feat(cfg+scan+output): wire C/C++ pipeline end-to-end

[shivasurya]

Summary

Three integration changes that bring C/C++ analysis into the full pathfinder scan pipeline.

1. CFG handlers (graph/callgraph/cfg/builder.go)

Adds processSwitch and processDoWhile so C/C++ control-flow surfaces in the CFG instead of falling through to the generic statement handler.

Construct	Shape
switch (x) { case 1: ...; case 2: ...; default: ... }	[BlockTypeSwitch header] fans out to one case block per case_statement, with fallthrough edges between consecutive cases and a merge block reachable from every case.
do { body } while (cond);	[pred] -> [body] -> [BlockTypeLoop cond], cond loops back to body and falls through to an after-block.

The do-while shape (no header gate before the first iteration) preserves the "execute body at least once" semantics that distinguishes it from a plain while.

2. Scan integration (cmd/scan.go)

After the existing Go block, the scan now:

• Calls BuildCModuleRegistry + BuildCCallGraph when the parsed CodeGraph carries any C-tagged node, then merges the result via MergeCallGraphs.
• Same for C++ with BuildCppModuleRegistry + BuildCppCallGraph.

Each step is gated by the new hasLanguageNodes(codeGraph, language) helper so a Python-only or Go-only project skips the C/C++ work entirely. Build failures log a warning and let the scan continue with whatever languages did build — matching the Go path.

3. Enricher (output/enricher.go)

extractFunctionFromFQN and fallbackLocation learn to handle C/C++ scope-resolved FQNs:

FQN	Function	ClassName	RelPath
src/main.c::main	main	(empty)	src/main.c
src/socket.cpp::mylib::Socket::connect	connect	Socket	src/socket.cpp
myapp.auth.login (regression)	login	auth	(existing path)

The dot-separated branch for Python / Go / Java is preserved; the :: branch only fires when the FQN actually contains ::.

Test plan

• go build ./...
• go test ./... — full suite green
• go vet ./...
• golangci-lint run ./graph/callgraph/cfg/ ./cmd/ ./output/ — 0 issues
• Coverage on changed functions: processSwitch 92.3%, processDoWhile 100%, hasLanguageNodes 100%, fallbackLocation 100%, extractFunctionFromFQN 85.7% (the unreachable terminal return is pre-existing dead code)
• CFG: switch with 3 cases + default, fallthrough between consecutive cases, empty switch body, do-while body + cond + after, body executes before loop header
• Scan: nil graph, empty graph, no matching nodes, multiple languages
• Enricher: C FQN (no class), C++ FQN with namespace + class, missing-file FQN falls through cleanly, dot-separated regression cases

Stacked on

shiva/cpp-statements (#676)

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	6
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 91.07143% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.43%. Comparing base (1a3f8b4) to head (e2ae095).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
sast-engine/cmd/scan.go	80.00%	5 Missing and 2 partials ⚠️
sast-engine/graph/callgraph/cfg/builder.go	94.82%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #677      +/-   ##
==========================================
+ Coverage   85.37%   85.43%   +0.06%     
==========================================
  Files         187      187              
  Lines       27164    27276     +112     
==========================================
+ Hits        23190    23303     +113     
+ Misses       3083     3082       -1     
  Partials      891      891              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shivasurya]

• feat(python-sdk): @c_rule / @cpp_rule decorators with language scoping #678
• feat(cfg+scan+output): wire C/C++ pipeline end-to-end #677 👈 (View in Graphite)
• feat(extraction): C/C++ statement extraction #676
• feat(callgraph): C++ call graph builder #675
• feat(callgraph): C call graph builder #674
• feat(callgraph): C/C++ explicit type inference engines #673
• feat(callgraph): C/C++ module registry and include resolution #672
• feat(graph): C++ parser — classes, namespaces, templates, exception flow #671
• feat(graph): C parser — function defs, types, decls, calls, includes #670
• feat(graph/clike): shared C/C++ AST extraction helpers #669
• feat(graph): C/C++ file detection and tree-sitter parsing foundation #668
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[shivasurya]

Merge activity

• May 3, 1:15 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 3, 1:33 PM UTC: Graphite rebased this pull request as part of a merge.
• May 3, 1:34 PM UTC: @shivasurya merged this pull request with Graphite.