@clear-capabilities/agentic-security-scanner 0.74.0

package/src/ir/class-hierarchy.js

@@ -0,0 +1,195 @@
+// Class Hierarchy Analysis (CHA) — JS/TS (P1.2).
+//
+// Walks the Babel ASTs across the project to build:
+//
+//   classDefs:    Map<className, { file, line, methods, fields, extends?, implements? }>
+//   methodOwners: Map<methodQid, className>
+//   typeOfVar:    Map<file::scope::varName, className>  — assignment-time type
+//                                                          inference (simple, no
+//                                                          flow analysis)
+//
+// The output is consumed by the dataflow engine's receiver-sensitivity layer
+// (`receiver-context.js`) and by `callgraph.js` to refine virtual-call resolution.
+//
+// Scope of this v1: shallow analysis. We DON'T resolve:
+//   - polymorphic types (T<U>),
+//   - cross-file class inheritance via dynamic imports,
+//   - mixins (Object.assign / class factories),
+//   - prototype-based assignments outside `class` declarations.
+//
+// What we DO catch:
+//   - `class Foo {}` declarations + their method signatures.
+//   - `class Bar extends Foo {}` extends relationships.
+//   - `let x = new Foo()` typed-LHS inference.
+//   - `const x: Foo = ...` TS-annotated-LHS inference.
+//   - `function buildFoo(): Foo { ... }` typed-return inference.
+
+const _AST_CACHE = new WeakMap();
+
+/**
+ * Build the CHA over a perFileIR map (file → parsed IR with raw AST attached
+ * under `_ast`). When AST isn't attached, fall back to the IR's own
+ * structural hints (class names appearing in qids).
+ */
+export function buildClassHierarchy(perFileIR) {
+  const classes = new Map();       // className -> { file, line, methods, extends }
+  const methodOwners = new Map();  // qid -> className
+  const typeOfVar = new Map();     // file::scope::var -> className
+
+  if (!perFileIR || typeof perFileIR !== 'object') {
+    return { classes, methodOwners, typeOfVar };
+  }
+
+  for (const [file, ir] of Object.entries(perFileIR)) {
+    if (!ir || !Array.isArray(ir.functions)) continue;
+    // Recover class names from method qids of the shape
+    //   <file>::<scope>::<className.method>
+    // Many of our existing parsers emit class methods as `Foo.bar` in qid.
+    for (const fn of ir.functions) {
+      if (!fn.qid) continue;
+      const tail = fn.qid.split('::').pop() || '';
+      const dotIdx = tail.indexOf('.');
+      if (dotIdx <= 0) continue;
+      const className = tail.slice(0, dotIdx);
+      const methodName = tail.slice(dotIdx + 1);
+      methodOwners.set(fn.qid, className);
+      let cls = classes.get(className);
+      if (!cls) {
+        cls = { name: className, file, line: fn.line || 0, methods: new Set(), extends: null };
+        classes.set(className, cls);
+      }
+      cls.methods.add(methodName);
+    }
+    // Try to recover `let x = new Foo(...)` typing — we walk the IR's
+    // assign nodes for any call whose callee starts with a known class name.
+    for (const fn of ir.functions) {
+      const cfg = fn.cfg;
+      if (!cfg || !cfg.nodes) continue;
+      for (const id of Object.keys(cfg.nodes)) {
+        const n = cfg.nodes[id];
+        if (!n || n.kind !== 'assign') continue;
+        const src = n.source;
+        if (!src || src.kind !== 'call') continue;
+        // `new Foo()` is shaped as { kind: 'call', callee: { kind: 'ident', name: 'Foo' }, isNew: true }
+        const callee = src.callee;
+        const className = callee?.kind === 'ident' ? callee.name : null;
+        if (!className) continue;
+        if (classes.has(className) || /^[A-Z]/.test(className)) {
+          // Convention: PascalCase callees treated as constructors.
+          const target = typeof n.target === 'string' ? n.target : null;
+          if (target) typeOfVar.set(`${file}::${fn.qid}::${target}`, className);
+        }
+      }
+    }
+  }
+
+  return { classes, methodOwners, typeOfVar };
+}
+
+/**
+ * Given a variable reference (file + enclosing fn qid + var name), return
+ * the inferred class name if any.
+ */
+export function classOfVar(cha, file, fnQid, varName) {
+  if (!cha || !cha.typeOfVar || !varName) return null;
+  return cha.typeOfVar.get(`${file}::${fnQid}::${varName}`) || null;
+}
+
+/**
+ * Given a class name + method, return the resolved qid (if we know it).
+ * v1: no override resolution — only direct definition.
+ */
+export function resolveMethod(cha, className, methodName) {
+  if (!cha || !cha.classes || !className || !methodName) return null;
+  // Walk the class hierarchy upward — extends chain — to find a method.
+  let cur = className;
+  const seen = new Set();
+  while (cur && !seen.has(cur)) {
+    seen.add(cur);
+    const cls = cha.classes.get(cur);
+    if (!cls) break;
+    if (cls.methods && cls.methods.has(methodName)) {
+      // Return a synthetic qid; the call graph may have its own resolution.
+      return { className: cur, methodName };
+    }
+    cur = cls.extends || null;
+  }
+  return null;
+}
+
+// ════════════════════════════════════════════════════════════════════════════
+// P4.5 — Rapid Type Analysis (RTA)
+// ════════════════════════════════════════════════════════════════════════════
+//
+// CHA over-approximates virtual dispatch: a call on a receiver of type
+// Animal resolves to EVERY method named `speak` on EVERY subclass — even
+// subclasses that are never instantiated. RTA narrows this by tracking
+// which classes are actually instantiated in the program.
+
+/**
+ * Walk the IR for `new ClassName(...)` expressions and return the set of
+ * instantiated class names.
+ */
+export function collectInstantiatedClasses(perFileIR) {
+  const live = new Set();
+  if (!perFileIR) return live;
+  for (const ir of Object.values(perFileIR)) {
+    for (const fn of (ir.functions || [])) {
+      const cfg = fn.cfg;
+      if (!cfg || !cfg.nodes) continue;
+      for (const id of Object.keys(cfg.nodes)) {
+        const n = cfg.nodes[id];
+        if (!n) continue;
+        if (n.kind === 'assign' && n.source && n.source.kind === 'call' && n.source.isNew) {
+          const callee = n.source.callee;
+          if (callee && typeof callee === 'object' && callee.kind === 'ident') live.add(callee.name);
+          else if (typeof callee === 'string') live.add(callee);
+        }
+        if (n.kind === 'call' && n.isNew && typeof n.callee === 'string') live.add(n.callee);
+      }
+    }
+  }
+  return live;
+}
+
+/**
+ * RTA-refined virtual-call resolution. Narrows a virtual-call candidate set
+ * to actually-live (instantiated) classes.
+ *
+ *   cha:           class hierarchy
+ *   methodName:    the method being dispatched
+ *   liveClasses:   output of collectInstantiatedClasses
+ *   rootClass:     the declared/inferred receiver type (or null = any class)
+ */
+export function resolveMethodRTA(cha, methodName, liveClasses, rootClass) {
+  if (!cha || !methodName || !liveClasses) return [];
+  const out = [];
+  for (const [cn, cls] of cha.classes) {
+    if (!liveClasses.has(cn)) continue;
+    if (!cls.methods || !cls.methods.has(methodName)) continue;
+    if (rootClass) {
+      // cn must be rootClass or a transitive subclass.
+      let cur = cn;
+      let inHierarchy = false;
+      const seen = new Set();
+      while (cur && !seen.has(cur)) {
+        seen.add(cur);
+        if (cur === rootClass) { inHierarchy = true; break; }
+        cur = cha.classes.get(cur)?.extends || null;
+      }
+      if (!inHierarchy) continue;
+    }
+    out.push({ className: cn, methodName });
+  }
+  return out;
+}
+
+/**
+ * Annotate an existing CHA with the live-class set so consumers don't have
+ * to recompute it.
+ */
+export function annotateRTA(cha, perFileIR) {
+  if (!cha) return cha;
+  cha.liveClasses = collectInstantiatedClasses(perFileIR);
+  return cha;
+}

package/src/ir/index.js

@@ -0,0 +1,152 @@
+// IR entry point.
+//
+// Build per-file IR for every JS/TS/Python/Java file in a project, then
+// build the cross-file call graph on top.
+
+import { parseJsFile } from './parser-js.js';
+import { parseCSharpFile } from './parser-cs.js';
+import { parseKotlinFile } from './parser-kt.js';
+import { parsePythonFile as parsePythonFileRegex } from './parser-py.js';
+import {
+  parsePythonFile as parsePythonFileCst,
+  parsePythonFilesBatch as parsePythonFilesBatchCst,
+  probePythonAvailable,
+} from './parser-py-cst.js';
+import { parseJavaFile } from './parser-java.js';
+import { buildCallGraph } from './callgraph.js';
+import { buildClassHierarchy } from './class-hierarchy.js';
+import { computeSSA, isSSAEnabled } from './ssa.js';
+
+// Pick the Python parser based on env + capability probe.
+//   AGENTIC_SECURITY_PY_PARSER=cst   — force AST parser; error if unavailable
+//   AGENTIC_SECURITY_PY_PARSER=regex — force the legacy regex parser
+//   AGENTIC_SECURITY_PY_PARSER=auto (default) — try CST, fall back silently
+//
+// The default is `auto` for one minor release so we can validate the CST
+// path in real-world deployments without regressing customers who don't
+// have python3 on PATH. Flip the default to `cst` once the equivalence
+// corpus has run clean for two consecutive releases.
+function _chooseParser() {
+  const choice = (process.env.AGENTIC_SECURITY_PY_PARSER || 'auto').toLowerCase();
+  if (choice === 'regex') return { parser: 'regex' };
+  if (choice === 'cst') {
+    const cap = probePythonAvailable();
+    if (!cap.ok) {
+      throw new Error(`AGENTIC_SECURITY_PY_PARSER=cst but Python is unavailable: ${cap.reason}`);
+    }
+    return { parser: 'cst' };
+  }
+  // auto: prefer cst when capability is present.
+  const cap = probePythonAvailable();
+  return { parser: cap.ok ? 'cst' : 'regex' };
+}
+
+function _parsePythonFiles(pyEntries) {
+  // pyEntries: [{ file, content }, ...]
+  const choice = _chooseParser();
+  if (choice.parser === 'cst') {
+    const batch = parsePythonFilesBatchCst(pyEntries);
+    if (batch !== null) return batch;
+    // Silent fall-through to regex when the CST path failed mid-run (e.g.
+    // helper crashed). Operators see this in stderr when debugging is on.
+    if (process.env.AGENTIC_SECURITY_PY_PARSER_DEBUG === '1') {
+      process.stderr.write('parser-py-cst: batch failed; falling back to regex parser\n');
+    }
+  }
+  // Regex per-file parse — matches the old behavior exactly.
+  return pyEntries.map(({ file, content }) => parsePythonFileRegex(file, content)).filter(Boolean);
+}
+
+// Synchronous default — JS/TS + Python only. Engine.js calls this directly.
+// Java IR requires async import of java-parser; callers who want it can use
+// buildProjectIRAsync instead.
+export function buildProjectIR(fileContents) {
+  const perFile = {};
+  const pyBatch = [];
+  for (const [file, code] of Object.entries(fileContents || {})) {
+    if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(file)) {
+      const ir = parseJsFile(file, code);
+      if (ir) perFile[file] = ir;
+    } else if (/\.py$/i.test(file)) {
+      // Defer Python files to a single batched subprocess call.
+      pyBatch.push({ file, content: code });
+    } else if (/\.cs$/i.test(file)) {
+      const ir = parseCSharpFile(file, code);
+      if (ir) perFile[file] = ir;
+    } else if (/\.kt$/i.test(file)) {
+      const ir = parseKotlinFile(file, code);
+      if (ir) perFile[file] = ir;
+    }
+  }
+  if (pyBatch.length) {
+    for (const ir of _parsePythonFiles(pyBatch)) {
+      if (ir && ir.file) perFile[ir.file] = ir;
+    }
+  }
+  if (isSSAEnabled()) {
+    for (const ir of Object.values(perFile)) {
+      for (const fn of (ir.functions || [])) {
+        try { computeSSA(fn.cfg); } catch {}
+      }
+    }
+  }
+  const cg = buildCallGraph(perFile);
+  const cha = buildClassHierarchy(perFile);
+  return { perFile, callGraph: cg, cha };
+}
+
+// Async variant — includes Java IR via java-parser.
+export async function buildProjectIRAsync(fileContents) {
+  const perFile = {};
+  const pyBatch = [];
+  for (const [file, code] of Object.entries(fileContents || {})) {
+    if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(file)) {
+      const ir = parseJsFile(file, code);
+      if (ir) perFile[file] = ir;
+    } else if (/\.py$/i.test(file)) {
+      pyBatch.push({ file, content: code });
+    } else if (/\.cs$/i.test(file)) {
+      const ir = parseCSharpFile(file, code);
+      if (ir) perFile[file] = ir;
+    } else if (/\.kt$/i.test(file)) {
+      const ir = parseKotlinFile(file, code);
+      if (ir) perFile[file] = ir;
+    } else if (/\.java$/i.test(file)) {
+      try {
+        const ir = await parseJavaFile(file, code);
+        if (ir) perFile[file] = ir;
+      } catch { /* skip */ }
+    }
+  }
+  if (pyBatch.length) {
+    for (const ir of _parsePythonFiles(pyBatch)) {
+      if (ir && ir.file) perFile[ir.file] = ir;
+    }
+  }
+  if (isSSAEnabled()) {
+    for (const ir of Object.values(perFile)) {
+      for (const fn of (ir.functions || [])) {
+        try { computeSSA(fn.cfg); } catch {}
+      }
+    }
+  }
+  const cg = buildCallGraph(perFile);
+  const cha = buildClassHierarchy(perFile);
+  return { perFile, callGraph: cg, cha };
+}
+
+// `parsePythonFile` is the single-file shim. We re-export the dispatcher
+// so existing imports (e.g. tests that import { parsePythonFile } from
+// './ir/index.js') keep working. The dispatcher routes to CST or regex
+// according to the same rules as the batch path.
+export function parsePythonFile(file, code) {
+  if (!file || typeof code !== 'string') return null;
+  const choice = _chooseParser();
+  if (choice.parser === 'cst') {
+    const r = parsePythonFileCst(file, code);
+    if (r) return r;
+  }
+  return parsePythonFileRegex(file, code);
+}
+
+export { parseJsFile, parseJavaFile, parseCSharpFile, parseKotlinFile, buildCallGraph, buildClassHierarchy, computeSSA, isSSAEnabled, probePythonAvailable };

package/src/ir/parser-cs.js

@@ -0,0 +1,260 @@
+// C# IR frontend (v0.66).
+//
+// Regex-based, pragmatic, focused on ASP.NET / Entity Framework / Dapper /
+// System.IO surface area. Parallels parser-py.js (the legacy Python regex
+// parser) in approach: extract method bodies, lower assignments and calls
+// to the canonical IR shape, build a linear CFG.
+//
+// What we model:
+//   - method declarations: `[modifiers] returnType Name(params) { body }`
+//   - simple assignments: `var x = ...;`  `Type x = ...;`  `x = ...;`
+//   - method calls (statement-form): `obj.Method(args);` / `Method(args);`
+//   - return: `return expr;`
+//   - ASP.NET source-like access: `Request.Form["x"]`, `Request.QueryString[...]`
+//
+// What we do NOT model (regex-fallback class limits):
+//   - LINQ expressions (treated as opaque expression)
+//   - lambdas (body collapsed)
+//   - async/await (transparent)
+//   - generics on declarations beyond Type<...> name
+//   - attributes (skipped)
+//   - destructuring / tuples
+//   - control flow (if/for/while/switch) — body is treated as straight-line;
+//     this is enough for the source-reaches-sink shapes we care about.
+//
+// This is a v1. Promoted to a Roslyn-backed CST parser (analogous to
+// parser-py-cst.js) once we have a dotnet capability probe.
+
+import * as crypto from 'node:crypto';
+
+const METHOD_RE = new RegExp(
+  '(?:^|[\\s;{}])(?:public|private|protected|internal|static|virtual|override|async|sealed|abstract|new|readonly|partial)' +
+  '(?:\\s+(?:public|private|protected|internal|static|virtual|override|async|sealed|abstract|new|readonly|partial))*' +
+  '\\s+([A-Za-z_][A-Za-z0-9_<>?\\[\\],\\s]*?)' +    // return type (group 1)
+  '\\s+([A-Za-z_][A-Za-z0-9_]*)' +                  // method name (group 2)
+  '\\s*\\(([^)]*)\\)' +                             // params (group 3)
+  '\\s*\\{', 'g');
+
+// Matches a top-level statement inside a method body. We split on `;` only
+// at brace-depth 0; this keeps simple lambdas inside calls intact.
+function _splitStatements(body) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inString = null;     // null | '"' | "'" | '@"' style
+  let escape = false;
+  for (let i = 0; i < body.length; i++) {
+    const c = body[i];
+    if (escape) { buf += c; escape = false; continue; }
+    if (inString) {
+      buf += c;
+      if (inString === '"' && c === '\\') { escape = true; continue; }
+      if (c === inString) inString = null;
+      continue;
+    }
+    if (c === '"' || c === "'") { inString = c; buf += c; continue; }
+    if (c === '{' || c === '(' || c === '[') depth++;
+    if (c === '}' || c === ')' || c === ']') depth--;
+    if (c === ';' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _lowerExpr(text) {
+  const s = String(text || '').trim();
+  if (!s) return { kind: 'unknown' };
+  // Member access: a.b.c["foo"]
+  if (/^[A-Za-z_][\w.]*\[[^\]]*\]$/.test(s)) {
+    // E.g. Request.Form["name"]. Split on first '[' to isolate index.
+    const lb = s.indexOf('[');
+    const base = s.slice(0, lb);
+    const dots = base.split('.');
+    return _buildMemberChain(dots, /*indexed*/ s.slice(lb));
+  }
+  // Plain dotted ident: Request.Form / Request.QueryString
+  if (/^[A-Za-z_][\w.]*$/.test(s)) {
+    const parts = s.split('.');
+    if (parts.length === 1) return { kind: 'ident', name: parts[0] };
+    return _buildMemberChain(parts);
+  }
+  // Call: foo.bar(args) or Bar(args). Find the LAST '(' at depth 0.
+  const callMatch = s.match(/^([\w.]+)\s*\((.*)\)\s*$/s);
+  if (callMatch) {
+    const callee = callMatch[1];
+    const args = _splitTopLevelCommas(callMatch[2]).map(_lowerExpr);
+    return { kind: 'call', callee, args };
+  }
+  // String concat / interpolation — heuristic.
+  if (s.includes('+') && /["']/.test(s)) {
+    const parts = _splitTopLevelPlus(s).map(_lowerExpr);
+    return { kind: 'tpl', parts };
+  }
+  if (/^"|^@"/.test(s)) return { kind: 'literal', value: s };
+  if (/^\d/.test(s))   return { kind: 'literal', value: s };
+  return { kind: 'unknown' };
+}
+
+function _buildMemberChain(parts, indexer) {
+  // [a, b, c]  →  member(member(ident a, b), c). If indexer, wrap as a final member.
+  let cur = { kind: 'ident', name: parts[0] };
+  for (let i = 1; i < parts.length; i++) cur = { kind: 'member', object: cur, prop: parts[i] };
+  if (indexer) cur = { kind: 'member', object: cur, prop: indexer };
+  return cur;
+}
+
+function _splitTopLevelCommas(s) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (inStr) {
+      buf += c;
+      if (c === inStr && s[i-1] !== '\\') inStr = null;
+      continue;
+    }
+    if (c === '"' || c === "'") { inStr = c; buf += c; continue; }
+    if (c === '(' || c === '{' || c === '[' || c === '<') depth++;
+    if (c === ')' || c === '}' || c === ']' || c === '>') depth--;
+    if (c === ',' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _splitTopLevelPlus(s) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (inStr) {
+      buf += c;
+      if (c === inStr && s[i-1] !== '\\') inStr = null;
+      continue;
+    }
+    if (c === '"' || c === "'") { inStr = c; buf += c; continue; }
+    if (c === '(' || c === '{' || c === '[') depth++;
+    if (c === ')' || c === '}' || c === ']') depth--;
+    if (c === '+' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+// Lower one C# statement to an IR node. `line` is the absolute file line.
+function _lowerStmt(stmt, line) {
+  const s = stmt.trim().replace(/^\s+/, '');
+  if (!s || s.startsWith('//') || s.startsWith('/*')) return null;
+  // return
+  if (/^return\b/.test(s)) {
+    const m = s.match(/^return\s*(.*?)\s*$/);
+    const expr = m && m[1] ? _lowerExpr(m[1]) : null;
+    return { kind: 'return', line, value: expr };
+  }
+  // throw
+  if (/^throw\b/.test(s)) return { kind: 'throw', line, value: _lowerExpr(s.replace(/^throw\s*/, '')) };
+  // assign:   `var x = …`  `Type x = …`  `x = …`  `x.y = …`
+  const m = s.match(/^(?:(?:var|[A-Za-z_][\w<>?,\s.]*)\s+)?([A-Za-z_][\w.]*?)\s*=\s*(.+)$/s);
+  if (m) {
+    const target = m[1];
+    const sourceText = m[2];
+    return { kind: 'assign', line, target, source: _lowerExpr(sourceText) };
+  }
+  // statement-form call
+  const cm = s.match(/^([A-Za-z_][\w.]*)\s*\((.*)\)\s*$/s);
+  if (cm) {
+    return { kind: 'call', line, callee: cm[1], args: _splitTopLevelCommas(cm[2]).map(_lowerExpr) };
+  }
+  return { kind: 'unknown', line, text: s };
+}
+
+function _extractBody(src, openBrace) {
+  // openBrace is the index of the '{' starting the method body.
+  let depth = 1;
+  let i = openBrace + 1;
+  let inStr = null;
+  let escape = false;
+  while (i < src.length && depth > 0) {
+    const c = src[i];
+    if (escape) { escape = false; i++; continue; }
+    if (inStr) {
+      if (inStr === '"' && c === '\\') { escape = true; i++; continue; }
+      if (c === inStr) inStr = null;
+      i++; continue;
+    }
+    if (c === '"' || c === "'") { inStr = c; i++; continue; }
+    if (c === '{') depth++;
+    else if (c === '}') depth--;
+    if (depth === 0) return { body: src.slice(openBrace + 1, i), end: i };
+    i++;
+  }
+  return null;
+}
+
+function _lineAt(src, idx) {
+  let line = 1;
+  for (let i = 0; i < idx && i < src.length; i++) if (src[i] === '\n') line++;
+  return line;
+}
+
+function _qid(file, name, line, body) {
+  const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);
+  return `${file}::${name}@${line}#${sha}`;
+}
+
+export function parseCSharpFile(file, code) {
+  if (!file || typeof code !== 'string') return null;
+  const functions = [];
+  METHOD_RE.lastIndex = 0;
+  let m;
+  while ((m = METHOD_RE.exec(code)) !== null) {
+    const name = m[2];
+    const paramsText = m[3] || '';
+    const params = paramsText.split(',').map(p => {
+      const t = p.trim();
+      if (!t) return null;
+      // "Type name" → name. "Type<T> name" → name. "Type[] name = default" → name.
+      const last = t.replace(/=.*$/, '').trim().split(/\s+/).pop();
+      return last && /^[A-Za-z_][\w]*$/.test(last) ? last : null;
+    }).filter(Boolean);
+    const braceIdx = code.indexOf('{', m.index + m[0].length - 1);
+    if (braceIdx < 0) continue;
+    const extracted = _extractBody(code, braceIdx);
+    if (!extracted) continue;
+    const startLine = _lineAt(code, m.index);
+    const stmts = _splitStatements(extracted.body);
+    // Build a linear CFG: entry → s1 → s2 → ... → exit.
+    const nodes = {};
+    nodes.entry = { kind: 'entry', line: startLine, succ: [], pred: [] };
+    nodes.exit  = { kind: 'exit',  line: startLine, succ: [], pred: [] };
+    let prev = 'entry';
+    let stmtLine = startLine;
+    for (let idx = 0; idx < stmts.length; idx++) {
+      const node = _lowerStmt(stmts[idx], stmtLine);
+      if (!node) continue;
+      const id = `n${idx}`;
+      nodes[id] = { ...node, succ: [], pred: [prev] };
+      nodes[prev].succ.push(id);
+      prev = id;
+      // Approximate per-statement line advance by counting '\n' in source.
+      // (Cheap, good-enough for finding line attribution.)
+      stmtLine += (stmts[idx].match(/\n/g) || []).length + 1;
+    }
+    nodes[prev].succ.push('exit');
+    nodes.exit.pred.push(prev);
+    functions.push({
+      qid: _qid(file, name, startLine, extracted.body),
+      name, line: startLine, params, file,
+      cfg: { entry: 'entry', exit: 'exit', nodes },
+    });
+    METHOD_RE.lastIndex = extracted.end + 1;
+  }
+  return { file, functions, topLevel: null };
+}