specfact-cli 0.46.0__tar.gz → 0.46.4__tar.gz

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: specfact-cli
-Version: 0.46.0
+Version: 0.46.4
 Summary: The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with validation and contract enforcement for new projects and long-lived codebases.
 Project-URL: Homepage, https://github.com/nold-ai/specfact-cli
 Project-URL: Repository, https://github.com/nold-ai/specfact-cli.git
@@ -224,12 +224,12 @@ Classifier: Topic :: Software Development :: Testing
 Requires-Python: >=3.11
 Requires-Dist: azure-identity>=1.17.1
 Requires-Dist: beartype>=0.22.4
+Requires-Dist: commentjson>=0.9.0
 Requires-Dist: cryptography>=43.0.0
 Requires-Dist: gitpython>=3.1.45
 Requires-Dist: graphviz>=0.20.1
 Requires-Dist: icontract>=2.7.1
 Requires-Dist: jinja2>=3.1.6
-Requires-Dist: json5>=0.9.28
 Requires-Dist: jsonschema>=4.23.0
 Requires-Dist: networkx>=3.4.2
 Requires-Dist: opentelemetry-exporter-otlp-proto-http>=1.27.0
@@ -248,16 +248,18 @@ Provides-Extra: contracts
 Requires-Dist: crosshair-tool>=0.0.97; extra == 'contracts'
 Requires-Dist: hypothesis>=6.142.4; extra == 'contracts'
 Provides-Extra: dev
+Requires-Dist: bandit>=1.7.0; extra == 'dev'
 Requires-Dist: basedpyright>=1.32.1; extra == 'dev'
-Requires-Dist: bearer>=3.1.0; extra == 'dev'
 Requires-Dist: beartype>=0.22.4; extra == 'dev'
 Requires-Dist: crosshair-tool>=0.0.97; extra == 'dev'
 Requires-Dist: graphviz>=0.20.1; extra == 'dev'
 Requires-Dist: hypothesis>=6.142.4; extra == 'dev'
 Requires-Dist: icontract>=2.7.1; extra == 'dev'
 Requires-Dist: isort>=7.0.0; extra == 'dev'
+Requires-Dist: pip-audit>=2.0.0; extra == 'dev'
+Requires-Dist: pip-licenses>=4.0.0; extra == 'dev'
 Requires-Dist: pip-tools>=7.5.1; extra == 'dev'
-Requires-Dist: pyan3>=1.2.0; extra == 'dev'
+Requires-Dist: pycg==0.0.7; extra == 'dev'
 Requires-Dist: pylint>=4.0.2; extra == 'dev'
 Requires-Dist: pytest-asyncio>=1.2.0; extra == 'dev'
 Requires-Dist: pytest-cov>=7.0.0; extra == 'dev'
@@ -271,10 +273,8 @@ Requires-Dist: setuptools<82,>=69.0.0; extra == 'dev'
 Requires-Dist: tomlkit>=0.13.3; extra == 'dev'
 Requires-Dist: types-pyyaml>=6.0.12.20250516; extra == 'dev'
 Provides-Extra: enhanced-analysis
-Requires-Dist: bearer>=3.1.0; extra == 'enhanced-analysis'
 Requires-Dist: graphviz>=0.20.1; extra == 'enhanced-analysis'
-Requires-Dist: pyan3>=1.2.0; extra == 'enhanced-analysis'
-Requires-Dist: syft>=0.9.5; extra == 'enhanced-analysis'
+Requires-Dist: pycg==0.0.7; extra == 'enhanced-analysis'
 Provides-Extra: scanning
 Requires-Dist: semgrep>=1.144.0; extra == 'scanning'
 Description-Content-Type: text/markdown
@@ -308,7 +308,7 @@ uvx specfact-cli code review run --path . --scope full
 **Sample output:**
 
 ```text
-SpecFact CLI - v0.46.0
+SpecFact CLI - v0.46.4
 
 Running Ruff checks...
 Running Radon complexity checks...
@@ -361,16 +361,28 @@ It exists because delivery drifts in predictable ways:
 
 ## Add SpecFact to your workflow
 
-**Pre-commit hook**
+### Pre-commit hook
+
+This repository uses a **modular** local hook layout (parity with `specfact-cli-modules`: `fail_fast`,
+separate verify / format / YAML / Markdown / workflow / lint / Block 2 hooks). If you copy
+[`.pre-commit-config.yaml`](.pre-commit-config.yaml) into another repo, you must also vendor the
+referenced `scripts/*.sh` entrypoints (at minimum `scripts/pre-commit-quality-checks.sh`,
+`scripts/pre-commit-verify-modules.sh`, `scripts/module-verify-policy.sh`, and
+`scripts/git-branch-module-signature-flag.sh`) so hook
+`entry:` paths resolve. Alternatively, skip vendoring the modular file and use the remote hook below.
+
+For a **single-hook** setup in downstream repos, keep using the stable id and script shim:
 
 ```yaml
 - repo: https://github.com/nold-ai/specfact-cli
-  rev: v0.46.0
+  rev: v0.46.4
   hooks:
     - id: specfact-smart-checks
 ```
 
-**GitHub Actions**
+The shim runs `scripts/pre-commit-quality-checks.sh all` (full pipeline including module verify).
+
+### GitHub Actions
 
 ```yaml
 - name: SpecFact Gate

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/README.md

@@ -27,7 +27,7 @@ uvx specfact-cli code review run --path . --scope full
 **Sample output:**
 
 ```text
-SpecFact CLI - v0.46.0
+SpecFact CLI - v0.46.4
 
 Running Ruff checks...
 Running Radon complexity checks...
@@ -80,16 +80,28 @@ It exists because delivery drifts in predictable ways:
 
 ## Add SpecFact to your workflow
 
-**Pre-commit hook**
+### Pre-commit hook
+
+This repository uses a **modular** local hook layout (parity with `specfact-cli-modules`: `fail_fast`,
+separate verify / format / YAML / Markdown / workflow / lint / Block 2 hooks). If you copy
+[`.pre-commit-config.yaml`](.pre-commit-config.yaml) into another repo, you must also vendor the
+referenced `scripts/*.sh` entrypoints (at minimum `scripts/pre-commit-quality-checks.sh`,
+`scripts/pre-commit-verify-modules.sh`, `scripts/module-verify-policy.sh`, and
+`scripts/git-branch-module-signature-flag.sh`) so hook
+`entry:` paths resolve. Alternatively, skip vendoring the modular file and use the remote hook below.
+
+For a **single-hook** setup in downstream repos, keep using the stable id and script shim:
 
 ```yaml
 - repo: https://github.com/nold-ai/specfact-cli
-  rev: v0.46.0
+  rev: v0.46.4
   hooks:
     - id: specfact-smart-checks
 ```
 
-**GitHub Actions**
+The shim runs `scripts/pre-commit-quality-checks.sh all` (full pipeline including module verify).
+
+### GitHub Actions
 
 ```yaml
 - name: SpecFact Gate

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "specfact-cli"
-version = "0.46.0"
+version = "0.46.4"
 description = "The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with validation and contract enforcement for new projects and long-lived codebases."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -77,6 +77,7 @@ dependencies = [
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
     
     # Git operations
+    # gitpython: CVE history (CVE-2022-24439, CVE-2023-41040, CVE-2023-40590). Phase 2: replace with dulwich.
     "gitpython>=3.1.45",
     
     # YAML utilities
@@ -84,8 +85,8 @@ dependencies = [
     
     # Schema validation
     "jsonschema>=4.23.0",
-    # VS Code settings.json is often JSON with comments (JSONC); parse/emit via JSON5 subset
-    "json5>=0.9.28",
+    # VS Code settings.json is JSONC (comments + trailing commas); commentjson (MIT) strips them, delegates to stdlib json
+    "commentjson>=0.9.0",
     
     # Contract-First (runtime decorators; exploration tools are optional extra `contracts`)
     "icontract>=2.7.1",  # Design-by-contract decorators
@@ -114,13 +115,13 @@ dev = [
     "pytest-xdist>=3.8.0",
     "basedpyright>=1.32.1",
     "isort>=7.0.0",
-    "pylint>=4.0.2",
+    "pylint>=4.0.2",  # GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
     "ruff>=0.14.2",
     "radon>=6.0.1",
     "tomlkit>=0.13.3",  # Style-preserving TOML library (recommended successor to pytoml)
     "types-PyYAML>=6.0.12.20250516",
     "pip-tools>=7.5.1",
-    "semgrep>=1.144.0",  # Latest version compatible with rich~=13.5.2
+    "semgrep>=1.144.0",  # LGPL-2.1 — required for code analysis; invoked as subprocess (accepted exception)
 
     # Same contract exploration stack as [contracts] (extras cannot self-reference)
     "crosshair-tool>=0.0.97",
@@ -131,11 +132,14 @@ dev = [
     "beartype>=0.22.4",
     
     # Enhanced Analysis Tools (for local development)
-    # Note: syft excluded from dev/test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from dev: pyan3 (GPL-2.0) and bearer (wrong PyPI package; SaaS auth, not scanner)
+    # syft removed — wrong PyPI package (OpenMined ML framework, not Anchore SBOM)
+    "bandit>=1.7.0",  # SAST scanner (MIT)
+    "pip-licenses>=4.0.0",  # License enumeration for compliance gate (MIT)
+    "pip-audit>=2.0.0",  # CVE audit via OSV database (Apache-2.0)
+    # pylint: GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
 ]
 
 scanning = [
@@ -144,9 +148,8 @@ scanning = [
 
 enhanced-analysis = [
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "syft>=0.9.5",  # Software Bill of Materials (SBOM) generation
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from enhanced-analysis: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
 ]
 
 # Note: Specmatic integration (specfact spec commands) requires the Specmatic CLI tool
@@ -188,28 +191,36 @@ dependencies = [
     "pylint>=4.0.2",
     "ruff>=0.14.2",
     "radon>=6.0.1",
-    "yamllint>=1.37.1",
-    "semgrep>=1.144.0",  # Latest version compatible with rich~=13.5.2
+    "yamllint>=1.37.1",  # GPL-3.0-or-later — dev/test-only exception. Phase 2: replace with non-GPL YAML lint path.
+    "semgrep>=1.144.0",  # LGPL-2.1 — required for code analysis; invoked as subprocess (accepted exception)
     # Contract-First Development Dependencies
     "icontract>=2.7.1",
-    "beartype>=0.22.4", 
+    "beartype>=0.22.4",
     "crosshair-tool>=0.0.97",
     "hypothesis>=6.142.4",
     # Enhanced Analysis Tools (for local development)
-    # Note: syft excluded from dev/test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from Hatch default: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
+    "bandit>=1.7.0",  # SAST scanner (MIT)
+    "pip-licenses>=4.0.0",  # License enumeration for compliance gate (MIT)
+    "pip-audit>=2.0.0",  # CVE audit via OSV database (Apache-2.0)
+    # pylint: GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
 ]
 
 [tool.hatch.envs.default.scripts]
 validate-prompts = "python tools/validate_prompts.py"
+# Security and license compliance gates
+bandit-scan = "bandit -r src/ -ll"
+license-check = "python scripts/check_license_compliance.py"
+# Wrap pip-audit so JSON parsing and CVSS threshold checks fail closed.
+security-audit = "python scripts/security_audit_gate.py"
 # Development scripts
 test = "pytest {args}"
 test-cov = "pytest --cov=src --cov-report=term-missing {args}"
 type-check = "basedpyright --pythonpath $(python -c 'import sys; print(sys.executable)') {args}"
-lint = "ruff format . --check && basedpyright --pythonpath $(python -c 'import sys; print(sys.executable)') && ruff check . && pylint src tests tools && python scripts/verify_safe_project_writes.py"
+# basedpyright --level error: suppress warning noise in pre-commit (Block 1 runs `hatch run lint`).
+lint = "ruff format . --check && basedpyright --level error --pythonpath $(python -c 'import sys; print(sys.executable)') && ruff check . && pylint src tests tools && python scripts/verify_safe_project_writes.py"
 governance = "pylint src tests tools --reports=y --output-format=parseable"
 format = "ruff check . --fix && ruff format ."
 
@@ -236,7 +247,8 @@ check-cross-site-links = "python scripts/check-cross-site-links.py"
 doc-frontmatter-check = "python scripts/check_doc_frontmatter.py"
 validate-agent-rule-signals = "python scripts/validate_agent_rule_applies_when.py"
 check-version-sources = "python scripts/check_version_sources.py"
-release = "python scripts/check_version_sources.py"
+check-pypi-ahead = "python scripts/check_local_version_ahead_of_pypi.py"
+release = "python scripts/check_local_version_ahead_of_pypi.py && python scripts/check_version_sources.py"
 docs-validate = "python scripts/check-docs-commands.py && python scripts/check-cross-site-links.py --warn-only && python scripts/check_doc_frontmatter.py && python scripts/validate_agent_rule_applies_when.py"
 
 # Legacy entry (kept for compatibility); prefer `workflows-lint` above
@@ -259,10 +271,15 @@ smart-test-e2e = "python tools/smart_test_coverage.py run --level e2e {args}"
 smart-test-full = "python tools/smart_test_coverage.py run --level full {args}"
 smart-test-auto = "python tools/smart_test_coverage.py run --level auto {args}"
 
+# Bundled module verify (flags from scripts/module-verify-policy.sh via run_verify_modules_policy.sh)
+verify-modules-signature = "bash scripts/run_verify_modules_policy.sh strict {args}"
+verify-modules-signature-pr = "bash scripts/run_verify_modules_policy.sh pr {args}"
+verify-modules-signature-push = "bash scripts/run_verify_modules_policy.sh push-orchestrator {args}"
+
 # Module migration pre-deletion gate
 verify-removal-gate = [
     "python scripts/verify-bundle-published.py --modules project,plan,import_cmd,sync,migrate,backlog,policy_engine,analyze,drift,validate,repro,contract,spec,sdd,generate,enforce,patch_mode",
-    "python scripts/verify-modules-signature.py --require-signature",
+    "hatch run verify-modules-signature",
 ]
 export-change-github = "python scripts/export-change-to-github.py {args}"
 
@@ -286,7 +303,6 @@ contract-prune = "python tools/migrate_tests_to_contracts.py --prune --dry-run"
 # Pre-commit hooks
 pre-commit-install = "bash scripts/setup-git-hooks.sh"
 pre-commit-checks = "bash scripts/pre-commit-smart-checks.sh"
-pre-commit-test = "bash scripts/pre-commit-smart-test.sh"
 
 [tool.hatch.envs.py311]
 python = "3.11"
@@ -313,13 +329,12 @@ dependencies = [
     "beartype>=0.22.4", 
     "crosshair-tool>=0.0.97",
     "hypothesis>=6.142.4",
-    "yamllint>=1.37.1",
+    "yamllint>=1.37.1",  # GPL-3.0-or-later — dev/test-only exception. Phase 2: replace with non-GPL YAML lint path.
     # Enhanced Analysis Tools (for testing)
-    # Note: syft excluded from test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from Hatch test: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
+    "commentjson>=0.9.0",  # JSONC parser (MIT; replaces json5 for VS Code settings JSONC support)
 ]
 dev-mode = true
 parallel = true

specfact_cli-0.46.4/resources/bundled-module-registry/index.json

@@ -0,0 +1,20 @@
+{
+  "modules": [
+    {
+      "id": "init",
+      "latest_version": "0.1.30"
+    },
+    {
+      "id": "upgrade",
+      "latest_version": "0.1.4"
+    },
+    {
+      "id": "module-registry",
+      "latest_version": "0.1.19"
+    },
+    {
+      "id": "bundle-mapper",
+      "latest_version": "0.1.9"
+    }
+  ]
+}

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/__init__.py

@@ -3,4 +3,4 @@ SpecFact CLI - Spec→Contract→Sentinel tool for contract-driven development.
 """
 
 # Package version: keep in sync with pyproject.toml, setup.py, src/specfact_cli/__init__.py
-__version__ = "0.46.0"
+__version__ = "0.46.4"

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/specfact_cli/__init__.py

@@ -45,6 +45,6 @@ def _bootstrap_bundle_paths() -> None:
 
 _bootstrap_bundle_paths()
 
-__version__ = "0.46.0"
+__version__ = "0.46.4"
 
 __all__ = ["__version__"]

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/specfact_cli/adapters/ado.py

@@ -54,7 +54,7 @@ console = Console()
 
 @dataclass(frozen=True, slots=True)
 class _AdoCreatedWorkItemRef:
-    work_item_id: Any
+    work_item_id: int | str
     work_item_url: str
     org: str
     project: str
@@ -744,7 +744,10 @@ class AdoAdapter(BridgeAdapter, BacklogAdapterMixin, BacklogAdapter):
             },
         }
         source_tracking = proposal_data.get("source_tracking")
-        if source_tracking is None:
+        if isinstance(source_tracking, list):
+            cast(list[dict[str, Any]], source_tracking).append(tracking_update)
+            return
+        if source_tracking is None or (isinstance(source_tracking, dict) and len(source_tracking) == 0):
             proposal_data["source_tracking"] = tracking_update
             return
         if isinstance(source_tracking, dict):
@@ -752,11 +755,6 @@ class AdoAdapter(BridgeAdapter, BacklogAdapterMixin, BacklogAdapter):
             st.update(tracking_update)
             proposal_data["source_tracking"] = st
             return
-        if isinstance(source_tracking, list):
-            if not source_tracking:
-                proposal_data["source_tracking"] = [tracking_update]
-                return
-            cast(list[dict[str, Any]], source_tracking).append(tracking_update)
 
     def _is_on_premise(self) -> bool:
         """
@@ -2270,8 +2268,10 @@ class AdoAdapter(BridgeAdapter, BacklogAdapterMixin, BacklogAdapter):
         Returns:
             Dict with updated work item data: {"work_item_id": int, "work_item_url": str, "state": str}
         """
-        target_repo = f"{org}/{project}"
-        work_item_id = self._get_source_tracking_work_item_id(proposal_data.get("source_tracking", {}), target_repo)
+        work_item_id = self._get_source_tracking_work_item_id(
+            proposal_data.get("source_tracking", {}),
+            f"{org}/{project}",
+        )
         ado_state = self._resolve_proposal_ado_state(proposal_data)
         work_item_data = self._patch_work_item(
             org,

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/specfact_cli/adapters/github.py

@@ -159,7 +159,11 @@ def _get_github_token_from_gh_cli() -> str | None:
     return None
 
 
-_GITHUB_GIT_CONFIG_URL_RE = re.compile(r"(?im)^\s*url\s*=\s*(https?://\S+|ssh://\S+|git://\S+|git@[^:\s]+:\S+)\s*$")
+# Line-anchored so ``pushurl =`` / ``insteadOf`` lines do not match the ``url`` token inside another key.
+# Matches: https://, http://, ssh://, git://, and git@host:path remotes.
+_GITHUB_GIT_CONFIG_URL_RE = re.compile(
+    r"(?m)^\s*url\s*=\s*(https?://[^\s]+|ssh://[^\s]+|git://[^\s]+|git@[^:]+:[^\s]+)"
+)
 
 
 def _git_config_content_indicates_github(config_content: str) -> bool:
@@ -1471,7 +1475,14 @@ class GitHubAdapter(BridgeAdapter, BacklogAdapterMixin, BacklogAdapter):
             title = raw_title
 
         body = self._render_issue_body(
-            _IssueBodyRenderInput(title, description, rationale, impact, change_id, raw_body)
+            _IssueBodyRenderInput(
+                title=title,
+                description=description,
+                rationale=rationale,
+                impact=impact,
+                change_id=change_id,
+                raw_body=raw_body,
+            )
         )
 
         # Check for API token before making request
@@ -1735,7 +1746,15 @@ class GitHubAdapter(BridgeAdapter, BacklogAdapterMixin, BacklogAdapter):
         current_body, current_title, current_state = self._fetch_issue_snapshot(repo_owner, repo_name, issue_number)
         preserved_sections = self._preserved_issue_sections(current_body, change_id)
         body = self._render_issue_body(
-            _IssueBodyRenderInput(title, description, rationale, impact, change_id, raw_body, preserved_sections)
+            _IssueBodyRenderInput(
+                title=title,
+                description=description,
+                rationale=rationale,
+                impact=impact,
+                change_id=change_id,
+                raw_body=raw_body,
+                preserved_sections=preserved_sections,
+            )
         )
 
         # Update issue body via GitHub API PATCH

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/specfact_cli/adapters/speckit.py

@@ -462,15 +462,19 @@ class SpecKitAdapter(BridgeAdapter):
             story_title = sd.get("title", "Unknown Story")
             priority = sd.get("priority", "P3")
             acceptance_raw = sd.get("acceptance", [])
-            default_acceptance = [f"{story_title} is implemented"]
             if isinstance(acceptance_raw, list) and acceptance_raw:
                 if all(isinstance(x, str) for x in acceptance_raw):
-                    acceptance = list(acceptance_raw) or default_acceptance
+                    acceptance = [s.strip() for s in acceptance_raw if isinstance(s, str) and s.strip()]
                 else:
-                    extracted = self._extract_text_list(cast(list[Any], acceptance_raw))
-                    acceptance = extracted or default_acceptance
+                    acceptance = [
+                        s.strip() for s in self._extract_text_list(cast(list[Any], acceptance_raw)) if s.strip()
+                    ]
+                    if not acceptance:
+                        acceptance = [f"{story_title} is implemented"]
+                if not acceptance:
+                    acceptance = [f"{story_title} is implemented"]
             else:
-                acceptance = default_acceptance
+                acceptance = [f"{story_title} is implemented"]
             story_points = priority_map.get(str(priority), 3)
             stories.append(
                 Story(
@@ -548,14 +552,13 @@ class SpecKitAdapter(BridgeAdapter):
 
         if existing_feature:
             existing_feature.title = payload.feature_title
-            existing_feature.outcomes = (
-                list(payload.outcomes) if payload.outcomes else list(existing_feature.outcomes or [])
-            )
-            existing_feature.acceptance = (
-                list(payload.acceptance) if payload.acceptance else list(existing_feature.acceptance or [])
-            )
+            existing_feature.outcomes = list(payload.outcomes)
+            existing_feature.acceptance = list(payload.acceptance)
             existing_feature.stories = [s.model_copy(deep=True) for s in payload.stories]
             existing_feature.constraints = list(constraints)
+            existing_feature.source_tracking = self._build_speckit_source_tracking(
+                payload.spec_path, payload.bridge_config
+            )
             return
 
         feature = Feature(

{specfact_cli-0.46.0 → specfact_cli-0.46.4}/src/specfact_cli/analyzers/code_analyzer.py

@@ -507,16 +507,16 @@ class CodeAnalyzer:
             }
         )
 
-        # Dependency Graph Analysis (requires pyan3 and networkx)
-        pyan3_available, _ = check_cli_tool_available("pyan3")
+        # Dependency Graph Analysis (requires pycg and networkx)
+        pycg_available, _ = check_cli_tool_available("pycg")
         networkx_available = check_python_package_available("networkx")
-        graph_enabled = pyan3_available and networkx_available
+        graph_enabled = pycg_available and networkx_available
         graph_used = graph_enabled  # Used if both dependencies are available
 
-        if not pyan3_available and not networkx_available:
-            reason = "pyan3 and networkx not installed (install: pip install pyan3 networkx)"
-        elif not pyan3_available:
-            reason = "pyan3 not installed (install: pip install pyan3)"
+        if not pycg_available and not networkx_available:
+            reason = "pycg and networkx not installed (install: pip install pycg networkx)"
+        elif not pycg_available:
+            reason = "pycg not installed (install: pip install pycg)"
         elif not networkx_available:
             reason = "networkx not installed (install: pip install networkx)"
         else:
@@ -738,19 +738,8 @@ class CodeAnalyzer:
     @staticmethod
     def _themes_for_import_module(module_name: str, theme_keywords: dict[str, str]) -> set[str]:
         lowered = module_name.lower()
-        tokens = [t for t in re.split(r"[._-]", lowered) if t]
-        top_level = lowered.split(".", 1)[0]
-        found: set[str] = set()
-        for keyword, theme in theme_keywords.items():
-            if keyword == lowered or lowered.startswith(f"{keyword}."):
-                found.add(theme)
-                continue
-            if keyword == top_level or top_level.startswith(f"{keyword}."):
-                found.add(theme)
-                continue
-            if keyword in tokens:
-                found.add(theme)
-        return found
+        segments = {p for p in lowered.replace("-", ".").split(".") if p}
+        return {theme for keyword, theme in theme_keywords.items() if keyword in segments}
 
     def _themes_for_import_node(self, node: ast.Import | ast.ImportFrom, theme_keywords: dict[str, str]) -> set[str]:
         if isinstance(node, ast.Import):
@@ -1745,14 +1734,50 @@ class CodeAnalyzer:
         self.async_patterns[module_name].extend(async_methods)
         return async_methods
 
-    def _detect_async_patterns_parallel(self, tree: ast.AST, file_path: Path) -> list[str]:
+    @staticmethod
+    def _build_ast_parent_map(tree: ast.AST) -> dict[ast.AST, ast.AST | None]:
+        parents: dict[ast.AST, ast.AST | None] = {}
+
+        def visit(node: ast.AST, parent: ast.AST | None) -> None:
+            parents[node] = parent
+            for child in ast.iter_child_nodes(node):
+                visit(child, node)
+
+        visit(tree, None)
+        return parents
+
+    @staticmethod
+    def _function_name_holding_await(parents: dict[ast.AST, ast.AST | None], await_node: ast.Await) -> str | None:
+        current: ast.AST | None = await_node
+        while current is not None:
+            par = parents.get(current)
+            if par is None:
+                return None
+            if isinstance(par, (ast.FunctionDef, ast.AsyncFunctionDef)):
+                return par.name
+            current = par
+        return None
+
+    def _detect_async_patterns_parallel(self, tree: ast.AST, _file_path: Path) -> list[str]:
         """
         Detect async/await patterns in code (thread-safe version).
 
         Returns:
             List of async method/function names
         """
-        return [node.name for node in ast.walk(tree) if isinstance(node, ast.AsyncFunctionDef)]
+        async_methods: list[str] = []
+        parents = self._build_ast_parent_map(tree)
+
+        for node in ast.walk(tree):
+            if isinstance(node, ast.AsyncFunctionDef):
+                async_methods.append(node.name)
+            if not isinstance(node, ast.Await):
+                continue
+            host = self._function_name_holding_await(parents, node)
+            if host and host not in async_methods:
+                async_methods.append(host)
+
+        return async_methods
 
     def _apply_commit_hash_to_matching_features(self, feature_num: str, commit_hash: str) -> None:
         for feature in self.features: