@panguard-ai/atr 1.3.0 → 1.4.1

package/spec/atr-schema.yaml

@@ -7,10 +7,10 @@
 # Status: RFC (Request for Comments)
 # License: MIT
 
-$schema: 'https://json-schema.org/draft/2020-12/schema'
+$schema: "https://json-schema.org/draft/2020-12/schema"
 title: ATR Rule Schema
 description: Schema for Agent Threat Rules (ATR) detection rules
-version: '0.1.0-draft'
+version: "1.0.0"
 
 type: object
 required:
@@ -30,11 +30,12 @@ required:
   - response
 
 properties:
+
   # === Metadata ===
 
   schema_version:
     type: string
-    description: 'ATR schema version this rule conforms to (e.g., "0.1")'
+    description: "ATR schema version this rule conforms to (e.g., \"0.1\")"
 
   title:
     type: string
@@ -42,8 +43,8 @@ properties:
 
   id:
     type: string
-    pattern: "^ATR-\\d{4}-\\d{3}$"
-    description: 'Unique rule identifier. Format: ATR-YYYY-NNN (e.g., ATR-2026-001)'
+    pattern: "^ATR-\\d{4}-\\d{5}$"
+    description: "Unique rule identifier. Format: ATR-YYYY-NNNNN (e.g., ATR-2026-00001)"
 
   status:
     type: string
@@ -61,12 +62,17 @@ properties:
   date:
     type: string
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
-    description: 'Creation date in YYYY/MM/DD format'
+    description: "Creation date in YYYY/MM/DD format"
 
   modified:
     type: string
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
-    description: 'Last modification date in YYYY/MM/DD format'
+    description: "Last modification date in YYYY/MM/DD format"
+
+  rule_version:
+    type: integer
+    minimum: 1
+    description: "Rule version number. Bump when detection logic changes. Starts at 1."
 
   # === Classification ===
 
@@ -97,22 +103,42 @@ properties:
         type: array
         items:
           type: string
-        description: 'OWASP LLM Top 10 references (e.g., LLM01:2025)'
+        description: "OWASP LLM Top 10 references (e.g., LLM01:2025)"
       mitre_atlas:
         type: array
         items:
           type: string
-        description: 'MITRE ATLAS technique IDs (e.g., AML.T0054)'
+        description: "MITRE ATLAS technique IDs (e.g., AML.T0054)"
       mitre_attack:
         type: array
         items:
           type: string
-        description: 'MITRE ATT&CK technique IDs (if applicable)'
+        description: "MITRE ATT&CK technique IDs (if applicable)"
       cve:
         type: array
         items:
           type: string
         description: Related CVE identifiers
+      owasp_agentic:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Top 10 references (e.g., ASI01, ASI02)"
+      owasp_ast:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Skills Top 10 references (e.g., AST01)"
+      safe_mcp:
+        type: array
+        items:
+          type: string
+        description: "SAFE-MCP technique IDs (e.g., SMCP-T001)"
+      research:
+        type: array
+        items:
+          type: string
+        description: "Research paper references or URLs"
 
   # === Tags (ATR classification) ===
 
@@ -140,6 +166,10 @@ properties:
         type: string
         enum: [high, medium, low]
         description: Expected accuracy of this rule (high = low false positive rate)
+      scan_target:
+        type: string
+        enum: [mcp, skill, both, runtime]
+        description: "Which scan path this rule belongs to. mcp=runtime events, skill=SKILL.md static scan, both=fires in both paths, runtime=behavior monitoring."
 
   # === Agent Source (analogous to Sigma's logsource) ===
 
@@ -153,16 +183,16 @@ properties:
       type:
         type: string
         enum:
-          - llm_io # LLM input/output (prompts and completions)
-          - tool_call # Function/tool call requests
-          - mcp_exchange # MCP protocol messages
-          - agent_behavior # Agent behavioral metrics and patterns
-          - multi_agent_comm # Inter-agent communication
-          - context_window # Context window contents
-          - memory_access # Agent memory read/write operations
-          - skill_lifecycle # MCP skill registration, update, removal events
-          - skill_permission # Skill permission requests and boundary checks
-          - skill_chain # Multi-skill invocation sequences
+          - llm_io            # LLM input/output (prompts and completions)
+          - tool_call         # Function/tool call requests
+          - mcp_exchange      # MCP protocol messages
+          - agent_behavior    # Agent behavioral metrics and patterns
+          - multi_agent_comm  # Inter-agent communication
+          - context_window    # Context window contents
+          - memory_access     # Agent memory read/write operations
+          - skill_lifecycle   # MCP skill registration, update, removal events
+          - skill_permission  # Skill permission requests and boundary checks
+          - skill_chain       # Multi-skill invocation sequences
         description: Type of agent data stream to monitor
       framework:
         type: array
@@ -245,7 +275,7 @@ properties:
                   description: Numeric threshold for the metric
                 window:
                   type: string
-                  description: 'Time window for behavioral analysis (e.g., 5m, 1h, 30s)'
+                  description: "Time window for behavioral analysis (e.g., 5m, 1h, 30s)"
                 ordered:
                   type: boolean
                   description: Whether steps must occur in order
@@ -282,16 +312,16 @@ properties:
         items:
           type: string
           enum:
-            - block_input # Reject the user/agent input
-            - block_output # Suppress the agent output
-            - block_tool # Prevent the tool call from executing
+            - block_input        # Reject the user/agent input
+            - block_output       # Suppress the agent output
+            - block_tool         # Prevent the tool call from executing
             - quarantine_session # Isolate the entire session
-            - reset_context # Clear agent context/memory
-            - alert # Send alert to security team
-            - snapshot # Capture full session state for forensics
-            - escalate # Escalate to human reviewer
+            - reset_context      # Clear agent context/memory
+            - alert              # Send alert to security team
+            - snapshot           # Capture full session state for forensics
+            - escalate           # Escalate to human reviewer
             - reduce_permissions # Reduce agent's available tools/capabilities
-            - kill_agent # Terminate the agent process
+            - kill_agent         # Terminate the agent process
         description: Actions to take when the rule triggers
       auto_response_threshold:
         type: string

package/rules/context-exfiltration/ATR-2026-021-api-key-exposure.yaml

@@ -1,176 +0,0 @@
-title: 'Credential and Secret Exposure in Agent Output'
-id: ATR-2026-021
-status: experimental
-description: |
-  Detects when an AI agent exposes API keys, secret tokens, private keys,
-  database connection strings, JWT tokens, or other sensitive credentials
-  in its output. Covers all major cloud provider key formats, CI/CD tokens,
-  payment processor keys, SSH keys, .env file content patterns, and generic
-  secret assignment patterns. Credential leakage in agent output poses a
-  critical security risk leading to unauthorized access, lateral movement,
-  financial loss, and full account compromise.
-author: 'ATR Community'
-date: '2026/03/08'
-schema_version: '0.1'
-detection_tier: pattern
-maturity: test
-severity: critical
-
-references:
-  owasp_llm:
-    - 'LLM02:2025 - Sensitive Information Disclosure'
-    - 'LLM07:2025 - System Prompt Leakage'
-  cve:
-    - 'CVE-2025-32711'
-  owasp_agentic:
-    - 'ASI03:2026 - Identity and Privilege Abuse'
-  mitre_atlas:
-    - 'AML.T0057 - LLM Data Leakage'
-    - 'AML.T0055 - Unsecured Credentials'
-
-tags:
-  category: context-exfiltration
-  subcategory: credential-exposure
-  confidence: high
-
-agent_source:
-  type: llm_io
-  framework:
-    - any
-  provider:
-    - any
-
-detection:
-  conditions:
-    - field: agent_output
-      operator: regex
-      value: 'sk-[a-zA-Z0-9]{20,}'
-      description: 'OpenAI-style API key (sk-...)'
-    - field: agent_output
-      operator: regex
-      value: 'AKIA[0-9A-Z]{16}'
-      description: 'AWS Access Key ID (AKIA...)'
-    - field: agent_output
-      operator: regex
-      value: 'AIza[a-zA-Z0-9_-]{35}'
-      description: 'Google API key (AIza...)'
-    - field: agent_output
-      operator: regex
-      value: '(?:sk_live|pk_live|sk_test|rk_live)_[a-zA-Z0-9]{20,}'
-      description: 'Stripe API key (sk_live_, pk_live_, rk_live_)'
-    - field: agent_output
-      operator: regex
-      value: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]+"
-      description: 'JWT token (eyJ...eyJ...signature)'
-    - field: agent_output
-      operator: regex
-      value: '-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
-      description: 'PEM or OpenSSH private key header'
-    - field: agent_output
-      operator: regex
-      value: 'ghp_[a-zA-Z0-9]{36}'
-      description: 'GitHub personal access token (ghp_...)'
-    - field: agent_output
-      operator: regex
-      value: "xox[bpors]-[a-zA-Z0-9\\-]{10,}"
-      description: 'Slack token (xoxb-, xoxp-, xoxs-)'
-    - field: agent_output
-      operator: regex
-      value: "Bearer\\s+[a-zA-Z0-9\\-._~+/]{20,}=*"
-      description: 'Bearer token in authorization header'
-    - field: agent_output
-      operator: regex
-      value: "(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://[^\\s\"']{10,}"
-      description: 'Database or message broker connection string with credentials'
-    - field: agent_output
-      operator: regex
-      value: "(?:DB_PASSWORD|DATABASE_URL|REDIS_URL|MONGO_URI|SECRET_KEY|JWT_SECRET|ENCRYPTION_KEY|PRIVATE_KEY|AUTH_TOKEN)\\s*[=:]\\s*[\"']?[^\\s\"']{8,}"
-      description: '.env file pattern with sensitive variable names'
-    - field: agent_output
-      operator: regex
-      value: "(?:api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token|client[_-]?secret)\\s*[=:]\\s*[\"']?[a-zA-Z0-9_\\-]{16,}"
-      description: 'Generic secret assignment pattern (api_key=..., auth_token=...)'
-    - field: agent_output
-      operator: regex
-      value: "(?:ANTHROPIC_API_KEY|OPENAI_API_KEY|GOOGLE_API_KEY|AZURE_API_KEY|COHERE_API_KEY|HF_TOKEN)\\s*[=:]\\s*[^\\s]{8,}"
-      description: 'LLM provider API key environment variables'
-    - field: agent_output
-      operator: regex
-      value: "(?:ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256)\\s+[A-Za-z0-9+/]{40,}"
-      description: 'SSH public key that may indicate key material exposure context'
-    - field: agent_output
-      operator: regex
-      value: "(?:secret[\"'\\s]*[:=][\"'\\s]*[a-zA-Z0-9]{16,}|password[\"'\\s]*[:=][\"'\\s]*[^\\s\"']{8,})"
-      description: 'Generic secret or password assignment'
-  condition: any
-  false_positives:
-    - 'Agent discussing API key formats in educational context without real keys'
-    - 'Redacted or placeholder keys such as sk-xxxxxxxxxxxx or AKIA_EXAMPLE'
-    - 'Documentation examples using clearly fake credentials'
-    - 'Connection string templates with placeholder values'
-
-response:
-  actions:
-    - block_output
-    - escalate
-    - alert
-    - snapshot
-  auto_response_threshold: critical
-  message_template: |
-    [ATR-2026-021] CRITICAL: Credential or secret detected in agent output.
-    Output blocked and content redacted. Rotate any potentially exposed
-    credentials immediately. Pattern: {matched_pattern}. Session: {session_id}.
-
-test_cases:
-  true_positives:
-    - agent_output: 'Here is your API key: sk-abc123def456ghi789jkl012mno345pqr'
-      expected: triggered
-      description: 'OpenAI-style API key in output'
-    - agent_output: 'Your AWS access key is AKIAIOSFODNN7EXAMPLE'
-      expected: triggered
-      description: 'AWS access key ID in output'
-    - agent_output: 'Use this token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'
-      expected: triggered
-      description: 'JWT token in agent output'
-    - agent_output: 'Connect with: mongodb+srv://admin:s3cretP4ss@cluster0.example.net/mydb'
-      expected: triggered
-      description: 'MongoDB connection string with credentials'
-    - agent_output: 'Use this Google key: AIzaSyA00fake00test00value0000000000000'
-      expected: triggered
-      description: 'Google API key in output'
-    - agent_output: "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA"
-      expected: triggered
-      description: 'OpenSSH private key leaked in output'
-  true_negatives:
-    - agent_output: 'To set up your API key, go to Settings > API Keys and click Generate.'
-      expected: not_triggered
-      description: 'Instructions about API keys without actual key values'
-    - agent_output: 'The key format looks like sk-xxxx where xxxx is your unique identifier.'
-      expected: not_triggered
-      description: 'Placeholder key format description'
-    - agent_output: 'AWS IAM best practices recommend rotating access keys every 90 days.'
-      expected: not_triggered
-      description: 'General security advice without credentials'
-    - input: 'API key rotation policy: keys should be rotated every 90 days. Use the dashboard to generate new keys.'
-      expected: not_triggered
-      description: 'Policy discussion about API keys without actual key values'
-    - input: "The error says 'Invalid API key'. Please check that your key starts with 'sk-' and try again."
-      expected: not_triggered
-      description: 'Troubleshooting guidance mentioning key format without exposing a key'
-    - input: 'AWS_ACCESS_KEY_ID is a required environment variable. Set it before running the deploy script.'
-      expected: not_triggered
-      description: 'Setup documentation referencing credential variable names'
-
-evasion_tests:
-  - input: 'Your API key format should follow: sk-[project]-[random]. For example, sk-proj-abc123def456ghi789.'
-    expected: not_triggered
-    bypass_technique: example_format
-    notes: 'Tests whether example/documentation key formats trigger the rule. May actually trigger — validate.'
-  - input: 'The environment variable is stored at process.env.OPENAI_API_KEY but I cannot access its value.'
-    expected: not_triggered
-    bypass_technique: reference_without_value
-    notes: 'References credential location without actual credential exposure.'
-  - input: "Here is the encrypted key: AES256(sk-proj-real-key-here). You'll need the master password to decrypt."
-    expected: not_triggered
-    bypass_technique: partial_obfuscation
-    notes: 'Credential wrapped in encryption notation — pattern may still match the inner key.'