al-sem 0.0.1

package/src/deps/dependency-resolver.ts

@@ -0,0 +1,154 @@
+import type { Diagnostic } from "../model/finding.ts";
+import { profilingActive, recordPhase } from "../perf/profiler.ts";
+import type { ManifestDependency } from "../symbols/app-manifest.ts";
+import { packageSemanticHash } from "../symbols/package-hash.ts";
+import type { DependencyArtifact, DirectDependencyRef } from "./dependency-artifact.ts";
+import {
+	computeArtifactKey,
+	readCachedArtifact,
+	resolveCacheDir,
+	writeCachedArtifact,
+} from "./dependency-cache.ts";
+import { resolveDependencyDag } from "./dependency-dag.ts";
+import { discoverDependencyPackages } from "./dependency-package-discovery.ts";
+import { ingestDependencyApp } from "./dependency-pipeline.ts";
+
+export interface ResolveDependencyArtifactsOptions {
+	/** Cache directory override. Default: ~/.al-sem/cache/. */
+	cacheDir?: string;
+	/** Skip the behavioral cold run — structural ABI only, conservative effects. */
+	noDepSummaries?: boolean;
+}
+
+export interface ResolveDependencyArtifactsResult {
+	/** Artifacts in dependency order (a dependency precedes its dependents). */
+	artifacts: DependencyArtifact[];
+	diagnostics: Diagnostic[];
+}
+
+/**
+ * The L1.5 dependency stage. Discover → resolve DAG → per package in topo order: compute the
+ * artifactKey from packageSemanticHash + resolved direct-dependency keys, then cache-hit or
+ * cold-run+write. Never throws — every failure is a diagnostic. Cold-run progress is written
+ * to stderr (operational), never to `Diagnostic[]` (which must be cache-presence-independent).
+ */
+export async function resolveDependencyArtifacts(
+	alpackagesDir: string,
+	workspaceDependencies: ManifestDependency[],
+	options: ResolveDependencyArtifactsOptions,
+): Promise<ResolveDependencyArtifactsResult> {
+	const diagnostics: Diagnostic[] = [];
+	const cacheDir = resolveCacheDir(options.cacheDir);
+
+	const discovered = discoverDependencyPackages(alpackagesDir);
+	diagnostics.push(...discovered.diagnostics);
+
+	const dag = resolveDependencyDag(discovered.packages, workspaceDependencies);
+	diagnostics.push(...dag.diagnostics);
+
+	if (options.noDepSummaries) {
+		diagnostics.push({
+			severity: "info",
+			stage: "symbol-read",
+			message:
+				"[DEP022] dependency effect summaries skipped (--no-dep-summaries) — calls into dependencies treated as conservative",
+		});
+	}
+
+	const artifacts: DependencyArtifact[] = [];
+	const keyByGuid = new Map<string, string>();
+	const artifactByGuid = new Map<string, DependencyArtifact>();
+
+	for (const pkg of dag.ordered) {
+		// direct-dependency refs, resolved from already-processed lower artifacts
+		const directDependencies: DirectDependencyRef[] = [];
+		const lowerArtifacts: DependencyArtifact[] = [];
+		for (const md of pkg.manifestDependencies) {
+			const depKey = keyByGuid.get(md.appGuid);
+			const depArtifact = artifactByGuid.get(md.appGuid);
+			if (depKey === undefined || depArtifact === undefined) continue; // dropped by DAG resolution
+			directDependencies.push({
+				appGuid: depArtifact.header.appIdentity.appGuid,
+				publisher: depArtifact.header.appIdentity.publisher,
+				name: depArtifact.header.appIdentity.name,
+				version: depArtifact.header.appIdentity.version,
+				artifactKey: depKey,
+			});
+			lowerArtifacts.push(depArtifact);
+		}
+
+		let semanticHash: string;
+		try {
+			semanticHash = packageSemanticHash(pkg.appPath);
+		} catch (err) {
+			diagnostics.push({
+				severity: "warning",
+				stage: "symbol-read",
+				message: `[DEP002] ${pkg.name}: could not compute semantic hash: ${(err as Error).message}`,
+				sourceRef: pkg.appPath,
+			});
+			continue;
+		}
+		const artifactMode = options.noDepSummaries ? "structural-only" : "full";
+		const artifactKey = computeArtifactKey(semanticHash, directDependencies, artifactMode);
+
+		// Cache is now namespaced by mode (full vs structural-only), so a `--no-dep-summaries`
+		// run hits its own cache and a flag-flipped run never picks up the wrong shape.
+		let artifact: DependencyArtifact | null = readCachedArtifact(artifactKey, cacheDir);
+
+		if (artifact === null) {
+			// cold run
+			const coldMessage = options.noDepSummaries
+				? `al-sem: building dependency cache for ${pkg.name} ${pkg.version} (one-time, structural-only)\n`
+				: `al-sem: building dependency cache for ${pkg.name} ${pkg.version} (one-time)\n`;
+			process.stderr.write(coldMessage);
+			const _tIngest = profilingActive() ? performance.now() : 0;
+			try {
+				artifact = await ingestDependencyApp(pkg, lowerArtifacts, artifactKey, {
+					structuralOnly: options.noDepSummaries ?? false,
+				});
+			} catch (err) {
+				diagnostics.push({
+					severity: "warning",
+					stage: "symbol-read",
+					message: `[DEP030] ${pkg.name}: dependency ingestion failed, app left opaque: ${(err as Error).message}`,
+					sourceRef: pkg.appPath,
+				});
+				continue;
+			}
+			// fill orchestrator-owned header fields
+			artifact.header.packageSemanticHash = semanticHash;
+			artifact.header.directDependencies = directDependencies;
+			if (artifact.header.summaryMode === "structural-only-parser-unavailable") {
+				// Don't persist a parser-unavailable degradation — it's an environmental
+				// failure (missing native lib), not a property of the dep package. Caching
+				// it would pin the degradation across runs even after the user reinstalls.
+			} else {
+				if (profilingActive())
+					recordPhase(`ingest:${pkg.name}:ingest-total`, performance.now() - _tIngest);
+				const _tWrite = profilingActive() ? performance.now() : 0;
+				try {
+					// writeCachedArtifact returns the canonical in-memory form (parse of the exact
+					// bytes a future cache hit reads), so cold-write output matches a warm hit
+					// without re-reading + re-validating the just-written multi-hundred-MB file.
+					artifact = writeCachedArtifact(artifact, cacheDir);
+					if (profilingActive())
+						recordPhase(`ingest:${pkg.name}:write`, performance.now() - _tWrite);
+				} catch (err) {
+					process.stderr.write(
+						`al-sem: could not persist dependency cache for ${pkg.name}: ${(err as Error).message}\n`,
+					);
+				}
+			}
+		}
+
+		// replay the artifact's own degradation diagnostics (skip behavioral ones in no-summaries mode)
+		if (!options.noDepSummaries) diagnostics.push(...artifact.diagnostics);
+
+		artifacts.push(artifact);
+		keyByGuid.set(pkg.appGuid, artifactKey);
+		artifactByGuid.set(pkg.appGuid, artifact);
+	}
+
+	return { artifacts, diagnostics };
+}

package/src/deps/workspace-dependencies.ts

@@ -0,0 +1,114 @@
+import type { ManifestDependency } from "../symbols/app-manifest.ts";
+
+interface AppJsonDependency {
+	id?: string;
+	name?: string;
+	publisher?: string;
+	version?: string;
+}
+
+interface AppJsonInternalsVisibleEntry {
+	id?: string;
+	name?: string;
+	publisher?: string;
+}
+
+interface AppJsonFull {
+	dependencies?: AppJsonDependency[];
+	/** Microsoft Application tier minimum (workspace's `application: "X.Y.Z.W"`). */
+	application?: string;
+	/** Microsoft Platform tier minimum (workspace's `platform: "X.Y.Z.W"`). */
+	platform?: string;
+	/** AL `internalsVisibleTo` — apps allowed to call this app's `internal` procedures. */
+	internalsVisibleTo?: AppJsonInternalsVisibleEntry[];
+}
+
+/**
+ * Well-known stable Microsoft platform app identities. BC `.app`s never list these in
+ * `<Dependencies>` — they are implicit, declared via `application` / `platform` in app.json.
+ * The compiler treats them as required platform-tier dependencies; al-sem mirrors that so
+ * symbols like `Customer`, `Sales Header`, etc. resolve through the dependency stage.
+ */
+const MS_APPLICATION_TIER: readonly { appGuid: string; name: string; publisher: string }[] = [
+	{ appGuid: "c1335042-3002-4257-bf8a-75c898ccb1b8", name: "Application", publisher: "Microsoft" },
+	{
+		appGuid: "437dbf0e-84ff-417a-965d-ed2bb9650972",
+		name: "Base Application",
+		publisher: "Microsoft",
+	},
+	{
+		appGuid: "f3552374-a1f2-4356-848e-196002525837",
+		name: "Business Foundation",
+		publisher: "Microsoft",
+	},
+];
+
+const MS_PLATFORM_TIER: readonly { appGuid: string; name: string; publisher: string }[] = [
+	{
+		appGuid: "63ca2fa4-4f03-4f2b-a480-172fef340d3f",
+		name: "System Application",
+		publisher: "Microsoft",
+	},
+	{ appGuid: "8874ed3a-0643-4247-9ced-7a7002f7135d", name: "System", publisher: "Microsoft" },
+];
+
+/**
+ * Parse a workspace app.json's dependency declarations into ManifestDependency[]. Includes
+ * both:
+ *  - **explicit** `dependencies[]` entries (other extensions the workspace depends on);
+ *  - **implicit** Microsoft platform-tier deps derived from the `application` / `platform`
+ *    fields (BC compilation convention — these are never listed in `dependencies`).
+ *
+ * Implicit deps are tagged with well-known Microsoft appGuids; the DAG resolver matches by
+ * appGuid, so the Microsoft `.app`s present in `.alpackages` are selected automatically.
+ * Never throws.
+ */
+export function parseWorkspaceDependencies(appJsonText: string): ManifestDependency[] {
+	let parsed: AppJsonFull;
+	try {
+		parsed = JSON.parse(appJsonText) as AppJsonFull;
+	} catch {
+		return [];
+	}
+
+	const explicit: ManifestDependency[] = (parsed.dependencies ?? []).map((d) => ({
+		appGuid: d.id ?? "",
+		name: d.name ?? "",
+		publisher: d.publisher ?? "",
+		minVersion: d.version ?? "0.0.0.0",
+	}));
+
+	const implicit: ManifestDependency[] = [];
+	if (typeof parsed.application === "string" && parsed.application !== "") {
+		for (const a of MS_APPLICATION_TIER) implicit.push({ ...a, minVersion: parsed.application });
+	}
+	if (typeof parsed.platform === "string" && parsed.platform !== "") {
+		for (const a of MS_PLATFORM_TIER) implicit.push({ ...a, minVersion: parsed.platform });
+	}
+
+	return [...explicit, ...implicit];
+}
+
+/**
+ * Parse the workspace app.json's `internalsVisibleTo` array — the AL feature that names
+ * apps allowed to call this app's `internal` procedures. Returns the lowercased app GUIDs
+ * (entries are deduplicated; malformed/missing entries are skipped). Empty array means
+ * no apps are granted internal access → `internal` procedures are effectively app-scoped
+ * and the dead-routine detector treats them like `local procedure` for reachability.
+ *
+ * Never throws.
+ */
+export function parseWorkspaceInternalsVisibleTo(appJsonText: string): string[] {
+	let parsed: AppJsonFull;
+	try {
+		parsed = JSON.parse(appJsonText) as AppJsonFull;
+	} catch {
+		return [];
+	}
+	const guids = new Set<string>();
+	for (const e of parsed.internalsVisibleTo ?? []) {
+		const id = typeof e.id === "string" ? e.id.trim().toLowerCase() : "";
+		if (id !== "") guids.add(id);
+	}
+	return [...guids].sort();
+}

package/src/detectors/capability-query.ts

@@ -0,0 +1,145 @@
+import type { CapabilityFact, CapabilityOp, CapabilityResourceKind } from "../model/capability.ts";
+import type { CoverageStatus } from "../model/coverage.ts";
+import type { EventId, TableId } from "../model/ids.ts";
+import type { EffectPresence, RoutineSummary } from "../model/summary.ts";
+
+/**
+ * Phase 1a capability-query helpers — pure functions over RoutineSummary.
+ *
+ * Every helper reads `capabilityFactsDirect ∪ capabilityFactsInherited` and
+ * returns a derived view. Helpers honour G6 coverage semantics: when a fact
+ * is absent and the cone is not "complete", tri-state helpers return
+ * "unknown" rather than "no".
+ *
+ * These helpers do NOT (in Phase 1a) replace the legacy boolean lattice
+ * (touchesDb / commits / writesTables / publishesEvents); they sit ALONGSIDE
+ * it, with a parity test (Phase 1a Task 7) asserting mechanical equivalence.
+ * Phase 1b migrates detectors over per-domain; Phase 1c deletes the legacy
+ * fields.
+ */
+
+function reachable(s: RoutineSummary): readonly CapabilityFact[] {
+	const direct = s.capabilityFactsDirect ?? [];
+	const inherited = s.capabilityFactsInherited ?? [];
+	if (direct.length === 0 && inherited.length === 0) return [];
+	return [...direct, ...inherited];
+}
+
+/**
+ * Filter reachable facts (direct + inherited) by an arbitrary predicate.
+ * Returns a fresh array; never mutates the summary.
+ */
+export function findCapabilities(
+	s: RoutineSummary,
+	predicate: (f: CapabilityFact) => boolean,
+): CapabilityFact[] {
+	return reachable(s).filter(predicate);
+}
+
+/**
+ * True when at least one reachable fact has the given (op, resourceKind).
+ * Strict discrimination — no fuzzy/substring matching.
+ */
+export function hasCapability(
+	s: RoutineSummary,
+	op: CapabilityOp,
+	kind: CapabilityResourceKind,
+): boolean {
+	for (const f of reachable(s)) {
+		if (f.op === op && f.resourceKind === kind) return true;
+	}
+	return false;
+}
+
+const TABLE_WRITE_OPS = new Set<CapabilityOp>(["insert", "modify", "delete"]);
+
+/**
+ * Sorted + deduped TableIds targeted by any reachable insert/modify/delete
+ * fact on `resourceKind === "table"` with a known `resourceId`. Facts whose
+ * table identity is unresolved (no `resourceId`) are dropped — callers that
+ * need to know whether the cone is partial should consult `reachableCoverage`
+ * separately.
+ *
+ * Read facts are NOT included. Phase 4 framework detectors that care about
+ * full read+write surface read `findCapabilities` directly.
+ */
+export function writesTablesOf(s: RoutineSummary): TableId[] {
+	const ids = new Set<string>();
+	for (const f of reachable(s)) {
+		if (f.resourceKind !== "table") continue;
+		if (!TABLE_WRITE_OPS.has(f.op)) continue;
+		if (typeof f.resourceId !== "string") continue;
+		ids.add(f.resourceId);
+	}
+	return Array.from(ids).sort() as TableId[];
+}
+
+/**
+ * Returns "yes" when any reachable fact is a commit on the transaction
+ * resource; "no" when no commit fact AND the inherited cone is "complete";
+ * "unknown" otherwise (G6 honesty — absence of evidence is not evidence of
+ * absence when the cone is partial or coverage data is missing).
+ */
+export function mayCommit(s: RoutineSummary): EffectPresence {
+	for (const f of reachable(s)) {
+		if (f.op === "commit" && f.resourceKind === "transaction") return "yes";
+	}
+	const status = s.coverage?.inheritedStatus ?? "unknown";
+	return status === "complete" ? "no" : "unknown";
+}
+
+/**
+ * Returns "yes" when any reachable fact has resourceKind === "table"
+ * (regardless of op — read or write); "no" when no such fact AND the
+ * inherited cone is "complete"; "unknown" otherwise.
+ *
+ * Note: state-only ops (SetRange, SetFilter, Init) are NOT in the
+ * capability fact stream per spec §3.1.1 substrate discipline — they
+ * stay on RecordOperation. So touchesDbOf reflects only "did the routine
+ * actually read or write a row," not "did it touch table state."
+ */
+export function touchesDbOf(s: RoutineSummary): EffectPresence {
+	for (const f of reachable(s)) {
+		if (f.resourceKind === "table") return "yes";
+	}
+	const status = s.coverage?.inheritedStatus ?? "unknown";
+	return status === "complete" ? "no" : "unknown";
+}
+
+/**
+ * Sorted + deduped EventIds (as plain strings — matches legacy
+ * RoutineSummary.publishesEvents shape) from reachable op="publish" facts
+ * on resourceKind="event" with a known resourceId. Facts whose event
+ * identity is unresolved are dropped.
+ */
+export function publishesEventsOf(s: RoutineSummary): string[] {
+	const ids = new Set<string>();
+	for (const f of reachable(s)) {
+		if (f.op !== "publish") continue;
+		if (f.resourceKind !== "event") continue;
+		if (typeof f.resourceId !== "string") continue;
+		ids.add(f.resourceId);
+	}
+	return Array.from(ids).sort();
+}
+
+/**
+ * Returns the routine's inherited coverage status, optionally narrowed to
+ * a single resourceKind.
+ *
+ * Phase 1a: the per-routine `coverage.inheritedStatus` is the only roll-up
+ * the composer maintains — there is no per-family status table yet. So when
+ * a `kind` is supplied, the function returns the same overall status,
+ * NOT a kind-specific narrowing. Per-family roll-up arrives with the
+ * fingerprint dump CLI's coverage rendering (§4.4 / spec §3.7
+ * FingerprintCoverage.perFamily) once that field lands.
+ *
+ * Returns "unknown" when the summary has no coverage record at all
+ * (pre-Phase-0b routines).
+ */
+export function reachableCoverage(
+	s: RoutineSummary,
+	_kind?: CapabilityResourceKind,
+): CoverageStatus {
+	return s.coverage?.inheritedStatus ?? "unknown";
+}

package/src/detectors/confidence.ts

@@ -0,0 +1,52 @@
+import type { FindingConfidence } from "../model/finding.ts";
+import type { Uncertainty } from "../model/summary.ts";
+
+type CappedByKind = NonNullable<FindingConfidence["cappedBy"]>[number];
+
+// The Uncertainty kinds that are also valid FindingConfidence.cappedBy values.
+const VALID_CAPPED_BY = new Set<CappedByKind>([
+	"unresolved-call",
+	"opaque-callee",
+	"dynamic-dispatch",
+	"parse-incomplete",
+	"version-mismatch",
+]);
+
+function describe(u: Uncertainty): string {
+	if ("callsiteId" in u) return `${u.kind} at ${u.callsiteId}`;
+	if ("operationId" in u) return `${u.kind} at ${u.operationId}`;
+	return `${u.kind} at ${u.routineId}`;
+}
+
+function isCappedByKind(kind: string): kind is CappedByKind {
+	return (VALID_CAPPED_BY as ReadonlySet<string>).has(kind);
+}
+
+/**
+ * Map a list of uncertainties to a FindingConfidence. Any uncertainty caps `level` at
+ * `possible`. Uncertainty kinds that are valid `cappedBy` values are listed there; the
+ * others (`interface-dispatch`, `recordref-or-variant`) still cap the level but are recorded
+ * only in `evidence` — never as an invalid `cappedBy` string. `baseLevel` is never raised.
+ */
+export function toConfidence(
+	uncertainties: Uncertainty[],
+	baseLevel: FindingConfidence["level"],
+): FindingConfidence {
+	if (uncertainties.length === 0) {
+		return { level: baseLevel, evidence: [] };
+	}
+	const cappedBySet = new Set(uncertainties.map((u) => u.kind).filter(isCappedByKind));
+	const cappedBy = cappedBySet.size > 0 ? ([...cappedBySet].sort() as CappedByKind[]) : undefined;
+	const evidence = uncertainties.map((u) => ({
+		source: "tree-sitter" as const,
+		note: describe(u),
+	}));
+	const result: FindingConfidence = {
+		level: "possible",
+		evidence,
+	};
+	if (cappedBy) {
+		result.cappedBy = cappedBy;
+	}
+	return result;
+}