ship-safe 3.1.0 → 4.0.0

package/cli/agents/injection-tester.js

@@ -0,0 +1,401 @@
+/**
+ * InjectionTester Agent
+ * ======================
+ *
+ * Detects injection vulnerabilities by tracing data flow patterns
+ * from user input to dangerous sinks.
+ *
+ * Covers: SQL Injection, NoSQL Injection, Command Injection,
+ *         Code Injection, XSS, LDAP Injection, Template Injection,
+ *         Header Injection, Path Traversal, Log Injection,
+ *         GraphQL Injection, Open Redirect.
+ */
+
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// INJECTION PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── SQL Injection ──────────────────────────────────────────────────────────
+  {
+    rule: 'SQL_INJECTION_TEMPLATE_LITERAL',
+    title: 'SQL Injection via Template Literal',
+    regex: /`(?:SELECT|INSERT|UPDATE|DELETE|DROP\s+TABLE|ALTER\s+TABLE|TRUNCATE|CREATE|REPLACE|MERGE)[^`]*\$\{/gi,
+    severity: 'critical',
+    cwe: 'CWE-89',
+    owasp: 'A03:2021',
+    description: 'SQL query with interpolated template variable. Use parameterized queries ($1, ?) or an ORM.',
+    fix: 'Use parameterized queries: db.query("SELECT * FROM users WHERE id = $1", [userId])',
+  },
+  {
+    rule: 'SQL_INJECTION_CONCAT',
+    title: 'SQL Injection via String Concatenation',
+    regex: /["'](?:SELECT|INSERT|UPDATE|DELETE)\s+[^"']{4,}["']\s*\+/gi,
+    severity: 'high',
+    cwe: 'CWE-89',
+    owasp: 'A03:2021',
+    description: 'SQL built with string concatenation is vulnerable to injection. Use parameterized queries.',
+    fix: 'Replace string concat with parameterized query or ORM method',
+  },
+  {
+    rule: 'SQL_INJECTION_RAW',
+    title: 'Raw SQL Query (Prisma/Sequelize/Knex)',
+    regex: /(?:\$queryRaw|\.raw|knex\.raw)\s*\(\s*`[^`]*\$\{/gi,
+    severity: 'critical',
+    cwe: 'CWE-89',
+    owasp: 'A03:2021',
+    description: 'ORM raw query with interpolated values bypasses parameterization. Use tagged templates or bind parameters.',
+    fix: 'Prisma: use $queryRaw`...${Prisma.sql}...`; Sequelize: use bind parameters',
+  },
+
+  // ── NoSQL Injection ────────────────────────────────────────────────────────
+  {
+    rule: 'NOSQL_INJECTION_WHERE',
+    title: 'NoSQL Injection via $where',
+    regex: /\$where\s*:/g,
+    severity: 'high',
+    cwe: 'CWE-943',
+    owasp: 'A03:2021',
+    description: '$where in MongoDB executes JavaScript and is vulnerable to injection. Use standard query operators.',
+    fix: 'Replace $where with standard MongoDB operators ($eq, $gt, $regex, etc.)',
+  },
+  {
+    rule: 'NOSQL_INJECTION_DYNAMIC',
+    title: 'NoSQL Injection via Dynamic Query',
+    regex: /\.find\(\s*(?:req\.|request\.|ctx\.)/g,
+    severity: 'high',
+    cwe: 'CWE-943',
+    owasp: 'A03:2021',
+    description: 'Passing request data directly to MongoDB find() enables NoSQL injection. Validate and whitelist query fields.',
+    fix: 'Validate input: only allow expected fields, cast types explicitly',
+  },
+
+  // ── Command Injection ──────────────────────────────────────────────────────
+  {
+    rule: 'CMD_INJECTION_EXEC_TEMPLATE',
+    title: 'Command Injection via exec() Template',
+    regex: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{/g,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+    description: 'Shell command with interpolated values enables command injection. Use execFile() with argument arrays.',
+    fix: 'Use execFile(cmd, [arg1, arg2]) instead of exec(`cmd ${arg}`)',
+  },
+  {
+    rule: 'CMD_INJECTION_EXEC_CONCAT',
+    title: 'Command Injection via exec() Concatenation',
+    regex: /\bexec(?:Sync)?\s*\(\s*["'][^"']*["']\s*\+/g,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+    description: 'Shell command built with string concatenation enables injection. Use execFile() with arrays.',
+    fix: 'Use execFile(cmd, [arg1, arg2]) or spawn(cmd, args) without shell: true',
+  },
+  {
+    rule: 'CMD_INJECTION_SHELL_TRUE',
+    title: 'Command Injection via shell: true',
+    regex: /\bspawn(?:Sync)?\s*\([^)]*\bshell\s*:\s*true/g,
+    severity: 'high',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+    description: 'shell: true in spawn enables shell expansion and command injection. Pass args as array without shell.',
+    fix: 'Remove shell: true and pass arguments as an array',
+  },
+  {
+    rule: 'CMD_INJECTION_PYTHON_OS',
+    title: 'Command Injection via os.system/popen',
+    regex: /\b(?:os\.system|os\.popen|subprocess\.call|subprocess\.Popen)\s*\([^)]*(?:f['"]|\.format\(|\s*\+\s*)/g,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+    description: 'Shell command with string formatting enables injection. Use subprocess.run() with args list.',
+    fix: 'Use subprocess.run([cmd, arg1, arg2], shell=False)',
+  },
+
+  // ── Code Injection ─────────────────────────────────────────────────────────
+  {
+    rule: 'CODE_INJECTION_EVAL',
+    title: 'Code Injection via eval()',
+    regex: /\beval\s*\(\s*(?:req\.|request\.|ctx\.|params|query|body|input|data|user)/g,
+    severity: 'critical',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    description: 'eval() with user input executes arbitrary code. Never pass user data to eval.',
+    fix: 'Use JSON.parse() for data, a sandboxed interpreter, or restructure to avoid eval',
+  },
+  {
+    rule: 'CODE_INJECTION_EVAL_GENERIC',
+    title: 'Code Injection: eval() Usage',
+    regex: /\beval\s*\(/g,
+    severity: 'high',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    confidence: 'medium',
+    description: 'eval() executes arbitrary code. Replace with JSON.parse(), Function, or a safer alternative.',
+    fix: 'Replace eval() with JSON.parse() or a domain-specific parser',
+  },
+  {
+    rule: 'CODE_INJECTION_NEW_FUNCTION',
+    title: 'Code Injection via new Function()',
+    regex: /\bnew\s+Function\s*\(/g,
+    severity: 'high',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    description: 'new Function() is equivalent to eval(). Avoid dynamic code generation.',
+    fix: 'Refactor to avoid dynamic code generation',
+  },
+  {
+    rule: 'CODE_INJECTION_VM',
+    title: 'Code Injection via vm.runInNewContext()',
+    regex: /\bvm\.(?:runInNewContext|runInThisContext|compileFunction)\s*\(/g,
+    severity: 'high',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    description: 'Node.js vm module does not provide security isolation. Use vm2 or isolated-vm for untrusted code.',
+    fix: 'Use isolated-vm or a proper sandbox for untrusted code execution',
+  },
+
+  // ── XSS ────────────────────────────────────────────────────────────────────
+  {
+    rule: 'XSS_DANGEROUS_HTML',
+    title: 'XSS via dangerouslySetInnerHTML',
+    regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'dangerouslySetInnerHTML can introduce XSS if the value contains user input.',
+    fix: 'Sanitize with DOMPurify: dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(html)}}',
+  },
+  {
+    rule: 'XSS_INNERHTML',
+    title: 'XSS via innerHTML Assignment',
+    regex: /\.innerHTML\s*=\s*(?!['"]<)/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'innerHTML with dynamic data leads to XSS. Use textContent or DOMPurify.',
+    fix: 'Use element.textContent for text, or DOMPurify.sanitize() for HTML',
+  },
+  {
+    rule: 'XSS_DOCUMENT_WRITE',
+    title: 'XSS via document.write()',
+    regex: /\bdocument\.write(?:ln)?\s*\(/g,
+    severity: 'medium',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'document.write() is deprecated and can introduce XSS. Use DOM manipulation.',
+    fix: 'Use createElement/appendChild or textContent instead',
+  },
+  {
+    rule: 'XSS_OUTERHTML',
+    title: 'XSS via outerHTML Assignment',
+    regex: /\.outerHTML\s*=/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'outerHTML with dynamic content enables XSS. Sanitize with DOMPurify.',
+    fix: 'Sanitize HTML with DOMPurify before assigning to outerHTML',
+  },
+  {
+    rule: 'XSS_JQUERY_HTML',
+    title: 'XSS via jQuery .html()',
+    regex: /\$\([^)]+\)\.html\s*\(\s*(?!['"])/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'jQuery .html() with dynamic data enables XSS. Use .text() or sanitize.',
+    fix: 'Use .text() for plain text or sanitize HTML with DOMPurify before .html()',
+  },
+  {
+    rule: 'XSS_V_HTML',
+    title: 'XSS via Vue v-html Directive',
+    regex: /v-html\s*=\s*["']/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'Vue v-html renders raw HTML and is vulnerable to XSS. Sanitize before rendering.',
+    fix: 'Sanitize with DOMPurify or use v-text for plain text',
+  },
+
+  // ── Path Traversal ─────────────────────────────────────────────────────────
+  {
+    rule: 'PATH_TRAVERSAL_FS',
+    title: 'Path Traversal in File Operations',
+    regex: /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|unlink|unlinkSync|stat|statSync)\s*\(\s*(?:req\.|request\.|ctx\.|params|query|`[^`]*\$\{)/g,
+    severity: 'critical',
+    cwe: 'CWE-22',
+    owasp: 'A01:2021',
+    description: 'User input in file path enables directory traversal (../../etc/passwd). Validate and restrict paths.',
+    fix: 'Use path.resolve() + validate that resolved path starts with allowed directory',
+  },
+  {
+    rule: 'PATH_TRAVERSAL_DOTDOT',
+    title: 'Path Traversal: No ../ Validation',
+    regex: /path\.join\s*\([^)]*(?:req\.|request\.|ctx\.|params|query|body)/g,
+    severity: 'high',
+    cwe: 'CWE-22',
+    owasp: 'A01:2021',
+    description: 'path.join() with user input without ../​ validation enables traversal.',
+    fix: 'After path.join, verify: if (!resolvedPath.startsWith(allowedDir)) throw new Error()',
+  },
+
+  // ── Template Injection ─────────────────────────────────────────────────────
+  {
+    rule: 'TEMPLATE_INJECTION_EJS',
+    title: 'Server-Side Template Injection (EJS)',
+    regex: /ejs\.render\s*\(\s*(?:req\.|request\.|ctx\.|body|query|params)/g,
+    severity: 'critical',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    description: 'Passing user input as an EJS template enables server-side template injection (SSTI).',
+    fix: 'Render from template files, pass user data only as template variables',
+  },
+  {
+    rule: 'TEMPLATE_INJECTION_UNESCAPED',
+    title: 'Unescaped Template Output',
+    regex: /<%[-=]?\s*(?:req\.|request\.|body|query|params)/g,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'A03:2021',
+    description: 'Unescaped template output with user data enables XSS. Use escaped output.',
+    fix: 'Use <%- sanitize(userInput) %> or escape before rendering',
+  },
+
+  // ── Header Injection ───────────────────────────────────────────────────────
+  {
+    rule: 'HEADER_INJECTION',
+    title: 'HTTP Header Injection',
+    regex: /(?:setHeader|writeHead|header)\s*\([^,]*,\s*(?:req\.|request\.|ctx\.|body|query|params)/g,
+    severity: 'high',
+    cwe: 'CWE-113',
+    owasp: 'A03:2021',
+    description: 'User input in HTTP headers enables header injection / response splitting.',
+    fix: 'Validate and sanitize: strip newlines (\\r\\n) from header values',
+  },
+
+  // ── Open Redirect ──────────────────────────────────────────────────────────
+  {
+    rule: 'OPEN_REDIRECT',
+    title: 'Open Redirect',
+    regex: /(?:res\.redirect|redirect|location\.href|window\.location)\s*(?:\(|=)\s*(?:req\.|request\.|ctx\.|query|params)/g,
+    severity: 'medium',
+    cwe: 'CWE-601',
+    owasp: 'A01:2021',
+    description: 'Redirecting to user-supplied URL enables phishing via open redirect.',
+    fix: 'Validate redirect URL is relative or matches an allowlist of trusted domains',
+  },
+
+  // ── Log Injection ──────────────────────────────────────────────────────────
+  {
+    rule: 'LOG_INJECTION',
+    title: 'Log Injection',
+    regex: /(?:console\.log|logger\.\w+|log\.\w+)\s*\(\s*`[^`]*\$\{(?:req\.|request\.|ctx\.|body|query|params)/g,
+    severity: 'medium',
+    cwe: 'CWE-117',
+    owasp: 'A09:2021',
+    description: 'Unsanitized user input in logs enables log forging and injection attacks.',
+    fix: 'Sanitize user input before logging: strip control characters and newlines',
+  },
+
+  // ── Regex DoS ──────────────────────────────────────────────────────────────
+  {
+    rule: 'REDOS',
+    title: 'Regular Expression DoS (ReDoS)',
+    regex: /new\s+RegExp\s*\(\s*(?:req\.|request\.|ctx\.|body|query|params|input|user)/g,
+    severity: 'high',
+    cwe: 'CWE-1333',
+    owasp: 'A03:2021',
+    description: 'User-controlled regex can cause catastrophic backtracking (ReDoS). Validate or use RE2.',
+    fix: 'Use the re2 package for user-supplied patterns, or validate regex complexity',
+  },
+
+  // ── Prototype Pollution ────────────────────────────────────────────────────
+  {
+    rule: 'PROTOTYPE_POLLUTION',
+    title: 'Prototype Pollution',
+    regex: /(?:Object\.assign|_\.merge|_\.extend|_\.defaultsDeep|lodash\.merge)\s*\(\s*(?:\{\}|[a-zA-Z]+),\s*(?:req\.|request\.|ctx\.|body|query|params|input|data)/g,
+    severity: 'high',
+    cwe: 'CWE-1321',
+    owasp: 'A03:2021',
+    description: 'Merging user input into objects can pollute Object.prototype. Validate input keys.',
+    fix: 'Validate keys against an allowlist, or use Object.create(null) as target',
+  },
+
+  // ── XXE ────────────────────────────────────────────────────────────────────
+  {
+    rule: 'XXE_PARSER',
+    title: 'XML External Entity (XXE) Injection',
+    regex: /(?:xml2js|libxmljs|DOMParser|parseString|parseXML)\s*(?:\.\w+\s*)?\(/g,
+    severity: 'high',
+    cwe: 'CWE-611',
+    owasp: 'A05:2017',
+    confidence: 'medium',
+    description: 'XML parsers with default settings may be vulnerable to XXE. Disable external entity processing.',
+    fix: 'Disable DTDs and external entities in parser configuration',
+  },
+
+  // ── Insecure Deserialization ────────────────────────────────────────────────
+  {
+    rule: 'UNSAFE_DESERIALIZE_PICKLE',
+    title: 'Unsafe Deserialization: pickle',
+    regex: /\bpickle\.loads?\s*\(/g,
+    severity: 'critical',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+    description: 'pickle.loads() on untrusted data enables arbitrary code execution.',
+    fix: 'Use JSON, msgpack, or protobuf for untrusted data serialization',
+  },
+  {
+    rule: 'UNSAFE_DESERIALIZE_YAML',
+    title: 'Unsafe Deserialization: yaml.load()',
+    regex: /\byaml\.load\s*\(\s*(?!.*Loader\s*=\s*yaml\.SafeLoader)/g,
+    severity: 'high',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+    description: 'yaml.load() without SafeLoader can execute arbitrary Python code.',
+    fix: 'Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)',
+  },
+  {
+    rule: 'UNSAFE_DESERIALIZE_UNSERIALIZE',
+    title: 'Unsafe Deserialization: PHP unserialize()',
+    regex: /\bunserialize\s*\(\s*\$/g,
+    severity: 'critical',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+    description: 'PHP unserialize() with user input enables object injection attacks.',
+    fix: 'Use json_decode() instead, or validate input with allowed_classes option',
+  },
+];
+
+// =============================================================================
+// INJECTION TESTER AGENT
+// =============================================================================
+
+export class InjectionTester extends BaseAgent {
+  constructor() {
+    super('InjectionTester', 'Detect injection vulnerabilities across all classes', 'injection');
+  }
+
+  async analyze(context) {
+    const { rootPath, files } = context;
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
+              '.py', '.rb', '.php', '.go', '.java'].includes(ext);
+    });
+
+    let findings = [];
+
+    for (const file of codeFiles) {
+      const fileFindings = this.scanFileWithPatterns(file, PATTERNS);
+      findings = findings.concat(fileFindings);
+    }
+
+    return findings;
+  }
+}
+
+export default InjectionTester;

package/cli/agents/llm-redteam.js

@@ -0,0 +1,251 @@
+/**
+ * LLMRedTeam Agent
+ * =================
+ *
+ * AI/LLM security testing based on OWASP LLM Top 10 2025.
+ * Detects prompt injection vulnerabilities, system prompt leakage,
+ * unsafe LLM output handling, excessive agency, and more.
+ */
+
+import path from 'path';
+import { BaseAgent } from './base-agent.js';
+
+const PATTERNS = [
+  // ── LLM01: Prompt Injection ────────────────────────────────────────────────
+  {
+    rule: 'LLM_PROMPT_INJECTION_NO_SANITIZE',
+    title: 'Prompt Injection: No Input Sanitization',
+    regex: /(?:messages|prompt|content)\s*[:=]\s*(?:`[^`]*\$\{(?:req\.|request\.|body|query|params|input|user)|.*\+\s*(?:req\.|request\.|body|query|params|input|user))/g,
+    severity: 'high',
+    cwe: 'CWE-77',
+    owasp: 'LLM01',
+    description: 'User input concatenated directly into LLM prompt without sanitization enables prompt injection.',
+    fix: 'Sanitize user input, use structured messages, separate system/user content clearly',
+  },
+  {
+    rule: 'LLM_SYSTEM_USER_CONCAT',
+    title: 'Prompt Injection: System + User Concatenation',
+    regex: /(?:system|systemPrompt|system_prompt)\s*[:=].*(?:\+\s*(?:user|input|query|message)|`[^`]*\$\{)/g,
+    severity: 'critical',
+    cwe: 'CWE-77',
+    owasp: 'LLM01',
+    description: 'System prompt concatenated with user input. User can override system instructions.',
+    fix: 'Use separate message roles: [{role:"system", content: systemPrompt}, {role:"user", content: userInput}]',
+  },
+
+  // ── LLM02: Sensitive Information Disclosure ────────────────────────────────
+  {
+    rule: 'LLM_SECRET_IN_PROMPT',
+    title: 'Sensitive Data in LLM Prompt',
+    regex: /(?:system|prompt|content)\s*[:=].*(?:API_KEY|api_key|SECRET|PASSWORD|TOKEN|PRIVATE_KEY|DATABASE_URL)/g,
+    severity: 'critical',
+    cwe: 'CWE-200',
+    owasp: 'LLM02',
+    description: 'Sensitive data (secrets, keys) included in LLM prompt. Data may be logged or leaked.',
+    fix: 'Never include real credentials in prompts. Use placeholder references instead.',
+  },
+  {
+    rule: 'LLM_NO_OUTPUT_FILTER',
+    title: 'LLM Output Without Filtering',
+    regex: /(?:completion|response|result|output)(?:\.\w+)*\.(?:content|text|message)\s*(?:\)|;)/g,
+    severity: 'medium',
+    cwe: 'CWE-200',
+    owasp: 'LLM02',
+    confidence: 'low',
+    description: 'LLM output used directly without filtering. May contain sensitive info or hallucinations.',
+    fix: 'Filter LLM output before displaying: remove PII, validate against expected format',
+  },
+
+  // ── LLM05: Improper Output Handling ────────────────────────────────────────
+  {
+    rule: 'LLM_OUTPUT_TO_EVAL',
+    title: 'LLM Output to eval()/Function()',
+    regex: /eval\s*\(\s*(?:completion|response|result|output|generated|llm|ai|gpt|claude)/gi,
+    severity: 'critical',
+    cwe: 'CWE-94',
+    owasp: 'LLM05',
+    description: 'LLM output passed to eval() enables arbitrary code execution via prompt injection.',
+    fix: 'Never eval() LLM output. Parse as JSON with try/catch, or use a sandboxed interpreter.',
+  },
+  {
+    rule: 'LLM_OUTPUT_TO_SQL',
+    title: 'LLM Output in SQL Query',
+    regex: /(?:query|execute|raw)\s*\(\s*(?:completion|response|result|output|generated|llm|ai|gpt|claude)/gi,
+    severity: 'critical',
+    cwe: 'CWE-89',
+    owasp: 'LLM05',
+    description: 'LLM-generated text used in SQL query. Attacker can inject SQL via prompt injection.',
+    fix: 'Never use LLM output in raw SQL. Validate against expected query patterns.',
+  },
+  {
+    rule: 'LLM_OUTPUT_TO_HTML',
+    title: 'LLM Output Rendered as HTML',
+    regex: /(?:innerHTML|dangerouslySetInnerHTML|v-html)\s*=\s*(?:.*(?:completion|response|result|output|generated|llm|ai|gpt|claude))/gi,
+    severity: 'high',
+    cwe: 'CWE-79',
+    owasp: 'LLM05',
+    description: 'LLM output rendered as unescaped HTML enables XSS via prompt injection.',
+    fix: 'Render LLM output as text, or sanitize with DOMPurify before HTML rendering.',
+  },
+  {
+    rule: 'LLM_OUTPUT_TO_SHELL',
+    title: 'LLM Output in Shell Command',
+    regex: /(?:exec|spawn|system|popen)\s*\(\s*(?:completion|response|result|output|generated|llm|ai|gpt|claude)/gi,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'LLM05',
+    description: 'LLM output used in shell command enables RCE via prompt injection.',
+    fix: 'Never pass LLM output to shell. Use a strict allowlist of allowed commands.',
+  },
+
+  // ── LLM06: Excessive Agency ────────────────────────────────────────────────
+  {
+    rule: 'LLM_TOOL_NO_CONFIRM',
+    title: 'LLM Tool Use Without Confirmation',
+    regex: /(?:tools|functions|function_call)\s*[:=]\s*\[.*(?:write|delete|update|create|send|execute|deploy|modify)/gi,
+    severity: 'high',
+    cwe: 'CWE-862',
+    owasp: 'LLM06',
+    confidence: 'medium',
+    description: 'LLM given tools with side effects (write/delete/send) without human confirmation.',
+    fix: 'Require human approval for destructive actions. Implement an approval workflow.',
+  },
+  {
+    rule: 'LLM_DB_WRITE_ACCESS',
+    title: 'LLM Has Database Write Access',
+    regex: /(?:tool|function).*(?:INSERT|UPDATE|DELETE|DROP|CREATE|ALTER).*(?:sql|query|database|db)/gi,
+    severity: 'critical',
+    cwe: 'CWE-862',
+    owasp: 'LLM06',
+    description: 'LLM can write to database. Prompt injection could corrupt or destroy data.',
+    fix: 'Give LLM read-only database access. Require human approval for writes.',
+  },
+  {
+    rule: 'LLM_FILE_WRITE',
+    title: 'LLM Has File System Write Access',
+    regex: /(?:tool|function).*(?:writeFile|fs\.write|unlink|rmdir|mkdir)/gi,
+    severity: 'critical',
+    cwe: 'CWE-862',
+    owasp: 'LLM06',
+    description: 'LLM can write/delete files. Prompt injection could modify or destroy files.',
+    fix: 'Restrict LLM file access to a sandboxed directory with read-only permissions.',
+  },
+
+  // ── LLM07: System Prompt Leakage ───────────────────────────────────────────
+  {
+    rule: 'LLM_SYSTEM_PROMPT_CLIENT',
+    title: 'System Prompt Exposed to Client',
+    regex: /(?:systemPrompt|system_prompt|SYSTEM_PROMPT)\s*[:=]\s*["'`]/g,
+    severity: 'high',
+    cwe: 'CWE-200',
+    owasp: 'LLM07',
+    confidence: 'medium',
+    description: 'System prompt hardcoded in code. If client-side, users can extract it.',
+    fix: 'Keep system prompts server-side only. Load from environment variables or config.',
+  },
+
+  // ── LLM10: Unbounded Consumption ───────────────────────────────────────────
+  {
+    rule: 'LLM_NO_TOKEN_LIMIT',
+    title: 'LLM Call Without Token Limit',
+    regex: /(?:openai|anthropic|ai)\.\w+\.create\s*\(\s*\{(?![\s\S]*max_tokens)[\s\S]*?\}/g,
+    severity: 'medium',
+    cwe: 'CWE-770',
+    owasp: 'LLM10',
+    confidence: 'low',
+    description: 'LLM API call without max_tokens limit. Could generate excessive output and costs.',
+    fix: 'Set max_tokens in API call to limit response size and costs',
+  },
+  {
+    rule: 'LLM_NO_RATE_LIMIT',
+    title: 'LLM Endpoint Without Rate Limiting',
+    regex: /(?:\/api\/.*(?:chat|complete|generate|ai|llm|gpt|claude)|\/chat|\/generate)\s*['"]/gi,
+    severity: 'medium',
+    cwe: 'CWE-770',
+    owasp: 'LLM10',
+    confidence: 'low',
+    description: 'AI endpoint without rate limiting. Users could rack up API costs.',
+    fix: 'Add rate limiting per user: express-rate-limit, @upstash/ratelimit, etc.',
+  },
+  {
+    rule: 'LLM_NO_COST_LIMIT',
+    title: 'LLM Usage Without Cost Controls',
+    regex: /(?:OPENAI|ANTHROPIC|AI)_(?:API_KEY|KEY).*(?!(?:budget|limit|cap|max_cost|spending))/gi,
+    severity: 'medium',
+    cwe: 'CWE-770',
+    owasp: 'LLM10',
+    confidence: 'low',
+    description: 'AI API usage without cost controls. Set spending limits on your provider dashboard.',
+    fix: 'Configure spending limits in OpenAI/Anthropic dashboard. Add per-user token budgets.',
+  },
+
+  // ── LLM03: Supply Chain ────────────────────────────────────────────────────
+  {
+    rule: 'LLM_UNVERIFIED_MODEL',
+    title: 'Unverified Model Download',
+    regex: /(?:from_pretrained|AutoModel|pipeline)\s*\(\s*["'][^"']+\/[^"']+["']/g,
+    severity: 'medium',
+    cwe: 'CWE-829',
+    owasp: 'LLM03',
+    confidence: 'low',
+    description: 'Loading model from Hugging Face without verification. Model could contain backdoors.',
+    fix: 'Verify model hash, use models from trusted organizations, scan for malicious code',
+  },
+
+  // ── LLM08: Vector/Embedding Weaknesses ─────────────────────────────────────
+  {
+    rule: 'LLM_RAG_NO_VALIDATION',
+    title: 'RAG Pipeline Without Input Validation',
+    regex: /(?:embed|embedding|vector|similarity_search|query)\s*\(\s*(?:req\.|request\.|body|query|params|input|user)/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'LLM08',
+    description: 'User input passed directly to vector search/embedding without validation.',
+    fix: 'Validate and sanitize input before embedding. Limit query length.',
+  },
+  {
+    rule: 'LLM_RAG_NO_ACCESS_CONTROL',
+    title: 'RAG Without Access Control',
+    regex: /(?:pinecone|chroma|weaviate|qdrant|milvus).*(?:query|search|similarity)\s*\(/g,
+    severity: 'medium',
+    cwe: 'CWE-862',
+    owasp: 'LLM08',
+    confidence: 'low',
+    description: 'Vector database query without access control. Users may access other users\' data.',
+    fix: 'Add namespace/tenant filtering: filter by userId in vector DB queries',
+  },
+
+  // ── Prompt Injection Patterns (content-level detection) ────────────────────
+  {
+    rule: 'PROMPT_INJECTION_PATTERN',
+    title: 'Known Prompt Injection Pattern',
+    regex: /(?:ignore\s+(?:all\s+)?previous\s+instructions|disregard\s+(?:all\s+)?(?:previous|prior)|you\s+are\s+now\s+DAN|system\s*prompt|jailbreak|bypass\s+(?:your|the)\s+(?:rules|instructions|guidelines))/gi,
+    severity: 'high',
+    cwe: 'CWE-77',
+    owasp: 'LLM01',
+    description: 'Known prompt injection pattern detected in code. Ensure this is for testing only.',
+    fix: 'If in test data, add # ship-safe-ignore. If in user-facing code, add input filtering.',
+  },
+];
+
+export class LLMRedTeam extends BaseAgent {
+  constructor() {
+    super('LLMRedTeam', 'AI/LLM security audit based on OWASP LLM Top 10', 'llm');
+  }
+
+  async analyze(context) {
+    const { files } = context;
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb'].includes(ext);
+    });
+
+    let findings = [];
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+    return findings;
+  }
+}
+
+export default LLMRedTeam;