git.stella-ops.org/docs/features/unchecked/scanner/semantic-entrypoint-engine.md

# Semantic Entrypoint Engine
## Module
Scanner
## Status
IMPLEMENTED
## Description
Classifies entrypoints with semantic meaning (ApplicationIntent, CapabilityClass flags, ThreatVector, DataFlowBoundary) to enable risk-aware prioritization beyond pure reachability. Includes per-language semantic adapters for Python, Java, Node, .NET, and Go.
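As an added illustration (not the engine's own C# code), the sketch below shows in Python what the classification described above produces for two entrypoints that plain reachability would rank alike: enum members, the regex stand-ins for the adapter's framework patterns, and the risk weights are all assumptions of this example.

```python
import re
from collections import namedtuple
from enum import Enum, Flag, auto

# Enum members are illustrative assumptions, not the engine's real definitions.
class ApplicationIntent(Enum): WebApi = 1; Scheduler = 2; Unknown = 3
class ThreatVector(Enum): External = 1; Internal = 2
class DataFlowBoundary(Enum): NetworkToFileSystem = 1; NoneDetected = 2
class CapabilityClass(Flag):
    NONE = 0; NetworkAccess = auto(); FileSystem = auto(); Crypto = auto(); ProcessExec = auto()
SemanticEntrypoint = namedtuple("SemanticEntrypoint", "name intent capabilities threat_vector boundary")

# Regex stand-ins for the adapter's framework patterns (Flask / APScheduler style).
INTENT_PATTERNS = [
    (r"@\w+\.(route|get|post)\(", ApplicationIntent.WebApi, ThreatVector.External),
    (r"@scheduler\.scheduled_job\(", ApplicationIntent.Scheduler, ThreatVector.Internal),
]
CAPABILITY_PATTERNS = [
    (r"\b(requests|socket|httpx)\.", CapabilityClass.NetworkAccess),
    (r"\bopen\(|\bshutil\.", CapabilityClass.FileSystem),
    (r"\bhashlib\.|\bcryptography\b", CapabilityClass.Crypto),
    (r"\bsubprocess\.|\bos\.system\(", CapabilityClass.ProcessExec),
]
# Assumed weights: what an entrypoint could do once an attacker reaches it.
RISK_WEIGHT = {CapabilityClass.ProcessExec: 4, CapabilityClass.FileSystem: 2,
               CapabilityClass.NetworkAccess: 2, CapabilityClass.Crypto: 1}

def classify(name: str, source: str) -> SemanticEntrypoint:
    intent, vector = next(((i, v) for p, i, v in INTENT_PATTERNS if re.search(p, source)),
                          (ApplicationIntent.Unknown, ThreatVector.Internal))
    caps = CapabilityClass.NONE
    for pattern, cap in CAPABILITY_PATTERNS:
        if re.search(pattern, source):
            caps |= cap
    # Trust-boundary crossing: untrusted network input reaching the filesystem.
    crosses = vector is ThreatVector.External and CapabilityClass.FileSystem in caps
    boundary = DataFlowBoundary.NetworkToFileSystem if crosses else DataFlowBoundary.NoneDetected
    return SemanticEntrypoint(name, intent, caps, vector, boundary)

def risk_score(e: SemanticEntrypoint) -> int:
    # Equally reachable entrypoints diverge here: exposure multiplies capability weight.
    base = sum(w for cap, w in RISK_WEIGHT.items() if cap in e.capabilities)
    return base * (3 if e.threat_vector is ThreatVector.External else 1)

def prioritize(entrypoints: list) -> list:
    return sorted(entrypoints, key=risk_score, reverse=True)

# Constructed sample sources (not taken from any real application).
FLASK_SRC = "@app.route('/convert', methods=['POST'])\ndef convert():\n    open(p, 'wb').write(request.files['f'].read())\n    subprocess.run(['convert', p])\n"
JOB_SRC = "@scheduler.scheduled_job('interval', hours=1)\ndef rotate():\n    d = hashlib.sha256(open(DB, 'rb').read()).hexdigest()\n    requests.post(INTERNAL_URL, json={'digest': d})\n"
```

Running `prioritize([classify("job", JOB_SRC), classify("web", FLASK_SRC)])` places the externally exposed Flask handler (WebApi, External, FileSystem|ProcessExec, NetworkToFileSystem) ahead of the internal scheduler job even though both are reachable.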
## Implementation Details
- **Semantic Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs` - `SemanticEntrypoint` model combining ApplicationIntent, CapabilityClass, ThreatVector, and DataFlowBoundary
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs` - `ApplicationIntent` enum classifying the purpose of an entrypoint (e.g., WebApi, CLI, Worker, Scheduler)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - `CapabilityClass` flags for entrypoint capabilities (e.g., NetworkAccess, FileSystem, Crypto, ProcessExec)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - `ThreatVector` enum classifying potential threat exposure (e.g., External, Internal, Privileged)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - `DataFlowBoundary` enum classifying data flow trust boundaries
- **Orchestrator**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs` - `SemanticEntrypointOrchestrator` coordinating analysis across per-language adapters
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs` - `SemanticEntryTraceAnalyzer` performing semantic classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs` - Interface for semantic analysis
- **Analysis Components**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - `ThreatVectorInferrer` inferring threat vectors from entrypoint characteristics
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - `DataBoundaryMapper` mapping data flow boundaries
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - `CapabilityDetector` detecting capability flags
- **Per-Language Adapters**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs` - Python semantic adapter (Flask, Django, FastAPI patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs` - Java semantic adapter (Spring, Jakarta patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs` - Node.js semantic adapter (Express, Fastify patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs` - .NET semantic adapter (ASP.NET, gRPC patterns)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs` - Go semantic adapter (net/http, gin patterns)
## E2E Test Plan
- [ ] Analyze a Python Flask web application entrypoint and verify it is classified with ApplicationIntent=WebApi, ThreatVector=External, and appropriate CapabilityClass flags
- [ ] Analyze a Java Spring Boot scheduler entrypoint and verify ApplicationIntent=Scheduler with Internal threat vector
- [ ] Verify `CapabilityDetector` correctly identifies NetworkAccess, FileSystem, and Crypto capabilities from code patterns
- [ ] Verify `ThreatVectorInferrer` distinguishes between externally-exposed and internal-only entrypoints
- [ ] Verify `DataBoundaryMapper` correctly classifies trust boundary crossings (e.g., user input to database, network to filesystem)
- [ ] Verify the orchestrator aggregates results from all per-language adapters into a unified semantic entrypoint classification