sourcecode 1.36.3__tar.gz → 1.36.4__tar.gz

{sourcecode-1.36.3 → sourcecode-1.36.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.36.3
+Version: 1.36.4
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,8 +40,8 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.36.1-blue)
-![Python](https://img.shields.io/badge/python-3.10%2B-green)
+![Version](https://img.shields.io/badge/version-1.36.4-blue)
+![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
 
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.36.1
+# sourcecode 1.36.4
 ```
 
 ---
@@ -283,7 +283,7 @@ Specifically:
 - Architecture pattern detection best for Spring MVC layered apps; SPI/plugin architectures (e.g. Quarkus extension model) may be misclassified
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
-- `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `no_security_signal` on endpoints means no recognized method-level annotation found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured. Projects using a custom authorization annotation can teach the scanner via [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
 - `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
 - Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
 - Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
@@ -411,6 +411,8 @@ Detects structural Spring anomalies that survive code review and tests, but caus
 
 Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
 
+Endpoints guarded by a project-specific authorization annotation are treated as secured (not flagged `SEC-001`) once declared in [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
+
 ### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
 
 ```bash
@@ -716,3 +718,29 @@ Or: `export SOURCECODE_TELEMETRY=0`
 ```bash
 sourcecode config    # show version, config file path, telemetry status
 ```
+
+### `sourcecode.config.json` (repo root)
+
+Optional, per-repo. Loaded from the root of the repo being analyzed. Absent or
+malformed config is ignored — the tool behaves exactly as without it.
+
+**Custom security annotations.** Teach `endpoints`, `spring-audit`, and `explain`
+about project-specific authorization annotations (otherwise reported as
+`policy: "none_detected"`):
+
+```json
+{
+  "customSecurityAnnotations": [
+    {
+      "fullyQualifiedName": "com.example.security.M3FiltroSeguridad",
+      "shortName": "M3FiltroSeguridad",
+      "resourceParam": "nombreRecurso",
+      "levelParam": "nivelRequerido"
+    }
+  ]
+}
+```
+
+`resourceParam` / `levelParam` are optional and name the annotation attributes to
+surface as `resourceName` / `requiredLevel`. Matching endpoints report
+`policy: "custom"` and drop out of the `no_security_signal` count.

{sourcecode-1.36.3 → sourcecode-1.36.4}/README.md

@@ -2,8 +2,8 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.36.1-blue)
-![Python](https://img.shields.io/badge/python-3.10%2B-green)
+![Version](https://img.shields.io/badge/version-1.36.4-blue)
+![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
 
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.36.1
+# sourcecode 1.36.4
 ```
 
 ---
@@ -245,7 +245,7 @@ Specifically:
 - Architecture pattern detection best for Spring MVC layered apps; SPI/plugin architectures (e.g. Quarkus extension model) may be misclassified
 - Endpoint recall for JAX-RS subresource locator pattern is ~65%
 - `impact` on implementation classes (e.g. `OrderServiceImpl`) returns 0 callers in Spring Boot — callers inject the interface via `@Autowired`. Always target the interface. When `direct_callers: []` with `confidence_level: high` for a `@Service` class, re-query the interface.
-- `no_security_signal` on endpoints means no method-level annotations found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured.
+- `no_security_signal` on endpoints means no recognized method-level annotation found — does **not** mean the endpoint is unsecured. Projects using Spring Security filter chains show 100% `no_security_signal` even when fully secured. Projects using a custom authorization annotation can teach the scanner via [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
 - `spring-audit` and `impact-chain` are **Java/Spring only** — non-Java repos return `spring_detected: false`
 - Event topology via `--type events` does not resolve Kafka/RabbitMQ/Redis message routes — only Spring ApplicationEvent and `@EventListener` chains
 - Self-invocation TX bypass (calling `@Transactional` method from the same class without going through the proxy) is not detected
@@ -373,6 +373,8 @@ Detects structural Spring anomalies that survive code review and tests, but caus
 
 Returns structured findings with `severity`, `confidence`, `symbol`, `source_file`, `evidence`, `explanation`, and `fix_hint`. JAVA/SPRING ONLY.
 
+Endpoints guarded by a project-specific authorization annotation are treated as secured (not flagged `SEC-001`) once declared in [`sourcecode.config.json`](#sourcecodeconfigjson-repo-root).
+
 ### `impact-chain` — systemic blast radius with TX/SEC enrichment [free]
 
 ```bash
@@ -678,3 +680,29 @@ Or: `export SOURCECODE_TELEMETRY=0`
 ```bash
 sourcecode config    # show version, config file path, telemetry status
 ```
+
+### `sourcecode.config.json` (repo root)
+
+Optional, per-repo. Loaded from the root of the repo being analyzed. Absent or
+malformed config is ignored — the tool behaves exactly as without it.
+
+**Custom security annotations.** Teach `endpoints`, `spring-audit`, and `explain`
+about project-specific authorization annotations (otherwise reported as
+`policy: "none_detected"`):
+
+```json
+{
+  "customSecurityAnnotations": [
+    {
+      "fullyQualifiedName": "com.example.security.M3FiltroSeguridad",
+      "shortName": "M3FiltroSeguridad",
+      "resourceParam": "nombreRecurso",
+      "levelParam": "nivelRequerido"
+    }
+  ]
+}
+```
+
+`resourceParam` / `levelParam` are optional and name the annotation attributes to
+surface as `resourceName` / `requiredLevel`. Matching endpoints report
+`policy: "custom"` and drop out of the `no_security_signal` count.

{sourcecode-1.36.3 → sourcecode-1.36.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.36.3"
+version = "1.36.4"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.36.3 → sourcecode-1.36.4}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.36.3"
+__version__ = "1.36.4"