TagAiDrift.java

package org.egothor.methodatlas;

import java.util.List;

import java.util.Locale;

import org.egothor.methodatlas.ai.AiMethodSuggestion;

/**

 * Describes the agreement between a source-level {@code @Tag("security")} annotation

 * and the AI classification of the same test method.

 *

 * <p>Both the static annotation and the AI judgment are independent sources of truth.

 * When they disagree the discrepancy is called <em>drift</em>:</p>

 *

 * <ul>

 *   <li>{@link #TAG_ONLY} — the method carries {@code @Tag("security")} in source but

 *       the AI considers it non-security-relevant. The annotation may be stale,

 *       inaccurate, or applied to the wrong method. Tag-based CI gates and audit

 *       dashboards over-count security coverage.</li>

 *   <li>{@link #AI_ONLY} — the AI classifies the method as security-relevant but no

 *       {@code @Tag("security")} is present in source. Coverage dashboards and

 *       tag-based CI gates silently miss this test.</li>

 *   <li>{@link #NONE} — both sources agree; no action needed.</li>

 * </ul>

 *

 * <p>Drift detection requires an active AI classification. When no

 * {@link AiMethodSuggestion} is available (AI disabled, class too large, etc.)

 * {@link #compute} returns {@code null}.</p>

 *

 * @see MethodAtlasApp

 * @see org.egothor.methodatlas.emit.OutputEmitter

 * @see org.egothor.methodatlas.emit.SarifEmitter

 */

public enum TagAiDrift {

    /** Both sources agree — either both say security-relevant or neither does. */

    NONE,

    /**

     * Source code carries {@code @Tag("security")} but the AI disagrees.

     * The annotation may be stale, inaccurate, or applied to the wrong method.

     */

    TAG_ONLY,

    /**

     * AI classifies the method as security-relevant but no {@code @Tag("security")}

     * is present in source. Coverage dashboards and tag-based CI gates will miss it.

     */

    AI_ONLY;

    private static final String SECURITY_TAG_VALUE = "security";

    /**

     * Computes the drift between source-level security tags and the AI classification.

     *

     * @param sourceTags JUnit {@code @Tag} values extracted from the method

     * @param suggestion AI classification for the method, or {@code null} when AI

     *                   is disabled or unavailable

     * @return computed drift value, or {@code null} when {@code suggestion} is

     *         {@code null} (drift cannot be determined without AI classification)

     */

    public static TagAiDrift compute(List<String> sourceTags, AiMethodSuggestion suggestion) {

        if (suggestion == null) {

            return null;

        }

        boolean hasTag = sourceTags.stream()

                .anyMatch(SECURITY_TAG_VALUE::equalsIgnoreCase);

        boolean aiSaysSecure = suggestion.securityRelevant();

        if (hasTag == aiSaysSecure) {

            return NONE;

        }

        return hasTag ? TAG_ONLY : AI_ONLY;

    }

    /**

     * Returns the lowercase hyphenated string representation used in CSV and SARIF output.

     *

     * @return {@code "none"}, {@code "tag-only"}, or {@code "ai-only"}

     */

    public String toValue() {

        return name().toLowerCase(Locale.ROOT).replace('_', '-');

    }

}

Active mutators

• CONDITIONALS_BOUNDARY
• EMPTY_RETURNS
• EXPERIMENTAL_SWITCH
• FALSE_RETURNS
• INCREMENTS
• INVERT_NEGS
• MATH
• NULL_RETURNS
• PRIMITIVE_RETURNS
• REMOVE_CONDITIONALS_EQUAL_ELSE
• REMOVE_CONDITIONALS_EQUAL_IF
• REMOVE_CONDITIONALS_ORDER_ELSE
• REMOVE_CONDITIONALS_ORDER_IF
• TRUE_RETURNS
• VOID_METHOD_CALLS

Tests examined

• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_noTagAndAiNonSecurity_returnsNone()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_bothSecurityRelevant_returnsNone()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_neitherSecurityRelevant_returnsNone()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_nonSecurityTagAndAiSecure_returnsAiOnly()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_tagPresentAiDisagrees_returnsTagOnly()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_securityTagAmongMultiple_tagOnlyWhenAiDisagrees()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_tagMatchingIsCaseInsensitive()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_aiSecurityNoTag_returnsAiOnly()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_allOptionalFieldsAbsent_messageIsSecurityTestFallback()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_blankDisplayNameInSuggestion_titleFallsBackToFqcnMethod()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_emptyPrefix_fqcnAsRelativePath()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_emptyTagsAndNonPlacebo_noSourceTag_messageIsAiOnlyDrift()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_emptyTagsAndNonPlacebo_withMatchingSourceTag_noDriftInMessage()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_plainMode_driftTagOnly_tokenPresent()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_fqcnConvertedToFilePath()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_nullDisplayNameFallsBackToFqcnMethod()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_plainMode_driftNone_tokenPresent()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_plainMode_driftAiOnly_tokenPresent()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_displayNameUsedAsTitle()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_securityRelevant_emitsNoticeCommand()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_noTagOnlyNorAiOnly_noDriftAppended()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_tagsIncludedInMessage()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_placeboMessageIncludesInteractionScore()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_interactionScoreBelowThreshold_emitsNotice()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_aiOnlyDrift_appendsDriftNoteToMessage()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_interactionScoreAboveThreshold_emitsWarning()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_emptyDisplayName_securitySuggestion_emitsBothAnnotations()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_csvMode_driftAiOnly_whenAiSecurityButNoSourceTag()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_csvMode_driftTagOnly_whenSourceTagButAiDisagrees()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_aiOnlyDriftExactText_doesNotContainTagOnlyText()] (1 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_csvMode_driftNone_whenBothAgreeSecurityRelevant()] (0 ms)
• org.egothor.methodatlas.GitHubAnnotationsEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.GitHubAnnotationsEmitterTest]/[method:record_interactionScoreAtThreshold_emitsWarning()] (1 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_tagAiDriftTagOnly_whenSourceTagButAiDisagrees()] (4 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_nonSecurityMethodWithHighInteractionScore_noPlaceboResult()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_nullTagsInSuggestion_resolveRuleIdReturnsSecurityTest()] (4 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_nullReason_reasonNotAppended()] (4 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_confidenceOmitted_whenScoresInMessageFalse()] (4 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_alwaysIncludesInteractionScore()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_scoresOmitted_whenScoresInMessageFalse()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_noDisplayName_usesGenericLine()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessageContainsDisplayNameAndTags()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityAuthRuleHasTags()] (3 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodWithOnlySecurityTagGetsRuleSecurityTest()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodWithLowInteractionScore_noPlaceboResult()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_aiConfidenceAbsent_whenConfidenceDisabled()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_propertiesContainAiFields_whenAiEnabled()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_blankReason_reasonNotAppended()] (8 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_blankAiReason_storedAsNullInProperties()] (8 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_tagAiDriftNone_whenBothAgreeSecurityRelevant()] (9 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securitySeverityIsCritical_forInjectionTag()] (8 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securitySeverityIsHigh_forAuthTag()] (9 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_rulesAreDeduplicatedAcrossResults()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_highInteractionScore_includesPlaceboWarning()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboMessage_scoreAlwaysPresent_evenWhenScoresInMessageFalse()] (7 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_hasLevelWarning()] (5 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityAuthRuleHasHelpText()] (10 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodWithHighInteractionScore_producesPlaceboResult()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_messageContainsInteractionScoreAndThreshold()] (6 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securitySeverityDefaultsMedium_forUnknownTag()] (13 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboMessage_confidenceOmitted_whenScoresInMessageFalse()] (7 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodWithAuthTagGetsRuleSecurityAuth()] (12 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_omitsConfidence_whenDisabled()] (16 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_messageIncludesConfidence_whenEnabled()] (7 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodMessage_includesConfidence_whenEnabled()] (16 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_propertiesContainInteractionScore()] (10 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_tagAiDriftAiOnly_whenAiSecurityButNoSourceTag()] (19 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_aiConfidencePresent_whenConfidenceEnabled()] (18 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_emptyDisplayNameOnSecurityMethod_producesBothResults()] (10 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_ruleIsRegistered()] (13 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_placeboResult_hasCorrectPhysicalLocation()] (14 ms)
• org.egothor.methodatlas.SarifEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.SarifEmitterTest]/[method:flush_securityMethodWithExactThresholdScore_producesPlaceboResult()] (20 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:toValue_returnsExpectedStrings()] (0 ms)
• org.egothor.methodatlas.TagAiDriftTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.TagAiDriftTest]/[method:compute_nullSuggestion_returnsNull()] (0 ms)
• org.egothor.methodatlas.OutputEmitterTest.[engine:junit-jupiter]/[class:org.egothor.methodatlas.OutputEmitterTest]/[method:emit_csvMode_driftEmpty_whenSuggestionNull()] (0 ms)