@oculum/scanner 1.0.13 → 1.0.15

package/src/taint/propagation.ts

@@ -0,0 +1,1750 @@
+/**
+ * Taint Propagation Engine
+ *
+ * Forward worklist dataflow analysis. Seeds taint at sources, propagates
+ * through CFG to fixpoint, then checks if tainted data reaches sinks
+ * without proper sanitization.
+ *
+ * Algorithm:
+ * 1. Map sources/sinks/sanitizers to CFG nodes via AST containment
+ * 2. Seed source nodes with taint state
+ * 3. Worklist: propagate taint forward through CFG, applying transfer
+ *    functions at each node (assignment, call, destructuring, etc.)
+ * 4. At fixpoint: check each sink node for matching taint kinds
+ * 5. Reconstruct source-to-sink paths via backward slice
+ */
+
+import type Parser from 'tree-sitter'
+import type { CFG, CFGNode } from './cfg-types'
+import { getSuccessors, getPredecessors, buildFileCFGs } from './cfg-builder'
+import type { TaintKind, TaintSource, TaintSink, TaintSanitizer } from './types'
+import type { TaintState, TaintStep, TaintFinding, CallResolutionContext, CalleeResult } from './propagation-types'
+import { getTaint, setTaint, deleteTaint, getFieldTaint, setFieldTaint, WHOLE_OBJECT } from './propagation-types'
+import type { FieldKey } from './propagation-types'
+import { walkAST } from '../parse/ast'
+import { classifySources } from './source-classifier'
+import { classifySinks } from './sink-classifier'
+import { buildSanitizerRegistry } from './sanitizer-registry'
+import { resolveCallTarget } from '../detect/ast-rules/helpers/call-analysis'
+import { resolvePythonCallTarget } from '../detect/ast-rules/helpers/python-helpers'
+import { collectImportBindings } from './helpers'
+import { injectPromiseChainTaint, injectCallbackTaint } from './async-flow'
+import { collectConstants, isConstantExpression } from './constant-propagation'
+import type { ConstantMap } from './constant-propagation'
+import { getOrBuildSummary, composeSummary } from './taint-summary'
+
+// ============================================================================
+// AST → CFGNode Matching
+// ============================================================================
+
+/**
+ * Check if `child` is a descendant of (or equal to) `ancestor` in the AST.
+ */
+export function isDescendantOf(
+  child: Parser.SyntaxNode,
+  ancestor: Parser.SyntaxNode,
+): boolean {
+  let current: Parser.SyntaxNode | null = child
+  while (current) {
+    if (current.id === ancestor.id) return true
+    current = current.parent
+  }
+  return false
+}
+
+/**
+ * Find the CFG node that contains a given AST node.
+ * Returns the first CFG node whose astNode is an ancestor of (or equal to) the target.
+ */
+export function findContainingCFGNode(
+  cfg: CFG,
+  astNode: Parser.SyntaxNode,
+): CFGNode | null {
+  for (const [, cfgNode] of cfg.nodes) {
+    if (!cfgNode.astNode) continue
+    if (isDescendantOf(astNode, cfgNode.astNode)) return cfgNode
+  }
+  return null
+}
+
+/**
+ * Phase 8 (Part 4): O(D) parent-chain walk using pre-built CFG node map.
+ * Walks up the AST parent chain until a mapped node is found.
+ * D = AST depth (5-15), vs O(N) where N = CFG nodes (50-200).
+ */
+export function findContainingCFGNodeFast(
+  cfgNodeMap: Map<number, CFGNode>,
+  astNode: Parser.SyntaxNode,
+): CFGNode | null {
+  let current: Parser.SyntaxNode | null = astNode
+  while (current) {
+    const cfgNode = cfgNodeMap.get(current.id)
+    if (cfgNode) return cfgNode
+    current = current.parent
+  }
+  return null
+}
+
+/**
+ * Build a map from AST node ID → CFGNode for all nodes in a CFG.
+ */
+export function buildCFGNodeMap(cfg: CFG): Map<number, CFGNode> {
+  const map = new Map<number, CFGNode>()
+  for (const [, cfgNode] of cfg.nodes) {
+    if (cfgNode.astNode) {
+      map.set(cfgNode.astNode.id, cfgNode)
+    }
+  }
+  return map
+}
+
+// ============================================================================
+// Taint State Helpers
+// ============================================================================
+
+/** Clone a TaintState (deep copy of field maps and sets). */
+function cloneState(state: TaintState): TaintState {
+  const clone: TaintState = new Map()
+  for (const [varName, fieldMap] of state) {
+    const clonedFieldMap = new Map<FieldKey, Set<TaintKind>>()
+    for (const [field, kinds] of fieldMap) {
+      clonedFieldMap.set(field, new Set(kinds))
+    }
+    clone.set(varName, clonedFieldMap)
+  }
+  return clone
+}
+
+/** Merge multiple predecessor out-states into one in-state (union). */
+export function mergeStates(states: TaintState[]): TaintState {
+  const merged: TaintState = new Map()
+  for (const state of states) {
+    for (const [varName, fieldMap] of state) {
+      let existingFieldMap = merged.get(varName)
+      if (!existingFieldMap) {
+        existingFieldMap = new Map<FieldKey, Set<TaintKind>>()
+        merged.set(varName, existingFieldMap)
+      }
+      for (const [field, kinds] of fieldMap) {
+        const existingKinds = existingFieldMap.get(field)
+        if (existingKinds) {
+          for (const k of kinds) existingKinds.add(k)
+        } else {
+          existingFieldMap.set(field, new Set(kinds))
+        }
+      }
+    }
+  }
+  return merged
+}
+
+/** Check if two TaintStates are equal. */
+function statesEqual(a: TaintState, b: TaintState): boolean {
+  // Phase 8 (3c): identity fast path — catches cases where applyTransfer returned same ref
+  if (a === b) return true
+  if (a.size !== b.size) return false
+  for (const [varName, aFieldMap] of a) {
+    const bFieldMap = b.get(varName)
+    if (!bFieldMap) return false
+    if (aFieldMap.size !== bFieldMap.size) return false
+    for (const [field, aKinds] of aFieldMap) {
+      const bKinds = bFieldMap.get(field)
+      if (!bKinds) return false
+      if (aKinds.size !== bKinds.size) return false
+      for (const k of aKinds) {
+        if (!bKinds.has(k)) return false
+      }
+    }
+  }
+  return true
+}
+
+/** Collect taint from a set of used variables in the current state. */
+function collectUseTaint(
+  uses: Iterable<string>,
+  state: TaintState,
+): Set<TaintKind> {
+  const result = new Set<TaintKind>()
+  for (const u of uses) {
+    const kinds = getTaint(state, u)
+    if (kinds) {
+      for (const k of kinds) result.add(k)
+    }
+  }
+  return result
+}
+
+// ============================================================================
+// Sanitizer Map
+// ============================================================================
+
+export interface SanitizerMapping {
+  cfgNodeId: number
+  sanitizer: TaintSanitizer
+}
+
+/**
+ * Build a map from CFG node ID → sanitizers active in that node.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+export function buildSanitizerMap(
+  cfg: CFG,
+  sanitizers: TaintSanitizer[],
+  cfgNodeMap?: Map<number, CFGNode>,
+): Map<number, TaintSanitizer[]> {
+  const map = new Map<number, TaintSanitizer[]>()
+  for (const s of sanitizers) {
+    const cfgNode = cfgNodeMap
+      ? findContainingCFGNodeFast(cfgNodeMap, s.node)
+      : findContainingCFGNode(cfg, s.node)
+    if (!cfgNode) continue
+    const existing = map.get(cfgNode.id)
+    if (existing) {
+      existing.push(s)
+    } else {
+      map.set(cfgNode.id, [s])
+    }
+  }
+  return map
+}
+
+// ============================================================================
+// Expression-level Transfer Function
+// ============================================================================
+
+/**
+ * Resolve taint for the RHS of an assignment by walking its AST.
+ *
+ * Returns the set of taint kinds that the RHS expression carries,
+ * considering sanitizer calls and optionally cross-file call resolution.
+ */
+function resolveExpressionTaint(
+  exprNode: Parser.SyntaxNode,
+  inState: TaintState,
+  sanitizers: TaintSanitizer[],
+  callContext?: CallResolutionContext,
+  callerFile?: string,
+): Set<TaintKind> {
+  const result = new Set<TaintKind>()
+
+  // Literal values: no taint
+  if (isLiteral(exprNode)) return result
+
+  // Identifier: look up in state
+  if (exprNode.type === 'identifier') {
+    const kinds = getTaint(inState, exprNode.text)
+    if (kinds) for (const k of kinds) result.add(k)
+    return result
+  }
+
+  // Helper: shorthand for recursive calls with context forwarding
+  const resolve = (node: Parser.SyntaxNode) =>
+    resolveExpressionTaint(node, inState, sanitizers, callContext, callerFile)
+
+  // Await: taint propagates through (Python: 'await', JS: 'await_expression')
+  if (exprNode.type === 'await_expression' || exprNode.type === 'await') {
+    const inner = exprNode.namedChildren[0]
+    if (inner) {
+      const innerTaint = resolve(inner)
+      for (const k of innerTaint) result.add(k)
+    }
+    return result
+  }
+
+  // Parenthesized: pass through
+  if (exprNode.type === 'parenthesized_expression') {
+    const inner = exprNode.namedChildren[0]
+    if (inner) {
+      const innerTaint = resolve(inner)
+      for (const k of innerTaint) result.add(k)
+    }
+    return result
+  }
+
+  // Call expression: check sanitizers, then cross-file resolution, then conservative
+  // Python: 'call', JS: 'call_expression'
+  if (exprNode.type === 'call_expression' || exprNode.type === 'call') {
+    return resolveCallTaint(exprNode, inState, sanitizers, callContext, callerFile)
+  }
+
+  // New expression: union of arg taint
+  if (exprNode.type === 'new_expression') {
+    const args = exprNode.childForFieldName('arguments')
+    if (args) {
+      for (const arg of args.namedChildren) {
+        const argTaint = resolve(arg)
+        for (const k of argTaint) result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Binary expression / template literal: union of both sides
+  // Python: 'binary_operator', JS: 'binary_expression'
+  if (exprNode.type === 'binary_expression' || exprNode.type === 'binary_operator') {
+    const left = exprNode.childForFieldName('left')
+    const right = exprNode.childForFieldName('right')
+    if (left) {
+      const lt = resolve(left)
+      for (const k of lt) result.add(k)
+    }
+    if (right) {
+      const rt = resolve(right)
+      for (const k of rt) result.add(k)
+    }
+    return result
+  }
+
+  // Python boolean/comparison operators: walk children for taint
+  if (exprNode.type === 'boolean_operator' || exprNode.type === 'comparison_operator' ||
+      exprNode.type === 'not_operator') {
+    for (const child of exprNode.namedChildren) {
+      const ct = resolve(child)
+      for (const k of ct) result.add(k)
+    }
+    return result
+  }
+
+  // Python f-string: string node with interpolation children
+  // Must check BEFORE the fallback walkAST to properly handle f-string taint
+  if (exprNode.type === 'string' && exprNode.descendantsOfType('interpolation').length > 0) {
+    for (const interp of exprNode.descendantsOfType('interpolation')) {
+      for (const child of interp.namedChildren) {
+        const childTaint = resolve(child)
+        for (const k of childTaint) result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Python concatenated_string: "foo" + "bar" or "a" "b" style
+  if (exprNode.type === 'concatenated_string') {
+    for (const child of exprNode.namedChildren) {
+      const ct = resolve(child)
+      for (const k of ct) result.add(k)
+    }
+    return result
+  }
+
+  // Template string: union of all substitutions
+  if (exprNode.type === 'template_string') {
+    const subs = exprNode.descendantsOfType('template_substitution')
+    for (const sub of subs) {
+      for (const child of sub.namedChildren) {
+        const childTaint = resolve(child)
+        for (const k of childTaint) result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Member expression: field-aware taint resolution
+  // Python: 'attribute' + 'subscript', JS: 'member_expression' + 'subscript_expression'
+  if (exprNode.type === 'member_expression' || exprNode.type === 'subscript_expression' ||
+      exprNode.type === 'attribute' || exprNode.type === 'subscript') {
+    const obj = exprNode.childForFieldName('object')
+      ?? exprNode.childForFieldName('value')  // Python subscript uses 'value' field
+    if (obj) {
+      // Try field-specific taint: obj.field → getFieldTaint(state, "obj", "field")
+      if ((exprNode.type === 'member_expression' || exprNode.type === 'attribute') && obj.type === 'identifier') {
+        const prop = exprNode.type === 'attribute'
+          ? exprNode.childForFieldName('attribute')
+          : exprNode.childForFieldName('property')
+        if (prop && (prop.type === 'property_identifier' || prop.type === 'identifier')) {
+          const fieldTaint = getFieldTaint(inState, obj.text, prop.text)
+          if (fieldTaint) for (const k of fieldTaint) result.add(k)
+          return result
+        }
+      }
+      // Computed/dynamic access or deep chain: fall back to whole-object taint
+      const objTaint = resolve(obj)
+      for (const k of objTaint) result.add(k)
+    }
+    // Computed index may also carry taint
+    if (exprNode.type === 'subscript_expression' || exprNode.type === 'subscript') {
+      const index = exprNode.childForFieldName('index')
+        ?? exprNode.childForFieldName('subscript')  // Python subscript field name
+      if (index) {
+        const idxTaint = resolve(index)
+        for (const k of idxTaint) result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Spread element
+  if (exprNode.type === 'spread_element') {
+    const inner = exprNode.namedChildren[0]
+    if (inner) {
+      const innerTaint = resolve(inner)
+      for (const k of innerTaint) result.add(k)
+    }
+    return result
+  }
+
+  // Object literal: union of all value taint (whole-object view for backward compat)
+  if (exprNode.type === 'object') {
+    for (const child of exprNode.namedChildren) {
+      if (child.type === 'pair') {
+        const value = child.childForFieldName('value')
+        if (value) {
+          const vt = resolve(value)
+          for (const k of vt) result.add(k)
+        }
+      } else if (child.type === 'shorthand_property_identifier') {
+        const kinds = getTaint(inState, child.text)
+        if (kinds) for (const k of kinds) result.add(k)
+      } else if (child.type === 'spread_element') {
+        const inner = child.namedChildren[0]
+        if (inner) {
+          const innerTaint = resolve(inner)
+          for (const k of innerTaint) result.add(k)
+        }
+      }
+    }
+    return result
+  }
+
+  // Array literal / Python list/tuple: union of all element taint
+  if (exprNode.type === 'array' || exprNode.type === 'list' || exprNode.type === 'tuple') {
+    for (const child of exprNode.namedChildren) {
+      const ct = resolve(child)
+      for (const k of ct) result.add(k)
+    }
+    return result
+  }
+
+  // Python dictionary: union of all value taint
+  if (exprNode.type === 'dictionary') {
+    for (const child of exprNode.namedChildren) {
+      if (child.type === 'pair') {
+        const value = child.childForFieldName('value')
+        if (value) {
+          const vt = resolve(value)
+          for (const k of vt) result.add(k)
+        }
+      } else {
+        const ct = resolve(child)
+        for (const k of ct) result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Ternary: union of both branches (conservative)
+  // Python: 'conditional_expression', JS: 'ternary_expression'
+  if (exprNode.type === 'ternary_expression' || exprNode.type === 'conditional_expression') {
+    for (const child of exprNode.namedChildren) {
+      const ct = resolve(child)
+      for (const k of ct) result.add(k)
+    }
+    return result
+  }
+
+  // Unary expression: propagate from operand
+  // Python: 'unary_operator', JS: 'unary_expression'
+  if (exprNode.type === 'unary_expression' || exprNode.type === 'unary_operator') {
+    const arg = exprNode.namedChildren[0]
+    if (arg) {
+      const at = resolve(arg)
+      for (const k of at) result.add(k)
+    }
+    return result
+  }
+
+  // Python keyword_argument: extract taint from value
+  if (exprNode.type === 'keyword_argument') {
+    const value = exprNode.childForFieldName('value')
+    if (value) {
+      const vt = resolve(value)
+      for (const k of vt) result.add(k)
+    }
+    return result
+  }
+
+  // Type assertion / as expression: propagate through
+  if (exprNode.type === 'as_expression' || exprNode.type === 'type_assertion' ||
+      exprNode.type === 'non_null_expression' || exprNode.type === 'satisfies_expression') {
+    const inner = exprNode.namedChildren[0]
+    if (inner) {
+      const innerTaint = resolve(inner)
+      for (const k of innerTaint) result.add(k)
+    }
+    return result
+  }
+
+  // Fallback: conservatively collect taint from all identifiers in the expression
+  walkAST(exprNode, (node) => {
+    if (node.type === 'identifier') {
+      const kinds = getTaint(inState, node.text)
+      if (kinds) for (const k of kinds) result.add(k)
+    }
+    // Don't descend into nested function expressions
+    if (node.type === 'arrow_function' || node.type === 'function_expression' ||
+        node.type === 'function_definition' || node.type === 'lambda') return true
+    return false
+  })
+
+  return result
+}
+
+/**
+ * Resolve taint for a call expression, checking sanitizers and cross-file callees.
+ */
+function resolveCallTaint(
+  callNode: Parser.SyntaxNode,
+  inState: TaintState,
+  sanitizers: TaintSanitizer[],
+  callContext?: CallResolutionContext,
+  callerFile?: string,
+): Set<TaintKind> {
+  const result = new Set<TaintKind>()
+  const resolve = (node: Parser.SyntaxNode) =>
+    resolveExpressionTaint(node, inState, sanitizers, callContext, callerFile)
+
+  // First, collect taint from all arguments (and per-argument taint for cross-file)
+  const argsNode = callNode.childForFieldName('arguments')
+  const argTaint = new Set<TaintKind>()
+  const perArgTaint: Set<TaintKind>[] = []
+  if (argsNode) {
+    for (const arg of argsNode.namedChildren) {
+      const at = resolve(arg)
+      perArgTaint.push(at)
+      for (const k of at) argTaint.add(k)
+    }
+  }
+
+  // Also get taint from the callee (for method chains: tainted.toString())
+  // Python: 'attribute', JS: 'member_expression'
+  const fnNode = callNode.childForFieldName('function')
+  if (fnNode?.type === 'member_expression' || fnNode?.type === 'attribute') {
+    const obj = fnNode.childForFieldName('object')
+    if (obj) {
+      const objTaint = resolve(obj)
+      for (const k of objTaint) argTaint.add(k)
+    }
+  }
+
+  // Check if this call is a sanitizer
+  const matchingSanitizer = findMatchingSanitizer(callNode, sanitizers)
+  if (matchingSanitizer) {
+    // Sanitizer: result = argTaint minus clearsKinds
+    for (const k of argTaint) {
+      if (!matchingSanitizer.clearsKinds.has(k)) {
+        result.add(k)
+      }
+    }
+    return result
+  }
+
+  // Cross-file / inter-procedural resolution
+  if (callContext && callerFile && argTaint.size > 0) {
+    const calleeResult = resolveCalleeReturnTaint(
+      callNode, perArgTaint, callContext, callerFile,
+    )
+    if (calleeResult !== null) {
+      return calleeResult.returnTaint
+    }
+  }
+
+  // Not a sanitizer, not cross-file resolved: conservatively propagate all arg taint
+  return argTaint
+}
+
+// ============================================================================
+// Cross-File Call Resolution
+// ============================================================================
+
+/**
+ * Resolve the return taint from following a call into another function/file.
+ *
+ * 1. Resolve call target name
+ * 2. Look up in CrossFileIndex (resolveImport or functionDefs)
+ * 3. If found and not in callStack (recursion guard):
+ *    a. Parse callee file's AST, build CFG
+ *    b. Create synthetic sources from argument taint → parameter names
+ *    c. Run propagation on callee's CFG
+ *    d. Collect return-value taint from return statements
+ * 4. Return the taint kinds flowing out + path steps
+ */
+export function resolveCalleeReturnTaint(
+  callNode: Parser.SyntaxNode,
+  perArgTaint: Set<TaintKind>[],
+  ctx: CallResolutionContext,
+  callerFile: string,
+): CalleeResult | null {
+  // Resolve the call target (try JS first, then Python fallback)
+  let resolved: { type: string; name: string; object?: string } | null = resolveCallTarget(callNode)
+  if (!resolved) {
+    const pyResolved = resolvePythonCallTarget(callNode)
+    if (pyResolved) {
+      resolved = { type: pyResolved.type, name: pyResolved.name, object: pyResolved.object }
+    }
+  }
+  if (!resolved) return null
+
+  const { crossFileIndex, allASTs, callStack, maxDepth } = ctx
+
+  // Try to find the function definition
+  let funcDef = crossFileIndex.resolveImport.get(`${callerFile}:${resolved.name}`)
+
+  // Also try namespace.method pattern
+  if (!funcDef && resolved.type === 'member' && resolved.object) {
+    funcDef = crossFileIndex.resolveImport.get(
+      `${callerFile}:${resolved.object}.${resolved.name}`,
+    )
+  }
+
+  // Also try local function
+  if (!funcDef) {
+    funcDef = crossFileIndex.functionDefs.get(`${callerFile}:${resolved.name}`)
+  }
+
+  if (!funcDef) return null
+
+  // Recursion guard
+  const callKey = `${funcDef.filePath}:${funcDef.functionName}`
+  if (callStack.has(callKey)) return null
+  if (callStack.size >= maxDepth) return null
+
+  // Check cache
+  const taintSig = perArgTaint.map(s => [...s].sort().join(',')).join('|')
+  const cacheKey = `${callKey}:${taintSig}`
+  if (ctx.resultCache.has(cacheKey)) {
+    return ctx.resultCache.get(cacheKey)!
+  }
+
+  // Phase 8: Try summary-based composition first (much faster than full analysis)
+  if (ctx.summaryCache && ctx.analysisCache) {
+    const summary = getOrBuildSummary(funcDef, ctx)
+    if (summary) {
+      const result = composeSummary(summary, perArgTaint, callerFile, callNode)
+      ctx.resultCache.set(cacheKey, result.returnTaint.size > 0 || result.calleeFindings.length > 0 ? result : null)
+      return result.returnTaint.size > 0 || result.calleeFindings.length > 0 ? result : null
+    }
+  }
+
+  // Get callee AST
+  const calleeAST = allASTs.get(funcDef.filePath)
+  if (!calleeAST) {
+    ctx.resultCache.set(cacheKey, null)
+    return null
+  }
+
+  // Phase 8: Use analysis cache if available, otherwise recompute
+  const fileCache = ctx.analysisCache?.get(funcDef.filePath)
+  const calleeCFGs = fileCache?.cfgs ?? buildFileCFGs(calleeAST)
+
+  // Find the specific function's CFG
+  let calleeCFG: CFG | undefined
+  for (const [name, cfg] of calleeCFGs) {
+    if (name === funcDef.functionName) {
+      calleeCFG = cfg
+      break
+    }
+  }
+
+  if (!calleeCFG) {
+    ctx.resultCache.set(cacheKey, null)
+    return null
+  }
+
+  // Create synthetic sources from argument taint → parameter names
+  const syntheticSources: TaintSource[] = []
+  for (let i = 0; i < funcDef.params.length && i < perArgTaint.length; i++) {
+    const paramTaint = perArgTaint[i]
+    if (paramTaint.size === 0) continue
+
+    // Find the parameter's AST node in the callee function
+    const paramNode = findParamNode(funcDef.astNode, funcDef.params[i])
+    if (!paramNode) continue
+
+    syntheticSources.push({
+      node: paramNode,
+      line: paramNode.startPosition.row + 1,
+      variable: funcDef.params[i],
+      expression: `${funcDef.functionName}(${funcDef.params[i]})`,
+      sourceType: 'external_api', // synthetic source
+      taintKinds: new Set(paramTaint),
+      confidence: 'high',
+    })
+  }
+
+  if (syntheticSources.length === 0) {
+    ctx.resultCache.set(cacheKey, null)
+    return null
+  }
+
+  // Phase 8: Get sinks and sanitizers from cache or recompute
+  const calleeSinks = fileCache?.sinks ?? classifySinks(calleeAST)
+  const calleeSanitizers = fileCache?.sanitizers ?? buildSanitizerRegistry(calleeAST)
+
+  // Map synthetic parameter sources to the CFG entry node.
+  // Parameters aren't inside any statement node, so mapSourcesToCFG would fail.
+  // Instead, seed them at the entry node — parameters are defined at function entry.
+  let entryNodeId = -1
+  for (const [id, node] of calleeCFG.nodes) {
+    if (node.kind === 'entry') {
+      entryNodeId = id
+      break
+    }
+  }
+  if (entryNodeId === -1) {
+    ctx.resultCache.set(cacheKey, null)
+    return null
+  }
+
+  const sourceMappings: SourceMapping[] = syntheticSources.map(source => ({
+    source,
+    cfgNodeId: entryNodeId,
+  }))
+  // Phase 8 (Part 4): use cached CFG node map for O(D) lookup
+  const calleeCFGNodeMap = fileCache?.cfgNodeMaps.get(funcDef.functionName)
+  const sinkMappings = mapSinksToCFG(calleeCFG, calleeSinks, calleeCFGNodeMap)
+  const sanitizerMap = buildSanitizerMap(calleeCFG, calleeSanitizers, calleeCFGNodeMap)
+
+  // Push to call stack
+  callStack.add(callKey)
+
+  // Create child context for deeper calls
+  const childContext: CallResolutionContext = {
+    ...ctx,
+    callStack: new Set(callStack),
+  }
+
+  // Run fixpoint ONCE — used for both callee findings and return taint
+  const calleeConstants = calleeCFG.functionNode ? collectConstants(calleeCFG.functionNode) : new Map()
+  const outStates = runFixpointInternal(calleeCFG, sourceMappings, sanitizerMap, funcDef.filePath, childContext, calleeConstants)
+  const calleeFindings = deduplicateFindings(
+    checkSinksInternal(calleeCFG, outStates, sinkMappings, sourceMappings, funcDef.filePath),
+  )
+
+  // Pop from call stack
+  callStack.delete(callKey)
+
+  // Extract return-value taint from the already-computed out-states
+  const returnTaint = extractReturnTaint(calleeCFG, outStates, calleeSanitizers, childContext, funcDef.filePath)
+
+  // Build path steps
+  const steps: TaintStep[] = [
+    {
+      nodeId: 0,
+      line: callNode.startPosition.row + 1,
+      variable: funcDef.functionName,
+      taintKinds: new Set(returnTaint),
+      description: `CALL_ENTRY ${funcDef.functionName}() in ${funcDef.filePath}`,
+      stepType: 'call_entry',
+      filePath: funcDef.filePath,
+      functionName: funcDef.functionName,
+    },
+    {
+      nodeId: 0,
+      line: callNode.startPosition.row + 1,
+      variable: funcDef.functionName,
+      taintKinds: new Set(returnTaint),
+      description: `CALL_RETURN ${funcDef.functionName}() → ${[...returnTaint].join(',')}`,
+      stepType: 'call_return',
+      filePath: callerFile,
+      functionName: funcDef.functionName,
+    },
+  ]
+
+  const calleeResult: CalleeResult = {
+    returnTaint,
+    steps,
+    calleeFindings,
+  }
+
+  ctx.resultCache.set(cacheKey, calleeResult)
+  return calleeResult
+}
+
+/**
+ * Extract taint kinds from return statements using pre-computed out-states.
+ * Walks all return statements in the CFG and resolves expression taint.
+ */
+function extractReturnTaint(
+  cfg: CFG,
+  outStates: Map<number, TaintState>,
+  sanitizers: TaintSanitizer[],
+  callContext?: CallResolutionContext,
+  filePath?: string,
+): Set<TaintKind> {
+  const returnTaint = new Set<TaintKind>()
+
+  for (const [, cfgNode] of cfg.nodes) {
+    if (!cfgNode.astNode) continue
+    const ast = cfgNode.astNode
+
+    if (ast.type !== 'return_statement') continue
+
+    const returnExpr = ast.namedChildren[0]
+    if (!returnExpr) continue
+
+    // Get the taint state at this node: merge predecessors + own out-state
+    const predIds = getPredecessors(cfg, cfgNode.id)
+    const predStates: TaintState[] = []
+    for (const pId of predIds) {
+      const ps = outStates.get(pId)
+      if (ps) predStates.push(ps)
+    }
+    const nodeInState = mergeStates(predStates)
+    const nodeState = mergeStates([nodeInState, outStates.get(cfgNode.id) ?? new Map()])
+
+    const exprTaint = resolveExpressionTaint(returnExpr, nodeState, sanitizers, callContext, filePath)
+    for (const k of exprTaint) returnTaint.add(k)
+  }
+
+  return returnTaint
+}
+
+/** Find a parameter's AST node in a function definition. */
+function findParamNode(
+  fnNode: Parser.SyntaxNode,
+  paramName: string,
+): Parser.SyntaxNode | null {
+  const params = fnNode.childForFieldName('parameters')
+  if (!params) return null
+
+  for (const child of params.namedChildren) {
+    if (child.type === 'identifier' && child.text === paramName) return child
+    // JS/TS param types
+    if (child.type === 'required_parameter' || child.type === 'optional_parameter') {
+      const pattern = child.childForFieldName('pattern')
+      if (pattern?.type === 'identifier' && pattern.text === paramName) return pattern
+    }
+    if (child.type === 'assignment_pattern') {
+      const left = child.childForFieldName('left')
+      if (left?.type === 'identifier' && left.text === paramName) return left
+    }
+    // Python param types
+    if (child.type === 'typed_parameter' || child.type === 'default_parameter' ||
+        child.type === 'typed_default_parameter') {
+      const nameNode = child.namedChildren.find(c => c.type === 'identifier')
+      if (nameNode && nameNode.text === paramName) return nameNode
+    }
+    if (child.type === 'list_splat_pattern' || child.type === 'dictionary_splat_pattern') {
+      const ident = child.namedChildren.find(c => c.type === 'identifier')
+      if (ident && ident.text === paramName) return ident
+    }
+  }
+
+  // Fallback: search for identifier in params subtree
+  let found: Parser.SyntaxNode | null = null
+  walkAST(params, (node) => {
+    if (node.type === 'identifier' && node.text === paramName && !found) {
+      found = node
+      return true
+    }
+    return false
+  })
+  return found
+}
+
+/**
+ * Find a sanitizer whose AST node matches this call expression.
+ */
+function findMatchingSanitizer(
+  callNode: Parser.SyntaxNode,
+  sanitizers: TaintSanitizer[],
+): TaintSanitizer | null {
+  for (const s of sanitizers) {
+    if (s.node.id === callNode.id) return s
+    // Also check if the sanitizer's node is a parent/ancestor of this call
+    if (isDescendantOf(callNode, s.node)) return s
+  }
+  return null
+}
+
+/** Check if a node represents a literal value (no taint). */
+function isLiteral(node: Parser.SyntaxNode): boolean {
+  switch (node.type) {
+    case 'string':
+      // Python f-strings have type 'string' but contain interpolation children — NOT a literal
+      if (node.descendantsOfType('interpolation').length > 0) return false
+      return true
+    case 'number':
+    case 'true':
+    case 'false':
+    case 'null':
+    case 'undefined':
+    case 'regex':
+    // Python literals
+    case 'integer':
+    case 'float':
+    case 'none':
+      return true
+    default:
+      return false
+  }
+}
+
+// ============================================================================
+// Statement-level Transfer Function
+// ============================================================================
+
+/**
+ * Apply the transfer function for a single CFG node.
+ * Given the incoming taint state, compute the outgoing taint state.
+ */
+export function applyTransfer(
+  cfgNode: CFGNode,
+  inState: TaintState,
+  sanitizerMap: Map<number, TaintSanitizer[]>,
+  callContext?: CallResolutionContext,
+  callerFile?: string,
+  constantMap?: ConstantMap,
+): TaintState {
+  // Phase 8 (3b): skip clone for no-op nodes — entry, exit, and nodes without AST
+  if (!cfgNode.astNode) return inState
+  if (cfgNode.kind === 'entry' || cfgNode.kind === 'exit') return inState
+
+  // Phase 8 (3b): condition nodes with no defs and no sanitizers are read-only
+  if (cfgNode.kind === 'condition' && cfgNode.defs.size === 0) {
+    const hasSanitizers = sanitizerMap.has(cfgNode.id)
+    if (!hasSanitizers) return inState
+  }
+
+  const outState = cloneState(inState)
+  const sanitizers = sanitizerMap.get(cfgNode.id) ?? []
+  const ast = cfgNode.astNode
+
+  applyNodeTransfer(ast, outState, sanitizers, callContext, callerFile, constantMap)
+
+  return outState
+}
+
+/**
+ * Recursively apply transfer for an AST node within a CFG statement.
+ */
+function applyNodeTransfer(
+  node: Parser.SyntaxNode,
+  state: TaintState,
+  sanitizers: TaintSanitizer[],
+  callContext?: CallResolutionContext,
+  callerFile?: string,
+  constantMap?: ConstantMap,
+): void {
+  // Helper for expression taint resolution with context forwarding
+  const resolve = (expr: Parser.SyntaxNode) =>
+    resolveExpressionTaint(expr, state, sanitizers, callContext, callerFile)
+
+  // Variable declaration: const x = <expr>
+  if (node.type === 'lexical_declaration' || node.type === 'variable_declaration') {
+    for (const child of node.namedChildren) {
+      applyNodeTransfer(child, state, sanitizers, callContext, callerFile, constantMap)
+    }
+    return
+  }
+
+  if (node.type === 'variable_declarator') {
+    const nameNode = node.childForFieldName('name')
+    const valueNode = node.childForFieldName('value')
+    if (!nameNode || !valueNode) return
+
+    if (nameNode.type === 'identifier') {
+      // Constant propagation: if RHS is entirely constant-derived, clear taint
+      if (constantMap && isConstantExpression(valueNode, constantMap)) {
+        deleteTaint(state, nameNode.text)
+        return
+      }
+      // Simple: const x = expr
+      const rhsTaint = resolve(valueNode)
+      if (rhsTaint.size > 0) {
+        setTaint(state, nameNode.text, rhsTaint)
+      } else {
+        deleteTaint(state, nameNode.text)
+      }
+    } else if (nameNode.type === 'object_pattern' || nameNode.type === 'array_pattern') {
+      // Destructuring: const { a, b } = expr
+      const rhsTaint = resolve(valueNode)
+      const rhsVarName = valueNode.type === 'identifier' ? valueNode.text
+        : (valueNode.type === 'member_expression' ? getMemberRoot(valueNode) : null)
+      applyDestructuringTaint(nameNode, rhsTaint, state, rhsVarName ?? undefined)
+    }
+    return
+  }
+
+  // Assignment: x = expr
+  // Python: 'assignment', JS: 'assignment_expression'
+  if (node.type === 'assignment_expression' || node.type === 'assignment') {
+    const left = node.childForFieldName('left')
+    const right = node.childForFieldName('right')
+    if (!left || !right) return
+
+    if (left.type === 'identifier') {
+      // Constant propagation: if RHS is entirely constant-derived, clear taint
+      if (constantMap && isConstantExpression(right, constantMap)) {
+        deleteTaint(state, left.text)
+        return
+      }
+      const rhsTaint = resolve(right)
+      if (rhsTaint.size > 0) {
+        setTaint(state, left.text, rhsTaint)
+      } else {
+        deleteTaint(state, left.text)
+      }
+    } else if (left.type === 'object_pattern' || left.type === 'array_pattern' ||
+               left.type === 'tuple_pattern' || left.type === 'list_pattern' ||
+               left.type === 'pattern_list' || left.type === 'tuple' || left.type === 'list') {
+      // Destructuring / Python unpacking: a, b = expr
+      const rhsTaint = resolve(right)
+      const rhsVarName = right.type === 'identifier' ? right.text
+        : (right.type === 'member_expression' || right.type === 'attribute' ? getMemberRoot(right) : null)
+      applyDestructuringTaint(left, rhsTaint, state, rhsVarName ?? undefined)
+    } else if (left.type === 'member_expression' || left.type === 'attribute') {
+      // obj.prop = val — field-level taint
+      // Python: 'attribute' with fields 'object'/'attribute', JS: 'member_expression' with 'object'/'property'
+      const obj = left.childForFieldName('object')
+      const prop = left.type === 'attribute'
+        ? left.childForFieldName('attribute')
+        : left.childForFieldName('property')
+      if (obj?.type === 'identifier' && prop && (prop.type === 'property_identifier' || prop.type === 'identifier')) {
+        // One-level field assignment: obj.field = val
+        const rhsTaint = resolve(right)
+        if (rhsTaint.size > 0) {
+          setFieldTaint(state, obj.text, prop.text, rhsTaint)
+        }
+      } else {
+        // Deep chain or computed: fall back to root object taint
+        const root = getMemberRoot(left)
+        if (root) {
+          const rhsTaint = resolve(right)
+          // Phase 8: clone before mutating — getTaint may return internal Set reference
+          const existing = new Set(getTaint(state, root) ?? [])
+          for (const k of rhsTaint) existing.add(k)
+          if (existing.size > 0) setTaint(state, root, existing)
+        }
+      }
+    }
+    return
+  }
+
+  // Augmented assignment: x += expr
+  // Python: 'augmented_assignment', JS: 'augmented_assignment_expression'
+  if (node.type === 'augmented_assignment_expression' || node.type === 'augmented_assignment') {
+    const left = node.childForFieldName('left')
+    const right = node.childForFieldName('right')
+    if (!left || !right) return
+
+    if (left.type === 'identifier') {
+      const rhsTaint = resolve(right)
+      // Phase 8: clone before mutating — getTaint may return internal Set reference
+      const existing = new Set(getTaint(state, left.text) ?? [])
+      for (const k of rhsTaint) existing.add(k)
+      if (existing.size > 0) setTaint(state, left.text, existing)
+    }
+    return
+  }
+
+  // Expression statement: unwrap the inner expression
+  if (node.type === 'expression_statement') {
+    for (const child of node.namedChildren) {
+      applyNodeTransfer(child, state, sanitizers, callContext, callerFile, constantMap)
+    }
+    return
+  }
+
+  // For-in header: captures iteration variable taint from the right side
+  if (node.type === 'for_in_statement') {
+    const left = node.childForFieldName('left')
+    const right = node.childForFieldName('right')
+    if (left && right) {
+      const rhsTaint = resolve(right)
+      if (left.type === 'identifier') {
+        if (rhsTaint.size > 0) setTaint(state, left.text, rhsTaint)
+      } else {
+        // Destructuring in for-of/for-in
+        applyDestructuringTaint(left, rhsTaint, state)
+      }
+    }
+    return
+  }
+
+  // Python for loop with left/right fields: for x in iterable
+  if (node.type === 'for_statement') {
+    const left = node.childForFieldName('left')
+    const right = node.childForFieldName('right')
+    if (left && right) {
+      const rhsTaint = resolve(right)
+      if (left.type === 'identifier') {
+        if (rhsTaint.size > 0) setTaint(state, left.text, rhsTaint)
+      } else {
+        applyDestructuringTaint(left, rhsTaint, state)
+      }
+    }
+    return
+  }
+
+  // Python with statement: with expr as var
+  if (node.type === 'with_statement') {
+    // The with_clause may contain 'as_pattern' nodes: expr as name
+    for (const child of node.namedChildren) {
+      if (child.type === 'with_clause') {
+        for (const item of child.namedChildren) {
+          if (item.type === 'with_item' || item.type === 'as_pattern') {
+            const expr = item.namedChildren[0]
+            const alias = item.namedChildren[1]
+            if (expr && alias?.type === 'identifier') {
+              const exprTaint = resolve(expr)
+              if (exprTaint.size > 0) setTaint(state, alias.text, exprTaint)
+            }
+          }
+        }
+      }
+    }
+    return
+  }
+
+  // Standalone call expression: trigger expression resolution so cross-file
+  // analysis discovers callee findings (sinks reached inside the called function).
+  // Without this, standalone calls like `query(input)` would be silently ignored.
+  // Python: 'call', JS: 'call_expression'
+  if (node.type === 'call_expression' || node.type === 'call') {
+    // Inject taint into callback parameters for promise chains and callback APIs.
+    // This must happen BEFORE resolve() so the taint state is available when
+    // analyzing the callback body's expressions.
+    injectPromiseChainTaint(node, state)
+    injectCallbackTaint(node, state)
+    resolve(node)
+    return
+  }
+
+  // Return / throw: no defs, but the expression is "used"
+  // (no state changes needed — uses are tracked by def-use)
+}
+
+/**
+ * Apply taint from a destructuring pattern.
+ * When rhsVarName is provided and object_pattern is used, field-specific
+ * taint is extracted per destructured key. Otherwise falls back to whole-object taint.
+ */
+function applyDestructuringTaint(
+  pattern: Parser.SyntaxNode,
+  rhsTaint: Set<TaintKind>,
+  state: TaintState,
+  rhsVarName?: string,
+): void {
+  if (rhsTaint.size === 0) return
+
+  if (pattern.type === 'identifier') {
+    setTaint(state, pattern.text, new Set(rhsTaint))
+    return
+  }
+
+  if (pattern.type === 'object_pattern') {
+    for (const prop of pattern.namedChildren) {
+      if (prop.type === 'shorthand_property_identifier_pattern') {
+        // { email } = obj → email gets field-specific taint from obj.email
+        if (rhsVarName) {
+          const fieldTaint = getFieldTaint(state, rhsVarName, prop.text)
+          if (fieldTaint && fieldTaint.size > 0) {
+            setTaint(state, prop.text, new Set(fieldTaint))
+          } else {
+            // Field has no taint — don't assign whole-object taint
+            deleteTaint(state, prop.text)
+          }
+        } else {
+          setTaint(state, prop.text, new Set(rhsTaint))
+        }
+      } else if (prop.type === 'pair_pattern') {
+        // { email: e } = obj → e gets taint from obj.email
+        const key = prop.childForFieldName('key')
+        const value = prop.childForFieldName('value')
+        if (value && rhsVarName && key) {
+          const fieldName = key.text
+          const fieldTaint = getFieldTaint(state, rhsVarName, fieldName)
+          if (fieldTaint && fieldTaint.size > 0) {
+            applyDestructuringTaint(value, fieldTaint, state)
+          }
+        } else if (value) {
+          applyDestructuringTaint(value, rhsTaint, state)
+        }
+      } else if (prop.type === 'rest_pattern') {
+        // { ...rest } = obj → rest gets whole-object taint (conservative)
+        const inner = prop.namedChildren[0]
+        if (inner) applyDestructuringTaint(inner, rhsTaint, state)
+      }
+    }
+    return
+  }
+
+  if (pattern.type === 'array_pattern') {
+    for (const elem of pattern.namedChildren) {
+      applyDestructuringTaint(elem, rhsTaint, state)
+    }
+    return
+  }
+
+  // Python unpacking: a, b = expr / (a, b) = expr / [a, b] = expr
+  if (pattern.type === 'tuple_pattern' || pattern.type === 'list_pattern' ||
+      pattern.type === 'pattern_list' || pattern.type === 'expression_list' ||
+      pattern.type === 'tuple' || pattern.type === 'list') {
+    for (const elem of pattern.namedChildren) {
+      applyDestructuringTaint(elem, rhsTaint, state)
+    }
+    return
+  }
+
+  // Python list_splat_pattern: *rest
+  if (pattern.type === 'list_splat_pattern') {
+    const inner = pattern.namedChildren[0]
+    if (inner) applyDestructuringTaint(inner, rhsTaint, state)
+    return
+  }
+
+  if (pattern.type === 'assignment_pattern') {
+    const left = pattern.childForFieldName('left')
+    if (left) applyDestructuringTaint(left, rhsTaint, state, rhsVarName)
+    return
+  }
+
+  if (pattern.type === 'rest_pattern') {
+    const inner = pattern.namedChildren[0]
+    if (inner) applyDestructuringTaint(inner, rhsTaint, state)
+  }
+}
+
+/** Get the root identifier of a member expression chain: `a.b.c` → 'a'. */
+function getMemberRoot(node: Parser.SyntaxNode): string | null {
+  let current = node
+  while (current.type === 'member_expression' || current.type === 'subscript_expression' ||
+         current.type === 'attribute' || current.type === 'subscript') {
+    const obj = current.childForFieldName('object')
+      ?? current.childForFieldName('value')  // Python subscript uses 'value' field
+    if (!obj) return null
+    current = obj
+  }
+  return current.type === 'identifier' ? current.text : null
+}
+
+// ============================================================================
+// Source / Sink Mapping
+// ============================================================================
+
+export interface SourceMapping {
+  source: TaintSource
+  cfgNodeId: number
+}
+
+export interface SinkMapping {
+  sink: TaintSink
+  cfgNodeId: number
+}
+
+/**
+ * Map sources to their containing CFG nodes.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+export function mapSourcesToCFG(
+  cfg: CFG,
+  sources: TaintSource[],
+  cfgNodeMap?: Map<number, CFGNode>,
+): SourceMapping[] {
+  const mappings: SourceMapping[] = []
+  for (const source of sources) {
+    const cfgNode = cfgNodeMap
+      ? findContainingCFGNodeFast(cfgNodeMap, source.node)
+      : findContainingCFGNode(cfg, source.node)
+    if (cfgNode) {
+      mappings.push({ source, cfgNodeId: cfgNode.id })
+    }
+  }
+  return mappings
+}
+
+/**
+ * Map sinks to their containing CFG nodes.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+export function mapSinksToCFG(
+  cfg: CFG,
+  sinks: TaintSink[],
+  cfgNodeMap?: Map<number, CFGNode>,
+): SinkMapping[] {
+  const mappings: SinkMapping[] = []
+  for (const sink of sinks) {
+    const cfgNode = cfgNodeMap
+      ? findContainingCFGNodeFast(cfgNodeMap, sink.node)
+      : findContainingCFGNode(cfg, sink.node)
+    if (cfgNode) {
+      mappings.push({ sink, cfgNodeId: cfgNode.id })
+    }
+  }
+  return mappings
+}
+
+// ============================================================================
+// Worklist Algorithm
+// ============================================================================
+
+const MAX_ITERATIONS = 1000
+
+/**
+ * Run the worklist fixpoint algorithm on a CFG.
+ *
+ * Seeds taint at source nodes, propagates forward through the CFG until
+ * no more state changes occur (fixpoint). Returns the per-node out-states.
+ *
+ * Exported as runFixpointInternal for use by taint-summary.ts (Phase 8).
+ */
+export function runFixpointInternal(
+  cfg: CFG,
+  sourceMappings: SourceMapping[],
+  sanitizerMap: Map<number, TaintSanitizer[]>,
+  filePath: string,
+  callContext?: CallResolutionContext,
+  constantMap?: ConstantMap,
+): Map<number, TaintState> {
+  // Per-node out-states
+  const outStates = new Map<number, TaintState>()
+  for (const [id] of cfg.nodes) {
+    outStates.set(id, new Map())
+  }
+
+  // Seed sources: set source variable taint in the source node's out-state
+  const worklist = new Set<number>()
+
+  // Build a per-node source seed map so seeds survive worklist overwrites.
+  // Without this, when a predecessor's propagation causes node N to be
+  // re-processed, applyTransfer overwrites the seeded out-state with just
+  // the propagated in-state — losing any source taint that was seeded here.
+  const sourceSeeds = new Map<number, Array<{ variable: string; kinds: Set<TaintKind>; isDestructuring: boolean; defs: Set<string> }>>()
+
+  for (const { source, cfgNodeId } of sourceMappings) {
+    const state = outStates.get(cfgNodeId)!
+    const cfgNode = cfg.nodes.get(cfgNodeId)
+    const varName = source.variable
+
+    const isDestructuring = varName.startsWith('{') || varName.startsWith('[')
+    if (isDestructuring && cfgNode && cfgNode.defs.size > 0) {
+      for (const defVar of cfgNode.defs) {
+        // Phase 8: clone before mutating — getTaint may return internal Set reference
+        const existing = new Set(getTaint(state, defVar) ?? [])
+        for (const k of source.taintKinds) existing.add(k)
+        setTaint(state, defVar, existing)
+      }
+    } else {
+      // Phase 8: clone before mutating — getTaint may return internal Set reference
+      const existing = new Set(getTaint(state, varName) ?? [])
+      for (const k of source.taintKinds) existing.add(k)
+      setTaint(state, varName, existing)
+
+      // For compound source variables (e.g. "req.body", "req.query"), also seed
+      // the root identifier. The expression-level resolver walks member chains
+      // from the root, so `req.body.email` resolves `req` → tainted → propagates.
+      if (varName.includes('.')) {
+        const root = varName.split('.')[0]
+        const rootExisting = new Set(getTaint(state, root) ?? [])
+        for (const k of source.taintKinds) rootExisting.add(k)
+        setTaint(state, root, rootExisting)
+      }
+    }
+
+    // Record seed for re-injection during worklist
+    if (!sourceSeeds.has(cfgNodeId)) sourceSeeds.set(cfgNodeId, [])
+    sourceSeeds.get(cfgNodeId)!.push({
+      variable: varName,
+      kinds: new Set(source.taintKinds),
+      isDestructuring,
+      defs: cfgNode?.defs ?? new Set(),
+    })
+
+    // Push successors to worklist (the source node's out-state is now seeded)
+    for (const succ of getSuccessors(cfg, cfgNodeId)) {
+      worklist.add(succ)
+    }
+  }
+
+  // Iterate to fixpoint
+  let iterations = 0
+
+  while (worklist.size > 0 && iterations < MAX_ITERATIONS) {
+    iterations++
+
+    // Pop first element from worklist
+    const nodeId = worklist.values().next().value!
+    worklist.delete(nodeId)
+
+    const cfgNode = cfg.nodes.get(nodeId)
+    if (!cfgNode) continue
+
+    // Compute in-state = merge of all predecessor out-states
+    // Phase 8 (3a): single-predecessor fast path — skip mergeStates allocation for ~70% of nodes
+    const predIds = getPredecessors(cfg, nodeId)
+    let inState: TaintState
+    if (predIds.length === 1) {
+      const ps = outStates.get(predIds[0])
+      inState = ps ?? new Map()
+    } else {
+      const predStates: TaintState[] = []
+      for (const pId of predIds) {
+        const ps = outStates.get(pId)
+        if (ps) predStates.push(ps)
+      }
+      inState = mergeStates(predStates)
+    }
+
+    // Apply transfer function
+    const newOutState = applyTransfer(cfgNode, inState, sanitizerMap, callContext, filePath, constantMap)
+
+    // Re-inject source seeds: if this node has sources, ensure their taint
+    // survives the transfer function (which only sees predecessor in-state).
+    // Phase 8: clone before mutating — getTaint may return internal Set reference
+    const seeds = sourceSeeds.get(nodeId)
+    if (seeds) {
+      for (const seed of seeds) {
+        if (seed.isDestructuring && seed.defs.size > 0) {
+          for (const defVar of seed.defs) {
+            const existing = new Set(getTaint(newOutState, defVar) ?? [])
+            for (const k of seed.kinds) existing.add(k)
+            setTaint(newOutState, defVar, existing)
+          }
+        } else {
+          const existing = new Set(getTaint(newOutState, seed.variable) ?? [])
+          for (const k of seed.kinds) existing.add(k)
+          setTaint(newOutState, seed.variable, existing)
+
+          if (seed.variable.includes('.')) {
+            const root = seed.variable.split('.')[0]
+            const rootExisting = new Set(getTaint(newOutState, root) ?? [])
+            for (const k of seed.kinds) rootExisting.add(k)
+            setTaint(newOutState, root, rootExisting)
+          }
+        }
+      }
+    }
+
+    // Check if state changed
+    const oldOutState = outStates.get(nodeId)!
+    // Phase 8 (3d): identity check — if applyTransfer returned same ref, no change possible
+    if (newOutState !== oldOutState && !statesEqual(newOutState, oldOutState)) {
+      outStates.set(nodeId, newOutState)
+      // Push all successors to worklist
+      for (const succ of getSuccessors(cfg, nodeId)) {
+        worklist.add(succ)
+      }
+    }
+  }
+
+  if (iterations >= MAX_ITERATIONS) {
+    console.warn(`[taint] Worklist hit iteration limit (${MAX_ITERATIONS}) for ${cfg.functionName} — results may be incomplete`)
+  }
+
+  return outStates
+}
+
+/**
+ * Check sinks for tainted data given computed out-states.
+ * Returns findings for each source→sink pair with matching taint kinds.
+ *
+ * Exported as checkSinksInternal for use by taint-summary.ts (Phase 8).
+ */
+export function checkSinksInternal(
+  cfg: CFG,
+  outStates: Map<number, TaintState>,
+  sinkMappings: SinkMapping[],
+  sourceMappings: SourceMapping[],
+  filePath: string,
+): TaintFinding[] {
+  const findings: TaintFinding[] = []
+
+  for (const { sink, cfgNodeId } of sinkMappings) {
+    // The taint state at the sink is the in-state (merge of predecessor outs)
+    const predIds = getPredecessors(cfg, cfgNodeId)
+    const predStates: TaintState[] = []
+    for (const pId of predIds) {
+      const ps = outStates.get(pId)
+      if (ps) predStates.push(ps)
+    }
+    // Also include the sink node's own out-state predecessor contributions
+    // But more importantly, check the in-state to the sink node
+    const sinkInState = mergeStates(predStates)
+
+    // Also check the out-state of the sink's own node (for cases where
+    // source and sink are in the same statement or sink uses vars from its own node)
+    const sinkOutState = outStates.get(cfgNodeId) ?? new Map()
+
+    // Merge both for maximum coverage
+    const combined = mergeStates([sinkInState, sinkOutState])
+
+    // Find which variables at this sink are tainted with matching kinds
+    const sinkNode = cfg.nodes.get(cfgNodeId)
+    if (!sinkNode) continue
+
+    // Get all variables used by the sink expression
+    const sinkUses = extractSinkUses(sink, sinkNode)
+
+    // Extract field-level accesses from the sink for precise taint checking
+    const sinkFieldAccesses = extractSinkFieldAccesses(sink)
+
+    for (const varName of sinkUses) {
+      // Check if this variable has a field-level access in the sink
+      const fieldAccess = sinkFieldAccesses.get(varName)
+      const varTaint = fieldAccess
+        ? getFieldTaint(combined, varName, fieldAccess)
+        : getTaint(combined, varName)
+      if (!varTaint || varTaint.size === 0) continue
+
+      // Find matching kinds: intersection of variable's taint and sink's vulnerable kinds
+      const matchingKinds = new Set<TaintKind>()
+      for (const k of varTaint) {
+        if (sink.vulnerableToKinds.has(k)) {
+          matchingKinds.add(k)
+        }
+      }
+
+      if (matchingKinds.size === 0) continue
+
+      // Find which source(s) contributed this taint
+      for (const { source } of sourceMappings) {
+        // Check if source's taint kinds overlap with matching kinds
+        const sourceOverlap = new Set<TaintKind>()
+        for (const k of matchingKinds) {
+          if (source.taintKinds.has(k)) sourceOverlap.add(k)
+        }
+        if (sourceOverlap.size === 0) continue
+
+        // Reconstruct path
+        const path = reconstructPath(
+          cfg, outStates, source, sink, varName,
+          sourceMappings, cfgNodeId,
+        )
+
+        findings.push({
+          source,
+          sink,
+          path,
+          matchingKinds: sourceOverlap,
+          functionName: cfg.functionName,
+          filePath,
+        })
+      }
+    }
+  }
+
+  return findings
+}
+
+/**
+ * Propagate taint through a single function's CFG.
+ *
+ * Returns all taint findings (source→sink pairs with matching kinds).
+ * When callContext is provided, calls to imported/local functions are
+ * resolved inter-procedurally.
+ */
+export function propagateFunction(
+  cfg: CFG,
+  sourceMappings: SourceMapping[],
+  sinkMappings: SinkMapping[],
+  sanitizerMap: Map<number, TaintSanitizer[]>,
+  filePath: string,
+  callContext?: CallResolutionContext,
+): TaintFinding[] {
+  // Collect constants for this function scope
+  const constantMap = cfg.functionNode ? collectConstants(cfg.functionNode) : new Map()
+  const outStates = runFixpointInternal(cfg, sourceMappings, sanitizerMap, filePath, callContext, constantMap)
+  const findings = checkSinksInternal(cfg, outStates, sinkMappings, sourceMappings, filePath)
+  return deduplicateFindings(findings)
+}
+
+/**
+ * Extract variables used by a sink expression.
+ * Uses the CFG node's `uses` set plus any identifiers in the sink's AST.
+ *
+ * When `sink.relevantArgNodes` is set (e.g., SSRF sinks), only variables
+ * within those specific argument nodes are collected — taint in other
+ * arguments (like request body) won't trigger the finding.
+ */
+function extractSinkUses(sink: TaintSink, cfgNode: CFGNode): Set<string> {
+  // When the sink specifies relevant arg nodes, ONLY collect vars from those nodes.
+  // This prevents e.g. tainted body data from triggering SSRF (which requires tainted URL).
+  if (sink.relevantArgNodes && sink.relevantArgNodes.length > 0) {
+    const uses = new Set<string>()
+    for (const argNode of sink.relevantArgNodes) {
+      walkAST(argNode, (node) => {
+        if (node.type === 'identifier') {
+          uses.add(node.text)
+        }
+        if (node.type === 'arrow_function' || node.type === 'function_expression') return true
+        return false
+      })
+    }
+    return uses
+  }
+
+  // Default: collect from entire sink expression + CFG node uses
+  const uses = new Set<string>(cfgNode.uses)
+
+  walkAST(sink.node, (node) => {
+    if (node.type === 'identifier') {
+      uses.add(node.text)
+    }
+    if (node.type === 'arrow_function' || node.type === 'function_expression') return true
+    return false
+  })
+
+  return uses
+}
+
+/**
+ * Extract one-level field accesses from a sink expression.
+ * Returns a map of root variable → field name for `obj.field` patterns.
+ * Used for field-sensitive sink checking.
+ */
+function extractSinkFieldAccesses(sink: TaintSink): Map<string, string> {
+  const accesses = new Map<string, string>()
+
+  // Walk the sink's arguments to find member expression patterns
+  walkAST(sink.node, (node) => {
+    if (node.type === 'member_expression') {
+      const obj = node.childForFieldName('object')
+      const prop = node.childForFieldName('property')
+      if (obj?.type === 'identifier' && prop?.type === 'property_identifier') {
+        accesses.set(obj.text, prop.text)
+      }
+    }
+    if (node.type === 'arrow_function' || node.type === 'function_expression') return true
+    return false
+  })
+
+  return accesses
+}
+
+// ============================================================================
+// Path Reconstruction
+// ============================================================================
+
+/**
+ * Reconstruct the path from source to sink via backward slice.
+ */
+function reconstructPath(
+  cfg: CFG,
+  outStates: Map<number, TaintState>,
+  source: TaintSource,
+  sink: TaintSink,
+  sinkVar: string,
+  sourceMappings: SourceMapping[],
+  sinkNodeId: number,
+): TaintStep[] {
+  const steps: TaintStep[] = []
+
+  // Step 1: Sink step
+  const sinkNode = cfg.nodes.get(sinkNodeId)
+  if (sinkNode) {
+    steps.unshift({
+      nodeId: sinkNodeId,
+      line: sink.line,
+      variable: sinkVar,
+      taintKinds: new Set(sink.vulnerableToKinds),
+      description: `SINK ${sink.expression.slice(0, 60)}`,
+      stepType: 'sink',
+    })
+  }
+
+  // Step 2: Walk backward from sink to source
+  const visited = new Set<number>()
+  let currentVar = sinkVar
+  let currentNodeId = sinkNodeId
+
+  for (let depth = 0; depth < 50; depth++) {
+    visited.add(currentNodeId)
+
+    // Check if we've reached a source node
+    const sourceMapping = sourceMappings.find(
+      sm => sm.source === source && sm.cfgNodeId === currentNodeId
+    )
+    if (sourceMapping) break
+
+    // Find a predecessor that has taint for the current variable
+    const predIds = getPredecessors(cfg, currentNodeId)
+    let foundPred = false
+
+    for (const predId of predIds) {
+      if (visited.has(predId)) continue
+
+      const predState = outStates.get(predId)
+      if (!predState) continue
+
+      // Check if this predecessor contributes taint for our variable
+      const predTaint = getTaint(predState, currentVar)
+      if (!predTaint || predTaint.size === 0) continue
+
+      const predNode = cfg.nodes.get(predId)
+      if (!predNode) continue
+
+      // Check if this node defines the variable (it's a propagation step)
+      if (predNode.defs.has(currentVar)) {
+        steps.unshift({
+          nodeId: predId,
+          line: predNode.line,
+          variable: currentVar,
+          taintKinds: new Set(predTaint),
+          description: `ASSIGN ${predNode.label}`,
+          stepType: 'propagation',
+        })
+
+        // Check what variable(s) contributed to this def
+        // Look at the node's uses that are tainted
+        for (const use of predNode.uses) {
+          const useTaint = getTaint(predState, use) // check predecessor's state
+          if (!useTaint || useTaint.size === 0) {
+            // Also check in-state (merge of pred's preds)
+            const predPredIds = getPredecessors(cfg, predId)
+            for (const ppId of predPredIds) {
+              const ppState = outStates.get(ppId)
+              const ppTaint = ppState ? getTaint(ppState, use) : undefined
+              if (ppTaint && ppTaint.size > 0) {
+                currentVar = use
+                break
+              }
+            }
+            if (currentVar !== use) continue
+          } else {
+            currentVar = use
+          }
+          break
+        }
+      }
+
+      currentNodeId = predId
+      foundPred = true
+      break
+    }
+
+    if (!foundPred) break
+  }
+
+  // Step 3: Source step
+  steps.unshift({
+    nodeId: sourceMappings.find(sm => sm.source === source)?.cfgNodeId ?? 0,
+    line: source.line,
+    variable: source.variable,
+    taintKinds: new Set(source.taintKinds),
+    description: `SOURCE ${source.expression.slice(0, 60)}`,
+    stepType: 'source',
+  })
+
+  return steps
+}
+
+// ============================================================================
+// Deduplication
+// ============================================================================
+
+/**
+ * Deduplicate findings: same source line + same sink line + same kinds = one finding.
+ */
+function deduplicateFindings(findings: TaintFinding[]): TaintFinding[] {
+  const seen = new Set<string>()
+  const result: TaintFinding[] = []
+
+  for (const f of findings) {
+    const key = `${f.source.line}:${f.sink.line}:${[...f.matchingKinds].sort().join(',')}`
+    if (seen.has(key)) continue
+    seen.add(key)
+    result.push(f)
+  }
+
+  return result
+}