al-sem 0.0.1

package/src/engine/summary-runner.ts

@@ -0,0 +1,560 @@
+import { extractCapabilities } from "../index/capability/extractor.ts";
+import type { CapabilityFact, EventExtra } from "../model/capability.ts";
+import type { CoverageReason } from "../model/coverage.ts";
+import type { Routine, VariableSymbol } from "../model/entities.ts";
+import type { Diagnostic } from "../model/finding.ts";
+import type { EventId, RoutineId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { DbEffect, RecordRoleSummary, RoutineSummary, Uncertainty } from "../model/summary.ts";
+import { makeLap } from "../perf/profiler.ts";
+import { composeInheritedCones } from "./capability-cone.ts";
+import type { CombinedEdge, CombinedGraph } from "./combined-graph.ts";
+import { walkRoutine } from "./control-flow-walker.ts";
+import { effectKeyOf, joinPresence, mergeVia } from "./effect-lattice.ts";
+import { tarjanScc } from "./scc.ts";
+import { type SummaryContext, buildSummaryContext } from "./summary-context.ts";
+import { baseIntraproceduralSummaryCtx } from "./summary-engine.ts";
+import { compareStrings, uncertaintyKey } from "./uncertainty-util.ts";
+
+const MAX_FIXED_POINT_ITERATIONS = 1000;
+
+/**
+ * Optional SCC instrumentation, gated on `AL_SEM_SCC_STATS=1`. Cheap counters useful
+ * for deciding whether further fixed-point optimizations (fingerprint caching, worklist
+ * propagation) are worth the complexity. Prints once to stderr at the end of `runSummaries`.
+ */
+const SCC_STATS_ENABLED = process.env.AL_SEM_SCC_STATS === "1";
+
+export interface SummaryRunOptions {
+	/**
+	 * A fixed leaf: a routine whose `summary` is authoritative and must NOT be recomputed.
+	 * Default: any routine that already carries a summary. This covers both pipelines —
+	 * workspace routines and a cold run's current-app routines start with `summary ===
+	 * undefined`, so they are computed; merged-in artifact routines arrive with `summary`
+	 * set, so they are fixed leaves.
+	 */
+	isLeaf?: (r: Routine) => boolean;
+}
+
+function defaultIsLeaf(r: Routine): boolean {
+	return r.summary !== undefined;
+}
+
+/** Map a combined-edge kind to the `via` tag callee effects inherit through it. */
+function viaForEdge(
+	kind: CombinedEdge["kind"],
+): "inherited" | "implicit-trigger" | "event-subscriber" | "dynamic" {
+	if (kind === "implicit-trigger") return "implicit-trigger";
+	if (kind === "event-dispatch") return "event-subscriber";
+	if (kind === "dynamic") return "dynamic";
+	return "inherited";
+}
+
+/**
+ * Map an EventSymbol.eventKind to the EventExtra.eventClass discriminant.
+ * Phase 1a Family B publisher fix — used by the publish-fact injector in runSummaries.
+ */
+function mapEventKindToClass(
+	k: "integration" | "business" | "trigger" | "internal" | "unknown",
+): EventExtra["eventClass"] {
+	if (k === "business") return "Business";
+	if (k === "internal") return "Internal";
+	if (k === "trigger") return "Trigger";
+	return "Integration";
+}
+
+/** Stable fingerprint for fixed-point change detection. */
+function summaryFingerprint(s: RoutineSummary): string {
+	return JSON.stringify([
+		s.dbEffects.map((e) => `${e.effectKey}:${e.via}`),
+		s.hasUnresolvedCalls,
+		s.uncertainties.map(uncertaintyKey),
+		// Include may-fact fields so c1b changes are detected during fixed-point iteration.
+		// Entry-requirement fields (Phase 4 walker) and dirtyAtExit + currentLoadedFieldsAtExit
+		// (Phase 6) are pre-included so future phases cannot silently regress convergence by
+		// forgetting to extend the fingerprint.
+		s.parameterRoles.map((r) => [
+			r.parameterIndex,
+			r.loadsFromDbParam,
+			r.initialisesParam,
+			r.persistsCurrentRecord,
+			r.setBasedDbWrites,
+			r.validatesParam,
+			r.copiesIntoParam,
+			r.resetsFiltersOnParam,
+			r.mutatesParam,
+			r.requiresLoadedAtEntry,
+			r.mutatesBeforeLoad,
+			Array.isArray(r.requiredLoadedFieldsAtEntry)
+				? r.requiredLoadedFieldsAtEntry.join(",")
+				: r.requiredLoadedFieldsAtEntry,
+			r.dirtyAtExit,
+			typeof r.currentLoadedFieldsAtExit === "string"
+				? r.currentLoadedFieldsAtExit
+				: r.currentLoadedFieldsAtExit.join(","),
+		]),
+	]);
+}
+
+/**
+ * Compose a routine's full summary: start from its base intraprocedural summary, then fold
+ * in every outgoing combined edge's callee summary.
+ *
+ * O(1)-lookup + mutable-accumulator variant — the hot path inside `runSummaries`.
+ *
+ * Old hot-loop shape was:
+ *   acc.dbEffects = mergeDbEffects(acc.dbEffects, calleeEffects);     // new Map + sort
+ *   acc.publishesEvents = [...new Set([...acc, ...callee])].sort();   // new Set + array + sort
+ *   acc.uncertainties = dedupeUncertainties([...acc, ...callee]);     // new Map + sort
+ * — once PER outgoing edge. On large dependency graphs that's a lot of GC pressure.
+ *
+ * New shape: seed local Maps/Sets from the base summary once, fold every callee into them
+ * in place, then materialize sorted/canonical arrays exactly once at the end.
+ *
+ * `baseLookup` optionally returns a precomputed base summary. When set, this function
+ * reuses the precomputed summary's data (skipping a fresh `baseIntraproceduralSummaryCtx`
+ * call). Required for the fixed-point loop on recursive SCCs.
+ */
+export function composeRoutineCtx(
+	routine: Routine,
+	lookup: (id: RoutineId) => RoutineSummary | undefined,
+	graph: CombinedGraph,
+	ctx: SummaryContext,
+	baseLookup?: (id: RoutineId) => RoutineSummary | undefined,
+): RoutineSummary {
+	const base = baseLookup?.(routine.id) ?? baseIntraproceduralSummaryCtx(routine, ctx);
+	const calleeOpaque = (id: RoutineId): boolean => ctx.routineById.get(id)?.bodyAvailable === false;
+
+	// Scalar/lattice accumulators — copied because the base is shared and must not mutate.
+	let hasUnresolvedCalls = base.hasUnresolvedCalls;
+
+	// Set/Map accumulators seeded from the base. dbEffects key on effectKey so duplicate
+	// inherited entries merge by `via` precedence (matches the old mergeDbEffects).
+	const dbEffectsByKey = new Map<string, DbEffect>();
+	for (const e of base.dbEffects) dbEffectsByKey.set(e.effectKey, e);
+	const uncertaintiesByKey = new Map<string, Uncertainty>();
+	for (const u of base.uncertainties) uncertaintiesByKey.set(uncertaintyKey(u), u);
+
+	for (const edge of graph.edgesByFrom.get(routine.id) ?? []) {
+		const calleeSummary = lookup(edge.to);
+		if (calleeSummary === undefined) {
+			hasUnresolvedCalls = true;
+			continue;
+		}
+		const via = viaForEdge(edge.kind);
+		for (const e of calleeSummary.dbEffects) {
+			// Tag the inherited effect with the edge's via; recompute the key (effectKeyOf
+			// excludes via, so it's stable). Merge into the local map by precedence.
+			const key = effectKeyOf(e);
+			const existing = dbEffectsByKey.get(key);
+			if (existing) {
+				dbEffectsByKey.set(key, { ...existing, via: mergeVia(existing.via, via) });
+			} else {
+				dbEffectsByKey.set(key, { ...e, effectKey: key, via });
+			}
+		}
+		for (const u of calleeSummary.uncertainties) {
+			const k = uncertaintyKey(u);
+			if (!uncertaintiesByKey.has(k)) uncertaintiesByKey.set(k, u);
+		}
+		if (calleeSummary.hasUnresolvedCalls) hasUnresolvedCalls = true;
+
+		// interface / dynamic edges, and opaque callees, are confidence-lowering — the CALLER
+		// holds the callsiteId, so the opaque-callee uncertainty is attached here, not on the
+		// callee's own summary.
+		if (edge.kind === "interface" || edge.kind === "dynamic" || calleeOpaque(edge.to)) {
+			if (edge.callsiteId !== undefined) {
+				const u: Uncertainty = { kind: "opaque-callee", callsiteId: edge.callsiteId };
+				const k = uncertaintyKey(u);
+				if (!uncertaintiesByKey.has(k)) uncertaintiesByKey.set(k, u);
+			}
+			hasUnresolvedCalls = true;
+		}
+	}
+
+	// Uncertainty edges (to-less call sites) on this routine — looked up by `from`
+	// instead of scanned globally, which on big graphs was O(R × U) per iteration.
+	for (const ue of ctx.uncertaintyEdgesByFrom.get(routine.id) ?? []) {
+		const k = uncertaintyKey(ue.uncertainty);
+		if (!uncertaintiesByKey.has(k)) uncertaintiesByKey.set(k, ue.uncertainty);
+		hasUnresolvedCalls = true;
+	}
+
+	// Materialize deterministic arrays once. dbEffects sort key matches the old
+	// mergeDbEffects: (effectKey, operationId).
+	const dbEffects = [...dbEffectsByKey.values()].sort((a, b) => {
+		if (a.effectKey !== b.effectKey) return compareStrings(a.effectKey, b.effectKey);
+		return compareStrings(a.operationId, b.operationId);
+	});
+	const uncertainties = [...uncertaintiesByKey.values()].sort((a, b) =>
+		compareStrings(uncertaintyKey(a), uncertaintyKey(b)),
+	);
+
+	// Cross-call exit-effect composition (spec §(c1b)) — compose only when BOTH the
+	// caller-side source and the callee-side parameter are var.
+	// Deep-copy the base parameterRoles so we can mutate them independently each iteration.
+	// NOTE: entry-requirement fields (requiresLoadedAtEntry, mutatesBeforeLoad,
+	// requiredLoadedFieldsAtEntry) are overwritten by the walker below; base values
+	// computed in baseIntraproceduralSummaryCtx are intentionally superseded.
+	const parameterRoles: RecordRoleSummary[] = base.parameterRoles.map((r) => ({ ...r }));
+	for (const cs of routine.features.callSites) {
+		for (const binding of cs.argumentBindings) {
+			if (binding.bindingResolution !== "resolved") continue;
+			if (binding.sourceParameterIndex === undefined) continue;
+			if (!binding.callerSourceParameterIsVar) continue;
+			if (!binding.calleeParameterIsVar) continue;
+			const edge = ctx.resolvedCallEdgeByCallsite.get(cs.id);
+			if (edge?.to === undefined) continue;
+			const calleeRoutine = ctx.routineById.get(edge.to);
+			const calleeRoleSummary = lookup(edge.to);
+			const calleeRole = calleeRoleSummary?.parameterRoles.find(
+				(r) => r.parameterIndex === binding.parameterIndex,
+			);
+			const p = parameterRoles.find((r) => r.parameterIndex === binding.sourceParameterIndex);
+			if (p === undefined) continue;
+			// Opaque guard: any of the three reasons we cannot trust callee facts
+			// (no role, routine missing, body unavailable) takes the unknown branch.
+			// Phase 6's symbol-only projections may produce a callee role with
+			// bodyAvailable=false; this guard keeps such cases on the opaque path.
+			const opaque =
+				calleeRole === undefined ||
+				calleeRoutine === undefined ||
+				calleeRoutine.bodyAvailable === false;
+			if (opaque) {
+				p.persistsCurrentRecord = joinPresence(p.persistsCurrentRecord, "unknown");
+				p.setBasedDbWrites = joinPresence(p.setBasedDbWrites, "unknown");
+				p.validatesParam = joinPresence(p.validatesParam, "unknown");
+				p.copiesIntoParam = joinPresence(p.copiesIntoParam, "unknown");
+				p.resetsFiltersOnParam = joinPresence(p.resetsFiltersOnParam, "unknown");
+			} else {
+				p.persistsCurrentRecord = joinPresence(
+					p.persistsCurrentRecord,
+					calleeRole.persistsCurrentRecord,
+				);
+				p.setBasedDbWrites = joinPresence(p.setBasedDbWrites, calleeRole.setBasedDbWrites);
+				p.validatesParam = joinPresence(p.validatesParam, calleeRole.validatesParam);
+				p.copiesIntoParam = joinPresence(p.copiesIntoParam, calleeRole.copiesIntoParam);
+				p.resetsFiltersOnParam = joinPresence(
+					p.resetsFiltersOnParam,
+					calleeRole.resetsFiltersOnParam,
+				);
+			}
+			p.mutatesParam = joinPresence(
+				joinPresence(p.persistsCurrentRecord, p.validatesParam),
+				p.copiesIntoParam,
+			);
+		}
+	}
+
+	// Path-aware entry-requirement composition (spec §(c1a)).
+	// Run the walker with the current fixed-point `lookup` so callee summaries
+	// are from the current iteration (not the stale routine.summary).
+	// Only run on routines with a body — opaque/parse-incomplete cases stay "unknown"
+	// as set by baseIntraproceduralSummaryCtx.
+	//
+	// Memoization note (I7, deferred — see review): the walker is re-run every
+	// fixed-point iteration for routines in recursive SCCs. Measurement on DC/Cloud
+	// (AL_SEM_SCC_STATS=1: 35 recursive SCCs, maxSize=4, totalIters=65, maxIters=5)
+	// shows redundant walks are bounded at ~30 across the whole workspace — well
+	// below 1% of total walker cost. Phase 6's full statement-tree walker should
+	// re-measure; if cost grows materially, cache walkRoutine output keyed by
+	// (routineId × fingerprint of callee summaries' requires/mutates fields).
+	if (routine.bodyAvailable && !routine.parseIncomplete) {
+		const pathFacts = walkRoutine(routine, ctx, lookup);
+		const pathByIndex = new Map(pathFacts.map((p) => [p.parameterIndex, p]));
+		for (const role of parameterRoles) {
+			const pf = pathByIndex.get(role.parameterIndex);
+			if (pf === undefined) continue;
+			role.requiresLoadedAtEntry = pf.requiresLoadedAtEntry;
+			role.requiredLoadedFieldsAtEntry = pf.requiredLoadedFieldsAtEntry;
+			role.mutatesBeforeLoad = pf.mutatesBeforeLoad;
+			// Phase 6: walker now emits path-proven dirtyAtExit and
+			// currentLoadedFieldsAtExit. These override the base "unknown"
+			// placeholders set by baseIntraproceduralSummaryCtx.
+			role.dirtyAtExit = pf.dirtyAtExit;
+			role.currentLoadedFieldsAtExit = pf.currentLoadedFieldsAtExit;
+		}
+	}
+
+	return {
+		routineId: routine.id,
+		dbEffects,
+		inRecursiveCycle: base.inRecursiveCycle,
+		hasUnresolvedCalls,
+		uncertainties,
+		parameterRoles,
+	};
+}
+
+/**
+ * Public, model-based form kept for callers outside the runner (and the older spec text
+ * referenced in docs). Builds a one-shot context per call — fine for one-offs, NOT for
+ * hot loops. The runner uses `composeRoutineCtx` directly.
+ */
+export function composeRoutine(
+	routine: Routine,
+	lookup: (id: RoutineId) => RoutineSummary | undefined,
+	graph: CombinedGraph,
+	model: SemanticModel,
+): RoutineSummary {
+	return composeRoutineCtx(routine, lookup, graph, buildSummaryContext(model, graph));
+}
+
+/**
+ * Compute a RoutineSummary for every NON-leaf routine and mutate `routine.summary` in place.
+ * Fixed-leaf routines (see `SummaryRunOptions.isLeaf`) keep their existing `summary` and are
+ * pre-seeded into the lookup map so callers compose against them. Walks the SCC condensation
+ * bottom-up; recursive SCCs get a finite monotone fixed-point.
+ */
+export function runSummaries(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	diagnostics: Diagnostic[],
+	options?: SummaryRunOptions,
+): void {
+	const isLeaf = options?.isLeaf ?? defaultIsLeaf;
+	const lap = makeLap("summary:");
+	// Build O(1) lookup indexes once. This replaces ~50G+ linear scans on Base App-sized
+	// dependencies — the cold-run dominant cost before the refactor.
+	const ctx = buildSummaryContext(model, graph);
+	lap("buildSummaryContext");
+
+	// Precompute base intraprocedural summaries ONCE per non-leaf routine. For non-recursive
+	// SCCs this is the same as before; for recursive SCCs it eliminates recomputing the base
+	// every fixed-point iteration (was a significant cost — base touches every record op,
+	// every call site, and computes parameterRoles, all of which never change between iters).
+	const baseSummaries = new Map<RoutineId, RoutineSummary>();
+	for (const r of model.routines) {
+		if (isLeaf(r)) continue;
+		baseSummaries.set(r.id, baseIntraproceduralSummaryCtx(r, ctx));
+	}
+	const baseLookup = (id: RoutineId): RoutineSummary | undefined => baseSummaries.get(id);
+	lap(`base-precompute (${baseSummaries.size} routines)`);
+
+	const final = new Map<RoutineId, RoutineSummary>();
+	// Pre-seed fixed leaves so composition can look them up; they are never recomputed.
+	for (const r of model.routines) {
+		if (isLeaf(r) && r.summary !== undefined) final.set(r.id, r.summary);
+	}
+
+	const { sccs } = tarjanScc(graph);
+	lap(`tarjanScc (${sccs.length} sccs)`);
+	let nonRecursiveSccs = 0;
+	let recursiveSccs = 0;
+	let maxSccSize = 0;
+	let totalSccMembers = 0;
+	let totalIterations = 0;
+	let maxIterations = 0;
+	let fingerprintCalls = 0;
+
+	for (const scc of sccs) {
+		if (SCC_STATS_ENABLED) {
+			if (scc.recursive) recursiveSccs++;
+			else nonRecursiveSccs++;
+			if (scc.members.length > maxSccSize) maxSccSize = scc.members.length;
+			totalSccMembers += scc.members.length;
+		}
+		if (!scc.recursive) {
+			const id = scc.members[0];
+			const routine = id !== undefined ? ctx.routineById.get(id) : undefined;
+			if (id === undefined || routine === undefined) continue;
+			if (isLeaf(routine)) continue; // fixed leaf — already in `final`
+			final.set(
+				id,
+				composeRoutineCtx(routine, (x) => final.get(x), graph, ctx, baseLookup),
+			);
+			continue;
+		}
+		// Recursive SCC — finite monotone fixed-point with snapshot iteration.
+		const inProgress = new Map<RoutineId, RoutineSummary>();
+		for (const id of scc.members) {
+			const routine = ctx.routineById.get(id);
+			if (routine === undefined) continue;
+			if (isLeaf(routine)) continue;
+			const base = baseSummaries.get(id);
+			if (base !== undefined) inProgress.set(id, base);
+		}
+		let iterations = 0;
+		let changed = true;
+		while (changed) {
+			changed = false;
+			iterations++;
+			const snapshot = new Map(inProgress);
+			for (const id of scc.members) {
+				const routine = ctx.routineById.get(id);
+				if (routine === undefined || isLeaf(routine)) continue;
+				const next = composeRoutineCtx(
+					routine,
+					(x) => snapshot.get(x) ?? final.get(x),
+					graph,
+					ctx,
+					baseLookup,
+				);
+				const prev = inProgress.get(id);
+				if (prev === undefined || summaryFingerprint(prev) !== summaryFingerprint(next)) {
+					changed = true;
+				}
+				if (SCC_STATS_ENABLED) fingerprintCalls += prev === undefined ? 1 : 2;
+				inProgress.set(id, next);
+			}
+			if (iterations >= MAX_FIXED_POINT_ITERATIONS) {
+				diagnostics.push({
+					severity: "warning",
+					stage: "summarize",
+					message: `Summary fixed-point did not converge for SCC [${scc.members.join(", ")}]`,
+				});
+				break;
+			}
+		}
+		if (SCC_STATS_ENABLED) {
+			totalIterations += iterations;
+			if (iterations > maxIterations) maxIterations = iterations;
+		}
+		for (const id of scc.members) {
+			const summary = inProgress.get(id);
+			if (summary !== undefined) final.set(id, { ...summary, inRecursiveCycle: true });
+		}
+	}
+
+	lap("scc-compose");
+	// Phase 0b-β: attach direct capability facts and baseline coverage to each non-leaf
+	// routine's final summary. Capability extraction is per-routine (intrinsic, not
+	// inherited) — it runs once here, after the fixed-point has converged, so every
+	// routine gets its own direct facts attached exactly once.
+	//
+	// capabilityFactsInherited stays [] and coverage.inheritedStatus stays "unknown"
+	// until Tasks 21-22 (coverage composer + inherited composition).
+	//
+	// Engine-never-throws: extractCapabilities catches its own errors; this loop adds a
+	// second outer guard so a bug in the wire-in itself cannot crash the engine.
+	//
+	// Index publisher events by routine ONCE. The per-routine publisher-fact injection below
+	// otherwise filtered the entire eventGraph.events array per routine — O(routines × events),
+	// which on Base App (84k non-leaf routines × thousands of platform events) is a multi-second
+	// quadratic. This map makes it O(routines + events). Insertion order matches eventGraph.events
+	// order, so injected-fact order is unchanged.
+	const eventsForPublisherIndex = model.eventGraph?.events ?? [];
+	const publisherEventsByRoutine = new Map<RoutineId, typeof eventsForPublisherIndex>();
+	for (const evt of eventsForPublisherIndex) {
+		if (evt.publisherRoutineId === undefined) continue;
+		const list = publisherEventsByRoutine.get(evt.publisherRoutineId);
+		if (list) list.push(evt);
+		else publisherEventsByRoutine.set(evt.publisherRoutineId, [evt]);
+	}
+
+	for (const routine of model.routines) {
+		if (isLeaf(routine)) continue;
+		const summary = final.get(routine.id);
+		if (summary === undefined) continue;
+
+		// Build a minimal ExtractionContext — the orchestrator rebuilds variables
+		// internally, so ctx.variables here is just a safe placeholder.
+		const dispatchCtx = {
+			routine,
+			variables: new Map<string, VariableSymbol>(),
+			receiverTypeOf: (_name: string) => "unknown",
+			reportDiagnostic: (_d: Diagnostic) => {},
+			reportCoverageGap: (_r: CoverageReason, _t?: string) => {},
+		};
+
+		let { facts, status, reasons } = extractCapabilities(routine, dispatchCtx);
+
+		// Opaque / parse-incomplete routines: skip extraction (no body to extract from).
+		// extractCapabilities already handles this internally but we reinforce intent.
+		if (!routine.bodyAvailable || routine.parseIncomplete) {
+			facts = [];
+			status = "unknown";
+			reasons = routine.parseIncomplete ? ["parse-incomplete"] : ["opaque-dependency"];
+		}
+
+		// Phase 1a Family B — publisher-fact injection.
+		//
+		// The events-family extractor (src/index/capability/events.ts) runs at
+		// routine-indexing time and has no access to the resolved event graph, so it
+		// intentionally emits SUBSCRIBE facts only. Publisher routines ([IntegrationEvent]
+		// / [BusinessEvent] / [InternalEvent]) therefore have no direct publish facts, which
+		// caused publishesEventsOf to return [] for publisher routines — direct publish
+		// facts must be present so callers' inherited cones surface the event.
+		//
+		// Here, in the summary engine where model.eventGraph is already resolved, we look up
+		// every EventSymbol whose publisherRoutineId === routine.id and inject one direct
+		// publish CapabilityFact per event. The Task-22 inherited-facts BFS (below) then
+		// naturally propagates these facts to callers via direct-call edges, satisfying the
+		// publishesEventsOf invariant on publisher routines.
+		//
+		// Injection runs BEFORE final.set so the facts are present when the BFS reads
+		// capabilityFactsDirect for each routine.
+		const publisherEvents = publisherEventsByRoutine.get(routine.id) ?? [];
+		for (const evt of publisherEvents) {
+			const extra: EventExtra = {
+				kind: "event",
+				eventClass: mapEventKindToClass(evt.eventKind),
+			};
+			const publishFact: CapabilityFact = {
+				subject: routine.id,
+				op: "publish",
+				resourceKind: "event",
+				resourceId: evt.id as EventId,
+				confidence: "static",
+				provenance: "direct",
+				via: "self",
+				extra,
+			};
+			facts = [...facts, publishFact];
+		}
+
+		final.set(routine.id, {
+			...summary,
+			capabilityFactsDirect: facts,
+			capabilityFactsInherited: [],
+			coverage: {
+				subject: routine.id,
+				directStatus: status,
+				inheritedStatus: "unknown",
+				reasons,
+				unknownTargets: [],
+			},
+		});
+	}
+
+	lap("task17-capability-extract");
+	const cones = composeInheritedCones(model, final, isLeaf, diagnostics);
+	for (const routine of model.routines) {
+		if (isLeaf(routine)) continue;
+		const summary = final.get(routine.id);
+		if (summary === undefined) continue;
+		const cone = cones.get(routine.id);
+		if (cone === undefined) continue; // composition failed → keep task-17 baseline coverage + []
+		final.set(routine.id, {
+			...summary,
+			capabilityFactsInherited: cone.inherited,
+			coverage: cone.coverage,
+		});
+	}
+
+	lap("task22-inherited-bfs");
+	for (const routine of model.routines) {
+		if (isLeaf(routine)) continue; // leaves keep their authoritative summary
+		routine.summary = final.get(routine.id);
+	}
+	lap("writeback");
+
+	if (SCC_STATS_ENABLED) {
+		process.stderr.write(
+			`al-sem SCC stats: sccs=${nonRecursiveSccs + recursiveSccs}` +
+				` (recursive=${recursiveSccs} non-recursive=${nonRecursiveSccs})` +
+				` maxSize=${maxSccSize} totalMembers=${totalSccMembers}` +
+				` totalIterations=${totalIterations} maxIterations=${maxIterations}` +
+				` fingerprintCalls=${fingerprintCalls}\n`,
+		);
+	}
+}
+
+/** Phase 2b-compatible entry point: run summaries with the default leaf policy. */
+export function computeSummaries(
+	model: SemanticModel,
+	graph: CombinedGraph,
+	diagnostics: Diagnostic[],
+): void {
+	runSummaries(model, graph, diagnostics);
+}

package/src/engine/transaction-spans.ts

@@ -0,0 +1,112 @@
+import {
+	publishesEventsOf,
+	reachableCoverage,
+	writesTablesOf,
+} from "../detectors/capability-query.ts";
+import { roleOf } from "../model/entities.ts";
+import type { EventId, OperationId, RoutineId, TableId } from "../model/ids.ts";
+import type { SemanticModel } from "../model/model.ts";
+import type { CombinedGraph } from "./combined-graph.ts";
+import type { ReverseCallGraph } from "./reverse-call-graph.ts";
+
+export interface TransactionSpan {
+	/** The Commit operation that bounds the span. */
+	commitOperationId: OperationId;
+	/** The routine containing the bounding Commit. */
+	commitRoutineId: RoutineId;
+	/** All routines reachable backward from commitRoutineId up to another commit or root. */
+	routinesInSpan: RoutineId[];
+	/** Union of tables written by any routine in the span (from writesTablesOf — sorted+deduped). */
+	writesTables: TableId[];
+	/** Union of events published by any routine in the span (from publishesEventsOf — sorted+deduped). */
+	publishesEvents: EventId[];
+	/** Entry roots — routines in the span with no upstream caller inside the span. */
+	spanRoots: RoutineId[];
+	/**
+	 * True iff EVERY routine in `routinesInSpan` has a defined summary AND
+	 * `reachableCoverage(summary) === "complete"`. False when at least
+	 * one routine's inherited cone is partial / unknown — which means
+	 * the aggregated `writesTables` and `publishesEvents` sets may be
+	 * an under-approximation of what this span actually touches.
+	 *
+	 * Replaces the legacy per-routine `summary.writesTables === "unknown"`
+	 * probe D9 used to do. The signal is coarser (overall coverage, not
+	 * per-family) because Phase 1a's `reachableCoverage` is per-routine
+	 * overall. When per-family coverage roll-up lands (spec §3.7
+	 * FingerprintCoverage.perFamily), this field upgrades cleanly to a
+	 * `writesCoverage: CoverageStatus`.
+	 */
+	coverageComplete: boolean;
+}
+
+const MAX_DEPTH = 50;
+
+/**
+ * Compute transaction spans. For each primary-app routine that contains a Commit, walk
+ * callers backward to find every routine that participates in the transaction. The walk
+ * stops at any routine that itself commits (that's a prior span's domain) or at the depth
+ * bound. Each Commit operation yields one TransactionSpan.
+ */
+export function computeTransactionSpans(
+	model: SemanticModel,
+	_graph: CombinedGraph,
+	reverse: ReverseCallGraph,
+): TransactionSpan[] {
+	const routineById = new Map(model.routines.map((r) => [r.id, r]));
+	const spans: TransactionSpan[] = [];
+
+	// Build: routineId → list of Commit operationIds in that routine (from operationSites
+	// with kind === "commit"). We only care about primary-app routines.
+	const commitsByRoutine = new Map<RoutineId, OperationId[]>();
+	for (const r of model.routines) {
+		if (roleOf(r) !== "primary") continue;
+		const commitOps = r.features.operationSites
+			.filter((os) => os.kind === "commit")
+			.map((os) => os.id);
+		if (commitOps.length > 0) commitsByRoutine.set(r.id, commitOps);
+	}
+
+	for (const [commitRoutineId, commitOps] of commitsByRoutine) {
+		for (const commitOperationId of commitOps) {
+			const visited = new Set<RoutineId>();
+			const queue: { id: RoutineId; depth: number }[] = [{ id: commitRoutineId, depth: 0 }];
+			while (queue.length > 0) {
+				const item = queue.shift();
+				if (!item) break;
+				const { id, depth } = item;
+				if (visited.has(id)) continue;
+				visited.add(id);
+				if (depth >= MAX_DEPTH) continue;
+				// Don't walk past another committing routine (prior span bounds the trace).
+				if (id !== commitRoutineId && commitsByRoutine.has(id)) continue;
+				for (const caller of reverse.get(id) ?? []) {
+					if (!visited.has(caller.from)) queue.push({ id: caller.from, depth: depth + 1 });
+				}
+			}
+			const writes = new Set<TableId>();
+			const events = new Set<EventId>();
+			let coverageComplete = true;
+			for (const rid of visited) {
+				const r = routineById.get(rid);
+				if (r?.summary === undefined) {
+					coverageComplete = false;
+					continue;
+				}
+				for (const t of writesTablesOf(r.summary)) writes.add(t);
+				for (const e of publishesEventsOf(r.summary)) events.add(e);
+				if (reachableCoverage(r.summary) !== "complete") coverageComplete = false;
+			}
+			const spanRoots = [...visited].filter((rid) => (reverse.get(rid) ?? []).length === 0);
+			spans.push({
+				commitOperationId,
+				commitRoutineId,
+				routinesInSpan: [...visited].sort(),
+				writesTables: [...writes].sort(),
+				publishesEvents: [...events].sort(),
+				spanRoots: spanRoots.sort(),
+				coverageComplete,
+			});
+		}
+	}
+	return spans;
+}