@ship-safe/cli 1.1.14 → 1.1.17

package/dist/index.js

@@ -7,9 +7,9 @@ var __export = (target, all) => {
 
 // src/index.ts
 import { Command, InvalidArgumentError, Option } from "commander";
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 import { fileURLToPath } from "url";
-import { dirname, join as join5 } from "path";
+import { dirname, join as join6 } from "path";
 
 // src/commands/scan.ts
 import { resolve as resolve2, join as join4 } from "path";
@@ -4125,6 +4125,65 @@ var SEVERITY_ORDER = {
   low: 3,
   info: 4
 };
+var TIERS = {
+  free: {
+    id: "free",
+    displayName: "Free",
+    kind: "free",
+    priceCents: 0,
+    aiScans: 0,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 0
+  },
+  growth: {
+    id: "growth",
+    displayName: "Growth",
+    kind: "subscription",
+    priceCents: 1900,
+    aiScans: 8,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 999
+  },
+  shield: {
+    id: "shield",
+    displayName: "Shield",
+    kind: "subscription",
+    priceCents: 3900,
+    aiScans: 15,
+    aiScansAreLifetime: false,
+    fixPromptsPerMonth: 999
+  },
+  audit: {
+    id: "audit",
+    displayName: "Pro Audit",
+    kind: "one_time",
+    priceCents: 900,
+    aiScans: 3,
+    aiScansAreLifetime: true,
+    fixPromptsPerMonth: 0
+  }
+};
+var AI_SCAN_LIMITS = {
+  free: TIERS.free.aiScans,
+  growth: TIERS.growth.aiScans,
+  shield: TIERS.shield.aiScans,
+  audit: TIERS.audit.aiScans
+};
+var FIX_PROMPT_LIMITS = {
+  free: TIERS.free.fixPromptsPerMonth,
+  growth: TIERS.growth.fixPromptsPerMonth,
+  shield: TIERS.shield.fixPromptsPerMonth,
+  audit: TIERS.audit.fixPromptsPerMonth
+};
+var LIFETIME_TIERS = new Set(
+  Object.values(TIERS).filter((t) => t.aiScansAreLifetime).map((t) => t.id)
+);
+function isPaidTier(tier) {
+  if (!tier) return false;
+  if (tier === "badge") return true;
+  const def = TIERS[tier];
+  return def ? def.priceCents > 0 : false;
+}
 var LANGUAGE_EXTENSIONS = {
   ".js": "javascript",
   ".jsx": "javascript",
@@ -4145,7 +4204,25 @@ var LANGUAGE_EXTENSIONS = {
   ".yml": "yaml",
   ".yaml": "yaml",
   ".json": "json",
-  ".toml": "toml"
+  ".toml": "toml",
+  // Added for AI-agent rules (round 7-vuln):
+  ".md": "markdown",
+  ".mdc": "markdown",
+  // Cursor 2026 rules format
+  ".sql": "sql",
+  ".sh": "shell",
+  ".bash": "shell",
+  ".zsh": "shell"
+};
+var LANGUAGE_FILENAMES = {
+  ".cursorrules": "markdown",
+  ".windsurfrules": "markdown",
+  ".clinerules": "markdown",
+  ".continuerules": "markdown",
+  ".aiderules": "markdown",
+  ".roorules": "markdown",
+  Dockerfile: "dockerfile",
+  Containerfile: "dockerfile"
 };
 var IGNORE_PATTERNS = [
   "node_modules",
@@ -4159,7 +4236,10 @@ var IGNORE_PATTERNS = [
   ".venv",
   "vendor",
   ".idea",
-  ".vscode",
+  // NOTE: `.vscode` intentionally removed — GitHub Copilot CVE-2025-53773
+  // modifies `.vscode/settings.json` to bypass guardrails, and we need to
+  // scan that file. Keep `.vscode/launch.json` etc out via specific rules
+  // if false-positive volume becomes an issue.
   "*.min.js",
   "*.min.css",
   "*.map",
@@ -4244,6 +4324,8 @@ var llmResponseSchema = external_exports.object({
 import path from "path";
 import { createHash } from "crypto";
 function detectLanguage(filePath) {
+  const basename = path.basename(filePath);
+  if (LANGUAGE_FILENAMES[basename]) return LANGUAGE_FILENAMES[basename];
   const ext = path.extname(filePath).toLowerCase();
   return LANGUAGE_EXTENSIONS[ext] ?? "unknown";
 }
@@ -4727,16 +4809,19 @@ var SECRET_RULES = [
   {
     id: "secrets/openai-api-key",
     title: "OpenAI API Key Detected",
-    description: "An OpenAI API key was found hardcoded. This can incur charges on your OpenAI account.",
+    description: "An OpenAI API key was found hardcoded. Anyone with repo access (or anyone running your built bundle) can drain your balance \u2014 and bots scrape GitHub for these continuously, so assume the key is already compromised.",
     severity: "critical",
     confidence: "high",
     cwe: "CWE-798",
+    owasp: "A07:2021",
     languages: ["*"],
     patterns: [
+      // Legacy 2023-era keys
       { regex: "sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}", type: "match" },
-      { regex: "sk-proj-[a-zA-Z0-9\\-_]{40,}", type: "match" }
+      // Modern project-scoped, service-account, and sandbox key prefixes (2024+)
+      { regex: "sk-(?:proj|svcacct|None)-[a-zA-Z0-9_-]{20,}", type: "match" }
     ],
-    fix: { description: "Move your OpenAI key to an environment variable.", suggestion: "process.env.OPENAI_API_KEY" }
+    fix: { description: "Rotate at platform.openai.com immediately. Move the key to a server-only env var. If this was in a public repo for any window, assume it's drained.", suggestion: "process.env.OPENAI_API_KEY" }
   },
   {
     id: "secrets/supabase-service-role",
@@ -4851,6 +4936,230 @@ var SECRET_RULES = [
     ],
     excludePatterns: [{ regex: "(?:test|spec|mock|fixture|seed|placeholder|example|\\.test\\.|\\.spec\\.|__test__|jest|vitest)", type: "context_line" }],
     fix: { description: "Remove default credentials from code. Use environment variables and generate strong, unique passwords for each deployment." }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: AI provider keys + vector DB keys + extension
+  // publish tokens. Sourced from tasks/HANDOFF_CLAUDE_CODE.md §I + §4.3.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "secrets/anthropic-api-key",
+    title: "Anthropic API Key Detected",
+    description: "An Anthropic API key (sk-ant-...) is sitting in source. Anyone with repo access can run up your Anthropic bill. Bots scrape GitHub for these continuously.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    owasp: "A07:2021",
+    languages: ["*"],
+    patterns: [{ regex: "sk-ant-[a-zA-Z0-9_-]{40,}", type: "match" }],
+    excludePatterns: [{ regex: "(?:example|test|fake|dummy|placeholder|xxxx|YOUR_KEY)", type: "context_line" }],
+    fix: { description: "Rotate at console.anthropic.com immediately. Move the key to a server-only env var. The key was already scraped \u2014 assume it's compromised, don't just remove the commit.", suggestion: "process.env.ANTHROPIC_API_KEY" }
+  },
+  {
+    id: "secrets/google-ai-key",
+    title: "Google AI Studio / Gemini API Key Detected",
+    description: "A Google AI Studio API key (AIza...) used for Gemini API and AI Studio. Same scrape risk as other AI keys.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    owasp: "A07:2021",
+    languages: ["*"],
+    patterns: [
+      { regex: `(?:GEMINI|GOOGLE_AI|GOOGLE_GEN_AI|GENAI)_API_KEY\\s*[:=]\\s*["']?AIza[A-Za-z0-9_-]{35}`, type: "match" },
+      { regex: `["']AIza[A-Za-z0-9_-]{35}["']`, type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:example|test|fake|placeholder)", type: "context_line" }],
+    fix: { description: "Revoke in Google AI Studio (https://aistudio.google.com/apikey). Create a new key with API restrictions and move to server-side env vars.", suggestion: "process.env.GEMINI_API_KEY" }
+  },
+  {
+    id: "secrets/grok-xai-key",
+    title: "xAI / Grok API Key Detected",
+    description: "An xAI/Grok API key (xai-...). Newer provider, same blast radius.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bxai-[a-zA-Z0-9]{60,}\\b", type: "match" }],
+    fix: { description: "Rotate at https://console.x.ai. Server-side only from now on.", suggestion: "process.env.XAI_API_KEY" }
+  },
+  {
+    id: "secrets/huggingface-token",
+    title: "Hugging Face Token Detected",
+    description: "A Hugging Face access token (hf_...). Used for model downloads, inference API, dataset pushes. Has push permissions on repos by default.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bhf_[A-Za-z0-9]{34}\\b", type: "match" }],
+    fix: { description: "Revoke at huggingface.co/settings/tokens. Create a read-only token if that's all you need.", suggestion: "process.env.HUGGINGFACE_TOKEN" }
+  },
+  {
+    id: "secrets/replicate-token",
+    title: "Replicate API Token Detected",
+    description: "A Replicate API token (r8_...). Replicate runs ML models \u2014 your billing balance is directly burnable.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\br8_[A-Za-z0-9]{37,40}\\b", type: "match" }],
+    fix: { description: "Rotate at replicate.com/account/api-tokens immediately.", suggestion: "process.env.REPLICATE_API_TOKEN" }
+  },
+  {
+    id: "secrets/groq-api-key",
+    title: "Groq API Key Detected",
+    description: "A Groq API key (gsk_...). Same blast radius as OpenAI keys \u2014 burnable balance, no scope.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bgsk_[A-Za-z0-9]{52,56}\\b", type: "match" }],
+    fix: { description: "Rotate at console.groq.com/keys.", suggestion: "process.env.GROQ_API_KEY" }
+  },
+  {
+    id: "secrets/perplexity-api-key",
+    title: "Perplexity API Key Detected",
+    description: "A Perplexity API key (pplx-...).",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: "\\bpplx-[A-Za-z0-9]{48,56}\\b", type: "match" }],
+    fix: { description: "Rotate at perplexity.ai/settings/api.", suggestion: "process.env.PERPLEXITY_API_KEY" }
+  },
+  {
+    id: "secrets/together-api-key",
+    title: "Together AI API Key Detected",
+    description: "A Together AI API key. 64-hex-char format \u2014 requires the env-var context to fire to avoid false positives on file hashes.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:TOGETHER_API_KEY|TOGETHERAI_API_KEY)\\s*[:=]\\s*["']?[a-f0-9]{64}["']?`, type: "match" }],
+    fix: { description: "Rotate at api.together.xyz/settings/api-keys.", suggestion: "process.env.TOGETHER_API_KEY" }
+  },
+  {
+    id: "secrets/elevenlabs-api-key",
+    title: "ElevenLabs API Key Detected",
+    description: "An ElevenLabs API key. Voice synthesis charges run fast \u2014 a prompt-injection that generates 30-minute outputs against a leaked key burns the balance in hours.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    // Both patterns must match the file (engine §1.1b context_line filter)
+    // because 32-hex strings appear all over (hashes, UUIDs).
+    patterns: [
+      { regex: `(?:ELEVENLABS|XI)_API_KEY\\s*[:=]\\s*["']?(?:sk_)?[a-f0-9]{32}`, type: "match" }
+    ],
+    fix: { description: "Rotate at elevenlabs.io/app/settings/api-keys.", suggestion: "process.env.ELEVENLABS_API_KEY" }
+  },
+  {
+    id: "secrets/mistral-api-key",
+    title: "Mistral AI API Key Detected",
+    description: "A Mistral AI API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `\\bMISTRAL_API_KEY\\s*[:=]\\s*["']?[A-Za-z0-9]{32,}["']?`, type: "match" }],
+    fix: { description: "Rotate at console.mistral.ai/api-keys.", suggestion: "process.env.MISTRAL_API_KEY" }
+  },
+  {
+    id: "secrets/cohere-api-key",
+    title: "Cohere API Key Detected",
+    description: "A Cohere API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `\\bCOHERE_API_KEY\\s*[:=]\\s*["']?[A-Za-z0-9]{40,}["']?`, type: "match" }],
+    fix: { description: "Rotate at dashboard.cohere.com/api-keys.", suggestion: "process.env.COHERE_API_KEY" }
+  },
+  {
+    id: "secrets/deepseek-api-key",
+    title: "DeepSeek API Key Detected",
+    description: "A DeepSeek API key (sk-...). Format collides with OpenAI legacy keys, so detection requires the DEEPSEEK_API_KEY env-var context to avoid false positives.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [
+      { regex: `(?:DEEPSEEK|DEEP_SEEK)_API_KEY\\s*[:=]\\s*["']?sk-[a-f0-9]{32}["']?`, type: "match" }
+    ],
+    fix: { description: "Rotate at platform.deepseek.com/api_keys.", suggestion: "process.env.DEEPSEEK_API_KEY" }
+  },
+  {
+    id: "secrets/pinecone-api-key",
+    title: "Pinecone API Key Detected",
+    description: "A Pinecone vector DB API key. Pinecone keys grant read+write on every index by default \u2014 an attacker with the key can dump or wipe your embeddings.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [
+      { regex: "\\bpcsk_[A-Za-z0-9_]{40,}\\b", type: "match" }
+    ],
+    fix: { description: "Rotate at app.pinecone.io. Restrict the new key to a specific project and consider creating index-scoped keys.", suggestion: "process.env.PINECONE_API_KEY" }
+  },
+  {
+    id: "secrets/weaviate-api-key",
+    title: "Weaviate API Key Detected",
+    description: "A Weaviate API key.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:WEAVIATE_API_KEY|WEAVIATE_ADMIN_API_KEY)\\s*[:=]\\s*["']?[A-Za-z0-9-]{32,}["']?`, type: "match" }],
+    fix: { description: "Rotate the key in your Weaviate Cloud console. Prefer read-only keys for client-reachable code.", suggestion: "process.env.WEAVIATE_API_KEY" }
+  },
+  {
+    id: "secrets/vsce-publish-token",
+    title: "VS Code Marketplace Publish Token Detected",
+    description: "A VSCE personal access token publishes extensions to the VS Code Marketplace. The Clinejection attack stole this exact token via CI cache poisoning and published malware to millions of installs. Rotate immediately.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:VSCE_PAT|VSCE_TOKEN|VSCODE_MARKETPLACE_TOKEN)\\s*[:=]\\s*["']?[A-Za-z0-9]{52,}`, type: "match" }],
+    fix: { description: "Rotate the token in https://dev.azure.com immediately. Move to GitHub Actions OIDC for publishing if possible. Audit the extension's recent versions for tampering.", suggestion: "process.env.VSCE_PAT" }
+  },
+  {
+    id: "secrets/ovsx-publish-token",
+    title: "Open VSX Publish Token Detected",
+    description: "An Open VSX publish token. Same blast radius as VSCE_PAT \u2014 the Clinejection attack stole this token alongside.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-798",
+    languages: ["*"],
+    patterns: [{ regex: `(?:OVSX_PAT|OVSX_TOKEN|OPEN_VSX_TOKEN)\\s*[:=]\\s*["']?[A-Za-z0-9-]{30,}`, type: "match" }],
+    fix: { description: "Rotate at https://open-vsx.org/user-settings/tokens. Re-publish the latest known-good version of your extension after confirming the source hasn't been tampered with.", suggestion: "process.env.OVSX_PAT" }
+  },
+  {
+    id: "secrets/public-env-secret-exposed",
+    title: "Secret Exposed to the Browser via a Public Variable",
+    description: "A secret is tied to a public, client-bundled variable (VITE_, REACT_APP_, EXPO_PUBLIC_). These are inlined into the JavaScript shipped to every visitor, so anyone can read the key by viewing your site's source. (NEXT_PUBLIC_ is covered by a separate Next.js rule.)",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-200",
+    owasp: "A01:2021",
+    languages: ["*"],
+    patterns: [
+      // A public-prefixed variable whose NAME is unambiguously a server secret.
+      // Scoped to non-Next prefixes (framework/nextjs-public-env-secret owns
+      // NEXT_PUBLIC_) and to names that value-based rules can't catch from a bare
+      // `process.env.X` reference — so this is purely additive, no double-counting
+      // with llm/api-key-client-env. API_KEY/TOKEN are deliberately excluded (those
+      // overlap with value-based detection and legitimate publishable keys).
+      {
+        regex: "(?:VITE_|REACT_APP_|EXPO_PUBLIC_)[A-Z0-9_]*(?:SECRET|SERVICE_ROLE|PRIVATE|PASSWORD)(?!.*(?:anon|public))",
+        type: "match"
+      }
+    ],
+    excludePatterns: [
+      { regex: "ANON_KEY|PUBLISHABLE|PUBLIC_KEY|_URL\\b|_ID\\b", type: "context_line" }
+    ],
+    fix: {
+      description: "Never put a secret in a public variable. Use a server-only variable (drop the VITE_/EXPO_PUBLIC_ prefix) and read it from server code, or proxy the request through your backend so the key never reaches the browser.",
+      suggestion: "// server only \u2014 no public prefix:\nconst key = process.env.STRIPE_SECRET_KEY;"
+    }
   }
 ];
 var INJECTION_RULES = [
@@ -4929,6 +5238,56 @@ var INJECTION_RULES = [
     ],
     excludePatterns: [{ regex: "(?:__proto__|hasOwnProperty|prototype|constructor|sanitize|safeMerge|lodash\\.merge|deepmerge)", type: "context_line" }],
     fix: { description: "Validate that user-provided keys don't include __proto__, constructor, or prototype. Use Object.create(null) for key-value maps from user input.", suggestion: "if (['__proto__', 'constructor', 'prototype'].includes(key)) throw new Error('Invalid key')" }
+  },
+  {
+    id: "injection/python-sql-formatting",
+    title: "SQL Query Built with String Formatting (Python)",
+    description: "A SQL query passed to .execute() is built with % formatting or + concatenation. If any part comes from user input, this is SQL injection. Pass values as parameters instead. (f-string queries are caught separately.)",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-89",
+    owasp: "A03:2021",
+    languages: ["python"],
+    patterns: [
+      // f-strings are owned by framework/django-raw-sql; only the %/+ forms here,
+      // to stay purely additive and avoid double-counting one query.
+      { regex: `\\.execute(?:many)?\\s*\\(\\s*["'][^"']*["']\\s*%`, type: "match" },
+      { regex: `\\.execute(?:many)?\\s*\\(\\s*["'][^"']*["']\\s*\\+`, type: "match" }
+    ],
+    fix: {
+      description: "Use parameterized queries \u2014 pass values as the second argument to execute(), never format them into the SQL string.",
+      suggestion: 'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))'
+    }
+  },
+  {
+    id: "injection/python-unsafe-yaml-load",
+    title: "Unsafe YAML Deserialization (Python)",
+    description: "yaml.load() without SafeLoader can construct arbitrary Python objects, so untrusted YAML can execute code on your server. Use yaml.safe_load() instead.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-502",
+    owasp: "A08:2021",
+    languages: ["python"],
+    patterns: [{ regex: "yaml\\.load\\s*\\((?![^)]{0,200}SafeLoader)", type: "match" }],
+    fix: {
+      description: "Use yaml.safe_load() for any input you don't fully control.",
+      suggestion: "data = yaml.safe_load(user_input)"
+    }
+  },
+  {
+    id: "config/flask-debug-enabled",
+    title: "Flask Debug Mode Enabled",
+    description: "Flask runs with debug=True. The Werkzeug interactive debugger lets anyone who triggers an error run arbitrary code on your server. Never enable debug mode in production.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-489",
+    owasp: "A05:2021",
+    languages: ["python"],
+    patterns: [{ regex: "\\.run\\s*\\([^)]*debug\\s*=\\s*True", type: "match" }],
+    fix: {
+      description: "Never run Flask with debug=True in production. Drive it from an environment variable that defaults to off.",
+      suggestion: 'app.run(debug=os.environ.get("FLASK_DEBUG") == "1")'
+    }
   }
 ];
 var XSS_RULES = [
@@ -5016,6 +5375,10 @@ var AUTH_RULES = [
     languages: ["javascript", "typescript"],
     patterns: [
       { regex: `(?:Access-Control-Allow-Origin|origin)\\s*[:=]\\s*["']\\*["']`, type: "match" },
+      // Two-argument header form: res.header("Access-Control-Allow-Origin", "*")
+      // / res.setHeader(...) — very common in AI-generated Express code, missed by
+      // the colon/equals pattern above.
+      { regex: `["']Access-Control-Allow-Origin["']\\s*,\\s*["']\\*["']`, type: "match" },
       { regex: "cors\\(\\s*\\)", type: "match" },
       { regex: `cors\\(\\s*\\{\\s*origin\\s*:\\s*(?:true|\\*|["']\\*["'])`, type: "match" }
     ],
@@ -5091,6 +5454,25 @@ var CONFIG_RULES = [
     patterns: [{ regex: "(?:NextAuth|authOptions|nextauth)\\s*[:=(]", type: "match" }],
     excludePatterns: [{ regex: "(?:NEXTAUTH_SECRET|secret\\s*:\\s*process\\.env|AUTH_SECRET|NEXT_AUTH_SECRET)", type: "context_line" }],
     fix: { description: "Set the NEXTAUTH_SECRET environment variable in production. Generate a strong random secret with openssl rand -base64 32.", suggestion: "secret: process.env.NEXTAUTH_SECRET" }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln: agent-workspace config files committed to repo.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "config/agent-config-tracked",
+    title: "Agent Workspace Config Committed to Repo",
+    description: "A file like .cursor/mcp.json, .claude/settings.local.json, or .windsurf/config.json is in the repo. These are per-machine workspace files that often contain MCP server credentials, API keys, and absolute paths that leak the contributor's home directory. They should never be tracked.",
+    severity: "medium",
+    confidence: "medium",
+    cwe: "CWE-538",
+    languages: ["json", "yaml"],
+    patterns: [
+      // Fires only on the workspace-config filenames themselves.
+      { regex: "(?:^|/)(?:\\.cursor/mcp\\.json|\\.claude/settings\\.local\\.json|\\.windsurf/config\\.json|\\.cline/settings\\.json|\\.aider\\.conf\\.yml)$", type: "file_path" },
+      // Marker: any non-empty content. The presence of the file IS the finding.
+      { regex: "\\S", type: "match" }
+    ],
+    fix: { description: "Add to .gitignore, then `git rm --cached <file>` to untrack. Move secrets in the file to environment variables. Use a `.cursor/mcp.shared.json` (or similar tool convention) for team-shared, secret-free settings." }
   }
 ];
 var PII_RULES = [
@@ -5353,6 +5735,76 @@ var BAAS_RULES = [
     ],
     excludePatterns: [{ regex: `(?:allowedRedirects|validRedirects|safeUrls|startsWith\\s*\\(\\s*["']https://)`, type: "context_line" }],
     fix: { description: "Use a hardcoded or whitelisted redirect URL for OAuth callbacks. Never use raw user input.", suggestion: "redirectTo: `${process.env.NEXT_PUBLIC_URL}/auth/callback`" }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: post-Lovable-CVE Supabase RLS patterns. The
+  // existing `supabase-rls-disabled` rule only flags MISSING RLS. These flag
+  // RLS that LOOKS protective but isn't — `USING (true)`, over-granted anon
+  // role, service-role used in client-reachable code, JWT-claim trust.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "baas/supabase-rls-policy-allows-all",
+    title: "Supabase RLS Policy Allows All Rows",
+    description: "This row-level-security policy uses USING (true), USING (1=1), or WITH CHECK (true). RLS is technically enabled \u2014 so the table looks protected and security scanners that only check `enable row level security` pass \u2014 but the policy itself authorizes everything. Lovable's 'security scan' missed exactly this pattern. CVE-2025-48757 fallout: 170 apps shipped this.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-285",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "create\\s+policy[^;]+(?:using|with\\s+check)\\s*\\(\\s*(?:true|1\\s*=\\s*1)\\s*\\)", type: "match" },
+      { regex: "create\\s+policy[^;]+using\\s*\\(\\s*auth\\.role\\(\\)\\s*=\\s*'authenticated'\\s*\\)", type: "match" }
+    ],
+    fix: { description: "Replace `USING (true)` with a real predicate \u2014 typically `USING (auth.uid() = user_id)`. If the table genuinely allows public read, scope it by operation (`FOR SELECT`) and add a separate restrictive policy for writes." }
+  },
+  {
+    id: "baas/supabase-anon-overgrant",
+    title: "Postgres Anon Role Granted Broad Privileges",
+    description: "GRANT ALL, GRANT INSERT, or GRANT DELETE to the `anon` role gives unauthenticated users database-level write access. Even with RLS, this widens the attack surface \u2014 `anon` should only have SELECT on tables you intend to expose, and EXECUTE on RPC functions you've audited.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-732",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "grant\\s+(?:all|insert|update|delete|truncate)\\s+(?:on[^;]+)?to\\s+anon", type: "match" }
+    ],
+    fix: { description: "Revoke broad grants. `REVOKE ALL ON <table> FROM anon;` then `GRANT SELECT ON <table> TO anon;` only for tables that should be publicly readable." }
+  },
+  {
+    id: "baas/supabase-service-role-client-reachable",
+    title: "Service-Role Key Used in Client-Reachable Route",
+    description: "This route handler uses the Supabase service-role client but lives in a path the client can call (no auth gate, no internal/server-only marker). Service role bypasses RLS entirely \u2014 a single unauthenticated request reads every table. The April 2026 Lovable mass breach included this pattern across pre-Nov-2025 projects.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-269",
+    owasp: "A01:2021",
+    languages: ["javascript", "typescript"],
+    patterns: [
+      { regex: "createClient\\s*\\([^,]+,\\s*process\\.env\\.(?:SUPABASE_)?SERVICE_ROLE_KEY", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "(?:\\.server\\.|/api/internal|cron|webhook|middleware\\.ts|requireAuth|auth\\.uid|getServerSession)", type: "context_line" },
+      { regex: "(?:\\.server\\.|/api/internal|cron|webhook|middleware\\.ts)", type: "file_path" }
+    ],
+    fix: { description: "Either move this logic behind explicit auth (e.g. requireUser() at the top of the handler), or replace the service-role client with the anon client + RLS. Never use service role in an endpoint a logged-out browser can reach." }
+  },
+  {
+    id: "baas/supabase-rls-policy-jwt-claim-not-verified",
+    title: "Supabase RLS Policy Trusts a JWT Claim Without Issuing It",
+    description: "This policy authorizes based on auth.jwt() ->> 'role' or auth.jwt() ->> 'org_id' from a claim Supabase doesn't issue by default. If the claim comes from a third-party JWT (Clerk, Auth0, Firebase) and you haven't configured Supabase to validate the issuer, an attacker can craft their own JWT and bypass the policy.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-345",
+    owasp: "A01:2021",
+    languages: ["sql"],
+    patterns: [
+      { regex: "auth\\.jwt\\(\\)\\s*->>?\\s*'(?:role|org_id|tenant|company|workspace_id|account_id)'", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "(?:auth\\.uid|user_id|owner_id)", type: "context_line" }
+    ],
+    fix: { description: "Either issue these claims via Supabase Auth Hooks (so Supabase is the JWT issuer), or configure third-party JWT verification with a strict issuer + audience check. Don't read claims you don't issue." }
   }
 ];
 var LLM_RULES = [
@@ -5489,6 +5941,158 @@ var LLM_RULES = [
       { regex: "(?:query|execute|sql|raw)\\s*\\(\\s*(?:completion|response|result|output|llm|ai|gpt|claude)[.\\[]", type: "match" }
     ],
     fix: { description: "Never execute LLM output as code. Use structured output parsing with validation, or run generated code in a sandboxed environment." }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: MCP tool pinning, LangChain SSRF/path traversal,
+  // Vercel AI SDK input handling, cost-exhaustion (max_tokens / rate limit),
+  // .env-into-prompt, Codex branch-shell, OpenAI Assistants allowlist,
+  // git-hook writes, agent-on-PR-content.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "llm/mcp-tool-no-pinning",
+    title: "MCP Tool Used Without Version Pinning",
+    description: "This code calls an MCP tool by name without checking the server's identity hash or pinning the tool description. A 'rug pull' (CVE-2025-54136) \u2014 server updates its tool description after you approved it \u2014 silently changes what the tool does. Your code keeps calling `add` and ends up exfiltrating data.",
+    severity: "medium",
+    confidence: "low",
+    cwe: "CWE-345",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: `(?:mcpClient|mcp_client|MCPClient)\\.(?:callTool|invoke|call)\\s*\\(\\s*["']`, type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:hash|fingerprint|version|pinned|approved)", type: "context_line" }],
+    fix: { description: "Record a hash of the tool description the first time you approve a server. Re-verify on every call. Reject calls whose description changed since approval." }
+  },
+  {
+    id: "llm/langchain-recursive-url-loader-unsafe",
+    title: "LangChain RecursiveUrlLoader Used Without SSRF Guard",
+    description: "RecursiveUrlLoader follows HTTP redirects in a way that bypasses URL validators \u2014 CVE-2026-27795 lets an attacker hand you a benign-looking URL that 302s to cloud metadata. If you load attacker-supplied URLs into a RAG pipeline, you leak 169.254.169.254 and friends.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-918",
+    owasp: "A10:2021",
+    languages: ["python", "javascript", "typescript"],
+    patterns: [
+      { regex: "(?:RecursiveUrlLoader|recursive_url_loader)\\s*\\(", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:allowlist|allow_list|allowed_domains|domain_filter|ssrf_guard)", type: "context_line" }],
+    fix: { description: "Upgrade @langchain/community to 1.1.14+ (Node) or langchain-community to the patched release (Python). Wrap loader calls in an SSRF-safe HTTP client that blocks RFC 1918, link-local, and cloud-metadata ranges before AND after redirects." }
+  },
+  {
+    id: "llm/langchain-load-prompt-from-path",
+    title: "LangChain Loads Prompt Template from Untrusted Path",
+    description: "load_prompt(...) (CVE-2026-34070) traverses any path you give it. If the path comes from request input, an attacker reads arbitrary files \u2014 /etc/passwd, .env, SSH keys.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-22",
+    owasp: "A01:2021",
+    languages: ["python", "javascript", "typescript"],
+    patterns: [
+      { regex: "(?:load_prompt|loadPrompt)\\s*\\([^)]*(?:req\\.|request\\.|input|user|body|query|param)", type: "match" }
+    ],
+    fix: { description: "Never pass untrusted strings to load_prompt. Maintain an explicit registry of allowed prompt names and look up the path server-side." }
+  },
+  {
+    id: "llm/ai-sdk-input-as-prompt",
+    title: "Vercel AI SDK generateText/streamText Called with Raw User Input",
+    description: "generateText({ prompt: userInput }) and streamText({ messages: [...] }) with raw user input is the canonical Vercel AI SDK prompt-injection point. Users can override system instructions, extract the system prompt, or trigger arbitrary tool calls.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-77",
+    languages: ["javascript", "typescript"],
+    patterns: [
+      { regex: "(?:generateText|streamText|generateObject|streamObject)\\s*\\(\\s*\\{[^}]*prompt\\s*:\\s*(?:req\\.|request\\.|body\\.|input|userInput|message)", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:sanitize|validate|zod|schema|filter)", type: "context_line" }],
+    fix: { description: "Always pass user input as a separate `user` message, never as the prompt string and never interpolated into the system message. Validate with Zod before sending.", suggestion: "streamText({ system: SYSTEM_PROMPT, messages: [{ role: 'user', content: sanitize(input) }] })" }
+  },
+  {
+    id: "llm/agent-runs-on-unsanitized-pr-content",
+    title: "AI Agent Run on PR Title/Body Without Sanitizing",
+    description: "This code passes PR titles, bodies, or comments straight into an agent prompt. The 'Comment and Control' attack chain has confirmed exfil of ANTHROPIC_API_KEY and GITHUB_TOKEN via PR titles in Claude Code, fake 'Trusted Content Section' blocks in Gemini CLI, and HTML comments in Copilot Agent.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-77",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:pull_request|pullRequest|pr|issue)\\.(?:title|body|head_ref).{0,200}(?:prompt|messages|systemPrompt|userMessage)", type: "match" },
+      { regex: "(?:prompt|content)\\s*[:=]\\s*`[^`]*\\$\\{(?:pr|pullRequest|issue|comment)\\.(?:title|body)", type: "match" }
+    ],
+    fix: { description: "Treat PR content as untrusted data, never as instructions. Strip prompt-injection markers (<system>, </system>, 'ignore previous'). Move the actual instructions to a server-side system prompt and pass PR content as a quoted block inside a user message." }
+  },
+  {
+    id: "llm/no-max-tokens",
+    title: "LLM Call Without max_tokens or Cost Limit",
+    description: "This LLM call has no max_tokens (OpenAI/Anthropic), max_output_tokens (Gemini), or equivalent ceiling. A prompt-injection or a single buggy loop can rack up thousands of dollars on a free-tier app. Uber exhausted its 2026 AI budget months into the year \u2014 this is the pattern.",
+    severity: "medium",
+    confidence: "low",
+    cwe: "CWE-770",
+    owasp: "A04:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:openai|anthropic|gemini|generativeai)\\.[a-z_]+\\.(?:create|generate|complete|messages)\\s*\\(\\s*\\{[^}]*\\bmodel\\s*:", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:max_tokens|max_output_tokens|maxTokens|maxOutputTokens|max_completion_tokens)", type: "context_line" }],
+    fix: { description: "Always set a max_tokens ceiling. Add a per-user / per-IP rate limiter at the API edge. Track cost per request via the response usage object and refuse new requests when the user passes a daily threshold.", suggestion: "const completion = await openai.chat.completions.create({ model: 'gpt-4o', messages, max_tokens: 1024 });" }
+  },
+  {
+    id: "llm/env-file-read-into-prompt",
+    title: ".env or Secrets File Read into LLM Prompt",
+    description: "This code reads a secrets file (.env, .aws/credentials, ~/.ssh/) and passes it into an LLM prompt or message. The LLM provider now has your secrets in their logs; a prompt injection in the response can exfiltrate them; and any output filtering you do is best-effort.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-200",
+    owasp: "A01:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:readFile|readFileSync|fs\\.read|open|Path\\([^)]+\\)\\.read)[\\s\\S]{0,80}(?:\\.env|credentials|\\.ssh|secret|\\.pem|id_rsa)[\\s\\S]{0,300}(?:prompt|messages|content|completion|generateText|streamText)", type: "match" }
+    ],
+    fix: { description: "Never put secrets in a prompt. If the agent needs to act on credentials, give it a tool that uses them internally and never returns or echoes them. Redact env files before passing any config snippet to an LLM." }
+  },
+  {
+    id: "llm/agent-writes-to-git-hooks",
+    title: "Code Writes to .git/hooks (CVE-2026-26268 vector)",
+    description: "This code writes to .git/hooks/. Cursor IDE CVE-2026-26268 used exactly this \u2014 an agent cloning a repo into a workspace triggers pre-commit hooks attackers placed there. If your own code writes hooks based on agent output or external input, you've recreated the bug.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-94",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python", "shell"],
+    patterns: [
+      { regex: `(?:writeFile|writeFileSync|open|Path\\([^)]+\\)\\.write)[\\s\\S]{0,80}["']\\.git/hooks/`, type: "match" },
+      { regex: "chmod\\s+\\+x[\\s\\S]{0,80}\\.git/hooks/", type: "match" }
+    ],
+    fix: { description: "Don't write Git hooks from application code. If you need pre-commit checks, install them via husky or pre-commit at setup time with the user's explicit consent." }
+  },
+  {
+    id: "llm/codex-branch-name-shell-injection",
+    title: "Branch Name or Repo Field Passed to Shell Without Sanitizing",
+    description: "OpenAI Codex CVE (reported Dec 2025, patched Feb 2026) shipped because branch names were passed unsanitized into shell commands inside the agent container, letting any user with branch-create permission run arbitrary commands and exfiltrate the GitHub token. Same shape applies to any agent that runs shell with attacker-controllable repo metadata.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "(?:exec|spawn|execSync|child_process|subprocess\\.(?:run|call|Popen))[\\s\\S]{0,100}(?:branch|ref|head_ref|base_ref|repo_name|pr_title)", type: "match" },
+      { regex: "`[^`]*\\$\\{(?:branch|ref|head|repo)Name", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:shellQuote|escapeShellArg|shlex\\.quote|sanitize)", type: "context_line" }],
+    fix: { description: "Never interpolate any field that could be attacker-controlled into a shell command. Use execFile with argv array (no shell) or quote the input with shell-quote/shlex.quote." }
+  },
+  {
+    id: "llm/openai-assistant-tool-no-allowlist",
+    title: "OpenAI Assistants / Responses API Without Tool Allowlist",
+    description: "This code uses the OpenAI Assistants API or Responses API with tools enabled and no allowlist check before executing the returned tool call. The Codex command-injection chain (CVE patched Feb 2026) and the ChatGPT data-exfil chain (Feb 2026) both relied on this \u2014 the agent decides what to call, the code does it.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["javascript", "typescript", "python"],
+    patterns: [
+      { regex: "required_action[\\s\\S]{0,100}submit_tool_outputs", type: "match" }
+    ],
+    excludePatterns: [{ regex: "(?:allowedTools|toolRegistry|ALLOW_LIST|whitelist|permitted)", type: "context_line" }],
+    fix: { description: "Maintain an explicit Set<string> of permitted tool names. Reject any tool call whose name isn't in the set. Log and alert on rejections." }
   }
 ];
 var HEADERS_RULES = [
@@ -5773,6 +6377,58 @@ var DEPS_RULES = [
     ],
     excludePatterns: [{ regex: "(?:integrity|crossorigin)", type: "context_line" }],
     fix: { description: "Add integrity and crossorigin attributes to all CDN-loaded scripts.", suggestion: '<script src="https://cdn.example.com/lib.js" integrity="sha384-..." crossorigin="anonymous"></script>' }
+  },
+  // ─────────────────────────────────────────────────────────────────────────
+  // Round 7-vuln additions: known-malicious packages from the Clinejection
+  // class of supply-chain attacks, extended slopsquatting list, no-lockfile.
+  // ─────────────────────────────────────────────────────────────────────────
+  {
+    id: "deps/known-malicious-package",
+    title: "Known-Malicious Package Detected",
+    description: "This package was used in a confirmed supply-chain attack. Remove it immediately and rotate any credentials that were on the machine when it was installed.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-829",
+    owasp: "A06:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"(?:openclaw|postmark-mcp)"\\s*:', type: "match" },
+      { regex: '"cline"\\s*:\\s*"[^"]*2\\.3\\.0[^"]*"', type: "match" },
+      { regex: "package(?:-lock)?\\.json$", type: "file_path" }
+    ],
+    fix: { description: "Remove the package. Rotate any tokens (npm publish, GitHub PAT, AI provider keys) that were active on the machine since install. Audit your shell history and ~/.npm cache. The Cline 2.3.0 incident shipped openclaw as a postinstall payload between 3:26am and 11:30am PT on 2026-02-17." }
+  },
+  {
+    id: "deps/slopsquatting-risk-extended",
+    title: "Likely AI-Hallucinated Package Name (Extended List)",
+    description: "Extension of `deps/slopsquatting-risk` with names observed in the past 6 months of AI-generated code (Cursor, Lovable, Bolt, v0 traces). These names sound plausible \u2014 'react-query-helpers', 'nextjs-auth-utils' \u2014 but they didn't exist when the model trained. Squatters now own these names.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-829",
+    languages: ["json"],
+    patterns: [
+      { regex: '"(?:react-query-helpers|nextjs-auth-utils|supabase-edge-utils|shadcn-ui-helpers|drizzle-helpers|hono-helpers|tanstack-router-utils|effect-helpers|zustand-helpers|tailwind-typography-extended|framer-motion-utils|radix-ui-helpers|trpc-helpers|prisma-edge-helpers|vercel-blob-utils|cloudflare-d1-helpers|nuxt-auth-utils|svelte-kit-helpers|astro-edge-helpers|solid-js-helpers)"\\s*:', type: "match" },
+      { regex: "package\\.json$", type: "file_path" }
+    ],
+    fix: { description: "Verify on npmjs.com. Run `npm view <pkg>` \u2014 if the package is <30 days old, has one maintainer, and zero stars, do not install." }
+  },
+  {
+    id: "deps/no-lockfile",
+    title: "No Dependency Lockfile in Project",
+    description: "This project's package.json has no companion package-lock.json / pnpm-lock.yaml / yarn.lock. Every install re-resolves versions, so a malicious update to any transitive dep ships on your next `npm install`. The Cline supply-chain attack window was 8 hours \u2014 without a lockfile, every install during that window pulled malware.",
+    severity: "medium",
+    confidence: "high",
+    cwe: "CWE-1357",
+    languages: ["json"],
+    patterns: [
+      { regex: '"name"\\s*:', type: "match" },
+      { regex: "(?:^|/)package\\.json$", type: "file_path" }
+    ],
+    requireSibling: {
+      // Rule fires only if NONE of these lockfiles exist anywhere in the scan set.
+      missing: ["package-lock.json", "pnpm-lock.yaml", "yarn.lock", "bun.lockb"]
+    },
+    fix: { description: "Commit a lockfile. `npm install --package-lock-only` or `pnpm install --lockfile-only`. Re-run on every dependency change. Set engine-strict and pin the package manager via `packageManager` in package.json." }
   }
 ];
 var CLIENT_RULES = [
@@ -5846,6 +6502,224 @@ var CLIENT_RULES = [
     fix: { description: "Add CSRF protection: use SameSite=Strict cookies, verify a CSRF token header, or use a framework that handles this automatically (e.g. Next.js Server Actions have built-in CSRF protection)." }
   }
 ];
+var AI_AGENT_RULES = [
+  {
+    id: "ai-agent/invisible-unicode-in-config",
+    title: "AI Agent Config File Contains Invisible Unicode",
+    description: "This agent config file contains zero-width, tag, or variation-selector Unicode characters that humans can't see but LLMs read as normal text. This is the standard technique for hiding prompt injection payloads inside .cursorrules / .windsurfrules / CLAUDE.md / AGENTS.md / copilot-instructions.md. If you didn't put them there, an attacker did.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-1007",
+    owasp: "A03:2021",
+    languages: ["markdown"],
+    patterns: [
+      // JS regex Unicode escape uses \u{...} with /u flag (PCRE \x{} doesn't work).
+      // compileRegex auto-adds /u when it sees \u{...} braces in the source.
+      { regex: "[\\u{200B}-\\u{200F}\\u{2028}-\\u{202F}\\u{2060}-\\u{206F}\\u{FE00}-\\u{FE0F}\\u{E0000}-\\u{E007F}]", type: "match" },
+      { regex: "(?:\\.cursorrules|\\.windsurfrules|\\.clinerules|CLAUDE\\.md|AGENTS\\.md|copilot-instructions\\.md|\\.mdc|\\.cursor/rules/)", type: "file_path" }
+    ],
+    fix: { description: "Open the file in an editor that visualizes invisible characters (VS Code with 'Render Whitespace' + the 'Gremlins' extension, or `cat -v`). Strip any character outside printable ASCII unless you intentionally need it. Add a pre-commit hook that rejects these ranges.", suggestion: "perl -CSDA -pe 's/[\\x{200B}-\\x{200F}\\x{2060}-\\x{206F}\\x{E0000}-\\x{E007F}]//g' -i .cursorrules" }
+  },
+  {
+    id: "ai-agent/mcp-stdio-shell-command",
+    title: "MCP Server Runs an Arbitrary Shell Command",
+    description: "This MCP server config launches a STDIO process via a shell wrapper (sh -c, bash -c, eval, exec) or `npx -y` (downloads and runs arbitrary npm code). A poisoned tool description or a rug-pull update can inject extra arguments and run anything on your machine. The Windsurf zero-click RCE (CVE-2026-30615) used exactly this shape.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"command"\\s*:\\s*"(?:sh|bash|zsh|cmd|powershell|pwsh|eval|exec)"', type: "match" },
+      { regex: '"args"\\s*:\\s*\\[\\s*"-c"', type: "match" },
+      { regex: "(?:mcp\\.json|mcp_settings\\.json|claude_desktop_config\\.json)$", type: "file_path" }
+    ],
+    fix: { description: 'MCP servers should be invoked with their executable directly \u2014 `"command": "node"`, `"args": ["server.js"]` \u2014 never wrapped in a shell. If the server requires shell expansion, the server itself is wrong.' }
+  },
+  {
+    id: "ai-agent/mcp-public-http-endpoint",
+    title: "MCP Server Points to a Public HTTP URL",
+    description: "This MCP server is configured to talk to an HTTP endpoint, not a local STDIO process, and the URL is on the public internet without TLS. Anything the server returns becomes context the agent acts on, so a network attacker can serve poisoned tool descriptions and trigger a confused-deputy attack.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-319",
+    owasp: "A02:2021",
+    languages: ["json"],
+    patterns: [
+      { regex: '"url"\\s*:\\s*"http://(?!localhost|127\\.|0\\.0\\.0\\.0|::1)', type: "match" },
+      { regex: "(?:mcp\\.json|claude_desktop_config\\.json)$", type: "file_path" }
+    ],
+    excludePatterns: [
+      { regex: "ngrok\\.io|ngrok-free\\.app|loca\\.lt", type: "context_line" }
+    ],
+    fix: { description: "Require HTTPS for any MCP server you don't run locally. Pin the server's full URL including version path. Prefer STDIO with a locally installed binary for anything that handles credentials." }
+  },
+  {
+    id: "ai-agent/cursor-auto-run-enabled",
+    title: "Cursor Auto-Run / YOLO Mode Enabled",
+    description: "Cursor's Auto-Run Mode (formerly YOLO Mode) lets the agent execute commands without per-call approval. Combined with prompt injection from an MCP server, a rules file, or a PR comment, this turns the IDE into a one-shot RCE. CVE-2026-22708 specifically bypasses the allowlist via shell built-ins when this mode is on.",
+    severity: "high",
+    confidence: "high",
+    cwe: "CWE-269",
+    languages: ["json"],
+    patterns: [
+      { regex: '"cursor\\.(?:autoRun|yoloMode|composerAutoRun|chat\\.autoExecute|agent\\.autoRun|agent\\.skipApproval)"\\s*:\\s*true', type: "match" },
+      { regex: '"agent"\\s*:\\s*\\{[^}]*"autoApprove"\\s*:\\s*true', type: "match" }
+    ],
+    fix: { description: "Disable Auto-Run for any repo that contains code you didn't write yourself. If you must keep it on, also disable shell built-ins in the allowlist and review every MCP server in .cursor/mcp.json first." }
+  },
+  {
+    id: "ai-agent/agent-allowlist-disabled",
+    title: "Agent Tool Allowlist Disabled or Empty",
+    description: "This agent config disables the tool allowlist or sets it to allow everything. The allowlist is the last layer between a prompt injection and shell access \u2014 turning it off means any malicious instruction (in a file, an MCP tool description, a PR comment) becomes arbitrary code execution.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["json"],
+    patterns: [
+      { regex: '"allowlist"\\s*:\\s*(?:false|null|\\[\\s*"\\*"\\s*\\])', type: "match" },
+      { regex: '"toolApproval"\\s*:\\s*"never"', type: "match" }
+    ],
+    fix: { description: "Keep the allowlist on. Add specific tool names you genuinely need (read_file, edit_file) and leave shell, web fetch, and MCP-write tools off until you have a reason to enable them per session." }
+  },
+  {
+    id: "ai-agent/auto-approve-tools",
+    title: "Agent Configured to Auto-Approve All Tool Calls",
+    description: "This config tells the agent to approve every tool call automatically. That removes the human-in-the-loop check that catches prompt injection mid-attack. The 'Comment and Control' PR-injection family relies on this \u2014 without auto-approve, the user sees the exfil command and stops it.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-284",
+    languages: ["json", "yaml", "markdown", "shell"],
+    patterns: [
+      { regex: "(?:auto[_-]?approve|skipConfirmation|autoConfirm|trustedAlways)\\s*[:=]\\s*true", type: "match" },
+      { regex: "--dangerously-skip-permissions", type: "match" }
+    ],
+    fix: { description: "Remove the auto-approve flag for any agent that touches a CI environment, untrusted repo, or anything with real credentials. The 5 seconds of friction is the entire point." }
+  },
+  {
+    id: "ai-agent/ci-agent-untrusted-pr-input",
+    title: "CI Agent Reads PR Title or Body Without Sanitizing",
+    description: "This GitHub Action passes github.event.pull_request.title, .body, or .head_ref directly to an AI agent (Claude Code, Copilot Agent, Gemini CLI, Codex). An attacker opens a PR with prompt-injection in the title and exfiltrates ANTHROPIC_API_KEY / GITHUB_TOKEN. This is the 'Comment and Control' / CVE-2026-35020 family.",
+    severity: "critical",
+    confidence: "medium",
+    cwe: "CWE-77",
+    owasp: "A03:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "(?:claude-code|copilot|gemini|aider|devin|codex)[\\s\\S]{0,200}\\$\\{\\{\\s*github\\.event\\.pull_request\\.(?:title|body|head_ref)", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Never interpolate PR-controlled fields directly into an agent prompt or shell line. Pass them through an env var, then have the agent treat that env var as untrusted data (not instructions). Block any prompt-injection-shaped string before invoking the agent." }
+  },
+  {
+    id: "ai-agent/ci-agent-pull-request-fork",
+    title: "CI Agent Triggers on pull_request from Forks",
+    description: "This workflow uses pull_request and runs an AI agent. Forked PRs run in your workflow context with read access to secrets if the action requests them \u2014 combined with PR-body prompt injection, this is the documented exfiltration vector.",
+    severity: "high",
+    confidence: "low",
+    cwe: "CWE-269",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "on\\s*:[\\s\\S]{0,80}pull_request(?:_target)?", type: "match" },
+      { regex: "(?:claude-code|copilot|gemini|aider|devin)", type: "context_line" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Gate AI-agent jobs on `if: github.event.pull_request.head.repo.full_name == github.repository` so forks can't trigger them with secrets attached. Or move the agent to a manually-triggered workflow_dispatch after a maintainer reviews the PR." }
+  },
+  {
+    id: "ai-agent/github-action-injection-from-pr",
+    title: "PR Title or Body Interpolated into Shell Step",
+    description: "This workflow uses ${{ github.event.pull_request.title }} or similar inside a `run:` block. GitHub interpolates that into the shell before any escaping \u2014 an attacker with a PR title containing backticks runs commands on your runner. Independent of AI agents but urgent because AI-agent workflows tend to ship in this shape.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-78",
+    owasp: "A03:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "run\\s*:[\\s\\S]{0,400}\\$\\{\\{\\s*github\\.event\\.(?:pull_request|issue|comment|review|release|discussion|head_commit|commits)\\.[a-z_]+(?:\\.[a-z_]+)?", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: 'Move the untrusted value into an env var (env: PR_TITLE: ${{ github.event.pull_request.title }}), then reference "$PR_TITLE" from the shell. The runner expands env vars after the shell parses the script, so injection becomes inert.' }
+  },
+  {
+    id: "ai-agent/agent-config-not-gitignored",
+    title: "Agent Config Path Suggests Workspace File Was Committed",
+    description: "Files like .cursor/mcp.json, .claude/settings.json, or .windsurf/config.json often contain MCP credentials, API keys, and machine-specific paths. If they're tracked by git, those secrets ship to anyone with repo access. (This rule signals a path-level concern; combine with `config/agent-config-tracked` for a stronger signal.)",
+    severity: "low",
+    confidence: "low",
+    cwe: "CWE-538",
+    languages: ["json"],
+    patterns: [
+      { regex: "(?:^|/)(?:\\.cursor|\\.claude|\\.windsurf|\\.cline|\\.continue|\\.aider)/", type: "file_path" },
+      { regex: "\\S", type: "match" }
+    ],
+    excludePatterns: [
+      { regex: "\\.gitignore$", type: "file_path" }
+    ],
+    fix: { description: "Add .cursor/, .claude/, .windsurf/, .cline/, .continue/, .aider* to .gitignore. Move anything secret out of the tracked config and into a local-only override." }
+  },
+  // ── Tier 2 additions (§4 of handoff) ────────────────────────────────────
+  {
+    id: "ai-agent/pwn-request-checkout",
+    title: "GitHub Action Uses pull_request_target + Checks Out PR Code",
+    description: "This workflow uses pull_request_target (which runs in the base repo's context with secrets) AND checks out the PR's head ref. Attacker opens a PR, the workflow runs their code with your secrets in env, attacker exfiltrates. This is the 'Pwn Request' attack \u2014 researchers have compromised Microsoft, Google, and Nvidia repos with exactly this pattern.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-269",
+    owasp: "A01:2021",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "pull_request_target", type: "match" },
+      { regex: "actions/checkout@[^\\s]+[\\s\\S]{0,200}ref\\s*:\\s*\\$\\{\\{\\s*github\\.event\\.pull_request\\.head\\.(?:sha|ref)", type: "match" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Either switch to pull_request (loses secrets \u2014 that's the point) or split into two workflows. The privileged workflow runs only on the base branch (commenting, labeling); the build workflow runs on pull_request without secrets and reports back via artifact." }
+  },
+  {
+    id: "ai-agent/workflow-write-all-permissions",
+    title: "Workflow Grants Write-All Permissions to an AI-Agent Job",
+    description: "This workflow runs an AI agent (Claude Code, Copilot Agent, Codex) and grants `permissions: write-all` or doesn't set permissions: (which defaults to write on classic-token repos). A prompt-injection from PR content turns into write access to the repo, releases, and packages.",
+    severity: "high",
+    confidence: "medium",
+    cwe: "CWE-269",
+    languages: ["yaml"],
+    patterns: [
+      { regex: "permissions\\s*:\\s*write-all", type: "match" },
+      { regex: "(?:claude-code|copilot|codex|gemini|aider)", type: "context_line" },
+      { regex: "\\.github/workflows/", type: "file_path" }
+    ],
+    fix: { description: "Set explicit permissions: block listing only what the job needs. For an agent that comments on PRs: `permissions: { contents: read, pull-requests: write }`." }
+  },
+  {
+    id: "ai-agent/jetbrains-junie-json-schema-remote",
+    title: "JSON Schema Loaded from Untrusted Remote URL",
+    description: "JetBrains IDEs auto-load $schema URLs in JSON files. JetBrains Junie CVE-2025-58335 abused this \u2014 a malicious JSON in your repo points $schema at an attacker-controlled host, the IDE fetches it, and follow-on behavior (settings overwrite, prompt context contamination) opens the agent up.",
+    severity: "medium",
+    confidence: "medium",
+    cwe: "CWE-918",
+    languages: ["json"],
+    patterns: [
+      { regex: '"\\$schema"\\s*:\\s*"http://(?!localhost|127\\.)', type: "match" },
+      { regex: '"\\$schema"\\s*:\\s*"https?://(?!schemas\\.(?:jetbrains|microsoft|github)\\.|json\\.schemastore\\.org|raw\\.githubusercontent\\.com/SchemaStore/)', type: "match" }
+    ],
+    fix: { description: "Only reference $schema URLs from trusted hosts (schemastore.org, jetbrains.com, github.com). Audit any custom schema URL in your repo \u2014 if it's not yours, remove it." }
+  },
+  {
+    id: "ai-agent/cursor-mdc-rules-directory-presence",
+    title: "Cursor .cursor/rules/*.mdc Files Present \u2014 Review Recommended",
+    description: "Cursor's 2026 rules format is .cursor/rules/<name>.mdc (replacing the single .cursorrules file). Each .mdc carries frontmatter + instructions the agent reads. These files are prime targets for prompt injection and invisible Unicode payloads. This rule is an awareness flag \u2014 every .mdc file in a freshly cloned repo deserves a human read before opening Cursor.",
+    severity: "low",
+    confidence: "high",
+    cwe: "CWE-1188",
+    languages: ["markdown"],
+    patterns: [
+      { regex: "\\S", type: "match" },
+      // any non-empty content
+      { regex: "\\.cursor/rules/.*\\.mdc$", type: "file_path" }
+    ],
+    fix: { description: "Read every .mdc rule file before running Cursor on a new repo. If you didn't write the rule, treat it as untrusted instructions until you've verified it. Combine with `ai-agent/invisible-unicode-in-config` to catch the hidden-payload variant." }
+  }
+];
 var ALL_RULES = [
   ...SECRET_RULES,
   ...INJECTION_RULES,
@@ -5860,6 +6734,7 @@ var ALL_RULES = [
   ...HEADERS_RULES,
   ...DEPS_RULES,
   ...CLIENT_RULES,
+  ...AI_AGENT_RULES,
   ...ALL_FRAMEWORK_RULES
 ];
 var CATEGORY_MAP = {
@@ -5876,6 +6751,7 @@ var CATEGORY_MAP = {
   headers: HEADERS_RULES,
   deps: DEPS_RULES,
   client: CLIENT_RULES,
+  "ai-agent": AI_AGENT_RULES,
   nextjs: NEXTJS_RULES,
   express: EXPRESS_RULES,
   django: DJANGO_RULES,
@@ -5911,10 +6787,29 @@ function extractSnippet(content, line, contextLines = 5) {
     return `${marker} ${lineNum} | ${l}`;
   }).join("\n");
 }
-function isCommentLine(line) {
+function isCommentLine(line, language) {
   const trimmed = line.trim();
+  if (language === "markdown") {
+    return trimmed.startsWith("<!--");
+  }
+  if (language === "yaml" || language === "shell") {
+    return trimmed.startsWith("#");
+  }
+  if (language === "sql") {
+    return trimmed.startsWith("--") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*";
+  }
+  if (language === "json") {
+    return false;
+  }
   return trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*" || trimmed.startsWith("<!--");
 }
+function compileRegex(source, flags) {
+  let finalFlags = flags;
+  if (/\\u\{[0-9A-Fa-f]+\}/.test(source)) {
+    if (!finalFlags.includes("u")) finalFlags += "u";
+  }
+  return new RegExp(source, finalFlags);
+}
 function isInsideStringLiteral(line, pattern) {
   const match = pattern.exec(line);
   if (!match) return false;
@@ -5947,21 +6842,35 @@ function matchRule(rule, file) {
     const contentPaths = /(?:\/docs\/|\/blog\/|\/for\/|\/examples\/|\/fixtures\/|\/tutorials?\/|\/guides?\/|__tests__\/fixtures)/i;
     if (contentPaths.test(file.path)) return [];
   }
+  const filePathPatterns = rule.patterns.filter((p) => p.type === "file_path");
+  if (filePathPatterns.length > 0) {
+    const allFilePathMatch = filePathPatterns.every(
+      (p) => compileRegex(p.regex, "i").test(file.path)
+    );
+    if (!allFilePathMatch) return [];
+  }
+  const contextLinePatterns = rule.patterns.filter((p) => p.type === "context_line");
+  if (contextLinePatterns.length > 0) {
+    const allContextMatch = contextLinePatterns.every(
+      (p) => compileRegex(p.regex, "i").test(file.content)
+    );
+    if (!allContextMatch) return [];
+  }
   const findings = [];
   const lines = file.content.split("\n");
   for (const pattern of rule.patterns) {
     if (pattern.type !== "match") continue;
-    const regex = new RegExp(pattern.regex, "gi");
+    const regex = compileRegex(pattern.regex, "gi");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
       if (!regex.test(line)) continue;
       regex.lastIndex = 0;
-      if (!isSecretRule && isCommentLine(line)) continue;
-      if (!isSecretRule && isInsideStringLiteral(line, new RegExp(pattern.regex, "gi"))) continue;
+      if (!isSecretRule && isCommentLine(line, file.language)) continue;
+      if (!isSecretRule && isInsideStringLiteral(line, compileRegex(pattern.regex, "gi"))) continue;
       if (!isSecretRule && isJsxTextContent(line)) continue;
       if (rule.excludePatterns?.length) {
         const excluded = rule.excludePatterns.some((ep) => {
-          const exRegex = new RegExp(ep.regex, "i");
+          const exRegex = compileRegex(ep.regex, "i");
           if (ep.type === "context_line") {
             return exRegex.test(line);
           }
@@ -5995,8 +6904,21 @@ function matchRule(rule, file) {
 }
 function runRules(rules, files) {
   const findings = [];
+  const filePathSet = new Set(files.map((f) => f.path));
+  const suppressedByMissingSibling = /* @__PURE__ */ new Set();
+  for (const rule of rules) {
+    if (!rule.requireSibling?.missing?.length) continue;
+    const anyPresent = rule.requireSibling.missing.some((sibling) => {
+      for (const filePath of filePathSet) {
+        if (filePath === sibling || filePath.endsWith("/" + sibling)) return true;
+      }
+      return false;
+    });
+    if (anyPresent) suppressedByMissingSibling.add(rule.id);
+  }
   for (const file of files) {
     for (const rule of rules) {
+      if (suppressedByMissingSibling.has(rule.id)) continue;
       findings.push(...matchRule(rule, file));
     }
   }
@@ -6169,6 +7091,10 @@ function dedupeEntries(entries) {
     return true;
   });
 }
+var OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
+var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
+var MAX_ENRICH = 200;
+var ENRICH_CONCURRENCY = 8;
 async function queryOsv(packages) {
   const queries = packages.map((p) => ({
     package: { name: p.name, ecosystem: p.ecosystem },
@@ -6176,7 +7102,7 @@ async function queryOsv(packages) {
   }));
   let response;
   try {
-    response = await fetch("https://api.osv.dev/v1/querybatch", {
+    response = await fetch(OSV_QUERYBATCH_URL, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ queries })
@@ -6192,38 +7118,84 @@ async function queryOsv(packages) {
     );
   }
   const data = await response.json();
-  const findings = [];
+  const matches = [];
+  const ids = /* @__PURE__ */ new Set();
   for (let i = 0; i < data.results.length; i++) {
     const result = data.results[i];
     const pkg = packages[i];
     if (!result?.vulns || result.vulns.length === 0 || !pkg) continue;
     for (const vuln of result.vulns) {
-      const cveAlias = vuln.aliases?.find((a) => a.startsWith("CVE-"));
-      const severity = mapOsvSeverity(vuln);
-      const fixedVersion = getFixedVersion(vuln, pkg.name);
-      const summaryText = vuln.summary ? vuln.summary.replace(/\n/g, " ").trim() : `Known vulnerability in ${pkg.name}`;
-      const humanTitle = summaryText.length > 120 ? summaryText.slice(0, 117) + "..." : summaryText;
-      findings.push({
-        id: `dep-${vuln.id}`,
-        ruleId: vuln.id,
-        title: humanTitle,
-        description: `${pkg.name}@${pkg.version} \u2014 ${vuln.id}${cveAlias ? ` (${cveAlias})` : ""}. ${summaryText}`,
-        plainEnglish: `Your dependency "${pkg.name}" version ${pkg.version} has a known vulnerability (${vuln.id}). ${summaryText}`,
-        severity,
-        confidence: "high",
-        source: "dependency",
-        file: pkg.lockfile,
-        line: 1,
-        snippet: `${pkg.name}@${pkg.version}`,
-        fix: {
-          description: fixedVersion ? `Upgrade ${pkg.name} to version ${fixedVersion} or later.` : `Check ${vuln.id} for remediation steps. Consider upgrading or replacing this dependency.`,
-          suggestion: fixedVersion ? `npm install ${pkg.name}@${fixedVersion}` : void 0
-        },
-        cwe: cveAlias
-      });
+      if (!vuln.id) continue;
+      matches.push({ pkg, id: vuln.id });
+      ids.add(vuln.id);
     }
   }
-  return findings;
+  if (matches.length === 0) return [];
+  const details = await fetchVulnDetails([...ids].slice(0, MAX_ENRICH));
+  return matches.map(
+    ({ pkg, id }) => buildDependencyFinding(pkg, id, details.get(id))
+  );
+}
+async function fetchVulnDetails(ids) {
+  const out = /* @__PURE__ */ new Map();
+  let cursor = 0;
+  async function worker() {
+    while (cursor < ids.length) {
+      const id = ids[cursor++];
+      if (!id) continue;
+      try {
+        const res = await fetch(`${OSV_VULN_URL}/${encodeURIComponent(id)}`);
+        if (res.ok) out.set(id, await res.json());
+      } catch {
+      }
+    }
+  }
+  const workers = Array.from(
+    { length: Math.min(ENRICH_CONCURRENCY, ids.length) },
+    () => worker()
+  );
+  await Promise.all(workers);
+  return out;
+}
+function upgradeCommand(pkg, version) {
+  switch (pkg.ecosystem) {
+    case "npm":
+      return `npm install ${pkg.name}@${version}`;
+    case "PyPI":
+      return `pip install --upgrade "${pkg.name}==${version}"`;
+    case "Go":
+      return `go get ${pkg.name}@v${version}`;
+    case "RubyGems":
+      return `bundle update ${pkg.name}`;
+    default:
+      return `Upgrade ${pkg.name} to ${version}`;
+  }
+}
+function buildDependencyFinding(pkg, id, vuln) {
+  const cveAlias = vuln?.aliases?.find((a) => a.startsWith("CVE-"));
+  const severity = vuln ? mapOsvSeverity(vuln) : "medium";
+  const fixedVersion = vuln ? getFixedVersion(vuln, pkg.name) : void 0;
+  const ref = cveAlias ?? id;
+  const summaryText = vuln?.summary ? vuln.summary.replace(/\n/g, " ").trim() : `Known vulnerability in ${pkg.name}`;
+  const humanTitle = summaryText.length > 120 ? summaryText.slice(0, 117) + "..." : summaryText;
+  return {
+    id: `dep-${id}`,
+    ruleId: id,
+    title: humanTitle,
+    description: `${pkg.name}@${pkg.version} \u2014 ${id}${cveAlias ? ` (${cveAlias})` : ""}. ${summaryText}`,
+    plainEnglish: `Your dependency "${pkg.name}" version ${pkg.version} has a known vulnerability (${ref}). ${summaryText}`,
+    severity,
+    confidence: "high",
+    source: "dependency",
+    file: pkg.lockfile,
+    line: 1,
+    snippet: `${pkg.name}@${pkg.version}`,
+    fix: {
+      description: fixedVersion ? `Upgrade ${pkg.name} to version ${fixedVersion} or later.` : `Check ${ref} for remediation steps. Consider upgrading or replacing this dependency.`,
+      suggestion: fixedVersion ? upgradeCommand(pkg, fixedVersion) : void 0
+    },
+    cwe: cveAlias
+  };
 }
 function mapOsvSeverity(vuln) {
   if (vuln.severity) {
@@ -6259,13 +7231,13 @@ function getFixedVersion(vuln, packageName) {
 }
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Map();
-  for (const finding of findings) {
-    const key = `${finding.file}:${finding.line}:${finding.ruleId}`;
+  for (const finding2 of findings) {
+    const key = `${finding2.file}:${finding2.line}:${finding2.ruleId}`;
     const existing = seen.get(key);
     if (!existing) {
-      seen.set(key, finding);
-    } else if (SEVERITY_ORDER[finding.severity] < SEVERITY_ORDER[existing.severity]) {
-      seen.set(key, finding);
+      seen.set(key, finding2);
+    } else if (SEVERITY_ORDER[finding2.severity] < SEVERITY_ORDER[existing.severity]) {
+      seen.set(key, finding2);
     }
   }
   return Array.from(seen.values()).sort(
@@ -6751,15 +7723,15 @@ async function translateFindings(findings, apiKey, platform) {
   for (const { start, translations } of batchResults) {
     const translationMap = new Map(translations.map((t) => [t.id, t]));
     for (let j = start; j < Math.min(start + batchSize, translated.length); j++) {
-      const finding = translated[j];
-      if (!finding) continue;
-      const t = translationMap.get(finding.id);
+      const finding2 = translated[j];
+      if (!finding2) continue;
+      const t = translationMap.get(finding2.id);
       if (t) {
         translated[j] = {
-          ...finding,
+          ...finding2,
           plainEnglish: t.plainEnglish,
           fix: {
-            ...finding.fix,
+            ...finding2.fix,
             description: t.fixDescription
           }
         };
@@ -6822,45 +7794,21 @@ function detectPlatform(files) {
     if (lower.endsWith("package.json") && content.includes("lovable-tagger")) {
       signals.lovable.push("lovable-tagger in package.json");
     }
-    if (content.includes("lovable") && /\/\*.*lovable.*\*\//i.test(content)) {
-      signals.lovable.push("lovable comment in source");
-    }
     if (lower.includes(".lovable") || lower.includes("lovable.config")) {
       signals.lovable.push("lovable config file");
     }
     if (lower.includes(".bolt/") || lower.includes(".bolt\\")) {
       signals.bolt.push(".bolt/ directory detected");
     }
-    if (lower.endsWith("package.json") && (content.includes("@bolt") || content.includes("bolt-"))) {
-      signals.bolt.push("bolt dependency in package.json");
-    }
-    if (/\/[/*].*bolt\.new/i.test(content)) {
-      signals.bolt.push("bolt.new reference in source");
-    }
     if (lower.endsWith(".cursorrules") || lower.endsWith(".cursorignore")) {
       signals.cursor.push(".cursorrules file detected");
     }
-    if (/\/[/*].*cursor/i.test(content) && lower.endsWith(".ts")) {
-      signals.cursor.push("cursor reference in source");
-    }
     if (lower.includes(".v0/") || lower.includes(".v0\\")) {
       signals.v0.push(".v0/ directory detected");
     }
-    if (content.includes("v0.dev") || content.includes("@v0/")) {
-      signals.v0.push("v0.dev reference in source");
-    }
-    if (lower.endsWith("package.json") && content.includes('"v0"')) {
-      signals.v0.push("v0 dependency in package.json");
-    }
     if (lower.includes("base44.config") || lower.includes(".base44")) {
       signals.base44.push("base44 config file");
     }
-    if (/from\s+['"]@?base44\b/i.test(content) || /require\s*\(\s*['"]@?base44\b/i.test(content)) {
-      signals.base44.push("base44 SDK import in source");
-    }
-    if (/https?:\/\/[^"'\s]*base44\.app/i.test(content)) {
-      signals.base44.push("base44.app URL in source");
-    }
   }
   const scores = Object.entries(signals).filter(([key]) => key !== "manual").map(([platform, sigs]) => ({
     platform,
@@ -6893,9 +7841,9 @@ function computeSummary(findings, files) {
     llm: 0,
     dependency: 0
   };
-  for (const finding of findings) {
-    bySeverity[finding.severity]++;
-    bySource[finding.source]++;
+  for (const finding2 of findings) {
+    bySeverity[finding2.severity]++;
+    bySource[finding2.source]++;
   }
   return {
     total: findings.length,
@@ -7005,6 +7953,95 @@ async function scan(config, onProgress) {
     ...warnings.length > 0 ? { warnings } : {}
   };
 }
+async function fetchStatus(fetchImpl, url, init, timeoutMs) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, { ...init, signal: controller.signal });
+    return res.status;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function classify(status) {
+  if (status === null) return "unverifiable";
+  if (status === 200) return "live";
+  if (status === 401 || status === 403) return "revoked";
+  return "unverifiable";
+}
+var PROVIDER_VALIDATORS = [
+  {
+    id: "openai",
+    name: "OpenAI",
+    extract: (t) => t.match(/sk-(?:proj-)?[A-Za-z0-9_-]{20,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.openai.com/v1/models", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "stripe",
+    name: "Stripe",
+    extract: (t) => t.match(/(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.stripe.com/v1/balance", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "github",
+    name: "GitHub",
+    extract: (t) => t.match(/gh[posru]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(
+        f,
+        "https://api.github.com/user",
+        { headers: { Authorization: `Bearer ${value}`, "User-Agent": "ShipSafe-Validator" } },
+        ms
+      )
+    )
+  },
+  {
+    id: "sendgrid",
+    name: "SendGrid",
+    extract: (t) => t.match(/SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.sendgrid.com/v3/scopes", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "gitlab",
+    name: "GitLab",
+    extract: (t) => t.match(/glpat-[A-Za-z0-9_-]{20}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(await fetchStatus(f, "https://gitlab.com/api/v4/user", { headers: { "PRIVATE-TOKEN": value } }, ms))
+  },
+  {
+    id: "slack",
+    name: "Slack",
+    extract: (t) => t.match(/xox[baprs]-[A-Za-z0-9-]{10,}/)?.[0] ?? null,
+    // auth.test is read-only; Slack returns {ok:true|false} regardless of HTTP 200.
+    check: async (value, f, ms) => {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), ms);
+      try {
+        const res = await f("https://slack.com/api/auth.test", {
+          method: "POST",
+          headers: { Authorization: `Bearer ${value}` },
+          signal: controller.signal
+        });
+        const body = await res.json().catch(() => null);
+        if (body?.ok === true) return "live";
+        if (body?.ok === false) return "revoked";
+        return "unverifiable";
+      } catch {
+        return "unverifiable";
+      } finally {
+        clearTimeout(timer);
+      }
+    }
+  }
+];
+var VALIDATOR_BY_ID = new Map(PROVIDER_VALIDATORS.map((v) => [v.id, v]));
 
 // src/lib/file-collector.ts
 import { readdirSync, readFileSync, statSync, existsSync } from "fs";
@@ -7424,23 +8461,22 @@ async function loginCommand(options) {
           const profile = await fetchProfile(apiUrl, pollData.token);
           if (profile) {
             tokenData.tier = profile.tier;
-            tokenData.cliTier = profile.cliTier;
             tokenData.aiQuota = profile.aiQuota;
           }
           storeToken(tokenData);
           pollSpinner.succeed(
             chalk3.green(`Logged in as ${chalk3.bold(pollData.email)}`)
           );
-          if (profile?.cliTier) {
+          if (profile?.tier && profile.tier !== "free") {
             console.log(
               chalk3.cyan(
-                `  CLI plan: ${profile.cliTier} (${profile.aiQuota.remaining} AI scans remaining)`
+                `  Plan: ${profile.tier} (${profile.aiQuota.remaining} AI scans remaining)`
               )
             );
           } else {
             console.log(
               chalk3.dim(
-                "  No CLI plan. Upgrade at ship-safe.co/pricing for AI-powered scanning."
+                "  Free plan. Upgrade at ship-safe.co/pricing for AI-powered scanning."
               )
             );
           }
@@ -7514,20 +8550,17 @@ async function whoamiCommand(options) {
     storeToken({
       ...token,
       tier: profile.tier,
-      cliTier: profile.cliTier,
       aiQuota: profile.aiQuota
     });
     spinner.stop();
     console.log(chalk3.bold("\nShipSafe Account\n"));
-    console.log(`  Email:    ${chalk3.cyan(profile.email)}`);
-    console.log(`  Web tier: ${chalk3.cyan(profile.tier)}`);
-    if (profile.cliTier) {
-      console.log(`  CLI plan: ${chalk3.green(profile.cliTier)}`);
+    console.log(`  Email: ${chalk3.cyan(profile.email)}`);
+    console.log(`  Plan:  ${chalk3.cyan(profile.tier)}`);
+    if (profile.tier && profile.tier !== "free") {
       console.log(
         `  AI scans: ${chalk3.cyan(`${profile.aiQuota.used}/${profile.aiQuota.limit}`)} used this month (${chalk3.green(`${profile.aiQuota.remaining}`)} remaining)`
       );
     } else {
-      console.log(`  CLI plan: ${chalk3.dim("none")}`);
       console.log(
         chalk3.dim("  Upgrade at ship-safe.co/pricing for AI-powered scanning.")
       );
@@ -7536,8 +8569,8 @@ async function whoamiCommand(options) {
   } else {
     spinner.stop();
     console.log(chalk3.green(`Logged in as ${chalk3.bold(token.email)}`));
-    if (token.cliTier) {
-      console.log(chalk3.cyan(`  CLI plan: ${token.cliTier}`));
+    if (token.tier) {
+      console.log(chalk3.cyan(`  Plan: ${token.tier}`));
     }
   }
 }
@@ -7771,7 +8804,7 @@ async function scanCommand(targetPath, options) {
   spinner.succeed(
     chalk5.green(`Scan complete \u2014 ${result.findings.length} findings in ${result.durationMs}ms`)
   );
-  if (tokenData?.cliTier) {
+  if (tokenData && isPaidTier(tokenData.tier)) {
     const aiSpinner = ora2({
       text: chalk5.dim("Running AI-powered deep analysis... (this may take 1-3 minutes)"),
       color: "yellow",
@@ -7905,6 +8938,12 @@ async function scanCommand(targetPath, options) {
   const diff = diffWithPrevious(resolvedPath, result.findings);
   saveScanHistory(resolvedPath, result.findings);
   const isLoggedIn = !!getStoredToken();
+  if (options.sarifFile) {
+    writeFileSync4(options.sarifFile, formatSarifOutput(result), "utf-8");
+  }
+  if (options.jsonFile) {
+    writeFileSync4(options.jsonFile, formatJsonOutput(result), "utf-8");
+  }
   switch (options.output) {
     case "json":
       console.log(formatJsonOutput(result));
@@ -8133,21 +9172,67 @@ function initCommand() {
   console.log(chalk6.green("Created .shipsafe.yml configuration file."));
 }
 
+// src/commands/false-positive.ts
+import { readFileSync as readFileSync6, existsSync as existsSync7 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
+import chalk7 from "chalk";
+var TOKEN_FILE2 = join5(homedir4(), ".shipsafe", "token.json");
+async function falsePositiveCommand(ruleId, options) {
+  if (!existsSync7(TOKEN_FILE2)) {
+    console.error(chalk7.red("Not logged in. Run `shipsafe login` first."));
+    process.exitCode = 1;
+    return;
+  }
+  let token;
+  try {
+    token = JSON.parse(readFileSync6(TOKEN_FILE2, "utf-8")).token;
+    if (!token) throw new Error("no token");
+  } catch {
+    console.error(chalk7.red("Couldn't read your login token. Run `shipsafe login` again."));
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const res = await fetch(`${options.apiUrl}/api/cli/false-positive`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
+      body: JSON.stringify({
+        ruleId,
+        filePath: options.file,
+        lineNumber: options.line ? parseInt(options.line, 10) : void 0,
+        reason: options.reason,
+        surface: "cli"
+      })
+    });
+    if (!res.ok) {
+      const msg = await res.json().then((b) => b?.error).catch(() => null);
+      console.error(chalk7.red(`Couldn't report: ${msg || `HTTP ${res.status}`}`));
+      process.exitCode = 1;
+      return;
+    }
+    console.log(chalk7.green(`\u2713 Reported ${ruleId} as a false positive. Thanks \u2014 this helps ShipSafe tune the rule.`));
+  } catch (e) {
+    console.error(chalk7.red(`Couldn't reach ShipSafe: ${e instanceof Error ? e.message : "network error"}`));
+    process.exitCode = 1;
+  }
+}
+
 // src/index.ts
 function getVersion() {
   try {
     let dir = dirname(fileURLToPath(import.meta.url));
     for (let i = 0; i < 5; i++) {
       try {
-        const pkg = JSON.parse(readFileSync6(join5(dir, "package.json"), "utf-8"));
-        if (pkg.name === "@ship-safe/cli") return pkg.version;
+        const pkg = JSON.parse(readFileSync7(join6(dir, "package.json"), "utf-8"));
+        if (pkg.version) return pkg.version;
       } catch {
       }
       dir = dirname(dir);
     }
   } catch {
   }
-  return "1.1.11";
+  return "0.0.0-dev";
 }
 function validateApiUrl(value) {
   let parsed;
@@ -8167,7 +9252,7 @@ program.command("scan").description("Scan a directory or file for security vulne
   new Option("-o, --output <format>", "Output format: table, json, sarif").choices(["table", "json", "sarif"]).default("table")
 ).addOption(
   new Option("-s, --severity <level>", "Minimum severity: critical, high, medium, low").choices(["critical", "high", "medium", "low"]).default("low")
-).option("--ci", "CI mode: exit code 1 on high/critical findings", false).option("--upload", "Upload results to your ShipSafe dashboard", false).option(
+).option("--ci", "CI mode: exit code 1 on high/critical findings", false).option("--upload", "Upload results to your ShipSafe dashboard", false).option("--sarif-file <path>", "Also write SARIF output to a file (for CI / GitHub Action)").option("--json-file <path>", "Also write JSON output to a file (for CI / GitHub Action)").option(
   "--api-url <url>",
   "API URL for ShipSafe server",
   validateApiUrl,
@@ -8189,4 +9274,10 @@ program.command("whoami").description("Show current login status and plan info")
 ).action(whoamiCommand);
 program.command("ignore").description("Suppress a rule in future scans").argument("<rule-id>", "Rule ID to ignore (e.g. secrets/generic-api-key)").option("-r, --reason <reason>", "Why this rule is being suppressed").action(ignoreCommand);
 program.command("unignore").description("Re-enable a previously suppressed rule").argument("<rule-id>", "Rule ID to unignore").action(unignoreCommand);
+program.command("false-positive").description("Report a finding as a false positive to ShipSafe (helps tune the rule)").argument("<rule-id>", "Rule ID to report (e.g. secrets/generic-api-key)").option("-f, --file <path>", "File the finding was reported on").option("-l, --line <number>", "Line number of the finding").option("-r, --reason <reason>", "Why it's a false positive").option(
+  "--api-url <url>",
+  "API URL for ShipSafe server",
+  validateApiUrl,
+  "https://ship-safe.co"
+).action(falsePositiveCommand);
 program.parse();