@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/iac-reachability.js

@@ -0,0 +1,163 @@
+// IaC → application code reachability bridge (Sentinel-parity FR-DET-4).
+//
+// Detects publicly-exposed cloud resources in IaC (Terraform / CloudFormation
+// / Kubernetes) and correlates them with application-code references to the
+// same resource (by name, ARN, or hostname). Application-code findings on
+// resources that IaC has exposed get a severity bump and an explicit
+// "exposed-via-iac" tag.
+//
+// Patterns detected:
+//
+//   S3 bucket with public-read ACL / public-access-block disabled
+//   RDS / DocumentDB / Redshift with publicly_accessible = true
+//   Security group with 0.0.0.0/0 ingress on a sensitive port
+//   ALB / NLB / API Gateway with internet-facing scheme
+//   K8s Service of type LoadBalancer with no NetworkPolicy
+//   K8s Ingress with no auth annotation
+//   Lambda function URL with auth_type = NONE
+//   ECS task with assignPublicIp = ENABLED
+//
+// Output: { exposedResources: [{name, kind, file, line, severity}], findings: [...new findings] }
+
+const SENSITIVE_PORTS = new Set([22, 23, 25, 110, 143, 3306, 3389, 5432, 6379, 27017, 9200, 9300, 1521, 5984, 11211]);
+
+// Match Terraform resource blocks.
+function parseTerraform(fileContents) {
+  const resources = [];
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!/\.tf$/i.test(fp)) continue;
+    if (!c || typeof c !== 'string') continue;
+    // resource "TYPE" "NAME" { ... }
+    const re = /resource\s+"([^"]+)"\s+"([^"]+)"\s*\{([\s\S]*?)\n\}/g;
+    let m;
+    while ((m = re.exec(c))) {
+      const line = c.substring(0, m.index).split('\n').length;
+      resources.push({ file: fp, line, kind: m[1], name: m[2], body: m[3] });
+    }
+  }
+  return resources;
+}
+
+function classifyExposure(r) {
+  const reasons = [];
+  if (r.kind === 'aws_s3_bucket' || r.kind === 'aws_s3_bucket_acl' || r.kind === 'aws_s3_bucket_public_access_block') {
+    if (/acl\s*=\s*"public-read"|acl\s*=\s*"public-read-write"/.test(r.body)) reasons.push('s3-public-acl');
+    if (/block_public_acls\s*=\s*false|restrict_public_buckets\s*=\s*false/.test(r.body)) reasons.push('s3-public-access-block-off');
+  }
+  if (/aws_db_instance|aws_rds|aws_docdb_cluster_instance/.test(r.kind)) {
+    if (/publicly_accessible\s*=\s*true/.test(r.body)) reasons.push('db-publicly-accessible');
+  }
+  if (r.kind === 'aws_security_group' || r.kind === 'aws_security_group_rule' || r.kind === 'aws_vpc_security_group_ingress_rule') {
+    if (/cidr_blocks?\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\]|cidr_ipv4\s*=\s*"0\.0\.0\.0\/0"/.test(r.body)) {
+      const portMatch = r.body.match(/from_port\s*=\s*(\d+)/);
+      const port = portMatch ? parseInt(portMatch[1], 10) : null;
+      if (port && SENSITIVE_PORTS.has(port)) reasons.push(`sg-open-${port}`);
+      else if (port === 0 || (portMatch && parseInt(portMatch[1], 10) === 0)) reasons.push('sg-all-ports-open');
+      else if (!portMatch) reasons.push('sg-no-port-restriction');
+    }
+  }
+  if (/aws_lb\b|aws_alb\b|aws_elb\b/.test(r.kind)) {
+    if (/internal\s*=\s*false/.test(r.body) || /scheme\s*=\s*"internet-facing"/.test(r.body)) reasons.push('lb-internet-facing');
+  }
+  if (r.kind === 'aws_lambda_function_url') {
+    if (/authorization_type\s*=\s*"NONE"/.test(r.body)) reasons.push('lambda-url-no-auth');
+  }
+  if (r.kind === 'aws_ecs_service' || r.kind === 'aws_ecs_task_definition') {
+    if (/assign_public_ip\s*=\s*true/.test(r.body)) reasons.push('ecs-public-ip');
+  }
+  return reasons;
+}
+
+// Detect application-code references to a named resource. Heuristic:
+// `process.env.<UPPERCASE_NAME>`, hardcoded `"<bucket-name>"` literals, or
+// ARN substrings containing the resource name.
+function findCodeReferences(fileContents, resourceName) {
+  const out = [];
+  const envName = resourceName.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+  for (const [fp, c] of Object.entries(fileContents || {})) {
+    if (!c || typeof c !== 'string') continue;
+    if (c.length > 500_000) continue;
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|rb|go|java|kt|cs|php)$/i.test(fp)) continue;
+    // process.env.<NAME> reference.
+    const re1 = new RegExp(`\\b(?:process\\.env|os\\.environ|os\\.getenv|System\\.getenv)\\s*[.\\[]\\s*['"]?${envName}['"]?`, 'g');
+    let m;
+    while ((m = re1.exec(c))) {
+      const line = c.substring(0, m.index).split('\n').length;
+      out.push({ file: fp, line, refType: 'env-var' });
+    }
+    // String literal reference.
+    const re2 = new RegExp(`['"]${resourceName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}['"]`, 'g');
+    while ((m = re2.exec(c))) {
+      const line = c.substring(0, m.index).split('\n').length;
+      out.push({ file: fp, line, refType: 'literal' });
+    }
+  }
+  return out;
+}
+
+export function scanIacReachability(fileContents, existingFindings) {
+  const resources = parseTerraform(fileContents);
+  if (resources.length === 0) return [];
+  const exposed = [];
+  for (const r of resources) {
+    const reasons = classifyExposure(r);
+    if (reasons.length) exposed.push({ ...r, reasons });
+  }
+  if (!exposed.length) return [];
+
+  const out = [];
+  for (const r of exposed) {
+    // 1. Always emit an IaC finding for the exposed resource itself.
+    out.push({
+      id: `iac-exposed:${r.file}:${r.line}:${r.kind}:${r.name}`,
+      file: r.file, line: r.line,
+      vuln: `Publicly-exposed cloud resource (${r.kind} "${r.name}"): ${r.reasons.join(', ')}`,
+      severity: 'high',
+      cwe: 'CWE-668',
+      stride: 'Information Disclosure',
+      snippet: `${r.kind} "${r.name}"`,
+      remediation: `Tighten the IaC config for ${r.kind} "${r.name}". Specific reasons: ${r.reasons.join(', ')}. ` +
+        `Remove public-read ACLs / publicly_accessible flags / 0.0.0.0/0 ingress on sensitive ports. ` +
+        `Use private subnets + VPC endpoints; require IAM-authenticated access at minimum.`,
+      parser: 'IAC-REACH',
+      confidence: 0.85,
+    });
+
+    // 2. Find application-code references; bump severity on findings that
+    //    sit on lines referencing this resource.
+    const refs = findCodeReferences(fileContents, r.name);
+    for (const ref of refs) {
+      // Look for existing findings near this ref line.
+      const nearby = (existingFindings || []).filter(f =>
+        f.file === ref.file && Math.abs((f.line || 0) - ref.line) <= 5
+      );
+      for (const f of nearby) {
+        // Bump severity by one notch and annotate.
+        const before = f.severity;
+        if (before === 'medium') f.severity = 'high';
+        else if (before === 'low') f.severity = 'medium';
+        f.iacExposed = true;
+        f.iacExposureReason = r.reasons.join(',');
+        f.iacResource = `${r.kind}:${r.name}`;
+      }
+      if (refs.length && !nearby.length) {
+        out.push({
+          id: `iac-codepath:${ref.file}:${ref.line}:${r.name}`,
+          file: ref.file, line: ref.line,
+          vuln: `Application references publicly-exposed ${r.kind} "${r.name}" (${r.reasons.join(', ')})`,
+          severity: 'medium',
+          cwe: 'CWE-668',
+          snippet: `(reference to ${r.kind}:${r.name})`,
+          remediation: `Application code at ${ref.file}:${ref.line} reads the resource "${r.name}" which IaC has exposed publicly (${r.reasons.join(', ')}). Either fix the IaC config or assume the data path is untrusted and add server-side authz.`,
+          parser: 'IAC-REACH',
+          confidence: 0.6,
+          chain: [
+            { file: r.file, line: r.line, label: `IaC: ${r.kind} ${r.name} (${r.reasons[0]})` },
+            { file: ref.file, line: ref.line, label: `code uses ${r.name}` },
+          ],
+        });
+      }
+    }
+  }
+  return out;
+}

package/src/posture/iam-policy.js

@@ -0,0 +1,128 @@
+// IAM policy reachability (FR-XSAT-7).
+//
+// Parses AWS IAM policy JSON files (Terraform inline policies, raw policy
+// documents, CDK stack output, attached-role JSON), correlates them with
+// app code references (env vars, role ARNs, service names), and flags
+// over-permissive grants — wildcards on dangerous actions, * resource on
+// high-blast-radius services, or PassRole on broad targets.
+//
+// Honest scope for v1:
+//   - Static analysis of policy docs. No cloud-API calls.
+//   - Reachability proxy: a policy is "reachable" if its file is in the
+//     repo AND the policy's role name or ARN appears anywhere in app code
+//     (likely indicating the app assumes that role).
+//   - The over-permissive ruleset is curated, not exhaustive. Aim for high
+//     precision; recall improvements queued for v2.
+
+const IAM_POLICY_FILE_RE = /(?:^|\/)(?:.*\.iam\.json|policy.*\.json|iam-policy.*\.json|role-policy.*\.json)$/i;
+const POLICY_JSON_HINTS = /"Version"\s*:\s*"2012-10-17"|"Statement"\s*:\s*\[/;
+
+// Actions we consider dangerous when combined with wildcard resource OR
+// effect=Allow + no Condition. Curated; not exhaustive.
+const DANGEROUS_ACTIONS = [
+  // Identity/access — escalation primitives.
+  { action: /^iam:(\*|PassRole|CreateRole|AttachRolePolicy|PutRolePolicy|UpdateAssumeRolePolicy)$/, family: 'iam-overpermissive', severity: 'critical', why: 'IAM action allowing role escalation' },
+  // Object storage — exfiltration.
+  { action: /^s3:(\*|GetObject|PutObject|DeleteObject)$/, family: 'iam-overpermissive', severity: 'high',     why: 'S3 read/write/delete' },
+  // Compute — lateral movement.
+  { action: /^lambda:(\*|InvokeFunction|UpdateFunctionCode|CreateFunction)$/, family: 'iam-overpermissive', severity: 'high', why: 'Lambda action allowing code injection / lateral move' },
+  { action: /^ec2:(\*|RunInstances|TerminateInstances|ModifyInstanceAttribute)$/, family: 'iam-overpermissive', severity: 'high', why: 'EC2 lifecycle control' },
+  // Data layer.
+  { action: /^dynamodb:(\*|GetItem|PutItem|DeleteItem|Query|Scan)$/, family: 'iam-overpermissive', severity: 'medium', why: 'DynamoDB data access' },
+  { action: /^rds:(\*|DeleteDBInstance|ModifyDBInstance)$/, family: 'iam-overpermissive', severity: 'high', why: 'RDS lifecycle control' },
+  // Secrets.
+  { action: /^secretsmanager:(\*|GetSecretValue|PutSecretValue)$/, family: 'iam-overpermissive', severity: 'high', why: 'Secrets Manager read/write' },
+  { action: /^kms:(\*|Decrypt|Encrypt|GenerateDataKey)$/, family: 'iam-overpermissive', severity: 'high', why: 'KMS key usage' },
+];
+
+const WILDCARD_RESOURCE_RE = /^(\*|arn:[\w-]+:\w+:\*:\*:\*)$/;
+
+function _parseStatements(raw) {
+  let policy;
+  try { policy = JSON.parse(raw); } catch { return []; }
+  const stmt = policy.Statement || (policy.PolicyDocument && policy.PolicyDocument.Statement);
+  if (!stmt) return [];
+  return Array.isArray(stmt) ? stmt : [stmt];
+}
+
+function _lineOf(raw, sub) {
+  const idx = raw.indexOf(sub);
+  if (idx < 0) return 1;
+  return raw.substring(0, idx).split('\n').length;
+}
+
+function _expandActions(actions) {
+  if (!actions) return [];
+  return Array.isArray(actions) ? actions : [actions];
+}
+
+function _expandResources(resources) {
+  if (!resources) return ['*'];
+  return Array.isArray(resources) ? resources : [resources];
+}
+
+function _isWildcardResource(res) {
+  if (typeof res !== 'string') return false;
+  return WILDCARD_RESOURCE_RE.test(res);
+}
+
+/**
+ * Scan one IAM policy file. Returns finding objects.
+ */
+function scanOnePolicyFile(file, raw) {
+  if (!POLICY_JSON_HINTS.test(raw)) return [];
+  const statements = _parseStatements(raw);
+  const findings = [];
+  for (const s of statements) {
+    if ((s.Effect || 'Allow') !== 'Allow') continue;
+    const actions = _expandActions(s.Action);
+    const resources = _expandResources(s.Resource);
+    const hasCondition = s.Condition && Object.keys(s.Condition).length > 0;
+    // Identify which actions are dangerous + paired with wildcard resource
+    // OR no Condition gate.
+    for (const a of actions) {
+      const rule = DANGEROUS_ACTIONS.find(r => r.action.test(a));
+      if (!rule) continue;
+      const broadResource = resources.some(_isWildcardResource);
+      if (!broadResource && hasCondition) continue;   // narrow + conditioned → ok
+      const reason = broadResource
+        ? `wildcard resource ${resources.join(',')}`
+        : 'no Condition gate';
+      findings.push({
+        id: `iam:${file}:${a}:${reason}`,
+        file,
+        line: _lineOf(raw, `"${a}"`),
+        vuln: `IAM over-permissive grant: ${a} (${reason})`,
+        severity: broadResource ? rule.severity : 'medium',
+        cwe: 'CWE-732',                                  // insecure resource permissions
+        family: rule.family,
+        stride: 'Elevation of Privilege',
+        parser: 'IAM-POLICY',
+        confidence: 0.7,
+        snippet: `Effect=Allow Action=${a} Resource=${resources.join(',')}${hasCondition ? ' [Condition gate present]' : ''}`,
+        remediation: `${rule.why}. Either narrow the Action to the specific verb you need, scope Resource to a single ARN, or add a Condition (e.g. \`aws:PrincipalTag\`, \`aws:SourceIp\`, \`aws:RequestedRegion\`) so the grant isn't usable from arbitrary contexts.`,
+      });
+    }
+  }
+  return findings;
+}
+
+/**
+ * Module entry point. fileContents is the full project map; existingFindings
+ * is the engine's findings list (used for reachability correlation — the
+ * future Phase-2.5 expansion).
+ */
+export function scanIamPolicies(fileContents /* , existingFindings */) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const findings = [];
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (typeof content !== 'string' || content.length === 0) continue;
+    if (content.length > 500_000) continue;
+    if (!IAM_POLICY_FILE_RE.test(fp) && !POLICY_JSON_HINTS.test(content.slice(0, 500))) continue;
+    findings.push(...scanOnePolicyFile(fp, content));
+  }
+  return findings;
+}
+
+// For tests + the no-dead-modules check.
+export const _internals = { DANGEROUS_ACTIONS, IAM_POLICY_FILE_RE, scanOnePolicyFile };

package/src/posture/integrity.js

@@ -0,0 +1,97 @@
+// Tamper-evidence for `.agentic-security/last-scan.json`.
+//
+// Writes a sibling `.sig` file containing an HMAC-SHA256 of the JSON body.
+// Readers verify the signature before trusting findings counts / file paths.
+//
+// KEY MATERIAL (premortem #1):
+//   The key is read from one of:
+//     1. $AGENTIC_SECURITY_HMAC_KEY  — explicit operator-provided key (hex)
+//     2. $XDG_CONFIG_HOME/agentic-security/scan-key  (or ~/.config/agentic-security/scan-key)
+//        — a per-install 32-byte random key, mode 0600, generated on first use.
+//   The old hostname-derived key is accepted in VERIFY-ONLY mode for one
+//   release so existing signed `last-scan.json` files keep verifying. New
+//   signatures only use the random key.
+//
+// Threat model: this is a guardrail against accidental corruption, naive
+// manual edits, CI-cache poisoning, and supply-chain planting of a fake
+// last-scan.json designed to weaponize MCP `apply_fix`. An attacker who
+// reads $AGENTIC_SECURITY_HMAC_KEY or the on-disk key file can forge — so
+// the key file is mode 0600, and the env-var variant is intended for
+// operators who manage secrets separately (Doppler/Infisical/etc.).
+
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+
+const _HMAC_SALT = 'agentic-security:last-scan:v1';
+
+function _keyDir() {
+  const xdg = process.env.XDG_CONFIG_HOME;
+  const base = xdg && xdg.length ? xdg : path.join(os.homedir(), '.config');
+  return path.join(base, 'agentic-security');
+}
+function _keyPath() { return path.join(_keyDir(), 'scan-key'); }
+
+function _readOrGenerateKey() {
+  const fromEnv = process.env.AGENTIC_SECURITY_HMAC_KEY;
+  if (fromEnv && /^[0-9a-fA-F]{32,}$/.test(fromEnv.trim())) {
+    return Buffer.from(fromEnv.trim(), 'hex');
+  }
+  const fp = _keyPath();
+  try {
+    if (fs.existsSync(fp)) {
+      const hex = fs.readFileSync(fp, 'utf8').trim();
+      if (/^[0-9a-fA-F]{32,}$/.test(hex)) return Buffer.from(hex, 'hex');
+    }
+  } catch { /* fall through to generate */ }
+  // Generate, mode 0600.
+  const buf = crypto.randomBytes(32);
+  try {
+    fs.mkdirSync(_keyDir(), { recursive: true, mode: 0o700 });
+    fs.writeFileSync(fp, buf.toString('hex') + '\n', { mode: 0o600 });
+  } catch { /* best-effort — fall back to in-memory key for the process */ }
+  return buf;
+}
+
+function _legacyHostnameKey() {
+  return crypto.createHash('sha256').update(`${_HMAC_SALT}:${os.hostname()}`).digest();
+}
+
+let _cachedKey = null;
+function _key() {
+  if (_cachedKey) return _cachedKey;
+  _cachedKey = _readOrGenerateKey();
+  return _cachedKey;
+}
+
+export function signLastScan(body) {
+  return crypto.createHmac('sha256', _key()).update(body).digest('hex');
+}
+
+// Verify body against a sibling .sig file.
+// Returns true if valid under the current install key OR the legacy hostname
+// key (for one-release migration), false if invalid, null if sig file is
+// absent (first-run case — call sites decide whether absent == fail-closed).
+export function verifyLastScan(body, sigFile) {
+  if (!fs.existsSync(sigFile)) return null;
+  let stored;
+  try { stored = fs.readFileSync(sigFile, 'utf8').trim(); }
+  catch { return false; }
+  const tryKey = (k) => {
+    try {
+      const expected = crypto.createHmac('sha256', k).update(body).digest('hex');
+      if (stored.length !== expected.length) return false;
+      return crypto.timingSafeEqual(Buffer.from(stored, 'hex'), Buffer.from(expected, 'hex'));
+    } catch { return false; }
+  };
+  if (tryKey(_key())) return true;
+  // Legacy hostname-key path — accepted for verification only, not for new
+  // signatures. Remove after one minor release.
+  if (tryKey(_legacyHostnameKey())) return true;
+  return false;
+}
+
+// Test-only helpers (premortem-tracked):
+export function _resetKeyCacheForTests() { _cachedKey = null; }
+export function _keyFilePathForTests() { return _keyPath(); }

package/src/posture/learning.js

@@ -0,0 +1,166 @@
+// Active learning loop (FR-PREC-4).
+//
+// Consumes user triage decisions written by /triage to
+// .agentic-security/triage-feedback.json and uses them as priors on the
+// next scan:
+//   - Findings whose `stableId` was previously marked false-positive get
+//     suppressed (with a recorded reason).
+//   - Findings whose `family + file-pattern + sink-pattern` matches a FP
+//     pattern in past feedback also get suppressed.
+//   - Findings whose stableId was previously marked true-positive get a
+//     small confidence boost.
+//
+// File shape:
+//   {
+//     "entries": [
+//       { "stableId": "...", "verdict": "tp" | "fp" | "wontfix", "reason": "...",
+//         "family": "...", "filePattern": "src/auth/*.js", "sinkPattern": "...",
+//         "at": "2026-05-18T..." }
+//     ]
+//   }
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const FILE = '.agentic-security/triage-feedback.json';
+
+export function loadFeedback(scanRoot) {
+  if (!scanRoot) return { entries: [] };
+  const fp = path.join(scanRoot, FILE);
+  if (!fs.existsSync(fp)) return { entries: [] };
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')) || { entries: [] }; }
+  catch { return { entries: [] }; }
+}
+
+export function saveFeedback(scanRoot, data) {
+  if (!scanRoot) return;
+  const fp = path.join(scanRoot, FILE);
+  fs.mkdirSync(path.dirname(fp), { recursive: true });
+  fs.writeFileSync(fp, JSON.stringify(data, null, 2));
+}
+
+export function recordVerdict(scanRoot, finding, verdict, reason) {
+  if (!['tp', 'fp', 'wontfix'].includes(verdict)) {
+    throw new Error(`invalid verdict: ${verdict}`);
+  }
+  const data = loadFeedback(scanRoot);
+  data.entries = data.entries || [];
+  data.entries.push({
+    stableId: finding.stableId || null,
+    verdict,
+    reason: reason || '',
+    family: finding.family || null,
+    file: finding.file || null,
+    line: finding.line || null,
+    vuln: finding.vuln || null,
+    sinkSnippet: (finding.sink?.snippet || finding.snippet || '').slice(0, 200),
+    at: new Date().toISOString(),
+  });
+  saveFeedback(scanRoot, data);
+}
+
+function matchesPattern(filePath, pattern) {
+  if (!pattern) return true;
+  // Very small glob — supports `*` and `**` only; sufficient for triage entries.
+  const regex = new RegExp(
+    '^' +
+    pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*\*/g, '@@DOUBLE@@')
+      .replace(/\*/g, '[^/]*')
+      .replace(/@@DOUBLE@@/g, '.*') +
+    '$'
+  );
+  return regex.test(filePath);
+}
+
+// Apply feedback to a freshly produced set of findings. Returns
+// { kept: Finding[], suppressed: SuppressionLogEntry[] }.
+//
+// SAFETY (post-premortem R3.3):
+//   - DEFAULT OFF: only consulted when AGENTIC_SECURITY_LEARN=1.
+//   - QUORUM: a stableId is suppressed only after ≥ AGENTIC_SECURITY_LEARN_QUORUM
+//     distinct fp entries (default 2).
+//   - CAP: most-recent 500 entries by `at` timestamp are honored — bounds
+//     the poisoning blast radius.
+//   - PATTERN MATCHES require ≥ quorum entries with the same family+filePattern.
+export function applyFeedback(scanRoot, findings) {
+  const suppressed = [];
+  // OPT-IN gate.
+  if (process.env.AGENTIC_SECURITY_LEARN !== '1') return { kept: findings, suppressed };
+  const data = loadFeedback(scanRoot);
+  if (!data.entries || !data.entries.length) return { kept: findings, suppressed };
+  const quorum = Math.max(1, parseInt(process.env.AGENTIC_SECURITY_LEARN_QUORUM || '2', 10));
+  // Keep the most recent 500 entries by `at`.
+  const sorted = [...data.entries].sort((a, b) => String(a.at || '').localeCompare(String(b.at || ''))).slice(-500);
+  const fpCountById = new Map();
+  const fpById = new Map();
+  const tpById = new Set();
+  const patternCounts = new Map();
+  for (const e of sorted) {
+    if (e.verdict === 'fp') {
+      if (e.stableId) {
+        fpCountById.set(e.stableId, (fpCountById.get(e.stableId) || 0) + 1);
+        if (!fpById.has(e.stableId)) fpById.set(e.stableId, e);
+      }
+      if (e.family && (e.file || e.sinkSnippet)) {
+        const k = `${e.family}|${e.file ? e.file.split('/').slice(0, -1).join('/') + '/*' : ''}|${(e.sinkSnippet || '').slice(0, 80)}`;
+        patternCounts.set(k, (patternCounts.get(k) || 0) + 1);
+      }
+    } else if (e.verdict === 'tp') {
+      if (e.stableId) tpById.add(e.stableId);
+    }
+  }
+  // Drop stableIds below quorum.
+  for (const [id, count] of fpCountById) {
+    if (count < quorum) fpById.delete(id);
+  }
+  // Build pattern list — only patterns at quorum.
+  const fpPatterns = [];
+  for (const [key, count] of patternCounts) {
+    if (count < quorum) continue;
+    const [family, filePattern, sinkSnippet] = key.split('|');
+    fpPatterns.push({
+      family: family || null,
+      filePattern: filePattern || null,
+      sinkSnippet: sinkSnippet || '',
+      reason: `quorum-${count}-fp-votes`,
+    });
+  }
+  const kept = [];
+  for (const f of findings) {
+    if (!f) continue;
+    // Direct stableId match → suppress
+    if (f.stableId && fpById.has(f.stableId)) {
+      suppressed.push({
+        vuln: f.vuln, file: f.file, line: f.line, snippet: f.snippet,
+        reason: 'learned-fp:' + (fpById.get(f.stableId).reason || 'past-triage'),
+      });
+      continue;
+    }
+    // Pattern match
+    let patternHit = null;
+    for (const p of fpPatterns) {
+      if (p.family && f.family !== p.family) continue;
+      if (p.filePattern && !matchesPattern(f.file || '', p.filePattern)) continue;
+      const sinkText = (f.sink?.snippet || f.snippet || '').slice(0, 80);
+      if (p.sinkSnippet && sinkText.includes(p.sinkSnippet.slice(0, 30))) {
+        patternHit = p; break;
+      }
+    }
+    if (patternHit) {
+      suppressed.push({
+        vuln: f.vuln, file: f.file, line: f.line, snippet: f.snippet,
+        reason: 'learned-fp-pattern:' + (patternHit.reason || 'past-triage'),
+      });
+      continue;
+    }
+    // TP boost — small confidence bump.
+    if (f.stableId && tpById.has(f.stableId)) {
+      f.confidence = Math.min(1, (f.confidence || 0.5) + 0.10);
+      f._learned = 'tp-prior';
+    }
+    kept.push(f);
+  }
+  return { kept, suppressed };
+}

package/src/posture/license-policy.js

@@ -0,0 +1,109 @@
+// 0.8.0 Feat-10: License policy enforcement — allow/deny/review per SPDX license expression.
+//
+// Reads .agentic-security/license-policy.yml (allow / deny / review-required) and
+// emits findings of kind 'license' for components whose license violates the policy.
+//
+// Policy file shape:
+//   allow:   ['MIT', 'Apache-2.0', 'BSD-3-Clause', 'BSD-2-Clause', 'ISC', '0BSD']
+//   deny:    ['GPL-3.0', 'GPL-2.0', 'AGPL-3.0', 'AGPL-1.0', 'SSPL-1.0']
+//   review:  ['LGPL-2.1', 'LGPL-3.0', 'MPL-2.0']
+//   unknown: 'review'   # 'deny' | 'allow' | 'review' — what to do with components missing a license
+//
+// Default policy (when no file exists) is permissive: nothing fires unless the
+// user opts in by creating the policy file.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+
+const DEFAULT_POLICY = {
+  allow: [],
+  deny: [],
+  review: [],
+  unknown: 'allow',
+};
+
+export function loadLicensePolicy(scanRoot) {
+  if (!scanRoot) return null;
+  for (const name of ['license-policy.yml', 'license-policy.yaml', 'license-policy.json']) {
+    const p = path.join(scanRoot, '.agentic-security', name);
+    if (!fs.existsSync(p)) continue;
+    try {
+      const raw = fs.readFileSync(p, 'utf8');
+      const doc = name.endsWith('.json') ? JSON.parse(raw) : yaml.load(raw);
+      return _normalize(doc);
+    } catch (e) {
+      return { _error: `Failed to parse ${p}: ${e.message}` };
+    }
+  }
+  return null;
+}
+
+function _normalize(doc) {
+  return {
+    allow:   Array.isArray(doc?.allow)   ? doc.allow.map(_norm)   : [],
+    deny:    Array.isArray(doc?.deny)    ? doc.deny.map(_norm)    : [],
+    review:  Array.isArray(doc?.review)  ? doc.review.map(_norm)  : [],
+    unknown: ['allow','deny','review'].includes(doc?.unknown) ? doc.unknown : 'allow',
+  };
+}
+
+function _norm(s) { return String(s||'').trim().toUpperCase(); }
+
+// Classify a single license string against the policy.
+// Returns one of: 'allow' | 'deny' | 'review' | 'unknown'.
+export function classifyLicense(license, policy) {
+  policy = policy || DEFAULT_POLICY;
+  if (!license || !license.trim()) return policy.unknown || 'allow';
+  const norm = _norm(license);
+  // SPDX expressions can be compound: "(MIT OR Apache-2.0)"; treat as deny if ANY
+  // compound atom is denied; otherwise allow if any allowed atom matches.
+  const atoms = norm.replace(/[()]/g, '').split(/\s+(?:OR|AND)\s+/i).map(s=>s.trim()).filter(Boolean);
+  if (atoms.length > 1) {
+    if (atoms.some(a => policy.deny.includes(a))) return 'deny';
+    if (atoms.some(a => policy.review.includes(a))) return 'review';
+    if (atoms.some(a => policy.allow.includes(a))) return 'allow';
+    return policy.unknown || 'allow';
+  }
+  if (policy.deny.includes(norm))   return 'deny';
+  if (policy.review.includes(norm)) return 'review';
+  if (policy.allow.includes(norm))  return 'allow';
+  return policy.unknown || 'allow';
+}
+
+// Run the policy against scan.components and emit findings of kind 'license'.
+export function evaluateLicensePolicy(components, policy) {
+  if (!policy) return [];
+  if (policy._error) return [{
+    id: 'license-policy:error',
+    kind: 'license', severity: 'low',
+    vuln: 'License policy file failed to parse',
+    file: '.agentic-security/license-policy.yml', line: 0,
+    snippet: policy._error,
+  }];
+  const findings = [];
+  for (const c of components || []) {
+    const verdict = classifyLicense(c.license || '', policy);
+    if (verdict === 'allow') continue;
+    const sev = verdict === 'deny' ? 'high' : 'low';
+    const lic = c.license || '(none)';
+    findings.push({
+      id: `license-policy:${c.ecosystem}:${c.name}@${c.version}:${verdict}`,
+      kind: 'license', severity: sev,
+      vuln: verdict === 'deny'
+        ? `Denied license: ${lic} in ${c.name}@${c.version}`
+        : verdict === 'review'
+          ? `License requires review: ${lic} in ${c.name}@${c.version}`
+          : `Component without declared license: ${c.name}@${c.version}`,
+      file: c.filePath || 'package.json', line: 0,
+      snippet: `${c.ecosystem}:${c.name}@${c.version} — license ${lic}`,
+      fix: verdict === 'deny'
+        ? 'Replace this dependency with a license-compatible alternative, or move it under .agentic-security/license-policy.yml `review:` if your legal team approves a one-off exception.'
+        : verdict === 'review'
+          ? 'Have legal/license review confirm this license is compatible with your distribution model. Add it to `allow:` or `deny:` once decided.'
+          : 'Confirm this dependency\'s actual license (check the upstream repo). Many `unknown` cases are misconfigured registry metadata for an otherwise-permissive license.',
+      package: c.name, version: c.version, ecosystem: c.ecosystem, license: c.license || null,
+    });
+  }
+  return findings;
+}