hackmyagent 0.7.2 → 0.8.1

package/dist/semantic/structural/instruction.js

@@ -0,0 +1,167 @@
+"use strict";
+/**
+ * Agent Instruction Static Analysis (Layer 2)
+ *
+ * Analyzes CLAUDE.md, .cursorrules, .windsurfrules, .clinerules,
+ * copilot-instructions.md for security issues:
+ * - Overly permissive instructions
+ * - Exfiltration enablement
+ * - Missing security boundaries
+ * - Large attack surface
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InstructionAnalyzer = void 0;
+/** Patterns that indicate overly permissive agent instructions */
+const PERMISSIVE_PATTERNS = [
+    { pattern: /always\s+execute/i, label: '"always execute"' },
+    { pattern: /never\s+refuse/i, label: '"never refuse"' },
+    { pattern: /full\s+access/i, label: '"full access"' },
+    { pattern: /bypass\s+safety/i, label: '"bypass safety"' },
+    { pattern: /ignore\s+restrictions/i, label: '"ignore restrictions"' },
+    { pattern: /no\s+restrictions/i, label: '"no restrictions"' },
+    { pattern: /skip\s+(?:security|safety|validation)/i, label: '"skip security/safety"' },
+    { pattern: /disable\s+(?:security|safety|protection)/i, label: '"disable security"' },
+    { pattern: /without\s+(?:asking|confirmation|approval)/i, label: '"without asking"' },
+    { pattern: /unrestricted/i, label: '"unrestricted"' },
+    { pattern: /override\s+(?:safety|security|policy)/i, label: '"override safety/policy"' },
+];
+/** Patterns that could enable data exfiltration */
+const EXFILTRATION_PATTERNS = [
+    { pattern: /webhook\.site/i, label: 'webhook.site URL' },
+    { pattern: /requestbin/i, label: 'requestbin URL' },
+    { pattern: /ngrok\.io/i, label: 'ngrok tunnel' },
+    { pattern: /pipedream/i, label: 'pipedream URL' },
+    { pattern: /send\s+(?:results?|data|output|response)\s+to\s+/i, label: '"send results to" directive' },
+    { pattern: /post\s+(?:results?|data|output)\s+to\s+/i, label: '"post data to" directive' },
+    { pattern: /forward\s+(?:to|all)\s+/i, label: '"forward to" directive' },
+    { pattern: /exfiltrat/i, label: 'exfiltration reference' },
+    { pattern: /curl\s+.*-X\s*POST/i, label: 'curl POST command' },
+];
+/** Security-related terms that should be present in instruction files */
+const SECURITY_TERMS = [
+    /security/i,
+    /safe(?:ty|ly)?/i,
+    /restrict(?:ed|ion)?/i,
+    /permission/i,
+    /authoriz/i,
+    /sensitive/i,
+    /credential/i,
+    /secret/i,
+    /protect/i,
+    /boundary/i,
+    /sandbox/i,
+    /scope/i,
+];
+/** Max instruction file size before it becomes a concern */
+const LARGE_INSTRUCTION_THRESHOLD = 10 * 1024; // 10KB
+class InstructionAnalyzer {
+    analyze(files) {
+        const findings = [];
+        const instructionFiles = files.filter((f) => f.type === 'agent_instructions');
+        for (const file of instructionFiles) {
+            findings.push(...this.checkPermissiveInstructions(file));
+            findings.push(...this.checkExfiltrationEnablement(file));
+            findings.push(...this.checkMissingSecurityBoundaries(file));
+            findings.push(...this.checkLargeAttackSurface(file));
+        }
+        return findings;
+    }
+    checkPermissiveInstructions(file) {
+        const findings = [];
+        const lines = file.content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            for (const { pattern, label } of PERMISSIVE_PATTERNS) {
+                if (pattern.test(line)) {
+                    findings.push({
+                        id: 'SEM-INST-001',
+                        title: 'Overly permissive agent instruction',
+                        description: `Found ${label} pattern in ${file.path}. This instructs the agent to bypass security controls.`,
+                        rationale: 'Permissive instructions weaken agent security boundaries. If an attacker achieves prompt injection, these instructions make it easier to escalate — the agent is already told to bypass safety checks.',
+                        category: 'instruction',
+                        severity: 'high',
+                        file: file.path,
+                        line: i + 1,
+                        recommendation: 'Replace permissive instructions with specific, scoped permissions. Instead of "always execute", specify which operations are allowed and under what conditions.',
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                    break; // One finding per line
+                }
+            }
+        }
+        return findings;
+    }
+    checkExfiltrationEnablement(file) {
+        const findings = [];
+        const lines = file.content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            for (const { pattern, label } of EXFILTRATION_PATTERNS) {
+                if (pattern.test(line)) {
+                    findings.push({
+                        id: 'SEM-INST-002',
+                        title: 'Exfiltration-enabling instruction',
+                        description: `Found ${label} in ${file.path}. This could enable data exfiltration by the agent.`,
+                        rationale: 'Instructions that direct the agent to send data to external services can be exploited via prompt injection to exfiltrate sensitive data from the project.',
+                        category: 'instruction',
+                        severity: 'high',
+                        file: file.path,
+                        line: i + 1,
+                        recommendation: 'Remove external URL references from agent instructions. If external communication is needed, scope it to specific trusted domains.',
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                    break;
+                }
+            }
+        }
+        return findings;
+    }
+    checkMissingSecurityBoundaries(file) {
+        // Only flag if the file is non-trivial (>200 chars)
+        if (file.content.length < 200)
+            return [];
+        const hasSecurityTerms = SECURITY_TERMS.some((term) => term.test(file.content));
+        if (!hasSecurityTerms) {
+            return [
+                {
+                    id: 'SEM-INST-003',
+                    title: 'No security boundaries in agent instructions',
+                    description: `${file.path} contains agent instructions but no security-related guidance. The agent has no explicit security constraints.`,
+                    rationale: 'Without security boundaries, the agent relies on its default behavior which may be too permissive. Explicit security instructions help prevent prompt injection exploits.',
+                    category: 'instruction',
+                    severity: 'medium',
+                    file: file.path,
+                    recommendation: 'Add security guidance to the instruction file. Include: allowed/denied operations, file access scope, network restrictions, and how to handle sensitive data.',
+                    layer: 2,
+                    autoFixable: false,
+                },
+            ];
+        }
+        return [];
+    }
+    checkLargeAttackSurface(file) {
+        const size = Buffer.byteLength(file.content, 'utf-8');
+        if (size > LARGE_INSTRUCTION_THRESHOLD) {
+            const sizeKb = (size / 1024).toFixed(1);
+            return [
+                {
+                    id: 'SEM-INST-004',
+                    title: 'Large agent instruction file',
+                    description: `${file.path} is ${sizeKb}KB. Large instruction files increase the LLM context surface area for prompt injection.`,
+                    rationale: 'Larger instruction files provide more context for an attacker to work with during prompt injection attacks. They also increase the chance of containing sensitive information.',
+                    category: 'instruction',
+                    severity: 'low',
+                    file: file.path,
+                    recommendation: 'Review the instruction file for unnecessary content. Keep security-critical instructions concise and focused.',
+                    layer: 2,
+                    autoFixable: false,
+                },
+            ];
+        }
+        return [];
+    }
+}
+exports.InstructionAnalyzer = InstructionAnalyzer;
+//# sourceMappingURL=instruction.js.map

package/dist/semantic/structural/instruction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction.js","sourceRoot":"","sources":["../../../src/semantic/structural/instruction.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAIH,kEAAkE;AAClE,MAAM,mBAAmB,GAAG;IAC1B,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IAC3D,EAAE,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACvD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,eAAe,EAAE;IACrD,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzD,EAAE,OAAO,EAAE,wBAAwB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IACrE,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC7D,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACtF,EAAE,OAAO,EAAE,2CAA2C,EAAE,KAAK,EAAE,oBAAoB,EAAE;IACrF,EAAE,OAAO,EAAE,6CAA6C,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACrF,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACrD,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,0BAA0B,EAAE;CACzF,CAAC;AAEF,mDAAmD;AACnD,MAAM,qBAAqB,GAAG;IAC5B,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACxD,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACnD,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE;IAChD,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE;IACjD,EAAE,OAAO,EAAE,mDAAmD,EAAE,KAAK,EAAE,6BAA6B,EAAE;IACtG,EAAE,OAAO,EAAE,0CAA0C,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC1F,EAAE,OAAO,EAAE,0BAA0B,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACxE,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAC1D,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,mBAAmB,EAAE;CAC/D,CAAC;AAEF,yEAAyE;AACzE,MAAM,cAAc,GAAG;IACrB,WAAW;IACX,iBAAiB;IACjB,sBAAsB;IACtB,aAAa;IACb,WAAW;IACX,YAAY;IACZ,aAAa;IACb,SAAS;IACT,UAAU;IACV,WAAW;IACX,UAAU;IACV,QAAQ;CACT,CAAC;AAEF,4DAA4D;AAC5D,MAAM,2BAA2B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO;AAEtD,MAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAqB;QAC3B,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAoB,CACvC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;YACpC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,2BAA2B,CAAC,IAAkB;QACpD,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,mBAAmB,EAAE,CAAC;gBACrD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,qCAAqC;wBAC5C,WAAW,EAAE,SAAS,KAAK,eAAe,IAAI,CAAC,IAAI,yDAAyD;wBAC5G,SAAS,EACP,wMAAwM;wBAC1M,QAAQ,EAAE,aAAa;wBACvB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,cAAc,EACZ,iKAAiK;wBACnK,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;oBACH,MAAM,CAAC,uBAAuB;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,2BAA2B,CAAC,IAAkB;QACpD,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEtB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,qBAAqB,EAAE,CAAC;gBACvD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,SAAS,KAAK,OAAO,IAAI,CAAC,IAAI,qDAAqD;wBAChG,SAAS,EACP,2JAA2J;wBAC7J,QAAQ,EAAE,aAAa;wBACvB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,cAAc,EACZ,oIAAoI;wBACtI,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,8BAA8B,CAAC,IAAkB;QACvD,oDAAoD;QACpD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,EAAE,CAAC;QAEzC,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACpD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CACxB,CAAC;QAEF,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO;gBACL;oBACE,EAAE,EAAE,cAAc;oBAClB,KAAK,EAAE,8CAA8C;oBACrD,WAAW,EAAE,GAAG,IAAI,CAAC,IAAI,gHAAgH;oBACzI,SAAS,EACP,2KAA2K;oBAC7K,QAAQ,EAAE,aAAa;oBACvB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,cAAc,EACZ,+JAA+J;oBACjK,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;IAEO,uBAAuB,CAAC,IAAkB;QAChD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEtD,IAAI,IAAI,GAAG,2BAA2B,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACxC,OAAO;gBACL;oBACE,EAAE,EAAE,cAAc;oBAClB,KAAK,EAAE,8BAA8B;oBACrC,WAAW,EAAE,GAAG,IAAI,CAAC,IAAI,OAAO,MAAM,yFAAyF;oBAC/H,SAAS,EACP,gLAAgL;oBAClL,QAAQ,EAAE,aAAa;oBACvB,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,cAAc,EACZ,+GAA+G;oBACjH,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF;AAzID,kDAyIC"}

package/dist/semantic/structural/mcp-config.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Deep MCP Configuration Analysis (Layer 2)
+ *
+ * Parses MCP configs structurally and detects:
+ * - Overprivileged filesystem scope (/, /home, /Users)
+ * - Sandbox bypass flags (--no-sandbox, --privileged)
+ * - Secrets in args array (exposed to LLM)
+ * - Wildcard permissions
+ * - Attack chains (filesystem + shell + network = read-execute-exfiltrate)
+ * - Large attack surface (>5 servers)
+ */
+import type { SemanticFinding, AnalysisFile } from '../types';
+export declare class McpConfigAnalyzer {
+    analyze(files: AnalysisFile[]): SemanticFinding[];
+    private checkOverprivilegedScope;
+    private checkSandboxBypass;
+    private checkSecretsInArgs;
+    private checkWildcardPermissions;
+    private checkAttackChains;
+    private findLineNumber;
+}
+//# sourceMappingURL=mcp-config.d.ts.map

package/dist/semantic/structural/mcp-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-config.d.ts","sourceRoot":"","sources":["../../../src/semantic/structural/mcp-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAmB,MAAM,UAAU,CAAC;AA+D/E,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;IA+DjD,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,kBAAkB;IA2D1B,OAAO,CAAC,wBAAwB;IAmChC,OAAO,CAAC,iBAAiB;IAwDzB,OAAO,CAAC,cAAc;CAUvB"}

package/dist/semantic/structural/mcp-config.js

@@ -0,0 +1,294 @@
+"use strict";
+/**
+ * Deep MCP Configuration Analysis (Layer 2)
+ *
+ * Parses MCP configs structurally and detects:
+ * - Overprivileged filesystem scope (/, /home, /Users)
+ * - Sandbox bypass flags (--no-sandbox, --privileged)
+ * - Secrets in args array (exposed to LLM)
+ * - Wildcard permissions
+ * - Attack chains (filesystem + shell + network = read-execute-exfiltrate)
+ * - Large attack surface (>5 servers)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpConfigAnalyzer = void 0;
+/** Paths that indicate overprivileged filesystem scope */
+const OVERPRIVILEGED_PATHS = [
+    { pattern: /^\/$/, label: 'root filesystem (/)', severity: 'critical' },
+    { pattern: /^\/home\/?$/, label: '/home directory', severity: 'critical' },
+    { pattern: /^\/Users\/?$/, label: '/Users directory', severity: 'critical' },
+    { pattern: /^\/etc\/?$/, label: '/etc directory', severity: 'high' },
+    { pattern: /^\/var\/?$/, label: '/var directory', severity: 'high' },
+    { pattern: /^~\/?$/, label: 'home directory (~)', severity: 'high' },
+    { pattern: /^\/home\/[^/]+\/?$/, label: 'user home directory', severity: 'high' },
+    { pattern: /^\/Users\/[^/]+\/?$/, label: 'user home directory', severity: 'high' },
+];
+/** Sandbox bypass flags */
+const SANDBOX_BYPASS_FLAGS = [
+    '--no-sandbox',
+    '--disable-sandbox',
+    '--privileged',
+    '--disable-setuid-sandbox',
+    '--no-zygote',
+];
+/** Patterns in args that look like secrets */
+const SECRET_ARG_PATTERNS = [
+    /sk-[a-zA-Z0-9_-]{20,}/,
+    /ghp_[a-zA-Z0-9]{36}/,
+    /github_pat_/,
+    /AKIA[0-9A-Z]{16}/,
+    /Bearer\s+[a-zA-Z0-9._-]{20,}/,
+    /xox[baprs]-/,
+    /AIza[0-9A-Za-z_-]{35}/,
+];
+/** Key-name pattern for secret args */
+const SECRET_KEY_ARG = /^--(token|key|secret|password|api[-_]?key|auth|credential)$/i;
+function classifyServer(name, config) {
+    const capabilities = [];
+    const lower = [name, config.command, ...(config.args || [])].join(' ').toLowerCase();
+    if (lower.includes('filesystem') || lower.includes('fs') || lower.includes('file')) {
+        capabilities.push('filesystem');
+    }
+    if (lower.includes('shell') || lower.includes('exec') || lower.includes('bash') || lower.includes('terminal') || lower.includes('command')) {
+        capabilities.push('shell');
+    }
+    if (lower.includes('fetch') || lower.includes('http') || lower.includes('request') || lower.includes('curl') || lower.includes('network') || lower.includes('web')) {
+        capabilities.push('network');
+    }
+    if (lower.includes('postgres') || lower.includes('mysql') || lower.includes('sqlite') || lower.includes('mongo') || lower.includes('redis') || lower.includes('database') || lower.includes('db')) {
+        capabilities.push('database');
+    }
+    if (lower.includes('browser') || lower.includes('puppeteer') || lower.includes('playwright') || lower.includes('chrome') || lower.includes('selenium')) {
+        capabilities.push('browser');
+    }
+    return capabilities;
+}
+class McpConfigAnalyzer {
+    analyze(files) {
+        const findings = [];
+        for (const file of files) {
+            if (file.type !== 'mcp_config' && file.type !== 'claude_settings')
+                continue;
+            let config;
+            try {
+                config = JSON.parse(file.content);
+            }
+            catch {
+                continue;
+            }
+            const servers = config.mcpServers || {};
+            const allCapabilities = new Map();
+            for (const [serverName, serverConfig] of Object.entries(servers)) {
+                if (!serverConfig || typeof serverConfig !== 'object')
+                    continue;
+                // Track capabilities for attack chain detection
+                const caps = classifyServer(serverName, serverConfig);
+                allCapabilities.set(serverName, caps);
+                // Check overprivileged scope
+                findings.push(...this.checkOverprivilegedScope(serverName, serverConfig, file));
+                // Check sandbox bypass
+                findings.push(...this.checkSandboxBypass(serverName, serverConfig, file));
+                // Check secrets in args
+                findings.push(...this.checkSecretsInArgs(serverName, serverConfig, file));
+                // Check wildcard permissions
+                findings.push(...this.checkWildcardPermissions(serverName, serverConfig, file));
+            }
+            // Check attack chains across servers
+            findings.push(...this.checkAttackChains(allCapabilities, file));
+            // Check server count
+            const serverCount = Object.keys(servers).length;
+            if (serverCount > 5) {
+                findings.push({
+                    id: 'SEM-MCP-006',
+                    title: 'Large MCP attack surface',
+                    description: `${serverCount} MCP servers configured in ${file.path}. Each server expands the agent's capabilities and attack surface.`,
+                    rationale: 'More servers mean more capabilities the agent can be manipulated into using. Review whether all servers are necessary.',
+                    category: 'mcp-config',
+                    severity: 'info',
+                    file: file.path,
+                    recommendation: 'Review each MCP server and remove any that are not actively needed.',
+                    layer: 2,
+                    autoFixable: false,
+                });
+            }
+        }
+        return findings;
+    }
+    checkOverprivilegedScope(serverName, config, file) {
+        const findings = [];
+        const args = config.args || [];
+        for (const arg of args) {
+            for (const { pattern, label, severity } of OVERPRIVILEGED_PATHS) {
+                if (pattern.test(arg)) {
+                    const lineNum = this.findLineNumber(file.content, arg);
+                    findings.push({
+                        id: 'SEM-MCP-001',
+                        title: 'Overprivileged MCP server scope',
+                        description: `MCP server "${serverName}" has access to ${label}. This grants the agent read/write access to the entire ${label}.`,
+                        rationale: 'Overprivileged filesystem access allows the agent (or an attacker via prompt injection) to read sensitive files like SSH keys, credentials, and system configs.',
+                        category: 'mcp-config',
+                        severity,
+                        file: file.path,
+                        line: lineNum,
+                        recommendation: `Scope "${serverName}" to the project directory: replace "${arg}" with "./" or a specific subdirectory.`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                    break;
+                }
+            }
+        }
+        return findings;
+    }
+    checkSandboxBypass(serverName, config, file) {
+        const findings = [];
+        const args = config.args || [];
+        for (const arg of args) {
+            if (SANDBOX_BYPASS_FLAGS.some((flag) => arg.includes(flag))) {
+                const lineNum = this.findLineNumber(file.content, arg);
+                findings.push({
+                    id: 'SEM-MCP-002',
+                    title: 'Sandbox bypass in MCP server',
+                    description: `MCP server "${serverName}" uses sandbox bypass flag "${arg}" in ${file.path}.`,
+                    rationale: 'Sandbox bypass flags disable security boundaries that prevent the agent from accessing system resources. This significantly increases the blast radius of any compromise.',
+                    category: 'mcp-config',
+                    severity: 'high',
+                    file: file.path,
+                    line: lineNum,
+                    recommendation: `Remove the "${arg}" flag from "${serverName}" or document why sandbox bypass is required.`,
+                    layer: 2,
+                    autoFixable: false,
+                });
+            }
+        }
+        return findings;
+    }
+    checkSecretsInArgs(serverName, config, file) {
+        const findings = [];
+        const args = config.args || [];
+        for (let i = 0; i < args.length; i++) {
+            const arg = args[i];
+            // Check for known secret patterns directly in args
+            for (const pattern of SECRET_ARG_PATTERNS) {
+                if (pattern.test(arg)) {
+                    const lineNum = this.findLineNumber(file.content, arg.substring(0, 20));
+                    findings.push({
+                        id: 'SEM-MCP-003',
+                        title: 'Secret exposed in MCP server args',
+                        description: `MCP server "${serverName}" has a credential-like value in its args array in ${file.path}. Args are visible to the LLM.`,
+                        rationale: 'MCP server args are passed on the command line and visible to the LLM in tool descriptions. Secrets in args can be extracted via prompt injection. Use env block instead.',
+                        category: 'mcp-config',
+                        severity: 'critical',
+                        file: file.path,
+                        line: lineNum,
+                        recommendation: `Move the secret from args to the env block: "env": { "API_KEY": "..." } — or better, reference an environment variable.`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                    break;
+                }
+            }
+            // Check for --secret=value or --token value patterns
+            if (SECRET_KEY_ARG.test(arg) && i + 1 < args.length) {
+                const nextArg = args[i + 1];
+                if (nextArg && nextArg.length >= 8 && !nextArg.startsWith('-')) {
+                    const lineNum = this.findLineNumber(file.content, arg);
+                    findings.push({
+                        id: 'SEM-MCP-003',
+                        title: 'Secret exposed in MCP server args',
+                        description: `MCP server "${serverName}" passes "${arg}" as a command-line argument in ${file.path}.`,
+                        rationale: 'Command-line arguments are visible in process listings and to the LLM. Use environment variables instead.',
+                        category: 'mcp-config',
+                        severity: 'high',
+                        file: file.path,
+                        line: lineNum,
+                        recommendation: `Move "${arg}" value to the env block of the MCP server config.`,
+                        layer: 2,
+                        autoFixable: false,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    checkWildcardPermissions(serverName, config, file) {
+        const findings = [];
+        const checkWildcard = (field, fieldName) => {
+            if (!field)
+                return;
+            if (field.includes('*') || field.some((v) => v === '*')) {
+                findings.push({
+                    id: 'SEM-MCP-004',
+                    title: 'Wildcard permission in MCP server',
+                    description: `MCP server "${serverName}" has ${fieldName}: ["*"] in ${file.path}, granting unrestricted access.`,
+                    rationale: 'Wildcard permissions disable capability boundaries. The agent (or an attacker) can use any tool or command without restriction.',
+                    category: 'mcp-config',
+                    severity: 'high',
+                    file: file.path,
+                    recommendation: `Replace wildcard with specific allowed ${fieldName}: ["tool1", "tool2"].`,
+                    layer: 2,
+                    autoFixable: false,
+                });
+            }
+        };
+        checkWildcard(config.allowedTools, 'allowedTools');
+        checkWildcard(config.allowedCommands, 'allowedCommands');
+        return findings;
+    }
+    checkAttackChains(allCapabilities, file) {
+        const findings = [];
+        const allCaps = new Set();
+        for (const caps of allCapabilities.values()) {
+            for (const cap of caps) {
+                allCaps.add(cap);
+            }
+        }
+        // Attack chain: filesystem + shell + network = read-execute-exfiltrate
+        if (allCaps.has('filesystem') && allCaps.has('shell') && allCaps.has('network')) {
+            const fsServers = [...allCapabilities.entries()].filter(([, c]) => c.includes('filesystem')).map(([n]) => n);
+            const shellServers = [...allCapabilities.entries()].filter(([, c]) => c.includes('shell')).map(([n]) => n);
+            const netServers = [...allCapabilities.entries()].filter(([, c]) => c.includes('network')).map(([n]) => n);
+            findings.push({
+                id: 'SEM-MCP-005',
+                title: 'MCP attack chain: read-execute-exfiltrate',
+                description: `MCP servers in ${file.path} form a complete attack chain: filesystem (${fsServers.join(', ')}) + shell (${shellServers.join(', ')}) + network (${netServers.join(', ')}). An attacker could read files, execute code, and exfiltrate data.`,
+                rationale: 'When filesystem, shell, and network capabilities are all available, a prompt injection attack can read sensitive files, execute arbitrary code, and send data to an external server. This is the most dangerous MCP configuration pattern.',
+                category: 'mcp-config',
+                severity: 'high',
+                file: file.path,
+                recommendation: 'Remove at least one capability from the chain. If all three are needed, add strict scope limits to each server.',
+                layer: 2,
+                autoFixable: false,
+            });
+        }
+        // Attack chain: filesystem + network (no shell needed for data exfiltration)
+        if (allCaps.has('filesystem') && allCaps.has('network') && !allCaps.has('shell')) {
+            findings.push({
+                id: 'SEM-MCP-005',
+                title: 'MCP attack chain: read-exfiltrate',
+                description: `MCP servers in ${file.path} enable a read-exfiltrate chain: filesystem access + network access. An attacker could read files and send data externally.`,
+                rationale: 'Even without shell access, filesystem + network capabilities allow reading sensitive files and exfiltrating them via HTTP requests.',
+                category: 'mcp-config',
+                severity: 'medium',
+                file: file.path,
+                recommendation: 'Scope filesystem access to the project directory and restrict network access to specific domains.',
+                layer: 2,
+                autoFixable: false,
+            });
+        }
+        return findings;
+    }
+    findLineNumber(content, searchStr) {
+        if (!searchStr)
+            return undefined;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            if (lines[i].includes(searchStr)) {
+                return i + 1;
+            }
+        }
+        return undefined;
+    }
+}
+exports.McpConfigAnalyzer = McpConfigAnalyzer;
+//# sourceMappingURL=mcp-config.js.map

package/dist/semantic/structural/mcp-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-config.js","sourceRoot":"","sources":["../../../src/semantic/structural/mcp-config.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAIH,0DAA0D;AAC1D,MAAM,oBAAoB,GAAG;IAC3B,EAAE,OAAO,EAAE,MAAM,EAAsB,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACpG,EAAE,OAAO,EAAE,aAAa,EAAe,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAChG,EAAE,OAAO,EAAE,cAAc,EAAc,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACjG,EAAE,OAAO,EAAE,YAAY,EAAgB,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC3F,EAAE,OAAO,EAAE,YAAY,EAAgB,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC3F,EAAE,OAAO,EAAE,QAAQ,EAAoB,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC/F,EAAE,OAAO,EAAE,oBAAoB,EAAQ,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAChG,EAAE,OAAO,EAAE,qBAAqB,EAAO,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAe,EAAE;CACjG,CAAC;AAEF,2BAA2B;AAC3B,MAAM,oBAAoB,GAAG;IAC3B,cAAc;IACd,mBAAmB;IACnB,cAAc;IACd,0BAA0B;IAC1B,aAAa;CACd,CAAC;AAEF,8CAA8C;AAC9C,MAAM,mBAAmB,GAAG;IAC1B,uBAAuB;IACvB,qBAAqB;IACrB,aAAa;IACb,kBAAkB;IAClB,8BAA8B;IAC9B,aAAa;IACb,uBAAuB;CACxB,CAAC;AAEF,uCAAuC;AACvC,MAAM,cAAc,GAAG,8DAA8D,CAAC;AAKtF,SAAS,cAAc,CAAC,IAAY,EAAE,MAAuB;IAC3D,MAAM,YAAY,GAAiB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAErF,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACnF,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3I,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACnK,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAClM,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvJ,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAa,iBAAiB;IAC5B,OAAO,CAAC,KAAqB;QAC3B,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,SAAS;YAE5E,IAAI,MAA+B,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GACV,MAA2D,CAAC,UAAU,IAAI,EAAE,CAAC;YAEhF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAwB,CAAC;YAExD,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ;oBAAE,SAAS;gBAEhE,gDAAgD;gBAChD,MAAM,IAAI,GAAG,cAAc,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;gBACtD,eAAe,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBAEtC,6BAA6B;gBAC7B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC;gBAEhF,uBAAuB;gBACvB,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC;gBAE1E,wBAAwB;gBACxB,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC;gBAE1E,6BAA6B;gBAC7B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC;YAClF,CAAC;YAED,qCAAqC;YACrC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC,CAAC;YAEhE,qBAAqB;YACrB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAChD,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,aAAa;oBACjB,KAAK,EAAE,0BAA0B;oBACjC,WAAW,EAAE,GAAG,WAAW,8BAA8B,IAAI,CAAC,IAAI,oEAAoE;oBACtI,SAAS,EACP,wHAAwH;oBAC1H,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,cAAc,EAAE,qEAAqE;oBACrF,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,wBAAwB,CAC9B,UAAkB,EAClB,MAAuB,EACvB,IAAkB;QAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAE/B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,oBAAoB,EAAE,CAAC;gBAChE,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;oBACvD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,aAAa;wBACjB,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,eAAe,UAAU,mBAAmB,KAAK,2DAA2D,KAAK,GAAG;wBACjI,SAAS,EACP,iKAAiK;wBACnK,QAAQ,EAAE,YAAY;wBACtB,QAAQ;wBACR,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,OAAO;wBACb,cAAc,EAAE,UAAU,UAAU,wCAAwC,GAAG,yCAAyC;wBACxH,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,MAAuB,EACvB,IAAkB;QAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAE/B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBACvD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,aAAa;oBACjB,KAAK,EAAE,8BAA8B;oBACrC,WAAW,EAAE,eAAe,UAAU,+BAA+B,GAAG,QAAQ,IAAI,CAAC,IAAI,GAAG;oBAC5F,SAAS,EACP,2KAA2K;oBAC7K,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,OAAO;oBACb,cAAc,EAAE,eAAe,GAAG,gBAAgB,UAAU,+CAA+C;oBAC3G,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,MAAuB,EACvB,IAAkB;QAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YAEpB,mDAAmD;YACnD,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;gBAC1C,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;oBACxE,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,aAAa;wBACjB,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,eAAe,UAAU,sDAAsD,IAAI,CAAC,IAAI,gCAAgC;wBACrI,SAAS,EACP,2KAA2K;wBAC7K,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,UAAU;wBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,OAAO;wBACb,cAAc,EAAE,yHAAyH;wBACzI,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;YAED,qDAAqD;YACrD,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;gBACpD,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC5B,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;oBACvD,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,aAAa;wBACjB,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,eAAe,UAAU,aAAa,GAAG,mCAAmC,IAAI,CAAC,IAAI,GAAG;wBACrG,SAAS,EACP,2GAA2G;wBAC7G,QAAQ,EAAE,YAAY;wBACtB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,OAAO;wBACb,cAAc,EAAE,SAAS,GAAG,oDAAoD;wBAChF,KAAK,EAAE,CAAC;wBACR,WAAW,EAAE,KAAK;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,wBAAwB,CAC9B,UAAkB,EAClB,MAAuB,EACvB,IAAkB;QAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,MAAM,aAAa,GAAG,CACpB,KAA2B,EAC3B,SAAiB,EACjB,EAAE;YACF,IAAI,CAAC,KAAK;gBAAE,OAAO;YACnB,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBACxD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,aAAa;oBACjB,KAAK,EAAE,mCAAmC;oBAC1C,WAAW,EAAE,eAAe,UAAU,SAAS,SAAS,cAAc,IAAI,CAAC,IAAI,iCAAiC;oBAChH,SAAS,EACP,iIAAiI;oBACnI,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,cAAc,EAAE,0CAA0C,SAAS,uBAAuB;oBAC1F,KAAK,EAAE,CAAC;oBACR,WAAW,EAAE,KAAK;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC;QAEF,aAAa,CAAC,MAAM,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QACnD,aAAa,CAAC,MAAM,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QAEzD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB,CACvB,eAA0C,EAC1C,IAAkB;QAElB,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAc,CAAC;QAEtC,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAChF,MAAM,SAAS,GAAG,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7G,MAAM,YAAY,GAAG,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAC3G,MAAM,UAAU,GAAG,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAE3G,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa;gBACjB,KAAK,EAAE,2CAA2C;gBAClD,WAAW,EAAE,kBAAkB,IAAI,CAAC,IAAI,8CAA8C,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,qEAAqE;gBACzP,SAAS,EACP,4OAA4O;gBAC9O,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,cAAc,EACZ,iHAAiH;gBACnH,KAAK,EAAE,CAAC;gBACR,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;QAED,6EAA6E;QAC7E,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACjF,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa;gBACjB,KAAK,EAAE,mCAAmC;gBAC1C,WAAW,EAAE,kBAAkB,IAAI,CAAC,IAAI,6HAA6H;gBACrK,SAAS,EACP,qIAAqI;gBACvI,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,cAAc,EACZ,mGAAmG;gBACrG,KAAK,EAAE,CAAC;gBACR,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,cAAc,CAAC,OAAe,EAAE,SAAiB;QACvD,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAjSD,8CAiSC"}

package/dist/semantic/structural/permission-model.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Permission Scope Analysis (Layer 2)
+ *
+ * Parses .claude/settings.json and similar config files to detect:
+ * - Wildcard permissions (allow: ["*"])
+ * - Bash tool with no restrictions
+ * - Write/Edit granted outside project scope
+ */
+import type { SemanticFinding, AnalysisFile } from '../types';
+export declare class PermissionModelAnalyzer {
+    analyze(files: AnalysisFile[]): SemanticFinding[];
+    private checkWildcardPermissions;
+    private checkBashPermissions;
+    private checkWriteScope;
+}
+//# sourceMappingURL=permission-model.d.ts.map

package/dist/semantic/structural/permission-model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-model.d.ts","sourceRoot":"","sources":["../../../src/semantic/structural/permission-model.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAkB,MAAM,UAAU,CAAC;AAE9E,qBAAa,uBAAuB;IAClC,OAAO,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;IAqBjD,OAAO,CAAC,wBAAwB;IA6BhC,OAAO,CAAC,oBAAoB;IAwC5B,OAAO,CAAC,eAAe;CA8CxB"}