@oculum/scanner 1.0.13 → 1.0.15

package/src/detect/ast-rules/mcp-security-ast.ts

@@ -0,0 +1,808 @@
+/**
+ * AST-Based MCP (Model Context Protocol) Security Detection
+ *
+ * Migrates ai-code/mcp-security.ts from regex to AST.
+ * Detects security issues in MCP tool implementations.
+ *
+ * AST advantages:
+ * - Structurally detects server.tool() registrations and their handlers
+ * - Resolves return values to check for unsanitized content
+ * - Checks tool parameter destructuring for credential fields
+ * - Detects missing user context from function parameter analysis
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, getCallArguments, getReceiverChain, getObjectLiteralProperty } from './helpers/call-analysis'
+import { getImportedModules } from './helpers/import-analysis'
+import { isScannerOrFixtureFile, isTestOrMockFile, isExampleFile } from '../../parse/file-classifier'
+import { hasPythonDecorator, isPythonFString, getPythonFStringParts } from './helpers/python-helpers'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/** Check if file is an MCP file */
+function isMCPFile(root: Parser.SyntaxNode, filePath: string, content: string): boolean {
+  // Cheap checks first — skip expensive import analysis for 99%+ of files
+  if (/McpServer|server\.tool\s*\(|@server\.tool|@mcp\.tool|FastMCP/i.test(content)) return true
+  if (/\/mcp\/|mcp[-_]?server|mcp[-_]?tools?/i.test(filePath)) return true
+  // Only check imports if content mentions MCP-related strings
+  if (!/@modelcontextprotocol|mcp|fastmcp/i.test(content)) return false
+  const modules = getImportedModules(root)
+  return [...modules].some(m => /^(@modelcontextprotocol\/sdk|mcp|@mcp\/)/.test(m))
+}
+
+/** Check for content sanitization */
+function hasSanitization(bodyText: string): boolean {
+  return /sanitize|DOMPurify|purify|escapeHtml|escape_html|stripTags|validateContent|zod\.parse|schema\.parse|safeParse|filterHtml|cleanHtml|ALLOWED_TAGS/i.test(bodyText)
+}
+
+/** Check for user context */
+function hasUserContext(bodyText: string): boolean {
+  return /context\.user|context\.userId|context\.session|context\.auth|getCurrentUser|request\.user|req\.user|user\.id|userId|session\.user|auth\(\)|tenantId|tenant\.id|orgId/i.test(bodyText)
+}
+
+/** Check for authorization check */
+function hasAuthCheck(bodyText: string): boolean {
+  return /if\s*\([^)]*\.ownerId\s*[!=]==?|if\s*\([^)]*userId\s*[!=]==?|Not\s*authorized|Forbidden|checkPermission|checkAccess|canAccess|hasPermission|isAuthorized|throw.*Error.*auth/i.test(bodyText)
+}
+
+/** Check if data source is safe/static */
+function isSafeDataSource(bodyText: string): boolean {
+  return /(?:static|public)(?:Data|Docs|Content)|mathjs|calculate|compute|findByUser|getByUser|user\.(?:files|documents|records)/i.test(bodyText)
+}
+
+/** Get enclosing Python function body text */
+function getPythonEnclosingBody(node: Parser.SyntaxNode): string {
+  let current: Parser.SyntaxNode | null = node.parent
+  while (current) {
+    if (current.type === 'function_definition') {
+      return (current.childForFieldName('body') ?? current).text
+    }
+    current = current.parent
+  }
+  return ''
+}
+
+/** Get Python MCP tool function definitions (decorated with @server.tool or @mcp.tool) */
+function getPythonMCPToolFunctions(nodeIndex: NodeIndex): Array<{ decoratedDef: Parser.SyntaxNode; funcDef: Parser.SyntaxNode; body: Parser.SyntaxNode }> {
+  const results: Array<{ decoratedDef: Parser.SyntaxNode; funcDef: Parser.SyntaxNode; body: Parser.SyntaxNode }> = []
+  for (const node of getNodes(nodeIndex, 'decorated_definition')) {
+    const funcDef = node.namedChildren.find(c => c.type === 'function_definition')
+    if (!funcDef) continue
+    if (!hasPythonDecorator(funcDef, /^(server\.tool|mcp\.tool|tool)$/)) continue
+    const body = funcDef.childForFieldName('body')
+    if (!body) continue
+    results.push({ decoratedDef: node, funcDef, body })
+  }
+  return results
+}
+
+/** Get tool handler body from server.tool() call */
+function getToolHandlerBody(node: Parser.SyntaxNode): Parser.SyntaxNode | null {
+  const args = node.namedChildren.find(c => c.type === 'arguments')
+  if (!args) return null
+
+  // server.tool(name, schema, handler) or server.tool(name, handler)
+  for (const arg of args.namedChildren) {
+    if (arg.type === 'arrow_function' || arg.type === 'function_expression') {
+      return arg.childForFieldName('body') ?? arg
+    }
+  }
+  return null
+}
+
+// ============================================================================
+// AST Rule: Tool Poisoning (unsanitized external content)
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-mcp-tool-poisoning',
+  title: 'MCP tool returns unsanitized external content',
+  description: 'MCP tool returns external content (HTTP, files, DB) without sanitization. Prompt injection payloads could manipulate AI behavior.',
+  severity: 'high',
+  category: 'ai_mcp_tool_poisoning',
+  suggestedFix: 'Sanitize external content before returning: return { content: sanitize(response.text()) }',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      const toolFuncs = getPythonMCPToolFunctions(nodeIndex!)
+      for (const { funcDef, body } of toolFuncs) {
+        const bodyText = body.text
+
+        // Check for external content fetching patterns
+        const externalPatterns = /requests\.get|httpx\.get|urllib\.request\.urlopen|open\s*\(.*\)\.read|urlopen/i
+        if (!externalPatterns.test(bodyText)) continue
+
+        if (hasSanitization(bodyText)) continue
+        if (isSafeDataSource(bodyText)) continue
+
+        let severity: 'info' | 'medium' | 'high' = 'high'
+        let note = 'MCP tool returns unsanitized external content.'
+
+        if (hasUserContext(bodyText)) {
+          severity = 'medium'
+          note += ' (User context present — may be returning user\'s own data.)'
+        }
+        if (isTestFile) {
+          severity = 'info'
+          note += ' (in test file)'
+        }
+
+        matches.push({ node: funcDef, severity, note })
+      }
+      return matches
+    }
+
+    // --- JS/TS branch ---
+    for (const node of getNodes(nodeIndex!, 'return_statement')) {
+      // Must be inside an MCP context
+      let inMCPHandler = false
+      let current: Parser.SyntaxNode | null = node.parent
+      while (current) {
+        if (/server\.tool/i.test(current.text.slice(0, 20))) {
+          inMCPHandler = true
+          break
+        }
+        current = current.parent
+      }
+      if (!inMCPHandler) {
+        // Check broader context
+        if (!/server\.tool/i.test(content)) continue
+      }
+
+      const returnValue = node.namedChildren[0]
+      if (!returnValue) continue
+
+      const returnText = returnValue.text
+
+      // Check for external content patterns in return
+      const externalPatterns = /response\.text\(\)|response\.json\(\)|response\.body|res\.text|res\.json|fs\.readFile|readFileSync|readFile|email\.body|feed\.items|mail\.body/i
+      if (!externalPatterns.test(returnText)) continue
+
+      // Get enclosing function body
+      let fnBody: Parser.SyntaxNode | null = null
+      let cur: Parser.SyntaxNode | null = node.parent
+      while (cur) {
+        if (/function_declaration|arrow_function|function_expression/.test(cur.type)) {
+          fnBody = cur.childForFieldName('body') ?? cur
+          break
+        }
+        cur = cur.parent
+      }
+      const bodyText = fnBody?.text ?? ''
+
+      // Skip if sanitized
+      if (hasSanitization(bodyText)) continue
+      if (isSafeDataSource(bodyText)) continue
+
+      let severity: 'info' | 'medium' | 'high' = 'high'
+      let note = 'MCP tool returns unsanitized external content.'
+
+      if (hasUserContext(bodyText)) {
+        severity = 'medium'
+        note += ' (User context present — may be returning user\'s own data.)'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        note += ' (in test file)'
+      }
+
+      matches.push({ node, severity, note })
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Credentials in Tool Parameters
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-mcp-credential-param',
+  title: 'Credentials in MCP tool parameter',
+  description: 'Tool accepts credentials (API keys, tokens) as parameters. Credentials should not flow through the model.',
+  severity: 'high',
+  category: 'ai_mcp_credential_issue',
+  suggestedFix: 'Use server-side credential storage. Remove credential parameter and use environment variables.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    const credentialFields = /^(apiKey|api_key|token|secret|password|privateKey|private_key|accessToken|access_token|authToken|auth_token|connectionString|connection_string|dbUrl|databaseUrl|database_url)$/
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      const toolFuncs = getPythonMCPToolFunctions(nodeIndex!)
+      for (const { funcDef } of toolFuncs) {
+        const params = funcDef.childForFieldName('parameters')
+        if (!params) continue
+
+        for (const child of params.namedChildren) {
+          let paramName = ''
+          if (child.type === 'identifier') {
+            paramName = child.text
+          } else if (child.type === 'typed_parameter' || child.type === 'default_parameter') {
+            const nameNode = child.namedChildren.find(c => c.type === 'identifier')
+            paramName = nameNode?.text ?? ''
+          }
+
+          if (credentialFields.test(paramName)) {
+            matches.push({
+              node: child,
+              severity: isTestFile ? 'info' : 'high',
+              note: `Tool accepts credential "${paramName}" as parameter. Secrets should not flow through the model.`,
+            })
+          }
+        }
+      }
+      return matches
+    }
+
+    // --- JS/TS branch ---
+    for (const node of getNodes(nodeIndex!, 'object_pattern')) {
+      // Check if this is a parameter of a function inside server.tool()
+      let inToolHandler = false
+      let current: Parser.SyntaxNode | null = node.parent
+      while (current) {
+        if (current.type === 'call_expression') {
+          const target = resolveCallTarget(current)
+          if (target?.name === 'tool' && target?.object === 'server') {
+            inToolHandler = true
+            break
+          }
+        }
+        current = current.parent
+      }
+      if (!inToolHandler) continue
+
+      // Check destructured properties for credential names
+      for (const child of node.namedChildren) {
+        if (child.type === 'shorthand_property_identifier_pattern' || child.type === 'pair_pattern') {
+          const propName = child.type === 'shorthand_property_identifier_pattern'
+            ? child.text
+            : child.childForFieldName('key')?.text ?? ''
+          if (credentialFields.test(propName)) {
+            matches.push({
+              node: child,
+              severity: isTestFile ? 'info' : 'high',
+              note: `Tool accepts credential "${propName}" as parameter. Secrets should not flow through the model.`,
+            })
+          }
+        }
+      }
+    }
+
+    // Also check for credentials in return statements
+    for (const node of getNodes(nodeIndex!, 'return_statement')) {
+      const returnValue = node.namedChildren[0]
+      if (returnValue?.type !== 'object') continue
+
+      for (const child of returnValue.namedChildren) {
+        if (child.type === 'pair') {
+          const key = child.childForFieldName('key')
+          const keyName = key?.text.replace(/['"]/g, '') ?? ''
+          if (credentialFields.test(keyName)) {
+            matches.push({
+              node: child,
+              severity: isTestFile ? 'info' : 'critical',
+              note: `Tool response includes credential "${keyName}". Exposing secrets to the model is dangerous.`,
+            })
+          }
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Confused Deputy (operations without user context)
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-mcp-confused-deputy',
+  title: 'MCP tool operation without user context verification',
+  description: 'Tool performs data operations with only an ID without verifying user ownership.',
+  severity: 'high',
+  category: 'ai_mcp_confused_deputy',
+  suggestedFix: 'Add user context and verify ownership: if (record.ownerId !== context.user.id) throw new Error("Unauthorized")',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      const toolFuncs = getPythonMCPToolFunctions(nodeIndex!)
+      for (const { funcDef, body } of toolFuncs) {
+        const bodyText = body.text
+
+        const hasModification = /\.delete\s*\(|\.remove\s*\(|os\.remove|shutil\.rmtree|\.update\s*\(|\.save\s*\(/i.test(bodyText)
+        if (!hasModification) continue
+
+        if (hasUserContext(bodyText) && hasAuthCheck(bodyText)) continue
+
+        let severity: 'info' | 'medium' | 'high' = 'high'
+        let note = 'MCP tool performs data operations without user context verification.'
+
+        if (hasUserContext(bodyText)) {
+          severity = 'medium'
+          note = 'User context present but no authorization check visible.'
+        }
+        if (isTestFile) {
+          severity = 'info'
+          note += ' (in test file)'
+        }
+
+        matches.push({ node: funcDef, severity, note })
+      }
+      return matches
+    }
+
+    // --- JS/TS branch ---
+    // Find server.tool() calls with data modification operations
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target || target.name !== 'tool' || target.object !== 'server') continue
+
+      const handlerBody = getToolHandlerBody(node)
+      if (!handlerBody) continue
+
+      const bodyText = handlerBody.text
+
+      // Check if handler has data modification operations
+      const hasModification = /\.delete\s*\(|\.remove\s*\(|\.destroy\s*\(|\.update\s*\(|\.set\s*\(|\.save\s*\(/i.test(bodyText)
+      if (!hasModification) continue
+
+      // Check for user context and authorization
+      if (hasUserContext(bodyText) && hasAuthCheck(bodyText)) continue
+
+      let severity: 'info' | 'medium' | 'high' = 'high'
+      let note = 'MCP tool performs data operations without user context verification.'
+
+      if (hasUserContext(bodyText)) {
+        severity = 'medium'
+        note = 'User context present but no authorization check visible.'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        note += ' (in test file)'
+      }
+
+      // Report on the tool name argument for precise location
+      const args = getCallArguments(node)
+      const reportNode = args.length > 0 ? args[0] : node
+
+      matches.push({ node: reportNode, severity, note })
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Dynamic Tool Description (injection risk)
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-mcp-description-injection',
+  title: 'Dynamic MCP tool description from variable',
+  description: 'Tool description from user input or external source. Malicious content could manipulate AI behavior.',
+  severity: 'high',
+  category: 'ai_mcp_description_injection',
+  suggestedFix: 'Use static descriptions only. Never include user input in tool descriptions.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      // Check decorator arguments for description with dynamic content
+      const toolFuncs = getPythonMCPToolFunctions(nodeIndex!)
+      for (const { decoratedDef, funcDef } of toolFuncs) {
+        // Look for description keyword arg in the decorator call
+        for (const child of decoratedDef.namedChildren) {
+          if (child.type !== 'decorator') continue
+          for (const dChild of child.namedChildren) {
+            if (dChild.type !== 'call') continue
+            const argList = dChild.childForFieldName('arguments')
+            if (!argList) continue
+            for (const arg of argList.namedChildren) {
+              if (arg.type === 'keyword_argument') {
+                const nameNode = arg.childForFieldName('name')
+                if (nameNode?.text !== 'description') continue
+                const valueNode = arg.childForFieldName('value')
+                if (!valueNode) continue
+
+                // f-string with interpolation — only flag user-controlled variables
+                if (valueNode.type === 'string' && isPythonFString(valueNode)) {
+                  const { dynamicParts } = getPythonFStringParts(valueNode)
+                  const userControlledParts = dynamicParts.filter(
+                    p => /user|req|input|param|body|query/i.test(p.text) && !/config|settings|env|options/i.test(p.text)
+                  )
+                  if (userControlledParts.length > 0) {
+                    matches.push({
+                      node: valueNode,
+                      severity: isTestFile ? 'info' : 'high',
+                      note: 'Tool description constructed from dynamic f-string interpolation.',
+                    })
+                  }
+                }
+
+                // Static string with injection keywords
+                if (valueNode.type === 'string') {
+                  if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(valueNode.text)) {
+                    matches.push({
+                      node: valueNode,
+                      severity: isTestFile ? 'info' : 'critical',
+                      note: 'Tool description contains prompt injection keywords.',
+                    })
+                  }
+                }
+              }
+              // Positional string argument (first arg is often the description in some SDKs)
+              if (arg.type === 'string' && arg !== argList.namedChildren[0]) {
+                if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(arg.text)) {
+                  matches.push({
+                    node: arg,
+                    severity: isTestFile ? 'info' : 'critical',
+                    note: 'Tool description contains prompt injection keywords.',
+                  })
+                }
+              }
+            }
+          }
+        }
+      }
+      return matches
+    }
+
+    // --- JS/TS branch ---
+    for (const node of getNodes(nodeIndex!, 'pair')) {
+      const key = node.childForFieldName('key')
+      const value = node.childForFieldName('value')
+      if (!key || !value) continue
+
+      const keyText = key.text.replace(/['"]/g, '')
+      if (keyText !== 'description') continue
+
+      // Check if description is a template literal with interpolation
+      if (value.type === 'template_string') {
+        // Only flag user-controlled interpolations, not admin/config values
+        const hasUserInterpolation = /\$\{.*(?:user|req|input|param|body|query).*\}/i.test(value.text)
+        const isAdminControlled = /\$\{.*(?:config|settings|env|options).*\}/i.test(value.text) && !hasUserInterpolation
+        if (hasUserInterpolation && !isAdminControlled) {
+          matches.push({
+            node: value,
+            severity: isTestFile ? 'info' : 'high',
+            note: 'Tool description constructed from user input or external variables.',
+          })
+        }
+      }
+
+      // Check for concatenation with user input
+      if (value.type === 'binary_expression' && /user|req|input|param|body|query/.test(value.text)) {
+        // Skip admin-controlled values
+        if (!/(?:config|settings|env)\./i.test(value.text)) {
+          matches.push({
+            node: value,
+            severity: isTestFile ? 'info' : 'high',
+            note: 'Tool description concatenated with user-controlled values.',
+          })
+        }
+      }
+
+      // Check for injection keywords in static descriptions
+      if (value.type === 'string' || value.type === 'template_string') {
+        const text = value.text
+        if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(text)) {
+          matches.push({
+            node: value,
+            severity: isTestFile ? 'info' : 'critical',
+            note: 'Tool description contains prompt injection keywords.',
+          })
+        }
+      }
+    }
+
+    // Also check server.tool() positional args: server.tool(name, description, schema, handler)
+    // The 2nd positional argument is the description string
+    const INJECTION_RE = /ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target || target.name !== 'tool' || target.object !== 'server') continue
+
+      const args = getCallArguments(node)
+      // server.tool(name, description, schema?, handler) — description is the 2nd arg
+      if (args.length < 2) continue
+      const descArg = args[1]
+      if (!descArg) continue
+
+      if (descArg.type === 'string' || descArg.type === 'template_string') {
+        if (INJECTION_RE.test(descArg.text)) {
+          matches.push({
+            node: descArg,
+            severity: isTestFile ? 'info' : 'critical',
+            note: 'Tool description contains prompt injection keywords.',
+          })
+        }
+      }
+      // Template literal with user interpolation
+      if (descArg.type === 'template_string') {
+        const hasUserInterpolation = /\$\{.*(?:user|req|input|param|body|query).*\}/i.test(descArg.text)
+        const isAdminControlled = /\$\{.*(?:config|settings|env|options).*\}/i.test(descArg.text) && !hasUserInterpolation
+        if (hasUserInterpolation && !isAdminControlled) {
+          matches.push({
+            node: descArg,
+            severity: isTestFile ? 'info' : 'high',
+            note: 'Tool description constructed from user input or external variables.',
+          })
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Missing Human-in-the-Loop for Destructive Operations
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-mcp-missing-hitl',
+  title: 'MCP destructive operation without confirmation',
+  description: 'MCP tool performs destructive operations without human confirmation mechanism.',
+  severity: 'high',
+  category: 'ai_excessive_agency',
+  suggestedFix: 'Add confirmation: if (!args.confirmed) return { needsConfirmation: true, action: "delete" }',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      const toolFuncs = getPythonMCPToolFunctions(nodeIndex!)
+      for (const { funcDef, body } of toolFuncs) {
+        const bodyText = body.text
+
+        const destructiveOps = /os\.remove|shutil\.rmtree|subprocess\.run|subprocess\.call|os\.system|DELETE\s+FROM|DROP\s+TABLE|\.delete\s*\(|\.drop\s*\(/i
+        if (!destructiveOps.test(bodyText)) continue
+
+        if (/confirm|approved|require_approval|human_in_loop|owner_id|user_id|not\s+auth|unauthorized|forbidden|check_permission|has_permission|is_authorized/i.test(bodyText)) continue
+
+        const fnName = funcDef.childForFieldName('name')?.text ?? ''
+        const isDestructiveName = /delete|remove|drop|exec|shell|command|send/i.test(fnName)
+
+        if (!isDestructiveName) continue
+
+        let severity: 'info' | 'high' | 'critical' = 'high'
+        if (/shutil\.rmtree/i.test(bodyText)) severity = 'critical'
+        if (isTestFile) severity = 'info'
+
+        matches.push({
+          node: funcDef,
+          severity,
+          note: `Destructive MCP tool "${fnName}" without confirmation mechanism.`,
+        })
+      }
+      return matches
+    }
+
+    // --- JS/TS branch ---
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target || target.name !== 'tool' || target.object !== 'server') continue
+
+      const handlerBody = getToolHandlerBody(node)
+      if (!handlerBody) continue
+
+      const bodyText = handlerBody.text
+
+      // Check for destructive operations
+      const destructiveOps = /fs\.rm|fs\.unlink|unlinkSync|rmSync|rimraf|\.delete\s*\(|\.drop\s*\(|\.truncate\s*\(|\.destroy\s*\(|DELETE\s+FROM|DROP\s+TABLE|exec\s*\(|spawn\s*\(|execSync|spawnSync/i
+      if (!destructiveOps.test(bodyText)) continue
+
+      // Check for confirmation mechanism or ownership/authorization check
+      if (/confirm|approved|needsConfirmation|requireApproval|humanInLoop|ownerId|owner_id|userId.*!==|Not\s+auth|Unauthorized|Forbidden|checkPermission|hasPermission|isAuthorized/i.test(bodyText)) continue
+
+      // Check tool name for destructive indicators
+      const args = getCallArguments(node)
+      const toolNameArg = args[0]
+      const toolName = toolNameArg?.text?.replace(/['"]/g, '') ?? ''
+      const isDestructiveName = /delete|remove|rm|drop|truncate|exec|shell|command|send|publish|pay|charge|transfer|unlink|wipe|purge|clean/i.test(toolName)
+
+      if (!isDestructiveName && !/recursive\s*:\s*true/i.test(bodyText)) continue
+
+      let severity: 'info' | 'high' | 'critical' = 'high'
+      if (/recursive\s*:\s*true|rmSync.*recursive/i.test(bodyText)) severity = 'critical'
+      if (/pay|charge|transfer|transaction/i.test(toolName)) severity = 'critical'
+
+      if (isTestFile) severity = 'info'
+
+      matches.push({
+        node: toolNameArg ?? node,
+        severity,
+        note: `Destructive MCP tool "${toolName}" without confirmation mechanism.`,
+      })
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Unsafe Filesystem Access with User-Controlled Path
+// ============================================================================
+
+/** Filesystem methods that are dangerous with user-controlled paths */
+const DANGEROUS_FS_METHODS = /^(readFileSync|readFile|writeFileSync|writeFile|unlinkSync|unlink|rmSync|rm|rmdirSync|rmdir|appendFileSync|appendFile|copyFileSync|copyFile|renameSync|rename|mkdirSync|mkdir|createReadStream|createWriteStream)$/
+
+/** Check if a node or its descendants reference args.* (MCP tool argument access) */
+function referencesToolArgs(node: Parser.SyntaxNode): boolean {
+  if (node.type === 'member_expression') {
+    const obj = node.childForFieldName('object')
+    if (obj?.type === 'identifier' && obj.text === 'args') return true
+  }
+  for (const child of node.namedChildren) {
+    if (referencesToolArgs(child)) return true
+  }
+  return false
+}
+
+/** Check if handler body contains path validation */
+function hasPathValidation(bodyText: string): boolean {
+  return /allowedPaths|allowedDirs|allowList|whitelist|safePaths|startsWith\s*\(|path\.resolve.*startsWith|path\.join.*startsWith|path\.normalize|isAbsolute|validatePath|sanitizePath|checkPath|pathFilter|ALLOWED_PATHS|BASE_DIR|basePath|rootDir|chroot/i.test(bodyText)
+}
+
+registerASTRule({
+  id: 'ast-mcp-unsafe-fs-access',
+  title: 'MCP tool performs filesystem operation with user-controlled path',
+  description: 'MCP tool handler passes tool arguments directly to filesystem operations without path validation. This allows path traversal to read, write, or delete arbitrary files.',
+  severity: 'high',
+  category: 'ai_excessive_agency',
+  suggestedFix: 'Validate paths against an allowlist: const safePath = path.resolve(BASE_DIR, args.path); if (!safePath.startsWith(BASE_DIR)) throw new Error("Invalid path")',
+  languages: ['javascript', 'typescript', 'tsx'],
+  confidence: 'medium',
+  baseConfidence: 0.55,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isMCPFile(root, ast.filePath, content)) return []
+
+    // Cheap pre-check: file must mention both fs and args
+    if (!/\bfs\./i.test(content) || !/\bargs\./i.test(content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target) continue
+
+      // Check if this is an fs.* method call
+      if (target.object !== 'fs' || !DANGEROUS_FS_METHODS.test(target.name)) continue
+
+      // Check if any argument references args.* (user-controlled MCP tool input)
+      const callArgs = getCallArguments(node)
+      const hasArgsRef = callArgs.some(arg => referencesToolArgs(arg))
+      if (!hasArgsRef) continue
+
+      // Walk up to verify we're inside an MCP server.tool() handler
+      let inToolHandler = false
+      let handlerBody: Parser.SyntaxNode | null = null
+      let current: Parser.SyntaxNode | null = node.parent
+      while (current) {
+        // Check if we're inside a function that is an argument to server.tool()
+        if (current.type === 'arrow_function' || current.type === 'function_expression') {
+          const parent = current.parent
+          // Direct argument to server.tool(name, schema, handler)
+          if (parent?.type === 'arguments') {
+            const callExpr = parent.parent
+            if (callExpr?.type === 'call_expression') {
+              const callTarget = resolveCallTarget(callExpr)
+              if (callTarget?.name === 'tool' && callTarget?.object === 'server') {
+                inToolHandler = true
+                handlerBody = current.childForFieldName('body') ?? current
+                break
+              }
+            }
+          }
+        }
+        current = current.parent
+      }
+      if (!inToolHandler || !handlerBody) continue
+
+      // Check for path validation or confirmation/approval mechanism in the handler body
+      const bodyText = handlerBody.text
+      if (hasPathValidation(bodyText)) continue
+      if (/confirm|approved|needsConfirmation|requireApproval|humanInLoop|require_approval|human_in_loop/i.test(bodyText)) continue
+
+      // Classify severity: destructive ops are high, read-only ops are medium
+      const isDestructive = /^(unlinkSync|unlink|rmSync|rm|rmdirSync|rmdir|writeFileSync|writeFile|appendFileSync|appendFile|renameSync|rename)$/.test(target.name)
+      let severity: 'info' | 'medium' | 'high' = isDestructive ? 'high' : 'high'
+      let note = `MCP tool passes user-controlled args to fs.${target.name}() without path validation.`
+
+      if (isDestructive) {
+        note += ' Destructive operation — attacker-controlled path could delete or overwrite arbitrary files.'
+      } else {
+        note += ' Attacker-controlled path could read arbitrary files (path traversal).'
+      }
+
+      if (isTestFile) {
+        severity = 'info'
+        note += ' (in test file)'
+      }
+
+      matches.push({ node, severity, note })
+    }
+
+    return matches
+  },
+})