al-sem 0.0.1

package/src/engine/op-classification.ts

@@ -0,0 +1,92 @@
+import type { RecordOpType } from "../model/entities.ts";
+
+/**
+ * The effect class of a record operation. `touchesDb` is driven only by db-read /
+ * db-write / db-lock; state-only ops feed D3's load-field analysis and parameterRoles;
+ * `trigger` (Validate) has no direct DB effect — its effects arrive via the Phase 2a
+ * implicit-trigger edge.
+ */
+export type OpEffectClass = "db-read" | "db-write" | "db-lock" | "state-only" | "trigger";
+
+const CLASS_BY_OP: Record<RecordOpType, OpEffectClass> = {
+	FindSet: "db-read",
+	FindFirst: "db-read",
+	FindLast: "db-read",
+	Find: "db-read",
+	Get: "db-read",
+	Next: "db-read",
+	Count: "db-read",
+	CountApprox: "db-read",
+	IsEmpty: "db-read",
+	CalcFields: "db-read",
+	CalcSums: "db-read",
+	TestField: "state-only",
+	Modify: "db-write",
+	ModifyAll: "db-write",
+	Insert: "db-write",
+	Delete: "db-write",
+	DeleteAll: "db-write",
+	LockTable: "db-lock",
+	SetLoadFields: "state-only",
+	AddLoadFields: "state-only",
+	SetRange: "state-only",
+	SetFilter: "state-only",
+	SetCurrentKey: "state-only",
+	Reset: "state-only",
+	Copy: "state-only",
+	TransferFields: "state-only",
+	Init: "state-only",
+	Validate: "trigger",
+};
+
+/** Classify a record operation by its database effect. Pure, total over RecordOpType. */
+export function classifyOp(op: RecordOpType): OpEffectClass {
+	return CLASS_BY_OP[op];
+}
+
+/** True when this op class contributes to `touchesDb`. */
+export function isDbTouchingClass(cls: OpEffectClass): boolean {
+	return cls === "db-read" || cls === "db-write" || cls === "db-lock";
+}
+
+/**
+ * Per-op record-flow role used by the record-flow framework's may-fact
+ * bootstrap (spec §(a)). Each op classifies into at most one of these
+ * categories for the purposes of state-flow tracking. Field-level facts
+ * (readsFields/writesFields) are computed independently by D3 already.
+ */
+export type RecordFlowOpRole =
+	| "loadsFromDb" // Get / FindFirst / FindLast / FindSet / Find / Next
+	| "initialises" // Init
+	| "persistsCurrent" // Modify / Insert / Rename
+	| "setBasedWrite" // ModifyAll / DeleteAll
+	| "validates" // Validate
+	| "copiesInto" // Copy / TransferFields (target side)
+	| "resetsFilter" // Reset
+	| "neutral"; // SetRange / SetFilter / SetLoadFields / AddLoadFields / TestField / etc.
+
+// Partial so most ops fall through to "neutral"; tightening the key to RecordOpType
+// gives exhaustiveness — adding a new op-type will surface here at the compiler if
+// the new op should map to a non-neutral role. (Note: "Rename" is not yet in
+// RecordOpType — when it lands, decide whether to add it here as "persistsCurrent".)
+const ROLE_BY_OP: Partial<Record<RecordOpType, RecordFlowOpRole>> = {
+	Get: "loadsFromDb",
+	FindFirst: "loadsFromDb",
+	FindLast: "loadsFromDb",
+	FindSet: "loadsFromDb",
+	Find: "loadsFromDb",
+	Next: "loadsFromDb",
+	Init: "initialises",
+	Modify: "persistsCurrent",
+	Insert: "persistsCurrent",
+	ModifyAll: "setBasedWrite",
+	DeleteAll: "setBasedWrite",
+	Validate: "validates",
+	Copy: "copiesInto",
+	TransferFields: "copiesInto",
+	Reset: "resetsFilter",
+};
+
+export function recordFlowRoleOf(op: RecordOpType): RecordFlowOpRole {
+	return ROLE_BY_OP[op] ?? "neutral";
+}

package/src/engine/path-walker.ts

@@ -0,0 +1,189 @@
+import type { CallSite, Routine } from "../model/entities.ts";
+import type { EvidenceStep } from "../model/finding.ts";
+import type { CallsiteId, RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { Uncertainty } from "../model/summary.ts";
+import type { CombinedEdge, CombinedGraph } from "./combined-graph.ts";
+import { dedupeUncertainties } from "./uncertainty-util.ts";
+
+/** A real op site the walk can terminate at. Policies may return a richer subtype. */
+export interface Terminal {
+	routineId: RoutineId;
+	/** Loop nesting depth of the op site within its OWN routine. */
+	localLoopDepth: number;
+}
+
+/** Why a walk branch stopped. Detectors emit findings only from `complete` results. */
+export type WalkStop = "complete" | "cycle-cut" | "depth-cut" | "node-budget-cut" | "dead-end";
+
+export interface WalkResult {
+	path: EvidenceStep[];
+	effectiveLoopDepth: number;
+	uncertainties: Uncertainty[];
+	stop: WalkStop;
+}
+
+/** The mutable context threaded through one walk branch. */
+export interface PathCtx {
+	routinePath: RoutineId[];
+	inheritedLoopDepth: number;
+	steps: EvidenceStep[];
+	uncertainties: Uncertainty[];
+}
+
+export interface WalkBounds {
+	maxDepth: number; // max routine-path length
+	maxNodes: number; // max nodes visited across the whole walk
+}
+
+/** Detector-supplied policy: which edges to follow, what counts as a terminal, how to build steps. */
+export interface WalkPolicy<T extends Terminal = Terminal> {
+	terminalsAt(node: RoutineId, ctx: PathCtx): T[];
+	expand(node: RoutineId, ctx: PathCtx): CombinedEdge[];
+	buildHopStep(edge: CombinedEdge, ctx: PathCtx): EvidenceStep;
+	buildTerminalStep(terminal: T, ctx: PathCtx): EvidenceStep;
+}
+
+export interface WalkOpts {
+	/** Loop depth already established by the detector (e.g. the loop D1 started from). */
+	initialLoopDepth?: number;
+	/** Evidence steps the detector wants prepended (e.g. the loop step). */
+	initialSteps?: EvidenceStep[];
+	/**
+	 * Prebuilt indexes. `walkEvidence` is called once per in-loop call site by D1/D2, so
+	 * rebuilding these from `model`/`graph` on every call is O(routines + edges) per call —
+	 * the dominant cost on large workspaces. Callers that hold the shared DetectorContext
+	 * pass its maps; when omitted, the walker builds them itself (unchanged behaviour for
+	 * one-off callers / tests). All three are read-only here.
+	 */
+	routineById?: Map<RoutineId, Routine>;
+	uncertaintyEdgesByFrom?: Map<RoutineId, Uncertainty[]>;
+	callSiteById?: Map<CallsiteId, CallSite>;
+}
+
+/**
+ * Bounded depth-first evidence walk. Returns one WalkResult per branch that reached a
+ * terminal (`complete`) or stopped (`cycle-cut` / `depth-cut` / `node-budget-cut` /
+ * `dead-end`). Pure — no I/O. Cycle detection is per-path; bounds cap depth and total nodes.
+ */
+export function walkEvidence<T extends Terminal>(
+	start: RoutineId,
+	policy: WalkPolicy<T>,
+	bounds: WalkBounds,
+	graph: CombinedGraph,
+	model: SemanticModel,
+	opts: WalkOpts = {},
+): WalkResult[] {
+	const results: WalkResult[] = [];
+	let nodesVisited = 0;
+	const routineById = opts.routineById ?? new Map(model.routines.map((r) => [r.id, r]));
+
+	const uncertaintyEdgesByFrom =
+		opts.uncertaintyEdgesByFrom ??
+		(() => {
+			const m = new Map<RoutineId, Uncertainty[]>();
+			for (const ue of graph.uncertaintyEdges) {
+				const list = m.get(ue.from);
+				if (list) list.push(ue.uncertainty);
+				else m.set(ue.from, [ue.uncertainty]);
+			}
+			return m;
+		})();
+
+	const callSiteById =
+		opts.callSiteById ??
+		(() => {
+			const m = new Map<CallsiteId, CallSite>();
+			for (const r of model.routines) {
+				for (const cs of r.features.callSites) m.set(cs.id, cs);
+			}
+			return m;
+		})();
+
+	const uncertaintiesAt = (node: RoutineId): Uncertainty[] => {
+		const fromSummary = routineById.get(node)?.summary?.uncertainties ?? [];
+		const fromEdges = uncertaintyEdgesByFrom.get(node) ?? [];
+		return [...fromSummary, ...fromEdges];
+	};
+
+	const loopDepthOfEdge = (edge: CombinedEdge): number => {
+		if (edge.callsiteId === undefined) return 0;
+		const cs = callSiteById.get(edge.callsiteId);
+		return cs?.loopStack.length ?? 0;
+	};
+
+	const visit = (node: RoutineId, ctx: PathCtx): void => {
+		nodesVisited++;
+		const ctxHere: PathCtx = {
+			...ctx,
+			uncertainties: dedupeUncertainties([...ctx.uncertainties, ...uncertaintiesAt(node)]),
+		};
+
+		const terminals = policy.terminalsAt(node, ctxHere);
+		for (const t of terminals) {
+			results.push({
+				path: [...ctxHere.steps, policy.buildTerminalStep(t, ctxHere)],
+				effectiveLoopDepth: ctxHere.inheritedLoopDepth + t.localLoopDepth,
+				uncertainties: ctxHere.uncertainties,
+				stop: "complete",
+			});
+		}
+
+		const edges = policy.expand(node, ctxHere);
+		if (edges.length === 0 && terminals.length === 0) {
+			results.push({
+				path: ctxHere.steps,
+				effectiveLoopDepth: ctxHere.inheritedLoopDepth,
+				uncertainties: ctxHere.uncertainties,
+				stop: "dead-end",
+			});
+			return;
+		}
+
+		for (const edge of edges) {
+			if (nodesVisited >= bounds.maxNodes) {
+				results.push({
+					path: ctxHere.steps,
+					effectiveLoopDepth: ctxHere.inheritedLoopDepth,
+					uncertainties: ctxHere.uncertainties,
+					stop: "node-budget-cut",
+				});
+				continue;
+			}
+			if (ctxHere.routinePath.includes(edge.to)) {
+				results.push({
+					path: ctxHere.steps,
+					effectiveLoopDepth: ctxHere.inheritedLoopDepth,
+					uncertainties: ctxHere.uncertainties,
+					stop: "cycle-cut",
+				});
+				continue;
+			}
+			if (ctxHere.routinePath.length >= bounds.maxDepth) {
+				results.push({
+					path: ctxHere.steps,
+					effectiveLoopDepth: ctxHere.inheritedLoopDepth,
+					uncertainties: ctxHere.uncertainties,
+					stop: "depth-cut",
+				});
+				continue;
+			}
+			const childCtx: PathCtx = {
+				routinePath: [...ctxHere.routinePath, edge.to],
+				inheritedLoopDepth: ctxHere.inheritedLoopDepth + loopDepthOfEdge(edge),
+				steps: [...ctxHere.steps, policy.buildHopStep(edge, ctxHere)],
+				uncertainties: ctxHere.uncertainties,
+			};
+			visit(edge.to, childCtx);
+		}
+	};
+
+	visit(start, {
+		routinePath: [start],
+		inheritedLoopDepth: opts.initialLoopDepth ?? 0,
+		steps: opts.initialSteps ?? [],
+		uncertainties: [],
+	});
+
+	return results;
+}

package/src/engine/reverse-call-graph.ts

@@ -0,0 +1,23 @@
+import type { RoutineId } from "../model/ids.ts";
+import type { CombinedEdge, CombinedGraph } from "./combined-graph.ts";
+
+/** Map of routineId → edges where that routine is the callee. */
+export type ReverseCallGraph = Map<RoutineId, CombinedEdge[]>;
+
+/** Invert `graph.edgesByFrom` so each routine knows who calls it. */
+export function buildReverseCallGraph(graph: CombinedGraph): ReverseCallGraph {
+	const reverse: ReverseCallGraph = new Map();
+	for (const edges of graph.edgesByFrom.values()) {
+		for (const e of edges) {
+			const list = reverse.get(e.to);
+			if (list) list.push(e);
+			else reverse.set(e.to, [e]);
+		}
+	}
+	return reverse;
+}
+
+/** Return the resolved callers of a routine; empty list when none. */
+export function callersOf(reverse: ReverseCallGraph, routineId: RoutineId): CombinedEdge[] {
+	return reverse.get(routineId) ?? [];
+}

package/src/engine/root-classifier-overlay.ts

@@ -0,0 +1,194 @@
+import type { RootsConfig, RootsConfigTarget } from "../config/roots-config.ts";
+import type { Routine } from "../model/entities.ts";
+import type { Diagnostic } from "../model/finding.ts";
+import type { RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import {
+	type RootClassification,
+	type RootKind,
+	isExternallyReachableKind,
+} from "../model/root-classification.ts";
+import { ROOT_KIND_ORDER } from "./root-classifier.ts";
+
+/**
+ * Merge a `RootsConfig` overlay on top of the AST classification result
+ * (Phase 1 §4.3 Task 6).
+ *
+ * Provenance discipline:
+ *   - AST classifications are the base layer (no config = output equals input).
+ *   - Each config entry: resolve target → routine. On success, merge into
+ *     an existing AST classification OR create a new one.
+ *   - When AST + config agree on kinds → `source: "ast+config"`,
+ *     `confidence: "static"`.
+ *   - When AST + config disagree → emit `kinds-mismatch` diagnostic; union the
+ *     kinds, still `source: "ast+config"`, `confidence: "static"` (AST
+ *     corroboration upgrades user-asserted → static).
+ *   - Config-only routines (no AST signal) → `source: "config"`,
+ *     `confidence: "user-asserted"`.
+ *   - Two config entries on the same routine (no AST signal) →
+ *     `[roots-config/duplicate-target]` diagnostic; last-write-wins on the
+ *     stored entry, both ids named in the diagnostic.
+ *   - Unresolved targets → `[roots-config/unresolved]` diagnostic; entry
+ *     dropped.
+ *   - Ambiguous targets (multiple matches) → `[roots-config/ambiguous]`
+ *     diagnostic; classification recorded on the FIRST routine by canonical
+ *     id sort, with `resolutionStatus: "ambiguous"`.
+ *
+ * Pure: never throws, never does I/O. Output is sorted by `routineId` for
+ * determinism, matching the AST classifier's invariant.
+ */
+export function overlayConfigRoots(
+	astRoots: RootClassification[],
+	config: RootsConfig | undefined,
+	model: SemanticModel,
+): { roots: RootClassification[]; diagnostics: Diagnostic[] } {
+	if (config === undefined) {
+		return { roots: astRoots, diagnostics: [] };
+	}
+
+	const diagnostics: Diagnostic[] = [];
+	// `astRoots` already has at most one entry per RoutineId (Task 3 invariant).
+	// `astByRoutine` is a FROZEN snapshot of the AST baseline — read-only.
+	// `byRoutine` is the accumulator (starts from AST, then overlay writes win).
+	// Keeping them separate guarantees a second config entry on the same routine
+	// sees the ORIGINAL AST kind set, not the first entry's merged result.
+	const astByRoutine = new Map<RoutineId, RootClassification>(
+		astRoots.map((r) => [r.routineId, r]),
+	);
+	const byRoutine = new Map<RoutineId, RootClassification>(astByRoutine);
+	// Tracks which routines have already been written by a config entry in
+	// this pass, so we can emit `[roots-config/duplicate-target]` when two
+	// entries target the same routine.
+	const configWriters = new Map<RoutineId, string>();
+
+	for (const entry of config.roots) {
+		const matches = resolveTarget(entry.target, model).sort((a, b) =>
+			a.id < b.id ? -1 : a.id > b.id ? 1 : 0,
+		);
+
+		if (matches.length === 0) {
+			diagnostics.push(
+				diag(
+					"warning",
+					`[roots-config/unresolved] roots.config.json entry "${entry.id}" did not match any routine; skipping.`,
+					entry.id,
+				),
+			);
+			continue;
+		}
+
+		const ambiguous = matches.length > 1;
+		if (ambiguous) {
+			diagnostics.push(
+				diag(
+					"warning",
+					`[roots-config/ambiguous] roots.config.json entry "${entry.id}" matched ${matches.length} routines; using first by id sort.`,
+					entry.id,
+				),
+			);
+		}
+
+		// matches.length >= 1 — guarded above.
+		// biome-ignore lint/style/noNonNullAssertion: length checked above.
+		const winner = matches[0]!;
+		const existingAst = astByRoutine.get(winner.id);
+		const hasAst = existingAst !== undefined;
+		// Loader already canonicalized the kind set (deduped + sorted in
+		// ROOT_KIND_ORDER); Set for O(k) lookup.
+		const cfgKinds = new Set<RootKind>(entry.kinds);
+		const cfgExternally = entry.externallyReachable;
+
+		// Duplicate-target check fires independently of AST status — two
+		// config entries pointing at the same routine is a config-author
+		// mistake either way.
+		const priorWriter = configWriters.get(winner.id);
+		if (priorWriter !== undefined) {
+			diagnostics.push(
+				diag(
+					"warning",
+					`[roots-config/duplicate-target] roots.config.json entries "${priorWriter}" and "${entry.id}" both target the same routine; last entry wins.`,
+					entry.id,
+				),
+			);
+		}
+
+		if (!hasAst) {
+			// Config-only root: no AST signal, "user-asserted" confidence.
+			// Last-write-wins when multiple config entries target the same
+			// routine — the duplicate-target diagnostic was already emitted
+			// above naming both ids.
+			const kinds: RootKind[] = ROOT_KIND_ORDER.filter((k) => cfgKinds.has(k));
+			// Defensive: loader rejects entries with kinds.length === 0,
+			// so this guard should be unreachable. Keep it so a future
+			// loader change can't silently emit empty-kinds classifications.
+			if (kinds.length === 0) continue;
+			byRoutine.set(winner.id, {
+				routineId: winner.id,
+				kinds,
+				externallyReachable: cfgExternally ?? kinds.some(isExternallyReachableKind),
+				source: "config",
+				confidence: "user-asserted",
+				sourceAnchor: winner.sourceAnchor,
+				configEntryId: entry.id,
+				resolutionStatus: ambiguous ? "ambiguous" : "resolved",
+			});
+			configWriters.set(winner.id, entry.id);
+		} else {
+			// AST + config corroboration: union kinds, upgrade to "static".
+			// `existingAst` is the ORIGINAL AST entry from the frozen snapshot,
+			// so a second config entry on the same routine still unions
+			// against AST's kinds (not entry 1's merged result).
+			//
+			// biome-ignore lint/style/noNonNullAssertion: hasAst === true implies astByRoutine has the entry.
+			const existing = existingAst!;
+			const astKindSet = new Set<RootKind>(existing.kinds);
+			const onlyAstSet = new Set<RootKind>([...astKindSet].filter((k) => !cfgKinds.has(k)));
+			const onlyCfgSet = new Set<RootKind>([...cfgKinds].filter((k) => !astKindSet.has(k)));
+			if (onlyAstSet.size > 0 || onlyCfgSet.size > 0) {
+				// Order diff kind lists by ROOT_KIND_ORDER for stable
+				// reading and to match the union-output ordering.
+				const onlyAst = ROOT_KIND_ORDER.filter((k) => onlyAstSet.has(k));
+				const onlyCfg = ROOT_KIND_ORDER.filter((k) => onlyCfgSet.has(k));
+				diagnostics.push(
+					diag(
+						"warning",
+						`[roots-config/kinds-mismatch] roots.config.json entry "${entry.id}" disagrees with AST: ast-only=${JSON.stringify(onlyAst)}, config-only=${JSON.stringify(onlyCfg)}.`,
+						entry.id,
+					),
+				);
+			}
+			const unionedSet = new Set<RootKind>([...existing.kinds, ...entry.kinds]);
+			const unionedKinds: RootKind[] = ROOT_KIND_ORDER.filter((k) => unionedSet.has(k));
+			byRoutine.set(winner.id, {
+				...existing,
+				kinds: unionedKinds,
+				externallyReachable: cfgExternally ?? unionedKinds.some(isExternallyReachableKind),
+				source: "ast+config",
+				confidence: "static",
+				configEntryId: entry.id,
+				resolutionStatus: ambiguous ? "ambiguous" : "resolved",
+			});
+			configWriters.set(winner.id, entry.id);
+		}
+	}
+
+	const roots = [...byRoutine.values()].sort((a, b) =>
+		a.routineId < b.routineId ? -1 : a.routineId > b.routineId ? 1 : 0,
+	);
+	return { roots, diagnostics };
+}
+
+function resolveTarget(target: RootsConfigTarget, model: SemanticModel): Routine[] {
+	if ("routineId" in target) {
+		const r = model.routines.find((rr) => rr.id === target.routineId);
+		return r === undefined ? [] : [r];
+	}
+	const lcName = target.routineName.toLowerCase();
+	return model.routines.filter(
+		(rr) => rr.objectId === target.objectId && rr.name.toLowerCase() === lcName,
+	);
+}
+
+function diag(severity: Diagnostic["severity"], message: string, sourceRef: string): Diagnostic {
+	return { severity, stage: "discover", message, sourceRef };
+}

package/src/engine/root-classifier.ts

@@ -0,0 +1,135 @@
+import type { ObjectDecl, Routine } from "../model/entities.ts";
+import type { ObjectId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import {
+	ROOT_KIND_VALUES,
+	type RootClassification,
+	type RootKind,
+	isExternallyReachableKind,
+} from "../model/root-classification.ts";
+
+/**
+ * Canonical RootKind declaration order. Re-exported from the model layer
+ * (`ROOT_KIND_VALUES`) so tests and future formatters can reference the
+ * source-of-truth rather than redeclaring. Typed as `readonly RootKind[]`
+ * (widening away the tuple's literal `.length`) to preserve the original
+ * signature for existing consumers.
+ */
+export const ROOT_KIND_ORDER: readonly RootKind[] = ROOT_KIND_VALUES;
+
+/**
+ * Phase 1 §4.3 AST-only root-classifier. Produces `RootClassification[]` for every
+ * routine that qualifies as one or more `RootKind`. Routines with no qualifying kind
+ * are not in the result.
+ *
+ * Pure transform over the `SemanticModel`; never throws. Routines whose declaring
+ * object is missing from `model.objects` (should never happen, but `objectId` is a
+ * string alias) are silently skipped rather than crashing — the engine never throws.
+ *
+ * Deferred kinds (not produced by this implementation):
+ *   - `page-action`: needs Page action AST indexing (not yet in routine-indexer).
+ *   - `web-service-exposed`: needs a cross-object WebService scan.
+ *   - `job-queue-entrypoint`: no static signal — depends on runtime registration.
+ *
+ * Output is sorted by `routineId` (canonical lexicographic) for determinism.
+ */
+export function classifyRoots(model: SemanticModel): RootClassification[] {
+	const objectsById = new Map<ObjectId, ObjectDecl>(model.objects.map((o) => [o.id, o]));
+	const result: RootClassification[] = [];
+
+	for (const routine of model.routines) {
+		const object = objectsById.get(routine.objectId);
+		if (object === undefined) continue;
+		const kinds = kindsFor(routine, object);
+		if (kinds.length === 0) continue;
+		const externallyReachable = kinds.some(isExternallyReachableKind);
+		result.push({
+			routineId: routine.id,
+			kinds,
+			externallyReachable,
+			source: "ast",
+			confidence: "static",
+			sourceAnchor: routine.sourceAnchor,
+		});
+	}
+
+	// Canonical sort for determinism — RoutineId is a string.
+	result.sort((a, b) => (a.routineId < b.routineId ? -1 : a.routineId > b.routineId ? 1 : 0));
+	return result;
+}
+
+/**
+ * Compute the set of `RootKind`s a routine qualifies for, based purely on its
+ * structural shape + the host object's declared metadata. Returns the empty
+ * array when no kind applies.
+ *
+ * `public-procedure` is a catch-all and is only added when no more specific
+ * kind applied — otherwise routines on an Install/Upgrade/API host would be
+ * double-classified.
+ */
+function kindsFor(routine: Routine, object: ObjectDecl): RootKind[] {
+	const kinds: RootKind[] = [];
+
+	// Trigger kinds — gated on routine.kind === "trigger". Codeunit OnRun is not
+	// a separate kind here; it falls through to the Subtype-based classification.
+	if (routine.kind === "trigger") {
+		switch (object.objectType) {
+			case "Table":
+			case "TableExtension":
+				kinds.push("trigger-table");
+				break;
+			case "Page":
+			case "PageExtension":
+				kinds.push("trigger-page");
+				break;
+			case "Report":
+				kinds.push("report-trigger");
+				break;
+			// Other object types: codeunit triggers (OnRun) get classified via
+			// Subtype below; the trigger alone is not an entry-point kind today.
+		}
+	}
+
+	// Event-subscriber — direct from routine.kind (set by routine-indexer when
+	// the [EventSubscriber(...)] attribute is present).
+	if (routine.kind === "event-subscriber") {
+		kinds.push("event-subscriber");
+	}
+
+	// Codeunit Subtype-based kinds. Applies to ALL routines on a Codeunit with
+	// the matching Subtype — Install/Upgrade codeunits run their OnRun (and any
+	// helper procedures invoked from it) as part of app install/upgrade flow.
+	if (object.objectType === "Codeunit") {
+		const subtype = object.objectSubtype?.toLowerCase();
+		if (subtype === "install") kinds.push("install-codeunit");
+		if (subtype === "upgrade") kinds.push("upgrade-codeunit");
+	}
+
+	// Page with PageType=API — every routine on the page is HTTP-exposed.
+	if (
+		(object.objectType === "Page" || object.objectType === "PageExtension") &&
+		object.pageType?.toLowerCase() === "api"
+	) {
+		kinds.push("api-page");
+	}
+
+	// Test procedures — via [Test] attribute on the routine itself.
+	if (routine.attributesParsed.some((a) => a.name.toLowerCase() === "test")) {
+		kinds.push("test-procedure");
+	}
+
+	// Public procedures — non-trigger, non-event-subscriber procedures with
+	// default access (undefined accessModifier = AL's "public" default). This
+	// is the catch-all callable-surface kind: only added when nothing more
+	// specific applied, so a default-access procedure on an Install codeunit
+	// stays `["install-codeunit"]`, not `["install-codeunit","public-procedure"]`.
+	if (routine.kind === "procedure" && routine.accessModifier === undefined && kinds.length === 0) {
+		kinds.push("public-procedure");
+	}
+
+	// Normalize to the documented invariant: deduplicated, sorted in RootKind
+	// declaration order. Insertion order above happens to match — this pass
+	// makes it defensive against future reorderings.
+	const seen = new Set<RootKind>(kinds);
+	return ROOT_KIND_ORDER.filter((k) => seen.has(k));
+}