@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts}

@@ -12,14 +12,17 @@
  * - Database tools without proper scoping
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isTestOrMockFile,
   isScannerOrFixtureFile,
   isExampleDirectory,
   isLibraryCode,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.50
 
 // ============================================================================
 // Agent/Tool Context Detection
@@ -536,6 +539,318 @@ function hasBudgetLimits(context: string): boolean {
   return budgetPatterns.some(p => p.test(context))
 }
 
+/**
+ * Phase 5: LLM Output Flow Patterns
+ * Detect when LLM-generated content flows into dangerous operations
+ */
+const LLM_OUTPUT_FLOW_PATTERNS: ExcessiveAgencyPattern[] = [
+  // ========== LLM Output in Tool Names/Paths ==========
+  {
+    name: 'LLM output used as tool name',
+    pattern: /(?:tools?\[|getTools?\s*\(|callTool\s*\(|invokeTool\s*\(|executeTool\s*\()\s*(?:response|result|output|completion|message|content|llm|ai|model|gpt|claude)\.(?:content|text|tool|toolName|function|name|choice)/gi,
+    baseSeverity: 'critical',
+    description: 'LLM output used directly as tool name for invocation. An adversarial prompt could cause the agent to call arbitrary tools, bypassing intended restrictions.',
+    suggestedFix: 'Validate tool names against a static allowlist: const ALLOWED_TOOLS = [\'read\', \'write\'] as const; if (!ALLOWED_TOOLS.includes(toolName)) throw new Error("Invalid tool")',
+    framework: 'generic',
+  },
+  {
+    name: 'LLM output in file path',
+    pattern: /(?:fs|file|path|fsp)\.(?:readFile|writeFile|unlink|rm|mkdir|readdir|access|stat|copyFile|rename)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:path|filePath|file|filename|directory|dir)/gi,
+    baseSeverity: 'critical',
+    description: 'LLM output used directly as file path. Path traversal or arbitrary file access could occur via prompt injection.',
+    suggestedFix: 'Validate paths against allowed directories: if (!path.startsWith(ALLOWED_BASE_DIR)) throw new Error("Invalid path"). Use path.resolve() and verify the result stays within bounds.',
+    framework: 'generic',
+  },
+  {
+    name: 'LLM output in shell command',
+    pattern: /(?:exec|spawn|execFile|execSync|spawnSync)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:command|cmd|script|code|executable|program)/gi,
+    baseSeverity: 'critical',
+    description: 'LLM output used directly as shell command. Remote code execution via prompt injection.',
+    suggestedFix: 'Never use LLM output in shell commands. If necessary, use a strict allowlist of permitted commands and validate arguments.',
+    framework: 'generic',
+  },
+  {
+    name: 'LLM output in URL/endpoint',
+    pattern: /(?:fetch|axios|http|request|got)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:url|endpoint|href|uri|link|host)/gi,
+    baseSeverity: 'high',
+    description: 'LLM output used directly as URL or endpoint. SSRF risk via prompt injection.',
+    suggestedFix: 'Validate URLs against allowed hosts. Use URL allowlists and block internal IP ranges.',
+    framework: 'generic',
+  },
+  {
+    name: 'LLM response destructured into tool call',
+    pattern: /(?:const|let|var)\s*\{\s*(?:tool|toolName|function|functionName|action|method)\s*\}\s*=\s*(?:response|result|output|completion|message|llm|ai|model)/gi,
+    baseSeverity: 'high',
+    description: 'Tool name destructured from LLM response. This pattern suggests dynamic tool selection based on LLM output.',
+    suggestedFix: 'Validate extracted tool names against a static allowlist before invocation.',
+    framework: 'generic',
+  },
+  {
+    name: 'Dynamic property access with LLM output',
+    pattern: /(?:tools|handlers|actions|functions|methods)\s*\[\s*(?:response|result|output|completion|message|content|llm|ai)(?:\.|(?:\s*\[['"`]?(?:tool|name|function|action)))/gi,
+    baseSeverity: 'high',
+    description: 'Dynamic object property access using LLM output. Could access unintended tools or methods.',
+    suggestedFix: 'Use explicit tool dispatch with allowlist validation: if (toolName in SAFE_TOOLS) { SAFE_TOOLS[toolName]() }',
+    framework: 'generic',
+  },
+]
+
+/**
+ * Phase 5: Tool Permission Accumulation Patterns
+ * Detect unbounded tool registration and permission growth
+ */
+const TOOL_ACCUMULATION_PATTERNS: ExcessiveAgencyPattern[] = [
+  // ========== Unbounded Tool Registration ==========
+  {
+    name: 'Unbounded tool registration',
+    pattern: /(?:agent|tools?|registry)\.(?:registerTool|addTool|push|add|set)\s*\(\s*(?:user|request|req|input|body|data|param)\.(?:tool|function|action|capability)/gi,
+    baseSeverity: 'high',
+    description: 'Tools registered dynamically from user input without bounds. Users could accumulate unlimited capabilities over time.',
+    suggestedFix: 'Use a static allowlist: const ALLOWED_TOOLS = [...] and validate against it. Implement tool count limits.',
+    framework: 'generic',
+  },
+  {
+    name: 'Tool array push without limit check',
+    pattern: /tools\.push\s*\([^)]+\)(?![\s\S]{0,50}(?:length\s*[<>]|limit|max|ALLOWED|whitelist|allowlist))/gi,
+    baseSeverity: 'medium',
+    description: 'Tools added to array without checking count limits. Tool list could grow unboundedly.',
+    suggestedFix: 'Add limit check: if (tools.length >= MAX_TOOLS) throw new Error("Tool limit reached")',
+    framework: 'generic',
+  },
+  {
+    name: 'Dynamic tool loading from user config',
+    pattern: /(?:require|import|loadModule|dynamicImport)\s*\(\s*(?:user|request|req|input|body|config)\.(?:tool|module|plugin|extension)/gi,
+    baseSeverity: 'critical',
+    description: 'Tool modules loaded dynamically from user-controlled paths. Could load arbitrary code.',
+    suggestedFix: 'Use a static module registry. Validate module paths against an allowlist.',
+    framework: 'generic',
+  },
+  {
+    name: 'Permission grant without authorization check',
+    pattern: /(?:grant|add|enable)(?:Permission|Capability|Access)\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:if|auth|permission|role|admin|isAdmin))/gi,
+    baseSeverity: 'high',
+    description: 'Permissions granted without visible authorization check. Users could escalate their own privileges.',
+    suggestedFix: 'Add authorization check: if (!user.hasRole("admin")) throw new Error("Unauthorized")',
+    framework: 'generic',
+  },
+  {
+    name: 'Tool inheritance without restriction',
+    pattern: /(?:inherit|extend|merge)(?:Tools|Capabilities|Permissions)\s*\(\s*(?:parent|base|source)\.tools/gi,
+    baseSeverity: 'medium',
+    description: 'Agent inherits tools from parent without filtering. Could inherit more permissions than intended.',
+    suggestedFix: 'Explicitly list inherited tools instead of blanket inheritance. Use allowlist for permitted inherited capabilities.',
+    framework: 'generic',
+  },
+]
+
+/**
+ * Phase 5: Database Write Scoping Patterns
+ * Detect database writes that may lack proper user scoping
+ */
+const DB_WRITE_SCOPING_PATTERNS: ExcessiveAgencyPattern[] = [
+  // ========== Database Writes Without User Scoping ==========
+  {
+    name: 'DB insert without userId',
+    pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create|save|add)\s*\(\s*\{(?![^}]*(?:userId|user_id|ownerId|owner_id|createdBy|created_by|authorId|author_id))[^}]*(?:content|data|text|body|message)\s*:/gi,
+    baseSeverity: 'high',
+    description: 'Database insert with content field but no user ID. AI-generated content may not be properly attributed to user.',
+    suggestedFix: 'Add user context: db.insert({ content: aiGenerated, userId: ctx.user.id })',
+    framework: 'generic',
+  },
+  {
+    name: 'DB insert with AI content unscopedp',
+    pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create)\s*\(\s*\{[^}]*:\s*(?:response|result|output|completion|message|ai|llm|model)\.(?:content|text|data|output|result)/gi,
+    baseSeverity: 'high',
+    description: 'AI-generated content inserted into database. Ensure proper user scoping and content validation.',
+    suggestedFix: 'Add user context and validate content: db.insert({ content: validated, userId: ctx.user.id, createdAt: Date.now() })',
+    framework: 'generic',
+  },
+  {
+    name: 'Bulk write without tenant filter',
+    pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insertMany|createMany|bulkCreate|bulkInsert)\s*\([^)]*\)(?![\s\S]{0,50}(?:tenantId|tenant_id|orgId|org_id|organizationId))/gi,
+    baseSeverity: 'medium',
+    description: 'Bulk database write without visible tenant scoping. Multi-tenant data isolation may be at risk.',
+    suggestedFix: 'Add tenant filter to all bulk operations: records.map(r => ({ ...r, tenantId: ctx.tenant.id }))',
+    framework: 'generic',
+  },
+  {
+    name: 'Update without ownership check',
+    pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:update|updateOne|updateMany)\s*\(\s*\{[^}]*id\s*:/gi,
+    baseSeverity: 'medium',
+    description: 'Database update by ID without visible ownership verification. Agent could modify other users\' data.',
+    suggestedFix: 'Add ownership check: db.update({ where: { id, userId: ctx.user.id }, data: { ... } })',
+    framework: 'generic',
+  },
+  {
+    name: 'Delete without user scoping',
+    pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:delete|deleteOne|deleteMany|destroy|remove)\s*\(\s*\{[^}]*id\s*:/gi,
+    baseSeverity: 'high',
+    description: 'Database delete by ID without user scoping. Agent could delete other users\' data.',
+    suggestedFix: 'Add user scoping: db.delete({ where: { id, userId: ctx.user.id } })',
+    framework: 'generic',
+  },
+]
+
+/**
+ * Phase 6 Task 1: Tool Parameter Injection Patterns
+ * Detect LLM output flowing to tool parameters (not just tool names)
+ */
+const TOOL_PARAMETER_INJECTION_PATTERNS: ExcessiveAgencyPattern[] = [
+  // LLM output in tool parameters
+  {
+    name: 'LLM output in tool parameters',
+    pattern: /tool\s*\(\s*\{[^}]*:\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*\s*[,}]/gi,
+    baseSeverity: 'high',
+    description: 'Tool parameters derived from unvalidated LLM output can be manipulated via prompt injection. Attackers could modify tool behavior through crafted responses.',
+    suggestedFix: 'Validate and sanitize LLM output before passing as tool parameters. Use schema validation (zod, yup) to ensure expected structure.',
+    framework: 'generic',
+  },
+  // Tool args assigned directly from LLM output
+  {
+    name: 'Tool args from LLM output',
+    pattern: /\bargs\s*=\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*/gi,
+    baseSeverity: 'high',
+    description: 'Tool arguments assigned directly from LLM output enable parameter injection. Malicious prompts could inject unexpected arguments.',
+    suggestedFix: 'Use schema validation (zod, yup) on LLM output before passing to tools: const validatedArgs = toolArgsSchema.parse(llmOutput)',
+    framework: 'generic',
+  },
+  // Spread LLM output into tool call
+  {
+    name: 'LLM output spread into tool call',
+    pattern: /(?:executeTool|callTool|invokeTool|runTool)\s*\([^)]*\.\.\.(?:response|output|result|content|llmOutput|aiResponse)/gi,
+    baseSeverity: 'critical',
+    description: 'LLM output spread directly into tool invocation. All LLM-provided fields pass through unvalidated.',
+    suggestedFix: 'Destructure and validate specific fields: const { field1, field2 } = schema.parse(llmOutput); executeTool({ field1, field2 })',
+    framework: 'generic',
+  },
+  // Dynamic property access for tool params
+  {
+    name: 'Dynamic tool param from LLM',
+    pattern: /toolParams?\s*\[\s*(response|output|result|llmOutput|aiResponse)\./gi,
+    baseSeverity: 'high',
+    description: 'Tool parameter accessed dynamically from LLM output. Could access unintended parameters.',
+    suggestedFix: 'Use explicit parameter extraction with validation: const param = validateParam(llmOutput.expectedField)',
+    framework: 'generic',
+  },
+  // JSON.parse of LLM output for tool params
+  {
+    name: 'JSON parsed LLM output as tool params',
+    pattern: /JSON\.parse\s*\(\s*(response|output|result|content|llmOutput|aiResponse|completion)(?:\.\w+)?\s*\)[^;]*(?:tool|execute|invoke|call)/gi,
+    baseSeverity: 'high',
+    description: 'LLM output JSON-parsed and used as tool parameters. Parsed structure could contain malicious fields.',
+    suggestedFix: 'Validate parsed JSON against expected schema: const params = toolParamsSchema.parse(JSON.parse(llmOutput))',
+    framework: 'generic',
+  },
+]
+
+/**
+ * Phase 6 Task 2: Tool Error Message Injection Patterns
+ * Detect raw error exposure to LLM that could leak system information or enable injection
+ */
+const TOOL_ERROR_INJECTION_PATTERNS: ExcessiveAgencyPattern[] = [
+  // Raw error message in tool response
+  {
+    name: 'Raw error in tool response',
+    pattern: /catch\s*\([^)]*\)\s*\{[^}]*(return|resolve)\s*\([^)]*error\.(message|stack|toString)/gi,
+    baseSeverity: 'medium',
+    description: 'Raw error messages returned to LLM could leak system information (paths, credentials, internal state) or be used for prompt injection attacks.',
+    suggestedFix: 'Return sanitized, generic error messages to LLM. Log detailed errors server-side: catch (e) { logger.error(e); return { error: "Operation failed" } }',
+    framework: 'generic',
+  },
+  // Error object in tool return
+  {
+    name: 'Error object in tool return',
+    pattern: /return\s*\{[^}]*error\s*:\s*(?:e|err|error)(?:\s*,|\s*\})/gi,
+    baseSeverity: 'medium',
+    description: 'Error object returned directly to LLM. Full error objects may contain sensitive stack traces or internal details.',
+    suggestedFix: 'Return only error message or generic status: return { error: "Failed to process request", code: "OPERATION_FAILED" }',
+    framework: 'generic',
+  },
+  // Stack trace in response
+  {
+    name: 'Stack trace in tool response',
+    pattern: /return\s*\{[^}]*(?:stack|stackTrace|trace)\s*:\s*(?:e|err|error)\./gi,
+    baseSeverity: 'high',
+    description: 'Stack trace returned to LLM. Stack traces expose internal code paths, file structures, and potentially sensitive data.',
+    suggestedFix: 'Never return stack traces to LLM. Log them server-side for debugging: logger.error({ stack: e.stack }); return { error: "Internal error" }',
+    framework: 'generic',
+  },
+  // Exception details in resolve/reject
+  {
+    name: 'Exception details in promise resolution',
+    pattern: /(?:resolve|reject)\s*\(\s*\{[^}]*(?:exception|error|e)\s*:\s*(?:e|err|error)(?:\.message|\.stack)?/gi,
+    baseSeverity: 'medium',
+    description: 'Exception details passed in promise resolution. Error information flows to LLM context.',
+    suggestedFix: 'Sanitize error information before resolving: resolve({ success: false, error: sanitizeError(e) })',
+    framework: 'generic',
+  },
+  // String interpolation with error
+  {
+    name: 'Error interpolated in response string',
+    pattern: /return\s*[`'"].*\$\{(?:e|err|error)(?:\.message|\.stack)?\}.*[`'"]/gi,
+    baseSeverity: 'medium',
+    description: 'Error details interpolated into response string. Raw error text could contain sensitive information.',
+    suggestedFix: 'Use generic error messages: return `Operation failed: ${getGenericErrorMessage(e.code)}`',
+    framework: 'generic',
+  },
+]
+
+/**
+ * Phase 5: Recursive Agent Patterns
+ * Detect unbounded agent recursion and self-spawning patterns
+ */
+const RECURSIVE_AGENT_PATTERNS: ExcessiveAgencyPattern[] = [
+  // ========== Unbounded Agent Recursion ==========
+  {
+    name: 'Recursive agent call without depth limit',
+    pattern: /(?:async\s+)?function\s+(?:run|execute|process|handle)?Agent\s*\([^)]*\)\s*\{[\s\S]{0,200}(?:run|execute|process|handle)?Agent\s*\((?![^)]*depth|[^)]*level|[^)]*recursion)/gi,
+    baseSeverity: 'high',
+    description: 'Agent function calls itself without visible depth parameter. Could recurse indefinitely.',
+    suggestedFix: 'Add depth limit: async function runAgent(task, depth = 0) { if (depth > MAX_DEPTH) throw new Error("Max depth"); await runAgent(subtask, depth + 1) }',
+    framework: 'generic',
+  },
+  {
+    name: 'Agent spawns sub-agent without limit',
+    pattern: /(?:spawn|create|launch|start)(?:Agent|Worker|Task)\s*\([^)]*\)(?![\s\S]{0,50}(?:depth|level|count|limit|max|MAX))/gi,
+    baseSeverity: 'medium',
+    description: 'Sub-agent spawned without visible depth or count limit. Could lead to unbounded agent proliferation.',
+    suggestedFix: 'Track agent depth/count: if (agentCount >= MAX_AGENTS || depth > MAX_DEPTH) throw new Error("Agent limit reached")',
+    framework: 'generic',
+  },
+  {
+    name: 'Recursive task processing without bounds',
+    pattern: /(?:result|response|output)\.(?:subtasks?|children|next|followUp)\s*\.(?:forEach|map|for)\s*\([^)]*(?:process|run|execute)(?:Task|Agent)/gi,
+    baseSeverity: 'high',
+    description: 'Tasks processed recursively based on agent output. Agent could generate unlimited subtasks.',
+    suggestedFix: 'Limit subtask count: const subtasks = result.subtasks.slice(0, MAX_SUBTASKS). Track total processed tasks.',
+    framework: 'generic',
+  },
+  {
+    name: 'Self-improvement loop without termination',
+    pattern: /while\s*\([^)]*(?:improve|optimize|refine|enhance)[^)]*\)\s*\{[\s\S]{0,100}(?:agent|model|llm)/gi,
+    baseSeverity: 'high',
+    description: 'Agent self-improvement loop without clear termination. Could run indefinitely.',
+    suggestedFix: 'Add termination conditions: while (iterations < MAX_ITERATIONS && !satisfactory) { ... iterations++ }',
+    framework: 'generic',
+  },
+  {
+    name: 'CrewAI agent delegation without depth',
+    pattern: /\.delegate\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:max_delegation|delegation_limit|depth))/gi,
+    baseSeverity: 'medium',
+    description: 'CrewAI agent delegation without depth limit. Agents could delegate indefinitely to each other.',
+    suggestedFix: 'Set delegation limits in agent config: Agent(..., max_delegation_depth=3)',
+    framework: 'crewai',
+  },
+  {
+    name: 'LangGraph recursive edge without limit',
+    pattern: /\.add_edge\s*\([^)]*,\s*(?:SAME_NODE|self|current_node)/gi,
+    baseSeverity: 'medium',
+    description: 'LangGraph edge points back to same node without visible limit. Could create infinite loops.',
+    suggestedFix: 'Add iteration tracking and conditional edges with max_iterations check.',
+    framework: 'langchain',
+  },
+]
+
 /**
  * Excessive agency patterns for unbounded agent autonomy
  */
@@ -671,7 +986,8 @@ const MISSING_AUTH_PATTERNS: ToolPattern[] = [
  */
 export function detectAIAgentTools(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -683,7 +999,7 @@ export function detectAIAgentTools(
     return vulnerabilities
   }
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isExample = isExampleDirectory(filePath)
   const isLibrary = isLibraryCode(filePath)
@@ -788,7 +1104,9 @@ export function detectAIAgentTools(
         suggestedFix: pattern.suggestedFix,
         confidence: 'medium',
         layer: 2,
+        source: 'ai_code' as const,
         requiresAIValidation: true, // Always validate - context dependent
+        baseConfidence: BASE_CONFIDENCE,
       })
     }
   }
@@ -834,7 +1152,9 @@ export function detectAIAgentTools(
         suggestedFix: pattern.suggestedFix,
         confidence: 'low', // Lower confidence - needs context
         layer: 2,
+        source: 'ai_code' as const,
         requiresAIValidation: true,
+        baseConfidence: BASE_CONFIDENCE,
       })
     }
   }
@@ -928,7 +1248,412 @@ export function detectAIAgentTools(
         suggestedFix: pattern.suggestedFix,
         confidence: severity === 'info' ? 'low' : 'medium',
         layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 5: Scan for LLM output flow patterns (Task 1)
+  for (const pattern of LLM_OUTPUT_FLOW_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for validation/allowlist mitigations
+      const hasValidation = /(?:allowlist|whitelist|ALLOWED_|validTools|VALID_TOOLS|allowedTools|validateTool|isValidTool|includes|has)\s*\(/i.test(context)
+      const hasAllowlistCheck = /if\s*\(\s*!?\s*(?:ALLOWED|VALID|SAFE|permitted).*(?:includes|has|indexOf)/i.test(context)
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasValidation || hasAllowlistCheck) {
+        severity = severity === 'critical' ? 'medium' : 'low'
+        description += ' (Validation/allowlist detected nearby - verify it covers this case.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-llm-flow-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'critical' ? 'high' : 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 5: Scan for tool permission accumulation patterns (Task 2)
+  for (const pattern of TOOL_ACCUMULATION_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Skip UI array building patterns (not actual AI tool registration)
+      if (pattern.name === 'Tool array push without limit check') {
+        // Check if this is in a selector or UI configuration builder
+        const isUIPattern =
+          // In selectors (zustand/redux pattern)
+          /selectors?\.ts$/i.test(filePath) ||
+          // In store configuration
+          /store\/.*\/selectors/i.test(filePath) ||
+          // Building manifest/config arrays
+          /manifest\s*:/i.test(lineContent) ||
+          /identifier\s*:/i.test(lineContent) ||
+          // Map/forEach building UI arrays
+          /\.map\s*\([^)]*=>\s*\{[\s\S]{0,100}tools\.push/i.test(content.substring(Math.max(0, match.index - 200), match.index + 100))
+
+        if (isUIPattern) {
+          continue // Skip - this is building a UI configuration array
+        }
+      }
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for limits and authorization
+      const hasLimits = /(?:max|limit|MAX_|LIMIT_|\.length\s*[<>])/i.test(context)
+      const hasAuthCheck = /(?:if\s*\(.*(?:auth|permission|role|isAdmin|canRegister)|throw.*(?:Unauthorized|Forbidden))/i.test(context)
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasLimits) {
+        severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low'
+        description += ' (Limit check detected nearby.)'
+      }
+      if (hasAuthCheck) {
+        severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low'
+        description += ' (Authorization check detected.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-tool-accum-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 5: Scan for database write scoping patterns (Task 3)
+  for (const pattern of DB_WRITE_SCOPING_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for user/tenant scoping
+      const hasUserScoping = hasUserContextVerification(context)
+      const hasTenantScoping = hasTenantContextVerification(context)
+
+      // Skip if properly scoped
+      if (hasUserScoping && hasTenantScoping) continue
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasUserScoping || hasTenantScoping) {
+        severity = severity === 'high' ? 'medium' : 'low'
+        description += hasUserScoping ? ' (User context detected.)' : ' (Tenant context detected.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-db-scoping-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 5: Scan for recursive agent patterns (Task 4)
+  for (const pattern of RECURSIVE_AGENT_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Skip CRUD/data operations that are NOT AI agent spawning
+      // These are false positives in apps where "agent" means "chat assistant configuration"
+      if (pattern.name === 'Agent spawns sub-agent without limit') {
+        const crudPatterns = [
+          // Service/SDK method calls - database CRUD for agent configurations
+          /(?:service|Service|sdk|SDK|store|Store|runtime|Runtime)\.(?:create|get|update|delete)Agent/i,
+          /\.agents\.createAgent/i, // sdk.agents.createAgent
+          /agentService\.createAgent/i,
+          /agentState\.createAgent/i,
+          /marketSDK\.agents\.createAgent/i,
+          // React event handlers creating UI entities
+          /onClick\s*=\s*\{\s*\(\s*\)\s*=>\s*createAgent/i,
+          // Store action patterns
+          /await\s+(?:state|store)\w*\.createAgent/i,
+          // Builder/Runtime patterns for UI
+          /agentBuilder(?:Runtime)?\.createAgent/i,
+          /groupAgentBuilderRuntime\.createAgent/i,
+        ]
+        if (crudPatterns.some(p => p.test(lineContent))) {
+          continue // Skip - this is a data CRUD operation, not AI agent spawning
+        }
+      }
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for depth/count limits
+      const hasDepthLimit = /(?:depth|level|recursion)\s*[<>]|MAX_DEPTH|maxDepth|max_depth/i.test(context)
+      const hasCountLimit = /(?:count|iterations?)\s*[<>]|MAX_(?:AGENTS|TASKS|ITERATIONS)/i.test(context)
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasDepthLimit || hasCountLimit) {
+        severity = severity === 'high' ? 'medium' : 'low'
+        description += hasDepthLimit ? ' (Depth limit detected.)' : ' (Count limit detected.)'
+      }
+
+      // Check for iteration/timeout limits
+      if (hasIterationLimits(context) || hasTimeoutConfigured(context)) {
+        severity = severity === 'high' ? 'medium' : severity === 'medium' ? 'low' : severity
+        description += ' (Iteration/timeout limits configured.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-recursive-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 6: Scan for tool parameter injection patterns (Task 1)
+  for (const pattern of TOOL_PARAMETER_INJECTION_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for validation/schema patterns
+      const hasValidation = /(?:zod|yup|joi|schema|validate|safeParse|\.parse\(|validateSchema)/i.test(context)
+      const hasSanitization = /(?:sanitize|clean|escape|filter|strip)/i.test(context)
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasValidation) {
+        severity = 'low'
+        description += ' (Schema validation detected nearby - verify it covers LLM output.)'
+      } else if (hasSanitization) {
+        severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low'
+        description += ' (Sanitization detected nearby.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-tool-param-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'critical' ? 'high' : 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
+      })
+    }
+  }
+
+  // Phase 6: Scan for tool error message injection patterns (Task 2)
+  for (const pattern of TOOL_ERROR_INJECTION_PATTERNS) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Get surrounding context
+      const { context } = findToolDefinitionContext(content, lineNumber)
+
+      // Check for error sanitization patterns
+      const hasSanitizedError = /(?:sanitizeError|genericError|safeError|errorMessage\s*=\s*['"`])/i.test(context)
+      const hasLogging = /(?:logger|console)\.\w+\s*\([^)]*(?:error|err|e)\)/i.test(context)
+
+      let description = pattern.description
+      let severity = pattern.baseSeverity
+
+      if (hasSanitizedError) {
+        severity = 'info'
+        description += ' (Error sanitization detected.)'
+      } else if (hasLogging) {
+        severity = severity === 'high' ? 'medium' : 'low'
+        description += ' (Server-side logging detected - verify error is sanitized in response.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        description += ' (In test file.)'
+      } else if (isExample) {
+        severity = 'info'
+        description += ' (In example/demo directory.)'
+      } else if (isLibrary) {
+        severity = 'info'
+        description += ' (Library code.)'
+      }
+
+      vulnerabilities.push({
+        id: `ai-tool-error-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: 'ai_excessive_agency',
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: 'medium',
+        layer: 2,
+        source: 'ai_code' as const,
         requiresAIValidation: severity !== 'info' && severity !== 'low',
+        baseConfidence: BASE_CONFIDENCE,
       })
     }
   }