fallow 2.92.1 → 2.94.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +9 -9
- package/schema.json +18 -0
- package/skills/fallow/SKILL.md +224 -140
- package/skills/fallow/references/cli-reference.md +271 -214
- package/skills/fallow/references/node-bindings.md +21 -0
- package/skills/fallow/references/patterns.md +4 -4
- package/types/output-contract.d.ts +93 -0
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# Node.js Bindings
|
|
2
|
+
|
|
3
|
+
When embedding fallow inside a Node.js process (editor extensions, long-running servers, custom tooling), prefer the NAPI bindings over spawning the CLI. Same analysis engine, same JSON envelopes, no subprocess or JSON parsing overhead.
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
npm install @fallow-cli/fallow-node
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
```ts
|
|
10
|
+
import { detectDeadCode, detectDuplication, computeHealth } from '@fallow-cli/fallow-node';
|
|
11
|
+
|
|
12
|
+
const deadCode = await detectDeadCode({ root: process.cwd(), explain: true });
|
|
13
|
+
const dupes = await detectDuplication({ root: process.cwd(), mode: 'mild', minTokens: 30 });
|
|
14
|
+
const health = await computeHealth({ root: process.cwd(), score: true, ownershipEmails: 'handle' });
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
Six async functions: `detectDeadCode`, `detectCircularDependencies`, `detectBoundaryViolations`, `detectDuplication`, `computeComplexity`, `computeHealth`. Each returns the same JSON envelope the CLI emits for `--format json`. Rejected promises throw a `FallowNodeError` with `message`, `exitCode`, and optional `code`, `help`, `context` fields that mirror the CLI's structured error surface.
|
|
18
|
+
|
|
19
|
+
Enum-like fields take lowercase CLI-style literals (`"mild"`, `"cyclomatic"`, `"handle"`, `"low"`). Write-path commands (`fix`, `init`, `hooks install`, `hooks uninstall`, `license activate`, `coverage setup`) are not exposed; use the CLI for those.
|
|
20
|
+
|
|
21
|
+
See <https://docs.fallow.tools/integrations/node-bindings> for the full field reference.
|
|
@@ -723,7 +723,7 @@ Use this when Claude Code is allowed to run Git commands in a repository that al
|
|
|
723
723
|
The pattern is a local agent gate, not a Git hook. Claude Code intercepts its own `Bash` tool calls before execution. When Claude tries `git commit` or `git push`, the hook runs:
|
|
724
724
|
|
|
725
725
|
```bash
|
|
726
|
-
fallow audit --format json --quiet --explain
|
|
726
|
+
fallow audit --format json --quiet --explain --gate-marker agent
|
|
727
727
|
```
|
|
728
728
|
|
|
729
729
|
Behavior:
|
|
@@ -777,14 +777,14 @@ Prefer `fallow hooks install --target agent` to install this file. The script is
|
|
|
777
777
|
Behavior you can rely on:
|
|
778
778
|
- Runs only when the intercepted command matches `git commit` or `git push`; otherwise exits 0.
|
|
779
779
|
- Resolves `fallow` from PATH first, then `npx --no-install fallow` as a fallback. Skips with a stderr notice if neither is available or if `jq` is missing.
|
|
780
|
-
- Enforces a version floor via `FALLOW_GATE_MIN_VERSION` (default `2.
|
|
781
|
-
- Runs `fallow audit --format json --quiet --explain` and, on verdict=`fail`, writes the full JSON envelope to stderr preceded by `fallow-gate: blocked by fallow <version> at <binary>` so the responsible binary is always identifiable.
|
|
780
|
+
- Enforces a version floor via `FALLOW_GATE_MIN_VERSION` (default `2.85.0`). Binaries below the floor are blocked with an upgrade hint. Set the env var to the empty string to disable the check.
|
|
781
|
+
- Runs `fallow audit --format json --quiet --explain --gate-marker agent` and, on verdict=`fail`, writes the full JSON envelope to stderr preceded by `fallow-gate: blocked by fallow <version> at <binary>` so the responsible binary is always identifiable. The gate marker lets local Impact record blocked-then-cleared agent gate events when Impact is enabled.
|
|
782
782
|
- On runtime error (`{"error": true, ...}`) or unexpected non-zero exit, fails open with a one-line stderr notice; warn verdicts pass through silently.
|
|
783
783
|
|
|
784
784
|
Codex fallback (add to repo root `AGENTS.md`):
|
|
785
785
|
|
|
786
786
|
```md
|
|
787
|
-
Before any `git commit` or `git push`, run `fallow audit --format json --quiet --explain`. If the verdict is `fail`, fix the reported findings before retrying. Treat JSON runtime errors like `{ "error": true, ... }` as non-blocking.
|
|
787
|
+
Before any `git commit` or `git push`, run `fallow audit --format json --quiet --explain --gate-marker agent`. If the verdict is `fail`, fix the reported findings before retrying. Treat JSON runtime errors like `{ "error": true, ... }` as non-blocking.
|
|
788
788
|
```
|
|
789
789
|
|
|
790
790
|
Keep `fallow audit` in CI alongside this local gate. The hook only runs for Claude Code, not for human pushes or other agents, so it is a reinforcement layer rather than a replacement for server-side enforcement.
|
|
@@ -732,6 +732,11 @@ _meta?: (Meta | null)
|
|
|
732
732
|
dead_code?: (CheckOutput | null)
|
|
733
733
|
duplication?: (DupesReportPayload | null)
|
|
734
734
|
complexity?: (HealthReport | null)
|
|
735
|
+
/**
|
|
736
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
737
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
738
|
+
*/
|
|
739
|
+
next_steps?: NextStep[]
|
|
735
740
|
}
|
|
736
741
|
/**
|
|
737
742
|
* Per-category summary counts for the audit result.
|
|
@@ -1031,6 +1036,15 @@ baseline?: (BaselineMatch | null)
|
|
|
1031
1036
|
regression?: (RegressionResult | null)
|
|
1032
1037
|
_meta?: (Meta | null)
|
|
1033
1038
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
1039
|
+
/**
|
|
1040
|
+
* Read-only follow-up commands computed from this run's findings, emitted
|
|
1041
|
+
* at the JSON root so an agent acting on the output is pointed at fallow's
|
|
1042
|
+
* adjacent verification capabilities (trace, complexity breakdown, audit,
|
|
1043
|
+
* workspace scoping). Each command is runnable as-is and never mutating;
|
|
1044
|
+
* see [`NextStep`] for both contracts. Omitted when empty or when
|
|
1045
|
+
* `FALLOW_SUGGESTIONS=off`; does NOT contribute to `total_issues`.
|
|
1046
|
+
*/
|
|
1047
|
+
next_steps?: NextStep[]
|
|
1034
1048
|
}
|
|
1035
1049
|
/**
|
|
1036
1050
|
* Entry-point detection summary embedded in `CheckOutput` and the combined
|
|
@@ -2446,6 +2460,53 @@ exceeded: boolean
|
|
|
2446
2460
|
*/
|
|
2447
2461
|
reason?: (string | null)
|
|
2448
2462
|
}
|
|
2463
|
+
/**
|
|
2464
|
+
* A read-only follow-up command fallow surfaces from the current findings,
|
|
2465
|
+
* emitted as the top-level `next_steps` array on each command's JSON envelope.
|
|
2466
|
+
*
|
|
2467
|
+
* `next_steps` exists to point agents and humans sideways to fallow's adjacent
|
|
2468
|
+
* verification capabilities (trace, complexity breakdown, audit, workspace
|
|
2469
|
+
* scoping) that telemetry shows agents rarely discover, because they act on the
|
|
2470
|
+
* output in front of them rather than on reference docs.
|
|
2471
|
+
*
|
|
2472
|
+
* ## Two hard contracts
|
|
2473
|
+
*
|
|
2474
|
+
* 1. **Read-only.** A `next_step` NEVER suggests `fallow fix` or any mutating
|
|
2475
|
+
* command. Fallow surfaces evidence and verification paths; deciding and
|
|
2476
|
+
* applying the remediation is the agent's job.
|
|
2477
|
+
* 2. **Runnable, placeholder-free.** `command` is always runnable as-is. It
|
|
2478
|
+
* never contains an angle-bracket placeholder (`<...>`); finding-derived
|
|
2479
|
+
* values are filled in from a real, deterministically-selected finding, and
|
|
2480
|
+
* any environment- or user-specific value that cannot be made concrete lives
|
|
2481
|
+
* in `reason` instead. An agent can copy `command` and run it without edits.
|
|
2482
|
+
*
|
|
2483
|
+
* Both contracts are enforced by unit tests in
|
|
2484
|
+
* `crates/cli/src/report/suggestions.rs`.
|
|
2485
|
+
*
|
|
2486
|
+
* Note: a SEPARATE, unrelated `next_steps` field exists on the
|
|
2487
|
+
* `coverage setup` envelope (`CoverageSetupOutput.next_steps`) as a plain
|
|
2488
|
+
* `Vec<String>` of human onboarding steps. Consumers that read multiple
|
|
2489
|
+
* envelope kinds must route on the envelope's `kind` before interpreting a
|
|
2490
|
+
* `next_steps` field: on analysis envelopes it is `Vec<NextStep>` objects, on
|
|
2491
|
+
* `coverage setup` it is `Vec<String>`.
|
|
2492
|
+
*/
|
|
2493
|
+
export interface NextStep {
|
|
2494
|
+
/**
|
|
2495
|
+
* Stable kebab-case key for machine dispatch and de-duplication
|
|
2496
|
+
* (for example `"trace-unused-export"`). Identity is stable across runs;
|
|
2497
|
+
* the `command` and `reason` strings may vary with the findings.
|
|
2498
|
+
*/
|
|
2499
|
+
id: string
|
|
2500
|
+
/**
|
|
2501
|
+
* A runnable, read-only command string. Placeholder-free by contract.
|
|
2502
|
+
*/
|
|
2503
|
+
command: string
|
|
2504
|
+
/**
|
|
2505
|
+
* One short phrase explaining why this helps. Carries any value that
|
|
2506
|
+
* cannot be made concrete in `command`.
|
|
2507
|
+
*/
|
|
2508
|
+
reason: string
|
|
2509
|
+
}
|
|
2449
2510
|
/**
|
|
2450
2511
|
* Wire-shape payload for `fallow dupes --format json` (the body that
|
|
2451
2512
|
* flattens into [`crate::output_envelope::DupesOutput`] and is also
|
|
@@ -4623,6 +4684,11 @@ grouped_by?: (GroupByMode | null)
|
|
|
4623
4684
|
groups?: (HealthGroup[] | null)
|
|
4624
4685
|
_meta?: (Meta | null)
|
|
4625
4686
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
4687
|
+
/**
|
|
4688
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
4689
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
4690
|
+
*/
|
|
4691
|
+
next_steps?: NextStep[]
|
|
4626
4692
|
}
|
|
4627
4693
|
/**
|
|
4628
4694
|
* A health report scoped to a single group.
|
|
@@ -4766,6 +4832,11 @@ _meta?: (Meta | null)
|
|
|
4766
4832
|
* a separate top-level field.
|
|
4767
4833
|
*/
|
|
4768
4834
|
workspace_diagnostics?: WorkspaceDiagnostic[]
|
|
4835
|
+
/**
|
|
4836
|
+
* Read-only follow-up commands computed from this run's findings. See
|
|
4837
|
+
* [`CheckOutput::next_steps`] for the contract.
|
|
4838
|
+
*/
|
|
4839
|
+
next_steps?: NextStep[]
|
|
4769
4840
|
}
|
|
4770
4841
|
/**
|
|
4771
4842
|
* A single grouped duplication bucket. Per-group `stats` are dedup-aware and
|
|
@@ -4880,6 +4951,11 @@ grouped_by: GroupByMode
|
|
|
4880
4951
|
total_issues: number
|
|
4881
4952
|
groups: CheckGroupedEntry[]
|
|
4882
4953
|
_meta?: (Meta | null)
|
|
4954
|
+
/**
|
|
4955
|
+
* Read-only follow-up commands computed from the full (ungrouped) findings.
|
|
4956
|
+
* See [`CheckOutput::next_steps`] for the contract.
|
|
4957
|
+
*/
|
|
4958
|
+
next_steps?: NextStep[]
|
|
4883
4959
|
}
|
|
4884
4960
|
/**
|
|
4885
4961
|
* Single resolver bucket inside `CheckGroupedOutput`. Carries the group's
|
|
@@ -5129,6 +5205,18 @@ recent_resolved: ResolutionEvent[]
|
|
|
5129
5205
|
* "resolution tracking starts from your next run" instead of a bare zero.
|
|
5130
5206
|
*/
|
|
5131
5207
|
attribution_active: boolean
|
|
5208
|
+
/**
|
|
5209
|
+
* Whether the local agent onboarding prompt has been explicitly declined.
|
|
5210
|
+
* Stored under `.fallow/` so agents can avoid cross-session nags.
|
|
5211
|
+
*/
|
|
5212
|
+
onboarding_declined: boolean
|
|
5213
|
+
/**
|
|
5214
|
+
* Whether the user ever made an explicit enable/disable decision for
|
|
5215
|
+
* Impact tracking. `enabled: false` with `explicit_decision: false` means
|
|
5216
|
+
* "never asked"; with `true` it means "asked and declined". Agents use
|
|
5217
|
+
* this to offer the impact opt-in exactly once per project.
|
|
5218
|
+
*/
|
|
5219
|
+
explicit_decision: boolean
|
|
5132
5220
|
}
|
|
5133
5221
|
/**
|
|
5134
5222
|
* Per-category issue counts captured at a recorded run.
|
|
@@ -5866,6 +5954,11 @@ _meta?: (CombinedMeta | null)
|
|
|
5866
5954
|
check?: (CheckOutput | null)
|
|
5867
5955
|
dupes?: (DupesReportPayload | null)
|
|
5868
5956
|
health?: (HealthReport | null)
|
|
5957
|
+
/**
|
|
5958
|
+
* Read-only follow-up commands aggregated across the combined run's
|
|
5959
|
+
* findings. See [`CheckOutput::next_steps`] for the contract.
|
|
5960
|
+
*/
|
|
5961
|
+
next_steps?: NextStep[]
|
|
5869
5962
|
}
|
|
5870
5963
|
export interface CombinedMeta {
|
|
5871
5964
|
check?: (Meta | null)
|