sourcecode 1.31.16__tar.gz → 1.31.18__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (239)
  1. sourcecode-1.31.18/.continue-here.md +134 -0
  2. sourcecode-1.31.18/AUDIT_REAL_REPOS.md +539 -0
  3. {sourcecode-1.31.16 → sourcecode-1.31.18}/PKG-INFO +111 -40
  4. {sourcecode-1.31.16 → sourcecode-1.31.18}/README.md +110 -39
  5. {sourcecode-1.31.16 → sourcecode-1.31.18}/pyproject.toml +1 -1
  6. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/__init__.py +1 -1
  7. sourcecode-1.31.18/src/sourcecode/cache.py +470 -0
  8. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/cli.py +17 -13
  9. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/repository_ir.py +141 -1
  10. sourcecode-1.31.18/tests/test_cache.py +500 -0
  11. sourcecode-1.31.16/.continue-here.md +0 -108
  12. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-07db8d0b.json +0 -122
  13. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-178c65fa.json +0 -4012
  14. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-379aba51.json +0 -265
  15. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-530bd9cf.json +0 -406
  16. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-56888a2a.json +0 -244
  17. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-5b602060.json +0 -265
  18. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-5ea1c8f1.json +0 -570
  19. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-6934996c.json +0 -129
  20. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-7b6dd6cc.json +0 -351
  21. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-8cb41bc4.json +0 -390
  22. sourcecode-1.31.16/.sourcecode-cache/snapshot-88dc388-c9ab42a3.json +0 -13523
  23. sourcecode-1.31.16/AUDIT_REAL_REPOS.md +0 -619
  24. {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-join-discord/SKILL.md +0 -0
  25. {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-review-backlog/SKILL.md +0 -0
  26. {sourcecode-1.31.16 → sourcecode-1.31.18}/.agents/skills/source-command-gsd-workstreams/SKILL.md +0 -0
  27. {sourcecode-1.31.16 → sourcecode-1.31.18}/.github/workflows/build-windows.yml +0 -0
  28. {sourcecode-1.31.16 → sourcecode-1.31.18}/.gitignore +0 -0
  29. {sourcecode-1.31.16 → sourcecode-1.31.18}/.ruff.toml +0 -0
  30. {sourcecode-1.31.16 → sourcecode-1.31.18}/.sourcecode-cache/snapshot-3b5997a-fa5c742c.json +0 -0
  31. {sourcecode-1.31.16 → sourcecode-1.31.18}/CHANGELOG.md +0 -0
  32. {sourcecode-1.31.16 → sourcecode-1.31.18}/CONTRIBUTING.md +0 -0
  33. {sourcecode-1.31.16 → sourcecode-1.31.18}/LICENSE +0 -0
  34. {sourcecode-1.31.16 → sourcecode-1.31.18}/SECURITY.md +0 -0
  35. {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/PRODUCT_TIERS.md +0 -0
  36. {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/privacy.md +0 -0
  37. {sourcecode-1.31.16 → sourcecode-1.31.18}/docs/schema.md +0 -0
  38. {sourcecode-1.31.16 → sourcecode-1.31.18}/raw +0 -0
  39. {sourcecode-1.31.16 → sourcecode-1.31.18}/run_cli.py +0 -0
  40. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/adaptive_scanner.py +0 -0
  41. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/architecture_analyzer.py +0 -0
  42. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/architecture_summary.py +0 -0
  43. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/ast_extractor.py +0 -0
  44. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/canonical_ir.py +0 -0
  45. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/classifier.py +0 -0
  46. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/code_notes_analyzer.py +0 -0
  47. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/confidence_analyzer.py +0 -0
  48. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/context_scorer.py +0 -0
  49. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/context_summarizer.py +0 -0
  50. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/contract_model.py +0 -0
  51. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/contract_pipeline.py +0 -0
  52. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/coverage_parser.py +0 -0
  53. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/dependency_analyzer.py +0 -0
  54. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/__init__.py +0 -0
  55. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/base.py +0 -0
  56. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/csproj_parser.py +0 -0
  57. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/dart.py +0 -0
  58. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/dotnet.py +0 -0
  59. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/elixir.py +0 -0
  60. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/go.py +0 -0
  61. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/heuristic.py +0 -0
  62. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/hybrid.py +0 -0
  63. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/java.py +0 -0
  64. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/jvm_ext.py +0 -0
  65. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/nodejs.py +0 -0
  66. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/parsers.py +0 -0
  67. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/php.py +0 -0
  68. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/project.py +0 -0
  69. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/python.py +0 -0
  70. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/ruby.py +0 -0
  71. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/rust.py +0 -0
  72. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/systems.py +0 -0
  73. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/terraform.py +0 -0
  74. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/detectors/tooling.py +0 -0
  75. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/doc_analyzer.py +0 -0
  76. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/entrypoint_classifier.py +0 -0
  77. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/env_analyzer.py +0 -0
  78. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/file_classifier.py +0 -0
  79. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/flow_analyzer.py +0 -0
  80. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/git_analyzer.py +0 -0
  81. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/graph_analyzer.py +0 -0
  82. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/__init__.py +0 -0
  83. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/__init__.py +0 -0
  84. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/applier.py +0 -0
  85. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/backup.py +0 -0
  86. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/detector.py +0 -0
  87. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/onboarding/planner.py +0 -0
  88. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/runner.py +0 -0
  89. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/mcp/server.py +0 -0
  90. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/metrics_analyzer.py +0 -0
  91. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/output_budget.py +0 -0
  92. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/path_filters.py +0 -0
  93. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/pr_comment_renderer.py +0 -0
  94. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/prepare_context.py +0 -0
  95. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/progress.py +0 -0
  96. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/ranking_engine.py +0 -0
  97. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/redactor.py +0 -0
  98. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/relevance_scorer.py +0 -0
  99. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/repo_classifier.py +0 -0
  100. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/runtime_classifier.py +0 -0
  101. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/scanner.py +0 -0
  102. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/schema.py +0 -0
  103. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/semantic_analyzer.py +0 -0
  104. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/serializer.py +0 -0
  105. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/summarizer.py +0 -0
  106. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/__init__.py +0 -0
  107. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/config.py +0 -0
  108. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/consent.py +0 -0
  109. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/events.py +0 -0
  110. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/filters.py +0 -0
  111. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/telemetry/transport.py +0 -0
  112. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/tree_utils.py +0 -0
  113. {sourcecode-1.31.16 → sourcecode-1.31.18}/src/sourcecode/workspace.py +0 -0
  114. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/__init__.py +0 -0
  115. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/conftest.py +0 -0
  116. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/coverage.xml +0 -0
  117. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/fastapi_app/pyproject.toml +0 -0
  118. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/fastapi_app/src/main.py +0 -0
  119. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/go_service/cmd/api/main.go +0 -0
  120. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/go_service/go.mod +0 -0
  121. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/jacoco.xml +0 -0
  122. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/latin1_sample.java +0 -0
  123. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/latin1_sample_iso.java +0 -0
  124. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/lcov.info +0 -0
  125. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/app/page.tsx +0 -0
  126. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/package.json +0 -0
  127. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/nextjs_app/pnpm-lock.yaml +0 -0
  128. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/apps/web/app/page.tsx +0 -0
  129. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/apps/web/package.json +0 -0
  130. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/packages/api/main.py +0 -0
  131. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/packages/api/pyproject.toml +0 -0
  132. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/pnpm_monorepo/pnpm-workspace.yaml +0 -0
  133. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/pom.xml +0 -0
  134. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/application/service/FindAusenteService.java +0 -0
  135. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/domain/entities/Ausente.java +0 -0
  136. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/ausente/infrastructure/rest/AusenteRestController.java +0 -0
  137. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/application/service/FindAutocoberturasService.java +0 -0
  138. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/domain/entities/Autocoberturas.java +0 -0
  139. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/autocoberturas/infrastructure/rest/AutocoberturasRestController.java +0 -0
  140. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/application/service/FindCalendarioTrabajadorService.java +0 -0
  141. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/domain/entities/CalendarioTrabajador.java +0 -0
  142. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/calendarioTrabajador/infrastructure/rest/CalendarioTrabajadorRestController.java +0 -0
  143. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/application/service/FindDepartamentoService.java +0 -0
  144. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/domain/entities/Departamento.java +0 -0
  145. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/departamento/infrastructure/rest/DepartamentoRestController.java +0 -0
  146. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/application/service/FindEmpleadoService.java +0 -0
  147. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/domain/entities/Empleado.java +0 -0
  148. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/ddd/empleado/infrastructure/rest/EmpleadoRestController.java +0 -0
  149. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/DemoApplication.java +0 -0
  150. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/config/FilterConfig.java +0 -0
  151. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/domain/Health.java +0 -0
  152. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/mapper/HealthMapper.java +0 -0
  153. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/repository/HealthRepository.java +0 -0
  154. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/service/HealthService.java +0 -0
  155. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/web/HealthRestController.java +0 -0
  156. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/java/com/example/demo/web/NominaRestController.java +0 -0
  157. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/application-dev.yml +0 -0
  158. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/application.yml +0 -0
  159. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/fixtures/spring_boot_minimal/src/main/resources/mapper/HealthMapper.xml +0 -0
  160. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_architecture_analyzer.py +0 -0
  161. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_architecture_summary.py +0 -0
  162. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_ast_extractor.py +0 -0
  163. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_audit_fixes.py +0 -0
  164. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_audit_sas_v2.py +0 -0
  165. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block1_reliability.py +0 -0
  166. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block2_coverage.py +0 -0
  167. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_block5_quality.py +0 -0
  168. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_broadleaf_fixes.py +0 -0
  169. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1302.py +0 -0
  170. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v13115.py +0 -0
  171. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1312.py +0 -0
  172. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v1313.py +0 -0
  173. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v16.py +0 -0
  174. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_bug_fixes_v2.py +0 -0
  175. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_canonical_ir.py +0 -0
  176. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_classifier.py +0 -0
  177. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_cli.py +0 -0
  178. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_code_notes_analyzer.py +0 -0
  179. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_context_scorer.py +0 -0
  180. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_contract_pipeline.py +0 -0
  181. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_coverage_parser.py +0 -0
  182. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_cross_consistency.py +0 -0
  183. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_analyzer_node_python.py +0 -0
  184. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_analyzer_polyglot.py +0 -0
  185. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_dependency_schema.py +0 -0
  186. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_dotnet.py +0 -0
  187. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_go_rust_java.py +0 -0
  188. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_nodejs.py +0 -0
  189. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_php_ruby_dart.py +0 -0
  190. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_python.py +0 -0
  191. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_universal_managed.py +0 -0
  192. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detector_universal_systems.py +0 -0
  193. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_detectors_base.py +0 -0
  194. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_doc_analyzer_jsdom.py +0 -0
  195. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_doc_analyzer_python.py +0 -0
  196. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_encoding_regression.py +0 -0
  197. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_enterprise_benchmarks.py +0 -0
  198. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_analyzer_polyglot.py +0 -0
  199. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_analyzer_python_node.py +0 -0
  200. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_graph_schema.py +0 -0
  201. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_hybrid_inference.py +0 -0
  202. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration.py +0 -0
  203. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_dependencies.py +0 -0
  204. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_detection.py +0 -0
  205. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_docs.py +0 -0
  206. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_graph_modules.py +0 -0
  207. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_lqn.py +0 -0
  208. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_metrics.py +0 -0
  209. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_multistack.py +0 -0
  210. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_semantics.py +0 -0
  211. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_integration_universal.py +0 -0
  212. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_java_spring_integration.py +0 -0
  213. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_runner.py +0 -0
  214. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_serve.py +0 -0
  215. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_mcp_tools.py +0 -0
  216. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_metrics_analyzer.py +0 -0
  217. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_output_ux.py +0 -0
  218. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_packaging.py +0 -0
  219. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_phase1_improvements.py +0 -0
  220. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_pipeline_integrity.py +0 -0
  221. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_real_projects.py +0 -0
  222. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_redactor.py +0 -0
  223. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_repository_ir.py +0 -0
  224. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_scanner.py +0 -0
  225. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_schema.py +0 -0
  226. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_schema_normalization.py +0 -0
  227. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_scoring_calibration.py +0 -0
  228. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_analyzer_node.py +0 -0
  229. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_analyzer_python.py +0 -0
  230. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_import_resolution.py +0 -0
  231. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_semantic_schema.py +0 -0
  232. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_signal_hierarchy.py +0 -0
  233. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_summarizer.py +0 -0
  234. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_surface_honesty.py +0 -0
  235. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_task_differentiation.py +0 -0
  236. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_telemetry.py +0 -0
  237. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_v131_improvements.py +0 -0
  238. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_v1_10_regressions.py +0 -0
  239. {sourcecode-1.31.16 → sourcecode-1.31.18}/tests/test_workspace_analyzer.py +0 -0
@@ -0,0 +1,134 @@
1
+ # Continue Here — atlas-cli sesión 21
2
+
3
+ **Paused:** 2026-05-24
4
+ **Repo:** `/Users/user/Documents/workspace/atlas-cli`
5
+ **Branch:** master
6
+ **Version:** sourcecode 1.31.17
7
+
8
+ ---
9
+
10
+ ## Objetivo de esta sesión
11
+
12
+ Continuar corrección de bugs post-auditoría v1.31.16 (adversarial audit contra Keycloak + Broadleaf).
13
+ Sesión 21 atacó los dos P0s. Quedan P1s y P2s.
14
+
15
+ ---
16
+
17
+ ## Trabajo completado esta sesión
18
+
19
+ ### P0-01 — `impact OrderServiceImpl` → 0 callers FIXED ✅
20
+
21
+ **Root cause:** `_build_reverse_adjacency` descartaba edges `implements` cuando `to` era
22
+ nombre corto no-resuelto (`"OrderService"` en vez de FQN). El `reverse_graph["OrderService"]`
23
+ no tenía clave `"implements"` → scan desde reverse side imposible.
24
+
25
+ **Fix:** Escanear `graph.edges` forward para `type=implements` FROM matched classes.
26
+ Resolver `to` (short/FQN) contra claves de `reverse_graph` via suffix match.
27
+ Callers de la interfaz se añaden a `direct_callers`. Output incluye `via_interface_resolution`
28
+ y `via_interface_note`.
29
+
30
+ **Resultado:** `impact OrderServiceImpl` en Broadleaf: 0 callers → **74 callers**, risk LOW → **HIGH**.
31
+
32
+ ### P0-02 — `reverse_graph` unbounded por `--max-nodes`/`--max-edges` FIXED ✅
33
+
34
+ **Root cause:** `apply_ir_size_limits` sólo acotaba `graph.nodes`/`graph.edges`.
35
+ `reverse_graph` emitía 2685 claves (~3MB) aunque se pidieran 200 nodos.
36
+
37
+ **Fix:** Cuando `max_nodes` activo: restringir `reverse_graph` a `kept_fqns` + cap inner
38
+ caller lists a `max(20, max_nodes//4)`. Cuando sólo `max_edges`: cap a `max_edges` claves
39
+ por in-degree. Añade `reverse_graph_note` cuando trimmed.
40
+
41
+ **Resultado:** `--max-nodes 200 --max-edges 500`: 3.85MB → **939KB** (76% reducción).
42
+
43
+ ### Commit esta sesión
44
+
45
+ ```
46
+ e5fba19 fix(ir): resolve Spring DI interface bridging and bound reverse_graph
47
+ ```
48
+
49
+ ---
50
+
51
+ ## Estado archivos sin commitear
52
+
53
+ ```
54
+ ?? AUDIT_REAL_REPOS.md — auditoría 22 secciones (de sesión 20, no tocar)
55
+ ?? docs/PRODUCT_TIERS.md — de sesión anterior (no tocar esta sesión)
56
+ ```
57
+
58
+ Commitear estos docs antes de continuar con fixes:
59
+ ```bash
60
+ git add AUDIT_REAL_REPOS.md docs/PRODUCT_TIERS.md
61
+ git commit -m "docs(audit): adversarial audit v1.31.16 — real benchmarks, P0/P1/P2 findings"
62
+ ```
63
+
64
+ ---
65
+
66
+ ## Bugs pendientes por ROI
67
+
68
+ ### P1 — Altos
69
+
70
+ | # | Bug | Archivo | Tiempo est. |
71
+ |---|-----|---------|-------------|
72
+ | **P1-01** | Risk score inconsistente para 0-caller impls: `OrderServiceImpl`→low vs `OrderDaoImpl`→high (mismo 0 callers, distinta heurística). POST P0-01 fix: verificar si aún aplica o si interface bridging ya lo resuelve. | `repository_ir.py` → `compute_blast_radius` | 30 min |
73
+ | **P1-02** | `project_summary` = primera línea del README (license/marketing). Debe generarse de código: "N-module Spring Boot — M classes, K endpoints, J txn boundaries" | `serializer.py` o `summarizer.py` | 1h |
74
+ | **P1-03** | `fix-bug` devuelve 426 archivos para NPE genérico (14% repo, sin `score` field) | `prepare_context.py` → `fix_bug` | 30 min |
75
+ | **P1-04** | `indirect_callers:0` para KeycloakSession (1992 direct callers) — BFS para en nivel 1 por hub guard | `repository_ir.py` → `compute_blast_radius` hub guard logic | 45 min |
76
+ | **P1-05** | `fix-bug` 23s cold en Keycloak | profiling needed | ~1h |
77
+
78
+ ### P2 — Medios (batch)
79
+
80
+ - `bounded_contexts: ["dto","file"]` Broadleaf — WRONG. Fix: usar Maven module names
81
+ - `role: unknown` para todos `high_coupling_nodes` en modernize — nunca clasifica annotation/interface/entity
82
+ - `no_security_signal: 100%` en ambos repos — filter-based security nunca detectado
83
+ - JAX-RS sub-resource paths no compuestos con parent `@Path`
84
+ - `hotspot_candidates: []` siempre — git churn ignorado
85
+ - `--format`/`--no-cache` ausentes en `impact`, `endpoints`, `fix-bug`, `onboard`, `modernize`, `review-pr`
86
+ - Architecture confidence diferente entre `--compact` y `--agent` mismo repo
87
+
88
+ ---
89
+
90
+ ## Primera acción al retomar
91
+
92
+ ```bash
93
+ cd /Users/user/Documents/workspace/atlas-cli
94
+
95
+ # 1. Commitear docs pendientes
96
+ git add AUDIT_REAL_REPOS.md docs/PRODUCT_TIERS.md
97
+ git commit -m "docs(audit): adversarial audit v1.31.16 — Keycloak + Broadleaf findings"
98
+
99
+ # 2. Verificar si P1-01 aún existe post-fix P0-01:
100
+ sourcecode impact OrderDaoImpl ~/Documents/workspace/BroadleafCommerce 2>&1 | python3 -m json.tool | grep -E 'risk_level|confidence_level|direct_callers|via_interface'
101
+ # Si risk_level sigue siendo inconsistente → fix P1-01
102
+ # Si interface bridging ya lo resuelve → skip a P1-02
103
+
104
+ # 3. Si P1-01 persiste:
105
+ # En compute_blast_radius: cuando direct_callers=0 Y no hay interface bridging Y
106
+ # clase es @Service/@Repository impl → bajar confidence, añadir gap en explanation
107
+ ```
108
+
109
+ ---
110
+
111
+ ## Archivos clave del codebase
112
+
113
+ ```
114
+ src/sourcecode/
115
+ repository_ir.py — impact analysis, blast radius, interface bridging (P0-01/02 fixeados aquí)
116
+ prepare_context.py — fix-bug, onboard, review-pr output (P1-03 aquí)
117
+ serializer.py — compact/agent output, project_summary (P1-02 aquí)
118
+ summarizer.py — ProjectSummarizer (P1-02 posiblemente aquí)
119
+ cli.py — top-level commands, cache logic
120
+ tests/
121
+ test_enterprise_benchmarks.py
122
+ ```
123
+
124
+ ---
125
+
126
+ ## Contexto de versiones
127
+
128
+ - v1.31.16: bugs auditados en sesión 20
129
+ - v1.31.17: versión actual (bumpeada en 0cf28b1 por el usuario)
130
+ - Fixes P0-01/P0-02: commit e5fba19 (sesión 21)
131
+
132
+ ---
133
+
134
+ *Pausado 2026-05-24 — gsd:pause-work (sesión 21)*
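Review bot: `.continue-here.md` is a session handoff note rather than package content, and its lines 4 and 93 record the maintainer's absolute working path (`/Users/user/Documents/workspace/atlas-cli`), with line 100 adding a second local checkout path (`~/Documents/workspace/BroadleafCommerce`); keep this file out of the published tarball, or at least replace those paths with repo-relative ones. Line 6 also reads `**Version:** sourcecode 1.31.17` while the file ships under `sourcecode-1.31.18/`, so the open P1/P2 list (for example `no_security_signal: 100%` on line 82) reads as the release's current known issues without saying whether they still apply. If the file stays, state which version it describes, or move the open items into `CHANGELOG.md`.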
@@ -0,0 +1,539 @@
1
+ # sourcecode — P1.5 Credibility Audit
2
+ **Adversarial audit against real enterprise Java repos. No synthetic fixtures.**
3
+
4
+ Version audited: 1.31.17
5
+ Date: 2026-05-24
6
+ Repos: `~/Documents/workspace/keycloak` (7885 Java files, 18K+ commits), `~/Documents/workspace/BroadleafCommerce` (2985 Java files, 18K+ commits)
7
+
8
+ ---
9
+
10
+ ## 1. Executive Summary
11
+
12
+ `sourcecode` delivers real, non-trivial value for Java/Spring enterprise codebases. The compact/agent scan, cache system, event flow detection, and transactional boundary extraction are genuinely useful. The `review-pr --format github-comment` output is above MVP and commercially differentiated.
13
+
14
+ **But the core `impact` command has a P0 correctness bug** that fundamentally undermines the product's main claim: for implementation classes (the natural query for a developer), it returns 0 callers with `confidence_level: high`. This is systematically wrong — the worst possible failure mode.
15
+
16
+ **Verdict:** `trust with caveats` — solid foundation, monetizable with specific fixes. Not yet safe to pitch as "AI-ready change intelligence" without fixing P0 and P1 issues.
17
+
18
+ ---
19
+
20
+ ## 2. Methodology
21
+
22
+ - `sourcecode --help` + all sub-command `--help` reviewed
23
+ - `sourcecode --compact`, `--agent`, `--format yaml` on both repos (cold + cached)
24
+ - `sourcecode endpoints` on both repos with path quality analysis
25
+ - `sourcecode impact` on: impl classes, interface classes, nonexistent targets, high-fan-in annotation classes
26
+ - `sourcecode onboard`, `fix-bug`, `modernize`, `review-pr` on both repos
27
+ - `sourcecode repo-ir --summary-only` and `--max-nodes 200 --max-edges 500`
28
+ - `sourcecode prepare-context` vs standalone aliases (diff comparison)
29
+ - Cache behavior: cold→warm timing, determinism (same output across runs)
30
+ - Error handling: invalid refs, missing targets, wrong flag combos
31
+ - Flag consistency audit across all commands
32
+
33
+ ---
34
+
35
+ ## 3. Repo-by-Repo Findings
36
+
37
+ ### Keycloak (7885 Java files — major IAM server, Quarkus/Jakarta EE)
38
+
39
+ **What worked:**
40
+ - Stack: correctly detected Quarkus + Jakarta EE + Vert.x + Node.js secondary
41
+ - Bootstrap entry points: correct (KeycloakMain, QuarkusKeycloakApplication, Main)
42
+ - 693 JAX-RS endpoints extracted from annotations
43
+ - Dependency list accurate (Jackson, WebAuthn4j, OpenTelemetry, FIPS providers, etc.)
44
+ - javax-to-jakarta migration risk flag correctly raised
45
+ - Cold scan `--compact`: 9s. Cached: 0.27s (~33x speedup)
46
+ - `fix-bug --symptom "OIDC token refresh fails after realm update"`: correct files surfaced (OIDCLoginProtocolService, RefreshTokenGrantType, RefreshTokenGrantTypeFactory). Budget trimmed 204KB → 15KB — safety net works.
47
+ - Spring profile `rhbk` (Red Hat's Keycloak fork) detected from env_vars
48
+
49
+ **What failed:**
50
+ - `project_type: "fullstack"` — Keycloak is an IAM **server product**, not a generic fullstack app
51
+ - `project_summary` copied from README ("Add authentication to applications...") — describes what Keycloak does for *users*, not what the *codebase does architecturally*
52
+ - `bounded_contexts: ["keycloak"]` — too generic; Keycloak has clear subsystem boundaries (oidc, saml, federation, authz, admin, operator)
53
+ - `entry_points.security` mixes SPI implementations (CredentialProvider, AuthenticatorFactory) with actual security filters — different concerns in same bucket
54
+ - `DefaultKeycloakSession` impact: **2 direct callers** (should be hundreds — injected via `KeycloakSession` interface everywhere). P0 bug.
55
+ - `KeycloakSession` interface impact: 1992 direct callers found but `indirect_callers: 0` — BFS exhausts at level 1 on very large fan-out
56
+ - Short JAX-RS paths (`/{id}`, `/sessions`) — sub-resource paths not composed with parent `@Path`
57
+ - `fix-bug` cold: 23s — slowest workflow, too slow for CI integration
58
+ - `no_security_signal: 693` for all endpoints — Keycloak uses JAX-RS filter security; metric provides zero signal
59
+
60
+ ### BroadleafCommerce (2985 Java files — e-commerce framework, Spring Boot)
61
+
62
+ **What worked:**
63
+ - Stack: correctly detected Spring Boot + Spring MVC + Spring Security + Spring LDAP + Spring AOP
64
+ - Security filter chain detected (SecurityFilter, CsrfFilter, SecurityBasedIgnoreFilter)
65
+ - `transactional_boundaries`: 29 classes correctly identified (OrderServiceImpl, OrderDaoImpl, OfferServiceImpl, etc.)
66
+ - Event flow: listeners, publishers, event types correctly extracted (CustomerPersistedEvent, OrderPersistedEvent, TransactionLifecycleEvent)
67
+ - Cache: 2.9s cold → 0.2s cached (~13x speedup)
68
+ - Dependency extraction with version info and risk flags correct
69
+ - review-pr: `HEAD~3` diff correctly identified 3 source changes + 13 build manifest changes
70
+ - review-pr invalid ref: structured JSON error with available branch list
71
+
72
+ **What failed:**
73
+ - `project_type: "api"` — BroadleafCommerce is an e-commerce **framework**, not a generic REST API
74
+ - `project_summary` lifted from README license notice ("Available to companies with under $5M in revenue...") — license blurb, not architecture summary
75
+ - `bounded_contexts: ["dto", "file"]` — WRONG. Real bounded contexts: Order, Catalog, Customer, CMS, Offer/Pricing
76
+ - `OrderServiceImpl` impact: **0 callers, risk_level: low, confidence_level: high** — WRONG. Most central class in order system; 43+ dependent files
77
+ - `OrderDaoImpl` impact: **0 callers, risk_level: high** — same 0-caller root cause, different risk level. Inconsistent behavior from same bug.
78
+ - 58 endpoint paths with colon notation (`/product:product`, `/bundle:bundle/{id}`) — unresolved constant expressions in annotations
79
+ - 20 endpoint paths that are FQN class names (`/org.broadleafcommerce.core.search.domain.FieldImpl`) — Broadleaf admin dynamic routing, not real REST paths
80
+ - `hotspot_candidates: []` despite 18K+ commits — git churn not used in hotspot analysis
81
+ - `cross_module_tangles: []` — 8 subsystems with known coupling, algorithm detects nothing
82
+ - `no_security_signal: 130` — Broadleaf uses XML-based security and custom AdminSecurityFilter; annotation detection returns nothing
83
+ - `entry_points.controllers: {methods: 21}` vs `endpoints` finding 130 — unexplained discrepancy
84
+
85
+ ---
86
+
87
+ ## 4. Core Engine Correctness
88
+
89
+ ### Endpoint Extraction
90
+
91
+ | Metric | Keycloak | Broadleaf |
92
+ |--------|----------|-----------|
93
+ | Endpoints found | 693 | 130 |
94
+ | Controller/handler present | ✓ | ✓ |
95
+ | Paths fully composed (parent + child) | Partial | Partial |
96
+ | Paths with annotation constant issues | ~0 | 58 (colons) |
97
+ | FQN class name paths (dynamic routing) | 0 | 20 |
98
+ | Security signal useful | ✗ (filter-based) | ✗ (XML+filter) |
99
+
100
+ **JAX-RS sub-resource paths:** Methods with `@GET/@POST` inside a `@Path`-annotated class extract only the method-level path. Parent path not composed → incomplete, ambiguous paths.
101
+
102
+ **Spring MVC constant expressions:** `@RequestMapping("/" + CONST_A + ":" + CONST_B)` → extracted as `/product:product`. Tool resolves string constants but the resulting path is unintelligible as a REST URL without domain knowledge.
103
+
104
+ ### Impact Analysis — THE KEY FINDING
105
+
106
+ **P0 Bug: Spring DI interface-injection blindness**
107
+
108
+ When `OrderServiceImpl implements OrderService` and all callers inject `@Autowired OrderService orderService`:
109
+
110
+ ```
111
+ sourcecode impact OrderServiceImpl /BroadleafCommerce
112
+ → direct_callers: 0, risk_level: low, confidence_level: HIGH
113
+
114
+ sourcecode impact OrderService /BroadleafCommerce
115
+ → direct_callers: 30, indirect_callers: 50, endpoints_affected: 11, risk_level: high
116
+ ```
117
+
118
+ This pattern is universal in Spring and Java DI: callers inject the interface, not the impl. Querying impl classes returns wrong answers. The tool documents this ("Target interfaces, not implementations"), but:
119
+
120
+ 1. `confidence_level: high` for the wrong 0-caller answer is the worst possible failure mode — a developer gets high-confidence garbage
121
+ 2. The natural query is the class name you're editing, which is the impl
122
+ 3. The tool should detect `@Service`/`@Repository` impls and warn/auto-redirect
123
+
124
+ **Risk score inconsistency from same root cause:**
125
+ - `OrderServiceImpl`: 0 callers → risk_level: **low** (no heuristic applies)
126
+ - `OrderDaoImpl`: 0 callers → risk_level: **high** (persistence path heuristic: "15 persistence paths in blast cone")
127
+
128
+ Both return 0 callers for the same Spring DI reason. They get different risk levels based on which heuristics fire. A developer comparing both would incorrectly conclude `OrderDaoImpl` is riskier.
129
+
130
+ **What works in impact:**
131
+ - Interface targets: accurate (OrderService: 30 direct, 50 indirect, 11 endpoints — matches grep-based verification of ~43 dependent files)
132
+ - Annotation classes: accurate (AdminPresentationClass: 278 found vs 285 actual in_degree — 2.4% gap)
133
+ - Nonexistent target: clean `{resolution: "not_found"}` response
134
+ - High fan-in interfaces: KeycloakSession 1992 direct callers correctly found
135
+
136
+ ### Confidence Scoring Inconsistency
137
+
138
+ compact: `sections.architecture = "low"`, factor: `"architecture.confidence=low → overall capped at medium"`
139
+ agent: `sections.architecture = "medium"`, factor: `"architecture.confidence=medium → downgraded"`
140
+
141
+ Same repo (Broadleaf), different confidence levels between compact and agent modes. Schema inconsistency.
142
+
143
+ ---
144
+
145
+ ## 5. Performance / Scale
146
+
147
+ | Command | Keycloak (7885 files) | Broadleaf (2985 files) |
148
+ |---------|-----------------------|------------------------|
149
+ | `--compact` cold | 9.0s | 2.9s |
150
+ | `--compact` cached | 0.27s | 0.20s |
151
+ | `--agent` cold | 17s | 7.3s |
152
+ | `impact interface` | ~12s | 5.9s |
153
+ | `fix-bug` cold | **23s** | 8.8s |
154
+ | `onboard` cold | n/a | 6.7s |
155
+ | `modernize` cold | n/a | 5.5s |
156
+ | `repo-ir --summary-only` | 12s | 5.4s |
157
+ | Cache speedup | ~33x | ~13x |
158
+
159
+ **`repo-ir --max-nodes 200 --max-edges 500`:** Output = **3,948,466 bytes / 987K tokens**. The flags only bound `graph.nodes/edges`. `reverse_graph` (3MB for 2685 hubs) is entirely unbounded.
160
+
161
+ **Token sizes (measured):**
162
+
163
+ | Output mode | Broadleaf | Keycloak |
164
+ |-------------|-----------|----------|
165
+ | `--compact` | 2,856 | 4,031 |
166
+ | `--agent` | 4,769 | 5,499 |
167
+ | `onboard` | 2,564 | n/a |
168
+ | `fix-bug` (trimmed) | 27,653 | 4,648 |
169
+ | `fix-bug` (raw before trim) | ~24,500 | ~51,000 |
170
+ | `repo-ir --summary-only` | 19,756 | 16,885 |
171
+ | `repo-ir --max-nodes 200` | **987,116** | n/a |
172
+
173
+ The budget trimming in fix-bug is a real safety net (204KB → 15KB for Keycloak). The concern is the 204KB raw size — if the budget check ever fails, LLM context floods.
174
+
175
+ ---
176
+
177
+ ## 6. Workflow Audit
178
+
179
+ ### `onboard` — MVP correct
180
+ **Signal:** 26 relevant files, entry points, transactional boundaries, gaps.
181
+ **Issues:** `project_summary` from README blurb. `relevant_files` has no `score` field. Gaps section too generic.
182
+ **Rating:** MVP correct — useful, not polished.
183
+
184
+ ### `impact` — below MVP for impl classes
185
+ **Signal:** Correct for interfaces. Wrong with high confidence for impls.
186
+ **Issues:** P0 bug. See Section 4. The main claim breaks for 95% of developer queries.
187
+ **Rating:** Below MVP for primary use case.
188
+
189
+ ### `fix-bug` — above MVP for specific symptoms
190
+ **Signal:** Good file ranking for keyword-rich symptoms. Budget trimming works.
191
+ **Issues:** 426 files returned for generic NPE symptom in 2985-file repo. No score field in relevant_files. 23s cold on Keycloak.
192
+ **Rating:** Above MVP for specific symptoms, MVP for generic ones.
193
+
194
+ ### `review-pr` — above MVP
195
+ **Signal:** Excellent `github-comment` format with epistemic labels. Correctly separates build manifest from source changes.
196
+ **Issues:** `classification_confidence: low` for simple 3-file validator PRs. Validator role not detected.
197
+ **Rating:** Above MVP. The github-comment format is the strongest differentiator in the product.
198
+
199
+ ### `modernize` — MVP only
200
+ **Signal:** `high_coupling_nodes` correctly identifies high-fan-in classes. Dead zone candidates plausible.
201
+ **Issues:** `hotspot_candidates: []` always. `cross_module_tangles: []`. `role: unknown` for all nodes.
202
+ **Rating:** MVP only.
203
+
204
+ ### `repo-ir --summary-only` — MVP correct
205
+ **Signal:** Spring events, route surface, impact.ranked_nodes all present.
206
+ **Issues:** 19K tokens even in summary mode. `reverse_graph_note: "showing 10/2685 hubs"` — correctly bounded in summary mode.
207
+ **Rating:** MVP correct for `--summary-only`. Use without it only with `--files`.
208
+
209
+ ### `prepare-context` vs top-level aliases
210
+ Output is **byte-for-byte identical** to `sourcecode onboard`, `sourcecode fix-bug`, etc. (verified by diff). Documented in README but creates confusing dual API surface.
211
+
212
+ ---
213
+
214
+ ## 7. CLI / UX Audit
215
+
216
+ **Flag inconsistency:**
217
+ - `--format yaml`: main command ✓, endpoints ✓, repo-ir ✓. `impact` ✗, `onboard` ✗, `fix-bug` ✗, `review-pr` ✗, `modernize` ✗
218
+ - `--no-cache`: main command ✓. `endpoints` ✗, `impact` ✗, task commands ✗
219
+
220
+ **`--deep` flag:** Referenced in output (`"Use --deep for up to 80 files"`) but absent from `--help` and README. Hidden feature.
221
+
222
+ **Error messages:**
223
+ - Nonexistent target: clean JSON `{resolution: "not_found"}` ✓
224
+ - Invalid git ref: structured JSON with available branch hints ✓
225
+ - `--compact --full` mutual exclusion: clear plain text ✓
226
+ - `--format yaml` on `impact`: generic Click error ✗
227
+
228
+ **Schema stability issues:**
229
+ - `truncated: None` (absent) vs `truncated: false` (explicit) — prefer always explicit boolean
230
+ - `impact.direct_callers` list truncated to 30 without adjacent count — actual count in `stats.direct_caller_count` and `explanation` text only
231
+ - Architecture confidence different between `--compact` and `--agent` modes for same repo
232
+
233
+ **--help token claim:**
234
+ - `--compact --help`: "typically 1000–3000 tokens"
235
+ - README quickstart: "typically 2000–4000 tokens"
236
+ - Measured: 2856–4031 for these repos
237
+
238
+ ---
239
+
240
+ ## 8. LLM / Agent Readiness
241
+
242
+ **Safe to inject into LLM context:**
243
+ - `--compact`: 2856–4031 tokens ✓
244
+ - `--agent`: 4769–5499 tokens ✓
245
+ - `onboard`: ~2564 tokens ✓
246
+ - `fix-bug` (Keycloak, after trim): 4648 tokens ✓
247
+ - `review-pr`: 2720 tokens ✓
248
+
249
+ **NOT safe without `--summary-only` or `--files`:**
250
+ - `repo-ir`: can exceed 987K tokens
251
+ - `fix-bug` raw before budget: 51K tokens (Keycloak), 24K (Broadleaf)
252
+
253
+ **Agent signal quality:**
254
+ - `confidence_summary.factors` with machine-readable explanations: ✓
255
+ - `analysis_gaps` with `area` + `reason` + `impact`: ✓
256
+ - `ci_decision` in `review-pr`: ✓
257
+ - `suggested_review_order` in `review-pr`: ✓
258
+ - `relevant_files` with score: ✗ (missing — agent can't weight files)
259
+ - Determinism: ✓ (same output across repeated runs)
260
+ - Structured failures (JSON errors, not stack traces): ✓
261
+
262
+ ---
263
+
264
+ ## 9. Bugs & Inconsistencies
265
+
266
+ ### P0 — Critical Correctness
267
+
268
+ **BUG-P0-01: `impact` returns 0 callers for Spring impl classes with high confidence**
269
+ - Command: `sourcecode impact OrderServiceImpl /BroadleafCommerce`
270
+ - Observed: `direct_callers: [], risk_level: "low", confidence_level: "high"`
271
+ - Expected: 30+ direct callers via interface, risk_level: high
272
+ - Root cause: Graph traces direct import edges only. When callers inject via `OrderService` interface, `OrderServiceImpl` has zero incoming edges.
273
+ - Risk: High-confidence wrong answer before risky refactors = missed blast radius = production incidents.
274
+ - Fix: Detect `@Service`/`@Component`/`@Repository` impls with 0 callers and their interfaces. Auto-merge interface impact OR emit warning: `"0 callers found — callers of interface OrderService: 30. Run: sourcecode impact OrderService"`
275
+
276
+ **BUG-P0-02: `repo-ir --max-nodes N --max-edges N` does not bound output**
277
+ - Command: `sourcecode repo-ir /BroadleafCommerce --max-nodes 200 --max-edges 500`
278
+ - Observed: 3,948,466 bytes / 987K tokens
279
+ - Root cause: Flags only limit `graph.nodes/edges`. `reverse_graph` (3,092KB for 2685 hubs × 20 callers) is unaffected.
280
+ - Risk: LLM context overflow. Users expecting size control get none.
281
+ - Fix: Apply limits to `reverse_graph` hubs as well, OR rename flags to `--max-graph-nodes`/`--max-graph-edges` and document the gap clearly.
282
+
283
+ ### P1 — High Severity
284
+
285
+ **BUG-P1-01: Risk score inconsistency for same 0-caller root cause**
286
+ - `OrderServiceImpl`: 0 callers → risk_level: **low** (no heuristic)
287
+ - `OrderDaoImpl`: 0 callers → risk_level: **high** (persistence path heuristic)
288
+ - Both have 0 callers for identical Spring DI reason. Different risk levels from different heuristics.
289
+ - Fix: When `direct_callers = 0` and class is a Spring impl, suppress confidence and add a gap annotation.
290
+
291
+ **BUG-P1-02: `project_summary` copies README license/marketing text**
292
+ - Broadleaf: `"Available to companies with under $5M in revenue — it is not an Apache 2 open source product"`
293
+ - Keycloak: `"Add authentication to applications and secure services with minimum effort"`
294
+ - These are first lines of READMEs — license/marketing, not architecture.
295
+ - Fix: Generate from code structure: `"N-module Spring Boot framework — M Java classes, K REST endpoints, J transactional boundaries"`.
296
+
297
+ **BUG-P1-03: `fix-bug` returns 426 relevant files for generic NPE symptom in 2985-file repo**
298
+ - 14% of all Java files flagged as relevant
299
+ - No `score` field — agent can't prioritize
300
+ - Fix: Cap at 20 files when symptom is generic (low keyword specificity). Add `score` field.
301
+
302
+ **BUG-P1-04: `indirect_callers: 0` for KeycloakSession with 1992 direct callers**
303
+ - BFS appears to exhaust budget at level 1, never computes level 2+ transitive callers
304
+ - Fix: Sample BFS on very large fan-out targets, or document behavior explicitly.
305
+
306
+ **BUG-P1-05: Keycloak `fix-bug` 23s cold**
307
+ - Broadleaf: 8.8s. Keycloak 7885 files: 23s.
308
+ - Marginal for interactive use, problematic for CI gates.
309
+ - Fix: Profile hotpath. Consider `--fast` flag for fix-bug (exists in prepare-context but not fix-bug).
310
+
311
+ ### P2 — Medium Severity
312
+
313
+ **BUG-P2-01: `bounded_contexts` wrong for both repos**
314
+ - Keycloak: `["keycloak"]` — one name for a multi-subsystem IAM server
315
+ - Broadleaf: `["dto", "file"]` — utility packages, not domain contexts
316
+ - Fix: Use Maven module names as primary signal for bounded context detection.
317
+
318
+ **BUG-P2-02: `role: unknown` for all `modernize.high_coupling_nodes`**
319
+ - All 20 nodes including annotation types, interfaces, domain entities have `role: "unknown"`
320
+ - Fix: Detect `@interface` (annotation), `interface`, `@Entity`, `@Service`, etc. from source.
321
+
322
+ **BUG-P2-03: `no_security_signal` always 100% for filter-based security**
323
+ - Both repos: all endpoints flagged despite being secured (via filter/XML config)
324
+ - Metric provides zero signal for the most common enterprise Java security pattern
325
+ - Fix: Detect `WebSecurityConfigurerAdapter`, `SecurityConfig`, custom `Filter` impls. When present, change metric to `security_model: "filter_based"`.
326
+
327
+ **BUG-P2-04: JAX-RS sub-resource paths not composed with parent `@Path`**
328
+ - Keycloak: `GET /{id}`, `/sessions` instead of `/admin/realms/{realm}/clients/{id}`
329
+ - Fix: Compose method `@Path` with class-level `@Path` during extraction.
330
+
331
+ **BUG-P2-05: Broadleaf admin framework paths mixed with REST endpoints**
332
+ - 20 paths with FQN class names (`/org.broadleafcommerce.core.search.domain.FieldImpl`)
333
+ - 58 paths with colon notation from constant concatenation (`/product:product`)
334
+ - Fix: Flag paths containing dots or colons (outside `{var}` segments) as `routing_type: "admin_framework"`.
335
+
336
+ **BUG-P2-06: Architecture confidence inconsistent between `--compact` and `--agent`**
337
+ - Same repo, different architecture confidence (low in compact, medium in agent)
338
+ - Fix: Unify architecture confidence calculation regardless of output mode.
339
+
340
+ **BUG-P2-07: `entry_points.controllers.methods: 21` vs `endpoints` finding 130**
341
+ - Unexplained discrepancy for same repo
342
+ - Fix: Align or explain the difference.
343
+
344
+ **BUG-P2-08: `--format` and `--no-cache` inconsistently available**
345
+ - `--format`: works on main/endpoints/repo-ir, fails on impact/onboard/fix-bug/modernize
346
+ - `--no-cache`: works on main, fails on all subcommands
347
+ - Fix: Add consistently to all commands, or document the restriction.
348
+
349
+ ### Cosmetic
350
+
351
+ - Code notes URLs truncated: `"s.webkit.org/..."` instead of `"https://bugs.webkit.org/..."`
352
+ - `truncated: None` (absent key) vs `truncated: false` (explicit boolean) — prefer always explicit
353
+ - `run_id` in task outputs — purpose undocumented
354
+ - `direct_callers` list truncated to 30 without adjacent count field
355
+ - `--compact --help` says "1000–3000 tokens", README says "2000–4000 tokens" — inconsistent
356
+ - `--deep` flag referenced in output but absent from `--help` and README
357
+
358
+ ---
359
+
360
+ ## 10. Good / Bad / Ugly
361
+
362
+ ### The Good
363
+ - Cache system: 13–33x speedup, content-hash keyed, deterministic
364
+ - Spring event flow detection: listeners + publishers + event types
365
+ - Transactional boundary detection: 29 Broadleaf classes correctly identified
366
+ - javax-to-jakarta migration risk flags
367
+ - `review-pr --format github-comment`: epistemic labels (FACT / STRUCTURAL SIGNAL / INFERRED / OMITTED)
368
+ - Structured error responses (JSON errors with recovery hints)
369
+ - fix-bug budget trimming (204KB → 15KB safety net works)
370
+ - Interface impact accuracy (~97.6% of actual in_degree for annotation classes)
371
+ - Deterministic: same output across repeated runs
372
+
373
+ ### The Bad
374
+ - `impact` on impl classes: 0 callers with high confidence — the core value prop fails for natural queries
375
+ - `project_summary` from README blurb — zero architectural intelligence
376
+ - `bounded_contexts` detection wrong for both repos
377
+ - `hotspot_candidates: []` always for annotation-heavy repos
378
+ - `repo-ir` size explosion with `--max-nodes/edges`
379
+
380
+ ### The Ugly
381
+ - Risk score diverges for same bug: `OrderServiceImpl` → low, `OrderDaoImpl` → high. Same root cause, opposite conclusions.
382
+ - `indirect_callers: 0` for KeycloakSession (1992 direct callers). BFS stops at level 1. An LLM given this would underestimate transitive impact.
383
+ - 24% of Broadleaf endpoints are non-REST paths mixed into the list without differentiation.
384
+
385
+ ---
386
+
387
+ ## 11. What Works Above MVP
388
+
389
+ 1. Cache system (13–33x speedup, content-hash keyed)
390
+ 2. Spring event flow detection
391
+ 3. Transactional boundary detection with class names
392
+ 4. javax-to-jakarta migration risk flag
393
+ 5. `review-pr --format github-comment` with epistemic labels
394
+ 6. Structured JSON error responses
395
+ 7. fix-bug budget trimming
396
+ 8. Interface impact accuracy (~97.6% for annotation classes)
397
+ 9. Deterministic, cacheable outputs
398
+ 10. review-pr: build manifest vs source file differentiation
399
+
400
+ ---
401
+
402
+ ## 12. What Is MVP Only
403
+
404
+ 1. Stack detection
405
+ 2. Entry point detection (bootstrap files)
406
+ 3. compact/agent onboarding
407
+ 4. YAML output format
408
+ 5. Spring MVC endpoint extraction
409
+ 6. Dependency extraction with versions
410
+ 7. Code notes extraction (TODO/BUG/FIXME)
411
+ 8. review-pr JSON format
412
+ 9. onboard workflow
413
+
414
+ ---
415
+
416
+ ## 13. What Is Below MVP
417
+
418
+ 1. `impact` on impl classes (P0)
419
+ 2. `repo-ir` size control with `--max-nodes/edges` (P0)
420
+ 3. `hotspot_candidates` — always empty in annotation-heavy repos
421
+ 4. `bounded_contexts` detection — wrong for both repos
422
+ 5. JAX-RS sub-resource path composition
423
+ 6. `no_security_signal` for filter-based security projects
424
+ 7. `project_summary` generation for enterprise codebases
425
+
426
+ ---
427
+
428
+ ## 14. Market Differentiation
429
+
430
+ ### What pain does `sourcecode` actually solve?
431
+
432
+ **Blast radius blindness in Java monoliths.** Senior engineers spend 30-60 minutes per PR doing manual blast radius assessment. `sourcecode impact` collapses this to seconds — when it works (interface targets): 30 direct callers, 50 indirect, 11 endpoints in 6 seconds.
433
+
434
+ **New engineer/agent ramp-up in 7885-file codebases.** `sourcecode onboard` produces a bounded, structured context bundle — the right answer in seconds, not hours of grepping.
435
+
436
+ **LLM context preparation for Java repos.** AI agents working on Java monoliths fail from context overflow. `sourcecode` pre-selects highest-signal files and produces bounded JSON. The fix-bug 204KB → 15KB trim is a concrete example.
437
+
438
+ ### What alternatives don't provide
439
+
440
+ | Alternative | What it misses |
441
+ |-------------|---------------|
442
+ | grep / find | No structure, no graph, no ranking |
443
+ | IDE navigation | Interactive only; not scriptable; not AI-ready |
444
+ | LSP (Java Language Server) | Requires JVM; slow startup; no bounded JSON output |
445
+ | SonarQube | Static quality analysis, not change intelligence |
446
+ | GitHub code search | No impact graph; no transactional awareness |
447
+ | MCP wrappers | Dumps raw files; no pre-selection; no bounded signal |
448
+
449
+ `sourcecode` uniquely combines: static Java graph analysis + bounded AI-ready output + change impact + transactional awareness. No direct competitor produces this combination in sub-10-second cold scans.
450
+
451
+ **The gap:** The P0 impl-class impact bug makes the strongest claim ("what breaks if I change X?") unreliable for the majority of queries in Spring codebases. Fix this and the differentiation holds.
452
+
453
+ ---
454
+
455
+ ## 15. Concrete Corrections Recommended
456
+
457
+ **Priority 1 (fix before enterprise pitch):**
458
+ 1. `impact`: Detect `@Service`/`@Repository` impl with 0 callers → auto-run on interfaces OR warn with: `"0 callers found — callers of interface OrderService: 30. Consider: sourcecode impact OrderService"`
459
+ 2. `repo-ir`: Apply `--max-nodes/edges` limits to `reverse_graph` hubs as well, OR document clearly.
460
+ 3. `project_summary`: Generate from code structure, not README. Template: `"[N-module Spring Boot/Quarkus] — [M] Java classes, [K] REST endpoints, [J] transactional boundaries."`
461
+
462
+ **Priority 2 (improve credibility):**
463
+ 4. When `direct_callers = 0` and class is Spring impl: lower `confidence_level` to medium and add gap: `"impl class — consider targeting interface for full caller graph."`
464
+ 5. `bounded_contexts`: Use Maven module names as primary signal.
465
+ 6. `no_security_signal`: Detect filter-based security. Change to `security_model: "filter_based"` + note.
466
+ 7. `modernize.hotspot_candidates`: Use git churn (`git log --follow --name-only`) combined with coupling degree.
467
+ 8. `modernize.high_coupling_nodes.role`: Classify annotation types, interfaces, entities — never return `"unknown"`.
468
+
469
+ **Priority 3 (polish):**
470
+ 9. Add `score` field to `relevant_files` in all task outputs.
471
+ 10. Add `direct_callers_count` alongside `direct_callers` list.
472
+ 11. Add `--format`/`--no-cache` consistently to all commands.
473
+ 12. Fix URL truncation in code_notes.
474
+ 13. Fix `truncated: None` → always explicit `truncated: false`.
475
+ 14. Add `--deep` to `--help` output.
476
+ 15. Unify architecture confidence between `--compact` and `--agent`.
477
+ 16. Align `entry_points.controllers.methods` with `sourcecode endpoints` count.
478
+ 17. Fix `--compact --help` vs README token count inconsistency (claim: 1000-3000, measured: 2856-4031).
479
+
480
+ ---
481
+
482
+ ## 16. High-Leverage Feature Opportunities
483
+
484
+ **Interface → impl resolution** (extends the P0 fix):
485
+ Auto-detect interface when user targets impl. Present: "Direct callers of impl: 0. Via interface: 30. Using interface results." Makes impact correct by default.
486
+
487
+ **Git churn coupling (hotspot 2.0):**
488
+ Combine temporal coupling (files changed together in same commit), static import coupling, and fan-in degree. "Change risk index" per file. Monetizable as continuous CI/CD signal.
489
+
490
+ **PR risk score:**
491
+ Single `risk_score: 0–100` from: blast radius of changed classes + test coverage + transactional boundaries touched + security surface changes. CI gate in one field.
492
+
493
+ **Dead code confidence:**
494
+ Combine git recency + zero import edges + no test pair → confidence-scored dead code. Flat list vs scored list — the latter is actionable.
495
+
496
+ **Security surface change detection:**
497
+ Flag when a PR modifies a class in the security filter chain or a direct caller of security-annotated endpoints.
498
+
499
+ **Transactional lineage:**
500
+ For each `@Transactional` class, show which JPA entities and queries it coordinates. Critical for data corruption bug triage.
501
+
502
+ ---
503
+
504
+ ## 17. Final Verdict
505
+
506
+ | Dimension | Rating |
507
+ |-----------|--------|
508
+ | Core correctness (interface targets) | ✓ Strong |
509
+ | Core correctness (impl targets) | ✗ P0 bug |
510
+ | Performance | ✓ Acceptable |
511
+ | Boundedness (compact/agent) | ✓ Solid |
512
+ | Boundedness (repo-ir) | ✗ Broken |
513
+ | LLM readiness | ✓ With caveats |
514
+ | CLI surface coherence | ~ Mixed |
515
+ | Market differentiation | ✓ Real |
516
+ | Documentation accuracy | ~ Mostly accurate |
517
+ | Verdict | **trust with caveats** |
518
+
519
+ **Safe to use for:**
520
+ - Onboarding new engineers/agents (`onboard`)
521
+ - PR review context (`review-pr`)
522
+ - Bug triage with specific symptoms (`fix-bug --symptom "..."`)
523
+ - Interface impact analysis
524
+
525
+ **Not safe without knowing limits:**
526
+ - `impact ClassName` when ClassName is a Spring impl
527
+ - `repo-ir` without `--summary-only`
528
+ - `no_security_signal` as a real security indicator
529
+ - `hotspot_candidates` as a completeness signal
530
+
531
+ **Monetizable today:**
532
+ - `review-pr --format github-comment` as a GitHub Action
533
+ - `impact` on interface classes as a pre-commit/pre-PR tool
534
+ - `fix-bug` for symptom-driven triage in support scenarios
535
+ - `onboard` as first-prompt injection for AI coding agents
536
+
537
+ **Not yet monetizable without fix:**
538
+ - "AI-ready change intelligence" claim needs P0 fix
539
+ - "Know what breaks before you touch it" needs reliable impl-class impact
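Review bot: In section 9, the BUG-P2-03 fix (repeated as item 6 in section 15) switches `no_security_signal` to `security_model: "filter_based"` as soon as a `WebSecurityConfigurerAdapter`, `SecurityConfig` or custom `Filter` impl is detected, but finding such a class does not show which of the 693 or 130 endpoints the filter chain actually covers, so the new value can be read as "secured" where the old one at least read as "no signal". Suggest keeping an explicit per-endpoint unverified state next to the model name, and rewording "all endpoints flagged despite being secured" unless coverage was actually checked. Separately, several figures in this file disagree with each other and should be reconciled or sourced: the token table in section 5 lists Broadleaf `fix-bug` (trimmed) at 27,653 against ~24,500 raw before trim; section 10 says 24% of Broadleaf endpoints are non-REST, while section 4 counts 58 colon paths plus 20 FQN paths out of 130; section 6 states the impact claim breaks for "95% of developer queries" with no measurement shown; and item 17 in section 15 quotes only the 1000-3000 claim, although section 7 records the README as saying 2000–4000.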