@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/container-runtime.js

@@ -0,0 +1,149 @@
+// Container runtime config audit (FR-XSAT-8).
+//
+// Flags dangerous combinations in Dockerfile, Kubernetes manifests, and
+// ECS task definitions. Each rule names one specific misconfiguration; we
+// stay narrow (high precision) and let the curated list grow over time.
+//
+// Coverage:
+//   - Dockerfile          USER root, no USER directive, ADD with URL,
+//                         --privileged in HEALTHCHECK
+//   - Kubernetes manifest privileged: true, hostNetwork: true,
+//                         hostPID: true, runAsUser: 0, allowPrivilegeEscalation: true,
+//                         bind-mount of /var/run/docker.sock, capabilities ALL/SYS_ADMIN
+//   - ECS task definition privileged: true, host network mode, root user
+
+const DOCKERFILE_NAME_RE = /(?:^|\/)Dockerfile(?:\.[\w.-]+)?$/i;
+const K8S_YAML_RE        = /\.(?:ya?ml)$/i;
+const ECS_TASK_DEF_RE    = /(?:^|\/)task[-_]?definition[s]?(?:[-_.][\w-]*)?\.json$/i;
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+// ─── Dockerfile rules ──────────────────────────────────────────────────────
+
+const DOCKERFILE_RULES = [
+  {
+    re: /^\s*ADD\s+(?:https?:\/\/|ftp:\/\/)/gmi,
+    vuln: 'Dockerfile ADD with remote URL (TLS/MITM exposure; prefer COPY + verified checksum)',
+    severity: 'medium', cwe: 'CWE-494', family: 'container-runtime',
+  },
+  {
+    re: /^\s*USER\s+root\b/gmi,
+    vuln: 'Dockerfile USER root (container runs with root privileges)',
+    severity: 'high', cwe: 'CWE-250', family: 'container-runtime',
+  },
+  {
+    re: /--privileged\b/gi,
+    vuln: 'Dockerfile flag --privileged (full host privileges in container)',
+    severity: 'critical', cwe: 'CWE-250', family: 'container-runtime',
+  },
+];
+
+function scanDockerfile(file, raw) {
+  const findings = [];
+  for (const rule of DOCKERFILE_RULES) {
+    const r = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = r.exec(raw))) {
+      findings.push(_finding(rule, file, _lineOf(raw, m.index), m[0]));
+    }
+  }
+  // Special check: no USER directive at all.
+  if (!/^\s*USER\s+/mi.test(raw)) {
+    findings.push(_finding(
+      { vuln: 'Dockerfile has no USER directive (defaults to root)', severity: 'medium', cwe: 'CWE-250', family: 'container-runtime' },
+      file, 1, '(no USER directive present)'
+    ));
+  }
+  return findings;
+}
+
+// ─── Kubernetes manifest rules ────────────────────────────────────────────
+
+const K8S_RULES = [
+  { re: /\bprivileged\s*:\s*true\b/gi,                vuln: 'K8s container privileged: true',                 severity: 'critical', cwe: 'CWE-250' },
+  { re: /\bhostNetwork\s*:\s*true\b/gi,               vuln: 'K8s pod hostNetwork: true (host network namespace)', severity: 'high',     cwe: 'CWE-732' },
+  { re: /\bhostPID\s*:\s*true\b/gi,                   vuln: 'K8s pod hostPID: true (host PID namespace)',     severity: 'high',     cwe: 'CWE-732' },
+  { re: /\bhostIPC\s*:\s*true\b/gi,                   vuln: 'K8s pod hostIPC: true (host IPC namespace)',     severity: 'high',     cwe: 'CWE-732' },
+  { re: /\ballowPrivilegeEscalation\s*:\s*true\b/gi,  vuln: 'K8s container allowPrivilegeEscalation: true',    severity: 'high',     cwe: 'CWE-250' },
+  { re: /\brunAsUser\s*:\s*0\b/gi,                    vuln: 'K8s container runAsUser: 0 (root UID)',           severity: 'high',     cwe: 'CWE-250' },
+  // capabilities: add: [ALL] or SYS_ADMIN
+  { re: /\badd\s*:\s*\[\s*['"]?ALL['"]?/gi,           vuln: 'K8s securityContext capabilities.add: ALL',       severity: 'critical', cwe: 'CWE-250' },
+  { re: /\badd\s*:\s*\[\s*['"]?SYS_ADMIN['"]?/gi,     vuln: 'K8s securityContext capabilities.add: SYS_ADMIN', severity: 'high',     cwe: 'CWE-250' },
+  // docker.sock bind-mount
+  { re: /\bpath\s*:\s*['"]?\/var\/run\/docker\.sock/gi, vuln: 'K8s hostPath /var/run/docker.sock (container escape primitive)', severity: 'critical', cwe: 'CWE-250' },
+  // readOnlyRootFilesystem: false (or missing — only checked when present and false)
+  { re: /\breadOnlyRootFilesystem\s*:\s*false\b/gi,   vuln: 'K8s readOnlyRootFilesystem: false (writable root FS)', severity: 'low',  cwe: 'CWE-732' },
+];
+
+function scanK8sYaml(file, raw) {
+  // Heuristic: looks like a k8s manifest if it has apiVersion + kind.
+  if (!/\bapiVersion\s*:/.test(raw) || !/\bkind\s*:/.test(raw)) return [];
+  const findings = [];
+  for (const rule of K8S_RULES) {
+    const r = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = r.exec(raw))) {
+      findings.push(_finding({ ...rule, family: 'container-runtime' }, file, _lineOf(raw, m.index), m[0]));
+    }
+  }
+  return findings;
+}
+
+// ─── ECS task definition rules ────────────────────────────────────────────
+
+const ECS_RULES = [
+  { re: /"privileged"\s*:\s*true\b/g,             vuln: 'ECS container privileged: true',                 severity: 'critical', cwe: 'CWE-250' },
+  { re: /"networkMode"\s*:\s*"host"\b/g,          vuln: 'ECS task networkMode: host (host network namespace)', severity: 'high',     cwe: 'CWE-732' },
+  { re: /"user"\s*:\s*"(?:root|0)"/g,              vuln: 'ECS container user: root/0',                      severity: 'high',     cwe: 'CWE-250' },
+];
+
+function scanEcsTaskDef(file, raw) {
+  const findings = [];
+  for (const rule of ECS_RULES) {
+    const r = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = r.exec(raw))) {
+      findings.push(_finding({ ...rule, family: 'container-runtime' }, file, _lineOf(raw, m.index), m[0]));
+    }
+  }
+  return findings;
+}
+
+// ─── Common ────────────────────────────────────────────────────────────────
+
+function _finding(rule, file, line, snippet) {
+  return {
+    id: `container-runtime:${file}:${line}:${(rule.vuln || '').slice(0, 40)}`,
+    file, line,
+    vuln: rule.vuln,
+    severity: rule.severity,
+    cwe: rule.cwe || 'CWE-250',
+    family: rule.family || 'container-runtime',
+    stride: 'Elevation of Privilege',
+    parser: 'CONTAINER-RUNTIME',
+    confidence: 0.85,
+    snippet: typeof snippet === 'string' ? snippet.slice(0, 200) : '',
+    remediation: 'Container-runtime misconfig: review the highlighted directive. Default to non-root user, drop all capabilities and add back specifically what you need, set readOnlyRootFilesystem: true, never mount the docker socket, and avoid host namespaces unless explicitly required.',
+  };
+}
+
+/**
+ * Module entry point.
+ */
+export function scanContainerRuntime(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const out = [];
+  for (const [fp, raw] of Object.entries(fileContents)) {
+    if (typeof raw !== 'string' || raw.length === 0 || raw.length > 500_000) continue;
+    if (DOCKERFILE_NAME_RE.test(fp)) {
+      out.push(...scanDockerfile(fp, raw));
+    } else if (ECS_TASK_DEF_RE.test(fp)) {
+      out.push(...scanEcsTaskDef(fp, raw));
+    } else if (K8S_YAML_RE.test(fp)) {
+      out.push(...scanK8sYaml(fp, raw));
+    }
+  }
+  return out;
+}
+
+export const _internals = { DOCKERFILE_RULES, K8S_RULES, ECS_RULES };

package/src/posture/counterfactual.js

@@ -0,0 +1,109 @@
+// FR-LOGIC-9 — Counterfactual analysis (reverse blast radius for controls).
+//
+// For each defensive control found in the code (auth check, sanitizer guard,
+// CSRF middleware, rate-limit middleware, type guard), compute the reverse
+// blast radius: how many existing findings would become critical or exposed
+// if THIS control were removed or bypassed?
+//
+// The output is a list of `single-point-of-failure` records — controls whose
+// removal would expose ≥ 3 findings at high+. These are the controls that
+// most deserve hardening attention BEFORE an attacker tests them. The output
+// also feeds the trust-boundary diagram.
+//
+// We deliberately do NOT modify the findings themselves; we emit a separate
+// `counterfactualReport` artifact that lives on the scan object.
+
+const CONTROL_PATTERNS = [
+  // Each entry: [name, regex, family of finding this control mitigates]
+  ['auth-middleware',      /(?:requireAuth|authMiddleware|isAuthenticated|verifyJWT|@login_required|protect|requireLogin|getServerSession)\s*\(/g, ['missing-authz', 'broken-auth', 'idor']],
+  ['csrf-middleware',      /(?:csrf|csurf|csrfProtection|CSRFProtect|CsrfFilter)\s*\(/g, ['csrf']],
+  ['rate-limiter',         /(?:rateLimit|expressRateLimit|RateLimiter|rateLimiterFlexible)\s*\(/g, ['unbounded-llm', 'broken-auth']],
+  ['xss-sanitizer',        /(?:DOMPurify\.sanitize|sanitizeHtml|escape|bleach\.clean|html_safe)\s*\(/g, ['xss']],
+  ['sql-param',            /\.(?:prepare|query)\s*\([^)]{0,40}\$\d|\?|placeholder/g, ['sql-injection']],
+  ['url-validator',        /(?:validateUrl|isValidUrl|url\.parse|new URL\()/g, ['ssrf', 'open-redirect']],
+  ['path-validator',       /(?:path\.normalize|path\.resolve|isPathInside|safe_join)\s*\(/g, ['path-traversal']],
+  ['signature-verify',     /(?:hmac|createVerify|timingSafeEqual|verify_signature|stripe\.webhooks\.constructEvent)\s*\(/g, ['webhook-no-signature']],
+  ['admin-gate',           /(?:isAdmin|requireAdmin|hasRole\(['"]admin['"])/g, ['idor', 'missing-authz']],
+];
+
+function detectControls(fileContents) {
+  const controls = [];
+  if (!fileContents) return controls;
+  for (const [fp, text] of Object.entries(fileContents)) {
+    if (!text || typeof text !== 'string') continue;
+    for (const [name, re, mitigatesFamilies] of CONTROL_PATTERNS) {
+      re.lastIndex = 0;
+      let m;
+      while ((m = re.exec(text))) {
+        const line = text.slice(0, m.index).split('\n').length;
+        controls.push({ name, file: fp, line, mitigates: mitigatesFamilies });
+      }
+    }
+  }
+  return controls;
+}
+
+function familyOfFinding(f) {
+  if (f.family) return String(f.family).toLowerCase();
+  const v = (f.vuln || '').toLowerCase();
+  if (/sql.*injection/.test(v)) return 'sql-injection';
+  if (/command.*injection/.test(v)) return 'command-injection';
+  if (/xss|cross.site/.test(v)) return 'xss';
+  if (/ssrf/.test(v)) return 'ssrf';
+  if (/idor/.test(v)) return 'idor';
+  if (/missing.auth/.test(v)) return 'missing-authz';
+  if (/broken.auth|jwt|session/.test(v)) return 'broken-auth';
+  if (/csrf/.test(v)) return 'csrf';
+  if (/path.travers/.test(v)) return 'path-traversal';
+  if (/open.redirect/.test(v)) return 'open-redirect';
+  if (/webhook.*sign/.test(v)) return 'webhook-no-signature';
+  if (/max_tokens|unbounded/.test(v)) return 'unbounded-llm';
+  return 'unknown';
+}
+
+export function runCounterfactual(findings, fileContents) {
+  const controls = detectControls(fileContents);
+  if (!controls.length) return { spofControls: [], note: 'no-controls-detected' };
+
+  // For each control, count how many findings it currently mitigates and
+  // how many would become exposed if it were removed.
+  const byMitigates = new Map();
+  for (const c of controls) {
+    const key = `${c.name}@${c.file}:${c.line}`;
+    if (!byMitigates.has(key)) byMitigates.set(key, { control: c, exposedIfRemoved: [] });
+  }
+
+  if (Array.isArray(findings)) {
+    for (const f of findings) {
+      if (!f || typeof f !== 'object') continue;
+      const fam = familyOfFinding(f);
+      if (fam === 'unknown') continue;
+      // A control that's in the same file as the finding (proxy for "this
+      // route uses this control") and that lists `fam` in its mitigates set
+      // is treated as a current mitigator.
+      for (const [key, rec] of byMitigates) {
+        if (rec.control.file !== f.file) continue;
+        if (!rec.control.mitigates.includes(fam)) continue;
+        // Only flag the finding as "exposed if removed" if it currently has
+        // severity high+ — small bugs don't deserve a SPOF alarm.
+        if (['critical', 'high'].includes(f.severity)) {
+          rec.exposedIfRemoved.push({ family: fam, file: f.file, line: f.line, severity: f.severity });
+        }
+      }
+    }
+  }
+
+  const spofControls = [];
+  for (const [, rec] of byMitigates) {
+    if (rec.exposedIfRemoved.length >= 3) {
+      spofControls.push({
+        control: rec.control.name,
+        location: `${rec.control.file}:${rec.control.line}`,
+        wouldExpose: rec.exposedIfRemoved.length,
+        examples: rec.exposedIfRemoved.slice(0, 5),
+        recommendation: `${rec.control.name} at ${rec.control.file}:${rec.control.line} is a single point of failure for ${rec.exposedIfRemoved.length} high+ findings. Consider redundant defense-in-depth.`,
+      });
+    }
+  }
+  return { spofControls, controlsDetected: controls.length };
+}

package/src/posture/cross-lang-graphql.js

@@ -0,0 +1,165 @@
+import { isChainWorthy, familyForBoundary } from './cross-lang-meta.js';
+
+// GraphQL resolver-to-resolver cross-language taint (Sentinel-parity FR-DET-3).
+//
+// Parses GraphQL SDL files (.graphql / .gql / .schema.graphql) and detects
+// resolver implementations. When a high+ finding sits inside one resolver,
+// and another resolver references the same Type/field via parent/context,
+// the engine reports a cross-resolver chain.
+//
+// We also catch client query call sites (Apollo Client, urql, graphql-request)
+// referencing a Query/Mutation by name and pair them with the server resolver
+// the same way the OpenAPI module pairs HTTP routes.
+
+function parseSchemas(fileContents) {
+  // Returns { types: Map<typeName, {fields: Map<fieldName, {file, line, returnType?}>}>,
+  //           queries: Map<queryName, {file, line, returnType?}>,
+  //           mutations: Map<mutationName, ...> }
+  const types = new Map();
+  const queries = new Map();
+  const mutations = new Map();
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!/\.(?:graphql|gql|schema\.graphql)$/i.test(fp)) continue;
+    if (typeof c !== 'string' || c.length > 500_000) continue;
+    // Type declarations: type X { field: T  field2(arg: Y): Z }
+    const typeRe = /\btype\s+(\w+)\s*(?:implements\s+[^{]+)?\{([\s\S]*?)\}/g;
+    let tm;
+    while ((tm = typeRe.exec(c))) {
+      const tName = tm[1];
+      const body = tm[2];
+      const fields = new Map();
+      const fieldRe = /^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*([\w!\[\]]+)/gm;
+      let fm;
+      while ((fm = fieldRe.exec(body))) {
+        const line = c.substring(0, tm.index + (fm.index || 0)).split('\n').length;
+        fields.set(fm[1], { file: fp, line, returnType: fm[2] });
+      }
+      if (tName === 'Query') for (const [k, v] of fields) queries.set(k, v);
+      else if (tName === 'Mutation') for (const [k, v] of fields) mutations.set(k, v);
+      else types.set(tName, { fields });
+    }
+  }
+  return { types, queries, mutations };
+}
+
+// Detect server resolvers. Patterns vary by framework:
+//   Apollo Server: const resolvers = { Query: { foo(parent, args, ctx) {...} } }
+//   GraphQL-JS:    new GraphQLSchema({ types: ..., resolve(parent, args, ctx) }
+//   NestJS:        @Query() foo() {} / @Mutation() / @ResolveField()
+//   Hot Chocolate (.NET): [ExtendObjectType(Name="Query")] ... GetFoo(...)
+//   Strawberry / Graphene (Python): @strawberry.field def foo(): ...
+function findResolvers(fileContents, schema) {
+  const found = [];
+  const allKnown = new Set([
+    ...schema.queries.keys(),
+    ...schema.mutations.keys(),
+  ]);
+  for (const t of schema.types.values()) for (const k of t.fields.keys()) allKnown.add(k);
+  if (!allKnown.size) return found;
+
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|cs|rb|go|java|kt)$/i.test(fp)) continue;
+    // Only spend regex budget on files that look graphql-related. Heuristics:
+    //   - content references graphql / apollo / gql backticks / NestJS / Strawberry / Graphene
+    //   - filename contains "resolver", "schema", "graphql", "mutation", "query"
+    const looksGraphqlByContent = /(?:graphql|GraphQL|apollo|@nestjs\/graphql|strawberry|graphene|HotChocolate|gql\s*`|const\s+resolvers\s*=)/i.test(c);
+    const looksGraphqlByName    = /(?:resolver|schema|graphql|mutations?|queries?)\b/i.test(fp);
+    if (!looksGraphqlByContent && !looksGraphqlByName) continue;
+
+    for (const fieldName of allKnown) {
+      // Property-style resolver:  fieldName(parent, args, ctx) { ... }
+      // Or: fieldName: async (parent, args, ctx) => ...
+      const reA = new RegExp(`\\b${fieldName}\\s*\\(\\s*\\w+\\s*,\\s*\\w+\\s*,\\s*\\w+\\s*\\)\\s*\\{`, 'g');
+      const reB = new RegExp(`\\b${fieldName}\\s*:\\s*(?:async\\s+)?\\(?\\s*\\w+\\s*,\\s*\\w+\\s*,\\s*\\w+\\s*\\)?\\s*=>`, 'g');
+      // NestJS decorator: @Query(() => X) async fieldName(...)
+      const reC = new RegExp(`@(?:Query|Mutation|ResolveField)\\s*\\([^)]*\\)\\s*\\n?\\s*(?:async\\s+)?${fieldName}\\s*\\(`, 'g');
+      // Python decorator: @strawberry.field def field_name(...)
+      const snakeName = fieldName.replace(/[A-Z]/g, (s, i) => (i ? '_' : '') + s.toLowerCase());
+      const reD = new RegExp(`@strawberry\\.field\\s*(?:\\([^)]*\\))?\\s*def\\s+${snakeName}\\s*\\(`, 'g');
+
+      for (const re of [reA, reB, reC, reD]) {
+        let m;
+        while ((m = re.exec(c))) {
+          const line = c.substring(0, m.index).split('\n').length;
+          found.push({ file: fp, line, field: fieldName,
+                       snippet: (c.split('\n')[line - 1] || '').trim().slice(0, 200) });
+        }
+      }
+    }
+  }
+  return found;
+}
+
+// Client query call sites. Apollo / urql / graphql-request style:
+//   useQuery(GET_USER) / client.query({query: GET_USER}) / gql`query { user { ... } }`
+function findClientQueries(fileContents, schema) {
+  const allKnown = new Set([...schema.queries.keys(), ...schema.mutations.keys()]);
+  if (!allKnown.size) return [];
+  const found = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go)$/i.test(fp)) continue;
+    if (!/(?:gql\s*`|useQuery|useMutation|client\.query\(|client\.mutate\(|graphql\s*`)/i.test(c)) continue;
+    // Look for `gql`query { fieldName ...`` patterns or `mutation { fieldName ...`
+    for (const queryName of allKnown) {
+      const re = new RegExp(`(?:query|mutation)\\b[^\`]{0,400}?\\b${queryName}\\s*[\\(\\{]`, 'g');
+      let m;
+      while ((m = re.exec(c))) {
+        const line = c.substring(0, m.index).split('\n').length;
+        found.push({ file: fp, line, query: queryName,
+                     snippet: (c.split('\n')[line - 1] || '').trim().slice(0, 200) });
+      }
+    }
+  }
+  return found;
+}
+
+export function scanCrossLangGraphql(fileContents, existingFindings) {
+  const schema = parseSchemas(fileContents);
+  const totalDecls = schema.queries.size + schema.mutations.size + schema.types.size;
+  if (totalDecls === 0) return [];
+
+  const resolvers = findResolvers(fileContents, schema);
+  if (resolvers.length === 0) return [];
+  const clients = findClientQueries(fileContents, schema);
+
+  const findingsByFile = new Map();
+  for (const f of existingFindings || []) {
+    if (!f.file || !/critical|high/i.test(f.severity || '')) continue;
+    if (!isChainWorthy(f)) continue;   // FR-CHAIN-FILTER
+    if (!findingsByFile.has(f.file)) findingsByFile.set(f.file, []);
+    findingsByFile.get(f.file).push(f);
+  }
+
+  const out = [];
+  for (const c of clients) {
+    const impls = resolvers.filter(r => r.field === c.query);
+    for (const impl of impls) {
+      const fs = findingsByFile.get(impl.file) || [];
+      if (!fs.length) continue;
+      const seed = fs[0];
+      out.push({
+        id: `xlang-graphql:${c.file}:${c.line}:${c.query}`,
+        file: c.file, line: c.line,
+        vuln: `Cross-Language Taint (GraphQL): query ${c.query} → resolver in ${impl.file}:${impl.line} carries ${seed.severity}`,
+        severity: 'high',
+        cwe: seed.cwe || 'CWE-862',
+        snippet: c.snippet,
+        remediation: `The GraphQL field "${c.query}" is resolved at ${impl.file}:${impl.line} where "${seed.vuln}" was reported. Fix the resolver-side finding first; any client that consumes the response inherits the underlying risk.`,
+        parser: 'XLANG-GRAPHQL',
+        family: familyForBoundary('graphql'),   // FR-FAMILY-REGISTRY
+        confidence: 0.6,
+        cross_language: true,
+        chain: [
+          { file: c.file,    line: c.line,    label: `query ${c.query}` },
+          { file: impl.file, line: impl.line, label: `resolver ${impl.field}` },
+          { file: seed.file, line: seed.line, label: seed.vuln },
+        ],
+      });
+    }
+  }
+  return out;
+}

package/src/posture/cross-lang-grpc.js

@@ -0,0 +1,166 @@
+import { isChainWorthy, familyForBoundary } from './cross-lang-meta.js';
+
+// gRPC / .proto cross-language taint propagation (Sentinel-parity FR-DET-3).
+//
+// When a project ships .proto files alongside server impls and client stubs,
+// the engine can correlate them:
+//
+//   service UserService {
+//     rpc GetUser(GetUserRequest) returns (User);
+//   }
+//
+//   // server (Go / Java / Python / Node)
+//   func (s *userServer) GetUser(ctx, req) (*User, error) { ... }
+//
+//   // client
+//   resp, err := client.GetUser(ctx, &pb.GetUserRequest{...})
+//
+// We pair the GetUser call site (client) with the GetUser implementation
+// (server). When the server implementation file has high+ findings, we emit
+// a cross_language:true chain to the client call site so engineers see the
+// transitive risk.
+
+function parseProtoFiles(fileContents) {
+  // Returns { services: Map<serviceName, {file, methods: Set<methodName>}> }
+  const services = new Map();
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!fp.endsWith('.proto')) continue;
+    if (typeof c !== 'string' || c.length > 500_000) continue;
+    const blockRe = /\bservice\s+(\w+)\s*\{([^}]*)\}/g;
+    let bm;
+    while ((bm = blockRe.exec(c))) {
+      const svcName = bm[1];
+      const body = bm[2] || '';
+      const methods = new Set();
+      const methodRe = /\brpc\s+(\w+)\s*\(/g;
+      let mm;
+      while ((mm = methodRe.exec(body))) methods.add(mm[1]);
+      services.set(svcName, { file: fp, methods });
+    }
+  }
+  return services;
+}
+
+// Find client-side gRPC call sites. The generated stubs call <ServiceName>Client
+// (Go / Java / Node) or <service_name>Stub (Python) — but the method name on
+// the receiver is what we match.
+function findClientCalls(fileContents, services) {
+  const allMethods = new Set();
+  for (const s of services.values()) for (const m of s.methods) allMethods.add(m);
+  if (!allMethods.size) return [];
+  const found = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go|java|kt|rb|cs)$/i.test(fp)) continue;
+    // <receiver>.<MethodName>(<ctx>, <req>)  — generic client invocation.
+    // We look for any of the proto-declared method names being called on an
+    // object that looks like a client (camelCase identifier ending in "Client"
+    // or "Stub", OR any identifier when the method name is uncommon enough).
+    const re = /\b(\w+)\s*\.\s*(\w+)\s*\(/g;
+    let m;
+    while ((m = re.exec(c))) {
+      const methodName = m[2];
+      if (!allMethods.has(methodName)) continue;
+      const recv = m[1];
+      // Heuristic: receiver name suggests "client" or "stub" — reduces FPs.
+      // Skip generic names that are too common (.map, .filter, etc.).
+      if (!/(?:client|stub|conn|svc|service)/i.test(recv)) continue;
+      const line = c.substring(0, m.index).split('\n').length;
+      found.push({ file: fp, line, method: methodName, receiver: recv,
+                   snippet: (c.split('\n')[line - 1] || '').trim().slice(0, 200) });
+    }
+  }
+  return found;
+}
+
+// Find server impls — methods on a struct/class that match a proto method.
+function findServerImpls(fileContents, services) {
+  const allMethods = new Set();
+  for (const s of services.values()) for (const m of s.methods) allMethods.add(m);
+  if (!allMethods.size) return [];
+  const found = [];
+  // Patterns vary by language:
+  //   Go:    func (s *userServer) GetUser(ctx, req) (*User, error) {
+  //   Java:  public User getUser(GetUserRequest req) {  (note: lower-cased)
+  //   Python: def GetUser(self, request, context):
+  //   Node:  async getUser(call, callback) {  (lower-camel)
+  // We match on either the exact proto name OR its lower-camel variant.
+  function expand(m) {
+    return new Set([m, m.charAt(0).toLowerCase() + m.slice(1)]);
+  }
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    if (!/\.(?:go|java|kt|py|rb|js|ts|cs)$/i.test(fp)) continue;
+    for (const method of allMethods) {
+      const variants = [...expand(method)];
+      // Approximate detection: a function/method definition whose name is
+      // one of the variants, AND the file has 'pb' / 'proto' / 'grpc' import.
+      if (!/(?:grpc|pb|protobuf|protoc-gen|@grpc\/grpc-js|google\.protobuf)/i.test(c)) continue;
+      const altList = variants.map(v => v.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|');
+      // Accept any function-definition shape (Go, Java, Python, JS function /
+      // arrow / class method) whose name is one of the proto-method variants
+      // AND whose arg list starts with `<ident>,` (the gRPC call / context).
+      const defRe = new RegExp(
+        `\\b(?:func\\s+\\([^)]*\\)\\s+|public\\s+\\w[\\w<>,\\s]*\\s+|async\\s+|def\\s+|function\\s+|exports\\.\\s*)?` +
+        `(?:${altList})\\s*\\(\\s*\\w+\\s*,`,
+        'g'
+      );
+      let dm;
+      while ((dm = defRe.exec(c))) {
+        const line = c.substring(0, dm.index).split('\n').length;
+        found.push({ file: fp, line, method,
+                     snippet: (c.split('\n')[line - 1] || '').trim().slice(0, 200) });
+      }
+    }
+  }
+  return found;
+}
+
+export function scanCrossLangGrpc(fileContents, existingFindings) {
+  const services = parseProtoFiles(fileContents);
+  if (services.size === 0) return [];
+  const clients = findClientCalls(fileContents, services);
+  if (clients.length === 0) return [];
+  const servers = findServerImpls(fileContents, services);
+  if (servers.length === 0) return [];
+
+  // Index findings by file — high+ AND chain-worthy only (FR-CHAIN-FILTER).
+  const findingsByFile = new Map();
+  for (const f of existingFindings || []) {
+    if (!f.file || !/critical|high/i.test(f.severity || '')) continue;
+    if (!isChainWorthy(f)) continue;
+    if (!findingsByFile.has(f.file)) findingsByFile.set(f.file, []);
+    findingsByFile.get(f.file).push(f);
+  }
+
+  const out = [];
+  for (const c of clients) {
+    const impls = servers.filter(s => s.method === c.method);
+    for (const impl of impls) {
+      const fs = findingsByFile.get(impl.file) || [];
+      if (!fs.length) continue;
+      const seed = fs[0];
+      out.push({
+        id: `xlang-grpc:${c.file}:${c.line}:${c.method}`,
+        file: c.file, line: c.line,
+        vuln: `Cross-Language Taint (gRPC): client call → ${c.method} (server impl in ${impl.file}:${impl.line} carries ${seed.severity})`,
+        severity: 'high',
+        cwe: seed.cwe || 'CWE-862',
+        snippet: c.snippet,
+        remediation: `The gRPC method ${c.method} is implemented in ${impl.file}:${impl.line} where "${seed.vuln}" was reported. Any client that propagates the response into a sensitive sink inherits the underlying risk. Fix the server-side finding first.`,
+        parser: 'XLANG-GRPC',
+        family: familyForBoundary('grpc'),   // FR-FAMILY-REGISTRY
+        confidence: 0.65,
+        cross_language: true,
+        chain: [
+          { file: c.file,   line: c.line,   label: `client.${c.method}` },
+          { file: impl.file, line: impl.line, label: `impl ${impl.method}` },
+          { file: seed.file, line: seed.line, label: seed.vuln },
+        ],
+      });
+    }
+  }
+  return out;
+}