sourcecode 1.42.0__tar.gz → 1.45.0__tar.gz

{sourcecode-1.42.0 → sourcecode-1.45.0}/CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## [1.45.0] — 2026-06-16
+
+### Fixed
+- **P1 — `cache clear` hung indefinitely in non-interactive contexts (CI, MCP, pipes).**
+  Without `--yes`, the command called `click.confirm()`, which blocks reading stdin
+  forever when stdin is an open pipe that never sends EOF (exactly the CI/agent case) —
+  breaking pipelines and leaving the cache uncleared. The confirm prompt is now gated
+  behind `sys.stdin.isatty()`: interactive terminals still prompt, while non-interactive
+  runs proceed immediately (clear is idempotent; RIS stays preserved unless `--all`) and
+  print a one-line notice. Verified: old path times out on a never-EOF pipe, new path
+  returns in ~0.2s with exit 0.
+- **`--no-cache` rejected by analysis subcommands ("No such option").** The flag existed
+  only on the root analysis command, so `sourcecode endpoints --no-cache` (and `validation`,
+  `spring-audit`, `migrate-check`, `impact`, `impact-chain`) aborted with exit 2, breaking
+  scripted invocations that pass a uniform flag. These subcommands always read fresh source,
+  so `--no-cache` is now accepted as a documented no-op on each.
+- **`endpoints --limit` reported incoherent security counters.** `total` was recomputed to
+  the limited set while `no_security_signal` / `undocumented` kept their repo-wide values
+  (e.g. `total:2` next to `no_security_signal:3996`). The counters are now recomputed over
+  the filtered set; the repo-wide originals are preserved under `_filter.*_before_filter`.
+- **`validation` returned all-zeros silently when no OpenAPI spec was present.** A repo with
+  no spec (no `target/generated-sources`/spec on disk) produced an empty result with no
+  explanation, easily misread as "no validation anywhere". The result now carries an explicit
+  `openapi_spec: null` + `note` field (also echoed to stderr) clarifying that declarative DTO
+  constraints can't be recovered without a spec and that zero counts are expected, not a finding.
+
+### Notes
+- MCP orchestrator (`mcp/orchestrator.py`) gained a scoped TODO documenting three planned
+  high-value Java/Spring flow presets (`run_migrate_flow`, `run_security_audit_flow`, and an
+  R2-rule extension) — documented only, not implemented.
+
+## [1.44.0] — 2026-06-16
+
+### Fixed
+- **CH-004c — annotation-free structural classes dropped their inheritance edges.**
+  `build_repo_ir`'s fast pre-scan skips files with no recognized annotation marker,
+  emitting only minimal class-name symbols (for same-package resolution) and **no
+  relations**. A class with no annotation and no injected field of its own that
+  participates purely structurally — `class X extends Base implements I {}` — therefore
+  lost its `extends`/`implements` edges, so `implementation_graph` could not link
+  sub→supertype and impact analysis could not traverse the hierarchy. The pre-scan now
+  also keeps a file when a type declaration carries an `extends`/`implements` clause
+  (`_INHERIT_PRESCAN_RE`), routing it through full extraction so its inheritance edges
+  are built and resolved in pass 2 with the same-package map. Annotation-free leaf
+  classes with no inheritance still skip, preserving the pre-scan optimization. Closes
+  the last open layer of CH-004 (a/b shipped in 1.43.0).
+
+## [1.43.0] — 2026-06-16
+
+### Fixed
+- **CH-004a — impact graph dropped field-injection-only classes.** `build_repo_ir`'s fast
+  pre-scan skips files with no recognized annotation marker; the marker set included
+  `@Inject` but not `@Autowired`, `@Resource`, `@Qualifier`, or `@Value`. A class wired
+  purely by field injection with no class-level stereotype (e.g. an abstract base controller
+  that holds the services its concrete subclasses inherit) was skipped entirely, so its
+  `injects` edges never existed and `impact-chain` could not traverse through it. Added the
+  field/setter-injection annotations (`@Autowired`, `@Resource`, `@Qualifier`, `@Value`,
+  `@PersistenceContext`, `@PersistenceUnit`) to the pre-scan marker set.
+- **CH-004b — same-package supertypes were not FQN-resolved.** The `extends`/`implements`
+  edge builder resolved supertype names only via `import_map`, so a same-package
+  `extends Base` (which needs no Java import) produced a **bare-name** edge target. The
+  `implementation_graph` could then not link sub→supertype, making same-package class
+  hierarchies invisible to impact analysis. Supertypes are now resolved via
+  `_resolve_dep_type` (import + same-package + wildcard), matching `injects`/constructor edges.
+
+Both fixes were surfaced by a field test on BroadleafCommerce (2985-file monolith); they
+under-reported blast radius on any large repo, not just that one. See
+`docs/eval/2026-06-16-broadleaf-checkout-impact-fieldtest.md`.
+
 ## [1.42.0] — 2026-06-16
 
 ### Added

{sourcecode-1.42.0 → sourcecode-1.45.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.42.0
+Version: 1.45.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.39.0-blue)
+![Version](https://img.shields.io/badge/version-1.45.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.39.0
+# sourcecode 1.44.0
 ```
 
 ---

{sourcecode-1.42.0 → sourcecode-1.45.0}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.39.0-blue)
+![Version](https://img.shields.io/badge/version-1.45.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.39.0
+# sourcecode 1.44.0
 ```
 
 ---

{sourcecode-1.42.0 → sourcecode-1.45.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.42.0"
+version = "1.45.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.42.0 → sourcecode-1.45.0}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.42.0"
+__version__ = "1.45.0"

{sourcecode-1.42.0 → sourcecode-1.45.0}/src/sourcecode/cli.py

@@ -3685,6 +3685,10 @@ def impact_cmd(
         "-c",
         help="Copy output to system clipboard after a successful run. No-op when --output is used or clipboard is unavailable.",
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Blast-radius analysis: who calls this class and what breaks if it changes?
 
@@ -3836,6 +3840,10 @@ def endpoints_cmd(
         None, "--limit", "-n",
         help="Maximum number of endpoints to return.",
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Extract REST API endpoint surface from Java source files.
 
@@ -3899,13 +3907,26 @@ def endpoints_cmd(
     if limit is not None and limit > 0:
         endpoints_list = endpoints_list[:limit]
     if path_prefix or controller or limit is not None:
+        # Preserve the repo-wide aggregates before overwriting them with the
+        # filtered counts, so a --limit/--filter request stays internally
+        # coherent (total must match the security counters it is reported with).
+        _no_sec_before = data.get("no_security_signal")
+        _undoc_before = data.get("undocumented")
+        _no_sec_after = sum(
+            1 for e in endpoints_list
+            if e.get("security", {}).get("policy") == "none_detected"
+        )
         data["endpoints"] = endpoints_list
         data["total"] = len(endpoints_list)
+        data["no_security_signal"] = _no_sec_after
+        data["undocumented"] = _no_sec_after
         data["_filter"] = {
             "path_prefix": path_prefix,
             "controller": controller,
             "limit": limit,
             "total_before_filter": _total_before,
+            "no_security_signal_before_filter": _no_sec_before,
+            "undocumented_before_filter": _undoc_before,
         }
 
     output = _serialize_dict(data, format)
@@ -3948,6 +3969,10 @@ def validation_cmd(
         False, "--gaps-only",
         help="Report only endpoints/fields with no declared validation (the gaps section).",
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Map request-body validation per endpoint (constraints + custom validators).
 
@@ -3997,14 +4022,21 @@ def validation_cmd(
             g for g in data.get("gaps", [])
             if str(g.get("path", "")).startswith(path_prefix)
         ]
+    _note = data.get("note")
     if gaps_only:
         data = {
             "gaps": data.get("gaps", []),
             "summary": data.get("summary", {}),
         }
+        if _note:
+            data["note"] = _note
 
     output = _serialize_dict(data, format)
     _summary = data.get("summary", {})
+    # Human-facing heads-up when the result is empty purely because no OpenAPI
+    # spec was found — otherwise the all-zero JSON reads as a false negative.
+    if _note:
+        typer.echo(f"Note: {_note}", err=True)
     _emit_command_output(
         output, output_path, copy,
         success_msg=f"Validation surface written to {output_path} "
@@ -4133,6 +4165,10 @@ def spring_audit_cmd(
         "--ci/--no-ci",
         help="Exit with code 1 if any findings at or above --min-severity are found. For CI/CD gates.",
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Spring semantic audit: TX anomalies (TX-001..005) + security surface (SEC-001..003).
 
@@ -4315,6 +4351,10 @@ def migrate_check_cmd(
         help="Minimum severity to include: critical, high, medium, or low (default).",
         show_default=True,
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Spring Boot 2→3 migration readiness: detect javax→jakarta namespace blockers.
 
@@ -4423,6 +4463,10 @@ def impact_chain_cmd(
         help="Query type: impact (default) or events.",
         show_default=True,
     ),
+    no_cache: bool = typer.Option(
+        False, "--no-cache",
+        help="Accepted for compatibility; this command always reads fresh source (no snapshot cache). No-op.",
+    ),
 ) -> None:
     """Spring impact-chain: systemic blast radius of a symbol with TX/SEC enrichment.
 
@@ -6135,8 +6179,19 @@ def cache_clear_cmd(
     _clear_ris = include_ris or all_
     if not yes:
         _ris_note = " (including RIS)" if _clear_ris else " (RIS preserved — use --all to also clear it)"
-        import click as _click
-        _click.confirm(f"Delete all cache files for {target}{_ris_note}?", abort=True, err=True)
+        # P1: never block on stdin in a non-interactive context (CI, MCP, pipes).
+        # The interactive prompt is only meaningful on a TTY; elsewhere it would
+        # hang indefinitely waiting for input. Treat non-interactive as confirmed
+        # (clear is idempotent cleanup; RIS is preserved unless --all is passed).
+        if sys.stdin.isatty():
+            import click as _click
+            _click.confirm(f"Delete all cache files for {target}{_ris_note}?", abort=True, err=True)
+        else:
+            typer.echo(
+                f"Non-interactive: clearing cache for {target}{_ris_note}. "
+                "Pass --yes to silence this notice.",
+                err=True,
+            )
     removed = _cm.clear(target, clear_ris=_clear_ris)
     typer.echo(f"Removed {removed} file(s).", err=True)
 

{sourcecode-1.42.0 → sourcecode-1.45.0}/src/sourcecode/mcp/orchestrator.py

@@ -6,6 +6,29 @@ Converts the MCP from a flat tool collection into a guided agent operating syste
 - run_pr_review_flow: auto-chains delta + review_pr + blast radius
 - run_bug_investigation_flow: auto-chains fix_bug + impact + IR context
 - run_feature_flow: auto-chains context + endpoints + delta + structural awareness
+
+TODO — planned high-value Java/Spring flow presets (audit 2026-06-16, repo SAINT):
+  These extend the existing orchestrator; they are NOT yet implemented.
+
+  1. TODO: implement later — run_migrate_flow
+     Preset wrapping `migrate-check`. Primary high-value entry point for
+     Spring Boot 2→3 planning (audit: produces 1,356-file prioritized
+     inventory in ~6s — the strongest determinante win). Should surface
+     readiness_score, blocking count, per-target breakdown (jakarta /
+     spring_security_6 / java_11) and estimated_effort_days.
+
+  2. TODO: implement later — run_security_audit_flow
+     Preset wrapping `spring-audit` + `endpoints`. Auto-handle the
+     config-less case: when no sourcecode.config.json is present and the
+     repo carries custom security annotations, emit a fallback WARNING +
+     hint to add sourcecode.config.json (customAnnotations) rather than
+     returning a misleading 100% none_detected result.
+
+  3. TODO: implement later — extend R2 orchestration rule (apply_orchestration_rules)
+     Inject preset (1)/(2) when detected intent maps to migration or
+     security audit, mirroring the existing R2 java_no_endpoints rule.
+     Requires new INTENT_MIGRATION / INTENT_SECURITY_AUDIT constants +
+     _INTENT_PATTERNS entries + WORKFLOW_SEQUENCES / FLOW_RUNNERS wiring.
 """
 from __future__ import annotations
 

{sourcecode-1.42.0 → sourcecode-1.45.0}/src/sourcecode/repository_ir.py

@@ -131,6 +131,15 @@ _CLASS_DECL_RE = re.compile(
     r'\s*\{',
 )
 
+# CH-004c: detect a type declaration that participates structurally via inheritance
+# (`class X extends Base` / `interface I extends A` / `class C implements I`). Used by
+# the fast pre-scan to NOT skip annotation-free files that still own extends/implements
+# edges the impact graph needs. `[^{;]*?` keeps the match within a single declaration
+# head (stops at the body `{` or a `;`), matching the precision of _CLASS_DECL_RE.
+_INHERIT_PRESCAN_RE = re.compile(
+    r'\b(?:class|interface)\s+[A-Z]\w*[^{;]*?\b(?:extends|implements)\b'
+)
+
 _METHOD_DECL_RE = re.compile(
     r'^(?P<modifiers>(?:(?:public|private|protected|static|final|synchronized'
     r'|abstract|default|native|strictfp|override)\s+)*)'
@@ -1265,7 +1274,11 @@ def _build_relations(
             # commas so each base produces its own edge and the reverse graph sees
             # every supertype (not a single mangled token).
             for base in _split_supertype_list(extends_str):
-                to = import_map.get(base, base)
+                # CH-004: resolve same-package / wildcard-imported supertypes to their
+                # FQN (not just import_map), else a same-package `extends Base` stays a
+                # bare name and the implementation_graph cannot link sub→supertype.
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -1276,7 +1289,8 @@ def _build_relations(
 
         if implements_str:
             for base in _split_supertype_list(implements_str):
-                to = import_map.get(base, base)
+                _sbase = re.sub(r'<.*', '', base).strip()
+                to = _resolve_dep_type(_sbase) or import_map.get(_sbase, base)
                 edges.append(RelationEdge(
                     from_symbol=class_fqn,
                     to_symbol=to,
@@ -3127,6 +3141,14 @@ def build_repo_ir(
         '@RequiredArgsConstructor', '@AllArgsConstructor',
         '@Inject', '@ApplicationScoped', '@RequestScoped', '@Singleton',
         '@EnableMethodSecurity', '@EnableGlobalMethodSecurity',
+        # Field/setter injection markers (CH-004). A class wired purely by field
+        # injection — no class-level stereotype — is still a node in the DI graph:
+        # e.g. an abstract base controller that holds @Autowired/@Resource services
+        # its concrete subclasses inherit. Omitting these pre-scan-skips such classes,
+        # dropping their injects edges, so impact-chain cannot reach callers through
+        # them (Broadleaf: AbstractCheckoutController → checkout endpoints went missing).
+        '@Autowired', '@Resource', '@Qualifier', '@Value',
+        '@PersistenceContext', '@PersistenceUnit',
         # JPA / persistence (needed for stereotype detection in all commands)
         '@Entity', '@MappedSuperclass', '@Embeddable',
         # AOP / messaging / event sourcing
@@ -3173,7 +3195,8 @@ def build_repo_ir(
         _meta_chars_read += len(source)
         # Fast pre-scan: if file has no relevant annotations skip full extraction.
         # Still register package/class name for same-package resolution.
-        if not any(marker in source for marker in _effective_markers):
+        if not any(marker in source for marker in _effective_markers) \
+                and not _INHERIT_PRESCAN_RE.search(source):
             pkg_m = _PKG_RE.search(source)
             _pkg = pkg_m.group(1) if pkg_m else ""
             # Minimal class-name symbols for same-package map (no methods/fields)

{sourcecode-1.42.0 → sourcecode-1.45.0}/src/sourcecode/validation_surface.py

@@ -302,4 +302,19 @@ def build_validation_surface(
     spec_path = endpoints_data.get("openapi_spec")
     if spec_path:
         result["openapi_spec"] = spec_path
+    else:
+        # No OpenAPI spec on disk / under target/generated-sources. Declarative
+        # DTO constraints cannot be recovered, so a sea of zeros here is expected
+        # and NOT a sign the repo lacks validation — it just isn't OpenAPI-driven.
+        # Surface this explicitly so the result is not silently misread as
+        # "no validation anywhere".
+        result["openapi_spec"] = None
+        result["note"] = (
+            "No OpenAPI spec found (no spec on disk or under "
+            "target/generated-sources). Declarative DTO constraints cannot be "
+            "recovered; only source-declared custom validators are reported. "
+            "Body-endpoint and validated-field counts will read zero unless an "
+            "OpenAPI spec is present — this is expected, not a missing-validation "
+            "finding."
+        )
     return result