@panguard-ai/atr 1.4.0 → 1.4.2

package/rules/tool-poisoning/{ATR-2026-012-unauthorized-tool-call.yaml → ATR-2026-00012-unauthorized-tool-call.yaml}

@@ -1,5 +1,6 @@
 title: "Unauthorized Tool Call Detection"
-id: ATR-2026-012
+id: ATR-2026-00012
+rule_version: 1
 status: experimental
 description: >
   Detects unauthorized or malicious tool call attempts including parameter injection,
@@ -31,6 +32,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: unauthorized-access
+  scan_target: mcp
   confidence: high
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-013-tool-ssrf.yaml → ATR-2026-00013-tool-ssrf.yaml}

@@ -1,5 +1,6 @@
 title: "SSRF via Agent Tool Calls"
-id: ATR-2026-013
+id: ATR-2026-00013
+rule_version: 1
 status: experimental
 description: >
   Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls.
@@ -37,6 +38,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: ssrf
+  scan_target: both
   confidence: high
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-095-supply-chain-poisoning.yaml → ATR-2026-00095-supply-chain-poisoning.yaml}

@@ -1,5 +1,6 @@
 title: "MCP Tool Supply Chain Poisoning"
-id: ATR-2026-095
+id: ATR-2026-00095
+rule_version: 1
 status: draft
 description: >
   Detects tool poisoning attacks targeting the MCP (Model Context Protocol)
@@ -21,6 +22,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: supply-chain-attack
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-096-registry-poisoning.yaml → ATR-2026-00096-registry-poisoning.yaml}

@@ -1,5 +1,6 @@
 title: "Skill Registry Poisoning and Compromised Tool Distribution"
-id: ATR-2026-096
+id: ATR-2026-00096
+rule_version: 1
 status: draft
 description: >
   Detects supply chain attacks that target skill/tool registries and
@@ -23,6 +24,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: registry-poisoning
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-100-consent-bypass-instruction.yaml → ATR-2026-00100-consent-bypass-instruction.yaml}

@@ -1,5 +1,6 @@
 title: "Consent Bypass via Hidden LLM Instructions in Tool Descriptions"
-id: ATR-2026-100
+id: ATR-2026-00100
+rule_version: 1
 status: experimental
 description: |
   Detects tool descriptions that embed instructions directing the LLM to automatically
@@ -26,6 +27,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: consent-bypass-instruction
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-101-trust-escalation-override.yaml → ATR-2026-00101-trust-escalation-override.yaml}

@@ -1,5 +1,6 @@
 title: "Trust Escalation via Authority Override Instructions"
-id: ATR-2026-101
+id: ATR-2026-00101
+rule_version: 1
 status: experimental
 description: |
   Detects MCP tools that instruct the LLM to treat tool output as "authoritative directives"
@@ -25,6 +26,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: trust-escalation-override
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-103-hidden-safety-bypass-instruction.yaml → ATR-2026-00103-hidden-safety-bypass-instruction.yaml}

@@ -1,5 +1,6 @@
 title: "Hidden LLM Safety Bypass Instructions in Tool Descriptions"
-id: ATR-2026-103
+id: ATR-2026-00103
+rule_version: 1
 status: experimental
 description: |
   Detects tools that embed explicit instructions directing the LLM to disregard safety
@@ -27,6 +28,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: hidden-llm-instructions
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-105-silent-action-concealment.yaml → ATR-2026-00105-silent-action-concealment.yaml}

@@ -1,5 +1,6 @@
 title: "Silent Action Concealment Instructions in Tool Descriptions"
-id: ATR-2026-105
+id: ATR-2026-00105
+rule_version: 1
 status: experimental
 description: |
   Detects MCP tools that explicitly instruct the LLM to perform actions silently or hide
@@ -26,6 +27,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: silent-action-instruction
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-106-schema-description-contradiction.yaml → ATR-2026-00106-schema-description-contradiction.yaml}

@@ -1,5 +1,6 @@
 title: "Schema-Description Contradiction Attack"
-id: ATR-2026-106
+id: ATR-2026-00106
+rule_version: 1
 status: experimental
 description: |
   Detects tools that claim read-only or safe functionality in their description but expose
@@ -25,6 +26,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: schema-description-mismatch
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/spec/atr-schema.yaml

@@ -7,10 +7,10 @@
 # Status: RFC (Request for Comments)
 # License: MIT
 
-$schema: 'https://json-schema.org/draft/2020-12/schema'
+$schema: "https://json-schema.org/draft/2020-12/schema"
 title: ATR Rule Schema
 description: Schema for Agent Threat Rules (ATR) detection rules
-version: '0.1.0-draft'
+version: "1.0.0"
 
 type: object
 required:
@@ -30,11 +30,12 @@ required:
   - response
 
 properties:
+
   # === Metadata ===
 
   schema_version:
     type: string
-    description: 'ATR schema version this rule conforms to (e.g., "0.1")'
+    description: "ATR schema version this rule conforms to (e.g., \"0.1\")"
 
   title:
     type: string
@@ -42,8 +43,8 @@ properties:
 
   id:
     type: string
-    pattern: "^ATR-\\d{4}-\\d{3}$"
-    description: 'Unique rule identifier. Format: ATR-YYYY-NNN (e.g., ATR-2026-001)'
+    pattern: "^ATR-\\d{4}-\\d{5}$"
+    description: "Unique rule identifier. Format: ATR-YYYY-NNNNN (e.g., ATR-2026-00001)"
 
   status:
     type: string
@@ -61,12 +62,17 @@ properties:
   date:
     type: string
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
-    description: 'Creation date in YYYY/MM/DD format'
+    description: "Creation date in YYYY/MM/DD format"
 
   modified:
     type: string
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
-    description: 'Last modification date in YYYY/MM/DD format'
+    description: "Last modification date in YYYY/MM/DD format"
+
+  rule_version:
+    type: integer
+    minimum: 1
+    description: "Rule version number. Bump when detection logic changes. Starts at 1."
 
   # === Classification ===
 
@@ -97,22 +103,42 @@ properties:
         type: array
         items:
           type: string
-        description: 'OWASP LLM Top 10 references (e.g., LLM01:2025)'
+        description: "OWASP LLM Top 10 references (e.g., LLM01:2025)"
       mitre_atlas:
         type: array
         items:
           type: string
-        description: 'MITRE ATLAS technique IDs (e.g., AML.T0054)'
+        description: "MITRE ATLAS technique IDs (e.g., AML.T0054)"
       mitre_attack:
         type: array
         items:
           type: string
-        description: 'MITRE ATT&CK technique IDs (if applicable)'
+        description: "MITRE ATT&CK technique IDs (if applicable)"
       cve:
         type: array
         items:
           type: string
         description: Related CVE identifiers
+      owasp_agentic:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Top 10 references (e.g., ASI01, ASI02)"
+      owasp_ast:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Skills Top 10 references (e.g., AST01)"
+      safe_mcp:
+        type: array
+        items:
+          type: string
+        description: "SAFE-MCP technique IDs (e.g., SMCP-T001)"
+      research:
+        type: array
+        items:
+          type: string
+        description: "Research paper references or URLs"
 
   # === Tags (ATR classification) ===
 
@@ -140,6 +166,10 @@ properties:
         type: string
         enum: [high, medium, low]
         description: Expected accuracy of this rule (high = low false positive rate)
+      scan_target:
+        type: string
+        enum: [mcp, skill, both, runtime]
+        description: "Which scan path this rule belongs to. mcp=runtime events, skill=SKILL.md static scan, both=fires in both paths, runtime=behavior monitoring."
 
   # === Agent Source (analogous to Sigma's logsource) ===
 
@@ -153,16 +183,16 @@ properties:
       type:
         type: string
         enum:
-          - llm_io # LLM input/output (prompts and completions)
-          - tool_call # Function/tool call requests
-          - mcp_exchange # MCP protocol messages
-          - agent_behavior # Agent behavioral metrics and patterns
-          - multi_agent_comm # Inter-agent communication
-          - context_window # Context window contents
-          - memory_access # Agent memory read/write operations
-          - skill_lifecycle # MCP skill registration, update, removal events
-          - skill_permission # Skill permission requests and boundary checks
-          - skill_chain # Multi-skill invocation sequences
+          - llm_io            # LLM input/output (prompts and completions)
+          - tool_call         # Function/tool call requests
+          - mcp_exchange      # MCP protocol messages
+          - agent_behavior    # Agent behavioral metrics and patterns
+          - multi_agent_comm  # Inter-agent communication
+          - context_window    # Context window contents
+          - memory_access     # Agent memory read/write operations
+          - skill_lifecycle   # MCP skill registration, update, removal events
+          - skill_permission  # Skill permission requests and boundary checks
+          - skill_chain       # Multi-skill invocation sequences
         description: Type of agent data stream to monitor
       framework:
         type: array
@@ -245,7 +275,7 @@ properties:
                   description: Numeric threshold for the metric
                 window:
                   type: string
-                  description: 'Time window for behavioral analysis (e.g., 5m, 1h, 30s)'
+                  description: "Time window for behavioral analysis (e.g., 5m, 1h, 30s)"
                 ordered:
                   type: boolean
                   description: Whether steps must occur in order
@@ -282,16 +312,16 @@ properties:
         items:
           type: string
           enum:
-            - block_input # Reject the user/agent input
-            - block_output # Suppress the agent output
-            - block_tool # Prevent the tool call from executing
+            - block_input        # Reject the user/agent input
+            - block_output       # Suppress the agent output
+            - block_tool         # Prevent the tool call from executing
             - quarantine_session # Isolate the entire session
-            - reset_context # Clear agent context/memory
-            - alert # Send alert to security team
-            - snapshot # Capture full session state for forensics
-            - escalate # Escalate to human reviewer
+            - reset_context      # Clear agent context/memory
+            - alert              # Send alert to security team
+            - snapshot           # Capture full session state for forensics
+            - escalate           # Escalate to human reviewer
             - reduce_permissions # Reduce agent's available tools/capabilities
-            - kill_agent # Terminate the agent process
+            - kill_agent         # Terminate the agent process
         description: Actions to take when the rule triggers
       auto_response_threshold:
         type: string