@oculum/scanner 1.0.13 → 1.0.15

package/src/detect/ast-rules/agent-tools-ast.ts

@@ -0,0 +1,861 @@
+/**
+ * AST-Based AI Agent Tool Permission Detection
+ *
+ * Migrates ai-code/agent-tools.ts from regex to AST.
+ * Detects overpermissive agent tools and excessive agency patterns.
+ *
+ * AST advantages:
+ * - Structurally detects tool definitions (defineTool, createTool, server.tool)
+ * - Resolves tool handler bodies to check for restrictions
+ * - Checks for user/tenant context from parameter patterns
+ * - Detects unbounded loops and recursive agent patterns from AST control flow
+ */
+
+import type { ParsedAST } from '../../parse/ast'
+import { walkAST } from '../../parse/ast'
+import { registerASTRule, type ASTRuleMatch, type NodeIndex, getNodes } from './index'
+import type Parser from 'tree-sitter'
+import { resolveCallTarget, getCallArguments, getObjectLiteralProperty } from './helpers/call-analysis'
+import { isLLMOutputExpression } from './helpers/user-input'
+import { getImportedModules } from './helpers/import-analysis'
+import { isScannerOrFixtureFile, isTestOrMockFile, isExampleFile } from '../../parse/file-classifier'
+import { hasPythonDecorator, resolvePythonCallTarget, getPythonKeywordArgument, isPythonLLMOutputExpression } from './helpers/python-helpers'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+/** Check if file contains agent/tool definitions */
+function isAgentOrToolFile(root: Parser.SyntaxNode, filePath: string, content: string): boolean {
+  if (/\/(agents?|tools?|functions?|actions?|mcp|langchain|llamaindex|autogen)\//i.test(filePath)) return true
+  if (/(agent|tool|function|action).*\.(ts|js|py)$/i.test(filePath)) return true
+  return /@tool|defineTool|createTool|\.registerTool|\.addTool|tools\s*:\s*\[|FunctionTool|StructuredTool|tool_choice|function_call|McpServer|FastMCP|server\.tool|mcp\.tool|function_tool|register_function|register_for_execution|CrewAI|crewai|autogen/i.test(content)
+}
+
+/** Check for strong access restrictions */
+function hasStrongRestrictions(bodyText: string): boolean {
+  const strong = /\bvm2\b|\bisolated-vm\b|\bquickjs\b|\bRestrictedPython\b|\bsandboxed\b|allowed(?:Paths|Files|Dirs|Hosts|Urls|Commands)\s*[=:]\s*\[|(?:white|allow)list\s*[=:]\s*\[|validatePath\s*\(|isAllowedPath\s*\(|sandbox\s*[=:]\s*(?:true|\{)|readonly\s*[=:]\s*true|readOnly\s*[=:]\s*true|if\s*\(\s*!?\s*(?:\w+\.)*(?:allowed|permitted|authorized|approved|confirmed)|if\s+not\s+\w+\.startswith\s*\(|allowed_dir\b|startswith\s*\(\s*allowed|os\.path\.realpath.*allowed|@e2b|Sandbox\.create|throw\s+(?:new\s+)?(?:Error|Exception)\s*\(\s*['"].*(?:Not\s+auth|Unauthorized|Forbidden|denied|permission)|raise\s+(?:Exception|ValueError|PermissionError|RuntimeError)\s*\(\s*['"].*(?:denied|not\s+allowed|unauthorized|forbidden|permission)/i
+  const weak = /\/\/.*(?:sandbox|restrict|allowlist)|TODO.*(?:add|implement).*(?:sandbox|restrict)/i
+  return strong.test(bodyText) && !weak.test(bodyText)
+}
+
+/** Check for any access restrictions */
+function hasAccessRestrictions(bodyText: string): boolean {
+  return /allowedPaths|allowed_paths|allowedFiles|allowedDirs|allowedHosts|allowedUrls|allowedCommands|allowedOperations|whitelist|allowlist|permissions?:|capabilities:|restrictions?:|sandbox|readonly|(?:args|params)\.(?:approved|confirmed)|ownerId|owner_id|startsWith\s*\(.*allowed|in\s+allowed/i.test(bodyText)
+}
+
+/** Check for user context */
+function hasUserContext(bodyText: string): boolean {
+  return /user[_.]?id|userId|currentUser|req\.user|request\.user|session\.user|getUser\s*\(|getCurrentUser\s*\(|ctx\.user|context\.user/i.test(bodyText)
+}
+
+/** Check for tenant context */
+function hasTenantContext(bodyText: string): boolean {
+  return /tenant[_.]?id|tenantId|org[_.]?id|orgId|organization[_.]?id|workspace[_.]?id|workspaceId|team[_.]?id|account[_.]?id/i.test(bodyText)
+}
+
+/** Check for iteration limits */
+function hasIterationLimits(bodyText: string): boolean {
+  return /maxIterations\s*[:=]\s*\d{1,2}\b|max_iter(?:ations)?\s*[:=]\s*\d{1,2}\b|max_steps\s*[:=]\s*\d{1,2}\b/i.test(bodyText)
+}
+
+/** Check for timeout */
+function hasTimeout(bodyText: string): boolean {
+  return /timeout\s*[:=]\s*[1-9]\d*|max_execution_time\s*[:=]\s*[1-9]|setTimeout\s*\(|AbortSignal\.timeout|asyncio\.wait_for|asyncio\.timeout|deadline\s*[:=]\s*[1-9]|time_limit\s*[:=]\s*[1-9]/i.test(bodyText)
+}
+
+/** Check for loop bound checks (comparison + termination pattern) */
+function hasLoopBoundCheck(bodyText: string): boolean {
+  return /(?:elapsed|poll_count|retry_count|retries|attempts?|iteration|count)\s*(?:>|>=|==)\s*(?:timeout|max|limit|poll|retry)/i.test(bodyText) &&
+    /(?:raise|break|return)\b/.test(bodyText)
+}
+
+/** Check for early-exit patterns (conditional break/return + await/sleep = bounded polling) */
+function hasEarlyExitPattern(bodyText: string): boolean {
+  const hasConditionalExit = /if\s*\(.*\)\s*[{:]?\s*(?:break|return)\b|if\s+.*:\s*(?:break|return)\b/i.test(bodyText)
+  const hasWaitPattern = /\bawait\b|\bsleep\b|\btime\.sleep\b|\basyncio\.sleep\b/i.test(bodyText)
+  return hasConditionalExit && hasWaitPattern
+}
+
+/** Check for human-in-the-loop */
+function hasHumanInLoop(bodyText: string): boolean {
+  return /humanInLoop\s*[:=]\s*true|human_in_loop\s*[:=]\s*True|requireApproval\s*[:=]\s*true|human_input_mode\s*[:=]\s*['"`](?:ALWAYS|TERMINATE)/i.test(bodyText)
+}
+
+/** Check for Docker */
+function hasDocker(bodyText: string): boolean {
+  return /use_docker\s*[:=]\s*True|docker\s*[:=]\s*true|container\s*[:=]\s*true/i.test(bodyText)
+}
+
+/** Check for MCP file with safe patterns */
+function isMCPWithSafePatterns(bodyText: string): boolean {
+  const hasSanitization = /sanitize|DOMPurify|purify|escapeHtml|validateSchema|schema\.parse/i.test(bodyText)
+  const hasAuth = /if\s*\([^)]*ownerId\s*[!=]==?|throw.*Error.*(?:auth|Forbidden|Unauthorized)|checkPermission|hasPermission|isAuthorized/i.test(bodyText)
+  return hasSanitization && hasAuth
+}
+
+/** Get enclosing body text */
+function getBodyText(node: Parser.SyntaxNode, content: string, windowSize: number = 30): string {
+  let current: Parser.SyntaxNode | null = node.parent
+  while (current) {
+    if (/function_declaration|arrow_function|function_expression|method_definition|function_definition/.test(current.type)) {
+      return (current.childForFieldName('body') ?? current).text
+    }
+    current = current.parent
+  }
+  // Fallback: use surrounding text
+  const lines = content.split('\n')
+  const start = Math.max(0, node.startPosition.row - windowSize)
+  const end = Math.min(lines.length, node.startPosition.row + windowSize)
+  return lines.slice(start, end).join('\n')
+}
+
+// ============================================================================
+// AST Rule: Overpermissive Tool Detection
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-overpermissive-tool',
+  title: 'Overpermissive agent tool',
+  description: 'Tool provides dangerous capabilities (filesystem, shell, code execution) without proper restrictions.',
+  severity: 'high',
+  category: 'ai_overpermissive_tool',
+  suggestedFix: 'Add access restrictions: allowedPaths, allowedHosts, sandbox. Implement user context verification.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isAgentOrToolFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const isExample = isExampleFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+    const flagged = new Set<number>()
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      // Python dangerous capability patterns
+      const PY_SHELL = /os\.system|subprocess|os\.popen/
+      const PY_CODE_EXEC = /\beval\s*\(|\bexec\s*\(|\bcompile\s*\(/
+      const PY_FILE = /\bopen\s*\(|os\.remove|shutil\.|os\.rename/
+      const PY_NETWORK = /requests\.|httpx\.|urllib/
+      const PY_DB = /cursor\.execute|\.query\s*\(/
+
+      // @tool decorated functions (LangChain, MCP)
+      for (const node of getNodes(nodeIndex!, 'decorated_definition')) {
+        const funcDef = node.namedChildren.find(c => c.type === 'function_definition')
+        if (!funcDef) continue
+        if (!hasPythonDecorator(funcDef, /^(tool|server\.tool|mcp\.tool)$/)) continue
+
+        if (flagged.has(node.startPosition.row)) continue
+
+        const body = funcDef.childForFieldName('body')
+        if (!body) continue
+        const bodyText = body.text
+
+        const hasShell = PY_SHELL.test(bodyText)
+        const hasCodeExec = PY_CODE_EXEC.test(bodyText)
+        const hasFS = PY_FILE.test(bodyText)
+        const hasNetwork = PY_NETWORK.test(bodyText)
+        const hasDB = PY_DB.test(bodyText)
+
+        if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB) continue
+
+        const strong = hasStrongRestrictions(bodyText)
+        const userCtx = hasUserContext(bodyText)
+        const weak = hasAccessRestrictions(bodyText)
+
+        if (strong) continue // Strong restrictions alone are sufficient (confirmation gate, auth throw, etc.)
+
+        let baseSeverity: 'critical' | 'high' | 'medium' = (hasShell || hasCodeExec) ? 'critical' : 'high'
+        let severity: string = baseSeverity
+        let note = ''
+
+        if (hasShell) note = 'Tool with shell command execution.'
+        else if (hasCodeExec) note = 'Tool with code execution capability.'
+        else if (hasFS) note = 'Tool with filesystem access.'
+        else if (hasNetwork) note = 'Tool with network access.'
+        else if (hasDB) note = 'Tool with database access.'
+
+        if (isTestFile || isExample) severity = 'info'
+        else if ((weak && userCtx)) {
+          severity = baseSeverity === 'critical' ? 'high' : 'medium'
+          note += ' (Partial restrictions detected.)'
+        }
+
+        flagged.add(node.startPosition.row)
+        matches.push({ node: funcDef, severity: severity as any, note })
+      }
+
+      // Tool(..., func=handler), function_tool(...), register_function(...)
+      for (const node of getNodes(nodeIndex!, 'call')) {
+        const target = resolvePythonCallTarget(node)
+        if (!target) continue
+
+        const isToolDef = /^(Tool|function_tool|register_function|register_for_execution)$/.test(target.name)
+        if (!isToolDef) continue
+        if (flagged.has(node.startPosition.row)) continue
+
+        // For Tool() calls, verify it has an executable handler (func=/execute=/callback=/handler= kwarg
+        // or a positional callable). Pure metadata/ORM registrations without handlers are not tools.
+        if (target.name === 'Tool') {
+          const funcKwCheck = getPythonKeywordArgument(node, 'func')
+            ?? getPythonKeywordArgument(node, 'execute')
+            ?? getPythonKeywordArgument(node, 'callback')
+            ?? getPythonKeywordArgument(node, 'handler')
+          if (!funcKwCheck) {
+            // Check for positional callable (lambda or identifier after name/description strings)
+            const argList = node.childForFieldName('arguments')
+            const positionalCallable = argList?.namedChildren.some(
+              c => c.type !== 'keyword_argument' && (c.type === 'lambda' || c.type === 'identifier')
+            )
+            if (!positionalCallable) continue // Pure metadata registration — skip
+          }
+        }
+
+        // Try to get the handler body text from keyword arg 'func' or first positional
+        const funcKw = getPythonKeywordArgument(node, 'func')
+        const bodyText = funcKw ? getBodyText(funcKw, content, 50) : getBodyText(node, content, 50)
+
+        const hasShell = PY_SHELL.test(bodyText)
+        const hasCodeExec = PY_CODE_EXEC.test(bodyText)
+        const hasFS = PY_FILE.test(bodyText)
+        const hasNetwork = PY_NETWORK.test(bodyText)
+        const hasDB = PY_DB.test(bodyText)
+
+        if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB) continue
+
+        const strong = hasStrongRestrictions(bodyText)
+        const userCtx = hasUserContext(bodyText)
+        const weak = hasAccessRestrictions(bodyText)
+
+        if (strong && userCtx) continue
+
+        let baseSeverity: 'critical' | 'high' | 'medium' = (hasShell || hasCodeExec) ? 'critical' : 'high'
+        let severity: string = baseSeverity
+        let note = ''
+
+        if (hasShell) note = 'Tool with shell command execution.'
+        else if (hasCodeExec) note = 'Tool with code execution capability.'
+        else if (hasFS) note = 'Tool with filesystem access.'
+        else if (hasNetwork) note = 'Tool with network access.'
+        else if (hasDB) note = 'Tool with database access.'
+
+        if (isTestFile || isExample) severity = 'info'
+        else if (strong || (weak && userCtx)) {
+          severity = baseSeverity === 'critical' ? 'high' : 'medium'
+          note += ' (Partial restrictions detected.)'
+        }
+
+        flagged.add(node.startPosition.row)
+        matches.push({ node, severity: severity as any, note })
+      }
+
+      return matches
+    }
+
+    // --- JS/TS branch (original) ---
+    for (const node of getNodes(nodeIndex!, 'call_expression', 'new_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target) continue
+
+      // Detect tool definition calls
+      const isToolDef = /^(defineTool|createTool|registerTool|addTool|tool)$/.test(target.name) ||
+        (target.name === 'tool' && target.object === 'server')
+
+      if (!isToolDef) continue
+
+      if (flagged.has(node.startPosition.row)) continue
+
+      // Get the handler body
+      const args = getCallArguments(node)
+      let handlerBody: Parser.SyntaxNode | null = null
+      for (const arg of args) {
+        if (arg.type === 'arrow_function' || arg.type === 'function_expression') {
+          handlerBody = arg.childForFieldName('body') ?? arg
+          break
+        }
+        // Also check for object with execute property
+        if (arg.type === 'object') {
+          const execProp = getObjectLiteralProperty(arg, 'execute')
+          if (execProp && (execProp.type === 'arrow_function' || execProp.type === 'function_expression')) {
+            handlerBody = execProp.childForFieldName('body') ?? execProp
+            break
+          }
+        }
+      }
+
+      if (!handlerBody) continue
+
+      const bodyText = handlerBody.text
+
+      // Detect dangerous capabilities
+      const hasFS = /fs\.|readFile|writeFile|unlink|rmSync|mkdir|readdir/i.test(bodyText)
+      const hasShell = /exec\s*\(|spawn\s*\(|execSync|spawnSync|child_process/i.test(bodyText)
+      const hasCodeExec = /eval\s*\(|new\s+Function|vm\.run/i.test(bodyText)
+      const hasNetwork = /fetch\s*\(|axios\.|http\.|got\(/i.test(bodyText)
+      const hasDB = /\.query\s*\(|\.execute\s*\(|\.raw\s*\(|db\./i.test(bodyText)
+
+      if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB) continue
+
+      // Check mitigations
+      const strong = hasStrongRestrictions(bodyText)
+      const weak = hasAccessRestrictions(bodyText)
+      const userCtx = hasUserContext(bodyText)
+      const tenantCtx = hasTenantContext(bodyText)
+      const mcpSafe = isMCPWithSafePatterns(content)
+
+      if (strong) continue // Strong restrictions alone are sufficient (confirmation gate, auth throw, etc.)
+
+      // Determine severity
+      let baseSeverity: 'critical' | 'high' | 'medium' = (hasShell || hasCodeExec) ? 'critical' : 'high'
+      let severity: string = baseSeverity
+      let note = ''
+
+      if (hasShell) note = 'Tool with shell command execution.'
+      else if (hasCodeExec) note = 'Tool with code execution capability.'
+      else if (hasFS) note = 'Tool with filesystem access.'
+      else if (hasNetwork) note = 'Tool with network access.'
+      else if (hasDB) note = 'Tool with database access.'
+
+      if (isTestFile || isExample) {
+        severity = 'info'
+      } else if (mcpSafe) {
+        severity = 'info'
+        note += ' (MCP file with sanitization and auth controls.)'
+      } else if (weak && userCtx) {
+        severity = baseSeverity === 'critical' ? 'high' : 'medium'
+        note += ' (Partial restrictions detected.)'
+      }
+
+      const missingParts: string[] = []
+      if (!weak) missingParts.push('access restrictions')
+      if (!userCtx) missingParts.push('user context')
+      if (missingParts.length > 0) note += ` Missing: ${missingParts.join(', ')}.`
+
+      flagged.add(node.startPosition.row)
+      matches.push({ node: args[0] ?? node, severity: severity as any, note })
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Excessive Agency (unbounded loops, no limits)
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-excessive-agency',
+  title: 'Agent with excessive agency',
+  description: 'Agent configured with unbounded execution, disabled limits, or auto-approve without human oversight.',
+  severity: 'high',
+  category: 'ai_excessive_agency',
+  suggestedFix: 'Add iteration limits, timeouts, and human-in-the-loop for sensitive operations.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isAgentOrToolFile(root, ast.filePath, content)) return []
+
+    // Skip library/framework infrastructure code — users don't control these loops
+    if (/libs[\/\\](core|partners|community)|node_modules[\/\\]|site-packages[\/\\]|packages[\/\\](core|server)|base[\/\\]|abstract[\/\\]|_?internal[\/\\]/i.test(ast.filePath)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const isExample = isExampleFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      // while True: agent loops
+      for (const node of getNodes(nodeIndex!, 'while_statement')) {
+        const condition = node.childForFieldName('condition')
+        if (condition && /^True$/.test(condition.text)) {
+          const bodyText = node.text
+          if (/agent|step|run|execute|iterate/i.test(bodyText)) {
+            const context = getBodyText(node, content)
+
+            // Skip bounded loops — explicit exit conditions mean the loop is not truly unbounded
+            if (hasEarlyExitPattern(bodyText) || hasLoopBoundCheck(bodyText)) continue
+            if (hasIterationLimits(context) || hasTimeout(context)) continue
+
+            let severity: string = 'high'
+            let note = 'Agent runs in unbounded while True loop.'
+
+            if (hasHumanInLoop(context)) {
+              severity = 'low'
+              note += ' (Human-in-loop enabled.)'
+            }
+            if (isTestFile || isExample) severity = 'info'
+
+            matches.push({ node: condition, severity: severity as any, note })
+          }
+        }
+      }
+
+      // Python keyword arguments for excessive agency patterns
+      for (const node of getNodes(nodeIndex!, 'keyword_argument')) {
+        const nameNode = node.childForFieldName('name')
+        const valueNode = node.childForFieldName('value')
+        if (!nameNode || !valueNode) continue
+
+        const keyText = nameNode.text
+        const valueText = valueNode.text
+
+        // max_iterations with unbounded value
+        if (/^max_iter(?:ations)?$/i.test(keyText) && /^(-1|None|float\(['"]inf['"]\))$/.test(valueText)) {
+          matches.push({
+            node,
+            severity: isTestFile || isExample ? 'info' : 'high',
+            note: 'Agent configured with no iteration limit.',
+          })
+        }
+
+        // human_input_mode: "NEVER" (AutoGen)
+        if (/^human_input_mode$/i.test(keyText) && /NEVER/i.test(valueText)) {
+          matches.push({
+            node,
+            severity: isTestFile || isExample ? 'info' : 'high',
+            note: 'AutoGen agent configured to never request human input.',
+          })
+        }
+
+        // use_docker=False with code execution context
+        if (/^use_docker$/i.test(keyText) && /^False$/.test(valueText)) {
+          const context = getBodyText(node, content)
+          if (/code_execution|allow_code_execution|LocalCommandLineCodeExecutor/i.test(context)) {
+            matches.push({
+              node,
+              severity: isTestFile || isExample ? 'info' : 'critical',
+              note: 'Code execution without Docker containerization.',
+            })
+          }
+        }
+
+        // code_execution_mode="unsafe"
+        if (/^code_execution_mode$/i.test(keyText) && /unsafe/i.test(valueText)) {
+          matches.push({
+            node,
+            severity: isTestFile || isExample ? 'info' : 'critical',
+            note: 'CrewAI agent with unsafe code execution mode.',
+          })
+        }
+
+        // auto_approve=True
+        if (/^auto_approve$/i.test(keyText) && /^True$/.test(valueText)) {
+          matches.push({
+            node,
+            severity: isTestFile || isExample ? 'info' : 'high',
+            note: 'Agent auto-approves actions without human review.',
+          })
+        }
+      }
+
+      return matches
+    }
+
+    // --- JS/TS branch (original) ---
+    // while(true) agent loops
+    for (const node of getNodes(nodeIndex!, 'while_statement')) {
+      const condition = node.childForFieldName('condition')
+      if (condition && /^(true|1)$/.test(condition.text.replace(/[()]/g, ''))) {
+        const bodyText = node.text
+        if (/agent|step|run|execute|iterate/i.test(bodyText)) {
+          const context = getBodyText(node, content)
+
+          // Skip bounded loops — explicit exit conditions mean the loop is not truly unbounded
+          if (hasEarlyExitPattern(bodyText) || hasLoopBoundCheck(bodyText)) continue
+          if (hasIterationLimits(context) || hasTimeout(context)) continue
+
+          let severity: string = 'high'
+          let note = 'Agent runs in unbounded while(true) loop.'
+
+          if (hasHumanInLoop(context)) {
+            severity = 'low'
+            note += ' (Human-in-loop enabled.)'
+          }
+          if (isTestFile || isExample) severity = 'info'
+
+          matches.push({ node: condition, severity: severity as any, note })
+        }
+      }
+    }
+
+    // Config properties indicating excessive agency
+    for (const node of getNodes(nodeIndex!, 'pair')) {
+      const key = node.childForFieldName('key')
+      const value = node.childForFieldName('value')
+      if (!key || !value) continue
+
+      const keyText = key.text.replace(/['"]/g, '')
+      const valueText = value.text.replace(/['"]/g, '')
+
+      // maxIterations: -1/null/Infinity
+      if (/^(maxIterations|max_iter(?:ations)?)$/i.test(keyText) && /^(-1|null|undefined|None|Infinity)$/.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'high',
+          note: 'Agent configured with no iteration limit.',
+        })
+      }
+
+      // timeout: 0/false/null
+      if (/^timeout$/i.test(keyText) && /^(-1|0|null|undefined|None|false|False)$/.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'medium',
+          note: 'Agent timeout disabled.',
+        })
+      }
+
+      // autoApprove: true
+      if (/^(autoApprove|auto_approve)$/i.test(keyText) && /^true$/i.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'high',
+          note: 'Agent auto-approves actions without human review.',
+        })
+      }
+
+      // humanInLoop: false
+      if (/^(humanInLoop|human_in_loop)$/i.test(keyText) && /^(false|False)$/.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'medium',
+          note: 'Human oversight explicitly disabled.',
+        })
+      }
+
+      // human_input_mode: NEVER (AutoGen)
+      if (/^human_input_mode$/i.test(keyText) && /NEVER/i.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'high',
+          note: 'AutoGen agent configured to never request human input.',
+        })
+      }
+
+      // code_execution_mode: unsafe (CrewAI)
+      if (/^code_execution_mode$/i.test(keyText) && /unsafe/i.test(valueText)) {
+        matches.push({
+          node,
+          severity: isTestFile || isExample ? 'info' : 'critical',
+          note: 'CrewAI agent with unsafe code execution mode.',
+        })
+      }
+
+      // use_docker: False (AutoGen/CrewAI)
+      if (/^use_docker$/i.test(keyText) && /^(false|False)$/.test(valueText)) {
+        const context = getBodyText(node, content)
+        if (/code_execution|allow_code_execution|LocalCommandLineCodeExecutor/i.test(context)) {
+          matches.push({
+            node,
+            severity: isTestFile || isExample ? 'info' : 'critical',
+            note: 'Code execution without Docker containerization.',
+          })
+        }
+      }
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: LLM Output in Tool Names/Paths
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-llm-output-flow',
+  title: 'LLM output used as tool name or resource path',
+  description: 'LLM output used directly to select tools or access resources. Prompt injection could invoke arbitrary tools.',
+  severity: 'critical',
+  category: 'ai_excessive_agency',
+  suggestedFix: 'Validate tool names/paths against a static allowlist before use.',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'high',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isAgentOrToolFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const isExample = isExampleFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      // call_tool(response.tool_name, ...) patterns
+      for (const node of getNodes(nodeIndex!, 'call')) {
+        const target = resolvePythonCallTarget(node)
+        if (!target) continue
+
+        if (/^(call_tool|invoke_tool|execute_tool|run_tool)$/.test(target.name)) {
+          const argList = node.childForFieldName('arguments')
+          const firstArg = argList?.namedChildren.find(
+            c => c.type !== 'keyword_argument' && c.type !== 'list_splat' && c.type !== 'dictionary_splat'
+          )
+          if (firstArg && isPythonLLMOutputExpression(firstArg)) {
+            const context = getBodyText(node, content)
+            const hasAllowlist = /(?:allowlist|ALLOWED_|valid_tools|allowed_tools|in\s+\w+_tools)/i.test(context)
+
+            let severity: string = 'critical'
+            if (hasAllowlist) severity = 'medium'
+            if (isTestFile || isExample) severity = 'info'
+
+            matches.push({
+              node,
+              severity: severity as any,
+              note: 'LLM output used as tool name for invocation.',
+            })
+          }
+        }
+      }
+
+      // tools[response.tool] subscript access
+      for (const node of getNodes(nodeIndex!, 'subscript')) {
+        const obj = node.childForFieldName('value')
+        const subscripts = node.childForFieldName('subscript')
+
+        if (!obj || !subscripts) continue
+        if (!/^(tools|handlers|actions|functions|methods)$/.test(obj.text)) continue
+        if (!isPythonLLMOutputExpression(subscripts)) continue
+
+        const context = getBodyText(node, content)
+        const hasAllowlist = /(?:allowlist|ALLOWED_|valid_tools|in\s+\w+_tools)/i.test(context)
+
+        let severity: string = 'high'
+        if (hasAllowlist) severity = 'medium'
+        if (isTestFile || isExample) severity = 'info'
+
+        matches.push({
+          node,
+          severity: severity as any,
+          note: 'Dynamic tool access using LLM output.',
+        })
+      }
+
+      return matches
+    }
+
+    // --- JS/TS branch (original) ---
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target) continue
+
+      // callTool, invokeTool, executeTool patterns
+      if (/^(callTool|invokeTool|executeTool|runTool)$/.test(target.name)) {
+        const args = getCallArguments(node)
+        if (args.length > 0 && isLLMOutputExpression(args[0])) {
+          const context = getBodyText(node, content)
+          const hasAllowlist = /(?:allowlist|ALLOWED_|validTools|VALID_TOOLS|allowedTools|includes|has)\s*\(/i.test(context)
+
+          let severity: string = 'critical'
+          if (hasAllowlist) severity = 'medium'
+          if (isTestFile || isExample) severity = 'info'
+
+          matches.push({
+            node,
+            severity: severity as any,
+            note: 'LLM output used as tool name for invocation.',
+          })
+        }
+      }
+    }
+
+    // Also check subscript expressions: tools[response.tool]
+    for (const node of getNodes(nodeIndex!, 'subscript_expression')) {
+      const object = node.childForFieldName('object')
+      const index = node.childForFieldName('index')
+
+      if (!object || !index) continue
+      if (!/^(tools|handlers|actions|functions|methods)$/.test(object.text)) continue
+      if (!isLLMOutputExpression(index)) continue
+
+      const context = getBodyText(node, content)
+      const hasAllowlist = /(?:allowlist|ALLOWED_|validTools|includes|has)\s*\(/i.test(context)
+
+      let severity: string = 'high'
+      if (hasAllowlist) severity = 'medium'
+      if (isTestFile || isExample) severity = 'info'
+
+      matches.push({
+        node,
+        severity: severity as any,
+        note: 'Dynamic tool access using LLM output.',
+      })
+    }
+
+    return matches
+  },
+})
+
+// ============================================================================
+// AST Rule: Recursive Agent Without Depth Limit
+// ============================================================================
+
+registerASTRule({
+  id: 'ast-recursive-agent',
+  title: 'Recursive agent call without depth limit',
+  description: 'Agent function calls itself or spawns sub-agents without visible depth parameter.',
+  severity: 'high',
+  category: 'ai_excessive_agency',
+  suggestedFix: 'Add depth limit: async function runAgent(task, depth = 0) { if (depth > MAX_DEPTH) throw }',
+  languages: ['javascript', 'typescript', 'tsx', 'python'],
+  confidence: 'medium',
+  baseConfidence: 0.50,
+  layer: 2,
+  source: 'ai_code',
+  requiresAIValidation: true,
+  detect(ast: ParsedAST, content: string, nodeIndex?: NodeIndex): ASTRuleMatch[] {
+    if (isScannerOrFixtureFile(ast.filePath)) return []
+
+    const root = ast.tree.rootNode
+    if (!isAgentOrToolFile(root, ast.filePath, content)) return []
+
+    const isTestFile = isTestOrMockFile(ast.filePath)
+    const isExample = isExampleFile(ast.filePath)
+    const matches: ASTRuleMatch[] = []
+
+    // --- Python branch ---
+    if (ast.language === 'python') {
+      for (const node of getNodes(nodeIndex!, 'function_definition')) {
+        const fnName = node.childForFieldName('name')?.text
+        if (!fnName) continue
+        if (!/agent|run|execute|process|handle/i.test(fnName)) continue
+        if (/schema|type|json|parse|tree|node|format|render|convert|serialize/i.test(fnName)) continue
+
+        const body = node.childForFieldName('body')
+        if (!body) continue
+
+        // Check if function calls itself
+        let selfCall: Parser.SyntaxNode | null = null
+        walkAST(body, (child) => {
+          if (child.type === 'call') {
+            const t = resolvePythonCallTarget(child)
+            if (t?.name === fnName) {
+              if (t.object && /^super\b/.test(t.object)) return false
+              selfCall = child
+              return true
+            }
+          }
+          return false
+        })
+
+        if (!selfCall) continue
+
+        // Check if depth/level parameter exists
+        const params = node.childForFieldName('parameters')
+        const hasDepthParam = params?.text.includes('depth') || params?.text.includes('level') || params?.text.includes('recursion')
+
+        if (hasDepthParam) continue
+
+        const bodyText = body.text
+        if (/MAX_DEPTH|max_depth|depth\s*[<>]|level\s*[<>]/i.test(bodyText)) continue
+
+        let severity: string = 'high'
+        if (hasIterationLimits(bodyText) || hasTimeout(bodyText)) severity = 'medium'
+        if (isTestFile || isExample) severity = 'info'
+
+        matches.push({
+          node: selfCall!,
+          severity: severity as any,
+          note: `Recursive agent call to "${fnName}" without depth limit.`,
+        })
+      }
+
+      return matches
+    }
+
+    // --- JS/TS branch (original) ---
+    // Find functions that call themselves (recursive)
+    for (const node of getNodes(nodeIndex!, 'function_declaration')) {
+      const fnName = node.childForFieldName('name')?.text
+      if (!fnName) continue
+      if (!/agent|run|execute|process|handle/i.test(fnName)) continue
+      if (/schema|type|json|parse|tree|node|format|render|convert|serialize/i.test(fnName)) continue
+
+      const body = node.childForFieldName('body')
+      if (!body) continue
+
+      // Check if function calls itself
+      let selfCall: Parser.SyntaxNode | null = null
+      walkAST(body, (child) => {
+        if (child.type === 'call_expression') {
+          const t = resolveCallTarget(child)
+          if (t?.name === fnName) {
+            if (t.object && /^super\b/.test(t.object)) return false
+            selfCall = child
+            return true
+          }
+        }
+        return false
+      })
+
+      if (!selfCall) continue
+
+      // Check if depth/level parameter exists
+      const params = node.childForFieldName('parameters')
+      const hasDepthParam = params?.text.includes('depth') || params?.text.includes('level') || params?.text.includes('recursion')
+
+      if (hasDepthParam) continue
+
+      const bodyText = body.text
+      if (/MAX_DEPTH|maxDepth|max_depth|depth\s*[<>]|level\s*[<>]/i.test(bodyText)) continue
+
+      let severity: string = 'high'
+      if (hasIterationLimits(bodyText) || hasTimeout(bodyText)) severity = 'medium'
+      if (isTestFile || isExample) severity = 'info'
+
+      matches.push({
+        node: selfCall!,
+        severity: severity as any,
+        note: `Recursive agent call to "${fnName}" without depth limit.`,
+      })
+    }
+
+    // Check for spawnAgent/createAgent without limits
+    for (const node of getNodes(nodeIndex!, 'call_expression')) {
+      const target = resolveCallTarget(node)
+      if (!target) continue
+
+      if (!/^(spawn|create|launch|start)(?:Agent|Worker|Task)$/.test(target.name)) continue
+
+      // Skip CRUD operations (service.createAgent for DB)
+      const lineText = node.text
+      if (/(?:service|Service|sdk|SDK|store|Store|runtime|Runtime)\./i.test(lineText)) continue
+      if (/agentService|agentState|marketSDK/i.test(lineText)) continue
+
+      const context = getBodyText(node, content)
+
+      // Skip tool-less agents
+      if (!/tools\s*[:=]\s*\[/i.test(context)) continue
+
+      if (/depth|level|count|limit|max|MAX/i.test(context)) continue
+
+      matches.push({
+        node,
+        severity: isTestFile || isExample ? 'info' : 'medium',
+        note: 'Sub-agent spawned without depth or count limit.',
+      })
+    }
+
+    return matches
+  },
+})