al-sem 0.0.1

package/src/cli/fingerprint-indexes.ts

@@ -0,0 +1,130 @@
+import type { CapabilityFact } from "../model/capability.ts";
+import type { CoverageRecord } from "../model/coverage.ts";
+import type { GraphEdge } from "../model/graph-edge.ts";
+import type { CallsiteId, OperationId } from "../model/ids.ts";
+import type { StableRoutineId } from "../model/stable-identity.ts";
+import type { CallsiteEvidence, CapabilitySnapshot, OperationEvidence } from "../snapshot/types.ts";
+
+/**
+ * The shared per-invocation index set used by `fingerprintQuery` and
+ * `reconstructWitnessPaths`. Built once from a `CapabilitySnapshot`.
+ *
+ * `routineDisplayById` is the full `Object::Routine` form (e.g.
+ * `Codeunit "Sales-Post"::Run`). Other display maps return shorter forms
+ * (`stableIdToDisplay` is whatever the identity table records for that id).
+ */
+export interface FingerprintIndexes {
+	stableIdToDisplay: Map<string, string>;
+	/** Lowercase whitespace-normalized display → all routines that match. */
+	displayToStableIds: Map<string, StableRoutineId[]>;
+	routineDisplayById: Map<StableRoutineId, string>;
+	outgoingEdges: Map<StableRoutineId, readonly GraphEdge[]>;
+	factsByRoutine: Map<StableRoutineId, readonly CapabilityFact[]>;
+	directFactsByRoutine: Map<StableRoutineId, readonly CapabilityFact[]>;
+	coverageByRoutine: Map<StableRoutineId, CoverageRecord>;
+	callsiteById: Map<CallsiteId, CallsiteEvidence>;
+	operationById: Map<OperationId, OperationEvidence>;
+	/** Event-id → display for hop rendering; sourced from event declarations. */
+	eventDisplayById: Map<string, string>;
+}
+
+const ROUTINE_ID_SEPARATOR = "#"; // StableRoutineId encodes `${stableObjectId}#${signatureHash}`
+
+function isRoutineStableId(id: string): boolean {
+	return id.includes(ROUTINE_ID_SEPARATOR);
+}
+
+/**
+ * Lowercase, trim, collapse internal whitespace. Used by both the index builder
+ * (key for `displayToStableIds`) and the query module's selector resolver.
+ * Shared so the two sides cannot silently drift apart on the normalization contract.
+ */
+export function normalizeDisplayKey(s: string): string {
+	return s.trim().toLowerCase().replace(/\s+/g, " ");
+}
+
+/**
+ * Builds the shared per-invocation index set from a CapabilitySnapshot.
+ * Used by fingerprint query and witness path reconstruction.
+ */
+export function buildFingerprintIndexes(snap: CapabilitySnapshot): FingerprintIndexes {
+	const stableIdToDisplay = new Map<string, string>();
+	const displayToStableIds = new Map<string, StableRoutineId[]>();
+	const routineDisplayById = new Map<StableRoutineId, string>();
+
+	for (let i = 0; i < snap.identities.stableIds.length; i++) {
+		const id = snap.identities.stableIds[i] ?? "";
+		const display = snap.identities.displayNames[i] ?? "";
+		if (id === "") continue;
+		stableIdToDisplay.set(id, display);
+		if (isRoutineStableId(id)) {
+			const rid = id as StableRoutineId;
+			routineDisplayById.set(rid, display);
+			const key = normalizeDisplayKey(display);
+			const list = displayToStableIds.get(key) ?? [];
+			list.push(rid);
+			displayToStableIds.set(key, list);
+		}
+	}
+
+	const outgoingEdges = new Map<StableRoutineId, GraphEdge[]>();
+	for (const edge of snap.typedEdges) {
+		const from = edge.from as unknown as StableRoutineId;
+		const list = outgoingEdges.get(from) ?? [];
+		list.push(edge);
+		outgoingEdges.set(from, list);
+	}
+
+	const factsByRoutine = new Map<StableRoutineId, CapabilityFact[]>();
+	const directFactsByRoutine = new Map<StableRoutineId, CapabilityFact[]>();
+	for (const fact of snap.capabilityFacts) {
+		const subject = fact.subject as unknown as StableRoutineId;
+		const list = factsByRoutine.get(subject) ?? [];
+		list.push(fact);
+		factsByRoutine.set(subject, list);
+		if (fact.provenance === "direct") {
+			const direct = directFactsByRoutine.get(subject) ?? [];
+			direct.push(fact);
+			directFactsByRoutine.set(subject, direct);
+		}
+	}
+
+	const coverageByRoutine = new Map<StableRoutineId, CoverageRecord>();
+	for (const rec of snap.coverage) {
+		coverageByRoutine.set(rec.subject as unknown as StableRoutineId, rec);
+	}
+
+	const callsiteById = new Map<CallsiteId, CallsiteEvidence>();
+	for (const cs of snap.callsiteIndex) {
+		callsiteById.set(cs.callsiteId, cs);
+	}
+
+	const operationById = new Map<OperationId, OperationEvidence>();
+	for (const op of snap.operationIndex) {
+		operationById.set(op.operationId, op);
+	}
+
+	const eventDisplayById = new Map<string, string>();
+	for (const decl of snap.eventDeclarations) {
+		if (decl.kind !== "publisher") continue;
+		// StableEventId format: `${stablePublisherObjectId}::${eventName}::${parameterShapeHash}`.
+		// Extract event name from middle segment. Publishers have the canonical name; subscribers
+		// carry back-pointers only and should not override this map.
+		const parts = decl.eventId.split("::");
+		const eventName = parts[1] ?? String(decl.eventId);
+		eventDisplayById.set(String(decl.eventId), eventName);
+	}
+
+	return {
+		stableIdToDisplay,
+		displayToStableIds,
+		routineDisplayById,
+		outgoingEdges: outgoingEdges as Map<StableRoutineId, readonly GraphEdge[]>,
+		factsByRoutine: factsByRoutine as Map<StableRoutineId, readonly CapabilityFact[]>,
+		directFactsByRoutine: directFactsByRoutine as Map<StableRoutineId, readonly CapabilityFact[]>,
+		coverageByRoutine,
+		callsiteById,
+		operationById,
+		eventDisplayById,
+	};
+}

package/src/cli/fingerprint-query.ts

@@ -0,0 +1,543 @@
+import type {
+	CapabilityConfidence,
+	CapabilityFact,
+	CapabilityOp,
+	CapabilityProvenance,
+	CapabilityResourceKind,
+	CapabilityVia,
+	ValueSource,
+} from "../model/capability.ts";
+import type { CoverageReason, CoverageStatus } from "../model/coverage.ts";
+import type { CallsiteId } from "../model/ids.ts";
+import type { RootKind } from "../model/root-classification.ts";
+import type { StableObjectId, StableRoutineId } from "../model/stable-identity.ts";
+import type { CapabilitySnapshot } from "../snapshot/types.ts";
+import {
+	type FingerprintIndexes,
+	buildFingerprintIndexes,
+	normalizeDisplayKey,
+} from "./fingerprint-indexes.ts";
+import {
+	type WitnessDiagnostic,
+	type WitnessIndexes,
+	type WitnessPath,
+	reconstructWitnessPaths,
+} from "./fingerprint-witness.ts";
+
+export interface FingerprintFilters {
+	roots?: ReadonlySet<RootKind>;
+	routineSelectors?: readonly string[];
+	includeInherited: boolean;
+	witnessLimit: false | number | "all";
+}
+
+export interface FingerprintQueryResult {
+	blocks: readonly FingerprintBlock[];
+	diagnostics: readonly FingerprintQueryDiagnostic[];
+	summary: {
+		totalClassifications: number;
+		renderedBlocks: number;
+		rootsConfigIgnored: boolean;
+	};
+}
+
+export interface FingerprintBlock {
+	routineId: StableRoutineId;
+	objectId?: StableObjectId;
+	objectDisplay: string;
+	routineDisplay: string;
+	kinds: readonly RootKind[];
+	classificationSource: "ast" | "config" | "ast+config";
+	configEntryId?: string;
+	coverage: BlockCoverage;
+	families: readonly BlockCapabilityFamily[];
+	mayCommit: BlockCommitSummary;
+	dispatch: BlockDispatchSummary;
+	requiredPermissions: readonly PermissionLine[];
+	witnesses: readonly BlockWitness[];
+}
+
+export interface BlockCoverage {
+	status: CoverageStatus;
+	directStatus: CoverageStatus;
+	inheritedStatus: CoverageStatus;
+	reasons: readonly CoverageReason[];
+	unknownTargets: readonly string[];
+	unknownTargetDisplays: readonly string[];
+	inheritedExcluded: boolean;
+}
+
+export interface BlockCapabilityFamily {
+	kind: CapabilityResourceKind;
+	coneCoverage: CoverageStatus;
+	resources: readonly BlockResource[];
+}
+
+export interface BlockResource {
+	id?: string;
+	display: string;
+	source?: ValueSource;
+	confidence: CapabilityConfidence;
+	ops: readonly CapabilityOp[];
+	facts: readonly CapabilityFact[];
+}
+
+export interface BlockCommitSummary {
+	presence: "yes" | "no" | "unknown";
+	witnessFact?: CapabilityFact;
+}
+
+export interface BlockDispatchSummary {
+	resolved: readonly DispatchInstance[];
+	unresolved: readonly DispatchInstance[];
+}
+
+export interface DispatchInstance {
+	objectType: "Codeunit" | "Page" | "Report";
+	targetId?: string;
+	targetDisplay?: string;
+	targetIdSource?: ValueSource;
+	confidence: CapabilityConfidence;
+	modal?: boolean;
+	provenance: CapabilityProvenance;
+	via: CapabilityVia;
+	witnessCallsiteId?: CallsiteId;
+}
+
+export interface PermissionLine {
+	targetKind: "table" | "object";
+	targetId: string;
+	targetDisplay: string;
+	rights: string;
+	coverage: CoverageStatus;
+}
+
+export interface BlockWitness {
+	fact: CapabilityFact;
+	paths: readonly WitnessPath[];
+	truncated: boolean;
+	incomplete: boolean;
+	diagnostics: readonly WitnessDiagnostic[];
+}
+
+export type FingerprintQueryDiagnostic =
+	| { kind: "selector-unresolved"; selector: string; triedForms: readonly string[] }
+	| {
+			kind: "selector-ambiguous";
+			selector: string;
+			matchedForm: string;
+			candidates: readonly { stableId: StableRoutineId; display: string }[];
+	  };
+
+const SELECTOR_FORMS = ["stable-routine-id", "full-display", "two-segment", "one-segment"] as const;
+
+const MAX_AMBIGUOUS_CANDIDATES = 16;
+
+function resolveSelector(
+	selector: string,
+	indexes: FingerprintIndexes,
+): { matches: StableRoutineId[]; matchedForm: string } {
+	// Form 1: exact StableRoutineId match (case-sensitive).
+	if (indexes.routineDisplayById.has(selector as StableRoutineId)) {
+		return { matches: [selector as StableRoutineId], matchedForm: "stable-routine-id" };
+	}
+
+	// Form 2: full display name.
+	const key = normalizeDisplayKey(selector);
+	const full = indexes.displayToStableIds.get(key) ?? [];
+	if (full.length > 0) return { matches: full, matchedForm: "full-display" };
+
+	// Form 3: two-segment match — user omits the leading type-keyword prefix.
+	// Display format is always `TypeWord "ObjectName"::RoutineName` (the TypeWord
+	// is an unquoted AL keyword such as Codeunit, Page, Report). Strip the leading
+	// word-and-space to get `"ObjectName"::RoutineName` and compare. This approach
+	// is robust to "::" appearing inside a quoted object name, which
+	// `display.split("::")` and naive `lastIndexOf` cannot handle correctly.
+	const typeWordPrefix = /^\w+\s+/;
+	const two: StableRoutineId[] = [];
+	for (const [display, ids] of indexes.displayToStableIds) {
+		const stripped = display.replace(typeWordPrefix, "");
+		if (stripped !== display && stripped === key) two.push(...ids);
+	}
+	if (two.length > 0) return { matches: two, matchedForm: "two-segment" };
+
+	// Form 4: one-segment (`Routine`).
+	// The routine name follows the last "::" in the display. Using lastIndexOf
+	// instead of split is robust to "::" inside quoted object names, since the
+	// routine identifier itself is always unquoted and never contains "::".
+	const one: StableRoutineId[] = [];
+	for (const [display, ids] of indexes.displayToStableIds) {
+		const lastSep = display.lastIndexOf("::");
+		const last = lastSep < 0 ? display : display.slice(lastSep + 2);
+		if (normalizeDisplayKey(last) === key) one.push(...ids);
+	}
+	if (one.length > 0) return { matches: one, matchedForm: "one-segment" };
+
+	// No match — matchedForm is "" since it is not read when matches is empty.
+	return { matches: [], matchedForm: "" };
+}
+
+export function fingerprintQuery(
+	snap: CapabilitySnapshot,
+	filters: FingerprintFilters,
+): FingerprintQueryResult {
+	const indexes = buildFingerprintIndexes(snap);
+	const diagnostics: FingerprintQueryDiagnostic[] = [];
+
+	// Resolve --routine selectors.
+	// Consumed by block aggregation below to intersect with the root pool.
+	const resolvedSet = new Set<StableRoutineId>();
+	let anySelectorFailed = false;
+	if (filters.routineSelectors !== undefined && filters.routineSelectors.length > 0) {
+		for (const sel of filters.routineSelectors) {
+			const { matches, matchedForm } = resolveSelector(sel, indexes);
+			if (matches.length === 0) {
+				diagnostics.push({
+					kind: "selector-unresolved",
+					selector: sel,
+					triedForms: SELECTOR_FORMS,
+				});
+				anySelectorFailed = true;
+				continue;
+			}
+			if (matches.length >= 2) {
+				diagnostics.push({
+					kind: "selector-ambiguous",
+					selector: sel,
+					matchedForm,
+					candidates: matches.slice(0, MAX_AMBIGUOUS_CANDIDATES).map((id) => ({
+						stableId: id,
+						display: indexes.routineDisplayById.get(id) ?? "",
+					})),
+				});
+				anySelectorFailed = true;
+				continue;
+			}
+			const first = matches[0];
+			if (first !== undefined) resolvedSet.add(first);
+		}
+	}
+
+	if (anySelectorFailed) {
+		return {
+			blocks: [],
+			diagnostics,
+			summary: {
+				totalClassifications: snap.rootClassifications.length,
+				renderedBlocks: 0,
+				rootsConfigIgnored: snap.inputsMetadata?.rootsConfigIgnored === true,
+			},
+		};
+	}
+
+	// --- Build root pool, filter, aggregate ---
+	const rootPool = snap.rootClassifications.filter((r) => {
+		const id = r.routineId as unknown as StableRoutineId;
+		if (filters.roots !== undefined) {
+			const roots = filters.roots;
+			const intersects = r.kinds.some((k) => roots.has(k as RootKind));
+			if (!intersects) return false;
+		}
+		if (filters.routineSelectors !== undefined && filters.routineSelectors.length > 0) {
+			if (!resolvedSet.has(id)) return false;
+		}
+		return true;
+	});
+
+	const blocks: FingerprintBlock[] = [];
+	for (const root of rootPool) {
+		const rid = root.routineId as unknown as StableRoutineId;
+		const block = buildBlock(rid, root, snap, indexes, filters);
+		if (block !== undefined) blocks.push(block);
+	}
+	blocks.sort((a, b) => (a.routineId < b.routineId ? -1 : a.routineId > b.routineId ? 1 : 0));
+
+	return {
+		blocks,
+		diagnostics,
+		summary: {
+			totalClassifications: snap.rootClassifications.length,
+			renderedBlocks: blocks.length,
+			rootsConfigIgnored: snap.inputsMetadata?.rootsConfigIgnored === true,
+		},
+	};
+}
+
+const CAPABILITY_RESOURCE_KIND_ORDER: readonly CapabilityResourceKind[] = [
+	"table",
+	"event",
+	"codeunit",
+	"page",
+	"report",
+	"http",
+	"telemetry",
+	"isolated-storage",
+	"file",
+	"transaction",
+	"ui",
+	"background",
+];
+
+function parseObjectIdFromRoutine(rid: StableRoutineId): StableObjectId | undefined {
+	const hashAt = rid.lastIndexOf("#");
+	if (hashAt <= 0) return undefined;
+	return rid.slice(0, hashAt) as StableObjectId;
+}
+
+function splitObjectAndRoutine(display: string): { object: string; routine: string } {
+	const idx = display.lastIndexOf("::");
+	if (idx < 0) return { object: "", routine: display };
+	return { object: display.slice(0, idx), routine: display.slice(idx + 2) };
+}
+
+function resolveResourceDisplay(
+	fact: CapabilityFact,
+	indexes: FingerprintIndexes,
+): { id?: string; display: string; source?: ValueSource } {
+	const raw = fact.resourceId;
+	if (raw !== undefined) {
+		const display = indexes.stableIdToDisplay.get(String(raw)) ?? String(raw);
+		return { id: String(raw), display };
+	}
+	if (fact.resourceArgSource !== undefined) {
+		return { display: renderValueSource(fact.resourceArgSource), source: fact.resourceArgSource };
+	}
+	return { display: "<unknown>" };
+}
+
+function renderValueSource(vs: ValueSource): string {
+	// Minimal renderer; extend if richer formatting is needed for
+	// table-field / constant-var / expression cases.
+	switch (vs.kind) {
+		case "literal":
+			return vs.value;
+		case "enum":
+			return vs.member !== undefined ? `${vs.enumName}.${vs.member}` : vs.enumName;
+		case "constant-var":
+			return vs.varName;
+		case "parameter":
+			return vs.varName;
+		case "table-field":
+			return `${String(vs.tableId)}.${vs.fieldName}`;
+		case "expression":
+			return "<expression>";
+		case "unknown":
+			return "<unknown>";
+	}
+}
+
+function buildBlock(
+	rid: StableRoutineId,
+	root: CapabilitySnapshot["rootClassifications"][number],
+	snap: CapabilitySnapshot,
+	indexes: FingerprintIndexes,
+	filters: FingerprintFilters,
+): FingerprintBlock | undefined {
+	const display = indexes.routineDisplayById.get(rid) ?? String(rid);
+	const split = splitObjectAndRoutine(display);
+
+	const rootFacts = indexes.factsByRoutine.get(rid) ?? [];
+	const renderedFacts = filters.includeInherited
+		? rootFacts
+		: rootFacts.filter((f) => f.provenance === "direct");
+
+	const covRec = indexes.coverageByRoutine.get(rid);
+	const coverage: BlockCoverage = {
+		status: filters.includeInherited
+			? (covRec?.inheritedStatus ?? "unknown")
+			: (covRec?.directStatus ?? "unknown"),
+		directStatus: covRec?.directStatus ?? "unknown",
+		inheritedStatus: covRec?.inheritedStatus ?? "unknown",
+		reasons: covRec?.reasons ?? [],
+		unknownTargets: covRec?.unknownTargets ?? [],
+		unknownTargetDisplays: (covRec?.unknownTargets ?? []).map(
+			(t) => indexes.stableIdToDisplay.get(t) ?? t,
+		),
+		inheritedExcluded: !filters.includeInherited,
+	};
+
+	// --- families ---
+	const byKind = new Map<CapabilityResourceKind, CapabilityFact[]>();
+	for (const f of renderedFacts) {
+		// Dispatch facts go into the dispatch summary, not a family.
+		if (f.op === "execute" && f.extra?.kind === "dispatch") continue;
+		const arr = byKind.get(f.resourceKind) ?? [];
+		arr.push(f);
+		byKind.set(f.resourceKind, arr);
+	}
+	const families: BlockCapabilityFamily[] = [];
+	for (const kind of CAPABILITY_RESOURCE_KIND_ORDER) {
+		const facts = byKind.get(kind);
+		if (facts === undefined || facts.length === 0) continue;
+		const resByDisplay = new Map<string, BlockResource>();
+		for (const f of facts) {
+			const rd = resolveResourceDisplay(f, indexes);
+			const key = rd.id ?? rd.display;
+			const existing = resByDisplay.get(key);
+			if (existing === undefined) {
+				resByDisplay.set(key, {
+					id: rd.id,
+					display: rd.display,
+					source: rd.source,
+					confidence: f.confidence,
+					ops: [f.op],
+					facts: [f],
+				});
+			} else {
+				const opsSet = new Set(existing.ops);
+				opsSet.add(f.op);
+				resByDisplay.set(key, {
+					...existing,
+					ops: [...opsSet],
+					facts: [...existing.facts, f],
+				});
+			}
+		}
+		const resources = [...resByDisplay.values()].sort((a, b) =>
+			a.display < b.display
+				? -1
+				: a.display > b.display
+					? 1
+					: a.id && b.id
+						? a.id < b.id
+							? -1
+							: 1
+						: 0,
+		);
+		families.push({ kind, coneCoverage: coverage.status, resources });
+	}
+
+	// --- mayCommit ---
+	const commitFact = renderedFacts.find((f) => f.op === "commit");
+	const mayCommit: BlockCommitSummary = {
+		presence:
+			commitFact !== undefined ? "yes" : coverage.directStatus === "complete" ? "no" : "unknown",
+		witnessFact: commitFact,
+	};
+
+	// --- dispatch ---
+	const resolvedDisp: DispatchInstance[] = [];
+	const unresolvedDisp: DispatchInstance[] = [];
+	for (const f of renderedFacts) {
+		if (f.op !== "execute") continue;
+		if (f.extra?.kind !== "dispatch") continue;
+		const extra = f.extra;
+		const targetId = f.resourceId !== undefined ? String(f.resourceId) : undefined;
+		const targetDisplay =
+			targetId !== undefined ? (indexes.stableIdToDisplay.get(targetId) ?? targetId) : undefined;
+		const inst: DispatchInstance = {
+			objectType: extra.objectType,
+			targetId,
+			targetDisplay,
+			targetIdSource: f.resourceArgSource,
+			confidence: f.confidence,
+			modal: extra.modal,
+			provenance: f.provenance,
+			via: f.via,
+			witnessCallsiteId: f.witnessCallsiteId,
+		};
+		if (targetId !== undefined) resolvedDisp.push(inst);
+		else unresolvedDisp.push(inst);
+	}
+	resolvedDisp.sort((a, b) => {
+		const aKey = a.targetId ?? "";
+		const bKey = b.targetId ?? "";
+		if (aKey !== bKey) return aKey < bKey ? -1 : 1;
+		return 0;
+	});
+	unresolvedDisp.sort((a, b) => {
+		// Unresolved instances have no targetId; sort by witnessCallsiteId for stability.
+		const aKey = String(a.witnessCallsiteId ?? "");
+		const bKey = String(b.witnessCallsiteId ?? "");
+		if (aKey !== bKey) return aKey < bKey ? -1 : 1;
+		return 0;
+	});
+	const dispatch: BlockDispatchSummary = {
+		resolved: resolvedDisp,
+		unresolved: unresolvedDisp,
+	};
+
+	// --- required permissions ---
+	const permMap = new Map<string, PermissionLine>();
+	for (const f of renderedFacts) {
+		if (f.resourceKind !== "table") continue;
+		if (f.resourceId === undefined) continue;
+		const target = String(f.resourceId);
+		const targetDisplay = indexes.stableIdToDisplay.get(target) ?? target;
+		const key = `table|${target}`;
+		const existing = permMap.get(key);
+		const right =
+			f.op === "read"
+				? "R"
+				: f.op === "insert"
+					? "W"
+					: f.op === "modify"
+						? "M"
+						: f.op === "delete"
+							? "D"
+							: "";
+		if (right === "") continue;
+		if (existing === undefined) {
+			permMap.set(key, {
+				targetKind: "table",
+				targetId: target,
+				targetDisplay,
+				rights: right,
+				coverage: coverage.status,
+			});
+		} else {
+			const rs = new Set(existing.rights.split(""));
+			rs.add(right);
+			permMap.set(key, { ...existing, rights: [...rs].sort().join("") });
+		}
+	}
+	const requiredPermissions = [...permMap.values()].sort((a, b) =>
+		a.targetDisplay < b.targetDisplay ? -1 : a.targetDisplay > b.targetDisplay ? 1 : 0,
+	);
+
+	// --- witnesses ---
+	const witnesses: BlockWitness[] = [];
+	if (filters.witnessLimit !== false) {
+		const witnessIndexes: WitnessIndexes = {
+			outgoingEdges: indexes.outgoingEdges,
+			directFactsByRoutine: indexes.directFactsByRoutine,
+			callsiteById: indexes.callsiteById,
+			operationById: indexes.operationById,
+			routineDisplayById: indexes.routineDisplayById,
+			stableIdToDisplay: indexes.stableIdToDisplay,
+			eventDisplayById: indexes.eventDisplayById,
+			coverageByRoutine: indexes.coverageByRoutine,
+		};
+		for (const fact of renderedFacts) {
+			const outcome = reconstructWitnessPaths({
+				rootId: rid,
+				fact,
+				limit: filters.witnessLimit,
+				indexes: witnessIndexes,
+			});
+			witnesses.push({
+				fact,
+				paths: outcome.paths,
+				truncated: outcome.truncated,
+				incomplete: outcome.incomplete,
+				diagnostics: outcome.diagnostics,
+			});
+		}
+	}
+
+	return {
+		routineId: rid,
+		objectId: parseObjectIdFromRoutine(rid),
+		objectDisplay: split.object,
+		routineDisplay: split.routine,
+		kinds: root.kinds as readonly RootKind[],
+		classificationSource: root.source,
+		configEntryId: root.configEntryId,
+		coverage,
+		families,
+		mayCommit,
+		dispatch,
+		requiredPermissions,
+		witnesses,
+	};
+}