sourcecode 1.55.0__tar.gz → 1.56.0__tar.gz

{sourcecode-1.55.0 → sourcecode-1.56.0}/CHANGELOG.md

@@ -1,5 +1,37 @@
 # Changelog
 
+## [1.56.0] — 2026-06-19
+
+### Added
+- **CH-007 — `impact-chain` recovers callers wired through an external interface.**
+  The flagship blast-radius gap (BroadleafCommerce #3124): a class wired by DI through
+  an external framework interface (e.g. a Spring Security `UserDetailsService` /
+  `RedirectStrategy` impl) reported `0 callers` because consumers inject the *interface*,
+  never the impl — so no reverse-graph edge names it and CH-001b (in-repo interface
+  expansion) cannot bridge. CH-005 only warned; it did not recover the callers.
+
+  `_recover_external_iface_callers()` now reads the raw dependency edges (which record
+  `<consumer> -[injects|calls|instantiates|returns]-> <external interface>` even though
+  those edges never reach `reverse_graph`) and attributes the in-repo wiring/consumer
+  classes as callers, then recomputes the endpoints/findings/surfaces/risk that depend
+  on them. In-repo implementors of the interface are counted: exactly one → unambiguous
+  binding (`confidence:medium`, `framework_di` dropped from `metadata.blind_spots`);
+  several → `metadata.external_iface_binding_ambiguous:true`, confidence stays `low`
+  with an ambiguity warning. No in-repo wiring → the honest CH-005 blind-spot path is
+  unchanged. New metadata: `external_iface_callers_recovered`, `external_iface_binding_ambiguous`.
+
+- **Precision: concrete JDK base classes excluded from DI detection.** `class Foo extends
+  ArrayList`/`Stack`/`InputStream` is implementation reuse, not DI dispatch, and a consumer
+  holding an `ArrayList` field is not a caller of `Foo`. Added `_NON_DI_SUPERTYPES`
+  (java.util containers, java.io streams, java.lang bases) to the external-supertype
+  filter — found via real-repo validation, where it cut false recoveries from 12 to 7.
+
+  Validated on BroadleafCommerce (2762 files, 22 247 symbols): CH-007 recovers wiring
+  callers for 7 classes, all genuine DI interfaces; querying a `UserDetailsService`
+  implementation recovers the security-config + login-service classes that wire it.
+  Report: `.planning/benchmark-broadleaf-3124.md`. Tests: `TestExternalInterfaceDIBridge`
+  (recovery / ambiguity / no-wiring fallback).
+
 ## [1.55.0] — 2026-06-19
 
 ### Security

{sourcecode-1.55.0 → sourcecode-1.56.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.55.0
+Version: 1.56.0
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.55.0-blue)
+![Version](https://img.shields.io/badge/version-1.56.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -459,9 +459,12 @@ Unlike `impact` (which traces the caller graph), `impact-chain` builds on the Sp
 | `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
 | `risk_level` | `critical` \| `high` \| `medium` \| `low` |
 | `confidence` | `high` \| `medium` \| `low` — `low` on a detected blind spot, `medium` on partial resolution or capped traversal. Informational interface↔impl expansion notices do **not** lower it, so a clean resolved query stays `high`. |
-| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code |
+| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code (CH-007 drops `framework_di` once it recovers the wiring callers) |
+| `metadata.external_iface_callers_recovered` / `external_iface_binding_ambiguous` | CH-007 — count of in-repo wiring callers recovered through an external interface, and whether the impl→bean binding is ambiguous (multiple in-repo implementors) |
 
-**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) are excluded.
+**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) and concrete JDK base classes extended for reuse (`ArrayList`, `InputStream`, …) are excluded.
+
+**External-interface DI caller recovery (CH-007).** When the target is wired through an external interface, the consumers that inject that interface never name the target, so the static caller graph misses them — but the wiring sites are still in-repo. `impact-chain` reads the dependency edges to recover the in-repo classes that inject/use the external supertype and attributes them as callers (so their endpoints map too). If exactly one in-repo class implements the interface the binding is unambiguous (`confidence:medium`); if several do, `metadata.external_iface_binding_ambiguous` is `true` and confidence stays `low`. `metadata.external_iface_callers_recovered` reports the count. Recovered callers reach the target only if it is the bean configured for that interface (which may also have framework/third-party implementations) — the warning says so. Validated on BroadleafCommerce: querying a `UserDetailsService` implementation recovers the security-config and login-service classes that wire it.
 
 **Caller precision (CH-006).** `implements`/`extends` are structural type declarations, not calls — so they are excluded from the caller graph. Querying a class that implements a high-fanout interface (e.g. a 40-implementor `CustomEndpoint` or a shared `Mapper<E,D>` base) does **not** report its sibling implementors as callers; only real `injects`/`calls` edges count. This prevents a leaf class from being inflated to a large false blast radius.
 

{sourcecode-1.55.0 → sourcecode-1.56.0}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.55.0-blue)
+![Version](https://img.shields.io/badge/version-1.56.0-blue)
 ![Python](https://img.shields.io/badge/python-3.9%2B-green)
 
 ---
@@ -421,9 +421,12 @@ Unlike `impact` (which traces the caller graph), `impact-chain` builds on the Sp
 | `impact_findings` | TX-001..005 and SEC-001..003 findings that touch the call chain |
 | `risk_level` | `critical` \| `high` \| `medium` \| `low` |
 | `confidence` | `high` \| `medium` \| `low` — `low` on a detected blind spot, `medium` on partial resolution or capped traversal. Informational interface↔impl expansion notices do **not** lower it, so a clean resolved query stays `high`. |
-| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code |
+| `metadata.blind_spots` | `framework_di` and/or `value_type` when an empty result is unmodeled-edge driven, not real dead code (CH-007 drops `framework_di` once it recovers the wiring callers) |
+| `metadata.external_iface_callers_recovered` / `external_iface_binding_ambiguous` | CH-007 — count of in-repo wiring callers recovered through an external interface, and whether the impl→bean binding is ambiguous (multiple in-repo implementors) |
 
-**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) are excluded.
+**Framework/DI blind spot (CH-005).** An empty blast radius is ambiguous: genuinely unused, or invoked through an edge the static graph does not model. When the target class implements/extends an **external** framework type (e.g. Spring Security's `RedirectStrategy`, a servlet `Filter`) it is typically wired by framework DI/config and invoked polymorphically — no in-repo edge names its methods, so `direct_callers` is `0`. Rather than report that as `risk:low` at high confidence (a dangerous false negative that reads as "safe to change"), `impact-chain` detects the external supertype, drops `confidence` to `low`, lists it in `metadata.external_supertypes`, and emits a `CH-005` warning telling you to search the DI/security/config wiring for the supertype. Inert markers (`Serializable`, `Cloneable`) and concrete JDK base classes extended for reuse (`ArrayList`, `InputStream`, …) are excluded.
+
+**External-interface DI caller recovery (CH-007).** When the target is wired through an external interface, the consumers that inject that interface never name the target, so the static caller graph misses them — but the wiring sites are still in-repo. `impact-chain` reads the dependency edges to recover the in-repo classes that inject/use the external supertype and attributes them as callers (so their endpoints map too). If exactly one in-repo class implements the interface the binding is unambiguous (`confidence:medium`); if several do, `metadata.external_iface_binding_ambiguous` is `true` and confidence stays `low`. `metadata.external_iface_callers_recovered` reports the count. Recovered callers reach the target only if it is the bean configured for that interface (which may also have framework/third-party implementations) — the warning says so. Validated on BroadleafCommerce: querying a `UserDetailsService` implementation recovers the security-config and login-service classes that wire it.
 
 **Caller precision (CH-006).** `implements`/`extends` are structural type declarations, not calls — so they are excluded from the caller graph. Querying a class that implements a high-fanout interface (e.g. a 40-implementor `CustomEndpoint` or a shared `Mapper<E,D>` base) does **not** report its sibling implementors as callers; only real `injects`/`calls` edges count. This prevents a leaf class from being inflated to a large false blast radius.
 

{sourcecode-1.55.0 → sourcecode-1.56.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.55.0"
+version = "1.56.0"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.55.0 → sourcecode-1.56.0}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.55.0"
+__version__ = "1.56.0"

{sourcecode-1.55.0 → sourcecode-1.56.0}/src/sourcecode/spring_impact.py

@@ -182,6 +182,25 @@ _INERT_MARKER_SUPERTYPES = frozenset({
     "Externalizable", "java.io.Externalizable",
 })
 
+# Concrete JDK base classes extended for implementation reuse, NOT framework-DI
+# interfaces. `class Foo extends ArrayList` is code reuse, not polymorphic wiring,
+# and consumers that merely hold an ArrayList/InputStream field are not callers of
+# Foo. Validated on BroadleafCommerce: without this, CH-007 mis-recovered consumers
+# of ArrayList/Stack/InputStream as callers of EmptyFilterValues/IdentityUtilContext/
+# ResourceInputStream. Simple-name match (the external type is, by definition, not in-repo).
+_NON_DI_SUPERTYPES = frozenset({
+    # java.util containers
+    "ArrayList", "LinkedList", "Vector", "Stack", "HashMap", "LinkedHashMap",
+    "TreeMap", "HashSet", "LinkedHashSet", "TreeSet", "ArrayDeque", "Properties",
+    "AbstractList", "AbstractMap", "AbstractSet", "AbstractCollection", "EnumMap",
+    # java.io / java.nio streams + readers
+    "InputStream", "OutputStream", "Reader", "Writer", "FilterInputStream",
+    "FilterOutputStream", "ByteArrayInputStream", "ByteArrayOutputStream",
+    # java.lang base classes
+    "Object", "Thread", "Throwable", "Exception", "RuntimeException", "Error",
+    "Number", "Enum", "ClassLoader", "ThreadLocal",
+})
+
 
 def _external_supertypes(cir, class_fqn: str) -> list[str]:
     """Return supertypes of class_fqn that are NOT in-repo symbols.
@@ -212,6 +231,8 @@ def _external_supertypes(cir, class_fqn: str) -> list[str]:
         simple = to.rsplit(".", 1)[1] if "." in to else to
         if simple in _INERT_MARKER_SUPERTYPES or to in _INERT_MARKER_SUPERTYPES:
             continue
+        if simple in _NON_DI_SUPERTYPES:
+            continue  # concrete JDK base extended for reuse, not DI dispatch
         # Internal if it resolves to exactly one in-repo class (exact or simple-name).
         if to in known:
             continue
@@ -246,6 +267,51 @@ def _is_unmodeled_value_type(cir, class_fqn: str, model) -> bool:
     return True
 
 
+# CH-007 — external-interface DI bridge (caller recovery)
+# ---------------------------------------------------------------------------
+# When a class is reachable only through an external interface it implements
+# (the CH-005 blind spot), its consumers inject/reference the *external* type,
+# never the impl — so no reverse-graph edge names the impl and CH-001b (in-repo
+# interface expansion) cannot bridge. The wiring sites are still in-repo, though:
+# the raw dependency edges record `<consumer> -[injects|calls|instantiates|returns]->
+# <external interface>`. Read those to recover the consumer classes, and count how
+# many in-repo classes implement/extend each external supertype: exactly one means
+# the binding is unambiguous (this impl IS the injected bean); several means any
+# could be, so recover all candidates and flag the ambiguity rather than assert.
+_DI_USE_EDGE_TYPES = frozenset({"injects", "calls", "instantiates", "returns"})
+
+
+def _recover_external_iface_callers(
+    cir, external_supertypes: list[str], impl_class_fqn: str
+) -> tuple[list[str], int]:
+    """Recover in-repo wiring/consumer classes for an impl wired via an external
+    interface (CH-007). See module note above.
+
+    Returns ``(recovered_caller_classes, max_impl_count)`` where max_impl_count is
+    the largest number of in-repo implementors across the matched supertypes — 1
+    means the impl→bean binding is unambiguous, >1 means it is not.
+    """
+    deps = getattr(cir, "dependencies", None) or []
+    ext = set(external_supertypes)
+    if not ext:
+        return [], 0
+    recovered: list[str] = []
+    impl_count: dict[str, int] = {e: 0 for e in ext}
+    for edge in deps:
+        to = (edge.get("to") or "").strip()
+        if to not in ext:
+            continue
+        et = edge.get("type")
+        if et in ("implements", "extends"):
+            impl_count[to] = impl_count.get(to, 0) + 1
+        elif et in _DI_USE_EDGE_TYPES:
+            owner = normalize_owner_fqn((edge.get("from") or "").strip())
+            if owner and owner != impl_class_fqn:
+                recovered.append(owner)
+    max_impl = max(impl_count.values()) if impl_count else 0
+    return list(dict.fromkeys(recovered)), max_impl
+
+
 # ---------------------------------------------------------------------------
 # Symbol resolution
 # ---------------------------------------------------------------------------
@@ -846,7 +912,57 @@ class ImpactOrchestrator:
         if empty_blast and class_level_seed:
             external_supertypes = _external_supertypes(cir, resolved_symbol)
         framework_di_blind_spot = bool(external_supertypes)
+
+        # CH-007: external-interface DI bridge. Before treating the empty result as a
+        # blind spot, recover the in-repo wiring/consumer classes that inject the
+        # external supertype (they never name this impl, so the BFS missed them).
+        di_recovered_callers: list[str] = []
+        di_binding_ambiguous = False
         if framework_di_blind_spot:
+            di_recovered_callers, _max_impl = _recover_external_iface_callers(
+                cir, external_supertypes, resolved_symbol
+            )
+            di_binding_ambiguous = _max_impl > 1
+            # Keep only genuinely new caller classes (not seeds / already found).
+            _known = set(seed_fqns) | set(direct_callers) | set(indirect_callers)
+            di_recovered_callers = [c for c in di_recovered_callers if c not in _known]
+
+        di_recovered = bool(di_recovered_callers)
+        if di_recovered:
+            # Merge recovered wiring sites into the chain and recompute the views
+            # that depend on the caller set (endpoints, findings, surfaces, risk).
+            direct_callers = direct_callers + di_recovered_callers
+            empty_blast = False
+            all_callers = direct_callers + indirect_callers
+            endpoints_affected = _collect_endpoints(all_callers, seed_fqns, model)
+            impact_findings_raw = _filter_findings(
+                all_findings, seed_fqns, direct_callers, indirect_callers, endpoints_affected
+            )
+            impact_findings_raw.sort(
+                key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.symbol)
+            )
+            impact_findings = [f.to_dict() for f in impact_findings_raw]
+            security_surfaces = _build_security_surfaces(endpoints_affected, impact_findings_raw)
+            risk_level, risk_score = _compute_risk(
+                len(direct_callers), len(indirect_callers),
+                len(endpoints_affected), impact_findings_raw,
+            )
+            _ambig = (
+                " Binding is ambiguous (the external type has multiple in-repo "
+                "implementors); the recovered caller(s) wire one of them — verify "
+                "which bean is configured." if di_binding_ambiguous else ""
+            )
+            warnings.append(
+                f"External-interface DI bridge (CH-007): recovered "
+                f"{len(di_recovered_callers)} in-repo wiring/consumer class(es) that "
+                "inject the external supertype(s) [" + ", ".join(external_supertypes)
+                + "] this class implements. These callers reference the interface, not "
+                "this class directly, so the static call-graph missed them. They reach "
+                "this class only if it is the bean configured for that interface — the "
+                "interface may also have framework/third-party implementations; verify "
+                "the wiring." + _ambig
+            )
+        elif framework_di_blind_spot:
             warnings.append(
                 "Framework/external-interface DI blind spot (CH-005): this class "
                 "implements/extends external type(s) [" + ", ".join(external_supertypes)
@@ -900,6 +1016,10 @@ class ImpactOrchestrator:
         confidence: str
         if resolution == "not_found":
             confidence = "low"
+        elif di_recovered:
+            # Callers recovered structurally via the external-interface DI bridge.
+            # Unambiguous binding (single in-repo impl) → medium; ambiguous → low.
+            confidence = "low" if di_binding_ambiguous else "medium"
         elif framework_di_blind_spot or value_type_blind_spot or unresolved_ref_blind_spot:
             confidence = "low"
         elif resolution == "partial" or confidence_reducing:
@@ -931,11 +1051,14 @@ class ImpactOrchestrator:
                 "model_build_time_ms": model.build_time_ms,
                 "query_time_ms": elapsed_ms,
                 "blind_spots": (
-                    (["framework_di"] if framework_di_blind_spot else [])
+                    # framework_di stops being a blind spot once CH-007 recovers callers
+                    (["framework_di"] if framework_di_blind_spot and not di_recovered else [])
                     + (["value_type"] if value_type_blind_spot else [])
                     + (["unresolved_refs"] if unresolved_ref_blind_spot else [])
                 ),
                 "external_supertypes": external_supertypes,
+                "external_iface_callers_recovered": len(di_recovered_callers),
+                "external_iface_binding_ambiguous": di_binding_ambiguous,
             },
         )