PyPI - sourcecode - Versions diffs - 1.33.25__tar.gz → 1.35.0__tar.gz - Mend

sourcecode 1.33.25tar.gz → 1.35.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

{sourcecode-1.33.25 → sourcecode-1.35.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.33.25
+Version: 1.35.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
-![Version](https://img.shields.io/badge/version-1.33.25-blue)
+![Version](https://img.shields.io/badge/version-1.35.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 ---

{sourcecode-1.33.25 → sourcecode-1.35.0}/README.md RENAMED Viewed

@@ -2,7 +2,7 @@
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
-![Version](https://img.shields.io/badge/version-1.33.25-blue)
+![Version](https://img.shields.io/badge/version-1.35.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 ---

{sourcecode-1.33.25 → sourcecode-1.35.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "sourcecode"
-version = "1.33.25"
+version = "1.35.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.33.25 → sourcecode-1.35.0}/src/sourcecode/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
-__version__ = "1.33.25"
+__version__ = "1.35.0"

{sourcecode-1.33.25 → sourcecode-1.35.0}/src/sourcecode/cli.py RENAMED Viewed

@@ -223,6 +223,8 @@ _SUBCOMMANDS: frozenset[str] = frozenset(
         "cache",
         # RIS bootstrap
         "cold-start",
+        # Spring semantic audit
+        "spring-audit",
     }
 )
@@ -3697,6 +3699,174 @@ def endpoints_cmd(
     _nudge()
+# ── Spring Semantic Audit ─────────────────────────────────────────────────────
+@app.command("spring-audit")
+def spring_audit_cmd(
+    path: Path = typer.Argument(
+        Path("."),
+        help="Repository path to audit (default: current directory)",
+    ),
+    output_path: Optional[Path] = typer.Option(
+        None, "--output", "-o",
+        help="Write output to a file instead of stdout.",
+    ),
+    format: str = typer.Option(
+        "json",
+        "--format",
+        "-f",
+        help="Output format: json (default) or yaml.",
+        show_default=True,
+    ),
+    copy: bool = typer.Option(
+        False,
+        "--copy",
+        "-c",
+        help="Copy output to system clipboard after a successful run.",
+    ),
+    scope: str = typer.Option(
+        "all",
+        "--scope",
+        "-s",
+        help="Audit scope: all (default), tx, or security.",
+        show_default=True,
+    ),
+    min_severity: str = typer.Option(
+        "low",
+        "--min-severity",
+        help="Minimum severity to include: critical, high, medium, or low (default).",
+        show_default=True,
+    ),
+) -> None:
+    """Spring semantic audit: TX anomalies (TX-001..005) + security surface (SEC-001..003).
+    \b
+    Detects:
+      TX-001  @Transactional on private/final method (CGLIB proxy bypass)
+      TX-002  REQUIRES_NEW nested in REQUIRED call chain
+      TX-003  readOnly=true boundary propagating to write operation
+      TX-004  NOT_SUPPORTED/NEVER within active TX chain
+      TX-005  Exception swallowing inside @Transactional
+      SEC-001 Unsecured endpoint in annotation_based security model
+      SEC-002 CVE-2025-41248: @PreAuthorize on inherited method from generic supertype
+      SEC-003 @Transactional on @Controller/@RestController (TX in wrong layer)
+    \b
+    Examples:
+      sourcecode spring-audit .
+      sourcecode spring-audit /path/to/repo
+      sourcecode spring-audit . --scope security
+      sourcecode spring-audit . --min-severity high
+      sourcecode spring-audit . --output audit.json
+    """
+    import json as _json
+    from sourcecode.repository_ir import find_java_files
+    from sourcecode.canonical_ir import build_canonical_ir
+    from sourcecode.spring_findings import SpringAuditResult, SpringFinding
+    from sourcecode.spring_tx_analyzer import run_tx_audit
+    from sourcecode.spring_security_audit import run_security_audit
+    from sourcecode.spring_semantic import build_tx_index
+    target = path.resolve()
+    if not target.exists() or not target.is_dir():
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"'{target}' is not a valid directory.",
+            path=str(target),
+            hint="Pass an existing repository directory.",
+            expected="A directory path.",
+        )
+        raise typer.Exit(code=1)
+    if scope not in ("all", "tx", "security"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid scope '{scope}'.",
+            hint="scope must be one of: all, tx, security.",
+            expected="all | tx | security",
+        )
+        raise typer.Exit(code=1)
+    if min_severity not in ("critical", "high", "medium", "low"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid min-severity '{min_severity}'.",
+            hint="min-severity must be one of: critical, high, medium, low.",
+            expected="critical | high | medium | low",
+        )
+        raise typer.Exit(code=1)
+    file_list = find_java_files(target)
+    if not file_list:
+        data = SpringAuditResult(
+            spring_detected=False,
+            scope=scope,
+            limitations=["No Java files found in repository — Spring audit requires Java source."],
+            metadata={"java_files_found": 0},
+        ).finalize().to_dict()
+        output = _serialize_dict(data, format)
+        if output_path is not None:
+            output_path.write_text(output, encoding="utf-8")
+            typer.echo("Spring audit written to " + str(output_path), err=True)
+        else:
+            sys.stdout.buffer.write(output.encode("utf-8"))
+            sys.stdout.buffer.write(b"\n")
+            sys.stdout.buffer.flush()
+        return
+    cir = build_canonical_ir(file_list, target)
+    tx_idx = build_tx_index(cir)
+    results: list[SpringAuditResult] = []
+    if scope in ("all", "tx"):
+        results.append(run_tx_audit(cir, root=target, min_severity=min_severity))
+    if scope in ("all", "security"):
+        results.append(run_security_audit(cir, root=target, min_severity=min_severity, tx_index=tx_idx))
+    if len(results) == 1:
+        combined = results[0]
+    else:
+        all_findings: list[SpringFinding] = []
+        all_limitations: list[str] = []
+        merged_meta: dict = {}
+        for r in results:
+            all_findings.extend(r.findings)
+            all_limitations.extend(r.limitations)
+            merged_meta.update(r.metadata)
+        combined = SpringAuditResult(
+            repo_id=results[0].repo_id,
+            spring_detected=any(r.spring_detected for r in results),
+            scope="all",
+            findings=all_findings,
+            limitations=all_limitations,
+            metadata=merged_meta,
+        ).finalize()
+    data = combined.to_dict()
+    # Non-fatal RIS side-effect — persist summary only (not full findings).
+    try:
+        from sourcecode.ris import update_ris_spring_audit as _ris_sa
+        _ris_sa(target, data)
+    except Exception:
+        pass
+    output = _serialize_dict(data, format)
+    if output_path is not None:
+        output_path.write_text(output, encoding="utf-8")
+        total = combined.summary.get("total_findings", 0)
+        typer.echo(f"Spring audit written to {output_path} ({total} findings)", err=True)
+    else:
+        sys.stdout.buffer.write(output.encode("utf-8"))
+        sys.stdout.buffer.write(b"\n")
+        sys.stdout.buffer.flush()
+        if copy:
+            if _copy_to_clipboard(output):
+                typer.echo("✓ copied to clipboard", err=True)
 # ── Enterprise Workflow Commands ──────────────────────────────────────────────
 #
 # These are the five canonical enterprise workflows.  Each is a thin wrapper

{sourcecode-1.33.25 → sourcecode-1.35.0}/src/sourcecode/mcp/server.py RENAMED Viewed

@@ -614,6 +614,41 @@ def get_endpoints(repo_path: str = ".") -> dict:
         )
+@mcp.tool()
+def get_spring_audit(repo_path: str = ".", scope: str = "all") -> dict:
+    """Spring semantic audit: TX anomalies + security surface findings. JAVA/SPRING ONLY.
+    Do NOT call this on non-Java repositories — it will return spring_detected=false.
+    Maps to: sourcecode spring-audit <repo_path> --scope <scope>
+    Returns: SpringAuditResult with schema_version, spring_detected, scope, summary,
+             findings list (id, pattern_id, category, severity, confidence, title,
+             symbol, source_file, evidence, explanation, fix_hint), limitations, metadata.
+    Patterns: TX-001..005 (transaction anomalies), SEC-001..003 (security surface).
+    scope: "all" (default) | "tx" | "security".
+    repo_path: absolute path to the Java repository (default: current working directory).
+    """
+    _raw = repo_path
+    try:
+        if not isinstance(repo_path, str):
+            return _err("repo_path must be a string", "INVALID_ARGUMENT")
+        if scope not in ("all", "tx", "security"):
+            return _err(
+                f"Invalid scope '{scope}' — must be one of: all, tx, security",
+                "INVALID_ARGUMENT",
+            )
+        repo_path = _normalize_repo_path(repo_path)
+        _path_err = _check_repo_path(repo_path)
+        if _path_err is not None:
+            return _path_err
+        return _execute(["spring-audit", repo_path, "--scope", scope])
+    except Exception as exc:
+        return _err(
+            f"Internal error: {type(exc).__name__}: {exc} — repo_path recibido: {_raw}",
+            "INTERNAL_ERROR",
+        )
 @mcp.tool()
 def get_module_context(repo_path: str = ".", module: str = "") -> dict:
     """Compact analysis of a specific module or subdirectory within a repository.

{sourcecode-1.33.25 → sourcecode-1.35.0}/src/sourcecode/repository_ir.py RENAMED Viewed

@@ -238,6 +238,14 @@ _LOMBOK_CTOR_ANNOTATIONS: frozenset[str] = frozenset({
     "@AllArgsConstructor",       # injects all non-static fields
 })
+# Transaction annotations whose args must be captured for semantic analysis.
+_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional"})
+# Combined set used in _extract_symbols annotation-value capture.
+_CAPTURE_ANN_ARGS: frozenset[str] = (
+    _ENDPOINT_ANNOTATIONS | _PERMISSION_ANNOTATIONS | _PATH_ANNOTATIONS | _TX_ANNOTATIONS
+)
 _JAVA_ROLE_MAP: dict[str, str] = {
     # Spring MVC / Spring Boot
     "@RestController": "controller",
@@ -563,7 +571,7 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
                 ann_args = ann_m.group(2) or ""
                 if ann not in pending_anns:
                     pending_anns.append(ann)
-                if ann_args and (ann in _ENDPOINT_ANNOTATIONS or ann in _PERMISSION_ANNOTATIONS or ann in _PATH_ANNOTATIONS):
+                if ann_args and ann in _CAPTURE_ANN_ARGS:
                     # P1 fix: attempt to resolve constant expressions before storing.
                     # Transforms '"/" + SECTION_KEY' → '"/category"' when constant
                     # is defined in this file. Falls back to original if unresolvable.
@@ -2234,6 +2242,9 @@ def _assemble(
             "role": spring_role_map.get(s.symbol, "other"),
             "in_degree": in_deg.get(s.symbol, 0),
             "out_degree": out_deg.get(s.symbol, 0),
+            "annotations": list(s.annotations),
+            "annotation_values": dict(s.annotation_values),
+            "modifiers": list(s.modifiers),
         }
         for s in sorted_syms
     ]

{sourcecode-1.33.25 → sourcecode-1.35.0}/src/sourcecode/ris.py RENAMED Viewed

@@ -275,6 +275,53 @@ def maybe_update_ris(repo_root: Path, core_dict: dict, git_head: str) -> None:
         pass
+def update_ris_spring_audit(repo_root: Path, audit_result: dict) -> None:
+    """Persist spring-audit summary into the RIS metadata section.
+    Stores summary-only snapshot (no full findings) in metadata["spring_audit"].
+    Called from spring_audit_cmd after a successful run.  Never raises.
+    """
+    try:
+        if not isinstance(audit_result, dict):
+            return
+        summary = audit_result.get("summary") or {}
+        existing = load_ris(repo_root)
+        if existing is None:
+            from sourcecode.cache import repo_id as _repo_id_fn
+            now = _now_iso()
+            existing = RepositoryIntelligenceSnapshot(
+                repo_id=_repo_id_fn(repo_root),
+                created_at=now,
+                last_updated_at=now,
+                git_head="",
+                version=RIS_SCHEMA_VERSION,
+                structural_map={},
+                api_surface={},
+                dependency_graph={},
+                compact_summary={},
+                agent_index={},
+                git_context_snapshot={},
+                metadata={"snapshot_source": "existing_snapshot_system", "confidence": 0.0, "partial": True},
+            )
+        spring_audit_cache = {
+            "total_findings": summary.get("total_findings", 0),
+            "by_severity": summary.get("by_severity", {}),
+            "by_category": summary.get("by_category", {}),
+            "confidence_level": summary.get("confidence_level", ""),
+            "scope": audit_result.get("scope", "all"),
+            "spring_detected": audit_result.get("spring_detected", False),
+            "last_run_at": audit_result.get("generated_at", _now_iso()),
+        }
+        updated_meta = {**existing.metadata, "spring_audit": spring_audit_cache}
+        updated = RepositoryIntelligenceSnapshot(
+            **{**existing.__dict__, "metadata": updated_meta, "last_updated_at": _now_iso()}
+        )
+        save_ris(repo_root, updated)
+    except Exception:
+        pass
 def update_ris_api_surface(repo_root: Path, endpoints_data: dict) -> None:
     """Update the api_surface section from an ``endpoints`` command output.

sourcecode-1.35.0/src/sourcecode/spring_findings.py ADDED Viewed

@@ -0,0 +1,130 @@
+"""spring_findings.py — Shared finding schema for Spring semantic audit.
+SpringFinding is the canonical output unit.
+SpringAuditResult is the top-level envelope returned by CLI and MCP.
+IDs are deterministic: same symbol + pattern → same ID across runs.
+"""
+from __future__ import annotations
+import hashlib
+import time
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Optional
+# ---------------------------------------------------------------------------
+# SpringFinding
+# ---------------------------------------------------------------------------
+@dataclass
+class SpringFinding:
+    """Single audit finding — one anomaly in one symbol."""
+    id: str                         # deterministic: "{pattern_id}-{symbol_hash[:12]}"
+    pattern_id: str                 # "TX-001", "SEC-001", ...
+    category: str                   # "tx" | "security"
+    severity: str                   # "critical" | "high" | "medium" | "low"
+    confidence: str                 # "high" | "medium" | "low"
+    title: str
+    symbol: str                     # FQN of affected symbol
+    source_file: str
+    evidence: dict                  # pattern-specific structured evidence
+    explanation: str                # 2-3 sentences: what + why it matters
+    fix_hint: str                   # one actionable sentence
+    limitations: list[str] = field(default_factory=list)
+    related_symbols: list[str] = field(default_factory=list)
+    @staticmethod
+    def make_id(pattern_id: str, symbol: str) -> str:
+        h = hashlib.sha256(f"{pattern_id}:{symbol}".encode()).hexdigest()[:12]
+        return f"{pattern_id}-{h}"
+    def to_dict(self) -> dict:
+        d: dict = {
+            "id": self.id,
+            "pattern_id": self.pattern_id,
+            "category": self.category,
+            "severity": self.severity,
+            "confidence": self.confidence,
+            "title": self.title,
+            "symbol": self.symbol,
+            "source_file": self.source_file,
+            "evidence": self.evidence,
+            "explanation": self.explanation,
+            "fix_hint": self.fix_hint,
+        }
+        if self.limitations:
+            d["limitations"] = self.limitations
+        if self.related_symbols:
+            d["related_symbols"] = self.related_symbols
+        return d
+# ---------------------------------------------------------------------------
+# SpringAuditResult
+# ---------------------------------------------------------------------------
+@dataclass
+class SpringAuditResult:
+    """Top-level envelope returned by spring-audit command and MCP tool."""
+    schema_version: str = "1.0"
+    repo_id: str = ""
+    git_head: str = ""
+    generated_at: str = ""
+    spring_detected: bool = False
+    scope: str = "all"              # "all" | "tx" | "security"
+    findings: list[SpringFinding] = field(default_factory=list)
+    limitations: list[str] = field(default_factory=list)
+    metadata: dict = field(default_factory=dict)
+    # Populated by finalize()
+    summary: dict = field(default_factory=dict)
+    def finalize(self) -> "SpringAuditResult":
+        """Compute summary stats. Call after all findings are added."""
+        if not self.generated_at:
+            self.generated_at = datetime.now(timezone.utc).isoformat()
+        by_severity: dict[str, int] = {
+            "critical": 0, "high": 0, "medium": 0, "low": 0
+        }
+        by_category: dict[str, int] = {}
+        for f in self.findings:
+            by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
+            by_category[f.category] = by_category.get(f.category, 0) + 1
+        # Overall confidence: lowest confidence of any high/critical finding
+        high_findings = [f for f in self.findings if f.severity in ("high", "critical")]
+        if not high_findings:
+            conf_level = "high"
+        elif all(f.confidence == "high" for f in high_findings):
+            conf_level = "high"
+        elif any(f.confidence == "low" for f in high_findings):
+            conf_level = "low"
+        else:
+            conf_level = "medium"
+        self.summary = {
+            "total_findings": len(self.findings),
+            "by_severity": by_severity,
+            "by_category": by_category,
+            "confidence_level": conf_level,
+        }
+        return self
+    def to_dict(self) -> dict:
+        return {
+            "schema_version": self.schema_version,
+            "repo_id": self.repo_id,
+            "git_head": self.git_head,
+            "generated_at": self.generated_at,
+            "spring_detected": self.spring_detected,
+            "scope": self.scope,
+            "summary": self.summary,
+            "findings": [f.to_dict() for f in self.findings],
+            "limitations": self.limitations,
+            "metadata": self.metadata,
+        }

sourcecode 1.33.25__tar.gz → 1.35.0__tar.gz

sourcecode 1.33.25tar.gz → 1.35.0tar.gz