Will be good idea to be have consistent name and documentation terminology: include versus header.

Please use using and run Clang-tidy modernize.

Please don't use auto here, since type is not obvious.

Please include <cstring>.

Please don't use auto here, since type is not obvious.

I don't think that you should prefix llvm with ::

Please run Clang-format over code.

Please separate constructor with empty line from rest of methods.

The check seems do nothing with the default option.

Do we have a corresponding guideline of fuchsia?

Please don't suffix with an underscore -- you can actually drop the underscore here (we allow constructor arguments to hide the names of class members).

Are you sure that vector and map are the best data types to use, rather than LLVM ADTs?

Also you can drop the elaborated type specifier for FileID.

const auto &

This comment doesn't really add much value.

Diagnostics are not complete sentences, so you should remove the punctuation and capitalization here.

Function can be const and return a const ref.

I think this could use some edge case tests for awful things people can do:

#define foo <stdio.h>

#include foo

# /* hahaha */ include /* oops */ foo

We don't really use Doxygen comments for local class stuff, so you can convert these into regular comments.

I believe this check will be finding transitive includes, correct? If so, maybe this should be two diagnostics: one to say "'%0' is prohibited from being included" and a note for the transitive case to say "file included transitively from here"?

Regardless of the behavior you'd like for it, we should have a test case:

// a.h
// Assumed that a.h is prohibited
void f();

// b.h
#include "a.h"

// c.c
#include "b.h"

int main() {
  f();
}

Are you okay with breaking user's code from this removal? If you remove the header file, but not the parts of the code that require that header file to be included, this FixIt will break code.

Do you need to clear this? I don't think EndOfMainFile() can be called twice, can it?

This can be replaced with: return llvm::is_contained(Check.getRestrictedIncludes(), IncludeFile); which suggests the private function isn't needed at all.

s/headers/includes

There is a mild problem here (present in the previous form, using commas, as well): the separator is technically a legal character for a file name. You may want to provide a comment in the documentation that explicitly states a file with the delimiter in the name is not supported. e.g., a file named foo.h;bar.h is not something you can prohibit with this check. I don't think it's worth picking a different delimiter over given how unlikely this file name is in practice.

The default value here seems very strange as it's not an include file. I assume this intended to use vector?

The list is not comma-separated, it's semicolon-separated.

I think this should be named fuchsia-restrict-system-includes.

I'm not certain that IsAngled is sufficient. For instance, say the user prohibits use of vector, nothing prevents the user from writing #include "vector" to access the system header (assuming there is no user header with the same name). e.g., https://godbolt.org/g/Scfv3U

Perhaps we could use SourceManager::isInSystemHeader() or extract some logic from it to test whether the actual included file is in the system header search path?

Be explicit that this only impacts system headers.

Should also be explicit about system headers.

Please add in the EOF.

Please add in the EOF.

Please add in the EOF.

Is it necessary to highlight that warnings will not be emitted in case of disallowed headers are not found? Same in documentation.

Rather than use this StringMap, can you change InclusionDirective() to filter out includes you don't care about? Something along the lines of:

FileID FID = SM.translateFile(File);
assert(FID != FileID() && "Source Manager does not know about this header file");

bool Invalid;
const SLocEntry &Entry = SM.getSLocEntry(FID, &Invalid);
if (!Invalid && SrcMgr::isSystem(Entry.getFile().getFileCharacteristic())) {
  // It's a system file.
}

This way you don't have to store all the path information and test against paths in EndOfMainFile(), unless I'm missing something. Note, this is untested code and perhaps that assert will fire (maybe SourceManager is unaware of this file by the time InclusionDirective() is called).

Alternatively, you could alter InclusionDirective() to also pass in the CharacteristicKind calculated by Preprocessor::HandleIncludeDirective() as that seems like generally useful information for the callback to have on hand.

This should only be on a single line -- you can remove some - characters.

This default seems a bit odd to me, but perhaps it's fine. What's novel is that the check is a no-op by default, so how do Fuchsia developers get the correct list? Or is there no canonical list and developers are expected to populate their own manually?

So there's never a case where you need to prohibit use of all system includes? Right now, an empty string means "allow all includes" while a non-empty string means "allow only these includes", so there's no way to prohibit all includes except by listing them manually. I'm wondering whether you want to use a glob for allowed file names, which gives you extra flexibility. e.g., * allows all includes (default value), foo.h allows only <foo.h>, experimental/* allows all headers in the experimental directory, cstd* allows <cstdint> while prohibiting <stdint.h>, and the empty string will disallow all system headers.

Perhaps you don't need that level of flexibility, but for the use cases I'm imagining it seems more user friendly to be able to write cstd* rather than manually listing out all the C++ headers explicitly.

GlobList::contains isn't const, so it can't...

Bah, I didn't see that. You can ignore, sorry for the noise.