al-sem 0.0.1

package/src/engine/control-flow-walker.ts

@@ -0,0 +1,1317 @@
+import type {
+	CallArgumentBinding,
+	CallSite,
+	ControlFlowNode,
+	FieldAccess,
+	RecordOperation,
+	Routine,
+} from "../model/entities.ts";
+import type { CallsiteId, FieldId, RoutineId } from "../model/ids.ts";
+import type { EffectPresence, RoutineSummary } from "../model/summary.ts";
+import { joinPresence } from "./effect-lattice.ts";
+import { recordFlowRoleOf } from "./op-classification.ts";
+import type { SummaryContext } from "./summary-context.ts";
+
+/**
+ * Per-parameter path-aware state computed by the walker.
+ *
+ * Phase 6 rewrite: the walker now does a recursive AL-statement-tree traversal
+ * (via `routine.features.statementTree`) maintaining branch-aware per-parameter
+ * state. Output facts:
+ *  - Entry requirements: `requiresLoadedAtEntry`, `requiredLoadedFieldsAtEntry`,
+ *    `mutatesBeforeLoad` (same shape as Phase 4 — strictly more precise now).
+ *  - Exit effects: `dirtyAtExit`, `currentLoadedFieldsAtExit` (path-proven).
+ *  - Per-callsite snapshot: `currentLoadedFieldsAtCallsite` (for D42 in P8).
+ */
+export interface PathAwareFacts {
+	parameterIndex: number;
+
+	// Entry requirements (Phase 4 — preserved with higher precision in Phase 6)
+	requiresLoadedAtEntry: EffectPresence;
+	requiredLoadedFieldsAtEntry: FieldId[] | "unknown";
+	mutatesBeforeLoad: EffectPresence;
+
+	// Per-callsite snapshots — currentLoadedFields visible to the callee at
+	// each forwarding callsite. Indexed by callsite id. Populated in Phase 6.
+	currentLoadedFieldsAtCallsite: Map<string, FieldId[] | "full" | "unknown">;
+
+	// Exit-effect facts (Phase 6).
+	dirtyAtExit: EffectPresence;
+	currentLoadedFieldsAtExit: FieldId[] | "full" | "unknown";
+}
+
+// ============================================================================
+// Internal state machine
+// ============================================================================
+
+type Loaded = "yes" | "no" | "unknown";
+type Dirty = "pristine" | "dirty" | "persisted" | "unknown";
+type LoadedFields = FieldId[] | "full" | "unknown";
+type PendingNarrow = FieldId[] | "none" | "unknown";
+
+/**
+ * Per-parameter mutable state threaded along control flow. Lists are kept sorted
+ * and unique so equality comparison + deterministic output are cheap.
+ *
+ * Conventions:
+ *  - `loaded`: `"yes"` after a load/init/copyInto op or call that loads on the
+ *    callee var-param side; `"unknown"` after a branch join where branches disagree.
+ *  - `dirty`: lattice element from §(b) of the spec. `pristine | dirty | persisted | unknown`.
+ *  - `pendingNarrow`: the pending SetLoadFields/AddLoadFields set that the NEXT
+ *    Get/Find/Next would consume into `currentLoadedFields`. `"none"` means no
+ *    pending narrow (next load loads everything).
+ *  - `currentLoadedFields`: what's currently loaded in the record. `"full"` at init
+ *    (matches AL semantics: a fresh record loads all normal fields on first Get).
+ *  - `requiresLoadedAtEntry` / `mutatesBeforeLoad`: ⊔-accumulated contributions
+ *    across the walk, never lowered.
+ *  - `requiredFields`: raw field-name strings (case-preserved from the indexer).
+ *    Cast to FieldId at output time to match the v1 walker's shape.
+ *    `"unknown"` absorbs.
+ */
+interface PerParamState {
+	loaded: Loaded;
+	dirty: Dirty;
+	pendingNarrow: PendingNarrow;
+	currentLoadedFields: LoadedFields;
+	requiresLoadedAtEntry: EffectPresence;
+	mutatesBeforeLoad: EffectPresence;
+	requiredFields: Set<string> | "unknown";
+}
+
+function initialState(): PerParamState {
+	return {
+		loaded: "no",
+		dirty: "pristine",
+		pendingNarrow: "none",
+		currentLoadedFields: "full",
+		requiresLoadedAtEntry: "no",
+		mutatesBeforeLoad: "no",
+		requiredFields: new Set(),
+	};
+}
+
+// ----- lattice joins --------------------------------------------------------
+
+function joinLoaded(a: Loaded, b: Loaded): Loaded {
+	if (a === b) return a;
+	return "unknown";
+}
+
+function joinDirty(a: Dirty, b: Dirty): Dirty {
+	if (a === b) return a;
+	// "dirty" dominates anything else (sound: at least one path is dirty).
+	if (a === "dirty" || b === "dirty") return "dirty";
+	// otherwise unknown (mixed pristine/persisted/unknown).
+	return "unknown";
+}
+
+function joinPending(a: PendingNarrow, b: PendingNarrow): PendingNarrow {
+	if (a === "unknown" || b === "unknown") return "unknown";
+	if (a === "none" && b === "none") return "none";
+	if (a === "none" || b === "none") return "unknown";
+	// Both are lists — they must agree or join to unknown.
+	if (a.length !== b.length) return "unknown";
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return "unknown";
+	return a;
+}
+
+function joinLoadedFields(a: LoadedFields, b: LoadedFields): LoadedFields {
+	if (a === "unknown" || b === "unknown") return "unknown";
+	if (a === "full" && b === "full") return "full";
+	if (a === "full" || b === "full") return "unknown";
+	// Both are lists — equal lists merge; differing -> unknown (sound, less precise).
+	if (a.length !== b.length) return "unknown";
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return "unknown";
+	return a;
+}
+
+function joinRequiredFields(
+	a: Set<string> | "unknown",
+	b: Set<string> | "unknown",
+): Set<string> | "unknown" {
+	if (a === "unknown" || b === "unknown") return "unknown";
+	const out = new Set<string>(a);
+	for (const f of b) out.add(f);
+	return out;
+}
+
+function joinStates(a: PerParamState, b: PerParamState): PerParamState {
+	return {
+		loaded: joinLoaded(a.loaded, b.loaded),
+		dirty: joinDirty(a.dirty, b.dirty),
+		pendingNarrow: joinPending(a.pendingNarrow, b.pendingNarrow),
+		currentLoadedFields: joinLoadedFields(a.currentLoadedFields, b.currentLoadedFields),
+		requiresLoadedAtEntry: joinPresence(a.requiresLoadedAtEntry, b.requiresLoadedAtEntry),
+		mutatesBeforeLoad: joinPresence(a.mutatesBeforeLoad, b.mutatesBeforeLoad),
+		requiredFields: joinRequiredFields(a.requiredFields, b.requiredFields),
+	};
+}
+
+function statesEqual(a: PerParamState, b: PerParamState): boolean {
+	if (a.loaded !== b.loaded) return false;
+	if (a.dirty !== b.dirty) return false;
+	if (a.requiresLoadedAtEntry !== b.requiresLoadedAtEntry) return false;
+	if (a.mutatesBeforeLoad !== b.mutatesBeforeLoad) return false;
+	if (!pendingEqual(a.pendingNarrow, b.pendingNarrow)) return false;
+	if (!loadedFieldsEqual(a.currentLoadedFields, b.currentLoadedFields)) return false;
+	if (!requiredFieldsEqual(a.requiredFields, b.requiredFields)) return false;
+	return true;
+}
+
+function pendingEqual(a: PendingNarrow, b: PendingNarrow): boolean {
+	if (a === b) return true;
+	if (typeof a === "string" || typeof b === "string") return false;
+	if (a.length !== b.length) return false;
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
+	return true;
+}
+
+function loadedFieldsEqual(a: LoadedFields, b: LoadedFields): boolean {
+	if (a === b) return true;
+	if (typeof a === "string" || typeof b === "string") return false;
+	if (a.length !== b.length) return false;
+	for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
+	return true;
+}
+
+function requiredFieldsEqual(a: Set<string> | "unknown", b: Set<string> | "unknown"): boolean {
+	if (a === "unknown" && b === "unknown") return true;
+	if (a === "unknown" || b === "unknown") return false;
+	if (a.size !== b.size) return false;
+	for (const f of a) if (!b.has(f)) return false;
+	return true;
+}
+
+/**
+ * Saturate all "decidable" fields to unknown — used by:
+ *  - bounded loop overshoot (state did not converge),
+ *  - opaque callee on a var-param (cannot reason about effect),
+ *  - "other" / unrecognised statement nodes (conservative).
+ *
+ * Accumulated entry-requirement contributions (`requiresLoadedAtEntry`,
+ * `mutatesBeforeLoad`, `requiredFields`) are NOT lowered — they're monotone
+ * lattice elements that only grow.
+ */
+function saturateUnknown(s: PerParamState): PerParamState {
+	return {
+		loaded: "unknown",
+		dirty: "unknown",
+		pendingNarrow: "unknown",
+		currentLoadedFields: "unknown",
+		requiresLoadedAtEntry: s.requiresLoadedAtEntry,
+		mutatesBeforeLoad: s.mutatesBeforeLoad,
+		requiredFields: "unknown",
+	};
+}
+
+// ============================================================================
+// Walker entry point
+// ============================================================================
+
+/**
+ * Walk the routine's body with per-parameter state tracking.
+ *
+ * Phase 6 implementation: recursive AL-statement-tree walker using
+ * `routine.features.statementTree` (populated in P6.T1). Maintains
+ * branch-aware state per record-parameter, joining state-sets at
+ * `if`/`case`/loop joins. Bounded loop fixed-point (max 3) with
+ * `"unknown"`-saturation on overshoot.
+ *
+ * Falls back to a single straight-line pass over `recordOperations` +
+ * `fieldAccesses` + `callSites` when `statementTree` is absent — keeps the
+ * walker usable on routines whose body wasn't indexed with the CFN builder
+ * (e.g. older fixtures, parse-incomplete bodies that still expose flat features).
+ *
+ * When `lookup` is provided, the walker uses it for callee summaries during the
+ * fixed-point (current iteration). When absent, falls back to `routine.summary`
+ * on the callee.
+ */
+export function walkRoutine(
+	routine: Routine,
+	ctx: SummaryContext,
+	lookup?: (id: RoutineId) => RoutineSummary | undefined,
+): PathAwareFacts[] {
+	const facts: PathAwareFacts[] = [];
+
+	for (const param of routine.parameters) {
+		if (!param.isRecord) continue;
+
+		const recVar = routine.features.recordVariables.find(
+			(rv) => rv.isParameter && rv.parameterIndex === param.index,
+		);
+		const recVarNameLc = recVar?.name.toLowerCase() ?? param.name.toLowerCase();
+		const recVarId = recVar?.id;
+		const paramCtx: ParamCtx = { index: param.index, nameLc: recVarNameLc, recVarId };
+
+		// Per-walk snapshots collected at every forwarding callsite for this param.
+		const callsiteSnapshots = new Map<CallsiteId, LoadedFields>();
+		// Exit states collected at every `exit`/`error` reached by the walker.
+		const exitStates: PerParamState[] = [];
+
+		const tree = routine.features.statementTree;
+		const initial = initialState();
+
+		let finalState: PerParamState;
+		if (tree !== undefined) {
+			const opIndex = indexOps(routine);
+			const callIndex = indexCalls(routine);
+			const faIndex = indexFieldAccesses(routine);
+			finalState = walkCFG(
+				tree,
+				initial,
+				paramCtx,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				callsiteSnapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+		} else {
+			// No statement tree — straight-line fallback using flat features.
+			finalState = walkFlat(routine, paramCtx, ctx, lookup, initial, callsiteSnapshots);
+		}
+
+		// Aggregate exit + fallthrough states for the exit-effect facts.
+		const allExitStates: PerParamState[] = [...exitStates, finalState];
+		const dirtyAtExit = computeDirtyAtExit(allExitStates);
+		const currentLoadedFieldsAtExit = computeCurrentLoadedAtExit(allExitStates);
+
+		// Entry-requirement facts: take the JOIN across all exit + fallthrough states
+		// — every path's contribution counts. (These fields are accumulator-style so
+		// joinPresence yields the same as the JOIN of contributions on every reached
+		// exit state.)
+		let requires: EffectPresence = "no";
+		let mutates: EffectPresence = "no";
+		let required: Set<string> | "unknown" = new Set();
+		for (const s of allExitStates) {
+			requires = joinPresence(requires, s.requiresLoadedAtEntry);
+			mutates = joinPresence(mutates, s.mutatesBeforeLoad);
+			required = joinRequiredFields(required, s.requiredFields);
+		}
+
+		const requiredFieldsFinal: FieldId[] | "unknown" =
+			required === "unknown" ? "unknown" : ([...required].sort() as FieldId[]);
+
+		facts.push({
+			parameterIndex: param.index,
+			requiresLoadedAtEntry: requires,
+			requiredLoadedFieldsAtEntry: requiredFieldsFinal,
+			mutatesBeforeLoad: mutates,
+			currentLoadedFieldsAtCallsite: callsiteSnapshots,
+			dirtyAtExit,
+			currentLoadedFieldsAtExit,
+		});
+	}
+	return facts;
+}
+
+// ============================================================================
+// Recursive walker
+// ============================================================================
+
+interface ParamCtx {
+	index: number;
+	nameLc: string;
+	recVarId: string | undefined;
+}
+
+type OpIndex = Map<string, RecordOperation>;
+type CallIndex = Map<string, CallSite>;
+type FaIndex = Map<string, FieldAccess[]>; // keyed by `${line}:${column}`
+
+function indexOps(routine: Routine): OpIndex {
+	const m: OpIndex = new Map();
+	for (const op of routine.features.recordOperations) m.set(op.id, op);
+	return m;
+}
+
+function indexCalls(routine: Routine): CallIndex {
+	const m: CallIndex = new Map();
+	for (const cs of routine.features.callSites) m.set(cs.id, cs);
+	return m;
+}
+
+/**
+ * Field accesses are not represented as their own CFN leaves (the indexer
+ * doesn't anchor them in the statement tree). To attribute field reads to
+ * the correct CFN position, we index every FA by `(line, column)` of its
+ * source anchor. Each block-walker call (`case "block"` in `walkCFG`) then
+ * picks the FAs whose source position falls inside the block but NOT inside
+ * any RECURSIVE child (block / if / case / case-branch / loops / try /
+ * "other"-with-children) — those recursive children will attribute them
+ * themselves. FAs inside a non-recursive leaf (op / call / exit / error /
+ * leaf "other") are correctly attributed by the enclosing block.
+ *
+ * This yields branch-aware attribution: e.g. an FA inside the `then` branch
+ * of an `if` is walked by the `if`'s then-branch block, so its contribution
+ * is joined with the else-branch contribution at the `if` join point.
+ */
+function indexFieldAccesses(routine: Routine): FaIndex {
+	const m: FaIndex = new Map();
+	for (const fa of routine.features.fieldAccesses) {
+		const key = `${fa.sourceAnchor.range.startLine}:${fa.sourceAnchor.range.startColumn}`;
+		const list = m.get(key);
+		if (list !== undefined) list.push(fa);
+		else m.set(key, [fa]);
+	}
+	return m;
+}
+
+function walkCFG(
+	node: ControlFlowNode,
+	pre: PerParamState,
+	param: ParamCtx,
+	routine: Routine,
+	ctx: SummaryContext,
+	lookup: ((id: RoutineId) => RoutineSummary | undefined) | undefined,
+	exitStates: PerParamState[],
+	snapshots: Map<CallsiteId, LoadedFields>,
+	opIndex: OpIndex,
+	callIndex: CallIndex,
+	faIndex: FaIndex,
+): PerParamState {
+	switch (node.kind) {
+		case "block": {
+			let state = pre;
+			// Interleave field-access events with child CFN nodes by source position.
+			// A field read like `Cust.Name` fires at its own line, NOT at the block
+			// entry. This matters when an op (e.g. `Cust.Get(...)`) precedes the FA
+			// in the same block: the Get walks first → loaded=yes → the FA no
+			// longer contributes to requiresLoadedAtEntry.
+			const children = node.children ?? [];
+			const fas = collectFieldAccessesInBlock(node, children, param, faIndex);
+			const events: Array<
+				| { kind: "child"; node: ControlFlowNode; line: number; col: number }
+				| { kind: "fa"; fa: FieldAccess; line: number; col: number }
+			> = [];
+			for (const c of children) {
+				events.push({
+					kind: "child",
+					node: c,
+					line: c.sourceAnchor.range.startLine,
+					col: c.sourceAnchor.range.startColumn,
+				});
+			}
+			for (const fa of fas) {
+				events.push({
+					kind: "fa",
+					fa,
+					line: fa.sourceAnchor.range.startLine,
+					col: fa.sourceAnchor.range.startColumn,
+				});
+			}
+			events.sort((a, b) => (a.line !== b.line ? a.line - b.line : a.col - b.col));
+			for (const e of events) {
+				if (e.kind === "child") {
+					state = walkCFG(
+						e.node,
+						state,
+						param,
+						routine,
+						ctx,
+						lookup,
+						exitStates,
+						snapshots,
+						opIndex,
+						callIndex,
+						faIndex,
+					);
+				} else {
+					state = applyFieldRead(state, e.fa);
+				}
+			}
+			return state;
+		}
+		case "if": {
+			// P7.5: condition-position ops/calls evaluate BEFORE branch selection.
+			const preBranch = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			const thenBranch = node.children?.[0];
+			const elseBranch = node.elseChildren?.[0];
+			const thenState =
+				thenBranch !== undefined
+					? walkCFG(
+							thenBranch,
+							preBranch,
+							param,
+							routine,
+							ctx,
+							lookup,
+							exitStates,
+							snapshots,
+							opIndex,
+							callIndex,
+							faIndex,
+						)
+					: preBranch;
+			const elseState =
+				elseBranch !== undefined
+					? walkCFG(
+							elseBranch,
+							preBranch,
+							param,
+							routine,
+							ctx,
+							lookup,
+							exitStates,
+							snapshots,
+							opIndex,
+							callIndex,
+							faIndex,
+						)
+					: preBranch; // missing else = the no-match path = preBranch.
+			return joinStates(thenState, elseState);
+		}
+		case "case": {
+			// Walk each case-branch from `pre`; join all post-states.
+			// case-else-branch is one of the children (the CFN builder uses the
+			// same `case-branch` kind for both, since the lattice doesn't care).
+			// If the case has no `else`, the no-match path = pre, which we include
+			// in the join (spec §(b): "missing default = pre-state").
+			//
+			// P7.5: case-value expression evaluates ONCE before branch selection.
+			const preBranch = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			const branches = node.children ?? [];
+			let hasElse = false;
+			let acc: PerParamState | undefined;
+			for (const c of branches) {
+				if (c.sourceAnchor.syntaxKind === "case_else_branch") hasElse = true;
+				const post = walkCFG(
+					c,
+					preBranch,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+				acc = acc === undefined ? post : joinStates(acc, post);
+			}
+			if (acc === undefined) return preBranch; // empty case
+			if (!hasElse) acc = joinStates(acc, preBranch);
+			return acc;
+		}
+		case "case-branch": {
+			// case-branch wraps a single body block as its first child.
+			let state = pre;
+			for (const c of node.children ?? []) {
+				state = walkCFG(
+					c,
+					state,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+			}
+			return state;
+		}
+		case "while":
+		case "for":
+		case "foreach": {
+			// Bounded fixed-point: walk body up to 3 times; if state isn't yet
+			// converged, saturate decidable lattice fields to "unknown" but keep
+			// accumulated entry-requirement contributions.
+			//
+			// Body iteration semantics: at the start of each iteration we are at
+			// the join of (pre, previous body post). The body itself may use
+			// `exit`/`error` — those snapshots are captured into `exitStates`.
+			//
+			// P7.5: condition / range / iterable expression-position ops fire BEFORE
+			// each body iteration (pre-condition test). The fixed-point naturally
+			// folds them into each iteration: we apply conditionLeaves first, then
+			// the body. The post-loop "loop did not run" path also requires the
+			// condition to have been evaluated at least once.
+			const bodyNode = node.children?.[0];
+			// Apply the (zero-or-many) condition leaves once for the "loop ran zero
+			// times" path: even if the body never runs, the condition was tested
+			// (whether true or false). This ensures the loaded-after-cond effect
+			// reaches the post-loop state.
+			const preCond = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			if (bodyNode === undefined) return preCond;
+			let bodyPre = preCond;
+			for (let i = 0; i < 3; i++) {
+				const bodyPost = walkCFG(
+					bodyNode,
+					bodyPre,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+				// Re-apply condition leaves at start of next iteration (pre-condition
+				// loops test before each iteration's body).
+				const nextIterPre = applyConditionLeaves(
+					bodyPost,
+					node.conditionLeaves,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+				const joined = joinStates(bodyPre, nextIterPre);
+				if (statesEqual(joined, bodyPre)) {
+					return joined;
+				}
+				bodyPre = joined;
+			}
+			return saturateUnknown(bodyPre);
+		}
+		case "repeat": {
+			// repeat ... until: body executes at least once, condition tested AFTER body.
+			// P7.5: the until-expression's ops fire at the END of each iteration.
+			const bodyNode = node.children?.[0];
+			if (bodyNode === undefined) {
+				// No body — just apply the until-condition (degenerate; grammar shouldn't
+				// produce this, but stay safe).
+				return applyConditionLeaves(
+					pre,
+					node.conditionLeaves,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+			}
+			let bodyPre = pre;
+			for (let i = 0; i < 3; i++) {
+				const bodyPost = walkCFG(
+					bodyNode,
+					bodyPre,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+				// Apply until-condition leaves AFTER body (post-condition semantics).
+				const afterCond = applyConditionLeaves(
+					bodyPost,
+					node.conditionLeaves,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+				const joined = joinStates(bodyPre, afterCond);
+				if (statesEqual(joined, bodyPre)) {
+					return joined;
+				}
+				bodyPre = joined;
+			}
+			return saturateUnknown(bodyPre);
+		}
+		case "exit": {
+			exitStates.push(pre);
+			return pre;
+		}
+		case "error": {
+			// P7.5: any argument-position ops on a bare Error(...) call still
+			// execute before the Error exits (argument evaluation precedes call).
+			const post = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			exitStates.push(post);
+			return post;
+		}
+		case "op": {
+			// P7.5: nested ops in arguments evaluate BEFORE this op (`foo(bar.X())`).
+			const preOp = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			const op = opIndex.get(node.operationId ?? "");
+			if (op === undefined) return preOp;
+			return applyOp(preOp, op, param);
+		}
+		case "call": {
+			// P7.5: argument-position ops evaluate BEFORE the call applies.
+			const preCall = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			const cs = callIndex.get(node.callsiteId ?? "");
+			if (cs === undefined) return preCall;
+			return applyCall(preCall, cs, param, ctx, lookup, snapshots);
+		}
+		case "try": {
+			// AL grammar currently does not expose a try_statement, so children
+			// is empty. Treat as opaque-with-possible-exit: snapshot a sat-unknown
+			// exit state and return saturated.
+			const sat = saturateUnknown(pre);
+			exitStates.push(sat);
+			return sat;
+		}
+		default: {
+			// "other" (and any future unrecognised kind) wraps assignment / message /
+			// with / asserterror / etc. Recursively
+			// walk any children (e.g. `with_statement` body) so embedded ops/calls
+			// inside the wrapped statement still affect state.
+			// P7.5: also apply any argument-position leaves harvested by the indexer
+			// (e.g. a call_expression statement whose function is unresolved but whose
+			// arguments contain a record-op).
+			let state = applyConditionLeaves(
+				pre,
+				node.conditionLeaves,
+				param,
+				routine,
+				ctx,
+				lookup,
+				exitStates,
+				snapshots,
+				opIndex,
+				callIndex,
+				faIndex,
+			);
+			for (const c of node.children ?? []) {
+				state = walkCFG(
+					c,
+					state,
+					param,
+					routine,
+					ctx,
+					lookup,
+					exitStates,
+					snapshots,
+					opIndex,
+					callIndex,
+					faIndex,
+				);
+			}
+			return state;
+		}
+	}
+}
+
+/**
+ * P7.5: process a node's harvested expression-position leaves (`conditionLeaves`)
+ * in source order. Each leaf is an `op` / `call` / `error` ControlFlowNode produced
+ * by the indexer's `harvestExpressionLeaves`. We re-enter `walkCFG` for each leaf so
+ * nested argument leaves (e.g. `Helper(Cust.FindSet())` → call leaf with op
+ * conditionLeaves) propagate correctly.
+ *
+ * The CALLER controls timing: pre-body (if/case/while/for/foreach), post-body
+ * (repeat), or pre-effect (op/call/error/other-with-args). This helper is purely
+ * a sequencer — it doesn't decide.
+ */
+function applyConditionLeaves(
+	pre: PerParamState,
+	leaves: ControlFlowNode[] | undefined,
+	param: ParamCtx,
+	routine: Routine,
+	ctx: SummaryContext,
+	lookup: ((id: RoutineId) => RoutineSummary | undefined) | undefined,
+	exitStates: PerParamState[],
+	snapshots: Map<CallsiteId, LoadedFields>,
+	opIndex: OpIndex,
+	callIndex: CallIndex,
+	faIndex: FaIndex,
+): PerParamState {
+	if (leaves === undefined || leaves.length === 0) return pre;
+	let state = pre;
+	for (const leaf of leaves) {
+		state = walkCFG(
+			leaf,
+			state,
+			param,
+			routine,
+			ctx,
+			lookup,
+			exitStates,
+			snapshots,
+			opIndex,
+			callIndex,
+			faIndex,
+		);
+	}
+	return state;
+}
+
+// ============================================================================
+// Op + call application
+// ============================================================================
+
+function opAffectsParam(op: RecordOperation, param: ParamCtx): boolean {
+	if (param.recVarId !== undefined && op.recordVariableId === param.recVarId) return true;
+	return op.recordVariableName.toLowerCase() === param.nameLc;
+}
+
+function applyOp(state: PerParamState, op: RecordOperation, param: ParamCtx): PerParamState {
+	if (!opAffectsParam(op, param)) return state;
+	const role = recordFlowRoleOf(op.op);
+	const out: PerParamState = {
+		...state,
+		requiredFields: state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+	};
+	switch (role) {
+		case "loadsFromDb": {
+			out.loaded = "yes";
+			if (out.pendingNarrow === "unknown") {
+				out.currentLoadedFields = "unknown";
+			} else if (out.pendingNarrow === "none") {
+				out.currentLoadedFields = "full";
+			} else {
+				out.currentLoadedFields = [...out.pendingNarrow].sort() as FieldId[];
+			}
+			out.pendingNarrow = "none";
+			out.dirty = "pristine";
+			break;
+		}
+		case "initialises": {
+			out.loaded = "yes";
+			out.currentLoadedFields = "full";
+			out.pendingNarrow = "none";
+			out.dirty = "pristine";
+			break;
+		}
+		case "copiesInto": {
+			out.loaded = "yes";
+			// currentLoadedFields after Copy/TransferFields is conservatively unknown
+			// (depends on the source record), but we keep prior state — copy doesn't
+			// reduce knowledge about what's loaded.
+			out.dirty = "pristine";
+			break;
+		}
+		case "persistsCurrent": {
+			if (out.loaded !== "yes") {
+				out.requiresLoadedAtEntry = "yes";
+				out.mutatesBeforeLoad = "yes";
+			}
+			out.dirty = "persisted";
+			break;
+		}
+		case "validates": {
+			if (out.loaded !== "yes") {
+				out.requiresLoadedAtEntry = "yes";
+				out.mutatesBeforeLoad = "yes";
+			}
+			// Validate transitions to dirty (raises in-memory dirty); doesn't lower
+			// `persisted` because once persisted the Modify+Validate sequence is its
+			// own dirty cycle. Spec wording: "Validate → dirty (if was pristine) /
+			// unchanged (otherwise)". We model "unchanged" conservatively here so
+			// `persisted → Validate` stays `persisted` (downgrading to dirty would
+			// invent a may-fact); but if prior was pristine OR unknown we raise to
+			// dirty. This is the sound choice.
+			if (out.dirty === "pristine") out.dirty = "dirty";
+			else if (out.dirty === "unknown") out.dirty = "dirty";
+			break;
+		}
+		case "setBasedWrite": {
+			// ModifyAll / DeleteAll are set-based and do NOT transition the current
+			// record's dirty state. They DO require the record to be in a valid
+			// filter-state — but that's covered by D41, not the dirty lattice.
+			break;
+		}
+		case "resetsFilter": {
+			out.pendingNarrow = "none";
+			// Reset does NOT reload; currentLoadedFields unchanged.
+			break;
+		}
+		case "neutral": {
+			if (op.op === "SetLoadFields") {
+				const fields = [...new Set(op.fieldArguments ?? [])].sort();
+				out.pendingNarrow = fields as FieldId[];
+			} else if (op.op === "AddLoadFields") {
+				const additions = op.fieldArguments ?? [];
+				if (out.pendingNarrow === "unknown") {
+					// stay unknown
+				} else if (out.pendingNarrow === "none") {
+					out.pendingNarrow = [...new Set(additions)].sort() as FieldId[];
+				} else {
+					out.pendingNarrow = [
+						...new Set([...out.pendingNarrow, ...additions]),
+					].sort() as FieldId[];
+				}
+			}
+			// Other neutral ops (SetRange/SetFilter/TestField/SetCurrentKey/Count/etc.)
+			// — no state change here.
+			break;
+		}
+	}
+	return out;
+}
+
+function applyCall(
+	state: PerParamState,
+	cs: CallSite,
+	param: ParamCtx,
+	ctx: SummaryContext,
+	lookup: ((id: RoutineId) => RoutineSummary | undefined) | undefined,
+	snapshots: Map<CallsiteId, LoadedFields>,
+): PerParamState {
+	// Find the binding that forwards THIS param to the callee.
+	const binding = cs.argumentBindings.find((b) => {
+		if (b.bindingResolution !== "resolved") return false;
+		if (param.recVarId !== undefined && b.sourceRecordVariableId === param.recVarId) return true;
+		return b.sourceVariableName === param.nameLc;
+	});
+
+	// Even if no binding for this param, the call might still be a relevant snapshot
+	// for OTHER params; but we only record snapshots when this param IS forwarded.
+	if (binding === undefined) return state;
+
+	// Snapshot the current loaded fields at this callsite for D42's use.
+	snapshots.set(cs.id, state.currentLoadedFields);
+
+	const edge = ctx.resolvedCallEdgeByCallsite.get(cs.id);
+	const callee = edge?.to !== undefined ? ctx.routineById.get(edge.to) : undefined;
+	if (callee === undefined || callee.bodyAvailable === false) {
+		// Opaque callee — sound c1b: var-on-var means we lose state. Entry-req
+		// composition (c1a) is also unknown for an opaque callee — JOIN unknown.
+		const out: PerParamState = {
+			...state,
+			requiredFields:
+				state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+		};
+		if (state.loaded !== "yes") {
+			out.requiresLoadedAtEntry = joinPresence(state.requiresLoadedAtEntry, "unknown");
+			out.mutatesBeforeLoad = joinPresence(state.mutatesBeforeLoad, "unknown");
+		}
+		if (binding.callerSourceParameterIsVar && binding.calleeParameterIsVar) {
+			out.loaded = "unknown";
+			out.dirty = "unknown";
+			out.pendingNarrow = "unknown";
+			out.currentLoadedFields = "unknown";
+		}
+		return out;
+	}
+
+	const calleeSummary = lookup !== undefined ? lookup(callee.id) : callee.summary;
+	const calleeRole = calleeSummary?.parameterRoles.find(
+		(r) => r.parameterIndex === binding.parameterIndex,
+	);
+	if (calleeRole === undefined) {
+		// Callee body available but no role for this param — treat as opaque-ish.
+		const out: PerParamState = {
+			...state,
+			requiredFields:
+				state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+		};
+		if (state.loaded !== "yes") {
+			out.requiresLoadedAtEntry = joinPresence(state.requiresLoadedAtEntry, "unknown");
+			out.mutatesBeforeLoad = joinPresence(state.mutatesBeforeLoad, "unknown");
+		}
+		if (binding.callerSourceParameterIsVar && binding.calleeParameterIsVar) {
+			out.loaded = "unknown";
+			out.dirty = "unknown";
+			out.pendingNarrow = "unknown";
+			out.currentLoadedFields = "unknown";
+		}
+		return out;
+	}
+
+	const out: PerParamState = {
+		...state,
+		requiredFields: state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+	};
+
+	// c1a — entry requirements compose regardless of var-ness, but only when
+	// we haven't loaded yet on this path.
+	if (state.loaded !== "yes") {
+		out.requiresLoadedAtEntry = joinPresence(
+			state.requiresLoadedAtEntry,
+			calleeRole.requiresLoadedAtEntry,
+		);
+		out.mutatesBeforeLoad = joinPresence(state.mutatesBeforeLoad, calleeRole.mutatesBeforeLoad);
+		if (out.requiredFields !== "unknown") {
+			if (calleeRole.requiredLoadedFieldsAtEntry === "unknown") {
+				out.requiredFields = "unknown";
+			} else {
+				for (const f of calleeRole.requiredLoadedFieldsAtEntry) out.requiredFields.add(f);
+			}
+		}
+	}
+
+	// c1b — exit effects compose only when BOTH the caller-side source and the
+	// callee-side parameter are var.
+	if (binding.callerSourceParameterIsVar && binding.calleeParameterIsVar) {
+		// loadsFromDbParam / initialisesParam / copiesIntoParam all establish
+		// loaded=yes on the caller's record handle when the callee runs.
+		if (
+			calleeRole.loadsFromDbParam === "yes" ||
+			calleeRole.initialisesParam === "yes" ||
+			calleeRole.copiesIntoParam === "yes"
+		) {
+			out.loaded = "yes";
+			// We don't know what fields the callee loaded — conservatively trust
+			// the callee's exit-loaded set if it's not unknown, else mark unknown.
+			out.currentLoadedFields = calleeRole.currentLoadedFieldsAtExit;
+			out.pendingNarrow = "none";
+		} else if (
+			calleeRole.loadsFromDbParam === "unknown" ||
+			calleeRole.initialisesParam === "unknown" ||
+			calleeRole.copiesIntoParam === "unknown"
+		) {
+			out.loaded = "unknown";
+			out.currentLoadedFields = "unknown";
+			out.pendingNarrow = "unknown";
+		}
+
+		// dirty state transitions: persisted dominates dirty dominates pristine.
+		// We must respect the spec's "Validate dominates if any branch dirty" rule
+		// at branch joins; here at a callsite, the callee's may-facts are an OR.
+		// Conservative rules:
+		//   - persistsCurrentRecord=yes (may persist): for non-[TryFunction] callees,
+		//     transition out.dirty -> "persisted" (best-case we trust the persist).
+		//     For [TryFunction] callees, the persist may not happen — keep as unknown.
+		//     v1 simplification: we conservatively join, since we cannot tell
+		//     [TryFunction] from here. The spec calls this out as a documented
+		//     unknown-clearing case; we mirror it by NOT downgrading dirty just
+		//     because callee may persist (sound-but-imprecise).
+		if (calleeRole.persistsCurrentRecord === "yes") {
+			// Spec: treat persist-contribution conservatively. Keep dirty if it's
+			// already dirty (this is the dirtyAtExit soundness anchor); transition
+			// pristine -> persisted; unknown -> unknown.
+			if (out.dirty === "pristine") out.dirty = "persisted";
+			// dirty stays dirty (don't optimistically clear)
+			// persisted stays persisted
+			// unknown stays unknown
+		}
+		if (calleeRole.validatesParam === "yes" || calleeRole.copiesIntoParam === "yes") {
+			// Validate raises dirty if was pristine; otherwise keep.
+			if (out.dirty === "pristine") out.dirty = "dirty";
+			else if (out.dirty === "unknown") out.dirty = "dirty";
+		}
+		if (calleeRole.resetsFiltersOnParam === "yes") {
+			out.pendingNarrow = "none";
+		}
+
+		// If any of the dirty-affecting may-facts are unknown, conservatively
+		// raise out.dirty to unknown (don't claim certainty).
+		if (
+			calleeRole.persistsCurrentRecord === "unknown" ||
+			calleeRole.validatesParam === "unknown" ||
+			calleeRole.copiesIntoParam === "unknown"
+		) {
+			if (out.dirty === "pristine" || out.dirty === "persisted") out.dirty = "unknown";
+		}
+	}
+
+	return out;
+}
+
+// ============================================================================
+// Field-read accumulation (sound-but-imprecise — see indexFieldAccesses doc)
+// ============================================================================
+
+/**
+ * Collect field accesses on `param` that fall inside this block's source range
+ * but NOT inside any of its direct children's ranges. These are the "bare" FAs
+ * that belong to this block level (e.g. `Message(Cust.Name)` in a routine body).
+ *
+ * FAs nested inside a child node (e.g. inside an `if` branch body block) are
+ * attributed by THAT child's recursive walk, not here.
+ */
+function collectFieldAccessesInBlock(
+	block: ControlFlowNode,
+	children: ControlFlowNode[],
+	param: ParamCtx,
+	faIndex: FaIndex,
+): FieldAccess[] {
+	const result: FieldAccess[] = [];
+	const blockRange = block.sourceAnchor.range;
+
+	function fallsInRange(
+		faLine: number,
+		faCol: number,
+		startLine: number,
+		startCol: number,
+		endLine: number,
+		endCol: number,
+	): boolean {
+		if (faLine < startLine || faLine > endLine) return false;
+		if (faLine === startLine && faCol < startCol) return false;
+		if (faLine === endLine && faCol > endCol) return false;
+		return true;
+	}
+
+	for (const list of faIndex.values()) {
+		for (const fa of list) {
+			if (fa.recordVariableName.toLowerCase() !== param.nameLc) continue;
+			const fr = fa.sourceAnchor.range;
+			// Must lie inside the block range.
+			if (
+				!fallsInRange(
+					fr.startLine,
+					fr.startColumn,
+					blockRange.startLine,
+					blockRange.startColumn,
+					blockRange.endLine,
+					blockRange.endColumn,
+				)
+			)
+				continue;
+			// MUST NOT lie inside any direct child that ITSELF recurses into FAs.
+			// Leaf nodes (op/call/exit/error, "other" without children) do not
+			// recurse, so an FA at e.g. `Message(Cust.Name)` (which becomes a
+			// call leaf covering the FA's position) MUST be attributed here.
+			// Composite children (block / if / case / case-branch / loops /
+			// try / "other"-with-children) WILL recurse and attribute the FA
+			// themselves; exclude those.
+			let inRecursiveChild = false;
+			for (const c of children) {
+				if (!childRecursesIntoFAs(c)) continue;
+				const cr = c.sourceAnchor.range;
+				if (
+					fallsInRange(
+						fr.startLine,
+						fr.startColumn,
+						cr.startLine,
+						cr.startColumn,
+						cr.endLine,
+						cr.endColumn,
+					)
+				) {
+					inRecursiveChild = true;
+					break;
+				}
+			}
+			if (inRecursiveChild) continue;
+			result.push(fa);
+		}
+	}
+	return result;
+}
+
+/**
+ * True iff `walkCFG` would recurse into a child of this node — implying it
+ * could re-attribute FAs inside its range. False for terminal/opaque nodes
+ * (op/call/exit/error and "other" without children) — FAs inside their range
+ * must be attributed by the enclosing block.
+ */
+function childRecursesIntoFAs(c: ControlFlowNode): boolean {
+	switch (c.kind) {
+		case "op":
+		case "call":
+		case "exit":
+		case "error":
+			return false;
+		case "other":
+			return (c.children ?? []).length > 0;
+		default:
+			// block / if / case / case-branch / while / repeat / for / foreach / try
+			return true;
+	}
+}
+
+function applyFieldRead(state: PerParamState, fa: FieldAccess): PerParamState {
+	if (state.loaded === "yes") return state;
+	const out: PerParamState = {
+		...state,
+		requiredFields: state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+	};
+	out.requiresLoadedAtEntry = "yes";
+	if (out.requiredFields !== "unknown") out.requiredFields.add(fa.fieldName);
+	return out;
+}
+
+// ============================================================================
+// Exit-fact aggregation
+// ============================================================================
+
+function computeDirtyAtExit(states: PerParamState[]): EffectPresence {
+	// Spec §(b): if any exit state has dirty -> "yes"; else if any has unknown
+	// -> "unknown"; else "no". `persisted` and `pristine` are clean.
+	let anyDirty = false;
+	let anyUnknown = false;
+	for (const s of states) {
+		if (s.dirty === "dirty") {
+			anyDirty = true;
+			break;
+		}
+		if (s.dirty === "unknown") anyUnknown = true;
+	}
+	if (anyDirty) return "yes";
+	if (anyUnknown) return "unknown";
+	return "no";
+}
+
+function computeCurrentLoadedAtExit(states: PerParamState[]): LoadedFields {
+	let acc: LoadedFields | undefined;
+	for (const s of states) {
+		acc = acc === undefined ? s.currentLoadedFields : joinLoadedFields(acc, s.currentLoadedFields);
+	}
+	return acc ?? "unknown";
+}
+
+// ============================================================================
+// Flat fallback (no statementTree available)
+// ============================================================================
+
+type FlatEvent =
+	| { kind: "op"; op: RecordOperation; line: number; col: number }
+	| { kind: "field"; fa: FieldAccess; line: number; col: number }
+	| {
+			kind: "call";
+			cs: CallSite;
+			binding: CallArgumentBinding;
+			line: number;
+			col: number;
+	  };
+
+function walkFlat(
+	routine: Routine,
+	param: ParamCtx,
+	ctx: SummaryContext,
+	lookup: ((id: RoutineId) => RoutineSummary | undefined) | undefined,
+	pre: PerParamState,
+	snapshots: Map<CallsiteId, LoadedFields>,
+): PerParamState {
+	const events: FlatEvent[] = [];
+	for (const op of routine.features.recordOperations) {
+		if (!opAffectsParam(op, param)) continue;
+		events.push({
+			kind: "op",
+			op,
+			line: op.sourceAnchor.range.startLine,
+			col: op.sourceAnchor.range.startColumn,
+		});
+	}
+	for (const fa of routine.features.fieldAccesses) {
+		if (fa.recordVariableName.toLowerCase() !== param.nameLc) continue;
+		events.push({
+			kind: "field",
+			fa,
+			line: fa.sourceAnchor.range.startLine,
+			col: fa.sourceAnchor.range.startColumn,
+		});
+	}
+	for (const cs of routine.features.callSites) {
+		for (const binding of cs.argumentBindings) {
+			if (binding.bindingResolution !== "resolved") continue;
+			const byId =
+				param.recVarId !== undefined && binding.sourceRecordVariableId === param.recVarId;
+			const byName = binding.sourceVariableName === param.nameLc;
+			if (!byId && !byName) continue;
+			events.push({
+				kind: "call",
+				cs,
+				binding,
+				line: cs.sourceAnchor.range.startLine,
+				col: cs.sourceAnchor.range.startColumn,
+			});
+			break;
+		}
+	}
+	events.sort((a, b) => (a.line !== b.line ? a.line - b.line : a.col - b.col));
+
+	let state = pre;
+	for (const e of events) {
+		if (e.kind === "op") {
+			state = applyOp(state, e.op, param);
+		} else if (e.kind === "field") {
+			if (state.loaded !== "yes") {
+				const out: PerParamState = {
+					...state,
+					requiredFields:
+						state.requiredFields === "unknown" ? "unknown" : new Set(state.requiredFields),
+				};
+				out.requiresLoadedAtEntry = "yes";
+				if (out.requiredFields !== "unknown") out.requiredFields.add(e.fa.fieldName);
+				state = out;
+			}
+		} else {
+			state = applyCall(state, e.cs, param, ctx, lookup, snapshots);
+		}
+	}
+	return state;
+}