A declared Angular @Component and its selector value(s), harvested from a
@Component({ selector: '...' }) decorator. Consumed by the Angular arm of
the unrendered-component detector, which flags a component whose every
element selector is used in NO template project-wide (and that is not
referenced by class name anywhere, e.g. routed / bootstrapped / dynamically
rendered). A multi-selector string ('app-foo, [appBar]') is split into the
selectors list. The span is stored as a byte offset (not an
oxc_span::Span) so the type round-trips through the bitcode cache directly,
mirroring AngularInputMember::span_start. @Directive is intentionally NOT
harvested here (directives have no template render). ModuleInfo is not
serialized, so no serde attrs are derived.

A declared Angular component/directive input, harvested from an @Input()
decorator or a signal input() / input.required() / model() initializer
on an Angular-decorated class. Consumed by the unused-component-input
detector, which flags an input read nowhere in its own component (neither the
template nor the class body). The span is stored as a byte offset (not an
oxc_span::Span) so the type is cheap to mirror onto the cache, matching
ComponentEmit::span_start. ModuleInfo is not serialized, so no serde
attrs are derived here. bitcode derives let the type be mirrored directly
onto CachedModule (the same pattern as ComponentEmit).

A declared Angular component/directive output, harvested from an @Output()
decorator or a signal output() / outputFromObservable() initializer on an
Angular-decorated class. Consumed by the unused-component-output detector,
which flags an output emitted nowhere in its own component. A model() is an
input and a framework-driven output, so it is recorded ONLY as an input and
never appears here (the implicit update: emit is framework-managed). The
span is a byte offset for the same reason as AngularInputMember.

A statically flattenable callee path invoked in a module (e.g. execSync,
child_process.exec, console.log). One entry per unique callee_path
per module; the span anchors the first occurrence. Consumed by the
boundaries.calls.forbidden detector.

A Vue <script setup> defineEmits declared event, harvested from the type
tuple-call form (defineEmits<{ (e: 'foo'): void }>()), the type object form
(defineEmits<{ foo: [x: string] }>()), or the runtime array form
(defineEmits(['foo'])). used is set during extraction when the bound emit
name is called as emit('<name>'). The unused-component-emit detector flags
an event where used is false. See harvest_define_emits in sfc_props.rs.

An identified React component: a function/arrow whose body returns JSX.
Captured by visit_jsx_element’s enclosing-component tracking. The
unused-component-prop (React arm) and complexity-fold phases consume this;
the abstain flags keep zero-FP on the cases ADR-001 cannot resolve.

A component prop declared by Vue <script setup> defineProps or Svelte 5
$props(). used_in_script / used_in_template are set during extraction;
the unused-component-prop detector flags a prop where neither is true. See
harvest_define_props and harvest_svelte_props in sfc_props.rs.

Stylesheet-level structural CSS analytics, computed from the parsed CSS
syntax tree. Feeds fallow health penalty weights and located findings,
never a standalone CSS score.

A style rule’s declaration-block fingerprint and location, for cross-file
duplicate-block detection. Only rules with a meaningful number of
declarations are recorded (small blocks repeat legitimately). Internal
staging only: this is consumed in-process by the health layer to build the
grouped duplicate_declaration_blocks output and is never serialized.

Structural CSS metrics for a single style rule, computed from the parsed CSS
syntax tree. A rule is recorded only when it crosses a structural floor (an
id selector, a complex selector, a !important declaration, or deep
nesting), so the vector stays bounded on normal stylesheets.

A Vue provide/inject or Svelte setContext/getContext call site keyed
by an identifier symbol. The key_local is resolved at analyze time through
the consuming module’s import/export tables to a canonical defining-site
export key, so a provide and an inject of the same shared symbol unify even
across barrel re-exports. Consumed by the unprovided-inject detector.

A Svelte custom event dispatched via dispatch('<name>'), where dispatch
is the binding from a const dispatch = createEventDispatcher() call. Only
literal-first-arg dispatches are recorded; a dispatch(<nonLiteral>) sets
ModuleInfo::has_dynamic_dispatch instead. Consumed by the
unused-svelte-event detector, which flags an event dispatched here but
listened to nowhere project-wide (the cross-file dead-output direction). The
span is a byte offset (not an oxc_span::Span) so the type round-trips
through the bitcode cache directly, mirroring ComponentEmit::span_start.

A key returned from a SvelteKit route load() function’s terminal return
object literal. Harvested from +page.{ts,server.ts,js,server.js} files
exporting a load function. Consumed by the unused-load-data-key detector,
which flags a key read by no consumer. The span is stored as byte offsets
(not an oxc_span::Span) so the type round-trips through the bitcode cache
directly, mirroring DiKeySite::span_start / ComponentEmit::span_start.

A "use client" / "use server" directive string written as an expression
statement in program.body (NOT the leading prologue), so the RSC bundler
silently ignores it. One entry per offending occurrence. Consumed by the
misplaced-directive detector.

A Lit / web-component custom element registered in a module via
@customElement('x-foo') or customElements.define('x-foo', C). Consumed by
the Lit arm of the unrendered-component detector. The span is stored as a
byte offset (not an oxc_span::Span) so the type round-trips through the
bitcode cache directly, mirroring AngularComponentSelector::span_start.

A render edge: one component rendering another (a capitalized or
member-expression JSX tag). Captured at extraction time with the child’s
written name; resolution of child_component_name to a FileId/export is
deferred to graph build via the existing import map.

A captured sink site. The visitor records every existing non-literal call /
member-assign / member-call / tagged-template / jsx-attr sink site, and a
small allowlist of literal-aware sites where the literal value is the signal.
It knows nothing about CWE categories.

A local binding tied to the flattened member-access path it was initialized
from. The analyze layer matches source_path against the data-driven source
catalogue; when it matches, local is treated as carrying untrusted input.

The syntactic shape of an identified React component definition. Drives the
abstain ladder later phases apply: a forwardRef / memo wrapper whose
props come from an imported interface fallow cannot resolve must abstain
(ADR-001), not guess.

The shape of the argument captured at a sink site. Category-blind like
SinkShape, but finer-grained: it lets the catalogue matcher require or
exclude specific argument shapes. The discriminator is what distinguishes an
unsafe SQL string concatenation or template-into-.execute() from a
safely-parameterized sql`${x}` tagged template, an object-literal
.execute({ sql, args }) argument, or a literal-aware sink argument.

The syntactic shape of a captured security sink site. Category-blind: the
extractor records the shape and the dotted/bare callee path; the analyze
layer matches it against the data-driven catalogue. See
crates/security/data/security_matchers.toml.

Env var-name prefixes that frameworks inline into the client bundle by
convention. A read of one of these is normal and safe, so it does NOT count
as a secret source (issue #890). Shared by the extract layer (so public env
vars never become source signals) and the bespoke client-server-leak rule.