fallow 3.3.0 → 3.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -119,7 +119,7 @@ Create a config file in your project root, or run `fallow init`:
119
119
  ```jsonc
120
120
  // .fallowrc.json
121
121
  {
122
- "$schema": "https://raw.githubusercontent.com/fallow-rs/fallow/main/schema.json",
122
+ "$schema": "./node_modules/fallow/schema.json",
123
123
  "entry": ["src/workers/*.ts", "scripts/*.ts"],
124
124
  "ignorePatterns": ["**/*.generated.ts"],
125
125
  "rules": {
@@ -130,6 +130,16 @@ Create a config file in your project root, or run `fallow init`:
130
130
  }
131
131
  ```
132
132
 
133
+ `$schema` gives editors autocomplete and validation and has no effect on
134
+ analysis. As an npm package, `fallow` always ships a version-aligned schema at
135
+ `./node_modules/fallow/schema.json`, which `fallow init` and
136
+ `fallow recommend` point at by default: offline, no editor trust prompt. If
137
+ you install fallow another way (cargo, homebrew, a bare binary) with no
138
+ `node_modules/fallow` to point at, use the remote fallback instead:
139
+ `https://raw.githubusercontent.com/fallow-rs/fallow/main/schema.json`. Some
140
+ editors, including VS Code, refuse to load a remote schema URL until you
141
+ explicitly trust the domain.
142
+
133
143
  Also supports TOML (`fallow init --toml` creates `fallow.toml`).
134
144
 
135
145
  ## Documentation
package/capabilities.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "fallow",
3
- "version": "3.3.0",
3
+ "version": "3.4.2",
4
4
  "manifest_version": "1",
5
5
  "description": "Codebase analyzer for TypeScript/JavaScript: unused code, circular dependencies, code duplication, complexity hotspots, and architecture boundary violations",
6
6
  "global_flags": [
@@ -18,6 +18,16 @@
18
18
  "description": "Path to config file (.fallowrc.json, .fallowrc.jsonc, fallow.toml, or .fallow.toml)",
19
19
  "short": "-c"
20
20
  },
21
+ {
22
+ "name": "--allow-remote-extends",
23
+ "type": "bool",
24
+ "required": false,
25
+ "description": "Allow trusted config files to extend HTTPS URLs",
26
+ "possible_values": [
27
+ "true",
28
+ "false"
29
+ ]
30
+ },
21
31
  {
22
32
  "name": "--format",
23
33
  "type": "string",
@@ -36,7 +46,9 @@
36
46
  "pr-comment-gitlab",
37
47
  "review-github",
38
48
  "review-gitlab",
39
- "badge"
49
+ "badge",
50
+ "github-annotations",
51
+ "github-summary"
40
52
  ]
41
53
  },
42
54
  {
@@ -266,6 +278,12 @@
266
278
  "description": "Write the report to a file instead of stdout, for any --format (no ANSI codes). Useful on large projects where the terminal scrollback truncates the top. Progress and the confirmation stay on stderr",
267
279
  "short": "-o"
268
280
  },
281
+ {
282
+ "name": "--report-path-prefix",
283
+ "type": "string",
284
+ "required": false,
285
+ "description": "Prefix prepended to every path in the CI-facing formats (`github-annotations`, `github-summary`, `codeclimate`, `review-github`, `review-gitlab`). CI platforms address files by repository-root-relative path, so when the analyzed project lives in a subdirectory (e.g. `packages/app/`), paths need that offset. fallow detects the offset via the git toplevel automatically; this flag overrides the detection. Pass an empty string to disable rebasing and emit paths relative to `--root`"
286
+ },
269
287
  {
270
288
  "name": "--fail-on-regression",
271
289
  "type": "bool",
@@ -1448,6 +1466,18 @@
1448
1466
  }
1449
1467
  ]
1450
1468
  },
1469
+ {
1470
+ "name": "suppressions",
1471
+ "description": "List active fallow-ignore suppression markers (read-only inventory)",
1472
+ "flags": [
1473
+ {
1474
+ "name": "--file",
1475
+ "type": "string",
1476
+ "required": false,
1477
+ "description": "Only list suppressions in the specified files. Accepts multiple values"
1478
+ }
1479
+ ]
1480
+ },
1451
1481
  {
1452
1482
  "name": "explain",
1453
1483
  "description": "Explain one fallow issue type without running an analysis",
@@ -1753,6 +1783,18 @@
1753
1783
  }
1754
1784
  ]
1755
1785
  },
1786
+ {
1787
+ "name": "report",
1788
+ "description": "Render a saved `--format json` results file in another format without re-running analysis (analyze once, render annotations and the job summary from the same file). v1 renders the GitHub-native formats only: `--format github-annotations` or `--format github-summary`",
1789
+ "flags": [
1790
+ {
1791
+ "name": "--from",
1792
+ "type": "string",
1793
+ "required": true,
1794
+ "description": "Path to a fallow JSON results file produced by `--format json` (dead-code, dupes, health, audit, security, or bare combined)"
1795
+ }
1796
+ ]
1797
+ },
1756
1798
  {
1757
1799
  "name": "schema",
1758
1800
  "description": "Dump fallow's capability manifest (CLI commands and flags, issue types, MCP tools, framework plugins, env vars) as machine-readable JSON for agent introspection. Always JSON, regardless of --format",
@@ -6588,6 +6630,20 @@
6588
6630
  "license_note": null,
6589
6631
  "read_only": true
6590
6632
  },
6633
+ {
6634
+ "name": "list_suppressions",
6635
+ "kind": "analysis",
6636
+ "description": "List active fallow-ignore suppression markers grouped per file (line, kind, level, reason, and a stale cross-reference); a read-only governance inventory that always exits 0",
6637
+ "cli_command": "fallow suppressions --format json --quiet",
6638
+ "key_params": [
6639
+ "workspace",
6640
+ "changed_since",
6641
+ "file"
6642
+ ],
6643
+ "license": "free",
6644
+ "license_note": null,
6645
+ "read_only": true
6646
+ },
6591
6647
  {
6592
6648
  "name": "impact",
6593
6649
  "kind": "introspection",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "fallow",
3
- "version": "3.3.0",
3
+ "version": "3.4.2",
4
4
  "description": "Codebase intelligence for TypeScript and JavaScript. Free static analysis of code and styles, optional paid runtime intelligence (Fallow Runtime). Quality, risk, architecture, dependencies, duplication, and design-system drift for humans, CI, and the agents writing your code. Zero-config framework support.",
5
5
  "license": "MIT",
6
6
  "repository": {
@@ -36,7 +36,7 @@
36
36
  "tanstack-intent"
37
37
  ],
38
38
  "engines": {
39
- "node": ">=16"
39
+ "node": ">=22"
40
40
  },
41
41
  "bin": {
42
42
  "fallow": "bin/fallow",
@@ -87,13 +87,13 @@
87
87
  "@tanstack/intent": "0.3.2"
88
88
  },
89
89
  "optionalDependencies": {
90
- "@fallow-cli/darwin-arm64": "3.3.0",
91
- "@fallow-cli/darwin-x64": "3.3.0",
92
- "@fallow-cli/linux-x64-gnu": "3.3.0",
93
- "@fallow-cli/linux-arm64-gnu": "3.3.0",
94
- "@fallow-cli/linux-x64-musl": "3.3.0",
95
- "@fallow-cli/linux-arm64-musl": "3.3.0",
96
- "@fallow-cli/win32-arm64-msvc": "3.3.0",
97
- "@fallow-cli/win32-x64-msvc": "3.3.0"
90
+ "@fallow-cli/darwin-arm64": "3.4.2",
91
+ "@fallow-cli/darwin-x64": "3.4.2",
92
+ "@fallow-cli/linux-x64-gnu": "3.4.2",
93
+ "@fallow-cli/linux-arm64-gnu": "3.4.2",
94
+ "@fallow-cli/linux-x64-musl": "3.4.2",
95
+ "@fallow-cli/linux-arm64-musl": "3.4.2",
96
+ "@fallow-cli/win32-arm64-msvc": "3.4.2",
97
+ "@fallow-cli/win32-x64-msvc": "3.4.2"
98
98
  }
99
99
  }
package/schema.json CHANGED
@@ -4,7 +4,7 @@
4
4
  "type": "object",
5
5
  "properties": {
6
6
  "$schema": {
7
- "description": "A string pointing at fallow's JSON Schema URL, used only by editors for autocomplete and validation of the config file; it has no effect on analysis and is stripped before serialization (serde skip_serializing, writeOnly in the schema). Set it to `https://fallow.dev/schema.json` to get editor IntelliSense; any other value is ignored by fallow.",
7
+ "description": "A string pointing at fallow's JSON Schema URL, used only by editors for autocomplete and validation of the config file; it has no effect on analysis and is stripped before serialization (serde skip_serializing, writeOnly in the schema). Set it to `./node_modules/fallow/schema.json` for npm installs (version-aligned, offline, avoids VS Code's untrusted-remote-schema prompt), or `https://raw.githubusercontent.com/fallow-rs/fallow/main/schema.json` for non-npm installs; any other value is ignored by fallow.",
8
8
  "type": [
9
9
  "string",
10
10
  "null"
@@ -106,11 +106,13 @@ Route by intent before reaching for the big analysis commands. Same matrix as `f
106
106
  | `dupes` | Code duplication detection | `--mode`, `--threshold`, `--top`, `--changed-since`, `--workspace`, `--changed-workspaces`, `--skip-local`, `--cross-language`, `--ignore-imports`, `--no-ignore-imports`, `--explain-skipped`, `--fail-on-regression`, `--tolerance`, `--regression-baseline`, `--save-regression-baseline` |
107
107
  | `health` | Function complexity analysis (also covers Angular templates as synthetic `<template>` findings: external `.html` files via `templateUrl` AND inline `@Component({ template: \`...\` })` literals; suppress external with `<!-- fallow-ignore-file complexity -->` at the top of the `.html` file, suppress inline with `// fallow-ignore-next-line complexity` directly above the `@Component` decorator) | `--complexity`, `--max-cyclomatic`, `--max-cognitive`, `--max-crap`, `--top`, `--sort`, `--file-scores`, `--hotspots`, `--ownership`, `--ownership-emails`, `--targets`, `--effort`, `--score`, `--min-score`, `--since`, `--min-commits`, `--save-snapshot`, `--trend`, `--coverage-gaps`, `--coverage`, `--coverage-root`, `--runtime-coverage`, `--min-invocations-hot`, `--min-observation-volume`, `--low-traffic-threshold`, `--css`, `--complexity-breakdown`, `--min-severity`, `--report-only`, `--workspace`, `--changed-workspaces`, `--baseline`, `--save-baseline` |
108
108
  | `flags` | Detect feature flag patterns (env vars, SDK calls, config objects) | `--top` |
109
+ | `suppressions` | List active fallow-ignore suppression markers (read-only inventory) | `--file` |
109
110
  | `explain` | Explain one issue type without running analysis | `<issue-type>`, `--format json` |
110
111
  | `audit` | Combined dead-code + complexity + duplication + styling for changed files, returns a verdict; `fallow review` is an alias for `fallow audit --brief` (advisory orientation brief, always exits 0) | `--base`, `--gate`, `--brief`, `--max-decisions`, `--walkthrough-guide`, `--walkthrough-file`, `--show-deprioritized`, `--production`, `--production-dead-code`, `--production-health`, `--production-dupes`, `--workspace`, `--changed-workspaces`, `--ci`, `--fail-on-issues`, `--explain`, `--explain-skipped`, `--dead-code-baseline`, `--health-baseline`, `--dupes-baseline`, `--max-crap`, `--coverage`, `--coverage-root`, `--no-css`, `--css-deep`, `--no-css-deep`, `--include-entry-exports` |
111
112
  | `decision-surface` | Surface the consequential structural DECISIONS a change embeds (the apex of the review brief), each framed as a judgment question with the routed expert to ask | `--max-decisions` |
112
113
  | `impact` | Show what fallow has done for you: how many issues it is surfacing, the trend since the last recorded run, and how many commits it contained at the pre-commit gate | `--all`, `--sort`, `--limit` |
113
114
  | `security` | Surface opt-in local security candidates for agent verification (not confirmed vulnerabilities). Rule families include the graph rule `client-server-leak`, a data-driven `tainted-sink` catalogue, and the include-required `hardcoded-secret` category for provider-prefix credentials and high-entropy literals assigned to secret-shaped identifiers. Most catalogue rows require non-literal input; narrowly literal-aware rows flag deterministic unsafe literals. Rules default off; suppress a file with `// fallow-ignore-file security-sink`; scope categories with `security.categories`. Add project-local request object names with `security.requestReceivers`; it extends the built-in `req` / `request` / `ctx` / `context` / `event` allowlist for HTTP `query`, `params`, and `body` reads. `hardcoded-secret` runs only when listed in `security.categories.include`. | `--format human\|json\|sarif`, `--changed-since`, `--file`, `--diff-file`, `--workspace`, `--changed-workspaces`, `--surface`, `--ci`, `--fail-on-issues`, `--sarif-file`, `--summary` |
115
+ | `report` | Render a saved `--format json` results file in another format without re-running analysis (analyze once, render annotations and the job summary from the same file). | `--from` |
114
116
  | `schema` | Dump CLI definition as JSON | |
115
117
  | `ci-template` | Print or vendor CI integration templates | |
116
118
  | `migrate` | Convert knip/jscpd config | `--dry-run`, `--from PATH` |
@@ -509,7 +509,7 @@ fallow health --format json --quiet --trend
509
509
  {
510
510
  "kind": "health",
511
511
  "schema_version": 7,
512
- "version": "3.3.0",
512
+ "version": "3.4.2",
513
513
  "elapsed_ms": 32,
514
514
  "summary": {
515
515
  "files_analyzed": 482,
@@ -907,7 +907,7 @@ fallow audit \
907
907
  {
908
908
  "kind": "audit",
909
909
  "schema_version": 7,
910
- "version": "3.3.0",
910
+ "version": "3.4.2",
911
911
  "command": "audit",
912
912
  "verdict": "fail",
913
913
  "changed_files_count": 12,
@@ -982,7 +982,7 @@ fallow flags --format json --quiet --workspace my-package
982
982
  ```json
983
983
  {
984
984
  "schema_version": 7,
985
- "version": "3.3.0",
985
+ "version": "3.4.2",
986
986
  "elapsed_ms": 116,
987
987
  "feature_flags": [],
988
988
  "total_flags": 0
@@ -1083,7 +1083,7 @@ fallow security --gate newly-reachable --changed-since origin/main
1083
1083
  {
1084
1084
  "kind": "security",
1085
1085
  "schema_version": "4",
1086
- "version": "3.3.0",
1086
+ "version": "3.4.2",
1087
1087
  "elapsed_ms": 42,
1088
1088
  "config": {
1089
1089
  "rules": {
@@ -1112,7 +1112,7 @@ fallow security --gate newly-reachable --changed-since origin/main
1112
1112
  {
1113
1113
  "kind": "security",
1114
1114
  "schema_version": "4",
1115
- "version": "3.3.0",
1115
+ "version": "3.4.2",
1116
1116
  "elapsed_ms": 42,
1117
1117
  "config": {
1118
1118
  "rules": {
@@ -1632,7 +1632,8 @@ Available on all commands:
1632
1632
  |---|---|---|---|
1633
1633
  | `-r, --root` | `string` | - | Project root directory |
1634
1634
  | `-c, --config` | `string` | - | Config file path |
1635
- | `-f, --format` | `human\|json\|sarif\|compact\|markdown\|codeclimate\|pr-comment-github\|pr-comment-gitlab\|review-github\|review-gitlab\|badge` | `human` | Output format (alias: --output) |
1635
+ | `--allow-remote-extends` | `bool` | `false` | Allow trusted config files to extend HTTPS URLs |
1636
+ | `-f, --format` | `human\|json\|sarif\|compact\|markdown\|codeclimate\|pr-comment-github\|pr-comment-gitlab\|review-github\|review-gitlab\|badge\|github-annotations\|github-summary` | `human` | Output format (alias: --output) |
1636
1637
  | `-q, --quiet` | `bool` | `false` | Suppress progress output |
1637
1638
  | `--no-cache` | `bool` | `false` | Disable incremental caching |
1638
1639
  | `--threads` | `string` | - | Number of parser threads |
@@ -1660,6 +1661,7 @@ Available on all commands:
1660
1661
  | `--fail-on-issues` | `bool` | `false` | Exit 1 if any issues found (promotes `warn` to `error`) |
1661
1662
  | `--sarif-file` | `string` | - | Write SARIF output to a file instead of stdout |
1662
1663
  | `-o, --output-file` | `string` | - | Write the report to a file instead of stdout, for any --format (no ANSI codes). Useful on large projects where the terminal scrollback truncates the top. Progress and the confirmation stay on stderr |
1664
+ | `--report-path-prefix` | `string` | - | Prefix prepended to every path in the CI-facing formats (`github-annotations`, `github-summary`, `codeclimate`, `review-github`, `review-gitlab`). CI platforms address files by repository-root-relative path, so when the analyzed project lives in a subdirectory (e.g. `packages/app/`), paths need that offset. fallow detects the offset via the git toplevel automatically; this flag overrides the detection. Pass an empty string to disable rebasing and emit paths relative to `--root` |
1663
1665
  | `--fail-on-regression` | `bool` | `false` | Fail if issue count increased beyond tolerance vs a regression baseline |
1664
1666
  | `--tolerance` | `string` | `0` | Allowed increase: `"2%"` (percentage) or `"5"` (absolute). Default: `"0"` |
1665
1667
  | `--regression-baseline` | `string` | - | Path to regression baseline file (default: `.fallow/regression-baseline.json`) |
@@ -1831,7 +1833,7 @@ The HTTP layer mirrors the bash `gh_api_retry` / `curl_retry` helpers: `FALLOW_A
1831
1833
  {
1832
1834
  "kind": "dead-code",
1833
1835
  "schema_version": 7,
1834
- "version": "3.3.0",
1836
+ "version": "3.4.2",
1835
1837
  "elapsed_ms": 45,
1836
1838
  "total_issues": 12,
1837
1839
  "entry_points": {
@@ -1991,7 +1993,7 @@ When `--baseline` is used in combined output, the JSON includes a `baseline_delt
1991
1993
  {
1992
1994
  "kind": "dupes",
1993
1995
  "schema_version": 7,
1994
- "version": "3.3.0",
1996
+ "version": "3.4.2",
1995
1997
  "elapsed_ms": 82,
1996
1998
  "total_clones": 15,
1997
1999
  "total_lines_duplicated": 230,
@@ -2035,11 +2037,11 @@ When running `fallow` with no subcommand (all analyses), the JSON output combine
2035
2037
  {
2036
2038
  "kind": "combined",
2037
2039
  "schema_version": 7,
2038
- "version": "3.3.0",
2040
+ "version": "3.4.2",
2039
2041
  "elapsed_ms": 159,
2040
2042
  "check": {
2041
2043
  "schema_version": 7,
2042
- "version": "3.3.0",
2044
+ "version": "3.4.2",
2043
2045
  "elapsed_ms": 45,
2044
2046
  "total_issues": 12,
2045
2047
  "unused_files": [],
@@ -34,6 +34,7 @@ When using fallow via MCP (`fallow-mcp`), the following tools are available:
34
34
  | `recommend` | introspection | free | `fallow recommend --format json --quiet` | `root` | Recommend a project-tailored config from framework/workspace/tooling detection: a loader-validated proposed_config and three-valued auto/default/taste decisions for cold-start onboarding |
35
35
  | `list_boundaries` | introspection | free | `fallow list --boundaries --format json --quiet` | - | Architecture boundary zones, access rules, and pre-expansion `autoDiscover` `logical_groups[]` (user-authored parent name, verbatim paths, discovered children, `status` enum, summed `file_count`). Returns `{"configured": false}` if no boundaries configured |
36
36
  | `feature_flags` | analysis | free | `fallow flags --format json --quiet` | `workspace`, `production` | Detect feature flag patterns (env vars, SDK calls, config objects). Set `top` to limit results |
37
+ | `list_suppressions` | analysis | free | `fallow suppressions --format json --quiet` | `workspace`, `changed_since`, `file` | List active fallow-ignore suppression markers grouped per file (line, kind, level, reason, and a stale cross-reference); a read-only governance inventory that always exits 0 |
37
38
  | `impact` | introspection | free | `fallow impact --format json --quiet` | `root` | Read the local, opt-in Fallow Impact value report (`fallow impact --format json`). Runs no analysis: current surfacing counts, trend since the last recorded run, pre-commit gate containment, and (on impact v1.5+) resolved/suppressed attribution. History is read from a per-project file in the user's private config dir (never inside the repo). Read-only and `root`-only; the mutating `enable` / `disable` / `default` lifecycle is not exposed. A never-enabled project returns a populated `{"enabled": false, ...}` report (never `{}`); branch on `enabled` and `enabled_source` (`project` / `user` / `default`) then `record_count`, recommending `fallow impact enable` only when `explicit_decision` is `false` (never asked) and staying silent when `true` (deliberately disabled here). Local-developer signal: fallow never records in CI, so empty there and not a CI metric |
38
39
  | `impact_all` | introspection | free | `fallow impact --all --format json --quiet` | `sort`, `limit` | Roll every tracked fallow project on this machine into one cross-repo value report (hashed keys plus basename labels, never paths; local-dev only) |
39
40
  | `trace_export` | trace | free | `fallow dead-code --trace <file:export> --format json --quiet` | `file`, `export_name` | Trace why an export is used or unused (`fallow dead-code --trace FILE:EXPORT_NAME --format json`). Required `file` and `export_name`. Returns file reachability, entry-point status, direct references, re-export chains, and a reason string. If `export_name` is a class / enum / store MEMBER, returns a member trace instead (`member_name`, `member_kind`, `owner_export`, `owner_is_used`) plus a `--unused-<kind>-members` pointer; branch on field presence. Use before deleting a supposedly-unused export or debugging an unused-class-member finding |
@@ -24,7 +24,7 @@
24
24
 
25
25
 
26
26
  /**
27
- * Schemas for the JSON output of fallow commands. Object-shaped envelopes covered by the `FallowOutput` contract carry a top-level `kind` discriminator. Current kind values: `audit`, `explain`, `inspect_target`, `trace`, `review-envelope`, `review-reconcile`, `coverage-setup`, `coverage-analyze`, `list-boundaries`, `list-workspaces`, `health`, `dupes`, `dead-code-grouped`, `impact`, `impact-cross-repo`, `security`, `security-survivors`, `security-blind-spots`, `dead-code`, `combined`, `feature-flags`, `audit-brief`, `decision-surface`, `review-walkthrough-guide`, `review-walkthrough-validation`. Consumers should branch on `kind` instead of probing for unique field presence. `CodeClimateOutput` is a bare JSON array (per the Code Climate / GitLab Code Quality spec) and stays a sibling root branch discriminated by checking whether the document root is an array.
27
+ * Schemas for the JSON output of fallow commands. Object-shaped envelopes covered by the `FallowOutput` contract carry a top-level `kind` discriminator. Current kind values: `audit`, `explain`, `inspect_target`, `trace`, `review-envelope`, `review-reconcile`, `coverage-setup`, `coverage-analyze`, `list-boundaries`, `list-workspaces`, `health`, `dupes`, `dead-code-grouped`, `impact`, `impact-cross-repo`, `security`, `security-survivors`, `security-blind-spots`, `dead-code`, `combined`, `feature-flags`, `audit-brief`, `decision-surface`, `review-walkthrough-guide`, `review-walkthrough-validation`, `suppression-inventory`. Consumers should branch on `kind` instead of probing for unique field presence. `CodeClimateOutput` is a bare JSON array (per the Code Climate / GitLab Code Quality spec) and stays a sibling root branch discriminated by checking whether the document root is an array.
28
28
  */
29
29
  export type FallowJsonOutput = (FallowOutput | CodeClimateOutput)
30
30
  /**
@@ -94,6 +94,8 @@ kind: "decision-surface"
94
94
  kind: "review-walkthrough-guide"
95
95
  }) | (WalkthroughValidation & {
96
96
  kind: "review-walkthrough-validation"
97
+ }) | (SuppressionInventoryOutput & {
98
+ kind: "suppression-inventory"
97
99
  }))
98
100
  /**
99
101
  * Schema version for this output format (independent of tool version). Bump
@@ -375,6 +377,12 @@ kind: "skipped-large-file"
375
377
  */
376
378
  size_bytes: number
377
379
  kind: "skipped-minified-file"
380
+ } | {
381
+ /**
382
+ * Filesystem or UTF-8 decoding error from `read_to_string`.
383
+ */
384
+ error: string
385
+ kind: "source-read-failure"
378
386
  })
379
387
  /**
380
388
  * Discriminant for [`CloneGroupAction::kind`]. Mirrors the action types
@@ -871,6 +879,19 @@ export type DecisionSurfaceSchemaVersion = number
871
879
  * The discriminated action kinds a decision can carry.
872
880
  */
873
881
  export type DecisionActionType = ("ask-expert" | "suppress")
882
+ /**
883
+ * The `fallow suppressions --format json` schema version. Independently
884
+ * versioned from the main contract, mirroring `SecuritySchemaVersion`.
885
+ */
886
+ export type SuppressionInventorySchemaVersion = "1"
887
+ /**
888
+ * Suppression marker scope.
889
+ */
890
+ export type SuppressionInventoryLevel = ("file" | "line")
891
+ /**
892
+ * How a suppression in the inventory was authored.
893
+ */
894
+ export type SuppressionInventoryOrigin = "comment"
874
895
  /**
875
896
  * Discriminator value for [`CodeClimateIssue::kind`].
876
897
  */
@@ -7939,6 +7960,11 @@ grouped_by: GroupByMode
7939
7960
  total_issues: number
7940
7961
  groups: CheckGroupedEntry[]
7941
7962
  _meta?: (Meta | null)
7963
+ /**
7964
+ * Diagnostics collected for the full analysis before issue grouping.
7965
+ * See [`CheckOutput::workspace_diagnostics`] for the contract.
7966
+ */
7967
+ workspace_diagnostics?: WorkspaceDiagnostic[]
7942
7968
  /**
7943
7969
  * Read-only follow-up commands computed from the full (ungrouped) findings.
7944
7970
  * See [`CheckOutput::next_steps`] for the contract.
@@ -10135,6 +10161,106 @@ change_anchor: string
10135
10161
  */
10136
10162
  reason: string
10137
10163
  }
10164
+ /**
10165
+ * The `fallow suppressions --format json` envelope. `FallowOutput`
10166
+ * discriminates it by the `kind: "suppression-inventory"` tag.
10167
+ *
10168
+ * A read-only projection over the suppression markers present in analyzed
10169
+ * files this run: nothing here is a finding, and the command that emits it
10170
+ * always exits 0.
10171
+ */
10172
+ export interface SuppressionInventoryOutput {
10173
+ schema_version: SuppressionInventorySchemaVersion
10174
+ summary: SuppressionInventorySummary
10175
+ /**
10176
+ * Per-file suppression listings, sorted by path then line.
10177
+ */
10178
+ files: SuppressionInventoryFile[]
10179
+ }
10180
+ /**
10181
+ * Project-level totals for the suppression inventory.
10182
+ */
10183
+ export interface SuppressionInventorySummary {
10184
+ /**
10185
+ * Total suppression markers in scope.
10186
+ */
10187
+ total: number
10188
+ /**
10189
+ * Number of files carrying at least one marker.
10190
+ */
10191
+ files: number
10192
+ /**
10193
+ * Markers without a human-authored `--` reason.
10194
+ */
10195
+ without_reason: number
10196
+ /**
10197
+ * Markers that also appear as stale-suppression findings this run. This
10198
+ * is a JOIN against the existing stale-suppression detector's output
10199
+ * (matched by file and kind), not a new detection.
10200
+ */
10201
+ stale: number
10202
+ /**
10203
+ * Marker counts per suppressed kind, sorted by count (descending) then
10204
+ * kind. `kind` is `null` for blanket markers, mirroring the per-entry
10205
+ * contract.
10206
+ */
10207
+ by_kind: SuppressionKindCount[]
10208
+ }
10209
+ /**
10210
+ * One `by_kind` row in the suppression inventory summary.
10211
+ */
10212
+ export interface SuppressionKindCount {
10213
+ /**
10214
+ * The suppressed issue kind in kebab-case, or `null` for blanket markers
10215
+ * (rendered as "blanket" in human output; machine consumers branch on
10216
+ * `null`).
10217
+ */
10218
+ kind?: (string | null)
10219
+ /**
10220
+ * Number of markers targeting this kind.
10221
+ */
10222
+ count: number
10223
+ }
10224
+ /**
10225
+ * One file's suppression listing.
10226
+ */
10227
+ export interface SuppressionInventoryFile {
10228
+ /**
10229
+ * Project-root-relative path, forward-slash separated.
10230
+ */
10231
+ path: string
10232
+ /**
10233
+ * Markers in this file, sorted by line.
10234
+ */
10235
+ suppressions: SuppressionInventoryEntry[]
10236
+ }
10237
+ /**
10238
+ * One suppression marker in the inventory.
10239
+ */
10240
+ export interface SuppressionInventoryEntry {
10241
+ /**
10242
+ * 1-based line of the suppression comment itself; 0 only if unknown.
10243
+ */
10244
+ line: number
10245
+ /**
10246
+ * The suppressed issue kind in kebab-case (e.g. `"unused-export"`), or
10247
+ * `null` for a blanket marker that suppresses every kind on its target.
10248
+ * Human output renders the blanket case as the literal word "blanket";
10249
+ * the JSON contract deliberately keeps `null` so machine consumers
10250
+ * branch on `null` instead of a magic string.
10251
+ */
10252
+ kind?: (string | null)
10253
+ level: SuppressionInventoryLevel
10254
+ origin: SuppressionInventoryOrigin
10255
+ /**
10256
+ * Human-authored reason after `--`; `null` when absent.
10257
+ */
10258
+ reason?: (string | null)
10259
+ /**
10260
+ * Whether a human-authored reason is present.
10261
+ */
10262
+ reason_present: boolean
10263
+ }
10138
10264
  /**
10139
10265
  * Single CodeClimate-compatible issue inside [`CodeClimateOutput`].
10140
10266
  */