circle-ir 3.56.0 → 3.58.0

package/dist/analysis/constant-propagation/patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,eAAO,MAAM,cAAc,UAgE1B,CAAC;AAGF,eAAO,MAAM,mBAAmB,QAE/B,CAAC;AAMF,eAAO,MAAM,iBAAiB,aAwC5B,CAAC;AAOH,eAAO,MAAM,sBAAsB,aA4BjC,CAAC;AAOH,eAAO,MAAM,kBAAkB,aA8B7B,CAAC"}
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,eAAO,MAAM,cAAc,UAgE1B,CAAC;AAGF,eAAO,MAAM,mBAAmB,QAE/B,CAAC;AAMF,eAAO,MAAM,iBAAiB,aAqD5B,CAAC;AAOH,eAAO,MAAM,sBAAsB,aA4BjC,CAAC;AAOH,eAAO,MAAM,kBAAkB,aA8B7B,CAAC"}

package/dist/analysis/constant-propagation/patterns.js

@@ -99,6 +99,18 @@ export const SANITIZER_METHODS = new Set([
     // General
     'sanitize', 'encode', 'escape', 'clean', 'filter', 'validate', 'validatePath',
     'validateCityName', 'validateInput', 'sanitizeInput',
+    // Type-cast barriers (#57) — numeric/boolean casts cannot carry a string
+    // injection payload. Conservative whitelist; ambiguous names like `valueOf`,
+    // `Parse`, `fromString` are intentionally excluded.
+    // Java
+    'parseInt', 'parseLong', 'parseFloat', 'parseDouble', 'parseShort', 'parseByte',
+    'fromString', // UUID.fromString — parses strict UUID format, rejects injection
+    // JS/TS (parseInt/parseFloat covered above)
+    'Number', 'BigInt',
+    // Go
+    'Atoi', 'ParseInt', 'ParseFloat', 'ParseUint', 'ParseBool',
+    // Python
+    'int', 'float', 'bool',
 ]);
 // =============================================================================
 // Anti-Sanitizer Methods

package/dist/analysis/constant-propagation/patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,6BAA6B;IAC7B,sBAAsB;IACtB,mBAAmB;IACnB,oBAAoB;IACpB,oBAAoB;IACpB,wBAAwB;IACxB,wBAAwB;IACxB,qBAAqB;IACrB,uBAAuB;IACvB,yBAAyB;IACzB,mBAAmB;IACnB,gBAAgB;IAChB,sBAAsB;IACtB,mBAAmB;IACnB,aAAa;IACb,cAAc;IACd,YAAY,EAAG,oBAAoB;IACnC,cAAc;IACd,aAAa;IAEb,0DAA0D;IAC1D,sBAAsB;IACtB,oBAAoB;IACpB,eAAe;IAEf,cAAc;IACd,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,QAAQ;IACR,gBAAgB;IAChB,gBAAgB;IAChB,qBAAqB;IACrB,eAAe;IAEf,kBAAkB;IAClB,wBAAwB;IACxB,cAAc;IAEd,mBAAmB;IACnB,aAAa;IACb,aAAa;IAEb,eAAe;IACf,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IAErB,mCAAmC;IACnC,eAAe;IACf,iBAAiB;IACjB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,uBAAuB;IACvB,yBAAyB;CAC1B,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,MAAM,CAC3C,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAC5E,CAAC;AAEF,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IACvC,QAAQ;IACR,eAAe,EAAE,wBAAwB,EAAE,qBAAqB;IAChE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,uBAAuB;IACvE,eAAe,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc;IAChE,aAAa,EAAE,iBAAiB,EAAE,cAAc;IAEhD,qBAAqB;IACrB,SAAS,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,0BAA0B;IAC3E,eAAe,EAAE,oBAAoB,EAAE,wBAAwB;IAC/D,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB;IAC/E,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU;IAEzE,iBAAiB;IACjB,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa;IACrF,kBAAkB,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW;IAExE,mBAAmB;IACnB,YAAY,EAAE,mBAAmB,EAAE,eAAe;IAElD,oBAAoB;IACpB,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY;IACvE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe;IAEnE,4BAA4B;IAC5B,kBAAkB,EAAE,WAAW,EAAE,YAAY;IAE7C,qCAAqC;IACrC,oBAAoB,EAAE,WAAW;IAEjC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU;IAEzC,oCAAoC;IACpC,eAAe,EAAE,sBAAsB,EAAE,cAAc,EAAE,gCAAgC;IACzF,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM;IAE9C,UAAU;IACV,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc;IAC7E,kBAAkB,EAAE,eAAe,EAAE,eAAe;CACrD,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,+FAA+F;AAC/F,gFAAgF;AAEhF,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IAC5C,uCAAuC;IACvC,QAAQ,EAAY,sBAAsB;IAC1C,oBAAoB;IACpB,WAAW;IAEX,6CAA6C;IAC7C,cAAc;IACd,QAAQ,EAAY,+BAA+B;IAEnD,2CAA2C;IAC3C,cAAc,EAAE,eAAe,EAAE,eAAe;IAChD,aAAa;IACb,oBAAoB;IACpB,cAAc;IACd,cAAc;IAEd,6EAA6E;IAC7E,oEAAoE;IACpE,2EAA2E;IAC3E,wCAAwC;IACxC,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;IAErB,mBAAmB;IACnB,UAAU;IACV,YAAY;CACb,CAAC,CAAC;AAEH,gFAAgF;AAChF,qBAAqB;AACrB,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,yBAAyB;IACzB,KAAK,EAAa,qCAAqC;IACvD,IAAI,EAAc,wBAAwB;IAC1C,SAAS,EAAS,sBAAsB;IACxC,gBAAgB,EAAE,6BAA6B;IAC/C,YAAY,EAAM,yBAAyB;IAE3C,UAAU;IACV,QAAQ,EAAU,qBAAqB;IACvC,OAAO,EAAW,eAAe;IACjC,OAAO,EAAW,cAAc;IAChC,QAAQ,EAAU,8BAA8B;IAEhD,mBAAmB;IACnB,SAAS,EAAS,oBAAoB;IACtC,QAAQ,EAAU,qBAAqB;IACvC,MAAM,EAAY,mBAAmB;IACrC,QAAQ,EAAU,uBAAuB;IAEzC,mBAAmB;IACnB,gBAAgB,EAAE,8BAA8B;IAEhD,8EAA8E;IAC9E,kFAAkF;IAClF,8EAA8E;IAC9E,+EAA+E;IAC/E,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;CACtB,CAAC,CAAC"}
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,6BAA6B;IAC7B,sBAAsB;IACtB,mBAAmB;IACnB,oBAAoB;IACpB,oBAAoB;IACpB,wBAAwB;IACxB,wBAAwB;IACxB,qBAAqB;IACrB,uBAAuB;IACvB,yBAAyB;IACzB,mBAAmB;IACnB,gBAAgB;IAChB,sBAAsB;IACtB,mBAAmB;IACnB,aAAa;IACb,cAAc;IACd,YAAY,EAAG,oBAAoB;IACnC,cAAc;IACd,aAAa;IAEb,0DAA0D;IAC1D,sBAAsB;IACtB,oBAAoB;IACpB,eAAe;IAEf,cAAc;IACd,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,QAAQ;IACR,gBAAgB;IAChB,gBAAgB;IAChB,qBAAqB;IACrB,eAAe;IAEf,kBAAkB;IAClB,wBAAwB;IACxB,cAAc;IAEd,mBAAmB;IACnB,aAAa;IACb,aAAa;IAEb,eAAe;IACf,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IAErB,mCAAmC;IACnC,eAAe;IACf,iBAAiB;IACjB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,cAAc;IACd,sBAAsB;IACtB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,uBAAuB;IACvB,yBAAyB;CAC1B,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,MAAM,CAC3C,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAC5E,CAAC;AAEF,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IACvC,QAAQ;IACR,eAAe,EAAE,wBAAwB,EAAE,qBAAqB;IAChE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,uBAAuB;IACvE,eAAe,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc;IAChE,aAAa,EAAE,iBAAiB,EAAE,cAAc;IAEhD,qBAAqB;IACrB,SAAS,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,0BAA0B;IAC3E,eAAe,EAAE,oBAAoB,EAAE,wBAAwB;IAC/D,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB;IAC/E,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU;IAEzE,iBAAiB;IACjB,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa;IACrF,kBAAkB,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW;IAExE,mBAAmB;IACnB,YAAY,EAAE,mBAAmB,EAAE,eAAe;IAElD,oBAAoB;IACpB,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY;IACvE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe;IAEnE,4BAA4B;IAC5B,kBAAkB,EAAE,WAAW,EAAE,YAAY;IAE7C,qCAAqC;IACrC,oBAAoB,EAAE,WAAW;IAEjC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU;IAEzC,oCAAoC;IACpC,eAAe,EAAE,sBAAsB,EAAE,cAAc,EAAE,gCAAgC;IACzF,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM;IAE9C,UAAU;IACV,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc;IAC7E,kBAAkB,EAAE,eAAe,EAAE,eAAe;IAEpD,yEAAyE;IACzE,6EAA6E;IAC7E,oDAAoD;IACpD,OAAO;IACP,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW;IAC/E,YAAY,EAAE,iEAAiE;IAC/E,4CAA4C;IAC5C,QAAQ,EAAE,QAAQ;IAClB,KAAK;IACL,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW;IAC1D,SAAS;IACT,KAAK,EAAE,OAAO,EAAE,MAAM;CACvB,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,+FAA+F;AAC/F,gFAAgF;AAEhF,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IAC5C,uCAAuC;IACvC,QAAQ,EAAY,sBAAsB;IAC1C,oBAAoB;IACpB,WAAW;IAEX,6CAA6C;IAC7C,cAAc;IACd,QAAQ,EAAY,+BAA+B;IAEnD,2CAA2C;IAC3C,cAAc,EAAE,eAAe,EAAE,eAAe;IAChD,aAAa;IACb,oBAAoB;IACpB,cAAc;IACd,cAAc;IAEd,6EAA6E;IAC7E,oEAAoE;IACpE,2EAA2E;IAC3E,wCAAwC;IACxC,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;IAErB,mBAAmB;IACnB,UAAU;IACV,YAAY;CACb,CAAC,CAAC;AAEH,gFAAgF;AAChF,qBAAqB;AACrB,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,yBAAyB;IACzB,KAAK,EAAa,qCAAqC;IACvD,IAAI,EAAc,wBAAwB;IAC1C,SAAS,EAAS,sBAAsB;IACxC,gBAAgB,EAAE,6BAA6B;IAC/C,YAAY,EAAM,yBAAyB;IAE3C,UAAU;IACV,QAAQ,EAAU,qBAAqB;IACvC,OAAO,EAAW,eAAe;IACjC,OAAO,EAAW,cAAc;IAChC,QAAQ,EAAU,8BAA8B;IAEhD,mBAAmB;IACnB,SAAS,EAAS,oBAAoB;IACtC,QAAQ,EAAU,qBAAqB;IACvC,MAAM,EAAY,mBAAmB;IACrC,QAAQ,EAAU,uBAAuB;IAEzC,mBAAmB;IACnB,gBAAgB,EAAE,8BAA8B;IAEhD,8EAA8E;IAC9E,kFAAkF;IAClF,8EAA8E;IAC9E,+EAA+E;IAC/E,0BAA0B;IAC1B,eAAe;IACf,qBAAqB;CACtB,CAAC,CAAC"}

package/dist/analysis/constant-propagation/propagator.d.ts

@@ -46,6 +46,7 @@ export declare class ConstantPropagator {
     private currentClassName;
     private inConstructor;
     private constructorParamPositions;
+    private safePatternFieldsCache;
     /**
      * Analyze source code and build constant propagation state.
      */
@@ -80,6 +81,58 @@ export declare class ConstantPropagator {
      * These are variables declared directly in the class body, not inside methods.
      */
     private collectClassFields;
+    /**
+     * Sprint 9 #55 — seed the symbol table with Python module-level constant
+     * assignments. Walks only direct children of the `module` root and adds
+     * `IDENT = <primitive literal>` to `symbols` so `if IDENT:` guards inside
+     * downstream functions can be folded to dead code.
+     *
+     * Recognized literal RHS kinds: `true`/`false` (booleans), integer/float
+     * literals, string literals. The ExpressionEvaluator already understands
+     * each via the same lookup callback; we just need the symbol present.
+     */
+    /**
+     * Sprint 9 #55 — gate `field_declaration` folding to primitive literals.
+     *
+     * The deep-nesting regression (cognium-ai#88) constructs a Java
+     * `static final String hyphenData = "a" + "b" + ... (10k segments)` at the
+     * class level. `handleVariableDeclaration` would otherwise dispatch
+     * `evaluateExpression` on the deeply nested binary AST and blow the V8
+     * stack. The dead-code-by-const-guard pattern (`if (DEBUG)`) only requires
+     * `boolean`/`integer`/`string` (single-literal) RHS folding, so restrict
+     * to those node types.
+     */
+    private fieldDeclHasPrimitiveLiteralValue;
+    /**
+     * Sprint 9 #58.1 — collect the set of class-level `Pattern` field names
+     * whose compiled regex is strict-anchored, i.e. provably matches a
+     * bounded character set with no wildcard escape. A subsequent
+     * `if (!FIELD.matcher(var).matches()) throw ...;` guard then proves
+     * `var` is sanitized after the if.
+     *
+     * Recognized initializer shapes (scanned via source-text regex to avoid
+     * threading another AST walk):
+     *   `static final Pattern FIELD = Pattern.compile("regex");`
+     *
+     * Strict-anchored regex criteria:
+     *   - starts with `^` and ends with `$`
+     *   - after stripping `[...]` character classes, must not contain `.` or
+     *     `|` (a `.` could match anything; `|` admits an arbitrary alternative)
+     */
+    private getSafePatternFields;
+    private isStrictAnchoredRegex;
+    /**
+     * Sprint 9 #58.1 — detect the regex-allowlist guard pattern.
+     *
+     *   if (!SAFE_NAME.matcher(var).matches()) { throw ...; }
+     *
+     * Returns the guarded variable name if the pattern matches AND
+     * `SAFE_NAME` is a recognized strict-anchored Pattern field, otherwise
+     * null. Caller drops the variable from `tainted` after the if-block.
+     */
+    private detectRegexAllowlistGuard;
+    private consequenceContainsThrow;
+    private seedPythonModuleConstants;
     private findAllMethods;
     private getMethodName;
     private refineTaintFromConstants;
@@ -149,8 +202,17 @@ export declare class ConstantPropagator {
     /**
      * Check if an expression is a call to a sanitizer method.
      * This includes both built-in sanitizers and @sanitizer annotated methods.
+     * Handles Java (`method_invocation`), Go/JS/TS (`call_expression`), and
+     * Python (`call`) AST shapes.
      */
     isSanitizerMethodCall(node: Node): boolean;
+    /**
+     * Extract the trailing method/function name from any call node shape:
+     *   Java   `method_invocation`        — name field
+     *   Go/JS  `call_expression`          — function field (identifier or selector/member)
+     *   Python `call`                     — function field (identifier or attribute)
+     */
+    private extractCallName;
     /**
      * Check if an expression is a call to an anti-sanitizer method.
      * Anti-sanitizers reverse the effect of sanitization (e.g., URLDecoder.decode reverses URLEncoder.encode).

package/dist/analysis/constant-propagation/propagator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"propagator.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/propagator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,gBAAgB,EAAkB,MAAM,YAAY,CAAC;AAK5G;;;;;;;;GAQG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,OAAO,CAAyC;IACxD,OAAO,CAAC,OAAO,CAA0B;IACzC,OAAO,CAAC,gBAAgB,CAA0B;IAClD,OAAO,CAAC,kBAAkB,CAAuC;IAEjE,OAAO,CAAC,aAAa,CAA0B;IAC/C,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,SAAS,CAAuB;IAGxC,OAAO,CAAC,eAAe,CAAgC;IAEvD,OAAO,CAAC,mBAAmB,CAAkB;IAE7C,OAAO,CAAC,qBAAqB,CAA0B;IAEvD,OAAO,CAAC,sBAAsB,CAA0B;IAExD,OAAO,CAAC,sBAAsB,CAAkC;IAEhE,OAAO,CAAC,sBAAsB,CAA0B;IAExD,OAAO,CAAC,uBAAuB,CAAgB;IAE/C,OAAO,CAAC,YAAY,CAA6C;IAEjE,OAAO,CAAC,aAAa,CAA0B;IAE/C,OAAO,CAAC,oBAAoB,CAAuC;IAEnE,OAAO,CAAC,aAAa,CAAuB;IAG5C,OAAO,CAAC,iBAAiB,CAAuC;IAEhE,OAAO,CAAC,cAAc,CAAgB;IAEtC,OAAO,CAAC,cAAc,CAAkC;IAExD,OAAO,CAAC,iBAAiB,CAA0B;IAEnD,OAAO,CAAC,mBAAmB,CAAkB;IAE7C,OAAO,CAAC,eAAe,CAAkC;IAEzD,OAAO,CAAC,WAAW,CAA0B;IAE7C,OAAO,CAAC,qBAAqB,CAA0B;IAEvD,OAAO,CAAC,kBAAkB,CAA0C;IAEpE,OAAO,CAAC,gBAAgB,CAAuB;IAE/C,OAAO,CAAC,aAAa,CAAkB;IAEvC,OAAO,CAAC,yBAAyB,CAAkC;IAEnE;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,uBAAuB,GAAE,MAAM,EAAO,EAAE,gBAAgB,GAAE,MAAM,EAAO,EAAE,iBAAiB,GAAE,gBAAgB,EAAO,GAAG,wBAAwB;IAmGtL;;OAEG;IACH,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,aAAa;IAI7C;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIpD;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAInC;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAQtC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA8H5B,OAAO,CAAC,mBAAmB;IAsD3B,OAAO,CAAC,qBAAqB;IAuD7B,OAAO,CAAC,mBAAmB;IAgB3B,OAAO,CAAC,eAAe;IAqBvB,OAAO,CAAC,+BAA+B;IAuCvC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAiC1B,OAAO,CAAC,cAAc;IAkBtB,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,wBAAwB;IAkDhC,OAAO,CAAC,KAAK;IAmBb;;;;OAIG;IACH,OAAO,CAAC,QAAQ;IAgEhB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IA8E/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAYrB;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAapB,OAAO,CAAC,mBAAmB;IAmD3B,OAAO,CAAC,wBAAwB;IAwBhC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IAanC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAYhC,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;IAwDjC,OAAO,CAAC,gBAAgB;IA4FxB,OAAO,CAAC,4BAA4B;IAqCpC,OAAO,CAAC,sBAAsB;IA8C9B,OAAO,CAAC,iBAAiB;IAsGzB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAwB1B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAW3B;;;;OAIG;IACH,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAoB/C,OAAO,CAAC,YAAY;IAwEpB,OAAO,CAAC,aAAa;IAwBrB,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,gBAAgB;IAqBxB;;;OAGG;IACH,qBAAqB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAc1C;;;;OAIG;IACH,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAcxC;;;OAGG;IACH,8BAA8B,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAiCnD;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAoB5B;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;IAiB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA8B3B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAe/B,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAqBxC,OAAO,CAAC,uBAAuB;IAoW/B,OAAO,CAAC,oBAAoB;CA4L7B"}
+{"version":3,"file":"propagator.d.ts","sourceRoot":"","sources":["../../../src/analysis/constant-propagation/propagator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,gBAAgB,EAAkB,MAAM,YAAY,CAAC;AAK5G;;;;;;;;GAQG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,OAAO,CAAyC;IACxD,OAAO,CAAC,OAAO,CAA0B;IACzC,OAAO,CAAC,gBAAgB,CAA0B;IAClD,OAAO,CAAC,kBAAkB,CAAuC;IAEjE,OAAO,CAAC,aAAa,CAA0B;IAC/C,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,SAAS,CAAuB;IAGxC,OAAO,CAAC,eAAe,CAAgC;IAEvD,OAAO,CAAC,mBAAmB,CAAkB;IAE7C,OAAO,CAAC,qBAAqB,CAA0B;IAEvD,OAAO,CAAC,sBAAsB,CAA0B;IAExD,OAAO,CAAC,sBAAsB,CAAkC;IAEhE,OAAO,CAAC,sBAAsB,CAA0B;IAExD,OAAO,CAAC,uBAAuB,CAAgB;IAE/C,OAAO,CAAC,YAAY,CAA6C;IAEjE,OAAO,CAAC,aAAa,CAA0B;IAE/C,OAAO,CAAC,oBAAoB,CAAuC;IAEnE,OAAO,CAAC,aAAa,CAAuB;IAG5C,OAAO,CAAC,iBAAiB,CAAuC;IAEhE,OAAO,CAAC,cAAc,CAAgB;IAEtC,OAAO,CAAC,cAAc,CAAkC;IAExD,OAAO,CAAC,iBAAiB,CAA0B;IAEnD,OAAO,CAAC,mBAAmB,CAAkB;IAE7C,OAAO,CAAC,eAAe,CAAkC;IAEzD,OAAO,CAAC,WAAW,CAA0B;IAE7C,OAAO,CAAC,qBAAqB,CAA0B;IAEvD,OAAO,CAAC,kBAAkB,CAA0C;IAEpE,OAAO,CAAC,gBAAgB,CAAuB;IAE/C,OAAO,CAAC,aAAa,CAAkB;IAEvC,OAAO,CAAC,yBAAyB,CAAkC;IAInE,OAAO,CAAC,sBAAsB,CAA4B;IAE1D;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,uBAAuB,GAAE,MAAM,EAAO,EAAE,gBAAgB,GAAE,MAAM,EAAO,EAAE,iBAAiB,GAAE,gBAAgB,EAAO,GAAG,wBAAwB;IA6GtL;;OAEG;IACH,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,aAAa;IAI7C;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIpD;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAInC;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAQtC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA8H5B,OAAO,CAAC,mBAAmB;IAsD3B,OAAO,CAAC,qBAAqB;IAuD7B,OAAO,CAAC,mBAAmB;IAgB3B,OAAO,CAAC,eAAe;IAqBvB,OAAO,CAAC,+BAA+B;IAuCvC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAiC1B;;;;;;;;;OASG;IACH;;;;;;;;;;OAUG;IACH,OAAO,CAAC,iCAAiC;IAqBzC;;;;;;;;;;;;;;;OAeG;IACH,OAAO,CAAC,oBAAoB;IAgB5B,OAAO,CAAC,qBAAqB;IAa7B;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,wBAAwB;IAehC,OAAO,CAAC,yBAAyB;IAoCjC,OAAO,CAAC,cAAc;IAkBtB,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,wBAAwB;IAkDhC,OAAO,CAAC,KAAK;IAmBb;;;;OAIG;IACH,OAAO,CAAC,QAAQ;IAmFhB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IA8E/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAYrB;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAapB,OAAO,CAAC,mBAAmB;IA6E3B,OAAO,CAAC,wBAAwB;IAwBhC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IAanC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAYhC,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,yBAAyB;IAwDjC,OAAO,CAAC,gBAAgB;IA4FxB,OAAO,CAAC,4BAA4B;IAqCpC,OAAO,CAAC,sBAAsB;IA8C9B,OAAO,CAAC,iBAAiB;IAqHzB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAwB1B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAW3B;;;;OAIG;IACH,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAoB/C,OAAO,CAAC,YAAY;IAwEpB,OAAO,CAAC,aAAa;IAwBrB,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,gBAAgB;IAqBxB;;;;;OAKG;IACH,qBAAqB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAM1C;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IAyBvB;;;;OAIG;IACH,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAcxC;;;OAGG;IACH,8BAA8B,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAiCnD;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAoB5B;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;IAiB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA8B3B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAe/B,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAqBxC,OAAO,CAAC,uBAAuB;IAoW/B,OAAO,CAAC,oBAAoB;CAkN7B"}

package/dist/analysis/constant-propagation/propagator.js

@@ -72,6 +72,10 @@ export class ConstantPropagator {
     inConstructor = false;
     // Map constructor parameter names to their positions (0-indexed)
     constructorParamPositions = new Map();
+    // Sprint 9 #58.1 — names of `static final Pattern` fields whose compiled
+    // regex is strict-anchored (provably matches a bounded character set).
+    // Populated lazily on first access via `getSafePatternFields()`.
+    safePatternFieldsCache = null;
     /**
      * Analyze source code and build constant propagation state.
      */
@@ -105,6 +109,7 @@ export class ConstantPropagator {
         this.currentClassName = null;
         this.inConstructor = false;
         this.constructorParamPositions.clear();
+        this.safePatternFieldsCache = null;
         // Pre-pass: identify class fields
         this.collectClassFields(tree.rootNode);
         // Pre-populate methodReturnsSanitized with methods marked with @sanitizer annotation
@@ -115,6 +120,14 @@ export class ConstantPropagator {
         this.evaluator = new ExpressionEvaluator(this.source, (name) => this.lookupSymbol(name));
         // Pre-pass: identify methods that always return constants or sanitized values
         this.analyzeMethodReturns(tree.rootNode);
+        // Sprint 9 #55 — Pre-pass: fold Python module-level constant assignments
+        // (`DEBUG = False`, `FOO = "bar"`) into the symbol table so dead-code
+        // detection of `if DEBUG:` guards inside functions can mark the body
+        // unreachable. We do this only for top-level `assignment` nodes whose
+        // RHS is a primitive literal — keeps the change narrow and avoids the
+        // recursion hazards of dispatching the full `handleAssignment` path
+        // on Python ASTs.
+        this.seedPythonModuleConstants(tree.rootNode);
         // First pass: collect symbols, taint, and unreachable lines
         this.visit(tree.rootNode);
         // Second pass: refine taint for variables derived from constants
@@ -505,6 +518,203 @@ export class ConstantPropagator {
             }
         }
     }
+    /**
+     * Sprint 9 #55 — seed the symbol table with Python module-level constant
+     * assignments. Walks only direct children of the `module` root and adds
+     * `IDENT = <primitive literal>` to `symbols` so `if IDENT:` guards inside
+     * downstream functions can be folded to dead code.
+     *
+     * Recognized literal RHS kinds: `true`/`false` (booleans), integer/float
+     * literals, string literals. The ExpressionEvaluator already understands
+     * each via the same lookup callback; we just need the symbol present.
+     */
+    /**
+     * Sprint 9 #55 — gate `field_declaration` folding to primitive literals.
+     *
+     * The deep-nesting regression (cognium-ai#88) constructs a Java
+     * `static final String hyphenData = "a" + "b" + ... (10k segments)` at the
+     * class level. `handleVariableDeclaration` would otherwise dispatch
+     * `evaluateExpression` on the deeply nested binary AST and blow the V8
+     * stack. The dead-code-by-const-guard pattern (`if (DEBUG)`) only requires
+     * `boolean`/`integer`/`string` (single-literal) RHS folding, so restrict
+     * to those node types.
+     */
+    fieldDeclHasPrimitiveLiteralValue(node) {
+        const primitive = new Set([
+            // Java literal node types
+            'true', 'false', 'null_literal',
+            'decimal_integer_literal', 'hex_integer_literal',
+            'octal_integer_literal', 'binary_integer_literal',
+            'decimal_floating_point_literal',
+            'hex_floating_point_literal',
+            'character_literal', 'string_literal',
+            // JS/TS literal node types (defensive, in case other langs reuse it)
+            'number', 'string',
+        ]);
+        for (const child of node.children) {
+            if (child.type !== 'variable_declarator')
+                continue;
+            const value = child.childForFieldName('value');
+            if (!value)
+                continue;
+            if (!primitive.has(value.type))
+                return false;
+        }
+        return true;
+    }
+    /**
+     * Sprint 9 #58.1 — collect the set of class-level `Pattern` field names
+     * whose compiled regex is strict-anchored, i.e. provably matches a
+     * bounded character set with no wildcard escape. A subsequent
+     * `if (!FIELD.matcher(var).matches()) throw ...;` guard then proves
+     * `var` is sanitized after the if.
+     *
+     * Recognized initializer shapes (scanned via source-text regex to avoid
+     * threading another AST walk):
+     *   `static final Pattern FIELD = Pattern.compile("regex");`
+     *
+     * Strict-anchored regex criteria:
+     *   - starts with `^` and ends with `$`
+     *   - after stripping `[...]` character classes, must not contain `.` or
+     *     `|` (a `.` could match anything; `|` admits an arbitrary alternative)
+     */
+    getSafePatternFields() {
+        if (this.safePatternFieldsCache !== null)
+            return this.safePatternFieldsCache;
+        const set = new Set();
+        // Match `static final Pattern NAME = Pattern.compile("REGEX")` allowing
+        // arbitrary modifier order and optional `public/private/protected`.
+        const re = /\b(?:public\s+|private\s+|protected\s+)?(?:static\s+final|final\s+static)\s+(?:java\.util\.regex\.)?Pattern\s+(\w+)\s*=\s*(?:java\.util\.regex\.)?Pattern\s*\.\s*compile\s*\(\s*"((?:[^"\\]|\\.)*)"/g;
+        let m;
+        while ((m = re.exec(this.source)) !== null) {
+            const name = m[1];
+            const regex = m[2];
+            if (this.isStrictAnchoredRegex(regex))
+                set.add(name);
+        }
+        this.safePatternFieldsCache = set;
+        return set;
+    }
+    isStrictAnchoredRegex(re) {
+        if (!re.startsWith('^') || !re.endsWith('$'))
+            return false;
+        // Strip [..] character classes (and escaped brackets) — wildcards inside
+        // a class are fine because they only match the listed characters.
+        const stripped = re.replace(/\[(?:[^\]\\]|\\.)*\]/g, '');
+        // Forbid bare `.` (any char) and `|` (alternation) outside classes.
+        // `\.` (escaped dot) is fine; same for `\|`.
+        const cleaned = stripped.replace(/\\./g, '');
+        if (cleaned.includes('.'))
+            return false;
+        if (cleaned.includes('|'))
+            return false;
+        return true;
+    }
+    /**
+     * Sprint 9 #58.1 — detect the regex-allowlist guard pattern.
+     *
+     *   if (!SAFE_NAME.matcher(var).matches()) { throw ...; }
+     *
+     * Returns the guarded variable name if the pattern matches AND
+     * `SAFE_NAME` is a recognized strict-anchored Pattern field, otherwise
+     * null. Caller drops the variable from `tainted` after the if-block.
+     */
+    detectRegexAllowlistGuard(condition, consequence) {
+        if (!consequence)
+            return null;
+        let condText = getNodeText(condition, this.source).replace(/\s+/g, '');
+        // Strip balanced outer parens (Java's `if_statement` condition is a
+        // `parenthesized_expression`, so `(!SAFE.matcher(x).matches())` arrives
+        // wrapped). Repeat in case of redundant parens.
+        while (condText.startsWith('(') && condText.endsWith(')')) {
+            const inner = condText.slice(1, -1);
+            let depth = 0;
+            let balanced = true;
+            for (let i = 0; i < inner.length; i++) {
+                if (inner[i] === '(')
+                    depth++;
+                else if (inner[i] === ')')
+                    depth--;
+                if (depth < 0) {
+                    balanced = false;
+                    break;
+                }
+            }
+            if (!balanced || depth !== 0)
+                break;
+            condText = inner;
+        }
+        const m = condText.match(/^!(\w+)\.matcher\((\w+)\)\.matches\(\)$/);
+        if (!m)
+            return null;
+        const patternName = m[1];
+        const varName = m[2];
+        if (!this.getSafePatternFields().has(patternName))
+            return null;
+        if (!this.consequenceContainsThrow(consequence))
+            return null;
+        return varName;
+    }
+    consequenceContainsThrow(node) {
+        if (node.type === 'throw_statement')
+            return true;
+        // For block bodies, look for any throw_statement child.
+        const stack = [node];
+        while (stack.length > 0) {
+            const n = stack.pop();
+            if (!n)
+                continue;
+            if (n.type === 'throw_statement')
+                return true;
+            // Don't descend into nested control-flow that may not actually throw.
+            if (n.type === 'if_statement' || n.type === 'switch_statement')
+                continue;
+            for (const c of n.children)
+                stack.push(c);
+        }
+        return false;
+    }
+    seedPythonModuleConstants(root) {
+        if (root.type !== 'module')
+            return; // Python-only — Java/JS roots differ.
+        for (const child of root.children) {
+            // Top-level Python statements are wrapped in an `expression_statement`
+            // whose first child is the actual expression. Module-level `x = y`
+            // produces `expression_statement → assignment`.
+            const target = child.type === 'assignment'
+                ? child
+                : child.type === 'expression_statement' && child.children.length > 0
+                    ? child.children[0]
+                    : null;
+            if (!target || target.type !== 'assignment')
+                continue;
+            const left = target.childForFieldName('left');
+            const right = target.childForFieldName('right');
+            if (!left || !right)
+                continue;
+            if (left.type !== 'identifier')
+                continue;
+            // Constrain RHS to PRIMITIVE literal nodes only. Evaluating compound
+            // expressions (e.g. `"a" + "b" + ...`) via the full evaluator can
+            // recurse arbitrarily deep on pathological generated sources — the
+            // deep-nesting regression (cognium-ai#88) constructs 10k-segment
+            // string concatenations at module level. We don't need that here.
+            const allowed = new Set([
+                'true', 'false', 'none',
+                'integer', 'float',
+                'string',
+            ]);
+            if (!allowed.has(right.type))
+                continue;
+            const name = getNodeText(left, this.source);
+            if (!name)
+                continue;
+            const value = this.evaluateExpression(right);
+            if (!isKnown(value))
+                continue;
+            this.symbols.set(name, value);
+        }
+    }
     findAllMethods(node) {
         // Iterative DFS — guards against stack overflow on deeply nested AST
         // shapes (cognium-ai#88).
@@ -616,6 +826,24 @@ export class ConstantPropagator {
             case 'local_variable_declaration':
                 this.handleVariableDeclaration(node);
                 return false;
+            case 'field_declaration':
+                // Sprint 9 #55 — fold class-level `static final` constants into the
+                // symbols table so `if (DEBUG) { ... }` style guards can be evaluated
+                // and the unreachable branch marked as dead code. Structurally
+                // identical to `local_variable_declaration` (both have
+                // `variable_declarator` children with `name`/`value`), so the same
+                // handler applies.
+                //
+                // Constrain to primitive-literal initializers only. Java
+                // `public static final String hyphenData = "a" + "b" + ...` at the
+                // class level can be arbitrarily deep (cognium-ai#88), and the
+                // evaluator's binary recursion blows the stack at ~5k segments. The
+                // dead-code-by-const-guard pattern (`if (DEBUG)`) only needs
+                // booleans/numbers/single strings folded; nothing else.
+                if (this.fieldDeclHasPrimitiveLiteralValue(node)) {
+                    this.handleVariableDeclaration(node);
+                }
+                return false;
             case 'assignment_expression':
                 this.handleAssignment(node);
                 return false;
@@ -777,6 +1005,33 @@ export class ConstantPropagator {
             if (nameNode) {
                 const varName = getNodeText(nameNode, this.source);
                 loopVarNames.add(varName);
+                // Sprint 8 #84: propagate taint from iterated collection to the loop variable.
+                // If the collection is tainted (whole-collection taint), or contains tainted
+                // elements/keys, mark the loop variable as tainted so downstream uses at
+                // sinks fire as expected.
+                const collectionNode = node.childForFieldName('value');
+                if (collectionNode) {
+                    const collectionName = getNodeText(collectionNode, this.source);
+                    const scopedCollection = this.currentMethod
+                        ? `${this.currentMethod}:${collectionName}`
+                        : collectionName;
+                    let elementIsTainted = this.tainted.has(collectionName) || this.tainted.has(scopedCollection);
+                    if (!elementIsTainted) {
+                        const taintedIndices = this.taintedArrayElements.get(collectionName);
+                        if (taintedIndices && taintedIndices.size > 0)
+                            elementIsTainted = true;
+                    }
+                    if (!elementIsTainted) {
+                        const taintedKeys = this.taintedCollections.get(collectionName);
+                        if (taintedKeys && taintedKeys.size > 0)
+                            elementIsTainted = true;
+                    }
+                    if (elementIsTainted) {
+                        const scopedVar = this.currentMethod ? `${this.currentMethod}:${varName}` : varName;
+                        this.tainted.add(varName);
+                        this.tainted.add(scopedVar);
+                    }
+                }
             }
         }
         // Mark all loop variables as unknown BEFORE visiting children
@@ -1175,6 +1430,20 @@ export class ConstantPropagator {
             }
             this.inConditionalBranch = wasInConditional;
             this.tainted = new Set([...taintedBefore, ...taintedAfterThen, ...taintedAfterElse]);
+            // Sprint 9 #58.1 — regex-allowlist sanitizer.
+            //   if (!SAFE_NAME.matcher(var).matches()) throw ...;
+            // After this if, `var` is provably one of the strict-anchored regex's
+            // matches. Drop it from `tainted` (and from any scoped variant).
+            const guardedVar = this.detectRegexAllowlistGuard(condition, consequence);
+            if (guardedVar) {
+                this.tainted.delete(guardedVar);
+                this.sanitizedVars.add(guardedVar);
+                const scoped = this.getScopedName(guardedVar);
+                if (scoped !== guardedVar) {
+                    this.tainted.delete(scoped);
+                    this.sanitizedVars.add(scoped);
+                }
+            }
         }
     }
     /**
@@ -1378,18 +1647,44 @@ export class ConstantPropagator {
     /**
      * Check if an expression is a call to a sanitizer method.
      * This includes both built-in sanitizers and @sanitizer annotated methods.
+     * Handles Java (`method_invocation`), Go/JS/TS (`call_expression`), and
+     * Python (`call`) AST shapes.
      */
     isSanitizerMethodCall(node) {
-        if (node.type !== 'method_invocation') {
+        const methodName = this.extractCallName(node);
+        if (!methodName)
             return false;
-        }
-        const nameNode = node.childForFieldName('name');
-        if (!nameNode) {
-            return false;
-        }
-        const methodName = getNodeText(nameNode, this.source);
         return SANITIZER_METHODS.has(methodName) || this.methodReturnsSanitized.has(methodName);
     }
+    /**
+     * Extract the trailing method/function name from any call node shape:
+     *   Java   `method_invocation`        — name field
+     *   Go/JS  `call_expression`          — function field (identifier or selector/member)
+     *   Python `call`                     — function field (identifier or attribute)
+     */
+    extractCallName(node) {
+        let fnNode = null;
+        if (node.type === 'method_invocation') {
+            fnNode = node.childForFieldName('name');
+        }
+        else if (node.type === 'call_expression' || node.type === 'call') {
+            fnNode = node.childForFieldName('function');
+        }
+        if (!fnNode)
+            return null;
+        // For selector_expression (Go), member_expression (JS), attribute (Python),
+        // take the trailing identifier.
+        if (fnNode.type === 'selector_expression' ||
+            fnNode.type === 'member_expression' ||
+            fnNode.type === 'attribute') {
+            const tail = fnNode.childForFieldName('field') ||
+                fnNode.childForFieldName('property') ||
+                fnNode.childForFieldName('attribute');
+            if (tail)
+                return getNodeText(tail, this.source);
+        }
+        return getNodeText(fnNode, this.source);
+    }
     /**
      * Check if an expression is a call to an anti-sanitizer method.
      * Anti-sanitizers reverse the effect of sanitization (e.g., URLDecoder.decode reverses URLEncoder.encode).
@@ -1881,9 +2176,28 @@ export class ConstantPropagator {
                         this.taintedCollections.set(collectionName, new Set());
                     }
                     this.taintedCollections.get(collectionName).add(keyStr);
+                    // Sprint 8 #62: also mark the map variable itself as tainted so that
+                    // downstream `map.get(k)` reads at sinks are detected by
+                    // detectCollectionFlows (which checks taintedVars by container name).
+                    const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+                    this.tainted.add(scopedCollection);
+                    this.tainted.add(collectionName);
                 }
             }
         }
+        // Sprint 8 #62: StringBuilder / StringBuffer append/insert taint propagation.
+        // When tainted data is appended to a builder, mark the builder variable as
+        // tainted so that `sb.toString()` at sinks is detected by detectCollectionFlows.
+        if (methodName === 'append' || methodName === 'insert') {
+            const args = argsNode.children.filter((c) => c.type !== '(' && c.type !== ')' && c.type !== ',');
+            // For append the value is arg[0]; for insert(int offset, value) the value is arg[1].
+            const valueArg = methodName === 'insert' && args.length >= 2 ? args[1] : args[0];
+            if (valueArg && this.isTaintedExpression(valueArg)) {
+                const scopedCollection = this.currentMethod ? `${this.currentMethod}:${collectionName}` : collectionName;
+                this.tainted.add(scopedCollection);
+                this.tainted.add(collectionName);
+            }
+        }
         if (methodName === 'add' || methodName === 'addLast') {
             const args = argsNode.children.filter((c) => c.type !== '(' && c.type !== ')' && c.type !== ',');
             if (args.length >= 1) {