al-sem 0.0.1

package/src/detectors/d37-validate-without-persist.ts

@@ -0,0 +1,271 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { CallSite, RecordOperation } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const PERSIST_OPS: ReadonlySet<string> = new Set(["Modify", "ModifyAll", "Insert"]);
+const RESET_LIKE_OPS: ReadonlySet<string> = new Set([
+	"Init", // reinitialises the in-memory record (drops pending Validate changes)
+	"Reset",
+	"Get", // reloads — pending Validate state is overwritten
+	"FindFirst",
+	"FindLast",
+	"FindSet",
+	"Find",
+	"Next",
+	"Copy", // overwrites with another record's state
+	"TransferFields",
+]);
+
+/**
+ * D37 — `Validate(...)` on a record variable with no subsequent `Modify` / `ModifyAll`
+ * / `Insert` to persist the change before the record's state is overwritten or the
+ * routine exits. `Validate` runs field-validation logic and changes the IN-MEMORY
+ * record; without a later persist call, the field write is silently discarded.
+ *
+ * Detection (intra-routine, source-ordered):
+ *  - for each Validate op V on record-var R;
+ *  - walk subsequent ops on R in source order;
+ *  - if a Modify/ModifyAll/Insert appears before any state-overwriting op
+ *    (Init/Reset/Get/Find/FindFirst/FindLast/FindSet/Next/Copy/TransferFields),
+ *    the Validate is persisted — skip;
+ *  - otherwise the Validate is unpersisted — flag.
+ *
+ * Suppressions:
+ *  - temporary records (no DB persistence concept) — skippedTempRecord
+ *  - by-var parameter records (caller may persist after returning) — skippedParameter
+ *  - calls passing R to a helper whose summary may persist — skippedHelperMayPersist
+ *      Note: persistsCurrentRecord = "yes" is a MAY fact (helper persists on at least
+ *      one path). True must-persist tracking is a documented carry-forward — see
+ *      docs/superpowers/specs/2026-05-17-al-sem-record-flow-framework-design.md.
+ *  - calls passing R to an opaque or unresolved helper — skippedHelperPersistsUnknown
+ *
+ * The forwardedAfter regex from the original implementation is replaced with
+ * structural CallSite.argumentBindings (Phase 1 of the record-flow framework).
+ *
+ * Severity: `medium`. Real bug but the conservative suppressions keep it actionable.
+ * Confidence: `possible` (we don't have interprocedural persist tracking).
+ *
+ * Known precision gaps:
+ *  - The `helperMayPersist` suppression is conservative — persistsCurrentRecord = "yes"
+ *    is a MAY fact; if the helper only persists on some paths, a Validate in the caller
+ *    that's followed by a non-persisting path through the helper is still flagged
+ *    incorrectly. Must-persist tracking is the documented carry-forward for this.
+ *  - We don't track `TransferFields` direction (it's a write to the target record).
+ *    We treat it as state-overwriting on the receiver, which suppresses correctly when
+ *    R is the SOURCE; if R is the TARGET, we conservatively still treat it as overwriting
+ *    its prior in-memory state, which is the safe call.
+ */
+export function detectD37(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedPersisted = 0;
+	let skippedHelperMayPersist = 0;
+	let skippedHelperPersistsUnknown = 0;
+	let skippedTempRecord = 0;
+	let skippedParameter = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+
+		const paramRecordNames = new Set(
+			routine.features.recordVariables
+				.filter((rv) => rv.isParameter)
+				.map((rv) => rv.name.toLowerCase()),
+		);
+
+		for (const op of routine.features.recordOperations) {
+			if (op.op !== "Validate") continue;
+			candidatesConsidered++;
+			const varKey = op.recordVariableName.toLowerCase();
+			if (op.tempState.kind === "known" && op.tempState.value === true) {
+				skippedTempRecord++;
+				continue;
+			}
+			if (paramRecordNames.has(varKey)) {
+				skippedParameter++;
+				continue;
+			}
+
+			// Walk subsequent ops in source order, looking for persistence vs reset.
+			const verdict = laterPersisted(routine.features.recordOperations, varKey, op);
+			if (verdict === "persisted") {
+				skippedPersisted++;
+				continue;
+			}
+
+			// Phase 3: precise verdict using callee.persistsCurrentRecord summary.
+			const sourceVariableNameLc = op.recordVariableName.toLowerCase();
+			const sourceRecordVariableId = op.recordVariableId;
+			const helperVerdict = postValidateHelperVerdict(
+				routine,
+				sourceRecordVariableId,
+				sourceVariableNameLc,
+				op,
+				graph,
+				ctx,
+			);
+			if (helperVerdict === "suppress-may-persist") {
+				skippedHelperMayPersist++;
+				continue;
+			}
+			if (helperVerdict === "suppress-unknown") {
+				skippedHelperPersistsUnknown++;
+				continue;
+			}
+			// "do-not-suppress" — helper provably doesn't persist; fall through to emit.
+
+			emit(routine, op, findings, model);
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d37-validate-without-persist",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedPersisted > 0 ? { persisted: skippedPersisted } : {}),
+				...(skippedHelperMayPersist > 0 ? { helperMayPersist: skippedHelperMayPersist } : {}),
+				...(skippedHelperPersistsUnknown > 0
+					? { helperPersistsUnknown: skippedHelperPersistsUnknown }
+					: {}),
+				...(skippedTempRecord > 0 ? { tempRecord: skippedTempRecord } : {}),
+				...(skippedParameter > 0 ? { parameter: skippedParameter } : {}),
+			},
+		},
+	};
+}
+
+function laterPersisted(
+	ops: RecordOperation[],
+	varKey: string,
+	validateOp: RecordOperation,
+): "persisted" | "unpersisted" {
+	// Iterate ops in source order; the first persist OR reset wins.
+	const sorted = ops
+		.filter((o) => o.recordVariableName.toLowerCase() === varKey)
+		.filter((o) => beforeAnchor(validateOp.sourceAnchor, o.sourceAnchor))
+		.sort((a, b) => (beforeAnchor(a.sourceAnchor, b.sourceAnchor) ? -1 : 1));
+	for (const o of sorted) {
+		if (PERSIST_OPS.has(o.op)) return "persisted";
+		if (RESET_LIKE_OPS.has(o.op)) return "unpersisted";
+	}
+	return "unpersisted";
+}
+
+/**
+ * After the Validate op, walk callsites in source order. For each callsite that
+ * forwards the same record variable to a callee, look at the callee's summary:
+ *   - persistsCurrentRecord === "yes" → may persist (may-fact); suppress with
+ *     helperMayPersist counter. Must-persist tracking is a documented
+ *     carry-forward — would close this conservative suppression.
+ *   - persistsCurrentRecord === "no" → helper provably doesn't persist; do not
+ *     suppress (the Validate's unpersistence is the real bug).
+ *   - persistsCurrentRecord === "unknown" → conservative suppress with
+ *     helperPersistsUnknown counter.
+ *
+ * Returns the verdict for the entire post-Validate sequence: if any post-Validate
+ * helper might persist (yes or unknown), the Validate is suppressed; only when
+ * EVERY forwarding helper provably doesn't persist do we fall through to emit.
+ */
+function postValidateHelperVerdict(
+	routine: { id: string; features: { callSites: CallSite[] } },
+	sourceRecordVariableId: string | undefined,
+	sourceVariableNameLc: string,
+	validateOp: { sourceAnchor: { range: { startLine: number; startColumn: number } } },
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): "suppress-may-persist" | "suppress-unknown" | "do-not-suppress" {
+	for (const cs of routine.features.callSites) {
+		if (!beforeAnchor(validateOp.sourceAnchor, cs.sourceAnchor)) continue;
+		for (const binding of cs.argumentBindings) {
+			// Literals / non-record expressions can't forward a record — skip silently.
+			if (binding.bindingResolution === "non-record-arg") continue;
+			// Match by stable id when both sides have one; fall back to name (lowercased).
+			const matchesById =
+				binding.sourceRecordVariableId !== undefined &&
+				sourceRecordVariableId !== undefined &&
+				binding.sourceRecordVariableId === sourceRecordVariableId;
+			const matchesByName = binding.sourceVariableName === sourceVariableNameLc;
+			if (!matchesById && !matchesByName) continue;
+			// Unresolved-callee / ambiguous: we cannot trust calleeParameterIsVar (it's left
+			// false as a placeholder by the indexer) nor look up a callee summary. The old
+			// regex-based forwardedAfter suppressed every callsite regardless of resolution;
+			// preserve that conservatism for unresolved bindings that DO target our record.
+			if (binding.bindingResolution !== "resolved") return "suppress-unknown";
+			// By-value callees can't persist the caller's record (the in-memory copy stays in callee).
+			if (!binding.calleeParameterIsVar) continue;
+			const edge = (graph.edgesByFrom.get(routine.id) ?? []).find((e) => e.callsiteId === cs.id);
+			if (edge?.to === undefined) return "suppress-unknown";
+			const callee = ctx.routineById.get(edge.to);
+			const calleeRole = callee?.summary?.parameterRoles.find(
+				(r) => r.parameterIndex === binding.parameterIndex,
+			);
+			if (calleeRole === undefined || callee?.bodyAvailable === false) {
+				return "suppress-unknown";
+			}
+			switch (calleeRole.persistsCurrentRecord) {
+				case "yes":
+					return "suppress-may-persist";
+				case "unknown":
+					return "suppress-unknown";
+				case "no" /* helper provably doesn't persist — keep walking */:
+					break;
+			}
+		}
+	}
+	return "do-not-suppress";
+}
+
+function emit(
+	routine: { id: string; objectId: string; name: string },
+	op: RecordOperation,
+	findings: Finding[],
+	model: SemanticModel,
+): void {
+	const path: EvidenceStep[] = [
+		{
+			routineId: routine.id,
+			operationId: op.id,
+			sourceAnchor: op.sourceAnchor,
+			note: `Validate on ${op.recordVariableName} with no later Modify/Insert before the record is reloaded or the routine exits`,
+		},
+	];
+	const finding: Finding = {
+		id: `d37/${routine.id}/${op.id}`,
+		rootCauseKey: `d37/${routine.id}/${op.id}`,
+		detector: "d37-validate-without-persist",
+		title: "Validate changes are not persisted",
+		rootCause: `${routine.name} calls Validate on ${op.recordVariableName} but never persists the change with Modify / ModifyAll / Insert before the record is reloaded or the routine returns — the field write is discarded.`,
+		severity: "medium",
+		confidence: toConfidence([], "possible"),
+		primaryLocation: op.sourceAnchor,
+		evidencePath: path,
+		affectedObjects: [routine.objectId],
+		affectedTables: op.tableId !== undefined ? [op.tableId] : [],
+		fixOptions: [
+			{
+				description: `Add ${op.recordVariableName}.Modify() after the Validate (or ${op.recordVariableName}.Insert() if the record is new). If the Validate is intentional (only running validation logic, not persisting), document the intent.`,
+				safety: "high",
+			},
+		],
+		provenance: [{ source: "tree-sitter" }],
+	};
+	finding.fingerprint = fingerprintOf(finding, model);
+	findings.push(finding);
+}

package/src/detectors/d38-subscriber-to-obsolete-event.ts

@@ -0,0 +1,140 @@
+import { parseRoutineAttributes } from "../engine/attribute-parser.ts";
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/**
+ * D38 — primary-app `[EventSubscriber(...)]` bound to a publisher whose publisher
+ * routine carries `[Obsolete(...)]`.
+ *
+ * Why al-sem: needs the **event graph** (publisher routine ↔ subscriber routine edges
+ * resolved across apps, including into dep `.app` packages) and per-routine attribute
+ * parsing. A per-file scanner can read the subscriber's attribute string but cannot
+ * resolve the publisher's routine — that requires the cross-app event resolver.
+ *
+ * Closest neighbour: D16 (call to obsolete routine) — different surface. D16 flags a
+ * *call* edge; D38 flags an *event subscription* edge. The subscriber is never called
+ * by primary code (the publisher dispatches it), so D16 misses it.
+ *
+ * Severity by publisher's obsolete state:
+ *  - Pending  → info  (deprecated, plan migration; subscriber still fires today)
+ *  - Removed  → high  (publisher is gone or about to be — subscriber will never fire)
+ *
+ * Skipped:
+ *  - non-resolved edges (resolution !== "resolved"): can't trust the publisher
+ *    identity, so can't reason about its attributes.
+ *  - publisher symbol with no publisherRoutineId: trigger-style or synthetic events
+ *    don't have a routine carrying [Obsolete].
+ *  - subscriber not in primary app: user can't edit dep subscribers.
+ */
+export function detectD38(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+
+	const eventById = new Map(model.eventGraph.events.map((e) => [e.id, e]));
+
+	let candidatesConsidered = 0;
+	let skippedUnresolved = 0;
+	let skippedNoPublisherRoutine = 0;
+	let skippedPublisherMissing = 0;
+	let skippedPublisherNotObsolete = 0;
+
+	for (const edge of model.eventGraph.edges) {
+		if (edge.resolution !== "resolved") {
+			skippedUnresolved++;
+			continue;
+		}
+		const subscriber = routineById.get(edge.subscriberRoutineId);
+		if (subscriber === undefined) continue;
+		if (roleOf(subscriber) !== "primary") continue;
+		if (subscriber.parseIncomplete) continue;
+
+		const event = eventById.get(edge.eventId);
+		if (event === undefined) continue;
+		if (event.publisherRoutineId === undefined) {
+			skippedNoPublisherRoutine++;
+			continue;
+		}
+		const publisher = routineById.get(event.publisherRoutineId);
+		if (publisher === undefined) {
+			skippedPublisherMissing++;
+			continue;
+		}
+		candidatesConsidered++;
+
+		const attrs = parseRoutineAttributes(publisher);
+		if (attrs.obsoleteState === undefined) {
+			skippedPublisherNotObsolete++;
+			continue;
+		}
+
+		const sev: Finding["severity"] = attrs.obsoleteState === "Removed" ? "high" : "info";
+		const path: EvidenceStep[] = [
+			{
+				routineId: subscriber.id,
+				sourceAnchor: subscriber.sourceAnchor,
+				note: `[EventSubscriber] subscribes to '${event.eventName}'`,
+			},
+			{
+				routineId: publisher.id,
+				sourceAnchor: publisher.sourceAnchor,
+				note: `publisher ${publisher.name} is [Obsolete(${attrs.obsoleteState})]${attrs.obsoleteReason ? ` — ${attrs.obsoleteReason}` : ""}`,
+			},
+		];
+
+		const finding: Finding = {
+			id: `d38/${subscriber.id}/${event.id}`,
+			rootCauseKey: `d38/${subscriber.id}/${event.id}`,
+			detector: "d38-subscriber-to-obsolete-event",
+			title: `Subscriber bound to obsolete event (${attrs.obsoleteState})`,
+			rootCause:
+				attrs.obsoleteState === "Removed"
+					? `${subscriber.name} subscribes to '${event.eventName}', whose publisher ${publisher.name} is [Obsolete(Removed)] — the subscriber will stop firing once the publisher is removed.`
+					: `${subscriber.name} subscribes to '${event.eventName}', whose publisher ${publisher.name} is [Obsolete(Pending)] — plan a migration to the successor before the publisher is removed.`,
+			severity: sev,
+			confidence: toConfidence([], "confirmed"),
+			primaryLocation: subscriber.sourceAnchor,
+			evidencePath: path,
+			affectedObjects: [subscriber.objectId, publisher.objectId].sort(),
+			affectedTables: [],
+			fixOptions: [
+				{
+					description:
+						attrs.obsoleteReason ??
+						"Migrate the subscriber to the documented successor event; if none exists, remove the subscription once the publisher is gone.",
+					safety: "high",
+				},
+			],
+			provenance: [{ source: "tree-sitter" }],
+		};
+		finding.fingerprint = fingerprintOf(finding, model);
+		findings.push(finding);
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d38-subscriber-to-obsolete-event",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedUnresolved > 0 ? { unresolved: skippedUnresolved } : {}),
+				...(skippedNoPublisherRoutine > 0 ? { noPublisherRoutine: skippedNoPublisherRoutine } : {}),
+				...(skippedPublisherMissing > 0 ? { publisherMissing: skippedPublisherMissing } : {}),
+				...(skippedPublisherNotObsolete > 0
+					? { publisherNotObsolete: skippedPublisherNotObsolete }
+					: {}),
+			},
+		},
+	};
+}

package/src/detectors/d39-record-left-dirty-across-chain.ts

@@ -0,0 +1,165 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const PERSIST_OPS: ReadonlySet<string> = new Set(["Modify", "Insert", "Rename"]);
+
+/**
+ * D39 — record left dirty across helper chain.
+ *
+ * For each var-param P of every primary callee where the path-aware walker PROVED
+ * `dirtyAtExit[P] === "yes"` (at least one exit path leaves the record dirty after a
+ * Validate without a subsequent persist), walk the reverse call graph. Every primary
+ * caller that:
+ *   (a) forwards a record to P (binding resolves to a local/parameter/implicit-rec source),
+ *   (b) passes by-var (calleeParameterIsVar === true),
+ *   (c) does NOT persist the same source variable after the callsite, and
+ *   (d) does NOT pass it from a by-value parameter (parameter source that is not var)
+ * …is flagged: the Validate's field write is silently discarded across the chain.
+ *
+ * `dirtyAtExit === "unknown"` cases are counted in `unknownDirtyCallee` and NOT emitted;
+ * this protects D39 from the alert-fatigue regression D40 hit when the walker bailed to
+ * unknown on complex control flow.
+ *
+ * Skipped:
+ *  - `callerPersists`      — caller persists the source variable after the callsite
+ *  - `unknownDirtyCallee`  — callee's dirtyAtExit === "unknown" (counted but not emitted)
+ *  - non-persisting source kinds (expression, global, unresolved — can't persist these)
+ *  - by-value parameter source (callerSourceParameterIsVar === false) — bug is in the callee
+ *
+ * Severity: `medium`. Confidence: `likely`.
+ */
+export function detectD39(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById, reverseCallGraph } = ctx;
+
+	let candidatesConsidered = 0;
+	let skippedCallerPersists = 0;
+	let unknownDirtyCallee = 0;
+
+	for (const callee of model.routines) {
+		if (!callee.bodyAvailable) continue;
+		for (const role of callee.summary?.parameterRoles ?? []) {
+			if (role.dirtyAtExit === "unknown") {
+				unknownDirtyCallee++;
+				continue;
+			}
+			if (role.dirtyAtExit !== "yes") continue;
+
+			// Find all resolved callers that forward a record to this var-parameter.
+			const callerEdges = reverseCallGraph.get(callee.id) ?? [];
+			for (const edge of callerEdges) {
+				if (edge.callsiteId === undefined) continue;
+				const caller = routineById.get(edge.from);
+				if (caller === undefined) continue;
+				if (roleOf(caller) !== "primary") continue;
+				if (!caller.bodyAvailable) continue;
+
+				const cs = caller.features.callSites.find((c) => c.id === edge.callsiteId);
+				if (cs === undefined) continue;
+
+				const binding = cs.argumentBindings.find(
+					(b) =>
+						b.parameterIndex === role.parameterIndex &&
+						b.bindingResolution === "resolved" &&
+						b.calleeParameterIsVar,
+				);
+				if (binding === undefined) continue;
+
+				// Only source kinds the caller can actually persist.
+				if (
+					binding.sourceKind !== "parameter" &&
+					binding.sourceKind !== "local" &&
+					binding.sourceKind !== "implicit-rec"
+				) {
+					continue;
+				}
+
+				// For parameter sources, require the caller-side parameter to be var (otherwise
+				// the caller's copy is local — the bug is real but is D37's domain inside the callee).
+				if (binding.sourceKind === "parameter" && !binding.callerSourceParameterIsVar) {
+					continue;
+				}
+
+				const sourceNameLc = binding.sourceVariableName;
+				if (sourceNameLc === undefined) continue;
+
+				candidatesConsidered++;
+
+				// Did caller persist the source variable after the callsite?
+				const persistedAfter = caller.features.recordOperations.some(
+					(op) =>
+						PERSIST_OPS.has(op.op) &&
+						op.recordVariableName.toLowerCase() === sourceNameLc &&
+						beforeAnchor(cs.sourceAnchor, op.sourceAnchor),
+				);
+				if (persistedAfter) {
+					skippedCallerPersists++;
+					continue;
+				}
+
+				// Emit.
+				const path: EvidenceStep[] = [
+					{
+						routineId: caller.id,
+						callsiteId: cs.id,
+						sourceAnchor: binding.argumentAnchor,
+						note: `forwards ${binding.sourceVariableName} to ${callee.name}; never persists after the call`,
+					},
+					{
+						routineId: callee.id,
+						sourceAnchor: callee.sourceAnchor,
+						note: `${callee.name} validates and exits dirty on at least one path`,
+					},
+				];
+
+				const finding: Finding = {
+					id: `d39/${caller.id}/${cs.id}/${role.parameterIndex}`,
+					rootCauseKey: `d39/${caller.id}/${cs.id}/${role.parameterIndex}`,
+					detector: "d39-record-left-dirty-across-chain",
+					title: "Record left dirty across helper chain",
+					rootCause: `${caller.name} forwards ${binding.sourceVariableName} to ${callee.name}, which leaves the record in a Validate-dirty state on at least one exit path. ${caller.name} never persists after the call — the field write is silently discarded.`,
+					severity: "medium",
+					confidence: toConfidence([], "likely"),
+					primaryLocation: binding.argumentAnchor,
+					evidencePath: path,
+					affectedObjects: [caller.objectId, callee.objectId].sort(),
+					affectedTables: [],
+					fixOptions: [
+						{
+							description: `Add ${binding.sourceVariableName}.Modify() in ${caller.name} after the call to ${callee.name}, or have ${callee.name} persist before returning.`,
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+			}
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d39-record-left-dirty-across-chain",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedCallerPersists > 0 ? { callerPersists: skippedCallerPersists } : {}),
+				...(unknownDirtyCallee > 0 ? { unknownDirtyCallee } : {}),
+			},
+		},
+	};
+}