@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/cross-lang-meta.js

@@ -0,0 +1,101 @@
+// Cross-language chain metadata (FR-CHAIN-FILTER + FR-FAMILY-REGISTRY).
+//
+// Phase-1 polyglot bench revealed two issues with the cross-language chain
+// detectors:
+//
+//   1. Chains fired on ANY high-severity finding in the linked file. That
+//      included CSRF, header-hardening, body-parser DoS — incidental issues
+//      that have nothing to do with what flows across the language boundary.
+//      The chain was semantically wrong.
+//
+//   2. Chain findings got auto-slugged family names like
+//      `cross-language-taint-client-call-post-us` (truncated to 40 chars).
+//      Ugly, brittle, and useless for filtering downstream.
+//
+// Both fixed here. The cross-lang-* modules import these helpers; the
+// helpers are tested in isolation so the contract is auditable.
+
+// ─── FR-CHAIN-FILTER ────────────────────────────────────────────────────────
+//
+// Only emit a cross-language chain when the linked finding is in a family
+// that propagates meaningfully across a service boundary. CSRF on the OTHER
+// side of a queue tells you nothing useful; SQL injection does.
+
+const CHAIN_WORTHY_FAMILIES = new Set([
+  'sql-injection',
+  'command-injection',
+  'xss',
+  'ssrf',
+  'code-injection',
+  'insecure-deserialization',
+  'xxe',
+  'path-traversal',
+  'jndi-injection',
+  'ldap-injection',
+  'xpath-injection',
+  'nosql-injection',
+  'ssti',
+  'idor',                // ownership flows across language boundary
+  'mass-assignment',     // request-body taint flows
+  'prototype-pollution', // pollution flows through JSON
+]);
+
+// Substring patterns we'll treat as chain-worthy when finding.family is not set.
+// Lets callers (especially unit tests) pass minimal finding objects without
+// requiring the dedupe pipeline to have stamped family first.
+const CHAIN_WORTHY_VULN_PATTERNS = [
+  /\bSQL Injection\b/i, /\bCommand Injection\b/i, /\bXSS\b/i, /\bSSRF\b/i,
+  /\bCode Injection\b/i, /\bDeserialization\b/i, /\bXXE\b/i,
+  /\bPath Traversal\b/i, /\bJNDI\b/i, /\bLDAP Injection\b/i,
+  /\bXPath Injection\b/i, /\bNoSQL Injection\b/i, /\bSSTI\b/i,
+  /\bIDOR\b/i, /\bMass Assignment\b/i, /\bPrototype Pollution\b/i,
+];
+
+/**
+ * Is this finding eligible to be the "tail" of a cross-language chain?
+ * Returns true only for families whose taint genuinely propagates across
+ * a service boundary. Falls back to a vuln-string substring check when
+ * the finding object has no `family` field yet.
+ */
+export function isChainWorthy(finding) {
+  if (!finding || typeof finding !== 'object') return false;
+  const fam = finding.family;
+  if (fam) return CHAIN_WORTHY_FAMILIES.has(fam);
+  const vuln = finding.vuln;
+  if (typeof vuln !== 'string') return false;
+  return CHAIN_WORTHY_VULN_PATTERNS.some(re => re.test(vuln));
+}
+
+/**
+ * Filter a list of high-severity findings down to the chain-worthy ones.
+ */
+export function chainWorthyFindings(findings) {
+  if (!Array.isArray(findings)) return [];
+  return findings.filter(isChainWorthy);
+}
+
+// ─── FR-FAMILY-REGISTRY ─────────────────────────────────────────────────────
+//
+// Each cross-language detector has a canonical family name. Reports filter
+// by these stable strings instead of an auto-slug of the chain's vuln text.
+
+export const XLANG_FAMILIES = Object.freeze({
+  openapi: 'xlang-openapi',
+  grpc:    'xlang-grpc',
+  graphql: 'xlang-graphql',
+  queue:   'xlang-queue',
+  orm:     'xlang-orm',
+  iac:     'xlang-iac',
+});
+
+/**
+ * Resolve the canonical family for a cross-language chain by the boundary
+ * type that produced it. Detectors call this when emitting chain findings.
+ */
+export function familyForBoundary(boundary) {
+  if (typeof boundary !== 'string') return 'xlang-unknown';
+  return XLANG_FAMILIES[boundary] || 'xlang-unknown';
+}
+
+// For tests + the no-dead-modules check.
+export const _internals = { CHAIN_WORTHY_FAMILIES };

package/src/posture/cross-lang-openapi.js

@@ -0,0 +1,187 @@
+import { isChainWorthy, familyForBoundary } from './cross-lang-meta.js';
+
+// OpenAPI-aware cross-language taint propagation (Sentinel-parity FR-X-1).
+//
+// First-cut implementation: when an openapi.json / openapi.yaml is present in
+// the scan root, build a map from (method, path) → endpoint description. For
+// any client-side fetch/axios/requests call whose URL matches a known
+// endpoint AND whose response is then passed to a sink (SQL, exec, write,
+// innerHTML), emit a `cross_language: true` finding that ties the client
+// site to the server route as a chain.
+//
+// Conservative on purpose: only flow taint when BOTH endpoints are
+// unambiguously mapped. Ambiguous matches produce zero findings rather than
+// false positives.
+//
+// Out of scope (deferred to a follow-up): gRPC .proto introspection, GraphQL
+// resolver-to-resolver tracking, SQL/ORM round-trip, message queues.
+
+import * as yaml from 'js-yaml';
+
+function loadOpenAPI(fileContents) {
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    const base = fp.split('/').pop().toLowerCase();
+    if (!/openapi\.(?:ya?ml|json)$|swagger\.(?:ya?ml|json)$/.test(base)) continue;
+    try {
+      const doc = /\.json$/i.test(base) ? JSON.parse(c) : yaml.load(c);
+      if (doc && doc.paths) return { doc, file: fp };
+    } catch { /* ignore */ }
+  }
+  return null;
+}
+
+function endpoints(doc) {
+  const out = [];
+  if (!doc || !doc.paths) return out;
+  for (const [p, methods] of Object.entries(doc.paths)) {
+    for (const m of Object.keys(methods)) {
+      if (!/^(?:get|post|put|patch|delete|options|head)$/i.test(m)) continue;
+      // staticPrefix = the literal prefix before the first {param} or :param.
+      // Used to match client URLs that look like '/users/' + id where the only
+      // static piece is the prefix.
+      const staticPrefix = p.split(/\{|:/)[0];
+      out.push({
+        method: m.toUpperCase(),
+        path: p,
+        staticPrefix,
+        urlRegex: new RegExp(
+          '^' +
+          p.replace(/[.+^$()|[\]\\]/g, '\\$&')
+           .replace(/\{[^}]+\}/g, '[^/?#]+')
+           .replace(/:[A-Za-z_][\w]*/g, '[^/?#]+') +
+          '$'
+        ),
+      });
+    }
+  }
+  return out;
+}
+
+function urlMatchesEndpoint(url, ep) {
+  const clean = url.replace(/^https?:\/\/[^/]+/, '').split('?')[0];
+  if (ep.urlRegex.test(clean)) return true;
+  // Soft match: client URL is a concat — the literal we see is just the
+  // static prefix up to a path parameter.
+  if (ep.staticPrefix && ep.staticPrefix.length >= 3 && clean === ep.staticPrefix) return true;
+  // Also match when the client wrote the path WITH a templated placeholder.
+  if (clean === ep.path) return true;
+  return false;
+}
+
+// Find client-side HTTP calls that match an OpenAPI endpoint.
+// Returns Array<{ file, line, method, path, snippet }>
+function clientCalls(fileContents, eps) {
+  const CALL_RE = /\b(?:fetch|axios(?:\.(?:get|post|put|patch|delete))?|requests\.(?:get|post|put|patch|delete)|http\.request|urllib\.request\.urlopen)\s*\(\s*([`'"])([^`'"]+)\1/g;
+  const out = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    let m;
+    const r = new RegExp(CALL_RE.source, CALL_RE.flags);
+    while ((m = r.exec(c))) {
+      const url = m[2];
+      const ep = eps.find(e => urlMatchesEndpoint(url, e));
+      if (!ep) continue;
+      const line = c.substring(0, m.index).split('\n').length;
+      out.push({
+        file: fp, line,
+        method: ep.method, path: ep.path,
+        snippet: (c.split('\n')[line - 1] || '').trim().slice(0, 200),
+      });
+    }
+  }
+  return out;
+}
+
+// Match an endpoint to its server-side route handler. Looks for express's
+// app.METHOD(path, ...) or fastapi's @app.METHOD(path) or Flask's @app.route.
+function serverRoutes(fileContents, eps) {
+  const ROUTE_RE = [
+    // Express / Fastify / Koa
+    { lang: 'js', re: /\b(?:app|router|server|fastify)\s*\.\s*(get|post|put|patch|delete)\s*\(\s*([`'"])([^`'"]+)\2/gi },
+    // FastAPI
+    { lang: 'py', re: /@\w+\s*\.\s*(get|post|put|patch|delete)\s*\(\s*([`'"])([^`'"]+)\2/gi },
+    // Flask. The `methods=['POST']` part needs to anchor on the opening quote
+    // of the method literal, otherwise `[^\]]*` greedy-consumes most of it
+    // and only the last letter ends up in the capture group.
+    { lang: 'py', re: /@(?:app|bp|blueprint)\s*\.\s*route\s*\(\s*([`'"])([^`'"]+)\1[^)]*methods\s*=\s*\[\s*['"]([A-Z]+)/gi },
+  ];
+  const out = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    for (const { lang, re } of ROUTE_RE) {
+      if (lang === 'js' && !/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) continue;
+      if (lang === 'py' && !/\.py$/i.test(fp)) continue;
+      const r = new RegExp(re.source, re.flags);
+      let m;
+      while ((m = r.exec(c))) {
+        let method, urlPattern;
+        if (re === ROUTE_RE[2].re) { urlPattern = m[2]; method = (m[3] || 'GET').toUpperCase(); }
+        else { method = (m[1] || '').toUpperCase(); urlPattern = m[3]; }
+        const ep = eps.find(e =>
+          e.method === method && urlMatchesEndpoint(urlPattern, e));
+        if (!ep) continue;
+        const line = c.substring(0, m.index).split('\n').length;
+        out.push({ file: fp, line, method, path: ep.path });
+      }
+    }
+  }
+  return out;
+}
+
+// Top-level: returns Finding[] describing client-side calls whose response is
+// returned from a server-side handler that itself has tainted-input findings.
+export function scanCrossLangOpenAPI(fileContents, existingFindings) {
+  const oa = loadOpenAPI(fileContents);
+  if (!oa) return [];
+  const eps = endpoints(oa.doc);
+  if (eps.length === 0) return [];
+  const callers = clientCalls(fileContents, eps);
+  if (callers.length === 0) return [];
+  const handlers = serverRoutes(fileContents, eps);
+  if (handlers.length === 0) return [];
+
+  // Index existing findings by file. A handler is "tainted-output" if any
+  // critical/high finding sits in its file AND it's chain-worthy
+  // (FR-CHAIN-FILTER) — CSRF, header-hardening etc. don't propagate across
+  // a service boundary in a useful way.
+  const findingsByFile = new Map();
+  for (const f of existingFindings || []) {
+    if (!f.file) continue;
+    if (!/critical|high/i.test(f.severity || '')) continue;
+    if (!isChainWorthy(f)) continue;
+    if (!findingsByFile.has(f.file)) findingsByFile.set(f.file, []);
+    findingsByFile.get(f.file).push(f);
+  }
+
+  const findings = [];
+  for (const c of callers) {
+    const matching = handlers.filter(h => h.method === c.method && h.path === c.path);
+    for (const h of matching) {
+      const fs = findingsByFile.get(h.file) || [];
+      if (!fs.length) continue;
+      const seed = fs[0];
+      findings.push({
+        id: `xlang-openapi:${c.file}:${c.line}:${h.method}-${h.path}`,
+        file: c.file, line: c.line,
+        vuln: `Cross-Language Taint: client call → ${h.method} ${h.path} (server handler in ${h.file}:${h.line} has a ${seed.severity} finding)`,
+        severity: 'high',
+        cwe: seed.cwe || 'CWE-862',
+        stride: 'Information Disclosure',
+        snippet: c.snippet,
+        remediation: `The server-side handler for ${h.method} ${h.path} (${h.file}:${h.line}) has unaddressed ${seed.severity}-severity findings — specifically "${seed.vuln}". A response from that handler that flows into a client-side sink (innerHTML, eval, exec) propagates the underlying issue. Fix the server-side finding first.`,
+        parser: 'XLANG-OPENAPI',
+        family: familyForBoundary('openapi'),   // FR-FAMILY-REGISTRY
+        confidence: 0.65,
+        cross_language: true,
+        chain: [
+          { file: c.file, line: c.line, label: 'client-call' },
+          { file: h.file, line: h.line, label: `${h.method} ${h.path}` },
+          { file: seed.file, line: seed.line, label: seed.vuln },
+        ],
+      });
+    }
+  }
+  return findings;
+}

package/src/posture/cross-lang-orm.js

@@ -0,0 +1,153 @@
+import { isChainWorthy, familyForBoundary } from './cross-lang-meta.js';
+
+// SQL / ORM round-trip taint (Sentinel-parity FR-DET-3).
+//
+// When a tainted value is written to column C of table T via an ORM `create`
+// or `update`, subsequent reads of T.C are tainted — the database is just a
+// persistence layer, not a sanitizer. This module builds a table.column→
+// tainted-source registry and emits chains.
+//
+// Coverage:
+//   - JS/TS: Mongoose (.create / .save / .findOne), Sequelize, Prisma
+//   - Python: SQLAlchemy session.add, Django ORM .objects.create / .filter
+//   - Ruby: ActiveRecord Model.create / Model.where
+//   - Go:   GORM .Create / .Where
+//   - PHP:  Eloquent ::create / ::where
+//
+// The detector is necessarily heuristic; we name table+column by best-effort.
+
+const TAINT_HINTS = /\b(req|request|ctx\.request|params|input|userInput|body|query|cookies|headers)\b/;
+
+// Identify ORM writes that bind a literal field name to a tainted value.
+// Returns [{file, line, model, field, taintHint}].
+function findOrmWrites(fileContents) {
+  const out = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    const lang = (fp.match(/\.([a-z]+)$/i) || [])[1] || '';
+    if (!/^(?:js|jsx|ts|tsx|mjs|cjs|py|rb|go|php)$/i.test(lang)) continue;
+
+    // Match patterns like  Model.create({ <field>: <expr-with-taint> })
+    // or  await Model.create({ data: { <field>: <expr> } })  (Prisma)
+    const reJsPyRb = /\b([A-Z]\w+)\s*\.\s*(?:create|save|update|build|insert|upsert)\s*\(\s*\{([^}]{0,500})\}/g;
+    let m;
+    while ((m = reJsPyRb.exec(c))) {
+      const model = m[1];
+      const body = m[2];
+      // Prisma wraps under `data: { ... }`
+      const prismaInner = body.match(/data\s*:\s*\{([^}]{0,400})\}/);
+      const fields = prismaInner ? prismaInner[1] : body;
+      const fieldRe = /\b(\w+)\s*:\s*([^,}\n]+)/g;
+      let fm;
+      while ((fm = fieldRe.exec(fields))) {
+        const field = fm[1];
+        const val = fm[2].trim();
+        if (TAINT_HINTS.test(val)) {
+          const line = c.substring(0, m.index).split('\n').length;
+          out.push({ file: fp, line, model, field, val: val.slice(0, 60) });
+        }
+      }
+    }
+    // Python kwargs:  Model.objects.create(field1=value, field2=value)
+    const rePyKw = /\b([A-Z]\w+)\.objects\.create\s*\(([^)]{0,500})\)/g;
+    while ((m = rePyKw.exec(c))) {
+      const model = m[1];
+      const body = m[2];
+      const kwRe = /\b(\w+)\s*=\s*([^,)]+)/g;
+      let km;
+      while ((km = kwRe.exec(body))) {
+        const field = km[1];
+        const val = km[2].trim();
+        if (TAINT_HINTS.test(val)) {
+          const line = c.substring(0, m.index).split('\n').length;
+          out.push({ file: fp, line, model, field, val: val.slice(0, 60) });
+        }
+      }
+    }
+    // GORM:  db.Create(&user)  or  db.Model(&User{}).Where(...).Update("col", val)
+    const reGormUpdate = /db\s*\.\s*(?:Model\([^)]*\)\s*\.\s*)?(?:Where[^.]*\.\s*)?Update\s*\(\s*"(\w+)"\s*,\s*([^)]+)\)/g;
+    while ((m = reGormUpdate.exec(c))) {
+      const field = m[1];
+      const val = m[2].trim();
+      if (TAINT_HINTS.test(val)) {
+        const line = c.substring(0, m.index).split('\n').length;
+        out.push({ file: fp, line, model: '<gorm>', field, val: val.slice(0, 60) });
+      }
+    }
+  }
+  return out;
+}
+
+// Find ORM reads — any Model.findX / Model.where / Model.filter / db.Query / etc.
+// that READS column C and BINDS its value into a downstream use.
+// Returns [{file, line, model, field}] candidate read sites.
+function findOrmReads(fileContents) {
+  const out = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    // Match Model.findX(...) / Model.objects.filter(...) / Model.where(...)
+    const reRead = /\b([A-Z]\w+)\s*\.\s*(?:findOne|findAll|findBy\w*|find|findById|first|last|where|filter|objects\.get|objects\.filter|objects\.all)\s*\(/g;
+    let m;
+    while ((m = reRead.exec(c))) {
+      const model = m[1];
+      const line = c.substring(0, m.index).split('\n').length;
+      out.push({ file: fp, line, model });
+    }
+  }
+  return out;
+}
+
+export function scanCrossLangOrm(fileContents, existingFindings) {
+  const writes = findOrmWrites(fileContents);
+  if (writes.length === 0) return [];
+  const reads = findOrmReads(fileContents);
+  if (reads.length === 0) return [];
+
+  // Index sinks: collect sink lines + their snippets from existing findings.
+  const sinksByFile = new Map();
+  for (const f of existingFindings || []) {
+    const sink = f.sink || f;
+    const file = sink.file || f.file;
+    const line = sink.line || f.line;
+    if (!file || !line) continue;
+    if (!/critical|high|medium/i.test(f.severity || '')) continue;
+    if (!isChainWorthy(f)) continue;   // FR-CHAIN-FILTER
+    if (!sinksByFile.has(file)) sinksByFile.set(file, []);
+    sinksByFile.get(file).push({ line, vuln: f.vuln, severity: f.severity });
+  }
+
+  const out = [];
+  for (const w of writes) {
+    // Find any READ of the same Model — anywhere in the project.
+    const readers = reads.filter(r => r.model === w.model);
+    if (!readers.length) continue;
+    for (const r of readers) {
+      // Check if there's a sink in the reader's file near the read line.
+      const sinksInReadFile = sinksByFile.get(r.file) || [];
+      const nearby = sinksInReadFile.filter(s => Math.abs((s.line || 0) - r.line) <= 20);
+      if (!nearby.length) continue;
+      const seed = nearby[0];
+      out.push({
+        id: `xlang-orm:${w.file}:${w.line}->${r.file}:${r.line}`,
+        file: r.file, line: r.line,
+        vuln: `Cross-Language Taint (ORM round-trip): ${w.model}.${w.field} written tainted at ${w.file}:${w.line} → read at ${r.file}:${r.line} → reaches ${seed.severity} sink`,
+        severity: 'medium',
+        cwe: 'CWE-89',
+        snippet: `(round-trip via ${w.model}.${w.field})`,
+        remediation: `A tainted value is written to ${w.model}.${w.field} at ${w.file}:${w.line} and read at ${r.file}:${r.line}, then flows into "${seed.vuln}". The DB doesn't sanitize — coerce/validate the value on write OR on read, ideally both. For Mongo, ensure the value is a primitive (String(...)) before write; for SQL, parameterize the downstream sink.`,
+        parser: 'XLANG-ORM',
+        family: familyForBoundary('orm'),   // FR-FAMILY-REGISTRY
+        confidence: 0.55,
+        cross_language: true,
+        chain: [
+          { file: w.file, line: w.line, label: `write ${w.model}.${w.field}` },
+          { file: r.file, line: r.line, label: `read ${w.model}` },
+          { file: r.file, line: seed.line, label: seed.vuln },
+        ],
+      });
+    }
+  }
+  return out;
+}

package/src/posture/cross-lang-queues.js

@@ -0,0 +1,210 @@
+import { isChainWorthy, familyForBoundary } from './cross-lang-meta.js';
+
+// Cross-language message-queue taint propagation (FR-XSAT-4 — P1.5).
+//
+// When a project ships producer and consumer code for the same message
+// queue (Kafka topic, AWS SQS queue, RabbitMQ exchange, Redis stream,
+// Google Pub/Sub topic), tainted data flowing into the producer carries
+// through the queue and emerges in the consumer's hand. The engine pairs
+// producer call sites with consumer handlers by topic name; when either
+// end has a high+ finding, we emit a `cross_language: true` chain finding
+// at the OTHER end so engineers see the transitive flow.
+//
+// This module is deliberately conservative: we only emit chains when the
+// producer and consumer agree on the topic name (string literal match).
+// Constant-folded topic names (variables, env vars) get a `topic: 'inferred'`
+// tag and lower confidence rather than dropped — that's the precision/recall
+// trade-off documented in the parent PRD's Pillar-6 honesty commitments.
+//
+// Detectors per queue tech:
+//   Kafka          — kafkajs (Node), confluent-kafka (Python), kafka-clients (Java), sarama (Go)
+//   AWS SQS        — aws-sdk (Node), boto3 (Python), aws-sdk-java
+//   RabbitMQ       — amqplib (Node), pika (Python), RabbitTemplate (Spring)
+//   Redis Streams  — redis (xadd/xread) — Node/Python/Java/Go
+//   Google Pub/Sub — @google-cloud/pubsub (Node), google-cloud-pubsub (Python)
+
+// ─── Topic extraction ──────────────────────────────────────────────────────
+
+// Each regex finds either a producer-write site or a consumer-handler site.
+// Group 1 = topic name (literal or expression text).
+const PRODUCER_PATTERNS = [
+  // Kafka
+  { tech: 'kafka',  re: /\bproducer\s*\.\s*send\s*\(\s*\{[^}]*?topic\s*:\s*['"]([^'"]+)['"]/g },
+  { tech: 'kafka',  re: /\bsendMessage\s*\(\s*['"]([^'"]+)['"]/g },                        // kafka-clients (Java)
+  { tech: 'kafka',  re: /producer\.send\s*\(\s*new\s+ProducerRecord\s*[<(]\s*[^,]*?,\s*['"]([^'"]+)['"]/g },  // Java
+  { tech: 'kafka',  re: /(?:Producer|producer)\.produce\s*\(\s*['"]([^'"]+)['"]/g },        // confluent-kafka Python
+  // SQS
+  { tech: 'sqs',    re: /\bsendMessage\s*\(\s*\{[^}]*?QueueUrl\s*:\s*['"][^'"]*?\/([^'"\/]+)['"]/g },  // aws-sdk node, queue URL ends with name
+  { tech: 'sqs',    re: /\bsend_message\s*\(\s*QueueUrl\s*=\s*['"][^'"]*?\/([^'"\/]+)['"]/g },        // boto3
+  // RabbitMQ
+  { tech: 'rabbit', re: /\bpublish\s*\(\s*['"]([^'"]+)['"]/g },                            // amqplib & pika common
+  { tech: 'rabbit', re: /rabbitTemplate\.convertAndSend\s*\(\s*['"]([^'"]+)['"]/g },        // Spring
+  // Redis streams (multi-language XADD shapes)
+  { tech: 'redis',  re: /\.\s*xadd\s*\(\s*['"]([^'"]+)['"]/gi },                            // node/ioredis: xadd('key', ...)
+  { tech: 'redis',  re: /\bXADD\s+([\w:.-]+)/g },                                          // redis-cli style in code strings
+  { tech: 'redis',  re: /XAddArgs\s*\{\s*Stream\s*:\s*['"]([^'"]+)['"]/g },                // go-redis: &redis.XAddArgs{Stream: "..."}
+  { tech: 'redis',  re: /\.\s*xadd\s*\(\s*name\s*=\s*['"]([^'"]+)['"]/g },                  // python redis-py: xadd(name="...")
+  // Google Pub/Sub
+  { tech: 'pubsub', re: /\btopic\s*\(\s*['"]([^'"]+)['"]\s*\)\s*\.publish/g },             // @google-cloud/pubsub
+  { tech: 'pubsub', re: /publisher\.publish\s*\(\s*topic_path\s*\([^,]+,\s*['"]([^'"]+)['"]/g },  // python
+];
+
+const CONSUMER_PATTERNS = [
+  // Kafka
+  { tech: 'kafka',  re: /\bconsumer\s*\.\s*subscribe\s*\(\s*\{[^}]*?topics?\s*:\s*\[?\s*['"]([^'"]+)['"]/g },
+  { tech: 'kafka',  re: /\.\s*subscribe\s*\(\s*\[\s*['"]([^'"]+)['"]/g },
+  { tech: 'kafka',  re: /@KafkaListener\s*\(\s*topics\s*=\s*\{?\s*['"]([^'"]+)['"]/g },   // Spring Boot
+  // SQS
+  { tech: 'sqs',    re: /\bsqsClient\.receiveMessage\s*\(\s*\{[^}]*?QueueUrl\s*:\s*['"][^'"]*?\/([^'"\/]+)['"]/g },
+  { tech: 'sqs',    re: /\breceive_message\s*\(\s*QueueUrl\s*=\s*['"][^'"]*?\/([^'"\/]+)['"]/g },
+  // RabbitMQ
+  { tech: 'rabbit', re: /\.\s*consume\s*\(\s*['"]([^'"]+)['"]/g },                         // amqplib
+  { tech: 'rabbit', re: /\.\s*basic_consume\s*\(\s*[^,]*,\s*queue\s*=\s*['"]([^'"]+)['"]/g }, // pika
+  { tech: 'rabbit', re: /@RabbitListener\s*\(\s*queues\s*=\s*['"]([^'"]+)['"]/g },         // Spring
+  // Redis streams (multi-language XREAD shapes)
+  { tech: 'redis',  re: /\.\s*xread(?:group)?\s*\(\s*[^)]*?streams\s*:\s*\{?\s*['"]([^'"]+)['"]/gi },
+  { tech: 'redis',  re: /\bXREAD(?:GROUP)?\s+(?:GROUP\s+\S+\s+\S+\s+)?(?:COUNT\s+\d+\s+)?STREAMS\s+([\w:.-]+)/gi },
+  { tech: 'redis',  re: /\.\s*xread\s*\(\s*\{[^}]*?key\s*:\s*['"]([^'"]+)['"]/gi },        // node-redis v4: xread({key:'...'})
+  // Google Pub/Sub
+  { tech: 'pubsub', re: /\bsubscription\s*\(\s*['"]([^'"]+)['"]\s*\)\s*\.on/g },
+  { tech: 'pubsub', re: /\bsubscriber\.subscribe\s*\(\s*subscription_path\s*\([^,]+,\s*['"]([^'"]+)['"]/g },
+];
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+/**
+ * Walk every file looking for queue producer/consumer call sites.
+ * Returns:
+ *   {
+ *     producers: Map<topic, Array<{file, line, tech}>>
+ *     consumers: Map<topic, Array<{file, line, tech}>>
+ *   }
+ *
+ * Topic normalization: lowercase + strip leading slashes (SQS queue URLs
+ * vary by region/account; we key only on the queue name segment).
+ */
+function indexQueueSites(fileContents) {
+  const producers = new Map();
+  const consumers = new Map();
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (typeof c !== 'string' || c.length > 500_000) continue;
+    if (!_looksLikeCodeFile(fp)) continue;
+    for (const { tech, re } of PRODUCER_PATTERNS) {
+      const rx = new RegExp(re.source, re.flags);
+      let m;
+      while ((m = rx.exec(c))) {
+        const topic = _normTopic(m[1]);
+        if (!topic) continue;
+        const line = lineOf(c, m.index);
+        const arr = producers.get(topic) || [];
+        arr.push({ file: fp, line, tech });
+        producers.set(topic, arr);
+      }
+    }
+    for (const { tech, re } of CONSUMER_PATTERNS) {
+      const rx = new RegExp(re.source, re.flags);
+      let m;
+      while ((m = rx.exec(c))) {
+        const topic = _normTopic(m[1]);
+        if (!topic) continue;
+        const line = lineOf(c, m.index);
+        const arr = consumers.get(topic) || [];
+        arr.push({ file: fp, line, tech });
+        consumers.set(topic, arr);
+      }
+    }
+  }
+  return { producers, consumers };
+}
+
+function _normTopic(s) {
+  if (!s || typeof s !== 'string') return '';
+  return s.trim().toLowerCase().replace(/^\/+/, '');
+}
+
+function _looksLikeCodeFile(fp) {
+  return /\.(js|jsx|ts|tsx|mjs|cjs|py|java|kt|go|rb|cs|rs|php|scala|swift)$/i.test(fp);
+}
+
+// ─── Chain emission ─────────────────────────────────────────────────────────
+
+/**
+ * For each (producer, consumer) pair on the same topic, look up high+ findings
+ * at either site and emit a chain finding at the OTHER side.
+ *
+ * Returns an array of chain findings ready to splice into finalFindings.
+ */
+export function scanCrossLangQueues(fileContents, findings) {
+  const { producers, consumers } = indexQueueSites(fileContents);
+  if (!producers.size || !consumers.size) return [];
+  // Index existing findings by (file, line) for fast lookup. Only include
+  // chain-worthy families (FR-CHAIN-FILTER): chaining to a CSRF or
+  // header-hardening finding on the other side of a queue is semantically
+  // meaningless — taint doesn't propagate through those classes.
+  const findingsByFile = new Map();
+  for (const f of findings || []) {
+    if (!f || typeof f !== 'object') continue;
+    if (!/critical|high/.test(f.severity || '')) continue;
+    if (!isChainWorthy(f)) continue;
+    const file = f.file || f.sink?.file;
+    if (!file) continue;
+    const list = findingsByFile.get(file) || [];
+    list.push(f);
+    findingsByFile.set(file, list);
+  }
+  const chains = [];
+  for (const [topic, prodList] of producers) {
+    const consList = consumers.get(topic);
+    if (!consList) continue;
+    for (const prod of prodList) {
+      for (const cons of consList) {
+        // For each producer, see if the consumer file has high+ findings.
+        const consFindings = findingsByFile.get(cons.file) || [];
+        for (const consF of consFindings) {
+          chains.push(_chainFinding({
+            origin: prod, target: cons, topic, sourceFinding: consF, dir: 'producer->consumer',
+          }));
+        }
+        const prodFindings = findingsByFile.get(prod.file) || [];
+        for (const prodF of prodFindings) {
+          chains.push(_chainFinding({
+            origin: cons, target: prod, topic, sourceFinding: prodF, dir: 'consumer->producer',
+          }));
+        }
+      }
+    }
+  }
+  return chains;
+}
+
+function _chainFinding({ origin, target, topic, sourceFinding, dir }) {
+  return {
+    id: `xlang-queue:${origin.file}:${origin.line}->${target.file}:${target.line}:${topic}`,
+    file: origin.file,
+    line: origin.line,
+    vuln: `Cross-language taint via ${target.tech} topic '${topic}' — ${dir} — reaches ${sourceFinding.vuln}`,
+    severity: _downgradeSeverity(sourceFinding.severity),
+    cwe: sourceFinding.cwe || null,
+    parser: 'XLANG-QUEUE',
+    family: familyForBoundary('queue'),       // FR-FAMILY-REGISTRY: canonical name
+    cross_language: true,
+    boundary: 'queue',
+    topic,
+    tech: target.tech,
+    confidence: 0.6,
+    source: { file: origin.file, line: origin.line, label: `${target.tech} producer (topic ${topic})` },
+    sink:   { file: target.file, line: target.line, label: `${target.tech} consumer reaches ${sourceFinding.vuln}` },
+    remediation: `A tainted message written to '${topic}' is read by a handler with a high-severity finding (${sourceFinding.cwe || sourceFinding.vuln}). Validate the payload at both ends: producer should not forward unsanitized request data; consumer should treat the queue body as untrusted.`,
+    snippet: `// taint flows: ${origin.file}:${origin.line} → ${target.tech}/${topic} → ${target.file}:${target.line}`,
+  };
+}
+
+function _downgradeSeverity(sev) {
+  // The chain finding is informational alongside the source finding — we
+  // demote one tier so it doesn't double-count in severity bucketing.
+  const next = { critical: 'high', high: 'medium', medium: 'low', low: 'low' };
+  return next[sev || 'high'] || 'low';
+}
+
+// For tests + bench tooling.
+export function _indexQueueSites(fileContents) { return indexQueueSites(fileContents); }