Analysis result types exposed through the engine boundary.
Structs§
- ActiveSuppression - A suppression comment present in an analyzed file this run.
- AnalysisResults - Complete analysis results.
- BoundaryCallViolation - A call from a zoned file to a callee forbidden for that zone via `boundaries.calls.forbidden`. One finding is reported per unique callee path per file (first occurrence wins).
- BoundaryCallViolationFinding - Wire-shape envelope for a `BoundaryCallViolation` finding. Carries actions for refactoring the forbidden call out of the zone or suppressing it with the shared `boundary-violation` token.
- BoundaryCoverageViolation - A source file that does not match any configured architecture boundary zone.
- BoundaryCoverageViolationFinding - Wire-shape envelope for a `BoundaryCoverageViolation` finding. Carries actions for assigning the file to a zone or explicitly allowing it to stay unmatched.
- BoundaryViolation - An import that crosses an architecture boundary rule.
- BoundaryViolationFinding - Wire-shape envelope for a `BoundaryViolation` finding. Mirrors `UnusedFileFinding`: flattens the bare finding and carries a typed `actions` array (`refactor-boundary` primary plus `suppress-line` secondary).
- CircularDependency - A circular dependency chain detected in the module graph.
- CircularDependencyEdge - One import hop in a circular dependency: the file containing the import and where that import statement sits.
- CircularDependencyFinding - Wire-shape envelope for a `CircularDependency` finding. Mirrors `UnusedFileFinding`: flattens the bare finding and carries a typed `actions` array (`refactor-cycle` primary plus `suppress-line` secondary).
- DuplicateExport - An export that appears multiple times across the project.
- DuplicateExportFinding - Wire-shape envelope for a `DuplicateExport` finding. Carries up to three actions in position-locked order: an `add-to-config` `ignoreExports` snippet (only when `locations[]` carries at least one path) followed by the `remove-duplicate` fix and the multi-location suppress.
- DuplicateLocation - A location where a duplicate export appears.
- DuplicatePropShape - A React/Preact component that participates in a duplicate-prop-shape GROUP: three or more distinct components across two or more files whose statically-harvested, fully-known prop NAME set is byte-for-byte IDENTICAL after excluding a fixed denylist of ubiquitous DOM / render-passthrough prop names, with the REMAINING significant set holding four or more members. This is a structural-refactor health signal (extract a shared `Props` type or a base component), never a correctness error and never an auto-fix. One finding is emitted per participating component; `sharing_components` lists the other members of the same group. Health signal: the rule defaults to `off` (opt-in), so this is dormant until enabled. Exact full-set identity only: a superset / subset relationship does NOT group (so the finding always fits one extracted shared type).
- DuplicatePropShapeFinding - Wire-shape envelope for a `DuplicatePropShape` finding. There is no safe auto-fix: extracting a shared `Props` type or a base component for a group of same-shaped components is a design decision. The actions are manual guidance (extract the shared shape) plus a line-level suppress at the component definition and a file-level suppress escape hatch (mirroring the route-collision multi-file model). The rule defaults to `off` (opt-in health signal), so this finding is dormant by default.
- DuplicatePropShapeMember - One member of a duplicate-prop-shape group: the OTHER components that share the same significant prop-name set, listed in each member’s `sharing_components`. Path-sorted for stable output. A located reference (no `shape`, which is carried once on the owning `DuplicatePropShape`).
- DynamicSegmentNameConflict - Two or more sibling dynamic route segments at the SAME App Router tree position using different param spellings (`[id]` vs `[slug]`, or `[...x]` vs `[[...x]]`). Next.js throws “You cannot use different slug names for the same dynamic path” at dev / production RUNTIME when the position is hit; `next build` does NOT catch it, so fallow’s static catch surfaces a route that would otherwise pass CI and crash at request time. One finding is emitted per involved file.
- DynamicSegmentNameConflictFinding - Wire-shape envelope for a `DynamicSegmentNameConflict` finding. The conflict is a Next.js dev / runtime error (`next build` does NOT catch it), so the primary action is manual guidance (rename the dynamic segments to a single consistent slug name), with a file-level suppress as escape hatch.
- EmptyCatalogGroup - A named `catalogs.<name>` group with no package entries.
- EmptyCatalogGroupFinding - Wire-shape envelope for an `EmptyCatalogGroup` finding. Carries a `remove-empty-catalog-group` primary. YAML-sourced findings also include a YAML-comment suppress action.
- EntryPointSummary - Summary of detected entry points, grouped by discovery source.
- ExportUsage - Usage count for an export symbol. Used by the LSP Code Lens to show reference counts above each export declaration.
- FeatureFlag - A detected feature flag use site.
- ImportSite - A location where an import occurs.
- InvalidClientExport - A `"use client"` file that exports a Next.js server-only / route-segment config name. Next.js rejects this combination at build time; fallow catches it statically before the build runs.
- InvalidClientExportFinding - Wire-shape envelope for an `InvalidClientExport` finding. There is no safe auto-fix: the export itself may be a legitimate client-component value export that happens to collide with a Next.js server-only name, so removing it could break the component. Actions are a manual `move-to-server-module` fix (the real remediation) plus a line-level suppress.
- MisconfiguredDependencyOverride - An override entry whose key or value is malformed. Default severity is `error` because pnpm refuses to install (or silently produces a no-op override) when it encounters these shapes.
- MisconfiguredDependencyOverrideFinding - Wire-shape envelope for a `MisconfiguredDependencyOverride` finding. Carries a `fix-dependency-override` primary plus the conditional `add-to-config` `ignoreDependencyOverrides` suppress (skipped when both `target_package` and `raw_key` are empty, since the rule matcher keys on a non-empty package name).
- MisplacedDirective - A `"use client"` / `"use server"` directive written as an expression statement after a non-directive statement (an import, a const). The RSC bundler only honors a directive in the leading prologue, so once any statement precedes it the string is parsed as an ordinary expression and silently ignored: the intended client/server boundary never takes effect. The fix is to move the directive to the very top of the file.
- MisplacedDirectiveFinding - Wire-shape envelope for a `MisplacedDirective` finding. There is no safe auto-fix: moving a directive to the leading prologue is a small but judgement-bearing edit (the author may have intended the file to be a server module after all). Actions are a manual `hoist-directive` fix (the real remediation) plus a line-level suppress.
- MixedClientServerBarrel - A barrel file that re-exports BOTH a `"use client"` origin module AND a server-only origin module. Importing one name from such a barrel drags the other’s directive context across the React Server Components boundary (the Next.js App Router footgun); fallow catches it statically.
- MixedClientServerBarrelFinding - Wire-shape envelope for a `MixedClientServerBarrel` finding. There is no safe auto-fix: splitting a barrel into separate client and server modules is a human decision (the barrel may intentionally aggregate both surfaces). Actions are a manual `split-mixed-barrel` fix (the real remediation) plus a line-level suppress.
- PolicyViolation - A banned call, banned import, or banned effect matched by a declarative rule pack (`rulePacks` config). Banned-call and banned-effect findings report one entry per unique callee path per file (first occurrence wins, matching `boundary_call_violations`); banned-import findings anchor at each matching import or re-export declaration.
- PolicyViolationFinding - Wire-shape envelope for a `PolicyViolation` finding. Carries actions for replacing the banned call, import, or effect, or suppressing it with a scoped `policy-violation:<pack>/<rule-id>` token.
- PrivateTypeLeak - A public export signature that references a same-file private type.
- PrivateTypeLeakFinding - Wire-shape envelope for a `PrivateTypeLeak` finding. Mirrors `UnusedFileFinding`: flattens the bare finding and carries a typed `actions` array (`export-type` primary plus `suppress-line` secondary).
- PropDrillHop - One hop in a prop-drilling chain: a component that received the prop and passed it along (or, at the chain ends, the source that owns it and the consumer that substantively reads it).
- PropDrillingChain - A located prop-drilling chain: a received prop forwarded unchanged through `>= N` intermediate pass-through components, each of which only re-passes it, until a component that substantively consumes it. The high-confidence signal is “the received identifier is used ONLY as the root of forwarded child-JSX attribute values”, not the attribute name matching. Health signal (rule defaults to `off`, opt-in): a small capped penalty plus a `health --hotspots` surface, and located per-chain records so CI / an agent can act (“colocate or lift to context at hop B”). Zero-FP doctrine: any spread / `cloneElement` / element-as-prop / render-prop / context-provider / dynamic shape in the path abstains the whole chain.
- PropDrillingChainFinding - Wire-shape envelope for a `PropDrillingChain` finding. There is no safe auto-fix: collapsing a drilling chain (colocate the consumer, lift to a context, or compose the component) is a design decision. The only action is a line-level suppress at the source hop’s prop declaration. The rule defaults to `off` (opt-in health signal), so this finding is dormant by default.
- ReExportCycle - A cycle or self-loop in the re-export edge subgraph.
- ReExportCycleFinding - Wire-shape envelope for a `ReExportCycle` finding. Mirrors `CircularDependencyFinding`: flattens the bare finding and carries a typed `actions` array (`refactor-re-export-cycle` informational primary plus `suppress-file` secondary; cycles are file-scoped so a single file-level suppression on the alphabetically-first member breaks the cycle, and no `// fallow-ignore-next-line` form makes sense because the diagnostic is anchored at line 1 col 0 of each member).
- ReactComponentIntel - Per-component render + prop + hook intelligence for one React component. DESCRIPTIVE ambient editor context surfaced by the LSP (a component summary code lens plus per-prop hovers), NOT a finding, IssueKind, severity, or `total_issues` input. Carried in-process on the `#[serde(skip)]` `AnalysisResults::react_component_intel` field (like `RenderFanInMetric`); never serialized, so bare `fallow` / `audit` and the JSON / schema surface are untouched.
- ReactHookSummary - Per-kind hook counts for a React component, summarized from `hook_uses`. DESCRIPTIVE editor context (the LSP code-lens hook breakdown), never a finding, severity, or `total_issues` input. `custom` collects every `use*`-named call that is not one of the four built-ins.
- ReactPropDrill - A prop-drilling trace for a prop at the ROOT of a forwarding chain. DESCRIPTIVE ambient editor context (the LSP per-prop hover): the prop is forwarded unchanged through `depth` components before a component substantively consumes it. Reuses the `prop-drilling` chain machinery’s abstain ladder (spread / `cloneElement` / dynamic / provider-in-subtree drop the whole chain), so the trace is honest. NOT a finding (the opt-in `prop-drilling` rule owns the finding); this rides the `#[serde(skip)]` `ReactComponentIntel` carrier.
- ReactPropIntel - Per-prop usage intelligence for one React component prop. DESCRIPTIVE editor context (the LSP per-prop hover): whether the prop is read in the component body and how many render sites pass it. NOT a finding (the `unused-component-prop` React arm owns the deadness rule); this is ambient signal. `anchor_line` / `anchor_col` follow the same convention the React `unused-component-prop` findings use (1-based line, byte-derived col from `byte_offset_to_line_col`).
- ReferenceLocation - A location where an export is referenced (import site in another file).
- RenderFanInComponent - One component’s render fan-in detail: how many JSX render SITES target it and how many DISTINCT parent components render it.
- RenderFanInMetric - Per-component render fan-in counts plus the precomputed concentration aggregates.
- RouteCollision - Two or more Next.js App Router route files that resolve to the SAME URL within one app-root. Next.js fails the build (“You cannot have two parallel pages that resolve to the same path”); fallow catches it statically and names every colliding file at once. One finding is emitted per colliding file; `conflicting_paths` lists the sibling files that share the URL.
- RouteCollisionFinding - Wire-shape envelope for a `RouteCollision` finding. A route collision is a guaranteed `next build` failure, so the PRIMARY action is manual guidance (move or merge one of the colliding files), NOT a suppress: suppressing a build error never makes the build pass. A file-level suppress is offered as an escape hatch only.
- SecurityAttackSurfaceEntry - One untrusted-entry-to-reachable-sink path for `fallow security --surface`.
- SecurityCandidate - An agent-actionable candidate record on a `SecurityFinding`. fallow fills `source_kind`, `sink`, and `boundary`. The exploitability IMPACT is deliberately NOT a field: `severity` on the parent finding is only a review-priority tier, while deciding exploitability remains the consuming agent’s job. A perpetually-null `impact` key would only train consumers to ignore it. The agent reads this record, then writes its own impact verdict downstream.
- SecurityCandidateBoundary - The boundary slot of a `SecurityCandidate`: which structural boundaries the candidate’s flow crosses. A flow that crosses a client/server or module boundary is a stronger review target than a self-contained one; the boundary is fallow’s structural signal over a pure source-sink match.
- SecurityCandidateSink - The sink slot of a `SecurityCandidate`: a self-contained description of the matched sink site. Echoes the finding’s own span (path/line/col) plus the catalogue `category` / `cwe` and the captured `callee`, so an agent can act on `candidate.sink` in isolation (e.g. after fanning a finding out to a sub-agent) without reading the parent finding.
- SecurityDeadCodeContext - Dead-code cross-link attached to a security candidate when fallow’s dead-code pass reports the same anchor as removable code.
- SecurityDefensiveBoundary - Agent-facing defensive-boundary verification context for one surface path.
- SecurityDefensiveControl - Defensive control found on an attack-surface path.
- SecurityFinding - A local security CANDIDATE for downstream agent verification, NOT a verified vulnerability. Emitted only by `fallow security`, never under bare `fallow` or the `audit` gate. There is deliberately no `confidence` or `signal_strength` field: fallow does not prove exploitability, so the trace (its hops and length) is the only honest signal.
- SecurityNetworkContext - Network-destination context for a `secret-to-network` candidate (#890): where the secret-bearing network call sends its data. Present only on network-category candidates. A consuming agent uses it to triage exfil (dynamic / untrusted destination) from intended auth (a literal provider host) without re-reading source.
- SecurityReachability - Graph-derived reachability ranking signal for a security candidate. Computed from the existing module graph after detection, never proven exploitable. Used to surface candidates that sit on a request/runtime-reachable surface, receive same-module source evidence, or are import-reachable from an untrusted-source module above isolated helpers or scripts.
- SecurityRuntimeContext - Runtime coverage context attached to a security candidate when `fallow security --runtime-coverage` is supplied.
- SecurityTaintFlow - A source-to-sink taint-flow triple, emitted only when an untrusted source is import-reachable to the sink (`reachability.reachable_from_untrusted_source`). The `{ source, sink, path }` shape matches the model agent SAST tooling expects (cf. Semgrep `taint_source` / `taint_sink`, SARIF `threadFlows`).
- SecurityUnresolvedCalleeDiagnostic - Internal row for a security sink-shaped callee that extraction could not flatten to a static catalogue path.
- SecurityZoneCrossing - A declared architecture-zone crossing, recovered by correlating a finding’s anchor against the run’s architecture-boundary violations.
- StaleSuppression - A suppression comment or JSDoc tag that no longer matches any issue.
- TaintEndpoint - One endpoint (source or sink node) of a `SecurityTaintFlow`.
- TaintPath - Compact taint-flow path shape. The ordered per-hop trace is NOT duplicated here: it lives on `SecurityReachability::untrusted_source_trace`. This carries only the flow’s structural summary (intra-module flow plus the cross-module hop count) so consumers do not parse two copies of the hops.
- TestOnlyDependency - A production dependency that is only imported by test files. Since it is never used in production code, it could be moved to devDependencies.
- TestOnlyDependencyFinding - Wire-shape envelope for a `TestOnlyDependency` finding. Carries a `move-to-dev` primary (different prose than `TypeOnlyDependencyFinding`) plus the standard `ignoreDependencies` config suppress.
- ThinWrapper - A located thin-wrapper / passthrough component: a React/Preact component whose entire body is `return <Child {...props}/>` (a single spread-forwarded child render, no host wrapper, no own value-add). It is pure structural indirection, a CANDIDATE for inlining at call sites or deleting. Health signal (rule defaults to `off`, opt-in): never a correctness error. Zero-FP doctrine: `forwardRef` / `memo` / exported / context-provider / `cloneElement` / render-prop / named-attr / unresolved-child wrappers all abstain (each is an intentional indirection or unprovable shape).
- ThinWrapperFinding - Wire-shape envelope for a `ThinWrapper` finding. There is no safe auto-fix: inlining a thin wrapper at its call sites (or deleting it) is a design decision. The only action is a line-level suppress at the wrapper’s definition. The rule defaults to `off` (opt-in health signal), so this finding is dormant by default.
- TraceHop - One hop in a security finding’s structural trace. Stored as an absolute path internally; JSON serialization strips the project root via `serde_path::serialize`.
- TypeOnlyDependency - A production dependency that is only used via type-only imports. In production builds, type imports are erased, so this dependency is not needed at runtime and could be moved to devDependencies.
- TypeOnlyDependencyFinding - Wire-shape envelope for a `TypeOnlyDependency` finding. Carries a `move-to-dev` primary plus the standard `ignoreDependencies` config suppress.
- UnlistedDependency - A dependency used in code but not listed in package.json.
- UnlistedDependencyFinding - Wire-shape envelope for an `UnlistedDependency` finding. Carries an `install-dependency` primary (non-auto-fixable) plus the standard `ignoreDependencies` config suppress.
- UnprovidedInject - A Vue `inject(KEY)` or Svelte `getContext(KEY)` whose symbol KEY is `provide` / `setContext`’d nowhere in the analyzed project. The key is a symbol with cross-file identity, so an unmatched key is a real dead-half DI link: at runtime the inject returns `undefined`, surfaced only at render. The fix is binary: provide the key somewhere, or remove the dead inject.
- UnprovidedInjectFinding - Wire-shape envelope for an `UnprovidedInject` finding. There is no safe auto-fix: the fix is binary but judgement-bearing (add a `provide` for the key, or delete the dead inject). Actions are manual remediation guidance plus a line-level suppress.
- UnrenderedComponent - A Vue/Svelte single-file component (the default export of a `.vue` / `.svelte` file) that is reachable in the module graph but rendered NOWHERE in the project: no `<Tag>`, no `:is` / `this=` binding, no `components` / `app.component` registration, no `h()` / auto-import use, and no script value-read. It survives `unused-file` (a barrel re-export keeps it reachable) and `unused-export` (the re-export counts as a use), yet no file actually instantiates it.
- UnrenderedComponentFinding - Wire-shape envelope for an `UnrenderedComponent` finding. There is no safe auto-fix: the fix is binary but judgement-bearing (render the component somewhere, or delete the dead component). Actions are manual remediation guidance plus a line-level suppress.
- UnresolvedCatalogReference - A workspace package.json reference (`catalog:` or `catalog:<name>`) that points at a catalog which does not declare the consumed package.
- UnresolvedCatalogReferenceFinding - Wire-shape envelope for an `UnresolvedCatalogReference` finding. The primary action at position 0 discriminates on `available_in_catalogs`: `add-catalog-entry` when the array is empty (no other catalog declares the package), or `update-catalog-reference` when at least one alternative exists. When exactly one alternative exists, the action also carries `suggested_target` so deterministic agents can land the edit without picking from a list.
- UnresolvedImport - An import that could not be resolved.
- UnresolvedImportFinding - Wire-shape envelope for an `UnresolvedImport` finding. Mirrors `UnusedFileFinding`: flattens the bare finding and carries a typed `actions` array (`resolve-import` primary plus config and inline suppression actions).
- UnusedCatalogEntry - A package manager catalog entry that no workspace package references via the `catalog:` protocol.
- UnusedCatalogEntryFinding - Wire-shape envelope for an `UnusedCatalogEntry` finding. Per-instance `auto_fixable` flips to `false` when `hardcoded_consumers` is non-empty or the source is not `pnpm-workspace.yaml`.
- UnusedClassMemberFinding - Wire-shape envelope for an `UnusedMember` finding consumed under the `unused_class_members` key. Same Rust struct as `UnusedEnumMemberFinding`; the fix action and suppress comment carry the class-member kebab-case identifier instead.
- UnusedComponentEmit - A Vue `<script setup>` `defineEmits` declared event that is EMITTED nowhere inside its own single-file component (no `emit('<name>')` call). Single-file finding, zero-FP doctrine: the whole file abstains on any unharvestable / dynamic-emit / whole-object-use / `defineModel` signal.
- UnusedComponentEmitFinding - Wire-shape envelope for an `UnusedComponentEmit` finding. There is no safe auto-fix: removing a declared emit is judgement-bearing (the event may be part of a deliberately-stable public component API). Actions are manual remediation guidance plus a line-level suppress at the emit declaration.
- UnusedComponentInput - An Angular `@Input()` / signal `input()` / `model()` declared input that is read NOWHERE inside its own component (neither the inline/external template nor the class body). Single-file dead-input direction; the Angular analogue of `UnusedComponentProp`. The whole component abstains on an unresolved `extends` heritage clause (a base class in another file may read `this.foo`).
- UnusedComponentInputFinding - Wire-shape envelope for an `UnusedComponentInput` finding. There is no safe auto-fix: removing a declared input is judgement-bearing (the input may be part of a deliberately-stable public component API). The only action is a line-level suppress at the input declaration.
- UnusedComponentOutput - An Angular `@Output()` / signal `output()` declared output that is EMITTED nowhere inside its own component (no `this.<output>.emit(...)`). Single-file dead-output direction; the Angular analogue of `UnusedComponentEmit`. A `model()` is recorded as an input only, so its framework-driven `update:` emit is never flagged here. The whole component abstains on an unresolved `extends` heritage clause.
- UnusedComponentOutputFinding - Wire-shape envelope for an `UnusedComponentOutput` finding. There is no safe auto-fix: removing a declared output is judgement-bearing (the event may be part of a deliberately-stable public component API). The only action is a line-level suppress at the output declaration.
- UnusedComponentProp - A Vue `<script setup>` `defineProps`, Svelte 5 `$props()`, or React declared prop that is referenced NOWHERE inside its own component. Single-component finding, zero-FP doctrine: the component abstains on any opaque public or fallthrough signal.
- UnusedComponentPropFinding - Wire-shape envelope for an `UnusedComponentProp` finding. There is no safe auto-fix: removing a declared prop is judgement-bearing (the prop may be part of a deliberately-stable public component API). Actions are manual remediation guidance plus a line-level suppress at the prop declaration.
- UnusedDependency - A dependency that is listed in package.json but never imported.
- UnusedDependencyFinding - Wire-shape envelope for an `UnusedDependency` finding consumed under the `unused_dependencies` key (production deps). Flattens the bare finding; the typed `actions` array carries either a `remove-dependency` or `move-dependency` primary depending on `inner.used_in_workspaces`.
- UnusedDependencyOverride - An entry in pnpm’s `overrides:` map (or the legacy `pnpm.overrides` in `package.json`) whose target package is not declared in any workspace `package.json` and is not present in `pnpm-lock.yaml`. Projects without a readable lockfile fall back to package manifest checks; the `hint` field flags that conservative mode.
- UnusedDependencyOverrideFinding - Wire-shape envelope for an `UnusedDependencyOverride` finding. Carries a `remove-dependency-override` primary plus an `add-to-config` `ignoreDependencyOverrides` suppress scoped to the target package and declaration source.
- UnusedDevDependencyFinding - Wire-shape envelope for an `UnusedDependency` finding consumed under the `unused_dev_dependencies` key. Same bare struct as `UnusedDependencyFinding`; the fix description points at `devDependencies` and the suppress comment uses `unused-dev-dependency`.
- UnusedEnumMemberFinding - Wire-shape envelope for an `UnusedMember` finding consumed under the `unused_enum_members` key.
- UnusedExport - An export that is never imported by other modules.
- UnusedExportFinding - Wire-shape envelope for an `UnusedExport` finding consumed under the `unused_exports` key. Same Rust struct as `UnusedTypeFinding`, with a different fix description so consumers can tell value-export from type-export removal at the action level.
- UnusedFile - A file that is not reachable from any entry point.
- UnusedFileFinding - Wire-shape envelope for an `UnusedFile` finding. The bare finding flattens in via `#[serde(flatten)]`, with a typed `actions` array populated at construction time and the audit-pass `introduced` flag attached as an optional sibling.
- UnusedLoadDataKey - A SvelteKit `+page.{ts,server.ts,js,server.js}` `load()` return-object key read by no consumer: not off the sibling `+page.svelte`’s `data.<key>`, nor project-wide via `page.data.<key>` / `$page.data.<key>`. A dead load key runs a real server/DB fetch cost on every request for data nothing renders. The fix is a human call (delete the key, or wire a consumer): a load fetch may have side effects, so there is no safe auto-fix.
- UnusedLoadDataKeyFinding - Wire-shape envelope for an `UnusedLoadDataKey` finding. There is no safe auto-fix: a `load()` fetch can have side effects, so deleting the key is a human call. Actions are manual remediation guidance plus a line-level suppress.
- UnusedMember - An unused enum or class member.
- UnusedOptionalDependencyFinding - Wire-shape envelope for an `UnusedDependency` finding consumed under the `unused_optional_dependencies` key. Same bare struct as `UnusedDependencyFinding`; the fix description points at `optionalDependencies`. Reuses the `unused-dependency` suppress `IssueKind` because there is no dedicated variant for optional deps.
- UnusedServerAction - A Next.js Server Action (an export of a `"use server"` file) that no code in the analyzed project references: no import-and-call, no `action={fn}` JSX binding, no `<form action={fn}>`. This is the cross-graph “declared but zero consumers” direction, reclassified out of `unused-export` for `"use server"` files so the finding carries the action-specific signal. It does NOT mean the endpoint is unreachable: Next still registers the action id, so it stays POST-able. It means no project code calls it (likely forgotten / dead, and a candidate for removal to shrink surface area).
- UnusedServerActionFinding - Wire-shape envelope for an `UnusedServerAction` finding. There is no safe auto-fix: the fix is binary but judgement-bearing (wire the action up to a consumer, or delete it). Actions are manual remediation guidance plus a line-level suppress.
- UnusedStoreMemberFinding - Wire-shape envelope for an `UnusedMember` finding consumed under the `unused_store_members` key (a Pinia `state` / `getters` / `actions` key, or a setup-store returned key, declared but never accessed by any consumer project-wide). Same Rust struct as `UnusedClassMemberFinding`. Emits only a line-level suppress action: there is no safe auto-fix because a store member can be accessed reflectively (a Pinia plugin, `store.$onAction`, or dynamic dispatch) in ways syntactic analysis cannot see, so removal is a behavioral change the user must own.
- UnusedSvelteEvent - A Svelte component dispatching a custom event via `createEventDispatcher()` whose event name is listened to NOWHERE in the analyzed project. Cross-file dead-output direction: the component fires an event nothing handles. Zero-FP doctrine: the whole component abstains on any dynamic-dispatch or whole-dispatch-value signal, and a listener on ANY component anywhere credits the event name (the liberal over-credit direction).
- UnusedSvelteEventFinding - Wire-shape envelope for an `UnusedSvelteEvent` finding. There is no safe auto-fix: removing a dispatched event is judgement-bearing (the event may be part of a deliberately-stable public component API, or a listener may be added later). Actions are manual remediation guidance plus a line-level suppress at the `dispatch` call.
- UnusedTypeFinding - Wire-shape envelope for an `UnusedExport` finding consumed under the `unused_types` key. Wraps the same bare `UnusedExport` struct as `UnusedExportFinding` but emits a fix action targeted at type-only declarations, with the same `is_re_export`-aware note swap.
Enums§
- DependencyLocation - Where in package.json a dependency is listed.
- DependencyOverrideMisconfigReason - Why a dependency-override entry is misconfigured. `pnpm install` would either fail at install time or silently no-op on these entries; surfacing them statically catches the issue before pnpm does.
- DependencyOverrideSource - Where an override entry was declared. Serialized as the filename label (`"pnpm-workspace.yaml"` or `"package.json"`) so the value in JSON output matches the value users write in `ignoreDependencyOverrides[].source`.
- FlagConfidence - Detection confidence for a feature flag finding.
- FlagKind - The detection method used to identify a feature flag.
- PolicyRuleKind - Which rule-pack rule kind produced a `PolicyViolation`.
- PolicyViolationSeverity - Effective severity of a single `PolicyViolation`. Per-rule `severity` overrides the `rules."policy-violation"` master; `off` rules emit nothing, so only `error` and `warn` appear on the wire. The exit-code gate inspects this per-finding value, not the master severity.
- ReExportCycleKind - Discriminator for `ReExportCycle`: which structural shape was detected.
- SecurityDeadCodeKind - Dead-code issue kind linked to a security candidate.
- SecurityFindingKind - The kind of security candidate. Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities.
- SecurityRuntimeState - Runtime coverage state for the function enclosing a security sink. This is production-observation evidence, not an exploitability verdict.
- SecuritySeverity - Verification-priority tier for a security candidate. This is ranking, not an exploitability verdict.
- SuppressionOrigin - The origin of a stale suppression: inline comment or JSDoc tag.
- TaintConfidence - How strongly the untrusted-source signal is associated with the sink, a structured discriminator so a consumer can tier candidates without parsing the human `evidence` prose. Present only when `SecurityReachability::reachable_from_untrusted_source` is true. Neither value proves exploitability; both are ranking signals (issue #885 doctrine: rank, never gate).
- TraceHopRole - The role a hop plays in a security finding’s structural import trace.
Constants§
- NAMESPACE_BARREL_HINT - Shared note for the `duplicate-exports` fix action. Mirrors the const used by the human report (see `crates/cli/src/report/shared.rs`); kept here so the wire-format builder reads from the same source of truth.
- TOTAL_ISSUE_RESULT_KEYS - Serialized `AnalysisResults` arrays that contribute to `AnalysisResults::total_issues`.