# AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)

## Module
Aoc

## Status
VERIFIED

## Description
Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostics `AOC0001`, `AOC0002`, and `AOC0003`, preventing forbidden and unguarded write patterns in AOC ingestion code.

## Implementation Details
- **AOC Analyzer**: `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AocForbiddenFieldAnalyzer.cs` - Roslyn `DiagnosticAnalyzer` that reports:
  - `AOC0001` for forbidden field writes (for example `severity`, `cvss`, `risk_score`).
  - `AOC0002` for derived `effective_*` field writes.
  - `AOC0003` for unguarded database write operations outside `IAocGuard.Validate(...)` scope.
- **Analyzer Tests**: `src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/AocForbiddenFieldAnalyzerTests.cs` - analyzer behavior tests covering positive and negative paths (diagnostics emitted and suppressed appropriately).

## E2E Test Plan
- [x] Verify `AOC0001` is reported for forbidden field writes in ingestion context
- [x] Verify `AOC0002` is reported for `effective_*` derived field writes
- [x] Verify `AOC0003` is reported for unguarded database writes
- [x] Verify diagnostics are not reported for allowed writes and non-ingestion/test assemblies
- [x] Verify analyzer participates in `dotnet build`/test execution paths used in CI

## Verification
- **Verified**: 2026-02-11
- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d behavioral analyzer test replay
- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier0-source-check.json`
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier1-build-check.json`
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier2-integration-check.json`

## Recheck (Run-002)
- **Rechecked**: 2026-02-11
- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line behavior replay
- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
- **Tier 2 Behavior**:
  - Positive path: `dotnet build` of a violating ingestion sample reports `AOC0001`, `AOC0002`, and `AOC0003`.
  - Negative path: `dotnet build` of a compliant ingestion sample reports none of `AOC0001`/`AOC0002`/`AOC0003`.
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier0-source-check.json`
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier1-build-check.json`
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier2-integration-check.json`
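
The Tier 2 positive and negative paths come down to reading diagnostic IDs out of captured `dotnet build` output. One way to script that check, added here as an example and not taken from the StellaOps repository: the function names are hypothetical, and the sample output (paths, message text, severities) is constructed.

```python
import re

# MSBuild diagnostic line: path(line,col): warning|error ID: message [project]
DIAG_RE = re.compile(
    r"^(?P<file>.+?)\((?P<line>\d+),(?P<col>\d+)\):\s+"
    r"(?P<severity>warning|error)\s+(?P<id>AOC\d{4}):\s+(?P<message>.*?)"
    r"(?:\s+\[(?P<project>[^\]]+)\])?$"
)
AOC_IDS = frozenset({"AOC0001", "AOC0002", "AOC0003"})

# Constructed sample output; the real analyzer's message text and severity may differ.
VIOLATING = """\
/work/Sample/Ingest.cs(14,13): error AOC0001: constructed message [/work/Sample/Sample.csproj]
/work/Sample/Ingest.cs(15,13): error AOC0002: constructed message [/work/Sample/Sample.csproj]
/work/Sample/Ingest.cs(21,9): warning AOC0003: constructed message [/work/Sample/Sample.csproj]
Build FAILED.
    /work/Sample/Ingest.cs(14,13): error AOC0001: constructed message [/work/Sample/Sample.csproj]
"""
COMPLIANT = """\
/work/Sample/Ingest.cs(9,17): warning CS0168: constructed message [/work/Sample/Sample.csproj]
Build succeeded.
"""


def aoc_diagnostics(build_output):
    """Map (id, file, line, col) -> severity for each distinct AOC diagnostic.

    MSBuild repeats diagnostics in its end-of-build summary, so entries are
    keyed by location to avoid counting the same finding twice.
    """
    seen = {}
    for raw in build_output.splitlines():
        m = DIAG_RE.match(raw.strip())
        if m and m["id"] in AOC_IDS:
            key = (m["id"], m["file"], int(m["line"]), int(m["col"]))
            seen.setdefault(key, m["severity"])
    return seen


def check_replay(build_output, expect_violations):
    """Return (passed, offending_ids) for one replay run.

    Positive path: every AOC ID must appear; offending_ids lists the missing ones.
    Negative path: no AOC ID may appear; offending_ids lists the ones found.
    """
    found = {key[0] for key in aoc_diagnostics(build_output)}
    if expect_violations:
        missing = AOC_IDS - found
        return (not missing, sorted(missing))
    return (not found, sorted(found))
```
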