# .NET Analyzer Design · 11-001 Entrypoint Resolver (2025-12-09)

## Goals

- Resolve .NET entrypoints deterministically from project/publish artefacts and emit normalized identities (assembly name, MVID, TFM, RID, host kind, publish mode).
- Capture environment profiles (single-file, trimmed, self-contained vs framework-dependent, ALC hints) without executing payloads.
- Produce deterministic evidence aligned to `dotnet-il-metadata.schema.json` for downstream analyzers 11-002..005.

## Inputs

- `*.csproj`/`*.fsproj` metadata (TargetFrameworks, RuntimeIdentifiers, PublishSingleFile/Trim options).
- Publish outputs: apphost (`*.exe`), `*.dll`, `*.deps.json`, `*.runtimeconfig.json`, `*.targets` cache.
- RID graph from SDK (offline snapshot in repo), deterministic time provider.

## Outputs

- `entrypoints[]` records: `assembly`, `mvid`, `tfm`, `rid`, `hostKind` (apphost/framework-dependent/self-contained), `publishMode` (single-file/trimmed), `alcHints` (AssemblyLoadContext names), `probingPaths`, `nativeDeps` (apphost bundles).
- Evidence: `LanguageComponentEvidence` entries per entrypoint with locator = publish path, hash over file bytes for determinism.
- Diagnostics: missing deps/runtimeconfig, mixed RID publish, single-file without extractor support.

## Algorithm (deterministic)

1) Parse project: target frameworks, RIDs, publish flags; normalize to ordered sets.
2) Discover publish artefacts under `bin///...` and `publish/` folders; prefer `*.runtimeconfig.json` when present.
3) Read `*.deps.json` to extract runtime targets and resolve primary entry assembly; fall back to `apphost` name.
4) Compute MVID from PE header; compute SHA-256 over `*.dll`/`*.exe` bytes; capture file size.
5) Classify host:
   - `apphost` present -> `hostKind = apphost`; detect single-file bundle via marker sections.
   - Framework-dependent -> `hostKind = framework-dependent`; use `runtimeconfig` probing paths.
6) Infer ALC hints: scan deps for `runtimeconfig.dev.json` probing paths and `additionalProbingPaths`; add known SDK paths.
7) Emit entrypoint with deterministic ordering: sort by assembly name, then RID, then TFM.

## Determinism & Offline

- No network access; relies solely on on-disk project/publish artefacts.
- Stable ordering and casing (`Ordinal` sort), UTC time provider.
- Hashes: SHA-256 over file bytes; no timestamps.

## Test & Fixture Plan

- Existing suite: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` (now green; TRX at `TestResults/dotnet/dotnet-tests.trx`).
- Fixtures to maintain:
  - Framework-dependent app with deps/runtimeconfig.
  - Self-contained single-file publish (bundle) with apphost.
  - Trimmed publish with ALC hints.
  - Multi-RID publish verifying RID selection and deterministic ordering.
- Add new fixtures under `...DotNet.Tests/Fixtures/` when new host kinds are supported; keep hashes stable.

## Next Steps

- Wire readiness checkpoints to mark 11-001 design+tests complete; keep CI runner validation optional (DEVOPS-SCANNER-CI-11-001) for reproducibility.
- Feed outputs into 11-002..005 analyzers once entrypoint metadata is consumed by downstream IL/reflection pipelines.
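
Steps 3, 4, 5 and 7 of the algorithm above, sketched in Python as an added illustration; this is not the project's analyzer code. The function names, the `sha256`/`size` record keys and the `Sample` fixture are assumptions, and MVID extraction (which needs a PE metadata reader) and ALC hints are left out.

```python
import hashlib, json, tempfile
from pathlib import Path

def resolve_entrypoint(publish_dir: Path, app: str) -> dict:
    """Build one entrypoints[] record from on-disk artefacts; nothing is executed."""
    deps = json.loads((publish_dir / f"{app}.deps.json").read_text())
    target = deps["runtimeTarget"]["name"]  # ".NETCoreApp,Version=v8.0[/<rid>]"
    rid = target.split("/", 1)[1] if "/" in target else ""
    # Step 3: entry assembly = runtime asset of the app's own "project" library.
    key = next((k for k, v in sorted(deps["libraries"].items())
                if v.get("type") == "project" and k.startswith(app + "/")), None)
    runtime = deps["targets"].get(target, {}).get(key, {}).get("runtime", {}) if key else {}
    assembly = sorted(runtime)[0] if runtime else f"{app}.dll"  # fall back to apphost name
    opts = json.loads((publish_dir / f"{app}.runtimeconfig.json").read_text())["runtimeOptions"]
    # Step 5: apphost present -> apphost, otherwise framework-dependent.
    apphost = any((publish_dir / n).is_file() for n in (app, f"{app}.exe"))
    data = (publish_dir / assembly).read_bytes()  # Step 4: hash file bytes, no timestamps
    return {"assembly": assembly, "rid": rid, "tfm": opts.get("tfm", ""),
            "hostKind": "apphost" if apphost else "framework-dependent",
            "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

def order_entrypoints(records: list) -> list:
    """Step 7: assembly, then RID, then TFM (code-point order, standing in for Ordinal)."""
    return sorted(records, key=lambda r: (r["assembly"], r["rid"], r["tfm"]))

def write_fixture(root: Path, app: str, rid: str, apphost: bool) -> Path:
    """Constructed sample publish folder; file contents are placeholders, not PE images."""
    d = root / (rid or "portable")
    d.mkdir(parents=True)
    target = ".NETCoreApp,Version=v8.0" + (f"/{rid}" if rid else "")
    deps = {"runtimeTarget": {"name": target},
            "targets": {target: {f"{app}/1.0.0": {"runtime": {f"{app}.dll": {}}}}},
            "libraries": {f"{app}/1.0.0": {"type": "project"}}}
    (d / f"{app}.deps.json").write_text(json.dumps(deps))
    (d / f"{app}.runtimeconfig.json").write_text(json.dumps({"runtimeOptions": {
        "tfm": "net8.0", "framework": {"name": "Microsoft.NETCore.App", "version": "8.0.0"}}}))
    (d / f"{app}.dll").write_bytes(b"constructed-sample-bytes")
    if apphost:
        (d / app).write_bytes(b"constructed-apphost")
    return d

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        dirs = [write_fixture(Path(tmp), "Sample", r, a)
                for r, a in (("win-x64", True), ("", False), ("linux-x64", True))]
        return order_entrypoints([resolve_entrypoint(d, "Sample") for d in dirs])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because the records carry only content hashes and values read from the artefacts, two runs over the same publish folders produce identical output regardless of discovery order or wall-clock time.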