feat(go): package-level var Source 3 + StdlibLoader embed resolution

[shivasurya]

Summary

• Fix F8 (Source 3): Add package-level variable type resolution to Pattern 1b in resolveGoCallTarget. When Source 1 (function params) and Source 2 (scope bindings) both fail, Source 3 scans codeGraph.Nodes for module_variable nodes in the same package as the caller. Reads node.DataType (e.g. *sql.DB), strips pointer prefix, resolves via importMap. Fixes the one PoC failure: globalDB.Query() → database/sql.DB.Query. Extends resolveGoCallTarget signature with codeGraph *graph.CodeGraph.
• Fix C (cross-package embeds): Add resolveEmbeddings method to GoThirdPartyLocalLoader. Tries StdlibLoader.GetType first (covers all stdlib interfaces: context.Context, sort.Interface, etc.), falls back to the hardcoded well-known table when StdlibLoader is nil. Add registry field to loader; wire via InitGoThirdPartyLoader. Called in getOrLoadPackage after tree-sitter extraction.

Test plan

• TestSource3_PackageLevelVariable — var globalDB *sql.DB resolves globalDB.Query → database/sql.DB.Query
• TestSource3_PointerType — leading * stripped from DataType
• TestSource3_SamePackageFilter — variable in different package is NOT resolved
• TestSource3_NoTypeAnnotation — empty DataType skipped gracefully
• TestSource3_NilCodeGraph — no panic with nil codeGraph
• TestResolveEmbeddings_ViaStdlibLoader — context.Context methods flattened via StdlibLoader
• TestResolveEmbeddings_FallbackToWellKnown — io.Closer.Close resolves without StdlibLoader
• TestResolveEmbeddings_NilRegistryStdlibLoader — no panic, fallback fires
• TestResolveEmbeddings_DoesNotOverwriteExistingMethods — existing methods preserved
• TestResolveEmbeddings_SamePackageEmbedSkipped — same-package embeds ignored
• Full suite: go test ./... — 29/29 packages pass
• Lint: golangci-lint run — 0 issues

🤖 Generated with Claude Code

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	9
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 94.11765% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.24%. Comparing base (4eb8da7) to head (4b48d38).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
sast-engine/graph/callgraph/builder/go_builder.go	83.33%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #643      +/-   ##
==========================================
+ Coverage   84.22%   84.24%   +0.01%     
==========================================
  Files         162      162              
  Lines       23327    23358      +31     
==========================================
+ Hits        19648    19677      +29     
- Misses       2940     2941       +1     
- Partials      739      740       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shivasurya]

• feat(cache): delta-based incremental SQLite analysis cache for Go #649
• feat: GoThirdPartyCombinedLoader — CDN-first + local fallback routing #648
• feat: CDN registry generator for Go third-party packages #647
• feat: GoThirdPartyRegistryRemote CDN loader with manifest-first lazy loading #646
• feat: Go resolution statistics in resolution-report command #645
• feat: Go third-party QueryType classes + GORM SQLi & Gin SSRF rules #644
• feat(go): package-level var Source 3 + StdlibLoader embed resolution #643 👈 (View in Graphite)
• feat(go): eager scope creation + parameter-aware RHS inference #642
• feat(go): third-party type resolution from vendor/GOMODCACHE #641
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[shivasurya]

Merge activity

• Apr 7, 8:35 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 7, 8:39 PM UTC: Graphite rebased this pull request as part of a merge.
• Apr 7, 8:39 PM UTC: @shivasurya merged this pull request with Graphite.