sourcecode 1.45.0__tar.gz → 1.50.0__tar.gz

{sourcecode-1.45.0 → sourcecode-1.50.0}/CHANGELOG.md

@@ -1,5 +1,121 @@
 # Changelog
 
+## [1.50.0] — 2026-06-17
+
+### Fixed
+- **F-1 — `impact-chain` confidence no longer capped at `medium` by informational
+  warnings.** Confidence was computed as `medium` whenever *any* warning was present, but
+  the CH-001a/b interface↔implementation expansion notices ("Interface implementation
+  expansion: added N symbols…") are appended on every Spring interface/impl query — the
+  overwhelmingly common case — so a clean exact/`class_expanded` resolution could never
+  report `high`. The signal was meaningless: `medium` meant "normal", not "degraded".
+
+  Fix: track a `confidence_reducing` flag set only by genuinely degrading conditions
+  (hub-guard capped traversal); informational expansion notices no longer affect
+  confidence. `partial` resolution and blind-spot guards (CH-003/CH-005) still degrade as
+  before. Verified on shopizer: `impact-chain ProductService` now reports `confidence:high`
+  (was `medium`) while still surfacing the expansion notice. 2 regression tests
+  (`TestConfidenceNotCappedByInfoWarnings`): expansion warning keeps `high`, hub-guard
+  truncation still caps to `medium`.
+
+  Closes the v1.47.0 field-benchmark backlog (F-3 → CH-006 v1.48.0, F-2 → v1.49.0,
+  F-1 → this release).
+
+## [1.49.0] — 2026-06-17
+
+### Added
+- **F-2 — honest WebFlux / functional-routing signal in `endpoints`.** The endpoint
+  surface models annotation-based routing (`@RequestMapping`/`@GetMapping`, JAX-RS) only.
+  Routes registered via the functional DSL (`route().GET("/path", handler)` /
+  `RouterFunction` / `CustomEndpoint`) were silently invisible — the v1.47.0 field
+  benchmark found `endpoints` returned **0** for all of halo (a reactive app with 168
+  functional registrations across 51 files), which an agent could misread as "this app
+  exposes no endpoints". `endpoints` now detects functional routing and reports a
+  `functional_routing` block (`files`, `route_registrations`, `modeled: false`) plus a
+  warning; when the annotation surface is empty but functional routes exist, the warning
+  explicitly says not to read it as "no endpoints".
+
+  Deliberately does **not** synthesize endpoint entries: the literal DSL paths are
+  relative (real paths depend on `nest()`/group-version prefixes unresolvable statically),
+  and emitting partial paths would mislead more than an empty surface (same false-positive
+  hazard CH-006 just removed). Full functional-route modeling is a separate effort.
+  Validated: halo → 168 registrations surfaced; shopizer (annotation MVC) → no false
+  trigger, 286 endpoints unchanged. 3 regression tests
+  (`test_functional_routing_surface.py`).
+
+## [1.48.0] — 2026-06-17
+
+### Fixed
+- **CH-006 — hub-interface caller over-expansion (false-positive callers) in
+  `impact-chain`.** `implements` and `extends` are structural type declarations, not
+  calls, but they were being traversed in the caller BFS. The reverse edge on an
+  interface/base lists its implementors/subclasses, so querying a class that implements a
+  high-fanout in-repo interface attributed **every sibling implementor** as a "direct
+  caller". Found in the v1.47.0 field benchmark: `impact-chain ThumbnailEndpoint` on halo
+  reported 42 direct callers — the other 42 `CustomEndpoint` implementors, none of which
+  call it — inflating a leaf endpoint to `risk:high`. The shopizer monolith had the same
+  pattern via its shared `Mapper<E,D>` base (45 phantom mapper callers on `ProductService`).
+
+  Fix: add `implements`/`extends` to the BFS edge-skip set. This is loss-free — the wanted
+  interface→implementation expansion (CH-001a/b) flows through `ImplementationGraph`
+  indices, not these reverse-graph edges, and real callers travel `injects`/`calls` edges.
+  Verified on both repos: halo `ThumbnailEndpoint` 42→0 false callers (`risk:high`→`low`);
+  shopizer `ProductService` real callers preserved (32 direct unchanged) while 45 phantom
+  `Mapper` callers — confirmed to have zero references to the queried symbol — were dropped.
+  2 regression tests (`TestHubInterfaceOverExpansion`): sibling implementors excluded, real
+  `injects` caller through a shared interface preserved.
+
+  Complements CH-005: that guard handles *external* supertypes (under-reporting); CH-006
+  handles *in-repo high-fanout* supertypes (over-reporting). False positives are worse than
+  an empty result — they actively misdirect a change — so this is the higher-leverage half.
+
+## [1.47.0] — 2026-06-17
+
+### Added
+- **CH-005 — framework/external-interface DI blind-spot detection in `impact-chain`.**
+  When a queried class has an empty blast radius *and* implements/extends an external
+  framework supertype (one the in-repo `ImplementationGraph` deliberately drops — e.g.
+  Spring Security's `RedirectStrategy`, a servlet `Filter`), `impact-chain` now positively
+  detects it instead of silently reporting `0 callers / risk:low` at `confidence=high`.
+  Such classes are wired by framework DI/config and invoked polymorphically through the
+  external type, so no in-repo edge names their methods — the empty result is an
+  unmodeled-edge blind spot, not proof of dead code. The query now:
+  - drops `confidence` to `low`,
+  - exposes `metadata.blind_spots` (`framework_di`) and `metadata.external_supertypes`,
+  - emits a `CH-005` warning pointing the agent to search DI/security/config wiring for
+    the supertype to recover the real callers.
+
+  Inert marker interfaces (`Serializable`, `Cloneable`, `Externalizable`) are excluded —
+  they carry no methods, so no polymorphic dispatch and no hidden blast radius.
+
+  This converts a dangerous false negative ("looks safe to change") into an honest "look
+  further" signal. It does **not** recover the real callers (they flow through framework
+  wiring the static call-graph never traverses); that is a separate, larger effort.
+  Mirrors the existing CH-003 value-type guard. Validated end-to-end on BroadleafCommerce
+  (`LocalRedirectStrategy` → flagged; `FieldDaoImpl` with 16 real callers → not flagged).
+
+## [1.46.0] — 2026-06-16
+
+### Added
+- **Two Java/Spring agent flow presets in the MCP orchestrator.** These wrap existing
+  tools into one-call, intent-routed flows so an agent can describe a task in natural
+  language and get the right sequence without reading docs:
+  - `run_migrate_flow` — wraps `migrate-check` for Spring Boot 2→3 planning and lifts a
+    top-level `headline` (`readiness_score`, `blocking_count`, `estimated_effort_days`,
+    `by_severity`, `by_target`) so the agent need not parse the full report.
+  - `run_security_audit_flow` — wraps `spring-audit` + `endpoints`. **Config-less
+    safeguard:** when no `sourcecode.config.json` is present and every endpoint reads
+    `none_detected`, the flow flags a likely custom-annotation blind spot
+    (`quality_warnings`) and returns a ready-to-paste `security_config_hint`, instead of
+    letting a misleading 100%-unsecured surface stand (prevents a false negative).
+- **Intent routing for migration and security audit.** New `INTENT_MIGRATION` /
+  `INTENT_SECURITY_AUDIT` detection plus orchestration rules R5 (migration → lead with
+  `get_migration_readiness`) and R6 (security audit → `get_endpoints` first, mirroring R2)
+  route `start_session` / `analyze_task` to the new presets.
+
+  Note: these presets add no new analysis — they are orchestration ergonomics over tools
+  that were already callable directly. The standout value is the config-less safeguard.
+
 ## [1.45.0] — 2026-06-16
 
 ### Fixed

{sourcecode-1.45.0 → sourcecode-1.50.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.45.0
+Version: 1.50.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.45.0-blue)
+![Version](https://img.shields.io/badge/version-1.50.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -368,6 +368,8 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+**Functional / WebFlux routing (honest limitation).** Routes registered via the functional DSL — `route().GET("/path", handler)` / `RouterFunction` / `CustomEndpoint`, common in reactive Spring apps — are **not** modeled (their real paths depend on `nest()`/group-version prefixes that can't be resolved statically). Rather than emit partial paths that would mislead, the output reports a `functional_routing` block (`files`, `route_registrations`, `modeled: false`) plus a warning. When the annotation surface is empty but functional routes exist, the warning explicitly tells you not to read it as "no endpoints". Annotation-based (MVC/JAX-RS) repos are unaffected.
+
 **Custom security annotations.** Enterprise repos often guard endpoints with a bespoke annotation instead of `@PreAuthorize`/`@Secured`. Drop a `sourcecode.config.json` at the repo root to teach the scanner about it — otherwise those endpoints report `policy: "none_detected"`:
 
 ```json
@@ -435,6 +437,12 @@ Unlike `impact` (which traces the caller graph), `impact-chain` builds on the Sp
 | `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
 | `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
 | `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+| `confidence` | `high` \| `medium` \| `low` — `low` on a detected blind spot, `medium` on partial resolution or capped traversal. Informational interface↔impl expansion notices do **not** lower it, so a clean resolved query stays `high`. |
+| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code |
+
+**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) are excluded.
+
+**Caller precision (CH-006).** `implements`/`extends` are structural type declarations, not calls — so they are excluded from the caller graph. Querying a class that implements a high-fanout interface (e.g. a 40-implementor `CustomEndpoint` or a shared `Mapper<E,D>` base) does **not** report its sibling implementors as callers; only real `injects`/`calls` edges count. This prevents a leaf class from being inflated to a large false blast radius.
 
 **Event topology** — query the publisher/consumer graph for a Spring event class:
 

{sourcecode-1.45.0 → sourcecode-1.50.0}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.45.0-blue)
+![Version](https://img.shields.io/badge/version-1.50.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -330,6 +330,8 @@ sourcecode endpoints /path/to/repo --output endpoints.json
 
 Extracts all Spring MVC (`@GetMapping`, `@PostMapping`, `@RequestMapping`, etc.) and JAX-RS (`@GET`, `@POST`, `@Path`) endpoint methods. Returns HTTP method, path, controller class, and handler method.
 
+**Functional / WebFlux routing (honest limitation).** Routes registered via the functional DSL — `route().GET("/path", handler)` / `RouterFunction` / `CustomEndpoint`, common in reactive Spring apps — are **not** modeled (their real paths depend on `nest()`/group-version prefixes that can't be resolved statically). Rather than emit partial paths that would mislead, the output reports a `functional_routing` block (`files`, `route_registrations`, `modeled: false`) plus a warning. When the annotation surface is empty but functional routes exist, the warning explicitly tells you not to read it as "no endpoints". Annotation-based (MVC/JAX-RS) repos are unaffected.
+
 **Custom security annotations.** Enterprise repos often guard endpoints with a bespoke annotation instead of `@PreAuthorize`/`@Secured`. Drop a `sourcecode.config.json` at the repo root to teach the scanner about it — otherwise those endpoints report `policy: "none_detected"`:
 
 ```json
@@ -397,6 +399,12 @@ Unlike `impact` (which traces the caller graph), `impact-chain` builds on the Sp
 | `security_surfaces` | Per-endpoint security policy + SEC finding IDs |
 | `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
 | `risk_level` | `critical` \| `high` \| `medium` \| `low` |
+| `confidence` | `high` \| `medium` \| `low` — `low` on a detected blind spot, `medium` on partial resolution or capped traversal. Informational interface↔impl expansion notices do **not** lower it, so a clean resolved query stays `high`. |
+| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code |
+
+**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) are excluded.
+
+**Caller precision (CH-006).** `implements`/`extends` are structural type declarations, not calls — so they are excluded from the caller graph. Querying a class that implements a high-fanout interface (e.g. a 40-implementor `CustomEndpoint` or a shared `Mapper<E,D>` base) does **not** report its sibling implementors as callers; only real `injects`/`calls` edges count. This prevents a leaf class from being inflated to a large false blast radius.
 
 **Event topology** — query the publisher/consumer graph for a Spring event class:
 

{sourcecode-1.45.0 → sourcecode-1.50.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.45.0"
+version = "1.50.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.45.0 → sourcecode-1.50.0}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.45.0"
+__version__ = "1.50.0"

{sourcecode-1.45.0 → sourcecode-1.50.0}/src/sourcecode/mcp/orchestrator.py

@@ -6,29 +6,20 @@ Converts the MCP from a flat tool collection into a guided agent operating syste
 - run_pr_review_flow: auto-chains delta + review_pr + blast radius
 - run_bug_investigation_flow: auto-chains fix_bug + impact + IR context
 - run_feature_flow: auto-chains context + endpoints + delta + structural awareness
-
-TODO — planned high-value Java/Spring flow presets (audit 2026-06-16, repo SAINT):
-  These extend the existing orchestrator; they are NOT yet implemented.
-
-  1. TODO: implement later — run_migrate_flow
-     Preset wrapping `migrate-check`. Primary high-value entry point for
-     Spring Boot 2→3 planning (audit: produces 1,356-file prioritized
-     inventory in ~6s — the strongest determinante win). Should surface
-     readiness_score, blocking count, per-target breakdown (jakarta /
-     spring_security_6 / java_11) and estimated_effort_days.
-
-  2. TODO: implement later — run_security_audit_flow
-     Preset wrapping `spring-audit` + `endpoints`. Auto-handle the
-     config-less case: when no sourcecode.config.json is present and the
-     repo carries custom security annotations, emit a fallback WARNING +
-     hint to add sourcecode.config.json (customAnnotations) rather than
-     returning a misleading 100% none_detected result.
-
-  3. TODO: implement later — extend R2 orchestration rule (apply_orchestration_rules)
-     Inject preset (1)/(2) when detected intent maps to migration or
-     security audit, mirroring the existing R2 java_no_endpoints rule.
-     Requires new INTENT_MIGRATION / INTENT_SECURITY_AUDIT constants +
-     _INTENT_PATTERNS entries + WORKFLOW_SEQUENCES / FLOW_RUNNERS wiring.
+- run_migrate_flow: wraps migrate-check; Spring Boot 2→3 readiness in one call
+- run_security_audit_flow: wraps spring-audit + endpoints; config-less blind-spot warning
+
+High-value Java/Spring flow presets (audit 2026-06-16, repo SAINT) — implemented:
+  1. run_migrate_flow — preset over `migrate-check`, the primary entry point for
+     Spring Boot 2→3 planning. Lifts readiness_score, blocking_count,
+     estimated_effort_days and the per-target breakdown to a top-level headline.
+  2. run_security_audit_flow — preset over `spring-audit` + `endpoints`. Detects the
+     config-less case (no sourcecode.config.json + every endpoint none_detected) and
+     emits a warning plus a ready-to-paste config hint instead of a misleading 100%
+     unsecured surface.
+  3. apply_orchestration_rules R5/R6 — inject these presets when the detected intent
+     maps to migration (INTENT_MIGRATION) or security audit (INTENT_SECURITY_AUDIT),
+     mirroring the existing R2 java_no_endpoints rule.
 """
 from __future__ import annotations
 
@@ -55,6 +46,8 @@ SESSION_READY_FOR_REVIEW = "READY_FOR_REVIEW"  # flow complete
 # ---------------------------------------------------------------------------
 
 INTENT_PR_REVIEW = "pr_review"
+INTENT_MIGRATION = "migration"
+INTENT_SECURITY_AUDIT = "security_audit"
 INTENT_BUG_INVESTIGATION = "bug_investigation"
 INTENT_FEATURE_IMPLEMENTATION = "feature_implementation"
 INTENT_REFACTOR = "refactor"
@@ -67,6 +60,8 @@ INTENT_ORIENTATION = "orientation"
 
 WORKFLOW_SEQUENCES: dict[str, list[str]] = {
     INTENT_PR_REVIEW: ["get_delta", "review_pr_context", "get_impact_context"],
+    INTENT_MIGRATION: ["get_migration_readiness"],
+    INTENT_SECURITY_AUDIT: ["get_spring_audit", "get_endpoints"],
     INTENT_BUG_INVESTIGATION: ["fix_bug_context", "get_impact_context"],
     INTENT_FEATURE_IMPLEMENTATION: ["get_compact_context", "get_endpoints", "get_delta"],
     INTENT_REFACTOR: ["get_agent_context", "modernize_context", "get_ir_summary"],
@@ -76,6 +71,8 @@ WORKFLOW_SEQUENCES: dict[str, list[str]] = {
 
 WORKFLOW_DESCRIPTIONS: dict[str, str] = {
     INTENT_PR_REVIEW: "PR review: delta → execution paths → blast radius of changed classes",
+    INTENT_MIGRATION: "Spring Boot 2→3 migration: readiness score → javax→jakarta blockers → effort estimate",
+    INTENT_SECURITY_AUDIT: "Security audit: Spring TX/security findings → endpoint authorization surface",
     INTENT_BUG_INVESTIGATION: "Bug investigation: risk-ranked files → impact of suspect class",
     INTENT_FEATURE_IMPLEMENTATION: "Feature implementation: context → API surface → recent changes",
     INTENT_REFACTOR: "Refactor: deep context → modernization opportunities → IR coupling",
@@ -85,6 +82,8 @@ WORKFLOW_DESCRIPTIONS: dict[str, str] = {
 
 FLOW_RUNNERS: dict[str, str] = {
     INTENT_PR_REVIEW: "run_pr_review_flow",
+    INTENT_MIGRATION: "run_migrate_flow",
+    INTENT_SECURITY_AUDIT: "run_security_audit_flow",
     INTENT_BUG_INVESTIGATION: "run_bug_investigation_flow",
     INTENT_FEATURE_IMPLEMENTATION: "run_feature_flow",
     INTENT_REFACTOR: "run_feature_flow",
@@ -101,6 +100,16 @@ _INTENT_PATTERNS: list[tuple[str, list[str]]] = [
         r"\bpr\b", r"pull request", r"review pr", r"\bdiff\b", r"merge request",
         r"code review", r"changes in branch", r"review.*branch", r"branch.*review",
     ]),
+    (INTENT_MIGRATION, [
+        r"\bmigrat", r"spring.?boot.?[23]", r"spring boot 2.*3", r"boot 2.*3",
+        r"\bjakarta\b", r"\bjavax\b", r"javax.*jakarta", r"namespace.*(migrat|change)",
+        r"2\s*(?:->|to|→|–|—)\s*3", r"\bupgrade\b.*(spring|boot|jakarta|java)",
+    ]),
+    (INTENT_SECURITY_AUDIT, [
+        r"security audit", r"audit.*security", r"security.*surface",
+        r"\bauthoriz", r"\bpreauthorize\b", r"\bsecured\b", r"access control",
+        r"who can (?:call|access)", r"endpoint.*(secur|auth)", r"(secur|auth).*endpoint",
+    ]),
     (INTENT_BUG_INVESTIGATION, [
         r"\bbug\b", r"\berror\b", r"\bexception\b", r"\bcrash\b", r"\bnpe\b",
         r"\bfix\b", r"\bbroken\b", r"\bfail(s|ing)?\b", r"stack.?trace",
@@ -168,6 +177,9 @@ def apply_orchestration_rules(
       R2 java_no_endpoints → prepend get_endpoints (api_surface must exist first)
       R3 large_repo (>1000) → note RIS path preferred (informational, no seq change)
       R4 no_symptom_bug_flow → quality warning issued by caller (not a seq change)
+      R5 migration_intent (Java) → ensure get_migration_readiness leads the sequence
+      R6 security_audit_intent (Java) → ensure get_endpoints precedes the audit so the
+         authorization surface is available when findings are interpreted
     """
     seq = list(sequence)
     rules: list[str] = []
@@ -186,6 +198,17 @@ def apply_orchestration_rules(
     if repo_class_count > 1000:
         rules.append("R3:large_repo→RIS_path_preferred")
 
+    # R5: migration intent on a Java repo → migration readiness is the entry point.
+    if intent == INTENT_MIGRATION and is_java and "get_migration_readiness" not in seq:
+        seq.insert(0, "get_migration_readiness")
+        rules.append("R5:migration_intent→prepend_migration_readiness")
+
+    # R6: security-audit intent on a Java repo → endpoints surface must precede the
+    # audit (mirrors R2: the authorization surface has to exist first).
+    if intent == INTENT_SECURITY_AUDIT and is_java and "get_endpoints" not in seq:
+        seq.insert(0, "get_endpoints")
+        rules.append("R6:security_audit_intent→prepend_get_endpoints")
+
     return seq, rules
 
 
@@ -729,3 +752,166 @@ def run_feature_flow_impl(repo_path: str, feature_description: str = "") -> dict
             "tools_suggested_to_agent": 0,
         },
     }
+
+
+# ---------------------------------------------------------------------------
+# Flow: Spring Boot 2→3 Migration
+# ---------------------------------------------------------------------------
+
+def run_migrate_flow_impl(repo_path: str, min_severity: str = "low") -> dict[str, Any]:
+    """Migration Flow: Spring Boot 2→3 readiness in one call.
+
+    Primary high-value entry point for migration planning. Wraps ``migrate-check``
+    and lifts the headline numbers (readiness_score, blocking_count,
+    estimated_effort_days, per-target breakdown) to the top level so the agent
+    can plan a 2→3 upgrade without parsing the full report.
+    """
+    t0 = time.monotonic()
+    steps: list[str] = []
+    quality_warnings: list[str] = []
+    output: dict[str, Any] = {}
+
+    if not _is_java_repo(repo_path):
+        quality_warnings.append(
+            "not_a_java_repo: migration analysis targets Spring Boot / Java repos. "
+            "Result will be empty (readiness_score=100, no findings)."
+        )
+
+    report = _exec(["migrate-check", repo_path, "--min-severity", min_severity])
+    steps.append(f"get_migration_readiness(min_severity={min_severity})")
+    headline: dict[str, Any] = {}
+    if "_exec_error" not in report:
+        output["migration_readiness"] = report
+        # Lift the planning-relevant headline numbers to the top level.
+        for key in (
+            "readiness_score", "blocking_count", "estimated_effort_days",
+            "spring_boot_2_detected",
+        ):
+            if key in report:
+                headline[key] = report[key]
+        _summary = report.get("summary", {})
+        if isinstance(_summary, dict):
+            headline["total_findings"] = _summary.get("total_findings")
+            headline["affected_files"] = _summary.get("affected_files")
+            headline["by_severity"] = _summary.get("by_severity")
+            headline["by_target"] = _summary.get("by_target") or _summary.get("by_rule")
+    else:
+        quality_warnings.append(f"migrate_check_failed: {report['_exec_error']}")
+
+    ttfca_ms = int((time.monotonic() - t0) * 1000)
+
+    return {
+        "session_state": SESSION_READY_FOR_REVIEW,
+        "flow": "migration",
+        "min_severity": min_severity,
+        "headline": headline,
+        "steps_executed": steps,
+        "quality_warnings": quality_warnings,
+        "consolidated_output": output,
+        "session_meta": {
+            "ttfca_ms": ttfca_ms,
+            "steps_auto_executed": len(steps),
+            "tools_suggested_to_agent": 0,
+        },
+    }
+
+
+# ---------------------------------------------------------------------------
+# Flow: Security Audit
+# ---------------------------------------------------------------------------
+
+def _endpoint_security_coverage(endpoints: dict[str, Any]) -> tuple[int, int]:
+    """Return (total_endpoints, none_detected) from an endpoints result."""
+    if "_exec_error" in endpoints:
+        return 0, 0
+    data = endpoints.get("data", endpoints) if isinstance(endpoints, dict) else {}
+    total = int(data.get("total", 0) or 0)
+    none_detected = int(data.get("no_security_signal", 0) or 0)
+    return total, none_detected
+
+
+def run_security_audit_flow_impl(repo_path: str, scope: str = "all") -> dict[str, Any]:
+    """Security Audit Flow: Spring findings + endpoint authorization surface.
+
+    Wraps ``spring-audit`` (TX + security findings) and ``endpoints`` (authorization
+    surface) in one call. Auto-handles the config-less case: when no
+    ``sourcecode.config.json`` is present and every endpoint reads as
+    ``none_detected``, the all-zero security surface is almost certainly a
+    custom-annotation blind spot rather than a truly unsecured API — so the flow
+    emits a warning plus a ready-to-paste config hint instead of letting the
+    misleading result stand.
+    """
+    from sourcecode.security_config import CONFIG_FILENAME
+
+    t0 = time.monotonic()
+    steps: list[str] = []
+    quality_warnings: list[str] = []
+    output: dict[str, Any] = {}
+
+    if not _is_java_repo(repo_path):
+        quality_warnings.append(
+            "not_a_java_repo: spring-audit targets Java/Spring repos and will "
+            "report spring_detected=false."
+        )
+
+    # Step 1: Spring semantic audit (TX anomalies + security findings).
+    audit = _exec(["spring-audit", repo_path, "--scope", scope])
+    steps.append(f"get_spring_audit(scope={scope})")
+    if "_exec_error" not in audit:
+        output["spring_audit"] = audit
+    else:
+        quality_warnings.append(f"spring_audit_failed: {audit['_exec_error']}")
+
+    # Step 2: endpoint authorization surface.
+    endpoints = _exec(["endpoints", repo_path])
+    steps.append("get_endpoints")
+    if "_exec_error" not in endpoints:
+        output["endpoint_security_surface"] = endpoints
+    else:
+        quality_warnings.append(f"endpoints_failed: {endpoints['_exec_error']}")
+
+    # Config-less blind-spot detection: no sourcecode.config.json + every endpoint
+    # none_detected → warn rather than report a misleading 100% unsecured surface.
+    has_config = (Path(repo_path) / CONFIG_FILENAME).exists()
+    total, none_detected = _endpoint_security_coverage(endpoints)
+    if not has_config and total > 0 and none_detected == total:
+        quality_warnings.append(
+            "config_less_security_blind_spot: no sourcecode.config.json found and "
+            f"all {total} endpoints report none_detected. If this repo uses a custom "
+            "authorization annotation, the surface is a false negative — add the "
+            "config below and re-run."
+        )
+        output["security_config_hint"] = {
+            "reason": "no_custom_security_annotations_configured",
+            "file": CONFIG_FILENAME,
+            "example": {
+                "customSecurityAnnotations": [
+                    {
+                        "shortName": "YourSecurityAnnotation",
+                        "resourceParam": "resourceName",
+                        "levelParam": "requiredLevel",
+                    }
+                ]
+            },
+        }
+
+    ttfca_ms = int((time.monotonic() - t0) * 1000)
+
+    return {
+        "session_state": SESSION_READY_FOR_REVIEW,
+        "flow": "security_audit",
+        "scope": scope,
+        "endpoint_security_coverage": {
+            "total_endpoints": total,
+            "none_detected": none_detected,
+            "config_present": has_config,
+        },
+        "steps_executed": steps,
+        "quality_warnings": quality_warnings,
+        "consolidated_output": output,
+        "session_meta": {
+            "ttfca_ms": ttfca_ms,
+            "steps_auto_executed": len(steps),
+            "tools_suggested_to_agent": 0,
+        },
+    }

{sourcecode-1.45.0 → sourcecode-1.50.0}/src/sourcecode/mcp/server.py

@@ -510,6 +510,75 @@ def run_feature_flow(repo_path: str = ".", feature_description: str = "") -> dic
         )
 
 
+@mcp.tool()
+def run_migrate_flow(repo_path: str = ".", min_severity: str = "low") -> dict:
+    """Migration Flow — Spring Boot 2→3 readiness in one call. JAVA/SPRING ONLY.
+
+    Primary high-value entry point for migration planning. Wraps migrate-check and
+    lifts the headline numbers to the top level so the agent can plan a 2→3 upgrade
+    without parsing the full report:
+      - readiness_score (0–100; 100 = ready), blocking_count, estimated_effort_days
+      - by_severity and by_target breakdown (jakarta / spring_security_6 / java_11)
+
+    Use this instead of calling get_migration_readiness and interpreting it by hand.
+    Returns headline + consolidated_output.migration_readiness (full report).
+
+    repo_path: absolute path to the Java repository (default: current working directory).
+    min_severity: "critical" | "high" | "medium" | "low" (default — include everything).
+    """
+    _raw = repo_path
+    try:
+        if not isinstance(repo_path, str):
+            return _err("repo_path must be a string", "INVALID_ARGUMENT")
+        repo_path = _normalize_repo_path(repo_path)
+        _path_err = _check_repo_path(repo_path)
+        if _path_err is not None:
+            return _path_err
+        from sourcecode.mcp.orchestrator import run_migrate_flow_impl
+        return _ok(run_migrate_flow_impl(repo_path, min_severity or "low"))
+    except Exception as exc:
+        return _err(
+            f"Internal error: {type(exc).__name__}: {exc} — repo_path: {_raw}",
+            "INTERNAL_ERROR",
+        )
+
+
+@mcp.tool()
+def run_security_audit_flow(repo_path: str = ".", scope: str = "all") -> dict:
+    """Security Audit Flow — Spring findings + endpoint authorization surface. JAVA/SPRING ONLY.
+
+    Auto-chains in one call:
+      1. get_spring_audit(scope) — TX anomalies + security-surface findings
+      2. get_endpoints — endpoint authorization surface
+
+    Config-less safeguard: when no sourcecode.config.json is present and every
+    endpoint reads none_detected, the flow flags a likely custom-annotation blind
+    spot (quality_warnings) and returns a ready-to-paste security_config_hint —
+    rather than letting a misleading 100% none_detected surface stand.
+
+    Returns endpoint_security_coverage + consolidated_output (spring_audit,
+    endpoint_security_surface, optional security_config_hint).
+
+    repo_path: absolute path to the Java repository (default: current working directory).
+    scope: "all" (default) | "tx" | "security".
+    """
+    _raw = repo_path
+    try:
+        if not isinstance(repo_path, str):
+            return _err("repo_path must be a string", "INVALID_ARGUMENT")
+        repo_path = _normalize_repo_path(repo_path)
+        _path_err = _check_repo_path(repo_path)
+        if _path_err is not None:
+            return _path_err
+        from sourcecode.mcp.orchestrator import run_security_audit_flow_impl
+        return _ok(run_security_audit_flow_impl(repo_path, scope or "all"))
+    except Exception as exc:
+        return _err(
+            f"Internal error: {type(exc).__name__}: {exc} — repo_path: {_raw}",
+            "INTERNAL_ERROR",
+        )
+
+
 @mcp.tool()
 def get_cold_start_context(repo_path: str = ".") -> dict:
     """Instant session bootstrap from persisted Repository Intelligence Snapshot (RIS).
@@ -1333,16 +1402,19 @@ _NATIVE_MCP_TOOLS: frozenset[str] = frozenset({
     "run_pr_review_flow",
     "run_bug_investigation_flow",
     "run_feature_flow",
+    "run_migrate_flow",
+    "run_security_audit_flow",
 })
 
 
 def _finalize_mcp_registry() -> None:
     """Sync the MCP server with the runtime-generated registry.
 
-    Removes every tool except the 5 native orchestration tools (start_session,
-    analyze_task, flow runners) which are registered via @mcp.tool() in this
-    module and have no backing CLI command. All other tools are rebuilt from the
-    runtime-derived registry (build_mcp_tool_specs).
+    Removes every tool except the native orchestration tools (start_session,
+    analyze_task, and the flow runners — see _NATIVE_MCP_TOOLS) which are
+    registered via @mcp.tool() in this module and have no backing CLI command.
+    All other tools are rebuilt from the runtime-derived registry
+    (build_mcp_tool_specs).
     """
     from sourcecode.mcp.registry import build_mcp_tool_specs, make_tool_callable, validate_registry