Module security

fallow security command: opt-in local security-candidate surface.

Ships the graph-structural client-server-leak rule plus the data-driven tainted-sink catalogue (a single TaintedSink kind that covers every CWE category listed in security_matchers.toml). Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities. This command is the ONLY surface for security findings: they never appear under bare fallow or under the audit gate. There is no confidence or signal_strength field; the structural trace is the only honest signal.

Structs

SecurityOptions
Options for fallow security, mirroring the global CLI flags it honors.
SecurityOutput
The fallow security --format json envelope. security_findings is the unique required field used for untagged narrowing in FallowOutput.

Enums

SecuritySchemaVersion
The fallow security --format json schema version. Independently versioned from the main contract, mirroring ImpactReportSchemaVersion.

Functions

render_human
Human output. Frames findings as candidates and states the next human action per finding; surfaces the unresolved-edge blind spot as a counted line.
render_json
JSON: the SecurityOutput envelope, pretty-printed.
run
Run fallow security. Always exits 0 unless both of the following hold: the user explicitly raised the security-client-server-leak rule to error, AND findings exist. The rule defaults to off and the command forces it to warn, so the common case is advisory. Unsupported output formats exit 2.