Spike. Effect / capability graph — per-symbol effect labels (db.read/write, network.io, fs.io, crypto/secret, ffi.boundary, spawns_task, owns_join_handle, emits_event, updates_schema, serializes_public_payload, uses_clock/random, unsafe).
Approach: NOT full Joern. Leaf-level syntactic effect detectors (tree-sitter/AST/regex) + interprocedural propagation as a fixpoint over the existing call graph (a function inherits the effects it transitively calls).
Honest limits (must be labeled): propagation under-reports through dyn Trait dispatch, FFI boundaries, and dynamically-built SQL. So effect output is a conservative lower bound ("known effects"), and any forbidden_path_check (source→sink) must FAIL LOUD on a propagation gap, never silently pass.
Why it helps an agent: danger labels before it patches — "this writes the sync tables and touches key material."
Part of #115 epic. Ref: docs/plans/2026-06-14-agent-value-strategy.md §4c.
Spike. Effect / capability graph — per-symbol effect labels (db.read/write, network.io, fs.io, crypto/secret, ffi.boundary, spawns_task, owns_join_handle, emits_event, updates_schema, serializes_public_payload, uses_clock/random, unsafe).
Approach: NOT full Joern. Leaf-level syntactic effect detectors (tree-sitter/AST/regex) + interprocedural propagation as a fixpoint over the existing call graph (a function inherits the effects it transitively calls).
Honest limits (must be labeled): propagation under-reports through
dyn Traitdispatch, FFI boundaries, and dynamically-built SQL. So effect output is a conservative lower bound ("known effects"), and anyforbidden_path_check(source→sink) must FAIL LOUD on a propagation gap, never silently pass.Why it helps an agent: danger labels before it patches — "this writes the sync tables and touches key material."
Part of #115 epic. Ref:
docs/plans/2026-06-14-agent-value-strategy.md§4c.