fallow 2.91.0 → 2.92.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -12,7 +12,7 @@ Fallow turns a JS/TS repository into a trusted quality report: health score, cha
12
12
 
13
13
  It helps you answer: what changed, what got riskier, what should be reviewed, what should be refactored, and what can be safely removed. No AI inside the analyzer. Fallow produces deterministic findings, typed output contracts, and traceable explanations that downstream tools can trust.
14
14
 
15
- Static analysis is free and open source. An optional paid runtime layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 97 framework plugins, 5-41x faster than [knip](https://knip.dev) v5 (2-18x faster than knip v6), 8-29x faster than [jscpd](https://github.com/kucherenko/jscpd) for duplication detection, with no Node.js runtime dependency for analysis.
15
+ Static analysis is free and open source. An optional paid runtime layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 122 framework plugins, 5-18x faster than [knip](https://knip.dev) v5 (2.7-9x faster than knip v6), 8-29x faster than [jscpd](https://github.com/kucherenko/jscpd) for duplication detection, with no Node.js runtime dependency for analysis.
16
16
 
17
17
  ## Installation
18
18
 
@@ -90,7 +90,7 @@ Every issue in `--format json` carries a machine-actionable `actions` array with
90
90
 
91
91
  ## Framework support
92
92
 
93
- 97 built-in plugins covering Next.js, Nuxt, Remix, Qwik, SvelteKit, Gatsby, Astro, Angular, NestJS, AdonisJS, Ember, Expo Router, Vite, Webpack, Vitest, Jest, Playwright, Cypress, Storybook, ESLint, TypeScript, Tailwind, UnoCSS, Prisma, Drizzle, Convex, Turborepo, Hardhat, and many more. Auto-detected from your `package.json`.
93
+ 122 built-in plugins covering Next.js, Nuxt, Remix, Qwik, SvelteKit, Gatsby, Astro, Angular, NestJS, AdonisJS, Ember, Expo Router, Vite, Webpack, Vitest, Jest, Playwright, Cypress, Storybook, ESLint, TypeScript, Tailwind, UnoCSS, Prisma, Drizzle, Convex, Turborepo, Hardhat, and many more. Auto-detected from your `package.json`.
94
94
 
95
95
  ## Configuration
96
96
 
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "fallow",
3
- "version": "2.91.0",
4
- "description": "Deterministic codebase intelligence for TypeScript and JavaScript. Quality, risk, architecture, dependencies, duplication, and safe cleanup evidence for humans, CI, and agents. Optional runtime intelligence layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, 96 framework plugins.",
3
+ "version": "2.92.1",
4
+ "description": "Deterministic codebase intelligence for TypeScript and JavaScript. Quality, risk, architecture, dependencies, duplication, and safe cleanup evidence for humans, CI, and agents. Optional runtime intelligence layer (Fallow Runtime) adds production execution evidence. Rust-native, sub-second, zero-config framework support.",
5
5
  "license": "MIT",
6
6
  "repository": {
7
7
  "type": "git",
@@ -83,13 +83,13 @@
83
83
  "@tanstack/intent": "0.0.41"
84
84
  },
85
85
  "optionalDependencies": {
86
- "@fallow-cli/darwin-arm64": "2.91.0",
87
- "@fallow-cli/darwin-x64": "2.91.0",
88
- "@fallow-cli/linux-x64-gnu": "2.91.0",
89
- "@fallow-cli/linux-arm64-gnu": "2.91.0",
90
- "@fallow-cli/linux-x64-musl": "2.91.0",
91
- "@fallow-cli/linux-arm64-musl": "2.91.0",
92
- "@fallow-cli/win32-arm64-msvc": "2.91.0",
93
- "@fallow-cli/win32-x64-msvc": "2.91.0"
86
+ "@fallow-cli/darwin-arm64": "2.92.1",
87
+ "@fallow-cli/darwin-x64": "2.92.1",
88
+ "@fallow-cli/linux-x64-gnu": "2.92.1",
89
+ "@fallow-cli/linux-arm64-gnu": "2.92.1",
90
+ "@fallow-cli/linux-x64-musl": "2.92.1",
91
+ "@fallow-cli/linux-arm64-musl": "2.92.1",
92
+ "@fallow-cli/win32-arm64-msvc": "2.92.1",
93
+ "@fallow-cli/win32-x64-msvc": "2.92.1"
94
94
  }
95
95
  }
package/schema.json CHANGED
@@ -169,7 +169,8 @@
169
169
  "unused-dependency-overrides": "warn",
170
170
  "misconfigured-dependency-overrides": "error",
171
171
  "security-client-server-leak": "off",
172
- "security-sink": "off"
172
+ "security-sink": "off",
173
+ "policy-violation": "warn"
173
174
  }
174
175
  },
175
176
  "boundaries": {
@@ -212,6 +213,13 @@
212
213
  },
213
214
  "default": []
214
215
  },
216
+ "rulePacks": {
217
+ "description": "Paths to declarative rule-pack files (JSON or JSONC), relative to the\nproject root. Each pack declares `banned-call` / `banned-import` rules\nthat report as `policy-violation` findings. Packs are pure data: no\nproject code is executed. Invalid or missing packs fail config load.",
218
+ "type": "array",
219
+ "items": {
220
+ "type": "string"
221
+ }
222
+ },
215
223
  "dynamicallyLoaded": {
216
224
  "type": "array",
217
225
  "items": {
@@ -992,6 +1000,11 @@
992
1000
  "description": "Opt-in (default off): a syntactic tainted-sink candidate matched against\nthe data-driven catalogue (`security_matchers.toml`). ONE knob gates ALL\ncatalogue categories. Surfaced only by `fallow security`; never under\nbare `fallow` or the `audit` gate.",
993
1001
  "$ref": "#/$defs/Severity",
994
1002
  "default": "off"
1003
+ },
1004
+ "policy-violation": {
1005
+ "description": "Master severity for rule-pack findings (`rulePacks` config). Defaults\nto `warn` so enabling a brand-new policy pack never hard-fails CI on\nits first run; individual pack rules opt up via `\"severity\": \"error\"`.\n`off` is a kill switch that disables the whole evaluator (per-rule\nseverity cannot resurrect it).",
1006
+ "$ref": "#/$defs/Severity",
1007
+ "default": "warn"
995
1008
  }
996
1009
  }
997
1010
  },
@@ -1045,6 +1058,14 @@
1045
1058
  "$ref": "#/$defs/BoundaryRule"
1046
1059
  },
1047
1060
  "default": []
1061
+ },
1062
+ "coverage": {
1063
+ "description": "Optional policy for files that match no zone.",
1064
+ "$ref": "#/$defs/BoundaryCoverageConfig"
1065
+ },
1066
+ "calls": {
1067
+ "description": "Optional forbidden-call policy for zoned files.",
1068
+ "$ref": "#/$defs/BoundaryCallsConfig"
1048
1069
  }
1049
1070
  }
1050
1071
  },
@@ -1135,6 +1156,70 @@
1135
1156
  "from"
1136
1157
  ]
1137
1158
  },
1159
+ "BoundaryCoverageConfig": {
1160
+ "description": "Boundary zone coverage policy.",
1161
+ "type": "object",
1162
+ "properties": {
1163
+ "requireAllFiles": {
1164
+ "description": "Report source files that do not match any boundary zone.",
1165
+ "type": "boolean"
1166
+ },
1167
+ "allowUnmatched": {
1168
+ "description": "Glob patterns for files that may remain unmatched by any zone.",
1169
+ "type": "array",
1170
+ "items": {
1171
+ "type": "string"
1172
+ }
1173
+ }
1174
+ }
1175
+ },
1176
+ "BoundaryCallsConfig": {
1177
+ "description": "Boundary forbidden-call policy. Applies only to files classified into a\nzone; unzoned files are unrestricted, matching the import rules.",
1178
+ "type": "object",
1179
+ "properties": {
1180
+ "forbidden": {
1181
+ "description": "Callee patterns that files in a zone may not call.",
1182
+ "type": "array",
1183
+ "items": {
1184
+ "$ref": "#/$defs/ForbiddenCallRule"
1185
+ }
1186
+ }
1187
+ }
1188
+ },
1189
+ "ForbiddenCallRule": {
1190
+ "description": "One forbidden-call entry: files in zone `from` may not call callees\nmatching `callee`.",
1191
+ "type": "object",
1192
+ "properties": {
1193
+ "from": {
1194
+ "description": "Zone whose files may not make matching calls.",
1195
+ "type": "string"
1196
+ },
1197
+ "callee": {
1198
+ "description": "Forbidden callee pattern(s). Matching is segment-aware, not substring:\n`child_process.*` matches `child_process.exec` (and named imports from\n`child_process` / `node:child_process`), `fetch` matches only `fetch`,\nand a leading `*.` suffix-matches any object (`*.innerHTML`).",
1199
+ "$ref": "#/$defs/ForbiddenCallee"
1200
+ }
1201
+ },
1202
+ "required": [
1203
+ "from",
1204
+ "callee"
1205
+ ]
1206
+ },
1207
+ "ForbiddenCallee": {
1208
+ "description": "One callee pattern or a list of patterns for a single `from` zone.",
1209
+ "anyOf": [
1210
+ {
1211
+ "description": "A single callee pattern.",
1212
+ "type": "string"
1213
+ },
1214
+ {
1215
+ "description": "Multiple callee patterns sharing the same `from` zone.",
1216
+ "type": "array",
1217
+ "items": {
1218
+ "type": "string"
1219
+ }
1220
+ }
1221
+ ]
1222
+ },
1138
1223
  "FlagsConfig": {
1139
1224
  "description": "Feature flag detection configuration.\n\nControls which patterns fallow uses to detect feature flags in source code.\nConfigured via the `flags` section in `.fallowrc.json`, `.fallowrc.jsonc`, `fallow.toml`, or `.fallow.toml`.\n\n# Examples\n\n```json\n{\n \"flags\": {\n \"sdkPatterns\": [\n { \"function\": \"useFlag\", \"nameArg\": 0, \"provider\": \"LaunchDarkly\" }\n ],\n \"envPrefixes\": [\"FEATURE_\", \"NEXT_PUBLIC_ENABLE_\"],\n \"configObjectHeuristics\": false\n }\n}\n```",
1140
1225
  "type": "object",
@@ -1188,7 +1273,7 @@
1188
1273
  ]
1189
1274
  },
1190
1275
  "SecurityConfig": {
1191
- "description": "Scopes the security categories used by `fallow security`. An absent block\nadmits every catalogue category. `hardcoded-secret` is include-required and\nonly runs when explicitly listed in `security.categories.include`.",
1276
+ "description": "Scopes `fallow security` catalogue behavior. An absent category block admits\nevery catalogue category. `hardcoded-secret` is include-required and only\nruns when explicitly listed in `security.categories.include`.",
1192
1277
  "type": "object",
1193
1278
  "properties": {
1194
1279
  "categories": {
@@ -1201,6 +1286,13 @@
1201
1286
  "type": "null"
1202
1287
  }
1203
1288
  ]
1289
+ },
1290
+ "requestReceivers": {
1291
+ "description": "Additional project-local names for HTTP request objects. These names\nextend the built-in receiver allowlist for `*.query`, `*.params`, and\n`*.body` source patterns. They do not replace the built-ins and do not\ngate `*.searchParams`, which intentionally stays ungated.",
1292
+ "type": "array",
1293
+ "items": {
1294
+ "type": "string"
1295
+ }
1204
1296
  }
1205
1297
  },
1206
1298
  "additionalProperties": false
@@ -1593,6 +1685,16 @@
1593
1685
  "type": "null"
1594
1686
  }
1595
1687
  ]
1688
+ },
1689
+ "policy-violation": {
1690
+ "anyOf": [
1691
+ {
1692
+ "$ref": "#/$defs/Severity"
1693
+ },
1694
+ {
1695
+ "type": "null"
1696
+ }
1697
+ ]
1596
1698
  }
1597
1699
  }
1598
1700
  },
@@ -1715,6 +1817,24 @@
1715
1817
  "format": "uint",
1716
1818
  "minimum": 0,
1717
1819
  "default": 0
1820
+ },
1821
+ "boundaryCoverageViolations": {
1822
+ "type": "integer",
1823
+ "format": "uint",
1824
+ "minimum": 0,
1825
+ "default": 0
1826
+ },
1827
+ "boundaryCallViolations": {
1828
+ "type": "integer",
1829
+ "format": "uint",
1830
+ "minimum": 0,
1831
+ "default": 0
1832
+ },
1833
+ "policyViolations": {
1834
+ "type": "integer",
1835
+ "format": "uint",
1836
+ "minimum": 0,
1837
+ "default": 0
1718
1838
  }
1719
1839
  }
1720
1840
  },
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: fallow
3
- description: Codebase intelligence for JavaScript and TypeScript. Free static layer reports quality, changed-code risk, cleanup opportunities (unused files, exports, types, dependencies), code duplication, circular dependencies, complexity hotspots, architecture boundary violations, feature flag patterns, and opt-in security candidates. Runtime coverage merges production execution data into the same health report for hot-path review, cold-path deletion confidence, and stale-flag evidence, with a single local capture available by default and continuous/cloud runtime monitoring available as an optional mode. 118 framework plugins, zero configuration, sub-second static analysis. Use when asked to analyze code health, audit PR risk, find cleanup opportunities or unused code, detect duplicates, check circular dependencies, audit complexity, check architecture boundaries, detect feature flags, surface security candidates, clean up the codebase, auto-fix issues, merge runtime coverage, or run fallow.
3
+ description: Codebase intelligence for JavaScript and TypeScript. Free static layer reports quality, changed-code risk, cleanup opportunities (unused files, exports, types, dependencies), code duplication, circular dependencies, complexity hotspots, architecture boundary violations, feature flag patterns, and opt-in security candidates. Runtime coverage merges production execution data into the same health report for hot-path review, cold-path deletion confidence, and stale-flag evidence, with a single local capture available by default and continuous/cloud runtime monitoring available as an optional mode. 122 framework plugins, zero configuration, sub-second static analysis. Use when asked to analyze code health, audit PR risk, find cleanup opportunities or unused code, detect duplicates, check circular dependencies, audit complexity, check architecture boundaries, detect feature flags, surface security candidates, clean up the codebase, auto-fix issues, merge runtime coverage, or run fallow.
4
4
  license: MIT
5
5
  metadata:
6
6
  author: Bart Waardenburg
@@ -10,7 +10,7 @@ metadata:
10
10
 
11
11
  # Fallow: codebase intelligence for JavaScript and TypeScript
12
12
 
13
- Codebase intelligence for JavaScript and TypeScript. The free static layer reports quality, changed-code risk, cleanup opportunities, circular dependencies, code duplication, complexity hotspots, architecture boundary violations, feature flag patterns, and opt-in security candidates. Runtime coverage merges production execution data into the same `fallow health` report for hot-path review, cold-path deletion confidence, and stale-flag evidence, with a single local capture available by default and continuous/cloud runtime monitoring available as an optional mode. 118 framework plugins, zero configuration, sub-second static analysis.
13
+ Codebase intelligence for JavaScript and TypeScript. The free static layer reports quality, changed-code risk, cleanup opportunities, circular dependencies, code duplication, complexity hotspots, architecture boundary violations, feature flag patterns, and opt-in security candidates. Runtime coverage merges production execution data into the same `fallow health` report for hot-path review, cold-path deletion confidence, and stale-flag evidence, with a single local capture available by default and continuous/cloud runtime monitoring available as an optional mode. 122 framework plugins, zero configuration, sub-second static analysis.
14
14
 
15
15
  ## When to Use
16
16
 
@@ -68,14 +68,14 @@ cargo install fallow-cli # build from source
68
68
  | `dead-code` | Dead code analysis (`check` is an alias) | `--unused-exports`, `--changed-since`, `--changed-workspaces`, `--production`, `--file`, `--include-entry-exports`, `--stale-suppressions`, `--ci`, `--group-by`, `--summary`, `--fail-on-regression`, `--tolerance`, `--regression-baseline`, `--save-regression-baseline` |
69
69
  | `dupes` | Code duplication detection | `--mode`, `--threshold`, `--top`, `--changed-since`, `--workspace`, `--changed-workspaces`, `--skip-local`, `--cross-language`, `--ignore-imports`, `--explain-skipped`, `--fail-on-regression`, `--tolerance`, `--regression-baseline`, `--save-regression-baseline` |
70
70
  | `fix` | Auto-remove unused exports/deps | `--dry-run`, `--yes` (required in non-TTY) |
71
- | `init` | Generate config file or pre-commit hook | `--toml`, `--hooks`, `--branch` |
71
+ | `init` | Generate config file, AGENTS.md agent guide, or pre-commit hook | `--toml`, `--agents`, `--hooks`, `--branch` |
72
72
  | `migrate` | Convert knip/jscpd config | `--dry-run`, `--from PATH` |
73
73
  | `list` | Inspect project structure | `--files`, `--entry-points`, `--plugins`, `--boundaries`, `--workspaces` |
74
74
  | `workspaces` | Inspect monorepo workspaces + discovery diagnostics (shorthand for `list --workspaces`) | (no flags) |
75
75
  | `health` | Function complexity analysis (also covers Angular templates as synthetic `<template>` findings: external `.html` files via `templateUrl` AND inline `@Component({ template: \`...\` })` literals; suppress external with `<!-- fallow-ignore-file complexity -->` at the top of the `.html` file, suppress inline with `// fallow-ignore-next-line complexity` directly above the `@Component` decorator) | `--complexity`, `--max-cyclomatic`, `--max-cognitive`, `--max-crap`, `--top`, `--sort`, `--file-scores`, `--hotspots`, `--ownership`, `--ownership-emails`, `--targets`, `--effort`, `--score`, `--min-score`, `--since`, `--min-commits`, `--save-snapshot`, `--trend`, `--coverage-gaps`, `--coverage`, `--coverage-root`, `--runtime-coverage`, `--min-invocations-hot`, `--min-observation-volume`, `--low-traffic-threshold`, `--workspace`, `--changed-workspaces`, `--baseline`, `--save-baseline` |
76
76
  | `audit` | Combined dead-code + complexity + duplication for changed files | `--base`, `--gate`, `--production`, `--production-dead-code`, `--production-health`, `--production-dupes`, `--workspace`, `--changed-workspaces`, `--ci`, `--fail-on-issues`, `--explain`, `--explain-skipped`, `--dead-code-baseline`, `--health-baseline`, `--dupes-baseline`, `--max-crap`, `--coverage`, `--coverage-root`, `--include-entry-exports` |
77
77
  | `flags` | Detect feature flag patterns (env vars, SDK calls, config objects) | `--top` |
78
- | `security` | Surface opt-in local security candidates for agent verification (not confirmed vulnerabilities). Rule families include the graph rule `client-server-leak`, a data-driven `tainted-sink` catalogue, and the include-required `hardcoded-secret` category for provider-prefix credentials and high-entropy literals assigned to secret-shaped identifiers. Most catalogue rows require non-literal input; narrowly literal-aware rows flag deterministic unsafe literals. Rules default off; suppress a file with `// fallow-ignore-file security-sink`; scope categories with `security.categories`. `hardcoded-secret` runs only when listed in `security.categories.include`. | `--format human|json|sarif`, `--changed-since`, `--file`, `--diff-file`, `--workspace`, `--changed-workspaces`, `--surface`, `--ci`, `--fail-on-issues`, `--sarif-file`, `--summary` |
78
+ | `security` | Surface opt-in local security candidates for agent verification (not confirmed vulnerabilities). Rule families include the graph rule `client-server-leak`, a data-driven `tainted-sink` catalogue, and the include-required `hardcoded-secret` category for provider-prefix credentials and high-entropy literals assigned to secret-shaped identifiers. Most catalogue rows require non-literal input; narrowly literal-aware rows flag deterministic unsafe literals. Rules default off; suppress a file with `// fallow-ignore-file security-sink`; scope categories with `security.categories`. Add project-local request object names with `security.requestReceivers`; it extends the built-in `req` / `request` / `ctx` / `context` / `event` allowlist for HTTP `query`, `params`, and `body` reads. `hardcoded-secret` runs only when listed in `security.categories.include`. | `--format human|json|sarif`, `--changed-since`, `--file`, `--diff-file`, `--workspace`, `--changed-workspaces`, `--surface`, `--ci`, `--fail-on-issues`, `--sarif-file`, `--summary` |
79
79
  | `explain` | Explain one issue type without running analysis | `<issue-type>`, `--format json` |
80
80
  | `license` | Manage the local license JWT for continuous/cloud runtime monitoring (activate, status, refresh, deactivate) | `activate --trial --email <addr>`, `activate --from-file`, `activate --stdin`, `status`, `refresh`, `deactivate` |
81
81
  | `telemetry` | Manage opt-in, off-by-default product telemetry (never collects code, paths, or names). Agents must not enable it; only the user may | `status`, `enable`, `disable`, `inspect --example` |
@@ -101,7 +101,8 @@ cargo install fallow-cli # build from source
101
101
  | Duplicate exports | `--duplicate-exports` | Same symbol exported from multiple modules |
102
102
  | Circular dependencies | `--circular-deps` | Import cycles in the module graph |
103
103
  | Re-export cycles | `--re-export-cycles` | Barrel files re-exporting from each other in a loop (`kind: "multi-node"`) or a barrel re-exporting from itself (`kind: "self-loop"`). Chain propagation through the loop is a structural no-op so imports through any member may silently come up empty. Default `warn`. Distinct from `circular-dependencies` (runtime cycles, sometimes intentional). File-scoped suppression only: `// fallow-ignore-file re-export-cycle` on any member breaks the cycle. |
104
- | Boundary violations | `--boundary-violations` | Imports crossing architecture zone boundaries. Presets: `layered`, `hexagonal`, `feature-sliced`, `bulletproof`; `autoDiscover` can create one zone per feature directory; per-rule `allowTypeOnly: [zones]` admits `import type` / `export type` crossings while still blocking value imports |
104
+ | Boundary violations | `--boundary-violations` | Imports crossing architecture zone boundaries. Presets: `layered`, `hexagonal`, `feature-sliced`, `bulletproof`; `autoDiscover` can create one zone per feature directory; per-rule `allowTypeOnly: [zones]` admits `import type` / `export type` crossings while still blocking value imports. Optional sections: `boundaries.coverage.requireAllFiles` reports unzoned source files (`allowUnmatched` globs exempt intentional ones), and `boundaries.calls.forbidden` bans callee patterns per zone (segment-aware and import-resolved, so `child_process.*` covers `node:child_process` named/namespace/default imports; direct callees only, zoned files only). The whole family shares the `boundary-violation` rule and suppression token (`boundary-call-violation` and `boundary-call-violations` accepted as aliases); start the rule at `warn` for a staged rollout |
105
+ | Policy violations | `--policy-violations` | Calls or imports banned by a declarative rule pack (`rulePacks` config key lists standalone JSON/JSONC files of `banned-call` / `banned-import` rules; pure data, no project code executes). Findings identified as `<pack>/<rule-id>`. Default `warn` master; per-rule `severity` overrides per finding and the exit gate reads the effective severity. Invalid or missing packs fail config load with exit 2. `fallow rule-pack-schema` prints the pack JSON Schema. Suppress with `// fallow-ignore-next-line policy-violation` (one token covers every pack rule on the line). |
105
106
  | Stale suppressions | `--stale-suppressions` | `fallow-ignore` comments or `@expected-unused` JSDoc tags that no longer match any issue |
106
107
  | Test-only dependencies | n/a | Production deps only imported from test files (should be devDependencies) |
107
108
  | Unused pnpm catalog entries | `--unused-catalog-entries` | `pnpm-workspace.yaml` entries no workspace package.json references via `catalog:` (default `warn`) |
@@ -116,9 +117,11 @@ When using fallow via MCP (`fallow-mcp`), the following tools are available:
116
117
 
117
118
  | Tool | Description |
118
119
  |------|-------------|
119
- | `analyze` | Full dead code analysis (unused files/exports/types/dependencies/members + circular dependencies + re-export cycles (barrel files that form a structural loop, silently breaking re-exports) + boundary violations + stale suppressions). Private type leaks are an opt-in API hygiene check via `issue_types: ["private-type-leaks"]`. Set `boundary_violations: true` as a convenience alias for `issue_types: ["boundary-violations"]`. Set `group_by` to `"owner"`, `"directory"`, `"package"`, or `"section"` to partition results. The `section` mode reads GitLab CODEOWNERS `[Section]` headers and emits `owners` metadata per group |
120
+ | `analyze` | Full dead code analysis (unused files/exports/types/dependencies/members + circular dependencies + re-export cycles (barrel files that form a structural loop, silently breaking re-exports) + boundary violations + rule-pack policy violations (banned calls and banned imports declared via the `rulePacks` config key) + stale suppressions). Private type leaks are an opt-in API hygiene check via `issue_types: ["private-type-leaks"]`. Set `boundary_violations: true` as a convenience alias for `issue_types: ["boundary-violations"]`. Set `group_by` to `"owner"`, `"directory"`, `"package"`, or `"section"` to partition results. The `section` mode reads GitLab CODEOWNERS `[Section]` headers and emits `owners` metadata per group |
120
121
  | `check_changed` | Incremental analysis of files changed since a git ref |
121
- | `security_candidates` | Unverified local security candidates, not confirmed vulnerabilities (`fallow security --format json`). Read `security_findings[]` for category, CWE, severity, evidence, trace, optional `reachability`, and blind-spot counters. `severity` is a review-priority tier, not a verified vulnerability verdict. Each finding also carries an agent-actionable `candidate` (`source_kind`/`sink`/`boundary`), an optional `taint_flow` source-to-sink triple, and a stable `finding_id` (equal to the SARIF fingerprint) for cross-run correlation; there is no `impact` field (deciding exploitability is the agent's job). Set `surface: true` to include top-level `attack_surface[]` entries with defensive-boundary prompts for a verifier. `reachability.untrusted_source_trace` is module-level import context only and does not prove value flow; `reachability.taint_confidence` tiers each reachable candidate as `arg-level` (sink argument traces to a same-module source read, strong) or `module-level` (only the module is import-reachable from a source, weak), so tier from this field instead of the evidence text. Verify trace, reachability context, severity, and evidence before editing code. Supports `root`, `config`, `workspace`, `paths`, `changed_since`, `changed_workspaces`, `surface`, `no_cache`, and `threads`; `paths` forwards repeated `fallow security --file` filters for finding anchors, trace hops, or untrusted-source reachability trace hops. See <https://docs.fallow.tools/cli/security-agent-verification> for the verifier packet and verdict recipe. Inherits `FALLOW_DIFF_FILE` from the server environment for line-level diff scoping; raise `FALLOW_TIMEOUT_SECS` for large repos. |
122
+ | `security_candidates` | Unverified local security candidates, not confirmed vulnerabilities (`fallow security --format json`). Read `security_findings[]` for category, CWE, severity, evidence, trace, optional `reachability`, blind-spot counters, and optional `unresolved_callee_diagnostics` samples for dynamic callee follow-up. `severity` is a review-priority tier, not a verified vulnerability verdict. Each finding also carries an agent-actionable `candidate` (`source_kind`/`sink`/`boundary`), where URL-category sinks may include `url_shape` (`fixed-origin-dynamic-path` or `dynamic-origin`), an optional `taint_flow` source-to-sink triple, and a stable `finding_id` (equal to the SARIF fingerprint) for cross-run correlation; there is no `impact` field (deciding exploitability is the agent's job). Set `surface: true` to include top-level `attack_surface[]` entries with defensive-boundary prompts for a verifier. Set `gate` to `new` for changed-line candidates or `newly-reachable` for candidates that became reachable from entry points; `newly-reachable` requires `changed_since`. `reachability.untrusted_source_trace` is module-level import context only and does not prove value flow; `reachability.taint_confidence` tiers each reachable candidate as `arg-level` (sink argument traces to a same-module source read, strong) or `module-level` (only the module is import-reachable from a source, weak), so tier from this field instead of the evidence text. Verify trace, reachability context, severity, and evidence before editing code. Supports `root`, `config`, `workspace`, `paths`, `changed_since`, `changed_workspaces`, `surface`, `gate`, `no_cache`, and `threads`; `paths` forwards repeated `fallow security --file` filters for finding anchors, trace hops, untrusted-source reachability trace hops, and unresolved-callee diagnostics. See <https://docs.fallow.tools/cli/security-agent-verification> for the verifier packet and verdict recipe. Inherits `FALLOW_DIFF_FILE` from the server environment for line-level diff scoping; raise `FALLOW_TIMEOUT_SECS` for large repos. |
123
+ | `inspect_target` | Compose one evidence bundle for a file or exported symbol. File targets use `target: { type: "file", file }`; symbol targets use `target: { type: "symbol", file, export_name }`. Returns `kind: "inspect_target"`, normalized target identity, `trace_file`, optional `trace_export`, file-scoped dead-code actions, duplication groups filtered to the file, complexity findings filtered to the file, and security candidates scoped to the file. Evidence sections carry `status` and `scope`; symbol targets warn when supporting evidence is file-scoped. Supports `root`, `config`, `production`, `workspace`, `no_cache`, and `threads`; `production` applies to trace, dead-code, and health evidence only. Raise `FALLOW_TIMEOUT_SECS` for large repos. |
124
+ | `code_execute` | Bounded read-only Code Mode for composing multiple fallow analysis calls in one JavaScript snippet. The snippet receives `{ fallow, root }`, returns JSON-serializable data, and can call read-only helpers such as `fallow.projectInfo`, `fallow.audit`, `fallow.checkHealth`, and `fallow.run(tool, params)` for the same allowlist. Mutating fix tools are not exposed. The sandbox has no filesystem, network, imports, `eval`, `Function`, `process`, `require`, `Deno`, `Bun`, or shell access. Params: `code`, optional `root`, `timeout_ms` (capped at 30000), and `max_output_bytes` (capped at 4000000). |
122
125
  | `find_dupes` | Code duplication detection. Set `changed_since` to scope to changed files since a git ref. Set `min_occurrences` (≥ 2, default 2) to hide pair-only clones and focus on widespread copy-paste; JSON gains `stats.clone_groups_below_min_occurrences` when the filter hides anything. Each `clone_groups[]` entry carries a stable `fingerprint`, usually `dup:<8hex>` and widened only on rare report collisions; pass it to `trace_clone` to deep-dive that group |
123
126
  | `fix_preview` | Dry-run auto-fix preview |
124
127
  | `fix_apply` | Apply auto-fixes (destructive) |
@@ -148,7 +151,7 @@ Runtime source-map confidence for cloud runtime tools:
148
151
  | `unresolved` + `low` | No matching source map was uploaded for this bundle and commit. | Ask the operator to upload the source map before acting on file-level coverage signals. |
149
152
  | `null` + `null` | The row does not include source-map confidence metadata. | Treat the row as missing confidence metadata. Do not downgrade it to `low` without other evidence. |
150
153
 
151
- All tools accept `root`, `config`, `no_cache`, and `threads` params (except `impact`, which takes only `root`). The MCP server subprocess timeout defaults to 120s, configurable via `FALLOW_TIMEOUT_SECS`.
154
+ Most tools accept `root`, `config`, `no_cache`, and `threads` params. Exceptions: `impact` takes only `root`; `code_execute` takes `code`, optional `root`, `timeout_ms`, and `max_output_bytes`. The MCP server subprocess timeout defaults to 120s, configurable via `FALLOW_TIMEOUT_SECS`.
152
155
 
153
156
  All JSON responses include structured `actions` arrays on every finding (dead code, health, duplication), enabling programmatic fix application or suppression.
154
157
 
@@ -235,7 +238,7 @@ fallow list --entry-points --format json --quiet
235
238
  fallow list --plugins --format json --quiet
236
239
  ```
237
240
 
238
- Shows detected entry points and active framework plugins (118 built-in: Next.js, Vite, Ember, Wuchale, Jest, Storybook, Tailwind, PandaCSS, Contentlayer, tap, tsd, etc.).
241
+ Shows detected entry points and active framework plugins (122 built-in: Next.js, Vite, Ember, Wuchale, Jest, Storybook, Tailwind, PandaCSS, Contentlayer, tap, tsd, etc.).
239
242
 
240
243
  ### Production-only analysis
241
244
 
@@ -321,6 +324,7 @@ Auto-detects `knip.json`, `knip.jsonc`, `.knip.json`, `.knip.jsonc`, `.jscpd.jso
321
324
  ```bash
322
325
  fallow init # creates .fallowrc.json, adds .fallow/ to .gitignore
323
326
  fallow init --toml # creates fallow.toml, adds .fallow/ to .gitignore
327
+ fallow init --agents # scaffolds a starter AGENTS.md prefilled from detected project info (never overwrites)
324
328
  fallow hooks install --target git
325
329
  fallow hooks install --target git --branch develop # fallback base branch when no upstream is set
326
330
  ```
@@ -340,7 +344,7 @@ When `--format json` is active and exit code is 2, errors are emitted as JSON on
340
344
 
341
345
  ## Configuration
342
346
 
343
- Fallow reads config from project root: `.fallowrc.json` > `.fallowrc.jsonc` > `fallow.toml` > `.fallow.toml`. Both `.fallowrc.json` and `.fallowrc.jsonc` accept JSON-with-comments syntax (same parser); the `.jsonc` extension lets editors auto-detect JSONC syntax highlighting. Most projects work with zero configuration thanks to 118 auto-detecting framework plugins.
347
+ Fallow reads config from project root: `.fallowrc.json` > `.fallowrc.jsonc` > `fallow.toml` > `.fallow.toml`. Both `.fallowrc.json` and `.fallowrc.jsonc` accept JSON-with-comments syntax (same parser); the `.jsonc` extension lets editors auto-detect JSONC syntax highlighting. Most projects work with zero configuration thanks to 121 auto-detecting framework plugins.
344
348
 
345
349
  ```jsonc
346
350
  {
@@ -391,7 +395,7 @@ export const deprecatedHelper = () => {};
391
395
  ## Key Gotchas
392
396
 
393
397
  - **`fix --yes` is required** in non-TTY (agent) environments. Without it, `fix` exits with code 2
394
- - **Zero config by default.** 118 framework plugins auto-detect, including Wuchale config, Contentlayer content roots, tap and tsd test entry points. Don't create config unless customization is needed
398
+ - **Zero config by default.** 122 framework plugins auto-detect, including Wuchale config, Contentlayer content roots, tap and tsd test entry points. Don't create config unless customization is needed
395
399
  - **Syntactic analysis only.** No TypeScript compiler, so fully dynamic `import(variable)` is not resolved
396
400
  - **Function overloads are deduplicated.** TypeScript function overload signatures are merged into a single export (not reported as separate unused exports)
397
401
  - **Re-export chains are resolved.** Exports through barrel files are tracked, not falsely flagged