@oculum/scanner 1.0.12 → 1.0.13

package/src/score/index.ts

@@ -0,0 +1,316 @@
+/**
+ * Confidence Scoring System
+ *
+ * Entry point for the confidence scoring system. Provides:
+ * - scoreFindings() — score a batch of findings
+ * - buildConfidenceLog() — structured logging for debugging/tuning
+ * - buildAdjustmentContext() — build context for adjustment rules
+ * - DEPTH_CONFIGS — threshold configs for each scan depth
+ */
+
+import type { Vulnerability, ScanDepth } from '../shared/types'
+import type {
+  ScoredFinding,
+  ConfidenceLog,
+  AdjustmentContext,
+  DepthConfig,
+} from './types'
+import type { ContextEngineResult } from '../model/taint-types'
+import type { CrossFileTaintPath } from '../model/cross-file-taint'
+import { findClosestRoute } from '../model/route-discovery/utils'
+import { computeConfidence } from './confidence'
+import { ALL_ADJUSTMENT_RULES } from './adjustments'
+import {
+  isTestOrMockFile,
+  isExampleFile,
+  isScannerOrFixtureFile,
+  isToolingDirectory,
+  isServerOnlyFile,
+  isClientBundledFile,
+} from '../parse/file-classifier'
+
+// ============================================================================
+// Depth Configurations
+// ============================================================================
+
+/**
+ * Score thresholds per scan depth.
+ *
+ * - local:    Only high-confidence findings surface. No AI.
+ * - verified: High-confidence surface directly; medium goes to AI.
+ * - deep:     High-confidence surface; nearly everything goes to AI.
+ */
+export const DEPTH_CONFIGS: Record<ScanDepth, DepthConfig> = {
+  local: {
+    surfaceThreshold: 0.70,
+    validateThreshold: 1.0,   // Effectively no validation (nothing reaches 1.0)
+    aiEnabled: false,
+  },
+  verified: {
+    surfaceThreshold: 0.70,
+    validateThreshold: 0.20,
+    aiEnabled: true,
+  },
+  deep: {
+    surfaceThreshold: 0.70,
+    validateThreshold: 0.10,
+    aiEnabled: true,
+  },
+}
+
+// ============================================================================
+// Context Builder
+// ============================================================================
+
+/**
+ * Build adjustment context for a finding from file + project info.
+ */
+export function buildAdjustmentContext(
+  finding: Vulnerability,
+  ceResult: ContextEngineResult
+): AdjustmentContext {
+  // Look up taint data for this finding's file
+  let taint: AdjustmentContext['taint'] = undefined
+  const fileAnalysis = ceResult.fileTaintAnalyses?.get(finding.filePath)
+  if (fileAnalysis) {
+    // Check if any taint path has a sink at the finding's line number
+    const matchingPaths = fileAnalysis.taintPaths.filter(
+      tp => tp.sink.line === finding.lineNumber
+    )
+    if (matchingPaths.length > 0) {
+      // Pick the highest-confidence unsanitised path, or any path
+      const bestPath = matchingPaths.find(p => !p.sanitised) ?? matchingPaths[0]
+      taint = {
+        confirmed: true,
+        sources: matchingPaths.map(p => p.source.sourceType),
+        sinkType: bestPath.sink.sinkType,
+        sanitised: bestPath.sanitised,
+        confidence: bestPath.confidence,
+      }
+    } else {
+      // Check cross-file taint paths (CE Phase 4) — sink-side match
+      const crossFilePaths = findCrossFileTaintMatch(ceResult, finding)
+
+      if (crossFilePaths.length > 0) {
+        const bestPath = crossFilePaths.find(p => !p.sanitised) ?? crossFilePaths[0]
+        taint = {
+          confirmed: true,
+          sources: crossFilePaths.map(p => p.source.sourceType),
+          sinkType: bestPath.sink.sinkType,
+          sanitised: bestPath.sanitised,
+          confidence: bestPath.confidence,
+        }
+      } else {
+        // File has taint analysis but no path to this finding's line
+        taint = {
+          confirmed: false,
+          sources: [],
+          sinkType: null,
+          sanitised: false,
+          confidence: null,
+        }
+      }
+    }
+  } else {
+    // No intra-file taint analysis — still check cross-file taint paths (call-site match)
+    const crossFilePaths = findCrossFileTaintMatch(ceResult, finding)
+    if (crossFilePaths.length > 0) {
+      const bestPath = crossFilePaths.find(p => !p.sanitised) ?? crossFilePaths[0]
+      taint = {
+        confirmed: true,
+        sources: crossFilePaths.map(p => p.source.sourceType),
+        sinkType: bestPath.sink.sinkType,
+        sanitised: bestPath.sanitised,
+        confidence: bestPath.confidence,
+      }
+    }
+  }
+
+  // Look up route data for this finding's file
+  let route: AdjustmentContext['route'] = undefined
+  const fileRoutes = ceResult.routeMap?.fileToRoutes.get(finding.filePath)
+  if (fileRoutes && fileRoutes.length > 0) {
+    // Find the closest route to the finding's line number
+    const closestRoute = findClosestRoute(fileRoutes, finding.lineNumber)
+    if (closestRoute) {
+      route = {
+        hasAuth: closestRoute.authMiddleware.length > 0,
+        isPublic: closestRoute.isPublic,
+        middleware: closestRoute.authMiddleware,
+        methods: closestRoute.methods,
+        hasRateLimiting: closestRoute.rateLimiting,
+      }
+    }
+  }
+
+  // Look up framework analysis for this finding's file
+  let framework: AdjustmentContext['framework'] = undefined
+  const fileFramework = ceResult.frameworkAnalyses?.get(finding.filePath)
+  if (fileFramework) {
+    const safeLinePatterns = fileFramework.safeLines.get(finding.lineNumber)
+    const unsafeLinePatterns = fileFramework.unsafeLines.get(finding.lineNumber)
+    const safeLine = safeLinePatterns?.[0]
+    const unsafeLine = unsafeLinePatterns?.[0]
+    if (safeLine || unsafeLine) {
+      const activeFrameworks: string[] = []
+      const pc2 = ceResult.projectContext
+      if (pc2.frameworks.primary) activeFrameworks.push(pc2.frameworks.primary)
+      if (pc2.frameworks.frontend && !activeFrameworks.includes(pc2.frameworks.frontend)) {
+        activeFrameworks.push(pc2.frameworks.frontend)
+      }
+      framework = {
+        safePatternMatch: safeLine ? { id: safeLine.id, reason: safeLine.reason } : null,
+        unsafePatternMatch: unsafeLine ? { id: unsafeLine.id, reason: unsafeLine.reason } : null,
+        activeFrameworks,
+        orm: ceResult.projectContext.dataAccess.orm ?? null,
+      }
+    }
+  }
+
+  const pc = ceResult.projectContext
+  return {
+    file: {
+      isTestFile: isTestOrMockFile(finding.filePath),
+      isExampleFile: isExampleFile(finding.filePath),
+      isDocFile: /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
+      isScannerCode: isScannerOrFixtureFile(finding.filePath),
+      isToolingDir: isToolingDirectory(finding.filePath),
+      isServerOnly: isServerOnlyFile(finding.filePath),
+      isClientBundled: isClientBundledFile(finding.filePath),
+    },
+    project: {
+      hasAuthMiddleware: pc.auth.hasGlobalMiddleware,
+      hasTypeScript: pc.frameworks.usesTypeScript,
+      orm: pc.dataAccess.orm ?? null,
+      validationLib: pc.dataAccess.validationLibrary ?? null,
+    },
+    lineContent: finding.lineContent,
+    filePath: finding.filePath,
+    taint,
+    route,
+    framework,
+  }
+}
+
+/**
+ * Find cross-file taint paths matching a finding — both sink-side and call-site.
+ * Mirrors the matching logic in request-builder.ts for AI annotations.
+ */
+function findCrossFileTaintMatch(
+  ceResult: ContextEngineResult,
+  finding: Vulnerability
+): CrossFileTaintPath[] {
+  return ceResult.crossFileTaintPaths?.filter(
+    cfp => (cfp.sinkFile === finding.filePath && cfp.sink.line === finding.lineNumber) ||
+           (cfp.sourceFile === finding.filePath && cfp.importLink.callLine === finding.lineNumber)
+  ) ?? []
+}
+
+// ============================================================================
+// Score Findings
+// ============================================================================
+
+/**
+ * Score a batch of findings with confidence scoring.
+ *
+ * Each finding gets a ConfidenceComputation attached as `confidence_score`.
+ * The routing field indicates whether the finding should be surfaced,
+ * validated by AI, or suppressed.
+ */
+export interface ScoringDiagnostics {
+  /** How many times each adjustment rule fired */
+  ruleHitCounts: Record<string, number>
+  /** Score distribution buckets */
+  scoreDistribution: { '0.0-0.2': number; '0.2-0.4': number; '0.4-0.6': number; '0.6-0.8': number; '0.8-1.0': number }
+  /** Average score per category */
+  categoryAvgScores: Record<string, { avg: number; count: number }>
+  /** Taint rule hits specifically */
+  taintRuleHits: Record<string, number>
+}
+
+export function scoreFindings(
+  findings: Vulnerability[],
+  depth: ScanDepth,
+  ceResult: ContextEngineResult
+): { scored: ScoredFinding[]; diagnostics: ScoringDiagnostics } {
+  const depthConfig = DEPTH_CONFIGS[depth]
+  const ruleHitCounts: Record<string, number> = {}
+  const taintRuleHits: Record<string, number> = {}
+  const scoreDistribution = { '0.0-0.2': 0, '0.2-0.4': 0, '0.4-0.6': 0, '0.6-0.8': 0, '0.8-1.0': 0 }
+  const categoryScoreSums: Record<string, { sum: number; count: number }> = {}
+
+  const scored = findings.map(finding => {
+    const context = buildAdjustmentContext(finding, ceResult)
+    const computation = computeConfidence(finding, context, ALL_ADJUSTMENT_RULES, depthConfig)
+
+    // Collect diagnostics
+    for (const adj of computation.adjustments) {
+      ruleHitCounts[adj.factor] = (ruleHitCounts[adj.factor] || 0) + 1
+      if (adj.source === 'taint') {
+        taintRuleHits[adj.factor] = (taintRuleHits[adj.factor] || 0) + 1
+      }
+    }
+
+    // Score distribution
+    const s = computation.score
+    if (s < 0.2) scoreDistribution['0.0-0.2']++
+    else if (s < 0.4) scoreDistribution['0.2-0.4']++
+    else if (s < 0.6) scoreDistribution['0.4-0.6']++
+    else if (s < 0.8) scoreDistribution['0.6-0.8']++
+    else scoreDistribution['0.8-1.0']++
+
+    // Per-category avg
+    const cat = finding.category
+    if (!categoryScoreSums[cat]) categoryScoreSums[cat] = { sum: 0, count: 0 }
+    categoryScoreSums[cat].sum += computation.score
+    categoryScoreSums[cat].count++
+
+    return {
+      ...finding,
+      confidence_score: computation,
+    }
+  })
+
+  const categoryAvgScores: Record<string, { avg: number; count: number }> = {}
+  for (const [cat, data] of Object.entries(categoryScoreSums)) {
+    categoryAvgScores[cat] = { avg: data.sum / data.count, count: data.count }
+  }
+
+  return {
+    scored,
+    diagnostics: { ruleHitCounts, scoreDistribution, categoryAvgScores, taintRuleHits },
+  }
+}
+
+// ============================================================================
+// Confidence Log
+// ============================================================================
+
+/**
+ * Build structured confidence logs for a batch of scored findings.
+ * Used for debugging, tuning, and comparing with tier-based routing.
+ */
+export function buildConfidenceLog(scored: ScoredFinding[]): ConfidenceLog[] {
+  return scored.map(f => ({
+    findingId: `${f.filePath}:${f.lineNumber}:${f.category}`,
+    category: f.category,
+    detectorGroup: f.source ?? 'unknown',
+    base: f.confidence_score.base,
+    adjustments: f.confidence_score.adjustments,
+    final: f.confidence_score.score,
+    routing: f.confidence_score.routing,
+    filePath: f.filePath,
+    severity: f.severity,
+  }))
+}
+
+// Re-export types for consumer convenience
+export type {
+  ScoredFinding,
+  ConfidenceComputation,
+  ConfidenceAdjustment,
+  ConfidenceLog,
+  AdjustmentRule,
+  AdjustmentContext,
+  DepthConfig,
+} from './types'

package/src/score/types.ts

@@ -0,0 +1,187 @@
+/**
+ * Confidence Scoring Types
+ *
+ * Per-finding continuous confidence scoring (0.0–1.0) that replaces
+ * the tier-based routing system. Each finding gets a numeric score
+ * computed from baseConfidence + sum(adjustments), and routing
+ * decisions use score thresholds instead of tier membership.
+ *
+ * The adjustment system is extensible for the future Context Engine
+ * (taint, route, framework data).
+ */
+
+import type { Vulnerability, ScanDepth } from '../shared/types'
+
+// ============================================================================
+// Confidence Adjustment
+// ============================================================================
+
+/**
+ * A single adjustment applied to a finding's confidence score.
+ * Records what changed the score, by how much, and why.
+ */
+export interface ConfidenceAdjustment {
+  /** Which adjustment rule produced this */
+  factor: string
+  /** Numeric change to score (positive = more confident, negative = less) */
+  delta: number
+  /** Human-readable explanation */
+  reason: string
+  /** Origin of this adjustment */
+  source: 'file_context' | 'auto_dismiss' | 'taint' | 'route' | 'framework' | 'detector'
+}
+
+// ============================================================================
+// Confidence Computation Result
+// ============================================================================
+
+/**
+ * Full computation result for a single finding's confidence score.
+ */
+export interface ConfidenceComputation {
+  /** Final clamped score (0.0–1.0) */
+  score: number
+  /** Base confidence from the detector */
+  base: number
+  /** All adjustments applied */
+  adjustments: ConfidenceAdjustment[]
+  /** Routing decision based on score thresholds */
+  routing: 'surface' | 'validate' | 'suppress'
+}
+
+// ============================================================================
+// Scored Finding
+// ============================================================================
+
+/**
+ * A vulnerability enriched with confidence scoring data.
+ * Extends the base Vulnerability with computed confidence information.
+ */
+export interface ScoredFinding extends Vulnerability {
+  /** Confidence computation result */
+  confidence_score: ConfidenceComputation
+}
+
+// ============================================================================
+// Depth Configuration
+// ============================================================================
+
+/**
+ * Score thresholds for each scan depth level.
+ * Determines how findings are routed based on their confidence score.
+ */
+export interface DepthConfig {
+  /** Minimum score to surface directly without AI validation */
+  surfaceThreshold: number
+  /** Minimum score to send to AI validation (below this = suppress) */
+  validateThreshold: number
+  /** Whether AI validation is available at this depth */
+  aiEnabled: boolean
+}
+
+// ============================================================================
+// Confidence Log
+// ============================================================================
+
+/**
+ * Structured log entry for confidence scoring decisions.
+ * Used for debugging, tuning, and audit trails.
+ */
+export interface ConfidenceLog {
+  /** Finding identifier (filePath:lineNumber:category) */
+  findingId: string
+  /** Vulnerability category */
+  category: string
+  /** Detector group that produced the finding */
+  detectorGroup: string
+  /** Base confidence from detector */
+  base: number
+  /** All adjustments applied */
+  adjustments: ConfidenceAdjustment[]
+  /** Final computed score */
+  final: number
+  /** Routing decision */
+  routing: 'surface' | 'validate' | 'suppress'
+  /** File path */
+  filePath: string
+  /** Severity */
+  severity: string
+}
+
+// ============================================================================
+// Adjustment Rule System
+// ============================================================================
+
+/**
+ * Context available to adjustment rules for evaluating findings.
+ *
+ * Starts minimal (file classification + basic project info).
+ * When Context Engine lands, add optional taint?, route?, framework?
+ * fields — existing rules ignore them; new rules check for presence.
+ */
+export interface AdjustmentContext {
+  /** File-level classification */
+  file: {
+    isTestFile: boolean
+    isExampleFile: boolean
+    isDocFile: boolean
+    isScannerCode: boolean
+    isToolingDir: boolean
+    isServerOnly: boolean
+    isClientBundled: boolean
+  }
+  /** Project-level context */
+  project: {
+    hasAuthMiddleware: boolean
+    hasTypeScript: boolean
+    orm: string | null
+    validationLib: string | null
+  }
+  /** The raw line content of the finding */
+  lineContent: string
+  /** The file path of the finding */
+  filePath: string
+
+  // Context Engine fields (optional — existing rules ignore undefined)
+  taint?: {
+    confirmed: boolean
+    sources: string[]
+    sinkType: string | null
+    sanitised: boolean
+    confidence: 'high' | 'medium' | 'low' | null
+  }
+  route?: {
+    hasAuth: boolean
+    isPublic: boolean
+    middleware: string[]
+    methods: string[]
+    hasRateLimiting: boolean
+  }
+  framework?: {
+    /** A safe-by-design pattern matches this finding's line */
+    safePatternMatch: { id: string; reason: string } | null
+    /** An unsafe-despite-framework pattern matches this finding's line */
+    unsafePatternMatch: { id: string; reason: string } | null
+    /** Which frameworks are active in the project */
+    activeFrameworks: string[]
+    /** ORM in use */
+    orm: string | null
+  }
+}
+
+/**
+ * A single adjustment rule that can modify a finding's confidence score.
+ * Rules are evaluated in order; all matching rules contribute their delta.
+ */
+export interface AdjustmentRule {
+  /** Unique name for this rule */
+  name: string
+  /** Origin category */
+  source: ConfidenceAdjustment['source']
+  /** Whether this rule applies to the given finding + context */
+  applies: (finding: Vulnerability, context: AdjustmentContext) => boolean
+  /** Score delta when rule applies (negative = less confident) */
+  delta: number
+  /** Human-readable reason */
+  reason: string
+}

package/src/{baseline → shared/baseline}/__tests__/diff.test.ts

@@ -72,7 +72,7 @@ describe('Baseline Diff Computation', () => {
       ]
 
       // Need to compute the hash that would match
-      const { computeFindingHash } = require('../../suppression/hash')
+      const { computeFindingHash } = require('../../../postprocess/suppression/hash')
       const hash = computeFindingHash(current[0])
 
       const baseline = createBaseline([
@@ -119,7 +119,7 @@ describe('Baseline Diff Computation', () => {
     it('should handle mixed scenario with new, fixed, and existing findings', () => {
       // Create a finding that will be in both current and baseline
       const existingVuln = createVuln('src/existing.ts', 10, 'xss', 'medium', 'Existing XSS')
-      const { computeFindingHash } = require('../../suppression/hash')
+      const { computeFindingHash } = require('../../../postprocess/suppression/hash')
       const existingHash = computeFindingHash(existingVuln)
 
       // Current: one existing + one new

package/src/{baseline → shared/baseline}/diff.ts

@@ -5,7 +5,7 @@
 
 import type { Vulnerability, SeverityCounts, VulnerabilitySeverity } from '../types'
 import type { BaselineData, BaselineFinding, DiffResult } from './types'
-import { computeFindingHash } from '../suppression/hash'
+import { computeFindingHash } from '../../postprocess/suppression/hash'
 
 /**
  * Compute severity counts from baseline findings

package/src/{baseline → shared/baseline}/manager.ts

@@ -9,7 +9,7 @@ import { execFileSync } from 'child_process'
 import type { ScanResult, ScanDepth, Vulnerability } from '../types'
 import type { BaselineData, BaselineFinding } from './types'
 import { BASELINE_FILE_PATH, OCULUM_DIR } from './types'
-import { computeFindingHash } from '../suppression/hash'
+import { computeFindingHash } from '../../postprocess/suppression/hash'
 
 export interface BaselineManagerOptions {
   /** Project root path */

package/src/{category-filter.ts → shared/category-filter.ts}

@@ -16,7 +16,7 @@
  */
 
 import type { VulnerabilityCategory, Vulnerability, VulnerabilitySeverity } from './types'
-import { severityRank } from './utils/parsed-file'
+import { severityRank } from './parsed-file'
 
 /**
  * Category group definitions for wildcard expansion

package/src/{utils → shared}/code-analysis.ts

@@ -6,7 +6,7 @@
  */
 
 import { ParsedFile } from './parsed-file'
-import { isComment } from './context-helpers'
+import { isComment } from '../parse/file-classifier'
 
 /**
  * Check if a line is inside a try-catch block.

package/src/{rules → shared/rules}/__tests__/metadata.test.ts

@@ -53,6 +53,13 @@ const ALL_CATEGORIES: VulnerabilityCategory[] = [
   'ai_unverified_model',
   'ai_unsafe_finetuning',
   'ai_excessive_agency',
+  // Agent skill file security
+  'ai_skill_injection',
+  // OWASP Workstream 1
+  'missing_security_headers',
+  'ssrf',
+  'log_injection',
+  'xxe',
 ]
 
 describe('Rule Metadata Registry', () => {

package/src/{rules → shared/rules}/framework-fixes.ts

@@ -11,7 +11,7 @@
  */
 
 import type { VulnerabilityCategory } from '../types'
-import type { FrameworkContext, DataAccessContext } from '../utils/project-context-builder'
+import type { FrameworkContext, DataAccessContext } from '../../model/project-context'
 
 // ============================================================================
 // Types

package/src/{rules → shared/rules}/metadata.ts

@@ -806,6 +806,100 @@ export const RULE_REGISTRY: Record<VulnerabilityCategory, RuleMetadata> = {
       'https://docs.crewai.com/concepts/security',
     ],
   },
+  // ==========================================================================
+  // OWASP Workstream 1: Classic Vulnerability Detectors
+  // ==========================================================================
+  missing_security_headers: {
+    name: 'Missing Security Headers',
+    whyItMatters:
+      'Missing HTTP security headers (CSP, HSTS, X-Frame-Options) leave the application vulnerable to clickjacking, MIME sniffing, XSS, and man-in-the-middle attacks.',
+    fixSteps: [
+      'Add helmet middleware for Express apps: app.use(helmet())',
+      'Configure Content-Security-Policy to restrict resource loading',
+      'Enable HSTS (Strict-Transport-Security) for HTTPS enforcement',
+      'Set X-Frame-Options to prevent clickjacking',
+      'Add X-Content-Type-Options: nosniff to prevent MIME sniffing',
+    ],
+    evidence: 'Server configuration missing critical HTTP security headers',
+    references: [
+      'https://owasp.org/www-project-secure-headers/',
+      'https://cwe.mitre.org/data/definitions/693.html',
+    ],
+  },
+
+  ssrf: {
+    name: 'Server-Side Request Forgery (SSRF)',
+    whyItMatters:
+      'SSRF allows attackers to make the server send requests to unintended locations, potentially accessing internal services, cloud metadata endpoints, or performing port scanning from within the network.',
+    fixSteps: [
+      'Validate and sanitize all user-supplied URLs before making server-side requests',
+      'Implement an allowlist of permitted domains or IP ranges',
+      'Block requests to private IP ranges (127.0.0.1, 10.x, 192.168.x, 169.254.x)',
+      'Use a URL parser to validate the scheme, host, and port',
+      'Consider using a proxy service for user-supplied URLs',
+    ],
+    evidence: 'User-controlled input flows to server-side HTTP request without validation',
+    references: [
+      'https://owasp.org/www-community/attacks/Server_Side_Request_Forgery',
+      'https://cwe.mitre.org/data/definitions/918.html',
+    ],
+  },
+
+  log_injection: {
+    name: 'Log Injection',
+    whyItMatters:
+      'Unsanitized user input in log statements can forge log entries, inject CRLF sequences to create fake log lines, or exploit log processing tools via injection attacks.',
+    fixSteps: [
+      'Sanitize user input before including in log messages (strip newlines, control characters)',
+      'Use structured logging (JSON format) instead of string interpolation',
+      'Parameterize log fields instead of concatenating user input',
+      'Implement log output encoding appropriate to the log format',
+    ],
+    evidence: 'User-controlled request data flows directly into log statements',
+    references: [
+      'https://owasp.org/www-community/attacks/Log_Injection',
+      'https://cwe.mitre.org/data/definitions/117.html',
+    ],
+  },
+
+  xxe: {
+    name: 'XML External Entity (XXE) Injection',
+    whyItMatters:
+      'XXE vulnerabilities allow attackers to read server files, perform SSRF, execute denial-of-service attacks (billion laughs), and potentially achieve remote code execution through XML parsing.',
+    fixSteps: [
+      'Disable external entity processing in your XML parser',
+      'Use defusedxml (Python) instead of standard xml library',
+      'Set factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) in Java',
+      'Use JSON instead of XML where possible',
+      'Upgrade XML parsing libraries to versions with secure defaults',
+    ],
+    evidence: 'XML parser used without disabling external entity processing',
+    references: [
+      'https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing',
+      'https://cwe.mitre.org/data/definitions/611.html',
+    ],
+  },
+
+  // ==========================================================================
+  // Agent Skill File Security
+  // ==========================================================================
+  ai_skill_injection: {
+    name: 'Agent Skill Injection',
+    whyItMatters:
+      'AI agent skill/configuration files define agent behavior. Prompt injection, data exfiltration commands, or hidden execution patterns in these files can compromise the agent, exfiltrate sensitive data, or execute arbitrary code on the host system.',
+    fixSteps: [
+      'Review the skill file for any instructions that override safety guidelines',
+      'Remove any shell commands that pipe remote content to execution (curl | sh)',
+      'Remove any references to sensitive files or environment variables',
+      'Check for hidden Unicode characters using a hex editor or unicode inspector',
+      'Ensure tool descriptions do not contain injection language',
+    ],
+    evidence: 'Detected prompt injection, data exfiltration, or hidden execution pattern in agent skill file',
+    references: [
+      'https://owasp.org/www-project-top-10-for-large-language-model-applications/',
+      'https://cwe.mitre.org/data/definitions/77.html',
+    ],
+  },
 }
 
 /**