@oculum/scanner 1.0.11 → 1.0.13

package/dist/layer2/ai-agent-tools.js

@@ -453,6 +453,312 @@ function hasBudgetLimits(context) {
     ];
     return budgetPatterns.some(p => p.test(context));
 }
+/**
+ * Phase 5: LLM Output Flow Patterns
+ * Detect when LLM-generated content flows into dangerous operations
+ */
+const LLM_OUTPUT_FLOW_PATTERNS = [
+    // ========== LLM Output in Tool Names/Paths ==========
+    {
+        name: 'LLM output used as tool name',
+        pattern: /(?:tools?\[|getTools?\s*\(|callTool\s*\(|invokeTool\s*\(|executeTool\s*\()\s*(?:response|result|output|completion|message|content|llm|ai|model|gpt|claude)\.(?:content|text|tool|toolName|function|name|choice)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as tool name for invocation. An adversarial prompt could cause the agent to call arbitrary tools, bypassing intended restrictions.',
+        suggestedFix: 'Validate tool names against a static allowlist: const ALLOWED_TOOLS = [\'read\', \'write\'] as const; if (!ALLOWED_TOOLS.includes(toolName)) throw new Error("Invalid tool")',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in file path',
+        pattern: /(?:fs|file|path|fsp)\.(?:readFile|writeFile|unlink|rm|mkdir|readdir|access|stat|copyFile|rename)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:path|filePath|file|filename|directory|dir)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as file path. Path traversal or arbitrary file access could occur via prompt injection.',
+        suggestedFix: 'Validate paths against allowed directories: if (!path.startsWith(ALLOWED_BASE_DIR)) throw new Error("Invalid path"). Use path.resolve() and verify the result stays within bounds.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in shell command',
+        pattern: /(?:exec|spawn|execFile|execSync|spawnSync)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:command|cmd|script|code|executable|program)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as shell command. Remote code execution via prompt injection.',
+        suggestedFix: 'Never use LLM output in shell commands. If necessary, use a strict allowlist of permitted commands and validate arguments.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in URL/endpoint',
+        pattern: /(?:fetch|axios|http|request|got)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:url|endpoint|href|uri|link|host)/gi,
+        baseSeverity: 'high',
+        description: 'LLM output used directly as URL or endpoint. SSRF risk via prompt injection.',
+        suggestedFix: 'Validate URLs against allowed hosts. Use URL allowlists and block internal IP ranges.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM response destructured into tool call',
+        pattern: /(?:const|let|var)\s*\{\s*(?:tool|toolName|function|functionName|action|method)\s*\}\s*=\s*(?:response|result|output|completion|message|llm|ai|model)/gi,
+        baseSeverity: 'high',
+        description: 'Tool name destructured from LLM response. This pattern suggests dynamic tool selection based on LLM output.',
+        suggestedFix: 'Validate extracted tool names against a static allowlist before invocation.',
+        framework: 'generic',
+    },
+    {
+        name: 'Dynamic property access with LLM output',
+        pattern: /(?:tools|handlers|actions|functions|methods)\s*\[\s*(?:response|result|output|completion|message|content|llm|ai)(?:\.|(?:\s*\[['"`]?(?:tool|name|function|action)))/gi,
+        baseSeverity: 'high',
+        description: 'Dynamic object property access using LLM output. Could access unintended tools or methods.',
+        suggestedFix: 'Use explicit tool dispatch with allowlist validation: if (toolName in SAFE_TOOLS) { SAFE_TOOLS[toolName]() }',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Tool Permission Accumulation Patterns
+ * Detect unbounded tool registration and permission growth
+ */
+const TOOL_ACCUMULATION_PATTERNS = [
+    // ========== Unbounded Tool Registration ==========
+    {
+        name: 'Unbounded tool registration',
+        pattern: /(?:agent|tools?|registry)\.(?:registerTool|addTool|push|add|set)\s*\(\s*(?:user|request|req|input|body|data|param)\.(?:tool|function|action|capability)/gi,
+        baseSeverity: 'high',
+        description: 'Tools registered dynamically from user input without bounds. Users could accumulate unlimited capabilities over time.',
+        suggestedFix: 'Use a static allowlist: const ALLOWED_TOOLS = [...] and validate against it. Implement tool count limits.',
+        framework: 'generic',
+    },
+    {
+        name: 'Tool array push without limit check',
+        pattern: /tools\.push\s*\([^)]+\)(?![\s\S]{0,50}(?:length\s*[<>]|limit|max|ALLOWED|whitelist|allowlist))/gi,
+        baseSeverity: 'medium',
+        description: 'Tools added to array without checking count limits. Tool list could grow unboundedly.',
+        suggestedFix: 'Add limit check: if (tools.length >= MAX_TOOLS) throw new Error("Tool limit reached")',
+        framework: 'generic',
+    },
+    {
+        name: 'Dynamic tool loading from user config',
+        pattern: /(?:require|import|loadModule|dynamicImport)\s*\(\s*(?:user|request|req|input|body|config)\.(?:tool|module|plugin|extension)/gi,
+        baseSeverity: 'critical',
+        description: 'Tool modules loaded dynamically from user-controlled paths. Could load arbitrary code.',
+        suggestedFix: 'Use a static module registry. Validate module paths against an allowlist.',
+        framework: 'generic',
+    },
+    {
+        name: 'Permission grant without authorization check',
+        pattern: /(?:grant|add|enable)(?:Permission|Capability|Access)\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:if|auth|permission|role|admin|isAdmin))/gi,
+        baseSeverity: 'high',
+        description: 'Permissions granted without visible authorization check. Users could escalate their own privileges.',
+        suggestedFix: 'Add authorization check: if (!user.hasRole("admin")) throw new Error("Unauthorized")',
+        framework: 'generic',
+    },
+    {
+        name: 'Tool inheritance without restriction',
+        pattern: /(?:inherit|extend|merge)(?:Tools|Capabilities|Permissions)\s*\(\s*(?:parent|base|source)\.tools/gi,
+        baseSeverity: 'medium',
+        description: 'Agent inherits tools from parent without filtering. Could inherit more permissions than intended.',
+        suggestedFix: 'Explicitly list inherited tools instead of blanket inheritance. Use allowlist for permitted inherited capabilities.',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Database Write Scoping Patterns
+ * Detect database writes that may lack proper user scoping
+ */
+const DB_WRITE_SCOPING_PATTERNS = [
+    // ========== Database Writes Without User Scoping ==========
+    {
+        name: 'DB insert without userId',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create|save|add)\s*\(\s*\{(?![^}]*(?:userId|user_id|ownerId|owner_id|createdBy|created_by|authorId|author_id))[^}]*(?:content|data|text|body|message)\s*:/gi,
+        baseSeverity: 'high',
+        description: 'Database insert with content field but no user ID. AI-generated content may not be properly attributed to user.',
+        suggestedFix: 'Add user context: db.insert({ content: aiGenerated, userId: ctx.user.id })',
+        framework: 'generic',
+    },
+    {
+        name: 'DB insert with AI content unscopedp',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create)\s*\(\s*\{[^}]*:\s*(?:response|result|output|completion|message|ai|llm|model)\.(?:content|text|data|output|result)/gi,
+        baseSeverity: 'high',
+        description: 'AI-generated content inserted into database. Ensure proper user scoping and content validation.',
+        suggestedFix: 'Add user context and validate content: db.insert({ content: validated, userId: ctx.user.id, createdAt: Date.now() })',
+        framework: 'generic',
+    },
+    {
+        name: 'Bulk write without tenant filter',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insertMany|createMany|bulkCreate|bulkInsert)\s*\([^)]*\)(?![\s\S]{0,50}(?:tenantId|tenant_id|orgId|org_id|organizationId))/gi,
+        baseSeverity: 'medium',
+        description: 'Bulk database write without visible tenant scoping. Multi-tenant data isolation may be at risk.',
+        suggestedFix: 'Add tenant filter to all bulk operations: records.map(r => ({ ...r, tenantId: ctx.tenant.id }))',
+        framework: 'generic',
+    },
+    {
+        name: 'Update without ownership check',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:update|updateOne|updateMany)\s*\(\s*\{[^}]*id\s*:/gi,
+        baseSeverity: 'medium',
+        description: 'Database update by ID without visible ownership verification. Agent could modify other users\' data.',
+        suggestedFix: 'Add ownership check: db.update({ where: { id, userId: ctx.user.id }, data: { ... } })',
+        framework: 'generic',
+    },
+    {
+        name: 'Delete without user scoping',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:delete|deleteOne|deleteMany|destroy|remove)\s*\(\s*\{[^}]*id\s*:/gi,
+        baseSeverity: 'high',
+        description: 'Database delete by ID without user scoping. Agent could delete other users\' data.',
+        suggestedFix: 'Add user scoping: db.delete({ where: { id, userId: ctx.user.id } })',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 6 Task 1: Tool Parameter Injection Patterns
+ * Detect LLM output flowing to tool parameters (not just tool names)
+ */
+const TOOL_PARAMETER_INJECTION_PATTERNS = [
+    // LLM output in tool parameters
+    {
+        name: 'LLM output in tool parameters',
+        pattern: /tool\s*\(\s*\{[^}]*:\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*\s*[,}]/gi,
+        baseSeverity: 'high',
+        description: 'Tool parameters derived from unvalidated LLM output can be manipulated via prompt injection. Attackers could modify tool behavior through crafted responses.',
+        suggestedFix: 'Validate and sanitize LLM output before passing as tool parameters. Use schema validation (zod, yup) to ensure expected structure.',
+        framework: 'generic',
+    },
+    // Tool args assigned directly from LLM output
+    {
+        name: 'Tool args from LLM output',
+        pattern: /\bargs\s*=\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*/gi,
+        baseSeverity: 'high',
+        description: 'Tool arguments assigned directly from LLM output enable parameter injection. Malicious prompts could inject unexpected arguments.',
+        suggestedFix: 'Use schema validation (zod, yup) on LLM output before passing to tools: const validatedArgs = toolArgsSchema.parse(llmOutput)',
+        framework: 'generic',
+    },
+    // Spread LLM output into tool call
+    {
+        name: 'LLM output spread into tool call',
+        pattern: /(?:executeTool|callTool|invokeTool|runTool)\s*\([^)]*\.\.\.(?:response|output|result|content|llmOutput|aiResponse)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output spread directly into tool invocation. All LLM-provided fields pass through unvalidated.',
+        suggestedFix: 'Destructure and validate specific fields: const { field1, field2 } = schema.parse(llmOutput); executeTool({ field1, field2 })',
+        framework: 'generic',
+    },
+    // Dynamic property access for tool params
+    {
+        name: 'Dynamic tool param from LLM',
+        pattern: /toolParams?\s*\[\s*(response|output|result|llmOutput|aiResponse)\./gi,
+        baseSeverity: 'high',
+        description: 'Tool parameter accessed dynamically from LLM output. Could access unintended parameters.',
+        suggestedFix: 'Use explicit parameter extraction with validation: const param = validateParam(llmOutput.expectedField)',
+        framework: 'generic',
+    },
+    // JSON.parse of LLM output for tool params
+    {
+        name: 'JSON parsed LLM output as tool params',
+        pattern: /JSON\.parse\s*\(\s*(response|output|result|content|llmOutput|aiResponse|completion)(?:\.\w+)?\s*\)[^;]*(?:tool|execute|invoke|call)/gi,
+        baseSeverity: 'high',
+        description: 'LLM output JSON-parsed and used as tool parameters. Parsed structure could contain malicious fields.',
+        suggestedFix: 'Validate parsed JSON against expected schema: const params = toolParamsSchema.parse(JSON.parse(llmOutput))',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 6 Task 2: Tool Error Message Injection Patterns
+ * Detect raw error exposure to LLM that could leak system information or enable injection
+ */
+const TOOL_ERROR_INJECTION_PATTERNS = [
+    // Raw error message in tool response
+    {
+        name: 'Raw error in tool response',
+        pattern: /catch\s*\([^)]*\)\s*\{[^}]*(return|resolve)\s*\([^)]*error\.(message|stack|toString)/gi,
+        baseSeverity: 'medium',
+        description: 'Raw error messages returned to LLM could leak system information (paths, credentials, internal state) or be used for prompt injection attacks.',
+        suggestedFix: 'Return sanitized, generic error messages to LLM. Log detailed errors server-side: catch (e) { logger.error(e); return { error: "Operation failed" } }',
+        framework: 'generic',
+    },
+    // Error object in tool return
+    {
+        name: 'Error object in tool return',
+        pattern: /return\s*\{[^}]*error\s*:\s*(?:e|err|error)(?:\s*,|\s*\})/gi,
+        baseSeverity: 'medium',
+        description: 'Error object returned directly to LLM. Full error objects may contain sensitive stack traces or internal details.',
+        suggestedFix: 'Return only error message or generic status: return { error: "Failed to process request", code: "OPERATION_FAILED" }',
+        framework: 'generic',
+    },
+    // Stack trace in response
+    {
+        name: 'Stack trace in tool response',
+        pattern: /return\s*\{[^}]*(?:stack|stackTrace|trace)\s*:\s*(?:e|err|error)\./gi,
+        baseSeverity: 'high',
+        description: 'Stack trace returned to LLM. Stack traces expose internal code paths, file structures, and potentially sensitive data.',
+        suggestedFix: 'Never return stack traces to LLM. Log them server-side for debugging: logger.error({ stack: e.stack }); return { error: "Internal error" }',
+        framework: 'generic',
+    },
+    // Exception details in resolve/reject
+    {
+        name: 'Exception details in promise resolution',
+        pattern: /(?:resolve|reject)\s*\(\s*\{[^}]*(?:exception|error|e)\s*:\s*(?:e|err|error)(?:\.message|\.stack)?/gi,
+        baseSeverity: 'medium',
+        description: 'Exception details passed in promise resolution. Error information flows to LLM context.',
+        suggestedFix: 'Sanitize error information before resolving: resolve({ success: false, error: sanitizeError(e) })',
+        framework: 'generic',
+    },
+    // String interpolation with error
+    {
+        name: 'Error interpolated in response string',
+        pattern: /return\s*[`'"].*\$\{(?:e|err|error)(?:\.message|\.stack)?\}.*[`'"]/gi,
+        baseSeverity: 'medium',
+        description: 'Error details interpolated into response string. Raw error text could contain sensitive information.',
+        suggestedFix: 'Use generic error messages: return `Operation failed: ${getGenericErrorMessage(e.code)}`',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Recursive Agent Patterns
+ * Detect unbounded agent recursion and self-spawning patterns
+ */
+const RECURSIVE_AGENT_PATTERNS = [
+    // ========== Unbounded Agent Recursion ==========
+    {
+        name: 'Recursive agent call without depth limit',
+        pattern: /(?:async\s+)?function\s+(?:run|execute|process|handle)?Agent\s*\([^)]*\)\s*\{[\s\S]{0,200}(?:run|execute|process|handle)?Agent\s*\((?![^)]*depth|[^)]*level|[^)]*recursion)/gi,
+        baseSeverity: 'high',
+        description: 'Agent function calls itself without visible depth parameter. Could recurse indefinitely.',
+        suggestedFix: 'Add depth limit: async function runAgent(task, depth = 0) { if (depth > MAX_DEPTH) throw new Error("Max depth"); await runAgent(subtask, depth + 1) }',
+        framework: 'generic',
+    },
+    {
+        name: 'Agent spawns sub-agent without limit',
+        pattern: /(?:spawn|create|launch|start)(?:Agent|Worker|Task)\s*\([^)]*\)(?![\s\S]{0,50}(?:depth|level|count|limit|max|MAX))/gi,
+        baseSeverity: 'medium',
+        description: 'Sub-agent spawned without visible depth or count limit. Could lead to unbounded agent proliferation.',
+        suggestedFix: 'Track agent depth/count: if (agentCount >= MAX_AGENTS || depth > MAX_DEPTH) throw new Error("Agent limit reached")',
+        framework: 'generic',
+    },
+    {
+        name: 'Recursive task processing without bounds',
+        pattern: /(?:result|response|output)\.(?:subtasks?|children|next|followUp)\s*\.(?:forEach|map|for)\s*\([^)]*(?:process|run|execute)(?:Task|Agent)/gi,
+        baseSeverity: 'high',
+        description: 'Tasks processed recursively based on agent output. Agent could generate unlimited subtasks.',
+        suggestedFix: 'Limit subtask count: const subtasks = result.subtasks.slice(0, MAX_SUBTASKS). Track total processed tasks.',
+        framework: 'generic',
+    },
+    {
+        name: 'Self-improvement loop without termination',
+        pattern: /while\s*\([^)]*(?:improve|optimize|refine|enhance)[^)]*\)\s*\{[\s\S]{0,100}(?:agent|model|llm)/gi,
+        baseSeverity: 'high',
+        description: 'Agent self-improvement loop without clear termination. Could run indefinitely.',
+        suggestedFix: 'Add termination conditions: while (iterations < MAX_ITERATIONS && !satisfactory) { ... iterations++ }',
+        framework: 'generic',
+    },
+    {
+        name: 'CrewAI agent delegation without depth',
+        pattern: /\.delegate\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:max_delegation|delegation_limit|depth))/gi,
+        baseSeverity: 'medium',
+        description: 'CrewAI agent delegation without depth limit. Agents could delegate indefinitely to each other.',
+        suggestedFix: 'Set delegation limits in agent config: Agent(..., max_delegation_depth=3)',
+        framework: 'crewai',
+    },
+    {
+        name: 'LangGraph recursive edge without limit',
+        pattern: /\.add_edge\s*\([^)]*,\s*(?:SAME_NODE|self|current_node)/gi,
+        baseSeverity: 'medium',
+        description: 'LangGraph edge points back to same node without visible limit. Could create infinite loops.',
+        suggestedFix: 'Add iteration tracking and conditional edges with max_iterations check.',
+        framework: 'langchain',
+    },
+];
 /**
  * Excessive agency patterns for unbounded agent autonomy
  */
@@ -579,7 +885,7 @@ const MISSING_AUTH_PATTERNS = [
 /**
  * Main detection function for AI agent tool permission issues
  */
-function detectAIAgentTools(content, filePath) {
+function detectAIAgentTools(content, filePath, options) {
     const vulnerabilities = [];
     // Skip non-applicable files
     if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
@@ -588,7 +894,7 @@ function detectAIAgentTools(content, filePath) {
     if (!isAgentOrToolFile(filePath, content)) {
         return vulnerabilities;
     }
-    const lines = content.split('\n');
+    const lines = options?.parsed?.lines ?? content.split('\n');
     const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
     const isExample = (0, context_helpers_1.isExampleDirectory)(filePath);
     const isLibrary = (0, context_helpers_1.isLibraryCode)(filePath);
@@ -826,6 +1132,359 @@ function detectAIAgentTools(content, filePath) {
             });
         }
     }
+    // Phase 5: Scan for LLM output flow patterns (Task 1)
+    for (const pattern of LLM_OUTPUT_FLOW_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for validation/allowlist mitigations
+            const hasValidation = /(?:allowlist|whitelist|ALLOWED_|validTools|VALID_TOOLS|allowedTools|validateTool|isValidTool|includes|has)\s*\(/i.test(context);
+            const hasAllowlistCheck = /if\s*\(\s*!?\s*(?:ALLOWED|VALID|SAFE|permitted).*(?:includes|has|indexOf)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasValidation || hasAllowlistCheck) {
+                severity = severity === 'critical' ? 'medium' : 'low';
+                description += ' (Validation/allowlist detected nearby - verify it covers this case.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-llm-flow-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'critical' ? 'high' : 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info',
+            });
+        }
+    }
+    // Phase 5: Scan for tool permission accumulation patterns (Task 2)
+    for (const pattern of TOOL_ACCUMULATION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Skip UI array building patterns (not actual AI tool registration)
+            if (pattern.name === 'Tool array push without limit check') {
+                // Check if this is in a selector or UI configuration builder
+                const isUIPattern = 
+                // In selectors (zustand/redux pattern)
+                /selectors?\.ts$/i.test(filePath) ||
+                    // In store configuration
+                    /store\/.*\/selectors/i.test(filePath) ||
+                    // Building manifest/config arrays
+                    /manifest\s*:/i.test(lineContent) ||
+                    /identifier\s*:/i.test(lineContent) ||
+                    // Map/forEach building UI arrays
+                    /\.map\s*\([^)]*=>\s*\{[\s\S]{0,100}tools\.push/i.test(content.substring(Math.max(0, match.index - 200), match.index + 100));
+                if (isUIPattern) {
+                    continue; // Skip - this is building a UI configuration array
+                }
+            }
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for limits and authorization
+            const hasLimits = /(?:max|limit|MAX_|LIMIT_|\.length\s*[<>])/i.test(context);
+            const hasAuthCheck = /(?:if\s*\(.*(?:auth|permission|role|isAdmin|canRegister)|throw.*(?:Unauthorized|Forbidden))/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasLimits) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Limit check detected nearby.)';
+            }
+            if (hasAuthCheck) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Authorization check detected.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-accum-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
+    // Phase 5: Scan for database write scoping patterns (Task 3)
+    for (const pattern of DB_WRITE_SCOPING_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for user/tenant scoping
+            const hasUserScoping = hasUserContextVerification(context);
+            const hasTenantScoping = hasTenantContextVerification(context);
+            // Skip if properly scoped
+            if (hasUserScoping && hasTenantScoping)
+                continue;
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasUserScoping || hasTenantScoping) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += hasUserScoping ? ' (User context detected.)' : ' (Tenant context detected.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-db-scoping-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info',
+            });
+        }
+    }
+    // Phase 5: Scan for recursive agent patterns (Task 4)
+    for (const pattern of RECURSIVE_AGENT_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Skip CRUD/data operations that are NOT AI agent spawning
+            // These are false positives in apps where "agent" means "chat assistant configuration"
+            if (pattern.name === 'Agent spawns sub-agent without limit') {
+                const crudPatterns = [
+                    // Service/SDK method calls - database CRUD for agent configurations
+                    /(?:service|Service|sdk|SDK|store|Store|runtime|Runtime)\.(?:create|get|update|delete)Agent/i,
+                    /\.agents\.createAgent/i, // sdk.agents.createAgent
+                    /agentService\.createAgent/i,
+                    /agentState\.createAgent/i,
+                    /marketSDK\.agents\.createAgent/i,
+                    // React event handlers creating UI entities
+                    /onClick\s*=\s*\{\s*\(\s*\)\s*=>\s*createAgent/i,
+                    // Store action patterns
+                    /await\s+(?:state|store)\w*\.createAgent/i,
+                    // Builder/Runtime patterns for UI
+                    /agentBuilder(?:Runtime)?\.createAgent/i,
+                    /groupAgentBuilderRuntime\.createAgent/i,
+                ];
+                if (crudPatterns.some(p => p.test(lineContent))) {
+                    continue; // Skip - this is a data CRUD operation, not AI agent spawning
+                }
+            }
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for depth/count limits
+            const hasDepthLimit = /(?:depth|level|recursion)\s*[<>]|MAX_DEPTH|maxDepth|max_depth/i.test(context);
+            const hasCountLimit = /(?:count|iterations?)\s*[<>]|MAX_(?:AGENTS|TASKS|ITERATIONS)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasDepthLimit || hasCountLimit) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += hasDepthLimit ? ' (Depth limit detected.)' : ' (Count limit detected.)';
+            }
+            // Check for iteration/timeout limits
+            if (hasIterationLimits(context) || hasTimeoutConfigured(context)) {
+                severity = severity === 'high' ? 'medium' : severity === 'medium' ? 'low' : severity;
+                description += ' (Iteration/timeout limits configured.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-recursive-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
+    // Phase 6: Scan for tool parameter injection patterns (Task 1)
+    for (const pattern of TOOL_PARAMETER_INJECTION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for validation/schema patterns
+            const hasValidation = /(?:zod|yup|joi|schema|validate|safeParse|\.parse\(|validateSchema)/i.test(context);
+            const hasSanitization = /(?:sanitize|clean|escape|filter|strip)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasValidation) {
+                severity = 'low';
+                description += ' (Schema validation detected nearby - verify it covers LLM output.)';
+            }
+            else if (hasSanitization) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Sanitization detected nearby.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-param-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'critical' ? 'high' : 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
+    // Phase 6: Scan for tool error message injection patterns (Task 2)
+    for (const pattern of TOOL_ERROR_INJECTION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, context_helpers_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for error sanitization patterns
+            const hasSanitizedError = /(?:sanitizeError|genericError|safeError|errorMessage\s*=\s*['"`])/i.test(context);
+            const hasLogging = /(?:logger|console)\.\w+\s*\([^)]*(?:error|err|e)\)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasSanitizedError) {
+                severity = 'info';
+                description += ' (Error sanitization detected.)';
+            }
+            else if (hasLogging) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += ' (Server-side logging detected - verify error is sanitized in response.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-error-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
     return vulnerabilities;
 }
 //# sourceMappingURL=ai-agent-tools.js.map