* refactor(config): unify flag registry, phase-split resolveConfig

Consolidate CLI (string[]) and programmatic (PkgExecOptions) entry points
through a single canonical ParsedInput shape, dropping the
options->argv->parseArgs round trip. Split resolveConfig into named phase
helpers (resolveInput, resolveConfigFile, resolveOutput, resolveTargetList,
assignTargetOutputs). Fully resolve flags in the config layer: compress
becomes CompressType enum, targets becomes NodeTarget[] with per-target
output paths and input-overwrite guards applied. Expose effective merged
pkg on ResolvedConfig so index.ts no longer duplicates precedence logic.
Drop unused minimist dep; util.parseArgs drives CLI parsing.

* test(config): add pure-unit regression guard for parseInput/resolveFlags

Integration-only coverage (test-50-config-flags) exercises a handful of
end-to-end paths via real binaries and takes seconds. This test requires
lib-es5/config directly and runs 78 assertions in ~200ms covering:

- CLI parseInput: positionals, short-circuits, all flag kinds (bool/string/
  list), short aliases, alias collapsing (target/targets, out-path/outdir/
  out-dir), every FLAG_SPECS bool negation, positional/negation last-wins,
  unknown-option rejection
- Programmatic parseInput: type guards, input validation, bakeOptions/
  publicPackages/noDictionary/targets array-join, empty-array behavior
- resolveFlags: CLI>config>default merge for every flag, three-state
  override (CLI false beats config true), list empty-clear, whitespace
  trimming, csv parsing, '*' preservation, all compress aliases
- validatePkgConfig: unknown-key warn, known-key silence, type mismatches
  for bool/string/list, mixed-array rejection

* fix(config): address PR review feedback

- Validate `pkg` config field is a plain object (reject string/array/null)
  with a clear error message instead of silently falling back to defaults
- types.ts: `PkgCompressType` now excludes numeric reverse-mapping keys
  from the enum (`Exclude<keyof typeof CompressType, number>`)
- help.ts: add `--no-signature` to the options section; list
  `native-build` and `sea` in the config-overridable flags note
- docs: correct `targets` type (`string | string[]`) and rename
  `deployAssets` row to `deployFiles` (matches actual code/types)
- test-80-compression fixture: swap `minimist` require for `picomatch`
  (direct dep — minimist was removed from package.json)
- test-50-config-flags: new `pkg.not-object.json` fixture + assertion
  for the non-object pkg rejection

* refactor(config): enhance type safety for CLI argument parsing

* refactor(config): improve type safety and clarity in CLI argument handling

* fix(config): address Copilot review feedback

- fix "give" → "given" typo in --sea help text
- preserve last-wins order for --target/--targets aliases via token walk
- narrow PkgOptions.deployFiles to `[from, to]` / `[from, to, 'directory']` tuples
- force-require picomatch/picocolors in compression fixture for real VFS payload

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(config): drop resolveTargetAlias helper

Both --target and --targets are niche aliases; last-wins token walk
is overkill. Revert to simple nullish collapse.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(config): address deep-review feedback

- Merge resolved flag values back into pkg via applyResolvedFlags so
  pkgOptions consumers observe CLI overrides (not just the raw config).
- Reject `--target` + `--targets` together instead of silently preferring
  one alias regardless of order.
- Move validatePkgConfig out of resolveFlags into resolveConfig so
  resolveFlags is a pure merge.
- Simplify resolveOutput: read outputPath from the resolved pkg instead
  of re-walking configJson.pkg / inputJson.pkg.
- Throw on bad-type exec() options (boolean/string/list) instead of
  silently dropping them at the programmatic boundary.
- Drop redundant String() in resolveList's trim.
- Clean up test-80 compression fixture: remove dead loremIpsum and the
  /* eslint-disable no-unused-vars */ it required.
- Add test-50-config-flags coverage for the --target/--targets conflict.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(config): address Copilot review feedback

- Set log.debugMode unconditionally from flags.debug so a prior exec()
  call with debug:true does not leak debug logging into a later
  debug:false invocation (the programmatic API may run exec multiple
  times per process).
- Document the positive --signature flag in help; it's already accepted
  by the CLI parser and is needed to override a config value of
  signature:false.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(config): add JSDoc coverage across lib/config.ts

Convert existing inline prose comments into JSDoc and add short doc
blocks to exported types, internal helpers, and module-level constants.
Content is unchanged; this just makes each symbol self-describe for
hover/autocomplete and for future readers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(config): address Copilot review feedback

- Trim each entry in resolveTargetList's comma-split paths (both CLI and
  pkg.targets string forms). Inputs like "node22-linux-x64, node22-win-x64"
  previously produced a leading-space token and failed in parseTargets with
  "Unknown token ' node22'". Matches the trim pattern already used by
  resolveList for other list-shaped flags.
- Correct the deployFiles schema row in docs-site/guide/configuration.md:
  it is a tuple array ([from, to] or [from, to, "directory"]), not a
  plain string[]. Matches lib/types.ts and lib/walker.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(sea): silence benign LIEF warnings during postject injection

LIEF (inside postject) prints "signature seems corrupted" and
"Can't find string offset for section name '.note.100'" to stderr
after postject expands the ELF section table to make room for
NODE_SEA_BLOB. The messages are cosmetic — the injection succeeds
and macOS binaries are re-signed afterwards — but users reasonably
assume something is wrong.

Wrap the postject.inject() call in a tiny stderr filter that drops
only those specific lines. Everything else passes through
unchanged, and the original process.stderr.write is restored in a
finally block.

* refactor(sea): tighten typing of postject stderr filter

Replace `unknown` + `...rest: unknown[]` (which forced two `as` casts
and a runtime `rest.find` to locate the callback) with the actual
write() overload parameters: `chunk: string | Uint8Array`,
`encodingOrCb?: BufferEncoding | WriteCallback`, `cb?: WriteCallback`.

Disambiguate the pass-through call so the right write() overload is
dispatched, and handle plain Uint8Array chunks explicitly.

Whitelist `BufferEncoding` as a global in the TS ESLint block,
mirroring how `NodeJS` is already handled — both are type-only
identifiers that `no-undef` can't resolve on its own.

* fix(sea): restore original stderr.write reference, not a bound wrapper

Keep the unbound write function for restoration so process.stderr.write
regains its exact prior identity after the call. Use a separate bound
copy internally for calling from the filter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ynamic import, decorators) (#268)

* fix(sea): parse ESM files as modules and walk dynamic import() literals

`detector.parse()` called babel with the default `sourceType: 'script'`,
so SEA-mode walker runs over `import.meta` / top-level `await` failed
to parse and silently skipped the file's dependency traversal. Thread
`isESMFile(record.file)` through `stepDetect` → `detect()` → `parse()`
so ESM files get `sourceType: 'module'`. Also teach the visitor to
recognize `import('literal')` `CallExpression`s so bundler-emitted
dynamic imports are bundled like static ones.

* docs(detector): add concise jsdoc for visitor and helper functions

* fix(detector): enable decorators-legacy plugin for babel parse

Third-party sources that ship raw `@decorator` syntax (fontkit, older
MobX / Nest builds) tripped the same silent-drop failure mode as #264:
babel.parse threw, `detect()` logged a warning, and the file's
dependency graph was dropped. Enable `decorators-legacy` in both the
walker's detector and the ESM-transformer parse calls so these sources
parse cleanly and their requires/imports get bundled. Extend test-94
with a decorator fixture walked via `pkg.scripts`.

* fix(detector): reject non-string specifiers in dynamic import matcher

Guard visitorDynamicImport against `import(0)` / `import(true)` so a
numeric or boolean literal can't flow through the walker as an alias and
crash downstream string checks (e.g. isBuiltin's moduleName.startsWith).

Addresses Copilot review feedback on PR #268.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>