sourcecode 1.35.5__py3-none-any.whl → 1.35.6__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.5"
+__version__ = "1.35.6"

sourcecode/repository_ir.py

@@ -323,6 +323,11 @@ _SPRING_OTHER: frozenset[str] = frozenset({
 
 _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 
+# Two-step publish: SomeEvent var = new SomeEvent(...); publisher.publishEvent(var)
+# Used when event is created before passing to publishEvent (common pattern).
+_PUBLISH_EVENT_CALL_RE = re.compile(r'\.publishEvent\s*\(')
+_NEW_EVENT_INSTANTIATION_RE = re.compile(r'\bnew\s+(\w+Event)\s*[\({]')
+
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
@@ -1195,6 +1200,27 @@ def _build_relations(
                 evidence={"type": "method_call", "value": f"publishEvent(new {event_simple})"},
             ))
 
+    # Two-step publish: `SomeEvent var = new SomeEvent(...); publisher.publishEvent(var)`.
+    # The inline regex above only catches publishEvent(new Evt(...)).  Many Spring services
+    # instantiate the event first and then pass the variable.  When the source contains
+    # publishEvent( (any form) we also scan for new XxxEvent instantiations that the inline
+    # regex would have missed (i.e. not already emitted), using confidence=low.
+    if _PUBLISH_EVENT_CALL_RE.search(_source_no_comments):
+        inline_matched: set[str] = {m.group(1) for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments)}
+        for m in _NEW_EVENT_INSTANTIATION_RE.finditer(_source_no_comments):
+            event_simple = m.group(1)
+            if event_simple in inline_matched:
+                continue  # already captured by inline regex at higher confidence
+            event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
+            for cls_sym in _class_syms:
+                edges.append(RelationEdge(
+                    from_symbol=cls_sym.symbol,
+                    to_symbol=event_fqn,
+                    type="publishes_event",
+                    confidence="low",
+                    evidence={"type": "method_call", "value": f"publishEvent(var) + new {event_simple}"},
+                ))
+
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
     for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)

sourcecode/spring_impact.py

@@ -244,22 +244,48 @@ def _bfs_callers(
     X#fieldName), the containing class X is also added to the caller set and BFS
     continues from X.  This resolves the DI traversal gap where contained_in edges
     (which are skipped) were the only path from a field node back to its class.
+
+    BUG-004 fix: when BFS reaches a class-level node (no '#'), callers of that
+    class live on method-level keys (e.g. 'Foo#doWork') rather than the class key
+    ('Foo').  A class→method-key index is built upfront so the BFS also traverses
+    method-level entries when processing a class-level FQN.
     """
     visited: set[str] = set(seed_fqns)
     direct: list[str] = []
     indirect: list[str] = []
     was_truncated = False
 
-    # Hub-class guard: if seeds have > _BFS_CALLER_CAP direct callers combined,
-    # cap effective depth to 1 to avoid O(n^depth) explosion.
-    total_direct_count = 0
+    # BUG-004: index class FQN → list of method-level keys in reverse_graph.
+    # Callers of Foo#doWork are stored under reverse_graph["Foo#doWork"], never
+    # under reverse_graph["Foo"].  Without this index, BFS silently terminates
+    # whenever a class-level node is enqueued (e.g. via CH-002 expansion).
+    class_method_index: dict[str, list[str]] = {}
+    for rg_key in reverse_graph:
+        if "#" in rg_key:
+            cls = rg_key.split("#")[0]
+            class_method_index.setdefault(cls, []).append(rg_key)
+
+    def _edges_for(fqn: str) -> list[tuple[str, list[str]]]:
+        """Return all (etype, fqn_list) pairs from reverse_graph for fqn.
+        For class-level FQNs also includes method-level entries (BUG-004)."""
+        edges: list[tuple[str, list[str]]] = list((reverse_graph.get(fqn) or {}).items())
+        if "#" not in fqn:
+            for mk in class_method_index.get(fqn, []):
+                edges.extend((reverse_graph.get(mk) or {}).items())
+        return edges
+
+    # Hub-class guard: cap depth to 1 when the UNIQUE direct caller set exceeds
+    # _BFS_CALLER_CAP, to avoid O(n^depth) BFS explosion on high-fanout seeds.
+    # Uses unique callers (not raw sum per seed) so that interface-expansion seeds
+    # (which add many method-level FQNs sharing the same callers) don't trigger the
+    # guard prematurely — a 36-method interface still has ~20 unique calling classes.
+    unique_direct_callers: set[str] = set()
     for seed in seed_fqns:
-        entry = reverse_graph.get(seed) or {}
-        for etype, fqn_list in entry.items():
+        for etype, fqn_list in _edges_for(seed):
             if etype not in _SKIP_EDGE_TYPES:
-                total_direct_count += len(fqn_list)
+                unique_direct_callers.update(fqn_list)
 
-    effective_depth = 1 if total_direct_count > _BFS_CALLER_CAP else max_depth
+    effective_depth = 1 if len(unique_direct_callers) > _BFS_CALLER_CAP else max_depth
     if effective_depth < max_depth:
         was_truncated = True
 
@@ -281,8 +307,7 @@ def _bfs_callers(
         fqn, depth = queue.pop(0)
         if depth >= effective_depth:
             continue
-        entry = reverse_graph.get(fqn) or {}
-        for etype, fqn_list in entry.items():
+        for etype, fqn_list in _edges_for(fqn):
             if etype in _SKIP_EDGE_TYPES:
                 continue
             for caller in fqn_list:

sourcecode/spring_tx_analyzer.py

@@ -52,15 +52,16 @@ _WRITE_METHOD_RE = re.compile(
     re.IGNORECASE,
 )
 
-# Exception swallowing pattern for TX-005:
-# catch block that contains a log/print but no throw/rethrow
-_CATCH_SWALLOW_RE = re.compile(
-    r'catch\s*\([^)]+\)\s*\{[^}]*'          # catch(...) {
-    r'(?:log|logger|LOG|System\.out|e\.print)'  # logging call
-    r'[^}]*\}',                               # closing brace (no throw inside)
-    re.DOTALL,
-)
+# TX-005 catch-block detection helpers.
+# _CATCH_SWALLOW_RE is retained for reference but replaced by brace-counting
+# extraction in _has_swallowed_exception to avoid false positives from nested
+# braces (nested if/try blocks inside catch terminating the match prematurely).
+_CATCH_HEADER_RE = re.compile(r'\bcatch\s*\([^)]+\)\s*\{')
+_LOG_IN_CATCH_RE = re.compile(r'\b(?:log|logger|LOG|System\.out|e\.print)\b')
 _RETHROW_IN_CATCH_RE = re.compile(r'\bthrow\b')
+# Non-trivial return (method call) inside a catch block indicates recovery, not
+# silent swallowing — e.g. `return findNextId(idType)` after creating a missing row.
+_RECOVERY_RETURN_RE = re.compile(r'\breturn\s+\w[\w.<>]*\s*\(')
 
 
 def _extract_method_body(source: str, method_name: str) -> str:
@@ -507,6 +508,10 @@ class _TX005ExceptionSwallowing:
                 continue
             if not boundary.source_file:
                 continue
+            # readOnly=true transactions do not write data — swallowed exceptions
+            # cannot cause dirty commits, so TX-005 is not applicable.
+            if boundary.read_only:
+                continue
 
             abs_path = root / boundary.source_file
             try:
@@ -555,21 +560,76 @@ class _TX005ExceptionSwallowing:
         return findings
 
     def _has_swallowed_exception(self, source: str, symbol: str) -> bool:
-        """Return True if the specific method body has a catch-log-no-rethrow pattern.
+        """Return True if a @Transactional overload of method_name has a catch-log-no-rethrow pattern.
 
-        Scopes the search to the method body only (not the whole file) to avoid
-        false positives when other methods in the same file have swallowed exceptions.
+        Guards against two false-positive sources:
+        1. Overloaded methods — only checks the overload whose declaration is immediately
+           preceded by @Transactional (preamble anchored to last '}').
+        2. Call sites — skips any match where ';' appears before the next '{', which
+           is true for call expressions (e.g. dao.method(arg);) but not definitions.
         """
         method_name = symbol.split("#")[-1] if "#" in symbol else symbol.rsplit(".", 1)[-1]
-        body = _extract_method_body(source, method_name)
-        if not body:
-            return False
-        for match in _CATCH_SWALLOW_RE.finditer(body):
-            block = match.group(0)
-            if not _RETHROW_IN_CATCH_RE.search(block):
+        pattern = re.compile(r'\b' + re.escape(method_name) + r'\s*\(')
+        for m in pattern.finditer(source):
+            # Preamble: text between the previous closing brace and this method name.
+            # Anchoring to the last '}' prevents @Transactional from a prior method
+            # from leaking into this overload's preamble.
+            prev_brace = source.rfind('}', 0, m.start())
+            preamble_start = prev_brace + 1 if prev_brace >= 0 else 0
+            preamble = source[preamble_start:m.start()]
+            if '@Transactional' not in preamble:
+                continue
+            # Guard: if ';' comes before '{', this is a call site, not a definition.
+            brace_pos = source.find('{', m.end())
+            semi_pos = source.find(';', m.end())
+            if brace_pos < 0:
+                continue
+            if semi_pos >= 0 and semi_pos < brace_pos:
+                continue
+            # Extract this overload's body
+            depth = 1
+            i = brace_pos + 1
+            while i < len(source) and depth > 0:
+                c = source[i]
+                if c == '{':
+                    depth += 1
+                elif c == '}':
+                    depth -= 1
+                i += 1
+            body = source[brace_pos:i]
+            for catch_block in self._extract_catch_blocks(body):
+                if not _LOG_IN_CATCH_RE.search(catch_block):
+                    continue
+                if _RETHROW_IN_CATCH_RE.search(catch_block):
+                    continue
+                # Non-trivial return (method call) indicates recovery, not swallowing.
+                if _RECOVERY_RETURN_RE.search(catch_block):
+                    continue
                 return True
         return False
 
+    @staticmethod
+    def _extract_catch_blocks(body: str) -> list[str]:
+        """Extract full catch block bodies from a method body using brace counting.
+
+        Handles nested braces correctly — unlike a simple [^}]* regex which
+        terminates at the first nested '}' inside the catch block.
+        """
+        blocks: list[str] = []
+        for m in _CATCH_HEADER_RE.finditer(body):
+            brace_pos = m.end() - 1
+            depth = 1
+            i = brace_pos + 1
+            while i < len(body) and depth > 0:
+                c = body[i]
+                if c == '{':
+                    depth += 1
+                elif c == '}':
+                    depth -= 1
+                i += 1
+            blocks.append(body[brace_pos:i])
+        return blocks
+
 
 # ---------------------------------------------------------------------------
 # Default pattern registry

{sourcecode-1.35.5.dist-info → sourcecode-1.35.6.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.5
+Version: 1.35.6
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm

{sourcecode-1.35.5.dist-info → sourcecode-1.35.6.dist-info}/RECORD

@@ -1,4 +1,4 @@
-sourcecode/__init__.py,sha256=QCdv6kJhqRAzIEK9ewWpwfq2rcWG3YpzJnjAJDMG_pc,103
+sourcecode/__init__.py,sha256=TcLh06FmiHFO9CNvHqSENDrpMzVidT6Co88A6deoVv8,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=qh749a7ykPtGmQI1MR9y6j8TtL_jBdVYFx9YRsLqOMw,44121
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
@@ -36,7 +36,7 @@ sourcecode/ranking_engine.py,sha256=ZAucq_YX2KkWUuAZf4P0lhtQ_38vEFnUhuGtSZd1S0E,
 sourcecode/redactor.py,sha256=SB4hwIvg8h-hvcqKcDWaZvA-aSyn-at-BIRwa0tUv5E,3227
 sourcecode/relevance_scorer.py,sha256=0AgEt4KrV73nioMqBgjhGjtY7L2C7L7cSyKtj3IKcrw,9408
 sourcecode/repo_classifier.py,sha256=FG1vaWKdWXsWdl-S8hjVMiTqcwgaRXkDyvK4rPcOGtQ,22681
-sourcecode/repository_ir.py,sha256=uLIewoLBg4nknI1JlI8bPo_kl9SVyT-GFQqENTeFz1M,167673
+sourcecode/repository_ir.py,sha256=SOACZ4viYG8tpmL_-l4XqoX6bN4GmCeX5ZIr9tnuQyA,169298
 sourcecode/ris.py,sha256=RcqLVwC-doFcKKViYDkCjZLBqf_wzLES7-F6vHEeWzE,20419
 sourcecode/runtime_classifier.py,sha256=uTAD6BDCiBLUZEDRfqk718kM4RTT_vAbfkcOI2_Xx58,18432
 sourcecode/scanner.py,sha256=WdOQ78mMzjR1NjmKTlbxdgwinnCTfAhxCVLBEFQiFHU,8899
@@ -45,11 +45,11 @@ sourcecode/semantic_analyzer.py,sha256=TDuC3wzZR2DPm1mgrAg1YSLk2QzJoueS3TZAmyGGp
 sourcecode/serializer.py,sha256=ooNZW2_fqx__BXII25eAWq-BomodvqQ6opUT_niQYCA,123403
 sourcecode/spring_event_topology.py,sha256=LvGv5RXtU_O-fVB_OO9eDD2UmZM72Jn2oUHgOo50Qm0,17157
 sourcecode/spring_findings.py,sha256=8V91iHOg9hFgg6tLLl4FSsgrF-dBqOcO2s-K5sD_goA,5417
-sourcecode/spring_impact.py,sha256=-ET4oB9tZQYfcyhfI781mMJCU-przz6x4Ejwr3hejA8,31743
+sourcecode/spring_impact.py,sha256=vb_cOk9dFU7YcGPeqivFcpS4OYSETT72oJYn4WC5al0,33266
 sourcecode/spring_model.py,sha256=IzMcM5ftw1_EHG3FGUDT7qdAMpo3eqbAE1LRuasfr_4,14739
 sourcecode/spring_security_audit.py,sha256=RPr491FGAmWNxqe-uN0FS2gmjQ0M5ryRyXjLNMMzKFk,20077
 sourcecode/spring_semantic.py,sha256=CiAf77p48-RFrUF0zbgww4w2Xigrbo1t5M3ZCDIfV_g,12032
-sourcecode/spring_tx_analyzer.py,sha256=eBcYLRKhlUllHl195CVGNWeg2vMext4u1Tezu_Mwrdg,27143
+sourcecode/spring_tx_analyzer.py,sha256=ZI_sG0oQi_iQAbm0hwIzjwGPMV2oS0RSsz2dGYCz__k,30103
 sourcecode/summarizer.py,sha256=YspHEVeYJVmltq0FMtGZF8kIP3qiR2KLcanGL6Y7uTI,20747
 sourcecode/tree_utils.py,sha256=8GAkIfQAsvtEudIeW1l4ooH_oRtrWR8cpJQJsEa_Pfw,2093
 sourcecode/workspace.py,sha256=X_6NmNnitvT3_38V-JDChydo_sR68s249hLFlrQskU0,8271
@@ -90,8 +90,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=oEvvulfsv5GIDWG2174gSS6tNB95w38AIYiYeifGKlE,2294
 sourcecode/telemetry/filters.py,sha256=Asa71oRl7q3Wt_FMwuufIZJFzSYdgRNKS8LHCIyFeYE,4805
 sourcecode/telemetry/transport.py,sha256=KJeIPCPWMdmbCP3ySGs2iUlia34U6vWne2dZsUezesw,1560
-sourcecode-1.35.5.dist-info/METADATA,sha256=ZrHgEgvVfhprWb98X8P4rB5PUJZ7Av4uDsrHfzVgovU,21263
-sourcecode-1.35.5.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.35.5.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.35.5.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.35.5.dist-info/RECORD,,
+sourcecode-1.35.6.dist-info/METADATA,sha256=yC_5VR0K7bAsP10Dli2yOR3RAPA8ylm3slY150Z9O6g,21263
+sourcecode-1.35.6.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.35.6.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.35.6.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.35.6.dist-info/RECORD,,