secretsignore`).
1688
+ */
1689
+ excludeFromFiles?: string[];
1690
+ /**
1691
+ * Gitignore-syntax patterns (supports negation, directory markers, leading `/`).
1692
+ * Applied on top of `.gitignore`.
1693
+ */
1694
+ excludePatterns?: string[];
1695
+ /** Respect `.gitignore`. Default: `true`. */
1696
+ gitignore?: boolean;
1697
+ /** Include hidden (dotfile) entries. Default: `false`. */
1698
+ includeHidden?: boolean;
1699
+ /** Max file size in bytes. Default 10 MiB. */
1700
+ maxFileSize?: number;
1701
+ };
1702
+ };
1703
+ /**
1704
+ * Supply chain security settings.
1705
+ * These settings are inspired by pnpm's security features and are applied
1706
+ * universally across all package managers (pnpm, npm, yarn, bun).
1707
+ *
1708
+ * For pnpm users: these map directly to pnpm-workspace.yaml settings.
1709
+ * For npm/yarn/bun users: vis enforces these at the vis layer since
1710
+ * those package managers lack native support.
1711
+ */
1712
+ security?: {
1713
+ /**
1714
+ * Packages whose policy findings have been reviewed and explicitly
1715
+ * accepted. Matched against every policy unless `policies` narrows the
1716
+ * scope. Replaces the legacy `security.socket.acceptedRisks` map.
1717
+ *
1718
+ * Key format: package name (`"lodash"`), name@version
1719
+ * (`"lodash@4.17.21"`), or glob (`"@myorg/*"`). Unversioned keys match
1720
+ * all versions of that package.
1721
+ * @example
1722
+ * ```
1723
+ * acceptedRisks: {
1724
+ * "some-risky-pkg": {
1725
+ * reason: "Internal fork, low score expected",
1726
+ * acceptedAt: "2026-03-15T10:00:00Z",
1727
+ * acceptedScore: 0.25,
1728
+ * policies: ["score"],
1729
+ * expiresAt: "2026-12-31",
1730
+ * },
1731
+ * }
1732
+ * ```
1733
+ */
1734
+ acceptedRisks?: Record<string, {
1735
+ /** ISO 8601 timestamp when the risk was accepted. */
1736
+ acceptedAt: string;
1737
+ /**
1738
+ * The overall Socket.dev score at the time of acceptance,
1739
+ * in the range `[0, 1]` (mirrors `policies.score.minimum`).
1740
+ * Only relevant for the `score` policy; ignored elsewhere.
1741
+ */
1742
+ acceptedScore?: number;
1743
+ /**
1744
+ * ISO 8601 date (or datetime). After this point the acceptance
1745
+ * stops applying and vis emits a warning. Leave undefined for
1746
+ * non-expiring entries. Values that fail to parse as a Date
1747
+ * are rejected by the loader rather than silently treated as
1748
+ * "always expired".
1749
+ */
1750
+ expiresAt?: string;
1751
+ /**
1752
+ * Which policies this acceptance covers. When undefined the
1753
+ * acceptance applies to every policy finding on this package.
1754
+ */
1755
+ policies?: PolicyName[];
1756
+ /** User-provided reason for accepting the risk. */
1757
+ reason: string;
1758
+ }>;
1759
+ /**
1760
+ * Map of bin names (or `pkg#bin` qualifiers) blessed for shadowing.
1761
+ * When two installed packages expose the same bin name, vis flags
1762
+ * the collision in `vis security list` and the post-install drift
1763
+ * report — set the bin (or `pkg#bin`) to `true` here to suppress
1764
+ * the warning once you've reviewed the conflict.
1765
+ *
1766
+ * Port of LavaMoat allow-scripts' experimental `allowBins`.
1767
+ * Bare names match any conflicting bin with that name; the
1768
+ * `pkg#bin` form scopes the approval to a single package's bin.
1769
+ * @example
1770
+ * ```
1771
+ * allowBins: {
1772
+ * tsc: true, // bless any 'tsc' bin
1773
+ * "typescript#tsc": true, // bless only typescript's 'tsc'
1774
+ * }
1775
+ * ```
1776
+ */
1777
+ allowBins?: Record<string, boolean>;
1778
+ /**
1779
+ * Offline OSV advisory + `vis audit` configuration.
1780
+ *
1781
+ * Controls `vis audit --offline` and `vis advisories sync` behavior:
1782
+ * - `audit.advisories.source` is the OSV mirror to download from. It
1783
+ * must be `https://` and resolve to a host in `allowedHosts` (or one
1784
+ * of the built-in defaults).
1785
+ * - `audit.offlineByDefault` flips the default of `--offline`.
1786
+ *
1787
+ * Vulnerability severity gating and reachability filtering live under
1788
+ * `policies.vulnerability` (see below).
1789
+ */
1790
+ audit?: {
1791
+ /**
1792
+ * Offline advisory cache settings.
1793
+ */
1794
+ advisories?: {
1795
+ /**
1796
+ * Extra hosts permitted as `audit.advisories.source`. The
1797
+ * built-in allowlist is enforced even if this field is
1798
+ * omitted; entries here add to it.
1799
+ * @example ["mirror.corp.example.com"]
1800
+ */
1801
+ allowedHosts?: string[];
1802
+ /**
1803
+ * Bloom-filter prefilter for OSV `MAL-*` (malicious-package)
1804
+ * advisories. Probes a ~380 KB filter fetched from
1805
+ * `endevco/osv-bloom` and escalates hits to the existing
1806
+ * advisory query path for `(name, version)` confirmation.
1807
+ *
1808
+ * Cost: ~380 KB on the wire, refreshed every 10 minutes
1809
+ * upstream. False-positive rate is ~0.1%, so a typical
1810
+ * 1000-package lockfile triggers zero or one extra
1811
+ * round trip per audit.
1812
+ *
1813
+ * Independent of `audit.advisories.source` / `verify` —
1814
+ * those control the full OSV ingest. The bloom is
1815
+ * MAL-* only and aimed at cold-start preflight and
1816
+ * ephemeral CI runners that haven't synced the full DB.
1817
+ */
1818
+ bloom?: {
1819
+ /**
1820
+ * Extra hosts permitted as `bloom.source`. The
1821
+ * built-in allowlist (`endevco.github.io`) is enforced
1822
+ * even if this field is omitted; entries here add to it.
1823
+ */
1824
+ allowedHosts?: string[];
1825
+ /**
1826
+ * Prefilter mode:
1827
+ * - `off`: never run the bloom check.
1828
+ * - `on`: run when a local filter is cached; on
1829
+ * fetch failure, fall back to the cached filter or
1830
+ * skip the prefilter (audit continues against the
1831
+ * non-bloom path).
1832
+ * - `required`: hard-fail the audit when the bloom
1833
+ * refresh fails or the local cache is missing.
1834
+ * Use in hardened CI together with
1835
+ * `audit.advisories.source`.
1836
+ * @default "off"
1837
+ */
1838
+ mode?: "off" | "on" | "required";
1839
+ /**
1840
+ * Bloom mirror base URL (no trailing slash). Defaults
1841
+ * to the public `endevco/osv-bloom` GH Pages site.
1842
+ * Override only if you mirror the bloom artifacts
1843
+ * internally; the hostname must appear in
1844
+ * `allowedHosts`.
1845
+ * @default "https://endevco.github.io/osv-bloom"
1846
+ */
1847
+ source?: string;
1848
+ };
1849
+ /**
1850
+ * Number of hours after `lastSyncIso` before `vis audit`
1851
+ * prints a "your advisory cache may be stale" notice.
1852
+ * `vis audit` never auto-syncs — the user runs
1853
+ * `vis advisories sync` themselves.
1854
+ * @default 24
1855
+ */
1856
+ refreshIntervalHours?: number;
1857
+ /**
1858
+ * OSV mirror base URL (no trailing slash). Defaults to the
1859
+ * public Google Cloud Storage bucket. Override to point at a
1860
+ * corporate mirror; the hostname must appear in `allowedHosts`
1861
+ * (or one of the built-in defaults) and the scheme must be
1862
+ * `https://`.
1863
+ * @default "https://osv-vulnerabilities.storage.googleapis.com"
1864
+ */
1865
+ source?: string;
1866
+ /**
1867
+ * Sigstore signature verification for the OSV dump.
1868
+ * Requires the native binding to be built with the
1869
+ * `verify-signatures` Cargo feature (default in the release
1870
+ * build). Off by default — the upstream OSV bucket does not
1871
+ * ship signatures today.
1872
+ */
1873
+ verify?: {
1874
+ /**
1875
+ * Enable signature verification. The sync flow downloads
1876
+ * `&lt;eco>/all.zip.sig` next to the zip and aborts if it
1877
+ * cannot verify against `expectedIssuer` / `expectedSubject`.
1878
+ * @default false
1879
+ */
1880
+ enabled?: boolean;
1881
+ /** OIDC issuer that signed the bundle. */
1882
+ expectedIssuer?: string;
1883
+ /** OIDC subject (workload identity) that signed the bundle. */
1884
+ expectedSubject?: string;
1885
+ };
1886
+ };
1887
+ /**
1888
+ * Gates for the auto-fix flow (`vis audit --fix` /
1889
+ * `--fix-transitive`). The CLI prompts outside CI; inside CI
1890
+ * the flags refuse to run unless `--yes` is set and, for
1891
+ * transitives, `apply.transitive.enabled = true`.
1892
+ */
1893
+ apply?: {
1894
+ /**
1895
+ * Gates for `vis audit --fix-transitive`. Two-lock: the
1896
+ * CLI requires `--yes` AND this flag set to `true` before
1897
+ * it will rewrite override entries in CI.
1898
+ */
1899
+ transitive?: {
1900
+ /**
1901
+ * When true, allows `--fix-transitive` to run in CI
1902
+ * environments. Defaults to false because rewriting
1903
+ * overrides is a higher blast radius than bumping a
1904
+ * direct dep.
1905
+ * @default false
1906
+ */
1907
+ enabled?: boolean;
1908
+ };
1909
+ };
1910
+ /**
1911
+ * Vulnerability scanner backend.
1912
+ *
1913
+ * - `auto` (default): delegate to `aube audit` when aube is the
1914
+ * active installer (its scanner reads the same lockfile and
1915
+ * produces equivalent severity ratings); otherwise run vis's
1916
+ * own OSV/Socket scanner.
1917
+ * - `aube`: always delegate to `aube audit`. Errors if `aube` is
1918
+ * not on PATH.
1919
+ * - `vis`: always use vis's built-in scanner — never delegate.
1920
+ *
1921
+ * Delegation avoids redundant work (aube already has a
1922
+ * full-fidelity audit pass that respects its own exclusions
1923
+ * via `aube-workspace.yaml::auditConfig`) and lets users get
1924
+ * a single, consistent result regardless of which entry point
1925
+ * they invoke.
1926
+ * @default "auto"
1927
+ */
1928
+ backend?: "aube" | "auto" | "vis";
1929
+ /**
1930
+ * When true, `vis audit` skips network calls and queries the
1931
+ * offline cache. Equivalent to the CLI `--offline` flag.
1932
+ * @default false
1933
+ */
1934
+ offlineByDefault?: boolean;
1935
+ };
1936
+ /**
1937
+ * When true, prevents transitive dependencies from using exotic sources
1938
+ * (git repositories, direct tarball URLs). Only direct dependencies may
1939
+ * use such sources. Equivalent to pnpm's `blockExoticSubdeps`.
1940
+ * @default false
1941
+ */
1942
+ blockExoticSubdeps?: boolean;
1943
+ /**
1944
+ * deps.dev (Google Open Source Insights) data-source configuration.
1945
+ * Public, unauthenticated; pulls Scorecard data + advisories from
1946
+ * `api.deps.dev`. Complements or replaces Socket.dev. Heavily cached.
1947
+ * @see https://docs.deps.dev/api/v3/
1948
+ */
1949
+ depsDev?: {
1950
+ /**
1951
+ * Cache TTL for advisory entries (immutable once published). 7 days.
1952
+ * @default 604800000
1953
+ */
1954
+ advisoryCacheTtlMs?: number;
1955
+ /**
1956
+ * Enable deps.dev scanning on install/update/check/audit commands.
1957
+ * @default false
1958
+ */
1959
+ enabled?: boolean;
1960
+ /**
1961
+ * Cache TTL for OpenSSF Scorecard project data (refreshes weekly). 24 hours.
1962
+ * @default 86400000
1963
+ */
1964
+ projectCacheTtlMs?: number;
1965
+ /**
1966
+ * Request timeout in milliseconds.
1967
+ * @default 15000
1968
+ */
1969
+ timeoutMs?: number;
1970
+ /**
1971
+ * Cache TTL for npm version metadata (immutable). 7 days.
1972
+ * @default 604800000
1973
+ */
1974
+ versionCacheTtlMs?: number;
1975
+ };
1976
+ /**
1977
+ * Package names exempted from the `blockExoticSubdeps` check.
1978
+ * Bare names and a trailing `*` glob (`@scope/*`) are supported.
1979
+ * Use for an internal package legitimately published as a git or
1980
+ * tarball dependency.
1981
+ * @example ["@myorg/legacy", "internal-*"]
1982
+ */
1983
+ exoticSubdepsAllow?: string[];
1984
+ /**
1985
+ * Pre-install marshall pipeline — packument-derived supply-chain
1986
+ * gates (author, provenance, s1ngularity, new-bin, metadata,
1987
+ * downloads, expired-domains, signatures, archived-repo) that run before
1988
+ * `vis add` / `vis install &lt;pkg>` / `vis update &lt;pkg>` hand off to
1989
+ * the underlying package manager. Every entry is optional; omit a
1990
+ * key and the marshall runs with defaults. Set `enabled: false`
1991
+ * on a specific marshall to skip it without touching env vars.
1992
+ */
1993
+ marshalls?: {
1994
+ /** Archived-repo marshall (GitHub repository status). */
1995
+ archivedRepo?: {
1996
+ /** Package names to skip. */
1997
+ allowlist?: string[];
1998
+ /** Default: marshall is on. Set false to disable. */
1999
+ enabled?: boolean;
2000
+ /** GitHub PAT for the API call (5k/hr vs 60/hr). */
2001
+ githubToken?: string;
2002
+ };
2003
+ /** Author / publisher heuristics. */
2004
+ author?: {
2005
+ allowlist?: string[]; /** Days since the publisher's last release before flagging as error. */
2006
+ dormantErrorDays?: number;
2007
+ /** Days since the publisher's last release before flagging as warning. */
2008
+ dormantWarnDays?: number;
2009
+ enabled?: boolean; /** Window for the "new publisher on an established package" check. */
2010
+ newPublisherWindowDays?: number;
2011
+ /** Days since the resolved version was published — error threshold. */
2012
+ recentVersionErrorDays?: number;
2013
+ /** Days since the resolved version was published — warning threshold. */
2014
+ recentVersionWarnDays?: number;
2015
+ };
2016
+ /** npm `deprecated`-flag check on the resolved version. */
2017
+ deprecation?: {
2018
+ allowlist?: string[];
2019
+ enabled?: boolean;
2020
+ };
2021
+ /** Monthly download-count floor. */
2022
+ downloads?: {
2023
+ allowlist?: string[];
2024
+ enabled?: boolean; /** Below this monthly count → error (default: 20). */
2025
+ errorThreshold?: number;
2026
+ /** Below this monthly count → warning (default: 1000). */
2027
+ warnThreshold?: number;
2028
+ };
2029
+ /** Maintainer-email-domain NS lookup. */
2030
+ expiredDomains?: {
2031
+ /** Domains exempted from the check (legacy / internal). */
2032
+ allowDomains?: string[];
2033
+ allowlist?: string[]; /** DNS resolvers to query (default: system). */
2034
+ dnsServers?: string[];
2035
+ enabled?: boolean; /** Per-domain DNS timeout (default: 5000). */
2036
+ timeoutMs?: number;
2037
+ };
2038
+ /** README / license / repository presence checks. */
2039
+ metadata?: {
2040
+ allowlist?: string[]; /** Subset of checks to run. Default: all three. */
2041
+ checks?: ("license" | "readme" | "repo")[];
2042
+ enabled?: boolean;
2043
+ };
2044
+ /** New CLI-bin script introduced in this version. */
2045
+ newBin?: {
2046
+ allowlist?: string[];
2047
+ enabled?: boolean;
2048
+ };
2049
+ /** Whole-package age heuristics (newly created / unmaintained). */
2050
+ packageAge?: {
2051
+ allowlist?: string[];
2052
+ enabled?: boolean; /** Package created fewer than this many days ago → error. Default 22. */
2053
+ newPackageDays?: number;
2054
+ /** No publish within this many days → warning. Default 365. */
2055
+ unmaintainedDays?: number;
2056
+ };
2057
+ /** Provenance regression check. */
2058
+ provenance?: {
2059
+ allowlist?: string[];
2060
+ enabled?: boolean;
2061
+ };
2062
+ /**
2063
+ * Composite "compromised-publish shape" detector — flags a single
2064
+ * version that simultaneously introduced/changed an install hook
2065
+ * AND dropped the provenance attestation a prior stable version
2066
+ * carried (the August 2025 s1ngularity / Nx fingerprint).
2067
+ */
2068
+ s1ngularity?: {
2069
+ allowlist?: string[];
2070
+ enabled?: boolean;
2071
+ };
2072
+ /**
2073
+ * ECDSA P-256 verification against npm's signing keys. Disabled
2074
+ * by default because npm coverage still has gaps that produce
2075
+ * noisy warnings on legitimate packages.
2076
+ */
2077
+ signatures?: {
2078
+ allowlist?: string[]; /** Default: marshall is *off*. Set true to enable. */
2079
+ enabled?: boolean;
2080
+ /** Override the keys endpoint (default: npm registry). */
2081
+ keysUrl?: string;
2082
+ /** How to treat an expired-but-known key. Default: "warning". */
2083
+ treatExpiredAs?: "error" | "warning";
2084
+ };
2085
+ };
2086
+ /**
2087
+ * When true, `security.policies.installScripts.allow` keys are matched
2088
+ * as `name@version`. A version bump on an approved package drops it from
2089
+ * the allowlist until the new version is explicitly re-approved (port
2090
+ * of LavaMoat allow-scripts' version-aware policy matcher).
2091
+ *
2092
+ * After a version bump, run `vis approve-builds` or `vis security list`
2093
+ * — both surface a "Version drift" block with the suggested new key
2094
+ * (`old-key → new-key`) so you can update `vis.config.ts` by hand.
2095
+ * @default false
2096
+ */
2097
+ pinVersions?: boolean;
2098
+ /**
2099
+ * Supply-chain policy gates. Each sub-block enables one policy and
2100
+ * configures its behavior. When a sub-block is omitted the policy is
2101
+ * inactive. `acceptedRisks` (above) silences specific packages without
2102
+ * disabling a policy globally.
2103
+ *
2104
+ * The 8 policies are inspired by Socket.dev's classification:
2105
+ * - `malware` — Socket-flagged malicious packages
2106
+ * - `firstSeen` — packages published less than N minutes ago
2107
+ * - `unexpectedDeps` — packages outside an allow-list / baseline
2108
+ * - `publisherChange` — maintainer set changed between installs
2109
+ * - `installScripts` — preinstall/install/postinstall scripts
2110
+ * - `score` — Socket overall score below threshold
2111
+ * - `vulnerability` — OSV vulnerability findings
2112
+ * - `license` — SPDX allow / deny lists
2113
+ */
2114
+ policies?: {
2115
+ /**
2116
+ * Minimum number of minutes that must pass after a version is
2117
+ * published before vis will allow installation. Migrated from
2118
+ * the legacy `security.minimumReleaseAge` field. Equivalent to
2119
+ * pnpm's `minimumReleaseAge`.
2120
+ * @default 0
2121
+ * @example { minutes: 1440, exclude: ["@myorg/*"] } // 24 hours
2122
+ */
2123
+ firstSeen?: {
2124
+ /**
2125
+ * Package names/patterns excluded from the firstSeen check.
2126
+ * Equivalent to pnpm's `minimumReleaseAgeExclude`.
2127
+ * @example ["webpack", "react", "@myorg/*"]
2128
+ */
2129
+ exclude?: string[];
2130
+ /** Minutes after publish before install is allowed. */
2131
+ minutes?: number;
2132
+ };
2133
+ /**
2134
+ * Build-script (pre/install/postinstall/prepare) controls.
2135
+ * Migrated from the legacy `security.allowBuilds` /
2136
+ * `security.strictDepBuilds` fields.
2137
+ * @example { allow: { esbuild: true }, strict: true }
2138
+ */
2139
+ installScripts?: {
2140
+ /**
2141
+ * Map of package names/patterns to allow (true) or deny
2142
+ * (false) build scripts. Packages not listed are denied
2143
+ * by default. Equivalent to pnpm's `allowBuilds`.
2144
+ */
2145
+ allow?: Record<string, boolean>;
2146
+ /**
2147
+ * When true, installation will fail (exit non-zero) if any
2148
+ * dependencies have unreviewed build scripts. Equivalent to
2149
+ * pnpm's `strictDepBuilds`.
2150
+ * @default false
2151
+ */
2152
+ strict?: boolean;
2153
+ };
2154
+ /**
2155
+ * SPDX license allow / deny lists. Deny wins on any sub-license
2156
+ * match in SPDX expressions (`(MIT OR GPL-3.0)` against
2157
+ * `deny: ["GPL-3.0"]` is blocked). Packages with no declared
2158
+ * license are flagged when `allow` is set.
2159
+ * @example
2160
+ * ```
2161
+ * license: {
2162
+ * allow: ["MIT", "Apache-2.0", "BSD-3-Clause"],
2163
+ * deny: ["GPL-3.0", "AGPL-3.0"],
2164
+ * }
2165
+ * ```
2166
+ */
2167
+ license?: {
2168
+ /**
2169
+ * SPDX identifiers that are explicitly permitted. When set,
2170
+ * any package whose declared license is not on this list is
2171
+ * blocked.
2172
+ */
2173
+ allow?: string[];
2174
+ /**
2175
+ * SPDX identifiers that are explicitly forbidden. Always
2176
+ * wins over `allow` when both reference the same identifier.
2177
+ */
2178
+ deny?: string[];
2179
+ };
2180
+ /**
2181
+ * Behavior when the Socket.dev feed flags a package as malicious
2182
+ * (`alerts[].type === "Malware"`).
2183
+ *
2184
+ * The default is cross-field: `{ mode: "block" }` whenever
2185
+ * `security.socket.enabled !== false` (the engine cannot evaluate
2186
+ * malware without Socket data), and `"off"` otherwise. Consumers
2187
+ * resolve this default at evaluation time.
2188
+ */
2189
+ malware?: {
2190
+ /**
2191
+ * - `"block"` — emit a block decision.
2192
+ * - `"warn"` — surface as a warning; do not gate exit code.
2193
+ * - `"off"` — disable the policy entirely.
2194
+ */
2195
+ mode?: "block" | "off" | "warn";
2196
+ };
2197
+ /**
2198
+ * Trust-level checking for package publishing. Migrated from the
2199
+ * legacy `security.trustPolicy*` fields. Equivalent to pnpm's
2200
+ * `trustPolicy`.
2201
+ * @example { mode: "no-downgrade", ignoreAfter: 43200 } // 30 days
2202
+ */
2203
+ publisherChange?: {
2204
+ /**
2205
+ * Package selectors excluded from the check.
2206
+ * Equivalent to pnpm's `trustPolicyExclude`.
2207
+ * @example ["chokidar@4.0.3"]
2208
+ */
2209
+ exclude?: string[];
2210
+ /**
2211
+ * Ignore packages published more than N minutes ago. Useful
2212
+ * for older packages that pre-date provenance support.
2213
+ * Equivalent to pnpm's `trustPolicyIgnoreAfter`.
2214
+ */
2215
+ ignoreAfter?: number;
2216
+ /**
2217
+ * - `"off"` — no trust checking (default).
2218
+ * - `"no-downgrade"` — block when a package's trust level
2219
+ * has decreased compared to previous releases (e.g., was
2220
+ * published by trusted publisher, now only has provenance).
2221
+ */
2222
+ mode?: "no-downgrade" | "off";
2223
+ };
2224
+ /**
2225
+ * Socket.dev overall-score threshold. Packages scoring below
2226
+ * `minimum` trigger a block decision (or interactive prompt
2227
+ * during `vis add`). Migrated from the legacy
2228
+ * `security.socket.minimumScore` field.
2229
+ * @example { minimum: 0.4 }
2230
+ */
2231
+ score?: {
2232
+ /**
2233
+ * Minimum overall Socket.dev score (0–1). Set to 0 to
2234
+ * disable the gate while keeping Socket data fetched.
2235
+ *
2236
+ * Consulted by `vis add`, `audit`, `doctor`, `check`, and
2237
+ * `update`; resolved once in `buildSocketOptions`, then
2238
+ * threaded through every consumer. Falls back to
2239
+ * `DEFAULT_LOW_SCORE_THRESHOLD` (`0.4`) when unset.
2240
+ */
2241
+ minimum?: number;
2242
+ };
2243
+ /**
2244
+ * Net-new transitive dependency detection. Either provide a
2245
+ * static allow-list, a baseline lockfile path (recommended), or
2246
+ * both — the intersection is enforced.
2247
+ * @example { baselineLockfile: "./security/lockfile.baseline.yaml" }
2248
+ */
2249
+ unexpectedDeps?: {
2250
+ /**
2251
+ * Allow-list of dependency names that may appear in the
2252
+ * resolved package set. Glob patterns are supported.
2253
+ * @example ["lodash", "axios", "@myorg/*"]
2254
+ */
2255
+ allow?: string[];
2256
+ /**
2257
+ * Path (absolute or relative to the workspace root) to a
2258
+ * baseline lockfile snapshot. The policy diffs the current
2259
+ * lockfile against this baseline and flags any package that
2260
+ * didn't exist before.
2261
+ * @example "./security/lockfile.baseline.yaml"
2262
+ */
2263
+ baselineLockfile?: string;
2264
+ };
2265
+ /**
2266
+ * OSV vulnerability gating. Migrated from the legacy
2267
+ * `security.audit.failOn` + `security.audit.usage` fields.
2268
+ */
2269
+ vulnerability?: {
2270
+ /**
2271
+ * Severity threshold that makes `vis audit` exit non-zero.
2272
+ * Equivalent to the CLI `--fail-on` flag.
2273
+ * @example "high"
2274
+ */
2275
+ failOn?: "critical" | "high" | "low" | "medium";
2276
+ /**
2277
+ * Reachability filter — only report vulnerabilities in
2278
+ * packages the workspace statically imports.
2279
+ */
2280
+ usage?: {
2281
+ /**
2282
+ * Packages to always treat as reachable even if no
2283
+ * static import is found.
2284
+ * @example ["esbuild", "webpack-cli"]
2285
+ */
2286
+ alwaysAssumeUsed?: string[];
2287
+ /**
2288
+ * Enable the reachability filter by default. Equivalent
2289
+ * to `--usage` on the CLI; `--no-usage` disables.
2290
+ * @default false
2291
+ */
2292
+ enabled?: boolean;
2293
+ };
2294
+ };
2295
+ };
2296
+ /**
2297
+ * Which provider wins merge conflicts when multiple are enabled (e.g.
2298
+ * both Socket.dev and deps.dev return data for the same package). The
2299
+ * primary provider's `score` is kept; alerts from secondaries are
2300
+ * appended and deduped by `key`. Defaults to whichever provider is
2301
+ * enabled first in this order: socket → deps-dev → snyk.
2302
+ */
2303
+ primaryProvider?: "deps-dev" | "snyk" | "socket";
2304
+ /**
2305
+ * Snyk data-source configuration. Snyk only contributes vulnerability
2306
+ * data (no maintenance / quality / supply-chain / license signal);
2307
+ * those axes stay neutral. Requires both an org id and an API token —
2308
+ * if either is missing the provider is skipped.
2309
+ * @see https://docs.snyk.io/snyk-api/using-specific-snyk-apis/issues-list-issues-for-a-package
2310
+ */
2311
+ snyk?: {
2312
+ /**
2313
+ * Snyk API token. Set via VIS_SNYK_TOKEN environment variable or
2314
+ * here.
2315
+ */
2316
+ apiToken?: string;
2317
+ /**
2318
+ * Snyk REST API version date sent as the `version` query param.
2319
+ * @default "2024-10-15"
2320
+ */
2321
+ apiVersion?: string;
2322
+ /**
2323
+ * Cache TTL in milliseconds for Snyk issue lookups. 6 hours.
2324
+ * @default 21600000
2325
+ */
2326
+ cacheTtlMs?: number;
2327
+ /**
2328
+ * Enable Snyk security scanning on install/update/check/audit
2329
+ * commands.
2330
+ * @default false
2331
+ */
2332
+ enabled?: boolean;
2333
+ /**
2334
+ * Snyk organization id (the REST endpoint is org-scoped). Set via
2335
+ * VIS_SNYK_ORG environment variable or here.
2336
+ */
2337
+ orgId?: string;
2338
+ /**
2339
+ * Request timeout in milliseconds for the Snyk API. 15 seconds.
2340
+ * @default 15000
2341
+ */
2342
+ timeoutMs?: number;
2343
+ };
2344
+ /**
2345
+ * Socket.dev data-source configuration. Connection knobs only — score
2346
+ * thresholds and accepted-risk overrides moved to `policies.score` and
2347
+ * `security.acceptedRisks` respectively.
2348
+ * @see https://socket.dev
2349
+ */
2350
+ socket?: {
2351
+ /**
2352
+ * Custom Socket.dev API token. Falls back to the public API token.
2353
+ * Set via VIS_SOCKET_TOKEN environment variable or here.
2354
+ */
2355
+ apiToken?: string;
2356
+ /**
2357
+ * Cache TTL in milliseconds for Socket.dev reports. 1 hour.
2358
+ * @default 3600000
2359
+ */
2360
+ cacheTtlMs?: number;
2361
+ /**
2362
+ * Enable Socket.dev security scanning on install/update/check commands.
2363
+ * @default false
2364
+ */
2365
+ enabled?: boolean;
2366
+ /**
2367
+ * Request timeout in milliseconds for the Socket.dev API. 15 seconds.
2368
+ * @default 15000
2369
+ */
2370
+ timeoutMs?: number;
2371
+ };
2372
+ /**
2373
+ * Package names to skip during typosquat detection.
2374
+ * Use this for internal packages or known-safe names that happen to
2375
+ * look similar to popular packages.
2376
+ * @example ["my-internal-axois", "@myorg/recat"]
2377
+ */
2378
+ typosquatAllowlist?: string[];
2379
+ };
2380
+ /**
2381
+ * Share the cache between sibling git worktrees. When the workspace is a
2382
+ * linked worktree (created with `git worktree add`), the cache root is
2383
+ * relocated from `&lt;linkedRoot>/.vis/cache` to the *main*
2384
+ * worktree's `.vis/cache`. Multiple parallel agents working in
2385
+ * sibling worktrees then share a single cache instead of rebuilding the
2386
+ * same hash N times.
2387
+ *
2388
+ * Single-checkout repos (where `.git` is a directory) are unaffected.
2389
+ *
2390
+ * Set to `false` to opt out — useful when worktrees deliberately need
2391
+ * independent caches, e.g. for hermetic experiments.
2392
+ * @default true
2393
+ */
2394
+ sharedWorktreeCache?: boolean;
2395
+ /** sort-package-json command defaults */
2396
+ sortPackageJson?: {
2397
+ /** Discover `.editorconfig` for indent / line-ending defaults (default: true). */
2398
+ editorconfig?: boolean;
2399
+ /** Collapse `bugs: { url }` to the bare string form when `url` is the only field (default: true). */
2400
+ formatBugs?: boolean;
2401
+ /** Collapse `repository: { type, url }` to the GitHub `owner/repo` shorthand (default: true). */
2402
+ formatRepository?: boolean;
2403
+ /** Sort `exports` condition keys in canonical order (default: true). */
2404
+ sortExports?: boolean;
2405
+ /** Alphabetize script commands (default: false) */
2406
+ sortScripts?: boolean;
2407
+ };
2408
+ /**
2409
+ * Sponsorship notice shown after successful commands.
2410
+ *
2411
+ * vis prints a one-line "consider sponsoring visulima" notice at most
2412
+ * once every 14 days (skipped in CI, non-TTY, and when
2413
+ * `VIS_NO_SPONSOR=1` is set). Set `enabled: false` to silence it
2414
+ * permanently for this workspace.
2415
+ * @example
2416
+ * ```
2417
+ * sponsor: { enabled: false }
2418
+ * ```
2419
+ */
2420
+ sponsor?: {
2421
+ /**
2422
+ * Show the sponsor notice on successful command completion.
2423
+ * @default true
2424
+ */
2425
+ enabled?: boolean;
2426
+ };
2427
+ /**
2428
+ * Staged file patterns and commands (replaces lint-staged).
2429
+ *
2430
+ * Accepts all lint-staged config forms:
2431
+ * - `string` or `string[]` commands
2432
+ * - Sync/async functions returning `string | string[]`
2433
+ * - `{ title, task }` objects for named side-effect tasks
2434
+ * - `{ command, perPackage }` to run a command once per owning workspace package (cwd = that package dir), and `{ command, cwd }` to pin a command to a fixed directory
2435
+ * - Mixed arrays of strings and functions
2436
+ * - A top-level generate-task function
2437
+ */
2438
+ staged?: StagedConfig;
2439
+ /**
2440
+ * When `true`, every task command is scanned for `${VAR}` / `$VAR`
2441
+ * references before spawn. If a referenced var is unset in the
2442
+ * task's effective env (envFile + service env + per-task `env` +
2443
+ * `process.env`), the task fails with an actionable error
2444
+ * naming the missing variable, instead of letting the shell
2445
+ * silently substitute an empty string.
2446
+ *
2447
+ * Override per run with `--strict-env` / `--no-strict-env`.
2448
+ * Override per target with `options.strictEnv`.
2449
+ * @default false
2450
+ */
2451
+ strictEnv?: boolean;
2452
+ /**
2453
+ * Named bundles of target dependencies, referenceable from any task's
2454
+ * `dependsOn`. `dependsOn: [{ group: "lint" }]` expands to every entry
2455
+ * in the named group; nested groups are resolved recursively and a
2456
+ * cycle raises during discovery.
2457
+ */
2458
+ taskGroups?: Record<string, (string | {
2459
+ dependencies?: boolean;
2460
+ projects?: string | string[];
2461
+ target: string;
2462
+ } | {
2463
+ group: string;
2464
+ })[]>;
2465
+ /**
2466
+ * Task runner options forwarded verbatim to `defaultTaskRunner`.
2467
+ *
2468
+ * Includes `remoteCache` (HTTP or REAPI gRPC backend), `cacheDirectory`,
2469
+ * `parallel`, `globalEnv`, `globalInputs`, etc.
2470
+ * See `TaskRunnerOptions` for the full surface.
2471
+ */
2472
+ taskRunner?: Partial<TaskRunnerOptions>;
2473
+ /**
2474
+ * Workspace-wide task defaults keyed by target name. Applied universally
2475
+ * to every project that exposes a matching target. Use `scopedTasks` when
2476
+ * defaults should only apply to a subset of projects.
2477
+ */
2478
+ tasks?: Record<string, Partial<VisTargetConfiguration>>;
2479
+ /**
2480
+ * Toolchain (Node / pnpm / python / rust / ...) management. vis
2481
+ * delegates to whichever version manager (proto, mise, fnm, volta,
2482
+ * asdf, nvm, corepack) the developer already has — it does not ship
2483
+ * its own.
2484
+ *
2485
+ * Re-exported from `./toolchain` so the public config type stays
2486
+ * in lockstep with the resolver implementation. `self-activate` is
2487
+ * narrowed out of `preferredManager` here — it's auto-resolved for
2488
+ * pnpm/yarn `packageManager` pins and isn't meaningful as an
2489
+ * override.
2490
+ */
2491
+ toolchain?: Omit<ToolchainConfig, "preferredManager"> & {
2492
+ readonly preferredManager?: Exclude<VersionManagerName, "self-activate">;
2493
+ };
2494
+ /** Terminal UI configuration */
2495
+ tui?: {
2496
+ /**
2497
+ * Auto-exit the TUI after tasks complete.
2498
+ * - `false`: Stay open until the user presses `q` (default)
2499
+ * - `true`: Show quit dialog with 3-second countdown after completion
2500
+ * - `number`: Show quit dialog with custom countdown in seconds
2501
+ */
2502
+ autoExit?: boolean | number;
2503
+ };
2504
+ /** Update command defaults */
2505
+ update?: {
2506
+ /**
2507
+ * Dependency fields to scan for outdated packages.
2508
+ * Beyond the standard fields, supports:
2509
+ * - `"overrides"` (npm)
2510
+ * - `"resolutions"` (yarn)
2511
+ * - `"pnpm.overrides"`
2512
+ * @default ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"]
2513
+ */
2514
+ depFields?: string[];
2515
+ exclude?: string[];
2516
+ format?: "json" | "minimal" | "table";
2517
+ /**
2518
+ * Package names or glob patterns to permanently ignore during updates.
2519
+ * Ignored packages are skipped and listed in the output so you know
2520
+ * they were not checked.
2521
+ * @example ["eslint", "@types/*"]
2522
+ */
2523
+ ignore?: string[];
2524
+ include?: string[];
2525
+ /**
2526
+ * Include packages with pinned/exact versions (no `^` or `~` prefix).
2527
+ * By default, pinned versions are skipped during update checks.
2528
+ * @default false
2529
+ */
2530
+ includeLocked?: boolean;
2531
+ install?: boolean;
2532
+ /**
2533
+ * Maximum number of concurrent registry requests during outdated checks.
2534
+ * Higher values speed up large workspaces but risk hitting registry rate
2535
+ * limits or self-hosted Verdaccio caps.
2536
+ * @default 8
2537
+ */
2538
+ maxConcurrentRequests?: number;
2539
+ /**
2540
+ * Minimum number of minutes since a version was published before
2541
+ * vis will consider it for updates. This mirrors pnpm's
2542
+ * `minimumReleaseAge` — a single setting that applies to both
2543
+ * install and update.
2544
+ *
2545
+ * Not set by default. If your package manager config
2546
+ * (`pnpm-workspace.yaml`) has `minimumReleaseAge`, vis will
2547
+ * read it from there as a fallback.
2548
+ * @example 1440 // 24 hours
2549
+ */
2550
+ minimumReleaseAge?: number;
2551
+ /**
2552
+ * Package names/patterns excluded from the minimumReleaseAge check.
2553
+ * @example ["webpack", "@myorg/*"]
2554
+ */
2555
+ minimumReleaseAgeExclude?: string[];
2556
+ /**
2557
+ * Per-package or per-pattern update target overrides.
2558
+ * Keys are exact package names, glob patterns, or regex patterns
2559
+ * wrapped in `/` (e.g., `/^@vue/`).
2560
+ * Values are `"latest"`, `"minor"`, or `"patch"`.
2561
+ * @example { "typescript": "minor", "/^@vue/": "patch" }
2562
+ */
2563
+ packageMode?: Record<string, "latest" | "minor" | "patch">;
2564
+ prerelease?: boolean;
2565
+ /**
2566
+ * Which release channels to consider when picking the target version.
2567
+ * - `"stable"` (default) — only ship stable releases (no prereleases).
2568
+ * - `"same"` — match the prerelease channel of the *current* range:
2569
+ * if you're on `react@19.0.0-rc.1`, only `rc.*` candidates qualify;
2570
+ * if you're on a stable, only stable candidates. Prevents
2571
+ * accidentally promoting a prerelease pin to a stable major bump.
2572
+ * - `"any"` — equivalent to `--prerelease`. Any channel is fair game.
2573
+ *
2574
+ * `--release-channel` on the CLI overrides this. If `prerelease: true`
2575
+ * is set without `releaseChannel`, vis treats it as `"any"`.
2576
+ * @default "stable"
2577
+ */
2578
+ releaseChannel?: "any" | "same" | "stable";
2579
+ security?: boolean;
2580
+ target?: "latest" | "minor" | "patch";
2581
+ };
2582
+ /**
2583
+ * Minimum vis CLI version required by this workspace. When the
2584
+ * running vis binary is older than this constraint, vis exits with
2585
+ * an actionable error before executing any command.
2586
+ *
2587
+ * Accepts a semver range string (e.g. `">=1.0.0"`, `"^1.2.0"`).
2588
+ * @example ">=1.0.0"
2589
+ */
2590
+ versionConstraint?: string;
2591
+ }
2592
+ /**
2593
+ * @since 1.0.0
2594
+ */
2595
+ interface Context {
2596
+ /**
2597
+ * Get a value from the context.
2598
+ *
2599
+ * @param key key which identifies a context value
2600
+ */
2601
+ getValue(key: symbol): unknown;
2602
+ /**
2603
+ * Create a new context which inherits from this context and has
2604
+ * the given key set to the given value.
2605
+ *
2606
+ * @param key context key for which to set the value
2607
+ * @param value value to set for the given key
2608
+ */
2609
+ setValue(key: symbol, value: unknown): Context;
2610
+ /**
2611
+ * Return a new context which inherits from this context but does
2612
+ * not contain a value for the given key.
2613
+ *
2614
+ * @param key context key for which to clear a value
2615
+ */
2616
+ deleteValue(key: symbol): Context;
2617
+ }
2618
+ /**
2619
+ * Attributes is a map from string to attribute values.
2620
+ *
2621
+ * Note: only the own enumerable keys are counted as valid attribute keys.
2622
+ *
2623
+ * @since 1.3.0
2624
+ */
2625
+ interface Attributes {
2626
+ [attributeKey: string]: AttributeValue | undefined;
2627
+ }
2628
+ /**
2629
+ * Attribute values may be any non-nullish primitive value except an object.
2630
+ *
2631
+ * null or undefined attribute values are invalid and will result in undefined behavior.
2632
+ *
2633
+ * @since 1.3.0
2634
+ */
2635
+ type AttributeValue = string | number | boolean | Array<null | undefined | string> | Array<null | undefined | number> | Array<null | undefined | boolean>;
2636
+ interface ExceptionWithCode {
2637
+ code: string | number;
2638
+ name?: string;
2639
+ message?: string;
2640
+ stack?: string;
2641
+ }
2642
+ interface ExceptionWithMessage {
2643
+ code?: string | number;
2644
+ message: string;
2645
+ name?: string;
2646
+ stack?: string;
2647
+ }
2648
+ interface ExceptionWithName {
2649
+ code?: string | number;
2650
+ message?: string;
2651
+ name: string;
2652
+ stack?: string;
2653
+ }
2654
+ /**
2655
+ * Defines Exception.
2656
+ *
2657
+ * string or an object with one of (message or name or code) and optional stack
2658
+ *
2659
+ * @since 1.0.0
2660
+ */
2661
+ type Exception = ExceptionWithCode | ExceptionWithMessage | ExceptionWithName | string;
2662
+ /**
2663
+ * Defines High-Resolution Time.
2664
+ *
2665
+ * The first number, HrTime[0], is UNIX Epoch time in seconds since 00:00:00 UTC on 1 January 1970.
2666
+ * The second number, HrTime[1], represents the partial second elapsed since Unix Epoch time represented by first number in nanoseconds.
2667
+ * For example, 2021-01-01T12:30:10.150Z in UNIX Epoch time in milliseconds is represented as 1609504210150.
2668
+ * The first number is calculated by converting and truncating the Epoch time in milliseconds to seconds:
2669
+ * HrTime[0] = Math.trunc(1609504210150 / 1000) = 1609504210.
2670
+ * The second number is calculated by converting the digits after the decimal point of the subtraction, (1609504210150 / 1000) - HrTime[0], to nanoseconds:
2671
+ * HrTime[1] = Number((1609504210.150 - HrTime[0]).toFixed(9)) * 1e9 = 150000000.
2672
+ * This is represented in HrTime format as [1609504210, 150000000].
2673
+ *
2674
+ * @since 1.0.0
2675
+ */
2676
+ type HrTime = [number, number];
2677
+ /**
2678
+ * Defines TimeInput.
2679
+ *
2680
+ * hrtime, epoch milliseconds, performance.now() or Date
2681
+ *
2682
+ * @since 1.0.0
2683
+ */
2684
+ type TimeInput = HrTime | number | Date;
2685
+ /**
2686
+ * @deprecated please use {@link Attributes}
2687
+ * @since 1.0.0
2688
+ */
2689
+ type SpanAttributes = Attributes;
2690
+ /**
2691
+ * @deprecated please use {@link AttributeValue}
2692
+ * @since 1.0.0
2693
+ */
2694
+ type SpanAttributeValue = AttributeValue;
2695
+ /**
2696
+ * @since 1.0.0
2697
+ */
2698
+ interface TraceState {
2699
+ /**
2700
+ * Create a new TraceState which inherits from this TraceState and has the
2701
+ * given key set.
2702
+ * The new entry will always be added in the front of the list of states.
2703
+ *
2704
+ * @param key key of the TraceState entry.
2705
+ * @param value value of the TraceState entry.
2706
+ */
2707
+ set(key: string, value: string): TraceState;
2708
+ /**
2709
+ * Return a new TraceState which inherits from this TraceState but does not
2710
+ * contain the given key.
2711
+ *
2712
+ * @param key the key for the TraceState entry to be removed.
2713
+ */
2714
+ unset(key: string): TraceState;
2715
+ /**
2716
+ * Returns the value to which the specified key is mapped, or `undefined` if
2717
+ * this map contains no mapping for the key.
2718
+ *
2719
+ * @param key with which the specified value is to be associated.
2720
+ * @returns the value to which the specified key is mapped, or `undefined` if
2721
+ * this map contains no mapping for the key.
2722
+ */
2723
+ get(key: string): string | undefined;
2724
+ /**
2725
+ * Serializes the TraceState to a `list` as defined below. The `list` is a
2726
+ * series of `list-members` separated by commas `,`, and a list-member is a
2727
+ * key/value pair separated by an equals sign `=`. Spaces and horizontal tabs
2728
+ * surrounding `list-members` are ignored. There can be a maximum of 32
2729
+ * `list-members` in a `list`.
2730
+ *
2731
+ * @returns the serialized string.
2732
+ */
2733
+ serialize(): string;
2734
+ }
2735
+ /**
2736
+ * A SpanContext represents the portion of a {@link Span} which must be
2737
+ * serialized and propagated along side of a {@link Baggage}.
2738
+ *
2739
+ * @since 1.0.0
2740
+ */
2741
+ interface SpanContext {
2742
+ /**
2743
+ * The ID of the trace that this span belongs to. It is worldwide unique
2744
+ * with practically sufficient probability by being made as 16 randomly
2745
+ * generated bytes, encoded as a 32 lowercase hex characters corresponding to
2746
+ * 128 bits.
2747
+ */
2748
+ traceId: string;
2749
+ /**
2750
+ * The ID of the Span. It is globally unique with practically sufficient
2751
+ * probability by being made as 8 randomly generated bytes, encoded as a 16
2752
+ * lowercase hex characters corresponding to 64 bits.
2753
+ */
2754
+ spanId: string;
2755
+ /**
2756
+ * Only true if the SpanContext was propagated from a remote parent.
2757
+ */
2758
+ isRemote?: boolean;
2759
+ /**
2760
+ * Trace flags to propagate.
2761
+ *
2762
+ * It is represented as 1 byte (bitmap). Bit to represent whether trace is
2763
+ * sampled or not. When set, the least significant bit documents that the
2764
+ * caller may have recorded trace data. A caller who does not record trace
2765
+ * data out-of-band leaves this flag unset.
2766
+ *
2767
+ * see {@link TraceFlags} for valid flag values.
2768
+ */
2769
+ traceFlags: number;
2770
+ /**
2771
+ * Tracing-system-specific info to propagate.
2772
+ *
2773
+ * The tracestate field value is a `list` as defined below. The `list` is a
2774
+ * series of `list-members` separated by commas `,`, and a list-member is a
2775
+ * key/value pair separated by an equals sign `=`. Spaces and horizontal tabs
2776
+ * surrounding `list-members` are ignored. There can be a maximum of 32
2777
+ * `list-members` in a `list`.
2778
+ * More Info: https://www.w3.org/TR/trace-context/#tracestate-field
2779
+ *
2780
+ * Examples:
2781
+ * Single tracing system (generic format):
2782
+ * tracestate: rojo=00f067aa0ba902b7
2783
+ * Multiple tracing systems (with different formatting):
2784
+ * tracestate: rojo=00f067aa0ba902b7,congo=t61rcWkgMzE
2785
+ */
2786
+ traceState?: TraceState;
2787
+ }
2788
+ /**
2789
+ * @since 1.0.0
2790
+ */
2791
+ interface SpanStatus {
2792
+ /** The status code of this message. */
2793
+ code: SpanStatusCode;
2794
+ /** A developer-facing error message. */
2795
+ message?: string;
2796
+ }
2797
+ /**
2798
+ * An enumeration of status codes.
2799
+ *
2800
+ * @since 1.0.0
2801
+ */
2802
+ declare enum SpanStatusCode {
2803
+ /**
2804
+ * The default status.
2805
+ */
2806
+ UNSET = 0,
2807
+ /**
2808
+ * The operation has been validated by an Application developer or
2809
+ * Operator to have completed successfully.
2810
+ */
2811
+ OK = 1,
2812
+ /**
2813
+ * The operation contains an error.
2814
+ */
2815
+ ERROR = 2,
2816
+ }
2817
+ /**
2818
+ * A pointer from the current {@link Span} to another span in the same trace or
2819
+ * in a different trace.
2820
+ * Few examples of Link usage.
2821
+ * 1. Batch Processing: A batch of elements may contain elements associated
2822
+ * with one or more traces/spans. Since there can only be one parent
2823
+ * SpanContext, Link is used to keep reference to SpanContext of all
2824
+ * elements in the batch.
2825
+ * 2. Public Endpoint: A SpanContext in incoming client request on a public
2826
+ * endpoint is untrusted from service provider perspective. In such case it
2827
+ * is advisable to start a new trace with appropriate sampling decision.
2828
+ * However, it is desirable to associate incoming SpanContext to new trace
2829
+ * initiated on service provider side so two traces (from Client and from
2830
+ * Service Provider) can be correlated.
2831
+ *
2832
+ * @since 1.0.0
2833
+ */
2834
+ interface Link {
2835
+ /** The {@link SpanContext} of a linked span. */
2836
+ context: SpanContext;
2837
+ /** A set of {@link SpanAttributes} on the link. */
2838
+ attributes?: SpanAttributes;
2839
+ /** Count of attributes of the link that were dropped due to collection limits */
2840
+ droppedAttributesCount?: number;
2841
+ }
2842
+ /**
2843
+ * An interface that represents a span. A span represents a single operation
2844
+ * within a trace. Examples of span might include remote procedure calls or a
2845
+ * in-process function calls to sub-components. A Trace has a single, top-level
2846
+ * "root" Span that in turn may have zero or more child Spans, which in turn
2847
+ * may have children.
2848
+ *
2849
+ * Spans are created by the {@link Tracer.startSpan} method.
2850
+ *
2851
+ * @since 1.0.0
2852
+ */
2853
+ interface Span {
2854
+ /**
2855
+ * Returns the {@link SpanContext} object associated with this Span.
2856
+ *
2857
+ * Get an immutable, serializable identifier for this span that can be used
2858
+ * to create new child spans. Returned SpanContext is usable even after the
2859
+ * span ends.
2860
+ *
2861
+ * @returns the SpanContext object associated with this Span.
2862
+ */
2863
+ spanContext(): SpanContext;
2864
+ /**
2865
+ * Sets an attribute to the span.
2866
+ *
2867
+ * Sets a single Attribute with the key and value passed as arguments.
2868
+ *
2869
+ * @param key the key for this attribute.
2870
+ * @param value the value for this attribute. Setting a value null or
2871
+ * undefined is invalid and will result in undefined behavior.
2872
+ */
2873
+ setAttribute(key: string, value: SpanAttributeValue): this;
2874
+ /**
2875
+ * Sets attributes to the span.
2876
+ *
2877
+ * @param attributes the attributes that will be added.
2878
+ * null or undefined attribute values
2879
+ * are invalid and will result in undefined behavior.
2880
+ */
2881
+ setAttributes(attributes: SpanAttributes): this;
2882
+ /**
2883
+ * Adds an event to the Span.
2884
+ *
2885
+ * @param name the name of the event.
2886
+ * @param [attributesOrStartTime] the attributes that will be added; these are
2887
+ * associated with this event. Can be also a start time
2888
+ * if type is {@type TimeInput} and 3rd param is undefined
2889
+ * @param [startTime] start time of the event.
2890
+ */
2891
+ addEvent(name: string, attributesOrStartTime?: SpanAttributes | TimeInput, startTime?: TimeInput): this;
2892
+ /**
2893
+ * Adds a single link to the span.
2894
+ *
2895
+ * Links added after the creation will not affect the sampling decision.
2896
+ * It is preferred span links be added at span creation.
2897
+ *
2898
+ * @param link the link to add.
2899
+ */
2900
+ addLink(link: Link): this;
2901
+ /**
2902
+ * Adds multiple links to the span.
2903
+ *
2904
+ * Links added after the creation will not affect the sampling decision.
2905
+ * It is preferred span links be added at span creation.
2906
+ *
2907
+ * @param links the links to add.
2908
+ */
2909
+ addLinks(links: Link[]): this;
2910
+ /**
2911
+ * Sets the status of the span.
2912
+ *
2913
+ * By default, a span has status {@link SpanStatusCode.UNSET}.
2914
+ * Calling this method overrides that default.
2915
+ *
2916
+ * The status codes have a total order: `OK > ERROR > UNSET`.
2917
+ *
2918
+ * - Once {@link SpanStatusCode.OK} is set, any further attempts to change
2919
+ * the status are ignored.
2920
+ * - Any attempt to set {@link SpanStatusCode.UNSET} is always ignored.
2921
+ *
2922
+ * The `message` field is only used when {@link SpanStatusCode.ERROR} is set.
2923
+ * For all other status codes, `message` is ignored.
2924
+ *
2925
+ * @param status The {@link SpanStatus} to set.
2926
+ */
2927
+ setStatus(status: SpanStatus): this;
2928
+ /**
2929
+ * Updates the Span name.
2930
+ *
2931
+ * This will override the name provided via {@link Tracer.startSpan}.
2932
+ *
2933
+ * Upon this update, any sampling behavior based on Span name will depend on
2934
+ * the implementation.
2935
+ *
2936
+ * @param name the Span name.
2937
+ */
2938
+ updateName(name: string): this;
2939
+ /**
2940
+ * Marks the end of Span execution.
2941
+ *
2942
+ * Call to End of a Span MUST not have any effects on child spans. Those may
2943
+ * still be running and can be ended later.
2944
+ *
2945
+ * Do not return `this`. The Span generally should not be used after it
2946
+ * is ended so chaining is not desired in this context.
2947
+ *
2948
+ * @param [endTime] the time to set as Span's end time. If not provided,
2949
+ * use the current time as the span's end time.
2950
+ */
2951
+ end(endTime?: TimeInput): void;
2952
+ /**
2953
+ * Returns the flag whether this span will be recorded.
2954
+ *
2955
+ * @returns true if this Span is active and recording information like events
2956
+ * with the `AddEvent` operation and attributes using `setAttributes`.
2957
+ */
2958
+ isRecording(): boolean;
2959
+ /**
2960
+ * Sets exception as a span event
2961
+ * @param exception the exception the only accepted values are string or Error
2962
+ * @param [time] the time to set as Span's event time. If not provided,
2963
+ * use the current time.
2964
+ */
2965
+ recordException(exception: Exception, time?: TimeInput): void;
2966
+ }
2967
+ /**
2968
+ * @since 1.0.0
2969
+ */
2970
+ declare enum SpanKind {
2971
+ /** Default value. Indicates that the span is used internally. */
2972
+ INTERNAL = 0,
2973
+ /**
2974
+ * Indicates that the span covers server-side handling of an RPC or other
2975
+ * remote request.
2976
+ */
2977
+ SERVER = 1,
2978
+ /**
2979
+ * Indicates that the span covers the client-side wrapper around an RPC or
2980
+ * other remote request.
2981
+ */
2982
+ CLIENT = 2,
2983
+ /**
2984
+ * Indicates that the span describes producer sending a message to a
2985
+ * broker. Unlike client and server, there is no direct critical path latency
2986
+ * relationship between producer and consumer spans.
2987
+ */
2988
+ PRODUCER = 3,
2989
+ /**
2990
+ * Indicates that the span describes consumer receiving a message from a
2991
+ * broker. Unlike client and server, there is no direct critical path latency
2992
+ * relationship between producer and consumer spans.
2993
+ */
2994
+ CONSUMER = 4,
2995
+ }
2996
+ /**
2997
+ * Options needed for span creation
2998
+ *
2999
+ * @since 1.0.0
3000
+ */
3001
+ interface SpanOptions {
3002
+ /**
3003
+ * The SpanKind of a span
3004
+ * @default {@link SpanKind.INTERNAL}
3005
+ */
3006
+ kind?: SpanKind;
3007
+ /** A span's attributes */
3008
+ attributes?: Attributes;
3009
+ /** {@link Link}s span to other spans */
3010
+ links?: Link[];
3011
+ /** A manually specified start time for the created `Span` object. */
3012
+ startTime?: TimeInput;
3013
+ /** The new span should be a root span. (Ignore parent from context). */
3014
+ root?: boolean;
3015
+ }
3016
+ /**
3017
+ * Tracer provides an interface for creating {@link Span}s.
3018
+ *
3019
+ * @since 1.0.0
3020
+ */
3021
+ interface Tracer {
3022
+ /**
3023
+ * Starts a new {@link Span}. Start the span without setting it on context.
3024
+ *
3025
+ * This method do NOT modify the current Context.
3026
+ *
3027
+ * @param name The name of the span
3028
+ * @param [options] SpanOptions used for span creation
3029
+ * @param [context] Context to use to extract parent
3030
+ * @returns Span The newly created span
3031
+ * @example
3032
+ * const span = tracer.startSpan('op');
3033
+ * span.setAttribute('key', 'value');
3034
+ * span.end();
3035
+ */
3036
+ startSpan(name: string, options?: SpanOptions, context?: Context): Span;
3037
+ /**
3038
+ * Starts a new {@link Span} and calls the given function passing it the
3039
+ * created span as first argument.
3040
+ * Additionally the new span gets set in context and this context is activated
3041
+ * for the duration of the function call.
3042
+ *
3043
+ * @param name The name of the span
3044
+ * @param [options] SpanOptions used for span creation
3045
+ * @param [context] Context to use to extract parent
3046
+ * @param fn function called in the context of the span and receives the newly created span as an argument
3047
+ * @returns return value of fn
3048
+ * @example
3049
+ * const something = tracer.startActiveSpan('op', span => {
3050
+ * try {
3051
+ * do some work
3052
+ * span.setStatus({code: SpanStatusCode.OK});
3053
+ * return something;
3054
+ * } catch (err) {
3055
+ * span.setStatus({
3056
+ * code: SpanStatusCode.ERROR,
3057
+ * message: err.message,
3058
+ * });
3059
+ * throw err;
3060
+ * } finally {
3061
+ * span.end();
3062
+ * }
3063
+ * });
3064
+ *
3065
+ * @example
3066
+ * const span = tracer.startActiveSpan('op', span => {
3067
+ * try {
3068
+ * do some work
3069
+ * return span;
3070
+ * } catch (err) {
3071
+ * span.setStatus({
3072
+ * code: SpanStatusCode.ERROR,
3073
+ * message: err.message,
3074
+ * });
3075
+ * throw err;
3076
+ * }
3077
+ * });
3078
+ * do some more work
3079
+ * span.end();
3080
+ */
3081
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, fn: F): ReturnType<F>;
3082
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, options: SpanOptions, fn: F): ReturnType<F>;
3083
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, options: SpanOptions, context: Context, fn: F): ReturnType<F>;
3084
+ }
3085
+ interface OtelPluginOptions {
3086
+ /**
3087
+ * Rename incoming `project:target` IDs before they become OTel
3088
+ * span names. Defaults to passing the id through unchanged.
3089
+ */
3090
+ renameSpan?: (task: Task) => string;
3091
+ /** Tracer used to emit spans. Pass the one from `@opentelemetry/api`'s `trace.getTracer("vis")`. */
3092
+ tracer: Tracer;
3093
+ }
3094
+ /**
3095
+ * Reference plugin that maps vis hook lifecycle events to OTel spans.
3096
+ *
3097
+ * Emits:
3098
+ * - one **root span** named `vis.run` spanning `run:before` → `run:after`
3099
+ * - one **child span** per task spanning `task:before` → `task:after`
3100
+ * with attributes `vis.task.id`, `vis.task.project`, `vis.task.target`,
3101
+ * `vis.task.cache_status`, `vis.task.exit_code`
3102
+ * - `task:failure` sets span status to ERROR and records the exit code
3103
+ *
3104
+ * Streaming stdout/stderr events are intentionally **not** emitted as
3105
+ * span events — high-frequency chunks would blow up OTel backends. Use
3106
+ * a log exporter if you need stream-level visibility.
3107
+ * @example
3108
+ * ```ts
3109
+ * import { trace } from "@opentelemetry/api";
3110
+ * import { defineConfig } from "@visulima/vis/config";
3111
+ * import { otelPlugin } from "@visulima/vis/plugins/otel";
3112
+ *
3113
+ * const tracer = trace.getTracer("vis", "1.0.0");
3114
+ *
3115
+ * export default defineConfig({
3116
+ * plugins: [otelPlugin({ tracer })],
3117
+ * });
3118
+ * ```
3119
+ */
3120
+ declare const otelPlugin: (options: OtelPluginOptions) => VisPlugin;
3121
+ /**
3122
+ * Type-safe helper for defining a vis plugin. Pure identity — exists
3123
+ * only so plugin authors get inference from the `VisPlugin` contract
3124
+ * without needing a `satisfies` annotation.
3125
+ *
3126
+ * Lives in its own module so plugins can import it without going
3127
+ * through `config.ts`, which re-exports plugins like `otelPlugin` and
3128
+ * would otherwise form an import cycle.
3129
+ */
3130
+ declare const definePlugin: (plugin: VisPlugin) => VisPlugin;
3131
+ /** Supported config file names, checked in priority order. */
3132
+ declare const CONFIG_FILES: string[];
3133
+ /** Per-package overlay file names, checked in priority order. */
3134
+ declare const TASK_CONFIG_FILES: string[];
3135
+ /**
3136
+ * Default `security.policies.firstSeen.minutes` applied by `vis init`.
3137
+ * 2 days — long enough to filter out most rage-published malware while
3138
+ * staying short enough that genuine fixes still land in a working week.
3139
+ *
3140
+ * Note: this is NOT merged into `SECURITY_DEFAULTS` — leaving it undefined
3141
+ * preserves the "no opinion" semantics that downstream drift checks rely
3142
+ * on. `vis init` writes the value explicitly into the generated config.
3143
+ */
3144
+
3145
+ /**
3146
+ * Secure-by-default security settings based on npm supply chain best practices.
3147
+ *
3148
+ * Applied automatically when using `defineConfig()` or `loadVisConfig()`.
3149
+ * Users can override any value — their settings always take precedence.
3150
+ * @see https://github.com/lirantal/awesome-npm-security-best-practices
3151
+ */
3152
+ declare const SECURITY_DEFAULTS: NonNullable<VisConfig["security"]>;
3153
+ /**
3154
+ * Apply secure defaults to a raw config object.
3155
+ * Merges `SECURITY_DEFAULTS` into `config.security`, preserving all user overrides.
3156
+ */
3157
+ declare const applyDefaults: (config: VisConfig) => VisConfig;
3158
+ /**
3159
+ * Find the vis config file in a directory.
3160
+ *
3161
+ * Reads the directory listing once and intersects it with the known
3162
+ * config filenames rather than `stat`-ing each candidate — one syscall
3163
+ * instead of up to six. Priority order is preserved via
3164
+ * `CONFIG_FILES` so `.ts` still wins over `.mjs` when both exist.
3165
+ * @param directory The directory to search in.
3166
+ * @returns The absolute path to the config file, or `undefined` if not found.
3167
+ */
3168
+ declare const findVisConfigFile: (directory: string) => string | undefined;
3169
+ /**
3170
+ * Find the per-package `vis.task.ts` overlay in a project directory.
3171
+ * Same single-readdir lookup pattern as {@link findVisConfigFile}.
3172
+ */
3173
+ declare const findVisTaskConfigFile: (projectDirectory: string) => string | undefined;
3174
+ /**
3175
+ * Load the vis configuration from a `vis.config.ts` (or `.js`, `.mjs`, `.cjs`, `.mts`, `.cts`) file.
3176
+ *
3177
+ * Resolves the entire `extends` chain, post-order, and folds it into a
3178
+ * single merged config (extends first, root last — child wins). The
3179
+ * cache key covers every file in the chain, so editing any extended
3180
+ * file invalidates the cache.
3181
+ *
3182
+ * Falls back to secure defaults if no config file is found.
3183
+ * @param workspaceRoot The workspace root directory to search for the config file.
3184
+ * @param options Optional loader options.
3185
+ * @param options.explicitConfigPath Overrides discovery — used by the
3186
+ * global `--config` flag so users can point at any file regardless of
3187
+ * cwd. The path must exist; otherwise an error is thrown so the
3188
+ * config-loader plugin can surface it to the user.
3189
+ * @returns The loaded and resolved configuration with secure defaults applied.
3190
+ */
3191
+ declare const loadVisConfig: (workspaceRoot: string, options?: {
3192
+ explicitConfigPath?: string;
3193
+ }) => Promise<VisConfig>;
3194
+ /**
3195
+ * Load the per-package `vis.task.ts` overlay for a project, if any.
3196
+ *
3197
+ * Returns `undefined` when no overlay file exists. Otherwise compiles
3198
+ * the file via jiti and caches the result under
3199
+ * `node_modules/.cache/vis/task-configs/&lt;project>.json`, keyed by the
3200
+ * file's content hash. Editing one project's overlay does not invalidate
3201
+ * the root config cache.
3202
+ *
3203
+ * Errors thrown by the file are wrapped in `VisConfigLoadError` so the
3204
+ * source path is reported instead of an opaque workspace.ts failure.
3205
+ * @param workspaceRoot Absolute workspace root path (cache scope).
3206
+ * @param projectDirectory Absolute path of the project to probe.
3207
+ * @param projectName Project identifier — used to scope the cache file.
3208
+ */
3209
+ declare const loadVisTaskConfig: (workspaceRoot: string, projectDirectory: string, projectName: string) => Promise<VisTaskConfig | undefined>;
3210
+ /**
3211
+ * Type-safe helper for defining a per-package `vis.task.ts` overlay.
3212
+ * Pure identity — exists only so users get type inference and
3213
+ * autocomplete from the `VisTaskConfig` shape.
3214
+ * @example
3215
+ * ```typescript
3216
+ * // packages/api/crud/vis.task.ts
3217
+ * import { defineTaskConfig } from "@visulima/vis/config";
3218
+ *
3219
+ * export default defineTaskConfig({
3220
+ * targets: {
3221
+ * build: {
3222
+ * inputs: ["@inherit", "src/proto/**\/*.proto"],
3223
+ * outputs: ["dist/**\/*"],
3224
+ * },
3225
+ * },
3226
+ * });
3227
+ * ```
3228
+ */
3229
+ declare const defineTaskConfig: (config: VisTaskConfig) => VisTaskConfig;
3230
+ /**
3231
+ * Type-safe helper for defining vis configuration.
3232
+ *
3233
+ * Pure typed-identity — returns its argument unchanged. The point is purely
3234
+ * editor autocomplete and structural type-checking on the literal you pass
3235
+ * in. Secure defaults are applied by `loadVisConfig` at load time, not here,
3236
+ * so wrapping vs. using `satisfies VisConfig` produces the exact same
3237
+ * runtime behavior. To see the active defaults, run `vis check --security-config`.
3238
+ * @example
3239
+ * ```typescript
3240
+ * // vis.config.ts — minimal config, fully secured by defaults
3241
+ * import { defineConfig } from "@visulima/vis/config";
3242
+ *
3243
+ * export default defineConfig({
3244
+ * security: {
3245
+ * policies: {
3246
+ * installScripts: {
3247
+ * allow: {
3248
+ * esbuild: true,
3249
+ * "@prisma/client": true,
3250
+ * },
3251
+ * },
3252
+ * },
3253
+ * },
3254
+ * });
3255
+ * ```
3256
+ */
3257
+ declare const defineConfig: (config: VisConfig) => VisConfig;
3258
+ export { CONFIG_FILES, type OtelPluginOptions, SECURITY_DEFAULTS, TASK_CONFIG_FILES, type VisConfig, type VisHooks, type VisPlugin, type VisTaskConfig, applyDefaults, defineConfig, definePlugin, defineTaskConfig, findVisConfigFile, findVisTaskConfigFile, loadVisConfig, loadVisTaskConfig, otelPlugin };