al-sem 0.0.1

package/src/index/capability/hyperlink.ts

@@ -0,0 +1,60 @@
+import type { CapabilityConfidence, CapabilityFact, ValueSource } from "../../model/capability.ts";
+import type { CoverageReason } from "../../model/coverage.ts";
+import type { ExtractionContext } from "./extractor.ts";
+import { classifyValueSource } from "./value-source.ts";
+
+/**
+ * Phase 0b-β hyperlink family extractor. Detects bare `Hyperlink(url)` calls.
+ *
+ * Emits: op="open", resourceKind="ui", resourceArgSource = classifyValueSource(urlArg),
+ * confidence derived from URL ValueSource kind. Never throws.
+ */
+export function extractHyperlink(ctx: ExtractionContext): {
+	facts: CapabilityFact[];
+	reasons: CoverageReason[];
+} {
+	try {
+		const facts: CapabilityFact[] = [];
+		for (const cs of ctx.routine?.features?.callSites ?? []) {
+			const callee = cs.callee;
+			if (!callee || callee.kind !== "bare") continue;
+			if (typeof callee.name !== "string") continue;
+			if (callee.name.toLowerCase() !== "hyperlink") continue;
+
+			const urlInfo = cs.argumentInfos?.[0];
+			const urlSource: ValueSource =
+				urlInfo !== undefined ? classifyValueSource(urlInfo, ctx) : { kind: "unknown" };
+
+			facts.push({
+				subject: ctx.routine.id,
+				op: "open",
+				resourceKind: "ui",
+				resourceArgSource: urlSource,
+				confidence: confidenceFromSource(urlSource),
+				provenance: "direct",
+				via: "self",
+				witnessCallsiteId: cs.id,
+			});
+		}
+		return { facts, reasons: [] };
+	} catch {
+		return { facts: [], reasons: ["extraction-failed"] };
+	}
+}
+
+function confidenceFromSource(vs: ValueSource): CapabilityConfidence {
+	switch (vs.kind) {
+		case "literal":
+		case "enum":
+			return "static";
+		case "constant-var":
+			return confidenceFromSource(vs.initializer);
+		case "parameter":
+			return "userDynamic";
+		case "table-field":
+			return "configDynamic";
+		case "expression":
+		case "unknown":
+			return "unresolved";
+	}
+}

package/src/index/capability/isolated-storage.ts

@@ -0,0 +1,179 @@
+import type {
+	CapabilityConfidence,
+	CapabilityFact,
+	CapabilityOp,
+	StorageExtra,
+	ValueSource,
+} from "../../model/capability.ts";
+import type { CoverageReason } from "../../model/coverage.ts";
+import type { CallsiteId, OperationId } from "../../model/ids.ts";
+import type { ExtractionContext } from "./extractor.ts";
+import { classifyValueSource } from "./value-source.ts";
+
+/**
+ * Maps IsolatedStorage method names (lowercase) to their capability op.
+ * Methods not in this map are ignored.
+ */
+const ISOLATED_STORAGE_OPS = new Map<string, CapabilityOp>([
+	["get", "store-read"],
+	["getencrypted", "store-read"],
+	["contains", "store-read"],
+	["set", "store-write"],
+	["setencrypted", "store-write"],
+	["delete", "store-delete"],
+]);
+
+/**
+ * Maps a DataScope enum text (e.g. "DataScope::Company") to the StorageExtra
+ * scope literal. Falls back to "unknown" for unrecognized values.
+ */
+function parseDataScope(text: string): StorageExtra["scope"] {
+	const lower = text.toLowerCase();
+	if (lower.includes("::company")) return "Company";
+	if (lower.includes("::user")) return "User";
+	if (lower.includes("::module")) return "Module";
+	return "unknown";
+}
+
+function buildStorageFact(
+	ctx: ExtractionContext,
+	op: CapabilityOp,
+	keySource: ValueSource,
+	extra: StorageExtra,
+	witness: { kind: "operation"; id: OperationId } | { kind: "callsite"; id: CallsiteId },
+): CapabilityFact {
+	const witnessFields =
+		witness.kind === "operation"
+			? { witnessOperationId: witness.id }
+			: { witnessCallsiteId: witness.id };
+	return {
+		subject: ctx.routine.id,
+		op,
+		resourceKind: "isolated-storage",
+		resourceArgSource: keySource,
+		confidence: confidenceFromSource(keySource),
+		provenance: "direct",
+		via: "self",
+		...witnessFields,
+		extra,
+	};
+}
+
+/**
+ * Phase 0b-β isolated-storage family extractor. Detects IsolatedStorage
+ * system reference method calls.
+ *
+ * IsolatedStorage is a SYSTEM REFERENCE — not a declared variable. The gate
+ * is `receiver.toLowerCase() === "isolatedstorage"` (member callee) or
+ * `recordVariableName.toLowerCase() === "isolatedstorage"` (recordOperation).
+ *
+ * Why both branches? `intraprocedural-ops.ts` RECORD_OP_MAP maps `.Get` and
+ * `.Delete` to RecordOperation regardless of receiver type — so these two
+ * methods land in `recordOperations`. The remaining methods (`.Set`,
+ * `.SetEncrypted`, `.GetEncrypted`, `.Contains`) land in `callSites` as
+ * member callees.
+ *
+ * Op mapping:
+ *   .Get, .GetEncrypted, .Contains → store-read
+ *   .Set, .SetEncrypted            → store-write
+ *   .Delete                        → store-delete
+ *
+ * `resourceArgSource` is classifyValueSource on the key argument (arg[0] for
+ * callSites, fieldArgumentInfos[0] for recordOperations). `.Delete` has no
+ * fieldArgumentInfos so key falls back to `{ kind: "unknown" }`.
+ *
+ * `StorageExtra` carries:
+ *   keyArgSource   — same as resourceArgSource
+ *   valueArgSource — arg[1] for .Set/.SetEncrypted (callSites only)
+ *   scope          — arg[2] for .Set/.SetEncrypted; parsed from DataScope enum text
+ *
+ * Never throws.
+ */
+export function extractIsolatedStorage(ctx: ExtractionContext): {
+	facts: CapabilityFact[];
+	reasons: CoverageReason[];
+} {
+	try {
+		const facts: CapabilityFact[] = [];
+
+		// Branch A: IsolatedStorage.Get / .Delete from recordOperations.
+		// intraprocedural-ops.ts recognises Get/Delete via RECORD_OP_MAP
+		// regardless of receiver type — filter by recordVariableName here.
+		for (const ro of ctx.routine?.features?.recordOperations ?? []) {
+			const recv = ro.recordVariableName;
+			if (typeof recv !== "string") continue;
+			if (recv.toLowerCase() !== "isolatedstorage") continue;
+
+			const method = ro.op.toLowerCase();
+			const op = ISOLATED_STORAGE_OPS.get(method);
+			if (op === undefined) continue;
+
+			const keyInfo = ro.fieldArgumentInfos?.[0];
+			const keySource: ValueSource =
+				keyInfo !== undefined ? classifyValueSource(keyInfo, ctx) : { kind: "unknown" };
+
+			const extra: StorageExtra = {
+				kind: "storage",
+				keyArgSource: keySource,
+			};
+
+			facts.push(buildStorageFact(ctx, op, keySource, extra, { kind: "operation", id: ro.id }));
+		}
+
+		// Branch B: IsolatedStorage.Set / .SetEncrypted / .GetEncrypted / .Contains
+		// from callSites (member callees not caught by RECORD_OP_MAP).
+		for (const cs of ctx.routine?.features?.callSites ?? []) {
+			const callee = cs.callee;
+			if (!callee || callee.kind !== "member") continue;
+			if (callee.receiver.toLowerCase() !== "isolatedstorage") continue;
+
+			const method = callee.method.toLowerCase();
+			const op = ISOLATED_STORAGE_OPS.get(method);
+			if (op === undefined) continue;
+
+			const keyInfo = cs.argumentInfos?.[0];
+			const keySource: ValueSource =
+				keyInfo !== undefined ? classifyValueSource(keyInfo, ctx) : { kind: "unknown" };
+
+			const extra: StorageExtra = {
+				kind: "storage",
+				keyArgSource: keySource,
+			};
+
+			// For write methods: capture value arg (arg[1]) and scope arg (arg[2]).
+			if (op === "store-write") {
+				const valueInfo = cs.argumentInfos?.[1];
+				if (valueInfo !== undefined) {
+					extra.valueArgSource = classifyValueSource(valueInfo, ctx);
+				}
+				const scopeInfo = cs.argumentInfos?.[2];
+				if (scopeInfo !== undefined) {
+					extra.scope = parseDataScope(scopeInfo.text ?? "");
+				}
+			}
+
+			facts.push(buildStorageFact(ctx, op, keySource, extra, { kind: "callsite", id: cs.id }));
+		}
+
+		return { facts, reasons: [] };
+	} catch {
+		return { facts: [], reasons: ["extraction-failed"] };
+	}
+}
+
+function confidenceFromSource(vs: ValueSource): CapabilityConfidence {
+	switch (vs.kind) {
+		case "literal":
+		case "enum":
+			return "static";
+		case "constant-var":
+			return confidenceFromSource(vs.initializer);
+		case "parameter":
+			return "userDynamic";
+		case "table-field":
+			return "configDynamic";
+		case "expression":
+		case "unknown":
+			return "unresolved";
+	}
+}

package/src/index/capability/table.ts

@@ -0,0 +1,113 @@
+import type { CapabilityFact, CapabilityOp, TableExtra } from "../../model/capability.ts";
+import type { CoverageReason } from "../../model/coverage.ts";
+import type { RecordOpType } from "../../model/entities.ts";
+import type { ExtractionContext } from "./extractor.ts";
+
+/**
+ * Map an AL RecordOpType to a CapabilityOp.
+ *
+ * Returns undefined for state-only / filter ops (SetRange, SetFilter, Init,
+ * SetLoadFields, AddLoadFields, SetCurrentKey, Reset, LockTable) — these are
+ * NOT capability-relevant per spec §3.1 substrate-discipline. Phase 1
+ * detectors that need filter / load-field state read RecordOperation directly.
+ */
+function mapOp(op: RecordOpType): CapabilityOp | undefined {
+	switch (op) {
+		case "Get":
+		case "Find":
+		case "FindFirst":
+		case "FindLast":
+		case "FindSet":
+		case "IsEmpty":
+		case "Count":
+		case "CountApprox":
+		case "Next":
+		case "CalcFields":
+		case "CalcSums":
+		case "TestField":
+			return "read";
+		case "Modify":
+		case "ModifyAll":
+		case "Validate":
+		case "Copy":
+		case "TransferFields":
+			return "modify";
+		case "Insert":
+			return "insert";
+		case "Delete":
+		case "DeleteAll":
+			return "delete";
+		case "Init":
+		case "SetRange":
+		case "SetFilter":
+		case "SetLoadFields":
+		case "AddLoadFields":
+		case "SetCurrentKey":
+		case "Reset":
+		case "LockTable":
+			return undefined;
+		default: {
+			// Exhaustiveness guard — adding a RecordOpType variant must extend
+			// this switch. The `never` cast triggers tsc if a new variant slips in.
+			const _exhaustive: never = op;
+			return _exhaustive;
+		}
+	}
+}
+
+/**
+ * Phase 0b-β table family extractor.
+ *
+ * Iterates `ctx.routine.features.recordOperations` (already indexed by L2)
+ * and maps each RecordOperation to a CapabilityFact. State-only ops are
+ * skipped (undefined mapOp result).
+ *
+ * Confidence:
+ *  - "static"     when tableId is present (resolved from .app symbol deps)
+ *  - "unresolved" when tableId is absent (pure workspace, no dep resolution)
+ *
+ * TableExtra carries opSubtype, recordVariableId, and tempState — per spec
+ * §3.1, fieldArguments are NOT mirrored into extra (they stay on RecordOperation
+ * for Phase 1 detectors to read directly).
+ *
+ * Never throws.
+ */
+export function extractTable(ctx: ExtractionContext): {
+	facts: CapabilityFact[];
+	reasons: CoverageReason[];
+} {
+	try {
+		const facts: CapabilityFact[] = [];
+		const recordOps = ctx.routine?.features?.recordOperations ?? [];
+
+		for (const op of recordOps) {
+			const capOp = mapOp(op.op);
+			if (capOp === undefined) continue;
+
+			const extra: TableExtra = {
+				kind: "table",
+				opSubtype: op.op,
+				recordVariableId: op.recordVariableId,
+				tempState: op.tempState,
+			};
+
+			const fact: CapabilityFact = {
+				subject: ctx.routine.id,
+				op: capOp,
+				resourceKind: "table",
+				resourceId: op.tableId,
+				confidence: op.tableId !== undefined ? "static" : "unresolved",
+				provenance: "direct",
+				via: "self",
+				witnessOperationId: op.id,
+				extra,
+			};
+
+			facts.push(fact);
+		}
+
+		return { facts, reasons: [] };
+	} catch {
+		return { facts: [], reasons: ["extraction-failed"] };
+	}
+}

package/src/index/capability/telemetry.ts

@@ -0,0 +1,84 @@
+import type { CapabilityConfidence, CapabilityFact, ValueSource } from "../../model/capability.ts";
+import type { CoverageReason } from "../../model/coverage.ts";
+import type { ExtractionContext } from "./extractor.ts";
+import { classifyValueSource } from "./value-source.ts";
+
+/**
+ * Phase 0b-β telemetry family extractor. Detects:
+ *   - `Session.LogMessage(eventId, message, ...)` — member callee, receiver = "Session"
+ *   - `LogMessage(eventId, message, ...)` — bare callee
+ *
+ * Emits one CapabilityFact per match:
+ *   op: "log", resourceKind: "telemetry"
+ *   resourceArgSource: classifyValueSource on eventId (1st positional arg)
+ *   confidence derived from eventId ValueSource kind (same pattern as http.ts)
+ *   provenance: "direct", via: "self"
+ *   witnessCallsiteId: cs.id (both bare + member calls land in callSites)
+ *
+ * No TelemetryExtra defined in src/model/capability.ts — `extra` is omitted.
+ *
+ * Never throws.
+ */
+export function extractTelemetry(ctx: ExtractionContext): {
+	facts: CapabilityFact[];
+	reasons: CoverageReason[];
+} {
+	try {
+		const facts: CapabilityFact[] = [];
+		for (const cs of ctx.routine?.features?.callSites ?? []) {
+			const callee = cs.callee;
+			if (!callee) continue;
+
+			let matches = false;
+			if (callee.kind === "member") {
+				// Session.LogMessage — receiver name compared case-insensitively
+				if (
+					callee.receiver.toLowerCase() === "session" &&
+					callee.method.toLowerCase() === "logmessage"
+				) {
+					matches = true;
+				}
+			} else if (callee.kind === "bare") {
+				if (callee.name.toLowerCase() === "logmessage") {
+					matches = true;
+				}
+			}
+			if (!matches) continue;
+
+			const eventIdInfo = cs.argumentInfos?.[0];
+			const eventIdSource: ValueSource =
+				eventIdInfo !== undefined ? classifyValueSource(eventIdInfo, ctx) : { kind: "unknown" };
+
+			facts.push({
+				subject: ctx.routine.id,
+				op: "log",
+				resourceKind: "telemetry",
+				resourceArgSource: eventIdSource,
+				confidence: confidenceFromSource(eventIdSource),
+				provenance: "direct",
+				via: "self",
+				witnessCallsiteId: cs.id,
+			});
+		}
+		return { facts, reasons: [] };
+	} catch {
+		return { facts: [], reasons: ["extraction-failed"] };
+	}
+}
+
+function confidenceFromSource(vs: ValueSource): CapabilityConfidence {
+	switch (vs.kind) {
+		case "literal":
+		case "enum":
+			return "static";
+		case "constant-var":
+			return confidenceFromSource(vs.initializer);
+		case "parameter":
+			return "userDynamic";
+		case "table-field":
+			return "configDynamic";
+		case "expression":
+		case "unknown":
+			return "unresolved";
+	}
+}

package/src/index/capability/ui.ts

@@ -0,0 +1,55 @@
+import type { CapabilityFact, CapabilityOp } from "../../model/capability.ts";
+import type { CoverageReason } from "../../model/coverage.ts";
+import type { ExtractionContext } from "./extractor.ts";
+
+const UI_PRIMITIVES: Record<
+	string,
+	Extract<CapabilityOp, "ui-confirm" | "ui-message" | "ui-error">
+> = {
+	confirm: "ui-confirm",
+	message: "ui-message",
+	error: "ui-error",
+};
+
+/**
+ * Phase 0b-β ui family extractor. Detects bare UI primitive calls:
+ *   Confirm(...) → ui-confirm
+ *   Message(...) → ui-message
+ *   Error(...)   → ui-error
+ *
+ * Presence facts — no resourceArgSource (message text isn't a resource id),
+ * no extra. Confidence always "static" (the primitive itself is the resource).
+ *
+ * Note: Error is already handled by D20 for control-flow semantics; this
+ * UI extraction is orthogonal — UI capability is independent of CFG semantics.
+ *
+ * Never throws.
+ */
+export function extractUi(ctx: ExtractionContext): {
+	facts: CapabilityFact[];
+	reasons: CoverageReason[];
+} {
+	try {
+		const facts: CapabilityFact[] = [];
+		for (const cs of ctx.routine?.features?.callSites ?? []) {
+			const callee = cs.callee;
+			if (!callee || callee.kind !== "bare") continue;
+			if (typeof callee.name !== "string") continue;
+			const op = UI_PRIMITIVES[callee.name.toLowerCase()];
+			if (op === undefined) continue;
+
+			facts.push({
+				subject: ctx.routine.id,
+				op,
+				resourceKind: "ui",
+				confidence: "static",
+				provenance: "direct",
+				via: "self",
+				witnessCallsiteId: cs.id,
+			});
+		}
+		return { facts, reasons: [] };
+	} catch {
+		return { facts: [], reasons: ["extraction-failed"] };
+	}
+}

package/src/index/capability/value-source.ts

@@ -0,0 +1,202 @@
+// src/index/capability/value-source.ts
+//
+// Classify an `ExpressionInfo` (a serialized, tree-sitter-derived expression
+// summary) into a `ValueSource`. Used by every capability family extractor when
+// capturing resource arguments: URL for HTTP, key for IsolatedStorage, target id
+// for object-run dispatch, etc.
+//
+// Chases `constant-var` chains by looking up the identifier name in
+// `ctx.variables` and inspecting the `VariableSymbol.initializer` captured by
+// Phase 0b-α's `extractInitializer`. Chase depth is capped at MAX_CHASE_DEPTH
+// (3) to prevent infinite recursion on circular initializer chains.
+//
+// MUST NEVER throw — the outer `try/catch` in `classifyValueSource` returns
+// `{kind: "unknown"}` on any internal error, per the engine-never-throws
+// contract (CLAUDE.md §"The engine never throws").
+
+import type { ValueSource } from "../../model/capability.ts";
+import type { ExpressionInfo } from "../../model/expression.ts";
+import type { ExtractionContext } from "./extractor.ts";
+
+const MAX_CHASE_DEPTH = 3;
+
+/**
+ * Classify an `ExpressionInfo` as a `ValueSource`. Phase 0b-β capability
+ * extractors call this for every resource argument (HTTP URL, IsolatedStorage
+ * key, dispatch target id, etc.) so downstream consumers can reason about
+ * provenance (literal vs config-table vs user-input).
+ *
+ * Pass `null` or `undefined` to get `{kind: "unknown"}` — never throws.
+ */
+export function classifyValueSource(
+	info: ExpressionInfo | null | undefined,
+	ctx: ExtractionContext,
+): ValueSource {
+	try {
+		return classifyAtDepth(info, ctx, 0);
+	} catch {
+		return { kind: "unknown" };
+	}
+}
+
+function classifyAtDepth(
+	info: ExpressionInfo | null | undefined,
+	ctx: ExtractionContext,
+	depth: number,
+): ValueSource {
+	if (info === null || info === undefined) {
+		return { kind: "unknown" };
+	}
+
+	switch (info.kind) {
+		// ── Literal forms ──────────────────────────────────────────────────────
+		case "string_literal":
+			// `info.value` is the content between the single quotes (set by
+			// expressionInfoFromNode / deriveParts for string_literal).
+			return { kind: "literal", value: info.value ?? stripSingleQuotes(info.text) };
+
+		case "integer":
+		case "decimal":
+		case "boolean":
+			return { kind: "literal", value: info.value ?? info.text.trim() };
+
+		// ── Enum / database reference ─────────────────────────────────────────
+		// Both `qualified_enum_value` (e.g. `MyEnum::Value`) and
+		// `database_reference` (e.g. `Codeunit::"Job Q Codeunit"`) have the
+		// same shape: qualifier = LHS of `::`, member/value = RHS. Both are
+		// statically-known references, so both map to ValueSource "enum".
+		case "qualified_enum_value":
+		case "database_reference": {
+			const enumName = info.qualifier !== undefined ? stripDoubleQuotes(info.qualifier) : "";
+			const member = info.member ?? info.value ?? "";
+			return { kind: "enum", enumName, member };
+		}
+
+		// ── Identifier — parameter, constant-var, or chase ────────────────────
+		case "identifier":
+		case "quoted_identifier": {
+			const name = info.value !== undefined ? info.value.toLowerCase() : info.text.toLowerCase();
+			return classifyIdentifier(name, ctx, depth);
+		}
+
+		// ── Member expression — potential table-field ─────────────────────────
+		case "member_expression": {
+			return classifyMemberExpression(info.text, ctx);
+		}
+
+		// ── Unary expression (e.g. -3) — literal when operand is numeric ──────
+		case "unary_expression":
+			if (info.value !== undefined) return { kind: "literal", value: info.value };
+			return { kind: "expression" };
+
+		// ── Call / anything else → expression ─────────────────────────────────
+		default:
+			return { kind: "expression" };
+	}
+}
+
+// ─── Identifier resolution ──────────────────────────────────────────────────
+
+function classifyIdentifier(nameLower: string, ctx: ExtractionContext, depth: number): ValueSource {
+	const sym = ctx.variables.get(nameLower);
+	if (sym === undefined) {
+		// Not in scope — treat as an opaque expression reference.
+		return { kind: "expression" };
+	}
+
+	if (sym.isParameter) {
+		return {
+			kind: "parameter",
+			index: sym.parameterIndex ?? 0,
+			varName: nameLower,
+		};
+	}
+
+	// Local variable — see if we can chase the initializer.
+	const init = sym.initializer;
+	if (init === undefined || init.kind === "unknown" || init.kind === "expression") {
+		// No initializer captured or it's already opaque — emit constant-var.
+		return { kind: "constant-var", varName: nameLower, initializer: init ?? { kind: "unknown" } };
+	}
+
+	if (depth >= MAX_CHASE_DEPTH) {
+		// Depth cap hit — return constant-var with the raw initializer but don't recurse.
+		return { kind: "constant-var", varName: nameLower, initializer: init };
+	}
+
+	// Chase one hop deeper for `constant-var` (var-to-var alias).
+	if (init.kind === "constant-var") {
+		const deeper = classifyIdentifier(init.varName, ctx, depth + 1);
+		if (deeper.kind === "literal" || deeper.kind === "enum" || deeper.kind === "parameter") {
+			// Successfully resolved to a concrete source — return it directly so
+			// callers see the root kind rather than a chain of constant-var wrappers.
+			return deeper;
+		}
+		return { kind: "constant-var", varName: nameLower, initializer: deeper };
+	}
+
+	// Initializer is already a resolved kind (literal / enum / parameter / table-field).
+	return init;
+}
+
+// ─── Member expression (potential table-field) ──────────────────────────────
+
+/**
+ * Parse a member-expression text of the form `Receiver.Field` or
+ * `Receiver."Quoted Field"` and classify it as a `table-field` when the
+ * receiver resolves to a record-typed variable with a known tableId.
+ * Falls back to `expression` when the receiver is not a known record variable.
+ *
+ * The text splitting relies on the first `.` being the separator between the
+ * receiver identifier and the field member. This is safe because:
+ *  - AL receiver names are bare identifiers (no dots).
+ *  - `member_expression` nodes in the grammar always have exactly one `.`
+ *    separator at the top level.
+ */
+function classifyMemberExpression(text: string, ctx: ExtractionContext): ValueSource {
+	const dotIdx = text.indexOf(".");
+	if (dotIdx === -1) {
+		return { kind: "expression" };
+	}
+
+	const receiverRaw = text.slice(0, dotIdx).trim();
+	const fieldRaw = text.slice(dotIdx + 1).trim();
+	const receiverLower = receiverRaw.toLowerCase();
+
+	const sym = ctx.variables.get(receiverLower);
+	if (sym === undefined) {
+		return { kind: "expression" };
+	}
+
+	// Is the receiver a record variable?
+	const declType = sym.declaredType.toLowerCase();
+	const isRecord =
+		declType.startsWith("record ") || declType === "record" || declType.startsWith("recordref");
+
+	if (!isRecord) {
+		// Member call on a non-record (e.g. HttpClient.Get) — expression.
+		return { kind: "expression" };
+	}
+
+	const fieldName = stripDoubleQuotes(fieldRaw);
+	const tableId = sym.tableId ?? "unknown";
+	return { kind: "table-field", tableId, fieldName };
+}
+
+// ─── Quote helpers ───────────────────────────────────────────────────────────
+
+function stripSingleQuotes(s: string): string {
+	const t = s.trim();
+	if (t.length >= 2 && t[0] === "'" && t[t.length - 1] === "'") {
+		return t.slice(1, -1);
+	}
+	return t;
+}
+
+function stripDoubleQuotes(s: string): string {
+	const t = s.trim();
+	if (t.length >= 2 && t[0] === '"' && t[t.length - 1] === '"') {
+		return t.slice(1, -1);
+	}
+	return t;
+}