npm - @ship-safe/cli - Versions diffs - 1.1.13 → 1.1.16 - Mend

@ship-safe/cli 1.1.13 → 1.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +921 -36
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -4125,6 +4125,59 @@ var SEVERITY_ORDER = {
   low: 3,
   info: 4
 };
+var TIERS = {
+  free: {
+    id: "free",
+    displayName: "Free",
+    kind: "free",
+    priceCents: 0,
+    aiScans: 0,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 0
+  },
+  growth: {
+    id: "growth",
+    displayName: "Growth",
+    kind: "subscription",
+    priceCents: 1900,
+    aiScans: 8,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 999
+  },
+  shield: {
+    id: "shield",
+    displayName: "Shield",
+    kind: "subscription",
+    priceCents: 3900,
+    aiScans: 15,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 999
+  },
+  audit: {
+    id: "audit",
+    displayName: "Pro Audit",
+    kind: "one_time",
+    priceCents: 900,
+    aiScans: 3,
+    aiScansAreLifetime: true,
+    fixPromptsPerMonth: 0
+  }
+};
+var AI_SCAN_LIMITS = {
+  free: TIERS.free.aiScans,
+  growth: TIERS.growth.aiScans,
+  shield: TIERS.shield.aiScans,
+  audit: TIERS.audit.aiScans
+};
+var FIX_PROMPT_LIMITS = {
+  free: TIERS.free.fixPromptsPerMonth,
+  growth: TIERS.growth.fixPromptsPerMonth,
+  shield: TIERS.shield.fixPromptsPerMonth,
+  audit: TIERS.audit.fixPromptsPerMonth
+};
+var LIFETIME_TIERS = new Set(
+  Object.values(TIERS).filter((t) => t.aiScansAreLifetime).map((t) => t.id)
+);
 var LANGUAGE_EXTENSIONS = {
   ".js": "javascript",
   ".jsx": "javascript",
@@ -4145,7 +4198,25 @@ var LANGUAGE_EXTENSIONS = {
   ".yml": "yaml",
   ".yaml": "yaml",
   ".json": "json",
-  ".toml": "toml"
+  ".toml": "toml",
+  // Added for AI-agent rules (round 7-vuln):
+  ".md": "markdown",
+  ".mdc": "markdown",
+  // Cursor 2026 rules format
+  ".sql": "sql",
+  ".sh": "shell",
+  ".bash": "shell",
+  ".zsh": "shell"
+};
+var LANGUAGE_FILENAMES = {
+  ".cursorrules": "markdown",
+  ".windsurfrules": "markdown",
+  ".clinerules": "markdown",
+  ".continuerules": "markdown",
+  ".aiderules": "markdown",
+  ".roorules": "markdown",
+  Dockerfile: "dockerfile",
+  Containerfile: "dockerfile"
 };
 var IGNORE_PATTERNS = [
   "node_modules",
@@ -4159,7 +4230,10 @@ var IGNORE_PATTERNS = [
   ".venv",
   "vendor",
   ".idea",
-  ".vscode",
+  // NOTE: `.vscode` intentionally removed — GitHub Copilot CVE-2025-53773
+  // modifies `.vscode/settings.json` to bypass guardrails, and we need to
+  // scan that file. Keep `.vscode/launch.json` etc out via specific rules
+  // if false-positive volume becomes an issue.
   "*.min.js",
   "*.min.css",
   "*.map",
@@ -4244,6 +4318,8 @@ var llmResponseSchema = external_exports.object({
 import path from "path";
 import { createHash } from "crypto";
 function detectLanguage(filePath) {
+  const basename = path.basename(filePath);
+  if (LANGUAGE_FILENAMES[basename]) return LANGUAGE_FILENAMES[basename];
   const ext = path.extname(filePath).toLowerCase();
   return LANGUAGE_EXTENSIONS[ext] ?? "unknown";
 }
@@ -4727,16 +4803,19 @@ var SECRET_RULES = [
   {
     id: "secrets/openai-api-key",
     title: "OpenAI API Key Detected",
-    description: "An OpenAI API key was found hardcoded. This can incur charges on your OpenAI account.",
+    description: "An OpenAI API key was found hardcoded. Anyone with repo access (or anyone running your built bundle) can drain your balance \u2014 and bots scrape GitHub for these continuously, so assume the key is already compromised.",
     severity: "critical",
     confidence: "high",
     cwe: "CWE-798",
+    owasp: "A07:2021",
     languages: ["*"],
     patterns: [
+      // Legacy 2023-era keys
       { regex: "sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}", type: "match" },
-      { regex: "sk-proj-[a-zA-Z0-9\\-_]{40,}", type: "match" }
+      // Modern project-scoped, service-account, and sandbox key prefixes (2024+)
+      { regex: "sk-(?:proj|svcacct|None)-[a-zA-Z0-9_-]{20,}", type: "match" }
     ],
-    fix: { description: "Move your OpenAI key to an environment variable.", suggestion: "process.env.OPENAI_API_KEY" }
+    fix: { description: "Rotate at platform.openai.com immediately. Move the key to a server-only env var. If this was in a public repo for any window, assume it's drained.", suggestion: "process.env.OPENAI_API_KEY" }
   },
   {
     id: "secrets/supabase-service-role",
@@ -4851,6 +4930,201 @@ var SECRET_RULES = [
     ],
     excludePatterns: [{ regex: "(?:test|spec|mock|fixture|seed|placeholder|example|\\.test\\.|\\.spec\\.|__test__|jest|vitest)", type: "context_line" }],
     fix: { description: "Remove default credentials from code. Use environment variables and generate strong, unique passwords for each deployment." }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: AI provider keys + vector DB keys + extension
+  // publish tokens. Sourced from tasks/HANDOFF_CLAUDE_CODE.md §I + §4.3.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "secrets/anthropic-api-key",
+    title: "Anthropic API Key Detected",
+    description: "An Anthropic API key (sk-ant-...) is sitting in source. Anyone with repo access can run up your Anthropic bill. Bots scrape GitHub for these continuously.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    owasp: "A07:2021",
+    languages: ["*"],
+    patterns: [{ regex: "sk-ant-[a-zA-Z0-9_-]{40,}", type: "match" }],
+    excludePatterns: [{ regex: "(?:example|test|fake|dummy|placeholder|xxxx|YOUR_KEY)", type: "context_line" }],
+    fix: { description: "Rotate at console.anthropic.com immediately. Move the key to a server-only env var. The key was already scraped \u2014 assume it's compromised, don't just remove the commit.", suggestion: "process.env.ANTHROPIC_API_KEY" }
+  },
+  {
+    id: "secrets/google-ai-key",
+    title: "Google AI Studio / Gemini API Key Detected",
+    description: "A Google AI Studio API key (AIza...) used for Gemini API and AI Studio. Same scrape risk as other AI keys.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    owasp: "A07:2021",
+    languages: ["*"],
+    patterns: [
+      { regex: `(?:GEMINI|GOOGLE_AI|GOOGLE_GEN_AI|GENAI)_API_KEY\\s*[:=]\\s*["']?AIza[A-Za-z0-9_-]{35}`, type: "match" },
+      { regex: `["']AIza[A-Za-z0-9_-]{35}["']`, type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:example|test|fake|placeholder)", type: "context_line" }],
+    fix: { description: "Revoke in Google AI Studio (https://aistudio.google.com/apikey). Create a new key with API restrictions and move to server-side env vars.", suggestion: "process.env.GEMINI_API_KEY" }
+  },
+  {
+    id: "secrets/grok-xai-key",
+    title: "xAI / Grok API Key Detected",
+    description: "An xAI/Grok API key (xai-...). Newer provider, same blast radius.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bxai-[a-zA-Z0-9]{60,}\\b", type: "match" }],
+    fix: { description: "Rotate at https://console.x.ai. Server-side only from now on.", suggestion: "process.env.XAI_API_KEY" }
+  },
+  {
+    id: "secrets/huggingface-token",
+    title: "Hugging Face Token Detected",
+    description: "A Hugging Face access token (hf_...). Used for model downloads, inference API, dataset pushes. Has push permissions on repos by default.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bhf_[A-Za-z0-9]{34}\\b", type: "match" }],
+    fix: { description: "Revoke at huggingface.co/settings/tokens. Create a read-only token if that's all you need.", suggestion: "process.env.HUGGINGFACE_TOKEN" }
+  },
+  {
+    id: "secrets/replicate-token",
+    title: "Replicate API Token Detected",
+    description: "A Replicate API token (r8_...). Replicate runs ML models \u2014 your billing balance is directly burnable.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\br8_[A-Za-z0-9]{37,40}\\b", type: "match" }],
+    fix: { description: "Rotate at replicate.com/account/api-tokens immediately.", suggestion: "process.env.REPLICATE_API_TOKEN" }
+  },
+  {
+    id: "secrets/groq-api-key",
+    title: "Groq API Key Detected",
+    description: "A Groq API key (gsk_...). Same blast radius as OpenAI keys \u2014 burnable balance, no scope.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bgsk_[A-Za-z0-9]{52,56}\\b", type: "match" }],
+    fix: { description: "Rotate at console.groq.com/keys.", suggestion: "process.env.GROQ_API_KEY" }
+  },
+  {
+    id: "secrets/perplexity-api-key",
+    title: "Perplexity API Key Detected",
+    description: "A Perplexity API key (pplx-...).",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bpplx-[A-Za-z0-9]{48,56}\\b", type: "match" }],
+    fix: { description: "Rotate at perplexity.ai/settings/api.", suggestion: "process.env.PERPLEXITY_API_KEY" }
+  },
+  {
+    id: "secrets/together-api-key",
+    title: "Together AI API Key Detected",
+    description: "A Together AI API key. 64-hex-char format \u2014 requires the env-var context to fire to avoid false positives on file hashes.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:TOGETHER_API_KEY|TOGETHERAI_API_KEY)\\s*[:=]\\s*["']?[a-f0-9]{64}["']?`, type: "match" }],
+    fix: { description: "Rotate at api.together.xyz/settings/api-keys.", suggestion: "process.env.TOGETHER_API_KEY" }
+  },
+  {
+    id: "secrets/elevenlabs-api-key",
+    title: "ElevenLabs API Key Detected",
+    description: "An ElevenLabs API key. Voice synthesis charges run fast \u2014 a prompt-injection that generates 30-minute outputs against a leaked key burns the balance in hours.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    // Both patterns must match the file (engine §1.1b context_line filter)
+    // because 32-hex strings appear all over (hashes, UUIDs).
+    patterns: [
+      { regex: `(?:ELEVENLABS|XI)_API_KEY\\s*[:=]\\s*["']?(?:sk_)?[a-f0-9]{32}`, type: "match" }
+    ],
+    fix: { description: "Rotate at elevenlabs.io/app/settings/api-keys.", suggestion: "process.env.ELEVENLABS_API_KEY" }
+  },
+  {
+    id: "secrets/mistral-api-key",
+    title: "Mistral AI API Key Detected",
+    description: "A Mistral AI API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `\\bMISTRAL_API_KEY\\s*[:=]\\s*["']?[A-Za-z0-9]{32,}["']?`, type: "match" }],
+    fix: { description: "Rotate at console.mistral.ai/api-keys.", suggestion: "process.env.MISTRAL_API_KEY" }
+  },
+  {
+    id: "secrets/cohere-api-key",
+    title: "Cohere API Key Detected",
+    description: "A Cohere API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `\\bCOHERE_API_KEY\\s*[:=]\\s*["']?[A-Za-z0-9]{40,}["']?`, type: "match" }],
+    fix: { description: "Rotate at dashboard.cohere.com/api-keys.", suggestion: "process.env.COHERE_API_KEY" }
+  },
+  {
+    id: "secrets/deepseek-api-key",
+    title: "DeepSeek API Key Detected",
+    description: "A DeepSeek API key (sk-...). Format collides with OpenAI legacy keys, so detection requires the DEEPSEEK_API_KEY env-var context to avoid false positives.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [
+      { regex: `(?:DEEPSEEK|DEEP_SEEK)_API_KEY\\s*[:=]\\s*["']?sk-[a-f0-9]{32}["']?`, type: "match" }
+    ],
+    fix: { description: "Rotate at platform.deepseek.com/api_keys.", suggestion: "process.env.DEEPSEEK_API_KEY" }
+  },
+  {
+    id: "secrets/pinecone-api-key",
+    title: "Pinecone API Key Detected",
+    description: "A Pinecone vector DB API key. Pinecone keys grant read+write on every index by default \u2014 an attacker with the key can dump or wipe your embeddings.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [
+      { regex: "\\bpcsk_[A-Za-z0-9_]{40,}\\b", type: "match" }
+    ],
+    fix: { description: "Rotate at app.pinecone.io. Restrict the new key to a specific project and consider creating index-scoped keys.", suggestion: "process.env.PINECONE_API_KEY" }
+  },
+  {
+    id: "secrets/weaviate-api-key",
+    title: "Weaviate API Key Detected",
+    description: "A Weaviate API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:WEAVIATE_API_KEY|WEAVIATE_ADMIN_API_KEY)\\s*[:=]\\s*["']?[A-Za-z0-9-]{32,}["']?`, type: "match" }],
+    fix: { description: "Rotate the key in your Weaviate Cloud console. Prefer read-only keys for client-reachable code.", suggestion: "process.env.WEAVIATE_API_KEY" }
+  },
+  {
+    id: "secrets/vsce-publish-token",
+    title: "VS Code Marketplace Publish Token Detected",
+    description: "A VSCE personal access token publishes extensions to the VS Code Marketplace. The Clinejection attack stole this exact token via CI cache poisoning and published malware to millions of installs. Rotate immediately.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:VSCE_PAT|VSCE_TOKEN|VSCODE_MARKETPLACE_TOKEN)\\s*[:=]\\s*["']?[A-Za-z0-9]{52,}`, type: "match" }],
+    fix: { description: "Rotate the token in https://dev.azure.com immediately. Move to GitHub Actions OIDC for publishing if possible. Audit the extension's recent versions for tampering.", suggestion: "process.env.VSCE_PAT" }
+  },
+  {
+    id: "secrets/ovsx-publish-token",
+    title: "Open VSX Publish Token Detected",
+    description: "An Open VSX publish token. Same blast radius as VSCE_PAT \u2014 the Clinejection attack stole this token alongside.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:OVSX_PAT|OVSX_TOKEN|OPEN_VSX_TOKEN)\\s*[:=]\\s*["']?[A-Za-z0-9-]{30,}`, type: "match" }],
+    fix: { description: "Rotate at https://open-vsx.org/user-settings/tokens. Re-publish the latest known-good version of your extension after confirming the source hasn't been tampered with.", suggestion: "process.env.OVSX_PAT" }
   }
 ];
 var INJECTION_RULES = [
@@ -5091,6 +5365,25 @@ var CONFIG_RULES = [
     patterns: [{ regex: "(?:NextAuth|authOptions|nextauth)\\s*[:=(]", type: "match" }],
     excludePatterns: [{ regex: "(?:NEXTAUTH_SECRET|secret\\s*:\\s*process\\.env|AUTH_SECRET|NEXT_AUTH_SECRET)", type: "context_line" }],
     fix: { description: "Set the NEXTAUTH_SECRET environment variable in production. Generate a strong random secret with openssl rand -base64 32.", suggestion: "secret: process.env.NEXTAUTH_SECRET" }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln: agent-workspace config files committed to repo.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "config/agent-config-tracked",
+    title: "Agent Workspace Config Committed to Repo",
+    description: "A file like .cursor/mcp.json, .claude/settings.local.json, or .windsurf/config.json is in the repo. These are per-machine workspace files that often contain MCP server credentials, API keys, and absolute paths that leak the contributor's home directory. They should never be tracked.",
+    severity: "medium",
+    confidence: "medium",
+    cwe: "CWE-538",
+    languages: ["json", "yaml"],
+    patterns: [
+      // Fires only on the workspace-config filenames themselves.
+      { regex: "(?:^|/)(?:\\.cursor/mcp\\.json|\\.claude/settings\\.local\\.json|\\.windsurf/config\\.json|\\.cline/settings\\.json|\\.aider\\.conf\\.yml)$", type: "file_path" },
+      // Marker: any non-empty content. The presence of the file IS the finding.
+      { regex: "\\S", type: "match" }
+    ],
+    fix: { description: "Add to .gitignore, then `git rm --cached <file>` to untrack. Move secrets in the file to environment variables. Use a `.cursor/mcp.shared.json` (or similar tool convention) for team-shared, secret-free settings." }
   }
 ];
 var PII_RULES = [
@@ -5353,6 +5646,76 @@ var BAAS_RULES = [
     ],
     excludePatterns: [{ regex: `(?:allowedRedirects|validRedirects|safeUrls|startsWith\\s*\\(\\s*["']https://)`, type: "context_line" }],
     fix: { description: "Use a hardcoded or whitelisted redirect URL for OAuth callbacks. Never use raw user input.", suggestion: "redirectTo: `${process.env.NEXT_PUBLIC_URL}/auth/callback`" }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: post-Lovable-CVE Supabase RLS patterns. The
+  // existing `supabase-rls-disabled` rule only flags MISSING RLS. These flag
+  // RLS that LOOKS protective but isn't — `USING (true)`, over-granted anon
+  // role, service-role used in client-reachable code, JWT-claim trust.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "baas/supabase-rls-policy-allows-all",
+    title: "Supabase RLS Policy Allows All Rows",
+    description: "This row-level-security policy uses USING (true), USING (1=1), or WITH CHECK (true). RLS is technically enabled \u2014 so the table looks protected and security scanners that only check `enable row level security` pass \u2014 but the policy itself authorizes everything. Lovable's 'security scan' missed exactly this pattern. CVE-2025-48757 fallout: 170 apps shipped this.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-285",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "create\\s+policy[^;]+(?:using|with\\s+check)\\s*\\(\\s*(?:true|1\\s*=\\s*1)\\s*\\)", type: "match" },
+      { regex: "create\\s+policy[^;]+using\\s*\\(\\s*auth\\.role\\(\\)\\s*=\\s*'authenticated'\\s*\\)", type: "match" }
+    ],
+    fix: { description: "Replace `USING (true)` with a real predicate \u2014 typically `USING (auth.uid() = user_id)`. If the table genuinely allows public read, scope it by operation (`FOR SELECT`) and add a separate restrictive policy for writes." }
+  },
+  {
+    id: "baas/supabase-anon-overgrant",
+    title: "Postgres Anon Role Granted Broad Privileges",
+    description: "GRANT ALL, GRANT INSERT, or GRANT DELETE to the `anon` role gives unauthenticated users database-level write access. Even with RLS, this widens the attack surface \u2014 `anon` should only have SELECT on tables you intend to expose, and EXECUTE on RPC functions you've audited.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-732",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "grant\\s+(?:all|insert|update|delete|truncate)\\s+(?:on[^;]+)?to\\s+anon", type: "match" }
+    ],
+    fix: { description: "Revoke broad grants. `REVOKE ALL ON <table> FROM anon;` then `GRANT SELECT ON <table> TO anon;` only for tables that should be publicly readable." }
+  },
+  {
+    id: "baas/supabase-service-role-client-reachable",
+    title: "Service-Role Key Used in Client-Reachable Route",
+    description: "This route handler uses the Supabase service-role client but lives in a path the client can call (no auth gate, no internal/server-only marker). Service role bypasses RLS entirely \u2014 a single unauthenticated request reads every table. The April 2026 Lovable mass breach included this pattern across pre-Nov-2025 projects.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-269",
+    owasp: "A01:2021",
+    languages: ["javascript", "typescript"],
+    patterns: [
+      { regex: "createClient\\s*\\([^,]+,\\s*process\\.env\\.(?:SUPABASE_)?SERVICE_ROLE_KEY", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "(?:\\.server\\.|/api/internal|cron|webhook|middleware\\.ts|requireAuth|auth\\.uid|getServerSession)", type: "context_line" },
+      { regex: "(?:\\.server\\.|/api/internal|cron|webhook|middleware\\.ts)", type: "file_path" }
+    ],
+    fix: { description: "Either move this logic behind explicit auth (e.g. requireUser() at the top of the handler), or replace the service-role client with the anon client + RLS. Never use service role in an endpoint a logged-out browser can reach." }
+  },
+  {
+    id: "baas/supabase-rls-policy-jwt-claim-not-verified",
+    title: "Supabase RLS Policy Trusts a JWT Claim Without Issuing It",
+    description: "This policy authorizes based on auth.jwt() ->> 'role' or auth.jwt() ->> 'org_id' from a claim Supabase doesn't issue by default. If the claim comes from a third-party JWT (Clerk, Auth0, Firebase) and you haven't configured Supabase to validate the issuer, an attacker can craft their own JWT and bypass the policy.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-345",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "auth\\.jwt\\(\\)\\s*->>?\\s*'(?:role|org_id|tenant|company|workspace_id|account_id)'", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "(?:auth\\.uid|user_id|owner_id)", type: "context_line" }
+    ],
+    fix: { description: "Either issue these claims via Supabase Auth Hooks (so Supabase is the JWT issuer), or configure third-party JWT verification with a strict issuer + audience check. Don't read claims you don't issue." }
   }
 ];
 var LLM_RULES = [
@@ -5489,6 +5852,158 @@ var LLM_RULES = [
       { regex: "(?:query|execute|sql|raw)\\s*\\(\\s*(?:completion|response|result|output|llm|ai|gpt|claude)[.\\[]", type: "match" }
     ],
     fix: { description: "Never execute LLM output as code. Use structured output parsing with validation, or run generated code in a sandboxed environment." }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: MCP tool pinning, LangChain SSRF/path traversal,
+  // Vercel AI SDK input handling, cost-exhaustion (max_tokens / rate limit),
+  // .env-into-prompt, Codex branch-shell, OpenAI Assistants allowlist,
+  // git-hook writes, agent-on-PR-content.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "llm/mcp-tool-no-pinning",
+    title: "MCP Tool Used Without Version Pinning",
+    description: "This code calls an MCP tool by name without checking the server's identity hash or pinning the tool description. A 'rug pull' (CVE-2025-54136) \u2014 server updates its tool description after you approved it \u2014 silently changes what the tool does. Your code keeps calling `add` and ends up exfiltrating data.",
+    severity: "medium",
+    confidence: "low",
+    cwe: "CWE-345",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: `(?:mcpClient|mcp_client|MCPClient)\\.(?:callTool|invoke|call)\\s*\\(\\s*["']`, type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:hash|fingerprint|version|pinned|approved)", type: "context_line" }],
+    fix: { description: "Record a hash of the tool description the first time you approve a server. Re-verify on every call. Reject calls whose description changed since approval." }
+  },
+  {
+    id: "llm/langchain-recursive-url-loader-unsafe",
+    title: "LangChain RecursiveUrlLoader Used Without SSRF Guard",
+    description: "RecursiveUrlLoader follows HTTP redirects in a way that bypasses URL validators \u2014 CVE-2026-27795 lets an attacker hand you a benign-looking URL that 302s to cloud metadata. If you load attacker-supplied URLs into a RAG pipeline, you leak 169.254.169.254 and friends.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-918",
+    owasp: "A10:2021",
+    languages: ["python", "javascript", "typescript"],
+    patterns: [
+      { regex: "(?:RecursiveUrlLoader|recursive_url_loader)\\s*\\(", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:allowlist|allow_list|allowed_domains|domain_filter|ssrf_guard)", type: "context_line" }],
+    fix: { description: "Upgrade @langchain/community to 1.1.14+ (Node) or langchain-community to the patched release (Python). Wrap loader calls in an SSRF-safe HTTP client that blocks RFC 1918, link-local, and cloud-metadata ranges before AND after redirects." }
+  },
+  {
+    id: "llm/langchain-load-prompt-from-path",
+    title: "LangChain Loads Prompt Template from Untrusted Path",
+    description: "load_prompt(...) (CVE-2026-34070) traverses any path you give it. If the path comes from request input, an attacker reads arbitrary files \u2014 /etc/passwd, .env, SSH keys.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-22",
+    owasp: "A01:2021",
+    languages: ["python", "javascript", "typescript"],
+    patterns: [
+      { regex: "(?:load_prompt|loadPrompt)\\s*\\([^)]*(?:req\\.|request\\.|input|user|body|query|param)", type: "match" }
+    ],
+    fix: { description: "Never pass untrusted strings to load_prompt. Maintain an explicit registry of allowed prompt names and look up the path server-side." }
+  },
+  {
+    id: "llm/ai-sdk-input-as-prompt",
+    title: "Vercel AI SDK generateText/streamText Called with Raw User Input",
+    description: "generateText({ prompt: userInput }) and streamText({ messages: [...] }) with raw user input is the canonical Vercel AI SDK prompt-injection point. Users can override system instructions, extract the system prompt, or trigger arbitrary tool calls.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-77",
+    languages: ["javascript", "typescript"],
+    patterns: [
+      { regex: "(?:generateText|streamText|generateObject|streamObject)\\s*\\(\\s*\\{[^}]*prompt\\s*:\\s*(?:req\\.|request\\.|body\\.|input|userInput|message)", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:sanitize|validate|zod|schema|filter)", type: "context_line" }],
+    fix: { description: "Always pass user input as a separate `user` message, never as the prompt string and never interpolated into the system message. Validate with Zod before sending.", suggestion: "streamText({ system: SYSTEM_PROMPT, messages: [{ role: 'user', content: sanitize(input) }] })" }
+  },
+  {
+    id: "llm/agent-runs-on-unsanitized-pr-content",
+    title: "AI Agent Run on PR Title/Body Without Sanitizing",
+    description: "This code passes PR titles, bodies, or comments straight into an agent prompt. The 'Comment and Control' attack chain has confirmed exfil of ANTHROPIC_API_KEY and GITHUB_TOKEN via PR titles in Claude Code, fake 'Trusted Content Section' blocks in Gemini CLI, and HTML comments in Copilot Agent.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-77",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:pull_request|pullRequest|pr|issue)\\.(?:title|body|head_ref).{0,200}(?:prompt|messages|systemPrompt|userMessage)", type: "match" },
+      { regex: "(?:prompt|content)\\s*[:=]\\s*`[^`]*\\$\\{(?:pr|pullRequest|issue|comment)\\.(?:title|body)", type: "match" }
+    ],
+    fix: { description: "Treat PR content as untrusted data, never as instructions. Strip prompt-injection markers (<system>, </system>, 'ignore previous'). Move the actual instructions to a server-side system prompt and pass PR content as a quoted block inside a user message." }
+  },
+  {
+    id: "llm/no-max-tokens",
+    title: "LLM Call Without max_tokens or Cost Limit",
+    description: "This LLM call has no max_tokens (OpenAI/Anthropic), max_output_tokens (Gemini), or equivalent ceiling. A prompt-injection or a single buggy loop can rack up thousands of dollars on a free-tier app. Uber exhausted its 2026 AI budget months into the year \u2014 this is the pattern.",
+    severity: "medium",
+    confidence: "low",
+    cwe: "CWE-770",
+    owasp: "A04:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:openai|anthropic|gemini|generativeai)\\.[a-z_]+\\.(?:create|generate|complete|messages)\\s*\\(\\s*\\{[^}]*\\bmodel\\s*:", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:max_tokens|max_output_tokens|maxTokens|maxOutputTokens|max_completion_tokens)", type: "context_line" }],
+    fix: { description: "Always set a max_tokens ceiling. Add a per-user / per-IP rate limiter at the API edge. Track cost per request via the response usage object and refuse new requests when the user passes a daily threshold.", suggestion: "const completion = await openai.chat.completions.create({ model: 'gpt-4o', messages, max_tokens: 1024 });" }
+  },
+  {
+    id: "llm/env-file-read-into-prompt",
+    title: ".env or Secrets File Read into LLM Prompt",
+    description: "This code reads a secrets file (.env, .aws/credentials, ~/.ssh/) and passes it into an LLM prompt or message. The LLM provider now has your secrets in their logs; a prompt injection in the response can exfiltrate them; and any output filtering you do is best-effort.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-200",
+    owasp: "A01:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:readFile|readFileSync|fs\\.read|open|Path\\([^)]+\\)\\.read)[\\s\\S]{0,80}(?:\\.env|credentials|\\.ssh|secret|\\.pem|id_rsa)[\\s\\S]{0,300}(?:prompt|messages|content|completion|generateText|streamText)", type: "match" }
+    ],
+    fix: { description: "Never put secrets in a prompt. If the agent needs to act on credentials, give it a tool that uses them internally and never returns or echoes them. Redact env files before passing any config snippet to an LLM." }
+  },
+  {
+    id: "llm/agent-writes-to-git-hooks",
+    title: "Code Writes to .git/hooks (CVE-2026-26268 vector)",
+    description: "This code writes to .git/hooks/. Cursor IDE CVE-2026-26268 used exactly this \u2014 an agent cloning a repo into a workspace triggers pre-commit hooks attackers placed there. If your own code writes hooks based on agent output or external input, you've recreated the bug.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-94",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python", "shell"],
+    patterns: [
+      { regex: `(?:writeFile|writeFileSync|open|Path\\([^)]+\\)\\.write)[\\s\\S]{0,80}["']\\.git/hooks/`, type: "match" },
+      { regex: "chmod\\s+\\+x[\\s\\S]{0,80}\\.git/hooks/", type: "match" }
+    ],
+    fix: { description: "Don't write Git hooks from application code. If you need pre-commit checks, install them via husky or pre-commit at setup time with the user's explicit consent." }
+  },
+  {
+    id: "llm/codex-branch-name-shell-injection",
+    title: "Branch Name or Repo Field Passed to Shell Without Sanitizing",
+    description: "OpenAI Codex CVE (reported Dec 2025, patched Feb 2026) shipped because branch names were passed unsanitized into shell commands inside the agent container, letting any user with branch-create permission run arbitrary commands and exfiltrate the GitHub token. Same shape applies to any agent that runs shell with attacker-controllable repo metadata.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:exec|spawn|execSync|child_process|subprocess\\.(?:run|call|Popen))[\\s\\S]{0,100}(?:branch|ref|head_ref|base_ref|repo_name|pr_title)", type: "match" },
+      { regex: "`[^`]*\\$\\{(?:branch|ref|head|repo)Name", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:shellQuote|escapeShellArg|shlex\\.quote|sanitize)", type: "context_line" }],
+    fix: { description: "Never interpolate any field that could be attacker-controlled into a shell command. Use execFile with argv array (no shell) or quote the input with shell-quote/shlex.quote." }
+  },
+  {
+    id: "llm/openai-assistant-tool-no-allowlist",
+    title: "OpenAI Assistants / Responses API Without Tool Allowlist",
+    description: "This code uses the OpenAI Assistants API or Responses API with tools enabled and no allowlist check before executing the returned tool call. The Codex command-injection chain (CVE patched Feb 2026) and the ChatGPT data-exfil chain (Feb 2026) both relied on this \u2014 the agent decides what to call, the code does it.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "required_action[\\s\\S]{0,100}submit_tool_outputs", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:allowedTools|toolRegistry|ALLOW_LIST|whitelist|permitted)", type: "context_line" }],
+    fix: { description: "Maintain an explicit Set<string> of permitted tool names. Reject any tool call whose name isn't in the set. Log and alert on rejections." }
   }
 ];
 var HEADERS_RULES = [
@@ -5773,6 +6288,58 @@ var DEPS_RULES = [
     ],
     excludePatterns: [{ regex: "(?:integrity|crossorigin)", type: "context_line" }],
     fix: { description: "Add integrity and crossorigin attributes to all CDN-loaded scripts.", suggestion: '<script src="https://cdn.example.com/lib.js" integrity="sha384-..." crossorigin="anonymous"></script>' }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: known-malicious packages from the Clinejection
+  // class of supply-chain attacks, extended slopsquatting list, no-lockfile.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "deps/known-malicious-package",
+    title: "Known-Malicious Package Detected",
+    description: "This package was used in a confirmed supply-chain attack. Remove it immediately and rotate any credentials that were on the machine when it was installed.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-829",
+    owasp: "A06:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"(?:openclaw|postmark-mcp)"\\s*:', type: "match" },
+      { regex: '"cline"\\s*:\\s*"[^"]*2\\.3\\.0[^"]*"', type: "match" },
+      { regex: "package(?:-lock)?\\.json$", type: "file_path" }
+    ],
+    fix: { description: "Remove the package. Rotate any tokens (npm publish, GitHub PAT, AI provider keys) that were active on the machine since install. Audit your shell history and ~/.npm cache. The Cline 2.3.0 incident shipped openclaw as a postinstall payload between 3:26am and 11:30am PT on 2026-02-17." }
+  },
+  {
+    id: "deps/slopsquatting-risk-extended",
+    title: "Likely AI-Hallucinated Package Name (Extended List)",
+    description: "Extension of `deps/slopsquatting-risk` with names observed in the past 6 months of AI-generated code (Cursor, Lovable, Bolt, v0 traces). These names sound plausible \u2014 'react-query-helpers', 'nextjs-auth-utils' \u2014 but they didn't exist when the model trained. Squatters now own these names.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-829",
+    languages: ["json"],
+    patterns: [
+      { regex: '"(?:react-query-helpers|nextjs-auth-utils|supabase-edge-utils|shadcn-ui-helpers|drizzle-helpers|hono-helpers|tanstack-router-utils|effect-helpers|zustand-helpers|tailwind-typography-extended|framer-motion-utils|radix-ui-helpers|trpc-helpers|prisma-edge-helpers|vercel-blob-utils|cloudflare-d1-helpers|nuxt-auth-utils|svelte-kit-helpers|astro-edge-helpers|solid-js-helpers)"\\s*:', type: "match" },
+      { regex: "package\\.json$", type: "file_path" }
+    ],
+    fix: { description: "Verify on npmjs.com. Run `npm view <pkg>` \u2014 if the package is <30 days old, has one maintainer, and zero stars, do not install." }
+  },
+  {
+    id: "deps/no-lockfile",
+    title: "No Dependency Lockfile in Project",
+    description: "This project's package.json has no companion package-lock.json / pnpm-lock.yaml / yarn.lock. Every install re-resolves versions, so a malicious update to any transitive dep ships on your next `npm install`. The Cline supply-chain attack window was 8 hours \u2014 without a lockfile, every install during that window pulled malware.",
+    severity: "medium",
+    confidence: "high",
+    cwe: "CWE-1357",
+    languages: ["json"],
+    patterns: [
+      { regex: '"name"\\s*:', type: "match" },
+      { regex: "(?:^|/)package\\.json$", type: "file_path" }
+    ],
+    requireSibling: {
+      // Rule fires only if NONE of these lockfiles exist anywhere in the scan set.
+      missing: ["package-lock.json", "pnpm-lock.yaml", "yarn.lock", "bun.lockb"]
+    },
+    fix: { description: "Commit a lockfile. `npm install --package-lock-only` or `pnpm install --lockfile-only`. Re-run on every dependency change. Set engine-strict and pin the package manager via `packageManager` in package.json." }
   }
 ];
 var CLIENT_RULES = [
@@ -5846,6 +6413,224 @@ var CLIENT_RULES = [
     fix: { description: "Add CSRF protection: use SameSite=Strict cookies, verify a CSRF token header, or use a framework that handles this automatically (e.g. Next.js Server Actions have built-in CSRF protection)." }
   }
 ];
+var AI_AGENT_RULES = [
+  {
+    id: "ai-agent/invisible-unicode-in-config",
+    title: "AI Agent Config File Contains Invisible Unicode",
+    description: "This agent config file contains zero-width, tag, or variation-selector Unicode characters that humans can't see but LLMs read as normal text. This is the standard technique for hiding prompt injection payloads inside .cursorrules / .windsurfrules / CLAUDE.md / AGENTS.md / copilot-instructions.md. If you didn't put them there, an attacker did.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-1007",
+    owasp: "A03:2021",
+    languages: ["markdown"],
+    patterns: [
+      // JS regex Unicode escape uses \u{...} with /u flag (PCRE \x{} doesn't work).
+      // compileRegex auto-adds /u when it sees \u{...} braces in the source.
+      { regex: "[\\u{200B}-\\u{200F}\\u{2028}-\\u{202F}\\u{2060}-\\u{206F}\\u{FE00}-\\u{FE0F}\\u{E0000}-\\u{E007F}]", type: "match" },
+      { regex: "(?:\\.cursorrules|\\.windsurfrules|\\.clinerules|CLAUDE\\.md|AGENTS\\.md|copilot-instructions\\.md|\\.mdc|\\.cursor/rules/)", type: "file_path" }
+    ],
+    fix: { description: "Open the file in an editor that visualizes invisible characters (VS Code with 'Render Whitespace' + the 'Gremlins' extension, or `cat -v`). Strip any character outside printable ASCII unless you intentionally need it. Add a pre-commit hook that rejects these ranges.", suggestion: "perl -CSDA -pe 's/[\\x{200B}-\\x{200F}\\x{2060}-\\x{206F}\\x{E0000}-\\x{E007F}]//g' -i .cursorrules" }
+  },
+  {
+    id: "ai-agent/mcp-stdio-shell-command",
+    title: "MCP Server Runs an Arbitrary Shell Command",
+    description: "This MCP server config launches a STDIO process via a shell wrapper (sh -c, bash -c, eval, exec) or `npx -y` (downloads and runs arbitrary npm code). A poisoned tool description or a rug-pull update can inject extra arguments and run anything on your machine. The Windsurf zero-click RCE (CVE-2026-30615) used exactly this shape.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"command"\\s*:\\s*"(?:sh|bash|zsh|cmd|powershell|pwsh|eval|exec)"', type: "match" },
+      { regex: '"args"\\s*:\\s*\\[\\s*"-c"', type: "match" },
+      { regex: "(?:mcp\\.json|mcp_settings\\.json|claude_desktop_config\\.json)$", type: "file_path" }
+    ],
+    fix: { description: 'MCP servers should be invoked with their executable directly \u2014 `"command": "node"`, `"args": ["server.js"]` \u2014 never wrapped in a shell. If the server requires shell expansion, the server itself is wrong.' }
+  },
+  {
+    id: "ai-agent/mcp-public-http-endpoint",
+    title: "MCP Server Points to a Public HTTP URL",
+    description: "This MCP server is configured to talk to an HTTP endpoint, not a local STDIO process, and the URL is on the public internet without TLS. Anything the server returns becomes context the agent acts on, so a network attacker can serve poisoned tool descriptions and trigger a confused-deputy attack.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-319",
+    owasp: "A02:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"url"\\s*:\\s*"http://(?!localhost|127\\.|0\\.0\\.0\\.0|::1)', type: "match" },
+      { regex: "(?:mcp\\.json|claude_desktop_config\\.json)$", type: "file_path" }
+    ],
+    excludePatterns: [
+      { regex: "ngrok\\.io|ngrok-free\\.app|loca\\.lt", type: "context_line" }
+    ],
+    fix: { description: "Require HTTPS for any MCP server you don't run locally. Pin the server's full URL including version path. Prefer STDIO with a locally installed binary for anything that handles credentials." }
+  },
+  {
+    id: "ai-agent/cursor-auto-run-enabled",
+    title: "Cursor Auto-Run / YOLO Mode Enabled",
+    description: "Cursor's Auto-Run Mode (formerly YOLO Mode) lets the agent execute commands without per-call approval. Combined with prompt injection from an MCP server, a rules file, or a PR comment, this turns the IDE into a one-shot RCE. CVE-2026-22708 specifically bypasses the allowlist via shell built-ins when this mode is on.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-269",
+    languages: ["json"],
+    patterns: [
+      { regex: '"cursor\\.(?:autoRun|yoloMode|composerAutoRun|chat\\.autoExecute|agent\\.autoRun|agent\\.skipApproval)"\\s*:\\s*true', type: "match" },
+      { regex: '"agent"\\s*:\\s*\\{[^}]*"autoApprove"\\s*:\\s*true', type: "match" }
+    ],
+    fix: { description: "Disable Auto-Run for any repo that contains code you didn't write yourself. If you must keep it on, also disable shell built-ins in the allowlist and review every MCP server in .cursor/mcp.json first." }
+  },
+  {
+    id: "ai-agent/agent-allowlist-disabled",
+    title: "Agent Tool Allowlist Disabled or Empty",
+    description: "This agent config disables the tool allowlist or sets it to allow everything. The allowlist is the last layer between a prompt injection and shell access \u2014 turning it off means any malicious instruction (in a file, an MCP tool description, a PR comment) becomes arbitrary code execution.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["json"],
+    patterns: [
+      { regex: '"allowlist"\\s*:\\s*(?:false|null|\\[\\s*"\\*"\\s*\\])', type: "match" },
+      { regex: '"toolApproval"\\s*:\\s*"never"', type: "match" }
+    ],
+    fix: { description: "Keep the allowlist on. Add specific tool names you genuinely need (read_file, edit_file) and leave shell, web fetch, and MCP-write tools off until you have a reason to enable them per session." }
+  },
+  {
+    id: "ai-agent/auto-approve-tools",
+    title: "Agent Configured to Auto-Approve All Tool Calls",
+    description: "This config tells the agent to approve every tool call automatically. That removes the human-in-the-loop check that catches prompt injection mid-attack. The 'Comment and Control' PR-injection family relies on this \u2014 without auto-approve, the user sees the exfil command and stops it.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["json", "yaml", "markdown", "shell"],
+    patterns: [
+      { regex: "(?:auto[_-]?approve|skipConfirmation|autoConfirm|trustedAlways)\\s*[:=]\\s*true", type: "match" },
+      { regex: "--dangerously-skip-permissions", type: "match" }
+    ],
+    fix: { description: "Remove the auto-approve flag for any agent that touches a CI environment, untrusted repo, or anything with real credentials. The 5 seconds of friction is the entire point." }
+  },
+  {
+    id: "ai-agent/ci-agent-untrusted-pr-input",
+    title: "CI Agent Reads PR Title or Body Without Sanitizing",
+    description: "This GitHub Action passes github.event.pull_request.title, .body, or .head_ref directly to an AI agent (Claude Code, Copilot Agent, Gemini CLI, Codex). An attacker opens a PR with prompt-injection in the title and exfiltrates ANTHROPIC_API_KEY / GITHUB_TOKEN. This is the 'Comment and Control' / CVE-2026-35020 family.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-77",
+    owasp: "A03:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "(?:claude-code|copilot|gemini|aider|devin|codex)[\\s\\S]{0,200}\\$\\{\\{\\s*github\\.event\\.pull_request\\.(?:title|body|head_ref)", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Never interpolate PR-controlled fields directly into an agent prompt or shell line. Pass them through an env var, then have the agent treat that env var as untrusted data (not instructions). Block any prompt-injection-shaped string before invoking the agent." }
+  },
+  {
+    id: "ai-agent/ci-agent-pull-request-fork",
+    title: "CI Agent Triggers on pull_request from Forks",
+    description: "This workflow uses pull_request and runs an AI agent. Forked PRs run in your workflow context with read access to secrets if the action requests them \u2014 combined with PR-body prompt injection, this is the documented exfiltration vector.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-269",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "on\\s*:[\\s\\S]{0,80}pull_request(?:_target)?", type: "match" },
+      { regex: "(?:claude-code|copilot|gemini|aider|devin)", type: "context_line" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Gate AI-agent jobs on `if: github.event.pull_request.head.repo.full_name == github.repository` so forks can't trigger them with secrets attached. Or move the agent to a manually-triggered workflow_dispatch after a maintainer reviews the PR." }
+  },
+  {
+    id: "ai-agent/github-action-injection-from-pr",
+    title: "PR Title or Body Interpolated into Shell Step",
+    description: "This workflow uses ${{ github.event.pull_request.title }} or similar inside a `run:` block. GitHub interpolates that into the shell before any escaping \u2014 an attacker with a PR title containing backticks runs commands on your runner. Independent of AI agents but urgent because AI-agent workflows tend to ship in this shape.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "run\\s*:[\\s\\S]{0,400}\\$\\{\\{\\s*github\\.event\\.(?:pull_request|issue|comment|review|release|discussion|head_commit|commits)\\.[a-z_]+(?:\\.[a-z_]+)?", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: 'Move the untrusted value into an env var (env: PR_TITLE: ${{ github.event.pull_request.title }}), then reference "$PR_TITLE" from the shell. The runner expands env vars after the shell parses the script, so injection becomes inert.' }
+  },
+  {
+    id: "ai-agent/agent-config-not-gitignored",
+    title: "Agent Config Path Suggests Workspace File Was Committed",
+    description: "Files like .cursor/mcp.json, .claude/settings.json, or .windsurf/config.json often contain MCP credentials, API keys, and machine-specific paths. If they're tracked by git, those secrets ship to anyone with repo access. (This rule signals a path-level concern; combine with `config/agent-config-tracked` for a stronger signal.)",
+    severity: "low",
+    confidence: "low",
+    cwe: "CWE-538",
+    languages: ["json"],
+    patterns: [
+      { regex: "(?:^|/)(?:\\.cursor|\\.claude|\\.windsurf|\\.cline|\\.continue|\\.aider)/", type: "file_path" },
+      { regex: "\\S", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "\\.gitignore$", type: "file_path" }
+    ],
+    fix: { description: "Add .cursor/, .claude/, .windsurf/, .cline/, .continue/, .aider* to .gitignore. Move anything secret out of the tracked config and into a local-only override." }
+  },
+  // ── Tier 2 additions (§4 of handoff) ────────────────────────────────────
+  {
+    id: "ai-agent/pwn-request-checkout",
+    title: "GitHub Action Uses pull_request_target + Checks Out PR Code",
+    description: "This workflow uses pull_request_target (which runs in the base repo's context with secrets) AND checks out the PR's head ref. Attacker opens a PR, the workflow runs their code with your secrets in env, attacker exfiltrates. This is the 'Pwn Request' attack \u2014 researchers have compromised Microsoft, Google, and Nvidia repos with exactly this pattern.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-269",
+    owasp: "A01:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "pull_request_target", type: "match" },
+      { regex: "actions/checkout@[^\\s]+[\\s\\S]{0,200}ref\\s*:\\s*\\$\\{\\{\\s*github\\.event\\.pull_request\\.head\\.(?:sha|ref)", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Either switch to pull_request (loses secrets \u2014 that's the point) or split into two workflows. The privileged workflow runs only on the base branch (commenting, labeling); the build workflow runs on pull_request without secrets and reports back via artifact." }
+  },
+  {
+    id: "ai-agent/workflow-write-all-permissions",
+    title: "Workflow Grants Write-All Permissions to an AI-Agent Job",
+    description: "This workflow runs an AI agent (Claude Code, Copilot Agent, Codex) and grants `permissions: write-all` or doesn't set permissions: (which defaults to write on classic-token repos). A prompt-injection from PR content turns into write access to the repo, releases, and packages.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-269",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "permissions\\s*:\\s*write-all", type: "match" },
+      { regex: "(?:claude-code|copilot|codex|gemini|aider)", type: "context_line" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Set explicit permissions: block listing only what the job needs. For an agent that comments on PRs: `permissions: { contents: read, pull-requests: write }`." }
+  },
+  {
+    id: "ai-agent/jetbrains-junie-json-schema-remote",
+    title: "JSON Schema Loaded from Untrusted Remote URL",
+    description: "JetBrains IDEs auto-load $schema URLs in JSON files. JetBrains Junie CVE-2025-58335 abused this \u2014 a malicious JSON in your repo points $schema at an attacker-controlled host, the IDE fetches it, and follow-on behavior (settings overwrite, prompt context contamination) opens the agent up.",
+    severity: "medium",
+    confidence: "medium",
+    cwe: "CWE-918",
+    languages: ["json"],
+    patterns: [
+      { regex: '"\\$schema"\\s*:\\s*"http://(?!localhost|127\\.)', type: "match" },
+      { regex: '"\\$schema"\\s*:\\s*"https?://(?!schemas\\.(?:jetbrains|microsoft|github)\\.|json\\.schemastore\\.org|raw\\.githubusercontent\\.com/SchemaStore/)', type: "match" }
+    ],
+    fix: { description: "Only reference $schema URLs from trusted hosts (schemastore.org, jetbrains.com, github.com). Audit any custom schema URL in your repo \u2014 if it's not yours, remove it." }
+  },
+  {
+    id: "ai-agent/cursor-mdc-rules-directory-presence",
+    title: "Cursor .cursor/rules/*.mdc Files Present \u2014 Review Recommended",
+    description: "Cursor's 2026 rules format is .cursor/rules/<name>.mdc (replacing the single .cursorrules file). Each .mdc carries frontmatter + instructions the agent reads. These files are prime targets for prompt injection and invisible Unicode payloads. This rule is an awareness flag \u2014 every .mdc file in a freshly cloned repo deserves a human read before opening Cursor.",
+    severity: "low",
+    confidence: "high",
+    cwe: "CWE-1188",
+    languages: ["markdown"],
+    patterns: [
+      { regex: "\\S", type: "match" },
+      // any non-empty content
+      { regex: "\\.cursor/rules/.*\\.mdc$", type: "file_path" }
+    ],
+    fix: { description: "Read every .mdc rule file before running Cursor on a new repo. If you didn't write the rule, treat it as untrusted instructions until you've verified it. Combine with `ai-agent/invisible-unicode-in-config` to catch the hidden-payload variant." }
+  }
+];
 var ALL_RULES = [
   ...SECRET_RULES,
   ...INJECTION_RULES,
@@ -5860,6 +6645,7 @@ var ALL_RULES = [
   ...HEADERS_RULES,
   ...DEPS_RULES,
   ...CLIENT_RULES,
+  ...AI_AGENT_RULES,
   ...ALL_FRAMEWORK_RULES
 ];
 var CATEGORY_MAP = {
@@ -5876,6 +6662,7 @@ var CATEGORY_MAP = {
   headers: HEADERS_RULES,
   deps: DEPS_RULES,
   client: CLIENT_RULES,
+  "ai-agent": AI_AGENT_RULES,
   nextjs: NEXTJS_RULES,
   express: EXPRESS_RULES,
   django: DJANGO_RULES,
@@ -5911,10 +6698,29 @@ function extractSnippet(content, line, contextLines = 5) {
     return `${marker} ${lineNum} | ${l}`;
   }).join("\n");
 }
-function isCommentLine(line) {
+function isCommentLine(line, language) {
   const trimmed = line.trim();
+  if (language === "markdown") {
+    return trimmed.startsWith("<!--");
+  }
+  if (language === "yaml" || language === "shell") {
+    return trimmed.startsWith("#");
+  }
+  if (language === "sql") {
+    return trimmed.startsWith("--") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*";
+  }
+  if (language === "json") {
+    return false;
+  }
   return trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*" || trimmed.startsWith("<!--");
 }
+function compileRegex(source, flags) {
+  let finalFlags = flags;
+  if (/\\u\{[0-9A-Fa-f]+\}/.test(source)) {
+    if (!finalFlags.includes("u")) finalFlags += "u";
+  }
+  return new RegExp(source, finalFlags);
+}
 function isInsideStringLiteral(line, pattern) {
   const match = pattern.exec(line);
   if (!match) return false;
@@ -5926,29 +6732,56 @@ function isInsideStringLiteral(line, pattern) {
   }
   return backtickCount % 2 === 1;
 }
+function isJsxTextContent(line) {
+  const trimmed = line.trim();
+  if (/^\w+\s*[:=]\s*["'`]/.test(trimmed) && trimmed.length > 80) {
+    const nonCodeChars = trimmed.replace(/[a-zA-Z\s.,!?;:'"()\-]/g, "").length;
+    if (nonCodeChars / trimmed.length < 0.15) return true;
+  }
+  if (/>[^<]{40,}</.test(trimmed)) return true;
+  if (/["'`][A-Z][^"'`]{60,}["'`]/.test(trimmed)) {
+    return true;
+  }
+  return false;
+}
 function matchRule(rule, file) {
   if (!rule.languages.includes("*") && !rule.languages.includes(file.language)) {
     return [];
   }
   const isSecretRule = rule.id.startsWith("secrets/");
   if (!isSecretRule) {
-    const docPaths = /(?:\/docs\/|\/examples\/|\/fixtures\/|__tests__\/fixtures)/i;
-    if (docPaths.test(file.path)) return [];
+    const contentPaths = /(?:\/docs\/|\/blog\/|\/for\/|\/examples\/|\/fixtures\/|\/tutorials?\/|\/guides?\/|__tests__\/fixtures)/i;
+    if (contentPaths.test(file.path)) return [];
+  }
+  const filePathPatterns = rule.patterns.filter((p) => p.type === "file_path");
+  if (filePathPatterns.length > 0) {
+    const allFilePathMatch = filePathPatterns.every(
+      (p) => compileRegex(p.regex, "i").test(file.path)
+    );
+    if (!allFilePathMatch) return [];
+  }
+  const contextLinePatterns = rule.patterns.filter((p) => p.type === "context_line");
+  if (contextLinePatterns.length > 0) {
+    const allContextMatch = contextLinePatterns.every(
+      (p) => compileRegex(p.regex, "i").test(file.content)
+    );
+    if (!allContextMatch) return [];
   }
   const findings = [];
   const lines = file.content.split("\n");
   for (const pattern of rule.patterns) {
     if (pattern.type !== "match") continue;
-    const regex = new RegExp(pattern.regex, "gi");
+    const regex = compileRegex(pattern.regex, "gi");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
       if (!regex.test(line)) continue;
       regex.lastIndex = 0;
-      if (!isSecretRule && isCommentLine(line)) continue;
-      if (!isSecretRule && isInsideStringLiteral(line, new RegExp(pattern.regex, "gi"))) continue;
+      if (!isSecretRule && isCommentLine(line, file.language)) continue;
+      if (!isSecretRule && isInsideStringLiteral(line, compileRegex(pattern.regex, "gi"))) continue;
+      if (!isSecretRule && isJsxTextContent(line)) continue;
       if (rule.excludePatterns?.length) {
         const excluded = rule.excludePatterns.some((ep) => {
-          const exRegex = new RegExp(ep.regex, "i");
+          const exRegex = compileRegex(ep.regex, "i");
           if (ep.type === "context_line") {
             return exRegex.test(line);
           }
@@ -5982,8 +6815,21 @@ function matchRule(rule, file) {
 }
 function runRules(rules, files) {
   const findings = [];
+  const filePathSet = new Set(files.map((f) => f.path));
+  const suppressedByMissingSibling = /* @__PURE__ */ new Set();
+  for (const rule of rules) {
+    if (!rule.requireSibling?.missing?.length) continue;
+    const anyPresent = rule.requireSibling.missing.some((sibling) => {
+      for (const filePath of filePathSet) {
+        if (filePath === sibling || filePath.endsWith("/" + sibling)) return true;
+      }
+      return false;
+    });
+    if (anyPresent) suppressedByMissingSibling.add(rule.id);
+  }
   for (const file of files) {
     for (const rule of rules) {
+      if (suppressedByMissingSibling.has(rule.id)) continue;
       findings.push(...matchRule(rule, file));
     }
   }
@@ -6839,12 +7685,15 @@ function detectPlatform(files) {
     if (lower.endsWith("package.json") && content.includes('"v0"')) {
       signals.v0.push("v0 dependency in package.json");
     }
-    if (content.includes("base44") || content.includes("Base44")) {
-      signals.base44.push("base44 reference in source");
-    }
     if (lower.includes("base44.config") || lower.includes(".base44")) {
       signals.base44.push("base44 config file");
     }
+    if (/from\s+['"]@?base44\b/i.test(content) || /require\s*\(\s*['"]@?base44\b/i.test(content)) {
+      signals.base44.push("base44 SDK import in source");
+    }
+    if (/https?:\/\/[^"'\s]*base44\.app/i.test(content)) {
+      signals.base44.push("base44.app URL in source");
+    }
   }
   const scores = Object.entries(signals).filter(([key]) => key !== "manual").map(([platform, sigs]) => ({
     platform,
@@ -7408,23 +8257,22 @@ async function loginCommand(options) {
           const profile = await fetchProfile(apiUrl, pollData.token);
           if (profile) {
             tokenData.tier = profile.tier;
-            tokenData.cliTier = profile.cliTier;
             tokenData.aiQuota = profile.aiQuota;
           }
           storeToken(tokenData);
           pollSpinner.succeed(
             chalk3.green(`Logged in as ${chalk3.bold(pollData.email)}`)
           );
-          if (profile?.cliTier) {
+          if (profile?.tier && profile.tier !== "free") {
             console.log(
               chalk3.cyan(
-                `  CLI plan: ${profile.cliTier} (${profile.aiQuota.remaining} AI scans remaining)`
+                `  Plan: ${profile.tier} (${profile.aiQuota.remaining} AI scans remaining)`
               )
             );
           } else {
             console.log(
               chalk3.dim(
-                "  No CLI plan. Upgrade at ship-safe.co/pricing for AI-powered scanning."
+                "  Free plan. Upgrade at ship-safe.co/pricing for AI-powered scanning."
               )
             );
           }
@@ -7498,20 +8346,17 @@ async function whoamiCommand(options) {
     storeToken({
       ...token,
       tier: profile.tier,
-      cliTier: profile.cliTier,
       aiQuota: profile.aiQuota
     });
     spinner.stop();
     console.log(chalk3.bold("\nShipSafe Account\n"));
-    console.log(`  Email:    ${chalk3.cyan(profile.email)}`);
-    console.log(`  Web tier: ${chalk3.cyan(profile.tier)}`);
-    if (profile.cliTier) {
-      console.log(`  CLI plan: ${chalk3.green(profile.cliTier)}`);
+    console.log(`  Email: ${chalk3.cyan(profile.email)}`);
+    console.log(`  Plan:  ${chalk3.cyan(profile.tier)}`);
+    if (profile.tier && profile.tier !== "free") {
       console.log(
         `  AI scans: ${chalk3.cyan(`${profile.aiQuota.used}/${profile.aiQuota.limit}`)} used this month (${chalk3.green(`${profile.aiQuota.remaining}`)} remaining)`
       );
     } else {
-      console.log(`  CLI plan: ${chalk3.dim("none")}`);
       console.log(
         chalk3.dim("  Upgrade at ship-safe.co/pricing for AI-powered scanning.")
       );
@@ -7520,8 +8365,8 @@ async function whoamiCommand(options) {
   } else {
     spinner.stop();
     console.log(chalk3.green(`Logged in as ${chalk3.bold(token.email)}`));
-    if (token.cliTier) {
-      console.log(chalk3.cyan(`  CLI plan: ${token.cliTier}`));
+    if (token.tier) {
+      console.log(chalk3.cyan(`  Plan: ${token.tier}`));
     }
   }
 }
@@ -7755,21 +8600,50 @@ async function scanCommand(targetPath, options) {
   spinner.succeed(
     chalk5.green(`Scan complete \u2014 ${result.findings.length} findings in ${result.durationMs}ms`)
   );
-  if (tokenData?.cliTier) {
+  if (tokenData?.tier === "growth" || tokenData?.tier === "badge" || tokenData?.tier === "shield") {
     const aiSpinner = ora2({
-      text: chalk5.dim("Running AI-powered deep analysis..."),
+      text: chalk5.dim("Running AI-powered deep analysis... (this may take 1-3 minutes)"),
       color: "yellow",
       spinner: "dots12"
     }).start();
+    const stages = [
+      "Uploading files to AI scanner...",
+      "Analyzing code with Claude AI...",
+      "Detecting auth & logic vulnerabilities...",
+      "Checking business logic flaws...",
+      "Generating plain-English report..."
+    ];
+    let stageIdx = 0;
+    const progressInterval = setInterval(() => {
+      stageIdx = Math.min(stageIdx + 1, stages.length - 1);
+      aiSpinner.text = chalk5.dim(`${stages[stageIdx]} (${(stageIdx + 1) * 20}%)`);
+    }, 15e3);
     try {
+      const MAX_AI_FILES = 100;
+      const MAX_FILE_BYTES = 1e5;
+      const MAX_TOTAL_BYTES = 4 * 1024 * 1024;
+      let totalBytes = 0;
+      const aiFiles = [];
+      for (const f of files) {
+        const size = new TextEncoder().encode(f.content).byteLength;
+        if (size > MAX_FILE_BYTES) continue;
+        if (totalBytes + size > MAX_TOTAL_BYTES) break;
+        totalBytes += size;
+        aiFiles.push(f);
+        if (aiFiles.length >= MAX_AI_FILES) break;
+      }
+      aiSpinner.text = chalk5.dim(`Uploading ${aiFiles.length} files to AI scanner...`);
       const aiRes = await fetch(`${options.apiUrl}/api/cli/ai-scan`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${tokenData.token}`
         },
-        body: JSON.stringify({ files })
+        body: JSON.stringify({ files: aiFiles }),
+        signal: AbortSignal.timeout(3e5)
+        // 5 minute timeout
       });
+      clearInterval(progressInterval);
       if (aiRes.ok) {
         const aiData = await aiRes.json();
         const aiFindings = aiData.findings.map((f) => ({
@@ -7805,8 +8679,9 @@ async function scanCommand(targetPath, options) {
             `AI analysis: ${aiFindings.length} additional findings`
           )
         );
+        const isUnlimited = !aiData.quota.limit || aiData.quota.limit < 0 || aiData.quota.limit >= 999999;
         printInfo(
-          `AI scans: ${aiData.quota.used}/${aiData.quota.limit} used this month (${aiData.quota.remaining} remaining)`
+          isUnlimited ? `AI scans: ${aiData.quota.used} used this month (unlimited plan)` : `AI scans: ${aiData.quota.used}/${aiData.quota.limit} used this month (${aiData.quota.remaining} remaining)`
         );
       } else if (aiRes.status === 429) {
         aiSpinner.warn(
@@ -7826,10 +8701,14 @@ async function scanCommand(targetPath, options) {
           chalk5.yellow(`AI analysis unavailable (HTTP ${aiRes.status}). ${errBody || "Showing rule-based results only."}`)
         );
       }
-    } catch {
+    } catch (fetchErr) {
+      clearInterval(progressInterval);
+      const errMsg = fetchErr instanceof Error ? fetchErr.message : String(fetchErr);
       aiSpinner.warn(
-        chalk5.yellow("Could not reach AI scanning service. Showing rule-based results only.")
+        chalk5.yellow(`Could not reach AI scanning service: ${errMsg}`)
       );
+    } finally {
+      clearInterval(progressInterval);
     }
   }
   const ignoredRules = loadIgnoredRules(resolvedPath);
@@ -7855,6 +8734,12 @@ async function scanCommand(targetPath, options) {
   const diff = diffWithPrevious(resolvedPath, result.findings);
   saveScanHistory(resolvedPath, result.findings);
   const isLoggedIn = !!getStoredToken();
+  if (options.sarifFile) {
+    writeFileSync4(options.sarifFile, formatSarifOutput(result), "utf-8");
+  }
+  if (options.jsonFile) {
+    writeFileSync4(options.jsonFile, formatJsonOutput(result), "utf-8");
+  }
   switch (options.output) {
     case "json":
       console.log(formatJsonOutput(result));
@@ -8090,14 +8975,14 @@ function getVersion() {
     for (let i = 0; i < 5; i++) {
       try {
         const pkg = JSON.parse(readFileSync6(join5(dir, "package.json"), "utf-8"));
-        if (pkg.name === "@ship-safe/cli") return pkg.version;
+        if (pkg.version) return pkg.version;
       } catch {
       }
       dir = dirname(dir);
     }
   } catch {
   }
-  return "1.1.11";
+  return "0.0.0-dev";
 }
 function validateApiUrl(value) {
   let parsed;
@@ -8117,7 +9002,7 @@ program.command("scan").description("Scan a directory or file for security vulne
   new Option("-o, --output <format>", "Output format: table, json, sarif").choices(["table", "json", "sarif"]).default("table")
 ).addOption(
   new Option("-s, --severity <level>", "Minimum severity: critical, high, medium, low").choices(["critical", "high", "medium", "low"]).default("low")
-).option("--ci", "CI mode: exit code 1 on high/critical findings", false).option("--upload", "Upload results to your ShipSafe dashboard", false).option(
+).option("--ci", "CI mode: exit code 1 on high/critical findings", false).option("--upload", "Upload results to your ShipSafe dashboard", false).option("--sarif-file <path>", "Also write SARIF output to a file (for CI / GitHub Action)").option("--json-file <path>", "Also write JSON output to a file (for CI / GitHub Action)").option(
   "--api-url <url>",
   "API URL for ShipSafe server",
   validateApiUrl,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.13",
+  "version": "1.1.16",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",