# aphoria-concept-paths

## AUDIT (2026-02-06)

**Pattern:** Concept paths built inconsistently across extractors

**Analysis:**
Found 29 concept path constructions across different patterns:

| Pattern | Count | Files |
|---------|-------|-------|
| A - Inline `format!("code://{}", path.join("/"))` | 24 | All extractors |
| B - `build_claim()` helper | 1 | traits.rs definition only |
| C - `format!("{}/{}", prefix, subject)` | 3 | llm/extractor.rs |
| D - Hardcoded literals | scattered | tests |

**Key Finding:**
The `build_claim()` helper in `traits.rs` already exists but is NOT used by any extractor!

```rust
// traits.rs:35-63 - UNDERUTILIZED HELPER
pub fn build_claim(
    path_segments: &[String],
    leaf_segments: &[&str],
    predicate: &str,
    value: ObjectValue,
    file: &str,
    line: usize,
    matched_text: &str,
    base_confidence: f32,
    description: &str,
) -> ExtractedClaim {
    // ... builds concept_path consistently
}
```

**Files with inline concept path construction:**
- `extractors/jwt_config.rs` (1)
- `extractors/tls_verify.rs` (1)
- `extractors/tls_version.rs` (1)
- `extractors/timeout_config.rs` (1)
- `extractors/weak_crypto.rs` (2)
- `extractors/hardcoded_secrets.rs` (1)
- `extractors/cors_config.rs` (2)
- `extractors/rate_limit.rs` (2)
- `extractors/dep_versions.rs` (4)
- `extractors/sql_injection.rs` (1)
- `extractors/command_injection.rs` (2)
- `extractors/unreal_*.rs` (4)
- `extractors/config_security.rs` (1)
- `extractors/declarative/executor.rs` (1)
- `llm/extractor.rs` (3)

**Recommended Fix:**
1. Migrate all extractors to use `build_claim()` helper
2. Create a `ConceptPath` struct for type-safe path building
3. Validate scheme prefixes (code://, rfc://, owasp://)

**Priority:** Medium (code duplication, no functional bug)

## DEFERRED (2026-02-06)

**Reason:** Low impact refactor - all patterns produce correct output.

**Mitigation:**
1. `build_claim()` helper already exists in `traits.rs`
2. aphoria-dev skill already guides new extractors to use helper
3. No functional bugs from current implementation
4. 24 extractors would need updating with no user-visible benefit

**Recommendation for future:**
- New extractors MUST use `build_claim()` helper
- Consider migration if a breaking change to concept paths is needed