topos.functors.probes.cpg.taint

Taint-flow probe (CPG → ℝ).

A taint flow is a source → sink data-flow path along DDG edges in the CPG, optionally interrupted by a sanitizer. v1 implements a purely syntactic version: we mark every input-like identifier as a source and every dangerous-API call site as a sink; the probe counts DDG paths between them.

Per-language source / sink registries are intentionally tiny — refine when real applications surface false negatives.

topos.functors.probes.cpg.taint.taint_flow_paths(cpg, allow=None)

Count DDG paths from any taint source to any dangerous-API sink.

A DDG path here is a chain of CPG nodes connected by DDG edges; we count distinct (source_node, sink_node) pairs that are reachable.

When allow is given, allowlisted sink patterns are excluded; the default allow=None preserves the canonical metrics behavior.