cpf/enhancement: Implement call graph builder - Pass 3 (#327)

* feat: Add core data structures for call graph (PR #1)

Add foundational data structures for Python call graph construction:

New Types:
- CallSite: Represents function call locations with arguments and resolution status
- CallGraph: Maps functions to callees with forward/reverse edges
- ModuleRegistry: Maps Python file paths to module paths
- ImportMap: Tracks imports per file for name resolution
- Location: Source code position tracking
- Argument: Function call argument metadata

Features:
- 100% test coverage with comprehensive unit tests
- Bidirectional call graph edges (forward and reverse)
- Support for ambiguous short names in module registry
- Helper functions for module path manipulation

This establishes the foundation for 3-pass call graph algorithm:
- Pass 1 (next PR): Module registry builder
- Pass 2 (next PR): Import extraction and resolution
- Pass 3 (next PR): Call graph construction

Related: Phase 1 - Call Graph Construction & 3-Pass Algorithm

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Implement module registry - Pass 1 of 3-pass algorithm (PR #2)

Implement the first pass of the call graph construction algorithm: building
a complete registry of Python modules by walking the directory tree.

New Features:
- BuildModuleRegistry: Walks directory tree and maps file paths to module paths
- convertToModulePath: Converts file system paths to Python import paths
- shouldSkipDirectory: Filters out venv, __pycache__, build dirs, etc.

Module Path Conversion:
- Handles regular files: myapp/views.py → myapp.views
- Handles packages: myapp/utils/__init__.py → myapp.utils
- Supports deep nesting: myapp/api/v1/endpoints/users.py → myapp.api.v1.endpoints.users
- Cross-platform: Normalizes Windows/Unix path separators

Performance Optimizations:
- Skips 15+ common non-source directories (venv, __pycache__, .git, dist, build, etc.)
- Avoids scanning thousands of dependency files
- Indexes both full module paths and short names for ambiguity detection

Test Coverage: 93%
- Comprehensive unit tests for all conversion scenarios
- Integration tests with real Python project structure
- Edge case handling: empty dirs, non-Python files, deep nesting, permissions
- Error path testing: walk errors, invalid paths, system errors
- Test fixtures: test-src/python/simple_project/ with realistic structure
- Documented: Remaining 7% are untestable OS-level errors (filepath.Abs failures)

This establishes Pass 1 of 3:
- ✅ Pass 1: Module registry (this PR)
- Next: Pass 2 - Import extraction and resolution
- Next: Pass 3 - Call graph construction

Related: Phase 1 - Call Graph Construction & 3-Pass Algorithm
Base Branch: shiva/callgraph-infra-1 (PR #1)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Implement import extraction with tree-sitter - Pass 2 Part A

This PR implements comprehensive import extraction for Python code using
tree-sitter AST parsing. It handles all three main import styles:

1. Simple imports: `import module`
2. From imports: `from module import name`
3. Aliased imports: `import module as alias` and `from module import name as alias`

The implementation uses direct AST traversal instead of tree-sitter queries
for better compatibility and control. It properly handles:
- Multiple imports per line (`from json import dumps, loads`)
- Nested module paths (`import xml.etree.ElementTree`)
- Whitespace variations
- Invalid/malformed syntax (fault-tolerant parsing)

Key functions:
- ExtractImports(): Main entry point that parses code and builds ImportMap
- traverseForImports(): Recursively traverses AST to find import statements
- processImportStatement(): Handles simple and aliased imports
- processImportFromStatement(): Handles from-import statements with proper
  module name skipping to avoid duplicate entries

Test coverage: 92.8% overall, 90-95% for import extraction functions

Test fixtures include:
- simple_imports.py: Basic import statements
- from_imports.py: From import statements with multiple names
- aliased_imports.py: Aliased imports (both simple and from)
- mixed_imports.py: Mixed import styles

All tests passing, linting clean, builds successfully.

This is Pass 2 Part A of the 3-pass call graph algorithm.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Implement relative import resolution - Pass 2 Part B

This PR implements comprehensive relative import resolution for Python using
a 3-pass algorithm. It extends the import extraction system from PR #3 to handle
Python's relative import syntax with dot notation.

Key Changes:

1. **Added FileToModule reverse mapping to ModuleRegistry**
   - Enables O(1) lookup from file path to module path
   - Required for resolving relative imports
   - Updated AddModule() to maintain bidirectional mapping

2. **Implemented resolveRelativeImport() function**
   - Handles single dot (.) for current package
   - Handles multiple dots (.., ...) for parent/grandparent packages
   - Navigates package hierarchy using module path components
   - Clamps excessive dots to root package level
   - Falls back gracefully when file not in registry

3. **Enhanced processImportFromStatement() for relative imports**
   - Detects relative_import nodes in tree-sitter AST
   - Extracts import_prefix (dots) and optional module suffix
   - Resolves relative paths to absolute module paths before adding to ImportMap

4. **Comprehensive test coverage (94.5% overall)**
   - Unit tests for resolveRelativeImport with various dot counts
   - Integration tests with ExtractImports
   - Tests for deeply nested packages
   - Tests for mixed absolute and relative imports
   - Real fixture files with project structure

Relative Import Examples:
- `from . import utils` → "currentpackage.utils"
- `from .. import config` → "parentpackage.config"
- `from ..utils import helper` → "parentpackage.utils.helper"
- `from ...db import query` → "grandparent.db.query"

Test Fixtures:
- Created myapp/submodule/handler.py with all relative import styles
- Created supporting package structure with __init__.py files
- Tests verify correct resolution across package hierarchy

All tests passing, linting clean, builds successfully.

This is Pass 2 Part B of the 3-pass call graph algorithm.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Implement call site extraction from AST - Pass 2 Part C

This PR implements call site extraction from Python source code using
tree-sitter AST parsing. It builds on the import resolution work from
PRs #3 and #4 to prepare for call graph construction in Pass 3.

## Changes

### Core Implementation (callsites.go)

1. **ExtractCallSites()**: Main entry point for extracting call sites
   - Parses Python source with tree-sitter
   - Traverses AST to find all call expressions
   - Returns slice of CallSite objects with location information

2. **traverseForCalls()**: Recursive AST traversal
   - Tracks function context while traversing
   - Updates context when entering function definitions
   - Finds and processes call expressions

3. **processCallExpression()**: Call site processing
   - Extracts callee name (function/method being called)
   - Parses arguments (positional and keyword)
   - Creates CallSite with source location
   - Parameters for importMap and caller reserved for Pass 3

4. **extractCalleeName()**: Callee name extraction
   - Handles simple identifiers: foo()
   - Handles attributes: obj.method(), obj.attr.method()
   - Recursively builds dotted names

5. **extractArguments()**: Argument parsing
   - Extracts all positional arguments
   - Preserves keyword arguments as "name=value" in Value field
   - Tracks argument position and variable status

6. **convertArgumentsToSlice()**: Helper for struct conversion
   - Converts []*Argument to []Argument for CallSite struct

### Comprehensive Tests (callsites_test.go)

Created 17 test functions covering:
- Simple function calls: foo(), bar()
- Method calls: obj.method(), self.helper()
- Arguments: positional, keyword, mixed
- Nested calls: foo(bar(x))
- Multiple functions in one file
- Class methods
- Chained calls: obj.method1().method2()
- Module-level calls (no function context)
- Source location tracking
- Empty files
- Complex arguments: expressions, lists, dicts, lambdas
- Nested method calls: obj.attr.method()
- Real file fixture integration

### Test Fixture (simple_calls.py)

Created realistic test file with:
- Function definitions with various call patterns
- Method calls on objects
- Calls with arguments (positional and keyword)
- Nested calls
- Class methods with self references

## Test Coverage

- Overall: 93.3%
- ExtractCallSites: 90.0%
- traverseForCalls: 93.3%
- processCallExpression: 83.3%
- extractCalleeName: 91.7%
- extractArguments: 87.5%
- convertArgumentsToSlice: 100.0%

## Design Decisions

1. **Keyword argument handling**: Store as "name=value" in Value field
   - Tree-sitter provides full keyword_argument node content
   - Preserves complete argument information for later analysis
   - Separating name/value would require additional parsing

2. **Caller context tracking**: Parameter reserved but not used yet
   - Will be populated in Pass 3 during call graph construction
   - Enables linking call sites to their containing functions

3. **Import map parameter**: Reserved for Pass 3 resolution
   - Will be used to resolve qualified names to FQNs
   - Enables cross-file call graph construction

4. **Location tracking**: Store exact position for each call site
   - File, line, column information
   - Enables precise error reporting and code navigation

## Testing Strategy

- Unit tests for each extraction function
- Integration tests with tree-sitter AST
- Real file fixture for end-to-end validation
- Edge cases: empty files, no context, nested structures

## Next Steps (PR #6)

Pass 3 will use this call site data to:
1. Build the complete call graph structure
2. Resolve call targets to function definitions
3. Link caller and callee through edges
4. Handle disambiguation for overloaded names

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Implement call graph builder - Pass 3

This PR completes the 3-pass algorithm for building Python call graphs
by implementing the final pass that resolves call targets and constructs
the complete graph structure with edges linking callers to callees.

## Changes

### Core Implementation (builder.go)

1. **BuildCallGraph()**: Main entry point for Pass 3
   - Indexes all function definitions from code graph
   - Iterates through all Python files in the registry
   - Extracts imports and call sites for each file
   - Resolves each call site to its target function
   - Builds edges and stores call site details
   - Returns complete CallGraph with all relationships

2. **indexFunctions()**: Function indexing
   - Scans code graph for all function/method definitions
   - Maps each function to its FQN using module registry
   - Populates CallGraph.Functions map for quick lookup

3. **getFunctionsInFile()**: File-scoped function retrieval
   - Filters code graph nodes by file path
   - Returns only function/method definitions in that file
   - Used for finding containing functions of call sites

4. **findContainingFunction()**: Call site parent resolution
   - Determines which function contains a given call site
   - Uses line number comparison with nearest-match algorithm
   - Finds function with highest line number ≤ call line
   - Returns empty string for module-level calls

5. **resolveCallTarget()**: Core resolution logic
   - Handles simple names: sanitize() → myapp.utils.sanitize
   - Handles qualified names: utils.sanitize() → myapp.utils.sanitize
   - Resolves through import maps first
   - Falls back to same-module resolution
   - Validates FQNs against module registry
   - Returns (FQN, resolved bool) tuple

6. **validateFQN()**: FQN validation
   - Checks if a fully qualified name exists in registry
   - Handles both modules and functions within modules
   - Validates parent module for function FQNs

7. **readFileBytes()**: File reading helper
   - Reads source files for parsing
   - Handles absolute path conversion

### Comprehensive Tests (builder_test.go)

Created 15 test functions covering:

**Resolution Tests:**
- Simple imported function resolution
- Qualified import resolution (module.function)
- Same-module function resolution
- Unresolved method calls (obj.method)
- Non-existent function handling

**Validation Tests:**
- Module existence validation
- Function-in-module validation
- Non-existent module handling

**Helper Function Tests:**
- Function indexing from code graph
- Functions-in-file filtering
- Containing function detection with edge cases

**Integration Tests:**
- Simple single-file call graph
- Multi-file call graph with imports
- Real test fixture integration

## Test Coverage

- Overall: 91.8%
- BuildCallGraph: 80.8%
- indexFunctions: 87.5%
- getFunctionsInFile: 100.0%
- findContainingFunction: 100.0%
- resolveCallTarget: 85.0%
- validateFQN: 100.0%
- readFileBytes: 75.0%

## Algorithm Overview

Pass 3 ties together all previous work:

### Pass 1 (PR #2): BuildModuleRegistry
- Maps file paths to module paths
- Enables FQN generation

### Pass 2 (PRs #3-5): Import & Call Site Extraction
- ExtractImports: Maps local names to FQNs
- ExtractCallSites: Finds all function calls in AST

### Pass 3 (This PR): Call Graph Construction
- Resolves call targets using import maps
- Links callers to callees with edges
- Validates resolutions against registry
- Stores detailed call site information

## Resolution Strategy

The resolver uses a multi-step approach:

1. **Simple names** (no dots):
   - Check import map first
   - Fall back to same-module lookup
   - Return unresolved if neither works

2. **Qualified names** (with dots):
   - Split into base + rest
   - Resolve base through imports
   - Append rest to get full FQN
   - Try current module if not imported

3. **Validation**:
   - Check if target exists in registry
   - For functions, validate parent module exists
   - Mark resolution success/failure

## Design Decisions

1. **Containing function detection**:
   - Uses nearest-match algorithm based on line numbers
   - Finds function with highest line number ≤ call line
   - Handles module-level calls by returning empty FQN

2. **Resolution priority**:
   - Import map takes precedence over same-module
   - Explicit imports always respected even if unresolved
   - Same-module only tried when not in imports

3. **Validation vs Resolution**:
   - Resolution finds FQN from imports/context
   - Validation checks if FQN exists in registry
   - Both pieces of information stored in CallSite

4. **Error handling**:
   - Continues processing even if some files fail
   - Marks individual call sites as unresolved
   - Returns partial graph instead of failing completely

## Next Steps

The call graph infrastructure is now complete. Future PRs will:

- PR #7: Add CFG data structures for control flow analysis
- PR #8: Implement pattern matching for security rules
- PR #9: Integrate into main initialization pipeline
- PR #10: Add comprehensive documentation and examples
- PR #11: Performance optimizations (caching, pooling)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: shivasurya

sourcecode-parser/graph/callgraph/builder.go

@@ -0,0 +1,321 @@
+package callgraph
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/shivasurya/code-pathfinder/sourcecode-parser/graph"
+)
+
+// BuildCallGraph constructs the complete call graph for a Python project.
+// This is Pass 3 of the 3-pass algorithm:
+//   - Pass 1: BuildModuleRegistry - map files to modules
+//   - Pass 2: ExtractImports + ExtractCallSites - parse imports and calls
+//   - Pass 3: BuildCallGraph - resolve calls and build graph
+//
+// Algorithm:
+//  1. For each Python file in the project:
+//     a. Extract imports to build ImportMap
+//     b. Extract call sites from AST
+//     c. Extract function definitions from main graph
+//  2. For each call site:
+//     a. Resolve target name using ImportMap
+//     b. Find target function definition in registry
+//     c. Add edge from caller to callee
+//     d. Store detailed call site information
+//
+// Parameters:
+//   - codeGraph: the existing code graph with parsed AST nodes
+//   - registry: module registry mapping files to modules
+//   - projectRoot: absolute path to project root
+//
+// Returns:
+//   - CallGraph: complete call graph with edges and call sites
+//   - error: if any step fails
+//
+// Example:
+//   Given:
+//     File: myapp/views.py
+//       def get_user():
+//           sanitize(data)  # call to myapp.utils.sanitize
+//
+//   Creates:
+//     edges: {"myapp.views.get_user": ["myapp.utils.sanitize"]}
+//     reverseEdges: {"myapp.utils.sanitize": ["myapp.views.get_user"]}
+//     callSites: {"myapp.views.get_user": [CallSite{Target: "sanitize", ...}]}
+func BuildCallGraph(codeGraph *graph.CodeGraph, registry *ModuleRegistry, projectRoot string) (*CallGraph, error) {
+	callGraph := NewCallGraph()
+
+	// First, index all function definitions from the code graph
+	// This builds the Functions map for quick lookup
+	indexFunctions(codeGraph, callGraph, registry)
+
+	// Process each Python file in the project
+	for modulePath, filePath := range registry.Modules {
+		// Skip non-Python files
+		if !strings.HasSuffix(filePath, ".py") {
+			continue
+		}
+
+		// Read source code for parsing
+		sourceCode, err := readFileBytes(filePath)
+		if err != nil {
+			// Skip files we can't read
+			continue
+		}
+
+		// Extract imports to build ImportMap for this file
+		importMap, err := ExtractImports(filePath, sourceCode, registry)
+		if err != nil {
+			// Skip files with import errors
+			continue
+		}
+
+		// Extract all call sites from this file
+		callSites, err := ExtractCallSites(filePath, sourceCode, importMap)
+		if err != nil {
+			// Skip files with call site extraction errors
+			continue
+		}
+
+		// Get all function definitions in this file
+		fileFunctions := getFunctionsInFile(codeGraph, filePath)
+
+		// Process each call site to resolve targets and build edges
+		for _, callSite := range callSites {
+			// Find the caller function containing this call site
+			callerFQN := findContainingFunction(callSite.Location, fileFunctions, modulePath)
+			if callerFQN == "" {
+				// Call at module level - use module name as caller
+				callerFQN = modulePath
+			}
+
+			// Resolve the call target to a fully qualified name
+			targetFQN, resolved := resolveCallTarget(callSite.Target, importMap, registry, modulePath)
+
+			// Update call site with resolution information
+			callSite.TargetFQN = targetFQN
+			callSite.Resolved = resolved
+
+			// Add call site to graph (dereference pointer)
+			callGraph.AddCallSite(callerFQN, *callSite)
+
+			// Add edge if we successfully resolved the target
+			if resolved {
+				callGraph.AddEdge(callerFQN, targetFQN)
+			}
+		}
+	}
+
+	return callGraph, nil
+}
+
+// indexFunctions builds the Functions map in the call graph.
+// Extracts all function definitions from the code graph and maps them by FQN.
+//
+// Parameters:
+//   - codeGraph: the parsed code graph
+//   - callGraph: the call graph being built
+//   - registry: module registry for resolving file paths to modules
+func indexFunctions(codeGraph *graph.CodeGraph, callGraph *CallGraph, registry *ModuleRegistry) {
+	for _, node := range codeGraph.Nodes {
+		// Only index function/method definitions
+		if node.Type != "method_declaration" && node.Type != "function_definition" {
+			continue
+		}
+
+		// Get the module path for this function's file
+		modulePath, ok := registry.FileToModule[node.File]
+		if !ok {
+			continue
+		}
+
+		// Build fully qualified name: module.function
+		fqn := modulePath + "." + node.Name
+		callGraph.Functions[fqn] = node
+	}
+}
+
+// getFunctionsInFile returns all function definitions in a specific file.
+//
+// Parameters:
+//   - codeGraph: the parsed code graph
+//   - filePath: absolute path to the file
+//
+// Returns:
+//   - List of function/method nodes in the file, sorted by line number
+func getFunctionsInFile(codeGraph *graph.CodeGraph, filePath string) []*graph.Node {
+	var functions []*graph.Node
+
+	for _, node := range codeGraph.Nodes {
+		if node.File == filePath &&
+			(node.Type == "method_declaration" || node.Type == "function_definition") {
+			functions = append(functions, node)
+		}
+	}
+
+	return functions
+}
+
+// findContainingFunction finds the function that contains a given call site location.
+// Uses line numbers to determine which function a call belongs to.
+//
+// Algorithm:
+//  1. Iterate through all functions in the file
+//  2. Find function with the highest line number that's still <= call line
+//  3. Return the FQN of that function
+//
+// Parameters:
+//   - location: source location of the call site
+//   - functions: all function definitions in the file
+//   - modulePath: module path of the file
+//
+// Returns:
+//   - Fully qualified name of the containing function, or empty if not found
+func findContainingFunction(location Location, functions []*graph.Node, modulePath string) string {
+	var bestMatch *graph.Node
+	var bestLine uint32
+
+	for _, fn := range functions {
+		// Check if call site is after this function definition
+		if uint32(location.Line) >= fn.LineNumber {
+			// Keep track of the closest preceding function
+			if bestMatch == nil || fn.LineNumber > bestLine {
+				bestMatch = fn
+				bestLine = fn.LineNumber
+			}
+		}
+	}
+
+	if bestMatch != nil {
+		return modulePath + "." + bestMatch.Name
+	}
+
+	return ""
+}
+
+// resolveCallTarget resolves a call target name to a fully qualified name.
+// This is the core resolution logic that handles:
+//   - Direct function calls: sanitize() → myapp.utils.sanitize
+//   - Method calls: obj.method() → (unresolved, needs type inference)
+//   - Imported functions: from utils import sanitize; sanitize() → myapp.utils.sanitize
+//   - Qualified calls: utils.sanitize() → myapp.utils.sanitize
+//
+// Algorithm:
+//  1. Check if target is a simple name (no dots)
+//     a. Look up in import map
+//     b. If found, return FQN from import
+//     c. If not found, try to find in same module
+//  2. If target has dots (qualified name)
+//     a. Split into base and rest
+//     b. Resolve base using import map
+//     c. Append rest to get full FQN
+//  3. If all else fails, check if it exists in the registry
+//
+// Parameters:
+//   - target: the call target name (e.g., "sanitize", "utils.sanitize", "obj.method")
+//   - importMap: import mappings for the current file
+//   - registry: module registry for validation
+//   - currentModule: the module containing this call
+//
+// Returns:
+//   - Fully qualified name of the target
+//   - Boolean indicating if resolution was successful
+//
+// Examples:
+//   target="sanitize", imports={"sanitize": "myapp.utils.sanitize"}
+//     → "myapp.utils.sanitize", true
+//
+//   target="utils.sanitize", imports={"utils": "myapp.utils"}
+//     → "myapp.utils.sanitize", true
+//
+//   target="obj.method", imports={}
+//     → "obj.method", false  (needs type inference)
+func resolveCallTarget(target string, importMap *ImportMap, registry *ModuleRegistry, currentModule string) (string, bool) {
+	// Handle simple names (no dots)
+	if !strings.Contains(target, ".") {
+		// Try to resolve through imports
+		if fqn, ok := importMap.Resolve(target); ok {
+			// Found in imports - return the FQN
+			// Validate if it exists in registry
+			resolved := validateFQN(fqn, registry)
+			return fqn, resolved
+		}
+
+		// Not in imports - might be in same module
+		sameLevelFQN := currentModule + "." + target
+		if validateFQN(sameLevelFQN, registry) {
+			return sameLevelFQN, true
+		}
+
+		// Can't resolve - return as-is
+		return target, false
+	}
+
+	// Handle qualified names (with dots)
+	parts := strings.SplitN(target, ".", 2)
+	base := parts[0]
+	rest := parts[1]
+
+	// Try to resolve base through imports
+	if baseFQN, ok := importMap.Resolve(base); ok {
+		fullFQN := baseFQN + "." + rest
+		if validateFQN(fullFQN, registry) {
+			return fullFQN, true
+		}
+		return fullFQN, false
+	}
+
+	// Base not in imports - might be module-level access
+	// Try current module
+	fullFQN := currentModule + "." + target
+	if validateFQN(fullFQN, registry) {
+		return fullFQN, true
+	}
+
+	// Can't resolve - return as-is
+	return target, false
+}
+
+// validateFQN checks if a fully qualified name exists in the registry.
+// Handles both module names and function names within modules.
+//
+// Examples:
+//   "myapp.utils" - checks if module exists
+//   "myapp.utils.sanitize" - checks if module "myapp.utils" exists
+//
+// Parameters:
+//   - fqn: fully qualified name to validate
+//   - registry: module registry
+//
+// Returns:
+//   - true if FQN is valid (module or function in existing module)
+func validateFQN(fqn string, registry *ModuleRegistry) bool {
+	// Check if it's a module
+	if _, ok := registry.Modules[fqn]; ok {
+		return true
+	}
+
+	// Check if parent module exists (for functions)
+	// "myapp.utils.sanitize" → check if "myapp.utils" exists
+	lastDot := strings.LastIndex(fqn, ".")
+	if lastDot > 0 {
+		parentModule := fqn[:lastDot]
+		if _, ok := registry.Modules[parentModule]; ok {
+			return true
+		}
+	}
+
+	return false
+}
+
+// readFileBytes reads a file and returns its contents as a byte slice.
+// Helper function for reading source code.
+func readFileBytes(filePath string) ([]byte, error) {
+	absPath, err := filepath.Abs(filePath)
+	if err != nil {
+		return nil, err
+	}
+	return os.ReadFile(absPath)
+}