Module extract 

Module extraction types: exports, imports, re-exports, and member info. Module extraction types.

Structs

AngularComponentSelector

A declared Angular @Component and its selector value(s), harvested from a @Component({ selector: '...' }) decorator. Consumed by the Angular arm of the unrendered-component detector, which flags a component whose every element selector is used in NO template project-wide (and that is not referenced by class name anywhere, e.g. routed / bootstrapped / dynamically rendered). A multi-selector string ('app-foo, [appBar]') is split into the selectors list. The span is stored as a byte offset (not an oxc_span::Span) so the type round-trips through the bitcode cache directly, mirroring AngularInputMember::span_start. @Directive is intentionally NOT harvested here (directives have no template render). ModuleInfo is not serialized, so no serde attrs are derived.

AngularInputMember

A declared Angular component/directive input, harvested from an @Input() decorator or a signal input() / input.required() / model() initializer on an Angular-decorated class. Consumed by the unused-component-input detector, which flags an input read nowhere in its own component (neither the template nor the class body). The span is stored as a byte offset (not an oxc_span::Span) so the type is cheap to mirror onto the cache, matching ComponentEmit::span_start. ModuleInfo is not serialized, so no serde attrs are derived here. bitcode derives let the type be mirrored directly onto CachedModule (the same pattern as ComponentEmit).

AngularOutputMember

A declared Angular component/directive output, harvested from an @Output() decorator or a signal output() / outputFromObservable() initializer on an Angular-decorated class. Consumed by the unused-component-output detector, which flags an output emitted nowhere in its own component. A model() is an input and a framework-driven output, so it is recorded ONLY as an input and never appears here (the implicit update: emit is framework-managed). The span is a byte offset for the same reason as AngularInputMember.

CalleeUse

A statically flattenable callee path invoked in a module (e.g. execSync, child_process.exec, console.log). One entry per unique callee_path per module; the span anchors the first occurrence. Consumed by the boundaries.calls.forbidden detector.

ClassHeritageInfo

Additional heritage metadata for an exported class.

ComplexityContribution

A single complexity increment, located at its source line/column.

ComponentEmit

A Vue <script setup> defineEmits declared event, harvested from the type tuple-call form (defineEmits<{ (e: 'foo'): void }>()), the type object form (defineEmits<{ foo: [x: string] }>()), or the runtime array form (defineEmits(['foo'])). used is set during extraction when the bound emit name is called as emit('<name>'). The unused-component-emit detector flags an event where used is false. See harvest_define_emits in sfc_props.rs.

ComponentFunction

An identified React component: a function/arrow whose body returns JSX. Captured by visit_jsx_element’s enclosing-component tracking. The unused-component-prop (React arm) and complexity-fold phases consume this; the abstain flags keep zero-FP on the cases ADR-001 cannot resolve.

ComponentProp

A Vue <script setup> defineProps declared prop, harvested from the runtime object form (defineProps({ foo: {...} })) or the inline TS literal form (defineProps<{ foo: T }>()). used_in_script / used_in_template are set during extraction; the unused-component-prop detector flags a prop where neither is true. See harvest_define_props in sfc.rs.

CssAnalytics

Stylesheet-level structural CSS analytics, computed from the parsed CSS syntax tree. Feeds fallow health penalty weights and located findings, never a standalone CSS score.

CssDeclarationBlock

A style rule’s declaration-block fingerprint and location, for cross-file duplicate-block detection. Only rules with a meaningful number of declarations are recorded (small blocks repeat legitimately). Internal staging only: this is consumed in-process by the health layer to build the grouped duplicate_declaration_blocks output and is never serialized.

CssRuleMetric

Structural CSS metrics for a single style rule, computed from the parsed CSS syntax tree. A rule is recorded only when it crosses a structural floor (an id selector, a complex selector, a !important declaration, or deep nesting), so the vector stays bounded on normal stylesheets.

DiKeySite

A Vue provide/inject or Svelte setContext/getContext call site keyed by an identifier symbol. The key_local is resolved at analyze time through the consuming module’s import/export tables to a canonical defining-site export key, so a provide and an inject of the same shared symbol unify even across barrel re-exports. Consumed by the unprovided-inject detector.

DispatchedEvent

A Svelte custom event dispatched via dispatch('<name>'), where dispatch is the binding from a const dispatch = createEventDispatcher() call. Only literal-first-arg dispatches are recorded; a dispatch(<nonLiteral>) sets ModuleInfo::has_dynamic_dispatch instead. Consumed by the unused-svelte-event detector, which flags an event dispatched here but listened to nowhere project-wide (the cross-file dead-output direction). The span is a byte offset (not an oxc_span::Span) so the type round-trips through the bitcode cache directly, mirroring ComponentEmit::span_start.

DynamicImportInfo

A dynamic import() call.

DynamicImportPattern

A dynamic import with a partially resolved pattern.

ExportInfo

An export declaration.

FlagUse

A feature flag use site.

ForwardAttr

One forwarded JSX attribute: the child attribute name plus the identifier root of its value expression. See RenderEdge::forward_attrs.

FunctionComplexity

Complexity metrics for a single function/method/arrow.

HookUse

A React hook call site inside a component. Consumed by the complexity-fold phase (hook density) and surfaced as descriptive hotspot context.

ImportInfo

An import declaration.

LoadReturnKey

A key returned from a SvelteKit route load() function’s terminal return object literal. Harvested from +page.{ts,server.ts,js,server.js} files exporting a load function. Consumed by the unused-load-data-key detector, which flags a key read by no consumer. The span is stored as byte offsets (not an oxc_span::Span) so the type round-trips through the bitcode cache directly, mirroring DiKeySite::span_start / ComponentEmit::span_start.

LocalTypeDeclaration

A module-scope declaration that can be used as a TypeScript type.

MemberAccess

A static member access expression (e.g., Status.Active, MyClass.create()).

MemberInfo

A member of an enum, class, or namespace.

MisplacedDirectiveSite

A "use client" / "use server" directive string written as an expression statement in program.body (NOT the leading prologue), so the RSC bundler silently ignores it. One entry per offending occurrence. Consumed by the misplaced-directive detector.

ModuleInfo

Extracted module information from a single file.

NamespaceObjectAlias

One alias entry tying an exported object’s dotted property path to a namespace import.

ParseResult

Result of parsing all files, including incremental cache statistics.

PublicSignatureTypeReference

A reference from an exported symbol’s public signature to a type name.

ReExportInfo

A re-export declaration.

RenderEdge

A render edge: one component rendering another (a capitalized or member-expression JSX tag). Captured at extraction time with the child’s written name; resolution of child_component_name to a FileId/export is deferred to graph build via the existing import map.

RequireCallInfo

A require() call.

SanitizedSinkArg

A captured sink argument that is itself a recognized sanitizer call.

SecurityControlSite

A known defensive control call site.

SinkObjectProperty

Static object-literal property metadata attached to a captured sink argument. Nested object paths are flattened with dot-separated keys.

SinkSite

A captured sink site. The visitor records every existing non-literal call / member-assign / member-call / tagged-template / jsx-attr sink site, and a small allowlist of literal-aware sites where the literal value is the signal. It knows nothing about CWE categories.

SkippedSecurityCalleeSite

Span-only diagnostic for a skipped security callee inside one module.

TaintedBinding

A local binding tied to the flattened member-access path it was initialized from. The analyze layer matches source_path against the data-driven source catalogue; when it matches, local is treated as carrying untrusted input.

Enums

ComplexityContributionKind

The syntactic construct that produced a single complexity increment.

ComplexityMetric

Which complexity metric a ComplexityContribution adds to.

ComponentFunctionKind

The syntactic shape of an identified React component definition. Drives the abstain ladder later phases apply: a forwardRef / memo wrapper whose props come from an imported interface fallow cannot resolve must abstain (ADR-001), not guess.

DiFramework

Which framework’s DI API a call site came from (drives the finding message).

DiRole

Which side of a dependency-injection link a call site represents.

ExportName

Export identifier.

FlagUseKind

The kind of feature flag pattern detected.

HookUseKind

The kind of a React hook call. Custom covers any use*-named call that is not one of the built-in hooks.

ImportedName

How a symbol is imported.

MemberKind

The kind of member.

SanitizerScope

Sanitizer output domain. Kept intentionally narrow so a sanitizer for one domain cannot suppress a different sink family.

SecurityControlKind

Defensive control family detected on a source to sink path.

SecurityUrlShape

Static URL construction shape captured for URL-shaped security sinks.

SinkArgKind

The shape of the argument captured at a sink site. Category-blind like SinkShape, but finer-grained: it lets the catalogue matcher require or exclude specific argument shapes. The discriminator is what distinguishes an unsafe SQL string concatenation or template-into-.execute() from a safely-parameterized sql`${x}` tagged template, an object-literal .execute({ sql, args }) argument, or a literal-aware sink argument.

SinkLiteralValue

Literal values attached to literal-aware security sink captures.

SinkShape

The syntactic shape of a captured security sink site. Category-blind: the extractor records the shape and the dotted/bare callee path; the analyze layer matches it against the data-driven catalogue. See crates/core/data/security_matchers.toml.

SkippedSecurityCalleeExpressionKind

Syntactic expression shape for a skipped security callee.

SkippedSecurityCalleeReason

Why a sink-shaped callee could not be flattened into a static catalogue path.

VisibilityTag

Visibility tag from JSDoc/TSDoc comments that suppresses unused-export detection.

Constants

PUBLIC_ENV_EXACT

Exact env var names that are public by convention (no prefix).

PUBLIC_ENV_METADATA_TOKENS

Env var-name tokens that usually describe public build or deployment metadata rather than secrets. Secret-shaped names win over these tokens.

PUBLIC_ENV_PREFIXES

Env var-name prefixes that frameworks inline into the client bundle by convention. A read of one of these is normal and safe, so it does NOT count as a secret source (issue #890). Shared by the extract layer (so public env vars never become source signals) and the bespoke client-server-leak rule.

SECRET_ENV_TOKENS

Env var-name tokens that should keep a variable source-backed even when the name also contains public metadata tokens such as REF or SHA.

Functions

byte_offset_to_line_col

Convert a byte offset to a 1-based line number and 0-based byte column.

compute_line_offsets

Compute a table of line-start byte offsets from source text.

is_public_env_path

Whether a flattened member path is a PUBLIC env-secret read (process.env.NEXT_PUBLIC_X, import.meta.env.VITE_Y), which must not be recorded as a secret source. Non-env paths (req.query.id) are never public.

is_public_env_var

Whether an env var name is public-by-convention (build-inlined into the client bundle), and therefore not a secret.