al-sem 0.0.1

package/src/detectors/d44-event-multi-subscriber-overlap.ts

@@ -0,0 +1,223 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { buildCrossExtensionSubscribers, eventKindOf } from "../engine/event-flow.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import type { CapabilityOp } from "../model/capability.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { EventId, RoutineId, TableId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { findCapabilities } from "./capability-query.ts";
+import type { DetectorContext } from "./detector-context.ts";
+import { groupAndCap, truncationDiagnostic } from "./finding-grouping.ts";
+
+export const D44_NAME = "d44-event-multi-subscriber-overlap";
+
+const WRITE_OPS = new Set<CapabilityOp>(["insert", "modify", "delete"]);
+
+const D44_MAX_PER_EVENT = 32;
+
+interface SubWrite {
+	subscriber: string;
+	table: string;
+	op: CapabilityOp;
+}
+
+export function detectD44(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const ix = ctx.getEventFlowIndexes();
+	const findings: Finding[] = [];
+	let candidates = 0;
+
+	const eventKindById = new Map<EventId, "integration" | "business" | "internal">();
+	for (const ev of model.eventGraph.events) {
+		eventKindById.set(ev.id as EventId, eventKindOf(ev.eventKind));
+	}
+
+	// Phase 3.3: cross-extension subscriber lookup per event.
+	const crossExtByEvent = buildCrossExtensionSubscribers(model);
+
+	// Build (event, table) → subscriber writes
+	const grouped = new Map<string, SubWrite[]>(); // key = `${eventId}|${tableId}`
+	for (const [eventId, subs] of ix.subscribersByEvent) {
+		for (const sub of subs) {
+			const r = ctx.routineById.get(sub);
+			if (!r?.summary) continue;
+			const writes = findCapabilities(
+				r.summary,
+				(f) =>
+					f.resourceKind === "table" && WRITE_OPS.has(f.op) && typeof f.resourceId === "string",
+			);
+			for (const w of writes) {
+				const key = `${eventId}|${w.resourceId}`;
+				const bag = grouped.get(key) ?? [];
+				bag.push({ subscriber: sub, table: w.resourceId as string, op: w.op });
+				grouped.set(key, bag);
+			}
+		}
+	}
+
+	for (const [key, writes] of grouped) {
+		const uniqueSubs = new Set(writes.map((w) => w.subscriber));
+		if (uniqueSubs.size < 2) continue;
+		candidates++;
+		const [eventId, tableId] = key.split("|", 2) as [string, string];
+		const subList = [...uniqueSubs].sort(compareStrings);
+		const opUnion = [...new Set(writes.map((w) => w.op))].sort(compareStrings);
+		const first =
+			subList[0] !== undefined ? ctx.routineById.get(subList[0] as RoutineId) : undefined;
+		if (!first) continue;
+		const rootCauseKey = `d44/${eventId}|${tableId}`;
+		const evidence: EvidenceStep[] = subList.map((sub) => {
+			const sr = ctx.routineById.get(sub as RoutineId);
+			return {
+				routineId: sub as never,
+				sourceAnchor: sr?.sourceAnchor ?? first.sourceAnchor,
+				note: `writes table ${tableId}`,
+			};
+		});
+		const crossExtSubsWW = crossExtByEvent.get(eventId as EventId);
+		const finding: Finding = {
+			id: rootCauseKey,
+			rootCauseKey,
+			detector: D44_NAME,
+			title: "Multiple event subscribers write the same table",
+			rootCause: `${subList.length} subscribers of event ${eventId} write table ${tableId} (ops: ${opUnion.join(", ")})`,
+			severity: "medium",
+			confidence: { level: "likely", evidence: [] },
+			primaryLocation: first.sourceAnchor,
+			evidencePath: evidence,
+			affectedObjects: [],
+			affectedTables: [tableId] as TableId[],
+			eventKind: eventKindById.get(eventId as EventId),
+			crossExtensionSubscribers:
+				crossExtSubsWW !== undefined && crossExtSubsWW.length > 0 ? crossExtSubsWW : undefined,
+			fixOptions: [
+				{
+					description:
+						"Coordinate the writes (single subscriber, or merge intent) to avoid lost-update / ordering surprises.",
+					safety: "medium",
+				},
+			],
+			provenance: [{ source: "tree-sitter" }],
+		};
+		finding.fingerprint = fingerprintOf(finding, model);
+		findings.push(finding);
+	}
+
+	// Phase 3.2 read-after-write: find tables where one subscriber writes AND a
+	// DIFFERENT subscriber reads on the same event.
+	const writersByEventTable = new Map<string, Set<string>>();
+	const readersByEventTable = new Map<string, Set<string>>();
+	for (const [eventId, subs] of ix.subscribersByEvent) {
+		for (const sub of subs) {
+			const r = ctx.routineById.get(sub);
+			if (!r?.summary) continue;
+			const writeFacts = findCapabilities(
+				r.summary,
+				(f) =>
+					f.resourceKind === "table" && WRITE_OPS.has(f.op) && typeof f.resourceId === "string",
+			);
+			for (const w of writeFacts) {
+				const k = `${eventId}|${w.resourceId}`;
+				const set = writersByEventTable.get(k) ?? new Set<string>();
+				set.add(sub);
+				writersByEventTable.set(k, set);
+			}
+			const readFacts = findCapabilities(
+				r.summary,
+				(f) => f.resourceKind === "table" && f.op === "read" && typeof f.resourceId === "string",
+			);
+			for (const rd of readFacts) {
+				const k = `${eventId}|${rd.resourceId}`;
+				const set = readersByEventTable.get(k) ?? new Set<string>();
+				set.add(sub);
+				readersByEventTable.set(k, set);
+			}
+		}
+	}
+
+	for (const [key, writers] of writersByEventTable) {
+		const readers = readersByEventTable.get(key) ?? new Set<string>();
+		const distinctReaders = [...readers].filter((rd) => !writers.has(rd));
+		if (distinctReaders.length === 0) continue;
+		const [eventId, tableId] = key.split("|", 2);
+		if (eventId === undefined || tableId === undefined) continue;
+		const writerList = [...writers].sort(compareStrings);
+		const readerList = distinctReaders.sort(compareStrings);
+		const first =
+			writerList[0] !== undefined ? ctx.routineById.get(writerList[0] as RoutineId) : undefined;
+		if (!first) continue;
+		const rootCauseKey = `d44-rw/${eventId}|${tableId}`;
+		const evidence: EvidenceStep[] = [
+			...writerList.map((sub) => {
+				const r = ctx.routineById.get(sub as RoutineId);
+				return {
+					routineId: sub as never,
+					sourceAnchor: r?.sourceAnchor ?? first.sourceAnchor,
+					note: `writes ${tableId}`,
+				};
+			}),
+			...readerList.map((sub) => {
+				const r = ctx.routineById.get(sub as RoutineId);
+				return {
+					routineId: sub as never,
+					sourceAnchor: r?.sourceAnchor ?? first.sourceAnchor,
+					note: `reads ${tableId}`,
+				};
+			}),
+		];
+		const crossExtSubsRW = crossExtByEvent.get(eventId as EventId);
+		const finding: Finding = {
+			id: rootCauseKey,
+			rootCauseKey,
+			detector: D44_NAME,
+			title: "Event subscriber reads a table that another subscriber writes",
+			rootCause: `On event ${eventId}, subscribers {${writerList.join(", ")}} write ${tableId}; subscribers {${readerList.join(", ")}} read ${tableId}. AL subscriber order is undefined — reads may see pre- or post-mutation state.`,
+			severity: "low",
+			confidence: { level: "likely", evidence: [] },
+			primaryLocation: first.sourceAnchor,
+			evidencePath: evidence,
+			affectedObjects: [],
+			affectedTables: [tableId] as TableId[],
+			eventKind: eventKindById.get(eventId as EventId),
+			crossExtensionSubscribers:
+				crossExtSubsRW !== undefined && crossExtSubsRW.length > 0 ? crossExtSubsRW : undefined,
+			fixOptions: [
+				{
+					description:
+						"Make subscriber ordering explicit, or move the read into the writing subscriber.",
+					safety: "medium",
+				},
+			],
+			provenance: [{ source: "tree-sitter" }],
+		};
+		finding.fingerprint = fingerprintOf(finding, model);
+		findings.push(finding);
+	}
+
+	// Apply the output cap across BOTH write/write and r/w findings.
+	const grouped2 = groupAndCap(
+		findings,
+		(f) => {
+			const m = f.rootCauseKey.match(/^d44(?:-rw)?\/([^|]+)/);
+			return m?.[1] ?? f.rootCauseKey;
+		},
+		D44_MAX_PER_EVENT,
+	);
+	if (grouped2.truncated.length > 0) {
+		ctx.diagnostics.push(truncationDiagnostic(D44_NAME, "event", grouped2.truncated.length));
+	}
+
+	return {
+		findings: [...grouped2.kept].sort((a, b) => compareStrings(a.id, b.id)),
+		stats: {
+			detector: D44_NAME,
+			candidatesConsidered: candidates,
+			findingsEmitted: grouped2.kept.length,
+			skipped: {},
+		},
+	};
+}

package/src/detectors/d45-event-transitive-table-exposure.ts

@@ -0,0 +1,159 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import {
+	type EventFlowIndexes,
+	buildCrossExtensionSubscribers,
+	eventKindOf,
+} from "../engine/event-flow.ts";
+import { collectRelaySubscribers } from "../engine/event-relay.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { EventId, RoutineId, TableId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { reachableCoverage, writesTablesOf } from "./capability-query.ts";
+import type { DetectorContext } from "./detector-context.ts";
+import { groupAndCap, truncationDiagnostic } from "./finding-grouping.ts";
+
+export const D45_NAME = "d45-event-transitive-table-exposure";
+
+const D45_MAX_DEPTH = 4;
+const D45_MAX_NODES = 256;
+const D45_MAX_PER_PUBLISHER = 16;
+
+export function detectD45(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const ix = ctx.getEventFlowIndexes();
+	const findings: Finding[] = [];
+	let candidates = 0;
+
+	const eventKindById = new Map<EventId, "integration" | "business" | "internal">();
+	for (const ev of model.eventGraph.events) {
+		eventKindById.set(ev.id as EventId, eventKindOf(ev.eventKind));
+	}
+
+	// Phase 3.3: cross-extension subscriber lookup per event.
+	const crossExtByEvent = buildCrossExtensionSubscribers(model);
+
+	for (const [publisher] of ix.eventsByPublisher) {
+		const pubRoutine = ctx.routineById.get(publisher);
+		if (!pubRoutine?.summary) continue;
+		// Findings are anchored at the publisher; a dependency-app publisher's finding is
+		// scoped out by runDetectors (dep-anchored, no primary actionableAnchor). Skip those
+		// publishers up front instead of walking thousands of Base App subscriber chains whose
+		// findings are discarded. Output-identical; large cold-analyze win.
+		if (roleOf(pubRoutine) !== "primary") continue;
+		const pubWrites = new Set(writesTablesOf(pubRoutine.summary));
+		const pubCov = reachableCoverage(pubRoutine.summary);
+
+		// Walk the full subscriber chain (N hops via event + call graph).
+		const subscribersByDepth = collectRelaySubscribers(publisher, model, ix, graph, {
+			maxDepth: D45_MAX_DEPTH,
+			maxNodes: D45_MAX_NODES,
+		});
+
+		// Aggregate subscriber-induced writes, tracking worst coverage and writer sets.
+		const writerSubsByTable = new Map<string, Set<string>>();
+		let subCovWorst: "complete" | "partial" | "unknown" = "complete";
+
+		for (const [sub] of subscribersByDepth) {
+			const r = ctx.routineById.get(sub);
+			if (!r?.summary) {
+				subCovWorst = "unknown";
+				continue;
+			}
+			const status = reachableCoverage(r.summary);
+			if (status === "unknown") subCovWorst = "unknown";
+			else if (status === "partial" && subCovWorst !== "unknown") subCovWorst = "partial";
+			for (const t of writesTablesOf(r.summary)) {
+				const set = writerSubsByTable.get(t) ?? new Set<string>();
+				set.add(sub);
+				writerSubsByTable.set(t, set);
+			}
+		}
+
+		const publisherEvents = [...(ix.eventsByPublisher.get(publisher) ?? [])].sort(compareStrings);
+		const firstEvent = publisherEvents[0];
+		const publisherEventKind = firstEvent ? eventKindById.get(firstEvent as EventId) : undefined;
+
+		for (const [table, writerSet] of writerSubsByTable) {
+			candidates++;
+			const publisherAlsoWrites: "yes" | "no" | "unknown" = pubWrites.has(table)
+				? "yes"
+				: pubCov === "complete"
+					? "no"
+					: "unknown";
+			const writerSubs = [...writerSet].sort(compareStrings);
+			// direct = at least one writer is at chain depth ≤ 1 (immediate subscriber).
+			let coverageReach: "direct" | "transitive" = "transitive";
+			for (const sub of writerSubs) {
+				const d = subscribersByDepth.get(sub as RoutineId);
+				if (d !== undefined && d <= 1) {
+					coverageReach = "direct";
+					break;
+				}
+			}
+			const rootCauseKey = `d45/${publisher}|${table}`;
+			const evidence: EvidenceStep[] = writerSubs.map((sub) => {
+				const sr = ctx.routineById.get(sub as RoutineId);
+				return {
+					routineId: sub,
+					sourceAnchor: sr?.sourceAnchor ?? pubRoutine.sourceAnchor,
+					note: `subscriber writes ${table}`,
+				};
+			});
+			const crossExtSubs = firstEvent ? crossExtByEvent.get(firstEvent as EventId) : undefined;
+			const finding: Finding = {
+				id: rootCauseKey,
+				rootCauseKey,
+				detector: D45_NAME,
+				title: "Event subscribers expose table transitively from publisher",
+				rootCause: `Publisher ${publisher} dispatches to ${writerSubs.length} subscriber(s) that write table ${table}; reach=${coverageReach}; publisherAlsoWrites=${publisherAlsoWrites}; subscriberCoverage=${subCovWorst}`,
+				severity: "info",
+				confidence: { level: "likely", evidence: [] },
+				primaryLocation: pubRoutine.sourceAnchor,
+				evidencePath: evidence,
+				affectedObjects: [],
+				affectedTables: [table] as TableId[],
+				eventKind: publisherEventKind,
+				crossExtensionSubscribers:
+					crossExtSubs !== undefined && crossExtSubs.length > 0 ? crossExtSubs : undefined,
+				fixOptions: [
+					{
+						description: `Treat ${table} as part of this event's effect surface for permission/transaction reasoning.`,
+						safety: "high",
+					},
+				],
+				provenance: [{ source: "tree-sitter" }],
+			};
+			finding.fingerprint = fingerprintOf(finding, model);
+			findings.push(finding);
+		}
+	}
+
+	// Apply per-publisher cap.
+	const grouped = groupAndCap(
+		findings,
+		(f) => {
+			const m = f.rootCauseKey.match(/^d45\/([^|]+)/);
+			return m?.[1] ?? f.rootCauseKey;
+		},
+		D45_MAX_PER_PUBLISHER,
+	);
+	if (grouped.truncated.length > 0) {
+		ctx.diagnostics.push(truncationDiagnostic(D45_NAME, "publisher", grouped.truncated.length));
+	}
+
+	return {
+		findings: [...grouped.kept].sort((a, b) => compareStrings(a.id, b.id)),
+		stats: {
+			detector: D45_NAME,
+			candidatesConsidered: candidates,
+			findingsEmitted: grouped.kept.length,
+			skipped: {},
+		},
+	};
+}

package/src/detectors/d5-set-based-opportunity.ts

@@ -0,0 +1,162 @@
+import type { CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+/**
+ * Ops that count as "filter / load-state setters" and are allowed alongside a
+ * Modify without disqualifying the pattern.
+ */
+const ALLOWED_OTHER_OPS: ReadonlySet<string> = new Set([
+	"SetRange",
+	"SetFilter",
+	"SetLoadFields",
+	"AddLoadFields",
+	"SetCurrentKey",
+	"Next",
+]);
+
+/**
+ * D5 — narrow heuristic: a loop whose only DB write is Modify on the iterating record,
+ * no callSites, no other DB ops outside filter/load-state setters → emit info-level
+ * ModifyAll suggestion. Future versions can extend to DeleteAll and to conditional
+ * cases via dataflow.
+ *
+ * Detection strategy mirrors D10: use `Next()` inside the loop body to identify the
+ * record variable driving the loop (FindSet/FindFirst appear in the `if` guard before
+ * the `repeat` keyword and therefore carry loopStack === []).
+ */
+export function detectD5(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	_ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const findings: Finding[] = [];
+	let candidatesConsidered = 0;
+	let skippedOther = 0;
+
+	for (const routine of model.routines) {
+		if (roleOf(routine) !== "primary") continue;
+		if (!routine.bodyAvailable) continue;
+		if (routine.parseIncomplete) continue;
+		candidatesConsidered++;
+		let emittedForRoutine = 0;
+
+		// Map loopId → record variable that drives the loop (identified via Next() inside
+		// the repeat/until body, which always has a non-empty loopStack).
+		const loopDriver = new Map<string, string>();
+		for (const op of routine.features.recordOperations) {
+			if (op.op !== "Next") continue;
+			const loop = op.loopStack[op.loopStack.length - 1];
+			if (loop === undefined) continue;
+			if (!loopDriver.has(loop)) loopDriver.set(loop, op.recordVariableName.toLowerCase());
+		}
+
+		for (const loop of routine.features.loops) {
+			const driver = loopDriver.get(loop.id);
+			if (driver === undefined) continue;
+
+			// All record ops inside this loop.
+			const opsInLoop = routine.features.recordOperations.filter((op) =>
+				op.loopStack.includes(loop.id),
+			);
+
+			// No callSites inside the loop — interprocedural calls could hide DB ops.
+			const callsitesInLoop = routine.features.callSites.filter((cs) =>
+				cs.loopStack.includes(loop.id),
+			);
+			if (callsitesInLoop.length > 0) continue;
+
+			// Must have exactly one Modify on the iterating record variable inside the loop.
+			const modifyOps = opsInLoop.filter(
+				(op) => op.op === "Modify" && op.recordVariableName.toLowerCase() === driver,
+			);
+			if (modifyOps.length !== 1) continue;
+			const modify = modifyOps[0];
+			if (modify === undefined) continue;
+
+			// All other ops in the loop must be filter/load-state setters or Next.
+			const otherOps = opsInLoop.filter((op) => op !== modify);
+			if (!otherOps.every((op) => ALLOWED_OTHER_OPS.has(op.op))) continue;
+
+			// Find the associated retrieval op for this record variable outside the loop
+			// (FindSet/FindFirst/FindLast/Find — they live before the repeat with loopStack=[]).
+			const retrievalOp = routine.features.recordOperations.find(
+				(op) =>
+					(op.op === "FindSet" ||
+						op.op === "FindFirst" ||
+						op.op === "FindLast" ||
+						op.op === "Find") &&
+					op.recordVariableName.toLowerCase() === driver &&
+					op.loopStack.length === 0,
+			);
+
+			const recordVarDisplay =
+				routine.features.recordOperations.find(
+					(op) => op.recordVariableName.toLowerCase() === driver,
+				)?.recordVariableName ?? driver;
+
+			const path: EvidenceStep[] = [];
+			if (retrievalOp !== undefined) {
+				path.push({
+					routineId: routine.id,
+					operationId: retrievalOp.id,
+					sourceAnchor: retrievalOp.sourceAnchor,
+					note: `${retrievalOp.op} on ${recordVarDisplay} — loop entry`,
+				});
+			}
+			path.push({
+				routineId: routine.id,
+				loopId: loop.id,
+				sourceAnchor: loop.sourceAnchor,
+				note: `${loop.type} loop on ${recordVarDisplay}`,
+			});
+			path.push({
+				routineId: routine.id,
+				operationId: modify.id,
+				sourceAnchor: modify.sourceAnchor,
+				note: `Modify on ${recordVarDisplay} — consider ModifyAll`,
+			});
+
+			const finding: Finding = {
+				id: `d5/${routine.id}/${loop.id}`,
+				rootCauseKey: `d5/${routine.id}/${loop.id}`,
+				detector: "d5-set-based-opportunity",
+				title: "Loop-and-Modify could be ModifyAll",
+				rootCause: `${routine.name} loops over ${recordVarDisplay} and Modifies each row with no conditional branches or inter-record DB calls — ModifyAll on the same filter would issue one SQL statement.`,
+				severity: "info",
+				confidence: toConfidence([], "possible"),
+				primaryLocation: modify.sourceAnchor,
+				evidencePath: path,
+				affectedObjects: [routine.objectId],
+				affectedTables: modify.tableId !== undefined ? [modify.tableId] : [],
+				fixOptions: [
+					{
+						description:
+							"Replace the FindSet+repeat+Modify pattern with ModifyAll on the same filter.",
+						safety: "medium",
+					},
+				],
+				provenance: [{ source: "tree-sitter" }],
+			};
+			finding.fingerprint = fingerprintOf(finding, model);
+			findings.push(finding);
+			emittedForRoutine++;
+		}
+		if (emittedForRoutine === 0) skippedOther++;
+	}
+
+	return {
+		findings: findings.sort((a, b) => compareStrings(a.id, b.id)),
+		stats: {
+			detector: "d5-set-based-opportunity",
+			candidatesConsidered,
+			findingsEmitted: findings.length,
+			skipped: { other: skippedOther > 0 ? skippedOther : undefined },
+		},
+	};
+}

package/src/detectors/d7-recursive-event-expansion.ts

@@ -0,0 +1,151 @@
+import type { CombinedEdge, CombinedGraph } from "../engine/combined-graph.ts";
+import { compareStrings } from "../engine/uncertainty-util.ts";
+import { roleOf } from "../model/entities.ts";
+import type { DetectorStats, EvidenceStep, Finding } from "../model/finding.ts";
+import type { RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { fingerprintOf } from "../projection/finding-fingerprint.ts";
+import { toConfidence } from "./confidence.ts";
+import type { DetectorContext } from "./detector-context.ts";
+
+function tarjanSCC(
+	nodes: RoutineId[],
+	edgesFrom: (id: RoutineId) => CombinedEdge[],
+): RoutineId[][] {
+	let index = 0;
+	const indices = new Map<RoutineId, number>();
+	const lowlink = new Map<RoutineId, number>();
+	const onStack = new Set<RoutineId>();
+	const stack: RoutineId[] = [];
+	const sccs: RoutineId[][] = [];
+
+	function strongconnect(v: RoutineId): void {
+		indices.set(v, index);
+		lowlink.set(v, index);
+		index++;
+		stack.push(v);
+		onStack.add(v);
+		for (const e of edgesFrom(v)) {
+			const w = e.to;
+			if (!indices.has(w)) {
+				strongconnect(w);
+				const lvl = lowlink.get(v) ?? 0;
+				const lwl = lowlink.get(w) ?? 0;
+				lowlink.set(v, Math.min(lvl, lwl));
+			} else if (onStack.has(w)) {
+				const lvl = lowlink.get(v) ?? 0;
+				const iwl = indices.get(w) ?? 0;
+				lowlink.set(v, Math.min(lvl, iwl));
+			}
+		}
+		if (lowlink.get(v) === indices.get(v)) {
+			const scc: RoutineId[] = [];
+			let w: RoutineId | undefined;
+			do {
+				w = stack.pop();
+				if (w === undefined) break;
+				onStack.delete(w);
+				scc.push(w);
+			} while (w !== v);
+			sccs.push(scc);
+		}
+	}
+	for (const v of nodes) if (!indices.has(v)) strongconnect(v);
+	return sccs;
+}
+
+/**
+ * D7 — Recursive event expansion: an event-subscriber cycle where a subscriber
+ * transitively publishes an event whose subscriber eventually publishes the original
+ * event again (or any other event in the same SCC). Any such cycle risks unbounded
+ * recursion at runtime.
+ *
+ * Algorithm: Tarjan SCC over the combined graph. Report any SCC of size >= 2 that
+ * contains at least one event-dispatch edge (within the SCC) AND at least one primary
+ * routine.
+ */
+export function detectD7(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	ctx: DetectorContext,
+): { findings: Finding[]; stats: DetectorStats } {
+	const edgesFrom = (id: RoutineId) => graph.edgesByFrom.get(id) ?? [];
+	const sccs = tarjanSCC(graph.nodes, edgesFrom).filter((scc) => scc.length >= 2);
+
+	const findings: Finding[] = [];
+	const { routineById } = ctx;
+	const candidatesConsidered = sccs.length;
+
+	for (const scc of sccs) {
+		const inSet = new Set(scc);
+		const hasEventEdge = scc.some((from) =>
+			(graph.edgesByFrom.get(from) ?? []).some(
+				(e) => e.kind === "event-dispatch" && inSet.has(e.to),
+			),
+		);
+		if (!hasEventEdge) continue;
+		const hasPrimary = scc.some((id) => {
+			const r = routineById.get(id);
+			return r !== undefined && roleOf(r) === "primary";
+		});
+		if (!hasPrimary) continue;
+
+		const sortedScc = [...scc].sort();
+		const path: EvidenceStep[] = sortedScc.map((id) => {
+			const r = routineById.get(id);
+			return {
+				routineId: id,
+				sourceAnchor: r?.sourceAnchor ?? {
+					sourceUnitId: "",
+					range: { startLine: 0, startColumn: 0, endLine: 0, endColumn: 0 },
+					enclosingRoutineId: id,
+					syntaxKind: "routine",
+				},
+				note: r ? `participant: ${r.name}` : `participant: ${id}`,
+			};
+		});
+		const firstId = sortedScc[0];
+		if (firstId === undefined) continue;
+		const anchorRoutine = routineById.get(firstId);
+		if (!anchorRoutine) continue;
+
+		const finding: Finding = {
+			id: `d7/${sortedScc.join(",")}`,
+			rootCauseKey: `d7/${sortedScc.join(",")}`,
+			detector: "d7-recursive-event-expansion",
+			title: "Event subscriber chain forms a cycle",
+			rootCause: `Routines ${sortedScc.map((id) => routineById.get(id)?.name ?? id).join(" → ")} → ${anchorRoutine.name} form an event-dispatch cycle — invoking any of them at runtime can trigger unbounded recursion.`,
+			severity: "high",
+			confidence: toConfidence([], "likely"),
+			primaryLocation: anchorRoutine.sourceAnchor,
+			evidencePath: path,
+			affectedObjects: [
+				...new Set(
+					sortedScc
+						.map((id) => routineById.get(id)?.objectId)
+						.filter((x): x is string => x !== undefined),
+				),
+			].sort(),
+			affectedTables: [],
+			fixOptions: [
+				{
+					description:
+						"Break the cycle: either remove one of the event publishes from a subscriber, or gate the publish on a 'currently-processing' flag.",
+					safety: "low",
+				},
+			],
+			provenance: [{ source: "tree-sitter" }],
+		};
+		finding.fingerprint = fingerprintOf(finding, model);
+		findings.push(finding);
+	}
+	return {
+		findings: findings.sort((a, b) => compareStrings(a.id, b.id)),
+		stats: {
+			detector: "d7-recursive-event-expansion",
+			candidatesConsidered,
+			findingsEmitted: findings.length,
+			skipped: {},
+		},
+	};
+}