falsegreen-js 0.3.0 → 0.4.0

package/dist/rules.js

@@ -1,32 +1,31 @@
 import ts from "typescript";
 import { makeFinding } from "./types.js";
 import { DIAGNOSTIC_THRESHOLDS } from "./cases.js";
+import { ASSERT_ROOTS, ASSERT_METHODS, SNAPSHOT_MATCHERS, EQUALITY_MATCHERS, VUE_SVELTE_ASYNC, oracleKind, } from "./oracles.js";
 import { lineOf } from "./parse.js";
+import { assertionsInDeadCode, hasUnconditionalAssertion } from "./cfg.js";
 // --- test framework vocabulary (runner-agnostic) ---------------------------
 // it/test/specify (Jest, Vitest, Mocha, Jasmine, AVA, node:test, Cypress,
 // Playwright, tap). describe/context/suite are suites. fit/fdescribe focus and
-// xit/xdescribe skip come from Jasmine/Mocha.
+// xit/xdescribe skip come from Jasmine/Mocha. The assertion-API vocabulary
+// (ASSERT_ROOTS/ASSERT_METHODS/SNAPSHOT_MATCHERS/EQUALITY_MATCHERS and the async
+// leaves) lives in the oracle registry (oracles.ts), imported above. JS5 routes
+// its async detection through oracleKind() instead of a hand-rolled name list.
 const TEST_BLOCK_ROOTS = new Set(["it", "test", "specify"]);
 const SUITE_ROOTS = new Set(["describe", "context", "suite", "fdescribe", "xdescribe", "fcontext", "xcontext"]);
 const FOCUS_NAMES = new Set(["fit", "fdescribe", "fcontext"]);
 const SKIP_NAMES = new Set(["xit", "xdescribe", "xcontext", "xspecify"]);
-// Roots whose `<root>.<method>()` call counts as an assertion across runners:
-// AVA (t), node:test/tap (t), Cypress (cy), chai assert, sinon.assert.
-const ASSERT_ROOTS = new Set(["assert", "t", "cy", "tap", "qunit", "sinon", "chai", "should"]);
-// Assertion method names used by AVA / tap / node:test / chai assert / QUnit.
-const ASSERT_METHODS = new Set([
-    "is", "not", "ok", "notOk", "true", "false", "truthy", "falsy",
-    "equal", "notEqual", "deepEqual", "notDeepEqual", "strictEqual",
-    "same", "notSame", "throws", "notThrows", "throwsAsync", "regex", "notRegex",
-    "pass", "fail", "assert", "expect", "include", "match",
+// --- C48 dark-patch: a test that flips a known test-mode flag then asserts ---
+// env keys (process.env.<KEY> = <test-mode value>) whose name means "we are under
+// test". NODE_ENV only counts when set to "test" (production/development are real
+// configs); CI is excluded (infra, not a product branch).
+const ENV_TEST_MODE_KEYS = new Set([
+    "NODE_ENV", "JEST_WORKER_ID", "VITEST", "TEST", "TESTING", "TEST_MODE",
+    "TESTMODE", "UNDER_TEST", "IS_TEST",
 ]);
-const SNAPSHOT_MATCHERS = new Set([
-    "toMatchSnapshot", "toMatchInlineSnapshot",
-    "toThrowErrorMatchingSnapshot", "toThrowErrorMatchingInlineSnapshot",
-    // visual snapshots (Playwright): the baseline is generated from the output too
-    "toHaveScreenshot", "toMatchScreenshot",
-]);
-const EQUALITY_MATCHERS = new Set(["toBe", "toEqual", "toStrictEqual"]);
+// module/settings flag names (settings.TESTING = true, config.TEST_MODE = true).
+const MODULE_TEST_MODE_RE = /^(TESTING|TEST_MODE|IS_TEST|UNDER_TEST|_TESTING)$/;
+const TEST_MODE_TRUE_STRINGS = new Set(["1", "true", "test", "yes", "on"]);
 // --- name helpers ----------------------------------------------------------
 function calleeName(expr) {
     if (ts.isIdentifier(expr))
@@ -119,35 +118,6 @@ function isStringify(e) {
     }
     return false;
 }
-const CONDITIONAL_ANCESTORS = new Set([
-    ts.SyntaxKind.IfStatement, ts.SyntaxKind.ForStatement, ts.SyntaxKind.ForOfStatement,
-    ts.SyntaxKind.ForInStatement, ts.SyntaxKind.WhileStatement, ts.SyntaxKind.DoStatement,
-    ts.SyntaxKind.SwitchStatement, ts.SyntaxKind.CatchClause, ts.SyntaxKind.ConditionalExpression,
-]);
-/** True if the function has at least one assertion and every one of them sits under a
- *  conditional (if/for/while/switch/catch/?:) — so none runs unconditionally (C21). */
-function assertionsAllConditional(fn) {
-    const asserts = [];
-    const walk = (n) => { if (isAssertionNode(n))
-        asserts.push(n); ts.forEachChild(n, walk); };
-    ts.forEachChild(fn, walk);
-    if (asserts.length === 0)
-        return false;
-    for (const a of asserts) {
-        let p = a.parent;
-        let conditional = false;
-        while (p && p !== fn) {
-            if (CONDITIONAL_ANCESTORS.has(p.kind)) {
-                conditional = true;
-                break;
-            }
-            p = p.parent;
-        }
-        if (!conditional)
-            return false;
-    }
-    return true;
-}
 function containsCall(node) {
     let found = false;
     const walk = (n) => {
@@ -181,18 +151,33 @@ function expectChain(call) {
     }
     return null;
 }
-/** True if a call's result is observed: awaited, returned, assigned, or the
- *  implicit-return body of an arrow. A bare floating call (its enclosing
- *  statement is a plain ExpressionStatement) is NOT observed. Used to gate
- *  supertest `.expect()` so a floating API request still surfaces as C2b. */
+/** True if a call's result is observed: awaited, returned, assigned, the
+ *  implicit-return body of an arrow, or explicitly discarded with `void` (an
+ *  author signalling "I am dropping this on purpose"). A bare floating call (its
+ *  enclosing statement is a plain ExpressionStatement) is NOT observed. Used to
+ *  gate supertest `.expect()` so a floating API request still surfaces as C2b,
+ *  and JS5 so a dropped async query/event still surfaces. */
 function isObservedAsync(node) {
     let cur = node;
     let p = node.parent;
     while (p) {
         if (ts.isAwaitExpression(p) || ts.isReturnStatement(p))
             return true;
-        if (ts.isVariableDeclaration(p) || ts.isBinaryExpression(p))
+        if (ts.isVariableDeclaration(p))
             return true;
+        // A BinaryExpression only observes the call when it is a real assignment
+        // (`=` or a compound `+=` etc., kinds in FirstAssignment..LastAssignment) and
+        // the call is the right-hand side. A logical/comparison/arithmetic operator
+        // (`||`, `&&`, `===`, `+`, ...) does NOT observe it: `findBy*() || expect(...)`
+        // still floats the promise and must surface as JS5.
+        if (ts.isBinaryExpression(p)) {
+            const k = p.operatorToken.kind;
+            const isAssign = k >= ts.SyntaxKind.FirstAssignment && k <= ts.SyntaxKind.LastAssignment;
+            if (isAssign && p.right === cur)
+                return true;
+        }
+        if (ts.isVoidExpression(p))
+            return true; // `void expr` — discarded on purpose
         if (ts.isArrowFunction(p) && p.body === cur)
             return true;
         if (ts.isExpressionStatement(p))
@@ -260,6 +245,54 @@ function hasAssertion(scope) {
 function containsAssertion(node) {
     return isAssertionNode(node) || hasAssertion(node);
 }
+/** Visit descendants of `node` without entering nested function scopes (a helper
+ *  def/arrow/method in the test body is its own scope, not the test's). */
+function forEachNoNesting(node, visit) {
+    ts.forEachChild(node, (child) => {
+        visit(child);
+        if (!ts.isFunctionLike(child))
+            forEachNoNesting(child, visit);
+    });
+}
+/** The env key of a `process.env.KEY = ...` / `process.env["KEY"] = ...` target, else null. */
+function envAssignKey(lhs) {
+    const isProcessEnv = (e) => ts.isPropertyAccessExpression(e) && e.name.text === "env" &&
+        ts.isIdentifier(e.expression) && e.expression.text === "process";
+    if (ts.isPropertyAccessExpression(lhs) && isProcessEnv(lhs.expression))
+        return lhs.name.text;
+    if (ts.isElementAccessExpression(lhs) && isProcessEnv(lhs.expression) &&
+        ts.isStringLiteralLike(lhs.argumentExpression))
+        return lhs.argumentExpression.text;
+    return null;
+}
+/** A value that puts a test-mode flag into test mode. NODE_ENV only counts as "test";
+ *  every other key takes true/1/"1"/"true"/"test"/"yes"/"on". */
+function isTestModeValue(rhs, key) {
+    if (key === "NODE_ENV")
+        return ts.isStringLiteralLike(rhs) && rhs.text === "test";
+    if (rhs.kind === ts.SyntaxKind.TrueKeyword)
+        return true;
+    if (ts.isNumericLiteral(rhs))
+        return rhs.text === "1";
+    if (ts.isStringLiteralLike(rhs))
+        return TEST_MODE_TRUE_STRINGS.has(rhs.text.trim().toLowerCase());
+    return false;
+}
+/** True if `bin` is a raw write that flips a known test-mode toggle into test mode:
+ *  process.env.<KEY> = <test value>, or <obj>.TESTING = <truthy> (obj not `this`). */
+function isTestModeToggleWrite(bin) {
+    if (bin.operatorToken.kind !== ts.SyntaxKind.EqualsToken)
+        return false;
+    const lhs = bin.left;
+    const envKey = envAssignKey(lhs);
+    if (envKey && ENV_TEST_MODE_KEYS.has(envKey) && isTestModeValue(bin.right, envKey))
+        return true;
+    if (ts.isPropertyAccessExpression(lhs) && MODULE_TEST_MODE_RE.test(lhs.name.text) &&
+        lhs.expression.kind !== ts.SyntaxKind.ThisKeyword &&
+        isTestModeValue(bin.right, lhs.name.text))
+        return true;
+    return false;
+}
 /** True if a catch block does nothing meaningful: empty, or only console.* /
  *  comments, with no throw, no assertion, and no fail() — so it swallows errors. */
 function isHarmlessCatch(block) {
@@ -302,27 +335,137 @@ function getTestCallback(call) {
     }
     return null;
 }
-// --- JS5: async query/event not awaited (Testing Library) ------------------
-const ASYNC_AWAIT_LEAVES = new Set(["waitFor", "waitForElementToBeRemoved"]);
-// Vue/Svelte async test helpers that return a promise and must be awaited.
-const VUE_SVELTE_ASYNC = new Set(["flushPromises", "nextTick", "$nextTick", "tick"]);
-function isAsyncQueryCall(name) {
-    const parts = name.split(".");
-    const root = parts[0];
-    const leaf = parts[parts.length - 1];
-    if (root === "userEvent")
+/** The function body that encloses `node` for timer-flush scoping: the nearest
+ *  ancestor arrow/function that is the callback of an it/test/specify call (so a
+ *  flush in one test never reaches a timer in another), falling back to the
+ *  nearest enclosing function, then the whole source file. */
+function enclosingTestScope(node) {
+    let fallback = null;
+    let p = node.parent;
+    while (p) {
+        if (ts.isArrowFunction(p) || ts.isFunctionExpression(p) || ts.isFunctionDeclaration(p)) {
+            if (!fallback)
+                fallback = p;
+            const call = p.parent;
+            if (call && ts.isCallExpression(call) && call.arguments.includes(p)) {
+                const root = calleeName(call.expression).split(".")[0];
+                if (TEST_BLOCK_ROOTS.has(root) || root === "fit" || root === "xit")
+                    return p;
+            }
+        }
+        p = p.parent;
+    }
+    return fallback ?? node.getSourceFile();
+}
+const FAKE_TIMER_INSTALL = /\b(useFakeTimers|installFakeTimers)\b/;
+const FAKE_TIMER_FLUSH = /\b(runAllTimers|runOnlyPendingTimers|advanceTimersByTime|tick)\b/;
+const SETUP_HOOKS = new Set(["beforeEach", "beforeAll"]);
+const TEARDOWN_HOOKS = new Set(["afterEach", "afterAll"]);
+/** True if any call under `scope` matches `re`. */
+function callMatchesUnder(scope, sf, re) {
+    let found = false;
+    const walk = (n) => {
+        if (found)
+            return;
+        if (ts.isCallExpression(n) && re.test(calleeName(n.expression))) {
+            found = true;
+            return;
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(scope);
+    return found;
+}
+/** Scan one statement list for a lifecycle hook that drives the timer: a
+ *  fake-timer install in a beforeEach/beforeAll runs before every test in scope,
+ *  a flush/advance in an afterEach/afterAll runs after. Order inside the hook does
+ *  not matter — the runner sequences the hook around the test body. */
+function hookStatementsControlTimer(statements, sf) {
+    for (const stmt of statements) {
+        if (!ts.isExpressionStatement(stmt) || !ts.isCallExpression(stmt.expression))
+            continue;
+        const hook = calleeName(stmt.expression.expression).split(".")[0];
+        const cb = getTestCallback(stmt.expression);
+        if (!cb)
+            continue;
+        if (SETUP_HOOKS.has(hook) && callMatchesUnder(cb, sf, FAKE_TIMER_INSTALL))
+            return true;
+        if (TEARDOWN_HOOKS.has(hook) && callMatchesUnder(cb, sf, FAKE_TIMER_FLUSH))
+            return true;
+    }
+    return false;
+}
+/** A timer can be driven from a sibling lifecycle hook rather than the test body.
+ *  Top-level hooks (outside any describe) wrap every test in the file, and hooks
+ *  in any enclosing describe/suite wrap every test nested under it. Check both. */
+function hookControlsTimer(timer, sf) {
+    // Top-level hooks live directly in the source file and apply to every test.
+    if (hookStatementsControlTimer(sf.statements, sf))
         return true;
-    if (leaf.startsWith("findBy") || leaf.startsWith("findAllBy"))
+    let p = timer.parent;
+    while (p) {
+        // The body of an enclosing describe/suite callback: scan its top-level hook calls.
+        if ((ts.isArrowFunction(p) || ts.isFunctionExpression(p) || ts.isFunctionDeclaration(p)) &&
+            p.parent && ts.isCallExpression(p.parent) &&
+            p.parent.arguments.includes(p)) {
+            const suiteRoot = calleeName(p.parent.expression).split(".")[0];
+            if (SUITE_ROOTS.has(suiteRoot) && p.body && ts.isBlock(p.body)) {
+                if (hookStatementsControlTimer(p.body.statements, sf))
+                    return true;
+            }
+        }
+        p = p.parent;
+    }
+    return false;
+}
+/** Precise replacement for the old file-wide fake-timer suppression. A
+ *  setTimeout/setInterval is "controlled" when, inside the same enclosing test
+ *  callback, either a fake-timer install runs BEFORE it or a flush/advance call
+ *  runs AFTER it; OR when an enclosing describe drives the timer through a sibling
+ *  hook (install in beforeEach/beforeAll, flush in afterEach/afterAll). A flush
+ *  before the arm (callback never ran) or a flush in a different test does not
+ *  count. */
+function timerIsControlled(timer, sf) {
+    const scope = enclosingTestScope(timer);
+    const armPos = timer.getStart(sf);
+    let controlled = false;
+    const walk = (n) => {
+        if (controlled)
+            return;
+        if (ts.isCallExpression(n)) {
+            const name = calleeName(n.expression);
+            const pos = n.getStart(sf);
+            if (FAKE_TIMER_INSTALL.test(name) && pos < armPos) {
+                controlled = true;
+                return;
+            }
+            if (FAKE_TIMER_FLUSH.test(name) && pos > armPos) {
+                controlled = true;
+                return;
+            }
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(scope);
+    if (controlled)
         return true;
-    return ASYNC_AWAIT_LEAVES.has(leaf);
+    return hookControlsTimer(timer, sf);
 }
 // --- C16: nondeterminism ----------------------------------------------------
 function c16Detail(call) {
     const name = calleeName(call.expression);
+    const leaf = name.split(".").pop() ?? "";
     if (name === "Math.random")
         return "Math.random() without a fixed seed";
     if (name === "Date.now" || name === "performance.now")
         return "reads the system clock";
+    // crypto.randomUUID() / crypto.getRandomValues() (incl. globalThis/window/self.crypto and
+    // the bare node:crypto import) produce a fresh random value each run with no seed. Anchored
+    // to a crypto root so a user method named randomUUID()/getRandomValues() is NOT flagged.
+    const isCryptoRandom = (m) => name === "crypto." + m || name.endsWith(".crypto." + m) || name === m;
+    if (isCryptoRandom("randomUUID") || isCryptoRandom("getRandomValues")) {
+        return "crypto randomness without a seed";
+    }
     if (name === "setTimeout" || name === "setInterval") {
         if (call.arguments.length >= 2 && ts.isNumericLiteral(call.arguments[1])) {
             return "fixed timer delay";
@@ -337,7 +480,12 @@ export function analyze(sf) {
     const findings = [];
     const file = sf.fileName;
     const text = sf.getFullText();
-    const fakeTimers = /\b(useFakeTimers)\b/.test(text);
+    // Fake-timer / flush presence suppresses the JS7 timer arm: if the test fakes
+    // or drives timers anywhere, a setTimeout/setInterval callback is flushed
+    // synchronously and its assertion does run. Covers Jest, Vitest and Sinon
+    // install calls plus the explicit advance/run calls (jest/vi runAllTimers,
+    // runOnlyPendingTimers, advanceTimersByTime, sinon clock.tick).
+    const fakeTimers = /\b(useFakeTimers|installFakeTimers|runAllTimers|runOnlyPendingTimers|advanceTimersByTime|tick)\b/.test(text);
     const push = (line, code, detail = "") => {
         findings.push(makeFinding(file, line, code, detail));
     };
@@ -380,8 +528,7 @@ export function analyze(sf) {
             // test-level block body checks (C2, C2b, JS3). Only `it`/`test`/`specify`
             // (and the focus/skip variants) — never `describe`/`suite`, whose body holds
             // nested tests, not assertions.
-            const isTestBlock = TEST_BLOCK_ROOTS.has(root) || root === "fit" || root === "xit" ||
-                ((TEST_BLOCK_ROOTS.has(root)) && (modifier === "only" || modifier === "skip" || modifier === "each"));
+            const isTestBlock = TEST_BLOCK_ROOTS.has(root) || root === "fit" || root === "xit";
             if (isTestBlock) {
                 const cb = getTestCallback(node);
                 // JS18: the test takes a `done` callback instead of async/await. A done
@@ -396,14 +543,31 @@ export function analyze(sf) {
                 if (cb && cb.body && ts.isBlock(cb.body)) {
                     const stmts = cb.body.statements;
                     const line = lineOf(sf, node);
-                    // C20: an assertion after a return/throw in the test body is dead code
-                    let terminated = false;
-                    for (const st of stmts) {
-                        if (terminated && containsAssertion(st)) {
-                            push(lineOf(sf, st), "C20", "assertion after a return/throw never runs");
+                    // C20: an assertion at a position control can never reach (after a
+                    // return/throw/process.exit/break, both-arms-terminating if, exhaustive
+                    // switch). Structured reachability over the whole body, not just the top
+                    // level; stops at nested functions (their returns are their own).
+                    const deadAsserts = assertionsInDeadCode(cb.body, isAssertionNode);
+                    for (const a of deadAsserts) {
+                        push(lineOf(sf, a), "C20", "assertion in unreachable code (after a return/throw/exit) never runs");
+                    }
+                    const deadAssertSet = new Set(deadAsserts);
+                    // C48: dark patch — the test flips a known test-mode flag (process.env or a
+                    // module/settings flag) into test mode and then asserts, exercising the
+                    // product's test-only branch instead of real behaviour. v1: raw writes only.
+                    const toggles = [];
+                    const assertPositions = [];
+                    forEachNoNesting(cb.body, (n) => {
+                        if (ts.isBinaryExpression(n) && isTestModeToggleWrite(n)) {
+                            toggles.push({ pos: n.getStart(sf), line: lineOf(sf, n) });
+                        }
+                        if (isAssertionNode(n))
+                            assertPositions.push(n.getStart(sf));
+                    });
+                    for (const w of toggles) {
+                        if (assertPositions.some((ap) => ap > w.pos)) {
+                            push(w.line, "C48", "test sets a test-mode flag then asserts — drive real behaviour, not the test-only branch");
                         }
-                        if (ts.isReturnStatement(st) || ts.isThrowStatement(st))
-                            terminated = true;
                     }
                     if (stmts.length === 0) {
                         push(line, "C2", "test body is empty");
@@ -416,7 +580,19 @@ export function analyze(sf) {
                         if (ms.length > 0 && ms.every((m) => SNAPSHOT_MATCHERS.has(m))) {
                             push(line, "JS3", "the only assertion is a snapshot");
                         }
-                        if (assertionsAllConditional(cb)) {
+                        // C21: the test has at least one assertion in its own scope and none of
+                        // them is guaranteed to run unconditionally (all behind a condition, a
+                        // loop, a switch, or a catch). Assertions that live only inside a nested
+                        // callback are not counted here (unmodeled execution → suppress, FP-averse).
+                        // Assertions already flagged C20 (dead code) are excluded: C20 owns them, so
+                        // a dead-code-only test reports C20 alone, not a contradictory C20 + C21 (#62).
+                        const ownAsserts = [];
+                        forEachNoNesting(cb.body, (n) => {
+                            if (isAssertionNode(n) && !deadAssertSet.has(n))
+                                ownAsserts.push(n);
+                        });
+                        if (ownAsserts.length > 0 &&
+                            !hasUnconditionalAssertion(cb.body, isAssertionNode, literalTruthiness, deadAssertSet)) {
                             push(line, "C21", "every assertion is guarded by a condition");
                         }
                     }
@@ -460,7 +636,7 @@ export function analyze(sf) {
                 }
             }
             // JS6: empty describe/suite block
-            if (SUITE_ROOTS.has(root) || (SUITE_ROOTS.has(root) && (modifier === "only" || modifier === "skip"))) {
+            if (SUITE_ROOTS.has(root)) {
                 const cb = getTestCallback(node);
                 if (cb && cb.body && ts.isBlock(cb.body) && cb.body.statements.length === 0) {
                     push(lineOf(sf, node), "JS6", "suite body is empty");
@@ -507,6 +683,21 @@ export function analyze(sf) {
                 if (subjIsComparison && boolMatcher) {
                     push(lineOf(sf, node), "JS15", "comparison wrapped in a boolean; assert the values directly");
                 }
+                // C44 numeric tautology: `expect(x.length).toBeGreaterThanOrEqual(0)`.
+                // A `.length` is never negative and never NaN, so `>= 0` holds for every
+                // input and verifies nothing — the JS/TS mirror of the Python `len(x) >= 0`.
+                // The subject must be a DIRECT property access ending in `.length`: a derived
+                // expression that merely mentions `.length` (e.g. `a.length - b.length`) can
+                // be negative, so it is a real check and is not flagged. Bounds that can still
+                // fail (`>= 1`, `> 0`) are not tautologies either. Finiteness/NaN guards
+                // (`toBeLessThan(Infinity)`, `toBeGreaterThan(-Infinity)`) are intentionally
+                // NOT flagged: they are false for NaN (and `Infinity`), so they catch
+                // divide-by-zero and invalid-number bugs.
+                if (chain.matcher === "toBeGreaterThanOrEqual" &&
+                    arg && ts.isNumericLiteral(arg) && Number(arg.text) === 0 &&
+                    subj && ts.isPropertyAccessExpression(subj) && subj.name.text === "length") {
+                    push(lineOf(sf, node), "C44", "length is never negative; this comparison is always true");
+                }
                 // D8 (diagnostic, opt-in): a magic integer literal as the expected value.
                 // Floats are C8's concern; D8 covers bare integers abs > 1.
                 if ((chain.matcher === "toBe" || chain.matcher === "toEqual" || chain.matcher === "toStrictEqual") &&
@@ -576,18 +767,33 @@ export function analyze(sf) {
                     push(lineOf(sf, node), "C23", "hard-coded URL (mystery guest)");
                 }
             }
-            // JS5: async query/event used without await. Testing Library (findBy*/waitFor/
-            // user-event) plus Vue/Svelte async helpers (flushPromises/nextTick/tick) in
-            // their promise form (no callback arg) used as a bare, non-awaited statement.
-            if (isAsyncQueryCall(name) && ts.isExpressionStatement(node.parent)) {
-                push(lineOf(sf, node), "JS5", `${name} is not awaited`);
-            }
-            else if (ts.isExpressionStatement(node.parent) && node.arguments.length === 0 &&
-                VUE_SVELTE_ASYNC.has(name.split(".").pop() ?? "")) {
-                const leaf = name.split(".").pop();
-                push(lineOf(sf, node), "JS5", `${leaf}() is not awaited`);
+            // JS5: async query/event whose settled state is dropped. Detection runs
+            // through the oracle registry: a `promise` or `value-only` call (Testing
+            // Library findBy*/waitFor*, user-event, Vue/Svelte flushPromises/nextTick/
+            // tick) that is not awaited, returned, assigned, or `void`-discarded leaves
+            // the following assertion reading a stale moment. The Vue/Svelte helpers are
+            // only their promise form when called with no callback argument; nextTick(cb)
+            // is the callback form and settles on its own.
+            {
+                const kind = oracleKind(name);
+                const leaf = name.split(".").pop() ?? "";
+                const isVueSvelte = VUE_SVELTE_ASYNC.has(leaf);
+                const promiseForm = !isVueSvelte || node.arguments.length === 0;
+                if ((kind === "promise" || kind === "value-only") && promiseForm && !isObservedAsync(node)) {
+                    push(lineOf(sf, node), "JS5", isVueSvelte ? `${leaf}() is not awaited` : `${name} is not awaited`);
+                }
             }
-            // JS7: assertion inside a non-awaited setTimeout/setInterval/then callback
+            // JS7: a deferred assertion. One code, two mechanisms tagged in `detail`:
+            //   timer arm   — assertion in a setTimeout/setInterval callback that is
+            //                 never flushed. Suppression is precise (timerIsControlled):
+            //                 scoped to the enclosing it/test callback and order-aware —
+            //                 a fake-timer install BEFORE the arm, or a flush/advance
+            //                 AFTER it, in the same callback. A flush before the arm
+            //                 (callback never ran) or a flush in a different test does
+            //                 not count, so it still runs after the test reports green.
+            //   promise arm — assertion in a floating .then/.catch/.finally (the call
+            //                 is a bare statement, not awaited/returned/chained), so it
+            //                 may not run before the test ends.
             {
                 const leaf = name.split(".").pop() ?? "";
                 const isTimer = name === "setTimeout" || name === "setInterval";
@@ -596,11 +802,11 @@ export function analyze(sf) {
                     const cb = node.arguments.find((a) => ts.isArrowFunction(a) || ts.isFunctionExpression(a));
                     if (cb && containsAssertion(cb)) {
                         const awaitedOrChained = !ts.isExpressionStatement(node.parent);
-                        if (isTimer && !fakeTimers) {
-                            push(lineOf(sf, node), "JS7", `assertion inside a non-awaited ${name}() callback`);
+                        if (isTimer && !timerIsControlled(node, sf)) {
+                            push(lineOf(sf, node), "JS7", `assertion deferred into ${name}; runs after the test ends`);
                         }
                         else if (isThen && !awaitedOrChained) {
-                            push(lineOf(sf, node), "JS7", `assertion inside a non-awaited .${leaf}() callback`);
+                            push(lineOf(sf, node), "JS7", `assertion deferred into a floating .${leaf}(); may not run before the test ends`);
                         }
                     }
                 }
@@ -681,6 +887,16 @@ export function analyze(sf) {
             expectRooted(node.expression)) {
             push(lineOf(sf, node), "JS21", `${node.name.text} is referenced but never called`);
         }
+        // C16: `new Date()` with no argument reads the system clock (nondeterministic).
+        // `new Date(literal)` / `new Date(expr)` constructs a fixed instant, so it stays
+        // clean; the file-wide fake-timer suppression applies here too.
+        if (!fakeTimers &&
+            ts.isNewExpression(node) &&
+            ts.isIdentifier(node.expression) &&
+            node.expression.text === "Date" &&
+            (node.arguments === undefined || node.arguments.length === 0)) {
+            push(lineOf(sf, node), "C16", "new Date() reads the system clock");
+        }
         ts.forEachChild(node, visit);
     };
     visit(sf);

package/dist/types.js

@@ -1,11 +1,11 @@
-import { CASES } from "./cases.js";
+import { baseConfidence, CASES } from "./cases.js";
 export function makeFinding(file, line, code, detail = "", confidence) {
     return {
         file,
         line,
         code,
         detail,
-        confidence: confidence ?? CASES[code].confidence,
+        confidence: confidence ?? baseConfidence(code),
         title: CASES[code].title,
         level: "unit",
     };

package/package.json

@@ -1,24 +1,47 @@
 {
   "name": "falsegreen-js",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Find JavaScript/TypeScript unit tests that give false positives: green tests that protect nothing, and tests that pass while asserting the wrong thing. Deterministic AST scanner, sibling of falsegreen (Python).",
   "keywords": [
-    "jest", "vitest", "mocha", "testing", "test-smells", "false-positive",
-    "static-analysis", "typescript", "javascript", "tsx", "jsx", "code-quality",
+    "jest",
+    "vitest",
+    "mocha",
+    "testing",
+    "test-smells",
+    "false-positive",
+    "static-analysis",
+    "typescript",
+    "javascript",
+    "tsx",
+    "jsx",
+    "code-quality",
     "ai-generated-tests"
   ],
   "license": "MIT",
   "author": "Vinicius Queiroz",
   "type": "module",
-  "engines": { "node": ">=18" },
-  "bin": { "falsegreen-js": "dist/cli.js" },
+  "engines": {
+    "node": ">=18"
+  },
+  "bin": {
+    "falsegreen-js": "dist/cli.js"
+  },
   "main": "dist/scan.js",
   "types": "dist/scan.d.ts",
   "exports": {
-    ".": { "types": "./dist/scan.d.ts", "import": "./dist/scan.js" }
+    ".": {
+      "types": "./dist/scan.d.ts",
+      "import": "./dist/scan.js"
+    }
   },
-  "publishConfig": { "access": "public" },
-  "files": ["dist", "CHANGELOG.md", "CREDITS.md"],
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist",
+    "CHANGELOG.md",
+    "CREDITS.md"
+  ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
     "test": "vitest run",
@@ -37,5 +60,7 @@
     "url": "https://github.com/vinicq/falsegreen-js.git"
   },
   "homepage": "https://github.com/vinicq/falsegreen-js#readme",
-  "bugs": { "url": "https://github.com/vinicq/falsegreen-js/issues" }
+  "bugs": {
+    "url": "https://github.com/vinicq/falsegreen-js/issues"
+  }
 }