npm - circle-ir - Versions diffs - 3.21.0 → 3.22.0 - Mend

circle-ir 3.21.0 → 3.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/configs/sinks/golang.json +144 -0
package/configs/sources/golang.json +150 -0
package/dist/analyzer.js +9 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +1387 -183
package/dist/core/circle-ir-core.cjs +610 -0
package/dist/core/circle-ir-core.js +610 -0
package/dist/core/extractors/calls.js +133 -0
package/dist/core/extractors/calls.js.map +1 -1
package/dist/core/extractors/cfg.js +68 -0
package/dist/core/extractors/cfg.js.map +1 -1
package/dist/core/extractors/dfg.js +270 -0
package/dist/core/extractors/dfg.js.map +1 -1
package/dist/core/extractors/imports.js +78 -0
package/dist/core/extractors/imports.js.map +1 -1
package/dist/core/extractors/types.js +160 -0
package/dist/core/extractors/types.js.map +1 -1
package/dist/core/parser.d.ts +1 -1
package/dist/languages/plugins/go.d.ts +61 -0
package/dist/languages/plugins/go.js +615 -0
package/dist/languages/plugins/go.js.map +1 -0
package/dist/languages/plugins/index.d.ts +1 -0
package/dist/languages/plugins/index.js +3 -0
package/dist/languages/plugins/index.js.map +1 -1
package/dist/languages/types.d.ts +1 -1
package/dist/types/index.d.ts +1 -1
package/dist/wasm/tree-sitter-go.wasm +0 -0
package/package.json +1 -1

package/dist/browser/circle-ir.js CHANGED Viewed

@@ -4297,6 +4297,9 @@ function extractTypes(tree, cache, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoTypes(tree, cache);
+  }
   if (isRust) {
     return extractRustTypes(tree, cache);
   }
@@ -5432,6 +5435,143 @@ function extractRustDerives(node) {
   }
   return derives;
 }
+function extractGoTypes(tree, cache) {
+  const types = [];
+  const root = tree.rootNode;
+  const typeDecls = getNodesFromCache(root, "type_declaration", cache);
+  for (const decl of typeDecls) {
+    for (let i2 = 0; i2 < decl.childCount; i2++) {
+      const spec = decl.child(i2);
+      if (!spec || spec.type !== "type_spec") continue;
+      const nameNode = spec.childForFieldName("name");
+      const typeNode = spec.childForFieldName("type");
+      if (!nameNode || !typeNode) continue;
+      const name2 = getNodeText(nameNode);
+      const isInterface = typeNode.type === "interface_type";
+      const isStruct = typeNode.type === "struct_type";
+      if (!isStruct && !isInterface) continue;
+      const fields = [];
+      const methods = [];
+      if (isStruct) {
+        const fieldList = findChildByType(typeNode, "field_declaration_list");
+        if (fieldList) {
+          for (let j = 0; j < fieldList.childCount; j++) {
+            const field = fieldList.child(j);
+            if (!field || field.type !== "field_declaration") continue;
+            const fieldName = field.childForFieldName("name");
+            const fieldType = field.childForFieldName("type");
+            if (fieldName) {
+              fields.push({
+                name: getNodeText(fieldName),
+                type: fieldType ? getNodeText(fieldType) : null,
+                modifiers: [],
+                annotations: []
+              });
+            }
+          }
+        }
+      }
+      const methodDecls = getNodesFromCache(root, "method_declaration", cache);
+      for (const md of methodDecls) {
+        const receiver = md.childForFieldName("receiver");
+        if (!receiver) continue;
+        const receiverText = getNodeText(receiver);
+        if (receiverText.includes(name2)) {
+          const methodNameNode = md.childForFieldName("name");
+          const params = md.childForFieldName("parameters");
+          const result = md.childForFieldName("result");
+          if (methodNameNode) {
+            methods.push({
+              name: getNodeText(methodNameNode),
+              return_type: result ? getNodeText(result) : null,
+              parameters: params ? extractGoParameters(params) : [],
+              annotations: [],
+              modifiers: [],
+              start_line: md.startPosition.row + 1,
+              end_line: md.endPosition.row + 1
+            });
+          }
+        }
+      }
+      let pkg = null;
+      const pkgClause = findChildByType(root, "package_clause");
+      if (pkgClause) {
+        for (let j = 0; j < pkgClause.childCount; j++) {
+          const child = pkgClause.child(j);
+          if (child && child.type === "package_identifier") {
+            pkg = getNodeText(child);
+            break;
+          }
+        }
+      }
+      types.push({
+        name: name2,
+        kind: isInterface ? "interface" : "class",
+        package: pkg,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods,
+        fields,
+        start_line: decl.startPosition.row + 1,
+        end_line: decl.endPosition.row + 1
+      });
+    }
+  }
+  const functions = getNodesFromCache(root, "function_declaration", cache);
+  if (functions.length > 0) {
+    const moduleFunctions = [];
+    for (const func2 of functions) {
+      const nameNode = func2.childForFieldName("name");
+      const params = func2.childForFieldName("parameters");
+      const result = func2.childForFieldName("result");
+      if (nameNode) {
+        moduleFunctions.push({
+          name: getNodeText(nameNode),
+          return_type: result ? getNodeText(result) : null,
+          parameters: params ? extractGoParameters(params) : [],
+          annotations: [],
+          modifiers: [],
+          start_line: func2.startPosition.row + 1,
+          end_line: func2.endPosition.row + 1
+        });
+      }
+    }
+    if (moduleFunctions.length > 0) {
+      types.push({
+        name: "<module>",
+        kind: "class",
+        package: null,
+        extends: null,
+        implements: [],
+        annotations: [],
+        methods: moduleFunctions,
+        fields: [],
+        start_line: 1,
+        end_line: root.endPosition.row + 1
+      });
+    }
+  }
+  return types;
+}
+function extractGoParameters(params) {
+  const parameters = [];
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const child = params.child(i2);
+    if (!child || child.type !== "parameter_declaration") continue;
+    const nameNode = child.childForFieldName("name");
+    const typeNode = child.childForFieldName("type");
+    if (nameNode) {
+      parameters.push({
+        name: getNodeText(nameNode),
+        type: typeNode ? getNodeText(typeNode) : null,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
+    }
+  }
+  return parameters;
+}
 function findChildByType(node, type) {
   for (let i2 = 0; i2 < node.childCount; i2++) {
     const child = node.child(i2);
@@ -5479,6 +5619,9 @@ function extractCalls(tree, cache, language) {
   const isJavaScript = detectedLanguage === "javascript" || detectedLanguage === "typescript";
   const isPython = detectedLanguage === "python";
   const isRust = detectedLanguage === "rust";
+  if (detectedLanguage === "go") {
+    return extractGoCalls(tree, cache);
+  }
   if (detectedLanguage === "bash") {
     return extractBashCalls(tree, cache);
   }
@@ -6761,6 +6904,104 @@ function resolveRustCall(methodName, receiver, context) {
     status: "external_method"
   };
 }
+function extractGoCalls(tree, cache) {
+  const calls = [];
+  const callExpressions = getNodesFromCache(tree.rootNode, "call_expression", cache);
+  for (const call of callExpressions) {
+    const callInfo = extractGoCallInfo(call);
+    if (callInfo) {
+      calls.push(callInfo);
+    }
+  }
+  return calls;
+}
+function extractGoCallInfo(node) {
+  const funcNode = node.childForFieldName("function");
+  if (!funcNode) return null;
+  let methodName;
+  let receiver = null;
+  if (funcNode.type === "selector_expression") {
+    const operand = funcNode.childForFieldName("operand");
+    const field = funcNode.childForFieldName("field");
+    receiver = operand ? getNodeText(operand) : null;
+    methodName = field ? getNodeText(field) : getNodeText(funcNode);
+  } else if (funcNode.type === "identifier") {
+    methodName = getNodeText(funcNode);
+  } else {
+    methodName = getNodeText(funcNode);
+  }
+  const argsNode = node.childForFieldName("arguments");
+  const args2 = argsNode ? extractGoArguments(argsNode) : [];
+  const inMethod = findGoEnclosingFunction(node);
+  return {
+    method_name: methodName,
+    receiver,
+    arguments: args2,
+    location: {
+      line: node.startPosition.row + 1,
+      column: node.startPosition.column
+    },
+    in_method: inMethod,
+    resolved: false,
+    resolution: { status: "external_method" }
+  };
+}
+function extractGoArguments(argsNode) {
+  const args2 = [];
+  let position = 0;
+  for (let i2 = 0; i2 < argsNode.childCount; i2++) {
+    const child = argsNode.child(i2);
+    if (!child) continue;
+    if (child.type === "(" || child.type === ")" || child.type === ",") continue;
+    const expression = getNodeText(child);
+    const variable = child.type === "identifier" ? expression : null;
+    const literal = isGoLiteral(child) ? extractGoLiteralValue(child) : null;
+    args2.push({
+      position: position++,
+      expression,
+      variable,
+      literal
+    });
+  }
+  return args2;
+}
+function isGoLiteral(node) {
+  const literalTypes = /* @__PURE__ */ new Set([
+    "interpreted_string_literal",
+    "raw_string_literal",
+    "int_literal",
+    "float_literal",
+    "true",
+    "false",
+    "nil"
+  ]);
+  return literalTypes.has(node.type);
+}
+function extractGoLiteralValue(node) {
+  const text = getNodeText(node);
+  if (node.type === "interpreted_string_literal") {
+    return text.slice(1, -1);
+  }
+  if (node.type === "raw_string_literal") {
+    return text.slice(1, -1);
+  }
+  return text;
+}
+function findGoEnclosingFunction(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "function_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    if (current.type === "method_declaration") {
+      const nameNode = current.childForFieldName("name");
+      return nameNode ? getNodeText(nameNode) : null;
+    }
+    current = current.parent;
+  }
+  return null;
+}
 // src/core/extractors/imports.ts
 function detectLanguage2(tree) {
@@ -6815,6 +7056,9 @@ function extractImports(tree, language) {
   const isJavaScript = effectiveLanguage === "javascript" || effectiveLanguage === "typescript";
   const isPython = effectiveLanguage === "python";
   const isRust = effectiveLanguage === "rust";
+  if (effectiveLanguage === "go") {
+    return extractGoImports(tree);
+  }
   if (isRust) {
     return extractRustImports(tree);
   }
@@ -7362,6 +7606,61 @@ function extractRustScopedUseList(node, lineNumber) {
   }
   return imports;
 }
+function extractGoImports(tree) {
+  const imports = [];
+  const importDecls = findNodes(tree.rootNode, "import_declaration");
+  for (const decl of importDecls) {
+    const singleSpec = findGoChildByType(decl, "import_spec");
+    if (singleSpec) {
+      const parsed = parseGoImportSpec(singleSpec);
+      if (parsed) imports.push(parsed);
+      continue;
+    }
+    const specList = findGoChildByType(decl, "import_spec_list");
+    if (specList) {
+      for (let i2 = 0; i2 < specList.childCount; i2++) {
+        const spec = specList.child(i2);
+        if (!spec || spec.type !== "import_spec") continue;
+        const parsed = parseGoImportSpec(spec);
+        if (parsed) imports.push(parsed);
+      }
+    }
+  }
+  return imports;
+}
+function parseGoImportSpec(spec) {
+  let alias = null;
+  let path;
+  for (let i2 = 0; i2 < spec.childCount; i2++) {
+    const child = spec.child(i2);
+    if (!child) continue;
+    if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+      alias = getNodeText(child);
+    }
+    if (child.type === "interpreted_string_literal") {
+      const text = getNodeText(child);
+      path = text.slice(1, -1);
+    }
+  }
+  if (!path) return null;
+  const shortName = alias || path.split("/").pop() || path;
+  return {
+    imported_name: shortName,
+    from_package: path,
+    alias,
+    is_wildcard: alias === ".",
+    line_number: spec.startPosition.row + 1
+  };
+}
+function findGoChildByType(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) {
+      return child;
+    }
+  }
+  return null;
+}
 // src/core/extractors/exports.ts
 function extractExports(types) {
@@ -7453,6 +7752,9 @@ function buildCFG(tree, language) {
   if (effectiveLanguage === "bash") {
     return buildBashCFG(tree, blockIdCounter);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoCFG(tree, blockIdCounter);
+  }
   if (isJavaScript) {
     const functions = [
       ...findNodes(tree.rootNode, "function_declaration"),
@@ -7929,6 +8231,58 @@ function isStatement(node, isJavaScript) {
   ]);
   return isJavaScript ? jsStatementTypes.has(node.type) : javaStatementTypes.has(node.type);
 }
+function buildGoCFG(tree, blockIdCounter) {
+  const allBlocks = [];
+  const allEdges = [];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    const body2 = func2.childForFieldName("body");
+    if (!body2 || body2.type !== "block") continue;
+    const { blocks, edges, nextId } = buildMethodCFG(body2, blockIdCounter, false);
+    allBlocks.push(...blocks);
+    allEdges.push(...edges);
+    blockIdCounter = nextId;
+  }
+  const hasTopLevelDecls = tree.rootNode.children.some(
+    (c) => c !== null && isGoStatement(c)
+  );
+  if (hasTopLevelDecls) {
+    const block = {
+      id: blockIdCounter++,
+      type: "normal",
+      start_line: 1,
+      end_line: tree.rootNode.endPosition.row + 1
+    };
+    allBlocks.push(block);
+  }
+  return { blocks: allBlocks, edges: allEdges };
+}
+function isGoStatement(node) {
+  const goStatementTypes = /* @__PURE__ */ new Set([
+    "short_var_declaration",
+    "var_declaration",
+    "assignment_statement",
+    "expression_statement",
+    "if_statement",
+    "for_statement",
+    "switch_statement",
+    "type_switch_statement",
+    "select_statement",
+    "return_statement",
+    "go_statement",
+    "defer_statement",
+    "send_statement",
+    "inc_statement",
+    "dec_statement",
+    "block",
+    "type_declaration",
+    "const_declaration"
+  ]);
+  return goStatementTypes.has(node.type);
+}
 // src/core/extractors/dfg.ts
 function detectLanguage4(tree) {
@@ -7976,6 +8330,9 @@ function buildDFG(tree, cache, language) {
   if (effectiveLanguage === "bash") {
     return buildBashDFG(tree);
   }
+  if (effectiveLanguage === "go") {
+    return buildGoDFG(tree);
+  }
   return buildJavaDFG(tree, cache);
 }
 function buildJavaDFG(tree, cache) {
@@ -8959,68 +9316,321 @@ function isRustKeyword(name2) {
   ]);
   return keywords.has(name2);
 }
-// src/analysis/config-loader.ts
-var DEFAULT_SOURCES = [
-  // HTTP Sources (Servlet API)
-  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
-  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
-  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
-  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
-  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
-  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
-  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  // Additional HTTP request methods that can be attacker-controlled
-  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
-  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
-  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
-  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
-  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
-  // Cookie sources
-  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
-  { method: "getName", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
-  // I/O Sources (Scanner, BufferedReader, etc.)
-  { method: "readLine", class: "BufferedReader", type: "io_input", severity: "high", return_tainted: true },
-  { method: "readLine", type: "io_input", severity: "high", return_tainted: true },
-  { method: "nextLine", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  { method: "next", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  { method: "nextInt", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
-  // Database result sources
-  { method: "getString", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  { method: "getObject", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  { method: "getInt", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
-  // Spring annotations
-  { annotation: "RequestParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "RequestBody", type: "http_body", severity: "high", param_tainted: true },
-  { annotation: "PathVariable", type: "http_path", severity: "medium", param_tainted: true },
-  { annotation: "RequestHeader", type: "http_header", severity: "high", param_tainted: true },
-  { annotation: "CookieValue", type: "http_cookie", severity: "high", param_tainted: true },
-  // JAX-RS annotations
-  { annotation: "QueryParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "FormParam", type: "http_param", severity: "high", param_tainted: true },
-  { annotation: "PathParam", type: "http_path", severity: "medium", param_tainted: true },
-  { annotation: "HeaderParam", type: "http_header", severity: "high", param_tainted: true },
-  // Environment
-  { method: "getenv", class: "System", type: "env_input", severity: "medium", return_tainted: true },
-  { method: "getProperty", class: "System", type: "env_input", severity: "medium", return_tainted: true },
-  // Note: Properties.getProperty is NOT included by default as it causes many false positives
-  // in OWASP Benchmark. Include it via custom config if needed for specific analyses.
+var GO_KEYWORDS = /* @__PURE__ */ new Set([
+  "break",
+  "case",
+  "chan",
+  "const",
+  "continue",
+  "default",
+  "defer",
+  "else",
+  "fallthrough",
+  "for",
+  "func",
+  "go",
+  "goto",
+  "if",
+  "import",
+  "interface",
+  "map",
+  "package",
+  "range",
+  "return",
+  "select",
+  "struct",
+  "switch",
+  "type",
+  "var",
+  "true",
+  "false",
+  "nil",
+  "iota",
+  "append",
+  "cap",
+  "close",
+  "complex",
+  "copy",
+  "delete",
+  "imag",
+  "len",
+  "make",
+  "new",
+  "panic",
+  "print",
+  "println",
+  "real",
+  "recover",
+  "string",
+  "int",
+  "int8",
+  "int16",
+  "int32",
+  "int64",
+  "uint",
+  "uint8",
+  "uint16",
+  "uint32",
+  "uint64",
+  "float32",
+  "float64",
+  "complex64",
+  "complex128",
+  "byte",
+  "rune",
+  "bool",
+  "error",
+  "any"
+]);
+function buildGoDFG(tree) {
+  const defs = [];
+  const uses = [];
+  let defIdCounter = 1;
+  let useIdCounter = 1;
+  const scopeStack = [/* @__PURE__ */ new Map()];
+  const functions = [
+    ...findNodes(tree.rootNode, "function_declaration"),
+    ...findNodes(tree.rootNode, "method_declaration")
+  ];
+  for (const func2 of functions) {
+    scopeStack.push(/* @__PURE__ */ new Map());
+    const params = func2.childForFieldName("parameters");
+    if (params) {
+      extractGoParamDefs(params, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const receiver = func2.childForFieldName("receiver");
+    if (receiver) {
+      extractGoParamDefs(receiver, defs, defIdCounter, scopeStack);
+      defIdCounter = defs.length + 1;
+    }
+    const body2 = func2.childForFieldName("body");
+    if (body2) {
+      processGoBlock(body2, defs, uses, scopeStack, { defId: defIdCounter, useId: useIdCounter });
+      defIdCounter = defs.length + 1;
+      useIdCounter = uses.length + 1;
+    }
+    scopeStack.pop();
+  }
+  for (let i2 = 0; i2 < tree.rootNode.childCount; i2++) {
+    const child = tree.rootNode.child(i2);
+    if (!child) continue;
+    if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, { defId: defIdCounter });
+      defIdCounter = defs.length + 1;
+    }
+  }
+  const chains = computeChains(defs, uses);
+  return { defs, uses, chains };
+}
+function extractGoParamDefs(params, defs, _startId, scopeStack) {
+  for (let i2 = 0; i2 < params.childCount; i2++) {
+    const param = params.child(i2);
+    if (!param || param.type !== "parameter_declaration") continue;
+    const typeNode = param.childForFieldName("type");
+    for (let j = 0; j < param.childCount; j++) {
+      const nameNode = param.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      if (nameNode === typeNode) continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "param",
+        line: param.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function processGoBlock(node, defs, uses, scopeStack, counters) {
+  walkTree(node, (child) => {
+    if (child.type === "short_var_declaration") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "var_declaration") {
+      processGoVarDecl(child, defs, scopeStack, counters);
+    } else if (child.type === "assignment_statement") {
+      const left = child.childForFieldName("left");
+      const right = child.childForFieldName("right");
+      if (right) {
+        extractGoUses(right, uses, scopeStack);
+      }
+      if (left) {
+        extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+      }
+    } else if (child.type === "for_statement") {
+      const rangeClause = findChildByTypeGo(child, "range_clause");
+      if (rangeClause) {
+        const left = rangeClause.childForFieldName("left");
+        if (left) {
+          extractGoLhsDefs(left, defs, scopeStack, child.startPosition.row + 1);
+        }
+      }
+    } else if (child.type === "call_expression") {
+      extractGoUses(child, uses, scopeStack);
+    } else if (child.type === "return_statement") {
+      for (let i2 = 0; i2 < child.childCount; i2++) {
+        const expr = child.child(i2);
+        if (expr && expr.type !== "return") {
+          extractGoUses(expr, uses, scopeStack);
+        }
+      }
+    }
+  });
+}
+function processGoVarDecl(node, defs, scopeStack, _counters) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const spec = node.child(i2);
+    if (!spec || spec.type !== "var_spec") continue;
+    for (let j = 0; j < spec.childCount; j++) {
+      const nameNode = spec.child(j);
+      if (!nameNode || nameNode.type !== "identifier") continue;
+      const varName = getNodeText(nameNode);
+      if (varName === "_") continue;
+      const def = {
+        id: defs.length + 1,
+        variable: varName,
+        kind: "local",
+        line: spec.startPosition.row + 1
+      };
+      defs.push(def);
+      currentScope(scopeStack).set(varName, def.id);
+    }
+  }
+}
+function extractGoLhsDefs(left, defs, scopeStack, line) {
+  if (left.type === "identifier") {
+    const varName = getNodeText(left);
+    if (varName === "_") return;
+    const def = {
+      id: defs.length + 1,
+      variable: varName,
+      kind: "local",
+      line
+    };
+    defs.push(def);
+    currentScope(scopeStack).set(varName, def.id);
+  } else if (left.type === "expression_list") {
+    for (let i2 = 0; i2 < left.childCount; i2++) {
+      const item = left.child(i2);
+      if (item && item.type === "identifier") {
+        const varName = getNodeText(item);
+        if (varName === "_") continue;
+        const def = {
+          id: defs.length + 1,
+          variable: varName,
+          kind: "local",
+          line
+        };
+        defs.push(def);
+        currentScope(scopeStack).set(varName, def.id);
+      }
+    }
+  }
+}
+function extractGoUses(node, uses, scopeStack) {
+  walkTree(node, (child) => {
+    if (child.type === "identifier") {
+      const varName = getNodeText(child);
+      if (varName === "_" || GO_KEYWORDS.has(varName)) return;
+      const parent = child.parent;
+      if (parent?.type === "selector_expression" && parent.childForFieldName("field") === child) {
+        return;
+      }
+      if (parent?.type === "parameter_declaration" && parent.childForFieldName("type") === child) {
+        return;
+      }
+      if (parent?.type === "type_identifier") {
+        return;
+      }
+      const defId = findReachingDef(varName, scopeStack);
+      uses.push({
+        id: uses.length + 1,
+        variable: varName,
+        line: child.startPosition.row + 1,
+        def_id: defId
+      });
+    }
+  });
+}
+function findChildByTypeGo(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) return child;
+  }
+  return null;
+}
+// src/analysis/config-loader.ts
+var DEFAULT_SOURCES = [
+  // HTTP Sources (Servlet API)
+  { method: "getParameter", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterValues", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterMap", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getParameterNames", class: "HttpServletRequest", type: "http_param", severity: "high", return_tainted: true },
+  { method: "getHeader", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaders", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getHeaderNames", class: "HttpServletRequest", type: "http_header", severity: "high", return_tainted: true },
+  { method: "getQueryString", class: "HttpServletRequest", type: "http_query", severity: "high", return_tainted: true },
+  { method: "getCookies", class: "HttpServletRequest", type: "http_cookie", severity: "high", return_tainted: true },
+  { method: "getInputStream", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getReader", class: "HttpServletRequest", type: "http_body", severity: "high", return_tainted: true },
+  { method: "getPathInfo", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURI", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getRequestURL", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getServletPath", class: "HttpServletRequest", type: "http_path", severity: "high", return_tainted: true },
+  { method: "getContextPath", class: "HttpServletRequest", type: "http_path", severity: "medium", return_tainted: true },
+  { method: "getRemoteHost", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteAddr", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  // Additional HTTP request methods that can be attacker-controlled
+  { method: "getProtocol", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getScheme", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getAuthType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getRemoteUser", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getMethod", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  { method: "getContentType", class: "HttpServletRequest", type: "http_header", severity: "medium", return_tainted: true },
+  { method: "getCharacterEncoding", class: "HttpServletRequest", type: "http_header", severity: "low", return_tainted: true },
+  // Enumeration/Iterator sources (from request.getHeaders(), etc.)
+  { method: "nextElement", class: "Enumeration", type: "http_header", severity: "high", return_tainted: true },
+  { method: "nextElement", type: "http_header", severity: "high", return_tainted: true },
+  // Cookie sources
+  { method: "getValue", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
+  { method: "getName", class: "Cookie", type: "http_cookie", severity: "high", return_tainted: true },
+  // I/O Sources (Scanner, BufferedReader, etc.)
+  { method: "readLine", class: "BufferedReader", type: "io_input", severity: "high", return_tainted: true },
+  { method: "readLine", type: "io_input", severity: "high", return_tainted: true },
+  { method: "nextLine", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  { method: "next", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  { method: "nextInt", class: "Scanner", type: "io_input", severity: "high", return_tainted: true },
+  // Database result sources
+  { method: "getString", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  { method: "getObject", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  { method: "getInt", class: "ResultSet", type: "db_input", severity: "medium", return_tainted: true },
+  // Spring annotations
+  { annotation: "RequestParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "RequestBody", type: "http_body", severity: "high", param_tainted: true },
+  { annotation: "PathVariable", type: "http_path", severity: "medium", param_tainted: true },
+  { annotation: "RequestHeader", type: "http_header", severity: "high", param_tainted: true },
+  { annotation: "CookieValue", type: "http_cookie", severity: "high", param_tainted: true },
+  // JAX-RS annotations
+  { annotation: "QueryParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "FormParam", type: "http_param", severity: "high", param_tainted: true },
+  { annotation: "PathParam", type: "http_path", severity: "medium", param_tainted: true },
+  { annotation: "HeaderParam", type: "http_header", severity: "high", param_tainted: true },
+  // Environment
+  { method: "getenv", class: "System", type: "env_input", severity: "medium", return_tainted: true },
+  { method: "getProperty", class: "System", type: "env_input", severity: "medium", return_tainted: true },
+  // Note: Properties.getProperty is NOT included by default as it causes many false positives
+  // in OWASP Benchmark. Include it via custom config if needed for specific analyses.
   // Servlet Configuration Parameters (can be attacker-influenced in some deployments)
   { method: "getInitParameter", class: "ServletConfig", type: "http_param", severity: "medium", return_tainted: true },
   { method: "getInitParameter", class: "ServletContext", type: "http_param", severity: "medium", return_tainted: true },
@@ -17886,211 +18496,784 @@ var BashPlugin = class extends BaseLanguagePlugin {
         argPositions: [1]
       },
       {
-        method: "zsh",
-        type: "command_injection",
-        cwe: "CWE-78",
-        severity: "critical",
-        argPositions: [1]
+        method: "zsh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "ksh",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // SQL injection via DB CLI clients (first arg is query/expression)
+      {
+        method: "mysql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "psql",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      {
+        method: "sqlite3",
+        type: "sql_injection",
+        cwe: "CWE-89",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path traversal via file operations (first arg is path)
+      {
+        method: "cat",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "rm",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "cp",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "mv",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "chmod",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      {
+        method: "chown",
+        type: "path_traversal",
+        cwe: "CWE-22",
+        severity: "medium",
+        argPositions: [1]
+      },
+      // SSRF — curl/wget with externally-controlled URL
+      {
+        method: "curl",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      },
+      {
+        method: "wget",
+        type: "ssrf",
+        cwe: "CWE-918",
+        severity: "high",
+        argPositions: [0]
+      }
+    ];
+  }
+  /**
+   * Shell has no OOP receiver types.
+   */
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  /**
+   * Bash string literals: quoted strings and raw ($'...') strings.
+   */
+  isStringLiteral(node) {
+    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+  }
+  /**
+   * Extract string value from bash string literal, stripping quotes.
+   */
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (node.type === "raw_string") {
+      return text.slice(1, -1);
+    }
+    if (node.type === "ansi_c_string") {
+      return text.slice(2, -1);
+    }
+    const match = text.match(/^"(.*)"$/s);
+    if (match) return match[1];
+    return text;
+  }
+  // Extraction methods — delegate to base extractors via generic walker
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+// src/languages/plugins/html.ts
+var HtmlPlugin = class extends BaseLanguagePlugin {
+  id = "html";
+  name = "HTML";
+  extensions = [".html", ".htm", ".xhtml"];
+  wasmPath = "tree-sitter-html.wasm";
+  nodeTypes = {
+    // HTML has no OOP constructs
+    classDeclaration: [],
+    interfaceDeclaration: [],
+    enumDeclaration: [],
+    functionDeclaration: [],
+    methodDeclaration: [],
+    // No expressions in HTML
+    methodCall: [],
+    functionCall: [],
+    assignment: [],
+    variableDeclaration: [],
+    // No parameters
+    parameter: [],
+    argument: [],
+    // No annotations
+    annotation: [],
+    decorator: [],
+    // No imports
+    importStatement: [],
+    // No control flow
+    ifStatement: [],
+    forStatement: [],
+    whileStatement: [],
+    tryStatement: [],
+    returnStatement: []
+  };
+  detectFramework(_context) {
+    return void 0;
+  }
+  getBuiltinSources() {
+    return [];
+  }
+  getBuiltinSinks() {
+    return [];
+  }
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  isStringLiteral(node) {
+    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
+  }
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
+      return text.slice(1, -1);
+    }
+    return text;
+  }
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+// src/languages/plugins/go.ts
+var GoPlugin = class extends BaseLanguagePlugin {
+  id = "go";
+  name = "Go";
+  extensions = [".go"];
+  wasmPath = "tree-sitter-go.wasm";
+  nodeTypes = {
+    // Type declarations
+    classDeclaration: ["type_declaration"],
+    interfaceDeclaration: ["type_declaration"],
+    enumDeclaration: [],
+    // Go has no enums (uses iota constants)
+    functionDeclaration: ["function_declaration"],
+    methodDeclaration: ["method_declaration"],
+    // Expressions
+    methodCall: ["call_expression"],
+    functionCall: ["call_expression"],
+    assignment: ["short_var_declaration", "assignment_statement", "var_declaration"],
+    variableDeclaration: ["short_var_declaration", "var_declaration"],
+    // Parameters and arguments
+    parameter: ["parameter_declaration"],
+    argument: ["argument_list"],
+    // Annotations/decorators
+    annotation: [],
+    // Go has no annotations
+    decorator: [],
+    // Go has no decorators
+    // Imports
+    importStatement: ["import_declaration"],
+    // Control flow
+    ifStatement: ["if_statement"],
+    forStatement: ["for_statement"],
+    whileStatement: [],
+    // Go uses for with condition
+    tryStatement: [],
+    // Go uses defer/recover
+    returnStatement: ["return_statement"]
+  };
+  /**
+   * Detect Go web frameworks from imports.
+   */
+  detectFramework(context) {
+    const indicators = [];
+    let framework;
+    let confidence = 0;
+    for (const imp of context.imports) {
+      const path = imp.from_package || imp.imported_name;
+      if (path.includes("gin-gonic/gin")) {
+        framework = "gin";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("labstack/echo")) {
+        framework = "echo";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gofiber/fiber")) {
+        framework = "fiber";
+        confidence = Math.max(confidence, 0.95);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("go-chi/chi")) {
+        framework = "chi";
+        confidence = Math.max(confidence, 0.9);
+        indicators.push(`import: ${path}`);
+      }
+      if (path.includes("gorm.io/gorm")) {
+        indicators.push(`import: ${path}`);
+      }
+      if (path === "net/http") {
+        framework = framework || "net/http";
+        confidence = Math.max(confidence, 0.8);
+        indicators.push(`import: ${path}`);
+      }
+    }
+    if (framework) {
+      return { name: framework, confidence, indicators };
+    }
+    return void 0;
+  }
+  /**
+   * Go taint source patterns.
+   */
+  getBuiltinSources() {
+    return [
+      // net/http request methods
+      {
+        method: "FormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostFormValue",
+        class: "Request",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Query",
+        class: "URL",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Get",
+        class: "Header",
+        type: "http_header",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      {
+        method: "Cookie",
+        class: "Request",
+        type: "http_cookie",
+        severity: "high",
+        confidence: 0.9,
+        returnTainted: true
+      },
+      // Gin framework
+      {
+        method: "Query",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "Param",
+        class: "Context",
+        type: "http_path",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "PostForm",
+        class: "Context",
+        type: "http_param",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      {
+        method: "GetRawData",
+        class: "Context",
+        type: "http_body",
+        severity: "high",
+        confidence: 0.95,
+        returnTainted: true
+      },
+      // Standard library I/O
+      {
+        method: "Getenv",
+        class: "os",
+        type: "env_var",
+        severity: "medium",
+        confidence: 0.85,
+        returnTainted: true
+      },
+      {
+        method: "ReadAll",
+        class: "io",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      },
+      {
+        method: "ReadFile",
+        class: "os",
+        type: "file_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
       },
       {
-        method: "ksh",
-        type: "command_injection",
-        cwe: "CWE-78",
+        method: "Text",
+        class: "Scanner",
+        type: "io_input",
+        severity: "medium",
+        confidence: 0.8,
+        returnTainted: true
+      }
+    ];
+  }
+  /**
+   * Go taint sink patterns.
+   */
+  getBuiltinSinks() {
+    return [
+      // SQL Injection
+      {
+        method: "Query",
+        class: "DB",
+        type: "sql_injection",
+        cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
-      // SQL injection via DB CLI clients (first arg is query/expression)
       {
-        method: "mysql",
+        method: "QueryRow",
+        class: "DB",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
       {
-        method: "psql",
+        method: "Exec",
+        class: "DB",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
       {
-        method: "sqlite3",
+        method: "Query",
+        class: "Tx",
         type: "sql_injection",
         cwe: "CWE-89",
         severity: "critical",
-        argPositions: [1]
+        argPositions: [0]
       },
-      // Path traversal via file operations (first arg is path)
+      // Command Injection
       {
-        method: "cat",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "high",
+        method: "Command",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
         argPositions: [0]
       },
       {
-        method: "rm",
+        method: "CommandContext",
+        class: "exec",
+        type: "command_injection",
+        cwe: "CWE-78",
+        severity: "critical",
+        argPositions: [1]
+      },
+      // Path Traversal
+      {
+        method: "Open",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "cp",
+        method: "ReadFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "mv",
+        method: "WriteFile",
+        class: "os",
         type: "path_traversal",
         cwe: "CWE-22",
         severity: "high",
         argPositions: [0]
       },
+      // XSS (writing to http.ResponseWriter without escaping)
       {
-        method: "chmod",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
+        method: "Fprintf",
+        class: "fmt",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
         argPositions: [1]
       },
       {
-        method: "chown",
-        type: "path_traversal",
-        cwe: "CWE-22",
-        severity: "medium",
-        argPositions: [1]
+        method: "Write",
+        class: "ResponseWriter",
+        type: "xss",
+        cwe: "CWE-79",
+        severity: "high",
+        argPositions: [0]
       },
-      // SSRF — curl/wget with externally-controlled URL
+      // SSRF
       {
-        method: "curl",
+        method: "Get",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
         argPositions: [0]
       },
       {
-        method: "wget",
+        method: "Post",
+        class: "http",
         type: "ssrf",
         cwe: "CWE-918",
         severity: "high",
+        argPositions: [0, 2]
+      },
+      // Deserialization
+      {
+        method: "Unmarshal",
+        class: "json",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
+        argPositions: [0]
+      },
+      {
+        method: "Decode",
+        class: "Decoder",
+        type: "deserialization",
+        cwe: "CWE-502",
+        severity: "medium",
         argPositions: [0]
       }
     ];
   }
   /**
-   * Shell has no OOP receiver types.
+   * Get receiver type from a Go call expression.
    */
-  getReceiverType(_node, _context) {
+  getReceiverType(node, _context) {
+    if (node.type !== "call_expression") return void 0;
+    const func2 = node.childForFieldName("function");
+    if (!func2) return void 0;
+    if (func2.type === "selector_expression") {
+      const operand = func2.childForFieldName("operand");
+      if (operand) {
+        return operand.text;
+      }
+    }
     return void 0;
   }
   /**
-   * Bash string literals: quoted strings and raw ($'...') strings.
+   * Check if node is a Go string literal.
    */
   isStringLiteral(node) {
-    return node.type === "string" || node.type === "raw_string" || node.type === "ansi_c_string";
+    return node.type === "interpreted_string_literal" || node.type === "raw_string_literal";
   }
   /**
-   * Extract string value from bash string literal, stripping quotes.
+   * Get string value from Go string literal.
    */
   getStringValue(node) {
     if (!this.isStringLiteral(node)) return void 0;
     const text = node.text;
-    if (node.type === "raw_string") {
+    if (text.startsWith("`") && text.endsWith("`")) {
       return text.slice(1, -1);
     }
-    if (node.type === "ansi_c_string") {
-      return text.slice(2, -1);
+    if (text.startsWith('"') && text.endsWith('"')) {
+      return text.slice(1, -1);
     }
-    const match = text.match(/^"(.*)"$/s);
-    if (match) return match[1];
     return text;
   }
-  // Extraction methods — delegate to base extractors via generic walker
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
-  }
-  extractPackage(_context) {
-    return void 0;
-  }
-};
-// src/languages/plugins/html.ts
-var HtmlPlugin = class extends BaseLanguagePlugin {
-  id = "html";
-  name = "HTML";
-  extensions = [".html", ".htm", ".xhtml"];
-  wasmPath = "tree-sitter-html.wasm";
-  nodeTypes = {
-    // HTML has no OOP constructs
-    classDeclaration: [],
-    interfaceDeclaration: [],
-    enumDeclaration: [],
-    functionDeclaration: [],
-    methodDeclaration: [],
-    // No expressions in HTML
-    methodCall: [],
-    functionCall: [],
-    assignment: [],
-    variableDeclaration: [],
-    // No parameters
-    parameter: [],
-    argument: [],
-    // No annotations
-    annotation: [],
-    decorator: [],
-    // No imports
-    importStatement: [],
-    // No control flow
-    ifStatement: [],
-    forStatement: [],
-    whileStatement: [],
-    tryStatement: [],
-    returnStatement: []
-  };
-  detectFramework(_context) {
-    return void 0;
+  /**
+   * Extract type information from Go source.
+   */
+  extractTypes(context) {
+    const types = [];
+    const root = context.tree.rootNode;
+    const typeDecls = this.findNodes(root, "type_declaration");
+    for (const decl of typeDecls) {
+      for (let i2 = 0; i2 < decl.childCount; i2++) {
+        const spec = decl.child(i2);
+        if (!spec || spec.type !== "type_spec") continue;
+        const nameNode = spec.childForFieldName("name");
+        const typeNode = spec.childForFieldName("type");
+        if (!nameNode || !typeNode) continue;
+        const name2 = nameNode.text;
+        const isInterface = typeNode.type === "interface_type";
+        const isStruct = typeNode.type === "struct_type";
+        if (isStruct || isInterface) {
+          const fields = [];
+          const methods = [];
+          if (isStruct) {
+            const fieldList = typeNode.childForFieldName("fields") ?? this.findChildByType(typeNode, "field_declaration_list");
+            if (fieldList) {
+              for (let j = 0; j < fieldList.childCount; j++) {
+                const field = fieldList.child(j);
+                if (!field || field.type !== "field_declaration") continue;
+                const fieldName = field.childForFieldName("name");
+                const fieldType = field.childForFieldName("type");
+                if (fieldName) {
+                  fields.push({
+                    name: fieldName.text,
+                    type: fieldType?.text || null,
+                    modifiers: [],
+                    annotations: []
+                  });
+                }
+              }
+            }
+          }
+          const methodDecls = this.findNodes(root, "method_declaration");
+          for (const md of methodDecls) {
+            const receiver = md.childForFieldName("receiver");
+            if (!receiver) continue;
+            const receiverText = receiver.text;
+            if (receiverText.includes(name2)) {
+              const methodName = md.childForFieldName("name");
+              const params = md.childForFieldName("parameters");
+              const result = md.childForFieldName("result");
+              if (methodName) {
+                methods.push({
+                  name: methodName.text,
+                  return_type: result?.text || null,
+                  parameters: params ? this.extractGoParams(params) : [],
+                  annotations: [],
+                  modifiers: [],
+                  start_line: md.startPosition.row + 1,
+                  end_line: md.endPosition.row + 1
+                });
+              }
+            }
+          }
+          types.push({
+            name: name2,
+            kind: isInterface ? "interface" : "class",
+            package: context.package || null,
+            extends: null,
+            implements: [],
+            annotations: [],
+            methods,
+            fields,
+            start_line: decl.startPosition.row + 1,
+            end_line: decl.endPosition.row + 1
+          });
+        }
+      }
+    }
+    return types;
   }
-  getBuiltinSources() {
-    return [];
+  /**
+   * Extract call information from Go source.
+   */
+  extractCalls(context) {
+    const calls = [];
+    const root = context.tree.rootNode;
+    const callExprs = this.findNodes(root, "call_expression");
+    for (const call of callExprs) {
+      const func2 = call.childForFieldName("function");
+      if (!func2) continue;
+      let methodName;
+      let receiver = null;
+      if (func2.type === "selector_expression") {
+        const operand = func2.childForFieldName("operand");
+        const field = func2.childForFieldName("field");
+        receiver = operand?.text || null;
+        methodName = field?.text || func2.text;
+      } else {
+        methodName = func2.text;
+      }
+      const args2 = call.childForFieldName("arguments");
+      const argInfos = [];
+      let argPos = 0;
+      if (args2) {
+        for (let i2 = 0; i2 < args2.childCount; i2++) {
+          const arg = args2.child(i2);
+          if (arg && arg.type !== "(" && arg.type !== ")" && arg.type !== ",") {
+            argInfos.push({
+              position: argPos++,
+              expression: arg.text,
+              variable: arg.type === "identifier" ? arg.text : null,
+              literal: arg.type === "interpreted_string_literal" || arg.type === "int_literal" ? arg.text : null
+            });
+          }
+        }
+      }
+      calls.push({
+        method_name: methodName,
+        receiver,
+        arguments: argInfos,
+        location: {
+          line: call.startPosition.row + 1,
+          column: call.startPosition.column
+        }
+      });
+    }
+    return calls;
   }
-  getBuiltinSinks() {
-    return [];
+  /**
+   * Extract import information from Go source.
+   */
+  extractImports(context) {
+    const imports = [];
+    const root = context.tree.rootNode;
+    const importDecls = this.findNodes(root, "import_declaration");
+    for (const decl of importDecls) {
+      const singleSpec = this.findChildByType(decl, "import_spec");
+      if (singleSpec) {
+        const parsed = this.parseImportSpec(singleSpec);
+        if (parsed) imports.push(parsed);
+        continue;
+      }
+      const specList = this.findChildByType(decl, "import_spec_list");
+      if (specList) {
+        for (let i2 = 0; i2 < specList.childCount; i2++) {
+          const spec = specList.child(i2);
+          if (!spec || spec.type !== "import_spec") continue;
+          const parsed = this.parseImportSpec(spec);
+          if (parsed) imports.push(parsed);
+        }
+      }
+    }
+    return imports;
   }
-  getReceiverType(_node, _context) {
+  /**
+   * Extract package name from Go source.
+   */
+  extractPackage(context) {
+    const root = context.tree.rootNode;
+    const pkgClause = this.findChildByType(root, "package_clause");
+    if (!pkgClause) return void 0;
+    for (let i2 = 0; i2 < pkgClause.childCount; i2++) {
+      const child = pkgClause.child(i2);
+      if (child && child.type === "package_identifier") {
+        return child.text;
+      }
+    }
     return void 0;
   }
-  isStringLiteral(node) {
-    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
-  }
-  getStringValue(node) {
-    if (!this.isStringLiteral(node)) return void 0;
-    const text = node.text;
-    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
-      return text.slice(1, -1);
+  // ── Private helpers ─────────────────────────────────────────────────────
+  parseImportSpec(spec) {
+    let alias = null;
+    let path;
+    for (let i2 = 0; i2 < spec.childCount; i2++) {
+      const child = spec.child(i2);
+      if (!child) continue;
+      if (child.type === "package_identifier" || child.type === "blank_identifier" || child.type === "dot") {
+        alias = child.text;
+      }
+      if (child.type === "interpreted_string_literal") {
+        path = child.text.slice(1, -1);
+      }
     }
-    return text;
-  }
-  extractTypes(_context) {
-    return [];
-  }
-  extractCalls(_context) {
-    return [];
-  }
-  extractImports(_context) {
-    return [];
+    if (!path) return null;
+    const shortName = alias || path.split("/").pop() || path;
+    return {
+      imported_name: shortName,
+      from_package: path,
+      alias,
+      is_wildcard: alias === ".",
+      line_number: spec.startPosition.row + 1
+    };
   }
-  extractPackage(_context) {
-    return void 0;
+  extractGoParams(params) {
+    const result = [];
+    for (let i2 = 0; i2 < params.childCount; i2++) {
+      const param = params.child(i2);
+      if (!param || param.type !== "parameter_declaration") continue;
+      const nameNode = param.childForFieldName("name");
+      const typeNode = param.childForFieldName("type");
+      if (nameNode) {
+        result.push({
+          name: nameNode.text,
+          type: typeNode?.text || null,
+          annotations: []
+        });
+      }
+    }
+    return result;
   }
 };
@@ -18102,6 +19285,7 @@ function registerBuiltinPlugins() {
   registerLanguage(new RustPlugin());
   registerLanguage(new BashPlugin());
   registerLanguage(new HtmlPlugin());
+  registerLanguage(new GoPlugin());
 }
 // src/utils/logger.ts
@@ -24327,6 +25511,26 @@ function getNodeTypesForLanguage(language) {
         "self_closing_tag",
         "text"
       ]);
+    case "go":
+      return /* @__PURE__ */ new Set([
+        "call_expression",
+        "function_declaration",
+        "method_declaration",
+        "package_clause",
+        "import_declaration",
+        "import_spec",
+        "var_declaration",
+        "short_var_declaration",
+        "assignment_statement",
+        "type_declaration",
+        "if_statement",
+        "for_statement",
+        "return_statement",
+        "defer_statement",
+        "go_statement",
+        "selector_expression",
+        "identifier"
+      ]);
     default:
       return /* @__PURE__ */ new Set([
         "method_invocation",