circle-ir 3.8.4 → 3.9.7

package/dist/graph/import-graph.js

@@ -0,0 +1,170 @@
+/**
+ * ImportGraph
+ *
+ * Builds a directed file→file import graph from a ProjectGraph.
+ * Only relative imports (from_package starting with '.') are resolved to edges —
+ * stdlib and npm package imports are ignored.
+ *
+ * Used by CircularDependencyPass and OrphanModulePass.
+ */
+// ---------------------------------------------------------------------------
+// Path helpers (no Node.js 'path' module — must run in browser too)
+// ---------------------------------------------------------------------------
+function dirname(filePath) {
+    const idx = filePath.lastIndexOf('/');
+    return idx >= 0 ? filePath.slice(0, idx) : '';
+}
+function normalizePath(p) {
+    const isAbsolute = p.startsWith('/');
+    const parts = p.split('/');
+    const result = [];
+    for (const part of parts) {
+        if (part === '' || part === '.')
+            continue;
+        if (part === '..') {
+            result.pop();
+        }
+        else {
+            result.push(part);
+        }
+    }
+    return (isAbsolute ? '/' : '') + result.join('/');
+}
+const EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.py', '.java', '.rs', ''];
+// Entry-point filenames (base without extension) — not treated as orphans
+const ENTRY_POINT_NAMES = /^(index|main|app|server|mod|cli|bin|start|run|entry|init)$/i;
+// ---------------------------------------------------------------------------
+// ImportGraph
+// ---------------------------------------------------------------------------
+export class ImportGraph {
+    /** file → set of files it imports */
+    outEdges;
+    /** file → set of files that import it */
+    inEdges;
+    /** All known file paths */
+    allFiles;
+    constructor(projectGraph) {
+        this.outEdges = new Map();
+        this.inEdges = new Map();
+        this.allFiles = new Set(projectGraph.filePaths);
+        // Initialize edge sets for all files
+        for (const file of this.allFiles) {
+            this.outEdges.set(file, new Set());
+            this.inEdges.set(file, new Set());
+        }
+        // Build edges from imports
+        for (const filePath of projectGraph.filePaths) {
+            const ir = projectGraph.getIR(filePath);
+            if (!ir)
+                continue;
+            const dir = dirname(filePath);
+            for (const imp of ir.imports) {
+                const pkg = imp.from_package;
+                if (!pkg || !pkg.startsWith('.'))
+                    continue; // skip stdlib/npm
+                // Resolve relative path
+                const rawCandidate = dir ? `${dir}/${pkg}` : pkg;
+                const base = normalizePath(rawCandidate);
+                // Try with each extension
+                let resolved = null;
+                for (const ext of EXTENSIONS) {
+                    const candidate = base + ext;
+                    if (this.allFiles.has(candidate)) {
+                        resolved = candidate;
+                        break;
+                    }
+                }
+                // TypeScript ESM convention: `import './foo.js'` refers to `./foo.ts` on disk.
+                // Strip the .js suffix and retry with TypeScript extensions.
+                if (!resolved && base.endsWith('.js')) {
+                    const stripped = base.slice(0, -3);
+                    for (const ext of ['.ts', '.tsx', '.js']) {
+                        const candidate = stripped + ext;
+                        if (this.allFiles.has(candidate)) {
+                            resolved = candidate;
+                            break;
+                        }
+                    }
+                }
+                if (resolved && resolved !== filePath) {
+                    this.outEdges.get(filePath).add(resolved);
+                    this.inEdges.get(resolved).add(filePath);
+                }
+            }
+        }
+    }
+    /** Files directly imported by `filePath`. */
+    edgesFrom(filePath) {
+        return [...(this.outEdges.get(filePath) ?? [])];
+    }
+    /** Files that directly import `filePath`. */
+    edgesTo(filePath) {
+        return [...(this.inEdges.get(filePath) ?? [])];
+    }
+    /**
+     * Tarjan's SCC — returns groups of files that form import cycles.
+     * Each returned Set has size ≥ 2 (only actual cycles).
+     */
+    findCycles() {
+        const index = new Map();
+        const lowlink = new Map();
+        const onStack = new Map();
+        const stack = [];
+        const cycles = [];
+        let counter = 0;
+        const strongConnect = (v) => {
+            index.set(v, counter);
+            lowlink.set(v, counter);
+            counter++;
+            stack.push(v);
+            onStack.set(v, true);
+            for (const w of (this.outEdges.get(v) ?? [])) {
+                if (!index.has(w)) {
+                    strongConnect(w);
+                    lowlink.set(v, Math.min(lowlink.get(v), lowlink.get(w)));
+                }
+                else if (onStack.get(w)) {
+                    lowlink.set(v, Math.min(lowlink.get(v), index.get(w)));
+                }
+            }
+            if (lowlink.get(v) === index.get(v)) {
+                // Root of SCC — pop the component
+                const scc = new Set();
+                let w;
+                do {
+                    w = stack.pop();
+                    onStack.set(w, false);
+                    scc.add(w);
+                } while (w !== v);
+                if (scc.size > 1) {
+                    cycles.push(scc);
+                }
+            }
+        };
+        for (const v of this.allFiles) {
+            if (!index.has(v)) {
+                strongConnect(v);
+            }
+        }
+        return cycles;
+    }
+    /**
+     * Returns file paths with zero incoming import edges that are not entry points.
+     * Entry points: filename base (without extension) matches /^(index|main|app|server|mod)$/i
+     */
+    findOrphans() {
+        const orphans = [];
+        for (const file of this.allFiles) {
+            if ((this.inEdges.get(file)?.size ?? 0) > 0)
+                continue;
+            // Check if entry point
+            const base = file.split('/').pop() ?? '';
+            const baseName = base.includes('.') ? base.slice(0, base.lastIndexOf('.')) : base;
+            if (ENTRY_POINT_NAMES.test(baseName))
+                continue;
+            orphans.push(file);
+        }
+        return orphans.sort();
+    }
+}
+//# sourceMappingURL=import-graph.js.map

package/dist/graph/import-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"import-graph.js","sourceRoot":"","sources":["../../src/graph/import-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,8EAA8E;AAC9E,oEAAoE;AACpE,8EAA8E;AAE9E,SAAS,OAAO,CAAC,QAAgB;IAC/B,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,EAAE,IAAI,IAAI,KAAK,GAAG;YAAE,SAAS;QAC1C,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;AAE7E,0EAA0E;AAC1E,MAAM,iBAAiB,GAAG,6DAA6D,CAAC;AAExF,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACtB,qCAAqC;IACpB,QAAQ,CAA2B;IACpD,yCAAyC;IACxB,OAAO,CAA2B;IACnD,2BAA2B;IACV,QAAQ,CAAc;IAEvC,YAAY,YAA0B;QACpC,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,EAAE,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAI,IAAI,GAAG,EAAE,CAAC;QAC1B,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAEhD,qCAAqC;QACrC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,2BAA2B;QAC3B,KAAK,MAAM,QAAQ,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAElB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE9B,KAAK,MAAM,GAAG,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;gBAC7B,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC;gBAC7B,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS,CAAC,kBAAkB;gBAE9D,wBAAwB;gBACxB,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;gBACjD,MAAM,IAAI,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;gBAEzC,0BAA0B;gBAC1B,IAAI,QAAQ,GAAkB,IAAI,CAAC;gBACnC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,GAAG,GAAG,CAAC;oBAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;wBACjC,QAAQ,GAAG,SAAS,CAAC;wBACrB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,+EAA+E;gBAC/E,6DAA6D;gBAC7D,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;oBACnC,KAAK,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;wBACzC,MAAM,SAAS,GAAG,QAAQ,GAAG,GAAG,CAAC;wBACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;4BACjC,QAAQ,GAAG,SAAS,CAAC;4BACrB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,QAAQ,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,SAAS,CAAC,QAAgB;QACxB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,6CAA6C;IAC7C,OAAO,CAAC,QAAgB;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,UAAU;QACR,MAAM,KAAK,GAA2B,IAAI,GAAG,EAAE,CAAC;QAChD,MAAM,OAAO,GAAyB,IAAI,GAAG,EAAE,CAAC;QAChD,MAAM,OAAO,GAAyB,IAAI,GAAG,EAAE,CAAC;QAChD,MAAM,KAAK,GAA2B,EAAE,CAAC;QACzC,MAAM,MAAM,GAA0B,EAAE,CAAC;QACzC,IAAM,OAAO,GAAI,CAAC,CAAC;QAEnB,MAAM,aAAa,GAAG,CAAC,CAAS,EAAQ,EAAE;YACxC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YACxB,OAAO,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YAErB,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBAClB,aAAa,CAAC,CAAC,CAAC,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC;gBAC7D,CAAC;qBAAM,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC1B,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;YAED,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,kCAAkC;gBAClC,MAAM,GAAG,GAAgB,IAAI,GAAG,EAAE,CAAC;gBACnC,IAAI,CAAS,CAAC;gBACd,GAAG,CAAC;oBACF,CAAC,GAAG,KAAK,CAAC,GAAG,EAAG,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;oBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACb,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;gBAElB,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClB,aAAa,CAAC,CAAC,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,WAAW;QACT,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC;gBAAE,SAAS;YACtD,uBAAuB;YACvB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAClF,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC/C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;IACxB,CAAC;CACF"}

package/dist/graph/index.d.ts

@@ -0,0 +1,4 @@
+export { CodeGraph } from './code-graph.js';
+export { ProjectGraph } from './project-graph.js';
+export { ImportGraph } from './import-graph.js';
+export { AnalysisPipeline, type AnalysisPass, type PassContext, type PipelineRunResult, } from './analysis-pass.js';

package/dist/graph/index.js

@@ -0,0 +1,5 @@
+export { CodeGraph } from './code-graph.js';
+export { ProjectGraph } from './project-graph.js';
+export { ImportGraph } from './import-graph.js';
+export { AnalysisPipeline, } from './analysis-pass.js';
+//# sourceMappingURL=index.js.map

package/dist/graph/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/graph/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EACL,gBAAgB,GAIjB,MAAM,oBAAoB,CAAC"}

package/dist/graph/project-graph.d.ts

@@ -0,0 +1,43 @@
+/**
+ * ProjectGraph
+ *
+ * Wraps multiple per-file CodeGraph instances with lazy cross-file resolution
+ * infrastructure (SymbolTable, TypeHierarchyResolver, CrossFileResolver).
+ *
+ * Usage:
+ *   const pg = new ProjectGraph();
+ *   pg.addFile('/src/A.java', graphA);
+ *   pg.addFile('/src/B.java', graphB);
+ *   const flows = pg.resolver.findCrossFileTaintFlows();
+ */
+import type { CircleIR } from '../types/index.js';
+import { CodeGraph } from './code-graph.js';
+import { SymbolTable, TypeHierarchyResolver, CrossFileResolver } from '../resolution/index.js';
+export declare class ProjectGraph {
+    private readonly files;
+    private _symbolTable;
+    private _typeHierarchy;
+    private _resolver;
+    /**
+     * Register a file's CodeGraph.  Invalidates all lazy caches.
+     */
+    addFile(filePath: string, graph: CodeGraph): void;
+    /** Registered file paths in insertion order. */
+    get filePaths(): string[];
+    /** Total number of registered files. */
+    get fileCount(): number;
+    /** Retrieve a file's CodeGraph, or undefined if not registered. */
+    getGraph(filePath: string): CodeGraph | undefined;
+    /** Retrieve a file's CircleIR, or undefined if not registered. */
+    getIR(filePath: string): CircleIR | undefined;
+    /** Lazily-built SymbolTable covering all registered files. */
+    get symbolTable(): SymbolTable;
+    /** Lazily-built TypeHierarchyResolver covering all registered files. */
+    get typeHierarchy(): TypeHierarchyResolver;
+    /**
+     * Lazily-built CrossFileResolver.
+     * Accesses `this.symbolTable` and `this.typeHierarchy` (also lazy) so all
+     * three are computed together on the first call after any `addFile()`.
+     */
+    get resolver(): CrossFileResolver;
+}

package/dist/graph/project-graph.js

@@ -0,0 +1,80 @@
+/**
+ * ProjectGraph
+ *
+ * Wraps multiple per-file CodeGraph instances with lazy cross-file resolution
+ * infrastructure (SymbolTable, TypeHierarchyResolver, CrossFileResolver).
+ *
+ * Usage:
+ *   const pg = new ProjectGraph();
+ *   pg.addFile('/src/A.java', graphA);
+ *   pg.addFile('/src/B.java', graphB);
+ *   const flows = pg.resolver.findCrossFileTaintFlows();
+ */
+import { SymbolTable, TypeHierarchyResolver, CrossFileResolver, } from '../resolution/index.js';
+export class ProjectGraph {
+    files = new Map();
+    // Lazy caches — nulled whenever a new file is added
+    _symbolTable = null;
+    _typeHierarchy = null;
+    _resolver = null;
+    /**
+     * Register a file's CodeGraph.  Invalidates all lazy caches.
+     */
+    addFile(filePath, graph) {
+        this.files.set(filePath, { graph, ir: graph.ir });
+        this._symbolTable = null;
+        this._typeHierarchy = null;
+        this._resolver = null;
+    }
+    /** Registered file paths in insertion order. */
+    get filePaths() {
+        return [...this.files.keys()];
+    }
+    /** Total number of registered files. */
+    get fileCount() {
+        return this.files.size;
+    }
+    /** Retrieve a file's CodeGraph, or undefined if not registered. */
+    getGraph(filePath) {
+        return this.files.get(filePath)?.graph;
+    }
+    /** Retrieve a file's CircleIR, or undefined if not registered. */
+    getIR(filePath) {
+        return this.files.get(filePath)?.ir;
+    }
+    /** Lazily-built SymbolTable covering all registered files. */
+    get symbolTable() {
+        if (!this._symbolTable) {
+            const st = new SymbolTable();
+            for (const [path, { ir }] of this.files)
+                st.addFromIR(ir, path);
+            this._symbolTable = st;
+        }
+        return this._symbolTable;
+    }
+    /** Lazily-built TypeHierarchyResolver covering all registered files. */
+    get typeHierarchy() {
+        if (!this._typeHierarchy) {
+            const th = new TypeHierarchyResolver();
+            for (const [path, { ir }] of this.files)
+                th.addFromIR(ir, path);
+            this._typeHierarchy = th;
+        }
+        return this._typeHierarchy;
+    }
+    /**
+     * Lazily-built CrossFileResolver.
+     * Accesses `this.symbolTable` and `this.typeHierarchy` (also lazy) so all
+     * three are computed together on the first call after any `addFile()`.
+     */
+    get resolver() {
+        if (!this._resolver) {
+            const r = new CrossFileResolver(this.symbolTable, this.typeHierarchy);
+            for (const [path, { ir }] of this.files)
+                r.addFile(path, ir);
+            this._resolver = r;
+        }
+        return this._resolver;
+    }
+}
+//# sourceMappingURL=project-graph.js.map

package/dist/graph/project-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-graph.js","sourceRoot":"","sources":["../../src/graph/project-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,wBAAwB,CAAC;AAEhC,MAAM,OAAO,YAAY;IACN,KAAK,GAAG,IAAI,GAAG,EAA8C,CAAC;IAE/E,oDAAoD;IAC5C,YAAY,GAAyB,IAAI,CAAC;IAC1C,cAAc,GAAiC,IAAI,CAAC;IACpD,SAAS,GAAkC,IAAI,CAAC;IAExD;;OAEG;IACH,OAAO,CAAC,QAAgB,EAAE,KAAgB;QACxC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,YAAY,GAAK,IAAI,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAQ,IAAI,CAAC;IAC7B,CAAC;IAED,gDAAgD;IAChD,IAAI,SAAS;QACX,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,wCAAwC;IACxC,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,mEAAmE;IACnE,QAAQ,CAAC,QAAgB;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC;IACzC,CAAC;IAED,kEAAkE;IAClE,KAAK,CAAC,QAAgB;QACpB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,8DAA8D;IAC9D,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAChE,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC;QACzB,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,wEAAwE;IACxE,IAAI,aAAa;QACf,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,EAAE,GAAG,IAAI,qBAAqB,EAAE,CAAC;YACvC,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YAChE,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACH,IAAI,QAAQ;QACV,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,CAAC,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YACtE,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAC7D,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF"}

package/dist/graph/scope-graph.d.ts

@@ -0,0 +1,63 @@
+/**
+ * ScopeGraph
+ *
+ * Thin wrapper over CodeGraph that enriches each DFGDef with declaration-keyword
+ * awareness. Needed by the three Group-3 passes (variable-shadowing, leaked-global,
+ * unused-variable) which must distinguish between a "real" variable declaration
+ * (`let x = 5`) and a bare reassignment (`x = 5`).
+ *
+ * The DFG extractor treats both as `kind='local'` because reassignments also
+ * create new reaching definitions. ScopeGraph recovers the distinction by
+ * scanning the source line for language-specific declaration keywords.
+ *
+ * Design:
+ *   - Built once per pass via `new ScopeGraph(graph, code, language)`
+ *   - O(n) construction where n = number of DFG defs
+ *   - No mutations — all state is computed in the constructor
+ *   - Browser + Node.js safe (no platform APIs)
+ */
+import type { DFGDef } from '../types/index.js';
+import type { CodeGraph } from './code-graph.js';
+/** Enriched view of a single DFGDef with scope metadata. */
+export interface ScopeEntry {
+    /** The underlying DFG definition. */
+    readonly def: DFGDef;
+    /**
+     * True when the source line that created this def contains a declaration
+     * keyword appropriate for the language (e.g. `let`/`const`/`var` for JS,
+     * type keyword for Java, `let` for Rust). False for bare reassignments.
+     */
+    readonly hasDeclKeyword: boolean;
+    /**
+     * `start_line` of the enclosing method, or -1 if the def is at the
+     * top/module level (no enclosing method found).
+     */
+    readonly methodStart: number;
+    /**
+     * `end_line` of the enclosing method, or -1 if top-level.
+     */
+    readonly methodEnd: number;
+}
+export declare class ScopeGraph {
+    /** One entry per DFGDef in the IR, in original order. */
+    readonly entries: ScopeEntry[];
+    constructor(graph: CodeGraph, code: string, language: string);
+    /**
+     * Returns all entries whose def falls within the inclusive range
+     * [start, end] (both are 1-based source line numbers).
+     */
+    defsInMethod(start: number, end: number): ScopeEntry[];
+    /**
+     * Returns true if the given variable has at least one def with
+     * `hasDeclKeyword === true` inside the method whose start line is
+     * `methodStart` OR at module level (methodStart === -1).
+     *
+     * Module-level declarations are included because JavaScript/TypeScript
+     * module-level `let`/`const`/`var` variables are legitimately reassigned
+     * inside functions — that is not a global leak.
+     *
+     * Used by `leaked-global` to determine whether a bare assignment is truly
+     * undeclared within its enclosing function.
+     */
+    hasDeclaredDef(variable: string, methodStart: number): boolean;
+}

package/dist/graph/scope-graph.js

@@ -0,0 +1,89 @@
+/**
+ * ScopeGraph
+ *
+ * Thin wrapper over CodeGraph that enriches each DFGDef with declaration-keyword
+ * awareness. Needed by the three Group-3 passes (variable-shadowing, leaked-global,
+ * unused-variable) which must distinguish between a "real" variable declaration
+ * (`let x = 5`) and a bare reassignment (`x = 5`).
+ *
+ * The DFG extractor treats both as `kind='local'` because reassignments also
+ * create new reaching definitions. ScopeGraph recovers the distinction by
+ * scanning the source line for language-specific declaration keywords.
+ *
+ * Design:
+ *   - Built once per pass via `new ScopeGraph(graph, code, language)`
+ *   - O(n) construction where n = number of DFG defs
+ *   - No mutations — all state is computed in the constructor
+ *   - Browser + Node.js safe (no platform APIs)
+ */
+// ---------------------------------------------------------------------------
+// Per-language declaration keyword patterns
+// ---------------------------------------------------------------------------
+/**
+ * Returns true when the source line text contains a variable-declaration keyword
+ * for the given language.
+ *
+ * Java/Rust/JS/TS: explicit keywords precede the variable name.
+ * Python: no declaration keyword exists → always returns false.
+ */
+function hasDeclKeyword(lineText, language) {
+    switch (language) {
+        case 'java':
+            // Primitive types, `var`, `final`, generic types (upper-case first letter)
+            return /\b(?:int|long|float|double|boolean|byte|char|short|var|final)\b/.test(lineText)
+                || /\b[A-Z]\w*(?:<[^>]*>)?\s+\w/.test(lineText);
+        case 'javascript':
+        case 'typescript':
+            return /\b(?:let|const|var)\s+[\w{[]/.test(lineText);
+        case 'rust':
+            return /\blet\s+(?:mut\s+)?\w/.test(lineText);
+        default:
+            // Python and other languages: no reliable declaration keyword
+            return false;
+    }
+}
+// ---------------------------------------------------------------------------
+// ScopeGraph
+// ---------------------------------------------------------------------------
+export class ScopeGraph {
+    /** One entry per DFGDef in the IR, in original order. */
+    entries;
+    constructor(graph, code, language) {
+        const codeLines = code.split('\n');
+        this.entries = graph.ir.dfg.defs.map((def) => {
+            const m = graph.methodAtLine(def.line);
+            const lineText = codeLines[def.line - 1] ?? '';
+            return {
+                def,
+                hasDeclKeyword: hasDeclKeyword(lineText, language),
+                methodStart: m?.method.start_line ?? -1,
+                methodEnd: m?.method.end_line ?? -1,
+            };
+        });
+    }
+    /**
+     * Returns all entries whose def falls within the inclusive range
+     * [start, end] (both are 1-based source line numbers).
+     */
+    defsInMethod(start, end) {
+        return this.entries.filter(e => e.def.line >= start && e.def.line <= end);
+    }
+    /**
+     * Returns true if the given variable has at least one def with
+     * `hasDeclKeyword === true` inside the method whose start line is
+     * `methodStart` OR at module level (methodStart === -1).
+     *
+     * Module-level declarations are included because JavaScript/TypeScript
+     * module-level `let`/`const`/`var` variables are legitimately reassigned
+     * inside functions — that is not a global leak.
+     *
+     * Used by `leaked-global` to determine whether a bare assignment is truly
+     * undeclared within its enclosing function.
+     */
+    hasDeclaredDef(variable, methodStart) {
+        return this.entries.some(e => e.def.variable === variable
+            && e.hasDeclKeyword
+            && (e.methodStart === methodStart || e.methodStart === -1));
+    }
+}
+//# sourceMappingURL=scope-graph.js.map

package/dist/graph/scope-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-graph.js","sourceRoot":"","sources":["../../src/graph/scope-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAS,cAAc,CAAC,QAAgB,EAAE,QAAgB;IACxD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,MAAM;YACT,2EAA2E;YAC3E,OAAO,iEAAiE,CAAC,IAAI,CAAC,QAAQ,CAAC;mBAChF,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEtD,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,8BAA8B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEvD,KAAK,MAAM;YACT,OAAO,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEhD;YACE,8DAA8D;YAC9D,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AA2BD,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,OAAO,UAAU;IACrB,yDAAyD;IAChD,OAAO,CAAe;IAE/B,YAAY,KAAgB,EAAE,IAAY,EAAE,QAAgB;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAc,EAAE;YACvD,MAAM,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACvC,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/C,OAAO;gBACL,GAAG;gBACH,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC;gBAClD,WAAW,EAAE,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;gBACvC,SAAS,EAAI,CAAC,EAAE,MAAM,CAAC,QAAQ,IAAM,CAAC,CAAC;aACxC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,YAAY,CAAC,KAAa,EAAE,GAAW;QACrC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED;;;;;;;;;;;OAWG;IACH,cAAc,CAAC,QAAgB,EAAE,WAAmB;QAClD,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CACtB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ;eAC3B,CAAC,CAAC,cAAc;eAChB,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,IAAI,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,CAAC,CAC7D,CAAC;IACJ,CAAC;CACF"}

package/dist/index.d.ts

@@ -3,8 +3,8 @@
  *
  * A universal library for static analysis and taint tracking.
  */
-export { initAnalyzer, analyze, analyzeForAPI, isAnalyzerInitialized, resetAnalyzer, type AnalyzerOptions, } from './analyzer.js';
-export type { CircleIR, Meta, TypeInfo, MethodInfo, ParameterInfo, FieldInfo, CallInfo, ArgumentInfo, CallResolution, CFG, CFGBlock, CFGEdge, DFG, DFGDef, DFGUse, DFGChain, Taint, TaintSource, TaintSink, TaintSanitizer, ImportInfo, ExportInfo, UnresolvedItem, Enriched, EnrichedFunction, ResolvedCall, Finding, TaintHop, Vulnerability, AnalysisResponse, SourceType, SinkType, Severity, ProjectAnalysis, ProjectMeta, FileAnalysis, TypeHierarchy, ClassHierarchyInfo, InterfaceHierarchyInfo, CrossFileCall, ArgMapping, TaintPath, } from './types/index.js';
+export { initAnalyzer, analyze, analyzeForAPI, analyzeProject, isAnalyzerInitialized, resetAnalyzer, type AnalyzerOptions, } from './analyzer.js';
+export type { CircleIR, Meta, TypeInfo, MethodInfo, ParameterInfo, FieldInfo, CallInfo, ArgumentInfo, CallResolution, CFG, CFGBlock, CFGEdge, DFG, DFGDef, DFGUse, DFGChain, Taint, TaintSource, TaintSink, TaintSanitizer, ImportInfo, ExportInfo, UnresolvedItem, Enriched, EnrichedFunction, ResolvedCall, Finding, TaintHop, Vulnerability, AnalysisResponse, SourceType, SinkType, Severity, PassCategory, SarifLevel, SastFinding, MetricCategory, MetricValue, FileMetrics, ProjectAnalysis, ProjectMeta, FileAnalysis, TypeHierarchy, ClassHierarchyInfo, InterfaceHierarchyInfo, CrossFileCall, ArgMapping, TaintPath, } from './types/index.js';
 export type { SourceConfig, SinkConfig, TaintConfig, SourcePattern, SinkPattern, SanitizerPattern, } from './types/config.js';
 export { initParser, parse, walkTree, findNodes, findAncestor, getNodeText, collectAllNodes, type SupportedLanguage, type SyntaxNode, type Node, type NodeCache, type Tree, } from './core/index.js';
 export { extractMeta, extractTypes, extractCalls, extractImports, extractExports, buildCFG, buildDFG, } from './core/index.js';

package/dist/index.js

@@ -4,7 +4,7 @@
  * A universal library for static analysis and taint tracking.
  */
 // Main analyzer
-export { initAnalyzer, analyze, analyzeForAPI, isAnalyzerInitialized, resetAnalyzer, } from './analyzer.js';
+export { initAnalyzer, analyze, analyzeForAPI, analyzeProject, isAnalyzerInitialized, resetAnalyzer, } from './analyzer.js';
 // Core utilities (for advanced usage)
 export { initParser, parse, walkTree, findNodes, findAncestor, getNodeText, collectAllNodes, } from './core/index.js';
 // Core extractors

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,gBAAgB;AAChB,OAAO,EACL,YAAY,EACZ,OAAO,EACP,aAAa,EACb,qBAAqB,EACrB,aAAa,GAEd,MAAM,eAAe,CAAC;AA+DvB,sCAAsC;AACtC,OAAO,EACL,UAAU,EACV,KAAK,EACL,QAAQ,EACR,SAAS,EACT,YAAY,EACZ,WAAW,EACX,eAAe,GAMhB,MAAM,iBAAiB,CAAC;AAEzB,kBAAkB;AAClB,OAAO,EACL,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,GACT,MAAM,iBAAiB,CAAC;AAEzB,qBAAqB;AACrB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,0BAA0B,EAC1B,kBAAkB,EAClB,OAAO,EACP,aAAa,EACb,WAAW,EACX,eAAe,EACf,aAAa,EACb,kBAAkB,GAMnB,MAAM,qBAAqB,CAAC;AAE7B,mBAAmB;AACnB,OAAO,EACL,WAAW,EACX,gBAAgB,GAEjB,MAAM,qBAAqB,CAAC;AAE7B,uBAAuB;AACvB,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,WAAW,EACX,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAE/B,mBAAmB;AACnB,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EACd,mBAAmB,EACnB,sBAAsB,EACtB,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAY9B,gCAAgC;AAChC,OAAO,EACL,MAAM,EACN,SAAS,EACT,eAAe,EACf,WAAW,EACX,WAAW,GAIZ,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,gBAAgB;AAChB,OAAO,EACL,YAAY,EACZ,OAAO,EACP,aAAa,EACb,cAAc,EACd,qBAAqB,EACrB,aAAa,GAEd,MAAM,eAAe,CAAC;AAuEvB,sCAAsC;AACtC,OAAO,EACL,UAAU,EACV,KAAK,EACL,QAAQ,EACR,SAAS,EACT,YAAY,EACZ,WAAW,EACX,eAAe,GAMhB,MAAM,iBAAiB,CAAC;AAEzB,kBAAkB;AAClB,OAAO,EACL,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,GACT,MAAM,iBAAiB,CAAC;AAEzB,qBAAqB;AACrB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,0BAA0B,EAC1B,kBAAkB,EAClB,OAAO,EACP,aAAa,EACb,WAAW,EACX,eAAe,EACf,aAAa,EACb,kBAAkB,GAMnB,MAAM,qBAAqB,CAAC;AAE7B,mBAAmB;AACnB,OAAO,EACL,WAAW,EACX,gBAAgB,GAEjB,MAAM,qBAAqB,CAAC;AAE7B,uBAAuB;AACvB,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,WAAW,EACX,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAE/B,mBAAmB;AACnB,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EACd,mBAAmB,EACnB,sBAAsB,EACtB,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAY9B,gCAAgC;AAChC,OAAO,EACL,MAAM,EACN,SAAS,EACT,eAAe,EACf,WAAW,EACX,WAAW,GAIZ,MAAM,mBAAmB,CAAC"}

package/dist/resolution/cross-file.js

@@ -336,35 +336,68 @@ export class CrossFileResolver {
      */
     findCrossFileTaintFlows() {
         const flows = [];
+        // Deduplicate: same source + target sink should only emit one flow
+        const seen = new Set();
         for (const [filePath, ir] of this.fileIRs) {
             // Check each source in the file
             for (const source of ir.taint.sources) {
+                // `interprocedural_param` sources represent "this method's parameter MIGHT be
+                // tainted when called by tainted code" — they are a per-file meta-analysis result
+                // and are not confirmed external inputs suitable for cross-file taint flows.
+                // Using them here causes false positives on every internal library function that
+                // has typed parameters and happens to call another file that contains any sink.
+                if (source.type === 'interprocedural_param')
+                    continue;
                 // Find calls at or after the source line
                 for (const call of ir.calls) {
                     if (call.location.line < source.line)
                         continue;
                     const resolved = this.resolveCall(call, filePath);
-                    if (resolved && resolved.targetFile !== filePath) {
-                        // This is a cross-file call
-                        // Check if any argument might be tainted
-                        const taintedArgs = [];
-                        for (let i = 0; i < call.arguments.length; i++) {
-                            // Simple heuristic: if variable was defined at or after source, might be tainted
-                            taintedArgs.push(i);
-                        }
-                        if (taintedArgs.length > 0) {
-                            flows.push({
-                                sourceFile: filePath,
-                                sourceLine: source.line,
-                                sourceType: source.type,
-                                targetFile: resolved.targetFile,
-                                targetLine: call.location.line,
-                                targetMethod: resolved.targetMethod,
-                                flowType: 'call_arg',
-                                taintedArgPositions: taintedArgs,
-                            });
+                    if (!resolved || resolved.targetFile === filePath)
+                        continue;
+                    // Only proceed if the target file has any YAML-matched sinks at all.
+                    // Skipping sink-free files prevents the cartesian explosion of flows into
+                    // utility modules (AST helpers, string utilities, etc.) that have no
+                    // dangerous operations.
+                    const targetIR = this.fileIRs.get(resolved.targetFile);
+                    if (!targetIR || targetIR.taint.sinks.length === 0)
+                        continue;
+                    // Find the target method in the target file so we can locate sinks within it.
+                    // `resolved.targetMethod` is a FQN like "ClassName.methodName"; we match on
+                    // the suffix after the last dot.
+                    const shortName = resolved.targetMethod.split('.').pop() ?? resolved.targetMethod;
+                    let targetMethod;
+                    for (const type of targetIR.types) {
+                        const m = type.methods.find(m => m.name === shortName);
+                        if (m) {
+                            targetMethod = m;
+                            break;
                         }
                     }
+                    if (!targetMethod)
+                        continue;
+                    // Only emit a flow when at least one known sink falls inside the target method.
+                    // This means `targetLine` now correctly points to an actual dangerous operation
+                    // in the target file (not the caller's line in the source file).
+                    const sinksInMethod = targetIR.taint.sinks.filter(s => s.line >= targetMethod.start_line && s.line <= targetMethod.end_line);
+                    if (sinksInMethod.length === 0)
+                        continue;
+                    for (const sink of sinksInMethod) {
+                        const key = `${filePath}:${source.line}→${resolved.targetFile}:${sink.line}`;
+                        if (seen.has(key))
+                            continue;
+                        seen.add(key);
+                        flows.push({
+                            sourceFile: filePath,
+                            sourceLine: source.line,
+                            sourceType: source.type,
+                            targetFile: resolved.targetFile,
+                            targetLine: sink.line, // actual sink line in target file
+                            targetMethod: resolved.targetMethod,
+                            flowType: 'call_arg',
+                            taintedArgPositions: call.arguments.map((_, i) => i),
+                        });
+                    }
                 }
             }
         }