feat(callgraph): C call graph builder

[shivasurya]

Summary

Adds BuildCCallGraph — a four-pass algorithm that produces a *core.CallGraph for C projects, ready to merge into the unified graph alongside Python/Go.

Pass	Purpose
1	Index every C function_definition under \"<relpath>::<name>\" and ensure the FQN is also in registry.FunctionIndex
2	Register explicit return types (skipping void) and emit ParameterSymbol entries for every named parameter
3	Walk parser-emitted edges (function_definition → call_expression) to extract one CallSiteInternal per call — no second AST traversal
4	Resolve targets in a definition-preferring order, then emit edges and CallSite records

Resolution order (Pass 4)

1. Same-file definition — common case (helper in same .c); deterministic and independent of include state.
2. Global definition — scan registry.FunctionIndex[name] for an FQN whose call-graph entry is a definition. Handles cross-.c calls.
3. Same-file declaration — accept a forward declaration when no definition exists project-wide.
4. Declaration reachable through #include — last resort so externs handed off to another translation unit still surface as edges.

Calls that don't match any source produce a CallSite{Resolved: false, FailureReason: \"external_or_unresolved\"} — stdlib calls (printf, malloc) and unknown function pointers remain visible to rule writers without polluting the edge set.

Design notes

• Edges from the parser: every parseCCallExpression adds an edge from the enclosing function to the call node. The builder walks OutgoingEdges of each indexed function instead of doing byte-range containment, keeping Pass 3 deterministic and trivially testable.
• Definition vs declaration: the parser sets Metadata[\"is_declaration\"]=true on prototype/extern decls. isDeclaration() reads that key with a typed assertion so non-declaration nodes (no metadata) fall through correctly.
• Recursion: self-edges (process → process) are emitted as-is; the call graph already deduplicates via AddEdge.
• Static functions: same FQN-by-file mechanism — file-scope statics in different .c files map to disjoint FQNs.
• Unique FunctionIndex entries: Pass 1 dedupes against the registry's existing FunctionIndex so calling BuildCCallGraph after BuildCModuleRegistry is idempotent.

Test plan

• go build ./...
• go test ./... — full suite green
• go vet ./...
• golangci-lint run ./graph/callgraph/builder/ — 0 issues
• Coverage on c_builder.go lines: ~89.6%
• Spec scenarios covered:
  • Single-file main() → add() edge
  • Cross-file .c definition preferred over .h declaration
  • Header declaration via #include fallback
  • printf (stdlib) recorded as Resolved:false with failure reason
  • Recursive self-call
  • Same name in two .c files (file-scope statics)
  • Type engine populated; void returns dropped
  • Parameters indexed (anonymous params skipped)
  • Declarations skipped from Pass 2 type extraction
  • Merges cleanly into an empty unified graph
  • Non-C nodes ignored (mixed-language safety)
  • Anonymous / missing-file functions filtered
  • Empty-target call_expression produces no edge and no recorded site
  • Cross-.c global lookup works without an #include
  • Same-file forward declaration accepted when no definition exists

Stacked on

shiva/cpp-type-inference (#673)

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	2
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 88.35616% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.30%. Comparing base (47d63d3) to head (3055d72).

Files with missing lines	Patch %	Lines
sast-engine/graph/callgraph/builder/c_builder.go	88.35%	11 Missing and 6 partials ⚠️

Additional details and impacted files

@@                     Coverage Diff                      @@
##           shiva/cpp-type-inference     #674      +/-   ##
============================================================
+ Coverage                     85.28%   85.30%   +0.01%     
============================================================
  Files                           182      183       +1     
  Lines                         26399    26545     +146     
============================================================
+ Hits                          22515    22644     +129     
- Misses                         3023     3034      +11     
- Partials                        861      867       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.