npm - al-sem - Versions diffs - 0.0.1 - Mend

al-sem 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/LICENSE +21 -0
package/README.md +361 -0
package/package.json +64 -0
package/scripts/d40-diff.ts +44 -0
package/scripts/fetch-native-parser.ts +179 -0
package/scripts/precision-sample.ts +99 -0
package/scripts/precision-study.ts +42 -0
package/scripts/precision-tabulate.ts +52 -0
package/src/cli/baseline.ts +31 -0
package/src/cli/diff.ts +199 -0
package/src/cli/events-chains.ts +56 -0
package/src/cli/events-fanout.ts +87 -0
package/src/cli/exit-code.ts +30 -0
package/src/cli/fingerprint-indexes.ts +130 -0
package/src/cli/fingerprint-query.ts +543 -0
package/src/cli/fingerprint-witness.ts +493 -0
package/src/cli/fingerprint.ts +292 -0
package/src/cli/format-compact-json.ts +45 -0
package/src/cli/format-events.ts +77 -0
package/src/cli/format-fingerprint.ts +295 -0
package/src/cli/format-html.ts +503 -0
package/src/cli/format-json.ts +13 -0
package/src/cli/format-policy.ts +95 -0
package/src/cli/format-sarif.ts +186 -0
package/src/cli/format-terminal.ts +153 -0
package/src/cli/index.ts +566 -0
package/src/cli/policy.ts +204 -0
package/src/config/roots-config.ts +302 -0
package/src/deps/cache-versions.ts +74 -0
package/src/deps/canonical-json.ts +27 -0
package/src/deps/dependency-artifact.ts +144 -0
package/src/deps/dependency-cache.ts +262 -0
package/src/deps/dependency-dag.ts +128 -0
package/src/deps/dependency-package-discovery.ts +85 -0
package/src/deps/dependency-pipeline.ts +483 -0
package/src/deps/dependency-projection.ts +211 -0
package/src/deps/dependency-resolver.ts +154 -0
package/src/deps/workspace-dependencies.ts +114 -0
package/src/detectors/capability-query.ts +145 -0
package/src/detectors/confidence.ts +52 -0
package/src/detectors/d1-db-op-in-loop.ts +457 -0
package/src/detectors/d10-self-modifying-loop.ts +114 -0
package/src/detectors/d11-modify-without-get.ts +129 -0
package/src/detectors/d12-dead-integration-event.ts +81 -0
package/src/detectors/d13-cross-app-internal-call.ts +105 -0
package/src/detectors/d14-dead-routine.ts +151 -0
package/src/detectors/d16-obsolete-routine-call.ts +94 -0
package/src/detectors/d17-min-version-drift.ts +157 -0
package/src/detectors/d18-constant-filter-in-loop.ts +151 -0
package/src/detectors/d19-unused-parameter.ts +116 -0
package/src/detectors/d2-event-fanout-in-loop.ts +240 -0
package/src/detectors/d20-unreachable-after-exit.ts +92 -0
package/src/detectors/d21-read-without-load.ts +128 -0
package/src/detectors/d22-flowfield-without-calcfields.ts +168 -0
package/src/detectors/d29-subscriber-modify-on-event-record.ts +163 -0
package/src/detectors/d3-load-state.ts +72 -0
package/src/detectors/d3-missing-setloadfields.ts +234 -0
package/src/detectors/d32-constant-boolean-parameter.ts +185 -0
package/src/detectors/d33-unfiltered-bulk-write.ts +173 -0
package/src/detectors/d34-commit-in-loop.ts +206 -0
package/src/detectors/d35-commit-in-event-subscriber.ts +138 -0
package/src/detectors/d36-late-setloadfields.ts +162 -0
package/src/detectors/d37-validate-without-persist.ts +271 -0
package/src/detectors/d38-subscriber-to-obsolete-event.ts +140 -0
package/src/detectors/d39-record-left-dirty-across-chain.ts +165 -0
package/src/detectors/d4-repeated-lookup-in-loop.ts +128 -0
package/src/detectors/d40-transitive-load-missing.ts +217 -0
package/src/detectors/d41-transitive-filter-loss.ts +200 -0
package/src/detectors/d42-cross-call-wrong-setloadfields.ts +243 -0
package/src/detectors/d43-event-ishandled-skip.ts +257 -0
package/src/detectors/d44-event-multi-subscriber-overlap.ts +223 -0
package/src/detectors/d45-event-transitive-table-exposure.ts +159 -0
package/src/detectors/d5-set-based-opportunity.ts +162 -0
package/src/detectors/d7-recursive-event-expansion.ts +151 -0
package/src/detectors/d8-commit-in-transaction.ts +132 -0
package/src/detectors/d9-transaction-span-summary.ts +107 -0
package/src/detectors/detector-context.ts +121 -0
package/src/detectors/finding-grouping.ts +61 -0
package/src/detectors/path-merge.ts +174 -0
package/src/detectors/registry.ts +176 -0
package/src/detectors/table-display.ts +42 -0
package/src/diff/diff-abi.ts +195 -0
package/src/diff/diff-capabilities.ts +179 -0
package/src/diff/diff-engine.ts +146 -0
package/src/diff/diff-events.ts +323 -0
package/src/diff/diff-identity.ts +73 -0
package/src/diff/diff-indexes.ts +199 -0
package/src/diff/diff-permissions.ts +260 -0
package/src/diff/diff-policy.ts +101 -0
package/src/diff/diff-preflight.ts +66 -0
package/src/diff/diff-renames.ts +104 -0
package/src/diff/diff-schema.ts +232 -0
package/src/diff/format-diff.ts +148 -0
package/src/engine/attribute-parser.ts +50 -0
package/src/engine/capability-cone.ts +531 -0
package/src/engine/combined-graph.ts +357 -0
package/src/engine/control-flow-walker.ts +1317 -0
package/src/engine/dispatch-sites.ts +199 -0
package/src/engine/effect-lattice.ts +81 -0
package/src/engine/entry-points.ts +57 -0
package/src/engine/event-flow.ts +524 -0
package/src/engine/event-relay.ts +92 -0
package/src/engine/op-classification.ts +92 -0
package/src/engine/path-walker.ts +189 -0
package/src/engine/reverse-call-graph.ts +23 -0
package/src/engine/root-classifier-overlay.ts +194 -0
package/src/engine/root-classifier.ts +135 -0
package/src/engine/scc.ts +110 -0
package/src/engine/source-anchor.ts +25 -0
package/src/engine/summary-context.ts +104 -0
package/src/engine/summary-engine.ts +296 -0
package/src/engine/summary-runner.ts +560 -0
package/src/engine/transaction-spans.ts +112 -0
package/src/engine/uncertainty-util.ts +54 -0
package/src/hash.ts +31 -0
package/src/index/attribute-from-node.ts +141 -0
package/src/index/callee-from-node.ts +181 -0
package/src/index/capability/background.ts +90 -0
package/src/index/capability/commit.ts +44 -0
package/src/index/capability/dispatch.ts +164 -0
package/src/index/capability/events.ts +65 -0
package/src/index/capability/extractor.ts +124 -0
package/src/index/capability/file-blob.ts +137 -0
package/src/index/capability/http.ts +159 -0
package/src/index/capability/hyperlink.ts +60 -0
package/src/index/capability/isolated-storage.ts +179 -0
package/src/index/capability/table.ts +113 -0
package/src/index/capability/telemetry.ts +84 -0
package/src/index/capability/ui.ts +55 -0
package/src/index/capability/value-source.ts +202 -0
package/src/index/expression-from-node.ts +117 -0
package/src/index/indexer.ts +102 -0
package/src/index/intraprocedural-body.ts +1467 -0
package/src/index/intraprocedural-ops.ts +253 -0
package/src/index/intraprocedural-refs.ts +188 -0
package/src/index/object-indexer.ts +279 -0
package/src/index/routine-indexer.ts +282 -0
package/src/index/routine-signature.ts +46 -0
package/src/index/variable-indexer.ts +134 -0
package/src/index/variable-initializer-extractor.ts +155 -0
package/src/index/variable-type-normalizer.ts +83 -0
package/src/index.ts +267 -0
package/src/mcp/server.ts +72 -0
package/src/mcp/session.ts +49 -0
package/src/mcp/tools/explain-path.ts +75 -0
package/src/mcp/tools/get-analysis-health.ts +62 -0
package/src/mcp/tools/get-finding.ts +47 -0
package/src/mcp/tools/get-routine-summary.ts +126 -0
package/src/mcp/tools/list-findings.ts +85 -0
package/src/mcp/tools/list-hotspots.ts +78 -0
package/src/mcp/tools/list-rollups.ts +103 -0
package/src/mcp/tools/validators.ts +25 -0
package/src/model/attributes.ts +120 -0
package/src/model/callee.ts +45 -0
package/src/model/capability.ts +187 -0
package/src/model/coverage.ts +85 -0
package/src/model/entities.ts +628 -0
package/src/model/expression.ts +98 -0
package/src/model/finding.ts +110 -0
package/src/model/graph-edge.ts +93 -0
package/src/model/graph.ts +62 -0
package/src/model/identity.ts +81 -0
package/src/model/ids.ts +90 -0
package/src/model/index.ts +13 -0
package/src/model/model.ts +51 -0
package/src/model/permission.ts +76 -0
package/src/model/root-classification.ts +116 -0
package/src/model/stable-identity.ts +102 -0
package/src/model/summary.ts +96 -0
package/src/parser/ast.ts +82 -0
package/src/parser/native/ffi.ts +145 -0
package/src/parser/native/parse-index-pool.ts +148 -0
package/src/parser/native/parse-index-worker.ts +94 -0
package/src/parser/native/wrapper.ts +353 -0
package/src/parser/parser-init.ts +43 -0
package/src/perf/profiler.ts +66 -0
package/src/policy/policy-default.yaml +83 -0
package/src/policy/policy-engine.ts +339 -0
package/src/policy/policy-loader.ts +257 -0
package/src/policy/policy-schema.json +379 -0
package/src/policy/policy-types.ts +81 -0
package/src/policy/predicate-compiler.ts +151 -0
package/src/policy/predicate-evaluator.ts +267 -0
package/src/policy/predicate-fields.ts +439 -0
package/src/projection/actionable-anchor.ts +48 -0
package/src/projection/finding-filters.ts +44 -0
package/src/projection/finding-fingerprint.ts +54 -0
package/src/projection/finding-groups.ts +41 -0
package/src/projection/finding-summary.ts +110 -0
package/src/projection/rollup-findings.ts +105 -0
package/src/providers/discover.ts +88 -0
package/src/providers/external.ts +46 -0
package/src/providers/types.ts +36 -0
package/src/providers/workspace.ts +117 -0
package/src/resolve/call-resolver.ts +117 -0
package/src/resolve/coverage.ts +61 -0
package/src/resolve/event-graph.ts +166 -0
package/src/resolve/implicit-edges.ts +53 -0
package/src/resolve/record-types.ts +36 -0
package/src/resolve/resolver.ts +23 -0
package/src/resolve/semantic-graph.ts +29 -0
package/src/resolve/symbol-table.ts +69 -0
package/src/snapshot/app-snapshot.ts +74 -0
package/src/snapshot/compose.ts +100 -0
package/src/snapshot/derive/callsite-evidence.ts +76 -0
package/src/snapshot/derive/capability-facts.ts +70 -0
package/src/snapshot/derive/contracts.ts +131 -0
package/src/snapshot/derive/coverage.ts +35 -0
package/src/snapshot/derive/event-declarations.ts +140 -0
package/src/snapshot/derive/identity-table.ts +58 -0
package/src/snapshot/derive/inputs.ts +91 -0
package/src/snapshot/derive/operation-evidence.ts +70 -0
package/src/snapshot/derive/permissions.ts +186 -0
package/src/snapshot/derive/root-classifications.ts +56 -0
package/src/snapshot/derive/schema.ts +130 -0
package/src/snapshot/derive/typed-edges.ts +60 -0
package/src/snapshot/derive/workspace-fingerprint.ts +19 -0
package/src/snapshot/deserialize.ts +40 -0
package/src/snapshot/serialize-cbor-gz.ts +12 -0
package/src/snapshot/serialize-cbor.ts +19 -0
package/src/snapshot/serialize-json.ts +22 -0
package/src/snapshot/shard.ts +134 -0
package/src/snapshot/types.ts +181 -0
package/src/symbols/app-manifest.ts +96 -0
package/src/symbols/app-package-zip.ts +50 -0
package/src/symbols/embedded-source-reader.ts +41 -0
package/src/symbols/package-hash.ts +81 -0
package/src/symbols/symbol-reader.ts +101 -0
package/src/symbols/symbol-reference-parser.ts +378 -0
package/src/symbols/symbol-reference-reader.ts +27 -0
package/tsconfig.json +18 -0

package/src/detectors/d17-min-version-drift.ts ADDED Viewed

@@ -0,0 +1,157 @@
+// src/detectors/d17-min-version-drift.ts
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+/**
+ * Compare two BC version strings ("X.Y.Z.W"). Returns -1, 0, 1. Missing components
+ * are treated as 0 so "24" < "24.1" < "24.1.0.0" correctly.
+ */
+function cmpVersion(a: string, b: string): number {
+	const pa = a.split(".").map((x) => Number.parseInt(x, 10) || 0);
+	const pb = b.split(".").map((x) => Number.parseInt(x, 10) || 0);
+	const len = Math.max(pa.length, pb.length);
+	for (let i = 0; i < len; i++) {
+		const da = pa[i] ?? 0;
+		const db = pb[i] ?? 0;
+		if (da !== db) return da < db ? -1 : 1;
+	}
+	return 0;
+}
+/**
+ * D17 — MinVersion vs resolved-Version drift (Outcome-B precision).
+ *
+ * For each dep declared in the primary app's app.json dependencies[], compare the
+ * declared minVersion against the actual resolved app version
+ * (SemanticModel.apps[].version). If resolved > declared AND the primary app
+ * actually calls into that dep, emit one info finding per drifting dep.
+ *
+ * Per-routine sinceVersion is deferred: SymbolReference.json doesn't carry it.
+ */
+export function detectD17(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const declared = model.identity.primaryDependencies ?? [];
+	if (declared.length === 0) {
+		return {
+			findings,
+			stats: {
+				detector: "d17-min-version-drift",
+				candidatesConsidered: 0,
+				findingsEmitted: 0,
+				skipped: {},
+			},
+		};
+	}
+	const appByGuid = new Map(model.apps.map((a) => [a.appGuid, a]));
+	const objectsById = ctx.objectsById;
+	const routinesById = ctx.routineById;
+	const calledDepGuids = new Set<string>();
+	const sampleCallsiteByDep = new Map<
+		string,
+		{
+			callerRoutineId: string;
+			calleeRoutineName: string;
+			anchor: (typeof model.routines)[number]["sourceAnchor"];
+		}
+	>();
+	for (const [, edges] of graph.edgesByFrom) {
+		for (const e of edges) {
+			const caller = routinesById.get(e.from);
+			const callee = routinesById.get(e.to);
+			if (!caller || !callee) continue;
+			if (roleOf(caller) !== "primary") continue;
+			const callerObj = objectsById.get(caller.objectId);
+			const calleeObj = objectsById.get(callee.objectId);
+			if (!callerObj || !calleeObj) continue;
+			if (callerObj.appGuid === calleeObj.appGuid) continue;
+			calledDepGuids.add(calleeObj.appGuid);
+			if (!sampleCallsiteByDep.has(calleeObj.appGuid)) {
+				const cs = caller.features.callSites.find((c) => c.id === e.callsiteId);
+				sampleCallsiteByDep.set(calleeObj.appGuid, {
+					callerRoutineId: caller.id,
+					calleeRoutineName: callee.name,
+					anchor: cs?.sourceAnchor ?? caller.sourceAnchor,
+				});
+			}
+		}
+	}
+	let candidatesConsidered = 0;
+	let skippedOther = 0;
+	for (const dep of declared) {
+		candidatesConsidered++;
+		const resolved = appByGuid.get(dep.appGuid);
+		if (resolved === undefined) {
+			skippedOther++;
+			continue;
+		}
+		if (cmpVersion(resolved.version, dep.minVersion) <= 0) {
+			skippedOther++;
+			continue;
+		}
+		if (!calledDepGuids.has(dep.appGuid)) {
+			skippedOther++;
+			continue;
+		}
+		const sample = sampleCallsiteByDep.get(dep.appGuid);
+		if (sample === undefined) {
+			skippedOther++;
+			continue;
+		}
+		const callerRoutine = routinesById.get(sample.callerRoutineId);
+		if (!callerRoutine) {
+			skippedOther++;
+			continue;
+		}
+		const finding: Finding = {
+			id: `d17/${dep.appGuid}`,
+			rootCauseKey: `d17/${dep.appGuid}`,
+			detector: "d17-min-version-drift",
+			title: "Declared MinVersion is older than the resolved dependency version",
+			rootCause: `${callerRoutine.name} calls into ${dep.name} (${dep.appGuid}). app.json declares MinVersion ${dep.minVersion} for this dependency, but the resolved .app is at version ${resolved.version} — your code may use APIs that don't exist on older tenants.`,
+			severity: "info",
+			confidence: toConfidence([], "possible"),
+			primaryLocation: sample.anchor,
+			evidencePath: [
+				{
+					routineId: sample.callerRoutineId,
+					sourceAnchor: sample.anchor,
+					note: `calls ${sample.calleeRoutineName} in ${dep.name} ${resolved.version} (declared MinVersion ${dep.minVersion})`,
+				},
+			],
+			affectedObjects: [callerRoutine.objectId].sort(),
+			affectedTables: [],
+			fixOptions: [
+				{
+					description: `Bump app.json dependencies[].version for ${dep.name} to at least ${resolved.version}, or test that your code paths into this dep also work on ${dep.minVersion}.`,
+					safety: "medium",
+				},
+			],
+			provenance: [{ source: "tree-sitter" }],
+		};
+		finding.fingerprint = fingerprintOf(finding, model);
+		findings.push(finding);
+	}
+	return {
+		findings: findings.sort((a, b) => compareStrings(a.id, b.id)),
+		stats: {
+			detector: "d17-min-version-drift",
+			candidatesConsidered,
+			findingsEmitted: findings.length,
+			skipped: { other: skippedOther > 0 ? skippedOther : undefined },
+		},
+	};
+}

package/src/detectors/d18-constant-filter-in-loop.ts ADDED Viewed

@@ -0,0 +1,151 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation } from "../model/entities.ts";
+import { isLiteralExpression, unquotedFieldName } from "../model/expression.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+const FILTER_OPS: ReadonlySet<string> = new Set(["SetRange", "SetFilter"]);
+/**
+ * A "literal" argument that does not depend on any loop variable — the same
+ * value is produced every iteration. Conservative matcher (see
+ * `model/expression.ts → isLiteralExpression`):
+ *  - quoted string (`'value'` or `"value"`)
+ *  - numeric literal (with optional unary `+` / `-`)
+ *  - boolean (`true` / `false`)
+ *  - enum literal `Type::Member`
+ *
+ * Identifiers and calls fall through to non-literal — we cannot prove the value
+ * is loop-invariant without dataflow we don't have. Better silent than wrong.
+ */
+/**
+ * D18 — flag `SetRange` / `SetFilter` inside a loop whose every argument after the
+ * field name is a literal. The same filter is applied every iteration with no
+ * dependency on the iterating variable; the call can be hoisted out of the loop.
+ *
+ * Skipped:
+ *  - temporary records (`tempState: { kind: "known", value: true }`) — the state
+ *    cost is in-memory and negligible;
+ *  - any non-literal value argument — we cannot statically prove loop-invariance.
+ *
+ * Dedup key: (routineId, loopId, recordVar, fieldName) — multiple identical sets
+ * inside the same loop produce one finding.
+ */
+export function detectD18(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const seen = new Set<string>();
+	let candidatesConsidered = 0;
+	let skippedNonLiteral = 0;
+	let skippedTempRecord = 0;
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		candidatesConsidered++;
+		const loopById = new Map(routine.features.loops.map((l) => [l.id, l]));
+		for (const op of routine.features.recordOperations) {
+			if (!FILTER_OPS.has(op.op)) continue;
+			if (op.loopStack.length === 0) continue;
+			if (op.tempState.kind === "known" && op.tempState.value === true) {
+				skippedTempRecord++;
+				continue;
+			}
+			const infos = op.fieldArgumentInfos ?? [];
+			if (infos.length < 2) continue; // unrenderable — bail
+			const valueArgs = infos.slice(1);
+			if (!valueArgs.every(isLiteralExpression)) {
+				skippedNonLiteral++;
+				continue;
+			}
+			const representativeLoop = op.loopStack.at(-1);
+			if (representativeLoop === undefined) continue;
+			const loop = loopById.get(representativeLoop);
+			if (loop === undefined) continue;
+			const recordVar = op.recordVariableName.toLowerCase();
+			const fieldInfo = infos[0];
+			if (fieldInfo === undefined) continue;
+			const fieldName = fieldInfo.text.trim();
+			const dedupKey = `${routine.id}|${loop.id}|${recordVar}|${unquotedFieldName(fieldInfo)}`;
+			if (seen.has(dedupKey)) continue;
+			seen.add(dedupKey);
+			emit(routine, loop, op, fieldName, findings, model);
+		}
+	}
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d18-constant-filter-in-loop",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedNonLiteral > 0 ? { nonLiteralArgs: skippedNonLiteral } : {}),
+				...(skippedTempRecord > 0 ? { tempRecord: skippedTempRecord } : {}),
+			},
+		},
+	};
+}
+function emit(
+	routine: { id: string; objectId: string; name: string; sourceAnchor: unknown },
+	loop: { id: string; type: string; sourceAnchor: unknown },
+	op: RecordOperation,
+	fieldName: string,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			loopId: loop.id,
+			sourceAnchor: loop.sourceAnchor as EvidenceStep["sourceAnchor"],
+			note: `${loop.type} loop`,
+		},
+		{
+			routineId: routine.id,
+			operationId: op.id,
+			sourceAnchor: op.sourceAnchor,
+			note: `${op.op}(${op.fieldArguments?.join(", ") ?? ""}) on ${op.recordVariableName}`,
+		},
+	];
+	const finding: Finding = {
+		id: `d18/${routine.id}/${loop.id}/${op.recordVariableName.toLowerCase()}/${fieldName.toLowerCase()}`,
+		rootCauseKey: `d18/${routine.id}/${loop.id}/${op.recordVariableName.toLowerCase()}/${fieldName.toLowerCase()}`,
+		detector: "d18-constant-filter-in-loop",
+		title: "Constant filter applied inside a loop",
+		rootCause: `${routine.name} calls ${op.op} on ${op.recordVariableName}.${fieldName} with literal arguments inside a ${loop.type} loop — the filter is identical every iteration and can be hoisted outside.`,
+		severity: "low",
+		confidence: toConfidence([], "likely"),
+		primaryLocation: op.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: op.tableId !== undefined ? [op.tableId] : [],
+		fixOptions: [
+			{
+				description:
+					"Move the SetRange/SetFilter call outside the loop. The filter state persists across iterations until reset or cleared.",
+				safety: "high",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}

package/src/detectors/d19-unused-parameter.ts ADDED Viewed

@@ -0,0 +1,116 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { Routine } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+/**
+ * D19 — declared procedure parameter never referenced in the routine body.
+ *
+ * Restricted to forms where the signal is precise:
+ *   - `procedure` only (NOT triggers, NOT event subscribers — the latter's signature
+ *     is dictated by the publisher and must keep every parameter declared, even unused).
+ *
+ * Detection: the L2 indexer walks the routine body and collects every identifier
+ * referenced as a *value* into `features.identifierReferences` (lowercased, sorted,
+ * deduped). Field names, enum member names, and bare type names in enum-type
+ * position are excluded by construction. A parameter whose lowercased name is
+ * absent from that set is unreferenced.
+ *
+ * Severity: `info` — hygiene, not correctness.
+ */
+export function detectD19(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedEventSubscriber = 0;
+	let skippedTrigger = 0;
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		if (routine.kind === "trigger") {
+			skippedTrigger++;
+			continue;
+		}
+		if (routine.kind === "event-subscriber") {
+			skippedEventSubscriber++;
+			continue;
+		}
+		if (routine.parameters.length === 0) continue;
+		candidatesConsidered++;
+		const refs = new Set(routine.features.identifierReferences);
+		for (const param of routine.parameters) {
+			const lc = param.name.toLowerCase();
+			if (lc === "") continue; // unnamed slot — never flag
+			if (refs.has(lc)) continue;
+			const path: EvidenceStep[] = [
+				{
+					routineId: routine.id,
+					sourceAnchor: routine.sourceAnchor,
+					note: `parameter '${param.name}: ${param.typeText}' declared but never referenced`,
+				},
+			];
+			findings.push(makeFinding(routine, param, path, model));
+		}
+	}
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d19-unused-parameter",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedTrigger > 0 ? { trigger: skippedTrigger } : {}),
+				...(skippedEventSubscriber > 0 ? { eventSubscriber: skippedEventSubscriber } : {}),
+			},
+		},
+	};
+}
+function makeFinding(
+	routine: Routine,
+	param: Routine["parameters"][number],
+	path: EvidenceStep[],
+	model: SemanticModel,
+): Finding {
+	const finding: Finding = {
+		id: `d19/${routine.id}/p${param.index}`,
+		rootCauseKey: `d19/${routine.id}/p${param.index}`,
+		detector: "d19-unused-parameter",
+		title: "Procedure parameter is never used",
+		rootCause: `${routine.name} declares parameter '${param.name}' (${param.typeText}) at position ${param.index} but the body never references it.`,
+		severity: "info",
+		// Confidence upgraded from "possible" to "likely" — `identifierReferences`
+		// covers scalar parameter uses too (the pre-PR-5 fragment scan only saw
+		// record/call/field-access positions, which is why scalar params were
+		// excluded entirely). Now record AND scalar params are checked from the
+		// same precise structural signal.
+		confidence: toConfidence([], "likely"),
+		primaryLocation: routine.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: [],
+		fixOptions: [
+			{
+				description:
+					"Remove the parameter, or wire it into the procedure body. If callers must keep the existing signature, leave it and silence with an `_` prefix on the name.",
+				safety: "low",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	return finding;
+}

package/src/detectors/d2-event-fanout-in-loop.ts ADDED Viewed

@@ -0,0 +1,240 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { classifyOp, isDbTouchingClass } from "../engine/op-classification.ts";
+import type { Terminal, WalkPolicy } from "../engine/path-walker.ts";
+import { walkEvidence } from "../engine/path-walker.ts";
+import { resolvePublishedEvent } from "../engine/summary-engine.ts";
+import { compareStrings, dedupeUncertainties } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { Uncertainty } from "../model/summary.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { touchesDbOf, writesTablesOf } from "./capability-query.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+import { mergeByTerminal } from "./path-merge.ts";
+import { describeTable } from "./table-display.ts";
+const BOUNDS = { maxDepth: 20, maxNodes: 500 };
+interface D2Terminal extends Terminal {
+	op: RecordOperation;
+}
+/** D2: find an event raised inside a loop whose subscribers touch the database. */
+export function detectD2(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById, objectsById: objectById } = ctx;
+	const publisherRoutineIds = new Set(
+		model.routines.filter((r) => r.kind === "event-publisher").map((r) => r.id),
+	);
+	let candidatesConsidered = 0;
+	let skippedOpaqueCallee = 0;
+	let skippedDynamicDispatch = 0;
+	let skippedParseIncomplete = 0;
+	let unresolvedSubscriber = 0;
+	const policy: WalkPolicy<D2Terminal> = {
+		terminalsAt: (node) => {
+			const r = routineById.get(node);
+			if (r === undefined) return [];
+			return r.features.recordOperations
+				.filter((op) => isDbTouchingClass(classifyOp(op.op)))
+				.map((op) => ({ routineId: node, localLoopDepth: op.loopStack.length, op }));
+		},
+		expand: (node) =>
+			(graph.edgesByFrom.get(node) ?? []).filter((e) => {
+				if (e.kind === "event-dispatch") return false;
+				const to = routineById.get(e.to);
+				return to?.summary !== undefined && touchesDbOf(to.summary) !== "no";
+			}),
+		buildHopStep: (edge) => {
+			const fromRoutine = routineById.get(edge.from);
+			const cs = fromRoutine?.features.callSites.find((c) => c.id === edge.callsiteId);
+			const toName = routineById.get(edge.to)?.name ?? edge.to;
+			const triggerNote =
+				edge.kind === "implicit-trigger" ? ` (via implicit ${toName} trigger)` : "";
+			return {
+				routineId: edge.from,
+				callsiteId: edge.callsiteId,
+				sourceAnchor: cs?.sourceAnchor ??
+					fromRoutine?.sourceAnchor ?? {
+						sourceUnitId: "",
+						range: { startLine: 0, startColumn: 0, endLine: 0, endColumn: 0 },
+						enclosingRoutineId: edge.from,
+						syntaxKind: "call",
+					},
+				note: `calls ${toName}${triggerNote}`,
+			};
+		},
+		buildTerminalStep: (t) => ({
+			routineId: t.routineId,
+			operationId: t.op.id,
+			sourceAnchor: t.op.sourceAnchor,
+			note: `${t.op.op} on ${describeTable(t.op, routineById.get(t.routineId), ctx.tableById)}`,
+		}),
+	};
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+		candidatesConsidered++;
+		for (const cs of routine.features.callSites) {
+			if (cs.loopStack.length === 0) continue; // publish must be inside a loop
+			const edge = (graph.edgesByFrom.get(routine.id) ?? []).find((e) => e.callsiteId === cs.id);
+			if (edge === undefined) {
+				// No resolved edge in a loop — opaque callee
+				skippedOpaqueCallee++;
+				continue;
+			}
+			if (edge.kind === "interface" || edge.kind === "dynamic") {
+				skippedDynamicDispatch++;
+				continue;
+			}
+			if (!publisherRoutineIds.has(edge.to)) continue; // not an event publish
+			const eventId = resolvePublishedEvent(cs.operationId, model);
+			if (eventId === undefined) continue;
+			const subEdges = (graph.edgesByFrom.get(edge.to) ?? []).filter(
+				(e) => e.kind === "event-dispatch" && e.eventId === eventId,
+			);
+			const eventName = model.eventGraph.events.find((s) => s.id === eventId)?.eventName ?? eventId;
+			const loopId = cs.loopStack[cs.loopStack.length - 1];
+			const loopStep: EvidenceStep = {
+				routineId: routine.id,
+				loopId,
+				callsiteId: cs.id,
+				sourceAnchor: cs.sourceAnchor,
+				note: `loop raises event ${eventName}`,
+			};
+			const subscriberSteps: EvidenceStep[] = [];
+			const affectedObjects = new Set<string>([routine.objectId]);
+			const affectedTables = new Set<string>();
+			const uncertainties: Uncertainty[] = [];
+			let anyDbSubscriber = false;
+			let allResolved = true;
+			for (const subEdge of subEdges) {
+				if (subEdge.resolution !== "resolved") allResolved = false;
+				const subRoutine = routineById.get(subEdge.to);
+				if (subRoutine === undefined) {
+					unresolvedSubscriber++;
+					continue;
+				}
+				if (!subRoutine.bodyAvailable) {
+					allResolved = false;
+					continue;
+				}
+				if (subRoutine.summary === undefined || touchesDbOf(subRoutine.summary) === "no") continue;
+				// The subscriber's summary-level `touchesDb: "yes"` is the witness; the deep walk
+				// below is supplementary evidence that locates the exact op site.
+				const subSummary = subRoutine.summary;
+				anyDbSubscriber = true;
+				affectedObjects.add(subRoutine.objectId);
+				for (const u of subSummary.uncertainties) uncertainties.push(u);
+				for (const t of writesTablesOf(subSummary)) affectedTables.add(t);
+				const subObjectName = objectById.get(subRoutine.objectId)?.name ?? subRoutine.objectId;
+				subscriberSteps.push({
+					routineId: subRoutine.id,
+					sourceAnchor: subRoutine.sourceAnchor,
+					note: `subscriber ${subRoutine.name} in ${subObjectName} (app ${subEdge.subscriberAppId}) touches the database`,
+				});
+				const results = walkEvidence(subRoutine.id, policy, BOUNDS, graph, model, {
+					routineById,
+					uncertaintyEdgesByFrom: ctx.uncertaintyEdgesByFrom,
+					callSiteById: ctx.callSiteById,
+				});
+				const complete = results.find((r) => r.stop === "complete");
+				if (complete !== undefined) {
+					subscriberSteps.push(...complete.path);
+					for (const u of complete.uncertainties) uncertainties.push(u);
+					const term = complete.path.at(-1);
+					const termOp =
+						term?.operationId !== undefined
+							? routineById
+									.get(term.routineId)
+									?.features.recordOperations.find((o) => o.id === term.operationId)
+							: undefined;
+					if (termOp?.tableId !== undefined) affectedTables.add(termOp.tableId);
+				}
+			}
+			if (!anyDbSubscriber) continue;
+			const baseLevel = allResolved ? "likely" : "possible";
+			// Two keys, two purposes (mirrors D1):
+			//   `id`           per-(loop, eventId) — drops within-walker duplicates
+			//                  when the same loop publishes the same event from two
+			//                  callsites.
+			//   `rootCauseKey` per-eventId — used by mergeByTerminal to fold M
+			//                  different loops publishing the same event into ONE
+			//                  finding with the others in additionalPaths. The bug
+			//                  entity is the event with DB-touching subscribers; the
+			//                  loops are supporting traces. Fixing the subscribers
+			//                  cheap-ifies all callsites at once.
+			const d2finding: Finding = {
+				id: `d2/${loopId}/${eventId}`,
+				rootCauseKey: `d2/${eventId}`,
+				detector: "d2-event-fanout-in-loop",
+				title: "Event raised inside a loop fans out to database work",
+				rootCause: `${routine.name} raises ${eventName} inside a loop; subscribers touch the database every iteration.`,
+				severity: "high",
+				confidence: toConfidence(dedupeUncertainties(uncertainties), baseLevel),
+				primaryLocation: cs.sourceAnchor,
+				evidencePath: [loopStep, ...subscriberSteps],
+				affectedObjects: [...affectedObjects].sort(),
+				affectedTables: [...affectedTables].sort(),
+				fixOptions: [
+					{
+						description:
+							"Raise the event once outside the loop, or batch the work the subscribers do.",
+						safety: "medium",
+					},
+				],
+				provenance: [{ source: "tree-sitter" }],
+			};
+			// Fingerprint deferred until AFTER mergeByTerminal — affectedObjects /
+			// affectedTables are unioned across paths.
+			findings.push(d2finding);
+		}
+	}
+	// Two-stage collapse (mirrors D1):
+	//   1. Dedupe by id (loop+event pair) — drops within-walker duplicates.
+	//   2. mergeByTerminal — folds different loops on the same event into a
+	//      single Finding with additionalPaths.
+	const seen = new Set<string>();
+	const deduped: Finding[] = [];
+	for (const f of findings) {
+		if (seen.has(f.id)) continue;
+		seen.add(f.id);
+		deduped.push(f);
+	}
+	const merged = mergeByTerminal(deduped);
+	for (const f of merged) f.fingerprint = fingerprintOf(f, model);
+	const sorted = merged.sort((a, b) => compareStrings(a.id, b.id));
+	const stats: DetectorStats = {
+		detector: "d2-event-fanout-in-loop",
+		candidatesConsidered,
+		findingsEmitted: sorted.length,
+		skipped: {
+			...(skippedOpaqueCallee > 0 ? { opaqueCallee: skippedOpaqueCallee } : {}),
+			...(skippedDynamicDispatch > 0 ? { dynamicDispatch: skippedDynamicDispatch } : {}),
+			...(skippedParseIncomplete > 0 ? { parseIncomplete: skippedParseIncomplete } : {}),
+			...(unresolvedSubscriber > 0 ? { unresolvedSubscriber } : {}),
+		},
+	};
+	return { findings: sorted, stats };
+}