ship-safe 7.0.0 → 9.0.0

package/README.md

@@ -16,11 +16,11 @@
 
 ---
 
-18 security agents. 80+ attack classes. One command.
+22 security agents. 80+ attack classes. One command.
 
-**Ship Safe v6.4.0** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
+**Ship Safe v8.0.0** is an AI-powered security platform that runs 22 specialized agents in parallel against your codebase — covering secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, memory poisoning, Hermes Agent security, Supabase RLS, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, Claude Managed Agent configs, and more. Full OWASP Agentic AI Top 10 mapping (ASI-01–ASI-10) enriches every finding. Live OSV.dev advisory feed surfaces actively exploited CVEs within hours of disclosure. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active.
 
-**v6.4.0 highlights:** MCP server scanning (`npx ship-safe scan-mcp`) vets tool manifests for prompt injection and credential harvesting before you connect. Detection support for openclaude and claw-code — the two most-starred Claude Code forks from the March 2026 source leak — with accurate config scanning based on their actual architectures. Four new CI/CD patterns flag AI agent danger modes in pipelines. Legal dataset corrected: claw-code reclassified as a clean-room rewrite, not a leaked-source derivative.
+**v8.0.0 highlights:** **Ship Safe × Hermes Agent** — two new agents purpose-built for [NousResearch Hermes Agent](https://github.com/NousResearch/hermes-function-calling) deployments. `HermesSecurityAgent` detects 17 attack patterns across the full OWASP Agentic AI Top 10 surface: tool registry poisoning, function-call injection, goal/plan hijacking, memory layer attacks, skill permission drift, and multi-agent trust boundary violations. `AgentAttestationAgent` catches supply-chain failures in agent manifests: unpinned versions, missing integrity hashes on remote tool sources, unsigned manifests, and dynamic `require()` of manifests from env vars. Both agents integrate into the `--agentic` loop for automated scan → annotate → re-scan cycles. Ship Safe is now a first-class Hermes citizen via `skills/ship-safe-security.md` and `registerWithHermes()`.
 
 [Documentation](https://shipsafecli.com/docs) | [Blog](https://shipsafecli.com/blog) | [Pricing](https://shipsafecli.com/pricing)
 
@@ -29,19 +29,32 @@
 ## Quick Start
 
 ```bash
-# Full security audit — secrets + 18 agents + deps + remediation plan
+# Full security audit — secrets + 22 agents + deps + remediation plan
 npx ship-safe audit .
 
-# LLM-powered deep analysis (Anthropic, OpenAI, Google, Ollama)
+# LLM-powered deep analysis (Anthropic, OpenAI, Google, Ollama, Gemma 4)
 npx ship-safe audit . --deep
 
-# Red team scan only (18 agents, 80+ attack classes)
+# Agentic loop — scan → auto-annotate fixes → re-scan until score ≥ 75
+npx ship-safe audit . --agentic
+npx ship-safe audit . --agentic 5 --agentic-target 85
+
+# Red team scan (22 agents, 80+ attack classes)
 npx ship-safe red-team .
 
 # Scan only changed files (fast pre-commit & PR scanning)
 npx ship-safe diff
 npx ship-safe diff --staged
 
+# Live OSV.dev advisory feed — no API key, no stale data
+npx ship-safe advisories .
+
+# Continuous monitoring
+npx ship-safe watch .                         # Lightweight file watcher
+npx ship-safe watch . --deep                  # Full 22-agent scan on every change
+npx ship-safe watch . --deep --threshold 80   # Fail if score drops below threshold
+npx ship-safe watch . --status                # Show last deep-watch results
+
 # Fun emoji security grade with shareable badge
 npx ship-safe vibe-check .
 
@@ -86,11 +99,11 @@ npx ship-safe audit .
 
 ```
 ════════════════════════════════════════════════════════════
-  Ship Safe v6.0 — Full Security Audit
+  Ship Safe v8.0 — Full Security Audit
 ════════════════════════════════════════════════════════════
 
   [Phase 1/4] Scanning for secrets...         ✔ 49 found
-  [Phase 2/4] Running 18 security agents...   ✔ 103 findings
+  [Phase 2/4] Running 22 security agents...   ✔ 103 findings
   [Phase 3/4] Auditing dependencies...        ✔ 44 CVEs
   [Phase 4/4] Computing security score...     ✔ 25/100 F
 
@@ -117,7 +130,7 @@ npx ship-safe audit .
 
 **What it runs:**
 1. **Secret scan** — 50+ patterns with entropy scoring (API keys, passwords, tokens)
-2. **18 security agents** — run in parallel with per-agent timeouts and framework-aware filtering (injection, auth, SSRF, supply chain, config, Supabase RLS, LLM, MCP, agentic AI, RAG, PII, vibe coding, exception handling, agent config, mobile, git history, CI/CD, API)
+2. **22 security agents** — run in parallel with per-agent timeouts and framework-aware filtering
 3. **Dependency audit** — npm/pip/bundler CVE scanning with EPSS exploit probability scores
 4. **Secrets verification** — probes provider APIs (GitHub, Stripe, OpenAI, etc.) to check if leaked keys are still active
 5. **Deep analysis** — LLM-powered taint analysis verifies exploitability of critical/high findings (optional)
@@ -143,38 +156,43 @@ npx ship-safe audit .
 - `--deep` — LLM-powered taint analysis for critical/high findings
 - `--local` — use local Ollama model for deep analysis
 - `--model <model>` — LLM model to use for deep/AI analysis
-- `--provider <name>` — LLM provider: groq, together, mistral, deepseek, xai, perplexity, lmstudio
+- `--provider <name>` — LLM provider: groq, together, mistral, deepseek, xai, perplexity, lmstudio, gemma4
 - `--base-url <url>` — custom OpenAI-compatible base URL (e.g. LM Studio, vLLM)
 - `--budget <cents>` — max spend in cents for deep analysis (default: 50)
 - `--verify` — check if leaked secrets are still active (probes provider APIs)
+- `--agentic [n]` — scan → annotate fixes → re-scan loop, up to n iterations (default: 3)
+- `--agentic-target <score>` — stop agentic loop when score reaches this threshold (default: 75)
 
 ---
 
-## 18 Security Agents
+## 22 Security Agents
 
 | Agent | Category | What It Detects |
 |-------|----------|-----------------|
 | **InjectionTester** | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution, Python f-string SQL injection, Python subprocess shell injection |
 | **AuthBypassAgent** | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass, Django `DEBUG = True`, Flask hardcoded secret keys |
 | **SSRFProber** | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following |
-| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts, dependency confusion, lockfile integrity |
+| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts, dependency confusion, lockfile integrity, trojanized package behavioral signatures (env-var harvesting, DNS exfiltration, WebSocket C2) |
 | **ConfigAuditor** | Config | Dockerfile (running as root, :latest tags), Terraform (public S3/RDS, open SG, CloudFront HTTP, Lambda admin, S3 no versioning), Kubernetes (privileged containers, `:latest` tags, missing NetworkPolicy), CORS, CSP, Firebase, Nginx |
 | **SupabaseRLSAgent** | Auth | Supabase Row Level Security — `service_role` key in client code, `CREATE TABLE` without RLS, anon key inserts, unprotected storage operations |
 | **LLMRedTeam** | AI/LLM | OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, unbounded consumption, RAG poisoning |
 | **MCPSecurityAgent** | AI/LLM | MCP server security — unvalidated tool inputs, missing auth, excessive permissions, tool poisoning, typosquatting detection, over-permissioned tools, shadow config discovery |
 | **AgenticSecurityAgent** | AI/LLM | OWASP Agentic AI Top 10 — agent hijacking, privilege escalation, unsafe code execution, memory poisoning |
 | **RAGSecurityAgent** | AI/LLM | RAG pipeline security — unvalidated embeddings, context injection, document poisoning, vector DB access control |
+| **MemoryPoisoningAgent** | AI/LLM | ASI-01/ASI-05 — instruction injection in `.claude/memory/`, `.cursorrules`, `.cursor/rules/`, `.windsurfrules`, `.continue/config.json`, `.gemini/`, `.cody/`, `.augment/` and docs; hidden Unicode payloads; persona hijacking; persistent trigger detection |
 | **PIIComplianceAgent** | Compliance | PII detection — SSNs, credit cards, emails, phone numbers in source code, logs, and configs |
 | **VibeCodingAgent** | Code Vulns | AI-generated code patterns — no input validation, empty catch blocks, hardcoded secrets, disabled security features, TODO-auth patterns |
 | **ExceptionHandlerAgent** | Code Vulns | OWASP A10:2025 — empty catch blocks, unhandled promise rejections, missing React error boundaries, leaked stack traces, generic catch-all without rethrow |
-| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, openclaude profile file (`OPENAI_BASE_URL` over http://), claw-code config (`danger-full-access`, disabled sandbox, shell hooks, insecure MCP transports), encoded/obfuscated payloads, data exfiltration instructions, agent memory poisoning |
+| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, claw-code config risks, Gemini CLI / Cody / Augment Code config risks, encoded/obfuscated payloads |
 | **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
 | **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
-| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection, AI agent danger flags (`--dangerously-skip-permissions`, insecure provider URLs in CI) |
+| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection, AI agent danger flags |
 | **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
-| **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
+| **ManagedAgentScanner** | AI/LLM | Claude Managed Agents misconfigurations — `always_allow` permission policies, unrestricted networking, bash without human confirmation, MCP servers over HTTP, hardcoded vault tokens, unpinned environment packages (ASI-03, ASI-04, ASI-05, ASI-07) |
+| **HermesSecurityAgent** *(new)* | AI/LLM | Hermes Agent deployments — tool registry poisoning, function-call injection (`<tool_call>` / `<function_calls>`), goal/plan hijacking, memory layer attacks, skill permission drift, sub-agent trust boundary violations, manifest attestation (ASI-01–ASI-10) |
+| **AgentAttestationAgent** *(new)* | Supply Chain | Agent manifest supply chain — unpinned versions (`latest`, `^`, `~`), missing integrity hashes on remote tool sources, unsigned manifests, `skipIntegrityCheck` bypass, dynamic `require()` of manifests from env vars, missing provenance fields (ASI-10, SLSA Level 0) |
 
-**Post-processors:** ScoringEngine (8-category weighted scoring), VerifierAgent (secrets liveness verification), DeepAnalyzer (LLM-powered taint analysis)
+**Post-processors:** ScoringEngine (8-category weighted scoring with OWASP Agentic AI Top 10 enrichment), VerifierAgent (secrets liveness verification), DeepAnalyzer (LLM-powered taint analysis)
 
 ---
 
@@ -186,7 +204,7 @@ npx ship-safe audit .
 # Full audit with remediation plan + HTML report
 npx ship-safe audit .
 
-# Red team: 18 agents, 80+ attack classes
+# Red team: 22 agents, 80+ attack classes
 npx ship-safe red-team .
 npx ship-safe red-team . --agents injection,auth    # Run specific agents
 npx ship-safe red-team . --html report.html         # HTML report
@@ -346,6 +364,27 @@ Ship Safe detects security issues in both major Claude Code forks from the March
 - Hook commands containing shell execution or remote download patterns
 - MCP server connections over `ws://` or `http://` to non-localhost hosts
 
+### Hermes Agent Integration
+
+Ship Safe is a first-class Hermes Agent citizen. Register Ship Safe tools directly in your Hermes tool registry:
+
+```js
+import { registerWithHermes, verifyIntegrity } from 'ship-safe';
+
+// Register all 5 Ship Safe tools with integrity verification
+await registerWithHermes(toolRegistry);
+```
+
+Or use the bundled skill in your Hermes agent:
+
+```yaml
+# In your Hermes agent manifest
+skills:
+  - ./node_modules/ship-safe/skills/ship-safe-security.md
+```
+
+Available tools: `ship_safe_audit`, `ship_safe_scan_mcp`, `ship_safe_get_findings`, `ship_safe_suppress_finding`, `ship_safe_memory_list`.
+
 ### Threat Intelligence
 
 ```bash
@@ -396,6 +435,16 @@ jobs:
 
 Scans `openclaw.json`, `.cursorrules`, `CLAUDE.md`, Claude Code hooks, and MCP configs. Checks against the bundled threat intelligence database for known ClawHavoc IOCs.
 
+### Live Advisory Feed
+
+```bash
+# Query OSV.dev for actively exploited CVEs across all package ecosystems
+npx ship-safe advisories .
+npx ship-safe advisories . --json    # JSON output for CI
+```
+
+No API key required. Malware advisories (MAL-*) are sorted to the top. Results include EPSS exploit probability and remediation guidance.
+
 ### Defensive Hooks
 
 ```bash
@@ -409,9 +458,15 @@ npx ship-safe watch . --configs
 ### Infrastructure Commands
 
 ```bash
-# Continuous monitoring (watch files for changes)
+# Lightweight file watcher — re-scans changed files on save
 npx ship-safe watch .
 
+# Deep watch — full 22-agent orchestrator on every change
+npx ship-safe watch . --deep
+npx ship-safe watch . --deep --threshold 80   # Fail if score drops below threshold
+npx ship-safe watch . --deep --debounce 2000  # Custom debounce in ms (default: 1000)
+npx ship-safe watch . --status                # Show last deep-watch results from .ship-safe/watch.json
+
 # Generate CycloneDX SBOM
 npx ship-safe sbom .
 
@@ -467,7 +522,7 @@ claude plugin add github:asamassekou10/ship-safe
 
 | Command | Description |
 |---------|-------------|
-| `/ship-safe` | Full security audit — 18 agents, remediation plan, auto-fix |
+| `/ship-safe` | Full security audit — 22 agents, remediation plan, auto-fix |
 | `/ship-safe-scan` | Quick scan for leaked secrets |
 | `/ship-safe-score` | Security health score (0-100) |
 | `/ship-safe-deep` | LLM-powered deep taint analysis |
@@ -524,7 +579,8 @@ Ship Safe supports any AI provider for deep analysis and classification:
 | **Anthropic** | `ANTHROPIC_API_KEY` | *(auto-detected)* | claude-haiku-4-5 |
 | **OpenAI** | `OPENAI_API_KEY` | *(auto-detected)* | gpt-4o-mini |
 | **Google** | `GOOGLE_AI_API_KEY` | *(auto-detected)* | gemini-2.0-flash |
-| **Ollama** | `OLLAMA_HOST` | `--local` | Local models |
+| **Gemma 4 (Ollama)** | *(none)* | `--provider gemma4` | gemma4:e4b (256K ctx) |
+| **Ollama** | `OLLAMA_HOST` | `--local` | gemma4:e4b |
 | **Groq** | `GROQ_API_KEY` | `--provider groq` | llama-3.3-70b-versatile |
 | **Together AI** | `TOGETHER_API_KEY` | `--provider together` | meta-llama/Llama-3-70b-chat-hf |
 | **Mistral** | `MISTRAL_API_KEY` | `--provider mistral` | mistral-small-latest |
@@ -656,7 +712,7 @@ docs/
 | **OWASP Top 10 Mobile 2024** | M1-M10: Improper Credential Usage, Inadequate Supply Chain, Insecure Auth, Insufficient Validation, Insecure Communication, Inadequate Privacy, Binary Protections, Security Misconfiguration, Insecure Data Storage, Insufficient Cryptography |
 | **OWASP LLM Top 10 2025** | LLM01-LLM10: Prompt Injection, Sensitive Info Disclosure, Supply Chain, Data Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption |
 | **OWASP CI/CD Top 10** | CICD-SEC-1 to 10: Insufficient Flow Control, Identity Management, Dependency Chain Abuse, Poisoned Pipeline Execution, Insufficient PBAC, Credential Hygiene, Insecure System Config, Ungoverned Usage, Improper Artifact Integrity, Insufficient Logging |
-| **OWASP Agentic AI Top 10** | ASI01-ASI10: Agent Hijacking, Tool Misuse, Privilege Escalation, Unsafe Code Execution, Memory Poisoning, Identity Spoofing, Excessive Autonomy, Logging Gaps, Supply Chain Attacks, Cascading Hallucination |
+| **OWASP Agentic AI Top 10** | ASI-01–ASI-10: Goal Hijacking, Excessive Agency, Unsafe Tool Use, Unvalidated Actions, Untrusted Tools, Memory Poisoning, Lack of Oversight, Logging Gaps, Supply Chain Attacks, Cascading Failures |
 
 ---
 
@@ -674,6 +730,9 @@ LLM security: prompt injection detection, cost protection, system prompt hardeni
 ### [`/checklists`](./checklists)
 Manual security audits: launch-day checklist, framework-specific guides.
 
+### [`/skills`](./skills)
+Hermes Agent skill definitions. Install `skills/ship-safe-security.md` to give any Hermes agent native security scanning capabilities.
+
 ---
 
 ## Add a Security Badge to Your README

package/cli/agents/agent-attestation-agent.js

@@ -0,0 +1,318 @@
+/**
+ * AgentAttestationAgent — Ship Safe × Hermes Agent
+ * ==================================================
+ *
+ * Detects missing or broken attestation in agent manifests and deployment
+ * configurations: unsigned manifests, missing provenance, unpinned package
+ * versions, integrity hash drift, and lack of supply-chain controls.
+ *
+ * OWASP Agentic AI: ASI-10 (Supply Chain), ASI-07 (Lack of Oversight)
+ * SLSA Level 0 → checking for basic provenance and version pinning.
+ *
+ * SCANNING TARGETS:
+ *   - agent-manifest.{json,yaml,yml}
+ *   - agents.{json,yaml,yml}
+ *   - hermes.config.{js,ts,json,yaml,yml}
+ *   - openclaw.json
+ *   - package.json, package-lock.json
+ *   - .hermes/**
+ *   - Any file declaring agent versions, integrity hashes, or provenance
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { createHash } from 'crypto';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// PATTERNS — detected in source files
+// =============================================================================
+
+const PATTERNS = [
+  // ── Unpinned versions ──────────────────────────────────────────────────────
+  {
+    rule: 'AGENT_UNPINNED_VERSION_LATEST',
+    title: 'Agent: Unpinned version "latest" (ASI-10 Supply Chain)',
+    regex: /["'](?:\w*[Vv]ersion|tag|image|ref)["']\s*:\s*["']latest["']/gi,
+    severity: 'high',
+    cwe: 'CWE-1104',
+    owasp: 'ASI-10',
+    confidence: 'high',
+    description: 'Agent/image version pinned to "latest" — next pull may silently upgrade to a tampered or incompatible version.',
+    fix: 'Pin to a specific semantic version (e.g., "1.2.3") or commit SHA.',
+  },
+  {
+    rule: 'AGENT_UNPINNED_VERSION_STAR',
+    title: 'Agent: Unpinned version wildcard (* or ^) (ASI-10)',
+    regex: /["'](?:\w*[Vv]ersion|tag)["']\s*:\s*["'][\^~*><=][^"']{1,20}["']/gi,
+    severity: 'high',
+    cwe: 'CWE-1104',
+    owasp: 'ASI-10',
+    confidence: 'high',
+    description: 'Agent version uses a mutable range specifier — version may float to an attacker-controlled release.',
+    fix: 'Pin to an exact version string without range operators.',
+  },
+  {
+    rule: 'AGENT_HERMES_UNPINNED',
+    title: 'Hermes: @nousresearch/hermes-agent not pinned to exact version',
+    regex: /["']@nousresearch\/hermes-agent["']\s*:\s*["'][\^~*><=][^"']{1,20}["']/gi,
+    severity: 'high',
+    cwe: 'CWE-1104',
+    owasp: 'ASI-10',
+    confidence: 'high',
+    description: 'hermes-agent package version is not pinned — a malicious minor/patch release could modify agent behavior.',
+    fix: 'Pin to exact version: "\"@nousresearch/hermes-agent\": \"1.2.3\""',
+  },
+
+  // ── Missing integrity fields ────────────────────────────────────────────────
+  {
+    rule: 'AGENT_NO_INTEGRITY_HASH',
+    title: 'Agent: No integrity hash on remote resource (ASI-10)',
+    regex: /["'](?:url|source|registry|endpoint)["']\s*:\s*["']https?:\/\/[^"']{10,}["'](?!\s*,?\s*["']integrity["'])/gi,
+    severity: 'high',
+    cwe: 'CWE-494',
+    owasp: 'ASI-10',
+    confidence: 'medium',
+    description: 'Remote resource loaded without an integrity hash — no way to detect tampering between publish and load time.',
+    fix: 'Add an "integrity": "sha256-..." or "sha512-..." field alongside the URL.',
+  },
+  {
+    rule: 'AGENT_MANIFEST_NO_SIGNATURE',
+    title: 'Agent: Manifest loaded without signature verification',
+    regex: /(?:loadManifest|readManifest|parseManifest|loadConfig|readConfig|parseConfig)\s*\([^)]{0,80}\)(?!\s*\.(?:verify|checkSignature|assertIntegrity))/gi,
+    severity: 'high',
+    cwe: 'CWE-345',
+    owasp: 'ASI-10',
+    confidence: 'medium',
+    description: 'Agent manifest is loaded/parsed without a subsequent signature or integrity check — manifest tampering goes undetected.',
+    fix: 'Verify manifest signature or compute expected SHA-256 before trusting its contents.',
+  },
+
+  // ── Missing provenance fields ──────────────────────────────────────────────
+  {
+    rule: 'AGENT_NO_AUTHOR_FIELD',
+    title: 'Agent manifest: No author/publisher field',
+    regex: /^\s*\{\s*"(?:name|id|version)":/m,
+    severity: 'low',
+    cwe: 'CWE-1059',
+    owasp: 'ASI-10',
+    confidence: 'low',
+    description: 'Agent manifest has no author or publisher field — provenance cannot be established.',
+    fix: 'Add "author", "publisher", or "maintainer" fields with contact information.',
+  },
+
+  // ── Attestation bypass patterns ────────────────────────────────────────────
+  {
+    rule: 'AGENT_SKIP_INTEGRITY_CHECK',
+    title: 'Agent: Integrity check explicitly skipped',
+    regex: /(?:skipIntegrityCheck\s*:\s*true|verifyIntegrity\s*:\s*false|integrity\s*:\s*false|bypassAttestation\s*:\s*true|noVerify\s*:\s*true)/gi,
+    severity: 'critical',
+    cwe: 'CWE-345',
+    owasp: 'ASI-10',
+    confidence: 'high',
+    description: 'Code explicitly disables integrity checking — removes the primary defense against supply-chain attacks.',
+    fix: 'Remove the integrity bypass flag and restore verification.',
+  },
+  {
+    rule: 'AGENT_DYNAMIC_REQUIRE_MANIFEST',
+    title: 'Agent: Dynamic require/import of manifest path from user input',
+    regex: /(?:require|import)\s*\(\s*(?:req\.|request\.|body\.|params\.|process\.env\.[A-Z_]{3,})\s*\)/gi,
+    severity: 'critical',
+    cwe: 'CWE-706',
+    owasp: 'ASI-10',
+    confidence: 'medium',
+    description: 'Manifest/module path resolved from external input — attacker can redirect load to a malicious file.',
+    fix: 'Use a hardcoded manifest path or validate against an allowlist of safe paths.',
+  },
+
+  // ── No changelog / audit trail ────────────────────────────────────────────
+  {
+    rule: 'AGENT_NO_CHANGELOG_REFERENCE',
+    title: 'Agent manifest: No changelog or audit trail reference',
+    regex: /^\s*\{\s*(?:(?:"(?:name|id|version|description)":[^}]{0,200})){2,}\}/ms,
+    severity: 'low',
+    cwe: 'CWE-778',
+    owasp: 'ASI-07',
+    confidence: 'low',
+    description: 'Agent manifest has no changelog, releaseNotes, or auditLog field — version changes cannot be audited.',
+    fix: 'Add a "changelog" or "releaseNotes" URL field to the manifest.',
+  },
+];
+
+// =============================================================================
+// STRUCTURAL CHECKS
+// =============================================================================
+
+const MANIFEST_EXTENSIONS = new Set(['.json', '.yaml', '.yml']);
+
+function checkManifestFields(filePath, content) {
+  const findings = [];
+  let manifest;
+
+  try {
+    // Only handle JSON manifests for deep structural checks
+    if (!filePath.endsWith('.json')) return findings;
+    manifest = JSON.parse(content);
+  } catch {
+    return findings;
+  }
+
+  const basename = path.basename(filePath);
+  const isAgentManifest = /(?:agent[-_]manifest|agents|hermes\.config|openclaw)/i.test(basename);
+  if (!isAgentManifest) return findings;
+
+  // ── Missing integrity hash on tools array ─────────────────────────────────
+  const tools = manifest.tools || manifest.skills || [];
+  if (Array.isArray(tools)) {
+    for (const tool of tools) {
+      const remoteRef = (tool.url || tool.source || '');
+      const isRemote = /^https?:\/\//i.test(remoteRef);
+      if (isRemote && !tool.integrity && !tool.hash && !tool.checksum) {
+        findings.push(createFinding({
+          rule: 'AGENT_TOOL_NO_INTEGRITY',
+          title: `Tool "${tool.name || tool.id || '?'}" has remote source but no integrity hash`,
+          severity: 'high',
+          file: filePath,
+          line: 0,
+          snippet: JSON.stringify(tool).slice(0, 120),
+          cwe: 'CWE-494',
+          owasp: 'ASI-10',
+          confidence: 'high',
+          description: `Tool "${tool.name || tool.id}" is loaded from a remote URL without an integrity constraint — can be silently replaced.`,
+          fix: 'Add integrity: "sha256-<base64>" to each remotely-sourced tool definition.',
+          category: 'supply-chain',
+        }));
+      }
+    }
+  }
+
+  // ── Agent version unpinned (no exact semver) ──────────────────────────────
+  const version = manifest.version || manifest.agentVersion;
+  if (version && /[\^~*]/.test(String(version))) {
+    findings.push(createFinding({
+      rule: 'AGENT_MANIFEST_UNPINNED',
+      title: 'Agent manifest version uses mutable range',
+      severity: 'high',
+      file: filePath,
+      line: 0,
+      snippet: `version: "${version}"`,
+      cwe: 'CWE-1104',
+      owasp: 'ASI-10',
+      confidence: 'high',
+      description: 'Manifest version field uses a range specifier — future installs may receive a different agent.',
+      fix: 'Use an exact version string without ^ or ~.',
+      category: 'supply-chain',
+    }));
+  }
+
+  // ── Hermes-specific: missing hermes version pin ───────────────────────────
+  const hermesVersion = manifest.hermes?.version || manifest.hermesVersion || manifest.dependencies?.['@nousresearch/hermes-agent'];
+  if (hermesVersion && /[\^~*><=]/.test(String(hermesVersion))) {
+    findings.push(createFinding({
+      rule: 'HERMES_AGENT_UNPINNED',
+      title: 'hermes-agent dependency not pinned in manifest',
+      severity: 'high',
+      file: filePath,
+      line: 0,
+      snippet: `hermes-agent: "${hermesVersion}"`,
+      cwe: 'CWE-1104',
+      owasp: 'ASI-10',
+      confidence: 'high',
+      description: 'The hermes-agent version is not pinned — a compromised minor release would affect all agents using this manifest.',
+      fix: 'Pin to exact version: "@nousresearch/hermes-agent": "x.y.z"',
+      category: 'supply-chain',
+    }));
+  }
+
+  // ── No signature/provenance field at all ─────────────────────────────────
+  const hasProvenance = manifest.signature || manifest.provenance || manifest.attestation || manifest.integrity;
+  if (!hasProvenance && isAgentManifest) {
+    findings.push(createFinding({
+      rule: 'AGENT_NO_PROVENANCE',
+      title: 'Agent manifest has no signature, provenance, or attestation field',
+      severity: 'medium',
+      file: filePath,
+      line: 0,
+      snippet: `(top-level keys: ${Object.keys(manifest).join(', ')})`,
+      cwe: 'CWE-345',
+      owasp: 'ASI-10',
+      confidence: 'high',
+      description: 'No attestation metadata found in manifest — cannot verify the manifest was produced by the expected pipeline.',
+      fix: 'Add a "provenance" or "signature" field referencing a SLSA attestation or signed hash.',
+      category: 'supply-chain',
+    }));
+  }
+
+  return findings;
+}
+
+// =============================================================================
+// AGENT
+// =============================================================================
+
+export class AgentAttestationAgent extends BaseAgent {
+  constructor() {
+    super('AgentAttestationAgent', 'Agent Attestation & Supply Chain — unsigned manifests, unpinned versions, missing provenance', 'supply-chain');
+  }
+
+  shouldRun() { return true; }
+
+  async analyze(context) {
+    const { files = [], rootPath } = context;
+    const findings = [];
+
+    for (const file of files) {
+      const basename = path.basename(file);
+      const ext = path.extname(file);
+
+      // Only scan relevant files
+      const isManifest = MANIFEST_EXTENSIONS.has(ext) && /(?:agent|manifest|hermes|openclaw|config)/i.test(basename);
+      const isPackageJson = basename === 'package.json';
+      const isSourceWithLoad = /\.[jt]s$/.test(ext);
+
+      if (!isManifest && !isPackageJson && !isSourceWithLoad) continue;
+
+      let content;
+      try {
+        content = fs.readFileSync(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      // Skip huge source files that are unlikely to contain manifest loading
+      if (isSourceWithLoad && content.length > 200_000) continue;
+
+      // Pattern-based checks
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const pattern of PATTERNS) {
+          pattern.regex.lastIndex = 0;
+          if (pattern.regex.test(line)) {
+            findings.push(createFinding({
+              rule: pattern.rule,
+              title: pattern.title,
+              severity: pattern.severity,
+              file,
+              line: i + 1,
+              snippet: line.trim().slice(0, 120),
+              cwe: pattern.cwe,
+              owasp: pattern.owasp,
+              confidence: pattern.confidence || 'medium',
+              description: pattern.description,
+              fix: pattern.fix,
+              category: 'supply-chain',
+            }));
+          }
+        }
+      }
+
+      // Structural checks on manifest files
+      if (isManifest || isPackageJson) {
+        findings.push(...checkManifestFields(file, content));
+      }
+    }
+
+    return findings;
+  }
+}

package/cli/agents/agentic-security-agent.js

@@ -215,6 +215,41 @@ const PATTERNS = [
     fix: 'Validate LLM structured output against a schema (Zod, Joi, Pydantic) before processing.',
   },
 
+  // ── Credential Isolation ─────────────────────────────────────────────────
+  {
+    rule: 'AGENT_ENV_FILE_ACCESS',
+    title: 'Agent: Reads .env Files Without Restriction',
+    regex: /(?:readFile|readFileSync|fs\.read|open)\s*\(\s*(?:.*\.env|.*process\.env|.*dotenv)/g,
+    severity: 'high',
+    cwe: 'CWE-522',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Agent code reads .env files or loads dotenv directly. If the agent is compromised via prompt injection, all credentials in the environment file are exposed.',
+    fix: 'Inject only the specific environment variables the agent needs, not the entire .env file. Use scoped credential providers.',
+  },
+  {
+    rule: 'AGENT_NETWORK_AND_FILE_ACCESS',
+    title: 'Agent: Both Network and File Access (Exfiltration Risk)',
+    regex: /(?:tools|capabilities|functions)[\s\S]{0,800}(?:(?:fetch|http|request|axios|got|curl)[\s\S]{0,400}(?:read|file|fs|disk|path)|(?:read|file|fs|disk|path)[\s\S]{0,400}(?:fetch|http|request|axios|got|curl))/g,
+    severity: 'high',
+    cwe: 'CWE-200',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Agent has tools for both file access and network requests. This is the exfiltration combination: read credentials from disk, send them over the network.',
+    fix: 'Separate file-reading agents from network-capable agents. If both are needed, add human-in-the-loop approval for network requests that follow file reads.',
+  },
+  {
+    rule: 'AGENT_ENV_FORWARDED_TO_TOOL',
+    title: 'Agent: Environment Variables Forwarded to Tool',
+    regex: /(?:process\.env|os\.environ|ENV)\s*(?:\[|\.)[\s\S]{0,100}(?:tool|function|action|invoke|call|execute)/g,
+    severity: 'high',
+    cwe: 'CWE-522',
+    owasp: 'A02:2021',
+    confidence: 'medium',
+    description: 'Environment variables (which may contain secrets from Stripe Projects or similar) are forwarded directly to agent tools. A compromised tool receives credentials.',
+    fix: 'Pass only the specific variables each tool needs. Never forward the entire process.env to tool invocations.',
+  },
+
   // ── Audit & Observability ────────────────────────────────────────────────
   {
     rule: 'AGENT_NO_AUDIT_LOG',

package/cli/agents/cicd-scanner.js

@@ -241,6 +241,28 @@ const PATTERNS = [
     description: 'claw-code (Rust/Python Claude Code rewrite) is invoked with --dangerously-skip-permissions in CI. Any prompt injection in the workspace executes without confirmation.',
     fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation.',
   },
+
+  // ── Branch Name Injection (Codex-class attack, CVE pending) ──────────────
+  {
+    rule: 'CICD_BRANCH_NAME_INJECTION',
+    title: 'CI/CD: Unsanitized Branch Name in Shell Command',
+    regex: /(?:git\s+(?:checkout|switch|clone\s+--branch|fetch\s+origin))\s+(?:\$\{\{[^}]*(?:head\.ref|branch|ref_name)[^}]*\}\}|\$(?:BRANCH|GITHUB_HEAD_REF|CI_COMMIT_BRANCH|BITBUCKET_BRANCH))/gi,
+    severity: 'critical',
+    cwe: 'CWE-78',
+    owasp: 'CICD-SEC-4',
+    description: 'Branch name from an external source (PR head ref, environment variable) is passed directly to a git shell command without sanitization. Attackers can create branches with names containing shell metacharacters to inject arbitrary commands. This is the exact attack vector used in the OpenAI Codex GitHub token theft (BeyondTrust Phantom Labs, Mar 2026).',
+    fix: 'Sanitize branch names: strip shell metacharacters, use -- to separate git options from arguments, or use actions/checkout which handles this safely.',
+  },
+  {
+    rule: 'CICD_BRANCH_NAME_IN_RUN',
+    title: 'CI/CD: Branch Name Interpolated in run Step',
+    regex: /run\s*:\s*[^\n]*\$\{\{\s*(?:github\.head_ref|github\.ref_name)\s*\}\}/g,
+    severity: 'high',
+    cwe: 'CWE-78',
+    owasp: 'CICD-SEC-4',
+    description: 'GitHub expression for branch name used directly in a run step. An attacker can craft a branch name with shell injection payloads. This pattern was exploited in the OpenAI Codex vulnerability to steal GitHub OAuth tokens.',
+    fix: 'Assign to an environment variable first: env: BRANCH: ${{ github.head_ref }}, then reference as "$BRANCH" (quoted) in the run step.',
+  },
 ];
 
 export class CICDScanner extends BaseAgent {