feat: implement Phase R Wave 3 — R.7 hot-path column usage analysis and R.8 unhandled DB call detection

- ColumnUsageAnalyzer (R.7): TypeScript AST analyzer that tracks SELECT * hot paths
  per source line, identifies which fields are actually accessed (map/forEach/filter
  callbacks, rows[0].field access, destructuring), and emits hot-path-select-star
  anomalies with specific column lists instead of generic suggestions. Supports
  rows[n].field element access chains. Auto-wired in db profile for dev/test via
  profile-factory.
- SourceAnalyzer.scanForUnhandledDbCall (R.8): Walks TypeScript source files to find
  DB calls without try/catch or .catch() chains. Default severity info; escalates to
  critical when the source line appears in a crashed-lines set from CrashGuard.
  Integrated into StaticScanner.scan() via runUnhandledDbCallScan().
- 601 tests, 0 TS errors, 0 ESLint errors, Prettier clean.
- Demo app: added /debug/hot-select-star (R.7) and /debug/r8-info (R.8) routes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sharon77242

CHANGELOG.md

@@ -10,6 +10,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **Phase R Wave 3 — Complex codebase-intelligence rules**: Two new rules that require
+  both runtime observations and TypeScript AST access to produce targeted advice that
+  generic APMs cannot generate.
+  - **`hot-path-select-star`** (`warning`) — `ColumnUsageAnalyzer` tracks how many times
+    a `SELECT *` call fires from the same `sourceLine`. After `threshold` hits (default 5),
+    it parses the TypeScript source file, finds the variable the result is assigned to, and
+    walks the containing function scope to collect all accessed field names. The emitted
+    `hot-path-select-star` anomaly replaces the generic "use explicit columns" suggestion
+    with e.g. "you only access `id`, `email` — replace with `SELECT id, email`". Supports
+    `.map()` callbacks, `rows[0].field` element access, and `const { a, b } = rows[0]`
+    destructuring. Falls back to null (and stays silent) for dynamic patterns or plain JS.
+    Enabled via `.withColumnUsageAnalysis(dir?, threshold?)`. Auto-wired for `db` app type
+    in dev/test environments via `profile-factory`.
+  - **`unhandled-db-call`** (`info` / `critical`) — `SourceAnalyzer.scanForUnhandledDbCall()`
+    walks the TypeScript AST of every source file and flags DB calls (`query`, `execute`,
+    `findMany`, `find`, etc.) that have no surrounding `try/catch` and no `.catch()` chain.
+    Default severity is `info`. When `CrashGuard` feeds in a set of crashed source lines
+    (lines that have actually thrown `uncaughtException` in production), any finding at a
+    crashed location is escalated to `critical` with a message that mentions the crash
+    history. Integrated into `StaticScanner.scan()` via the new `runUnhandledDbCallScan()`
+    method. Wired into `ArgusAgent` startup scans; crash escalation feeds back from the
+    `CrashGuard` event stream.
+
 - **Phase R Wave 2 — Static + runtime intelligence rules**: Three new rules that combine
   static codebase knowledge with runtime frequency data to surface issues no single monitor
   can detect alone.

README.md

@@ -729,10 +729,11 @@ packages/agent/
       circuit-breaker-detector.ts    → Sustained error-rate detection across drivers
       static-scanner.ts              → Background tsc / ESLint / query-in-loop static analysis
       audit-scanner.ts               → npm audit CVE scanning
-      source-analyzer.ts             → R.4: TypeScript AST scan for DB calls inside loops
+      source-analyzer.ts             → R.4: DB calls inside loops; R.8: unhandled DB calls
       migration-scanner.ts           → R.5: SQL & Prisma migration parser → index map
       index-hint-analyzer.ts         → R.5: Runtime high-frequency missing-index detection
       route-tracker.ts               → R.6: Endpoint-never-called detection after warmup
+      column-usage-analyzer.ts       → R.7: SELECT * hot-path → specific column suggestions
 
     export/
       aggregator.ts                  → p99 sliding window metric aggregation