al-sem 0.0.1

package/src/detectors/d34-commit-in-loop.ts

@@ -0,0 +1,206 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { OperationSite } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { LoopId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { mayCommit } from "./capability-query.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/**
+ * D34 — `Commit` inside a loop, either directly or reached via an in-loop call.
+ *
+ * Per-iteration commits are both a perf smell (chunked SQL round-trips kill long-running
+ * batch jobs) and a correctness smell (partial-state failures aren't atomic; retries are
+ * unsafe). D8 catches commits *inside a posting-transaction span*; D34 catches commits
+ * inside *any* loop — including upgrade scripts, integrations, and validation routines
+ * that aren't inside a known transaction span.
+ *
+ * Direct case: `operationSites[].kind === "commit"` with non-empty `loopStack`.
+ * Transitive case: an in-loop callsite reaches a callee whose summary reports
+ * `commits === "yes"`. Confidence is lowered for transitive cases — the call chain
+ * is real but the commit isn't visible at the loop site.
+ *
+ * Severity:
+ *  - direct commit in loop: `high`
+ *  - direct commit in nested loop (depth >= 2): `critical`
+ *  - transitive in-loop commit: `medium` (lowered confidence)
+ *
+ * Skipped:
+ *  - nothing structural — every commit in a loop deserves attention. Intentional
+ *    chunked-batch patterns can suppress via baseline.
+ */
+export function detectD34(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+	let candidatesConsidered = 0;
+	let skippedParseIncomplete = 0;
+	let skippedSuppressedByDirect = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) {
+			skippedParseIncomplete++;
+			continue;
+		}
+		candidatesConsidered++;
+
+		const loopById = new Map(routine.features.loops.map((l) => [l.id, l]));
+
+		// (a) direct commit inside a loop
+		for (const site of routine.features.operationSites) {
+			if (site.kind !== "commit") continue;
+			if (site.loopStack.length === 0) continue;
+			const repId = site.loopStack.at(-1);
+			if (repId === undefined) continue;
+			const loop = loopById.get(repId);
+			if (loop === undefined) continue;
+			emitDirect(routine, loop, site, findings, model);
+		}
+
+		// (b) in-loop call reaches a routine whose summary commits
+		for (const cs of routine.features.callSites) {
+			if (cs.loopStack.length === 0) continue;
+			const repId = cs.loopStack.at(-1);
+			if (repId === undefined) continue;
+			const loop = loopById.get(repId);
+			if (loop === undefined) continue;
+			const edge = (graph.edgesByFrom.get(routine.id) ?? []).find((e) => e.callsiteId === cs.id);
+			if (edge === undefined) continue;
+			if (edge.kind === "event-dispatch") continue; // D2 lives here
+			const callee = routineById.get(edge.to);
+			if (callee?.summary === undefined || mayCommit(callee.summary) !== "yes") continue;
+
+			// Suppress if THIS routine also has a direct in-loop commit on the same loop — the
+			// direct finding is already the strongest evidence; the transitive one would be
+			// noise on top.
+			const hasDirectOnSameLoop = routine.features.operationSites.some(
+				(s) => s.kind === "commit" && s.loopStack.includes(loop.id),
+			);
+			if (hasDirectOnSameLoop) {
+				skippedSuppressedByDirect++;
+				continue;
+			}
+
+			emitTransitive(routine, loop, cs.id, cs.sourceAnchor, callee.name, findings, model);
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d34-commit-in-loop",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedParseIncomplete > 0 ? { parseIncomplete: skippedParseIncomplete } : {}),
+				...(skippedSuppressedByDirect > 0 ? { suppressedByDirect: skippedSuppressedByDirect } : {}),
+			},
+		},
+	};
+}
+
+function emitDirect(
+	routine: { id: string; objectId: string; name: string },
+	loop: { id: LoopId; type: string; sourceAnchor: OperationSite["sourceAnchor"] },
+	site: OperationSite,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const depth = site.loopStack.length;
+	const severity: Finding["severity"] = depth >= 2 ? "critical" : "high";
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			loopId: loop.id,
+			sourceAnchor: loop.sourceAnchor,
+			note: `${loop.type} loop`,
+		},
+		{
+			routineId: routine.id,
+			operationId: site.id,
+			sourceAnchor: site.sourceAnchor,
+			note: depth >= 2 ? `Commit (loop depth ${depth})` : "Commit",
+		},
+	];
+	const finding: Finding = {
+		id: `d34/${routine.id}/${loop.id}/${site.id}`,
+		rootCauseKey: `d34/${routine.id}/${loop.id}/${site.id}`,
+		detector: "d34-commit-in-loop",
+		title: depth >= 2 ? "Commit inside a nested loop" : "Commit inside a loop",
+		rootCause: `${routine.name} calls Commit inside a ${loop.type} loop — per-iteration commits break atomicity and prevent the job from being retried safely.`,
+		severity,
+		confidence: toConfidence([], "likely"),
+		primaryLocation: site.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: [],
+		fixOptions: [
+			{
+				description:
+					"Move the Commit outside the loop. If progress-saving is genuinely required, document a chunking strategy and consider a job queue.",
+				safety: "medium",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}
+
+function emitTransitive(
+	routine: { id: string; objectId: string; name: string },
+	loop: { id: LoopId; type: string; sourceAnchor: OperationSite["sourceAnchor"] },
+	callsiteId: string,
+	callsiteAnchor: OperationSite["sourceAnchor"],
+	calleeName: string,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			loopId: loop.id,
+			sourceAnchor: loop.sourceAnchor,
+			note: `${loop.type} loop`,
+		},
+		{
+			routineId: routine.id,
+			callsiteId,
+			sourceAnchor: callsiteAnchor,
+			note: `calls ${calleeName} (transitively commits)`,
+		},
+	];
+	const finding: Finding = {
+		id: `d34/${routine.id}/${loop.id}/${callsiteId}`,
+		rootCauseKey: `d34/${routine.id}/${loop.id}/${callsiteId}`,
+		detector: "d34-commit-in-loop",
+		title: "Loop reaches a Commit through a callee",
+		rootCause: `${routine.name}'s ${loop.type} loop calls ${calleeName}, which commits — per-iteration commits break atomicity even when the Commit isn't visible at the loop site.`,
+		severity: "medium",
+		confidence: toConfidence([], "possible"),
+		primaryLocation: callsiteAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: [],
+		fixOptions: [
+			{
+				description:
+					"Verify the callee really needs to Commit. If the loop is correct as written, hoist the work that requires a Commit (or the Commit itself) outside the loop.",
+				safety: "medium",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}

package/src/detectors/d35-commit-in-event-subscriber.ts

@@ -0,0 +1,138 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { Routine } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { mayCommit } from "./capability-query.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/**
+ * D35 — `Commit` reachable from an `[EventSubscriber]` routine, directly or via the
+ * call graph.
+ *
+ * Event subscribers run inside the publisher's execution context. A commit inside a
+ * subscriber pins the publisher's in-flight work and leaves orphaned partial state
+ * if the publisher later fails — the publisher cannot roll back what the subscriber
+ * already committed.
+ *
+ * Direct case (high, likely): subscriber routine has an `operationSites[].kind ===
+ * "commit"` directly in its body.
+ *
+ * Transitive case (high, possible): `mayCommit(subscriber.summary) === "yes"`. The
+ * summary engine has already flowed commits through the call graph for us, so the
+ * subscriber's own summary captures both direct and reached commits. We mark
+ * `confidence: possible` when the direct site isn't in this routine — the call
+ * chain is real but the commit might be a few hops away.
+ *
+ * Severity: `high` in both cases. Subscribers are a published extension surface;
+ * publishers shouldn't have to defensively re-validate their transaction after a
+ * subscriber runs.
+ *
+ * Skipped:
+ *  - subscribers where `mayCommit(summary) === "no"` (the safe case).
+ *  - non-event-subscriber routines (out of scope).
+ */
+export function detectD35(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let safeCount = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (routine.kind !== "event-subscriber") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		candidatesConsidered++;
+
+		const summaryCommits = routine.summary === undefined ? "unknown" : mayCommit(routine.summary);
+		if (summaryCommits === "no") {
+			safeCount++;
+			continue;
+		}
+
+		// Find a concrete commit anchor for the evidence path: prefer a direct one in
+		// this routine; fall back to the routine's own anchor.
+		const directCommit = routine.features.operationSites.find((s) => s.kind === "commit");
+		const isDirect = directCommit !== undefined;
+
+		emit(routine, directCommit, isDirect, summaryCommits, findings, model);
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d35-commit-in-event-subscriber",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(safeCount > 0 ? { commitFreeSubscriber: safeCount } : {}),
+			},
+		},
+	};
+}
+
+function emit(
+	routine: Routine,
+	directCommit: { id: string; sourceAnchor: EvidenceStep["sourceAnchor"] } | undefined,
+	isDirect: boolean,
+	summaryCommits: "yes" | "unknown",
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const anchor = directCommit?.sourceAnchor ?? routine.sourceAnchor;
+	const path: EvidenceStep[] = isDirect
+		? [
+				{
+					routineId: routine.id,
+					sourceAnchor: routine.sourceAnchor,
+					note: `[EventSubscriber] ${routine.name}`,
+				},
+				{
+					routineId: routine.id,
+					operationId: directCommit?.id,
+					sourceAnchor: anchor,
+					note: "Commit",
+				},
+			]
+		: [
+				{
+					routineId: routine.id,
+					sourceAnchor: routine.sourceAnchor,
+					note: `[EventSubscriber] ${routine.name} transitively commits (mayCommit(summary) == "${summaryCommits}")`,
+				},
+			];
+	const confidence = isDirect ? "likely" : summaryCommits === "yes" ? "possible" : "possible";
+	const titleSuffix = isDirect ? "" : " (via callee)";
+
+	const finding: Finding = {
+		id: `d35/${routine.id}/${isDirect ? (directCommit?.id ?? "x") : "transitive"}`,
+		rootCauseKey: `d35/${routine.id}`,
+		detector: "d35-commit-in-event-subscriber",
+		title: `Commit reachable from event subscriber${titleSuffix}`,
+		rootCause: `${routine.name} is an event subscriber that ${isDirect ? "calls Commit directly" : "transitively reaches Commit through its callees"} — the publisher cannot roll back the committed state if its work later fails.`,
+		severity: "high",
+		confidence: toConfidence([], confidence),
+		primaryLocation: anchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: [],
+		fixOptions: [
+			{
+				description:
+					"Remove the Commit from the subscriber path. If durable side effects are required, schedule them outside the publisher's transaction (e.g. a job-queue entry written without Commit, processed later).",
+				safety: "medium",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}

package/src/detectors/d36-late-setloadfields.ts

@@ -0,0 +1,162 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const LOAD_OPS: ReadonlySet<string> = new Set([
+	"Get",
+	"FindFirst",
+	"FindLast",
+	"FindSet",
+	"Find",
+	"Next",
+]);
+const LOAD_FIELDS_OPS: ReadonlySet<string> = new Set(["SetLoadFields", "AddLoadFields"]);
+
+/**
+ * D36 — `SetLoadFields` / `AddLoadFields` placed AFTER a load (`Get`/`Find*`/`Next`)
+ * with no later load on the same record variable. The partial-record optimisation
+ * doesn't apply to the row that was already loaded; the call has no effect on the
+ * data the routine then reads.
+ *
+ * Complements D3 (which flags missing SetLoadFields when a partial-load opportunity
+ * exists). D36 catches the inverse mistake: the developer added SetLoadFields but
+ * placed it where it can't matter.
+ *
+ * Detection (intra-routine, source-ordered):
+ *  - for each SetLoadFields/AddLoadFields op O on record-var R;
+ *  - find every LOAD_OP L on the same R with `before(L, O)` (anchor sort);
+ *  - if there is at least one such L AND there is no subsequent LOAD_OP after O on
+ *    the same R, then O is late — flag it.
+ *  - if there IS a later LOAD_OP on R, the SetLoadFields applies to that next load
+ *    (legitimate "prepare for next iteration" pattern); skip.
+ *
+ * Skipped:
+ *  - temporary records (loadfields semantics don't apply);
+ *  - by-var parameter records (caller may issue the next load);
+ *  - record-vars with no preceding load (D3's domain — too-early is not D36).
+ *
+ * Severity: `low` by default; the cost is wasted intent, not a correctness break.
+ */
+export function detectD36(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedHasLaterLoad = 0;
+	let skippedNoPriorLoad = 0;
+	let skippedTempRecord = 0;
+	let skippedParameter = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+
+		const paramRecordNames = new Set(
+			routine.features.recordVariables
+				.filter((rv) => rv.isParameter)
+				.map((rv) => rv.name.toLowerCase()),
+		);
+
+		for (const op of routine.features.recordOperations) {
+			if (!LOAD_FIELDS_OPS.has(op.op)) continue;
+			candidatesConsidered++;
+			const varKey = op.recordVariableName.toLowerCase();
+			if (op.tempState.kind === "known" && op.tempState.value === true) {
+				skippedTempRecord++;
+				continue;
+			}
+			if (paramRecordNames.has(varKey)) {
+				skippedParameter++;
+				continue;
+			}
+
+			const hasPriorLoad = routine.features.recordOperations.some(
+				(other) =>
+					LOAD_OPS.has(other.op) &&
+					other.recordVariableName.toLowerCase() === varKey &&
+					beforeAnchor(other.sourceAnchor, op.sourceAnchor),
+			);
+			if (!hasPriorLoad) {
+				skippedNoPriorLoad++;
+				continue;
+			}
+
+			const hasLaterLoad = routine.features.recordOperations.some(
+				(other) =>
+					LOAD_OPS.has(other.op) &&
+					other.recordVariableName.toLowerCase() === varKey &&
+					beforeAnchor(op.sourceAnchor, other.sourceAnchor),
+			);
+			if (hasLaterLoad) {
+				skippedHasLaterLoad++;
+				continue;
+			}
+
+			emit(routine, op, findings, model);
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d36-late-setloadfields",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedHasLaterLoad > 0 ? { hasLaterLoad: skippedHasLaterLoad } : {}),
+				...(skippedNoPriorLoad > 0 ? { noPriorLoad: skippedNoPriorLoad } : {}),
+				...(skippedTempRecord > 0 ? { tempRecord: skippedTempRecord } : {}),
+				...(skippedParameter > 0 ? { parameter: skippedParameter } : {}),
+			},
+		},
+	};
+}
+
+function emit(
+	routine: { id: string; objectId: string; name: string },
+	op: RecordOperation,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			operationId: op.id,
+			sourceAnchor: op.sourceAnchor,
+			note: `${op.op} on ${op.recordVariableName} after the record was already loaded — the call has no effect`,
+		},
+	];
+	const finding: Finding = {
+		id: `d36/${routine.id}/${op.id}`,
+		rootCauseKey: `d36/${routine.id}/${op.id}`,
+		detector: "d36-late-setloadfields",
+		title: "SetLoadFields placed after the load",
+		rootCause: `${routine.name} calls ${op.op} on ${op.recordVariableName} after the record was already loaded and never loads it again — the partial-record optimisation cannot apply.`,
+		severity: "low",
+		confidence: toConfidence([], "likely"),
+		primaryLocation: op.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: op.tableId !== undefined ? [op.tableId] : [],
+		fixOptions: [
+			{
+				description: `Move the ${op.op} call to BEFORE the preceding Get / Find on ${op.recordVariableName}, so the loader can fetch only the listed fields.`,
+				safety: "high",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}