@pikku/inspector 0.12.21 → 0.12.22

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 0.12.22
+
+### Patch Changes
+
+- 06234a9: Fix DSL `Promise.all` fanout silently failing to register its child RPC (causing a runtime "Function not found").
+
+  Two distinct causes are addressed:
+  - A fanout/group captured into a variable (`const results = await Promise.all(array.map(e => workflow.do(...)))`) was dropped entirely, because the `const`-declaration path had no `Promise.all` branch — fanout handling only ran on the bare/assignment path. The declaration path now extracts fanout and parallel groups too.
+  - `extractStringLiteral` threw on a `+` concatenation with a non-static operand (e.g. `'Enrich ' + (e.id ?? e.name)`), unlike a template literal (`` `Enrich ${e.id ?? e.name}` ``) which never threw. The throw was uncaught while scanning workflow invocations and aborted the run. The `+` branch now falls back to `${...}` placeholders to match template literals, and a step's cosmetic display name can no longer block RPC registration.
+
+- 8e72c93: Exclude `node_modules` from inspector source scanning. A locally-installed addon (under the project's `node_modules`) is a dependency, not project source — scanning it double-counted the addon's own application types (`CoreConfig`/`CoreServices`/`CoreSingletonServices`) and failed `pikku all` with "More than one … found". Addons still contribute via their generated metadata, not by being re-scanned as source.
+- 6645e7a: Add a severity model for coded diagnostics so security findings can surface without blocking the dev server.
+  - `InspectorLogger` gains `diagnostic({ severity, code, message })` (`severity: 'warn' | 'error' | 'critical'`). `critical(code, message)` is now sugar for `diagnostic({ severity: 'critical', ... })`.
+  - The CLI fails the build only on `critical` diagnostics by default. New global flags `--fail-on-error` and `--fail-on-warn` (implies `--fail-on-error`) opt into stricter gating; `--fail-on-critical` is always on.
+  - Data-classification leaks (`PKU910`) are now emitted at `error` severity instead of `critical`. They are still printed, but no longer abort `pikku all` / the dev server — pass `--fail-on-error` (e.g. at deploy) to make them blocking and recommend a fix.
+  - Contract-immutability drift (`PKU861`) during `pikku versions update` (run inside `pikku all`) no longer calls `process.exit(1)`. It is surfaced as an `error` diagnostic and skips saving the manifest, so a stale baseline can't crash-loop the dev server. `pikku versions check` remains the hard gate, and `--fail-on-error` makes `pikku all` block on it at deploy.
+
+- Updated dependencies [6bca38f]
+  - @pikku/core@0.12.35
+
 ## 0.12.21
 
 ### Patch Changes

package/dist/add/add-functions.js

@@ -660,16 +660,24 @@ export const addFunctions = (logger, node, checker, state, options) => {
                 .filter((f) => f.classification === 'private' || f.classification === 'pii')
                 .map((f) => f.path);
             if (secretPaths.length > 0) {
-                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes secret-classified field(s) in its return type: ` +
-                    secretPaths.map((p) => `'${p}'`).join(', ') +
-                    `.\n  Secret fields must never appear in function output. ` +
-                    `Strip these fields before returning or change the column classification.`);
+                logger.diagnostic({
+                    severity: 'error',
+                    code: ErrorCode.PII_IN_OUTPUT,
+                    message: `Function '${name}' exposes secret-classified field(s) in its return type: ` +
+                        secretPaths.map((p) => `'${p}'`).join(', ') +
+                        `.\n  Secret fields must never appear in function output. ` +
+                        `Strip these fields before returning or change the column classification.`,
+                });
             }
             if (sessionless && privatePaths.length > 0) {
-                logger.critical(ErrorCode.PII_IN_OUTPUT, `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
-                    privatePaths.map((p) => `'${p}'`).join(', ') +
-                    `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
-                    `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`);
+                logger.diagnostic({
+                    severity: 'error',
+                    code: ErrorCode.PII_IN_OUTPUT,
+                    message: `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
+                        privatePaths.map((p) => `'${p}'`).join(', ') +
+                        `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
+                        `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`,
+                });
             }
         }
     }

package/dist/add/add-workflow.js

@@ -5,6 +5,20 @@ import { ErrorCode } from '../error-codes.js';
 import { extractStringLiteral, isStringLike, isFunctionLike, extractDescription, extractDuration, } from '../utils/extract-node-value.js';
 import { getCommonWireMetaData, getPropertyValue, } from '../utils/get-property-value.js';
 import { extractDSLWorkflow } from '../utils/workflow/dsl/extract-dsl-workflow.js';
+import { getSourceText } from '../utils/workflow/dsl/patterns.js';
+/**
+ * Extract a workflow step's display name without letting a non-static name
+ * (e.g. a function call) abort the scan. The step name is cosmetic, so a
+ * resolution failure must never prevent the RPC from being registered.
+ */
+function extractStepName(node, checker) {
+    try {
+        return extractStringLiteral(node, checker);
+    }
+    catch {
+        return getSourceText(node);
+    }
+}
 /**
  * Recursively check if any step has inline type (non-serializable)
  */
@@ -89,7 +103,7 @@ function getWorkflowInvocations(node, checker, state, workflowName, steps) {
                     const stepNameArg = args[0];
                     const secondArg = args[1];
                     const optionsArg = args.length >= 4 ? args[args.length - 1] : undefined;
-                    const stepName = extractStringLiteral(stepNameArg, checker);
+                    const stepName = extractStepName(stepNameArg, checker);
                     const description = extractDescription(optionsArg, checker) ?? undefined;
                     // Determine form by checking 2nd argument type
                     if (isStringLike(secondArg, checker)) {
@@ -115,7 +129,7 @@ function getWorkflowInvocations(node, checker, state, workflowName, steps) {
                     // workflow.sleep(stepName, duration)
                     const stepNameArg = args[0];
                     const durationArg = args[1];
-                    const stepName = extractStringLiteral(stepNameArg, checker);
+                    const stepName = extractStepName(stepNameArg, checker);
                     const duration = extractDuration(durationArg, checker);
                     steps.push({
                         type: 'sleep',

package/dist/error-codes.d.ts

@@ -59,3 +59,15 @@ export declare enum ErrorCode {
     WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901",
     PII_IN_OUTPUT = "PKU910"
 }
+/**
+ * Severity of a tracked, coded diagnostic. `critical` always blocks the build;
+ * `error`/`warn` only block when the CLI is told to via `--fail-on-error` /
+ * `--fail-on-warn` (default: critical only). All severities are still printed.
+ */
+export type DiagnosticSeverity = 'warn' | 'error' | 'critical';
+/** A coded diagnostic emitted via `logger.diagnostic(...)`. */
+export interface CodedDiagnostic {
+    severity: DiagnosticSeverity;
+    code: ErrorCode;
+    message: string;
+}

package/dist/index.d.ts

@@ -3,6 +3,7 @@ export type { TypesMap } from './types-map.js';
 export type * from './types.js';
 export type { FilesAndMethodsErrors } from './utils/get-files-and-methods.js';
 export { ErrorCode } from './error-codes.js';
+export type { DiagnosticSeverity, CodedDiagnostic } from './error-codes.js';
 export { AUTH_HANDLER_FUNC_ID } from './add/add-auth.js';
 export { serializeInspectorState, deserializeInspectorState, } from './utils/serialize-inspector-state.js';
 export type { SerializableInspectorState } from './utils/serialize-inspector-state.js';

package/dist/inspector.js

@@ -209,9 +209,13 @@ export const inspect = async (logger, routeFiles, options = {}) => {
     // Use provided rootDir or infer from source files
     const rootDir = options.rootDir || findCommonAncestor(routeFiles);
     const startSourceFiles = performance.now();
+    // node_modules under rootDir (e.g. a locally-installed addon) is a
+    // dependency, not project source — scanning it double-counts the addon's
+    // own application types (CoreConfig/Services/SingletonServices).
     const sourceFiles = program
         .getSourceFiles()
-        .filter((sf) => sf.fileName.startsWith(rootDir));
+        .filter((sf) => sf.fileName.startsWith(rootDir) &&
+        !sf.fileName.includes('/node_modules/'));
     logger.debug(`Got source files in ${(performance.now() - startSourceFiles).toFixed(2)}ms`);
     const state = getInitialInspectorState(rootDir);
     // First sweep: add all functions

package/dist/types.d.ts

@@ -16,7 +16,7 @@ import type { VariableDefinitions } from '@pikku/core/variable';
 import type { TypesMap } from './types-map.js';
 import type { FunctionsMeta, FunctionServicesMeta, FunctionWiresMeta, JSONValue } from '@pikku/core';
 import type { OpenAPISpecInfo } from './utils/serialize-openapi-json.js';
-import type { ErrorCode } from './error-codes.js';
+import type { ErrorCode, CodedDiagnostic } from './error-codes.js';
 import type { VersionManifest, VersionValidateError } from './utils/contract-hashes.js';
 import type { SerializedWorkflowGraphs } from './utils/workflow/graph/workflow-graph.types.js';
 export type PathToNameAndType = Map<string, {
@@ -192,6 +192,15 @@ export interface InspectorLogger {
     error: (message: string) => void;
     warn: (message: string) => void;
     debug: (message: string) => void;
+    /**
+     * Emit a tracked, coded diagnostic. It is recorded and printed; `error`/`warn`
+     * only block the build when the CLI is run with `--fail-on-error` /
+     * `--fail-on-warn` (default: critical only). Use this for issues worth
+     * surfacing (e.g. data-classification leaks) that should not stop the dev
+     * server from starting.
+     */
+    diagnostic: (diagnostic: CodedDiagnostic) => void;
+    /** Sugar for `diagnostic({ severity: 'critical', code, message })`. */
     critical: (code: ErrorCode, message: string) => void;
     hasCriticalErrors: () => boolean;
 }

package/dist/utils/extract-node-value.js

@@ -26,8 +26,8 @@ export function extractStringLiteral(node, checker) {
     }
     if (ts.isBinaryExpression(node) &&
         node.operatorToken.kind === ts.SyntaxKind.PlusToken) {
-        return (extractStringLiteral(node.left, checker) +
-            extractStringLiteral(node.right, checker));
+        return (extractConcatOperand(node.left, checker) +
+            extractConcatOperand(node.right, checker));
     }
     // Try to evaluate constant identifiers
     if (ts.isIdentifier(node)) {
@@ -42,6 +42,23 @@ export function extractStringLiteral(node, checker) {
     }
     throw new Error('Unable to extract string literal from node');
 }
+/**
+ * Resolve one operand of a `+` string concatenation.
+ *
+ * An operand that can't be statically resolved (e.g. `a ?? b`) becomes a
+ * `${...}` placeholder rather than throwing — mirroring the TemplateExpression
+ * branch above, so `'x ' + expr` and `` `x ${expr}` `` produce the same string.
+ * This keeps an unresolvable display name from aborting the whole extraction.
+ */
+function extractConcatOperand(node, checker) {
+    try {
+        return extractStringLiteral(node, checker);
+    }
+    catch {
+        const inner = ts.isParenthesizedExpression(node) ? node.expression : node;
+        return '${' + inner.getText() + '}';
+    }
+}
 /**
  * Check if node is string-like (string literal or template expression)
  */

package/dist/utils/workflow/dsl/extract-dsl-workflow.js

@@ -255,6 +255,21 @@ function extractVariableDeclaration(statement, context) {
                 return step;
             }
         }
+        // Promise.all fanout/group captured into a variable
+        // (const results = await Promise.all(array.map(...)))
+        if (isParallelFanout(call) || isParallelGroup(call)) {
+            const step = isParallelFanout(call)
+                ? extractParallelFanout(call, context)
+                : extractParallelGroup(call, context);
+            if (step) {
+                const type = context.checker.getTypeAtLocation(decl);
+                context.outputVars.set(varName, { type, node: decl });
+                if (isArrayType(type, context.checker)) {
+                    context.arrayVars.add(varName);
+                }
+                return step;
+            }
+        }
     }
     // Check for array.filter(...)
     if (ts.isCallExpression(init)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.21",
+  "version": "0.12.22",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",
@@ -35,7 +35,7 @@
   },
   "dependencies": {
     "@openapi-contrib/json-schema-to-openapi-schema": "^4.3.1",
-    "@pikku/core": "^0.12.32",
+    "@pikku/core": "^0.12.35",
     "openapi-types": "^12.1.3",
     "path-to-regexp": "^8.3.0",
     "ts-json-schema-generator": "^2.5.0",

package/src/add/add-auth.test.ts

@@ -13,6 +13,9 @@ const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: ErrorCode, message: string) => {
       criticals.push({ code, message })
     },

package/src/add/add-cli-renderers.test.ts

@@ -12,6 +12,7 @@ const makeLogger = () =>
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: () => {},
     critical: () => {},
     hasCriticalErrors: () => false,
   }) satisfies InspectorLogger

package/src/add/add-functions.test.ts

@@ -39,6 +39,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -91,6 +94,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -142,6 +148,7 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -204,6 +211,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -250,6 +260,7 @@ describe('addFunctions implementationHash', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -296,6 +307,7 @@ describe('addFunctions implementationHash', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -349,6 +361,7 @@ describe('pikkuChannelConnectionFunc generic mapping', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }

package/src/add/add-functions.ts

@@ -931,23 +931,27 @@ export const addFunctions: AddWiring = (
         .map((f) => f.path)
 
       if (secretPaths.length > 0) {
-        logger.critical(
-          ErrorCode.PII_IN_OUTPUT,
-          `Function '${name}' exposes secret-classified field(s) in its return type: ` +
+        logger.diagnostic({
+          severity: 'error',
+          code: ErrorCode.PII_IN_OUTPUT,
+          message:
+            `Function '${name}' exposes secret-classified field(s) in its return type: ` +
             secretPaths.map((p) => `'${p}'`).join(', ') +
             `.\n  Secret fields must never appear in function output. ` +
-            `Strip these fields before returning or change the column classification.`
-        )
+            `Strip these fields before returning or change the column classification.`,
+        })
       }
 
       if (sessionless && privatePaths.length > 0) {
-        logger.critical(
-          ErrorCode.PII_IN_OUTPUT,
-          `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
+        logger.diagnostic({
+          severity: 'error',
+          code: ErrorCode.PII_IN_OUTPUT,
+          message:
+            `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
             privatePaths.map((p) => `'${p}'`).join(', ') +
             `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
-            `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`
-        )
+            `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`,
+        })
       }
     }
   }

package/src/add/add-workflow-fanout.test.ts

@@ -0,0 +1,106 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import type { InspectorLogger } from '../types.js'
+
+function makeLogger(
+  criticals: Array<{ code: string; message: string }>
+): InspectorLogger {
+  return {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
+    critical: (code: any, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }
+}
+
+const STEP_FILE = [
+  "import { pikkuSessionlessFunc } from '@pikku/core'",
+  'export const processEventLeadsStep = pikkuSessionlessFunc({',
+  '  func: async ({ logger }) => ({ persistedCount: 1 }),',
+  '})',
+].join('\n')
+
+describe('addWorkflow — Promise.all fanout RPC detection', () => {
+  test('registers fanout RPC when captured with `const x = await Promise.all(map(...))`', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-fanout-const-'))
+    const wfFile = join(rootDir, 'leads.workflow.ts')
+    const stepFile = join(rootDir, 'leads.steps.ts')
+
+    await writeFile(stepFile, STEP_FILE)
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const extractLeadsWorkflow = pikkuWorkflowFunc(async (_, data, { workflow }) => {',
+        '  const events = [{ id: "a", name: "x" }]',
+        '  const processed = await Promise.all(',
+        '    events.map((event) =>',
+        "      workflow.do(`Enrich event ${event.id ?? event.name}`, 'processEventLeadsStep', { event })",
+        '    )',
+        '  )',
+        '  return { count: processed.length }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('processEventLeadsStep'),
+        'processEventLeadsStep should be registered when fanout is captured with const'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('registers fanout RPC with string-concatenation (`+`) step name, same as template literal', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-fanout-concat-'))
+    const wfFile = join(rootDir, 'leads.workflow.ts')
+    const stepFile = join(rootDir, 'leads.steps.ts')
+
+    await writeFile(stepFile, STEP_FILE)
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const extractLeadsWorkflow = pikkuWorkflowFunc(async (_, data, { workflow }) => {',
+        '  const events = [{ id: "a", name: "x" }]',
+        '  await Promise.all(',
+        '    events.map((event) =>',
+        "      workflow.do('Enrich event ' + (event.id ?? event.name), 'processEventLeadsStep', { event })",
+        '    )',
+        '  )',
+        '  return { ok: true }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('processEventLeadsStep'),
+        'processEventLeadsStep should be registered even when the step name uses `+` concatenation with a non-static operand'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-workflow.test.ts

@@ -14,6 +14,9 @@ function makeLogger(
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: any, message: string) => {
       criticals.push({ code, message })
     },

package/src/add/add-workflow.ts

@@ -16,6 +16,20 @@ import {
   getPropertyValue,
 } from '../utils/get-property-value.js'
 import { extractDSLWorkflow } from '../utils/workflow/dsl/extract-dsl-workflow.js'
+import { getSourceText } from '../utils/workflow/dsl/patterns.js'
+
+/**
+ * Extract a workflow step's display name without letting a non-static name
+ * (e.g. a function call) abort the scan. The step name is cosmetic, so a
+ * resolution failure must never prevent the RPC from being registered.
+ */
+function extractStepName(node: ts.Node, checker: ts.TypeChecker): string {
+  try {
+    return extractStringLiteral(node, checker)
+  } catch {
+    return getSourceText(node)
+  }
+}
 
 /**
  * Recursively check if any step has inline type (non-serializable)
@@ -99,7 +113,7 @@ function getWorkflowInvocations(
           const optionsArg =
             args.length >= 4 ? args[args.length - 1] : undefined
 
-          const stepName = extractStringLiteral(stepNameArg, checker)
+          const stepName = extractStepName(stepNameArg, checker)
           const description =
             extractDescription(optionsArg, checker) ?? undefined
 
@@ -126,7 +140,7 @@ function getWorkflowInvocations(
           const stepNameArg = args[0]
           const durationArg = args[1]
 
-          const stepName = extractStringLiteral(stepNameArg, checker)
+          const stepName = extractStepName(stepNameArg, checker)
           const duration = extractDuration(durationArg, checker)
 
           steps.push({

package/src/add/pii-check.test.ts

@@ -10,12 +10,16 @@ import type { InspectorLogger } from '../types.js'
 // ── helpers ──────────────────────────────────────────────────────────────────
 
 function makeLogger() {
+  // Collects every coded diagnostic regardless of severity. PKU910 is now
+  // emitted at 'error' severity (surface, don't block the dev server) so it
+  // arrives via `diagnostic`, not `critical`.
   const criticals: Array<{ code: ErrorCode; message: string }> = []
   const logger: InspectorLogger = {
     debug: () => {},
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => criticals.push({ code, message }),
     critical: (code, message) => criticals.push({ code, message }),
     hasCriticalErrors: () => criticals.length > 0,
   }

package/src/add/wire-name-literal.test.ts

@@ -13,6 +13,9 @@ const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: ErrorCode, message: string) => {
       criticals.push({ code, message })
     },

package/src/error-codes.ts

@@ -85,3 +85,17 @@ export enum ErrorCode {
   // Data classification errors
   PII_IN_OUTPUT = 'PKU910',
 }
+
+/**
+ * Severity of a tracked, coded diagnostic. `critical` always blocks the build;
+ * `error`/`warn` only block when the CLI is told to via `--fail-on-error` /
+ * `--fail-on-warn` (default: critical only). All severities are still printed.
+ */
+export type DiagnosticSeverity = 'warn' | 'error' | 'critical'
+
+/** A coded diagnostic emitted via `logger.diagnostic(...)`. */
+export interface CodedDiagnostic {
+  severity: DiagnosticSeverity
+  code: ErrorCode
+  message: string
+}

package/src/index.ts

@@ -3,6 +3,7 @@ export type { TypesMap } from './types-map.js'
 export type * from './types.js'
 export type { FilesAndMethodsErrors } from './utils/get-files-and-methods.js'
 export { ErrorCode } from './error-codes.js'
+export type { DiagnosticSeverity, CodedDiagnostic } from './error-codes.js'
 export { AUTH_HANDLER_FUNC_ID } from './add/add-auth.js'
 export {
   serializeInspectorState,

package/src/inspector.ts

@@ -256,9 +256,16 @@ export const inspect = async (
   const rootDir = options.rootDir || findCommonAncestor(routeFiles)
 
   const startSourceFiles = performance.now()
+  // node_modules under rootDir (e.g. a locally-installed addon) is a
+  // dependency, not project source — scanning it double-counts the addon's
+  // own application types (CoreConfig/Services/SingletonServices).
   const sourceFiles = program
     .getSourceFiles()
-    .filter((sf) => sf.fileName.startsWith(rootDir))
+    .filter(
+      (sf) =>
+        sf.fileName.startsWith(rootDir) &&
+        !sf.fileName.includes('/node_modules/')
+    )
   logger.debug(
     `Got source files in ${(performance.now() - startSourceFiles).toFixed(2)}ms`
   )

package/src/types.ts

@@ -25,7 +25,7 @@ import type {
   JSONValue,
 } from '@pikku/core'
 import type { OpenAPISpecInfo } from './utils/serialize-openapi-json.js'
-import type { ErrorCode } from './error-codes.js'
+import type { ErrorCode, CodedDiagnostic } from './error-codes.js'
 import type {
   VersionManifest,
   VersionValidateError,
@@ -238,6 +238,15 @@ export interface InspectorLogger {
   error: (message: string) => void
   warn: (message: string) => void
   debug: (message: string) => void
+  /**
+   * Emit a tracked, coded diagnostic. It is recorded and printed; `error`/`warn`
+   * only block the build when the CLI is run with `--fail-on-error` /
+   * `--fail-on-warn` (default: critical only). Use this for issues worth
+   * surfacing (e.g. data-classification leaks) that should not stop the dev
+   * server from starting.
+   */
+  diagnostic: (diagnostic: CodedDiagnostic) => void
+  /** Sugar for `diagnostic({ severity: 'critical', code, message })`. */
   critical: (code: ErrorCode, message: string) => void
   hasCriticalErrors: () => boolean
 }