ship-safe 6.4.0 → 8.0.0

package/cli/commands/env-audit.js

@@ -0,0 +1,349 @@
+/**
+ * Env Audit Command
+ * ==================
+ *
+ * Post-sync credential health check. Designed to run immediately after
+ * `stripe projects env --pull` or any credential provisioning workflow.
+ *
+ * Checks:
+ *   1. Every .env* file is covered by .gitignore
+ *   2. No .env values appear hardcoded in source files
+ *   3. Git history has no previously committed .env files
+ *   4. Agent configs can't read credential files without restriction
+ *
+ * USAGE:
+ *   ship-safe env-audit [path]
+ *   ship-safe env-audit . --json
+ *
+ * EXIT CODES:
+ *   0 — clean
+ *   1 — issues found
+ */
+
+import fs from 'fs';
+import path from 'path';
+import fg from 'fast-glob';
+import chalk from 'chalk';
+import ora from 'ora';
+import { execFileSync } from 'child_process';
+import { SECRET_PATTERNS, SKIP_DIRS } from '../utils/patterns.js';
+
+// Minimum value length to cross-reference (skip short values like "true", "3000")
+const MIN_VALUE_LENGTH = 8;
+
+// Keys that are safe to appear in source (not secrets)
+const SAFE_KEY_PATTERNS = /^(?:NEXT_PUBLIC_|REACT_APP_|VITE_|NUXT_PUBLIC_|NODE_ENV|PORT|HOST|HOSTNAME|LOG_LEVEL|DEBUG|TZ|LANG|APP_NAME|APP_URL|BASE_URL)/i;
+
+// =============================================================================
+// ENV AUDIT COMMAND
+// =============================================================================
+
+export async function envAuditCommand(targetPath = '.', options) {
+  const absolutePath = path.resolve(targetPath);
+  const spinner = ora('Auditing credential environment...').start();
+
+  const findings = [];
+
+  try {
+    // ── Step 1: Find all .env files ──────────────────────────────────────────
+    const envFiles = await findEnvFiles(absolutePath);
+    spinner.text = `Found ${envFiles.length} .env file(s)`;
+
+    if (envFiles.length === 0) {
+      spinner.succeed('No .env files found — nothing to audit.');
+      return;
+    }
+
+    // ── Step 2: Check .gitignore coverage ────────────────────────────────────
+    spinner.text = 'Checking .gitignore coverage...';
+    for (const envFile of envFiles) {
+      const relPath = path.relative(absolutePath, envFile).replace(/\\/g, '/');
+      const basename = path.basename(envFile);
+
+      // Skip .env.example and .env.sample — these are meant to be committed
+      if (/\.env\.(?:example|sample|template)$/i.test(basename)) continue;
+
+      const isIgnored = checkGitignored(absolutePath, relPath);
+      if (!isIgnored) {
+        findings.push({
+          type: 'gitignore',
+          severity: 'critical',
+          file: relPath,
+          message: `${relPath} is NOT covered by .gitignore — credentials will be committed`,
+          fix: `Add "${basename}" to your .gitignore file`,
+        });
+      }
+    }
+
+    // ── Step 3: Parse .env values and cross-reference against source ─────────
+    spinner.text = 'Cross-referencing credentials against source files...';
+    // Only cross-reference real .env files, not .env.example/.env.sample
+    const realEnvFiles = envFiles.filter(f => !/\.env\.(?:example|sample|template)$/i.test(path.basename(f)));
+    const envValues = parseEnvFiles(realEnvFiles);
+    const sensitiveValues = envValues.filter(v =>
+      v.value.length >= MIN_VALUE_LENGTH && !SAFE_KEY_PATTERNS.test(v.key)
+    );
+
+    if (sensitiveValues.length > 0) {
+      const sourceFiles = await findSourceFiles(absolutePath);
+      for (const { key, value, file: envFile } of sensitiveValues) {
+        for (const srcFile of sourceFiles) {
+          const relSrc = path.relative(absolutePath, srcFile).replace(/\\/g, '/');
+          // Don't flag the .env file itself
+          if (srcFile === envFile) continue;
+
+          try {
+            const content = fs.readFileSync(srcFile, 'utf-8');
+            if (content.includes(value)) {
+              findings.push({
+                type: 'hardcoded',
+                severity: 'critical',
+                file: relSrc,
+                message: `${key} value from ${path.basename(envFile)} is hardcoded in ${relSrc}`,
+                fix: `Replace the hardcoded value with process.env.${key} or equivalent`,
+              });
+            }
+          } catch {
+            // skip unreadable files
+          }
+        }
+      }
+    }
+
+    // ── Step 4: Check git history for committed .env files ───────────────────
+    spinner.text = 'Checking git history for committed credentials...';
+    const historyLeaks = checkGitHistory(absolutePath);
+    for (const leak of historyLeaks) {
+      findings.push({
+        type: 'history',
+        severity: 'high',
+        file: leak,
+        message: `${leak} was previously committed to git history — credentials may be in old commits`,
+        fix: 'Rotate all credentials that were in this file. Use git filter-repo to remove from history if needed.',
+      });
+    }
+
+    // ── Step 5: Check .projects manifest for credential leaks ────────────────
+    spinner.text = 'Checking .projects manifest...';
+    const projectsDir = path.join(absolutePath, '.projects');
+    if (fs.existsSync(projectsDir)) {
+      const projectsFiles = await fg(['**/*'], {
+        cwd: projectsDir,
+        absolute: true,
+        onlyFiles: true,
+      });
+
+      for (const pFile of projectsFiles) {
+        try {
+          const content = fs.readFileSync(pFile, 'utf-8');
+          for (const pattern of SECRET_PATTERNS) {
+            pattern.pattern.lastIndex = 0;
+            const match = pattern.pattern.exec(content);
+            if (match) {
+              const relPath = path.relative(absolutePath, pFile).replace(/\\/g, '/');
+              findings.push({
+                type: 'projects-manifest',
+                severity: 'critical',
+                file: relPath,
+                message: `${pattern.name} found in .projects manifest — credentials should not be in the manifest`,
+                fix: 'Remove credential values from .projects/ config. Stripe Projects stores credentials server-side.',
+              });
+            }
+          }
+        } catch {
+          // skip unreadable
+        }
+      }
+    }
+
+    // ── Step 6: Check agent config access to .env files ──────────────────────
+    spinner.text = 'Checking agent config access to credential files...';
+    const agentConfigs = await fg([
+      '.claude/settings.json',
+      '.cursorrules',
+      '.cursor/rules/*.mdc',
+      '.windsurfrules',
+      'CLAUDE.md',
+      '.claw.json',
+      '.claw/settings.json',
+      'openclaw.json',
+    ], {
+      cwd: absolutePath,
+      absolute: true,
+      onlyFiles: true,
+      dot: true,
+    });
+
+    for (const configFile of agentConfigs) {
+      try {
+        const content = fs.readFileSync(configFile, 'utf-8');
+        const relPath = path.relative(absolutePath, configFile).replace(/\\/g, '/');
+
+        // Check for danger modes that give agents full access
+        if (/dangerouslySkipPermissions\s*["']?\s*[:=]\s*["']?true/i.test(content) ||
+            /permissionMode\s*["']?\s*[:=]\s*["']?danger-full-access/i.test(content)) {
+          findings.push({
+            type: 'agent-access',
+            severity: 'critical',
+            file: relPath,
+            message: `${relPath} grants unrestricted file access — agent can read all .env credentials`,
+            fix: 'Remove dangerouslySkipPermissions / danger-full-access. Scope agent file access explicitly.',
+          });
+        }
+      } catch {
+        // skip
+      }
+    }
+
+    // ── Output ───────────────────────────────────────────────────────────────
+    spinner.stop();
+
+    if (options.json) {
+      console.log(JSON.stringify({ findings, envFiles: envFiles.length, clean: findings.length === 0 }, null, 2));
+      process.exit(findings.length > 0 ? 1 : 0);
+      return;
+    }
+
+    console.log();
+    console.log(chalk.cyan.bold('  Ship Safe — Env Audit'));
+    console.log(chalk.gray(`  Scanned ${envFiles.length} .env file(s), ${sensitiveValues.length} credential(s)`));
+    console.log();
+
+    if (findings.length === 0) {
+      console.log(chalk.green('  ✔ Environment is clean. No credential leaks detected.\n'));
+      console.log(chalk.gray('  Tip: run this after every `stripe projects env --pull` or credential sync.\n'));
+      process.exit(0);
+      return;
+    }
+
+    // Group by type
+    const groups = {
+      gitignore: { label: 'Missing .gitignore Coverage', icon: '🔓' },
+      hardcoded: { label: 'Hardcoded Credentials in Source', icon: '🔑' },
+      history: { label: 'Credentials in Git History', icon: '📜' },
+      'projects-manifest': { label: 'Credentials in .projects Manifest', icon: '📁' },
+      'agent-access': { label: 'Agent Config: Unrestricted Credential Access', icon: '🤖' },
+    };
+
+    for (const [type, meta] of Object.entries(groups)) {
+      const typeFindings = findings.filter(f => f.type === type);
+      if (typeFindings.length === 0) continue;
+
+      console.log(chalk.yellow(`  ${meta.icon} ${meta.label} (${typeFindings.length})`));
+      for (const f of typeFindings) {
+        const sevColor = f.severity === 'critical' ? chalk.red : chalk.yellow;
+        console.log(`    ${sevColor(f.severity.toUpperCase())} ${f.file}`);
+        console.log(chalk.gray(`      ${f.message}`));
+        console.log(chalk.gray(`      Fix: ${f.fix}`));
+      }
+      console.log();
+    }
+
+    const criticals = findings.filter(f => f.severity === 'critical').length;
+    if (criticals > 0) {
+      console.log(chalk.red.bold(`  ✘ ${criticals} critical issue(s). Fix before committing.\n`));
+    } else {
+      console.log(chalk.yellow(`  ⚠ ${findings.length} issue(s) found. Review before committing.\n`));
+    }
+
+    process.exit(1);
+
+  } catch (err) {
+    spinner.fail(`Env audit error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+async function findEnvFiles(rootPath) {
+  return fg(['.env', '.env.*', '**/.env', '**/.env.*'], {
+    cwd: rootPath,
+    absolute: true,
+    onlyFiles: true,
+    dot: true,
+    ignore: Array.from(SKIP_DIRS).map(d => `**/${d}/**`),
+  });
+}
+
+function parseEnvFiles(envFiles) {
+  const values = [];
+  for (const file of envFiles) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      for (const line of content.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#')) continue;
+        const eqIdx = trimmed.indexOf('=');
+        if (eqIdx === -1) continue;
+        const key = trimmed.slice(0, eqIdx).trim();
+        let value = trimmed.slice(eqIdx + 1).trim();
+        // Strip surrounding quotes
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+          value = value.slice(1, -1);
+        }
+        if (value && value !== '' && !value.startsWith('${')) {
+          values.push({ key, value, file });
+        }
+      }
+    } catch {
+      // skip unreadable
+    }
+  }
+  return values;
+}
+
+async function findSourceFiles(rootPath) {
+  return fg(['**/*.{js,jsx,ts,tsx,mjs,cjs,py,rb,go,rs,php,java,kt,swift,yaml,yml,json,toml,tf}'], {
+    cwd: rootPath,
+    absolute: true,
+    onlyFiles: true,
+    ignore: [
+      ...Array.from(SKIP_DIRS).map(d => `**/${d}/**`),
+      '**/.env*',
+      '**/*.min.js',
+      '**/__tests__/**',
+      '**/*.test.*',
+      '**/*.spec.*',
+      '**/test/**',
+      '**/tests/**',
+      '**/fixtures/**',
+      '**/snippets/**',
+    ],
+  });
+}
+
+function checkGitignored(rootPath, relPath) {
+  try {
+    execFileSync('git', ['check-ignore', '-q', relPath], { cwd: rootPath, stdio: 'pipe' });
+    return true; // exit 0 means it IS ignored
+  } catch {
+    return false; // exit 1 means it is NOT ignored
+  }
+}
+
+function checkGitHistory(rootPath) {
+  try {
+    const result = execFileSync('git', ['log', '--all', '--diff-filter=A', '--name-only', '--pretty=format:'], {
+      cwd: rootPath,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      maxBuffer: 5 * 1024 * 1024,
+    }).toString();
+
+    const envFilePattern = /^\.env(?:\.\w+)?$/;
+    const safeEnvPattern = /\.env\.(?:example|sample|template)$/;
+    const committed = new Set();
+    for (const line of result.split('\n')) {
+      const trimmed = line.trim();
+      if (trimmed && envFilePattern.test(path.basename(trimmed)) && !safeEnvPattern.test(trimmed)) {
+        committed.add(trimmed);
+      }
+    }
+    return Array.from(committed);
+  } catch {
+    return [];
+  }
+}

package/cli/commands/live-advisories.js

@@ -0,0 +1,241 @@
+/**
+ * Live Advisory Feed
+ * ===================
+ *
+ * Queries the GitHub Advisory Database and OSV.dev API for real-time
+ * advisories on your exact dependency versions. Unlike static CVE checks,
+ * this catches actively-compromised packages (Axios 1.8.2, LiteLLM 1.82.7)
+ * within hours of publication.
+ *
+ * USAGE:
+ *   ship-safe advisories .              # Check npm + PyPI deps
+ *   ship-safe advisories . --ecosystem npm
+ *   ship-safe advisories . --json
+ *
+ * APIs used:
+ *   - OSV.dev (https://api.osv.dev) — aggregates GitHub Advisories, PyPI, npm
+ *   - No API key needed — fully open, rate-limited to 1000 req/min
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+// =============================================================================
+// DEPENDENCY EXTRACTION
+// =============================================================================
+
+/**
+ * Extract package names + versions from project manifests.
+ * Returns: [{ name, version, ecosystem, file }]
+ */
+export function extractDependencies(rootPath) {
+  const deps = [];
+
+  // npm / Node.js
+  const pkgPath = path.join(rootPath, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const allDeps = {
+        ...(pkg.dependencies || {}),
+        ...(pkg.devDependencies || {}),
+      };
+      for (const [name, versionRange] of Object.entries(allDeps)) {
+        // Strip semver prefix (^, ~, >=)
+        const version = String(versionRange).replace(/^[\^~>=<]+/, '').trim();
+        if (/^\d/.test(version)) {
+          deps.push({ name, version, ecosystem: 'npm', file: pkgPath });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Also check package-lock.json for pinned versions (more accurate)
+  const lockPath = path.join(rootPath, 'package-lock.json');
+  if (fs.existsSync(lockPath)) {
+    try {
+      const lock = JSON.parse(fs.readFileSync(lockPath, 'utf-8'));
+      const packages = lock.packages || {};
+      for (const [pkgKey, info] of Object.entries(packages)) {
+        if (!pkgKey || pkgKey === '') continue; // root entry
+        const name = pkgKey.replace(/^node_modules\//, '');
+        if (info.version && /^\d/.test(info.version)) {
+          // Only add if not already present from package.json
+          if (!deps.find(d => d.name === name && d.ecosystem === 'npm')) {
+            deps.push({ name, version: info.version, ecosystem: 'npm', file: lockPath });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Python
+  const reqPath = path.join(rootPath, 'requirements.txt');
+  if (fs.existsSync(reqPath)) {
+    try {
+      const lines = fs.readFileSync(reqPath, 'utf-8').split('\n');
+      for (const line of lines) {
+        const m = line.trim().match(/^([\w-]+)==([\d.]+)/);
+        if (m) {
+          deps.push({ name: m[1], version: m[2], ecosystem: 'PyPI', file: reqPath });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Poetry (pyproject.toml)
+  const pyprojectPath = path.join(rootPath, 'pyproject.toml');
+  if (fs.existsSync(pyprojectPath)) {
+    try {
+      const content = fs.readFileSync(pyprojectPath, 'utf-8');
+      const depSection = content.match(/\[tool\.poetry\.dependencies\]([\s\S]*?)(?:\n\[|$)/);
+      if (depSection) {
+        const lines = depSection[1].split('\n');
+        for (const line of lines) {
+          const m = line.match(/^([\w-]+)\s*=\s*"([\d.]+)"/);
+          if (m) {
+            deps.push({ name: m[1], version: m[2], ecosystem: 'PyPI', file: pyprojectPath });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  return deps;
+}
+
+// =============================================================================
+// OSV.DEV API
+// =============================================================================
+
+/**
+ * Query OSV.dev for known vulnerabilities affecting a specific package version.
+ * Uses the batch query endpoint for efficiency.
+ *
+ * @param {{ name: string, version: string, ecosystem: string }[]} deps
+ * @returns {Promise<object[]>} — Array of advisory objects
+ */
+export async function queryOSV(deps) {
+  if (deps.length === 0) return [];
+
+  // OSV batch query supports up to 1000 packages per request
+  const batchSize = 1000;
+  const allResults = [];
+
+  for (let i = 0; i < deps.length; i += batchSize) {
+    const batch = deps.slice(i, i + batchSize);
+    const queries = batch.map(d => ({
+      package: { name: d.name, ecosystem: d.ecosystem },
+      version: d.version,
+    }));
+
+    try {
+      const response = await fetch('https://api.osv.dev/v1/querybatch', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ queries }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`OSV API error: HTTP ${response.status}`);
+      }
+
+      const data = await response.json();
+      const results = data.results || [];
+
+      for (let j = 0; j < results.length; j++) {
+        const vulns = results[j].vulns || [];
+        for (const vuln of vulns) {
+          allResults.push({
+            id: vuln.id,
+            summary: vuln.summary || '',
+            severity: extractSeverity(vuln),
+            package: batch[j].name,
+            version: batch[j].version,
+            ecosystem: batch[j].ecosystem,
+            file: deps[i + j].file,
+            aliases: vuln.aliases || [],
+            published: vuln.published || null,
+            modified: vuln.modified || null,
+            isMalware: (vuln.id || '').startsWith('MAL-') ||
+                       (vuln.summary || '').toLowerCase().includes('malicious') ||
+                       (vuln.summary || '').toLowerCase().includes('malware'),
+          });
+        }
+      }
+    } catch (err) {
+      // Network error — return what we have so far
+      if (allResults.length === 0) {
+        throw new Error(`Failed to reach OSV.dev: ${err.message}. Run with --offline to skip live checks.`);
+      }
+    }
+  }
+
+  return allResults;
+}
+
+/**
+ * Extract the highest severity from an OSV vulnerability object.
+ */
+function extractSeverity(vuln) {
+  // Check database_specific severity first
+  if (vuln.database_specific?.severity) {
+    return vuln.database_specific.severity.toLowerCase();
+  }
+
+  // Check CVSS in severity array
+  const sevEntries = vuln.severity || [];
+  for (const entry of sevEntries) {
+    if (entry.type === 'CVSS_V3') {
+      const score = parseFloat(entry.score) || 0;
+      if (score >= 9.0) return 'critical';
+      if (score >= 7.0) return 'high';
+      if (score >= 4.0) return 'medium';
+      return 'low';
+    }
+  }
+
+  // Malware is always critical
+  if ((vuln.id || '').startsWith('MAL-')) return 'critical';
+
+  return 'medium';
+}
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+/**
+ * Run the live advisory check.
+ * Returns findings in ship-safe standard format.
+ */
+export async function runLiveAdvisories(rootPath, options = {}) {
+  const deps = extractDependencies(rootPath);
+
+  if (deps.length === 0) {
+    return { advisories: [], deps: 0, checked: 0 };
+  }
+
+  // Filter by ecosystem if requested
+  const filtered = options.ecosystem
+    ? deps.filter(d => d.ecosystem.toLowerCase() === options.ecosystem.toLowerCase())
+    : deps;
+
+  const advisories = await queryOSV(filtered);
+
+  // Sort: malware first, then by severity
+  const sevOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  advisories.sort((a, b) => {
+    if (a.isMalware && !b.isMalware) return -1;
+    if (!a.isMalware && b.isMalware) return 1;
+    return (sevOrder[a.severity] || 2) - (sevOrder[b.severity] || 2);
+  });
+
+  return {
+    advisories,
+    deps: filtered.length,
+    checked: filtered.length,
+  };
+}
+
+export default { extractDependencies, queryOSV, runLiveAdvisories };

package/cli/commands/red-team.js

@@ -17,7 +17,7 @@ import fs from 'fs';
 import path from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
-import { buildOrchestrator } from '../agents/index.js';
+import { buildOrchestratorAsync } from '../agents/index.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { HTMLReporter } from '../agents/html-reporter.js';
@@ -39,7 +39,7 @@ export async function redTeamCommand(targetPath = '.', options = {}) {
   console.log();
 
   // ── 1. Run orchestrator ─────────────────────────────────────────────────────
-  const orchestrator = buildOrchestrator();
+  const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
 
   const agentFilter = options.agents
     ? options.agents.split(',').map(a => a.trim())

package/cli/commands/scan-mcp.js

@@ -109,6 +109,72 @@ const MCP_TOOL_PATTERNS = [
     severity: 'medium',
     target: 'any',
   },
+
+  // ── Hermes Agent: Function-Call Poisoning (ASI-03, ASI-05) ───────────────
+  {
+    name: 'Hermes: XML tool_call injection in description',
+    regex: /<tool_call>[\s\S]{0,300}<\/tool_call>/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description embeds a Hermes-format <tool_call> block — will be parsed and executed by agents consuming this manifest.',
+  },
+  {
+    name: 'Hermes: Function-call format injection',
+    regex: /<function_calls>[\s\S]{0,300}<\/function_calls>/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description embeds a <function_calls> block matching Hermes/Claude XML call format.',
+  },
+  {
+    name: 'Hermes: tool_choice manipulation',
+    regex: /tool_choice\s*[=:]\s*["']?(?:auto|any|none|required)["']?\s*(?:,|\}|$)/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description attempts to override tool_choice routing, steering agent to call attacker-controlled tools.',
+  },
+  {
+    name: 'Hermes: Forced tool invocation via description',
+    regex: /(?:you\s+must\s+(?:call|invoke|use)\s+(?:the\s+)?tool|always\s+(?:call|invoke|run)\s+(?:the\s+)?(?:tool|function)|tool\s+MUST\s+be\s+(?:called|invoked|used))/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Instruction in tool description coerces the LLM agent into calling a specific tool, bypassing agent autonomy.',
+  },
+  {
+    name: 'Hermes: Schema bypass via additionalProperties',
+    regex: /"additionalProperties"\s*:\s*true/gi,
+    severity: 'high',
+    target: 'schema',
+    owasp: 'ASI-03',
+    note: 'Tool input schema allows arbitrary extra properties — attackers can inject undeclared parameters that bypass input validation.',
+  },
+  {
+    name: 'Hermes: Late binding via env-var registry URL',
+    regex: /(?:HERMES_REGISTRY_URL|AGENT_REGISTRY|TOOL_REGISTRY_URL|REGISTRY_ENDPOINT)\s*[=:]/gi,
+    severity: 'critical',
+    target: 'any',
+    owasp: 'ASI-05',
+    note: 'Tool definition references a runtime-resolved registry URL — attacker who controls the env var can swap the entire tool registry at execution time.',
+  },
+  {
+    name: 'Hermes: Namespace collision / tool shadowing',
+    regex: /(?:override\s+(?:existing\s+)?tool|shadow\s+tool|replace\s+(?:the\s+)?(?:existing\s+)?tool|re-register\s+tool)/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-05',
+    note: 'Description explicitly documents shadowing a previously registered tool — classic namespace collision attack.',
+  },
+  {
+    name: 'Hermes: Recursive sub-agent invocation in description',
+    regex: /(?:spawn\s+(?:a\s+)?(?:new\s+)?(?:sub[-\s]?agent|child[-\s]?agent|nested[-\s]?agent)|create\s+(?:a\s+)?(?:sub[-\s]?agent|child[-\s]?agent)|recursively\s+call\s+(?:agent|tool))/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-02',
+    note: 'Description instructs the agent to spawn sub-agents — could lead to unbounded recursion or privilege escalation through child agents.',
+  },
 ];
 
 // Dangerous tool name keywords — flag tools whose names suggest shell/exec access
@@ -348,6 +414,18 @@ function analyzeToolDefinition(tool) {
     }
   }
 
+  // Check for additionalProperties: true at the top-level schema (schema bypass)
+  const topSchema = tool.inputSchema || tool.input_schema || {};
+  if (topSchema.additionalProperties === true) {
+    findings.push({
+      check: 'schema-analysis',
+      name: 'Hermes: Schema bypass — additionalProperties: true',
+      severity: 'high',
+      tool: name,
+      matched: 'Top-level inputSchema has additionalProperties: true — arbitrary params accepted',
+    });
+  }
+
   // Check for excessive required parameters (information harvesting)
   const required = tool.inputSchema?.required || tool.input_schema?.required || [];
   const properties = tool.inputSchema?.properties || tool.input_schema?.properties || {};