flutter/flutter

Why this matters

flutter/flutter is the flagship “platform-driven polyglot monorepo” in the corpus — a single tree where the framework itself is Dart, but every native-OS embedder (Android, iOS, macOS, Linux, Windows, Fuchsia, GLFW desktop, the cross-platform “embedder” ABI) lives as a peer subdirectory under engine/src/flutter/shell/platform/, each implementing the same surface (PlatformView, ExternalTexture, KeyEventHandler, VsyncWaiter, PlatformMessageHandler, AccessibilityBridge) in the language native to that OS:

• Dart for the framework + the CLI tools + the engine’s Dart bindings
• Java for the Android engine surface
• Kotlin for the Gradle plugin + newer Android integration-test apps
• Swift + Objective-C for the iOS / macOS engine surface
• C / C++ for the engine core and the Linux + Windows engine surfaces

Where apache/arrow is the data-format-driven polyglot (one schema, six per-language readers), flutter is the platform-driven polyglot (one framework, six per-OS embedders).

Concrete polyglot density in the in-scope tree:

• 304 Java + 61 Kotlin + 131 Swift + 342 Objective-C + 3,227 C/C++
  • 4,857 Dart files — all 5 native-platform languages PLUS Dart
• 6 per-OS engine subdirs implementing the same engine ABI
• 7 flutter create template subdirs scaffolding apps per platform
• 39 analysis_options.yaml files, 232 BUILD.gn files, 91 build.gradle / .kts, 25 Podfile, 409 AndroidManifest.xml, 97 Info.plist, 16 GitHub Actions workflows, plus a 7,198-line .ci.yaml orchestrating 464 named CI targets across linux / mac / win / android-emu / ios-device / fuchsia shards

No per-platform IDE / linter sees the cross-platform conventions: Android Studio sees android/, Xcode sees darwin/{ios,macos}/, MSVC sees windows/, but no one tool sees them as peers.

Headline catch

Running the alint config against the live tree surfaces 5 real Trojan-Source / CVE-2021-42574 errors in docs/about/Values.md and 4 archived release-notes files under docs/releases/archive/, caught by oss-baseline’s no_bidi_controls rule. Flutter ships these with embedded bidi controls in contributor names / commit messages; alint surfaces them at PR time.

This is the strongest single “alint catches things other tools miss” data point in the case-study corpus. The bidi controls slip past every per-language linter (Dart analyzer, clang-format, clang-tidy, eslint, gofmt, etc.) because they’re embedded in markdown text content, not source code; they slip past markdown linters because the controls are valid Unicode and don’t break rendering. alint’s no_bidi_controls rule, shipped in the oss-baseline@v1 ruleset by default, catches them across the whole repo in one pass.

CVE-2021-42574 (Trojan Source) is the 2021-disclosed attack class where bidirectional text controls let attackers visually conceal malicious code in commits — exactly the threat model where “valid Unicode that no per-language tool flags” is the failure mode. A language-agnostic tool that scans every text file in the repo by default is the only structural defence.

Plus the Apple framework four-file layout (Headers/, Source/, Info.plist, module.modulemap per engine/src/flutter/shell/ platform/darwin/{ios,macos}/framework/) — another invariant no Linux/Windows developer would notice was broken; drift here silently breaks xcodebuild framework targets that external Flutter apps consume.

Where alint earns its keep here

The Flutter-Authors BSD-style header rule across 5 native languages + Dart is the cleanest single-rule polyglot demo in the catalogue — one regex, ~9,000 source files across 6 languages, one alint pass. The engine subtree’s format.sh enforces this on engine/src/flutter/ only; alint extends the same gate to the framework subtree (packages/, dev/, examples/) where it’s currently enforced only by review discipline.

Per-platform structural invariants checked once across the entire polyglot tree:

• Per-platform engine BUILD.gn presence (android, darwin/ios, darwin/macos, linux, windows, fuchsia, glfw, embedder, common)
• Apple framework four-file layout (iOS + macOS)
• flutter create template parity (every supported platform has its scaffold template)
• Per-Dart-package resolution: workspace across 9 packages
• Engine build_overrides/ .gni presence (vulkan, wayland, swiftshader, glslang, spirv-tools, angle)
• Dart analyzer strict-mode pins (strict-casts, strict-inference, strict-raw-types) across every per-package analysis_options.yaml

flutter is the fifth independent demand signal for cross_language_implementation_complete (now v0.11+ ship-target, saturated at 5 sources: arrow + TF + protobuf + angular + flutter) and the first platform-driven source — distinct from the data-format-driven variant that arrow + tensorflow demonstrate. The shape generalises to every cross-platform UI framework with per-OS native embedders (React Native, Xamarin/MAUI, Qt, Tauri).

flutter also surfaces:

• The .ci.yaml ↔ dev/bots/test.dart shard registry resolution problem (sixth source for registry_paths_resolve, now v0.10 ship-target, 8 sources)
• .ci.yaml’s 464 targets are conventionally alphabetised by name within each OS group (ordered_block, now v0.10 ship-target, 7 sources)

Future story angles

• Pair as the platform-driven flagship Wave-2 polyglot tile on alint.org/examples alongside arrow as the Wave-1 data-format flagship: arrow demonstrates one schema → six per-language readers; flutter demonstrates one engine ABI → six per-OS embedders
• The pitch: “flutter has 5 native-platform languages + Dart, 6 per-OS engine embedders implementing the same ABI, 0 tools that see the platform-driven conventions — alint is the layer that does.”
• The Trojan-Source finding is the one-frame demo for security- sensitive audiences (CNCF supply-chain talks, OpenSSF Scorecard alignment): a single rule, 5 real CVE hits in production-shipped docs of the 2nd-most-starred Google OSS project — caught by a bundled ruleset in <2s on the live tree