CLI reference for fallow coverage. Run the resumable setup flow, analyze local or cloud runtime coverage, upload source maps, and push static inventory so the dashboard can surface untracked code.
Use this file to discover all available pages before exploring further.
fallow coverage groups the paid Runtime Coverage workflow commands:
fallow coverage setup # resumable first-run flowfallow coverage analyze --cloud --repo owner/repofallow coverage upload-inventory # push a static function inventoryfallow coverage upload-source-maps # upload build source maps for bundled code
setup is the guided first-run path: license check, sidecar install, recipe generation, health handoff. It is intentionally resumable: run it once to bootstrap, follow the generated recipe, then run it again after traffic has been captured.analyze is the focused agent/CLI loop. Local mode reads a V8 or Istanbul artifact from disk. Cloud mode is explicit opt-in only and pulls the latest runtime facts for a repo before merging them with the current local AST/static analysis.upload-inventory is the CI step that unlocks the Untracked filter in the dashboard by pairing the runtime V8/Istanbul data (what actually ran) with the AST view of every function that exists.coverage upload-source-maps is the CI step for bundled/minified apps. It uploads build .map files so cloud runtime coverage can resolve bundle paths back to original source files.
Accept prompts automatically. Useful for local setup when you want fallow to continue without confirmation prompts.
--non-interactive
Print instructions instead of prompting. Useful in CI, remote shells, or agent workflows.
--json
Emit deterministic agent-readable setup instructions as JSON. Implies --non-interactive and does not prompt, write files, install packages, activate a license, or make network calls. Workspace projects emit a members[] array with one entry per runtime-bearing workspace (each with its own framework_detected, runtime_targets, files_to_edit, snippets, dockerfile_snippet); the top-level fields mirror the first emitted runtime member.
--explain
With --json, include a _meta block with field definitions, enum values, warning semantics, and this docs URL.
fallow coverage setup inspects package.json, lockfiles, and scripts to tailor the instructions:
Detection
Purpose
Framework
Chooses a recipe for Next.js, NestJS, Nuxt, SvelteKit, Astro, Remix, Vite browser apps, plain Node services, or a generic fallback. When both a Node-server framework (Elysia, Hono, Fastify, Express, Koa, @trpc/server) and Vite appear in the same package.json, the Node-server framework wins so the recipe targets the API rather than the bundled client.
Workspace topology
Walks workspaces (npm/pnpm/yarn/bun) and emits one recipe per runtime-bearing member. Library-only workspaces (no start/preview/dev script and no Node-server dependency) are skipped. The top-level runtime_targets array is the union (["node"], ["browser"], or ["node", "browser"]) across all members.
Package manager
Uses packageManager, lockfiles, or both to choose install commands for npm, pnpm, yarn, or bun.
Coverage artifact
Detects existing coverage/coverage-final.json, .nyc_output/coverage-final.json, or JSON-containing V8 directories.
Sidecar binary
Resolves FALLOW_COV_BIN, FALLOW_COV_BINARY_PATH, project-local shims, package-manager bin lookups, ~/.fallow/bin/fallow-cov, and PATH.
If the project does not match a built-in framework recipe, fallow still writes a fallback docs/collect-coverage.md with a link to the public coverage docs for manual setup.
fallow coverage setup --yes --json is the agent-driven entry point. The payload is deterministic, side-effect-free, and stable across reruns. Add --explain when the consumer needs in-payload documentation: it adds optional _meta.field_definitions, _meta.enums, _meta.warnings, and _meta.docs_url keys without changing schema_version.On a workspace monorepo (Elysia API at root + two Vite browser apps in dashboard/ and site/):
framework_detected uses canonical ids (nextjs, nestjs, nuxt, sveltekit, astro, remix, vite, plain_node, unknown). Top-level fields mirror the first emitted runtime member (the root when the root itself is a runtime app, otherwise the first runtime workspace), so on a browser-rooted monorepo with a Node child agents should read each member’s dockerfile_snippet rather than the top-level one. Single-app projects emit a members array of length 1 (path "."), so consumers can treat members[] uniformly.Aggregator-only repos (workspaces whose only runtime indicator is a Turbo/Nx-style dev script delegating to children, plus build-only library packages) are not runtime-bearing and emit an empty payload: framework_detected: "unknown", runtime_targets: [], members: [], plus a warnings entry of "No runtime workspace members were detected; emitted install commands only.". Agents can branch on members.length === 0 (or framework_detected === "unknown") to detect this case and skip the snippet-application step.
The generated docs/collect-coverage.md recipe typically looks like:
1. Remove any old dump directory: rm -rf ./coverage2. Build the app3. Start the app with NODE_V8_COVERAGE=./coverage ...4. Exercise the routes or jobs you care about5. Stop the app and run: fallow coverage setup
Framework-aware script selection means fallow prefers existing build, start, or preview scripts when they exist and falls back to common framework commands otherwise.
Local V8 directory, V8 JSON file, or Istanbul coverage map. Mutually exclusive with cloud mode.
--cloud, --runtime-coverage-cloud
Explicitly fetch cloud runtime facts from /v1/coverage/:repo/runtime-context.
--repo <OWNER/REPO>
Repository to fetch in cloud mode. Falls back to $FALLOW_REPO, then parsed origin. Slashes are URL-encoded as one route segment.
--api-key <KEY>
Fallow cloud bearer token. Falls back to $FALLOW_API_KEY, but only after explicit cloud opt-in.
--api-endpoint <URL>
Override the API base URL. Useful for staging and on-prem deployments.
--coverage-period <DAYS>
Cloud observation window, 1 through 90 days. Default: 30.
--project-id <ID>
Optional monorepo/project discriminator.
--environment <NAME>
Optional cloud environment filter.
--commit-sha <SHA>
Optional cloud commit filter.
--top <N>
Show only the top N runtime findings, hot paths, blast-radius entries, and importance entries. Truncation happens before rendering, so it propagates to JSON, human, and cloud-merge output equally.
--blast-radius
Show the first-class blast-radius section in human output. JSON always includes runtime_coverage.blast_radius whenever runtime coverage analysis runs.
--importance
Show the first-class importance section in human output. JSON always includes runtime_coverage.importance whenever runtime coverage analysis runs.
--production
Run analyze in production mode, matching fallow health --production. Filters out test files and dev-only code paths before merging runtime data.
--min-invocations-hot <N>
Hot-path classification threshold. Functions invoked at least N times during the captured window are classified as hot. Default: 100. Mirrors the same flag on fallow health --runtime-coverage.
--min-observation-volume <N>
Minimum total trace volume before high-confidence safe_to_delete / review_required verdicts. Below this the sidecar caps confidence at medium. Default: 5000.
--low-traffic-threshold <RATIO>
Fraction of total trace count below which an invoked function is classified low_traffic rather than active. Decimal form (0.001 = 0.1%). Default: 0.001.
--explain
With --format json, attach a top-level _meta block with field definitions, enum values (data_source, test_coverage, v8_tracking, action_type, etc.), warning-code documentation, and the docs URL.
Cloud analysis emits the same runtime_coverage JSON block as local mode. Its summary includes data_source: "cloud", last_received_at, and capture_quality derived from the pulled runtime window. Cloud functions that cannot be matched to the local AST/static index are omitted from findings and reported through a cloud_functions_unmatched warning.Each finding’s actions[].type uses the canonical kebab-case vocabulary: delete-cold-code is emitted on verdict=safe_to_delete, review-runtime on verdict=review_required. The sidecar may emit additional protocol-specific identifiers, so consumers should treat unknown values as forward-compat extensions rather than schema violations.
If fallow-cov is missing, setup tells you exactly what it checked and suggests the correct install command for your package manager, for example:
pnpm add -D @fallow-cli/fallow-cov
You can also bypass auto-discovery by setting either explicit-override env var to a binary path. Resolution order is FALLOW_COV_BIN first, then FALLOW_COV_BINARY_PATH, then project-local auto-discovery. Both fail hard with a clear error if the configured path does not exist (they never silently fall through to the next step). FALLOW_COV_BINARY_PATH exists for air-gapped enterprise installs, Linux distro-packaged sidecars, and Docker multi-user setups where ~/.fallow/bin is not writable.
Every sidecar spawn runs an Ed25519 signature check against the compiled-in public key. The sidecar binary must ship with an adjacent <binary>.sig file. A missing, wrong-length, or invalid signature fails hard with exit code 4 rather than executing an unverified binary. There is no warn-and-run mode and no opt-out env var. If verification fails, install the signed distribution:
fallow coverage upload-inventory walks every JS/TS source in the project and POSTs a static function inventory (one row per declaration, expression, arrow, or method) to fallow cloud. The server computes inventory − runtime-seen = untracked for the matching git SHA, which lights up the dashboard’s Untracked filter.This is the only fallow subcommand that does network I/O outside of fallow license. check, dupes, and health stay offline.
Fallow cloud bearer token. Prefer $FALLOW_API_KEY on shared CI runners — passing secrets on the command line may be visible to other processes via ps and can leak into shell history or process audit logs.
--api-endpoint <URL>
Override the base URL. Useful for staging and on-prem deployments.
--project-id <OWNER/REPO>
Project identifier, owner/repo form.
--git-sha <SHA>
Commit SHA this inventory is keyed to. Max 64 chars; [A-Za-z0-9._-] only.
--allow-dirty
Silence the warning when the working tree has uncommitted changes.
--exclude-paths <GLOB>
Additional globs to skip, applied after the configured fallow ignore rules. Repeatable.
--path-prefix <PREFIX>
Prefix prepended to every emitted filePath so the static inventory matches the path shape the runtime beacon reports. Required for containerized deployments: the beacon reports V8’s absolute path inside the container (e.g. /app/src/foo.ts) while the walker emits repo-relative paths (src/foo.ts) by default. Must start with / and use POSIX separators. Common values: /app (typical Dockerfile), /workspace (Buildpacks / Cloud Run), /usr/src/app (older Node images), /var/task (Lambda), /home/runner/work/<repo>/<repo> (GitHub Actions).
--dry-run
Print what would be uploaded and exit. No network call.
--ignore-upload-errors
Treat upload failures as warnings (exit 0). Validation errors still fail hard.
The function’s own id (function foo() {}, named function expression).
(anonymous_N) where N is a file-scoped monotonic counter.
TypeScript declaration files (*.d.ts, *.d.mts, *.d.cts, *.d.tsx) and overload signatures with no body are intentionally skipped: they have no runtime footprint, so including them would pollute the dashboard with permanently untracked entries.
The runtime beacon reports V8’s filePath as it sees it at runtime. In a container, that is the path inside the image (e.g. /app/src/foo.ts when the Dockerfile sets WORKDIR /app). The static inventory walker, running in CI against the checkout, emits repo-relative paths (src/foo.ts) by default. The server joins runtime and inventory on the exact (filePath, functionName) pair; if the two sides don’t share a prefix shape, the Untracked filter never lights up and the dashboard surfaces a mismatched state.The fix: pass --path-prefix matching your deployed WORKDIR:
Docker image with WORKDIR /app (most Node services)
/app
Cloud Run / Buildpacks
/workspace
Older official Node images
/usr/src/app
AWS Lambda
/var/task
GitHub Actions default checkout
/home/runner/work/<repo>/<repo>
After upload, the server samples up to 100 recent runtime rows and reports the overlap with the inventory. The CLI prints a yellow warning if overlap < 50% with an example mismatch, and the dashboard renders a configuration-needed state on the repo detail page until the prefix is corrected.
fallow coverage upload-source-maps scans a build output directory for source maps and POSTs each map to fallow cloud under the current repo and git SHA. The production beacon reports coverage against deployed bundles; uploaded source maps let the cloud resolver remap those bundle positions back to original source files.
Directory scanned recursively. Relative paths resolve from the project root.
--include <GLOB>
**/*.map
Include glob, matched relative to --dir.
--exclude <GLOB>
**/node_modules/**
Exclude glob, repeatable.
--repo <NAME>
package.jsonrepository.url, then git remote get-url origin parsed to owner/repo
Repo identifier used in /v1/coverage/:repo/source-maps. Must match the beacon’s projectId (and the --project-id passed to upload-inventory); pass --repo <bare-name> explicitly if your beacon reports a bare name.
--git-sha <SHA>
$GITHUB_SHA, $CI_COMMIT_SHA, $COMMIT_SHA, then git rev-parse HEAD
Commit SHA the beacon will report for the deployed build. Must be 7-40 hex chars.
--endpoint <URL>
$FALLOW_API_URL or https://api.fallow.cloud
Override for staging or enterprise deployments.
--strip-path <BOOL>
true
Upload only the basename as fileName, e.g. dist/assets/app.js.map -> app.js.map. Set --strip-path=false when runtime coverage reports bundle paths with directories, e.g. assets/app.js.
--dry-run
false
Print what would upload without reading FALLOW_API_KEY or making network calls.
--concurrency <N>
4
Parallel upload fanout.
--fail-fast
false
Stop on the first failed map instead of uploading the rest and reporting a partial-failure summary.
The API key comes only from FALLOW_API_KEY; there is intentionally no --api-key flag, so secrets do not land in shell history or process lists.
