sourcecode 1.41.0__py3-none-any.whl → 1.44.0__py3-none-any.whl

sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.41.0"
+__version__ = "1.44.0"

sourcecode/repository_ir.py

@@ -131,9 +131,22 @@ _CLASS_DECL_RE = re.compile(
     r'\s*\{',
 )
 
+# CH-004c: detect a type declaration that participates structurally via inheritance
+# (`class X extends Base` / `interface I extends A` / `class C implements I`). Used by
+# the fast pre-scan to NOT skip annotation-free files that still own extends/implements
+# edges the impact graph needs. `[^{;]*?` keeps the match within a single declaration
+# head (stops at the body `{` or a `;`), matching the precision of _CLASS_DECL_RE.
+_INHERIT_PRESCAN_RE = re.compile(
+    r'\b(?:class|interface)\s+[A-Z]\w*[^{;]*?\b(?:extends|implements)\b'
+)
+
 _METHOD_DECL_RE = re.compile(
     r'^(?P<modifiers>(?:(?:public|private|protected|static|final|synchronized'
     r'|abstract|default|native|strictfp|override)\s+)*)'
+    # Inline (modifier-position) annotations, e.g. `public @ResponseBody Vets foo()`
+    # or `@Valid`, `@Nonnull`. Without this the whole declaration fails to match and
+    # the method (its endpoint + return-type edge) is silently dropped (CH-003/Fase 22).
+    r'(?P<inline_anns>(?:@[\w.]+(?:\s*\([^)]*\))?\s+)*)'
     r'(?:<[\w,\s?]+>\s+)?'
     r'(?P<return_type>(?:void|boolean|byte|char|short|int|long|float|double|String|[\w.<>\[\]?,]+)\s+)'
     r'(?P<name>[a-z_]\w*)\s*\(',
@@ -830,6 +843,11 @@ def _extract_symbols(
                 if mname not in _JAVA_KEYWORDS:
                     fqn = f"{class_fqn}#{mname}"
                     modifiers = _parse_modifier_str(mth_m.group("modifiers") or "")
+                    # Fold modifier-position inline annotations into pending_anns so
+                    # symbol_kind / endpoint detection see them (e.g. @ResponseBody).
+                    for _inl in re.findall(r'@[\w.]+', mth_m.group("inline_anns") or ""):
+                        if _inl not in pending_anns:
+                            pending_anns.append(_inl)
                     used = _resolve_types_from_text(stripped, import_map)
                     conf = "high" if ("public" in modifiers or pending_anns) else "medium"
 
@@ -1256,7 +1274,11 @@ def _build_relations(
             # commas so each base produces its own edge and the reverse graph sees
             # every supertype (not a single mangled token).
             for base in _split_supertype_list(extends_str):
-                to = import_map.get(base, base)
+                # CH-004: resolve same-package / wildcard-imported supertypes to their
+                # FQN (not just import_map), else a same-package `extends Base` stays a
+                # bare name and the implementation_graph cannot link sub→supertype.
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -1267,7 +1289,8 @@ def _build_relations(
 
         if implements_str:
             for base in _split_supertype_list(implements_str):
-                to = import_map.get(base, base)
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -1330,6 +1353,32 @@ def _build_relations(
                     evidence={"type": "annotation", "value": ann},
                 ))
 
+    # ── Type-usage: return-type edges (CH-003 / Fase 22) ──────────────────────
+    # A method's declared return type is a real dependency edge the call/DI graph
+    # misses: for a value/DTO/response type returned (esp. @ResponseBody) by a
+    # controller handler, this is the ONLY link from the type back to its endpoint.
+    # method → returnTypeFQN, type="returns".  Resolution reuses _resolve_dep_type,
+    # so only in-repo / imported types produce edges (primitives & void are skipped).
+    _PRIMITIVE_RETURNS: frozenset[str] = frozenset({
+        "void", "boolean", "byte", "char", "short", "int", "long", "float",
+        "double", "String", "Object",
+    })
+    for sym in symbols:
+        if sym.type != "method" or not sym.return_type:
+            continue
+        _ret_base = re.sub(r'<.*', '', sym.return_type).replace("[]", "").strip()
+        if not _ret_base or _ret_base in _PRIMITIVE_RETURNS or not _ret_base[0].isupper():
+            continue
+        _ret_fqn = _resolve_dep_type(_ret_base)
+        if _ret_fqn and _ret_fqn != _enclosing_class(sym.symbol):
+            edges.append(RelationEdge(
+                from_symbol=sym.symbol,
+                to_symbol=_ret_fqn,
+                type="returns",
+                confidence="high",
+                evidence={"type": "return_type", "value": sym.return_type},
+            ))
+
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
     # Strip comments before event scanning to prevent Javadoc examples from
@@ -1425,6 +1474,46 @@ def _build_relations(
                     evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
                 ))
 
+    # ── Type-usage: instantiation edges (CH-003 / Fase 22) ────────────────────
+    # `new T(...)` couples the instantiating class to T — a type-usage edge the
+    # call/DI graph misses. Attributed at class level (one primary type per file,
+    # mirroring the publishes_event scan). Controllers are EXCLUDED: their value-type
+    # coupling is already covered precisely by `returns` edges, and a class-level
+    # edge from a controller would broaden a DTO's impact to every route on that
+    # controller (false breadth). Method-level attribution is a future refinement.
+    # Controller-like = class-level @RestController/@Controller OR a class that owns
+    # any endpoint-handler method (mappings are often only method-level).
+    _classes_with_endpoints = {
+        _enclosing_class(s.symbol) for s in symbols if s.symbol_kind == "endpoint"
+    }
+    _instantiating_controllers = {
+        s.symbol for s in symbols
+        if s.type in ("class", "interface")
+        and (
+            any(a in ("@RestController", "@Controller") for a in s.annotations)
+            or s.symbol in _classes_with_endpoints
+        )
+    }
+    _non_controller_classes = [
+        s for s in _class_syms if s.symbol not in _instantiating_controllers
+    ]
+    if _non_controller_classes:
+        _inst_targets: set[str] = set()
+        for _m in re.finditer(r'\bnew\s+([A-Z]\w*)\s*[(<]', _source_no_comments):
+            _t_fqn = _resolve_dep_type(_m.group(1))
+            if _t_fqn:
+                _inst_targets.add(_t_fqn)
+        for cls_sym in _non_controller_classes:
+            for _tgt in sorted(_inst_targets):
+                if _tgt != cls_sym.symbol:
+                    edges.append(RelationEdge(
+                        from_symbol=cls_sym.symbol,
+                        to_symbol=_tgt,
+                        type="instantiates",
+                        confidence="medium",
+                        evidence={"type": "method_call", "value": f"new {_tgt.split('.')[-1]}(...)"},
+                    ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -3052,6 +3141,14 @@ def build_repo_ir(
         '@RequiredArgsConstructor', '@AllArgsConstructor',
         '@Inject', '@ApplicationScoped', '@RequestScoped', '@Singleton',
         '@EnableMethodSecurity', '@EnableGlobalMethodSecurity',
+        # Field/setter injection markers (CH-004). A class wired purely by field
+        # injection — no class-level stereotype — is still a node in the DI graph:
+        # e.g. an abstract base controller that holds @Autowired/@Resource services
+        # its concrete subclasses inherit. Omitting these pre-scan-skips such classes,
+        # dropping their injects edges, so impact-chain cannot reach callers through
+        # them (Broadleaf: AbstractCheckoutController → checkout endpoints went missing).
+        '@Autowired', '@Resource', '@Qualifier', '@Value',
+        '@PersistenceContext', '@PersistenceUnit',
         # JPA / persistence (needed for stereotype detection in all commands)
         '@Entity', '@MappedSuperclass', '@Embeddable',
         # AOP / messaging / event sourcing
@@ -3098,7 +3195,8 @@ def build_repo_ir(
         _meta_chars_read += len(source)
         # Fast pre-scan: if file has no relevant annotations skip full extraction.
         # Still register package/class name for same-package resolution.
-        if not any(marker in source for marker in _effective_markers):
+        if not any(marker in source for marker in _effective_markers) \
+                and not _INHERIT_PRESCAN_RE.search(source):
             pkg_m = _PKG_RE.search(source)
             _pkg = pkg_m.group(1) if pkg_m else ""
             # Minimal class-name symbols for same-package map (no methods/fields)

sourcecode/spring_impact.py

@@ -129,6 +129,50 @@ class ImpactChainResult:
         return d
 
 
+# ---------------------------------------------------------------------------
+# CH-003 — value/DTO type blind-spot detection
+# ---------------------------------------------------------------------------
+# The impact graph models call + DI/injection edges but not *type-usage* edges
+# (constructor instantiation `new T()`, field/local-variable type, and method
+# return type incl. @ResponseBody). For a service/repository the call+DI edges
+# cover the real blast radius; for a value/DTO/response type they cover nothing,
+# so its impact is invisible — and an all-zero result reported at confidence=high
+# reads as "globally dead" (a dangerous false negative). Until type-usage edges
+# are modelled (Fase 22 / CH-002), positively identify plain value types and
+# downgrade confidence + warn instead of asserting an empty high-confidence result.
+_STEREOTYPE_ANNOTATIONS = frozenset({
+    "@Service", "@Repository", "@Controller", "@RestController",
+    "@Component", "@Configuration", "@ControllerAdvice",
+    "@RestControllerAdvice", "@Bean",
+})
+_VALUE_TYPE_KINDS = frozenset({"class", "enum", "record"})
+
+
+def _is_unmodeled_value_type(cir, class_fqn: str, model) -> bool:
+    """True iff class_fqn is positively a plain value/DTO type whose blast radius
+    flows only through type-usage edges the impact graph does not model.
+
+    Conservative: returns False whenever the type cannot be positively confirmed
+    (node metadata absent, stereotype annotation present, recognized Spring role,
+    or controller) so spine symbols and incomplete-IR cases keep legacy behaviour.
+    """
+    graph = (getattr(cir, "_raw_ir", None) or {}).get("graph") or {}
+    node = next((n for n in (graph.get("nodes") or []) if n.get("fqn") == class_fqn), None)
+    if node is None:
+        return False  # cannot confirm — stay conservative (preserves IC-V3)
+    if (node.get("symbol_kind") or node.get("type")) not in _VALUE_TYPE_KINDS:
+        return False  # interface / annotation / bean-method etc.
+    anns = node.get("annotations") or []
+    if any(a.split("(", 1)[0] in _STEREOTYPE_ANNOTATIONS for a in anns):
+        return False  # Spring stereotype bean — spine participant
+    if (node.get("role") or "other") != "other":
+        return False  # recognized Spring role (repository/service/controller/mapper)
+    controllers = getattr(getattr(model, "endpoint_index", None), "controller_fqns", frozenset())
+    if class_fqn in controllers:
+        return False
+    return True
+
+
 # ---------------------------------------------------------------------------
 # Symbol resolution
 # ---------------------------------------------------------------------------
@@ -706,9 +750,31 @@ class ImpactOrchestrator:
             impact_findings_raw,
         )
 
+        # CH-003: empty blast radius on a positively-identified value/DTO type is a
+        # type-usage blind spot, not proof of dead code — warn + drop confidence.
+        empty_blast = (
+            not direct_callers and not indirect_callers
+            and not endpoints_affected and not subtype_classes_added
+        )
+        value_type_blind_spot = (
+            empty_blast
+            and "#" not in resolved_symbol
+            and resolution != "not_found"
+            and _is_unmodeled_value_type(cir, resolved_symbol, model)
+        )
+        if value_type_blind_spot:
+            warnings.append(
+                "Type-usage edges not modeled (CH-003): this type's blast radius flows "
+                "through instantiation (new T()), field/local types, and method return "
+                "types (incl. @ResponseBody) — edges impact-chain does not yet track. "
+                "An empty result is NOT proof the type is unused."
+            )
+
         confidence: str
         if resolution == "not_found":
             confidence = "low"
+        elif value_type_blind_spot:
+            confidence = "low"
         elif resolution == "partial" or warnings:
             confidence = "medium"
         else:

{sourcecode-1.41.0.dist-info → sourcecode-1.44.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.41.0
+Version: 1.44.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.39.0-blue)
+![Version](https://img.shields.io/badge/version-1.44.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.39.0
+# sourcecode 1.44.0
 ```
 
 ---

{sourcecode-1.41.0.dist-info → sourcecode-1.44.0.dist-info}/RECORD

@@ -1,4 +1,4 @@
-sourcecode/__init__.py,sha256=O5H1yHp5Huzjec-tRroSc8Z3rDJeqdAGgZ9MFZAqxnY,103
+sourcecode/__init__.py,sha256=KCoWiYA4njgsXUEDMnmPU0kheOgqm-RpLky5FPkilQw,103
 sourcecode/adaptive_scanner.py,sha256=XffluXKzJUXrMtjEiAOnSNPZnztdIcts17T9ouHeID0,10521
 sourcecode/architecture_analyzer.py,sha256=liCwQmLgb5vplohy8arjYxs_HOIv5C9MjLh_gY6bc5Q,44115
 sourcecode/architecture_summary.py,sha256=z34_6v7cSwy98cof2UVciGho7SCrZ93tiqMmq5WNzRQ,20405
@@ -44,7 +44,7 @@ sourcecode/redactor.py,sha256=SB4hwIvg8h-hvcqKcDWaZvA-aSyn-at-BIRwa0tUv5E,3227
 sourcecode/relevance_scorer.py,sha256=0AgEt4KrV73nioMqBgjhGjtY7L2C7L7cSyKtj3IKcrw,9408
 sourcecode/rename_refactor.py,sha256=h6dNFlB9aZ_3q6heeHBkgXQeXaT03nvPSsYH6P8qxFg,12965
 sourcecode/repo_classifier.py,sha256=FG1vaWKdWXsWdl-S8hjVMiTqcwgaRXkDyvK4rPcOGtQ,22681
-sourcecode/repository_ir.py,sha256=-rHQSinIMEa6lcbPdyoJzYB-USB9yX_9bsaWJgJqwHs,202432
+sourcecode/repository_ir.py,sha256=WjDYwbBm-eWp-k6aSdBrgO_XcRGuP-Llp0TZHBhq8bY,208237
 sourcecode/ris.py,sha256=RcqLVwC-doFcKKViYDkCjZLBqf_wzLES7-F6vHEeWzE,20419
 sourcecode/runtime_classifier.py,sha256=uTAD6BDCiBLUZEDRfqk718kM4RTT_vAbfkcOI2_Xx58,18432
 sourcecode/scanner.py,sha256=WdOQ78mMzjR1NjmKTlbxdgwinnCTfAhxCVLBEFQiFHU,8899
@@ -54,7 +54,7 @@ sourcecode/semantic_analyzer.py,sha256=4OdG6tTSnTvq3_dSWMbQu8Ad1ndSCKeG-b9qM4hIx
 sourcecode/serializer.py,sha256=TGzftrSKitZrtl6Hh-R05s4KdTOxwTmph_lGDbo2Wzg,125015
 sourcecode/spring_event_topology.py,sha256=5_ON_21Le5zbG-1GRc5GLIi5HJfy_QjcXLVPC5WeUGQ,18055
 sourcecode/spring_findings.py,sha256=G7Or2lKBUQbcTDqudLvSs9XvNg_YoAa-_lBOG_ULs8E,5457
-sourcecode/spring_impact.py,sha256=pg_SWogs2ylNF-Tjz_6AgPtJGePrr3VQeyeFYK6-NzA,35228
+sourcecode/spring_impact.py,sha256=rUKSiCfXh9NpC9a97KvjCu6Kn8bYezTnMDY3F7sgtCI,38737
 sourcecode/spring_model.py,sha256=zOAgFmrRbG4a6KLm1TJl55aWMyPNsz3OS3FSczqPG6A,16594
 sourcecode/spring_security_audit.py,sha256=XtPJ1SXlZJ8k6VYmaWuAp7Bbir4UmreAL7doIGQ5I7o,20595
 sourcecode/spring_semantic.py,sha256=O1nKSGVzlukuxLHQVuCPxc-XrcrMFxwlHA20_dmEGgM,13307
@@ -101,8 +101,8 @@ sourcecode/telemetry/consent.py,sha256=wLMvGNJeSSyZoNkQXpoUioY6mMv4Qdvuw7S9jAEWn
 sourcecode/telemetry/events.py,sha256=LtzYfaX9Ilckj5PTvAcTpDa9mLqDsYPDUiDkRa58piY,2580
 sourcecode/telemetry/filters.py,sha256=NHa5T-6DaZduQPFuC34jOqHWQgSizM-Ygq8aZ4j19ng,5834
 sourcecode/telemetry/transport.py,sha256=4gGHsq0WeY9VywEZXA3vUxykfiYnw9uuqfjAAec7F8o,1681
-sourcecode-1.41.0.dist-info/METADATA,sha256=fbTRvu0l7OOyoWnIFFNkEmSfEPtFzg3uSNvD33MsbLU,32359
-sourcecode-1.41.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-sourcecode-1.41.0.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
-sourcecode-1.41.0.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
-sourcecode-1.41.0.dist-info/RECORD,,
+sourcecode-1.44.0.dist-info/METADATA,sha256=0xHtFeZJ0-CMPHbgVACahR0Z11bN0WooJP34TW2xA4g,32359
+sourcecode-1.44.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+sourcecode-1.44.0.dist-info/entry_points.txt,sha256=ex3F9rmbXeyDIoFQHtkEqTsKSaJow8F0LrVu8XfIktQ,57
+sourcecode-1.44.0.dist-info/licenses/LICENSE,sha256=7DdHrU9Z_3e7dSvq4ISijZNjnuHo5NIHNiHDouMQ9JU,10491
+sourcecode-1.44.0.dist-info/RECORD,,