In bare `fallow`, dead-code analysis and duplication detection run on the
same sources but share no mutable state: each writes to a distinct cache
subdir (parse-vN vs dupes-tokens-vN), each returns a buffered result that
the central printer renders, and each sorts its own outputs internally so
work-stealing order cannot leak into the rendered output. Wrapping them
in `rayon::join` overlaps check's analyze pass with dupes' suffix-array
build, the two largest serial steps in the warm path.

Measured wall-clock impact (8 warm runs each):

- vrs-portals (1123 files): 230ms to 145ms (37% faster)
- bazam.app (272 files):    80ms to 45ms   (44% faster)

The opportunistic share_files_with_dupes path (skipped dupes' file
discovery when health was also running and production flags matched) is
forfeited only on the both-enabled branch; standalone-check and
standalone-dupes paths still take it. Worth ~8ms warm; the parallel join
saves ~80ms net.

A new `combined_parallel_output_is_deterministic` test runs combined
mode three times and asserts byte-identical canonicalized JSON to pin
the determinism guarantee against future scheduling changes.

`fallow audit` (default `--gate new-only`) runs the dead-code, dupes,
and health pipelines twice: once on the working tree, once on a
temporary git worktree checked out at the base ref. The two halves
operate on different working trees and share no mutable state, so they
can run concurrently via `rayon::join`. Inside the base snapshot, check
and dupes also run concurrently: that branch never reuses the dead-code
parse for health and never hands the file list to dupes, so no sharing
optimization is forfeited. The HEAD branch keeps check sequential
before dupes and health so its existing share-the-parse path still
applies.

Measured wall-clock impact on vrs-portals (8 warm runs, default
`--gate new-only`): 930ms to 640ms, 32% faster. Cold first runs
remain bound by I/O (worktree checkout + reading source files for the
first time). `--gate all` (no base snapshot) is unchanged in
performance, as expected.

Determinism verified: sequential and parallel produce byte-identical
JSON output (sha256 match after stripping wall-clock fields). A new
`audit_parallel_output_is_deterministic` test exercises the HEAD
versus base-snapshot parallel path on a two-commit fixture.

Adds a fast way to silence Fallow's editor squiggles without disabling
the rule, so duplicate-code findings stop drowning out TypeScript and
ESLint diagnostics.

- DiagnosticFilter intercepts diagnostics via vscode-languageclient
  middleware (push handleDiagnostics + pull provideDiagnostics), caches
  the unfiltered set per URI, and re-applies through
  client.diagnostics.set on toggle change. No LSP restart, no
  re-analysis. Always guards on source==="fallow" so TypeScript and
  ESLint diagnostics flow through untouched. LRU-bounded at 5000 entries
  with onDidCloseTextDocument eviction.
- LanguageStatusItem in the right gutter (severity Warning when
  anything is muted) with click-to-manage QuickPick; CodeAction provider
  offers "Mute Fallow <category> findings in this workspace" on every
  Fallow squiggle.
- Five new commands: fallow.toggleMuteDuplicates,
  fallow.toggleAllDiagnostics, fallow.manageDiagnosticMutes,
  fallow.clearDiagnosticMutes, plus an internal
  fallow.muteDiagnosticCategory invoked by the CodeAction.
- State persists in context.workspaceState (per-workspace), key
  fallow.diagnosticFilter.v1.

The global `--performance` flag was parsed by clap but never plumbed
into `DupesOptions`, so `fallow dupes --performance` was silently a
no-op. Combined-mode `fallow --performance` already prints a
duplication stage in its bare pipeline panel, so users naturally
expected the standalone `dupes` command to do the same.

`run_dupes` now emits a "Duplication Performance" panel on stderr
after the report renders, listing total wall-clock time, files /
tokens analyzed, clone-group and instance counts, and the duplicated-
line percentage (data already on `DuplicationStats`, no new
instrumentation). The panel only renders for human, compact, and
markdown output; structured formats (JSON / SARIF / CodeClimate)
suppress it so machine envelopes stay uncorrupted. Combined,
audit, and the programmatic API set `performance: false` and
delegate timing to their existing panels to avoid double-printing.

Two regression tests pin the behaviour: one asserts the panel
header appears in human stderr, the other asserts JSON output
never includes it.

Convert the prisma plugin from the base define_plugin! macro to a custom
resolve_config that scans .prisma files for `generator { provider = "..." }`
blocks and credits non-built-in providers as referenced dependencies. Covers
the canonical `prisma/schema.prisma`, root-level `schema.prisma`, and the
multi-file `prisma/schema/*.prisma` layout.

Skips datasource providers (different block), shell-command form (contains
space), path form (starts with `.`). Strips both `//` line comments and
`/* */` block comments while preserving quoted strings, so commented-out
generators do not produce phantom credits.

Custom schema paths configured via `prisma.config.ts`'s `schema` field are
out of scope (filesystem fallback is non-recursive); users with non-canonical
layouts continue to fall back to `ignoreDependencies`.

Closes #288.

The plugin discovery stage on a 21k-file Next.js monorepo was 7.4s,
83% of the entire pipeline wall clock. Profiling traced 7.3s of that
to `discover_config_files` running ~800k filesystem stat calls (12k
search roots x 11 plugins x ~6 brace-expanded patterns each), almost
all returning false because patterns like `webpack.config.{ts,js,mjs,cjs}`
describe source files that fallow already discovered.

Source-extension root-anchored patterns (no path separator, no leading
dot, all expanded extensions in `SOURCE_EXTENSIONS`) are now wrapped
with a `**/` prefix when compiling Phase 3a matchers, so the in-memory
matcher catches them at any depth in the discovered file set. The
`discover_config_files` filesystem fallback then skips those patterns,
eliminating the stat storm.

In production mode the source walker excludes `*.config.*` and dotfile
configs, so the FS walk is still required for those patterns. A
`production_mode` flag threads through `run_with_search_roots` and
`run_workspace_fast` to preserve correctness there.

Measured (no-cache cold runs):

- Next.js (21,033 files):
  - bare `fallow`: 9.7s -> 3.3s (-66%)
  - `fallow audit --gate all`: 11.7s -> 5.4s (-54%)
  - plugins stage alone: 7378ms -> 1362ms (-82%)
- vrs-portals (1,123 files): no regression (within noise)

Adds tests covering: nested webpack config matching via the precompiled
matcher, FS-walk skipping for source-ext root patterns, and FS-walk
preservation for dotfile/JSON patterns.

`fallow dupes` ignored `duplicates.minLines`, `duplicates.minTokens`,
`duplicates.threshold`, `duplicates.mode`, and `duplicates.skipLocal`
in `.fallowrc.jsonc` when the matching CLI flag was not passed. The
`Command::Dupes` clap definitions used `default_value = "5"` (etc.),
so `min_lines: usize` was always populated with the clap default and
`build_dupes_config` overwrote the toml value unconditionally.

Switch the four scalar fields (`mode`, `min_tokens`, `min_lines`,
`threshold`) on `DupesOptions` and the `Command::Dupes` clap args to
`Option<T>` and drop their `default_value`s. `build_dupes_config` now
falls back to `toml_dupes.x` when the CLI value is `None`. The
`skip_local` boolean adopts the same OR-merge already used for
`cross_language` / `ignore_imports` so config-driven `skipLocal: true`
is honored too.

Audit, combined, and programmatic call sites already merge config
into their own structs before constructing `DupesOptions`, so they
forward each value as an explicit `Some(...)` (no behavior change at
those entry points).

The standalone `DupesResult.threshold` is now sourced from the merged
`dupes_config.threshold` rather than the unmerged `opts.threshold`,
so `.fallowrc.jsonc`'s `threshold` actually drives the failure gate.

Tests:
- existing `build_config_uses_cli_*` tests updated to wrap CLI values
  in `Some(...)`
- new regression tests for each fallback path:
  `falls_back_to_toml_min_lines_when_cli_unset`,
  `falls_back_to_toml_min_tokens_when_cli_unset`,
  `falls_back_to_toml_threshold_when_cli_unset`,
  `falls_back_to_toml_mode_when_cli_unset`,
  `cli_min_lines_overrides_toml`,
  `skip_local_or_merges_with_toml`