agent-threat-rules 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +299 -0
  3. package/dist/cli.d.ts +12 -0
  4. package/dist/cli.d.ts.map +1 -0
  5. package/dist/cli.js +544 -0
  6. package/dist/cli.js.map +1 -0
  7. package/dist/engine.d.ts +127 -0
  8. package/dist/engine.d.ts.map +1 -0
  9. package/dist/engine.js +636 -0
  10. package/dist/engine.js.map +1 -0
  11. package/dist/index.d.ts +18 -0
  12. package/dist/index.d.ts.map +1 -0
  13. package/dist/index.js +14 -0
  14. package/dist/index.js.map +1 -0
  15. package/dist/loader.d.ts +21 -0
  16. package/dist/loader.d.ts.map +1 -0
  17. package/dist/loader.js +124 -0
  18. package/dist/loader.js.map +1 -0
  19. package/dist/modules/index.d.ts +143 -0
  20. package/dist/modules/index.d.ts.map +1 -0
  21. package/dist/modules/index.js +80 -0
  22. package/dist/modules/index.js.map +1 -0
  23. package/dist/modules/session.d.ts +70 -0
  24. package/dist/modules/session.d.ts.map +1 -0
  25. package/dist/modules/session.js +128 -0
  26. package/dist/modules/session.js.map +1 -0
  27. package/dist/session-tracker.d.ts +56 -0
  28. package/dist/session-tracker.d.ts.map +1 -0
  29. package/dist/session-tracker.js +175 -0
  30. package/dist/session-tracker.js.map +1 -0
  31. package/dist/types.d.ts +129 -0
  32. package/dist/types.d.ts.map +1 -0
  33. package/dist/types.js +6 -0
  34. package/dist/types.js.map +1 -0
  35. package/package.json +71 -0
  36. package/rules/agent-manipulation/ATR-2026-030-cross-agent-attack.yaml +175 -0
  37. package/rules/agent-manipulation/ATR-2026-032-goal-hijacking.yaml +135 -0
  38. package/rules/agent-manipulation/ATR-2026-074-cross-agent-privilege-escalation.yaml +115 -0
  39. package/rules/agent-manipulation/ATR-2026-076-inter-agent-message-spoofing.yaml +165 -0
  40. package/rules/agent-manipulation/ATR-2026-077-human-trust-exploitation.yaml +144 -0
  41. package/rules/context-exfiltration/ATR-2026-020-system-prompt-leak.yaml +175 -0
  42. package/rules/context-exfiltration/ATR-2026-021-api-key-exposure.yaml +176 -0
  43. package/rules/context-exfiltration/ATR-2026-075-agent-memory-manipulation.yaml +115 -0
  44. package/rules/data-poisoning/ATR-2026-070-data-poisoning.yaml +160 -0
  45. package/rules/excessive-autonomy/ATR-2026-050-runaway-agent-loop.yaml +134 -0
  46. package/rules/excessive-autonomy/ATR-2026-051-resource-exhaustion.yaml +137 -0
  47. package/rules/excessive-autonomy/ATR-2026-052-cascading-failure.yaml +153 -0
  48. package/rules/model-security/ATR-2026-072-model-behavior-extraction.yaml +115 -0
  49. package/rules/model-security/ATR-2026-073-malicious-finetuning-data.yaml +108 -0
  50. package/rules/privilege-escalation/ATR-2026-040-privilege-escalation.yaml +175 -0
  51. package/rules/privilege-escalation/ATR-2026-041-scope-creep.yaml +124 -0
  52. package/rules/prompt-injection/ATR-2026-001-direct-prompt-injection.yaml +265 -0
  53. package/rules/prompt-injection/ATR-2026-002-indirect-prompt-injection.yaml +214 -0
  54. package/rules/prompt-injection/ATR-2026-003-jailbreak-attempt.yaml +250 -0
  55. package/rules/prompt-injection/ATR-2026-004-system-prompt-override.yaml +204 -0
  56. package/rules/prompt-injection/ATR-2026-005-multi-turn-injection.yaml +181 -0
  57. package/rules/skill-compromise/ATR-2026-060-skill-impersonation.yaml +153 -0
  58. package/rules/skill-compromise/ATR-2026-061-description-behavior-mismatch.yaml +98 -0
  59. package/rules/skill-compromise/ATR-2026-062-hidden-capability.yaml +96 -0
  60. package/rules/skill-compromise/ATR-2026-063-skill-chain-attack.yaml +96 -0
  61. package/rules/skill-compromise/ATR-2026-064-over-permissioned-skill.yaml +115 -0
  62. package/rules/skill-compromise/ATR-2026-065-skill-update-attack.yaml +93 -0
  63. package/rules/skill-compromise/ATR-2026-066-parameter-injection.yaml +106 -0
  64. package/rules/tool-poisoning/ATR-2026-010-mcp-malicious-response.yaml +237 -0
  65. package/rules/tool-poisoning/ATR-2026-011-tool-output-injection.yaml +185 -0
  66. package/rules/tool-poisoning/ATR-2026-012-unauthorized-tool-call.yaml +190 -0
  67. package/rules/tool-poisoning/ATR-2026-013-tool-ssrf.yaml +208 -0
  68. package/spec/atr-schema.yaml +375 -0
package/dist/engine.d.ts ADDED
@@ -0,0 +1,127 @@
1
+ /**
2
+ * ATR Engine - Evaluates agent events against ATR rules
3
+ *
4
+ * Core detection engine that:
5
+ * 1. Loads ATR YAML rules from disk
6
+ * 2. Evaluates agent events (LLM I/O, tool calls, behaviors) against rules
7
+ * 3. Returns matched rules with confidence scores
8
+ * 4. Supports two condition formats:
9
+ * - Array format: conditions is an array of {field, operator, value} objects
10
+ * - Named format: conditions is an object map of named condition blocks
11
+ *
12
+ * @module agent-threat-rules/engine
13
+ */
14
+ import type { ATRRule, ATRMatch, AgentEvent } from './types.js';
15
+ import type { SessionTracker } from './session-tracker.js';
16
+ export interface ATREngineConfig {
17
+ /** Directory containing ATR rule YAML files */
18
+ rulesDir?: string;
19
+ /** Pre-loaded rules (for testing or embedding) */
20
+ rules?: ATRRule[];
21
+ /** Enable hot-reload of rule files */
22
+ hotReload?: boolean;
23
+ /** Optional session tracker for behavioral detection across events */
24
+ sessionTracker?: SessionTracker;
25
+ }
26
+ export declare class ATREngine {
27
+ private readonly config;
28
+ private rules;
29
+ private readonly compiledPatterns;
30
+ constructor(config?: ATREngineConfig);
31
+ /**
32
+ * Load rules from configured directory and/or pre-loaded rules.
33
+ */
34
+ loadRules(): Promise<number>;
35
+ /**
36
+ * Load a single rule file and add it to the engine.
37
+ */
38
+ addRuleFile(filePath: string): void;
39
+ /**
40
+ * Add a pre-parsed rule to the engine.
41
+ */
42
+ addRule(rule: ATRRule): void;
43
+ /**
44
+ * Evaluate an agent event against all loaded ATR rules.
45
+ * Returns all matching rules with details.
46
+ */
47
+ evaluate(event: AgentEvent): ATRMatch[];
48
+ /**
49
+ * Evaluate a single rule against an event.
50
+ * Supports both array-format and named-map-format conditions.
51
+ */
52
+ private evaluateRule;
53
+ /**
54
+ * Evaluate array-format conditions: [{field, operator, value}, ...]
55
+ * with condition: "any" | "all"
56
+ */
57
+ private evaluateArrayConditions;
58
+ /**
59
+ * Evaluate a single array-format condition {field, operator, value}.
60
+ */
61
+ private evaluateArrayCondition;
62
+ /**
63
+ * Evaluate named-map-format conditions: {name: {field, patterns, match_type}, ...}
64
+ * with condition: "name1 AND name2" | "name1 OR name2" | "name1"
65
+ */
66
+ private evaluateNamedConditions;
67
+ /**
68
+ * Evaluate a single named condition against an event.
69
+ */
70
+ private evaluateNamedCondition;
71
+ /**
72
+ * Evaluate a pattern matching condition (named format with patterns array).
73
+ */
74
+ private evaluatePatternCondition;
75
+ /**
76
+ * Evaluate a behavioral threshold condition.
77
+ * When a session tracker is available and the event has a sessionId,
78
+ * supports session-derived metrics: call_frequency, pattern_frequency, event_count.
79
+ */
80
+ private evaluateBehavioralCondition;
81
+ /**
82
+ * Resolve a metric value from event metrics or session tracker.
83
+ * Session-derived metrics use the format: "call_frequency:toolName" or "pattern_frequency:pattern".
84
+ */
85
+ private resolveMetricValue;
86
+ /**
87
+ * Parse a window string (e.g. "5m", "1h", "30s") to milliseconds.
88
+ * Defaults to 5 minutes if not specified or unparseable.
89
+ */
90
+ private parseWindowMs;
91
+ /**
92
+ * Evaluate a sequence condition against the current event.
93
+ *
94
+ * Limitation (v0.1): This checks whether patterns from multiple steps
95
+ * co-occur in the current event's content. It does NOT track ordered
96
+ * execution across separate events or enforce time windows.
97
+ * Full session-aware sequence detection is planned for v0.2.
98
+ */
99
+ private evaluateSequenceCondition;
100
+ /**
101
+ * Resolve a field value from an agent event.
102
+ */
103
+ private resolveField;
104
+ /**
105
+ * Evaluate a boolean expression string against condition results.
106
+ * Supports AND, OR, NOT operators.
107
+ */
108
+ private evaluateExpression;
109
+ /**
110
+ * Split expression by operator, respecting parentheses.
111
+ */
112
+ private splitByOperator;
113
+ /**
114
+ * Pre-compile regex patterns for a rule (performance optimization).
115
+ * Supports both array-format and named-map-format conditions.
116
+ */
117
+ private compilePatterns;
118
+ /** Get loaded rule count */
119
+ getRuleCount(): number;
120
+ /** Get all loaded rules */
121
+ getRules(): readonly ATRRule[];
122
+ /** Get a rule by ID */
123
+ getRuleById(id: string): ATRRule | undefined;
124
+ /** Get rules by category */
125
+ getRulesByCategory(category: string): ATRRule[];
126
+ }
127
+ //# sourceMappingURL=engine.d.ts.map
package/dist/engine.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGX,MAAM,YAAY,CAAC;AAEpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAsB3D,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sCAAsC;IACtC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,qBAAa,SAAS;IAIR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;gBAEhD,MAAM,GAAE,eAAoB;IAEzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IAyBlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;IAwCvC;;;OAGG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAuC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAoE9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAmC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAqEhC;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IA8BjC;;OAEG;IACH,OAAO,CAAC,YAAY;IAgCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAkDvB,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;CAGhD"}