al-sem 0.0.1

package/src/detectors/d1-db-op-in-loop.ts

@@ -0,0 +1,457 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { classifyOp, isDbTouchingClass } from "../engine/op-classification.ts";
+import type { Terminal, WalkPolicy, WalkResult } from "../engine/path-walker.ts";
+import { walkEvidence } from "../engine/path-walker.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation, Routine, Table } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { LoopId, RoutineId, TableId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { DbEffect } from "../model/summary.ts";
+import { pickActionableAnchor } from "../projection/actionable-anchor.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { touchesDbOf } from "./capability-query.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+import { mergeByTerminal } from "./path-merge.ts";
+import { describeTable } from "./table-display.ts";
+
+// The path-walker's depth/node budget for the interprocedural call-chain walk.
+const BOUNDS = { maxDepth: 20, maxNodes: 500 };
+
+const WRITE_OPS = new Set(["Modify", "ModifyAll", "Insert", "Delete", "DeleteAll"]);
+const HEAVY_READ_OPS = new Set(["CalcFields", "CalcSums"]); // FlowField materialisation = high cost
+const RETRIEVAL_OPS = new Set(["FindSet", "FindFirst", "FindLast", "Find", "Get", "Next"]);
+/**
+ * Ops that open a recordset cursor BEFORE a `repeat..until` loop. When an in-loop `Next`
+ * has the same record-var as one of these earlier ops, the Next IS the cursor advance —
+ * not an N+1 antipattern. Without this filter `Next` produced ~28% of D1's findings on
+ * real workspaces, all on legitimate FindSet+repeat patterns.
+ */
+const CURSOR_OPENER_OPS = new Set(["FindSet", "FindFirst", "FindLast", "Find"]);
+
+interface D1Terminal extends Terminal {
+	op: RecordOperation;
+}
+
+/**
+ * BC "setup singleton" pattern: tables whose name ends in `Setup` are by AL convention
+ * single-record config tables (General Ledger Setup, Sales & Receivables Setup, custom
+ * `CDO Setup`, etc.). BC caches `<Setup>.Get()` per session, so an in-loop Get on such a
+ * table is typically O(1) after the first hit — actionably weak as an N+1 warning.
+ *
+ * We downgrade these findings to `info` rather than suppressing entirely: the call is
+ * still technically a DB op inside a loop, and a strict consumer can opt back in by
+ * lowering `--min-severity` (info is below the usual `--min-severity high` threshold).
+ *
+ * Narrow conditions for the heuristic to apply:
+ *   - op kind is `Get` (the by-PK lookup that participates in BC's singleton cache);
+ *   - the rendered table-display name ends in `Setup` (case-insensitive, after stripping
+ *     the `(type not loaded)` suffix that `describeTable` adds when only the variable's
+ *     declared type is known).
+ *
+ * `Find*` ops on the same table do not trigger the heuristic — they imply a multi-record
+ * scan and are legitimate D1 signal.
+ */
+function isSetupSingletonGet(
+	op: RecordOperation,
+	routine: Routine | undefined,
+	tableById: Map<TableId, Table>,
+): boolean {
+	if (op.op !== "Get") return false;
+	const display = describeTable(op, routine, tableById);
+	// Strip the `(type not loaded)` suffix so both the resolved-table and type-only paths
+	// land on the same naming check. `var <name>` and `unknown table` fall through to false.
+	const name = display.replace(/\s*\(type not loaded\)$/i, "").trim();
+	if (name === "" || name.startsWith("var ") || name === "unknown table") return false;
+	return /\bSetup$/i.test(name);
+}
+
+/**
+ * The representative loop of a loopStack — the innermost loop the op/callsite sits in.
+ * `loopStack` is outermost-first (see test/intraprocedural-ops.test.ts), so the innermost
+ * loop is the LAST element. Findings are keyed on this so a deeply nested op reports once.
+ */
+function representativeLoopId(loopStack: LoopId[]): LoopId | undefined {
+	return loopStack.at(-1);
+}
+
+function severityFor(
+	op: RecordOperation,
+	effectiveLoopDepth: number,
+	isSetupSingleton: boolean,
+): Finding["severity"] {
+	if (op.tempState.kind === "known" && op.tempState.value === true) return "info";
+	if (isSetupSingleton) return "info";
+	let base: Finding["severity"];
+	if (WRITE_OPS.has(op.op))
+		base = "high"; // write inside loop = always high
+	else if (HEAVY_READ_OPS.has(op.op))
+		base = "high"; // FlowField materialisation = high
+	else if (RETRIEVAL_OPS.has(op.op))
+		base = "medium"; // pure retrieval = medium
+	else if (classifyOp(op.op) === "db-lock") base = "low";
+	else base = "medium";
+	if (effectiveLoopDepth >= 2) {
+		// nested loop escalates one level
+		if (base === "high") base = "critical";
+		else if (base === "medium") base = "high";
+	}
+	return base;
+}
+
+/**
+ * Render the terminal op's target table for the rootCause string. Looks up the
+ * table NAME via `tableById` so the user sees `"Modify on Customer"` instead of
+ * the unhelpful internal id `"Modify on 437dbf0e-…/table/18"`. Falls back to
+ * the receiver's declared type name (with a `(type not loaded)` hint) when the
+ * tableId can't be resolved — see describeTable for the full tier list.
+ */
+function tableNote(
+	op: RecordOperation,
+	routine: Routine | undefined,
+	tableById: Map<TableId, Table>,
+): string {
+	return `${op.op} on ${describeTable(op, routine, tableById)}`;
+}
+
+/**
+ * Synthesise a RecordOperation from a DbEffect for routines whose raw features have been
+ * stripped (dependency-role artifact projections). The loopStack is empty because the
+ * depth is tracked by the path-walker's initialLoopDepth / localLoopDepth accounting.
+ */
+function synthRecordOpFromEffect(
+	routineId: RoutineId,
+	routine: Routine,
+	effect: DbEffect,
+): RecordOperation {
+	return {
+		id: effect.operationId,
+		routineId,
+		op: effect.op,
+		recordVariableName: "",
+		tableId: effect.tableId === "unknown" ? undefined : effect.tableId,
+		tempState: effect.tempState,
+		loopStack: [],
+		sourceAnchor: { ...routine.sourceAnchor, enclosingRoutineId: routineId },
+	};
+}
+
+function buildFinding(
+	loopRoutine: Routine,
+	representativeLoop: LoopId,
+	result: WalkResult,
+	terminalOp: RecordOperation,
+	routineById: Map<RoutineId, Routine>,
+	tableById: Map<TableId, Table>,
+	model: SemanticModel,
+): Finding {
+	const terminalRoutine = routineById.get(terminalOp.routineId);
+	const setupSingleton = isSetupSingletonGet(terminalOp, terminalRoutine, tableById);
+	const severity = severityFor(terminalOp, result.effectiveLoopDepth, setupSingleton);
+	const tempNote =
+		terminalOp.tempState.kind === "known" && terminalOp.tempState.value === true
+			? " (temporary record — not a SQL round-trip)"
+			: terminalOp.tempState.kind !== "known"
+				? " (temp state uncertain)"
+				: "";
+	const setupNote = setupSingleton
+		? " (Setup singleton — BC caches Get() per session, so the round-trip happens at most once.)"
+		: "";
+
+	// Two keys, two purposes:
+	//   `id`           per-(loop, op) — used by the existing within-walker dedup that
+	//                  drops a path the path-walker enumerated twice via different
+	//                  call-site branches.
+	//   `rootCauseKey` per-(terminal-op) — used by mergeByTerminal at the end of
+	//                  detectD1 to fold M different ancestor loops reaching the same
+	//                  op into ONE finding with the others in additionalPaths. The
+	//                  bug entity is the terminal DB op, not the (loop, op) pair.
+	const finding: Finding = {
+		id: `d1/${representativeLoop}/${terminalOp.routineId}/${terminalOp.id}`,
+		rootCauseKey: `d1/${terminalOp.routineId}/${terminalOp.id}`,
+		detector: "d1-db-op-in-loop",
+		title: "Database operation inside a loop",
+		rootCause: `A loop in ${loopRoutine.name} reaches ${tableNote(terminalOp, terminalRoutine, tableById)}${tempNote}${setupNote}.`,
+		severity,
+		confidence: toConfidence(result.uncertainties, "likely"),
+		primaryLocation: terminalOp.sourceAnchor,
+		evidencePath: result.path,
+		affectedObjects: [
+			...new Set(
+				[loopRoutine.objectId, terminalRoutine?.objectId].filter(
+					(x): x is string => x !== undefined,
+				),
+			),
+		].sort(),
+		affectedTables: terminalOp.tableId !== undefined ? [terminalOp.tableId] : [],
+		fixOptions: setupSingleton
+			? [
+					{
+						description:
+							"Setup tables are session-cached by BC, so a Get() inside a loop is typically O(1) after the first hit. Hoist the Get() outside the loop only if the call site shows up in a CPU profile.",
+						safety: "high",
+					},
+				]
+			: [
+					{
+						description:
+							"Move the database operation outside the loop, or batch it into a set-based operation.",
+						safety: "medium",
+					},
+				],
+		provenance: [{ source: "tree-sitter" }],
+	};
+
+	const actionable = pickActionableAnchor(finding, model);
+	if (actionable !== undefined) finding.actionableAnchor = actionable;
+	// Fingerprint deferred until AFTER mergeByTerminal — the merged finding's
+	// affectedObjects/affectedTables can grow (union across paths), and fingerprint
+	// includes affectedTables for edit-survival stability.
+	return finding;
+}
+
+/** D1: find DB operations executed inside a loop — directly or through an in-loop call chain. */
+export function detectD1(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+	let candidatesConsidered = 0;
+	let skippedParseIncomplete = 0;
+	let downgradedToInfo = 0;
+	let downgradedSetupSingleton = 0;
+	let skippedOpaqueCallee = 0;
+	let skippedDynamicDispatch = 0;
+
+	const policy: WalkPolicy<D1Terminal> = {
+		terminalsAt: (node) => {
+			const r = routineById.get(node);
+			if (r === undefined) return [];
+			// Dep routines ship with EMPTY_FEATURES (artifact projection strips them);
+			// reconstruct in-loop DB terminals from their summary.dbEffects.
+			if (roleOf(r) !== "dependency") {
+				return r.features.recordOperations
+					.filter((op) => isDbTouchingClass(classifyOp(op.op)))
+					.map((op) => ({ routineId: node, localLoopDepth: op.loopStack.length, op }));
+			}
+			// Dependency routines have their raw features stripped in the artifact. Synthesize
+			// terminals from summary.dbEffects (direct effects only — transitive ones are not
+			// re-emitted at this node; they are accessible by expanding further).
+			const effects = r.summary?.dbEffects.filter(
+				(e) => e.via === "direct" && isDbTouchingClass(classifyOp(e.op)),
+			);
+			if (!effects || effects.length === 0) return [];
+			return effects.map((e) => ({
+				routineId: node,
+				localLoopDepth: 0,
+				op: synthRecordOpFromEffect(node, r, e),
+			}));
+		},
+		expand: (node) =>
+			(graph.edgesByFrom.get(node) ?? []).filter((e) => {
+				// event fan-out is D2's job
+				if (e.kind === "event-dispatch") return false;
+				const to = routineById.get(e.to);
+				return to?.summary !== undefined && touchesDbOf(to.summary) !== "no";
+			}),
+		buildHopStep: (edge) => {
+			const fromRoutine = routineById.get(edge.from);
+			const cs = fromRoutine?.features.callSites.find((c) => c.id === edge.callsiteId);
+			const toName = routineById.get(edge.to)?.name ?? edge.to;
+			const triggerNote =
+				edge.kind === "implicit-trigger" ? ` (via implicit ${toName} trigger)` : "";
+			return {
+				routineId: edge.from,
+				callsiteId: edge.callsiteId,
+				sourceAnchor: cs?.sourceAnchor ??
+					fromRoutine?.sourceAnchor ?? {
+						sourceUnitId: "",
+						range: { startLine: 0, startColumn: 0, endLine: 0, endColumn: 0 },
+						enclosingRoutineId: edge.from,
+						syntaxKind: "call",
+					},
+				note: `calls ${toName}${triggerNote}`,
+			};
+		},
+		buildTerminalStep: (t) => ({
+			routineId: t.routineId,
+			operationId: t.op.id,
+			sourceAnchor: t.op.sourceAnchor,
+			note: tableNote(t.op, routineById.get(t.routineId), ctx.tableById),
+		}),
+	};
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+		candidatesConsidered++;
+		const loopById = new Map(routine.features.loops.map((l) => [l.id, l]));
+
+		// Record-vars that had a cursor opened before any loop — used to suppress in-loop
+		// `Next` on the same var (the cursor's natural advance, not N+1).
+		const cursorOpenedRecordVars = new Set<string>();
+		for (const op of routine.features.recordOperations) {
+			if (op.loopStack.length !== 0) continue;
+			if (!CURSOR_OPENER_OPS.has(op.op)) continue;
+			cursorOpenedRecordVars.add(op.recordVariableName.toLowerCase());
+		}
+
+		// (a) Direct in-loop DB ops within this routine — iterate ops, key on representative loop.
+		for (const op of routine.features.recordOperations) {
+			if (op.loopStack.length === 0) continue;
+			if (!isDbTouchingClass(classifyOp(op.op))) continue;
+			if (op.op === "Next" && cursorOpenedRecordVars.has(op.recordVariableName.toLowerCase())) {
+				// FindSet/FindFirst/Find/FindLast on this var earlier → Next is the cursor advance.
+				continue;
+			}
+			const representativeLoop = representativeLoopId(op.loopStack);
+			if (representativeLoop === undefined) continue;
+			const loop = loopById.get(representativeLoop);
+			if (loop === undefined) continue;
+			if (op.tempState.kind === "known" && op.tempState.value === true) {
+				downgradedToInfo++;
+			}
+
+			const loopStep: EvidenceStep = {
+				routineId: routine.id,
+				loopId: loop.id,
+				sourceAnchor: loop.sourceAnchor,
+				note: `${loop.type} loop`,
+			};
+			const opStep: EvidenceStep = {
+				routineId: routine.id,
+				operationId: op.id,
+				sourceAnchor: op.sourceAnchor,
+				note: tableNote(op, routine, ctx.tableById),
+			};
+			const result: WalkResult = {
+				path: [loopStep, opStep],
+				effectiveLoopDepth: op.loopStack.length,
+				// Always [] here: the op is directly observed in this routine — no call resolution.
+				uncertainties: [],
+				stop: "complete",
+			};
+			findings.push(
+				buildFinding(routine, representativeLoop, result, op, routineById, ctx.tableById, model),
+			);
+		}
+
+		// (b) In-loop calls to DB-touching callees — walk the call chain.
+		for (const cs of routine.features.callSites) {
+			if (cs.loopStack.length === 0) continue;
+			const representativeLoop = representativeLoopId(cs.loopStack);
+			if (representativeLoop === undefined) continue;
+			const loop = loopById.get(representativeLoop);
+			if (loop === undefined) continue;
+
+			const edge = (graph.edgesByFrom.get(routine.id) ?? []).find((e) => e.callsiteId === cs.id);
+			if (edge === undefined) {
+				// No resolved edge — opaque callee
+				skippedOpaqueCallee++;
+				continue;
+			}
+			if (edge.kind === "interface" || edge.kind === "dynamic") {
+				skippedDynamicDispatch++;
+				continue;
+			}
+			const callsiteTo = routineById.get(edge.to);
+			if (callsiteTo?.summary === undefined || touchesDbOf(callsiteTo.summary) === "no") continue;
+
+			const loopStep: EvidenceStep = {
+				routineId: routine.id,
+				loopId: loop.id,
+				sourceAnchor: loop.sourceAnchor,
+				note: `${loop.type} loop`,
+			};
+			const callStep: EvidenceStep = {
+				routineId: routine.id,
+				callsiteId: cs.id,
+				sourceAnchor: cs.sourceAnchor,
+				note: `calls ${routineById.get(edge.to)?.name ?? edge.to}`,
+			};
+
+			const results = walkEvidence(edge.to, policy, BOUNDS, graph, model, {
+				initialLoopDepth: cs.loopStack.length,
+				initialSteps: [loopStep, callStep],
+				routineById,
+				uncertaintyEdgesByFrom: ctx.uncertaintyEdgesByFrom,
+				callSiteById: ctx.callSiteById,
+			});
+
+			for (const result of results) {
+				if (result.stop !== "complete") continue;
+				const lastStep = result.path.at(-1);
+				if (lastStep?.operationId === undefined) continue;
+				const terminalRoutine = routineById.get(lastStep.routineId);
+				// Primary routines have real RecordOperations; dependency routines have theirs stripped
+				// in the artifact but preserve the operationId in summary.dbEffects.
+				const terminalOp: RecordOperation | undefined =
+					terminalRoutine?.features.recordOperations.find((o) => o.id === lastStep.operationId) ??
+					(() => {
+						const effect = terminalRoutine?.summary?.dbEffects.find(
+							(e) => e.operationId === lastStep.operationId,
+						);
+						if (!effect || !terminalRoutine) return undefined;
+						return synthRecordOpFromEffect(lastStep.routineId, terminalRoutine, effect);
+					})();
+				if (terminalOp === undefined) continue;
+				findings.push(
+					buildFinding(
+						routine,
+						representativeLoop,
+						result,
+						terminalOp,
+						routineById,
+						ctx.tableById,
+						model,
+					),
+				);
+			}
+		}
+	}
+
+	// Two-stage collapse:
+	//   1. Dedupe by id (loop+op pair) — drops within-walker duplicates when the
+	//      path-walker enumerates the same (loop, op) via different branches.
+	//   2. mergeByTerminal — folds different loops on the same terminal op into a
+	//      single Finding with additionalPaths. Sorts by canonical id for
+	//      determinism (a `rootCauseKey`-keyed sort is equivalent here).
+	const seen = new Set<string>();
+	const deduped: Finding[] = [];
+	for (const f of findings) {
+		if (seen.has(f.id)) continue;
+		seen.add(f.id);
+		deduped.push(f);
+	}
+	const merged = mergeByTerminal(deduped);
+	for (const f of merged) {
+		// Setup-singleton downgrades carry their note in rootCause — count them for stats
+		// (cheap signature check vs threading a counter through buildFinding + merge).
+		if (f.rootCause.includes("Setup singleton")) downgradedSetupSingleton++;
+	}
+	// Fingerprint AFTER merge — affectedObjects/affectedTables are unioned across
+	// paths, so the fingerprint needs the final values to be edit-stable.
+	for (const f of merged) f.fingerprint = fingerprintOf(f, model);
+	const sorted = merged.sort((a, b) => compareStrings(a.id, b.id));
+	const stats: DetectorStats = {
+		detector: "d1-db-op-in-loop",
+		candidatesConsidered,
+		findingsEmitted: sorted.length,
+		skipped: {
+			...(skippedOpaqueCallee > 0 ? { opaqueCallee: skippedOpaqueCallee } : {}),
+			...(skippedDynamicDispatch > 0 ? { dynamicDispatch: skippedDynamicDispatch } : {}),
+			...(skippedParseIncomplete > 0 ? { parseIncomplete: skippedParseIncomplete } : {}),
+			...(downgradedToInfo > 0 ? { downgradedToInfo } : {}),
+			...(downgradedSetupSingleton > 0 ? { downgradedSetupSingleton } : {}),
+		},
+	};
+	return { findings: sorted, stats };
+}

package/src/detectors/d10-self-modifying-loop.ts

@@ -0,0 +1,114 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const MUTATING_OPS: ReadonlySet<string> = new Set([
+	"Modify",
+	"ModifyAll",
+	"Validate",
+	"Delete",
+	"DeleteAll",
+]);
+
+/**
+ * The operation that drives cursor advancement in a repeat/until loop.
+ * `Next()` is always emitted inside the loop body, so it carries a non-empty
+ * loopStack — unlike `FindSet`/`FindFirst` which appear in the `if` guard
+ * before the `repeat` keyword and therefore have loopStack === [].
+ */
+const LOOP_DRIVER_OPS: ReadonlySet<string> = new Set(["Next"]);
+
+export function detectD10(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedParseIncomplete = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+		candidatesConsidered++;
+
+		// Map loopId → record variable that drives the loop.
+		// We use Next() as the signal: it is always emitted inside the repeat/until body
+		// (loopStack is non-empty), whereas FindSet/FindFirst appear in the `if` guard
+		// before the `repeat` keyword and therefore have loopStack === [].
+		const loopDriver = new Map<string, string>();
+		for (const op of routine.features.recordOperations) {
+			if (!LOOP_DRIVER_OPS.has(op.op)) continue;
+			const loop = op.loopStack[op.loopStack.length - 1];
+			if (loop === undefined) continue;
+			if (!loopDriver.has(loop)) loopDriver.set(loop, op.recordVariableName.toLowerCase());
+		}
+
+		for (const op of routine.features.recordOperations) {
+			if (!MUTATING_OPS.has(op.op)) continue;
+			const loop = op.loopStack[op.loopStack.length - 1];
+			if (loop === undefined) continue;
+			const driver = loopDriver.get(loop);
+			if (driver === undefined) continue;
+			if (op.recordVariableName.toLowerCase() !== driver) continue;
+
+			const loopNode = routine.features.loops.find((l) => l.id === loop);
+			const path: EvidenceStep[] = [];
+			if (loopNode) {
+				path.push({
+					routineId: routine.id,
+					loopId: loopNode.id,
+					sourceAnchor: loopNode.sourceAnchor,
+					note: `${loopNode.type} loop iterating ${op.recordVariableName}`,
+				});
+			}
+			path.push({
+				routineId: routine.id,
+				operationId: op.id,
+				sourceAnchor: op.sourceAnchor,
+				note: `${op.op} on iterating record ${op.recordVariableName}`,
+			});
+
+			const finding: Finding = {
+				id: `d10/${routine.id}/${op.id}`,
+				rootCauseKey: `d10/${routine.id}/${op.id}`,
+				detector: "d10-self-modifying-loop",
+				title: "Self-modifying loop",
+				rootCause: `${routine.name} runs ${op.op} on the iterating record ${op.recordVariableName} inside its own loop — the cursor's snapshot may be corrupted.`,
+				severity: "high",
+				confidence: toConfidence([], "likely"),
+				primaryLocation: op.sourceAnchor,
+				evidencePath: path,
+				affectedObjects: [routine.objectId],
+				affectedTables: op.tableId !== undefined ? [op.tableId] : [],
+				fixOptions: [
+					{
+						description:
+							"Collect the keys first, then iterate a fresh recordset to perform the modifications; or use ModifyAll with a filter.",
+						safety: "medium",
+					},
+				],
+				provenance: [{ source: "tree-sitter" }],
+			};
+			finding.fingerprint = fingerprintOf(finding, model);
+			findings.push(finding);
+		}
+	}
+
+	const stats: DetectorStats = {
+		detector: "d10-self-modifying-loop",
+		candidatesConsidered,
+		findingsEmitted: findings.length,
+		skipped: { parseIncomplete: skippedParseIncomplete > 0 ? skippedParseIncomplete : undefined },
+	};
+	return { findings: findings.sort((a, b) => compareStrings(a.id, b.id)), stats };
+}