sink_pattern("request.env[*].sudo().*") — an AST/token-level attribute-chain matcher usable inside .reachable_to(pa.callsites(sink_pattern(...))) (#155 §3).
The escape hatch for dynamic-dispatch-heavy code (ORMs, message buses) where the resolved call graph cannot see the sinks. Matches are labeled structural by definition. Also bridges Bandit-/Semgrep-style pattern rules into CLDK without re-implementing them.
Part of #155. Branch: feat/issue-<n>.
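A sketch of how an attribute-chain matcher for this pattern could work over Python's ast module. This is an added example, not CLDK code: the helper names (compile_pattern, flatten, find_callsites) and the reading of [*], () and * are assumptions, and the sample source is constructed.

```python
# Added illustration, not CLDK code. Assumed pattern semantics: "[*]" = any
# subscript, "()" = a call, "*" = any attribute name, whole callee must match.
import ast
import re

TOKEN = re.compile(r"\[\*\]|\(\)|\*|[A-Za-z_]\w*")

def compile_pattern(pattern):
    """'a.b[*].c()' -> [('id','a'), ('id','b'), ('sub',), ('id','c'), ('call',)]"""
    kinds = {"[*]": ("sub",), "()": ("call",)}
    return [kinds.get(t, ("id", t)) for t in TOKEN.findall(pattern)]

def flatten(node):
    """Flatten an expression into the same step list; None if not name-rooted."""
    if isinstance(node, ast.Name):
        return [("id", node.id)]
    if isinstance(node, ast.Attribute):
        step, inner = ("id", node.attr), node.value
    elif isinstance(node, ast.Subscript):
        step, inner = ("sub",), node.value
    elif isinstance(node, ast.Call):
        step, inner = ("call",), node.func
    else:
        return None
    head = flatten(inner)
    return None if head is None else head + [step]

def step_matches(pat, got):
    return pat == got or (pat == ("id", "*") and got[0] == "id")

def find_callsites(source, pattern):
    """Return sorted (lineno, callee text) for calls whose callee matches."""
    steps = compile_pattern(pattern)
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            chain = flatten(node.func)
            if chain and len(chain) == len(steps) and all(map(step_matches, steps, chain)):
                hits.append((node.lineno, ast.unparse(node.func)))
    return sorted(hits)

# Constructed sample: line 4 lacks sudo(); line 6 is aliased, so a structural match misses it.
SAMPLE = '''def handler(request, model):
    request.env["res.users"].sudo().search([])
    request.env[model].sudo().unlink()
    request.env["res.users"].search([])
    env = request.env
    env["res.partner"].sudo().write({})
'''
```

Calling find_callsites(SAMPLE, "request.env[*].sudo().*") reports the calls on lines 2 and 3 only; the aliased call on line 6 is the kind of case that needs data-flow rather than a structural match.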