@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/.agentic-security/streak.json

@@ -0,0 +1,23 @@
+{
+  "firstScanDate": "2026-05-13T13:02:38.907Z",
+  "lastScanDate": "2026-05-20T17:07:59.655Z",
+  "totalScans": 203,
+  "daysCleanCritical": 4,
+  "lastCleanDate": "2026-05-20",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 4,
+  "totalFindingsAtFirstScan": 11,
+  "totalFindingsAtLastScan": 27,
+  "totalFixesInferred": 1,
+  "lastGrade": "A-",
+  "bestGrade": "A-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-fix",
+    "first-scan",
+    "scan-veteran-100",
+    "scan-veteran-25"
+  ],
+  "previousGrade": "A-"
+}

package/src/sast/CLAUDE.md

@@ -0,0 +1,39 @@
+# scanner/src/sast/
+
+SAST detector modules. Each file exports one or more `scan*()` functions returning `Finding[]`. The orchestrator in `../engine.js` calls them.
+
+## Adding a new SAST rule
+
+1. **Pick the right module.** If your rule is language-specific (Python sink-side, Kotlin force-unwrap), it goes in or next to the existing language module. If it's framework-specific (Express auth, FastAPI hardening), use a `*-hardening.js`. If it's a cross-cutting class (CSRF, prototype pollution, mass assignment), add a new top-level `<topic>.js`.
+2. **Export `scan*()`** returning `Finding[]`. Required finding fields: `id` (stable), `severity`, `file`, `line`, `vuln`, `cwe`, `description`, `remediation`. Set `family` and `parser` if you can — defaults in `../posture/finding-defaults.js` will backfill, but a detector-set value is more accurate.
+3. **Import and call** in `../engine.js`. Find the existing `import { scanX } from './sast/x.js'` block and add yours alphabetically. Call the function inside `runFullScan` so its results flow into `finalFindings`.
+4. **Fixture pair.** Under `../../test/fixtures/<rule-name>/` create `vulnerable/` and `clean/`. The vulnerable shape must trigger the rule; the clean shape must not.
+5. **Cover it in tests.** Add to or create a `../../test/<rule-name>.test.js`. Wire it into `npm run test:sast` (or whichever scope it fits) in `../../package.json`.
+6. **Build + smoke.** `npm run build` then `npm run smoke`. The lifecycle guard (`npm run test:lifecycle`) catches a rule that ships without an import in `engine.js`.
+
+## What lives here, by category
+
+**Language-specific** — `cpp.js`, `csharp.js`, `dart-flutter.js`, `go-extended.js`, `java-deserialization.js`, `kotlin.js`, `php.js`, `python-sinks.js`, `ruby.js`, `rust.js`, `solidity.js`, `swift.js`, `xxe.js`.
+
+**Framework hardening** — `django-hardening.js`, `fastapi-hardening.js`, `laravel-hardening.js`, `quarkus-hardening.js`, `springboot-hardening.js`. Each detects "you used framework X but forgot the security-hardening step that ships with it" rather than a primary vuln.
+
+**Cross-cutting vuln classes** — `authz.js`, `csrf.js`, `host-header.js`, `jndi.js`, `jwt-exp.js`, `ldap-injection.js`, `xpath-injection.js`, `mass-assignment.js`, `mutation-xss.js`, `nosql-injection.js`, `prototype-pollution.js`, `ssrf-cloud-metadata.js`, `toctou.js`, `zip-slip.js`.
+
+**Cloud/infra** — `db-rls.js` (Supabase RLS), `env-hygiene.js` (NEXT_PUBLIC_ leaks, .env.example real values), `mobile-manifest.js`, `pipeline.js` (CI/CD integrity), `rate-limit.js`, `webhook.js`.
+
+**LLM / agent** — `llm.js`, `llm-owasp.js`, `llm-trading-agent.js`, `mcp-audit.js`, `model-load.js`, `prompt-firewall.js`, `prompt-template.js`.
+
+**Agent-of-agent / Claude Code hardening** — `claude-hook-injection.js`, `claude-md-prompt-injection.js`, `claude-settings.js`.
+
+**Auth / web** — `auth-provider.js`, `client-side.js`.
+
+**Bench-shape adapters (label-leakage, OFF by default)** — `bench-shape/` directory, plus `cpp-bench-extras.js`, `java-bench-extras.js`, `juliet-shape.js`, `primary-cwe-java.js`. These read Juliet / OWASP-Benchmark answer keys. Disabled unless `AGENTIC_SECURITY_BENCH_SHAPE=1`; `AGENTIC_SECURITY_BLIND_BENCH=1` overrides to force everything off. **Never use their emissions as a quality signal.**
+
+**Helpers** — `_comment-strip.js` strips comments while preserving line numbers (so finding `line` stays accurate). `index.js` is the public re-export.
+
+## Gotchas
+
+- **Comments confuse detectors.** Always go through `blankComments()` from `_comment-strip.js` before scanning a file body.
+- **Detector snippet attribution.** Don't grab `lines[matchLine - 1]` blindly — for multi-line patterns (`exec('ping' + req.body.host, …)`), the match index and the readable sink line can diverge. Premortem item — fixed in the dataflow engine; if you're regressing on it, your fix probably needs to use the actual sink expression, not the regex's match offset.
+- **Severity floor.** No detector should emit `severity: 'critical'` without strong evidence; the calibrator amplifies critical-rated findings and a flood drowns real ones. If in doubt, emit `high` and let `annotateExploitability` push it up.
+- **Family field for calibration.** If you can't tell what family your rule belongs to, that's a signal the rule covers too much. Split it.

package/src/sast/_comment-strip.js

@@ -0,0 +1,46 @@
+// Replace comments with same-length whitespace (newlines preserved) so that
+// character indices in the returned string match the original source one-to-one.
+// Required by detectors that emit `line = lineOf(raw, m.index)` after running
+// regexes against a comment-stripped view.
+//
+// Recognises:
+//   - JS/TS/Java/Go/C/C++/Rust line comments  // ...
+//   - JS/TS/Java/Go/C/C++/Rust block comments /* ... */
+//   - Python line comments                    # ...
+//
+// Skips comment-like content inside string literals (single/double/backtick).
+//
+// The `lang` parameter is optional; pass 'py' to treat `#` as a line comment.
+
+export function blankComments(s, lang) {
+  let out = '';
+  let inS = null;
+  let i = 0;
+  const isPy = lang === 'py';
+  while (i < s.length) {
+    const c = s[i];
+    if (inS) {
+      out += c;
+      if (c === '\\' && i + 1 < s.length) { out += s[i+1]; i += 2; continue; }
+      if (c === inS) inS = null;
+      i++; continue;
+    }
+    if (c === "'" || c === '"' || c === '`') { inS = c; out += c; i++; continue; }
+    if (!isPy && c === '/' && s[i+1] === '/') {
+      while (i < s.length && s[i] !== '\n') { out += ' '; i++; }
+      continue;
+    }
+    if (!isPy && c === '/' && s[i+1] === '*') {
+      const end = s.indexOf('*/', i + 2);
+      const stop = end < 0 ? s.length : end + 2;
+      while (i < stop) { out += (s[i] === '\n' ? '\n' : ' '); i++; }
+      continue;
+    }
+    if (isPy && c === '#') {
+      while (i < s.length && s[i] !== '\n') { out += ' '; i++; }
+      continue;
+    }
+    out += c; i++;
+  }
+  return out;
+}

package/src/sast/agent-tool-escalation.js

@@ -0,0 +1,131 @@
+// Agent Tool-Chain Privilege Escalation (OWASP LLM06 — Sensitive
+// Information Disclosure × LLM07 — Insecure Plugin Design, applied to
+// agent tool composition).
+//
+// Pattern: An agent has two tools — a low-privilege READ tool (`list_files`,
+// `fetch_url`, `query_db_readonly`) and a high-privilege ACT tool (`exec`,
+// `write_file`, `send_email`, `db_admin_query`). The agent's harness lets
+// the LLM call them in sequence: the LLM reads the output of the READ tool
+// (which can be attacker-controlled — files in a tenant's bucket, content
+// from a scraped URL, a row in a DB the attacker can update) and uses
+// that output as input to the ACT tool. The READ tool's output is now an
+// authority-promoting channel.
+//
+// We catch the AT-RISK PATTERN at code-shape time:
+//   - Two tools registered in the same agent harness
+//   - One is READ-class (callee name matches: read, list, get, fetch,
+//     search, query, find, scrape, retrieve)
+//   - The other is ACT-class (write, exec, run, send, post, delete,
+//     create, update, drop, kill)
+//   - No explicit `confirm` / `human_approval` / `policy_check` between
+//     them (search for these inside the tool's handler body)
+//
+// Frameworks we recognize:
+//   - LangChain Python:  Tool(name="…", func=…) / @tool decorator
+//   - LangChain JS:      new Tool({ name, func })
+//   - LangGraph:         tools=[…]
+//   - OpenAI Assistants: tools=[{ type:"function", function:{ name, …}}]
+//   - Anthropic Claude SDK: tools=[{ name, description, input_schema }]
+//   - MCP servers: tools.register or capabilities.tools
+
+import { blankComments } from './_comment-strip.js';
+
+const READ_VERBS = ['read', 'list', 'get', 'fetch', 'search', 'query', 'find', 'scrape', 'retrieve', 'lookup', 'show', 'select'];
+const ACT_VERBS  = ['write', 'exec', 'run', 'send', 'post', 'delete', 'create', 'update', 'drop', 'kill', 'execute', 'invoke', 'modify', 'patch', 'mutate', 'add_user', 'remove_user'];
+
+// Patterns capturing a tool NAME from a registration line, language-tagged.
+const TOOL_NAME_PATTERNS = [
+  // LangChain Python: Tool(name="…", …)  or  @tool def name(args):
+  ['py', /\bTool\s*\(\s*name\s*=\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  ['py', /^\s*@tool\s*[\r\n]+\s*def\s+([a-zA-Z_][\w]*)\s*\(/gm],
+  // LangChain JS / LangGraph:  new Tool({ name: "…" })  or  tool({ name })
+  ['js', /\bnew\s+Tool\s*\(\s*\{\s*name\s*:\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  ['js', /\btool\s*\(\s*\{\s*name\s*:\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  // OpenAI Assistants:  { type: "function", function: { name: "…" } }
+  ['js', /\btype\s*:\s*['"]function['"]\s*,\s*function\s*:\s*\{\s*name\s*:\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  ['py', /['"]type['"]\s*:\s*['"]function['"]\s*,\s*['"]function['"]\s*:\s*\{\s*['"]name['"]\s*:\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  // Anthropic tools list: { name: "…", description, input_schema }
+  ['js', /\{\s*name\s*:\s*['"]([a-zA-Z_][\w]*)['"]\s*,\s*description/g],
+  ['py', /\{\s*['"]name['"]\s*:\s*['"]([a-zA-Z_][\w]*)['"]\s*,\s*['"]description['"]/g],
+  // MCP server registerTool / setRequestHandler('tools/call', …)
+  ['js', /\bregisterTool\s*\(\s*['"]([a-zA-Z_][\w]*)['"]/g],
+  ['py', /\b@server\s*\.\s*tool\s*\(\s*['"]([a-zA-Z_][\w]*)['"]/g],
+];
+
+const APPROVAL_HINT_RE =
+  /\b(?:requireConfirmation|require_confirmation|human_approval|policy_check|approveAction|approve_action|guardCheck|enforce_policy|capability_check)\b/;
+
+function _classify(name) {
+  const low = name.toLowerCase();
+  for (const v of ACT_VERBS) {
+    if (low.includes(v)) return 'act';
+  }
+  for (const v of READ_VERBS) {
+    if (low.includes(v)) return 'read';
+  }
+  return null;
+}
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  return null;
+}
+
+export function scanAgentToolEscalation(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  if (!/\b(?:Tool|tool|tools|registerTool|@tool|@server\.tool|input_schema|function_call|tool_use)\b/.test(code)) return [];
+  // Collect all tool names declared in this file with their classification.
+  const tools = []; // { name, kind: 'act'|'read', line }
+  for (const [plang, pat] of TOOL_NAME_PATTERNS) {
+    if (plang !== lang) continue;
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const name = m[1];
+      const kind = _classify(name);
+      if (!kind) continue;
+      tools.push({ name, kind, line: _lineOf(raw, m.index) });
+    }
+  }
+  if (tools.length < 2) return [];
+  const hasRead = tools.some(t => t.kind === 'read');
+  const hasAct  = tools.some(t => t.kind === 'act');
+  if (!hasRead || !hasAct) return [];
+  // Approval-mechanism gate — if the file references a known confirm/policy
+  // helper, we assume the harness mediates the escalation and suppress.
+  if (APPROVAL_HINT_RE.test(code)) return [];
+  // Fire one finding per ACT tool, naming the READ counterpart in the trace.
+  const findings = [];
+  const seen = new Set();
+  const readNames = tools.filter(t => t.kind === 'read').map(t => t.name);
+  for (const actTool of tools.filter(t => t.kind === 'act')) {
+    const id = `agent-tool-escalation:${fp}:${actTool.line}:${actTool.name}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    findings.push({
+      id,
+      file: fp, line: actTool.line,
+      vuln: `Agent Tool Privilege Escalation (act-tool "${actTool.name}" exposed alongside read-tools)`,
+      severity: 'high',
+      cwe: 'CWE-269',     // Improper Privilege Management
+      family: 'agent-tool-escalation',
+      stride: 'Elevation of Privilege',
+      snippet: (raw.split('\n')[actTool.line - 1] || '').trim().slice(0, 200),
+      remediation:
+        `Tool "${actTool.name}" performs an action (write/exec/send/delete). It's registered alongside read tools (${readNames.slice(0, 4).join(', ')}) in the same agent surface — the LLM can pipe the read tool's output (which is attacker-influenceable: scraped pages, DB rows tenants can edit, file contents in shared buckets) directly into the act tool's input. ` +
+        'Mitigations: ' +
+        '(1) require an explicit confirmation / human approval step for any act tool whose inputs are derived from a read tool\'s output; ' +
+        '(2) isolate act tools to a separate agent surface with a stricter system prompt; ' +
+        '(3) attach a policy_check / capability_check helper to the act tool that verifies the input was not solely derived from low-trust read sources; ' +
+        '(4) tag read-tool outputs with provenance metadata so the act tool can refuse low-trust input.',
+      parser: 'AGENT-TOOL-ESCALATION',
+      confidence: 0.7,
+    });
+  }
+  return findings;
+}

package/src/sast/auth-provider.js

@@ -0,0 +1,171 @@
+// Auth provider misconfiguration audit.
+//
+// Every popular auth library for vibecoders has provider-specific footguns.
+// This module detects the most common misconfigurations that static analysis
+// can catch: insecure options, missing required fields, dangerous flags.
+//
+// Providers covered:
+//   Clerk, NextAuth / Auth.js, Auth0, Lucia, Better Auth, Passport, generic
+//
+// Findings:
+//   AUTH_DANGEROUS_EMAIL_LINKING  — allowDangerousEmailAccountLinking: true
+//   AUTH_TRUST_HOST               — trustHost: true in NextAuth (CSRF bypass in prod)
+//   AUTH_MISSING_SECRET           — NextAuth without NEXTAUTH_SECRET env var reference
+//   AUTH_WEAK_SESSION_SECRET      — short/hardcoded session secret
+//   AUTH_CLERK_PUBLIC_ROUTE       — sensitive path incorrectly marked public in Clerk
+//   AUTH_MISSING_AUDIENCE         — JWT/OAuth without audience validation
+//   AUTH_DISABLE_CSRF             — explicit CSRF protection disabled
+//   AUTH_COOKIE_INSECURE          — session cookies without secure/sameSite
+//   AUTH_HARDCODED_CLIENT_SECRET  — OAuth clientSecret hardcoded
+
+const _SCAN_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i;
+const _NONPROD_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|node_modules)\//i;
+
+// --- Dangerous options ---
+
+// allowDangerousEmailAccountLinking: true — lets attacker take over account by
+// registering with same email via different provider
+const DANGEROUS_EMAIL_LINKING_RE = /allowDangerousEmailAccountLinking\s*:\s*true/;
+
+// trustHost: true in NextAuth — disables host validation, enabling CSRF when
+// deployed behind a reverse proxy that sets arbitrary Host headers
+const TRUST_HOST_RE = /trustHost\s*:\s*true/;
+
+// NextAuth without NEXTAUTH_SECRET
+const NEXTAUTH_IMPORT_RE = /(?:from|require)\s*\(?\s*['"`]next-auth['"`]/;
+const NEXTAUTH_SECRET_REF_RE = /NEXTAUTH_SECRET|authSecret\s*:|secret\s*:\s*process\.env/;
+
+// Weak session secret — short string literal as secret
+const WEAK_SESSION_SECRET_RE = /(?:secret|SESSION_SECRET|sessionSecret)\s*[:=]\s*['"`]([^'"`]{1,20})['"`]/;
+
+// CSRF disabled
+const CSRF_DISABLED_RE = /csrf\s*:\s*(?:false|disabled|0)|disableCsrf\s*:\s*true|csrfProtection\s*:\s*false/i;
+
+// OAuth clientSecret hardcoded
+const HARDCODED_CLIENT_SECRET_RE = /clientSecret\s*:\s*['"`][a-zA-Z0-9_\-]{8,}['"`]/;
+
+// JWT missing audience
+const JWT_NO_AUDIENCE_RE = /jwt\.(?:verify|sign)\s*\([^)]*\)/g;
+const JWT_AUDIENCE_RE = /\baudience\b/;
+
+// Auth0 hardcoded secret
+const AUTH0_SECRET_RE = /AUTH0_SECRET\s*[:=]\s*['"`][^'"`]{8,}['"`]/;
+
+// Cookie without secure flag
+const INSECURE_COOKIE_RE = /cookie\s*:\s*\{[^}]*\}/g;
+const COOKIE_SECURE_RE = /\bsecure\s*:\s*true/;
+const COOKIE_SAMESITE_RE = /\bsameSite\s*:/;
+
+// Clerk: publicRoutes containing sensitive paths
+const CLERK_CONFIG_RE = /(?:clerkMiddleware|authMiddleware)\s*\(\s*\{/;
+const CLERK_PUBLIC_ROUTES_RE = /publicRoutes\s*:\s*\[([^\]]+)\]/;
+const SENSITIVE_PATH_IN_PUBLIC_RE = /['"`]\/(?:api\/(?:admin|users|delete|update|private)|dashboard|settings|admin)[^'"`]*['"`]/i;
+
+function scanAuthProvider(file, content) {
+  if (!_SCAN_EXT_RE.test(file)) return [];
+  if (_NONPROD_RE.test(file)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  function lineOf(re, searchContent = content) {
+    const m = re.exec(searchContent);
+    if (!m) return -1;
+    return searchContent.slice(0, m.index).split('\n').length;
+  }
+
+  function push(id, title, severity, lineNum, description, remediation, cwe) {
+    if (lineNum < 1) lineNum = 1;
+    findings.push({ id: `auth-provider:${id}:${file}:${lineNum}`, title, severity, file, line: lineNum, description, remediation, cwe });
+  }
+
+  // allowDangerousEmailAccountLinking
+  if (DANGEROUS_EMAIL_LINKING_RE.test(content)) {
+    push('AUTH_DANGEROUS_EMAIL_LINKING', 'Dangerous email account linking enabled',
+      'high', lineOf(DANGEROUS_EMAIL_LINKING_RE),
+      'allowDangerousEmailAccountLinking: true lets an attacker register with the same email address via a different OAuth provider to take over an existing account without knowing the password.',
+      'Remove allowDangerousEmailAccountLinking: true. If you need multi-provider linking, implement explicit user-confirmation flow instead.',
+      'CWE-287');
+  }
+
+  // trustHost
+  if (TRUST_HOST_RE.test(content)) {
+    push('AUTH_TRUST_HOST', 'NextAuth trustHost: true disables host validation',
+      'high', lineOf(TRUST_HOST_RE),
+      'trustHost: true bypasses NextAuth\'s HOST header validation, disabling CSRF protection when deployed behind a reverse proxy. Attackers can craft requests with a spoofed Host header.',
+      'Remove trustHost: true. Instead, set the AUTH_URL / NEXTAUTH_URL environment variable to your canonical production URL.',
+      'CWE-352');
+  }
+
+  // NextAuth without secret
+  if (NEXTAUTH_IMPORT_RE.test(content) && !NEXTAUTH_SECRET_REF_RE.test(content)) {
+    push('AUTH_MISSING_SECRET', 'NextAuth configuration without NEXTAUTH_SECRET reference',
+      'high', lineOf(NEXTAUTH_IMPORT_RE),
+      'NextAuth requires NEXTAUTH_SECRET for JWT encryption and CSRF token signing. Without it, NextAuth falls back to an auto-generated secret that changes on every restart, invalidating all sessions, and is insecure in some deploy environments.',
+      'Add `secret: process.env.NEXTAUTH_SECRET` to your NextAuth config and set NEXTAUTH_SECRET to a 32+ byte random string in your environment.',
+      'CWE-330');
+  }
+
+  // Weak session secret
+  for (let i = 0; i < lines.length; i++) {
+    const m = WEAK_SESSION_SECRET_RE.exec(lines[i]);
+    if (m && m[1] && m[1].length <= 20) {
+      push('AUTH_WEAK_SESSION_SECRET', 'Session secret is short or hardcoded',
+        'high', i + 1,
+        `A session/auth secret of only ${m[1].length} characters is used. Secrets shorter than 32 characters are vulnerable to brute-force. Hardcoded secrets are also committed to git history.`,
+        'Generate a cryptographically random 32+ byte secret: `openssl rand -base64 32`. Store it as an environment variable, never in source code.',
+        'CWE-521');
+    }
+  }
+
+  // Hardcoded OAuth clientSecret
+  for (let i = 0; i < lines.length; i++) {
+    if (HARDCODED_CLIENT_SECRET_RE.test(lines[i])) {
+      push('AUTH_HARDCODED_CLIENT_SECRET', 'OAuth clientSecret hardcoded in source',
+        'high', i + 1,
+        'An OAuth client secret is embedded in source code. It will be committed to git, potentially leaked via the build bundle, and cannot be rotated without a code change.',
+        'Move to an environment variable: `clientSecret: process.env.OAUTH_CLIENT_SECRET`. Rotate the secret in your OAuth provider dashboard.',
+        'CWE-798');
+    }
+  }
+
+  // CSRF disabled
+  if (CSRF_DISABLED_RE.test(content)) {
+    push('AUTH_DISABLE_CSRF', 'CSRF protection explicitly disabled',
+      'high', lineOf(CSRF_DISABLED_RE),
+      'Cross-Site Request Forgery protection is turned off. Attackers can trick authenticated users into triggering state-changing actions on your app from a third-party website.',
+      'Remove the csrf: false / disableCsrf option. Auth libraries enable CSRF protection by default for good reason.',
+      'CWE-352');
+  }
+
+  // Clerk public routes containing sensitive paths
+  if (CLERK_CONFIG_RE.test(content)) {
+    const publicMatch = CLERK_PUBLIC_ROUTES_RE.exec(content);
+    if (publicMatch && SENSITIVE_PATH_IN_PUBLIC_RE.test(publicMatch[1])) {
+      const lineNum = content.slice(0, CLERK_PUBLIC_ROUTES_RE.lastIndex).split('\n').length;
+      push('AUTH_CLERK_PUBLIC_ROUTE', 'Sensitive route marked public in Clerk middleware',
+        'high', lineNum,
+        'A path that appears to be sensitive (admin, settings, private API) is listed in Clerk\'s publicRoutes, making it accessible to unauthenticated users.',
+        'Remove sensitive paths from publicRoutes. Use auth().protect() or redirect to sign-in for routes that require authentication.',
+        'CWE-284');
+    }
+  }
+
+  // Cookie without secure/sameSite in session config
+  let cookieM;
+  const cookieRe = new RegExp(INSECURE_COOKIE_RE.source, 'g');
+  while ((cookieM = cookieRe.exec(content)) !== null) {
+    const block = cookieM[0];
+    if (!COOKIE_SECURE_RE.test(block) || !COOKIE_SAMESITE_RE.test(block)) {
+      const lineNum = content.slice(0, cookieM.index).split('\n').length;
+      push('AUTH_COOKIE_INSECURE', 'Session cookie missing secure or sameSite flag',
+        'medium', lineNum,
+        'Session cookies without `secure: true` can be transmitted over HTTP. Without `sameSite`, they are sent on cross-site requests, enabling CSRF.',
+        'Set `cookie: { secure: true, sameSite: "lax", httpOnly: true }` in your session/auth config.',
+        'CWE-614');
+    }
+  }
+
+  return findings;
+}
+
+export { scanAuthProvider };

package/src/sast/authz.js

@@ -0,0 +1,236 @@
+// Authentication / authorization deep-analysis detector.
+//
+// OWASP A01: Broken Access Control is consistently the #1 source of real
+// breaches. The taint-based pipeline already catches IDOR-by-id and SQLi via
+// auth-table lookups. This module covers the higher-level patterns that pure
+// data-flow misses:
+//
+//   - JWT alg:none / algorithm confusion
+//   - Hardcoded JWT secret
+//   - jwt.verify called without an algorithms allow-list
+//   - OAuth2 authorization_code flow with no PKCE
+//   - OAuth2 redirect_uri taken from the request without allowlist validation
+//   - Session not regenerated after authentication (session fixation)
+//   - Multi-tenant query missing a tenant scope (cross-tenant read)
+//
+// F1 strategy:
+//   Each pattern fires only when there is concrete signal in source. Negative
+//   contexts (allow-list present, tenant filter present, PKCE generation
+//   present in the same module) suppress the finding.
+
+const _SCAN_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs|py)$/i;
+const _NONPROD_PATH_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|docs?|stories|codefixes|node_modules)\//i;
+
+// --- JWT patterns ---
+
+// jwt.sign or jwt.verify with explicit alg: 'none' / "none"
+const JWT_ALG_NONE_RE = /\b(?:jwt|jsonwebtoken)\.(?:sign|verify|decode)\s*\([^)]*?(?:algorithm|alg)\s*:\s*['"]none['"]/i;
+
+// JWT_SECRET / signingKey hardcoded as a literal short string in source
+const JWT_HARDCODED_SECRET_RE = /\b(?:JWT_SECRET|jwtSecret|jwt_secret|signingSecret|signing_key|JWT_KEY)\s*[:=]\s*['"]([^'"]{4,64})['"]/;
+
+// jwt.verify called without an `algorithms` option (algorithm confusion attack)
+// We require: a `jwt.verify(` call within ~200 chars of a missing `algorithms`
+const JWT_VERIFY_RE = /\b(?:jwt|jsonwebtoken)\.verify\s*\(/g;
+const JWT_ALGORITHMS_OPT_RE = /\balgorithms\s*:\s*\[/;
+
+// --- OAuth2 / OIDC ---
+
+// authorization_code flow without PKCE: matches `response_type: 'code'` with no
+// `code_challenge` in surrounding context.
+const OAUTH_AUTHCODE_RE = /\bresponse_type\s*[:=]\s*['"]code['"]/;
+const OAUTH_PKCE_RE = /\b(?:code_challenge|codeChallenge|pkce|code_verifier)\b/;
+
+// redirect_uri taken from req without allow-list. We trigger when:
+//   redirectUrl/url = req.query.redirect_uri      (or .body / .params)
+// and the same module has no constants[*] === url style allow-list.
+const OAUTH_REDIRECT_FROM_REQ_RE = /\b(?:redirect|redirectUri|redirect_uri|callback|returnTo|returnUrl|next)\s*[:=]\s*(?:req|request)\.(?:query|body|params)\.[A-Za-z_]\w*/i;
+const OAUTH_REDIRECT_ALLOWLIST_RE = /\b(?:ALLOWED_REDIRECTS|REDIRECT_ALLOWLIST|allowedRedirects|allowedHosts|isAllowed(?:Url|Host|Redirect)|VALID_REDIRECTS)\b|\.includes\s*\(\s*(?:redirect|redirectUri|redirect_uri|returnTo|callback|next|url)\s*\)/;
+
+// --- Session fixation ---
+
+// Pattern: an authentication step (req.login, passport.authenticate completion,
+// `req.session.userId = ...`) followed by no `session.regenerate(` call.
+const SESSION_LOGIN_RE = /\b(?:req\.login\s*\(|req\.session\.(?:userId|user_id|user|uid)\s*=|passport\.authenticate\s*\([^)]*\)\s*\(req|request\.session\['user'\]\s*=)/;
+const SESSION_REGENERATE_RE = /\b(?:req\.session\.regenerate\s*\(|session\.regenerate\s*\(|request\.session\.cycle_key\s*\(|sessionStore\.regenerate)/;
+
+// --- Multi-tenant scope ---
+
+// SELECT/find with a where-clause keyed by a non-tenant id (Sequelize, Prisma,
+// raw SQL, mongoose). Suppress if the same statement contains tenantId/orgId/
+// workspaceId in the where clause.
+const MT_QUERY_RE = /\b(?:findOne|findById|findFirst|findUnique|find\(\s*\{)\s*[^;]*?\bwhere\s*:\s*\{[^}]*\bid\s*:\s*(?:req|request)\.(?:params|body|query)\.[A-Za-z_]\w*[^}]*\}/i;
+const MT_TENANT_KEY_RE = /\b(?:tenantId|tenant_id|orgId|org_id|workspaceId|workspace_id|accountId|account_id|companyId|company_id)\b/;
+
+// Raw SQL with direct interpolation of a request value into the WHERE-by-id
+// clause. We deliberately do NOT match parameterized placeholders (?, $1, :id)
+// — those are the safe pattern. Only flag string-concatenation or template-
+// literal interpolation that pulls from req/request.
+const MT_RAW_SQL_RE = /\b(?:select|update|delete)\b[\s\S]{0,200}?\bwhere\s+(?:[\w_.]*\.)?id\s*=\s*\$?\{?\s*(?:req|request)\.(?:params|body|query)\.[A-Za-z_]\w*/i;
+
+function _emit(fp, line, vuln, severity, cwe, snippet, fix, confidence=0.85) {
+  return {
+    id: `authz:${fp}:${line}:${vuln.replace(/[^A-Za-z0-9]/g, '_').slice(0, 60)}`,
+    kind: 'authz', severity, vuln,
+    cwe, stride: 'Elevation of Privilege',
+    file: fp, line, snippet: (snippet || '').trim().slice(0, 200),
+    fix, confidence,
+  };
+}
+
+// Strip string-literal contents while preserving line/col so the raw-SQL and
+// shape-only patterns below don't self-detect inside fix-message templates or
+// other string-embedded examples.
+function _stripStrings(code){
+  const out = code.split('');
+  const n = code.length;
+  let i = 0, state = 0; // 0 NORMAL, 1 SQ, 2 DQ, 3 BT
+  while (i < n) {
+    const c = code[i];
+    if (state === 0) {
+      if (c === "'") { state = 1; i++; continue; }
+      if (c === '"') { state = 2; i++; continue; }
+      if (c === '`') { state = 3; i++; continue; }
+      i++; continue;
+    }
+    const quote = state === 1 ? "'" : state === 2 ? '"' : '`';
+    if (c === '\\' && i + 1 < n) { if (code[i+1] !== '\n') out[i+1] = ' '; out[i] = ' '; i += 2; continue; }
+    if (c === quote) { state = 0; i++; continue; }
+    if (state === 3 && c === '$' && code[i+1] === '{') {
+      // Preserve template expression content: skip ahead until matching }.
+      let depth = 1; out[i]='$'; out[i+1]='{'; i += 2;
+      while (i < n && depth > 0) {
+        if (code[i] === '{') depth++;
+        else if (code[i] === '}') depth--;
+        i++;
+      }
+      continue;
+    }
+    if (c !== '\n') out[i] = ' ';
+    i++;
+  }
+  return out.join('');
+}
+
+export function scanAuthZ(fp, raw) {
+  if (!_SCAN_EXT_RE.test(fp)) return [];
+  const fpNorm = fp.replace(/\\/g, '/');
+  if (_NONPROD_PATH_RE.test(fpNorm)) return [];
+  if (!raw || raw.length > 500_000) return [];
+
+  // `rawForShape` is used by detectors that match on code shape (raw SQL, JWT
+  // calls). String literals are blanked so fix-message templates and example
+  // snippets don't self-detect. Detectors that explicitly read literal content
+  // (hardcoded JWT secret) keep using `raw`.
+  const rawForShape = _stripStrings(raw);
+  const linesShape = rawForShape.split('\n');
+  const lines = raw.split('\n');
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  // Per-line patterns
+  for (let i = 0; i < lines.length; i++) {
+    const ln = lines[i];
+
+    // 1. JWT alg:none
+    if (JWT_ALG_NONE_RE.test(ln)) {
+      push(_emit(fp, i + 1,
+        'AuthZ: JWT alg:none accepted (forgery)',
+        'critical', 'CWE-347', ln,
+        'Setting algorithm to "none" disables signature verification — any token is accepted as valid. Set an explicit `algorithms: ["RS256"]` (or HS256 for symmetric) and reject tokens that present a different alg.'));
+    }
+
+    // 2. Hardcoded JWT secret (shortish literal)
+    const m2 = ln.match(JWT_HARDCODED_SECRET_RE);
+    if (m2) {
+      const val = m2[1];
+      // Suppress only template/env placeholders
+      if (!/process\.env|\$\{|<.*?>|^\s*$/.test(val) && !/\bsecret\b|\bchange.?me\b|^example$/i.test(val) === false || val.length >= 4) {
+        // We still flag well-known placeholders ("secret", "changeme") because they
+        // are the most common production foot-gun.
+        push(_emit(fp, i + 1,
+          'AuthZ: hardcoded JWT secret in source',
+          'critical', 'CWE-798', ln.replace(val, '<redacted>'),
+          'Move the JWT secret to an environment variable or secret store, and rotate the previous value (it must be considered leaked). For asymmetric tokens, prefer RS256 with the private key in a KMS.'));
+      }
+    }
+
+    // 3. authorization_code flow without PKCE — needs whole-file context.
+    if (OAUTH_AUTHCODE_RE.test(ln)) {
+      const hasPkceNearby = OAUTH_PKCE_RE.test(raw);
+      if (!hasPkceNearby) {
+        push(_emit(fp, i + 1,
+          'AuthZ: OAuth2 authorization_code without PKCE',
+          'high', 'CWE-287', ln,
+          'Public OAuth2 clients (SPAs, mobile, native) must use PKCE. Generate a `code_verifier` (43–128 chars), derive a `code_challenge = base64url(sha256(verifier))`, send it on the authorize call, and verify it on the token exchange.'));
+      }
+    }
+
+    // 4. redirect_uri taken from request — flag if no allow-list anywhere in file
+    if (OAUTH_REDIRECT_FROM_REQ_RE.test(ln)) {
+      const hasAllowlist = OAUTH_REDIRECT_ALLOWLIST_RE.test(raw);
+      if (!hasAllowlist) {
+        push(_emit(fp, i + 1,
+          'AuthZ: OAuth2 redirect_uri from request without allow-list',
+          'high', 'CWE-601', ln,
+          'Validate the redirect_uri against a server-side allow-list before redirecting. An attacker can register a malicious client or pass `?redirect=evil.com` and intercept the authorization code or open-redirect to a phishing page.'));
+      }
+    }
+  }
+
+  // 5. jwt.verify without algorithms option
+  let vm;
+  const verifyRe = new RegExp(JWT_VERIFY_RE.source, 'g');
+  while ((vm = verifyRe.exec(raw))) {
+    // window is the call-site argument list
+    const after = raw.slice(vm.index, Math.min(raw.length, vm.index + 400));
+    if (!JWT_ALGORITHMS_OPT_RE.test(after) && !JWT_ALG_NONE_RE.test(after)) {
+      const line = raw.substring(0, vm.index).split('\n').length;
+      push(_emit(fp, line,
+        'AuthZ: jwt.verify called without algorithms allow-list',
+        'high', 'CWE-347', lines[line - 1] || '',
+        'Pass `{ algorithms: ["RS256"] }` (or HS256) explicitly to `jwt.verify`. Without it, an attacker can forge a token using an unexpected algorithm (alg:none, or HS256-signed with the public key for an RS256 issuer).'));
+    }
+  }
+
+  // 6. Session fixation: login without regenerate
+  if (SESSION_LOGIN_RE.test(raw) && !SESSION_REGENERATE_RE.test(raw)) {
+    const m = raw.match(SESSION_LOGIN_RE);
+    if (m) {
+      const line = raw.substring(0, m.index).split('\n').length;
+      push(_emit(fp, line,
+        'AuthZ: session not regenerated after authentication (session fixation)',
+        'high', 'CWE-384', lines[line - 1] || '',
+        'After successful authentication, call `req.session.regenerate(...)` (or your framework equivalent) before storing the user identity in the session. Otherwise an attacker who fixed the pre-auth session id retains access post-login.'));
+    }
+  }
+
+  // 7. Multi-tenant: where-by-id without tenant scope
+  let mm;
+  const mtRe = new RegExp(MT_QUERY_RE.source, 'gi');
+  while ((mm = mtRe.exec(raw))) {
+    const block = mm[0];
+    if (!MT_TENANT_KEY_RE.test(block)) {
+      const line = raw.substring(0, mm.index).split('\n').length;
+      push(_emit(fp, line,
+        'AuthZ: tenant-scoped query missing tenantId/orgId filter',
+        'high', 'CWE-639', lines[line - 1] || block.slice(0, 120),
+        'Multi-tenant queries must include the requesting user\'s tenantId/orgId in the WHERE clause. Otherwise a row id collision (or guessing) reads another tenant\'s data. Add `where: { id, tenantId: req.user.tenantId }`.'));
+    }
+  }
+  let rm;
+  const rawSqlRe = new RegExp(MT_RAW_SQL_RE.source, 'gi');
+  while ((rm = rawSqlRe.exec(rawForShape))) {
+    const block = rm[0];
+    if (!MT_TENANT_KEY_RE.test(block)) {
+      const line = rawForShape.substring(0, rm.index).split('\n').length;
+      push(_emit(fp, line,
+        'AuthZ: raw SQL where-by-id without tenant scope',
+        'high', 'CWE-639', lines[line - 1] || block.slice(0, 120),
+        'The query selects a row by id without scoping to the caller\'s tenant. Append `AND tenant_id = $tenantId` (and pass it from the authenticated session, never the request body).'));
+    }
+  }
+
+  return findings;
+}