@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/ai-code/agent-tools.js

@@ -0,0 +1,1509 @@
+"use strict";
+/**
+ * Layer 2: AI Agent Tool Permission Detection
+ * Detects overly permissive agent tools and missing authorization checks
+ *
+ * Covers B4: Agent/tool orchestration logic
+ *
+ * Issues detected:
+ * - Tools with unrestricted file system access
+ * - Tools with unrestricted network access
+ * - Tools with shell/code execution capability
+ * - Tools without user/tenant context verification
+ * - Database tools without proper scoping
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAIAgentTools = detectAIAgentTools;
+const file_classifier_1 = require("../../parse/file-classifier");
+const BASE_CONFIDENCE = 0.50;
+// ============================================================================
+// Agent/Tool Context Detection
+// ============================================================================
+/**
+ * Check if file contains agent or tool definitions
+ */
+function isAgentOrToolFile(filePath, content) {
+    // File path indicators
+    const agentPathPatterns = [
+        /\/(agents?|tools?|functions?|actions?)\//i,
+        /\/(mcp|langchain|llamaindex|autogen)\//i,
+        /(agent|tool|function|action).*\.(ts|js|py)$/i,
+    ];
+    if (agentPathPatterns.some(p => p.test(filePath))) {
+        return true;
+    }
+    // Content patterns indicating tool/agent definitions
+    const toolDefinitionPatterns = [
+        /@tool/i, // Python decorator
+        /def\s+\w+_tool\s*\(/i, // Python tool function
+        /defineTool\s*\(/i, // JS/TS tool definition
+        /createTool\s*\(/i, // Tool creation
+        /\.registerTool\s*\(/i, // Tool registration
+        /\.addTool\s*\(/i, // Adding tool to agent
+        /tools\s*:\s*\[/i, // Tools array
+        /FunctionTool|StructuredTool/i, // LangChain tools
+        /tool_choice|function_call/i, // OpenAI function calling
+        /Tool\s*\(\s*\{/i, // Tool configuration object
+        /type:\s*['"`]function['"`]/i, // OpenAI function type
+        /mcpServer|McpServer/i, // MCP server
+    ];
+    return toolDefinitionPatterns.some(p => p.test(content));
+}
+/**
+ * Find tool definition boundaries (start and end lines)
+ */
+function findToolDefinitionContext(content, lineNumber, windowSize = 30) {
+    const lines = content.split('\n');
+    const startLine = Math.max(0, lineNumber - windowSize);
+    const endLine = Math.min(lines.length, lineNumber + windowSize);
+    return {
+        context: lines.slice(startLine, endLine).join('\n'),
+        startLine,
+        endLine,
+    };
+}
+// ============================================================================
+// Authorization Detection
+// ============================================================================
+/**
+ * Check if user context is verified in tool
+ */
+function hasUserContextVerification(context) {
+    const userContextPatterns = [
+        /user[_.]?id/i,
+        /userId/i,
+        /currentUser/i,
+        /req\.user/i,
+        /request\.user/i,
+        /session\.user/i,
+        /getUser\s*\(/i,
+        /getCurrentUser\s*\(/i,
+        /authenticatedUser/i,
+        /ctx\.user/i,
+        /context\.user/i,
+    ];
+    return userContextPatterns.some(p => p.test(context));
+}
+/**
+ * Check if tenant/organization context is verified
+ */
+function hasTenantContextVerification(context) {
+    const tenantContextPatterns = [
+        /tenant[_.]?id/i,
+        /tenantId/i,
+        /org[_.]?id/i,
+        /orgId/i,
+        /organization[_.]?id/i,
+        /workspace[_.]?id/i,
+        /workspaceId/i,
+        /team[_.]?id/i,
+        /teamId/i,
+        /account[_.]?id/i,
+        /accountId/i,
+    ];
+    return tenantContextPatterns.some(p => p.test(context));
+}
+/**
+ * Check if this is an MCP file with proper security controls
+ * MCP files with sanitization and authorization should be downgraded
+ */
+function isMCPFileWithSafePatterns(content, filePath) {
+    // Check if this is an MCP file
+    const mcpPatterns = [
+        /McpServer/i,
+        /@modelcontextprotocol/i,
+        /server\.tool\s*\(/i,
+        /@server\.tool/i,
+        /\/mcp\//i,
+    ];
+    if (!mcpPatterns.some(p => p.test(content) || p.test(filePath))) {
+        return false;
+    }
+    // Check for content sanitization patterns
+    const sanitizationPatterns = [
+        /sanitize|DOMPurify|purify/i,
+        /escapeHtml|escape_html/i,
+        /validateSchema|schema\.parse|safeParse/i,
+        /ALLOWED_TAGS/i,
+        /filterHtml|cleanHtml/i,
+    ];
+    // Check for authorization patterns
+    const authorizationPatterns = [
+        /if\s*\([^)]*ownerId\s*[!=]==?/i,
+        /if\s*\([^)]*userId\s*[!=]==?/i,
+        /if\s*\([^)]*tenantId\s*[!=]==?/i,
+        /throw.*Error.*(?:auth|Forbidden|Unauthorized)/i,
+        /Not\s*authorized/i,
+        /checkPermission|hasPermission|isAuthorized/i,
+    ];
+    const hasSanitization = sanitizationPatterns.some(p => p.test(content));
+    const hasAuthorization = authorizationPatterns.some(p => p.test(content));
+    // MCP file with BOTH sanitization AND authorization is safe
+    return hasSanitization && hasAuthorization;
+}
+/**
+ * Patterns indicating strong/verified restrictions (actual implementation)
+ */
+const STRONG_RESTRICTION_PATTERNS = [
+    // Sandboxing libraries and environments
+    /\bvm2\b/i,
+    /\bisolated-vm\b/i,
+    /\bquickjs\b/i,
+    /\bsandboxed\b/i,
+    /\bRestrictedPython\b/i,
+    /\bnsjail\b/i,
+    /\bfirejail\b/i,
+    /\bgvisor\b/i,
+    // Explicit path/resource restrictions with arrays
+    /allowed(?:Paths|Files|Dirs|Hosts|Urls|Commands)\s*[=:]\s*\[/i,
+    /(?:white|allow)list\s*[=:]\s*\[/i,
+    /(?:blocked|denied|forbidden)(?:Paths|Hosts|Commands)\s*[=:]\s*\[/i,
+    // Path validation functions
+    /validatePath\s*\(/i,
+    /isAllowedPath\s*\(/i,
+    /checkPathAccess\s*\(/i,
+    /resolvePath.*allowed/i,
+    /path\.resolve.*includes/i,
+    // Sandbox configuration objects
+    /sandbox\s*[=:]\s*(?:true|\{)/i,
+    /readonly\s*[=:]\s*true/i,
+    /readOnly\s*[=:]\s*true/i,
+    // Container/isolation patterns
+    /\b(?:docker|podman)\s+run\b.*--read-only/i,
+    /seccomp/i,
+    /capabilities\s*[=:]\s*\[\s*\]/i, // Empty capabilities = restricted
+    // Permission checking code
+    /if\s*\(\s*!?\s*(?:allowed|permitted|authorized)/i,
+    /(?:check|verify|validate)(?:Access|Permission|Capability)\s*\(/i,
+];
+/**
+ * Patterns indicating weak/unverified restriction mentions (comments, TODOs)
+ */
+const WEAK_RESTRICTION_PATTERNS = [
+    // Comments mentioning restrictions without implementation
+    /\/\/.*(?:sandbox|restrict|allowlist|whitelist|todo)/i,
+    /\/\*.*(?:sandbox|restrict|allowlist|whitelist|todo).*\*\//i,
+    /#.*(?:sandbox|restrict|allowlist|whitelist|todo)/i,
+    // TODOs and FIXMEs
+    /TODO.*(?:add|implement|enable).*(?:sandbox|restrict|allowlist)/i,
+    /FIXME.*(?:sandbox|restrict|security)/i,
+    // Variable names without assignment
+    /const\s+(?:sandbox|allowlist|whitelist)\s*;/i,
+];
+/**
+ * Check if tool has strong/verified access restrictions
+ * These are actual implementations, not just mentions
+ */
+function hasStrongRestrictions(context) {
+    // Check for strong patterns
+    const hasStrong = STRONG_RESTRICTION_PATTERNS.some(p => p.test(context));
+    if (!hasStrong)
+        return false;
+    // Verify it's not just a weak mention
+    const isWeak = WEAK_RESTRICTION_PATTERNS.some(p => p.test(context));
+    return !isWeak;
+}
+/**
+ * Check if tool has any access restrictions/allowlists (including weak mentions)
+ */
+function hasAccessRestrictions(context) {
+    const restrictionPatterns = [
+        /allowedPaths/i,
+        /allowedFiles/i,
+        /allowedDirs/i,
+        /allowedHosts/i,
+        /allowedUrls/i,
+        /allowedCommands/i,
+        /allowedOperations/i,
+        /whitelist/i,
+        /allowlist/i,
+        /permissions?:/i,
+        /capabilities:/i,
+        /restrictions?:/i,
+        /constraints?:/i,
+        /sandbox/i,
+        /readonly/i,
+        /readOnly/i,
+    ];
+    return restrictionPatterns.some(p => p.test(context));
+}
+const OVERPERMISSIVE_TOOL_PATTERNS = [
+    // ========== Filesystem Access Tools ==========
+    {
+        name: 'Unrestricted file read tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:read|get).*file|(?:fs|filesystem).*(?:read|get)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file system read access. Without restrictions, agents can access any file the process can read.',
+        suggestedFix: 'Add allowedPaths restriction. Example: { allowedPaths: ["/data/user-uploads"] }. Validate paths stay within allowed directories.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Unrestricted file write tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:write|create|save).*file|(?:fs|filesystem).*(?:write|create)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file system write access. Agents could overwrite critical files or create malicious files.',
+        suggestedFix: 'Restrict to specific directories. Validate file extensions. Implement size limits. Consider using signed URLs instead of direct file access.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'File deletion tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:delete|remove).*file|(?:fs|filesystem).*(?:delete|unlink|remove)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'Tool provides file deletion capability. High risk of data loss if misused.',
+        suggestedFix: 'Implement soft-delete instead of hard delete. Require confirmation. Restrict to user-owned files only.',
+        requiresRestrictions: true,
+        requiresUserContext: true,
+    },
+    // ========== Network Access Tools ==========
+    {
+        name: 'Unrestricted HTTP/fetch tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:http|fetch|request|api)|tool.*(?:fetch|request)\s*\(/gi,
+        riskType: 'network',
+        baseSeverity: 'medium',
+        description: 'Tool provides network/HTTP access. Without restrictions, agents could make requests to internal services (SSRF) or exfiltrate data.',
+        suggestedFix: 'Add allowedHosts configuration. Block internal/private IP ranges. Implement request signing for sensitive operations.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Web scraping tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:scrape|crawl|browse)/gi,
+        riskType: 'network',
+        baseSeverity: 'medium',
+        description: 'Tool provides web scraping capability. Could be used for SSRF or accessing internal resources.',
+        suggestedFix: 'Restrict to allowed domains. Block internal IP ranges. Implement rate limiting.',
+        requiresRestrictions: true,
+    },
+    // ========== Code Execution Tools ==========
+    {
+        name: 'Code execution tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:execute|run|eval).*(?:code|script)|tool.*(?:eval|exec)\s*\(/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'Tool provides code execution capability. This is extremely dangerous without sandboxing.',
+        suggestedFix: 'Use vm2, isolated-vm, or similar sandboxing. Implement timeout and memory limits. Restrict available APIs/modules.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'Python interpreter tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*python.*(?:exec|run|interpret)|PythonREPL|python_repl/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'critical',
+        description: 'Tool provides Python execution capability. Can execute arbitrary system commands.',
+        suggestedFix: 'Use RestrictedPython or sandboxed environments. Block dangerous modules (os, subprocess, socket). Implement resource limits.',
+        requiresRestrictions: true,
+    },
+    // ========== Shell/Command Tools ==========
+    {
+        name: 'Shell command tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:shell|command|terminal|bash)|ShellTool|BashTool/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'Tool provides shell command execution. Allows arbitrary system commands.',
+        suggestedFix: 'Implement strict command allowlisting. Use parameterized commands (execFile, not exec). Consider removing this capability entirely.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'System command tool',
+        pattern: /(?:@tool|defineTool|createTool)[^)]*(?:system|exec|spawn|subprocess)/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'Tool with system command execution capability.',
+        suggestedFix: 'Restrict to specific commands via allowlist. Validate all arguments. Log all command executions.',
+        requiresRestrictions: true,
+    },
+    // ========== Database Tools ==========
+    {
+        name: 'Database query tool',
+        pattern: /(?:@tool|defineTool|createTool|Tool\s*\()[^)]*(?:query|sql|database)|tool.*(?:query|execute)\s*\(/gi,
+        riskType: 'database',
+        baseSeverity: 'high',
+        description: 'Tool provides database query access. Without scoping, agents could access any data.',
+        suggestedFix: 'Always scope queries to current user/tenant. Use row-level security (RLS). Implement read-only mode for most operations.',
+        requiresUserContext: true,
+        requiresTenantContext: true,
+    },
+    {
+        name: 'Raw SQL tool',
+        pattern: /(?:@tool|defineTool|createTool)[^)]*(?:raw.*sql|execute.*sql)/gi,
+        riskType: 'database',
+        baseSeverity: 'critical',
+        description: 'Tool allows raw SQL execution. High risk of SQL injection and unauthorized data access.',
+        suggestedFix: 'Use parameterized queries only. Implement query validation. Consider using an ORM instead of raw SQL.',
+        requiresUserContext: true,
+        requiresTenantContext: true,
+    },
+    // ========== M5: MCP Server Tools ==========
+    {
+        name: 'MCP server tool registration',
+        pattern: /(?:McpServer|Server)\s*\([^)]*\).*(?:setRequestHandler|tool|registerTool)|server\.tool\s*\(/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'MCP (Model Context Protocol) server registering tools. Verify tool capabilities are appropriately restricted.',
+        suggestedFix: 'Add capability restrictions to MCP server. Implement allowlists for file paths, network hosts, and commands.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'MCP tool with shell access',
+        pattern: /server\.tool\s*\([^)]*(?:name:\s*['"`](?:run|exec|shell|command)[^)]*|(?:exec|spawn|shell)\s*\()/gi,
+        riskType: 'shell',
+        baseSeverity: 'critical',
+        description: 'MCP tool with shell command execution capability. Extremely dangerous without restrictions.',
+        suggestedFix: 'Use allowlist of permitted commands. Never allow arbitrary command execution. Consider read-only alternatives.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'MCP file system tool',
+        pattern: /server\.tool\s*\([^)]*(?:name:\s*['"`](?:read|write|create|delete|list).*(?:file|dir)[^)]*|fs\.|readFile|writeFile)/gi,
+        riskType: 'filesystem',
+        baseSeverity: 'high',
+        description: 'MCP tool with file system access. Agents could access or modify arbitrary files.',
+        suggestedFix: 'Restrict to specific directories with allowedPaths. Implement path validation. Consider read-only access.',
+        requiresRestrictions: true,
+    },
+    // ========== M5: Vercel AI SDK Tools ==========
+    {
+        name: 'Vercel AI SDK tool definition',
+        pattern: /tool\s*\(\s*\{[^}]*(?:execute|parameters)/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'Vercel AI SDK tool definition. Review the execute function for dangerous operations.',
+        suggestedFix: 'Validate tool parameters against expected schema. Implement proper access controls within execute function.',
+        requiresUserContext: true,
+    },
+    {
+        name: 'AI SDK tool with dangerous execute',
+        pattern: /tool\s*\(\s*\{[^}]*execute\s*:\s*async[^}]*(?:exec|spawn|eval|fs\.|fetch\s*\()[^}]*\}/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'high',
+        description: 'Vercel AI SDK tool with potentially dangerous execute function (shell, eval, fs, or network access).',
+        suggestedFix: 'Add validation and restrictions in execute function. Implement allowlists for external operations.',
+        requiresRestrictions: true,
+    },
+    {
+        name: 'StreamableUI tool action',
+        pattern: /createStreamableUI.*tool.*\{.*action/gi,
+        riskType: 'code_execution',
+        baseSeverity: 'medium',
+        description: 'Streamable UI tool with server action. Ensure proper authorization before state mutations.',
+        suggestedFix: 'Verify user authentication and authorization before executing actions. Validate all inputs.',
+        requiresUserContext: true,
+    },
+];
+/**
+ * Check if agent has proper iteration limits
+ */
+function hasIterationLimits(context) {
+    const limitPatterns = [
+        /maxIterations\s*[:=]\s*\d{1,2}\b/i, // 1-99
+        /max_iterations\s*[:=]\s*\d{1,2}\b/i,
+        /iteration_limit\s*[:=]\s*\d{1,2}\b/i,
+        /max_steps\s*[:=]\s*\d{1,2}\b/i,
+    ];
+    return limitPatterns.some(p => p.test(context));
+}
+/**
+ * Check if agent has timeout configured
+ */
+function hasTimeoutConfigured(context) {
+    const timeoutPatterns = [
+        /timeout\s*[:=]\s*[1-9]\d*/i, // Positive number
+        /max_execution_time\s*[:=]\s*[1-9]/i,
+        /execution_timeout\s*[:=]\s*[1-9]/i,
+    ];
+    return timeoutPatterns.some(p => p.test(context));
+}
+/**
+ * Check if human-in-the-loop is enabled
+ */
+function hasHumanInLoop(context) {
+    const humanPatterns = [
+        /humanInLoop\s*[:=]\s*true/i,
+        /human_in_loop\s*[:=]\s*True/i,
+        /requireApproval\s*[:=]\s*true/i,
+        /require_approval\s*[:=]\s*True/i,
+        /human_input_mode\s*[:=]\s*['"`](?:ALWAYS|TERMINATE)['"`]/i,
+        /confirm_before\s*[:=]\s*true/i,
+    ];
+    return humanPatterns.some(p => p.test(context));
+}
+/**
+ * Check if Docker is configured for code execution
+ */
+function hasDockerConfigured(context) {
+    const dockerPatterns = [
+        /use_docker\s*[:=]\s*True/i,
+        /docker\s*[:=]\s*true/i,
+        /container\s*[:=]\s*true/i,
+        /sandboxed\s*[:=]\s*true/i,
+    ];
+    return dockerPatterns.some(p => p.test(context));
+}
+/**
+ * Check if budget/cost limits are configured
+ */
+function hasBudgetLimits(context) {
+    const budgetPatterns = [
+        /budgetLimit|budget_limit/i,
+        /costLimit|cost_limit/i,
+        /max_cost|maxCost/i,
+        /spending_limit/i,
+        /token_limit|tokenLimit/i,
+    ];
+    return budgetPatterns.some(p => p.test(context));
+}
+/**
+ * Phase 5: LLM Output Flow Patterns
+ * Detect when LLM-generated content flows into dangerous operations
+ */
+const LLM_OUTPUT_FLOW_PATTERNS = [
+    // ========== LLM Output in Tool Names/Paths ==========
+    {
+        name: 'LLM output used as tool name',
+        pattern: /(?:tools?\[|getTools?\s*\(|callTool\s*\(|invokeTool\s*\(|executeTool\s*\()\s*(?:response|result|output|completion|message|content|llm|ai|model|gpt|claude)\.(?:content|text|tool|toolName|function|name|choice)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as tool name for invocation. An adversarial prompt could cause the agent to call arbitrary tools, bypassing intended restrictions.',
+        suggestedFix: 'Validate tool names against a static allowlist: const ALLOWED_TOOLS = [\'read\', \'write\'] as const; if (!ALLOWED_TOOLS.includes(toolName)) throw new Error("Invalid tool")',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in file path',
+        pattern: /(?:fs|file|path|fsp)\.(?:readFile|writeFile|unlink|rm|mkdir|readdir|access|stat|copyFile|rename)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:path|filePath|file|filename|directory|dir)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as file path. Path traversal or arbitrary file access could occur via prompt injection.',
+        suggestedFix: 'Validate paths against allowed directories: if (!path.startsWith(ALLOWED_BASE_DIR)) throw new Error("Invalid path"). Use path.resolve() and verify the result stays within bounds.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in shell command',
+        pattern: /(?:exec|spawn|execFile|execSync|spawnSync)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:command|cmd|script|code|executable|program)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output used directly as shell command. Remote code execution via prompt injection.',
+        suggestedFix: 'Never use LLM output in shell commands. If necessary, use a strict allowlist of permitted commands and validate arguments.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM output in URL/endpoint',
+        pattern: /(?:fetch|axios|http|request|got)\s*\(\s*(?:response|result|output|completion|message|content|llm|ai|model)\.(?:url|endpoint|href|uri|link|host)/gi,
+        baseSeverity: 'high',
+        description: 'LLM output used directly as URL or endpoint. SSRF risk via prompt injection.',
+        suggestedFix: 'Validate URLs against allowed hosts. Use URL allowlists and block internal IP ranges.',
+        framework: 'generic',
+    },
+    {
+        name: 'LLM response destructured into tool call',
+        pattern: /(?:const|let|var)\s*\{\s*(?:tool|toolName|function|functionName|action|method)\s*\}\s*=\s*(?:response|result|output|completion|message|llm|ai|model)/gi,
+        baseSeverity: 'high',
+        description: 'Tool name destructured from LLM response. This pattern suggests dynamic tool selection based on LLM output.',
+        suggestedFix: 'Validate extracted tool names against a static allowlist before invocation.',
+        framework: 'generic',
+    },
+    {
+        name: 'Dynamic property access with LLM output',
+        pattern: /(?:tools|handlers|actions|functions|methods)\s*\[\s*(?:response|result|output|completion|message|content|llm|ai)(?:\.|(?:\s*\[['"`]?(?:tool|name|function|action)))/gi,
+        baseSeverity: 'high',
+        description: 'Dynamic object property access using LLM output. Could access unintended tools or methods.',
+        suggestedFix: 'Use explicit tool dispatch with allowlist validation: if (toolName in SAFE_TOOLS) { SAFE_TOOLS[toolName]() }',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Tool Permission Accumulation Patterns
+ * Detect unbounded tool registration and permission growth
+ */
+const TOOL_ACCUMULATION_PATTERNS = [
+    // ========== Unbounded Tool Registration ==========
+    {
+        name: 'Unbounded tool registration',
+        pattern: /(?:agent|tools?|registry)\.(?:registerTool|addTool|push|add|set)\s*\(\s*(?:user|request|req|input|body|data|param)\.(?:tool|function|action|capability)/gi,
+        baseSeverity: 'high',
+        description: 'Tools registered dynamically from user input without bounds. Users could accumulate unlimited capabilities over time.',
+        suggestedFix: 'Use a static allowlist: const ALLOWED_TOOLS = [...] and validate against it. Implement tool count limits.',
+        framework: 'generic',
+    },
+    {
+        name: 'Tool array push without limit check',
+        pattern: /tools\.push\s*\([^)]+\)(?![\s\S]{0,50}(?:length\s*[<>]|limit|max|ALLOWED|whitelist|allowlist))/gi,
+        baseSeverity: 'medium',
+        description: 'Tools added to array without checking count limits. Tool list could grow unboundedly.',
+        suggestedFix: 'Add limit check: if (tools.length >= MAX_TOOLS) throw new Error("Tool limit reached")',
+        framework: 'generic',
+    },
+    {
+        name: 'Dynamic tool loading from user config',
+        pattern: /(?:require|import|loadModule|dynamicImport)\s*\(\s*(?:user|request|req|input|body|config)\.(?:tool|module|plugin|extension)/gi,
+        baseSeverity: 'critical',
+        description: 'Tool modules loaded dynamically from user-controlled paths. Could load arbitrary code.',
+        suggestedFix: 'Use a static module registry. Validate module paths against an allowlist.',
+        framework: 'generic',
+    },
+    {
+        name: 'Permission grant without authorization check',
+        pattern: /(?:grant|add|enable)(?:Permission|Capability|Access)\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:if|auth|permission|role|admin|isAdmin))/gi,
+        baseSeverity: 'high',
+        description: 'Permissions granted without visible authorization check. Users could escalate their own privileges.',
+        suggestedFix: 'Add authorization check: if (!user.hasRole("admin")) throw new Error("Unauthorized")',
+        framework: 'generic',
+    },
+    {
+        name: 'Tool inheritance without restriction',
+        pattern: /(?:inherit|extend|merge)(?:Tools|Capabilities|Permissions)\s*\(\s*(?:parent|base|source)\.tools/gi,
+        baseSeverity: 'medium',
+        description: 'Agent inherits tools from parent without filtering. Could inherit more permissions than intended.',
+        suggestedFix: 'Explicitly list inherited tools instead of blanket inheritance. Use allowlist for permitted inherited capabilities.',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Database Write Scoping Patterns
+ * Detect database writes that may lack proper user scoping
+ */
+const DB_WRITE_SCOPING_PATTERNS = [
+    // ========== Database Writes Without User Scoping ==========
+    {
+        name: 'DB insert without userId',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create|save|add)\s*\(\s*\{(?![^}]*(?:userId|user_id|ownerId|owner_id|createdBy|created_by|authorId|author_id))[^}]*(?:content|data|text|body|message)\s*:/gi,
+        baseSeverity: 'high',
+        description: 'Database insert with content field but no user ID. AI-generated content may not be properly attributed to user.',
+        suggestedFix: 'Add user context: db.insert({ content: aiGenerated, userId: ctx.user.id })',
+        framework: 'generic',
+    },
+    {
+        name: 'DB insert with AI content unscopedp',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insert|create)\s*\(\s*\{[^}]*:\s*(?:response|result|output|completion|message|ai|llm|model)\.(?:content|text|data|output|result)/gi,
+        baseSeverity: 'high',
+        description: 'AI-generated content inserted into database. Ensure proper user scoping and content validation.',
+        suggestedFix: 'Add user context and validate content: db.insert({ content: validated, userId: ctx.user.id, createdAt: Date.now() })',
+        framework: 'generic',
+    },
+    {
+        name: 'Bulk write without tenant filter',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:insertMany|createMany|bulkCreate|bulkInsert)\s*\([^)]*\)(?![\s\S]{0,50}(?:tenantId|tenant_id|orgId|org_id|organizationId))/gi,
+        baseSeverity: 'medium',
+        description: 'Bulk database write without visible tenant scoping. Multi-tenant data isolation may be at risk.',
+        suggestedFix: 'Add tenant filter to all bulk operations: records.map(r => ({ ...r, tenantId: ctx.tenant.id }))',
+        framework: 'generic',
+    },
+    {
+        name: 'Update without ownership check',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:update|updateOne|updateMany)\s*\(\s*\{[^}]*id\s*:/gi,
+        baseSeverity: 'medium',
+        description: 'Database update by ID without visible ownership verification. Agent could modify other users\' data.',
+        suggestedFix: 'Add ownership check: db.update({ where: { id, userId: ctx.user.id }, data: { ... } })',
+        framework: 'generic',
+    },
+    {
+        name: 'Delete without user scoping',
+        pattern: /(?:db|database|prisma|knex|sequelize|mongoose|supabase|drizzle)\.(?:delete|deleteOne|deleteMany|destroy|remove)\s*\(\s*\{[^}]*id\s*:/gi,
+        baseSeverity: 'high',
+        description: 'Database delete by ID without user scoping. Agent could delete other users\' data.',
+        suggestedFix: 'Add user scoping: db.delete({ where: { id, userId: ctx.user.id } })',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 6 Task 1: Tool Parameter Injection Patterns
+ * Detect LLM output flowing to tool parameters (not just tool names)
+ */
+const TOOL_PARAMETER_INJECTION_PATTERNS = [
+    // LLM output in tool parameters
+    {
+        name: 'LLM output in tool parameters',
+        pattern: /tool\s*\(\s*\{[^}]*:\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*\s*[,}]/gi,
+        baseSeverity: 'high',
+        description: 'Tool parameters derived from unvalidated LLM output can be manipulated via prompt injection. Attackers could modify tool behavior through crafted responses.',
+        suggestedFix: 'Validate and sanitize LLM output before passing as tool parameters. Use schema validation (zod, yup) to ensure expected structure.',
+        framework: 'generic',
+    },
+    // Tool args assigned directly from LLM output
+    {
+        name: 'Tool args from LLM output',
+        pattern: /\bargs\s*=\s*(response|output|result|content|message|llmOutput|aiResponse|completion)(\.\w+)*/gi,
+        baseSeverity: 'high',
+        description: 'Tool arguments assigned directly from LLM output enable parameter injection. Malicious prompts could inject unexpected arguments.',
+        suggestedFix: 'Use schema validation (zod, yup) on LLM output before passing to tools: const validatedArgs = toolArgsSchema.parse(llmOutput)',
+        framework: 'generic',
+    },
+    // Spread LLM output into tool call
+    {
+        name: 'LLM output spread into tool call',
+        pattern: /(?:executeTool|callTool|invokeTool|runTool)\s*\([^)]*\.\.\.(?:response|output|result|content|llmOutput|aiResponse)/gi,
+        baseSeverity: 'critical',
+        description: 'LLM output spread directly into tool invocation. All LLM-provided fields pass through unvalidated.',
+        suggestedFix: 'Destructure and validate specific fields: const { field1, field2 } = schema.parse(llmOutput); executeTool({ field1, field2 })',
+        framework: 'generic',
+    },
+    // Dynamic property access for tool params
+    {
+        name: 'Dynamic tool param from LLM',
+        pattern: /toolParams?\s*\[\s*(response|output|result|llmOutput|aiResponse)\./gi,
+        baseSeverity: 'high',
+        description: 'Tool parameter accessed dynamically from LLM output. Could access unintended parameters.',
+        suggestedFix: 'Use explicit parameter extraction with validation: const param = validateParam(llmOutput.expectedField)',
+        framework: 'generic',
+    },
+    // JSON.parse of LLM output for tool params
+    {
+        name: 'JSON parsed LLM output as tool params',
+        pattern: /JSON\.parse\s*\(\s*(response|output|result|content|llmOutput|aiResponse|completion)(?:\.\w+)?\s*\)[^;]*(?:tool|execute|invoke|call)/gi,
+        baseSeverity: 'high',
+        description: 'LLM output JSON-parsed and used as tool parameters. Parsed structure could contain malicious fields.',
+        suggestedFix: 'Validate parsed JSON against expected schema: const params = toolParamsSchema.parse(JSON.parse(llmOutput))',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 6 Task 2: Tool Error Message Injection Patterns
+ * Detect raw error exposure to LLM that could leak system information or enable injection
+ */
+const TOOL_ERROR_INJECTION_PATTERNS = [
+    // Raw error message in tool response
+    {
+        name: 'Raw error in tool response',
+        pattern: /catch\s*\([^)]*\)\s*\{[^}]*(return|resolve)\s*\([^)]*error\.(message|stack|toString)/gi,
+        baseSeverity: 'medium',
+        description: 'Raw error messages returned to LLM could leak system information (paths, credentials, internal state) or be used for prompt injection attacks.',
+        suggestedFix: 'Return sanitized, generic error messages to LLM. Log detailed errors server-side: catch (e) { logger.error(e); return { error: "Operation failed" } }',
+        framework: 'generic',
+    },
+    // Error object in tool return
+    {
+        name: 'Error object in tool return',
+        pattern: /return\s*\{[^}]*error\s*:\s*(?:e|err|error)(?:\s*,|\s*\})/gi,
+        baseSeverity: 'medium',
+        description: 'Error object returned directly to LLM. Full error objects may contain sensitive stack traces or internal details.',
+        suggestedFix: 'Return only error message or generic status: return { error: "Failed to process request", code: "OPERATION_FAILED" }',
+        framework: 'generic',
+    },
+    // Stack trace in response
+    {
+        name: 'Stack trace in tool response',
+        pattern: /return\s*\{[^}]*(?:stack|stackTrace|trace)\s*:\s*(?:e|err|error)\./gi,
+        baseSeverity: 'high',
+        description: 'Stack trace returned to LLM. Stack traces expose internal code paths, file structures, and potentially sensitive data.',
+        suggestedFix: 'Never return stack traces to LLM. Log them server-side for debugging: logger.error({ stack: e.stack }); return { error: "Internal error" }',
+        framework: 'generic',
+    },
+    // Exception details in resolve/reject
+    {
+        name: 'Exception details in promise resolution',
+        pattern: /(?:resolve|reject)\s*\(\s*\{[^}]*(?:exception|error|e)\s*:\s*(?:e|err|error)(?:\.message|\.stack)?/gi,
+        baseSeverity: 'medium',
+        description: 'Exception details passed in promise resolution. Error information flows to LLM context.',
+        suggestedFix: 'Sanitize error information before resolving: resolve({ success: false, error: sanitizeError(e) })',
+        framework: 'generic',
+    },
+    // String interpolation with error
+    {
+        name: 'Error interpolated in response string',
+        pattern: /return\s*[`'"].*\$\{(?:e|err|error)(?:\.message|\.stack)?\}.*[`'"]/gi,
+        baseSeverity: 'medium',
+        description: 'Error details interpolated into response string. Raw error text could contain sensitive information.',
+        suggestedFix: 'Use generic error messages: return `Operation failed: ${getGenericErrorMessage(e.code)}`',
+        framework: 'generic',
+    },
+];
+/**
+ * Phase 5: Recursive Agent Patterns
+ * Detect unbounded agent recursion and self-spawning patterns
+ */
+const RECURSIVE_AGENT_PATTERNS = [
+    // ========== Unbounded Agent Recursion ==========
+    {
+        name: 'Recursive agent call without depth limit',
+        pattern: /(?:async\s+)?function\s+(?:run|execute|process|handle)?Agent\s*\([^)]*\)\s*\{[\s\S]{0,200}(?:run|execute|process|handle)?Agent\s*\((?![^)]*depth|[^)]*level|[^)]*recursion)/gi,
+        baseSeverity: 'high',
+        description: 'Agent function calls itself without visible depth parameter. Could recurse indefinitely.',
+        suggestedFix: 'Add depth limit: async function runAgent(task, depth = 0) { if (depth > MAX_DEPTH) throw new Error("Max depth"); await runAgent(subtask, depth + 1) }',
+        framework: 'generic',
+    },
+    {
+        name: 'Agent spawns sub-agent without limit',
+        pattern: /(?:spawn|create|launch|start)(?:Agent|Worker|Task)\s*\([^)]*\)(?![\s\S]{0,50}(?:depth|level|count|limit|max|MAX))/gi,
+        baseSeverity: 'medium',
+        description: 'Sub-agent spawned without visible depth or count limit. Could lead to unbounded agent proliferation.',
+        suggestedFix: 'Track agent depth/count: if (agentCount >= MAX_AGENTS || depth > MAX_DEPTH) throw new Error("Agent limit reached")',
+        framework: 'generic',
+    },
+    {
+        name: 'Recursive task processing without bounds',
+        pattern: /(?:result|response|output)\.(?:subtasks?|children|next|followUp)\s*\.(?:forEach|map|for)\s*\([^)]*(?:process|run|execute)(?:Task|Agent)/gi,
+        baseSeverity: 'high',
+        description: 'Tasks processed recursively based on agent output. Agent could generate unlimited subtasks.',
+        suggestedFix: 'Limit subtask count: const subtasks = result.subtasks.slice(0, MAX_SUBTASKS). Track total processed tasks.',
+        framework: 'generic',
+    },
+    {
+        name: 'Self-improvement loop without termination',
+        pattern: /while\s*\([^)]*(?:improve|optimize|refine|enhance)[^)]*\)\s*\{[\s\S]{0,100}(?:agent|model|llm)/gi,
+        baseSeverity: 'high',
+        description: 'Agent self-improvement loop without clear termination. Could run indefinitely.',
+        suggestedFix: 'Add termination conditions: while (iterations < MAX_ITERATIONS && !satisfactory) { ... iterations++ }',
+        framework: 'generic',
+    },
+    {
+        name: 'CrewAI agent delegation without depth',
+        pattern: /\.delegate\s*\(\s*[^)]*\)(?![\s\S]{0,30}(?:max_delegation|delegation_limit|depth))/gi,
+        baseSeverity: 'medium',
+        description: 'CrewAI agent delegation without depth limit. Agents could delegate indefinitely to each other.',
+        suggestedFix: 'Set delegation limits in agent config: Agent(..., max_delegation_depth=3)',
+        framework: 'crewai',
+    },
+    {
+        name: 'LangGraph recursive edge without limit',
+        pattern: /\.add_edge\s*\([^)]*,\s*(?:SAME_NODE|self|current_node)/gi,
+        baseSeverity: 'medium',
+        description: 'LangGraph edge points back to same node without visible limit. Could create infinite loops.',
+        suggestedFix: 'Add iteration tracking and conditional edges with max_iterations check.',
+        framework: 'langchain',
+    },
+];
+/**
+ * Excessive agency patterns for unbounded agent autonomy
+ */
+const EXCESSIVE_AGENCY_PATTERNS = [
+    // ========== Generic Unbounded Loops ==========
+    {
+        name: 'Unbounded agent loop',
+        pattern: /while\s*\(\s*(?:true|1|True)\s*\)[\s\S]{0,100}(?:agent|step|run|execute|iterate)/gi,
+        baseSeverity: 'high',
+        description: 'Agent runs in an unbounded loop without explicit termination condition. This can lead to infinite execution, resource exhaustion, or runaway costs.',
+        suggestedFix: 'Add maxIterations limit: while (iterations < maxIterations) { ... }. Consider adding timeout and cost limits.',
+        framework: 'generic',
+    },
+    {
+        name: 'No iteration limit configured',
+        pattern: /maxIterations\s*[:=]\s*(?:-1|null|undefined|None|Infinity|float\s*\(\s*['"`]inf)/gi,
+        baseSeverity: 'high',
+        description: 'Agent configured with no iteration limit. This allows unbounded execution which can consume excessive resources.',
+        suggestedFix: 'Set a reasonable iteration limit: maxIterations: 10 (adjust based on your use case).',
+        framework: 'generic',
+    },
+    {
+        name: 'No timeout configured',
+        pattern: /timeout\s*[:=]\s*(?:-1|0|null|undefined|None|false|False)/gi,
+        baseSeverity: 'medium',
+        description: 'Agent timeout is disabled or set to zero. Long-running agents can hang indefinitely.',
+        suggestedFix: 'Configure a reasonable timeout: timeout: 300000 (5 minutes). Adjust based on expected execution time.',
+        framework: 'generic',
+    },
+    {
+        name: 'Auto-approve without human oversight',
+        pattern: /(?:autoApprove|auto_approve)\s*[:=]\s*(?:true|True)/gi,
+        baseSeverity: 'high',
+        description: 'Agent auto-approves actions without human review. Combined with destructive capabilities, this is dangerous.',
+        suggestedFix: 'Enable human-in-the-loop for sensitive operations: autoApprove: false, or implement approval workflows for destructive actions.',
+        framework: 'generic',
+    },
+    {
+        name: 'Human-in-loop disabled',
+        pattern: /(?:humanInLoop|human_in_loop)\s*[:=]\s*(?:false|False)/gi,
+        baseSeverity: 'medium',
+        description: 'Human oversight is explicitly disabled. The agent can take actions without human review.',
+        suggestedFix: 'Enable human-in-the-loop for sensitive operations: humanInLoop: true. Add confirmation prompts for destructive actions.',
+        framework: 'generic',
+    },
+    // ========== CrewAI Specific ==========
+    {
+        name: 'CrewAI unsafe code execution mode',
+        pattern: /code_execution_mode\s*[:=]\s*['"`]unsafe['"`]/gi,
+        baseSeverity: 'critical',
+        description: 'CrewAI agent configured with unsafe code execution mode. This allows arbitrary code execution without sandboxing.',
+        suggestedFix: 'Use safe mode: code_execution_mode="safe". This runs code in a restricted environment.',
+        framework: 'crewai',
+    },
+    {
+        name: 'CrewAI code execution without Docker',
+        pattern: /allow_code_execution\s*[:=]\s*True(?![\s\S]{0,50}use_docker\s*[:=]\s*True)/gi,
+        baseSeverity: 'high',
+        description: 'CrewAI agent allows code execution without Docker containerization. Code runs directly on the host system.',
+        suggestedFix: 'Enable Docker for code execution: Agent(..., allow_code_execution=True, code_execution_config={"use_docker": True})',
+        framework: 'crewai',
+    },
+    // ========== AutoGen Specific ==========
+    {
+        name: 'AutoGen use_docker=False',
+        pattern: /(?:code_execution_config|LocalCommandLineCodeExecutor)\s*[\s\S]{0,50}use_docker\s*[:=]\s*False/gi,
+        baseSeverity: 'critical',
+        description: 'AutoGen code execution configured without Docker. Code executes directly on the host, enabling full system access.',
+        suggestedFix: 'Use Docker: code_execution_config={"use_docker": True}. Or use DockerCommandLineCodeExecutor for sandboxed execution.',
+        framework: 'autogen',
+    },
+    {
+        name: 'AutoGen NEVER human input mode',
+        pattern: /human_input_mode\s*[:=]\s*['"`]NEVER['"`]/gi,
+        baseSeverity: 'high',
+        description: 'AutoGen agent configured to never request human input. Agent can execute indefinitely without human oversight.',
+        suggestedFix: 'Use "ALWAYS" or "TERMINATE" for human_input_mode. "TERMINATE" allows agent to complete but requests input on termination.',
+        framework: 'autogen',
+    },
+    {
+        name: 'AutoGen UserProxyAgent without reply limit',
+        pattern: /UserProxyAgent\s*\((?![^)]*max_consecutive_auto_reply)[^)]*\)/gi,
+        baseSeverity: 'medium',
+        description: 'AutoGen UserProxyAgent without max_consecutive_auto_reply limit. Agent can auto-reply indefinitely.',
+        suggestedFix: 'Add reply limit: UserProxyAgent(..., max_consecutive_auto_reply=10). Adjust limit based on expected conversation length.',
+        framework: 'autogen',
+    },
+    // ========== LangChain Specific ==========
+    {
+        name: 'LangChain AgentExecutor without limits',
+        pattern: /AgentExecutor\s*\([^)]*(?!max_iterations)[^)]*\)/gi,
+        baseSeverity: 'medium',
+        description: 'LangChain AgentExecutor without max_iterations. Agent can loop indefinitely on complex tasks.',
+        suggestedFix: 'Set iteration limit: AgentExecutor(..., max_iterations=15). Add early_stopping_method="generate" to gracefully stop.',
+        framework: 'langchain',
+    },
+    // ========== Overpermissioned Agents ==========
+    {
+        name: 'Agent with excessive tools',
+        pattern: /tools\s*[:=]\s*\[(?:[^\]]*,){10,}[^\]]*\]/gi,
+        baseSeverity: 'medium',
+        description: 'Agent configured with more than 10 tools. Overpermissioned agents have larger attack surface if compromised via prompt injection.',
+        suggestedFix: 'Follow principle of least privilege. Split into specialized agents with focused tool sets. Remove unused tools.',
+        framework: 'generic',
+    },
+];
+/**
+ * Patterns for missing authorization in tools
+ */
+const MISSING_AUTH_PATTERNS = [
+    {
+        name: 'Tool without user context',
+        pattern: /(?:@tool|defineTool|createTool|\.registerTool|\.addTool)\s*\([^)]*(?:async\s+)?(?:function|\().*(?:create|update|delete|modify|write|send)/gi,
+        riskType: 'database',
+        baseSeverity: 'medium',
+        description: 'Tool performs write operations but may not verify user context. Actions could be performed as wrong user.',
+        suggestedFix: 'Pass userId as required parameter. Verify user owns/can access the resource before modification.',
+        requiresUserContext: true,
+    },
+];
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Main detection function for AI agent tool permission issues
+ */
+function detectAIAgentTools(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    // Only scan files that appear to have agent/tool definitions
+    if (!isAgentOrToolFile(filePath, content)) {
+        return vulnerabilities;
+    }
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isExample = (0, file_classifier_1.isExampleDirectory)(filePath);
+    const isLibrary = (0, file_classifier_1.isLibraryCode)(filePath);
+    // Scan for overly permissive tool patterns
+    for (const pattern of OVERPERMISSIVE_TOOL_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get tool context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for mitigations (strong vs weak)
+            const hasStrong = hasStrongRestrictions(context);
+            const hasWeak = hasAccessRestrictions(context);
+            const hasUserContext = hasUserContextVerification(context);
+            const hasTenantContext = hasTenantContextVerification(context);
+            // Determine if issue is fully mitigated
+            let isMitigated = true;
+            let hasPartialMitigation = false;
+            const missingMitigations = [];
+            if (pattern.requiresRestrictions) {
+                if (hasStrong) {
+                    // Strong restrictions = fully mitigated for this requirement
+                }
+                else if (hasWeak) {
+                    // Weak restrictions = partial mitigation
+                    hasPartialMitigation = true;
+                    missingMitigations.push('verified access restrictions (found mentions but not implementation)');
+                    isMitigated = false;
+                }
+                else {
+                    isMitigated = false;
+                    missingMitigations.push('access restrictions');
+                }
+            }
+            if (pattern.requiresUserContext && !hasUserContext) {
+                isMitigated = false;
+                missingMitigations.push('user context verification');
+            }
+            if (pattern.requiresTenantContext && !hasTenantContext) {
+                isMitigated = false;
+                missingMitigations.push('tenant/org context verification');
+            }
+            // Skip if all required mitigations are present with strong verification
+            if (isMitigated)
+                continue;
+            // Calculate severity
+            let severity = pattern.baseSeverity;
+            const isMCPSafe = isMCPFileWithSafePatterns(content, filePath);
+            if (isTestFile) {
+                severity = 'info';
+            }
+            else if (isExample) {
+                // Example/demo code - downgrade to info
+                severity = 'info';
+            }
+            else if (isLibrary) {
+                // Library code - tool definitions are intentionally flexible
+                // Consumers add restrictions when they use the tools
+                severity = 'info';
+            }
+            else if (isMCPSafe) {
+                // MCP file with proper security controls (sanitization + authorization)
+                severity = 'info';
+            }
+            else if (hasPartialMitigation || hasUserContext || hasTenantContext) {
+                // Partial mitigation - downgrade
+                if (severity === 'critical')
+                    severity = 'high';
+                else if (severity === 'high')
+                    severity = 'medium';
+            }
+            // Build description
+            let description = pattern.description;
+            if (missingMitigations.length > 0) {
+                description += ` Missing: ${missingMitigations.join(', ')}.`;
+            }
+            if (isTestFile) {
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                description += ' (In example/demo directory - not production code.)';
+            }
+            else if (isLibrary) {
+                description += ' (Library code - tool definitions are generic; consumers add restrictions.)';
+            }
+            else if (isMCPSafe) {
+                description += ' (MCP file with sanitization and authorization controls detected.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-${filePath}-${lineNumber}-${pattern.riskType}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_overpermissive_tool',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: true, // Always validate - context dependent
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Scan for missing authorization patterns
+    for (const pattern of MISSING_AUTH_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get tool context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check if user context is verified
+            const hasUserContext = hasUserContextVerification(context);
+            // Skip if user context is present
+            if (hasUserContext)
+                continue;
+            let severity = pattern.baseSeverity;
+            let description = pattern.description;
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-auth-${filePath}-${lineNumber}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_overpermissive_tool',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'low', // Lower confidence - needs context
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: true,
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Scan for excessive agency patterns (Phase 2)
+    for (const pattern of EXCESSIVE_AGENCY_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context for mitigation checks
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for mitigations
+            let isMitigated = false;
+            let isPartiallyMitigated = false;
+            let description = pattern.description;
+            // Check iteration limits
+            if (hasIterationLimits(context)) {
+                isPartiallyMitigated = true;
+                description += ' (Iteration limits detected nearby.)';
+            }
+            // Check timeout configuration
+            if (hasTimeoutConfigured(context)) {
+                isPartiallyMitigated = true;
+                description += ' (Timeout configured.)';
+            }
+            // Check human-in-the-loop
+            if (hasHumanInLoop(context)) {
+                isPartiallyMitigated = true;
+                description += ' (Human-in-loop enabled.)';
+            }
+            // Check Docker for code execution patterns
+            if (pattern.framework === 'crewai' || pattern.framework === 'autogen') {
+                if (hasDockerConfigured(context)) {
+                    isMitigated = true;
+                    description += ' (Docker containerization detected.)';
+                }
+            }
+            // Check budget limits
+            if (hasBudgetLimits(context)) {
+                isPartiallyMitigated = true;
+                description += ' (Budget limits configured.)';
+            }
+            // Calculate severity
+            let severity = pattern.baseSeverity;
+            const isMCPSafe = isMCPFileWithSafePatterns(content, filePath);
+            if (isMitigated) {
+                severity = 'info';
+            }
+            else if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            else if (isPartiallyMitigated) {
+                // Downgrade if partial mitigations present
+                if (severity === 'critical')
+                    severity = 'high';
+                else if (severity === 'high')
+                    severity = 'medium';
+                else if (severity === 'medium')
+                    severity = 'low';
+            }
+            // Skip fully mitigated or info-level in non-agent files
+            if (isMitigated && severity === 'info')
+                continue;
+            vulnerabilities.push({
+                id: `ai-agency-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'info' ? 'low' : 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 5: Scan for LLM output flow patterns (Task 1)
+    for (const pattern of LLM_OUTPUT_FLOW_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for validation/allowlist mitigations
+            const hasValidation = /(?:allowlist|whitelist|ALLOWED_|validTools|VALID_TOOLS|allowedTools|validateTool|isValidTool|includes|has)\s*\(/i.test(context);
+            const hasAllowlistCheck = /if\s*\(\s*!?\s*(?:ALLOWED|VALID|SAFE|permitted).*(?:includes|has|indexOf)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasValidation || hasAllowlistCheck) {
+                severity = severity === 'critical' ? 'medium' : 'low';
+                description += ' (Validation/allowlist detected nearby - verify it covers this case.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-llm-flow-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'critical' ? 'high' : 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 5: Scan for tool permission accumulation patterns (Task 2)
+    for (const pattern of TOOL_ACCUMULATION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Skip UI array building patterns (not actual AI tool registration)
+            if (pattern.name === 'Tool array push without limit check') {
+                // Check if this is in a selector or UI configuration builder
+                const isUIPattern = 
+                // In selectors (zustand/redux pattern)
+                /selectors?\.ts$/i.test(filePath) ||
+                    // In store configuration
+                    /store\/.*\/selectors/i.test(filePath) ||
+                    // Building manifest/config arrays
+                    /manifest\s*:/i.test(lineContent) ||
+                    /identifier\s*:/i.test(lineContent) ||
+                    // Map/forEach building UI arrays
+                    /\.map\s*\([^)]*=>\s*\{[\s\S]{0,100}tools\.push/i.test(content.substring(Math.max(0, match.index - 200), match.index + 100));
+                if (isUIPattern) {
+                    continue; // Skip - this is building a UI configuration array
+                }
+            }
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for limits and authorization
+            const hasLimits = /(?:max|limit|MAX_|LIMIT_|\.length\s*[<>])/i.test(context);
+            const hasAuthCheck = /(?:if\s*\(.*(?:auth|permission|role|isAdmin|canRegister)|throw.*(?:Unauthorized|Forbidden))/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasLimits) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Limit check detected nearby.)';
+            }
+            if (hasAuthCheck) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Authorization check detected.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-accum-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 5: Scan for database write scoping patterns (Task 3)
+    for (const pattern of DB_WRITE_SCOPING_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for user/tenant scoping
+            const hasUserScoping = hasUserContextVerification(context);
+            const hasTenantScoping = hasTenantContextVerification(context);
+            // Skip if properly scoped
+            if (hasUserScoping && hasTenantScoping)
+                continue;
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasUserScoping || hasTenantScoping) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += hasUserScoping ? ' (User context detected.)' : ' (Tenant context detected.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-db-scoping-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 5: Scan for recursive agent patterns (Task 4)
+    for (const pattern of RECURSIVE_AGENT_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Skip CRUD/data operations that are NOT AI agent spawning
+            // These are false positives in apps where "agent" means "chat assistant configuration"
+            if (pattern.name === 'Agent spawns sub-agent without limit') {
+                const crudPatterns = [
+                    // Service/SDK method calls - database CRUD for agent configurations
+                    /(?:service|Service|sdk|SDK|store|Store|runtime|Runtime)\.(?:create|get|update|delete)Agent/i,
+                    /\.agents\.createAgent/i, // sdk.agents.createAgent
+                    /agentService\.createAgent/i,
+                    /agentState\.createAgent/i,
+                    /marketSDK\.agents\.createAgent/i,
+                    // React event handlers creating UI entities
+                    /onClick\s*=\s*\{\s*\(\s*\)\s*=>\s*createAgent/i,
+                    // Store action patterns
+                    /await\s+(?:state|store)\w*\.createAgent/i,
+                    // Builder/Runtime patterns for UI
+                    /agentBuilder(?:Runtime)?\.createAgent/i,
+                    /groupAgentBuilderRuntime\.createAgent/i,
+                ];
+                if (crudPatterns.some(p => p.test(lineContent))) {
+                    continue; // Skip - this is a data CRUD operation, not AI agent spawning
+                }
+            }
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for depth/count limits
+            const hasDepthLimit = /(?:depth|level|recursion)\s*[<>]|MAX_DEPTH|maxDepth|max_depth/i.test(context);
+            const hasCountLimit = /(?:count|iterations?)\s*[<>]|MAX_(?:AGENTS|TASKS|ITERATIONS)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasDepthLimit || hasCountLimit) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += hasDepthLimit ? ' (Depth limit detected.)' : ' (Count limit detected.)';
+            }
+            // Check for iteration/timeout limits
+            if (hasIterationLimits(context) || hasTimeoutConfigured(context)) {
+                severity = severity === 'high' ? 'medium' : severity === 'medium' ? 'low' : severity;
+                description += ' (Iteration/timeout limits configured.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-recursive-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 6: Scan for tool parameter injection patterns (Task 1)
+    for (const pattern of TOOL_PARAMETER_INJECTION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for validation/schema patterns
+            const hasValidation = /(?:zod|yup|joi|schema|validate|safeParse|\.parse\(|validateSchema)/i.test(context);
+            const hasSanitization = /(?:sanitize|clean|escape|filter|strip)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasValidation) {
+                severity = 'low';
+                description += ' (Schema validation detected nearby - verify it covers LLM output.)';
+            }
+            else if (hasSanitization) {
+                severity = severity === 'critical' ? 'high' : severity === 'high' ? 'medium' : 'low';
+                description += ' (Sanitization detected nearby.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-param-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: severity === 'critical' ? 'high' : 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    // Phase 6: Scan for tool error message injection patterns (Task 2)
+    for (const pattern of TOOL_ERROR_INJECTION_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Get surrounding context
+            const { context } = findToolDefinitionContext(content, lineNumber);
+            // Check for error sanitization patterns
+            const hasSanitizedError = /(?:sanitizeError|genericError|safeError|errorMessage\s*=\s*['"`])/i.test(context);
+            const hasLogging = /(?:logger|console)\.\w+\s*\([^)]*(?:error|err|e)\)/i.test(context);
+            let description = pattern.description;
+            let severity = pattern.baseSeverity;
+            if (hasSanitizedError) {
+                severity = 'info';
+                description += ' (Error sanitization detected.)';
+            }
+            else if (hasLogging) {
+                severity = severity === 'high' ? 'medium' : 'low';
+                description += ' (Server-side logging detected - verify error is sanitized in response.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                description += ' (In test file.)';
+            }
+            else if (isExample) {
+                severity = 'info';
+                description += ' (In example/demo directory.)';
+            }
+            else if (isLibrary) {
+                severity = 'info';
+                description += ' (Library code.)';
+            }
+            vulnerabilities.push({
+                id: `ai-tool-error-injection-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: 'ai_excessive_agency',
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: 'medium',
+                layer: 2,
+                source: 'ai_code',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+                baseConfidence: BASE_CONFIDENCE,
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=agent-tools.js.map