ship-safe 6.3.0 → 7.0.0

package/README.md

@@ -18,9 +18,9 @@
 
 18 security agents. 80+ attack classes. One command.
 
-**Ship Safe v6.2.0** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
+**Ship Safe v6.4.0** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
 
-**v6.2.0 highlights:** Real-time Claude Code hooks (`npx ship-safe hooks install`) block secrets before they land on disk. Universal LLM support — use Groq, Together AI, Mistral, DeepSeek, xAI, Perplexity, LM Studio, or any OpenAI-compatible endpoint for deep analysis. Supply chain IOC matching for known-compromised packages and CanisterWorm-style ICP blockchain C2 indicators.
+**v6.4.0 highlights:** MCP server scanning (`npx ship-safe scan-mcp`) vets tool manifests for prompt injection and credential harvesting before you connect. Detection support for openclaude and claw-code — the two most-starred Claude Code forks from the March 2026 source leak — with accurate config scanning based on their actual architectures. Four new CI/CD patterns flag AI agent danger modes in pipelines. Legal dataset corrected: claw-code reclassified as a clean-room rewrite, not a leaked-source derivative.
 
 [Documentation](https://shipsafecli.com/docs) | [Blog](https://shipsafecli.com/blog) | [Pricing](https://shipsafecli.com/pricing)
 
@@ -74,8 +74,6 @@ npx ship-safe hooks status
 npx ship-safe hooks remove
 ```
 
-![ship-safe terminal demo](.github/assets/ship%20safe%20terminal.jpg)
-
 ---
 
 ## The `audit` Command
@@ -169,10 +167,10 @@ npx ship-safe audit .
 | **PIIComplianceAgent** | Compliance | PII detection — SSNs, credit cards, emails, phone numbers in source code, logs, and configs |
 | **VibeCodingAgent** | Code Vulns | AI-generated code patterns — no input validation, empty catch blocks, hardcoded secrets, disabled security features, TODO-auth patterns |
 | **ExceptionHandlerAgent** | Code Vulns | OWASP A10:2025 — empty catch blocks, unhandled promise rejections, missing React error boundaries, leaked stack traces, generic catch-all without rethrow |
-| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, encoded/obfuscated payloads, data exfiltration instructions, agent memory poisoning |
+| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, openclaude profile file (`OPENAI_BASE_URL` over http://), claw-code config (`danger-full-access`, disabled sandbox, shell hooks, insecure MCP transports), encoded/obfuscated payloads, data exfiltration instructions, agent memory poisoning |
 | **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
 | **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
-| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
+| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection, AI agent danger flags (`--dangerously-skip-permissions`, insecure provider URLs in CI) |
 | **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
 | **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
 
@@ -299,13 +297,13 @@ npx ship-safe audit . --verify
 npx ship-safe doctor
 ```
 
-### OpenClaw Security
+### Agent Security
 
 ```bash
 # Focused OpenClaw security scan
 npx ship-safe openclaw .
 
-# Auto-harden OpenClaw configs (0.0.0.0→127.0.0.1, add auth, ws→wss)
+# Auto-harden OpenClaw configs (0.0.0.0->127.0.0.1, add auth, ws->wss)
 npx ship-safe openclaw . --fix
 
 # Red team: simulate ClawJacked, prompt injection, data exfil attacks
@@ -319,6 +317,14 @@ npx ship-safe scan-skill https://clawhub.io/skills/some-skill
 npx ship-safe scan-skill ./local-skill.json
 npx ship-safe scan-skill --all              # Scan all skills from openclaw.json
 
+# Scan an MCP server's tool manifest before connecting
+npx ship-safe scan-mcp https://your-mcp-server/
+npx ship-safe scan-mcp ./local-manifest.json
+npx ship-safe scan-mcp https://your-mcp-server/ --json
+
+# Legal risk audit — DMCA, leaked-source derivatives (openclaude, claw-code-js), IP disputes
+npx ship-safe legal .
+
 # Generate hardened OpenClaw config
 npx ship-safe init --openclaw
 
@@ -326,6 +332,20 @@ npx ship-safe init --openclaw
 npx ship-safe abom .
 ```
 
+#### openclaude and claw-code
+
+Ship Safe detects security issues in both major Claude Code forks from the March 2026 source leak.
+
+**openclaude** (`@gitlawb/openclaude`) is a CLI tool that routes Claude Code's toolset through any OpenAI-compatible provider. Its only persistent file artifact is `.openclaude-profile.json`. Ship Safe flags:
+- `OPENAI_BASE_URL` using `http://` for non-localhost endpoints (unencrypted LLM traffic)
+- The profile file present in a project not covered by `.gitignore` (API key exposure risk)
+
+**claw-code** (`ultraworkers/claw-code`) is a clean-room Rust + Python rewrite of Claude Code's agent harness. Its config lives in `.claw.json`, `.claw/settings.json`, and `.claw/settings.local.json`. Ship Safe flags:
+- `permissionMode: danger-full-access` or `dangerouslySkipPermissions: true` (no confirmation on any tool call)
+- `sandbox.enabled: false` (filesystem isolation removed)
+- Hook commands containing shell execution or remote download patterns
+- MCP server connections over `ws://` or `http://` to non-localhost hosts
+
 ### Threat Intelligence
 
 ```bash

package/cli/agents/agent-config-scanner.js

@@ -37,11 +37,24 @@ const AGENT_RULES_FILES = [
   '.github/copilot-instructions.md',
   '.aider.conf.yml',
   '.continue/config.json',
+  // Gemini CLI
+  '.gemini/settings.json',
+  '.gemini/rules.md',
+  // Cody (Sourcegraph)
+  '.cody/config.json',
+  '.cody/context.json',
+  // Augment Code
+  '.augment/config.json',
 ];
 
 const AGENT_RULES_GLOBS = [
   '.cursor/rules/*.mdc',
   '.claude/commands/*.md',
+  // Gemini CLI commands
+  '.gemini/commands/*.md',
+  // Cody custom commands
+  '.cody/commands/*.md',
+  '.cody/rules/*.md',
 ];
 
 const OPENCLAW_FILES = [
@@ -54,10 +67,38 @@ const OPENCLAW_GLOBS = [
   '.openclaw/**/*.json',
 ];
 
+// openclaude (github.com/Gitlawb/openclaude) — Claude Code fork with
+// OpenAI-compatible provider shim. Config is purely via environment variables
+// (CLAUDE_CODE_USE_OPENAI, OPENAI_BASE_URL, OPENAI_MODEL, OPENAI_API_KEY).
+// The only persistent file artifact is .openclaude-profile.json, which stores
+// named profiles as { name, env: { OPENAI_BASE_URL, OPENAI_API_KEY, ... } }.
+const OPENCLAUDE_PROFILE_FILES = [
+  '.openclaude-profile.json',
+];
+
+// claw-code (github.com/instructkr/claw-code, now ultraworkers/claw-code) —
+// Rust + Python clean-room rewrite of Claude Code's agent harness.
+// CLI tool (`claw` binary). NOT a server — no port binding outside tests.
+// Config files: .claw.json (project root), .claw/settings.json,
+//   .claw/settings.local.json, ~/.claw.json, ~/.claw/settings.json
+// Auth: ANTHROPIC_API_KEY, OPENAI_API_KEY, or XAI_API_KEY env vars.
+// Permission modes: read-only, workspace-write, danger-full-access, prompt, allow.
+// --dangerously-skip-permissions flag disables all permission checks.
+// Sandbox: SandboxConfig with FilesystemIsolationMode (workspace-only default).
+// Hooks: preToolUse / postToolUse arrays in settings JSON.
+// MCP: mcpServers in settings JSON (stdio, sse, http, ws transports).
+const CLAW_CODE_FILES = [
+  '.claw.json',
+  '.claw/settings.json',
+  '.claw/settings.local.json',
+];
+
 const MEMORY_GLOBS = [
   '.claude/memory/**',
   '.cursor/memory/**',
   '.continue/memory/**',
+  '.gemini/memory/**',
+  '.cody/memory/**',
 ];
 
 // =============================================================================
@@ -230,6 +271,18 @@ export class AgentConfigScanner extends BaseAgent {
       findings = findings.concat(this._scanOpenClawConfig(file));
     }
 
+    // ── 3b. Scan openclaude profile files ─────────────────────────────────
+    for (const file of discovered.openclaudeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+      findings = findings.concat(this._scanOpenClaudeProfile(file));
+    }
+
+    // ── 3c. Scan claw-code config files ────────────────────────────────────
+    for (const file of discovered.clawCodeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+      findings = findings.concat(this._scanClawCodeConfig(file));
+    }
+
     // ── 4. Scan Claude Code hooks ──────────────────────────────────────────
     for (const file of discovered.claudeSettingsFiles) {
       findings = findings.concat(this._scanClaudeHooks(file));
@@ -297,7 +350,21 @@ export class AgentConfigScanner extends BaseAgent {
       memoryFiles.push(...globbed);
     } catch { /* skip */ }
 
-    return { rulesFiles, openclawFiles, claudeSettingsFiles, memoryFiles };
+    // ── openclaude profile files ─────────────────────────────────────────────
+    const openclaudeFiles = [];
+    for (const rel of OPENCLAUDE_PROFILE_FILES) {
+      const full = path.join(rootPath, rel);
+      if (fs.existsSync(full)) openclaudeFiles.push(full);
+    }
+
+    // ── claw-code config files ────────────────────────────────────────────────
+    const clawCodeFiles = [];
+    for (const rel of CLAW_CODE_FILES) {
+      const full = path.join(rootPath, rel);
+      if (fs.existsSync(full)) clawCodeFiles.push(full);
+    }
+
+    return { rulesFiles, openclawFiles, openclaudeFiles, clawCodeFiles, claudeSettingsFiles, memoryFiles };
   }
 
   // ===========================================================================
@@ -415,6 +482,178 @@ export class AgentConfigScanner extends BaseAgent {
     return findings;
   }
 
+  /**
+   * Scan .openclaude-profile.json for security issues.
+   *
+   * openclaude (github.com/Gitlawb/openclaude) is a CLI tool, not a server.
+   * There is no config file, no host/port binding, no auth mechanism.
+   * All configuration is via environment variables:
+   *   CLAUDE_CODE_USE_OPENAI=1, OPENAI_BASE_URL, OPENAI_MODEL, OPENAI_API_KEY
+   *
+   * The only persistent file artifact is .openclaude-profile.json, which stores
+   * named profiles as { name: string, env: { OPENAI_BASE_URL, OPENAI_API_KEY, ... } }.
+   * openclaude ships with this file in its default .gitignore.
+   *
+   * Security risk: if OPENAI_BASE_URL is an http:// (non-TLS) endpoint, all
+   * LLM traffic (prompts, code context, responses) is sent unencrypted.
+   */
+  _scanOpenClaudeProfile(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+    const findings = [];
+
+    let profile;
+    try { profile = JSON.parse(content); } catch { return []; }
+
+    const env = profile.env || {};
+
+    // ── Insecure provider URL (http:// for non-localhost) ─────────────────
+    const baseUrl = env.OPENAI_BASE_URL || '';
+    if (baseUrl && /^http:\/\/(?!localhost|127\.0\.0\.1|::1)/i.test(baseUrl)) {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'high',
+        category: this.category,
+        rule: 'OPENCLAUDE_INSECURE_PROVIDER_URL',
+        title: 'openclaude: LLM Provider URL Without TLS',
+        description:
+          `openclaude routes model calls to ${baseUrl} over plain HTTP. ` +
+          'Prompts, code context, and model responses are sent unencrypted. ' +
+          'A network attacker can read or modify all LLM interactions in transit.',
+        matched: `OPENAI_BASE_URL: "${baseUrl}"`,
+        confidence: 'high',
+        cwe: 'CWE-319',
+        owasp: 'A02:2021',
+        fix: 'Use an https:// provider URL. Never route LLM traffic over plaintext HTTP on untrusted networks.',
+      }));
+    }
+
+    return findings;
+  }
+
+  /**
+   * Scan claw-code config files (.claw.json, .claw/settings.json, .claw/settings.local.json)
+   * for insecure settings.
+   *
+   * claw-code (ultraworkers/claw-code) is a Rust + Python clean-room rewrite of Claude Code.
+   * It is a CLI tool — no server port binding. Config lives in JSON settings files.
+   *
+   * Checked settings:
+   *   - hooks.preToolUse / hooks.postToolUse: shell hook commands (RCE vector)
+   *   - permissions.dangerouslySkipPermissions / permissionMode: "danger-full-access"
+   *   - sandbox.enabled: false (filesystem isolation disabled)
+   *   - mcpServers with insecure ws:// or http:// remote URLs (MiTM risk)
+   *   - mcpServers using env vars that could expose credentials
+   */
+  _scanClawCodeConfig(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+    const findings = [];
+
+    let config;
+    try { config = JSON.parse(content); } catch { return []; }
+
+    // ── Dangerous permission mode ─────────────────────────────────────────
+    const permMode = config.permissionMode ?? config.permissions?.mode ?? '';
+    const skipPerms = config.dangerouslySkipPermissions ??
+      config.permissions?.dangerouslySkipPermissions ?? false;
+
+    if (skipPerms === true || permMode === 'danger-full-access') {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'high',
+        category: this.category,
+        rule: 'CLAW_CODE_SKIP_PERMISSIONS',
+        title: 'claw-code: All Permission Checks Disabled',
+        description:
+          'claw-code is configured with dangerously-skip-permissions or permissionMode: danger-full-access. ' +
+          'Every tool call executes without asking for user confirmation. ' +
+          'A single prompt injection in any file the agent reads can trigger unrestricted shell execution or file writes.',
+        matched: skipPerms ? 'dangerouslySkipPermissions: true' : `permissionMode: "${permMode}"`,
+        confidence: 'high',
+        cwe: 'CWE-269',
+        owasp: 'ASI03',
+        fix: 'Set permissionMode to "workspace-write" or "prompt". Only use danger-full-access in fully isolated environments.',
+      }));
+    }
+
+    // ── Sandbox disabled ──────────────────────────────────────────────────
+    if (config.sandbox?.enabled === false) {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'medium',
+        category: this.category,
+        rule: 'CLAW_CODE_SANDBOX_DISABLED',
+        title: 'claw-code: Filesystem Sandbox Disabled',
+        description:
+          'claw-code sandbox is explicitly disabled. By default claw-code restricts ' +
+          'filesystem access to the workspace directory. With sandbox off, tools can ' +
+          'read and write anywhere on the system.',
+        matched: 'sandbox.enabled: false',
+        confidence: 'high',
+        cwe: 'CWE-732',
+        owasp: 'ASI03',
+        fix: 'Remove sandbox.enabled: false or set filesystem-mode to workspace-only.',
+      }));
+    }
+
+    // ── Hooks with shell commands ──────────────────────────────────────────
+    const hookLists = [
+      ...(config.hooks?.preToolUse || []),
+      ...(config.hooks?.postToolUse || []),
+    ];
+    for (const hook of hookLists) {
+      const cmd = typeof hook === 'string' ? hook : (hook.command || hook.cmd || hook.run || '');
+      if (!cmd) continue;
+      if (/(?:bash\s+-c|sh\s+-c|cmd\s+\/c|powershell\s+-|pwsh\s+-)/i.test(cmd) ||
+          /\|\s*(?:bash|sh|zsh|node|python)/i.test(cmd) ||
+          /(?:curl|wget)\s+https?:\/\/(?!localhost|127\.0\.0\.1)/i.test(cmd)) {
+        findings.push(createFinding({
+          file: filePath, line: 1,
+          severity: 'critical',
+          category: this.category,
+          rule: 'CLAW_CODE_HOOK_SHELL',
+          title: 'claw-code: Dangerous Hook Command',
+          description:
+            'claw-code hook contains a shell execution or remote download command. ' +
+            'A malicious .claw.json in a repository can achieve RCE when anyone ' +
+            'opens the project with claw.',
+          matched: cmd.substring(0, 150),
+          confidence: 'high',
+          cwe: 'CWE-94',
+          owasp: 'ASI04',
+          fix: 'Remove shell execution hooks. Use only safe, scoped commands in claw hooks.',
+        }));
+      }
+    }
+
+    // ── MCP servers with insecure remote URLs ─────────────────────────────
+    const mcpServers = config.mcpServers || {};
+    for (const [name, srv] of Object.entries(mcpServers)) {
+      const url = typeof srv === 'object' ? (srv.url || '') : '';
+      if (/^(?:ws|http):\/\/(?!localhost|127\.0\.0\.1|::1)/i.test(url)) {
+        findings.push(createFinding({
+          file: filePath, line: 1,
+          severity: 'high',
+          category: this.category,
+          rule: 'CLAW_CODE_MCP_INSECURE_URL',
+          title: `claw-code: MCP Server "${name}" Uses Unencrypted Transport`,
+          description:
+            `MCP server "${name}" connects to ${url} over an unencrypted channel (ws:// or http://). ` +
+            'All MCP messages — tool calls, results, and any code context — are sent in plaintext. ' +
+            'A network attacker can intercept or inject MCP responses to hijack the agent.',
+          matched: url,
+          confidence: 'high',
+          cwe: 'CWE-319',
+          owasp: 'A02:2021',
+          fix: 'Use wss:// or https:// for all non-localhost MCP server connections.',
+        }));
+      }
+    }
+
+    return findings;
+  }
+
   /**
    * Scan .claude/settings.json for malicious hooks.
    * Based on Check Point Research disclosure: hooks in settings.json

package/cli/agents/cicd-scanner.js

@@ -199,6 +199,48 @@ const PATTERNS = [
     description: 'GitHub expression in run step. Attacker-controlled values can inject shell commands.',
     fix: 'Use environment variables: env: TITLE: ${{ github.event.issue.title }} then run: echo "$TITLE"',
   },
+
+  // ── AI Agent CLI — dangerous flags in CI ──────────────────────────────────
+  {
+    rule: 'CICD_AGENT_SKIP_PERMISSIONS',
+    title: 'CI/CD: AI Agent Running Without Permission Checks',
+    regex: /(?:--dangerously-skip-permissions|--skip-permissions|permissionMode\s*[=:]\s*["']?danger-full-access["']?)/g,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    description: 'AI agent CLI flag disables all permission checks. In CI, this means any prompt injection in workspace files can execute arbitrary commands with no confirmation gate.',
+    fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation or scope tool access with --allowedTools.',
+  },
+  {
+    rule: 'CICD_AGENT_INSECURE_PROVIDER',
+    title: 'CI/CD: AI Agent Routing to Non-TLS Provider',
+    regex: /(?:OPENAI_BASE_URL|ANTHROPIC_BASE_URL|XAI_BASE_URL|CLAUDE_CODE_USE_OPENAI)\s*=\s*["']?http:\/\/(?!localhost|127\.0\.0\.1|::1)/g,
+    severity: 'high',
+    cwe: 'CWE-319',
+    owasp: 'A02:2021',
+    description: 'AI agent provider URL uses plain HTTP for a non-localhost endpoint. All prompts, code context, and model responses are transmitted unencrypted in CI.',
+    fix: 'Use https:// for all non-localhost AI provider base URLs.',
+  },
+  {
+    rule: 'CICD_OPENCLAUDE_IN_CI',
+    title: 'CI/CD: openclaude Running in CI Pipeline',
+    regex: /(?:^|\s)openclaude\s/gm,
+    severity: 'medium',
+    cwe: 'CWE-1188',
+    owasp: 'ASI03',
+    description: 'openclaude (Claude Code fork with OpenAI-compatible shim) is invoked in CI. Verify OPENAI_BASE_URL is https://, OPENAI_API_KEY is stored as a secret, and .openclaude-profile.json is not committed.',
+    fix: 'Ensure OPENAI_API_KEY is a CI secret, OPENAI_BASE_URL uses https://, and .openclaude-profile.json is gitignored.',
+  },
+  {
+    rule: 'CICD_CLAW_DANGER_MODE',
+    title: 'CI/CD: claw-code Running in Danger Mode',
+    regex: /(?:^|\s)claw\s[^\n]*--dangerously-skip-permissions/gm,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    description: 'claw-code (Rust/Python Claude Code rewrite) is invoked with --dangerously-skip-permissions in CI. Any prompt injection in the workspace executes without confirmation.',
+    fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation.',
+  },
 ];
 
 export class CICDScanner extends BaseAgent {

package/cli/agents/deep-analyzer.js

@@ -25,8 +25,15 @@ import { createProvider, autoDetectProvider } from '../providers/llm-provider.js
 // CONSTANTS
 // =============================================================================
 
-/** Max file content to send per finding (tokens are expensive) */
-const MAX_FILE_CHARS = 4000;
+/** Max file content per finding for standard providers (tokens cost money) */
+const MAX_FILE_CHARS_DEFAULT = 4000;
+
+/**
+ * Max file content per finding for large-context providers (Gemma 4 128K–256K).
+ * Sending the full file enables cross-function taint tracing that a 40-line
+ * window cannot catch.
+ */
+const MAX_FILE_CHARS_LARGE_CTX = 80000;
 
 /** Max findings to analyze per run (cost control) */
 const MAX_FINDINGS = 30;
@@ -84,6 +91,14 @@ export class DeepAnalyzer {
     this.verbose = options.verbose || false;
     this.spentCents = 0;
     this.analyzedCount = 0;
+
+    // If the provider advertises a large context window (Gemma 4, etc.),
+    // increase file context and batch size to take full advantage.
+    const ctxWindow = this.provider?.contextWindow ?? 0;
+    this.largeContext = ctxWindow >= 65536;
+    this.maxFileChars = this.largeContext ? MAX_FILE_CHARS_LARGE_CTX : MAX_FILE_CHARS_DEFAULT;
+    // Larger batches for local large-context models (no per-token cost)
+    this.batchSize = this.largeContext ? 15 : 5;
   }
 
   /**
@@ -91,11 +106,11 @@ export class DeepAnalyzer {
    * Returns null if no provider is available.
    */
   static create(rootPath, options = {}) {
-    // --local flag: use Ollama
+    // --local flag: use Gemma 4 via Ollama (structured output, large context)
     if (options.local) {
-      const provider = createProvider('ollama', null, {
-        model: options.model || 'llama3.2',
-        baseUrl: options.ollamaUrl || 'http://localhost:11434/api/chat',
+      const provider = createProvider('gemma4', null, {
+        model:   options.model,
+        baseUrl: options.ollamaUrl,
       });
       return new DeepAnalyzer({ provider, ...options });
     }
@@ -141,11 +156,10 @@ export class DeepAnalyzer {
       toAnalyze.length = Math.max(1, affordable);
     }
 
-    // Batch findings (5 per request to balance cost vs. context)
-    const batchSize = 5;
+    // Batch findings — larger batches for large-context providers (Gemma 4 etc.)
     const results = new Map();
 
-    for (let i = 0; i < toAnalyze.length; i += batchSize) {
+    for (let i = 0; i < toAnalyze.length; i += this.batchSize) {
       // Budget check before each batch
       if (this.spentCents >= this.budgetCents) {
         if (this.verbose) {
@@ -154,7 +168,7 @@ export class DeepAnalyzer {
         break;
       }
 
-      const batch = toAnalyze.slice(i, i + batchSize);
+      const batch = toAnalyze.slice(i, i + this.batchSize);
       const prompt = this._buildPrompt(batch, context);
 
       try {
@@ -261,16 +275,22 @@ ${JSON.stringify(items, null, 2)}`;
       const lines = content.split('\n');
       const lineNum = finding.line || 1;
 
-      // Get a window of ~40 lines around the finding
-      const start = Math.max(0, lineNum - 21);
-      const end = Math.min(lines.length, lineNum + 20);
-      let context = lines.slice(start, end)
-        .map((l, i) => `${start + i + 1}: ${l}`)
-        .join('\n');
+      let context;
+      if (this.largeContext) {
+        // Large-context providers (Gemma 4): send the entire file so the model
+        // can trace taint flows across functions, not just the immediate window.
+        context = lines.map((l, i) => `${i + 1}: ${l}`).join('\n');
+      } else {
+        // Standard providers: 40-line window around the finding
+        const start = Math.max(0, lineNum - 21);
+        const end = Math.min(lines.length, lineNum + 20);
+        context = lines.slice(start, end)
+          .map((l, i) => `${start + i + 1}: ${l}`)
+          .join('\n');
+      }
 
-      // Truncate if too long
-      if (context.length > MAX_FILE_CHARS) {
-        context = context.slice(0, MAX_FILE_CHARS) + '\n... (truncated)';
+      if (context.length > this.maxFileChars) {
+        context = context.slice(0, this.maxFileChars) + '\n... (truncated)';
       }
 
       return context;

package/cli/agents/index.js

@@ -26,6 +26,7 @@ export { PIIComplianceAgent } from './pii-compliance-agent.js';
 export { VibeCodingAgent } from './vibe-coding-agent.js';
 export { ExceptionHandlerAgent } from './exception-handler-agent.js';
 export { AgentConfigScanner } from './agent-config-scanner.js';
+export { MemoryPoisoningAgent } from './memory-poisoning-agent.js';
 export { LegalRiskAgent, LEGALLY_RISKY_PACKAGES } from './legal-risk-agent.js';
 export { ABOMGenerator } from './abom-generator.js';
 export { VerifierAgent } from './verifier-agent.js';
@@ -36,7 +37,7 @@ export { PolicyEngine } from './policy-engine.js';
 export { HTMLReporter } from './html-reporter.js';
 
 /**
- * Create a fully configured orchestrator with all 16 scanning agents.
+ * Create a fully configured orchestrator with all 19 scanning agents.
  * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
  */
 import { Orchestrator as OrchestratorClass } from './orchestrator.js';
@@ -58,6 +59,7 @@ import { PIIComplianceAgent as PIIComplianceAgentClass } from './pii-compliance-
 import { VibeCodingAgent as VibeCodingAgentClass } from './vibe-coding-agent.js';
 import { ExceptionHandlerAgent as ExceptionHandlerAgentClass } from './exception-handler-agent.js';
 import { AgentConfigScanner as AgentConfigScannerClass } from './agent-config-scanner.js';
+import { MemoryPoisoningAgent as MemoryPoisoningAgentClass } from './memory-poisoning-agent.js';
 
 export function buildOrchestrator() {
   const orchestrator = new OrchestratorClass();
@@ -80,6 +82,7 @@ export function buildOrchestrator() {
     new VibeCodingAgentClass(),
     new ExceptionHandlerAgentClass(),
     new AgentConfigScannerClass(),
+    new MemoryPoisoningAgentClass(),
   ]);
   return orchestrator;
 }

package/cli/agents/legal-risk-agent.js

@@ -38,22 +38,14 @@ export const LEGALLY_RISKY_PACKAGES = [
   // Anthropic's Claude Code source was accidentally leaked. Several repos
   // appeared immediately; Anthropic filed DMCA takedowns but derivatives
   // remain online. Shipping any of these exposes you to IP liability.
+  //
+  // NOTE: The instructkr/claw-code repo (now ultraworkers/claw-code) has since
+  // pivoted to a clean-room Rust + Python rewrite and explicitly removed the
+  // leaked snapshot. The GitHub repo itself is no longer a DMCA concern.
+  // However, any claw-code npm package published in the March 31–April 2 2026
+  // window may have contained the leaked TypeScript source before the pivot.
+  // Flag early versions as a precaution; assess the specific published version.
   // ---------------------------------------------------------------------------
-  {
-    name: 'claw-code',
-    versions: '*',
-    ecosystem: 'npm',
-    risk: 'dmca',
-    severity: 'high',
-    detail:
-      'Derived from leaked Anthropic Claude Code source (March 2026). ' +
-      'Anthropic has filed DMCA takedown notices. Shipping this package ' +
-      'may expose your project to IP infringement liability.',
-    references: [
-      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
-      'https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know',
-    ],
-  },
   {
     name: 'claw-code-js',
     versions: '*',
@@ -81,6 +73,40 @@ export const LEGALLY_RISKY_PACKAGES = [
       'https://cybernews.com/security/anthropic-claude-code-source-leak/',
     ],
   },
+  // ---------------------------------------------------------------------------
+  // openclaude (github.com/Gitlawb/openclaude)
+  // Claude Code fork that routes to any LLM via OpenAI-compatible shim.
+  // Derived directly from the leaked Anthropic source (March 31 2026).
+  // Under active DMCA enforcement alongside claw-code.
+  // ---------------------------------------------------------------------------
+  {
+    name: 'openclaude',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'openclaude is a fork of the leaked Anthropic Claude Code source (March 2026) ' +
+      'that adds an OpenAI-compatible provider shim. The underlying ~512,000 lines of ' +
+      'TypeScript are Anthropic proprietary IP under active DMCA enforcement. ' +
+      'Additionally ships with auth disabled by default and binds to 0.0.0.0:18789.',
+    references: [
+      'https://github.com/Gitlawb/openclaude',
+      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
+    ],
+  },
+  {
+    name: 'openclaude-core',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'Core runtime package for openclaude. Derived from leaked Anthropic Claude Code ' +
+      'source (March 2026). Under active DMCA enforcement.',
+    references: ['https://github.com/Gitlawb/openclaude'],
+  },
+
   // ---------------------------------------------------------------------------
   // License violations — well-known cases
   // ---------------------------------------------------------------------------