falsegreen-js 0.4.0 → 0.5.0

package/CHANGELOG.md

@@ -6,6 +6,51 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-06-28
+
+### Added
+- `JS23` (high, J1): `expect.assertions(N)` with a numeric `N` higher than the unconditional,
+  reachable, non-nested `expect()` calls that can run. The guard can never be met, so the test
+  passes without ever exercising the count it claims. Fires only when `N` is a numeric literal
+  and the shortfall is provable: an `expect` in a loop, a branch, a `.then`/callback, or a
+  helper makes the count indeterminate and suppresses the finding. `expect.hasAssertions()`
+  carries no count and is skipped. This is the implemented sibling of the still-skipped JS16.
+- `JS24` (low, J4): a Cypress query chain (`cy.get`/`cy.find`/`cy.contains`) used as a statement
+  with no terminating `.should`/`.and` and no `expect` inside a `.then` callback. The query
+  produces a subject that is never asserted, the cy.* analogue of JS13. Action commands
+  (`click`/`type`/`visit`/...) do work rather than just query, so a chain ending in one stays
+  clean, as does a chain that ends in `.should`/`.and` or asserts in `.then`.
+- CLI `--enable <codes>` (and `--enable=...`): re-activates listed off or opt-in codes at their
+  catalog severity, flipping a default-off code on. It cannot raise a code above catalog
+  severity. `--disable` wins over `--enable`, so a code passed to both stays off.
+- `examples/` tree (#47): a worked sample for every emitted code, a BAD test the scanner flags
+  paired with a CLEAN look-alike one token away that it leaves alone. Files are grouped by
+  RiskGroup (`effectiveness`, `execution`, `nondeterminism`, `dependency`), with `cypress.cy.ts`
+  for the Cypress code and `diagnostics.test.ts` for the opt-in maintainability group. C16 keeps
+  a separate frozen-clock file because the fake-timer signal is file-wide. `vitest.config.ts`
+  excludes `examples/**` from collection, and `test/examples.test.ts` scans each file with
+  `analyze(parse(...))` to assert every code fires in its file, with a drift guard that fails if a
+  new default-on code lands without an example. The config-audit-only PL series scans Jest/Vitest
+  config rather than a test file, so it has no test-file example.
+
+### Changed
+- `JS8` now also catches the `jest.spyOn`/`vi.spyOn` form: a spy with a canned return
+  (`mockReturnValue`/`mockResolvedValue`/`mockImplementation`) whose spied target root is also an
+  `expect` subject. The test asserts the canned value, not real behaviour. Conservative
+  same-binding guard: spying a collaborator (a different object) stays clean, and asserting on
+  the spy handle itself (`expect(spy).toHaveBeenCalled()`) is not treated as the subject.
+- `JS3` gains a distinct detail when the snapshot is an empty inline baseline:
+  `toMatchInlineSnapshot()` with no argument, or an empty or whitespace-only string baseline,
+  passes by writing itself on the first run. A populated inline snapshot keeps the existing
+  detail; the snapshot-only detection logic is unchanged.
+
+### Docs
+- `CONTRIBUTING.md` documents the FP-boundary decisions that previously lived only in
+  source comments: the admission criteria for a new code (statically provable, FP-guarded,
+  ships with a CLEAN look-alike one token from the BAD, carries a catalog entry, clears the
+  panel and principal-reviewer gate) and the standing per-code rules for C44, C6, JS5, C16,
+  JS23, JS24, and JS8 (#51).
+
 ## [0.4.0] - 2026-06-28
 
 ### Fixed
@@ -176,7 +221,8 @@ All notable changes to this project are documented here. The format is based on
 - pre-commit hook (`.pre-commit-hooks.yaml`), CI matrix (Node 18/20/22), and an npm
   trusted-publishing release workflow.
 
-[Unreleased]: https://github.com/vinicq/falsegreen-js/compare/v0.4.0...HEAD
+[Unreleased]: https://github.com/vinicq/falsegreen-js/compare/v0.5.0...HEAD
+[0.5.0]: https://github.com/vinicq/falsegreen-js/compare/v0.4.0...v0.5.0
 [0.4.0]: https://github.com/vinicq/falsegreen-js/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/vinicq/falsegreen-js/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/vinicq/falsegreen-js/compare/v0.1.0...v0.2.0

package/README.md

@@ -15,7 +15,14 @@ AST scan, no code execution. Sibling of [`falsegreen`](https://github.com/vinicq
 
 Covers `.js`, `.jsx`, `.ts`, `.tsx`, `.mjs`, `.cjs`, `.mts`, `.cts`.
 
-**The falsegreen family:** [falsegreen](https://github.com/vinicq/falsegreen) (Python/pytest) · **falsegreen-js** (JS/TS) · [robotframework-falsegreen](https://github.com/vinicq/robotframework-falsegreen) (Robot Framework) · [falsegreen-skill](https://github.com/vinicq/falsegreen-skill) (semantic LLM pass).
+**The falsegreen family** (install the one for your stack):
+
+| Tool | Stack | Install | Package |
+|---|---|---|---|
+| [falsegreen](https://github.com/vinicq/falsegreen) | Python / pytest | `pip install falsegreen` | [PyPI](https://pypi.org/project/falsegreen/) |
+| **falsegreen-js** | JS / TS | `npm i -D falsegreen-js` (`npx falsegreen-js`) | [npm](https://www.npmjs.com/package/falsegreen-js) |
+| [robotframework-falsegreen](https://github.com/vinicq/robotframework-falsegreen) | Robot Framework | `pip install robotframework-falsegreen` | [PyPI](https://pypi.org/project/robotframework-falsegreen/) |
+| [falsegreen-skill](https://github.com/vinicq/falsegreen-skill) | semantic LLM pass | `npx falsegreen-skill analyze <path>` | [npm](https://www.npmjs.com/package/falsegreen-skill) |
 
 ## Why
 
@@ -44,6 +51,7 @@ npx falsegreen-js --output report.json   # write to a file
 npx falsegreen-js --output .falsegreen/  # write report.<ext> into a directory
 npx falsegreen-js --config-audit  # audit Jest/Vitest config (project-layer PL codes)
 npx falsegreen-js --disable C7,JS3
+npx falsegreen-js --enable D8,M2   # re-activate off/opt-in codes at catalog severity
 ```
 
 Each finding is reported with its pyramid level (unit / integration / e2e, read from the file's imports) and a one-line fix hint, and the summary breaks the findings down by level and lists the most common fixes. `--output` takes a file or a directory: an extension-less or trailing-slash path (e.g. `.falsegreen/`) receives `report.<ext>` for the chosen format. Reports are run artifacts; keep the output directory gitignored.
@@ -152,6 +160,8 @@ line up in the research. `JS*` codes are ecosystem-specific.
 | JS18 | low | test takes a `done` callback instead of async/await — a mistimed `done` passes early |
 | JS21 | high | matcher referenced but never called (`expect(x).toBe` with no `()`) — the assertion never runs |
 | JS22 | high | empty `it.each`/`test.each` table — generated with zero cases, never runs |
+| JS23 | high | `expect.assertions(N)` with fewer unconditional `expect()` calls than N — the guard can never be met |
+| JS24 | low  | Cypress query (`cy.get`/`cy.find`/`cy.contains`) as a loose statement with no terminating `.should`/`.and` and no `expect` in `.then` — its result is never asserted |
 
 Each code carries a judgment tag (J1-J6) shared with the
 [falsegreen-skill](https://github.com/vinicq/falsegreen-skill) semantic framework.
@@ -186,8 +196,11 @@ Some catalog codes were reviewed and left out, on purpose:
 - **JS20** (a Promise compared without `resolves`/`rejects`): telling that a value is a
   Promise needs type information the AST does not carry, so it would be too noisy.
 - **JS12** (a floating promise whose `expect` is never returned): already covered by JS7.
-- **JS16** (`async` test with no `expect.assertions(n)`): the absence of a guard is not a
-  smell on its own; flagging it would fire on most async tests.
+- **JS16** (`async` test with no `expect.assertions(n)`): the *absence* of a guard is not a
+  smell on its own; flagging it would fire on most async tests. The implemented sibling is
+  `JS23`, which fires on a present-but-unsatisfiable guard: `expect.assertions(N)` with a
+  numeric `N` higher than the unconditional `expect()` calls that can run, so the count can
+  never be met.
 - **JS14** (a giant inline snapshot): a readability and review-noise concern, not a
   false-green one. The snapshot still protects, so it belongs to the diagnostic group and is
   better served by `eslint-plugin-jest` (`no-large-snapshots`) as an opt-in lint rule.
@@ -226,7 +239,7 @@ Optional. `falsegreen.json`, `.falsegreenrc.json`, or a `"falsegreen"` key in
 }
 ```
 
-Precedence: CLI `--disable` > config `disable`/`severity` > catalog default.
+Precedence: CLI `--disable` > CLI `--enable` > config `disable`/`severity` > catalog default. `--enable <codes>` re-activates listed off or opt-in codes at their catalog severity (it flips a default-off code on; it cannot raise a code above catalog). A code passed to both `--enable` and `--disable` stays off — `--disable` wins.
 
 ## Scope and honesty
 

package/dist/cases.js

@@ -59,6 +59,8 @@ export const CASES = {
     JS18: { title: "test takes a done callback instead of async/await — a done called too early (or in a floating promise) passes before the assertions run", group: "execution", severity: "low", defaultOn: true, judgment: "J1" },
     JS21: { title: "matcher referenced but never called (expect(x).toBe with no ()) — the assertion never executes", group: "execution", severity: "high", defaultOn: true, judgment: "J1" },
     JS22: { title: "empty it.each/test.each table — the test is generated with zero cases and never runs", group: "execution", severity: "high", defaultOn: true, judgment: "J1" },
+    JS23: { title: "expect.assertions(N) with fewer unconditional expect() calls than N — the guard can never be met", group: "execution", severity: "high", defaultOn: true, judgment: "J1" },
+    JS24: { title: "Cypress query (cy.get/find/contains) with no terminating .should/.and and no expect in .then — its result is never asserted", group: "effectiveness", severity: "low", defaultOn: true, judgment: "J4" },
     // --- diagnostic group (maintainability; default off, opt-in via --diagnostics
     // or config severity). These are NOT false-green: the test still protects. They
     // are a "plus" for test-code health, mirroring falsegreen's D/M group. -------
@@ -155,6 +157,8 @@ export const FIX_HINTS = {
     JS18: "use async/await instead of the done callback",
     JS21: "call the matcher (add ()) so the assertion executes",
     JS22: "add at least one row to the it.each/test.each table",
+    JS23: "make the unconditional expect() count match expect.assertions(N), or remove the guard",
+    JS24: "end the cy query in .should()/.and(), or assert in .then()",
     D1: "give each assertion a message, or split the test",
     D3: "remove the duplicate assertion",
     D4: "add titled cases to it.each/test.each",

package/dist/cli.js

@@ -34,6 +34,7 @@ Usage:
   falsegreen-js --config-audit    audit Jest/Vitest config (project-layer PL codes)
   falsegreen-js --diagnostics     also report the opt-in maintainability group (D*/M*)
   falsegreen-js --disable C7,JS3  turn off specific codes
+  falsegreen-js --enable D8,M2    re-activate off/opt-in codes at catalog severity (--disable wins)
   falsegreen-js --version
   falsegreen-js --help
 
@@ -52,6 +53,7 @@ function parseArgs(argv) {
     let baseline;
     let writeBaselinePath;
     const disable = new Set();
+    const enable = new Set();
     // An optional-value flag (--baseline / --write-baseline) consumes the next
     // token only when it is a value, not another flag.
     const optionalValue = (next) => (next !== undefined && !next.startsWith("-")) ? next : undefined;
@@ -115,6 +117,14 @@ function parseArgs(argv) {
             a.slice("--disable=".length).split(",").map((s) => s.trim())
                 .filter(Boolean).forEach((c) => disable.add(c));
         }
+        else if (a === "--enable") {
+            const v = argv[++i] ?? "";
+            v.split(",").map((s) => s.trim()).filter(Boolean).forEach((c) => enable.add(c));
+        }
+        else if (a.startsWith("--enable=")) {
+            a.slice("--enable=".length).split(",").map((s) => s.trim())
+                .filter(Boolean).forEach((c) => enable.add(c));
+        }
         else if (a.startsWith("-")) {
             process.stderr.write(`falsegreen-js: unknown option ${a}\n`);
             process.exit(2);
@@ -124,7 +134,7 @@ function parseArgs(argv) {
     }
     const fmt = format ?? (json ? "json" : "text");
     return {
-        paths, fmt, staged, help, version, diagnostics, configAudit, disable,
+        paths, fmt, staged, help, version, diagnostics, configAudit, disable, enable,
         output, baseline, writeBaselinePath,
     };
 }
@@ -234,7 +244,9 @@ export function renderText(findings) {
 }
 function scan(opt) {
     const config = loadConfig();
-    const scanOpts = { config, cliDisable: opt.disable, diagnostics: opt.diagnostics };
+    const scanOpts = {
+        config, cliDisable: opt.disable, cliEnable: opt.enable, diagnostics: opt.diagnostics,
+    };
     if (opt.staged)
         return stagedFiles().flatMap((f) => scanFile(f, scanOpts));
     return scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);

package/dist/rules.js

@@ -78,6 +78,58 @@ function expectRooted(e) {
     }
     return false;
 }
+// --- JS24: Cypress query chain with no terminating assertion ---------------
+const CY_QUERY_COMMANDS = new Set(["get", "find", "contains"]);
+/** True if any `expect(...)` call appears under `scope` (any matcher form, or a
+ *  bare expect). Used to keep a cy chain clean when it asserts inside a .then. */
+function containsExpectCall(scope) {
+    let found = false;
+    const walk = (n) => {
+        if (found)
+            return;
+        if (ts.isCallExpression(n) && expectRooted(n)) {
+            found = true;
+            return;
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(scope);
+    return found;
+}
+/** True if a call chain rooted at `cy` ends in a query command (get/find/contains)
+ *  and carries no terminating `.should`/`.and` and no `expect(...)` inside a `.then`
+ *  callback — so it produces a subject that is never asserted. Action commands
+ *  (click/type/visit/...) as the outermost call do something, so they stay clean.
+ *  `expr` is the outermost call of the statement. */
+function isUnassertedCyQuery(expr) {
+    if (rootIdent(expr) !== "cy")
+        return false;
+    // outermost command must be a query, not an action (action does work, not just query)
+    if (!ts.isPropertyAccessExpression(expr.expression))
+        return false;
+    if (!CY_QUERY_COMMANDS.has(expr.expression.name.text))
+        return false;
+    // scan the whole chain for a terminating assertion: any .should/.and, or an
+    // expect(...) inside a .then(cb) callback. Either keeps it clean.
+    let cur = expr;
+    const visit = (n) => {
+        if (ts.isCallExpression(n) && ts.isPropertyAccessExpression(n.expression)) {
+            const m = n.expression.name.text;
+            if (m === "should" || m === "and")
+                return true;
+            if (m === "then") {
+                const cb = n.arguments.find((a) => ts.isArrowFunction(a) || ts.isFunctionExpression(a));
+                if (cb && containsExpectCall(cb))
+                    return true;
+            }
+        }
+        let asserted = false;
+        ts.forEachChild(n, (c) => { if (visit(c))
+            asserted = true; });
+        return asserted;
+    };
+    return !visit(cur);
+}
 function literalTruthiness(e) {
     if (!e)
         return null;
@@ -328,6 +380,139 @@ function matchersUnder(scope) {
     ts.forEachChild(scope, walk);
     return out;
 }
+/** True if any snapshot matcher under `scope` is an inline snapshot with no
+ *  baseline yet: `toMatchInlineSnapshot()` / `toThrowErrorMatchingInlineSnapshot()`
+ *  with no argument, or an empty/whitespace-only string-literal baseline. On the
+ *  first run the runner writes the snapshot from the output itself, so it passes
+ *  by construction. A populated inline snapshot has a real baseline and is not this. */
+function hasEmptyInlineSnapshot(scope) {
+    let found = false;
+    const walk = (n) => {
+        if (found)
+            return;
+        if (ts.isCallExpression(n)) {
+            const chain = expectChain(n);
+            if (chain && (chain.matcher === "toMatchInlineSnapshot" ||
+                chain.matcher === "toThrowErrorMatchingInlineSnapshot")) {
+                const a0 = chain.args[0];
+                if (a0 === undefined) {
+                    found = true;
+                    return;
+                }
+                if ((ts.isStringLiteral(a0) || ts.isNoSubstitutionTemplateLiteral(a0)) &&
+                    a0.text.trim() === "") {
+                    found = true;
+                    return;
+                }
+            }
+        }
+        ts.forEachChild(n, walk);
+    };
+    ts.forEachChild(scope, walk);
+    return found;
+}
+/** The numeric N of an `expect.assertions(N)` call (N a numeric literal), else
+ *  null. `expect.hasAssertions()` carries no count and is not this. */
+function expectAssertionsCount(call) {
+    if (calleeName(call.expression) !== "expect.assertions")
+        return null;
+    const a0 = call.arguments[0];
+    if (a0 && ts.isNumericLiteral(a0))
+        return Number(a0.text);
+    return null;
+}
+/** JS23 expect accounting. `unconditional` is the count of expect-chain matcher
+ *  calls guaranteed to run: a direct ExpressionStatement on the test body's spine
+ *  (optionally awaited). `indeterminate` is true when any other expect-chain call
+ *  exists in the body (in a loop, branch, try, switch, callback, .then, or an
+ *  expression operand) — its run count cannot be proven, so a shortfall is not
+ *  provable and JS23 must be suppressed (FP-averse: a false positive is worse than
+ *  a miss). Stops at nested functions only for the spine count, but the
+ *  indeterminate scan walks the whole body (a .then callback IS indeterminate). */
+function expectAccounting(body) {
+    const spine = new Set();
+    let unconditional = 0;
+    for (const st of body.statements) {
+        if (!ts.isExpressionStatement(st))
+            continue;
+        let e = st.expression;
+        if (ts.isAwaitExpression(e))
+            e = e.expression;
+        if (ts.isCallExpression(e) && expectChain(e)) {
+            unconditional++;
+            spine.add(e);
+        }
+    }
+    // Anything that is not the proven-unconditional expect spine makes the count
+    // indeterminate: an off-spine expect chain (loop/branch/.then/operand), or any
+    // other call — a helper or setup call may carry assertions the count cannot see.
+    // Do not descend into a spine chain (its inner expect()/matcher calls are
+    // accounted, not separate helpers).
+    let indeterminate = false;
+    const walk = (n) => {
+        if (indeterminate)
+            return;
+        if (spine.has(n))
+            return; // whole spine chain already counted
+        if (ts.isCallExpression(n)) {
+            const nm = calleeName(n.expression);
+            if (nm !== "expect.assertions" && nm !== "expect.hasAssertions") {
+                indeterminate = true;
+                return;
+            }
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(body);
+    return { unconditional, indeterminate };
+}
+/** JS8 (spyOn form): collect `{root -> line}` for every jest.spyOn/vi.spyOn target
+ *  whose return was canned (mockReturnValue/mockResolvedValue/mockRejectedValue/
+ *  mockImplementation) under `scope`. Test-local on purpose: a spyOn is hoisted only
+ *  within its own test body, unlike the module-wide jest.mock form. */
+function cannedSpyTargets(scope) {
+    const out = new Map();
+    const sf = scope.getSourceFile();
+    const walk = (n) => {
+        if (ts.isCallExpression(n) &&
+            /^(mockReturnValue|mockResolvedValue|mockRejectedValue|mockImplementation)$/.test(calleeName(n.expression).split(".").pop() ?? "")) {
+            let base = n.expression;
+            while (ts.isPropertyAccessExpression(base) || ts.isCallExpression(base)) {
+                if (ts.isCallExpression(base)) {
+                    const cn = calleeName(base.expression);
+                    if (cn === "jest.spyOn" || cn === "vi.spyOn") {
+                        const tr = base.arguments[0] && rootIdent(base.arguments[0]);
+                        if (tr)
+                            out.set(tr, lineOf(sf, n));
+                        break;
+                    }
+                }
+                base = ts.isCallExpression(base) ? base.expression
+                    : base.expression;
+            }
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(scope);
+    return out;
+}
+/** Root identifiers used as an expect subject under `scope` (`expect(a.b).m()` -> "a"). */
+function expectSubjectRoots(scope) {
+    const out = new Set();
+    const walk = (n) => {
+        if (ts.isCallExpression(n)) {
+            const chain = expectChain(n);
+            if (chain && chain.subject) {
+                const r = rootIdent(chain.subject);
+                if (r)
+                    out.add(r);
+            }
+        }
+        ts.forEachChild(n, walk);
+    };
+    walk(scope);
+    return out;
+}
 function getTestCallback(call) {
     for (const arg of call.arguments) {
         if (ts.isArrowFunction(arg) || ts.isFunctionExpression(arg))
@@ -578,7 +763,9 @@ export function analyze(sf) {
                     else if (hasAssertion(cb)) {
                         const ms = matchersUnder(cb);
                         if (ms.length > 0 && ms.every((m) => SNAPSHOT_MATCHERS.has(m))) {
-                            push(line, "JS3", "the only assertion is a snapshot");
+                            push(line, "JS3", hasEmptyInlineSnapshot(cb)
+                                ? "the only assertion is an empty inline snapshot — it passes by writing itself on first run"
+                                : "the only assertion is a snapshot");
                         }
                         // C21: the test has at least one assertion in its own scope and none of
                         // them is guaranteed to run unconditionally (all behind a condition, a
@@ -596,6 +783,42 @@ export function analyze(sf) {
                             push(line, "C21", "every assertion is guarded by a condition");
                         }
                     }
+                    // JS23: expect.assertions(N) with N a numeric literal, but fewer
+                    // unconditional reachable non-nested expect() matcher calls than N — the
+                    // guard can never be satisfied. FP-averse: any expect in a loop, branch,
+                    // callback, or helper is indeterminate, so the count is undercounted and a
+                    // shortfall is only reported when it is provable. expect.hasAssertions()
+                    // carries no count and is skipped. Distinct from the deliberately-skipped JS16.
+                    let assertionsGuard = null;
+                    forEachNoNesting(cb.body, (n) => {
+                        if (ts.isCallExpression(n)) {
+                            const cnt = expectAssertionsCount(n);
+                            if (cnt !== null)
+                                assertionsGuard = { line: lineOf(sf, n), n: cnt };
+                        }
+                    });
+                    if (assertionsGuard !== null) {
+                        const guard = assertionsGuard;
+                        const acc = expectAccounting(cb.body);
+                        if (!acc.indeterminate && acc.unconditional < guard.n) {
+                            push(guard.line, "JS23", `expect.assertions(${guard.n}) but only ${acc.unconditional} unconditional expect() call(s) run`);
+                        }
+                    }
+                    // JS8 (spyOn form): test-local. A spyOn target with a canned return that is
+                    // also an expect subject IN THE SAME test body is a self-mock — the test
+                    // asserts the canned value. Scoped to cb.body so a spy in one test never
+                    // matches an assertion in another (the jest.mock module form, hoisted
+                    // file-wide, is handled separately after the walk).
+                    const spied = cannedSpyTargets(cb.body);
+                    if (spied.size > 0) {
+                        const subjects = expectSubjectRoots(cb.body);
+                        for (const [tr, ln] of spied) {
+                            if (subjects.has(tr)) {
+                                push(ln, "JS8", `${tr} is spied with a canned return and asserted directly`);
+                                break;
+                            }
+                        }
+                    }
                     // D7: anonymous test (empty or missing description)
                     const desc = node.arguments[0];
                     const emptyStr = (d) => d !== undefined &&
@@ -821,9 +1044,18 @@ export function analyze(sf) {
                 const isVueComponentQuery = qleaf === "findComponent" || qleaf === "findAllComponents";
                 const isVueSelectorQuery = (qleaf === "find" || qleaf === "findAll") &&
                     node.arguments.length > 0 && ts.isStringLiteral(node.arguments[0]);
-                if (isRtlQuery || isVueComponentQuery || isVueSelectorQuery) {
+                // A cy-rooted chain belongs to JS24, not JS13: cy.get("ul").find("li") ends in
+                // .find("li") and would otherwise trip the Vue-selector heuristic (double-report).
+                if ((isRtlQuery || isVueComponentQuery || isVueSelectorQuery) && rootIdent(node) !== "cy") {
                     push(lineOf(sf, node), "JS13", `${qleaf}() result is not asserted`);
                 }
+                // JS24: the cy.* analogue of JS13 — a Cypress query chain (cy.get/find/
+                // contains) as a statement with no terminating .should/.and and no expect
+                // in a .then callback. Only query commands produce a subject; action
+                // commands (click/type/visit/...) do work and stay clean.
+                if (isUnassertedCyQuery(node)) {
+                    push(lineOf(sf, node), "JS24", `cy query (${qleaf}) result is not asserted`);
+                }
             }
             // A runner `.each` table: it.each / test.each / describe.each (and fit/xit
             // variants). Gate the each-table codes on a runner root so a plain helper

package/dist/scan.d.ts

@@ -9,6 +9,7 @@ export interface Config {
 export interface ScanOptions {
     config?: Config;
     cliDisable?: Set<string>;
+    cliEnable?: Set<string>;
     diagnostics?: boolean;
 }
 export declare function isTestFile(file: string): boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "falsegreen-js",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Find JavaScript/TypeScript unit tests that give false positives: green tests that protect nothing, and tests that pass while asserting the wrong thing. Deterministic AST scanner, sibling of falsegreen (Python).",
   "keywords": [
     "jest",