fallow 2.92.1 → 2.94.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,21 @@
1
+ # Node.js Bindings
2
+
3
+ When embedding fallow inside a Node.js process (editor extensions, long-running servers, custom tooling), prefer the NAPI bindings over spawning the CLI. Same analysis engine, same JSON envelopes, no subprocess or JSON parsing overhead.
4
+
5
+ ```bash
6
+ npm install @fallow-cli/fallow-node
7
+ ```
8
+
9
+ ```ts
10
+ import { detectDeadCode, detectDuplication, computeHealth } from '@fallow-cli/fallow-node';
11
+
12
+ const deadCode = await detectDeadCode({ root: process.cwd(), explain: true });
13
+ const dupes = await detectDuplication({ root: process.cwd(), mode: 'mild', minTokens: 30 });
14
+ const health = await computeHealth({ root: process.cwd(), score: true, ownershipEmails: 'handle' });
15
+ ```
16
+
17
+ Six async functions: `detectDeadCode`, `detectCircularDependencies`, `detectBoundaryViolations`, `detectDuplication`, `computeComplexity`, `computeHealth`. Each returns the same JSON envelope the CLI emits for `--format json`. Rejected promises throw a `FallowNodeError` with `message`, `exitCode`, and optional `code`, `help`, `context` fields that mirror the CLI's structured error surface.
18
+
19
+ Enum-like fields take lowercase CLI-style literals (`"mild"`, `"cyclomatic"`, `"handle"`, `"low"`). Write-path commands (`fix`, `init`, `hooks install`, `hooks uninstall`, `license activate`, `coverage setup`) are not exposed; use the CLI for those.
20
+
21
+ See <https://docs.fallow.tools/integrations/node-bindings> for the full field reference.
@@ -723,7 +723,7 @@ Use this when Claude Code is allowed to run Git commands in a repository that al
723
723
  The pattern is a local agent gate, not a Git hook. Claude Code intercepts its own `Bash` tool calls before execution. When Claude tries `git commit` or `git push`, the hook runs:
724
724
 
725
725
  ```bash
726
- fallow audit --format json --quiet --explain
726
+ fallow audit --format json --quiet --explain --gate-marker agent
727
727
  ```
728
728
 
729
729
  Behavior:
@@ -777,14 +777,14 @@ Prefer `fallow hooks install --target agent` to install this file. The script is
777
777
  Behavior you can rely on:
778
778
  - Runs only when the intercepted command matches `git commit` or `git push`; otherwise exits 0.
779
779
  - Resolves `fallow` from PATH first, then `npx --no-install fallow` as a fallback. Skips with a stderr notice if neither is available or if `jq` is missing.
780
- - Enforces a version floor via `FALLOW_GATE_MIN_VERSION` (default `2.46.0`). Binaries below the floor are blocked with an upgrade hint. Set the env var to the empty string to disable the check.
781
- - Runs `fallow audit --format json --quiet --explain` and, on verdict=`fail`, writes the full JSON envelope to stderr preceded by `fallow-gate: blocked by fallow <version> at <binary>` so the responsible binary is always identifiable.
780
+ - Enforces a version floor via `FALLOW_GATE_MIN_VERSION` (default `2.85.0`). Binaries below the floor are blocked with an upgrade hint. Set the env var to the empty string to disable the check.
781
+ - Runs `fallow audit --format json --quiet --explain --gate-marker agent` and, on verdict=`fail`, writes the full JSON envelope to stderr preceded by `fallow-gate: blocked by fallow <version> at <binary>` so the responsible binary is always identifiable. The gate marker lets local Impact record blocked-then-cleared agent gate events when Impact is enabled.
782
782
  - On runtime error (`{"error": true, ...}`) or unexpected non-zero exit, fails open with a one-line stderr notice; warn verdicts pass through silently.
783
783
 
784
784
  Codex fallback (add to repo root `AGENTS.md`):
785
785
 
786
786
  ```md
787
- Before any `git commit` or `git push`, run `fallow audit --format json --quiet --explain`. If the verdict is `fail`, fix the reported findings before retrying. Treat JSON runtime errors like `{ "error": true, ... }` as non-blocking.
787
+ Before any `git commit` or `git push`, run `fallow audit --format json --quiet --explain --gate-marker agent`. If the verdict is `fail`, fix the reported findings before retrying. Treat JSON runtime errors like `{ "error": true, ... }` as non-blocking.
788
788
  ```
789
789
 
790
790
  Keep `fallow audit` in CI alongside this local gate. The hook only runs for Claude Code, not for human pushes or other agents, so it is a reinforcement layer rather than a replacement for server-side enforcement.
@@ -732,6 +732,11 @@ _meta?: (Meta | null)
732
732
  dead_code?: (CheckOutput | null)
733
733
  duplication?: (DupesReportPayload | null)
734
734
  complexity?: (HealthReport | null)
735
+ /**
736
+ * Read-only follow-up commands computed from this run's findings. See
737
+ * [`CheckOutput::next_steps`] for the contract.
738
+ */
739
+ next_steps?: NextStep[]
735
740
  }
736
741
  /**
737
742
  * Per-category summary counts for the audit result.
@@ -1031,6 +1036,15 @@ baseline?: (BaselineMatch | null)
1031
1036
  regression?: (RegressionResult | null)
1032
1037
  _meta?: (Meta | null)
1033
1038
  workspace_diagnostics?: WorkspaceDiagnostic[]
1039
+ /**
1040
+ * Read-only follow-up commands computed from this run's findings, emitted
1041
+ * at the JSON root so an agent acting on the output is pointed at fallow's
1042
+ * adjacent verification capabilities (trace, complexity breakdown, audit,
1043
+ * workspace scoping). Each command is runnable as-is and never mutating;
1044
+ * see [`NextStep`] for both contracts. Omitted when empty or when
1045
+ * `FALLOW_SUGGESTIONS=off`; does NOT contribute to `total_issues`.
1046
+ */
1047
+ next_steps?: NextStep[]
1034
1048
  }
1035
1049
  /**
1036
1050
  * Entry-point detection summary embedded in `CheckOutput` and the combined
@@ -2446,6 +2460,53 @@ exceeded: boolean
2446
2460
  */
2447
2461
  reason?: (string | null)
2448
2462
  }
2463
+ /**
2464
+ * A read-only follow-up command fallow surfaces from the current findings,
2465
+ * emitted as the top-level `next_steps` array on each command's JSON envelope.
2466
+ *
2467
+ * `next_steps` exists to point agents and humans sideways to fallow's adjacent
2468
+ * verification capabilities (trace, complexity breakdown, audit, workspace
2469
+ * scoping) that telemetry shows agents rarely discover, because they act on the
2470
+ * output in front of them rather than on reference docs.
2471
+ *
2472
+ * ## Two hard contracts
2473
+ *
2474
+ * 1. **Read-only.** A `next_step` NEVER suggests `fallow fix` or any mutating
2475
+ * command. Fallow surfaces evidence and verification paths; deciding and
2476
+ * applying the remediation is the agent's job.
2477
+ * 2. **Runnable, placeholder-free.** `command` is always runnable as-is. It
2478
+ * never contains an angle-bracket placeholder (`<...>`); finding-derived
2479
+ * values are filled in from a real, deterministically-selected finding, and
2480
+ * any environment- or user-specific value that cannot be made concrete lives
2481
+ * in `reason` instead. An agent can copy `command` and run it without edits.
2482
+ *
2483
+ * Both contracts are enforced by unit tests in
2484
+ * `crates/cli/src/report/suggestions.rs`.
2485
+ *
2486
+ * Note: a SEPARATE, unrelated `next_steps` field exists on the
2487
+ * `coverage setup` envelope (`CoverageSetupOutput.next_steps`) as a plain
2488
+ * `Vec<String>` of human onboarding steps. Consumers that read multiple
2489
+ * envelope kinds must route on the envelope's `kind` before interpreting a
2490
+ * `next_steps` field: on analysis envelopes it is `Vec<NextStep>` objects, on
2491
+ * `coverage setup` it is `Vec<String>`.
2492
+ */
2493
+ export interface NextStep {
2494
+ /**
2495
+ * Stable kebab-case key for machine dispatch and de-duplication
2496
+ * (for example `"trace-unused-export"`). Identity is stable across runs;
2497
+ * the `command` and `reason` strings may vary with the findings.
2498
+ */
2499
+ id: string
2500
+ /**
2501
+ * A runnable, read-only command string. Placeholder-free by contract.
2502
+ */
2503
+ command: string
2504
+ /**
2505
+ * One short phrase explaining why this helps. Carries any value that
2506
+ * cannot be made concrete in `command`.
2507
+ */
2508
+ reason: string
2509
+ }
2449
2510
  /**
2450
2511
  * Wire-shape payload for `fallow dupes --format json` (the body that
2451
2512
  * flattens into [`crate::output_envelope::DupesOutput`] and is also
@@ -4623,6 +4684,11 @@ grouped_by?: (GroupByMode | null)
4623
4684
  groups?: (HealthGroup[] | null)
4624
4685
  _meta?: (Meta | null)
4625
4686
  workspace_diagnostics?: WorkspaceDiagnostic[]
4687
+ /**
4688
+ * Read-only follow-up commands computed from this run's findings. See
4689
+ * [`CheckOutput::next_steps`] for the contract.
4690
+ */
4691
+ next_steps?: NextStep[]
4626
4692
  }
4627
4693
  /**
4628
4694
  * A health report scoped to a single group.
@@ -4766,6 +4832,11 @@ _meta?: (Meta | null)
4766
4832
  * a separate top-level field.
4767
4833
  */
4768
4834
  workspace_diagnostics?: WorkspaceDiagnostic[]
4835
+ /**
4836
+ * Read-only follow-up commands computed from this run's findings. See
4837
+ * [`CheckOutput::next_steps`] for the contract.
4838
+ */
4839
+ next_steps?: NextStep[]
4769
4840
  }
4770
4841
  /**
4771
4842
  * A single grouped duplication bucket. Per-group `stats` are dedup-aware and
@@ -4880,6 +4951,11 @@ grouped_by: GroupByMode
4880
4951
  total_issues: number
4881
4952
  groups: CheckGroupedEntry[]
4882
4953
  _meta?: (Meta | null)
4954
+ /**
4955
+ * Read-only follow-up commands computed from the full (ungrouped) findings.
4956
+ * See [`CheckOutput::next_steps`] for the contract.
4957
+ */
4958
+ next_steps?: NextStep[]
4883
4959
  }
4884
4960
  /**
4885
4961
  * Single resolver bucket inside `CheckGroupedOutput`. Carries the group's
@@ -5129,6 +5205,18 @@ recent_resolved: ResolutionEvent[]
5129
5205
  * "resolution tracking starts from your next run" instead of a bare zero.
5130
5206
  */
5131
5207
  attribution_active: boolean
5208
+ /**
5209
+ * Whether the local agent onboarding prompt has been explicitly declined.
5210
+ * Stored under `.fallow/` so agents can avoid cross-session nags.
5211
+ */
5212
+ onboarding_declined: boolean
5213
+ /**
5214
+ * Whether the user ever made an explicit enable/disable decision for
5215
+ * Impact tracking. `enabled: false` with `explicit_decision: false` means
5216
+ * "never asked"; with `true` it means "asked and declined". Agents use
5217
+ * this to offer the impact opt-in exactly once per project.
5218
+ */
5219
+ explicit_decision: boolean
5132
5220
  }
5133
5221
  /**
5134
5222
  * Per-category issue counts captured at a recorded run.
@@ -5866,6 +5954,11 @@ _meta?: (CombinedMeta | null)
5866
5954
  check?: (CheckOutput | null)
5867
5955
  dupes?: (DupesReportPayload | null)
5868
5956
  health?: (HealthReport | null)
5957
+ /**
5958
+ * Read-only follow-up commands aggregated across the combined run's
5959
+ * findings. See [`CheckOutput::next_steps`] for the contract.
5960
+ */
5961
+ next_steps?: NextStep[]
5869
5962
  }
5870
5963
  export interface CombinedMeta {
5871
5964
  check?: (Meta | null)