sourcecode 1.35.5__tar.gz → 1.35.7__tar.gz

{sourcecode-1.35.5 → sourcecode-1.35.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.5
+Version: 1.35.7
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm

{sourcecode-1.35.5 → sourcecode-1.35.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.35.5"
+version = "1.35.7"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.5"
+__version__ = "1.35.7"

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/mcp/registry.py

@@ -10,7 +10,7 @@ Internal helpers remain explicitly marked and are not exported to MCP.
 """
 from __future__ import annotations
 
-from dataclasses import dataclass, field
+from dataclasses import dataclass, field, replace
 import inspect
 from functools import lru_cache
 from typing import Any, Callable, Mapping
@@ -69,6 +69,7 @@ class ToolSpec:
     aliases: tuple[str, ...] = ()
     internal: bool = False
     not_exposed_to_cli: bool = False
+    mcp_hidden: bool = False
     docstring: str = ""
     runtime_command: str = ""
     _argv_builder: Callable[[Mapping[str, Any]], list[str]] | None = field(
@@ -82,6 +83,10 @@ class ToolSpec:
     def public(self) -> bool:
         return not self.internal and not self.not_exposed_to_cli
 
+    @property
+    def mcp_visible(self) -> bool:
+        return self.public and not self.mcp_hidden
+
     def build_argv(self, inputs: Mapping[str, Any]) -> list[str]:
         if self._argv_builder is None:
             raise RuntimeError(f"ToolSpec '{self.name}' has no argv builder")
@@ -488,8 +493,11 @@ def _alias_spec(
     aliases: tuple[str, ...] = (),
     internal: bool = False,
     not_exposed_to_cli: bool = False,
+    mcp_hidden: bool = False,
+    docstring_override: str | None = None,
     validator: Callable[[Mapping[str, Any]], str | None] | None = None,
 ) -> ToolSpec:
+    doc = docstring_override or _build_contract_doc(description, params, cli_path, supported_targets, unsupported_targets)
     return ToolSpec(
         name=name,
         description=description,
@@ -500,7 +508,8 @@ def _alias_spec(
         aliases=aliases,
         internal=internal,
         not_exposed_to_cli=not_exposed_to_cli,
-        docstring=_build_contract_doc(description, params, cli_path, supported_targets, unsupported_targets),
+        mcp_hidden=mcp_hidden,
+        docstring=doc,
         runtime_command=" ".join(cli_path) if cli_path else "sourcecode",
         _argv_builder=argv_builder,
         validator=validator,
@@ -788,17 +797,169 @@ def _internal_specs() -> list[ToolSpec]:
     ]
 
 
+# Canonical CLI tools that are MCP-noise: raw passthroughs, meta-commands, and duplicates
+# superseded by cleaner alias variants. Still tracked by validate_registry(); just not served.
+_MCP_HIDDEN_CANONICAL_TOOLS: frozenset[str] = frozenset({
+    # Raw CLI passthroughs (clean alias exists)
+    "sourcecode_root",    # 40+ flags, no agent guidance; use get_compact_context / get_agent_context
+    "prepare_context",    # requires knowing subtask string; use task-specific aliases
+    "repo_ir",            # raw IR dump; use get_ir_summary
+    "fix_bug",            # raw Pro command; use fix_bug_context for MCP
+    "review_pr",          # raw Pro command; use review_pr_context for MCP
+    "onboard",            # raw with llm_prompt/copy flags; use onboard_context
+    # Duplicates (inferior params — cleaner alias exists)
+    "impact",             # path/target order reversed vs get_impact_context; use get_impact_context
+    "cold_start",         # duplicate of get_cold_start_context
+    "cache_freshness",    # duplicate of check_freshness
+    "modernize",          # duplicate of modernize_context
+    # Curated overrides — canonical CLI spec replaced by cleaner alias with same name.
+    # Listed here so validate_registry() skips CLI param-drift checks on the alias.
+    "spring_audit",       # curated: repo_path + scope + min_severity only (strips output_path/format/copy)
+    "impact_chain",       # curated: repo_path + symbol + depth + query_type with choices
+    # MCP self-management (an agent is not the MCP client admin)
+    "mcp_init",
+    "mcp_serve",
+    "mcp_status",
+    "mcp_remove",
+    "mcp_list_tools",
+    # Telemetry sub-commands (consolidated into telemetry(action=))
+    "telemetry_status",
+    "telemetry_enable",
+    "telemetry_disable",
+})
+
+
+def _java_spring_aliases() -> list[ToolSpec]:
+    """Curated MCP overrides for Java/Spring tools.
+
+    These replace the auto-generated canonical specs with cleaner param surfaces:
+    - repo_path (not raw `path`) for consistency with all other MCP tools
+    - MCP-irrelevant CLI flags (output_path, format, copy) stripped
+    - query_type choices documented so agents discover event topology
+    - Rich docstrings instead of contract-format stubs
+    """
+    validate_repo_path = _repo_path_validator()
+
+    _SPRING_AUDIT_DOC = """\
+Spring semantic audit: TX anomalies + security surface. JAVA/SPRING ONLY.
+
+Do NOT call on non-Java repositories — returns spring_detected=false with no findings.
+
+Patterns detected:
+  TX-001: @Transactional missing rollbackFor for checked exceptions
+  TX-002: propagation=NEVER/NOT_SUPPORTED inside @Transactional scope
+  TX-003: readOnly=true method calling write operations
+  TX-004: REQUIRES_NEW nested inside REQUIRED (TX isolation breach risk)
+  TX-005: @Async method called within @Transactional context (TX context lost)
+  SEC-001: public endpoint with no security annotation (none_detected policy)
+  SEC-002: security annotation on non-endpoint method (misplaced)
+  SEC-003: missing auth on admin-pattern operations
+
+Returns: schema_version, spring_detected, scope, summary, findings[], limitations, metadata.
+findings fields: id, pattern_id, category, severity, confidence, title, symbol,
+  source_file, evidence, explanation, fix_hint.
+
+repo_path: absolute path to the Java repository (default: current working directory).
+scope: "all" (default) | "tx" (TX-001..005 only) | "security" (SEC-001..003 only)
+min_severity: "low" (default) | "medium" | "high" | "critical"
+"""
+
+    _IMPACT_CHAIN_DOC = """\
+Spring impact-chain: blast radius of a symbol with TX/SEC semantic enrichment. JAVA/SPRING ONLY.
+
+Do NOT call on non-Java repositories — returns resolution=not_found.
+
+Two query modes via query_type:
+  "impact" (default) — BFS call graph: direct_callers, indirect_callers, endpoints_affected,
+    transaction_boundary, security_surfaces, impact_findings (TX/SEC patterns in call chain).
+  "events" — event topology: publishers, consumers, propagation graph for an event class
+    or event publisher. Use when symbol is an event class (e.g. OrderPlacedEvent).
+
+Returns: schema_version, symbol, resolution, direct_callers, indirect_callers,
+  endpoints_affected, transaction_boundary, security_surfaces, impact_findings,
+  analysis_warnings, risk_level, confidence, metadata.
+
+symbol: FQN, class name, or Class#method.
+  Examples: "OrderService", "com.example.OrderService#placeOrder",
+            "OrderPlacedEvent" (with query_type="events" for event topology)
+repo_path: absolute path to the Java repository (default: current working directory).
+depth: BFS traversal depth 1–8 (default 4).
+query_type: "impact" (default) | "events"
+"""
+
+    spring_audit = _alias_spec(
+        "spring_audit",
+        "Spring semantic audit: TX anomalies + security surface. JAVA/SPRING ONLY.",
+        ("spring-audit",),
+        (
+            ToolParamSpec("repo_path", "argument", str, required=False, default=".", is_path=True,
+                          help="Absolute path to the Java repository."),
+            ToolParamSpec("scope", "option", str, required=False, default="all",
+                          option_names=("--scope",), choices=("all", "tx", "security"),
+                          help="all (default) | tx | security"),
+            ToolParamSpec("min_severity", "option", str, required=False, default="low",
+                          option_names=("--min-severity",), choices=("low", "medium", "high", "critical"),
+                          help="low (default) | medium | high | critical"),
+        ),
+        lambda inputs: [
+            "spring-audit",
+            str(inputs.get("repo_path", ".")),
+            "--scope", str(inputs.get("scope", "all")),
+            "--min-severity", str(inputs.get("min_severity", "low")),
+        ],
+        supported_targets=("repo_path",),
+        unsupported_targets=("file_path",),
+        validator=validate_repo_path,
+        docstring_override=_SPRING_AUDIT_DOC,
+    )
+
+    impact_chain = _alias_spec(
+        "impact_chain",
+        "Spring impact-chain: blast radius + TX/SEC enrichment. JAVA/SPRING ONLY.",
+        ("impact-chain",),
+        (
+            ToolParamSpec("symbol", "argument", str, required=True, default=None,
+                          help="FQN, class name, or Class#method."),
+            ToolParamSpec("repo_path", "argument", str, required=False, default=".", is_path=True,
+                          help="Absolute path to the Java repository."),
+            ToolParamSpec("depth", "option", int, required=False, default=4,
+                          option_names=("--depth",), help="BFS depth 1–8 (default 4)."),
+            ToolParamSpec("query_type", "option", str, required=False, default="impact",
+                          option_names=("--type",), choices=("impact", "events"),
+                          help="impact (default) = call-chain blast radius; events = event topology"),
+        ),
+        lambda inputs: [
+            "impact-chain",
+            str(inputs["symbol"]),
+            str(inputs.get("repo_path", ".")),
+            "--depth", str(inputs.get("depth", 4)),
+            "--type", str(inputs.get("query_type", "impact")),
+        ],
+        supported_targets=("repo_path", "class_name"),
+        unsupported_targets=("file_path",),
+        validator=validate_repo_path,
+        docstring_override=_IMPACT_CHAIN_DOC,
+    )
+
+    return [spring_audit, impact_chain]
+
+
 @lru_cache(maxsize=1)
 def build_tool_specs() -> tuple[ToolSpec, ...]:
     """Build the full MCP registry from the live CLI runtime."""
-    canonical = [
+    canonical_raw = [
         _canonical_spec_for_runtime_command(runtime)
         for runtime in discover_runtime_commands()
         if (runtime.callback is not None or runtime.path == ())
         and (not runtime.hidden or runtime.path == ("analyze",))
     ]
+    # Mark canonical tools that should not be served via MCP (validate_registry still checks them)
+    canonical = [
+        replace(spec, mcp_hidden=True) if spec.name in _MCP_HIDDEN_CANONICAL_TOOLS else spec
+        for spec in canonical_raw
+    ]
 
-    aliases = _root_aliases() + _prepare_context_aliases()
+    aliases = _root_aliases() + _prepare_context_aliases() + _java_spring_aliases()
     internals = _internal_specs()
 
     merged: dict[str, ToolSpec] = {}
@@ -842,6 +1003,11 @@ def validate_registry() -> list[str]:
         spec = registry_by_path.get(path)
         if spec is None:
             continue
+        # Skip docstring/param drift for mcp_hidden tools and intentional curated overrides.
+        # Curated aliases (e.g. spring_audit, impact_chain) replace canonical CLI specs with
+        # cleaner MCP surfaces — their params diverge from the raw CLI by design.
+        if spec.name in _MCP_HIDDEN_CANONICAL_TOOLS or spec.mcp_hidden:
+            continue
         expected_doc = _first_doc_line(runtime.docstring or runtime.help or "")
         if expected_doc and expected_doc not in spec.description:
             issues.append(f"docstring_mismatch:{spec.name}")
@@ -853,9 +1019,15 @@ def validate_registry() -> list[str]:
     return issues
 
 
+@lru_cache(maxsize=1)
+def build_mcp_tool_specs() -> tuple[ToolSpec, ...]:
+    """Tool specs actually served via MCP: public and not mcp_hidden."""
+    return tuple(spec for spec in build_tool_specs() if spec.mcp_visible)
+
+
 def mcp_tool_specs() -> tuple[ToolSpec, ...]:
-    """Public tool specs only."""
-    return build_public_tool_specs()
+    """Tool specs served via MCP (public, not mcp_hidden)."""
+    return build_mcp_tool_specs()
 
 
 def mcp_internal_tool_specs() -> tuple[ToolSpec, ...]:

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/mcp/server.py

@@ -1179,17 +1179,36 @@ def telemetry(action: str) -> dict:
     return _execute(["telemetry", action])
 
 
+_NATIVE_MCP_TOOLS: frozenset[str] = frozenset({
+    "start_session",
+    "analyze_task",
+    "run_pr_review_flow",
+    "run_bug_investigation_flow",
+    "run_feature_flow",
+})
+
+
 def _finalize_mcp_registry() -> None:
-    """Replace manual tool registration with the runtime-generated registry."""
-    from sourcecode.mcp.registry import build_public_tool_specs, make_tool_callable, validate_registry
+    """Sync the MCP server with the runtime-generated registry.
+
+    Removes every tool except the 5 native orchestration tools (start_session,
+    analyze_task, flow runners) which are registered via @mcp.tool() in this
+    module and have no backing CLI command. All other tools are rebuilt from the
+    runtime-derived registry (build_mcp_tool_specs).
+    """
+    from sourcecode.mcp.registry import build_mcp_tool_specs, make_tool_callable, validate_registry
+
+    mcp_specs = build_mcp_tool_specs()
 
+    # Remove everything except the native orchestration tools
     try:
         for tool in list(mcp._tool_manager.list_tools()):  # type: ignore[attr-defined]
-            mcp.remove_tool(tool.name)
+            if tool.name not in _NATIVE_MCP_TOOLS:
+                mcp.remove_tool(tool.name)
     except Exception:
         pass
 
-    for spec in build_public_tool_specs():
+    for spec in mcp_specs:
         tool_fn = make_tool_callable(spec)
         tool_fn.__doc__ = spec.docstring
         globals()[spec.name] = tool_fn

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/repository_ir.py

@@ -323,6 +323,11 @@ _SPRING_OTHER: frozenset[str] = frozenset({
 
 _PUBLISH_EVENT_RE = re.compile(r'\.publishEvent\s*\(\s*new\s+(\w+)\s*[(\{]')
 
+# Two-step publish: SomeEvent var = new SomeEvent(...); publisher.publishEvent(var)
+# Used when event is created before passing to publishEvent (common pattern).
+_PUBLISH_EVENT_CALL_RE = re.compile(r'\.publishEvent\s*\(')
+_NEW_EVENT_INSTANTIATION_RE = re.compile(r'\bnew\s+(\w+Event)\s*[\({]')
+
 # Keycloak SPI event fire pattern: XxxEvent.fire(session, ...)
 _FIRE_EVENT_RE = re.compile(r'\b(\w+Event)\.fire\s*\(')
 
@@ -1195,6 +1200,27 @@ def _build_relations(
                 evidence={"type": "method_call", "value": f"publishEvent(new {event_simple})"},
             ))
 
+    # Two-step publish: `SomeEvent var = new SomeEvent(...); publisher.publishEvent(var)`.
+    # The inline regex above only catches publishEvent(new Evt(...)).  Many Spring services
+    # instantiate the event first and then pass the variable.  When the source contains
+    # publishEvent( (any form) we also scan for new XxxEvent instantiations that the inline
+    # regex would have missed (i.e. not already emitted), using confidence=low.
+    if _PUBLISH_EVENT_CALL_RE.search(_source_no_comments):
+        inline_matched: set[str] = {m.group(1) for m in _PUBLISH_EVENT_RE.finditer(_source_no_comments)}
+        for m in _NEW_EVENT_INSTANTIATION_RE.finditer(_source_no_comments):
+            event_simple = m.group(1)
+            if event_simple in inline_matched:
+                continue  # already captured by inline regex at higher confidence
+            event_fqn = import_map.get(event_simple) or _same_pkg.get(event_simple) or event_simple
+            for cls_sym in _class_syms:
+                edges.append(RelationEdge(
+                    from_symbol=cls_sym.symbol,
+                    to_symbol=event_fqn,
+                    type="publishes_event",
+                    confidence="low",
+                    evidence={"type": "method_call", "value": f"publishEvent(var) + new {event_simple}"},
+                ))
+
     # Keycloak SPI: XxxEvent.fire(...) static dispatch → publishes_event.
     for m in _FIRE_EVENT_RE.finditer(_source_no_comments):
         event_simple = m.group(1)

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/spring_impact.py

@@ -244,22 +244,48 @@ def _bfs_callers(
     X#fieldName), the containing class X is also added to the caller set and BFS
     continues from X.  This resolves the DI traversal gap where contained_in edges
     (which are skipped) were the only path from a field node back to its class.
+
+    BUG-004 fix: when BFS reaches a class-level node (no '#'), callers of that
+    class live on method-level keys (e.g. 'Foo#doWork') rather than the class key
+    ('Foo').  A class→method-key index is built upfront so the BFS also traverses
+    method-level entries when processing a class-level FQN.
     """
     visited: set[str] = set(seed_fqns)
     direct: list[str] = []
     indirect: list[str] = []
     was_truncated = False
 
-    # Hub-class guard: if seeds have > _BFS_CALLER_CAP direct callers combined,
-    # cap effective depth to 1 to avoid O(n^depth) explosion.
-    total_direct_count = 0
+    # BUG-004: index class FQN → list of method-level keys in reverse_graph.
+    # Callers of Foo#doWork are stored under reverse_graph["Foo#doWork"], never
+    # under reverse_graph["Foo"].  Without this index, BFS silently terminates
+    # whenever a class-level node is enqueued (e.g. via CH-002 expansion).
+    class_method_index: dict[str, list[str]] = {}
+    for rg_key in reverse_graph:
+        if "#" in rg_key:
+            cls = rg_key.split("#")[0]
+            class_method_index.setdefault(cls, []).append(rg_key)
+
+    def _edges_for(fqn: str) -> list[tuple[str, list[str]]]:
+        """Return all (etype, fqn_list) pairs from reverse_graph for fqn.
+        For class-level FQNs also includes method-level entries (BUG-004)."""
+        edges: list[tuple[str, list[str]]] = list((reverse_graph.get(fqn) or {}).items())
+        if "#" not in fqn:
+            for mk in class_method_index.get(fqn, []):
+                edges.extend((reverse_graph.get(mk) or {}).items())
+        return edges
+
+    # Hub-class guard: cap depth to 1 when the UNIQUE direct caller set exceeds
+    # _BFS_CALLER_CAP, to avoid O(n^depth) BFS explosion on high-fanout seeds.
+    # Uses unique callers (not raw sum per seed) so that interface-expansion seeds
+    # (which add many method-level FQNs sharing the same callers) don't trigger the
+    # guard prematurely — a 36-method interface still has ~20 unique calling classes.
+    unique_direct_callers: set[str] = set()
     for seed in seed_fqns:
-        entry = reverse_graph.get(seed) or {}
-        for etype, fqn_list in entry.items():
+        for etype, fqn_list in _edges_for(seed):
             if etype not in _SKIP_EDGE_TYPES:
-                total_direct_count += len(fqn_list)
+                unique_direct_callers.update(fqn_list)
 
-    effective_depth = 1 if total_direct_count > _BFS_CALLER_CAP else max_depth
+    effective_depth = 1 if len(unique_direct_callers) > _BFS_CALLER_CAP else max_depth
     if effective_depth < max_depth:
         was_truncated = True
 
@@ -281,8 +307,7 @@ def _bfs_callers(
         fqn, depth = queue.pop(0)
         if depth >= effective_depth:
             continue
-        entry = reverse_graph.get(fqn) or {}
-        for etype, fqn_list in entry.items():
+        for etype, fqn_list in _edges_for(fqn):
             if etype in _SKIP_EDGE_TYPES:
                 continue
             for caller in fqn_list:

{sourcecode-1.35.5 → sourcecode-1.35.7}/src/sourcecode/spring_tx_analyzer.py

@@ -52,15 +52,16 @@ _WRITE_METHOD_RE = re.compile(
     re.IGNORECASE,
 )
 
-# Exception swallowing pattern for TX-005:
-# catch block that contains a log/print but no throw/rethrow
-_CATCH_SWALLOW_RE = re.compile(
-    r'catch\s*\([^)]+\)\s*\{[^}]*'          # catch(...) {
-    r'(?:log|logger|LOG|System\.out|e\.print)'  # logging call
-    r'[^}]*\}',                               # closing brace (no throw inside)
-    re.DOTALL,
-)
+# TX-005 catch-block detection helpers.
+# _CATCH_SWALLOW_RE is retained for reference but replaced by brace-counting
+# extraction in _has_swallowed_exception to avoid false positives from nested
+# braces (nested if/try blocks inside catch terminating the match prematurely).
+_CATCH_HEADER_RE = re.compile(r'\bcatch\s*\([^)]+\)\s*\{')
+_LOG_IN_CATCH_RE = re.compile(r'\b(?:log|logger|LOG|System\.out|e\.print)\b')
 _RETHROW_IN_CATCH_RE = re.compile(r'\bthrow\b')
+# Non-trivial return (method call) inside a catch block indicates recovery, not
+# silent swallowing — e.g. `return findNextId(idType)` after creating a missing row.
+_RECOVERY_RETURN_RE = re.compile(r'\breturn\s+\w[\w.<>]*\s*\(')
 
 
 def _extract_method_body(source: str, method_name: str) -> str:
@@ -507,6 +508,10 @@ class _TX005ExceptionSwallowing:
                 continue
             if not boundary.source_file:
                 continue
+            # readOnly=true transactions do not write data — swallowed exceptions
+            # cannot cause dirty commits, so TX-005 is not applicable.
+            if boundary.read_only:
+                continue
 
             abs_path = root / boundary.source_file
             try:
@@ -555,21 +560,76 @@ class _TX005ExceptionSwallowing:
         return findings
 
     def _has_swallowed_exception(self, source: str, symbol: str) -> bool:
-        """Return True if the specific method body has a catch-log-no-rethrow pattern.
+        """Return True if a @Transactional overload of method_name has a catch-log-no-rethrow pattern.
 
-        Scopes the search to the method body only (not the whole file) to avoid
-        false positives when other methods in the same file have swallowed exceptions.
+        Guards against two false-positive sources:
+        1. Overloaded methods — only checks the overload whose declaration is immediately
+           preceded by @Transactional (preamble anchored to last '}').
+        2. Call sites — skips any match where ';' appears before the next '{', which
+           is true for call expressions (e.g. dao.method(arg);) but not definitions.
         """
         method_name = symbol.split("#")[-1] if "#" in symbol else symbol.rsplit(".", 1)[-1]
-        body = _extract_method_body(source, method_name)
-        if not body:
-            return False
-        for match in _CATCH_SWALLOW_RE.finditer(body):
-            block = match.group(0)
-            if not _RETHROW_IN_CATCH_RE.search(block):
+        pattern = re.compile(r'\b' + re.escape(method_name) + r'\s*\(')
+        for m in pattern.finditer(source):
+            # Preamble: text between the previous closing brace and this method name.
+            # Anchoring to the last '}' prevents @Transactional from a prior method
+            # from leaking into this overload's preamble.
+            prev_brace = source.rfind('}', 0, m.start())
+            preamble_start = prev_brace + 1 if prev_brace >= 0 else 0
+            preamble = source[preamble_start:m.start()]
+            if '@Transactional' not in preamble:
+                continue
+            # Guard: if ';' comes before '{', this is a call site, not a definition.
+            brace_pos = source.find('{', m.end())
+            semi_pos = source.find(';', m.end())
+            if brace_pos < 0:
+                continue
+            if semi_pos >= 0 and semi_pos < brace_pos:
+                continue
+            # Extract this overload's body
+            depth = 1
+            i = brace_pos + 1
+            while i < len(source) and depth > 0:
+                c = source[i]
+                if c == '{':
+                    depth += 1
+                elif c == '}':
+                    depth -= 1
+                i += 1
+            body = source[brace_pos:i]
+            for catch_block in self._extract_catch_blocks(body):
+                if not _LOG_IN_CATCH_RE.search(catch_block):
+                    continue
+                if _RETHROW_IN_CATCH_RE.search(catch_block):
+                    continue
+                # Non-trivial return (method call) indicates recovery, not swallowing.
+                if _RECOVERY_RETURN_RE.search(catch_block):
+                    continue
                 return True
         return False
 
+    @staticmethod
+    def _extract_catch_blocks(body: str) -> list[str]:
+        """Extract full catch block bodies from a method body using brace counting.
+
+        Handles nested braces correctly — unlike a simple [^}]* regex which
+        terminates at the first nested '}' inside the catch block.
+        """
+        blocks: list[str] = []
+        for m in _CATCH_HEADER_RE.finditer(body):
+            brace_pos = m.end() - 1
+            depth = 1
+            i = brace_pos + 1
+            while i < len(body) and depth > 0:
+                c = body[i]
+                if c == '{':
+                    depth += 1
+                elif c == '}':
+                    depth -= 1
+                i += 1
+            blocks.append(body[brace_pos:i])
+        return blocks
+
 
 # ---------------------------------------------------------------------------
 # Default pattern registry