sourcecode 1.41.0__tar.gz → 1.44.0__tar.gz

{sourcecode-1.41.0 → sourcecode-1.44.0}/.gitignore

@@ -33,4 +33,7 @@ src/*.egg-info/
 .DS_Store
 Thumbs.db
 
-.planning
+.planning
+
+# Supabase local temp
+supabase/.temp/

{sourcecode-1.41.0 → sourcecode-1.44.0}/CHANGELOG.md

@@ -1,5 +1,77 @@
 # Changelog
 
+## [1.44.0] — 2026-06-16
+
+### Fixed
+- **CH-004c — annotation-free structural classes dropped their inheritance edges.**
+  `build_repo_ir`'s fast pre-scan skips files with no recognized annotation marker,
+  emitting only minimal class-name symbols (for same-package resolution) and **no
+  relations**. A class with no annotation and no injected field of its own that
+  participates purely structurally — `class X extends Base implements I {}` — therefore
+  lost its `extends`/`implements` edges, so `implementation_graph` could not link
+  sub→supertype and impact analysis could not traverse the hierarchy. The pre-scan now
+  also keeps a file when a type declaration carries an `extends`/`implements` clause
+  (`_INHERIT_PRESCAN_RE`), routing it through full extraction so its inheritance edges
+  are built and resolved in pass 2 with the same-package map. Annotation-free leaf
+  classes with no inheritance still skip, preserving the pre-scan optimization. Closes
+  the last open layer of CH-004 (a/b shipped in 1.43.0).
+
+## [1.43.0] — 2026-06-16
+
+### Fixed
+- **CH-004a — impact graph dropped field-injection-only classes.** `build_repo_ir`'s fast
+  pre-scan skips files with no recognized annotation marker; the marker set included
+  `@Inject` but not `@Autowired`, `@Resource`, `@Qualifier`, or `@Value`. A class wired
+  purely by field injection with no class-level stereotype (e.g. an abstract base controller
+  that holds the services its concrete subclasses inherit) was skipped entirely, so its
+  `injects` edges never existed and `impact-chain` could not traverse through it. Added the
+  field/setter-injection annotations (`@Autowired`, `@Resource`, `@Qualifier`, `@Value`,
+  `@PersistenceContext`, `@PersistenceUnit`) to the pre-scan marker set.
+- **CH-004b — same-package supertypes were not FQN-resolved.** The `extends`/`implements`
+  edge builder resolved supertype names only via `import_map`, so a same-package
+  `extends Base` (which needs no Java import) produced a **bare-name** edge target. The
+  `implementation_graph` could then not link sub→supertype, making same-package class
+  hierarchies invisible to impact analysis. Supertypes are now resolved via
+  `_resolve_dep_type` (import + same-package + wildcard), matching `injects`/constructor edges.
+
+Both fixes were surfaced by a field test on BroadleafCommerce (2985-file monolith); they
+under-reported blast radius on any large repo, not just that one. See
+`docs/eval/2026-06-16-broadleaf-checkout-impact-fieldtest.md`.
+
+## [1.42.0] — 2026-06-16
+
+### Added
+- **Fase 22 — type-usage edges in `impact-chain` (CH-003).** Value/DTO/response
+  types previously had an invisible blast radius: the impact graph modelled call and
+  DI/injection edges but not how a type is wired *by type*. Two new edges close this:
+  - **`returns`** — `method → returnTypeFQN` (method-level). For a `@ResponseBody`
+    handler returning a domain type this is the only link from the type back to its
+    endpoint, so `_collect_endpoints` now surfaces that route precisely.
+  - **`instantiates`** — `class → T` for `new T(...)`, giving build-only value types
+    (commands, receipts) a visible blast radius. Controller-like classes are excluded
+    (already covered precisely by `returns`) to avoid broadening a DTO's impact to
+    every route on the controller.
+
+### Fixed
+- **Inline-annotation method parsing.** `_METHOD_DECL_RE` could not match a
+  modifier-position annotation (`public @ResponseBody Vets foo()`); the whole
+  declaration failed and the method — its endpoint *and* return type — was silently
+  dropped. Inline annotations are now consumed and folded into the method's annotation
+  set. Recovers, e.g., the `GET /vets` handler in spring-petclinic `VetController`.
+
+### Changed
+- **Safety guard for type-usage blind spots (CH-003 Part 1).** A fully empty blast
+  radius on a positively-identified plain value type (node present, `symbol_kind` in
+  class/enum/record, no stereotype annotation, role `other`, not a controller) is no
+  longer reported at `confidence: high` — it drops to `low` with a warning that an
+  empty result is not proof the type is unused. Spine symbols and incomplete-IR cases
+  keep prior behaviour. The guard now stays dormant when real type-usage edges exist.
+
+### Field test (spring-petclinic #2333)
+- `impact-chain Vets`: was `confidence: high` with 0 callers / 0 endpoints (a dangerous
+  false zero) → now `high`, caller `showResourcesVetList`, endpoint `GET /vets`.
+- `impact-chain VetController`: was 1 of 2 endpoints → both (`GET /vets` + `/vets.html`).
+
 ## [1.41.0] — 2026-06-16
 
 ### Added

{sourcecode-1.41.0 → sourcecode-1.44.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.41.0
+Version: 1.44.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.39.0-blue)
+![Version](https://img.shields.io/badge/version-1.44.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.39.0
+# sourcecode 1.44.0
 ```
 
 ---

{sourcecode-1.41.0 → sourcecode-1.44.0}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.39.0-blue)
+![Version](https://img.shields.io/badge/version-1.44.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.39.0
+# sourcecode 1.44.0
 ```
 
 ---

{sourcecode-1.41.0 → sourcecode-1.44.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.41.0"
+version = "1.44.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.41.0 → sourcecode-1.44.0}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.41.0"
+__version__ = "1.44.0"

{sourcecode-1.41.0 → sourcecode-1.44.0}/src/sourcecode/repository_ir.py

@@ -131,9 +131,22 @@ _CLASS_DECL_RE = re.compile(
     r'\s*\{',
 )
 
+# CH-004c: detect a type declaration that participates structurally via inheritance
+# (`class X extends Base` / `interface I extends A` / `class C implements I`). Used by
+# the fast pre-scan to NOT skip annotation-free files that still own extends/implements
+# edges the impact graph needs. `[^{;]*?` keeps the match within a single declaration
+# head (stops at the body `{` or a `;`), matching the precision of _CLASS_DECL_RE.
+_INHERIT_PRESCAN_RE = re.compile(
+    r'\b(?:class|interface)\s+[A-Z]\w*[^{;]*?\b(?:extends|implements)\b'
+)
+
 _METHOD_DECL_RE = re.compile(
     r'^(?P<modifiers>(?:(?:public|private|protected|static|final|synchronized'
     r'|abstract|default|native|strictfp|override)\s+)*)'
+    # Inline (modifier-position) annotations, e.g. `public @ResponseBody Vets foo()`
+    # or `@Valid`, `@Nonnull`. Without this the whole declaration fails to match and
+    # the method (its endpoint + return-type edge) is silently dropped (CH-003/Fase 22).
+    r'(?P<inline_anns>(?:@[\w.]+(?:\s*\([^)]*\))?\s+)*)'
     r'(?:<[\w,\s?]+>\s+)?'
     r'(?P<return_type>(?:void|boolean|byte|char|short|int|long|float|double|String|[\w.<>\[\]?,]+)\s+)'
     r'(?P<name>[a-z_]\w*)\s*\(',
@@ -830,6 +843,11 @@ def _extract_symbols(
                 if mname not in _JAVA_KEYWORDS:
                     fqn = f"{class_fqn}#{mname}"
                     modifiers = _parse_modifier_str(mth_m.group("modifiers") or "")
+                    # Fold modifier-position inline annotations into pending_anns so
+                    # symbol_kind / endpoint detection see them (e.g. @ResponseBody).
+                    for _inl in re.findall(r'@[\w.]+', mth_m.group("inline_anns") or ""):
+                        if _inl not in pending_anns:
+                            pending_anns.append(_inl)
                     used = _resolve_types_from_text(stripped, import_map)
                     conf = "high" if ("public" in modifiers or pending_anns) else "medium"
 
@@ -1256,7 +1274,11 @@ def _build_relations(
             # commas so each base produces its own edge and the reverse graph sees
             # every supertype (not a single mangled token).
             for base in _split_supertype_list(extends_str):
-                to = import_map.get(base, base)
+                # CH-004: resolve same-package / wildcard-imported supertypes to their
+                # FQN (not just import_map), else a same-package `extends Base` stays a
+                # bare name and the implementation_graph cannot link sub→supertype.
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -1267,7 +1289,8 @@ def _build_relations(
 
         if implements_str:
             for base in _split_supertype_list(implements_str):
-                to = import_map.get(base, base)
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -1330,6 +1353,32 @@ def _build_relations(
                     evidence={"type": "annotation", "value": ann},
                 ))
 
+    # ── Type-usage: return-type edges (CH-003 / Fase 22) ──────────────────────
+    # A method's declared return type is a real dependency edge the call/DI graph
+    # misses: for a value/DTO/response type returned (esp. @ResponseBody) by a
+    # controller handler, this is the ONLY link from the type back to its endpoint.
+    # method → returnTypeFQN, type="returns".  Resolution reuses _resolve_dep_type,
+    # so only in-repo / imported types produce edges (primitives & void are skipped).
+    _PRIMITIVE_RETURNS: frozenset[str] = frozenset({
+        "void", "boolean", "byte", "char", "short", "int", "long", "float",
+        "double", "String", "Object",
+    })
+    for sym in symbols:
+        if sym.type != "method" or not sym.return_type:
+            continue
+        _ret_base = re.sub(r'<.*', '', sym.return_type).replace("[]", "").strip()
+        if not _ret_base or _ret_base in _PRIMITIVE_RETURNS or not _ret_base[0].isupper():
+            continue
+        _ret_fqn = _resolve_dep_type(_ret_base)
+        if _ret_fqn and _ret_fqn != _enclosing_class(sym.symbol):
+            edges.append(RelationEdge(
+                from_symbol=sym.symbol,
+                to_symbol=_ret_fqn,
+                type="returns",
+                confidence="high",
+                evidence={"type": "return_type", "value": sym.return_type},
+            ))
+
     _class_syms = [s for s in symbols if s.type in ("class", "interface") and "#" not in s.symbol]
 
     # Strip comments before event scanning to prevent Javadoc examples from
@@ -1425,6 +1474,46 @@ def _build_relations(
                     evidence={"type": "signature", "value": f"{ev_label}<{event_simple}>"},
                 ))
 
+    # ── Type-usage: instantiation edges (CH-003 / Fase 22) ────────────────────
+    # `new T(...)` couples the instantiating class to T — a type-usage edge the
+    # call/DI graph misses. Attributed at class level (one primary type per file,
+    # mirroring the publishes_event scan). Controllers are EXCLUDED: their value-type
+    # coupling is already covered precisely by `returns` edges, and a class-level
+    # edge from a controller would broaden a DTO's impact to every route on that
+    # controller (false breadth). Method-level attribution is a future refinement.
+    # Controller-like = class-level @RestController/@Controller OR a class that owns
+    # any endpoint-handler method (mappings are often only method-level).
+    _classes_with_endpoints = {
+        _enclosing_class(s.symbol) for s in symbols if s.symbol_kind == "endpoint"
+    }
+    _instantiating_controllers = {
+        s.symbol for s in symbols
+        if s.type in ("class", "interface")
+        and (
+            any(a in ("@RestController", "@Controller") for a in s.annotations)
+            or s.symbol in _classes_with_endpoints
+        )
+    }
+    _non_controller_classes = [
+        s for s in _class_syms if s.symbol not in _instantiating_controllers
+    ]
+    if _non_controller_classes:
+        _inst_targets: set[str] = set()
+        for _m in re.finditer(r'\bnew\s+([A-Z]\w*)\s*[(<]', _source_no_comments):
+            _t_fqn = _resolve_dep_type(_m.group(1))
+            if _t_fqn:
+                _inst_targets.add(_t_fqn)
+        for cls_sym in _non_controller_classes:
+            for _tgt in sorted(_inst_targets):
+                if _tgt != cls_sym.symbol:
+                    edges.append(RelationEdge(
+                        from_symbol=cls_sym.symbol,
+                        to_symbol=_tgt,
+                        type="instantiates",
+                        confidence="medium",
+                        evidence={"type": "method_call", "value": f"new {_tgt.split('.')[-1]}(...)"},
+                    ))
+
     seen: set[tuple[str, str, str]] = set()
     unique: list[RelationEdge] = []
     for e in edges:
@@ -3052,6 +3141,14 @@ def build_repo_ir(
         '@RequiredArgsConstructor', '@AllArgsConstructor',
         '@Inject', '@ApplicationScoped', '@RequestScoped', '@Singleton',
         '@EnableMethodSecurity', '@EnableGlobalMethodSecurity',
+        # Field/setter injection markers (CH-004). A class wired purely by field
+        # injection — no class-level stereotype — is still a node in the DI graph:
+        # e.g. an abstract base controller that holds @Autowired/@Resource services
+        # its concrete subclasses inherit. Omitting these pre-scan-skips such classes,
+        # dropping their injects edges, so impact-chain cannot reach callers through
+        # them (Broadleaf: AbstractCheckoutController → checkout endpoints went missing).
+        '@Autowired', '@Resource', '@Qualifier', '@Value',
+        '@PersistenceContext', '@PersistenceUnit',
         # JPA / persistence (needed for stereotype detection in all commands)
         '@Entity', '@MappedSuperclass', '@Embeddable',
         # AOP / messaging / event sourcing
@@ -3098,7 +3195,8 @@ def build_repo_ir(
         _meta_chars_read += len(source)
         # Fast pre-scan: if file has no relevant annotations skip full extraction.
         # Still register package/class name for same-package resolution.
-        if not any(marker in source for marker in _effective_markers):
+        if not any(marker in source for marker in _effective_markers) \
+                and not _INHERIT_PRESCAN_RE.search(source):
             pkg_m = _PKG_RE.search(source)
             _pkg = pkg_m.group(1) if pkg_m else ""
             # Minimal class-name symbols for same-package map (no methods/fields)

{sourcecode-1.41.0 → sourcecode-1.44.0}/src/sourcecode/spring_impact.py

@@ -129,6 +129,50 @@ class ImpactChainResult:
         return d
 
 
+# ---------------------------------------------------------------------------
+# CH-003 — value/DTO type blind-spot detection
+# ---------------------------------------------------------------------------
+# The impact graph models call + DI/injection edges but not *type-usage* edges
+# (constructor instantiation `new T()`, field/local-variable type, and method
+# return type incl. @ResponseBody). For a service/repository the call+DI edges
+# cover the real blast radius; for a value/DTO/response type they cover nothing,
+# so its impact is invisible — and an all-zero result reported at confidence=high
+# reads as "globally dead" (a dangerous false negative). Until type-usage edges
+# are modelled (Fase 22 / CH-002), positively identify plain value types and
+# downgrade confidence + warn instead of asserting an empty high-confidence result.
+_STEREOTYPE_ANNOTATIONS = frozenset({
+    "@Service", "@Repository", "@Controller", "@RestController",
+    "@Component", "@Configuration", "@ControllerAdvice",
+    "@RestControllerAdvice", "@Bean",
+})
+_VALUE_TYPE_KINDS = frozenset({"class", "enum", "record"})
+
+
+def _is_unmodeled_value_type(cir, class_fqn: str, model) -> bool:
+    """True iff class_fqn is positively a plain value/DTO type whose blast radius
+    flows only through type-usage edges the impact graph does not model.
+
+    Conservative: returns False whenever the type cannot be positively confirmed
+    (node metadata absent, stereotype annotation present, recognized Spring role,
+    or controller) so spine symbols and incomplete-IR cases keep legacy behaviour.
+    """
+    graph = (getattr(cir, "_raw_ir", None) or {}).get("graph") or {}
+    node = next((n for n in (graph.get("nodes") or []) if n.get("fqn") == class_fqn), None)
+    if node is None:
+        return False  # cannot confirm — stay conservative (preserves IC-V3)
+    if (node.get("symbol_kind") or node.get("type")) not in _VALUE_TYPE_KINDS:
+        return False  # interface / annotation / bean-method etc.
+    anns = node.get("annotations") or []
+    if any(a.split("(", 1)[0] in _STEREOTYPE_ANNOTATIONS for a in anns):
+        return False  # Spring stereotype bean — spine participant
+    if (node.get("role") or "other") != "other":
+        return False  # recognized Spring role (repository/service/controller/mapper)
+    controllers = getattr(getattr(model, "endpoint_index", None), "controller_fqns", frozenset())
+    if class_fqn in controllers:
+        return False
+    return True
+
+
 # ---------------------------------------------------------------------------
 # Symbol resolution
 # ---------------------------------------------------------------------------
@@ -706,9 +750,31 @@ class ImpactOrchestrator:
             impact_findings_raw,
         )
 
+        # CH-003: empty blast radius on a positively-identified value/DTO type is a
+        # type-usage blind spot, not proof of dead code — warn + drop confidence.
+        empty_blast = (
+            not direct_callers and not indirect_callers
+            and not endpoints_affected and not subtype_classes_added
+        )
+        value_type_blind_spot = (
+            empty_blast
+            and "#" not in resolved_symbol
+            and resolution != "not_found"
+            and _is_unmodeled_value_type(cir, resolved_symbol, model)
+        )
+        if value_type_blind_spot:
+            warnings.append(
+                "Type-usage edges not modeled (CH-003): this type's blast radius flows "
+                "through instantiation (new T()), field/local types, and method return "
+                "types (incl. @ResponseBody) — edges impact-chain does not yet track. "
+                "An empty result is NOT proof the type is unused."
+            )
+
         confidence: str
         if resolution == "not_found":
             confidence = "low"
+        elif value_type_blind_spot:
+            confidence = "low"
         elif resolution == "partial" or warnings:
             confidence = "medium"
         else:

sourcecode-1.41.0/supabase/.temp/cli-latest

@@ -1 +0,0 @@
-v2.106.0