sourcecode 1.33.24__tar.gz → 1.35.0__tar.gz

{sourcecode-1.33.24 → sourcecode-1.35.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.33.24
+Version: 1.35.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.33.24-blue)
+![Version](https://img.shields.io/badge/version-1.35.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.33.24 → sourcecode-1.35.0}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.33.24-blue)
+![Version](https://img.shields.io/badge/version-1.35.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.33.24 → sourcecode-1.35.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.33.24"
+version = "1.35.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.33.24"
+__version__ = "1.35.0"

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/cli.py

@@ -223,6 +223,8 @@ _SUBCOMMANDS: frozenset[str] = frozenset(
         "cache",
         # RIS bootstrap
         "cold-start",
+        # Spring semantic audit
+        "spring-audit",
     }
 )
 
@@ -3697,6 +3699,174 @@ def endpoints_cmd(
     _nudge()
 
 
+# ── Spring Semantic Audit ─────────────────────────────────────────────────────
+
+@app.command("spring-audit")
+def spring_audit_cmd(
+    path: Path = typer.Argument(
+        Path("."),
+        help="Repository path to audit (default: current directory)",
+    ),
+    output_path: Optional[Path] = typer.Option(
+        None, "--output", "-o",
+        help="Write output to a file instead of stdout.",
+    ),
+    format: str = typer.Option(
+        "json",
+        "--format",
+        "-f",
+        help="Output format: json (default) or yaml.",
+        show_default=True,
+    ),
+    copy: bool = typer.Option(
+        False,
+        "--copy",
+        "-c",
+        help="Copy output to system clipboard after a successful run.",
+    ),
+    scope: str = typer.Option(
+        "all",
+        "--scope",
+        "-s",
+        help="Audit scope: all (default), tx, or security.",
+        show_default=True,
+    ),
+    min_severity: str = typer.Option(
+        "low",
+        "--min-severity",
+        help="Minimum severity to include: critical, high, medium, or low (default).",
+        show_default=True,
+    ),
+) -> None:
+    """Spring semantic audit: TX anomalies (TX-001..005) + security surface (SEC-001..003).
+
+    \b
+    Detects:
+      TX-001  @Transactional on private/final method (CGLIB proxy bypass)
+      TX-002  REQUIRES_NEW nested in REQUIRED call chain
+      TX-003  readOnly=true boundary propagating to write operation
+      TX-004  NOT_SUPPORTED/NEVER within active TX chain
+      TX-005  Exception swallowing inside @Transactional
+      SEC-001 Unsecured endpoint in annotation_based security model
+      SEC-002 CVE-2025-41248: @PreAuthorize on inherited method from generic supertype
+      SEC-003 @Transactional on @Controller/@RestController (TX in wrong layer)
+
+    \b
+    Examples:
+      sourcecode spring-audit .
+      sourcecode spring-audit /path/to/repo
+      sourcecode spring-audit . --scope security
+      sourcecode spring-audit . --min-severity high
+      sourcecode spring-audit . --output audit.json
+    """
+    import json as _json
+
+    from sourcecode.repository_ir import find_java_files
+    from sourcecode.canonical_ir import build_canonical_ir
+    from sourcecode.spring_findings import SpringAuditResult, SpringFinding
+    from sourcecode.spring_tx_analyzer import run_tx_audit
+    from sourcecode.spring_security_audit import run_security_audit
+    from sourcecode.spring_semantic import build_tx_index
+
+    target = path.resolve()
+    if not target.exists() or not target.is_dir():
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"'{target}' is not a valid directory.",
+            path=str(target),
+            hint="Pass an existing repository directory.",
+            expected="A directory path.",
+        )
+        raise typer.Exit(code=1)
+
+    if scope not in ("all", "tx", "security"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid scope '{scope}'.",
+            hint="scope must be one of: all, tx, security.",
+            expected="all | tx | security",
+        )
+        raise typer.Exit(code=1)
+
+    if min_severity not in ("critical", "high", "medium", "low"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid min-severity '{min_severity}'.",
+            hint="min-severity must be one of: critical, high, medium, low.",
+            expected="critical | high | medium | low",
+        )
+        raise typer.Exit(code=1)
+
+    file_list = find_java_files(target)
+    if not file_list:
+        data = SpringAuditResult(
+            spring_detected=False,
+            scope=scope,
+            limitations=["No Java files found in repository — Spring audit requires Java source."],
+            metadata={"java_files_found": 0},
+        ).finalize().to_dict()
+        output = _serialize_dict(data, format)
+        if output_path is not None:
+            output_path.write_text(output, encoding="utf-8")
+            typer.echo("Spring audit written to " + str(output_path), err=True)
+        else:
+            sys.stdout.buffer.write(output.encode("utf-8"))
+            sys.stdout.buffer.write(b"\n")
+            sys.stdout.buffer.flush()
+        return
+
+    cir = build_canonical_ir(file_list, target)
+    tx_idx = build_tx_index(cir)
+
+    results: list[SpringAuditResult] = []
+    if scope in ("all", "tx"):
+        results.append(run_tx_audit(cir, root=target, min_severity=min_severity))
+    if scope in ("all", "security"):
+        results.append(run_security_audit(cir, root=target, min_severity=min_severity, tx_index=tx_idx))
+
+    if len(results) == 1:
+        combined = results[0]
+    else:
+        all_findings: list[SpringFinding] = []
+        all_limitations: list[str] = []
+        merged_meta: dict = {}
+        for r in results:
+            all_findings.extend(r.findings)
+            all_limitations.extend(r.limitations)
+            merged_meta.update(r.metadata)
+        combined = SpringAuditResult(
+            repo_id=results[0].repo_id,
+            spring_detected=any(r.spring_detected for r in results),
+            scope="all",
+            findings=all_findings,
+            limitations=all_limitations,
+            metadata=merged_meta,
+        ).finalize()
+
+    data = combined.to_dict()
+
+    # Non-fatal RIS side-effect — persist summary only (not full findings).
+    try:
+        from sourcecode.ris import update_ris_spring_audit as _ris_sa
+        _ris_sa(target, data)
+    except Exception:
+        pass
+
+    output = _serialize_dict(data, format)
+
+    if output_path is not None:
+        output_path.write_text(output, encoding="utf-8")
+        total = combined.summary.get("total_findings", 0)
+        typer.echo(f"Spring audit written to {output_path} ({total} findings)", err=True)
+    else:
+        sys.stdout.buffer.write(output.encode("utf-8"))
+        sys.stdout.buffer.write(b"\n")
+        sys.stdout.buffer.flush()
+        if copy:
+            if _copy_to_clipboard(output):
+                typer.echo("✓ copied to clipboard", err=True)
+
+
 # ── Enterprise Workflow Commands ──────────────────────────────────────────────
 #
 # These are the five canonical enterprise workflows.  Each is a thin wrapper

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/mcp/server.py

@@ -614,6 +614,41 @@ def get_endpoints(repo_path: str = ".") -> dict:
         )
 
 
+@mcp.tool()
+def get_spring_audit(repo_path: str = ".", scope: str = "all") -> dict:
+    """Spring semantic audit: TX anomalies + security surface findings. JAVA/SPRING ONLY.
+
+    Do NOT call this on non-Java repositories — it will return spring_detected=false.
+
+    Maps to: sourcecode spring-audit <repo_path> --scope <scope>
+    Returns: SpringAuditResult with schema_version, spring_detected, scope, summary,
+             findings list (id, pattern_id, category, severity, confidence, title,
+             symbol, source_file, evidence, explanation, fix_hint), limitations, metadata.
+    Patterns: TX-001..005 (transaction anomalies), SEC-001..003 (security surface).
+    scope: "all" (default) | "tx" | "security".
+    repo_path: absolute path to the Java repository (default: current working directory).
+    """
+    _raw = repo_path
+    try:
+        if not isinstance(repo_path, str):
+            return _err("repo_path must be a string", "INVALID_ARGUMENT")
+        if scope not in ("all", "tx", "security"):
+            return _err(
+                f"Invalid scope '{scope}' — must be one of: all, tx, security",
+                "INVALID_ARGUMENT",
+            )
+        repo_path = _normalize_repo_path(repo_path)
+        _path_err = _check_repo_path(repo_path)
+        if _path_err is not None:
+            return _path_err
+        return _execute(["spring-audit", repo_path, "--scope", scope])
+    except Exception as exc:
+        return _err(
+            f"Internal error: {type(exc).__name__}: {exc} — repo_path recibido: {_raw}",
+            "INTERNAL_ERROR",
+        )
+
+
 @mcp.tool()
 def get_module_context(repo_path: str = ".", module: str = "") -> dict:
     """Compact analysis of a specific module or subdirectory within a repository.

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/prepare_context.py

@@ -864,6 +864,10 @@ _SYMPTOM_STOP_WORDS: frozenset[str] = frozenset({
     "error", "issue", "problem", "bug",
     "from", "into", "via", "due", "also", "after", "before",
     "slow", "fast", "new", "old",
+    # Diagnostic abbreviations — too ubiquitous in comments/javadoc to be useful
+    # as path/content signals (e.g. "npe" matches "NPE" in thousands of comments).
+    "npe", "oom", "oob", "iae", "ise", "npe", "cce", "aioobe",
+    "exception", "throwable", "stacktrace",
 })
 
 # Repo-scale threshold: above this file count, use stricter injection logic.
@@ -2363,6 +2367,26 @@ class TaskContextBuilder:
                 if _is_large_repo and len(relevant_files) > 40:
                     relevant_files = relevant_files[:40]
 
+                # Score normalization: prevent all-1.0 saturation when many files
+                # accumulate enough boost to hit the cap.  Normalize display scores
+                # relative to max raw signal so the ranked gradient is preserved.
+                _norm_max = max(
+                    (_raw_signals.get(rf.path, rf.score) for rf in relevant_files),
+                    default=1.0,
+                ) or 1.0
+                if _norm_max > 1.0:
+                    relevant_files = [
+                        RelevantFile(
+                            path=rf.path,
+                            role=rf.role,
+                            score=round(min(_raw_signals.get(rf.path, rf.score) / _norm_max, 1.0), 3),
+                            reason=rf.reason,
+                            why=rf.why,
+                            tier=rf.tier,
+                        )
+                        for rf in relevant_files
+                    ]
+
                 # Synonym note (only when synonyms actually fired)
                 if _frontend_kws and _sx_synonyms:
                     symptom_note = (
@@ -2491,12 +2515,27 @@ class TaskContextBuilder:
                     key=lambda x: -(x["public_method_count"] * (1.5 if x["has_framework_annotations"] else 1.0))
                 )
                 _top = _java_candidates if all_gaps else _java_candidates[:20]
+                _max_rank = max(
+                    (c["public_method_count"] * (1.5 if c["has_framework_annotations"] else 1.0)
+                     for c in _java_candidates),
+                    default=1.0,
+                ) or 1.0
                 test_gaps = [
                     {
                         "path": c["path"],
                         "public_method_count": c["public_method_count"],
                         "has_framework_annotations": c["has_framework_annotations"],
                         "rank_score": round(c["public_method_count"] * (1.5 if c["has_framework_annotations"] else 1.0), 1),
+                        "score": round(min(
+                            c["public_method_count"] * (1.5 if c["has_framework_annotations"] else 1.0) / _max_rank,
+                            1.0,
+                        ), 3),
+                        "reason": (
+                            (f"{c['public_method_count']} public method{'s' if c['public_method_count'] != 1 else ''}; "
+                             if c["public_method_count"] else "")
+                            + ("has Spring/Jakarta framework annotations" if c["has_framework_annotations"]
+                               else "no test coverage detected")
+                        ).strip("; ") or "untested source file",
                     }
                     for c in _top
                 ]

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/relevance_scorer.py

@@ -88,6 +88,31 @@ _AUXILIARY_DIR_PATTERNS: list[re.Pattern[str]] = [
     re.compile(r"(?:^|/)stories(?:/|$)"),
 ]
 
+# JVM source roots: path components below these are package namespaces, not
+# functional directories. "com/example/foo" must not match the "example"
+# auxiliary-dir pattern just because "example" is a package name component.
+_JVM_SRC_ROOTS: tuple[str, ...] = (
+    "src/main/java/", "src/test/java/",
+    "src/main/kotlin/", "src/test/kotlin/",
+    "src/main/scala/", "src/test/scala/",
+    "src/integration-test/java/", "src/integrationTest/java/",
+)
+
+
+def _jvm_strip_path(path: str) -> str:
+    """Return the path segment used for auxiliary-dir pattern matching.
+
+    For JVM source trees the package path below the source root is a namespace,
+    not a functional directory hierarchy.  Truncate at the source root so that
+    package components like 'example' in com.example.* don't false-match
+    _AUXILIARY_DIR_PATTERNS entries.
+    """
+    for root in _JVM_SRC_ROOTS:
+        idx = path.find(root)
+        if idx >= 0:
+            return path[: idx + len(root)]
+    return path
+
 # Test file patterns — scored low, excluded from default contract output
 _TEST_FILE_PATTERNS: tuple[str, ...] = (
     "_test.", ".test.", ".spec.", "test_", "conftest", "_spec.",
@@ -221,7 +246,7 @@ class RelevanceScorer:
         return self._is_auxiliary(path.replace("\\", "/"))
 
     def _is_auxiliary(self, norm: str) -> bool:
-        return any(p.search(norm) for p in _AUXILIARY_DIR_PATTERNS)
+        return any(p.search(_jvm_strip_path(norm)) for p in _AUXILIARY_DIR_PATTERNS)
 
     def package_role(self, path: str) -> str:
         """Return the monorepo package role for this path, or empty string."""

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/repository_ir.py

@@ -238,6 +238,14 @@ _LOMBOK_CTOR_ANNOTATIONS: frozenset[str] = frozenset({
     "@AllArgsConstructor",       # injects all non-static fields
 })
 
+# Transaction annotations whose args must be captured for semantic analysis.
+_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional"})
+
+# Combined set used in _extract_symbols annotation-value capture.
+_CAPTURE_ANN_ARGS: frozenset[str] = (
+    _ENDPOINT_ANNOTATIONS | _PERMISSION_ANNOTATIONS | _PATH_ANNOTATIONS | _TX_ANNOTATIONS
+)
+
 _JAVA_ROLE_MAP: dict[str, str] = {
     # Spring MVC / Spring Boot
     "@RestController": "controller",
@@ -563,7 +571,7 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
                 ann_args = ann_m.group(2) or ""
                 if ann not in pending_anns:
                     pending_anns.append(ann)
-                if ann_args and (ann in _ENDPOINT_ANNOTATIONS or ann in _PERMISSION_ANNOTATIONS or ann in _PATH_ANNOTATIONS):
+                if ann_args and ann in _CAPTURE_ANN_ARGS:
                     # P1 fix: attempt to resolve constant expressions before storing.
                     # Transforms '"/" + SECTION_KEY' → '"/category"' when constant
                     # is defined in this file. Falls back to original if unresolvable.
@@ -2234,6 +2242,9 @@ def _assemble(
             "role": spring_role_map.get(s.symbol, "other"),
             "in_degree": in_deg.get(s.symbol, 0),
             "out_degree": out_deg.get(s.symbol, 0),
+            "annotations": list(s.annotations),
+            "annotation_values": dict(s.annotation_values),
+            "modifiers": list(s.modifiers),
         }
         for s in sorted_syms
     ]

{sourcecode-1.33.24 → sourcecode-1.35.0}/src/sourcecode/ris.py

@@ -275,6 +275,53 @@ def maybe_update_ris(repo_root: Path, core_dict: dict, git_head: str) -> None:
         pass
 
 
+def update_ris_spring_audit(repo_root: Path, audit_result: dict) -> None:
+    """Persist spring-audit summary into the RIS metadata section.
+
+    Stores summary-only snapshot (no full findings) in metadata["spring_audit"].
+    Called from spring_audit_cmd after a successful run.  Never raises.
+    """
+    try:
+        if not isinstance(audit_result, dict):
+            return
+        summary = audit_result.get("summary") or {}
+        existing = load_ris(repo_root)
+        if existing is None:
+            from sourcecode.cache import repo_id as _repo_id_fn
+            now = _now_iso()
+            existing = RepositoryIntelligenceSnapshot(
+                repo_id=_repo_id_fn(repo_root),
+                created_at=now,
+                last_updated_at=now,
+                git_head="",
+                version=RIS_SCHEMA_VERSION,
+                structural_map={},
+                api_surface={},
+                dependency_graph={},
+                compact_summary={},
+                agent_index={},
+                git_context_snapshot={},
+                metadata={"snapshot_source": "existing_snapshot_system", "confidence": 0.0, "partial": True},
+            )
+
+        spring_audit_cache = {
+            "total_findings": summary.get("total_findings", 0),
+            "by_severity": summary.get("by_severity", {}),
+            "by_category": summary.get("by_category", {}),
+            "confidence_level": summary.get("confidence_level", ""),
+            "scope": audit_result.get("scope", "all"),
+            "spring_detected": audit_result.get("spring_detected", False),
+            "last_run_at": audit_result.get("generated_at", _now_iso()),
+        }
+        updated_meta = {**existing.metadata, "spring_audit": spring_audit_cache}
+        updated = RepositoryIntelligenceSnapshot(
+            **{**existing.__dict__, "metadata": updated_meta, "last_updated_at": _now_iso()}
+        )
+        save_ris(repo_root, updated)
+    except Exception:
+        pass
+
+
 def update_ris_api_surface(repo_root: Path, endpoints_data: dict) -> None:
     """Update the api_surface section from an ``endpoints`` command output.
 
@@ -422,7 +469,9 @@ def get_cold_start_context(repo_root: Path) -> dict:
         if _validation_status == "incomplete_snapshot" and not stale:
             _status_base = "cold_start_incomplete"
 
+        _compact = ris.compact_summary or {}
         result: dict = {
+            "schema_version": "1.1",
             "status": _status_base,
             "repo_id": ris.repo_id,
             "git_head": ris.git_head,
@@ -433,7 +482,10 @@ def get_cold_start_context(repo_root: Path) -> dict:
             "cache_source": "RIS",
             "data_scope": "RIS_BOOTSTRAP",
             "api_surface_complete": _api_complete,
-            "summary": ris.compact_summary,
+            # Backward-compat alias: old consumers read cold-start.project_type directly.
+            # New consumers should use cold-start.summary.project_type.
+            "project_type": _compact.get("project_type"),
+            "summary": _compact,
             "entrypoints": ris.structural_map.get("entrypoints", []),
             "endpoints": endpoints,
             "hotspots": ris.git_context_snapshot.get("hotspots", []),

sourcecode-1.35.0/src/sourcecode/spring_findings.py

@@ -0,0 +1,130 @@
+"""spring_findings.py — Shared finding schema for Spring semantic audit.
+
+SpringFinding is the canonical output unit.
+SpringAuditResult is the top-level envelope returned by CLI and MCP.
+
+IDs are deterministic: same symbol + pattern → same ID across runs.
+"""
+from __future__ import annotations
+
+import hashlib
+import time
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Optional
+
+
+# ---------------------------------------------------------------------------
+# SpringFinding
+# ---------------------------------------------------------------------------
+
+@dataclass
+class SpringFinding:
+    """Single audit finding — one anomaly in one symbol."""
+
+    id: str                         # deterministic: "{pattern_id}-{symbol_hash[:12]}"
+    pattern_id: str                 # "TX-001", "SEC-001", ...
+    category: str                   # "tx" | "security"
+    severity: str                   # "critical" | "high" | "medium" | "low"
+    confidence: str                 # "high" | "medium" | "low"
+    title: str
+    symbol: str                     # FQN of affected symbol
+    source_file: str
+    evidence: dict                  # pattern-specific structured evidence
+    explanation: str                # 2-3 sentences: what + why it matters
+    fix_hint: str                   # one actionable sentence
+    limitations: list[str] = field(default_factory=list)
+    related_symbols: list[str] = field(default_factory=list)
+
+    @staticmethod
+    def make_id(pattern_id: str, symbol: str) -> str:
+        h = hashlib.sha256(f"{pattern_id}:{symbol}".encode()).hexdigest()[:12]
+        return f"{pattern_id}-{h}"
+
+    def to_dict(self) -> dict:
+        d: dict = {
+            "id": self.id,
+            "pattern_id": self.pattern_id,
+            "category": self.category,
+            "severity": self.severity,
+            "confidence": self.confidence,
+            "title": self.title,
+            "symbol": self.symbol,
+            "source_file": self.source_file,
+            "evidence": self.evidence,
+            "explanation": self.explanation,
+            "fix_hint": self.fix_hint,
+        }
+        if self.limitations:
+            d["limitations"] = self.limitations
+        if self.related_symbols:
+            d["related_symbols"] = self.related_symbols
+        return d
+
+
+# ---------------------------------------------------------------------------
+# SpringAuditResult
+# ---------------------------------------------------------------------------
+
+@dataclass
+class SpringAuditResult:
+    """Top-level envelope returned by spring-audit command and MCP tool."""
+
+    schema_version: str = "1.0"
+    repo_id: str = ""
+    git_head: str = ""
+    generated_at: str = ""
+    spring_detected: bool = False
+    scope: str = "all"              # "all" | "tx" | "security"
+    findings: list[SpringFinding] = field(default_factory=list)
+    limitations: list[str] = field(default_factory=list)
+    metadata: dict = field(default_factory=dict)
+
+    # Populated by finalize()
+    summary: dict = field(default_factory=dict)
+
+    def finalize(self) -> "SpringAuditResult":
+        """Compute summary stats. Call after all findings are added."""
+        if not self.generated_at:
+            self.generated_at = datetime.now(timezone.utc).isoformat()
+
+        by_severity: dict[str, int] = {
+            "critical": 0, "high": 0, "medium": 0, "low": 0
+        }
+        by_category: dict[str, int] = {}
+        for f in self.findings:
+            by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
+            by_category[f.category] = by_category.get(f.category, 0) + 1
+
+        # Overall confidence: lowest confidence of any high/critical finding
+        high_findings = [f for f in self.findings if f.severity in ("high", "critical")]
+        if not high_findings:
+            conf_level = "high"
+        elif all(f.confidence == "high" for f in high_findings):
+            conf_level = "high"
+        elif any(f.confidence == "low" for f in high_findings):
+            conf_level = "low"
+        else:
+            conf_level = "medium"
+
+        self.summary = {
+            "total_findings": len(self.findings),
+            "by_severity": by_severity,
+            "by_category": by_category,
+            "confidence_level": conf_level,
+        }
+        return self
+
+    def to_dict(self) -> dict:
+        return {
+            "schema_version": self.schema_version,
+            "repo_id": self.repo_id,
+            "git_head": self.git_head,
+            "generated_at": self.generated_at,
+            "spring_detected": self.spring_detected,
+            "scope": self.scope,
+            "summary": self.summary,
+            "findings": [f.to_dict() for f in self.findings],
+            "limitations": self.limitations,
+            "metadata": self.metadata,
+        }