# Semantic Entrypoint Engine

## Module

Scanner

## Status

VERIFIED

## Description

Classifies entrypoints along four semantic dimensions (ApplicationIntent, CapabilityClass flags, ThreatVector, DataFlowBoundary) so that findings can be prioritized by exposure and impact rather than by reachability alone. Includes per-language semantic adapters for Python, Java, Node, .NET, and Go.

## Implementation Details

- **Semantic Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs` - `SemanticEntrypoint` model combining ApplicationIntent, CapabilityClass, ThreatVector, and DataFlowBoundary
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs` - `ApplicationIntent` enum classifying the purpose of an entrypoint (e.g., WebApi, CLI, Worker, Scheduler)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - `CapabilityClass` flags for entrypoint capabilities (e.g., NetworkAccess, FileSystem, Crypto, ProcessExec)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - `ThreatVector` enum classifying potential threat exposure (e.g., External, Internal, Privileged)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - `DataFlowBoundary` enum classifying the trust boundaries that data crosses
- **Orchestrator**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs` - `SemanticEntrypointOrchestrator` coordinating analysis across the per-language adapters
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs` - `SemanticEntryTraceAnalyzer` performing semantic classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs` - Interface for semantic analysis
- **Analysis Components**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - `ThreatVectorInferrer` inferring threat vectors from entrypoint characteristics
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - `DataBoundaryMapper` mapping data flow boundaries
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - `CapabilityDetector` detecting capability flags
- **Per-Language Adapters**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs` - Python semantic adapter (Flask, Django, FastAPI patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs` - Java semantic adapter (Spring, Jakarta patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs` - Node.js semantic adapter (Express, Fastify patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs` - .NET semantic adapter (ASP.NET, gRPC patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs` - Go semantic adapter (net/http, gin patterns)

## E2E Test Plan

- [ ] Analyze a Python Flask web application entrypoint and verify it is classified with ApplicationIntent=WebApi, ThreatVector=External, and the appropriate CapabilityClass flags
- [ ] Analyze a Java Spring Boot scheduler entrypoint and verify ApplicationIntent=Scheduler with an Internal threat vector
- [ ] Verify `CapabilityDetector` correctly identifies NetworkAccess, FileSystem, and Crypto capabilities from code patterns
- [ ] Verify `ThreatVectorInferrer` distinguishes between externally-exposed and internal-only entrypoints
- [ ] Verify `DataBoundaryMapper` correctly classifies trust boundary crossings (e.g., user input to database, network to filesystem)
- [ ] Verify the orchestrator aggregates results from all per-language adapters into a unified semantic entrypoint classification

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
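The following is an added illustration of the classification-then-prioritization idea from the Description and of the first two E2E cases (a Flask route versus a scheduled job). It is not code from the StellaOps repository: the enums and the `SemanticEntrypoint` record are hypothetical stand-ins for the types named above (their member lists are assumptions), the regex heuristics are a deliberately simplified sketch of what a Python adapter and `CapabilityDetector` might look for, the `RiskScore` weights are arbitrary, and the two Python sources are constructed samples.

```csharp
// Added example, not StellaOps code. Type names mirror the page; member lists,
// detection patterns and scoring weights are assumptions for illustration only.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using static PythonSemanticHeuristics;

enum ApplicationIntent { Unknown, WebApi, Cli, Worker, Scheduler }
enum ThreatVector { Internal, Privileged, External }
enum DataFlowBoundary { None, UserInputToDatabase, NetworkToFileSystem }

[Flags]
enum CapabilityClass { None = 0, NetworkAccess = 1, FileSystem = 2, Crypto = 4, ProcessExec = 8 }

record SemanticEntrypoint(string Name, ApplicationIntent Intent, CapabilityClass Capabilities,
                          ThreatVector Threat, DataFlowBoundary Boundary);

static class PythonSemanticHeuristics
{
    // Assumed Python capability patterns: a web framework import counts as network access.
    static readonly (Regex Pattern, CapabilityClass Cap)[] CapabilityPatterns =
    {
        (new Regex(@"\b(import|from)\s+(socket|requests|httpx|urllib|flask|django|fastapi)\b"), CapabilityClass.NetworkAccess),
        (new Regex(@"\bopen\s*\(|\b(import|from)\s+(os|shutil|pathlib)\b"), CapabilityClass.FileSystem),
        (new Regex(@"\b(import|from)\s+(hashlib|hmac|cryptography|ssl)\b"), CapabilityClass.Crypto),
        (new Regex(@"\b(import|from)\s+subprocess\b|\bos\.(system|popen|exec\w*)\s*\("), CapabilityClass.ProcessExec),
    };

    public static CapabilityClass DetectCapabilities(string source) =>
        CapabilityPatterns.Where(p => p.Pattern.IsMatch(source))
                          .Aggregate(CapabilityClass.None, (acc, p) => acc | p.Cap);

    public static ApplicationIntent InferIntent(string source)
    {
        if (Regex.IsMatch(source, @"@\w+\.(route|get|post|put|delete)\s*\(")) return ApplicationIntent.WebApi;
        if (Regex.IsMatch(source, @"\b(import|from)\s+(schedule|apscheduler|celery\.schedules)\b")) return ApplicationIntent.Scheduler;
        if (Regex.IsMatch(source, @"\b(import|from)\s+(argparse|click)\b")) return ApplicationIntent.Cli;
        return ApplicationIntent.Unknown;
    }

    // A bound route or a listener on all interfaces is reachable from outside the host;
    // shelling out or changing uid marks a privileged path; everything else stays internal.
    public static ThreatVector InferThreatVector(ApplicationIntent intent, CapabilityClass caps, string source)
    {
        if (intent == ApplicationIntent.WebApi || Regex.IsMatch(source, @"host\s*=\s*['""]0\.0\.0\.0['""]"))
            return ThreatVector.External;
        if (caps.HasFlag(CapabilityClass.ProcessExec) || Regex.IsMatch(source, @"\bos\.setuid\s*\("))
            return ThreatVector.Privileged;
        return ThreatVector.Internal;
    }

    public static DataFlowBoundary MapBoundary(ApplicationIntent intent, CapabilityClass caps, string source)
    {
        bool usesDb = Regex.IsMatch(source, @"\b(import|from)\s+(sqlite3|sqlalchemy|psycopg2|pymysql)\b");
        if (intent == ApplicationIntent.WebApi && usesDb) return DataFlowBoundary.UserInputToDatabase;
        if (caps.HasFlag(CapabilityClass.NetworkAccess) && caps.HasFlag(CapabilityClass.FileSystem))
            return DataFlowBoundary.NetworkToFileSystem;
        return DataFlowBoundary.None;
    }

    public static SemanticEntrypoint Classify(string name, string source)
    {
        var caps = DetectCapabilities(source);
        var intent = InferIntent(source);
        var threat = InferThreatVector(intent, caps, source);
        return new SemanticEntrypoint(name, intent, caps, threat, MapBoundary(intent, caps, source));
    }

    // Arbitrary weights: exposure dominates, then dangerous capabilities, then a boundary crossing.
    // Two entrypoints that are equally "reachable" therefore no longer tie.
    public static int RiskScore(SemanticEntrypoint e)
    {
        int score = e.Threat switch { ThreatVector.External => 100, ThreatVector.Privileged => 60, _ => 20 };
        if (e.Capabilities.HasFlag(CapabilityClass.ProcessExec)) score += 40;
        if (e.Capabilities.HasFlag(CapabilityClass.FileSystem)) score += 15;
        if (e.Capabilities.HasFlag(CapabilityClass.NetworkAccess)) score += 10;
        if (e.Boundary != DataFlowBoundary.None) score += 25;
        return score;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample sources, not taken from any real project.
        const string flaskApp = "from flask import Flask, request\nimport sqlite3\nimport subprocess\n" +
                                "app = Flask(__name__)\n@app.route('/export', methods=['POST'])\n" +
                                "def export():\n    subprocess.run(['tar', request.form['path']])\n" +
                                "app.run(host='0.0.0.0')\n";
        const string nightlyJob = "import schedule\nimport hashlib\n" +
                                  "def rotate():\n    with open('/var/log/app.log') as f: hashlib.sha256(f.read().encode())\n" +
                                  "schedule.every().day.at('02:00').do(rotate)\n";

        var ranked = new[] { Classify("export", flaskApp), Classify("rotate", nightlyJob) }
            .OrderByDescending(RiskScore);
        foreach (var e in ranked)
            Console.WriteLine($"{RiskScore(e),4}  {e.Name,-8} {e.Intent,-10} {e.Threat,-11} {e.Capabilities,-28} {e.Boundary}");
    }
}
```

With these assumed weights the Flask handler (WebApi, External, NetworkAccess|ProcessExec, UserInputToDatabase) scores 175 and the scheduled job (Scheduler, Internal, FileSystem|Crypto, no boundary crossing) scores 35, which is the ordering the E2E plan expects: both are reachable, but only one is an externally driven process-execution path. The point of the four dimensions is that the score can be explained dimension by dimension rather than read off a single opaque number.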