fallow 2.101.0 → 2.103.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "fallow",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.103.0",
|
|
4
4
|
"description": "Deterministic codebase intelligence for TypeScript and JavaScript. Quality, risk, architecture, dependencies, duplication, and safe cleanup evidence for humans, CI, and agents. Optional runtime intelligence layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, zero-config framework support.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -80,16 +80,16 @@
|
|
|
80
80
|
"detect-libc": "2.1.2"
|
|
81
81
|
},
|
|
82
82
|
"devDependencies": {
|
|
83
|
-
"@tanstack/intent": "0.
|
|
83
|
+
"@tanstack/intent": "0.1.1"
|
|
84
84
|
},
|
|
85
85
|
"optionalDependencies": {
|
|
86
|
-
"@fallow-cli/darwin-arm64": "2.
|
|
87
|
-
"@fallow-cli/darwin-x64": "2.
|
|
88
|
-
"@fallow-cli/linux-x64-gnu": "2.
|
|
89
|
-
"@fallow-cli/linux-arm64-gnu": "2.
|
|
90
|
-
"@fallow-cli/linux-x64-musl": "2.
|
|
91
|
-
"@fallow-cli/linux-arm64-musl": "2.
|
|
92
|
-
"@fallow-cli/win32-arm64-msvc": "2.
|
|
93
|
-
"@fallow-cli/win32-x64-msvc": "2.
|
|
86
|
+
"@fallow-cli/darwin-arm64": "2.103.0",
|
|
87
|
+
"@fallow-cli/darwin-x64": "2.103.0",
|
|
88
|
+
"@fallow-cli/linux-x64-gnu": "2.103.0",
|
|
89
|
+
"@fallow-cli/linux-arm64-gnu": "2.103.0",
|
|
90
|
+
"@fallow-cli/linux-x64-musl": "2.103.0",
|
|
91
|
+
"@fallow-cli/linux-arm64-musl": "2.103.0",
|
|
92
|
+
"@fallow-cli/win32-arm64-msvc": "2.103.0",
|
|
93
|
+
"@fallow-cli/win32-x64-msvc": "2.103.0"
|
|
94
94
|
}
|
|
95
95
|
}
|
package/skills/fallow/SKILL.md
CHANGED
|
@@ -13,7 +13,6 @@ metadata:
|
|
|
13
13
|
Codebase intelligence for JavaScript and TypeScript. The free static layer reports quality, changed-code risk, cleanup opportunities, circular dependencies, code duplication, complexity hotspots, architecture boundary violations, feature flag patterns, and opt-in security candidates. Runtime coverage merges production execution data into the same `fallow health` report for hot-path review, cold-path deletion confidence, and stale-flag evidence, with a single local capture available by default and continuous/cloud runtime monitoring available as an optional mode. 122 framework plugins, zero configuration, sub-second static analysis.
|
|
14
14
|
|
|
15
15
|
## When to Use
|
|
16
|
-
|
|
17
16
|
- Finding cleanup opportunities (unused files, exports, types, enum/class members)
|
|
18
17
|
- Finding unused or unlisted dependencies
|
|
19
18
|
- Detecting code duplication and clones
|
|
@@ -32,7 +31,6 @@ Codebase intelligence for JavaScript and TypeScript. The free static layer repor
|
|
|
32
31
|
- Reviewing what fallow has surfaced over time (`fallow impact`)
|
|
33
32
|
|
|
34
33
|
## When NOT to Use
|
|
35
|
-
|
|
36
34
|
- Runtime error analysis or debugging
|
|
37
35
|
- Type checking (use `tsc` for that)
|
|
38
36
|
- Linting style or formatting issues (use ESLint, Biome, Prettier)
|
|
@@ -96,6 +94,7 @@ Route by intent before reaching for the big analysis commands. Same matrix as `f
|
|
|
96
94
|
| `dead-code` | Dead code analysis (`check` is an alias) | `--unused-exports`, `--changed-since`, `--changed-workspaces`, `--production`, `--file`, `--include-entry-exports`, `--stale-suppressions`, `--ci`, `--group-by`, `--summary`, `--fail-on-regression`, `--tolerance`, `--regression-baseline`, `--save-regression-baseline` |
|
|
97
95
|
| `watch` | Watch for changes and re-run analysis | `--no-clear` |
|
|
98
96
|
| `inspect` | Compose one evidence bundle for a file or exported symbol | `--file <path>`, `--symbol <file>:<export>` |
|
|
97
|
+
| `trace` | Trace a symbol's call chain (best-effort, syntactic; OFF the ranked path) | `symbol`, `--callers`, `--callees`, `--depth` |
|
|
99
98
|
| `fix` | Auto-remove unused exports/deps | `--dry-run`, `--yes` (required in non-TTY) |
|
|
100
99
|
| `init` | Generate config file, AGENTS.md agent guide, or pre-commit hook | `--toml`, `--agents`, `--hooks`, `--branch` |
|
|
101
100
|
| `hooks` | Inspect, install, or remove fallow-managed Git and agent hooks | `status`, `install --target git`, `install --target agent`, `uninstall --target git`, `uninstall --target agent` |
|
|
@@ -108,10 +107,11 @@ Route by intent before reaching for the big analysis commands. Same matrix as `f
|
|
|
108
107
|
| `list` | Inspect project structure | `--files`, `--entry-points`, `--plugins`, `--boundaries`, `--workspaces` |
|
|
109
108
|
| `workspaces` | Inspect monorepo workspaces + discovery diagnostics (shorthand for `list --workspaces`) | (no flags) |
|
|
110
109
|
| `dupes` | Code duplication detection | `--mode`, `--threshold`, `--top`, `--changed-since`, `--workspace`, `--changed-workspaces`, `--skip-local`, `--cross-language`, `--ignore-imports`, `--no-ignore-imports`, `--explain-skipped`, `--fail-on-regression`, `--tolerance`, `--regression-baseline`, `--save-regression-baseline` |
|
|
111
|
-
| `health` | Function complexity analysis (also covers Angular templates as synthetic `<template>` findings: external `.html` files via `templateUrl` AND inline `@Component({ template: \`...\` })` literals; suppress external with `<!-- fallow-ignore-file complexity -->` at the top of the `.html` file, suppress inline with `// fallow-ignore-next-line complexity` directly above the `@Component` decorator) | `--complexity`, `--max-cyclomatic`, `--max-cognitive`, `--max-crap`, `--top`, `--sort`, `--file-scores`, `--hotspots`, `--ownership`, `--ownership-emails`, `--targets`, `--effort`, `--score`, `--min-score`, `--since`, `--min-commits`, `--save-snapshot`, `--trend`, `--coverage-gaps`, `--coverage`, `--coverage-root`, `--runtime-coverage`, `--min-invocations-hot`, `--min-observation-volume`, `--low-traffic-threshold`, `--workspace`, `--changed-workspaces`, `--baseline`, `--save-baseline` |
|
|
110
|
+
| `health` | Function complexity analysis (also covers Angular templates as synthetic `<template>` findings: external `.html` files via `templateUrl` AND inline `@Component({ template: \`...\` })` literals; suppress external with `<!-- fallow-ignore-file complexity -->` at the top of the `.html` file, suppress inline with `// fallow-ignore-next-line complexity` directly above the `@Component` decorator) | `--complexity`, `--max-cyclomatic`, `--max-cognitive`, `--max-crap`, `--top`, `--sort`, `--file-scores`, `--hotspots`, `--ownership`, `--ownership-emails`, `--targets`, `--effort`, `--score`, `--min-score`, `--since`, `--min-commits`, `--save-snapshot`, `--trend`, `--coverage-gaps`, `--coverage`, `--coverage-root`, `--runtime-coverage`, `--min-invocations-hot`, `--min-observation-volume`, `--low-traffic-threshold`, `--css`, `--complexity-breakdown`, `--min-severity`, `--report-only`, `--workspace`, `--changed-workspaces`, `--baseline`, `--save-baseline` |
|
|
112
111
|
| `flags` | Detect feature flag patterns (env vars, SDK calls, config objects) | `--top` |
|
|
113
112
|
| `explain` | Explain one issue type without running analysis | `<issue-type>`, `--format json` |
|
|
114
|
-
| `audit` | Combined dead-code + complexity + duplication for changed files | `--base`, `--gate`, `--production`, `--production-dead-code`, `--production-health`, `--production-dupes`, `--workspace`, `--changed-workspaces`, `--ci`, `--fail-on-issues`, `--explain`, `--explain-skipped`, `--dead-code-baseline`, `--health-baseline`, `--dupes-baseline`, `--max-crap`, `--coverage`, `--coverage-root`, `--include-entry-exports` |
|
|
113
|
+
| `audit` | Combined dead-code + complexity + duplication for changed files, returns a verdict; `fallow review` is an alias for `fallow audit --brief` (advisory orientation brief, always exits 0) | `--base`, `--gate`, `--brief`, `--max-decisions`, `--walkthrough-guide`, `--walkthrough-file`, `--show-deprioritized`, `--production`, `--production-dead-code`, `--production-health`, `--production-dupes`, `--workspace`, `--changed-workspaces`, `--ci`, `--fail-on-issues`, `--explain`, `--explain-skipped`, `--dead-code-baseline`, `--health-baseline`, `--dupes-baseline`, `--max-crap`, `--coverage`, `--coverage-root`, `--include-entry-exports` |
|
|
114
|
+
| `decision-surface` | Surface the consequential structural DECISIONS a change embeds (the apex of the review brief), each framed as a judgment question with the routed expert to ask | `--max-decisions` |
|
|
115
115
|
| `impact` | Show what fallow has done for you: how many issues it is surfacing, the trend since the last recorded run, and how many commits it contained at the pre-commit gate | `--all`, `--sort`, `--limit` |
|
|
116
116
|
| `security` | Surface opt-in local security candidates for agent verification (not confirmed vulnerabilities). Rule families include the graph rule `client-server-leak`, a data-driven `tainted-sink` catalogue, and the include-required `hardcoded-secret` category for provider-prefix credentials and high-entropy literals assigned to secret-shaped identifiers. Most catalogue rows require non-literal input; narrowly literal-aware rows flag deterministic unsafe literals. Rules default off; suppress a file with `// fallow-ignore-file security-sink`; scope categories with `security.categories`. Add project-local request object names with `security.requestReceivers`; it extends the built-in `req` / `request` / `ctx` / `context` / `event` allowlist for HTTP `query`, `params`, and `body` reads. `hardcoded-secret` runs only when listed in `security.categories.include`. | `--format human\|json\|sarif`, `--changed-since`, `--file`, `--diff-file`, `--workspace`, `--changed-workspaces`, `--surface`, `--ci`, `--fail-on-issues`, `--sarif-file`, `--summary` |
|
|
117
117
|
| `schema` | Dump CLI definition as JSON | |
|
|
@@ -149,10 +149,11 @@ Run `fallow <command> --help` for the full flag list per command (see also refer
|
|
|
149
149
|
| `circular-dependency` | `--circular-deps` | - | `// fallow-ignore-next-line circular-dependency` | Import cycles in the module graph |
|
|
150
150
|
| `re-export-cycle` | `--re-export-cycles` | - | `// fallow-ignore-file re-export-cycle` | Barrel files re-exporting from each other in a loop (`kind: "multi-node"`) or a barrel re-exporting from itself (`kind: "self-loop"`). Chain propagation through the loop is a structural no-op so imports through any member may silently come up empty. Default `warn`. Distinct from `circular-dependencies` (runtime cycles, sometimes intentional). File-scoped suppression only: `// fallow-ignore-file re-export-cycle` on any member breaks the cycle. |
|
|
151
151
|
| `boundary-violation` | `--boundary-violations` | - | `// fallow-ignore-next-line boundary-violation` | Imports crossing architecture zone boundaries. Presets: `layered`, `hexagonal`, `feature-sliced`, `bulletproof`; `autoDiscover` can create one zone per feature directory; per-rule `allowTypeOnly: [zones]` admits `import type` / `export type` crossings while still blocking value imports. Optional sections: `boundaries.coverage.requireAllFiles` reports unzoned source files (`allowUnmatched` globs exempt intentional ones), and `boundaries.calls.forbidden` bans callee patterns per zone (segment-aware and import-resolved, so `child_process.*` covers `node:child_process` named/namespace/default imports; direct callees only, zoned files only). The whole family shares the `boundary-violation` rule and suppression token (`boundary-call-violation` and `boundary-call-violations` accepted as aliases); start the rule at `warn` for a staged rollout |
|
|
152
|
-
| `boundary-coverage` | - | - | `// fallow-ignore-file boundary-violation` | Source file matches no configured architecture boundary zone; Requires boundaries.coverage.requireAllFiles |
|
|
153
|
-
| `boundary-call-violation` | - | - | `// fallow-ignore-next-line boundary-call-violation` | Zoned file calls a callee its zone forbids; Requires boundaries.calls.forbidden patterns |
|
|
152
|
+
| `boundary-coverage` | `--boundary-violations` | - | `// fallow-ignore-file boundary-violation` | Source file matches no configured architecture boundary zone; Requires boundaries.coverage.requireAllFiles |
|
|
153
|
+
| `boundary-call-violation` | `--boundary-violations` | - | `// fallow-ignore-next-line boundary-call-violation` | Zoned file calls a callee its zone forbids; Requires boundaries.calls.forbidden patterns |
|
|
154
154
|
| `policy-violation` | `--policy-violations` | - | `// fallow-ignore-next-line policy-violation` | Calls, imports, or catalogue-derived effects banned by a declarative rule pack (`rulePacks` config key lists standalone JSON/JSONC files of `banned-call`, `banned-import`, and `banned-effect` rules; pure data, no project code executes). Findings identified as `<pack>/<rule-id>`. Default `warn` master; per-rule `severity` overrides per finding and the exit gate reads the effective severity. Invalid or missing packs fail config load with exit 2. `fallow rule-pack-schema` prints the pack JSON Schema. Use the scoped token to suppress one rule; bare `policy-violation` still covers every pack rule on the line or file. |
|
|
155
155
|
| `stale-suppression` | `--stale-suppressions` | - | - | `fallow-ignore` comments or `@expected-unused` JSDoc tags that no longer match any issue |
|
|
156
|
+
| `missing-suppression-reason` | - | - | - | Suppression comment omits a required reason |
|
|
156
157
|
| `unused-catalog-entry` | `--unused-catalog-entries` | yes | - | `pnpm-workspace.yaml` entries no workspace package.json references via `catalog:` (default `warn`) |
|
|
157
158
|
| `empty-catalog-group` | `--empty-catalog-groups` | - | - | Named `catalogs.<name>:` groups in `pnpm-workspace.yaml` with no entries. Top-level `catalog:` placeholders are ignored. Default `warn`. |
|
|
158
159
|
| `unresolved-catalog-reference` | `--unresolved-catalog-references` | - | - | `package.json` references to `catalog:` / `catalog:<name>` whose catalog does not declare the package; `pnpm install` would fail. Default `error`. Suppress via `ignoreCatalogReferences: [{ package, catalog?, consumer? }]` in fallow config (package.json has no comment syntax). |
|
|
@@ -211,6 +212,7 @@ When using fallow via MCP (`fallow-mcp`), the following tools are available:
|
|
|
211
212
|
| `get_importance` | runtime-coverage | freemium | `coverage`, `group_by` | Runtime-context slice for production-importance review. Same params as `check_runtime_coverage`; read `runtime_coverage.importance` for stable `fallow:importance:<hash>` IDs, invocations, cyclomatic complexity, owner count, 0-100 score, and templated reason. |
|
|
212
213
|
| `get_cleanup_candidates` | runtime-coverage | freemium | `coverage`, `group_by` | Runtime-context slice for cleanup review. Same params as `check_runtime_coverage`; read `runtime_coverage.findings` for `safe_to_delete`, `review_required`, `low_traffic`, and `coverage_unavailable`. |
|
|
213
214
|
| `audit` | analysis | free | `gate`, `base`, `max_crap`, `coverage`, `runtime_coverage` | Combined dead-code + complexity + duplication for changed files, returns verdict. Set `gate` to `"new-only"` or `"all"`. Optional `runtime_coverage` (V8 dir / V8 JSON / Istanbul JSON) folds runtime findings into the same call; `min_invocations_hot` tunes the hot-path threshold (default 100). Runtime evidence appears under the audit `complexity` sub-result, including `coverage_intelligence` when combined evidence yields actionable recommendations. |
|
|
215
|
+
| `decision_surface` | analysis | free | `base`, `max_decisions`, `workspace` | Surface the few consequential structural decisions a change embeds (coupling, public API, dependency), each as a judgment question with the routed expert; ranked, capped, and signal_id-anchored |
|
|
214
216
|
| `fallow_explain` | introspection | free | `issue_type` | Explain one issue type without running analysis. Required `issue_type`; returns rationale, examples, fix guidance, and docs URL |
|
|
215
217
|
| `fix_preview` | fix | free | `no_create_config` | Dry-run auto-fix preview |
|
|
216
218
|
| `fix_apply` | fix | free | `no_create_config` | Apply auto-fixes (destructive) |
|
|
@@ -441,7 +443,7 @@ When `--format json` is active and exit code is 2, errors are emitted as JSON on
|
|
|
441
443
|
|
|
442
444
|
## Configuration
|
|
443
445
|
|
|
444
|
-
Fallow reads config from project root: `.fallowrc.json` > `.fallowrc.jsonc` > `fallow.toml` > `.fallow.toml`. Both `.fallowrc.json` and `.fallowrc.jsonc` accept JSON-with-comments syntax (same parser); the `.jsonc` extension lets editors auto-detect JSONC syntax highlighting. Most projects work with zero configuration thanks to
|
|
446
|
+
Fallow reads config from project root: `.fallowrc.json` > `.fallowrc.jsonc` > `fallow.toml` > `.fallow.toml`. Both `.fallowrc.json` and `.fallowrc.jsonc` accept JSON-with-comments syntax (same parser); the `.jsonc` extension lets editors auto-detect JSONC syntax highlighting. Most projects work with zero configuration thanks to 122 auto-detecting framework plugins.
|
|
445
447
|
|
|
446
448
|
```jsonc
|
|
447
449
|
{
|
|
@@ -17,6 +17,8 @@ Complete command and flag specifications for all fallow CLI commands.
|
|
|
17
17
|
- [`flags`: Feature Flag Detection](#flags-feature-flag-detection)
|
|
18
18
|
- [`security`: Security Candidate Detection](#security-security-candidate-detection)
|
|
19
19
|
- [`inspect`: Target Evidence Bundle](#inspect-target-evidence-bundle)
|
|
20
|
+
- [`trace`: Symbol Call Chains](#trace-symbol-call-chains)
|
|
21
|
+
- [`decision-surface`: Structural Decisions](#decision-surface-structural-decisions)
|
|
20
22
|
- [`explain`: Rule Explanation](#explain-rule-explanation)
|
|
21
23
|
- [`schema`: CLI Introspection](#schema-cli-introspection)
|
|
22
24
|
- [`config-schema`: Config JSON Schema](#config-schema-config-json-schema)
|
|
@@ -45,6 +47,7 @@ Analyzes the project for unused files, exports, dependencies, types, members, an
|
|
|
45
47
|
| `--trace` | `string` | - | Trace export usage chain |
|
|
46
48
|
| `--trace-file` | `string` | - | Show all edges for a file |
|
|
47
49
|
| `--trace-dependency` | `string` | - | Trace where a dependency is used |
|
|
50
|
+
| `--impact-closure` | `string` | - | Compute the impact closure for a file (the transitive affected-but-not-in-diff set + coordination gap). Walks reverse-deps and re-export chains; powers the `inspect_target` MCP tool |
|
|
48
51
|
| `--top` | `string` | - | Show only the top N items per category |
|
|
49
52
|
| `--file` | `string` | - | Scope output to specific files. Only issues in the specified files are reported. Project-wide dependency issues are suppressed. Warns on non-existent paths. Useful for lint-staged |
|
|
50
53
|
|
|
@@ -505,7 +508,7 @@ fallow health --format json --quiet --trend
|
|
|
505
508
|
{
|
|
506
509
|
"kind": "health",
|
|
507
510
|
"schema_version": 7,
|
|
508
|
-
"version": "2.
|
|
511
|
+
"version": "2.103.0",
|
|
509
512
|
"elapsed_ms": 32,
|
|
510
513
|
"summary": {
|
|
511
514
|
"files_analyzed": 482,
|
|
@@ -828,6 +831,11 @@ Audits changed files for dead code, complexity, and duplication. Returns a verdi
|
|
|
828
831
|
| `--runtime-coverage` | `string` | - | Paid runtime-coverage sidecar input. Accepts a V8 directory, a single V8 JSON file, or an Istanbul coverage map JSON. Spawns the `fallow-cov` sidecar as part of the audit pipeline so the `hot-path-touched` verdict surfaces alongside dead-code and complexity findings without requiring a second `fallow health` invocation in CI. License-gated; the verdict is informational (no exit code change) until a future `--gate hot-path-touched` knob lands |
|
|
829
832
|
| `--min-invocations-hot` | `string` | `100` | Threshold for hot-path classification, forwarded to the sidecar when `--runtime-coverage` is set |
|
|
830
833
|
| `--gate-marker` | `string` | - | Internal marker identifying a gate run (e.g. `pre-commit`), set by the generated git hook so Fallow Impact can record a containment event when the gate blocks then clears. Hidden; never changes the verdict, exit code, or output |
|
|
834
|
+
| `--brief` | `bool` | `false` | Render the deterministic review brief instead of the gating audit report. The brief answers "where do I look?" rather than "will CI block this?", runs the same analysis, and ALWAYS exits 0 (the verdict is carried informationally). Implied by `fallow review`. Orthogonal to `--format` |
|
|
835
|
+
| `--max-decisions` | `string` | `4` | Cap on the number of consequential structural decisions surfaced in the review brief's decision surface (the working-memory limit). Default 4; clamped to the 3-5 band (4 plus or minus 1). Only consulted on the brief path |
|
|
836
|
+
| `--walkthrough-guide` | `bool` | `false` | Emit the agent-contract WALKTHROUGH GUIDE: the current digest (brief + decision surface), the review direction, the JSON schema the agent must return, and a deterministic graph-snapshot hash pinned into the digest. The digest is built from the graph only (PR prose is never folded in, so it is injection-resistant). Implies the brief; always exits 0. A thin agent skill calls this to fetch the current guide, produces judgment JSON, then reopens with `--walkthrough-file` |
|
|
837
|
+
| `--walkthrough-file` | `string` | - | Ingest an agent's judgment JSON and POST-VALIDATE it against the LIVE graph. Rejects any judgment whose `signal_id` fallow did not emit (anti-hallucination); refuses the whole payload as stale when the echoed graph-snapshot hash no longer matches (the tree moved). The verifier is the graph, not a second model. Implies the brief; always exits 0. The agent's free-text framing is fenced as non-deterministic and never gates or auto-posts |
|
|
838
|
+
| `--show-deprioritized` | `bool` | `false` | Expand the de-prioritized units in the review brief's weighted focus map ("show me what you de-prioritized"). The `deprioritized` escape-hatch list is ALWAYS present in `--format json` regardless; this flag only re-expands the collapse-by-default human focus render. Only consulted on the brief path |
|
|
831
839
|
|
|
832
840
|
Common global flags for this command: [`--format`](#global-flags), [`--quiet`](#global-flags), [`--changed-since`](#global-flags), [`--diff-file`](#global-flags), [`--diff-stdin`](#global-flags), [`--workspace`](#global-flags), [`--changed-workspaces`](#global-flags), [`--group-by`](#global-flags), [`--output-file`](#global-flags).
|
|
833
841
|
<!-- generated:flags:audit:end -->
|
|
@@ -892,7 +900,7 @@ fallow audit \
|
|
|
892
900
|
{
|
|
893
901
|
"kind": "audit",
|
|
894
902
|
"schema_version": 7,
|
|
895
|
-
"version": "2.
|
|
903
|
+
"version": "2.103.0",
|
|
896
904
|
"command": "audit",
|
|
897
905
|
"verdict": "fail",
|
|
898
906
|
"changed_files_count": 12,
|
|
@@ -967,7 +975,7 @@ fallow flags --format json --quiet --workspace my-package
|
|
|
967
975
|
```json
|
|
968
976
|
{
|
|
969
977
|
"schema_version": 7,
|
|
970
|
-
"version": "2.
|
|
978
|
+
"version": "2.103.0",
|
|
971
979
|
"elapsed_ms": 116,
|
|
972
980
|
"feature_flags": [],
|
|
973
981
|
"total_flags": 0
|
|
@@ -1030,6 +1038,7 @@ The second rule family is a data-driven `tainted-sink` catalogue: syntactic dang
|
|
|
1030
1038
|
| `secret-pii-log` | 532 | source-backed secrets or request PII reaching logs |
|
|
1031
1039
|
| `hardcoded-secret` | 798 | provider-prefix credentials and high-entropy literals assigned to secret-shaped identifiers (include-required) |
|
|
1032
1040
|
| `secret-to-network` | 201 | a non-public `process.env` / `import.meta.env` secret reaching a network call body (`fetch` / `axios` / `got` / ...) via same-identifier flow (include-required) |
|
|
1041
|
+
| `llm-call-injection` | 1427 | an untrusted source reaching the prompt/messages argument of a known LLM-call sink (taint-path gated, pinned to distinctive LLM SDK call shapes) |
|
|
1033
1042
|
| `xpath-injection` | 643 | `xpath.select` / `select1` with a non-literal expression |
|
|
1034
1043
|
|
|
1035
1044
|
Build-config and test files are excluded from candidate generation. Security rule families default to `off` and are surfaced only by `fallow security`, never under bare `fallow` or the `audit` gate. Scope which catalogue categories run with `security.categories` include / exclude lists in config. Add project-local request object names with `security.requestReceivers`; it extends the built-in `req` / `request` / `ctx` / `context` / `event` allowlist for HTTP `query`, `params`, and `body` reads. The setting is additive only and does not gate `*.searchParams`. `hardcoded-secret` and `secret-to-network` are intentionally include-required and only run when listed in `security.categories.include` (`secret-to-network` is opt-in because legitimate auth is also a secret reaching a network call). Public-by-convention env vars (`NEXT_PUBLIC_`, `VITE_`, ...) are never treated as secrets.
|
|
@@ -1067,7 +1076,7 @@ fallow security --gate newly-reachable --changed-since origin/main
|
|
|
1067
1076
|
{
|
|
1068
1077
|
"kind": "security",
|
|
1069
1078
|
"schema_version": "4",
|
|
1070
|
-
"version": "2.
|
|
1079
|
+
"version": "2.103.0",
|
|
1071
1080
|
"elapsed_ms": 42,
|
|
1072
1081
|
"config": {
|
|
1073
1082
|
"rules": {
|
|
@@ -1096,7 +1105,7 @@ fallow security --gate newly-reachable --changed-since origin/main
|
|
|
1096
1105
|
{
|
|
1097
1106
|
"kind": "security",
|
|
1098
1107
|
"schema_version": "4",
|
|
1099
|
-
"version": "2.
|
|
1108
|
+
"version": "2.103.0",
|
|
1100
1109
|
"elapsed_ms": 42,
|
|
1101
1110
|
"config": {
|
|
1102
1111
|
"rules": {
|
|
@@ -1209,6 +1218,48 @@ Each evidence section carries `status` and `scope`. Non-fatal child-analysis fai
|
|
|
1209
1218
|
|
|
1210
1219
|
---
|
|
1211
1220
|
|
|
1221
|
+
## `trace`: Symbol Call Chains
|
|
1222
|
+
|
|
1223
|
+
Walk the callers and callees of one exported symbol through the module graph. Callers are the modules that import the symbol (walked up); callees are the symbol's module's import-symbol edges plus its intra-module call sites (walked down). Best-effort and syntactic per ADR-001: resolved and unresolved callees are reported honestly, never silently dropped. This is its own surface, never folded into the ranked review brief.
|
|
1224
|
+
|
|
1225
|
+
The target is a positional argument, formatted as `FILE:SYMBOL` (for example `src/utils.ts:formatDate`). When neither `--callers` nor `--callees` is given, both directions are walked.
|
|
1226
|
+
|
|
1227
|
+
```bash
|
|
1228
|
+
fallow trace src/utils.ts:formatDate
|
|
1229
|
+
fallow trace src/utils.ts:formatDate --callers --depth 3
|
|
1230
|
+
```
|
|
1231
|
+
|
|
1232
|
+
<!-- generated:flags:trace:start -->
|
|
1233
|
+
| Flag | Type | Default | Description |
|
|
1234
|
+
|---|---|---|---|
|
|
1235
|
+
| `--callers` | `bool` | `false` | Walk UP to callers (modules that import the symbol). When neither `--callers` nor `--callees` is set, both directions are walked |
|
|
1236
|
+
| `--callees` | `bool` | `false` | Walk DOWN to callees (the symbol's module's import-symbol edges plus unresolved call sites). When neither flag is set, both are walked |
|
|
1237
|
+
| `--depth` | `string` | - | Chain depth bound for both directions (default 2). Symbol-level is best-effort, so a shallow bound keeps the trace legible |
|
|
1238
|
+
|
|
1239
|
+
Common global flags for this command: [`--format`](#global-flags), [`--quiet`](#global-flags), [`--root`](#global-flags), [`--config`](#global-flags).
|
|
1240
|
+
<!-- generated:flags:trace:end -->
|
|
1241
|
+
|
|
1242
|
+
---
|
|
1243
|
+
|
|
1244
|
+
## `decision-surface`: Structural Decisions
|
|
1245
|
+
|
|
1246
|
+
Surface only the consequential structural decisions a change embeds (the apex of the review brief): a ranked, capped (3 to 5, default 4) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask, plus a trade-off clause and the count of in-repo consumers that already depend on the anchor. Runs the same changed-code analysis as `fallow review` but emits only the decisions, separable and cheap. Always exits 0 (advisory, never a gate); every decision is suppressible with `// fallow-ignore`. Use `--base` / `--changed-since` to pick the comparison point, exactly like `fallow audit`.
|
|
1247
|
+
|
|
1248
|
+
```bash
|
|
1249
|
+
fallow decision-surface --base main
|
|
1250
|
+
fallow decision-surface --base main --format json --quiet
|
|
1251
|
+
```
|
|
1252
|
+
|
|
1253
|
+
<!-- generated:flags:decision-surface:start -->
|
|
1254
|
+
| Flag | Type | Default | Description |
|
|
1255
|
+
|---|---|---|---|
|
|
1256
|
+
| `--max-decisions` | `string` | `4` | Cap on the number of surfaced decisions (the working-memory limit). Default 4; clamped to the 3-5 band (4 plus or minus 1) |
|
|
1257
|
+
|
|
1258
|
+
Common global flags for this command: [`--changed-since`](#global-flags), [`--format`](#global-flags), [`--quiet`](#global-flags), [`--workspace`](#global-flags), [`--root`](#global-flags), [`--config`](#global-flags).
|
|
1259
|
+
<!-- generated:flags:decision-surface:end -->
|
|
1260
|
+
|
|
1261
|
+
---
|
|
1262
|
+
|
|
1212
1263
|
## `explain`: Rule Explanation
|
|
1213
1264
|
|
|
1214
1265
|
Print rule rationale, examples, fix guidance, and docs URL for one issue type without running analysis.
|
|
@@ -1762,7 +1813,7 @@ The HTTP layer mirrors the bash `gh_api_retry` / `curl_retry` helpers: `FALLOW_A
|
|
|
1762
1813
|
{
|
|
1763
1814
|
"kind": "dead-code",
|
|
1764
1815
|
"schema_version": 7,
|
|
1765
|
-
"version": "2.
|
|
1816
|
+
"version": "2.103.0",
|
|
1766
1817
|
"elapsed_ms": 45,
|
|
1767
1818
|
"total_issues": 12,
|
|
1768
1819
|
"entry_points": {
|
|
@@ -1922,7 +1973,7 @@ When `--baseline` is used in combined output, the JSON includes a `baseline_delt
|
|
|
1922
1973
|
{
|
|
1923
1974
|
"kind": "dupes",
|
|
1924
1975
|
"schema_version": 7,
|
|
1925
|
-
"version": "2.
|
|
1976
|
+
"version": "2.103.0",
|
|
1926
1977
|
"elapsed_ms": 82,
|
|
1927
1978
|
"total_clones": 15,
|
|
1928
1979
|
"total_lines_duplicated": 230,
|
|
@@ -1966,11 +2017,11 @@ When running `fallow` with no subcommand (all analyses), the JSON output combine
|
|
|
1966
2017
|
{
|
|
1967
2018
|
"kind": "combined",
|
|
1968
2019
|
"schema_version": 7,
|
|
1969
|
-
"version": "2.
|
|
2020
|
+
"version": "2.103.0",
|
|
1970
2021
|
"elapsed_ms": 159,
|
|
1971
2022
|
"check": {
|
|
1972
2023
|
"schema_version": 7,
|
|
1973
|
-
"version": "2.
|
|
2024
|
+
"version": "2.103.0",
|
|
1974
2025
|
"elapsed_ms": 45,
|
|
1975
2026
|
"total_issues": 12,
|
|
1976
2027
|
"unused_files": [],
|
|
@@ -23,7 +23,7 @@ Always preview with `--dry-run` before applying. This is a destructive operation
|
|
|
23
23
|
|
|
24
24
|
## Don't Create Config Unless Needed
|
|
25
25
|
|
|
26
|
-
Fallow works with zero configuration for most projects thanks to
|
|
26
|
+
Fallow works with zero configuration for most projects thanks to 122 auto-detecting framework plugins. Creating an unnecessary config file can mask issues or override detection behavior.
|
|
27
27
|
|
|
28
28
|
```bash
|
|
29
29
|
# WRONG: creating config for a standard Next.js project
|
|
@@ -67,7 +67,7 @@ The `--changed-since` flag limits analysis to files modified since a git ref. It
|
|
|
67
67
|
# This only shows issues in files changed since main
|
|
68
68
|
fallow dead-code --format json --quiet --changed-since main
|
|
69
69
|
|
|
70
|
-
# Same for duplication
|
|
70
|
+
# Same for duplication, only clone groups involving changed files
|
|
71
71
|
fallow dupes --format json --quiet --changed-since main
|
|
72
72
|
|
|
73
73
|
# This shows ALL issues in the project
|
|
@@ -577,7 +577,7 @@ Fallow detects production dependencies that are only imported from test files (`
|
|
|
577
577
|
// src/handlers.test.ts
|
|
578
578
|
import { setupServer } from 'msw/node'; // Flagged as test-only dependency
|
|
579
579
|
|
|
580
|
-
// src/app.ts
|
|
580
|
+
// src/app.ts: no imports of "msw" here
|
|
581
581
|
```
|
|
582
582
|
|
|
583
583
|
```bash
|
|
@@ -596,8 +596,8 @@ The `test-only-dependencies` rule defaults to `warn`. Suppress with `"test-only-
|
|
|
596
596
|
|
|
597
597
|
These are separate features and can be used independently or together:
|
|
598
598
|
|
|
599
|
-
- **`FALLOW_COMMENT: "true"
|
|
600
|
-
- **`FALLOW_REVIEW: "true"
|
|
599
|
+
- **`FALLOW_COMMENT: "true"`**: posts a single summary comment on the MR with issue counts and a findings table
|
|
600
|
+
- **`FALLOW_REVIEW: "true"`**: posts inline code review comments on the exact MR diff lines where issues were found
|
|
601
601
|
|
|
602
602
|
```yaml
|
|
603
603
|
# WRONG: expecting inline review comments from FALLOW_COMMENT
|
|
@@ -658,7 +658,7 @@ variables:
|
|
|
658
658
|
FALLOW_CHANGED_SINCE: "origin/main"
|
|
659
659
|
|
|
660
660
|
# CORRECT: let the template auto-detect
|
|
661
|
-
# (no FALLOW_CHANGED_SINCE needed
|
|
661
|
+
# (no FALLOW_CHANGED_SINCE needed, it reads the MR target branch)
|
|
662
662
|
```
|
|
663
663
|
|
|
664
664
|
Override `FALLOW_CHANGED_SINCE` only when you need a specific ref (e.g., a release branch) or want to disable auto-detection by setting it to an empty string.
|
|
@@ -669,4 +669,4 @@ Override `FALLOW_CHANGED_SINCE` only when you need a specific ref (e.g., a relea
|
|
|
669
669
|
|
|
670
670
|
The GitLab CI template auto-detects the project's package manager from lockfiles (`package-lock.json` for npm, `pnpm-lock.yaml` for pnpm, `yarn.lock` for yarn). MR comments and review comments use the correct commands for the detected manager.
|
|
671
671
|
|
|
672
|
-
This means review comments will show `pnpm remove lodash` instead of `npm uninstall lodash` in a pnpm project. No configuration is needed
|
|
672
|
+
This means review comments will show `pnpm remove lodash` instead of `npm uninstall lodash` in a pnpm project. No configuration is needed; detection is automatic.
|
|
@@ -222,7 +222,7 @@ fallow:
|
|
|
222
222
|
FALLOW_FAIL_ON_ISSUES: "true"
|
|
223
223
|
```
|
|
224
224
|
|
|
225
|
-
Generates Code Quality reports (inline MR annotations) automatically. In MR pipelines, `--changed-since` is automatically set to the target branch
|
|
225
|
+
Generates Code Quality reports (inline MR annotations) automatically. In MR pipelines, `--changed-since` is automatically set to the target branch; no manual configuration needed.
|
|
226
226
|
|
|
227
227
|
If runners cannot reach `raw.githubusercontent.com`, run `fallow ci-template gitlab --vendor`, commit the generated `ci/` and `action/` files, and use GitLab's local include syntax:
|
|
228
228
|
|
|
@@ -494,9 +494,9 @@ fallow dupes --format json --quiet
|
|
|
494
494
|
| jscpd | fallow |
|
|
495
495
|
|-------|--------|
|
|
496
496
|
| Default (exact tokens) | `strict` |
|
|
497
|
-
|
|
|
498
|
-
|
|
|
499
|
-
|
|
|
497
|
+
| n/a | `mild` (fallow default, syntax normalized) |
|
|
498
|
+
| n/a | `weak` (literal normalization) |
|
|
499
|
+
| n/a | `semantic` (variable rename detection) |
|
|
500
500
|
|
|
501
501
|
---
|
|
502
502
|
|