@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/rag-safety-ast.js

@@ -0,0 +1,640 @@
+"use strict";
+/**
+ * AST-Based RAG Safety Detection
+ *
+ * Migrates ai-code/rag-safety.ts from regex to AST.
+ * Detects data exfiltration risks in RAG systems.
+ *
+ * AST advantages:
+ * - Structurally detects vector store queries without filter arguments
+ * - Resolves call chains (retriever.invoke, collection.query)
+ * - Checks for access control scoping in enclosing function
+ * - Distinguishes client-side fuzzy search from vector stores
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLibraryOrFrameworkPath = isLibraryOrFrameworkPath;
+const ast_1 = require("../../parse/ast");
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const import_analysis_1 = require("./helpers/import-analysis");
+const user_input_1 = require("./helpers/user-input");
+const file_classifier_1 = require("../../parse/file-classifier");
+const python_helpers_1 = require("./helpers/python-helpers");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Quick pre-check for any RAG/vector store content */
+const RAG_CONTENT_QUICK_CHECK = /pinecone|weaviate|chromadb|qdrant|langchain.*vectorstore|from\s+langchain|faiss|milvus|VectorStore|Embeddings|pgvector|Retriever|similaritySearch|similarity_search|get_relevant_documents|query_engine|retriever|vectorStore|embeddingModel|llama_index|ChromaDB/i;
+/**
+ * Check if the file path indicates library/framework code that adapts
+ * or implements vector store operations (not application endpoints).
+ */
+function isLibraryOrFrameworkPath(filePath) {
+    return /node_modules[/\\]|site-packages[/\\]|vendor[/\\]|libs[/\\](core|partners|community)|packages[/\\](components|nodes|server)|adapters?[/\\]|providers?[/\\]|connectors?[/\\]|vector_?stores?[/\\]|vectorstores?[/\\]|datasources?[/\\]|retrievers?[/\\]|embeddings?[/\\]|base[/\\]|abstract/i.test(filePath);
+}
+/** Check for vector store imports */
+function hasVectorStoreImports(root, content) {
+    const modules = (0, import_analysis_1.getImportedModules)(root);
+    const vectorModules = /^(pinecone|@pinecone-database|weaviate|chromadb|@qdrant|qdrant|@langchain[\/.]vectorstores|langchain[\/.]vectorstores|faiss|milvus|@supabase)/;
+    if ([...modules].some(m => vectorModules.test(m)))
+        return true;
+    // JS/TS content fallback
+    if (/VectorStore|Embeddings|pgvector/i.test(content))
+        return true;
+    // Python import fallback: from langchain.vectorstores import ..., from chromadb import ...
+    if (/from\s+(?:langchain[._]?vectorstores|chromadb|pinecone|weaviate|qdrant|faiss|milvus)\s+import/i.test(content))
+        return true;
+    if (/import\s+(?:chromadb|pinecone|weaviate|qdrant)/i.test(content))
+        return true;
+    return false;
+}
+/** Check if a method name indicates an embedding operation (returns vectors, not documents) */
+function isEmbeddingMethod(name) {
+    return /^a?(embed|create_?embedding|encode)/i.test(name);
+}
+/** Check if the enclosing function is an ingestion/transformation operation (write-path) */
+function isIngestionContext(fnName) {
+    return /ingest|transform|load|split|chunk|process|parse|convert|prepare|index_doc/i.test(fnName);
+}
+/** Check if a .retrieve() call is an OpenAI REST CRUD call, not a vector similarity search */
+function isOpenAICRUDRetrieve(node) {
+    const text = node.text;
+    return /openai\.(beta\.)?(assistants|vector_?stores|files|threads|messages|runs)\./i.test(text);
+}
+/** Check if file is client-side fuzzy search (NOT a vector store) */
+function isClientSideFuzzySearch(root, content) {
+    if (!/fuse|flexsearch|lunr|minisearch|fuzzysort|match-sorter/i.test(content))
+        return false;
+    const modules = (0, import_analysis_1.getImportedModules)(root);
+    const fuzzyModules = /^(fuse\.js|flexsearch|lunr|minisearch|fuzzysort|match-sorter)$/;
+    return [...modules].some(m => fuzzyModules.test(m));
+}
+/** Check if file is in RAG context */
+function isRAGContextFile(root, filePath, content) {
+    // Quick content pre-check — skip files without any RAG/vector indicators
+    if (!RAG_CONTENT_QUICK_CHECK.test(content))
+        return false;
+    if (isClientSideFuzzySearch(root, content))
+        return false;
+    if (!hasVectorStoreImports(root, content))
+        return false;
+    if (/\/(rag|retrieval|retriever|embedding|vector|knowledge|search|index)\//i.test(filePath))
+        return true;
+    return /VectorStore|Embeddings|Retriever|similaritySearch|query_engine|retriever|vectorStore|embeddingModel/i.test(content);
+}
+/** Check for access control scoping in context */
+function hasAccessControlScoping(bodyText) {
+    return /userId|user_id|user\.id|currentUser|tenantId|tenant_id|tenant\.id|orgId|org_id|workspaceId|namespace\s*[:=]|checkAccess|verifyPermission|canAccess|hasAccess|filterByUser|filterByTenant|new.*Model\(.*user_?[iI]d\)|ctx\.userId|context\.user|where.*user_?id\s*[:=]/i.test(bodyText);
+}
+/** Check for auth in context */
+function hasAuth(bodyText) {
+    return /getSession|getCurrentUser|getServerSession|auth\(\)|requireAuth|verifyToken|req\.user|request\.user|userId|user\.id/i.test(bodyText);
+}
+/** Check for response filtering */
+function hasResponseFiltering(bodyText) {
+    return /\.map\s*\([^)]*\.(title|name|id|metadata|pageContent|content|text)\)|\.filter\s*\(|sanitize|redact|mask|strip/i.test(bodyText);
+}
+/** Check for content sanitization */
+function hasSanitization(bodyText) {
+    return /\bsanitize\b|\bvalidate\b|\bfilter\(|\bclean\(|\bstrip\(|\bclassify\(|\bscan\(|\bdetect.*injection|\bcontentFilter\b|\bbleach\b|\bescape\b/i.test(bodyText);
+}
+/** Get enclosing function name */
+function findEnclosingFunctionName(node) {
+    let current = node.parent;
+    while (current) {
+        if (/function_declaration|function_expression|method_definition|function_definition/.test(current.type)) {
+            return current.childForFieldName('name')?.text ?? null;
+        }
+        if (current.type === 'variable_declarator') {
+            return current.childForFieldName('name')?.text ?? null;
+        }
+        current = current.parent;
+    }
+    return null;
+}
+/** Get enclosing function body text */
+function getEnclosingBodyText(node, content) {
+    let current = node.parent;
+    while (current) {
+        if (/function_declaration|arrow_function|function_expression|method_definition|function_definition/.test(current.type)) {
+            return (current.childForFieldName('body') ?? current).text;
+        }
+        current = current.parent;
+    }
+    return content;
+}
+/**
+ * Check if a node contains an identifier that was assigned from user input in the body text.
+ * Looks for patterns like `varName = request.json.get(...)` or `varName = request.form[...]`.
+ */
+function containsBodyInputVariable(node, bodyText) {
+    // Collect identifiers in the node
+    const identifiers = [];
+    (0, ast_1.walkAST)(node, (child) => {
+        if (child.type === 'identifier') {
+            identifiers.push(child.text);
+        }
+        return false;
+    });
+    // Check if any identifier was assigned from user input in the enclosing body
+    for (const name of identifiers) {
+        const assignPattern = new RegExp(`${name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*=\\s*(?:request\\.|input\\()`);
+        if (assignPattern.test(bodyText))
+            return true;
+    }
+    return false;
+}
+// ============================================================================
+// AST Rule: Unscoped Vector Store Query
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-rag-unscoped-retrieval',
+    title: 'Vector store query without user/tenant scoping',
+    description: 'Vector store query may retrieve documents from other users, enabling cross-tenant data access.',
+    severity: 'high',
+    category: 'ai_rag_exfiltration',
+    suggestedFix: 'Add filter/metadata parameter to scope queries: .query(query, { filter: { userId: currentUser.id } })',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if (isLibraryOrFrameworkPath(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isRAGContextFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const isExample = (0, file_classifier_1.isExampleFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if ((0, python_helpers_1.isPythonMethodCallOn)(node, /vector_?store|retriever|collection|index/, ['query', 'similarity_search', 'get_relevant_documents', 'search'])) {
+                    // Skip embedding methods (returns vectors, not documents)
+                    const fnNode = node.childForFieldName('function');
+                    const methodName = fnNode?.type === 'attribute' ? fnNode.childForFieldName('attribute')?.text ?? '' : '';
+                    if (isEmbeddingMethod(methodName))
+                        continue;
+                    const bodyText = getEnclosingBodyText(node, content);
+                    if (hasAccessControlScoping(bodyText))
+                        continue;
+                    // Check for filter= keyword arg
+                    const filterArg = (0, python_helpers_1.getPythonKeywordArgument)(node, 'filter');
+                    if (filterArg)
+                        continue;
+                    let severity = 'high';
+                    let note = 'Vector store query without user/tenant scoping.';
+                    if (hasAuth(bodyText)) {
+                        severity = 'medium';
+                        note += ' Auth detected but no filter parameter visible.';
+                    }
+                    if (isTestFile || isExample) {
+                        severity = 'info';
+                        note += isTestFile ? ' (in test file)' : ' (in example directory)';
+                    }
+                    matches.push({ node, severity, note });
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // .query(), .search(), .similaritySearch(), .retrieve(), .invoke()
+            const queryMethods = /^(query|search|similaritySearch|retrieve|invoke|getRelevantDocuments|nearText)$/;
+            if (!queryMethods.test(target.name))
+                continue;
+            // Skip embedding methods (returns float[][], not documents)
+            if (isEmbeddingMethod(target.name))
+                continue;
+            // Skip OpenAI REST CRUD .retrieve() calls (assistants.retrieve, files.retrieve, etc.)
+            if (target.name === 'retrieve' && isOpenAICRUDRetrieve(node))
+                continue;
+            // Get enclosing body for context
+            const bodyText = getEnclosingBodyText(node, content);
+            // Skip if access control scoping detected
+            if (hasAccessControlScoping(bodyText)) {
+                continue;
+            }
+            let severity = 'high';
+            let note = 'Vector store query without user/tenant scoping.';
+            if (hasAuth(bodyText)) {
+                severity = 'medium';
+                note += ' Auth detected but no filter parameter visible.';
+            }
+            if (isTestFile || isExample) {
+                severity = 'info';
+                note += isTestFile ? ' (in test file)' : ' (in example directory)';
+            }
+            matches.push({ node, severity, note });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: RAG Context Exposure
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-rag-context-exposure',
+    title: 'Retrieved documents exposed in API response',
+    description: 'Raw retrieved documents returned in API response may leak sensitive knowledge base content.',
+    severity: 'medium',
+    category: 'ai_rag_exfiltration',
+    suggestedFix: 'Return only synthesized response or document IDs/titles. Filter to metadata only for source attribution.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if (isLibraryOrFrameworkPath(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isRAGContextFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // Check return/response statements with RAG-related content
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'return_statement')) {
+                const returnValue = node.namedChildren[0];
+                if (!returnValue)
+                    continue;
+                // Check the return value and enclosing function body for RAG content exposure
+                const bodyText = getEnclosingBodyText(node, content);
+                const returnText = returnValue.text;
+                // Direct RAG identifiers in return
+                const hasRagIds = /source_documents|retrieved_docs|documents|chunks|retrieved_context|rag_context/.test(returnText);
+                // Metadata exposure: .metadata must appear in the return value itself (not just body)
+                const hasMetadataExposure = /\.metadata\b/.test(returnText) && /similarity_search|get_relevant_documents|query|retrieve/.test(bodyText);
+                if (!hasRagIds && !hasMetadataExposure)
+                    continue;
+                if (hasResponseFiltering(bodyText))
+                    continue;
+                // Skip ingestion/transformation contexts (write-path, not read-path)
+                const fn = findEnclosingFunctionName(node);
+                if (fn && isIngestionContext(fn))
+                    continue;
+                let severity = 'medium';
+                if (!hasAuth(bodyText))
+                    severity = 'high';
+                if (isTestFile)
+                    severity = 'info';
+                matches.push({
+                    node,
+                    severity,
+                    note: 'Raw retrieved documents in API response.',
+                });
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // res.json(...) or NextResponse.json(...)
+            if (!(target.name === 'json' && /^(res|response|NextResponse|Response)$/.test(target.object ?? '')))
+                continue;
+            // Check if arguments contain RAG-related identifiers
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            for (const arg of args) {
+                if (/sourceDocuments|retrievedDocs|documents|chunks|retrievedContext|ragContext/.test(arg.text)) {
+                    const bodyText = getEnclosingBodyText(node, content);
+                    if (hasResponseFiltering(bodyText))
+                        continue;
+                    // Skip ingestion/transformation contexts (write-path, not read-path)
+                    const fn = findEnclosingFunctionName(node);
+                    if (fn && isIngestionContext(fn))
+                        continue;
+                    let severity = 'medium';
+                    if (!hasAuth(bodyText))
+                        severity = 'high';
+                    if (isTestFile)
+                        severity = 'info';
+                    matches.push({
+                        node,
+                        severity,
+                        note: 'Raw retrieved documents in API response.',
+                    });
+                    break;
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Corpus Poisoning
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-rag-corpus-poisoning',
+    title: 'User content embedded without sanitization',
+    description: 'User-provided content embedded directly into vector store. Malicious instructions could poison the RAG corpus.',
+    severity: 'high',
+    category: 'ai_rag_corpus_poisoning',
+    suggestedFix: 'Sanitize user content before embedding: const sanitized = sanitizeForRAG(content); await embed(sanitized)',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if (isLibraryOrFrameworkPath(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isRAGContextFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if ((0, python_helpers_1.isPythonMethodCallOn)(node, /collection|index|store|vector_?store/, ['add', 'upsert', 'add_documents', 'add_texts', 'insert'])) {
+                    const argList = node.childForFieldName('arguments');
+                    if (!argList)
+                        continue;
+                    const bodyText = getEnclosingBodyText(node, content);
+                    const userInputBodyPattern = /request\.(?:json|data|form|args|values)\b/;
+                    // Find the argument node that carries user input
+                    let userInputArgNode = null;
+                    for (const arg of argList.namedChildren) {
+                        if (arg.type === 'keyword_argument') {
+                            const kwName = arg.childForFieldName('name');
+                            // Only check 'texts' or 'documents' keyword args (the content args)
+                            if (kwName && /^(texts|documents|data)$/.test(kwName.text)) {
+                                const kwValue = arg.childForFieldName('value');
+                                if (kwValue && ((0, python_helpers_1.isPythonUserInputExpression)(kwValue) ||
+                                    /request\.data|request\.json|request\.form|upload|file\.content/.test(kwValue.text) ||
+                                    (userInputBodyPattern.test(bodyText) && containsBodyInputVariable(kwValue, bodyText)))) {
+                                    userInputArgNode = kwValue;
+                                }
+                            }
+                            continue;
+                        }
+                        // Positional arg
+                        if ((0, python_helpers_1.isPythonUserInputExpression)(arg) ||
+                            /request\.data|request\.json|request\.form|upload|file\.content/.test(arg.text) ||
+                            (userInputBodyPattern.test(bodyText) && containsBodyInputVariable(arg, bodyText))) {
+                            userInputArgNode = arg;
+                        }
+                    }
+                    if (!userInputArgNode)
+                        continue;
+                    // Skip if metadatas kwarg contains PII fields — defer to PII rule
+                    const metadatasArg = (0, python_helpers_1.getPythonKeywordArgument)(node, 'metadatas');
+                    if (metadatasArg && /email|ssn|phone|fullName|address|cardNumber|patientName|medicalRecord/i.test(metadatasArg.text)) {
+                        continue;
+                    }
+                    if (hasSanitization(bodyText))
+                        continue;
+                    matches.push({
+                        node: userInputArgNode,
+                        severity: isTestFile ? 'info' : 'high',
+                        note: 'User-provided content flows to vector store without sanitization.',
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            // .add(), .upsert(), .addDocuments(), .embed(), .createEmbedding()
+            const embedMethods = /^(add|upsert|addDocuments|embed|createEmbedding|create|insert)$/;
+            if (!embedMethods.test(target.name))
+                continue;
+            // Check if any argument references user input
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            const hasUserContent = args.some(arg => (0, user_input_1.isUserInputExpression)(arg) ||
+                /user\.content|req\.body|upload|file\.content|document\.content/.test(arg.text));
+            if (!hasUserContent)
+                continue;
+            const bodyText = getEnclosingBodyText(node, content);
+            if (hasSanitization(bodyText))
+                continue;
+            let severity = 'high';
+            if (isTestFile)
+                severity = 'info';
+            matches.push({
+                node,
+                severity,
+                note: 'User-provided content flows to vector store without sanitization.',
+            });
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: PII in Embedded Documents
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-rag-pii-leakage',
+    title: 'PII fields in document metadata',
+    description: 'PII fields stored in document metadata will be exposed when documents are retrieved.',
+    severity: 'high',
+    category: 'ai_rag_pii_leakage',
+    suggestedFix: 'Remove PII from metadata. Store only non-sensitive identifiers: { userId: user.id, category: doc.type }',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if (isLibraryOrFrameworkPath(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isRAGContextFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        const piiFields = /^(email|ssn|phone(?:Number)?|fullName|dateOfBirth|dob|address|socialSecurity|cardNumber|cvv|accountNum|insuranceId|patientName|patientDob|medicalRecord|diagnosis)$/i;
+        const criticalPII = /^(ssn|socialSecurity|cardNumber|cvv|patientSsn|medicalRecord)$/i;
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            // Look for metadatas=[{...}] or metadata={...} keyword args in vector store calls
+            const rawPiiMatches = [];
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'keyword_argument')) {
+                const nameNode = node.childForFieldName('name');
+                if (!nameNode || !/^metadata[s]?$/.test(nameNode.text))
+                    continue;
+                // Scan all dicts nested under this kwarg for PII keys
+                (0, ast_1.walkAST)(node, (child) => {
+                    if (child.type === 'pair') {
+                        const pairKey = child.childForFieldName('key');
+                        const propName = pairKey?.text.replace(/['"]/g, '') ?? '';
+                        if (piiFields.test(propName)) {
+                            const isCritical = criticalPII.test(propName);
+                            rawPiiMatches.push({
+                                node: child,
+                                severity: isTestFile ? 'info' : (isCritical ? 'critical' : 'high'),
+                                note: `PII field "${propName}" in document metadata.`,
+                            });
+                        }
+                    }
+                    return false;
+                });
+            }
+            // Deduplicate PII matches within 3-line proximity (keep first in each group)
+            const dedupedPii = [];
+            for (const m of rawPiiMatches) {
+                const mLine = m.node.startPosition.row;
+                const isDuplicate = dedupedPii.some(existing => {
+                    const existingLine = existing.node.startPosition.row;
+                    return Math.abs(mLine - existingLine) <= 3;
+                });
+                if (!isDuplicate) {
+                    dedupedPii.push(m);
+                }
+            }
+            matches.push(...dedupedPii);
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'pair')) {
+            // Look for metadata objects with PII fields
+            const key = node.childForFieldName('key');
+            if (key?.text.replace(/['"]/g, '') !== 'metadata')
+                continue;
+            const value = node.childForFieldName('value');
+            if (value?.type !== 'object')
+                continue;
+            // Check properties in metadata object for PII
+            for (const child of value.namedChildren) {
+                if (child.type === 'pair') {
+                    const propKey = child.childForFieldName('key');
+                    const propName = propKey?.text.replace(/['"]/g, '') ?? '';
+                    if (piiFields.test(propName)) {
+                        const isCritical = criticalPII.test(propName);
+                        matches.push({
+                            node: child,
+                            severity: isTestFile ? 'info' : (isCritical ? 'critical' : 'high'),
+                            note: `PII field "${propName}" in document metadata.`,
+                        });
+                    }
+                }
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Query Injection
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-rag-query-injection',
+    title: 'User input directly in retrieval query',
+    description: 'User input flows to vector store query without sanitization. Could manipulate retrieval results.',
+    severity: 'high',
+    category: 'ai_rag_query_injection',
+    suggestedFix: 'Validate and sanitize user queries before retrieval.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.45,
+    layer: 2,
+    source: 'ai_code',
+    requiresAIValidation: true,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if (isLibraryOrFrameworkPath(ast.filePath))
+            return [];
+        const root = ast.tree.rootNode;
+        if (!isRAGContextFile(root, ast.filePath, content))
+            return [];
+        const isTestFile = (0, file_classifier_1.isTestOrMockFile)(ast.filePath);
+        const matches = [];
+        // --- Python branch ---
+        if (ast.language === 'python') {
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if ((0, python_helpers_1.isPythonMethodCallOn)(node, /vector_?store|retriever|collection|index/, ['query', 'similarity_search', 'search', 'invoke', 'retrieve'])) {
+                    const argList = node.childForFieldName('arguments');
+                    const firstArg = argList?.namedChildren.find(c => c.type !== 'keyword_argument' && c.type !== 'list_splat' && c.type !== 'dictionary_splat');
+                    if (!firstArg)
+                        continue;
+                    const bodyText = getEnclosingBodyText(node, content);
+                    const isDirectInput = (0, python_helpers_1.isPythonUserInputExpression)(firstArg);
+                    // Indirect: identifier assigned from user input (e.g. query = request.args.get("q"))
+                    const isIndirectInput = !isDirectInput && firstArg.type === 'identifier' &&
+                        containsBodyInputVariable(firstArg, bodyText);
+                    if (!isDirectInput && !isIndirectInput)
+                        continue;
+                    if (/sanitize|validate|clean|escape/i.test(bodyText))
+                        continue;
+                    // For indirect input, check if filter= kwarg provides user/tenant scoping
+                    if (isIndirectInput) {
+                        const filterArg = (0, python_helpers_1.getPythonKeywordArgument)(node, 'filter');
+                        if (filterArg && /user_?id|tenant_?id|org_?id|namespace/i.test(filterArg.text))
+                            continue;
+                    }
+                    matches.push({
+                        node: firstArg,
+                        severity: isTestFile ? 'info' : 'high',
+                        note: 'User input flows directly to vector store query.',
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JS/TS branch ---
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            const target = (0, call_analysis_1.resolveCallTarget)(node);
+            if (!target)
+                continue;
+            const queryMethods = /^(query|search|similaritySearch|invoke|retrieve)$/;
+            if (!queryMethods.test(target.name))
+                continue;
+            // Check if first argument is user input
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length === 0)
+                continue;
+            // Unwrap TypeScript 'as' expression (e.g., req.query.q as string)
+            let argToCheck = args[0];
+            if (argToCheck.type === 'as_expression' || argToCheck.type === 'satisfies_expression') {
+                const inner = argToCheck.namedChildren[0];
+                if (inner)
+                    argToCheck = inner;
+            }
+            if ((0, user_input_1.isUserInputExpression)(argToCheck)) {
+                const bodyText = getEnclosingBodyText(node, content);
+                if (/sanitize|validate|clean|escape|zod|schema\.parse|safeParse/i.test(bodyText))
+                    continue;
+                // Check if query call has a filter argument with access control scoping
+                if (args.length >= 2) {
+                    const optionsArg = args[1];
+                    if (optionsArg.type === 'object') {
+                        const filterProp = (0, call_analysis_1.getObjectLiteralProperty)(optionsArg, 'filter');
+                        if (filterProp && /userId|user_id|tenantId|tenant_id|orgId|org_id|namespace/i.test(filterProp.text))
+                            continue;
+                    }
+                }
+                matches.push({
+                    node: argToCheck,
+                    severity: isTestFile ? 'info' : 'high',
+                    note: 'User input flows directly to vector store query.',
+                });
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=rag-safety-ast.js.map