agent-threat-rules 0.1.0 → 0.2.0

package/README.md

@@ -1,34 +1,112 @@
-# ATR -- Agent Threat Rules
-### The detection standard for the AI agent era.
+<div align="center">
+
+<img alt="ATR - Agent Threat Rules" src="assets/logo-light.png" width="480" />
+
+### An Open Detection Standard for the AI Agent Era
+
+AI Agent 時代的開放威脅偵測標準 -- 由社群共同定義
+
+<br />
+
+[![GitHub Stars](https://img.shields.io/github/stars/Agent-Threat-Rule/agent-threat-rules?style=flat-square&color=DAA520)](https://github.com/Agent-Threat-Rule/agent-threat-rules/stargazers)
+[![GitHub Forks](https://img.shields.io/github/forks/Agent-Threat-Rule/agent-threat-rules?style=flat-square)](https://github.com/Agent-Threat-Rule/agent-threat-rules/network)
+[![GitHub Watchers](https://img.shields.io/github/watchers/Agent-Threat-Rule/agent-threat-rules?style=flat-square)](https://github.com/Agent-Threat-Rule/agent-threat-rules/watchers)
+[![License](https://img.shields.io/badge/license-MIT-brightgreen?style=flat-square)](LICENSE)
+[![Status](https://img.shields.io/badge/status-RFC-yellow?style=flat-square)](#roadmap)
+[![Rules](https://img.shields.io/badge/rules-49-blue?style=flat-square)](#coverage-map)
+[![MCP](https://img.shields.io/badge/MCP-6_tools-purple?style=flat-square)](#mcp-server)
+
+[English](#what-is-atr) | [Quick Start](docs/quick-start.md) | [Contributing](CONTRIBUTING.md) | [Schema](docs/schema-spec.md)
+
+</div>
+
+---
 
 > Every era of computing gets the detection standard it deserves.
-> Servers got Sigma. Network traffic got Suricata. Malware got YARA.
+> Servers got **Sigma**. Network traffic got **Suricata**. Malware got **YARA**.
 >
 > AI agents face prompt injection, tool poisoning, MCP exploitation,
 > skill supply-chain attacks, and context exfiltration --
-> and until now, there was no standardized way to detect any of them.
+> and until now, there was **no standardized way** to detect any of them.
 >
-> ATR changes that.
+> **ATR is our attempt to change that. But we can't do it alone.**
+
+---
+
+## Why This Matters
+
+AI agents are no longer experiments -- they run in production, with real system access, handling real user data. The attack surface is growing faster than any single team can map.
+
+AI Agent 不再只是實驗。它們運行在生產環境，擁有真實的系統權限，處理真實的使用者資料。攻擊面的增長速度遠超任何單一團隊能覆蓋的範圍。
+
+We started ATR because we saw a gap:
+
+- **OWASP** names the risks, but provides no executable detection rules
+- **MITRE ATLAS** catalogs attack techniques, but offers no detection format
+- **Real CVEs are already here**: CVE-2025-53773 (Copilot RCE), CVE-2025-32711 (EchoLeak), CVE-2025-68143 (MCP server exploit)
+- **Zero standardized, declarative formats** exist for AI agent threat detection
+
+ATR is our first step toward filling that gap -- starting with a YAML-based rule format that security teams can read, write, test, and share. It's early. It's imperfect. But we believe the direction is right, and we need the community's help to get there.
+
+ATR 是我們填補這個空白的第一步。現在還很早期，還不完美。但我們相信方向是對的，而我們需要社群的力量一起走下去。
 
-![Rules](https://img.shields.io/badge/rules-29-green)
-![Categories](https://img.shields.io/badge/categories-9-blue)
-![CVEs](https://img.shields.io/badge/CVE_mappings-11-red)
-![OWASP](https://img.shields.io/badge/OWASP_Agentic_Top_10-100%25-brightgreen)
-![Status](https://img.shields.io/badge/status-RFC-yellow)
-![License](https://img.shields.io/badge/license-MIT-brightgreen)
+---
 
-> **Status: RFC (Request for Comments)** -- This is a draft proposal.
-> We're seeking feedback from the security community before stabilizing.
+## Table of Contents
+
+- [What is ATR? / 什麼是 ATR？](#what-is-atr)
+- [Quick Start / 快速開始](#quick-start)
+- [Design Principles / 設計原則](#design-principles)
+- [Rule Format / 規則格式](#rule-format)
+- [Agent Source Types / 事件來源類型](#agent-source-types)
+- [Coverage Map / 目前覆蓋範圍](#coverage-map)
+- [How to Use / 使用方式](#how-to-use)
+- [Engine Capabilities / 引擎能力](#engine-capabilities)
+- [Directory Structure / 目錄結構](#directory-structure)
+- [MCP Server / MCP 伺服器](#mcp-server)
+- [Three-Layer Detection / 三層偵測架構](#three-layer-detection)
+- [CLI Commands / CLI 指令](#cli-commands)
+- [Contributing / 參與貢獻](#contributing)
+- [Roadmap / 路線圖](#roadmap)
+- [Acknowledgments / 致謝](#acknowledgments)
+
+---
+
+## What is ATR?
+
+ATR (Agent Threat Rules) is a proposed open standard for writing detection rules specifically for AI agent threats. Think **"Sigma for AI Agents"** -- but we're just getting started.
+
+ATR 是一個提議中的開放標準，專門用來撰寫 AI Agent 威脅偵測規則。可以把它想像成 **AI Agent 版的 Sigma** -- 但我們才剛開始。
+
+ATR rules are YAML files that describe:
+
+| Aspect | Description | 說明 |
+|--------|-------------|------|
+| **What** to detect | Patterns in LLM I/O, tool calls, agent behaviors | LLM 輸入輸出、工具呼叫、Agent 行為中的異常模式 |
+| **How** to detect it | Regex patterns, behavioral thresholds, multi-step sequences | 正則匹配、行為閾值、多步驟序列偵測 |
+| **What to do** | Block, alert, quarantine, escalate | 阻擋、警報、隔離、升級處理 |
+| **How to test** | Built-in true positive and true negative test cases | 內建正反測試案例，確保規則品質 |
+
+> **Status: RFC (Request for Comments)** -- This is a draft proposal. The schema, rule format, and engine are all open for discussion. We're actively seeking feedback from the security community before stabilizing.
+>
+> 目前狀態：RFC（徵求意見）。Schema、規則格式、引擎都開放討論中。我們正在積極尋求安全社群的回饋。
+
+---
 
 ## Quick Start
 
+Clone, install, run tests -- three commands to explore what we have so far:
+三行指令，看看我們目前做到哪裡：
+
 ```bash
-# Clone and validate all rules
 git clone https://github.com/Agent-Threat-Rule/agent-threat-rules
 cd agent-threat-rules
 npm install && npm test
 ```
 
+Try the engine in your own project:
+在你的專案中試用 ATR 引擎：
+
 ```typescript
 import { ATREngine } from 'agent-threat-rules';
 
@@ -43,38 +121,32 @@ const matches = engine.evaluate({
 // => [{ rule: { id: 'ATR-2026-001', severity: 'high', ... }, confidence: 0.85 }]
 ```
 
-## What is ATR?
+Found a false positive? A missed detection? [Open an issue](https://github.com/Agent-Threat-Rule/agent-threat-rules/issues) -- that's exactly the kind of feedback we need.
 
-ATR (Agent Threat Rules) is a proposed open standard for writing detection
-rules specifically for AI agent threats. Think **"Sigma for AI Agents."**
+發現誤判？漏偵測？[開個 issue](https://github.com/Agent-Threat-Rule/agent-threat-rules/issues) 告訴我們 -- 這正是我們最需要的回饋。
 
-ATR rules are YAML files that describe:
-- **What** to detect (patterns in LLM I/O, tool calls, agent behaviors)
-- **How** to detect it (regex patterns, behavioral thresholds, multi-step sequences)
-- **What to do** when detected (block, alert, quarantine, escalate)
-- **How to test** the rule (built-in true positive and true negative test cases)
+---
 
-## Why Now?
+## Design Principles
 
-- MCP protocol enables tool use across all major AI frameworks
-- Millions of AI agents are deployed in production as of 2026
-- OWASP LLM Top 10 (2025) identifies risks but provides no executable detection rules
-- OWASP Agentic Top 10 (2026) defines agent-specific threats -- ATR is the first rule set to cover all 10
-- MITRE ATLAS catalogs AI attack techniques, but offers no detection format
-- Real CVEs for AI agents are accelerating: CVE-2025-53773 (Copilot RCE), CVE-2025-32711 (EchoLeak), CVE-2025-68143 (MCP server exploit)
-- Zero standardized, declarative formats exist for agent threat detection
+These are the principles guiding ATR's development. We think they're right, but we're open to being challenged:
 
-## Design Principles
+這些是 ATR 的設計原則。我們認為方向正確，但歡迎挑戰：
 
-1. **Sigma-compatible structure** -- Security teams already know YAML detection rules
-2. **Framework-agnostic** -- Works with LangChain, CrewAI, AutoGen, raw API calls
-3. **Actionable** -- Rules include response actions, not just detection
-4. **Testable** -- Every rule ships with true positive and true negative test cases
-5. **Community-driven** -- The format is open. The rules are contributed by everyone.
+| # | Principle | Description |
+|---|-----------|-------------|
+| 1 | **Sigma-compatible** | Security teams already know YAML detection rules / 安全團隊熟悉的 YAML 格式 |
+| 2 | **Framework-agnostic** | Works with LangChain, CrewAI, AutoGen, raw API calls / 不綁定任何框架 |
+| 3 | **Actionable** | Rules include response actions, not just detection / 規則包含回應動作 |
+| 4 | **Testable** | Every rule ships with true positive & true negative test cases / 每條規則附帶測試案例 |
+| 5 | **Community-driven** | The format is open. The rules are built by everyone. / 開源格式，社群共建 |
+
+---
 
 ## Rule Format
 
-Every ATR rule is a YAML file with the following structure:
+Every ATR rule is a YAML file. Here's a real example from our current rule set:
+每條 ATR 規則都是一個 YAML 檔案。以下是目前規則庫中的實際範例：
 
 ```yaml
 title: Direct Prompt Injection via User Input
@@ -124,10 +196,6 @@ detection:
 response:
   actions: [block_input, alert, snapshot]
   auto_response_threshold: high
-  message_template: |
-    [ATR] Prompt injection attempt detected
-    Rule: {rule_id}
-    Pattern: {matched_pattern}
 
 test_cases:
   true_positives:
@@ -138,10 +206,19 @@ test_cases:
       expected: not_triggered
 ```
 
-See `spec/atr-schema.yaml` for the full schema specification.
+Think a rule needs better patterns? See a detection gap? PRs and issues are welcome.
+覺得規則可以改進？看到偵測盲區？歡迎提交 PR 或 issue。
+
+See [`spec/atr-schema.yaml`](spec/atr-schema.yaml) for the full schema specification.
+
+---
 
 ## Agent Source Types
 
+ATR currently defines 10 event source types. This list will grow as the community identifies new attack surfaces:
+
+ATR 目前定義了 10 種事件來源。隨著社群發現新的攻擊面，這個列表會持續擴展：
+
 | Type | Description | Example Events |
 |------|-------------|----------------|
 | `llm_io` | LLM input/output | User prompts, agent responses |
@@ -155,14 +232,22 @@ See `spec/atr-schema.yaml` for the full schema specification.
 | `skill_permission` | Skill permission requests | Capability grants, scope changes |
 | `skill_chain` | Multi-skill execution chains | Sequential tool invocations across skills |
 
+> Missing a source type relevant to your framework? [Propose it](https://github.com/Agent-Threat-Rule/agent-threat-rules/issues).
+
+---
+
 ## Coverage Map
 
-### OWASP LLM Top 10 (2025) + OWASP Agentic Top 10 (2026)
+### Where We Are Today
+
+We currently have rules across 9 categories, mapped to OWASP and MITRE standards. There are gaps -- and we need help filling them.
+
+目前我們有 9 大類別的規則，對應到 OWASP 和 MITRE 標準。還有很多空白需要填補。
 
 | Attack Category | OWASP LLM | OWASP Agentic | MITRE ATLAS | Rules | Real CVEs |
 |---|---|---|---|---|---|
-| Prompt Injection | LLM01 | ASI01 | AML.T0051 | 5 | CVE-2025-53773, CVE-2025-32711, CVE-2026-24307 |
-| Tool Poisoning | LLM01/LLM05 | ASI02, ASI05 | AML.T0053 | 4 | CVE-2025-68143/68144/68145, CVE-2025-6514, CVE-2025-59536, CVE-2026-21852 |
+| Prompt Injection | LLM01 | ASI01 | AML.T0051 | 5 + 15 predicted | CVE-2025-53773, CVE-2025-32711, CVE-2026-24307 |
+| Tool Poisoning | LLM01/LLM05 | ASI02, ASI05 | AML.T0053 | 4 + 2 predicted | CVE-2025-68143/68144/68145, CVE-2025-6514, CVE-2025-59536, CVE-2026-21852 |
 | Context Exfiltration | LLM02/LLM07 | ASI01, ASI03, ASI06 | AML.T0056/T0057 | 3 | CVE-2025-32711, CVE-2026-24307 |
 | Agent Manipulation | LLM01/LLM06 | ASI01, ASI10 | AML.T0043 | 3 | -- |
 | Privilege Escalation | LLM06 | ASI03 | AML.T0050 | 2 | CVE-2026-0628 |
@@ -171,11 +256,15 @@ See `spec/atr-schema.yaml` for the full schema specification.
 | Data Poisoning | LLM04 | ASI06 | AML.T0020 | 1 | -- |
 | Model Security | LLM03 | ASI04 | AML.T0044 | 2 | -- |
 
-**Total: 29 rules, 11 unique CVEs, 100% OWASP Agentic Top 10 coverage**
+**49 total rules** (32 stable + 17 AI-predicted drafts). Categories like Data Poisoning and Excessive Autonomy have minimal coverage. If you have expertise in these areas, your contributions would be especially valuable.
+
+**49 條規則**（32 條穩定 + 17 條 AI 預測草案）。像 Data Poisoning 和 Excessive Autonomy 這些類別的覆蓋率還很低。如果你在這些領域有專長，你的貢獻會特別有價值。
+
+---
 
 ## How to Use
 
-### Standalone (TypeScript reference engine)
+### TypeScript (reference engine)
 
 ```typescript
 import { ATREngine } from 'agent-threat-rules';
@@ -206,36 +295,17 @@ for rule_file in rules_dir.rglob("*.yaml"):
     print(f"{rule['id']}: {rule['title']} ({rule['severity']})")
 ```
 
-## Directory Structure
+> We'd love to see integrations with more languages and frameworks. If you build one, let us know.
+>
+> 我們期待看到更多語言和框架的整合。如果你做了一個，請告訴我們。
 
-```
-agent-threat-rules/
-  spec/
-    atr-schema.yaml          # Full schema specification
-  rules/
-    prompt-injection/         # 5 rules
-    tool-poisoning/           # 4 rules
-    context-exfiltration/     # 3 rules
-    agent-manipulation/       # 3 rules
-    privilege-escalation/     # 2 rules
-    excessive-autonomy/       # 2 rules
-    skill-compromise/         # 7 rules
-    data-poisoning/           # 1 rule
-    model-security/           # 2 rules
-  tests/
-    validate-rules.ts         # Schema validation for all rules
-  examples/
-    how-to-write-a-rule.md    # Guide for rule authors
-  src/
-    engine.ts                 # ATR evaluation engine
-    session-tracker.ts        # Behavioral session state tracking
-    loader.ts                 # YAML rule loader
-    types.ts                  # TypeScript type definitions
-```
+---
 
 ## Engine Capabilities
 
-The reference engine (`src/engine.ts`) supports:
+The reference engine (`src/engine.ts`) is functional but far from complete:
+
+參考引擎可以運作，但離完善還有很長的路：
 
 | Operator | Status | Description |
 |----------|--------|-------------|
@@ -251,49 +321,241 @@ The reference engine (`src/engine.ts`) supports:
 | `sequence` (ordered) | Partial | Checks pattern co-occurrence, not strict ordering |
 | `behavioral_drift` | Planned | ML-based behavioral baseline comparison |
 
-All 29 current rules use only implemented operators and produce matches correctly.
+The `sequence` operator and `behavioral_drift` detection are areas where we'd especially welcome contributions.
+
+`sequence` 運算子和 `behavioral_drift` 偵測是我們特別歡迎貢獻的方向。
+
+---
+
+## MCP Server
+
+ATR ships with a built-in MCP (Model Context Protocol) server, enabling direct integration with Claude Code, Cursor, Windsurf, and other MCP-compatible AI tools.
+
+ATR 內建 MCP 伺服器，可直接整合 Claude Code、Cursor、Windsurf 等支援 MCP 的 AI 工具。
+
+```bash
+# Start MCP server (stdio transport)
+npx agent-threat-rules mcp
+```
 
-Contributions to extend the engine are welcome -- see [CONTRIBUTING.md](CONTRIBUTING.md).
+Add to your MCP client config (e.g. `claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "atr": {
+      "command": "npx",
+      "args": ["agent-threat-rules", "mcp"]
+    }
+  }
+}
+```
+
+| Tool | Description | 說明 |
+|------|-------------|------|
+| `atr_scan` | Scan text for threats in real-time | 即時掃描文字威脅 |
+| `atr_list_rules` | Browse and filter rules | 瀏覽和篩選規則 |
+| `atr_validate_rule` | Validate rule YAML | 驗證規則 YAML |
+| `atr_submit_proposal` | Generate draft rule from description | 從描述生成草案規則 |
+| `atr_coverage_gaps` | Analyze OWASP/MITRE coverage gaps | 分析 OWASP/MITRE 覆蓋缺口 |
+| `atr_threat_summary` | Get threat intelligence by category | 按類別取得威脅情報 |
+
+---
+
+## Three-Layer Detection
+
+ATR uses a layered detection architecture. Each layer catches what the previous layer misses.
+
+ATR 使用分層偵測架構。每一層捕捉前一層遺漏的威脅。
+
+| Layer | Method | Latency | Status |
+|-------|--------|---------|--------|
+| **Layer 1** | Regex pattern matching | < 1ms | v0.1 shipped |
+| **Layer 2** | Behavioral fingerprinting + drift detection | < 10ms | v0.2 shipped |
+| **Layer 3** | AI semantic analysis (LLM-as-judge) | ~1-5s | v0.2 shipped |
+
+```typescript
+import { ATREngine, SemanticModule, SkillFingerprintStore } from 'agent-threat-rules';
+
+// Layer 1: Pattern matching (always on)
+const engine = new ATREngine({ rulesDir: './rules' });
+await engine.loadRules();
+
+// Layer 2: Behavioral fingerprinting
+const fingerprints = new SkillFingerprintStore();
+
+// Layer 3: AI semantic analysis (optional, requires API key)
+const semantic = new SemanticModule({
+  apiUrl: 'https://api.anthropic.com',
+  apiKey: process.env.LLM_API_KEY!,
+  model: 'claude-sonnet-4-20250514',
+});
+```
+
+A MiroFish swarm intelligence simulation (14 AI agents, 40 rounds) predicted:
+- **30-40%** detection rate with Layer 1 alone
+- **70-80%** detection rate with all three layers combined
+
+MiroFish 群體智慧模擬（14 個 AI agents，40 輪）預測：靜態規則匹配只有 30-40% 偵測率，三層架構可達 70-80%。
+
+See [THREAT-MODEL.md](THREAT-MODEL.md) for detailed analysis and known bypass techniques.
+
+---
+
+## CLI Commands
+
+```bash
+# Scan agent events for threats
+atr scan events.json
+
+# Validate rule files
+atr validate rules/
+
+# Run embedded test cases
+atr test rules/
+
+# Show rule collection statistics
+atr stats
+
+# Start MCP server
+atr mcp
+
+# Interactive rule scaffolding
+atr scaffold
+```
+
+All commands support `--json` output for CI/CD integration.
+所有指令支援 `--json` 輸出，方便 CI/CD 整合。
+
+---
+
+## Directory Structure
+
+```
+agent-threat-rules/
+  spec/
+    atr-schema.yaml             # Schema specification (evolving)
+  rules/
+    prompt-injection/            # Prompt injection (5 stable + 15 predicted)
+    tool-poisoning/              # Tool poisoning (4 stable + 2 predicted)
+    context-exfiltration/        # Context exfiltration (3 rules)
+    agent-manipulation/          # Agent manipulation (3 rules)
+    privilege-escalation/        # Privilege escalation (2 rules)
+    excessive-autonomy/          # Excessive autonomy (2 rules)
+    skill-compromise/            # Skill supply chain (7 rules)
+    data-poisoning/              # Data poisoning (1 rule, needs more)
+    model-security/              # Model security (2 rules, needs more)
+  src/
+    engine.ts                    # ATR evaluation engine (Layer 1)
+    session-tracker.ts           # Behavioral session tracking
+    skill-fingerprint.ts         # Skill fingerprint store (Layer 2)
+    modules/
+      semantic.ts                # LLM-as-judge module (Layer 3)
+      session.ts                 # Session analysis module
+      index.ts                   # Module registry
+    mcp-server.ts                # MCP server (stdio transport)
+    mcp-tools/                   # 6 MCP tool implementations
+    rule-scaffolder.ts           # Interactive rule generator
+    coverage-analyzer.ts         # OWASP/MITRE gap analyzer
+    cli.ts                       # CLI interface
+    loader.ts                    # YAML rule loader
+    types.ts                     # TypeScript type definitions
+  docs/
+    quick-start.md               # 5-minute getting started guide
+    rule-writing-guide.md        # How to write ATR rules
+    contribution-paths.md        # 3 ways to contribute rules
+    mirofish-prediction-guide.md # AI-predicted rule workflow
+    schema-spec.md               # Full schema specification
+  tests/
+    engine.test.ts               # Engine unit tests
+    attack-corpus.test.ts        # Attack pattern corpus tests
+    session-tracker.test.ts      # Session tracker tests
+    validate-rules.ts            # Schema validation for all rules
+```
+
+---
 
 ## Contributing
 
-ATR is MIT-licensed. Contributing requires a text editor, a YAML file,
-and `npx agent-threat-rules test`. No vendor infrastructure needed.
+ATR is only as good as the community behind it. We're looking for people who care about AI security -- whether you have 10 years of experience or 10 minutes of curiosity.
+
+ATR 的價值取決於背後的社群。我們在尋找關心 AI 安全的人 -- 不論你有十年經驗還是十分鐘的好奇心。
+
+| Role | How you can help |
+|------|------------------|
+| **Security Researchers** | Submit new detection rules via PR / 透過 PR 提交新偵測規則 |
+| **AI Framework Developers** | Help improve the `agent_source` spec / 協助改進事件來源規格 |
+| **Red Teamers** | Submit attack patterns you've discovered / 提交你發現的攻擊模式 |
+| **Anyone** | Review existing rules, report false positives, challenge our assumptions / 審查規則、回報誤判、挑戰我們的假設 |
+
+Your first PR doesn't have to be a new rule. Fixing a typo, improving a regex, or adding a test case -- it all counts.
 
-Three ways to contribute, from lowest friction:
+你的第一個 PR 不一定要是新規則。修正錯字、改進正則、新增測試案例 -- 都算貢獻。
 
-1. **Report an evasion** (~15 min) -- Found a bypass? File an issue. Every confirmed evasion becomes a test case.
-2. **Report a false positive** (~20 min) -- Rule triggered on legitimate content? Let us know.
-3. **Submit a new rule** (1-2 hrs) -- Write a YAML detection rule for an attack pattern you have discovered.
+**Three ways to contribute rules / 三種貢獻規則的方式：**
+1. **Manual** -- Write rules from your own security research
+2. **AI-Predicted** -- Generate candidate rules from threat simulations
+3. **Detection-Driven** -- Auto-draft rules from real-world anomalies
 
-See [CONTRIBUTING.md](./CONTRIBUTING.md) for details.
+See [CONTRIBUTING.md](./CONTRIBUTING.md) and [docs/contribution-paths.md](docs/contribution-paths.md) for detailed guidelines.
+
+---
 
 ## Adopters
 
-Organizations and projects using ATR. Add yours via PR.
+Organizations and projects using or evaluating ATR. We'd love to know how you use it.
+使用或評估 ATR 的組織與專案。我們很想知道你怎麼用它。
 
 | Project | How they use ATR |
 |---------|-----------------|
-| *Your project here* | [Submit a PR](./CONTRIBUTING.md) |
+| *Your project here* | [Tell us](https://github.com/Agent-Threat-Rule/agent-threat-rules/issues) |
+
+---
 
 ## Roadmap
 
-- [x] v0.1 -- 29 rules, 9 categories, TypeScript engine, OWASP Agentic Top 10 coverage
-- [ ] v0.2 -- Community-contributed rules, Python reference engine
-- [ ] v0.3 -- Auto-generation from Threat Cloud telemetry
-- [ ] v1.0 -- Stable schema, multi-framework validation
+Where we are and where we're headed -- subject to change based on community input:
+
+我們的現狀和方向 -- 會根據社群回饋調整：
+
+- [x] **v0.1** -- 32 rules, TypeScript engine, OWASP Agentic Top 10 coverage, session tracking
+- [x] **v0.2** -- MCP server (6 tools), Layer 3 semantic detection, 17 AI-predicted rules, skill fingerprinting, rule scaffolder, coverage analyzer, contribution pipeline, 5 documentation guides
+- [ ] **v0.3** -- Embedding similarity detection (Layer 2.5), Python reference engine, multi-language rule patterns
+- [ ] **v1.0** -- Stable schema, multi-framework validation, broad adoption
+
+> Have thoughts on what v1.0 should look like? [Join the discussion](https://github.com/Agent-Threat-Rule/agent-threat-rules/issues).
+
+---
 
 ## Acknowledgments
 
-ATR is inspired by:
-- [Sigma](https://github.com/SigmaHQ/sigma) by Florian Roth and the Sigma community
-- [OWASP LLM Top 10 (2025)](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
-- [OWASP Top 10 for Agentic Applications (2026)](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)
-- [MITRE ATLAS](https://atlas.mitre.org/)
-- [NVIDIA Garak](https://github.com/NVIDIA/garak)
-- [Invariant Labs](https://invariantlabs.ai/) -- guardrails and MCP security research
-- [Meta LlamaFirewall](https://ai.meta.com/research/publications/llamafirewall-an-open-source-guardrail-system-for-building-secure-ai-agents/) -- open-source agent guardrails
+ATR builds on the shoulders of these foundational projects:
+ATR 站在這些基礎專案的肩膀上：
+
+- [Sigma](https://github.com/SigmaHQ/sigma) -- Generic signature format for SIEM systems
+- [OWASP LLM Top 10 (2025)](https://owasp.org/www-project-top-10-for-large-language-model-applications/) -- LLM application security risks
+- [OWASP Top 10 for Agentic Applications (2026)](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) -- Agent-specific threats
+- [MITRE ATLAS](https://atlas.mitre.org/) -- Adversarial threat landscape for AI systems
+- [NVIDIA Garak](https://github.com/NVIDIA/garak) -- LLM vulnerability scanner
+- [Invariant Labs](https://invariantlabs.ai/) -- Guardrails and MCP security research
+- [Meta LlamaFirewall](https://ai.meta.com/research/publications/llamafirewall-an-open-source-guardrail-system-for-building-secure-ai-agents/) -- Open-source agent guardrails
+
+---
 
 ## License
 
 MIT -- Use it, modify it, build on it.
+
+---
+
+<div align="center">
+
+**ATR is early, imperfect, and open. That's the point.**
+
+ATR 還在早期，還不完美，而且完全開放。這正是重點。
+
+If AI agents are going to be safe, the detection standard can't belong to any single company. It has to be built together.
+
+[![Star History Chart](https://api.star-history.com/svg?repos=Agent-Threat-Rule/agent-threat-rules&type=Date)](https://star-history.com/#Agent-Threat-Rule/agent-threat-rules&Date)
+
+</div>