@visulima/vis 1.0.0-alpha.8 → 1.0.0-alpha.9

package/dist/plugins/config-loader.d.ts

@@ -1,3 +0,0 @@
-import type { Plugin } from "@visulima/cerebro";
-declare const configLoaderPlugin: Plugin;
-export default configLoaderPlugin;

package/dist/plugins/otel.d.ts

@@ -1,63 +0,0 @@
-import type { Task } from "@visulima/task-runner";
-import type { VisPlugin } from "../hooks.d.ts";
-/**
- * Minimal OTel-shaped span. Deliberately structural so users can pass
- * an `@opentelemetry/api` Tracer, an `@opentelemetry/sdk-node` one, or
- * a custom implementation without the plugin depending on any
- * particular OTel package.
- */
-export interface OtelSpan {
-    end: () => void;
-    recordException?: (error: unknown) => void;
-    setAttribute?: (key: string, value: boolean | number | string) => void;
-    setStatus?: (status: {
-        code: number;
-        message?: string;
-    }) => void;
-}
-/**
- * Minimal Tracer contract. Accepts the real
- * `@opentelemetry/api`'s `Tracer.startSpan(name, options?)` shape —
- * the plugin only calls the two methods it strictly needs.
- */
-export interface OtelTracer {
-    startSpan: (name: string, options?: {
-        attributes?: Record<string, string | number | boolean>;
-    }) => OtelSpan;
-}
-export interface OtelPluginOptions {
-    /**
-     * Rename incoming `project:target` IDs before they become OTel
-     * span names. Defaults to passing the id through unchanged.
-     */
-    renameSpan?: (task: Task) => string;
-    /** Tracer used to emit spans. Required — pass the one from `@opentelemetry/api`'s `trace.getTracer("vis")`. */
-    tracer: OtelTracer;
-}
-/**
- * Reference plugin that maps vis hook lifecycle events to OTel spans.
- *
- * Emits:
- * - one **root span** named `vis.run` spanning `run:before` → `run:after`
- * - one **child span** per task spanning `task:before` → `task:after`
- *   with attributes `vis.task.id`, `vis.task.project`, `vis.task.target`,
- *   `vis.task.cache_status`, `vis.task.exit_code`
- * - `task:failure` sets span status to ERROR and records the exit code
- *
- * Streaming stdout/stderr events are intentionally **not** emitted as
- * span events — high-frequency chunks would blow up OTel backends. Use
- * a log exporter if you need stream-level visibility.
- * @example
- * ```ts
- * import { trace } from "@opentelemetry/api";
- * import { defineConfig } from "@visulima/vis/config";
- * import { otelPlugin } from "@visulima/vis/plugins/otel";
- *
- * const tracer = trace.getTracer("vis", "1.0.0");
- *
- * export default defineConfig({
- *     plugins: [otelPlugin({ tracer })],
- * });
- * ```
- */
-export declare const otelPlugin: (options: OtelPluginOptions) => VisPlugin;

package/dist/plugins/post-command.d.ts

@@ -1,3 +0,0 @@
-import type { Plugin } from "@visulima/cerebro";
-declare const postCommandPlugin: (upgradeCheckCallback?: () => void) => Plugin;
-export default postCommandPlugin;

package/dist/plugins/security-enforcement.d.ts

@@ -1,3 +0,0 @@
-import type { Plugin } from "@visulima/cerebro";
-declare const securityEnforcementPlugin: Plugin;
-export default securityEnforcementPlugin;

package/dist/pm-runner.d.ts

@@ -1,44 +0,0 @@
-/**
- * Shared helper for executing package manager commands via native Rust bindings.
- * Falls back to JS-based detection when native bindings are unavailable.
- */
-import type { AddOptions, DlxOptions, ExecOptions, InstallOptions, OutdatedOptions, RemoveOptions, ResolvedCommand, WhyOptions } from "./native-binding.d.ts";
-interface PmInfo {
-    name: "bun" | "npm" | "pnpm" | "yarn";
-    version: string;
-}
-declare const detectPm: (cwd: string) => PmInfo;
-declare const runInstall: (pm: PmInfo, options: InstallOptions, cwd: string, logger: Console) => number;
-declare const runAdd: (pm: PmInfo, options: AddOptions, cwd: string, logger: Console) => number;
-declare const runRemove: (pm: PmInfo, options: RemoveOptions, cwd: string, logger: Console) => number;
-declare const runDedupe: (pm: PmInfo, check: boolean, cwd: string, logger: Console) => number;
-declare const runWhy: (pm: PmInfo, options: WhyOptions, cwd: string, logger: Console) => number;
-declare const runOutdated: (pm: PmInfo, options: OutdatedOptions, cwd: string, logger: Console) => number;
-interface InfoOptions {
-    fields: string[];
-    json: boolean;
-    package: string;
-}
-/**
- * Resolves a registry metadata lookup to a runnable command. Built in TS
- * rather than the Rust resolver because bun needs `pm view` (two-word
- * subcommand) and yarn berry needs `yarn npm info` — both shapes the existing
- * `resolve_pm_command` view branch gets wrong.
- *
- * Pure function — exported for unit testing.
- */
-declare const resolveInfo: (pm: PmInfo, options: InfoOptions) => ResolvedCommand;
-declare const runInfo: (pm: PmInfo, options: InfoOptions, cwd: string, logger: Console) => number;
-/**
- * Resolves and runs a PM `link` operation. Passes `pm.version` to the native
- * resolver so it can warn about pnpm v11 restrictions (arg-less link and
- * global-store name resolution were removed). `target` is `null` for arg-less
- * link, or a package name / path string.
- */
-declare const runLink: (pm: PmInfo, target: string | null, cwd: string, logger: Console) => number;
-declare const runUnlink: (pm: PmInfo, packages: string[], recursive: boolean, cwd: string, logger: Console) => number;
-declare const runDlx: (pm: PmInfo, options: DlxOptions, cwd: string, logger: Console) => number;
-declare const runExec: (pm: PmInfo, options: ExecOptions, cwd: string, logger: Console) => number;
-declare const runPmSubcommand: (pm: PmInfo, subcommand: string, args: string[], cwd: string, logger: Console) => number;
-export type { InfoOptions, PmInfo };
-export { detectPm, resolveInfo, runAdd, runDedupe, runDlx, runExec, runInfo, runInstall, runLink, runOutdated, runPmSubcommand, runRemove, runUnlink, runWhy };

package/dist/run-report.d.ts

@@ -1,40 +0,0 @@
-import type { TaskResults } from "@visulima/task-runner";
-/**
- * Formats a compact one-line timing summary for display after a run.
- * @param results Task execution results.
- * @param durationMs Total wall-clock duration in milliseconds.
- * @returns A formatted summary string, e.g. "3 succeeded · 1 cached · 0 failed · 2.4s"
- */
-export declare const formatTimingSummary: (results: TaskResults, durationMs: number) => string;
-/**
- * Shape of a persisted run summary — only the fields this module + the
- * flakiness analyzer consume. Kept narrow so both consumers can share
- * one loader without pulling in the full `RunSummary` type from
- * task-runner.
- */
-export interface LoadedRunSummary {
-    [key: string]: unknown;
-    duration?: number;
-    startTime?: string;
-    tasks?: unknown[];
-}
-/**
- * Reads every `.task-runner/runs/*.json` once and returns the parsed
- * array. Callers that need to iterate historical runs (timing average,
- * flakiness analysis) should call this once per command and feed the
- * result into the downstream helpers rather than re-reading the
- * directory multiple times.
- *
- * Corrupt or unreadable files are skipped silently — a single bad
- * summary shouldn't take down the whole analysis.
- */
-export declare const loadRunSummaries: (workspaceRoot: string) => LoadedRunSummary[];
-/**
- * Loads durations from historical run summaries and computes the
- * average. Returns the comparison string or `undefined` if no history.
- *
- * Pass `summaries` (from {@link loadRunSummaries}) when the caller
- * has already loaded the history for another purpose (e.g. flakiness
- * analysis on a failing run) to avoid re-reading the same files.
- */
-export declare const compareDuration: (workspaceRoot: string, currentDurationMs: number, summaries?: LoadedRunSummary[]) => string | undefined;

package/dist/runtime-check.d.ts

@@ -1,27 +0,0 @@
-/**
- * Runtime-version mismatch finding. vis doesn't manage runtimes directly,
- * but it can warn when the currently running Node/Bun/Deno doesn't match
- * whatever the repo has declared — usually a sign the user forgot to
- * switch runtimes for this workspace.
- */
-export interface RuntimeFinding {
-    actual: string;
-    expected: string;
-    kind: "node" | "packageManager";
-    message: string;
-    severity: "error" | "warning";
-}
-/**
- * Evaluates a minimal subset of semver ranges: `>=X`, `X.Y`, `X.Y.Z`,
- * and compound `>=X <Y`. Returns true if `actual` satisfies the range.
- * Falls back to "true" for unrecognised syntax rather than false so we
- * don't spam warnings on exotic ranges.
- */
-export declare const satisfiesRange: (actual: string, range: string) => boolean;
-/**
- * Checks `engines.node`, `.nvmrc`, `.node-version`, and `packageManager`
- * against the running process.
- * @param workspaceRoot Absolute path to the workspace root.
- * @returns Findings; an empty array means everything matches.
- */
-export declare const checkRuntimeVersions: (workspaceRoot: string) => RuntimeFinding[];

package/dist/sbom/cyclonedx.d.ts

@@ -1,39 +0,0 @@
-import type { ProjectGraph, WorkspaceConfiguration } from "@visulima/task-runner";
-import type { CycloneDxBom } from "./types.d.ts";
-export interface BuildSbomOptions {
-    /** If set, limit the emitted BOM to these projects + their transitive closure. */
-    focus?: string[];
-    /** Optional package.json version of vis itself — stamped into `metadata.tools`. */
-    generatorVersion?: string;
-    /** Include devDependencies in the emitted BOM (default: false — production only). */
-    includeDev?: boolean;
-    /**
-     * Override the `serialNumber`. Useful for deterministic tests; in
-     * production the builder generates one per call.
-     */
-    now?: Date;
-    /** Project graph used for resolving focus closure and dependency edges. */
-    projectGraph: ProjectGraph;
-    /** Override the `serialNumber` (defaults to a fresh UUID). */
-    serialNumber?: string;
-    /** Workspace configuration with resolved project roots. */
-    workspace: WorkspaceConfiguration;
-    /** Workspace root on disk. */
-    workspaceRoot: string;
-}
-/**
- * Builds the BOM from workspace + lockfile data. Pure function — all
- * I/O is relative to `workspaceRoot` so tests point it at a temp dir.
- */
-export declare const buildCycloneDxBom: (options: BuildSbomOptions) => CycloneDxBom;
-/**
- * Serialises a {@link CycloneDxBom} document to CycloneDX 1.6 XML.
- *
- * Delegates all escaping, indentation, and attribute serialisation to
- * the project-standard `jstoxml` library (already used elsewhere in
- * the monorepo — see `packages/api/api-platform` and
- * `packages/error-debugging/error-handler`). We only translate our
- * typed JSON-shaped BOM into jstoxml's `{ _name, _attrs, _content }`
- * tree.
- */
-export declare const serializeBomToXml: (bom: CycloneDxBom) => string;

package/dist/sbom/installed-package.d.ts

@@ -1,49 +0,0 @@
-/**
- * Per-version metadata lookup for installed packages.
- *
- * An SBOM needs each `name@version` component to declare its own
- * licence, description, and author — not the top-level project's.
- * Different versions of the same package can ship different licence
- * texts (common during a licence migration, e.g. `foo@4` is MIT but
- * `foo@5` is Apache-2.0), so we resolve the metadata against the
- * specific on-disk install tree rather than the lockfile or a single
- * hoisted copy.
- *
- * The helper is best-effort: we try common install-tree layouts in
- * order and return `undefined` the moment we fail to find a match. A
- * missing metadata doesn't block SBOM generation — the component is
- * just emitted without licence/author/description decoration.
- */
-import type { RawLicenseInput } from "./license.d.ts";
-/** Subset of `package.json` surfaced onto installed-package components. */
-export interface InstalledPackageMetadata extends RawLicenseInput {
-    author?: string | {
-        email?: string;
-        name?: string;
-        url?: string;
-    };
-    bugs?: string | {
-        url?: string;
-    };
-    description?: string;
-    homepage?: string;
-    name?: string;
-    repository?: string | {
-        type?: string;
-        url?: string;
-    };
-    version?: string;
-}
-/**
- * Looks up the installed `package.json` for a specific `name@version`.
- * Tries pnpm's virtual store first (exact match by construction), then
- * falls back to the hoisted `node_modules/<name>/package.json` if its
- * version matches.
- *
- * Returns `undefined` if nothing on disk matches the requested version,
- * **or if `name`/`version` contains characters that could be used for
- * path traversal**. A malicious lockfile carrying e.g.
- * `version: "../../../etc"` would otherwise escape `workspaceRoot`
- * because `join` collapses `..` segments.
- */
-export declare const readInstalledPackageMetadata: (workspaceRoot: string, name: string, version: string) => InstalledPackageMetadata | undefined;

package/dist/sbom/license.d.ts

@@ -1,31 +0,0 @@
-import type { LicenseChoice } from "./types.d.ts";
-/**
- * Case-insensitively resolves a raw licence string to its canonical
- * SPDX ID, or `undefined` if the input doesn't match anything we know
- * about.
- */
-export declare const normalizeSpdxId: (raw: string) => string | undefined;
-/** Shape we accept from raw `package.json` metadata. */
-export interface RawLicenseInput {
-    /** Legacy `license: { type: "MIT" }` form. */
-    license?: {
-        type?: string;
-    } | string;
-    /** Legacy `licenses: [{ type: "MIT" }]` array form. */
-    licenses?: {
-        type?: string;
-    }[];
-}
-/**
- * Extracts a single licence declaration from a `package.json` (or
- * similar), converting it to the CycloneDX {@link LicenseChoice}
- * shape. Supports the three encodings npm has historically blessed:
- *
- * - `license: "MIT"` (string)
- * - `license: "(MIT OR Apache-2.0)"` (SPDX expression)
- * - `license: { type: "MIT" }` (object, deprecated but common)
- * - `licenses: [{ type: "MIT" }, …]` (array, deprecated)
- *
- * Returns `undefined` if no licence was declared.
- */
-export declare const extractLicenseChoice: (input: RawLicenseInput) => LicenseChoice | undefined;

package/dist/sbom/lockfile.d.ts

@@ -1,34 +0,0 @@
-/**
- * Thin CycloneDX-shaped adapter over the shared lockfile parser in
- * `@visulima/package`. The cross-package parser returns a
- * package-manager-agnostic `{ name, version, integrity: { algorithm, hex } }`
- * shape; CycloneDX 1.6 expects hashes as `{ alg: "SHA-256" | …, content }`,
- * so we translate the algorithm casing here.
- */
-import type { LockFileType } from "@visulima/package";
-import type { Hash } from "./types.d.ts";
-/** Exposed so downstream callers (and tests) can stay decoupled from `@visulima/package`. */
-/** Resolved package in the shape the SBOM builder consumes. */
-export interface ResolvedPackage {
-    /**
-     * Declared runtime deps — `name → specifier[]` from the lockfile.
-     * Arrays preserve pnpm v9+ peer-context variants that resolve the
-     * same dep name to different versions.
-     */
-    dependencies?: Record<string, string[]>;
-    hash?: Hash;
-    name: string;
-    optionalDependencies?: Record<string, string[]>;
-    peerDependencies?: Record<string, string[]>;
-    version: string;
-}
-/**
- * Reads the lockfile at `workspaceRoot` (not ancestors — workspaces
- * own their lockfile) and returns entries keyed by `name@version`.
- * Returns `undefined` if no supported lockfile is present.
- */
-export declare const readLockfilePackages: (workspaceRoot: string) => {
-    packages: Map<string, ResolvedPackage>;
-    type: LockFileType;
-} | undefined;
-export { type LockFileType } from "@visulima/package";

package/dist/sbom/purl.d.ts

@@ -1,25 +0,0 @@
-/**
- * Zero-dependency implementation of the Package URL (PURL) spec, scoped
- * to the `pkg:npm/…` type — the only scheme CycloneDX 1.6 needs for
- * npm-ecosystem SBOMs.
- *
- * Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm
- *
- * Rules we implement:
- *
- * 1. The `name` segment is **lowercased** for `pkg:npm` (npm package
- *    names are already case-insensitive in the registry).
- * 2. Scope is carried as a PURL **namespace** (`pkg:npm/@scope/name`)
- *    with the `@` percent-encoded per RFC 3986 (→ `%40`).
- * 3. `name`, `namespace`, and `version` segments are percent-encoded
- *    using the "unreserved characters + colon/slash inside version"
- *    ruleset — we keep this small and conservative (encode anything
- *    outside `[A-Za-z0-9._~-]`).
- */
-/**
- * Builds a `pkg:npm/…` Package URL from an npm package name + version.
- * @param packageName The npm package name, scoped or unscoped.
- * @param version The resolved exact version.
- * @returns A well-formed PURL string.
- */
-export declare const toNpmPurl: (packageName: string, version: string) => string;

package/dist/sbom/resolve-specifier.d.ts

@@ -1,24 +0,0 @@
-/**
- * Resolves `name + specifier` to a concrete `name@version` install from
- * a lockfile-derived index.
- *
- * Lockfiles don't encode every edge uniformly:
- *
- * - pnpm stores **resolved** versions in each entry's `dependencies`
- *   sub-map, so the specifier is already the install's exact version.
- * - npm / yarn / bun store **semver ranges** (or dist-tags); we have
- *   to match the range against the set of versions we know exist for
- *   the given `name`.
- *
- * We try exact match first (cheap, handles pnpm), then fall back to
- * `semver.maxSatisfying` over every known version of `name`, and
- * finally to "pick one version" so a partial-lockfile input still
- * produces a best-effort edge.
- */
-/** `name → Set<version>` index built from every lockfile entry. */
-export type VersionIndex = Map<string, Set<string>>;
-/**
- * Resolves a single `name + specifier` pair to a concrete version, or
- * `undefined` if the name isn't in the lockfile at all.
- */
-export declare const resolveSpecifier: (name: string, specifier: string, index: VersionIndex) => string | undefined;

package/dist/sbom/types.d.ts

@@ -1,196 +0,0 @@
-/**
- * TypeScript types for the subset of CycloneDX 1.6 that `vis sbom` emits.
- *
- * These types are hand-maintained against the vendored schema at
- * `__tests__/sbom/schemas/bom-1.6.schema.json` (upstream tag 1.6.1). They
- * intentionally cover only the shapes the SBOM generator produces —
- * `services`, `vulnerabilities`, `compositions`, `annotations`,
- * `formulation`, `declarations`, `signature`, `pedigree`, `evidence`,
- * `modelCard`, and crypto-asset fields are omitted.
- *
- * The schema is still the source of truth: see
- * `__tests__/sbom/schema-conformance.test.ts` for the ajv-backed validator
- * that runs on every emitted BOM.
- */
-/** Hash algorithms permitted by CycloneDX 1.6. */
-export type HashAlgorithm = "BLAKE2b-256" | "BLAKE2b-384" | "BLAKE2b-512" | "BLAKE3" | "MD5" | "SHA-1" | "SHA-256" | "SHA-384" | "SHA-512" | "SHA3-256" | "SHA3-384" | "SHA3-512";
-/** A single hash entry on a component. */
-export interface Hash {
-    alg: HashAlgorithm;
-    /** Hex-encoded digest (no `sha512-` prefix; integrity strings from npm lockfiles must be stripped + base64-decoded first). */
-    content: string;
-}
-/** Component type enumeration. */
-export type ComponentType = "application" | "container" | "cryptographic-asset" | "data" | "device" | "device-driver" | "file" | "firmware" | "framework" | "library" | "machine-learning-model" | "operating-system" | "platform";
-/** Dependency scope on a component. */
-export type ComponentScope = "excluded" | "optional" | "required";
-/** License acknowledgement status. */
-export type LicenseAcknowledgement = "concluded" | "declared";
-/** Fields shared by every licence variant. */
-export interface LicenseBase {
-    acknowledgement?: LicenseAcknowledgement;
-    "bom-ref"?: string;
-    text?: Attachment;
-    url?: string;
-}
-/**
- * A named or SPDX-identified licence.
- *
- * The schema requires exactly one of `id` or `name` to be present; this is
- * modelled as a discriminated union so the constraint is enforced at the
- * type level rather than just at ajv-validation time.
- */
-export type License = NamedLicense | SpdxLicense;
-/** SPDX-identified licence (`id` is a valid SPDX licence identifier). */
-export interface SpdxLicense extends LicenseBase {
-    /** SPDX licence identifier (e.g. `"MIT"`). */
-    id: string;
-    name?: never;
-}
-/** Free-form licence where no SPDX identifier matches. */
-export interface NamedLicense extends LicenseBase {
-    id?: never;
-    /** Free-form licence name. */
-    name: string;
-}
-/** A single licence entry in the `licenses` array. */
-export interface LicenseEntry {
-    license: License;
-}
-/** A single-element tuple carrying an SPDX expression. */
-export interface LicenseExpressionEntry {
-    acknowledgement?: LicenseAcknowledgement;
-    "bom-ref"?: string;
-    expression: string;
-}
-/**
- * Per the spec, `licenses` is EITHER a list of `{ license }` entries OR a
- * one-element tuple carrying an SPDX expression — never mixed.
- */
-export type LicenseChoice = LicenseEntry[] | [LicenseExpressionEntry];
-/** Attachment (inline blob) used for licence texts, etc. */
-export interface Attachment {
-    content: string;
-    contentType?: string;
-    encoding?: "base64";
-}
-/** Individual contact within an organisation. */
-export interface OrganizationalContact {
-    "bom-ref"?: string;
-    email?: string;
-    name?: string;
-    phone?: string;
-}
-/** Postal address attached to an organisation. */
-export interface PostalAddress {
-    "bom-ref"?: string;
-    country?: string;
-    locality?: string;
-    postalCode?: string;
-    region?: string;
-    streetAddress?: string;
-}
-/** Company / organisation metadata. */
-export interface OrganizationalEntity {
-    address?: PostalAddress;
-    "bom-ref"?: string;
-    contact?: OrganizationalContact[];
-    name?: string;
-    url?: string[];
-}
-/**
- * All 43 values from the CycloneDX 1.6 `externalReferenceType` enum. Kept
- * exhaustive so any spec-legal reference type type-checks.
- */
-export type ExternalReferenceType = "adversary-model" | "advisories" | "attestation" | "bom" | "build-meta" | "build-system" | "certification-report" | "chat" | "codified-infrastructure" | "component-analysis-report" | "configuration" | "digital-signature" | "distribution" | "distribution-intake" | "documentation" | "dynamic-analysis-report" | "electronic-signature" | "evidence" | "exploitability-statement" | "formulation" | "issue-tracker" | "license" | "log" | "mailing-list" | "maturity-report" | "model-card" | "other" | "pentest-report" | "poam" | "quality-metrics" | "release-notes" | "rfc-9116" | "risk-assessment" | "runtime-analysis-report" | "security-contact" | "social" | "source-distribution" | "static-analysis-report" | "support" | "threat-model" | "vcs" | "vulnerability-assertion" | "website";
-/** External reference (website, VCS, distribution, etc.). */
-export interface ExternalReference {
-    comment?: string;
-    hashes?: Hash[];
-    type: ExternalReferenceType;
-    url: string;
-}
-/**
- * A software component in the BOM. This is the shape `vis sbom` emits —
- * it's a strict subset of the CycloneDX definition.
- */
-export interface Component {
-    author?: string;
-    "bom-ref"?: string;
-    components?: Component[];
-    copyright?: string;
-    cpe?: string;
-    description?: string;
-    externalReferences?: ExternalReference[];
-    group?: string;
-    hashes?: Hash[];
-    licenses?: LicenseChoice;
-    manufacturer?: OrganizationalEntity;
-    "mime-type"?: string;
-    name: string;
-    properties?: Property[];
-    publisher?: string;
-    /** Package URL, e.g. `pkg:npm/@scope/name@1.2.3`. */
-    purl?: string;
-    scope?: ComponentScope;
-    supplier?: OrganizationalEntity;
-    tags?: string[];
-    type: ComponentType;
-    version?: string;
-}
-/** Arbitrary key-value metadata attachable to components and BOMs. */
-export interface Property {
-    name: string;
-    value?: string;
-}
-/**
- * CycloneDX 1.5+ form of `metadata.tools`: a bag of tool components and
- * (optionally) services. The legacy array form is intentionally not
- * supported — new BOMs should use this shape.
- */
-export interface ToolsAggregate {
-    components?: Component[];
-}
-/** BOM lifecycle phase (pre-defined names in the spec). */
-export type LifecyclePhase = "build" | "decommission" | "design" | "discovery" | "operations" | "post-build" | "pre-build";
-export interface Lifecycle {
-    description?: string;
-    name?: string;
-    phase?: LifecyclePhase;
-}
-export interface Metadata {
-    authors?: OrganizationalContact[];
-    component?: Component;
-    licenses?: LicenseChoice;
-    lifecycles?: Lifecycle[];
-    manufacturer?: OrganizationalEntity;
-    properties?: Property[];
-    supplier?: OrganizationalEntity;
-    /** ISO 8601 timestamp describing when the BOM was created. */
-    timestamp?: string;
-    tools?: ToolsAggregate;
-}
-/** A single edge in the dependency graph. */
-export interface Dependency {
-    /** `bom-ref`s of components this component directly depends on. */
-    dependsOn?: string[];
-    /** `bom-ref`s of components this component provides (conformance claims). */
-    provides?: string[];
-    /** `bom-ref` of the subject component. */
-    ref: string;
-}
-/** The root CycloneDX 1.6 BOM document. */
-export interface CycloneDxBom {
-    $schema?: string;
-    bomFormat: "CycloneDX";
-    components?: Component[];
-    dependencies?: Dependency[];
-    externalReferences?: ExternalReference[];
-    metadata?: Metadata;
-    properties?: Property[];
-    /** `urn:uuid:<rfc-4122>` — unique identifier for this specific BOM revision. */
-    serialNumber?: string;
-    specVersion: "1.6";
-    /** Monotonically increasing integer for BOM revisions (starts at 1). */
-    version?: number;
-}

package/dist/secrets/baseline.d.ts

@@ -1,20 +0,0 @@
-import type { Finding } from "@visulima/secret-scanner";
-/** Convert a finding to the shape we persist in baselines (with paths relative to root). */
-export declare const toRelativeFinding: (f: Finding, root: string) => Finding;
-export interface BaselineDiff {
-    fresh: Finding[];
-    resolved: Finding[];
-    surviving: Finding[];
-}
-/** Compare current findings against an existing baseline. */
-export declare const diffBaseline: (findings: Finding[], baselinePath: string, root: string) => BaselineDiff;
-export interface WriteBaselineOptions {
-    /** If true, replace the file instead of merging with existing entries. */
-    replace?: boolean;
-}
-/**
- * Write `findings` to `baselinePath` with paths relative to `root`. By default
- * merges with any existing baseline (so prior triage decisions for files not
- * rescanned this run are preserved). Pass `replace: true` to overwrite.
- */
-export declare const writeBaseline: (findings: Finding[], baselinePath: string, root: string, options?: WriteBaselineOptions) => number;

package/dist/secrets/format.d.ts

@@ -1,14 +0,0 @@
-import type { Finding, RuleInfo } from "@visulima/secret-scanner";
-/** Pretty grouped text output with file headers, context lines, and carets. */
-export declare const formatText: (findings: Finding[], root: string, useColor: boolean) => string;
-/**
- * Structured SARIF v2.1.0 output for GitHub / GitLab code-scanning.
- *
- * Polished for spec compliance:
- *   - `artifactLocation.uri` emits `file://` URIs for absolute paths (SARIF §3.4.2).
- *   - `tool.driver.rules` lists every rule that triggered, with `shortDescription` +
- *     `fullDescription` + `helpUri` so consumer UIs can render rule detail pages.
- *   - `result.level` stays `"error"` (everything we surface is an actionable leak).
- *   - `result.ruleIndex` cross-references into `tool.driver.rules` per SARIF §3.27.6.
- */
-export declare const formatSarif: (findings: Finding[], toolVersion: string, root?: string, ruleMetadata?: RuleInfo[]) => string;

package/dist/secrets/git.d.ts

@@ -1,6 +0,0 @@
-/** Absolute paths of files currently staged for commit (A/C/M/R only). */
-export declare const stagedFiles: (root: string) => string[];
-/** Absolute paths of files changed since `ref` (defaults to upstream/HEAD~1). */
-export declare const filesSince: (root: string, ref: string) => string[];
-/** True if `git` is on PATH and `root` is a working tree. */
-export declare const hasGit: (root: string) => boolean;

package/dist/secrets/spinner.d.ts

@@ -1,9 +0,0 @@
-export interface Spinner {
-    stop: (finalMessage?: string) => void;
-    update: (message: string) => void;
-}
-/**
- * Minimal stderr spinner for TTY sessions. No-op when stderr isn't a TTY
- * (CI, piped output). No dependencies beyond node stdlib.
- */
-export declare const startSpinner: (message: string) => Spinner;