al-sem 0.0.1

package/src/engine/event-flow.ts

@@ -0,0 +1,524 @@
+import type { CapabilityFact } from "../model/capability.ts";
+import { type Scope, roleOf } from "../model/entities.ts";
+import type { EventEdge } from "../model/graph.ts";
+import type { EventId, RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import { compareStrings } from "./uncertainty-util.ts";
+
+/**
+ * Per-event lookup of subscribers whose subscriberAppId differs from the
+ * publisher's appGuid. Sorted RoutineId list. Empty when all subscribers
+ * are in-app. Returns an empty array (not undefined) for events not
+ * tracked or with no cross-app subscribers.
+ *
+ * Used by D43/D44/D45 to populate Finding.crossExtensionSubscribers
+ * evidence (Phase 3.3 §4.2 — evidence-only, no detector filtering).
+ */
+export function buildCrossExtensionSubscribers(
+	model: SemanticModel,
+): ReadonlyMap<EventId, readonly RoutineId[]> {
+	// Map object id → appGuid for fast lookup.
+	const objectAppById = new Map<string, string>();
+	for (const obj of model.objects) {
+		if (obj.appGuid !== undefined) objectAppById.set(obj.id, obj.appGuid);
+	}
+
+	// Event publisher app: from EventSymbol.publisherObjectId → objectAppById.
+	const eventPubApp = new Map<EventId, string>();
+	for (const ev of model.eventGraph.events) {
+		const app = objectAppById.get(ev.publisherObjectId);
+		if (app !== undefined) eventPubApp.set(ev.id as EventId, app);
+	}
+
+	// Bucket cross-extension subs per event.
+	const buckets = new Map<EventId, Set<RoutineId>>();
+	for (const edge of model.eventGraph.edges) {
+		const pubApp = eventPubApp.get(edge.eventId as EventId);
+		if (pubApp === undefined) continue;
+		if (edge.subscriberAppId === pubApp) continue;
+		const set = buckets.get(edge.eventId as EventId) ?? new Set<RoutineId>();
+		set.add(edge.subscriberRoutineId);
+		buckets.set(edge.eventId as EventId, set);
+	}
+
+	const out = new Map<EventId, readonly RoutineId[]>();
+	for (const [eventId, set] of buckets) {
+		out.set(eventId, [...set].sort(compareStrings) as RoutineId[]);
+	}
+	return out;
+}
+
+export type EventKind = "integration" | "business" | "internal";
+
+export interface FanoutCoverage {
+	dispatchEdges: "complete" | "partial" | "unknown";
+	subscriberDiscovery: "complete" | "partial" | "unknown";
+	capabilityComposition: "complete" | "partial" | "unknown";
+}
+
+export interface FanoutEntry {
+	publisher: RoutineId;
+	eventId: EventId;
+	eventName: string;
+	eventKind: EventKind;
+	directSubscriberCount: number;
+	coverage: FanoutCoverage;
+}
+
+export function eventKindOf(k: string): EventKind {
+	if (k === "business" || k === "internal") return k;
+	return "integration"; // trigger / unknown / integration → integration default
+}
+
+export interface EventFlowIndexes {
+	/** EventId → publisher RoutineId (when present). */
+	readonly publisherByEvent: ReadonlyMap<EventId, RoutineId>;
+	/** Publisher RoutineId → events it publishes. */
+	readonly eventsByPublisher: ReadonlyMap<RoutineId, readonly EventId[]>;
+	/** EventId → sorted unique subscriber RoutineIds. */
+	readonly subscribersByEvent: ReadonlyMap<EventId, readonly RoutineId[]>;
+	/** Subscriber RoutineId → sorted unique publisher RoutineIds. */
+	readonly publishersBySubscriber: ReadonlyMap<RoutineId, readonly RoutineId[]>;
+	/** EventId → event name. Built once; used by walkEventChain for node labels. */
+	readonly eventNameByEvent: ReadonlyMap<EventId, string>;
+	/** RoutineIds whose analysisRole is primary (absent ⇒ primary). For scope filtering. */
+	readonly primaryRoutines: ReadonlySet<RoutineId>;
+}
+
+export function buildEventFlowIndexes(model: SemanticModel): EventFlowIndexes {
+	const publisherByEvent = new Map<EventId, RoutineId>();
+	const eventsByPublisherSet = new Map<RoutineId, Set<EventId>>();
+	const eventNameByEvent = new Map<EventId, string>();
+	const primaryRoutines = new Set<RoutineId>();
+	for (const r of model.routines) {
+		if (roleOf(r) !== "dependency") primaryRoutines.add(r.id);
+	}
+	for (const ev of model.eventGraph.events) {
+		eventNameByEvent.set(ev.id, ev.eventName);
+		if (ev.publisherRoutineId !== undefined) {
+			publisherByEvent.set(ev.id, ev.publisherRoutineId);
+			const bag = eventsByPublisherSet.get(ev.publisherRoutineId) ?? new Set<EventId>();
+			bag.add(ev.id);
+			eventsByPublisherSet.set(ev.publisherRoutineId, bag);
+		}
+	}
+
+	const subscribersByEventSet = new Map<EventId, Set<RoutineId>>();
+	const publishersBySubscriberSet = new Map<RoutineId, Set<RoutineId>>();
+	for (const e of model.eventGraph.edges) {
+		if (e.resolution !== "resolved") continue;
+		const subs = subscribersByEventSet.get(e.eventId) ?? new Set<RoutineId>();
+		subs.add(e.subscriberRoutineId);
+		subscribersByEventSet.set(e.eventId, subs);
+		const pub = publisherByEvent.get(e.eventId);
+		if (pub !== undefined) {
+			const pubs = publishersBySubscriberSet.get(e.subscriberRoutineId) ?? new Set<RoutineId>();
+			pubs.add(pub);
+			publishersBySubscriberSet.set(e.subscriberRoutineId, pubs);
+		}
+	}
+
+	const sortedFreeze = <K, V extends string>(m: Map<K, Set<V>>): Map<K, readonly V[]> => {
+		const out = new Map<K, readonly V[]>();
+		for (const [k, set] of m) out.set(k, [...set].sort(compareStrings) as readonly V[]);
+		return out;
+	};
+
+	return {
+		publisherByEvent,
+		eventsByPublisher: sortedFreeze(eventsByPublisherSet),
+		subscribersByEvent: sortedFreeze(subscribersByEventSet),
+		publishersBySubscriber: sortedFreeze(publishersBySubscriberSet),
+		eventNameByEvent,
+		primaryRoutines,
+	};
+}
+
+export function getSubscribersOfPublisher(
+	publisher: RoutineId,
+	ix: EventFlowIndexes,
+): readonly RoutineId[] {
+	const events = ix.eventsByPublisher.get(publisher) ?? [];
+	const out = new Set<RoutineId>();
+	for (const ev of events) {
+		for (const sub of ix.subscribersByEvent.get(ev) ?? []) out.add(sub);
+	}
+	return [...out].sort(compareStrings) as readonly RoutineId[];
+}
+
+export function getPublishersForSubscriber(
+	subscriber: RoutineId,
+	ix: EventFlowIndexes,
+): readonly RoutineId[] {
+	return ix.publishersBySubscriber.get(subscriber) ?? [];
+}
+
+export function getSubscribersOfEvent(
+	eventId: EventId,
+	ix: EventFlowIndexes,
+): readonly RoutineId[] {
+	return ix.subscribersByEvent.get(eventId) ?? [];
+}
+
+export function getPublisherOfEvent(eventId: EventId, ix: EventFlowIndexes): RoutineId | undefined {
+	return ix.publisherByEvent.get(eventId);
+}
+
+export function computeFanout(model: SemanticModel, ix: EventFlowIndexes): readonly FanoutEntry[] {
+	const out: FanoutEntry[] = [];
+
+	// Group all edges (resolved and unresolved) by eventId for dispatchEdges coverage.
+	const edgesByEvent = new Map<EventId, EventEdge[]>();
+	for (const e of model.eventGraph.edges) {
+		const bag = edgesByEvent.get(e.eventId) ?? [];
+		bag.push(e);
+		edgesByEvent.set(e.eventId, bag);
+	}
+
+	const summaryByRoutine = new Map(model.routines.map((r) => [r.id, r.summary] as const));
+
+	for (const ev of model.eventGraph.events) {
+		if (ev.publisherRoutineId === undefined) continue;
+
+		const resolvedSubs = ix.subscribersByEvent.get(ev.id) ?? [];
+		const allEdges = edgesByEvent.get(ev.id) ?? [];
+		let unresolvedEdges = 0;
+		for (const e of allEdges) if (e.resolution !== "resolved") unresolvedEdges++;
+
+		const dispatchEdges: FanoutCoverage["dispatchEdges"] =
+			allEdges.length === 0 ? "complete" : unresolvedEdges === 0 ? "complete" : "partial";
+
+		// subscriberDiscovery: mirrors dispatchEdges for now (refined when per-event
+		// coverage substrate lands).
+		const subscriberDiscovery: FanoutCoverage["subscriberDiscovery"] = dispatchEdges;
+
+		// capabilityComposition: derive from the worst subscriber summary coverage.
+		let capCov: FanoutCoverage["capabilityComposition"] = "complete";
+		if (resolvedSubs.length === 0) {
+			capCov = "unknown";
+		} else {
+			let sawPartial = false;
+			let sawMissing = false;
+			for (const sub of resolvedSubs) {
+				const sum = summaryByRoutine.get(sub);
+				const status = sum?.coverage?.inheritedStatus;
+				if (status === undefined) sawMissing = true;
+				else if (status === "partial" || status === "unknown") sawPartial = true;
+			}
+			capCov = sawMissing ? "unknown" : sawPartial ? "partial" : "complete";
+		}
+
+		out.push({
+			publisher: ev.publisherRoutineId,
+			eventId: ev.id,
+			eventName: ev.eventName,
+			eventKind: eventKindOf(ev.eventKind),
+			directSubscriberCount: resolvedSubs.length,
+			coverage: { dispatchEdges, subscriberDiscovery, capabilityComposition: capCov },
+		});
+	}
+
+	out.sort(
+		(a, b) =>
+			compareStrings(a.publisher, b.publisher) ||
+			compareStrings(a.eventName, b.eventName) ||
+			compareStrings(a.eventId, b.eventId),
+	);
+
+	return out;
+}
+
+// ---------------------------------------------------------------------------
+// walkEventChain
+// ---------------------------------------------------------------------------
+
+/** Reserved kinds. Currently emitted: "root", "event-dispatch", "subscriber".
+ *  "publisher" is reserved for a future enhancement (a subscriber that also
+ *  publishes its own event in the chain). */
+export type ChainNodeKind = "root" | "publisher" | "event-dispatch" | "subscriber";
+
+export interface ChainNode {
+	kind: ChainNodeKind;
+	routineId?: RoutineId;
+	eventId?: EventId;
+	eventName?: string;
+	children: readonly ChainNode[];
+	cycleDetected?: boolean;
+	depthTruncated?: boolean;
+}
+
+export interface ChainWalkOptions {
+	maxDepth?: number;
+	maxNodes?: number;
+}
+
+const DEFAULT_MAX_DEPTH = 16;
+const DEFAULT_MAX_NODES = 1024;
+
+/**
+ * Walk the event-chain tree from a root publisher RoutineId.
+ *
+ * ONLY follows event-graph edges (publisher → subscriber via
+ * `ix.eventsByPublisher` + `ix.subscribersByEvent`). Does NOT follow
+ * call-graph relays where a subscriber routine's body calls another
+ * event-publisher — for that, use `collectRelaySubscribers` from
+ * `./event-relay.ts`. Event-name labels on dispatch nodes come from
+ * `ix.eventNameByEvent` (built once), so this is a pure function of `ix`.
+ *
+ * Truncation precedence (locked):
+ *   1. cycle wins when the next edge revisits a node already on the active path
+ *   2. depth wins when expansion would exceed maxDepth before evaluating children
+ *   3. nodes wins globally once adding another node would exceed maxNodes
+ *  Collision (cycle reached AT depth limit): cycle marker fires first.
+ */
+export function walkEventChain(
+	root: RoutineId,
+	ix: EventFlowIndexes,
+	opts: ChainWalkOptions = {},
+): ChainNode {
+	const maxDepth = opts.maxDepth ?? DEFAULT_MAX_DEPTH;
+	const maxNodes = opts.maxNodes ?? DEFAULT_MAX_NODES;
+	let nodeBudget = maxNodes;
+	const onPath = new Set<RoutineId>();
+
+	// `eventDepth` is the depth at which the event-dispatch nodes emitted by this
+	// call will land in the output tree. Conceptually the root routine is at
+	// depth -1; the initial call passes 0 so the root's immediate events land at
+	// depth 0. Subscribers of those events are at eventDepth+1; their published
+	// events (grand-events) are at eventDepth+2.
+	function expand(routine: RoutineId, eventDepth: number): readonly ChainNode[] {
+		if (eventDepth >= maxDepth) return [];
+		if (nodeBudget <= 0) return [];
+		onPath.add(routine);
+		const out: ChainNode[] = [];
+		const events = ix.eventsByPublisher.get(routine) ?? [];
+		for (const ev of events) {
+			if (nodeBudget <= 0) break;
+			nodeBudget--;
+
+			const subs = ix.subscribersByEvent.get(ev) ?? [];
+			const subChildren: ChainNode[] = [];
+			let depthTrunc = false;
+
+			if (eventDepth + 1 >= maxDepth) {
+				// Subscribers would be at depth >= maxDepth — truncate entirely.
+				depthTrunc = true;
+			} else {
+				for (const sub of subs) {
+					if (nodeBudget <= 0) break;
+					nodeBudget--;
+					// Cycle check wins over depth check (precedence rule 1 > 2).
+					if (onPath.has(sub)) {
+						subChildren.push({
+							kind: "subscriber",
+							routineId: sub,
+							children: [],
+							cycleDetected: true,
+						});
+						continue;
+					}
+					// Subscriber's own children (events it publishes) would be at
+					// eventDepth+2. If eventDepth+2 >= maxDepth they'd be truncated,
+					// but the subscriber node itself is still emitted — the truncation
+					// marker goes on its event-dispatch children, which expand()
+					// handles recursively.
+					const grand = expand(sub, eventDepth + 2);
+					subChildren.push({ kind: "subscriber", routineId: sub, children: grand });
+				}
+			}
+
+			out.push({
+				kind: "event-dispatch",
+				eventId: ev,
+				eventName: ix.eventNameByEvent.get(ev),
+				children: subChildren,
+				...(depthTrunc ? { depthTruncated: true } : {}),
+			});
+		}
+		onPath.delete(routine);
+		return out;
+	}
+
+	nodeBudget--; // root counts as one node
+	// Root routine is conceptually at depth -1; pass 0 so its immediate events
+	// land at depth 0.
+	const children = expand(root, 0);
+	return { kind: "root", routineId: root, children };
+}
+
+// ---------------------------------------------------------------------------
+// publisherBranchFacts
+// ---------------------------------------------------------------------------
+
+export type BranchSliceConfidence = "exact" | "pattern" | "unknown";
+
+export interface PublisherBranchFacts {
+	confidence: BranchSliceConfidence;
+	/** Facts that fire when IsHandled is FALSE (the default branch). */
+	defaultBranchFacts: readonly CapabilityFact[];
+	/** Facts that fire when IsHandled is TRUE (the guarded branch — subscriber set it). */
+	guardedBranchFacts: readonly CapabilityFact[];
+	/** Facts in neither branch (unconditional). */
+	unguardedFacts: readonly CapabilityFact[];
+	/** Identifier name of the boolean guard variable (lowercased). */
+	guardParamName?: string;
+}
+
+export const IS_HANDLED_RE = /^is.?handled$/i;
+
+/**
+ * BranchSliceConfidence ladder:
+ *  - `exact`   — no branching at all; every direct fact is in the default branch.
+ *  - `pattern` — branching present AND IsHandled is assigned somewhere in the body.
+ *  - `unknown` — branching present but no IsHandled assignment detected.
+ *
+ * Returns undefined when the routine has no IsHandled-shaped parameter.
+ *
+ * The default-branch slicing is conservative: we return ALL direct facts as
+ * `defaultBranchFacts` and leave `guardedBranchFacts`/`unguardedFacts` empty.
+ * Refinement (true AST slicing) is deferred — D43 emits findings only when
+ * confidence is `exact` or `pattern`, so this conservative slice still yields
+ * correct hits without false positives.
+ */
+export function publisherBranchFacts(
+	publisher: RoutineId,
+	model: SemanticModel,
+): PublisherBranchFacts | undefined {
+	const routine = model.routines.find((r) => r.id === publisher);
+	if (routine === undefined) return undefined;
+	const guardParam = routine.parameters.find((p) => IS_HANDLED_RE.test(p.name));
+	if (guardParam === undefined) return undefined;
+	const directFacts: readonly CapabilityFact[] = routine.summary?.capabilityFactsDirect ?? [];
+	const hasBranching = routine.features.hasBranching === true;
+	const assignsIsHandled = (routine.features.varAssignments ?? []).some((a) =>
+		IS_HANDLED_RE.test(a.lhsName),
+	);
+	let confidence: BranchSliceConfidence;
+	if (!hasBranching) {
+		confidence = "exact";
+	} else if (assignsIsHandled) {
+		confidence = "pattern";
+	} else {
+		confidence = "unknown";
+	}
+	return {
+		confidence,
+		defaultBranchFacts: directFacts,
+		guardedBranchFacts: [],
+		unguardedFacts: [],
+		guardParamName: guardParam.name.toLowerCase(),
+	};
+}
+
+// ---------------------------------------------------------------------------
+// Report composition
+// ---------------------------------------------------------------------------
+
+export interface FanoutReport {
+	entries: readonly FanoutEntry[];
+	summary: {
+		totalPublishers: number;
+		totalEvents: number;
+		zeroSubscriberEvents: number;
+		hotEvents: number;
+		coveragePartialEvents: number;
+	};
+}
+
+export function computeFanoutReport(
+	model: SemanticModel,
+	ix: EventFlowIndexes,
+	opts?: { scope?: Scope },
+): FanoutReport {
+	const scope = opts?.scope ?? "all";
+	const all = computeFanout(model, ix);
+	// FanoutEntry omits the subscriber id list (only the count), so re-query the index
+	// to test whether any subscriber is primary.
+	const entries =
+		scope === "all"
+			? all
+			: all.filter(
+					(e) =>
+						ix.primaryRoutines.has(e.publisher) ||
+						(ix.subscribersByEvent.get(e.eventId) ?? []).some((s) => ix.primaryRoutines.has(s)),
+				);
+	const publishers = new Set(entries.map((e) => e.publisher));
+	let zero = 0;
+	let hot = 0;
+	let partial = 0;
+	for (const e of entries) {
+		if (e.directSubscriberCount === 0) zero++;
+		if (e.directSubscriberCount > 5) hot++;
+		if (e.coverage.dispatchEdges === "partial" || e.coverage.capabilityComposition === "partial") {
+			partial++;
+		}
+	}
+	return {
+		entries,
+		summary: {
+			totalPublishers: publishers.size,
+			totalEvents: entries.length,
+			zeroSubscriberEvents: zero,
+			hotEvents: hot,
+			coveragePartialEvents: partial,
+		},
+	};
+}
+
+export interface ChainReport {
+	chains: readonly ChainNode[];
+	summary: {
+		totalRoots: number;
+		rootsWithEvents: number;
+		maxChainDepth: number;
+		cyclesDetected: number;
+		depthTruncatedNodes: number;
+	};
+}
+
+function chainStats(
+	node: ChainNode,
+	depth: number,
+	acc: { max: number; cycles: number; depthTruncated: number },
+): void {
+	acc.max = Math.max(acc.max, depth);
+	if (node.cycleDetected) acc.cycles++;
+	if (node.depthTruncated) acc.depthTruncated++;
+	for (const c of node.children) chainStats(c, depth + 1, acc);
+}
+
+function treeTouchesPrimary(node: ChainNode, primary: ReadonlySet<RoutineId>): boolean {
+	if (node.routineId !== undefined && primary.has(node.routineId)) return true;
+	for (const c of node.children) if (treeTouchesPrimary(c, primary)) return true;
+	return false;
+}
+
+export function computeChainReport(
+	ix: EventFlowIndexes,
+	opts?: ChainWalkOptions & { scope?: Scope },
+): ChainReport {
+	const scope = opts?.scope ?? "all";
+	const roots = [...ix.eventsByPublisher.keys()].sort(compareStrings);
+	const chains: ChainNode[] = [];
+	const acc = { max: 0, cycles: 0, depthTruncated: 0 };
+	for (const root of roots) {
+		const tree = walkEventChain(root, ix, opts);
+		// scope=primary keeps a tree only when a primary routine participates (root or any
+		// descendant subscriber). Stats accumulate over the KEPT trees so the summary matches.
+		if (scope === "primary" && !treeTouchesPrimary(tree, ix.primaryRoutines)) continue;
+		chains.push(tree);
+		chainStats(tree, 0, acc);
+	}
+	// Every key in eventsByPublisher has >=1 event, so rootsWithEvents always equals
+	// totalRoots; under scope=primary both reflect the kept (participating) chains.
+	return {
+		chains,
+		summary: {
+			totalRoots: chains.length,
+			rootsWithEvents: chains.length,
+			maxChainDepth: acc.max,
+			cyclesDetected: acc.cycles,
+			depthTruncatedNodes: acc.depthTruncated,
+		},
+	};
+}

package/src/engine/event-relay.ts

@@ -0,0 +1,92 @@
+import type { RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { CombinedGraph } from "./combined-graph.ts";
+import type { EventFlowIndexes } from "./event-flow.ts";
+import { compareStrings } from "./uncertainty-util.ts";
+
+/**
+ * Options for {@link collectRelaySubscribers}.
+ */
+export interface RelayWalkOptions {
+	/** Maximum chain depth (default 4). Depth 1 = direct subscriber of the root. */
+	maxDepth?: number;
+	/** Maximum total subscribers discovered before the walk terminates (default 256). */
+	maxNodes?: number;
+}
+
+/**
+ * Walk the transitive subscriber chain starting from `publisher`, bridging
+ * event-graph dispatches with call-graph relay edges. Returns a Map of
+ * subscriber RoutineId → minimum chain depth (depth 1 = direct subscriber
+ * of the root, depth 2 = subscriber of an event published by a relay
+ * subscriber, etc.).
+ *
+ * Unlike `walkEventChain` (which only follows event-graph edges), this
+ * helper bridges the gap where a subscriber routine's BODY calls another
+ * event-publisher routine — that's a call-graph edge, not an event-graph
+ * edge. In canonical AL, "relay subscriber" patterns where one event's
+ * handler dispatches a downstream event live in real production code,
+ * so D45-style detectors need this traversal.
+ *
+ * Traversal alternates two graph types:
+ *   - Event graph:  publisher → (events) → direct subscribers (depth +1)
+ *   - Call graph:   subscriber → (callees that are event-publishers) →
+ *                   their subscribers (depth +2 per event-hop crossing)
+ *
+ * Caps:
+ *  - `maxDepth` bounds chain length (default 4).
+ *  - `maxNodes` bounds total subscribers discovered (default 256).
+ *
+ * Deterministic: subscribers iterated in `compareStrings` order at each hop.
+ */
+export function collectRelaySubscribers(
+	publisher: RoutineId,
+	_model: SemanticModel,
+	ix: EventFlowIndexes,
+	graph: CombinedGraph,
+	opts?: RelayWalkOptions,
+): Map<RoutineId, number> {
+	const maxDepth = opts?.maxDepth ?? 4;
+	const maxNodes = opts?.maxNodes ?? 256;
+
+	const result = new Map<RoutineId, number>();
+	// Queue: [routineId that publishes events, depth at which its direct subscribers land]
+	const queue: Array<{ pub: RoutineId; depth: number }> = [{ pub: publisher, depth: 1 }];
+	// Track visited publishers to avoid cycles.
+	const visitedPubs = new Set<RoutineId>([publisher]);
+
+	while (queue.length > 0) {
+		const item = queue.shift();
+		if (item === undefined) break;
+		const { pub, depth } = item;
+		if (depth > maxDepth) continue;
+
+		const events = ix.eventsByPublisher.get(pub) ?? [];
+		for (const ev of events) {
+			const subs = [...(ix.subscribersByEvent.get(ev) ?? [])].sort(compareStrings);
+			for (const sub of subs) {
+				if (result.size >= maxNodes) break;
+				// Record this subscriber at min depth.
+				const existing = result.get(sub);
+				if (existing === undefined || depth < existing) {
+					result.set(sub, depth);
+				}
+				if (depth + 1 > maxDepth) continue;
+				// Follow call-graph edges from this subscriber to event-publisher callees.
+				// This bridges the gap where a subscriber calls an IntegrationEvent procedure
+				// in its body, making it a "relay" to the next hop.
+				const callEdges = graph.edgesByFrom.get(sub) ?? [];
+				for (const edge of callEdges) {
+					const callee = edge.to;
+					if (!ix.eventsByPublisher.has(callee)) continue;
+					if (visitedPubs.has(callee)) continue;
+					visitedPubs.add(callee);
+					// The callee is an event-publisher; its direct subscribers land at depth+1.
+					queue.push({ pub: callee, depth: depth + 1 });
+				}
+			}
+		}
+	}
+
+	return result;
+}