fix(linkers,supply-chain): cobra package-level vars and Gradle workspace detection

jgstern-agent · jgstern · commit ca2a87f57c03 · 2026-04-12T23:17:18.000+02:00
Two fixes:

1. go_cobra_linker (WI-lihih): When a cobra.Command literal is inside
   a package-level var declaration (the most common Go cobra pattern),
   fall back to the enclosing variable symbol as the edge source. Previously
   these were silently skipped because find_enclosing_symbol only looked
   for function/method/class/module kinds.

2. supply_chain (WI-zizuf): detect_package_roots() now parses
   settings.gradle / settings.gradle.kts include directives to detect
   Gradle multi-project subprojects. Fixes degenerate tier distribution
   on Gradle monorepos (e.g. Kafka) where all files were classified as
   first_party because no workspace roots were detected.

Signed-off-by: jgstern-agent &lt;josh-agent@iterabloom.com&gt;
diff --git a/.ci/affected-tests.txt b/.ci/affected-tests.txt
@@ -1,11 +1,69 @@
 # Test selection manifest
-# Generated by smart-test at 2026-04-12T03:41:33-04:00
+# Generated by smart-test at 2026-04-12T04:44:45-04:00
 # Mode: targeted
-# Baseline: 2cafd5680732b1462de6628e5547e403f2f9e00e
-# Reason: no Python source files changed
-# Changed files: 7
-# Changed source files: 0
-# Selected tests: 0
+# Baseline: 4a043784bfa0467b7ffc73af361527d47e25da31
+# Changed files: 10
+# Changed source files: 2
+# Selected tests: 57
 #
 # === CHANGED_SOURCE_FILES ===
+packages/hypergumbo-core/src/hypergumbo_core/linkers/go_cobra.py
+packages/hypergumbo-core/src/hypergumbo_core/supply_chain.py
 # === SELECTED_TESTS ===
+packages/hypergumbo-core/tests/test_analyzer_registry.py
+packages/hypergumbo-core/tests/test_annotation_convention_linker.py
+packages/hypergumbo-core/tests/test_build_grammars.py
+packages/hypergumbo-core/tests/test_cli_basic.py
+packages/hypergumbo-core/tests/test_cli_cache.py
+packages/hypergumbo-core/tests/test_cli_commands.py
+packages/hypergumbo-core/tests/test_cli_config.py
+packages/hypergumbo-core/tests/test_cli_dead_code.py
+packages/hypergumbo-core/tests/test_cli_explain.py
+packages/hypergumbo-core/tests/test_cli_io_boundaries.py
+packages/hypergumbo-core/tests/test_cli_routes.py
+packages/hypergumbo-core/tests/test_cli_run_behavior_map.py
+packages/hypergumbo-core/tests/test_cli_search.py
+packages/hypergumbo-core/tests/test_cli_symbols.py
+packages/hypergumbo-core/tests/test_cli_test_coverage.py
+packages/hypergumbo-core/tests/test_cli_verify_claims.py
+packages/hypergumbo-core/tests/test_crypto_flow_linker.py
+packages/hypergumbo-core/tests/test_file_excludes.py
+packages/hypergumbo-core/tests/test_frameworks_flag.py
+packages/hypergumbo-core/tests/test_gitleaks.py
+packages/hypergumbo-core/tests/test_go_cobra_linker.py
+packages/hypergumbo-core/tests/test_ir.py
+packages/hypergumbo-core/tests/test_linker_filtering.py
+packages/hypergumbo-core/tests/test_linker_registry.py
+packages/hypergumbo-core/tests/test_locale.py
+packages/hypergumbo-core/tests/test_max_tier.py
+packages/hypergumbo-core/tests/test_message_dispatch_linker.py
+packages/hypergumbo-core/tests/test_no_first_party_priority.py
+packages/hypergumbo-core/tests/test_profile.py
+packages/hypergumbo-core/tests/test_run_behavior_map.py
+packages/hypergumbo-core/tests/test_schema_compliance.py
+packages/hypergumbo-core/tests/test_sketch.py
+packages/hypergumbo-core/tests/test_sketch_sanity.py
+packages/hypergumbo-core/tests/test_slice_tier_filter.py
+packages/hypergumbo-core/tests/test_stable_shape_ids.py
+packages/hypergumbo-core/tests/test_supply_chain.py
+packages/hypergumbo-core/tests/test_tree_sitter_analyzer.py
+packages/hypergumbo-core/tests/test_yjs_crdt_linker.py
+packages/hypergumbo-lang-common/tests/BRANCHES_test_dart.py
+packages/hypergumbo-lang-common/tests/BRANCHES_test_elixir.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_cpp.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_c.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_csharp.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_go.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_java.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_js_ts.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_kotlin.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_php.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_python_ast_analysis.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_ruby.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_rust.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_scala.py
+packages/hypergumbo-lang-mainstream/tests/BRANCHES_test_swift.py
+packages/hypergumbo-lang-mainstream/tests/test_go.py
+packages/hypergumbo-lang-mainstream/tests/test_html_analysis.py
+packages/hypergumbo-lang-mainstream/tests/test_python_ast_analysis.py
+packages/hypergumbo-lang-mainstream/tests/test_rust.py
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,7 +34,7 @@ This changelog tracks the **tool version** (package releases). The **schema vers
 #### Cross-language linkers
 
 - **`go_memberlist` linker** (WI-lojuf): `dispatches_to` edges from `memberlist.Create` to the 12 canonical delegate methods (`NotifyMsg`, `GetBroadcasts`, `LocalState`, etc.). Used by alertmanager, consul, nomad, serf, vault.
-- **`go_cobra` linker** (WI-gohad): `dispatches_to` edges from `cobra.Command{…}` struct literals to handler functions in `Run`/`RunE`/`PreRun`/`PostRun` and `Persistent*` variants. Used by kubectl, helm, hugo, prometheus, terraform, docker.
+- **`go_cobra` linker** (WI-gohad): `dispatches_to` edges from `cobra.Command{…}` struct literals to handler functions in `Run`/`RunE`/`PreRun`/`PostRun` and `Persistent*` variants. Used by kubectl, helm, hugo, prometheus, terraform, docker. Package-level `var cmd = &cobra.Command{…}` declarations (WI-lihih) now emit edges from the var symbol when no enclosing function exists.
 
 #### Behavior map
 
@@ -48,6 +48,7 @@ This changelog tracks the **tool version** (package releases). The **schema vers
 - **Go closure wrapper edges** (WI-nikul): route registrations through closure wrappers (e.g. `wrapAgent(api.query)`) emit `wraps` edges. Covers Gin/Echo/Fiber and Gorilla mux/stdlib.
 - **Import-based framework validation**: manifest-detected frameworks cross-referenced against import edges. Test-only or unimported frameworks reclassified as `dev_frameworks`.
 - **Go tier 2/3 classification via go.mod** (WI-vovuk): unresolved Go external references classified using `go.mod` — direct deps tier 2, indirect/stdlib tier 3. Language-agnostic `DependencyManifest` enables future extension.
+- **Gradle multi-project workspace detection** (WI-zizuf): `detect_package_roots()` now parses `settings.gradle` / `settings.gradle.kts` `include` directives. Gradle subprojects are classified as workspace members, fixing degenerate tier distribution on Gradle monorepos like Kafka.
 - **Orchestration hub floor for symbol ranking**: functions with out-degree ≥ 20 get a minimum effective in-degree of `sqrt(out_degree) * 0.8`, preventing orchestration hubs (main, run, app) from being buried by within-file dampening.
 - **Event edge type weights**: `event_subscribes`/`event_publishes` raised to 0.8 (was 0.5). `dispatches_to` added at 0.6.
 
diff --git a/packages/hypergumbo-core/src/hypergumbo_core/linkers/go_cobra.py b/packages/hypergumbo-core/src/hypergumbo_core/linkers/go_cobra.py
@@ -30,9 +30,10 @@
    already reachable via containment.
 3. For each captured ``(field, identifier)`` pair, resolve
    ``identifier`` to a Symbol via ``ctx.find_symbols_by_name`` and emit
-   a ``dispatches_to`` edge from the enclosing function (or the
-   cobra.Command site if no enclosing function can be found) to the
-   handler.
+   a ``dispatches_to`` edge from the enclosing function to the handler.
+   When the cobra.Command literal is at package level (inside a
+   ``var … = &cobra.Command{…}`` declaration), the linker falls back
+   to the enclosing variable symbol as the edge source.
 
 Why regex and not tree-sitter
 -----------------------------
@@ -212,8 +213,13 @@ def go_cobra_linker(ctx: LinkerContext) -> LinkerResult:
 
             # Find the enclosing function. If the cobra.Command literal
             # is outside any function (e.g., a package-level var init),
-            # fall back to the first file-level symbol.
+            # fall back to the enclosing variable symbol — the most
+            # common Go cobra pattern is ``var rootCmd = &cobra.Command{…}``.
             enclosing = ctx.find_enclosing_symbol(str(file_path), line)
+            if enclosing is None:
+                enclosing = ctx.find_enclosing_symbol(
+                    str(file_path), line, kinds=("variable",),
+                )
             if enclosing is None:
                 continue
 
diff --git a/packages/hypergumbo-core/src/hypergumbo_core/supply_chain.py b/packages/hypergumbo-core/src/hypergumbo_core/supply_chain.py
@@ -642,6 +642,7 @@ def detect_package_roots(repo_root: Path) -> set[Path]:
     - npm/yarn/pnpm workspaces in package.json
     - Cargo workspace members in Cargo.toml
     - Maven modules in pom.xml
+    - Gradle subprojects in settings.gradle / settings.gradle.kts
 
     Args:
         repo_root: Root directory of the repository
@@ -717,6 +718,33 @@ def detect_package_roots(repo_root: Path) -> set[Path]:
         except (OSError, ET.ParseError):
             pass
 
+    # Gradle multi-project builds (WI-zizuf)
+    # settings.gradle or settings.gradle.kts declares subprojects via
+    # include('mod') or include 'mod'.  Colon separators (e.g., 'connect:api')
+    # map to directory nesting (connect/api/).
+    for settings_name in ("settings.gradle", "settings.gradle.kts"):
+        settings_file = repo_root / settings_name
+        if settings_file.exists():
+            try:
+                content = settings_file.read_text()
+                # Match both Groovy (include 'a', 'b') and Kotlin DSL
+                # (include("a", "b")) styles. Each include() call may
+                # list multiple projects separated by commas.
+                for m in re.finditer(
+                    r"""include\s*\(?\s*((?:['"]:?[^'"]*['"],?\s*)+)\)?""",
+                    content,
+                ):
+                    for name in re.findall(r"""['"][:.]?([^'"]+)['"]""", m.group(1)):
+                        if not name:  # pragma: no cover - regex guarantees non-empty
+                            continue
+                        # Gradle ':' separator maps to directory '/'
+                        dir_name = name.replace(":", "/")
+                        mod_path = repo_root / dir_name
+                        if mod_path.is_dir():
+                            roots.add(mod_path)
+            except OSError:
+                pass
+
     return roots
 
 
diff --git a/packages/hypergumbo-core/tests/test_go_cobra_linker.py b/packages/hypergumbo-core/tests/test_go_cobra_linker.py
@@ -417,11 +417,58 @@ def test_package_qualified_handler_resolves_via_short_name(
         assert matching[0].meta is not None
         assert matching[0].meta.get("handler_name") == "runner.runMyCmd"
 
-    def test_handler_outside_any_function_yields_no_edge(
+    def test_package_level_var_emits_edge_from_var_symbol(
         self, tmp_path: Path,
     ) -> None:
-        """When the cobra.Command literal is at package level with no
-        enclosing function symbol, the linker skips rather than emitting a
+        """When the cobra.Command literal is a package-level var declaration,
+        the linker should emit an edge from the var symbol to the handler."""
+        p = tmp_path / "cmd.go"
+        p.write_text(
+            'package main\n\n'
+            'import "github.com/spf13/cobra"\n\n'
+            'var rootCmd = &cobra.Command{\n'
+            '    Use:  "root",\n'
+            '    RunE: rootRun,\n'
+            '}\n\n'
+            'func rootRun(cmd *cobra.Command, args []string) error {\n'
+            '    return nil\n'
+            '}\n',
+        )
+
+        var_sym = Symbol(
+            id=f"go:{p}:5-8:rootCmd:variable",
+            name="rootCmd",
+            kind="variable",
+            language="go",
+            path=str(p),
+            span=Span(start_line=5, end_line=8, start_col=0, end_col=0),
+        )
+        handler_sym = Symbol(
+            id=f"go:{p}:10-12:rootRun:function",
+            name="rootRun",
+            kind="function",
+            language="go",
+            path=str(p),
+            span=Span(start_line=10, end_line=12, start_col=0, end_col=0),
+        )
+        ctx = LinkerContext(
+            repo_root=tmp_path,
+            symbols=[var_sym, handler_sym],
+            detected_languages={"go"},
+        )
+        result = go_cobra_linker(ctx)
+        # Package-level var → edge from var symbol to handler.
+        assert len(result.edges) == 1
+        edge = result.edges[0]
+        assert edge.src == var_sym.id
+        assert edge.dst == handler_sym.id
+        assert edge.edge_type == "dispatches_to"
+
+    def test_package_level_var_no_var_symbol_yields_no_edge(
+        self, tmp_path: Path,
+    ) -> None:
+        """When the cobra.Command literal is at package level and no
+        var symbol is provided, the linker skips rather than emitting a
         misattributed edge."""
         p = tmp_path / "cmd.go"
         p.write_text(
@@ -450,7 +497,7 @@ def test_handler_outside_any_function_yields_no_edge(
             detected_languages={"go"},
         )
         result = go_cobra_linker(ctx)
-        # No enclosing function at package level → no edges.
+        # No var symbol and no enclosing function → no edges.
         assert result.edges == []
 
     def test_pattern_compiles(self) -> None:
diff --git a/packages/hypergumbo-core/tests/test_supply_chain.py b/packages/hypergumbo-core/tests/test_supply_chain.py
@@ -536,6 +536,145 @@ def test_examples_lower_priority_than_workspace_source(self, tmp_path):
         assert lib_result.tier < example_result.tier
 
 
+class TestGradleWorkspaces:
+    """Gradle multi-project workspace detection (WI-zizuf)."""
+
+    def test_settings_gradle_includes(self, tmp_path):
+        """Detect Gradle subprojects from settings.gradle include directives."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'clients', 'core', 'streams'\n")
+
+        for mod in ["clients", "core", "streams"]:
+            (tmp_path / mod).mkdir()
+
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "clients" in roots
+        assert tmp_path / "core" in roots
+        assert tmp_path / "streams" in roots
+
+    def test_settings_gradle_kts_includes(self, tmp_path):
+        """Detect Gradle subprojects from settings.gradle.kts."""
+        settings = tmp_path / "settings.gradle.kts"
+        settings.write_text('include("clients", "core")\n')
+
+        for mod in ["clients", "core"]:
+            (tmp_path / mod).mkdir()
+
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "clients" in roots
+        assert tmp_path / "core" in roots
+
+    def test_settings_gradle_colon_prefix(self, tmp_path):
+        """Handle Gradle include(':module') syntax with colon prefix."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include ':clients'\ninclude ':core'\n")
+
+        for mod in ["clients", "core"]:
+            (tmp_path / mod).mkdir()
+
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "clients" in roots
+        assert tmp_path / "core" in roots
+
+    def test_settings_gradle_nested_subproject(self, tmp_path):
+        """Handle Gradle nested subprojects like 'connect:api' → connect/api/."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'connect:api', 'connect:runtime'\n")
+
+        for mod in ["connect/api", "connect/runtime"]:
+            (tmp_path / mod).mkdir(parents=True)
+
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "connect" / "api" in roots
+        assert tmp_path / "connect" / "runtime" in roots
+
+    def test_settings_gradle_nonexistent_module(self, tmp_path):
+        """Gradle modules that don't exist on disk are ignored."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'exists', 'does-not-exist'\n")
+
+        (tmp_path / "exists").mkdir()
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "exists" in roots
+        assert tmp_path / "does-not-exist" not in roots
+
+    def test_settings_gradle_empty_or_no_includes(self, tmp_path):
+        """settings.gradle without include directives produces no roots."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("rootProject.name = 'myapp'\n")
+
+        roots = detect_package_roots(tmp_path)
+        # No Gradle includes, and no other workspace configs → empty
+        assert roots == set()
+
+    def test_gradle_subproject_files_are_first_party(self, tmp_path):
+        """Files in Gradle subprojects are classified as first-party via workspace."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'clients'\n")
+
+        src = tmp_path / "clients" / "src" / "main" / "java" / "org"
+        src.mkdir(parents=True)
+        (src / "App.java").write_text("class App {}")
+
+        roots = detect_package_roots(tmp_path)
+        result = classify_file(src / "App.java", tmp_path, roots)
+        assert result.tier == Tier.FIRST_PARTY
+        assert "clients" in result.reason
+
+    def test_gradle_subproject_test_dir_is_internal_dep(self, tmp_path):
+        """Test directories within Gradle subprojects are tier 2."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'clients'\n")
+
+        test_dir = tmp_path / "clients" / "src" / "test" / "java"
+        test_dir.mkdir(parents=True)
+        (test_dir / "AppTest.java").write_text("class AppTest {}")
+
+        roots = detect_package_roots(tmp_path)
+        result = classify_file(test_dir / "AppTest.java", tmp_path, roots)
+        assert result.tier == Tier.INTERNAL_DEP
+        assert result.is_test is True
+
+    def test_malformed_settings_gradle(self, tmp_path):
+        """Malformed settings.gradle doesn't crash."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("this is not valid groovy\n{{{broken")
+
+        roots = detect_package_roots(tmp_path)
+        # Should not crash; may or may not find roots depending on parsing
+        assert isinstance(roots, set)
+
+    def test_unreadable_settings_gradle(self, tmp_path):
+        """Unreadable settings.gradle doesn't crash (OSError path)."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text("include 'core'\n")
+        (tmp_path / "core").mkdir()
+        settings.chmod(0o000)
+
+        roots = detect_package_roots(tmp_path)
+        # OSError on read → silently skipped, no Gradle roots detected
+        assert tmp_path / "core" not in roots
+        # Restore permissions so tmp_path cleanup succeeds
+        settings.chmod(0o644)
+
+    def test_settings_gradle_multiple_include_lines(self, tmp_path):
+        """Multiple include lines are all parsed."""
+        settings = tmp_path / "settings.gradle"
+        settings.write_text(
+            "include 'clients'\n"
+            "include 'core'\n"
+            "include 'streams'\n"
+        )
+
+        for mod in ["clients", "core", "streams"]:
+            (tmp_path / mod).mkdir()
+
+        roots = detect_package_roots(tmp_path)
+        assert tmp_path / "clients" in roots
+        assert tmp_path / "core" in roots
+        assert tmp_path / "streams" in roots
+
+
 class TestDocCClassification:
     """DocC documentation directories should be tier 2 (not first-party)."""
 
