agent-security-lens 0.1.0

package/src/intelligence/finding-context.mjs

@@ -0,0 +1,180 @@
+export const EXPOSURE_CONTEXT_WEIGHTS = {
+  runtime_exposure: 1,
+  install_exposure: 0.85,
+  supply_chain_exposure: 0.35,
+  documented_optional_capability: 0.45,
+  repository_maintenance_activity: 0
+};
+
+const MANIFEST_NAMES = new Set([
+  "package.json",
+  "package-lock.json",
+  "pnpm-lock.yaml",
+  "yarn.lock",
+  "pyproject.toml",
+  "requirements.txt",
+  "poetry.lock",
+  "uv.lock",
+  "server.json",
+  "mcp.json",
+  "mcp.yaml",
+  "mcp.yml",
+  "manifest.json"
+]);
+
+function normalizedPath(path = "") {
+  return String(path).replaceAll("\\", "/").toLowerCase();
+}
+
+function fileName(path = "") {
+  return normalizedPath(path).split("/").at(-1) || "";
+}
+
+function isDocumentation(path) {
+  return /\.(?:md|mdx|rst|txt)$/i.test(path);
+}
+
+function isInstallPath(path) {
+  return /(?:^|\/)(?:install|setup|bootstrap|entrypoint)(?:[._-]|\/|$)/i.test(path)
+    || /(?:install|setup|bootstrap)\.(?:sh|ps1|py|js|mjs|cjs|ts)$/i.test(path);
+}
+
+function isMaintenancePath(path) {
+  return /(?:^|\/)\.github\/(?:workflows|actions)\//i.test(path)
+    || /(?:^|\/)(?:release|publish)(?:[._-]|\/)/i.test(path);
+}
+
+function actionableInstallLine(line = "") {
+  return /\b(?:curl|wget|invoke-webrequest)\b[^\r\n|;]*(?:\||;).*\b(?:sh|bash|zsh|powershell|python|node)\b/i.test(line)
+    || /\b(?:npx\s+-y|uvx|pipx\s+run|pip\s+install|npm\s+install|pnpm\s+add|yarn\s+add)\b/i.test(line);
+}
+
+export function classifyFindingContext({ path = "", line = "", ruleId = "", signal = "" } = {}) {
+  const normalized = normalizedPath(path);
+  const name = fileName(path);
+
+  if (isMaintenancePath(normalized)) {
+    return {
+      context: "repository_maintenance_activity",
+      weight: EXPOSURE_CONTEXT_WEIGHTS.repository_maintenance_activity,
+      rationale: "The finding is in repository CI, release or publishing automation rather than installed component runtime."
+    };
+  }
+
+  if (isInstallPath(normalized)) {
+    return {
+      context: "install_exposure",
+      weight: EXPOSURE_CONTEXT_WEIGHTS.install_exposure,
+      rationale: "The finding is in an installation, setup or bootstrap entrypoint."
+    };
+  }
+
+  if (/(?:^|\/)(?:examples?|tests?|test|fixtures?|docs?\/scripts)\//i.test(normalized)
+    || /(?:^|\/)\.github\/skills?\//i.test(normalized)) {
+    return {
+      context: "documented_optional_capability",
+      weight: EXPOSURE_CONTEXT_WEIGHTS.documented_optional_capability,
+      rationale: "The finding is in an example, test, fixture or optional bundled Skill rather than the default runtime path."
+    };
+  }
+
+  if (MANIFEST_NAMES.has(name)) {
+    const installSurface =
+      signal === "remote-code-install"
+      || /\b(?:runtimehint|bin|postinstall|preinstall|install)\b/i.test(line);
+    return {
+      context: installSurface ? "install_exposure" : "supply_chain_exposure",
+      weight: installSurface
+        ? EXPOSURE_CONTEXT_WEIGHTS.install_exposure
+        : EXPOSURE_CONTEXT_WEIGHTS.supply_chain_exposure,
+      rationale: installSurface
+        ? "The manifest declares an installation or executable entrypoint."
+        : "The finding is dependency or package metadata and does not by itself prove runtime access."
+    };
+  }
+
+  if (isDocumentation(normalized)) {
+    if (ruleId === "repo-instruction-override" || signal === "prompt-injection-pattern") {
+      return {
+        context: "runtime_exposure",
+        weight: EXPOSURE_CONTEXT_WEIGHTS.runtime_exposure,
+        rationale: "Instruction override text is consumed by an Agent at runtime."
+      };
+    }
+    if (actionableInstallLine(line) || signal === "remote-code-install") {
+      return {
+        context: "install_exposure",
+        weight: EXPOSURE_CONTEXT_WEIGHTS.install_exposure,
+        rationale: "The documentation contains an actionable install command."
+      };
+    }
+    return {
+      context: "documented_optional_capability",
+      weight: EXPOSURE_CONTEXT_WEIGHTS.documented_optional_capability,
+      rationale: "The documentation declares a capability or example that may not be enabled in every run."
+    };
+  }
+
+  if (/^(?:dockerfile|docker-compose\.ya?ml)$/i.test(name)) {
+    return {
+      context: "install_exposure",
+      weight: EXPOSURE_CONTEXT_WEIGHTS.install_exposure,
+      rationale: "The finding is part of the component build or deployment surface."
+    };
+  }
+
+  return {
+    context: "runtime_exposure",
+    weight: EXPOSURE_CONTEXT_WEIGHTS.runtime_exposure,
+    rationale: "The finding is in executable component source or runtime configuration."
+  };
+}
+
+export function contextualizeFindings(findings = []) {
+  return findings.map((finding) => {
+    const classification = classifyFindingContext({
+      path: finding.evidence?.path,
+      line: finding.evidence?.preview,
+      ruleId: finding.rule_id,
+      signal: finding.risk_signal
+    });
+    return {
+      ...finding,
+      exposure_context: classification.context,
+      context_weight: classification.weight,
+      context_rationale: classification.rationale,
+      effective_confidence: Number((Number(finding.confidence || 0) * classification.weight).toFixed(3))
+    };
+  });
+}
+
+export function summarizeFindingContexts(findings = []) {
+  const contexts = {};
+  const signalContexts = {};
+  for (const finding of findings) {
+    const context = finding.exposure_context || "runtime_exposure";
+    contexts[context] ||= { finding_count: 0, signals: [] };
+    contexts[context].finding_count += 1;
+    contexts[context].signals.push(finding.risk_signal);
+    signalContexts[finding.risk_signal] ||= [];
+    signalContexts[finding.risk_signal].push(context);
+  }
+  for (const item of Object.values(contexts)) item.signals = [...new Set(item.signals)];
+  for (const [signal, values] of Object.entries(signalContexts)) {
+    signalContexts[signal] = [...new Set(values)];
+  }
+  const effectiveFindings = findings.filter((finding) =>
+    !["repository_maintenance_activity", "supply_chain_exposure"].includes(finding.exposure_context)
+  );
+  return {
+    contexts,
+    signal_contexts: signalContexts,
+    observed_signals: [...new Set(findings.map((item) => item.risk_signal))],
+    effective_risk_signals: [...new Set(effectiveFindings.map((item) => item.risk_signal))],
+    non_runtime_observations: [...new Set(
+      findings
+        .filter((finding) => ["repository_maintenance_activity", "supply_chain_exposure"].includes(finding.exposure_context))
+        .map((item) => item.risk_signal)
+    )]
+  };
+}

package/src/intelligence/safety-score-v0.2.mjs

@@ -0,0 +1,294 @@
+const EXPOSURE_POINTS = {
+  "remote-code-install": 24,
+  "shell-execution": 20,
+  "subprocess-spawn": 20,
+  "dynamic-code-execution": 20,
+  "credential-access": 18,
+  "filesystem-write": 15,
+  "filesystem-read": 10,
+  "browser-access": 15,
+  "database-access": 15,
+  "data-retention": 12,
+  "network-access": 12,
+  "external-api": 12,
+  webhook: 12,
+  "remote-mcp-endpoint": 12,
+  "background-execution": 10,
+  "scheduled-trigger": 10,
+  "workflow-automation": 10,
+  "multi-agent-delegation": 10,
+  "tool-chaining": 8,
+  "third-party-integration": 8,
+  "hidden-instruction": 18,
+  "override-rules": 18,
+  "ignore-safety": 18,
+  "prompt-injection-pattern": 14,
+  "repository-write": 14,
+  "message-write": 10,
+  "unknown-source": 12,
+  "catalog-unreviewed": 8
+};
+
+const CONTROL_POINTS = {
+  "sandbox-or-container": 18,
+  "workspace-scope": 14,
+  "read-only-mode": 14,
+  "command-confirmation": 14,
+  "scoped-credentials": 14,
+  "network-allowlist": 10,
+  "isolated-browser-profile": 10,
+  "audit-logging": 8,
+  "pinned-version": 8,
+  "automatic-update-disabled": 6,
+  "destructive-action-confirmation": 8
+};
+
+const CRITICAL_INCIDENT_TYPES = new Set([
+  "credential_theft",
+  "hidden_data_exfiltration",
+  "confirmed_malicious_code",
+  "unauthorized_remote_execution",
+  "backdoor"
+]);
+
+const HARD_FAILURE_SIGNALS = new Set([
+  "credential-theft-confirmed",
+  "hidden-data-exfiltration",
+  "malicious-code-confirmed",
+  "token-passthrough",
+  "known-critical-vulnerability-unmitigated",
+  "version-mismatch",
+  "destructive-action-without-confirmation"
+]);
+
+function clamp(value) {
+  return Math.max(0, Math.min(100, Math.round(value)));
+}
+
+function unique(values = []) {
+  return [...new Set(values.filter(Boolean))];
+}
+
+function evidenceGroups(known = {}) {
+  return new Map((known?.evidence || []).map((item) => [item.kind, item]));
+}
+
+function sourceRecords(known = {}) {
+  return evidenceGroups(known).get("source")?.records || [];
+}
+
+function technicalScan(known = {}) {
+  return evidenceGroups(known).get("technical_scan")?.scan || null;
+}
+
+function qualityReview(known = {}) {
+  return evidenceGroups(known).get("independent_quality_review")?.review || null;
+}
+
+function hasCommunityEvidence(records = []) {
+  return records.some((item) => [
+    "github_issues_api",
+    "github_issues_page",
+    "hacker_news_search_api",
+    "community_report",
+    "community_signal",
+    "security_advisory"
+  ].includes(item.source_type));
+}
+
+function controlsFrom(input = {}, known = null) {
+  const explicit = [
+    ...(input.applied_controls || []),
+    ...(input.security_controls || []),
+    ...(known?.verified_controls || [])
+  ];
+  if (input.exact_version || input.commit_sha || input.package_digest) explicit.push("pinned-version");
+  if (input.sandboxed === true || input.containerized === true) explicit.push("sandbox-or-container");
+  if (input.read_only === true) explicit.push("read-only-mode");
+  if (input.user_confirmation_for_commands === true) explicit.push("command-confirmation");
+  if (input.scoped_credentials === true) explicit.push("scoped-credentials");
+  if (input.network_allowlist === true) explicit.push("network-allowlist");
+  if (input.isolated_browser_profile === true) explicit.push("isolated-browser-profile");
+  return unique(explicit);
+}
+
+function contextWeightForSignal(signal, known = null) {
+  const contexts = known?.signal_contexts?.[signal] || [];
+  if (!contexts.length) return 1;
+  const weights = {
+    runtime_exposure: 1,
+    install_exposure: 0.85,
+    supply_chain_exposure: 0.35,
+    documented_optional_capability: 0.45,
+    repository_maintenance_activity: 0
+  };
+  return Math.max(...contexts.map((context) => weights[context] ?? 1));
+}
+
+function exposureDimension(risks = [], known = null) {
+  const applied = unique(risks).map((signal) => ({
+    signal,
+    context_weight: contextWeightForSignal(signal, known),
+    points: Math.round((EXPOSURE_POINTS[signal] || 6) * contextWeightForSignal(signal, known))
+  }));
+  return {
+    score: clamp(applied.reduce((sum, item) => sum + item.points, 0)),
+    applied
+  };
+}
+
+function controlDimension(input = {}, known = null) {
+  const controls = controlsFrom(input, known);
+  const applied = controls.map((control) => ({
+    control,
+    points: CONTROL_POINTS[control] || 4
+  }));
+  return {
+    score: clamp(applied.reduce((sum, item) => sum + item.points, 0)),
+    applied,
+    verified_only: true
+  };
+}
+
+function supplyChainDimension(input = {}, known = null) {
+  const records = sourceRecords(known);
+  const repository = records.find((item) => item.source_type === "github_repository_api")?.facts || {};
+  const release = records.find((item) => item.source_type === "github_release_api")?.facts || {};
+  const checks = [];
+  const sourceUrl = input.source_url || known?.source_url || "";
+  if (String(sourceUrl).startsWith("https://")) checks.push({ id: "canonical-https-source", points: 10 });
+  if (repository.license) checks.push({ id: "license-disclosed", points: 10 });
+  if (repository.pushed_at && Date.now() - Date.parse(repository.pushed_at) <= 90 * 86_400_000) {
+    checks.push({ id: "recent-maintenance", points: 15 });
+  }
+  if (release.latest_release) checks.push({ id: "published-release", points: 15 });
+  if (input.exact_version || input.commit_sha || input.package_digest) checks.push({ id: "install-artifact-pinned", points: 15 });
+  if (Number(repository.stars || known?.stars || 0) >= 100) checks.push({ id: "community-adoption-auxiliary", points: 5 });
+  if (known?.trust_signals?.includes("transparent-permissions")) checks.push({ id: "permissions-documented", points: 10 });
+  if (known?.trust_signals?.includes("signed-release-or-pinned-version")) checks.push({ id: "signed-or-pinned-release", points: 10 });
+  if (known?.intelligence_state === "strict_reviewed") checks.push({ id: "asl-source-review-complete", points: 10 });
+  if (repository.archived) checks.push({ id: "repository-archived", points: -20 });
+  return { score: clamp(checks.reduce((sum, item) => sum + item.points, 0)), applied: checks };
+}
+
+function evidenceDimension(known = null) {
+  if (!known) return { score: 0, checks: [], review_level: "L0_discovered" };
+  const groups = evidenceGroups(known);
+  const records = sourceRecords(known);
+  const scan = technicalScan(known);
+  const quality = qualityReview(known);
+  const checks = [];
+  if (known.source_url) checks.push({ id: "canonical-source", points: 15 });
+  if (records.some((item) => item.source_type === "github_release_api" && item.facts?.latest_release)) {
+    checks.push({ id: "version-or-release-evidence", points: 10 });
+  }
+  if (records.length >= 2) checks.push({ id: "multiple-structured-sources", points: 15 });
+  if (Number(scan?.files_scanned || 0) >= 1) checks.push({ id: "file-level-static-scan", points: 20 });
+  if (hasCommunityEvidence(records)) checks.push({ id: "community-source-check", points: 10 });
+  if (quality?.passed === true) checks.push({ id: "independent-recalculation", points: 15 });
+  if ((scan?.findings || []).some((item) => item.evidence?.sha)) checks.push({ id: "reproducible-source-reference", points: 5 });
+  if (known.runtime_validation?.passed === true) checks.push({ id: "runtime-sandbox-validation", points: 10 });
+  const score = clamp(checks.reduce((sum, item) => sum + item.points, 0));
+  const reviewLevel =
+    known.continuous_monitoring?.active === true && score >= 90
+      ? "L4_continuously_monitored"
+      : known.runtime_validation?.passed === true && score >= 85
+        ? "L3_runtime_validated"
+        : known.intelligence_state === "strict_reviewed" && score >= 80
+          ? "L2_evidence_reviewed"
+          : score >= 30
+            ? "L1_auto_assessed"
+            : "L0_discovered";
+  return { score, checks, review_level: reviewLevel };
+}
+
+function incidentDimension(input = {}, known = null) {
+  const incidents = [...(known?.incidents || []), ...(input.incidents || [])];
+  const scored = incidents.map((incident) => {
+    const reliability = Number(incident.evidence_reliability ?? incident.source_reliability ?? 0.5);
+    const severity = Number(incident.severity_score ?? 50);
+    const resolutionFactor = incident.resolution === "fixed" ? 0.25 : incident.resolution === "mitigated" ? 0.5 : 1;
+    const corroboration = incident.status === "confirmed" ? 1 : incident.status === "corroborated" ? 0.8 : 0.45;
+    return {
+      id: incident.id || incident.claim_type || "incident",
+      claim_type: incident.claim_type || "unknown",
+      score: clamp(severity * reliability * resolutionFactor * corroboration),
+      confirmed_critical:
+        incident.status === "confirmed" &&
+        incident.resolution !== "fixed" &&
+        CRITICAL_INCIDENT_TYPES.has(incident.claim_type)
+    };
+  });
+  return {
+    score: scored.length ? Math.max(...scored.map((item) => item.score)) : 0,
+    incidents: scored,
+    auxiliary_sentiment_only: true
+  };
+}
+
+function hardFailures(risks = [], incident = {}) {
+  const failures = unique(risks.filter((signal) => HARD_FAILURE_SIGNALS.has(signal)));
+  if (incident.incidents?.some((item) => item.confirmed_critical)) failures.push("confirmed-critical-security-incident");
+  return unique(failures);
+}
+
+function requiredControls(risks = []) {
+  const controls = [];
+  if (risks.some((risk) => ["shell-execution", "subprocess-spawn", "remote-code-install", "dynamic-code-execution"].includes(risk))) {
+    controls.push("sandbox-or-container", "command-confirmation", "pinned-version");
+  }
+  if (risks.includes("filesystem-write")) controls.push("workspace-scope");
+  if (risks.includes("credential-access")) controls.push("scoped-credentials");
+  if (risks.includes("network-access")) controls.push("network-allowlist");
+  if (risks.includes("browser-access")) controls.push("isolated-browser-profile");
+  if (risks.some((risk) => ["background-execution", "scheduled-trigger", "workflow-automation"].includes(risk))) {
+    controls.push("audit-logging", "automatic-update-disabled");
+  }
+  return unique(controls);
+}
+
+export function evaluateComponentSafety({ risks = [], known = null, input = {} }) {
+  const exposure = exposureDimension(risks, known);
+  const controls = controlDimension(input, known);
+  const supplyChain = supplyChainDimension(input, known);
+  const evidence = evidenceDimension(known);
+  const incident = incidentDimension(input, known);
+  const failures = hardFailures(risks, incident);
+  const required = requiredControls(risks);
+  const appliedControlIds = new Set(controls.applied.map((item) => item.control));
+  const missingControls = required.filter((control) => !appliedControlIds.has(control));
+  const residualRisk = clamp(exposure.score * (1 - controls.score / 125) + incident.score * 0.45);
+  const contextSafetyScore = clamp(
+    (100 - exposure.score) * 0.25 +
+    controls.score * 0.3 +
+    supplyChain.score * 0.25 +
+    evidence.score * 0.2 -
+    incident.score * 0.35
+  );
+
+  let decision = "allow_with_restrictions";
+  if (failures.length || incident.score >= 80) decision = "avoid";
+  else if (known?.intelligence_state !== "strict_reviewed" || evidence.score < 80) decision = "ask_user";
+  else if (residualRisk >= 55 || (exposure.score >= 60 && controls.score < 50)) decision = "ask_user";
+  else if (residualRisk <= 20 && controls.score >= 60 && supplyChain.score >= 65) decision = "allow";
+
+  return {
+    standard: "ASL Agent Component Safety Standard",
+    model_version: "asl-safety-standard@0.2.0",
+    context_safety_score: contextSafetyScore,
+    dimensions: {
+      exposure_risk: exposure,
+      control_strength: controls,
+      supply_chain_trust: supplyChain,
+      evidence_confidence: evidence,
+      incident_risk: incident
+    },
+    residual_risk: residualRisk,
+    decision,
+    hard_failures: failures,
+    required_controls: required,
+    missing_controls: missingControls,
+    scoring_disclosure:
+      "The score evaluates this installation context. Powerful capabilities are exposure, not proof of malicious intent."
+  };
+}

package/src/observations/json-observations.mjs

@@ -0,0 +1,211 @@
+import { readFile } from "node:fs/promises";
+
+function isJsonLike(path) {
+  return path.endsWith(".json") || path.endsWith(".jsonc");
+}
+
+function makeObservation({ type, file, jsonPath, value, severityHint = "medium" }) {
+  return {
+    type,
+    path: file.relative_path,
+    json_path: jsonPath,
+    line: file.resolve_json_line ? file.resolve_json_line(jsonPath) : 1,
+    value,
+    severity_hint: severityHint
+  };
+}
+
+function pathSegments(jsonPath) {
+  if (jsonPath === "$") return [];
+  const normalized = jsonPath
+    .replace(/^\$\./, "")
+    .replace(/\[(\d+)\]/g, ".$1");
+  return normalized.split(".").filter(Boolean);
+}
+
+function buildJsonLineIndex(content) {
+  const index = new Map();
+  const stack = [];
+  const lines = content.split(/\r?\n/);
+
+  index.set("$", 1);
+
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    const arrayItemMatch = line.match(/^\s*\{/);
+    if (arrayItemMatch && stack.length) {
+      const parentPath = ["$", ...stack.map((item) => item.key)].join(".");
+      if (!index.has(`${parentPath}.0`)) {
+        index.set(`${parentPath}.0`, i + 1);
+      }
+    }
+
+    const keyMatch = line.match(/^\s*"([^"]+)"\s*:/);
+    if (!keyMatch) continue;
+
+    const indent = line.match(/^\s*/)[0].length;
+    while (stack.length && stack[stack.length - 1].indent >= indent) {
+      stack.pop();
+    }
+
+    const key = keyMatch[1];
+    const currentPath = ["$", ...stack.map((item) => item.key), key].join(".");
+    index.set(currentPath, i + 1);
+
+    const valuePart = line.slice(line.indexOf(":") + 1).trim();
+    if (valuePart.startsWith("{") || valuePart.startsWith("[")) {
+      stack.push({ key, indent });
+    }
+
+  }
+
+  return index;
+}
+
+function findNearestLine(jsonLineIndex, jsonPath) {
+  const segments = pathSegments(jsonPath);
+  for (let end = segments.length; end >= 0; end -= 1) {
+    const candidate = end === 0 ? "$" : `$.${segments.slice(0, end).join(".")}`;
+    if (jsonLineIndex.has(candidate)) return jsonLineIndex.get(candidate);
+  }
+  return 1;
+}
+
+function walk(value, visitor, path = "$") {
+  visitor(value, path);
+  if (Array.isArray(value)) {
+    value.forEach((item, index) => walk(item, visitor, `${path}[${index}]`));
+  } else if (value && typeof value === "object") {
+    for (const [key, child] of Object.entries(value)) {
+      walk(child, visitor, `${path}.${key}`);
+    }
+  }
+}
+
+function hasAnyKey(value, keys) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  return keys.some((key) => Object.prototype.hasOwnProperty.call(value, key));
+}
+
+function extractMcpServerObservations(file, data, observations) {
+  walk(data, (value, path) => {
+    if (!value || typeof value !== "object" || Array.isArray(value)) return;
+
+    const lowerPath = path.toLowerCase();
+    const isSpecificServer = lowerPath.includes(".servers.") || lowerPath.includes(".mcpservers.");
+
+    if (hasAnyKey(value, ["command", "args"]) && lowerPath.includes("mcp") && isSpecificServer) {
+      observations.push(makeObservation({
+        type: "mcp-stdio-process",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "high"
+      }));
+    }
+
+    const type = typeof value.type === "string" ? value.type.toLowerCase() : "";
+    const url = typeof value.url === "string" ? value.url : "";
+    if ((type.includes("sse") || type.includes("http") || /^https?:\/\//i.test(url)) && lowerPath.includes("mcp") && isSpecificServer) {
+      observations.push(makeObservation({
+        type: "mcp-remote-endpoint",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "medium"
+      }));
+    }
+
+    const serialized = JSON.stringify(value).toLowerCase();
+    if (lowerPath.includes("mcp") && isSpecificServer && serialized.includes("filesystem")) {
+      observations.push(makeObservation({
+        type: "mcp-filesystem-capability",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "high"
+      }));
+    }
+  });
+}
+
+function extractRemoteTriggerObservations(file, data, observations) {
+  walk(data, (value, path) => {
+    if (!value || typeof value !== "object" || Array.isArray(value)) return;
+    const lowerPath = path.toLowerCase();
+    const serialized = JSON.stringify(value).toLowerCase();
+    const hasChannelKey = ["telegram", "discord", "slack", "feishu", "wechat", "qq", "whatsapp", "signal", "gateway", "webhook"]
+      .some((key) => lowerPath.includes(key) || serialized.includes(key));
+    const hasPolicyKey = hasAnyKey(value, ["dmPolicy", "allowFrom", "groupPolicy", "allowed_users", "webhookSecret", "botToken"]);
+
+    if (hasChannelKey && hasPolicyKey) {
+      observations.push(makeObservation({
+        type: "remote-trigger-config",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "medium"
+      }));
+    }
+  });
+}
+
+function extractScheduledObservations(file, data, observations) {
+  walk(data, (value, path) => {
+    if (!value || typeof value !== "object") return;
+    const lowerPath = path.toLowerCase();
+    const isSpecificTask = path !== "$" && (/\[(\d+)\]$/.test(path) || hasAnyKey(value, ["cron", "schedule", "prompt", "task"]));
+    const hasDirectScheduleField = hasAnyKey(value, ["cron", "schedule"]);
+    const isSchedulePath = lowerPath.includes("cron") || lowerPath.includes("scheduled") || lowerPath.includes("schedule");
+    if (isSpecificTask && (hasDirectScheduleField || (/\[(\d+)\]$/.test(path) && isSchedulePath))) {
+      observations.push(makeObservation({
+        type: "scheduled-agent-execution",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "medium"
+      }));
+    }
+  });
+}
+
+function extractCredentialObservations(file, data, observations) {
+  walk(data, (value, path) => {
+    if (typeof value !== "string") return;
+    const text = `${path} ${value}`;
+    if (/(api_key|token|secret|private_key|botToken|webhookSecret|\$\{[A-Z0-9_]*(TOKEN|SECRET|KEY)[A-Z0-9_]*\})/i.test(text)) {
+      observations.push(makeObservation({
+        type: "credential-reference",
+        file,
+        jsonPath: path,
+        value,
+        severityHint: "medium"
+      }));
+    }
+  });
+}
+
+export async function extractJsonObservations(files) {
+  const observations = [];
+
+  for (const file of files) {
+    if (!isJsonLike(file.relative_path)) continue;
+    const content = await readFile(file.path, "utf8");
+    let data;
+    try {
+      data = JSON.parse(content);
+    } catch {
+      continue;
+    }
+
+    const lineIndex = buildJsonLineIndex(content);
+    file.resolve_json_line = (jsonPath) => findNearestLine(lineIndex, jsonPath);
+
+    extractMcpServerObservations(file, data, observations);
+    extractRemoteTriggerObservations(file, data, observations);
+    extractScheduledObservations(file, data, observations);
+    extractCredentialObservations(file, data, observations);
+  }
+
+  return observations;
+}