@visulima/vis 1.0.0-alpha.4 → 1.0.0-alpha.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (347) hide show
  1. package/CHANGELOG.md +1243 -78
  2. package/LICENSE.md +13068 -6
  3. package/README.md +388 -26
  4. package/dashboard/dist/index.html +152 -0
  5. package/dist/bin.js +1 -853
  6. package/dist/binx.js +3 -0
  7. package/dist/config/index.d.ts +3276 -0
  8. package/dist/config/index.js +1 -0
  9. package/dist/generate/index.d.ts +157 -0
  10. package/dist/generate/index.js +1 -0
  11. package/dist/packem_chunks/DEFAULT_CLEAN_KEEP.js +1 -0
  12. package/dist/packem_chunks/bin.js +1198 -0
  13. package/dist/packem_chunks/bloom-status.js +2 -0
  14. package/dist/packem_chunks/bloom-sync.js +2 -0
  15. package/dist/packem_chunks/cache-attestation.js +1 -0
  16. package/dist/packem_chunks/catalog-detector.js +1 -0
  17. package/dist/packem_chunks/config.js +21 -0
  18. package/dist/packem_chunks/detect.js +3 -0
  19. package/dist/packem_chunks/detect2.js +8 -0
  20. package/dist/packem_chunks/devtools.js +81 -0
  21. package/dist/packem_chunks/discord.js +4 -0
  22. package/dist/packem_chunks/doctor-probe.js +2 -0
  23. package/dist/packem_chunks/dynamic-import.js +1 -0
  24. package/dist/packem_chunks/extra-files.js +3 -0
  25. package/dist/packem_chunks/fix.js +11 -0
  26. package/dist/packem_chunks/git.js +3 -0
  27. package/dist/packem_chunks/handler.js +1 -0
  28. package/dist/packem_chunks/handler10.js +1 -0
  29. package/dist/packem_chunks/handler11.js +5 -0
  30. package/dist/packem_chunks/handler12.js +1 -0
  31. package/dist/packem_chunks/handler13.js +27 -0
  32. package/dist/packem_chunks/handler14.js +5 -0
  33. package/dist/packem_chunks/handler15.js +1 -0
  34. package/dist/packem_chunks/handler16.js +1 -0
  35. package/dist/packem_chunks/handler17.js +1 -0
  36. package/dist/packem_chunks/handler18.js +1 -0
  37. package/dist/packem_chunks/handler19.js +1 -0
  38. package/dist/packem_chunks/handler2.js +4 -0
  39. package/dist/packem_chunks/handler20.js +5 -0
  40. package/dist/packem_chunks/handler21.js +2 -0
  41. package/dist/packem_chunks/handler22.js +2 -0
  42. package/dist/packem_chunks/handler23.js +1 -0
  43. package/dist/packem_chunks/handler24.js +1 -0
  44. package/dist/packem_chunks/handler25.js +1 -0
  45. package/dist/packem_chunks/handler26.js +5 -0
  46. package/dist/packem_chunks/handler27.js +1 -0
  47. package/dist/packem_chunks/handler28.js +3 -0
  48. package/dist/packem_chunks/handler29.js +1 -0
  49. package/dist/packem_chunks/handler3.js +4 -0
  50. package/dist/packem_chunks/handler30.js +1 -0
  51. package/dist/packem_chunks/handler31.js +2 -0
  52. package/dist/packem_chunks/handler32.js +2 -0
  53. package/dist/packem_chunks/handler33.js +2 -0
  54. package/dist/packem_chunks/handler34.js +3 -0
  55. package/dist/packem_chunks/handler35.js +6 -0
  56. package/dist/packem_chunks/handler36.js +1 -0
  57. package/dist/packem_chunks/handler37.js +42 -0
  58. package/dist/packem_chunks/handler38.js +8 -0
  59. package/dist/packem_chunks/handler39.js +9 -0
  60. package/dist/packem_chunks/handler4.js +6 -0
  61. package/dist/packem_chunks/handler40.js +75 -0
  62. package/dist/packem_chunks/handler41.js +5 -0
  63. package/dist/packem_chunks/handler42.js +4 -0
  64. package/dist/packem_chunks/handler43.js +3 -0
  65. package/dist/packem_chunks/handler44.js +2 -0
  66. package/dist/packem_chunks/handler45.js +1 -0
  67. package/dist/packem_chunks/handler46.js +1 -0
  68. package/dist/packem_chunks/handler47.js +1 -0
  69. package/dist/packem_chunks/handler48.js +3 -0
  70. package/dist/packem_chunks/handler49.js +1 -0
  71. package/dist/packem_chunks/handler5.js +8 -0
  72. package/dist/packem_chunks/handler50.js +7 -0
  73. package/dist/packem_chunks/handler51.js +33 -0
  74. package/dist/packem_chunks/handler52.js +3 -0
  75. package/dist/packem_chunks/handler53.js +8 -0
  76. package/dist/packem_chunks/handler54.js +4 -0
  77. package/dist/packem_chunks/handler55.js +1 -0
  78. package/dist/packem_chunks/handler56.js +12 -0
  79. package/dist/packem_chunks/handler57.js +7 -0
  80. package/dist/packem_chunks/handler58.js +5 -0
  81. package/dist/packem_chunks/handler59.js +11 -0
  82. package/dist/packem_chunks/handler6.js +1 -0
  83. package/dist/packem_chunks/handler60.js +3 -0
  84. package/dist/packem_chunks/handler61.js +22 -0
  85. package/dist/packem_chunks/handler62.js +61 -0
  86. package/dist/packem_chunks/handler63.js +3 -0
  87. package/dist/packem_chunks/handler64.js +6 -0
  88. package/dist/packem_chunks/handler65.js +708 -0
  89. package/dist/packem_chunks/handler66.js +24 -0
  90. package/dist/packem_chunks/handler67.js +25 -0
  91. package/dist/packem_chunks/handler68.js +153 -0
  92. package/dist/packem_chunks/handler69.js +10 -0
  93. package/dist/packem_chunks/handler7.js +1 -0
  94. package/dist/packem_chunks/handler70.js +24 -0
  95. package/dist/packem_chunks/handler71.js +322 -0
  96. package/dist/packem_chunks/handler72.js +48 -0
  97. package/dist/packem_chunks/handler73.js +27 -0
  98. package/dist/packem_chunks/handler74.js +3 -0
  99. package/dist/packem_chunks/handler75.js +190 -0
  100. package/dist/packem_chunks/handler76.js +38 -0
  101. package/dist/packem_chunks/handler8.js +1 -0
  102. package/dist/packem_chunks/handler9.js +1 -0
  103. package/dist/packem_chunks/heal-accept.js +10 -0
  104. package/dist/packem_chunks/heal.js +14 -0
  105. package/dist/packem_chunks/help-command.js +31 -0
  106. package/dist/packem_chunks/index.js +1 -0
  107. package/dist/packem_chunks/index2.js +7 -0
  108. package/dist/packem_chunks/interface.js +2 -0
  109. package/dist/packem_chunks/keys-refresh.js +4 -0
  110. package/dist/packem_chunks/list.js +3 -0
  111. package/dist/packem_chunks/loader.js +4 -0
  112. package/dist/packem_chunks/loader2.js +1 -0
  113. package/dist/packem_chunks/orchestrator.js +39 -0
  114. package/dist/packem_chunks/pre-mode.js +2 -0
  115. package/dist/packem_chunks/print-config.js +2 -0
  116. package/dist/packem_chunks/prompts.js +7 -0
  117. package/dist/packem_chunks/prune.js +3 -0
  118. package/dist/packem_chunks/publish-guards.js +1 -0
  119. package/dist/packem_chunks/registry.js +48 -0
  120. package/dist/packem_chunks/resolveFormatter.js +9 -0
  121. package/dist/packem_chunks/run.js +1 -0
  122. package/dist/packem_chunks/security.js +1 -0
  123. package/dist/packem_chunks/shell-runner.js +1 -0
  124. package/dist/packem_chunks/slack.js +2 -0
  125. package/dist/packem_chunks/snapshot.js +2 -0
  126. package/dist/packem_chunks/stage-publisher.js +1 -0
  127. package/dist/packem_chunks/staged-registry.js +2 -0
  128. package/dist/packem_chunks/state.js +3 -0
  129. package/dist/packem_chunks/status.js +2 -0
  130. package/dist/packem_chunks/success-walk.js +8 -0
  131. package/dist/packem_chunks/sync.js +2 -0
  132. package/dist/packem_chunks/sync2.js +2 -0
  133. package/dist/packem_chunks/tar.js +3 -0
  134. package/dist/packem_chunks/tripwire.js +2 -0
  135. package/dist/packem_chunks/verify-lockfile.js +2 -0
  136. package/dist/packem_chunks/version-resolver.js +2 -0
  137. package/dist/packem_chunks/webhook.js +1 -0
  138. package/dist/packem_chunks/workflow-templates.js +167 -0
  139. package/dist/packem_chunks/workspace.js +2 -0
  140. package/dist/packem_shared/AfterAllProjectsVersioned-CAKI2nWf.js +1 -0
  141. package/dist/packem_shared/CONFIG_FILES-BfaR0jKT.js +1 -0
  142. package/dist/packem_shared/MultiSpinner-B9U0-aE3-B-gIXhFk.js +3 -0
  143. package/dist/packem_shared/ReleaseClient-YHzBIxYS.js +1 -0
  144. package/dist/packem_shared/Table-CcVkyULl-B_ef6zfS.js +35 -0
  145. package/dist/packem_shared/VisReleaseError-DMGRBTNO.js +1 -0
  146. package/dist/packem_shared/_commonjsHelpers-B5Y90VFO.js +1 -0
  147. package/dist/packem_shared/advisories-DLeO5KMN.js +1 -0
  148. package/dist/packem_shared/affected-shas-cVnX8-zs.js +1 -0
  149. package/dist/packem_shared/ai-analysis-BUeX2J2H.js +68 -0
  150. package/dist/packem_shared/ai-fix-9Vzlp6XU.js +43 -0
  151. package/dist/packem_shared/anolilab-text-CAM_E6uK.js +13 -0
  152. package/dist/packem_shared/api.d-BPftyU9r.d.ts +27 -0
  153. package/dist/packem_shared/build-scripts-CCCi8U66.js +1 -0
  154. package/dist/packem_shared/command-runtime-CR70qSUM.js +1 -0
  155. package/dist/packem_shared/createAdapter-bU4DIP3F.js +1 -0
  156. package/dist/packem_shared/createVersionActions-BK43SNDH.js +1 -0
  157. package/dist/packem_shared/cyclonedx-Cadls41z.js +4 -0
  158. package/dist/packem_shared/defineFormatter-D5dCp6Kv.js +1 -0
  159. package/dist/packem_shared/definePlugin-DoUcoYSy.js +1 -0
  160. package/dist/packem_shared/dependency-scan-DnTgYleU.js +1 -0
  161. package/dist/packem_shared/docker-BMLrNtWm.js +59 -0
  162. package/dist/packem_shared/failure-log-CEWP3bP0.js +2 -0
  163. package/dist/packem_shared/giget-DHY1sQZC.js +2 -0
  164. package/dist/packem_shared/glob-fqg4KepW-B7EjLRvw.js +1 -0
  165. package/dist/packem_shared/index-3jMNqQom.js +1 -0
  166. package/dist/packem_shared/index-BDmTbWX1.js +19 -0
  167. package/dist/packem_shared/index-Bt521H5J.js +30 -0
  168. package/dist/packem_shared/index-DGSsjmpV.js +1 -0
  169. package/dist/packem_shared/interface.d-B7VK2rcH.d.ts +148 -0
  170. package/dist/packem_shared/interface.d-Cezzifoh.d.ts +106 -0
  171. package/dist/packem_shared/license-t5KnNX6v.js +1 -0
  172. package/dist/packem_shared/lifecycle-4z9hHE5b.js +2 -0
  173. package/dist/packem_shared/lockfile-C8Q1_4KK.js +1 -0
  174. package/dist/packem_shared/manifests-Dj3pRKBT.js +1 -0
  175. package/dist/packem_shared/min-release-age-D1alDE3K.js +34 -0
  176. package/dist/packem_shared/missing-package-json-8vNHwbqw.js +1 -0
  177. package/dist/packem_shared/native-config-sync-BEkJW7g3.js +21 -0
  178. package/dist/packem_shared/osv-bloom-B03tUWf3.js +2 -0
  179. package/dist/packem_shared/otelPlugin-DmKDBaPo.js +1 -0
  180. package/dist/packem_shared/peer-warnings-BXAzXqY3.js +1 -0
  181. package/dist/packem_shared/pm-runner-BKZQo7Ts.js +1 -0
  182. package/dist/packem_shared/provenance-BFEwKgI3.js +1 -0
  183. package/dist/packem_shared/public-api-WqUCiyIe.js +131 -0
  184. package/dist/packem_shared/registry-keys-BfFto6vI.js +1 -0
  185. package/dist/packem_shared/resolve-explicit-C6WM-I2u.js +5 -0
  186. package/dist/packem_shared/runtime-check-Stc9AI78.js +1 -0
  187. package/dist/packem_shared/s1ngularity-DCPmPE5M.js +1 -0
  188. package/dist/packem_shared/scan-progress-CFhc0CMj.js +2 -0
  189. package/dist/packem_shared/selectors-GCJIe342.js +3 -0
  190. package/dist/packem_shared/signatures-Xpd6HjG_.js +2 -0
  191. package/dist/packem_shared/slug-DoueYuLo.js +1 -0
  192. package/dist/packem_shared/spinner-CV3WVJLv.js +1 -0
  193. package/dist/packem_shared/sticky-comment-D6_7-w8T.js +1 -0
  194. package/dist/packem_shared/subtree-C7bZuiSQ.js +2 -0
  195. package/dist/packem_shared/symbols-DPTlrJ3B.js +1 -0
  196. package/dist/packem_shared/tabs-BuTy5gPV.js +1 -0
  197. package/dist/packem_shared/toolchain-pR7AJ-tB.js +5 -0
  198. package/dist/packem_shared/typosquats-DN78xx1x.js +1 -0
  199. package/dist/packem_shared/use-measured-height-_eVGWtWt.js +1 -0
  200. package/dist/packem_shared/utils-Cxree603.js +1 -0
  201. package/dist/packem_shared/verify-6WCmFmy8.js +1 -0
  202. package/dist/packem_shared/vis-update-app-k3fDxech.js +1 -0
  203. package/dist/packem_shared/watch-BvIwLG4N.js +1 -0
  204. package/dist/packem_shared/watch-loop-DWkvv2tK.js +11 -0
  205. package/dist/release/core/changelog/index.d.ts +5 -0
  206. package/dist/release/core/changelog/index.js +1 -0
  207. package/dist/release/core/package-managers/index.d.ts +6 -0
  208. package/dist/release/core/package-managers/index.js +1 -0
  209. package/dist/release/core/version-actions/index.d.ts +14 -0
  210. package/dist/release/core/version-actions/index.js +1 -0
  211. package/dist/release/index.d.ts +196 -0
  212. package/dist/release/index.js +1 -0
  213. package/dist/release/plugin-sdk.d.ts +127 -0
  214. package/dist/release/plugin-sdk.js +1 -0
  215. package/dist/release/presets.d.ts +225 -0
  216. package/dist/release/presets.js +1 -0
  217. package/dist/release/types.d.ts +1377 -0
  218. package/dist/release/types.js +1 -0
  219. package/index.d.ts +436 -0
  220. package/index.js +80 -57
  221. package/package.json +109 -45
  222. package/schemas/project.schema.json +991 -0
  223. package/schemas/vis-config.schema.json +6389 -0
  224. package/schemas/vis-release-config.schema.json +1390 -0
  225. package/skills/vis/SKILL.md +96 -0
  226. package/templates/buildkite-ci/.buildkite/pipeline.yml.tera +85 -0
  227. package/templates/buildkite-ci/template.yml +20 -0
  228. package/dist/ai-analysis.d.ts +0 -40
  229. package/dist/ai-cache.d.ts +0 -21
  230. package/dist/audit-config.d.ts +0 -24
  231. package/dist/bin.d.ts +0 -1
  232. package/dist/catalog.d.ts +0 -118
  233. package/dist/commands/add.d.ts +0 -3
  234. package/dist/commands/affected.d.ts +0 -3
  235. package/dist/commands/ai.d.ts +0 -3
  236. package/dist/commands/analyze.d.ts +0 -3
  237. package/dist/commands/approve-builds.d.ts +0 -3
  238. package/dist/commands/audit.d.ts +0 -23
  239. package/dist/commands/check.d.ts +0 -3
  240. package/dist/commands/clean.d.ts +0 -3
  241. package/dist/commands/create/discovery.d.ts +0 -42
  242. package/dist/commands/create/index.d.ts +0 -13
  243. package/dist/commands/create/prompts.d.ts +0 -31
  244. package/dist/commands/create/random-name.d.ts +0 -15
  245. package/dist/commands/create/templates/builtin.d.ts +0 -15
  246. package/dist/commands/create/templates/generator.d.ts +0 -14
  247. package/dist/commands/create/templates/index.d.ts +0 -13
  248. package/dist/commands/create/templates/monorepo.d.ts +0 -16
  249. package/dist/commands/create/templates/remote.d.ts +0 -41
  250. package/dist/commands/create/templates/types.d.ts +0 -46
  251. package/dist/commands/create/utils.d.ts +0 -42
  252. package/dist/commands/dedupe.d.ts +0 -3
  253. package/dist/commands/devcontainer.d.ts +0 -3
  254. package/dist/commands/dlx.d.ts +0 -3
  255. package/dist/commands/doctor.d.ts +0 -15
  256. package/dist/commands/exec.d.ts +0 -3
  257. package/dist/commands/graph.d.ts +0 -3
  258. package/dist/commands/hook/constants.d.ts +0 -8
  259. package/dist/commands/hook/index.d.ts +0 -3
  260. package/dist/commands/hook/install.d.ts +0 -7
  261. package/dist/commands/hook/migrate.d.ts +0 -27
  262. package/dist/commands/hook/uninstall.d.ts +0 -3
  263. package/dist/commands/implode.d.ts +0 -3
  264. package/dist/commands/init.d.ts +0 -14
  265. package/dist/commands/install.d.ts +0 -3
  266. package/dist/commands/link.d.ts +0 -3
  267. package/dist/commands/migrate/constants.d.ts +0 -12
  268. package/dist/commands/migrate/deps.d.ts +0 -32
  269. package/dist/commands/migrate/index.d.ts +0 -3
  270. package/dist/commands/migrate/json.d.ts +0 -20
  271. package/dist/commands/migrate/lint-staged.d.ts +0 -62
  272. package/dist/commands/migrate/types.d.ts +0 -20
  273. package/dist/commands/optimize.d.ts +0 -38
  274. package/dist/commands/pm.d.ts +0 -3
  275. package/dist/commands/remove.d.ts +0 -3
  276. package/dist/commands/run.d.ts +0 -3
  277. package/dist/commands/sort-package-json.d.ts +0 -3
  278. package/dist/commands/staged.d.ts +0 -3
  279. package/dist/commands/unlink.d.ts +0 -3
  280. package/dist/commands/update.d.ts +0 -3
  281. package/dist/commands/upgrade.d.ts +0 -3
  282. package/dist/commands/why.d.ts +0 -3
  283. package/dist/config.d.ts +0 -67
  284. package/dist/config.js +0 -1
  285. package/dist/native-binding.d.ts +0 -151
  286. package/dist/output.d.ts +0 -40
  287. package/dist/overrides.d.ts +0 -82
  288. package/dist/package-manager.d.ts +0 -23
  289. package/dist/plugins/config-loader.d.ts +0 -3
  290. package/dist/plugins/post-command.d.ts +0 -3
  291. package/dist/plugins/security-enforcement.d.ts +0 -3
  292. package/dist/pm-runner.d.ts +0 -23
  293. package/dist/security.d.ts +0 -64
  294. package/dist/socket-security.d.ts +0 -129
  295. package/dist/tips.d.ts +0 -41
  296. package/dist/tui/components/CheckProgressApp.d.ts +0 -6
  297. package/dist/tui/components/CommandSummary.d.ts +0 -17
  298. package/dist/tui/components/Header.d.ts +0 -13
  299. package/dist/tui/components/OutputPanel.d.ts +0 -16
  300. package/dist/tui/components/QuitDialog.d.ts +0 -15
  301. package/dist/tui/components/TaskListPanel.d.ts +0 -19
  302. package/dist/tui/components/TaskRow.d.ts +0 -12
  303. package/dist/tui/components/TaskStore.d.ts +0 -80
  304. package/dist/tui/components/VisTaskRunnerApp.d.ts +0 -17
  305. package/dist/tui/components/devcontainer/DevcontainerStore.d.ts +0 -66
  306. package/dist/tui/components/devcontainer/VisDevcontainerApp.d.ts +0 -9
  307. package/dist/tui/components/devcontainer/catalogs/extensions.d.ts +0 -8
  308. package/dist/tui/components/devcontainer/catalogs/features.d.ts +0 -8
  309. package/dist/tui/components/devcontainer/catalogs/filters.d.ts +0 -4
  310. package/dist/tui/components/devcontainer/catalogs/mount-suggestions.d.ts +0 -19
  311. package/dist/tui/components/devcontainer/catalogs/templates.d.ts +0 -8
  312. package/dist/tui/components/devcontainer/devcontainer-io.d.ts +0 -14
  313. package/dist/tui/components/devcontainer/sections/DockerComposeSection.d.ts +0 -11
  314. package/dist/tui/components/devcontainer/sections/EnvironmentSection.d.ts +0 -16
  315. package/dist/tui/components/devcontainer/sections/ExtensionsSection.d.ts +0 -11
  316. package/dist/tui/components/devcontainer/sections/FeaturesSection.d.ts +0 -11
  317. package/dist/tui/components/devcontainer/sections/GeneralSection.d.ts +0 -12
  318. package/dist/tui/components/devcontainer/sections/LifecycleSection.d.ts +0 -13
  319. package/dist/tui/components/devcontainer/sections/MountsSection.d.ts +0 -16
  320. package/dist/tui/components/devcontainer/sections/PortsSection.d.ts +0 -10
  321. package/dist/tui/components/devcontainer/sections/PreviewPanel.d.ts +0 -11
  322. package/dist/tui/components/devcontainer/types.d.ts +0 -53
  323. package/dist/tui/components/devcontainer/validate.d.ts +0 -16
  324. package/dist/tui/components/graph/GraphStore.d.ts +0 -42
  325. package/dist/tui/components/graph/ProjectDetailPanel.d.ts +0 -10
  326. package/dist/tui/components/graph/ProjectListPanel.d.ts +0 -20
  327. package/dist/tui/components/graph/VisGraphApp.d.ts +0 -8
  328. package/dist/tui/components/optimize/OptimizeDetailPanel.d.ts +0 -9
  329. package/dist/tui/components/optimize/OptimizeListPanel.d.ts +0 -16
  330. package/dist/tui/components/optimize/OptimizeStore.d.ts +0 -50
  331. package/dist/tui/components/optimize/VisOptimizeApp.d.ts +0 -8
  332. package/dist/tui/components/optimize/constants.d.ts +0 -7
  333. package/dist/tui/components/update/PackageDetailPanel.d.ts +0 -12
  334. package/dist/tui/components/update/PackageListPanel.d.ts +0 -18
  335. package/dist/tui/components/update/UpdateStore.d.ts +0 -62
  336. package/dist/tui/components/update/VisUpdateApp.d.ts +0 -11
  337. package/dist/tui/dynamic-life-cycle.d.ts +0 -21
  338. package/dist/tui/formatting-utils.d.ts +0 -17
  339. package/dist/tui/pretty-time.d.ts +0 -8
  340. package/dist/tui/static-life-cycle.d.ts +0 -22
  341. package/dist/tui/status-utils.d.ts +0 -20
  342. package/dist/tui/symbols.d.ts +0 -7
  343. package/dist/tui/types.d.ts +0 -11
  344. package/dist/typosquats.d.ts +0 -70
  345. package/dist/upgrade-check.d.ts +0 -30
  346. package/dist/utils.d.ts +0 -22
  347. package/dist/workspace.d.ts +0 -315
@@ -0,0 +1,3276 @@
1
+ import { TargetConfiguration, TaskResult, Task, FingerprintContributor, ConstraintsConfig, NamedInputs, TaskRunnerOptions } from '@visulima/task-runner';
2
+ export type { FingerprintContributor } from '@visulima/task-runner';
3
+ import { VisReleaseConfig } from "../release/types.js";
4
+ /**
5
+ * One family of upstream-coupled packages.
6
+ *
7
+ * `members` is an exact-match list. `prefixes` accept any dep whose
8
+ * name starts with the prefix — useful for monorepos that ship many
9
+ * subpackages under one scope (e.g. `@babel/`, `@storybook/`,
10
+ * `@nx/`). A family can use either or both; a dep matching either
11
+ * list belongs to the family.
12
+ */
13
+ interface SimilarDepFamily {
14
+ /** Stable id; used in report output and config overrides. */
15
+ id: string;
16
+ /** Pretty label for the report. Defaults to `id` when omitted. */
17
+ label?: string;
18
+ /** Dep names that belong to this family verbatim. */
19
+ members?: string[];
20
+ /** Dep-name prefixes (literal, no glob). Match if `depName.startsWith(prefix)`. */
21
+ prefixes?: string[];
22
+ }
23
+ /** Adapter IDs that can format (adapter `kind` is `"fmt"` or `"both"`). */
24
+ type FmtAdapterId = "biome" | "deno-fmt" | "dprint" | "oxfmt" | "prettier" | "ruff-fmt";
25
+ /** Adapter IDs that can lint (adapter `kind` is `"lint"` or `"both"`). */
26
+ type LintAdapterId = "biome" | "deno-lint" | "eslint" | "markdownlint" | "oxlint" | "ruff-check" | "shellcheck" | "stylelint";
27
+ /**
28
+ * Runtime adapter contract for the cross-runtime multi-tool (see
29
+ * `rfc/design-runtime-multitool.md`). Phase 0 defines the identity +
30
+ * detection metadata; Phase 1 extends adapters with the spawn-building
31
+ * methods (`runFile` / `runScript` / `install` / `exec`) that route through
32
+ * `pm-runner`. Deno is a planned third adapter — deliberately not a
33
+ * `RuntimeId` yet (it carries permission + no-`node_modules` semantics that
34
+ * the first cut omits).
35
+ */
36
+ /** JS runtimes vis can target today. `"deno"` is deferred. */
37
+ type RuntimeId = "bun" | "node";
38
+ type VersionManagerName = "asdf" | "corepack" | "fnm" | "mise" | "none" | "nvm" | "proto" | "self-activate" | "volta";
39
+ type RuntimeTool = "aube" | "bun" | "deno" | "go" | "node" | "npm" | "pnpm" | "python" | "ruby" | "rust" | "yarn";
40
+ interface ToolchainConfig {
41
+ /**
42
+ * When a tool pin doesn't match the running version, try to fix it
43
+ * automatically before `vis run` / `vis ci` proceed. Defaults to
44
+ * `true` when {@link findInstalledManagers} reports at least one
45
+ * installed manager, `false` otherwise.
46
+ *
47
+ * Set to `false` to keep the doctor-style warning behaviour and
48
+ * make users run `vis toolchain install` themselves.
49
+ */
50
+ readonly autoInstall?: boolean;
51
+ /** Explicit manager override, useful in CI. */
52
+ readonly preferredManager?: VersionManagerName;
53
+ /** Overrides for engines/packageManager-derived pins. */
54
+ readonly tools?: Partial<Record<RuntimeTool, string>>;
55
+ }
56
+ /**
57
+ * Custom task form — `{ title, task }` — analogous to lint-staged's
58
+ * listr-style task objects. `task` receives the matched absolute paths
59
+ * and returns a promise that resolves on success or rejects on failure.
60
+ */
61
+ interface CustomTask {
62
+ readonly task: (files: string[]) => unknown;
63
+ readonly title: string;
64
+ }
65
+ /**
66
+ * Object form of a command task. Unlike a bare command string it carries
67
+ * execution options:
68
+ *
69
+ * - `perPackage` runs the command once per workspace package that owns the
70
+ * matched files, with `cwd` set to that package's directory and file paths
71
+ * made relative to it. Use it for tools that resolve their config or
72
+ * plugins from the nearest `package.json` — e.g. eslint with a
73
+ * cwd-sensitive shareable config. Files that sit under no workspace
74
+ * package fall back to a single run from the workspace root.
75
+ * - `cwd` pins the command to a fixed directory (relative to the workspace
76
+ * root, or absolute) and passes the matched files as absolute paths so
77
+ * they resolve regardless of where the command runs. Ignored when
78
+ * `perPackage` is set — that derives the cwd per package instead.
79
+ *
80
+ * A command task is distinguished from {@link CustomTask} by carrying a
81
+ * `command` string and no `task` function.
82
+ */
83
+ interface CommandTask {
84
+ readonly command: string;
85
+ readonly cwd?: string;
86
+ readonly perPackage?: boolean;
87
+ }
88
+ /**
89
+ * A task value as authored by the user. Command strings are split into
90
+ * argv and invoked with the matched file paths appended. `{ command, … }`
91
+ * objects do the same with per-task execution options (cwd / perPackage).
92
+ * Arrays run serially. Functions receive the matched paths and return
93
+ * further task values (possibly async). `{ title, task }` objects run
94
+ * `task` directly with no argv construction.
95
+ */
96
+ type StagedTask = CommandTask | CustomTask | StagedTaskFunction | string | ReadonlyArray<CommandTask | CustomTask | StagedTaskFunction | string>;
97
+ type StagedTaskFunction = (files: string[]) => Promise<StagedTaskResult> | StagedTaskResult;
98
+ type StagedTaskResult = CommandTask | CustomTask | string | ReadonlyArray<CommandTask | CustomTask | string>;
99
+ /**
100
+ * Config object mapping glob patterns (basename or path-style) to tasks.
101
+ * A top-level function form lets the user generate the entire config
102
+ * from the staged file list.
103
+ */
104
+ type StagedConfig = Readonly<Record<string, StagedTask>> | StagedConfigFunction;
105
+ type StagedConfigFunction = (files: string[]) => Promise<Record<string, StagedTask>> | Record<string, StagedTask>;
106
+ /**
107
+ * Configuration block declared on a target to mark it as a long-lived
108
+ * "service" — eligible to be started/stopped via `vis service` and
109
+ * auto-attached when other tasks depend on it.
110
+ *
111
+ * Targets must also carry `preset: "server"` (or the equivalent
112
+ * `persistent: true`) for the service-mode lifecycle to apply.
113
+ */
114
+ interface ServiceConfig {
115
+ /**
116
+ * Env vars to expose to dependent tasks when this service is
117
+ * registered. Merged into the dependent task's env after the task's
118
+ * own envFile and before the task's explicit `env` overrides — the
119
+ * dependent task wins on key collisions.
120
+ *
121
+ * Note: only this `env` map propagates to dependents. The service
122
+ * target's own `envFile` is loaded into the **service process** at
123
+ * start time but is *not* forwarded — dependents must declare any
124
+ * shared values they need either here or in their own envFile. This
125
+ * boundary is intentional: envFiles often contain operator-only
126
+ * secrets (deploy keys, admin tokens) that should not leak into
127
+ * downstream test commands.
128
+ */
129
+ env?: Record<string, string>;
130
+ /**
131
+ * Grace period in milliseconds between SIGTERM and SIGKILL when the
132
+ * service is stopped.
133
+ * @default 5000
134
+ */
135
+ killGracePeriodMs?: number;
136
+ /**
137
+ * Optional port the service listens on. Used as the default for
138
+ * `readiness.tcp.port` when no explicit probe is configured, and
139
+ * surfaced by `vis service list`.
140
+ */
141
+ port?: number;
142
+ /** Readiness probe configuration. v1 supports TCP only. */
143
+ readiness?: {
144
+ tcp: {
145
+ host?: string;
146
+ port: number;
147
+ timeoutMs?: number;
148
+ };
149
+ };
150
+ }
151
+ /**
152
+ * Persisted registry entry. One JSON file per running service in
153
+ * `~/.vis-services/&lt;workspaceHash>/&lt;slug>.json`.
154
+ */
155
+ interface ServiceEntry {
156
+ /** Resolved command actually spawned. Used for stale-PID detection. */
157
+ command: string;
158
+ /** Service config captured at start time. */
159
+ config: ServiceConfig;
160
+ cwd: string;
161
+ /**
162
+ * Env vars to forward to dependents. Resolved at start time —
163
+ * defaults to `config.env`, but a future `--env-from` flag could
164
+ * extend this without touching the registry consumer.
165
+ */
166
+ env: Record<string, string>;
167
+ /** Target id, e.g. `apps/api:db`. */
168
+ id: string;
169
+ /** Absolute path to the captured stdout/stderr log file. */
170
+ logFile: string;
171
+ pid: number;
172
+ /**
173
+ * Filesystem-safe slug of `id`. `apps/api:db` → `apps_api__db`.
174
+ * Used as the entry's filename so registry reads can map slug → entry.
175
+ */
176
+ slug: string;
177
+ /** ISO 8601 timestamp of when the service was started. */
178
+ startedAt: string;
179
+ /**
180
+ * vis version that started this service. Auto-attach refuses entries
181
+ * from a mismatched version — protects against schema drift.
182
+ */
183
+ visVersion: string;
184
+ }
185
+ /**
186
+ * First-class task arguments: a declarative schema per target that lets a
187
+ * task define its named/positional arguments, validate what the user passes
188
+ * on the CLI, and render a per-task `--help`. The validated values are also
189
+ * exposed to the command as `VIS_ARG_&lt;NAME>` environment variables so the
190
+ * underlying script can read them without re-parsing argv.
191
+ *
192
+ * This module is intentionally pure (no IO) so it is trivially unit-testable;
193
+ * the run handler wires it to the forwarded-args vector and the task env.
194
+ */
195
+ /** Value type a {@link TaskArgument} coerces to and validates against. */
196
+ type TaskArgumentType = "boolean" | "enum" | "number" | "string";
197
+ /** A coerced task-argument value. */
198
+ type TaskArgumentValue = boolean | number | string;
199
+ /** A single declared argument for a task target. */
200
+ interface TaskArgument {
201
+ /**
202
+ * Short single-character alias (e.g. `r` for `--reporter`, used as `-r`).
203
+ * Must be exactly one character — enforced at run time by
204
+ * {@link validateArgumentSchema}.
205
+ */
206
+ alias?: string;
207
+ /**
208
+ * Allowed values when {@link TaskArgument.type} is `"enum"`. Must be
209
+ * non-empty (and is required) for `enum` — enforced at run time by
210
+ * {@link validateArgumentSchema}.
211
+ */
212
+ choices?: string[];
213
+ /** Value applied when the argument is omitted. Skips the required check. */
214
+ default?: TaskArgumentValue;
215
+ /** One-line help text surfaced by per-task `--help`. */
216
+ description?: string;
217
+ /**
218
+ * Canonical name, without the leading `--` (kebab-case by convention).
219
+ * Must start with a letter and contain only letters, digits, `-`, `_` —
220
+ * enforced at run time by {@link validateArgumentSchema}.
221
+ */
222
+ name: string;
223
+ /**
224
+ * Consume the value from the next free positional argument instead of a
225
+ * `--flag`. Positional args are filled in declaration order.
226
+ */
227
+ positional?: boolean;
228
+ /** Fail the task when the argument is absent and has no `default`. */
229
+ required?: boolean;
230
+ /** Value type for coercion + validation. Defaults to `"string"`. */
231
+ type?: TaskArgumentType;
232
+ }
233
+ /**
234
+ * Semantic classification for a target.
235
+ * - `build`: Generates one or more artifacts; cached by default.
236
+ * - `test`: Validation task (lint, typecheck, unit test). Default type.
237
+ * - `run`: One-off or long-running process. Not cached by default.
238
+ */
239
+ type TargetType = "build" | "run" | "test";
240
+ /**
241
+ * Preset bundles of target options.
242
+ * - `server`: Long-running local dev server — caching off, not in CI,
243
+ * interactive, persistent.
244
+ * - `utility`: Short-lived helper — caching off, not in CI.
245
+ */
246
+ type TargetPreset = "server" | "utility";
247
+ /**
248
+ * Controls whether a target runs in CI.
249
+ * - `true` (default): Always run.
250
+ * - `false`: Never run in CI (local-only).
251
+ * - `"affected"`: Only when the project is affected by the current change set.
252
+ * - `"always"`: Always run, even if unaffected.
253
+ */
254
+ type RunInCI = "affected" | "always" | boolean;
255
+ /**
256
+ * Controls how affected files are forwarded to a task.
257
+ * - `false` (default): Do not forward.
258
+ * - `"args"`: Append affected paths as additional command arguments.
259
+ * - `"env"`: Expose them via `VIS_AFFECTED_FILES` environment variable.
260
+ * - `"both"`: Both of the above.
261
+ */
262
+ type AffectedFilesMode = "args" | "both" | "env" | false;
263
+ /**
264
+ * Vis-specific target options that extend the task-runner's
265
+ * base `TargetConfiguration`. These live under `target.options` and are
266
+ * interpreted by vis before handing the task off to task-runner.
267
+ *
268
+ * Conditional execution (`when:`) and finally tasks (`always:`) live at
269
+ * the target top level, not under `options` — they're handled by the
270
+ * task-runner orchestrator. See `@visulima/task-runner`'s `WhenCondition`.
271
+ */
272
+ interface VisTargetOptions {
273
+ /**
274
+ * How to forward affected files to the task process.
275
+ * Only used when invoked via `vis affected &lt;target>`.
276
+ * @default false
277
+ */
278
+ affectedFiles?: AffectedFilesMode;
279
+ /**
280
+ * Load environment variables from dotenv file(s) before running.
281
+ * - `string`: a single file path (relative to project root).
282
+ * - `string[]`: multiple files — later entries override earlier ones,
283
+ * so put more-specific files last (e.g. `[".env", ".env.local"]`).
284
+ * - `true`: auto-cascade in the Next/Vite order:
285
+ * `.env` → `.env.{NODE_ENV}` → `.env.local` → `.env.{NODE_ENV}.local`.
286
+ * Skips `.env.local` when NODE_ENV is `test`, matching Next.js.
287
+ */
288
+ envFile?: boolean | string | string[];
289
+ /**
290
+ * When true, the task is serialized with respect to parallel execution
291
+ * and must be run on the main process (claims stdin). Used for commands
292
+ * that read from the terminal.
293
+ * @default false
294
+ */
295
+ interactive?: boolean;
296
+ /**
297
+ * When true, the task is hidden from CLI listings and can only be invoked
298
+ * as a dependency of another task.
299
+ * @default false
300
+ */
301
+ internal?: boolean;
302
+ /**
303
+ * Milliseconds the timeout watchdog waits between sending SIGTERM
304
+ * and SIGKILL when the `timeout` budget fires. Tasks that ignore
305
+ * SIGTERM (e.g. test runners holding open child processes) get
306
+ * force-killed after this grace window so a stuck task can't outlive
307
+ * its budget.
308
+ *
309
+ * Set to `0` to skip escalation and rely on SIGTERM only.
310
+ * @default 5000
311
+ */
312
+ killGracePeriodMs?: number;
313
+ /**
314
+ * Serializes all tasks that share the same mutex name. Useful for tasks
315
+ * that contend on a shared resource (e.g., a database migration).
316
+ */
317
+ mutex?: string;
318
+ /**
319
+ * Per-target output verbosity. Overrides the global `--output-style`
320
+ * flag for this specific target.
321
+ *
322
+ * - `"normal"` (default): print every task's terminal output
323
+ * - `"quiet"`: only print output when the task fails. Successful
324
+ * and cached tasks contribute their status line and timing, but
325
+ * their captured stdout/stderr is suppressed.
326
+ *
327
+ * Useful when a routinely-noisy task (a linter or test runner with
328
+ * verbose progress output) should stay quiet during green builds
329
+ * but reveal everything when it fails.
330
+ */
331
+ outputStyle?: "normal" | "quiet";
332
+ /**
333
+ * When true, the task is a long-running / never-ending process.
334
+ * Persistent tasks are scheduled last, execute after all cacheable
335
+ * tasks complete, and are never cached.
336
+ * @default false
337
+ */
338
+ persistent?: boolean;
339
+ /**
340
+ * A preset that pre-fills a common bundle of options.
341
+ * User-provided fields always take precedence over the preset.
342
+ */
343
+ preset?: TargetPreset;
344
+ /**
345
+ * Run the task through a pseudo-terminal so color-aware tools
346
+ * (vitest, eslint, biome, …) render as if attached to a real TTY
347
+ * instead of a pipe. Output is captured via task-runner's
348
+ * `TerminalBuffer` so ANSI escapes are normalized into the final
349
+ * rendered state before reaching the reporter.
350
+ *
351
+ * Forces cache to off — PTY output can include timing-dependent
352
+ * frames (spinners) that aren't safe to replay from a cache.
353
+ * @default false
354
+ */
355
+ pty?: boolean;
356
+ /**
357
+ * Number of times to retry the task on failure. Uses an exponential
358
+ * backoff by default (1s, 2s, 4s, ...).
359
+ * @default 0
360
+ */
361
+ retryCount?: number;
362
+ /**
363
+ * Delay between retry attempts in milliseconds, or `"exponential"`
364
+ * for 2^attempt * 1000 ms.
365
+ * @default "exponential"
366
+ */
367
+ retryDelay?: number | "exponential";
368
+ /**
369
+ * When true, the command executes with the workspace root as CWD
370
+ * instead of the project root.
371
+ * @default false
372
+ */
373
+ runFromWorkspaceRoot?: boolean;
374
+ /**
375
+ * Controls whether the task runs in CI environments.
376
+ * @default true
377
+ */
378
+ runInCI?: RunInCI;
379
+ /**
380
+ * Capability tags that gate this task to runners advertising the
381
+ * same tag. The CLI's `--runner-tags=gpu,slow` flag (or
382
+ * `VIS_RUNNER_TAGS` env var) tells vis what the current runner
383
+ * supports; tasks whose `runnerTags` share at least one tag with
384
+ * the runner set are eligible. Untagged tasks (no `runnerTags` or
385
+ * an empty array) are general-purpose and always run.
386
+ *
387
+ * Use this for special-purpose CI lanes — e.g. a GPU runner that
388
+ * should only pick up visual-regression suites, or a nightly job
389
+ * that runs `slow` integration tests. When neither flag nor env
390
+ * is set, the filter is inactive and every task runs.
391
+ */
392
+ runnerTags?: string[];
393
+ /**
394
+ * Marks this target as a long-lived service that can be started via
395
+ * `vis service start &lt;id>` and auto-attached when other tasks declare
396
+ * it in `dependsOn`. Implies persistent + non-cacheable behaviour
397
+ * (set `preset: "server"` to inherit the rest of the bundle).
398
+ *
399
+ * The presence of this block — not `preset: "server"` alone — is
400
+ * what makes a target eligible for the cross-invocation registry.
401
+ * `preset: "server"` without `service` keeps today's in-run-only
402
+ * behaviour.
403
+ */
404
+ service?: ServiceConfig;
405
+ /**
406
+ * Per-target shell override. When set, the command runs through this
407
+ * shell instead of the platform default.
408
+ */
409
+ shell?: string;
410
+ /**
411
+ * Arguments passed to the per-target shell/interpreter before the command
412
+ * string. Defaults to `["-c"]` (POSIX shells, pwsh). Set this to run the
413
+ * command under an interpreter that uses a different flag — e.g.
414
+ * `shell: "node", shellArgs: ["-e"]` runs the command as inline JS
415
+ * ("script mode"), or `shellArgs: ["-lc"]` for a login shell. Only applies
416
+ * when `shell`/`unixShell`/`windowsShell` resolves to a custom shell.
417
+ *
418
+ * Must be non-empty when set — an empty array would drop the interpreter
419
+ * flag entirely, so the runtime falls back to `-c` defensively.
420
+ */
421
+ shellArgs?: string[];
422
+ /**
423
+ * Override the workspace `strictEnv` setting for this target. When
424
+ * truthy, the target fails if its command references an env var
425
+ * that resolves to neither the task's effective env nor
426
+ * `process.env`. When `false`, the target opts out of a workspace
427
+ * `strictEnv: true` (e.g. for a one-off command that legitimately
428
+ * tolerates an unset variable).
429
+ * @see VisConfig.strictEnv
430
+ */
431
+ strictEnv?: boolean;
432
+ /**
433
+ * Maximum wall-clock milliseconds a single task run is allowed to
434
+ * take before being killed. `0` / `undefined` means no timeout.
435
+ *
436
+ * When the timeout fires the task is sent SIGTERM and, if it has
437
+ * not exited within `killGracePeriodMs`, SIGKILL. The task exits
438
+ * with a failure status carrying the `[timeout]` marker in
439
+ * `terminalOutput`. Retries count per-attempt, not cumulatively.
440
+ *
441
+ * Use this to prevent runaway tasks from eating CI wall-clock time
442
+ * up to the job-level cutoff.
443
+ */
444
+ timeout?: number;
445
+ /**
446
+ * Per-target unix shell override, used on Linux and macOS.
447
+ * Takes precedence over `shell` on unix-like systems.
448
+ */
449
+ unixShell?: string;
450
+ /**
451
+ * Per-target windows shell override, used on Windows.
452
+ * Takes precedence over `shell` on Windows.
453
+ */
454
+ windowsShell?: string;
455
+ }
456
+ /**
457
+ * An extended target configuration that adds the vis-specific options
458
+ * on top of task-runner's `TargetConfiguration`.
459
+ */
460
+ interface VisTargetConfiguration extends Omit<TargetConfiguration, "options"> {
461
+ /**
462
+ * Alternate names that resolve to this target on the CLI. Useful
463
+ * for shortening long canonical names (`test` ↔ `t`) or for
464
+ * offering migration-friendly aliases when renaming targets.
465
+ * Aliases must be globally unique within the workspace.
466
+ */
467
+ aliases?: string[];
468
+ /**
469
+ * Declarative argument schema for this target. Forwarded CLI args
470
+ * (`vis run &lt;target> -- --flag value`) are validated against it, surfaced
471
+ * by per-task `--help`, and exposed to the command as `VIS_ARG_&lt;NAME>`
472
+ * environment variables.
473
+ */
474
+ arguments?: TaskArgument[];
475
+ /**
476
+ * One-line description surfaced by `vis list` and per-task `--help`.
477
+ * Kept short — longer docs belong in project READMEs or
478
+ * vis.config.ts comments.
479
+ */
480
+ description?: string;
481
+ /**
482
+ * True when the target was synthesized by a Project Crystal-style
483
+ * detector (see {@link ../inference}) rather than declared by a
484
+ * package.json script, project.json, or vis.task.ts file. Surfaced
485
+ * by `vis list --inferred` and used by tooling to distinguish
486
+ * implicit defaults from explicit user intent.
487
+ */
488
+ inferred?: boolean;
489
+ /** Vis-specific target options. */
490
+ options?: VisTargetOptions;
491
+ /** Preset applied before user-specified options. */
492
+ preset?: TargetPreset;
493
+ /**
494
+ * Semantic task type. Affects caching defaults and CI filtering.
495
+ * @default "test"
496
+ */
497
+ type?: TargetType;
498
+ }
499
+ type HookCallback = (...arguments_: any) => Promise<void> | void;
500
+ type HookKeys<T> = keyof T & string;
501
+ type DeprecatedHook<T> = {
502
+ message?: string;
503
+ to: HookKeys<T>;
504
+ };
505
+ type ValueOf<C> = C extends Record<any, any> ? C[keyof C] : never;
506
+ type Strings<T> = Exclude<keyof T, number | symbol>;
507
+ type KnownKeys<T> = keyof { [K in keyof T as string extends K ? never : number extends K ? never : K]: never };
508
+ type StripGeneric<T> = Pick<T, KnownKeys<T> extends keyof T ? KnownKeys<T> : never>;
509
+ type OnlyGeneric<T> = Omit<T, KnownKeys<T> extends keyof T ? KnownKeys<T> : never>;
510
+ type Namespaces<T> = ValueOf<{ [key in Strings<T>]: key extends `${infer Namespace}:${string}` ? Namespace : never }>;
511
+ type BareHooks<T> = ValueOf<{ [key in Strings<T>]: key extends `${string}:${string}` ? never : key }>;
512
+ type HooksInNamespace<T, Namespace extends string> = ValueOf<{ [key in Strings<T>]: key extends `${Namespace}:${infer HookName}` ? HookName : never }>;
513
+ type WithoutNamespace<T, Namespace extends string> = { [key in HooksInNamespace<T, Namespace>]: `${Namespace}:${key}` extends keyof T ? T[`${Namespace}:${key}`] : never };
514
+ type NestedHooks<T> = (Partial<StripGeneric<T>> | Partial<OnlyGeneric<T>>) & Partial<{ [key in Namespaces<StripGeneric<T>>]: NestedHooks<WithoutNamespace<T, key>> }> & Partial<{ [key in BareHooks<StripGeneric<T>>]: T[key] }>;
515
+ type InferCallback<HT, HN extends keyof HT> = HT[HN] extends HookCallback ? HT[HN] : never;
516
+ type InferSpyEvent<HT extends Record<string, any>> = { [key in keyof HT]: {
517
+ name: key;
518
+ args: Parameters<HT[key]>;
519
+ context: Record<string, any>;
520
+ } }[keyof HT];
521
+ declare class Hookable<HooksT extends Record<string, any> = Record<string, HookCallback>, HookNameT extends HookKeys<HooksT> = HookKeys<HooksT>> {
522
+ private _hooks;
523
+ private _before?;
524
+ private _after?;
525
+ private _deprecatedHooks;
526
+ private _deprecatedMessages?;
527
+ constructor();
528
+ hook<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>, options?: {
529
+ allowDeprecated?: boolean;
530
+ }): () => void;
531
+ hookOnce<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>): () => void;
532
+ removeHook<NameT extends HookNameT>(name: NameT, function_: InferCallback<HooksT, NameT>): void;
533
+ clearHook<NameT extends HookNameT>(name: NameT): void;
534
+ deprecateHook<NameT extends HookNameT>(name: NameT, deprecated: HookKeys<HooksT> | DeprecatedHook<HooksT>): void;
535
+ deprecateHooks(deprecatedHooks: Partial<Record<HookNameT, DeprecatedHook<HooksT>>>): void;
536
+ addHooks(configHooks: NestedHooks<HooksT>): () => void;
537
+ removeHooks(configHooks: NestedHooks<HooksT>): void;
538
+ removeAllHooks(): void;
539
+ callHook<NameT extends HookNameT>(name: NameT, ...args: Parameters<InferCallback<HooksT, NameT>>): Promise<any> | void;
540
+ callHookParallel<NameT extends HookNameT>(name: NameT, ...args: Parameters<InferCallback<HooksT, NameT>>): Promise<any[]> | void;
541
+ callHookWith<NameT extends HookNameT, CallFunction extends (hooks: HookCallback[], args: Parameters<InferCallback<HooksT, NameT>>, name: NameT) => any>(caller: CallFunction, name: NameT, args: Parameters<InferCallback<HooksT, NameT>>): ReturnType<CallFunction>;
542
+ beforeEach(function_: (event: InferSpyEvent<HooksT>) => void): () => void;
543
+ afterEach(function_: (event: InferSpyEvent<HooksT>) => void): () => void;
544
+ }
545
+ type CreateTask = (name?: string) => {
546
+ run: (function_: () => Promise<any> | any) => Promise<any> | any;
547
+ };
548
+ declare global {
549
+ interface Console {
550
+ createTask?: CreateTask;
551
+ }
552
+ }
553
+ /** @deprecated */
554
+ /**
555
+ * Typed hook surface exposed to vis plugins.
556
+ *
557
+ * Plugins subscribe via `hooks.hook(name, handler)` — handlers are
558
+ * awaited sequentially in registration order. Returning a promise
559
+ * delays the next hook firing until it resolves, so plugins can
560
+ * safely perform async setup/teardown.
561
+ *
562
+ * Naming deliberately mirrors vite-task / webpack-style verbs:
563
+ * before/after for boundaries, on&lt;Event> for passive observation.
564
+ */
565
+ interface VisHooks {
566
+ /**
567
+ * Fired after the entire task graph completes (including any
568
+ * failures). `results` maps task ID → {@link TaskResult}.
569
+ */
570
+ "run:after": (results: Map<string, TaskResult>) => Promise<void> | void;
571
+ /**
572
+ * Fired once before any task in the graph starts, after workspace
573
+ * discovery and graph construction. Throwing aborts the run.
574
+ */
575
+ "run:before": (context: {
576
+ tasks: Task[];
577
+ workspaceRoot: string;
578
+ }) => Promise<void> | void;
579
+ /**
580
+ * Fired after `vis run` auto-attaches to one or more registered
581
+ * services. `taskIds` lists the in-graph dependents that consumed
582
+ * the service's `env` block; an empty array means the service was
583
+ * registered but no kept task depended on it.
584
+ */
585
+ "service:attach": (entry: ServiceEntry, taskIds: ReadonlyArray<string>) => Promise<void> | void;
586
+ /**
587
+ * Fired after a service is registered and its readiness probe
588
+ * succeeds. Sourced from both `vis service start` (and `restart`'s
589
+ * post-start phase) and any future programmatic call sites.
590
+ */
591
+ "service:start": (entry: ServiceEntry) => Promise<void> | void;
592
+ /**
593
+ * Fired after a registered service is stopped (SIGTERM/SIGKILL
594
+ * acknowledged, registry entry deleted). Not fired when stop is
595
+ * called against an unknown id — only when there was an alive
596
+ * entry to terminate.
597
+ */
598
+ "service:stop": (entry: ServiceEntry) => Promise<void> | void;
599
+ /**
600
+ * Fired after a task completes (success, failure, or cache hit).
601
+ * Receives the final {@link TaskResult}.
602
+ */
603
+ "task:after": (task: Task, result: TaskResult) => Promise<void> | void;
604
+ /**
605
+ * Fired before each task begins execution — after scheduling, before
606
+ * the executor runs the command. Throwing aborts that single task.
607
+ */
608
+ "task:before": (task: Task) => Promise<void> | void;
609
+ /** Fired when a task hit the local or remote cache. */
610
+ "task:cacheHit": (task: Task, result: TaskResult) => Promise<void> | void;
611
+ /**
612
+ * Fired when auto-fingerprint cache diagnostics reports a miss,
613
+ * carrying the human-readable reason string.
614
+ */
615
+ "task:cacheMiss": (task: Task, reasons: string) => Promise<void> | void;
616
+ /** Fired when a task exits non-zero. */
617
+ "task:failure": (task: Task, result: TaskResult) => Promise<void> | void;
618
+ /**
619
+ * Fired during fingerprint construction, after built-in inputs are
620
+ * gathered and before the hash is sealed. Plugins call
621
+ * `contributor.contribute(key, value)` to mix arbitrary strings
622
+ * into the task hash — the hasher namespaces and sorts contributions
623
+ * deterministically so call order doesn't change the result.
624
+ *
625
+ * Throwing aborts hashing for the offending task and surfaces as a
626
+ * task failure before any cache lookup runs. Use this to guarantee
627
+ * a buggy plugin can't quietly poison cache state.
628
+ */
629
+ "task:fingerprint": (task: Task, contributor: FingerprintContributor) => Promise<void> | void;
630
+ /**
631
+ * Fired right before a failed task is re-spawned by the retry
632
+ * controller. `attempt` is 1-indexed and counts the retry that's
633
+ * about to start (so the original failed run was attempt 0).
634
+ * `prevExitCode` is the failing exit status that triggered the
635
+ * retry (the full TaskResult isn't materialized at the retry
636
+ * boundary — only the per-attempt close event is available).
637
+ *
638
+ * Throwing aborts the retry; the previous failure becomes the final
639
+ * result.
640
+ */
641
+ "task:retry": (task: Task, attempt: number, prevExitCode: number) => Promise<void> | void;
642
+ /**
643
+ * Fired with a stderr chunk as a running task emits it. Plugins
644
+ * that ship logs live (Slack, Datadog) should prefer this over
645
+ * `task:after` so they don't wait for the full buffer.
646
+ */
647
+ "task:stderr": (task: Task, chunk: string) => Promise<void> | void;
648
+ /**
649
+ * Fired with a stdout chunk as a running task emits it. See
650
+ * `task:stderr` for semantics.
651
+ */
652
+ "task:stdout": (task: Task, chunk: string) => Promise<void> | void;
653
+ }
654
+ /**
655
+ * Public plugin contract. Implementations register handlers by
656
+ * returning a partial {@link VisHooks} map from `hooks`, or by
657
+ * mutating the Hookable instance directly via `setup(hooks)` for
658
+ * advanced cases (dynamic registration, removeHook, etc.).
659
+ *
660
+ * Plugins are loaded in the order they appear in `visConfig.plugins`.
661
+ * Handler execution order within a hook follows registration order,
662
+ * so earlier plugins see events first.
663
+ */
664
+ interface VisPlugin {
665
+ /**
666
+ * Declarative handlers — the common shape. One entry per hook
667
+ * name; pass a function or an array of functions (all run serially
668
+ * in order).
669
+ */
670
+ hooks?: Partial<{ [K in keyof VisHooks]: VisHooks[K] | VisHooks[K][] }>;
671
+ /** Plugin name — surfaced in debug logs. */
672
+ name: string;
673
+ /**
674
+ * Imperative setup — receives the shared Hookable instance so the
675
+ * plugin can register hooks conditionally, unregister later, or
676
+ * use advanced APIs like `hookOnce`/`beforeEach`/`afterEach`.
677
+ */
678
+ setup?: (hooks: Hookable<VisHooks>) => Promise<void> | void;
679
+ }
680
+ /**
681
+ * Per-adapter override applied by `vis lint` / `vis fmt`. Keyed by
682
+ * adapter id under `lint.adapters` / `fmt.adapters`. Every field is
683
+ * optional — set only what you need to change.
684
+ */
685
+ interface LintFmtAdapterOverride {
686
+ /**
687
+ * Set to `false` to skip this adapter even when its config file or
688
+ * package.json entry is detected. Defaults to `true` (run when
689
+ * detected).
690
+ */
691
+ enabled?: boolean;
692
+ /**
693
+ * Extra arguments appended verbatim to every invocation of this
694
+ * adapter. Useful for tool-specific flags vis doesn't expose
695
+ * directly (e.g. `eslint --rulesdir`).
696
+ */
697
+ extraArgs?: string[];
698
+ }
699
+ /**
700
+ * The 8 Socket.dev-style supply-chain policies. Used in `security.policies`
701
+ * and `security.acceptedRisks[*].policies`. Kept as a const tuple so callers
702
+ * can import the runtime array (`POLICY_NAMES`) for iteration without
703
+ * drifting from the union type.
704
+ */
705
+ declare const POLICY_NAMES: readonly ["firstSeen", "installScripts", "license", "malware", "publisherChange", "score", "unexpectedDeps", "vulnerability"];
706
+ type PolicyName = (typeof POLICY_NAMES)[number];
707
+ /**
708
+ * Recognised input sources for the codeowners aggregator.
709
+ *
710
+ * - `project-json` — owners declared on each project's `project.json`.
711
+ * Canonical source; takes precedence over the other two on path conflicts.
712
+ * - `nested-codeowners` — `CODEOWNERS` files placed at arbitrary depth
713
+ * in the workspace tree (excluding the generated root file).
714
+ * - `package-json-maintainers` — fallback that reads each project's
715
+ * `package.json#maintainers` and emits one entry per project root for
716
+ * projects with no `project.json owners`. GitHub handles are extracted
717
+ * from each maintainer's `url` (e.g. `https://github.com/&lt;handle&gt;`).
718
+ */
719
+ type CodeownersSource = "nested-codeowners" | "package-json-maintainers" | "project-json";
720
+ interface CodeownersConfig {
721
+ /** Markers that bracket the generated block when `preserveBlock` is set. */
722
+ blockMarker?: {
723
+ begin: string;
724
+ end: string;
725
+ };
726
+ /** Workspace-level paths that apply outside any project (e.g., `.github/**`). */
727
+ globalPaths?: Record<string, string[]>;
728
+ /** Glob patterns used to discover nested `CODEOWNERS` files. Defaults to `["**\/CODEOWNERS"]`. */
729
+ nestedIncludes?: string[];
730
+ /** Sort order for generated entries — mirrors moon's `orderBy`. */
731
+ orderBy?: "file-source" | "project-id";
732
+ /**
733
+ * When set, the generated content is spliced between
734
+ * {@link CodeownersConfig.blockMarker} markers in the existing file
735
+ * (markers are appended if missing) instead of overwriting the file.
736
+ */
737
+ preserveBlock?: boolean;
738
+ /** Provider determines whether `channel` is emitted (GitHub supports it via comment). */
739
+ provider?: "bitbucket" | "github" | "gitlab" | "other";
740
+ /**
741
+ * Header instruction shown to reviewers. Replaces the default
742
+ * "Update each project's project.json `owners` field…" line. Useful
743
+ * when the canonical regenerate path is a custom script.
744
+ */
745
+ regenerationCommand?: string;
746
+ /** Enabled input sources. Defaults to `["project-json"]`. */
747
+ sources?: CodeownersSource[];
748
+ }
749
+ /**
750
+ * One user-declared customTypes entry. See `policy.customTypes.extraTypes`
751
+ * for the full contract — this is just the row shape.
752
+ */
753
+ interface ExtraCustomType {
754
+ /**
755
+ * Required when `strategy === "string"`. The dep-cluster key the bare
756
+ * version string at `path` should be associated with.
757
+ */
758
+ depName?: string;
759
+ /**
760
+ * Display name for this customType. Used as the cluster key prefix in
761
+ * lint output and JSON. Must not collide with the built-in names.
762
+ */
763
+ name: string;
764
+ /** Dot-separated walk into package.json (e.g. `pnpm.overrides`, `myTool.runtime`). */
765
+ path: string;
766
+ /**
767
+ * How to interpret the JSON found at `path`.
768
+ * - `name@version` — single string `pnpm@9.0.0` (with optional `+sha512.…` hash).
769
+ * - `name~version` — single string `node~20.0.0`, mirrors syncpack's tilde form.
770
+ * - `string` — bare version literal (requires `depName`).
771
+ * - `versionsByName` — `{ name: version }` object such as `engines`.
772
+ */
773
+ strategy: "name@version" | "name~version" | "string" | "versionsByName";
774
+ }
775
+ /**
776
+ * Declared code-owner assignment for a path glob within a project.
777
+ * Mirrors moon's `owners` shape so migrations can round-trip cleanly.
778
+ */
779
+ interface OwnersEntry {
780
+ /** Optional notification channel (e.g. Slack, Teams). */
781
+ channel?: string;
782
+ /** Owner handles (e.g. `@visulima/core-team`). */
783
+ owners: string[];
784
+ /** File/glob pattern relative to the project root. */
785
+ path: string;
786
+ }
787
+ /**
788
+ * Per-project TypeScript overlay loaded from `vis.task.ts`. Adds a
789
+ * dynamic, type-safe layer for target overrides on top of `project.json`,
790
+ * which stays the canonical home for static metadata (`tags`, `layer`,
791
+ * `stack`, `language`, `owners`, `projectType`, `sourceRoot`,
792
+ * `implicitDependencies`).
793
+ *
794
+ * `vis.task.ts` is opt-in. A package without one behaves identically to
795
+ * before its introduction. Targets defined here merge over `project.json`'s
796
+ * `targets` block — see `design-config-layering.md` for the full
797
+ * precedence stack.
798
+ */
799
+ interface VisTaskConfig {
800
+ /** Per-target overrides — same shape as `project.json#targets`. */
801
+ tasks?: Record<string, VisTargetConfiguration>;
802
+ }
803
+ /**
804
+ * Per-project metadata surfaced by `project.json`. Extended beyond the
805
+ * minimal `projectType` / `tags` / `sourceRoot` fields we historically
806
+ * parsed to include targets, owners, and layer/stack classification.
807
+ */
808
+ interface ProjectJson {
809
+ /** Implicit dependencies on other projects. */
810
+ implicitDependencies?: string[];
811
+ /** Primary language — informational and query-able. */
812
+ language?: string;
813
+ /** Project layer, used for constraint inheritance and query filtering. */
814
+ layer?: "application" | "automation" | "configuration" | "library" | "scaffolding" | "tool";
815
+ /**
816
+ * Project name. When set, takes precedence over `package.json#name`
817
+ * as the project's identity in the workspace graph and CLI filters.
818
+ * Falls back to `package.json#name` when omitted.
819
+ */
820
+ name?: string;
821
+ /** Code owners for paths inside this project. */
822
+ owners?: OwnersEntry[];
823
+ /** Project-level metadata. */
824
+ project?: {
825
+ channel?: string;
826
+ description?: string;
827
+ maintainers?: string[];
828
+ owner?: string;
829
+ title?: string;
830
+ };
831
+ /**
832
+ * Project type — `library`, `application`, `service`, or `tool`.
833
+ *
834
+ * - `library` — reusable code consumed by other workspace projects.
835
+ * - `application` — end-user-facing build target (web app, mobile app).
836
+ * - `service` — long-running HTTP / worker process deployed independently.
837
+ * - `tool` — CLI or developer tooling shipped as an executable.
838
+ */
839
+ projectType?: "application" | "library" | "service" | "tool";
840
+ /**
841
+ * Marks the project as write-restricted. Consumed by
842
+ * `vis sync codeowners --write-guard` to scope the generated
843
+ * Write Guard workflow to this project's paths.
844
+ */
845
+ restricted?: boolean;
846
+ /** Source root, used for display and language inference. */
847
+ sourceRoot?: string;
848
+ /** Tech stack. */
849
+ stack?: "backend" | "data" | "frontend" | "infrastructure" | "systems";
850
+ /** Filterable tags. */
851
+ tags?: string[];
852
+ /** Vis-style target definitions (merged on top of package.json scripts). */
853
+ targets?: Record<string, VisTargetConfiguration>;
854
+ }
855
+ /**
856
+ * A predicate used by {@link VisConfig.scopedTasks}.
857
+ * All listed constraints must match for the block to apply.
858
+ */
859
+ interface ScopedTasksMatch {
860
+ /** Match on primary language. */
861
+ language?: string | string[];
862
+ /** Match on project layer. */
863
+ layer?: ProjectJson["layer"] | ProjectJson["layer"][];
864
+ /** Match on project type. */
865
+ projectType?: "application" | "library" | "service" | "tool";
866
+ /** Match on project stack. */
867
+ stack?: ProjectJson["stack"] | ProjectJson["stack"][];
868
+ /** Match projects tagged with any of these tags. */
869
+ tags?: string[];
870
+ }
871
+ /**
872
+ * A single scoped-tasks block — a set of task defaults gated by an
873
+ * optional match predicate.
874
+ */
875
+ interface ScopedTasksBlock {
876
+ /** Optional match predicate; if omitted, the block applies universally. */
877
+ match?: ScopedTasksMatch;
878
+ /** Task default configurations, keyed by target name. */
879
+ tasks: Record<string, Partial<VisTargetConfiguration>>;
880
+ }
881
+ interface VisConfig {
882
+ /** AI analysis configuration */
883
+ ai?: {
884
+ /** Cache TTL in milliseconds. Overrides default (1h / 30min for security). */
885
+ cacheTtl?: number;
886
+ /** Override default provider priority. Higher number = preferred. */
887
+ priority?: Record<string, number>;
888
+ /** Use a specific provider instead of auto-detecting (e.g., `"claude"`, `"gemini"`). */
889
+ provider?: string;
890
+ };
891
+ /**
892
+ * Scope the task-runner cache directory by the current git branch.
893
+ * When `true`, caches are stored under `&lt;cacheDir>/branches/&lt;slug>`
894
+ * so `main` and feature branches stop thrashing each other —
895
+ * generated artefacts (schemas, `.d.ts` snapshots) that legitimately
896
+ * differ across branches no longer oscillate the cache contents.
897
+ *
898
+ * Falls back to the unscoped path on detached HEAD, non-git
899
+ * workspaces, or when git isn't available.
900
+ * @default false
901
+ */
902
+ branchScopedCache?: boolean;
903
+ /**
904
+ * Code ownership configuration. Controls how `vis sync codeowners`
905
+ * renders the generated CODEOWNERS file.
906
+ */
907
+ codeowners?: CodeownersConfig;
908
+ /**
909
+ * Project dependency constraints.
910
+ * Enforced after building the project graph, before running tasks.
911
+ */
912
+ constraints?: ConstraintsConfig;
913
+ /**
914
+ * Configuration for the `vis create` scaffolding command.
915
+ * Controls template downloads (via giget), default options, and
916
+ * post-creation behavior.
917
+ */
918
+ create?: {
919
+ /**
920
+ * Authorization token for downloading private repository templates.
921
+ * Passed as Bearer token to the git host API.
922
+ * Can also be set via GIGET_AUTH, GITHUB_TOKEN, or GH_TOKEN environment variables.
923
+ */
924
+ auth?: string;
925
+ /**
926
+ * Default editor to configure after scaffolding.
927
+ * When set, `vis create` automatically generates editor config files.
928
+ * @example "vscode"
929
+ */
930
+ defaultEditor?: "vscode";
931
+ /**
932
+ * Default package manager for new standalone projects.
933
+ * When set, skips the PM selection prompt in interactive mode.
934
+ */
935
+ defaultPm?: "bun" | "npm" | "pnpm" | "yarn";
936
+ /**
937
+ * Default giget provider for `owner/repo` shorthand inputs.
938
+ * @default "github"
939
+ */
940
+ defaultProvider?: "bitbucket" | "github" | "gitlab" | "sourcehut";
941
+ /**
942
+ * Initialize a git repository after scaffolding standalone projects.
943
+ * @default false
944
+ */
945
+ gitInit?: boolean;
946
+ /**
947
+ * Install dependencies automatically after scaffolding.
948
+ * @default true
949
+ */
950
+ install?: boolean;
951
+ /**
952
+ * Prefer locally cached templates over re-downloading.
953
+ * Useful for offline development or slow connections.
954
+ * @default false
955
+ */
956
+ preferOffline?: boolean;
957
+ /**
958
+ * Custom template registry URL.
959
+ * When set, giget checks this registry for template metadata
960
+ * before falling back to direct provider resolution.
961
+ * Set to `false` to disable registry lookup entirely.
962
+ * @see https://github.com/unjs/giget#custom-registry
963
+ */
964
+ registry?: false | string;
965
+ /**
966
+ * Named template aliases for quick access.
967
+ * Maps short names to full giget source strings.
968
+ * @example
969
+ * ```
970
+ * templates: {
971
+ * "react": "github:vitejs/vite/packages/create-vite/template-react-ts",
972
+ * "lib": "github:my-org/lib-template",
973
+ * "internal": "gitlab:company/templates/node-service",
974
+ * }
975
+ * ```
976
+ */
977
+ templates?: Record<string, string>;
978
+ };
979
+ /**
980
+ * Default base branch used by `vis affected`, `vis ci`, and `vis run --affected`
981
+ * when no explicit `--base` is passed and no CI smart-resolver fires.
982
+ *
983
+ * Resolved as `origin/&lt;defaultBase>` against the local clone; should be a
984
+ * branch name (not a fully-qualified ref) such as `main`, `master`, or `trunk`.
985
+ * Falls back to `main` when omitted.
986
+ *
987
+ * Migrated automatically from `nx.json#affected.defaultBase` /
988
+ * `nx.json#defaultBase` by `vis migrate nx`.
989
+ * @default "main"
990
+ */
991
+ defaultBase?: string;
992
+ /**
993
+ * Discover `.editorconfig` for indent / line-ending defaults during
994
+ * file transformations (sort-package-json, migrate, hook, pm overrides,
995
+ * workspace catalog rewrites). Per-command flags can still override.
996
+ * @default true
997
+ */
998
+ editorconfig?: boolean;
999
+ /**
1000
+ * Inherit configuration from one or more parent configs. Entries are
1001
+ * resolved left-to-right (later wins) and the consumer's own values
1002
+ * always override anything pulled in from `extends`.
1003
+ *
1004
+ * Each entry is either:
1005
+ * - a relative path (`./shared.config.ts`, `../shared.config.ts`) —
1006
+ * resolved against the file declaring `extends`;
1007
+ * - an npm package name (`@acme/vis-preset`) — resolved via Node.js
1008
+ * module resolution from the consumer file.
1009
+ *
1010
+ * Absolute paths are rejected — they break across machines and CI.
1011
+ * Cycles raise `VisConfigCycleError` during load.
1012
+ * @example
1013
+ * ```
1014
+ * extends: ["@acme/vis-preset", "./shared/security.config.ts"]
1015
+ * ```
1016
+ */
1017
+ extends?: string | string[];
1018
+ /**
1019
+ * Named file-group patterns, reusable from target `inputs` via the
1020
+ * `@filegroup:&lt;name>` token. File groups are resolved relative to each
1021
+ * project root at discovery time.
1022
+ * @example
1023
+ * ```
1024
+ * fileGroups: {
1025
+ * sources: ["src/**\/*.ts", "!src/**\/*.test.ts"],
1026
+ * tests: ["**\/*.test.ts"],
1027
+ * }
1028
+ * ```
1029
+ */
1030
+ fileGroups?: Record<string, string[]>;
1031
+ /**
1032
+ * Configuration for `vis fmt` — the formatter orchestrator.
1033
+ *
1034
+ * Tunes adapter detection precedence, per-extension routing, and
1035
+ * per-adapter overrides. Flags on the CLI always win over config.
1036
+ *
1037
+ * The default fmt precedence is `oxfmt → biome → dprint → prettier
1038
+ * → deno-fmt`. When multiple adapters claim the same extension,
1039
+ * the first in this order owns it unless overridden here.
1040
+ * @example
1041
+ * ```
1042
+ * fmt: {
1043
+ * order: ["biome", "prettier"],
1044
+ * extensionOverrides: { md: "dprint" },
1045
+ * adapters: { "deno-fmt": { enabled: false } },
1046
+ * }
1047
+ * ```
1048
+ */
1049
+ fmt?: {
1050
+ /**
1051
+ * Per-adapter overrides. Keyed by `AdapterId`. Set
1052
+ * `enabled: false` to skip an adapter even when detected, or
1053
+ * `extraArgs` to append flags verbatim.
1054
+ */
1055
+ adapters?: Partial<Record<FmtAdapterId, LintFmtAdapterOverride>>;
1056
+ /**
1057
+ * Pin a file extension (without the leading dot) to a specific
1058
+ * adapter, overriding the registry's "first detected adapter
1059
+ * wins" routing. Use to e.g. send `.md` to `dprint` even when
1060
+ * both prettier and dprint are present.
1061
+ */
1062
+ extensionOverrides?: Record<string, FmtAdapterId>;
1063
+ /**
1064
+ * Override the adapter precedence order. Adapters omitted from
1065
+ * this list still run (appended at the end in registry order),
1066
+ * but those listed earlier get priority for extension routing.
1067
+ */
1068
+ order?: FmtAdapterId[];
1069
+ };
1070
+ /**
1071
+ * Configuration for the `vis generate` in-repo scaffolding command.
1072
+ * Points at additional template directories beyond the defaults
1073
+ * (`.vis/templates/` and `.moon/templates/`).
1074
+ */
1075
+ generator?: {
1076
+ /**
1077
+ * Authorization token forwarded to giget when fetching
1078
+ * `git://`/`npm://` remote templates. Falls back to
1079
+ * `GIGET_AUTH` / `GITHUB_TOKEN` / `GH_TOKEN` env vars.
1080
+ */
1081
+ auth?: string;
1082
+ /**
1083
+ * Prefer locally cached remote templates over re-downloading.
1084
+ * Overridable per invocation via `--prefer-offline`.
1085
+ * @default false
1086
+ */
1087
+ preferOffline?: boolean;
1088
+ /**
1089
+ * Extra directories to scan for templates. Each directory is
1090
+ * checked for both native templates (`&lt;name>.ts`) and
1091
+ * moon-format directories (containing `template.yml`).
1092
+ * @example
1093
+ * ```
1094
+ * generator: {
1095
+ * templates: ["./tools/generators", "./packages/scaffolding/templates"],
1096
+ * }
1097
+ * ```
1098
+ */
1099
+ templates?: string[];
1100
+ };
1101
+ /**
1102
+ * Auto-create targets from detected config files (Project Crystal-style).
1103
+ * On by default; set `false` to disable entirely, or use the object
1104
+ * form to disable individual detectors.
1105
+ *
1106
+ * Inferred targets sit *below* explicit ones — the command from
1107
+ * `package.json#scripts`, `project.json#targets`, or `vis.task.ts`
1108
+ * always wins per-key, so opting in never changes what runs. As a
1109
+ * caching aid, when a `package.json` script's command *is* a
1110
+ * detector's command (optionally with extra flags, no shell
1111
+ * chaining) and the script declares no `inputs`/`outputs`, the
1112
+ * detector's `inputs`/`outputs` are adopted so the script target can
1113
+ * cache precisely and restore its artifacts. Customised/compound
1114
+ * scripts are left untouched.
1115
+ *
1116
+ * Built-in detectors and the targets they synthesize:
1117
+ *
1118
+ * - **App frameworks** — `nuxt` (build/dev/preview/generate),
1119
+ * `next` (build/dev/start), `remix` (build/dev/start), `astro`
1120
+ * (build/dev), `gatsby` (build/develop/serve), `docusaurus`
1121
+ * (build/start/serve).
1122
+ * - **Bundlers** — `vite` (build/dev/preview), `rolldown` (build),
1123
+ * `tsdown` (build), `tsup` (build), `packem` (build), `rollup`
1124
+ * (build), `webpack` (build).
1125
+ * - **Docs sites** — `vitepress` (docs:build/docs:dev/docs:preview),
1126
+ * `typedoc` (docs).
1127
+ * - **Server frameworks** — `nest` (build/start/start:dev).
1128
+ * - **Test runners** — `vitest` (test/test:watch), `jest`
1129
+ * (test/test:watch), `bun` (test), `playwright` (test:e2e),
1130
+ * `cypress` (test:e2e/cypress:open).
1131
+ * - **Stories** — `storybook` (storybook/build-storybook).
1132
+ * - **Type checking** — `typescript` (typecheck via `tsc --noEmit`).
1133
+ * - **Lint / format** — `eslint` (lint), `prettier` (format /
1134
+ * format:check), `biome` (lint, format), `oxlint` (lint),
1135
+ * `oxfmt` (format / format:check), `stylelint` (lint:css),
1136
+ * `knip` (knip).
1137
+ * - **Runtimes** — `deno` (test/lint/fmt/check).
1138
+ * - **Database tooling** — `prisma` (db:generate/db:migrate/
1139
+ * db:push/db:studio), `drizzle` (db:generate/db:migrate/
1140
+ * db:push/db:studio).
1141
+ * - **Codegen / release** — `graphql-codegen` (codegen),
1142
+ * `api-extractor` (api-extract), `changeset` (changeset:version /
1143
+ * changeset:publish / changeset:status).
1144
+ *
1145
+ * Trigger: presence of any matching config file in the project root.
1146
+ * Most detectors additionally match when their framework appears in
1147
+ * `dependencies` / `devDependencies` / `peerDependencies` /
1148
+ * `optionalDependencies` — covering convention-only setups (e.g.
1149
+ * vitest with default config). Detectors that intentionally require
1150
+ * a config file (because the package frequently appears transitively
1151
+ * and a dep-only match would synthesize broken commands): `vite`,
1152
+ * `rolldown`, `rollup`, `webpack`, `storybook`, `nest`, `remix`,
1153
+ * `vitepress`, `bun`, `deno`, `changeset`.
1154
+ *
1155
+ * Conflict resolution: detectors are evaluated in registration order
1156
+ * (see `BUILT_IN_DETECTORS`) and the first to claim a target name
1157
+ * wins. Per-name priorities: `build` → nuxt > next > remix > astro
1158
+ * > gatsby > docusaurus > vite > nest > rolldown > tsdown > tsup >
1159
+ * packem > rollup > webpack; `test` → vitest > jest > bun > deno;
1160
+ * `test:e2e` → playwright > cypress; `lint` → eslint > biome >
1161
+ * oxlint > deno; `format` → prettier > biome > oxfmt; `db:*` →
1162
+ * prisma > drizzle.
1163
+ *
1164
+ * Also accepts an object form (`{ vite: false, vitest: true }`) to
1165
+ * opt individual detectors in or out by name. Detectors omitted from
1166
+ * the object run at their default (enabled). Useful when one
1167
+ * detector misfires for a given workspace without disabling the rest.
1168
+ * @default true
1169
+ */
1170
+ inferTargets?: Record<string, boolean> | boolean;
1171
+ /**
1172
+ * Installer backend selection for `vis install` / `vis add` /
1173
+ * `vis remove` / `vis update` / `vis ci`.
1174
+ *
1175
+ * Lets users opt into [aube](https://github.com/endevco/aube) — a
1176
+ * Rust-native package manager that reads/writes pnpm/npm/yarn/bun
1177
+ * lockfiles in place — as the default installer, while keeping a
1178
+ * single switch to fall back to the conventional PM detected from
1179
+ * the lockfile.
1180
+ *
1181
+ * Resolution precedence (highest first):
1182
+ * 1. CLI flag (`--installer &lt;name>` / `--no-aube`)
1183
+ * 2. Env var `VIS_INSTALLER`
1184
+ * 3. This config field
1185
+ * 4. Auto-detect (the default)
1186
+ *
1187
+ * Aube must be installed separately — `vis` does not bundle it.
1188
+ * Install via npm (`@endevco/aube`), `mise use -g aube`, or
1189
+ * `brew install endevco/tap/aube`.
1190
+ */
1191
+ install?: {
1192
+ /**
1193
+ * Which package manager performs install/add/remove/etc.
1194
+ * - `auto` (default): use `aube` when it is on PATH; otherwise
1195
+ * fall back to the lockfile-detected PM.
1196
+ * - explicit name: always use that PM. Errors when the named
1197
+ * binary is missing rather than silently falling back.
1198
+ * @default "auto"
1199
+ */
1200
+ backend?: "aube" | "auto" | "bun" | "npm" | "pnpm" | "yarn";
1201
+ /**
1202
+ * Whether to dispatch PM invocations through `corepack`.
1203
+ * - `"auto"` (default): use corepack only when the workspace
1204
+ * pins a PM via the `packageManager` field AND `corepack` is
1205
+ * on PATH AND the PM is one corepack manages (pnpm/yarn/npm).
1206
+ * - `true`: always prefix `corepack` when the binary is on PATH
1207
+ * and the PM is corepack-managed (errors loudly otherwise).
1208
+ * - `false`: never go through corepack — invoke the PM directly.
1209
+ *
1210
+ * Mirrors nypm's `corepack: true` flag. Bun, deno, and aube are
1211
+ * never wrapped — corepack does not manage them.
1212
+ * @default "auto"
1213
+ */
1214
+ corepack?: "auto" | boolean;
1215
+ };
1216
+ /**
1217
+ * Configuration for `vis lint` — the linter orchestrator.
1218
+ *
1219
+ * Tunes adapter detection precedence and per-adapter overrides.
1220
+ * Flags on the CLI always win over config.
1221
+ *
1222
+ * The default lint precedence is `oxlint → biome → eslint →
1223
+ * stylelint → deno-lint`. Override with `order` to e.g. let biome
1224
+ * fire before oxlint when the workspace standardises on biome.
1225
+ * @example
1226
+ * ```
1227
+ * lint: {
1228
+ * order: ["biome", "eslint"],
1229
+ * adapters: { "deno-lint": { enabled: false } },
1230
+ * }
1231
+ * ```
1232
+ */
1233
+ lint?: {
1234
+ /**
1235
+ * Per-adapter overrides. Keyed by `AdapterId`. Set
1236
+ * `enabled: false` to skip an adapter even when detected, or
1237
+ * `extraArgs` to append flags verbatim.
1238
+ */
1239
+ adapters?: Partial<Record<LintAdapterId, LintFmtAdapterOverride>>;
1240
+ /**
1241
+ * Override the adapter precedence order. Adapters omitted from
1242
+ * this list still run (appended at the end in registry order)
1243
+ * unless explicitly disabled under `adapters[id].enabled`.
1244
+ */
1245
+ order?: LintAdapterId[];
1246
+ };
1247
+ /**
1248
+ * `vis-mcp` promotion notice shown after successful commands when an
1249
+ * AI CLI (Claude Code, Cursor, Windsurf, Continue, Zed, Cline) is
1250
+ * installed but `@visulima/vis-mcp` is not wired into its config.
1251
+ *
1252
+ * Shown at most once every 14 days; skipped in CI, non-TTY shells,
1253
+ * during `--help`/`--version`/`ai`/`mcp` invocations, and when
1254
+ * `VIS_NO_MCP_PROMOTE=1` is set. Set `enabled: false` to silence
1255
+ * permanently for this workspace.
1256
+ * @example
1257
+ * ```
1258
+ * mcpPromote: { enabled: false }
1259
+ * ```
1260
+ */
1261
+ mcpPromote?: {
1262
+ /**
1263
+ * Show the vis-mcp promotion notice on successful command completion.
1264
+ * @default true
1265
+ */
1266
+ enabled?: boolean;
1267
+ };
1268
+ /**
1269
+ * Named input patterns inherited by every project target. Equivalent
1270
+ * to task-runner's `namedInputs` but configurable from the vis config.
1271
+ */
1272
+ namedInputs?: NamedInputs;
1273
+ /** Package override mappings applied during migration (e.g., `{ "lodash": "lodash-es" }`) */
1274
+ overrides?: Record<string, string>;
1275
+ /**
1276
+ * Plugins — each plugin registers typed hooks that fire at run /
1277
+ * task / cache boundaries. See {@link VisPlugin} for the contract.
1278
+ * Prefer plugins over per-target shell hooks when behaviour needs
1279
+ * access to task metadata, results, or cache state.
1280
+ */
1281
+ plugins?: VisPlugin[];
1282
+ /**
1283
+ * Workspace dep-policy lints exposed via `vis lint`. Each block opts in
1284
+ * to a single rule; the command flags (`--workspace-protocol`,
1285
+ * `--no-redefine-root`, `--banned-deps`) toggle them per-run.
1286
+ */
1287
+ policy?: {
1288
+ /**
1289
+ * Map of dep names or globs → reason (or `{ reason, replacement, packages?, paths? }`).
1290
+ * Internal/workspace deps are never flagged here; the
1291
+ * workspace-protocol lint owns those.
1292
+ *
1293
+ * Optional `packages` (globs over the declaring package's `name`) and
1294
+ * `paths` (globs over the workspace-relative `packageDir`) narrow where
1295
+ * the rule applies. With both set, either match is enough. Omit both
1296
+ * to ban anywhere — the default.
1297
+ * @example
1298
+ * ```
1299
+ * bannedDeps: {
1300
+ * request: "deprecated; use undici",
1301
+ * moment: { reason: "huge bundle, frozen upstream", replacement: "date-fns" },
1302
+ * "@radix-ui/*": "we standardized on shadcn",
1303
+ * react: { reason: "no react in shared libs", paths: ["packages/shared/*"] },
1304
+ * "next": { reason: "apps only", packages: ["@app/*"] },
1305
+ * }
1306
+ * ```
1307
+ */
1308
+ bannedDeps?: Record<string, string | {
1309
+ packages?: string[];
1310
+ paths?: string[];
1311
+ reason: string;
1312
+ replacement?: string;
1313
+ }>;
1314
+ /**
1315
+ * Tweak the custom-types lint that flags drift in `engines.{node,pnpm,...}`,
1316
+ * `packageManager`, `volta.{node,pnpm,yarn}`, and the proposed
1317
+ * `devEngines.{runtime,packageManager}` array form.
1318
+ *
1319
+ * Each (customType × name) cluster is tracked independently —
1320
+ * `engines.node` and `volta.node` don't cross-couple here. Use a
1321
+ * versionGroup once that lands if you need to enforce they agree.
1322
+ */
1323
+ customTypes?: {
1324
+ /**
1325
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1326
+ * for the contract — same semantics, applied to drift rewrites
1327
+ * across engines / packageManager / volta / devEngines.
1328
+ *
1329
+ * Note: `--fix` strips any `+sha512.&lt;hash&gt;` suffix from
1330
+ * `packageManager` on bump — content-integrity hashes are tied
1331
+ * to a specific package, not a version, so users must regenerate
1332
+ * via their PM (`pnpm install` re-pins; `corepack use pnpm@X` etc.).
1333
+ * @default true
1334
+ */
1335
+ autofix?: "prompt" | boolean;
1336
+ /**
1337
+ * User-defined custom-type pin locations. Each entry tells the
1338
+ * customTypes lint to read additional version pins from a
1339
+ * non-standard JSON path inside every workspace package.json,
1340
+ * cluster them by `(name × depName)` like the built-in types,
1341
+ * and rewrite them with `--fix`.
1342
+ *
1343
+ * The original built-ins (`engines`, `volta`, `packageManager`,
1344
+ * `devEngines.runtime`, `devEngines.packageManager`) keep
1345
+ * running unconditionally — these layer on top.
1346
+ *
1347
+ * Strategies:
1348
+ * - `versionsByName`: the JSON at `path` is `{ [depName]: version }`
1349
+ * (like `engines` or `pnpm.overrides`).
1350
+ * - `name@version`: the JSON at `path` is a string of the form
1351
+ * `name@version` (like `packageManager`). The leading `name@`
1352
+ * is preserved; only the version segment is rewritten.
1353
+ * - `string`: the JSON at `path` is a bare version string. The
1354
+ * `depName` field is required and identifies the dep cluster.
1355
+ *
1356
+ * `name` must not collide with a built-in type name. `path` is
1357
+ * a dot-separated walk into the package.json (e.g. `pnpm.overrides`).
1358
+ * @example
1359
+ * ```ts
1360
+ * extraTypes: [
1361
+ * { name: "pnpmOverridesLegacy", path: "pnpm.overrides", strategy: "versionsByName" },
1362
+ * { name: "myToolPin", path: "myTool.runtime", strategy: "name@version" },
1363
+ * { name: "minNode", path: "config.minNode", strategy: "string", depName: "node" },
1364
+ * ]
1365
+ * ```
1366
+ */
1367
+ extraTypes?: ExtraCustomType[];
1368
+ /**
1369
+ * Dep names exempt from the drift check (exact match against the
1370
+ * field name within the block — e.g. `node`, `pnpm`).
1371
+ */
1372
+ ignore?: string[];
1373
+ /**
1374
+ * Resolution strategy used when `--fix` runs.
1375
+ * - `highest` (default): align every drifting instance to the
1376
+ * highest declared version.
1377
+ * - `lowest`: align to the lowest.
1378
+ * @default "highest"
1379
+ */
1380
+ resolve?: "highest" | "lowest";
1381
+ };
1382
+ /**
1383
+ * Tweak the dead-workspace-patterns lint that flags entries in
1384
+ * `pnpm-workspace.yaml#packages` / `package.json#workspaces` which
1385
+ * resolve to zero on-disk directories.
1386
+ */
1387
+ deadWorkspacePatterns?: {
1388
+ /**
1389
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1390
+ * for the contract — applied here to dropping unmatched patterns
1391
+ * from the workspace config file.
1392
+ * @default true
1393
+ */
1394
+ autofix?: "prompt" | boolean;
1395
+ };
1396
+ /**
1397
+ * Tweak the empty-deps lint that flags empty `dependencies` /
1398
+ * `devDependencies` / `peerDependencies` / `optionalDependencies`
1399
+ * blocks across the workspace.
1400
+ */
1401
+ emptyDeps?: {
1402
+ /**
1403
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1404
+ * for the contract — applied here to removing the empty key.
1405
+ * @default true
1406
+ */
1407
+ autofix?: "prompt" | boolean;
1408
+ /**
1409
+ * Block names exempt from the rule (e.g. `["peerDependencies"]`
1410
+ * to keep the key around as a marker even when empty).
1411
+ */
1412
+ ignoreBlocks?: ("dependencies" | "devDependencies" | "optionalDependencies" | "peerDependencies")[];
1413
+ };
1414
+ /**
1415
+ * Tweak the redefine-root lint that flags non-root packages duplicating
1416
+ * deps already pinned at the workspace root.
1417
+ */
1418
+ redefineRoot?: {
1419
+ /** Dep names that are exempt from the redefine-root rule (exact match). */
1420
+ ignore?: string[];
1421
+ };
1422
+ /**
1423
+ * Tweak the root-deps lint that flags runtime `dependencies` declared
1424
+ * on the private workspace root (they should live in `devDependencies`).
1425
+ */
1426
+ rootDeps?: {
1427
+ /**
1428
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1429
+ * for the contract — applied here to moving entries from
1430
+ * `dependencies` to `devDependencies` on the root package.json.
1431
+ * @default true
1432
+ */
1433
+ autofix?: "prompt" | boolean;
1434
+ };
1435
+ /**
1436
+ * Tweak the root-package-manager lint that flags a missing or
1437
+ * malformed `packageManager` field on the workspace root.
1438
+ */
1439
+ rootPackageManager?: {
1440
+ /**
1441
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1442
+ * for the contract. `--fix` only writes when `suggested` is set —
1443
+ * a missing `packageManager` field has no canonical default.
1444
+ * @default true
1445
+ */
1446
+ autofix?: "prompt" | boolean;
1447
+ /**
1448
+ * Canonical specifier (`name@version`) to write when `--fix` runs
1449
+ * and the field is absent. Required to enable autofix —
1450
+ * vis won't guess the workspace's preferred manager.
1451
+ * @example "pnpm@10.32.1"
1452
+ */
1453
+ suggested?: string;
1454
+ };
1455
+ /**
1456
+ * Tweak the root-private lint that flags a workspace root package.json
1457
+ * missing `"private": true`. Only fires when the root looks like a
1458
+ * workspace (npm/yarn/bun `workspaces` field or `pnpm-workspace.yaml`).
1459
+ */
1460
+ rootPrivate?: {
1461
+ /**
1462
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1463
+ * for the contract — applied here to inserting `"private": true`.
1464
+ * @default true
1465
+ */
1466
+ autofix?: "prompt" | boolean;
1467
+ };
1468
+ /**
1469
+ * Tweak the similar-deps lint that flags drift across related dep
1470
+ * families (e.g. `react` and `react-dom`, all of `@babel/*`).
1471
+ *
1472
+ * The lint is report-only — aligning a family requires picking a
1473
+ * single canonical specifier across heterogeneous range syntaxes
1474
+ * (`^`, `~`, exact), which is too lossy without user input.
1475
+ */
1476
+ similarDeps?: {
1477
+ /**
1478
+ * Additional families merged with the built-ins. Same `id` wins
1479
+ * → user override fully replaces the built-in entry.
1480
+ * @example
1481
+ * ```
1482
+ * extraFamilies: [
1483
+ * { id: "vue", label: "Vue", members: ["vue", "vue-router", "pinia"] },
1484
+ * ]
1485
+ * ```
1486
+ */
1487
+ extraFamilies?: SimilarDepFamily[];
1488
+ /** Family ids to skip entirely (matches `SimilarDepFamily.id`). */
1489
+ ignoreFamilies?: string[];
1490
+ };
1491
+ /**
1492
+ * Tweak the types-in-deps lint that flags `@types/*` declared in
1493
+ * `dependencies` on a private package (they belong in
1494
+ * `devDependencies` since the package never ships).
1495
+ */
1496
+ typesInDeps?: {
1497
+ /**
1498
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1499
+ * for the contract — applied here to moving the entry to
1500
+ * `devDependencies`. Existing dev pins are preserved on conflict.
1501
+ * @default true
1502
+ */
1503
+ autofix?: "prompt" | boolean;
1504
+ /** Dep names exempt from the rule (exact match, e.g. `@types/node`). */
1505
+ ignore?: string[];
1506
+ };
1507
+ /**
1508
+ * Tweak the workspace-protocol lint that flags internal deps not
1509
+ * using the `workspace:` protocol.
1510
+ */
1511
+ workspaceProtocol?: {
1512
+ /**
1513
+ * Three-state autofix opt-out. Some workspaces want detection
1514
+ * without rewrite (e.g. dual-licensed packages where `workspace:*`
1515
+ * is unsafe).
1516
+ * - `true` (default): `--fix` rewrites the specifier.
1517
+ * - `false`: never rewrite — report the violation only.
1518
+ * - `"prompt"`: ask before each rewrite. Falls back to report-only
1519
+ * when stdin isn't a TTY (CI). Reserved; not yet implemented.
1520
+ *
1521
+ * Note: when `false` (or `"prompt"`), `--fix` still **fails CI** on
1522
+ * detected violations — the rule is "report only", not "ignore".
1523
+ * Drop the rule from the lint selection if you want a clean exit.
1524
+ * @default true
1525
+ * @example
1526
+ * ```
1527
+ * policy: {
1528
+ * workspaceProtocol: { autofix: false },
1529
+ * }
1530
+ * ```
1531
+ */
1532
+ autofix?: "prompt" | boolean;
1533
+ };
1534
+ /**
1535
+ * Tweak the workspace-versions lint that flags external deps declared
1536
+ * at inconsistent versions across the workspace.
1537
+ */
1538
+ workspaceVersions?: {
1539
+ /**
1540
+ * Three-state autofix opt-out. See `workspaceProtocol.autofix`
1541
+ * for the contract — same semantics, applied to drift rewrites.
1542
+ *
1543
+ * Also gates the `--propose-min` catalog suggestion writer:
1544
+ * when `false` / `"prompt"`, `--fix --propose-min` reports the
1545
+ * proposed catalog entries but does not write
1546
+ * `pnpm-workspace.yaml`. Same "report only, still fails CI"
1547
+ * note applies as on `workspaceProtocol.autofix`.
1548
+ * @default true
1549
+ */
1550
+ autofix?: "prompt" | boolean;
1551
+ /** Dep names exempt from the version-drift check (exact match). */
1552
+ ignore?: string[];
1553
+ /**
1554
+ * Resolution strategy used when `--fix` runs.
1555
+ * - `highest` (default): rewrite every drifting instance to the
1556
+ * highest sibling specifier.
1557
+ * - `lowest`: rewrite to the lowest.
1558
+ * - `catalog`: rewrite any dep already pinned in a workspace catalog
1559
+ * to `catalog:` / `catalog:&lt;name>`. Catalog must exist; this lint
1560
+ * does not create the catalog (see `vis lint --resolve catalog --propose`).
1561
+ * @default "highest"
1562
+ */
1563
+ resolve?: "catalog" | "highest" | "lowest";
1564
+ };
1565
+ };
1566
+ /**
1567
+ * Pre-flight checks fired before `vis run` starts the orchestrator.
1568
+ * Each check is opt-out (`false`) — defaults are sensible for the
1569
+ * common monorepo case.
1570
+ */
1571
+ preflight?: {
1572
+ /**
1573
+ * Detect "lockfile changed but `node_modules` is stale" before
1574
+ * running tasks. Compares lockfile mtime against the
1575
+ * package-manager-specific install marker
1576
+ * (`node_modules/.modules.yaml` for pnpm, `.package-lock.json`
1577
+ * for npm, etc.). Warns in TTY, hard-fails in CI.
1578
+ * @default true
1579
+ */
1580
+ lockfile?: boolean;
1581
+ };
1582
+ /**
1583
+ * Configuration for the `vis release` subsystem. Controls change-file
1584
+ * authoring, version computation, channel routing, publish behavior,
1585
+ * and CI integration. See `packages/tooling/vis/rfc/design-release-manager.md`.
1586
+ */
1587
+ release?: VisReleaseConfig;
1588
+ /**
1589
+ * Behavior of `vis run` when invoked tasks declare service dependencies
1590
+ * that aren't running in the workspace registry. CLI `--services=&lt;mode>`
1591
+ * overrides this block.
1592
+ */
1593
+ run?: {
1594
+ /**
1595
+ * Wrap each task's CI log block in collapsible groups so users
1596
+ * can fold/unfold per-task output in the host CI's web UI.
1597
+ * Failed tasks always render expanded so the failure is visible
1598
+ * without an extra click.
1599
+ *
1600
+ * - `auto` (default): pick the format from the detected runner —
1601
+ * `GITHUB_ACTIONS=true` → `github` (`::group::`),
1602
+ * `GITLAB_CI=true` → `gitlab` (`section_start:` ANSI sequences),
1603
+ * `BUILDKITE=true` → `buildkite` (`---` collapsed headers),
1604
+ * `TF_BUILD=True` → `azure` (`##[group]`),
1605
+ * no grouping otherwise.
1606
+ * - `off`: never group (raw separators only — useful when
1607
+ * piping through tools that mangle the directives).
1608
+ * - `azure` / `buildkite` / `github` / `gitlab`: force the format
1609
+ * regardless of detected environment (useful for self-hosted
1610
+ * runners that don't set the standard env vars).
1611
+ *
1612
+ * CircleCI is intentionally not auto-detected: its 2.0+ format
1613
+ * has no inline grouping directive — steps auto-group in the
1614
+ * web UI without any markup from the runner.
1615
+ */
1616
+ ciGrouping?: "auto" | "azure" | "buildkite" | "github" | "gitlab" | "off";
1617
+ /**
1618
+ * Stay quiet when a run succeeds. When enabled:
1619
+ * - non-interactive output suppresses successful and cached tasks
1620
+ * and prints only failures (failed tasks always render in full —
1621
+ * in CI as expanded log blocks), equivalent to
1622
+ * `--output-style=quiet`; and
1623
+ * - the interactive TUI auto-closes a few seconds after a clean run
1624
+ * via a countdown dialog. A run with any failure stays open so the
1625
+ * user can inspect it.
1626
+ *
1627
+ * The explicit `--output-style` CLI flag overrides the output side,
1628
+ * a per-target `options.outputStyle` overrides both, and
1629
+ * `tui.autoExit` overrides the auto-close countdown.
1630
+ *
1631
+ * Default: `false` — every task's output is echoed and the TUI waits
1632
+ * for the user. Set to `true` to opt into quiet, auto-closing runs.
1633
+ */
1634
+ quietOnSuccess?: boolean;
1635
+ /**
1636
+ * One knob controlling auto-start of missing service deps.
1637
+ * - `auto` (default in TTY): pick by task — `dev` → ephemeral,
1638
+ * others → persistent.
1639
+ * - `ephemeral`: services die with the run (no registry entry).
1640
+ * - `persistent`: services persist across runs in the registry.
1641
+ * - `off` (default in CI / non-TTY): print diagnostics and abort.
1642
+ */
1643
+ services?: "auto" | "ephemeral" | "off" | "persistent";
1644
+ };
1645
+ /**
1646
+ * Target JS runtime for this workspace/project — `"node"` (default) or
1647
+ * `"bun"`. Overridden by the `--runtime` flag and the `VIS_RUNTIME` env
1648
+ * var; falls back to lockfile detection when unset. Part of the
1649
+ * cross-runtime multi-tool (see `rfc/design-runtime-multitool.md`).
1650
+ */
1651
+ runtime?: RuntimeId;
1652
+ /**
1653
+ * Cascading scoped-task blocks. Each block may narrow its tasks to a
1654
+ * subset of projects via `match`. Blocks are evaluated in order; later
1655
+ * blocks override earlier ones when the same field is set.
1656
+ *
1657
+ * Match predicates are additive — if `match` is omitted, the block applies
1658
+ * to every project.
1659
+ * @example
1660
+ * ```
1661
+ * scopedTasks: [
1662
+ * { match: { tags: ["frontend"] }, tasks: { build: { cache: true } } },
1663
+ * { match: { projectType: "library" }, tasks: { lint: { cache: true } } },
1664
+ * ]
1665
+ * ```
1666
+ */
1667
+ scopedTasks?: ScopedTasksBlock[];
1668
+ /**
1669
+ * Default options for `vis secrets`. CLI flags always take precedence;
1670
+ * this block provides workspace-wide defaults so teams can commit config
1671
+ * once and every invocation picks it up.
1672
+ */
1673
+ secrets?: {
1674
+ /** Path to a baseline of previously-triaged findings (relative to workspace root). */
1675
+ baseline?: string;
1676
+ /** Where the ruleset comes from. Omit for the bundled gitleaks default. */
1677
+ config?: {
1678
+ /** Layer the user's rules on top of the bundled ruleset. Default: `true`. */
1679
+ extendBundled?: boolean;
1680
+ /** Inline rule overrides. Wins over `path` when both are set. */
1681
+ inline?: {
1682
+ allowlist?: unknown;
1683
+ allowlists?: unknown[];
1684
+ description?: string;
1685
+ rules?: unknown[];
1686
+ title?: string;
1687
+ };
1688
+ /** Path to a JSON config (gitleaks-compatible). */
1689
+ path?: string;
1690
+ /** Bundled presets layered on top of the default ruleset (e.g. `"weak-passwords"`). */
1691
+ presets?: string[];
1692
+ };
1693
+ /** Redact secret values in findings. */
1694
+ redact?: boolean;
1695
+ /** Rule-id filters applied after scanning. */
1696
+ rules?: {
1697
+ /** Drop findings whose ruleId matches. */
1698
+ exclude?: string[];
1699
+ /** Only report findings whose ruleId matches. */
1700
+ include?: string[];
1701
+ };
1702
+ /** Walker / filesystem traversal. */
1703
+ walk?: {
1704
+ /**
1705
+ * Paths to additional `.gitignore`-syntax files (e.g. `.secretsignore`).
1706
+ */
1707
+ excludeFromFiles?: string[];
1708
+ /**
1709
+ * Gitignore-syntax patterns (supports negation, directory markers, leading `/`).
1710
+ * Applied on top of `.gitignore`.
1711
+ */
1712
+ excludePatterns?: string[];
1713
+ /** Respect `.gitignore`. Default: `true`. */
1714
+ gitignore?: boolean;
1715
+ /** Include hidden (dotfile) entries. Default: `false`. */
1716
+ includeHidden?: boolean;
1717
+ /** Max file size in bytes. Default 10 MiB. */
1718
+ maxFileSize?: number;
1719
+ };
1720
+ };
1721
+ /**
1722
+ * Supply chain security settings.
1723
+ * These settings are inspired by pnpm's security features and are applied
1724
+ * universally across all package managers (pnpm, npm, yarn, bun).
1725
+ *
1726
+ * For pnpm users: these map directly to pnpm-workspace.yaml settings.
1727
+ * For npm/yarn/bun users: vis enforces these at the vis layer since
1728
+ * those package managers lack native support.
1729
+ */
1730
+ security?: {
1731
+ /**
1732
+ * Packages whose policy findings have been reviewed and explicitly
1733
+ * accepted. Matched against every policy unless `policies` narrows the
1734
+ * scope. Replaces the legacy `security.socket.acceptedRisks` map.
1735
+ *
1736
+ * Key format: package name (`"lodash"`), name@version
1737
+ * (`"lodash@4.17.21"`), or glob (`"@myorg/*"`). Unversioned keys match
1738
+ * all versions of that package.
1739
+ * @example
1740
+ * ```
1741
+ * acceptedRisks: {
1742
+ * "some-risky-pkg": {
1743
+ * reason: "Internal fork, low score expected",
1744
+ * acceptedAt: "2026-03-15T10:00:00Z",
1745
+ * acceptedScore: 0.25,
1746
+ * policies: ["score"],
1747
+ * expiresAt: "2026-12-31",
1748
+ * },
1749
+ * }
1750
+ * ```
1751
+ */
1752
+ acceptedRisks?: Record<string, {
1753
+ /** ISO 8601 timestamp when the risk was accepted. */
1754
+ acceptedAt: string;
1755
+ /**
1756
+ * The overall Socket.dev score at the time of acceptance,
1757
+ * in the range `[0, 1]` (mirrors `policies.score.minimum`).
1758
+ * Only relevant for the `score` policy; ignored elsewhere.
1759
+ */
1760
+ acceptedScore?: number;
1761
+ /**
1762
+ * ISO 8601 date (or datetime). After this point the acceptance
1763
+ * stops applying and vis emits a warning. Leave undefined for
1764
+ * non-expiring entries. Values that fail to parse as a Date
1765
+ * are rejected by the loader rather than silently treated as
1766
+ * "always expired".
1767
+ */
1768
+ expiresAt?: string;
1769
+ /**
1770
+ * Which policies this acceptance covers. When undefined the
1771
+ * acceptance applies to every policy finding on this package.
1772
+ */
1773
+ policies?: PolicyName[];
1774
+ /** User-provided reason for accepting the risk. */
1775
+ reason: string;
1776
+ }>;
1777
+ /**
1778
+ * Map of bin names (or `pkg#bin` qualifiers) blessed for shadowing.
1779
+ * When two installed packages expose the same bin name, vis flags
1780
+ * the collision in `vis security list` and the post-install drift
1781
+ * report — set the bin (or `pkg#bin`) to `true` here to suppress
1782
+ * the warning once you've reviewed the conflict.
1783
+ *
1784
+ * Port of LavaMoat allow-scripts' experimental `allowBins`.
1785
+ * Bare names match any conflicting bin with that name; the
1786
+ * `pkg#bin` form scopes the approval to a single package's bin.
1787
+ * @example
1788
+ * ```
1789
+ * allowBins: {
1790
+ * tsc: true, // bless any 'tsc' bin
1791
+ * "typescript#tsc": true, // bless only typescript's 'tsc'
1792
+ * }
1793
+ * ```
1794
+ */
1795
+ allowBins?: Record<string, boolean>;
1796
+ /**
1797
+ * Offline OSV advisory + `vis audit` configuration.
1798
+ *
1799
+ * Controls `vis audit --offline` and `vis advisories sync` behavior:
1800
+ * - `audit.advisories.source` is the OSV mirror to download from. It
1801
+ * must be `https://` and resolve to a host in `allowedHosts` (or one
1802
+ * of the built-in defaults).
1803
+ * - `audit.offlineByDefault` flips the default of `--offline`.
1804
+ *
1805
+ * Vulnerability severity gating and reachability filtering live under
1806
+ * `policies.vulnerability` (see below).
1807
+ */
1808
+ audit?: {
1809
+ /**
1810
+ * Offline advisory cache settings.
1811
+ */
1812
+ advisories?: {
1813
+ /**
1814
+ * Extra hosts permitted as `audit.advisories.source`. The
1815
+ * built-in allowlist is enforced even if this field is
1816
+ * omitted; entries here add to it.
1817
+ * @example ["mirror.corp.example.com"]
1818
+ */
1819
+ allowedHosts?: string[];
1820
+ /**
1821
+ * Bloom-filter prefilter for OSV `MAL-*` (malicious-package)
1822
+ * advisories. Probes a ~380 KB filter fetched from
1823
+ * `endevco/osv-bloom` and escalates hits to the existing
1824
+ * advisory query path for `(name, version)` confirmation.
1825
+ *
1826
+ * Cost: ~380 KB on the wire, refreshed every 10 minutes
1827
+ * upstream. False-positive rate is ~0.1%, so a typical
1828
+ * 1000-package lockfile triggers zero or one extra
1829
+ * round trip per audit.
1830
+ *
1831
+ * Independent of `audit.advisories.source` / `verify` —
1832
+ * those control the full OSV ingest. The bloom is
1833
+ * MAL-* only and aimed at cold-start preflight and
1834
+ * ephemeral CI runners that haven't synced the full DB.
1835
+ */
1836
+ bloom?: {
1837
+ /**
1838
+ * Extra hosts permitted as `bloom.source`. The
1839
+ * built-in allowlist (`endevco.github.io`) is enforced
1840
+ * even if this field is omitted; entries here add to it.
1841
+ */
1842
+ allowedHosts?: string[];
1843
+ /**
1844
+ * Prefilter mode:
1845
+ * - `off`: never run the bloom check.
1846
+ * - `on`: run when a local filter is cached; on
1847
+ * fetch failure, fall back to the cached filter or
1848
+ * skip the prefilter (audit continues against the
1849
+ * non-bloom path).
1850
+ * - `required`: hard-fail the audit when the bloom
1851
+ * refresh fails or the local cache is missing.
1852
+ * Use in hardened CI together with
1853
+ * `audit.advisories.source`.
1854
+ * @default "off"
1855
+ */
1856
+ mode?: "off" | "on" | "required";
1857
+ /**
1858
+ * Bloom mirror base URL (no trailing slash). Defaults
1859
+ * to the public `endevco/osv-bloom` GH Pages site.
1860
+ * Override only if you mirror the bloom artifacts
1861
+ * internally; the hostname must appear in
1862
+ * `allowedHosts`.
1863
+ * @default "https://endevco.github.io/osv-bloom"
1864
+ */
1865
+ source?: string;
1866
+ };
1867
+ /**
1868
+ * Number of hours after `lastSyncIso` before `vis audit`
1869
+ * prints a "your advisory cache may be stale" notice.
1870
+ * `vis audit` never auto-syncs — the user runs
1871
+ * `vis advisories sync` themselves.
1872
+ * @default 24
1873
+ */
1874
+ refreshIntervalHours?: number;
1875
+ /**
1876
+ * OSV mirror base URL (no trailing slash). Defaults to the
1877
+ * public Google Cloud Storage bucket. Override to point at a
1878
+ * corporate mirror; the hostname must appear in `allowedHosts`
1879
+ * (or one of the built-in defaults) and the scheme must be
1880
+ * `https://`.
1881
+ * @default "https://osv-vulnerabilities.storage.googleapis.com"
1882
+ */
1883
+ source?: string;
1884
+ /**
1885
+ * Sigstore signature verification for the OSV dump.
1886
+ * Requires the native binding to be built with the
1887
+ * `verify-signatures` Cargo feature (default in the release
1888
+ * build). Off by default — the upstream OSV bucket does not
1889
+ * ship signatures today.
1890
+ */
1891
+ verify?: {
1892
+ /**
1893
+ * Enable signature verification. The sync flow downloads
1894
+ * `&lt;eco>/all.zip.sig` next to the zip and aborts if it
1895
+ * cannot verify against `expectedIssuer` / `expectedSubject`.
1896
+ * @default false
1897
+ */
1898
+ enabled?: boolean;
1899
+ /** OIDC issuer that signed the bundle. */
1900
+ expectedIssuer?: string;
1901
+ /** OIDC subject (workload identity) that signed the bundle. */
1902
+ expectedSubject?: string;
1903
+ };
1904
+ };
1905
+ /**
1906
+ * Gates for the auto-fix flow (`vis audit --fix` /
1907
+ * `--fix-transitive`). The CLI prompts outside CI; inside CI
1908
+ * the flags refuse to run unless `--yes` is set and, for
1909
+ * transitives, `apply.transitive.enabled = true`.
1910
+ */
1911
+ apply?: {
1912
+ /**
1913
+ * Gates for `vis audit --fix-transitive`. Two-lock: the
1914
+ * CLI requires `--yes` AND this flag set to `true` before
1915
+ * it will rewrite override entries in CI.
1916
+ */
1917
+ transitive?: {
1918
+ /**
1919
+ * When true, allows `--fix-transitive` to run in CI
1920
+ * environments. Defaults to false because rewriting
1921
+ * overrides is a higher blast radius than bumping a
1922
+ * direct dep.
1923
+ * @default false
1924
+ */
1925
+ enabled?: boolean;
1926
+ };
1927
+ };
1928
+ /**
1929
+ * Vulnerability scanner backend.
1930
+ *
1931
+ * - `auto` (default): delegate to `aube audit` when aube is the
1932
+ * active installer (its scanner reads the same lockfile and
1933
+ * produces equivalent severity ratings); otherwise run vis's
1934
+ * own OSV/Socket scanner.
1935
+ * - `aube`: always delegate to `aube audit`. Errors if `aube` is
1936
+ * not on PATH.
1937
+ * - `vis`: always use vis's built-in scanner — never delegate.
1938
+ *
1939
+ * Delegation avoids redundant work (aube already has a
1940
+ * full-fidelity audit pass that respects its own exclusions
1941
+ * via `aube-workspace.yaml::auditConfig`) and lets users get
1942
+ * a single, consistent result regardless of which entry point
1943
+ * they invoke.
1944
+ * @default "auto"
1945
+ */
1946
+ backend?: "aube" | "auto" | "vis";
1947
+ /**
1948
+ * When true, `vis audit` skips network calls and queries the
1949
+ * offline cache. Equivalent to the CLI `--offline` flag.
1950
+ * @default false
1951
+ */
1952
+ offlineByDefault?: boolean;
1953
+ };
1954
+ /**
1955
+ * When true, prevents transitive dependencies from using exotic sources
1956
+ * (git repositories, direct tarball URLs). Only direct dependencies may
1957
+ * use such sources. Equivalent to pnpm's `blockExoticSubdeps`.
1958
+ * @default false
1959
+ */
1960
+ blockExoticSubdeps?: boolean;
1961
+ /**
1962
+ * deps.dev (Google Open Source Insights) data-source configuration.
1963
+ * Public, unauthenticated; pulls Scorecard data + advisories from
1964
+ * `api.deps.dev`. Complements or replaces Socket.dev. Heavily cached.
1965
+ * @see https://docs.deps.dev/api/v3/
1966
+ */
1967
+ depsDev?: {
1968
+ /**
1969
+ * Cache TTL for advisory entries (immutable once published). 7 days.
1970
+ * @default 604800000
1971
+ */
1972
+ advisoryCacheTtlMs?: number;
1973
+ /**
1974
+ * Enable deps.dev scanning on install/update/check/audit commands.
1975
+ * @default false
1976
+ */
1977
+ enabled?: boolean;
1978
+ /**
1979
+ * Cache TTL for OpenSSF Scorecard project data (refreshes weekly). 24 hours.
1980
+ * @default 86400000
1981
+ */
1982
+ projectCacheTtlMs?: number;
1983
+ /**
1984
+ * Request timeout in milliseconds.
1985
+ * @default 15000
1986
+ */
1987
+ timeoutMs?: number;
1988
+ /**
1989
+ * Cache TTL for npm version metadata (immutable). 7 days.
1990
+ * @default 604800000
1991
+ */
1992
+ versionCacheTtlMs?: number;
1993
+ };
1994
+ /**
1995
+ * Package names exempted from the `blockExoticSubdeps` check.
1996
+ * Bare names and a trailing `*` glob (`@scope/*`) are supported.
1997
+ * Use for an internal package legitimately published as a git or
1998
+ * tarball dependency.
1999
+ * @example ["@myorg/legacy", "internal-*"]
2000
+ */
2001
+ exoticSubdepsAllow?: string[];
2002
+ /**
2003
+ * Pre-install marshall pipeline — packument-derived supply-chain
2004
+ * gates (author, provenance, s1ngularity, new-bin, metadata,
2005
+ * downloads, expired-domains, signatures, archived-repo) that run before
2006
+ * `vis add` / `vis install &lt;pkg>` / `vis update &lt;pkg>` hand off to
2007
+ * the underlying package manager. Every entry is optional; omit a
2008
+ * key and the marshall runs with defaults. Set `enabled: false`
2009
+ * on a specific marshall to skip it without touching env vars.
2010
+ */
2011
+ marshalls?: {
2012
+ /** Archived-repo marshall (GitHub repository status). */
2013
+ archivedRepo?: {
2014
+ /** Package names to skip. */
2015
+ allowlist?: string[];
2016
+ /** Default: marshall is on. Set false to disable. */
2017
+ enabled?: boolean;
2018
+ /** GitHub PAT for the API call (5k/hr vs 60/hr). */
2019
+ githubToken?: string;
2020
+ };
2021
+ /** Author / publisher heuristics. */
2022
+ author?: {
2023
+ allowlist?: string[]; /** Days since the publisher's last release before flagging as error. */
2024
+ dormantErrorDays?: number;
2025
+ /** Days since the publisher's last release before flagging as warning. */
2026
+ dormantWarnDays?: number;
2027
+ enabled?: boolean; /** Window for the "new publisher on an established package" check. */
2028
+ newPublisherWindowDays?: number;
2029
+ /** Days since the resolved version was published — error threshold. */
2030
+ recentVersionErrorDays?: number;
2031
+ /** Days since the resolved version was published — warning threshold. */
2032
+ recentVersionWarnDays?: number;
2033
+ };
2034
+ /** npm `deprecated`-flag check on the resolved version. */
2035
+ deprecation?: {
2036
+ allowlist?: string[];
2037
+ enabled?: boolean;
2038
+ };
2039
+ /** Monthly download-count floor. */
2040
+ downloads?: {
2041
+ allowlist?: string[];
2042
+ enabled?: boolean; /** Below this monthly count → error (default: 20). */
2043
+ errorThreshold?: number;
2044
+ /** Below this monthly count → warning (default: 1000). */
2045
+ warnThreshold?: number;
2046
+ };
2047
+ /** Maintainer-email-domain NS lookup. */
2048
+ expiredDomains?: {
2049
+ /** Domains exempted from the check (legacy / internal). */
2050
+ allowDomains?: string[];
2051
+ allowlist?: string[]; /** DNS resolvers to query (default: system). */
2052
+ dnsServers?: string[];
2053
+ enabled?: boolean; /** Per-domain DNS timeout (default: 5000). */
2054
+ timeoutMs?: number;
2055
+ };
2056
+ /** README / license / repository presence checks. */
2057
+ metadata?: {
2058
+ allowlist?: string[]; /** Subset of checks to run. Default: all three. */
2059
+ checks?: ("license" | "readme" | "repo")[];
2060
+ enabled?: boolean;
2061
+ };
2062
+ /** New CLI-bin script introduced in this version. */
2063
+ newBin?: {
2064
+ allowlist?: string[];
2065
+ enabled?: boolean;
2066
+ };
2067
+ /** Whole-package age heuristics (newly created / unmaintained). */
2068
+ packageAge?: {
2069
+ allowlist?: string[];
2070
+ enabled?: boolean; /** Package created fewer than this many days ago → error. Default 22. */
2071
+ newPackageDays?: number;
2072
+ /** No publish within this many days → warning. Default 365. */
2073
+ unmaintainedDays?: number;
2074
+ };
2075
+ /** Provenance regression check. */
2076
+ provenance?: {
2077
+ allowlist?: string[];
2078
+ enabled?: boolean;
2079
+ };
2080
+ /**
2081
+ * Composite "compromised-publish shape" detector — flags a single
2082
+ * version that simultaneously introduced/changed an install hook
2083
+ * AND dropped the provenance attestation a prior stable version
2084
+ * carried (the August 2025 s1ngularity / Nx fingerprint).
2085
+ */
2086
+ s1ngularity?: {
2087
+ allowlist?: string[];
2088
+ enabled?: boolean;
2089
+ };
2090
+ /**
2091
+ * ECDSA P-256 verification against npm's signing keys. Disabled
2092
+ * by default because npm coverage still has gaps that produce
2093
+ * noisy warnings on legitimate packages.
2094
+ */
2095
+ signatures?: {
2096
+ allowlist?: string[]; /** Default: marshall is *off*. Set true to enable. */
2097
+ enabled?: boolean;
2098
+ /** Override the keys endpoint (default: npm registry). */
2099
+ keysUrl?: string;
2100
+ /** How to treat an expired-but-known key. Default: "warning". */
2101
+ treatExpiredAs?: "error" | "warning";
2102
+ };
2103
+ };
2104
+ /**
2105
+ * When true, `security.policies.installScripts.allow` keys are matched
2106
+ * as `name@version`. A version bump on an approved package drops it from
2107
+ * the allowlist until the new version is explicitly re-approved (port
2108
+ * of LavaMoat allow-scripts' version-aware policy matcher).
2109
+ *
2110
+ * After a version bump, run `vis approve-builds` or `vis security list`
2111
+ * — both surface a "Version drift" block with the suggested new key
2112
+ * (`old-key → new-key`) so you can update `vis.config.ts` by hand.
2113
+ * @default false
2114
+ */
2115
+ pinVersions?: boolean;
2116
+ /**
2117
+ * Supply-chain policy gates. Each sub-block enables one policy and
2118
+ * configures its behavior. When a sub-block is omitted the policy is
2119
+ * inactive. `acceptedRisks` (above) silences specific packages without
2120
+ * disabling a policy globally.
2121
+ *
2122
+ * The 8 policies are inspired by Socket.dev's classification:
2123
+ * - `malware` — Socket-flagged malicious packages
2124
+ * - `firstSeen` — packages published less than N minutes ago
2125
+ * - `unexpectedDeps` — packages outside an allow-list / baseline
2126
+ * - `publisherChange` — maintainer set changed between installs
2127
+ * - `installScripts` — preinstall/install/postinstall scripts
2128
+ * - `score` — Socket overall score below threshold
2129
+ * - `vulnerability` — OSV vulnerability findings
2130
+ * - `license` — SPDX allow / deny lists
2131
+ */
2132
+ policies?: {
2133
+ /**
2134
+ * Minimum number of minutes that must pass after a version is
2135
+ * published before vis will allow installation. Migrated from
2136
+ * the legacy `security.minimumReleaseAge` field. Equivalent to
2137
+ * pnpm's `minimumReleaseAge`.
2138
+ * @default 0
2139
+ * @example { minutes: 1440, exclude: ["@myorg/*"] } // 24 hours
2140
+ */
2141
+ firstSeen?: {
2142
+ /**
2143
+ * Package names/patterns excluded from the firstSeen check.
2144
+ * Equivalent to pnpm's `minimumReleaseAgeExclude`.
2145
+ * @example ["webpack", "react", "@myorg/*"]
2146
+ */
2147
+ exclude?: string[];
2148
+ /** Minutes after publish before install is allowed. */
2149
+ minutes?: number;
2150
+ };
2151
+ /**
2152
+ * Build-script (pre/install/postinstall/prepare) controls.
2153
+ * Migrated from the legacy `security.allowBuilds` /
2154
+ * `security.strictDepBuilds` fields.
2155
+ * @example { allow: { esbuild: true }, strict: true }
2156
+ */
2157
+ installScripts?: {
2158
+ /**
2159
+ * Map of package names/patterns to allow (true) or deny
2160
+ * (false) build scripts. Packages not listed are denied
2161
+ * by default. Equivalent to pnpm's `allowBuilds`.
2162
+ */
2163
+ allow?: Record<string, boolean>;
2164
+ /**
2165
+ * When true, installation will fail (exit non-zero) if any
2166
+ * dependencies have unreviewed build scripts. Equivalent to
2167
+ * pnpm's `strictDepBuilds`.
2168
+ * @default false
2169
+ */
2170
+ strict?: boolean;
2171
+ };
2172
+ /**
2173
+ * SPDX license allow / deny lists. Deny wins on any sub-license
2174
+ * match in SPDX expressions (`(MIT OR GPL-3.0)` against
2175
+ * `deny: ["GPL-3.0"]` is blocked). Packages with no declared
2176
+ * license are flagged when `allow` is set.
2177
+ * @example
2178
+ * ```
2179
+ * license: {
2180
+ * allow: ["MIT", "Apache-2.0", "BSD-3-Clause"],
2181
+ * deny: ["GPL-3.0", "AGPL-3.0"],
2182
+ * }
2183
+ * ```
2184
+ */
2185
+ license?: {
2186
+ /**
2187
+ * SPDX identifiers that are explicitly permitted. When set,
2188
+ * any package whose declared license is not on this list is
2189
+ * blocked.
2190
+ */
2191
+ allow?: string[];
2192
+ /**
2193
+ * SPDX identifiers that are explicitly forbidden. Always
2194
+ * wins over `allow` when both reference the same identifier.
2195
+ */
2196
+ deny?: string[];
2197
+ };
2198
+ /**
2199
+ * Behavior when the Socket.dev feed flags a package as malicious
2200
+ * (`alerts[].type === "Malware"`).
2201
+ *
2202
+ * The default is cross-field: `{ mode: "block" }` whenever
2203
+ * `security.socket.enabled !== false` (the engine cannot evaluate
2204
+ * malware without Socket data), and `"off"` otherwise. Consumers
2205
+ * resolve this default at evaluation time.
2206
+ */
2207
+ malware?: {
2208
+ /**
2209
+ * - `"block"` — emit a block decision.
2210
+ * - `"warn"` — surface as a warning; do not gate exit code.
2211
+ * - `"off"` — disable the policy entirely.
2212
+ */
2213
+ mode?: "block" | "off" | "warn";
2214
+ };
2215
+ /**
2216
+ * Trust-level checking for package publishing. Migrated from the
2217
+ * legacy `security.trustPolicy*` fields. Equivalent to pnpm's
2218
+ * `trustPolicy`.
2219
+ * @example { mode: "no-downgrade", ignoreAfter: 43200 } // 30 days
2220
+ */
2221
+ publisherChange?: {
2222
+ /**
2223
+ * Package selectors excluded from the check.
2224
+ * Equivalent to pnpm's `trustPolicyExclude`.
2225
+ * @example ["chokidar@4.0.3"]
2226
+ */
2227
+ exclude?: string[];
2228
+ /**
2229
+ * Ignore packages published more than N minutes ago. Useful
2230
+ * for older packages that pre-date provenance support.
2231
+ * Equivalent to pnpm's `trustPolicyIgnoreAfter`.
2232
+ */
2233
+ ignoreAfter?: number;
2234
+ /**
2235
+ * - `"off"` — no trust checking (default).
2236
+ * - `"no-downgrade"` — block when a package's trust level
2237
+ * has decreased compared to previous releases (e.g., was
2238
+ * published by trusted publisher, now only has provenance).
2239
+ */
2240
+ mode?: "no-downgrade" | "off";
2241
+ };
2242
+ /**
2243
+ * Socket.dev overall-score threshold. Packages scoring below
2244
+ * `minimum` trigger a block decision (or interactive prompt
2245
+ * during `vis add`). Migrated from the legacy
2246
+ * `security.socket.minimumScore` field.
2247
+ * @example { minimum: 0.4 }
2248
+ */
2249
+ score?: {
2250
+ /**
2251
+ * Minimum overall Socket.dev score (0–1). Set to 0 to
2252
+ * disable the gate while keeping Socket data fetched.
2253
+ *
2254
+ * Consulted by `vis add`, `audit`, `doctor`, `check`, and
2255
+ * `update`; resolved once in `buildSocketOptions`, then
2256
+ * threaded through every consumer. Falls back to
2257
+ * `DEFAULT_LOW_SCORE_THRESHOLD` (`0.4`) when unset.
2258
+ */
2259
+ minimum?: number;
2260
+ };
2261
+ /**
2262
+ * Net-new transitive dependency detection. Either provide a
2263
+ * static allow-list, a baseline lockfile path (recommended), or
2264
+ * both — the intersection is enforced.
2265
+ * @example { baselineLockfile: "./security/lockfile.baseline.yaml" }
2266
+ */
2267
+ unexpectedDeps?: {
2268
+ /**
2269
+ * Allow-list of dependency names that may appear in the
2270
+ * resolved package set. Glob patterns are supported.
2271
+ * @example ["lodash", "axios", "@myorg/*"]
2272
+ */
2273
+ allow?: string[];
2274
+ /**
2275
+ * Path (absolute or relative to the workspace root) to a
2276
+ * baseline lockfile snapshot. The policy diffs the current
2277
+ * lockfile against this baseline and flags any package that
2278
+ * didn't exist before.
2279
+ * @example "./security/lockfile.baseline.yaml"
2280
+ */
2281
+ baselineLockfile?: string;
2282
+ };
2283
+ /**
2284
+ * OSV vulnerability gating. Migrated from the legacy
2285
+ * `security.audit.failOn` + `security.audit.usage` fields.
2286
+ */
2287
+ vulnerability?: {
2288
+ /**
2289
+ * Severity threshold that makes `vis audit` exit non-zero.
2290
+ * Equivalent to the CLI `--fail-on` flag.
2291
+ * @example "high"
2292
+ */
2293
+ failOn?: "critical" | "high" | "low" | "medium";
2294
+ /**
2295
+ * Reachability filter — only report vulnerabilities in
2296
+ * packages the workspace statically imports.
2297
+ */
2298
+ usage?: {
2299
+ /**
2300
+ * Packages to always treat as reachable even if no
2301
+ * static import is found.
2302
+ * @example ["esbuild", "webpack-cli"]
2303
+ */
2304
+ alwaysAssumeUsed?: string[];
2305
+ /**
2306
+ * Enable the reachability filter by default. Equivalent
2307
+ * to `--usage` on the CLI; `--no-usage` disables.
2308
+ * @default false
2309
+ */
2310
+ enabled?: boolean;
2311
+ };
2312
+ };
2313
+ };
2314
+ /**
2315
+ * Which provider wins merge conflicts when multiple are enabled (e.g.
2316
+ * both Socket.dev and deps.dev return data for the same package). The
2317
+ * primary provider's `score` is kept; alerts from secondaries are
2318
+ * appended and deduped by `key`. Defaults to whichever provider is
2319
+ * enabled first in this order: socket → deps-dev → snyk.
2320
+ */
2321
+ primaryProvider?: "deps-dev" | "snyk" | "socket";
2322
+ /**
2323
+ * Snyk data-source configuration. Snyk only contributes vulnerability
2324
+ * data (no maintenance / quality / supply-chain / license signal);
2325
+ * those axes stay neutral. Requires both an org id and an API token —
2326
+ * if either is missing the provider is skipped.
2327
+ * @see https://docs.snyk.io/snyk-api/using-specific-snyk-apis/issues-list-issues-for-a-package
2328
+ */
2329
+ snyk?: {
2330
+ /**
2331
+ * Snyk API token. Set via VIS_SNYK_TOKEN environment variable or
2332
+ * here.
2333
+ */
2334
+ apiToken?: string;
2335
+ /**
2336
+ * Snyk REST API version date sent as the `version` query param.
2337
+ * @default "2024-10-15"
2338
+ */
2339
+ apiVersion?: string;
2340
+ /**
2341
+ * Cache TTL in milliseconds for Snyk issue lookups. 6 hours.
2342
+ * @default 21600000
2343
+ */
2344
+ cacheTtlMs?: number;
2345
+ /**
2346
+ * Enable Snyk security scanning on install/update/check/audit
2347
+ * commands.
2348
+ * @default false
2349
+ */
2350
+ enabled?: boolean;
2351
+ /**
2352
+ * Snyk organization id (the REST endpoint is org-scoped). Set via
2353
+ * VIS_SNYK_ORG environment variable or here.
2354
+ */
2355
+ orgId?: string;
2356
+ /**
2357
+ * Request timeout in milliseconds for the Snyk API. 15 seconds.
2358
+ * @default 15000
2359
+ */
2360
+ timeoutMs?: number;
2361
+ };
2362
+ /**
2363
+ * Socket.dev data-source configuration. Connection knobs only — score
2364
+ * thresholds and accepted-risk overrides moved to `policies.score` and
2365
+ * `security.acceptedRisks` respectively.
2366
+ * @see https://socket.dev
2367
+ */
2368
+ socket?: {
2369
+ /**
2370
+ * Custom Socket.dev API token. Falls back to the public API token.
2371
+ * Set via VIS_SOCKET_TOKEN environment variable or here.
2372
+ */
2373
+ apiToken?: string;
2374
+ /**
2375
+ * Cache TTL in milliseconds for Socket.dev reports. 1 hour.
2376
+ * @default 3600000
2377
+ */
2378
+ cacheTtlMs?: number;
2379
+ /**
2380
+ * Enable Socket.dev security scanning on install/update/check commands.
2381
+ * @default false
2382
+ */
2383
+ enabled?: boolean;
2384
+ /**
2385
+ * Request timeout in milliseconds for the Socket.dev API. 15 seconds.
2386
+ * @default 15000
2387
+ */
2388
+ timeoutMs?: number;
2389
+ };
2390
+ /**
2391
+ * Package names to skip during typosquat detection.
2392
+ * Use this for internal packages or known-safe names that happen to
2393
+ * look similar to popular packages.
2394
+ * @example ["my-internal-axois", "@myorg/recat"]
2395
+ */
2396
+ typosquatAllowlist?: string[];
2397
+ };
2398
+ /**
2399
+ * Share the cache between sibling git worktrees. When the workspace is a
2400
+ * linked worktree (created with `git worktree add`), the cache root is
2401
+ * relocated from `&lt;linkedRoot>/.vis/cache` to the *main*
2402
+ * worktree's `.vis/cache`. Multiple parallel agents working in
2403
+ * sibling worktrees then share a single cache instead of rebuilding the
2404
+ * same hash N times.
2405
+ *
2406
+ * Single-checkout repos (where `.git` is a directory) are unaffected.
2407
+ *
2408
+ * Set to `false` to opt out — useful when worktrees deliberately need
2409
+ * independent caches, e.g. for hermetic experiments.
2410
+ * @default true
2411
+ */
2412
+ sharedWorktreeCache?: boolean;
2413
+ /** sort-package-json command defaults */
2414
+ sortPackageJson?: {
2415
+ /** Discover `.editorconfig` for indent / line-ending defaults (default: true). */
2416
+ editorconfig?: boolean;
2417
+ /** Collapse `bugs: { url }` to the bare string form when `url` is the only field (default: true). */
2418
+ formatBugs?: boolean;
2419
+ /** Collapse `repository: { type, url }` to the GitHub `owner/repo` shorthand (default: true). */
2420
+ formatRepository?: boolean;
2421
+ /** Sort `exports` condition keys in canonical order (default: true). */
2422
+ sortExports?: boolean;
2423
+ /** Alphabetize script commands (default: false) */
2424
+ sortScripts?: boolean;
2425
+ };
2426
+ /**
2427
+ * Sponsorship notice shown after successful commands.
2428
+ *
2429
+ * vis prints a one-line "consider sponsoring visulima" notice at most
2430
+ * once every 14 days (skipped in CI, non-TTY, and when
2431
+ * `VIS_NO_SPONSOR=1` is set). Set `enabled: false` to silence it
2432
+ * permanently for this workspace.
2433
+ * @example
2434
+ * ```
2435
+ * sponsor: { enabled: false }
2436
+ * ```
2437
+ */
2438
+ sponsor?: {
2439
+ /**
2440
+ * Show the sponsor notice on successful command completion.
2441
+ * @default true
2442
+ */
2443
+ enabled?: boolean;
2444
+ };
2445
+ /**
2446
+ * Staged file patterns and commands (replaces lint-staged).
2447
+ *
2448
+ * Accepts all lint-staged config forms:
2449
+ * - `string` or `string[]` commands
2450
+ * - Sync/async functions returning `string | string[]`
2451
+ * - `{ title, task }` objects for named side-effect tasks
2452
+ * - `{ command, perPackage }` to run a command once per owning workspace package (cwd = that package dir), and `{ command, cwd }` to pin a command to a fixed directory
2453
+ * - Mixed arrays of strings and functions
2454
+ * - A top-level generate-task function
2455
+ */
2456
+ staged?: StagedConfig;
2457
+ /**
2458
+ * When `true`, every task command is scanned for `${VAR}` / `$VAR`
2459
+ * references before spawn. If a referenced var is unset in the
2460
+ * task's effective env (envFile + service env + per-task `env` +
2461
+ * `process.env`), the task fails with an actionable error
2462
+ * naming the missing variable, instead of letting the shell
2463
+ * silently substitute an empty string.
2464
+ *
2465
+ * Override per run with `--strict-env` / `--no-strict-env`.
2466
+ * Override per target with `options.strictEnv`.
2467
+ * @default false
2468
+ */
2469
+ strictEnv?: boolean;
2470
+ /**
2471
+ * Named bundles of target dependencies, referenceable from any task's
2472
+ * `dependsOn`. `dependsOn: [{ group: "lint" }]` expands to every entry
2473
+ * in the named group; nested groups are resolved recursively and a
2474
+ * cycle raises during discovery.
2475
+ */
2476
+ taskGroups?: Record<string, (string | {
2477
+ dependencies?: boolean;
2478
+ projects?: string | string[];
2479
+ target: string;
2480
+ } | {
2481
+ group: string;
2482
+ })[]>;
2483
+ /**
2484
+ * Task runner options forwarded verbatim to `defaultTaskRunner`.
2485
+ *
2486
+ * Includes `remoteCache` (HTTP or REAPI gRPC backend), `cacheDirectory`,
2487
+ * `parallel`, `globalEnv`, `globalInputs`, etc.
2488
+ * See `TaskRunnerOptions` for the full surface.
2489
+ */
2490
+ taskRunner?: Partial<TaskRunnerOptions>;
2491
+ /**
2492
+ * Workspace-wide task defaults keyed by target name. Applied universally
2493
+ * to every project that exposes a matching target. Use `scopedTasks` when
2494
+ * defaults should only apply to a subset of projects.
2495
+ */
2496
+ tasks?: Record<string, Partial<VisTargetConfiguration>>;
2497
+ /**
2498
+ * Toolchain (Node / pnpm / python / rust / ...) management. vis
2499
+ * delegates to whichever version manager (proto, mise, fnm, volta,
2500
+ * asdf, nvm, corepack) the developer already has — it does not ship
2501
+ * its own.
2502
+ *
2503
+ * Re-exported from `./toolchain` so the public config type stays
2504
+ * in lockstep with the resolver implementation. `self-activate` is
2505
+ * narrowed out of `preferredManager` here — it's auto-resolved for
2506
+ * pnpm/yarn `packageManager` pins and isn't meaningful as an
2507
+ * override.
2508
+ */
2509
+ toolchain?: Omit<ToolchainConfig, "preferredManager"> & {
2510
+ readonly preferredManager?: Exclude<VersionManagerName, "self-activate">;
2511
+ };
2512
+ /** Terminal UI configuration */
2513
+ tui?: {
2514
+ /**
2515
+ * Auto-exit the TUI after tasks complete.
2516
+ * - `false`: Stay open until the user presses `q` (default)
2517
+ * - `true`: Show quit dialog with 3-second countdown after completion
2518
+ * - `number`: Show quit dialog with custom countdown in seconds
2519
+ */
2520
+ autoExit?: boolean | number;
2521
+ };
2522
+ /** Update command defaults */
2523
+ update?: {
2524
+ /**
2525
+ * Dependency fields to scan for outdated packages.
2526
+ * Beyond the standard fields, supports:
2527
+ * - `"overrides"` (npm)
2528
+ * - `"resolutions"` (yarn)
2529
+ * - `"pnpm.overrides"`
2530
+ * @default ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"]
2531
+ */
2532
+ depFields?: string[];
2533
+ exclude?: string[];
2534
+ format?: "json" | "minimal" | "table";
2535
+ /**
2536
+ * Package names or glob patterns to permanently ignore during updates.
2537
+ * Ignored packages are skipped and listed in the output so you know
2538
+ * they were not checked.
2539
+ * @example ["eslint", "@types/*"]
2540
+ */
2541
+ ignore?: string[];
2542
+ include?: string[];
2543
+ /**
2544
+ * Include packages with pinned/exact versions (no `^` or `~` prefix).
2545
+ * By default, pinned versions are skipped during update checks.
2546
+ * @default false
2547
+ */
2548
+ includeLocked?: boolean;
2549
+ install?: boolean;
2550
+ /**
2551
+ * Maximum number of concurrent registry requests during outdated checks.
2552
+ * Higher values speed up large workspaces but risk hitting registry rate
2553
+ * limits or self-hosted Verdaccio caps.
2554
+ * @default 8
2555
+ */
2556
+ maxConcurrentRequests?: number;
2557
+ /**
2558
+ * Minimum number of minutes since a version was published before
2559
+ * vis will consider it for updates. This mirrors pnpm's
2560
+ * `minimumReleaseAge` — a single setting that applies to both
2561
+ * install and update.
2562
+ *
2563
+ * Not set by default. If your package manager config
2564
+ * (`pnpm-workspace.yaml`) has `minimumReleaseAge`, vis will
2565
+ * read it from there as a fallback.
2566
+ * @example 1440 // 24 hours
2567
+ */
2568
+ minimumReleaseAge?: number;
2569
+ /**
2570
+ * Package names/patterns excluded from the minimumReleaseAge check.
2571
+ * @example ["webpack", "@myorg/*"]
2572
+ */
2573
+ minimumReleaseAgeExclude?: string[];
2574
+ /**
2575
+ * Per-package or per-pattern update target overrides.
2576
+ * Keys are exact package names, glob patterns, or regex patterns
2577
+ * wrapped in `/` (e.g., `/^@vue/`).
2578
+ * Values are `"latest"`, `"minor"`, or `"patch"`.
2579
+ * @example { "typescript": "minor", "/^@vue/": "patch" }
2580
+ */
2581
+ packageMode?: Record<string, "latest" | "minor" | "patch">;
2582
+ prerelease?: boolean;
2583
+ /**
2584
+ * Which release channels to consider when picking the target version.
2585
+ * - `"stable"` (default) — only ship stable releases (no prereleases).
2586
+ * - `"same"` — match the prerelease channel of the *current* range:
2587
+ * if you're on `react@19.0.0-rc.1`, only `rc.*` candidates qualify;
2588
+ * if you're on a stable, only stable candidates. Prevents
2589
+ * accidentally promoting a prerelease pin to a stable major bump.
2590
+ * - `"any"` — equivalent to `--prerelease`. Any channel is fair game.
2591
+ *
2592
+ * `--release-channel` on the CLI overrides this. If `prerelease: true`
2593
+ * is set without `releaseChannel`, vis treats it as `"any"`.
2594
+ * @default "stable"
2595
+ */
2596
+ releaseChannel?: "any" | "same" | "stable";
2597
+ security?: boolean;
2598
+ target?: "latest" | "minor" | "patch";
2599
+ };
2600
+ /**
2601
+ * Minimum vis CLI version required by this workspace. When the
2602
+ * running vis binary is older than this constraint, vis exits with
2603
+ * an actionable error before executing any command.
2604
+ *
2605
+ * Accepts a semver range string (e.g. `">=1.0.0"`, `"^1.2.0"`).
2606
+ * @example ">=1.0.0"
2607
+ */
2608
+ versionConstraint?: string;
2609
+ }
2610
+ /**
2611
+ * @since 1.0.0
2612
+ */
2613
+ interface Context {
2614
+ /**
2615
+ * Get a value from the context.
2616
+ *
2617
+ * @param key key which identifies a context value
2618
+ */
2619
+ getValue(key: symbol): unknown;
2620
+ /**
2621
+ * Create a new context which inherits from this context and has
2622
+ * the given key set to the given value.
2623
+ *
2624
+ * @param key context key for which to set the value
2625
+ * @param value value to set for the given key
2626
+ */
2627
+ setValue(key: symbol, value: unknown): Context;
2628
+ /**
2629
+ * Return a new context which inherits from this context but does
2630
+ * not contain a value for the given key.
2631
+ *
2632
+ * @param key context key for which to clear a value
2633
+ */
2634
+ deleteValue(key: symbol): Context;
2635
+ }
2636
+ /**
2637
+ * Attributes is a map from string to attribute values.
2638
+ *
2639
+ * Note: only the own enumerable keys are counted as valid attribute keys.
2640
+ *
2641
+ * @since 1.3.0
2642
+ */
2643
+ interface Attributes {
2644
+ [attributeKey: string]: AttributeValue | undefined;
2645
+ }
2646
+ /**
2647
+ * Attribute values may be any non-nullish primitive value except an object.
2648
+ *
2649
+ * null or undefined attribute values are invalid and will result in undefined behavior.
2650
+ *
2651
+ * @since 1.3.0
2652
+ */
2653
+ type AttributeValue = string | number | boolean | Array<null | undefined | string> | Array<null | undefined | number> | Array<null | undefined | boolean>;
2654
+ interface ExceptionWithCode {
2655
+ code: string | number;
2656
+ name?: string;
2657
+ message?: string;
2658
+ stack?: string;
2659
+ }
2660
+ interface ExceptionWithMessage {
2661
+ code?: string | number;
2662
+ message: string;
2663
+ name?: string;
2664
+ stack?: string;
2665
+ }
2666
+ interface ExceptionWithName {
2667
+ code?: string | number;
2668
+ message?: string;
2669
+ name: string;
2670
+ stack?: string;
2671
+ }
2672
+ /**
2673
+ * Defines Exception.
2674
+ *
2675
+ * string or an object with one of (message or name or code) and optional stack
2676
+ *
2677
+ * @since 1.0.0
2678
+ */
2679
+ type Exception = ExceptionWithCode | ExceptionWithMessage | ExceptionWithName | string;
2680
+ /**
2681
+ * Defines High-Resolution Time.
2682
+ *
2683
+ * The first number, HrTime[0], is UNIX Epoch time in seconds since 00:00:00 UTC on 1 January 1970.
2684
+ * The second number, HrTime[1], represents the partial second elapsed since Unix Epoch time represented by first number in nanoseconds.
2685
+ * For example, 2021-01-01T12:30:10.150Z in UNIX Epoch time in milliseconds is represented as 1609504210150.
2686
+ * The first number is calculated by converting and truncating the Epoch time in milliseconds to seconds:
2687
+ * HrTime[0] = Math.trunc(1609504210150 / 1000) = 1609504210.
2688
+ * The second number is calculated by converting the digits after the decimal point of the subtraction, (1609504210150 / 1000) - HrTime[0], to nanoseconds:
2689
+ * HrTime[1] = Number((1609504210.150 - HrTime[0]).toFixed(9)) * 1e9 = 150000000.
2690
+ * This is represented in HrTime format as [1609504210, 150000000].
2691
+ *
2692
+ * @since 1.0.0
2693
+ */
2694
+ type HrTime = [number, number];
2695
+ /**
2696
+ * Defines TimeInput.
2697
+ *
2698
+ * hrtime, epoch milliseconds, performance.now() or Date
2699
+ *
2700
+ * @since 1.0.0
2701
+ */
2702
+ type TimeInput = HrTime | number | Date;
2703
+ /**
2704
+ * @deprecated please use {@link Attributes}
2705
+ * @since 1.0.0
2706
+ */
2707
+ type SpanAttributes = Attributes;
2708
+ /**
2709
+ * @deprecated please use {@link AttributeValue}
2710
+ * @since 1.0.0
2711
+ */
2712
+ type SpanAttributeValue = AttributeValue;
2713
+ /**
2714
+ * @since 1.0.0
2715
+ */
2716
+ interface TraceState {
2717
+ /**
2718
+ * Create a new TraceState which inherits from this TraceState and has the
2719
+ * given key set.
2720
+ * The new entry will always be added in the front of the list of states.
2721
+ *
2722
+ * @param key key of the TraceState entry.
2723
+ * @param value value of the TraceState entry.
2724
+ */
2725
+ set(key: string, value: string): TraceState;
2726
+ /**
2727
+ * Return a new TraceState which inherits from this TraceState but does not
2728
+ * contain the given key.
2729
+ *
2730
+ * @param key the key for the TraceState entry to be removed.
2731
+ */
2732
+ unset(key: string): TraceState;
2733
+ /**
2734
+ * Returns the value to which the specified key is mapped, or `undefined` if
2735
+ * this map contains no mapping for the key.
2736
+ *
2737
+ * @param key with which the specified value is to be associated.
2738
+ * @returns the value to which the specified key is mapped, or `undefined` if
2739
+ * this map contains no mapping for the key.
2740
+ */
2741
+ get(key: string): string | undefined;
2742
+ /**
2743
+ * Serializes the TraceState to a `list` as defined below. The `list` is a
2744
+ * series of `list-members` separated by commas `,`, and a list-member is a
2745
+ * key/value pair separated by an equals sign `=`. Spaces and horizontal tabs
2746
+ * surrounding `list-members` are ignored. There can be a maximum of 32
2747
+ * `list-members` in a `list`.
2748
+ *
2749
+ * @returns the serialized string.
2750
+ */
2751
+ serialize(): string;
2752
+ }
2753
+ /**
2754
+ * A SpanContext represents the portion of a {@link Span} which must be
2755
+ * serialized and propagated along side of a {@link Baggage}.
2756
+ *
2757
+ * @since 1.0.0
2758
+ */
2759
+ interface SpanContext {
2760
+ /**
2761
+ * The ID of the trace that this span belongs to. It is worldwide unique
2762
+ * with practically sufficient probability by being made as 16 randomly
2763
+ * generated bytes, encoded as a 32 lowercase hex characters corresponding to
2764
+ * 128 bits.
2765
+ */
2766
+ traceId: string;
2767
+ /**
2768
+ * The ID of the Span. It is globally unique with practically sufficient
2769
+ * probability by being made as 8 randomly generated bytes, encoded as a 16
2770
+ * lowercase hex characters corresponding to 64 bits.
2771
+ */
2772
+ spanId: string;
2773
+ /**
2774
+ * Only true if the SpanContext was propagated from a remote parent.
2775
+ */
2776
+ isRemote?: boolean;
2777
+ /**
2778
+ * Trace flags to propagate.
2779
+ *
2780
+ * It is represented as 1 byte (bitmap). Bit to represent whether trace is
2781
+ * sampled or not. When set, the least significant bit documents that the
2782
+ * caller may have recorded trace data. A caller who does not record trace
2783
+ * data out-of-band leaves this flag unset.
2784
+ *
2785
+ * see {@link TraceFlags} for valid flag values.
2786
+ */
2787
+ traceFlags: number;
2788
+ /**
2789
+ * Tracing-system-specific info to propagate.
2790
+ *
2791
+ * The tracestate field value is a `list` as defined below. The `list` is a
2792
+ * series of `list-members` separated by commas `,`, and a list-member is a
2793
+ * key/value pair separated by an equals sign `=`. Spaces and horizontal tabs
2794
+ * surrounding `list-members` are ignored. There can be a maximum of 32
2795
+ * `list-members` in a `list`.
2796
+ * More Info: https://www.w3.org/TR/trace-context/#tracestate-field
2797
+ *
2798
+ * Examples:
2799
+ * Single tracing system (generic format):
2800
+ * tracestate: rojo=00f067aa0ba902b7
2801
+ * Multiple tracing systems (with different formatting):
2802
+ * tracestate: rojo=00f067aa0ba902b7,congo=t61rcWkgMzE
2803
+ */
2804
+ traceState?: TraceState;
2805
+ }
2806
+ /**
2807
+ * @since 1.0.0
2808
+ */
2809
+ interface SpanStatus {
2810
+ /** The status code of this message. */
2811
+ code: SpanStatusCode;
2812
+ /** A developer-facing error message. */
2813
+ message?: string;
2814
+ }
2815
+ /**
2816
+ * An enumeration of status codes.
2817
+ *
2818
+ * @since 1.0.0
2819
+ */
2820
+ declare enum SpanStatusCode {
2821
+ /**
2822
+ * The default status.
2823
+ */
2824
+ UNSET = 0,
2825
+ /**
2826
+ * The operation has been validated by an Application developer or
2827
+ * Operator to have completed successfully.
2828
+ */
2829
+ OK = 1,
2830
+ /**
2831
+ * The operation contains an error.
2832
+ */
2833
+ ERROR = 2,
2834
+ }
2835
+ /**
2836
+ * A pointer from the current {@link Span} to another span in the same trace or
2837
+ * in a different trace.
2838
+ * Few examples of Link usage.
2839
+ * 1. Batch Processing: A batch of elements may contain elements associated
2840
+ * with one or more traces/spans. Since there can only be one parent
2841
+ * SpanContext, Link is used to keep reference to SpanContext of all
2842
+ * elements in the batch.
2843
+ * 2. Public Endpoint: A SpanContext in incoming client request on a public
2844
+ * endpoint is untrusted from service provider perspective. In such case it
2845
+ * is advisable to start a new trace with appropriate sampling decision.
2846
+ * However, it is desirable to associate incoming SpanContext to new trace
2847
+ * initiated on service provider side so two traces (from Client and from
2848
+ * Service Provider) can be correlated.
2849
+ *
2850
+ * @since 1.0.0
2851
+ */
2852
+ interface Link {
2853
+ /** The {@link SpanContext} of a linked span. */
2854
+ context: SpanContext;
2855
+ /** A set of {@link SpanAttributes} on the link. */
2856
+ attributes?: SpanAttributes;
2857
+ /** Count of attributes of the link that were dropped due to collection limits */
2858
+ droppedAttributesCount?: number;
2859
+ }
2860
+ /**
2861
+ * An interface that represents a span. A span represents a single operation
2862
+ * within a trace. Examples of span might include remote procedure calls or a
2863
+ * in-process function calls to sub-components. A Trace has a single, top-level
2864
+ * "root" Span that in turn may have zero or more child Spans, which in turn
2865
+ * may have children.
2866
+ *
2867
+ * Spans are created by the {@link Tracer.startSpan} method.
2868
+ *
2869
+ * @since 1.0.0
2870
+ */
2871
+ interface Span {
2872
+ /**
2873
+ * Returns the {@link SpanContext} object associated with this Span.
2874
+ *
2875
+ * Get an immutable, serializable identifier for this span that can be used
2876
+ * to create new child spans. Returned SpanContext is usable even after the
2877
+ * span ends.
2878
+ *
2879
+ * @returns the SpanContext object associated with this Span.
2880
+ */
2881
+ spanContext(): SpanContext;
2882
+ /**
2883
+ * Sets an attribute to the span.
2884
+ *
2885
+ * Sets a single Attribute with the key and value passed as arguments.
2886
+ *
2887
+ * @param key the key for this attribute.
2888
+ * @param value the value for this attribute. Setting a value null or
2889
+ * undefined is invalid and will result in undefined behavior.
2890
+ */
2891
+ setAttribute(key: string, value: SpanAttributeValue): this;
2892
+ /**
2893
+ * Sets attributes to the span.
2894
+ *
2895
+ * @param attributes the attributes that will be added.
2896
+ * null or undefined attribute values
2897
+ * are invalid and will result in undefined behavior.
2898
+ */
2899
+ setAttributes(attributes: SpanAttributes): this;
2900
+ /**
2901
+ * Adds an event to the Span.
2902
+ *
2903
+ * @param name the name of the event.
2904
+ * @param [attributesOrStartTime] the attributes that will be added; these are
2905
+ * associated with this event. Can be also a start time
2906
+ * if type is {@type TimeInput} and 3rd param is undefined
2907
+ * @param [startTime] start time of the event.
2908
+ */
2909
+ addEvent(name: string, attributesOrStartTime?: SpanAttributes | TimeInput, startTime?: TimeInput): this;
2910
+ /**
2911
+ * Adds a single link to the span.
2912
+ *
2913
+ * Links added after the creation will not affect the sampling decision.
2914
+ * It is preferred span links be added at span creation.
2915
+ *
2916
+ * @param link the link to add.
2917
+ */
2918
+ addLink(link: Link): this;
2919
+ /**
2920
+ * Adds multiple links to the span.
2921
+ *
2922
+ * Links added after the creation will not affect the sampling decision.
2923
+ * It is preferred span links be added at span creation.
2924
+ *
2925
+ * @param links the links to add.
2926
+ */
2927
+ addLinks(links: Link[]): this;
2928
+ /**
2929
+ * Sets the status of the span.
2930
+ *
2931
+ * By default, a span has status {@link SpanStatusCode.UNSET}.
2932
+ * Calling this method overrides that default.
2933
+ *
2934
+ * The status codes have a total order: `OK > ERROR > UNSET`.
2935
+ *
2936
+ * - Once {@link SpanStatusCode.OK} is set, any further attempts to change
2937
+ * the status are ignored.
2938
+ * - Any attempt to set {@link SpanStatusCode.UNSET} is always ignored.
2939
+ *
2940
+ * The `message` field is only used when {@link SpanStatusCode.ERROR} is set.
2941
+ * For all other status codes, `message` is ignored.
2942
+ *
2943
+ * @param status The {@link SpanStatus} to set.
2944
+ */
2945
+ setStatus(status: SpanStatus): this;
2946
+ /**
2947
+ * Updates the Span name.
2948
+ *
2949
+ * This will override the name provided via {@link Tracer.startSpan}.
2950
+ *
2951
+ * Upon this update, any sampling behavior based on Span name will depend on
2952
+ * the implementation.
2953
+ *
2954
+ * @param name the Span name.
2955
+ */
2956
+ updateName(name: string): this;
2957
+ /**
2958
+ * Marks the end of Span execution.
2959
+ *
2960
+ * Call to End of a Span MUST not have any effects on child spans. Those may
2961
+ * still be running and can be ended later.
2962
+ *
2963
+ * Do not return `this`. The Span generally should not be used after it
2964
+ * is ended so chaining is not desired in this context.
2965
+ *
2966
+ * @param [endTime] the time to set as Span's end time. If not provided,
2967
+ * use the current time as the span's end time.
2968
+ */
2969
+ end(endTime?: TimeInput): void;
2970
+ /**
2971
+ * Returns the flag whether this span will be recorded.
2972
+ *
2973
+ * @returns true if this Span is active and recording information like events
2974
+ * with the `AddEvent` operation and attributes using `setAttributes`.
2975
+ */
2976
+ isRecording(): boolean;
2977
+ /**
2978
+ * Sets exception as a span event
2979
+ * @param exception the exception the only accepted values are string or Error
2980
+ * @param [time] the time to set as Span's event time. If not provided,
2981
+ * use the current time.
2982
+ */
2983
+ recordException(exception: Exception, time?: TimeInput): void;
2984
+ }
2985
+ /**
2986
+ * @since 1.0.0
2987
+ */
2988
+ declare enum SpanKind {
2989
+ /** Default value. Indicates that the span is used internally. */
2990
+ INTERNAL = 0,
2991
+ /**
2992
+ * Indicates that the span covers server-side handling of an RPC or other
2993
+ * remote request.
2994
+ */
2995
+ SERVER = 1,
2996
+ /**
2997
+ * Indicates that the span covers the client-side wrapper around an RPC or
2998
+ * other remote request.
2999
+ */
3000
+ CLIENT = 2,
3001
+ /**
3002
+ * Indicates that the span describes producer sending a message to a
3003
+ * broker. Unlike client and server, there is no direct critical path latency
3004
+ * relationship between producer and consumer spans.
3005
+ */
3006
+ PRODUCER = 3,
3007
+ /**
3008
+ * Indicates that the span describes consumer receiving a message from a
3009
+ * broker. Unlike client and server, there is no direct critical path latency
3010
+ * relationship between producer and consumer spans.
3011
+ */
3012
+ CONSUMER = 4,
3013
+ }
3014
+ /**
3015
+ * Options needed for span creation
3016
+ *
3017
+ * @since 1.0.0
3018
+ */
3019
+ interface SpanOptions {
3020
+ /**
3021
+ * The SpanKind of a span
3022
+ * @default {@link SpanKind.INTERNAL}
3023
+ */
3024
+ kind?: SpanKind;
3025
+ /** A span's attributes */
3026
+ attributes?: Attributes;
3027
+ /** {@link Link}s span to other spans */
3028
+ links?: Link[];
3029
+ /** A manually specified start time for the created `Span` object. */
3030
+ startTime?: TimeInput;
3031
+ /** The new span should be a root span. (Ignore parent from context). */
3032
+ root?: boolean;
3033
+ }
3034
+ /**
3035
+ * Tracer provides an interface for creating {@link Span}s.
3036
+ *
3037
+ * @since 1.0.0
3038
+ */
3039
+ interface Tracer {
3040
+ /**
3041
+ * Starts a new {@link Span}. Start the span without setting it on context.
3042
+ *
3043
+ * This method do NOT modify the current Context.
3044
+ *
3045
+ * @param name The name of the span
3046
+ * @param [options] SpanOptions used for span creation
3047
+ * @param [context] Context to use to extract parent
3048
+ * @returns Span The newly created span
3049
+ * @example
3050
+ * const span = tracer.startSpan('op');
3051
+ * span.setAttribute('key', 'value');
3052
+ * span.end();
3053
+ */
3054
+ startSpan(name: string, options?: SpanOptions, context?: Context): Span;
3055
+ /**
3056
+ * Starts a new {@link Span} and calls the given function passing it the
3057
+ * created span as first argument.
3058
+ * Additionally the new span gets set in context and this context is activated
3059
+ * for the duration of the function call.
3060
+ *
3061
+ * @param name The name of the span
3062
+ * @param [options] SpanOptions used for span creation
3063
+ * @param [context] Context to use to extract parent
3064
+ * @param fn function called in the context of the span and receives the newly created span as an argument
3065
+ * @returns return value of fn
3066
+ * @example
3067
+ * const something = tracer.startActiveSpan('op', span => {
3068
+ * try {
3069
+ * do some work
3070
+ * span.setStatus({code: SpanStatusCode.OK});
3071
+ * return something;
3072
+ * } catch (err) {
3073
+ * span.setStatus({
3074
+ * code: SpanStatusCode.ERROR,
3075
+ * message: err.message,
3076
+ * });
3077
+ * throw err;
3078
+ * } finally {
3079
+ * span.end();
3080
+ * }
3081
+ * });
3082
+ *
3083
+ * @example
3084
+ * const span = tracer.startActiveSpan('op', span => {
3085
+ * try {
3086
+ * do some work
3087
+ * return span;
3088
+ * } catch (err) {
3089
+ * span.setStatus({
3090
+ * code: SpanStatusCode.ERROR,
3091
+ * message: err.message,
3092
+ * });
3093
+ * throw err;
3094
+ * }
3095
+ * });
3096
+ * do some more work
3097
+ * span.end();
3098
+ */
3099
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, fn: F): ReturnType<F>;
3100
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, options: SpanOptions, fn: F): ReturnType<F>;
3101
+ startActiveSpan<F extends (span: Span) => unknown>(name: string, options: SpanOptions, context: Context, fn: F): ReturnType<F>;
3102
+ }
3103
+ interface OtelPluginOptions {
3104
+ /**
3105
+ * Rename incoming `project:target` IDs before they become OTel
3106
+ * span names. Defaults to passing the id through unchanged.
3107
+ */
3108
+ renameSpan?: (task: Task) => string;
3109
+ /** Tracer used to emit spans. Pass the one from `@opentelemetry/api`'s `trace.getTracer("vis")`. */
3110
+ tracer: Tracer;
3111
+ }
3112
+ /**
3113
+ * Reference plugin that maps vis hook lifecycle events to OTel spans.
3114
+ *
3115
+ * Emits:
3116
+ * - one **root span** named `vis.run` spanning `run:before` → `run:after`
3117
+ * - one **child span** per task spanning `task:before` → `task:after`
3118
+ * with attributes `vis.task.id`, `vis.task.project`, `vis.task.target`,
3119
+ * `vis.task.cache_status`, `vis.task.exit_code`
3120
+ * - `task:failure` sets span status to ERROR and records the exit code
3121
+ *
3122
+ * Streaming stdout/stderr events are intentionally **not** emitted as
3123
+ * span events — high-frequency chunks would blow up OTel backends. Use
3124
+ * a log exporter if you need stream-level visibility.
3125
+ * @example
3126
+ * ```ts
3127
+ * import { trace } from "@opentelemetry/api";
3128
+ * import { defineConfig } from "@visulima/vis/config";
3129
+ * import { otelPlugin } from "@visulima/vis/plugins/otel";
3130
+ *
3131
+ * const tracer = trace.getTracer("vis", "1.0.0");
3132
+ *
3133
+ * export default defineConfig({
3134
+ * plugins: [otelPlugin({ tracer })],
3135
+ * });
3136
+ * ```
3137
+ */
3138
+ declare const otelPlugin: (options: OtelPluginOptions) => VisPlugin;
3139
+ /**
3140
+ * Type-safe helper for defining a vis plugin. Pure identity — exists
3141
+ * only so plugin authors get inference from the `VisPlugin` contract
3142
+ * without needing a `satisfies` annotation.
3143
+ *
3144
+ * Lives in its own module so plugins can import it without going
3145
+ * through `config.ts`, which re-exports plugins like `otelPlugin` and
3146
+ * would otherwise form an import cycle.
3147
+ */
3148
+ declare const definePlugin: (plugin: VisPlugin) => VisPlugin;
3149
+ /** Supported config file names, checked in priority order. */
3150
+ declare const CONFIG_FILES: string[];
3151
+ /** Per-package overlay file names, checked in priority order. */
3152
+ declare const TASK_CONFIG_FILES: string[];
3153
+ /**
3154
+ * Default `security.policies.firstSeen.minutes` applied by `vis init`.
3155
+ * 2 days — long enough to filter out most rage-published malware while
3156
+ * staying short enough that genuine fixes still land in a working week.
3157
+ *
3158
+ * Note: this is NOT merged into `SECURITY_DEFAULTS` — leaving it undefined
3159
+ * preserves the "no opinion" semantics that downstream drift checks rely
3160
+ * on. `vis init` writes the value explicitly into the generated config.
3161
+ */
3162
+
3163
+ /**
3164
+ * Secure-by-default security settings based on npm supply chain best practices.
3165
+ *
3166
+ * Applied automatically when using `defineConfig()` or `loadVisConfig()`.
3167
+ * Users can override any value — their settings always take precedence.
3168
+ * @see https://github.com/lirantal/awesome-npm-security-best-practices
3169
+ */
3170
+ declare const SECURITY_DEFAULTS: NonNullable<VisConfig["security"]>;
3171
+ /**
3172
+ * Apply secure defaults to a raw config object.
3173
+ * Merges `SECURITY_DEFAULTS` into `config.security`, preserving all user overrides.
3174
+ */
3175
+ declare const applyDefaults: (config: VisConfig) => VisConfig;
3176
+ /**
3177
+ * Find the vis config file in a directory.
3178
+ *
3179
+ * Reads the directory listing once and intersects it with the known
3180
+ * config filenames rather than `stat`-ing each candidate — one syscall
3181
+ * instead of up to six. Priority order is preserved via
3182
+ * `CONFIG_FILES` so `.ts` still wins over `.mjs` when both exist.
3183
+ * @param directory The directory to search in.
3184
+ * @returns The absolute path to the config file, or `undefined` if not found.
3185
+ */
3186
+ declare const findVisConfigFile: (directory: string) => string | undefined;
3187
+ /**
3188
+ * Find the per-package `vis.task.ts` overlay in a project directory.
3189
+ * Same single-readdir lookup pattern as {@link findVisConfigFile}.
3190
+ */
3191
+ declare const findVisTaskConfigFile: (projectDirectory: string) => string | undefined;
3192
+ /**
3193
+ * Load the vis configuration from a `vis.config.ts` (or `.js`, `.mjs`, `.cjs`, `.mts`, `.cts`) file.
3194
+ *
3195
+ * Resolves the entire `extends` chain, post-order, and folds it into a
3196
+ * single merged config (extends first, root last — child wins). The
3197
+ * cache key covers every file in the chain, so editing any extended
3198
+ * file invalidates the cache.
3199
+ *
3200
+ * Falls back to secure defaults if no config file is found.
3201
+ * @param workspaceRoot The workspace root directory to search for the config file.
3202
+ * @param options Optional loader options.
3203
+ * @param options.explicitConfigPath Overrides discovery — used by the
3204
+ * global `--config` flag so users can point at any file regardless of
3205
+ * cwd. The path must exist; otherwise an error is thrown so the
3206
+ * config-loader plugin can surface it to the user.
3207
+ * @returns The loaded and resolved configuration with secure defaults applied.
3208
+ */
3209
+ declare const loadVisConfig: (workspaceRoot: string, options?: {
3210
+ explicitConfigPath?: string;
3211
+ }) => Promise<VisConfig>;
3212
+ /**
3213
+ * Load the per-package `vis.task.ts` overlay for a project, if any.
3214
+ *
3215
+ * Returns `undefined` when no overlay file exists. Otherwise compiles
3216
+ * the file via jiti and caches the result under
3217
+ * `node_modules/.cache/vis/task-configs/&lt;project>.json`, keyed by the
3218
+ * file's content hash. Editing one project's overlay does not invalidate
3219
+ * the root config cache.
3220
+ *
3221
+ * Errors thrown by the file are wrapped in `VisConfigLoadError` so the
3222
+ * source path is reported instead of an opaque workspace.ts failure.
3223
+ * @param workspaceRoot Absolute workspace root path (cache scope).
3224
+ * @param projectDirectory Absolute path of the project to probe.
3225
+ * @param projectName Project identifier — used to scope the cache file.
3226
+ */
3227
+ declare const loadVisTaskConfig: (workspaceRoot: string, projectDirectory: string, projectName: string) => Promise<VisTaskConfig | undefined>;
3228
+ /**
3229
+ * Type-safe helper for defining a per-package `vis.task.ts` overlay.
3230
+ * Pure identity — exists only so users get type inference and
3231
+ * autocomplete from the `VisTaskConfig` shape.
3232
+ * @example
3233
+ * ```typescript
3234
+ * // packages/api/crud/vis.task.ts
3235
+ * import { defineTaskConfig } from "@visulima/vis/config";
3236
+ *
3237
+ * export default defineTaskConfig({
3238
+ * targets: {
3239
+ * build: {
3240
+ * inputs: ["@inherit", "src/proto/**\/*.proto"],
3241
+ * outputs: ["dist/**\/*"],
3242
+ * },
3243
+ * },
3244
+ * });
3245
+ * ```
3246
+ */
3247
+ declare const defineTaskConfig: (config: VisTaskConfig) => VisTaskConfig;
3248
+ /**
3249
+ * Type-safe helper for defining vis configuration.
3250
+ *
3251
+ * Pure typed-identity — returns its argument unchanged. The point is purely
3252
+ * editor autocomplete and structural type-checking on the literal you pass
3253
+ * in. Secure defaults are applied by `loadVisConfig` at load time, not here,
3254
+ * so wrapping vs. using `satisfies VisConfig` produces the exact same
3255
+ * runtime behavior. To see the active defaults, run `vis check --security-config`.
3256
+ * @example
3257
+ * ```typescript
3258
+ * // vis.config.ts — minimal config, fully secured by defaults
3259
+ * import { defineConfig } from "@visulima/vis/config";
3260
+ *
3261
+ * export default defineConfig({
3262
+ * security: {
3263
+ * policies: {
3264
+ * installScripts: {
3265
+ * allow: {
3266
+ * esbuild: true,
3267
+ * "@prisma/client": true,
3268
+ * },
3269
+ * },
3270
+ * },
3271
+ * },
3272
+ * });
3273
+ * ```
3274
+ */
3275
+ declare const defineConfig: (config: VisConfig) => VisConfig;
3276
+ export { CONFIG_FILES, type OtelPluginOptions, SECURITY_DEFAULTS, TASK_CONFIG_FILES, type VisConfig, type VisHooks, type VisPlugin, type VisTaskConfig, applyDefaults, defineConfig, definePlugin, defineTaskConfig, findVisConfigFile, findVisTaskConfigFile, loadVisConfig, loadVisTaskConfig, otelPlugin };