Module security


The fallow security command: the opt-in, local security-candidate surface.

Ships the graph-structural client-server-leak rule plus the data-driven tainted-sink catalogue (one TaintedSink kind covering every CWE category in security_matchers.toml). Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities. This command is the ONLY surface for security findings: they never appear under bare fallow or the audit gate. There is no confidence or signal_strength field; structural traces and reachability context are the only honest signals.

Structs

SecurityGate
The gate block on SecurityOutput, present only when --gate <mode> ran. Invariant: verdict == Fail IFF exit code 8 IFF new_count > 0.
SecurityOptions
Options for fallow security, mirroring the global CLI flags it honors.
SecurityOutput
The fallow security --format json envelope. FallowOutput discriminates it by the kind: "security" tag; the optional gate block is additive and is not part of that discrimination.
SecurityOutputConfig
Allowlisted config context for fallow security --format json.
SecurityOutputRulesConfig
SecurityReachabilityCounts
Fixed reachability counters for summary JSON.
SecurityRuleSeverityConfig
SecurityRuntimeStateCounts
Fixed runtime coverage counters for summary JSON.
SecuritySeverityCounts
Fixed severity counters for summary JSON.
SecuritySummary
Aggregate counts for fallow security --summary --format json.
SecuritySummaryOutput
Compact fallow security --summary --format json payload. Uses the same kind: "security" discriminator as the full payload, but omits candidate arrays and exposes only aggregate counts.
SecurityUnresolvedCalleeDiagnostics
Bounded unresolved-callee diagnostics for fallow security --format json.
SecurityUnresolvedCalleeReasonCount
Count of unresolved callees for one reason.
SecurityUnresolvedCalleeSample
One sampled unresolved-callee row.
SecurityUnresolvedCalleeTopFile
Count of unresolved callees in one file.

Enums

SecurityGateMode
Gate mode for fallow security --gate <mode>.
SecurityGateVerdict
Gate verdict on the wire. fail is the CI-state token; human output renders it as “REVIEW REQUIRED” because these stay unverified candidates, never confirmed vulnerabilities.
SecuritySchemaVersion
The fallow security --format json schema version. Independently versioned from the main contract, mirroring ImpactReportSchemaVersion.

Functions

render_human
Human output. Frames findings as candidates and states the next human action per finding; surfaces the unresolved-edge blind spot as a counted line.
render_json
JSON: the SecurityOutput envelope, pretty-printed.
render_json_summary
JSON summary: compact aggregate payload without per-finding arrays.
run
Run fallow security. Always exits 0 unless the user explicitly raised the security-client-server-leak rule to error AND findings exist (the rule defaults to off and the command forces it to warn, so the common case is advisory). Unsupported output formats exit 2.