feat: resolve stdlib call: attribute placeholders via CDN registry (#618)

* feat: resolve call: attribute placeholders via stdlib/thirdparty registry

When ResolveAttributePlaceholders encounters a call: placeholder like
'call:sqlite3.connect' that doesn't match a project function, it now
falls back to checking the stdlib and third-party CDN registries for
the function's return type or constructor. This resolves attribute types
for stdlib calls (e.g., sqlite3.connect → sqlite3.Connection) and
constructors (e.g., configparser.ConfigParser), enabling deep chain
resolution through stdlib intermediate types.

Project ReturnTypes lookup still takes priority over stdlib fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: 100% coverage for call: placeholder stdlib/thirdparty resolution

Edge case tests for resolveCallPlaceholderViaRegistry and tryRegistryLookup:
- nil typeEngine safety
- single-part funcName (no dots) skipped
- unknown/empty return type skipped
- stdlib checked before thirdparty (ordering guarantee)
- thirdparty constructor fallback
- unknown module stays unresolved

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: extract dotted call types and use silentLogger for stdlib resolution

Three fixes to complete the stdlib attribute type propagation:

1. extraction/attributes.go: Handle attribute nodes (dotted calls like
   sqlite3.connect) in inferFromFunctionCall, not just identifiers. This
   creates call:sqlite3.connect placeholders for self.conn = sqlite3.connect().

2. resolution/attribute.go: Use a silentLogger (io.Discard writer) for
   stdlib/thirdparty registry lookups instead of nil, preventing panic
   when modules need to be lazy-loaded from CDN during attribute resolution.

3. registry/{stdlib,thirdparty}_remote.go: Add GetCachedModule() method
   for cache-only lookups without CDN downloads.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: 100% coverage for call: placeholder stdlib/thirdparty resolution

Cover all lines flagged by Codecov:
- extraction/attributes.go: dotted call extraction (sqlite3.connect)
- registry/stdlib_remote.go: GetCachedModule
- registry/thirdparty_remote.go: GetCachedModule

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: shivasurya

sast-engine/graph/callgraph/extraction/attributes.go

@@ -631,6 +631,19 @@ func inferFromFunctionCall(node *sitter.Node, sourceCode []byte, _ *resolution.T
 		}
 	}
 
+	// Dotted function/constructor call: module.func() or module.Class()
+	// Examples: sqlite3.connect(path), configparser.ConfigParser(), logging.getLogger(name)
+	if funcNode.Type() == "attribute" {
+		fullName := funcNode.Content(sourceCode)
+		if len(fullName) > 0 && strings.Contains(fullName, ".") {
+			return &core.TypeInfo{
+				TypeFQN:    "call:" + fullName,
+				Confidence: 0.8,
+				Source:     "function_call_attribute",
+			}
+		}
+	}
+
 	return nil
 }
 

sast-engine/graph/callgraph/extraction/attributes_test.go

@@ -0,0 +1,54 @@
+package extraction
+
+import (
+	"testing"
+
+	"github.com/shivasurya/code-pathfinder/sast-engine/graph/callgraph/core"
+	"github.com/shivasurya/code-pathfinder/sast-engine/graph/callgraph/registry"
+	"github.com/shivasurya/code-pathfinder/sast-engine/graph/callgraph/resolution"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExtractClassAttributes_DottedCallPlaceholder(t *testing.T) {
+	source := []byte(`
+import sqlite3
+import configparser
+
+class DbWrapper:
+    def __init__(self, path):
+        self.conn = sqlite3.connect(path)
+
+class ConfigWrapper:
+    def __init__(self):
+        self.parser = configparser.ConfigParser()
+
+class SimpleWrapper:
+    def __init__(self):
+        self.data = {}
+        self.name = "test"
+        self.items = []
+`)
+
+	moduleRegistry := core.NewModuleRegistry()
+	typeEngine := resolution.NewTypeInferenceEngine(moduleRegistry)
+	typeEngine.Attributes = registry.NewAttributeRegistry()
+
+	err := ExtractClassAttributes("test.py", source, "test_module", typeEngine, typeEngine.Attributes)
+	require.NoError(t, err)
+
+	// Dotted call: sqlite3.connect → call:sqlite3.connect
+	attr := typeEngine.Attributes.GetAttribute("test_module.DbWrapper", "conn")
+	require.NotNil(t, attr, "conn attribute should be extracted")
+	assert.Equal(t, "call:sqlite3.connect", attr.Type.TypeFQN)
+
+	// Dotted constructor: configparser.ConfigParser → call:configparser.ConfigParser
+	attr = typeEngine.Attributes.GetAttribute("test_module.ConfigWrapper", "parser")
+	require.NotNil(t, attr, "parser attribute should be extracted")
+	assert.Equal(t, "call:configparser.ConfigParser", attr.Type.TypeFQN)
+
+	// Literal dict
+	attr = typeEngine.Attributes.GetAttribute("test_module.SimpleWrapper", "data")
+	require.NotNil(t, attr)
+	assert.Equal(t, "builtins.dict", attr.Type.TypeFQN)
+}

sast-engine/graph/callgraph/registry/stdlib_remote.go

@@ -214,6 +214,14 @@ func (r *StdlibRegistryRemote) HasModule(moduleName string) bool {
 	return false
 }
 
+// GetCachedModule retrieves a module from the in-memory cache without triggering a CDN download.
+// Returns nil if the module is not cached. Safe to call without a logger.
+func (r *StdlibRegistryRemote) GetCachedModule(moduleName string) *core.StdlibModule {
+	r.CacheMutex.RLock()
+	defer r.CacheMutex.RUnlock()
+	return r.ModuleCache[moduleName]
+}
+
 // GetFunction retrieves a function from a module, downloading the module if needed.
 //
 // Parameters:

sast-engine/graph/callgraph/registry/stdlib_remote_test.go

@@ -981,3 +981,27 @@ func TestStdlibRegistryRemote_FindClassMethodAlias_Inherited(t *testing.T) {
 	assert.Equal(t, "Base", className)
 	assert.Equal(t, "builtins.bytes", method.ReturnType)
 }
+
+func TestStdlibRegistryRemote_GetCachedModule(t *testing.T) {
+	remote := NewStdlibRegistryRemote("https://example.com", "3.14")
+	remote.Manifest = &core.Manifest{
+		Modules: []*core.ModuleEntry{{Name: "os"}},
+	}
+
+	// Not cached — returns nil without downloading
+	result := remote.GetCachedModule("os")
+	assert.Nil(t, result, "should return nil when module not in cache")
+
+	// Pre-populate cache
+	module := &core.StdlibModule{Module: "os", Functions: map[string]*core.StdlibFunction{}}
+	remote.ModuleCache["os"] = module
+
+	// Now cached — returns the module
+	result = remote.GetCachedModule("os")
+	assert.NotNil(t, result)
+	assert.Equal(t, "os", result.Module)
+
+	// Different module — still nil
+	result = remote.GetCachedModule("sys")
+	assert.Nil(t, result)
+}

sast-engine/graph/callgraph/registry/thirdparty_remote.go

@@ -171,6 +171,14 @@ func (r *ThirdPartyRegistryRemote) HasModule(moduleName string) bool {
 	return false
 }
 
+// GetCachedModule retrieves a module from the in-memory cache without triggering a CDN download.
+// Returns nil if the module is not cached. Safe to call without a logger.
+func (r *ThirdPartyRegistryRemote) GetCachedModule(moduleName string) *core.StdlibModule {
+	r.CacheMutex.RLock()
+	defer r.CacheMutex.RUnlock()
+	return r.ModuleCache[moduleName]
+}
+
 // GetFunction retrieves a function from a module, downloading the module if needed.
 func (r *ThirdPartyRegistryRemote) GetFunction(moduleName, functionName string, logger *output.Logger) *core.StdlibFunction {
 	module, err := r.GetModule(moduleName, logger)

sast-engine/graph/callgraph/registry/thirdparty_remote_test.go

@@ -598,3 +598,27 @@ func TestVerifyThirdPartyChecksum_Deterministic(t *testing.T) {
 	assert.True(t, verifyThirdPartyChecksum(data2, checksum),
 		"checksum of first marshal must verify against second marshal")
 }
+
+func TestThirdPartyRegistryRemote_GetCachedModule(t *testing.T) {
+	remote := NewThirdPartyRegistryRemote("https://example.com")
+	remote.Manifest = &core.Manifest{
+		Modules: []*core.ModuleEntry{{Name: "flask"}},
+	}
+
+	// Not cached — returns nil without downloading
+	result := remote.GetCachedModule("flask")
+	assert.Nil(t, result, "should return nil when module not in cache")
+
+	// Pre-populate cache
+	module := &core.StdlibModule{Module: "flask", Functions: map[string]*core.StdlibFunction{}}
+	remote.ModuleCache["flask"] = module
+
+	// Now cached — returns the module
+	result = remote.GetCachedModule("flask")
+	assert.NotNil(t, result)
+	assert.Equal(t, "flask", result.Module)
+
+	// Different module — still nil
+	result = remote.GetCachedModule("django")
+	assert.Nil(t, result)
+}

sast-engine/graph/callgraph/resolution/attribute.go

@@ -2,14 +2,20 @@ package resolution
 
 import (
 	"fmt"
+	"io"
 	"slices"
 	"strings"
 
 	"github.com/shivasurya/code-pathfinder/sast-engine/graph"
 	"github.com/shivasurya/code-pathfinder/sast-engine/graph/callgraph/core"
 	"github.com/shivasurya/code-pathfinder/sast-engine/graph/callgraph/registry"
+	"github.com/shivasurya/code-pathfinder/sast-engine/output"
 )
 
+// silentLogger is a shared logger that discards all output.
+// Used for registry lookups during attribute resolution where no logger is available.
+var silentLogger = output.NewLoggerWithWriter(output.VerbosityDefault, io.Discard)
+
 // FailureStats tracks why attribute chain resolution fails.
 type FailureStats struct {
 	TotalAttempts          int
@@ -539,7 +545,11 @@ func ResolveAttributePlaceholders(
 					attr.Type.TypeFQN = returnType.TypeFQN
 					attr.Type.Confidence = returnType.Confidence * 0.8 // Decay confidence
 					attr.Type.Source = "function_call_attribute"
+					break
 				}
+
+				// Fallback: try stdlib/thirdparty registry for calls like "sqlite3.connect"
+				resolveCallPlaceholderViaRegistry(funcName, attr, typeEngine)
 			case strings.HasPrefix(originalType, "param:"):
 				// param:User → resolve type annotation
 				typeName := strings.TrimPrefix(originalType, "param:")
@@ -556,6 +566,74 @@ func ResolveAttributePlaceholders(
 	}
 }
 
+// resolveCallPlaceholderViaRegistry resolves a "call:" placeholder by checking
+// the stdlib and third-party CDN registries for the function's return type.
+// For example, "sqlite3.connect" → checks stdlib for return type → "sqlite3.Connection".
+// Also handles constructor calls like "configparser.ConfigParser" → "configparser.ConfigParser".
+func resolveCallPlaceholderViaRegistry(funcName string, attr *core.ClassAttribute, typeEngine *TypeInferenceEngine) {
+	if typeEngine == nil {
+		return
+	}
+
+	// Split "sqlite3.connect" → module="sqlite3", name="connect".
+	lastDot := strings.LastIndex(funcName, ".")
+	if lastDot < 0 {
+		return
+	}
+	moduleName := funcName[:lastDot]
+	name := funcName[lastDot+1:]
+
+	tryRegistryLookup(moduleName, name, attr, typeEngine)
+}
+
+// tryRegistryLookup checks stdlib then thirdparty for a function or constructor.
+// Uses silentLogger for registry lookups that may trigger lazy module downloads.
+func tryRegistryLookup(moduleName, name string, attr *core.ClassAttribute, typeEngine *TypeInferenceEngine) bool {
+	// Check stdlib
+	if typeEngine.StdlibRemote != nil {
+		if loader, ok := typeEngine.StdlibRemote.(*registry.StdlibRegistryRemote); ok && loader.HasModule(moduleName) {
+			// Try as function (e.g., sqlite3.connect → returns sqlite3.Connection)
+			fn := loader.GetFunction(moduleName, name, silentLogger)
+			if fn != nil && fn.ReturnType != "" && fn.ReturnType != "unknown" {
+				attr.Type.TypeFQN = fn.ReturnType
+				attr.Type.Confidence = fn.Confidence * 0.85
+				attr.Type.Source = "stdlib_function_call_attribute"
+				return true
+			}
+			// Try as constructor (e.g., configparser.ConfigParser → type is configparser.ConfigParser)
+			cls := loader.GetClass(moduleName, name, silentLogger)
+			if cls != nil {
+				attr.Type.TypeFQN = moduleName + "." + name
+				attr.Type.Confidence = 0.9
+				attr.Type.Source = "stdlib_constructor_attribute"
+				return true
+			}
+		}
+	}
+
+	// Check thirdparty
+	if typeEngine.ThirdPartyRemote != nil {
+		if loader, ok := typeEngine.ThirdPartyRemote.(*registry.ThirdPartyRegistryRemote); ok && loader.HasModule(moduleName) {
+			fn := loader.GetFunction(moduleName, name, silentLogger)
+			if fn != nil && fn.ReturnType != "" && fn.ReturnType != "unknown" {
+				attr.Type.TypeFQN = fn.ReturnType
+				attr.Type.Confidence = fn.Confidence * 0.85
+				attr.Type.Source = "thirdparty_function_call_attribute"
+				return true
+			}
+			cls := loader.GetClass(moduleName, name, silentLogger)
+			if cls != nil {
+				attr.Type.TypeFQN = moduleName + "." + name
+				attr.Type.Confidence = 0.9
+				attr.Type.Source = "thirdparty_constructor_attribute"
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // resolveClassName resolves a class name to its fully qualified name.
 // Uses module registry, code graph, and ImportMap to find the class definition.
 //