ship-safe 8.0.0 → 9.1.0

package/README.md

@@ -16,11 +16,13 @@
 
 ---
 
-22 security agents. 80+ attack classes. One command.
+23 security agents. 80+ attack classes. One command.
 
-**Ship Safe v8.0.0** is an AI-powered security platform that runs 22 specialized agents in parallel against your codebase — covering secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, memory poisoning, Hermes Agent security, Supabase RLS, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, Claude Managed Agent configs, and more. Full OWASP Agentic AI Top 10 mapping (ASI-01–ASI-10) enriches every finding. Live OSV.dev advisory feed surfaces actively exploited CVEs within hours of disclosure. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active.
+**Ship Safe v9.1.0** is an AI-powered security platform that runs 23 specialized agents in parallel against your codebase — covering secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, AI integration supply chain (Vercel-class attacks), memory poisoning, Hermes Agent security, Supabase RLS, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, Claude Managed Agent configs, and more. Full OWASP Agentic AI Top 10 mapping (ASI-01–ASI-10) enriches every finding. Live OSV.dev advisory feed surfaces actively exploited CVEs within hours of disclosure. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active.
 
-**v8.0.0 highlights:** **Ship Safe × Hermes Agent** — two new agents purpose-built for [NousResearch Hermes Agent](https://github.com/NousResearch/hermes-function-calling) deployments. `HermesSecurityAgent` detects 17 attack patterns across the full OWASP Agentic AI Top 10 surface: tool registry poisoning, function-call injection, goal/plan hijacking, memory layer attacks, skill permission drift, and multi-agent trust boundary violations. `AgentAttestationAgent` catches supply-chain failures in agent manifests: unpinned versions, missing integrity hashes on remote tool sources, unsigned manifests, and dynamic `require()` of manifests from env vars. Both agents integrate into the `--agentic` loop for automated scan → annotate → re-scan cycles. Ship Safe is now a first-class Hermes citizen via `skills/ship-safe-security.md` and `registerWithHermes()`.
+**v9.1.0 highlights:** **AgenticSupplyChainAgent & Vercel Breach Checker** — new 23rd agent detects AI integration supply chain attacks (Vercel-class): unpinned AI CI actions, OAuth scope abuse in platform integrations, unsigned webhook handlers, and MCP/Hermes cross-boundary token forwarding. New public breach impact checker at /breach/vercel-april-2026 lets any Vercel user self-serve all four checks without the CLI. Full incident analysis published.
+
+**v9.0.0:** **Agent Studio, Teams & Findings** — the web dashboard is now a full AI security operations platform. **Agent Studio** lets you build, configure, and deploy custom Hermes security agents from the UI — give each agent a role, tools, and memory, then deploy to a live container in one click. **Agent Console** provides a live SSE chat interface with ANSI color rendering and per-session run history. **Agent Teams** orchestrate multiple specialist agents (pen tester, secrets scanner, CVE analyst) under a lead agent that plans, delegates tasks in parallel, and synthesises an executive security report. **Agent Triggers** add webhook and cron-based automation per agent. The new **Findings Dashboard** aggregates all security findings across every agent run with severity charts, trend data, and one-click GitHub issue creation. Billing has moved to monthly subscriptions (Pro at $9/month, Team at $19/seat/month) with automatic plan downgrade on cancellation.
 
 [Documentation](https://shipsafecli.com/docs) | [Blog](https://shipsafecli.com/blog) | [Pricing](https://shipsafecli.com/pricing)
 
@@ -29,7 +31,7 @@
 ## Quick Start
 
 ```bash
-# Full security audit — secrets + 22 agents + deps + remediation plan
+# Full security audit — secrets + 23 agents + deps + remediation plan
 npx ship-safe audit .
 
 # LLM-powered deep analysis (Anthropic, OpenAI, Google, Ollama, Gemma 4)
@@ -39,7 +41,7 @@ npx ship-safe audit . --deep
 npx ship-safe audit . --agentic
 npx ship-safe audit . --agentic 5 --agentic-target 85
 
-# Red team scan (22 agents, 80+ attack classes)
+# Red team scan (23 agents, 80+ attack classes)
 npx ship-safe red-team .
 
 # Scan only changed files (fast pre-commit & PR scanning)
@@ -51,7 +53,7 @@ npx ship-safe advisories .
 
 # Continuous monitoring
 npx ship-safe watch .                         # Lightweight file watcher
-npx ship-safe watch . --deep                  # Full 22-agent scan on every change
+npx ship-safe watch . --deep                  # Full 23-agent scan on every change
 npx ship-safe watch . --deep --threshold 80   # Fail if score drops below threshold
 npx ship-safe watch . --status                # Show last deep-watch results
 
@@ -99,11 +101,11 @@ npx ship-safe audit .
 
 ```
 ════════════════════════════════════════════════════════════
-  Ship Safe v8.0 — Full Security Audit
+  Ship Safe v9.0 — Full Security Audit
 ════════════════════════════════════════════════════════════
 
   [Phase 1/4] Scanning for secrets...         ✔ 49 found
-  [Phase 2/4] Running 22 security agents...   ✔ 103 findings
+  [Phase 2/4] Running 23 security agents...   ✔ 103 findings
   [Phase 3/4] Auditing dependencies...        ✔ 44 CVEs
   [Phase 4/4] Computing security score...     ✔ 25/100 F
 
@@ -130,7 +132,7 @@ npx ship-safe audit .
 
 **What it runs:**
 1. **Secret scan** — 50+ patterns with entropy scoring (API keys, passwords, tokens)
-2. **22 security agents** — run in parallel with per-agent timeouts and framework-aware filtering
+2. **23 security agents** — run in parallel with per-agent timeouts and framework-aware filtering
 3. **Dependency audit** — npm/pip/bundler CVE scanning with EPSS exploit probability scores
 4. **Secrets verification** — probes provider APIs (GitHub, Stripe, OpenAI, etc.) to check if leaked keys are still active
 5. **Deep analysis** — LLM-powered taint analysis verifies exploitability of critical/high findings (optional)
@@ -165,7 +167,7 @@ npx ship-safe audit .
 
 ---
 
-## 22 Security Agents
+## 23 Security Agents
 
 | Agent | Category | What It Detects |
 |-------|----------|-----------------|
@@ -189,8 +191,9 @@ npx ship-safe audit .
 | **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection, AI agent danger flags |
 | **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
 | **ManagedAgentScanner** | AI/LLM | Claude Managed Agents misconfigurations — `always_allow` permission policies, unrestricted networking, bash without human confirmation, MCP servers over HTTP, hardcoded vault tokens, unpinned environment packages (ASI-03, ASI-04, ASI-05, ASI-07) |
-| **HermesSecurityAgent** *(new)* | AI/LLM | Hermes Agent deployments — tool registry poisoning, function-call injection (`<tool_call>` / `<function_calls>`), goal/plan hijacking, memory layer attacks, skill permission drift, sub-agent trust boundary violations, manifest attestation (ASI-01–ASI-10) |
-| **AgentAttestationAgent** *(new)* | Supply Chain | Agent manifest supply chain — unpinned versions (`latest`, `^`, `~`), missing integrity hashes on remote tool sources, unsigned manifests, `skipIntegrityCheck` bypass, dynamic `require()` of manifests from env vars, missing provenance fields (ASI-10, SLSA Level 0) |
+| **HermesSecurityAgent** | AI/LLM | Hermes Agent deployments — tool registry poisoning, function-call injection (`<tool_call>` / `<function_calls>`), goal/plan hijacking, memory layer attacks, skill permission drift, sub-agent trust boundary violations, manifest attestation (ASI-01–ASI-10) |
+| **AgentAttestationAgent** | Supply Chain | Agent manifest supply chain — unpinned versions (`latest`, `^`, `~`), missing integrity hashes on remote tool sources, unsigned manifests, `skipIntegrityCheck` bypass, dynamic `require()` of manifests from env vars, missing provenance fields (ASI-10, SLSA Level 0) |
+| **AgenticSupplyChainAgent** *(new)* | Supply Chain | AI integration supply chain — over-privileged AI CI actions (Vercel/GitHub/Netlify), OAuth scope creep in AI platform integrations, unsigned AI webhook receivers (missing HMAC), MCP/Hermes cross-boundary token forwarding to third-party servers (ASI-02, ASI-06, ASI-09, CICD-SEC-8) |
 
 **Post-processors:** ScoringEngine (8-category weighted scoring with OWASP Agentic AI Top 10 enrichment), VerifierAgent (secrets liveness verification), DeepAnalyzer (LLM-powered taint analysis)
 
@@ -204,7 +207,7 @@ npx ship-safe audit .
 # Full audit with remediation plan + HTML report
 npx ship-safe audit .
 
-# Red team: 22 agents, 80+ attack classes
+# Red team: 23 agents, 80+ attack classes
 npx ship-safe red-team .
 npx ship-safe red-team . --agents injection,auth    # Run specific agents
 npx ship-safe red-team . --html report.html         # HTML report
@@ -461,7 +464,7 @@ npx ship-safe watch . --configs
 # Lightweight file watcher — re-scans changed files on save
 npx ship-safe watch .
 
-# Deep watch — full 22-agent orchestrator on every change
+# Deep watch — full 23-agent orchestrator on every change
 npx ship-safe watch . --deep
 npx ship-safe watch . --deep --threshold 80   # Fail if score drops below threshold
 npx ship-safe watch . --deep --debounce 2000  # Custom debounce in ms (default: 1000)
@@ -522,7 +525,7 @@ claude plugin add github:asamassekou10/ship-safe
 
 | Command | Description |
 |---------|-------------|
-| `/ship-safe` | Full security audit — 22 agents, remediation plan, auto-fix |
+| `/ship-safe` | Full security audit — 23 agents, remediation plan, auto-fix |
 | `/ship-safe-scan` | Quick scan for leaked secrets |
 | `/ship-safe-score` | Security health score (0-100) |
 | `/ship-safe-deep` | LLM-powered deep taint analysis |

package/cli/agents/agentic-supply-chain-agent.js

@@ -0,0 +1,463 @@
+/**
+ * AgenticSupplyChainAgent
+ * ========================
+ *
+ * Detects supply chain attack vectors specific to AI integrations —
+ * the class of vulnerability exploited in the Vercel April 2026 incident.
+ *
+ * Four detection tracks:
+ *   1. Over-privileged AI actions in CI (GitHub Actions)
+ *   2. Excessive OAuth scopes in AI platform integrations
+ *   3. Webhook receivers that trust AI platform payloads without HMAC
+ *   4. Agent tools forwarding credentials cross-boundary (MCP / Hermes)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// ── Track 1: AI actions in CI with overly broad scopes ───────────────────────
+// Match action names that are AI-related — these get elevated scrutiny because
+// a compromised AI CI action has access to secrets + can exfiltrate model outputs.
+const AI_ACTION_NAME_RE = /uses\s*:\s*([\w.-]+\/[\w.-]*(?:ai|llm|copilot|claude|openai|anthropic|gpt|gemini|cursor|codeium|tabnine|hermes|codex|devin|agent|autopilot)[\w.-]*)@([\w./-]+)/gi;
+
+// Broad write/admin scopes in the same workflow as an AI action
+const BROAD_SCOPE_PATTERNS = [
+  {
+    rule: 'AI_CI_WRITE_ALL',
+    title: 'AI CI Action: Workflow Has write-all Permissions',
+    regex: /permissions\s*:\s*write-all/g,
+    severity: 'critical',
+    cwe: 'CWE-250',
+    owasp: 'ASI-02',
+    description: 'This workflow uses an AI action and has write-all permissions. A compromised AI action (e.g. via a malicious model response or prompt injection) can exfiltrate all repository secrets and push malicious code. This is the permission level abused in the Vercel April 2026 AI pipeline compromise.',
+    fix: 'Scope permissions to the minimum needed. If the AI action only reads code, use: permissions: { contents: read }',
+  },
+  {
+    rule: 'AI_CI_ADMIN_SCOPE',
+    title: 'AI CI Action: Administration Write Permission',
+    regex: /administration\s*:\s*write/g,
+    severity: 'critical',
+    cwe: 'CWE-250',
+    owasp: 'ASI-02',
+    description: 'Administration write scope in a workflow that may include AI actions grants branch protection bypass. An AI agent with prompt injection can use this to push directly to protected branches.',
+    fix: 'Remove administration: write unless absolutely necessary. AI actions do not require administration scope.',
+  },
+  {
+    rule: 'AI_CI_SECRETS_WRITE',
+    title: 'AI CI Action: Secrets Write Permission',
+    regex: /secrets\s*:\s*write/g,
+    severity: 'critical',
+    cwe: 'CWE-250',
+    owasp: 'ASI-02',
+    description: 'Secrets write permission in a CI workflow. If an AI action is present, a prompt injection attack could cause the agent to overwrite repository secrets.',
+    fix: 'Remove secrets: write. AI actions should only read secrets via environment variables.',
+  },
+  {
+    rule: 'AI_CI_PACKAGES_WRITE',
+    title: 'AI CI Action: Packages Write Permission',
+    regex: /packages\s*:\s*write/g,
+    severity: 'high',
+    cwe: 'CWE-829',
+    owasp: 'ASI-02',
+    confidence: 'medium',
+    description: 'Packages write permission in a workflow with AI actions. A supply chain attack via prompt injection could cause the AI agent to publish malicious packages to the GitHub Container Registry.',
+    fix: 'Separate package publishing into a dedicated workflow without AI actions. Use packages: read in AI workflows.',
+  },
+  {
+    rule: 'AI_CI_UNPINNED_AI_ACTION',
+    title: 'AI CI Action: Unpinned AI Action (mutable tag)',
+    // Matches AI action uses: lines NOT pinned to a 40-char SHA
+    regex: /uses\s*:\s*[\w.-]*(?:ai|llm|copilot|claude|openai|anthropic|gpt|gemini|cursor|codeium|tabnine|hermes|codex|devin|agent|autopilot)[\w.-]*\/[\w.-]+@(?![\da-f]{40}\b)[\w./-]+/gi,
+    severity: 'critical',
+    cwe: 'CWE-829',
+    owasp: 'CICD-SEC-8',
+    description: 'An AI-related GitHub Action is not pinned to a full commit SHA. AI actions are high-value supply chain targets: a compromised action version can exfiltrate all secrets passed to it and inject malicious code into AI-generated PRs. This is the exact vector used against Vercel in April 2026.',
+    fix: 'Pin to the full 40-character commit SHA: uses: ai-vendor/action@a1b2c3d4e5f6... # v1.2.3',
+  },
+];
+
+// ── Track 2: Excessive OAuth scopes in AI platform integrations ──────────────
+
+// Vercel integration config — checks for AI integrations with broad scopes
+const VERCEL_AI_INTEGRATIONS = new Set([
+  'vercel-ai', 'v0', 'cursor', 'codeium', 'copilot', 'openai',
+  'anthropic', 'gemini', 'devin', 'sweep', 'cody', 'tabnine',
+]);
+
+// GitHub App manifest: dangerous scopes that AI apps rarely need
+const DANGEROUS_GITHUB_APP_SCOPES = new Set([
+  'administration', 'organization_administration', 'secrets',
+  'organization_secrets', 'actions', 'organization_hooks',
+  'members', 'organization_plan',
+]);
+
+// Netlify plugin scopes
+const NETLIFY_AI_PLUGINS = new Set([
+  '@netlify/plugin-ai', 'netlify-plugin-openai', 'netlify-plugin-anthropic',
+  'netlify-plugin-langchain', 'netlify-plugin-vector-db',
+]);
+
+// ── Track 3: Webhook receivers that skip HMAC ────────────────────────────────
+// We look for route handlers that parse AI platform webhook payloads
+// without verifying a signature.
+
+const WEBHOOK_PATTERNS = [
+  {
+    rule: 'WEBHOOK_NO_HMAC_OPENAI',
+    title: 'Webhook: OpenAI Payload Without Signature Verification',
+    regex: /(?:openai|stripe|linear|vercel)[._-]?(?:webhook|event|payload|hook)/gi,
+    severity: 'high',
+    cwe: 'CWE-345',
+    owasp: 'ASI-06',
+    description: 'Route appears to handle AI platform webhook events. If the Stripe-Signature / OpenAI-Signature header is not verified via HMAC-SHA256, an attacker can forge arbitrary events to trigger AI agent actions (e.g., invoice.paid spoofing to grant premium access, or forging model completion events to inject malicious output).',
+    fix: 'Verify the webhook signature before processing: compare the HMAC-SHA256 of the raw body against the signature header using a constant-time comparison.',
+  },
+  {
+    rule: 'WEBHOOK_RAW_BODY_NOT_USED',
+    title: 'Webhook: Parsed JSON Body Used for HMAC Input',
+    // Catches cases where body is JSON.parsed BEFORE signature check
+    regex: /(?:req|request|event)\.(?:body|json\(\))\s*(?:;|\n|\.)/g,
+    severity: 'medium',
+    cwe: 'CWE-345',
+    owasp: 'ASI-06',
+    confidence: 'low',
+    description: 'HMAC webhook verification requires the raw request body bytes — JSON.parse then re-stringify changes whitespace and property order, invalidating the signature check. Always read the raw buffer before any JSON parsing.',
+    fix: 'Use express.raw({ type: "application/json" }) or Buffer from readable stream before calling JSON.parse.',
+  },
+];
+
+// HMAC verification markers — if any of these appear near a webhook route, we
+// suppress the Track 3 findings for that file (not a simple regex thing — handled
+// in the custom analyze logic below).
+const HMAC_MARKERS = [
+  /createHmac/,
+  /timingSafeEqual/,
+  /stripe\.webhooks\.constructEvent/,
+  /verifySignature/,
+  /webhook[Ss]ecret/,
+  /x-hub-signature/i,
+  /svix-signature/i,
+  /openai-beta-assistant/i,
+];
+
+// ── Track 4: Cross-boundary token forwarding in agent tool configs ────────────
+
+const TOKEN_FORWARD_PATTERNS = [
+  {
+    rule: 'MCP_TOKEN_FORWARD_ENV',
+    title: 'MCP: Agent Tool Forwards Auth Token to Third-Party URL',
+    // env vars that look like bearer tokens / API keys passed to remote tool servers
+    regex: /(?:ANTHROPIC_API_KEY|OPENAI_API_KEY|GITHUB_TOKEN|VERCEL_TOKEN|LINEAR_API_KEY|SLACK_BOT_TOKEN|GH_PAT|CI_TOKEN)\s*[:=]\s*(?:\$\{[^}]+\}|["'][^"']{10,}["'])/g,
+    severity: 'high',
+    cwe: 'CWE-200',
+    owasp: 'ASI-09',
+    description: 'A high-value credential is set in an MCP server or agent tool configuration. If the tool server URL points to a third-party host, this credential will be transmitted to that host on every tool call — the data exfiltration vector exploited in the April 2026 Vercel incident where compromised AI integrations forwarded Vercel deployment tokens.',
+    fix: 'Never pass production credentials to third-party MCP servers. Use scoped, read-only tokens. Prefer official first-party integrations.',
+  },
+  {
+    rule: 'MCP_THIRD_PARTY_SERVER_WITH_AUTH',
+    title: 'MCP: Third-Party Server URL With Auth Headers',
+    regex: /(?:url|baseUrl|endpoint|server)\s*[:=]\s*["']https?:\/\/(?!localhost|127\.|0\.0\.0\.0|::1)([^"'/]+)[^"']*["'][^}]{0,200}(?:Authorization|Bearer|api[_-]?key|token)/gs,
+    severity: 'critical',
+    cwe: 'CWE-200',
+    owasp: 'ASI-09',
+    description: 'An MCP server configuration sends auth headers to a non-localhost URL. The remote MCP server receives every tool call result, including file contents and environment variable values. A compromised or malicious MCP server at this URL is a silent data exfiltration channel.',
+    fix: 'Audit this MCP server. Prefer self-hosted or officially verified servers. If third-party is required, use a dedicated secrets-free agent profile.',
+  },
+  {
+    rule: 'HERMES_TOOL_EXFIL',
+    title: 'Hermes: Tool Config Forwards Credentials to Remote URL',
+    regex: /(?:tools?|plugin)\s*[:=]\s*\{[^}]{0,400}(?:url|endpoint)\s*[:=]\s*["']https?:\/\/(?!localhost|127\.|0\.0\.0\.0)[^"']+["'][^}]{0,200}(?:auth|token|key|secret|bearer)/gis,
+    severity: 'critical',
+    cwe: 'CWE-200',
+    owasp: 'ASI-09',
+    description: 'A Hermes agent tool configuration passes authentication material to a remote endpoint. Hermes tools execute with the full ambient credentials of the agent — a malicious tool server receives them all.',
+    fix: 'Audit all Hermes tool endpoints. Use allowlist-based URL validation and never inject high-privilege tokens into tool configs.',
+  },
+  {
+    rule: 'AGENT_OAUTH_SCOPE_CREEP',
+    title: 'Agent Config: Dangerously Broad OAuth Scopes',
+    regex: /scopes?\s*[:=]\s*(?:\[|["'])(?:[^"'\]]*,\s*){3,}[^"'\]]*/g,
+    severity: 'high',
+    cwe: 'CWE-272',
+    owasp: 'ASI-02',
+    confidence: 'medium',
+    description: 'Agent OAuth configuration requests 4 or more scopes. AI agents should follow least-privilege: request only the scopes needed for the specific task. Broad scope sets increase the blast radius of a prompt injection attack.',
+    fix: 'Reduce to the minimum required scopes. Create separate agent profiles for different task types.',
+  },
+];
+
+export class AgenticSupplyChainAgent extends BaseAgent {
+  constructor() {
+    super(
+      'AgenticSupplyChainAgent',
+      'Detect AI integration supply chain attack vectors (over-privileged CI actions, OAuth scope abuse, unsigned webhooks, cross-boundary token forwarding)',
+      'supply-chain'
+    );
+  }
+
+  async analyze(context) {
+    const { rootPath, files } = context;
+    const findings = [];
+
+    // ── Track 1: Over-privileged AI actions in CI ─────────────────────────────
+    const ciFiles = files.filter(f => {
+      const rel = path.relative(rootPath, f).replace(/\\/g, '/');
+      return rel.startsWith('.github/workflows/') && /\.ya?ml$/.test(f);
+    });
+
+    for (const file of ciFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+
+      // Check if this workflow uses any AI actions
+      const hasAiAction = AI_ACTION_NAME_RE.test(content);
+      AI_ACTION_NAME_RE.lastIndex = 0;
+
+      if (hasAiAction) {
+        // Flag broad scope patterns in this workflow
+        findings.push(...this.scanFileWithPatterns(file, BROAD_SCOPE_PATTERNS));
+
+        // Flag AI actions not pinned to a commit SHA
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          AI_ACTION_NAME_RE.lastIndex = 0;
+          let m;
+          while ((m = AI_ACTION_NAME_RE.exec(lines[i])) !== null) {
+            const ref = m[2];
+            // Warn if ref is NOT a 40-char hex SHA
+            if (!/^[0-9a-f]{40}$/i.test(ref)) {
+              findings.push(createFinding({
+                file,
+                line: i + 1,
+                column: m.index + 1,
+                severity: 'critical',
+                category: this.category,
+                rule: 'AI_CI_UNPINNED_AI_ACTION',
+                title: `AI CI Action Not Pinned to SHA: ${m[1]}@${ref}`,
+                description: `The AI action "${m[1]}" is referenced by a mutable tag ("${ref}") rather than a commit SHA. A supply chain attack via tag hijacking (as seen in April 2026) can replace this action with a credential stealer. All secrets passed to this action would be silently exfiltrated.`,
+                matched: m[0],
+                cwe: 'CWE-829',
+                owasp: 'CICD-SEC-8',
+                fix: `Pin to the full 40-character commit SHA: uses: ${m[1]}@<sha> # ${ref}`,
+              }));
+            }
+          }
+          AI_ACTION_NAME_RE.lastIndex = 0;
+        }
+      }
+    }
+
+    // ── Track 2: Excessive OAuth scopes in AI platform integrations ───────────
+
+    // vercel.json / .vercel/project.json
+    for (const vercelConfig of ['vercel.json', '.vercel/project.json']) {
+      const p = path.join(rootPath, vercelConfig);
+      if (!fs.existsSync(p)) continue;
+      try {
+        const cfg = JSON.parse(fs.readFileSync(p, 'utf-8'));
+        this._auditVercelIntegrations(p, cfg, findings);
+      } catch { /* skip parse errors */ }
+    }
+
+    // GitHub App manifests (app.yml, .github/app.yml, github-app.yml)
+    for (const appManifest of [
+      'app.yml', 'app.yaml',
+      '.github/app.yml', '.github/app.yaml',
+      'github-app.yml', 'github-app.yaml',
+    ]) {
+      const p = path.join(rootPath, appManifest);
+      if (!fs.existsSync(p)) continue;
+      this._auditGitHubAppManifest(p, findings);
+    }
+
+    // netlify.toml
+    const netlifyPath = path.join(rootPath, 'netlify.toml');
+    if (fs.existsSync(netlifyPath)) {
+      this._auditNetlify(netlifyPath, findings);
+    }
+
+    // ── Track 3: Webhook receivers without HMAC ───────────────────────────────
+    const webhookFiles = files.filter(f => {
+      const rel = path.relative(rootPath, f).replace(/\\/g, '/');
+      return (
+        /webhook/i.test(rel) &&
+        !f.includes('node_modules') &&
+        /\.(js|ts|mjs|cjs)$/.test(f)
+      );
+    });
+
+    for (const file of webhookFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+
+      const hasHmac = HMAC_MARKERS.some(re => re.test(content));
+      if (!hasHmac) {
+        // Only fire if the file actually looks like it handles AI/payment webhook events
+        const looksLikeWebhook = /(?:openai|anthropic|vercel|stripe|linear|github|slack).*(?:event|payload|hook)/i.test(content);
+        if (looksLikeWebhook) {
+          findings.push(createFinding({
+            file,
+            line: 1,
+            severity: 'high',
+            category: this.category,
+            rule: 'WEBHOOK_NO_HMAC_VERIFICATION',
+            title: 'AI Platform Webhook: No HMAC Signature Verification',
+            description: 'This webhook handler processes AI or payment platform events but no HMAC verification was detected. An attacker can POST forged events to trigger AI agent actions, grant access, or inject malicious payloads — without a valid signature. This was a secondary exploit path in the April 2026 Vercel incident.',
+            matched: path.basename(file),
+            cwe: 'CWE-345',
+            owasp: 'ASI-06',
+            fix: 'Verify the platform-specific signature header (e.g. Stripe-Signature, X-Hub-Signature-256) using HMAC-SHA256 with a constant-time comparison before processing any event.',
+          }));
+        }
+      }
+    }
+
+    // Also scan for raw-body anti-pattern in verified webhook files
+    for (const file of webhookFiles) {
+      findings.push(...this.scanFileWithPatterns(file, [WEBHOOK_PATTERNS[1]]));
+    }
+
+    // ── Track 4: Cross-boundary token forwarding ──────────────────────────────
+    const agentConfigFiles = files.filter(f => {
+      const rel = path.relative(rootPath, f).replace(/\\/g, '/');
+      const base = path.basename(f);
+      return (
+        !f.includes('node_modules') &&
+        (
+          /mcp[._-]?(?:server|config|settings)/i.test(base) ||
+          /\.hermes(?:rc|\.json|\.yaml|\.yml)$/.test(base) ||
+          /hermes[._-]?config/i.test(base) ||
+          /agent[._-]?config/i.test(base) ||
+          /claude[._-]?(?:md|settings|config)/i.test(base) ||
+          base === '.mcp.json' ||
+          base === 'mcp.json' ||
+          rel.includes('.claude/') ||
+          rel.includes('.hermes/')
+        )
+      );
+    });
+
+    for (const file of agentConfigFiles) {
+      findings.push(...this.scanFileWithPatterns(file, TOKEN_FORWARD_PATTERNS));
+    }
+
+    // Also scan workflow files for token forwarding to external MCP servers
+    for (const file of ciFiles) {
+      findings.push(...this.scanFileWithPatterns(file, [TOKEN_FORWARD_PATTERNS[0]]));
+    }
+
+    return findings;
+  }
+
+  // ── Helpers ──────────────────────────────────────────────────────────────────
+
+  _auditVercelIntegrations(filePath, cfg, findings) {
+    // Vercel integrations can specify required scopes — check for overly broad ones
+    const integrations = cfg.integrations || cfg.extensions || [];
+    if (!Array.isArray(integrations)) return;
+
+    for (const integration of integrations) {
+      const name = (integration.name || integration.slug || '').toLowerCase();
+      const isAi = VERCEL_AI_INTEGRATIONS.has(name) ||
+        /ai|llm|copilot|claude|gpt|agent|cursor/.test(name);
+      if (!isAi) continue;
+
+      const scopes = integration.scopes || integration.permissions || [];
+      const broadScopes = (Array.isArray(scopes) ? scopes : Object.keys(scopes))
+        .filter(s => /write|admin|delete|deploy|secret/.test(String(s).toLowerCase()));
+
+      if (broadScopes.length > 0) {
+        findings.push(createFinding({
+          file: filePath,
+          line: 0,
+          severity: 'high',
+          category: this.category,
+          rule: 'VERCEL_AI_INTEGRATION_BROAD_SCOPE',
+          title: `Vercel AI Integration Overly Broad Scopes: ${name}`,
+          description: `The Vercel AI integration "${name}" requests write/admin scopes: ${broadScopes.join(', ')}. If this integration is compromised (e.g. via a trojanized update — the vector in the April 2026 Vercel incident), it can modify deployments, exfiltrate secrets, or inject malicious environment variables.`,
+          matched: broadScopes.join(', '),
+          cwe: 'CWE-272',
+          owasp: 'ASI-02',
+          fix: `Review whether "${name}" actually needs ${broadScopes.join(', ')} scope. Request read-only scopes where possible.`,
+        }));
+      }
+    }
+  }
+
+  _auditGitHubAppManifest(filePath, findings) {
+    const content = this.readFile(filePath);
+    if (!content) return;
+
+    // Check for dangerous permission combinations
+    for (const scope of DANGEROUS_GITHUB_APP_SCOPES) {
+      const re = new RegExp(`${scope}\\s*:\\s*write`, 'gi');
+      if (re.test(content)) {
+        findings.push(createFinding({
+          file: filePath,
+          line: 0,
+          severity: 'high',
+          category: this.category,
+          rule: 'GITHUB_APP_DANGEROUS_SCOPE',
+          title: `GitHub App Manifest: Dangerous Scope "${scope}: write"`,
+          description: `The GitHub App manifest requests "${scope}: write". If this app integrates AI functionality, a supply chain compromise of the app (malicious version update, OAuth token theft) grants an attacker ${scope} write access across all installed repositories.`,
+          matched: `${scope}: write`,
+          cwe: 'CWE-272',
+          owasp: 'ASI-02',
+          fix: `Only request write access to scopes your app directly needs. Consider splitting AI-only functionality into a separate app with minimal permissions.`,
+        }));
+      }
+    }
+
+    // Check if the app manifest includes a webhook URL without TLS
+    const webhookMatch = content.match(/webhook_url\s*:\s*["']?(http:\/\/[^"'\s]+)/i);
+    if (webhookMatch) {
+      findings.push(createFinding({
+        file: filePath,
+        line: 0,
+        severity: 'high',
+        category: this.category,
+        rule: 'GITHUB_APP_INSECURE_WEBHOOK',
+        title: 'GitHub App Manifest: Webhook URL Without TLS',
+        description: `The GitHub App webhook_url uses plain HTTP: "${webhookMatch[1]}". All event payloads (including code review comments and CI results) are transmitted unencrypted, and the HMAC signature over HTTP provides no protection against MITM injection.`,
+        matched: webhookMatch[1],
+        cwe: 'CWE-319',
+        owasp: 'A02:2021',
+        fix: 'Use an https:// webhook URL. GitHub will not deliver events to HTTP URLs in production.',
+      }));
+    }
+  }
+
+  _auditNetlify(filePath, findings) {
+    const content = this.readFile(filePath);
+    if (!content) return;
+
+    // Look for AI plugins in netlify.toml [[plugins]] sections
+    const pluginMatches = content.matchAll(/\[\[plugins\]\][^\[]*package\s*=\s*["']([^"']+)["']/gs);
+    for (const m of pluginMatches) {
+      const pkg = m[1];
+      if (!NETLIFY_AI_PLUGINS.has(pkg) && !/ai|llm|openai|anthropic|langchain|vector/.test(pkg)) continue;
+
+      // Check if the plugin section has env vars containing secrets
+      const pluginSection = m[0];
+      if (/(?:api[_-]?key|token|secret)\s*=\s*["']?\$\{?(?:process\.env|env)\./i.test(pluginSection)) {
+        findings.push(createFinding({
+          file: filePath,
+          line: 0,
+          severity: 'high',
+          category: this.category,
+          rule: 'NETLIFY_AI_PLUGIN_SECRET_EXPOSURE',
+          title: `Netlify AI Plugin Exposes Secrets in Build Config: ${pkg}`,
+          description: `The Netlify AI plugin "${pkg}" receives secrets via the build configuration. Netlify plugins run in the build environment with access to all env vars. A compromised plugin version can exfiltrate every secret in your Netlify site.`,
+          matched: pkg,
+          cwe: 'CWE-312',
+          owasp: 'ASI-09',
+          fix: 'Pin the plugin to a specific version and verify it on npm before updating. Only pass the minimum required secrets.',
+        }));
+      }
+    }
+  }
+}
+
+export default AgenticSupplyChainAgent;