Changelog

All notable changes to Calor, organized by release.

[0.5.0] - 2026-04-22

Roslyn 5.3.0 upgrade — Migration pipeline now uses Roslyn 5.3.0 (C# 14 support), enabling conversion of modern C# files using lambda parameter modifiers, out in lambda parameters, and other C# 13/14 features.
LanguageVersion.Preview parse option — The C# parser now accepts the broadest possible C# syntax.

Non-exhaustive match on Option<T> / Result<T,E> is now an error — exhaustive match on known sum types is mandatory syntax (Calor0500).
Microsoft.CodeAnalysis.CSharp upgraded from 4.8.0 to 5.3.0 across all projects.

Cross-assembly IL analysis — Opt-in compile-time analysis that traces method calls through referenced .NET assemblies to discover effects not covered by manifests. Enabled via <CalorEnableILAnalysis>true</CalorEnableILAnalysis>. Handles async state machines, iterator methods, delegate creation, and virtual dispatch. See Cross-Assembly IL Analysis guide.
Cross-module effect propagation — Multi-file Calor projects now verify effect contracts at file boundaries. A caller that invokes a public function declared in another module must declare that callee's effects. Violations produce Calor0410; public functions without §E produce the new Calor0417 warning.
Multi-file CLI — calor --input a.calr --input b.calr compiles multiple files and runs the cross-module effect pass across them. Single-file invocations are unchanged.
MSBuild cross-module enforcement — The CompileCalor task runs the cross-module pass over every .calr in the project. Works correctly on warm builds via persistent per-module effect summaries in the build cache.
Effect summary cache (schema v2.0) — Each module's public function declarations, internal names, and call-site listings are cached alongside the content hash, so incremental builds retain complete cross-module coverage without re-parsing skipped files.
Cross-Module Effect Propagation guide — Contract model, bare-name vs. qualified calls, incremental build semantics, CLI + MSBuild integration.

--input option in the calor CLI now accepts multiple values.
Build state cache format bumped from 1.0 to 2.0 — existing caches auto-invalidate on first build after upgrade.
Options hash includes EffectKind enum shape — future enum changes automatically invalidate caches, preventing stale summaries from silently dropping effects.

Incremental compilation — CompileCalor MSBuild task now owns all incremental logic with a two-level cache gate: (mtime, size) stat check then SHA256 content hash. Global invalidation on compiler DLL, options, effect manifest, or output directory changes.
calor effects suggest CLI command — Analyzes Calor source files and generates a .calor-effects.suggested.json manifest template for unresolved external calls. Supports --json for agent consumption, --merge for additive updates to existing manifests.
Shared ExternalCallCollector — Extracted from InteropEffectCoverageCalculator, extended to walk class methods and constructors. Resolves variable types via §NEW initializer scanning.
Incremental build benchmark — Measures cold, warm (no changes), and warm (1 file changed) build times
Effect manifests .NET ecosystem guide — ~170 covered types, resolution mechanics, custom manifest authoring, CLI tools

Static analysis for class members — The --analyze flag now examines methods, constructors, property accessors, operators, indexers, and event accessors (previously only top-level functions were analyzed)
Verification-gated reporting — --analyze only reports proven findings by default (Z3-confirmed or constant analysis); use --all-findings for lower-confidence results
Taint hop-count tracking — Taint analysis tracks propagation steps; single-hop parameter-to-sink flows filtered by default to reduce false positives
Bug pattern detection in class members — Division by zero, null dereference, integer overflow, off-by-one, path traversal, command injection, and SQL injection detection now covers all class member bodies
Arity-aware overload resolution — Correct overload resolved by argument count, preventing wrong return types from flowing into Z3
Constructor initializer binding — : base()/: this() arguments visible to bug pattern checkers
33 new unit tests for class member binding, scope, overloads, dataflow, and end-to-end analysis
New --all-findings CLI flag for showing all analysis findings including inconclusive results
New static analysis documentation page

False positive elimination — Unhandled expression types return opaque expressions instead of literal zero, eliminating false division-by-zero reports
this.field shadowing — this.field resolves from class scope, not method scope
Throw-to-catch CFG edges — Throw statements inside try blocks now flow to catch blocks
Assignment dataflow — x = 1 no longer reports x as used before write

47 open-source projects scanned — 23 verified findings, ~90% true positive rate
Real findings: ILSpy null dereferences, FluentFTP path traversal, ASP.NET Core path traversal

Effect system: .NET framework manifests — Tier B effect manifests for 30+ common .NET framework interfaces (ILogger, DbContext, HttpClient, ControllerBase, etc.)
Effect system: ecosystem library manifests — Manifests for Serilog, Newtonsoft.Json, Dapper, MediatR, AutoMapper, FluentValidation, Polly
Effect system: BCL manifest expansion — New manifests for System.Text.Json, Regex, Concurrent collections, Crypto types
Effect system: variable type resolution — Enforcement pass resolves instance method calls via initializer tracking
95 new enforcement tests (210 total)

Effect system: unified resolver — Consolidated three parallel effect systems into a single manifest-based resolver
Parser: compound effect codes — Fixed silent mis-parsing of chained compound codes

See the full changelog on GitHub for versions prior to 0.4.5.