fallow 2.91.0 → 2.93.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/package.json +10 -10
- package/schema.json +122 -2
- package/skills/fallow/SKILL.md +215 -62
- package/skills/fallow/references/cli-reference.md +175 -70
- package/skills/fallow/references/gotchas.md +1 -1
- package/skills/fallow/references/patterns.md +14 -1
- package/types/output-contract.d.ts +628 -68
|
@@ -71,7 +71,7 @@ kind: "dupes"
|
|
|
71
71
|
kind: "dead-code-grouped"
|
|
72
72
|
}) | (ImpactReport & {
|
|
73
73
|
kind: "impact"
|
|
74
|
-
}) | (SecurityOutput & {
|
|
74
|
+
}) | ((SecurityOutput | SecuritySummaryOutput) & {
|
|
75
75
|
kind: "security"
|
|
76
76
|
}) | (CheckOutput & {
|
|
77
77
|
kind: "dead-code"
|
|
@@ -170,7 +170,7 @@ export type IssueAction = (FixAction | SuppressLineAction | SuppressFileAction |
|
|
|
170
170
|
* Discriminant string for [`FixAction`]. Kebab-case per the JSON output
|
|
171
171
|
* contract.
|
|
172
172
|
*/
|
|
173
|
-
export type FixActionType = ("remove-export" | "delete-file" | "remove-dependency" | "move-dependency" | "remove-enum-member" | "remove-class-member" | "resolve-import" | "install-dependency" | "remove-duplicate" | "move-to-dev" | "refactor-cycle" | "refactor-re-export-cycle" | "refactor-boundary" | "export-type" | "remove-catalog-entry" | "remove-empty-catalog-group" | "update-catalog-reference" | "add-catalog-entry" | "remove-catalog-reference" | "remove-dependency-override" | "fix-dependency-override")
|
|
173
|
+
export type FixActionType = ("remove-export" | "delete-file" | "remove-dependency" | "move-dependency" | "remove-enum-member" | "remove-class-member" | "resolve-import" | "install-dependency" | "remove-duplicate" | "move-to-dev" | "refactor-cycle" | "refactor-re-export-cycle" | "refactor-boundary" | "export-type" | "remove-catalog-entry" | "remove-empty-catalog-group" | "update-catalog-reference" | "add-catalog-entry" | "remove-catalog-reference" | "remove-dependency-override" | "fix-dependency-override" | "resolve-policy-violation")
|
|
174
174
|
/**
|
|
175
175
|
* Singleton discriminant for [`SuppressLineAction`].
|
|
176
176
|
*/
|
|
@@ -232,6 +232,17 @@ export type MemberKind = ("enum_member" | "class_method" | "class_property" | "n
|
|
|
232
232
|
* Discriminator for [`ReExportCycle`]: which structural shape was detected.
|
|
233
233
|
*/
|
|
234
234
|
export type ReExportCycleKind = ("multi-node" | "self-loop")
|
|
235
|
+
/**
|
|
236
|
+
* Which rule-pack rule kind produced a [`PolicyViolation`].
|
|
237
|
+
*/
|
|
238
|
+
export type PolicyRuleKind = ("banned-call" | "banned-import")
|
|
239
|
+
/**
|
|
240
|
+
* Effective severity of a single [`PolicyViolation`]. Per-rule `severity`
|
|
241
|
+
* overrides the `rules."policy-violation"` master; `off` rules emit nothing,
|
|
242
|
+
* so only `error` and `warn` appear on the wire. The exit-code gate inspects
|
|
243
|
+
* this per-finding value, not the master severity.
|
|
244
|
+
*/
|
|
245
|
+
export type PolicyViolationSeverity = ("error" | "warn")
|
|
235
246
|
/**
|
|
236
247
|
* The origin of a stale suppression: inline comment or JSDoc tag.
|
|
237
248
|
*/
|
|
@@ -328,6 +339,12 @@ kind: "tsconfig-reference-dir-missing"
|
|
|
328
339
|
*/
|
|
329
340
|
size_bytes: number
|
|
330
341
|
kind: "skipped-large-file"
|
|
342
|
+
} | {
|
|
343
|
+
/**
|
|
344
|
+
* On-disk size of the skipped file in bytes.
|
|
345
|
+
*/
|
|
346
|
+
size_bytes: number
|
|
347
|
+
kind: "skipped-minified-file"
|
|
331
348
|
})
|
|
332
349
|
/**
|
|
333
350
|
* Discriminant for [`CloneGroupAction::kind`]. Mirrors the action types
|
|
@@ -606,12 +623,18 @@ export type ImpactTrendDirection = ("improving" | "declining" | "stable")
|
|
|
606
623
|
* The `fallow security --format json` schema version. Independently versioned
|
|
607
624
|
* from the main contract, mirroring `ImpactReportSchemaVersion`.
|
|
608
625
|
*/
|
|
609
|
-
export type SecuritySchemaVersion = ("1" | "2")
|
|
626
|
+
export type SecuritySchemaVersion = ("1" | "2" | "3" | "4" | "5" | "6")
|
|
627
|
+
/**
|
|
628
|
+
* Severity level for rules.
|
|
629
|
+
*
|
|
630
|
+
* Controls whether an issue type causes CI failure (`error`), is reported
|
|
631
|
+
* without failing (`warn`), or is suppressed entirely (`off`).
|
|
632
|
+
*/
|
|
633
|
+
export type Severity = ("error" | "warn" | "off")
|
|
610
634
|
/**
|
|
611
|
-
* Gate mode for `fallow security --gate <mode
|
|
612
|
-
* the value `newly-reachable`.
|
|
635
|
+
* Gate mode for `fallow security --gate <mode>`.
|
|
613
636
|
*/
|
|
614
|
-
export type SecurityGateMode = "new"
|
|
637
|
+
export type SecurityGateMode = ("new" | "newly-reachable")
|
|
615
638
|
/**
|
|
616
639
|
* Gate verdict on the wire. `fail` is the CI-state token; human output renders
|
|
617
640
|
* it as "REVIEW REQUIRED" because these stay unverified candidates, never
|
|
@@ -645,6 +668,10 @@ export type SecurityDeadCodeKind = ("unused-file" | "unused-export")
|
|
|
645
668
|
* rank, never gate).
|
|
646
669
|
*/
|
|
647
670
|
export type TaintConfidence = ("arg-level" | "module-level")
|
|
671
|
+
/**
|
|
672
|
+
* Static URL construction shape captured for URL-shaped security sinks.
|
|
673
|
+
*/
|
|
674
|
+
export type SecurityUrlShape = ("fixed-origin-dynamic-path" | "dynamic-origin")
|
|
648
675
|
/**
|
|
649
676
|
* Runtime coverage state for the function enclosing a security sink.
|
|
650
677
|
* This is production-observation evidence, not an exploitability verdict.
|
|
@@ -654,6 +681,15 @@ export type SecurityRuntimeState = ("runtime-hot" | "runtime-cold" | "never-exec
|
|
|
654
681
|
* Defensive control family detected on a source to sink path.
|
|
655
682
|
*/
|
|
656
683
|
export type SecurityControlKind = ("sanitization" | "validation" | "authentication" | "authorization")
|
|
684
|
+
/**
|
|
685
|
+
* Why a sink-shaped callee could not be flattened into a static catalogue
|
|
686
|
+
* path.
|
|
687
|
+
*/
|
|
688
|
+
export type SkippedSecurityCalleeReason = ("computed-member" | "dynamic-dispatch" | "unsupported-assignment-object")
|
|
689
|
+
/**
|
|
690
|
+
* Syntactic expression shape for a skipped security callee.
|
|
691
|
+
*/
|
|
692
|
+
export type SkippedSecurityCalleeExpressionKind = ("static-member-expression" | "computed-member-expression" | "identifier" | "other")
|
|
657
693
|
/**
|
|
658
694
|
* Discriminator value for [`CodeClimateIssue::kind`].
|
|
659
695
|
*/
|
|
@@ -679,14 +715,28 @@ command: AuditCommand
|
|
|
679
715
|
verdict: AuditVerdict
|
|
680
716
|
changed_files_count: number
|
|
681
717
|
base_ref: string
|
|
718
|
+
/**
|
|
719
|
+
* Human-readable provenance of `base_ref`, e.g. `merge-base with
|
|
720
|
+
* origin/main`, `local main`, or `FALLOW_AUDIT_BASE=upstream/main`.
|
|
721
|
+
* Present when the base was auto-detected or set via `FALLOW_AUDIT_BASE`;
|
|
722
|
+
* absent for an explicit `--base` (the ref the user typed is already
|
|
723
|
+
* self-describing).
|
|
724
|
+
*/
|
|
725
|
+
base_description?: (string | null)
|
|
682
726
|
head_sha?: (string | null)
|
|
683
727
|
elapsed_ms: ElapsedMs
|
|
684
728
|
base_snapshot_skipped?: (boolean | null)
|
|
685
729
|
summary: AuditSummary
|
|
686
730
|
attribution: AuditAttribution
|
|
731
|
+
_meta?: (Meta | null)
|
|
687
732
|
dead_code?: (CheckOutput | null)
|
|
688
733
|
duplication?: (DupesReportPayload | null)
|
|
689
734
|
complexity?: (HealthReport | null)
|
|
735
|
+
/**
|
|
736
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
737
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
738
|
+
*/
|
|
739
|
+
next_steps?: NextStep[]
|
|
690
740
|
}
|
|
691
741
|
/**
|
|
692
742
|
* Per-category summary counts for the audit result.
|
|
@@ -710,6 +760,88 @@ complexity_inherited: number
|
|
|
710
760
|
duplication_introduced: number
|
|
711
761
|
duplication_inherited: number
|
|
712
762
|
}
|
|
763
|
+
/**
|
|
764
|
+
* Metric and rule definitions emitted under `_meta` when `--explain` is
|
|
765
|
+
* passed (always present in MCP responses). Helps AI agents and CI systems
|
|
766
|
+
* interpret metric values without re-reading the docs site.
|
|
767
|
+
*/
|
|
768
|
+
export interface Meta {
|
|
769
|
+
/**
|
|
770
|
+
* URL to the documentation page for this command.
|
|
771
|
+
*/
|
|
772
|
+
docs?: (string | null)
|
|
773
|
+
/**
|
|
774
|
+
* Local telemetry correlation metadata for agent follow-up runs.
|
|
775
|
+
*/
|
|
776
|
+
telemetry?: (TelemetryMeta | null)
|
|
777
|
+
/**
|
|
778
|
+
* Per-field definitions for envelope fields and action payload fields.
|
|
779
|
+
*/
|
|
780
|
+
field_definitions?: {
|
|
781
|
+
[k: string]: string
|
|
782
|
+
}
|
|
783
|
+
/**
|
|
784
|
+
* Per-metric definitions: name, description, range, interpretation.
|
|
785
|
+
*/
|
|
786
|
+
metrics?: {
|
|
787
|
+
[k: string]: MetaMetric
|
|
788
|
+
}
|
|
789
|
+
/**
|
|
790
|
+
* Per-rule definitions for check command output.
|
|
791
|
+
*/
|
|
792
|
+
rules?: {
|
|
793
|
+
[k: string]: MetaRule
|
|
794
|
+
}
|
|
795
|
+
}
|
|
796
|
+
/**
|
|
797
|
+
* Privacy-safe local run metadata emitted for JSON consumers.
|
|
798
|
+
*/
|
|
799
|
+
export interface TelemetryMeta {
|
|
800
|
+
/**
|
|
801
|
+
* Ephemeral local token that may be passed to the hidden `--parent-run`
|
|
802
|
+
* flag on a later command. It is not derived from repository, path, user,
|
|
803
|
+
* machine, project, or cloud data.
|
|
804
|
+
*/
|
|
805
|
+
analysis_run_id?: (string | null)
|
|
806
|
+
}
|
|
807
|
+
/**
|
|
808
|
+
* Single-metric definition inside [`Meta::metrics`].
|
|
809
|
+
*/
|
|
810
|
+
export interface MetaMetric {
|
|
811
|
+
/**
|
|
812
|
+
* Human-readable metric name.
|
|
813
|
+
*/
|
|
814
|
+
name?: (string | null)
|
|
815
|
+
/**
|
|
816
|
+
* What this metric measures and how it is computed.
|
|
817
|
+
*/
|
|
818
|
+
description?: (string | null)
|
|
819
|
+
/**
|
|
820
|
+
* Valid value range (e.g., `"[0, 100]"`).
|
|
821
|
+
*/
|
|
822
|
+
range?: (string | null)
|
|
823
|
+
/**
|
|
824
|
+
* How to read the value (e.g., `"lower is better"`).
|
|
825
|
+
*/
|
|
826
|
+
interpretation?: (string | null)
|
|
827
|
+
}
|
|
828
|
+
/**
|
|
829
|
+
* Single-rule definition inside [`Meta::rules`].
|
|
830
|
+
*/
|
|
831
|
+
export interface MetaRule {
|
|
832
|
+
/**
|
|
833
|
+
* Human-readable rule name.
|
|
834
|
+
*/
|
|
835
|
+
name?: (string | null)
|
|
836
|
+
/**
|
|
837
|
+
* What this rule detects.
|
|
838
|
+
*/
|
|
839
|
+
description?: (string | null)
|
|
840
|
+
/**
|
|
841
|
+
* URL to the rule documentation.
|
|
842
|
+
*/
|
|
843
|
+
docs?: (string | null)
|
|
844
|
+
}
|
|
713
845
|
/**
|
|
714
846
|
* Envelope emitted by `fallow dead-code --format json` (plus the `check`
|
|
715
847
|
* block inside the combined and audit envelopes).
|
|
@@ -837,6 +969,25 @@ re_export_cycles?: ReExportCycleFinding[]
|
|
|
837
969
|
* array natively.
|
|
838
970
|
*/
|
|
839
971
|
boundary_violations?: BoundaryViolationFinding[]
|
|
972
|
+
/**
|
|
973
|
+
* Files that matched no architecture boundary zone while
|
|
974
|
+
* `boundaries.coverage.requireAllFiles` was enabled.
|
|
975
|
+
*/
|
|
976
|
+
boundary_coverage_violations?: BoundaryCoverageViolationFinding[]
|
|
977
|
+
/**
|
|
978
|
+
* Calls from zoned files to callees forbidden for that zone via
|
|
979
|
+
* `boundaries.calls.forbidden`. Wrapped in
|
|
980
|
+
* [`BoundaryCallViolationFinding`] so each entry carries a typed
|
|
981
|
+
* `actions` array natively.
|
|
982
|
+
*/
|
|
983
|
+
boundary_call_violations?: BoundaryCallViolationFinding[]
|
|
984
|
+
/**
|
|
985
|
+
* Banned calls and banned imports matched by declarative rule packs
|
|
986
|
+
* (`rulePacks` config). Wrapped in [`PolicyViolationFinding`] so each
|
|
987
|
+
* entry carries a typed `actions` array natively. Each finding carries
|
|
988
|
+
* its effective per-rule severity.
|
|
989
|
+
*/
|
|
990
|
+
policy_violations?: PolicyViolationFinding[]
|
|
840
991
|
/**
|
|
841
992
|
* Suppression comments or JSDoc tags that no longer match any issue.
|
|
842
993
|
*/
|
|
@@ -885,6 +1036,15 @@ baseline?: (BaselineMatch | null)
|
|
|
885
1036
|
regression?: (RegressionResult | null)
|
|
886
1037
|
_meta?: (Meta | null)
|
|
887
1038
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
1039
|
+
/**
|
|
1040
|
+
* Read-only follow-up commands computed from this run's findings, emitted
|
|
1041
|
+
* at the JSON root so an agent acting on the output is pointed at fallow's
|
|
1042
|
+
* adjacent verification capabilities (trace, complexity breakdown, audit,
|
|
1043
|
+
* workspace scoping). Each command is runnable as-is and never mutating;
|
|
1044
|
+
* see [`NextStep`] for both contracts. Omitted when empty or when
|
|
1045
|
+
* `FALLOW_SUGGESTIONS=off`; does NOT contribute to `total_issues`.
|
|
1046
|
+
*/
|
|
1047
|
+
next_steps?: NextStep[]
|
|
888
1048
|
}
|
|
889
1049
|
/**
|
|
890
1050
|
* Entry-point detection summary embedded in `CheckOutput` and the combined
|
|
@@ -979,6 +1139,18 @@ re_export_cycles?: number
|
|
|
979
1139
|
* Imports that cross architecture boundary rules.
|
|
980
1140
|
*/
|
|
981
1141
|
boundary_violations: number
|
|
1142
|
+
/**
|
|
1143
|
+
* Files that match no architecture boundary zone.
|
|
1144
|
+
*/
|
|
1145
|
+
boundary_coverage_violations?: number
|
|
1146
|
+
/**
|
|
1147
|
+
* Calls from zoned files to callees forbidden for that zone.
|
|
1148
|
+
*/
|
|
1149
|
+
boundary_call_violations?: number
|
|
1150
|
+
/**
|
|
1151
|
+
* Banned calls and banned imports matched by declarative rule packs.
|
|
1152
|
+
*/
|
|
1153
|
+
policy_violations?: number
|
|
982
1154
|
/**
|
|
983
1155
|
* Suppression comments that no longer match a finding.
|
|
984
1156
|
*/
|
|
@@ -1666,7 +1838,7 @@ introduced?: (AuditIntroduced | null)
|
|
|
1666
1838
|
*/
|
|
1667
1839
|
export interface TestOnlyDependencyFinding {
|
|
1668
1840
|
/**
|
|
1669
|
-
* Production dependency that is only imported by test files
|
|
1841
|
+
* Production dependency that is only imported by test files , consider
|
|
1670
1842
|
* moving to devDependencies.
|
|
1671
1843
|
*/
|
|
1672
1844
|
package_name: string
|
|
@@ -1837,6 +2009,124 @@ actions: IssueAction[]
|
|
|
1837
2009
|
*/
|
|
1838
2010
|
introduced?: (AuditIntroduced | null)
|
|
1839
2011
|
}
|
|
2012
|
+
/**
|
|
2013
|
+
* Wire-shape envelope for a [`BoundaryCoverageViolation`] finding. Carries
|
|
2014
|
+
* actions for assigning the file to a zone or explicitly allowing it to stay
|
|
2015
|
+
* unmatched.
|
|
2016
|
+
*/
|
|
2017
|
+
export interface BoundaryCoverageViolationFinding {
|
|
2018
|
+
/**
|
|
2019
|
+
* The unmatched source file.
|
|
2020
|
+
*/
|
|
2021
|
+
path: string
|
|
2022
|
+
/**
|
|
2023
|
+
* 1-based line number used for diagnostics.
|
|
2024
|
+
*/
|
|
2025
|
+
line: number
|
|
2026
|
+
/**
|
|
2027
|
+
* 0-based byte column offset used for diagnostics.
|
|
2028
|
+
*/
|
|
2029
|
+
col: number
|
|
2030
|
+
/**
|
|
2031
|
+
* Suggested next steps.
|
|
2032
|
+
*/
|
|
2033
|
+
actions: IssueAction[]
|
|
2034
|
+
/**
|
|
2035
|
+
* Set by the audit pass when this finding is introduced relative to
|
|
2036
|
+
* the merge-base.
|
|
2037
|
+
*/
|
|
2038
|
+
introduced?: (AuditIntroduced | null)
|
|
2039
|
+
}
|
|
2040
|
+
/**
|
|
2041
|
+
* Wire-shape envelope for a [`BoundaryCallViolation`] finding. Carries
|
|
2042
|
+
* actions for refactoring the forbidden call out of the zone or suppressing
|
|
2043
|
+
* it with the shared `boundary-violation` token.
|
|
2044
|
+
*/
|
|
2045
|
+
export interface BoundaryCallViolationFinding {
|
|
2046
|
+
/**
|
|
2047
|
+
* The zoned source file making the forbidden call.
|
|
2048
|
+
*/
|
|
2049
|
+
path: string
|
|
2050
|
+
/**
|
|
2051
|
+
* 1-based line number of the call site.
|
|
2052
|
+
*/
|
|
2053
|
+
line: number
|
|
2054
|
+
/**
|
|
2055
|
+
* 0-based byte column offset of the call site.
|
|
2056
|
+
*/
|
|
2057
|
+
col: number
|
|
2058
|
+
/**
|
|
2059
|
+
* The zone the calling file is classified into.
|
|
2060
|
+
*/
|
|
2061
|
+
zone: string
|
|
2062
|
+
/**
|
|
2063
|
+
* The callee path as written at the call site (e.g. `cp.exec`).
|
|
2064
|
+
*/
|
|
2065
|
+
callee: string
|
|
2066
|
+
/**
|
|
2067
|
+
* The configured pattern that matched (e.g. `child_process.*`), so
|
|
2068
|
+
* consumers can see both the written path and the rule that fired.
|
|
2069
|
+
*/
|
|
2070
|
+
pattern: string
|
|
2071
|
+
/**
|
|
2072
|
+
* Suggested next steps.
|
|
2073
|
+
*/
|
|
2074
|
+
actions: IssueAction[]
|
|
2075
|
+
/**
|
|
2076
|
+
* Set by the audit pass when this finding is introduced relative to
|
|
2077
|
+
* the merge-base.
|
|
2078
|
+
*/
|
|
2079
|
+
introduced?: (AuditIntroduced | null)
|
|
2080
|
+
}
|
|
2081
|
+
/**
|
|
2082
|
+
* Wire-shape envelope for a [`PolicyViolation`] finding. Carries actions for
|
|
2083
|
+
* replacing the banned call or import, or suppressing it with the
|
|
2084
|
+
* `policy-violation` token.
|
|
2085
|
+
*/
|
|
2086
|
+
export interface PolicyViolationFinding {
|
|
2087
|
+
/**
|
|
2088
|
+
* The source file containing the banned call or import.
|
|
2089
|
+
*/
|
|
2090
|
+
path: string
|
|
2091
|
+
/**
|
|
2092
|
+
* 1-based line number of the call site or import declaration.
|
|
2093
|
+
*/
|
|
2094
|
+
line: number
|
|
2095
|
+
/**
|
|
2096
|
+
* 0-based byte column offset of the call site or import declaration.
|
|
2097
|
+
*/
|
|
2098
|
+
col: number
|
|
2099
|
+
/**
|
|
2100
|
+
* Name of the rule pack that declared the matching rule.
|
|
2101
|
+
*/
|
|
2102
|
+
pack: string
|
|
2103
|
+
/**
|
|
2104
|
+
* Id of the matching rule inside the pack. `pack` plus `rule_id` is the
|
|
2105
|
+
* finding's policy identity.
|
|
2106
|
+
*/
|
|
2107
|
+
rule_id: string
|
|
2108
|
+
kind: PolicyRuleKind
|
|
2109
|
+
/**
|
|
2110
|
+
* What matched: the written callee path for `banned-call` (e.g.
|
|
2111
|
+
* `cp.exec`), or the raw import specifier for `banned-import` (e.g.
|
|
2112
|
+
* `moment/locale/nl`).
|
|
2113
|
+
*/
|
|
2114
|
+
matched: string
|
|
2115
|
+
severity: PolicyViolationSeverity
|
|
2116
|
+
/**
|
|
2117
|
+
* The rule's author-provided message, when set.
|
|
2118
|
+
*/
|
|
2119
|
+
message?: (string | null)
|
|
2120
|
+
/**
|
|
2121
|
+
* Suggested next steps.
|
|
2122
|
+
*/
|
|
2123
|
+
actions: IssueAction[]
|
|
2124
|
+
/**
|
|
2125
|
+
* Set by the audit pass when this finding is introduced relative to
|
|
2126
|
+
* the merge-base.
|
|
2127
|
+
*/
|
|
2128
|
+
introduced?: (AuditIntroduced | null)
|
|
2129
|
+
}
|
|
1840
2130
|
/**
|
|
1841
2131
|
* A suppression comment or JSDoc tag that no longer matches any issue.
|
|
1842
2132
|
*/
|
|
@@ -2171,71 +2461,51 @@ exceeded: boolean
|
|
|
2171
2461
|
reason?: (string | null)
|
|
2172
2462
|
}
|
|
2173
2463
|
/**
|
|
2174
|
-
*
|
|
2175
|
-
*
|
|
2176
|
-
*
|
|
2177
|
-
|
|
2178
|
-
|
|
2179
|
-
|
|
2180
|
-
*
|
|
2181
|
-
|
|
2182
|
-
|
|
2183
|
-
|
|
2184
|
-
*
|
|
2185
|
-
|
|
2186
|
-
|
|
2187
|
-
|
|
2188
|
-
|
|
2189
|
-
|
|
2190
|
-
*
|
|
2191
|
-
|
|
2192
|
-
|
|
2193
|
-
|
|
2194
|
-
|
|
2195
|
-
|
|
2196
|
-
*
|
|
2197
|
-
|
|
2198
|
-
|
|
2199
|
-
|
|
2200
|
-
|
|
2201
|
-
|
|
2202
|
-
/**
|
|
2203
|
-
* Single-metric definition inside [`Meta::metrics`].
|
|
2204
|
-
*/
|
|
2205
|
-
export interface MetaMetric {
|
|
2206
|
-
/**
|
|
2207
|
-
* Human-readable metric name.
|
|
2208
|
-
*/
|
|
2209
|
-
name?: (string | null)
|
|
2210
|
-
/**
|
|
2211
|
-
* What this metric measures and how it is computed.
|
|
2212
|
-
*/
|
|
2213
|
-
description?: (string | null)
|
|
2214
|
-
/**
|
|
2215
|
-
* Valid value range (e.g., `"[0, 100]"`).
|
|
2216
|
-
*/
|
|
2217
|
-
range?: (string | null)
|
|
2218
|
-
/**
|
|
2219
|
-
* How to read the value (e.g., `"lower is better"`).
|
|
2220
|
-
*/
|
|
2221
|
-
interpretation?: (string | null)
|
|
2222
|
-
}
|
|
2223
|
-
/**
|
|
2224
|
-
* Single-rule definition inside [`Meta::rules`].
|
|
2464
|
+
* A read-only follow-up command fallow surfaces from the current findings,
|
|
2465
|
+
* emitted as the top-level `next_steps` array on each command's JSON envelope.
|
|
2466
|
+
*
|
|
2467
|
+
* `next_steps` exists to point agents and humans sideways to fallow's adjacent
|
|
2468
|
+
* verification capabilities (trace, complexity breakdown, audit, workspace
|
|
2469
|
+
* scoping) that telemetry shows agents rarely discover, because they act on the
|
|
2470
|
+
* output in front of them rather than on reference docs.
|
|
2471
|
+
*
|
|
2472
|
+
* ## Two hard contracts
|
|
2473
|
+
*
|
|
2474
|
+
* 1. **Read-only.** A `next_step` NEVER suggests `fallow fix` or any mutating
|
|
2475
|
+
* command. Fallow surfaces evidence and verification paths; deciding and
|
|
2476
|
+
* applying the remediation is the agent's job.
|
|
2477
|
+
* 2. **Runnable, placeholder-free.** `command` is always runnable as-is. It
|
|
2478
|
+
* never contains an angle-bracket placeholder (`<...>`); finding-derived
|
|
2479
|
+
* values are filled in from a real, deterministically-selected finding, and
|
|
2480
|
+
* any environment- or user-specific value that cannot be made concrete lives
|
|
2481
|
+
* in `reason` instead. An agent can copy `command` and run it without edits.
|
|
2482
|
+
*
|
|
2483
|
+
* Both contracts are enforced by unit tests in
|
|
2484
|
+
* `crates/cli/src/report/suggestions.rs`.
|
|
2485
|
+
*
|
|
2486
|
+
* Note: a SEPARATE, unrelated `next_steps` field exists on the
|
|
2487
|
+
* `coverage setup` envelope (`CoverageSetupOutput.next_steps`) as a plain
|
|
2488
|
+
* `Vec<String>` of human onboarding steps. Consumers that read multiple
|
|
2489
|
+
* envelope kinds must route on the envelope's `kind` before interpreting a
|
|
2490
|
+
* `next_steps` field: on analysis envelopes it is `Vec<NextStep>` objects, on
|
|
2491
|
+
* `coverage setup` it is `Vec<String>`.
|
|
2225
2492
|
*/
|
|
2226
|
-
export interface
|
|
2493
|
+
export interface NextStep {
|
|
2227
2494
|
/**
|
|
2228
|
-
*
|
|
2495
|
+
* Stable kebab-case key for machine dispatch and de-duplication
|
|
2496
|
+
* (for example `"trace-unused-export"`). Identity is stable across runs;
|
|
2497
|
+
* the `command` and `reason` strings may vary with the findings.
|
|
2229
2498
|
*/
|
|
2230
|
-
|
|
2499
|
+
id: string
|
|
2231
2500
|
/**
|
|
2232
|
-
*
|
|
2501
|
+
* A runnable, read-only command string. Placeholder-free by contract.
|
|
2233
2502
|
*/
|
|
2234
|
-
|
|
2503
|
+
command: string
|
|
2235
2504
|
/**
|
|
2236
|
-
*
|
|
2505
|
+
* One short phrase explaining why this helps. Carries any value that
|
|
2506
|
+
* cannot be made concrete in `command`.
|
|
2237
2507
|
*/
|
|
2238
|
-
|
|
2508
|
+
reason: string
|
|
2239
2509
|
}
|
|
2240
2510
|
/**
|
|
2241
2511
|
* Wire-shape payload for `fallow dupes --format json` (the body that
|
|
@@ -2777,7 +3047,7 @@ severity_high_count: number
|
|
|
2777
3047
|
severity_moderate_count: number
|
|
2778
3048
|
}
|
|
2779
3049
|
/**
|
|
2780
|
-
* Project-wide vital signs
|
|
3050
|
+
* Project-wide vital signs , a fixed set of metrics for trend tracking.
|
|
2781
3051
|
*
|
|
2782
3052
|
* Metrics are `Option` when the data source was not available in the current run
|
|
2783
3053
|
* (e.g., `duplication_pct` is `None` unless the duplication pipeline was run,
|
|
@@ -3318,7 +3588,7 @@ coverage_percent: number
|
|
|
3318
3588
|
trace_count: number
|
|
3319
3589
|
/**
|
|
3320
3590
|
* Days of observation covered by the supplied dump (Phase 2 local analysis
|
|
3321
|
-
* emits 0
|
|
3591
|
+
* emits 0 , set by the beacon/cloud in Phase 3+).
|
|
3322
3592
|
*/
|
|
3323
3593
|
period_days: number
|
|
3324
3594
|
/**
|
|
@@ -3780,6 +4050,14 @@ complex_functions?: EvidenceFunction[]
|
|
|
3780
4050
|
* Files forming the import cycle (populated for `BreakCircularDependency` targets).
|
|
3781
4051
|
*/
|
|
3782
4052
|
cycle_path?: string[]
|
|
4053
|
+
/**
|
|
4054
|
+
* Files that directly import this target, with imported and local symbols.
|
|
4055
|
+
*/
|
|
4056
|
+
direct_callers?: DirectCallerEvidence[]
|
|
4057
|
+
/**
|
|
4058
|
+
* Other duplicate-code instances that share a clone group with this target.
|
|
4059
|
+
*/
|
|
4060
|
+
clone_siblings?: CloneSiblingEvidence[]
|
|
3783
4061
|
}
|
|
3784
4062
|
/**
|
|
3785
4063
|
* A function referenced in target evidence.
|
|
@@ -3798,6 +4076,57 @@ line: number
|
|
|
3798
4076
|
*/
|
|
3799
4077
|
cognitive: number
|
|
3800
4078
|
}
|
|
4079
|
+
/**
|
|
4080
|
+
* A direct importer referenced in target evidence.
|
|
4081
|
+
*/
|
|
4082
|
+
export interface DirectCallerEvidence {
|
|
4083
|
+
/**
|
|
4084
|
+
* File that directly imports the target.
|
|
4085
|
+
*/
|
|
4086
|
+
path: string
|
|
4087
|
+
/**
|
|
4088
|
+
* Symbols imported from the target by this file.
|
|
4089
|
+
*/
|
|
4090
|
+
symbols?: DirectCallerSymbolEvidence[]
|
|
4091
|
+
}
|
|
4092
|
+
/**
|
|
4093
|
+
* Symbol details for a direct importer.
|
|
4094
|
+
*/
|
|
4095
|
+
export interface DirectCallerSymbolEvidence {
|
|
4096
|
+
/**
|
|
4097
|
+
* Imported binding name.
|
|
4098
|
+
*/
|
|
4099
|
+
imported: string
|
|
4100
|
+
/**
|
|
4101
|
+
* Local binding name in the importing file.
|
|
4102
|
+
*/
|
|
4103
|
+
local: string
|
|
4104
|
+
/**
|
|
4105
|
+
* Whether the import is type-only.
|
|
4106
|
+
*/
|
|
4107
|
+
type_only: boolean
|
|
4108
|
+
}
|
|
4109
|
+
/**
|
|
4110
|
+
* A duplicate-code sibling referenced in target evidence.
|
|
4111
|
+
*/
|
|
4112
|
+
export interface CloneSiblingEvidence {
|
|
4113
|
+
/**
|
|
4114
|
+
* File containing the sibling clone instance.
|
|
4115
|
+
*/
|
|
4116
|
+
path: string
|
|
4117
|
+
/**
|
|
4118
|
+
* 1-based start line of the sibling clone.
|
|
4119
|
+
*/
|
|
4120
|
+
start_line: number
|
|
4121
|
+
/**
|
|
4122
|
+
* 1-based end line of the sibling clone.
|
|
4123
|
+
*/
|
|
4124
|
+
end_line: number
|
|
4125
|
+
/**
|
|
4126
|
+
* Stable duplicate-group handle, matching `dupes --trace dup:<id>`.
|
|
4127
|
+
*/
|
|
4128
|
+
fingerprint: string
|
|
4129
|
+
}
|
|
3801
4130
|
/**
|
|
3802
4131
|
* Suggested action attached to a [`RefactoringTarget`].
|
|
3803
4132
|
*
|
|
@@ -4355,6 +4684,11 @@ grouped_by?: (GroupByMode | null)
|
|
|
4355
4684
|
groups?: (HealthGroup[] | null)
|
|
4356
4685
|
_meta?: (Meta | null)
|
|
4357
4686
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
4687
|
+
/**
|
|
4688
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
4689
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
4690
|
+
*/
|
|
4691
|
+
next_steps?: NextStep[]
|
|
4358
4692
|
}
|
|
4359
4693
|
/**
|
|
4360
4694
|
* A health report scoped to a single group.
|
|
@@ -4498,6 +4832,11 @@ _meta?: (Meta | null)
|
|
|
4498
4832
|
* a separate top-level field.
|
|
4499
4833
|
*/
|
|
4500
4834
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
4835
|
+
/**
|
|
4836
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
4837
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
4838
|
+
*/
|
|
4839
|
+
next_steps?: NextStep[]
|
|
4501
4840
|
}
|
|
4502
4841
|
/**
|
|
4503
4842
|
* A single grouped duplication bucket. Per-group `stats` are dedup-aware and
|
|
@@ -4612,6 +4951,11 @@ grouped_by: GroupByMode
|
|
|
4612
4951
|
total_issues: number
|
|
4613
4952
|
groups: CheckGroupedEntry[]
|
|
4614
4953
|
_meta?: (Meta | null)
|
|
4954
|
+
/**
|
|
4955
|
+
* Read-only follow-up commands computed from the full (ungrouped) findings.
|
|
4956
|
+
* See [`CheckOutput::next_steps`] for the contract.
|
|
4957
|
+
*/
|
|
4958
|
+
next_steps?: NextStep[]
|
|
4615
4959
|
}
|
|
4616
4960
|
/**
|
|
4617
4961
|
* Single resolver bucket inside `CheckGroupedOutput`. Carries the group's
|
|
@@ -4731,6 +5075,25 @@ re_export_cycles?: ReExportCycleFinding[]
|
|
|
4731
5075
|
* array natively.
|
|
4732
5076
|
*/
|
|
4733
5077
|
boundary_violations?: BoundaryViolationFinding[]
|
|
5078
|
+
/**
|
|
5079
|
+
* Files that matched no architecture boundary zone while
|
|
5080
|
+
* `boundaries.coverage.requireAllFiles` was enabled.
|
|
5081
|
+
*/
|
|
5082
|
+
boundary_coverage_violations?: BoundaryCoverageViolationFinding[]
|
|
5083
|
+
/**
|
|
5084
|
+
* Calls from zoned files to callees forbidden for that zone via
|
|
5085
|
+
* `boundaries.calls.forbidden`. Wrapped in
|
|
5086
|
+
* [`BoundaryCallViolationFinding`] so each entry carries a typed
|
|
5087
|
+
* `actions` array natively.
|
|
5088
|
+
*/
|
|
5089
|
+
boundary_call_violations?: BoundaryCallViolationFinding[]
|
|
5090
|
+
/**
|
|
5091
|
+
* Banned calls and banned imports matched by declarative rule packs
|
|
5092
|
+
* (`rulePacks` config). Wrapped in [`PolicyViolationFinding`] so each
|
|
5093
|
+
* entry carries a typed `actions` array natively. Each finding carries
|
|
5094
|
+
* its effective per-rule severity.
|
|
5095
|
+
*/
|
|
5096
|
+
policy_violations?: PolicyViolationFinding[]
|
|
4734
5097
|
/**
|
|
4735
5098
|
* Suppression comments or JSDoc tags that no longer match any issue.
|
|
4736
5099
|
*/
|
|
@@ -4782,6 +5145,7 @@ export interface ImpactReport {
|
|
|
4782
5145
|
schema_version: ImpactReportSchemaVersion
|
|
4783
5146
|
enabled: boolean
|
|
4784
5147
|
record_count: number
|
|
5148
|
+
_meta?: (Meta | null)
|
|
4785
5149
|
first_recorded?: (string | null)
|
|
4786
5150
|
/**
|
|
4787
5151
|
* Git SHA of the most recent recorded run, so a consumer can tell which
|
|
@@ -4883,6 +5247,13 @@ timestamp: string
|
|
|
4883
5247
|
*/
|
|
4884
5248
|
export interface SecurityOutput {
|
|
4885
5249
|
schema_version: SecuritySchemaVersion
|
|
5250
|
+
version: ToolVersion
|
|
5251
|
+
elapsed_ms: ElapsedMs
|
|
5252
|
+
config: SecurityOutputConfig
|
|
5253
|
+
/**
|
|
5254
|
+
* Security-specific rule and field metadata, emitted with `--explain`.
|
|
5255
|
+
*/
|
|
5256
|
+
_meta?: (Meta | null)
|
|
4886
5257
|
/**
|
|
4887
5258
|
* Gate verdict, present only when `--gate <mode>` was set (issue #886).
|
|
4888
5259
|
* Emitted on pass too (`verdict: "pass"`, `new_count: 0`) so consumers
|
|
@@ -4912,6 +5283,34 @@ unresolved_edge_files: number
|
|
|
4912
5283
|
* here is NOT a clean bill.
|
|
4913
5284
|
*/
|
|
4914
5285
|
unresolved_callee_sites: number
|
|
5286
|
+
/**
|
|
5287
|
+
* Bounded diagnostics for unresolved callee blind spots.
|
|
5288
|
+
*/
|
|
5289
|
+
unresolved_callee_diagnostics?: (SecurityUnresolvedCalleeDiagnostics | null)
|
|
5290
|
+
}
|
|
5291
|
+
/**
|
|
5292
|
+
* Allowlisted config context for `fallow security --format json`.
|
|
5293
|
+
*/
|
|
5294
|
+
export interface SecurityOutputConfig {
|
|
5295
|
+
rules: SecurityOutputRulesConfig
|
|
5296
|
+
/**
|
|
5297
|
+
* `security.categories.include` from config. `null` means unset, `[]`
|
|
5298
|
+
* means explicitly empty.
|
|
5299
|
+
*/
|
|
5300
|
+
categories_include: (string[] | null)
|
|
5301
|
+
/**
|
|
5302
|
+
* `security.categories.exclude` from config. `null` means unset, `[]`
|
|
5303
|
+
* means explicitly empty.
|
|
5304
|
+
*/
|
|
5305
|
+
categories_exclude: (string[] | null)
|
|
5306
|
+
}
|
|
5307
|
+
export interface SecurityOutputRulesConfig {
|
|
5308
|
+
security_client_server_leak: SecurityRuleSeverityConfig
|
|
5309
|
+
security_sink: SecurityRuleSeverityConfig
|
|
5310
|
+
}
|
|
5311
|
+
export interface SecurityRuleSeverityConfig {
|
|
5312
|
+
configured: Severity
|
|
5313
|
+
effective: Severity
|
|
4915
5314
|
}
|
|
4916
5315
|
/**
|
|
4917
5316
|
* The `gate` block on `SecurityOutput`, present only when `--gate <mode>` ran.
|
|
@@ -4921,7 +5320,7 @@ export interface SecurityGate {
|
|
|
4921
5320
|
mode: SecurityGateMode
|
|
4922
5321
|
verdict: SecurityGateVerdict
|
|
4923
5322
|
/**
|
|
4924
|
-
* Number of candidates
|
|
5323
|
+
* Number of candidates matching the selected gate mode.
|
|
4925
5324
|
*/
|
|
4926
5325
|
new_count: number
|
|
4927
5326
|
}
|
|
@@ -5192,6 +5591,12 @@ cwe?: (number | null)
|
|
|
5192
5591
|
* `None` for `client-server-leak` and matches that name no callee.
|
|
5193
5592
|
*/
|
|
5194
5593
|
callee?: (string | null)
|
|
5594
|
+
/**
|
|
5595
|
+
* URL construction shape for SSRF and open-redirect style candidates when
|
|
5596
|
+
* fallow can classify whether the origin is fixed or dynamic. Absent for
|
|
5597
|
+
* non-URL sinks and unclassified URL expressions.
|
|
5598
|
+
*/
|
|
5599
|
+
url_shape?: (SecurityUrlShape | null)
|
|
5195
5600
|
}
|
|
5196
5601
|
/**
|
|
5197
5602
|
* The boundary slot of a [`SecurityCandidate`]: which structural boundaries the
|
|
@@ -5377,6 +5782,155 @@ col: number
|
|
|
5377
5782
|
*/
|
|
5378
5783
|
callee: string
|
|
5379
5784
|
}
|
|
5785
|
+
/**
|
|
5786
|
+
* Bounded unresolved-callee diagnostics for `fallow security --format json`.
|
|
5787
|
+
*/
|
|
5788
|
+
export interface SecurityUnresolvedCalleeDiagnostics {
|
|
5789
|
+
/**
|
|
5790
|
+
* Deterministic sample rows, capped by `sample_limit`.
|
|
5791
|
+
*/
|
|
5792
|
+
sampled: SecurityUnresolvedCalleeSample[]
|
|
5793
|
+
/**
|
|
5794
|
+
* Files with the most unresolved callees, capped by `top_files_limit`.
|
|
5795
|
+
*/
|
|
5796
|
+
top_files: SecurityUnresolvedCalleeTopFile[]
|
|
5797
|
+
/**
|
|
5798
|
+
* Full count by unresolved-callee reason, sorted by count then reason.
|
|
5799
|
+
*/
|
|
5800
|
+
by_reason: SecurityUnresolvedCalleeReasonCount[]
|
|
5801
|
+
/**
|
|
5802
|
+
* Maximum number of sample rows emitted.
|
|
5803
|
+
*/
|
|
5804
|
+
sample_limit: number
|
|
5805
|
+
/**
|
|
5806
|
+
* Maximum number of top-file rows emitted.
|
|
5807
|
+
*/
|
|
5808
|
+
top_files_limit: number
|
|
5809
|
+
}
|
|
5810
|
+
/**
|
|
5811
|
+
* One sampled unresolved-callee row.
|
|
5812
|
+
*/
|
|
5813
|
+
export interface SecurityUnresolvedCalleeSample {
|
|
5814
|
+
/**
|
|
5815
|
+
* Project-relative source path.
|
|
5816
|
+
*/
|
|
5817
|
+
path: string
|
|
5818
|
+
/**
|
|
5819
|
+
* 1-based source line.
|
|
5820
|
+
*/
|
|
5821
|
+
line: number
|
|
5822
|
+
/**
|
|
5823
|
+
* 0-based byte column.
|
|
5824
|
+
*/
|
|
5825
|
+
col: number
|
|
5826
|
+
reason: SkippedSecurityCalleeReason
|
|
5827
|
+
expression_kind: SkippedSecurityCalleeExpressionKind
|
|
5828
|
+
}
|
|
5829
|
+
/**
|
|
5830
|
+
* Count of unresolved callees in one file.
|
|
5831
|
+
*/
|
|
5832
|
+
export interface SecurityUnresolvedCalleeTopFile {
|
|
5833
|
+
/**
|
|
5834
|
+
* Project-relative source path.
|
|
5835
|
+
*/
|
|
5836
|
+
path: string
|
|
5837
|
+
/**
|
|
5838
|
+
* Number of unresolved callees in this file.
|
|
5839
|
+
*/
|
|
5840
|
+
count: number
|
|
5841
|
+
}
|
|
5842
|
+
/**
|
|
5843
|
+
* Count of unresolved callees for one reason.
|
|
5844
|
+
*/
|
|
5845
|
+
export interface SecurityUnresolvedCalleeReasonCount {
|
|
5846
|
+
reason: SkippedSecurityCalleeReason
|
|
5847
|
+
/**
|
|
5848
|
+
* Number of unresolved callees with this reason.
|
|
5849
|
+
*/
|
|
5850
|
+
count: number
|
|
5851
|
+
}
|
|
5852
|
+
/**
|
|
5853
|
+
* Compact `fallow security --summary --format json` payload. Uses the same
|
|
5854
|
+
* `kind: "security"` discriminator as the full payload, but omits candidate
|
|
5855
|
+
* arrays and exposes only aggregate counts.
|
|
5856
|
+
*/
|
|
5857
|
+
export interface SecuritySummaryOutput {
|
|
5858
|
+
schema_version: SecuritySchemaVersion
|
|
5859
|
+
version: ToolVersion
|
|
5860
|
+
elapsed_ms: ElapsedMs
|
|
5861
|
+
config: SecurityOutputConfig
|
|
5862
|
+
/**
|
|
5863
|
+
* Security-specific rule and field metadata, emitted with `--explain`.
|
|
5864
|
+
*/
|
|
5865
|
+
_meta?: (Meta | null)
|
|
5866
|
+
/**
|
|
5867
|
+
* Gate verdict, present only when `--gate <mode>` was set.
|
|
5868
|
+
*/
|
|
5869
|
+
gate?: (SecurityGate | null)
|
|
5870
|
+
summary: SecuritySummary
|
|
5871
|
+
}
|
|
5872
|
+
/**
|
|
5873
|
+
* Aggregate counts for `fallow security --summary --format json`.
|
|
5874
|
+
*/
|
|
5875
|
+
export interface SecuritySummary {
|
|
5876
|
+
/**
|
|
5877
|
+
* Number of security candidates after all filters, gates, and scopes.
|
|
5878
|
+
*/
|
|
5879
|
+
security_findings: number
|
|
5880
|
+
by_severity: SecuritySeverityCounts
|
|
5881
|
+
/**
|
|
5882
|
+
* Finding counts by catalogue category, or by kind for findings without a
|
|
5883
|
+
* catalogue category.
|
|
5884
|
+
*/
|
|
5885
|
+
by_category: {
|
|
5886
|
+
[k: string]: number
|
|
5887
|
+
}
|
|
5888
|
+
by_reachability: SecurityReachabilityCounts
|
|
5889
|
+
by_runtime_state: SecurityRuntimeStateCounts
|
|
5890
|
+
/**
|
|
5891
|
+
* Number of client files whose dynamic imports could not be followed.
|
|
5892
|
+
*/
|
|
5893
|
+
unresolved_edge_files: number
|
|
5894
|
+
/**
|
|
5895
|
+
* Number of sink-shaped callees that could not be statically flattened.
|
|
5896
|
+
*/
|
|
5897
|
+
unresolved_callee_sites: number
|
|
5898
|
+
/**
|
|
5899
|
+
* Number of attack-surface entries included in the prepared full output.
|
|
5900
|
+
*/
|
|
5901
|
+
attack_surface_entries: number
|
|
5902
|
+
}
|
|
5903
|
+
/**
|
|
5904
|
+
* Fixed severity counters for summary JSON.
|
|
5905
|
+
*/
|
|
5906
|
+
export interface SecuritySeverityCounts {
|
|
5907
|
+
high: number
|
|
5908
|
+
medium: number
|
|
5909
|
+
low: number
|
|
5910
|
+
}
|
|
5911
|
+
/**
|
|
5912
|
+
* Fixed reachability counters for summary JSON.
|
|
5913
|
+
*/
|
|
5914
|
+
export interface SecurityReachabilityCounts {
|
|
5915
|
+
entry_reachable: number
|
|
5916
|
+
untrusted_source_reachable: number
|
|
5917
|
+
arg_level: number
|
|
5918
|
+
module_level: number
|
|
5919
|
+
crosses_boundary: number
|
|
5920
|
+
source_backed: number
|
|
5921
|
+
}
|
|
5922
|
+
/**
|
|
5923
|
+
* Fixed runtime coverage counters for summary JSON.
|
|
5924
|
+
*/
|
|
5925
|
+
export interface SecurityRuntimeStateCounts {
|
|
5926
|
+
runtime_hot: number
|
|
5927
|
+
runtime_cold: number
|
|
5928
|
+
never_executed: number
|
|
5929
|
+
low_traffic: number
|
|
5930
|
+
coverage_unavailable: number
|
|
5931
|
+
runtime_unknown: number
|
|
5932
|
+
not_collected: number
|
|
5933
|
+
}
|
|
5380
5934
|
/**
|
|
5381
5935
|
* Bare `fallow --format json` envelope.
|
|
5382
5936
|
*/
|
|
@@ -5388,11 +5942,17 @@ _meta?: (CombinedMeta | null)
|
|
|
5388
5942
|
check?: (CheckOutput | null)
|
|
5389
5943
|
dupes?: (DupesReportPayload | null)
|
|
5390
5944
|
health?: (HealthReport | null)
|
|
5945
|
+
/**
|
|
5946
|
+
* Read-only follow-up commands aggregated across the combined run's
|
|
5947
|
+
* findings. See [`CheckOutput::next_steps`] for the contract.
|
|
5948
|
+
*/
|
|
5949
|
+
next_steps?: NextStep[]
|
|
5391
5950
|
}
|
|
5392
5951
|
export interface CombinedMeta {
|
|
5393
5952
|
check?: (Meta | null)
|
|
5394
5953
|
dupes?: (Meta | null)
|
|
5395
5954
|
health?: (Meta | null)
|
|
5955
|
+
telemetry?: (TelemetryMeta | null)
|
|
5396
5956
|
}
|
|
5397
5957
|
/**
|
|
5398
5958
|
* Single CodeClimate-compatible issue inside [`CodeClimateOutput`].
|