feat(python-sdk): @c_rule / @cpp_rule decorators with language scoping

[shivasurya]

Summary

Adds C and C++ rule decorators that mirror the existing @go_rule / @python_rule contract. Rules can now be authored with @c_rule(...) / @cpp_rule(...); the decorators inject language="c" / language="cpp" into dataflow IR so DataflowExecutor scopes flows() rules to the right language. Pure calls() matchers stay language-agnostic — same documented contract as @go_rule.

This is the SDK glue half of the C/C++ language support track. Example security rules will land in a follow-up PR.

What's in this PR

• codepathfinder.{c,cpp}_decorators — @c_rule / @cpp_rule with full metadata (id/name/severity/cwe/cve/owasp/tags/message), atexit auto-output for python3 rule.py smoke runs, and clear_*_rules() helpers for test isolation.
• codepathfinder.{c,cpp}_ir — compile_c_rules() / compile_cpp_rules() emit JSON IR with "language" in both rule metadata and matcher dict.
• python-sdk/rules/ shims preserve the existing import path style (from rules.c_decorators import c_rule keeps working).
• dsl/loader.go decorator detector now recognises @c_rule( and @cpp_rule( so the loader can early-filter rule files like it does for @go_rule(.
• 33 unit tests covering metadata, language injection contract (dataflow vs call_matcher), JSON serialisation, registry isolation between C and C++ registries, default-message + default-name behavior, and invalid-matcher error paths.

Validation

End-to-end smoke runs (binary + locally-installed pip install -e python-sdk):

project	C++ functions	call sites	rules loaded	detections
tiny C smoke (4 unsafe calls)	–	–	1	4 unique sites
sglang sgl-kernel/csrc/cpu	337	9,594	2	5 unique sites
proxygen full tree	11,835	66,010	4	35 unique sites

• Class-qualified function names extracted correctly on real code: HTTP1xCodec::generateBody, CAresResolver::Query::queryCallback, TestAsyncTransport::WriteEvent::newEvent, H3DatagramAsyncSocket::deliverDatagram.
• No parse errors against 9.4 MB of production C++ (templates, nested classes, lambdas).
• Wildcard call-matchers (e.g. *memcpy) correctly match qualified C++ calls (std::memcpy) — same contract as @go_rule.

Test plan

• python -m pytest python-sdk/tests/ — 441 passed
• go test ./sast-engine/dsl/ — pass
• golangci-lint run ./dsl/... — 0 issues
• gradle buildGo — clean
• Manual scan: tiny C project (@c_rule + calls()) produces detections with correct file/line/function
• Manual scan: sglang and proxygen — @cpp_rule rules load and detect, function FQNs accurate
• Forbidden-files gate clean (no docs/plans/research files)

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[CLAassistant]

All committers have signed the CLA.

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	14
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.43%. Comparing base (afb74f1) to head (20cb8ce).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #678      +/-   ##
==========================================
+ Coverage   85.41%   85.43%   +0.01%     
==========================================
  Files         187      187              
  Lines       27276    27278       +2     
==========================================
+ Hits        23298    23305       +7     
+ Misses       3086     3082       -4     
+ Partials      892      891       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shivasurya]

• feat(python-sdk): @c_rule / @cpp_rule decorators with language scoping #678 👈 (View in Graphite)
• feat(cfg+scan+output): wire C/C++ pipeline end-to-end #677
• feat(extraction): C/C++ statement extraction #676
• feat(callgraph): C++ call graph builder #675
• feat(callgraph): C call graph builder #674
• feat(callgraph): C/C++ explicit type inference engines #673
• feat(callgraph): C/C++ module registry and include resolution #672
• feat(graph): C++ parser — classes, namespaces, templates, exception flow #671
• feat(graph): C parser — function defs, types, decls, calls, includes #670
• feat(graph/clike): shared C/C++ AST extraction helpers #669
• feat(graph): C/C++ file detection and tree-sitter parsing foundation #668
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[shivasurya]

Merge activity

• May 3, 1:15 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 3, 1:35 PM UTC: Graphite rebased this pull request as part of a merge.
• May 3, 1:36 PM UTC: @shivasurya merged this pull request with Graphite.