taint-analysislisted

# Taint analysis (coordinator) Run a whole-repo source→sink taint hunt. You are the **coordinator**: you run the deterministic prepare step, then spawn the phase subagents and thread their staged JSON drafts together. The subagents do the LLM labeling and triage; you sequence them and report. Run these steps in order. ## 1. Prepare (deterministic) ```bash node "${CLAUDE_PLUGIN_ROOT}/scripts/cmd/taint-analysis-prepare.mjs" --target "<repo root>" ``` Parse the JSON envelope. Keep `prepPath`, `sinksDraftPath`, `sourcesDraftPath`, `flowsDraftPath`, `findingsDraftPath`, `backends`, and `assembleCommand`. Relay any `warnings` to the user (e.g. no context run, no CodeQL DB / Joern CPG → flow tracing will use tree-sitter + same-file linking). ## 2. Label sinks and sources — IN PARALLEL In a **single message**, spawn two subagents (one Task call each, so they run concurrently): - **`taint-sink-labeler`** — prompt: the target directory, the `prepPath`, and "write your sink specs to `<sinksDraftPath>`". - **`taint-source-labeler`** — prompt: the target directory, the `prepPath`, and "write your source specs to `<sourcesDraftPath>`". Wait for both to finish. ## 3. Trace flows Spawn **`taint-flow-tracer`** with: the target directory, the `prepPath`, the `sinksDraftPath`, the `sourcesDraftPath`, and "write your flows to `<flowsDraftPath>`". It uses `backends` from prep to decide whether to run `joern:query` / `codeql:query` against prebuilt databases or fall back to same-file