sourcecode 1.35.3__tar.gz → 1.35.5__tar.gz

{sourcecode-1.35.3 → sourcecode-1.35.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.3
+Version: 1.35.5
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -39,7 +39,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.3-blue)
+![Version](https://img.shields.io/badge/version-1.35.5-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -113,7 +113,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.5
 ```
 
 ---
@@ -133,6 +133,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -187,15 +196,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -262,6 +277,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -312,6 +330,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.3 → sourcecode-1.35.5}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.3-blue)
+![Version](https://img.shields.io/badge/version-1.35.5-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.33.4
+# sourcecode 1.35.5
 ```
 
 ---
@@ -96,6 +96,15 @@ sourcecode --agent
 # Blast radius: what breaks if this class changes?
 sourcecode impact OrderService /path/to/repo
 
+# Spring semantic audit: TX anomalies + security surface (free)
+sourcecode spring-audit /path/to/repo
+
+# Impact chain: systemic blast radius with TX/SEC enrichment (free)
+sourcecode impact-chain OrderService /path/to/repo
+
+# Event topology: publisher → event → consumer graph (free)
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+
 # REST endpoint surface
 sourcecode endpoints /path/to/repo
 
@@ -150,15 +159,21 @@ sourcecode /repo --agent               # ~4,500–5,500 tokens — more detail
 sourcecode onboard /repo               # task-structured: entry points, key files, gaps
 ```
 
-### Before every change — blast radius check
+### Before every change — blast radius + TX/SEC check
 
 ```bash
 # Always target the INTERFACE in Spring projects, not the implementation:
 sourcecode impact OrderService /repo           # ✓ 30 callers, 11 endpoints
 sourcecode impact OrderServiceImpl /repo       # ✗ 0 callers (Spring DI blindness)
 
-# Large hub interfaces — depth=1 is faster and still the most actionable signal:
-sourcecode impact KeycloakSession /repo --depth 1
+# Impact chain: blast radius enriched with TX boundary and security surfaces
+sourcecode impact-chain OrderService /repo
+
+# Event topology: who publishes/consumes this event, and in what TX phase?
+sourcecode impact-chain OrderPlacedEvent /repo --type events
+
+# Spring audit: catch TX anomalies before they hit production
+sourcecode spring-audit /repo --scope tx
 ```
 
 ### Continuous agent loop — delta context
@@ -225,6 +240,9 @@ Specifically:
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
 - `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
+- Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
+- Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
 
 ---
 
@@ -275,6 +293,81 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+### `spring-audit` — Spring semantic audit [free]
+
+```bash
+sourcecode spring-audit /path/to/repo
+sourcecode spring-audit /path/to/repo --scope tx          # TX anomalies only
+sourcecode spring-audit /path/to/repo --scope security     # security surface only
+sourcecode spring-audit /path/to/repo --min-severity high
+```
+
+Detects structural Spring anomalies that survive code review and tests, but cause production failures:
+
+| Pattern | Description |
+|---------|-------------|
+| `TX-001` | `@Transactional` on private/final method — CGLIB proxy bypass, TX silently ignored |
+| `TX-002` | `REQUIRES_NEW` nested inside `REQUIRED` call chain — unexpected transaction nesting |
+| `TX-003` | `readOnly=true` boundary propagating to write operation |
+| `TX-004` | `NOT_SUPPORTED`/`NEVER` called within active TX chain |
+| `TX-005` | Exception swallowing inside `@Transactional` — silent TX rollback suppression |
+| `SEC-001` | Unsecured endpoint in annotation-based security model |
+| `SEC-002` | CVE-2025-41248: `@PreAuthorize` on inherited method from generic supertype |
+| `SEC-003` | `@Transactional` on `@Controller`/`@RestController` — TX in wrong layer |
+
+Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
+
+### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
+
+```bash
+sourcecode impact-chain OrderService /path/to/repo
+sourcecode impact-chain com.example.OrderService#placeOrder /path/to/repo
+sourcecode impact-chain PaymentService . --depth 6
+```
+
+Unlike `impact` (which traces the caller graph), `impact-chain` builds on the SpringSemanticModel to enrich every step of the blast cone with transaction and security context:
+
+| Field | Description |
+|-------|-------------|
+| `direct_callers` | Symbols that directly call the target |
+| `indirect_callers` | Transitive callers (BFS up to `--depth` hops, default: 4) |
+| `endpoints_affected` | HTTP endpoints reachable through the call chain |
+| `transaction_boundary` | `@Transactional` semantics on the target: propagation, isolation, readOnly |
+| `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
+| `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
+| `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+
+**Event topology** — query the publisher/consumer graph for a Spring event class:
+
+```bash
+sourcecode impact-chain OrderPlacedEvent /path/to/repo --type events
+```
+
+| Field | Description |
+|-------|-------------|
+| `publishers` | FQNs that publish this event class |
+| `consumers` | Listeners with TX phase metadata (`AFTER_COMMIT`, `BEFORE_COMMIT`, etc.) |
+| `event_graph` | Publisher → event → consumer edges (BFS ≤ 2 hops) |
+| `transaction_context` | `AFTER_COMMIT` consumers, `BEFORE_COMMIT` risks |
+| `risk_level` | Derived from TX phase and consumer count |
+
+**Limitations of event topology:**
+- Resolves Spring `ApplicationEvent` / `@EventListener` chains only
+- Does not trace Kafka, RabbitMQ, Redis, or other message brokers
+- Does not detect self-invocation proxy bypass
+- Conditional beans (`@ConditionalOnProperty`) are not evaluated at analysis time
+
+### `cold-start` — RIS bootstrap context
+
+```bash
+sourcecode cold-start /path/to/repo
+sourcecode cold-start /path/to/repo --compact   # ~10K token subset
+```
+
+Returns the Repository Intelligence Snapshot (RIS) instantly — zero re-analysis. The RIS is built by a prior warm cache pass and includes stacks, entry points, endpoint surface, and Spring semantic signals. Status field: `cold_start_ready` | `cold_start_stale` | `no_ris`.
+
+Use `--compact` to get a ~10K token subset safe for direct LLM injection. Full snapshot can exceed 100K tokens on medium repos — use `--output FILE` for local search tooling.
+
 ### `repo-ir` — symbol-level IR
 
 ```bash

{sourcecode-1.35.3 → sourcecode-1.35.5}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.35.3"
+version = "1.35.5"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.35.3 → sourcecode-1.35.5}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.3"
+__version__ = "1.35.5"

{sourcecode-1.35.3 → sourcecode-1.35.5}/src/sourcecode/cir_graphs.py

@@ -68,11 +68,23 @@ class ImplementationGraph:
             dependencies:  cir.dependencies — list of edge dicts with 'from'/'to'/'type'
             known_symbols: set(cir.symbols) — only in-repo FQNs
 
-        Excludes implements edges where the interface (to_fqn) is NOT in known_symbols
-        (e.g. java.io.Serializable, org.springframework.* framework interfaces).
+        The Java parser stores 'implements' edges with the simple class name in the 'to'
+        field (e.g. 'OrderService') rather than the FQN.  We resolve these via a
+        precomputed simple-name → FQN map built from known_symbols.  Only unambiguous
+        resolutions are accepted; external framework interfaces and ambiguous names are
+        excluded.
+
         Includes edges where the implementing class (from_fqn) is NOT in known_symbols
         only when the interface IS known — this handles partial-parse edge cases.
         """
+        # Pre-build simple-name → [FQN] lookup for class-level symbols only (no '#').
+        # Used to resolve unqualified interface names (BUG-IC-001).
+        _simple_to_fqn: dict[str, list[str]] = {}
+        for sym in known_symbols:
+            if "#" not in sym and "." in sym:
+                simple = sym.rsplit(".", 1)[1]
+                _simple_to_fqn.setdefault(simple, []).append(sym)
+
         impl_of: dict[str, list[str]] = {}
         ifaces_of: dict[str, list[str]] = {}
 
@@ -83,9 +95,13 @@ class ImplementationGraph:
             to_fqn = (edge.get("to") or "").strip()
             if not from_fqn or not to_fqn:
                 continue
-            # Only track when the interface is an in-repo symbol
+            # Resolve to_fqn: prefer exact known-symbol match, then try simple-name lookup.
+            # Rejects external interfaces (java.*, org.springframework.*) and ambiguous names.
             if to_fqn not in known_symbols:
-                continue
+                candidates = _simple_to_fqn.get(to_fqn, [])
+                if len(candidates) != 1:
+                    continue
+                to_fqn = candidates[0]
             # Ignore malformed FQNs (e.g. generic type fragments like "Long>")
             if ">" in to_fqn or "<" in to_fqn:
                 continue

{sourcecode-1.35.3 → sourcecode-1.35.5}/src/sourcecode/repository_ir.py

@@ -202,10 +202,13 @@ _FILTER_SECURITY_ANNOTATIONS: frozenset[str] = frozenset({
 })
 
 # Programmatic security: method-call patterns that indicate runtime auth enforcement.
+# Requires method-call or field-access context — bare class name mentions (imports,
+# type declarations) must NOT match or IAM/auth-domain repos generate false positives.
 _PROGRAMMATIC_SECURITY_RE = re.compile(
     r"\b(?:hasRole|hasAuthority|isAuthenticated|requirePermission|checkPermission"
     r"|assertAuthorized|authenticate)\s*\("
-    r"|(?:Authentication|SecurityContext|Principal|AuthorizationManager|AccessDecisionManager)\b"
+    r"|SecurityContextHolder\."
+    r"|\.(?:getAuthentication|getSecurityContext|getPrincipal|isAuthorized|checkAccess)\s*\("
     r"|throw\s+new\s+(?:AccessDeniedException|UnauthorizedException|ForbiddenException|AuthenticationException)\b",
     re.MULTILINE,
 )
@@ -323,6 +326,30 @@ _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
+# Class-level consumer detection from class signature (not annotations).
+# Pattern 1: implements [Prefix]ApplicationListener<EventType>
+#            Matches both the standard Spring interface (ApplicationListener<E>) and
+#            framework-specific subinterfaces (BroadleafApplicationListener<E>,
+#            SmartApplicationListener<E>, etc.).  Uses \w* prefix instead of \b so
+#            that "Broadleaf" prefix does not break the word boundary. (BUG-EVT-001)
+_APP_LISTENER_RE = re.compile(r'\w*ApplicationListener\s*<\s*(\w+)\s*>')
+# Pattern 2: extends AbstractXxxEventListener<EventType> — abstract base class pattern
+#            (Broadleaf's AbstractBroadleafApplicationEventListener and similar).
+#            Matches any parent class name that contains "EventListener".
+_ABSTRACT_LISTENER_RE = re.compile(r'\bextends\s+\w+EventListener\w*\s*<\s*(\w+)\s*>')
+
+# Block comment stripper — removes /* ... */ (including Javadoc) to prevent
+# _PUBLISH_EVENT_RE / _FIRE_EVENT_RE from matching example code in comments.
+_BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
+_LINE_COMMENT_RE = re.compile(r'//[^\n]*')
+
+
+def _strip_java_comments(source: str) -> str:
+    """Remove // line comments and /* */ block comments from Java source."""
+    source = _BLOCK_COMMENT_RE.sub(' ', source)
+    source = _LINE_COMMENT_RE.sub(' ', source)
+    return source
+
 # Edge types used for subsystem grouping — semantic hierarchy only, not imports
 _SUBSYSTEM_STRUCTURAL_EDGES: frozenset[str] = frozenset({
     "extends", "implements", "injects", "contained_in",
@@ -546,9 +573,37 @@ def _extract_symbols(source: str, rel_path: str) -> tuple[str, list[SymbolRecord
     pending_ann_values: dict[str, str] = {}
     in_block_comment = False
 
+    # BUG-PARSER-001: normalize multi-line class declarations where the opening brace
+    # appears on a continuation line (e.g. "implements A,\n  B, C {").
+    # _CLASS_DECL_RE requires '{' on the same line as 'class' — joining the continuation
+    # here makes the regex work without changing the per-line brace-depth counter.
+    _raw_lines = source.splitlines()
+    _joined: list[str] = []
+    _i = 0
+    _CLASS_KW_RE = re.compile(r'\b(?:class|interface|enum)\s+[A-Z]')
+    while _i < len(_raw_lines):
+        _line = _raw_lines[_i]
+        _stripped = _line.strip()
+        if (_CLASS_KW_RE.search(_stripped) and '{' not in _stripped
+                and not _stripped.startswith('//')
+                and not _stripped.startswith('*')):
+            # Continuation: join until we hit a line containing '{'
+            _buf = _line
+            _i += 1
+            while _i < len(_raw_lines):
+                _cont = _raw_lines[_i]
+                _buf = _buf.rstrip() + ' ' + _cont.strip()
+                _i += 1
+                if '{' in _cont:
+                    break
+            _joined.append(_buf)
+        else:
+            _joined.append(_line)
+            _i += 1
+
     # P1 fix: normalize multiline annotations (e.g. @RequestMapping(\n  value="..."\n))
     # into single lines so the per-line regex can capture annotation args correctly.
-    _normalized_lines = _normalize_multiline_annotations(source.splitlines())
+    _normalized_lines = _normalize_multiline_annotations(_joined)
 
     for line in _normalized_lines:
         stripped = line.strip()
@@ -1122,10 +1177,15 @@ def _build_relations(
 
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
+    # Strip comments before event scanning to prevent Javadoc examples from
+    # generating false publisher edges (BUG-003).
+    _source_no_comments = _strip_java_comments(source)
+
     # Spring: class that calls publishEvent(new XxxEvent(...)) → event type FQN.
-    for m in _PUBLISH_EVENT_RE.finditer(source):
+    for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        # BUG-004: try import_map first, then same-package map, then keep simple name.
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1136,9 +1196,9 @@ def _build_relations(
             ))
 
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
-    for m in _FIRE_EVENT_RE.finditer(source):
+    for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)
-        event_fqn = import_map.get(event_simple, event_simple)
+        event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
         for cls_sym in _class_syms:
             edges.append(RelationEdge(
                 from_symbol=cls_sym.symbol,
@@ -1161,6 +1221,34 @@ def _build_relations(
                 evidence={"type": "signature", "value": f"implements {_ELP_IFACE}"},
             ))
 
+    # Class-level consumer detection via class signature (EVT-003 / EVT-004).
+    # Pattern A: class Foo implements ApplicationListener<XxxEvent>
+    #            → standard Spring interface, event type = generic param.
+    # Pattern B: class Foo extends AbstractXxxEventListener<XxxEvent>
+    #            → abstract base class pattern (Broadleaf and similar frameworks),
+    #              event type = generic param of the parent class.
+    for sym in _class_syms:
+        sig = sym.signature or ""
+        for pattern, ev_label in (
+            (_APP_LISTENER_RE, "implements ApplicationListener"),
+            (_ABSTRACT_LISTENER_RE, "extends *EventListener"),
+        ):
+            m = pattern.search(sig)
+            if m:
+                event_simple = m.group(1)
+                event_fqn = (
+                    import_map.get(event_simple)
+                    or _same_pkg.get(event_simple)
+                    or event_simple
+                )
+                edges.append(RelationEdge(
+                    from_symbol=sym.symbol,
+                    to_symbol=event_fqn,
+                    type="listens_to_event",
+                    confidence="high",
+                    evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
+                ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -2321,8 +2409,12 @@ def _assemble(
             for sym in _class_syms_asm
         )
     )
+    # Only real annotation-based policies count (not "programmatic" fallback).
+    # Programmatic security does not mean every unannotated endpoint is unsecured.
     _has_ann_sec_asm = any(
-        r.get("security_annotations") for r in _route_surface
+        isinstance(r.get("security_annotations"), dict)
+        and r["security_annotations"].get("policy") not in (None, "programmatic", "none_detected")
+        for r in _route_surface
         if isinstance(r, dict)
     )
     if _filter_based_asm and _has_ann_sec_asm:
@@ -3172,7 +3264,7 @@ def extract_java_endpoints(root: Path) -> "dict[str, Any]":
         )
     )
     _has_annotation_security = any(
-        e.get("security", {}).get("policy") != "none_detected"
+        e.get("security", {}).get("policy") not in (None, "none_detected", "programmatic")
         for e in endpoints
     )
     if _filter_based and _has_annotation_security:

{sourcecode-1.35.3 → sourcecode-1.35.5}/src/sourcecode/spring_impact.py

@@ -289,9 +289,16 @@ def _bfs_callers(
                 _add_caller(caller, depth)
                 # CH-002: injects edge to a field/constructor node → also traverse
                 # the containing class, bypassing the skipped contained_in edge.
-                if etype == "injects" and "#" in caller:
-                    class_fqn = caller.rsplit("#", 1)[0]
-                    _add_caller(class_fqn, depth)
+                # Two formats emitted by the CIR parser:
+                #   Constructor injection: pkg.Class#<init>  (hash separator)
+                #   Field injection:       pkg.Class.field   (dot, lowercase last segment)
+                if etype == "injects":
+                    if "#" in caller:
+                        _add_caller(caller.rsplit("#", 1)[0], depth)
+                    elif "." in caller:
+                        last_seg = caller.rsplit(".", 1)[1]
+                        if last_seg and last_seg[0].islower():
+                            _add_caller(caller.rsplit(".", 1)[0], depth)
 
     return direct, indirect, was_truncated
 
@@ -316,10 +323,16 @@ def _collect_endpoints(
     """
     all_fqns = set(seed_fqns) | set(all_callers)
 
-    # Class-level seeds: controller class nodes (no '#') that are controllers.
-    # These arise when the user queries an entire class, not a specific method.
+    # Class-level controller FQNs (no '#') that appear anywhere in the chain.
+    # Two cases produce a class-level controller node in the chain:
+    #   1. Seed is the controller class itself (user queried the whole controller).
+    #   2. Caller is the controller class node — happens when a service/repository
+    #      is injected into a controller: the BFS reverse edge lands on the class
+    #      node (e.g. "OwnerController" with no '#'), not a specific method.
+    #      All endpoints of that controller are affected because any change to the
+    #      injected dependency impacts every handler that uses it.
     class_level_controllers: set[str] = {
-        fqn for fqn in seed_fqns
+        fqn for fqn in all_fqns
         if "#" not in fqn and fqn in model.endpoint_index.controller_fqns
     }
 
@@ -327,7 +340,7 @@ def _collect_endpoints(
     seen_ep_ids: set[str] = set()
 
     # Collect candidate controllers: those whose handler_symbol is in the chain
-    # OR whose class node was a seed (class-level query).
+    # OR whose class node appears in the chain (class-level).
     candidate_controllers: set[str] = set(class_level_controllers)
     for fqn in all_fqns:
         cls = _class_of(fqn)
@@ -339,8 +352,8 @@ def _collect_endpoints(
             handler = getattr(ep, "handler_symbol", "") or ""
             ep_id = getattr(ep, "id", "") or ""
 
-            # Include if: handler is directly in call chain OR controller is a
-            # class-level seed (whole-class query, all its endpoints in scope).
+            # Include if: handler method is in call chain OR the controller's class
+            # node appears at class-level in the chain (seed or DI-injected class).
             if handler not in all_fqns and controller not in class_level_controllers:
                 continue
 
@@ -561,6 +574,32 @@ class ImpactOrchestrator:
                     f"added {n_syms} symbol(s) from {n_classes} implementation(s)."
                 )
 
+        # CH-001b: expand impl seeds to include their interfaces for BFS (BUG-IC-002).
+        # Callers typically inject the interface type, so reverse-graph edges live on
+        # the interface node, not on the implementation node.  Without this expansion,
+        # querying 'OrderServiceImpl' finds 0 callers even though 36 classes inject it.
+        if impl_graph is not None:
+            current_seed_classes = {_class_of(s) for s in seed_fqns}
+            iface_seeds: list[str] = []
+            iface_classes_added: set[str] = set()
+            for seed_class in sorted(current_seed_classes):
+                ifaces = impl_graph.interfaces_of(seed_class)
+                for iface_class in ifaces:
+                    if iface_class in iface_classes_added or iface_class in current_seed_classes:
+                        continue
+                    iface_classes_added.add(iface_class)
+                    for sym in cir.symbols:
+                        if _class_of(sym) == iface_class and sym not in set(seed_fqns):
+                            iface_seeds.append(sym)
+            if iface_seeds:
+                seed_fqns = list(dict.fromkeys(seed_fqns + iface_seeds))
+                n_classes = len(iface_classes_added)
+                n_syms = len(iface_seeds)
+                warnings.append(
+                    f"Implementation-to-interface expansion (CH-001b): "
+                    f"added {n_syms} symbol(s) from {n_classes} interface(s) for caller BFS."
+                )
+
         # ── 2. BFS through reverse graph ─────────────────────────────────
         direct_callers, indirect_callers, truncated = _bfs_callers(
             seed_fqns, cir.reverse_graph, depth
@@ -580,8 +619,13 @@ class ImpactOrchestrator:
         try:
             boundary = model.tx_index.effective_boundary(resolved_symbol)
             if boundary is None and "#" not in resolved_symbol:
-                # Class-level symbol — try class_level directly
+                # Class-level symbol — try class_level directly, then fall back
+                # to first method-level boundary if class has only method-level TX.
                 boundary = model.tx_index.class_level.get(resolved_symbol)
+                if boundary is None:
+                    method_boundaries = model.tx_index.by_class.get(resolved_symbol, [])
+                    if method_boundaries:
+                        boundary = method_boundaries[0]
             if boundary is not None:
                 tx_boundary = boundary.to_dict()
         except Exception:

{sourcecode-1.35.3 → sourcecode-1.35.5}/src/sourcecode/spring_tx_analyzer.py

@@ -63,6 +63,30 @@ _CATCH_SWALLOW_RE = re.compile(
 _RETHROW_IN_CATCH_RE = re.compile(r'\bthrow\b')
 
 
+def _extract_method_body(source: str, method_name: str) -> str:
+    """Extract the first method body matching method_name using brace counting.
+
+    Returns the text from '{' to the matching '}', or empty string if not found.
+    Needed to scope TX-005 regex to the specific method instead of the whole file.
+    """
+    pattern = re.compile(r'\b' + re.escape(method_name) + r'\s*\(')
+    for m in pattern.finditer(source):
+        brace_pos = source.find('{', m.end())
+        if brace_pos < 0:
+            continue
+        depth = 1
+        i = brace_pos + 1
+        while i < len(source) and depth > 0:
+            c = source[i]
+            if c == '{':
+                depth += 1
+            elif c == '}':
+                depth -= 1
+            i += 1
+        return source[brace_pos:i]
+    return ""
+
+
 # ---------------------------------------------------------------------------
 # Pattern protocol
 # ---------------------------------------------------------------------------
@@ -531,8 +555,16 @@ class _TX005ExceptionSwallowing:
         return findings
 
     def _has_swallowed_exception(self, source: str, symbol: str) -> bool:
-        """Return True if source contains a catch-log-no-rethrow pattern."""
-        for match in _CATCH_SWALLOW_RE.finditer(source):
+        """Return True if the specific method body has a catch-log-no-rethrow pattern.
+
+        Scopes the search to the method body only (not the whole file) to avoid
+        false positives when other methods in the same file have swallowed exceptions.
+        """
+        method_name = symbol.split("#")[-1] if "#" in symbol else symbol.rsplit(".", 1)[-1]
+        body = _extract_method_body(source, method_name)
+        if not body:
+            return False
+        for match in _CATCH_SWALLOW_RE.finditer(body):
             block = match.group(0)
             if not _RETHROW_IN_CATCH_RE.search(block):
                 return True