Critical bug fixes and recall improvements (#68)

tests/fixtures/realistic/sqli_xlang/SqliJavaParamTaintedBinds.java

@@ -0,0 +1,24 @@
+// Phase 15 deferred-fix negative — Java JPA parameterised query with
+// TAINTED bind value.  The JPQL string at arg 0 of
+// `entityManager.createQuery` is a literal; the user-controlled `name`
+// is bound via `setParameter`, which the JPA layer escapes through the
+// JDBC parameterised path.  Without payload-arg gating on
+// `entityManager.createQuery` (Phase 15 deferred fix in
+// `labels/java.rs::GATED_SINKS`), the flat rule's all-arg activation
+// combined with `setParameter`'s arg→return propagation could surface a
+// SQL_QUERY finding on the chain.  The Destination gate restricts
+// `sink_payload_args` to `&[0]`, narrowing the scan to the JPQL string.
+package com.example;
+
+import javax.persistence.EntityManager;
+import javax.persistence.Query;
+import javax.servlet.http.HttpServletRequest;
+
+public class SqliJavaParamTaintedBinds {
+    public Object lookup(HttpServletRequest request, EntityManager entityManager) {
+        String name = request.getParameter("name");
+        Query q = entityManager.createQuery("SELECT u FROM User u WHERE u.name = :name");
+        q.setParameter("name", name);
+        return q.getResultList();
+    }
+}