feat: track property reads in graph flow

Author: anasm266

.changeset/v1-2-property-flow.md

@@ -0,0 +1,5 @@
+---
+"any-map": minor
+---
+
+Improve graph propagation through object property reads, string-literal index reads, and plain assignment statements.

README.md

@@ -29,7 +29,7 @@ A single `any` in a utility can propagate through assignments, destructuring, an
 
 `any-map scan`: `--format table|json|dot` (or legacy `--json`), `--dump-graph` (JSON graph snapshot), `--top N` (limits **both** the greedy fix-order table and the blast-ranked table, and the matching JSON arrays; `--fail-coverage` still uses the full greedy run), `--source-kinds`, `--ignore` (comma-separated picomatch globs), `--fail-above N`, `--fail-coverage P` (cumulative % from the greedy run must be ≥ P — see [PLAN.md](./PLAN.md) for edge cases). CI: [.github/actions/any-map-scan/action.yml](.github/actions/any-map-scan/action.yml) (`npx any-map@… scan . ${{ inputs.args }}`).
 
-Direct intra-project flow currently includes import bindings and resolved cross-file call edges, so `any` can propagate through chains like `export default value` -> `import x` -> `consume(x)`.
+Direct intra-project flow currently includes import bindings, property/index reads, plain assignments, and resolved cross-file call edges, so `any` can propagate through chains like `export default value` -> `import x` -> `box.payload` -> `consume(x)`.
 
 ### `allowJs` / JavaScript
 

src/analyzer/build-graph.ts

@@ -40,6 +40,14 @@ function getEnclosingFunctionLike(
   return undefined;
 }
 
+function propertyNameText(name: ts.PropertyName): string | undefined {
+  if (ts.isIdentifier(name) || ts.isPrivateIdentifier(name)) return name.text;
+  if (ts.isStringLiteralLike(name) || ts.isNumericLiteral(name)) {
+    return name.text;
+  }
+  return undefined;
+}
+
 export class GraphBuilder {
   private readonly checker: ts.TypeChecker;
   private readonly nodes = new Map<string, GraphNodeMutable>();
@@ -111,6 +119,83 @@ export class GraphBuilder {
     return id;
   }
 
+  private ensurePropertyNamedNode(
+    name: ts.PropertyName,
+    discriminator = "",
+  ): string | undefined {
+    const text = propertyNameText(name);
+    if (!text) return undefined;
+    const sf = name.getSourceFile();
+    if (!this.isUserSourceFile(sf)) return undefined;
+    const filePath = this.rel(sf);
+    const start = name.getStart(sf, false);
+    const { line, character } = sf.getLineAndCharacterOfPosition(start);
+    const line1 = line + 1;
+    const col1 = character + 1;
+    const id = makeNodeId(filePath, line1, col1, text, discriminator);
+    if (!this.nodes.has(id)) {
+      this.nodes.set(id, {
+        id,
+        filePath,
+        line: line1,
+        column: col1,
+        name: text,
+        kind: "property",
+        typeString: this.typeStringAt(name),
+        isSource: false,
+        infectedBy: new Set(),
+      });
+    }
+    return id;
+  }
+
+  private declarationForSymbol(
+    sym: ts.Symbol | undefined,
+  ): ts.Declaration | undefined {
+    return (
+      sym?.declarations?.find(
+        (decl) =>
+          ts.isImportClause(decl) ||
+          ts.isImportSpecifier(decl) ||
+          ts.isNamespaceImport(decl) ||
+          ts.isImportEqualsDeclaration(decl),
+      ) ?? sym?.valueDeclaration
+    );
+  }
+
+  private propertySymbolForElementAccess(
+    expr: ts.ElementAccessExpression,
+  ): ts.Symbol | undefined {
+    const arg = expr.argumentExpression;
+    if (!arg || (!ts.isStringLiteralLike(arg) && !ts.isNumericLiteral(arg))) {
+      return undefined;
+    }
+    const key = arg.text;
+    const baseType = this.checker.getTypeAtLocation(expr.expression);
+    const apparent = this.checker.getApparentType(baseType);
+    return (
+      this.checker.getPropertyOfType(apparent, key) ??
+      this.checker.getPropertyOfType(baseType, key)
+    );
+  }
+
+  private reasonForValueRead(expr: ts.Expression): EdgeReason {
+    if (ts.isParenthesizedExpression(expr)) {
+      return this.reasonForValueRead(expr.expression);
+    }
+    if (
+      ts.isAsExpression(expr) ||
+      ts.isTypeAssertionExpression(expr) ||
+      ts.isSatisfiesExpression(expr) ||
+      ts.isNonNullExpression(expr)
+    ) {
+      return this.reasonForValueRead(expr.expression);
+    }
+    if (ts.isPropertyAccessExpression(expr)) return "property-access";
+    if (ts.isElementAccessExpression(expr)) return "index-access";
+    return "assignment";
+  }
+
   private ensureFromValueDeclaration(vd: ts.Declaration): string | undefined {
     if (ts.isImportClause(vd) && vd.name) {
       return this.ensureImportBinding(vd.name);
@@ -136,6 +221,15 @@ export class GraphBuilder {
     if (ts.isPropertyDeclaration(vd) && ts.isIdentifier(vd.name)) {
       return this.ensureNamedDecl(vd, "property");
     }
+    if (ts.isGetAccessorDeclaration(vd)) {
+      return this.ensurePropertyNamedNode(vd.name, "getter");
+    }
+    if (ts.isPropertyAssignment(vd)) {
+      return this.ensurePropertyNamedNode(vd.name, "object");
+    }
+    if (ts.isShorthandPropertyAssignment(vd)) {
+      return this.ensurePropertyNamedNode(vd.name, "object");
+    }
     return undefined;
   }
 
@@ -278,16 +372,32 @@ export class GraphBuilder {
 
   /** Value-flow sources: identifiers / simple references with a registered declaration. */
   exprToNodeId(expr: ts.Expression): string | undefined {
-    if (!ts.isIdentifier(expr)) return undefined;
-    const sym = this.checker.getSymbolAtLocation(expr);
-    const vd =
-      sym?.declarations?.find(
-        (decl) =>
-          ts.isImportClause(decl) ||
-          ts.isImportSpecifier(decl) ||
-          ts.isNamespaceImport(decl) ||
-          ts.isImportEqualsDeclaration(decl),
-      ) ?? sym?.valueDeclaration;
+    if (ts.isParenthesizedExpression(expr)) {
+      return this.exprToNodeId(expr.expression);
+    }
+    if (
+      ts.isAsExpression(expr) ||
+      ts.isTypeAssertionExpression(expr) ||
+      ts.isSatisfiesExpression(expr) ||
+      ts.isNonNullExpression(expr)
+    ) {
+      return this.exprToNodeId(expr.expression);
+    }
+
+    let sym: ts.Symbol | undefined;
+    if (ts.isIdentifier(expr)) {
+      sym = this.checker.getSymbolAtLocation(expr);
+    } else if (ts.isPropertyAccessExpression(expr)) {
+      sym =
+        this.checker.getSymbolAtLocation(expr.name) ??
+        this.checker.getSymbolAtLocation(expr);
+    } else if (ts.isElementAccessExpression(expr)) {
+      sym = this.propertySymbolForElementAccess(expr);
+    } else {
+      return undefined;
+    }
+
+    const vd = this.declarationForSymbol(sym);
     if (!vd) return undefined;
     return this.ensureFromValueDeclaration(vd);
   }
@@ -370,6 +480,20 @@ export class GraphBuilder {
       if (ts.isSpreadAssignment(p)) {
         const sid = this.exprToNodeId(p.expression);
         if (sid) this.addEdge(sid, lhs, "spread");
+        continue;
+      }
+      if (ts.isPropertyAssignment(p)) {
+        const pid = this.ensureFromValueDeclaration(p);
+        const rhs = this.exprToNodeId(p.initializer);
+        if (pid && rhs) {
+          this.addEdge(rhs, pid, this.reasonForValueRead(p.initializer));
+        }
+        continue;
+      }
+      if (ts.isShorthandPropertyAssignment(p)) {
+        const pid = this.ensureFromValueDeclaration(p);
+        const rhs = this.exprToNodeId(p.name);
+        if (pid && rhs) this.addEdge(rhs, pid, "assignment");
       }
     }
   }
@@ -382,13 +506,16 @@ export class GraphBuilder {
     }
     if (
       ts.isBinaryExpression(e) &&
-      e.operatorToken.kind === ts.SyntaxKind.EqualsToken &&
-      ts.isCallExpression(e.right)
+      e.operatorToken.kind === ts.SyntaxKind.EqualsToken
     ) {
-      const lhsId = ts.isIdentifier(e.left)
-        ? this.exprToNodeId(e.left)
-        : undefined;
-      this.edgesFromCall(e.right, lhsId);
+      const lhsId = this.exprToNodeId(e.left);
+      if (!lhsId) return;
+      if (ts.isCallExpression(e.right)) {
+        this.edgesFromCall(e.right, lhsId);
+        return;
+      }
+      const rhsId = this.exprToNodeId(e.right);
+      if (rhsId) this.addEdge(rhsId, lhsId, this.reasonForValueRead(e.right));
     }
   }
 
@@ -407,6 +534,11 @@ export class GraphBuilder {
         this.edgesFromCall(init, lhs);
         return;
       }
+      const rhs = this.exprToNodeId(init);
+      if (rhs) {
+        this.addEdge(rhs, lhs, this.reasonForValueRead(init));
+        return;
+      }
       if (ts.isObjectLiteralExpression(init)) {
         this.edgesFromObjectLiteral(init, node);
       }
@@ -427,7 +559,9 @@ export class GraphBuilder {
     if (!fn) return;
     const retId = this.ensureReturnNode(fn);
     const exId = this.exprToNodeId(node.expression);
-    if (retId && exId) this.addEdge(exId, retId, "assignment");
+    if (retId && exId) {
+      this.addEdge(exId, retId, this.reasonForValueRead(node.expression));
+    }
   }
 
   private visitPropertyDeclaration(node: ts.PropertyDeclaration): void {

tests/unit/graph-builder.test.ts

@@ -11,12 +11,11 @@ function hasEdge(
   fromName: string,
   toName: string,
 ): boolean {
-  const idOf = (name: string) => g.nodes.find((n) => n.name === name)?.id;
-  const from = idOf(fromName);
-  const to = idOf(toName);
-  if (!from || !to) return false;
   return g.edges.some(
-    (e) => e.from === from && e.to === to && e.reason === reason,
+    (e) =>
+      e.reason === reason &&
+      g.nodes.some((n) => n.id === e.from && n.name === fromName) &&
+      g.nodes.some((n) => n.id === e.to && n.name === toName),
   );
 }
 
@@ -123,6 +122,22 @@ describe("intra-module graph (m3)", () => {
     expect(hasEdge(g, "assignment", "imported", "local")).toBe(true);
   });
 
+  it("property-access: object literal property read flows to assignment target", () => {
+    const g = graphFor({
+      "src/index.ts": `const seed = 1;\nconst obj = { payload: seed };\nconst local = obj.payload;\n`,
+    });
+    expect(hasEdge(g, "assignment", "seed", "payload")).toBe(true);
+    expect(hasEdge(g, "property-access", "payload", "local")).toBe(true);
+  });
+
+  it("index-access: string-literal property read flows to assignment target", () => {
+    const g = graphFor({
+      "src/index.ts": `const seed = 1;\nconst obj = { payload: seed };\nconst local = obj["payload"];\n`,
+    });
+    expect(hasEdge(g, "assignment", "seed", "payload")).toBe(true);
+    expect(hasEdge(g, "index-access", "payload", "local")).toBe(true);
+  });
+
   it("arrow in variable: return uses return slot anchored on binding name", () => {
     const g = graphFor({
       "src/index.ts": `const arrow = (): number => {\n  const v = 3;\n  return v;\n};\n`,
@@ -163,6 +178,21 @@ describe("intra-module graph (m3)", () => {
     });
     expect(hasEdge(g, "parameter-binding", "imported", "formal")).toBe(true);
   });
+
+  it("parameter-binding uses property reads as call arguments", () => {
+    const g = graphFor({
+      "src/index.ts": `const seed = 1;\nconst obj = { payload: seed };\nfunction consume(formal: number): void { void formal; }\nconsume(obj.payload);\n`,
+    });
+    expect(hasEdge(g, "assignment", "seed", "payload")).toBe(true);
+    expect(hasEdge(g, "parameter-binding", "payload", "formal")).toBe(true);
+  });
+
+  it("assignment statement: lhs = rhs adds a direct flow edge", () => {
+    const g = graphFor({
+      "src/index.ts": `const source = 1;\nlet sink;\nsink = source;\n`,
+    });
+    expect(hasEdge(g, "assignment", "source", "sink")).toBe(true);
+  });
 });
 
 describe("propagation + blast (m4)", () => {
@@ -224,4 +254,24 @@ describe("propagation + blast (m4)", () => {
     expect(imported?.infectedBy).toContain(source?.id);
     expect(formal?.infectedBy).toContain(source?.id);
   });
+
+  it("object property reads propagate any infections into downstream locals", () => {
+    const g = graphFor({
+      "src/index.ts": `const seed: any = 1;\nconst obj = { payload: seed };\nconst local = obj.payload;\n`,
+    });
+    const source = g.nodes.find((n) => n.name === "seed" && n.isSource);
+    const local = g.nodes.find((n) => n.name === "local");
+    expect(source).toBeDefined();
+    expect(local?.infectedBy).toContain(source?.id);
+  });
+
+  it("assignment statements preserve propagated infections", () => {
+    const g = graphFor({
+      "src/index.ts": `const seed: any = 1;\nlet sink;\nsink = seed;\n`,
+    });
+    const source = g.nodes.find((n) => n.name === "seed" && n.isSource);
+    const sink = g.nodes.find((n) => n.name === "sink");
+    expect(source).toBeDefined();
+    expect(sink?.infectedBy).toContain(source?.id);
+  });
 });