al-sem 0.0.1

package/src/detectors/d42-cross-call-wrong-setloadfields.ts

@@ -0,0 +1,243 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { beforeAnchor } from "../engine/source-anchor.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { type RecordOperation, roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { FieldId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+const RELOAD_OPS: ReadonlySet<string> = new Set(["Reset"]);
+
+/**
+ * Compute the source-ordered narrowed-load fingerprint for a record variable AT a
+ * given anchor (typically a callsite's `argumentAnchor`). Returns:
+ *  - `"full"`     — no prior SetLoadFields/AddLoadFields op exists on this var before
+ *                   the anchor (the variable carries the full record);
+ *  - `string[]`   — the cumulative narrow that the most recent SetLoadFields plus any
+ *                   subsequent AddLoadFields imposed;
+ *  - `"unknown"`  — a `Reset` between the last narrow and the anchor (Reset wipes
+ *                   the pending-narrow per spec) leaves the load shape unknowable
+ *                   here without walker support; treat as unknown to stay sound.
+ *
+ * Source-ordered, intra-routine. Mirrors D36's approach (the post-load placement
+ * detector) so detectors operating on the same flat features stay consistent.
+ *
+ * NOTE: this is a straight-line approximation. A `SetLoadFields` placed inside one
+ * branch of an `if`/`case` is treated as if it always applies — same control-flow-
+ * blindness carry-forward as D39/D41/D36. The Phase 6 walker handles this correctly
+ * for parameters; the per-callsite snapshot is not yet propagated to RoutineSummary
+ * (see the detector docstring's carry-forward note).
+ */
+function computeNarrowAtCallsite(
+	ops: readonly RecordOperation[],
+	varNameLc: string,
+	callsiteAnchor: { range: { startLine: number; startColumn: number } },
+): FieldId[] | "full" | "unknown" {
+	let pending: FieldId[] | "none" | "unknown" = "none";
+	for (const op of ops) {
+		if (op.recordVariableName.toLowerCase() !== varNameLc) continue;
+		if (!beforeAnchor(op.sourceAnchor, callsiteAnchor)) continue;
+		if (op.op === "SetLoadFields") {
+			const fields = [...new Set(op.fieldArguments ?? [])].sort() as FieldId[];
+			pending = fields;
+		} else if (op.op === "AddLoadFields") {
+			const additions = op.fieldArguments ?? [];
+			if (pending === "none") {
+				pending = [...new Set(additions)].sort() as FieldId[];
+			} else if (pending === "unknown") {
+				// stay unknown
+			} else {
+				pending = [...new Set([...pending, ...additions])].sort() as FieldId[];
+			}
+		} else if (RELOAD_OPS.has(op.op)) {
+			// Reset wipes pendingNarrow (spec §(b1) / control-flow-walker.ts:904-907).
+			pending = "unknown";
+		}
+	}
+	if (pending === "none") return "full";
+	if (pending === "unknown") return "unknown";
+	return pending;
+}
+
+/**
+ * D42 — cross-call wrong SetLoadFields.
+ *
+ * At each resolved call edge that forwards a record to a callee var-parameter:
+ *  - caller-side narrow LF (computed as the source-ordered cumulative
+ *    SetLoadFields/AddLoadFields on the forwarded variable at the callsite, or
+ *    falling back to caller-parameter `currentLoadedFieldsAtExit` from the walker
+ *    when the source is the routine's own parameter) is a concrete list;
+ *  - callee `parameterRoles[Q].requiredLoadedFieldsAtEntry` is a non-empty
+ *    concrete list RF;
+ *  - RF \ LF is non-empty;
+ * then the runtime will issue an extra SQL round-trip to fetch the missing fields,
+ * silently defeating the partial-load optimisation the caller was paying the
+ * complexity for.
+ *
+ * Severity: low (perf hygiene — measurable but small cost). Confidence: likely
+ * (both sides concrete; opaque callees and "unknown" walker outputs are skipped).
+ *
+ * Anchor: caller's argumentAnchor. rootCauseKey: routine + callsite + parameter index
+ * (stable across edits that move lines, unstable only if the routine or call boundary
+ * itself changes).
+ *
+ * Skip counters:
+ *  - `callerFull`         — caller-side LF is the "full" sentinel (no narrow at all);
+ *  - `calleeRequiresNone` — callee's RF is empty or `"unknown"`;
+ *  - `calleeUnknown`      — callee has no parameterRole for this binding index.
+ *
+ * Carry-forward (precision TODO): the Phase 6 walker computes a per-callsite
+ * snapshot `currentLoadedFieldsAtCallsite` on `PathAwareFacts` (control-flow-
+ * walker.ts), but `summary-runner.ts` does NOT propagate it to
+ * `RoutineSummary.parameterRoles`. The detector therefore uses (a) a local
+ * source-ordered scan over `recordOperations` (this routine's load-narrow history
+ * on the forwarded variable) for local-record sources, and (b) the conservative
+ * `currentLoadedFieldsAtExit` fallback when the source IS the routine's own
+ * parameter. The latter is sound for narrows not subsequently widened (the
+ * dominant pattern) but can miss a narrow-then-widen-then-forward sequence (FN).
+ * Tightening this is a Phase 6 follow-on: surface the per-callsite snapshot on
+ * RecordRoleSummary and prefer it when present.
+ *
+ * Carry-forward (case-folded field-name comparison): the `RF.filter((f) =>
+ * !loaded.includes(f))` check below compares FieldId strings case-sensitively.
+ * AL field identifiers are case-insensitive at the language level, so a
+ * SetLoadFields list spelled `"no."` and a callee `requiredLoadedFieldsAtEntry`
+ * entry of `"No."` (or vice versa) would currently look like a missing field
+ * and emit a false positive. Field names are sourced from table metadata on
+ * both sides today so the mismatch is rare in practice, but a case-folded
+ * compare would harden the detector against author-style FPs. Tracked in
+ * STATUS.md Phase 4 carry-forwards; intentionally NOT implemented here so the
+ * change ships in its own scoped commit with targeted fixtures.
+ *
+ * Why this is al-sem-only:
+ *  - Requires resolved call graph + per-callsite argument binding to know who
+ *    forwards what.
+ *  - Requires the callee's `requiredLoadedFieldsAtEntry` — a path-aware walker
+ *    fact composed bottom-up over the SCC condensation. A per-file analyzer has
+ *    no view of either side of the boundary.
+ *  - Compares concrete FieldId lists derived from `op.fieldArguments[]` resolved
+ *    against table metadata, not bare identifier text.
+ */
+export function detectD42(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	const { routineById, resolvedCallEdgeByCallsite } = ctx;
+
+	let candidatesConsidered = 0;
+	let skippedCallerFull = 0;
+	let skippedCalleeRequiresNone = 0;
+	let skippedCalleeUnknown = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		const ownRole = routine.summary?.parameterRoles ?? [];
+		const ops = routine.features.recordOperations;
+
+		for (const cs of routine.features.callSites) {
+			const edge = resolvedCallEdgeByCallsite.get(cs.id);
+			if (edge?.to === undefined) continue;
+			const callee = routineById.get(edge.to);
+			if (callee === undefined) continue;
+
+			for (const binding of cs.argumentBindings) {
+				if (binding.bindingResolution !== "resolved") continue;
+				const calleeRole = callee.summary?.parameterRoles.find(
+					(r) => r.parameterIndex === binding.parameterIndex,
+				);
+				if (calleeRole === undefined) {
+					skippedCalleeUnknown++;
+					continue;
+				}
+				const RF = calleeRole.requiredLoadedFieldsAtEntry;
+				if (RF === "unknown" || RF.length === 0) {
+					skippedCalleeRequiresNone++;
+					continue;
+				}
+
+				// Caller-side LF — two-tier resolution. Prefer the intra-routine
+				// source-ordered scan when the source is a local record-var (the
+				// walker doesn't track locals). Fall back to the caller-parameter
+				// walker fact `currentLoadedFieldsAtExit` when the source is the
+				// routine's own parameter.
+				let LF: FieldId[] | "full" | "unknown" = "unknown";
+				const sourceNameLc = binding.sourceVariableName;
+				if (sourceNameLc !== undefined) {
+					LF = computeNarrowAtCallsite(ops, sourceNameLc, cs.sourceAnchor);
+				}
+				if (LF === "unknown" && binding.sourceParameterIndex !== undefined) {
+					const callerRole = ownRole.find((r) => r.parameterIndex === binding.sourceParameterIndex);
+					LF = callerRole?.currentLoadedFieldsAtExit ?? "unknown";
+				}
+				if (LF === "unknown") continue;
+				if (LF === "full") {
+					skippedCallerFull++;
+					continue;
+				}
+				const loaded = LF; // narrow to FieldId[]
+				const missing = RF.filter((f) => !loaded.includes(f));
+				if (missing.length === 0) continue;
+				candidatesConsidered++;
+
+				const path: EvidenceStep[] = [
+					{
+						routineId: routine.id,
+						callsiteId: cs.id,
+						sourceAnchor: binding.argumentAnchor,
+						note: `forwards ${binding.sourceVariableName ?? "record"} (narrowed to ${loaded.join(", ")}) to ${callee.name}`,
+					},
+					{
+						routineId: callee.id,
+						sourceAnchor: callee.sourceAnchor,
+						note: `${callee.name} requires ${missing.join(", ")} loaded; the runtime will issue an extra SQL round-trip`,
+					},
+				];
+
+				const finding: Finding = {
+					id: `d42/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					rootCauseKey: `d42/${routine.id}/${cs.id}/${binding.parameterIndex}`,
+					detector: "d42-cross-call-wrong-setloadfields",
+					title: "Forwarded record's narrowed load misses a field the callee reads",
+					rootCause: `${routine.name} narrowed ${binding.sourceVariableName ?? "the record"}'s load to ${loaded.join(", ")} but forwards it to ${callee.name}, which reads ${missing.join(", ")} — defeats the partial-load optimisation.`,
+					severity: "low",
+					confidence: toConfidence([], "likely"),
+					primaryLocation: binding.argumentAnchor,
+					evidencePath: path,
+					affectedObjects: [routine.objectId, callee.objectId].sort(),
+					affectedTables: [],
+					fixOptions: [
+						{
+							description: `Add ${missing.join(", ")} to the SetLoadFields/AddLoadFields call on ${binding.sourceVariableName ?? "the record"} before forwarding to ${callee.name}.`,
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+			}
+		}
+	}
+
+	const sorted = findings.sort((a, b) => compareStrings(a.id, b.id));
+	return {
+		findings: sorted,
+		stats: {
+			detector: "d42-cross-call-wrong-setloadfields",
+			candidatesConsidered,
+			findingsEmitted: sorted.length,
+			skipped: {
+				...(skippedCallerFull > 0 ? { callerFull: skippedCallerFull } : {}),
+				...(skippedCalleeRequiresNone > 0 ? { calleeRequiresNone: skippedCalleeRequiresNone } : {}),
+				...(skippedCalleeUnknown > 0 ? { calleeUnknown: skippedCalleeUnknown } : {}),
+			},
+		},
+	};
+}

package/src/detectors/d43-event-ishandled-skip.ts

@@ -0,0 +1,257 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { type DispatchSite, enumerateDispatchSites } from "../engine/dispatch-sites.ts";
+import {
+	IS_HANDLED_RE,
+	buildCrossExtensionSubscribers,
+	eventKindOf,
+} from "../engine/event-flow.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import type { ControlFlowNode, Routine } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SourceAnchor } from "../model/identity.ts";
+import type { EventId, RoutineId, TableId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { writesTablesOf } from "./capability-query.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+export const D43_NAME = "d43-event-ishandled-skip";
+
+type SetterClassification = "mustSetTrue" | "maySetTrue" | "noSetTrue";
+
+/**
+ * Returns true when the assignment's source range is found inside a conditional
+ * branch (if/while/case/case-branch/repeat/for/foreach) in the routine's
+ * `statementTree`. Top-level assignments — direct children of the root block —
+ * return false (not nested).
+ *
+ * Algorithm: depth-first walk of the CFN tree. We track whether we are currently
+ * descending into the BODY of a conditional/loop node. When we encounter a node
+ * whose `sourceAnchor` matches the assignment anchor by start position, we record
+ * whether we are in a conditional context at that point.
+ *
+ * "Matches" is start-position equality (line + column) — the tree guarantees
+ * unique statement positions within a routine body.
+ */
+function isAssignmentNestedInTree(
+	assignmentAnchor: SourceAnchor,
+	tree: ControlFlowNode | undefined,
+): boolean {
+	if (!tree) return false; // no tree → can't determine → conservative: NOT nested
+	const a = assignmentAnchor.range;
+	let result = false;
+
+	const CONDITIONAL_KINDS = new Set([
+		"if",
+		"while",
+		"repeat",
+		"for",
+		"foreach",
+		"case",
+		"case-branch",
+	]);
+
+	function visit(node: ControlFlowNode, inConditional: boolean): void {
+		if (result) return; // early exit once found
+		const r = node.sourceAnchor.range;
+		if (r.startLine === a.startLine && r.startColumn === a.startColumn) {
+			// This node IS the assignment statement.
+			result = inConditional;
+			return;
+		}
+		// Recurse into children. Children of a conditional/loop body are inside a branch.
+		const childConditional = inConditional || CONDITIONAL_KINDS.has(node.kind);
+		for (const c of node.children ?? []) {
+			visit(c, childConditional);
+			if (result) return;
+		}
+		for (const c of node.elseChildren ?? []) {
+			visit(c, true); // else-branch is always conditional
+			if (result) return;
+		}
+	}
+
+	visit(tree, false);
+	return result;
+}
+
+function classifySubscriber(
+	subscriber: RoutineId,
+	routineById: Map<RoutineId, Routine>,
+): SetterClassification {
+	const r = routineById.get(subscriber);
+	if (!r) return "noSetTrue";
+	const sets = (r.features.varAssignments ?? []).filter(
+		(a) => IS_HANDLED_RE.test(a.lhsName) && a.rhsLiteralValue === "true",
+	);
+	if (sets.length === 0) return "noSetTrue";
+	// Phase 3.x refinement: classify as mustSetTrue when the assignment is at top
+	// level (not nested in any if/while/case/repeat-until/loop). hasBranching === false
+	// trivially means top-level — fast-path without CFN traversal.
+	if (r.features.hasBranching === false) return "mustSetTrue";
+	// If ANY setter is at top level (not nested in a conditional), the routine
+	// guarantees IsHandled=true on every path → mustSetTrue.
+	for (const setter of sets) {
+		if (!isAssignmentNestedInTree(setter.sourceAnchor, r.features.statementTree)) {
+			return "mustSetTrue";
+		}
+	}
+	return "maySetTrue";
+}
+
+function classifyConfidence(
+	site: DispatchSite,
+	setter: SetterClassification,
+): Finding["confidence"]["level"] {
+	if (site.postCallGuards.length === 0) return "possible";
+	if (setter === "mustSetTrue" && site.handledActual !== undefined) return "confirmed";
+	if (setter === "maySetTrue") return "likely";
+	return "possible";
+}
+
+export function detectD43(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const ix = ctx.getEventFlowIndexes();
+	const findings: Finding[] = [];
+	let candidates = 0;
+	let skippedNoGuard = 0;
+	let skippedNoSetter = 0;
+
+	// Substrate guard: if no routine has any conditionReference AND there are
+	// event subscribers (Phase 3 T10 idiom), emit ONE warning + bail.
+	const sawAnyConditionRef = model.routines.some(
+		(r) => (r.features.conditionReferences?.length ?? 0) > 0,
+	);
+	const eventSubscriberCount = model.routines.filter((r) => r.kind === "event-subscriber").length;
+	if (!sawAnyConditionRef && eventSubscriberCount > 0) {
+		ctx.diagnostics.push({
+			severity: "warning",
+			stage: "detect",
+			message: `${D43_NAME}: conditionReferences substrate empty; dispatch-site detection limited`,
+		});
+		return finalize();
+	}
+
+	const eventKindById = new Map<EventId, "integration" | "business" | "internal">();
+	for (const ev of model.eventGraph.events) {
+		eventKindById.set(ev.id as EventId, eventKindOf(ev.eventKind));
+	}
+
+	// Phase 3.3: cross-extension subscriber lookup per event.
+	const crossExtByEvent = buildCrossExtensionSubscribers(model);
+
+	const sites = enumerateDispatchSites(model, ix);
+	for (const site of sites) {
+		if (site.postCallGuards.length === 0) {
+			skippedNoGuard++;
+			continue;
+		}
+		if (site.guardedTablesWritten.length === 0) {
+			skippedNoGuard++;
+			continue;
+		}
+		const subs = ix.subscribersByEvent.get(site.eventId) ?? [];
+		const setters: Array<{ sub: RoutineId; classification: SetterClassification }> = [];
+		for (const sub of subs) {
+			const c = classifySubscriber(sub, ctx.routineById);
+			if (c !== "noSetTrue") setters.push({ sub, classification: c });
+		}
+		if (setters.length === 0) {
+			skippedNoSetter++;
+			continue;
+		}
+		const guardedSet = new Set<string>(site.guardedTablesWritten);
+		// Coverage candidates: subs that write at least one of the guarded tables.
+		const coverageCandidates: RoutineId[] = [];
+		for (const sub of subs) {
+			const r = ctx.routineById.get(sub);
+			if (!r?.summary) continue;
+			if (writesTablesOf(r.summary).some((t) => guardedSet.has(t))) {
+				coverageCandidates.push(sub);
+			}
+		}
+		for (const { sub: setter, classification } of setters) {
+			candidates++;
+			const r = ctx.routineById.get(setter);
+			if (!r?.summary) continue;
+			const setterWrites = new Set(writesTablesOf(r.summary));
+			const missing = site.guardedTablesWritten.filter((t) => !setterWrites.has(t));
+			if (missing.length === 0) continue;
+			const coverageStatus: "candidate-coverage" | "no-other-writers" =
+				coverageCandidates.length > 0 ? "candidate-coverage" : "no-other-writers";
+			const severityBase: Finding["severity"] =
+				coverageStatus === "candidate-coverage" ? "medium" : "high";
+			const confidenceLevel = classifyConfidence(site, classification);
+			const severity: Finding["severity"] =
+				confidenceLevel === "possible"
+					? severityBase === "high"
+						? "medium"
+						: severityBase === "medium"
+							? "low"
+							: severityBase
+					: severityBase;
+			const caller = ctx.routineById.get(site.callerRoutine);
+			for (const table of missing) {
+				const rootCauseKey = `d43/${site.eventId}|${site.callerRoutine}|${site.callsiteId}|${setter}|${table}`;
+				const evidence: EvidenceStep[] = [
+					{
+						routineId: site.callerRoutine,
+						callsiteId: site.callsiteId,
+						sourceAnchor: caller?.sourceAnchor ?? r.sourceAnchor,
+						note: `dispatch site for ${site.eventId}; guard via ${site.handledActual?.variableName ?? "IsHandled"}`,
+					},
+					{
+						routineId: setter,
+						sourceAnchor: r.sourceAnchor,
+						note: `subscriber ${classification === "mustSetTrue" ? "always" : "may"} set IsHandled := true`,
+					},
+				];
+				const crossExtSubs = crossExtByEvent.get(site.eventId as EventId);
+				const finding: Finding = {
+					id: rootCauseKey,
+					rootCauseKey,
+					detector: D43_NAME,
+					title:
+						"Event subscriber sets IsHandled but does not perform the publisher's default write",
+					rootCause: `Caller ${site.callerRoutine} guards table writes on IsHandled; subscriber ${setter} sets it true but doesn't write ${table}. coverage=${coverageStatus}`,
+					severity,
+					confidence: { level: confidenceLevel, evidence: [] },
+					primaryLocation: r.sourceAnchor,
+					evidencePath: evidence,
+					affectedObjects: [],
+					affectedTables: [table] as TableId[],
+					eventKind: eventKindById.get(site.eventId as EventId),
+					crossExtensionSubscribers:
+						crossExtSubs !== undefined && crossExtSubs.length > 0 ? crossExtSubs : undefined,
+					fixOptions: [
+						{
+							description:
+								"Either perform the missing write in the subscriber, or stop setting IsHandled := true.",
+							safety: "high",
+						},
+					],
+					provenance: [{ source: "tree-sitter" }],
+				};
+				finding.fingerprint = fingerprintOf(finding, model);
+				findings.push(finding);
+			}
+		}
+	}
+	return finalize();
+
+	function finalize(): { findings: Finding[]; stats: DetectorStats } {
+		findings.sort((a, b) => compareStrings(a.id, b.id));
+		return {
+			findings,
+			stats: {
+				detector: D43_NAME,
+				candidatesConsidered: candidates,
+				findingsEmitted: findings.length,
+				skipped: { other: skippedNoGuard + skippedNoSetter },
+			},
+		};
+	}
+}