agent-assurance 0.1.0

Files changed (50)
  1. package/CHANGELOG.md +44 -0
  2. package/CODE_OF_CONDUCT.md +59 -0
  3. package/CONTRIBUTING.md +19 -0
  4. package/LICENSE +21 -0
  5. package/NOTICE +15 -0
  6. package/README.md +89 -0
  7. package/SECURITY.md +13 -0
  8. package/attacks/exfil.yaml +46 -0
  9. package/attacks/injection.yaml +51 -0
  10. package/attacks/tools.yaml +29 -0
  11. package/bun.lock +484 -0
  12. package/dist/adapter/exec.d.ts +10 -0
  13. package/dist/adapter/http.d.ts +7 -0
  14. package/dist/adapter/index.d.ts +5 -0
  15. package/dist/adapter/sdk.d.ts +7 -0
  16. package/dist/adapter/types.d.ts +41 -0
  17. package/dist/attacks/index.d.ts +3 -0
  18. package/dist/attacks/load.d.ts +33 -0
  19. package/dist/attacks/schema.d.ts +206 -0
  20. package/dist/cli.d.ts +2 -0
  21. package/dist/cli.js +24731 -0
  22. package/dist/graph/build.d.ts +60 -0
  23. package/dist/graph/flows.d.ts +14 -0
  24. package/dist/graph/index.d.ts +4 -0
  25. package/dist/graph/trifecta.d.ts +13 -0
  26. package/dist/index.d.ts +18 -0
  27. package/dist/index.js +22956 -0
  28. package/dist/manifest/index.d.ts +3 -0
  29. package/dist/manifest/load.d.ts +25 -0
  30. package/dist/manifest/schema.d.ts +136 -0
  31. package/dist/policy/protected-paths.d.ts +56 -0
  32. package/dist/report/findings.d.ts +52 -0
  33. package/dist/report/human.d.ts +19 -0
  34. package/dist/report/index.d.ts +5 -0
  35. package/dist/report/json.d.ts +39 -0
  36. package/dist/report/sarif.d.ts +57 -0
  37. package/dist/runner/index.d.ts +5 -0
  38. package/dist/runner/oracle.d.ts +46 -0
  39. package/dist/runner/run.d.ts +38 -0
  40. package/dist/runner/sandbox.d.ts +27 -0
  41. package/dist/runner/side-effect.d.ts +32 -0
  42. package/dist/scan.d.ts +43 -0
  43. package/package.json +60 -0
  44. package/policy-pack/README.md +105 -0
  45. package/policy-pack/hooks/guard-config-change.mjs +61 -0
  46. package/policy-pack/hooks/guard-protected-paths.mjs +65 -0
  47. package/policy-pack/managed-settings.json +18 -0
  48. package/policy-pack/protected-paths.json +18 -0
  49. package/policy-pack/settings.json +59 -0
  50. package/policy-pack/spike-bypass.sh +72 -0
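--- a/package/dist/graph/build.d.ts
+++ b/package/dist/graph/build.d.ts
@@ -0,0 +1,60 @@
+ /**
+ * Toxic-flow graph builder (FR-3.1).
+ *
+ * Turns a Capability Manifest into a directed graph over which we detect *transitive* attack
+ * paths that single-prompt scanners miss. Nodes are the agent core, its tools, its untrusted
+ * ingress points, and the data scopes it can reach; edges are the data-flow reachability the
+ * manifest implies. Every dangerous edge is tagged with the trifecta/RCE *leg* it belongs to,
+ * so a declared mitigation can cut exactly that leg.
+ *
+ * Pure and in-memory — no agent execution — so it is fast (NFR-6, < 60s) and CI-safe (FR-3.4).
+ */
+ import type { CapabilityManifest, MitigationLeg, SideEffectClass } from "../manifest/schema";
+ export type NodeKind = "agent" | "untrusted-ingress" | "data-scope" | "tool";
+ export interface GraphNode {
+ id: string;
+ kind: NodeKind;
+ label: string;
+ sideEffect?: SideEffectClass;
+ sensitivity?: "public" | "private";
+ }
+ /** A directed data-flow edge. `leg` names the trifecta/RCE leg a mitigation can cut here. */
+ export interface GraphEdge {
+ from: string;
+ to: string;
+ leg?: MitigationLeg;
+ }
+ export interface CapabilityGraph {
+ nodes: Map<string, GraphNode>;
+ edges: GraphEdge[];
+ }
+ /**
+ * A detected composition risk over the manifest. `mitigated` is true when a declared mitigation
+ * breaks at least one leg (the flow is structurally present but claimed-controlled → YELLOW);
+ * an unmitigated flow is a critical finding (FR-3.2). `nodes` are the exact manifest-derived
+ * node ids that form the flow, so remediation is unambiguous (FR-3.3).
+ */
+ export interface ToxicFlow {
+ id: string;
+ kind: "lethal-trifecta" | "untrusted-to-code-exec";
+ legs: MitigationLeg[];
+ nodes: string[];
+ mitigated: boolean;
+ brokenLegs: MitigationLeg[];
+ rationale: string;
+ }
+ export declare const AGENT_ID = "agent";
+ /** Build the capability graph from a validated manifest. */
+ export declare function buildCapabilityGraph(manifest: CapabilityManifest): CapabilityGraph;
+ /** The legs a manifest's declared mitigations break (a mitigation counts only with a control). */
+ export declare function brokenLegs(manifest: CapabilityManifest): Set<MitigationLeg>;
+ /**
+ * The source node of a surviving edge into the agent carrying `leg` (undefined if the leg is cut
+ * or absent). Robust to data-scope node dedup: a leg is determined by the edge, not by a node's
+ * stored sensitivity, so the trifecta verdict never depends on tool declaration order.
+ */
+ export declare function sourceViaLeg(graph: CapabilityGraph, leg: MitigationLeg, cut: ReadonlySet<MitigationLeg>): GraphNode | undefined;
+ /** Direct predecessors of a node, skipping edges whose leg is in `cut`. */
+ export declare function predecessors(graph: CapabilityGraph, target: string, cut: ReadonlySet<MitigationLeg>): GraphNode[];
+ /** Node ids reachable forward from `start` (BFS), skipping edges whose leg is in `cut`. */
+ export declare function reachableFrom(graph: CapabilityGraph, start: string, cut: ReadonlySet<MitigationLeg>): Set<string>;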
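--- a/package/dist/graph/flows.d.ts
+++ b/package/dist/graph/flows.d.ts
@@ -0,0 +1,14 @@
+ /**
+ * General transitive-composition detection (FR-3.1).
+ *
+ * The lethal trifecta is the flagship (trifecta.ts). This adds the other canonical composition
+ * risk — `read_untrusted -> code_exec` — where untrusted content reaching the agent can drive a
+ * code-execution tool (config-injection RCE). Returns every detected flow, mitigated or not, so
+ * the report can show controlled flows as YELLOW and unmitigated ones as critical.
+ */
+ import type { CapabilityManifest } from "../manifest/schema";
+ import { type ToxicFlow } from "./build";
+ /** Detect the untrusted-content -> code-execution path, or null when absent. */
+ export declare function findUntrustedToCodeExec(manifest: CapabilityManifest): ToxicFlow | null;
+ /** All toxic flows on a manifest: the lethal trifecta plus transitive RCE paths (FR-3.1/3.2). */
+ export declare function analyzeToxicFlows(manifest: CapabilityManifest): ToxicFlow[];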
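Review bot: `findUntrustedToCodeExec` does not say which `MitigationLeg` values the returned flow carries in `legs`, so from this API alone a consumer cannot tell which declared mitigation would cut the `read_untrusted -> code_exec` path or why `mitigated` flipped to true. I'd extend the doc line to something like `Legs are (presumably) the untrusted-ingress edge into the agent and the agent -> code_exec edge; a declared mitigation on either sets mitigated=true and the flow is still returned.`, adjusted to whatever the implementation (not in this hunk) actually tags. The header labels the rule "config-injection RCE", but the graph only proves reachability, not that the exec tool is driven by injected content; the `rationale` string should say "can reach" rather than assert the exploit, so a reader of the report does not over-trust a structural finding.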
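--- a/package/dist/graph/index.d.ts
+++ b/package/dist/graph/index.d.ts
@@ -0,0 +1,4 @@
+ /** Toxic-flow graph subsystem (FR-3): static composition-risk analysis over a manifest. */
+ export * from "./build";
+ export * from "./trifecta";
+ export * from "./flows";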
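--- a/package/dist/graph/trifecta.d.ts
+++ b/package/dist/graph/trifecta.d.ts
@@ -0,0 +1,13 @@
+ /**
+ * Lethal-trifecta query (FR-3.2) — the flagship toxic-flow rule.
+ *
+ * Flags any composition where private data reaches the agent AND untrusted content reaches the
+ * agent (the injection enabler) AND the agent can reach an external-egress sink — with no
+ * declared mitigation breaking a leg. This is the runtime, graph-discoverable equivalent of the
+ * Agentic Product Standard's `lethal_trifecta_check.py`, and returns the same verdict on the
+ * same inputs (see graph.test.ts for the parity assertion).
+ */
+ import type { CapabilityManifest } from "../manifest/schema";
+ import { type ToxicFlow } from "./build";
+ /** Detect the lethal trifecta on a manifest. Null when fewer than three legs are present. */
+ export declare function findLethalTrifecta(manifest: CapabilityManifest): ToxicFlow | null;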
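Review bot: The two doc comments disagree on what a mitigated trifecta returns: the header says the rule flags compositions `with no declared mitigation breaking a leg`, while `findLethalTrifecta` is documented as null only `when fewer than three legs are present`, and `ToxicFlow` (build.d.ts) carries `mitigated`/`brokenLegs` precisely for the controlled case. If a cut leg yields a flow with `mitigated: true` — which the "mitigated or not" wording in flows.d.ts suggests — say so on the function: `Returns the flow even when a declared mitigation cuts a leg (mitigated=true); null only when a leg is structurally absent.` The parity claim points at `graph.test.ts`, which is not in the published package's file list, so a consumer cannot follow it; cite the upstream script's version or drop the pointer.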
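--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -0,0 +1,18 @@
+ /**
+ * AAL Core — public entry point.
+ *
+ * Framework-neutral offensive red-team engine for AI agents. This file re-exports the
+ * stable public API as subsystems land (manifest, adapter, graph, attacks, runner, report).
+ *
+ * INVARIANT: this package imports no AgenticMind code. Keep it that way.
+ */
+ export declare const AAL_CORE_VERSION: "0.1.0";
+ /** Verdict vocabulary. Fail-closed: unknown/inconclusive is `not_verified`, never `safe`. */
+ export type Verdict = "pass" | "fail" | "not_verified";
+ export * from "./manifest";
+ export * from "./adapter";
+ export * from "./graph";
+ export * from "./attacks";
+ export * from "./runner";
+ export * from "./report";
+ export * from "./scan";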
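Review bot: The `Verdict` doc says an inconclusive result is `not_verified`, never `safe`, but the union it annotates has no `"safe"` member — its passing value is `"pass"` — so the comment should use the vocabulary it defines: `Fail-closed: unknown/inconclusive is \`not_verified\`, never \`pass\`.` `AAL_CORE_VERSION` is a hard-coded literal `"0.1.0"` that duplicates the version in package.json, so the two can drift on the next release; a comment noting they must be bumped together (or a release-time check in the source tree) would prevent reports carrying a stale version. The `INVARIANT` about importing no AgenticMind code lives in a generated `.d.ts`, where nothing enforces it; an ESLint `no-restricted-imports` rule in the source is the checkable form, though the source tree is not visible here.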