@panguard-ai/atr 1.4.3 → 1.5.1

package/dist/converters/splunk.d.ts

@@ -0,0 +1,19 @@
+/**
+ * ATR-to-Splunk SPL Converter
+ *
+ * Converts ATR YAML rules into Splunk Search Processing Language (SPL) queries
+ * that a SOC analyst can use as a starting point for threat hunting.
+ *
+ * @module agent-threat-rules/converters/splunk
+ */
+import type { ATRRule } from '../types.js';
+/**
+ * Convert an ATR rule to a Splunk SPL query string.
+ *
+ * The generated query includes:
+ * - Comment header with rule metadata
+ * - Index/sourcetype base search (generic, analyst should customize)
+ * - Condition clauses joined with appropriate logic
+ */
+export declare function ruleToSPL(rule: ATRRule): string;
+//# sourceMappingURL=splunk.d.ts.map

package/dist/converters/splunk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"splunk.d.ts","sourceRoot":"","sources":["../../src/converters/splunk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAqB,MAAM,aAAa,CAAC;AAoD9D;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAqG/C"}

package/dist/converters/splunk.js

@@ -0,0 +1,148 @@
+/**
+ * ATR-to-Splunk SPL Converter
+ *
+ * Converts ATR YAML rules into Splunk Search Processing Language (SPL) queries
+ * that a SOC analyst can use as a starting point for threat hunting.
+ *
+ * @module agent-threat-rules/converters/splunk
+ */
+/**
+ * Escape a string for use in Splunk SPL double-quoted values.
+ */
+function escapeForSPL(value) {
+    return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+/**
+ * Convert a single ATR array condition to an SPL clause.
+ *
+ * Supports operators: regex, contains, exact, starts_with, gt, lt, gte, lte, eq
+ */
+function conditionToSPL(cond) {
+    const field = cond.field;
+    const value = cond.value;
+    switch (cond.operator) {
+        case 'regex':
+            return `| regex ${field}="${escapeForSPL(value)}"`;
+        case 'contains':
+            return `${field}="*${escapeForSPL(value)}*"`;
+        case 'exact':
+            return `${field}="${escapeForSPL(value)}"`;
+        case 'starts_with':
+            return `${field}="${escapeForSPL(value)}*"`;
+        case 'gt':
+            return `| where ${field} > ${Number(value)}`;
+        case 'lt':
+            return `| where ${field} < ${Number(value)}`;
+        case 'gte':
+            return `| where ${field} >= ${Number(value)}`;
+        case 'lte':
+            return `| where ${field} <= ${Number(value)}`;
+        case 'eq':
+            return `| where ${field} == ${Number(value)}`;
+        default:
+            // Fallback: treat unknown operators as a contains search
+            return `${field}="*${escapeForSPL(value)}*"`;
+    }
+}
+/**
+ * Convert an ATR rule to a Splunk SPL query string.
+ *
+ * The generated query includes:
+ * - Comment header with rule metadata
+ * - Index/sourcetype base search (generic, analyst should customize)
+ * - Condition clauses joined with appropriate logic
+ */
+export function ruleToSPL(rule) {
+    const conditions = rule.detection.conditions;
+    const logic = rule.detection.condition; // "any" or "all"
+    const lines = [];
+    // Comment header with rule metadata
+    lines.push(`\`\`\` ATR Rule: ${rule.id} \`\`\``);
+    lines.push(`\`\`\` Title: ${rule.title} \`\`\``);
+    lines.push(`\`\`\` Severity: ${rule.severity} | Category: ${rule.tags.category} \`\`\``);
+    lines.push(`\`\`\` Source: ${rule.agent_source.type} | Condition logic: ${logic} \`\`\``);
+    lines.push('');
+    // Base search -- analyst should adjust index and sourcetype
+    lines.push('index=ai_agent_logs sourcetype=agent_events');
+    if (!Array.isArray(conditions)) {
+        // Named-map format: not common in current rules, emit a placeholder
+        lines.push('```` Warning: Named-map conditions not fully supported. Review manually. ````');
+        return lines.join('\n');
+    }
+    const arrayConditions = conditions;
+    if (arrayConditions.length === 0) {
+        return lines.join('\n');
+    }
+    // For "any" logic with regex conditions, we can combine them using
+    // a single regex with OR (|) alternation where possible, or use
+    // multiple search branches.
+    // For clarity and analyst usability, we emit each condition separately.
+    if (logic === 'all') {
+        // AND logic: chain all conditions sequentially
+        for (const cond of arrayConditions) {
+            lines.push(conditionToSPL(cond));
+        }
+    }
+    else {
+        // OR logic ("any"): use Splunk's multisearch or OR-joined search
+        // For regex conditions, wrap in a single eval+match approach
+        // For simplicity and readability, use OR-joined subsearches
+        const regexConditions = arrayConditions.filter(c => c.operator === 'regex');
+        const otherConditions = arrayConditions.filter(c => c.operator !== 'regex');
+        if (regexConditions.length > 0 && otherConditions.length === 0) {
+            // All regex: combine with OR in eval/match
+            lines.push('| where (');
+            const regexClauses = regexConditions.map((cond, i) => {
+                const prefix = i === 0 ? '    ' : '    OR ';
+                return `${prefix}match(${cond.field}, "${escapeForSPL(cond.value)}")`;
+            });
+            lines.push(...regexClauses);
+            lines.push(')');
+        }
+        else {
+            // Mixed operators: emit each as separate OR clause
+            lines.push('| where (');
+            const clauses = [];
+            for (const cond of arrayConditions) {
+                switch (cond.operator) {
+                    case 'regex':
+                        clauses.push(`match(${cond.field}, "${escapeForSPL(cond.value)}")`);
+                        break;
+                    case 'contains':
+                        clauses.push(`like(${cond.field}, "%${escapeForSPL(cond.value)}%")`);
+                        break;
+                    case 'exact':
+                        clauses.push(`${cond.field}="${escapeForSPL(cond.value)}"`);
+                        break;
+                    case 'starts_with':
+                        clauses.push(`like(${cond.field}, "${escapeForSPL(cond.value)}%")`);
+                        break;
+                    case 'gt':
+                        clauses.push(`${cond.field} > ${Number(cond.value)}`);
+                        break;
+                    case 'lt':
+                        clauses.push(`${cond.field} < ${Number(cond.value)}`);
+                        break;
+                    case 'gte':
+                        clauses.push(`${cond.field} >= ${Number(cond.value)}`);
+                        break;
+                    case 'lte':
+                        clauses.push(`${cond.field} <= ${Number(cond.value)}`);
+                        break;
+                    case 'eq':
+                        clauses.push(`${cond.field} == ${Number(cond.value)}`);
+                        break;
+                    default:
+                        clauses.push(`like(${cond.field}, "%${escapeForSPL(cond.value)}%")`);
+                }
+            }
+            lines.push(clauses.map((c, i) => (i === 0 ? `    ${c}` : `    OR ${c}`)).join('\n'));
+            lines.push(')');
+        }
+    }
+    // Add a table output for the analyst
+    const fields = [...new Set(arrayConditions.map(c => c.field))];
+    lines.push(`| table _time ${fields.join(' ')} source`);
+    return lines.join('\n');
+}
+//# sourceMappingURL=splunk.js.map

package/dist/converters/splunk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"splunk.js","sourceRoot":"","sources":["../../src/converters/splunk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,IAAuB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAEzB,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,KAAK,OAAO;YACV,OAAO,WAAW,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;QAErD,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;QAE/C,KAAK,OAAO;YACV,OAAO,GAAG,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;QAE7C,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;QAE9C,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,MAAM,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAE/C,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,MAAM,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAE/C,KAAK,KAAK;YACR,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD,KAAK,KAAK;YACR,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD;YACE,yDAAyD;YACzD,OAAO,GAAG,KAAK,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,IAAa;IACrC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,iBAAiB;IAEzD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,oCAAoC;IACpC,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,EAAE,SAAS,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,QAAQ,gBAAgB,IAAI,CAAC,IAAI,CAAC,QAAQ,SAAS,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,YAAY,CAAC,IAAI,uBAAuB,KAAK,SAAS,CAAC,CAAC;IAC1F,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4DAA4D;IAC5D,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAE1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,oEAAoE;QACpE,KAAK,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;QAC5F,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,eAAe,GAAG,UAAiC,CAAC;IAE1D,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,mEAAmE;IACnE,gEAAgE;IAChE,4BAA4B;IAC5B,wEAAwE;IAExE,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,+CAA+C;QAC/C,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,6DAA6D;QAC7D,4DAA4D;QAC5D,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;QAC5E,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;QAE5E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/D,2CAA2C;YAC3C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;gBACnD,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC5C,OAAO,GAAG,MAAM,SAAS,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YACxE,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;gBACnC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACtB,KAAK,OAAO;wBACV,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBACpE,MAAM;oBACR,KAAK,UAAU;wBACb,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;wBACrE,MAAM;oBACR,KAAK,OAAO;wBACV,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,KAAK,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;wBAC5D,MAAM;oBACR,KAAK,aAAa;wBAChB,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;wBACpE,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACtD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACtD,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR;wBACE,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACrF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEvD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/coverage-analyzer.d.ts

@@ -0,0 +1,43 @@
+/**
+ * ATR Coverage Analyzer - Analyzes rule sets for coverage gaps
+ * against OWASP Agentic Top 10 and MITRE ATLAS frameworks.
+ * @module agent-threat-rules/coverage-analyzer
+ */
+import type { ATRRule } from './types.js';
+export interface CoverageGap {
+    framework: string;
+    riskId: string;
+    riskName: string;
+    currentRuleCount: number;
+    recommendedMin: number;
+}
+export interface CoverageReport {
+    totalRules: number;
+    gaps: CoverageGap[];
+    categoryDistribution: Record<string, number>;
+    suggestions: string[];
+}
+export declare class CoverageAnalyzer {
+    private readonly rules;
+    constructor(rules: readonly ATRRule[]);
+    /**
+     * Analyze the rule set for coverage gaps against OWASP Agentic Top 10,
+     * MITRE ATLAS, and ATR category distribution.
+     */
+    analyze(): CoverageReport;
+    /**
+     * Count how many active rules cover a given framework item,
+     * either by ATR category match or by explicit reference in rule metadata.
+     */
+    private countCoveringRules;
+    /**
+     * Build a distribution count of rules per ATR category.
+     */
+    private buildCategoryDistribution;
+    /**
+     * Generate human-readable suggestions based on identified gaps
+     * and category distribution.
+     */
+    private generateSuggestions;
+}
+//# sourceMappingURL=coverage-analyzer.d.ts.map

package/dist/coverage-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"coverage-analyzer.d.ts","sourceRoot":"","sources":["../src/coverage-analyzer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAe,MAAM,YAAY,CAAC;AAEvD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,WAAW,EAAE,CAAC;IACpB,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AA4ND,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqB;gBAE/B,KAAK,EAAE,SAAS,OAAO,EAAE;IAIrC;;;OAGG;IACH,OAAO,IAAI,cAAc;IA2CzB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IA0B1B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAiBjC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;CA6D5B"}

package/dist/coverage-analyzer.js

@@ -0,0 +1,329 @@
+/**
+ * ATR Coverage Analyzer - Analyzes rule sets for coverage gaps
+ * against OWASP Agentic Top 10 and MITRE ATLAS frameworks.
+ * @module agent-threat-rules/coverage-analyzer
+ */
+const OWASP_AGENTIC_TOP_10 = [
+    {
+        id: 'ASI01',
+        name: 'Prompt Injection',
+        categories: ['prompt-injection'],
+        recommendedMin: 3,
+    },
+    {
+        id: 'ASI02',
+        name: 'Tool/Skill Poisoning',
+        categories: ['tool-poisoning'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI03',
+        name: 'Insecure Output Handling',
+        categories: ['context-exfiltration'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI04',
+        name: 'Privilege Escalation',
+        categories: ['privilege-escalation'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI05',
+        name: 'Data Poisoning',
+        categories: ['data-poisoning'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI06',
+        name: 'Excessive Autonomy',
+        categories: ['excessive-autonomy'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI07',
+        name: 'Multi-Agent Manipulation',
+        categories: ['agent-manipulation'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI08',
+        name: 'Model Abuse',
+        categories: ['model-abuse'],
+        recommendedMin: 2,
+    },
+    {
+        id: 'ASI09',
+        name: 'Insufficient Logging',
+        categories: [],
+        recommendedMin: 1,
+        noDirectRules: true,
+    },
+    {
+        id: 'ASI10',
+        name: 'Supply Chain Compromise',
+        categories: ['skill-compromise'],
+        recommendedMin: 2,
+    },
+];
+// ---------------------------------------------------------------------------
+// MITRE ATLAS techniques to check
+// ---------------------------------------------------------------------------
+const MITRE_ATLAS_TECHNIQUES = [
+    {
+        id: 'AML.T0051',
+        name: 'LLM Prompt Injection',
+        categories: ['prompt-injection'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0051.000',
+        name: 'LLM Prompt Injection: Direct',
+        categories: ['prompt-injection'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0051.001',
+        name: 'LLM Prompt Injection: Indirect',
+        categories: ['prompt-injection'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0053',
+        name: 'Data Poisoning',
+        categories: ['data-poisoning'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0056',
+        name: 'LLM Plugin Compromise',
+        categories: ['tool-poisoning', 'skill-compromise'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0010',
+        name: 'ML Supply Chain Compromise',
+        categories: ['skill-compromise', 'tool-poisoning'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0020',
+        name: 'Poison Training Data',
+        categories: ['data-poisoning'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0018',
+        name: 'Backdoor ML Model',
+        categories: ['model-abuse', 'data-poisoning'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0024',
+        name: 'Exfiltration via ML Inference API',
+        categories: ['context-exfiltration'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0040',
+        name: 'ML Model Inference API Access',
+        categories: ['model-abuse'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0043',
+        name: 'Craft Adversarial Data',
+        categories: ['data-poisoning', 'prompt-injection'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0044',
+        name: 'Full ML Model Access',
+        categories: ['model-abuse'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0046',
+        name: 'Evade ML Model',
+        categories: ['prompt-injection', 'agent-manipulation'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0047',
+        name: 'ML-Enabled Product/Service Abuse',
+        categories: ['model-abuse', 'excessive-autonomy'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0050',
+        name: 'Command and Control via ML Service',
+        categories: ['agent-manipulation'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0052.000',
+        name: 'Phishing via LLM',
+        categories: ['model-abuse'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0054',
+        name: 'LLM Jailbreak',
+        categories: ['prompt-injection'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0055',
+        name: 'Unsafe LLM Output',
+        categories: ['context-exfiltration', 'model-abuse'],
+        recommendedMin: 1,
+    },
+    {
+        id: 'AML.T0057',
+        name: 'LLM Data Leakage',
+        categories: ['context-exfiltration'],
+        recommendedMin: 1,
+    },
+];
+// ---------------------------------------------------------------------------
+// All 9 ATR categories
+// ---------------------------------------------------------------------------
+const ALL_ATR_CATEGORIES = [
+    'prompt-injection',
+    'tool-poisoning',
+    'context-exfiltration',
+    'agent-manipulation',
+    'privilege-escalation',
+    'excessive-autonomy',
+    'data-poisoning',
+    'model-abuse',
+    'skill-compromise',
+];
+// ---------------------------------------------------------------------------
+// CoverageAnalyzer
+// ---------------------------------------------------------------------------
+export class CoverageAnalyzer {
+    rules;
+    constructor(rules) {
+        this.rules = rules;
+    }
+    /**
+     * Analyze the rule set for coverage gaps against OWASP Agentic Top 10,
+     * MITRE ATLAS, and ATR category distribution.
+     */
+    analyze() {
+        const activeRules = this.rules.filter((r) => r.status !== 'deprecated');
+        const categoryDistribution = this.buildCategoryDistribution(activeRules);
+        const gaps = [];
+        // Check OWASP Agentic Top 10
+        for (const item of OWASP_AGENTIC_TOP_10) {
+            const count = this.countCoveringRules(activeRules, item);
+            if (count < item.recommendedMin) {
+                gaps.push({
+                    framework: 'OWASP Agentic Top 10',
+                    riskId: item.id,
+                    riskName: item.name,
+                    currentRuleCount: count,
+                    recommendedMin: item.recommendedMin,
+                });
+            }
+        }
+        // Check MITRE ATLAS techniques
+        for (const item of MITRE_ATLAS_TECHNIQUES) {
+            const count = this.countCoveringRules(activeRules, item);
+            if (count < item.recommendedMin) {
+                gaps.push({
+                    framework: 'MITRE ATLAS',
+                    riskId: item.id,
+                    riskName: item.name,
+                    currentRuleCount: count,
+                    recommendedMin: item.recommendedMin,
+                });
+            }
+        }
+        const suggestions = this.generateSuggestions(gaps, categoryDistribution);
+        return {
+            totalRules: activeRules.length,
+            gaps,
+            categoryDistribution,
+            suggestions,
+        };
+    }
+    /**
+     * Count how many active rules cover a given framework item,
+     * either by ATR category match or by explicit reference in rule metadata.
+     */
+    countCoveringRules(activeRules, item) {
+        if (item.noDirectRules) {
+            return 0;
+        }
+        const covering = new Set();
+        for (const rule of activeRules) {
+            const matchesCategory = item.categories.includes(rule.tags.category);
+            const matchesOwaspRef = rule.references?.owasp_llm?.some((ref) => ref.includes(item.id)) ?? false;
+            const matchesMitreRef = rule.references?.mitre_atlas?.some((ref) => ref.includes(item.id)) ?? false;
+            if (matchesCategory || matchesOwaspRef || matchesMitreRef) {
+                covering.add(rule.id);
+            }
+        }
+        return covering.size;
+    }
+    /**
+     * Build a distribution count of rules per ATR category.
+     */
+    buildCategoryDistribution(activeRules) {
+        const dist = {};
+        for (const cat of ALL_ATR_CATEGORIES) {
+            dist[cat] = 0;
+        }
+        for (const rule of activeRules) {
+            const cat = rule.tags.category;
+            dist[cat] = (dist[cat] ?? 0) + 1;
+        }
+        return dist;
+    }
+    /**
+     * Generate human-readable suggestions based on identified gaps
+     * and category distribution.
+     */
+    generateSuggestions(gaps, categoryDistribution) {
+        const suggestions = [];
+        // Group OWASP gaps
+        const owaspGaps = gaps.filter((g) => g.framework === 'OWASP Agentic Top 10');
+        if (owaspGaps.length > 0) {
+            const ids = owaspGaps.map((g) => g.riskId).join(', ');
+            suggestions.push(`OWASP Agentic Top 10 coverage gaps found for: ${ids}. ` +
+                `Create rules targeting these risk areas to improve coverage.`);
+        }
+        // Group MITRE gaps
+        const mitreGaps = gaps.filter((g) => g.framework === 'MITRE ATLAS');
+        if (mitreGaps.length > 0) {
+            const ids = mitreGaps.map((g) => g.riskId).join(', ');
+            suggestions.push(`MITRE ATLAS technique coverage gaps found for: ${ids}. ` +
+                `Add detection rules or reference mappings for these techniques.`);
+        }
+        // Check for empty categories
+        const emptyCategories = ALL_ATR_CATEGORIES.filter((cat) => (categoryDistribution[cat] ?? 0) === 0);
+        if (emptyCategories.length > 0) {
+            suggestions.push(`No rules found for ATR categories: ${emptyCategories.join(', ')}. ` +
+                `Consider adding at least one rule per category for baseline coverage.`);
+        }
+        // ASI09 (Insufficient Logging) always appears as a gap since no direct rules exist
+        const asi09Gap = gaps.find((g) => g.riskId === 'ASI09');
+        if (asi09Gap) {
+            suggestions.push(`ASI09 (Insufficient Logging) has no direct ATR rule category. ` +
+                `Consider implementing logging validation at the agent framework level ` +
+                `rather than through detection rules.`);
+        }
+        // Suggest overall improvement if many gaps
+        if (gaps.length > 10) {
+            suggestions.push(`${gaps.length} total coverage gaps detected. Prioritize OWASP Agentic Top 10 ` +
+                `gaps first, then address MITRE ATLAS technique gaps.`);
+        }
+        if (suggestions.length === 0) {
+            suggestions.push('Rule coverage looks good across both OWASP and MITRE frameworks.');
+        }
+        return suggestions;
+    }
+}
+//# sourceMappingURL=coverage-analyzer.js.map

package/dist/coverage-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"coverage-analyzer.js","sourceRoot":"","sources":["../src/coverage-analyzer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgCH,MAAM,oBAAoB,GAA6B;IACrD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kBAAkB;QACxB,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC;QAC9B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,UAAU,EAAE,CAAC,sBAAsB,CAAC;QACpC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,CAAC,sBAAsB,CAAC;QACpC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gBAAgB;QACtB,UAAU,EAAE,CAAC,gBAAgB,CAAC;QAC9B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,UAAU,EAAE,CAAC,oBAAoB,CAAC;QAClC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,UAAU,EAAE,CAAC,oBAAoB,CAAC;QAClC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,CAAC,aAAa,CAAC;QAC3B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,EAAE;QACd,cAAc,EAAE,CAAC;QACjB,aAAa,EAAE,IAAI;KACpB;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;CACF,CAAC;AAEF,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,MAAM,sBAAsB,GAA6B;IACvD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,8BAA8B;QACpC,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,gCAAgC;QACtC,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,UAAU,EAAE,CAAC,gBAAgB,CAAC;QAC9B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,uBAAuB;QAC7B,UAAU,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,CAAC;QAClD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,4BAA4B;QAClC,UAAU,EAAE,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;QAClD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC;QAC9B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,mBAAmB;QACzB,UAAU,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;QAC7C,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,mCAAmC;QACzC,UAAU,EAAE,CAAC,sBAAsB,CAAC;QACpC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,+BAA+B;QACrC,UAAU,EAAE,CAAC,aAAa,CAAC;QAC3B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,wBAAwB;QAC9B,UAAU,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,CAAC;QAClD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,sBAAsB;QAC5B,UAAU,EAAE,CAAC,aAAa,CAAC;QAC3B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,UAAU,EAAE,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;QACtD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kCAAkC;QACxC,UAAU,EAAE,CAAC,aAAa,EAAE,oBAAoB,CAAC;QACjD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,oCAAoC;QAC1C,UAAU,EAAE,CAAC,oBAAoB,CAAC;QAClC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,kBAAkB;QACxB,UAAU,EAAE,CAAC,aAAa,CAAC;QAC3B,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,eAAe;QACrB,UAAU,EAAE,CAAC,kBAAkB,CAAC;QAChC,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,mBAAmB;QACzB,UAAU,EAAE,CAAC,sBAAsB,EAAE,aAAa,CAAC;QACnD,cAAc,EAAE,CAAC;KAClB;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,UAAU,EAAE,CAAC,sBAAsB,CAAC;QACpC,cAAc,EAAE,CAAC;KAClB;CACF,CAAC;AAEF,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,kBAAkB,GAA2B;IACjD,kBAAkB;IAClB,gBAAgB;IAChB,sBAAsB;IACtB,oBAAoB;IACpB,sBAAsB;IACtB,oBAAoB;IACpB,gBAAgB;IAChB,aAAa;IACb,kBAAkB;CACnB,CAAC;AAEF,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IACV,KAAK,CAAqB;IAE3C,YAAY,KAAyB;QACnC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,YAAY,CAAC,CAAC;QACxE,MAAM,oBAAoB,GAAG,IAAI,CAAC,yBAAyB,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,IAAI,GAAkB,EAAE,CAAC;QAE/B,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,oBAAoB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YACzD,IAAI,KAAK,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAChC,IAAI,CAAC,IAAI,CAAC;oBACR,SAAS,EAAE,sBAAsB;oBACjC,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,gBAAgB,EAAE,KAAK;oBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,KAAK,MAAM,IAAI,IAAI,sBAAsB,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YACzD,IAAI,KAAK,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAChC,IAAI,CAAC,IAAI,CAAC;oBACR,SAAS,EAAE,aAAa;oBACxB,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,gBAAgB,EAAE,KAAK;oBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;QAEzE,OAAO;YACL,UAAU,EAAE,WAAW,CAAC,MAAM;YAC9B,IAAI;YACJ,oBAAoB;YACpB,WAAW;SACZ,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,kBAAkB,CACxB,WAA+B,EAC/B,IAAmB;QAEnB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAErE,MAAM,eAAe,GACnB,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,CAAC;YAC5E,MAAM,eAAe,GACnB,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,CAAC;YAE9E,IAAI,eAAe,IAAI,eAAe,IAAI,eAAe,EAAE,CAAC;gBAC1D,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED;;OAEG;IACK,yBAAyB,CAC/B,WAA+B;QAE/B,MAAM,IAAI,GAA2B,EAAE,CAAC;QAExC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC/B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,mBAAmB,CACzB,IAA4B,EAC5B,oBAAsD;QAEtD,MAAM,WAAW,GAAa,EAAE,CAAC;QAEjC,mBAAmB;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,sBAAsB,CAAC,CAAC;QAC7E,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,WAAW,CAAC,IAAI,CACd,iDAAiD,GAAG,IAAI;gBACxD,8DAA8D,CAC/D,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,aAAa,CAAC,CAAC;QACpE,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,WAAW,CAAC,IAAI,CACd,kDAAkD,GAAG,IAAI;gBACzD,iEAAiE,CAClE,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAC/C,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAChD,CAAC;QACF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,WAAW,CAAC,IAAI,CACd,sCAAsC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBACpE,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,mFAAmF;QACnF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;QACxD,IAAI,QAAQ,EAAE,CAAC;YACb,WAAW,CAAC,IAAI,CACd,gEAAgE;gBAChE,wEAAwE;gBACxE,sCAAsC,CACvC,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACrB,WAAW,CAAC,IAAI,CACd,GAAG,IAAI,CAAC,MAAM,iEAAiE;gBAC/E,sDAAsD,CACvD,CAAC;QACJ,CAAC;QAED,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,WAAW,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;QACvF,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF"}

package/dist/embedding/build-corpus.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env npx tsx
+/**
+ * Build attack embedding corpus from ATR rule test cases.
+ *
+ * Reads all stable ATR rules, extracts true_positive test cases,
+ * encodes them through all-MiniLM-L6-v2, and saves as JSON.
+ *
+ * Usage:
+ *   npx tsx src/embedding/build-corpus.ts
+ *
+ * Output:
+ *   data/attack-embeddings.json
+ */
+export {};
+//# sourceMappingURL=build-corpus.d.ts.map

package/dist/embedding/build-corpus.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-corpus.d.ts","sourceRoot":"","sources":["../../src/embedding/build-corpus.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG"}