al-sem 0.0.1

package/src/detectors/d3-missing-setloadfields.ts

@@ -0,0 +1,234 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SourceAnchor } from "../model/identity.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { Uncertainty } from "../model/summary.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import { deriveLoadStates } from "./d3-load-state.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const INVALIDATING_OPS = new Set(["Reset", "Copy", "TransferFields"]);
+
+/** Is anchor `a` strictly before anchor `b` in source order? */
+function before(a: SourceAnchor, b: SourceAnchor): boolean {
+	if (a.range.startLine !== b.range.startLine) return a.range.startLine < b.range.startLine;
+	return a.range.startColumn < b.range.startColumn;
+}
+
+/**
+ * D3: detect retrievals (`FindSet` / `FindFirst` / `FindLast` / `Get`) whose loaded field set
+ * does not cover the fields later accessed — same-routine, and through directly-resolved
+ * callees via `RecordRoleSummary`. Emits only on a complete witness (a concrete
+ * retrieval + a concrete access); bails conservatively, never claiming a false "clean".
+ */
+export function detectD3(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById, tableById } = ctx;
+	let candidatesConsidered = 0;
+	let skippedTemporaryRecord = 0;
+	let skippedParseIncomplete = 0;
+	let skippedUnknownReads = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+		candidatesConsidered++;
+
+		for (const state of deriveLoadStates(routine)) {
+			const loadState = state.loadState;
+			if (loadState.kind === "invalidated") continue; // bailout — cannot prove
+
+			const varKey = state.recordVariableName.toLowerCase();
+			const recVar = routine.features.recordVariables.find(
+				(rv) => rv.name.toLowerCase() === varKey,
+			);
+			// Temp records live in memory; SetLoadFields has no SQL benefit.
+			if (recVar?.tempState.kind === "known" && recVar.tempState.value === true) {
+				skippedTemporaryRecord++;
+				continue;
+			}
+			const tableId = recVar?.tableId;
+			if (tableId === undefined) continue; // unresolved table — bailout
+			const table = tableById.get(tableId);
+			if (table === undefined) continue;
+			const fieldNameById = new Map(table.fields.map((f) => [f.id, f.name.toLowerCase()]));
+
+			const retrievalAnchor = state.retrievalOp.sourceAnchor;
+
+			// The window closes at the first invalidating op on this record var after the retrieval.
+			const invalidatingAfter = routine.features.recordOperations
+				.filter(
+					(op) =>
+						op.recordVariableName.toLowerCase() === varKey &&
+						INVALIDATING_OPS.has(op.op) &&
+						before(retrievalAnchor, op.sourceAnchor),
+				)
+				.sort((a, b) => {
+					if (before(a.sourceAnchor, b.sourceAnchor)) return -1;
+					if (before(b.sourceAnchor, a.sourceAnchor)) return 1;
+					return 0;
+				})[0];
+			const windowEnd = invalidatingAfter?.sourceAnchor;
+			const inWindow = (anchor: SourceAnchor): boolean =>
+				before(retrievalAnchor, anchor) && (windowEnd === undefined || before(anchor, windowEnd));
+
+			const accessedFields = new Set<string>();
+			const accessSteps: EvidenceStep[] = [];
+			const uncertainties: Uncertainty[] = [];
+			let bailout = false;
+
+			// --- same-routine field accesses in the window ---
+			for (const fa of routine.features.fieldAccesses) {
+				if (fa.recordVariableName.toLowerCase() !== varKey) continue;
+				if (!inWindow(fa.sourceAnchor)) continue;
+				accessedFields.add(fa.fieldName.toLowerCase());
+				accessSteps.push({
+					routineId: routine.id,
+					sourceAnchor: fa.sourceAnchor,
+					note: `accesses ${state.recordVariableName}.${fa.fieldName}`,
+				});
+			}
+
+			// --- cross-routine: record passed by simple identifier to a directly-resolved callee ---
+			for (const cs of routine.features.callSites) {
+				if (!inWindow(cs.sourceAnchor)) continue;
+				const argIndex = cs.argumentTexts.findIndex((a) => a.trim().toLowerCase() === varKey);
+				if (argIndex < 0) continue;
+				const edge = (graph.edgesByFrom.get(routine.id) ?? []).find((e) => e.callsiteId === cs.id);
+				if (edge === undefined || edge.kind === "interface" || edge.kind === "dynamic") {
+					bailout = true;
+					uncertainties.push({ kind: "interface-dispatch", callsiteId: cs.id });
+					continue;
+				}
+				const callee = routineById.get(edge.to);
+				const paramEffect = callee?.summary?.parameterRoles.find(
+					(pe) => pe.parameterIndex === argIndex,
+				);
+				if (callee === undefined || paramEffect === undefined) continue;
+				const calleeParam = callee.parameters[argIndex];
+				const passedByVar = calleeParam?.isVar === true;
+				// A by-var callee that resets/changes load fields / assigns / uses RecordRef
+				// invalidates the caller's state — bail. By-value callees do not.
+				if (
+					passedByVar &&
+					(paramEffect.mayResetFilters ||
+						paramEffect.mayChangeLoadFields ||
+						paramEffect.mayAssignRecord ||
+						paramEffect.mayUseRecordRef)
+				) {
+					bailout = true;
+					uncertainties.push({ kind: "recordref-or-variant", operationId: cs.operationId });
+					continue;
+				}
+				const reads = paramEffect.readsFields;
+				if (reads === "unknown") {
+					skippedUnknownReads++;
+					continue;
+				}
+				for (const fid of reads) {
+					const name = fieldNameById.get(fid);
+					if (name !== undefined) accessedFields.add(name);
+				}
+				if (reads.length > 0) {
+					const triggerNote =
+						edge.kind === "implicit-trigger" ? ` (via implicit ${callee.name} trigger)` : "";
+					accessSteps.push({
+						routineId: routine.id,
+						callsiteId: cs.id,
+						sourceAnchor: cs.sourceAnchor,
+						note: `passes ${state.recordVariableName} to ${callee.name}${triggerNote}, which reads ${reads.length} field(s)`,
+					});
+				}
+			}
+
+			if (accessedFields.size === 0) continue; // no concrete access — no witness, no emit
+
+			// --- determination ---
+			let kind: "missing" | "incomplete" | undefined;
+			let missingList: string[] = [];
+			if (loadState.kind === "none") {
+				kind = "missing";
+				missingList = [...accessedFields].sort();
+			} else if (loadState.kind === "loaded") {
+				const missing = [...accessedFields].filter((f) => !loadState.fields.has(f));
+				if (missing.length > 0) {
+					kind = "incomplete";
+					missingList = missing.sort();
+				}
+			}
+			if (kind === undefined) continue; // loaded set covers all accesses — silent
+
+			const retrievalStep: EvidenceStep = {
+				routineId: routine.id,
+				operationId: state.retrievalOp.id,
+				sourceAnchor: retrievalAnchor,
+				note: `${state.retrievalOp.op} on ${state.recordVariableName}${
+					kind === "missing" ? " with no SetLoadFields" : " with a partial SetLoadFields"
+				}`,
+			};
+			const d3finding: Finding = {
+				id: `d3/${state.retrievalOp.id}`,
+				rootCauseKey: `d3/${state.retrievalOp.id}`,
+				detector: "d3-missing-setloadfields",
+				title:
+					kind === "missing"
+						? "Missing SetLoadFields before a record retrieval"
+						: "Incomplete SetLoadFields — accessed fields not loaded",
+				rootCause: `${routine.name} runs ${state.retrievalOp.op} on ${state.recordVariableName} and then accesses field(s) [${missingList.join(", ")}] — ${
+					kind === "missing" ? "no SetLoadFields was set" : "an incomplete SetLoadFields"
+				}.`,
+				severity: "medium",
+				confidence: toConfidence(uncertainties, bailout ? "possible" : "likely"),
+				primaryLocation: retrievalAnchor,
+				evidencePath: [retrievalStep, ...accessSteps],
+				affectedObjects: [routine.objectId],
+				affectedTables: [tableId],
+				fixOptions: [
+					{
+						description:
+							kind === "missing"
+								? `Add SetLoadFields(${missingList.join(", ")}) before the retrieval.`
+								: `Extend SetLoadFields to include: ${missingList.join(", ")}.`,
+						safety: "high",
+					},
+				],
+				provenance: [{ source: "tree-sitter" }],
+			};
+			d3finding.fingerprint = fingerprintOf(d3finding, model);
+			findings.push(d3finding);
+		}
+	}
+
+	// Dedupe by id (keep first-seen): deriveLoadStates yields at most one state per retrieval op,
+	// so ids are unique by construction — but dedupe defensively anyway.
+	const seen = new Set<string>();
+	const deduped: Finding[] = [];
+	for (const f of findings) {
+		if (seen.has(f.id)) continue;
+		seen.add(f.id);
+		deduped.push(f);
+	}
+	const sorted = deduped.sort((a, b) => compareStrings(a.id, b.id));
+	const stats: DetectorStats = {
+		detector: "d3-missing-setloadfields",
+		candidatesConsidered,
+		findingsEmitted: sorted.length,
+		skipped: {
+			...(skippedTemporaryRecord > 0 ? { temporaryRecord: skippedTemporaryRecord } : {}),
+			...(skippedParseIncomplete > 0 ? { parseIncomplete: skippedParseIncomplete } : {}),
+			...(skippedUnknownReads > 0 ? { unknownReads: skippedUnknownReads } : {}),
+		},
+	};
+	return { findings: sorted, stats };
+}

package/src/detectors/d32-constant-boolean-parameter.ts

@@ -0,0 +1,185 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { ParameterSymbol, Routine } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/** Match `true` / `false` (case-insensitive) — and only those — as the entire argument
+ * text. Whitespace tolerated. */
+function isBooleanLiteral(arg: string): "true" | "false" | undefined {
+	const t = arg.trim().toLowerCase();
+	if (t === "true") return "true";
+	if (t === "false") return "false";
+	return undefined;
+}
+
+/**
+ * D32 — a `local procedure` parameter of type `Boolean` is passed the same literal
+ * (`true` or `false`) at every resolved primary-app call site. The parameter is dead:
+ * either the value is never actually variable, or the branches it gates can be flattened
+ * out of the procedure.
+ *
+ * Tight scope to keep the signal precise:
+ *  - `accessModifier === "local"` only — public/internal/protected procedures may have
+ *    callers outside the workspace we cannot see; non-local routines stay out.
+ *  - `kind === "procedure"` only — triggers and event subscribers have publisher-dictated
+ *    signatures; flattening is not an option.
+ *  - parameter type contains `Boolean` (case-insensitive); other scalar params are out of
+ *    scope (we can't reason about non-Boolean literal-equality without dataflow).
+ *  - at least 2 resolved primary-app call sites; the routine isn't reached at all means
+ *    D14 territory, and a single call site is not enough evidence of "always".
+ *  - every reaching edge must be a `direct` kind (not `interface` / `dynamic` /
+ *    `event-dispatch`) and resolve to a callsite in a primary-app routine; mixed call
+ *    shapes leave too much uncertainty.
+ *
+ * Severity: `info` — refactoring signal, not a correctness break.
+ */
+export function detectD32(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+	let candidatesConsidered = 0;
+	let skippedAccessModifier = 0;
+	let skippedNoBooleanParams = 0;
+	let skippedTooFewCallers = 0;
+	let skippedUnresolvedOrMixedEdges = 0;
+	let skippedVariesAcrossCallers = 0;
+
+	for (const callee of model.routines) {
+		if (roleOf(callee) !== "primary") continue;
+		if (!callee.bodyAvailable) continue;
+		if (callee.kind !== "procedure") continue;
+		if (callee.accessModifier !== "local") {
+			skippedAccessModifier++;
+			continue;
+		}
+		const boolParams = callee.parameters.filter((p): p is ParameterSymbol =>
+			/\bBoolean\b/i.test(p.typeText),
+		);
+		if (boolParams.length === 0) {
+			skippedNoBooleanParams++;
+			continue;
+		}
+
+		// Collect every primary-app, direct edge into this routine and the matching callsite.
+		const incoming = ctx.reverseCallGraph.get(callee.id) ?? [];
+		const directEdges = incoming.filter((e) => e.kind === "direct");
+		if (directEdges.length < 2) {
+			skippedTooFewCallers++;
+			continue;
+		}
+		// If any reaching edge is non-direct (interface / dynamic / event-dispatch), the
+		// callsite arg story is incomplete — bail rather than risk a false positive.
+		const mixed = incoming.some((e) => e.kind !== "direct");
+		if (mixed) {
+			skippedUnresolvedOrMixedEdges++;
+			continue;
+		}
+		candidatesConsidered++;
+
+		for (const param of boolParams) {
+			const values = new Set<"true" | "false">();
+			let bailed = false;
+			for (const e of directEdges) {
+				const caller = routineById.get(e.from);
+				if (!caller) {
+					bailed = true;
+					break;
+				}
+				if (roleOf(caller) !== "primary") {
+					bailed = true;
+					break;
+				}
+				const cs = caller.features.callSites.find((c) => c.id === e.callsiteId);
+				const argText = cs?.argumentTexts[param.index];
+				if (argText === undefined) {
+					bailed = true;
+					break;
+				}
+				const lit = isBooleanLiteral(argText);
+				if (lit === undefined) {
+					bailed = true;
+					break;
+				}
+				values.add(lit);
+				if (values.size > 1) {
+					bailed = true;
+					break;
+				}
+			}
+			if (bailed) {
+				skippedVariesAcrossCallers++;
+				continue;
+			}
+			const constant = [...values][0];
+			if (constant === undefined) continue;
+
+			emit(callee, param, constant, directEdges.length, findings, model);
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d32-constant-boolean-parameter",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedAccessModifier > 0 ? { nonLocal: skippedAccessModifier } : {}),
+				...(skippedNoBooleanParams > 0 ? { noBooleanParams: skippedNoBooleanParams } : {}),
+				...(skippedTooFewCallers > 0 ? { tooFewCallers: skippedTooFewCallers } : {}),
+				...(skippedUnresolvedOrMixedEdges > 0
+					? { unresolvedOrMixedEdges: skippedUnresolvedOrMixedEdges }
+					: {}),
+				...(skippedVariesAcrossCallers > 0 ? { varies: skippedVariesAcrossCallers } : {}),
+			},
+		},
+	};
+}
+
+function emit(
+	callee: Routine,
+	param: ParameterSymbol,
+	constantValue: "true" | "false",
+	callerCount: number,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const path: EvidenceStep[] = [
+		{
+			routineId: callee.id,
+			sourceAnchor: callee.sourceAnchor,
+			note: `local procedure ${callee.name}(${param.name}: ${param.typeText}) — parameter at position ${param.index}`,
+		},
+	];
+	const finding: Finding = {
+		id: `d32/${callee.id}/p${param.index}`,
+		rootCauseKey: `d32/${callee.id}/p${param.index}`,
+		detector: "d32-constant-boolean-parameter",
+		title: "Boolean parameter is always passed the same literal",
+		rootCause: `${callee.name} declares Boolean parameter '${param.name}' at position ${param.index}, but all ${callerCount} resolved primary-app callers pass \`${constantValue}\` — the parameter is dead.`,
+		severity: "info",
+		confidence: toConfidence([], "likely"),
+		primaryLocation: callee.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [callee.objectId],
+		affectedTables: [],
+		fixOptions: [
+			{
+				description: `Flatten the procedure: assume '${param.name} = ${constantValue}' at every site, simplify the body, and remove the parameter. If the parameter is intended for future use, leave a TODO documenting it.`,
+				safety: "medium",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}

package/src/detectors/d33-unfiltered-bulk-write.ts

@@ -0,0 +1,173 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const FILTER_OPS: ReadonlySet<string> = new Set(["SetRange", "SetFilter"]);
+
+/**
+ * D33 — `DeleteAll` / `ModifyAll` on a local record variable with no narrowing filter
+ * applied earlier in the routine since the last `Reset` on that same variable.
+ *
+ * Blast radius justifies treating this as a guardrail: an accidental unfiltered
+ * `Customer.DeleteAll();` walks the whole table. Built-in AL analyzers don't model
+ * filter state across record operations; al-sem can because it tracks ops in source
+ * order on each record variable.
+ *
+ * Decision is on source-ordered intra-routine evidence only:
+ *  - start with `filtered = false`;
+ *  - `SetRange` / `SetFilter` on the same variable → `filtered = true`;
+ *  - `Reset` on the same variable → `filtered = false` (wipes prior filters);
+ *  - at the bulk write, if `filtered` is still false → flag.
+ *
+ * Skipped:
+ *  - by-var parameter record variables (caller may have applied filters);
+ *  - temporary records (operations are in-memory; no blast radius) — detected
+ *    structurally via the `temporary` keyword on the var declaration, propagated
+ *    onto each RecordOperation by routine-indexer.ts (not a naming convention);
+ *  - record variables whose tableId did not resolve (we cannot identify the table
+ *    in the rootCause; finding would be too vague).
+ *
+ * Severity:
+ *  - `DeleteAll` without filter: `critical` — irrecoverable, whole-table impact.
+ *  - `ModifyAll` without filter: `high` — whole-table state change.
+ *
+ * Known precision gaps (documented for future work):
+ *  - filters inherited via `Copy(R)` / `CopyFilters(R)` are not tracked; the indexer
+ *    captures `Copy` but doesn't carry the source variable, so we cannot follow them.
+ *  - filters set in a callee on a by-var parameter are not tracked (would require
+ *    interprocedural filter-state analysis).
+ */
+export function detectD33(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { tableById } = ctx;
+	let candidatesConsidered = 0;
+	let skippedTempRecord = 0;
+	let skippedParameter = 0;
+	let skippedUnresolvedTable = 0;
+	let skippedFiltered = 0;
+	let skippedParseIncomplete = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+
+		const paramRecordNames = new Set(
+			routine.features.recordVariables
+				.filter((rv) => rv.isParameter)
+				.map((rv) => rv.name.toLowerCase()),
+		);
+
+		for (const op of routine.features.recordOperations) {
+			if (op.op !== "DeleteAll" && op.op !== "ModifyAll") continue;
+			candidatesConsidered++;
+			const varKey = op.recordVariableName.toLowerCase();
+			if (op.tempState.kind === "known" && op.tempState.value === true) {
+				skippedTempRecord++;
+				continue;
+			}
+			if (paramRecordNames.has(varKey)) {
+				skippedParameter++;
+				continue;
+			}
+			if (op.tableId === undefined) {
+				skippedUnresolvedTable++;
+				continue;
+			}
+
+			if (wasFilteredBefore(routine.features.recordOperations, varKey, op)) {
+				skippedFiltered++;
+				continue;
+			}
+
+			emit(routine, op, tableById.get(op.tableId)?.name ?? op.tableId, findings, model);
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d33-unfiltered-bulk-write",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedFiltered > 0 ? { filtered: skippedFiltered } : {}),
+				...(skippedTempRecord > 0 ? { tempRecord: skippedTempRecord } : {}),
+				...(skippedParameter > 0 ? { parameter: skippedParameter } : {}),
+				...(skippedUnresolvedTable > 0 ? { unresolvedTable: skippedUnresolvedTable } : {}),
+				...(skippedParseIncomplete > 0 ? { parseIncomplete: skippedParseIncomplete } : {}),
+			},
+		},
+	};
+}
+
+function wasFilteredBefore(
+	ops: RecordOperation[],
+	varKey: string,
+	bulkOp: RecordOperation,
+): boolean {
+	let filtered = false;
+	for (const other of ops) {
+		if (other === bulkOp) continue;
+		if (other.recordVariableName.toLowerCase() !== varKey) continue;
+		if (!beforeAnchor(other.sourceAnchor, bulkOp.sourceAnchor)) continue;
+		if (FILTER_OPS.has(other.op)) filtered = true;
+		else if (other.op === "Reset") filtered = false;
+	}
+	return filtered;
+}
+
+function emit(
+	routine: { id: string; objectId: string; name: string },
+	op: RecordOperation,
+	tableName: string,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const severity: Finding["severity"] = op.op === "DeleteAll" ? "critical" : "high";
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			operationId: op.id,
+			sourceAnchor: op.sourceAnchor,
+			note: `${op.op} on ${op.recordVariableName} (${tableName}) with no prior SetRange/SetFilter in this routine`,
+		},
+	];
+	const finding: Finding = {
+		id: `d33/${routine.id}/${op.id}`,
+		rootCauseKey: `d33/${routine.id}/${op.id}`,
+		detector: "d33-unfiltered-bulk-write",
+		title: `Unfiltered ${op.op}`,
+		rootCause: `${routine.name} calls ${op.op} on ${op.recordVariableName} (${tableName}) with no SetRange/SetFilter applied since the last Reset — the operation affects every row in the table.`,
+		severity,
+		confidence: toConfidence([], "likely"),
+		primaryLocation: op.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: op.tableId !== undefined ? [op.tableId] : [],
+		fixOptions: [
+			{
+				description: `Apply a SetRange / SetFilter on ${op.recordVariableName} before calling ${op.op}, or confirm the unconditional whole-table operation is intentional and document it.`,
+				safety: "high",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}