feat(python-sdk): @c_rule / @cpp_rule decorators with language scoping

[shivasurya]

Summary

Adds C and C++ rule decorators that mirror the existing @go_rule / @python_rule contract. Rules can now be authored with @c_rule(...) / @cpp_rule(...); the decorators inject language="c" / language="cpp" into dataflow IR so DataflowExecutor scopes flows() rules to the right language. Pure calls() matchers stay language-agnostic — same documented contract as @go_rule.

This is the SDK glue half of the C/C++ language support track. Example security rules will land in a follow-up PR.

What's in this PR

• codepathfinder.{c,cpp}_decorators — @c_rule / @cpp_rule with full metadata (id/name/severity/cwe/cve/owasp/tags/message), atexit auto-output for python3 rule.py smoke runs, and clear_*_rules() helpers for test isolation.
• codepathfinder.{c,cpp}_ir — compile_c_rules() / compile_cpp_rules() emit JSON IR with "language" in both rule metadata and matcher dict.
• python-sdk/rules/ shims preserve the existing import path style (from rules.c_decorators import c_rule keeps working).
• dsl/loader.go decorator detector now recognises @c_rule( and @cpp_rule( so the loader can early-filter rule files like it does for @go_rule(.
• 33 unit tests covering metadata, language injection contract (dataflow vs call_matcher), JSON serialisation, registry isolation between C and C++ registries, default-message + default-name behavior, and invalid-matcher error paths.

Validation

End-to-end smoke runs (binary + locally-installed pip install -e python-sdk):

project	C++ functions	call sites	rules loaded	detections
tiny C smoke (4 unsafe calls)	–	–	1	4 unique sites
sglang sgl-kernel/csrc/cpu	337	9,594	2	5 unique sites
proxygen full tree	11,835	66,010	4	35 unique sites

• Class-qualified function names extracted correctly on real code: HTTP1xCodec::generateBody, CAresResolver::Query::queryCallback, TestAsyncTransport::WriteEvent::newEvent, H3DatagramAsyncSocket::deliverDatagram.
• No parse errors against 9.4 MB of production C++ (templates, nested classes, lambdas).
• Wildcard call-matchers (e.g. *memcpy) correctly match qualified C++ calls (std::memcpy) — same contract as @go_rule.

Test plan

• python -m pytest python-sdk/tests/ — 441 passed
• go test ./sast-engine/dsl/ — pass
• golangci-lint run ./dsl/... — 0 issues
• gradle buildGo — clean
• Manual scan: tiny C project (@c_rule + calls()) produces detections with correct file/line/function
• Manual scan: sglang and proxygen — @cpp_rule rules load and detect, function FQNs accurate
• Forbidden-files gate clean (no docs/plans/research files)

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[CLAassistant]

All committers have signed the CLA.

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	11
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.40%. Comparing base (b3fad0e) to head (e13bd29).

Additional details and impacted files

@@                 Coverage Diff                 @@
##           shiva/cpp-cfg-scan     #678   +/-   ##
===================================================
  Coverage               85.40%   85.40%           
===================================================
  Files                     187      187           
  Lines                   27276    27278    +2     
===================================================
+ Hits                    23296    23298    +2     
  Misses                   3087     3087           
  Partials                  893      893           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.