46 lines
3.0 KiB
Markdown
46 lines
3.0 KiB
Markdown
# AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)
|
|
|
|
## Module
|
|
Aoc
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostics `AOC0001`, `AOC0002`, and `AOC0003`, preventing forbidden and unguarded write patterns in AOC ingestion code.
|
|
|
|
## Implementation Details
|
|
- **AOC Analyzer**: `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AocForbiddenFieldAnalyzer.cs` - Roslyn `DiagnosticAnalyzer` that reports:
|
|
- `AOC0001` for forbidden field writes (for example `severity`, `cvss`, `risk_score`).
|
|
- `AOC0002` for derived `effective_*` field writes.
|
|
- `AOC0003` for unguarded database write operations outside `IAocGuard.Validate(...)` scope.
|
|
- **Analyzer Tests**: `src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/AocForbiddenFieldAnalyzerTests.cs` - analyzer behavior tests covering positive and negative paths (diagnostics emitted and suppressed appropriately).
|
|
|
|
## E2E Test Plan
|
|
- [x] Verify `AOC0001` is reported for forbidden field writes in ingestion context
|
|
- [x] Verify `AOC0002` is reported for `effective_*` derived field writes
|
|
- [x] Verify `AOC0003` is reported for unguarded database writes
|
|
- [x] Verify diagnostics are not reported for allowed writes and non-ingestion/test assemblies
|
|
- [x] Verify analyzer participates in `dotnet build`/test execution paths used in CI
|
|
|
|
## Verification
|
|
- **Verified**: 2026-02-11
|
|
- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d behavioral analyzer test replay
|
|
- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
|
|
- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
|
|
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier0-source-check.json`
|
|
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier1-build-check.json`
|
|
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier2-integration-check.json`
|
|
|
|
## Recheck (Run-002)
|
|
- **Rechecked**: 2026-02-11
|
|
- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line behavior replay
|
|
- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
|
|
- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
|
|
- **Tier 2 Behavior**:
|
|
- Positive path: `dotnet build` of a violating ingestion sample reports `AOC0001`, `AOC0002`, and `AOC0003`.
|
|
- Negative path: `dotnet build` of a compliant ingestion sample reports none of `AOC0001`/`AOC0002`/`AOC0003`.
|
|
- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier0-source-check.json`
|
|
- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier1-build-check.json`
|
|
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier2-integration-check.json`
|