@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/mcp-security-ast.js

@@ -0,0 +1,755 @@
+"use strict";
+/**
+ * AST-Based MCP (Model Context Protocol) Security Detection
+ *
+ * Migrates ai-code/mcp-security.ts from regex to AST.
+ * Detects security issues in MCP tool implementations.
+ *
+ * AST advantages:
+ * - Structurally detects server.tool() registrations and their handlers
+ * - Resolves return values to check for unsanitized content
+ * - Checks tool parameter destructuring for credential fields
+ * - Detects missing user context from function parameter analysis
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const import_analysis_1 = require("./helpers/import-analysis");
+const file_classifier_1 = require("../../parse/file-classifier");
+const python_helpers_1 = require("./helpers/python-helpers");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Check if file is an MCP file */
+function isMCPFile(root, filePath, content) {
+    // Cheap checks first — skip expensive import analysis for 99%+ of files
+    if (/McpServer|server\.tool\s*\(|@server\.tool|@mcp\.tool|FastMCP/i.test(content))
+        return true;
+    if (/\/mcp\/|mcp[-_]?server|mcp[-_]?tools?/i.test(filePath))
+        return true;
+    // Only check imports if content mentions MCP-related strings
+    if (!/@modelcontextprotocol|mcp|fastmcp/i.test(content))
+        return false;
+    const modules = (0, import_analysis_1.getImportedModules)(root);
+    return [...modules].some(m => /^(@modelcontextprotocol\/sdk|mcp|@mcp\/)/.test(m));
+}
+/** Check for content sanitization */
+function hasSanitization(bodyText) {
+    return /sanitize|DOMPurify|purify|escapeHtml|escape_html|stripTags|validateContent|zod\.parse|schema\.parse|safeParse|filterHtml|cleanHtml|ALLOWED_TAGS/i.test(bodyText);
+}
+/** Check for user context */
+function hasUserContext(bodyText) {
+    return /context\.user|context\.userId|context\.session|context\.auth|getCurrentUser|request\.user|req\.user|user\.id|userId|session\.user|auth\(\)|tenantId|tenant\.id|orgId/i.test(bodyText);
+}
+/** Check for authorization check */
+function hasAuthCheck(bodyText) {
+    return /if\s*\([^)]*\.ownerId\s*[!=]==?|if\s*\([^)]*userId\s*[!=]==?|Not\s*authorized|Forbidden|checkPermission|checkAccess|canAccess|hasPermission|isAuthorized|throw.*Error.*auth/i.test(bodyText);
+}
+/** Check if data source is safe/static */
+function isSafeDataSource(bodyText) {
+    return /(?:static|public)(?:Data|Docs|Content)|mathjs|calculate|compute|findByUser|getByUser|user\.(?:files|documents|records)/i.test(bodyText);
+}
+/** Get enclosing Python function body text */
+function getPythonEnclosingBody(node) {
+    let current = node.parent;
+    while (current) {
+        if (current.type === 'function_definition') {
+            return (current.childForFieldName('body') ?? current).text;
+        }
+        current = current.parent;
+    }
+    return '';
+}
+/** Get Python MCP tool function definitions (decorated with @server.tool or @mcp.tool) */
+function getPythonMCPToolFunctions(nodeIndex) {
+    const results = [];
+    for (const node of (0, index_1.getNodes)(nodeIndex, 'decorated_definition')) {
+        const funcDef = node.namedChildren.find(c => c.type === 'function_definition');
+        if (!funcDef)
+            continue;
+        if (!(0, python_helpers_1.hasPythonDecorator)(funcDef, /^(server\.tool|mcp\.tool|tool)$/))
+            continue;
+        const body = funcDef.childForFieldName('body');
+        if (!body)
+            continue;
+        results.push({ decoratedDef: node, funcDef, body });
+    }
+    return results;
+}
+/** Get tool handler body from server.tool() call */
+function getToolHandlerBody(node) {
+    const args = node.namedChildren.find(c => c.type === 'arguments');
+    if (!args)
+        return null;
+    // server.tool(name, schema, handler) or server.tool(name, handler)
+    for (const arg of args.namedChildren) {
+        if (arg.type === 'arrow_function' || arg.type === 'function_expression') {
+            return arg.childForFieldName('body') ?? arg;
+        }
+    }
+    return null;
+}
+// ============================================================================
+// AST Rule: Tool Poisoning (unsanitized external content)
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-tool-poisoning',
+    title: 'MCP tool returns unsanitized external content',
+    description: 'MCP tool returns external content (HTTP, files, DB) without sanitization. Prompt injection payloads could manipulate AI behavior.',
+    severity: 'high',
+    category: 'ai_mcp_tool_poisoning',
+    suggestedFix: 'Sanitize external content before returning: return { content: sanitize(response.text()) }',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            const toolFuncs = getPythonMCPToolFunctions(nodeIndex);
+            for (const { funcDef, body } of toolFuncs) {
+                const bodyText = body.text;
+                // Check for external content fetching patterns
+                const externalPatterns = /requests\.get|httpx\.get|urllib\.request\.urlopen|open\s*\(.*\)\.read|urlopen/i;
+                if (!externalPatterns.test(bodyText))
+                    continue;
+                if (hasSanitization(bodyText))
+                    continue;
+                if (isSafeDataSource(bodyText))
+                    continue;
+                let severity = 'high';
+                let note = 'MCP tool returns unsanitized external content.';
+                if (hasUserContext(bodyText)) {
+                    severity = 'medium';
+                    note += ' (User context present — may be returning user\'s own data.)';
+                }
+                if (isTestFile) {
+                    severity = 'info';
+                    note += ' (in test file)';
+                }
+                matches.push({ node: funcDef, severity, note });
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'return_statement')) {
+            // Must be inside an MCP context
+            let inMCPHandler = false;
+            let current = node.parent;
+            while (current) {
+                if (/server\.tool/i.test(current.text.slice(0, 20))) {
+                    inMCPHandler = true;
+                    break;
+                }
+                current = current.parent;
+            }
+            if (!inMCPHandler) {
+                // Check broader context
+                if (!/server\.tool/i.test(content))
+                    continue;
+            }
+            const returnValue = node.namedChildren[0];
+            if (!returnValue)
+                continue;
+            const returnText = returnValue.text;
+            // Check for external content patterns in return
+            const externalPatterns = /response\.text\(\)|response\.json\(\)|response\.body|res\.text|res\.json|fs\.readFile|readFileSync|readFile|email\.body|feed\.items|mail\.body/i;
+            if (!externalPatterns.test(returnText))
+                continue;
+            // Get enclosing function body
+            let fnBody = null;
+            let cur = node.parent;
+            while (cur) {
+                if (/function_declaration|arrow_function|function_expression/.test(cur.type)) {
+                    fnBody = cur.childForFieldName('body') ?? cur;
+                    break;
+                }
+                cur = cur.parent;
+            }
+            const bodyText = fnBody?.text ?? '';
+            // Skip if sanitized
+            if (hasSanitization(bodyText))
+                continue;
+            if (isSafeDataSource(bodyText))
+                continue;
+            let severity = 'high';
+            let note = 'MCP tool returns unsanitized external content.';
+            if (hasUserContext(bodyText)) {
+                severity = 'medium';
+                note += ' (User context present — may be returning user\'s own data.)';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                note += ' (in test file)';
+            }
+            matches.push({ node, severity, note });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Credentials in Tool Parameters
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-credential-param',
+    title: 'Credentials in MCP tool parameter',
+    description: 'Tool accepts credentials (API keys, tokens) as parameters. Credentials should not flow through the model.',
+    severity: 'high',
+    category: 'ai_mcp_credential_issue',
+    suggestedFix: 'Use server-side credential storage. Remove credential parameter and use environment variables.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        const credentialFields = /^(apiKey|api_key|token|secret|password|privateKey|private_key|accessToken|access_token|authToken|auth_token|connectionString|connection_string|dbUrl|databaseUrl|database_url)$/;
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            const toolFuncs = getPythonMCPToolFunctions(nodeIndex);
+            for (const { funcDef } of toolFuncs) {
+                const params = funcDef.childForFieldName('parameters');
+                if (!params)
+                    continue;
+                for (const child of params.namedChildren) {
+                    let paramName = '';
+                    if (child.type === 'identifier') {
+                        paramName = child.text;
+                    }
+                    else if (child.type === 'typed_parameter' || child.type === 'default_parameter') {
+                        const nameNode = child.namedChildren.find(c => c.type === 'identifier');
+                        paramName = nameNode?.text ?? '';
+                    }
+                    if (credentialFields.test(paramName)) {
+                        matches.push({
+                            node: child,
+                            severity: isTestFile ? 'info' : 'high',
+                            note: `Tool accepts credential "${paramName}" as parameter. Secrets should not flow through the model.`,
+                        });
+                    }
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'object_pattern')) {
+            // Check if this is a parameter of a function inside server.tool()
+            let inToolHandler = false;
+            let current = node.parent;
+            while (current) {
+                if (current.type === 'call_expression') {
+                    const target = (0, call_analysis_1.resolveCallTarget)(current);
+                    if (target?.name === 'tool' && target?.object === 'server') {
+                        inToolHandler = true;
+                        break;
+                    }
+                }
+                current = current.parent;
+            }
+            if (!inToolHandler)
+                continue;
+            // Check destructured properties for credential names
+            for (const child of node.namedChildren) {
+                if (child.type === 'shorthand_property_identifier_pattern' || child.type === 'pair_pattern') {
+                    const propName = child.type === 'shorthand_property_identifier_pattern'
+                        ? child.text
+                        : child.childForFieldName('key')?.text ?? '';
+                    if (credentialFields.test(propName)) {
+                        matches.push({
+                            node: child,
+                            severity: isTestFile ? 'info' : 'high',
+                            note: `Tool accepts credential "${propName}" as parameter. Secrets should not flow through the model.`,
+                        });
+                    }
+                }
+            }
+        }
+        // Also check for credentials in return statements
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'return_statement')) {
+            const returnValue = node.namedChildren[0];
+            if (returnValue?.type !== 'object')
+                continue;
+            for (const child of returnValue.namedChildren) {
+                if (child.type === 'pair') {
+                    const key = child.childForFieldName('key');
+                    const keyName = key?.text.replace(/['"]/g, '') ?? '';
+                    if (credentialFields.test(keyName)) {
+                        matches.push({
+                            node: child,
+                            severity: isTestFile ? 'info' : 'critical',
+                            note: `Tool response includes credential "${keyName}". Exposing secrets to the model is dangerous.`,
+                        });
+                    }
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Confused Deputy (operations without user context)
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-confused-deputy',
+    title: 'MCP tool operation without user context verification',
+    description: 'Tool performs data operations with only an ID without verifying user ownership.',
+    severity: 'high',
+    category: 'ai_mcp_confused_deputy',
+    suggestedFix: 'Add user context and verify ownership: if (record.ownerId !== context.user.id) throw new Error("Unauthorized")',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            const toolFuncs = getPythonMCPToolFunctions(nodeIndex);
+            for (const { funcDef, body } of toolFuncs) {
+                const bodyText = body.text;
+                const hasModification = /\.delete\s*\(|\.remove\s*\(|os\.remove|shutil\.rmtree|\.update\s*\(|\.save\s*\(/i.test(bodyText);
+                if (!hasModification)
+                    continue;
+                if (hasUserContext(bodyText) && hasAuthCheck(bodyText))
+                    continue;
+                let severity = 'high';
+                let note = 'MCP tool performs data operations without user context verification.';
+                if (hasUserContext(bodyText)) {
+                    severity = 'medium';
+                    note = 'User context present but no authorization check visible.';
+                }
+                if (isTestFile) {
+                    severity = 'info';
+                    note += ' (in test file)';
+                }
+                matches.push({ node: funcDef, severity, note });
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        // Find server.tool() calls with data modification operations
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target || target.name !== 'tool' || target.object !== 'server')
+                continue;
+            const handlerBody = getToolHandlerBody(node);
+            if (!handlerBody)
+                continue;
+            const bodyText = handlerBody.text;
+            // Check if handler has data modification operations
+            const hasModification = /\.delete\s*\(|\.remove\s*\(|\.destroy\s*\(|\.update\s*\(|\.set\s*\(|\.save\s*\(/i.test(bodyText);
+            if (!hasModification)
+                continue;
+            // Check for user context and authorization
+            if (hasUserContext(bodyText) && hasAuthCheck(bodyText))
+                continue;
+            let severity = 'high';
+            let note = 'MCP tool performs data operations without user context verification.';
+            if (hasUserContext(bodyText)) {
+                severity = 'medium';
+                note = 'User context present but no authorization check visible.';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                note += ' (in test file)';
+            }
+            // Report on the tool name argument for precise location
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            const reportNode = args.length > 0 ? args[0] : node;
+            matches.push({ node: reportNode, severity, note });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Dynamic Tool Description (injection risk)
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-description-injection',
+    title: 'Dynamic MCP tool description from variable',
+    description: 'Tool description from user input or external source. Malicious content could manipulate AI behavior.',
+    severity: 'high',
+    category: 'ai_mcp_description_injection',
+    suggestedFix: 'Use static descriptions only. Never include user input in tool descriptions.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // Check decorator arguments for description with dynamic content
+            const toolFuncs = getPythonMCPToolFunctions(nodeIndex);
+            for (const { decoratedDef, funcDef } of toolFuncs) {
+                // Look for description keyword arg in the decorator call
+                for (const child of decoratedDef.namedChildren) {
+                    if (child.type !== 'decorator')
+                        continue;
+                    for (const dChild of child.namedChildren) {
+                        if (dChild.type !== 'call')
+                            continue;
+                        const argList = dChild.childForFieldName('arguments');
+                        if (!argList)
+                            continue;
+                        for (const arg of argList.namedChildren) {
+                            if (arg.type === 'keyword_argument') {
+                                const nameNode = arg.childForFieldName('name');
+                                if (nameNode?.text !== 'description')
+                                    continue;
+                                const valueNode = arg.childForFieldName('value');
+                                if (!valueNode)
+                                    continue;
+                                // f-string with interpolation — only flag user-controlled variables
+                                if (valueNode.type === 'string' && (0, python_helpers_1.isPythonFString)(valueNode)) {
+                                    const { dynamicParts } = (0, python_helpers_1.getPythonFStringParts)(valueNode);
+                                    const userControlledParts = dynamicParts.filter(p => /user|req|input|param|body|query/i.test(p.text) && !/config|settings|env|options/i.test(p.text));
+                                    if (userControlledParts.length > 0) {
+                                        matches.push({
+                                            node: valueNode,
+                                            severity: isTestFile ? 'info' : 'high',
+                                            note: 'Tool description constructed from dynamic f-string interpolation.',
+                                        });
+                                    }
+                                }
+                                // Static string with injection keywords
+                                if (valueNode.type === 'string') {
+                                    if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(valueNode.text)) {
+                                        matches.push({
+                                            node: valueNode,
+                                            severity: isTestFile ? 'info' : 'critical',
+                                            note: 'Tool description contains prompt injection keywords.',
+                                        });
+                                    }
+                                }
+                            }
+                            // Positional string argument (first arg is often the description in some SDKs)
+                            if (arg.type === 'string' && arg !== argList.namedChildren[0]) {
+                                if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(arg.text)) {
+                                    matches.push({
+                                        node: arg,
+                                        severity: isTestFile ? 'info' : 'critical',
+                                        note: 'Tool description contains prompt injection keywords.',
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'pair')) {
+            const key = node.childForFieldName('key');
+            const value = node.childForFieldName('value');
+            if (!key || !value)
+                continue;
+            const keyText = key.text.replace(/['"]/g, '');
+            if (keyText !== 'description')
+                continue;
+            // Check if description is a template literal with interpolation
+            if (value.type === 'template_string') {
+                // Only flag user-controlled interpolations, not admin/config values
+                const hasUserInterpolation = /\$\{.*(?:user|req|input|param|body|query).*\}/i.test(value.text);
+                const isAdminControlled = /\$\{.*(?:config|settings|env|options).*\}/i.test(value.text) && !hasUserInterpolation;
+                if (hasUserInterpolation && !isAdminControlled) {
+                    matches.push({
+                        node: value,
+                        severity: isTestFile ? 'info' : 'high',
+                        note: 'Tool description constructed from user input or external variables.',
+                    });
+                }
+            }
+            // Check for concatenation with user input
+            if (value.type === 'binary_expression' && /user|req|input|param|body|query/.test(value.text)) {
+                // Skip admin-controlled values
+                if (!/(?:config|settings|env)\./i.test(value.text)) {
+                    matches.push({
+                        node: value,
+                        severity: isTestFile ? 'info' : 'high',
+                        note: 'Tool description concatenated with user-controlled values.',
+                    });
+                }
+            }
+            // Check for injection keywords in static descriptions
+            if (value.type === 'string' || value.type === 'template_string') {
+                const text = value.text;
+                if (/ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i.test(text)) {
+                    matches.push({
+                        node: value,
+                        severity: isTestFile ? 'info' : 'critical',
+                        note: 'Tool description contains prompt injection keywords.',
+                    });
+                }
+            }
+        }
+        // Also check server.tool() positional args: server.tool(name, description, schema, handler)
+        // The 2nd positional argument is the description string
+        const INJECTION_RE = /ignore\s*(?:previous|above|all|any|user)|bypass|override|system\s*prompt|disregard|forget|first\s+call\s+\w+|before\s+(?:using|running)\s+this|include\s+(?:the\s+)?(?:full\s+)?(?:conversation|chat)\s*history|search\s+all\s+(?:available|private)|\/etc\/passwd|exfiltrat/i;
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target || target.name !== 'tool' || target.object !== 'server')
+                continue;
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            // server.tool(name, description, schema?, handler) — description is the 2nd arg
+            if (args.length < 2)
+                continue;
+            const descArg = args[1];
+            if (!descArg)
+                continue;
+            if (descArg.type === 'string' || descArg.type === 'template_string') {
+                if (INJECTION_RE.test(descArg.text)) {
+                    matches.push({
+                        node: descArg,
+                        severity: isTestFile ? 'info' : 'critical',
+                        note: 'Tool description contains prompt injection keywords.',
+                    });
+                }
+            }
+            // Template literal with user interpolation
+            if (descArg.type === 'template_string') {
+                const hasUserInterpolation = /\$\{.*(?:user|req|input|param|body|query).*\}/i.test(descArg.text);
+                const isAdminControlled = /\$\{.*(?:config|settings|env|options).*\}/i.test(descArg.text) && !hasUserInterpolation;
+                if (hasUserInterpolation && !isAdminControlled) {
+                    matches.push({
+                        node: descArg,
+                        severity: isTestFile ? 'info' : 'high',
+                        note: 'Tool description constructed from user input or external variables.',
+                    });
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Missing Human-in-the-Loop for Destructive Operations
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-missing-hitl',
+    title: 'MCP destructive operation without confirmation',
+    description: 'MCP tool performs destructive operations without human confirmation mechanism.',
+    severity: 'high',
+    category: 'ai_excessive_agency',
+    suggestedFix: 'Add confirmation: if (!args.confirmed) return { needsConfirmation: true, action: "delete" }',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            const toolFuncs = getPythonMCPToolFunctions(nodeIndex);
+            for (const { funcDef, body } of toolFuncs) {
+                const bodyText = body.text;
+                const destructiveOps = /os\.remove|shutil\.rmtree|subprocess\.run|subprocess\.call|os\.system|DELETE\s+FROM|DROP\s+TABLE|\.delete\s*\(|\.drop\s*\(/i;
+                if (!destructiveOps.test(bodyText))
+                    continue;
+                if (/confirm|approved|require_approval|human_in_loop|owner_id|user_id|not\s+auth|unauthorized|forbidden|check_permission|has_permission|is_authorized/i.test(bodyText))
+                    continue;
+                const fnName = funcDef.childForFieldName('name')?.text ?? '';
+                const isDestructiveName = /delete|remove|drop|exec|shell|command|send/i.test(fnName);
+                if (!isDestructiveName)
+                    continue;
+                let severity = 'high';
+                if (/shutil\.rmtree/i.test(bodyText))
+                    severity = 'critical';
+                if (isTestFile)
+                    severity = 'info';
+                matches.push({
+                    node: funcDef,
+                    severity,
+                    note: `Destructive MCP tool "${fnName}" without confirmation mechanism.`,
+                });
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target || target.name !== 'tool' || target.object !== 'server')
+                continue;
+            const handlerBody = getToolHandlerBody(node);
+            if (!handlerBody)
+                continue;
+            const bodyText = handlerBody.text;
+            // Check for destructive operations
+            const destructiveOps = /fs\.rm|fs\.unlink|unlinkSync|rmSync|rimraf|\.delete\s*\(|\.drop\s*\(|\.truncate\s*\(|\.destroy\s*\(|DELETE\s+FROM|DROP\s+TABLE|exec\s*\(|spawn\s*\(|execSync|spawnSync/i;
+            if (!destructiveOps.test(bodyText))
+                continue;
+            // Check for confirmation mechanism or ownership/authorization check
+            if (/confirm|approved|needsConfirmation|requireApproval|humanInLoop|ownerId|owner_id|userId.*!==|Not\s+auth|Unauthorized|Forbidden|checkPermission|hasPermission|isAuthorized/i.test(bodyText))
+                continue;
+            // Check tool name for destructive indicators
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            const toolNameArg = args[0];
+            const toolName = toolNameArg?.text?.replace(/['"]/g, '') ?? '';
+            const isDestructiveName = /delete|remove|rm|drop|truncate|exec|shell|command|send|publish|pay|charge|transfer|unlink|wipe|purge|clean/i.test(toolName);
+            if (!isDestructiveName && !/recursive\s*:\s*true/i.test(bodyText))
+                continue;
+            let severity = 'high';
+            if (/recursive\s*:\s*true|rmSync.*recursive/i.test(bodyText))
+                severity = 'critical';
+            if (/pay|charge|transfer|transaction/i.test(toolName))
+                severity = 'critical';
+            if (isTestFile)
+                severity = 'info';
+            matches.push({
+                node: toolNameArg ?? node,
+                severity,
+                note: `Destructive MCP tool "${toolName}" without confirmation mechanism.`,
+            });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Unsafe Filesystem Access with User-Controlled Path
+// ============================================================================
+/** Filesystem methods that are dangerous with user-controlled paths */
+const DANGEROUS_FS_METHODS = /^(readFileSync|readFile|writeFileSync|writeFile|unlinkSync|unlink|rmSync|rm|rmdirSync|rmdir|appendFileSync|appendFile|copyFileSync|copyFile|renameSync|rename|mkdirSync|mkdir|createReadStream|createWriteStream)$/;
+/** Check if a node or its descendants reference args.* (MCP tool argument access) */
+function referencesToolArgs(node) {
+    if (node.type === 'member_expression') {
+        const obj = node.childForFieldName('object');
+        if (obj?.type === 'identifier' && obj.text === 'args')
+            return true;
+    }
+    for (const child of node.namedChildren) {
+        if (referencesToolArgs(child))
+            return true;
+    }
+    return false;
+}
+/** Check if handler body contains path validation */
+function hasPathValidation(bodyText) {
+    return /allowedPaths|allowedDirs|allowList|whitelist|safePaths|startsWith\s*\(|path\.resolve.*startsWith|path\.join.*startsWith|path\.normalize|isAbsolute|validatePath|sanitizePath|checkPath|pathFilter|ALLOWED_PATHS|BASE_DIR|basePath|rootDir|chroot/i.test(bodyText);
+}
+(0, index_1.registerASTRule)({
+    id: 'ast-mcp-unsafe-fs-access',
+    title: 'MCP tool performs filesystem operation with user-controlled path',
+    description: 'MCP tool handler passes tool arguments directly to filesystem operations without path validation. This allows path traversal to read, write, or delete arbitrary files.',
+    severity: 'high',
+    category: 'ai_excessive_agency',
+    suggestedFix: 'Validate paths against an allowlist: const safePath = path.resolve(BASE_DIR, args.path); if (!safePath.startsWith(BASE_DIR)) throw new Error("Invalid path")',
+    languages: ['javascript', 'typescript', 'tsx'],
+    confidence: 'medium',
+    baseConfidence: 0.55,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isMCPFile(root, ast.filePath, content))
+            return [];
+        // Cheap pre-check: file must mention both fs and args
+        if (!/\bfs\./i.test(content) || !/\bargs\./i.test(content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // Check if this is an fs.* method call
+            if (target.object !== 'fs' || !DANGEROUS_FS_METHODS.test(target.name))
+                continue;
+            // Check if any argument references args.* (user-controlled MCP tool input)
+            const callArgs = (0, call_analysis_1.getCallArguments)(node);
+            const hasArgsRef = callArgs.some(arg => referencesToolArgs(arg));
+            if (!hasArgsRef)
+                continue;
+            // Walk up to verify we're inside an MCP server.tool() handler
+            let inToolHandler = false;
+            let handlerBody = null;
+            let current = node.parent;
+            while (current) {
+                // Check if we're inside a function that is an argument to server.tool()
+                if (current.type === 'arrow_function' || current.type === 'function_expression') {
+                    const parent = current.parent;
+                    // Direct argument to server.tool(name, schema, handler)
+                    if (parent?.type === 'arguments') {
+                        const callExpr = parent.parent;
+                        if (callExpr?.type === 'call_expression') {
+                            const callTarget = (0, call_analysis_1.resolveCallTarget)(callExpr);
+                            if (callTarget?.name === 'tool' && callTarget?.object === 'server') {
+                                inToolHandler = true;
+                                handlerBody = current.childForFieldName('body') ?? current;
+                                break;
+                            }
+                        }
+                    }
+                }
+                current = current.parent;
+            }
+            if (!inToolHandler || !handlerBody)
+                continue;
+            // Check for path validation or confirmation/approval mechanism in the handler body
+            const bodyText = handlerBody.text;
+            if (hasPathValidation(bodyText))
+                continue;
+            if (/confirm|approved|needsConfirmation|requireApproval|humanInLoop|require_approval|human_in_loop/i.test(bodyText))
+                continue;
+            // Classify severity: destructive ops are high, read-only ops are medium
+            const isDestructive = /^(unlinkSync|unlink|rmSync|rm|rmdirSync|rmdir|writeFileSync|writeFile|appendFileSync|appendFile|renameSync|rename)$/.test(target.name);
+            let severity = isDestructive ? 'high' : 'high';
+            let note = `MCP tool passes user-controlled args to fs.${target.name}() without path validation.`;
+            if (isDestructive) {
+                note += ' Destructive operation — attacker-controlled path could delete or overwrite arbitrary files.';
+            }
+            else {
+                note += ' Attacker-controlled path could read arbitrary files (path traversal).';
+            }
+            if (isTestFile) {
+                severity = 'info';
+                note += ' (in test file)';
+            }
+            matches.push({ node, severity, note });
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=mcp-security-ast.js.map