sourcecode 1.31.16__tar.gz → 1.31.18__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- sourcecode-1.31.18/.continue-here.md +134 -0
- sourcecode-1.31.18/AUDIT_REAL_REPOS.md +539 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/PKG-INFO +111 -40
- {sourcecode-1.31.16 → sourcecode-1.31.18}/README.md +110 -39
- {sourcecode-1.31.16 → sourcecode-1.31.18}/pyproject.toml +1 -1
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/__init__.py +1 -1
- sourcecode-1.31.18/src/sourcecode/cache.py +470 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/cli.py +17 -13
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/repository_ir.py +141 -1
- sourcecode-1.31.18/tests/test_cache.py +500 -0
- sourcecode-1.31.16/.continue-here.md +0 -108
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-07db8d0b.json +0 -122
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-178c65fa.json +0 -4012
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-379aba51.json +0 -265
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-530bd9cf.json +0 -406
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-56888a2a.json +0 -244
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-5b602060.json +0 -265
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-5ea1c8f1.json +0 -570
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-6934996c.json +0 -129
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-7b6dd6cc.json +0 -351
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-8cb41bc4.json +0 -390
- sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-c9ab42a3.json +0 -13523
- sourcecode-1.31.16/AUDIT_REAL_REPOS.md +0 -619
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-join-discord/SKILL.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-review-backlog/SKILL.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-workstreams/SKILL.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.github/workflows/build-windows.yml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.gitignore +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.ruff.toml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/.sourcecode-cache/snapshot-3b5997a-fa5c742c.json +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/CHANGELOG.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/CONTRIBUTING.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/LICENSE +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/SECURITY.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/PRODUCT_TIERS.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/privacy.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/schema.md +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/raw +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/run_cli.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/adaptive_scanner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/architecture_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/architecture_summary.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/ast_extractor.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/canonical_ir.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/code_notes_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/confidence_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/context_scorer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/context_summarizer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/contract_model.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/contract_pipeline.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/coverage_parser.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/dependency_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/__init__.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/base.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/csproj_parser.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/dart.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/dotnet.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/elixir.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/go.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/heuristic.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/hybrid.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/java.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/jvm_ext.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/nodejs.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/parsers.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/php.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/project.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/python.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/ruby.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/rust.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/systems.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/terraform.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/tooling.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/doc_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/entrypoint_classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/env_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/file_classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/flow_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/git_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/graph_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/__init__.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/__init__.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/applier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/backup.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/detector.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/planner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/runner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/server.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/metrics_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/output_budget.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/path_filters.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/pr_comment_renderer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/prepare_context.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/progress.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/ranking_engine.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/redactor.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/relevance_scorer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/repo_classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/runtime_classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/scanner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/schema.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/semantic_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/serializer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/summarizer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/__init__.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/config.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/consent.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/events.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/filters.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/transport.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/tree_utils.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/workspace.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/__init__.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/conftest.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/coverage.xml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/fastapi_app/pyproject.toml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/fastapi_app/src/main.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/go_service/cmd/api/main.go +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/go_service/go.mod +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/jacoco.xml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/latin1_sample.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/latin1_sample_iso.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/lcov.info +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/app/page.tsx +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/package.json +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/pnpm-lock.yaml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/apps/web/app/page.tsx +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/apps/web/package.json +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/packages/api/main.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/packages/api/pyproject.toml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/pnpm-workspace.yaml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/pom.xml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/application/service/FindAusenteService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/domain/entities/Ausente.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/infrastructure/rest/AusenteRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/application/service/FindAutocoberturasService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/domain/entities/Autocoberturas.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/infrastructure/rest/AutocoberturasRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/application/service/FindCalendarioTrabajadorService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/domain/entities/CalendarioTrabajador.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/infrastructure/rest/CalendarioTrabajadorRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/application/service/FindDepartamentoService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/domain/entities/Departamento.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/infrastructure/rest/DepartamentoRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/application/service/FindEmpleadoService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/domain/entities/Empleado.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/infrastructure/rest/EmpleadoRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/DemoApplication.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/config/FilterConfig.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/domain/Health.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/mapper/HealthMapper.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/repository/HealthRepository.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/service/HealthService.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/web/HealthRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/web/NominaRestController.java +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/application-dev.yml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/application.yml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/mapper/HealthMapper.xml +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_architecture_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_architecture_summary.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_ast_extractor.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_audit_fixes.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_audit_sas_v2.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block1_reliability.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block2_coverage.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block5_quality.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_broadleaf_fixes.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1302.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v13115.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1312.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1313.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v16.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v2.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_canonical_ir.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_classifier.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_cli.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_code_notes_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_context_scorer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_contract_pipeline.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_coverage_parser.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_cross_consistency.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_analyzer_node_python.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_analyzer_polyglot.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_schema.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_dotnet.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_go_rust_java.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_nodejs.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_php_ruby_dart.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_python.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_universal_managed.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_universal_systems.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detectors_base.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_doc_analyzer_jsdom.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_doc_analyzer_python.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_encoding_regression.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_enterprise_benchmarks.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_analyzer_polyglot.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_analyzer_python_node.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_schema.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_hybrid_inference.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_dependencies.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_detection.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_docs.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_graph_modules.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_lqn.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_metrics.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_multistack.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_semantics.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_universal.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_java_spring_integration.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_runner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_serve.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_tools.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_metrics_analyzer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_output_ux.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_packaging.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_phase1_improvements.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_pipeline_integrity.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_real_projects.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_redactor.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_repository_ir.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_scanner.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_schema.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_schema_normalization.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_scoring_calibration.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_analyzer_node.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_analyzer_python.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_import_resolution.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_schema.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_signal_hierarchy.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_summarizer.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_surface_honesty.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_task_differentiation.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_telemetry.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_v131_improvements.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_v1_10_regressions.py +0 -0
- {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_workspace_analyzer.py +0 -0
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
# Continue Here — atlas-cli sesión 21
|
|
2
|
+
|
|
3
|
+
**Paused:** 2026-05-24
|
|
4
|
+
**Repo:** `/Users/user/Documents/workspace/atlas-cli`
|
|
5
|
+
**Branch:** master
|
|
6
|
+
**Version:** sourcecode 1.31.17
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Objetivo de esta sesión
|
|
11
|
+
|
|
12
|
+
Continuar corrección de bugs post-auditoría v1.31.16 (adversarial audit contra Keycloak + Broadleaf).
|
|
13
|
+
Sesión 21 atacó los dos P0s. Quedan P1s y P2s.
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## Trabajo completado esta sesión
|
|
18
|
+
|
|
19
|
+
### P0-01 — `impact OrderServiceImpl` → 0 callers FIXED ✅
|
|
20
|
+
|
|
21
|
+
**Root cause:** `_build_reverse_adjacency` descartaba edges `implements` cuando `to` era
|
|
22
|
+
nombre corto no-resuelto (`"OrderService"` en vez de FQN). El `reverse_graph["OrderService"]`
|
|
23
|
+
no tenía clave `"implements"` → scan desde reverse side imposible.
|
|
24
|
+
|
|
25
|
+
**Fix:** Escanear `graph.edges` forward para `type=implements` FROM matched classes.
|
|
26
|
+
Resolver `to` (short/FQN) contra claves de `reverse_graph` via suffix match.
|
|
27
|
+
Callers de la interfaz se añaden a `direct_callers`. Output incluye `via_interface_resolution`
|
|
28
|
+
y `via_interface_note`.
|
|
29
|
+
|
|
30
|
+
**Resultado:** `impact OrderServiceImpl` en Broadleaf: 0 callers → **74 callers**, risk LOW → **HIGH**.
|
|
31
|
+
|
|
32
|
+
### P0-02 — `reverse_graph` unbounded por `--max-nodes`/`--max-edges` FIXED ✅
|
|
33
|
+
|
|
34
|
+
**Root cause:** `apply_ir_size_limits` sólo acotaba `graph.nodes`/`graph.edges`.
|
|
35
|
+
`reverse_graph` emitía 2685 claves (~3MB) aunque se pidieran 200 nodos.
|
|
36
|
+
|
|
37
|
+
**Fix:** Cuando `max_nodes` activo: restringir `reverse_graph` a `kept_fqns` + cap inner
|
|
38
|
+
caller lists a `max(20, max_nodes//4)`. Cuando sólo `max_edges`: cap a `max_edges` claves
|
|
39
|
+
por in-degree. Añade `reverse_graph_note` cuando trimmed.
|
|
40
|
+
|
|
41
|
+
**Resultado:** `--max-nodes 200 --max-edges 500`: 3.85MB → **939KB** (76% reducción).
|
|
42
|
+
|
|
43
|
+
### Commit esta sesión
|
|
44
|
+
|
|
45
|
+
```
|
|
46
|
+
e5fba19 fix(ir): resolve Spring DI interface bridging and bound reverse_graph
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
## Estado archivos sin commitear
|
|
52
|
+
|
|
53
|
+
```
|
|
54
|
+
?? AUDIT_REAL_REPOS.md — auditoría 22 secciones (de sesión 20, no tocar)
|
|
55
|
+
?? docs/PRODUCT_TIERS.md — de sesión anterior (no tocar esta sesión)
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
Commitear estos docs antes de continuar con fixes:
|
|
59
|
+
```bash
|
|
60
|
+
git add AUDIT_REAL_REPOS.md docs/PRODUCT_TIERS.md
|
|
61
|
+
git commit -m "docs(audit): adversarial audit v1.31.16 — real benchmarks, P0/P1/P2 findings"
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
---
|
|
65
|
+
|
|
66
|
+
## Bugs pendientes por ROI
|
|
67
|
+
|
|
68
|
+
### P1 — Altos
|
|
69
|
+
|
|
70
|
+
| # | Bug | Archivo | Tiempo est. |
|
|
71
|
+
|---|-----|---------|-------------|
|
|
72
|
+
| **P1-01** | Risk score inconsistente para 0-caller impls: `OrderServiceImpl`→low vs `OrderDaoImpl`→high (mismo 0 callers, distinta heurística). POST P0-01 fix: verificar si aún aplica o si interface bridging ya lo resuelve. | `repository_ir.py` → `compute_blast_radius` | 30 min |
|
|
73
|
+
| **P1-02** | `project_summary` = primera línea del README (license/marketing). Debe generarse de código: "N-module Spring Boot — M classes, K endpoints, J txn boundaries" | `serializer.py` o `summarizer.py` | 1h |
|
|
74
|
+
| **P1-03** | `fix-bug` devuelve 426 archivos para NPE genérico (14% repo, sin `score` field) | `prepare_context.py` → `fix_bug` | 30 min |
|
|
75
|
+
| **P1-04** | `indirect_callers:0` para KeycloakSession (1992 direct callers) — BFS para en nivel 1 por hub guard | `repository_ir.py` → `compute_blast_radius` hub guard logic | 45 min |
|
|
76
|
+
| **P1-05** | `fix-bug` 23s cold en Keycloak | profiling needed | ~1h |
|
|
77
|
+
|
|
78
|
+
### P2 — Medios (batch)
|
|
79
|
+
|
|
80
|
+
- `bounded_contexts: ["dto","file"]` Broadleaf — WRONG. Fix: usar Maven module names
|
|
81
|
+
- `role: unknown` para todos `high_coupling_nodes` en modernize — nunca clasifica annotation/interface/entity
|
|
82
|
+
- `no_security_signal: 100%` en ambos repos — filter-based security nunca detectado
|
|
83
|
+
- JAX-RS sub-resource paths no compuestos con parent `@Path`
|
|
84
|
+
- `hotspot_candidates: []` siempre — git churn ignorado
|
|
85
|
+
- `--format`/`--no-cache` ausentes en `impact`, `endpoints`, `fix-bug`, `onboard`, `modernize`, `review-pr`
|
|
86
|
+
- Architecture confidence diferente entre `--compact` y `--agent` mismo repo
|
|
87
|
+
|
|
88
|
+
---
|
|
89
|
+
|
|
90
|
+
## Primera acción al retomar
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
cd /Users/user/Documents/workspace/atlas-cli
|
|
94
|
+
|
|
95
|
+
# 1. Commitear docs pendientes
|
|
96
|
+
git add AUDIT_REAL_REPOS.md docs/PRODUCT_TIERS.md
|
|
97
|
+
git commit -m "docs(audit): adversarial audit v1.31.16 — Keycloak + Broadleaf findings"
|
|
98
|
+
|
|
99
|
+
# 2. Verificar si P1-01 aún existe post-fix P0-01:
|
|
100
|
+
sourcecode impact OrderDaoImpl ~/Documents/workspace/BroadleafCommerce 2>&1 | python3 -m json.tool | grep -E 'risk_level|confidence_level|direct_callers|via_interface'
|
|
101
|
+
# Si risk_level sigue siendo inconsistente → fix P1-01
|
|
102
|
+
# Si interface bridging ya lo resuelve → skip a P1-02
|
|
103
|
+
|
|
104
|
+
# 3. Si P1-01 persiste:
|
|
105
|
+
# En compute_blast_radius: cuando direct_callers=0 Y no hay interface bridging Y
|
|
106
|
+
# clase es @Service/@Repository impl → bajar confidence, añadir gap en explanation
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
---
|
|
110
|
+
|
|
111
|
+
## Archivos clave del codebase
|
|
112
|
+
|
|
113
|
+
```
|
|
114
|
+
src/sourcecode/
|
|
115
|
+
repository_ir.py — impact analysis, blast radius, interface bridging (P0-01/02 fixeados aquí)
|
|
116
|
+
prepare_context.py — fix-bug, onboard, review-pr output (P1-03 aquí)
|
|
117
|
+
serializer.py — compact/agent output, project_summary (P1-02 aquí)
|
|
118
|
+
summarizer.py — ProjectSummarizer (P1-02 posiblemente aquí)
|
|
119
|
+
cli.py — top-level commands, cache logic
|
|
120
|
+
tests/
|
|
121
|
+
test_enterprise_benchmarks.py
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
## Contexto de versiones
|
|
127
|
+
|
|
128
|
+
- v1.31.16: bugs auditados en sesión 20
|
|
129
|
+
- v1.31.17: versión actual (bumpeada en 0cf28b1 por el usuario)
|
|
130
|
+
- Fixes P0-01/P0-02: commit e5fba19 (sesión 21)
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
*Pausado 2026-05-24 — gsd:pause-work (sesión 21)*
|
|
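Review bot: `.continue-here.md` is a session handoff note and should not ship in the release archive. Lines 4 and 93 record the developer's absolute workspace path (`/Users/user/Documents/workspace/atlas-cli`), and the "Bugs pendientes por ROI" section (lines 66 to 86) publishes the list of unfixed findings, including `no_security_signal: 100%` and the hub-guard gap in `compute_blast_radius`. Exclude the file from the source distribution in the build configuration so that working notes stay in the repository only. As packaged the note is also stale: line 6 says `sourcecode 1.31.17` while this archive is 1.31.18, and the "Estado archivos sin commitear" block (lines 53 to 56) still lists `AUDIT_REAL_REPOS.md` and `docs/PRODUCT_TIERS.md` as untracked even though both are present in the 1.31.18 file list above.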
@@ -0,0 +1,539 @@
|
|
|
1
|
+
# sourcecode — P1.5 Credibility Audit
|
|
2
|
+
**Adversarial audit against real enterprise Java repos. No synthetic fixtures.**
|
|
3
|
+
|
|
4
|
+
Version audited: 1.31.17
|
|
5
|
+
Date: 2026-05-24
|
|
6
|
+
Repos: `~/Documents/workspace/keycloak` (7885 Java files, 18K+ commits), `~/Documents/workspace/BroadleafCommerce` (2985 Java files, 18K+ commits)
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## 1. Executive Summary
|
|
11
|
+
|
|
12
|
+
`sourcecode` delivers real, non-trivial value for Java/Spring enterprise codebases. The compact/agent scan, cache system, event flow detection, and transactional boundary extraction are genuinely useful. The `review-pr --format github-comment` output is above MVP and commercially differentiated.
|
|
13
|
+
|
|
14
|
+
**But the core `impact` command has a P0 correctness bug** that fundamentally undermines the product's main claim: for implementation classes (the natural query for a developer), it returns 0 callers with `confidence_level: high`. This is systematically wrong — the worst possible failure mode.
|
|
15
|
+
|
|
16
|
+
**Verdict:** `trust with caveats` — solid foundation, monetizable with specific fixes. Not yet safe to pitch as "AI-ready change intelligence" without fixing P0 and P1 issues.
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## 2. Methodology
|
|
21
|
+
|
|
22
|
+
- `sourcecode --help` + all sub-command `--help` reviewed
|
|
23
|
+
- `sourcecode --compact`, `--agent`, `--format yaml` on both repos (cold + cached)
|
|
24
|
+
- `sourcecode endpoints` on both repos with path quality analysis
|
|
25
|
+
- `sourcecode impact` on: impl classes, interface classes, nonexistent targets, high-fan-in annotation classes
|
|
26
|
+
- `sourcecode onboard`, `fix-bug`, `modernize`, `review-pr` on both repos
|
|
27
|
+
- `sourcecode repo-ir --summary-only` and `--max-nodes 200 --max-edges 500`
|
|
28
|
+
- `sourcecode prepare-context` vs standalone aliases (diff comparison)
|
|
29
|
+
- Cache behavior: cold→warm timing, determinism (same output across runs)
|
|
30
|
+
- Error handling: invalid refs, missing targets, wrong flag combos
|
|
31
|
+
- Flag consistency audit across all commands
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## 3. Repo-by-Repo Findings
|
|
36
|
+
|
|
37
|
+
### Keycloak (7885 Java files — major IAM server, Quarkus/Jakarta EE)
|
|
38
|
+
|
|
39
|
+
**What worked:**
|
|
40
|
+
- Stack: correctly detected Quarkus + Jakarta EE + Vert.x + Node.js secondary
|
|
41
|
+
- Bootstrap entry points: correct (KeycloakMain, QuarkusKeycloakApplication, Main)
|
|
42
|
+
- 693 JAX-RS endpoints extracted from annotations
|
|
43
|
+
- Dependency list accurate (Jackson, WebAuthn4j, OpenTelemetry, FIPS providers, etc.)
|
|
44
|
+
- javax-to-jakarta migration risk flag correctly raised
|
|
45
|
+
- Cold scan `--compact`: 9s. Cached: 0.27s (~33x speedup)
|
|
46
|
+
- `fix-bug --symptom "OIDC token refresh fails after realm update"`: correct files surfaced (OIDCLoginProtocolService, RefreshTokenGrantType, RefreshTokenGrantTypeFactory). Budget trimmed 204KB → 15KB — safety net works.
|
|
47
|
+
- Spring profile `rhbk` (Red Hat's Keycloak fork) detected from env_vars
|
|
48
|
+
|
|
49
|
+
**What failed:**
|
|
50
|
+
- `project_type: "fullstack"` — Keycloak is an IAM **server product**, not a generic fullstack app
|
|
51
|
+
- `project_summary` copied from README ("Add authentication to applications...") — describes what Keycloak does for *users*, not what the *codebase does architecturally*
|
|
52
|
+
- `bounded_contexts: ["keycloak"]` — too generic; Keycloak has clear subsystem boundaries (oidc, saml, federation, authz, admin, operator)
|
|
53
|
+
- `entry_points.security` mixes SPI implementations (CredentialProvider, AuthenticatorFactory) with actual security filters — different concerns in same bucket
|
|
54
|
+
- `DefaultKeycloakSession` impact: **2 direct callers** (should be hundreds — injected via `KeycloakSession` interface everywhere). P0 bug.
|
|
55
|
+
- `KeycloakSession` interface impact: 1992 direct callers found but `indirect_callers: 0` — BFS exhausts at level 1 on very large fan-out
|
|
56
|
+
- Short JAX-RS paths (`/{id}`, `/sessions`) — sub-resource paths not composed with parent `@Path`
|
|
57
|
+
- `fix-bug` cold: 23s — slowest workflow, too slow for CI integration
|
|
58
|
+
- `no_security_signal: 693` for all endpoints — Keycloak uses JAX-RS filter security; metric provides zero signal
|
|
59
|
+
|
|
60
|
+
### BroadleafCommerce (2985 Java files — e-commerce framework, Spring Boot)
|
|
61
|
+
|
|
62
|
+
**What worked:**
|
|
63
|
+
- Stack: correctly detected Spring Boot + Spring MVC + Spring Security + Spring LDAP + Spring AOP
|
|
64
|
+
- Security filter chain detected (SecurityFilter, CsrfFilter, SecurityBasedIgnoreFilter)
|
|
65
|
+
- `transactional_boundaries`: 29 classes correctly identified (OrderServiceImpl, OrderDaoImpl, OfferServiceImpl, etc.)
|
|
66
|
+
- Event flow: listeners, publishers, event types correctly extracted (CustomerPersistedEvent, OrderPersistedEvent, TransactionLifecycleEvent)
|
|
67
|
+
- Cache: 2.9s cold → 0.2s cached (~13x speedup)
|
|
68
|
+
- Dependency extraction with version info and risk flags correct
|
|
69
|
+
- review-pr: `HEAD~3` diff correctly identified 3 source changes + 13 build manifest changes
|
|
70
|
+
- review-pr invalid ref: structured JSON error with available branch list
|
|
71
|
+
|
|
72
|
+
**What failed:**
|
|
73
|
+
- `project_type: "api"` — BroadleafCommerce is an e-commerce **framework**, not a generic REST API
|
|
74
|
+
- `project_summary` lifted from README license notice ("Available to companies with under $5M in revenue...") — license blurb, not architecture summary
|
|
75
|
+
- `bounded_contexts: ["dto", "file"]` — WRONG. Real bounded contexts: Order, Catalog, Customer, CMS, Offer/Pricing
|
|
76
|
+
- `OrderServiceImpl` impact: **0 callers, risk_level: low, confidence_level: high** — WRONG. Most central class in order system; 43+ dependent files
|
|
77
|
+
- `OrderDaoImpl` impact: **0 callers, risk_level: high** — same 0-caller root cause, different risk level. Inconsistent behavior from same bug.
|
|
78
|
+
- 58 endpoint paths with colon notation (`/product:product`, `/bundle:bundle/{id}`) — unresolved constant expressions in annotations
|
|
79
|
+
- 20 endpoint paths that are FQN class names (`/org.broadleafcommerce.core.search.domain.FieldImpl`) — Broadleaf admin dynamic routing, not real REST paths
|
|
80
|
+
- `hotspot_candidates: []` despite 18K+ commits — git churn not used in hotspot analysis
|
|
81
|
+
- `cross_module_tangles: []` — 8 subsystems with known coupling, algorithm detects nothing
|
|
82
|
+
- `no_security_signal: 130` — Broadleaf uses XML-based security and custom AdminSecurityFilter; annotation detection returns nothing
|
|
83
|
+
- `entry_points.controllers: {methods: 21}` vs `endpoints` finding 130 — unexplained discrepancy
|
|
84
|
+
|
|
85
|
+
---
|
|
86
|
+
|
|
87
|
+
## 4. Core Engine Correctness
|
|
88
|
+
|
|
89
|
+
### Endpoint Extraction
|
|
90
|
+
|
|
91
|
+
| Metric | Keycloak | Broadleaf |
|
|
92
|
+
|--------|----------|-----------|
|
|
93
|
+
| Endpoints found | 693 | 130 |
|
|
94
|
+
| Controller/handler present | ✓ | ✓ |
|
|
95
|
+
| Paths fully composed (parent + child) | Partial | Partial |
|
|
96
|
+
| Paths with annotation constant issues | ~0 | 58 (colons) |
|
|
97
|
+
| FQN class name paths (dynamic routing) | 0 | 20 |
|
|
98
|
+
| Security signal useful | ✗ (filter-based) | ✗ (XML+filter) |
|
|
99
|
+
|
|
100
|
+
**JAX-RS sub-resource paths:** Methods with `@GET/@POST` inside a `@Path`-annotated class extract only the method-level path. Parent path not composed → incomplete, ambiguous paths.
|
|
101
|
+
|
|
102
|
+
**Spring MVC constant expressions:** `@RequestMapping("/" + CONST_A + ":" + CONST_B)` → extracted as `/product:product`. Tool resolves string constants but the resulting path is unintelligible as a REST URL without domain knowledge.
|
|
103
|
+
|
|
104
|
+
### Impact Analysis — THE KEY FINDING
|
|
105
|
+
|
|
106
|
+
**P0 Bug: Spring DI interface-injection blindness**
|
|
107
|
+
|
|
108
|
+
When `OrderServiceImpl implements OrderService` and all callers inject `@Autowired OrderService orderService`:
|
|
109
|
+
|
|
110
|
+
```
|
|
111
|
+
sourcecode impact OrderServiceImpl /BroadleafCommerce
|
|
112
|
+
→ direct_callers: 0, risk_level: low, confidence_level: HIGH
|
|
113
|
+
|
|
114
|
+
sourcecode impact OrderService /BroadleafCommerce
|
|
115
|
+
→ direct_callers: 30, indirect_callers: 50, endpoints_affected: 11, risk_level: high
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
This pattern is universal in Spring and Java DI: callers inject the interface, not the impl. Querying impl classes returns wrong answers. The tool documents this ("Target interfaces, not implementations"), but:
|
|
119
|
+
|
|
120
|
+
1. `confidence_level: high` for the wrong 0-caller answer is the worst possible failure mode — a developer gets high-confidence garbage
|
|
121
|
+
2. The natural query is the class name you're editing, which is the impl
|
|
122
|
+
3. The tool should detect `@Service`/`@Repository` impls and warn/auto-redirect
|
|
123
|
+
|
|
124
|
+
**Risk score inconsistency from same root cause:**
|
|
125
|
+
- `OrderServiceImpl`: 0 callers → risk_level: **low** (no heuristic applies)
|
|
126
|
+
- `OrderDaoImpl`: 0 callers → risk_level: **high** (persistence path heuristic: "15 persistence paths in blast cone")
|
|
127
|
+
|
|
128
|
+
Both return 0 callers for the same Spring DI reason. They get different risk levels based on which heuristics fire. A developer comparing both would incorrectly conclude `OrderDaoImpl` is riskier.
|
|
129
|
+
|
|
130
|
+
**What works in impact:**
|
|
131
|
+
- Interface targets: accurate (OrderService: 30 direct, 50 indirect, 11 endpoints — matches grep-based verification of ~43 dependent files)
|
|
132
|
+
- Annotation classes: accurate (AdminPresentationClass: 278 found vs 285 actual in_degree — 2.4% gap)
|
|
133
|
+
- Nonexistent target: clean `{resolution: "not_found"}` response
|
|
134
|
+
- High fan-in interfaces: KeycloakSession 1992 direct callers correctly found
|
|
135
|
+
|
|
136
|
+
### Confidence Scoring Inconsistency
|
|
137
|
+
|
|
138
|
+
compact: `sections.architecture = "low"`, factor: `"architecture.confidence=low → overall capped at medium"`
|
|
139
|
+
agent: `sections.architecture = "medium"`, factor: `"architecture.confidence=medium → downgraded"`
|
|
140
|
+
|
|
141
|
+
Same repo (Broadleaf), different confidence levels between compact and agent modes. Schema inconsistency.
|
|
142
|
+
|
|
143
|
+
---
|
|
144
|
+
|
|
145
|
+
## 5. Performance / Scale
|
|
146
|
+
|
|
147
|
+
| Command | Keycloak (7885 files) | Broadleaf (2985 files) |
|
|
148
|
+
|---------|-----------------------|------------------------|
|
|
149
|
+
| `--compact` cold | 9.0s | 2.9s |
|
|
150
|
+
| `--compact` cached | 0.27s | 0.20s |
|
|
151
|
+
| `--agent` cold | 17s | 7.3s |
|
|
152
|
+
| `impact interface` | ~12s | 5.9s |
|
|
153
|
+
| `fix-bug` cold | **23s** | 8.8s |
|
|
154
|
+
| `onboard` cold | n/a | 6.7s |
|
|
155
|
+
| `modernize` cold | n/a | 5.5s |
|
|
156
|
+
| `repo-ir --summary-only` | 12s | 5.4s |
|
|
157
|
+
| Cache speedup | ~33x | ~13x |
|
|
158
|
+
|
|
159
|
+
**`repo-ir --max-nodes 200 --max-edges 500`:** Output = **3,948,466 bytes / 987K tokens**. The flags only bound `graph.nodes/edges`. `reverse_graph` (3MB for 2685 hubs) is entirely unbounded.
|
|
160
|
+
|
|
161
|
+
**Token sizes (measured):**
|
|
162
|
+
|
|
163
|
+
| Output mode | Broadleaf | Keycloak |
|
|
164
|
+
|-------------|-----------|----------|
|
|
165
|
+
| `--compact` | 2,856 | 4,031 |
|
|
166
|
+
| `--agent` | 4,769 | 5,499 |
|
|
167
|
+
| `onboard` | 2,564 | n/a |
|
|
168
|
+
| `fix-bug` (trimmed) | 27,653 | 4,648 |
|
|
169
|
+
| `fix-bug` (raw before trim) | ~24,500 | ~51,000 |
|
|
170
|
+
| `repo-ir --summary-only` | 19,756 | 16,885 |
|
|
171
|
+
| `repo-ir --max-nodes 200` | **987,116** | n/a |
|
|
172
|
+
|
|
173
|
+
The budget trimming in fix-bug is a real safety net (204KB → 15KB for Keycloak). The concern is the 204KB raw size — if the budget check ever fails, LLM context floods.
|
|
174
|
+
|
|
175
|
+
---
|
|
176
|
+
|
|
177
|
+
## 6. Workflow Audit
|
|
178
|
+
|
|
179
|
+
### `onboard` — MVP correct
|
|
180
|
+
**Signal:** 26 relevant files, entry points, transactional boundaries, gaps.
|
|
181
|
+
**Issues:** `project_summary` from README blurb. `relevant_files` has no `score` field. Gaps section too generic.
|
|
182
|
+
**Rating:** MVP correct — useful, not polished.
|
|
183
|
+
|
|
184
|
+
### `impact` — below MVP for impl classes
|
|
185
|
+
**Signal:** Correct for interfaces. Wrong with high confidence for impls.
|
|
186
|
+
**Issues:** P0 bug. See Section 4. The main claim breaks for 95% of developer queries.
|
|
187
|
+
**Rating:** Below MVP for primary use case.
|
|
188
|
+
|
|
189
|
+
### `fix-bug` — above MVP for specific symptoms
|
|
190
|
+
**Signal:** Good file ranking for keyword-rich symptoms. Budget trimming works.
|
|
191
|
+
**Issues:** 426 files returned for generic NPE symptom in 2985-file repo. No score field in relevant_files. 23s cold on Keycloak.
|
|
192
|
+
**Rating:** Above MVP for specific symptoms, MVP for generic ones.
|
|
193
|
+
|
|
194
|
+
### `review-pr` — above MVP
|
|
195
|
+
**Signal:** Excellent `github-comment` format with epistemic labels. Correctly separates build manifest from source changes.
|
|
196
|
+
**Issues:** `classification_confidence: low` for simple 3-file validator PRs. Validator role not detected.
|
|
197
|
+
**Rating:** Above MVP. The github-comment format is the strongest differentiator in the product.
|
|
198
|
+
|
|
199
|
+
### `modernize` — MVP only
|
|
200
|
+
**Signal:** `high_coupling_nodes` correctly identifies high-fan-in classes. Dead zone candidates plausible.
|
|
201
|
+
**Issues:** `hotspot_candidates: []` always. `cross_module_tangles: []`. `role: unknown` for all nodes.
|
|
202
|
+
**Rating:** MVP only.
|
|
203
|
+
|
|
204
|
+
### `repo-ir --summary-only` — MVP correct
|
|
205
|
+
**Signal:** Spring events, route surface, impact.ranked_nodes all present.
|
|
206
|
+
**Issues:** 19K tokens even in summary mode. `reverse_graph_note: "showing 10/2685 hubs"` — correctly bounded in summary mode.
|
|
207
|
+
**Rating:** MVP correct for `--summary-only`. Use without it only with `--files`.
|
|
208
|
+
|
|
209
|
+
### `prepare-context` vs top-level aliases
|
|
210
|
+
Output is **byte-for-byte identical** to `sourcecode onboard`, `sourcecode fix-bug`, etc. (verified by diff). Documented in README but creates confusing dual API surface.
|
|
211
|
+
|
|
212
|
+
---
|
|
213
|
+
|
|
214
|
+
## 7. CLI / UX Audit
|
|
215
|
+
|
|
216
|
+
**Flag inconsistency:**
|
|
217
|
+
- `--format yaml`: main command ✓, endpoints ✓, repo-ir ✓. `impact` ✗, `onboard` ✗, `fix-bug` ✗, `review-pr` ✗, `modernize` ✗
|
|
218
|
+
- `--no-cache`: main command ✓. `endpoints` ✗, `impact` ✗, task commands ✗
|
|
219
|
+
|
|
220
|
+
**`--deep` flag:** Referenced in output (`"Use --deep for up to 80 files"`) but absent from `--help` and README. Hidden feature.
|
|
221
|
+
|
|
222
|
+
**Error messages:**
|
|
223
|
+
- Nonexistent target: clean JSON `{resolution: "not_found"}` ✓
|
|
224
|
+
- Invalid git ref: structured JSON with available branch hints ✓
|
|
225
|
+
- `--compact --full` mutual exclusion: clear plain text ✓
|
|
226
|
+
- `--format yaml` on `impact`: generic Click error ✗
|
|
227
|
+
|
|
228
|
+
**Schema stability issues:**
|
|
229
|
+
- `truncated: None` (absent) vs `truncated: false` (explicit) — prefer always explicit boolean
|
|
230
|
+
- `impact.direct_callers` list truncated to 30 without adjacent count — actual count in `stats.direct_caller_count` and `explanation` text only
|
|
231
|
+
- Architecture confidence different between `--compact` and `--agent` modes for same repo
|
|
232
|
+
|
|
233
|
+
**--help token claim:**
|
|
234
|
+
- `--compact --help`: "typically 1000–3000 tokens"
|
|
235
|
+
- README quickstart: "typically 2000–4000 tokens"
|
|
236
|
+
- Measured: 2856–4031 for these repos
|
|
237
|
+
|
|
238
|
+
---
|
|
239
|
+
|
|
240
|
+
## 8. LLM / Agent Readiness
|
|
241
|
+
|
|
242
|
+
**Safe to inject into LLM context:**
|
|
243
|
+
- `--compact`: 2856–4031 tokens ✓
|
|
244
|
+
- `--agent`: 4769–5499 tokens ✓
|
|
245
|
+
- `onboard`: ~2564 tokens ✓
|
|
246
|
+
- `fix-bug` (Keycloak, after trim): 4648 tokens ✓
|
|
247
|
+
- `review-pr`: 2720 tokens ✓
|
|
248
|
+
|
|
249
|
+
**NOT safe without `--summary-only` or `--files`:**
|
|
250
|
+
- `repo-ir`: can exceed 987K tokens
|
|
251
|
+
- `fix-bug` raw before budget: 51K tokens (Keycloak), 24K (Broadleaf)
|
|
252
|
+
|
|
253
|
+
**Agent signal quality:**
|
|
254
|
+
- `confidence_summary.factors` with machine-readable explanations: ✓
|
|
255
|
+
- `analysis_gaps` with `area` + `reason` + `impact`: ✓
|
|
256
|
+
- `ci_decision` in `review-pr`: ✓
|
|
257
|
+
- `suggested_review_order` in `review-pr`: ✓
|
|
258
|
+
- `relevant_files` with score: ✗ (missing — agent can't weight files)
|
|
259
|
+
- Determinism: ✓ (same output across repeated runs)
|
|
260
|
+
- Structured failures (JSON errors, not stack traces): ✓
|
|
261
|
+
|
|
262
|
+
---
|
|
263
|
+
|
|
264
|
+
## 9. Bugs & Inconsistencies
|
|
265
|
+
|
|
266
|
+
### P0 — Critical Correctness
|
|
267
|
+
|
|
268
|
+
**BUG-P0-01: `impact` returns 0 callers for Spring impl classes with high confidence**
|
|
269
|
+
- Command: `sourcecode impact OrderServiceImpl /BroadleafCommerce`
|
|
270
|
+
- Observed: `direct_callers: [], risk_level: "low", confidence_level: "high"`
|
|
271
|
+
- Expected: 30+ direct callers via interface, risk_level: high
|
|
272
|
+
- Root cause: Graph traces direct import edges only. When callers inject via `OrderService` interface, `OrderServiceImpl` has zero incoming edges.
|
|
273
|
+
- Risk: High-confidence wrong answer before risky refactors = missed blast radius = production incidents.
|
|
274
|
+
- Fix: Detect `@Service`/`@Component`/`@Repository` impls with 0 callers and their interfaces. Auto-merge interface impact OR emit warning: `"0 callers found — callers of interface OrderService: 30. Run: sourcecode impact OrderService"`
|
|
275
|
+
|
|
276
|
+
**BUG-P0-02: `repo-ir --max-nodes N --max-edges N` does not bound output**
|
|
277
|
+
- Command: `sourcecode repo-ir /BroadleafCommerce --max-nodes 200 --max-edges 500`
|
|
278
|
+
- Observed: 3,948,466 bytes / 987K tokens
|
|
279
|
+
- Root cause: Flags only limit `graph.nodes/edges`. `reverse_graph` (3,092KB for 2685 hubs × 20 callers) is unaffected.
|
|
280
|
+
- Risk: LLM context overflow. Users expecting size control get none.
|
|
281
|
+
- Fix: Apply limits to `reverse_graph` hubs as well, OR rename flags to `--max-graph-nodes`/`--max-graph-edges` and document the gap clearly.
|
|
282
|
+
|
|
283
|
+
### P1 — High Severity
|
|
284
|
+
|
|
285
|
+
**BUG-P1-01: Risk score inconsistency for same 0-caller root cause**
|
|
286
|
+
- `OrderServiceImpl`: 0 callers → risk_level: **low** (no heuristic)
|
|
287
|
+
- `OrderDaoImpl`: 0 callers → risk_level: **high** (persistence path heuristic)
|
|
288
|
+
- Both have 0 callers for identical Spring DI reason. Different risk levels from different heuristics.
|
|
289
|
+
- Fix: When `direct_callers = 0` and class is a Spring impl, suppress confidence and add a gap annotation.
|
|
290
|
+
|
|
291
|
+
**BUG-P1-02: `project_summary` copies README license/marketing text**
|
|
292
|
+
- Broadleaf: `"Available to companies with under $5M in revenue — it is not an Apache 2 open source product"`
|
|
293
|
+
- Keycloak: `"Add authentication to applications and secure services with minimum effort"`
|
|
294
|
+
- These are first lines of READMEs — license/marketing, not architecture.
|
|
295
|
+
- Fix: Generate from code structure: `"N-module Spring Boot framework — M Java classes, K REST endpoints, J transactional boundaries"`.
|
|
296
|
+
|
|
297
|
+
**BUG-P1-03: `fix-bug` returns 426 relevant files for generic NPE symptom in 2985-file repo**
|
|
298
|
+
- 14% of all Java files flagged as relevant
|
|
299
|
+
- No `score` field — agent can't prioritize
|
|
300
|
+
- Fix: Cap at 20 files when symptom is generic (low keyword specificity). Add `score` field.
|
|
301
|
+
|
|
302
|
+
**BUG-P1-04: `indirect_callers: 0` for KeycloakSession with 1992 direct callers**
|
|
303
|
+
- BFS appears to exhaust budget at level 1, never computes level 2+ transitive callers
|
|
304
|
+
- Fix: Sample BFS on very large fan-out targets, or document behavior explicitly.
|
|
305
|
+
|
|
306
|
+
**BUG-P1-05: Keycloak `fix-bug` 23s cold**
|
|
307
|
+
- Broadleaf: 8.8s. Keycloak 7885 files: 23s.
|
|
308
|
+
- Marginal for interactive use, problematic for CI gates.
|
|
309
|
+
- Fix: Profile hotpath. Consider `--fast` flag for fix-bug (exists in prepare-context but not fix-bug).
|
|
310
|
+
|
|
311
|
+
### P2 — Medium Severity
|
|
312
|
+
|
|
313
|
+
**BUG-P2-01: `bounded_contexts` wrong for both repos**
|
|
314
|
+
- Keycloak: `["keycloak"]` — one name for a multi-subsystem IAM server
|
|
315
|
+
- Broadleaf: `["dto", "file"]` — utility packages, not domain contexts
|
|
316
|
+
- Fix: Use Maven module names as primary signal for bounded context detection.
|
|
317
|
+
|
|
318
|
+
**BUG-P2-02: `role: unknown` for all `modernize.high_coupling_nodes`**
|
|
319
|
+
- All 20 nodes including annotation types, interfaces, domain entities have `role: "unknown"`
|
|
320
|
+
- Fix: Detect `@interface` (annotation), `interface`, `@Entity`, `@Service`, etc. from source.
|
|
321
|
+
|
|
322
|
+
**BUG-P2-03: `no_security_signal` always 100% for filter-based security**
|
|
323
|
+
- Both repos: all endpoints flagged despite being secured (via filter/XML config)
|
|
324
|
+
- Metric provides zero signal for the most common enterprise Java security pattern
|
|
325
|
+
- Fix: Detect `WebSecurityConfigurerAdapter`, `SecurityConfig`, custom `Filter` impls. When present, change metric to `security_model: "filter_based"`.
|
|
326
|
+
|
|
327
|
+
**BUG-P2-04: JAX-RS sub-resource paths not composed with parent `@Path`**
|
|
328
|
+
- Keycloak: `GET /{id}`, `/sessions` instead of `/admin/realms/{realm}/clients/{id}`
|
|
329
|
+
- Fix: Compose method `@Path` with class-level `@Path` during extraction.
|
|
330
|
+
|
|
331
|
+
**BUG-P2-05: Broadleaf admin framework paths mixed with REST endpoints**
|
|
332
|
+
- 20 paths with FQN class names (`/org.broadleafcommerce.core.search.domain.FieldImpl`)
|
|
333
|
+
- 58 paths with colon notation from constant concatenation (`/product:product`)
|
|
334
|
+
- Fix: Flag paths containing dots or colons (outside `{var}` segments) as `routing_type: "admin_framework"`.
|
|
335
|
+
|
|
336
|
+
**BUG-P2-06: Architecture confidence inconsistent between `--compact` and `--agent`**
|
|
337
|
+
- Same repo, different architecture confidence (low in compact, medium in agent)
|
|
338
|
+
- Fix: Unify architecture confidence calculation regardless of output mode.
|
|
339
|
+
|
|
340
|
+
**BUG-P2-07: `entry_points.controllers.methods: 21` vs `endpoints` finding 130**
|
|
341
|
+
- Unexplained discrepancy for same repo
|
|
342
|
+
- Fix: Align or explain the difference.
|
|
343
|
+
|
|
344
|
+
**BUG-P2-08: `--format` and `--no-cache` inconsistently available**
|
|
345
|
+
- `--format`: works on main/endpoints/repo-ir, fails on impact/onboard/fix-bug/modernize
|
|
346
|
+
- `--no-cache`: works on main, fails on all subcommands
|
|
347
|
+
- Fix: Add consistently to all commands, or document the restriction.
|
|
348
|
+
|
|
349
|
+
### Cosmetic
|
|
350
|
+
|
|
351
|
+
- Code notes URLs truncated: `"s.webkit.org/..."` instead of `"https://bugs.webkit.org/..."`
|
|
352
|
+
- `truncated: None` (absent key) vs `truncated: false` (explicit boolean) — prefer always explicit
|
|
353
|
+
- `run_id` in task outputs — purpose undocumented
|
|
354
|
+
- `direct_callers` list truncated to 30 without adjacent count field
|
|
355
|
+
- `--compact --help` says "1000–3000 tokens", README says "2000–4000 tokens" — inconsistent
|
|
356
|
+
- `--deep` flag referenced in output but absent from `--help` and README
|
|
357
|
+
|
|
358
|
+
---
|
|
359
|
+
|
|
360
|
+
## 10. Good / Bad / Ugly
|
|
361
|
+
|
|
362
|
+
### The Good
|
|
363
|
+
- Cache system: 13–33x speedup, content-hash keyed, deterministic
|
|
364
|
+
- Spring event flow detection: listeners + publishers + event types
|
|
365
|
+
- Transactional boundary detection: 29 Broadleaf classes correctly identified
|
|
366
|
+
- javax-to-jakarta migration risk flags
|
|
367
|
+
- `review-pr --format github-comment`: epistemic labels (FACT / STRUCTURAL SIGNAL / INFERRED / OMITTED)
|
|
368
|
+
- Structured error responses (JSON errors with recovery hints)
|
|
369
|
+
- fix-bug budget trimming (204KB → 15KB safety net works)
|
|
370
|
+
- Interface impact accuracy (~97.6% of actual in_degree for annotation classes)
|
|
371
|
+
- Deterministic: same output across repeated runs
|
|
372
|
+
|
|
373
|
+
### The Bad
|
|
374
|
+
- `impact` on impl classes: 0 callers with high confidence — the core value prop fails for natural queries
|
|
375
|
+
- `project_summary` from README blurb — zero architectural intelligence
|
|
376
|
+
- `bounded_contexts` detection wrong for both repos
|
|
377
|
+
- `hotspot_candidates: []` always for annotation-heavy repos
|
|
378
|
+
- `repo-ir` size explosion with `--max-nodes/edges`
|
|
379
|
+
|
|
380
|
+
### The Ugly
|
|
381
|
+
- Risk score diverges for same bug: `OrderServiceImpl` → low, `OrderDaoImpl` → high. Same root cause, opposite conclusions.
|
|
382
|
+
- `indirect_callers: 0` for KeycloakSession (1992 direct callers). BFS stops at level 1. An LLM given this would underestimate transitive impact.
|
|
383
|
+
- 24% of Broadleaf endpoints are non-REST paths mixed into the list without differentiation.
|
|
384
|
+
|
|
385
|
+
---
|
|
386
|
+
|
|
387
|
+
## 11. What Works Above MVP
|
|
388
|
+
|
|
389
|
+
1. Cache system (13–33x speedup, content-hash keyed)
|
|
390
|
+
2. Spring event flow detection
|
|
391
|
+
3. Transactional boundary detection with class names
|
|
392
|
+
4. javax-to-jakarta migration risk flag
|
|
393
|
+
5. `review-pr --format github-comment` with epistemic labels
|
|
394
|
+
6. Structured JSON error responses
|
|
395
|
+
7. fix-bug budget trimming
|
|
396
|
+
8. Interface impact accuracy (~97.6% for annotation classes)
|
|
397
|
+
9. Deterministic, cacheable outputs
|
|
398
|
+
10. review-pr: build manifest vs source file differentiation
|
|
399
|
+
|
|
400
|
+
---
|
|
401
|
+
|
|
402
|
+
## 12. What Is MVP Only
|
|
403
|
+
|
|
404
|
+
1. Stack detection
|
|
405
|
+
2. Entry point detection (bootstrap files)
|
|
406
|
+
3. compact/agent onboarding
|
|
407
|
+
4. YAML output format
|
|
408
|
+
5. Spring MVC endpoint extraction
|
|
409
|
+
6. Dependency extraction with versions
|
|
410
|
+
7. Code notes extraction (TODO/BUG/FIXME)
|
|
411
|
+
8. review-pr JSON format
|
|
412
|
+
9. onboard workflow
|
|
413
|
+
|
|
414
|
+
---
|
|
415
|
+
|
|
416
|
+
## 13. What Is Below MVP
|
|
417
|
+
|
|
418
|
+
1. `impact` on impl classes (P0)
|
|
419
|
+
2. `repo-ir` size control with `--max-nodes/edges` (P0)
|
|
420
|
+
3. `hotspot_candidates` — always empty in annotation-heavy repos
|
|
421
|
+
4. `bounded_contexts` detection — wrong for both repos
|
|
422
|
+
5. JAX-RS sub-resource path composition
|
|
423
|
+
6. `no_security_signal` for filter-based security projects
|
|
424
|
+
7. `project_summary` generation for enterprise codebases
|
|
425
|
+
|
|
426
|
+
---
|
|
427
|
+
|
|
428
|
+
## 14. Market Differentiation
|
|
429
|
+
|
|
430
|
+
### What pain does `sourcecode` actually solve?
|
|
431
|
+
|
|
432
|
+
**Blast radius blindness in Java monoliths.** Senior engineers spend 30-60 minutes per PR doing manual blast radius assessment. `sourcecode impact` collapses this to seconds — when it works (interface targets): 30 direct callers, 50 indirect, 11 endpoints in 6 seconds.
|
|
433
|
+
|
|
434
|
+
**New engineer/agent ramp-up in 7885-file codebases.** `sourcecode onboard` produces a bounded, structured context bundle — the right answer in seconds, not hours of grepping.
|
|
435
|
+
|
|
436
|
+
**LLM context preparation for Java repos.** AI agents working on Java monoliths fail from context overflow. `sourcecode` pre-selects highest-signal files and produces bounded JSON. The fix-bug 204KB → 15KB trim is a concrete example.
|
|
437
|
+
|
|
438
|
+
### What alternatives don't provide
|
|
439
|
+
|
|
440
|
+
| Alternative | What it misses |
|
|
441
|
+
|-------------|---------------|
|
|
442
|
+
| grep / find | No structure, no graph, no ranking |
|
|
443
|
+
| IDE navigation | Interactive only; not scriptable; not AI-ready |
|
|
444
|
+
| LSP (Java Language Server) | Requires JVM; slow startup; no bounded JSON output |
|
|
445
|
+
| SonarQube | Static quality analysis, not change intelligence |
|
|
446
|
+
| GitHub code search | No impact graph; no transactional awareness |
|
|
447
|
+
| MCP wrappers | Dumps raw files; no pre-selection; no bounded signal |
|
|
448
|
+
|
|
449
|
+
`sourcecode` uniquely combines: static Java graph analysis + bounded AI-ready output + change impact + transactional awareness. No direct competitor produces this combination in sub-10-second cold scans.
|
|
450
|
+
|
|
451
|
+
**The gap:** The P0 impl-class impact bug makes the strongest claim ("what breaks if I change X?") unreliable for the majority of queries in Spring codebases. Fix this and the differentiation holds.
|
|
452
|
+
|
|
453
|
+
---
|
|
454
|
+
|
|
455
|
+
## 15. Concrete Corrections Recommended
|
|
456
|
+
|
|
457
|
+
**Priority 1 (fix before enterprise pitch):**
|
|
458
|
+
1. `impact`: Detect `@Service`/`@Repository` impl with 0 callers → auto-run on interfaces OR warn with: `"0 callers found — callers of interface OrderService: 30. Consider: sourcecode impact OrderService"`
|
|
459
|
+
2. `repo-ir`: Apply `--max-nodes/edges` limits to `reverse_graph` hubs as well, OR document clearly.
|
|
460
|
+
3. `project_summary`: Generate from code structure, not README. Template: `"[N-module Spring Boot/Quarkus] — [M] Java classes, [K] REST endpoints, [J] transactional boundaries."`
|
|
461
|
+
|
|
462
|
+
**Priority 2 (improve credibility):**
|
|
463
|
+
4. When `direct_callers = 0` and class is Spring impl: lower `confidence_level` to medium and add gap: `"impl class — consider targeting interface for full caller graph."`
|
|
464
|
+
5. `bounded_contexts`: Use Maven module names as primary signal.
|
|
465
|
+
6. `no_security_signal`: Detect filter-based security. Change to `security_model: "filter_based"` + note.
|
|
466
|
+
7. `modernize.hotspot_candidates`: Use git churn (`git log --follow --name-only`) combined with coupling degree.
|
|
467
|
+
8. `modernize.high_coupling_nodes.role`: Classify annotation types, interfaces, entities — never return `"unknown"`.
|
|
468
|
+
|
|
469
|
+
**Priority 3 (polish):**
|
|
470
|
+
9. Add `score` field to `relevant_files` in all task outputs.
|
|
471
|
+
10. Add `direct_callers_count` alongside `direct_callers` list.
|
|
472
|
+
11. Add `--format`/`--no-cache` consistently to all commands.
|
|
473
|
+
12. Fix URL truncation in code_notes.
|
|
474
|
+
13. Fix `truncated: None` → always explicit `truncated: false`.
|
|
475
|
+
14. Add `--deep` to `--help` output.
|
|
476
|
+
15. Unify architecture confidence between `--compact` and `--agent`.
|
|
477
|
+
16. Align `entry_points.controllers.methods` with `sourcecode endpoints` count.
|
|
478
|
+
17. Fix `--compact --help` vs README token count inconsistency (claim: 1000-3000, measured: 2856-4031).
|
|
479
|
+
|
|
480
|
+
---
|
|
481
|
+
|
|
482
|
+
## 16. High-Leverage Feature Opportunities
|
|
483
|
+
|
|
484
|
+
**Interface → impl resolution** (extends the P0 fix):
|
|
485
|
+
Auto-detect interface when user targets impl. Present: "Direct callers of impl: 0. Via interface: 30. Using interface results." Makes impact correct by default.
|
|
486
|
+
|
|
487
|
+
**Git churn coupling (hotspot 2.0):**
|
|
488
|
+
Combine temporal coupling (files changed together in same commit), static import coupling, and fan-in degree. "Change risk index" per file. Monetizable as continuous CI/CD signal.
|
|
489
|
+
|
|
490
|
+
**PR risk score:**
|
|
491
|
+
Single `risk_score: 0–100` from: blast radius of changed classes + test coverage + transactional boundaries touched + security surface changes. CI gate in one field.
|
|
492
|
+
|
|
493
|
+
**Dead code confidence:**
|
|
494
|
+
Combine git recency + zero import edges + no test pair → confidence-scored dead code. Flat list vs scored list — the latter is actionable.
|
|
495
|
+
|
|
496
|
+
**Security surface change detection:**
|
|
497
|
+
Flag when a PR modifies a class in the security filter chain or a direct caller of security-annotated endpoints.
|
|
498
|
+
|
|
499
|
+
**Transactional lineage:**
|
|
500
|
+
For each `@Transactional` class, show which JPA entities and queries it coordinates. Critical for data corruption bug triage.
|
|
501
|
+
|
|
502
|
+
---
|
|
503
|
+
|
|
504
|
+
## 17. Final Verdict
|
|
505
|
+
|
|
506
|
+
| Dimension | Rating |
|
|
507
|
+
|-----------|--------|
|
|
508
|
+
| Core correctness (interface targets) | ✓ Strong |
|
|
509
|
+
| Core correctness (impl targets) | ✗ P0 bug |
|
|
510
|
+
| Performance | ✓ Acceptable |
|
|
511
|
+
| Boundedness (compact/agent) | ✓ Solid |
|
|
512
|
+
| Boundedness (repo-ir) | ✗ Broken |
|
|
513
|
+
| LLM readiness | ✓ With caveats |
|
|
514
|
+
| CLI surface coherence | ~ Mixed |
|
|
515
|
+
| Market differentiation | ✓ Real |
|
|
516
|
+
| Documentation accuracy | ~ Mostly accurate |
|
|
517
|
+
| Verdict | **trust with caveats** |
|
|
518
|
+
|
|
519
|
+
**Safe to use for:**
|
|
520
|
+
- Onboarding new engineers/agents (`onboard`)
|
|
521
|
+
- PR review context (`review-pr`)
|
|
522
|
+
- Bug triage with specific symptoms (`fix-bug --symptom "..."`)
|
|
523
|
+
- Interface impact analysis
|
|
524
|
+
|
|
525
|
+
**Not safe without knowing limits:**
|
|
526
|
+
- `impact ClassName` when ClassName is a Spring impl
|
|
527
|
+
- `repo-ir` without `--summary-only`
|
|
528
|
+
- `no_security_signal` as a real security indicator
|
|
529
|
+
- `hotspot_candidates` as a completeness signal
|
|
530
|
+
|
|
531
|
+
**Monetizable today:**
|
|
532
|
+
- `review-pr --format github-comment` as a GitHub Action
|
|
533
|
+
- `impact` on interface classes as a pre-commit/pre-PR tool
|
|
534
|
+
- `fix-bug` for symptom-driven triage in support scenarios
|
|
535
|
+
- `onboard` as first-prompt injection for AI coding agents
|
|
536
|
+
|
|
537
|
+
**Not yet monetizable without fix:**
|
|
538
|
+
- "AI-ready change intelligence" claim needs P0 fix
|
|
539
|
+
- "Know what breaks before you touch it" needs reliable impl-class impact
|
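Review bot: the token table in section 5 contradicts the "budget trimming works" claim for Broadleaf. It lists `fix-bug` (trimmed) at 27,653 tokens against `fix-bug` (raw before trim) at ~24,500, so the trimmed output is larger than the raw one. Section 8 then marks only the Keycloak trimmed figure (4,648) as safe to inject and does not mention the Broadleaf one. Please re-measure or swap the two cells, and state in section 8 whether 27,653 tokens is within the intended budget; sections 10, 11 and 14 all rest on the 204KB → 15KB Keycloak case alone.

Several other figures do not reconcile with the counts given in the same file:
- Section 10 says "24% of Broadleaf endpoints are non-REST paths", but 58 colon paths and 20 FQN paths out of 130 give 45%, 15% or 60% depending on which are counted.
- Section 6 says the impact bug breaks "95% of developer queries", with no measurement behind it; section 14 says only "the majority of queries".
- The Broadleaf cache speedup is given as ~13x, but 2.9s / 0.20s is about 14.5x.
- "Interface impact accuracy (~97.6%)" is derived from one annotation class (278 of 285, about 97.5%), not from interface targets.

BUG-P2-08 lists `--format` as failing on impact/onboard/fix-bug/modernize, while section 7 also marks `review-pr` ✗ for `--format yaml` and the document elsewhere relies on `review-pr --format github-comment`. Say explicitly that `review-pr` accepts `--format` with a different value set.

On BUG-P2-03, the proposed fix changes the metric to `security_model: "filter_based"` whenever a `WebSecurityConfigurerAdapter`, `SecurityConfig` or custom `Filter` impl is detected. The presence of a filter class does not show that it covers a given endpoint, so the recommendation should keep a per-endpoint unverified state next to the new field rather than replacing `no_security_signal`; otherwise the output moves from zero signal to an unearned positive one.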