git.stella-ops.org/docs/modules/scanner/design/dotnet-analyzer-11-001.md

# .NET Analyzer Design · 11-001 Entrypoint Resolver (2025-12-09)

## Goals
- Resolve .NET entrypoints deterministically from project/publish artefacts and emit normalized identities (assembly name, MVID, TFM, RID, host kind, publish mode).
- Capture environment profiles (single-file, trimmed, self-contained vs framework-dependent, ALC hints) without executing payloads.
- Produce deterministic evidence aligned to `dotnet-il-metadata.schema.json` for downstream analyzers 11-002..005.

## Inputs
- `*.csproj`/`*.fsproj` metadata (TargetFrameworks, RuntimeIdentifiers, PublishSingleFile/Trim options).
- Publish outputs: apphost (`*.exe`), `*.dll`, `*.deps.json`, `*.runtimeconfig.json`, `*.targets` cache.
- RID graph from SDK (offline snapshot in repo), deterministic time provider.

## Outputs
- `entrypoints[]` records: `assembly`, `mvid`, `tfm`, `rid`, `hostKind` (apphost/framework-dependent/self-contained), `publishMode` (single-file/trimmed), `alcHints` (AssemblyLoadContext names), `probingPaths`, `nativeDeps` (apphost bundles).
- Evidence: `LanguageComponentEvidence` entries per entrypoint with locator = publish path, hash over file bytes for determinism.
- Diagnostics: missing deps/runtimeconfig, mixed RID publish, single-file without extractor support.

## Algorithm (deterministic)
1) Parse project: target frameworks, RIDs, publish flags; normalize to ordered sets.
2) Discover publish artefacts under `bin/<Configuration>/<TFM>/...` and `publish/` folders; prefer `*.runtimeconfig.json` when present.
3) Read `*.deps.json` to extract runtime targets and resolve primary entry assembly; fall back to `apphost` name.
4) Compute MVID from PE header; compute SHA-256 over `*.dll`/`*.exe` bytes; capture file size.
5) Classify host:
   - `apphost` present -> `hostKind = apphost`; detect single-file bundle via marker sections.
   - Framework-dependent -> `hostKind = framework-dependent`; use `runtimeconfig` probing paths.
6) Infer ALC hints: scan deps for `runtimeconfig.dev.json` probing paths and `additionalProbingPaths`; add known SDK paths.
7) Emit entrypoint with deterministic ordering: sort by assembly name, then RID, then TFM.

## Determinism & Offline
- No network access; relies solely on on-disk project/publish artefacts.
- Stable ordering and casing (`Ordinal` sort), UTC time provider.
- Hashes: SHA-256 over file bytes; no timestamps.

## Test & Fixture Plan
- Existing suite: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` (now green; TRX at `TestResults/dotnet/dotnet-tests.trx`).
- Fixtures to maintain:
  - Framework-dependent app with deps/runtimeconfig.
  - Self-contained single-file publish (bundle) with apphost.
  - Trimmed publish with ALC hints.
  - Multi-RID publish verifying RID selection and deterministic ordering.
- Add new fixtures under `...DotNet.Tests/Fixtures/` when new host kinds are supported; keep hashes stable.

## Next Steps
- Wire readiness checkpoints to mark 11-001 design+tests complete; keep CI runner validation optional (DEVOPS-SCANNER-CI-11-001) for reproducibility.
- Feed outputs into 11-002..005 analyzers once entrypoint metadata is consumed by downstream IL/reflection pipelines.