test(eval): add contract-edge graph fixture

Add a repo regression fixture where a trait-dispatched call reaches an unsafe SQL-building implementation, plus a checked-in loader test and TODO.md update completing the multi-hop graph fixture backlog item.

Author: haasonsaas

TODO.md

@@ -142,7 +142,7 @@ This roadmap is derived from deep research into Greptile's public docs, blog, MC
 91. [ ] Add eval fixtures for external-context alignment, not just diff-local correctness.
 92. [ ] Add eval fixtures for merge-readiness judgments and unresolved-blocker classification.
 93. [ ] Add eval fixtures for addressed-vs-stale finding lifecycle inference.
-94. [ ] Add eval fixtures for multi-hop graph reasoning across call chains and contract edges.
+94. [x] Add eval fixtures for multi-hop graph reasoning across call chains and contract edges.
 95. [ ] Add eval runs that compare single-pass review against agentic loop review.
 96. [ ] Add production replay evals using anonymized accepted/rejected review outcomes.
 97. [ ] Add leaderboard reporting for reviewer usefulness metrics, not just precision/recall.

eval/fixtures/repo_regressions/graph_contract_edge_repo/db.rs

@@ -0,0 +1,9 @@
+use crate::search::QueryRunner;
+
+pub struct PostgresQueryRunner;
+
+impl QueryRunner for PostgresQueryRunner {
+    fn find_user(&self, name: &str) -> String {
+        format!("SELECT * FROM users WHERE name = '{}'", name)
+    }
+}

eval/fixtures/repo_regressions/graph_contract_edge_repo/request.rs

@@ -0,0 +1,9 @@
+pub struct Request {
+    name: String,
+}
+
+impl Request {
+    pub fn name(&self) -> &str {
+        &self.name
+    }
+}

eval/fixtures/repo_regressions/graph_contract_edge_repo/routes.rs

@@ -0,0 +1,6 @@
+use crate::request::Request;
+use crate::search::QueryRunner;
+
+pub fn get_profile(_runner: &dyn QueryRunner, _request: &Request) -> String {
+    "ok".to_string()
+}

eval/fixtures/repo_regressions/graph_contract_edge_repo/search.rs

@@ -0,0 +1,3 @@
+pub trait QueryRunner {
+    fn find_user(&self, name: &str) -> String;
+}

eval/fixtures/repo_regressions/trait_impl_sql_runner.yml

@@ -0,0 +1,28 @@
+name: repo regression - trait impl sql runner usage
+repo_path: graph_contract_edge_repo
+diff: |
+  diff --git a/routes.rs b/routes.rs
+  index 1111111..2222222 100644
+  --- a/routes.rs
+  +++ b/routes.rs
+  @@ -2,4 +2,5 @@ use crate::request::Request;
+   use crate::search::QueryRunner;
+   
+   pub fn get_profile(runner: &dyn QueryRunner, request: &Request) -> String {
+  -    "ok".to_string()
+  +    let user = runner.find_user(request.name());
+  +    user
+   }
+expect:
+  must_find:
+    - file: routes.rs
+      contains_any:
+        - sql injection
+        - unsafe sql
+        - trait implementation builds sql with user input
+        - user-controlled input reaches the query runner implementation
+        - interpolates user-controlled
+  must_not_find:
+    - contains: style
+  min_total: 1
+  max_total: 12

src/commands/eval/fixtures.rs

@@ -146,6 +146,32 @@ expect:
         );
     }
 
+    #[test]
+    fn test_checked_in_repo_regression_contract_edge_fixture_loads_expected_repo_path() {
+        let fixture_path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
+            .join("eval/fixtures/repo_regressions/trait_impl_sql_runner.yml");
+
+        let fixtures = load_eval_fixtures_from_path(&fixture_path).unwrap();
+
+        assert_eq!(fixtures.len(), 1);
+        assert_eq!(
+            fixtures[0].fixture.name.as_deref(),
+            Some("repo regression - trait impl sql runner usage")
+        );
+        assert_eq!(
+            fixtures[0].fixture.repo_path,
+            Some(std::path::PathBuf::from("graph_contract_edge_repo"))
+        );
+        assert_eq!(
+            fixtures[0].fixture.expect.must_find[0].file.as_deref(),
+            Some("routes.rs")
+        );
+        assert!(fixtures[0].fixture.expect.must_find[0]
+            .contains_any
+            .iter()
+            .any(|phrase| phrase.contains("trait implementation")));
+    }
+
     #[test]
     fn test_collect_eval_fixtures_expands_pack_entries_in_sorted_order() {
         let dir = tempdir().unwrap();