@clear-capabilities/agentic-security-scanner 0.79.0 → 0.80.0

package/src/sast/llm-app.js

@@ -0,0 +1,272 @@
+// AI / LLM application security — Recommendation #1 of the world-class+2 plan.
+//
+// Coverage for the fastest-growing attack surface in 2026 — applications
+// that wire user input into an LLM call. The existing /llm skill +
+// scanner/src/sast/llm.js + llm-owasp.js are start; this module adds the
+// production-grade detectors:
+//
+//   - llm-prompt-injection      System prompt + user prompt concatenated
+//                               without isolation/delimiter
+//   - llm-tool-exec             Agent tool definitions that expose
+//                               exec/shell/fetch/subprocess to the LLM
+//   - llm-rag-injection         Vector-store retrieve → llm.generate
+//                               without sanitization of retrieved content
+//   - llm-model-load-untrusted  loading a model file from a user-controlled
+//                               path (model-poisoning surface)
+//   - llm-credential-in-prompt  API key / secret embedded in the prompt
+//                               text (exposed to model + logs)
+//   - llm-output-untrusted-sink LLM output directly written to eval/exec/
+//                               file/HTML without validation
+//   - llm-training-data-pii     PII fields in training/fine-tuning paths
+//
+// Detection runs over the universal IR + content regex. Findings carry
+// family 'llm-app-security' with finer subfamily strings.
+
+import { blankComments } from './_comment-strip.js';
+
+const _LLM_CLIENT_PATTERNS = [
+  /\bopenai\b/i,
+  /\bAnthropic\b/i,
+  /\bbedrock\b/i,
+  /\bvertex(?:ai)?\b/i,
+  /\bAzureOpenAI\b/i,
+  /\bllamaIndex\b/i,
+  /\blangchain\b/i,
+  /\bllama_cpp\b/i,
+  /\bollama\b/i,
+  /\bmistral(?:ai)?\b/i,
+  /\bgroq\b/i,
+  /\bcohere\b/i,
+  /\bhuggingface\b/i,
+  /\btransformers\b/i,
+];
+
+// Heuristic: file looks LLM-relevant when ANY common LLM client / framework
+// appears. We avoid noisy detection on files that have nothing to do with
+// LLMs.
+function _isLlmRelevant(text) {
+  return _LLM_CLIENT_PATTERNS.some(re => re.test(text));
+}
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+function _snip(raw, line) { return (raw.split('\n')[line - 1] || '').trim().slice(0, 200); }
+
+const _findingShape = (raw, line, ruleId, vuln, sub, severity, cwe, remediation) => ({
+  id: `${ruleId}:${line}`,
+  line, vuln, severity, cwe,
+  stride: 'Tampering',
+  snippet: _snip(raw, line),
+  remediation,
+  confidence: 0.8,
+  parser: 'LLM-APP',
+  family: 'llm-app-security',
+  subfamily: sub,
+});
+
+// ── Individual detectors ───────────────────────────────────────────────────
+
+function detectPromptInjection(file, raw, code, out, seen) {
+  // Pattern: `messages: [{role: 'system', content: ...}, {role: 'user',
+  // content: <tainted-or-concatenated>}]` where the user content is built
+  // by concatenating a system-shaped prefix with user input — i.e., the
+  // developer is mixing trust boundaries inside a single prompt.
+  //
+  // Detection heuristics in v1:
+  //   1. A literal "system" role message immediately followed by a user
+  //      role whose content concatenates a string with a free variable
+  //   2. Direct `system_prompt + user_input` concatenation at the call site
+  const re1 = /\brole\s*[:=]\s*["']user["'][^}]{0,400}content\s*[:=]\s*[^,)]*\+\s*\w/g;
+  let m;
+  while ((m = re1.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-prompt-injection-user-concat:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-prompt-injection-user-concat',
+        'Prompt Injection — user prompt built from string concatenation',
+        'prompt-injection', 'high', 'CWE-1427',
+        'Separate trust boundaries: keep system prompt as a literal constant; pass user input as a separate message with role "user" and never concatenate. Use the messages array form (e.g. messages.create) and avoid string interpolation. When user content must be embedded inside structured prompts, wrap it in delimiter tokens AND sanitize.'),
+      file,
+    });
+  }
+  // Pattern: system_prompt + " " + user_input shape
+  const re2 = /\b(?:system[_-]?prompt|systemPrompt|SYSTEM_PROMPT)\s*[\+,]\s*(?:["'][\s\S]{0,40}["']\s*[\+,]\s*)?(?:user[_-]?(?:input|prompt|query|message)|userInput|userPrompt|message|input|query)\b/gi;
+  while ((m = re2.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-prompt-injection-mix:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-prompt-injection-mix',
+        'Prompt Injection — system prompt concatenated with user input',
+        'prompt-injection', 'high', 'CWE-1427',
+        'Pass system prompt and user message as separate role-tagged messages: `chat.create({messages: [{role:"system", content:S}, {role:"user", content:U}]})`. Concatenation merges the two trust levels into one string and lets the user override the system prompt.'),
+      file,
+    });
+  }
+}
+
+function detectToolExec(file, raw, code, out, seen) {
+  // Pattern: agent / tool definitions that expose dangerous APIs to the LLM:
+  //   - exec / shell / subprocess / spawn
+  //   - eval / Function ctor
+  //   - http / fetch / requests with arbitrary URL
+  //   - file_read / file_write with arbitrary path
+  // The detection looks for tool-array entries whose `name` or `function`
+  // field references one of these patterns.
+  const re = /\b(?:tools|function_calls|functions)\s*[:=]\s*\[[^\]]{0,2000}(?:exec|shell|spawn|subprocess|eval|Function|child_process|os\.system|run_command|http_request|fetch_url|http_call|file_read|file_write|read_file|write_file)/gi;
+  let m;
+  while ((m = re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-tool-exec:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-tool-exec',
+        'Insecure LLM Tool — agent exposes shell/exec/eval/network surface to the model',
+        'tool-exec', 'critical', 'CWE-78',
+        'Tools given to an LLM execute under the LLM\'s judgment, which is adversary-controllable via prompt injection. Replace bare `exec` / `shell` tools with: (1) a typed allow-list of operations (e.g. `kubectl_get_pods`, not `kubectl`); (2) explicit confirmation for any side-effectful call; (3) network egress allow-list; (4) per-tool capability scoping.'),
+      file,
+    });
+  }
+}
+
+function detectRagInjection(file, raw, code, out, seen) {
+  // Pattern: vectorstore.query(...) / vectorstore.similarity_search(...) /
+  // retriever.retrieve(...) → embedded into next prompt. We detect when a
+  // retrieval result is wired directly into messages or used as content
+  // without an intermediate sanitization / instruction-isolation step.
+  const re = /\b(?:vectorstore|vector_store|vectorStore|retriever|index)\s*\.\s*(?:query|similarity_search|search|retrieve|invoke)\s*\(/gi;
+  let m;
+  while ((m = re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    // Look in the next ~10 lines for a chat/completion call.
+    const windowEnd = code.indexOf('\n', m.index);
+    const tail = code.slice(m.index, Math.min(code.length, m.index + 800));
+    const consumed = /\b(?:chat\.completions?\.create|completion\.create|messages\.create|invoke|llm\.generate|invoke_model|InvokeModel|generate_content|prompt\s*=|content\s*=)/.test(tail);
+    if (!consumed) continue;
+    const id = `llm-rag-injection:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-rag-injection',
+        'RAG Injection — vector-store result flows into LLM prompt without sanitization',
+        'rag-injection', 'high', 'CWE-1427',
+        'Retrieved content from a vector store is untrusted (any document indexed in your knowledge base is now an attacker-vector). Wrap retrieved chunks in clear delimiter tokens, instruct the system prompt to treat them as data, and apply a known-instruction-keyword filter before prompting. Also: confirm document-ingest pipeline validates that no document contains directives.'),
+      file,
+    });
+  }
+}
+
+function detectModelLoadUntrusted(file, raw, code, out, seen) {
+  // model = torch.load(user_supplied_path) / pickle.load / safetensors.load
+  // with arbitrary path.
+  const re = /\b(?:torch\.load|pickle\.load|joblib\.load|safetensors\.torch\.load_file|tf\.keras\.models\.load_model|transformers\.AutoModel(?:\w+)?\.from_pretrained)\s*\(\s*(?!["'])\w/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-model-load-untrusted:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-model-load-untrusted',
+        'Untrusted Model Load — model file loaded from a non-literal path',
+        'model-load', 'high', 'CWE-502',
+        'Model files (PyTorch .pt, pickle, transformers checkpoints) execute arbitrary code on load — pickle especially can carry RCE payloads. Pin the model file path to a constant, verify the file hash against a known-good value before loading, and prefer .safetensors over .pt where possible (safetensors cannot carry code).'),
+      file,
+    });
+  }
+}
+
+function detectCredentialInPrompt(file, raw, code, out, seen) {
+  // System prompt or user message containing a string literal that looks
+  // like an API key or secret. Catches the common error of embedding a
+  // credential into a system prompt for "context."
+  const re = /\b(?:system_prompt|systemPrompt|user_prompt|userPrompt|prompt|content|message)\s*[:=]\s*(?:f?["'`])[\s\S]{0,400}?(?:sk-[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16}|ghp_[A-Za-z0-9]{36}|xox[abprs]-[A-Za-z0-9-]{10,})/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-credential-in-prompt:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-credential-in-prompt',
+        'Credential in LLM Prompt — API key / secret embedded in prompt text',
+        'credential-in-prompt', 'critical', 'CWE-798',
+        'Credentials embedded in prompts are sent to the model endpoint AND logged in any LLM-debugging trace. Worse, the model may echo them in its response. Remove the literal; pass the credential via the API client\'s headers / SDK auth; never include it in the prompt.'),
+      file,
+    });
+  }
+}
+
+function detectOutputUntrustedSink(file, raw, code, out, seen) {
+  // Pattern: `result = completion.choices[0].message.content; eval(result)`
+  // or `... innerHTML = result` or `... = await chat.invoke(...); fs.writeFile(path, result)`.
+  // Detection: an LLM call result is captured in a variable, then that
+  // variable appears in a sink (eval / exec / write / innerHTML / etc.)
+  // within the next ~20 lines.
+  const llmCallRe = /(\w+)\s*=\s*(?:await\s+)?(?:openai|anthropic|client|llm|chat|completion|model)[\.\w]*\.\s*(?:complete|completions?\.create|messages\.create|invoke|generate|generate_content|chat|call)\s*\(/gi;
+  let m;
+  while ((m = llmCallRe.exec(code))) {
+    const varName = m[1];
+    const startLine = _lineOf(raw, m.index);
+    const tail = code.slice(m.index, Math.min(code.length, m.index + 1500));
+    const sinkRe = new RegExp(`\\b(?:eval|exec|new\\s+Function|innerHTML\\s*=|outerHTML\\s*=|document\\.write|fs\\.writeFile|writeFile|child_process|os\\.system|subprocess\\.run|Function\\s*\\()[^\\n]{0,200}\\b${varName.replace(/[.+^${}()|\\]/g, '\\$&')}\\b`);
+    const sinkMatch = sinkRe.exec(tail);
+    if (!sinkMatch) continue;
+    const sinkLine = startLine + tail.substring(0, sinkMatch.index).split('\n').length - 1;
+    const id = `llm-output-untrusted-sink:${file}:${sinkLine}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, sinkLine, 'llm-output-untrusted-sink',
+        `Untrusted LLM Output Sink — value from LLM (var \`${varName}\`) flows into eval/exec/innerHTML/file-write`,
+        'output-untrusted-sink', 'critical', 'CWE-94',
+        'LLM output is adversary-influenced (via prompt injection). Treat it like network input: never eval/exec/innerHTML it directly. If you need to render it: HTML-encode for DOM, validate against a JSON schema for tool use, and quarantine in a sandbox iframe for arbitrary content.'),
+      file,
+    });
+  }
+}
+
+function detectTrainingDataPii(file, raw, code, out, seen) {
+  // Patterns where a fine-tuning / training pipeline reads from a path
+  // that suggests PII presence (paths containing user / personal /
+  // customers / users / pii).
+  const re = /\b(?:openai\.FineTuning|fine_tune|trainer\.train|model\.fit|datasets\.load_dataset)\s*\([^)]*["'][^"']*(?:users?|customer|personal|pii|patient|patient_data|medical|finance|salary)\b/gi;
+  let m;
+  while ((m = re.exec(code))) {
+    const line = _lineOf(raw, m.index);
+    const id = `llm-training-data-pii:${file}:${line}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push({
+      ..._findingShape(raw, line, 'llm-training-data-pii',
+        'PII in Training Data — fine-tune/training source path suggests personal data',
+        'training-data-pii', 'high', 'CWE-359',
+        'Fine-tuning embeds the training data into model weights — the data is recoverable via membership-inference attacks. PII in training data triggers GDPR Art. 22 (automated decision-making) AND HIPAA. Sanitize before training: redact PII via dedicated tooling (Presidio, Cape Privacy), or use differential-privacy training (Opacus / TensorFlow Privacy).'),
+      file,
+    });
+  }
+}
+
+// ── Entry point ────────────────────────────────────────────────────────────
+
+export function scanLlmApp(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  if (!_isLlmRelevant(raw)) return [];
+  const code = blankComments(raw);
+  const out = [];
+  const seen = new Set();
+  try { detectPromptInjection(fp, raw, code, out, seen); } catch {}
+  try { detectToolExec(fp, raw, code, out, seen); } catch {}
+  try { detectRagInjection(fp, raw, code, out, seen); } catch {}
+  try { detectModelLoadUntrusted(fp, raw, code, out, seen); } catch {}
+  try { detectCredentialInPrompt(fp, raw, code, out, seen); } catch {}
+  try { detectOutputUntrustedSink(fp, raw, code, out, seen); } catch {}
+  try { detectTrainingDataPii(fp, raw, code, out, seen); } catch {}
+  for (const f of out) f.file = fp;
+  return out;
+}
+
+export const _internals = { _LLM_CLIENT_PATTERNS, _isLlmRelevant };

package/src/sast/ml-supply-chain.js

@@ -0,0 +1,259 @@
+// ML supply chain analyzer — Item #7 of the world-class+3 plan.
+//
+// Fills the gaps between model-load.js (pickle/torch/yaml core) and
+// llm-app.js / llm-owasp.js (runtime prompt-injection / tool-exec). This
+// module catches:
+//
+//   1. MLFLOW_UNTRUSTED_URI            mlflow.pyfunc.load_model from URI
+//                                       not under a verified registry
+//   2. ONNX_NO_PROVIDER_ALLOWLIST      onnxruntime.InferenceSession without
+//                                       explicit providers=[...]
+//   3. HF_DATASETS_TRUST_REMOTE_CODE   load_dataset(trust_remote_code=True)
+//   4. STREAMING_DATASET_URL           webdataset / streaming.StreamingDataset
+//                                       loading from HTTP without checksum
+//   5. PROMPT_FROM_ENV_OR_URL          System prompt sourced from env var /
+//                                       URL fetch / file read without integrity
+//   6. AGENT_TOOL_EXPOSES_EXEC         LangChain / OpenAI function-calling
+//                                       tool definitions exposing exec/shell/eval/fs.write
+//   7. UNSAFE_MODEL_FILE_FORMAT        Loading .pt/.pth/.bin where .safetensors
+//                                       would do (informational nudge)
+//   8. MODEL_HASH_NOT_VERIFIED         Downloading model file via requests /
+//                                       urllib without a verifying checksum
+//   9. GRADIO_AUTH_DISABLED            gradio.launch(share=True) without auth
+//  10. CUSTOM_HF_HUB_URL               HF cache_dir / endpoint override
+//                                       pointing at non-canonical mirror
+//
+// Detection: regex on .py / .ipynb. Lower confidence than model-load.js
+// because these patterns are less unique — context matters.
+//
+// Opt-out: AGENTIC_SECURITY_NO_ML_SUPPLY=1
+
+import { blankComments } from './_comment-strip.js';
+
+const _SCAN_EXT_RE = /\.(?:py|ipynb)$/i;
+const _NONPROD_PATH_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|docs?|stories|codefixes|node_modules)\//i;
+
+const _RELEVANCE = /\b(?:mlflow|onnxruntime|onnx_runtime|datasets\b|webdataset|streaming\.StreamingDataset|gradio|huggingface_hub|HUGGINGFACE|HF_HUB|langchain|openai|anthropic|tools?\s*=)/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+function _snip(raw, line) { return (raw.split('\n')[line - 1] || '').trim().slice(0, 200); }
+
+function _shape(file, line, ruleId, vuln, fam, sev, cwe, remediation, description) {
+  return {
+    id: `${ruleId}:${file}:${line}`,
+    file, line, vuln, severity: sev, cwe,
+    family: fam, parser: 'ML-SUPPLY',
+    confidence: 0.75,
+    stride: 'Tampering',
+    description: description || vuln,
+    remediation,
+  };
+}
+
+// ── Detectors ──────────────────────────────────────────────────────────────
+
+function detectMlflowUntrustedUri(file, raw, code, out, seen) {
+  // mlflow.pyfunc.load_model / mlflow.sklearn.load_model from URI not pinning
+  // to a registry alias / version.
+  const re = /\bmlflow\.(?:pyfunc|sklearn|pytorch|keras|tensorflow|onnx|spark|xgboost)\.load_model\s*\(\s*['"]([^'"]+)['"]/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const uri = m[1];
+    // Pinned forms: models:/<name>/<version-number>, models:/<name>@<alias>,
+    // runs:/<run-id>/<artifact>, or trailing /\d+ on a non-models URI.
+    const isPinned =
+      /\bmodels:\/[^/]+\/\d+\b/.test(uri) ||
+      /\bmodels:\/[^/]+@\w+/.test(uri) ||
+      /\bruns:\/[^/]+\/[\w./-]+/.test(uri) ||
+      /\/v?\d+(?:\.\d+)*(?:[/?#]|$)/.test(uri);
+    if (isPinned) continue;
+    const ln = _line(raw, m.index);
+    const id = `mlflow-untrusted-uri:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'mlflow-untrusted-uri',
+      `mlflow.load_model from ${uri} without a pinned version / alias`,
+      'mlflow-untrusted-uri', 'medium', 'CWE-1357',
+      'Use a pinned MLflow URI: `models:/<name>/<version>` or `models:/<name>@<alias>`. Without it, model loads pick up whatever revision the registry serves at runtime — a registry compromise (or accidental promotion) silently changes your inference path.',
+      'MLflow URIs without explicit version pinning resolve to the current "latest" / champion. Model promotion events change the deployed model without redeploying your service. Same risk class as `:latest` Docker tags.'));
+  }
+}
+
+function detectOnnxNoProviderAllowlist(file, raw, code, out, seen) {
+  // onnxruntime.InferenceSession(...) without explicit providers=[...].
+  const re = /\b(?:onnxruntime|ort)\.InferenceSession\s*\([^)]+\)/g;
+  let m;
+  while ((m = re.exec(code))) {
+    if (/providers\s*=/.test(m[0])) continue;
+    const ln = _line(raw, m.index);
+    const id = `onnx-no-providers:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'onnx-no-providers',
+      'onnxruntime.InferenceSession without explicit providers list — falls back to default CPU+CUDA',
+      'onnx-providers', 'low', 'CWE-1357',
+      'Pass `providers=["CPUExecutionProvider"]` (or specific GPU provider). Without it, ONNX Runtime tries CUDA → DirectML → CPU in order; on shared machines this can leak inference state through GPU residual data.',
+      'Explicit providers=[...] also prevents accidental upgrades when ORT changes its provider auto-selection logic between versions.'));
+  }
+}
+
+function detectHfDatasetsTrustRemoteCode(file, raw, code, out, seen) {
+  const re = /\bload_dataset\s*\([^)]*trust_remote_code\s*=\s*True/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const ln = _line(raw, m.index);
+    const id = `hf-datasets-trust-remote-code:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'hf-datasets-trust-remote-code',
+      'datasets.load_dataset(trust_remote_code=True) executes arbitrary loading code from HF Hub',
+      'hf-datasets-rce', 'critical', 'CWE-94',
+      'Remove trust_remote_code=True. If you need a dataset whose loader requires custom code, audit the loader script first and vendor it locally as a script under your repo.',
+      'HF datasets can ship a Python loader script (.py) that runs during load_dataset. trust_remote_code=True allows that script to run. Same RCE class as transformers.from_pretrained(trust_remote_code=True).'));
+  }
+}
+
+function detectStreamingDatasetUrl(file, raw, code, out, seen) {
+  // webdataset / mosaicml streaming from http(s) URL.
+  const patterns = [
+    /\bwebdataset\.(?:WebDataset|WebLoader)\s*\(\s*['"]https?:\/\//g,
+    /\bstreaming\.StreamingDataset\s*\(\s*[^)]*remote\s*=\s*['"]https?:\/\//g,
+    /\bdatasets\.load_dataset\s*\(\s*['"]https?:\/\//g,
+  ];
+  for (const re of patterns) {
+    let m;
+    while ((m = re.exec(code))) {
+      const ln = _line(raw, m.index);
+      const id = `streaming-dataset-url:${file}:${ln}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      out.push(_shape(file, ln, 'streaming-dataset-url',
+        'Streaming dataset loaded from HTTP(S) URL without integrity verification',
+        'streaming-dataset-url', 'medium', 'CWE-494',
+        'Mirror the dataset to a controlled store (S3 + signed URLs, GCS, internal HF Hub) and verify a manifest checksum before training. Public CDNs hosting datasets are routinely repointed.',
+        'Training-time data poisoning is a documented attack class — controlling even 0.1% of training data is enough to backdoor an LLM (Carlini et al., 2023). Mirror + checksum is the proven defense.'));
+    }
+  }
+}
+
+function detectPromptFromEnvOrUrl(file, raw, code, out, seen) {
+  // System prompt sourced from os.environ / requests.get / open() at runtime.
+  const indicators = [
+    { re: /SYSTEM_PROMPT\s*=\s*os\.(?:environ\.get|getenv)\s*\(/g, src: 'os.environ' },
+    { re: /system_prompt\s*=\s*os\.(?:environ\.get|getenv)\s*\(/g, src: 'os.environ' },
+    { re: /(?:system_prompt|SYSTEM_PROMPT)\s*=\s*requests\.get\s*\(/g, src: 'requests.get' },
+    { re: /(?:system_prompt|SYSTEM_PROMPT)\s*=\s*open\s*\(\s*['"][^'"]+['"]/g, src: 'open()' },
+  ];
+  for (const ind of indicators) {
+    let m;
+    while ((m = ind.re.exec(code))) {
+      const ln = _line(raw, m.index);
+      const id = `prompt-from-env-or-url:${file}:${ln}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      out.push(_shape(file, ln, 'prompt-from-env-or-url',
+        `System prompt loaded from ${ind.src} — modifiable at runtime`,
+        'prompt-integrity', 'medium', 'CWE-345',
+        'Bake the system prompt into the deployed artifact (Python string constant or repo-committed file). If you need runtime overrides, gate them behind a signed manifest (Sigstore) or HMAC-checked source. Environment variables and remote fetches are tamperable by anyone with deploy or network access.',
+        'A modifiable system prompt is one of the easiest ways to subvert an agent — change the instructions, change the behavior. Recent prompt-injection-via-config-file incidents (Replit Agent, Cursor) all reduce to this pattern.'));
+    }
+  }
+}
+
+// (Agent tools exposing exec/shell/subprocess to the LLM are detected by
+// sast/llm-app.js detectToolExec — not duplicated here.)
+
+function detectUnsafeModelFileFormat(file, raw, code, out, seen) {
+  // Loading .pt / .pth / .bin — recommend .safetensors.
+  // Only fires when path-string literally ends in one of those extensions.
+  const re = /['"]([^'"]+\.(?:pt|pth|bin|ckpt))['"]/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const window = code.slice(Math.max(0, m.index - 100), m.index);
+    if (!/torch\.load|load_state_dict|from_pretrained|joblib\.load/.test(window)) continue;
+    const ln = _line(raw, m.index);
+    const id = `unsafe-model-format:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'unsafe-model-format',
+      `Loading ${m[1]} (.pt/.pth/.bin/.ckpt is pickle-based) — prefer .safetensors`,
+      'model-format', 'low', 'CWE-502',
+      'Convert to `.safetensors` format: `from safetensors.torch import save_file; save_file(state_dict, "model.safetensors")`. Safetensors is a header + raw tensor data — it cannot execute code during load.',
+      'pickle-based model formats are the canonical RCE attack vector for ML supply chain. Safetensors was created specifically to eliminate this class.'));
+  }
+}
+
+function detectGradioAuthDisabled(file, raw, code, out, seen) {
+  // gradio.launch(share=True) without auth=...
+  const re = /\b(?:gr|gradio)\.[A-Z]\w*\.launch\s*\(([^)]*)\)|\b(?:demo|app|iface)\.launch\s*\(([^)]*)\)/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const args = (m[1] || m[2] || '');
+    if (!/share\s*=\s*True/.test(args)) continue;
+    if (/\bauth\s*=/.test(args)) continue;
+    const ln = _line(raw, m.index);
+    const id = `gradio-share-no-auth:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'gradio-share-no-auth',
+      'gradio launch with share=True but no auth — publicly accessible via gradio.live',
+      'gradio-auth', 'high', 'CWE-862',
+      'Add `auth=("user", "password")` or `auth=callable` to gradio.launch. share=True exposes the demo via gradio.live tunnel — a public URL that anyone with the link can reach.',
+      'gradio.live tunnels are routinely scraped by drift-bots for unauthenticated ML demos. Many demos run prediction APIs that consume rate-limited backend resources.'));
+  }
+}
+
+function detectCustomHfHubUrl(file, raw, code, out, seen) {
+  // HF_HUB_ENDPOINT / HF_ENDPOINT / HUGGINGFACE_HUB_CACHE pointing at a
+  // non-canonical URL.
+  const re = /(?:HF_HUB_ENDPOINT|HF_ENDPOINT|HUGGINGFACE_CO_URL|HUGGINGFACE_HUB_URL)\s*=\s*['"]([^'"]+)['"]/g;
+  let m;
+  while ((m = re.exec(code))) {
+    const url = m[1];
+    if (/huggingface\.co|hf\.co/.test(url)) continue;
+    const ln = _line(raw, m.index);
+    const id = `custom-hf-hub-url:${file}:${ln}`;
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(_shape(file, ln, 'custom-hf-hub-url',
+      `HF Hub endpoint overridden to ${url}`,
+      'hf-endpoint-override', 'medium', 'CWE-494',
+      'Verify this is an authorized mirror (e.g. corporate proxy with TLS termination + integrity verification). Some attacks substitute a hostile mirror that returns backdoored weights for popular model names.',
+      'Mirror substitution is a documented supply-chain pattern. The mirror returns valid weights for unknown queries and substituted weights for the model the attacker targets.'));
+  }
+}
+
+// ── Entry point ────────────────────────────────────────────────────────────
+
+const _BENCH_FIXTURE_RE = /(?:^|\/|\\)(?:BenchmarkTest|JulietTestCase|CWE\d+_)[\w-]*\.(?:py|java|c|cpp|cs)$/i;
+
+export function scanMlSupplyChain(fp, raw) {
+  if (process.env.AGENTIC_SECURITY_NO_ML_SUPPLY === '1') return [];
+  if (!raw || raw.length > 500_000) return [];
+  if (!_SCAN_EXT_RE.test(fp)) return [];
+  if (_BENCH_FIXTURE_RE.test(fp)) return [];
+  if (_NONPROD_PATH_RE.test(fp.replace(/\\/g, '/'))) return [];
+  if (!_RELEVANCE.test(raw)) return [];
+
+  const code = blankComments(raw, 'py');
+  const out = [];
+  const seen = new Set();
+  try { detectMlflowUntrustedUri(fp, raw, code, out, seen); } catch {}
+  try { detectOnnxNoProviderAllowlist(fp, raw, code, out, seen); } catch {}
+  try { detectHfDatasetsTrustRemoteCode(fp, raw, code, out, seen); } catch {}
+  try { detectStreamingDatasetUrl(fp, raw, code, out, seen); } catch {}
+  try { detectPromptFromEnvOrUrl(fp, raw, code, out, seen); } catch {}
+  try { detectUnsafeModelFileFormat(fp, raw, code, out, seen); } catch {}
+  try { detectGradioAuthDisabled(fp, raw, code, out, seen); } catch {}
+  try { detectCustomHfHubUrl(fp, raw, code, out, seen); } catch {}
+  for (const f of out) f.file = fp;
+  return out;
+}
+
+export const _internals = {
+  _RELEVANCE,
+  detectMlflowUntrustedUri, detectOnnxNoProviderAllowlist,
+  detectHfDatasetsTrustRemoteCode, detectStreamingDatasetUrl,
+  detectPromptFromEnvOrUrl,
+  detectUnsafeModelFileFormat, detectGradioAuthDisabled, detectCustomHfHubUrl,
+};