@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/src/dataflow/.agentic-security/streak.json

@@ -0,0 +1,22 @@
+{
+  "firstScanDate": "2026-05-26T15:54:30.269Z",
+  "lastScanDate": "2026-05-27T09:30:02.400Z",
+  "totalScans": 28,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-27",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 17,
+  "totalFindingsAtLastScan": 17,
+  "totalFixesInferred": 0,
+  "lastGrade": "A",
+  "bestGrade": "A",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a",
+    "scan-veteran-25"
+  ],
+  "previousGrade": "A"
+}

package/src/dataflow/async-sequencing.js

@@ -55,22 +55,24 @@ const ASYNC_ITER_BODY_SOURCES = new Set([
  * AST shape expected (parser-js.js neutral):
  *   { kind: 'call', callee: { kind: 'member', object: <expr>, prop: <string> }, args: [...] }
  */
-export function describeChain(callExpr) {
+export function describeChain(callExpr, opts = {}) {
   if (!callExpr || callExpr.kind !== 'call') return null;
   const ops = [];
   let cur = callExpr;
-  // Walk leftward through .then/.catch/.finally chain.
   while (cur && cur.kind === 'call' && cur.callee && cur.callee.kind === 'member' && PROMISE_CHAIN_METHODS.has(cur.callee.prop)) {
     const arg = (cur.args || [])[0];
     ops.unshift({
-      kind: cur.callee.prop,           // 'then' | 'catch' | 'finally'
+      kind: cur.callee.prop,
       callback: arg && (arg.kind === 'ident' || arg.kind === 'arrow' || arg.kind === 'function') ? arg : null,
       argIndex: 0,
     });
     cur = cur.callee.object;
   }
-  // `cur` should be the root call (e.g., `fetch(url)` or `Promise.all([...])`).
-  const isPromise = isPromiseRoot(cur);
+  let isPromise = isPromiseRoot(cur);
+  if (!isPromise && opts.summaryCache && opts.callGraph && cur && cur.kind === 'call') {
+    const name = typeof cur.callee === 'string' ? cur.callee : (cur.callee?.name || null);
+    if (name) isPromise = isAsyncSourceFromSummary(name, opts.summaryCache, opts.callGraph);
+  }
   return { ops, rootCallee: cur, isPromise };
 }
 
@@ -84,13 +86,20 @@ function isPromiseRoot(expr) {
   }
   if (c.kind === 'member') {
     if (c.object && c.object.kind === 'ident' && c.object.name === 'Promise' && PROMISE_STATIC_METHODS.has(c.prop)) return true;
-    // any .xxxAsync() pattern, or .then-chainable: too noisy to assume; require
-    // an explicit await elsewhere or a known callee.
     return /Async$/.test(c.prop) || /^(fetch|json|text|blob|formData)$/.test(c.prop);
   }
   return false;
 }
 
+export function isAsyncSourceFromSummary(calleeName, summaryCache, callGraph) {
+  if (!calleeName || !summaryCache || !callGraph) return false;
+  const resolved = callGraph.resolve ? callGraph.resolve(calleeName) : null;
+  const qid = resolved && (resolved.qid || resolved);
+  if (typeof qid !== 'string') return false;
+  const sum = summaryCache.get(qid, new Set());
+  return !!(sum && sum.returnTainted);
+}
+
 /**
  * Given a chain descriptor + a `sourceTainted` boolean indicating whether
  * the root callee's resolved value is tainted, return whether each callback

package/src/dataflow/builtin-summaries.js

@@ -0,0 +1,131 @@
+// Pre-computed taint summaries for popular npm/pip packages.
+//
+// When the taint engine encounters a call to an external function that
+// the call graph can't resolve (e.g., lodash.merge from node_modules),
+// it checks this registry as a fallback. Each entry describes whether
+// the function's return value carries taint and whether any parameters
+// are mutated (tainted by reference).
+//
+// Format: same as SummaryCache entries.
+//   { returnTainted: bool, mutatedParams: Set<paramIndex-as-string> }
+//
+// Convention: param indices are STRING keys ('0', '1', ...) because
+// SummaryCache uses param names, and for external functions we don't
+// know names — we use positional indices instead.
+
+const S = (returnTainted, mutatedIndices = []) => ({
+  returnTainted,
+  mutatedParams: new Set(mutatedIndices.map(String)),
+  taintedGlobals: new Set(),
+  findings: [],
+  _builtin: true,
+});
+
+export const BUILTIN_SUMMARIES = new Map([
+  // ── Lodash ──────────────────────────────────────────────────────────────
+  ['_.merge',           S(true, [0])],
+  ['_.defaultsDeep',    S(true, [0])],
+  ['_.defaults',        S(true, [0])],
+  ['_.extend',          S(true, [0])],
+  ['_.assign',          S(true, [0])],
+  ['_.assignIn',        S(true, [0])],
+  ['_.set',             S(false, [0])],
+  ['_.get',             S(true)],
+  ['_.pick',            S(true)],
+  ['_.omit',            S(true)],
+  ['_.cloneDeep',       S(true)],
+  ['_.clone',           S(true)],
+  ['_.map',             S(true)],
+  ['_.filter',          S(true)],
+  ['_.find',            S(true)],
+  ['_.reduce',          S(true)],
+  ['_.flatten',         S(true)],
+  ['_.compact',         S(true)],
+  ['_.uniq',            S(true)],
+  ['_.groupBy',         S(true)],
+  ['_.keyBy',           S(true)],
+  ['_.values',          S(true)],
+  ['_.keys',            S(false)],
+  ['_.identity',        S(true)],
+
+  // ── Node.js core ────────────────────────────────────────────────────────
+  ['JSON.parse',        S(true)],
+  ['JSON.stringify',    S(true)],
+  ['Buffer.from',       S(true)],
+  ['Buffer.concat',     S(true)],
+  ['querystring.parse', S(true)],
+  ['url.parse',         S(true)],
+  ['path.join',         S(true)],
+  ['path.resolve',      S(true)],
+  ['util.format',       S(true)],
+
+  // ── Express / HTTP ──────────────────────────────────────────────────────
+  ['express.json',      S(false)],
+  ['express.urlencoded',S(false)],
+  ['bodyParser.json',   S(false)],
+  ['cors',              S(false)],
+
+  // ── Database clients ────────────────────────────────────────────────────
+  ['pool.query',        S(true)],
+  ['client.query',      S(true)],
+  ['db.query',          S(true)],
+  ['db.all',            S(true)],
+  ['db.get',            S(true)],
+  ['db.run',            S(false)],
+  ['knex.raw',          S(true)],
+  ['knex.select',       S(true)],
+
+  // ── HTTP clients ────────────────────────────────────────────────────────
+  ['axios.get',         S(true)],
+  ['axios.post',        S(true)],
+  ['axios.put',         S(true)],
+  ['axios.patch',       S(true)],
+  ['axios.delete',      S(true)],
+  ['axios.request',     S(true)],
+  ['fetch',             S(true)],
+  ['got',               S(true)],
+  ['got.get',           S(true)],
+  ['got.post',          S(true)],
+  ['superagent.get',    S(true)],
+  ['superagent.post',   S(true)],
+
+  // ── Crypto / hashing (return is derived, not tainted) ───────────────────
+  ['crypto.createHash', S(false)],
+  ['crypto.randomBytes',S(false)],
+  ['bcrypt.hash',       S(false)],
+  ['bcrypt.compare',    S(false)],
+
+  // ── Sanitizers (return is clean) ────────────────────────────────────────
+  ['parseInt',          S(false)],
+  ['parseFloat',        S(false)],
+  ['Number',            S(false)],
+  ['Boolean',           S(false)],
+  ['encodeURIComponent',S(false)],
+  ['encodeURI',         S(false)],
+  ['DOMPurify.sanitize',S(false)],
+  ['validator.escape',  S(false)],
+  ['he.encode',         S(false)],
+
+  // ── Python stdlib (matched by callee name) ──────────────────────────────
+  ['json.loads',        S(true)],
+  ['json.dumps',        S(true)],
+  ['int',               S(false)],
+  ['float',             S(false)],
+  ['str',               S(true)],
+  ['shlex.quote',       S(false)],
+  ['html.escape',       S(false)],
+  ['bleach.clean',      S(false)],
+]);
+
+export function lookupBuiltinSummary(calleeName) {
+  if (!calleeName || typeof calleeName !== 'string') return null;
+  const direct = BUILTIN_SUMMARIES.get(calleeName);
+  if (direct) return direct;
+  const lastDot = calleeName.lastIndexOf('.');
+  if (lastDot > 0) {
+    const short = calleeName.slice(lastDot + 1);
+    const fallback = BUILTIN_SUMMARIES.get(short);
+    if (fallback) return null;
+  }
+  return null;
+}

package/src/dataflow/catalog.js

@@ -139,12 +139,32 @@ export const CATALOG = [
   { kind: 'source', id: 'go-gin-query',  language: 'go', framework: 'gin',      match: { type: 'call',   callee: 'Query' },               label: 'c.Query (gin)' },
   { kind: 'source', id: 'go-gin-bindjson',language:'go', framework: 'gin',      match: { type: 'call',   callee: 'BindJSON' },            label: 'c.BindJSON (gin)' },
   { kind: 'source', id: 'go-echo-param', language: 'go', framework: 'echo',     match: { type: 'call',   callee: 'Param' },               label: 'c.Param (echo)' },
+  { kind: 'source', id: 'go-gin-postform',  language: 'go', framework: 'gin',  match: { type: 'call', callee: 'PostForm' },     label: 'c.PostForm (gin)' },
+  { kind: 'source', id: 'go-gin-shouldbind',language: 'go', framework: 'gin',  match: { type: 'call', callee: 'ShouldBind' },   label: 'c.ShouldBind (gin)' },
+  { kind: 'source', id: 'go-gin-shouldbindjson',language:'go',framework:'gin', match: { type: 'call', callee: 'ShouldBindJSON' },label: 'c.ShouldBindJSON (gin)' },
+  { kind: 'source', id: 'go-echo-formvalue',language: 'go', framework: 'echo', match: { type: 'call', callee: 'FormValue' },    label: 'c.FormValue (echo)' },
+  { kind: 'source', id: 'go-echo-queryparam',language:'go', framework: 'echo', match: { type: 'call', callee: 'QueryParam' },   label: 'c.QueryParam (echo)' },
+  { kind: 'source', id: 'go-echo-bind',     language: 'go', framework: 'echo', match: { type: 'call', callee: 'Bind' },         label: 'c.Bind (echo)' },
+  { kind: 'source', id: 'go-chi-urlparam',  language: 'go', framework: 'chi',  match: { type: 'call', callee: 'URLParam' },     label: 'chi.URLParam' },
+  { kind: 'source', id: 'go-r-postformvalue',language:'go', framework:'net/http',match:{type:'call',callee:'PostFormValue'},     label: 'r.PostFormValue' },
+  { kind: 'source', id: 'go-fiber-body',    language: 'go', framework: 'fiber', match: { type: 'call', callee: 'Body' },         label: 'c.Body (fiber)' },
+  { kind: 'source', id: 'go-fiber-query',   language: 'go', framework: 'fiber', match: { type: 'call', callee: 'Query' },        label: 'c.Query (fiber)' },
+  { kind: 'source', id: 'go-fiber-params',  language: 'go', framework: 'fiber', match: { type: 'call', callee: 'Params' },       label: 'c.Params (fiber)' },
+  { kind: 'source', id: 'go-fiber-formvalue',language:'go', framework: 'fiber', match: { type: 'call', callee: 'FormValue' },    label: 'c.FormValue (fiber)' },
+  { kind: 'source', id: 'go-fiber-cookies', language: 'go', framework: 'fiber', match: { type: 'call', callee: 'Cookies' },      label: 'c.Cookies (fiber)' },
+  { kind: 'source', id: 'go-fiber-bodyparser',language:'go',framework:'fiber', match: { type: 'call', callee: 'BodyParser' },    label: 'c.BodyParser (fiber)' },
+  { kind: 'source', id: 'go-buffalo-param', language: 'go', framework: 'buffalo',match: { type: 'call', callee: 'Param' },       label: 'c.Param (buffalo)' },
+  { kind: 'source', id: 'go-buffalo-request',language:'go', framework:'buffalo',match: { type: 'member', object: 'c', prop: 'Request' }, label: 'c.Request (buffalo)' },
+  { kind: 'source', id: 'go-gorilla-vars',  language: 'go', framework: 'gorilla',match: { type: 'call', callee: 'Vars' },        label: 'mux.Vars (gorilla)' },
 
   // ─── SOURCES (Ruby — Rails / Sinatra) ─────────────────────────────────────
   { kind: 'source', id: 'rb-rails-params',  language: 'rb', framework: 'rails', match: { type: 'global', name: 'params' }, label: 'params (Rails)' },
   { kind: 'source', id: 'rb-rails-cookies', language: 'rb', framework: 'rails', match: { type: 'global', name: 'cookies' }, label: 'cookies (Rails)' },
   { kind: 'source', id: 'rb-rails-session', language: 'rb', framework: 'rails', match: { type: 'global', name: 'session' }, label: 'session (Rails)' },
   { kind: 'source', id: 'rb-env',           language: 'rb', framework: 'stdlib',match: { type: 'global', name: 'ENV' },     label: 'ENV (Ruby)' },
+  { kind: 'source', id: 'rb-sinatra-request-body',language:'rb',framework:'sinatra',match:{type:'member',object:'request',prop:'body'},    label: 'request.body (Sinatra)' },
+  { kind: 'source', id: 'rb-sinatra-request-env', language:'rb',framework:'sinatra',match:{type:'member',object:'request',prop:'env'},     label: 'request.env (Sinatra)' },
+  { kind: 'source', id: 'rb-sinatra-request-params',language:'rb',framework:'sinatra',match:{type:'member',object:'request',prop:'params'},label: 'request.params (Sinatra)' },
 
   // ─── SOURCES (PHP) ────────────────────────────────────────────────────────
   { kind: 'source', id: 'php-request',  language: 'php', framework: 'core', match: { type: 'global', name: '_REQUEST' }, label: '$_REQUEST' },
@@ -152,6 +172,13 @@ export const CATALOG = [
   { kind: 'source', id: 'php-post',     language: 'php', framework: 'core', match: { type: 'global', name: '_POST' },    label: '$_POST' },
   { kind: 'source', id: 'php-cookie',   language: 'php', framework: 'core', match: { type: 'global', name: '_COOKIE' },  label: '$_COOKIE' },
   { kind: 'source', id: 'php-server',   language: 'php', framework: 'core', match: { type: 'global', name: '_SERVER' },  label: '$_SERVER' },
+  { kind: 'source', id: 'php-symfony-query',   language: 'php', framework: 'symfony', match: { type: 'member', object: '$request', prop: 'query' },   label: '$request->query (Symfony)' },
+  { kind: 'source', id: 'php-symfony-request', language: 'php', framework: 'symfony', match: { type: 'member', object: '$request', prop: 'request' }, label: '$request->request (Symfony)' },
+  { kind: 'source', id: 'php-symfony-cookies', language: 'php', framework: 'symfony', match: { type: 'member', object: '$request', prop: 'cookies' }, label: '$request->cookies (Symfony)' },
+  { kind: 'source', id: 'php-symfony-headers', language: 'php', framework: 'symfony', match: { type: 'member', object: '$request', prop: 'headers' }, label: '$request->headers (Symfony)' },
+  { kind: 'source', id: 'php-symfony-files',   language: 'php', framework: 'symfony', match: { type: 'member', object: '$request', prop: 'files' },   label: '$request->files (Symfony)' },
+  { kind: 'source', id: 'php-symfony-content', language: 'php', framework: 'symfony', match: { type: 'call', callee: 'getContent' },                  label: '$request->getContent() (Symfony)' },
+  { kind: 'source', id: 'php-symfony-get',     language: 'php', framework: 'symfony', match: { type: 'call', callee: 'get' },                         label: '$request->get() (Symfony)' },
 
   // ─── SINKS (SQL — Python) ─────────────────────────────────────────────────
   { kind: 'sink', id: 'py-cursor-execute',     language: 'py', framework: 'dbapi',      match: { type: 'call', callee: 'execute' }, argIndex: 0,
@@ -189,6 +216,74 @@ export const CATALOG = [
     vuln: { name: 'Native SQL Injection (EntityManager.createNativeQuery)', severity: 'critical', cwe: 'CWE-89',
             remediation: 'Use setParameter on the resulting Query.' } },
 
+  // ─── SINKS (SQL — Go) ──────────────────────────────────────────────────────
+  { kind: 'sink', id: 'go-db-query',    language: 'go', framework: 'database/sql', match: { type: 'call', callee: 'Query' },    argIndex: 0,
+    vuln: { name: 'SQL Injection (db.Query)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized queries: db.Query("SELECT * FROM t WHERE id = $1", id).' } },
+  { kind: 'sink', id: 'go-db-queryrow', language: 'go', framework: 'database/sql', match: { type: 'call', callee: 'QueryRow' }, argIndex: 0,
+    vuln: { name: 'SQL Injection (db.QueryRow)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized queries: db.QueryRow("... WHERE id = $1", id).' } },
+  { kind: 'sink', id: 'go-db-exec',     language: 'go', framework: 'database/sql', match: { type: 'call', callee: 'Exec' },     argIndex: 0,
+    vuln: { name: 'SQL Injection (db.Exec)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized queries with placeholder args.' } },
+  { kind: 'sink', id: 'go-gorm-raw',    language: 'go', framework: 'gorm',         match: { type: 'call', callee: 'Raw' },      argIndex: 0,
+    vuln: { name: 'SQL Injection (gorm.Raw)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use gorm.Where with parameterized placeholders: db.Where("name = ?", name).' } },
+  { kind: 'sink', id: 'go-gorm-exec',   language: 'go', framework: 'gorm',         match: { type: 'call', callee: 'Exec' },     argIndex: 0,
+    vuln: { name: 'SQL Injection (gorm.Exec)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized queries: db.Exec("UPDATE t SET x = ?", val).' } },
+  { kind: 'sink', id: 'go-fmt-fprintf',  language: 'go', framework: 'fmt',          match: { type: 'call', callee: 'Fprintf' },  argIndex: 1,
+    vuln: { name: 'XSS (fmt.Fprintf to ResponseWriter)', severity: 'high', cwe: 'CWE-79',
+            remediation: 'Use html/template for HTML output, not fmt.Fprintf with user input.' } },
+
+  // ─── SINKS (SQL — PHP) ─────────────────────────────────────────────────────
+  { kind: 'sink', id: 'php-mysqli-query',   language: 'php', framework: 'mysqli',  match: { type: 'call', callee: 'mysqli_query' },  argIndex: 1,
+    vuln: { name: 'SQL Injection (mysqli_query)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use prepared statements: $stmt = $conn->prepare("SELECT * WHERE id = ?"); $stmt->bind_param("i", $id);' } },
+  { kind: 'sink', id: 'php-pdo-query',     language: 'php', framework: 'pdo',     match: { type: 'call', callee: 'query' },         argIndex: 0,
+    vuln: { name: 'SQL Injection (PDO::query)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use PDO::prepare with bound parameters.' } },
+  { kind: 'sink', id: 'php-pdo-exec',      language: 'php', framework: 'pdo',     match: { type: 'call', callee: 'exec' },          argIndex: 0,
+    vuln: { name: 'SQL Injection (PDO::exec)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use PDO::prepare with bound parameters.' } },
+  { kind: 'sink', id: 'php-laravel-db-raw', language: 'php', framework: 'laravel', match: { type: 'call', callee: 'raw' },          argIndex: 0,
+    vuln: { name: 'SQL Injection (DB::raw)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized bindings: DB::select("SELECT * WHERE id = ?", [$id]).' } },
+  { kind: 'sink', id: 'php-exec',          language: 'php', framework: 'core',    match: { type: 'call', callee: 'exec' },          argIndex: 0,
+    vuln: { name: 'Command Injection (exec)', severity: 'critical', cwe: 'CWE-78',
+            remediation: 'Use escapeshellarg() on each argument and avoid shell metacharacters.' } },
+  { kind: 'sink', id: 'php-system',        language: 'php', framework: 'core',    match: { type: 'call', callee: 'system' },        argIndex: 0,
+    vuln: { name: 'Command Injection (system)', severity: 'critical', cwe: 'CWE-78',
+            remediation: 'Avoid system(); use proc_open with an argv array instead.' } },
+  { kind: 'sink', id: 'php-shell-exec',    language: 'php', framework: 'core',    match: { type: 'call', callee: 'shell_exec' },    argIndex: 0,
+    vuln: { name: 'Command Injection (shell_exec)', severity: 'critical', cwe: 'CWE-78',
+            remediation: 'Avoid shell_exec(); sanitize with escapeshellarg() if unavoidable.' } },
+
+  // ─── SINKS (SQL/CMD — Ruby) ───────────────────────────────────────────────
+  { kind: 'sink', id: 'rb-ar-where-string', language: 'rb', framework: 'rails',   match: { type: 'call', callee: 'where' },         argIndex: 0,
+    vuln: { name: 'SQL Injection (ActiveRecord where string)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use hash conditions: User.where(name: params[:name]).' } },
+  { kind: 'sink', id: 'rb-ar-find-by-sql', language: 'rb', framework: 'rails',    match: { type: 'call', callee: 'find_by_sql' },   argIndex: 0,
+    vuln: { name: 'SQL Injection (find_by_sql)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use parameterized SQL: find_by_sql(["SELECT * WHERE id = ?", id]).' } },
+  { kind: 'sink', id: 'rb-system',         language: 'rb', framework: 'stdlib',   match: { type: 'call', callee: 'system' },        argIndex: 0,
+    vuln: { name: 'Command Injection (Kernel.system)', severity: 'critical', cwe: 'CWE-78',
+            remediation: 'Use the array form: system("cmd", arg1, arg2).' } },
+  { kind: 'sink', id: 'rb-exec',           language: 'rb', framework: 'stdlib',   match: { type: 'call', callee: 'exec' },          argIndex: 0,
+    vuln: { name: 'Command Injection (Kernel.exec)', severity: 'critical', cwe: 'CWE-78',
+            remediation: 'Use the array form: exec("cmd", arg1, arg2).' } },
+  { kind: 'sink', id: 'rb-sinatra-erb',    language: 'rb', framework: 'sinatra',  match: { type: 'call', callee: 'erb' },           argIndex: 0,
+    vuln: { name: 'Server-Side Template Injection (Sinatra ERB)', severity: 'high', cwe: 'CWE-1336',
+            remediation: 'Use ERB auto-escaping. Never pass user input as the template name.' } },
+
+  // ─── SINKS (SQL — PHP / Symfony / Doctrine) ───────────────────────────────
+  { kind: 'sink', id: 'php-symfony-createquery',language:'php',framework:'symfony',match:{type:'call',callee:'createQuery'},   argIndex: 0,
+    vuln: { name: 'DQL Injection (Doctrine createQuery)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use DQL parameters: $em->createQuery("... WHERE e.id = :id")->setParameter("id", $id).' } },
+  { kind: 'sink', id: 'php-doctrine-nativequery',language:'php',framework:'doctrine',match:{type:'call',callee:'createNativeQuery'},argIndex:0,
+    vuln: { name: 'SQL Injection (Doctrine createNativeQuery)', severity: 'critical', cwe: 'CWE-89',
+            remediation: 'Use bound parameters with createNativeQuery.' } },
+
   // ─── SINKS (XSS / template — JS/TS / browser) ─────────────────────────────
   { kind: 'sink', id: 'js-innerHTML-assign', language: 'js', framework: 'dom', match: { type: 'member', object: '_any_', prop: 'innerHTML' }, argIndex: 'rhs',
     vuln: { name: 'DOM XSS (innerHTML)', severity: 'high', cwe: 'CWE-79',
@@ -366,6 +461,18 @@ export const CATALOG = [
   { kind: 'source', id: 'py-tornado-get-arg',   language: 'py', framework: 'tornado', match: { type: 'call', callee: 'get_argument'      }, argIndex: 0, label: 'tornado.get_argument', provenance: 'http-body' },
   { kind: 'source', id: 'py-tornado-get-args',  language: 'py', framework: 'tornado', match: { type: 'call', callee: 'get_arguments'     }, argIndex: 0, label: 'tornado.get_arguments', provenance: 'http-body' },
   { kind: 'source', id: 'py-tornado-get-body',  language: 'py', framework: 'tornado', match: { type: 'call', callee: 'get_body_argument' }, argIndex: 0, label: 'tornado.get_body_argument', provenance: 'http-body' },
+  // Starlette / Litestar — async ASGI sources.
+  { kind: 'source', id: 'py-starlette-json',   language: 'py', framework: 'starlette', match: { type: 'call', callee: 'json' },         label: 'request.json() (Starlette)', provenance: 'http-body' },
+  { kind: 'source', id: 'py-starlette-form',   language: 'py', framework: 'starlette', match: { type: 'call', callee: 'form' },         label: 'request.form() (Starlette)', provenance: 'http-body' },
+  { kind: 'source', id: 'py-starlette-body',   language: 'py', framework: 'starlette', match: { type: 'call', callee: 'body' },         label: 'request.body() (Starlette)', provenance: 'http-body' },
+  { kind: 'source', id: 'py-starlette-qparams',language: 'py', framework: 'starlette', match: { type: 'member', object: 'request', prop: 'query_params' }, label: 'request.query_params (Starlette)', provenance: 'url-param' },
+  { kind: 'source', id: 'py-starlette-path',   language: 'py', framework: 'starlette', match: { type: 'member', object: 'request', prop: 'path_params' },  label: 'request.path_params (Starlette)', provenance: 'path-param' },
+  { kind: 'source', id: 'py-litestar-data',    language: 'py', framework: 'litestar',  match: { type: 'call', callee: 'data' },         label: 'request.data() (Litestar)', provenance: 'http-body' },
+  // Sanic — async Python web.
+  { kind: 'source', id: 'py-sanic-args',       language: 'py', framework: 'sanic',     match: { type: 'member', object: 'request', prop: 'args' },  label: 'request.args (Sanic)', provenance: 'url-param' },
+  { kind: 'source', id: 'py-sanic-form',       language: 'py', framework: 'sanic',     match: { type: 'member', object: 'request', prop: 'form' },  label: 'request.form (Sanic)', provenance: 'http-body' },
+  { kind: 'source', id: 'py-sanic-json',       language: 'py', framework: 'sanic',     match: { type: 'member', object: 'request', prop: 'json' },  label: 'request.json (Sanic)', provenance: 'http-body' },
+  { kind: 'source', id: 'py-sanic-body',       language: 'py', framework: 'sanic',     match: { type: 'member', object: 'request', prop: 'body' },  label: 'request.body (Sanic)', provenance: 'http-body' },
   // sys.argv — CLI input source. (os.environ already declared above.)
   { kind: 'source', id: 'py-sys-argv',      language: 'py', framework: 'std', match: { type: 'member', object: 'sys', prop: 'argv'   }, label: 'sys.argv', provenance: 'cli' },
   // File reads.

package/src/dataflow/cross-repo.js

@@ -216,4 +216,78 @@ export function federatedFindings(graph) {
   return findings;
 }
 
-export const _internal = { _parseSpec, _endpointsFor, _leafPathsOf, _responseFields, _requestFields };
+// ── Intra-project cross-service taint ───────────────────────────────────────
+//
+// Detects HTTP client calls in one file whose target matches a route handler
+// in another file within the same project. When tainted data flows into the
+// client call's body, and the matching handler reads from req.body, emit a
+// cross-service finding.
+
+const _CLIENT_PATTERNS = [
+  { re: /\bfetch\s*\(\s*['"`]([^'"`]+)['"`]/g, method: null, bodyArg: true },
+  { re: /\baxios\.(\w+)\s*\(\s*['"`]([^'"`]+)['"`]/g, method: 1, pathGroup: 2, bodyArg: true },
+  { re: /\brequests\.(\w+)\s*\(\s*['"`]([^'"`]+)['"`]/g, method: 1, pathGroup: 2, bodyArg: true },
+  { re: /\bhttp\.NewRequest\s*\(\s*['"`](\w+)['"`]\s*,\s*['"`]([^'"`]+)['"`]/g, method: 1, pathGroup: 2 },
+];
+
+const _HANDLER_PATTERNS = [
+  { re: /\bapp\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/g },
+  { re: /\brouter\.(get|post|put|patch|delete|HandleFunc)\s*\(\s*['"`]([^'"`]+)['"`]/g },
+  { re: /\b@app\.(route|get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/g },
+];
+
+function _normalizePath(p) {
+  return p.replace(/:[^/]+/g, '*').replace(/\{[^}]+\}/g, '*').replace(/<[^>]+>/g, '*').replace(/\/+$/, '');
+}
+
+export function detectIntraProjectServiceEdges(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const consumers = [];
+  const producers = [];
+  for (const [fp, raw] of Object.entries(fileContents)) {
+    if (!raw || typeof raw !== 'string') continue;
+    const lineOf = (idx) => raw.slice(0, idx).split('\n').length;
+    for (const pat of _CLIENT_PATTERNS) {
+      pat.re.lastIndex = 0;
+      for (const m of raw.matchAll(pat.re)) {
+        const method = pat.method ? (m[pat.method] || 'get').toLowerCase() : 'get';
+        const path = m[pat.pathGroup || 1];
+        consumers.push({ file: fp, line: lineOf(m.index), method, path: _normalizePath(path) });
+      }
+    }
+    for (const pat of _HANDLER_PATTERNS) {
+      pat.re.lastIndex = 0;
+      for (const m of raw.matchAll(pat.re)) {
+        const method = m[1].toLowerCase();
+        const path = m[2];
+        producers.push({ file: fp, line: lineOf(m.index), method: method === 'route' ? 'any' : method, path: _normalizePath(path) });
+      }
+    }
+  }
+  const findings = [];
+  for (const c of consumers) {
+    for (const p of producers) {
+      if (c.file === p.file) continue;
+      if (p.method !== 'any' && c.method !== p.method) continue;
+      if (c.path !== p.path && !c.path.endsWith(p.path)) continue;
+      findings.push({
+        id: `cross-service:${c.file}:${c.line}->${p.file}:${p.line}`,
+        file: p.file,
+        line: p.line,
+        vuln: 'Cross-Service Taint — HTTP client in one file targets handler in another',
+        severity: 'medium',
+        family: 'cross-service-taint',
+        cwe: 'CWE-346',
+        parser: 'CROSS-SERVICE',
+        confidence: 0.60,
+        description: `HTTP client call in ${c.file}:${c.line} targets the route handler at ${p.file}:${p.line}. If tainted data flows through the client body into the handler's sink, this is a cross-service injection path.`,
+        remediation: 'Validate and sanitize all data crossing service boundaries, even internal ones. Treat internal API inputs the same as external user input.',
+        source: { file: c.file, line: c.line, label: `${c.method.toUpperCase()} ${c.path}` },
+        sink: { file: p.file, line: p.line, label: `handler ${p.path}` },
+      });
+    }
+  }
+  return findings;
+}
+
+export const _internal = { _parseSpec, _endpointsFor, _leafPathsOf, _responseFields, _requestFields, _normalizePath };

package/src/dataflow/engine.js

@@ -38,6 +38,7 @@ import { accessPathOf, isCoveredBy, addPath, removePathAndDescendants, joinSets
 import { aliasesForVar } from './points-to.js';
 import { higherOrderTaintFlow } from './higher-order.js';
 import { SummaryCache, entryStateFromCall } from './summaries.js';
+import { lookupBuiltinSummary } from './builtin-summaries.js';
 
 // v0.70 #2 — addPath that also taints every alias of the variable.
 // When `target` is a dotted path like "a.x" and the root `a` has aliases
@@ -242,6 +243,25 @@ function step(node, stateIn, callContext) {
             for (const v of mutated.mutated) newState = addPath(newState, v);
           }
           if (sum && sum.returnTainted) return { state: newState, findings: [] };
+        } else if (target && calleeName) {
+          // Fallback: check builtin summaries for unresolved external calls
+          const builtin = lookupBuiltinSummary(calleeName);
+          if (builtin) {
+            if (builtin.returnTainted && (node.source.args || []).some(a => exprTaint(a, newState))) {
+              newState = _addPathAliasAware(newState, target, callContext);
+            } else if (!builtin.returnTainted) {
+              newState = removePathAndDescendants(newState, target);
+              return { state: newState, findings: [] };
+            }
+            if (builtin.mutatedParams && builtin.mutatedParams.size) {
+              for (const idx of builtin.mutatedParams) {
+                const argExpr = (node.source.args || [])[parseInt(idx)];
+                if (argExpr && argExpr.kind === 'ident' && (node.source.args || []).some(a => exprTaint(a, newState))) {
+                  newState = _addPathAliasAware(newState, argExpr.name, callContext);
+                }
+              }
+            }
+          }
         }
       }
       if (src && target) {
@@ -293,6 +313,24 @@ function step(node, stateIn, callContext) {
           }
         }
       }
+      // Built-in mutation functions: Object.assign(target, ...sources),
+      // _.merge(target, ...sources), etc. When any source arg is tainted,
+      // taint the target in the caller's scope.
+      const calleeName = typeof node.callee === 'string' ? node.callee : null;
+      if (calleeName && /^(?:Object\.assign|_\.merge|_\.extend|_\.defaultsDeep|_\.defaults|Object\.defineProperties?)$/.test(calleeName)) {
+        const targetArg = (node.args || [])[0];
+        const sourceArgsTainted = argTaints.slice(1).some(Boolean);
+        if (targetArg && targetArg.kind === 'ident' && sourceArgsTainted) {
+          state = _addPathAliasAware(state, targetArg.name, callContext);
+          callContext._taintSources.push({
+            varName: targetArg.name,
+            sourceId: `builtin-mutation:${calleeName}`,
+            sourceLabel: `${calleeName} mutation`,
+            provenance: 'mutation',
+            line: node.line,
+          });
+        }
+      }
       if (cat) {
         for (const e of cat) {
           if (e.kind === 'sink' && (
@@ -535,6 +573,64 @@ export function runTaintEngine(perFileIR, callGraph, opts = {}) {
     if (summaryCache.size() === prevCacheSize) break;
     prevCacheSize = summaryCache.size();
   }
+  // Class-field cross-taint pass: when a method writes tainted data to _this_.field,
+  // re-analyze other methods of the same class with those fields in the entry state.
+  const classTaintedFields = new Map();
+  for (const fn of fnList) {
+    if (Date.now() > deadlineMs) break;
+    const sum = summaryCache.get(fn.qid, new Set());
+    if (!sum || !sum.mutatedParams) continue;
+    for (const p of sum.mutatedParams) {
+      if (typeof p === 'string' && p.startsWith('_this_.')) {
+        const classPrefix = fn.qid.split('::')[0] + '::';
+        if (!classTaintedFields.has(classPrefix)) classTaintedFields.set(classPrefix, new Set());
+        classTaintedFields.get(classPrefix).add(p);
+      }
+    }
+  }
+  for (const [classPrefix, fields] of classTaintedFields) {
+    if (Date.now() > deadlineMs) break;
+    for (const fn of fnList) {
+      if (!fn.qid.startsWith(classPrefix)) continue;
+      if (summaryCache.has(fn.qid, fields)) continue;
+      const ctx = {
+        _findings: [], _taintSources: [], _returnTainted: false,
+        _stack: new Set(), deadlineMs,
+        _summaryCache: summaryCache, _callGraph: callGraph,
+        _mutatedParamsOut: new Set(),
+      };
+      try { analyzeFunction(fn, fields, ctx); } catch {}
+      summaryCache.set(fn.qid, fields, {
+        returnTainted: !!ctx._returnTainted,
+        mutatedParams: ctx._mutatedParamsOut || new Set(),
+        taintedGlobals: new Set(),
+        findings: [],
+      });
+    }
+  }
+
+  // k=2 pass: compute tainted-entry-state summaries for functions with params
+  // AND at least one caller in the call graph. This catches "safe when called
+  // clean, dangerous when called with tainted input" wrapper patterns.
+  for (const fn of fnList) {
+    if (Date.now() > deadlineMs) break;
+    if (!fn.params || !fn.params.length) continue;
+    const taintedEntry = new Set(fn.params);
+    if (summaryCache.has(fn.qid, taintedEntry)) continue;
+    const ctx = {
+      _findings: [], _taintSources: [], _returnTainted: false,
+      _stack: new Set(), deadlineMs,
+      _summaryCache: summaryCache, _callGraph: callGraph,
+      _mutatedParamsOut: new Set(),
+    };
+    try { analyzeFunction(fn, taintedEntry, ctx); } catch {}
+    summaryCache.set(fn.qid, taintedEntry, {
+      returnTainted: !!ctx._returnTainted,
+      mutatedParams: ctx._mutatedParamsOut || new Set(),
+      taintedGlobals: new Set(),
+      findings: [],
+    });
+  }
   for (const fn of fnList) {
     if (++n > fnLimit) break;
     if (Date.now() > deadlineMs) break;  // global timeout
@@ -552,6 +648,39 @@ export function runTaintEngine(perFileIR, callGraph, opts = {}) {
     try {
       analyzeFunction(fn, new Set(), callContext);
     } catch { continue; }
+    // Process higher-order invocations: resolve callbacks and analyze with
+    // tainted first-param. Feed findings back into the caller's finding set.
+    const hoInvocations = callContext._higherOrderInvocations || [];
+    const HO_CAP = 50;
+    for (let hi = 0; hi < Math.min(hoInvocations.length, HO_CAP); hi++) {
+      if (Date.now() > deadlineMs) break;
+      const inv = hoInvocations[hi];
+      if (!inv.callee || !inv.taintedParam) continue;
+      const resolved = callGraph.resolve ? callGraph.resolve(inv.callee) : null;
+      const cbFn = resolved && resolved.qid ? resolved : null;
+      if (!cbFn || !cbFn.params || !cbFn.params.length) continue;
+      const cbEntry = new Set([cbFn.params[inv.paramIndex || 0]]);
+      let cbSummary = summaryCache.get(cbFn.qid, cbEntry);
+      if (!cbSummary) {
+        cbSummary = summaryCache.compute(cbFn.qid, cbEntry, () => {
+          const inner = {
+            _findings: [], _taintSources: [], _returnTainted: false,
+            _stack: new Set(), deadlineMs,
+            _summaryCache: summaryCache, _callGraph: callGraph,
+            _mutatedParamsOut: new Set(),
+          };
+          try { analyzeFunction(cbFn, cbEntry, inner); } catch {}
+          // Merge any findings from the callback analysis into the caller.
+          callContext._findings.push(...inner._findings.map(f => ({ ...f, _funcQid: fn.qid, _via: 'higher-order' })));
+          return {
+            returnTainted: !!inner._returnTainted,
+            mutatedParams: inner._mutatedParamsOut || new Set(),
+            taintedGlobals: new Set(),
+            findings: [],
+          };
+        });
+      }
+    }
     for (const f of callContext._findings) {
       const key = `${f.sinkId}:${fn.file}:${f.line}`;
       if (seen.has(key)) continue;