sourcecode 1.36.3__py3-none-any.whl → 1.36.4__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.36.3"
+__version__ = "1.36.4"

{sourcecode-1.36.3.dist-info → sourcecode-1.36.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.36.3
+Version: 1.36.4
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,8 +40,8 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.36.1-blue)
-![Python](https://img.shields.io/badge/python-3.10%2B-green)
+![Version](https://img.shields.io/badge/version-1.36.4-blue)
+![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
 
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.36.1
+# sourcecode 1.36.4
 ```
 
 ---
@@ -283,7 +283,7 @@ Specifically:
 - Architecture pattern detection best for Spring MVC layered apps; SPI/plugin architectures (e.g. Quarkus extension model) may be misclassified
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
-- `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `no_security_signal` on endpoints means no recognized method-level annotation found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured. Projects using a custom authorization annotation can teach the scanner via [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
 - `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
 - Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
 - Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
@@ -411,6 +411,8 @@ Detects structural Spring anomalies that survive code review and tests, but caus
 
 Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
 
+Endpoints guarded by a project-specific authorization annotation are treated as secured (not flagged `SEC-001`) once declared in [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
+
 ### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
 
 ```bash
@@ -716,3 +718,29 @@ Or: `export SOURCECODE_TELEMETRY=0`
 ```bash
 sourcecode config    # show version, config file path, telemetry status
 ```
+
+### `sourcecode.config.json` (repo root)
+
+Optional, per-repo. Loaded from the root of the repo being analyzed. Absent or
+malformed config is ignored — the tool behaves exactly as without it.
+
+**Custom security annotations.** Teach `endpoints`, `spring-audit`, and `explain`
+about project-specific authorization annotations (otherwise reported as
+`policy: "none_detected"`):
+
+```json
+{
+  "customSecurityAnnotations": [
+    {
+      "fullyQualifiedName": "com.example.security.M3FiltroSeguridad",
+      "shortName": "M3FiltroSeguridad",
+      "resourceParam": "nombreRecurso",
+      "levelParam": "nivelRequerido"
+    }
+  ]
+}
+```
+
+`resourceParam` / `levelParam` are optional and name the annotation attributes to
+surface as `resourceName` / `requiredLevel`. Matching endpoints report
+`policy: "custom"` and drop out of the `no_security_signal` count.

{sourcecode-1.36.3.dist-info → sourcecode-1.36.4.dist-info}/RECORD

@@ -1,4 +1,4 @@
-sourcecode/__init__.py,sha256=R2EBl2n5HISPyZl0TZ5WWj834XZILTkphQ_J6rBP3zA,103
+sourcecode/__init__.py,sha256=VaLp6STbtbdgz6lEh8T1SQ9wlrYaZOhGX5EsxDkin2c,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=liCwQmLgb5vplohy8arjYxs_HOIv5C9MjLh_gY6bc5Q,44115
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
@@ -98,8 +98,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=LtzYfaX9Ilckj5PTvAcTpDa9mLqDsYPDUiDkRa58piY,2580
 sourcecode/telemetry/filters.py,sha256=NHa5T-6DaZduQPFuC34jOqHWQgSizM-Ygq8aZ4j19ng,5834
 sourcecode/telemetry/transport.py,sha256=4gGHsq0WeY9VywEZXA3vUxykfiYnw9uuqfjAAec7F8o,1681
-sourcecode-1.36.3.dist-info/METADATA,sha256=QGvZo4o1EjzCa6zRqOWBZQs7y9RjI1AEsVBrVc4BNvw,31056
-sourcecode-1.36.3.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.36.3.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.36.3.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.36.3.dist-info/RECORD,,
+sourcecode-1.36.4.dist-info/METADATA,sha256=cvBsZ2SCRYW3ObJswm0cwyqc54S36u_Y3V6VoVljSQ4,32243
+sourcecode-1.36.4.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.36.4.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.36.4.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.36.4.dist-info/RECORD,,