Module security

fallow security command: opt-in local security-candidate surface.

Ships the graph-structural client-server-leak rule plus the data-driven tainted-sink catalogue (one TaintedSink kind covering every CWE category in security_matchers.toml). Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities. This command is the ONLY surface for security findings: they never appear under bare fallow or the audit gate. There is no confidence or signal_strength field; structural traces and reachability context are the only honest signals.

Structs

SecurityGate
The gate block on SecurityOutput, present only when --gate <mode> ran. Invariant: verdict == Fail IFF exit code 8 IFF new_count > 0.
SecurityOptions
Options for fallow security, mirroring the global CLI flags it honors.
SecurityOutput
The fallow security --format json envelope. FallowOutput discriminates it by the kind: "security" tag; the optional gate block is additive and is not part of that discrimination.

Enums

SecurityGateMode
Gate mode for fallow security --gate <mode> (issue #886). Tier 2 reserves the value newly-reachable.
SecurityGateVerdict
Gate verdict on the wire. fail is the CI-state token; human output renders it as “REVIEW REQUIRED” because these stay unverified candidates, never confirmed vulnerabilities.
SecuritySchemaVersion
The fallow security --format json schema version. Independently versioned from the main contract, mirroring ImpactReportSchemaVersion.

Functions

render_human
Human output. Frames findings as candidates and states the next human action per finding; surfaces the unresolved-edge blind spot as a counted line.
render_json
JSON: the SecurityOutput envelope, pretty-printed.
run
Run fallow security. Always exits 0 unless the user explicitly raised the security-client-server-leak rule to error AND findings exist (the rule defaults to off and the command forces it to warn, so the common case is advisory). Unsupported output formats exit 2.