sourcecode 1.35.2__tar.gz → 1.35.4__tar.gz

{sourcecode-1.35.2 → sourcecode-1.35.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.2
+Version: 1.35.4
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.2-blue)
+![Version](https://img.shields.io/badge/version-1.35.4-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -113,7 +113,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.4
 ```
 
 ---
@@ -133,6 +133,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -187,15 +196,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -262,6 +277,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -312,6 +330,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.2 → sourcecode-1.35.4}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.2-blue)
+![Version](https://img.shields.io/badge/version-1.35.4-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.4
 ```
 
 ---
@@ -96,6 +96,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -150,15 +159,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -225,6 +240,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -275,6 +293,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.2 → sourcecode-1.35.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.35.2"
+version = "1.35.4"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.35.2 → sourcecode-1.35.4}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.2"
+__version__ = "1.35.4"

{sourcecode-1.35.2 → sourcecode-1.35.4}/src/sourcecode/cir_graphs.py

@@ -68,11 +68,23 @@ class ImplementationGraph:
             dependencies:  cir.dependencies — list of edge dicts with 'from'/'to'/'type'
             known_symbols: set(cir.symbols) — only in-repo FQNs
 
-        Excludes implements edges where the interface (to_fqn) is NOT in known_symbols
-        (e.g. java.io.Serializable, org.springframework.* framework interfaces).
+        The Java parser stores 'implements' edges with the simple class name in the 'to'
+        field (e.g. 'OrderService') rather than the FQN.  We resolve these via a
+        precomputed simple-name → FQN map built from known_symbols.  Only unambiguous
+        resolutions are accepted; external framework interfaces and ambiguous names are
+        excluded.
+
         Includes edges where the implementing class (from_fqn) is NOT in known_symbols
         only when the interface IS known — this handles partial-parse edge cases.
         """
+        # Pre-build simple-name → [FQN] lookup for class-level symbols only (no '#').
+        # Used to resolve unqualified interface names (BUG-IC-001).
+        _simple_to_fqn: dict[str, list[str]] = {}
+        for sym in known_symbols:
+            if "#" not in sym and "." in sym:
+                simple = sym.rsplit(".", 1)[1]
+                _simple_to_fqn.setdefault(simple, []).append(sym)
+
         impl_of: dict[str, list[str]] = {}
         ifaces_of: dict[str, list[str]] = {}
 
@@ -83,9 +95,13 @@ class ImplementationGraph:
             to_fqn = (edge.get("to") or "").strip()
             if not from_fqn or not to_fqn:
                 continue
-            # Only track when the interface is an in-repo symbol
+            # Resolve to_fqn: prefer exact known-symbol match, then try simple-name lookup.
+            # Rejects external interfaces (java.*, org.springframework.*) and ambiguous names.
             if to_fqn not in known_symbols:
-                continue
+                candidates = _simple_to_fqn.get(to_fqn, [])
+                if len(candidates) != 1:
+                    continue
+                to_fqn = candidates[0]
             # Ignore malformed FQNs (e.g. generic type fragments like "Long>")
             if ">" in to_fqn or "<" in to_fqn:
                 continue

{sourcecode-1.35.2 → sourcecode-1.35.4}/src/sourcecode/cli.py

@@ -3917,6 +3917,11 @@ def impact_chain_cmd(
         False, "--copy", "-c",
         help="Copy output to clipboard after a successful run.",
     ),
+    query_type: str = typer.Option(
+        "impact", "--type", "-t",
+        help="Query type: impact (default) or events.",
+        show_default=True,
+    ),
 ) -> None:
     """Spring impact-chain: systemic blast radius of a symbol with TX/SEC enrichment.
 
@@ -3930,6 +3935,14 @@ def impact_chain_cmd(
       - impact_findings     — TX/SEC audit findings touching the call chain
       - risk_level          — critical | high | medium | low
 
+    \b
+    With --type events, returns event topology:
+      - publishers          — FQNs that publish the event class
+      - consumers           — listeners with TX phase metadata
+      - event_graph         — publisher → event → consumer edges (BFS ≤ 2)
+      - transaction_context — AFTER_COMMIT consumers, BEFORE_COMMIT risks
+      - risk_level          — high | medium | low
+
     \b
     Consumes SpringSemanticModel — zero duplicate CIR traversals.
     JAVA/SPRING ONLY.
@@ -3948,6 +3961,19 @@ def impact_chain_cmd(
     from sourcecode.spring_impact import run_impact_chain
     from sourcecode.spring_findings import SpringAuditResult
 
+    _VALID_TYPES = ("impact", "events")
+    if query_type not in _VALID_TYPES:
+        _emit_error_json(
+            INVALID_INPUT_CODE,
+            f"Invalid --type '{query_type}'. Valid values: {', '.join(_VALID_TYPES)}",
+            flag="--type",
+            value=query_type,
+            valid_values=list(_VALID_TYPES),
+            hint="Use --type impact (default) or --type events.",
+            expected="impact | events",
+        )
+        raise typer.Exit(code=1)
+
     target = path.resolve()
     if not target.exists() or not target.is_dir():
         _emit_error_json(
@@ -3970,7 +3996,7 @@ def impact_chain_cmd(
 
     file_list = find_java_files(target)
     if not file_list:
-        data = {
+        data: dict = {
             "schema_version": "1.0",
             "symbol": symbol,
             "resolution": "not_found",
@@ -3991,6 +4017,30 @@ def impact_chain_cmd(
 
     cir = build_canonical_ir(file_list, target)
     _model = SpringSemanticModel.build(cir)
+
+    if query_type == "events":
+        from sourcecode.spring_event_topology import run_event_topology
+        evt_result = run_event_topology(cir, symbol, model=_model)
+        data = evt_result.to_dict()
+        output = _serialize_dict(data, format)
+        if output_path is not None:
+            output_path.write_text(output, encoding="utf-8")
+            typer.echo(
+                f"Event topology written to {output_path} "
+                f"(risk: {evt_result.risk_level}, "
+                f"{evt_result.metadata.get('publisher_count', 0)} publishers, "
+                f"{evt_result.metadata.get('consumer_count', 0)} consumers)",
+                err=True,
+            )
+        else:
+            sys.stdout.buffer.write(output.encode("utf-8"))
+            sys.stdout.buffer.write(b"\n")
+            sys.stdout.buffer.flush()
+            if copy:
+                if _copy_to_clipboard(output):
+                    typer.echo("✓ copied to clipboard", err=True)
+        return
+
     result = run_impact_chain(cir, symbol, depth=depth, root=target, model=_model)
 
     data = result.to_dict()

{sourcecode-1.35.2 → sourcecode-1.35.4}/src/sourcecode/repository_ir.py

@@ -202,10 +202,13 @@ _FILTER_SECURITY_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Programmatic security: method-call patterns that indicate runtime auth enforcement.
+# Requires method-call or field-access context — bare class name mentions (imports,
+# type declarations) must NOT match or IAM/auth-domain repos generate false positives.
 _PROGRAMMATIC_SECURITY_RE = re.compile(
     r"\b(?:hasRole|hasAuthority|isAuthenticated|requirePermission|checkPermission"
     r"|assertAuthorized|authenticate)\s*\("
-    r"|(?:Authentication|SecurityContext|Principal|AuthorizationManager|AccessDecisionManager)\b"
+    r"|SecurityContextHolder\."
+    r"|\.(?:getAuthentication|getSecurityContext|getPrincipal|isAuthorized|checkAccess)\s*\("
     r"|throw\s+new\s+(?:AccessDeniedException|UnauthorizedException|ForbiddenException|AuthenticationException)\b",
     re.MULTILINE,
 )
@@ -239,7 +242,7 @@ _LOMBOK_CTOR_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Transaction annotations whose args must be captured for semantic analysis.
-_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional"})
+_TX_ANNOTATIONS: frozenset[str] = frozenset({"@Transactional", "@TransactionalEventListener"})
 
 # Combined set used in _extract_symbols annotation-value capture.
 _CAPTURE_ANN_ARGS: frozenset[str] = (
@@ -307,7 +310,9 @@ _SPRING_OTHER: frozenset[str] = frozenset({
     "@PutMapping", "@DeleteMapping", "@PatchMapping", "@Autowired",
     "@Inject", "@Value", "@Qualifier", "@EnableWebSecurity",
     "@SpringBootApplication", "@EnableAutoConfiguration",
-    "@EventListener", "@Async", "@Scheduled", "@Cacheable", "@CacheEvict",
+    "@EventListener", "@TransactionalEventListener",
+    "@KafkaListener", "@RabbitListener",
+    "@Async", "@Scheduled", "@Cacheable", "@CacheEvict",
     # CDI / Jakarta EE
     "@ApplicationScoped", "@RequestScoped", "@SessionScoped", "@Dependent",
     "@Named", "@Produces", "@Consumes",
@@ -321,6 +326,30 @@ _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
+# Class-level consumer detection from class signature (not annotations).
+# Pattern 1: implements [Prefix]ApplicationListener<EventType>
+#            Matches both the standard Spring interface (ApplicationListener<E>) and
+#            framework-specific subinterfaces (BroadleafApplicationListener<E>,
+#            SmartApplicationListener<E>, etc.).  Uses \w* prefix instead of \b so
+#            that "Broadleaf" prefix does not break the word boundary. (BUG-EVT-001)
+_APP_LISTENER_RE = re.compile(r'\w*ApplicationListener\s*<\s*(\w+)\s*>')
+# Pattern 2: extends AbstractXxxEventListener<EventType> — abstract base class pattern
+#            (Broadleaf's AbstractBroadleafApplicationEventListener and similar).
+#            Matches any parent class name that contains "EventListener".
+_ABSTRACT_LISTENER_RE = re.compile(r'\bextends\s+\w+EventListener\w*\s*<\s*(\w+)\s*>')
+
+# Block comment stripper — removes /* ... */ (including Javadoc) to prevent
+# _PUBLISH_EVENT_RE / _FIRE_EVENT_RE from matching example code in comments.
+_BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
+_LINE_COMMENT_RE = re.compile(r'//[^\n]*')
+
+
+def _strip_java_comments(source: str) -> str:
+    """Remove // line comments and /* */ block comments from Java source."""
+    source = _BLOCK_COMMENT_RE.sub(' ', source)
+    source = _LINE_COMMENT_RE.sub(' ', source)
+    return source
+
 # Edge types used for subsystem grouping — semantic hierarchy only, not imports
 _SUBSYSTEM_STRUCTURAL_EDGES: frozenset[str] = frozenset({
     "extends", "implements", "injects", "contained_in",
@@ -544,9 +573,37 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
     pending_ann_values: dict[str, str] = {}
     in_block_comment = False
 
+    # BUG-PARSER-001: normalize multi-line class declarations where the opening brace
+    # appears on a continuation line (e.g. "implements A,\n  B, C {").
+    # _CLASS_DECL_RE requires '{' on the same line as 'class' — joining the continuation
+    # here makes the regex work without changing the per-line brace-depth counter.
+    _raw_lines = source.splitlines()
+    _joined: list[str] = []
+    _i = 0
+    _CLASS_KW_RE = re.compile(r'\b(?:class|interface|enum)\s+[A-Z]')
+    while _i < len(_raw_lines):
+        _line = _raw_lines[_i]
+        _stripped = _line.strip()
+        if (_CLASS_KW_RE.search(_stripped) and '{' not in _stripped
+                and not _stripped.startswith('//')
+                and not _stripped.startswith('*')):
+            # Continuation: join until we hit a line containing '{'
+            _buf = _line
+            _i += 1
+            while _i < len(_raw_lines):
+                _cont = _raw_lines[_i]
+                _buf = _buf.rstrip() + ' ' + _cont.strip()
+                _i += 1
+                if '{' in _cont:
+                    break
+            _joined.append(_buf)
+        else:
+            _joined.append(_line)
+            _i += 1
+
     # P1 fix: normalize multiline annotations (e.g. @RequestMapping(\n  value="..."\n))
     # into single lines so the per-line regex can capture annotation args correctly.
-    _normalized_lines = _normalize_multiline_annotations(source.splitlines())
+    _normalized_lines = _normalize_multiline_annotations(_joined)
 
     for line in _normalized_lines:
         stripped = line.strip()
@@ -1101,24 +1158,34 @@ def _build_relations(
                 ))
 
     # Event flow edges — listens_to_event and publishes_event.
-    # Spring: method with @EventListener → resolved event parameter type(s).
+    # Spring: method with @EventListener or @TransactionalEventListener → resolved event type(s).
+    _LISTENER_ANNOTATIONS: frozenset[str] = frozenset({
+        "@EventListener", "@TransactionalEventListener",
+    })
     for sym in symbols:
-        if sym.type == "method" and "@EventListener" in sym.annotations:
+        if sym.type == "method" and (sym.annotations and
+                any(a in _LISTENER_ANNOTATIONS for a in sym.annotations)):
+            ann = next(a for a in sym.annotations if a in _LISTENER_ANNOTATIONS)
             for imp_fqn in sym.imports_used:
                 edges.append(RelationEdge(
                     from_symbol=sym.symbol,
                     to_symbol=imp_fqn,
                     type="listens_to_event",
                     confidence="high",
-                    evidence={"type": "annotation", "value": "@EventListener"},
+                    evidence={"type": "annotation", "value": ann},
                 ))
 
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
+    # Strip comments before event scanning to prevent Javadoc examples from
+    # generating false publisher edges (BUG-003).
+    _source_no_comments = _strip_java_comments(source)
+
     # Spring: class that calls publishEvent(new XxxEvent(...)) → event type FQN.
-    for m in _PUBLISH_EVENT_RE.finditer(source):
+    for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        # BUG-004: try import_map first, then same-package map, then keep simple name.
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1129,9 +1196,9 @@ def _build_relations(
             ))
 
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
-    for m in _FIRE_EVENT_RE.finditer(source):
+    for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1154,6 +1221,34 @@ def _build_relations(
                 evidence={"type": "signature", "value": f"implements {_ELP_IFACE}"},
             ))
 
+    # Class-level consumer detection via class signature (EVT-003 / EVT-004).
+    # Pattern A: class Foo implements ApplicationListener<XxxEvent>
+    #            → standard Spring interface, event type = generic param.
+    # Pattern B: class Foo extends AbstractXxxEventListener<XxxEvent>
+    #            → abstract base class pattern (Broadleaf and similar frameworks),
+    #              event type = generic param of the parent class.
+    for sym in _class_syms:
+        sig = sym.signature or ""
+        for pattern, ev_label in (
+            (_APP_LISTENER_RE, "implements ApplicationListener"),
+            (_ABSTRACT_LISTENER_RE, "extends *EventListener"),
+        ):
+            m = pattern.search(sig)
+            if m:
+                event_simple = m.group(1)
+                event_fqn = (
+                    import_map.get(event_simple)
+                    or _same_pkg.get(event_simple)
+                    or event_simple
+                )
+                edges.append(RelationEdge(
+                    from_symbol=sym.symbol,
+                    to_symbol=event_fqn,
+                    type="listens_to_event",
+                    confidence="high",
+                    evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
+                ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -2314,8 +2409,12 @@ def _assemble(
             for sym in _class_syms_asm
         )
     )
+    # Only real annotation-based policies count (not "programmatic" fallback).
+    # Programmatic security does not mean every unannotated endpoint is unsecured.
     _has_ann_sec_asm = any(
-        r.get("security_annotations") for r in _route_surface
+        isinstance(r.get("security_annotations"), dict)
+        and r["security_annotations"].get("policy") not in (None, "programmatic", "none_detected")
+        for r in _route_surface
         if isinstance(r, dict)
     )
     if _filter_based_asm and _has_ann_sec_asm:
@@ -3165,7 +3264,7 @@ def extract_java_endpoints(root: Path) -> "dict[str, Any]":
         )
     )
     _has_annotation_security = any(
-        e.get("security", {}).get("policy") != "none_detected"
+        e.get("security", {}).get("policy") not in (None, "none_detected", "programmatic")
         for e in endpoints
     )
     if _filter_based and _has_annotation_security: