@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/llm-trading-agent.js

@@ -0,0 +1,161 @@
+// LLM autonomous-trading-agent security audit.
+//
+// Targets code that gives an LLM agent on-chain transaction authority. These
+// patterns aren't generic LLM prompt-injection issues — they're financial-
+// loss-shaped, so a missed check means real money.
+//
+// Coverage:
+//   1. send_raw_transaction / signTransaction / sendTransaction without a
+//      prior eth_call simulation.
+//   2. Trading agent code with no MAX_SINGLE_TX or MAX_DAILY_SPEND constant
+//      (when an LLM-call API is present in the same file).
+//   3. RPC response / token name / pair label concatenated into an LLM
+//      prompt without sanitization (prompt-injection-via-onchain-data).
+//   4. Autonomous trading loop without a circuit breaker
+//      (consecutive-loss counter or hourly-loss-pct halt).
+//   5. Raw hex private key in source: PRIVATE_KEY = "0x..."
+//
+// Fires on .py / .js / .ts / .mjs / .cjs files. The agent ↔ wallet pattern
+// usually lives in Python or JS today; we cover both.
+
+const _SUPPORTED_EXT = /\.(?:py|js|jsx|ts|tsx|mjs|cjs)$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+function _looksLikeTradingAgent(raw) {
+  // Heuristic: file imports web3 / ethers / viem / solana AND mentions an LLM
+  // SDK (anthropic / openai / langchain / together / groq) OR an agent loop.
+  const onchain = /\b(?:from\s+web3\b|import\s+\{?[^}]*\}?\s+from\s+['"]ethers|import\s+\{?[^}]*\}?\s+from\s+['"]viem|from\s+solders|from\s+anchorpy)\b/.test(raw);
+  const llmSdk = /\b(?:anthropic|openai|langchain|together|groq|@anthropic-ai|@openai)\b/i.test(raw);
+  const agentLoop = /\b(?:while\s+True|while\s*\(\s*true|asyncio\.run|setInterval|setTimeout.*?ms\s*\)|trading_loop|run_agent)\b/i.test(raw);
+  return onchain && (llmSdk || agentLoop);
+}
+
+const _SIGN_OR_SEND_RE = /\b(?:send_raw_transaction|sendRawTransaction|signTransaction|sign_transaction|sendTransaction)\s*\(/;
+const _ETH_CALL_RE = /\b(?:eth_call|eth\.call|w3\.eth\.call|client\.call|estimateGas|estimate_gas|simulate(?:_transaction)?|callStatic)\b/;
+const _SPEND_LIMIT_RE = /\b(?:MAX_SINGLE_TX|MAX_DAILY_SPEND|MAX_TX_VALUE|DAILY_LIMIT|SPEND_LIMIT|TX_BUDGET|TRADE_BUDGET)\b/;
+const _CIRCUIT_BREAKER_RE = /\b(?:circuit_breaker|CircuitBreaker|consecutive_losses|max_hourly_loss|HOURLY_LOSS|MAX_DRAWDOWN|halt(?:_trading|_loop)?)\b/i;
+
+const _PROMPT_INJECTION_PATTERNS = [
+  /ignore\s+(?:previous|all)\s+instructions/i,
+  /system\s+prompt/i,
+  /transfer\s+.{0,50}\s+to\b/i,
+  /approve\s+.{0,50}\s+for\b/i,
+  /\bsend\s+.{0,50}\s+to\s+0x[0-9a-fA-F]{40}\b/i,
+];
+
+const _ONCHAIN_DATA_SOURCES = [
+  'token_name', 'pair_name', 'pair_label', 'token_symbol', 'tokenName',
+  'pairName', 'pairLabel', 'tokenSymbol', 'pool_name', 'event_log',
+  'metadata', 'rpc_response', 'event_data',
+];
+
+const _PROMPT_SINKS = /\b(?:client\.messages\.create|chat\.completions\.create|generate|invoke|stream|completion)\s*\(/;
+
+export function scanLlmTradingAgent(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_SUPPORTED_EXT.test(file)) return [];
+  if (raw.length > 200_000) return [];
+  if (!_looksLikeTradingAgent(raw)) return [];
+
+  const findings = [];
+
+  // 1. send_raw_transaction without prior eth_call simulation.
+  for (const m of raw.matchAll(new RegExp(_SIGN_OR_SEND_RE.source, 'g'))) {
+    // Look ±50 lines for any simulation call.
+    const lineNum = _line(raw, m.index);
+    const lines = raw.split('\n');
+    const window = lines.slice(Math.max(0, lineNum - 50), lineNum + 5).join('\n');
+    if (_ETH_CALL_RE.test(window)) continue;
+    findings.push({
+      id: `llm-trading:no-simulation:${file}:${lineNum}`,
+      file, line: lineNum,
+      vuln: 'Trading agent sends transaction without prior simulation (eth_call / estimateGas)',
+      severity: 'high',
+      family: 'llm-trading-no-simulation',
+      cwe: 'CWE-754',
+      confidence: 0.7,
+      description: 'The agent signs and sends a transaction without first calling eth_call / estimateGas / callStatic to simulate the outcome. A bug, prompt-injection, or oracle manipulation that produces a bad tx silently lands on-chain — and reverts there cost gas.',
+      remediation: 'Add a pre-send simulation: const result = await w3.eth.call(tx); decode the expected output; require it matches an expected_min_out before signTransaction + sendRawTransaction.',
+    });
+  }
+
+  // 2. No spend-limit constant
+  if (!_SPEND_LIMIT_RE.test(raw)) {
+    // Only flag when the file actually signs / sends.
+    if (_SIGN_OR_SEND_RE.test(raw)) {
+      const m = _SIGN_OR_SEND_RE.exec(raw);
+      findings.push({
+        id: `llm-trading:no-spend-limit:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'LLM trading agent has no per-tx / daily spend limit constant',
+        severity: 'critical',
+        family: 'llm-trading-no-spend-limit',
+        cwe: 'CWE-770',
+        confidence: 0.7,
+        description: 'Code can sign and send transactions but no MAX_SINGLE_TX / MAX_DAILY_SPEND / TX_BUDGET constant is visible. A prompt-injection (or a routine LLM hallucination) that asks the agent to "send all funds" has no upper bound.',
+        remediation: 'Define MAX_SINGLE_TX_USD and MAX_DAILY_SPEND_USD as Decimal constants. Add a SpendLimitGuard that checks both before every transaction; persist daily spend in disk-state so restart doesn\'t reset it.',
+      });
+    }
+  }
+
+  // 3. Onchain data concatenated into LLM prompt
+  if (_PROMPT_SINKS.test(raw)) {
+    for (const src of _ONCHAIN_DATA_SOURCES) {
+      // Look for f-string / template literal / + concat with the source name.
+      const fstr = new RegExp(`f["'][^"']*?\\{\\s*${src}\\s*\\}|\\$\\{\\s*${src}\\s*\\}|['"][^'"]*?['"]\\s*\\+\\s*${src}\\b`);
+      const m = fstr.exec(raw);
+      if (!m) continue;
+      // Only fire if there's no obvious sanitizer call near it.
+      const nearby = raw.slice(Math.max(0, m.index - 600), m.index + 200);
+      if (/\b(?:sanitize|validate|allow_list|allowlist|whitelist|escape|redact)/i.test(nearby)) continue;
+      findings.push({
+        id: `llm-trading:onchain-prompt-injection:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: `On-chain data (${src}) concatenated into an LLM prompt without sanitization`,
+        severity: 'high',
+        family: 'llm-trading-prompt-injection',
+        cwe: 'CWE-77',
+        confidence: 0.7,
+        description: `Token names, pair labels, pool metadata, and event-log payloads are attacker-controlled (anyone can deploy a token with any name). When concatenated into an execution-capable LLM prompt, the attacker can issue arbitrary trading instructions.`,
+        remediation: `Strip / allow-list the on-chain string before it enters the prompt. Verify it against known injection shapes: "ignore previous instructions", "transfer to 0x...", "approve unlimited".`,
+      });
+      break;     // one per source is enough
+    }
+  }
+
+  // 4. Trading loop without circuit breaker
+  if (/while\s+True|while\s*\(\s*true|setInterval/.test(raw) && _SIGN_OR_SEND_RE.test(raw) && !_CIRCUIT_BREAKER_RE.test(raw)) {
+    const m = /while\s+True|while\s*\(\s*true|setInterval/.exec(raw);
+    findings.push({
+      id: `llm-trading:no-circuit-breaker:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Autonomous trading loop with no circuit breaker',
+      severity: 'high',
+      family: 'llm-trading-no-circuit-breaker',
+      cwe: 'CWE-754',
+      confidence: 0.7,
+      description: 'Loop signs and sends transactions in a continuous cycle with no halt condition. A stuck oracle, an exchange bug, or a market crash causes the agent to keep trading the loss.',
+      remediation: 'Add a circuit breaker that halts after MAX_CONSECUTIVE_LOSSES or after a portfolio-value drop of MAX_HOURLY_LOSS_PCT. Require human re-arm to resume.',
+    });
+  }
+
+  // 5. Raw hex private key — PRIVATE_KEY = "0x..." (64 hex chars)
+  for (const m of raw.matchAll(/\b(?:PRIVATE_KEY|WALLET_KEY|SIGNING_KEY|priv_key|privKey)\s*[:=]\s*['"]0x[0-9a-fA-F]{64}['"]/g)) {
+    findings.push({
+      id: `llm-trading:hardcoded-private-key:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Hardcoded 32-byte raw private key in source',
+      severity: 'critical',
+      family: 'llm-trading-hardcoded-key',
+      cwe: 'CWE-798',
+      confidence: 0.98,
+      description: 'A literal 64-hex-char private key in source is catastrophic — anyone who reads the file can sign transactions as the wallet owner. Bots scrape GitHub for this pattern in real-time.',
+      remediation: 'Move to a secure vault (AWS KMS / HashiCorp Vault / GCP Secret Manager) or a hardware wallet. Rotate the key immediately by sweeping funds to a new wallet from a clean machine.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/llm.js

@@ -0,0 +1,308 @@
+// Prompt-injection / LLM-app security detector.
+//
+// F1 strategy:
+//   Recall  — broad SDK coverage (Anthropic, OpenAI, Vercel AI, LangChain,
+//             Google, Mistral, Cohere, Groq, Together; JS + Python).
+//   Precision — only fire when concrete evidence ties a tainted source to an
+//             LLM sink, or a tool definition exposes a known-dangerous capability.
+//             Pure-literal prompts and non-prod paths are suppressed.
+
+const _NONPROD_PATH_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|docs?|stories|codefixes|node_modules)\//i;
+const _SCANNABLE_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs|py)$/i;
+
+// LLM SDK call sites — one per family; line-anchored, escape-safe.
+const LLM_SINK_PATTERNS = [
+  // Anthropic (TS/JS + Python share the same dotted shape)
+  /\b(?:anthropic|client|claude)\.(?:messages|completions)\.create\s*\(/,
+  // OpenAI SDK v4+ (chat/responses/completions)
+  /\b(?:openai|client|oai)\.(?:chat\.)?completions\.create\s*\(/,
+  /\b(?:openai|client|oai)\.responses\.create\s*\(/,
+  // Vercel AI SDK
+  /\b(?:generateText|streamText|generateObject|streamObject)\s*\(/,
+  // LangChain JS / Python
+  /\b(?:llm|model|chain|chat|agent|executor)\.(?:invoke|call|run|predict|stream|batch|ainvoke|astream)\s*\(/,
+  /\bChatPromptTemplate\.from(?:Messages|Template)\s*\(/,
+  // Google Generative AI
+  /\b(?:model|genAI|chat)\.generateContent(?:Stream)?\s*\(/,
+  // Mistral / Cohere / Groq / Together (same dotted-create shape)
+  /\b(?:mistral|cohere|groq|together)\.(?:chat\.complete|chat\.completions\.create|generate)\s*\(/,
+  // Ollama / OpenAI-compatible HTTP endpoints via any client (requests/httpx/aiohttp/fetch).
+  // Matches a quoted URL pointing at a known LLM completion path.
+  /["'`][^"'`]*\/(?:api\/(?:generate|chat|embeddings)|v1\/(?:chat\/completions|completions|messages|embeddings))(?:["'`?]|$)/,
+];
+
+// Lower-precision LLM-call shape used only as a corroborator (require import).
+const LLM_FUZZY_CALL_RE = /\b(?:complete|generate|chat|invoke|predict)\s*\(/;
+
+// Imports indicate an LLM-using file even when call shape is non-standard.
+const LLM_IMPORT_RE = /(?:from\s+["']?(?:anthropic|openai|@ai-sdk|ai|@anthropic-ai|@google\/generative-ai|cohere-ai|@mistralai|groq-sdk|together-ai|langchain|ollama|gpt4all|llama_index|llama-index)["']?|require\s*\(\s*["'](?:@anthropic-ai|@ai-sdk|openai|anthropic|cohere-ai|@mistralai|langchain|groq-sdk|together-ai|ollama)[^"']*["']\s*\)|\bimport\s+(?:OpenAI|Anthropic|GoogleGenerativeAI|Mistral|Cohere|Groq|Ollama))/;
+
+// Environment / config signals that a file is talking to an LLM endpoint
+// even when no SDK is imported (Ollama-style direct HTTP).
+const LLM_ENDPOINT_SIGNAL_RE = /(?:\b(?:OLLAMA_(?:BASE_URL|HOST)|ollama_url|openai_url|llm_url|LITELLM_|HUGGINGFACE_(?:HUB_)?TOKEN|HF_TOKEN|GROQ_API|TOGETHER_API|MISTRAL_API|ANTHROPIC_API|OPENAI_API)\b|\/api\/(?:generate|chat|embeddings)\b|\/v1\/(?:chat\/completions|completions|messages|embeddings)\b)/;
+
+// HTTP-tainted source (JS/TS + Python frameworks)
+const HTTP_TAINT_RHS_RE = /\b(?:req|request|ctx|c)\.(?:body|query|params|headers|cookies|files|url|originalUrl|rawBody)\b|\bsearchParams\b|\bawait\s+(?:request|req)\.(?:json|text|formData)\b/;
+const PY_HTTP_TAINT_RHS_RE = /\b(?:flask\.)?request\.(?:args|form|json|values|files|headers|data|cookies|get_json)\b|\brequest\.GET\b|\brequest\.POST\b|\bbody\s*=\s*await\s+request/;
+
+// External / indirect taint (file, network, db) — for indirect prompt injection
+const EXT_TAINT_RHS_RE = /\b(?:fetch|axios\.(?:get|post|request)|https?\.get|fs\.readFileSync|fs\.readFile|fs\.promises\.readFile|fs\.createReadStream|readFileSync|open\s*\(.*['"][^'"]+['"]\s*,\s*['"]r)/;
+const PY_EXT_TAINT_RHS_RE = /\b(?:requests\.(?:get|post)|urlopen|httpx\.(?:get|post)|open\s*\(.*['"](?:r|rb)['"]\)\.read)/;
+
+// Dangerous LLM tool names (LLM-callable functions with strong side-effects)
+const DANGEROUS_TOOL_NAME_RE = /\bname\s*[:=]\s*["'](shell|bash|exec|execute|execute_shell|run_command|run_shell|run_code|sandbox_exec|eval|eval_python|python_exec|sql|sql_query|execute_sql|raw_query|query_db|read_file|write_file|delete_file|file_write|file_delete|edit_file|fetch_url|http_request|web_request|browse_url|navigate|delete|drop_table|admin|sudo|root|kubectl|docker_exec)["']/i;
+
+// Output-rendering sinks that turn LLM text into HTML / response body
+const UNSAFE_HTML_SINK_RE = /(?:\.innerHTML\s*=|dangerouslySetInnerHTML\s*=|document\.write\s*\(|\.outerHTML\s*=|v-html\s*=|\$\{\s*[A-Za-z_$][\w$]*\s*\}\s*<\/)/;
+
+// Variables likely holding an LLM response (LHS-side patterns)
+const LLM_OUTPUT_LHS_RE = [
+  /\b(?:const|let|var)\s+(\w+)\s*=\s*[^;]*?\.(?:content\s*\[\s*0\s*\]\.text|completion|message\.content|choices\s*\[\s*0\s*\]\.message\.content|generated_text|output_text|text\s*\(\s*\))\b/,
+  /\b(?:const|let|var)\s+\{\s*(?:text|content|completion|message)\s*:\s*(\w+)\b/,
+  /\b(?:const|let|var)\s+(\w+)\s*=\s*await\s+(?:anthropic|openai|client|llm|model|chain|agent|generateText|streamText|generateObject|streamObject)\b/,
+  // Python: reply = response.choices[0].message.content
+  /^\s*(\w+)\s*=\s*(?:[A-Za-z_]\w*)\.choices\s*\[\s*0\s*\]\.message\.content\b/m,
+  /^\s*(\w+)\s*=\s*(?:response|completion|reply)\.content\s*\[\s*0\s*\]\.text\b/m,
+];
+
+// System-prompt leakage via response body / log (PI-5)
+const SYSTEM_PROMPT_LEAK_RE = /(?:res\.(?:json|send)\s*\([^)]*?\b(?:messages|systemPrompt|system_prompt|systemMessage)\b|console\.log\s*\([^)]*?\b(?:systemPrompt|system_prompt|messages)\b)/;
+
+const TOOL_CONTEXT_RE = /\b(?:tools?\s*[:=]|tool_choice|tool_calls?|input_schema|function_declarations|parameters\s*:\s*\{|strict\s*:\s*true)\b/;
+
+function _hasLLMSink(line) {
+  return LLM_SINK_PATTERNS.some(re => re.test(line));
+}
+
+function _collectLHSAssignments(lines, regexList) {
+  const map = new Map();
+  for (let i = 0; i < lines.length; i++) {
+    const ln = lines[i];
+    for (const re of regexList) {
+      const m = ln.match(re);
+      if (m && m[1]) map.set(m[1], { line: i + 1, kind: 'llm-output' });
+    }
+  }
+  return map;
+}
+
+function _collectTaintedVars(lines) {
+  const vars = new Map();
+  for (let i = 0; i < lines.length; i++) {
+    const ln = lines[i];
+    // JS: const x = req.body.foo
+    let m = ln.match(/\b(?:const|let|var)\s+(\w+)\s*=[^;]*?(?:req|request|ctx|c)\.(?:body|query|params|headers|cookies)\b/);
+    if (m) vars.set(m[1], { line: i + 1, kind: 'http' });
+    // JS: destructured const { foo, bar } = req.body
+    m = ln.match(/\b(?:const|let|var)\s+\{([^}]+)\}\s*=[^;]*?(?:req|request|ctx|c)\.(?:body|query|params|headers|cookies)\b/);
+    if (m) for (const n of m[1].split(',')) {
+      const id = n.split(':').pop().trim().replace(/[^A-Za-z0-9_$]/g, '');
+      if (id) vars.set(id, { line: i + 1, kind: 'http' });
+    }
+    // JS: external/indirect (fetch, fs, db)
+    m = ln.match(/\b(?:const|let|var)\s+(\w+)\s*=[^;]*?(?:fetch|axios|fs\.readFile|fs\.readFileSync|\.query\s*\(|\.findOne\s*\()/);
+    if (m && /await|\.then|\.text\(|\.json\(|fs\.read/i.test(ln)) vars.set(m[1], { line: i + 1, kind: 'external' });
+    // Python: x = request.args.get(...) / request.json
+    m = ln.match(/^\s*(\w+)\s*=\s*(?:flask\.)?request\.(?:args|form|json|values|files|headers|data)\b/);
+    if (m) vars.set(m[1], { line: i + 1, kind: 'http' });
+    // Python: x = requests.get(...).text / open(...).read()
+    m = ln.match(/^\s*(\w+)\s*=\s*(?:requests\.(?:get|post)|urlopen|open\s*\()/);
+    if (m) vars.set(m[1], { line: i + 1, kind: 'external' });
+  }
+  return vars;
+}
+
+function _ctxWindow(lines, startLine, span) {
+  const start = Math.max(0, startLine);
+  const end = Math.min(lines.length, startLine + span);
+  return { text: lines.slice(start, end).join('\n'), start, end };
+}
+
+export function scanLLM(fp, raw) {
+  if (!_SCANNABLE_EXT_RE.test(fp)) return [];
+  const fpNorm = fp.replace(/\\/g, '/');
+  if (_NONPROD_PATH_RE.test(fpNorm)) return [];
+  if (!raw || raw.length > 500_000) return [];
+
+  const hasImport = LLM_IMPORT_RE.test(raw);
+  const hasAnyStrictSink = LLM_SINK_PATTERNS.some(re => re.test(raw));
+  const hasEndpointSignal = LLM_ENDPOINT_SIGNAL_RE.test(raw);
+  if (!hasImport && !hasAnyStrictSink && !hasEndpointSignal) return [];
+
+  const lines = raw.split('\n');
+  const findings = [];
+  const taintedVars = _collectTaintedVars(lines);
+  const llmOutVars = _collectLHSAssignments(lines, LLM_OUTPUT_LHS_RE);
+  const seen = new Set();
+
+  // Classify the *position* a tainted variable occupies inside the LLM call window.
+  // Returns one of: 'unsafe' (system/instruction position or interpolation),
+  //                 'safe-user-role' (pure user-role content slot),
+  //                 'unknown'  (referenced but position unclear).
+  function _positionForVar(ctxLines, vn) {
+    const wordRe = new RegExp(`\\b${vn}\\b`);
+    const tplRe  = new RegExp(`\\$\\{[^}]*\\b${vn}\\b[^}]*\\}`);
+    const concatRe = new RegExp(`['"]\\s*\\+\\s*${vn}\\b|\\b${vn}\\s*\\+\\s*['"]`);
+    const sysFieldRe = new RegExp(`\\b(?:system|instructions|preamble)\\s*:\\s*${vn}\\b`);
+    let referenced = false, looksUnsafe = false, anySafeUser = false;
+    for (let i = 0; i < ctxLines.length; i++) {
+      const ln = ctxLines[i];
+      if (!wordRe.test(ln)) continue;
+      referenced = true;
+      // Interpolation or string concat anywhere = injection-prone
+      if (tplRe.test(ln) || concatRe.test(ln)) { looksUnsafe = true; break; }
+      // Direct assignment into `system:` / `instructions:` field
+      if (sysFieldRe.test(ln)) { looksUnsafe = true; break; }
+      // `content: <var>` immediately following a `role: 'user'` line/clause
+      const looksContent = new RegExp(`\\bcontent\\s*:\\s*${vn}\\b`).test(ln);
+      if (looksContent) {
+        const within = (ctxLines[i - 1] || '') + ' ' + ln;
+        if (/role\s*:\s*['"]user['"]/.test(within)) anySafeUser = true;
+      }
+      // Surrounding system-role marker on adjacent lines
+      const win = (ctxLines[i - 1] || '') + ' ' + ln;
+      if (/role\s*:\s*['"]system['"]/.test(win) && new RegExp(`\\bcontent\\s*:\\s*${vn}\\b`).test(ln)) {
+        looksUnsafe = true; break;
+      }
+    }
+    if (!referenced) return 'absent';
+    if (looksUnsafe) return 'unsafe';
+    if (anySafeUser) return 'safe-user-role';
+    return 'unknown';
+  }
+
+  // Pass 1 — direct & indirect prompt injection at LLM sinks.
+  for (let li = 0; li < lines.length; li++) {
+    const line = lines[li];
+    const strictSink = _hasLLMSink(line);
+    const fuzzySink = !strictSink && (hasImport || hasEndpointSignal) && LLM_FUZZY_CALL_RE.test(line);
+    if (!strictSink && !fuzzySink) continue;
+
+    const { text: ctx } = _ctxWindow(lines, li, 18);
+    const ctxLines = ctx.split('\n');
+
+    // PI-1a: tainted variable referenced inside the call window.
+    let matched = false;
+    for (const [vn, info] of taintedVars) {
+      if (info.line > li + 18) continue; // forward refs we don't trust
+      const pos = _positionForVar(ctxLines, vn);
+      if (pos === 'absent' || pos === 'safe-user-role') continue;
+      // 'unknown' is a precision risk — only flag if the variable is HTTP-tainted
+      // AND the call uses fuzzy-sink shape; otherwise skip.
+      if (pos === 'unknown' && (info.kind !== 'http' || !strictSink)) continue;
+      const id = `llm-pi:${fp}:${li + 1}:${vn}:${info.kind}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      const severity = info.kind === 'http' ? 'high' : 'medium';
+      const vuln = info.kind === 'http'
+        ? 'Prompt Injection (HTTP user input in LLM call)'
+        : 'Indirect Prompt Injection (external content in LLM call)';
+      findings.push({
+        id, kind: 'sast', severity, vuln,
+        cwe: 'CWE-1427', stride: 'Tampering',
+        file: fp, line: li + 1, snippet: line.trim(),
+        chain: [
+          { type: 'source', label: `Tainted (${info.kind}): ${vn}`, line: info.line },
+          { type: 'sink',   label: 'LLM call (' + (pos === 'unsafe' ? 'system/instruction position' : 'unknown position') + ')', line: li + 1, snippet: line.trim() },
+        ],
+        fix: info.kind === 'http'
+          ? 'Pass user input only as a user-role message. Never interpolate it into the system prompt or instructions string.'
+          : 'Sanitize and bound external content before embedding in a prompt; consider tagging it with explicit "untrusted data" delimiters and instruction-defense system messages.',
+        confidence: pos === 'unsafe' ? (strictSink ? 0.92 : 0.7) : 0.55,
+      });
+      matched = true;
+    }
+
+    // PI-1b: template-literal user input directly in the call (no intermediate var)
+    if (!matched && /\$\{[^}]*\b(?:req|request|ctx|c)\.(?:body|query|params|headers|cookies)\b/.test(ctx)) {
+      const id = `llm-pi:${fp}:${li + 1}:template-http`;
+      if (!seen.has(id)) {
+        seen.add(id);
+        findings.push({
+          id, kind: 'sast', severity: 'high',
+          vuln: 'Prompt Injection (template-literal user input)',
+          cwe: 'CWE-1427', stride: 'Tampering',
+          file: fp, line: li + 1, snippet: line.trim(),
+          chain: [
+            { type: 'source', label: 'HTTP user input (inline ${...})', line: li + 1 },
+            { type: 'sink',   label: 'LLM call (template literal)', line: li + 1, snippet: line.trim() },
+          ],
+          fix: 'Move user input out of the system prompt. Keep instructions separate from data; pass user content as a discrete user-role message.',
+          confidence: 0.88,
+        });
+      }
+    }
+  }
+
+  // Pass 2 — dangerous LLM tool definitions.
+  for (let li = 0; li < lines.length; li++) {
+    const line = lines[li];
+    if (!DANGEROUS_TOOL_NAME_RE.test(line)) continue;
+    // Require nearby tool-context evidence to avoid false matches on plain identifiers
+    const { text: wider } = _ctxWindow(lines, Math.max(0, li - 6), 14);
+    if (!TOOL_CONTEXT_RE.test(wider)) continue;
+    const m = line.match(DANGEROUS_TOOL_NAME_RE);
+    const toolName = m ? m[1] : 'dangerous';
+    const id = `llm-pi:${fp}:${li + 1}:tool:${toolName}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    findings.push({
+      id, kind: 'sast', severity: 'high',
+      vuln: `Insecure LLM Tool Definition: ${toolName}`,
+      cwe: 'CWE-77', stride: 'Elevation of Privilege',
+      file: fp, line: li + 1, snippet: line.trim(),
+      fix: `Restrict the "${toolName}" tool to an explicit allowlist. Validate every argument against a schema; never let the LLM pass arbitrary input to shell, SQL, filesystem, or network primitives.`,
+      confidence: 0.8,
+    });
+  }
+
+  // Pass 3 — LLM output rendered to an unsafe HTML sink (XSS via LLM).
+  for (let li = 0; li < lines.length; li++) {
+    if (!UNSAFE_HTML_SINK_RE.test(lines[li])) continue;
+    for (const [vn, info] of llmOutVars) {
+      if (new RegExp(`\\b${vn}\\b`).test(lines[li])) {
+        const id = `llm-pi:${fp}:${li + 1}:${vn}:output-xss`;
+        if (seen.has(id)) continue;
+        seen.add(id);
+        findings.push({
+          id, kind: 'sast', severity: 'high',
+          vuln: 'Unsanitized LLM Output Rendered as HTML',
+          cwe: 'CWE-79', stride: 'Tampering',
+          file: fp, line: li + 1, snippet: lines[li].trim(),
+          chain: [
+            { type: 'source', label: `LLM response: ${vn}`, line: info.line },
+            { type: 'sink',   label: 'HTML / DOM sink',     line: li + 1, snippet: lines[li].trim() },
+          ],
+          fix: 'Render LLM output as text. If HTML is required, sanitize with DOMPurify or a server-side sanitizer with a strict allowlist.',
+          confidence: 0.85,
+        });
+      }
+    }
+  }
+
+  // Pass 4 — system-prompt leakage to user response or logs.
+  for (let li = 0; li < lines.length; li++) {
+    if (SYSTEM_PROMPT_LEAK_RE.test(lines[li])) {
+      const id = `llm-pi:${fp}:${li + 1}:sys-prompt-leak`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id, kind: 'sast', severity: 'medium',
+        vuln: 'System Prompt / Message History Disclosure',
+        cwe: 'CWE-200', stride: 'Information Disclosure',
+        file: fp, line: li + 1, snippet: lines[li].trim(),
+        fix: 'Do not return system prompts, tool schemas, or full message arrays to clients. Strip these fields before responding.',
+        confidence: 0.7,
+      });
+    }
+  }
+
+  return findings;
+}
+
+export const _LLM_INTERNAL = {
+  LLM_SINK_PATTERNS, LLM_IMPORT_RE, LLM_ENDPOINT_SIGNAL_RE,
+  HTTP_TAINT_RHS_RE, PY_HTTP_TAINT_RHS_RE,
+  EXT_TAINT_RHS_RE, PY_EXT_TAINT_RHS_RE,
+  DANGEROUS_TOOL_NAME_RE, UNSAFE_HTML_SINK_RE, SYSTEM_PROMPT_LEAK_RE,
+};

package/src/sast/logic.js

@@ -0,0 +1,140 @@
+// Business-logic flaw detector — high-precision pattern layer.
+//
+// Logic flaws normally require semantic reasoning, but a handful of canonical
+// anti-patterns are unambiguous in source: an admin check that uses `||` so it
+// always passes, a TOCTOU `existsSync → readFile` sequence, a price field
+// trusted from the request body in a DB write. We cover those here so the
+// engine emits findings on them without needing an agent. Deeper logic review
+// (intent vs. implementation) is delegated to the security-logic-reviewer agent.
+
+const _NONPROD_PATH_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|docs?|stories|codefixes|node_modules)\//i;
+const _SCAN_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs|py|rb|go|java|php)$/i;
+
+// PATTERN A — always-true authorization clause.
+// Examples:  if (user.isAdmin || user.id)               -> user.id is always truthy
+//            if (req.user.role === 'admin' || true)     -> obvious
+//            if (isAdmin || isUser)                      -> isUser is always truthy in an authed context
+const ALWAYS_TRUE_AUTH_RE = /\bif\s*\(\s*(?:[A-Za-z_$][\w$.]*\.(?:isAdmin|admin|isOwner|hasRole|role)\b[^)]*?)\|\|\s*(?:true\b|[A-Za-z_$][\w$.]*\.(?:id|userId|uid|email|user)\b\s*\)|true\b)/;
+
+// PATTERN B — TOCTOU on filesystem. existsSync → readFile / open / unlink at a related path.
+const TOCTOU_EXISTS_THEN_OP_RE = /\bfs\.existsSync\s*\(\s*([^)]+?)\s*\)[\s\S]{1,300}?\bfs\.(?:readFile(?:Sync)?|writeFile(?:Sync)?|unlink(?:Sync)?|open(?:Sync)?|createReadStream|createWriteStream)\s*\(\s*\1/;
+
+// PATTERN C — client-controlled monetary field flowing into a DB write.
+const CLIENT_AMOUNT_TO_DB_RE = /(?:price|amount|total|subtotal|cost|fee|charge|payment|sum)\s*[:=]\s*(?:req|request)\.body\b/;
+
+// PATTERN D — admin / role / isAdmin set from request body (mass-assignment of privilege).
+const PRIV_FROM_BODY_RE = /\b(?:isAdmin|is_admin|admin|role|roles|permissions|scopes|tier|isOwner|is_owner)\s*[:=]\s*(?:req|request)\.body\.[A-Za-z_]\w*/;
+
+// PATTERN E — state transition without prior-state guard.
+// Heuristic: `<obj>.status = 'completed' / 'paid' / 'shipped' / 'approved'` immediately
+// after a fetch with no surrounding `if (... .status === ...)` check in the same function block.
+const STATE_TERMINAL_SET_RE = /\b(\w+)\.(?:status|state|stage)\s*=\s*['"](?:completed|complete|paid|shipped|approved|active|published|verified|confirmed)['"]/;
+
+// PATTERN F — coupon / discount applied without server-side lookup.
+// Match either `discount = req.body...` (assignment) or `req.body.discount` (direct read).
+const CLIENT_DISCOUNT_RE = /(?:discount|coupon|promo|voucher)\s*[:=]\s*(?:req|request)\.body\b|(?:req|request)\.body\.(?:discount|coupon|promo|voucher)\b/i;
+
+// PATTERN G — duplicate-create / missing idempotency.
+// Fires when a POST handler does an INSERT/.create()/.save() with no upstream
+// SELECT-or-find-by-key check inside the same handler.
+//
+// Implemented in the per-route pass below.
+
+function _ctxFn(lines, atIdx, span = 25) {
+  const start = Math.max(0, atIdx - Math.floor(span / 2));
+  const end = Math.min(lines.length, atIdx + Math.ceil(span / 2));
+  return lines.slice(start, end).join('\n');
+}
+
+function _emit(fp, vuln, line, snippet, severity, cwe, fix, confidence) {
+  return {
+    id: `logic:${fp}:${line}:${vuln.replace(/\s/g, '_').slice(0, 60)}`,
+    kind: 'logic', severity, vuln,
+    cwe: cwe || null, stride: 'Tampering',
+    file: fp, line, snippet: snippet.trim(),
+    fix, confidence,
+  };
+}
+
+export function scanBusinessLogic(fp, raw) {
+  if (!_SCAN_EXT_RE.test(fp)) return [];
+  const fpNorm = fp.replace(/\\/g, '/');
+  if (_NONPROD_PATH_RE.test(fpNorm)) return [];
+  if (!raw || raw.length > 500_000) return [];
+
+  const lines = raw.split('\n');
+  const findings = [];
+  const seen = new Set();
+
+  // Single-line patterns
+  for (let li = 0; li < lines.length; li++) {
+    const line = lines[li];
+
+    // PATTERN A
+    if (ALWAYS_TRUE_AUTH_RE.test(line)) {
+      const f = _emit(fp, 'Always-True Authorization Clause',
+        li + 1, line, 'high', 'CWE-285',
+        'The `||` short-circuit makes this check pass for any authenticated user. Use `&&` to require BOTH conditions, or split into explicit role checks.',
+        0.9);
+      if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+    }
+
+    // PATTERN C — client-controlled money
+    if (CLIENT_AMOUNT_TO_DB_RE.test(line)) {
+      const f = _emit(fp, 'Client-Controlled Monetary Field',
+        li + 1, line, 'high', 'CWE-841',
+        'Recompute price/amount on the server from authoritative records (catalog, cart, subscription tier). Never accept the final amount from the request body.',
+        0.85);
+      if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+    }
+
+    // PATTERN D — privilege from body
+    if (PRIV_FROM_BODY_RE.test(line)) {
+      const f = _emit(fp, 'Privilege Field Set from Request Body',
+        li + 1, line, 'critical', 'CWE-915',
+        'Strip privilege fields from the request body before assignment, or use an explicit allowlist of mutable fields. An attacker can post `isAdmin:true` and elevate.',
+        0.9);
+      if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+    }
+
+    // PATTERN F — client-controlled discount/coupon
+    if (CLIENT_DISCOUNT_RE.test(line)) {
+      const f = _emit(fp, 'Client-Controlled Discount/Coupon',
+        li + 1, line, 'medium', 'CWE-840',
+        'Look up the coupon by code on the server and validate redemption status, expiry, and per-user use-count. Do not trust the discount value sent by the client.',
+        0.8);
+      if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+    }
+
+    // PATTERN E — terminal state set without prior-state guard.
+    // Heuristic: look upward in a 25-line window for an `if (... .status === ...)` guard;
+    // suppress when one is present.
+    const stateM = line.match(STATE_TERMINAL_SET_RE);
+    if (stateM) {
+      const objName = stateM[1];
+      const ctxAbove = lines.slice(Math.max(0, li - 25), li).join('\n');
+      const guardRe = new RegExp(`if\\s*\\([^)]*\\b${objName}\\.(?:status|state|stage)\\s*(?:===|==|!==|!=)\\s*['"]`, 'i');
+      if (!guardRe.test(ctxAbove)) {
+        const f = _emit(fp, 'Terminal State Set Without Prior-State Guard',
+          li + 1, line, 'medium', 'CWE-840',
+          'Verify the current state before transitioning to a terminal state (e.g., assert order.status === "pending" before setting to "paid"). Without this guard an attacker can replay or skip required steps.',
+          0.7);
+        if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+      }
+    }
+  }
+
+  // Multi-line: TOCTOU
+  let m;
+  const toctouRe = new RegExp(TOCTOU_EXISTS_THEN_OP_RE.source, 'g');
+  while ((m = toctouRe.exec(raw))) {
+    const line = raw.substring(0, m.index).split('\n').length;
+    const f = _emit(fp, 'TOCTOU: existsSync followed by file op',
+      line, lines[line - 1] || '', 'medium', 'CWE-367',
+      'Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.',
+      0.85);
+    if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); }
+  }
+
+  return findings;
+}