sourcecode 1.35.3__py3-none-any.whl → 1.35.4__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.3"
+__version__ = "1.35.4"

sourcecode/cir_graphs.py

@@ -68,11 +68,23 @@ class ImplementationGraph:
             dependencies:  cir.dependencies — list of edge dicts with 'from'/'to'/'type'
             known_symbols: set(cir.symbols) — only in-repo FQNs
 
-        Excludes implements edges where the interface (to_fqn) is NOT in known_symbols
-        (e.g. java.io.Serializable, org.springframework.* framework interfaces).
+        The Java parser stores 'implements' edges with the simple class name in the 'to'
+        field (e.g. 'OrderService') rather than the FQN.  We resolve these via a
+        precomputed simple-name → FQN map built from known_symbols.  Only unambiguous
+        resolutions are accepted; external framework interfaces and ambiguous names are
+        excluded.
+
         Includes edges where the implementing class (from_fqn) is NOT in known_symbols
         only when the interface IS known — this handles partial-parse edge cases.
         """
+        # Pre-build simple-name → [FQN] lookup for class-level symbols only (no '#').
+        # Used to resolve unqualified interface names (BUG-IC-001).
+        _simple_to_fqn: dict[str, list[str]] = {}
+        for sym in known_symbols:
+            if "#" not in sym and "." in sym:
+                simple = sym.rsplit(".", 1)[1]
+                _simple_to_fqn.setdefault(simple, []).append(sym)
+
         impl_of: dict[str, list[str]] = {}
         ifaces_of: dict[str, list[str]] = {}
 
@@ -83,9 +95,13 @@ class ImplementationGraph:
             to_fqn = (edge.get("to") or "").strip()
             if not from_fqn or not to_fqn:
                 continue
-            # Only track when the interface is an in-repo symbol
+            # Resolve to_fqn: prefer exact known-symbol match, then try simple-name lookup.
+            # Rejects external interfaces (java.*, org.springframework.*) and ambiguous names.
             if to_fqn not in known_symbols:
-                continue
+                candidates = _simple_to_fqn.get(to_fqn, [])
+                if len(candidates) != 1:
+                    continue
+                to_fqn = candidates[0]
             # Ignore malformed FQNs (e.g. generic type fragments like "Long>")
             if ">" in to_fqn or "<" in to_fqn:
                 continue

sourcecode/repository_ir.py

@@ -202,10 +202,13 @@ _FILTER_SECURITY_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Programmatic security: method-call patterns that indicate runtime auth enforcement.
+# Requires method-call or field-access context — bare class name mentions (imports,
+# type declarations) must NOT match or IAM/auth-domain repos generate false positives.
 _PROGRAMMATIC_SECURITY_RE = re.compile(
     r"\b(?:hasRole|hasAuthority|isAuthenticated|requirePermission|checkPermission"
     r"|assertAuthorized|authenticate)\s*\("
-    r"|(?:Authentication|SecurityContext|Principal|AuthorizationManager|AccessDecisionManager)\b"
+    r"|SecurityContextHolder\."
+    r"|\.(?:getAuthentication|getSecurityContext|getPrincipal|isAuthorized|checkAccess)\s*\("
     r"|throw\s+new\s+(?:AccessDeniedException|UnauthorizedException|ForbiddenException|AuthenticationException)\b",
     re.MULTILINE,
 )
@@ -323,6 +326,30 @@ _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
+# Class-level consumer detection from class signature (not annotations).
+# Pattern 1: implements [Prefix]ApplicationListener<EventType>
+#            Matches both the standard Spring interface (ApplicationListener<E>) and
+#            framework-specific subinterfaces (BroadleafApplicationListener<E>,
+#            SmartApplicationListener<E>, etc.).  Uses \w* prefix instead of \b so
+#            that "Broadleaf" prefix does not break the word boundary. (BUG-EVT-001)
+_APP_LISTENER_RE = re.compile(r'\w*ApplicationListener\s*<\s*(\w+)\s*>')
+# Pattern 2: extends AbstractXxxEventListener<EventType> — abstract base class pattern
+#            (Broadleaf's AbstractBroadleafApplicationEventListener and similar).
+#            Matches any parent class name that contains "EventListener".
+_ABSTRACT_LISTENER_RE = re.compile(r'\bextends\s+\w+EventListener\w*\s*<\s*(\w+)\s*>')
+
+# Block comment stripper — removes /* ... */ (including Javadoc) to prevent
+# _PUBLISH_EVENT_RE / _FIRE_EVENT_RE from matching example code in comments.
+_BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
+_LINE_COMMENT_RE = re.compile(r'//[^\n]*')
+
+
+def _strip_java_comments(source: str) -> str:
+    """Remove // line comments and /* */ block comments from Java source."""
+    source = _BLOCK_COMMENT_RE.sub(' ', source)
+    source = _LINE_COMMENT_RE.sub(' ', source)
+    return source
+
 # Edge types used for subsystem grouping — semantic hierarchy only, not imports
 _SUBSYSTEM_STRUCTURAL_EDGES: frozenset[str] = frozenset({
     "extends", "implements", "injects", "contained_in",
@@ -546,9 +573,37 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
     pending_ann_values: dict[str, str] = {}
     in_block_comment = False
 
+    # BUG-PARSER-001: normalize multi-line class declarations where the opening brace
+    # appears on a continuation line (e.g. "implements A,\n  B, C {").
+    # _CLASS_DECL_RE requires '{' on the same line as 'class' — joining the continuation
+    # here makes the regex work without changing the per-line brace-depth counter.
+    _raw_lines = source.splitlines()
+    _joined: list[str] = []
+    _i = 0
+    _CLASS_KW_RE = re.compile(r'\b(?:class|interface|enum)\s+[A-Z]')
+    while _i < len(_raw_lines):
+        _line = _raw_lines[_i]
+        _stripped = _line.strip()
+        if (_CLASS_KW_RE.search(_stripped) and '{' not in _stripped
+                and not _stripped.startswith('//')
+                and not _stripped.startswith('*')):
+            # Continuation: join until we hit a line containing '{'
+            _buf = _line
+            _i += 1
+            while _i < len(_raw_lines):
+                _cont = _raw_lines[_i]
+                _buf = _buf.rstrip() + ' ' + _cont.strip()
+                _i += 1
+                if '{' in _cont:
+                    break
+            _joined.append(_buf)
+        else:
+            _joined.append(_line)
+            _i += 1
+
     # P1 fix: normalize multiline annotations (e.g. @RequestMapping(\n  value="..."\n))
     # into single lines so the per-line regex can capture annotation args correctly.
-    _normalized_lines = _normalize_multiline_annotations(source.splitlines())
+    _normalized_lines = _normalize_multiline_annotations(_joined)
 
     for line in _normalized_lines:
         stripped = line.strip()
@@ -1122,10 +1177,15 @@ def _build_relations(
 
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
+    # Strip comments before event scanning to prevent Javadoc examples from
+    # generating false publisher edges (BUG-003).
+    _source_no_comments = _strip_java_comments(source)
+
     # Spring: class that calls publishEvent(new XxxEvent(...)) → event type FQN.
-    for m in _PUBLISH_EVENT_RE.finditer(source):
+    for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        # BUG-004: try import_map first, then same-package map, then keep simple name.
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1136,9 +1196,9 @@ def _build_relations(
             ))
 
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
-    for m in _FIRE_EVENT_RE.finditer(source):
+    for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1161,6 +1221,34 @@ def _build_relations(
                 evidence={"type": "signature", "value": f"implements {_ELP_IFACE}"},
             ))
 
+    # Class-level consumer detection via class signature (EVT-003 / EVT-004).
+    # Pattern A: class Foo implements ApplicationListener<XxxEvent>
+    #            → standard Spring interface, event type = generic param.
+    # Pattern B: class Foo extends AbstractXxxEventListener<XxxEvent>
+    #            → abstract base class pattern (Broadleaf and similar frameworks),
+    #              event type = generic param of the parent class.
+    for sym in _class_syms:
+        sig = sym.signature or ""
+        for pattern, ev_label in (
+            (_APP_LISTENER_RE, "implements ApplicationListener"),
+            (_ABSTRACT_LISTENER_RE, "extends *EventListener"),
+        ):
+            m = pattern.search(sig)
+            if m:
+                event_simple = m.group(1)
+                event_fqn = (
+                    import_map.get(event_simple)
+                    or _same_pkg.get(event_simple)
+                    or event_simple
+                )
+                edges.append(RelationEdge(
+                    from_symbol=sym.symbol,
+                    to_symbol=event_fqn,
+                    type="listens_to_event",
+                    confidence="high",
+                    evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
+                ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -2321,8 +2409,12 @@ def _assemble(
             for sym in _class_syms_asm
         )
     )
+    # Only real annotation-based policies count (not "programmatic" fallback).
+    # Programmatic security does not mean every unannotated endpoint is unsecured.
     _has_ann_sec_asm = any(
-        r.get("security_annotations") for r in _route_surface
+        isinstance(r.get("security_annotations"), dict)
+        and r["security_annotations"].get("policy") not in (None, "programmatic", "none_detected")
+        for r in _route_surface
         if isinstance(r, dict)
     )
     if _filter_based_asm and _has_ann_sec_asm:
@@ -3172,7 +3264,7 @@ def extract_java_endpoints(root: Path) -> "dict[str, Any]":
         )
     )
     _has_annotation_security = any(
-        e.get("security", {}).get("policy") != "none_detected"
+        e.get("security", {}).get("policy") not in (None, "none_detected", "programmatic")
         for e in endpoints
     )
     if _filter_based and _has_annotation_security:

sourcecode/spring_impact.py

@@ -289,9 +289,16 @@ def _bfs_callers(
                 _add_caller(caller, depth)
                 # CH-002: injects edge to a field/constructor node → also traverse
                 # the containing class, bypassing the skipped contained_in edge.
-                if etype == "injects" and "#" in caller:
-                    class_fqn = caller.rsplit("#", 1)[0]
-                    _add_caller(class_fqn, depth)
+                # Two formats emitted by the CIR parser:
+                #   Constructor injection: pkg.Class#<init>  (hash separator)
+                #   Field injection:       pkg.Class.field   (dot, lowercase last segment)
+                if etype == "injects":
+                    if "#" in caller:
+                        _add_caller(caller.rsplit("#", 1)[0], depth)
+                    elif "." in caller:
+                        last_seg = caller.rsplit(".", 1)[1]
+                        if last_seg and last_seg[0].islower():
+                            _add_caller(caller.rsplit(".", 1)[0], depth)
 
     return direct, indirect, was_truncated
 
@@ -316,10 +323,16 @@ def _collect_endpoints(
     """
     all_fqns = set(seed_fqns) | set(all_callers)
 
-    # Class-level seeds: controller class nodes (no '#') that are controllers.
-    # These arise when the user queries an entire class, not a specific method.
+    # Class-level controller FQNs (no '#') that appear anywhere in the chain.
+    # Two cases produce a class-level controller node in the chain:
+    #   1. Seed is the controller class itself (user queried the whole controller).
+    #   2. Caller is the controller class node — happens when a service/repository
+    #      is injected into a controller: the BFS reverse edge lands on the class
+    #      node (e.g. "OwnerController" with no '#'), not a specific method.
+    #      All endpoints of that controller are affected because any change to the
+    #      injected dependency impacts every handler that uses it.
     class_level_controllers: set[str] = {
-        fqn for fqn in seed_fqns
+        fqn for fqn in all_fqns
         if "#" not in fqn and fqn in model.endpoint_index.controller_fqns
     }
 
@@ -327,7 +340,7 @@ def _collect_endpoints(
     seen_ep_ids: set[str] = set()
 
     # Collect candidate controllers: those whose handler_symbol is in the chain
-    # OR whose class node was a seed (class-level query).
+    # OR whose class node appears in the chain (class-level).
     candidate_controllers: set[str] = set(class_level_controllers)
     for fqn in all_fqns:
         cls = _class_of(fqn)
@@ -339,8 +352,8 @@ def _collect_endpoints(
             handler = getattr(ep, "handler_symbol", "") or ""
             ep_id = getattr(ep, "id", "") or ""
 
-            # Include if: handler is directly in call chain OR controller is a
-            # class-level seed (whole-class query, all its endpoints in scope).
+            # Include if: handler method is in call chain OR the controller's class
+            # node appears at class-level in the chain (seed or DI-injected class).
             if handler not in all_fqns and controller not in class_level_controllers:
                 continue
 
@@ -561,6 +574,32 @@ class ImpactOrchestrator:
                     f"added {n_syms} symbol(s) from {n_classes} implementation(s)."
                 )
 
+        # CH-001b: expand impl seeds to include their interfaces for BFS (BUG-IC-002).
+        # Callers typically inject the interface type, so reverse-graph edges live on
+        # the interface node, not on the implementation node.  Without this expansion,
+        # querying 'OrderServiceImpl' finds 0 callers even though 36 classes inject it.
+        if impl_graph is not None:
+            current_seed_classes = {_class_of(s) for s in seed_fqns}
+            iface_seeds: list[str] = []
+            iface_classes_added: set[str] = set()
+            for seed_class in sorted(current_seed_classes):
+                ifaces = impl_graph.interfaces_of(seed_class)
+                for iface_class in ifaces:
+                    if iface_class in iface_classes_added or iface_class in current_seed_classes:
+                        continue
+                    iface_classes_added.add(iface_class)
+                    for sym in cir.symbols:
+                        if _class_of(sym) == iface_class and sym not in set(seed_fqns):
+                            iface_seeds.append(sym)
+            if iface_seeds:
+                seed_fqns = list(dict.fromkeys(seed_fqns + iface_seeds))
+                n_classes = len(iface_classes_added)
+                n_syms = len(iface_seeds)
+                warnings.append(
+                    f"Implementation-to-interface expansion (CH-001b): "
+                    f"added {n_syms} symbol(s) from {n_classes} interface(s) for caller BFS."
+                )
+
         # ── 2. BFS through reverse graph ─────────────────────────────────
         direct_callers, indirect_callers, truncated = _bfs_callers(
             seed_fqns, cir.reverse_graph, depth
@@ -580,8 +619,13 @@ class ImpactOrchestrator:
         try:
             boundary = model.tx_index.effective_boundary(resolved_symbol)
             if boundary is None and "#" not in resolved_symbol:
-                # Class-level symbol — try class_level directly
+                # Class-level symbol — try class_level directly, then fall back
+                # to first method-level boundary if class has only method-level TX.
                 boundary = model.tx_index.class_level.get(resolved_symbol)
+                if boundary is None:
+                    method_boundaries = model.tx_index.by_class.get(resolved_symbol, [])
+                    if method_boundaries:
+                        boundary = method_boundaries[0]
             if boundary is not None:
                 tx_boundary = boundary.to_dict()
         except Exception:

sourcecode/spring_tx_analyzer.py

@@ -63,6 +63,30 @@ _CATCH_SWALLOW_RE = re.compile(
 _RETHROW_IN_CATCH_RE = re.compile(r'\bthrow\b')
 
 
+def _extract_method_body(source: str, method_name: str) -> str:
+    """Extract the first method body matching method_name using brace counting.
+
+    Returns the text from '{' to the matching '}', or empty string if not found.
+    Needed to scope TX-005 regex to the specific method instead of the whole file.
+    """
+    pattern = re.compile(r'\b' + re.escape(method_name) + r'\s*\(')
+    for m in pattern.finditer(source):
+        brace_pos = source.find('{', m.end())
+        if brace_pos < 0:
+            continue
+        depth = 1
+        i = brace_pos + 1
+        while i < len(source) and depth > 0:
+            c = source[i]
+            if c == '{':
+                depth += 1
+            elif c == '}':
+                depth -= 1
+            i += 1
+        return source[brace_pos:i]
+    return ""
+
+
 # ---------------------------------------------------------------------------
 # Pattern protocol
 # ---------------------------------------------------------------------------
@@ -531,8 +555,16 @@ class _TX005ExceptionSwallowing:
         return findings
 
     def _has_swallowed_exception(self, source: str, symbol: str) -> bool:
-        """Return True if source contains a catch-log-no-rethrow pattern."""
-        for match in _CATCH_SWALLOW_RE.finditer(source):
+        """Return True if the specific method body has a catch-log-no-rethrow pattern.
+
+        Scopes the search to the method body only (not the whole file) to avoid
+        false positives when other methods in the same file have swallowed exceptions.
+        """
+        method_name = symbol.split("#")[-1] if "#" in symbol else symbol.rsplit(".", 1)[-1]
+        body = _extract_method_body(source, method_name)
+        if not body:
+            return False
+        for match in _CATCH_SWALLOW_RE.finditer(body):
             block = match.group(0)
             if not _RETHROW_IN_CATCH_RE.search(block):
                 return True

{sourcecode-1.35.3.dist-info → sourcecode-1.35.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.3
+Version: 1.35.4
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.3-blue)
+![Version](https://img.shields.io/badge/version-1.35.4-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -113,7 +113,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.4
 ```
 
 ---
@@ -133,6 +133,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -187,15 +196,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -262,6 +277,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -312,6 +330,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.3.dist-info → sourcecode-1.35.4.dist-info}/RECORD

@@ -1,11 +1,11 @@
-sourcecode/__init__.py,sha256=l4fbYaAaQU-7wY0KjeGVwAwIoc3EKyw8SNnqZYuRfP8,103
+sourcecode/__init__.py,sha256=HvT-OD6BpIxm8uMM8dF8IJUh4mkn6RKbB0__ghb_vHI,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=qh749a7ykPtGmQI1MR9y6j8TtL_jBdVYFx9YRsLqOMw,44121
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
 sourcecode/ast_extractor.py,sha256=_btmeOJIe3t-NicF94D5ZAesa2YIJ0_QNExGnbHxGFE,50578
 sourcecode/cache.py,sha256=wAyPrXN5DqiGivnMpeEuun2xHDKfBer2_oBsh6kj_vc,30447
 sourcecode/canonical_ir.py,sha256=uwpwCnJxMh_eiIVg4cOLv7-aZthvmDFcG4azCOycLkw,24281
-sourcecode/cir_graphs.py,sha256=6CBwPoFCbHrqW8Bq_9fZUMi2IgcQBmoaiXiJjlOY9QE,7740
+sourcecode/cir_graphs.py,sha256=wuRjW0MjSr9KLq03L1TzYqkIeY_phUmIbVA3FQDfHKk,8603
 sourcecode/classifier.py,sha256=2lYoSH3vOTkXZYPU7Go2WIet1-IuNzTWVhc-ULnXtgw,8024
 sourcecode/cli.py,sha256=UI80E2S1g6Ui300-vICvn4B7NXIuGYWE4a0FXrBa-8E,216875
 sourcecode/code_notes_analyzer.py,sha256=EJemNCNc9Dn-1RZYu-aNbK0ELzmsyC4s6FdHi3XyNEI,9392
@@ -36,7 +36,7 @@ sourcecode/ranking_engine.py,sha256=ZAucq_YX2KkWUuAZf4P0lhtQ_38vEFnUhuGtSZd1S0E,
 sourcecode/redactor.py,sha256=SB4hwIvg8h-hvcqKcDWaZvA-aSyn-at-BIRwa0tUv5E,3227
 sourcecode/relevance_scorer.py,sha256=0AgEt4KrV73nioMqBgjhGjtY7L2C7L7cSyKtj3IKcrw,9408
 sourcecode/repo_classifier.py,sha256=FG1vaWKdWXsWdl-S8hjVMiTqcwgaRXkDyvK4rPcOGtQ,22681
-sourcecode/repository_ir.py,sha256=LI_kJzdz-iQOb0e0LuHnEzXRjUdoUnoRlicEk46rwgA,162975
+sourcecode/repository_ir.py,sha256=uLIewoLBg4nknI1JlI8bPo_kl9SVyT-GFQqENTeFz1M,167673
 sourcecode/ris.py,sha256=RcqLVwC-doFcKKViYDkCjZLBqf_wzLES7-F6vHEeWzE,20419
 sourcecode/runtime_classifier.py,sha256=uTAD6BDCiBLUZEDRfqk718kM4RTT_vAbfkcOI2_Xx58,18432
 sourcecode/scanner.py,sha256=WdOQ78mMzjR1NjmKTlbxdgwinnCTfAhxCVLBEFQiFHU,8899
@@ -45,11 +45,11 @@ sourcecode/semantic_analyzer.py,sha256=TDuC3wzZR2DPm1mgrAg1YSLk2QzJoueS3TZAmyGGp
 sourcecode/serializer.py,sha256=ooNZW2_fqx__BXII25eAWq-BomodvqQ6opUT_niQYCA,123403
 sourcecode/spring_event_topology.py,sha256=LvGv5RXtU_O-fVB_OO9eDD2UmZM72Jn2oUHgOo50Qm0,17157
 sourcecode/spring_findings.py,sha256=8V91iHOg9hFgg6tLLl4FSsgrF-dBqOcO2s-K5sD_goA,5417
-sourcecode/spring_impact.py,sha256=ACmkbQMWgoJqZ9QLdHJLB1qNuFLgjEVv2r624X9Y6Y4,29004
+sourcecode/spring_impact.py,sha256=-ET4oB9tZQYfcyhfI781mMJCU-przz6x4Ejwr3hejA8,31743
 sourcecode/spring_model.py,sha256=IzMcM5ftw1_EHG3FGUDT7qdAMpo3eqbAE1LRuasfr_4,14739
 sourcecode/spring_security_audit.py,sha256=RPr491FGAmWNxqe-uN0FS2gmjQ0M5ryRyXjLNMMzKFk,20077
 sourcecode/spring_semantic.py,sha256=CiAf77p48-RFrUF0zbgww4w2Xigrbo1t5M3ZCDIfV_g,12032
-sourcecode/spring_tx_analyzer.py,sha256=0r5hQEd3fFERrcx2SZKuYixMdDGKIssRYxrlunmTMwQ,25952
+sourcecode/spring_tx_analyzer.py,sha256=eBcYLRKhlUllHl195CVGNWeg2vMext4u1Tezu_Mwrdg,27143
 sourcecode/summarizer.py,sha256=YspHEVeYJVmltq0FMtGZF8kIP3qiR2KLcanGL6Y7uTI,20747
 sourcecode/tree_utils.py,sha256=8GAkIfQAsvtEudIeW1l4ooH_oRtrWR8cpJQJsEa_Pfw,2093
 sourcecode/workspace.py,sha256=X_6NmNnitvT3_38V-JDChydo_sR68s249hLFlrQskU0,8271
@@ -90,8 +90,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=oEvvulfsv5GIDWG2174gSS6tNB95w38AIYiYeifGKlE,2294
 sourcecode/telemetry/filters.py,sha256=Asa71oRl7q3Wt_FMwuufIZJFzSYdgRNKS8LHCIyFeYE,4805
 sourcecode/telemetry/transport.py,sha256=KJeIPCPWMdmbCP3ySGs2iUlia34U6vWne2dZsUezesw,1560
-sourcecode-1.35.3.dist-info/METADATA,sha256=3tFt-FeyMB5EsxTzF2Jw2DY8Up3A0iHat59uNWsylT8,16440
-sourcecode-1.35.3.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.35.3.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.35.3.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.35.3.dist-info/RECORD,,
+sourcecode-1.35.4.dist-info/METADATA,sha256=Pl9s6-m8pSLDCwawxAneFDVHpQvJLxehMZvruYMWnr0,21263
+sourcecode-1.35.4.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.35.4.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.35.4.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.35.4.dist-info/RECORD,,