Module resolve

Feature-aware “is it actually built?” resolution via cargo tree.

Cargo.lock records optional dependencies even when their feature is off, so a lockfile-only scan can flag a package (e.g. proc-macro-error2 via jiff’s off-by-default defmt feature) that is never compiled. cargo metadata’s resolve graph is the maximal graph and includes those phantoms — but cargo tree is feature-aware, so we use it as the oracle for the host’s default build set.

This is opt-in (--resolve-features): it shells out to cargo and needs the repo’s buildable source, so it is never the default. Best-effort — any failure leaves findings unannotated rather than aborting the scan.

Functions

built_package_set
The (name, version) set actually compiled for the host’s default build of the project at project_dir, per cargo tree (normal + build edges, default features). Err (cargo missing, not a project, stale lock, …) tells the caller to skip annotation rather than fail the scan.
host_triple
The host target triple (e.g. x86_64-apple-darwin), parsed from rustc -vV.
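
The following is an added sketch, not this crate's own code, of the two parsing steps described above and of the best-effort annotation that follows from them. The names parse_host_triple, parse_built_set and annotate are hypothetical, the input is assumed to come from rustc -vV and from cargo tree --prefix none -e normal,build, and the sample output and version numbers are constructed.

```rust
// Added example: hypothetical helper names, constructed sample data.
use std::collections::BTreeSet;

type Built = BTreeSet<(String, String)>;

/// Pull the host triple out of `rustc -vV` output (the `host: ...` line).
fn parse_host_triple(rustc_vv: &str) -> Option<String> {
    rustc_vv
        .lines()
        .find_map(|l| l.strip_prefix("host:"))
        .map(|t| t.trim().to_string())
        .filter(|t| !t.is_empty())
}

/// Parse `cargo tree --prefix none` lines: "name vX.Y.Z [(source)] [(*)]".
/// Err means "do not trust this set", so the caller skips annotation.
fn parse_built_set(tree: &str) -> Result<Built, String> {
    let mut set = Built::new();
    for line in tree.lines().map(str::trim) {
        // Skip blanks and section headers such as "[build-dependencies]".
        if line.is_empty() || line.starts_with('[') {
            continue;
        }
        let mut tok = line.split_whitespace();
        let name = tok.next().unwrap_or_default();
        let ver = tok.next().and_then(|v| v.strip_prefix('v'))
            .ok_or_else(|| format!("unparseable line: {line:?}"))?;
        set.insert((name.to_string(), ver.to_string()));
    }
    if set.is_empty() { Err("no packages in output".into()) } else { Ok(set) }
}

/// Some(true) = compiled, Some(false) = lockfile-only phantom, None = unknown.
fn annotate(findings: &[(&str, &str)], built: &Result<Built, String>) -> Vec<Option<bool>> {
    findings
        .iter()
        .map(|&(n, v)| built.as_ref().ok().map(|s| s.contains(&(n.to_string(), v.to_string()))))
        .collect()
}

// Constructed sample output, not captured from a real project.
const RUSTC_VV: &str = "rustc 1.80.0\nbinary: rustc\nhost: x86_64-apple-darwin\nrelease: 1.80.0\n";
const TREE: &str = "app v0.1.0 (/work/app)\njiff v0.2.15\nserde v1.0.219\nserde_derive v1.0.219 (proc-macro)\nserde v1.0.219 (*)\n";

fn main() {
    let findings = [("proc-macro-error2", "2.0.1"), ("jiff", "0.2.15")];
    println!("{:?}", parse_host_triple(RUSTC_VV));
    println!("{:?}", annotate(&findings, &parse_built_set(TREE)));
}
```

A None annotation keeps the finding as reported, so a failed or stale resolve never suppresses an advisory for a package that may in fact be compiled.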