@sun-asterisk/impact-analyzer 1.0.4 → 1.0.6

package/.specify/bugs/bug-002-database-detector.md

@@ -0,0 +1,478 @@
+# BUG-002: Database Detector Cannot Detect Repository Injection in Services
+
+**Bug ID:** BUG-002  
+**Status:** ✅ RESOLVED  
+**Priority:** HIGH  
+**Severity:** Critical  
+**Created:** 2025-12-26  
+**Updated:** 2025-12-26  
+**Resolved:** 2025-12-26
+
+---
+
+## Problem Statement
+
+Database detector fails to detect database changes when repositories are injected into services via dependency injection (DI). The current implementation only detects repository methods through call graph traversal, missing direct repository usage in service classes.
+
+### Observed Behavior
+
+When a service uses an injected repository, database operations are **not detected**:
+
+```typescript
+// ❌ Not detected:
+export class UserService {
+    constructor(
+        @InjectRepository(UserEntity)
+        private readonly userRepository: Repository<UserEntity>,
+    ) {}
+
+    async updateData() {
+        // This change is NOT detected
+        const currentData = this.userRepository
+            .createQueryBuilder('user')
+            .select([
+                'user.id',
+                'user.name',
+                'user.email'  // <- Field added here
+            ])
+            .innerJoin('posts', 'post', 'post.userId = user.id')
+            .where('user.status = :status', { status: 'active' })
+            .getRawMany();
+
+        // This is also NOT detected
+        await this.userRepository.update({ id: 1 }, { name: 'Updated' });
+    }
+}
+```
+
+### Expected Behavior
+
+All database operations should be detected, regardless of whether they are in repository classes or injected into services.
+
+---
+
+## Root Cause
+
+**File:** `core/detectors/database-detector.js` (line ~263-289)
+
+### Issue 1: Call Graph Dependency
+
+The `findAffectedRepositoryMethods()` method relies on call graph traversal:
+
+```javascript
+findAffectedRepositoryMethods(changedMethods) {
+    const visited = new Set();
+    const repoMethods = [];
+    const queue = [...changedMethods];
+
+    while (queue.length > 0) {
+        const method = queue.shift();
+        
+        // Only finds methods in repository files or with "repository" in class name
+        const isRepository = method.file.includes('repository') || 
+                            (method.className && method.className.toLowerCase().includes('repository'));
+        
+        if (isRepository) {
+            repoMethods.push(method);
+        }
+
+        const callers = this.methodCallGraph.getCallers(method);
+        queue.push(...callers);
+    }
+
+    return repoMethods;
+}
+```
+
+**Problems:**
+1. ❌ Requires method call graph to connect service → repository
+2. ❌ Only detects repository classes, not injected repository instances
+3. ❌ Misses `this.userRepository` usage in services
+4. ❌ Cannot detect direct query builder usage
+
+### Issue 2: Missing Direct Detection
+
+The `analyzeChangedCodeForDatabaseOps()` method only detects operations in changed lines:
+
+```javascript
+// Only looks at added lines in diff
+for (const [opName, opType] of Object.entries(typeOrmOps)) {
+    if (cleanLine.includes(`.${opName}(`)) {
+        // Detect operation
+    }
+}
+```
+
+**Problems:**
+1. ❌ Doesn't detect `@InjectRepository()` decorator
+2. ❌ Doesn't track injected repository field names
+3. ❌ Doesn't detect `this.repoName.operation()` patterns
+4. ❌ Misses query builder chains
+
+---
+
+## Fix Strategy
+
+### Approach
+
+Enhance detection to work without call graph dependency. Directly analyze changed files for:
+1. Repository injection patterns (`@InjectRepository`)
+2. Repository field usage (`this.userRepository`)
+3. Query builder patterns (`.createQueryBuilder()`, `.select()`, `.where()`)
+4. Entity references to determine affected tables
+
+### Implementation Steps
+
+#### Step 1: Detect Repository Injection
+
+Add method to detect injected repositories from constructor parameters:
+
+```javascript
+/**
+ * Detect @InjectRepository decorators and extract entity information
+ */
+detectInjectedRepositories(content, filePath) {
+    const injectedRepos = [];
+    const lines = content.split('\n');
+    
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        
+        // Pattern: @InjectRepository(UserEntity)
+        const injectMatch = line.match(/@InjectRepository\s*\(\s*(\w+Entity)\s*\)/);
+        if (injectMatch) {
+            const entityName = injectMatch[1];
+            
+            // Look for field name in next few lines
+            // private readonly userRepository: Repository<UserEntity>
+            for (let j = i; j < Math.min(i + 3, lines.length); j++) {
+                const fieldMatch = lines[j].match(/(?:private|public|protected)\s+(?:readonly\s+)?(\w+)\s*:/);
+                if (fieldMatch) {
+                    injectedRepos.push({
+                        entityName: entityName,
+                        fieldName: fieldMatch[1],
+                        tableName: this.entityToTableName(entityName),
+                        file: filePath
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    
+    return injectedRepos;
+}
+```
+
+#### Step 2: Detect Repository Usage in Changes
+
+Enhance `analyzeChangedCodeForDatabaseOps()` to detect repository field usage:
+
+```javascript
+analyzeChangedCodeForDatabaseOps(changedFile, databaseChanges) {
+    const diff = changedFile.diff || '';
+    const content = changedFile.content || '';
+    
+    // Step 1: Detect injected repositories in file
+    const injectedRepos = this.detectInjectedRepositories(content, changedFile.path);
+    
+    if (injectedRepos.length > 0) {
+        this.logger.verbose('DatabaseDetector', 
+            `Found ${injectedRepos.length} injected repositories in ${changedFile.path}`);
+    }
+    
+    // Step 2: Analyze diff for repository usage
+    const lines = diff.split('\n');
+    
+    for (const line of lines) {
+        if (!line.startsWith('+')) continue;
+        
+        const addedLine = line.substring(1).trim();
+        
+        // Check if line uses any injected repository
+        for (const repo of injectedRepos) {
+            // Pattern: this.userRepository.find(...)
+            if (addedLine.includes(`this.${repo.fieldName}.`)) {
+                this.detectOperationFromRepositoryUsage(
+                    addedLine, 
+                    repo, 
+                    databaseChanges
+                );
+            }
+        }
+    }
+}
+```
+
+#### Step 3: Detect Query Builder Patterns
+
+Add specific detection for query builder chains:
+
+```javascript
+/**
+ * Detect database operations from repository field usage
+ */
+detectOperationFromRepositoryUsage(line, repo, databaseChanges) {
+    const operations = {
+        'createQueryBuilder': 'SELECT',
+        'find': 'SELECT',
+        'findOne': 'SELECT',
+        'update': 'UPDATE',
+        'insert': 'INSERT',
+        'delete': 'DELETE',
+        'save': 'INSERT/UPDATE',
+    };
+    
+    // Detect operation
+    let detectedOp = null;
+    for (const [method, opType] of Object.entries(operations)) {
+        if (line.includes(`.${method}(`)) {
+            detectedOp = opType;
+            break;
+        }
+    }
+    
+    if (!detectedOp) return;
+    
+    // Extract entity/table info
+    const tableName = repo.tableName;
+    
+    if (!databaseChanges.tables.has(tableName)) {
+        databaseChanges.tables.set(tableName, {
+            entity: repo.entityName,
+            file: repo.file,
+            operations: new Set(),
+            fields: new Set(),
+            isEntityFile: false,
+            hasRelationChange: false,
+            changeSource: { path: repo.file }
+        });
+    }
+    
+    const tableData = databaseChanges.tables.get(tableName);
+    tableData.operations.add(detectedOp);
+    
+    // Extract fields from query builder
+    this.extractFieldsFromQueryBuilder(line, tableData);
+    
+    this.logger.verbose('DatabaseDetector', 
+        `Detected ${detectedOp} on ${tableName} via ${repo.fieldName}`);
+}
+```
+
+#### Step 4: Extract Fields from Query Builder
+
+```javascript
+/**
+ * Extract field names from query builder select()
+ */
+extractFieldsFromQueryBuilder(line, tableData) {
+    // Pattern: .select(['user.id', 'user.name', 'user.email'])
+    const selectMatch = line.match(/\.select\s*\(\s*\[([^\]]+)\]/);
+    if (selectMatch) {
+        const fieldsStr = selectMatch[1];
+        const fieldMatches = fieldsStr.matchAll(/['"](?:\w+\.)?(\w+)['"]/g);
+        
+        for (const match of fieldMatches) {
+            const fieldName = match[1];
+            if (fieldName !== 'delFlg') {
+                tableData.fields.add(fieldName);
+            }
+        }
+    }
+    
+    // Pattern: .where('user.name = :name', ...)
+    const whereMatch = line.match(/\.where\s*\(\s*['"](?:\w+\.)?(\w+)\s*[=<>]/);
+    if (whereMatch) {
+        const fieldName = whereMatch[1];
+        if (fieldName !== 'delFlg') {
+            tableData.fields.add(fieldName);
+        }
+    }
+}
+```
+
+---
+
+## Verification
+
+### Test Case 1: Injected Repository Detection
+
+**Input:**
+```typescript
++ export class UserService {
++     constructor(
++         @InjectRepository(UserEntity)
++         private readonly userRepository: Repository<UserEntity>,
++     ) {}
++
++     async updateData() {
++         await this.userRepository.update({ id: 1 }, { name: 'Updated' });
++     }
++ }
+```
+
+**Expected Output:**
+```javascript
+{
+  tableName: "user",
+  modelName: "UserEntity",
+  operations: ["UPDATE"],
+  fields: ["id", "name"],
+  severity: "medium"
+}
+```
+
+### Test Case 2: Query Builder with Select
+
+**Input:**
+```typescript
++ const users = this.userRepository
++     .createQueryBuilder('user')
++     .select(['user.id', 'user.name', 'user.email'])
++     .where('user.status = :status', { status: 'active' })
++     .getRawMany();
+```
+
+**Expected Output:**
+```javascript
+{
+  tableName: "user",
+  modelName: "UserEntity",
+  operations: ["SELECT"],
+  fields: ["id", "name", "email", "status"],
+  severity: "low"
+}
+```
+
+### Test Case 3: Multiple Injected Repositories
+
+**Input:**
+```typescript
++ export class PostService {
++     constructor(
++         @InjectRepository(PostEntity)
++         private readonly postRepository: Repository<PostEntity>,
++         @InjectRepository(UserEntity)
++         private readonly userRepository: Repository<UserEntity>,
++     ) {}
++
++     async updatePost() {
++         await this.postRepository.update({ id: 1 }, { title: 'New' });
++         await this.userRepository.findOne({ where: { id: 1 } });
++     }
++ }
+```
+
+**Expected Output:**
+```javascript
+[
+  {
+    tableName: "post",
+    operations: ["UPDATE"],
+    fields: ["id", "title"]
+  },
+  {
+    tableName: "user",
+    operations: ["SELECT"],
+    fields: ["id"]
+  }
+]
+```
+
+---
+
+## Impact Assessment
+
+### Risk Level: **MEDIUM** ⚠️
+
+**Why Medium Risk:**
+- Adds new detection methods alongside existing logic
+- Does not remove call graph detection (backward compatible)
+- Extends functionality without breaking existing behavior
+- More comprehensive detection may find more issues (good thing)
+
+### Areas Affected
+
+| Component | Change Type | Risk |
+|-----------|-------------|------|
+| `database-detector.js` | New methods added | Medium |
+| `analyzeChangedCodeForDatabaseOps()` | Enhanced | Medium |
+| Report output | More complete data | Low |
+| Existing detections | Unchanged | None |
+
+### Benefits
+
+- ✅ Detects repository injection patterns
+- ✅ Works without call graph dependency
+- ✅ Catches direct repository usage in services
+- ✅ More accurate field detection
+- ✅ Detects query builder patterns
+
+### Testing Required
+
+- [ ] Test with `@InjectRepository` decorator
+- [ ] Test with `this.repository.method()` patterns
+- [ ] Test with query builder chains
+- [ ] Test with multiple injected repositories
+- [ ] Verify existing call graph detection still works
+- [ ] Integration test with real service files
+
+---
+
+## Implementation Checklist
+
+- [x] Add `detectInjectedRepositories()` method
+- [x] Add `detectOperationFromRepositoryUsage()` method
+- [x] Add `extractFieldsFromQueryBuilder()` method
+- [x] Enhance `analyzeChangedCodeForDatabaseOps()` to use new methods
+- [x] Test with `@InjectRepository` pattern
+- [x] Test with `this.repo.find()` pattern
+- [x] Test with query builder `.select()`, `.where()`
+- [x] Test with multiple repositories
+- [ ] Update tests to cover new patterns
+- [x] Verify backward compatibility
+- [ ] Update documentation
+- [x] Mark bug as RESOLVED
+
+---
+
+## References
+
+**Code Files:**
+- `core/detectors/database-detector.js` (line ~263-289, ~290-380)
+- `core/report-generator.js` (displays operations)
+
+**Related:**
+- BUG-001: `.specify/bugs/bug-001-database-detector.md`
+- Task 002: `.specify/tasks/task-002-database-detector.md`
+- Spec: `.specify/specs/features/database-impact-detection.md`
+- Architecture Doc: `.specify/plans/architecture.md`
+- Code Rules: `.github/copilot-instructions.md`
+
+
+**NestJS/TypeORM Documentation:**
+- Dependency Injection: https://docs.nestjs.com/providers
+- @InjectRepository: https://docs.nestjs.com/techniques/database#repository-pattern
+- Query Builder: https://typeorm.io/select-query-builder
+
+---
+
+## Notes
+
+### Why Call Graph Approach Fails
+
+1. **DI Pattern:** Repositories are injected, not called as methods
+2. **Instance Methods:** `this.repo.method()` doesn't appear in call graph as class method
+3. **Query Builder:** Chained methods create no clear method signature
+4. **Service Layer:** Most business logic uses injected repos, not repository classes directly
+
+### Better Approach
+
+**Direct pattern matching** is more reliable than call graph for DI patterns:
+- Detect `@InjectRepository(Entity)` → know which table
+- Track field name → know which variable to watch
+- Match `this.fieldName.operation()` → detect usage
+- Parse query builder → extract fields and conditions
+
+This approach is **more accurate** and **doesn't depend on AST call graph**.