Ara embraces the JavaScript ecosystem’s existing conventions by treating package.json as the authoritative source for your project’s identity, dependencies, and scripts. No migration step is required — if your project already has a package.json, Ara works with it immediately. An optional ara.toml file extends that foundation with Ara-specific settings: security risk thresholds and sandboxed build profiles. If you never need those features, you never need to create ara.toml at all.
package.json — Primary Manifest
package.json is the single source of truth for everything Ara needs to install and run your project. When you run ara add zod, Ara writes the new dependency directly to package.json, just as npm or Yarn would. All standard fields are read and respected.
Fields Ara reads
| Field | Purpose |
|---|---|
| name | Project name |
| version | Project version |
| dependencies | Production dependencies |
| devDependencies | Development-only dependencies |
| peerDependencies | Peer requirements declared to consumers |
| optionalDependencies | Optional enhancements that may be absent |
| scripts | Named shell commands runnable via ara run |
| workspaces | Glob patterns for monorepo workspace members |
Standard npm project
Monorepo with workspace protocol
Ara supports the workspace: protocol, inspired by pnpm. Declaring a dependency as workspace:* or workspace:^ tells Ara to resolve it from a local workspace member instead of a registry. During install, workspace dependencies become live symlinks — node_modules/lib-a points directly to packages/lib-a, so source changes are immediately visible without reinstalling.
workspace: forms:
| Form | Meaning |
|---|---|
| workspace:* | Always resolves to the local workspace member |
| workspace:^ | Resolves locally; replaced with ^<version> on publish |
| workspace:1.2.3 | Pins to an exact version within the workspace |
ara.toml — Advanced Configuration
ara.toml is entirely optional. It does not store dependencies or scripts — those live in package.json. Use it only when you want to enforce project-wide security policies or declare a default sandbox profile for builds.
[security] section
The [security] table controls how Ara’s built-in scanner reacts to findings during install.
risk_threshold accepts four values (from least to most severe):
- low
- medium
- high
- critical
Setting risk_threshold to low reports all findings — low, medium, high, and critical. This is the most verbose setting; recommended during audits.
[build] section
The [build] table sets default sandboxing behaviour for scripts executed with ara run.
hermetic = true activates the seccomp-BPF hermetic sandbox profile on Linux. On macOS and Windows, ara run executes the script without sandbox restrictions because the Linux-specific sandbox is not yet ported to other platforms.
Complete ara.toml example
The example below reflects a typical security-conscious project:
How the two files interact
Merge rules: package.json + ara.toml
When Ara starts, it parses package.json first and builds the full manifest in memory. If ara.toml exists, it is layered on top:
- package.json provides: name, version, all dependency groups, scripts, and workspaces.
- ara.toml provides: security thresholds and build profiles.
- Fields only in package.json (e.g. description, license, main) are preserved verbatim and written back when Ara modifies package.json.
- Neither file can override the other’s dependency list — dependencies always live in package.json.
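The merge rules above, together with the risk_threshold gate from the [security] section, as an added JavaScript model that is not Ara's own code: it parses ara.toml with a small helper instead of a real TOML library, and it assumes that a dependency table found in ara.toml is rejected rather than silently ignored (the page only says it cannot override package.json).

```javascript
const SEVERITIES = ['low', 'medium', 'high', 'critical'];
const DEP_GROUPS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Minimal parser for the TOML subset ara.toml uses ([tables], "strings", booleans); a stand-in for a real TOML library.
function parseAraToml(text) {
  const out = {};
  let table = out;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();   // drop comments and blank lines
    if (!line) continue;
    const tbl = line.match(/^\[([A-Za-z0-9_]+)\]$/);
    if (tbl) { table = out[tbl[1]] ??= {}; continue; }
    const kv = line.match(/^([A-Za-z0-9_]+)\s*=\s*(.+)$/);
    if (!kv) throw new Error(`ara.toml: cannot parse line: ${raw}`);
    const v = kv[2].trim();
    table[kv[1]] = v === 'true' ? true : v === 'false' ? false : v.replace(/^"(.*)"$/, '$1');
  }
  return out;
}

// Merge rules: package.json is parsed first and is authoritative; ara.toml only layers
// [security] and [build] on top. Rejecting a dependency table in ara.toml (rather than
// ignoring it) is an assumption of this model, not documented Ara behaviour.
function buildManifest(packageJsonText, araTomlText = null) {
  const pkg = JSON.parse(packageJsonText);
  const manifest = { ...pkg, security: {}, build: {} }; // unknown fields kept verbatim
  if (araTomlText === null) return manifest;            // ara.toml is optional
  const ara = parseAraToml(araTomlText);
  for (const g of DEP_GROUPS) if (g in ara) throw new Error(`ara.toml must not declare ${g}`);
  manifest.security = { ...(ara.security ?? {}) };
  manifest.build = { ...(ara.build ?? {}) };
  const t = manifest.security.risk_threshold;
  if (t !== undefined && !SEVERITIES.includes(t)) throw new Error(`bad risk_threshold "${t}"`);
  return manifest;
}

// A finding is blocked once its severity reaches risk_threshold: "low" reports everything,
// "critical" only critical findings. No threshold configured = no blocking policy (assumed).
function findingBlocked(severity, manifest) {
  const threshold = manifest.security.risk_threshold;
  return threshold !== undefined && SEVERITIES.indexOf(severity) >= SEVERITIES.indexOf(threshold);
}

// `ara add <name>`: write the dependency into package.json and return the file text.
// The ara.toml-only settings are stripped first, so they never leak into package.json.
function addDependency(manifest, name, spec) {
  const { security, build, ...pkg } = manifest;
  pkg.dependencies = { ...(pkg.dependencies ?? {}), [name]: spec };
  return JSON.stringify(pkg, null, 2) + '\n';
}
```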
When do I actually need ara.toml?
You need ara.toml only if you want to:
- Set a project-wide risk_threshold so that Ara automatically blocks packages above a severity level.
- Enable require_review = true to always prompt for human approval regardless of findings.
- Set hermetic = true to lock builds into a sandboxed environment by default.
- Use offline_first = true to prevent installs from hitting the network.
Otherwise, package.json alone is sufficient.