sourcecode 1.33.25__tar.gz → 1.35.1__tar.gz

{sourcecode-1.33.25 → sourcecode-1.35.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.33.25
+Version: 1.35.1
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.33.25-blue)
+![Version](https://img.shields.io/badge/version-1.35.1-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.33.25 → sourcecode-1.35.1}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.33.25-blue)
+![Version](https://img.shields.io/badge/version-1.35.1-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.33.25 → sourcecode-1.35.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.33.25"
+version = "1.35.1"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.33.25 → sourcecode-1.35.1}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.33.25"
+__version__ = "1.35.1"

{sourcecode-1.33.25 → sourcecode-1.35.1}/src/sourcecode/cli.py

@@ -223,6 +223,8 @@ _SUBCOMMANDS: frozenset[str] = frozenset(
         "cache",
         # RIS bootstrap
         "cold-start",
+        # Spring semantic audit
+        "spring-audit",
     }
 )
 
@@ -3697,6 +3699,186 @@ def endpoints_cmd(
     _nudge()
 
 
+# ── Spring Semantic Audit ─────────────────────────────────────────────────────
+
+@app.command("spring-audit")
+def spring_audit_cmd(
+    path: Path = typer.Argument(
+        Path("."),
+        help="Repository path to audit (default: current directory)",
+    ),
+    output_path: Optional[Path] = typer.Option(
+        None, "--output", "-o",
+        help="Write output to a file instead of stdout.",
+    ),
+    format: str = typer.Option(
+        "json",
+        "--format",
+        "-f",
+        help="Output format: json (default) or yaml.",
+        show_default=True,
+    ),
+    copy: bool = typer.Option(
+        False,
+        "--copy",
+        "-c",
+        help="Copy output to system clipboard after a successful run.",
+    ),
+    scope: str = typer.Option(
+        "all",
+        "--scope",
+        "-s",
+        help="Audit scope: all (default), tx, or security.",
+        show_default=True,
+    ),
+    min_severity: str = typer.Option(
+        "low",
+        "--min-severity",
+        help="Minimum severity to include: critical, high, medium, or low (default).",
+        show_default=True,
+    ),
+) -> None:
+    """Spring semantic audit: TX anomalies (TX-001..005) + security surface (SEC-001..003).
+
+    \b
+    Detects:
+      TX-001  @Transactional on private/final method (CGLIB proxy bypass)
+      TX-002  REQUIRES_NEW nested in REQUIRED call chain
+      TX-003  readOnly=true boundary propagating to write operation
+      TX-004  NOT_SUPPORTED/NEVER within active TX chain
+      TX-005  Exception swallowing inside @Transactional
+      SEC-001 Unsecured endpoint in annotation_based security model
+      SEC-002 CVE-2025-41248: @PreAuthorize on inherited method from generic supertype
+      SEC-003 @Transactional on @Controller/@RestController (TX in wrong layer)
+
+    \b
+    Examples:
+      sourcecode spring-audit .
+      sourcecode spring-audit /path/to/repo
+      sourcecode spring-audit . --scope security
+      sourcecode spring-audit . --min-severity high
+      sourcecode spring-audit . --output audit.json
+    """
+    import json as _json
+
+    from sourcecode.repository_ir import find_java_files
+    from sourcecode.canonical_ir import build_canonical_ir
+    from sourcecode.spring_findings import SpringAuditResult, SpringFinding
+    from sourcecode.spring_tx_analyzer import run_tx_audit
+    from sourcecode.spring_security_audit import run_security_audit
+    from sourcecode.spring_model import SpringSemanticModel
+
+    target = path.resolve()
+    if not target.exists() or not target.is_dir():
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"'{target}' is not a valid directory.",
+            path=str(target),
+            hint="Pass an existing repository directory.",
+            expected="A directory path.",
+        )
+        raise typer.Exit(code=1)
+
+    if scope not in ("all", "tx", "security"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid scope '{scope}'.",
+            hint="scope must be one of: all, tx, security.",
+            expected="all | tx | security",
+        )
+        raise typer.Exit(code=1)
+
+    if min_severity not in ("critical", "high", "medium", "low"):
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid min-severity '{min_severity}'.",
+            hint="min-severity must be one of: critical, high, medium, low.",
+            expected="critical | high | medium | low",
+        )
+        raise typer.Exit(code=1)
+
+    file_list = find_java_files(target)
+    if not file_list:
+        data = SpringAuditResult(
+            spring_detected=False,
+            scope=scope,
+            limitations=["No Java files found in repository — Spring audit requires Java source."],
+            metadata={"java_files_found": 0},
+        ).finalize().to_dict()
+        output = _serialize_dict(data, format)
+        if output_path is not None:
+            output_path.write_text(output, encoding="utf-8")
+            typer.echo("Spring audit written to " + str(output_path), err=True)
+        else:
+            sys.stdout.buffer.write(output.encode("utf-8"))
+            sys.stdout.buffer.write(b"\n")
+            sys.stdout.buffer.flush()
+        return
+
+    cir = build_canonical_ir(file_list, target)
+    _model = SpringSemanticModel.build(cir)
+
+    results: list[SpringAuditResult] = []
+    if scope in ("all", "tx"):
+        results.append(run_tx_audit(cir, root=target, min_severity=min_severity, model=_model))
+    if scope in ("all", "security"):
+        results.append(run_security_audit(cir, root=target, min_severity=min_severity, model=_model))
+
+    if len(results) == 1:
+        combined = results[0]
+    else:
+        all_findings: list[SpringFinding] = []
+        all_limitations: list[str] = []
+        merged_meta: dict = {}
+        for r in results:
+            all_findings.extend(r.findings)
+            all_limitations.extend(r.limitations)
+            merged_meta.update(r.metadata)
+        combined = SpringAuditResult(
+            repo_id=results[0].repo_id,
+            spring_detected=any(r.spring_detected for r in results),
+            scope="all",
+            findings=all_findings,
+            limitations=all_limitations,
+            metadata=merged_meta,
+        ).finalize()
+
+    # Populate git_head from repo HEAD — non-fatal.
+    try:
+        import subprocess as _sub_sa
+        _sha_r = _sub_sa.run(
+            ["git", "-C", str(target), "rev-parse", "--short", "HEAD"],
+            capture_output=True, text=True, timeout=3,
+        )
+        if _sha_r.returncode == 0:
+            combined.git_head = _sha_r.stdout.strip()
+    except Exception:
+        pass
+
+    data = combined.to_dict()
+
+    # Non-fatal RIS side-effect — persist summary only (not full findings).
+    try:
+        from sourcecode.ris import update_ris_spring_audit as _ris_sa
+        _ris_sa(target, data)
+    except Exception:
+        pass
+
+    output = _serialize_dict(data, format)
+
+    if output_path is not None:
+        output_path.write_text(output, encoding="utf-8")
+        total = combined.summary.get("total_findings", 0)
+        typer.echo(f"Spring audit written to {output_path} ({total} findings)", err=True)
+    else:
+        sys.stdout.buffer.write(output.encode("utf-8"))
+        sys.stdout.buffer.write(b"\n")
+        sys.stdout.buffer.flush()
+        if copy:
+            if _copy_to_clipboard(output):
+                typer.echo("✓ copied to clipboard", err=True)
+
+
 # ── Enterprise Workflow Commands ──────────────────────────────────────────────
 #
 # These are the five canonical enterprise workflows.  Each is a thin wrapper

{sourcecode-1.33.25 → sourcecode-1.35.1}/src/sourcecode/mcp/server.py

@@ -614,6 +614,41 @@ def get_endpoints(repo_path: str = ".") -> dict:
         )
 
 
+@mcp.tool()
+def get_spring_audit(repo_path: str = ".", scope: str = "all") -> dict:
+    """Spring semantic audit: TX anomalies + security surface findings. JAVA/SPRING ONLY.
+
+    Do NOT call this on non-Java repositories — it will return spring_detected=false.
+
+    Maps to: sourcecode spring-audit <repo_path> --scope <scope>
+    Returns: SpringAuditResult with schema_version, spring_detected, scope, summary,
+             findings list (id, pattern_id, category, severity, confidence, title,
+             symbol, source_file, evidence, explanation, fix_hint), limitations, metadata.
+    Patterns: TX-001..005 (transaction anomalies), SEC-001..003 (security surface).
+    scope: "all" (default) | "tx" | "security".
+    repo_path: absolute path to the Java repository (default: current working directory).
+    """
+    _raw = repo_path
+    try:
+        if not isinstance(repo_path, str):
+            return _err("repo_path must be a string", "INVALID_ARGUMENT")
+        if scope not in ("all", "tx", "security"):
+            return _err(
+                f"Invalid scope '{scope}' — must be one of: all, tx, security",
+                "INVALID_ARGUMENT",
+            )
+        repo_path = _normalize_repo_path(repo_path)
+        _path_err = _check_repo_path(repo_path)
+        if _path_err is not None:
+            return _path_err
+        return _execute(["spring-audit", repo_path, "--scope", scope])
+    except Exception as exc:
+        return _err(
+            f"Internal error: {type(exc).__name__}: {exc} — repo_path recibido: {_raw}",
+            "INTERNAL_ERROR",
+        )
+
+
 @mcp.tool()
 def get_module_context(repo_path: str = ".", module: str = "") -> dict:
     """Compact analysis of a specific module or subdirectory within a repository.

{sourcecode-1.33.25 → sourcecode-1.35.1}/src/sourcecode/repository_ir.py

@@ -238,6 +238,14 @@ _LOMBOK_CTOR_ANNOTATIONS: frozenset[str] = frozenset({
     "@AllArgsConstructor",       # injects all non-static fields
 })
 
+# Transaction annotations whose args must be captured for semantic analysis.
+_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional"})
+
+# Combined set used in _extract_symbols annotation-value capture.
+_CAPTURE_ANN_ARGS: frozenset[str] = (
+    _ENDPOINT_ANNOTATIONS | _PERMISSION_ANNOTATIONS | _PATH_ANNOTATIONS | _TX_ANNOTATIONS
+)
+
 _JAVA_ROLE_MAP: dict[str, str] = {
     # Spring MVC / Spring Boot
     "@RestController": "controller",
@@ -563,7 +571,7 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
                 ann_args = ann_m.group(2) or ""
                 if ann not in pending_anns:
                     pending_anns.append(ann)
-                if ann_args and (ann in _ENDPOINT_ANNOTATIONS or ann in _PERMISSION_ANNOTATIONS or ann in _PATH_ANNOTATIONS):
+                if ann_args and ann in _CAPTURE_ANN_ARGS:
                     # P1 fix: attempt to resolve constant expressions before storing.
                     # Transforms '"/" + SECTION_KEY' → '"/category"' when constant
                     # is defined in this file. Falls back to original if unresolvable.
@@ -2234,6 +2242,9 @@ def _assemble(
             "role": spring_role_map.get(s.symbol, "other"),
             "in_degree": in_deg.get(s.symbol, 0),
             "out_degree": out_deg.get(s.symbol, 0),
+            "annotations": list(s.annotations),
+            "annotation_values": dict(s.annotation_values),
+            "modifiers": list(s.modifiers),
         }
         for s in sorted_syms
     ]

{sourcecode-1.33.25 → sourcecode-1.35.1}/src/sourcecode/ris.py

@@ -275,6 +275,53 @@ def maybe_update_ris(repo_root: Path, core_dict: dict, git_head: str) -> None:
         pass
 
 
+def update_ris_spring_audit(repo_root: Path, audit_result: dict) -> None:
+    """Persist spring-audit summary into the RIS metadata section.
+
+    Stores summary-only snapshot (no full findings) in metadata["spring_audit"].
+    Called from spring_audit_cmd after a successful run.  Never raises.
+    """
+    try:
+        if not isinstance(audit_result, dict):
+            return
+        summary = audit_result.get("summary") or {}
+        existing = load_ris(repo_root)
+        if existing is None:
+            from sourcecode.cache import repo_id as _repo_id_fn
+            now = _now_iso()
+            existing = RepositoryIntelligenceSnapshot(
+                repo_id=_repo_id_fn(repo_root),
+                created_at=now,
+                last_updated_at=now,
+                git_head="",
+                version=RIS_SCHEMA_VERSION,
+                structural_map={},
+                api_surface={},
+                dependency_graph={},
+                compact_summary={},
+                agent_index={},
+                git_context_snapshot={},
+                metadata={"snapshot_source": "existing_snapshot_system", "confidence": 0.0, "partial": True},
+            )
+
+        spring_audit_cache = {
+            "total_findings": summary.get("total_findings", 0),
+            "by_severity": summary.get("by_severity", {}),
+            "by_category": summary.get("by_category", {}),
+            "confidence_level": summary.get("confidence_level", ""),
+            "scope": audit_result.get("scope", "all"),
+            "spring_detected": audit_result.get("spring_detected", False),
+            "last_run_at": audit_result.get("generated_at", _now_iso()),
+        }
+        updated_meta = {**existing.metadata, "spring_audit": spring_audit_cache}
+        updated = RepositoryIntelligenceSnapshot(
+            **{**existing.__dict__, "metadata": updated_meta, "last_updated_at": _now_iso()}
+        )
+        save_ris(repo_root, updated)
+    except Exception:
+        pass
+
+
 def update_ris_api_surface(repo_root: Path, endpoints_data: dict) -> None:
     """Update the api_surface section from an ``endpoints`` command output.
 

sourcecode-1.35.1/src/sourcecode/spring_findings.py

@@ -0,0 +1,130 @@
+"""spring_findings.py — Shared finding schema for Spring semantic audit.
+
+SpringFinding is the canonical output unit.
+SpringAuditResult is the top-level envelope returned by CLI and MCP.
+
+IDs are deterministic: same symbol + pattern → same ID across runs.
+"""
+from __future__ import annotations
+
+import hashlib
+import time
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Optional
+
+
+# ---------------------------------------------------------------------------
+# SpringFinding
+# ---------------------------------------------------------------------------
+
+@dataclass
+class SpringFinding:
+    """Single audit finding — one anomaly in one symbol."""
+
+    id: str                         # deterministic: "{pattern_id}-{symbol_hash[:12]}"
+    pattern_id: str                 # "TX-001", "SEC-001", ...
+    category: str                   # "tx" | "security"
+    severity: str                   # "critical" | "high" | "medium" | "low"
+    confidence: str                 # "high" | "medium" | "low"
+    title: str
+    symbol: str                     # FQN of affected symbol
+    source_file: str
+    evidence: dict                  # pattern-specific structured evidence
+    explanation: str                # 2-3 sentences: what + why it matters
+    fix_hint: str                   # one actionable sentence
+    limitations: list[str] = field(default_factory=list)
+    related_symbols: list[str] = field(default_factory=list)
+
+    @staticmethod
+    def make_id(pattern_id: str, symbol: str) -> str:
+        h = hashlib.sha256(f"{pattern_id}:{symbol}".encode()).hexdigest()[:12]
+        return f"{pattern_id}-{h}"
+
+    def to_dict(self) -> dict:
+        d: dict = {
+            "id": self.id,
+            "pattern_id": self.pattern_id,
+            "category": self.category,
+            "severity": self.severity,
+            "confidence": self.confidence,
+            "title": self.title,
+            "symbol": self.symbol,
+            "source_file": self.source_file,
+            "evidence": self.evidence,
+            "explanation": self.explanation,
+            "fix_hint": self.fix_hint,
+        }
+        if self.limitations:
+            d["limitations"] = self.limitations
+        if self.related_symbols:
+            d["related_symbols"] = self.related_symbols
+        return d
+
+
+# ---------------------------------------------------------------------------
+# SpringAuditResult
+# ---------------------------------------------------------------------------
+
+@dataclass
+class SpringAuditResult:
+    """Top-level envelope returned by spring-audit command and MCP tool."""
+
+    schema_version: str = "1.0"
+    repo_id: str = ""
+    git_head: str = ""
+    generated_at: str = ""
+    spring_detected: bool = False
+    scope: str = "all"              # "all" | "tx" | "security"
+    findings: list[SpringFinding] = field(default_factory=list)
+    limitations: list[str] = field(default_factory=list)
+    metadata: dict = field(default_factory=dict)
+
+    # Populated by finalize()
+    summary: dict = field(default_factory=dict)
+
+    def finalize(self) -> "SpringAuditResult":
+        """Compute summary stats. Call after all findings are added."""
+        if not self.generated_at:
+            self.generated_at = datetime.now(timezone.utc).isoformat()
+
+        by_severity: dict[str, int] = {
+            "critical": 0, "high": 0, "medium": 0, "low": 0
+        }
+        by_category: dict[str, int] = {}
+        for f in self.findings:
+            by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
+            by_category[f.category] = by_category.get(f.category, 0) + 1
+
+        # Overall confidence: lowest confidence of any high/critical finding
+        high_findings = [f for f in self.findings if f.severity in ("high", "critical")]
+        if not high_findings:
+            conf_level = "high"
+        elif all(f.confidence == "high" for f in high_findings):
+            conf_level = "high"
+        elif any(f.confidence == "low" for f in high_findings):
+            conf_level = "low"
+        else:
+            conf_level = "medium"
+
+        self.summary = {
+            "total_findings": len(self.findings),
+            "by_severity": by_severity,
+            "by_category": by_category,
+            "confidence_level": conf_level,
+        }
+        return self
+
+    def to_dict(self) -> dict:
+        return {
+            "schema_version": self.schema_version,
+            "repo_id": self.repo_id,
+            "git_head": self.git_head,
+            "generated_at": self.generated_at,
+            "spring_detected": self.spring_detected,
+            "scope": self.scope,
+            "summary": self.summary,
+            "findings": [f.to_dict() for f in self.findings],
+            "limitations": self.limitations,
+            "metadata": self.metadata,
+        }