sourcecode 1.35.2__py3-none-any.whl → 1.35.4__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.2"
+__version__ = "1.35.4"

sourcecode/cir_graphs.py

@@ -68,11 +68,23 @@ class ImplementationGraph:
             dependencies:  cir.dependencies — list of edge dicts with 'from'/'to'/'type'
             known_symbols: set(cir.symbols) — only in-repo FQNs
 
-        Excludes implements edges where the interface (to_fqn) is NOT in known_symbols
-        (e.g. java.io.Serializable, org.springframework.* framework interfaces).
+        The Java parser stores 'implements' edges with the simple class name in the 'to'
+        field (e.g. 'OrderService') rather than the FQN.  We resolve these via a
+        precomputed simple-name → FQN map built from known_symbols.  Only unambiguous
+        resolutions are accepted; external framework interfaces and ambiguous names are
+        excluded.
+
         Includes edges where the implementing class (from_fqn) is NOT in known_symbols
         only when the interface IS known — this handles partial-parse edge cases.
         """
+        # Pre-build simple-name → [FQN] lookup for class-level symbols only (no '#').
+        # Used to resolve unqualified interface names (BUG-IC-001).
+        _simple_to_fqn: dict[str, list[str]] = {}
+        for sym in known_symbols:
+            if "#" not in sym and "." in sym:
+                simple = sym.rsplit(".", 1)[1]
+                _simple_to_fqn.setdefault(simple, []).append(sym)
+
         impl_of: dict[str, list[str]] = {}
         ifaces_of: dict[str, list[str]] = {}
 
@@ -83,9 +95,13 @@ class ImplementationGraph:
             to_fqn = (edge.get("to") or "").strip()
             if not from_fqn or not to_fqn:
                 continue
-            # Only track when the interface is an in-repo symbol
+            # Resolve to_fqn: prefer exact known-symbol match, then try simple-name lookup.
+            # Rejects external interfaces (java.*, org.springframework.*) and ambiguous names.
             if to_fqn not in known_symbols:
-                continue
+                candidates = _simple_to_fqn.get(to_fqn, [])
+                if len(candidates) != 1:
+                    continue
+                to_fqn = candidates[0]
             # Ignore malformed FQNs (e.g. generic type fragments like "Long>")
             if ">" in to_fqn or "<" in to_fqn:
                 continue

sourcecode/cli.py

@@ -3917,6 +3917,11 @@ def impact_chain_cmd(
         False, "--copy", "-c",
         help="Copy output to clipboard after a successful run.",
     ),
+    query_type: str = typer.Option(
+        "impact", "--type", "-t",
+        help="Query type: impact (default) or events.",
+        show_default=True,
+    ),
 ) -> None:
     """Spring impact-chain: systemic blast radius of a symbol with TX/SEC enrichment.
 
@@ -3930,6 +3935,14 @@ def impact_chain_cmd(
       - impact_findings     — TX/SEC audit findings touching the call chain
       - risk_level          — critical | high | medium | low
 
+    \b
+    With --type events, returns event topology:
+      - publishers          — FQNs that publish the event class
+      - consumers           — listeners with TX phase metadata
+      - event_graph         — publisher → event → consumer edges (BFS ≤ 2)
+      - transaction_context — AFTER_COMMIT consumers, BEFORE_COMMIT risks
+      - risk_level          — high | medium | low
+
     \b
     Consumes SpringSemanticModel — zero duplicate CIR traversals.
     JAVA/SPRING ONLY.
@@ -3948,6 +3961,19 @@ def impact_chain_cmd(
     from sourcecode.spring_impact import run_impact_chain
     from sourcecode.spring_findings import SpringAuditResult
 
+    _VALID_TYPES = ("impact", "events")
+    if query_type not in _VALID_TYPES:
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid --type '{query_type}'. Valid values: {', '.join(_VALID_TYPES)}",
+            flag="--type",
+            value=query_type,
+            valid_values=list(_VALID_TYPES),
+            hint="Use --type impact (default) or --type events.",
+            expected="impact | events",
+        )
+        raise typer.Exit(code=1)
+
     target = path.resolve()
     if not target.exists() or not target.is_dir():
         _emit_error_json(
@@ -3970,7 +3996,7 @@ def impact_chain_cmd(
 
     file_list = find_java_files(target)
     if not file_list:
-        data = {
+        data: dict = {
             "schema_version": "1.0",
             "symbol": symbol,
             "resolution": "not_found",
@@ -3991,6 +4017,30 @@ def impact_chain_cmd(
 
     cir = build_canonical_ir(file_list, target)
     _model = SpringSemanticModel.build(cir)
+
+    if query_type == "events":
+        from sourcecode.spring_event_topology import run_event_topology
+        evt_result = run_event_topology(cir, symbol, model=_model)
+        data = evt_result.to_dict()
+        output = _serialize_dict(data, format)
+        if output_path is not None:
+            output_path.write_text(output, encoding="utf-8")
+            typer.echo(
+                f"Event topology written to {output_path} "
+                f"(risk: {evt_result.risk_level}, "
+                f"{evt_result.metadata.get('publisher_count', 0)} publishers, "
+                f"{evt_result.metadata.get('consumer_count', 0)} consumers)",
+                err=True,
+            )
+        else:
+            sys.stdout.buffer.write(output.encode("utf-8"))
+            sys.stdout.buffer.write(b"\n")
+            sys.stdout.buffer.flush()
+            if copy:
+                if _copy_to_clipboard(output):
+                    typer.echo("✓ copied to clipboard", err=True)
+        return
+
     result = run_impact_chain(cir, symbol, depth=depth, root=target, model=_model)
 
     data = result.to_dict()

sourcecode/repository_ir.py

@@ -202,10 +202,13 @@ _FILTER_SECURITY_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Programmatic security: method-call patterns that indicate runtime auth enforcement.
+# Requires method-call or field-access context — bare class name mentions (imports,
+# type declarations) must NOT match or IAM/auth-domain repos generate false positives.
 _PROGRAMMATIC_SECURITY_RE = re.compile(
     r"\b(?:hasRole|hasAuthority|isAuthenticated|requirePermission|checkPermission"
     r"|assertAuthorized|authenticate)\s*\("
-    r"|(?:Authentication|SecurityContext|Principal|AuthorizationManager|AccessDecisionManager)\b"
+    r"|SecurityContextHolder\."
+    r"|\.(?:getAuthentication|getSecurityContext|getPrincipal|isAuthorized|checkAccess)\s*\("
     r"|throw\s+new\s+(?:AccessDeniedException|UnauthorizedException|ForbiddenException|AuthenticationException)\b",
     re.MULTILINE,
 )
@@ -239,7 +242,7 @@ _LOMBOK_CTOR_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Transaction annotations whose args must be captured for semantic analysis.
-_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional"})
+_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional", "@TransactionalEventListener"})
 
 # Combined set used in _extract_symbols annotation-value capture.
 _CAPTURE_ANN_ARGS: frozenset[str] = (
@@ -307,7 +310,9 @@ _SPRING_OTHER: frozenset[str] = frozenset({
     "@PutMapping", "@DeleteMapping", "@PatchMapping", "@Autowired",
     "@Inject", "@Value", "@Qualifier", "@EnableWebSecurity",
     "@SpringBootApplication", "@EnableAutoConfiguration",
-    "@EventListener", "@Async", "@Scheduled", "@Cacheable", "@CacheEvict",
+    "@EventListener", "@TransactionalEventListener",
+    "@KafkaListener", "@RabbitListener",
+    "@Async", "@Scheduled", "@Cacheable", "@CacheEvict",
     # CDI / Jakarta EE
     "@ApplicationScoped", "@RequestScoped", "@SessionScoped", "@Dependent",
     "@Named", "@Produces", "@Consumes",
@@ -321,6 +326,30 @@ _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
+# Class-level consumer detection from class signature (not annotations).
+# Pattern 1: implements [Prefix]ApplicationListener<EventType>
+#            Matches both the standard Spring interface (ApplicationListener<E>) and
+#            framework-specific subinterfaces (BroadleafApplicationListener<E>,
+#            SmartApplicationListener<E>, etc.).  Uses \w* prefix instead of \b so
+#            that "Broadleaf" prefix does not break the word boundary. (BUG-EVT-001)
+_APP_LISTENER_RE = re.compile(r'\w*ApplicationListener\s*<\s*(\w+)\s*>')
+# Pattern 2: extends AbstractXxxEventListener<EventType> — abstract base class pattern
+#            (Broadleaf's AbstractBroadleafApplicationEventListener and similar).
+#            Matches any parent class name that contains "EventListener".
+_ABSTRACT_LISTENER_RE = re.compile(r'\bextends\s+\w+EventListener\w*\s*<\s*(\w+)\s*>')
+
+# Block comment stripper — removes /* ... */ (including Javadoc) to prevent
+# _PUBLISH_EVENT_RE / _FIRE_EVENT_RE from matching example code in comments.
+_BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
+_LINE_COMMENT_RE = re.compile(r'//[^\n]*')
+
+
+def _strip_java_comments(source: str) -> str:
+    """Remove // line comments and /* */ block comments from Java source."""
+    source = _BLOCK_COMMENT_RE.sub(' ', source)
+    source = _LINE_COMMENT_RE.sub(' ', source)
+    return source
+
 # Edge types used for subsystem grouping — semantic hierarchy only, not imports
 _SUBSYSTEM_STRUCTURAL_EDGES: frozenset[str] = frozenset({
     "extends", "implements", "injects", "contained_in",
@@ -544,9 +573,37 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
     pending_ann_values: dict[str, str] = {}
     in_block_comment = False
 
+    # BUG-PARSER-001: normalize multi-line class declarations where the opening brace
+    # appears on a continuation line (e.g. "implements A,\n  B, C {").
+    # _CLASS_DECL_RE requires '{' on the same line as 'class' — joining the continuation
+    # here makes the regex work without changing the per-line brace-depth counter.
+    _raw_lines = source.splitlines()
+    _joined: list[str] = []
+    _i = 0
+    _CLASS_KW_RE = re.compile(r'\b(?:class|interface|enum)\s+[A-Z]')
+    while _i < len(_raw_lines):
+        _line = _raw_lines[_i]
+        _stripped = _line.strip()
+        if (_CLASS_KW_RE.search(_stripped) and '{' not in _stripped
+                and not _stripped.startswith('//')
+                and not _stripped.startswith('*')):
+            # Continuation: join until we hit a line containing '{'
+            _buf = _line
+            _i += 1
+            while _i < len(_raw_lines):
+                _cont = _raw_lines[_i]
+                _buf = _buf.rstrip() + ' ' + _cont.strip()
+                _i += 1
+                if '{' in _cont:
+                    break
+            _joined.append(_buf)
+        else:
+            _joined.append(_line)
+            _i += 1
+
     # P1 fix: normalize multiline annotations (e.g. @RequestMapping(\n  value="..."\n))
     # into single lines so the per-line regex can capture annotation args correctly.
-    _normalized_lines = _normalize_multiline_annotations(source.splitlines())
+    _normalized_lines = _normalize_multiline_annotations(_joined)
 
     for line in _normalized_lines:
         stripped = line.strip()
@@ -1101,24 +1158,34 @@ def _build_relations(
                 ))
 
     # Event flow edges — listens_to_event and publishes_event.
-    # Spring: method with @EventListener → resolved event parameter type(s).
+    # Spring: method with @EventListener or @TransactionalEventListener → resolved event type(s).
+    _LISTENER_ANNOTATIONS: frozenset[str] = frozenset({
+        "@EventListener", "@TransactionalEventListener",
+    })
     for sym in symbols:
-        if sym.type == "method" and "@EventListener" in sym.annotations:
+        if sym.type == "method" and (sym.annotations and
+                any(a in _LISTENER_ANNOTATIONS for a in sym.annotations)):
+            ann = next(a for a in sym.annotations if a in _LISTENER_ANNOTATIONS)
             for imp_fqn in sym.imports_used:
                 edges.append(RelationEdge(
                     from_symbol=sym.symbol,
                     to_symbol=imp_fqn,
                     type="listens_to_event",
                     confidence="high",
-                    evidence={"type": "annotation", "value": "@EventListener"},
+                    evidence={"type": "annotation", "value": ann},
                 ))
 
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
+    # Strip comments before event scanning to prevent Javadoc examples from
+    # generating false publisher edges (BUG-003).
+    _source_no_comments = _strip_java_comments(source)
+
     # Spring: class that calls publishEvent(new XxxEvent(...)) → event type FQN.
-    for m in _PUBLISH_EVENT_RE.finditer(source):
+    for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        # BUG-004: try import_map first, then same-package map, then keep simple name.
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1129,9 +1196,9 @@ def _build_relations(
             ))
 
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
-    for m in _FIRE_EVENT_RE.finditer(source):
+    for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1154,6 +1221,34 @@ def _build_relations(
                 evidence={"type": "signature", "value": f"implements {_ELP_IFACE}"},
             ))
 
+    # Class-level consumer detection via class signature (EVT-003 / EVT-004).
+    # Pattern A: class Foo implements ApplicationListener<XxxEvent>
+    #            → standard Spring interface, event type = generic param.
+    # Pattern B: class Foo extends AbstractXxxEventListener<XxxEvent>
+    #            → abstract base class pattern (Broadleaf and similar frameworks),
+    #              event type = generic param of the parent class.
+    for sym in _class_syms:
+        sig = sym.signature or ""
+        for pattern, ev_label in (
+            (_APP_LISTENER_RE, "implements ApplicationListener"),
+            (_ABSTRACT_LISTENER_RE, "extends *EventListener"),
+        ):
+            m = pattern.search(sig)
+            if m:
+                event_simple = m.group(1)
+                event_fqn = (
+                    import_map.get(event_simple)
+                    or _same_pkg.get(event_simple)
+                    or event_simple
+                )
+                edges.append(RelationEdge(
+                    from_symbol=sym.symbol,
+                    to_symbol=event_fqn,
+                    type="listens_to_event",
+                    confidence="high",
+                    evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
+                ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -2314,8 +2409,12 @@ def _assemble(
             for sym in _class_syms_asm
         )
     )
+    # Only real annotation-based policies count (not "programmatic" fallback).
+    # Programmatic security does not mean every unannotated endpoint is unsecured.
     _has_ann_sec_asm = any(
-        r.get("security_annotations") for r in _route_surface
+        isinstance(r.get("security_annotations"), dict)
+        and r["security_annotations"].get("policy") not in (None, "programmatic", "none_detected")
+        for r in _route_surface
         if isinstance(r, dict)
     )
     if _filter_based_asm and _has_ann_sec_asm:
@@ -3165,7 +3264,7 @@ def extract_java_endpoints(root: Path) -> "dict[str, Any]":
         )
     )
     _has_annotation_security = any(
-        e.get("security", {}).get("policy") != "none_detected"
+        e.get("security", {}).get("policy") not in (None, "none_detected", "programmatic")
         for e in endpoints
     )
     if _filter_based and _has_annotation_security:

sourcecode/spring_event_topology.py

@@ -0,0 +1,427 @@
+"""spring_event_topology.py — Event Topology: event_class → publishers, consumers, propagation graph.
+
+Pipeline:
+  1. Resolve event symbol from CIR
+  2. Find publishers via model.event_graph
+  3. Find Spring consumers via model.event_graph (EventListener + TransactionalEventListener)
+  4. Enrich consumers with TX phase from raw IR annotation_values
+  5. Build event propagation graph (BFS depth ≤ 2)
+  6. Attach TX semantics: AFTER_COMMIT consumers, BEFORE_COMMIT risks
+  7. Compute risk level + confidence
+
+Hard constraints:
+  - NO guessing / LLM inference
+  - ONLY CIR + AST-derived annotation data
+  - Deterministic: identical CIR → identical result
+  - Reuses model.event_graph + model.tx_index — no duplicate CIR traversal
+
+Usage:
+    model = SpringSemanticModel.build(cir)
+    result = run_event_topology(cir, "com.example.OrderCreatedEvent", model=model)
+    output = json.dumps(result.to_dict(), indent=2)
+"""
+from __future__ import annotations
+
+import re
+import time
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING, Optional
+
+if TYPE_CHECKING:
+    from sourcecode.canonical_ir import CanonicalRepositoryIR
+    from sourcecode.spring_model import SpringSemanticModel
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+_SCHEMA_VERSION = "1.0"
+
+# Phase annotation value parser: phase=TransactionPhase.AFTER_COMMIT
+_TX_PHASE_RE = re.compile(r'phase\s*=\s*(?:TransactionPhase\.)?(\w+)')
+
+# TransactionalEventListener default phase (Spring default)
+_DEFAULT_TX_PHASE = "AFTER_COMMIT"
+
+_RISK_FANOUT_HIGH = 5
+_RISK_FANOUT_MEDIUM = 2
+
+
+# ---------------------------------------------------------------------------
+# Data model
+# ---------------------------------------------------------------------------
+
+@dataclass
+class EventConsumer:
+    """Single consumer of a Spring application event."""
+    fqn: str
+    type: str               # "spring_event" | "transactional"
+    transactional_phase: str  # "" | "BEFORE_COMMIT" | "AFTER_COMMIT" | "AFTER_ROLLBACK" | "AFTER_COMPLETION"
+    source_file: str
+
+    def to_dict(self) -> dict:
+        d: dict = {
+            "fqn": self.fqn,
+            "type": self.type,
+            "source_file": self.source_file,
+        }
+        if self.transactional_phase:
+            d["transactional_phase"] = self.transactional_phase
+        return d
+
+
+@dataclass
+class EventTopologyResult:
+    """Output contract for event topology query.
+
+    Stable contract — do not remove or rename fields.
+    """
+    schema_version: str = _SCHEMA_VERSION
+    event_class: str = ""
+    resolution: str = "not_found"   # "exact" | "class_expanded" | "partial" | "not_found"
+    publishers: list[str] = field(default_factory=list)
+    consumers: list[dict] = field(default_factory=list)
+    event_graph: dict = field(default_factory=dict)
+    transaction_context: dict = field(default_factory=dict)
+    risk_level: str = "low"
+    confidence: str = "high"
+    limitations: list[str] = field(default_factory=list)
+    metadata: dict = field(default_factory=dict)
+
+    def to_dict(self) -> dict:
+        return {
+            "schema_version": self.schema_version,
+            "event_class": self.event_class,
+            "resolution": self.resolution,
+            "publishers": self.publishers,
+            "consumers": self.consumers,
+            "event_graph": self.event_graph,
+            "transaction_context": self.transaction_context,
+            "risk_level": self.risk_level,
+            "confidence": self.confidence,
+            "limitations": self.limitations,
+            "metadata": self.metadata,
+        }
+
+
+# ---------------------------------------------------------------------------
+# Internal helpers
+# ---------------------------------------------------------------------------
+
+def _class_of(fqn: str) -> str:
+    if "#" in fqn:
+        return fqn.split("#")[0]
+    return fqn
+
+
+def _build_fqn_index(cir: "CanonicalRepositoryIR") -> dict[str, dict]:
+    """Build FQN → raw IR node dict for fast annotation lookup.
+
+    Reads once from cir._raw_ir.  Returns {} if raw IR not available.
+    """
+    raw = getattr(cir, "_raw_ir", {}) or {}
+    nodes = (raw.get("graph") or {}).get("nodes") or []
+    return {n["fqn"]: n for n in nodes if "fqn" in n}
+
+
+def _extract_tx_phase(annotation_values: dict, annotations: list) -> str:
+    """Extract @TransactionalEventListener phase from annotation_values.
+
+    Returns empty string for plain @EventListener (no TX constraint).
+    Returns _DEFAULT_TX_PHASE when annotation present but phase not specified.
+    """
+    if "@TransactionalEventListener" not in annotations:
+        return ""
+    raw_args = annotation_values.get("@TransactionalEventListener", "")
+    if not raw_args:
+        return _DEFAULT_TX_PHASE
+    m = _TX_PHASE_RE.search(raw_args)
+    if m:
+        return m.group(1).upper()
+    return _DEFAULT_TX_PHASE
+
+
+def _resolve_event_symbol(
+    event_class: str,
+    cir: "CanonicalRepositoryIR",
+) -> tuple[str, str, list[str]]:
+    """Resolve event_class to CIR FQN.
+
+    Returns (resolved_fqn, resolution, warnings).
+    resolution: "exact" | "class_expanded" | "not_found"
+    """
+    symbols = cir.symbols
+    warnings: list[str] = []
+
+    # 1. Exact FQN match
+    if event_class in symbols:
+        return event_class, "exact", []
+
+    # 2. Class-part suffix match (handles simple names like "OrderCreatedEvent")
+    candidates = [
+        s for s in symbols
+        if _class_of(s) == event_class or _class_of(s).endswith("." + event_class)
+    ]
+    unique_classes = {_class_of(s) for s in candidates}
+    if len(unique_classes) == 1:
+        return next(iter(unique_classes)), "class_expanded", []
+    if len(unique_classes) > 1:
+        # Multiple matches — take first alphabetically, warn
+        chosen = sorted(unique_classes)[0]
+        warnings.append(
+            f"Ambiguous event class '{event_class}': matched {sorted(unique_classes)}. "
+            f"Using '{chosen}'."
+        )
+        return chosen, "partial", warnings
+
+    return "", "not_found", [f"Event class '{event_class}' not found in CIR."]
+
+
+def _find_kafka_rabbit_counts(
+    fqn_index: dict[str, dict],
+) -> tuple[int, int]:
+    """Count @KafkaListener and @RabbitListener methods in raw IR."""
+    kafka_count = 0
+    rabbit_count = 0
+    for node in fqn_index.values():
+        anns = node.get("annotations") or []
+        if "@KafkaListener" in anns:
+            kafka_count += 1
+        if "@RabbitListener" in anns:
+            rabbit_count += 1
+    return kafka_count, rabbit_count
+
+
+def _compute_event_risk(
+    publisher_count: int,
+    consumer_count: int,
+    before_commit_count: int,
+    cross_module: bool,
+) -> str:
+    """Deterministic risk scoring per spec.
+
+    high: fanout > 5 OR cross-module propagation OR BEFORE_COMMIT consumers
+    medium: 2–5 consumers
+    low: ≤1 consumer
+    """
+    if consumer_count > _RISK_FANOUT_HIGH or cross_module or before_commit_count > 0:
+        return "high"
+    if consumer_count >= _RISK_FANOUT_MEDIUM:
+        return "medium"
+    return "low"
+
+
+# ---------------------------------------------------------------------------
+# Orchestrator
+# ---------------------------------------------------------------------------
+
+class EventTopologyOrchestrator:
+    """Stateless query engine: event_class → EventTopologyResult.
+
+    Consumes pre-built CIR + SpringSemanticModel. Never re-derives data
+    already present in the model.
+    """
+
+    def query(
+        self,
+        cir: "CanonicalRepositoryIR",
+        model: "SpringSemanticModel",
+        event_class: str,
+    ) -> EventTopologyResult:
+        """Execute event topology query.
+
+        Args:
+            cir:         CanonicalRepositoryIR from build_canonical_ir().
+            model:       Pre-built SpringSemanticModel.
+            event_class: Event class FQN or simple name.
+        """
+        t0 = time.monotonic()
+        warnings: list[str] = []
+        limitations: list[str] = [
+            "Only Spring annotations detected (@EventListener, @TransactionalEventListener).",
+            "No runtime dynamic event routing — static analysis only.",
+        ]
+
+        # ── 1. Resolve event symbol ────────────────────────────────────────
+        resolved_fqn, resolution, sym_warnings = _resolve_event_symbol(event_class, cir)
+        warnings.extend(sym_warnings)
+
+        if resolution == "not_found" or not resolved_fqn:
+            elapsed = round((time.monotonic() - t0) * 1000, 2)
+            return EventTopologyResult(
+                event_class=event_class,
+                resolution="not_found",
+                limitations=limitations + [f"Event class '{event_class}' not found in CIR."],
+                confidence="low",
+                metadata={"query_time_ms": elapsed},
+            )
+
+        # ── 2. Build FQN index for annotation lookups ──────────────────────
+        fqn_index = _build_fqn_index(cir)
+
+        # ── 3. Find publishers ─────────────────────────────────────────────
+        publishers = sorted(model.event_graph.publishers_of(resolved_fqn))
+
+        # ── 4. Find Spring consumers, enrich with TX phase ─────────────────
+        raw_consumer_fqns = model.event_graph.listeners_of(resolved_fqn)
+        consumers: list[EventConsumer] = []
+        for fqn in sorted(raw_consumer_fqns):
+            node = fqn_index.get(fqn) or {}
+            anns = node.get("annotations") or []
+            ann_vals = node.get("annotation_values") or {}
+            source_file = node.get("source_file") or ""
+            tx_phase = _extract_tx_phase(ann_vals, anns)
+            consumer_type = "transactional" if tx_phase else "spring_event"
+            consumers.append(EventConsumer(
+                fqn=fqn,
+                type=consumer_type,
+                transactional_phase=tx_phase,
+                source_file=source_file,
+            ))
+
+        # ── 5. Build event propagation graph (BFS ≤ 2) ────────────────────
+        graph_edges: list[dict] = []
+
+        # Level 0 → 1: publisher → event_class, event_class → consumer
+        for pub in publishers:
+            graph_edges.append({"from": pub, "to": resolved_fqn, "type": "publishes"})
+        for c in consumers:
+            graph_edges.append({"from": resolved_fqn, "to": c.fqn, "type": "consumes"})
+
+        # Level 1 → 2: consumers that also publish other events
+        level2_events: dict[str, list[str]] = {}  # secondary_event → [l2_consumers]
+        for c in consumers:
+            # Check if this consumer FQN also publishes events
+            # The event_graph publishers dict is indexed by event_type → [publisher_fqns]
+            for evt_type, pub_fqns in model.event_graph.publishers.items():
+                if evt_type == resolved_fqn:
+                    continue  # same event, skip
+                consumer_class = _class_of(c.fqn)
+                matching = [p for p in pub_fqns
+                            if p == c.fqn or _class_of(p) == consumer_class]
+                if matching:
+                    graph_edges.append({
+                        "from": c.fqn,
+                        "to": evt_type,
+                        "type": "re_publishes",
+                    })
+                    l2_listeners = model.event_graph.listeners_of(evt_type)
+                    level2_events[evt_type] = sorted(l2_listeners)
+                    for l2 in sorted(l2_listeners):
+                        graph_edges.append({
+                            "from": evt_type,
+                            "to": l2,
+                            "type": "consumes",
+                        })
+
+        # ── 6. Kafka/Rabbit counts (metadata only — not linkable to event_class) ──
+        kafka_count, rabbit_count = _find_kafka_rabbit_counts(fqn_index)
+        if kafka_count > 0 or rabbit_count > 0:
+            limitations.append(
+                f"Kafka/RabbitMQ consumer binding not supported in v1 — "
+                f"{kafka_count} @KafkaListener and {rabbit_count} @RabbitListener "
+                f"method(s) found in repo; cannot link to event class without "
+                f"explicit topic-to-event mapping."
+            )
+
+        # ── 7. TX context ──────────────────────────────────────────────────
+        after_commit = [c.fqn for c in consumers if c.transactional_phase == "AFTER_COMMIT"]
+        before_commit_risks = [c.fqn for c in consumers if c.transactional_phase == "BEFORE_COMMIT"]
+        tx_context = {
+            "after_commit_consumers": after_commit,
+            "before_commit_risks": before_commit_risks,
+        }
+
+        # ── 8. Cross-module detection ──────────────────────────────────────
+        # Simple heuristic: publisher and consumer in different top-level packages
+        pub_packages = {_class_of(p).rsplit(".", 2)[0] for p in publishers if "." in _class_of(p)}
+        con_packages = {_class_of(c.fqn).rsplit(".", 2)[0] for c in consumers if "." in _class_of(c.fqn)}
+        cross_module = bool(pub_packages and con_packages and not pub_packages.isdisjoint(con_packages) is False)
+        # More precise: cross-module if top-2-segment packages differ
+        def _top2(fqn: str) -> str:
+            parts = _class_of(fqn).split(".")
+            return ".".join(parts[:2]) if len(parts) >= 2 else fqn
+
+        pub_top2 = {_top2(p) for p in publishers}
+        con_top2 = {_top2(c.fqn) for c in consumers}
+        cross_module = bool(pub_top2 and con_top2 and pub_top2 != con_top2)
+
+        # ── 9. Risk ────────────────────────────────────────────────────────
+        risk_level = _compute_event_risk(
+            publisher_count=len(publishers),
+            consumer_count=len(consumers),
+            before_commit_count=len(before_commit_risks),
+            cross_module=cross_module,
+        )
+
+        # ── 10. Confidence ─────────────────────────────────────────────────
+        if resolution == "partial" or warnings:
+            confidence = "medium"
+        elif not publishers and not consumers:
+            confidence = "low"
+        else:
+            confidence = "high"
+
+        elapsed_ms = round((time.monotonic() - t0) * 1000, 2)
+
+        return EventTopologyResult(
+            schema_version=_SCHEMA_VERSION,
+            event_class=resolved_fqn,
+            resolution=resolution,
+            publishers=publishers,
+            consumers=[c.to_dict() for c in consumers],
+            event_graph={
+                "edges": graph_edges,
+                "level2_events": level2_events,
+            },
+            transaction_context=tx_context,
+            risk_level=risk_level,
+            confidence=confidence,
+            limitations=limitations,
+            metadata={
+                "query_time_ms": elapsed_ms,
+                "publisher_count": len(publishers),
+                "consumer_count": len(consumers),
+                "kafka_listeners_in_repo": kafka_count,
+                "rabbit_listeners_in_repo": rabbit_count,
+                "before_commit_risk_count": len(before_commit_risks),
+                "level2_events": list(level2_events.keys()),
+                "cross_module": cross_module,
+                "model_build_time_ms": model.build_time_ms,
+            },
+        )
+
+
+# ---------------------------------------------------------------------------
+# Convenience entry point
+# ---------------------------------------------------------------------------
+
+def run_event_topology(
+    cir: "CanonicalRepositoryIR",
+    event_class: str,
+    *,
+    model: "Optional[SpringSemanticModel]" = None,
+) -> EventTopologyResult:
+    """Run event topology query from a CIR.
+
+    Args:
+        cir:         CanonicalRepositoryIR from build_canonical_ir().
+        event_class: Event class FQN or simple name.
+        model:       Pre-built SpringSemanticModel. Built internally if None.
+
+    Returns EventTopologyResult — always JSON-serializable, never raises.
+    """
+    from sourcecode.spring_model import SpringSemanticModel as _SSM
+
+    try:
+        if model is None:
+            model = _SSM.build(cir)
+        orchestrator = EventTopologyOrchestrator()
+        return orchestrator.query(cir, model, event_class)
+    except Exception as exc:
+        return EventTopologyResult(
+            event_class=event_class,
+            resolution="not_found",
+            limitations=[f"Internal error: {type(exc).__name__}: {exc}"],
+            confidence="low",
+        )

sourcecode/spring_impact.py

@@ -289,9 +289,16 @@ def _bfs_callers(
                 _add_caller(caller, depth)
                 # CH-002: injects edge to a field/constructor node → also traverse
                 # the containing class, bypassing the skipped contained_in edge.
-                if etype == "injects" and "#" in caller:
-                    class_fqn = caller.rsplit("#", 1)[0]
-                    _add_caller(class_fqn, depth)
+                # Two formats emitted by the CIR parser:
+                #   Constructor injection: pkg.Class#<init>  (hash separator)
+                #   Field injection:       pkg.Class.field   (dot, lowercase last segment)
+                if etype == "injects":
+                    if "#" in caller:
+                        _add_caller(caller.rsplit("#", 1)[0], depth)
+                    elif "." in caller:
+                        last_seg = caller.rsplit(".", 1)[1]
+                        if last_seg and last_seg[0].islower():
+                            _add_caller(caller.rsplit(".", 1)[0], depth)
 
     return direct, indirect, was_truncated
 
@@ -316,10 +323,16 @@ def _collect_endpoints(
     """
     all_fqns = set(seed_fqns) | set(all_callers)
 
-    # Class-level seeds: controller class nodes (no '#') that are controllers.
-    # These arise when the user queries an entire class, not a specific method.
+    # Class-level controller FQNs (no '#') that appear anywhere in the chain.
+    # Two cases produce a class-level controller node in the chain:
+    #   1. Seed is the controller class itself (user queried the whole controller).
+    #   2. Caller is the controller class node — happens when a service/repository
+    #      is injected into a controller: the BFS reverse edge lands on the class
+    #      node (e.g. "OwnerController" with no '#'), not a specific method.
+    #      All endpoints of that controller are affected because any change to the
+    #      injected dependency impacts every handler that uses it.
     class_level_controllers: set[str] = {
-        fqn for fqn in seed_fqns
+        fqn for fqn in all_fqns
         if "#" not in fqn and fqn in model.endpoint_index.controller_fqns
     }
 
@@ -327,7 +340,7 @@ def _collect_endpoints(
     seen_ep_ids: set[str] = set()
 
     # Collect candidate controllers: those whose handler_symbol is in the chain
-    # OR whose class node was a seed (class-level query).
+    # OR whose class node appears in the chain (class-level).
     candidate_controllers: set[str] = set(class_level_controllers)
     for fqn in all_fqns:
         cls = _class_of(fqn)
@@ -339,8 +352,8 @@ def _collect_endpoints(
             handler = getattr(ep, "handler_symbol", "") or ""
             ep_id = getattr(ep, "id", "") or ""
 
-            # Include if: handler is directly in call chain OR controller is a
-            # class-level seed (whole-class query, all its endpoints in scope).
+            # Include if: handler method is in call chain OR the controller's class
+            # node appears at class-level in the chain (seed or DI-injected class).
             if handler not in all_fqns and controller not in class_level_controllers:
                 continue
 
@@ -561,6 +574,32 @@ class ImpactOrchestrator:
                     f"added {n_syms} symbol(s) from {n_classes} implementation(s)."
                 )
 
+        # CH-001b: expand impl seeds to include their interfaces for BFS (BUG-IC-002).
+        # Callers typically inject the interface type, so reverse-graph edges live on
+        # the interface node, not on the implementation node.  Without this expansion,
+        # querying 'OrderServiceImpl' finds 0 callers even though 36 classes inject it.
+        if impl_graph is not None:
+            current_seed_classes = {_class_of(s) for s in seed_fqns}
+            iface_seeds: list[str] = []
+            iface_classes_added: set[str] = set()
+            for seed_class in sorted(current_seed_classes):
+                ifaces = impl_graph.interfaces_of(seed_class)
+                for iface_class in ifaces:
+                    if iface_class in iface_classes_added or iface_class in current_seed_classes:
+                        continue
+                    iface_classes_added.add(iface_class)
+                    for sym in cir.symbols:
+                        if _class_of(sym) == iface_class and sym not in set(seed_fqns):
+                            iface_seeds.append(sym)
+            if iface_seeds:
+                seed_fqns = list(dict.fromkeys(seed_fqns + iface_seeds))
+                n_classes = len(iface_classes_added)
+                n_syms = len(iface_seeds)
+                warnings.append(
+                    f"Implementation-to-interface expansion (CH-001b): "
+                    f"added {n_syms} symbol(s) from {n_classes} interface(s) for caller BFS."
+                )
+
         # ── 2. BFS through reverse graph ─────────────────────────────────
         direct_callers, indirect_callers, truncated = _bfs_callers(
             seed_fqns, cir.reverse_graph, depth
@@ -580,8 +619,13 @@ class ImpactOrchestrator:
         try:
             boundary = model.tx_index.effective_boundary(resolved_symbol)
             if boundary is None and "#" not in resolved_symbol:
-                # Class-level symbol — try class_level directly
+                # Class-level symbol — try class_level directly, then fall back
+                # to first method-level boundary if class has only method-level TX.
                 boundary = model.tx_index.class_level.get(resolved_symbol)
+                if boundary is None:
+                    method_boundaries = model.tx_index.by_class.get(resolved_symbol, [])
+                    if method_boundaries:
+                        boundary = method_boundaries[0]
             if boundary is not None:
                 tx_boundary = boundary.to_dict()
         except Exception:

sourcecode/spring_tx_analyzer.py

@@ -63,6 +63,30 @@ _CATCH_SWALLOW_RE = re.compile(
 _RETHROW_IN_CATCH_RE = re.compile(r'\bthrow\b')
 
 
+def _extract_method_body(source: str, method_name: str) -> str:
+    """Extract the first method body matching method_name using brace counting.
+
+    Returns the text from '{' to the matching '}', or empty string if not found.
+    Needed to scope TX-005 regex to the specific method instead of the whole file.
+    """
+    pattern = re.compile(r'\b' + re.escape(method_name) + r'\s*\(')
+    for m in pattern.finditer(source):
+        brace_pos = source.find('{', m.end())
+        if brace_pos < 0:
+            continue
+        depth = 1
+        i = brace_pos + 1
+        while i < len(source) and depth > 0:
+            c = source[i]
+            if c == '{':
+                depth += 1
+            elif c == '}':
+                depth -= 1
+            i += 1
+        return source[brace_pos:i]
+    return ""
+
+
 # ---------------------------------------------------------------------------
 # Pattern protocol
 # ---------------------------------------------------------------------------
@@ -531,8 +555,16 @@ class _TX005ExceptionSwallowing:
         return findings
 
     def _has_swallowed_exception(self, source: str, symbol: str) -> bool:
-        """Return True if source contains a catch-log-no-rethrow pattern."""
-        for match in _CATCH_SWALLOW_RE.finditer(source):
+        """Return True if the specific method body has a catch-log-no-rethrow pattern.
+
+        Scopes the search to the method body only (not the whole file) to avoid
+        false positives when other methods in the same file have swallowed exceptions.
+        """
+        method_name = symbol.split("#")[-1] if "#" in symbol else symbol.rsplit(".", 1)[-1]
+        body = _extract_method_body(source, method_name)
+        if not body:
+            return False
+        for match in _CATCH_SWALLOW_RE.finditer(body):
             block = match.group(0)
             if not _RETHROW_IN_CATCH_RE.search(block):
                 return True

{sourcecode-1.35.2.dist-info → sourcecode-1.35.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.2
+Version: 1.35.4
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.2-blue)
+![Version](https://img.shields.io/badge/version-1.35.4-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -113,7 +113,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.4
 ```
 
 ---
@@ -133,6 +133,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -187,15 +196,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -262,6 +277,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -312,6 +330,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.2.dist-info → sourcecode-1.35.4.dist-info}/RECORD

@@ -1,13 +1,13 @@
-sourcecode/__init__.py,sha256=e_12xn8iAOn0Ld38ig-U9tbnikpJi5jHz6llETh6nDk,103
+sourcecode/__init__.py,sha256=HvT-OD6BpIxm8uMM8dF8IJUh4mkn6RKbB0__ghb_vHI,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=qh749a7ykPtGmQI1MR9y6j8TtL_jBdVYFx9YRsLqOMw,44121
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
 sourcecode/ast_extractor.py,sha256=_btmeOJIe3t-NicF94D5ZAesa2YIJ0_QNExGnbHxGFE,50578
 sourcecode/cache.py,sha256=wAyPrXN5DqiGivnMpeEuun2xHDKfBer2_oBsh6kj_vc,30447
 sourcecode/canonical_ir.py,sha256=uwpwCnJxMh_eiIVg4cOLv7-aZthvmDFcG4azCOycLkw,24281
-sourcecode/cir_graphs.py,sha256=6CBwPoFCbHrqW8Bq_9fZUMi2IgcQBmoaiXiJjlOY9QE,7740
+sourcecode/cir_graphs.py,sha256=wuRjW0MjSr9KLq03L1TzYqkIeY_phUmIbVA3FQDfHKk,8603
 sourcecode/classifier.py,sha256=2lYoSH3vOTkXZYPU7Go2WIet1-IuNzTWVhc-ULnXtgw,8024
-sourcecode/cli.py,sha256=D6QbdECWLdGENhugefKVBEmVzBg3YP2DOMoIX60zlj8,214843
+sourcecode/cli.py,sha256=UI80E2S1g6Ui300-vICvn4B7NXIuGYWE4a0FXrBa-8E,216875
 sourcecode/code_notes_analyzer.py,sha256=EJemNCNc9Dn-1RZYu-aNbK0ELzmsyC4s6FdHi3XyNEI,9392
 sourcecode/confidence_analyzer.py,sha256=_jckZSxksV-OU38vbkxfVNBnWCtlCq8Vwfg23x1uspA,19054
 sourcecode/context_scorer.py,sha256=QpChSpsmaAYz91rXA4Ue5xzQmNz_ZboZN09YOHScq1U,14679
@@ -36,19 +36,20 @@ sourcecode/ranking_engine.py,sha256=ZAucq_YX2KkWUuAZf4P0lhtQ_38vEFnUhuGtSZd1S0E,
 sourcecode/redactor.py,sha256=SB4hwIvg8h-hvcqKcDWaZvA-aSyn-at-BIRwa0tUv5E,3227
 sourcecode/relevance_scorer.py,sha256=0AgEt4KrV73nioMqBgjhGjtY7L2C7L7cSyKtj3IKcrw,9408
 sourcecode/repo_classifier.py,sha256=FG1vaWKdWXsWdl-S8hjVMiTqcwgaRXkDyvK4rPcOGtQ,22681
-sourcecode/repository_ir.py,sha256=54L2tN0e_fEhAspMAaz8ft43Y5RiRNEZ5CtpO7HQwqA,162600
+sourcecode/repository_ir.py,sha256=uLIewoLBg4nknI1JlI8bPo_kl9SVyT-GFQqENTeFz1M,167673
 sourcecode/ris.py,sha256=RcqLVwC-doFcKKViYDkCjZLBqf_wzLES7-F6vHEeWzE,20419
 sourcecode/runtime_classifier.py,sha256=uTAD6BDCiBLUZEDRfqk718kM4RTT_vAbfkcOI2_Xx58,18432
 sourcecode/scanner.py,sha256=WdOQ78mMzjR1NjmKTlbxdgwinnCTfAhxCVLBEFQiFHU,8899
 sourcecode/schema.py,sha256=aHNXDf8LGyUC8ZDE_VS9kiskC2-Oswhi_WnpdGy6HDw,24897
 sourcecode/semantic_analyzer.py,sha256=TDuC3wzZR2DPm1mgrAg1YSLk2QzJoueS3TZAmyGGpCU,89417
 sourcecode/serializer.py,sha256=ooNZW2_fqx__BXII25eAWq-BomodvqQ6opUT_niQYCA,123403
+sourcecode/spring_event_topology.py,sha256=LvGv5RXtU_O-fVB_OO9eDD2UmZM72Jn2oUHgOo50Qm0,17157
 sourcecode/spring_findings.py,sha256=8V91iHOg9hFgg6tLLl4FSsgrF-dBqOcO2s-K5sD_goA,5417
-sourcecode/spring_impact.py,sha256=ACmkbQMWgoJqZ9QLdHJLB1qNuFLgjEVv2r624X9Y6Y4,29004
+sourcecode/spring_impact.py,sha256=-ET4oB9tZQYfcyhfI781mMJCU-przz6x4Ejwr3hejA8,31743
 sourcecode/spring_model.py,sha256=IzMcM5ftw1_EHG3FGUDT7qdAMpo3eqbAE1LRuasfr_4,14739
 sourcecode/spring_security_audit.py,sha256=RPr491FGAmWNxqe-uN0FS2gmjQ0M5ryRyXjLNMMzKFk,20077
 sourcecode/spring_semantic.py,sha256=CiAf77p48-RFrUF0zbgww4w2Xigrbo1t5M3ZCDIfV_g,12032
-sourcecode/spring_tx_analyzer.py,sha256=0r5hQEd3fFERrcx2SZKuYixMdDGKIssRYxrlunmTMwQ,25952
+sourcecode/spring_tx_analyzer.py,sha256=eBcYLRKhlUllHl195CVGNWeg2vMext4u1Tezu_Mwrdg,27143
 sourcecode/summarizer.py,sha256=YspHEVeYJVmltq0FMtGZF8kIP3qiR2KLcanGL6Y7uTI,20747
 sourcecode/tree_utils.py,sha256=8GAkIfQAsvtEudIeW1l4ooH_oRtrWR8cpJQJsEa_Pfw,2093
 sourcecode/workspace.py,sha256=X_6NmNnitvT3_38V-JDChydo_sR68s249hLFlrQskU0,8271
@@ -89,8 +90,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=oEvvulfsv5GIDWG2174gSS6tNB95w38AIYiYeifGKlE,2294
 sourcecode/telemetry/filters.py,sha256=Asa71oRl7q3Wt_FMwuufIZJFzSYdgRNKS8LHCIyFeYE,4805
 sourcecode/telemetry/transport.py,sha256=KJeIPCPWMdmbCP3ySGs2iUlia34U6vWne2dZsUezesw,1560
-sourcecode-1.35.2.dist-info/METADATA,sha256=XdJipgxGDt6qiU1emmUPj1VS2ti9uOKsgB-f2VFq3jk,16440
-sourcecode-1.35.2.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.35.2.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.35.2.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.35.2.dist-info/RECORD,,
+sourcecode-1.35.4.dist-info/METADATA,sha256=Pl9s6-m8pSLDCwawxAneFDVHpQvJLxehMZvruYMWnr0,21263
+sourcecode-1.35.4.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.35.4.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.35.4.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.35.4.dist-info/RECORD,,