fallow 2.91.0 → 2.93.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -71,7 +71,7 @@ kind: "dupes"
71
71
  kind: "dead-code-grouped"
72
72
  }) | (ImpactReport & {
73
73
  kind: "impact"
74
- }) | (SecurityOutput & {
74
+ }) | ((SecurityOutput | SecuritySummaryOutput) & {
75
75
  kind: "security"
76
76
  }) | (CheckOutput & {
77
77
  kind: "dead-code"
@@ -170,7 +170,7 @@ export type IssueAction = (FixAction | SuppressLineAction | SuppressFileAction |
170
170
  * Discriminant string for [`FixAction`]. Kebab-case per the JSON output
171
171
  * contract.
172
172
  */
173
- export type FixActionType = ("remove-export" | "delete-file" | "remove-dependency" | "move-dependency" | "remove-enum-member" | "remove-class-member" | "resolve-import" | "install-dependency" | "remove-duplicate" | "move-to-dev" | "refactor-cycle" | "refactor-re-export-cycle" | "refactor-boundary" | "export-type" | "remove-catalog-entry" | "remove-empty-catalog-group" | "update-catalog-reference" | "add-catalog-entry" | "remove-catalog-reference" | "remove-dependency-override" | "fix-dependency-override")
173
+ export type FixActionType = ("remove-export" | "delete-file" | "remove-dependency" | "move-dependency" | "remove-enum-member" | "remove-class-member" | "resolve-import" | "install-dependency" | "remove-duplicate" | "move-to-dev" | "refactor-cycle" | "refactor-re-export-cycle" | "refactor-boundary" | "export-type" | "remove-catalog-entry" | "remove-empty-catalog-group" | "update-catalog-reference" | "add-catalog-entry" | "remove-catalog-reference" | "remove-dependency-override" | "fix-dependency-override" | "resolve-policy-violation")
174
174
  /**
175
175
  * Singleton discriminant for [`SuppressLineAction`].
176
176
  */
@@ -232,6 +232,17 @@ export type MemberKind = ("enum_member" | "class_method" | "class_property" | "n
232
232
  * Discriminator for [`ReExportCycle`]: which structural shape was detected.
233
233
  */
234
234
  export type ReExportCycleKind = ("multi-node" | "self-loop")
235
+ /**
236
+ * Which rule-pack rule kind produced a [`PolicyViolation`].
237
+ */
238
+ export type PolicyRuleKind = ("banned-call" | "banned-import")
239
+ /**
240
+ * Effective severity of a single [`PolicyViolation`]. Per-rule `severity`
241
+ * overrides the `rules."policy-violation"` master; `off` rules emit nothing,
242
+ * so only `error` and `warn` appear on the wire. The exit-code gate inspects
243
+ * this per-finding value, not the master severity.
244
+ */
245
+ export type PolicyViolationSeverity = ("error" | "warn")
235
246
  /**
236
247
  * The origin of a stale suppression: inline comment or JSDoc tag.
237
248
  */
@@ -328,6 +339,12 @@ kind: "tsconfig-reference-dir-missing"
328
339
  */
329
340
  size_bytes: number
330
341
  kind: "skipped-large-file"
342
+ } | {
343
+ /**
344
+ * On-disk size of the skipped file in bytes.
345
+ */
346
+ size_bytes: number
347
+ kind: "skipped-minified-file"
331
348
  })
332
349
  /**
333
350
  * Discriminant for [`CloneGroupAction::kind`]. Mirrors the action types
@@ -606,12 +623,18 @@ export type ImpactTrendDirection = ("improving" | "declining" | "stable")
606
623
  * The `fallow security --format json` schema version. Independently versioned
607
624
  * from the main contract, mirroring `ImpactReportSchemaVersion`.
608
625
  */
609
- export type SecuritySchemaVersion = ("1" | "2")
626
+ export type SecuritySchemaVersion = ("1" | "2" | "3" | "4" | "5" | "6")
627
+ /**
628
+ * Severity level for rules.
629
+ *
630
+ * Controls whether an issue type causes CI failure (`error`), is reported
631
+ * without failing (`warn`), or is suppressed entirely (`off`).
632
+ */
633
+ export type Severity = ("error" | "warn" | "off")
610
634
  /**
611
- * Gate mode for `fallow security --gate <mode>` (issue #886). Tier 2 reserves
612
- * the value `newly-reachable`.
635
+ * Gate mode for `fallow security --gate <mode>`.
613
636
  */
614
- export type SecurityGateMode = "new"
637
+ export type SecurityGateMode = ("new" | "newly-reachable")
615
638
  /**
616
639
  * Gate verdict on the wire. `fail` is the CI-state token; human output renders
617
640
  * it as "REVIEW REQUIRED" because these stay unverified candidates, never
@@ -645,6 +668,10 @@ export type SecurityDeadCodeKind = ("unused-file" | "unused-export")
645
668
  * rank, never gate).
646
669
  */
647
670
  export type TaintConfidence = ("arg-level" | "module-level")
671
+ /**
672
+ * Static URL construction shape captured for URL-shaped security sinks.
673
+ */
674
+ export type SecurityUrlShape = ("fixed-origin-dynamic-path" | "dynamic-origin")
648
675
  /**
649
676
  * Runtime coverage state for the function enclosing a security sink.
650
677
  * This is production-observation evidence, not an exploitability verdict.
@@ -654,6 +681,15 @@ export type SecurityRuntimeState = ("runtime-hot" | "runtime-cold" | "never-exec
654
681
  * Defensive control family detected on a source to sink path.
655
682
  */
656
683
  export type SecurityControlKind = ("sanitization" | "validation" | "authentication" | "authorization")
684
+ /**
685
+ * Why a sink-shaped callee could not be flattened into a static catalogue
686
+ * path.
687
+ */
688
+ export type SkippedSecurityCalleeReason = ("computed-member" | "dynamic-dispatch" | "unsupported-assignment-object")
689
+ /**
690
+ * Syntactic expression shape for a skipped security callee.
691
+ */
692
+ export type SkippedSecurityCalleeExpressionKind = ("static-member-expression" | "computed-member-expression" | "identifier" | "other")
657
693
  /**
658
694
  * Discriminator value for [`CodeClimateIssue::kind`].
659
695
  */
@@ -679,14 +715,28 @@ command: AuditCommand
679
715
  verdict: AuditVerdict
680
716
  changed_files_count: number
681
717
  base_ref: string
718
+ /**
719
+ * Human-readable provenance of `base_ref`, e.g. `merge-base with
720
+ * origin/main`, `local main`, or `FALLOW_AUDIT_BASE=upstream/main`.
721
+ * Present when the base was auto-detected or set via `FALLOW_AUDIT_BASE`;
722
+ * absent for an explicit `--base` (the ref the user typed is already
723
+ * self-describing).
724
+ */
725
+ base_description?: (string | null)
682
726
  head_sha?: (string | null)
683
727
  elapsed_ms: ElapsedMs
684
728
  base_snapshot_skipped?: (boolean | null)
685
729
  summary: AuditSummary
686
730
  attribution: AuditAttribution
731
+ _meta?: (Meta | null)
687
732
  dead_code?: (CheckOutput | null)
688
733
  duplication?: (DupesReportPayload | null)
689
734
  complexity?: (HealthReport | null)
735
+ /**
736
+ * Read-only follow-up commands computed from this run's findings. See
737
+ * [`CheckOutput::next_steps`] for the contract.
738
+ */
739
+ next_steps?: NextStep[]
690
740
  }
691
741
  /**
692
742
  * Per-category summary counts for the audit result.
@@ -710,6 +760,88 @@ complexity_inherited: number
710
760
  duplication_introduced: number
711
761
  duplication_inherited: number
712
762
  }
763
+ /**
764
+ * Metric and rule definitions emitted under `_meta` when `--explain` is
765
+ * passed (always present in MCP responses). Helps AI agents and CI systems
766
+ * interpret metric values without re-reading the docs site.
767
+ */
768
+ export interface Meta {
769
+ /**
770
+ * URL to the documentation page for this command.
771
+ */
772
+ docs?: (string | null)
773
+ /**
774
+ * Local telemetry correlation metadata for agent follow-up runs.
775
+ */
776
+ telemetry?: (TelemetryMeta | null)
777
+ /**
778
+ * Per-field definitions for envelope fields and action payload fields.
779
+ */
780
+ field_definitions?: {
781
+ [k: string]: string
782
+ }
783
+ /**
784
+ * Per-metric definitions: name, description, range, interpretation.
785
+ */
786
+ metrics?: {
787
+ [k: string]: MetaMetric
788
+ }
789
+ /**
790
+ * Per-rule definitions for check command output.
791
+ */
792
+ rules?: {
793
+ [k: string]: MetaRule
794
+ }
795
+ }
796
+ /**
797
+ * Privacy-safe local run metadata emitted for JSON consumers.
798
+ */
799
+ export interface TelemetryMeta {
800
+ /**
801
+ * Ephemeral local token that may be passed to the hidden `--parent-run`
802
+ * flag on a later command. It is not derived from repository, path, user,
803
+ * machine, project, or cloud data.
804
+ */
805
+ analysis_run_id?: (string | null)
806
+ }
807
+ /**
808
+ * Single-metric definition inside [`Meta::metrics`].
809
+ */
810
+ export interface MetaMetric {
811
+ /**
812
+ * Human-readable metric name.
813
+ */
814
+ name?: (string | null)
815
+ /**
816
+ * What this metric measures and how it is computed.
817
+ */
818
+ description?: (string | null)
819
+ /**
820
+ * Valid value range (e.g., `"[0, 100]"`).
821
+ */
822
+ range?: (string | null)
823
+ /**
824
+ * How to read the value (e.g., `"lower is better"`).
825
+ */
826
+ interpretation?: (string | null)
827
+ }
828
+ /**
829
+ * Single-rule definition inside [`Meta::rules`].
830
+ */
831
+ export interface MetaRule {
832
+ /**
833
+ * Human-readable rule name.
834
+ */
835
+ name?: (string | null)
836
+ /**
837
+ * What this rule detects.
838
+ */
839
+ description?: (string | null)
840
+ /**
841
+ * URL to the rule documentation.
842
+ */
843
+ docs?: (string | null)
844
+ }
713
845
  /**
714
846
  * Envelope emitted by `fallow dead-code --format json` (plus the `check`
715
847
  * block inside the combined and audit envelopes).
@@ -837,6 +969,25 @@ re_export_cycles?: ReExportCycleFinding[]
837
969
  * array natively.
838
970
  */
839
971
  boundary_violations?: BoundaryViolationFinding[]
972
+ /**
973
+ * Files that matched no architecture boundary zone while
974
+ * `boundaries.coverage.requireAllFiles` was enabled.
975
+ */
976
+ boundary_coverage_violations?: BoundaryCoverageViolationFinding[]
977
+ /**
978
+ * Calls from zoned files to callees forbidden for that zone via
979
+ * `boundaries.calls.forbidden`. Wrapped in
980
+ * [`BoundaryCallViolationFinding`] so each entry carries a typed
981
+ * `actions` array natively.
982
+ */
983
+ boundary_call_violations?: BoundaryCallViolationFinding[]
984
+ /**
985
+ * Banned calls and banned imports matched by declarative rule packs
986
+ * (`rulePacks` config). Wrapped in [`PolicyViolationFinding`] so each
987
+ * entry carries a typed `actions` array natively. Each finding carries
988
+ * its effective per-rule severity.
989
+ */
990
+ policy_violations?: PolicyViolationFinding[]
840
991
  /**
841
992
  * Suppression comments or JSDoc tags that no longer match any issue.
842
993
  */
@@ -885,6 +1036,15 @@ baseline?: (BaselineMatch | null)
885
1036
  regression?: (RegressionResult | null)
886
1037
  _meta?: (Meta | null)
887
1038
  workspace_diagnostics?: WorkspaceDiagnostic[]
1039
+ /**
1040
+ * Read-only follow-up commands computed from this run's findings, emitted
1041
+ * at the JSON root so an agent acting on the output is pointed at fallow's
1042
+ * adjacent verification capabilities (trace, complexity breakdown, audit,
1043
+ * workspace scoping). Each command is runnable as-is and never mutating;
1044
+ * see [`NextStep`] for both contracts. Omitted when empty or when
1045
+ * `FALLOW_SUGGESTIONS=off`; does NOT contribute to `total_issues`.
1046
+ */
1047
+ next_steps?: NextStep[]
888
1048
  }
889
1049
  /**
890
1050
  * Entry-point detection summary embedded in `CheckOutput` and the combined
@@ -979,6 +1139,18 @@ re_export_cycles?: number
979
1139
  * Imports that cross architecture boundary rules.
980
1140
  */
981
1141
  boundary_violations: number
1142
+ /**
1143
+ * Files that match no architecture boundary zone.
1144
+ */
1145
+ boundary_coverage_violations?: number
1146
+ /**
1147
+ * Calls from zoned files to callees forbidden for that zone.
1148
+ */
1149
+ boundary_call_violations?: number
1150
+ /**
1151
+ * Banned calls and banned imports matched by declarative rule packs.
1152
+ */
1153
+ policy_violations?: number
982
1154
  /**
983
1155
  * Suppression comments that no longer match a finding.
984
1156
  */
@@ -1666,7 +1838,7 @@ introduced?: (AuditIntroduced | null)
1666
1838
  */
1667
1839
  export interface TestOnlyDependencyFinding {
1668
1840
  /**
1669
- * Production dependency that is only imported by test files consider
1841
+ * Production dependency that is only imported by test files , consider
1670
1842
  * moving to devDependencies.
1671
1843
  */
1672
1844
  package_name: string
@@ -1837,6 +2009,124 @@ actions: IssueAction[]
1837
2009
  */
1838
2010
  introduced?: (AuditIntroduced | null)
1839
2011
  }
2012
+ /**
2013
+ * Wire-shape envelope for a [`BoundaryCoverageViolation`] finding. Carries
2014
+ * actions for assigning the file to a zone or explicitly allowing it to stay
2015
+ * unmatched.
2016
+ */
2017
+ export interface BoundaryCoverageViolationFinding {
2018
+ /**
2019
+ * The unmatched source file.
2020
+ */
2021
+ path: string
2022
+ /**
2023
+ * 1-based line number used for diagnostics.
2024
+ */
2025
+ line: number
2026
+ /**
2027
+ * 0-based byte column offset used for diagnostics.
2028
+ */
2029
+ col: number
2030
+ /**
2031
+ * Suggested next steps.
2032
+ */
2033
+ actions: IssueAction[]
2034
+ /**
2035
+ * Set by the audit pass when this finding is introduced relative to
2036
+ * the merge-base.
2037
+ */
2038
+ introduced?: (AuditIntroduced | null)
2039
+ }
2040
+ /**
2041
+ * Wire-shape envelope for a [`BoundaryCallViolation`] finding. Carries
2042
+ * actions for refactoring the forbidden call out of the zone or suppressing
2043
+ * it with the shared `boundary-violation` token.
2044
+ */
2045
+ export interface BoundaryCallViolationFinding {
2046
+ /**
2047
+ * The zoned source file making the forbidden call.
2048
+ */
2049
+ path: string
2050
+ /**
2051
+ * 1-based line number of the call site.
2052
+ */
2053
+ line: number
2054
+ /**
2055
+ * 0-based byte column offset of the call site.
2056
+ */
2057
+ col: number
2058
+ /**
2059
+ * The zone the calling file is classified into.
2060
+ */
2061
+ zone: string
2062
+ /**
2063
+ * The callee path as written at the call site (e.g. `cp.exec`).
2064
+ */
2065
+ callee: string
2066
+ /**
2067
+ * The configured pattern that matched (e.g. `child_process.*`), so
2068
+ * consumers can see both the written path and the rule that fired.
2069
+ */
2070
+ pattern: string
2071
+ /**
2072
+ * Suggested next steps.
2073
+ */
2074
+ actions: IssueAction[]
2075
+ /**
2076
+ * Set by the audit pass when this finding is introduced relative to
2077
+ * the merge-base.
2078
+ */
2079
+ introduced?: (AuditIntroduced | null)
2080
+ }
2081
+ /**
2082
+ * Wire-shape envelope for a [`PolicyViolation`] finding. Carries actions for
2083
+ * replacing the banned call or import, or suppressing it with the
2084
+ * `policy-violation` token.
2085
+ */
2086
+ export interface PolicyViolationFinding {
2087
+ /**
2088
+ * The source file containing the banned call or import.
2089
+ */
2090
+ path: string
2091
+ /**
2092
+ * 1-based line number of the call site or import declaration.
2093
+ */
2094
+ line: number
2095
+ /**
2096
+ * 0-based byte column offset of the call site or import declaration.
2097
+ */
2098
+ col: number
2099
+ /**
2100
+ * Name of the rule pack that declared the matching rule.
2101
+ */
2102
+ pack: string
2103
+ /**
2104
+ * Id of the matching rule inside the pack. `pack` plus `rule_id` is the
2105
+ * finding's policy identity.
2106
+ */
2107
+ rule_id: string
2108
+ kind: PolicyRuleKind
2109
+ /**
2110
+ * What matched: the written callee path for `banned-call` (e.g.
2111
+ * `cp.exec`), or the raw import specifier for `banned-import` (e.g.
2112
+ * `moment/locale/nl`).
2113
+ */
2114
+ matched: string
2115
+ severity: PolicyViolationSeverity
2116
+ /**
2117
+ * The rule's author-provided message, when set.
2118
+ */
2119
+ message?: (string | null)
2120
+ /**
2121
+ * Suggested next steps.
2122
+ */
2123
+ actions: IssueAction[]
2124
+ /**
2125
+ * Set by the audit pass when this finding is introduced relative to
2126
+ * the merge-base.
2127
+ */
2128
+ introduced?: (AuditIntroduced | null)
2129
+ }
1840
2130
  /**
1841
2131
  * A suppression comment or JSDoc tag that no longer matches any issue.
1842
2132
  */
@@ -2171,71 +2461,51 @@ exceeded: boolean
2171
2461
  reason?: (string | null)
2172
2462
  }
2173
2463
  /**
2174
- * Metric and rule definitions emitted under `_meta` when `--explain` is
2175
- * passed (always present in MCP responses). Helps AI agents and CI systems
2176
- * interpret metric values without re-reading the docs site.
2177
- */
2178
- export interface Meta {
2179
- /**
2180
- * URL to the documentation page for this command.
2181
- */
2182
- docs?: (string | null)
2183
- /**
2184
- * Per-field definitions for envelope fields and action payload fields.
2185
- */
2186
- field_definitions?: {
2187
- [k: string]: string
2188
- }
2189
- /**
2190
- * Per-metric definitions: name, description, range, interpretation.
2191
- */
2192
- metrics?: {
2193
- [k: string]: MetaMetric
2194
- }
2195
- /**
2196
- * Per-rule definitions for check command output.
2197
- */
2198
- rules?: {
2199
- [k: string]: MetaRule
2200
- }
2201
- }
2202
- /**
2203
- * Single-metric definition inside [`Meta::metrics`].
2204
- */
2205
- export interface MetaMetric {
2206
- /**
2207
- * Human-readable metric name.
2208
- */
2209
- name?: (string | null)
2210
- /**
2211
- * What this metric measures and how it is computed.
2212
- */
2213
- description?: (string | null)
2214
- /**
2215
- * Valid value range (e.g., `"[0, 100]"`).
2216
- */
2217
- range?: (string | null)
2218
- /**
2219
- * How to read the value (e.g., `"lower is better"`).
2220
- */
2221
- interpretation?: (string | null)
2222
- }
2223
- /**
2224
- * Single-rule definition inside [`Meta::rules`].
2464
+ * A read-only follow-up command fallow surfaces from the current findings,
2465
+ * emitted as the top-level `next_steps` array on each command's JSON envelope.
2466
+ *
2467
+ * `next_steps` exists to point agents and humans sideways to fallow's adjacent
2468
+ * verification capabilities (trace, complexity breakdown, audit, workspace
2469
+ * scoping) that telemetry shows agents rarely discover, because they act on the
2470
+ * output in front of them rather than on reference docs.
2471
+ *
2472
+ * ## Two hard contracts
2473
+ *
2474
+ * 1. **Read-only.** A `next_step` NEVER suggests `fallow fix` or any mutating
2475
+ * command. Fallow surfaces evidence and verification paths; deciding and
2476
+ * applying the remediation is the agent's job.
2477
+ * 2. **Runnable, placeholder-free.** `command` is always runnable as-is. It
2478
+ * never contains an angle-bracket placeholder (`<...>`); finding-derived
2479
+ * values are filled in from a real, deterministically-selected finding, and
2480
+ * any environment- or user-specific value that cannot be made concrete lives
2481
+ * in `reason` instead. An agent can copy `command` and run it without edits.
2482
+ *
2483
+ * Both contracts are enforced by unit tests in
2484
+ * `crates/cli/src/report/suggestions.rs`.
2485
+ *
2486
+ * Note: a SEPARATE, unrelated `next_steps` field exists on the
2487
+ * `coverage setup` envelope (`CoverageSetupOutput.next_steps`) as a plain
2488
+ * `Vec<String>` of human onboarding steps. Consumers that read multiple
2489
+ * envelope kinds must route on the envelope's `kind` before interpreting a
2490
+ * `next_steps` field: on analysis envelopes it is `Vec<NextStep>` objects, on
2491
+ * `coverage setup` it is `Vec<String>`.
2225
2492
  */
2226
- export interface MetaRule {
2493
+ export interface NextStep {
2227
2494
  /**
2228
- * Human-readable rule name.
2495
+ * Stable kebab-case key for machine dispatch and de-duplication
2496
+ * (for example `"trace-unused-export"`). Identity is stable across runs;
2497
+ * the `command` and `reason` strings may vary with the findings.
2229
2498
  */
2230
- name?: (string | null)
2499
+ id: string
2231
2500
  /**
2232
- * What this rule detects.
2501
+ * A runnable, read-only command string. Placeholder-free by contract.
2233
2502
  */
2234
- description?: (string | null)
2503
+ command: string
2235
2504
  /**
2236
- * URL to the rule documentation.
2505
+ * One short phrase explaining why this helps. Carries any value that
2506
+ * cannot be made concrete in `command`.
2237
2507
  */
2238
- docs?: (string | null)
2508
+ reason: string
2239
2509
  }
2240
2510
  /**
2241
2511
  * Wire-shape payload for `fallow dupes --format json` (the body that
@@ -2777,7 +3047,7 @@ severity_high_count: number
2777
3047
  severity_moderate_count: number
2778
3048
  }
2779
3049
  /**
2780
- * Project-wide vital signs a fixed set of metrics for trend tracking.
3050
+ * Project-wide vital signs , a fixed set of metrics for trend tracking.
2781
3051
  *
2782
3052
  * Metrics are `Option` when the data source was not available in the current run
2783
3053
  * (e.g., `duplication_pct` is `None` unless the duplication pipeline was run,
@@ -3318,7 +3588,7 @@ coverage_percent: number
3318
3588
  trace_count: number
3319
3589
  /**
3320
3590
  * Days of observation covered by the supplied dump (Phase 2 local analysis
3321
- * emits 0 set by the beacon/cloud in Phase 3+).
3591
+ * emits 0 , set by the beacon/cloud in Phase 3+).
3322
3592
  */
3323
3593
  period_days: number
3324
3594
  /**
@@ -3780,6 +4050,14 @@ complex_functions?: EvidenceFunction[]
3780
4050
  * Files forming the import cycle (populated for `BreakCircularDependency` targets).
3781
4051
  */
3782
4052
  cycle_path?: string[]
4053
+ /**
4054
+ * Files that directly import this target, with imported and local symbols.
4055
+ */
4056
+ direct_callers?: DirectCallerEvidence[]
4057
+ /**
4058
+ * Other duplicate-code instances that share a clone group with this target.
4059
+ */
4060
+ clone_siblings?: CloneSiblingEvidence[]
3783
4061
  }
3784
4062
  /**
3785
4063
  * A function referenced in target evidence.
@@ -3798,6 +4076,57 @@ line: number
3798
4076
  */
3799
4077
  cognitive: number
3800
4078
  }
4079
+ /**
4080
+ * A direct importer referenced in target evidence.
4081
+ */
4082
+ export interface DirectCallerEvidence {
4083
+ /**
4084
+ * File that directly imports the target.
4085
+ */
4086
+ path: string
4087
+ /**
4088
+ * Symbols imported from the target by this file.
4089
+ */
4090
+ symbols?: DirectCallerSymbolEvidence[]
4091
+ }
4092
+ /**
4093
+ * Symbol details for a direct importer.
4094
+ */
4095
+ export interface DirectCallerSymbolEvidence {
4096
+ /**
4097
+ * Imported binding name.
4098
+ */
4099
+ imported: string
4100
+ /**
4101
+ * Local binding name in the importing file.
4102
+ */
4103
+ local: string
4104
+ /**
4105
+ * Whether the import is type-only.
4106
+ */
4107
+ type_only: boolean
4108
+ }
4109
+ /**
4110
+ * A duplicate-code sibling referenced in target evidence.
4111
+ */
4112
+ export interface CloneSiblingEvidence {
4113
+ /**
4114
+ * File containing the sibling clone instance.
4115
+ */
4116
+ path: string
4117
+ /**
4118
+ * 1-based start line of the sibling clone.
4119
+ */
4120
+ start_line: number
4121
+ /**
4122
+ * 1-based end line of the sibling clone.
4123
+ */
4124
+ end_line: number
4125
+ /**
4126
+ * Stable duplicate-group handle, matching `dupes --trace dup:<id>`.
4127
+ */
4128
+ fingerprint: string
4129
+ }
3801
4130
  /**
3802
4131
  * Suggested action attached to a [`RefactoringTarget`].
3803
4132
  *
@@ -4355,6 +4684,11 @@ grouped_by?: (GroupByMode | null)
4355
4684
  groups?: (HealthGroup[] | null)
4356
4685
  _meta?: (Meta | null)
4357
4686
  workspace_diagnostics?: WorkspaceDiagnostic[]
4687
+ /**
4688
+ * Read-only follow-up commands computed from this run's findings. See
4689
+ * [`CheckOutput::next_steps`] for the contract.
4690
+ */
4691
+ next_steps?: NextStep[]
4358
4692
  }
4359
4693
  /**
4360
4694
  * A health report scoped to a single group.
@@ -4498,6 +4832,11 @@ _meta?: (Meta | null)
4498
4832
  * a separate top-level field.
4499
4833
  */
4500
4834
  workspace_diagnostics?: WorkspaceDiagnostic[]
4835
+ /**
4836
+ * Read-only follow-up commands computed from this run's findings. See
4837
+ * [`CheckOutput::next_steps`] for the contract.
4838
+ */
4839
+ next_steps?: NextStep[]
4501
4840
  }
4502
4841
  /**
4503
4842
  * A single grouped duplication bucket. Per-group `stats` are dedup-aware and
@@ -4612,6 +4951,11 @@ grouped_by: GroupByMode
4612
4951
  total_issues: number
4613
4952
  groups: CheckGroupedEntry[]
4614
4953
  _meta?: (Meta | null)
4954
+ /**
4955
+ * Read-only follow-up commands computed from the full (ungrouped) findings.
4956
+ * See [`CheckOutput::next_steps`] for the contract.
4957
+ */
4958
+ next_steps?: NextStep[]
4615
4959
  }
4616
4960
  /**
4617
4961
  * Single resolver bucket inside `CheckGroupedOutput`. Carries the group's
@@ -4731,6 +5075,25 @@ re_export_cycles?: ReExportCycleFinding[]
4731
5075
  * array natively.
4732
5076
  */
4733
5077
  boundary_violations?: BoundaryViolationFinding[]
5078
+ /**
5079
+ * Files that matched no architecture boundary zone while
5080
+ * `boundaries.coverage.requireAllFiles` was enabled.
5081
+ */
5082
+ boundary_coverage_violations?: BoundaryCoverageViolationFinding[]
5083
+ /**
5084
+ * Calls from zoned files to callees forbidden for that zone via
5085
+ * `boundaries.calls.forbidden`. Wrapped in
5086
+ * [`BoundaryCallViolationFinding`] so each entry carries a typed
5087
+ * `actions` array natively.
5088
+ */
5089
+ boundary_call_violations?: BoundaryCallViolationFinding[]
5090
+ /**
5091
+ * Banned calls and banned imports matched by declarative rule packs
5092
+ * (`rulePacks` config). Wrapped in [`PolicyViolationFinding`] so each
5093
+ * entry carries a typed `actions` array natively. Each finding carries
5094
+ * its effective per-rule severity.
5095
+ */
5096
+ policy_violations?: PolicyViolationFinding[]
4734
5097
  /**
4735
5098
  * Suppression comments or JSDoc tags that no longer match any issue.
4736
5099
  */
@@ -4782,6 +5145,7 @@ export interface ImpactReport {
4782
5145
  schema_version: ImpactReportSchemaVersion
4783
5146
  enabled: boolean
4784
5147
  record_count: number
5148
+ _meta?: (Meta | null)
4785
5149
  first_recorded?: (string | null)
4786
5150
  /**
4787
5151
  * Git SHA of the most recent recorded run, so a consumer can tell which
@@ -4883,6 +5247,13 @@ timestamp: string
4883
5247
  */
4884
5248
  export interface SecurityOutput {
4885
5249
  schema_version: SecuritySchemaVersion
5250
+ version: ToolVersion
5251
+ elapsed_ms: ElapsedMs
5252
+ config: SecurityOutputConfig
5253
+ /**
5254
+ * Security-specific rule and field metadata, emitted with `--explain`.
5255
+ */
5256
+ _meta?: (Meta | null)
4886
5257
  /**
4887
5258
  * Gate verdict, present only when `--gate <mode>` was set (issue #886).
4888
5259
  * Emitted on pass too (`verdict: "pass"`, `new_count: 0`) so consumers
@@ -4912,6 +5283,34 @@ unresolved_edge_files: number
4912
5283
  * here is NOT a clean bill.
4913
5284
  */
4914
5285
  unresolved_callee_sites: number
5286
+ /**
5287
+ * Bounded diagnostics for unresolved callee blind spots.
5288
+ */
5289
+ unresolved_callee_diagnostics?: (SecurityUnresolvedCalleeDiagnostics | null)
5290
+ }
5291
+ /**
5292
+ * Allowlisted config context for `fallow security --format json`.
5293
+ */
5294
+ export interface SecurityOutputConfig {
5295
+ rules: SecurityOutputRulesConfig
5296
+ /**
5297
+ * `security.categories.include` from config. `null` means unset, `[]`
5298
+ * means explicitly empty.
5299
+ */
5300
+ categories_include: (string[] | null)
5301
+ /**
5302
+ * `security.categories.exclude` from config. `null` means unset, `[]`
5303
+ * means explicitly empty.
5304
+ */
5305
+ categories_exclude: (string[] | null)
5306
+ }
5307
+ export interface SecurityOutputRulesConfig {
5308
+ security_client_server_leak: SecurityRuleSeverityConfig
5309
+ security_sink: SecurityRuleSeverityConfig
5310
+ }
5311
+ export interface SecurityRuleSeverityConfig {
5312
+ configured: Severity
5313
+ effective: Severity
4915
5314
  }
4916
5315
  /**
4917
5316
  * The `gate` block on `SecurityOutput`, present only when `--gate <mode>` ran.
@@ -4921,7 +5320,7 @@ export interface SecurityGate {
4921
5320
  mode: SecurityGateMode
4922
5321
  verdict: SecurityGateVerdict
4923
5322
  /**
4924
- * Number of candidates introduced in the changed lines.
5323
+ * Number of candidates matching the selected gate mode.
4925
5324
  */
4926
5325
  new_count: number
4927
5326
  }
@@ -5192,6 +5591,12 @@ cwe?: (number | null)
5192
5591
  * `None` for `client-server-leak` and matches that name no callee.
5193
5592
  */
5194
5593
  callee?: (string | null)
5594
+ /**
5595
+ * URL construction shape for SSRF and open-redirect style candidates when
5596
+ * fallow can classify whether the origin is fixed or dynamic. Absent for
5597
+ * non-URL sinks and unclassified URL expressions.
5598
+ */
5599
+ url_shape?: (SecurityUrlShape | null)
5195
5600
  }
5196
5601
  /**
5197
5602
  * The boundary slot of a [`SecurityCandidate`]: which structural boundaries the
@@ -5377,6 +5782,155 @@ col: number
5377
5782
  */
5378
5783
  callee: string
5379
5784
  }
5785
+ /**
5786
+ * Bounded unresolved-callee diagnostics for `fallow security --format json`.
5787
+ */
5788
+ export interface SecurityUnresolvedCalleeDiagnostics {
5789
+ /**
5790
+ * Deterministic sample rows, capped by `sample_limit`.
5791
+ */
5792
+ sampled: SecurityUnresolvedCalleeSample[]
5793
+ /**
5794
+ * Files with the most unresolved callees, capped by `top_files_limit`.
5795
+ */
5796
+ top_files: SecurityUnresolvedCalleeTopFile[]
5797
+ /**
5798
+ * Full count by unresolved-callee reason, sorted by count then reason.
5799
+ */
5800
+ by_reason: SecurityUnresolvedCalleeReasonCount[]
5801
+ /**
5802
+ * Maximum number of sample rows emitted.
5803
+ */
5804
+ sample_limit: number
5805
+ /**
5806
+ * Maximum number of top-file rows emitted.
5807
+ */
5808
+ top_files_limit: number
5809
+ }
5810
+ /**
5811
+ * One sampled unresolved-callee row.
5812
+ */
5813
+ export interface SecurityUnresolvedCalleeSample {
5814
+ /**
5815
+ * Project-relative source path.
5816
+ */
5817
+ path: string
5818
+ /**
5819
+ * 1-based source line.
5820
+ */
5821
+ line: number
5822
+ /**
5823
+ * 0-based byte column.
5824
+ */
5825
+ col: number
5826
+ reason: SkippedSecurityCalleeReason
5827
+ expression_kind: SkippedSecurityCalleeExpressionKind
5828
+ }
5829
+ /**
5830
+ * Count of unresolved callees in one file.
5831
+ */
5832
+ export interface SecurityUnresolvedCalleeTopFile {
5833
+ /**
5834
+ * Project-relative source path.
5835
+ */
5836
+ path: string
5837
+ /**
5838
+ * Number of unresolved callees in this file.
5839
+ */
5840
+ count: number
5841
+ }
5842
+ /**
5843
+ * Count of unresolved callees for one reason.
5844
+ */
5845
+ export interface SecurityUnresolvedCalleeReasonCount {
5846
+ reason: SkippedSecurityCalleeReason
5847
+ /**
5848
+ * Number of unresolved callees with this reason.
5849
+ */
5850
+ count: number
5851
+ }
5852
+ /**
5853
+ * Compact `fallow security --summary --format json` payload. Uses the same
5854
+ * `kind: "security"` discriminator as the full payload, but omits candidate
5855
+ * arrays and exposes only aggregate counts.
5856
+ */
5857
+ export interface SecuritySummaryOutput {
5858
+ schema_version: SecuritySchemaVersion
5859
+ version: ToolVersion
5860
+ elapsed_ms: ElapsedMs
5861
+ config: SecurityOutputConfig
5862
+ /**
5863
+ * Security-specific rule and field metadata, emitted with `--explain`.
5864
+ */
5865
+ _meta?: (Meta | null)
5866
+ /**
5867
+ * Gate verdict, present only when `--gate <mode>` was set.
5868
+ */
5869
+ gate?: (SecurityGate | null)
5870
+ summary: SecuritySummary
5871
+ }
5872
+ /**
5873
+ * Aggregate counts for `fallow security --summary --format json`.
5874
+ */
5875
+ export interface SecuritySummary {
5876
+ /**
5877
+ * Number of security candidates after all filters, gates, and scopes.
5878
+ */
5879
+ security_findings: number
5880
+ by_severity: SecuritySeverityCounts
5881
+ /**
5882
+ * Finding counts by catalogue category, or by kind for findings without a
5883
+ * catalogue category.
5884
+ */
5885
+ by_category: {
5886
+ [k: string]: number
5887
+ }
5888
+ by_reachability: SecurityReachabilityCounts
5889
+ by_runtime_state: SecurityRuntimeStateCounts
5890
+ /**
5891
+ * Number of client files whose dynamic imports could not be followed.
5892
+ */
5893
+ unresolved_edge_files: number
5894
+ /**
5895
+ * Number of sink-shaped callees that could not be statically flattened.
5896
+ */
5897
+ unresolved_callee_sites: number
5898
+ /**
5899
+ * Number of attack-surface entries included in the prepared full output.
5900
+ */
5901
+ attack_surface_entries: number
5902
+ }
5903
+ /**
5904
+ * Fixed severity counters for summary JSON.
5905
+ */
5906
+ export interface SecuritySeverityCounts {
5907
+ high: number
5908
+ medium: number
5909
+ low: number
5910
+ }
5911
+ /**
5912
+ * Fixed reachability counters for summary JSON.
5913
+ */
5914
+ export interface SecurityReachabilityCounts {
5915
+ entry_reachable: number
5916
+ untrusted_source_reachable: number
5917
+ arg_level: number
5918
+ module_level: number
5919
+ crosses_boundary: number
5920
+ source_backed: number
5921
+ }
5922
+ /**
5923
+ * Fixed runtime coverage counters for summary JSON.
5924
+ */
5925
+ export interface SecurityRuntimeStateCounts {
5926
+ runtime_hot: number
5927
+ runtime_cold: number
5928
+ never_executed: number
5929
+ low_traffic: number
5930
+ coverage_unavailable: number
5931
+ runtime_unknown: number
5932
+ not_collected: number
5933
+ }
5380
5934
  /**
5381
5935
  * Bare `fallow --format json` envelope.
5382
5936
  */
@@ -5388,11 +5942,17 @@ _meta?: (CombinedMeta | null)
5388
5942
  check?: (CheckOutput | null)
5389
5943
  dupes?: (DupesReportPayload | null)
5390
5944
  health?: (HealthReport | null)
5945
+ /**
5946
+ * Read-only follow-up commands aggregated across the combined run's
5947
+ * findings. See [`CheckOutput::next_steps`] for the contract.
5948
+ */
5949
+ next_steps?: NextStep[]
5391
5950
  }
5392
5951
  export interface CombinedMeta {
5393
5952
  check?: (Meta | null)
5394
5953
  dupes?: (Meta | null)
5395
5954
  health?: (Meta | null)
5955
+ telemetry?: (TelemetryMeta | null)
5396
5956
  }
5397
5957
  /**
5398
5958
  * Single CodeClimate-compatible issue inside [`CodeClimateOutput`].