falsegreen-js 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -6,6 +6,45 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.3.0] - 2026-06-23
+
+### Added
+- New codes: JS21 (matcher referenced but never called, `expect(x).toBe` with no `()`),
+  JS22 (empty `it.each`/`test.each` table), JS17 (commented-out test block), JS18 (`done`
+  callback instead of async/await).
+- supertest / chai-http `.expect()` is recognized as an assertion, so API integration tests
+  built with `request(app).get(...).expect(200)` are no longer flagged C2b.
+- Documented test-pyramid coverage: unit, integration (API and database), and E2E.
+- `--config-audit` mode (project layer): reads the Jest/Vitest config (`package.json` `jest`
+  field, `jest.config.*`, `vitest.config.*`; JSON directly, JS/TS via the TypeScript parser)
+  and reports PL10 (`passWithNoTests`), PL7 (no `coverageThreshold` / `coverage.thresholds`),
+  PL8 (`bail`). Findings carry level `project` and a fix hint. README now recommends Stryker
+  for the mutation-testing layer the static scan cannot reach.
+- Status report output: every finding now carries its pyramid level (unit / integration /
+  e2e, detected from the file's import roots) and a one-line fix hint. The text summary adds
+  a per-level breakdown and the top fixes by frequency; JSON gains `level` and `fix` fields.
+- `--output` flag: write to a file, or pass a directory (e.g. `.falsegreen/`) to get
+  `report.<ext>` for the chosen format. Parent directories are created as needed.
+
+### Added
+- Cross-language parity with the Python scanner: C6 (weak check — toBeTruthy/toBeDefined/length>0),
+  C20 (assertion in dead code after return/throw), C23 (mystery guest — real file at a literal
+  path / hard-coded URL), and JS8 (mocks the unit under test and asserts it directly).
+
+### Added
+- JS3 now covers visual snapshots (Playwright `toHaveScreenshot`/`toMatchScreenshot`): a test whose only check is a visual snapshot is snapshot-only (the baseline comes from the output). Percy `percySnapshot()`/`cy.percySnapshot()` is not a runtime assertion, so a percy-only test surfaces as no-assertion (C2b).
+
+### Fixed
+- Test-file discovery now matches more JS/TS naming conventions: Cypress `.cy.*`,
+  Deno/Go `_test.*`, Jasmine `*Spec.*`, Angular/Protractor `.e2e-spec.*`, and `.e2e.*`
+  (plus the `cypress`/`e2e` directories). Previously only `.test`/`.spec` were
+  discovered, so Cypress/Deno/Jasmine/Angular specs were silently skipped.
+
+### Added
+- Vue/Svelte test-utils coverage: JS5 now flags non-awaited `flushPromises`/`nextTick`/
+  `tick`; JS13 now flags Vue Test Utils `findComponent`/`findAllComponents` and
+  `find`/`findAll` with a string selector used as a loose statement.
+
 ## [0.2.0] - 2026-06-22
 
 ### Added
@@ -45,6 +84,7 @@ All notable changes to this project are documented here. The format is based on
 - pre-commit hook (`.pre-commit-hooks.yaml`), CI matrix (Node 18/20/22), and an npm
   trusted-publishing release workflow.
 
-[Unreleased]: https://github.com/vinicq/falsegreen-js/compare/v0.2.0...HEAD
+[Unreleased]: https://github.com/vinicq/falsegreen-js/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/vinicq/falsegreen-js/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/vinicq/falsegreen-js/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/vinicq/falsegreen-js/releases/tag/v0.1.0

package/README.md

@@ -28,9 +28,18 @@ npx falsegreen-js                 # scan cwd
 npx falsegreen-js src test        # scan paths
 npx falsegreen-js --staged        # only test files staged in git (pre-commit)
 npx falsegreen-js --json          # machine-readable output
+npx falsegreen-js --output report.json   # write to a file
+npx falsegreen-js --output .falsegreen/  # write report.<ext> into a directory
+npx falsegreen-js --config-audit  # audit Jest/Vitest config (project-layer PL codes)
 npx falsegreen-js --disable C7,JS3
 ```
 
+Each finding is reported with its pyramid level (unit / integration / e2e, read from the file's imports) and a one-line fix hint, and the summary breaks the findings down by level and lists the most common fixes. `--output` takes a file or a directory: an extension-less or trailing-slash path (e.g. `.falsegreen/`) receives `report.<ext>` for the chosen format. Reports are run artifacts; keep the output directory gitignored.
+
+`--config-audit` is a separate mode: instead of scanning test files, it reads the Jest/Vitest config (`package.json` `jest` field, `jest.config.*`, `vitest.config.*`) and reports the project-layer ways a suite stays green by configuration: `PL10` (`passWithNoTests` passes an empty or filtered-to-nothing run), `PL7` (no `coverageThreshold` / `coverage.thresholds`), `PL8` (`bail` stops the run early). The per-file scan cannot see config.
+
+For the layer no static scan reaches (does a green test fail when the code is wrong?), run a **mutation tester** like [Stryker](https://stryker-mutator.io/). falsegreen-js is the cheap pre-filter on every commit; mutation testing is the deeper audit.
+
 Exit code: `0` clean, `10` low-confidence only, `20` high-confidence present. Wire it
 into CI or a pre-commit hook and let exit `20` block the commit.
 
@@ -44,8 +53,9 @@ expect(x);                     // falsegreen: ignore
 ## Runner coverage
 
 Runner-agnostic. The assertion and test vocabulary spans Jest, Vitest, Mocha + Chai,
-Jasmine, AVA, `node:test`, tap, Cypress, Playwright, and Testing Library
-(`@testing-library/*` with `jest-dom` / `jasmine-dom` matchers and `user-event`).
+Jasmine, AVA, `node:test`, tap, Cypress, Playwright, Testing Library
+(`@testing-library/*` with `jest-dom` / `jasmine-dom` matchers and `user-event`),
+and Vue Test Utils (`mount`/`wrapper.find`/`flushPromises`/`nextTick`).
 `expect().matcher()`, chai `expect().to`, `assert`, `x.should`, and AVA `t.is` all
 count as real assertions, so a Mocha or AVA test is not mistaken for one that never
 checks anything.
@@ -54,6 +64,25 @@ Note: component files (`.vue`, `.svelte`, `.astro`, `.marko`) and templates (`.h
 are not test files. Tests for those frameworks are written in `.spec`/`.test` files in
 the eight extensions above, which is what the scanner reads.
 
+## Test levels (the pyramid)
+
+falsegreen-js scans tests at every level of the pyramid. Discovery is level-agnostic - it
+reads any test file - but a few codes are read in light of the level, so a valid pattern at
+one level is not flagged at another.
+
+- **Unit:** a function or component with its boundaries doubled. The oracle is `expect`.
+- **Integration (API and database):** API tests through supertest / chai-http
+  (`request(app).get("/").expect(200)`, recognized as an assertion) or `fetch`, and database
+  tests through Prisma / TypeORM / Knex against a real datastore. These cross the I/O
+  boundary on purpose, so the response or row IS the verification at that level.
+- **E2E:** Cypress (`.cy.*`) and Playwright (`.e2e.*`). `cy.get().should(...)` and
+  `expect(page).toHaveURL(...)` are the oracle; a visible element is a real check here, not a
+  weak one.
+
+A real API or database call inside a test that claims to be a unit test is itself the smell
+(mystery guest, environment coupling), not the level of the test. C23 flags the hard-coded
+file path or URL form.
+
 ## Case catalog
 
 Codes shared with `falsegreen` (Python) keep the same id, so cross-language results
@@ -64,7 +93,10 @@ line up in the research. `JS*` codes are ecosystem-specific.
 | C2  | high | test with no check at all (empty body) |
 | C2b | low  | test calls code but asserts nothing |
 | C5  | high | always-true check (`expect(true).toBe(true)`, `assert(1)`) |
+| C6  | low  | weak check — only verifies something came back (`toBeTruthy`/`toBeDefined`, `length > 0`) |
 | C7  | high | compares a thing to itself (`expect(x).toBe(x)`) |
+| C20 | high | assertion in dead code after a `return`/`throw` — it never runs |
+| C23 | low  | reads a real file at a literal path, or a hard-coded URL (mystery guest) |
 | C8  | low  | exact equality on a float (use `toBeCloseTo`) |
 | C9  | low  | `toThrow()` with no error type or message — accepts any error |
 | C16 | low  | result depends on `Date.now`, `Math.random`, or a fixed timer |
@@ -79,10 +111,15 @@ line up in the research. `JS*` codes are ecosystem-specific.
 | JS5 | low  | async query/event not awaited (`findBy*` / `waitFor` / `user-event`) |
 | JS6 | high | empty `describe`/`suite` — the suite is green but runs nothing |
 | JS7 | low  | assertion inside a non-awaited `setTimeout`/`then` callback — may run after the test ends |
+| JS8 | low  | mocks the unit under test (`jest.mock`/`vi.mock` of an imported module asserted directly) |
 | JS9 | high | assertion in a dead branch (`if(false)` / `if(true){}else`) — never runs |
 | JS11 | low | `try/catch` swallows the assertion — a failing `expect` is caught, test stays green |
 | JS13 | low | query (`getBy*`/`queryBy*`) as a loose statement — its result is never asserted |
 | JS15 | low | inappropriate assertion — comparison wrapped in a boolean (`expect(a===b).toBe(true)`), blind failure message |
+| JS17 | low | commented-out test block (`// it(...)` / `// test(...)`) — disabled, no longer runs |
+| JS18 | low | test takes a `done` callback instead of async/await — a mistimed `done` passes early |
+| JS21 | high | matcher referenced but never called (`expect(x).toBe` with no `()`) — the assertion never runs |
+| JS22 | high | empty `it.each`/`test.each` table — generated with zero cases, never runs |
 
 Each code carries a judgment tag (J1-J6) shared with the
 [falsegreen-skill](https://github.com/vinicq/falsegreen-skill) semantic framework.
@@ -107,12 +144,19 @@ default. Enable them with `--diagnostics`, or per code via config `severity`. Th
 npx falsegreen-js --diagnostics      # include D*/M* as warnings
 ```
 
-### Roadmap (researched, not yet active)
+### Deliberately not implemented
+
+Some catalog codes were reviewed and left out, on purpose:
 
-Tracked in the research hub, pending implementation: JS8 (mocking the unit under test),
-JS10 (async test with no `expect.assertions` and the assertion only in a `catch`), JS12
-(`render(<C/>)`/`mount()` with no query or assertion), JS13 (a `getBy*`/`queryBy*` query
-as a loose statement), and a general Mystery Guest / external-resource code.
+- **JS19** (`toBe` on an object/array literal): `expect(x).toBe({...})` compares by reference,
+  so it always fails. That is a loud red test, the opposite of false-green, and out of scope.
+- **JS20** (a Promise compared without `resolves`/`rejects`): telling that a value is a
+  Promise needs type information the parser does not have, so it would be too noisy.
+- **JS12** (a floating promise whose `expect` is never returned): already covered by JS7.
+- **JS16** (`async` test with no `expect.assertions(n)`): the absence of a guard is not a
+  smell on its own; flagging it would fire on most async tests.
+- **JS10** (any conditional in a test body): handled by `eslint-plugin-jest`
+  (`no-conditional-in-test`); JS9 and C21 already cover the false-green subset.
 
 ### What carries over from falsegreen, what does not
 
@@ -167,3 +211,30 @@ tracked as research in the private audit hub. Issues and PRs welcome.
 ## License
 
 MIT, Vinicius Queiroz.
+
+## Contributors ✨
+
+Thanks to the people who keep false-green tests out of real suites ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-2-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tbody>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://vinicq.github.io/md-bridge/"><img src="https://avatars.githubusercontent.com/u/78210890?v=4?s=100" width="100px;" alt="Vinicius Queiroz"/><br /><sub><b>Vinicius Queiroz</b></sub></a><br /><a href="https://github.com/vinicq/falsegreen-js/commits?author=vinicq" title="Code">💻</a> <a href="https://github.com/vinicq/falsegreen-js/commits?author=vinicq" title="Documentation">📖</a> <a href="#ideas-vinicq" title="Ideas, Planning, & Feedback">🤔</a> <a href="#maintenance-vinicq" title="Maintenance">🚧</a> <a href="#infra-vinicq" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="https://github.com/vinicq/falsegreen-js/commits?author=vinicq" title="Tests">⚠️</a> <a href="#research-vinicq" title="Research">🔬</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/homesellerq-coder"><img src="https://avatars.githubusercontent.com/u/294912019?v=4?s=100" width="100px;" alt="Home Seller"/><br /><sub><b>Home Seller</b></sub></a><br /><a href="https://github.com/vinicq/falsegreen-js/commits?author=homesellerq-coder" title="Code">💻</a></td>
+    </tr>
+  </tbody>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+New contributors are added automatically; the table also recognizes non-code work (docs, ideas, infrastructure, tests, research) via the [all-contributors](https://allcontributors.org) spec.

package/dist/audit.d.ts

@@ -0,0 +1,5 @@
+import { Finding } from "./types.js";
+/** Read the Jest/Vitest config and report the project-layer PL codes: ways the
+ * suite can report green by configuration. Findings carry level `project`.
+ * Returns [] when no Jest/Vitest config is found. */
+export declare function auditConfig(start?: string): Finding[];

package/dist/audit.js

@@ -0,0 +1,120 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import ts from "typescript";
+import { makeFinding } from "./types.js";
+import { parse } from "./parse.js";
+/** JSON config: package.json `jest` field, or jest.config.json. */
+function readJsonConfig(start) {
+    const pkg = path.join(start, "package.json");
+    if (fs.existsSync(pkg)) {
+        try {
+            const j = JSON.parse(fs.readFileSync(pkg, "utf-8"));
+            if (j && typeof j.jest === "object")
+                return { path: pkg, cfg: j.jest };
+        }
+        catch { /* unreadable */ }
+    }
+    const jcj = path.join(start, "jest.config.json");
+    if (fs.existsSync(jcj)) {
+        try {
+            return { path: jcj, cfg: JSON.parse(fs.readFileSync(jcj, "utf-8")) };
+        }
+        catch { /* unreadable */ }
+    }
+    return null;
+}
+/** JS/TS config (jest.config.*, vitest.config.*, vite.config.*): AST-walk for
+ * the property assignments of interest. A heuristic, not full evaluation. */
+function readAstConfig(start) {
+    const candidates = [
+        "jest.config.ts", "jest.config.js", "jest.config.mjs", "jest.config.cjs",
+        "vitest.config.ts", "vitest.config.js", "vitest.config.mts",
+        "vite.config.ts", "vite.config.js",
+    ];
+    for (const name of candidates) {
+        const p = path.join(start, name);
+        if (!fs.existsSync(p))
+            continue;
+        let text;
+        try {
+            text = fs.readFileSync(p, "utf-8");
+        }
+        catch {
+            continue;
+        }
+        const sf = parse(p, text);
+        const props = new Set();
+        let passWithNoTests = false;
+        let bail = false;
+        const visit = (node) => {
+            if (ts.isPropertyAssignment(node) &&
+                (ts.isIdentifier(node.name) || ts.isStringLiteral(node.name))) {
+                const key = node.name.text;
+                props.add(key);
+                const init = node.initializer;
+                if (key === "passWithNoTests" && init.kind === ts.SyntaxKind.TrueKeyword) {
+                    passWithNoTests = true;
+                }
+                if (key === "bail") {
+                    if (init.kind === ts.SyntaxKind.TrueKeyword)
+                        bail = true;
+                    else if (ts.isNumericLiteral(init) && Number(init.text) > 0)
+                        bail = true;
+                }
+            }
+            ts.forEachChild(node, visit);
+        };
+        visit(sf);
+        return { path: p, props, passWithNoTests, bail };
+    }
+    return null;
+}
+function collect(start) {
+    const json = readJsonConfig(start);
+    const ast = readAstConfig(start);
+    if (!json && !ast)
+        return null;
+    let passWithNoTests = false;
+    let bail = false;
+    let hasCovGate = false;
+    if (json) {
+        const c = json.cfg;
+        if (c.passWithNoTests === true)
+            passWithNoTests = true;
+        if (c.bail === true || (typeof c.bail === "number" && c.bail > 0))
+            bail = true;
+        const cov = c.coverage;
+        if (c.coverageThreshold || c.thresholds || (cov && cov.thresholds))
+            hasCovGate = true;
+    }
+    if (ast) {
+        if (ast.passWithNoTests)
+            passWithNoTests = true;
+        if (ast.bail)
+            bail = true;
+        if (ast.props.has("coverageThreshold") || ast.props.has("thresholds"))
+            hasCovGate = true;
+    }
+    return { where: json?.path ?? ast.path, passWithNoTests, bail, hasCovGate };
+}
+/** Read the Jest/Vitest config and report the project-layer PL codes: ways the
+ * suite can report green by configuration. Findings carry level `project`.
+ * Returns [] when no Jest/Vitest config is found. */
+export function auditConfig(start = process.cwd()) {
+    const sig = collect(start);
+    if (!sig)
+        return [];
+    const findings = [];
+    const mk = (code) => {
+        const f = makeFinding(sig.where, 1, code);
+        f.level = "project";
+        return f;
+    };
+    if (!sig.hasCovGate)
+        findings.push(mk("PL7"));
+    if (sig.bail)
+        findings.push(mk("PL8"));
+    if (sig.passWithNoTests)
+        findings.push(mk("PL10"));
+    return findings;
+}

package/dist/cases.d.ts

@@ -19,4 +19,13 @@ export declare const DIAGNOSTIC_THRESHOLDS: {
     assertionRoulette: number;
     longTest: number;
 };
-export declare function groupOf(code: string): "false-positive" | "diagnostic" | "coupling";
+export declare function groupOf(code: string): "false-positive" | "diagnostic" | "coupling" | "project";
+/** Test-pyramid level, detected from a file's import roots (see level.ts).
+ * `project` is the config-audit layer (--config-audit), not a file level. */
+export type PyramidLevel = "unit" | "integration" | "e2e" | "project";
+/**
+ * One-line remediation per case: what to change so the test protects something.
+ * Short, imperative, no trailing period. Surfaced in the status report (text +
+ * JSON `fix` field). A code missing here renders no fix line, never throws.
+ */
+export declare const FIX_HINTS: Record<string, string>;

package/dist/cases.js

@@ -19,7 +19,10 @@ export const CASES = {
     C2: { title: "test with no check at all (empty body)", confidence: "high", judgment: "J1" },
     C2b: { title: "test calls things but checks nothing", confidence: "low", judgment: "J1" },
     C5: { title: "always-true check (expect(true).toBe(true), assert(1))", confidence: "high", judgment: "J2" },
+    C6: { title: "weak check — only verifies something came back (toBeTruthy/toBeDefined, length > 0)", confidence: "low", judgment: "J4" },
     C7: { title: "compares a thing to itself (expect(x).toBe(x))", confidence: "high", judgment: "J2" },
+    C20: { title: "assertion in dead code after a return/throw — it never runs", confidence: "high", judgment: "J1" },
+    C23: { title: "reads a real file at a literal path or hits a hard-coded URL (mystery guest)", confidence: "low", judgment: "J6" },
     C8: { title: "exact equality on a float (fails on rounding, not bugs)", confidence: "low", judgment: "J4" },
     C16: { title: "result depends on time, randomness or a fixed timer", confidence: "low", judgment: "J1" },
     C18: { title: "compares String()/JSON.stringify()/`${x}` of a value to a literal (checks formatting, not the value)", confidence: "low", judgment: "J2" },
@@ -35,10 +38,15 @@ export const CASES = {
     JS5: { title: "async query/event not awaited (findBy* / waitFor / user-event) — the assertion may never settle", confidence: "low", judgment: "J1" },
     JS6: { title: "empty describe/suite block — the suite reports green but runs nothing", confidence: "high", judgment: "J1" },
     JS7: { title: "assertion inside a non-awaited setTimeout/setInterval/then callback — it may run after the test ends", confidence: "low", judgment: "J1" },
+    JS8: { title: "mocks the unit under test (jest.mock/vi.mock of an imported module asserted directly) — tests the mock, not the code", confidence: "low", judgment: "J3" },
     JS9: { title: "assertion in a dead branch (if(false) / if(true){}else) — it never runs", confidence: "high", judgment: "J1" },
     JS11: { title: "try/catch swallows the assertion — a failing expect is caught and the test stays green", confidence: "low", judgment: "J1" },
     JS13: { title: "query (getBy*/queryBy*/wrapper.find) as a loose statement — its result is never asserted", confidence: "low", judgment: "J4" },
     JS15: { title: "inappropriate assertion — the comparison is wrapped in a boolean (expect(a===b).toBe(true)), so the failure message is blind", confidence: "low", judgment: "J4" },
+    JS17: { title: "commented-out test block (// it(...) / // test(...)) — a disabled test that no longer runs", confidence: "low", judgment: "J1" },
+    JS18: { title: "test takes a done callback instead of async/await — a done called too early (or in a floating promise) passes before the assertions run", confidence: "low", judgment: "J1" },
+    JS21: { title: "matcher referenced but never called (expect(x).toBe with no ()) — the assertion never executes", confidence: "high", judgment: "J1" },
+    JS22: { title: "empty it.each/test.each table — the test is generated with zero cases and never runs", confidence: "high", judgment: "J1" },
     // --- diagnostic group (maintainability; default off, opt-in via --diagnostics
     // or config severity). These are NOT false-green: the test still protects. They
     // are a "plus" for test-code health, mirroring falsegreen's D/M group. -------
@@ -49,13 +57,68 @@ export const CASES = {
     D7: { title: "anonymous test — empty or missing description", confidence: "off", judgment: "J4" },
     D8: { title: "magic number in an assertion — a bare numeric literal instead of a named constant", confidence: "off", judgment: "J4" },
     M2: { title: "test body exceeds the line-count threshold — hard to read and maintain", confidence: "off", judgment: "J5" },
+    // --- project layer (config-audit only; emitted by --config-audit, never by
+    // the per-file scan). The suite goes green by configuration, not by a smell
+    // inside any one test file. ------------------------------------------------
+    PL7: { title: "no coverage gate (coverageThreshold / coverage.thresholds) - coverage can fall to zero and the suite still passes", confidence: "low", judgment: "J5" },
+    PL8: { title: "bail stops the run early (bail) - the reported test count is incomplete", confidence: "low", judgment: "J5" },
+    PL10: { title: "passWithNoTests lets an empty or fully-filtered suite report green", confidence: "low", judgment: "J1" },
 };
 /** Default thresholds for the diagnostic group (overridable later via config). */
 export const DIAGNOSTIC_THRESHOLDS = { assertionRoulette: 5, longTest: 50 };
 export function groupOf(code) {
+    if (code.startsWith("PL"))
+        return "project";
     if (code.startsWith("D"))
         return "diagnostic";
     if (code.startsWith("M"))
         return "coupling";
     return "false-positive";
 }
+/**
+ * One-line remediation per case: what to change so the test protects something.
+ * Short, imperative, no trailing period. Surfaced in the status report (text +
+ * JSON `fix` field). A code missing here renders no fix line, never throws.
+ */
+export const FIX_HINTS = {
+    C2: "add an assertion that checks the behaviour under test",
+    C2b: "assert the result of the call, not just that it ran",
+    C5: "assert the real behaviour, not a constant or tautology",
+    C6: "assert the actual value, not just that something came back",
+    C7: "compare against an independent expected value, not the subject itself",
+    C20: "move the assertion before the return/throw so it runs",
+    C23: "use a fixture or temp file instead of a real path or hard-coded URL",
+    C8: "use toBeCloseTo() or a tolerance instead of exact float equality",
+    C16: "freeze time and seed randomness so the result is deterministic",
+    C18: "assert the value, not its String()/JSON.stringify() form",
+    C21: "add at least one assertion that runs unconditionally",
+    C9: "pass an error type or message to toThrow()",
+    C37: "remove the duplicate it.each/test.each case",
+    CC: "restore the commented-out assertion, or delete it",
+    JS1: "remove .only (it.only/fit/describe.only) so the whole suite runs",
+    JS2: "add a matcher (expect(x).toBe(...)) so the assertion runs",
+    JS3: "add a real assertion; don't rely only on a self-generated snapshot",
+    JS4: "remove .skip/xit/todo, or implement the test",
+    JS5: "await the async query/event before asserting",
+    JS6: "add tests to the describe block, or remove it",
+    JS7: "await the promise/timer, or assert synchronously",
+    JS8: "unmock the unit under test; mock only its collaborators",
+    JS9: "remove the dead branch so the assertion runs",
+    JS11: "let the assertion error propagate; don't catch it",
+    JS13: "assert on the query result, not just query it",
+    JS15: "expect the value directly (expect(a).toBe(b)), not a boolean",
+    JS17: "restore the commented-out test, or delete it",
+    JS18: "use async/await instead of the done callback",
+    JS21: "call the matcher (add ()) so the assertion executes",
+    JS22: "add at least one row to the it.each/test.each table",
+    D1: "give each assertion a message, or split the test",
+    D3: "remove the duplicate assertion",
+    D4: "add titled cases to it.each/test.each",
+    D6: "remove console.* or replace it with an assertion",
+    D7: "give the test a description",
+    D8: "name the magic number with a constant",
+    M2: "split the long test into focused cases",
+    PL7: "set coverageThreshold (Jest) or coverage.thresholds (Vitest) to gate coverage",
+    PL8: "remove bail so the whole suite runs and the count is complete",
+    PL10: "drop passWithNoTests so an empty or filtered-to-nothing run fails",
+};

package/dist/cli.d.ts

@@ -1,2 +1,13 @@
 #!/usr/bin/env node
-export {};
+import { Finding } from "./types.js";
+/** Turn --output into a concrete file path. A directory (existing dir, a
+ * trailing separator, or an extension-less name like ".falsegreen") receives
+ * "report.<ext>" for the chosen format; anything else is treated as a file.
+ * Missing parent directories are created either way. */
+export declare function resolveOutputPath(p: string, fmt: "json" | "text"): string;
+export declare function renderText(findings: Finding[]): string;
+/** True when this module is the process entry point. Package managers expose the
+ * `bin` through a symlink (node_modules/.bin/falsegreen-js), so process.argv[1]
+ * is the symlink while import.meta.url is the real dist/cli.js path; resolve the
+ * realpath before comparing, or `npx falsegreen-js` would exit without scanning. */
+export declare function isDirectRun(invokedPath: string | undefined, moduleUrl: string): boolean;

package/dist/cli.js

@@ -1,6 +1,10 @@
 #!/usr/bin/env node
-import { JUDGMENTS, groupOf } from "./cases.js";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { pathToFileURL } from "node:url";
+import { JUDGMENTS, CASES, groupOf, FIX_HINTS } from "./cases.js";
 import { scanPaths, scanFile, stagedFiles, loadConfig, } from "./scan.js";
+import { auditConfig } from "./audit.js";
 const VERSION = "0.2.0";
 const TOOL_URI = "https://github.com/vinicq/falsegreen-js";
 const HELP = `falsegreen-js ${VERSION} - find false-positive JS/TS tests (static AST scan)
@@ -9,17 +13,23 @@ Usage:
   falsegreen-js [paths...]        files/dirs; no args = scan cwd
   falsegreen-js --staged          only test files staged in git
   falsegreen-js --json            JSON output
+  falsegreen-js --output PATH     write to a file, or report.<ext> into a directory
+  falsegreen-js --config-audit    audit Jest/Vitest config (project-layer PL codes)
   falsegreen-js --diagnostics     also report the opt-in maintainability group (D*/M*)
   falsegreen-js --disable C7,JS3  turn off specific codes
   falsegreen-js --version
   falsegreen-js --help
 
+Each finding carries its pyramid level (unit/integration/e2e, read from imports)
+and a one-line fix hint; the summary breaks findings down by level.
 Exit codes: 0 clean, 10 low-confidence only, 20 high-confidence present.
 Suppress inline:  expect(x).toBe(x); // falsegreen: ignore[C7]
 Covers: .js .jsx .ts .tsx .mjs .cjs .mts .cts`;
 function parseArgs(argv) {
     const paths = [];
     let json = false, staged = false, help = false, version = false, diagnostics = false;
+    let configAudit = false;
+    let output;
     const disable = new Set();
     for (let i = 0; i < argv.length; i++) {
         const a = argv[i];
@@ -27,12 +37,18 @@ function parseArgs(argv) {
             json = true;
         else if (a === "--staged")
             staged = true;
+        else if (a === "--config-audit")
+            configAudit = true;
         else if (a === "--diagnostics")
             diagnostics = true;
         else if (a === "--help" || a === "-h")
             help = true;
         else if (a === "--version" || a === "-V")
             version = true;
+        else if (a === "--output")
+            output = argv[++i] ?? "";
+        else if (a.startsWith("--output="))
+            output = a.slice("--output=".length);
         else if (a === "--disable") {
             const v = argv[++i] ?? "";
             v.split(",").map((s) => s.trim()).filter(Boolean).forEach((c) => disable.add(c));
@@ -48,7 +64,30 @@ function parseArgs(argv) {
         else
             paths.push(a);
     }
-    return { paths, json, staged, help, version, diagnostics, disable };
+    return { paths, json, staged, help, version, diagnostics, configAudit, disable, output };
+}
+/** Turn --output into a concrete file path. A directory (existing dir, a
+ * trailing separator, or an extension-less name like ".falsegreen") receives
+ * "report.<ext>" for the chosen format; anything else is treated as a file.
+ * Missing parent directories are created either way. */
+export function resolveOutputPath(p, fmt) {
+    const ext = fmt === "json" ? "json" : "txt";
+    const trimmed = p.replace(/[/\\]+$/, "");
+    const base = path.basename(trimmed);
+    let isDir = /[/\\]$/.test(p) || path.extname(base) === "";
+    try {
+        if (fs.statSync(p).isDirectory())
+            isDir = true;
+    }
+    catch { /* missing path */ }
+    if (isDir) {
+        fs.mkdirSync(p, { recursive: true });
+        return path.join(p, `report.${ext}`);
+    }
+    const parent = path.dirname(p);
+    if (parent)
+        fs.mkdirSync(parent, { recursive: true });
+    return p;
 }
 function exitCode(findings) {
     if (findings.some((f) => f.confidence === "high"))
@@ -57,7 +96,7 @@ function exitCode(findings) {
         return 10;
     return 0;
 }
-function renderText(findings) {
+export function renderText(findings) {
     if (findings.length === 0)
         return "falsegreen-js: no false-positive patterns found.";
     const byFile = new Map();
@@ -76,9 +115,30 @@ function renderText(findings) {
                 low++;
             lines.push(`  ${tag} ${f.code.padEnd(4)} L${f.line}  ${f.title}` +
                 (f.detail ? `\n         ${f.detail}` : ""));
+            const hint = FIX_HINTS[f.code];
+            lines.push(`         level: ${f.level}` + (hint ? `   fix: ${hint}` : ""));
         }
     }
     lines.push(`\n${high} high, ${low} low. ${TOOL_URI}`);
+    // Test-pyramid breakdown + the most common fixes, over every finding shown.
+    const byLevel = new Map();
+    const byCode = new Map();
+    for (const f of findings) {
+        byLevel.set(f.level, (byLevel.get(f.level) ?? 0) + 1);
+        byCode.set(f.code, (byCode.get(f.code) ?? 0) + 1);
+    }
+    const order = ["unit", "integration", "e2e"];
+    const levels = [
+        ...order.filter((l) => byLevel.has(l)),
+        ...[...byLevel.keys()].filter((l) => !order.includes(l)).sort(),
+    ];
+    lines.push("By level: " + levels.map((l) => `${l}:${byLevel.get(l)}`).join(", "));
+    const top = [...byCode.entries()]
+        .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])).slice(0, 3);
+    lines.push("Top fixes:");
+    for (const [code, n] of top) {
+        lines.push(`  ${code} (${n}): ${FIX_HINTS[code] ?? CASES[code].title}`);
+    }
     return lines.join("\n");
 }
 function main() {
@@ -91,6 +151,26 @@ function main() {
         process.stdout.write(VERSION + "\n");
         process.exit(0);
     }
+    if (opt.configAudit) {
+        const base = opt.paths.find((p) => { try {
+            return fs.statSync(p).isDirectory();
+        }
+        catch {
+            return false;
+        } }) ?? ".";
+        const findings = auditConfig(base);
+        const rendered = opt.json
+            ? JSON.stringify({
+                tool: "falsegreen-js", version: VERSION, judgments: JUDGMENTS,
+                findings: findings.map((f) => ({ ...f, group: groupOf(f.code), fix: FIX_HINTS[f.code] ?? "" })),
+            }, null, 2)
+            : renderText(findings);
+        if (opt.output)
+            fs.writeFileSync(resolveOutputPath(opt.output, opt.json ? "json" : "text"), rendered + "\n");
+        else
+            process.stdout.write(rendered + "\n");
+        process.exit(findings.length ? 10 : 0);
+    }
     const config = loadConfig();
     const scanOpts = { config, cliDisable: opt.disable, diagnostics: opt.diagnostics };
     let findings;
@@ -100,17 +180,41 @@ function main() {
     else {
         findings = scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);
     }
-    if (opt.json) {
-        process.stdout.write(JSON.stringify({
+    const rendered = opt.json
+        ? JSON.stringify({
             tool: "falsegreen-js",
             version: VERSION,
             judgments: JUDGMENTS,
-            findings: findings.map((f) => ({ ...f, group: groupOf(f.code) })),
-        }, null, 2) + "\n");
+            findings: findings.map((f) => ({
+                ...f, group: groupOf(f.code), fix: FIX_HINTS[f.code] ?? "",
+            })),
+        }, null, 2)
+        : renderText(findings);
+    if (opt.output) {
+        const dest = resolveOutputPath(opt.output, opt.json ? "json" : "text");
+        fs.writeFileSync(dest, rendered + "\n");
     }
     else {
-        process.stdout.write(renderText(findings) + "\n");
+        process.stdout.write(rendered + "\n");
     }
     process.exit(exitCode(findings));
 }
-main();
+/** True when this module is the process entry point. Package managers expose the
+ * `bin` through a symlink (node_modules/.bin/falsegreen-js), so process.argv[1]
+ * is the symlink while import.meta.url is the real dist/cli.js path; resolve the
+ * realpath before comparing, or `npx falsegreen-js` would exit without scanning. */
+export function isDirectRun(invokedPath, moduleUrl) {
+    if (!invokedPath)
+        return false;
+    let resolved = invokedPath;
+    try {
+        resolved = fs.realpathSync(invokedPath);
+    }
+    catch { /* keep raw path */ }
+    return moduleUrl === pathToFileURL(resolved).href;
+}
+// Run only when invoked as the CLI, so the module can be imported in tests
+// without triggering a scan and process.exit.
+if (isDirectRun(process.argv[1], import.meta.url)) {
+    main();
+}

package/dist/level.d.ts

@@ -0,0 +1,10 @@
+import ts from "typescript";
+import { PyramidLevel } from "./cases.js";
+/**
+ * Map a test file to a pyramid level from its import roots: "e2e" (browser
+ * driver / e2e framework), "integration" (HTTP client or database driver:
+ * API and DB tests), or "unit" (neither). Broadest wins. A real API/DB import
+ * in a test the author treats as a unit test is itself the smell, surfaced by
+ * the level mismatch.
+ */
+export declare function detectPyramidLevel(sf: ts.SourceFile): PyramidLevel;

package/dist/level.js

@@ -0,0 +1,75 @@
+import ts from "typescript";
+// Browser drivers and end-to-end frameworks. A test file importing one of these
+// drives a real browser or a full stack: it is an E2E test.
+const E2E_ROOTS = new Set([
+    "cypress", "@playwright/test", "playwright", "playwright-core",
+    "selenium-webdriver", "webdriverio", "@wdio/globals", "puppeteer",
+    "puppeteer-core", "protractor", "nightwatch", "testcafe",
+]);
+// HTTP clients / API mocks and real datastore drivers or ORMs. A test importing
+// one of these crosses an I/O boundary (API or database): it is an integration
+// test, where the response or the row is the oracle.
+const INTEGRATION_ROOTS = new Set([
+    // API / HTTP
+    "supertest", "axios", "node-fetch", "cross-fetch", "got", "undici",
+    "superagent", "request", "nock", "msw", "pactum",
+    // database drivers / ORMs
+    "@prisma/client", "prisma", "typeorm", "sequelize", "mongoose", "mongodb",
+    "pg", "mysql", "mysql2", "redis", "ioredis", "knex", "better-sqlite3",
+    "sqlite3", "drizzle-orm", "testcontainers",
+]);
+/** The package root of a module specifier, or null for a relative import.
+ * Scoped packages keep two segments (`@playwright/test`); others keep one. */
+function packageRoot(spec) {
+    if (!spec || spec.startsWith(".") || spec.startsWith("/"))
+        return null;
+    const parts = spec.split("/");
+    return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
+}
+/** Every module specifier imported or required in the file. */
+function importRoots(sf) {
+    const roots = new Set();
+    const add = (spec) => {
+        const root = spec ? packageRoot(spec) : null;
+        if (root)
+            roots.add(root);
+    };
+    const visit = (node) => {
+        if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+            add(node.moduleSpecifier.text);
+        }
+        else if (ts.isImportEqualsDeclaration(node) &&
+            ts.isExternalModuleReference(node.moduleReference) &&
+            ts.isStringLiteral(node.moduleReference.expression)) {
+            add(node.moduleReference.expression.text);
+        }
+        else if (ts.isCallExpression(node)) {
+            const fn = node.expression;
+            const isRequire = ts.isIdentifier(fn) && fn.text === "require";
+            const isDynImport = fn.kind === ts.SyntaxKind.ImportKeyword;
+            const arg = node.arguments[0];
+            if ((isRequire || isDynImport) && arg && ts.isStringLiteral(arg))
+                add(arg.text);
+        }
+        ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return roots;
+}
+/**
+ * Map a test file to a pyramid level from its import roots: "e2e" (browser
+ * driver / e2e framework), "integration" (HTTP client or database driver:
+ * API and DB tests), or "unit" (neither). Broadest wins. A real API/DB import
+ * in a test the author treats as a unit test is itself the smell, surfaced by
+ * the level mismatch.
+ */
+export function detectPyramidLevel(sf) {
+    const roots = importRoots(sf);
+    for (const r of roots)
+        if (E2E_ROOTS.has(r))
+            return "e2e";
+    for (const r of roots)
+        if (INTEGRATION_ROOTS.has(r))
+            return "integration";
+    return "unit";
+}

package/dist/rules.js

@@ -23,6 +23,8 @@ const ASSERT_METHODS = new Set([
 const SNAPSHOT_MATCHERS = new Set([
     "toMatchSnapshot", "toMatchInlineSnapshot",
     "toThrowErrorMatchingSnapshot", "toThrowErrorMatchingInlineSnapshot",
+    // visual snapshots (Playwright): the baseline is generated from the output too
+    "toHaveScreenshot", "toMatchScreenshot",
 ]);
 const EQUALITY_MATCHERS = new Set(["toBe", "toEqual", "toStrictEqual"]);
 // --- name helpers ----------------------------------------------------------
@@ -39,6 +41,44 @@ function calleeName(expr) {
         return calleeName(expr.expression);
     return "";
 }
+/** Leftmost identifier of a property/call/element chain: `a.b().c` -> "a". */
+function rootIdent(e) {
+    let cur = e;
+    while (cur) {
+        if (ts.isIdentifier(cur))
+            return cur.text;
+        if (ts.isPropertyAccessExpression(cur) || ts.isCallExpression(cur) || ts.isElementAccessExpression(cur)) {
+            cur = cur.expression;
+        }
+        else if (ts.isParenthesizedExpression(cur) || ts.isNonNullExpression(cur)) {
+            cur = cur.expression;
+        }
+        else {
+            return null;
+        }
+    }
+    return null;
+}
+/** True if the expression chain bottoms out in an `expect(...)` call, walking
+ *  through property access, calls, `.not`/`.resolves`/`.rejects`, and wrappers. */
+function expectRooted(e) {
+    let cur = e;
+    while (cur) {
+        if (ts.isCallExpression(cur) && ts.isIdentifier(cur.expression) && cur.expression.text === "expect") {
+            return true;
+        }
+        if (ts.isPropertyAccessExpression(cur) || ts.isCallExpression(cur) || ts.isElementAccessExpression(cur)) {
+            cur = cur.expression;
+        }
+        else if (ts.isParenthesizedExpression(cur) || ts.isNonNullExpression(cur)) {
+            cur = cur.expression;
+        }
+        else {
+            return false;
+        }
+    }
+    return false;
+}
 function literalTruthiness(e) {
     if (!e)
         return null;
@@ -141,6 +181,27 @@ function expectChain(call) {
     }
     return null;
 }
+/** True if a call's result is observed: awaited, returned, assigned, or the
+ *  implicit-return body of an arrow. A bare floating call (its enclosing
+ *  statement is a plain ExpressionStatement) is NOT observed. Used to gate
+ *  supertest `.expect()` so a floating API request still surfaces as C2b. */
+function isObservedAsync(node) {
+    let cur = node;
+    let p = node.parent;
+    while (p) {
+        if (ts.isAwaitExpression(p) || ts.isReturnStatement(p))
+            return true;
+        if (ts.isVariableDeclaration(p) || ts.isBinaryExpression(p))
+            return true;
+        if (ts.isArrowFunction(p) && p.body === cur)
+            return true;
+        if (ts.isExpressionStatement(p))
+            return false;
+        cur = p;
+        p = p.parent;
+    }
+    return false;
+}
 // --- assertion presence ----------------------------------------------------
 function isAssertionNode(node) {
     if (ts.isCallExpression(node)) {
@@ -151,6 +212,13 @@ function isAssertionNode(node) {
         // expect(x).matcher(...) — Jest, Vitest, Jasmine, Playwright, jest-dom, chai expect
         if (root === "expect" && ts.isPropertyAccessExpression(node.expression))
             return true;
+        // <chain>.expect(...) — supertest / chai-http API tests: request(app).get("/").expect(200)
+        // is the assertion (it throws on mismatch), but only when the request is awaited or
+        // returned. A floating `request(app).get("/").expect(200);` can finish after the test
+        // ends, so it stays uncovered (C2b) instead of scanning clean.
+        if (ts.isPropertyAccessExpression(node.expression) && node.expression.name.text === "expect"
+            && isObservedAsync(node))
+            return true;
         if (root === "assert")
             return true; // node:test, chai assert
         if (root === "sinon" && name.includes("assert"))
@@ -236,6 +304,8 @@ function getTestCallback(call) {
 }
 // --- JS5: async query/event not awaited (Testing Library) ------------------
 const ASYNC_AWAIT_LEAVES = new Set(["waitFor", "waitForElementToBeRemoved"]);
+// Vue/Svelte async test helpers that return a promise and must be awaited.
+const VUE_SVELTE_ASYNC = new Set(["flushPromises", "nextTick", "$nextTick", "tick"]);
 function isAsyncQueryCall(name) {
     const parts = name.split(".");
     const root = parts[0];
@@ -271,10 +341,30 @@ export function analyze(sf) {
     const push = (line, code, detail = "") => {
         findings.push(makeFinding(file, line, code, detail));
     };
+    // JS8 (self-mock) file-level state
+    const mockedAt = new Map(); // module -> line of jest.mock/vi.mock
+    const importBinding = new Map(); // binding name -> module
+    const expectRoots = new Set(); // root identifier used as expect subject
     const visit = (node) => {
+        if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+            const mod = node.moduleSpecifier.text;
+            const clause = node.importClause;
+            if (clause?.name)
+                importBinding.set(clause.name.text, mod);
+            const nb = clause?.namedBindings;
+            if (nb && ts.isNamespaceImport(nb))
+                importBinding.set(nb.name.text, mod);
+            if (nb && ts.isNamedImports(nb))
+                for (const el of nb.elements)
+                    importBinding.set(el.name.text, mod);
+        }
         if (ts.isCallExpression(node)) {
             const name = calleeName(node.expression);
             const root = name.split(".")[0];
+            if ((name === "jest.mock" || name === "vi.mock" || name === "jest.doMock" || name === "vi.doMock") &&
+                node.arguments[0] && ts.isStringLiteral(node.arguments[0])) {
+                mockedAt.set(node.arguments[0].text, lineOf(sf, node));
+            }
             const modifier = name.split(".")[1] ?? "";
             // JS1 focused / JS4 skipped
             if (name.endsWith(".only") ||
@@ -294,9 +384,27 @@ export function analyze(sf) {
                 ((TEST_BLOCK_ROOTS.has(root)) && (modifier === "only" || modifier === "skip" || modifier === "each"));
             if (isTestBlock) {
                 const cb = getTestCallback(node);
+                // JS18: the test takes a `done` callback instead of async/await. A done
+                // called too early, or inside a floating promise, lets the test pass
+                // before the assertions run.
+                if (cb && cb.parameters.length > 0) {
+                    const p0 = cb.parameters[0].name;
+                    if (ts.isIdentifier(p0) && p0.text === "done") {
+                        push(lineOf(sf, node), "JS18", "uses a done callback; prefer async/await");
+                    }
+                }
                 if (cb && cb.body && ts.isBlock(cb.body)) {
                     const stmts = cb.body.statements;
                     const line = lineOf(sf, node);
+                    // C20: an assertion after a return/throw in the test body is dead code
+                    let terminated = false;
+                    for (const st of stmts) {
+                        if (terminated && containsAssertion(st)) {
+                            push(lineOf(sf, st), "C20", "assertion after a return/throw never runs");
+                        }
+                        if (ts.isReturnStatement(st) || ts.isThrowStatement(st))
+                            terminated = true;
+                    }
                     if (stmts.length === 0) {
                         push(line, "C2", "test body is empty");
                     }
@@ -370,6 +478,11 @@ export function analyze(sf) {
             }
             // expect-chain matchers (C5, C7, C8)
             const chain = expectChain(node);
+            if (chain && chain.subject) {
+                const r = rootIdent(chain.subject);
+                if (r)
+                    expectRoots.add(r);
+            }
             if (chain && !chain.negated) {
                 const subj = chain.subject;
                 const arg = chain.args[0];
@@ -403,6 +516,18 @@ export function analyze(sf) {
                         push(lineOf(sf, node), "D8", `magic number ${arg.text} in the assertion`);
                     }
                 }
+                // C6 weak check: truthiness/defined-only, or length > 0, on a real (non-literal) value
+                if (subj && !isLiteral(subj) && !subjIsComparison) {
+                    if (chain.matcher === "toBeTruthy" || chain.matcher === "toBeFalsy" || chain.matcher === "toBeDefined") {
+                        push(lineOf(sf, node), "C6", "only checks the value is present, not the expected result");
+                    }
+                    else if (arg && ts.isNumericLiteral(arg) &&
+                        ((chain.matcher === "toBeGreaterThan" && Number(arg.text) === 0) ||
+                            (chain.matcher === "toBeGreaterThanOrEqual" && Number(arg.text) === 1)) &&
+                        /\.length\b/.test(subj.getText(sf))) {
+                        push(lineOf(sf, node), "C6", "only checks it is not empty");
+                    }
+                }
                 // C5 always-true
                 if (chain.matcher === "toBeTruthy" && literalTruthiness(subj) === true) {
                     push(lineOf(sf, node), "C5", "toBeTruthy on a constant truthy literal");
@@ -439,10 +564,29 @@ export function analyze(sf) {
                 if (detail)
                     push(lineOf(sf, node), "C16", detail);
             }
-            // JS5: Testing Library async query/event used without await
+            // C23 mystery guest: real file at a literal path, or a hard-coded URL
+            {
+                const leaf = name.split(".").pop() ?? "";
+                const a0 = node.arguments[0];
+                const lit = a0 && ts.isStringLiteral(a0) ? a0.text : null;
+                if (lit && /^(readFileSync|readFile|openSync|createReadStream)$/.test(leaf) && /[\\/]/.test(lit)) {
+                    push(lineOf(sf, node), "C23", "reads a real file at a literal path");
+                }
+                else if (lit && (leaf === "fetch" || name === "fetch" || leaf === "get") && /^https?:\/\//i.test(lit)) {
+                    push(lineOf(sf, node), "C23", "hard-coded URL (mystery guest)");
+                }
+            }
+            // JS5: async query/event used without await. Testing Library (findBy*/waitFor/
+            // user-event) plus Vue/Svelte async helpers (flushPromises/nextTick/tick) in
+            // their promise form (no callback arg) used as a bare, non-awaited statement.
             if (isAsyncQueryCall(name) && ts.isExpressionStatement(node.parent)) {
                 push(lineOf(sf, node), "JS5", `${name} is not awaited`);
             }
+            else if (ts.isExpressionStatement(node.parent) && node.arguments.length === 0 &&
+                VUE_SVELTE_ASYNC.has(name.split(".").pop() ?? "")) {
+                const leaf = name.split(".").pop();
+                push(lineOf(sf, node), "JS5", `${leaf}() is not awaited`);
+            }
             // JS7: assertion inside a non-awaited setTimeout/setInterval/then callback
             {
                 const leaf = name.split(".").pop() ?? "";
@@ -461,15 +605,35 @@ export function analyze(sf) {
                     }
                 }
             }
-            // JS13: a sync RTL query used as a loose statement (result never asserted)
+            // JS13: a sync query used as a loose statement (result never asserted).
+            // Testing Library getBy*/queryBy*, and Vue Test Utils findComponent /
+            // findAllComponents always, or find/findAll with a string selector (which
+            // distinguishes wrapper.find('.btn') from Array.prototype.find(fn)).
             if (ts.isExpressionStatement(node.parent)) {
                 const qleaf = name.split(".").pop() ?? "";
-                if (/^(getBy|getAllBy|queryBy|queryAllBy)/.test(qleaf)) {
+                const isRtlQuery = /^(getBy|getAllBy|queryBy|queryAllBy)/.test(qleaf);
+                const isVueComponentQuery = qleaf === "findComponent" || qleaf === "findAllComponents";
+                const isVueSelectorQuery = (qleaf === "find" || qleaf === "findAll") &&
+                    node.arguments.length > 0 && ts.isStringLiteral(node.arguments[0]);
+                if (isRtlQuery || isVueComponentQuery || isVueSelectorQuery) {
                     push(lineOf(sf, node), "JS13", `${qleaf}() result is not asserted`);
                 }
             }
+            // A runner `.each` table: it.each / test.each / describe.each (and fit/xit
+            // variants). Gate the each-table codes on a runner root so a plain helper
+            // like `_.each([], fn)` or `lodash.each([])` is never mistaken for a test table.
+            const eachRoot = name.split(".")[0];
+            const isRunnerEach = name.endsWith(".each") &&
+                (TEST_BLOCK_ROOTS.has(eachRoot) || SUITE_ROOTS.has(eachRoot) ||
+                    eachRoot === "fit" || eachRoot === "xit");
+            // JS22: empty it.each/test.each table — zero cases are generated, so the
+            // test is collected but never runs and the suite stays green.
+            if (isRunnerEach && node.arguments.length > 0 &&
+                ts.isArrayLiteralExpression(node.arguments[0]) && node.arguments[0].elements.length === 0) {
+                push(lineOf(sf, node), "JS22", "empty .each table — the test runs zero times");
+            }
             // C37: duplicate case in it.each/test.each table
-            if (name.endsWith(".each") && node.arguments.length > 0 && ts.isArrayLiteralExpression(node.arguments[0])) {
+            if (isRunnerEach && node.arguments.length > 0 && ts.isArrayLiteralExpression(node.arguments[0])) {
                 const seen = new Set();
                 for (const el of node.arguments[0].elements) {
                     const t = el.getText(sf).replace(/\s+/g, " ").trim();
@@ -508,18 +672,42 @@ export function analyze(sf) {
                 push(lineOf(sf, node), "JS11", "a failing assertion in try is swallowed by catch");
             }
         }
+        // JS21: a matcher referenced but never called — `expect(x).toBe;` with no (),
+        // so the assertion object is built and dropped; nothing executes. The chain
+        // must be a bare statement (a call would make node.parent a CallExpression).
+        if (ts.isPropertyAccessExpression(node) &&
+            node.name.text.startsWith("to") &&
+            ts.isExpressionStatement(node.parent) &&
+            expectRooted(node.expression)) {
+            push(lineOf(sf, node), "JS21", `${node.name.text} is referenced but never called`);
+        }
         ts.forEachChild(node, visit);
     };
     visit(sf);
+    // JS8: a mocked module's imported binding is asserted directly -> testing the mock,
+    // not the real unit. Conservative: same module both mocked and imported, and that
+    // import used as an expect subject.
+    for (const [binding, mod] of importBinding) {
+        if (mockedAt.has(mod) && expectRoots.has(binding)) {
+            findings.push(makeFinding(file, mockedAt.get(mod), "JS8", `${binding} (from ${mod}) is mocked and asserted directly`));
+            break;
+        }
+    }
     // CC: commented-out assertion (text scan over single-line comments)
     // CC: a single-line `//` comment that is a commented-out assertion call.
     // Requires the call paren (expect(/assert(/assert.x() or a .should chain) so it
     // does not match JSDoc prose like ` * assert that ...`.
     const lines = text.split(/\r?\n/);
     const ccRe = /^\s*\/\/\s*(?:await\s+)?(?:expect\s*\(|assert(?:\.\w+)?\s*\(|[\w.]+\.should\b)/;
+    // JS17: a commented-out test block (// it('...', / // test(...) / // describe(...)),
+    // optionally with .skip/.only/.each. A disabled test that no longer runs and no
+    // longer shows up as skipped.
+    const js17Re = /^\s*\/\/\s*(?:it|test|describe|context|specify)(?:\.\w+)?\s*\(/;
     lines.forEach((ln, i) => {
         if (ccRe.test(ln))
             push(i + 1, "CC", "assertion is commented out");
+        else if (js17Re.test(ln))
+            push(i + 1, "JS17", "test block is commented out");
     });
     return findings;
 }

package/dist/types.d.ts

@@ -1,4 +1,4 @@
-import { Confidence } from "./cases.js";
+import { Confidence, PyramidLevel } from "./cases.js";
 export interface Finding {
     file: string;
     line: number;
@@ -6,5 +6,6 @@ export interface Finding {
     detail: string;
     confidence: Confidence;
     title: string;
+    level: PyramidLevel;
 }
 export declare function makeFinding(file: string, line: number, code: string, detail?: string, confidence?: Confidence): Finding;

package/dist/types.js

@@ -7,5 +7,6 @@ export function makeFinding(file, line, code, detail = "", confidence) {
         detail,
         confidence: confidence ?? CASES[code].confidence,
         title: CASES[code].title,
+        level: "unit",
     };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "falsegreen-js",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Find JavaScript/TypeScript unit tests that give false positives: green tests that protect nothing, and tests that pass while asserting the wrong thing. Deterministic AST scanner, sibling of falsegreen (Python).",
   "keywords": [
     "jest", "vitest", "mocha", "testing", "test-smells", "false-positive",