Establishes the SDK side of the analyzer/SDK boundary now standard across the `codeanalyzer-*` family (cldk-forge PR #7; reference instantiation codellm-devkit/codeanalyzer-java#171). The analyzers are pure graph providers — they emit the dependence graph (SDG with transitive `SUMMARY` edges) and nothing more. Client analyses (taint, slicing) live here, in the TypeScript SDK.
This is the destination for the taint/slicing work being removed from the analyzer scope of codeanalyzer-typescript#2. That issue keeps the Jelly integration and the SDG construction (the graph substrate); the taint query, the sources/sinks/sanitizers model packs, and the `taint_flows` output move here.
Scope
- Graph models for `analysis.json`'s `program_graphs` section (CFG/PDG/SDG, `(signature, node_id)` keys), mirroring the shared cross-language shapes.
- Backward/forward slicing as reverse reachability over `CDG ∪ DDG ∪ PARAM_* ∪ SUMMARY`, context-sensitive via the two-phase HRB traversal (`SUMMARY` edges carry across calls).
- Taint as labeled reachability: seed at sources, propagate along dependence edges, block/flag at sanitizers on the path, report source→sink flows; witness paths reconstructed lazily over reverse value-flow edges with the model id per hop.
- Sources/sinks/sanitizers/library models as data — JSON spec + JSON Schema, precedence built-in pack < config file < inline. The relational-summary/model-pack format from the analyzer spike moves here.
- `taint_flows` / slice-result as SDK output (`{ source, sink, rule, sanitized, path }`), not analyzer output.
- Facade methods on `CLDK.for("typescript")`'s query surface: slice + taint.
- Surface graph over-approximations in results (ENTRY-anchored PARAM arity, missing SUMMARY edges before they land, heap precision capped by Jelly's Andersen solve).
Gates
- Slice: exact hand-computed node set; no callee-internal leakage (SUMMARY edges proven used).
- Taint: one source→sink flow found; the same flow with a sanitizer interposed reported `sanitized`; witness path names every hop.
Contract references: cldk-forge `cldk-sdk-frontend` (`SKILL.md § Client analyses`, `sdk-testing.md § 3b`).
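A sketch of the taint item in Scope and the taint gate, as an added example that is not cldk code: labeled reachability over dependence edges that flags sanitizers on the path and rebuilds a witness path with the model id per hop. The edge and model shapes, node ids and model ids are all assumptions made for illustration; the real `analysis.json` keys and model-pack format are not shown on this page.

```typescript
// Added illustration: every type and name is an assumption, not the SDK's schema.
type EdgeKind = "CDG" | "DDG" | "PARAM_IN" | "PARAM_OUT" | "SUMMARY";
interface Edge { from: string; to: string; kind: EdgeKind }
type ModelMap = { [nodeId: string]: string | undefined }; // node id -> model id
interface Models { sources: ModelMap; sinks: ModelMap; sanitizers: ModelMap }
interface Hop { node: string; model: string | undefined }
interface TaintFlow { source: string; sink: string; rule: string; sanitized: boolean; path: Hop[] }
const stateKey = (node: string, san: boolean): string => node + (san ? "|1" : "|0");

function findTaintFlows(edges: Edge[], m: Models): TaintFlow[] {
  const succ: { [n: string]: string[] | undefined } = Object.create(null);
  for (const e of edges) (succ[e.from] = succ[e.from] ?? []).push(e.to);
  const flows: TaintFlow[] = [];
  for (const source of Object.keys(m.sources)) {
    // BFS over (node, sanitizer crossed?) states, so an unsanitized route is
    // never hidden by a sanitized one that reaches the same node first.
    const parent: { [state: string]: string | null | undefined } = Object.create(null);
    parent[stateKey(source, false)] = null;
    const queue: [string, boolean][] = [[source, false]];
    while (queue.length > 0) {
      const [node, san] = queue.shift()!;
      for (const next of succ[node] ?? []) {
        const nextSan = san || m.sanitizers[next] !== undefined;
        const k = stateKey(next, nextSan);
        if (parent[k] !== undefined) continue; // state already labeled
        parent[k] = stateKey(node, san);
        queue.push([next, nextSan]);
      }
    }
    for (const sink of Object.keys(m.sinks)) {
      const sanitized = parent[stateKey(sink, false)] === undefined;
      if (sanitized && parent[stateKey(sink, true)] === undefined) continue; // no flow
      const path: Hop[] = []; // witness: walk parent pointers back from the sink
      for (let k: string | null = stateKey(sink, sanitized); k !== null; k = parent[k] ?? null) {
        const node = k.slice(0, -2);
        path.unshift({ node, model: m.sources[node] ?? m.sanitizers[node] ?? m.sinks[node] });
      }
      flows.push({ source, sink, rule: m.sinks[sink] ?? "", sanitized, path });
    }
  }
  return flows;
}
// Constructed sample graphs: a direct flow, and the same flow through escape().
const edge = (from: string, to: string, kind: EdgeKind): Edge => ({ from, to, kind });
const RAW = [edge("req.query", "sql", "DDG"), edge("sql", "db.query#arg", "PARAM_IN")];
const ESCAPED = [edge("req.query", "escape#in", "PARAM_IN"), edge("escape#in", "escape#out", "SUMMARY"),
  edge("escape#out", "sql", "DDG"), edge("sql", "db.query#arg", "PARAM_IN")];
const MODELS: Models = { sources: { "req.query": "src.http.query" }, sinks: { "db.query#arg": "sink.sql" },
  sanitizers: { "escape#out": "san.sql.escape" } };
```

When both a sanitized and an unsanitized route reach the sink, the flow is reported with `sanitized: false`, which is why the traversal tracks the sanitizer flag as part of the state rather than per node.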