up

docs/modules/scanner/design/runtime-parity-plan.md

@@ -0,0 +1,37 @@
+# Runtime Parity Plan (Java / .NET / PHP) — Scanner Aú · Signals Alignment (2025-12-09)
+
+## Objectives
+- Close runtime parity gaps by pairing static analyzer hooks with runtime evidence for Java, .NET, and PHP.
+- Produce deterministic artefacts (TRX/binlogs + NDJSON) that Signals can ingest for runtime reconciliation.
+
+## Scope & Hooks
+- **Java (21-005..011)**: jar/classpath resolution, `Main-Class`, module-info, shaded jars. Runtime hook: capture resolved classpath + main entry via proc snapshot or launcher args.
+- **.NET (11-001..005)**: `.deps.json`, RID-graph, single-file/trimmed detection, `runtimeconfig.json`. Runtime hook: capture host command line + loaded assembly list via Signals proc trace.
+- **PHP (27-001)**: composer autoload graph (`vendor/composer/autoload_*.php`), package metadata, runtime entry (fpm/cli). Runtime hook: map autoloaded files to runtime include graph when proc snapshot present.
+
+## Evidence Plan
+1) **Static**: ensure analyzers emit deterministically ordered inventories + edges with layer attribution (already enforced across analyzers).
+2) **Runtime capture** (requires Signals):
+   - Provide proc snapshot schema to Scanner (cmdline, env, cwd, loaded modules/files).
+   - Export runtime observations as NDJSON with stable ordering (path, module, hash).
+3) **Reconciliation**:
+   - Join static entries to runtime observations on normalized path + hash.
+   - Emit `runtime.match` / `runtime.miss` diagnostics with counts per analyzer.
+4) **Artefacts**:
+   - CI: TRX/binlog per analyzer suite.
+   - NDJSON samples: runtime reconciliation outputs for each language (hosted under `src/Scanner/__Tests/.../Fixtures/RuntimeParity`).
+
+## Task Backlog
+- T1: Wire proc snapshot ingestion for Java/.NET/PHP analyzers (Signals contract).
+- T2: Add runtime reconciliation step with deterministic ordering and diagnostics.
+- T3: Author runtime fixtures (one per language) and goldens for reconciliation output.
+- T4: Document runtime parity expectations in readiness checkpoints and surfaces guides.
+
+## Constraints
+- Offline-friendly: no network calls during reconciliation; rely solely on provided proc snapshot.
+- Deterministic: stable sort (layer, path, name), UTC timestamps, no random seeds.
+- Security: avoid executing payloads; treat proc snapshot as data only.
+
+## Dependencies
+- Signals to confirm proc snapshot schema and DSSE/NDJSON event shape for runtime observations.
+- Dedicated CI runner (DEVOPS-SCANNER-CI-11-001) to record TRX/binlogs for Java/.NET suites.