1use serde_json::Value;
8
9const DOCS_BASE: &str = "https://docs.fallow.tools";
10
11pub struct RuleDef {
13 pub id: &'static str,
14 pub category: &'static str,
21 pub name: &'static str,
22 pub short: &'static str,
23 pub full: &'static str,
24 pub docs_path: &'static str,
25}
26
27pub const CHECK_RULES: &[RuleDef] = &[
28 RuleDef {
29 id: "fallow/unused-file",
30 category: "Dead code",
31 name: "Unused Files",
32 short: "File is not reachable from any entry point",
33 full: "Source files that are not imported by any other module and are not entry points (scripts, tests, configs). These files can safely be deleted. Detection uses graph reachability from configured entry points.",
34 docs_path: "explanations/dead-code#unused-files",
35 },
36 RuleDef {
37 id: "fallow/unused-export",
38 category: "Dead code",
39 name: "Unused Exports",
40 short: "Export is never imported",
41 full: "Named exports that are never imported by any other module in the project. Includes both direct exports and re-exports through barrel files. The export may still be used locally within the same file.",
42 docs_path: "explanations/dead-code#unused-exports",
43 },
44 RuleDef {
45 id: "fallow/unused-type",
46 category: "Dead code",
47 name: "Unused Type Exports",
48 short: "Type export is never imported",
49 full: "Type-only exports (interfaces, type aliases, enums used only as types) that are never imported. These do not generate runtime code but add maintenance burden.",
50 docs_path: "explanations/dead-code#unused-types",
51 },
52 RuleDef {
53 id: "fallow/private-type-leak",
54 category: "Dead code",
55 name: "Private Type Leaks",
56 short: "Exported signature references a private type",
57 full: "Exported values or types whose public TypeScript signature references a same-file type declaration that is not exported. Consumers cannot name that private type directly, so the backing type should be exported or removed from the public signature.",
58 docs_path: "explanations/dead-code#private-type-leaks",
59 },
60 RuleDef {
61 id: "fallow/unused-dependency",
62 category: "Dependencies",
63 name: "Unused Dependencies",
64 short: "Dependency listed but never imported",
65 full: "Packages listed in dependencies that are never imported or required by any source file. Framework plugins and CLI tools may be false positives; use the ignore_dependencies config to suppress.",
66 docs_path: "explanations/dead-code#unused-dependencies",
67 },
68 RuleDef {
69 id: "fallow/unused-dev-dependency",
70 category: "Dependencies",
71 name: "Unused Dev Dependencies",
72 short: "Dev dependency listed but never imported",
73 full: "Packages listed in devDependencies that are never imported by test files, config files, or scripts. Build tools and jest presets that are referenced only in config may appear as false positives.",
74 docs_path: "explanations/dead-code#unused-devdependencies",
75 },
76 RuleDef {
77 id: "fallow/unused-optional-dependency",
78 category: "Dependencies",
79 name: "Unused Optional Dependencies",
80 short: "Optional dependency listed but never imported",
81 full: "Packages listed in optionalDependencies that are never imported. Optional dependencies are typically platform-specific; verify they are not needed on any supported platform before removing.",
82 docs_path: "explanations/dead-code#unused-optionaldependencies",
83 },
84 RuleDef {
85 id: "fallow/type-only-dependency",
86 category: "Dependencies",
87 name: "Type-only Dependencies",
88 short: "Production dependency only used via type-only imports",
89 full: "Production dependencies that are only imported via `import type` statements. These can be moved to devDependencies since they generate no runtime code and are stripped during compilation.",
90 docs_path: "explanations/dead-code#type-only-dependencies",
91 },
92 RuleDef {
93 id: "fallow/test-only-dependency",
94 category: "Dependencies",
95 name: "Test-only Dependencies",
96 short: "Production dependency only imported by test files",
97 full: "Production dependencies that are only imported from test files. These can usually move to devDependencies because production entry points do not require them at runtime.",
98 docs_path: "explanations/dead-code#test-only-dependencies",
99 },
100 RuleDef {
101 id: "fallow/unused-enum-member",
102 category: "Dead code",
103 name: "Unused Enum Members",
104 short: "Enum member is never referenced",
105 full: "Enum members that are never referenced in the codebase. Uses scope-aware binding analysis to track all references including computed access patterns.",
106 docs_path: "explanations/dead-code#unused-enum-members",
107 },
108 RuleDef {
109 id: "fallow/unused-class-member",
110 category: "Dead code",
111 name: "Unused Class Members",
112 short: "Class member is never referenced",
113 full: "Class methods and properties that are never referenced outside the class. Private members are checked within the class scope; public members are checked project-wide.",
114 docs_path: "explanations/dead-code#unused-class-members",
115 },
116 RuleDef {
117 id: "fallow/unused-store-member",
118 category: "Dead code",
119 name: "Unused Store Members",
120 short: "Store member is never accessed by any consumer",
121 full: "Pinia store members (a `state` / `getters` / `actions` key, or a setup-store returned key) declared but never accessed by any consumer project-wide. The store binding is imported (so the module is reachable) yet a specific member is dead. Defaults to warn, not error: a store has an open declaration surface (plugins, dynamic dispatch) so confidence is lower. Activates only when pinia or @pinia/nuxt is a declared dependency.",
122 docs_path: "explanations/dead-code#unused-store-members",
123 },
124 RuleDef {
125 id: "fallow/unresolved-import",
126 category: "Dead code",
127 name: "Unresolved Imports",
128 short: "Import could not be resolved",
129 full: "Import specifiers that could not be resolved to a file on disk. Common causes: deleted files, typos in paths, missing path aliases in tsconfig, or uninstalled packages.",
130 docs_path: "explanations/dead-code#unresolved-imports",
131 },
132 RuleDef {
133 id: "fallow/unlisted-dependency",
134 category: "Dependencies",
135 name: "Unlisted Dependencies",
136 short: "Dependency used but not in package.json",
137 full: "Packages that are imported in source code but not listed in package.json. These work by accident (hoisted from another workspace package or transitive dep) and will break in strict package managers.",
138 docs_path: "explanations/dead-code#unlisted-dependencies",
139 },
140 RuleDef {
141 id: "fallow/duplicate-export",
142 category: "Dead code",
143 name: "Duplicate Exports",
144 short: "Export name appears in multiple modules",
145 full: "The same export name is defined in multiple modules. Consumers may import from the wrong module, leading to subtle bugs. Consider renaming or consolidating.",
146 docs_path: "explanations/dead-code#duplicate-exports",
147 },
148 RuleDef {
149 id: "fallow/circular-dependency",
150 category: "Architecture",
151 name: "Circular Dependencies",
152 short: "Circular dependency chain detected",
153 full: "A cycle in the module import graph. Circular dependencies cause undefined behavior with CommonJS (partial modules) and initialization ordering issues with ESM. Break cycles by extracting shared code.",
154 docs_path: "explanations/dead-code#circular-dependencies",
155 },
156 RuleDef {
157 id: "fallow/re-export-cycle",
158 category: "Architecture",
159 name: "Re-Export Cycles",
160 short: "Two or more barrel files re-export from each other in a loop",
161 full: "A barrel file re-exports from another barrel that ultimately re-exports back. When this happens, imports from any file in the loop may silently come up empty, because the re-export chain has no terminating module to resolve names against. To fix this: open any one file in the loop and remove the `export * from` (or `export { ... } from`) statement that points back into the cycle. Any single removal will break the cycle and restore working re-exports. A self-loop (a single barrel re-exporting from itself, often a rename leftover) is reported under the same rule with kind `self-loop`.",
162 docs_path: "explanations/dead-code#re-export-cycles",
163 },
164 RuleDef {
165 id: "fallow/boundary-violation",
166 category: "Architecture",
167 name: "Boundary Violations",
168 short: "Import crosses a configured architecture boundary",
169 full: "A module imports from a zone that its configured boundary rules do not allow. Boundary checks help keep layered architecture, feature slices, and package ownership rules enforceable.",
170 docs_path: "explanations/dead-code#boundary-violations",
171 },
172 RuleDef {
173 id: "fallow/boundary-coverage",
174 category: "Architecture",
175 name: "Boundary Coverage",
176 short: "Source file matches no configured architecture boundary zone",
177 full: "A reachable source file is not assigned to any configured boundary zone while boundaries.coverage.requireAllFiles is enabled. Add the file to a zone pattern, move it under an existing zone, or allow-list generated and intentionally unzoned paths with boundaries.coverage.allowUnmatched.",
178 docs_path: "explanations/dead-code#boundary-violations",
179 },
180 RuleDef {
181 id: "fallow/boundary-call-violation",
182 category: "Architecture",
183 name: "Boundary Call Violation",
184 short: "Zoned file calls a callee its zone forbids",
185 full: "A file classified into a boundary zone calls a callee matching one of the zone's boundaries.calls.forbidden patterns. The check is syntactic: it matches the written callee path and the import-resolved canonical path, and it only applies to files classified into a zone. Move the call behind an allowed abstraction, or adjust the zone's forbidden patterns if the rule was wrong.",
186 docs_path: "explanations/dead-code#boundary-violations",
187 },
188 RuleDef {
189 id: "fallow/policy-violation",
190 category: "Policy",
191 name: "Policy Violation",
192 short: "Banned usage matched a rule-pack rule",
193 full: "A call site, import, or catalogue-derived effect matched a rule from a configured rule pack (the rulePacks config key). Packs are pure declarative data; the check is syntactic, call and effect matching use written plus import-resolved canonical callees, and import matching uses the raw specifier. Replace the banned usage per the rule's message, scope the rule with files/exclude globs, or adjust its severity.",
194 docs_path: "explanations/dead-code#policy-violations",
195 },
196 RuleDef {
197 id: "fallow/stale-suppression",
198 category: "Suppressions",
199 name: "Stale Suppressions",
200 short: "Suppression comment or tag no longer matches any issue",
201 full: "A fallow-ignore-next-line, fallow-ignore-file, or @expected-unused suppression that no longer matches any active issue. The underlying problem was fixed but the suppression was left behind. Remove it to keep the codebase clean.",
202 docs_path: "explanations/dead-code#stale-suppressions",
203 },
204 RuleDef {
205 id: "fallow/missing-suppression-reason",
206 category: "Suppressions",
207 name: "Missing Suppression Reason",
208 short: "Suppression comment omits a required reason",
209 full: "A fallow-ignore-next-line or fallow-ignore-file suppression omits the explanatory reason required by the requireSuppressionReason rule. Add a short reason after the suppression token, or remove the suppression if the issue is no longer intentional.",
210 docs_path: "explanations/dead-code#stale-suppressions",
211 },
212 RuleDef {
213 id: "fallow/unused-catalog-entry",
214 category: "Dependencies",
215 name: "Unused catalog entry",
216 short: "Catalog entry not referenced by any workspace package",
217 full: "An entry in a package manager catalog (`pnpm-workspace.yaml` `catalog:` / `catalogs:` or Bun root `package.json` `workspaces.catalog` / `workspaces.catalogs`) that no workspace package.json references via the `catalog:` protocol. Catalog entries are leftover dependency metadata once a package is removed from every consumer; delete the entry to keep the catalog truthful. See also: fallow/unresolved-catalog-reference (the inverse: consumer references a catalog that does not declare the package).",
218 docs_path: "explanations/dead-code#unused-catalog-entries",
219 },
220 RuleDef {
221 id: "fallow/empty-catalog-group",
222 category: "Dependencies",
223 name: "Empty catalog group",
224 short: "Named catalog group has no entries",
225 full: "A named group under `catalogs:` in `pnpm-workspace.yaml` or Bun root `package.json` has no package entries. Empty named groups are leftover catalog structure after the last entry is removed. The default `catalog` map is intentionally ignored because some projects keep it as a stable hook.",
226 docs_path: "explanations/dead-code#empty-catalog-groups",
227 },
228 RuleDef {
229 id: "fallow/unresolved-catalog-reference",
230 category: "Dependencies",
231 name: "Unresolved catalog reference",
232 short: "package.json references a catalog that does not declare the package",
233 full: "A workspace package.json declares a dependency with the `catalog:` or `catalog:<name>` protocol, but the catalog has no entry for that package. The package manager install will fail until the catalog is fixed. To fix: add the package to the named catalog, switch the reference to a different catalog that does declare it, or remove the reference and pin a hardcoded version. Scope: the detector scans `dependencies`, `devDependencies`, `peerDependencies`, and `optionalDependencies` in every workspace `package.json`, using `pnpm-workspace.yaml` catalogs when present and Bun root `package.json` catalogs otherwise. See also: fallow/unused-catalog-entry (the inverse: catalog entries no consumer references).",
234 docs_path: "explanations/dead-code#unresolved-catalog-references",
235 },
236 RuleDef {
237 id: "fallow/unused-dependency-override",
238 category: "Dependencies",
239 name: "Unused pnpm dependency override",
240 short: "pnpm.overrides entry targets a package not declared or resolved",
241 full: "An entry in `pnpm-workspace.yaml`'s `overrides:` section, or the root `package.json`'s `pnpm.overrides` block, whose target package is not declared by any workspace package and is not present in `pnpm-lock.yaml`. Override entries linger after their target package leaves the resolved dependency tree. For projects without a readable lockfile, fallow falls back to workspace package.json manifests and keeps a `hint` so transitive CVE pins can be reviewed before removal. To fix: delete the entry, refresh `pnpm-lock.yaml` if it is stale, or add the entry to `ignoreDependencyOverrides` when the override is intentionally retained. See also: fallow/misconfigured-dependency-override.",
242 docs_path: "explanations/dead-code#unused-dependency-overrides",
243 },
244 RuleDef {
245 id: "fallow/misconfigured-dependency-override",
246 category: "Dependencies",
247 name: "Misconfigured pnpm dependency override",
248 short: "pnpm.overrides entry has an unparsable key or value",
249 full: "An entry in `pnpm-workspace.yaml`'s `overrides:` or `package.json`'s `pnpm.overrides` whose key or value does not parse as a valid pnpm override spec. Common shapes: empty key, empty value, malformed version selector on the target (`@types/react@<<18`), unbalanced parent matcher (`react>`), or unsupported `npm:alias@` syntax in the version (only the `-`, `$ref`, and `npm:alias` pnpm idioms are allowed). pnpm rejects the workspace at install time with a parser error. To fix: correct the key/value shape, or remove the entry. See also: fallow/unused-dependency-override.",
250 docs_path: "explanations/dead-code#misconfigured-dependency-overrides",
251 },
252 RuleDef {
253 id: "fallow/invalid-client-export",
254 category: "Policy",
255 name: "Invalid client export",
256 short: "\"use client\" file exports a server-only / route-config name",
257 full: "A file carrying the `\"use client\"` directive also exports a Next.js server-only or route-segment config name (such as `metadata`, `generateMetadata`, `revalidate`, `generateStaticParams`, or a route HTTP method like `GET`/`POST`). Next.js rejects this combination at build time. Move the server-only export to a non-client module (a server component, a `route.ts`, or a separate config file), or remove the `\"use client\"` directive if the module does not need to be a client boundary. The check runs only when the project declares `next`.",
258 docs_path: "explanations/dead-code#invalid-client-exports",
259 },
260 RuleDef {
261 id: "fallow/mixed-client-server-barrel",
262 category: "Policy",
263 name: "Mixed client/server barrel",
264 short: "Barrel re-exports both a \"use client\" module and a server-only module",
265 full: "A barrel file (a module whose exports are `export ... from` re-exports) forwards a name from a `\"use client\"` module alongside a name from a server-only module (one carrying `\"use server\"`, importing the `server-only` package, or importing a server-only Next.js API such as `next/headers`). Importing one name from such a barrel drags the other's directive context across the React Server Components boundary, the documented Next.js App Router footgun. Type-only re-exports are ignored (erased at build), and a barrel re-exporting a client module alongside an ordinary undirected utility does NOT flag. To fix: split the barrel so client and server-only modules are re-exported from separate entry points. The check runs only when the project declares `next`.",
266 docs_path: "explanations/dead-code#mixed-client-server-barrels",
267 },
268 RuleDef {
269 id: "fallow/misplaced-directive",
270 category: "Policy",
271 name: "Misplaced directive",
272 short: "\"use client\" / \"use server\" directive is not in the leading position and is ignored",
273 full: "A `\"use client\"` or `\"use server\"` directive string appears as an expression statement after a non-directive statement (an `import`, a `const`). React Server Components bundlers only honor a directive in the leading prologue, before any other statement; once any statement precedes it the string is parsed as an ordinary expression and SILENTLY IGNORED. The intended client/server boundary never takes effect, so the file is treated as a server module. To fix: move the directive to the very top of the file, above every import. The check runs only when the project declares `next`.",
274 docs_path: "explanations/dead-code#misplaced-directives",
275 },
276 RuleDef {
277 id: "fallow/unprovided-inject",
278 category: "Dead code",
279 name: "Unprovided injects",
280 short: "inject() / getContext() reads a key that no provide() / setContext() supplies",
281 full: "A Vue `inject(KEY)` or Svelte `getContext(KEY)` reads a dependency-injection key (an imported or module-local symbol) that no matching `provide(KEY)` / `setContext(KEY)` supplies anywhere in the project. The read resolves to undefined at runtime, surfaced only at render. To fix: add a matching provider for the key, or remove the dead inject. Defaults to warn, not error: a provider may live outside the analyzed graph (an app-level provide registered elsewhere, a plugin, a host application). String-literal keys and keys imported from a package are abstained.",
282 docs_path: "explanations/dead-code#unprovided-injects",
283 },
284 RuleDef {
285 id: "fallow/unrendered-component",
286 category: "Dead code",
287 name: "Unrendered components",
288 short: "A Vue / Svelte component is reachable through a barrel but rendered nowhere",
289 full: "A Vue or Svelte single-file component (the default export of a `.vue` / `.svelte` file) is reachable in the module graph (a barrel re-exports it) but instantiated NOWHERE in the project: no `<Tag>`, no `:is` / `this=` binding, no `components` / `app.component` registration, no `h()` / auto-import use, and no script value-read. It survives unused-file (the barrel keeps it reachable) and unused-export (the re-export counts as a use), yet no file actually renders it. To fix: render the component somewhere, or delete it and drop the dead re-export. Defaults to warn, not error: a component can be rendered reflectively (a dynamic `<component :is>` resolved from a non-literal value), so analyzer confidence is lower. Components that are themselves entry points (route pages, layouts, `App.vue`) and components re-exported from a non-private package entry point are abstained.",
290 docs_path: "explanations/dead-code#unrendered-components",
291 },
292 RuleDef {
293 id: "fallow/unused-component-prop",
294 category: "Dead code",
295 name: "Unused component props",
296 short: "A Vue, Svelte, or React component prop is referenced nowhere in its own component",
297 full: "A declared component prop referenced nowhere inside its own component, in these framework shapes: a Vue `<script setup>` defineProps prop, a Svelte 5 `$props()` prop, or a React/Preact prop destructured from a component's first parameter and read nowhere in its body. Framework type checkers check caller-side prop correctness, not this in-component dead-input direction. Conservative: Vue abstains on `$attrs` fallthrough, whole-object props use, defineExpose, defineModel, and imported prop-type aliases; Svelte abstains on rest, computed, nested, and whole-object `$props()` shapes; React abstains on rest spread (`{...rest}`), props forwarded by spread, props passed wholesale to a hook, `forwardRef` / imported-interface props, and exported public-API component props. Default warn; suppress or remove the prop.",
298 docs_path: "explanations/dead-code#unused-component-props",
299 },
300 RuleDef {
301 id: "fallow/unused-component-emit",
302 category: "Dead code",
303 name: "Unused component emits",
304 short: "A Vue <script setup> defineEmits event is emitted nowhere in its own component",
305 full: "A Vue `<script setup>` defineEmits declared event that is emitted nowhere in its own component (no `emit('<name>')` call). vue-tsc / Volar check caller-side emit correctness, not this in-component dead-output direction. Conservative: abstains on `$attrs` fallthrough, whole-object emit use, defineExpose, defineModel, and imported emit-type aliases. Default warn; suppress or remove the emit.",
306 docs_path: "explanations/dead-code#unused-component-emits",
307 },
308 RuleDef {
309 id: "fallow/unused-component-input",
310 category: "Dead code",
311 name: "Unused component inputs",
312 short: "An Angular @Input() / signal input() / model() input is read nowhere in its own component",
313 full: "An Angular `@Input()` / signal `input()` / `model()` declared input that is read nowhere in its own component (neither the inline / external template nor the class body). The Angular compiler never flags a declared-but-unread `@Input`, and there is no `@angular-eslint` rule for it. Conservative: usage detection over-credits by design (a template sentinel ref, any class-body member access by that name, or a bare identifier read counts as used), and the whole component abstains on an unresolved `extends` heritage clause (a base class in another file may read the input). A `model()` is recorded as an input only. Default warn; suppress or remove the input. The check runs only when the project declares `@angular/core`.",
314 docs_path: "explanations/dead-code#unused-component-inputs",
315 },
316 RuleDef {
317 id: "fallow/unused-component-output",
318 category: "Dead code",
319 name: "Unused component outputs",
320 short: "An Angular @Output() / signal output() output is emitted nowhere in its own component",
321 full: "An Angular `@Output()` / signal `output()` declared output that is emitted nowhere in its own component (no `this.<output>.emit(...)`). The Angular compiler never flags a declared-but-unemitted `@Output`, and there is no `@angular-eslint` rule for it. Conservative: usage detection over-credits by design (a `this.<output>.emit` call site, or any value read of `this.<output>` that might forward it, counts as used), and the whole component abstains on an unresolved `extends` heritage clause. A `model()`-derived implicit output is never flagged. Default warn; suppress or remove the output. The check runs only when the project declares `@angular/core`.",
322 docs_path: "explanations/dead-code#unused-component-outputs",
323 },
324 RuleDef {
325 id: "fallow/unused-svelte-event",
326 category: "Dead code",
327 name: "Unused Svelte events",
328 short: "A Svelte component dispatches a createEventDispatcher event whose name is listened to nowhere in the project",
329 full: "A Svelte component that dispatches a custom event via `createEventDispatcher` (`const dispatch = createEventDispatcher(); dispatch('save')`) whose event name is listened to NOWHERE in the analyzed project. This is the cross-file dead-OUTPUT direction: the component fires an event nothing handles. No native tool covers the listener side: eslint-plugin-svelte and svelte-check are single-file / type-only. fallow builds a project-wide listened-event set from every component-tag `on:<name>` binding (event forwarding, an `on:<name>` with no handler, counts as a listen), then flags a dispatched event whose name is in no listened set. Conservative (zero false positives): the whole component abstains on a dynamic `dispatch(<nonLiteral>)` (the event name is unknowable) or a `dispatch` reference forwarded as a value; a DOM `on:click` on a lowercase element is NOT a custom event and is ignored; and any listener on any component anywhere credits the name (the liberal over-credit, false-negative-safe direction). Default warn; remove the dispatched event or wire a listener. The check runs only when the project declares `svelte`.",
330 docs_path: "explanations/dead-code#unused-svelte-events",
331 },
332 RuleDef {
333 id: "fallow/unused-server-action",
334 category: "Dead code",
335 name: "Unused server actions",
336 short: "A Next.js Server Action exported from a \"use server\" file is referenced by no code in the project",
337 full: "A Next.js Server Action (an export of a `\"use server\"` file) that no code in the project references: no import-and-call, no `action={fn}` JSX binding, no `<form action={fn}>`. This is the cross-graph \"declared but zero consumers\" direction, reclassified out of `unused-export` for `\"use server\"` files so the finding carries the action-specific signal. eslint-plugin-next is single-file and cannot see cross-file usage. It does NOT mean the endpoint is unreachable: Next.js still registers a generated action id, so it stays POST-able; it means no project code references it (likely forgotten or dead, and a candidate for removal to shrink surface area). Default warn; wire the action to a consumer or remove it. The check runs only when the project declares `next`.",
338 docs_path: "explanations/dead-code#unused-server-actions",
339 },
340 RuleDef {
341 id: "fallow/unused-load-data-key",
342 category: "Dead code",
343 name: "Unused load data keys",
344 short: "A SvelteKit load() return-object key is read by no consumer",
345 full: "A SvelteKit route `load()` (in `+page.ts` / `+page.server.ts` and the `.js` variants) returns an object whose keys become the route's `data` prop. A returned key that NO consumer reads is dead: it runs a real server-side fetch / DB cost on every request for data nothing renders. fallow checks two channels: the sibling `+page.svelte`'s `data.<key>` reads (route-pinned), and project-wide `page.data.<key>` (Svelte 5 `$app/state`) / `$page.data.<key>` (Svelte 4 `$app/stores`) reads in any component. `svelte-check` types `data` via generated `$types` but never flags an unread RETURNED key. The detector abstains (never false-flags) on a spread / non-literal / multi-return / computed-key / wrapped `load`, on a sibling that passes the whole `data` object opaquely, on a `+page.server.ts` whose universal `+page.ts` sibling forwards its `data`, and project-wide when any whole-object use of `page.data` / `$page.data` is seen. Default warn; delete the key or wire a consumer. A load fetch can have side effects, so there is no safe auto-fix. The check runs only when the project declares `@sveltejs/kit`.",
346 docs_path: "explanations/dead-code#unused-load-data-keys",
347 },
348 RuleDef {
349 id: "fallow/prop-drilling",
350 category: "Dead code",
351 name: "Prop drilling",
352 short: "A React/Preact prop is forwarded unchanged through 3+ pass-through components to a distant consumer",
353 full: "A React/Preact prop is received by a component, forwarded UNCHANGED to a child, and forwarded again through two or more intermediate \"pass-through\" components until a component that substantively uses it. The high-confidence signal is that the received identifier appears ONLY as the root of forwarded child-JSX attribute values (so `<Child userName={user.name}/>` counts: the prop `user` is projected forward), not the attribute name matching. fallow emits located per-chain records (the source, each pass-through hop, and the consumer with file + line + component name) so CI and an agent can act: colocate the consumer with the data, lift the value to a React context/provider at a mid-chain hop, or compose the component so the intermediates no longer thread the prop. This is a graph-derived health signal, not a correctness error. The rule defaults to OFF (opt-in), like private-type-leak and the security rules: enable it with `prop-drilling: \"warn\"` in `rules`. Zero false positives by construction: any `{...props}` spread, `cloneElement`, element-as-prop / render-prop / children-as-function, or context `*.Provider` anywhere in the chain abstains the whole chain, as does an ambiguous or unresolvable hop. The check runs only when the project declares `react` / `react-dom` / `next` / `preact`.",
354 docs_path: "explanations/dead-code#prop-drilling",
355 },
356 RuleDef {
357 id: "fallow/thin-wrapper",
358 category: "Dead code",
359 name: "Thin wrapper",
360 short: "A React/Preact component whose whole body is a single spread-forwarded child render (a candidate for inlining)",
361 full: "A React/Preact component whose ENTIRE body is structural indirection: it returns exactly one capitalized component element that forwards the component's own props via a bare spread (`return <Child {...props}/>`), with no host-element wrapper, no extra children, no named attributes alongside the spread, no hooks, no branching, and no other statements. Such a component adds nothing of its own: it is a CANDIDATE for inlining at its call sites or deleting, not a correctness error. fallow emits a located per-wrapper record (file + line + the wrapper and child component names) so CI and an agent can act. The rule defaults to OFF (opt-in), like prop-drilling and the security rules: enable it with `thin-wrapper: \"warn\"` in `rules`. Zero false positives by construction: a `forwardRef` / `memo` wrapper (the sanctioned way to make a child ref-able or set a perf boundary), an EXPORTED component (a public-API re-brand / encapsulation), a context `*.Provider` wrapper, a `cloneElement` / render-prop forward, a wrapper that passes ANY named attribute alongside the spread (a fixed configuration), a self-render, or an unresolvable / member-expression child all abstain. A TypeScript-only type-narrowing wrapper (`const StrictButton = (p: StrictProps) => <Button {...p}/>`) is a known limitation under ADR-001's syntactic analysis; suppress it with the inline comment. The check runs only when the project declares `react` / `react-dom` / `next` / `preact`.",
362 docs_path: "explanations/dead-code#thin-wrapper",
363 },
364 RuleDef {
365 id: "fallow/duplicate-prop-shape",
366 category: "Dead code",
367 name: "Duplicate prop shape",
368 short: "Three or more React/Preact components across two or more files declare an identical prop-name set (a missing shared Props type)",
369 full: "Three or more distinct React/Preact components, living in two or more files, whose statically-harvested prop NAME set is byte-for-byte IDENTICAL after (a) excluding a fixed denylist of ubiquitous DOM / render-passthrough prop names (className, style, id, children, key, ref, the common event handlers, plus data-* / aria-* by prefix) and (b) requiring the REMAINING significant set to have four or more members. Identity is over NAMES only, never types (ADR-001 cannot resolve types). This is a structural-refactor health signal: the recurring shape is a missing shared abstraction, so extract one shared `Props` type (or a base component) that every member reuses. It is never a correctness error and never an auto-fix. fallow emits one located record per participating component, each naming the shared `shape`, the `group_size`, and the OTHER members in `sharing_components`. The rule defaults to OFF (opt-in), like thin-wrapper and the security rules: enable it with `duplicate-prop-shape: \"warn\"` in `rules`. Anti-noise gates (defended as rule-of-three plus a denylist-survivor floor, not tuned magic): the four-significant-prop floor turns `{label, onClick}` buttons into non-findings; the three-component floor is the rule-of-three abstraction trigger; the two-file floor keeps a local same-shaped variant pair (a render-prop pair, a Foo/FooImpl split) unflagged. A component whose props are not fully harvestable (a rest/spread signature, a forwardRef/memo over an imported interface) ABSTAINS, because a partial prop set can never be proven identical. Exact full-set identity ONLY: a superset / subset relationship does NOT group, so a four-prop group and a five-prop superset form TWO findings (the price of zero invalid groups: the finding always fits one extracted shared type). The check runs only when the project declares `react` / `react-dom` / `next` / `preact`.",
370 docs_path: "explanations/dead-code#duplicate-prop-shape",
371 },
372 RuleDef {
373 id: "fallow/route-collision",
374 category: "Policy",
375 name: "Route collision",
376 short: "Two or more Next.js App Router route files resolve to the same URL",
377 full: "Two or more App Router route files (a `page` or a `route` handler) resolve to the SAME URL within one app-root. Route groups `(name)` and parallel slots `@name` do not change the URL, so `app/(marketing)/about/page.tsx` and `app/(shop)/about/page.tsx` both own `/about`. Next.js fails the build (\"You cannot have two parallel pages that resolve to the same path\") because a URL can have at most one owner, whether a Page or a Route Handler. fallow surfaces every colliding file at once; the build error names only one. Buckets are scoped per app-root (per workspace package), so a monorepo with several independent Next apps sharing a path is not flagged. Files under a private `_folder` or an intercepting marker `(.)`/`(..)`/`(...)` are excluded. There is no safe auto-fix: move or merge one of the files so each URL has a single owner. The check runs only when the project declares `next`.",
378 docs_path: "explanations/dead-code#route-collisions",
379 },
380 RuleDef {
381 id: "fallow/dynamic-segment-name-conflict",
382 category: "Policy",
383 name: "Dynamic segment name conflict",
384 short: "Sibling Next.js dynamic route segments use different slug names at the same position",
385 full: "Two or more sibling dynamic route segments at the same App Router tree position use different param spellings (`[id]` vs `[slug]`, or a catch-all `[...x]` vs an optional catch-all `[[...x]]`). Next.js throws \"You cannot use different slug names for the same dynamic path\" at dev and production runtime when the position is hit, because one position must resolve to a single param name. `next build` does NOT catch this (the build succeeds), so CI passes while the route crashes on its first request; fallow's static catch closes that gap. Route groups are transparent to the position and parallel slots fork it, so only genuinely-sibling segments conflict. To fix: rename the dynamic segments at the position to one consistent slug name. The check runs only when the project declares `next`.",
386 docs_path: "explanations/dead-code#dynamic-segment-name-conflicts",
387 },
388];
389
390#[must_use]
392pub fn rule_by_id(id: &str) -> Option<&'static RuleDef> {
393 CHECK_RULES
394 .iter()
395 .chain(HEALTH_RULES.iter())
396 .chain(DUPES_RULES.iter())
397 .chain(FLAGS_RULES.iter())
398 .chain(SECURITY_RULES.iter())
399 .find(|r| r.id == id)
400}
401
402#[must_use]
404pub fn rule_docs_url(rule: &RuleDef) -> String {
405 let docs_path = rule_result_meta(rule).map_or(rule.docs_path, |meta| meta.meta_docs_path);
406 format!("{DOCS_BASE}/{docs_path}")
407}
408
409fn rule_result_meta(rule: &RuleDef) -> Option<&'static fallow_types::issue_meta::IssueResultMeta> {
410 let code = rule.id.strip_prefix("fallow/")?;
411 fallow_types::issue_meta::issue_result_meta_by_code(code)
412}
413
414fn rule_explain_name(rule: &RuleDef) -> &'static str {
415 rule_result_meta(rule).map_or(rule.name, |meta| meta.meta_name)
416}
417
418fn rule_explain_summary(rule: &RuleDef) -> &'static str {
419 rule_result_meta(rule).map_or(rule.short, |meta| meta.sarif_description)
420}
421
422pub struct RuleGuide {
427 pub example: &'static str,
428 pub how_to_fix: &'static str,
429}
430
431#[must_use]
436pub fn rule_by_token(token: &str) -> Option<&'static RuleDef> {
437 let trimmed = token.trim();
438 if trimmed.is_empty() {
439 return None;
440 }
441 if let Some(rule) = rule_by_id(trimmed) {
442 return Some(rule);
443 }
444 let normalized = trimmed
445 .strip_prefix("fallow/")
446 .unwrap_or(trimmed)
447 .trim_start_matches("--")
448 .replace('_', "-")
449 .split_whitespace()
450 .collect::<Vec<_>>()
451 .join("-");
452 if let Some(rule) = dead_code_registry_rule(&normalized) {
453 return Some(rule);
454 }
455 let alias = health_alias_id(&normalized).or_else(|| security_alias_id(&normalized));
456 if let Some(id) = alias
457 && let Some(rule) = rule_by_id(id)
458 {
459 return Some(rule);
460 }
461 let security_token = normalized.strip_prefix("security-").unwrap_or(&normalized);
462 let security_id = format!("security/{security_token}");
463 if let Some(rule) = rule_by_id(&security_id) {
464 return Some(rule);
465 }
466 let singular = normalized
467 .strip_suffix('s')
468 .filter(|_| normalized != "unused-class")
469 .unwrap_or(&normalized);
470 let singular_security_token = singular.strip_prefix("security-").unwrap_or(singular);
471 let singular_security_id = format!("security/{singular_security_token}");
472 if let Some(rule) = rule_by_id(&singular_security_id) {
473 return Some(rule);
474 }
475 let id = format!("fallow/{singular}");
476 rule_by_id(&id).or_else(|| {
477 CHECK_RULES
478 .iter()
479 .chain(HEALTH_RULES.iter())
480 .chain(DUPES_RULES.iter())
481 .chain(FLAGS_RULES.iter())
482 .chain(SECURITY_RULES.iter())
483 .find(|rule| {
484 rule.docs_path.ends_with(&normalized)
485 || rule.docs_path.ends_with(singular)
486 || rule_result_meta(rule).is_some_and(|meta| {
487 meta.meta_docs_path.ends_with(&normalized)
488 || meta.meta_docs_path.ends_with(singular)
489 || meta.meta_name.eq_ignore_ascii_case(trimmed)
490 })
491 || rule.name.eq_ignore_ascii_case(trimmed)
492 })
493 })
494}
495
496fn dead_code_registry_rule(normalized: &str) -> Option<&'static RuleDef> {
497 let meta = fallow_types::issue_meta::issue_meta_for_contract_token(normalized)?;
498 CHECK_RULES
499 .iter()
500 .find(|rule| rule.id.strip_prefix("fallow/") == Some(meta.code))
501}
502
503fn health_alias_id(normalized: &str) -> Option<&'static str> {
504 match normalized {
505 "complexity" | "high-complexity" => Some("fallow/high-complexity"),
506 "cyclomatic" | "high-cyclomatic" | "high-cyclomatic-complexity" => {
507 Some("fallow/high-cyclomatic-complexity")
508 }
509 "cognitive" | "high-cognitive" | "high-cognitive-complexity" => {
510 Some("fallow/high-cognitive-complexity")
511 }
512 "crap" | "high-crap" | "high-crap-score" => Some("fallow/high-crap-score"),
513 "duplication" | "dupes" | "code-duplication" => Some("fallow/code-duplication"),
514 "feature-flag" | "feature-flags" | "flags" => Some("fallow/feature-flag"),
515 _ => None,
516 }
517}
518
519fn security_alias_id(normalized: &str) -> Option<&'static str> {
520 match normalized {
521 "security"
522 | "security-candidate"
523 | "security-candidates"
524 | "tainted-sink"
525 | "tainted-sinks"
526 | "security-sink"
527 | "security-sinks" => Some("security/tainted-sink"),
528 "client-server-leak"
529 | "client-server-leaks"
530 | "security-client-server-leak"
531 | "security-client-server-leaks" => Some("security/client-server-leak"),
532 "hardcoded-secret" | "hardcoded-secrets" | "hard-coded-secret" | "hard-coded-secrets" => {
533 Some("security/hardcoded-secret")
534 }
535 _ => None,
536 }
537}
538
539#[must_use]
541pub fn rule_guide(rule: &RuleDef) -> RuleGuide {
542 source_dead_code_rule_guide(rule.id)
543 .or_else(|| member_import_rule_guide(rule.id))
544 .or_else(|| architecture_rule_guide(rule.id))
545 .or_else(|| catalog_rule_guide(rule.id))
546 .or_else(|| health_runtime_rule_guide(rule.id))
547 .or_else(|| duplication_rule_guide(rule.id))
548 .or_else(|| security_rule_guide(rule.id))
549 .unwrap_or_else(fallback_rule_guide)
550}
551
552fn source_dead_code_rule_guide(id: &str) -> Option<RuleGuide> {
553 Some(match id {
554 "fallow/unused-file" => RuleGuide {
555 example: "src/old-widget.ts is not imported by any entry point, route, script, or config file.",
556 how_to_fix: "Delete the file if it is genuinely dead. If a framework loads it implicitly, add the right plugin/config pattern or mark it in alwaysUsed.",
557 },
558 "fallow/unused-export" => RuleGuide {
559 example: "export const formatPrice = ... exists in src/money.ts, but no module imports formatPrice.",
560 how_to_fix: "Remove the export or make it file-local. If it is public API, import it from an entry point or add an intentional suppression with context.",
561 },
562 "fallow/unused-type" => RuleGuide {
563 example: "export interface LegacyProps is exported, but no module imports the type.",
564 how_to_fix: "Remove the type export, inline it, or keep it behind an explicit API entry point when consumers rely on it.",
565 },
566 "fallow/private-type-leak" => RuleGuide {
567 example: "export function makeUser(): InternalUser exposes InternalUser even though InternalUser is not exported.",
568 how_to_fix: "Export the referenced type, change the public signature to an exported type, or keep the helper private.",
569 },
570 "fallow/unused-dependency"
571 | "fallow/unused-dev-dependency"
572 | "fallow/unused-optional-dependency" => RuleGuide {
573 example: "package.json lists left-pad, but no source, script, config, or plugin-recognized file imports it.",
574 how_to_fix: "Remove the dependency after checking runtime/plugin usage. If another workspace uses it, move the dependency to that workspace.",
575 },
576 "fallow/type-only-dependency" => RuleGuide {
577 example: "zod is in dependencies but only appears in import type declarations.",
578 how_to_fix: "Move the package to devDependencies unless runtime code imports it as a value.",
579 },
580 "fallow/test-only-dependency" => RuleGuide {
581 example: "vitest is listed in dependencies, but only test files import it.",
582 how_to_fix: "Move the package to devDependencies unless production code imports it at runtime.",
583 },
584 _ => return None,
585 })
586}
587
588fn member_import_rule_guide(id: &str) -> Option<RuleGuide> {
589 Some(match id {
590 "fallow/unused-enum-member" => RuleGuide {
591 example: "Status.Legacy remains in an exported enum, but no code reads that member.",
592 how_to_fix: "Remove the member after checking serialized/API compatibility, or suppress it with a reason when external data still uses it.",
593 },
594 "fallow/unused-class-member" => RuleGuide {
595 example: "class Parser has a public parseLegacy method that is never called in the project.",
596 how_to_fix: "Remove or privatize the member. For reflection/framework lifecycle hooks, configure or suppress the intentional entry point.",
597 },
598 "fallow/unused-store-member" => RuleGuide {
599 example: "useCartStore declares a discountTotal getter that no component, composable, or other store ever reads.",
600 how_to_fix: "Remove the unused state property, getter, or action. If it is consumed reflectively (a Pinia plugin, $onAction, or dynamic dispatch), suppress the line with // fallow-ignore-next-line unused-store-member.",
601 },
602 "fallow/unprovided-inject" => RuleGuide {
603 example: "A component calls inject(ThemeKey) (Vue) or getContext(ThemeKey) (Svelte) with an imported symbol key, but no provide(ThemeKey) / setContext(ThemeKey) exists anywhere in the project.",
604 how_to_fix: "Add a matching provide() / setContext() for the key, or remove the dead inject() / getContext(). If a provider lives outside the analyzed graph (an app-level provide registered elsewhere, a plugin, a host app), suppress the line with // fallow-ignore-next-line unprovided-inject.",
605 },
606 "fallow/unrendered-component" => RuleGuide {
607 example: "components/Orphan.vue is re-exported from a barrel (export { default as Orphan } from './Orphan.vue') but no template, registration, h() call, or dynamic import ever renders it.",
608 how_to_fix: "Render the component where it belongs, or delete it and remove the dead barrel re-export. If it is rendered reflectively (a dynamic <component :is> from a non-literal value), suppress the line with // fallow-ignore-next-line unrendered-component.",
609 },
610 "fallow/unused-component-prop" => RuleGuide {
611 example: "Widget.vue declares defineProps<{ size: string }>(), or a React Widget({ size }) destructures `size`, but `size` is referenced nowhere in the component (Vue: its script or template; React: its function body or JSX).",
612 how_to_fix: "Remove the unused prop, or reference it in the component (Vue: the script / template; React: the function body or JSX). If the prop is part of a deliberately-stable public component API, suppress the line with // fallow-ignore-next-line unused-component-prop.",
613 },
614 "fallow/unused-component-emit" => RuleGuide {
615 example: "Widget.vue declares defineEmits<{ close: [] }>() but `emit('close')` is called nowhere in the component's script.",
616 how_to_fix: "Remove the unused emit, or emit it in the script. If the emit is part of a deliberately-stable public component API, suppress the line with // fallow-ignore-next-line unused-component-emit.",
617 },
618 "fallow/unused-component-input" => RuleGuide {
619 example: "user-card.component.ts declares @Input() size: string (or size = input<string>()) but `size` is read nowhere in the template or the class body.",
620 how_to_fix: "Remove the unused input, or read it in the template or class body. If the input is part of a deliberately-stable public component API, suppress the line with // fallow-ignore-next-line unused-component-input.",
621 },
622 "fallow/unused-component-output" => RuleGuide {
623 example: "user-card.component.ts declares @Output() close = new EventEmitter<void>() (or close = output<void>()) but `this.close.emit(...)` is called nowhere in the class.",
624 how_to_fix: "Remove the unused output, or emit it from the class. If the output is part of a deliberately-stable public component API, suppress the line with // fallow-ignore-next-line unused-component-output.",
625 },
626 "fallow/unused-svelte-event" => RuleGuide {
627 example: "Child.svelte calls const dispatch = createEventDispatcher(); dispatch('dead'), but no parent listens for it (no <Child on:dead> anywhere in the project).",
628 how_to_fix: "Remove the dispatched event, or listen for it on the component (<Child on:dead={...}> or forward it via <Child on:dead>). If the event is dispatched reflectively (a dynamic name) or is part of a deliberately-stable public component API, suppress the line with // fallow-ignore-next-line unused-svelte-event.",
629 },
630 "fallow/unused-server-action" => RuleGuide {
631 example: "app/actions.ts has \"use server\" and exports submitForm, but no component imports it, binds it via action={submitForm}, or uses it in <form action={submitForm}>.",
632 how_to_fix: "Wire the action to a consumer (an import-and-call, an action={fn} binding, or a <form action={fn}>), or remove it. If it is invoked reflectively (an action registry dispatching by id, or a non-JS caller), suppress the line with // fallow-ignore-next-line unused-server-action.",
633 },
634 "fallow/unused-load-data-key" => RuleGuide {
635 example: "src/routes/blog/+page.ts returns { posts, draftCount } but +page.svelte only reads data.posts and no component reads page.data.draftCount.",
636 how_to_fix: "Delete the unused key from the load() return (and skip its fetch), or wire a consumer (read data.<key> in +page.svelte, or page.data.<key> in a shared component). If the load fetch has a side effect you must keep, suppress the line with // fallow-ignore-next-line unused-load-data-key.",
637 },
638 "fallow/prop-drilling" => RuleGuide {
639 example: "Page receives `user` and renders <Layout user={user}/>; Layout only re-passes it to <Sidebar user={user}/>; Sidebar only re-passes it to <Profile user={user}/>, which finally reads user.name. The prop is drilled through Layout and Sidebar untouched.",
640 how_to_fix: "Collapse the chain: colocate the consumer with the data, lift the value into a React context/provider at a mid-chain hop and consume it there, or compose the component (pass the rendered child as children) so the intermediates no longer thread the prop. Enable the rule with rules.prop-drilling = \"warn\" (it defaults to off). To accept one chain, suppress the source prop with // fallow-ignore-next-line prop-drilling.",
641 },
642 "fallow/thin-wrapper" => RuleGuide {
643 example: "const ButtonWrapper = (props) => <Button {...props}/>; the wrapper has no own markup, hooks, or logic, so it only re-points at Button.",
644 how_to_fix: "Inline the wrapper at its call sites (use <Button .../> directly) or delete it. Keep it only if it is a deliberate seam (a planned divergence point, a public-API re-brand): an exported wrapper already abstains. Enable the rule with rules.thin-wrapper = \"warn\" (it defaults to off). To accept one wrapper, suppress it with // fallow-ignore-next-line thin-wrapper above the component definition.",
645 },
646 "fallow/duplicate-prop-shape" => RuleGuide {
647 example: "FieldText, FieldNumber, and FieldSelect (across three files) each declare exactly { name, label, value, onChange, error }. The five significant prop names are identical, so they form one duplicate-prop-shape group.",
648 how_to_fix: "Extract one shared Props type (e.g. type FieldProps = { name; label; value; onChange; error }) that every member reuses, or a base component the variants compose. Keep them separate only if a per-variant prop divergence is planned. Enable the rule with rules.duplicate-prop-shape = \"warn\" (it defaults to off). To accept one member, suppress it with // fallow-ignore-next-line duplicate-prop-shape above the component definition; the suppressed member still appears in its siblings' sharing_components because the group is real regardless of suppression.",
649 },
650 "fallow/unresolved-import" => RuleGuide {
651 example: "src/app.ts imports ./routes/admin, but no matching file exists after extension and index resolution.",
652 how_to_fix: "Fix the specifier, restore the missing file, install the package, or align tsconfig path aliases with the runtime resolver.",
653 },
654 "fallow/unlisted-dependency" => RuleGuide {
655 example: "src/api.ts imports undici, but the nearest package.json does not list undici.",
656 how_to_fix: "Add the package to dependencies/devDependencies in the workspace that imports it instead of relying on hoisting or transitive deps.",
657 },
658 "fallow/duplicate-export" => RuleGuide {
659 example: "Button is exported from both src/ui/button.ts and src/components/button.ts.",
660 how_to_fix: "Rename or consolidate the exports so consumers have one intentional import target.",
661 },
662 _ => return None,
663 })
664}
665
666fn architecture_rule_guide(id: &str) -> Option<RuleGuide> {
667 Some(match id {
668 "fallow/circular-dependency" => RuleGuide {
669 example: "src/a.ts imports src/b.ts, and src/b.ts imports src/a.ts.",
670 how_to_fix: "Extract shared code to a third module, invert the dependency, or split initialization-time side effects from type-only contracts.",
671 },
672 "fallow/boundary-violation" => RuleGuide {
673 example: "features/billing imports app/admin even though the configured boundary only allows imports from shared and entities.",
674 how_to_fix: "Move the shared contract to an allowed zone, invert the dependency, or update the boundary config only if the architecture rule was wrong.",
675 },
676 "fallow/boundary-coverage" => RuleGuide {
677 example: "src/generated/client.ts is reachable but does not match any boundaries.zones[].patterns entry.",
678 how_to_fix: "Add the file to the intended zone pattern, move it under a zoned directory, or add a generated-file glob to boundaries.coverage.allowUnmatched.",
679 },
680 "fallow/boundary-call-violation" => RuleGuide {
681 example: "src/domain/policy.ts calls execSync from node:child_process while boundaries.calls.forbidden bans child_process.* from the domain zone.",
682 how_to_fix: "Move the call into a zone that may perform the effect, route it through an allowed abstraction, or narrow the forbidden pattern if the rule was wrong. To suppress, use the boundary family token: `// fallow-ignore-next-line boundary-violation` governs import, coverage, and call findings alike (the rule-id-shaped `boundary-call-violation` is accepted as an alias).",
683 },
684 "fallow/policy-violation" => RuleGuide {
685 example: "src/app.ts imports moment while a rule pack bans the moment specifier with the message 'Use date-fns.'",
686 how_to_fix: "Replace the banned call, import, or effectful usage with the alternative named in the rule's message. To waive one rule, use `// fallow-ignore-next-line policy-violation:<pack>/<rule-id>` or the file-level form. Use bare `policy-violation` only when you intend to suppress every rule-pack finding at that scope.",
687 },
688 "fallow/stale-suppression" => RuleGuide {
689 example: "// fallow-ignore-next-line unused-export remains above an export that is now used.",
690 how_to_fix: "Remove the suppression. If a different issue is still intentional, replace it with a current, specific suppression.",
691 },
692 "fallow/missing-suppression-reason" => RuleGuide {
693 example: "// fallow-ignore-next-line unused-export appears without the required explanatory reason.",
694 how_to_fix: "Add a concise reason after the suppression token, or remove the suppression if the issue is no longer intentional.",
695 },
696 _ => return None,
697 })
698}
699
700fn catalog_rule_guide(id: &str) -> Option<RuleGuide> {
701 Some(match id {
702 "fallow/unused-catalog-entry" => RuleGuide {
703 example: "The catalog source declares `catalog: { is-even: ^1.0.0 }`, but no workspace package.json declares `\"is-even\": \"catalog:\"`.",
704 how_to_fix: "Delete the entry from the catalog source file. If any consumer uses a hardcoded version (surfaced in `hardcoded_consumers`), switch that consumer to `catalog:` first to keep versions aligned.",
705 },
706 "fallow/empty-catalog-group" => RuleGuide {
707 example: "The catalog source declares `catalogs: { react17: {} }` after the last react17 entry was removed.",
708 how_to_fix: "Delete the empty named group from the catalog source file. Comments between the deleted header and the next sibling can stay in place for manual review.",
709 },
710 "fallow/unresolved-catalog-reference" => RuleGuide {
711 example: "packages/app/package.json declares `\"old-react\": \"catalog:react17\"`, but `catalogs.react17` in the catalog source does not declare `old-react`. The package manager install will fail.",
712 how_to_fix: "If `available_in_catalogs` is non-empty, change the reference to one of those catalogs (e.g. `catalog:react18`). Otherwise add the package to the named catalog in the catalog source, or remove the catalog reference and pin a hardcoded version. For staged migrations where the catalog edit lands separately, add the (package, catalog, consumer) triple to `ignoreCatalogReferences` in your fallow config.",
713 },
714 "fallow/unused-dependency-override" => RuleGuide {
715 example: "pnpm-workspace.yaml declares `overrides: { axios: ^1.6.0 }`, but no workspace package.json declares `axios` and `pnpm-lock.yaml` does not resolve it.",
716 how_to_fix: "Delete the entry from `pnpm-workspace.yaml` or `package.json#pnpm.overrides`. If the finding is caused by a stale or missing lockfile, refresh `pnpm-lock.yaml` and rerun fallow. If the override is intentionally retained, add it to `ignoreDependencyOverrides` in your fallow config.",
717 },
718 "fallow/misconfigured-dependency-override" => RuleGuide {
719 example: "pnpm-workspace.yaml declares `overrides: { \"@types/react@<<18\": \"18.0.0\" }`. The doubled `<<` is not a valid pnpm version selector and pnpm will reject the workspace at install time.",
720 how_to_fix: "Fix the key/value to match pnpm's override grammar: bare names (`axios`), scoped names (`@types/react`), targets with version selectors (`@types/react@<18`), parent matchers (`react>react-dom`), and parent chains with selectors on either side. Allowed value idioms: bare version range, `-` (delete), `$ref`, and `npm:alias`. If the entry was experimental, remove it.",
721 },
722 _ => return None,
723 })
724}
725
726fn health_runtime_rule_guide(id: &str) -> Option<RuleGuide> {
727 Some(match id {
728 "fallow/high-cyclomatic-complexity"
729 | "fallow/high-cognitive-complexity"
730 | "fallow/high-complexity" => RuleGuide {
731 example: "A function contains several nested conditionals, loops, and early exits, exceeding the configured complexity threshold. fallow also flags synthetic `<template>` findings on Angular .html templates and inline `@Component({ template: ... })` literals, and `<component>` rollup findings that combine the worst class method with its template.",
732 how_to_fix: "For function findings, extract named helpers, split independent branches, flatten guard clauses, and add tests around the behavior before refactoring. For `<template>` findings, split the template into child components, hoist data into the component class as computed signals, or replace nested `@if`/`@for` with a flatter structure. For `<component>` rollup findings, attack the larger half first; the per-half breakdown lives in `component_rollup`.",
733 },
734 "fallow/high-crap-score" => RuleGuide {
735 example: "A complex function has little or no matching Istanbul coverage, so its CRAP score crosses the configured gate.",
736 how_to_fix: "Add focused tests for the risky branches first, then simplify the function if the score remains high.",
737 },
738 "fallow/refactoring-target" => RuleGuide {
739 example: "A file combines high complexity density, churn, fan-in, and dead-code signals.",
740 how_to_fix: "Start with the listed evidence: remove dead exports, extract complex functions, then reduce fan-out or cycles in small steps.",
741 },
742 "fallow/untested-file" | "fallow/untested-export" => RuleGuide {
743 example: "Production-reachable code has no dependency path from discovered test entry points.",
744 how_to_fix: "Add or wire a test that imports the runtime path, or update entry-point/test discovery if the existing test is invisible to fallow.",
745 },
746 "fallow/runtime-safe-to-delete"
747 | "fallow/runtime-review-required"
748 | "fallow/runtime-low-traffic"
749 | "fallow/runtime-coverage-unavailable"
750 | "fallow/runtime-coverage" => RuleGuide {
751 example: "Runtime coverage shows a function was never called, barely called, or could not be matched during the capture window.",
752 how_to_fix: "Treat high-confidence cold static-dead code as delete candidates. For advisory or unavailable coverage, inspect seasonality, workers, source maps, and capture quality first.",
753 },
754 _ => return None,
755 })
756}
757
758fn duplication_rule_guide(id: &str) -> Option<RuleGuide> {
759 Some(match id {
760 "fallow/code-duplication" => RuleGuide {
761 example: "Two files contain the same normalized token sequence across a multi-line block.",
762 how_to_fix: "Extract the shared logic when the duplicated behavior should evolve together. Leave it duplicated when the similarity is accidental and likely to diverge.",
763 },
764 _ => return None,
765 })
766}
767
768fn security_rule_guide(id: &str) -> Option<RuleGuide> {
769 Some(match id {
770 "security/tainted-sink" => RuleGuide {
771 example: "A non-literal request field reaches a catalogue sink such as security/sql-injection or security/dangerous-html. The finding is a candidate, not proof of exploitability.",
772 how_to_fix: "Trace the source, sink, sanitization, and runtime context. Fix confirmed issues with parameterization, escaping, validation, or safer APIs, and suppress only reviewed false positives with context.",
773 },
774 "security/client-server-leak" => RuleGuide {
775 example: "A module marked `use client` imports code that reads a non-public `process.env` or `import.meta.env` value through a static path.",
776 how_to_fix: "Keep non-public env reads on the server side, move the value behind an API boundary, or rename only intentionally public values to the framework's public prefix.",
777 },
778 "security/hardcoded-secret" => RuleGuide {
779 example: "A provider-prefixed token-shaped literal is assigned to a secret-shaped variable, and the hardcoded-secret category is explicitly included.",
780 how_to_fix: "Rotate real credentials, move them to a secret manager or environment variable, and keep test-only literals clearly fake so they do not resemble provider tokens.",
781 },
782 id if id.starts_with("security/") => RuleGuide {
783 example: "A `fallow security` candidate uses this catalogue category as its SARIF rule id, for example security/sql-injection for a matched SQL sink.",
784 how_to_fix: "Review the candidate trace before acting. Confirm attacker control, missing sanitization, and reachable runtime context, then fix with the category-appropriate safer API or add a reviewed suppression.",
785 },
786 _ => return None,
787 })
788}
789
790fn fallback_rule_guide() -> RuleGuide {
791 RuleGuide {
792 example: "Run the relevant command with --format json --quiet --explain to inspect this rule in context.",
793 how_to_fix: "Use the issue action hints, source location, and docs URL to decide whether to remove, move, configure, or suppress the finding.",
794 }
795}
796
797pub fn explain_issue_type(
804 issue_type: &str,
805) -> Result<fallow_output::ExplainOutput, crate::ProgrammaticError> {
806 let Some(rule) = rule_by_token(issue_type) else {
807 return Err(unknown_explain_error(issue_type));
808 };
809 let guide = rule_guide(rule);
810 Ok(fallow_output::ExplainOutput {
811 id: rule.id.to_string(),
812 name: rule_explain_name(rule).to_string(),
813 summary: rule_explain_summary(rule).to_string(),
814 rationale: rule.full.to_string(),
815 example: guide.example.to_string(),
816 how_to_fix: guide.how_to_fix.to_string(),
817 docs: rule_docs_url(rule),
818 })
819}
820
821pub fn serialize_explain_programmatic_json(
828 issue_type: &str,
829 mode: fallow_output::RootEnvelopeMode,
830 analysis_run_id: Option<&str>,
831) -> Result<serde_json::Value, crate::ProgrammaticError> {
832 let output = explain_issue_type(issue_type)?;
833 fallow_output::serialize_explain_json_output(output, mode, analysis_run_id).map_err(|error| {
834 crate::ProgrammaticError::new(format!("JSON serialization error: {error}"), 2)
835 .with_code("json_serialization")
836 })
837}
838
839#[must_use]
840pub fn unknown_explain_error(issue_type: &str) -> crate::ProgrammaticError {
841 let message = if looks_security_explain_token(issue_type) {
842 format!(
843 "unknown issue type '{issue_type}'. Try values like tainted-sink, client-server-leak, hardcoded-secret, sql-injection, or security/sql-injection"
844 )
845 } else {
846 format!(
847 "unknown issue type '{issue_type}'. Try values like unused files, unused-export, high complexity, or code duplication"
848 )
849 };
850 crate::ProgrammaticError::new(message, 2).with_code("unknown_issue_type")
851}
852
853fn looks_security_explain_token(issue_type: &str) -> bool {
854 let normalized = issue_type.trim().to_ascii_lowercase().replace('_', "-");
855 normalized.contains("security")
856 || normalized.contains("secret")
857 || normalized.contains("sink")
858 || normalized.contains("cwe")
859 || normalized.contains("client-server")
860 || normalized.contains("injection")
861}
862
863pub const HEALTH_RULES: &[RuleDef] = &[
864 RuleDef {
865 id: "fallow/high-cyclomatic-complexity",
866 category: "Health",
867 name: "High Cyclomatic Complexity",
868 short: "Function has high cyclomatic complexity",
869 full: "McCabe cyclomatic complexity exceeds the configured threshold. Cyclomatic complexity counts the number of independent paths through a function (1 + decision points: if/else, switch cases, loops, ternary, logical operators). High values indicate functions that are hard to test exhaustively. fallow also emits this rule on synthetic `<template>` findings (Angular .html templates and inline `@Component({ template: ... })` literals), counting template control-flow blocks (`@if`, `@else if`, `@for`, `@case`, `@defer (when ...)`, legacy `*ngIf`/`*ngFor`) plus ternary and logical operators inside bound attributes and `{{ }}` interpolations; and on synthetic `<component>` rollup findings whose `cyclomatic` is the worst class method's score plus the template's. Ranking and `--targets` use the rollup total; JSON exposes the per-half breakdown under `component_rollup`.",
870 docs_path: "explanations/health#cyclomatic-complexity",
871 },
872 RuleDef {
873 id: "fallow/high-cognitive-complexity",
874 category: "Health",
875 name: "High Cognitive Complexity",
876 short: "Function has high cognitive complexity",
877 full: "SonarSource cognitive complexity exceeds the configured threshold. Unlike cyclomatic complexity, cognitive complexity penalizes nesting depth and non-linear control flow (breaks, continues, early returns). It measures how hard a function is to understand when reading sequentially. fallow also emits this rule on synthetic `<template>` findings (Angular .html templates and inline `@Component({ template: ... })` literals), where nesting penalties accumulate on stacked `@if`/`@for`/`@switch` blocks; and on synthetic `<component>` rollup findings whose `cognitive` is the worst class method's score plus the template's. Ranking and `--targets` use the rollup total; JSON exposes the per-half breakdown under `component_rollup`.",
878 docs_path: "explanations/health#cognitive-complexity",
879 },
880 RuleDef {
881 id: "fallow/high-complexity",
882 category: "Health",
883 name: "High Complexity (Both)",
884 short: "Function exceeds both complexity thresholds",
885 full: "Function exceeds both cyclomatic and cognitive complexity thresholds. This is the strongest signal that a function needs refactoring, it has many paths AND is hard to understand. The same rule fires on synthetic `<template>` findings (Angular .html templates and inline `@Component({ template: ... })` literals) when both metrics exceed their thresholds, and on synthetic `<component>` rollup findings whose totals are the worst class method's score plus the template's. Ranking and `--targets` use the rollup totals; JSON exposes the per-half breakdown under `component_rollup`.",
886 docs_path: "explanations/health#complexity-metrics",
887 },
888 RuleDef {
889 id: "fallow/high-crap-score",
890 category: "Health",
891 name: "High CRAP Score",
892 short: "Function has a high CRAP score (complexity combined with low coverage)",
893 full: "The function's CRAP (Change Risk Anti-Patterns) score meets or exceeds the configured threshold. CRAP combines cyclomatic complexity with test coverage using the Savoia and Evans (2007) formula: `CC^2 * (1 - coverage/100)^3 + CC`. High CRAP indicates changes to this function carry high risk because it is complex AND poorly tested. Pair with `--coverage` for accurate per-function scoring; without it fallow estimates coverage from the module graph.",
894 docs_path: "explanations/health#crap-score",
895 },
896 RuleDef {
897 id: "fallow/refactoring-target",
898 category: "Health",
899 name: "Refactoring Target",
900 short: "File identified as a high-priority refactoring candidate",
901 full: "File identified as a refactoring candidate based on a weighted combination of complexity density, churn velocity, dead code ratio, fan-in (blast radius), and fan-out (coupling). Categories: urgent churn+complexity, break circular dependency, split high-impact file, remove dead code, extract complex functions, reduce coupling.",
902 docs_path: "explanations/health#refactoring-targets",
903 },
904 RuleDef {
905 id: "fallow/css-token-drift",
906 category: "Health",
907 name: "CSS Token Drift",
908 short: "CSS or CSS-in-JS hardcoded styling value bypasses the design token system",
909 full: "A styling value appears to bypass the project's design token system, for example a Tailwind arbitrary value in markup. The finding is advisory by default and does not affect the audit verdict unless rules.css-token-drift is set to error. Verify the value and replace it with an existing scale token when appropriate.",
910 docs_path: "explanations/health#css-token-drift",
911 },
912 RuleDef {
913 id: "fallow/css-duplicate-block",
914 category: "Health",
915 name: "CSS Duplicate Block",
916 short: "CSS or CSS-in-JS declaration block is duplicated across rules",
917 full: "A style rule declaration block is repeated across selectors, suggesting copy-pasted styling that can often be consolidated. The finding is advisory by default and does not affect the audit verdict unless rules.css-duplicate-block is set to error.",
918 docs_path: "explanations/health#css-duplicate-block",
919 },
920 RuleDef {
921 id: "fallow/css-selector-complexity",
922 category: "Health",
923 name: "CSS Selector Complexity",
924 short: "CSS selector, nesting, or important usage is structurally complex",
925 full: "A CSS or CSS-in-JS rule crosses the structural floor for selector specificity, selector complexity, nesting depth, or important usage. The finding is advisory by default and does not affect the audit verdict unless rules.css-selector-complexity is set to error.",
926 docs_path: "explanations/health#css-selector-complexity",
927 },
928 RuleDef {
929 id: "fallow/css-dead-surface",
930 category: "Health",
931 name: "CSS Dead Surface",
932 short: "CSS or CSS-in-JS surface appears unused",
933 full: "A styling surface appears unused in the analyzed project, such as a scoped SFC class with no component-local use. The finding is advisory by default and does not affect the audit verdict unless rules.css-dead-surface is set to error. Verify dynamic consumers before deleting.",
934 docs_path: "explanations/health#css-dead-surface",
935 },
936 RuleDef {
937 id: "fallow/css-broken-reference",
938 category: "Health",
939 name: "CSS Broken Reference",
940 short: "CSS or CSS-in-JS reference resolves to no stylesheet definition",
941 full: "A styling reference appears unresolved, such as a class token or keyframes name that has no stylesheet definition in the analyzed project. The finding is advisory by default and does not affect the audit verdict unless rules.css-broken-reference is set to error. Verify external or CSS-in-JS definitions before fixing.",
942 docs_path: "explanations/health#css-broken-reference",
943 },
944 RuleDef {
945 id: "fallow/untested-file",
946 category: "Health",
947 name: "Untested File",
948 short: "Runtime-reachable file has no test dependency path",
949 full: "A file is reachable from runtime entry points but not from any discovered test entry point. This indicates production code that no test imports, directly or transitively, according to the static module graph.",
950 docs_path: "explanations/health#coverage-gaps",
951 },
952 RuleDef {
953 id: "fallow/untested-export",
954 category: "Health",
955 name: "Untested Export",
956 short: "Runtime-reachable export has no test dependency path",
957 full: "A value export is reachable from runtime entry points but no test-reachable module references it. This is a static test dependency gap rather than line coverage, and highlights exports exercised only through production entry paths.",
958 docs_path: "explanations/health#coverage-gaps",
959 },
960 RuleDef {
961 id: "fallow/runtime-safe-to-delete",
962 category: "Health",
963 name: "Production Safe To Delete",
964 short: "Statically unused AND never invoked in production with V8 tracking",
965 full: "The function is both statically unreachable in the module graph and was never invoked during the observed runtime coverage window. This is the highest-confidence delete signal fallow emits.",
966 docs_path: "explanations/health#runtime-coverage",
967 },
968 RuleDef {
969 id: "fallow/runtime-review-required",
970 category: "Health",
971 name: "Production Review Required",
972 short: "Statically used but never invoked in production",
973 full: "The function is reachable in the module graph (or exercised by tests / untracked call sites) but was not invoked during the observed runtime coverage window. Needs a human look: may be seasonal, error-path only, or legitimately unused.",
974 docs_path: "explanations/health#runtime-coverage",
975 },
976 RuleDef {
977 id: "fallow/runtime-low-traffic",
978 category: "Health",
979 name: "Production Low Traffic",
980 short: "Function was invoked below the low-traffic threshold",
981 full: "The function was invoked in production but below the configured `--low-traffic-threshold` fraction of total trace count (spec default 0.1%). Effectively dead for the current period.",
982 docs_path: "explanations/health#runtime-coverage",
983 },
984 RuleDef {
985 id: "fallow/runtime-coverage-unavailable",
986 category: "Health",
987 name: "Runtime Coverage Unavailable",
988 short: "Runtime coverage could not be resolved for this function",
989 full: "The function could not be matched to a V8-tracked coverage entry. Common causes: the function lives in a worker thread (separate V8 isolate), it is lazy-parsed and never reached the JIT tier, or its source map did not resolve to the expected source path. This is advisory, not a dead-code signal.",
990 docs_path: "explanations/health#runtime-coverage",
991 },
992 RuleDef {
993 id: "fallow/runtime-coverage",
994 category: "Health",
995 name: "Runtime Coverage",
996 short: "Runtime coverage finding",
997 full: "Generic runtime-coverage finding for verdicts not covered by a more specific rule. Covers the forward-compat `unknown` sentinel; the CLI filters `active` entries out of `runtime_coverage.findings` so the surfaced list stays actionable.",
998 docs_path: "explanations/health#runtime-coverage",
999 },
1000 RuleDef {
1001 id: "fallow/coverage-intelligence-risky-change",
1002 category: "Health",
1003 name: "Coverage Intelligence Risky Change",
1004 short: "Changed hot path combines high CRAP and low test coverage",
1005 full: "Coverage intelligence combined change scope, runtime hot-path evidence, low test coverage, and high CRAP into a risky-change finding. Add focused tests or split the change before merging.",
1006 docs_path: "explanations/health#coverage-intelligence",
1007 },
1008 RuleDef {
1009 id: "fallow/coverage-intelligence-delete",
1010 category: "Health",
1011 name: "Coverage Intelligence Delete",
1012 short: "Static and runtime evidence indicate code can be deleted",
1013 full: "Coverage intelligence combined static unused status, runtime cold evidence, and lack of test reachability into a high-confidence delete recommendation.",
1014 docs_path: "explanations/health#coverage-intelligence",
1015 },
1016 RuleDef {
1017 id: "fallow/coverage-intelligence-review",
1018 category: "Health",
1019 name: "Coverage Intelligence Review",
1020 short: "Cold reachable uncovered code needs owner review",
1021 full: "Coverage intelligence found code that is statically reachable but cold in runtime evidence, uncovered by tests, and ownership-risky. Route it to an owner before changing or deleting it.",
1022 docs_path: "explanations/health#coverage-intelligence",
1023 },
1024 RuleDef {
1025 id: "fallow/coverage-intelligence-refactor",
1026 category: "Health",
1027 name: "Coverage Intelligence Refactor",
1028 short: "Hot covered code has high CRAP and should be refactored carefully",
1029 full: "Coverage intelligence found hot production code that is covered by tests but still has high CRAP. Refactor carefully while preserving behavior.",
1030 docs_path: "explanations/health#coverage-intelligence",
1031 },
1032];
1033
1034pub const DUPES_RULES: &[RuleDef] = &[RuleDef {
1035 id: "fallow/code-duplication",
1036 category: "Duplication",
1037 name: "Code Duplication",
1038 short: "Duplicated code block",
1039 full: "A block of code that appears in multiple locations with identical or near-identical token sequences. Clone detection uses normalized token comparison: identifier names and literals are abstracted away in non-strict modes.",
1040 docs_path: "explanations/duplication#clone-groups",
1041}];
1042
1043pub const FLAGS_RULES: &[RuleDef] = &[RuleDef {
1044 id: "fallow/feature-flag",
1045 category: "Flags",
1046 name: "Feature Flags",
1047 short: "Detected feature flag pattern",
1048 full: "A feature flag pattern detected by `fallow flags`: environment-variable checks, flag SDK calls (LaunchDarkly, Unleash, and similar), or config-object lookups. Long-lived flags accumulate dead branches; review old flags for retirement and pair with dead-code analysis to find branches that can no longer execute.",
1049 docs_path: "cli/flags",
1050}];
1051
1052macro_rules! security_catalogue_rule {
1053 ($id:literal, $name:literal, $cwe:literal) => {
1054 RuleDef {
1055 id: concat!("security/", $id),
1056 category: "Security",
1057 name: $name,
1058 short: concat!("Catalogue security candidate for CWE-", $cwe),
1059 full: concat!(
1060 $name,
1061 " is a data-driven `fallow security` tainted-sink catalogue category with CWE-",
1062 $cwe,
1063 " metadata. fallow reports it as an unverified candidate when a captured sink shape matches this category. Use it to understand or filter `security/",
1064 $id,
1065 "` findings, then inspect the trace, source, sink, sanitization, and application context before treating it as exploitable."
1066 ),
1067 docs_path: "cli/security",
1068 }
1069 };
1070}
1071
1072pub const SECURITY_RULES: &[RuleDef] = &[
1073 RuleDef {
1074 id: "security/tainted-sink",
1075 category: "Security",
1076 name: "Tainted Sink Candidates",
1077 short: "Syntactic security sink candidates require verification",
1078 full: "The `tainted-sink` family covers data-driven `fallow security` catalogue categories. These findings are unverified candidates, not confirmed vulnerabilities. fallow can connect known source signals to captured sink shapes and add CWE metadata, but it does not prove attacker control, missing sanitization, exploitability, or business impact.",
1079 docs_path: "cli/security",
1080 },
1081 RuleDef {
1082 id: "security/client-server-leak",
1083 category: "Security",
1084 name: "Client-server Secret Leak Candidates",
1085 short: "Client-bound code reaches a non-public env read",
1086 full: "`client-server-leak` reports a candidate when a `use client` module can transitively reach a static non-public `process.env` or `import.meta.env` read. Public-by-convention env prefixes are treated as public. The finding is advisory and still needs bundle, framework, and runtime verification before treating it as a real exposure.",
1087 docs_path: "cli/security",
1088 },
1089 RuleDef {
1090 id: "security/hardcoded-secret",
1091 category: "Security",
1092 name: "Hardcoded Secret Candidates",
1093 short: "Provider-prefixed or contextual secret literals require verification",
1094 full: "`hardcoded-secret` reports opt-in candidates for provider-prefixed or contextual secret-shaped literals. The category is include-required and only runs when listed in `security.categories.include`. It avoids raw entropy alone, but every result still requires review, secret rotation decisions, and context before acting.",
1095 docs_path: "cli/security",
1096 },
1097 security_catalogue_rule!("dangerous-html", "Dangerous HTML sink", "79"),
1098 security_catalogue_rule!(
1099 "template-escape-bypass",
1100 "Template escape bypass sink",
1101 "79"
1102 ),
1103 security_catalogue_rule!("command-injection", "OS command injection sink", "78"),
1104 security_catalogue_rule!("code-injection", "Code injection sink", "94"),
1105 security_catalogue_rule!("dynamic-regex", "Dynamic regular expression sink", "1333"),
1106 security_catalogue_rule!("redos-regex", "ReDoS regex sink", "1333"),
1107 security_catalogue_rule!(
1108 "resource-amplification",
1109 "Resource amplification sink",
1110 "400"
1111 ),
1112 security_catalogue_rule!("dynamic-module-load", "Dynamic module load sink", "95"),
1113 security_catalogue_rule!("sql-injection", "SQL injection sink", "89"),
1114 security_catalogue_rule!("ssrf", "Server-side request forgery sink", "918"),
1115 security_catalogue_rule!(
1116 "secret-to-network",
1117 "Secret reaches a network request",
1118 "201"
1119 ),
1120 security_catalogue_rule!("path-traversal", "Path traversal sink", "22"),
1121 security_catalogue_rule!(
1122 "header-injection",
1123 "HTTP response header injection sink",
1124 "113"
1125 ),
1126 security_catalogue_rule!("open-redirect", "Open redirect sink", "601"),
1127 security_catalogue_rule!(
1128 "postmessage-wildcard-origin",
1129 "Wildcard postMessage target origin",
1130 "346"
1131 ),
1132 security_catalogue_rule!("tls-validation-disabled", "TLS validation disabled", "295"),
1133 security_catalogue_rule!("cleartext-transport", "Cleartext transport URL", "319"),
1134 security_catalogue_rule!(
1135 "electron-unsafe-webpreferences",
1136 "Unsafe Electron BrowserWindow preferences",
1137 "1188"
1138 ),
1139 security_catalogue_rule!(
1140 "world-writable-permission",
1141 "World-writable chmod mode",
1142 "732"
1143 ),
1144 security_catalogue_rule!(
1145 "insecure-temp-file",
1146 "Predictable temporary file path",
1147 "377"
1148 ),
1149 security_catalogue_rule!(
1150 "mysql-multiple-statements",
1151 "MySQL multiple statements enabled",
1152 "89"
1153 ),
1154 security_catalogue_rule!("permissive-cors", "Permissive CORS policy", "942"),
1155 security_catalogue_rule!("insecure-cookie", "Insecure cookie options", "614"),
1156 security_catalogue_rule!("mass-assignment", "Mass assignment sink", "915"),
1157 security_catalogue_rule!("weak-crypto", "Runtime-selectable crypto algorithm", "327"),
1158 security_catalogue_rule!("insecure-randomness", "Insecure randomness sink", "338"),
1159 security_catalogue_rule!("jwt-alg-none", "JWT alg none", "347"),
1160 security_catalogue_rule!(
1161 "jwt-verify-missing-algorithms",
1162 "JWT verify missing algorithms allowlist",
1163 "347"
1164 ),
1165 security_catalogue_rule!("deprecated-cipher", "Deprecated cipher constructor", "327"),
1166 security_catalogue_rule!(
1167 "unsafe-buffer-alloc",
1168 "Unsafe Buffer allocation sink",
1169 "1188"
1170 ),
1171 security_catalogue_rule!(
1172 "unsafe-deserialization",
1173 "Unsafe deserialization sink",
1174 "502"
1175 ),
1176 security_catalogue_rule!(
1177 "angular-trusted-html",
1178 "Angular bypassSecurityTrust sink",
1179 "79"
1180 ),
1181 security_catalogue_rule!("nextjs-open-redirect", "Next.js open redirect sink", "601"),
1182 security_catalogue_rule!("dom-document-write", "DOM document.write sink", "79"),
1183 security_catalogue_rule!("jquery-html", "jQuery .html() sink", "79"),
1184 security_catalogue_rule!(
1185 "route-send-file",
1186 "Route file-send path traversal sink",
1187 "22"
1188 ),
1189 security_catalogue_rule!("webview-injection", "WebView injected-script sink", "94"),
1190 security_catalogue_rule!("prototype-pollution", "Prototype pollution sink", "1321"),
1191 security_catalogue_rule!("zip-slip", "Archive path-traversal (zip-slip) sink", "22"),
1192 security_catalogue_rule!("nosql-injection", "NoSQL injection sink", "943"),
1193 security_catalogue_rule!("ssti", "Server-side template injection sink", "1336"),
1194 security_catalogue_rule!("xxe", "XML external entity (XXE) sink", "611"),
1195 security_catalogue_rule!("secret-pii-log", "Secret or PII logged", "532"),
1196 security_catalogue_rule!("xpath-injection", "XPath injection sink", "643"),
1197 security_catalogue_rule!(
1198 "llm-call-injection",
1199 "Untrusted input reaches an LLM call",
1200 "1427"
1201 ),
1202];
1203
1204#[must_use]
1206pub fn security_meta() -> fallow_types::envelope::Meta {
1207 fallow_output::security_meta(SECURITY_RULES.iter().map(|rule| {
1208 fallow_output::SecurityRuleMeta {
1209 id: rule.id,
1210 name: rule.name,
1211 description: rule.full,
1212 docs_path: rule.docs_path,
1213 }
1214 }))
1215}
1216
1217#[must_use]
1219pub fn coverage_setup_meta() -> Value {
1220 fallow_output::coverage_setup_meta()
1221}
1222
1223#[must_use]
1225pub fn coverage_analyze_meta() -> Value {
1226 fallow_output::coverage_analyze_meta()
1227}
1228
1229#[cfg(test)]
1230#[allow(
1231 clippy::unwrap_used,
1232 reason = "registry tests intentionally index fixture JSON"
1233)]
1234mod tests {
1235 use super::*;
1236 use serde_json::json;
1237
1238 fn meta_value(meta: fallow_types::envelope::Meta) -> Value {
1239 serde_json::to_value(meta).expect("metadata should serialize")
1240 }
1241
1242 fn check_meta() -> Value {
1243 meta_value(fallow_output::check_meta())
1244 }
1245
1246 fn health_meta() -> Value {
1247 meta_value(fallow_output::health_meta())
1248 }
1249
1250 fn dupes_meta() -> Value {
1251 meta_value(fallow_output::dupes_meta())
1252 }
1253
1254 #[test]
1255 fn rule_by_id_finds_check_rule() {
1256 let rule = rule_by_id("fallow/unused-file").unwrap();
1257 assert_eq!(rule.name, "Unused Files");
1258 }
1259
1260 #[test]
1261 fn rule_by_id_finds_health_rule() {
1262 let rule = rule_by_id("fallow/high-cyclomatic-complexity").unwrap();
1263 assert_eq!(rule.name, "High Cyclomatic Complexity");
1264 }
1265
1266 #[test]
1267 fn rule_by_id_finds_dupes_rule() {
1268 let rule = rule_by_id("fallow/code-duplication").unwrap();
1269 assert_eq!(rule.name, "Code Duplication");
1270 }
1271
1272 #[test]
1273 fn rule_by_id_finds_security_rule() {
1274 let rule = rule_by_id("security/tainted-sink").unwrap();
1275 assert_eq!(rule.name, "Tainted Sink Candidates");
1276 }
1277
1278 #[test]
1279 fn rule_by_id_returns_none_for_unknown() {
1280 assert!(rule_by_id("fallow/nonexistent").is_none());
1281 assert!(rule_by_id("").is_none());
1282 }
1283
1284 #[test]
1285 fn rule_docs_url_format() {
1286 let rule = rule_by_id("fallow/unused-export").unwrap();
1287 let url = rule_docs_url(rule);
1288 assert!(url.starts_with("https://docs.fallow.tools/"));
1289 assert!(url.contains("unused-exports"));
1290 }
1291
1292 #[test]
1293 fn explain_output_prefers_issue_result_registry_contract_fields() {
1294 let output = explain_issue_type("unused-type").unwrap();
1295 let meta = fallow_types::issue_meta::issue_result_meta_by_code("unused-type").unwrap();
1296 assert_eq!(output.name, meta.meta_name);
1297 assert_eq!(output.summary, meta.sarif_description);
1298 assert_eq!(
1299 output.docs,
1300 format!("https://docs.fallow.tools/{}", meta.meta_docs_path)
1301 );
1302 }
1303
1304 #[test]
1305 fn result_sarif_rule_ids_have_explain_metadata() {
1306 for contract in fallow_output::issue_output_contracts() {
1307 for rule_id in contract.sarif_rule_ids {
1308 assert!(
1309 rule_by_id(&rule_id).is_some(),
1310 "result metadata code {} has SARIF rule id {rule_id} without RuleDef",
1311 contract.code
1312 );
1313 }
1314 }
1315 }
1316
1317 #[test]
1318 fn registry_dead_code_tokens_resolve_to_explain_rules() {
1319 for meta in fallow_types::issue_meta::ISSUE_KIND_META {
1320 let Some(expected) = CHECK_RULES
1321 .iter()
1322 .find(|rule| rule.id.strip_prefix("fallow/") == Some(meta.code))
1323 else {
1324 continue;
1325 };
1326 assert_registry_token(expected, meta.code);
1327 for token in meta.aliases {
1328 assert_registry_token(expected, token);
1329 }
1330 if let Some(token) = meta.config_key {
1331 assert_registry_token(expected, token);
1332 }
1333 if let Some(token) = meta.mcp_issue_type {
1334 assert_registry_token(expected, token);
1335 }
1336 if let Some(token) = meta.filter_flag {
1337 assert_registry_token(expected, token);
1338 }
1339 if let Some(token) = meta.suppress_token {
1340 assert_registry_token(expected, token);
1341 }
1342 }
1343 }
1344
1345 fn assert_registry_token(expected: &RuleDef, token: &str) {
1346 if !registry_token_is_unique(token) {
1347 return;
1348 }
1349 let actual = rule_by_token(token)
1350 .unwrap_or_else(|| panic!("registry token {token} did not resolve to an explain rule"));
1351 assert_eq!(
1352 actual.id, expected.id,
1353 "registry token {token} resolved to the wrong explain rule"
1354 );
1355 }
1356
1357 fn registry_token_is_unique(token: &str) -> bool {
1358 fallow_types::issue_meta::ISSUE_KIND_META
1359 .iter()
1360 .filter(|meta| {
1361 CHECK_RULES
1362 .iter()
1363 .any(|rule| rule.id.strip_prefix("fallow/") == Some(meta.code))
1364 && fallow_types::issue_meta::issue_meta_matches_contract_token(meta, token)
1365 })
1366 .count()
1367 == 1
1368 }
1369
1370 #[test]
1371 fn check_rules_all_have_fallow_prefix() {
1372 for rule in CHECK_RULES {
1373 assert!(
1374 rule.id.starts_with("fallow/"),
1375 "rule {} should start with fallow/",
1376 rule.id
1377 );
1378 }
1379 }
1380
1381 #[test]
1382 fn check_rules_all_have_docs_path() {
1383 for rule in CHECK_RULES {
1384 assert!(
1385 !rule.docs_path.is_empty(),
1386 "rule {} should have a docs_path",
1387 rule.id
1388 );
1389 }
1390 }
1391
1392 #[test]
1393 fn check_rules_no_duplicate_ids() {
1394 let mut seen = rustc_hash::FxHashSet::default();
1395 for rule in CHECK_RULES
1396 .iter()
1397 .chain(HEALTH_RULES)
1398 .chain(DUPES_RULES)
1399 .chain(FLAGS_RULES)
1400 .chain(SECURITY_RULES)
1401 {
1402 assert!(seen.insert(rule.id), "duplicate rule id: {}", rule.id);
1403 }
1404 }
1405
1406 #[test]
1407 fn check_meta_has_docs_and_rules() {
1408 let meta = check_meta();
1409 assert!(meta.get("docs").is_some());
1410 assert!(meta.get("rules").is_some());
1411 let rules = meta["rules"].as_object().unwrap();
1412 assert_eq!(rules.len(), CHECK_RULES.len());
1413 assert!(rules.contains_key("unused-file"));
1414 assert!(rules.contains_key("unused-export"));
1415 assert!(rules.contains_key("unused-type"));
1416 assert!(rules.contains_key("unused-dependency"));
1417 assert!(rules.contains_key("unused-dev-dependency"));
1418 assert!(rules.contains_key("unused-optional-dependency"));
1419 assert!(rules.contains_key("unused-enum-member"));
1420 assert!(rules.contains_key("unused-class-member"));
1421 assert!(rules.contains_key("unresolved-import"));
1422 assert!(rules.contains_key("unlisted-dependency"));
1423 assert!(rules.contains_key("duplicate-export"));
1424 assert!(rules.contains_key("type-only-dependency"));
1425 assert!(rules.contains_key("circular-dependency"));
1426 }
1427
1428 #[test]
1429 fn check_meta_documents_per_finding_auto_fixable() {
1430 let meta = check_meta();
1431 let defs = meta["field_definitions"].as_object().unwrap();
1432 let note = defs["actions[].auto_fixable"].as_str().unwrap();
1433 assert!(
1434 note.contains("PER FINDING"),
1435 "auto_fixable note must call out per-finding evaluation"
1436 );
1437 assert!(
1438 note.contains("remove-catalog-entry"),
1439 "auto_fixable note must cite remove-catalog-entry per-instance flip"
1440 );
1441 assert!(
1442 note.contains("used_in_workspaces"),
1443 "auto_fixable note must cite the dependency-action per-instance flip"
1444 );
1445 assert!(
1446 note.contains("ignoreExports"),
1447 "auto_fixable note must cite the duplicate-exports config-fixable flip"
1448 );
1449 assert!(defs.contains_key("actions[]"));
1450 }
1451
1452 #[test]
1453 fn health_and_dupes_meta_share_actions_field_definitions() {
1454 for meta in [health_meta(), dupes_meta()] {
1455 let defs = meta["field_definitions"].as_object().unwrap();
1456 assert_eq!(
1457 defs["actions[]"].as_str().unwrap(),
1458 fallow_output::ACTIONS_FIELD_DEFINITION,
1459 );
1460 assert_eq!(
1461 defs["actions[].auto_fixable"].as_str().unwrap(),
1462 fallow_output::ACTIONS_AUTO_FIXABLE_FIELD_DEFINITION,
1463 );
1464 }
1465 }
1466
1467 #[test]
1468 fn check_meta_rule_has_required_fields() {
1469 let meta = check_meta();
1470 let rules = meta["rules"].as_object().unwrap();
1471 for (key, value) in rules {
1472 assert!(value.get("name").is_some(), "rule {key} missing 'name'");
1473 assert!(
1474 value.get("description").is_some(),
1475 "rule {key} missing 'description'"
1476 );
1477 assert!(value.get("docs").is_some(), "rule {key} missing 'docs'");
1478 }
1479 }
1480
1481 #[test]
1482 fn health_meta_has_metrics() {
1483 let meta = health_meta();
1484 assert!(meta.get("docs").is_some());
1485 let metrics = meta["metrics"].as_object().unwrap();
1486 assert!(metrics.contains_key("cyclomatic"));
1487 assert!(metrics.contains_key("cognitive"));
1488 assert!(metrics.contains_key("maintainability_index"));
1489 assert!(metrics.contains_key("complexity_density"));
1490 assert!(metrics.contains_key("fan_in"));
1491 assert!(metrics.contains_key("fan_out"));
1492 }
1493
1494 #[test]
1495 fn dupes_meta_has_metrics() {
1496 let meta = dupes_meta();
1497 assert!(meta.get("docs").is_some());
1498 let metrics = meta["metrics"].as_object().unwrap();
1499 assert!(metrics.contains_key("duplication_percentage"));
1500 assert!(metrics.contains_key("token_count"));
1501 assert!(metrics.contains_key("clone_groups"));
1502 assert!(metrics.contains_key("clone_families"));
1503 }
1504
1505 #[test]
1506 fn coverage_setup_meta_has_docs_fields_enums_and_warnings() {
1507 let meta = coverage_setup_meta();
1508 assert_eq!(meta["docs_url"], fallow_output::COVERAGE_SETUP_DOCS);
1509 assert!(
1510 meta["field_definitions"]
1511 .as_object()
1512 .unwrap()
1513 .contains_key("members[]")
1514 );
1515 assert!(
1516 meta["field_definitions"]
1517 .as_object()
1518 .unwrap()
1519 .contains_key("config_written")
1520 );
1521 assert!(
1522 meta["field_definitions"]
1523 .as_object()
1524 .unwrap()
1525 .contains_key("members[].package_manager")
1526 );
1527 assert!(
1528 meta["field_definitions"]
1529 .as_object()
1530 .unwrap()
1531 .contains_key("members[].warnings")
1532 );
1533 assert!(
1534 meta["enums"]
1535 .as_object()
1536 .unwrap()
1537 .contains_key("framework_detected")
1538 );
1539 assert!(
1540 meta["warnings"]
1541 .as_object()
1542 .unwrap()
1543 .contains_key("No runtime workspace members were detected")
1544 );
1545 assert!(
1546 meta["warnings"]
1547 .as_object()
1548 .unwrap()
1549 .contains_key("Package manager was not detected")
1550 );
1551 }
1552
1553 #[test]
1554 fn coverage_analyze_meta_documents_data_source_and_action_vocabulary() {
1555 let meta = coverage_analyze_meta();
1556 assert_eq!(meta["docs_url"], fallow_output::COVERAGE_ANALYZE_DOCS);
1557 let fields = meta["field_definitions"].as_object().unwrap();
1558 assert!(fields.contains_key("runtime_coverage.summary.data_source"));
1559 assert!(fields.contains_key("runtime_coverage.summary.last_received_at"));
1560 assert!(fields.contains_key("runtime_coverage.findings[].evidence.test_coverage"));
1561 assert!(fields.contains_key("runtime_coverage.findings[].actions[].type"));
1562 let enums = meta["enums"].as_object().unwrap();
1563 assert_eq!(enums["data_source"], json!(["local", "cloud"]));
1564 assert_eq!(enums["test_coverage"], json!(["covered", "not_covered"]));
1565 assert_eq!(enums["v8_tracking"], json!(["tracked", "untracked"]));
1566 assert_eq!(
1567 enums["action_type"],
1568 json!(["delete-cold-code", "review-runtime"])
1569 );
1570 let warnings = meta["warnings"].as_object().unwrap();
1571 assert!(warnings.contains_key("cloud_functions_unmatched"));
1572 }
1573
1574 #[test]
1575 fn health_rules_all_have_fallow_prefix() {
1576 for rule in HEALTH_RULES {
1577 assert!(
1578 rule.id.starts_with("fallow/"),
1579 "health rule {} should start with fallow/",
1580 rule.id
1581 );
1582 }
1583 }
1584
1585 #[test]
1586 fn health_rules_all_have_docs_path() {
1587 for rule in HEALTH_RULES {
1588 assert!(
1589 !rule.docs_path.is_empty(),
1590 "health rule {} should have a docs_path",
1591 rule.id
1592 );
1593 }
1594 }
1595
1596 #[test]
1597 fn health_rules_all_have_non_empty_fields() {
1598 for rule in HEALTH_RULES {
1599 assert!(
1600 !rule.name.is_empty(),
1601 "health rule {} missing name",
1602 rule.id
1603 );
1604 assert!(
1605 !rule.short.is_empty(),
1606 "health rule {} missing short description",
1607 rule.id
1608 );
1609 assert!(
1610 !rule.full.is_empty(),
1611 "health rule {} missing full description",
1612 rule.id
1613 );
1614 }
1615 }
1616
1617 #[test]
1618 fn dupes_rules_all_have_fallow_prefix() {
1619 for rule in DUPES_RULES {
1620 assert!(
1621 rule.id.starts_with("fallow/"),
1622 "dupes rule {} should start with fallow/",
1623 rule.id
1624 );
1625 }
1626 }
1627
1628 #[test]
1629 fn dupes_rules_all_have_docs_path() {
1630 for rule in DUPES_RULES {
1631 assert!(
1632 !rule.docs_path.is_empty(),
1633 "dupes rule {} should have a docs_path",
1634 rule.id
1635 );
1636 }
1637 }
1638
1639 #[test]
1640 fn dupes_rules_all_have_non_empty_fields() {
1641 for rule in DUPES_RULES {
1642 assert!(!rule.name.is_empty(), "dupes rule {} missing name", rule.id);
1643 assert!(
1644 !rule.short.is_empty(),
1645 "dupes rule {} missing short description",
1646 rule.id
1647 );
1648 assert!(
1649 !rule.full.is_empty(),
1650 "dupes rule {} missing full description",
1651 rule.id
1652 );
1653 }
1654 }
1655
1656 #[test]
1657 fn security_rules_all_have_security_prefix() {
1658 for rule in SECURITY_RULES {
1659 assert!(
1660 rule.id.starts_with("security/"),
1661 "security rule {} should start with security/",
1662 rule.id
1663 );
1664 }
1665 }
1666
1667 #[test]
1668 fn security_rules_all_have_docs_path() {
1669 for rule in SECURITY_RULES {
1670 assert_eq!(
1671 rule.docs_path, "cli/security",
1672 "security rule {} should point at security docs",
1673 rule.id
1674 );
1675 }
1676 }
1677
1678 #[test]
1679 fn security_rules_all_have_non_empty_fields() {
1680 for rule in SECURITY_RULES {
1681 assert!(
1682 !rule.name.is_empty(),
1683 "security rule {} missing name",
1684 rule.id
1685 );
1686 assert!(
1687 !rule.short.is_empty(),
1688 "security rule {} missing short description",
1689 rule.id
1690 );
1691 assert!(
1692 !rule.full.is_empty(),
1693 "security rule {} missing full description",
1694 rule.id
1695 );
1696 }
1697 }
1698
1699 #[test]
1700 fn check_rules_all_have_non_empty_fields() {
1701 for rule in CHECK_RULES {
1702 assert!(!rule.name.is_empty(), "check rule {} missing name", rule.id);
1703 assert!(
1704 !rule.short.is_empty(),
1705 "check rule {} missing short description",
1706 rule.id
1707 );
1708 assert!(
1709 !rule.full.is_empty(),
1710 "check rule {} missing full description",
1711 rule.id
1712 );
1713 }
1714 }
1715
1716 #[test]
1717 fn rule_docs_url_health_rule() {
1718 let rule = rule_by_id("fallow/high-cyclomatic-complexity").unwrap();
1719 let url = rule_docs_url(rule);
1720 assert!(url.starts_with("https://docs.fallow.tools/"));
1721 assert!(url.contains("health"));
1722 }
1723
1724 #[test]
1725 fn rule_docs_url_dupes_rule() {
1726 let rule = rule_by_id("fallow/code-duplication").unwrap();
1727 let url = rule_docs_url(rule);
1728 assert!(url.starts_with("https://docs.fallow.tools/"));
1729 assert!(url.contains("duplication"));
1730 }
1731
1732 #[test]
1733 fn rule_docs_url_security_rule() {
1734 let rule = rule_by_id("security/sql-injection").unwrap();
1735 let url = rule_docs_url(rule);
1736 assert_eq!(url, "https://docs.fallow.tools/cli/security");
1737 }
1738
1739 #[test]
1740 fn health_meta_all_metrics_have_name_and_description() {
1741 let meta = health_meta();
1742 let metrics = meta["metrics"].as_object().unwrap();
1743 for (key, value) in metrics {
1744 assert!(
1745 value.get("name").is_some(),
1746 "health metric {key} missing 'name'"
1747 );
1748 assert!(
1749 value.get("description").is_some(),
1750 "health metric {key} missing 'description'"
1751 );
1752 assert!(
1753 value.get("interpretation").is_some(),
1754 "health metric {key} missing 'interpretation'"
1755 );
1756 }
1757 }
1758
1759 #[test]
1760 fn health_meta_has_all_expected_metrics() {
1761 let meta = health_meta();
1762 let metrics = meta["metrics"].as_object().unwrap();
1763 let expected = [
1764 "cyclomatic",
1765 "cognitive",
1766 "line_count",
1767 "lines",
1768 "maintainability_index",
1769 "complexity_density",
1770 "dead_code_ratio",
1771 "fan_in",
1772 "fan_out",
1773 "score",
1774 "weighted_commits",
1775 "trend",
1776 "priority",
1777 "efficiency",
1778 "effort",
1779 "confidence",
1780 "bus_factor",
1781 "contributor_count",
1782 "share",
1783 "stale_days",
1784 "drift",
1785 "unowned",
1786 "runtime_coverage_verdict",
1787 "runtime_coverage_state",
1788 "runtime_coverage_confidence",
1789 "production_invocations",
1790 "percent_dead_in_production",
1791 ];
1792 for key in &expected {
1793 assert!(
1794 metrics.contains_key(*key),
1795 "health_meta missing expected metric: {key}"
1796 );
1797 }
1798 }
1799
1800 #[test]
1801 fn dupes_meta_all_metrics_have_name_and_description() {
1802 let meta = dupes_meta();
1803 let metrics = meta["metrics"].as_object().unwrap();
1804 for (key, value) in metrics {
1805 assert!(
1806 value.get("name").is_some(),
1807 "dupes metric {key} missing 'name'"
1808 );
1809 assert!(
1810 value.get("description").is_some(),
1811 "dupes metric {key} missing 'description'"
1812 );
1813 }
1814 }
1815
1816 #[test]
1817 fn dupes_meta_has_line_count() {
1818 let meta = dupes_meta();
1819 let metrics = meta["metrics"].as_object().unwrap();
1820 assert!(metrics.contains_key("line_count"));
1821 }
1822
1823 #[test]
1824 fn check_docs_url_valid() {
1825 assert!(fallow_output::CHECK_DOCS.starts_with("https://"));
1826 assert!(fallow_output::CHECK_DOCS.contains("dead-code"));
1827 }
1828
1829 #[test]
1830 fn health_docs_url_valid() {
1831 assert!(fallow_output::HEALTH_DOCS.starts_with("https://"));
1832 assert!(fallow_output::HEALTH_DOCS.contains("health"));
1833 }
1834
1835 #[test]
1836 fn dupes_docs_url_valid() {
1837 assert!(fallow_output::DUPES_DOCS.starts_with("https://"));
1838 assert!(fallow_output::DUPES_DOCS.contains("dupes"));
1839 }
1840
1841 #[test]
1842 fn check_meta_docs_url_matches_constant() {
1843 let meta = check_meta();
1844 assert_eq!(meta["docs"].as_str().unwrap(), fallow_output::CHECK_DOCS);
1845 }
1846
1847 #[test]
1848 fn health_meta_docs_url_matches_constant() {
1849 let meta = health_meta();
1850 assert_eq!(meta["docs"].as_str().unwrap(), fallow_output::HEALTH_DOCS);
1851 }
1852
1853 #[test]
1854 fn dupes_meta_docs_url_matches_constant() {
1855 let meta = dupes_meta();
1856 assert_eq!(meta["docs"].as_str().unwrap(), fallow_output::DUPES_DOCS);
1857 }
1858
1859 #[test]
1860 fn rule_by_id_finds_all_check_rules() {
1861 for rule in CHECK_RULES {
1862 assert!(
1863 rule_by_id(rule.id).is_some(),
1864 "rule_by_id should find check rule {}",
1865 rule.id
1866 );
1867 }
1868 }
1869
1870 #[test]
1871 fn rule_by_id_finds_all_health_rules() {
1872 for rule in HEALTH_RULES {
1873 assert!(
1874 rule_by_id(rule.id).is_some(),
1875 "rule_by_id should find health rule {}",
1876 rule.id
1877 );
1878 }
1879 }
1880
1881 #[test]
1882 fn rule_by_id_finds_all_dupes_rules() {
1883 for rule in DUPES_RULES {
1884 assert!(
1885 rule_by_id(rule.id).is_some(),
1886 "rule_by_id should find dupes rule {}",
1887 rule.id
1888 );
1889 }
1890 }
1891
1892 #[test]
1893 fn rule_by_id_finds_all_security_rules() {
1894 for rule in SECURITY_RULES {
1895 assert!(
1896 rule_by_id(rule.id).is_some(),
1897 "rule_by_id should find security rule {}",
1898 rule.id
1899 );
1900 }
1901 }
1902
1903 #[test]
1904 fn check_rules_count() {
1905 assert_eq!(CHECK_RULES.len(), 45);
1906 }
1907
1908 #[test]
1909 fn health_rules_count() {
1910 assert_eq!(HEALTH_RULES.len(), 21);
1911 }
1912
1913 #[test]
1914 fn dupes_rules_count() {
1915 assert_eq!(DUPES_RULES.len(), 1);
1916 }
1917
1918 #[test]
1919 fn flags_rules_count() {
1920 assert_eq!(FLAGS_RULES.len(), 1);
1921 }
1922
1923 #[test]
1924 fn security_rules_count() {
1925 assert_eq!(
1926 SECURITY_RULES.len(),
1927 matcher_entries_from_security_catalogue().len() + 3
1928 );
1929 }
1930
1931 #[test]
1932 fn security_rules_cover_every_catalogue_matcher() {
1933 let mut rule_ids = rustc_hash::FxHashSet::default();
1934 for rule in SECURITY_RULES {
1935 rule_ids.insert(rule.id);
1936 }
1937
1938 for matcher in matcher_entries_from_security_catalogue() {
1939 let rule_id = format!("security/{}", matcher.id);
1940 assert!(
1941 rule_ids.contains(rule_id.as_str()),
1942 "security matcher {} has no explain rule",
1943 matcher.id
1944 );
1945 }
1946 }
1947
1948 #[test]
1949 fn security_catalogue_rules_match_catalogue_title_and_cwe() {
1950 for matcher in matcher_entries_from_security_catalogue() {
1951 let rule_id = format!("security/{}", matcher.id);
1952 let rule = rule_by_id(&rule_id)
1953 .unwrap_or_else(|| panic!("security matcher {} has no explain rule", matcher.id));
1954 let cwe = format!("CWE-{}", matcher.cwe);
1955 assert_eq!(
1956 rule.name, matcher.title,
1957 "security matcher {} has stale explain title",
1958 matcher.id
1959 );
1960 assert!(
1961 rule.short.contains(&cwe),
1962 "security matcher {} explain summary does not mention {cwe}",
1963 matcher.id
1964 );
1965 assert!(
1966 rule.full.contains(&cwe),
1967 "security matcher {} explain rationale does not mention {cwe}",
1968 matcher.id
1969 );
1970 }
1971 }
1972
1973 #[test]
1979 fn every_rule_declares_a_category() {
1980 let allowed = [
1981 "Dead code",
1982 "Dependencies",
1983 "Duplication",
1984 "Health",
1985 "Architecture",
1986 "Suppressions",
1987 "Security",
1988 "Policy",
1989 "Flags",
1990 ];
1991 for rule in CHECK_RULES
1992 .iter()
1993 .chain(HEALTH_RULES)
1994 .chain(DUPES_RULES)
1995 .chain(FLAGS_RULES)
1996 .chain(SECURITY_RULES)
1997 {
1998 assert!(
1999 !rule.category.is_empty(),
2000 "rule {} has empty category",
2001 rule.id
2002 );
2003 assert!(
2004 allowed.contains(&rule.category),
2005 "rule {} has unrecognised category {:?}; add to allowlist or pick from {:?}",
2006 rule.id,
2007 rule.category,
2008 allowed
2009 );
2010 }
2011 }
2012
2013 #[derive(Debug)]
2014 struct MatcherEntry {
2015 id: &'static str,
2016 title: &'static str,
2017 cwe: &'static str,
2018 }
2019
2020 fn matcher_entries_from_security_catalogue() -> Vec<MatcherEntry> {
2021 let toml = include_str!("../../security/data/security_matchers.toml");
2022 let mut entries = Vec::new();
2023 let mut in_matcher = false;
2024 let mut id = None;
2025 let mut title = None;
2026 let mut cwe = None;
2027
2028 for line in toml.lines() {
2029 let trimmed = line.trim();
2030 if trimmed == "[[matcher]]" {
2031 if let (Some(id), Some(title), Some(cwe)) = (id.take(), title.take(), cwe.take()) {
2032 entries.push(MatcherEntry { id, title, cwe });
2033 }
2034 in_matcher = true;
2035 continue;
2036 }
2037 if trimmed.starts_with("[[") {
2038 if let (Some(id), Some(title), Some(cwe)) = (id.take(), title.take(), cwe.take()) {
2039 entries.push(MatcherEntry { id, title, cwe });
2040 }
2041 in_matcher = false;
2042 continue;
2043 }
2044 if !in_matcher {
2045 continue;
2046 }
2047 if let Some(value) = trimmed
2048 .strip_prefix("id = \"")
2049 .and_then(|value| value.strip_suffix('"'))
2050 {
2051 id = Some(value);
2052 } else if let Some(value) = trimmed
2053 .strip_prefix("title = \"")
2054 .and_then(|value| value.strip_suffix('"'))
2055 {
2056 title = Some(value);
2057 } else if let Some(value) = trimmed.strip_prefix("cwe = ") {
2058 cwe = Some(value);
2059 }
2060 }
2061
2062 if let (Some(id), Some(title), Some(cwe)) = (id.take(), title.take(), cwe.take()) {
2063 entries.push(MatcherEntry { id, title, cwe });
2064 }
2065
2066 let mut seen = rustc_hash::FxHashSet::default();
2067 entries
2068 .into_iter()
2069 .filter(|entry| seen.insert(entry.id))
2070 .collect()
2071 }
2072}