@oculum/scanner 1.0.13 → 1.0.15

package/dist/taint/propagation.js

@@ -0,0 +1,1576 @@
+"use strict";
+/**
+ * Taint Propagation Engine
+ *
+ * Forward worklist dataflow analysis. Seeds taint at sources, propagates
+ * through CFG to fixpoint, then checks if tainted data reaches sinks
+ * without proper sanitization.
+ *
+ * Algorithm:
+ * 1. Map sources/sinks/sanitizers to CFG nodes via AST containment
+ * 2. Seed source nodes with taint state
+ * 3. Worklist: propagate taint forward through CFG, applying transfer
+ *    functions at each node (assignment, call, destructuring, etc.)
+ * 4. At fixpoint: check each sink node for matching taint kinds
+ * 5. Reconstruct source-to-sink paths via backward slice
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isDescendantOf = isDescendantOf;
+exports.findContainingCFGNode = findContainingCFGNode;
+exports.findContainingCFGNodeFast = findContainingCFGNodeFast;
+exports.buildCFGNodeMap = buildCFGNodeMap;
+exports.mergeStates = mergeStates;
+exports.buildSanitizerMap = buildSanitizerMap;
+exports.resolveCalleeReturnTaint = resolveCalleeReturnTaint;
+exports.applyTransfer = applyTransfer;
+exports.mapSourcesToCFG = mapSourcesToCFG;
+exports.mapSinksToCFG = mapSinksToCFG;
+exports.runFixpointInternal = runFixpointInternal;
+exports.checkSinksInternal = checkSinksInternal;
+exports.propagateFunction = propagateFunction;
+const cfg_builder_1 = require("./cfg-builder");
+const propagation_types_1 = require("./propagation-types");
+const ast_1 = require("../parse/ast");
+const sink_classifier_1 = require("./sink-classifier");
+const sanitizer_registry_1 = require("./sanitizer-registry");
+const call_analysis_1 = require("../detect/ast-rules/helpers/call-analysis");
+const python_helpers_1 = require("../detect/ast-rules/helpers/python-helpers");
+const async_flow_1 = require("./async-flow");
+const constant_propagation_1 = require("./constant-propagation");
+const taint_summary_1 = require("./taint-summary");
+// ============================================================================
+// AST → CFGNode Matching
+// ============================================================================
+/**
+ * Check if `child` is a descendant of (or equal to) `ancestor` in the AST.
+ */
+function isDescendantOf(child, ancestor) {
+    let current = child;
+    while (current) {
+        if (current.id === ancestor.id)
+            return true;
+        current = current.parent;
+    }
+    return false;
+}
+/**
+ * Find the CFG node that contains a given AST node.
+ * Returns the first CFG node whose astNode is an ancestor of (or equal to) the target.
+ */
+function findContainingCFGNode(cfg, astNode) {
+    for (const [, cfgNode] of cfg.nodes) {
+        if (!cfgNode.astNode)
+            continue;
+        if (isDescendantOf(astNode, cfgNode.astNode))
+            return cfgNode;
+    }
+    return null;
+}
+/**
+ * Phase 8 (Part 4): O(D) parent-chain walk using pre-built CFG node map.
+ * Walks up the AST parent chain until a mapped node is found.
+ * D = AST depth (5-15), vs O(N) where N = CFG nodes (50-200).
+ */
+function findContainingCFGNodeFast(cfgNodeMap, astNode) {
+    let current = astNode;
+    while (current) {
+        const cfgNode = cfgNodeMap.get(current.id);
+        if (cfgNode)
+            return cfgNode;
+        current = current.parent;
+    }
+    return null;
+}
+/**
+ * Build a map from AST node ID → CFGNode for all nodes in a CFG.
+ */
+function buildCFGNodeMap(cfg) {
+    const map = new Map();
+    for (const [, cfgNode] of cfg.nodes) {
+        if (cfgNode.astNode) {
+            map.set(cfgNode.astNode.id, cfgNode);
+        }
+    }
+    return map;
+}
+// ============================================================================
+// Taint State Helpers
+// ============================================================================
+/** Clone a TaintState (deep copy of field maps and sets). */
+function cloneState(state) {
+    const clone = new Map();
+    for (const [varName, fieldMap] of state) {
+        const clonedFieldMap = new Map();
+        for (const [field, kinds] of fieldMap) {
+            clonedFieldMap.set(field, new Set(kinds));
+        }
+        clone.set(varName, clonedFieldMap);
+    }
+    return clone;
+}
+/** Merge multiple predecessor out-states into one in-state (union). */
+function mergeStates(states) {
+    const merged = new Map();
+    for (const state of states) {
+        for (const [varName, fieldMap] of state) {
+            let existingFieldMap = merged.get(varName);
+            if (!existingFieldMap) {
+                existingFieldMap = new Map();
+                merged.set(varName, existingFieldMap);
+            }
+            for (const [field, kinds] of fieldMap) {
+                const existingKinds = existingFieldMap.get(field);
+                if (existingKinds) {
+                    for (const k of kinds)
+                        existingKinds.add(k);
+                }
+                else {
+                    existingFieldMap.set(field, new Set(kinds));
+                }
+            }
+        }
+    }
+    return merged;
+}
+/** Check if two TaintStates are equal. */
+function statesEqual(a, b) {
+    // Phase 8 (3c): identity fast path — catches cases where applyTransfer returned same ref
+    if (a === b)
+        return true;
+    if (a.size !== b.size)
+        return false;
+    for (const [varName, aFieldMap] of a) {
+        const bFieldMap = b.get(varName);
+        if (!bFieldMap)
+            return false;
+        if (aFieldMap.size !== bFieldMap.size)
+            return false;
+        for (const [field, aKinds] of aFieldMap) {
+            const bKinds = bFieldMap.get(field);
+            if (!bKinds)
+                return false;
+            if (aKinds.size !== bKinds.size)
+                return false;
+            for (const k of aKinds) {
+                if (!bKinds.has(k))
+                    return false;
+            }
+        }
+    }
+    return true;
+}
+/** Collect taint from a set of used variables in the current state. */
+function collectUseTaint(uses, state) {
+    const result = new Set();
+    for (const u of uses) {
+        const kinds = (0, propagation_types_1.getTaint)(state, u);
+        if (kinds) {
+            for (const k of kinds)
+                result.add(k);
+        }
+    }
+    return result;
+}
+/**
+ * Build a map from CFG node ID → sanitizers active in that node.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+function buildSanitizerMap(cfg, sanitizers, cfgNodeMap) {
+    const map = new Map();
+    for (const s of sanitizers) {
+        const cfgNode = cfgNodeMap
+            ? findContainingCFGNodeFast(cfgNodeMap, s.node)
+            : findContainingCFGNode(cfg, s.node);
+        if (!cfgNode)
+            continue;
+        const existing = map.get(cfgNode.id);
+        if (existing) {
+            existing.push(s);
+        }
+        else {
+            map.set(cfgNode.id, [s]);
+        }
+    }
+    return map;
+}
+// ============================================================================
+// Expression-level Transfer Function
+// ============================================================================
+/**
+ * Resolve taint for the RHS of an assignment by walking its AST.
+ *
+ * Returns the set of taint kinds that the RHS expression carries,
+ * considering sanitizer calls and optionally cross-file call resolution.
+ */
+function resolveExpressionTaint(exprNode, inState, sanitizers, callContext, callerFile) {
+    const result = new Set();
+    // Literal values: no taint
+    if (isLiteral(exprNode))
+        return result;
+    // Identifier: look up in state
+    if (exprNode.type === 'identifier') {
+        const kinds = (0, propagation_types_1.getTaint)(inState, exprNode.text);
+        if (kinds)
+            for (const k of kinds)
+                result.add(k);
+        return result;
+    }
+    // Helper: shorthand for recursive calls with context forwarding
+    const resolve = (node) => resolveExpressionTaint(node, inState, sanitizers, callContext, callerFile);
+    // Await: taint propagates through (Python: 'await', JS: 'await_expression')
+    if (exprNode.type === 'await_expression' || exprNode.type === 'await') {
+        const inner = exprNode.namedChildren[0];
+        if (inner) {
+            const innerTaint = resolve(inner);
+            for (const k of innerTaint)
+                result.add(k);
+        }
+        return result;
+    }
+    // Parenthesized: pass through
+    if (exprNode.type === 'parenthesized_expression') {
+        const inner = exprNode.namedChildren[0];
+        if (inner) {
+            const innerTaint = resolve(inner);
+            for (const k of innerTaint)
+                result.add(k);
+        }
+        return result;
+    }
+    // Call expression: check sanitizers, then cross-file resolution, then conservative
+    // Python: 'call', JS: 'call_expression'
+    if (exprNode.type === 'call_expression' || exprNode.type === 'call') {
+        return resolveCallTaint(exprNode, inState, sanitizers, callContext, callerFile);
+    }
+    // New expression: union of arg taint
+    if (exprNode.type === 'new_expression') {
+        const args = exprNode.childForFieldName('arguments');
+        if (args) {
+            for (const arg of args.namedChildren) {
+                const argTaint = resolve(arg);
+                for (const k of argTaint)
+                    result.add(k);
+            }
+        }
+        return result;
+    }
+    // Binary expression / template literal: union of both sides
+    // Python: 'binary_operator', JS: 'binary_expression'
+    if (exprNode.type === 'binary_expression' || exprNode.type === 'binary_operator') {
+        const left = exprNode.childForFieldName('left');
+        const right = exprNode.childForFieldName('right');
+        if (left) {
+            const lt = resolve(left);
+            for (const k of lt)
+                result.add(k);
+        }
+        if (right) {
+            const rt = resolve(right);
+            for (const k of rt)
+                result.add(k);
+        }
+        return result;
+    }
+    // Python boolean/comparison operators: walk children for taint
+    if (exprNode.type === 'boolean_operator' || exprNode.type === 'comparison_operator' ||
+        exprNode.type === 'not_operator') {
+        for (const child of exprNode.namedChildren) {
+            const ct = resolve(child);
+            for (const k of ct)
+                result.add(k);
+        }
+        return result;
+    }
+    // Python f-string: string node with interpolation children
+    // Must check BEFORE the fallback walkAST to properly handle f-string taint
+    if (exprNode.type === 'string' && exprNode.descendantsOfType('interpolation').length > 0) {
+        for (const interp of exprNode.descendantsOfType('interpolation')) {
+            for (const child of interp.namedChildren) {
+                const childTaint = resolve(child);
+                for (const k of childTaint)
+                    result.add(k);
+            }
+        }
+        return result;
+    }
+    // Python concatenated_string: "foo" + "bar" or "a" "b" style
+    if (exprNode.type === 'concatenated_string') {
+        for (const child of exprNode.namedChildren) {
+            const ct = resolve(child);
+            for (const k of ct)
+                result.add(k);
+        }
+        return result;
+    }
+    // Template string: union of all substitutions
+    if (exprNode.type === 'template_string') {
+        const subs = exprNode.descendantsOfType('template_substitution');
+        for (const sub of subs) {
+            for (const child of sub.namedChildren) {
+                const childTaint = resolve(child);
+                for (const k of childTaint)
+                    result.add(k);
+            }
+        }
+        return result;
+    }
+    // Member expression: field-aware taint resolution
+    // Python: 'attribute' + 'subscript', JS: 'member_expression' + 'subscript_expression'
+    if (exprNode.type === 'member_expression' || exprNode.type === 'subscript_expression' ||
+        exprNode.type === 'attribute' || exprNode.type === 'subscript') {
+        const obj = exprNode.childForFieldName('object')
+            ?? exprNode.childForFieldName('value'); // Python subscript uses 'value' field
+        if (obj) {
+            // Try field-specific taint: obj.field → getFieldTaint(state, "obj", "field")
+            if ((exprNode.type === 'member_expression' || exprNode.type === 'attribute') && obj.type === 'identifier') {
+                const prop = exprNode.type === 'attribute'
+                    ? exprNode.childForFieldName('attribute')
+                    : exprNode.childForFieldName('property');
+                if (prop && (prop.type === 'property_identifier' || prop.type === 'identifier')) {
+                    const fieldTaint = (0, propagation_types_1.getFieldTaint)(inState, obj.text, prop.text);
+                    if (fieldTaint)
+                        for (const k of fieldTaint)
+                            result.add(k);
+                    return result;
+                }
+            }
+            // Computed/dynamic access or deep chain: fall back to whole-object taint
+            const objTaint = resolve(obj);
+            for (const k of objTaint)
+                result.add(k);
+        }
+        // Computed index may also carry taint
+        if (exprNode.type === 'subscript_expression' || exprNode.type === 'subscript') {
+            const index = exprNode.childForFieldName('index')
+                ?? exprNode.childForFieldName('subscript'); // Python subscript field name
+            if (index) {
+                const idxTaint = resolve(index);
+                for (const k of idxTaint)
+                    result.add(k);
+            }
+        }
+        return result;
+    }
+    // Spread element
+    if (exprNode.type === 'spread_element') {
+        const inner = exprNode.namedChildren[0];
+        if (inner) {
+            const innerTaint = resolve(inner);
+            for (const k of innerTaint)
+                result.add(k);
+        }
+        return result;
+    }
+    // Object literal: union of all value taint (whole-object view for backward compat)
+    if (exprNode.type === 'object') {
+        for (const child of exprNode.namedChildren) {
+            if (child.type === 'pair') {
+                const value = child.childForFieldName('value');
+                if (value) {
+                    const vt = resolve(value);
+                    for (const k of vt)
+                        result.add(k);
+                }
+            }
+            else if (child.type === 'shorthand_property_identifier') {
+                const kinds = (0, propagation_types_1.getTaint)(inState, child.text);
+                if (kinds)
+                    for (const k of kinds)
+                        result.add(k);
+            }
+            else if (child.type === 'spread_element') {
+                const inner = child.namedChildren[0];
+                if (inner) {
+                    const innerTaint = resolve(inner);
+                    for (const k of innerTaint)
+                        result.add(k);
+                }
+            }
+        }
+        return result;
+    }
+    // Array literal / Python list/tuple: union of all element taint
+    if (exprNode.type === 'array' || exprNode.type === 'list' || exprNode.type === 'tuple') {
+        for (const child of exprNode.namedChildren) {
+            const ct = resolve(child);
+            for (const k of ct)
+                result.add(k);
+        }
+        return result;
+    }
+    // Python dictionary: union of all value taint
+    if (exprNode.type === 'dictionary') {
+        for (const child of exprNode.namedChildren) {
+            if (child.type === 'pair') {
+                const value = child.childForFieldName('value');
+                if (value) {
+                    const vt = resolve(value);
+                    for (const k of vt)
+                        result.add(k);
+                }
+            }
+            else {
+                const ct = resolve(child);
+                for (const k of ct)
+                    result.add(k);
+            }
+        }
+        return result;
+    }
+    // Ternary: union of both branches (conservative)
+    // Python: 'conditional_expression', JS: 'ternary_expression'
+    if (exprNode.type === 'ternary_expression' || exprNode.type === 'conditional_expression') {
+        for (const child of exprNode.namedChildren) {
+            const ct = resolve(child);
+            for (const k of ct)
+                result.add(k);
+        }
+        return result;
+    }
+    // Unary expression: propagate from operand
+    // Python: 'unary_operator', JS: 'unary_expression'
+    if (exprNode.type === 'unary_expression' || exprNode.type === 'unary_operator') {
+        const arg = exprNode.namedChildren[0];
+        if (arg) {
+            const at = resolve(arg);
+            for (const k of at)
+                result.add(k);
+        }
+        return result;
+    }
+    // Python keyword_argument: extract taint from value
+    if (exprNode.type === 'keyword_argument') {
+        const value = exprNode.childForFieldName('value');
+        if (value) {
+            const vt = resolve(value);
+            for (const k of vt)
+                result.add(k);
+        }
+        return result;
+    }
+    // Type assertion / as expression: propagate through
+    if (exprNode.type === 'as_expression' || exprNode.type === 'type_assertion' ||
+        exprNode.type === 'non_null_expression' || exprNode.type === 'satisfies_expression') {
+        const inner = exprNode.namedChildren[0];
+        if (inner) {
+            const innerTaint = resolve(inner);
+            for (const k of innerTaint)
+                result.add(k);
+        }
+        return result;
+    }
+    // Fallback: conservatively collect taint from all identifiers in the expression
+    (0, ast_1.walkAST)(exprNode, (node) => {
+        if (node.type === 'identifier') {
+            const kinds = (0, propagation_types_1.getTaint)(inState, node.text);
+            if (kinds)
+                for (const k of kinds)
+                    result.add(k);
+        }
+        // Don't descend into nested function expressions
+        if (node.type === 'arrow_function' || node.type === 'function_expression' ||
+            node.type === 'function_definition' || node.type === 'lambda')
+            return true;
+        return false;
+    });
+    return result;
+}
+/**
+ * Resolve taint for a call expression, checking sanitizers and cross-file callees.
+ */
+function resolveCallTaint(callNode, inState, sanitizers, callContext, callerFile) {
+    const result = new Set();
+    const resolve = (node) => resolveExpressionTaint(node, inState, sanitizers, callContext, callerFile);
+    // First, collect taint from all arguments (and per-argument taint for cross-file)
+    const argsNode = callNode.childForFieldName('arguments');
+    const argTaint = new Set();
+    const perArgTaint = [];
+    if (argsNode) {
+        for (const arg of argsNode.namedChildren) {
+            const at = resolve(arg);
+            perArgTaint.push(at);
+            for (const k of at)
+                argTaint.add(k);
+        }
+    }
+    // Also get taint from the callee (for method chains: tainted.toString())
+    // Python: 'attribute', JS: 'member_expression'
+    const fnNode = callNode.childForFieldName('function');
+    if (fnNode?.type === 'member_expression' || fnNode?.type === 'attribute') {
+        const obj = fnNode.childForFieldName('object');
+        if (obj) {
+            const objTaint = resolve(obj);
+            for (const k of objTaint)
+                argTaint.add(k);
+        }
+    }
+    // Check if this call is a sanitizer
+    const matchingSanitizer = findMatchingSanitizer(callNode, sanitizers);
+    if (matchingSanitizer) {
+        // Sanitizer: result = argTaint minus clearsKinds
+        for (const k of argTaint) {
+            if (!matchingSanitizer.clearsKinds.has(k)) {
+                result.add(k);
+            }
+        }
+        return result;
+    }
+    // Cross-file / inter-procedural resolution
+    if (callContext && callerFile && argTaint.size > 0) {
+        const calleeResult = resolveCalleeReturnTaint(callNode, perArgTaint, callContext, callerFile);
+        if (calleeResult !== null) {
+            return calleeResult.returnTaint;
+        }
+    }
+    // Not a sanitizer, not cross-file resolved: conservatively propagate all arg taint
+    return argTaint;
+}
+// ============================================================================
+// Cross-File Call Resolution
+// ============================================================================
+/**
+ * Resolve the return taint from following a call into another function/file.
+ *
+ * 1. Resolve call target name
+ * 2. Look up in CrossFileIndex (resolveImport or functionDefs)
+ * 3. If found and not in callStack (recursion guard):
+ *    a. Parse callee file's AST, build CFG
+ *    b. Create synthetic sources from argument taint → parameter names
+ *    c. Run propagation on callee's CFG
+ *    d. Collect return-value taint from return statements
+ * 4. Return the taint kinds flowing out + path steps
+ */
+function resolveCalleeReturnTaint(callNode, perArgTaint, ctx, callerFile) {
+    // Resolve the call target (try JS first, then Python fallback)
+    let resolved = (0, call_analysis_1.resolveCallTarget)(callNode);
+    if (!resolved) {
+        const pyResolved = (0, python_helpers_1.resolvePythonCallTarget)(callNode);
+        if (pyResolved) {
+            resolved = { type: pyResolved.type, name: pyResolved.name, object: pyResolved.object };
+        }
+    }
+    if (!resolved)
+        return null;
+    const { crossFileIndex, allASTs, callStack, maxDepth } = ctx;
+    // Try to find the function definition
+    let funcDef = crossFileIndex.resolveImport.get(`${callerFile}:${resolved.name}`);
+    // Also try namespace.method pattern
+    if (!funcDef && resolved.type === 'member' && resolved.object) {
+        funcDef = crossFileIndex.resolveImport.get(`${callerFile}:${resolved.object}.${resolved.name}`);
+    }
+    // Also try local function
+    if (!funcDef) {
+        funcDef = crossFileIndex.functionDefs.get(`${callerFile}:${resolved.name}`);
+    }
+    if (!funcDef)
+        return null;
+    // Recursion guard
+    const callKey = `${funcDef.filePath}:${funcDef.functionName}`;
+    if (callStack.has(callKey))
+        return null;
+    if (callStack.size >= maxDepth)
+        return null;
+    // Check cache
+    const taintSig = perArgTaint.map(s => [...s].sort().join(',')).join('|');
+    const cacheKey = `${callKey}:${taintSig}`;
+    if (ctx.resultCache.has(cacheKey)) {
+        return ctx.resultCache.get(cacheKey);
+    }
+    // Phase 8: Try summary-based composition first (much faster than full analysis)
+    if (ctx.summaryCache && ctx.analysisCache) {
+        const summary = (0, taint_summary_1.getOrBuildSummary)(funcDef, ctx);
+        if (summary) {
+            const result = (0, taint_summary_1.composeSummary)(summary, perArgTaint, callerFile, callNode);
+            ctx.resultCache.set(cacheKey, result.returnTaint.size > 0 || result.calleeFindings.length > 0 ? result : null);
+            return result.returnTaint.size > 0 || result.calleeFindings.length > 0 ? result : null;
+        }
+    }
+    // Get callee AST
+    const calleeAST = allASTs.get(funcDef.filePath);
+    if (!calleeAST) {
+        ctx.resultCache.set(cacheKey, null);
+        return null;
+    }
+    // Phase 8: Use analysis cache if available, otherwise recompute
+    const fileCache = ctx.analysisCache?.get(funcDef.filePath);
+    const calleeCFGs = fileCache?.cfgs ?? (0, cfg_builder_1.buildFileCFGs)(calleeAST);
+    // Find the specific function's CFG
+    let calleeCFG;
+    for (const [name, cfg] of calleeCFGs) {
+        if (name === funcDef.functionName) {
+            calleeCFG = cfg;
+            break;
+        }
+    }
+    if (!calleeCFG) {
+        ctx.resultCache.set(cacheKey, null);
+        return null;
+    }
+    // Create synthetic sources from argument taint → parameter names
+    const syntheticSources = [];
+    for (let i = 0; i < funcDef.params.length && i < perArgTaint.length; i++) {
+        const paramTaint = perArgTaint[i];
+        if (paramTaint.size === 0)
+            continue;
+        // Find the parameter's AST node in the callee function
+        const paramNode = findParamNode(funcDef.astNode, funcDef.params[i]);
+        if (!paramNode)
+            continue;
+        syntheticSources.push({
+            node: paramNode,
+            line: paramNode.startPosition.row + 1,
+            variable: funcDef.params[i],
+            expression: `${funcDef.functionName}(${funcDef.params[i]})`,
+            sourceType: 'external_api', // synthetic source
+            taintKinds: new Set(paramTaint),
+            confidence: 'high',
+        });
+    }
+    if (syntheticSources.length === 0) {
+        ctx.resultCache.set(cacheKey, null);
+        return null;
+    }
+    // Phase 8: Get sinks and sanitizers from cache or recompute
+    const calleeSinks = fileCache?.sinks ?? (0, sink_classifier_1.classifySinks)(calleeAST);
+    const calleeSanitizers = fileCache?.sanitizers ?? (0, sanitizer_registry_1.buildSanitizerRegistry)(calleeAST);
+    // Map synthetic parameter sources to the CFG entry node.
+    // Parameters aren't inside any statement node, so mapSourcesToCFG would fail.
+    // Instead, seed them at the entry node — parameters are defined at function entry.
+    let entryNodeId = -1;
+    for (const [id, node] of calleeCFG.nodes) {
+        if (node.kind === 'entry') {
+            entryNodeId = id;
+            break;
+        }
+    }
+    if (entryNodeId === -1) {
+        ctx.resultCache.set(cacheKey, null);
+        return null;
+    }
+    const sourceMappings = syntheticSources.map(source => ({
+        source,
+        cfgNodeId: entryNodeId,
+    }));
+    // Phase 8 (Part 4): use cached CFG node map for O(D) lookup
+    const calleeCFGNodeMap = fileCache?.cfgNodeMaps.get(funcDef.functionName);
+    const sinkMappings = mapSinksToCFG(calleeCFG, calleeSinks, calleeCFGNodeMap);
+    const sanitizerMap = buildSanitizerMap(calleeCFG, calleeSanitizers, calleeCFGNodeMap);
+    // Push to call stack
+    callStack.add(callKey);
+    // Create child context for deeper calls
+    const childContext = {
+        ...ctx,
+        callStack: new Set(callStack),
+    };
+    // Run fixpoint ONCE — used for both callee findings and return taint
+    const calleeConstants = calleeCFG.functionNode ? (0, constant_propagation_1.collectConstants)(calleeCFG.functionNode) : new Map();
+    const outStates = runFixpointInternal(calleeCFG, sourceMappings, sanitizerMap, funcDef.filePath, childContext, calleeConstants);
+    const calleeFindings = deduplicateFindings(checkSinksInternal(calleeCFG, outStates, sinkMappings, sourceMappings, funcDef.filePath));
+    // Pop from call stack
+    callStack.delete(callKey);
+    // Extract return-value taint from the already-computed out-states
+    const returnTaint = extractReturnTaint(calleeCFG, outStates, calleeSanitizers, childContext, funcDef.filePath);
+    // Build path steps
+    const steps = [
+        {
+            nodeId: 0,
+            line: callNode.startPosition.row + 1,
+            variable: funcDef.functionName,
+            taintKinds: new Set(returnTaint),
+            description: `CALL_ENTRY ${funcDef.functionName}() in ${funcDef.filePath}`,
+            stepType: 'call_entry',
+            filePath: funcDef.filePath,
+            functionName: funcDef.functionName,
+        },
+        {
+            nodeId: 0,
+            line: callNode.startPosition.row + 1,
+            variable: funcDef.functionName,
+            taintKinds: new Set(returnTaint),
+            description: `CALL_RETURN ${funcDef.functionName}() → ${[...returnTaint].join(',')}`,
+            stepType: 'call_return',
+            filePath: callerFile,
+            functionName: funcDef.functionName,
+        },
+    ];
+    const calleeResult = {
+        returnTaint,
+        steps,
+        calleeFindings,
+    };
+    ctx.resultCache.set(cacheKey, calleeResult);
+    return calleeResult;
+}
+/**
+ * Extract taint kinds from return statements using pre-computed out-states.
+ * Walks all return statements in the CFG and resolves expression taint.
+ */
+function extractReturnTaint(cfg, outStates, sanitizers, callContext, filePath) {
+    const returnTaint = new Set();
+    for (const [, cfgNode] of cfg.nodes) {
+        if (!cfgNode.astNode)
+            continue;
+        const ast = cfgNode.astNode;
+        if (ast.type !== 'return_statement')
+            continue;
+        const returnExpr = ast.namedChildren[0];
+        if (!returnExpr)
+            continue;
+        // Get the taint state at this node: merge predecessors + own out-state
+        const predIds = (0, cfg_builder_1.getPredecessors)(cfg, cfgNode.id);
+        const predStates = [];
+        for (const pId of predIds) {
+            const ps = outStates.get(pId);
+            if (ps)
+                predStates.push(ps);
+        }
+        const nodeInState = mergeStates(predStates);
+        const nodeState = mergeStates([nodeInState, outStates.get(cfgNode.id) ?? new Map()]);
+        const exprTaint = resolveExpressionTaint(returnExpr, nodeState, sanitizers, callContext, filePath);
+        for (const k of exprTaint)
+            returnTaint.add(k);
+    }
+    return returnTaint;
+}
+/** Find a parameter's AST node in a function definition. */
+function findParamNode(fnNode, paramName) {
+    const params = fnNode.childForFieldName('parameters');
+    if (!params)
+        return null;
+    for (const child of params.namedChildren) {
+        if (child.type === 'identifier' && child.text === paramName)
+            return child;
+        // JS/TS param types
+        if (child.type === 'required_parameter' || child.type === 'optional_parameter') {
+            const pattern = child.childForFieldName('pattern');
+            if (pattern?.type === 'identifier' && pattern.text === paramName)
+                return pattern;
+        }
+        if (child.type === 'assignment_pattern') {
+            const left = child.childForFieldName('left');
+            if (left?.type === 'identifier' && left.text === paramName)
+                return left;
+        }
+        // Python param types
+        if (child.type === 'typed_parameter' || child.type === 'default_parameter' ||
+            child.type === 'typed_default_parameter') {
+            const nameNode = child.namedChildren.find(c => c.type === 'identifier');
+            if (nameNode && nameNode.text === paramName)
+                return nameNode;
+        }
+        if (child.type === 'list_splat_pattern' || child.type === 'dictionary_splat_pattern') {
+            const ident = child.namedChildren.find(c => c.type === 'identifier');
+            if (ident && ident.text === paramName)
+                return ident;
+        }
+    }
+    // Fallback: search for identifier in params subtree
+    let found = null;
+    (0, ast_1.walkAST)(params, (node) => {
+        if (node.type === 'identifier' && node.text === paramName && !found) {
+            found = node;
+            return true;
+        }
+        return false;
+    });
+    return found;
+}
+/**
+ * Find a sanitizer whose AST node matches this call expression.
+ */
+function findMatchingSanitizer(callNode, sanitizers) {
+    for (const s of sanitizers) {
+        if (s.node.id === callNode.id)
+            return s;
+        // Also check if the sanitizer's node is a parent/ancestor of this call
+        if (isDescendantOf(callNode, s.node))
+            return s;
+    }
+    return null;
+}
+/** Check if a node represents a literal value (no taint). */
+function isLiteral(node) {
+    switch (node.type) {
+        case 'string':
+            // Python f-strings have type 'string' but contain interpolation children — NOT a literal
+            if (node.descendantsOfType('interpolation').length > 0)
+                return false;
+            return true;
+        case 'number':
+        case 'true':
+        case 'false':
+        case 'null':
+        case 'undefined':
+        case 'regex':
+        // Python literals
+        case 'integer':
+        case 'float':
+        case 'none':
+            return true;
+        default:
+            return false;
+    }
+}
+// ============================================================================
+// Statement-level Transfer Function
+// ============================================================================
+/**
+ * Apply the transfer function for a single CFG node.
+ * Given the incoming taint state, compute the outgoing taint state.
+ */
+function applyTransfer(cfgNode, inState, sanitizerMap, callContext, callerFile, constantMap) {
+    // Phase 8 (3b): skip clone for no-op nodes — entry, exit, and nodes without AST
+    if (!cfgNode.astNode)
+        return inState;
+    if (cfgNode.kind === 'entry' || cfgNode.kind === 'exit')
+        return inState;
+    // Phase 8 (3b): condition nodes with no defs and no sanitizers are read-only
+    if (cfgNode.kind === 'condition' && cfgNode.defs.size === 0) {
+        const hasSanitizers = sanitizerMap.has(cfgNode.id);
+        if (!hasSanitizers)
+            return inState;
+    }
+    const outState = cloneState(inState);
+    const sanitizers = sanitizerMap.get(cfgNode.id) ?? [];
+    const ast = cfgNode.astNode;
+    applyNodeTransfer(ast, outState, sanitizers, callContext, callerFile, constantMap);
+    return outState;
+}
+/**
+ * Recursively apply transfer for an AST node within a CFG statement.
+ */
+function applyNodeTransfer(node, state, sanitizers, callContext, callerFile, constantMap) {
+    // Helper for expression taint resolution with context forwarding
+    const resolve = (expr) => resolveExpressionTaint(expr, state, sanitizers, callContext, callerFile);
+    // Variable declaration: const x = <expr>
+    if (node.type === 'lexical_declaration' || node.type === 'variable_declaration') {
+        for (const child of node.namedChildren) {
+            applyNodeTransfer(child, state, sanitizers, callContext, callerFile, constantMap);
+        }
+        return;
+    }
+    if (node.type === 'variable_declarator') {
+        const nameNode = node.childForFieldName('name');
+        const valueNode = node.childForFieldName('value');
+        if (!nameNode || !valueNode)
+            return;
+        if (nameNode.type === 'identifier') {
+            // Constant propagation: if RHS is entirely constant-derived, clear taint
+            if (constantMap && (0, constant_propagation_1.isConstantExpression)(valueNode, constantMap)) {
+                (0, propagation_types_1.deleteTaint)(state, nameNode.text);
+                return;
+            }
+            // Simple: const x = expr
+            const rhsTaint = resolve(valueNode);
+            if (rhsTaint.size > 0) {
+                (0, propagation_types_1.setTaint)(state, nameNode.text, rhsTaint);
+            }
+            else {
+                (0, propagation_types_1.deleteTaint)(state, nameNode.text);
+            }
+        }
+        else if (nameNode.type === 'object_pattern' || nameNode.type === 'array_pattern') {
+            // Destructuring: const { a, b } = expr
+            const rhsTaint = resolve(valueNode);
+            const rhsVarName = valueNode.type === 'identifier' ? valueNode.text
+                : (valueNode.type === 'member_expression' ? getMemberRoot(valueNode) : null);
+            applyDestructuringTaint(nameNode, rhsTaint, state, rhsVarName ?? undefined);
+        }
+        return;
+    }
+    // Assignment: x = expr
+    // Python: 'assignment', JS: 'assignment_expression'
+    if (node.type === 'assignment_expression' || node.type === 'assignment') {
+        const left = node.childForFieldName('left');
+        const right = node.childForFieldName('right');
+        if (!left || !right)
+            return;
+        if (left.type === 'identifier') {
+            // Constant propagation: if RHS is entirely constant-derived, clear taint
+            if (constantMap && (0, constant_propagation_1.isConstantExpression)(right, constantMap)) {
+                (0, propagation_types_1.deleteTaint)(state, left.text);
+                return;
+            }
+            const rhsTaint = resolve(right);
+            if (rhsTaint.size > 0) {
+                (0, propagation_types_1.setTaint)(state, left.text, rhsTaint);
+            }
+            else {
+                (0, propagation_types_1.deleteTaint)(state, left.text);
+            }
+        }
+        else if (left.type === 'object_pattern' || left.type === 'array_pattern' ||
+            left.type === 'tuple_pattern' || left.type === 'list_pattern' ||
+            left.type === 'pattern_list' || left.type === 'tuple' || left.type === 'list') {
+            // Destructuring / Python unpacking: a, b = expr
+            const rhsTaint = resolve(right);
+            const rhsVarName = right.type === 'identifier' ? right.text
+                : (right.type === 'member_expression' || right.type === 'attribute' ? getMemberRoot(right) : null);
+            applyDestructuringTaint(left, rhsTaint, state, rhsVarName ?? undefined);
+        }
+        else if (left.type === 'member_expression' || left.type === 'attribute') {
+            // obj.prop = val — field-level taint
+            // Python: 'attribute' with fields 'object'/'attribute', JS: 'member_expression' with 'object'/'property'
+            const obj = left.childForFieldName('object');
+            const prop = left.type === 'attribute'
+                ? left.childForFieldName('attribute')
+                : left.childForFieldName('property');
+            if (obj?.type === 'identifier' && prop && (prop.type === 'property_identifier' || prop.type === 'identifier')) {
+                // One-level field assignment: obj.field = val
+                const rhsTaint = resolve(right);
+                if (rhsTaint.size > 0) {
+                    (0, propagation_types_1.setFieldTaint)(state, obj.text, prop.text, rhsTaint);
+                }
+            }
+            else {
+                // Deep chain or computed: fall back to root object taint
+                const root = getMemberRoot(left);
+                if (root) {
+                    const rhsTaint = resolve(right);
+                    // Phase 8: clone before mutating — getTaint may return internal Set reference
+                    const existing = new Set((0, propagation_types_1.getTaint)(state, root) ?? []);
+                    for (const k of rhsTaint)
+                        existing.add(k);
+                    if (existing.size > 0)
+                        (0, propagation_types_1.setTaint)(state, root, existing);
+                }
+            }
+        }
+        return;
+    }
+    // Augmented assignment: x += expr
+    // Python: 'augmented_assignment', JS: 'augmented_assignment_expression'
+    if (node.type === 'augmented_assignment_expression' || node.type === 'augmented_assignment') {
+        const left = node.childForFieldName('left');
+        const right = node.childForFieldName('right');
+        if (!left || !right)
+            return;
+        if (left.type === 'identifier') {
+            const rhsTaint = resolve(right);
+            // Phase 8: clone before mutating — getTaint may return internal Set reference
+            const existing = new Set((0, propagation_types_1.getTaint)(state, left.text) ?? []);
+            for (const k of rhsTaint)
+                existing.add(k);
+            if (existing.size > 0)
+                (0, propagation_types_1.setTaint)(state, left.text, existing);
+        }
+        return;
+    }
+    // Expression statement: unwrap the inner expression
+    if (node.type === 'expression_statement') {
+        for (const child of node.namedChildren) {
+            applyNodeTransfer(child, state, sanitizers, callContext, callerFile, constantMap);
+        }
+        return;
+    }
+    // For-in header: captures iteration variable taint from the right side
+    if (node.type === 'for_in_statement') {
+        const left = node.childForFieldName('left');
+        const right = node.childForFieldName('right');
+        if (left && right) {
+            const rhsTaint = resolve(right);
+            if (left.type === 'identifier') {
+                if (rhsTaint.size > 0)
+                    (0, propagation_types_1.setTaint)(state, left.text, rhsTaint);
+            }
+            else {
+                // Destructuring in for-of/for-in
+                applyDestructuringTaint(left, rhsTaint, state);
+            }
+        }
+        return;
+    }
+    // Python for loop with left/right fields: for x in iterable
+    if (node.type === 'for_statement') {
+        const left = node.childForFieldName('left');
+        const right = node.childForFieldName('right');
+        if (left && right) {
+            const rhsTaint = resolve(right);
+            if (left.type === 'identifier') {
+                if (rhsTaint.size > 0)
+                    (0, propagation_types_1.setTaint)(state, left.text, rhsTaint);
+            }
+            else {
+                applyDestructuringTaint(left, rhsTaint, state);
+            }
+        }
+        return;
+    }
+    // Python with statement: with expr as var
+    if (node.type === 'with_statement') {
+        // The with_clause may contain 'as_pattern' nodes: expr as name
+        for (const child of node.namedChildren) {
+            if (child.type === 'with_clause') {
+                for (const item of child.namedChildren) {
+                    if (item.type === 'with_item' || item.type === 'as_pattern') {
+                        const expr = item.namedChildren[0];
+                        const alias = item.namedChildren[1];
+                        if (expr && alias?.type === 'identifier') {
+                            const exprTaint = resolve(expr);
+                            if (exprTaint.size > 0)
+                                (0, propagation_types_1.setTaint)(state, alias.text, exprTaint);
+                        }
+                    }
+                }
+            }
+        }
+        return;
+    }
+    // Standalone call expression: trigger expression resolution so cross-file
+    // analysis discovers callee findings (sinks reached inside the called function).
+    // Without this, standalone calls like `query(input)` would be silently ignored.
+    // Python: 'call', JS: 'call_expression'
+    if (node.type === 'call_expression' || node.type === 'call') {
+        // Inject taint into callback parameters for promise chains and callback APIs.
+        // This must happen BEFORE resolve() so the taint state is available when
+        // analyzing the callback body's expressions.
+        (0, async_flow_1.injectPromiseChainTaint)(node, state);
+        (0, async_flow_1.injectCallbackTaint)(node, state);
+        resolve(node);
+        return;
+    }
+    // Return / throw: no defs, but the expression is "used"
+    // (no state changes needed — uses are tracked by def-use)
+}
+/**
+ * Apply taint from a destructuring pattern.
+ * When rhsVarName is provided and object_pattern is used, field-specific
+ * taint is extracted per destructured key. Otherwise falls back to whole-object taint.
+ */
+function applyDestructuringTaint(pattern, rhsTaint, state, rhsVarName) {
+    if (rhsTaint.size === 0)
+        return;
+    if (pattern.type === 'identifier') {
+        (0, propagation_types_1.setTaint)(state, pattern.text, new Set(rhsTaint));
+        return;
+    }
+    if (pattern.type === 'object_pattern') {
+        for (const prop of pattern.namedChildren) {
+            if (prop.type === 'shorthand_property_identifier_pattern') {
+                // { email } = obj → email gets field-specific taint from obj.email
+                if (rhsVarName) {
+                    const fieldTaint = (0, propagation_types_1.getFieldTaint)(state, rhsVarName, prop.text);
+                    if (fieldTaint && fieldTaint.size > 0) {
+                        (0, propagation_types_1.setTaint)(state, prop.text, new Set(fieldTaint));
+                    }
+                    else {
+                        // Field has no taint — don't assign whole-object taint
+                        (0, propagation_types_1.deleteTaint)(state, prop.text);
+                    }
+                }
+                else {
+                    (0, propagation_types_1.setTaint)(state, prop.text, new Set(rhsTaint));
+                }
+            }
+            else if (prop.type === 'pair_pattern') {
+                // { email: e } = obj → e gets taint from obj.email
+                const key = prop.childForFieldName('key');
+                const value = prop.childForFieldName('value');
+                if (value && rhsVarName && key) {
+                    const fieldName = key.text;
+                    const fieldTaint = (0, propagation_types_1.getFieldTaint)(state, rhsVarName, fieldName);
+                    if (fieldTaint && fieldTaint.size > 0) {
+                        applyDestructuringTaint(value, fieldTaint, state);
+                    }
+                }
+                else if (value) {
+                    applyDestructuringTaint(value, rhsTaint, state);
+                }
+            }
+            else if (prop.type === 'rest_pattern') {
+                // { ...rest } = obj → rest gets whole-object taint (conservative)
+                const inner = prop.namedChildren[0];
+                if (inner)
+                    applyDestructuringTaint(inner, rhsTaint, state);
+            }
+        }
+        return;
+    }
+    if (pattern.type === 'array_pattern') {
+        for (const elem of pattern.namedChildren) {
+            applyDestructuringTaint(elem, rhsTaint, state);
+        }
+        return;
+    }
+    // Python unpacking: a, b = expr / (a, b) = expr / [a, b] = expr
+    if (pattern.type === 'tuple_pattern' || pattern.type === 'list_pattern' ||
+        pattern.type === 'pattern_list' || pattern.type === 'expression_list' ||
+        pattern.type === 'tuple' || pattern.type === 'list') {
+        for (const elem of pattern.namedChildren) {
+            applyDestructuringTaint(elem, rhsTaint, state);
+        }
+        return;
+    }
+    // Python list_splat_pattern: *rest
+    if (pattern.type === 'list_splat_pattern') {
+        const inner = pattern.namedChildren[0];
+        if (inner)
+            applyDestructuringTaint(inner, rhsTaint, state);
+        return;
+    }
+    if (pattern.type === 'assignment_pattern') {
+        const left = pattern.childForFieldName('left');
+        if (left)
+            applyDestructuringTaint(left, rhsTaint, state, rhsVarName);
+        return;
+    }
+    if (pattern.type === 'rest_pattern') {
+        const inner = pattern.namedChildren[0];
+        if (inner)
+            applyDestructuringTaint(inner, rhsTaint, state);
+    }
+}
+/** Get the root identifier of a member expression chain: `a.b.c` → 'a'. */
+function getMemberRoot(node) {
+    let current = node;
+    while (current.type === 'member_expression' || current.type === 'subscript_expression' ||
+        current.type === 'attribute' || current.type === 'subscript') {
+        const obj = current.childForFieldName('object')
+            ?? current.childForFieldName('value'); // Python subscript uses 'value' field
+        if (!obj)
+            return null;
+        current = obj;
+    }
+    return current.type === 'identifier' ? current.text : null;
+}
+/**
+ * Map sources to their containing CFG nodes.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+function mapSourcesToCFG(cfg, sources, cfgNodeMap) {
+    const mappings = [];
+    for (const source of sources) {
+        const cfgNode = cfgNodeMap
+            ? findContainingCFGNodeFast(cfgNodeMap, source.node)
+            : findContainingCFGNode(cfg, source.node);
+        if (cfgNode) {
+            mappings.push({ source, cfgNodeId: cfgNode.id });
+        }
+    }
+    return mappings;
+}
+/**
+ * Map sinks to their containing CFG nodes.
+ * Phase 8: accepts optional cfgNodeMap for O(D) lookup instead of O(N).
+ */
+function mapSinksToCFG(cfg, sinks, cfgNodeMap) {
+    const mappings = [];
+    for (const sink of sinks) {
+        const cfgNode = cfgNodeMap
+            ? findContainingCFGNodeFast(cfgNodeMap, sink.node)
+            : findContainingCFGNode(cfg, sink.node);
+        if (cfgNode) {
+            mappings.push({ sink, cfgNodeId: cfgNode.id });
+        }
+    }
+    return mappings;
+}
+// ============================================================================
+// Worklist Algorithm
+// ============================================================================
+const MAX_ITERATIONS = 1000;
+/**
+ * Run the worklist fixpoint algorithm on a CFG.
+ *
+ * Seeds taint at source nodes, propagates forward through the CFG until
+ * no more state changes occur (fixpoint). Returns the per-node out-states.
+ *
+ * Exported as runFixpointInternal for use by taint-summary.ts (Phase 8).
+ */
+function runFixpointInternal(cfg, sourceMappings, sanitizerMap, filePath, callContext, constantMap) {
+    // Per-node out-states
+    const outStates = new Map();
+    for (const [id] of cfg.nodes) {
+        outStates.set(id, new Map());
+    }
+    // Seed sources: set source variable taint in the source node's out-state
+    const worklist = new Set();
+    // Build a per-node source seed map so seeds survive worklist overwrites.
+    // Without this, when a predecessor's propagation causes node N to be
+    // re-processed, applyTransfer overwrites the seeded out-state with just
+    // the propagated in-state — losing any source taint that was seeded here.
+    const sourceSeeds = new Map();
+    for (const { source, cfgNodeId } of sourceMappings) {
+        const state = outStates.get(cfgNodeId);
+        const cfgNode = cfg.nodes.get(cfgNodeId);
+        const varName = source.variable;
+        const isDestructuring = varName.startsWith('{') || varName.startsWith('[');
+        if (isDestructuring && cfgNode && cfgNode.defs.size > 0) {
+            for (const defVar of cfgNode.defs) {
+                // Phase 8: clone before mutating — getTaint may return internal Set reference
+                const existing = new Set((0, propagation_types_1.getTaint)(state, defVar) ?? []);
+                for (const k of source.taintKinds)
+                    existing.add(k);
+                (0, propagation_types_1.setTaint)(state, defVar, existing);
+            }
+        }
+        else {
+            // Phase 8: clone before mutating — getTaint may return internal Set reference
+            const existing = new Set((0, propagation_types_1.getTaint)(state, varName) ?? []);
+            for (const k of source.taintKinds)
+                existing.add(k);
+            (0, propagation_types_1.setTaint)(state, varName, existing);
+            // For compound source variables (e.g. "req.body", "req.query"), also seed
+            // the root identifier. The expression-level resolver walks member chains
+            // from the root, so `req.body.email` resolves `req` → tainted → propagates.
+            if (varName.includes('.')) {
+                const root = varName.split('.')[0];
+                const rootExisting = new Set((0, propagation_types_1.getTaint)(state, root) ?? []);
+                for (const k of source.taintKinds)
+                    rootExisting.add(k);
+                (0, propagation_types_1.setTaint)(state, root, rootExisting);
+            }
+        }
+        // Record seed for re-injection during worklist
+        if (!sourceSeeds.has(cfgNodeId))
+            sourceSeeds.set(cfgNodeId, []);
+        sourceSeeds.get(cfgNodeId).push({
+            variable: varName,
+            kinds: new Set(source.taintKinds),
+            isDestructuring,
+            defs: cfgNode?.defs ?? new Set(),
+        });
+        // Push successors to worklist (the source node's out-state is now seeded)
+        for (const succ of (0, cfg_builder_1.getSuccessors)(cfg, cfgNodeId)) {
+            worklist.add(succ);
+        }
+    }
+    // Iterate to fixpoint
+    let iterations = 0;
+    while (worklist.size > 0 && iterations < MAX_ITERATIONS) {
+        iterations++;
+        // Pop first element from worklist
+        const nodeId = worklist.values().next().value;
+        worklist.delete(nodeId);
+        const cfgNode = cfg.nodes.get(nodeId);
+        if (!cfgNode)
+            continue;
+        // Compute in-state = merge of all predecessor out-states
+        // Phase 8 (3a): single-predecessor fast path — skip mergeStates allocation for ~70% of nodes
+        const predIds = (0, cfg_builder_1.getPredecessors)(cfg, nodeId);
+        let inState;
+        if (predIds.length === 1) {
+            const ps = outStates.get(predIds[0]);
+            inState = ps ?? new Map();
+        }
+        else {
+            const predStates = [];
+            for (const pId of predIds) {
+                const ps = outStates.get(pId);
+                if (ps)
+                    predStates.push(ps);
+            }
+            inState = mergeStates(predStates);
+        }
+        // Apply transfer function
+        const newOutState = applyTransfer(cfgNode, inState, sanitizerMap, callContext, filePath, constantMap);
+        // Re-inject source seeds: if this node has sources, ensure their taint
+        // survives the transfer function (which only sees predecessor in-state).
+        // Phase 8: clone before mutating — getTaint may return internal Set reference
+        const seeds = sourceSeeds.get(nodeId);
+        if (seeds) {
+            for (const seed of seeds) {
+                if (seed.isDestructuring && seed.defs.size > 0) {
+                    for (const defVar of seed.defs) {
+                        const existing = new Set((0, propagation_types_1.getTaint)(newOutState, defVar) ?? []);
+                        for (const k of seed.kinds)
+                            existing.add(k);
+                        (0, propagation_types_1.setTaint)(newOutState, defVar, existing);
+                    }
+                }
+                else {
+                    const existing = new Set((0, propagation_types_1.getTaint)(newOutState, seed.variable) ?? []);
+                    for (const k of seed.kinds)
+                        existing.add(k);
+                    (0, propagation_types_1.setTaint)(newOutState, seed.variable, existing);
+                    if (seed.variable.includes('.')) {
+                        const root = seed.variable.split('.')[0];
+                        const rootExisting = new Set((0, propagation_types_1.getTaint)(newOutState, root) ?? []);
+                        for (const k of seed.kinds)
+                            rootExisting.add(k);
+                        (0, propagation_types_1.setTaint)(newOutState, root, rootExisting);
+                    }
+                }
+            }
+        }
+        // Check if state changed
+        const oldOutState = outStates.get(nodeId);
+        // Phase 8 (3d): identity check — if applyTransfer returned same ref, no change possible
+        if (newOutState !== oldOutState && !statesEqual(newOutState, oldOutState)) {
+            outStates.set(nodeId, newOutState);
+            // Push all successors to worklist
+            for (const succ of (0, cfg_builder_1.getSuccessors)(cfg, nodeId)) {
+                worklist.add(succ);
+            }
+        }
+    }
+    if (iterations >= MAX_ITERATIONS) {
+        console.warn(`[taint] Worklist hit iteration limit (${MAX_ITERATIONS}) for ${cfg.functionName} — results may be incomplete`);
+    }
+    return outStates;
+}
+/**
+ * Check sinks for tainted data given computed out-states.
+ * Returns findings for each source→sink pair with matching taint kinds.
+ *
+ * Exported as checkSinksInternal for use by taint-summary.ts (Phase 8).
+ */
+function checkSinksInternal(cfg, outStates, sinkMappings, sourceMappings, filePath) {
+    const findings = [];
+    for (const { sink, cfgNodeId } of sinkMappings) {
+        // The taint state at the sink is the in-state (merge of predecessor outs)
+        const predIds = (0, cfg_builder_1.getPredecessors)(cfg, cfgNodeId);
+        const predStates = [];
+        for (const pId of predIds) {
+            const ps = outStates.get(pId);
+            if (ps)
+                predStates.push(ps);
+        }
+        // Also include the sink node's own out-state predecessor contributions
+        // But more importantly, check the in-state to the sink node
+        const sinkInState = mergeStates(predStates);
+        // Also check the out-state of the sink's own node (for cases where
+        // source and sink are in the same statement or sink uses vars from its own node)
+        const sinkOutState = outStates.get(cfgNodeId) ?? new Map();
+        // Merge both for maximum coverage
+        const combined = mergeStates([sinkInState, sinkOutState]);
+        // Find which variables at this sink are tainted with matching kinds
+        const sinkNode = cfg.nodes.get(cfgNodeId);
+        if (!sinkNode)
+            continue;
+        // Get all variables used by the sink expression
+        const sinkUses = extractSinkUses(sink, sinkNode);
+        // Extract field-level accesses from the sink for precise taint checking
+        const sinkFieldAccesses = extractSinkFieldAccesses(sink);
+        for (const varName of sinkUses) {
+            // Check if this variable has a field-level access in the sink
+            const fieldAccess = sinkFieldAccesses.get(varName);
+            const varTaint = fieldAccess
+                ? (0, propagation_types_1.getFieldTaint)(combined, varName, fieldAccess)
+                : (0, propagation_types_1.getTaint)(combined, varName);
+            if (!varTaint || varTaint.size === 0)
+                continue;
+            // Find matching kinds: intersection of variable's taint and sink's vulnerable kinds
+            const matchingKinds = new Set();
+            for (const k of varTaint) {
+                if (sink.vulnerableToKinds.has(k)) {
+                    matchingKinds.add(k);
+                }
+            }
+            if (matchingKinds.size === 0)
+                continue;
+            // Find which source(s) contributed this taint
+            for (const { source } of sourceMappings) {
+                // Check if source's taint kinds overlap with matching kinds
+                const sourceOverlap = new Set();
+                for (const k of matchingKinds) {
+                    if (source.taintKinds.has(k))
+                        sourceOverlap.add(k);
+                }
+                if (sourceOverlap.size === 0)
+                    continue;
+                // Reconstruct path
+                const path = reconstructPath(cfg, outStates, source, sink, varName, sourceMappings, cfgNodeId);
+                findings.push({
+                    source,
+                    sink,
+                    path,
+                    matchingKinds: sourceOverlap,
+                    functionName: cfg.functionName,
+                    filePath,
+                });
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Propagate taint through a single function's CFG.
+ *
+ * Returns all taint findings (source→sink pairs with matching kinds).
+ * When callContext is provided, calls to imported/local functions are
+ * resolved inter-procedurally.
+ */
+function propagateFunction(cfg, sourceMappings, sinkMappings, sanitizerMap, filePath, callContext) {
+    // Collect constants for this function scope
+    const constantMap = cfg.functionNode ? (0, constant_propagation_1.collectConstants)(cfg.functionNode) : new Map();
+    const outStates = runFixpointInternal(cfg, sourceMappings, sanitizerMap, filePath, callContext, constantMap);
+    const findings = checkSinksInternal(cfg, outStates, sinkMappings, sourceMappings, filePath);
+    return deduplicateFindings(findings);
+}
+/**
+ * Extract variables used by a sink expression.
+ * Uses the CFG node's `uses` set plus any identifiers in the sink's AST.
+ *
+ * When `sink.relevantArgNodes` is set (e.g., SSRF sinks), only variables
+ * within those specific argument nodes are collected — taint in other
+ * arguments (like request body) won't trigger the finding.
+ */
+function extractSinkUses(sink, cfgNode) {
+    // When the sink specifies relevant arg nodes, ONLY collect vars from those nodes.
+    // This prevents e.g. tainted body data from triggering SSRF (which requires tainted URL).
+    if (sink.relevantArgNodes && sink.relevantArgNodes.length > 0) {
+        const uses = new Set();
+        for (const argNode of sink.relevantArgNodes) {
+            (0, ast_1.walkAST)(argNode, (node) => {
+                if (node.type === 'identifier') {
+                    uses.add(node.text);
+                }
+                if (node.type === 'arrow_function' || node.type === 'function_expression')
+                    return true;
+                return false;
+            });
+        }
+        return uses;
+    }
+    // Default: collect from entire sink expression + CFG node uses
+    const uses = new Set(cfgNode.uses);
+    (0, ast_1.walkAST)(sink.node, (node) => {
+        if (node.type === 'identifier') {
+            uses.add(node.text);
+        }
+        if (node.type === 'arrow_function' || node.type === 'function_expression')
+            return true;
+        return false;
+    });
+    return uses;
+}
+/**
+ * Extract one-level field accesses from a sink expression.
+ * Returns a map of root variable → field name for `obj.field` patterns.
+ * Used for field-sensitive sink checking.
+ */
+function extractSinkFieldAccesses(sink) {
+    const accesses = new Map();
+    // Walk the sink's arguments to find member expression patterns
+    (0, ast_1.walkAST)(sink.node, (node) => {
+        if (node.type === 'member_expression') {
+            const obj = node.childForFieldName('object');
+            const prop = node.childForFieldName('property');
+            if (obj?.type === 'identifier' && prop?.type === 'property_identifier') {
+                accesses.set(obj.text, prop.text);
+            }
+        }
+        if (node.type === 'arrow_function' || node.type === 'function_expression')
+            return true;
+        return false;
+    });
+    return accesses;
+}
+// ============================================================================
+// Path Reconstruction
+// ============================================================================
+/**
+ * Reconstruct the path from source to sink via backward slice.
+ */
+function reconstructPath(cfg, outStates, source, sink, sinkVar, sourceMappings, sinkNodeId) {
+    const steps = [];
+    // Step 1: Sink step
+    const sinkNode = cfg.nodes.get(sinkNodeId);
+    if (sinkNode) {
+        steps.unshift({
+            nodeId: sinkNodeId,
+            line: sink.line,
+            variable: sinkVar,
+            taintKinds: new Set(sink.vulnerableToKinds),
+            description: `SINK ${sink.expression.slice(0, 60)}`,
+            stepType: 'sink',
+        });
+    }
+    // Step 2: Walk backward from sink to source
+    const visited = new Set();
+    let currentVar = sinkVar;
+    let currentNodeId = sinkNodeId;
+    for (let depth = 0; depth < 50; depth++) {
+        visited.add(currentNodeId);
+        // Check if we've reached a source node
+        const sourceMapping = sourceMappings.find(sm => sm.source === source && sm.cfgNodeId === currentNodeId);
+        if (sourceMapping)
+            break;
+        // Find a predecessor that has taint for the current variable
+        const predIds = (0, cfg_builder_1.getPredecessors)(cfg, currentNodeId);
+        let foundPred = false;
+        for (const predId of predIds) {
+            if (visited.has(predId))
+                continue;
+            const predState = outStates.get(predId);
+            if (!predState)
+                continue;
+            // Check if this predecessor contributes taint for our variable
+            const predTaint = (0, propagation_types_1.getTaint)(predState, currentVar);
+            if (!predTaint || predTaint.size === 0)
+                continue;
+            const predNode = cfg.nodes.get(predId);
+            if (!predNode)
+                continue;
+            // Check if this node defines the variable (it's a propagation step)
+            if (predNode.defs.has(currentVar)) {
+                steps.unshift({
+                    nodeId: predId,
+                    line: predNode.line,
+                    variable: currentVar,
+                    taintKinds: new Set(predTaint),
+                    description: `ASSIGN ${predNode.label}`,
+                    stepType: 'propagation',
+                });
+                // Check what variable(s) contributed to this def
+                // Look at the node's uses that are tainted
+                for (const use of predNode.uses) {
+                    const useTaint = (0, propagation_types_1.getTaint)(predState, use); // check predecessor's state
+                    if (!useTaint || useTaint.size === 0) {
+                        // Also check in-state (merge of pred's preds)
+                        const predPredIds = (0, cfg_builder_1.getPredecessors)(cfg, predId);
+                        for (const ppId of predPredIds) {
+                            const ppState = outStates.get(ppId);
+                            const ppTaint = ppState ? (0, propagation_types_1.getTaint)(ppState, use) : undefined;
+                            if (ppTaint && ppTaint.size > 0) {
+                                currentVar = use;
+                                break;
+                            }
+                        }
+                        if (currentVar !== use)
+                            continue;
+                    }
+                    else {
+                        currentVar = use;
+                    }
+                    break;
+                }
+            }
+            currentNodeId = predId;
+            foundPred = true;
+            break;
+        }
+        if (!foundPred)
+            break;
+    }
+    // Step 3: Source step
+    steps.unshift({
+        nodeId: sourceMappings.find(sm => sm.source === source)?.cfgNodeId ?? 0,
+        line: source.line,
+        variable: source.variable,
+        taintKinds: new Set(source.taintKinds),
+        description: `SOURCE ${source.expression.slice(0, 60)}`,
+        stepType: 'source',
+    });
+    return steps;
+}
+// ============================================================================
+// Deduplication
+// ============================================================================
+/**
+ * Deduplicate findings: same source line + same sink line + same kinds = one finding.
+ */
+function deduplicateFindings(findings) {
+    const seen = new Set();
+    const result = [];
+    for (const f of findings) {
+        const key = `${f.source.line}:${f.sink.line}:${[...f.matchingKinds].sort().join(',')}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        result.push(f);
+    }
+    return result;
+}
+//# sourceMappingURL=propagation.js.map