#[non_exhaustive]pub struct Finding {
pub id: String,
pub file: String,
pub function: String,
pub line: u32,
pub verdict: Verdict,
pub invocations: Option<u64>,
pub confidence: Confidence,
pub evidence: Evidence,
pub actions: Vec<Action>,
pub identity: Option<FunctionIdentity>,
}Expand description
A per-function finding combining static analysis and runtime coverage.
Marked #[non_exhaustive] in 0.6.0: downstream Rust consumers must
stop using struct-literal construction. The wire shape is unchanged.
Fields (Non-exhaustive)§
This struct is marked as non-exhaustive
Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.id: StringDeterministic content hash of shape fallow:prod:<hash>. See
finding_id for the canonical helper. Continues to ship through
0.6 alongside Finding::identity.
Which key for which job. Three identifiers travel with a function and serve different axes; do not conflate them:
Finding::idis the per-finding suppression key. It hashesfile + function + line + "prod", so it changes when the function moves. Agents writing suppression files / baselines / CI dedup key on this to suppress THIS specific finding, not every finding on the function.FunctionIdentity::stable_idis the cross-surface + cross-producer join key. The same function gets ONE value across findings, hot paths, blast-radius entries, and importance entries, and across V8 / Istanbul / oxc producers (columns are excluded from the hash, so producers of differing positional fidelity still agree). Cloud aggregation and any “show me this function’s history” join uses it. It hashesstart_line, so, exactly likeFinding::id, it is NOT immune to line moves: a function that moves to a new line gets a newstable_id.FunctionIdentity::source_hashis the content tiebreaker. It hashes the canonical body bytes and excludes position, so it is the only one of the three that survives a line move with an unchanged body. Optional and absent unless a producer computes it; consumers that want line-move-tolerant matching layer it on top ofstable_idwhen present.
New agent suppression formats SHOULD write identity.stable_id
when present (so one entry correlates the function across every
surface, not just this one finding) AND retain Finding::id for
backwards-compatibility with 0.5-era baselines. Readers MUST
accept both forms during the grace window.
file: StringPath to the source file, relative to Request::project_root.
function: StringFunction name as reported by the static analyzer. Matches
StaticFunction::name and FunctionIdentity::name.
line: u321-indexed line number the function starts on. Included in the ID hash so anonymous functions with identical names but different locations get distinct IDs.
verdict: VerdictPer-finding verdict. Describes what the agent should do with this specific function.
invocations: Option<u64>Raw invocation count from the V8 dump. None when the function was
not tracked (lazy-parsed, worker-thread isolate, etc.).
confidence: ConfidenceConfidence the sidecar has in this finding’s Finding::verdict.
evidence: EvidenceEvidence rows the sidecar used to arrive at the finding.
actions: Vec<Action>Machine-readable next-step hints for AI agents.
identity: Option<FunctionIdentity>Canonical function identity introduced in 0.6.0. Optional for
forward-compat with 0.5-shape sidecars. See FunctionIdentity
for the canonical join semantics.