sourcecode 1.35.0__tar.gz → 1.35.1__tar.gz

{sourcecode-1.35.0 → sourcecode-1.35.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.0
+Version: 1.35.1
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.0-blue)
+![Version](https://img.shields.io/badge/version-1.35.1-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.35.0 → sourcecode-1.35.1}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.0-blue)
+![Version](https://img.shields.io/badge/version-1.35.1-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---

{sourcecode-1.35.0 → sourcecode-1.35.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.35.0"
+version = "1.35.1"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.35.0 → sourcecode-1.35.1}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.0"
+__version__ = "1.35.1"

{sourcecode-1.35.0 → sourcecode-1.35.1}/src/sourcecode/cli.py

@@ -3766,7 +3766,7 @@ def spring_audit_cmd(
     from sourcecode.spring_findings import SpringAuditResult, SpringFinding
     from sourcecode.spring_tx_analyzer import run_tx_audit
     from sourcecode.spring_security_audit import run_security_audit
-    from sourcecode.spring_semantic import build_tx_index
+    from sourcecode.spring_model import SpringSemanticModel
 
     target = path.resolve()
     if not target.exists() or not target.is_dir():
@@ -3816,13 +3816,13 @@ def spring_audit_cmd(
         return
 
     cir = build_canonical_ir(file_list, target)
-    tx_idx = build_tx_index(cir)
+    _model = SpringSemanticModel.build(cir)
 
     results: list[SpringAuditResult] = []
     if scope in ("all", "tx"):
-        results.append(run_tx_audit(cir, root=target, min_severity=min_severity))
+        results.append(run_tx_audit(cir, root=target, min_severity=min_severity, model=_model))
     if scope in ("all", "security"):
-        results.append(run_security_audit(cir, root=target, min_severity=min_severity, tx_index=tx_idx))
+        results.append(run_security_audit(cir, root=target, min_severity=min_severity, model=_model))
 
     if len(results) == 1:
         combined = results[0]
@@ -3843,6 +3843,18 @@ def spring_audit_cmd(
             metadata=merged_meta,
         ).finalize()
 
+    # Populate git_head from repo HEAD — non-fatal.
+    try:
+        import subprocess as _sub_sa
+        _sha_r = _sub_sa.run(
+            ["git", "-C", str(target), "rev-parse", "--short", "HEAD"],
+            capture_output=True, text=True, timeout=3,
+        )
+        if _sha_r.returncode == 0:
+            combined.git_head = _sha_r.stdout.strip()
+    except Exception:
+        pass
+
     data = combined.to_dict()
 
     # Non-fatal RIS side-effect — persist summary only (not full findings).

sourcecode-1.35.1/src/sourcecode/spring_model.py

@@ -0,0 +1,258 @@
+"""spring_model.py — Shared Spring semantic model.
+
+Builds once per analysis run from a CanonicalRepositoryIR.
+All pattern analyzers consume this rather than re-deriving shared structures.
+
+Components:
+  CallAdjacency      — forward call adjacency (caller → callees)
+  InheritanceGraph   — extends/implements graph with generic-parent detection
+  BeanGraph          — Spring bean registry + injection graph
+  SpringSemanticModel — umbrella: tx_index + call_adj + inheritance + bean_graph
+
+Eliminates per-pattern duplicate traversals:
+  build_tx_index()        was called 2× per scope=all run → now 1×
+  _build_forward_adjacency() was called 3× (TX-002/003/004) → now 1×
+  _build_extends_map()    was called per-run (SEC-002)    → now 1×
+
+Usage:
+    model = SpringSemanticModel.build(cir)
+    # or with pre-built tx_index (avoids double-build in CLI):
+    model = SpringSemanticModel.build(cir, tx_index=existing_index)
+"""
+from __future__ import annotations
+
+import re
+import time
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING, Optional
+
+from sourcecode.spring_semantic import TransactionBoundaryIndex, build_tx_index
+
+if TYPE_CHECKING:
+    from sourcecode.canonical_ir import CanonicalRepositoryIR
+
+# Edge types excluded from forward adjacency (structural, not call edges)
+_CALL_SKIP: frozenset[str] = frozenset({"annotated_with", "mapped_to", "contained_in"})
+
+# Spring bean stereotype annotations
+_BEAN_ANNOTATIONS: frozenset[str] = frozenset({
+    "@Component", "@Service", "@Repository",
+    "@Controller", "@RestController", "@Configuration", "@Bean",
+})
+
+_GENERIC_PARAM_RE = re.compile(r"<[A-Z][\w,\s<>?]*>")
+
+
+# ---------------------------------------------------------------------------
+# CallAdjacency
+# ---------------------------------------------------------------------------
+
+@dataclass
+class CallAdjacency:
+    """Forward call adjacency built from CIR call_graph edges.
+
+    Shared across TX patterns (TX-002, TX-003, TX-004) to avoid one rebuild
+    per pattern per analysis run.
+    """
+    adjacency: dict[str, list[str]] = field(default_factory=dict)  # caller → [callees]
+
+    @classmethod
+    def build(cls, cir: "CanonicalRepositoryIR") -> "CallAdjacency":
+        adj: dict[str, list[str]] = {}
+        for edge in cir.call_graph:
+            if not isinstance(edge, dict):
+                continue
+            if edge.get("type") in _CALL_SKIP:
+                continue
+            frm = edge.get("from") or ""
+            to = edge.get("to") or ""
+            if frm and to:
+                adj.setdefault(frm, []).append(to)
+        return cls(adjacency=adj)
+
+
+# ---------------------------------------------------------------------------
+# InheritanceGraph
+# ---------------------------------------------------------------------------
+
+@dataclass
+class InheritanceGraph:
+    """Extends/implements graph derived from CIR dependency edges.
+
+    Provides inheritance relationships for SEC-002 (@PreAuthorize on generic
+    supertype) and future self-invocation detection.
+
+    generic_parents: FQNs whose immediate parent signature has type parameters.
+    Computed once; avoids per-pattern regex matching at analysis time.
+    """
+    parent_of: dict[str, str] = field(default_factory=dict)    # child FQN → parent signature
+    generic_parents: set[str] = field(default_factory=set)      # FQNs with a generic parent
+
+    @classmethod
+    def build(cls, cir: "CanonicalRepositoryIR") -> "InheritanceGraph":
+        parent_of: dict[str, str] = {}
+        generic_parents: set[str] = set()
+        for edge in cir.dependencies:
+            if not isinstance(edge, dict):
+                continue
+            if edge.get("type") != "extends":
+                continue
+            child = edge.get("from") or ""
+            parent = edge.get("to") or ""
+            if child and parent:
+                parent_of[child] = parent
+                if _GENERIC_PARAM_RE.search(parent):
+                    generic_parents.add(child)
+        return cls(parent_of=parent_of, generic_parents=generic_parents)
+
+    def immediate_parent(self, fqn: str) -> str:
+        """Return the immediate parent signature for fqn, or empty string."""
+        return self.parent_of.get(fqn, "")
+
+    def has_generic_parent(self, fqn: str) -> bool:
+        """True when the immediate parent of fqn has type parameters."""
+        return fqn in self.generic_parents
+
+
+# ---------------------------------------------------------------------------
+# BeanGraph
+# ---------------------------------------------------------------------------
+
+@dataclass
+class BeanNode:
+    """Minimal representation of a detected Spring bean."""
+    fqn: str
+    stereotype: str    # component|service|repository|controller|configuration|bean
+    source_file: str
+
+
+@dataclass
+class BeanGraph:
+    """Spring bean registry derived from _raw_ir graph nodes.
+
+    Foundation for future capabilities:
+      - self-invocation detection (proxy cannot intercept this.method())
+      - conditional bean analysis (@ConditionalOn* chains)
+      - module impact analysis (inter-bean dependency tracing)
+
+    injections: @Autowired / constructor injection edges (type="injects").
+    """
+    beans: dict[str, BeanNode] = field(default_factory=dict)        # fqn → node
+    injections: dict[str, list[str]] = field(default_factory=dict)  # fqn → [injected FQNs]
+
+    @classmethod
+    def build(cls, cir: "CanonicalRepositoryIR") -> "BeanGraph":
+        beans: dict[str, BeanNode] = {}
+        injections: dict[str, list[str]] = {}
+
+        raw_ir = getattr(cir, "_raw_ir", {}) or {}
+        nodes = (raw_ir.get("graph") or {}).get("nodes") or []
+
+        for node in nodes:
+            if not isinstance(node, dict):
+                continue
+            ann_set = set(node.get("annotations") or [])
+            match = ann_set & _BEAN_ANNOTATIONS
+            if not match:
+                continue
+            fqn = node.get("fqn") or ""
+            if not fqn:
+                continue
+            ann = next(iter(match))
+            stereotype = ann.lstrip("@").lower()
+            beans[fqn] = BeanNode(
+                fqn=fqn,
+                stereotype=stereotype,
+                source_file=node.get("source_file") or "",
+            )
+
+        for edge in cir.call_graph:
+            if not isinstance(edge, dict):
+                continue
+            if edge.get("type") != "injects":
+                continue
+            frm = edge.get("from") or ""
+            to = edge.get("to") or ""
+            if frm and to and frm in beans:
+                injections.setdefault(frm, []).append(to)
+
+        return cls(beans=beans, injections=injections)
+
+    def is_bean(self, fqn: str) -> bool:
+        return fqn in self.beans
+
+    def get_stereotype(self, fqn: str) -> str:
+        node = self.beans.get(fqn)
+        return node.stereotype if node else ""
+
+
+# ---------------------------------------------------------------------------
+# SpringSemanticModel
+# ---------------------------------------------------------------------------
+
+@dataclass
+class SpringSemanticModel:
+    """Shared semantic context. Built once per analysis run.
+
+    Eliminates duplicate CIR traversals when multiple patterns run together.
+    Pattern analyzers that receive a model should consume it rather than
+    re-deriving from the CIR.
+
+    Fields:
+        tx_index:      @Transactional boundary index.
+        call_adj:      Forward call adjacency (caller → callees).
+        inheritance:   Extends/implements graph + generic-parent detection.
+        bean_graph:    Spring bean registry and injection graph.
+        build_time_ms: Wall-clock ms to build all sub-models (not counting
+                       a pre-built tx_index passed by the caller).
+    """
+    tx_index: TransactionBoundaryIndex
+    call_adj: CallAdjacency
+    inheritance: InheritanceGraph
+    bean_graph: BeanGraph
+    build_time_ms: float = 0.0
+
+    @classmethod
+    def build(
+        cls,
+        cir: "CanonicalRepositoryIR",
+        *,
+        tx_index: Optional[TransactionBoundaryIndex] = None,
+    ) -> "SpringSemanticModel":
+        """Build all sub-models from a CIR. Never raises.
+
+        Args:
+            cir:      CanonicalRepositoryIR from build_canonical_ir().
+            tx_index: Pre-built index to reuse — avoids double build in CLI
+                      when tx_index was already computed for another purpose.
+        """
+        t0 = time.monotonic()
+
+        try:
+            tx = tx_index if tx_index is not None else build_tx_index(cir)
+        except Exception:
+            tx = TransactionBoundaryIndex()
+
+        try:
+            adj = CallAdjacency.build(cir)
+        except Exception:
+            adj = CallAdjacency()
+
+        try:
+            inh = InheritanceGraph.build(cir)
+        except Exception:
+            inh = InheritanceGraph()
+
+        try:
+            bg = BeanGraph.build(cir)
+        except Exception:
+            bg = BeanGraph()
+
+        elapsed = round((time.monotonic() - t0) * 1000, 2)
+        return cls(
+            tx_index=tx,
+            call_adj=adj,
+            inheritance=inh,
+            bean_graph=bg,
+            build_time_ms=elapsed,
+        )

{sourcecode-1.35.0 → sourcecode-1.35.1}/src/sourcecode/spring_security_audit.py

@@ -9,12 +9,14 @@ All patterns are deterministic and never raise.
 """
 from __future__ import annotations
 
+import inspect
 import re
 import time
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional, Protocol, runtime_checkable
+from typing import TYPE_CHECKING, Any, Optional, Protocol, runtime_checkable
 
 from sourcecode.spring_findings import SpringAuditResult, SpringFinding
+from sourcecode.spring_model import SpringSemanticModel
 from sourcecode.spring_semantic import TransactionBoundaryIndex, build_tx_index
 
 if TYPE_CHECKING:
@@ -38,10 +40,29 @@ class SecurityPattern(Protocol):
         cir: "CanonicalRepositoryIR",
         tx_index: Optional[TransactionBoundaryIndex],
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         ...
 
 
+def _call_pattern_analyze(
+    pattern: Any,
+    cir: "CanonicalRepositoryIR",
+    tx_index: Optional[TransactionBoundaryIndex],
+    root: Optional[Path],
+    model: Optional[SpringSemanticModel],
+) -> list[SpringFinding]:
+    """Dispatch to pattern.analyze(), injecting model if the pattern accepts it."""
+    try:
+        sig = inspect.signature(pattern.analyze)
+        if "model" in sig.parameters:
+            return pattern.analyze(cir, tx_index, root, model=model)
+    except (ValueError, TypeError):
+        pass
+    return pattern.analyze(cir, tx_index, root)
+
+
 # ---------------------------------------------------------------------------
 # SEC-001: Endpoint without security guard (annotation_based model)
 # ---------------------------------------------------------------------------
@@ -55,6 +76,8 @@ class _SEC001UnsecuredEndpoint:
         cir: "CanonicalRepositoryIR",
         tx_index: Optional[TransactionBoundaryIndex],
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         security_model = cir.metadata.get("security_model", "unknown")
         # filter_based model has centralized config — per-endpoint annotation absence is expected
@@ -119,9 +142,16 @@ class _SEC002PreAuthorizeGenericInheritance:
         cir: "CanonicalRepositoryIR",
         tx_index: Optional[TransactionBoundaryIndex],
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
-        # Build extends map: child_fqn → parent_signature (may contain generics)
-        extends_map = _build_extends_map(cir)
+        # Use shared inheritance graph when available; fall back to local build.
+        if model is not None:
+            _parent_of = model.inheritance.parent_of
+            _generic_parents = model.inheritance.generic_parents
+        else:
+            _parent_of = _build_extends_map(cir)
+            _generic_parents = None  # determined via regex below
 
         findings: list[SpringFinding] = []
         seen: set[str] = set()
@@ -135,8 +165,11 @@ class _SEC002PreAuthorizeGenericInheritance:
                 continue
 
             # Resolve parent class signature for this controller
-            parent_sig = extends_map.get(ep.controller_class, "")
-            has_generics = bool(_GENERIC_PARAM_RE.search(parent_sig))
+            parent_sig = _parent_of.get(ep.controller_class, "")
+            if _generic_parents is not None:
+                has_generics = ep.controller_class in _generic_parents
+            else:
+                has_generics = bool(_GENERIC_PARAM_RE.search(parent_sig))
             confidence = "high" if has_generics else "medium"
 
             key = f"{ep.controller_class}#{ep.handler_symbol}"
@@ -205,6 +238,8 @@ class _SEC003TransactionalOnController:
         cir: "CanonicalRepositoryIR",
         tx_index: Optional[TransactionBoundaryIndex],
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         if tx_index is None:
             return []
@@ -337,11 +372,12 @@ def _build_extends_map(cir: "CanonicalRepositoryIR") -> dict[str, str]:
 def _controller_source_file(cir: "CanonicalRepositoryIR", controller_fqn: str) -> str:
     """Return the source_file for a controller class from cir.files, or empty string."""
     simple = controller_fqn.split(".")[-1]
-    for f in cir.files:
-        if not isinstance(f, dict):
-            continue
-        path = f.get("path", "")
-        if simple and (path.endswith(f"{simple}.java") or path.endswith(f"{simple}.kt")):
+    if not simple:
+        return ""
+    for path in cir.files:
+        if isinstance(path, str) and (
+            path.endswith(f"{simple}.java") or path.endswith(f"{simple}.kt")
+        ):
             return path
     return ""
 
@@ -379,6 +415,8 @@ class SecurityScanner:
     Usage:
         scanner = SecurityScanner()
         findings = scanner.analyze(cir, tx_index=tx_index, root=Path("/repo"))
+        # or with pre-built model (shares inheritance graph, avoids rebuilds):
+        findings = scanner.analyze(cir, tx_index=tx_index, root=Path("/repo"), model=model)
 
     Never raises. Pattern errors are silently swallowed (finding missed, not crash).
     """
@@ -393,11 +431,13 @@ class SecurityScanner:
         cir: "CanonicalRepositoryIR",
         tx_index: Optional[TransactionBoundaryIndex] = None,
         root: Optional[Path] = None,
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         all_findings: list[SpringFinding] = []
         for pattern in self.patterns:
             try:
-                found = pattern.analyze(cir, tx_index, root)
+                found = _call_pattern_analyze(pattern, cir, tx_index, root, model)
                 all_findings.extend(found)
             except Exception:
                 pass
@@ -417,6 +457,7 @@ def run_security_audit(
     min_severity: str = "low",
     patterns: Optional[list[SecurityPattern]] = None,
     tx_index: Optional[TransactionBoundaryIndex] = None,
+    model: Optional[SpringSemanticModel] = None,
 ) -> SpringAuditResult:
     """Run security surface audit and return a SpringAuditResult.
 
@@ -427,17 +468,20 @@ def run_security_audit(
         min_severity: Filter findings below this severity.
         patterns:     Override default pattern list (for testing).
         tx_index:     Pre-built TransactionBoundaryIndex (built from cir if None).
+        model:        Pre-built SpringSemanticModel (avoids duplicate build in CLI).
     """
     _sev_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
     min_rank = _sev_rank.get(min_severity, 3)
 
     t0 = time.monotonic()
 
-    if tx_index is None:
+    if model is not None:
+        tx_index = model.tx_index
+    elif tx_index is None:
         tx_index = build_tx_index(cir)
 
     scanner = SecurityScanner(patterns=patterns)
-    findings = scanner.analyze(cir, tx_index=tx_index, root=root)
+    findings = scanner.analyze(cir, tx_index=tx_index, root=root, model=model)
 
     findings = [f for f in findings if _sev_rank.get(f.severity, 9) <= min_rank]
 

{sourcecode-1.35.0 → sourcecode-1.35.1}/src/sourcecode/spring_tx_analyzer.py

@@ -14,13 +14,15 @@ All patterns are deterministic and never raise.
 """
 from __future__ import annotations
 
+import inspect
 import re
 import time
 from collections import deque
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional, Protocol, runtime_checkable
+from typing import TYPE_CHECKING, Any, Optional, Protocol, runtime_checkable
 
 from sourcecode.spring_findings import SpringAuditResult, SpringFinding
+from sourcecode.spring_model import SpringSemanticModel
 from sourcecode.spring_semantic import (
     PROPAGATION_DEFAULT,
     TransactionBoundary,
@@ -70,10 +72,33 @@ class TxPattern(Protocol):
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         ...
 
 
+def _call_pattern_analyze(
+    pattern: Any,
+    cir: "CanonicalRepositoryIR",
+    tx_index: TransactionBoundaryIndex,
+    root: Optional[Path],
+    model: Optional[SpringSemanticModel],
+) -> list[SpringFinding]:
+    """Dispatch to pattern.analyze(), injecting model if the pattern accepts it.
+
+    Patterns that declare `model` in their signature receive the shared model.
+    Patterns without it (e.g. test doubles) are called with the legacy signature.
+    """
+    try:
+        sig = inspect.signature(pattern.analyze)
+        if "model" in sig.parameters:
+            return pattern.analyze(cir, tx_index, root, model=model)
+    except (ValueError, TypeError):
+        pass
+    return pattern.analyze(cir, tx_index, root)
+
+
 # ---------------------------------------------------------------------------
 # TX-001: @Transactional on private or final method
 # ---------------------------------------------------------------------------
@@ -87,6 +112,8 @@ class _TX001ProxyBypass:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         findings: list[SpringFinding] = []
 
@@ -210,11 +237,13 @@ class _TX002RequiresNewNested:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         findings: list[SpringFinding] = []
         seen_pairs: set[tuple[str, str]] = set()
 
-        adj = _build_forward_adjacency(cir)
+        adj = model.call_adj.adjacency if model is not None else _build_forward_adjacency(cir)
         deadline = time.monotonic_ns() + _BFS_TIMEOUT_MS * 1_000_000
 
         for boundary in tx_index.all_boundaries():
@@ -284,11 +313,13 @@ class _TX003ReadOnlyWritePropagation:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         findings: list[SpringFinding] = []
         seen_pairs: set[tuple[str, str]] = set()
 
-        adj = _build_forward_adjacency(cir)
+        adj = model.call_adj.adjacency if model is not None else _build_forward_adjacency(cir)
         deadline = time.monotonic_ns() + _BFS_TIMEOUT_MS * 1_000_000
 
         for boundary in tx_index.all_boundaries():
@@ -364,11 +395,13 @@ class _TX004TxSuspensionRisk:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         findings: list[SpringFinding] = []
         seen_pairs: set[tuple[str, str]] = set()
 
-        adj = _build_forward_adjacency(cir)
+        adj = model.call_adj.adjacency if model is not None else _build_forward_adjacency(cir)
         deadline = time.monotonic_ns() + _BFS_TIMEOUT_MS * 1_000_000
 
         for boundary in tx_index.all_boundaries():
@@ -448,6 +481,8 @@ class _TX005ExceptionSwallowing:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path],
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         if root is None:
             return []
@@ -551,6 +586,8 @@ class TxPatternEngine:
     Usage:
         engine = TxPatternEngine()
         findings = engine.analyze(cir, tx_index, root=Path("/repo"))
+        # or with pre-built model (eliminates duplicate adjacency builds):
+        findings = engine.analyze(cir, tx_index, root=Path("/repo"), model=model)
 
     Never raises. Pattern errors are silently swallowed (finding missed, not crash).
     """
@@ -563,11 +600,13 @@ class TxPatternEngine:
         cir: "CanonicalRepositoryIR",
         tx_index: TransactionBoundaryIndex,
         root: Optional[Path] = None,
+        *,
+        model: Optional[SpringSemanticModel] = None,
     ) -> list[SpringFinding]:
         all_findings: list[SpringFinding] = []
         for pattern in self.patterns:
             try:
-                found = pattern.analyze(cir, tx_index, root)
+                found = _call_pattern_analyze(pattern, cir, tx_index, root, model)
                 all_findings.extend(found)
             except Exception:
                 pass
@@ -586,6 +625,7 @@ def run_tx_audit(
     scope: str = "all",
     min_severity: str = "low",
     patterns: Optional[list[TxPattern]] = None,
+    model: Optional[SpringSemanticModel] = None,
 ) -> SpringAuditResult:
     """Run TX anomaly detection and return a SpringAuditResult.
 
@@ -595,15 +635,18 @@ def run_tx_audit(
         scope:        "all" | "tx" (reserved — always "tx" for this function).
         min_severity: Filter findings below this severity.
         patterns:     Override default pattern list (for testing).
+        model:        Pre-built SpringSemanticModel (avoids duplicate build in CLI).
     """
     _sev_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
     min_rank = _sev_rank.get(min_severity, 3)
 
     t0 = time.monotonic()
 
-    tx_index = build_tx_index(cir)
+    if model is None:
+        model = SpringSemanticModel.build(cir)
+    tx_index = model.tx_index
     engine = TxPatternEngine(patterns=patterns)
-    findings = engine.analyze(cir, tx_index, root=root)
+    findings = engine.analyze(cir, tx_index, root=root, model=model)
 
     # Filter by min_severity
     findings = [f for f in findings if _sev_rank.get(f.severity, 9) <= min_rank]