@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/agent-tools-ast.js

@@ -0,0 +1,809 @@
+"use strict";
+/**
+ * AST-Based AI Agent Tool Permission Detection
+ *
+ * Migrates ai-code/agent-tools.ts from regex to AST.
+ * Detects overpermissive agent tools and excessive agency patterns.
+ *
+ * AST advantages:
+ * - Structurally detects tool definitions (defineTool, createTool, server.tool)
+ * - Resolves tool handler bodies to check for restrictions
+ * - Checks for user/tenant context from parameter patterns
+ * - Detects unbounded loops and recursive agent patterns from AST control flow
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const ast_1 = require("../../parse/ast");
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const user_input_1 = require("./helpers/user-input");
+const file_classifier_1 = require("../../parse/file-classifier");
+const python_helpers_1 = require("./helpers/python-helpers");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Check if file contains agent/tool definitions */
+function isAgentOrToolFile(root, filePath, content) {
+    if (/\/(agents?|tools?|functions?|actions?|mcp|langchain|llamaindex|autogen)\//i.test(filePath))
+        return true;
+    if (/(agent|tool|function|action).*\.(ts|js|py)$/i.test(filePath))
+        return true;
+    return /@tool|defineTool|createTool|\.registerTool|\.addTool|tools\s*:\s*\[|FunctionTool|StructuredTool|tool_choice|function_call|McpServer|FastMCP|server\.tool|mcp\.tool|function_tool|register_function|register_for_execution|CrewAI|crewai|autogen/i.test(content);
+}
+/** Check for strong access restrictions */
+function hasStrongRestrictions(bodyText) {
+    const strong = /\bvm2\b|\bisolated-vm\b|\bquickjs\b|\bRestrictedPython\b|\bsandboxed\b|allowed(?:Paths|Files|Dirs|Hosts|Urls|Commands)\s*[=:]\s*\[|(?:white|allow)list\s*[=:]\s*\[|validatePath\s*\(|isAllowedPath\s*\(|sandbox\s*[=:]\s*(?:true|\{)|readonly\s*[=:]\s*true|readOnly\s*[=:]\s*true|if\s*\(\s*!?\s*(?:\w+\.)*(?:allowed|permitted|authorized|approved|confirmed)|if\s+not\s+\w+\.startswith\s*\(|allowed_dir\b|startswith\s*\(\s*allowed|os\.path\.realpath.*allowed|@e2b|Sandbox\.create|throw\s+(?:new\s+)?(?:Error|Exception)\s*\(\s*['"].*(?:Not\s+auth|Unauthorized|Forbidden|denied|permission)|raise\s+(?:Exception|ValueError|PermissionError|RuntimeError)\s*\(\s*['"].*(?:denied|not\s+allowed|unauthorized|forbidden|permission)/i;
+    const weak = /\/\/.*(?:sandbox|restrict|allowlist)|TODO.*(?:add|implement).*(?:sandbox|restrict)/i;
+    return strong.test(bodyText) && !weak.test(bodyText);
+}
+/** Check for any access restrictions */
+function hasAccessRestrictions(bodyText) {
+    return /allowedPaths|allowed_paths|allowedFiles|allowedDirs|allowedHosts|allowedUrls|allowedCommands|allowedOperations|whitelist|allowlist|permissions?:|capabilities:|restrictions?:|sandbox|readonly|(?:args|params)\.(?:approved|confirmed)|ownerId|owner_id|startsWith\s*\(.*allowed|in\s+allowed/i.test(bodyText);
+}
+/** Check for user context */
+function hasUserContext(bodyText) {
+    return /user[_.]?id|userId|currentUser|req\.user|request\.user|session\.user|getUser\s*\(|getCurrentUser\s*\(|ctx\.user|context\.user/i.test(bodyText);
+}
+/** Check for tenant context */
+function hasTenantContext(bodyText) {
+    return /tenant[_.]?id|tenantId|org[_.]?id|orgId|organization[_.]?id|workspace[_.]?id|workspaceId|team[_.]?id|account[_.]?id/i.test(bodyText);
+}
+/** Check for iteration limits */
+function hasIterationLimits(bodyText) {
+    return /maxIterations\s*[:=]\s*\d{1,2}\b|max_iter(?:ations)?\s*[:=]\s*\d{1,2}\b|max_steps\s*[:=]\s*\d{1,2}\b/i.test(bodyText);
+}
+/** Check for timeout */
+function hasTimeout(bodyText) {
+    return /timeout\s*[:=]\s*[1-9]\d*|max_execution_time\s*[:=]\s*[1-9]|setTimeout\s*\(|AbortSignal\.timeout|asyncio\.wait_for|asyncio\.timeout|deadline\s*[:=]\s*[1-9]|time_limit\s*[:=]\s*[1-9]/i.test(bodyText);
+}
+/** Check for loop bound checks (comparison + termination pattern) */
+function hasLoopBoundCheck(bodyText) {
+    return /(?:elapsed|poll_count|retry_count|retries|attempts?|iteration|count)\s*(?:>|>=|==)\s*(?:timeout|max|limit|poll|retry)/i.test(bodyText) &&
+        /(?:raise|break|return)\b/.test(bodyText);
+}
+/** Check for early-exit patterns (conditional break/return + await/sleep = bounded polling) */
+function hasEarlyExitPattern(bodyText) {
+    const hasConditionalExit = /if\s*\(.*\)\s*[{:]?\s*(?:break|return)\b|if\s+.*:\s*(?:break|return)\b/i.test(bodyText);
+    const hasWaitPattern = /\bawait\b|\bsleep\b|\btime\.sleep\b|\basyncio\.sleep\b/i.test(bodyText);
+    return hasConditionalExit && hasWaitPattern;
+}
+/** Check for human-in-the-loop */
+function hasHumanInLoop(bodyText) {
+    return /humanInLoop\s*[:=]\s*true|human_in_loop\s*[:=]\s*True|requireApproval\s*[:=]\s*true|human_input_mode\s*[:=]\s*['"`](?:ALWAYS|TERMINATE)/i.test(bodyText);
+}
+/** Check for Docker */
+function hasDocker(bodyText) {
+    return /use_docker\s*[:=]\s*True|docker\s*[:=]\s*true|container\s*[:=]\s*true/i.test(bodyText);
+}
+/** Check for MCP file with safe patterns */
+function isMCPWithSafePatterns(bodyText) {
+    const hasSanitization = /sanitize|DOMPurify|purify|escapeHtml|validateSchema|schema\.parse/i.test(bodyText);
+    const hasAuth = /if\s*\([^)]*ownerId\s*[!=]==?|throw.*Error.*(?:auth|Forbidden|Unauthorized)|checkPermission|hasPermission|isAuthorized/i.test(bodyText);
+    return hasSanitization && hasAuth;
+}
+/** Get enclosing body text */
+function getBodyText(node, content, windowSize = 30) {
+    let current = node.parent;
+    while (current) {
+        if (/function_declaration|arrow_function|function_expression|method_definition|function_definition/.test(current.type)) {
+            return (current.childForFieldName('body') ?? current).text;
+        }
+        current = current.parent;
+    }
+    // Fallback: use surrounding text
+    const lines = content.split('\n');
+    const start = Math.max(0, node.startPosition.row - windowSize);
+    const end = Math.min(lines.length, node.startPosition.row + windowSize);
+    return lines.slice(start, end).join('\n');
+}
+// ============================================================================
+// AST Rule: Overpermissive Tool Detection
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-overpermissive-tool',
+    title: 'Overpermissive agent tool',
+    description: 'Tool provides dangerous capabilities (filesystem, shell, code execution) without proper restrictions.',
+    severity: 'high',
+    category: 'ai_overpermissive_tool',
+    suggestedFix: 'Add access restrictions: allowedPaths, allowedHosts, sandbox. Implement user context verification.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isAgentOrToolFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const isExample = (0, file_classifier_1.isExampleFile)(ast.filePath);
+        const matches = [];
+        const flagged = new Set();
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // Python dangerous capability patterns
+            const PY_SHELL = /os\.system|subprocess|os\.popen/;
+            const PY_CODE_EXEC = /\beval\s*\(|\bexec\s*\(|\bcompile\s*\(/;
+            const PY_FILE = /\bopen\s*\(|os\.remove|shutil\.|os\.rename/;
+            const PY_NETWORK = /requests\.|httpx\.|urllib/;
+            const PY_DB = /cursor\.execute|\.query\s*\(/;
+            // @tool decorated functions (LangChain, MCP)
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'decorated_definition')) {
+                const funcDef = node.namedChildren.find(c => c.type === 'function_definition');
+                if (!funcDef)
+                    continue;
+                if (!(0, python_helpers_1.hasPythonDecorator)(funcDef, /^(tool|server\.tool|mcp\.tool)$/))
+                    continue;
+                if (flagged.has(node.startPosition.row))
+                    continue;
+                const body = funcDef.childForFieldName('body');
+                if (!body)
+                    continue;
+                const bodyText = body.text;
+                const hasShell = PY_SHELL.test(bodyText);
+                const hasCodeExec = PY_CODE_EXEC.test(bodyText);
+                const hasFS = PY_FILE.test(bodyText);
+                const hasNetwork = PY_NETWORK.test(bodyText);
+                const hasDB = PY_DB.test(bodyText);
+                if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB)
+                    continue;
+                const strong = hasStrongRestrictions(bodyText);
+                const userCtx = hasUserContext(bodyText);
+                const weak = hasAccessRestrictions(bodyText);
+                if (strong)
+                    continue; // Strong restrictions alone are sufficient (confirmation gate, auth throw, etc.)
+                let baseSeverity = (hasShell || hasCodeExec) ? 'critical' : 'high';
+                let severity = baseSeverity;
+                let note = '';
+                if (hasShell)
+                    note = 'Tool with shell command execution.';
+                else if (hasCodeExec)
+                    note = 'Tool with code execution capability.';
+                else if (hasFS)
+                    note = 'Tool with filesystem access.';
+                else if (hasNetwork)
+                    note = 'Tool with network access.';
+                else if (hasDB)
+                    note = 'Tool with database access.';
+                if (isTestFile || isExample)
+                    severity = 'info';
+                else if ((weak && userCtx)) {
+                    severity = baseSeverity === 'critical' ? 'high' : 'medium';
+                    note += ' (Partial restrictions detected.)';
+                }
+                flagged.add(node.startPosition.row);
+                matches.push({ node: funcDef, severity: severity, note });
+            }
+            // Tool(..., func=handler), function_tool(...), register_function(...)
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+                if (!target)
+                    continue;
+                const isToolDef = /^(Tool|function_tool|register_function|register_for_execution)$/.test(target.name);
+                if (!isToolDef)
+                    continue;
+                if (flagged.has(node.startPosition.row))
+                    continue;
+                // For Tool() calls, verify it has an executable handler (func=/execute=/callback=/handler= kwarg
+                // or a positional callable). Pure metadata/ORM registrations without handlers are not tools.
+                if (target.name === 'Tool') {
+                    const funcKwCheck = (0, python_helpers_1.getPythonKeywordArgument)(node, 'func')
+                        ?? (0, python_helpers_1.getPythonKeywordArgument)(node, 'execute')
+                        ?? (0, python_helpers_1.getPythonKeywordArgument)(node, 'callback')
+                        ?? (0, python_helpers_1.getPythonKeywordArgument)(node, 'handler');
+                    if (!funcKwCheck) {
+                        // Check for positional callable (lambda or identifier after name/description strings)
+                        const argList = node.childForFieldName('arguments');
+                        const positionalCallable = argList?.namedChildren.some(c => c.type !== 'keyword_argument' && (c.type === 'lambda' || c.type === 'identifier'));
+                        if (!positionalCallable)
+                            continue; // Pure metadata registration — skip
+                    }
+                }
+                // Try to get the handler body text from keyword arg 'func' or first positional
+                const funcKw = (0, python_helpers_1.getPythonKeywordArgument)(node, 'func');
+                const bodyText = funcKw ? getBodyText(funcKw, content, 50) : getBodyText(node, content, 50);
+                const hasShell = PY_SHELL.test(bodyText);
+                const hasCodeExec = PY_CODE_EXEC.test(bodyText);
+                const hasFS = PY_FILE.test(bodyText);
+                const hasNetwork = PY_NETWORK.test(bodyText);
+                const hasDB = PY_DB.test(bodyText);
+                if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB)
+                    continue;
+                const strong = hasStrongRestrictions(bodyText);
+                const userCtx = hasUserContext(bodyText);
+                const weak = hasAccessRestrictions(bodyText);
+                if (strong && userCtx)
+                    continue;
+                let baseSeverity = (hasShell || hasCodeExec) ? 'critical' : 'high';
+                let severity = baseSeverity;
+                let note = '';
+                if (hasShell)
+                    note = 'Tool with shell command execution.';
+                else if (hasCodeExec)
+                    note = 'Tool with code execution capability.';
+                else if (hasFS)
+                    note = 'Tool with filesystem access.';
+                else if (hasNetwork)
+                    note = 'Tool with network access.';
+                else if (hasDB)
+                    note = 'Tool with database access.';
+                if (isTestFile || isExample)
+                    severity = 'info';
+                else if (strong || (weak && userCtx)) {
+                    severity = baseSeverity === 'critical' ? 'high' : 'medium';
+                    note += ' (Partial restrictions detected.)';
+                }
+                flagged.add(node.startPosition.row);
+                matches.push({ node, severity: severity, note });
+            }
+            return matches;
+        }
+        // --- JS/TS branch (original) ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression', 'new_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // Detect tool definition calls
+            const isToolDef = /^(defineTool|createTool|registerTool|addTool|tool)$/.test(target.name) ||
+                (target.name === 'tool' && target.object === 'server');
+            if (!isToolDef)
+                continue;
+            if (flagged.has(node.startPosition.row))
+                continue;
+            // Get the handler body
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            let handlerBody = null;
+            for (const arg of args) {
+                if (arg.type === 'arrow_function' || arg.type === 'function_expression') {
+                    handlerBody = arg.childForFieldName('body') ?? arg;
+                    break;
+                }
+                // Also check for object with execute property
+                if (arg.type === 'object') {
+                    const execProp = (0, call_analysis_1.getObjectLiteralProperty)(arg, 'execute');
+                    if (execProp && (execProp.type === 'arrow_function' || execProp.type === 'function_expression')) {
+                        handlerBody = execProp.childForFieldName('body') ?? execProp;
+                        break;
+                    }
+                }
+            }
+            if (!handlerBody)
+                continue;
+            const bodyText = handlerBody.text;
+            // Detect dangerous capabilities
+            const hasFS = /fs\.|readFile|writeFile|unlink|rmSync|mkdir|readdir/i.test(bodyText);
+            const hasShell = /exec\s*\(|spawn\s*\(|execSync|spawnSync|child_process/i.test(bodyText);
+            const hasCodeExec = /eval\s*\(|new\s+Function|vm\.run/i.test(bodyText);
+            const hasNetwork = /fetch\s*\(|axios\.|http\.|got\(/i.test(bodyText);
+            const hasDB = /\.query\s*\(|\.execute\s*\(|\.raw\s*\(|db\./i.test(bodyText);
+            if (!hasFS && !hasShell && !hasCodeExec && !hasNetwork && !hasDB)
+                continue;
+            // Check mitigations
+            const strong = hasStrongRestrictions(bodyText);
+            const weak = hasAccessRestrictions(bodyText);
+            const userCtx = hasUserContext(bodyText);
+            const tenantCtx = hasTenantContext(bodyText);
+            const mcpSafe = isMCPWithSafePatterns(content);
+            if (strong)
+                continue; // Strong restrictions alone are sufficient (confirmation gate, auth throw, etc.)
+            // Determine severity
+            let baseSeverity = (hasShell || hasCodeExec) ? 'critical' : 'high';
+            let severity = baseSeverity;
+            let note = '';
+            if (hasShell)
+                note = 'Tool with shell command execution.';
+            else if (hasCodeExec)
+                note = 'Tool with code execution capability.';
+            else if (hasFS)
+                note = 'Tool with filesystem access.';
+            else if (hasNetwork)
+                note = 'Tool with network access.';
+            else if (hasDB)
+                note = 'Tool with database access.';
+            if (isTestFile || isExample) {
+                severity = 'info';
+            }
+            else if (mcpSafe) {
+                severity = 'info';
+                note += ' (MCP file with sanitization and auth controls.)';
+            }
+            else if (weak && userCtx) {
+                severity = baseSeverity === 'critical' ? 'high' : 'medium';
+                note += ' (Partial restrictions detected.)';
+            }
+            const missingParts = [];
+            if (!weak)
+                missingParts.push('access restrictions');
+            if (!userCtx)
+                missingParts.push('user context');
+            if (missingParts.length > 0)
+                note += ` Missing: ${missingParts.join(', ')}.`;
+            flagged.add(node.startPosition.row);
+            matches.push({ node: args[0] ?? node, severity: severity, note });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Excessive Agency (unbounded loops, no limits)
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-excessive-agency',
+    title: 'Agent with excessive agency',
+    description: 'Agent configured with unbounded execution, disabled limits, or auto-approve without human oversight.',
+    severity: 'high',
+    category: 'ai_excessive_agency',
+    suggestedFix: 'Add iteration limits, timeouts, and human-in-the-loop for sensitive operations.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isAgentOrToolFile(root, ast.filePath, content))
+            return [];
+        // Skip library/framework infrastructure code — users don't control these loops
+        if (/libs[\/\\](core|partners|community)|node_modules[\/\\]|site-packages[\/\\]|packages[\/\\](core|server)|base[\/\\]|abstract[\/\\]|_?internal[\/\\]/i.test(ast.filePath))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const isExample = (0, file_classifier_1.isExampleFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // while True: agent loops
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'while_statement')) {
+                const condition = node.childForFieldName('condition');
+                if (condition && /^True$/.test(condition.text)) {
+                    const bodyText = node.text;
+                    if (/agent|step|run|execute|iterate/i.test(bodyText)) {
+                        const context = getBodyText(node, content);
+                        // Skip bounded loops — explicit exit conditions mean the loop is not truly unbounded
+                        if (hasEarlyExitPattern(bodyText) || hasLoopBoundCheck(bodyText))
+                            continue;
+                        if (hasIterationLimits(context) || hasTimeout(context))
+                            continue;
+                        let severity = 'high';
+                        let note = 'Agent runs in unbounded while True loop.';
+                        if (hasHumanInLoop(context)) {
+                            severity = 'low';
+                            note += ' (Human-in-loop enabled.)';
+                        }
+                        if (isTestFile || isExample)
+                            severity = 'info';
+                        matches.push({ node: condition, severity: severity, note });
+                    }
+                }
+            }
+            // Python keyword arguments for excessive agency patterns
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'keyword_argument')) {
+                const nameNode = node.childForFieldName('name');
+                const valueNode = node.childForFieldName('value');
+                if (!nameNode || !valueNode)
+                    continue;
+                const keyText = nameNode.text;
+                const valueText = valueNode.text;
+                // max_iterations with unbounded value
+                if (/^max_iter(?:ations)?$/i.test(keyText) && /^(-1|None|float\(['"]inf['"]\))$/.test(valueText)) {
+                    matches.push({
+                        node,
+                        severity: isTestFile || isExample ? 'info' : 'high',
+                        note: 'Agent configured with no iteration limit.',
+                    });
+                }
+                // human_input_mode: "NEVER" (AutoGen)
+                if (/^human_input_mode$/i.test(keyText) && /NEVER/i.test(valueText)) {
+                    matches.push({
+                        node,
+                        severity: isTestFile || isExample ? 'info' : 'high',
+                        note: 'AutoGen agent configured to never request human input.',
+                    });
+                }
+                // use_docker=False with code execution context
+                if (/^use_docker$/i.test(keyText) && /^False$/.test(valueText)) {
+                    const context = getBodyText(node, content);
+                    if (/code_execution|allow_code_execution|LocalCommandLineCodeExecutor/i.test(context)) {
+                        matches.push({
+                            node,
+                            severity: isTestFile || isExample ? 'info' : 'critical',
+                            note: 'Code execution without Docker containerization.',
+                        });
+                    }
+                }
+                // code_execution_mode="unsafe"
+                if (/^code_execution_mode$/i.test(keyText) && /unsafe/i.test(valueText)) {
+                    matches.push({
+                        node,
+                        severity: isTestFile || isExample ? 'info' : 'critical',
+                        note: 'CrewAI agent with unsafe code execution mode.',
+                    });
+                }
+                // auto_approve=True
+                if (/^auto_approve$/i.test(keyText) && /^True$/.test(valueText)) {
+                    matches.push({
+                        node,
+                        severity: isTestFile || isExample ? 'info' : 'high',
+                        note: 'Agent auto-approves actions without human review.',
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch (original) ---
+        // while(true) agent loops
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'while_statement')) {
+            const condition = node.childForFieldName('condition');
+            if (condition && /^(true|1)$/.test(condition.text.replace(/[()]/g, ''))) {
+                const bodyText = node.text;
+                if (/agent|step|run|execute|iterate/i.test(bodyText)) {
+                    const context = getBodyText(node, content);
+                    // Skip bounded loops — explicit exit conditions mean the loop is not truly unbounded
+                    if (hasEarlyExitPattern(bodyText) || hasLoopBoundCheck(bodyText))
+                        continue;
+                    if (hasIterationLimits(context) || hasTimeout(context))
+                        continue;
+                    let severity = 'high';
+                    let note = 'Agent runs in unbounded while(true) loop.';
+                    if (hasHumanInLoop(context)) {
+                        severity = 'low';
+                        note += ' (Human-in-loop enabled.)';
+                    }
+                    if (isTestFile || isExample)
+                        severity = 'info';
+                    matches.push({ node: condition, severity: severity, note });
+                }
+            }
+        }
+        // Config properties indicating excessive agency
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'pair')) {
+            const key = node.childForFieldName('key');
+            const value = node.childForFieldName('value');
+            if (!key || !value)
+                continue;
+            const keyText = key.text.replace(/['"]/g, '');
+            const valueText = value.text.replace(/['"]/g, '');
+            // maxIterations: -1/null/Infinity
+            if (/^(maxIterations|max_iter(?:ations)?)$/i.test(keyText) && /^(-1|null|undefined|None|Infinity)$/.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'high',
+                    note: 'Agent configured with no iteration limit.',
+                });
+            }
+            // timeout: 0/false/null
+            if (/^timeout$/i.test(keyText) && /^(-1|0|null|undefined|None|false|False)$/.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'medium',
+                    note: 'Agent timeout disabled.',
+                });
+            }
+            // autoApprove: true
+            if (/^(autoApprove|auto_approve)$/i.test(keyText) && /^true$/i.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'high',
+                    note: 'Agent auto-approves actions without human review.',
+                });
+            }
+            // humanInLoop: false
+            if (/^(humanInLoop|human_in_loop)$/i.test(keyText) && /^(false|False)$/.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'medium',
+                    note: 'Human oversight explicitly disabled.',
+                });
+            }
+            // human_input_mode: NEVER (AutoGen)
+            if (/^human_input_mode$/i.test(keyText) && /NEVER/i.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'high',
+                    note: 'AutoGen agent configured to never request human input.',
+                });
+            }
+            // code_execution_mode: unsafe (CrewAI)
+            if (/^code_execution_mode$/i.test(keyText) && /unsafe/i.test(valueText)) {
+                matches.push({
+                    node,
+                    severity: isTestFile || isExample ? 'info' : 'critical',
+                    note: 'CrewAI agent with unsafe code execution mode.',
+                });
+            }
+            // use_docker: False (AutoGen/CrewAI)
+            if (/^use_docker$/i.test(keyText) && /^(false|False)$/.test(valueText)) {
+                const context = getBodyText(node, content);
+                if (/code_execution|allow_code_execution|LocalCommandLineCodeExecutor/i.test(context)) {
+                    matches.push({
+                        node,
+                        severity: isTestFile || isExample ? 'info' : 'critical',
+                        note: 'Code execution without Docker containerization.',
+                    });
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: LLM Output in Tool Names/Paths
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-llm-output-flow',
+    title: 'LLM output used as tool name or resource path',
+    description: 'LLM output used directly to select tools or access resources. Prompt injection could invoke arbitrary tools.',
+    severity: 'critical',
+    category: 'ai_excessive_agency',
+    suggestedFix: 'Validate tool names/paths against a static allowlist before use.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'high',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isAgentOrToolFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const isExample = (0, file_classifier_1.isExampleFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // call_tool(response.tool_name, ...) patterns
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+                if (!target)
+                    continue;
+                if (/^(call_tool|invoke_tool|execute_tool|run_tool)$/.test(target.name)) {
+                    const argList = node.childForFieldName('arguments');
+                    const firstArg = argList?.namedChildren.find(c => c.type !== 'keyword_argument' && c.type !== 'list_splat' && c.type !== 'dictionary_splat');
+                    if (firstArg && (0, python_helpers_1.isPythonLLMOutputExpression)(firstArg)) {
+                        const context = getBodyText(node, content);
+                        const hasAllowlist = /(?:allowlist|ALLOWED_|valid_tools|allowed_tools|in\s+\w+_tools)/i.test(context);
+                        let severity = 'critical';
+                        if (hasAllowlist)
+                            severity = 'medium';
+                        if (isTestFile || isExample)
+                            severity = 'info';
+                        matches.push({
+                            node,
+                            severity: severity,
+                            note: 'LLM output used as tool name for invocation.',
+                        });
+                    }
+                }
+            }
+            // tools[response.tool] subscript access
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'subscript')) {
+                const obj = node.childForFieldName('value');
+                const subscripts = node.childForFieldName('subscript');
+                if (!obj || !subscripts)
+                    continue;
+                if (!/^(tools|handlers|actions|functions|methods)$/.test(obj.text))
+                    continue;
+                if (!(0, python_helpers_1.isPythonLLMOutputExpression)(subscripts))
+                    continue;
+                const context = getBodyText(node, content);
+                const hasAllowlist = /(?:allowlist|ALLOWED_|valid_tools|in\s+\w+_tools)/i.test(context);
+                let severity = 'high';
+                if (hasAllowlist)
+                    severity = 'medium';
+                if (isTestFile || isExample)
+                    severity = 'info';
+                matches.push({
+                    node,
+                    severity: severity,
+                    note: 'Dynamic tool access using LLM output.',
+                });
+            }
+            return matches;
+        }
+        // --- JS/TS branch (original) ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // callTool, invokeTool, executeTool patterns
+            if (/^(callTool|invokeTool|executeTool|runTool)$/.test(target.name)) {
+                const args = (0, call_analysis_1.getCallArguments)(node);
+                if (args.length > 0 && (0, user_input_1.isLLMOutputExpression)(args[0])) {
+                    const context = getBodyText(node, content);
+                    const hasAllowlist = /(?:allowlist|ALLOWED_|validTools|VALID_TOOLS|allowedTools|includes|has)\s*\(/i.test(context);
+                    let severity = 'critical';
+                    if (hasAllowlist)
+                        severity = 'medium';
+                    if (isTestFile || isExample)
+                        severity = 'info';
+                    matches.push({
+                        node,
+                        severity: severity,
+                        note: 'LLM output used as tool name for invocation.',
+                    });
+                }
+            }
+        }
+        // Also check subscript expressions: tools[response.tool]
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'subscript_expression')) {
+            const object = node.childForFieldName('object');
+            const index = node.childForFieldName('index');
+            if (!object || !index)
+                continue;
+            if (!/^(tools|handlers|actions|functions|methods)$/.test(object.text))
+                continue;
+            if (!(0, user_input_1.isLLMOutputExpression)(index))
+                continue;
+            const context = getBodyText(node, content);
+            const hasAllowlist = /(?:allowlist|ALLOWED_|validTools|includes|has)\s*\(/i.test(context);
+            let severity = 'high';
+            if (hasAllowlist)
+                severity = 'medium';
+            if (isTestFile || isExample)
+                severity = 'info';
+            matches.push({
+                node,
+                severity: severity,
+                note: 'Dynamic tool access using LLM output.',
+            });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Recursive Agent Without Depth Limit
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-recursive-agent',
+    title: 'Recursive agent call without depth limit',
+    description: 'Agent function calls itself or spawns sub-agents without visible depth parameter.',
+    severity: 'high',
+    category: 'ai_excessive_agency',
+    suggestedFix: 'Add depth limit: async function runAgent(task, depth = 0) { if (depth > MAX_DEPTH) throw }',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.50,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isAgentOrToolFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const isExample = (0, file_classifier_1.isExampleFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'function_definition')) {
+                const fnName = node.childForFieldName('name')?.text;
+                if (!fnName)
+                    continue;
+                if (!/agent|run|execute|process|handle/i.test(fnName))
+                    continue;
+                if (/schema|type|json|parse|tree|node|format|render|convert|serialize/i.test(fnName))
+                    continue;
+                const body = node.childForFieldName('body');
+                if (!body)
+                    continue;
+                // Check if function calls itself
+                let selfCall = null;
+                (0, ast_1.walkAST)(body, (child) => {
+                    if (child.type === 'call') {
+                        const t = (0, python_helpers_1.resolvePythonCallTarget)(child);
+                        if (t?.name === fnName) {
+                            if (t.object && /^super\b/.test(t.object))
+                                return false;
+                            selfCall = child;
+                            return true;
+                        }
+                    }
+                    return false;
+                });
+                if (!selfCall)
+                    continue;
+                // Check if depth/level parameter exists
+                const params = node.childForFieldName('parameters');
+                const hasDepthParam = params?.text.includes('depth') || params?.text.includes('level') || params?.text.includes('recursion');
+                if (hasDepthParam)
+                    continue;
+                const bodyText = body.text;
+                if (/MAX_DEPTH|max_depth|depth\s*[<>]|level\s*[<>]/i.test(bodyText))
+                    continue;
+                let severity = 'high';
+                if (hasIterationLimits(bodyText) || hasTimeout(bodyText))
+                    severity = 'medium';
+                if (isTestFile || isExample)
+                    severity = 'info';
+                matches.push({
+                    node: selfCall,
+                    severity: severity,
+                    note: `Recursive agent call to "${fnName}" without depth limit.`,
+                });
+            }
+            return matches;
+        }
+        // --- JS/TS branch (original) ---
+        // Find functions that call themselves (recursive)
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'function_declaration')) {
+            const fnName = node.childForFieldName('name')?.text;
+            if (!fnName)
+                continue;
+            if (!/agent|run|execute|process|handle/i.test(fnName))
+                continue;
+            if (/schema|type|json|parse|tree|node|format|render|convert|serialize/i.test(fnName))
+                continue;
+            const body = node.childForFieldName('body');
+            if (!body)
+                continue;
+            // Check if function calls itself
+            let selfCall = null;
+            (0, ast_1.walkAST)(body, (child) => {
+                if (child.type === 'call_expression') {
+                    const t = (0, call_analysis_1.resolveCallTarget)(child);
+                    if (t?.name === fnName) {
+                        if (t.object && /^super\b/.test(t.object))
+                            return false;
+                        selfCall = child;
+                        return true;
+                    }
+                }
+                return false;
+            });
+            if (!selfCall)
+                continue;
+            // Check if depth/level parameter exists
+            const params = node.childForFieldName('parameters');
+            const hasDepthParam = params?.text.includes('depth') || params?.text.includes('level') || params?.text.includes('recursion');
+            if (hasDepthParam)
+                continue;
+            const bodyText = body.text;
+            if (/MAX_DEPTH|maxDepth|max_depth|depth\s*[<>]|level\s*[<>]/i.test(bodyText))
+                continue;
+            let severity = 'high';
+            if (hasIterationLimits(bodyText) || hasTimeout(bodyText))
+                severity = 'medium';
+            if (isTestFile || isExample)
+                severity = 'info';
+            matches.push({
+                node: selfCall,
+                severity: severity,
+                note: `Recursive agent call to "${fnName}" without depth limit.`,
+            });
+        }
+        // Check for spawnAgent/createAgent without limits
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            if (!/^(spawn|create|launch|start)(?:Agent|Worker|Task)$/.test(target.name))
+                continue;
+            // Skip CRUD operations (service.createAgent for DB)
+            const lineText = node.text;
+            if (/(?:service|Service|sdk|SDK|store|Store|runtime|Runtime)\./i.test(lineText))
+                continue;
+            if (/agentService|agentState|marketSDK/i.test(lineText))
+                continue;
+            const context = getBodyText(node, content);
+            // Skip tool-less agents
+            if (!/tools\s*[:=]\s*\[/i.test(context))
+                continue;
+            if (/depth|level|count|limit|max|MAX/i.test(context))
+                continue;
+            matches.push({
+                node,
+                severity: isTestFile || isExample ? 'info' : 'medium',
+                note: 'Sub-agent spawned without depth or count limit.',
+            });
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=agent-tools-ast.js.map