Build(deps-dev): Bump the dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the dependencies group with 5 updates in the / directory:

Package	From	To
@playwright/test	1.59.1	1.60.0
@types/node	24.12.3	25.9.1
eslint-plugin-playwright	2.10.2	2.10.4
fallow	2.67.0	2.76.0
oxlint-tsgolint	0.22.1	0.23.0

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @types/node from 24.12.3 to 25.9.1

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.5 to 4.1.6

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates eslint-plugin-playwright from 2.10.2 to 2.10.4

Release notes

Sourced from eslint-plugin-playwright's releases.

v2.10.4

2.10.4 (2026-05-19)

Bug Fixes

• valid-title: Skip title checks for anonymous describe blocks (894c0ec)

v2.10.3

2.10.3 (2026-05-18)

Bug Fixes

• missing-playwright-await: Fix false positive when not assigning awaited variable (#464) (801f01a)

Commits

• 894c0ec fix(valid-title): Skip title checks for anonymous describe blocks
• 801f01a fix(missing-playwright-await): Fix false positive when not assigning awaited ...
• b264380 chore(deps): Bump postcss from 8.5.6 to 8.5.14 (#462)
• adc8ad1 chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#461)
• See full diff in compare view

Updates fallow from 2.67.0 to 2.76.0

Release notes

Sourced from fallow's releases.

v2.76.0: --diff-file scopes every finding, schema-derive ladder lands, fallow_core deprecated

Highlights

• --diff-file now filters every finding, not just the runtime-coverage section. A single flag scopes unused-export, complexity hotspot, clone family, boundary violation, and runtime-coverage findings to lines inside an added hunk, so the JSON total_issues already matches what your PR introduces. CI pipelines previously running a downstream jq filter (filter-changed.jq) can drop it; the --diff-stdin alias accepts gh pr diff | fallow audit --diff-file -. Closes #424.

• fallow fix knows about pnpm-catalog comment blocks. A new fix.catalog.deletePrecedingComments knob (auto default, plus always / never) deletes a contiguous YAML comment block when removing the catalog entry it documents, with two escape hatches: a # fallow-keep marker on any line and an auto-policy banner heuristic for # === React 18 pins ===-style headers. The JSON action gains an entry_line field alongside line so annotators can pick either anchor unambiguously. Closes #360.

• fallow fix creates .fallowrc.json when no fallow config exists. Previously the duplicate-export add-to-config fix told you to run fallow init first, then re-run fallow fix --yes. Now the fixer materialises the same framework-aware scaffolding fallow init would emit, layers your ignoreExports rules on top, and skips when invoked from a monorepo subpackage (with a targeted error pointing at the workspace root). --dry-run previews the write as a unified diff in both human and JSON modes. Closes #332.

• Architecture boundaries: opt-in allowTypeOnly lets type-only imports cross zones. { from: "featureB", allowTypeOnly: ["featureA"] } allows import type {...}, inline import { type Foo } (when every named specifier carries the type qualifier), and export type { Foo } from "..." across zones without a runtime dependency. Mixed-specifier imports still fire. Strictly additive: omitting the field preserves pre-feature behavior. Closes #365. Thanks @​DrJonki.

• Angular component complexity rollup. fallow health --complexity (and audit, combined) now emits a synthetic <component> finding per Angular component whose class function findings AND template both cleared the cyclomatic / cognitive thresholds. The rollup sums worst_class_method + template and ships a component_rollup payload so the breakdown stays visible. Component-inherited CRAP provenance also lands on synthetic \<template> findings via the inverse templateUrl edge, with coverage_source: "estimated_component_inherited" and inherited_from on the wire. Closes #234. Refs #186 tier 1.

• autoDiscover parent zones now auto-allow their discovered children. Top-level barrels (src/features/index.ts) can re-export feature modules without false-positive cross-zone violations. The Bulletproof preset gains patterns: ["src/features/**"] on the features zone so non-barrel top-level files (src/features/types.ts) classify under the parent zone and still obey the features rule. Closes #372.

• fallow list --boundaries --format json surfaces the logical group name for autoDiscover zones. Config UIs and Sankey renderers no longer need to reconstruct the grouping from the features/<child> naming convention; a parallel logical_groups[] array carries name, children, auto_discover, status, source_zone_index, file_count, plus byte-accurate config-patch metadata. Closes #373.

Schema-derive ladder shipped

Issue #384 closes in this release. Every object-shaped --format json envelope (AuditOutput, CheckOutput, CombinedOutput, DupesOutput, HealthOutput, ExplainOutput, CoverageSetupOutput, CoverageAnalyzeOutput, ReviewEnvelopeOutput, ReviewReconcileOutput, ListBoundariesOutput) is now a variant of a typed FallowOutput enum derived from Rust source via schemars. The document-root oneOf block in docs/output-schema.json is regenerated instead of hand-maintained, and every legacy inject_*_actions JSON post-pass in report/json.rs is retired in favour of typed *Finding envelope wrappers that flatten the bare payload and carry actions: T[] natively. Wire shape is byte-identical (verified against vue-core, vite, preact, zod, next.js); the codegen-derived TS contracts in editors/vscode/src/generated/output-contract.d.ts and npm/fallow/types/output-contract.d.ts expose FallowOutput as a discriminated union, plus backwards-compat aliases for the bare names that json-schema-to-typescript dedupes away.

fallow_core deprecated for external consumers

Per ADR-008, the top-level entry points (analyze, analyze_with_usages, analyze_with_trace, analyze_retaining_modules, analyze_with_parse_result, analyze_project), the fallow_core::analyze::* detector helpers, and the feature-flag helpers (collect_feature_flags, correlate_with_dead_code) now carry #[deprecated(since = "2.76.0")] annotations pointing external consumers at fallow_cli::programmatic. Workspace path-dependency callers continue to compile via #[expect(deprecated)]. The next minor release (target 2.77.0, no earlier than 2026-Q3) will flip publish = false on fallow-core; this release is the one-cycle warning window. See docs/fallow-core-migration.md for the function-by-function map. Closes #418.

Bug fixes

• typeof import('./path').X inside .d.ts ambient declarations now traces the target file. unplugin-auto-import's auto-imports.d.ts and unplugin-vue-components' components.d.ts no longer surface their composables and components as unused-files. Declaration files are also auto-promoted to entry points so module-augmentation interfaces like GlobalComponents skip unused-export checks (pass --include-entry-exports to opt back in). Closes #396, #397. Thanks @​wouterkroes.

• new URL('./', import.meta.url) no longer flags ./ as an unresolved import. Directory-only specifiers (./, ../, paths ending in /) are now skipped because they construct a directory URL, not a file URL. File-pointing specifiers (./worker.js, ./assets/foo.svg) are unaffected. Closes #399. Thanks @​wouterkroes.

• Standalone export default \<template>...</template> in .gts files now extracts imports and the default export. The v2.75.0 multi-template fix only treated single-byte expression delimiters as expression position, so the canonical template-only-component shape fell through and oxc dropped every import in the file. Closes #379.

• Abstract base-class methods called through a generic-constrained this.<field> are credited. A BaseService<TClient extends BaseClient> with constructor(client: TClient) and a body calling this.client.fetchLatest(id) now resolves to BaseClient.fetchLatest through the existing bound-member-access pipeline. Closes #388. Thanks @​vethman.

• Fluent-builder chains credit intermediate setters. EventBuilder.createWithDefaults().setProcessId("x").setSubject("y").build() no longer flags every setter as unused; a new propagate_fluent_chain_accesses pass walks each chain step against the resolved class export and credits is_self_returning methods reached from an is_instance_returning_static root. Closes #387. Thanks @​vethman.

• Class methods reached via a typed getter chain inside a Playwright fixture teardown are credited. Typed getter declarations now register as instance bindings, so a fixture pattern like get processEventsService() { return container.resolve(ProcessEventsService); } followed by fixtures.processEventsService.clearLast() resolves through the bound-member pipeline. Closes #386. Thanks @​vethman.

• PR comments no longer render empty when the only finding is a project-level dependency / catalog / override issue. --format pr-comment-github and --format pr-comment-gitlab previously applied FALLOW_DIFF_FILTER to every finding, including those anchored at fixed package.json / pnpm-workspace.yaml lines. Project-level rules now bypass the diff filter in the PR-comment path so the body always explains every CI-failure reason. Closes #381. Thanks @​cloud-walker.

• Runtime coverage mapping is tightened across V8 offsets, source maps, and cloud coverage. Five-fix bundle: V8 coverage offsets map as source positions, partial source-map remaps are kept, owner segments are preserved in source-map project ids, cloud coverage requires a line match before attributing a hit, and scoped source-map repo names (@scope/name) are accepted. PR #376. Thanks @​M-Hassan-Raza.

• Duplication JSON output now emits actions: [] on every nested CloneGroup inside clone_families[].groups[] and on the combined dupes block. Closes #393.

• docs/output-schema.json regen no longer silently drops struct fields named after JSON Schema keywords. ContributorEntry.format was listed in required but missing from properties because the schema normaliser stripped the format key recursively. Closes #394.

Documentation

• TypeScript bare-name aliases ship in the npm-published fallow/types contract. The 17 dead-code bare aliases (UnusedExport, UnusedDependency, BoundaryViolation, etc.) plus 7 dupes/health aliases now live in the generated output-contract.d.ts, so import type { UnusedExport } from "fallow/types" type-checks after upgrading. Closes #415.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.76.0] - 2026-05-19

Deprecated

• fallow_core is now an internal-only surface per ADR-008. The top-level entry points (analyze, analyze_with_usages, analyze_with_trace, analyze_retaining_modules, analyze_with_parse_result, analyze_project), the fallow_core::analyze::* detector helpers (find_dead_code_full, find_unused_exports, find_duplicate_exports, find_unused_files, find_unused_members, find_unused_dependencies, find_unused_dependency_overrides, find_misconfigured_dependency_overrides, find_unused_catalog_entries, find_empty_catalog_groups, find_unresolved_catalog_references, find_boundary_violations), and the feature-flag helpers (collect_feature_flags, correlate_with_dead_code) now carry #[deprecated(https://github.com/fallow-rs/fallow/blob/main/since = "2.76.0")] annotations pointing external consumers at fallow_cli::programmatic (or fallow flags --format json for feature-flag data). Workspace path-dependency callers in fallow-cli, fallow-lsp, fallow-core itself, and the in-tree integration tests continue to compile via #[expect(deprecated)] at the call sites. The next minor release (target 2.77.0, no earlier than 2026-Q3) will flip publish = false on fallow-core so the crate is no longer fetchable from crates.io; this release is the one-cycle warning window for any external consumers. The replacement programmatic functions return serde_json::Value matching the CLI's --format json contract (with *Finding wrappers, so e.g. unused_exports[i].export.path rather than unused_exports[i].path), and structured ProgrammaticError { exit_code, ... } mirrors the CLI's exit-code ladder so CI integrations branching on exit codes work identically. See docs/fallow-core-migration.md for the function-by-function map and a minimal usage example. Consumers running RUSTFLAGS=-Dwarnings will need to allow deprecated on their fallow-core call sites or migrate before upgrading. (Closes #418.)

Changed

• --diff-file <PATH> now scopes every finding to changed lines, not just the runtime-coverage hot-path-touched verdict. Before: a developer running fallow audit --diff-file pr.diff saw line-level filtering only on the runtime-coverage section; every other finding type (unused-export, complexity hotspot, clone family, boundary violation, etc.) stayed at full project scope, and the GitHub Action / GitLab CI shipped a downstream jq filter (filter-changed.jq) to narrow the JSON output before posting to PRs. After: when --diff-file (or $FALLOW_DIFF_FILE) is set, fallow narrows ALL source-anchored findings to lines inside an added hunk for that file, so the JSON total_issues is already accurate without jq post-processing. Project-level findings (unused-deps, catalog entries, dependency overrides) bypass the filter because they anchor at fixed package.json / pnpm-workspace.yaml lines a PR rarely touches even when it semantically caused the finding (e.g. removing the last consumer of lodash). Range-shaped findings filter via overlap: a complexity hotspot at lines 10..120 touched by a PR at line 115 is kept; a clone family is kept when ANY of its instances overlaps the diff, even when the other instances are off-diff. Pass - as the path or use the new --diff-stdin alias to read the diff from stdin (gh pr diff | fallow audit --diff-file -). When both --diff-file and --changed-since are set, --diff-file wins for line-level filtering and --changed-since still scopes file discovery; fallow logs a one-line stderr note so the precedence is visible in CI logs. An opt-in --diff-file that parses 0 added lines (typo, wrong path, pure-rename diff with no content hunks) now emits a fallow: warning [diff-file]: ... parsed 0 added lines warning instead of silently dropping every finding. Existing Action / CI pipelines that already set FALLOW_DIFF_FILE keep working unchanged with stricter filtering; pipelines that relied on the pre-feature behavior (full project scope when --diff-file was set for runtime-coverage only) should unset FALLOW_DIFF_FILE or remove the flag. (Closes #424.)

• fallow fix can remove leading pnpm-catalog comment blocks when deleting unused catalog entries. The new fix.catalog.deletePrecedingComments config knob accepts "auto" (default), "always", or "never". auto deletes a contiguous same-indent YAML comment block only when it directly follows the parent catalog header or a blank separator, preserving sibling-adjacent comments for manual review. Two escape hatches keep curated comments safe: a # fallow-keep marker on any line in the block preserves it regardless of policy (mirroring the existing fallow-ignore inline-suppression convention), and the auto policy additionally preserves section-banner blocks whose comment body starts with three or more =, -, *, _, ~, +, or # characters (e.g. # === React 18 production pins ===). The JSON fix action gains an entry_line field alongside the (now deletion-start) line field so CI annotators and agents can pick whichever anchor they need without ambiguity; the human-mode summary surfaces the absorbed comment-line count (Fixed N issue(s) (+M catalog comment lines)). LSP quick fixes intentionally stay conservative and do not delete leading comments. (Closes #360.)

• Duplication actions flow through serde natively; the inject_dupes_actions JSON post-pass is fully retired. fallow dupes --format json (and the dupes block of audit / combined output, and the per-bucket output under --group-by) now serialises each clone_groups[] item through a typed CloneGroupFinding wrapper that flattens the bare CloneGroup payload and carries actions: CloneGroupAction[] plus the optional audit-mode introduced: boolean as named fields. Each clone_families[] item flows through a typed CloneFamilyFinding wrapper; its nested groups[] items each carry their own typed actions[] array, preserving the issue #393 regression contract for JSON-Schema strict consumers. Per-bucket --group-by items flow through AttributedCloneGroupFinding. The on-the-wire shape is unchanged: every inner field (instances, token_count, line_count, files, groups, total_duplicated_lines, total_duplicated_tokens, suggestions, primary_owner, instances[].owner) still sits at the top level of each item alongside actions and (top-level only) introduced. The OLD-vs-NEW JSON diff on the vue-core benchmark fixture is byte-identical modulo elapsed_ms / version for both standalone dupes --format json and the bare combined invocation. A new DupesReportPayload mirrors DuplicationReport field-for-field with wrapped findings, and DupesOutput.report / CombinedOutput.dupes / AuditOutput.duplication now flatten the payload instead of the bare report. The 120-line inject_dupes_actions post-pass plus its build_clone_family_actions / build_clone_group_actions helpers are deleted from crates/cli/src/report/json.rs. With this batch the legacy inject_*_actions post-pass is fully retired across check, dupes, and health. The codegen-derived TS contracts (editors/vscode/src/generated/output-contract.d.ts, npm/fallow/types/output-contract.d.ts) gain matching CloneGroupFinding / CloneFamilyFinding / AttributedCloneGroupFinding interfaces; backwards-compat aliases (type CloneGroup = CloneGroupFinding, type CloneFamily = CloneFamilyFinding, type AttributedCloneGroup = AttributedCloneGroupFinding) live in editors/vscode/src/types.ts so existing consumers see no API break. (Closes #409. Refs #384.)

• fallow coverage analyze --format json envelope is now derived from a typed Rust struct; the last hand-built serde_json::json! root envelope is retired. print_runtime_json in crates/cli/src/coverage/analyze.rs previously built the output via a serde_json::json!({"schema_version": "1", "version": ..., "elapsed_ms": ..., "runtime_coverage": ...}) macro and grafted the optional _meta block via a JSON-map insertion. The envelope now flows through a typed CoverageAnalyzeOutput struct (singleton schema_version: CoverageAnalyzeSchemaVersion::V1 discriminator, plus version, elapsed_ms, runtime_coverage: RuntimeCoverageReport, optional _meta: Meta) so the schema is derived from Rust source. CoverageAnalyzeOutput joins FallowOutput as a new untagged CoverageAnalyze variant rather than staying a hand-maintained sibling root oneOf branch; the document-root oneOf simplifies to two entries (FallowOutput + CodeClimateOutput). The wire shape is byte-identical: same four required fields, same optional _meta. The drift-gate registry in crates/cli/src/bin/schema_emit.rs drops the CoverageAnalyzeOutput entry from both HAND_MAINTAINED_ALLOW_LIST and HAND_MAINTAINED_ROOT_ENVELOPES, both now empty. The root schema description field gains runtime_coverage as a discriminator and drops the "still hand-maintained" caveat. (Closes #410. Refs #384.)

• Hotspot and refactoring-target actions flow through serde natively; the JSON post-pass that patched them in is fully retired. fallow health --hotspots --targets --format json (and the health block of audit / combined output, and the per-group output under --group-by) now serialises each hotspots[] item through a typed HotspotFinding wrapper and each targets[] item through a typed RefactoringTargetFinding wrapper. Both wrappers flatten the inner payload via #[serde(flatten)] and carry actions as a named field (HotspotAction[] and RefactoringTargetAction[] respectively). The on-the-wire shape is unchanged: every inner field (HotspotEntry's path, score, commits, weighted_commits, lines_added, lines_deleted, complexity_density, fan_in, trend, ownership, is_test_path; RefactoringTarget's path, priority, efficiency, recommendation, category, effort, confidence, factors, evidence) still sits at the top level alongside actions. The OLD-vs-NEW JSON diff on the vue-core benchmark fixture is byte-identical modulo elapsed_ms / version for health --hotspots --targets, the bare combined invocation, and audit --base HEAD~1. The schema ships separate HotspotFinding / HotspotEntry and RefactoringTargetFinding / RefactoringTarget definitions in docs/output-schema.json, and the codegen-derived TS contracts (editors/vscode/src/generated/output-contract.d.ts, npm/fallow/types/output-contract.d.ts) gain matching HotspotFinding / RefactoringTargetFinding interfaces plus HotspotEntry = Omit<HotspotFinding, "actions"> and RefactoringTarget = Omit<RefactoringTargetFinding, "actions"> type aliases so downstream consumers can type either the wrapper or the inner payload. Asymmetry with HealthFinding: neither HotspotFinding nor RefactoringTargetFinding carries the audit-mode introduced flag because hotspot ranking and refactoring targets are not produced by fallow audit's base-snapshot classifier; the pre-wrapper finding_augmentation set include_introduced: false for both and the typed wrappers preserve that. With this batch the legacy inject_health_post_pass_actions post-pass is fully retired across report/json.rs, audit.rs, and combined.rs. (Closes #408. Refs #384.)

• Health-finding actions and introduced flow through serde natively; the JSON post-pass that patched them in is retired for findings. fallow health --format json (and the health block of audit / combined output) now serialises each findings[] item through a typed HealthFinding wrapper that flattens the inner ComplexityViolation payload and carries actions: HealthFindingAction[] plus the optional audit-mode introduced: boolean as named fields. The on-the-wire shape is unchanged: every inner field (path, name, line, col, cyclomatic, cognitive, ...) still sits at the top level of each findings[] item alongside actions and introduced. The OLD-vs-NEW JSON diff on the vue-core benchmark fixture (273 findings) is empty modulo elapsed_ms / version, and per-finding actions[] discriminants are byte-identical. The schema now ships separate HealthFinding and ComplexityViolation definitions in docs/output-schema.json (HealthFinding describes the wire envelope; ComplexityViolation is the inner payload); the codegen-derived TS contracts (editors/vscode/src/generated/output-contract.d.ts, npm/fallow/types/output-contract.d.ts) gain a matching HealthFinding interface plus a ComplexityViolation type alias (Omit<HealthFinding, "actions" | "introduced">) so downstream consumers can type either the wrapper or the inner payload. The inject_health_actions post-pass that previously mutated the serialised JSON tree to add actions arrays and the report-root actions_meta breadcrumb is retired for findings; the renamed inject_health_post_pass_actions still walks targets[] and hotspots[] until their typed-wrapper migrations land (out of scope for this PR). actions_meta is now set at construction time on the typed HealthReport.actions_meta field (and on each per-group HealthGroup.actions_meta when --group-by is active) when the active HealthActionContext requests suppress-line omission, so the breadcrumb flows through serde natively. (Refs #384.)

Added

• Angular component complexity rollup: synthesise a <component> finding per component that has both class AND template above threshold. fallow health --complexity (and audit, combined) now emits a synthetic <component> finding per Angular component whose class function findings AND \<template> finding both cleared the cyclomatic / cognitive thresholds. The rollup's cyclomatic and cognitive are worst_class_method + template; the new component_rollup payload carries the pre-summation breakdown so consumers see WHY the component ranks high (class_worst_function: "handleClick", class_cyclomatic: 3, class_cognitive: 4, template_path: "src/host-game.component.html", template_cyclomatic: 6, template_cognitive: 9, component: "host-game.component" derived from the .ts owner's file stem). A component whose class scores moderately (3/4) and whose template scores moderately (6/9) was previously two scattered medium findings the headline rank could miss; the rollup surfaces it as one finding cyclomatic 9, cognitive 13 that wins --targets selection. Per-function and per-\<template> entries stay where they are so existing suppression sites and per-finding tooling references keep working: the rollup is strictly additive. The rollup is anchored at the worst class method's line so // fallow-ignore-next-line complexity placed above that method hides both the function finding and the rollup; the JSON action declares placement: "above-component-worst-method". Both external-templateUrl components (using the inverse-templateUrl provenance map populated alongside CRAP scoring) and inline template: components (where the \<template> finding already lives on the owning .ts) are handled; defensive against the rare multi-@Component .ts file (no rollup, since fallow can't yet AST-attribute each template to a specific class). Wire-level deltas: (a) new component_rollup: ComponentRollup optional field on every HealthFinding, gated by #[serde(default, skip_serializing_if = "Option::is_none")] so non-rollup findings see no shape change; (b) new ComponentRollup definition in docs/output-schema.json and the codegen-derived TS contracts (editors/vscode/src/generated/output-contract.d.ts, npm/fallow/types/output-contract.d.ts); (c) fallow health human output renders a rolled up: 3cyc 4cog on host-game.component.handleClick + 6cyc 9cog on host-game.component.html breakdown line under the <component> row; (d) the MCP check_health tool description teaches AI agents how to read the discriminator and the breakdown so the rollup steers refactoring decisions. Existing baselines see the <component> findings as new (audit --gate new-only will surface them); rebake baselines after upgrade if you want to suppress the rollup historically. (Closes #234.)

• Synthetic Angular \<template> complexity findings now carry component-inherited CRAP provenance. When fallow health --complexity (and audit, combined) emit a \<template> finding on a .html template, the CRAP score is computed against the owning .component.ts reached via the inverse templateUrl SideEffect edge, and the finding ships two new fields: coverage_source: "estimated_component_inherited" and inherited_from: "<owner>.component.ts" (project-relative). The score itself does not move for the common case (BFS already cascades reachability through the templateUrl edge, so .html.is_test_reachable() already matches the owning .ts), so existing baselines and --max-crap gates are unaffected. The wire-level deltas are: (a) the two new optional fields appear on HealthFinding when the inherit path triggered, gated by #[serde(skip_serializing_if = "Option::is_none")] so existing consumers see no shape change otherwise; (b) the new CoverageSource enum (istanbul / estimated / estimated_component_inherited) is published in docs/output-schema.json and the codegen-derived TS contracts (editors/vscode/src/generated/output-contract.d.ts, npm/fallow/types/output-contract.d.ts); (c) fallow health human output renders (inherited from foo.component.ts) after the CRAP score on template rows; (d) the JSON action ladder pivots the primary coverage action for inherited \<template> findings from "increase coverage on \<template>" to "increase test coverage on <owner>.component.ts" with a target_path field, so AI agents target the component rather than scaffolding tests against a structurally untestable .html path. The MCP check_health tool description now explains the discriminator so agents discover the new fields without inspecting the schema. Tier 2 (AOT source-map back-mapping for projects whose tests are AOT-compiled) is tracked separately on the same issue. (Refs #186 tier 1.)

• fallow fix creates .fallowrc.json when no fallow config exists, with framework-aware scaffolding plus the new ignoreExports rules. Previously, fallow fix against a project with duplicate-exports findings and no fallow config file printed Skipped duplicate-export config fix: no fallow config file at <root>. Run fallow init to create one, then re-run fallow fix --yes. and exited without writing. Users had to run two commands to fix what felt like one issue. The applier now creates .fallowrc.json directly using the same scaffolding fallow init emits (framework detection for TypeScript / Storybook / Vitest / Jest / Playwright / React / Vue / Angular / Svelte, $schema, entry, ignorePatterns, duplicates.minOccurrences = 3, rules.unused-dependencies = "warn") and layers the new ignoreExports entries on top, so the post-fix fallow check does not surface a fresh wave of unused_files for Storybook files or unused_dependencies for test-framework packages. The create-fallback refuses to fire inside a monorepo subpackage (one of pnpm-workspace.yaml, package.json#workspaces, turbo.json, lerna.json, rush.json above the invocation directory) and emits a targeted error pointing at the workspace root instead, so 8-package monorepos do not end up with 8 fragmented configs. A new --no-create-config flag (default off) opts out of the create-fallback for pre-commit hooks, CI bots, and fallow watch where silently materialising a new top-level file would surprise the user; the duplicate-export config-add path is skipped with an explanatory entry while source-file edits proceed normally. After a successful create, the human stderr emits Created .fallowrc.json with N ignoreExports rule(s). Add it to git. so the new artifact is not silently lost. The JSON add-to-config action's auto_fixable field is now true whenever the applier can safely write the rule (config exists, OR no config exists and the working directory is not inside a monorepo subpackage); the per-instance flip remains for the monorepo case, so agents that filter on auto_fixable: true continue to receive only actions they can safely pipe into fallow fix --yes. (Closes #332.)

• fallow fix --dry-run previews ignoreExports config writes as a unified diff, replacing the prior Would add N rule(s) count-only line. Both human (--format human) and JSON (--format json) modes carry the proposal in full. For the create-fallback case the diff is hand-rolled +-prefix output (BEFORE side is always empty). For the edit case it is a similar::TextDiff unified diff with 3 lines of context so callers can audit the exact bytes that will land in .fallowrc.json / .fallowrc.jsonc / fallow.toml / .fallow.toml. The JSON fix entry gains a proposed_diff: "..." field alongside the existing entries: [...] breadcrumb so agents piping fallow fix --dry-run --format json into fallow fix --yes can validate the proposal programmatically. The create-fallback also surfaces created_files: [".fallowrc.json"] so consumers know exactly which paths the apply step would (or did) materialize. Monorepo-subpackage refusals carry skip_reason: "monorepo_subpackage" with the resolved workspace_root; --no-create-config refusals carry skip_reason: "no_create_config". (Refs #332.)

• fallow list --boundaries --format json surfaces the user's logical group name for autoDiscover zones. When a config declares { name: "features", autoDiscover: ["src/features"] } (or uses a preset whose zones autoDiscover under the hood, e.g. Bulletproof), expansion previously rewrote zones[] into the discovered children (features/auth, features/billing) and dropped the user-authored features parent from the output. Consumers (config UIs, Sankey renderers of from -> allow rules, agent-driven config tooling, dashboards) had to reconstruct the grouping from the features/<child> naming convention. The output now carries a parallel logical_groups[] array with one entry per pre-expansion autoDiscover zone: name (the parent the user wrote), children (discovered zone names in stable directory-sorted order), auto_discover (the user's verbatim path strings, including trailing slash and leading ./, so config-edit tooling round-trips without rewriting unchanged source), status (ok / empty / invalid_path, discriminating "directory empty" from "directory missing or unreadable"), source_zone_index (the parent's position in the pre-expansion zones[] for byte-accurate config patches), file_count (sum across children plus any fallback zone), merged_from (parent zone indices when the user declared the same parent name multiple times; surfaces the duplicate in JSON instead of hiding it behind a tracing::warn!), original_zone_root (echo of the parent's root subtree scope so monorepo patchers know whether root was authored on the parent or per-child), child_source_indices (parallel to children, attributing each child to a specific auto_discover entry when multiple paths were authored), and optional authored_rule (the pre-expansion { allow, allowTypeOnly } keyed on the parent) and fallback_zone (cross-reference to the zone twin when the parent had both patterns and autoDiscover, e.g. the Bulletproof case). zones[], rules[], zone_count, rule_count are unchanged so existing consumers see zero behavioral delta; the empty-boundaries branch also gains logical_group_count: 0, logical_groups: [] plus parity zone_count / rule_count so consumers can read the count fields without first branching on configured. The full envelope (ListBoundariesOutput, BoundariesListing, BoundariesListZone, BoundariesListRule, BoundariesListLogicalGroup, plus the LogicalGroup, LogicalGroupStatus, AuthoredRule building blocks) is now drift-gated in docs/output-schema.json via the same Rust-source-of-truth pipeline as the analytical commands (refs #338, #384). The human list --boundaries output gains a Logical groups: section parallel to Zones: and Rules:, with empty sections suppressed, correct singular/plural counts, errors-first ordering inside the section so misconfigured paths surface at the top, and a N files (X children + Y fallback) split when the parent kept its own classifier. (Closes #373.)

• Architecture boundaries: opt-in escape hatch for type-only imports across zones (allowTypeOnly). TypeScript codebases often need type-level contracts between modules that should not have runtime dependencies on each other. Previously the only options were to scatter // fallow-ignore-next-line comments on every type-only cross-boundary import (noisy; real violations hide among the legitimate ignores) or duplicate type definitions in a shared layer (loses ownership clarity). A BoundaryRule now accepts an optional allowTypeOnly: ["zoneA", ...] list mirroring the existing allow shape. When featureB has allow: [], allowTypeOnly: ["featureA"], type-only imports from featureB into featureA (import type {...}, import type * as ns, inline import { type Foo } where every named specifier carries the type qualifier, AND type-only re-exports export type { Foo } from "...") no longer fire boundary violations. Mixed-specifier imports (import { type Foo, Bar }) still fire because the runtime dependency on Bar is real. The predicate is edge.symbols.iter().all(|s| s.is_type_only), the same one cycle detection already uses to skip type-only edges from circular-dependency reports. Strictly additive: omitting allowTypeOnly preserves pre-feature behavior, and no preset (Layered, Hexagonal, FeatureSliced, Bulletproof) defaults the field on. (Closes #365. Thanks @​DrJonki for the report.)

Fixed

• Runtime coverage mapping is tightened along the V8-offset, source-map, and cloud-coverage paths. Five contributor-PR fixes land together: V8 coverage offsets are now mapped as source positions before the line-and-column lookup so off-by-one ranges no longer misattribute; partial source-map remaps are kept when only some segments resolve cleanly instead of dropping the entire mapping; the owner segment is preserved in source-map project ids so monorepo deployments at <owner>/<repo> route to the right Fallow Cloud project instead of being conflated with a same-named repo at a different owner; cloud coverage now requires a line match before attributing a hit (the prior column-only fallback over-credited adjacent statements on a single line); and scoped source-map repo names (@scope/name) are accepted by the project-id parser without rejection. (PR #376. Thanks @​M-Hassan-Raza for the patch.)

• Class methods reached via a typed getter chain inside a Playwright fixture teardown are credited. A Playwright fixture pattern like await use({ get processEventsService() { return container.resolve(ProcessEventsService); } }); followed by a teardown step that calls fixtures.processEventsService.clearLast() previously reported ProcessEventsService.clearLast as unused-class-member because the typed-getter chain dropped the receiver type before the bound-member-access pass could resolve it. The extract visitor now records typed getter declarations as instance bindings under the same machinery already used for typed fields, so the access chain <fixtures>.<getter>.<method> resolves through the existing bound-member pipeline. CACHE_VERSION bumped 79 to 80 so the fix takes effect on warm caches. (Closes #386. Thanks @​vethman for the report.)

• docs/output-schema.json no longer ships an orphan SuppressAutoFixable definition. The committed schema carried a singleton oneOf: [{type: "string", const: "false"}] definition named SuppressAutoFixable whose prose suggested suppress-action auto_fixable should render as a literal false rather than a generic boolean. No Rust type ever produced the definition (it survived from a pre-#384 hand-authored draft into the merged regen via merge_with_committed), no $ref pointed at it, and the wire shape on SuppressLineAction.auto_fixable and SuppressFileAction.auto_fixable is and remains {"type": "boolean"}. Keeping the field as boolean is the documented intent on IssueAction in crates/types/src/output.rs:61-64: a future auto-applier (e.g. an LLM-driven suppression writer) can promote individual variants to auto_fixable: true without a schema bump. The definition is removed and the corresponding HAND_MAINTAINED_ALLOW_LIST entry in crates/cli/src/bin/schema_emit.rs is dropped, so the structural drift gate now rejects re-introduction of the name without a matching Rust source. Strictly an internal schema cleanup: no wire shape change, no codegen-derived TS contract change. (Closes #402. Refs #384 item 1 follow-up.)

• typeof import('./path').X inside .d.ts ambient declarations now traces the target file. unplugin-auto-import's auto-imports.d.ts and unplugin-vue-components' components.d.ts embed typeof import() references inside declare global { ... } and declare module 'vue' { ... } bodies; fallow previously walked those bodies but had no extractor for the TSImportType node, so the referenced composables and components surfaced as unused-files in every Vite + Vue + unplugin-* project. The visitor now records each TSImportType as a type-only ImportInfo (qualifier root identifier becomes a Named import; bare typeof import('./x') and typeof import('./x')['default'] indexed-access patterns produce SideEffect), and the graph layer promotes every .d.ts / .d.mts / .d.cts file to an overall reachability root so the new edge actually propagates through BFS. Declaration files were already exempt from unused-files; this aligns reachability with that existing "always alive" policy. Side effect: is_entry_point() returns true for .d.ts files, which auto-skips them in unused-exports / unused-types detection (preventing false positives on module-augmentation interfaces like GlobalComponents that TypeScript consumes invisibly via global type resolution). Pass --inc...

  Description has been truncated

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codescene-delta-analysis]

No application code in the PR — skipped Code Health checks.

See analysis details in CodeScene

Quality Gate Profile: Custom Configuration
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.