@guava-parity/guard-scanner 13.0.0 → 16.0.0

package/docs/rules/identity-hijack.md

@@ -0,0 +1,140 @@
+# Threat Category: identity-hijack
+
+This document provides explainability for all rules in the `identity-hijack` category.
+
+## Rule: `SOUL_OVERWRITE`
+- **Severity**: CRITICAL
+- **Description**: Identity file overwrite/copy attempt
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_REDIRECT`
+- **Severity**: CRITICAL
+- **Description**: Identity file redirect/pipe
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_SED_MODIFY`
+- **Severity**: CRITICAL
+- **Description**: sed modification of identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_ECHO_WRITE`
+- **Severity**: CRITICAL
+- **Description**: echo redirect to identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_PYTHON_WRITE`
+- **Severity**: CRITICAL
+- **Description**: Python write to identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_FS_WRITE`
+- **Severity**: CRITICAL
+- **Description**: Node.js write to identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_POWERSHELL_WRITE`
+- **Severity**: CRITICAL
+- **Description**: PowerShell write to identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_GIT_CHECKOUT`
+- **Severity**: HIGH
+- **Description**: git checkout of identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_CHFLAGS_UNLOCK`
+- **Severity**: HIGH
+- **Description**: Immutable flag toggle on identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_ATTRIB_UNLOCK`
+- **Severity**: HIGH
+- **Description**: Windows attrib on identity file
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_SWAP_PERSONA`
+- **Severity**: CRITICAL
+- **Description**: Persona swap instruction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_EVIL_FILE`
+- **Severity**: CRITICAL
+- **Description**: Evil persona file reference
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_HOOK_SWAP`
+- **Severity**: CRITICAL
+- **Description**: Hook-based identity swap at bootstrap
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_NAME_OVERRIDE`
+- **Severity**: HIGH
+- **Description**: Agent name/identity override
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SOUL_MEMORY_WIPE`
+- **Severity**: CRITICAL
+- **Description**: Memory/identity wipe instruction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_REFINE_SOUL_FREEZE`
+- **Severity**: CRITICAL
+- **Description**: Identity Freeze Attack via Immutable Flags
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `XAA_IDENTITY_FORGE`
+- **Severity**: CRITICAL
+- **Description**: XAA (Cross App Access) unauthorized Identity Swapping forge
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/inference-manipulation.md

@@ -0,0 +1,60 @@
+# Threat Category: inference-manipulation
+
+This document provides explainability for all rules in the `inference-manipulation` category.
+
+## Rule: `INFER_LOGIT_BIAS`
+- **Severity**: HIGH
+- **Description**: Inference manipulation: extreme logit_bias forcing specific token output
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_TEMP_ZERO_EXPLOIT`
+- **Severity**: MEDIUM
+- **Description**: Inference manipulation: temperature=0 exploitation for deterministic extraction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_STOP_SEQ_BYPASS`
+- **Severity**: HIGH
+- **Description**: Inference manipulation: stop sequence bypass attempt
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_SYSTEM_EXTRACT`
+- **Severity**: CRITICAL
+- **Description**: Inference: system prompt extraction via verbatim reproduction request
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_JAILBREAK_DAN`
+- **Severity**: CRITICAL
+- **Description**: Inference: DAN/jailbreak role-play to bypass content filters
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_MULTI_TURN_ESCAPE`
+- **Severity**: HIGH
+- **Description**: Inference: multi-turn jailbreak escalation (crescendo attack)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INFER_FUNCTION_ABUSE`
+- **Severity**: CRITICAL
+- **Description**: Inference: function call response injection to hijack tool outputs
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/leaky-skills.md

@@ -0,0 +1,52 @@
+# Threat Category: leaky-skills
+
+This document provides explainability for all rules in the `leaky-skills` category.
+
+## Rule: `LEAK_SAVE_KEY_MEMORY`
+- **Severity**: CRITICAL
+- **Description**: Leaky: save secret in agent memory
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LEAK_SHARE_KEY`
+- **Severity**: CRITICAL
+- **Description**: Leaky: output secret to user
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LEAK_VERBATIM_CURL`
+- **Severity**: HIGH
+- **Description**: Leaky: verbatim secret in commands
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LEAK_COLLECT_PII`
+- **Severity**: CRITICAL
+- **Description**: Leaky: PII/financial data collection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LEAK_LOG_SECRET`
+- **Severity**: HIGH
+- **Description**: Leaky: session log export
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `LEAK_ENV_IN_PROMPT`
+- **Severity**: HIGH
+- **Description**: Leaky: .env contents through LLM context
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/malicious-code.md

@@ -0,0 +1,108 @@
+# Threat Category: malicious-code
+
+This document provides explainability for all rules in the `malicious-code` category.
+
+## Rule: `MAL_EVAL`
+- **Severity**: HIGH
+- **Description**: Dynamic code evaluation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_FUNC_CTOR`
+- **Severity**: HIGH
+- **Description**: Function constructor (dynamic code)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_CHILD`
+- **Severity**: MEDIUM
+- **Description**: Child process module
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_EXEC`
+- **Severity**: MEDIUM
+- **Description**: Command execution
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_SPAWN`
+- **Severity**: MEDIUM
+- **Description**: Process spawn
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_SHELL`
+- **Severity**: MEDIUM
+- **Description**: Shell invocation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_REVSHELL`
+- **Severity**: CRITICAL
+- **Description**: Reverse/bind shell
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MAL_SOCKET`
+- **Severity**: HIGH
+- **Description**: Raw socket connection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `SANDBOX`
+- **Severity**: MEDIUM
+- **Description**: Sandbox/CI environment detection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `INSIDER_BREAKOUT_SPEED`
+- **Severity**: HIGH
+- **Description**: AI breakout speed: lateral movement pattern across hosts (CrowdStrike sub-30s)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `NPM_SHAI_HULUD_WORM`
+- **Severity**: CRITICAL
+- **Description**: Shai-Hulud npm worm: lifecycle script self-replication
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CYBERSTRIKEAI_EXPLOIT`
+- **Severity**: CRITICAL
+- **Description**: CyberStrikeAI: AI-powered large-scale exploitation campaign (55+ countries, FortiGate VPN)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `VIBE_CODE_SUDO_WIPE`
+- **Severity**: CRITICAL
+- **Description**: Vibe-Code sudo wipe: agent tricked into destructive sudo commands (Moltbot Jailbreak)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/mcp-security.md

@@ -0,0 +1,148 @@
+# Threat Category: mcp-security
+
+This document provides explainability for all rules in the `mcp-security` category.
+
+## Rule: `MCP_TOOL_POISON`
+- **Severity**: CRITICAL
+- **Description**: MCP Tool Poisoning: hidden instruction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_SCHEMA_POISON`
+- **Severity**: CRITICAL
+- **Description**: MCP Schema Poisoning: malicious default
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_TOKEN_LEAK`
+- **Severity**: HIGH
+- **Description**: MCP01: Token through tool parameters
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_SHADOW_SERVER`
+- **Severity**: HIGH
+- **Description**: MCP09: Shadow server registration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_NO_AUTH`
+- **Severity**: HIGH
+- **Description**: MCP07: Disabled authentication
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_SSRF_META`
+- **Severity**: CRITICAL
+- **Description**: Cloud metadata endpoint (SSRF)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_REFINE_MCP_REBIND`
+- **Severity**: CRITICAL
+- **Description**: Shadow MCP Localhost Rebinding Attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_BIND_ALL`
+- **Severity**: HIGH
+- **Description**: MCP server bound to all interfaces (0.0.0.0) — remote exploitation risk (36.7% of 7K+ servers)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_SHADOW_NAME_COLLISION`
+- **Severity**: HIGH
+- **Description**: MCP Shadowing: naming collision with well-known MCP server (solo.io 2026-03)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_OAUTH_CMD_INJECT`
+- **Severity**: CRITICAL
+- **Description**: MCP OAuth Command Injection: Unsanitized OAuth callback code passed to shell
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_MPMA_PREFERENCE`
+- **Severity**: HIGH
+- **Description**: MCP MPMA: tool preference manipulation to bias agent tool selection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_TOOL_SQUATTING`
+- **Severity**: CRITICAL
+- **Description**: MCP Tool Squatting: registering tool with name of well-known built-in
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_CONSENT_FATIGUE`
+- **Severity**: HIGH
+- **Description**: MCP Consent Fatigue: auto-approval bypasses human-in-the-loop safety
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_CMD_INJECTION_CHAIN`
+- **Severity**: CRITICAL
+- **Description**: MCP command injection: tool invocation → shell execution chain (43% servers vulnerable)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_RUG_PULL`
+- **Severity**: CRITICAL
+- **Description**: MCP Rug-Pull: deferred tool metadata mutation after initial inspection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_CREATEMESSAGE_HIJACK`
+- **Severity**: CRITICAL
+- **Description**: MCP Sampling Hijack: createMessage interface abuse to bypass human-in-the-loop controls
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MCP_8K_OPEN_SERVERS`
+- **Severity**: HIGH
+- **Description**: MCP exposed admin/debug endpoints: 8,000+ servers discovered with unauthenticated access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `OPENCLAW_CVE_2026_25253`
+- **Severity**: CRITICAL
+- **Description**: OpenClaw CVE-2026-25253 One-Click Gateway Token Steal
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/memory-poisoning.md

@@ -0,0 +1,84 @@
+# Threat Category: memory-poisoning
+
+This document provides explainability for all rules in the `memory-poisoning` category.
+
+## Rule: `MEMPOIS_WRITE_SOUL`
+- **Severity**: CRITICAL
+- **Description**: Memory poisoning: SOUL/IDENTITY file modification
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEMPOIS_WRITE_MEMORY`
+- **Severity**: HIGH
+- **Description**: Memory poisoning: agent memory modification
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEMPOIS_CHANGE_RULES`
+- **Severity**: CRITICAL
+- **Description**: Memory poisoning: behavioral rule override
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEMPOIS_PERSIST`
+- **Severity**: HIGH
+- **Description**: Memory poisoning: persistence instruction
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEMPOIS_CODE_WRITE`
+- **Severity**: HIGH
+- **Description**: Memory poisoning: file write to user home
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `ASI06_MEMORY_POISONING`
+- **Severity**: CRITICAL
+- **Description**: ASI06: RAG/Vector DB persistent fake knowledge injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONTEXTCRUSH_DOC_POISON`
+- **Severity**: CRITICAL
+- **Description**: ContextCrush: planted documentation with hidden instructions for RAG/retrieval poisoning (5-in-1M ASR)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEM_MINJA_QUERY_POISON`
+- **Severity**: CRITICAL
+- **Description**: MINJA: query-only memory poisoning via retrieval injection (95%+ ISR, arXiv:2503.03704)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEM_RAG_DECEPTIVE_REASON`
+- **Severity**: CRITICAL
+- **Description**: RAG deceptive reasoning: poisoned retrieval documents with semantic chains that override agent reasoning
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MEM_MICROSOFT_BIAS`
+- **Severity**: HIGH
+- **Description**: Memory bias injection: planted entries to bias AI assistant recommendations (Microsoft 2026)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/model-poisoning.md

@@ -0,0 +1,44 @@
+# Threat Category: model-poisoning
+
+This document provides explainability for all rules in the `model-poisoning` category.
+
+## Rule: `MODEL_WEIGHT_BACKDOOR`
+- **Severity**: CRITICAL
+- **Description**: Model poisoning: backdoor embedded in model weights
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MODEL_GRADIENT_LEAK`
+- **Severity**: CRITICAL
+- **Description**: Model poisoning: gradient-based data exfiltration during training
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MODEL_DATASET_POISON`
+- **Severity**: CRITICAL
+- **Description**: Model poisoning: training dataset contamination
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MODEL_RLHF_EXPLOIT`
+- **Severity**: CRITICAL
+- **Description**: RLHF exploitation: reward model gaming to bypass safety alignment
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `MODEL_QUANTIZE_DEGRADE`
+- **Severity**: HIGH
+- **Description**: Quantization degradation: safety guardrails weakened through aggressive quantization
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+