vigilsec 0.1.0__py3-none-any.whl

vigil/__init__.py

@@ -0,0 +1,2 @@
+"""Vigil — AI coding security co-pilot."""
+__version__ = "0.1.0"

vigil/cli.py

@@ -0,0 +1,175 @@
+"""vigil scan <file|dir> [--format terminal|json|sarif] [--severity CRITICAL|HIGH|...]
+vigil init [--global]
+vigil feedback
+
+Exit codes (scan):
+  0 — no findings
+  1 — advisory findings only (MEDIUM/LOW/INFO)
+  2 — CRITICAL or HIGH findings present (causes Claude Code to block the write)
+"""
+import argparse
+import json as _json
+import sys
+import webbrowser
+from pathlib import Path
+
+from .config import load_config
+from .engine import Engine
+from .reporter import report_terminal, report_json, report_sarif
+from .rules import DEFAULT_RULES, Severity, SEVERITY_ORDER
+
+
+def _find_hook_sh() -> Path | None:
+    """Locate plugin/hook.sh relative to this file (works for editable installs)."""
+    here = Path(__file__).resolve().parent
+    candidates = [
+        here.parent.parent / "plugin" / "hook.sh",    # editable: src/vigil/ → project root
+        Path.home() / ".vigil" / "plugin" / "hook.sh",
+        Path("/usr/local/share/vigil/hook.sh"),
+    ]
+    return next((p for p in candidates if p.exists()), None)
+
+
+def _run_init(global_install: bool) -> None:
+    hook_sh = _find_hook_sh()
+    if hook_sh is None:
+        print(
+            "vigil init: could not locate plugin/hook.sh.\n"
+            "Run from the vigil project directory or see plugin/README_INSTALL.md.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    # Ensure hook.sh is executable — git clones and zip downloads often strip the bit
+    if not hook_sh.stat().st_mode & 0o111:
+        hook_sh.chmod(hook_sh.stat().st_mode | 0o755)
+        print(f"Fixed execute permission on {hook_sh.name}")
+
+    settings_path = (
+        Path.home() / ".claude" / "settings.json"
+        if global_install
+        else Path.cwd() / ".claude" / "settings.json"
+    )
+    settings_path.parent.mkdir(parents=True, exist_ok=True)
+
+    settings: dict = {}
+    if settings_path.exists():
+        try:
+            settings = _json.loads(settings_path.read_text())
+        except (_json.JSONDecodeError, OSError):
+            settings = {}
+
+    post_tool_use: list = settings.setdefault("hooks", {}).setdefault("PostToolUse", [])
+    for entry in post_tool_use:
+        for h in entry.get("hooks", []):
+            if Path(h.get("command", "")).name == hook_sh.name:
+                print(f"Vigil hook already installed in {settings_path}")
+                return
+
+    post_tool_use.append({
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [{"type": "command", "command": str(hook_sh)}],
+    })
+    settings_path.write_text(_json.dumps(settings, indent=2) + "\n")
+    print(f"Vigil hook installed → {settings_path}")
+    print("Reload Claude Code to activate.")
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(
+        prog="vigil",
+        description="AI coding security co-pilot — blocks insecure code at generation time.",
+    )
+    sub = parser.add_subparsers(dest="command")
+
+    scan_p = sub.add_parser("scan", help="Scan a file or directory")
+    scan_p.add_argument("path", type=Path)
+    scan_p.add_argument(
+        "--format", choices=["terminal", "json", "sarif"], default="terminal",
+        help="Output format (default: terminal)",
+    )
+    scan_p.add_argument(
+        "--severity", choices=[s.value for s in Severity], default=None,
+        help="Only report findings at this severity level or higher",
+    )
+    scan_p.add_argument("--no-color", action="store_true", help="Disable ANSI color output")
+
+    init_p = sub.add_parser("init", help="Wire the Vigil PostToolUse hook into .claude/settings.json")
+    init_p.add_argument(
+        "--global", dest="global_install", action="store_true",
+        help="Install into ~/.claude/settings.json (user-wide) instead of ./.claude/settings.json",
+    )
+
+    sub.add_parser("feedback", help="Open the Vigil feedback & waitlist page")
+
+    args = parser.parse_args()
+    if args.command is None:
+        parser.print_help()
+        sys.exit(0)
+
+    if args.command == "feedback":
+        url = "https://thefwss.com/vigil"
+        print(f"Opening {url}")
+        print("Or email: prem.fwss@gmail.com")
+        webbrowser.open(url)
+        return
+
+    if args.command == "init":
+        _run_init(args.global_install)
+        return
+
+    path = args.path.resolve()
+    config = load_config(path)
+    rules = [r for r in DEFAULT_RULES if r.id not in config.disabled_rules]
+    engine = Engine(rules=rules, telemetry_enabled=config.telemetry)
+
+    if path.is_file():
+        # Honour exclude_paths for single-file scans too (same logic scan_dir uses)
+        if config.exclude_paths and any(part in config.exclude_paths for part in path.parts):
+            results = {}
+        else:
+            findings = engine.scan(path)
+            results = {path: findings} if findings else {}
+    elif path.is_dir():
+        results = engine.scan_dir(path, extra_skip=set(config.exclude_paths))
+    else:
+        print(f"vigil: path not found: {path}", file=sys.stderr)
+        sys.exit(1)
+
+    all_findings = [f for fs in results.values() for f in fs]
+
+    # --severity flag takes priority over .vigilrc min_severity
+    effective_sev = args.severity or config.min_severity
+    if effective_sev:
+        min_order = SEVERITY_ORDER[Severity(effective_sev)]
+        all_findings = [f for f in all_findings if SEVERITY_ORDER[f.severity] <= min_order]
+        results = {
+            p: [f for f in fs if SEVERITY_ORDER[f.severity] <= min_order]
+            for p, fs in results.items()
+        }
+        results = {p: fs for p, fs in results.items() if fs}
+
+    if args.format == "json":
+        print(report_json(results))
+    elif args.format == "sarif":
+        print(report_sarif(results))
+    else:
+        for _path, file_findings in results.items():
+            report_terminal(file_findings, use_color=not args.no_color)
+        if all_findings:
+            _dim = "\033[2m" if not args.no_color else ""
+            _rst = "\033[0m" if not args.no_color else ""
+            print(
+                f"{_dim}── Vigil · feedback & waitlist → thefwss.com/vigil ──{_rst}",
+                file=sys.stderr,
+            )
+
+    if engine.blocking(all_findings):
+        sys.exit(2)
+    if all_findings:
+        sys.exit(1)
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

vigil/config.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+import tomllib
+from dataclasses import dataclass, field
+from pathlib import Path
+
+
+@dataclass
+class VigilConfig:
+    disabled_rules: list[str] = field(default_factory=list)
+    min_severity: str | None = None
+    exclude_paths: list[str] = field(default_factory=list)
+    telemetry: bool = True
+
+
+def load_config(start: Path) -> VigilConfig:
+    """Walk up from start looking for .vigilrc (TOML format).
+
+    Searches the given path (or its parent if a file) and all ancestor
+    directories until the filesystem root. Returns defaults if not found.
+    """
+    current = start if start.is_dir() else start.parent
+    while True:
+        candidate = current / ".vigilrc"
+        if candidate.is_file():
+            try:
+                with open(candidate, "rb") as f:
+                    data = tomllib.load(f)
+            except Exception:
+                return VigilConfig()
+            return VigilConfig(
+                disabled_rules=data.get("disabled_rules", []),
+                min_severity=data.get("min_severity"),
+                exclude_paths=data.get("exclude_paths", []),
+                telemetry=data.get("telemetry", True),
+            )
+        parent = current.parent
+        if parent == current:
+            break
+        current = parent
+    return VigilConfig()

vigil/engine.py

@@ -0,0 +1,68 @@
+from pathlib import Path
+from .rules import DEFAULT_RULES, Finding, Rule, Severity, SEVERITY_ORDER
+from . import telemetry as _telemetry
+
+
+class Engine:
+    def __init__(self, rules: list[Rule] | None = None, telemetry_enabled: bool = True) -> None:
+        self.rules = rules if rules is not None else DEFAULT_RULES
+        self._telemetry = telemetry_enabled
+
+    def scan(self, path: Path) -> list[Finding]:
+        """Scan a single file. Returns findings sorted by severity (CRITICAL first).
+
+        Lines containing '# vigil: ignore' are suppressed — same pattern as
+        '# noqa' (flake8) and '# nosec' (bandit).
+        """
+        if not path.is_file():
+            return []
+        try:
+            source_lines = path.read_text(errors="ignore").splitlines()
+        except OSError:
+            source_lines = []
+
+        applicable = [r for r in self.rules if r.applies_to(path)]
+        findings: list[Finding] = []
+        for rule in applicable:
+            for f in rule.check(path):
+                if (
+                    f.line
+                    and f.line <= len(source_lines)
+                    and "# vigil: ignore" in source_lines[f.line - 1]
+                ):
+                    continue
+                findings.append(f)
+        sorted_findings = sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])
+        _telemetry.record(sorted_findings, telemetry_enabled=self._telemetry)
+        return sorted_findings
+
+    def scan_dir(
+        self,
+        root: Path,
+        skip: set[str] | None = None,
+        extra_skip: set[str] | None = None,
+    ) -> dict[Path, list[Finding]]:
+        """Recursively scan all scannable files under root.
+
+        skip: replaces the default skip set when provided.
+        extra_skip: merged with the default skip set (use for .vigilrc exclude_paths).
+        """
+        _default = {".venv", "venv", "node_modules", ".git", "build", "dist", "__pycache__", "Pods"}
+        _skip = (skip if skip is not None else _default) | (extra_skip or set())
+        results: dict[Path, list[Finding]] = {}
+        for path in root.rglob("*"):
+            if not path.is_file():
+                continue
+            if any(s in path.parts for s in _skip):
+                continue
+            if not any(r.applies_to(path) for r in self.rules):
+                continue
+            findings = self.scan(path)
+            if findings:
+                results[path] = findings
+        return results
+
+    @staticmethod
+    def blocking(findings: list[Finding]) -> bool:
+        """True if any finding is CRITICAL or HIGH — should block the AI write."""
+        return any(f.severity in (Severity.CRITICAL, Severity.HIGH) for f in findings)

vigil/reporter.py

@@ -0,0 +1,119 @@
+import json
+import sys
+from pathlib import Path
+from .rules import Finding, Severity
+
+_SARIF_LEVEL = {
+    Severity.CRITICAL: "error",
+    Severity.HIGH: "error",
+    Severity.MEDIUM: "warning",
+    Severity.LOW: "note",
+    Severity.INFO: "note",
+}
+
+_COLORS = {
+    Severity.CRITICAL: "\033[91m",
+    Severity.HIGH:     "\033[93m",
+    Severity.MEDIUM:   "\033[94m",
+    Severity.LOW:      "\033[96m",
+    Severity.INFO:     "\033[37m",
+}
+_RESET = "\033[0m"
+_BOLD  = "\033[1m"
+
+
+def _c(sev: Severity, text: str, use_color: bool) -> str:
+    return f"{_COLORS[sev]}{text}{_RESET}" if use_color else text
+
+
+def report_terminal(findings: list[Finding], use_color: bool = True) -> None:
+    if not findings:
+        return
+    blocking = [f for f in findings if f.severity in (Severity.CRITICAL, Severity.HIGH)]
+    advisory = [f for f in findings if f.severity not in (Severity.CRITICAL, Severity.HIGH)]
+
+    if blocking:
+        label = _c(Severity.CRITICAL, "BLOCKED", use_color)
+        print(f"\n{label} — {len(blocking)} CRITICAL/HIGH finding(s):", file=sys.stderr)
+        print("─" * 60, file=sys.stderr)
+
+    for f in findings:
+        loc = f"{f.file_path.name}:{f.line}" if f.line else f.file_path.name
+        sev_label = _c(f.severity, f"[{f.severity.value}]", use_color)
+        print(f"{sev_label} {f.rule_id} — {f.message}", file=sys.stderr)
+        print(f"  at {loc}", file=sys.stderr)
+        if f.snippet:
+            print(f"  → {f.snippet[:120]}", file=sys.stderr)
+        if f.fix:
+            print(f"  fix: {f.fix}", file=sys.stderr)
+        print(file=sys.stderr)
+
+    if advisory:
+        print(
+            f"Advisory: {len(advisory)} MEDIUM/LOW/INFO finding(s) — not blocking.",
+            file=sys.stderr,
+        )
+
+
+def report_sarif(results: dict[Path, list[Finding]], tool_version: str = "0.1.0") -> str:
+    all_findings = [f for fs in results.values() for f in fs]
+    rule_index: dict[str, int] = {}
+    for f in all_findings:
+        if f.rule_id not in rule_index:
+            rule_index[f.rule_id] = len(rule_index)
+
+    sarif_rules = [
+        {"id": rid, "name": rid.replace("-", ""), "shortDescription": {"text": rid}}
+        for rid in rule_index
+    ]
+
+    sarif_results = []
+    for path, findings in results.items():
+        for f in findings:
+            sarif_results.append({
+                "ruleId": f.rule_id,
+                "ruleIndex": rule_index[f.rule_id],
+                "level": _SARIF_LEVEL[f.severity],
+                "message": {"text": f.message},
+                "locations": [{
+                    "physicalLocation": {
+                        "artifactLocation": {
+                            "uri": str(path),
+                            "uriBaseId": "%SRCROOT%",
+                        },
+                        "region": {"startLine": f.line or 1},
+                    }
+                }],
+            })
+
+    return json.dumps({
+        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+        "version": "2.1.0",
+        "runs": [{
+            "tool": {
+                "driver": {
+                    "name": "vigil",
+                    "version": tool_version,
+                    "informationUri": "https://github.com/fwss/vigil",
+                    "rules": sarif_rules,
+                }
+            },
+            "results": sarif_results,
+        }],
+    }, indent=2)
+
+
+def report_json(results: dict[Path, list[Finding]]) -> str:
+    out = []
+    for path, findings in results.items():
+        for f in findings:
+            out.append({
+                "rule_id": f.rule_id,
+                "severity": f.severity.value,
+                "message": f.message,
+                "file": str(path),
+                "line": f.line,
+                "snippet": f.snippet,
+                "fix": f.fix,
+            })
+    return json.dumps(out, indent=2)

vigil/rules/__init__.py

@@ -0,0 +1,103 @@
+from .base import Finding, Rule, Severity, SEVERITY_ORDER
+from .secrets import (
+    AwsAccessKeyRule,
+    HardcodedPasswordRule,
+    HardcodedApiKeyRule,
+    HardcodedTokenRule,
+    EvalInjectionRule,
+    ShellTrueRule,
+    OsSystemRule,
+    JwtSecretRule,
+    PemPrivateKeyRule,
+    CredentialUrlRule,
+    StripeLiveKeyRule,
+    SlackTokenRule,
+    GenericProviderKeyRule,
+)
+from .docker import DockerPortExposureRule, DockerComposeEnvSecretRule
+from .dockerfile import DockerfileEnvSecretRule, DockerfileRootUserRule, DockerfileLatestTagRule
+from .nginx import NginxSecurityHeadersRule
+from .trivy import TrivyIacScanRule
+from .deps import PipAuditRule, NpmAuditRule
+from .k8s import K8sSecurityRule
+from .iam import IamWildcardRule
+from .agency import LlmShellExecRule, AutoApprovalBypassRule, UnboundedAgentLoopRule, LlmOutputFileWriteRule
+from .mcp_security import McpToolPoisoningRule, McpDynamicDescriptionRule, McpShellToolRule
+from .prompt_injection import (
+    UserInputInSystemPromptRule,
+    RawRequestAsLlmContentRule,
+    TemplateInjectionInPromptRule,
+    UnsanitizedToolOutputRule,
+)
+from .shell import ShellSecretInjectionRule
+
+DEFAULT_RULES: list[Rule] = [
+    # Secrets — hardcoded credentials
+    AwsAccessKeyRule(),
+    HardcodedPasswordRule(),
+    HardcodedApiKeyRule(),
+    HardcodedTokenRule(),
+    JwtSecretRule(),
+    PemPrivateKeyRule(),
+    CredentialUrlRule(),
+    StripeLiveKeyRule(),
+    SlackTokenRule(),
+    GenericProviderKeyRule(),
+    # Code injection
+    EvalInjectionRule(),
+    ShellTrueRule(),
+    OsSystemRule(),
+    # Docker IaC
+    DockerPortExposureRule(),
+    DockerComposeEnvSecretRule(),
+    # Dockerfile hardening
+    DockerfileEnvSecretRule(),
+    DockerfileRootUserRule(),
+    DockerfileLatestTagRule(),
+    # nginx security
+    NginxSecurityHeadersRule(),
+    # Trivy IaC deep scan
+    TrivyIacScanRule(),
+    # Dependency CVE scanning
+    PipAuditRule(),
+    NpmAuditRule(),
+    # Kubernetes manifest security
+    K8sSecurityRule(),
+    # IAM policy wildcards
+    IamWildcardRule(),
+    # Excessive agency — AI agents without human oversight
+    LlmShellExecRule(),
+    AutoApprovalBypassRule(),
+    UnboundedAgentLoopRule(),
+    LlmOutputFileWriteRule(),
+    # MCP server security
+    McpToolPoisoningRule(),
+    McpDynamicDescriptionRule(),
+    McpShellToolRule(),
+    # Prompt injection in AI-calling code
+    UserInputInSystemPromptRule(),
+    RawRequestAsLlmContentRule(),
+    TemplateInjectionInPromptRule(),
+    UnsanitizedToolOutputRule(),
+    # Shell script secret leakage
+    ShellSecretInjectionRule(),
+]
+
+__all__ = [
+    "Finding", "Rule", "Severity", "SEVERITY_ORDER", "DEFAULT_RULES",
+    "AwsAccessKeyRule", "HardcodedPasswordRule", "HardcodedApiKeyRule",
+    "HardcodedTokenRule", "EvalInjectionRule", "ShellTrueRule", "OsSystemRule",
+    "JwtSecretRule", "PemPrivateKeyRule", "CredentialUrlRule",
+    "StripeLiveKeyRule", "SlackTokenRule", "GenericProviderKeyRule",
+    "DockerPortExposureRule", "DockerComposeEnvSecretRule",
+    "DockerfileEnvSecretRule", "DockerfileRootUserRule", "DockerfileLatestTagRule",
+    "NginxSecurityHeadersRule",
+    "TrivyIacScanRule",
+    "PipAuditRule", "NpmAuditRule",
+    "K8sSecurityRule",
+    "IamWildcardRule",
+    "LlmShellExecRule", "AutoApprovalBypassRule", "UnboundedAgentLoopRule", "LlmOutputFileWriteRule",
+    "McpToolPoisoningRule", "McpDynamicDescriptionRule", "McpShellToolRule",
+    "UserInputInSystemPromptRule", "RawRequestAsLlmContentRule",
+    "TemplateInjectionInPromptRule", "UnsanitizedToolOutputRule",
+]

vigil/rules/agency.py

@@ -0,0 +1,174 @@
+"""VGL-A001–A004: Excessive agency — AI agents without human oversight.
+
+These rules catch the patterns that make autonomous AI agents unsafe:
+LLM output piped directly to shell, unbounded loops with no kill switch,
+hardcoded auto-approval bypasses, and LLM content written to disk unchecked.
+"""
+from __future__ import annotations
+import re
+from pathlib import Path
+from .base import Finding, Rule, Severity
+
+_AI_EXTS = {".py", ".ts", ".js"}
+
+_LLM_IMPORT = re.compile(
+    r"(?:import|from|require)\s+.*(?:anthropic|openai|langchain|llama|cohere|mistral|google\.generativeai)",
+    re.IGNORECASE,
+)
+_LLM_CALL = re.compile(
+    r"(?:client\.messages\.create|openai\.chat\.completions|\.chat\.|llm\.invoke|llm\.run|chain\.run|agent\.run|model\.generate)",
+)
+
+
+class LlmShellExecRule(Rule):
+    """VGL-A001: LLM output piped directly into shell execution."""
+    id = "VGL-A001"
+    severity = Severity.CRITICAL
+
+    _PAT = re.compile(
+        r"(?:subprocess\.(?:run|call|Popen)|os\.system|os\.popen)\s*\([^)]*"
+        r"\b(?:response|completion|result|output|content|message)\b[^)]*\.(?:content|text|output)",
+    )
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix in _AI_EXTS
+
+    def check(self, path: Path) -> list[Finding]:
+        try:
+            lines = path.read_text(errors="ignore").splitlines()
+        except OSError:
+            return []
+        findings = []
+        for i, line in enumerate(lines, 1):
+            if self._PAT.search(line):
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message="LLM output passed directly to shell — command injection risk",
+                    file_path=path,
+                    line=i,
+                    snippet=line.strip()[:120],
+                    fix=(
+                        "Never pass LLM output directly to shell. Parse structured output, "
+                        "validate against an allowlist, require human approval, or use a sandboxed executor."
+                    ),
+                ))
+        return findings
+
+
+class AutoApprovalBypassRule(Rule):
+    """VGL-A002: Hardcoded auto-approval — disables human-in-the-loop gate."""
+    id = "VGL-A002"
+    severity = Severity.HIGH
+
+    _PAT = re.compile(
+        r"(?i)\b(auto_approve|skip_approval|bypass_approval|approve_all|skip_confirmation|skip_review)\s*=\s*True",
+    )
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix in _AI_EXTS
+
+    def check(self, path: Path) -> list[Finding]:
+        try:
+            lines = path.read_text(errors="ignore").splitlines()
+        except OSError:
+            return []
+        findings = []
+        for i, line in enumerate(lines, 1):
+            stripped = line.strip()
+            if stripped.startswith("#"):  # commented-out code is not live code
+                continue
+            if self._PAT.search(line):
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message=f"Auto-approval hardcoded — HITL gate bypassed: {stripped[:60]}",
+                    file_path=path,
+                    line=i,
+                    snippet=stripped[:120],
+                    fix=(
+                        "Require explicit human approval for agent actions. Read approval state "
+                        "from SSM or a runtime flag — never hardcode True in source."
+                    ),
+                ))
+        return findings
+
+
+class UnboundedAgentLoopRule(Rule):
+    """VGL-A003: Unbounded agentic loop — while True with LLM calls, no iteration limit."""
+    id = "VGL-A003"
+    severity = Severity.HIGH
+
+    _WHILE_TRUE = re.compile(r"^\s*while\s+True\s*:")
+    _ITER_LIMIT = re.compile(
+        r"\b(max_iterations|max_turns|max_steps|max_loops|iteration_limit|step_limit)\b",
+    )
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix in _AI_EXTS
+
+    def check(self, path: Path) -> list[Finding]:
+        try:
+            text = path.read_text(errors="ignore")
+        except OSError:
+            return []
+
+        # Only flag when the file actually makes LLM calls
+        if not _LLM_IMPORT.search(text) and not _LLM_CALL.search(text):
+            return []
+        if self._ITER_LIMIT.search(text):
+            return []
+
+        lines = text.splitlines()
+        findings = []
+        for i, line in enumerate(lines, 1):
+            if self._WHILE_TRUE.match(line):
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message="Unbounded 'while True' loop with LLM calls — no iteration limit found",
+                    file_path=path,
+                    line=i,
+                    snippet=line.strip(),
+                    fix=(
+                        "Add max_iterations and a kill-switch check at the top of the loop. "
+                        "Read the kill switch from SSM so it can be toggled without a deploy."
+                    ),
+                ))
+        return findings
+
+
+class LlmOutputFileWriteRule(Rule):
+    """VGL-A004: LLM response written directly to disk without validation."""
+    id = "VGL-A004"
+    severity = Severity.HIGH
+
+    _PAT = re.compile(
+        r"(?:write_text|\.write)\s*\([^)]*\b(?:llm_output|ai_output|model_output|"
+        r"response\.content|completion\.content|message\.content|result\.text)\b",
+    )
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix in _AI_EXTS
+
+    def check(self, path: Path) -> list[Finding]:
+        try:
+            lines = path.read_text(errors="ignore").splitlines()
+        except OSError:
+            return []
+        findings = []
+        for i, line in enumerate(lines, 1):
+            if self._PAT.search(line):
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message="LLM output written to filesystem without validation",
+                    file_path=path,
+                    line=i,
+                    snippet=line.strip()[:120],
+                    fix=(
+                        "Validate and sanitize LLM output before writing to disk. "
+                        "Consider schema validation, content-type checks, or a human review step."
+                    ),
+                ))
+        return findings