From d05901ad3f84c529791275df2b64c52fd1797613 Mon Sep 17 00:00:00 2001
From: yoff <yoff@github.com>
Date: Thu, 22 Jan 2026 15:09:43 +0100
Subject: [PATCH] python/javascript/ruby: mark internal predicates

---
 .../javascript/dataflow/internal/BarrierGuards.qll       | 5 +++++
 .../frameworks/data/internal/ApiGraphModels.qll          | 4 ++++
 .../python/dataflow/new/internal/DataFlowPublic.qll      | 9 ++++++++-
 .../python/frameworks/data/internal/ApiGraphModels.qll   | 4 ++++
 .../lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll | 9 ++++++++-
 .../ruby/frameworks/data/internal/ApiGraphModels.qll     | 4 ++++
 6 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll
index b0a8518ef55..699cfd94fbb 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll
@@ -60,6 +60,11 @@ module ExternalBarrierGuard {
 
   /**
    * Gets a barrier guard node of the given `kind` defined via models-as-data.
+   *
+   * This only provides external barrier nodes defined as guards. To get all externally defined barrer nodes,
+   * use `ModelOutput::barrierNode(node, kind)`.
+   *
+   * INTERNAL: Do not use.
    */
   DataFlow::Node getAnExternalBarrierNode(string kind) {
     result = MakeStateBarrierGuard<string, BarrierGuard>::getABarrierNode(kind)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
index 19b5a0e01a9..60fe40e716d 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
@@ -850,11 +850,15 @@ module ModelOutput {
 
   /**
    * Holds if an external model contributed `barrier` with the given `kind`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) }
 
   /**
    * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierGuardNode(string kind, boolean branch) {
     result = getABarrierGuardNode(kind, branch, _)
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 2727ed6651d..4d112bcdcdd 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -649,7 +649,14 @@ module ExternalBarrierGuard {
     )
   }
 
-  /** Gets a node that is an external barrier of the given kind. */
+  /**
+   * Gets a node that is an external barrier of the given kind.
+   *
+   * This only provides external barrier nodes defined as guards. To get all externally defined barrer nodes,
+   * use `ModelOutput::barrierNode(node, kind)`.
+   *
+   * INTERNAL: Do not use.
+   */
   ExprNode getAnExternalBarrierNode(string kind) {
     result = ParameterizedBarrierGuard<string, guardCheck/4>::getABarrierNode(kind)
   }
diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll
index 19b5a0e01a9..60fe40e716d 100644
--- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll
+++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll
@@ -850,11 +850,15 @@ module ModelOutput {
 
   /**
    * Holds if an external model contributed `barrier` with the given `kind`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) }
 
   /**
    * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierGuardNode(string kind, boolean branch) {
     result = getABarrierGuardNode(kind, branch, _)
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
index 10d5a662151..6f2bc8b4acc 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
@@ -1000,7 +1000,14 @@ module ExternalBarrierGuard {
     )
   }
 
-  /** Gets a node that is an external barrier of the given kind. */
+  /**
+   * Gets a node that is an external barrier of the given kind.
+   *
+   * This only provides external barrier nodes defined as guards. To get all externally defined barrer nodes,
+   * use `ModelOutput::barrierNode(node, kind)`.
+   *
+   * INTERNAL: Do not use.
+   */
   ExprNode getAnExternalBarrierNode(string kind) {
     result = ParameterizedBarrierGuard<string, guardCheck/4>::getABarrierNode(kind)
   }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll
index 19b5a0e01a9..60fe40e716d 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll
@@ -850,11 +850,15 @@ module ModelOutput {
 
   /**
    * Holds if an external model contributed `barrier` with the given `kind`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) }
 
   /**
    * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`.
+   *
+   * INTERNAL: Do not use.
    */
   API::Node getABarrierGuardNode(string kind, boolean branch) {
     result = getABarrierGuardNode(kind, branch, _)