al-sem 0.0.1

package/src/detectors/d4-repeated-lookup-in-loop.ts

@@ -0,0 +1,128 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { RecordOperation } from "../model/entities.ts";
+import { isStringLikeLiteral } from "../model/expression.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const LOOKUP_OPS: ReadonlySet<string> = new Set(["Get", "FindFirst", "FindLast"]);
+
+/**
+ * D4: detect `Get` / `FindFirst` / `FindLast` called 2+ times inside the same loop
+ * with the same literal key argument on the same record variable.
+ *
+ * v1 only matches string-literal arguments (`'...'` or `"..."`), which is the
+ * conservative correct case — the key is known at compile time, so it can trivially
+ * be hoisted outside the loop. Future versions can extend this to dataflow over
+ * key expressions.
+ */
+export function detectD4(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedOther = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		candidatesConsidered++;
+		let emittedForRoutine = 0;
+
+		for (const loop of routine.features.loops) {
+			// Collect all lookup ops that sit inside this loop and have a literal key argument.
+			const candidates: { op: RecordOperation; key: string }[] = [];
+			for (const op of routine.features.recordOperations) {
+				if (!LOOKUP_OPS.has(op.op)) continue;
+				if (!op.loopStack.includes(loop.id)) continue;
+				// Only flag string-like literal keys (`'VALUE'` / `"VALUE"`); the structured
+				// classifier distinguishes them from identifiers / expressions without any
+				// text shredding. Dedup key uses the unquoted `.value` so `'X'` and `"X"`
+				// (same content, different quoting) group together.
+				const keyInfo = op.fieldArgumentInfos?.[0];
+				if (keyInfo === undefined) continue;
+				if (!isStringLikeLiteral(keyInfo)) continue;
+				candidates.push({ op, key: keyInfo.value ?? keyInfo.text });
+			}
+
+			if (candidates.length < 2) continue;
+
+			// Group by (recordVariableName.toLowerCase, literal key) — duplicates per group → finding.
+			const groups = new Map<string, RecordOperation[]>();
+			for (const { op, key } of candidates) {
+				const groupKey = `${op.recordVariableName.toLowerCase()}|${key}`;
+				const list = groups.get(groupKey);
+				if (list) list.push(op);
+				else groups.set(groupKey, [op]);
+			}
+
+			for (const ops of groups.values()) {
+				if (ops.length < 2) continue;
+				const first = ops[0];
+				if (!first) continue;
+
+				const path: EvidenceStep[] = [
+					{
+						routineId: routine.id,
+						loopId: loop.id,
+						sourceAnchor: loop.sourceAnchor,
+						note: `${loop.type} loop`,
+					},
+					...ops.map(
+						(o): EvidenceStep => ({
+							routineId: routine.id,
+							operationId: o.id,
+							sourceAnchor: o.sourceAnchor,
+							note: `${o.op} on ${o.recordVariableName} with literal key`,
+						}),
+					),
+				];
+
+				const finding: Finding = {
+					id: `d4/${routine.id}/${loop.id}/${first.recordVariableName.toLowerCase()}`,
+					rootCauseKey: `d4/${routine.id}/${loop.id}/${first.recordVariableName.toLowerCase()}`,
+					detector: "d4-repeated-lookup-in-loop",
+					title: "Repeated identical lookup inside a loop",
+					rootCause: `${routine.name} calls ${first.op} on ${first.recordVariableName} ${ops.length} times inside a loop with the same literal key — cache the result once before the loop.`,
+					severity: "medium",
+					confidence: toConfidence([], "likely"),
+					primaryLocation: first.sourceAnchor,
+					evidencePath: path,
+					affectedObjects: [routine.objectId],
+					affectedTables: first.tableId !== undefined ? [first.tableId] : [],
+					fixOptions: [
+						{
+							description:
+								"Move the lookup out of the loop into a local variable, then read fields from that variable inside the loop.",
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+				emittedForRoutine++;
+			}
+		}
+		if (emittedForRoutine === 0) skippedOther++;
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d4-repeated-lookup-in-loop",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: { other: skippedOther > 0 ? skippedOther : undefined },
+		},
+	};
+}

package/src/detectors/d40-transitive-load-missing.ts

@@ -0,0 +1,217 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { recordFlowRoleOf } from "../engine/op-classification.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { type RecordOpType, type RecordOperation, roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/**
+ * D40 — transitive load missing.
+ *
+ * For each resolved call edge where the callee requires its parameter to be
+ * loaded at entry (callee.parameterRoles[Q].requiresLoadedAtEntry === "yes"),
+ * verify the caller has loaded the forwarded record before the callsite.
+ * Otherwise emit a finding at the caller's callsite.
+ *
+ * Severity: `medium`, escalates to `high` when the callee mutates the unloaded
+ * record (callee.mutatesBeforeLoad === "yes" — strictly worse than a read).
+ *
+ * Predicate:
+ *  - resolved callsite + binding;
+ *  - source is NOT an implicit-rec (`Rec`/`xRec` in triggers/event subscribers are
+ *    loaded by the AL runtime before the trigger fires — flagging them is a
+ *    structural false positive);
+ *  - source-tempState is not `known/true` (temporary records have no DB load concept);
+ *  - callee.parameterRoles[Q].requiresLoadedAtEntry === "yes";
+ *  - caller has not loaded the forwarded record on the path to the callsite
+ *    (intra-routine source-ordered check using `isLoadingOp` — see below).
+ *
+ * Skipped (counters):
+ *  - `unresolved`     — binding.bindingResolution !== "resolved", or no resolved edge.
+ *  - `implicitRec`    — binding.sourceKind === "implicit-rec".
+ *  - `tempRecord`     — binding.sourceTempState is known-true.
+ *  - `calleeUnknown`  — callee summary missing or no role for the parameter.
+ *  - `callerLoaded`   — caller has a prior loading op for the same source record.
+ *
+ * NOTE — opt-in pending Phase 6. D40 is intentionally NOT in the default detector
+ * registry while the Phase 4 walker remains straight-line-only. The walker bails to
+ * `requiresLoadedAtEntry = "unknown"` on any branching control flow, and D40's
+ * intra-caller load check doesn't see records loaded inside loops (FindSet/repeat/
+ * Next pattern). On Continia DC/Cloud the default-on shape produced ~1186 medium
+ * findings dominated by the loop-loaded false-positive class. Phase 6's full
+ * statement-tree walker closes that class; D40 returns to the default registry then.
+ * Until then it is usable via `--detector d40-transitive-load-missing`.
+ */
+
+/**
+ * True iff a record op acts as "load" for the parameter — after running it, the record
+ * variable is in a well-defined loaded/initialised state. Mirrors the Phase 4 walker's
+ * `loaded = true` triggers (loadsFromDb / initialises / copiesInto). The previous
+ * hand-maintained LOAD_OPS set is replaced by this single source of truth via
+ * `recordFlowRoleOf`, so future RecordOpType additions update one place.
+ */
+function isLoadingOp(op: RecordOpType): boolean {
+	const role = recordFlowRoleOf(op);
+	return role === "loadsFromDb" || role === "initialises" || role === "copiesInto";
+}
+
+export function detectD40(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById, resolvedCallEdgeByCallsite } = ctx;
+
+	let candidatesConsidered = 0;
+	let skippedUnresolved = 0;
+	let skippedImplicitRec = 0;
+	let skippedTempRecord = 0;
+	let skippedCallerLoaded = 0;
+	let skippedCalleeUnknown = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+
+		// I2: precompute load-op buckets per source variable once per routine.
+		// Key = lowercase recordVariableName. Each bucket also retains the op's
+		// recordVariableId (when present) so we can prefer id-matching at the binding
+		// site (I4).
+		const loadsBySourceLc = new Map<string, RecordOperation[]>();
+		for (const op of routine.features.recordOperations) {
+			if (!isLoadingOp(op.op)) continue;
+			const key = op.recordVariableName.toLowerCase();
+			let bucket = loadsBySourceLc.get(key);
+			if (bucket === undefined) {
+				bucket = [];
+				loadsBySourceLc.set(key, bucket);
+			}
+			bucket.push(op);
+		}
+
+		for (const cs of routine.features.callSites) {
+			// I1: O(1) edge lookup via the new DetectorContext index.
+			const edge = resolvedCallEdgeByCallsite.get(cs.id);
+			if (edge?.to === undefined) {
+				skippedUnresolved++;
+				continue;
+			}
+			const callee = routineById.get(edge.to);
+			if (callee === undefined) continue;
+
+			for (const binding of cs.argumentBindings) {
+				// C2(a): implicit-rec narrowing — checked BEFORE bindingResolution so that
+				// triggers passing `Rec` (where the indexer classifies the arg as
+				// `non-record-arg` because there is no local recVar named `Rec` even though
+				// `sourceKind` is correctly `"implicit-rec"`) are still recognised and skipped.
+				// `Rec` / `xRec` inside a trigger or event subscriber are loaded by the AL
+				// runtime before the trigger fires — there is no caller in source code that
+				// could "Get them". Flagging is a structural false positive (~87 cases on
+				// DC/Cloud at the pre-narrowing default — ~7% of total).
+				if (binding.sourceKind === "implicit-rec") {
+					skippedImplicitRec++;
+					continue;
+				}
+				if (binding.bindingResolution !== "resolved") {
+					skippedUnresolved++;
+					continue;
+				}
+				if (binding.sourceTempState?.kind === "known" && binding.sourceTempState.value === true) {
+					skippedTempRecord++;
+					continue;
+				}
+				const calleeRole = callee.summary?.parameterRoles.find(
+					(r) => r.parameterIndex === binding.parameterIndex,
+				);
+				if (calleeRole === undefined) {
+					skippedCalleeUnknown++;
+					continue;
+				}
+				if (calleeRole.requiresLoadedAtEntry !== "yes") continue;
+				candidatesConsidered++;
+
+				const sourceNameLc = binding.sourceVariableName;
+				if (sourceNameLc === undefined) continue;
+				const bucket = loadsBySourceLc.get(sourceNameLc) ?? [];
+				// I4: prefer id-match when both sides have an id; fall back to the
+				// name-keyed bucket (AL forbids shadowing within a single procedure, so
+				// names disambiguate uniquely in practice).
+				const sourceId = binding.sourceRecordVariableId;
+				const loadedBefore = bucket.some((op) => {
+					if (!beforeAnchor(op.sourceAnchor, cs.sourceAnchor)) return false;
+					if (sourceId !== undefined && op.recordVariableId !== undefined) {
+						return op.recordVariableId === sourceId;
+					}
+					return true; // name-match already established by bucket lookup
+				});
+				if (loadedBefore) {
+					skippedCallerLoaded++;
+					continue;
+				}
+
+				const severity: Finding["severity"] =
+					calleeRole.mutatesBeforeLoad === "yes" ? "high" : "medium";
+
+				const path: EvidenceStep[] = [
+					{
+						routineId: routine.id,
+						callsiteId: cs.id,
+						sourceAnchor: binding.argumentAnchor,
+						note: `forwards ${binding.sourceVariableName} to ${callee.name} (param[${binding.parameterIndex}])`,
+					},
+					{
+						routineId: callee.id,
+						sourceAnchor: callee.sourceAnchor,
+						note: `${callee.name} ${calleeRole.mutatesBeforeLoad === "yes" ? "mutates" : "reads"} this record before loading it`,
+					},
+				];
+
+				const finding: Finding = {
+					id: `d40/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					rootCauseKey: `d40/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					detector: "d40-transitive-load-missing",
+					title: `Forwarded record not loaded before ${calleeRole.mutatesBeforeLoad === "yes" ? "mutating" : "reading"} helper`,
+					rootCause: `${routine.name} forwards ${binding.sourceVariableName} to ${callee.name}, which ${calleeRole.mutatesBeforeLoad === "yes" ? "mutates" : "reads"} the record without loading it — the caller must Get/Find the record before the call.`,
+					severity,
+					confidence: toConfidence([], "likely"),
+					primaryLocation: binding.argumentAnchor,
+					evidencePath: path,
+					affectedObjects: [routine.objectId, callee.objectId].sort(),
+					affectedTables: [],
+					fixOptions: [
+						{
+							description: `Load ${binding.sourceVariableName} with Get / FindFirst before forwarding to ${callee.name}, or have ${callee.name} load its parameter internally.`,
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+			}
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d40-transitive-load-missing",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedUnresolved > 0 ? { unresolved: skippedUnresolved } : {}),
+				...(skippedImplicitRec > 0 ? { implicitRec: skippedImplicitRec } : {}),
+				...(skippedTempRecord > 0 ? { tempRecord: skippedTempRecord } : {}),
+				...(skippedCallerLoaded > 0 ? { callerLoaded: skippedCallerLoaded } : {}),
+				...(skippedCalleeUnknown > 0 ? { calleeUnknown: skippedCalleeUnknown } : {}),
+			},
+		},
+	};
+}

package/src/detectors/d41-transitive-filter-loss.ts

@@ -0,0 +1,200 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const FILTER_SET_OPS: ReadonlySet<string> = new Set(["SetRange", "SetFilter"]);
+const FILTER_SENSITIVE_OPS: ReadonlySet<string> = new Set([
+	"FindFirst",
+	"FindLast",
+	"FindSet",
+	"Find",
+	"Next",
+	"CalcSums",
+	"DeleteAll",
+	"ModifyAll",
+	"Count",
+	"IsEmpty",
+]);
+
+/**
+ * D41 — transitive filter loss.
+ *
+ * Predicate (all four must hold):
+ *  1. Caller called SetRange / SetFilter on R before a callsite that forwards R
+ *     by-var to a callee;
+ *  2. Callee's parameterRoles[Q].resetsFiltersOnParam === "yes" (the helper calls
+ *     Reset on the forwarded record);
+ *  3. Caller subsequently performs a filter-sensitive op on R (FindFirst, FindLast,
+ *     FindSet, Find, Next, CalcSums, DeleteAll, ModifyAll, Count, IsEmpty) AFTER
+ *     the callsite;
+ *  4. Caller did NOT re-filter R between the callsite and the sensitive op.
+ *
+ * Without clause (3)+(4) the pattern is unobservable or intentional (the helper
+ * was called for the explicit purpose of resetting filters). This requirement is
+ * what makes D41 actionable rather than noisy.
+ *
+ * Severity: high (silent wrong-set-size). Confidence: likely.
+ * Anchor: caller's argumentAnchor (the argument forwarding the record).
+ *
+ * Skip counters:
+ *  - `noPriorFilter`  — caller did not filter R before the callsite
+ *  - `noPostUse`      — no filter-sensitive op on R after the callsite
+ *  - `reFiltered`     — caller re-filters R between the callsite and the sensitive op
+ *
+ * Control-flow-blindness carry-forward: the prior-filter check and the re-filter
+ * check are both source-order linear (same as D39's persist check). A SetRange/
+ * SetFilter that lives in a mutually-exclusive branch from the callsite can create
+ * false positives; a re-filter in a mutually-exclusive branch can create false
+ * negatives. These are the same FN/FP classes D39 documents and defers to a future
+ * walker-aware pass.
+ */
+export function detectD41(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+
+	let candidatesConsidered = 0;
+	let skippedNoPriorFilter = 0;
+	let skippedNoPostUse = 0;
+	let skippedReFiltered = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+
+		for (const cs of routine.features.callSites) {
+			// O(1) resolved-edge lookup via the DetectorContext index (added in Phase 4 / I1).
+			const edge = ctx.resolvedCallEdgeByCallsite.get(cs.id);
+			if (edge?.to === undefined) continue;
+			const callee = routineById.get(edge.to);
+			if (callee === undefined) continue;
+
+			for (const binding of cs.argumentBindings) {
+				if (binding.bindingResolution !== "resolved") continue;
+				if (!binding.calleeParameterIsVar) continue;
+
+				const calleeRole = callee.summary?.parameterRoles.find(
+					(r) => r.parameterIndex === binding.parameterIndex,
+				);
+				if (calleeRole?.resetsFiltersOnParam !== "yes") continue;
+
+				const sourceNameLc = binding.sourceVariableName;
+				if (sourceNameLc === undefined) continue;
+				// Count every binding that targets a reset-helper callee — the meaningful
+				// candidate set at the structural gate. Matches D39's convention so
+				// cross-detector stats comparisons are meaningful.
+				candidatesConsidered++;
+
+				// Precompute all ops on this variable once for the three predicate checks.
+				const opsOnVar = routine.features.recordOperations.filter(
+					(op) => op.recordVariableName.toLowerCase() === sourceNameLc,
+				);
+
+				// (1) Caller filtered before the call?
+				const priorFilters = opsOnVar.filter(
+					(op) => FILTER_SET_OPS.has(op.op) && beforeAnchor(op.sourceAnchor, cs.sourceAnchor),
+				);
+				if (priorFilters.length === 0) {
+					skippedNoPriorFilter++;
+					continue;
+				}
+
+				// (3) Any filter-sensitive op AFTER the callsite?
+				const postSensitive = opsOnVar.filter(
+					(op) => FILTER_SENSITIVE_OPS.has(op.op) && beforeAnchor(cs.sourceAnchor, op.sourceAnchor),
+				);
+				if (postSensitive.length === 0) {
+					skippedNoPostUse++;
+					continue;
+				}
+
+				// (4) Re-filter between callsite and the sensitive op?
+				// biome-ignore lint/style/noNonNullAssertion: guarded by postSensitive.length === 0 check above
+				const firstSensitive = postSensitive[0]!;
+				const reFiltered = opsOnVar.some(
+					(op) =>
+						FILTER_SET_OPS.has(op.op) &&
+						beforeAnchor(cs.sourceAnchor, op.sourceAnchor) &&
+						beforeAnchor(op.sourceAnchor, firstSensitive.sourceAnchor),
+				);
+				if (reFiltered) {
+					skippedReFiltered++;
+					continue;
+				}
+
+				// priorFilters[0] is guaranteed to exist (guarded by priorFilters.length === 0 check above).
+				const firstPriorFilter = priorFilters[0];
+				if (firstPriorFilter === undefined) continue; // unreachable, satisfies the linter
+
+				const path: EvidenceStep[] = [
+					{
+						routineId: routine.id,
+						operationId: firstPriorFilter.id,
+						sourceAnchor: firstPriorFilter.sourceAnchor,
+						note: `${firstPriorFilter.op} on ${sourceNameLc}`,
+					},
+					{
+						routineId: routine.id,
+						callsiteId: cs.id,
+						sourceAnchor: binding.argumentAnchor,
+						note: `forwards ${sourceNameLc} to ${callee.name}, which calls Reset`,
+					},
+					{
+						routineId: routine.id,
+						operationId: firstSensitive.id,
+						sourceAnchor: firstSensitive.sourceAnchor,
+						note: `${firstSensitive.op} on ${sourceNameLc} — operates on the now-unfiltered set`,
+					},
+				];
+
+				const finding: Finding = {
+					id: `d41/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					rootCauseKey: `d41/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					detector: "d41-transitive-filter-loss",
+					title: "Filter silently lost across helper call",
+					rootCause: `${routine.name} filters ${sourceNameLc} before calling ${callee.name}, which calls Reset; the subsequent ${firstSensitive.op} operates on the unfiltered set.`,
+					severity: "high",
+					confidence: toConfidence([], "likely"),
+					primaryLocation: binding.argumentAnchor,
+					evidencePath: path,
+					affectedObjects: [routine.objectId, callee.objectId].sort(),
+					affectedTables: [],
+					fixOptions: [
+						{
+							description: `Re-apply the SetRange/SetFilter on ${sourceNameLc} after the call to ${callee.name}, or restructure to avoid the call inside the filtered scope.`,
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+			}
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d41-transitive-filter-loss",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedNoPriorFilter > 0 ? { noPriorFilter: skippedNoPriorFilter } : {}),
+				...(skippedNoPostUse > 0 ? { noPostUse: skippedNoPostUse } : {}),
+				...(skippedReFiltered > 0 ? { reFiltered: skippedReFiltered } : {}),
+			},
+		},
+	};
+}