ship-safe 4.3.0 → 5.0.1

package/cli/agents/pii-compliance-agent.js

@@ -0,0 +1,301 @@
+/**
+ * PII Compliance Agent
+ * ======================
+ *
+ * Detects privacy violations and PII (Personally Identifiable
+ * Information) exposure in source code.
+ *
+ * Checks:
+ *   - PII logged to console/files/external services
+ *   - PII in URLs and query parameters
+ *   - PII in error responses sent to clients
+ *   - PII sent to third-party analytics/tracking
+ *   - Hardcoded PII patterns (SSN, credit cards) in source
+ *   - Unencrypted PII storage patterns
+ *   - Missing data deletion endpoints (GDPR right to erasure)
+ *
+ * Maps to: GDPR Articles 5, 25, 32; CCPA; OWASP A01
+ */
+
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// PII COMPLIANCE PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── PII in Logging ───────────────────────────────────────────────────────
+  {
+    rule: 'PII_IN_CONSOLE_LOG',
+    title: 'Privacy: PII Logged to Console',
+    regex: /console\.(?:log|info|warn|error|debug)\s*\([\s\S]{0,100}(?:email|password|ssn|social.?security|credit.?card|phone.?number|date.?of.?birth|dob|passport|national.?id|driver.?license)/gi,
+    severity: 'high',
+    cwe: 'CWE-532',
+    owasp: 'A09:2021',
+    description: 'PII fields logged to console. Log output may be stored in log aggregation services, exposing sensitive user data.',
+    fix: 'Remove PII from log statements. Use structured logging with PII redaction: logger.info({ userId: user.id }) instead of logging full user objects.',
+  },
+  {
+    rule: 'PII_IN_LOGGER',
+    title: 'Privacy: PII in Structured Logger',
+    regex: /(?:logger|log|winston|pino|bunyan|morgan)\.(?:info|warn|error|debug|log)\s*\([\s\S]{0,200}(?:email|password|ssn|creditCard|credit_card|phoneNumber|phone_number|dateOfBirth|date_of_birth)/g,
+    severity: 'high',
+    cwe: 'CWE-532',
+    owasp: 'A09:2021',
+    description: 'PII fields passed to structured logger. These values persist in log storage and may violate data retention policies.',
+    fix: 'Mask or redact PII before logging: email → "u***@example.com", phone → "***-***-1234".',
+  },
+  {
+    rule: 'PII_FULL_OBJECT_LOG',
+    title: 'Privacy: Full User Object Logged',
+    regex: /console\.(?:log|info|warn|error)\s*\(\s*(?:user|customer|patient|member|account|profile|person)\s*\)/gi,
+    severity: 'medium',
+    cwe: 'CWE-532',
+    owasp: 'A09:2021',
+    confidence: 'medium',
+    description: 'Full user/customer object passed to console.log. Likely contains PII fields (email, name, phone, address).',
+    fix: 'Log only necessary identifiers: console.log({ userId: user.id, action: "login" }).',
+  },
+
+  // ── PII in Error Responses ───────────────────────────────────────────────
+  {
+    rule: 'PII_IN_ERROR_RESPONSE',
+    title: 'Privacy: PII in Error Response to Client',
+    regex: /(?:res\.(?:json|send|status)|response\.(?:json|send)|jsonify)\s*\(\s*(?:\{[\s\S]{0,200}(?:email|password|ssn|creditCard|phone|user|customer|patient)[\s\S]{0,100}\}|err|error)/g,
+    severity: 'high',
+    cwe: 'CWE-209',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'PII or user data included in error responses sent to clients. Exposes sensitive information to end users or attackers.',
+    fix: 'Return generic error messages to clients. Log detailed errors server-side only.',
+  },
+  {
+    rule: 'PII_STACK_TRACE_RESPONSE',
+    title: 'Privacy: Stack Trace With PII in Response',
+    regex: /(?:res\.(?:json|send)|response\.(?:json|send))\s*\(\s*\{[\s\S]{0,100}(?:stack|stackTrace|stack_trace)/g,
+    severity: 'high',
+    cwe: 'CWE-209',
+    owasp: 'A01:2021',
+    description: 'Stack traces sent in API responses may contain PII from variable values in the call chain.',
+    fix: 'Never send stack traces to clients in production. Use error IDs for correlation.',
+  },
+
+  // ── PII in URLs ──────────────────────────────────────────────────────────
+  {
+    rule: 'PII_IN_URL_PARAMS',
+    title: 'Privacy: PII in URL Query Parameters',
+    regex: /(?:url|href|link|redirect|location)\s*[:=][\s\S]{0,100}(?:\?|&)(?:email|phone|ssn|name|address|dob|password)=/gi,
+    severity: 'high',
+    cwe: 'CWE-598',
+    owasp: 'A01:2021',
+    description: 'PII passed in URL query parameters. URLs are logged in server access logs, browser history, and CDN logs.',
+    fix: 'Send PII in request body (POST) instead of URL parameters (GET). Use encrypted tokens for cross-page references.',
+  },
+  {
+    rule: 'PII_IN_GET_REQUEST',
+    title: 'Privacy: PII Sent via GET Request',
+    regex: /(?:fetch|axios\.get|http\.get|requests\.get|got\.get)\s*\(\s*(?:`[^`]*\$\{[^}]*(?:email|phone|ssn|password|name|address)[^}]*\}`|.*\+\s*(?:email|phone|ssn|password))/g,
+    severity: 'high',
+    cwe: 'CWE-598',
+    owasp: 'A01:2021',
+    description: 'PII interpolated into GET request URLs. GET parameters are visible in logs, referrer headers, and browser history.',
+    fix: 'Use POST requests for sending PII. Never include sensitive data in URL parameters.',
+  },
+
+  // ── PII to Third Parties ─────────────────────────────────────────────────
+  {
+    rule: 'PII_TO_ANALYTICS',
+    title: 'Privacy: PII Sent to Analytics Service',
+    regex: /(?:analytics|segment|mixpanel|amplitude|posthog|gtag|dataLayer|fbq|intercom|hotjar)[\s\S]{0,50}(?:\.track|\.identify|\.page|\.push|\.event)\s*\([\s\S]{0,200}(?:email|phone|name|address|ssn|dob|userId|user_id)/gi,
+    severity: 'high',
+    cwe: 'CWE-359',
+    owasp: 'A01:2021',
+    description: 'PII sent to third-party analytics service without visible consent check. May violate GDPR Article 6 (lawful basis) and CCPA.',
+    fix: 'Hash or anonymize PII before sending to analytics. Implement consent management (check opt-in before tracking).',
+  },
+  {
+    rule: 'PII_TO_ERROR_TRACKING',
+    title: 'Privacy: PII Sent to Error Tracking Service',
+    regex: /(?:Sentry|Bugsnag|Rollbar|TrackJS|LogRocket|DataDog|NewRelic)[\s\S]{0,100}(?:setUser|setContext|setExtra|captureException|notify|addBreadcrumb)[\s\S]{0,200}(?:email|phone|name|address|ssn|password)/gi,
+    severity: 'high',
+    cwe: 'CWE-359',
+    owasp: 'A01:2021',
+    description: 'PII attached to error tracking events. Error tracking services store data externally, potentially in different jurisdictions.',
+    fix: 'Configure PII scrubbing in your error tracking service. Only send user IDs, not PII fields.',
+  },
+
+  // ── Hardcoded PII Patterns ───────────────────────────────────────────────
+  {
+    rule: 'PII_SSN_IN_CODE',
+    title: 'Privacy: Social Security Number in Source Code',
+    regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+    severity: 'critical',
+    cwe: 'CWE-312',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Pattern matching a US Social Security Number found in source code. May be test data or a real SSN.',
+    fix: 'Remove SSNs from source code. Use environment variables or a secrets manager for test data.',
+  },
+  {
+    rule: 'PII_CREDIT_CARD_IN_CODE',
+    title: 'Privacy: Credit Card Number in Source Code',
+    regex: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g,
+    severity: 'critical',
+    cwe: 'CWE-312',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Pattern matching a credit card number found in source code. Violates PCI DSS requirements.',
+    fix: 'Remove credit card numbers from source code immediately. Never store raw card numbers — use tokenization.',
+  },
+  {
+    rule: 'PII_EMAIL_HARDCODED',
+    title: 'Privacy: Real Email Address Hardcoded',
+    regex: /['"][a-zA-Z0-9._%+-]+@(?!example\.com|test\.com|placeholder|fake|dummy)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}['"]/g,
+    severity: 'medium',
+    cwe: 'CWE-312',
+    owasp: 'A02:2021',
+    confidence: 'low',
+    description: 'Real email address hardcoded in source code (not @example.com). May be PII or a credential.',
+    fix: 'Use @example.com for test emails. Store real emails in environment variables or config.',
+  },
+
+  // ── Unencrypted PII Storage ──────────────────────────────────────────────
+  {
+    rule: 'PII_PLAINTEXT_PASSWORD_STORE',
+    title: 'Privacy: Password Stored in Plaintext',
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*(?:req\.|request\.|body\.|input\.|data\.)(?:password|passwd)/gi,
+    severity: 'critical',
+    cwe: 'CWE-256',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Password appears to be stored directly from user input without hashing. Passwords must be hashed before storage.',
+    fix: 'Hash passwords with bcrypt, scrypt, or argon2 before storing: await bcrypt.hash(password, 12)',
+  },
+  {
+    rule: 'PII_NO_ENCRYPTION_AT_REST',
+    title: 'Privacy: PII Column Without Encryption',
+    regex: /(?:CREATE\s+TABLE|addColumn|column|field|attribute)[\s\S]{0,200}(?:ssn|social_security|credit_card|card_number|bank_account|passport|national_id|driver_license)[\s\S]{0,100}(?:VARCHAR|TEXT|STRING|varchar|text|string)(?![\s\S]{0,100}encrypt)/gi,
+    severity: 'high',
+    cwe: 'CWE-311',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Database column storing sensitive PII (SSN, credit card, passport) without encryption-at-rest annotation.',
+    fix: 'Encrypt sensitive PII columns at the application level or use database-level encryption.',
+  },
+
+  // ── IP Address & Geolocation Logging ─────────────────────────────────────
+  {
+    rule: 'PII_IP_LOGGING',
+    title: 'Privacy: IP Address Logged Without Anonymization',
+    regex: /(?:console\.log|logger\.\w+|log\.\w+)\s*\([\s\S]{0,100}(?:(?<![a-z])ip(?![a-z])|ipAddress|ip_address|remoteAddress|x-forwarded-for|client.?ip)/gi,
+    severity: 'medium',
+    cwe: 'CWE-532',
+    owasp: 'A09:2021',
+    confidence: 'medium',
+    description: 'IP addresses logged without anonymization. Under GDPR, IP addresses are personal data.',
+    fix: 'Anonymize IP addresses in logs: mask the last octet (192.168.1.xxx) or hash before logging.',
+  },
+  {
+    rule: 'PII_GEOLOCATION_STORAGE',
+    title: 'Privacy: Precise Geolocation Stored',
+    regex: /(?:latitude|longitude|lat|lng|geolocation|geoip|geo_location)[\s\S]{0,100}(?:save|store|insert|create|update|write|database|db|mongo|prisma|sequelize)/gi,
+    severity: 'medium',
+    cwe: 'CWE-359',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Precise geolocation data stored in database. May require explicit consent under GDPR/CCPA.',
+    fix: 'Reduce precision of stored geolocation (city-level, not street-level). Require explicit consent for precise location.',
+  },
+
+  // ── Cookie & Tracking Without Consent ────────────────────────────────────
+  {
+    rule: 'PII_TRACKING_NO_CONSENT',
+    title: 'Privacy: Tracking Script Without Consent Check',
+    regex: /(?:gtag|GoogleAnalytics|ga\s*\(|fbq\s*\(|_paq\.push|hotjar|hj\s*\(|intercom|drift|crisp)[\s\S]{0,100}(?:init|config|identify|track|page)(?![\s\S]{0,300}(?:consent|gdpr|cookie.?banner|opt.?in|permission|accept))/g,
+    severity: 'medium',
+    cwe: 'CWE-359',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Analytics or tracking script initialized without visible consent check. May violate GDPR ePrivacy Directive.',
+    fix: 'Load tracking scripts only after user consents. Use a consent management platform (CMP).',
+  },
+];
+
+// =============================================================================
+// PII COMPLIANCE AGENT
+// =============================================================================
+
+export class PIIComplianceAgent extends BaseAgent {
+  constructor() {
+    super(
+      'PIIComplianceAgent',
+      'Detect PII exposure, privacy violations, and GDPR/CCPA compliance gaps',
+      'config'
+    );
+  }
+
+  async analyze(context) {
+    const { files } = context;
+
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.php', '.go', '.java', '.sql'].includes(ext);
+    });
+
+    let findings = [];
+
+    // ── 1. Scan code files with PII patterns ─────────────────────────────
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+
+    // ── 2. Check for missing data deletion endpoint (GDPR right to erasure)
+    findings = findings.concat(this._checkDataDeletion(context));
+
+    return findings;
+  }
+
+  /**
+   * Check if the project has user data deletion capability (GDPR Article 17).
+   */
+  _checkDataDeletion(context) {
+    const { files } = context;
+    const findings = [];
+
+    // Check if there are user models/routes
+    const hasUserModel = files.some(f =>
+      /(?:user|account|customer|member|profile)(?:\.model|\.schema|\.entity|Model|Schema)/i.test(f)
+    );
+
+    if (!hasUserModel) return findings;
+
+    // Check if there's a delete user endpoint or function
+    const hasDeleteEndpoint = files.some(f => {
+      const content = this.readFile(f);
+      if (!content) return false;
+      return /(?:delete.*user|remove.*account|erase.*data|destroy.*profile|gdpr.*delete|data.*deletion|right.*erasure|forget.*me)/i.test(content);
+    });
+
+    if (!hasDeleteEndpoint) {
+      findings.push(createFinding({
+        file: 'project',
+        line: 0,
+        severity: 'medium',
+        category: this.category,
+        rule: 'PII_NO_DATA_DELETION',
+        title: 'Privacy: No User Data Deletion Capability',
+        description: 'Project has user models but no visible data deletion endpoint or function. GDPR Article 17 requires the ability to erase personal data on request.',
+        matched: 'No delete/erase/destroy user endpoint found',
+        confidence: 'low',
+        cwe: 'CWE-359',
+        owasp: 'A01:2021',
+        fix: 'Implement a user data deletion endpoint (DELETE /api/users/:id or similar) that removes all PII from your systems.',
+      }));
+    }
+
+    return findings;
+  }
+}
+
+export default PIIComplianceAgent;

package/cli/agents/rag-security-agent.js

@@ -0,0 +1,204 @@
+/**
+ * RAG Security Agent
+ * ====================
+ *
+ * Detects security vulnerabilities in Retrieval-Augmented Generation
+ * (RAG) implementations. RAG poisoning attacks are a proven threat
+ * vector — attackers corrupt knowledge bases to manipulate LLM outputs.
+ *
+ * Checks: unvalidated document ingestion, missing chunk isolation,
+ * embedding exposure, metadata leakage, no retrieval filtering,
+ * excessive context stuffing.
+ *
+ * Maps to: OWASP LLM08 (Vector & Embedding Weaknesses),
+ *          OWASP Agentic AI ASI04 (Memory Poisoning)
+ */
+
+import path from 'path';
+import { BaseAgent } from './base-agent.js';
+
+// =============================================================================
+// RAG SECURITY PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── Document Ingestion ───────────────────────────────────────────────────
+  {
+    rule: 'RAG_UNSANITIZED_INGESTION',
+    title: 'RAG: Documents Ingested Without Sanitization',
+    regex: /(?:addDocuments|add_documents|upsert|insert|index\.add|from_documents)\s*\(\s*(?:documents|docs|chunks|texts|pages|uploads|files|userDocs|userFiles)/g,
+    severity: 'high',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    description: 'Documents added to vector store without sanitization. Attackers can embed malicious instructions in documents that get retrieved and injected into LLM context.',
+    fix: 'Sanitize document content before ingestion: strip HTML/script tags, detect prompt injection patterns, validate content type.',
+  },
+  {
+    rule: 'RAG_USER_UPLOAD_TO_VECTORDB',
+    title: 'RAG: User Upload Directly to Vector Store',
+    regex: /(?:upload|multer|formidable|busboy|req\.file|req\.files)[\s\S]{0,500}(?:addDocuments|add_documents|upsert|vectorStore|index\.add|embed|from_documents)/g,
+    severity: 'critical',
+    cwe: 'CWE-434',
+    owasp: 'A03:2021',
+    description: 'User file uploads are fed directly into a vector database without review. This enables RAG poisoning — attackers upload documents containing hidden instructions.',
+    fix: 'Add a review/approval pipeline between user uploads and vector store ingestion. Scan uploads for prompt injection patterns.',
+  },
+  {
+    rule: 'RAG_NO_CONTENT_FILTER',
+    title: 'RAG: No Content Filtering on Ingestion',
+    regex: /(?:TextLoader|PDFLoader|CSVLoader|DirectoryLoader|WebBaseLoader|UnstructuredLoader|load_and_split|loadDocuments)\s*\((?![\s\S]{0,300}(?:filter|sanitize|clean|validate|strip|remove|moderate))/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    confidence: 'medium',
+    description: 'Document loaders used without content filtering. Loaded content goes directly to embedding/vector store.',
+    fix: 'Add content filtering after loading documents: remove scripts, detect injection patterns, validate format.',
+  },
+
+  // ── Chunk Isolation ──────────────────────────────────────────────────────
+  {
+    rule: 'RAG_NO_TENANT_ISOLATION',
+    title: 'RAG: Vector Store Without Tenant Isolation',
+    regex: /(?:vectorStore|pinecone|chroma|weaviate|qdrant|milvus|pgvector)[\s\S]{0,300}(?:add|upsert|insert|index)(?![\s\S]{0,200}(?:namespace|tenant|partition|collection|filter|user_id|org_id|metadata.*(?:user|tenant|org)))/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Documents stored in vector database without tenant/user isolation. Users can retrieve other users\' private documents.',
+    fix: 'Use namespaces, collections, or metadata filters to isolate documents by tenant/user.',
+  },
+  {
+    rule: 'RAG_SYSTEM_DOCS_WITH_USER_DOCS',
+    title: 'RAG: System Documents Mixed With User Documents',
+    regex: /(?:addDocuments|add_documents|upsert)[\s\S]{0,200}(?:system|internal|private|admin)[\s\S]{0,200}(?:user|public|external|upload)/g,
+    severity: 'medium',
+    cwe: 'CWE-668',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'System/internal documents mixed with user documents in the same collection. User queries could retrieve sensitive internal docs.',
+    fix: 'Separate system documents from user documents in different collections or namespaces.',
+  },
+
+  // ── Retrieval & Query Safety ─────────────────────────────────────────────
+  {
+    rule: 'RAG_NO_RETRIEVAL_FILTER',
+    title: 'RAG: Retrieved Chunks Used Without Filtering',
+    regex: /(?:similarity_search|similaritySearch|query|retrieve|get_relevant|asRetriever)[\s\S]{0,300}(?:page_content|pageContent|text|content|document)[\s\S]{0,200}(?:prompt|messages|content|system|user)/g,
+    severity: 'high',
+    cwe: 'CWE-74',
+    owasp: 'A03:2021',
+    confidence: 'medium',
+    description: 'Retrieved document chunks injected into LLM prompt without filtering. Poisoned documents can override system instructions.',
+    fix: 'Filter retrieved chunks: remove instruction-like content, apply relevance score thresholds, limit number of chunks.',
+  },
+  {
+    rule: 'RAG_NO_RELEVANCE_THRESHOLD',
+    title: 'RAG: No Relevance Score Threshold on Retrieval',
+    regex: /(?:similarity_search|similaritySearch|asRetriever)\s*\(\s*(?:query|question|input)(?![\s\S]{0,200}(?:score_threshold|scoreThreshold|threshold|minScore|min_score|filter))/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    confidence: 'low',
+    description: 'Vector similarity search without relevance threshold. Low-relevance chunks may contain poisoned content designed to be retrieved for many queries.',
+    fix: 'Set a minimum relevance score threshold to filter out low-quality matches.',
+  },
+  {
+    rule: 'RAG_EXCESSIVE_CONTEXT',
+    title: 'RAG: Excessive Retrieved Context',
+    regex: /(?:k\s*[:=]\s*(?:[5-9]\d|\d{3,})|top_k\s*[:=]\s*(?:[5-9]\d|\d{3,})|search_kwargs.*k.*(?:[5-9]\d|\d{3,}))/g,
+    severity: 'medium',
+    cwe: 'CWE-400',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Retrieving a very large number of chunks (50+). Increases the attack surface for prompt injection via poisoned documents.',
+    fix: 'Limit retrieved chunks to the minimum needed (typically 3-10). More chunks = more injection surface.',
+  },
+
+  // ── Embedding & Data Exposure ────────────────────────────────────────────
+  {
+    rule: 'RAG_EMBEDDING_API_EXPOSED',
+    title: 'RAG: Embedding Endpoint Exposed Without Auth',
+    regex: /(?:app\.|router\.|api\.)(?:get|post)\s*\(\s*['"].*(?:embed|embedding|vectorize|encode)['"](?![\s\S]{0,300}(?:auth|middleware|protect|guard|jwt|bearer|session))/g,
+    severity: 'high',
+    cwe: 'CWE-306',
+    owasp: 'A07:2021',
+    confidence: 'medium',
+    description: 'Embedding API endpoint exposed without authentication. Attackers can enumerate embeddings or generate vectors for injection attacks.',
+    fix: 'Add authentication middleware to embedding endpoints.',
+  },
+  {
+    rule: 'RAG_METADATA_IN_RESPONSE',
+    title: 'RAG: Internal Metadata Exposed in Response',
+    regex: /(?:metadata|source|file_path|filePath|url|author|timestamp)[\s\S]{0,100}(?:res\.json|res\.send|response\.json|return\s*\{|jsonify)/g,
+    severity: 'medium',
+    cwe: 'CWE-200',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Internal document metadata (file paths, sources, authors) returned in API responses. Leaks information about the knowledge base structure.',
+    fix: 'Strip internal metadata before returning responses. Only expose necessary fields to the client.',
+  },
+  {
+    rule: 'RAG_EMBEDDING_IN_RESPONSE',
+    title: 'RAG: Raw Embeddings Returned to Client',
+    regex: /(?:embedding|vector|dense_vector)[\s\S]{0,100}(?:res\.json|res\.send|response|return|output)/g,
+    severity: 'medium',
+    cwe: 'CWE-200',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Raw embedding vectors returned in API responses. Research shows embeddings can be inverted to recover original text, leaking private data.',
+    fix: 'Never return raw embedding vectors in API responses. Embeddings should remain server-side only.',
+  },
+
+  // ── Model & Pipeline Safety ──────────────────────────────────────────────
+  {
+    rule: 'RAG_PICKLE_EMBEDDING_MODEL',
+    title: 'RAG: Embedding Model Loaded via Pickle',
+    regex: /(?:torch\.load|pickle\.load|joblib\.load)\s*\(\s*(?!.*safetensors)(?!.*weights_only\s*=\s*True)/g,
+    severity: 'critical',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+    description: 'ML model loaded from pickle format. Pickle files can contain arbitrary code that executes on load.',
+    fix: 'Use safetensors format for model loading. If using torch.load(), set weights_only=True.',
+  },
+  {
+    rule: 'RAG_TRUST_REMOTE_CODE',
+    title: 'RAG: Model Loaded With trust_remote_code=True',
+    regex: /trust_remote_code\s*=\s*True/g,
+    severity: 'high',
+    cwe: 'CWE-94',
+    owasp: 'A08:2021',
+    description: 'Embedding or LLM model loaded with trust_remote_code=True. Allows execution of arbitrary code from the model repository.',
+    fix: 'Set trust_remote_code=False. Audit model code before enabling remote code execution.',
+  },
+];
+
+// =============================================================================
+// RAG SECURITY AGENT
+// =============================================================================
+
+export class RAGSecurityAgent extends BaseAgent {
+  constructor() {
+    super(
+      'RAGSecurityAgent',
+      'Detect RAG security vulnerabilities — poisoning, embedding exposure, tenant isolation gaps',
+      'llm'
+    );
+  }
+
+  async analyze(context) {
+    const { files } = context;
+
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java'].includes(ext);
+    });
+
+    let findings = [];
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+    return findings;
+  }
+}
+
+export default RAGSecurityAgent;

package/cli/agents/sbom-generator.js

@@ -108,7 +108,11 @@ export class SBOMGenerator {
       } catch { /* skip */ }
     }
 
-    // ── Build CycloneDX BOM ───────────────────────────────────────────────────
+    // ── Detect licenses from lock files ─────────────────────────────────────
+    const licenses = this._detectLicenses(rootPath);
+
+    // ── Build CycloneDX BOM (CRA-enhanced) ──────────────────────────────────
+    const projectMeta = this.getProjectMetadata(rootPath);
     const bom = {
       bomFormat: 'CycloneDX',
       specVersion: '1.5',
@@ -119,23 +123,57 @@ export class SBOMGenerator {
         tools: [{
           vendor: 'ship-safe',
           name: 'ship-safe',
-          version: '4.0.0',
+          version: '5.0.0',
         }],
-        component: this.getProjectMetadata(rootPath),
+        component: projectMeta,
+        // EU CRA: supplier identification
+        supplier: this._getSupplier(rootPath),
+        // EU CRA: lifecycle phase
+        lifecycles: [{ phase: 'build' }],
       },
-      components: components.map((c, i) => ({
-        'bom-ref': `component-${i}`,
-        type: c.type,
-        name: c.name,
-        version: c.version,
-        purl: c.purl,
-        scope: c.scope,
-      })),
+      components: components.map((c, i) => {
+        const comp = {
+          'bom-ref': `component-${i}`,
+          type: c.type,
+          name: c.name,
+          version: c.version,
+          purl: c.purl,
+          scope: c.scope,
+        };
+        // EU CRA: attach license if known
+        const lic = licenses[c.name];
+        if (lic) {
+          comp.licenses = [{ license: { id: lic } }];
+        }
+        return comp;
+      }),
+      // EU CRA: vulnerability disclosure info
+      vulnerabilities: [],
     };
 
     return bom;
   }
 
+  /**
+   * Attach known vulnerabilities to the SBOM (CRA requirement).
+   */
+  attachVulnerabilities(bom, depVulns = []) {
+    bom.vulnerabilities = depVulns.map((v, i) => ({
+      'bom-ref': `vuln-${i}`,
+      id: v.id || v.package || `VULN-${i}`,
+      source: { name: 'ship-safe' },
+      ratings: [{
+        severity: v.severity || 'unknown',
+        method: 'other',
+      }],
+      description: v.description || '',
+      affects: [{
+        ref: v.package || 'unknown',
+      }],
+    }));
+    return bom;
+  }
+
   /**
    * Generate SBOM and write to file.
    */
@@ -165,6 +203,57 @@ export class SBOMGenerator {
     };
   }
 
+  /**
+   * EU CRA: Extract supplier info from package.json.
+   */
+  _getSupplier(rootPath) {
+    const pkgPath = path.join(rootPath, 'package.json');
+    try {
+      if (fs.existsSync(pkgPath)) {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const author = typeof pkg.author === 'string' ? pkg.author
+          : pkg.author?.name || pkg.author?.email || null;
+        if (author) {
+          return { name: author, url: [pkg.homepage || pkg.repository?.url || ''].filter(Boolean) };
+        }
+      }
+    } catch { /* skip */ }
+    return { name: 'Unknown' };
+  }
+
+  /**
+   * Detect licenses from node_modules (best-effort).
+   * Returns { packageName: 'MIT' | 'ISC' | ... }
+   */
+  _detectLicenses(rootPath) {
+    const licenses = {};
+    const nodeModules = path.join(rootPath, 'node_modules');
+    const pkgPath = path.join(rootPath, 'package.json');
+
+    if (!fs.existsSync(pkgPath)) return licenses;
+
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+      for (const name of Object.keys(allDeps)) {
+        const depPkgPath = path.join(nodeModules, name, 'package.json');
+        try {
+          if (fs.existsSync(depPkgPath)) {
+            const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf-8'));
+            if (depPkg.license) {
+              licenses[name] = typeof depPkg.license === 'string'
+                ? depPkg.license
+                : depPkg.license.type || 'UNKNOWN';
+            }
+          }
+        } catch { /* skip */ }
+      }
+    } catch { /* skip */ }
+
+    return licenses;
+  }
+
   uuid() {
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, c => {
       const r = Math.random() * 16 | 0;

package/cli/agents/scoring-engine.js

@@ -35,6 +35,10 @@ const FALLBACK_CATEGORY_MAP = {
   'history': 'secrets',
   'cicd': 'config',
   'mobile': 'injection',
+  'privacy': 'config',
+  'mcp': 'llm',
+  'agentic': 'llm',
+  'rag': 'llm',
   'recon': null, // skip recon findings
 };
 

package/cli/agents/supabase-rls-agent.js

@@ -66,6 +66,12 @@ export class SupabaseRLSAgent extends BaseAgent {
     super('SupabaseRLSAgent', 'Supabase Row Level Security audit', 'auth');
   }
 
+  shouldRun(recon) {
+    return recon?.databases?.includes('supabase') ||
+           recon?.authPatterns?.includes('supabase-auth') ||
+           false;
+  }
+
   async analyze(context) {
     const { rootPath, files } = context;
     let findings = [];