ship-safe 4.3.0 → 5.0.1

package/cli/agents/agentic-security-agent.js

@@ -0,0 +1,261 @@
+/**
+ * Agentic Security Agent
+ * ========================
+ *
+ * Detects security vulnerabilities in AI agent implementations.
+ * Covers the OWASP Top 10 for Agentic Applications (2026):
+ *   ASI01 — Agent Goal Hijacking
+ *   ASI02 — Tool Misuse
+ *   ASI03 — Identity & Privilege Abuse
+ *   ASI04 — Memory Poisoning
+ *   ASI05 — Cascading Hallucination
+ *   ASI06 — Supply Chain Vulnerabilities
+ *
+ * 48% of cybersecurity professionals identify agentic AI as
+ * the top attack vector for 2026.
+ */
+
+import path from 'path';
+import { BaseAgent } from './base-agent.js';
+
+// =============================================================================
+// AGENTIC SECURITY PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── Goal Hijacking (ASI01) ───────────────────────────────────────────────
+  {
+    rule: 'AGENT_USER_INPUT_IN_SYSTEM_PROMPT',
+    title: 'Agent: User Input in System Prompt / Goal',
+    regex: /(?:system|instructions|goal|objective|persona)\s*[:=]\s*(?:`[^`]*\$\{|.*\+\s*(?:req\.|request\.|user|input|message|query|body))/g,
+    severity: 'critical',
+    cwe: 'CWE-74',
+    owasp: 'A03:2021',
+    description: 'User input concatenated into agent system prompt or goal definition. Enables agent goal hijacking — the attacker can rewrite the agent\'s objectives.',
+    fix: 'Separate system instructions from user input. Use structured message roles (system vs user). Never interpolate user input into system prompts.',
+  },
+  {
+    rule: 'AGENT_NO_GOAL_BOUNDARY',
+    title: 'Agent: Missing Goal Boundary Enforcement',
+    regex: /(?:agent|assistant|bot)[\s\S]{0,200}(?:system|instructions)\s*[:=]\s*(?:req\.|request\.|input|body|query|params)/g,
+    severity: 'critical',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    description: 'Agent goal or system instructions set directly from external input without boundary enforcement.',
+    fix: 'Hardcode agent goals. If customization is needed, validate against an allowlist of approved goal templates.',
+  },
+
+  // ── Tool Misuse (ASI02) ──────────────────────────────────────────────────
+  {
+    rule: 'AGENT_UNRESTRICTED_TOOLS',
+    title: 'Agent: Unrestricted Tool Access',
+    regex: /(?:tools|actions|capabilities|functions)\s*[:=]\s*(?:\[\s*\.{3}|"all"|'all'|"\*"|'\*'|Object\.keys|getAll|listAll)/g,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'A01:2021',
+    description: 'Agent given wildcard or unbounded tool access. Prompt injection can trigger any available tool.',
+    fix: 'Restrict agent tools to minimum required set. Use explicit allowlists, not wildcard access.',
+  },
+  {
+    rule: 'AGENT_TOOL_NO_CONFIRMATION',
+    title: 'Agent: Destructive Tools Without Human Confirmation',
+    regex: /(?:auto_approve|auto_execute|requireConfirmation\s*[:=]\s*false|confirm\s*[:=]\s*false|human_in_loop\s*[:=]\s*false|humanInTheLoop\s*[:=]\s*false|approval\s*[:=]\s*false)/gi,
+    severity: 'high',
+    cwe: 'CWE-862',
+    owasp: 'A01:2021',
+    description: 'Agent configured to auto-execute tools without human confirmation. Prompt injection can trigger destructive actions.',
+    fix: 'Require human-in-the-loop confirmation for destructive operations (write, delete, send, pay).',
+  },
+  {
+    rule: 'AGENT_TOOL_SHELL_ACCESS',
+    title: 'Agent: Tool With Shell/Command Execution',
+    regex: /(?:tools|functions)[\s\S]{0,500}(?:exec\s*\(|execSync|spawn|child_process|subprocess|os\.system|shell\s*[:=]\s*true)/g,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+    description: 'Agent has access to a tool that executes shell commands. Prompt injection achieves RCE.',
+    fix: 'Remove shell execution tools from agent capabilities. If needed, use strict command allowlists.',
+  },
+  {
+    rule: 'AGENT_UNVALIDATED_TOOL_OUTPUT',
+    title: 'Agent: Tool Output Used Without Validation',
+    regex: /(?:tool_result|toolResult|function_result|tool_output)[\s\S]{0,200}(?:eval\s*\(|exec\s*\(|innerHTML|dangerouslySetInnerHTML|\.query\s*\(|\.execute\s*\()/g,
+    severity: 'critical',
+    cwe: 'CWE-94',
+    owasp: 'A03:2021',
+    description: 'Tool output passed directly to dangerous sinks (eval, SQL, HTML). Poisoned tool results can achieve code execution.',
+    fix: 'Validate and sanitize all tool outputs before using them in code execution, SQL queries, or HTML rendering.',
+  },
+
+  // ── Identity & Privilege Abuse (ASI03) ───────────────────────────────────
+  {
+    rule: 'AGENT_ESCALATED_PERMISSIONS',
+    title: 'Agent: Runs With Elevated Permissions',
+    regex: /(?:agent|bot|assistant)[\s\S]{0,300}(?:admin|sudo|root|superuser|service.?role|elevated|full.?access|all.?permissions)/gi,
+    severity: 'high',
+    cwe: 'CWE-269',
+    owasp: 'A04:2021',
+    confidence: 'medium',
+    description: 'Agent configured with elevated permissions (admin, root, service-role). Prompt injection inherits these privileges.',
+    fix: 'Apply principle of least privilege. Agents should have minimal permissions required for their specific task.',
+  },
+  {
+    rule: 'AGENT_CREDENTIAL_FORWARDING',
+    title: 'Agent: Credentials Passed Between Tools',
+    regex: /(?:tool|function|action)[\s\S]{0,300}(?:credential|password|secret|token|apiKey|api_key)[\s\S]{0,100}(?:forward|pass|send|share|propagate|next)/gi,
+    severity: 'high',
+    cwe: 'CWE-522',
+    owasp: 'A07:2021',
+    confidence: 'medium',
+    description: 'Agent forwards credentials between tools or to external services. Compromised tools can steal credentials.',
+    fix: 'Scope credentials per-tool. Never forward authentication tokens between tool invocations.',
+  },
+
+  // ── Memory Poisoning (ASI04) ─────────────────────────────────────────────
+  {
+    rule: 'AGENT_MEMORY_USER_WRITE',
+    title: 'Agent: User Input Written to Persistent Memory',
+    regex: /(?:memory|context|history|state|knowledge)[\s\S]{0,100}(?:\.append|\.push|\.add|\.set|\.save|\.store|\.write|\.update)\s*\(\s*(?:user|input|message|query|req\.|request\.)/g,
+    severity: 'high',
+    cwe: 'CWE-472',
+    owasp: 'A03:2021',
+    description: 'User-controlled content written directly to agent persistent memory. Enables memory poisoning — attacker instructions persist across sessions.',
+    fix: 'Sanitize and validate content before writing to agent memory. Separate user messages from system state.',
+  },
+  {
+    rule: 'AGENT_MEMORY_NO_EXPIRY',
+    title: 'Agent: Persistent Memory Without Expiration',
+    regex: /(?:memory|longTermMemory|persistentState)[\s\S]{0,200}(?:save|store|persist|write)(?![\s\S]{0,200}(?:ttl|expir|maxAge|retention|cleanup|prune))/g,
+    severity: 'medium',
+    cwe: 'CWE-404',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Agent memory persists without expiration policy. Poisoned memories remain indefinitely.',
+    fix: 'Set TTL or retention policies on agent memory. Implement periodic cleanup of stale entries.',
+  },
+
+  // ── Unbounded Execution ──────────────────────────────────────────────────
+  {
+    rule: 'AGENT_NO_ITERATION_LIMIT',
+    title: 'Agent: Execution Loop Without Iteration Limit',
+    regex: /(?:while\s*\(\s*true|for\s*\(\s*;\s*;\s*\)|loop\s*\{)[\s\S]{0,500}(?:agent|llm|completion|chat|generate|invoke)/g,
+    severity: 'high',
+    cwe: 'CWE-835',
+    owasp: 'A04:2021',
+    description: 'Agent runs in an unbounded loop without iteration limits. Enables denial of wallet and runaway costs.',
+    fix: 'Set maxIterations or maxSteps limit on agent execution loops. Add timeout enforcement.',
+  },
+  {
+    rule: 'AGENT_NO_TIMEOUT',
+    title: 'Agent: No Timeout on Execution',
+    regex: /(?:agent|AgentExecutor|runAgent|createAgent)\s*\(\s*\{(?:(?!timeout|maxTime|deadline|abort|signal).)*\}\s*\)/gs,
+    severity: 'medium',
+    cwe: 'CWE-400',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Agent execution without timeout configuration. Runaway agents can consume unlimited resources.',
+    fix: 'Set explicit timeout on agent execution. Use AbortController or equivalent mechanism.',
+  },
+  {
+    rule: 'AGENT_NO_COST_LIMIT',
+    title: 'Agent: No Spending/Token Limit',
+    regex: /(?:agent|completion|chat)[\s\S]{0,300}(?:model|engine)\s*[:=](?![\s\S]{0,300}(?:max_tokens|maxTokens|budget|cost|limit|cap))/g,
+    severity: 'medium',
+    cwe: 'CWE-770',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Agent makes LLM calls without token or cost limits. Enables denial of wallet attacks.',
+    fix: 'Set max_tokens on all LLM calls. Implement per-session cost budgets.',
+  },
+
+  // ── Multi-Agent Risks ────────────────────────────────────────────────────
+  {
+    rule: 'AGENT_RECURSIVE_INVOCATION',
+    title: 'Agent: Recursive Self-Invocation',
+    regex: /(?:agent|assistant)[\s\S]{0,200}(?:call|invoke|run|execute)[\s\S]{0,100}(?:self|this|agent|itself)/g,
+    severity: 'high',
+    cwe: 'CWE-674',
+    owasp: 'A04:2021',
+    confidence: 'medium',
+    description: 'Agent can recursively invoke itself or spawn sub-agents without depth limits. Enables infinite loops.',
+    fix: 'Set max recursion depth for agent self-invocation. Track and limit sub-agent spawn depth.',
+  },
+  {
+    rule: 'AGENT_CHAIN_NO_ISOLATION',
+    title: 'Agent: Multi-Agent Chain Without Privilege Isolation',
+    regex: /(?:pipe|chain|sequence|workflow)[\s\S]{0,300}(?:agent|step|task)[\s\S]{0,200}(?:agent|step|task)(?![\s\S]{0,200}(?:permission|scope|restrict|isolat))/g,
+    severity: 'medium',
+    cwe: 'CWE-269',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Multi-agent pipeline without privilege isolation between steps. A compromised agent can escalate through the chain.',
+    fix: 'Apply privilege isolation between agents in a chain. Each agent should have scoped permissions.',
+  },
+
+  // ── Output Safety ────────────────────────────────────────────────────────
+  {
+    rule: 'AGENT_OUTPUT_TO_ACTION',
+    title: 'Agent: LLM Output Directly Triggers Actions',
+    regex: /(?:completion|response|output|result|generated)[\s\S]{0,100}(?:\.execute|\.run|\.send|\.post|\.delete|\.pay|\.transfer|\.deploy)/g,
+    severity: 'high',
+    cwe: 'CWE-862',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'LLM output directly triggers side-effect actions without validation. Hallucinated or injected outputs can cause unintended actions.',
+    fix: 'Validate LLM output against expected schemas before executing side effects. Add human confirmation for irreversible actions.',
+  },
+  {
+    rule: 'AGENT_NO_OUTPUT_SCHEMA',
+    title: 'Agent: No Schema Validation on LLM Output',
+    regex: /(?:JSON\.parse|json\.loads)\s*\(\s*(?:completion|response|output|result|generated|llm|ai|gpt|claude)(?![\s\S]{0,200}(?:schema|validate|zod|yup|joi|ajv|parse|safeParse|type_adapter))/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    description: 'LLM JSON output parsed without schema validation. Malformed or malicious output can cause unexpected behavior.',
+    fix: 'Validate LLM structured output against a schema (Zod, Joi, Pydantic) before processing.',
+  },
+
+  // ── Audit & Observability ────────────────────────────────────────────────
+  {
+    rule: 'AGENT_NO_AUDIT_LOG',
+    title: 'Agent: Tool Invocations Not Logged',
+    regex: /(?:tool_call|function_call|executeTool|callTool|tool\.run)[\s\S]{0,300}(?![\s\S]{0,300}(?:log|audit|record|track|monitor|trace|emit|publish))/g,
+    severity: 'medium',
+    cwe: 'CWE-778',
+    owasp: 'A09:2021',
+    confidence: 'low',
+    description: 'Agent tool invocations are not being logged or audited. Makes incident response and forensics impossible.',
+    fix: 'Log all tool invocations including: tool name, arguments, caller identity, timestamp, and result status.',
+  },
+];
+
+// =============================================================================
+// AGENTIC SECURITY AGENT
+// =============================================================================
+
+export class AgenticSecurityAgent extends BaseAgent {
+  constructor() {
+    super(
+      'AgenticSecurityAgent',
+      'Detect AI agent security vulnerabilities — goal hijacking, tool misuse, memory poisoning, unbounded execution',
+      'llm'
+    );
+  }
+
+  async analyze(context) {
+    const { files } = context;
+
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go'].includes(ext);
+    });
+
+    let findings = [];
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+    return findings;
+  }
+}
+
+export default AgenticSecurityAgent;

package/cli/agents/base-agent.js

@@ -18,7 +18,7 @@
 import fs from 'fs';
 import path from 'path';
 import fg from 'fast-glob';
-import { SKIP_DIRS, SKIP_EXTENSIONS, MAX_FILE_SIZE, loadGitignorePatterns } from '../utils/patterns.js';
+import { SKIP_DIRS, SKIP_EXTENSIONS, SKIP_FILENAMES, MAX_FILE_SIZE, loadGitignorePatterns } from '../utils/patterns.js';
 
 // =============================================================================
 // FINDING FACTORY
@@ -86,6 +86,15 @@ export class BaseAgent {
     throw new Error(`${this.name}.analyze() not implemented`);
   }
 
+  /**
+   * Whether this agent should run given the recon results.
+   * Override in subclasses to skip irrelevant scans.
+   * Default: always run.
+   */
+  shouldRun(recon) {
+    return true;
+  }
+
   // ── Helpers available to all agents ─────────────────────────────────────────
 
   /**
@@ -122,6 +131,7 @@ export class BaseAgent {
       const ext = path.extname(file).toLowerCase();
       if (SKIP_EXTENSIONS.has(ext)) return false;
       const basename = path.basename(file);
+      if (SKIP_FILENAMES.has(basename)) return false;
       if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) return false;
       try {
         const stats = fs.statSync(file);

package/cli/agents/deep-analyzer.js

@@ -0,0 +1,333 @@
+/**
+ * DeepAnalyzer — LLM-Powered Taint Analysis
+ * ============================================
+ *
+ * Takes critical/high findings nominated by regex scan and sends them
+ * to an LLM for deeper analysis: taint reachability, sanitization
+ * verification, and exploitability assessment.
+ *
+ * Supports:
+ *   - Anthropic API (ANTHROPIC_API_KEY)
+ *   - OpenAI API (OPENAI_API_KEY)
+ *   - Google Gemini (GOOGLE_API_KEY)
+ *   - Ollama local models (--local flag)
+ *
+ * USAGE:
+ *   const analyzer = new DeepAnalyzer({ provider, budgetCents: 50 });
+ *   const enrichedFindings = await analyzer.analyze(findings, context);
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { createProvider, autoDetectProvider } from '../providers/llm-provider.js';
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+/** Max file content to send per finding (tokens are expensive) */
+const MAX_FILE_CHARS = 4000;
+
+/** Max findings to analyze per run (cost control) */
+const MAX_FINDINGS = 30;
+
+/** Approximate cost per 1K input tokens (Haiku pricing) */
+const COST_PER_1K_INPUT = 0.08;  // cents
+const COST_PER_1K_OUTPUT = 0.4;  // cents
+
+/** Estimated tokens per finding analysis */
+const EST_INPUT_TOKENS_PER_FINDING = 1500;
+const EST_OUTPUT_TOKENS_PER_FINDING = 300;
+
+// =============================================================================
+// SYSTEM PROMPT
+// =============================================================================
+
+const SYSTEM_PROMPT = `You are a security code auditor performing taint analysis. For each finding, determine:
+
+1. **Tainted**: Is the flagged value controllable by an external user (via HTTP request, file upload, CLI args, env vars, database read, etc.)?
+2. **Sanitized**: Is there sanitization, validation, or encoding between the source and sink that neutralizes the risk?
+3. **Exploitability**: Rate as "confirmed", "likely", "unlikely", or "false_positive".
+4. **Reasoning**: One sentence explaining your verdict.
+
+Respond with a JSON array ONLY. No markdown, no explanation outside JSON.
+
+[{
+  "findingId": "<id>",
+  "tainted": true|false,
+  "sanitized": true|false,
+  "exploitability": "confirmed"|"likely"|"unlikely"|"false_positive",
+  "reasoning": "<one sentence>"
+}]
+
+Rules:
+- If the value is a hardcoded string literal with no user input path, it is NOT tainted.
+- If there is a validation library (zod, joi, yup, ajv) or sanitization function between input and sink, mark sanitized=true.
+- If the code is in a test file, example, or documentation, mark as false_positive.
+- If you cannot determine taint flow from the provided context, mark exploitability as "unlikely" rather than guessing.
+- Be conservative: only mark "confirmed" when there is a clear, unsanitized path from user input to dangerous sink.`;
+
+// =============================================================================
+// DEEP ANALYZER
+// =============================================================================
+
+export class DeepAnalyzer {
+  /**
+   * @param {object} options
+   * @param {object} options.provider    — LLM provider instance (from createProvider)
+   * @param {number} options.budgetCents — Max spend in cents (default: 50)
+   * @param {boolean} options.verbose    — Log analysis progress
+   */
+  constructor(options = {}) {
+    this.provider = options.provider || null;
+    this.budgetCents = options.budgetCents ?? 50;
+    this.verbose = options.verbose || false;
+    this.spentCents = 0;
+    this.analyzedCount = 0;
+  }
+
+  /**
+   * Create a DeepAnalyzer with auto-detected provider.
+   * Returns null if no provider is available.
+   */
+  static create(rootPath, options = {}) {
+    // --local flag: use Ollama
+    if (options.local) {
+      const provider = createProvider('ollama', null, {
+        model: options.model || 'llama3.2',
+        baseUrl: options.ollamaUrl || 'http://localhost:11434/api/chat',
+      });
+      return new DeepAnalyzer({ provider, ...options });
+    }
+
+    // Auto-detect from env
+    const provider = autoDetectProvider(rootPath);
+    if (!provider) return null;
+
+    return new DeepAnalyzer({ provider, ...options });
+  }
+
+  /**
+   * Analyze findings with LLM-powered taint analysis.
+   * Only processes critical/high findings to optimize cost.
+   *
+   * @param {object[]} findings — All findings from agents
+   * @param {object}   context  — { rootPath, recon }
+   * @returns {Promise<object[]>} — Findings with deepAnalysis attached
+   */
+  async analyze(findings, context = {}) {
+    if (!this.provider) return findings;
+
+    // Filter to critical/high only
+    const candidates = findings.filter(
+      f => f.severity === 'critical' || f.severity === 'high'
+    );
+
+    if (candidates.length === 0) return findings;
+
+    // Cap at MAX_FINDINGS
+    const toAnalyze = candidates.slice(0, MAX_FINDINGS);
+
+    // Check budget before starting
+    const estimatedCost = this._estimateCost(toAnalyze.length);
+    if (estimatedCost > this.budgetCents) {
+      const affordable = Math.floor(
+        this.budgetCents / (estimatedCost / toAnalyze.length)
+      );
+      toAnalyze.length = Math.max(1, affordable);
+    }
+
+    // Batch findings (5 per request to balance cost vs. context)
+    const batchSize = 5;
+    const results = new Map();
+
+    for (let i = 0; i < toAnalyze.length; i += batchSize) {
+      // Budget check before each batch
+      if (this.spentCents >= this.budgetCents) {
+        if (this.verbose) {
+          console.log(`  Deep analysis: budget exhausted (${this.spentCents}c / ${this.budgetCents}c)`);
+        }
+        break;
+      }
+
+      const batch = toAnalyze.slice(i, i + batchSize);
+      const prompt = this._buildPrompt(batch, context);
+
+      try {
+        const response = await this.provider.complete(
+          SYSTEM_PROMPT,
+          prompt,
+          { maxTokens: 1500 }
+        );
+
+        // Track cost
+        const inputTokens = Math.ceil(prompt.length / 4);
+        const outputTokens = Math.ceil(response.length / 4);
+        this.spentCents += (inputTokens / 1000) * COST_PER_1K_INPUT
+                         + (outputTokens / 1000) * COST_PER_1K_OUTPUT;
+
+        // Parse response
+        const analyses = this._parseResponse(response);
+        for (const analysis of analyses) {
+          results.set(analysis.findingId, analysis);
+        }
+
+        this.analyzedCount += batch.length;
+      } catch (err) {
+        if (this.verbose) {
+          console.log(`  Deep analysis batch failed: ${err.message}`);
+        }
+        // Continue with remaining batches
+      }
+    }
+
+    // Attach deep analysis to findings
+    for (const finding of findings) {
+      const id = this._findingId(finding);
+      const analysis = results.get(id);
+
+      if (analysis) {
+        finding.deepAnalysis = {
+          tainted: analysis.tainted,
+          sanitized: analysis.sanitized,
+          exploitability: analysis.exploitability,
+          reasoning: analysis.reasoning,
+        };
+
+        // Adjust confidence based on deep analysis
+        if (analysis.exploitability === 'false_positive') {
+          finding.confidence = 'low';
+        } else if (analysis.exploitability === 'unlikely') {
+          if (finding.confidence === 'high') finding.confidence = 'medium';
+        } else if (analysis.exploitability === 'confirmed') {
+          finding.confidence = 'high';
+        }
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Build the analysis prompt for a batch of findings.
+   */
+  _buildPrompt(findings, context) {
+    const items = findings.map(f => {
+      const id = this._findingId(f);
+      const fileContent = this._getFileContext(f);
+
+      return {
+        findingId: id,
+        rule: f.rule,
+        severity: f.severity,
+        title: f.title,
+        description: f.description,
+        file: f.file ? path.basename(f.file) : 'unknown',
+        line: f.line,
+        matched: (f.matched || '').slice(0, 200),
+        codeContext: fileContent,
+      };
+    });
+
+    // Add project context if available
+    let projectContext = '';
+    if (context.recon) {
+      const r = context.recon;
+      const parts = [];
+      if (r.frameworks?.length) parts.push(`Frameworks: ${r.frameworks.join(', ')}`);
+      if (r.databases?.length) parts.push(`Databases: ${r.databases.join(', ')}`);
+      if (r.authPatterns?.length) parts.push(`Auth: ${r.authPatterns.join(', ')}`);
+      if (parts.length) projectContext = `\nProject context:\n${parts.join('\n')}\n`;
+    }
+
+    return `Analyze these ${items.length} security findings for taint reachability and exploitability.
+${projectContext}
+Findings:
+${JSON.stringify(items, null, 2)}`;
+  }
+
+  /**
+   * Get file content around the finding for LLM context.
+   */
+  _getFileContext(finding) {
+    if (!finding.file) return '';
+
+    try {
+      const content = fs.readFileSync(finding.file, 'utf-8');
+      const lines = content.split('\n');
+      const lineNum = finding.line || 1;
+
+      // Get a window of ~40 lines around the finding
+      const start = Math.max(0, lineNum - 21);
+      const end = Math.min(lines.length, lineNum + 20);
+      let context = lines.slice(start, end)
+        .map((l, i) => `${start + i + 1}: ${l}`)
+        .join('\n');
+
+      // Truncate if too long
+      if (context.length > MAX_FILE_CHARS) {
+        context = context.slice(0, MAX_FILE_CHARS) + '\n... (truncated)';
+      }
+
+      return context;
+    } catch {
+      return '';
+    }
+  }
+
+  /**
+   * Generate a stable ID for a finding.
+   */
+  _findingId(finding) {
+    const file = finding.file ? path.basename(finding.file) : 'unknown';
+    return `${file}:${finding.line}:${finding.rule}`;
+  }
+
+  /**
+   * Parse LLM response into analysis objects.
+   */
+  _parseResponse(text) {
+    const cleaned = text
+      .replace(/^```(?:json)?\s*/i, '')
+      .replace(/\s*```\s*$/i, '')
+      .trim();
+
+    try {
+      const parsed = JSON.parse(cleaned);
+      if (!Array.isArray(parsed)) return [];
+
+      // Validate each entry
+      return parsed.filter(item =>
+        item.findingId &&
+        typeof item.tainted === 'boolean' &&
+        typeof item.sanitized === 'boolean' &&
+        ['confirmed', 'likely', 'unlikely', 'false_positive'].includes(item.exploitability)
+      );
+    } catch {
+      return [];
+    }
+  }
+
+  /**
+   * Estimate cost for analyzing N findings (in cents).
+   */
+  _estimateCost(count) {
+    const inputCost = (count * EST_INPUT_TOKENS_PER_FINDING / 1000) * COST_PER_1K_INPUT;
+    const outputCost = (count * EST_OUTPUT_TOKENS_PER_FINDING / 1000) * COST_PER_1K_OUTPUT;
+    return inputCost + outputCost;
+  }
+
+  /**
+   * Get analysis stats.
+   */
+  getStats() {
+    return {
+      analyzedCount: this.analyzedCount,
+      spentCents: Math.round(this.spentCents * 100) / 100,
+      budgetCents: this.budgetCents,
+      provider: this.provider?.name || 'none',
+    };
+  }
+}
+
+export default DeepAnalyzer;

package/cli/agents/index.js

@@ -19,13 +19,20 @@ export { GitHistoryScanner } from './git-history-scanner.js';
 export { CICDScanner } from './cicd-scanner.js';
 export { APIFuzzer } from './api-fuzzer.js';
 export { SupabaseRLSAgent } from './supabase-rls-agent.js';
+export { MCPSecurityAgent } from './mcp-security-agent.js';
+export { AgenticSecurityAgent } from './agentic-security-agent.js';
+export { RAGSecurityAgent } from './rag-security-agent.js';
+export { PIIComplianceAgent } from './pii-compliance-agent.js';
+export { VerifierAgent } from './verifier-agent.js';
+export { DeepAnalyzer } from './deep-analyzer.js';
 export { ScoringEngine, GRADES, CATEGORIES } from './scoring-engine.js';
 export { SBOMGenerator } from './sbom-generator.js';
 export { PolicyEngine } from './policy-engine.js';
 export { HTMLReporter } from './html-reporter.js';
 
 /**
- * Create a fully configured orchestrator with all 12 agents.
+ * Create a fully configured orchestrator with all 15 scanning agents.
+ * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
  */
 import { Orchestrator as OrchestratorClass } from './orchestrator.js';
 import { InjectionTester as InjectionTesterClass } from './injection-tester.js';
@@ -39,6 +46,10 @@ import { GitHistoryScanner as GitHistoryScannerClass } from './git-history-scann
 import { CICDScanner as CICDScannerClass } from './cicd-scanner.js';
 import { APIFuzzer as APIFuzzerClass } from './api-fuzzer.js';
 import { SupabaseRLSAgent as SupabaseRLSAgentClass } from './supabase-rls-agent.js';
+import { MCPSecurityAgent as MCPSecurityAgentClass } from './mcp-security-agent.js';
+import { AgenticSecurityAgent as AgenticSecurityAgentClass } from './agentic-security-agent.js';
+import { RAGSecurityAgent as RAGSecurityAgentClass } from './rag-security-agent.js';
+import { PIIComplianceAgent as PIIComplianceAgentClass } from './pii-compliance-agent.js';
 
 export function buildOrchestrator() {
   const orchestrator = new OrchestratorClass();
@@ -54,6 +65,10 @@ export function buildOrchestrator() {
     new CICDScannerClass(),
     new APIFuzzerClass(),
     new SupabaseRLSAgentClass(),
+    new MCPSecurityAgentClass(),
+    new AgenticSecurityAgentClass(),
+    new RAGSecurityAgentClass(),
+    new PIIComplianceAgentClass(),
   ]);
   return orchestrator;
 }