# CodeQL baseline

Deterministic baseline runner that emits a benchmark submission for one or more cases using CodeQL when available. If CodeQL is not installed, it still produces a schema‑valid submission marking all sinks as `unreachable`, so CI and comparisons remain stable.

## Usage
```bash
# One case
baselines/codeql/run_case.sh cases/js/unsafe-eval /tmp/codeql-out

# All cases under a root
baselines/codeql/run_all.sh cases /tmp/codeql-all
```

Outputs:
- Per-case: `<out>/submission.json`
- All cases: `<out>/submission.json` (merged, deterministic ordering)

## Determinism posture
- No network access; all inputs are local files.
- Stable ordering of cases and sinks.
- If CodeQL is missing or analysis fails, the runner falls back to a deterministic “all unreachable” submission.

## Requirements
- Python 3.11+.
- Optional: `codeql` CLI on PATH for real analysis (not required for offline deterministic fallback).