agent-threat-rules 0.4.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +161 -52
- package/package.json +3 -1
- package/rules/agent-manipulation/{ATR-2026-030-cross-agent-attack.yaml → ATR-2026-00030-cross-agent-attack.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-032-goal-hijacking.yaml → ATR-2026-00032-goal-hijacking.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-074-cross-agent-privilege-escalation.yaml → ATR-2026-00074-cross-agent-privilege-escalation.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-076-inter-agent-message-spoofing.yaml → ATR-2026-00076-inter-agent-message-spoofing.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-077-human-trust-exploitation.yaml → ATR-2026-00077-human-trust-exploitation.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-108-consensus-sybil-attack.yaml → ATR-2026-00108-consensus-sybil-attack.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-116-a2a-message-validation.yaml → ATR-2026-00116-a2a-message-validation.yaml} +4 -2
- package/rules/agent-manipulation/{ATR-2026-117-agent-identity-spoofing.yaml → ATR-2026-00117-agent-identity-spoofing.yaml} +4 -2
- package/rules/agent-manipulation/{ATR-2026-118-approval-fatigue.yaml → ATR-2026-00118-approval-fatigue.yaml} +3 -1
- package/rules/agent-manipulation/{ATR-2026-119-social-engineering-via-agent.yaml → ATR-2026-00119-social-engineering-via-agent.yaml} +3 -1
- package/rules/agent-manipulation/ATR-2026-00132-casual-authority-escalation.yaml +105 -0
- package/rules/agent-manipulation/ATR-2026-00139-casual-authority-redirect.yaml +53 -0
- package/rules/context-exfiltration/{ATR-2026-020-system-prompt-leak.yaml → ATR-2026-00020-system-prompt-leak.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-021-api-key-exposure.yaml → ATR-2026-00021-api-key-exposure.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-075-agent-memory-manipulation.yaml → ATR-2026-00075-agent-memory-manipulation.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-102-disguised-analytics-exfiltration.yaml → ATR-2026-00102-disguised-analytics-exfiltration.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-113-credential-theft.yaml → ATR-2026-00113-credential-theft.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-114-oauth-token-abuse.yaml → ATR-2026-00114-oauth-token-abuse.yaml} +3 -1
- package/rules/context-exfiltration/{ATR-2026-115-env-var-harvesting.yaml → ATR-2026-00115-env-var-harvesting.yaml} +3 -1
- package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml +100 -0
- package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +52 -0
- package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +55 -0
- package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +49 -0
- package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +49 -0
- package/rules/data-poisoning/{ATR-2026-070-data-poisoning.yaml → ATR-2026-00070-data-poisoning.yaml} +3 -1
- package/rules/excessive-autonomy/{ATR-2026-050-runaway-agent-loop.yaml → ATR-2026-00050-runaway-agent-loop.yaml} +3 -1
- package/rules/excessive-autonomy/{ATR-2026-051-resource-exhaustion.yaml → ATR-2026-00051-resource-exhaustion.yaml} +3 -1
- package/rules/excessive-autonomy/{ATR-2026-052-cascading-failure.yaml → ATR-2026-00052-cascading-failure.yaml} +3 -1
- package/rules/excessive-autonomy/{ATR-2026-098-unauthorized-financial-action.yaml → ATR-2026-00098-unauthorized-financial-action.yaml} +3 -1
- package/rules/excessive-autonomy/{ATR-2026-099-high-risk-tool-gate.yaml → ATR-2026-00099-high-risk-tool-gate.yaml} +3 -1
- package/rules/model-security/{ATR-2026-072-model-behavior-extraction.yaml → ATR-2026-00072-model-behavior-extraction.yaml} +3 -1
- package/rules/model-security/{ATR-2026-073-malicious-finetuning-data.yaml → ATR-2026-00073-malicious-finetuning-data.yaml} +3 -1
- package/rules/privilege-escalation/{ATR-2026-040-privilege-escalation.yaml → ATR-2026-00040-privilege-escalation.yaml} +3 -1
- package/rules/privilege-escalation/{ATR-2026-041-scope-creep.yaml → ATR-2026-00041-scope-creep.yaml} +3 -1
- package/rules/privilege-escalation/{ATR-2026-107-delayed-execution-bypass.yaml → ATR-2026-00107-delayed-execution-bypass.yaml} +3 -1
- package/rules/privilege-escalation/{ATR-2026-110-eval-injection.yaml → ATR-2026-00110-eval-injection.yaml} +3 -1
- package/rules/privilege-escalation/{ATR-2026-111-shell-escape.yaml → ATR-2026-00111-shell-escape.yaml} +5 -3
- package/rules/privilege-escalation/{ATR-2026-112-dynamic-import-exploitation.yaml → ATR-2026-00112-dynamic-import-exploitation.yaml} +3 -1
- package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml +53 -0
- package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +49 -0
- package/rules/prompt-injection/{ATR-2026-001-direct-prompt-injection.yaml → ATR-2026-00001-direct-prompt-injection.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-002-indirect-prompt-injection.yaml → ATR-2026-00002-indirect-prompt-injection.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-003-jailbreak-attempt.yaml → ATR-2026-00003-jailbreak-attempt.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-004-system-prompt-override.yaml → ATR-2026-00004-system-prompt-override.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-005-multi-turn-injection.yaml → ATR-2026-00005-multi-turn-injection.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-080-encoding-evasion.yaml → ATR-2026-00080-encoding-evasion.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-081-semantic-multi-turn.yaml → ATR-2026-00081-semantic-multi-turn.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-082-fingerprint-evasion.yaml → ATR-2026-00082-fingerprint-evasion.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-083-indirect-tool-injection.yaml → ATR-2026-00083-indirect-tool-injection.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-084-structured-data-injection.yaml → ATR-2026-00084-structured-data-injection.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-085-audit-evasion.yaml → ATR-2026-00085-audit-evasion.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-086-visual-spoofing.yaml → ATR-2026-00086-visual-spoofing.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-087-rule-probing.yaml → ATR-2026-00087-rule-probing.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-088-adaptive-countermeasure.yaml → ATR-2026-00088-adaptive-countermeasure.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-089-polymorphic-skill.yaml → ATR-2026-00089-polymorphic-skill.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-090-threat-intel-exfil.yaml → ATR-2026-00090-threat-intel-exfil.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-091-nested-payload.yaml → ATR-2026-00091-nested-payload.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-092-consensus-poisoning.yaml → ATR-2026-00092-consensus-poisoning.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-093-gradual-escalation.yaml → ATR-2026-00093-gradual-escalation.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-094-audit-bypass.yaml → ATR-2026-00094-audit-bypass.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-097-cjk-injection-patterns.yaml → ATR-2026-00097-cjk-injection-patterns.yaml} +3 -1
- package/rules/prompt-injection/{ATR-2026-104-persona-hijacking.yaml → ATR-2026-00104-persona-hijacking.yaml} +3 -1
- package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +103 -0
- package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +99 -0
- package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +117 -0
- package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +52 -0
- package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +51 -0
- package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +52 -0
- package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +71 -0
- package/rules/skill-compromise/{ATR-2026-060-skill-impersonation.yaml → ATR-2026-00060-skill-impersonation.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-061-description-behavior-mismatch.yaml → ATR-2026-00061-description-behavior-mismatch.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-062-hidden-capability.yaml → ATR-2026-00062-hidden-capability.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-063-skill-chain-attack.yaml → ATR-2026-00063-skill-chain-attack.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-064-over-permissioned-skill.yaml → ATR-2026-00064-over-permissioned-skill.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-065-skill-update-attack.yaml → ATR-2026-00065-skill-update-attack.yaml} +3 -1
- package/rules/skill-compromise/{ATR-2026-066-parameter-injection.yaml → ATR-2026-00066-parameter-injection.yaml} +3 -1
- package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +121 -0
- package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +165 -0
- package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +114 -0
- package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +118 -0
- package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +98 -0
- package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +93 -0
- package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +99 -0
- package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +74 -0
- package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +79 -0
- package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +73 -0
- package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +93 -0
- package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +82 -0
- package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +48 -0
- package/rules/tool-poisoning/{ATR-2026-010-mcp-malicious-response.yaml → ATR-2026-00010-mcp-malicious-response.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-011-tool-output-injection.yaml → ATR-2026-00011-tool-output-injection.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-012-unauthorized-tool-call.yaml → ATR-2026-00012-unauthorized-tool-call.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-013-tool-ssrf.yaml → ATR-2026-00013-tool-ssrf.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-095-supply-chain-poisoning.yaml → ATR-2026-00095-supply-chain-poisoning.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-096-registry-poisoning.yaml → ATR-2026-00096-registry-poisoning.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-100-consent-bypass-instruction.yaml → ATR-2026-00100-consent-bypass-instruction.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-101-trust-escalation-override.yaml → ATR-2026-00101-trust-escalation-override.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-103-hidden-safety-bypass-instruction.yaml → ATR-2026-00103-hidden-safety-bypass-instruction.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-105-silent-action-concealment.yaml → ATR-2026-00105-silent-action-concealment.yaml} +3 -1
- package/rules/tool-poisoning/{ATR-2026-106-schema-description-contradiction.yaml → ATR-2026-00106-schema-description-contradiction.yaml} +3 -1
- package/spec/atr-schema.yaml +32 -3
- package/dist/action-executor.d.ts +0 -44
- package/dist/action-executor.d.ts.map +0 -1
- package/dist/action-executor.js +0 -130
- package/dist/action-executor.js.map +0 -1
- package/dist/adapters/default-adapter.d.ts +0 -24
- package/dist/adapters/default-adapter.d.ts.map +0 -1
- package/dist/adapters/default-adapter.js +0 -51
- package/dist/adapters/default-adapter.js.map +0 -1
- package/dist/adapters/stdio-adapter.d.ts +0 -30
- package/dist/adapters/stdio-adapter.d.ts.map +0 -1
- package/dist/adapters/stdio-adapter.js +0 -128
- package/dist/adapters/stdio-adapter.js.map +0 -1
- package/dist/badge.d.ts +0 -42
- package/dist/badge.d.ts.map +0 -1
- package/dist/badge.js +0 -158
- package/dist/badge.js.map +0 -1
- package/dist/capability-extractor.d.ts +0 -35
- package/dist/capability-extractor.d.ts.map +0 -1
- package/dist/capability-extractor.js +0 -91
- package/dist/capability-extractor.js.map +0 -1
- package/dist/cli.d.ts +0 -12
- package/dist/cli.d.ts.map +0 -1
- package/dist/cli.js +0 -892
- package/dist/cli.js.map +0 -1
- package/dist/converters/elastic.d.ts +0 -36
- package/dist/converters/elastic.d.ts.map +0 -1
- package/dist/converters/elastic.js +0 -125
- package/dist/converters/elastic.js.map +0 -1
- package/dist/converters/index.d.ts +0 -28
- package/dist/converters/index.d.ts.map +0 -1
- package/dist/converters/index.js +0 -36
- package/dist/converters/index.js.map +0 -1
- package/dist/converters/splunk.d.ts +0 -19
- package/dist/converters/splunk.d.ts.map +0 -1
- package/dist/converters/splunk.js +0 -148
- package/dist/converters/splunk.js.map +0 -1
- package/dist/coverage-analyzer.d.ts +0 -43
- package/dist/coverage-analyzer.d.ts.map +0 -1
- package/dist/coverage-analyzer.js +0 -329
- package/dist/coverage-analyzer.js.map +0 -1
- package/dist/embedding/build-corpus.d.ts +0 -15
- package/dist/embedding/build-corpus.d.ts.map +0 -1
- package/dist/embedding/build-corpus.js +0 -105
- package/dist/embedding/build-corpus.js.map +0 -1
- package/dist/embedding/model-loader.d.ts +0 -41
- package/dist/embedding/model-loader.d.ts.map +0 -1
- package/dist/embedding/model-loader.js +0 -90
- package/dist/embedding/model-loader.js.map +0 -1
- package/dist/embedding/vector-store.d.ts +0 -41
- package/dist/embedding/vector-store.d.ts.map +0 -1
- package/dist/embedding/vector-store.js +0 -70
- package/dist/embedding/vector-store.js.map +0 -1
- package/dist/engine.d.ts +0 -163
- package/dist/engine.d.ts.map +0 -1
- package/dist/engine.js +0 -869
- package/dist/engine.js.map +0 -1
- package/dist/eval/corpus.d.ts +0 -42
- package/dist/eval/corpus.d.ts.map +0 -1
- package/dist/eval/corpus.js +0 -427
- package/dist/eval/corpus.js.map +0 -1
- package/dist/eval/eval-harness.d.ts +0 -44
- package/dist/eval/eval-harness.d.ts.map +0 -1
- package/dist/eval/eval-harness.js +0 -296
- package/dist/eval/eval-harness.js.map +0 -1
- package/dist/eval/index.d.ts +0 -13
- package/dist/eval/index.d.ts.map +0 -1
- package/dist/eval/index.js +0 -9
- package/dist/eval/index.js.map +0 -1
- package/dist/eval/metrics.d.ts +0 -74
- package/dist/eval/metrics.d.ts.map +0 -1
- package/dist/eval/metrics.js +0 -108
- package/dist/eval/metrics.js.map +0 -1
- package/dist/eval/pint-corpus.d.ts +0 -34
- package/dist/eval/pint-corpus.d.ts.map +0 -1
- package/dist/eval/pint-corpus.js +0 -109
- package/dist/eval/pint-corpus.js.map +0 -1
- package/dist/eval/rule-corpus.d.ts +0 -9
- package/dist/eval/rule-corpus.d.ts.map +0 -1
- package/dist/eval/rule-corpus.js +0 -4780
- package/dist/eval/rule-corpus.js.map +0 -1
- package/dist/eval/rule-metrics.d.ts +0 -34
- package/dist/eval/rule-metrics.d.ts.map +0 -1
- package/dist/eval/rule-metrics.js +0 -92
- package/dist/eval/rule-metrics.js.map +0 -1
- package/dist/eval/run-eval.d.ts +0 -7
- package/dist/eval/run-eval.d.ts.map +0 -1
- package/dist/eval/run-eval.js +0 -11
- package/dist/eval/run-eval.js.map +0 -1
- package/dist/eval/run-pint-benchmark.d.ts +0 -18
- package/dist/eval/run-pint-benchmark.d.ts.map +0 -1
- package/dist/eval/run-pint-benchmark.js +0 -159
- package/dist/eval/run-pint-benchmark.js.map +0 -1
- package/dist/flywheel.d.ts +0 -54
- package/dist/flywheel.d.ts.map +0 -1
- package/dist/flywheel.js +0 -121
- package/dist/flywheel.js.map +0 -1
- package/dist/hook-handler.d.ts +0 -61
- package/dist/hook-handler.d.ts.map +0 -1
- package/dist/hook-handler.js +0 -178
- package/dist/hook-handler.js.map +0 -1
- package/dist/index.d.ts +0 -62
- package/dist/index.d.ts.map +0 -1
- package/dist/index.js +0 -54
- package/dist/index.js.map +0 -1
- package/dist/layer-integration.d.ts +0 -55
- package/dist/layer-integration.d.ts.map +0 -1
- package/dist/layer-integration.js +0 -185
- package/dist/layer-integration.js.map +0 -1
- package/dist/loader.d.ts +0 -21
- package/dist/loader.d.ts.map +0 -1
- package/dist/loader.js +0 -124
- package/dist/loader.js.map +0 -1
- package/dist/mcp-server.d.ts +0 -13
- package/dist/mcp-server.d.ts.map +0 -1
- package/dist/mcp-server.js +0 -220
- package/dist/mcp-server.js.map +0 -1
- package/dist/mcp-tools/coverage-gaps.d.ts +0 -13
- package/dist/mcp-tools/coverage-gaps.d.ts.map +0 -1
- package/dist/mcp-tools/coverage-gaps.js +0 -55
- package/dist/mcp-tools/coverage-gaps.js.map +0 -1
- package/dist/mcp-tools/list-rules.d.ts +0 -17
- package/dist/mcp-tools/list-rules.d.ts.map +0 -1
- package/dist/mcp-tools/list-rules.js +0 -45
- package/dist/mcp-tools/list-rules.js.map +0 -1
- package/dist/mcp-tools/scan.d.ts +0 -24
- package/dist/mcp-tools/scan.d.ts.map +0 -1
- package/dist/mcp-tools/scan.js +0 -94
- package/dist/mcp-tools/scan.js.map +0 -1
- package/dist/mcp-tools/submit-proposal.d.ts +0 -12
- package/dist/mcp-tools/submit-proposal.d.ts.map +0 -1
- package/dist/mcp-tools/submit-proposal.js +0 -103
- package/dist/mcp-tools/submit-proposal.js.map +0 -1
- package/dist/mcp-tools/threat-summary.d.ts +0 -12
- package/dist/mcp-tools/threat-summary.d.ts.map +0 -1
- package/dist/mcp-tools/threat-summary.js +0 -74
- package/dist/mcp-tools/threat-summary.js.map +0 -1
- package/dist/mcp-tools/validate.d.ts +0 -15
- package/dist/mcp-tools/validate.d.ts.map +0 -1
- package/dist/mcp-tools/validate.js +0 -45
- package/dist/mcp-tools/validate.js.map +0 -1
- package/dist/modules/embedding.d.ts +0 -71
- package/dist/modules/embedding.d.ts.map +0 -1
- package/dist/modules/embedding.js +0 -141
- package/dist/modules/embedding.js.map +0 -1
- package/dist/modules/index.d.ts +0 -144
- package/dist/modules/index.d.ts.map +0 -1
- package/dist/modules/index.js +0 -82
- package/dist/modules/index.js.map +0 -1
- package/dist/modules/semantic.d.ts +0 -106
- package/dist/modules/semantic.d.ts.map +0 -1
- package/dist/modules/semantic.js +0 -359
- package/dist/modules/semantic.js.map +0 -1
- package/dist/modules/session.d.ts +0 -70
- package/dist/modules/session.d.ts.map +0 -1
- package/dist/modules/session.js +0 -128
- package/dist/modules/session.js.map +0 -1
- package/dist/rule-scaffolder.d.ts +0 -53
- package/dist/rule-scaffolder.d.ts.map +0 -1
- package/dist/rule-scaffolder.js +0 -301
- package/dist/rule-scaffolder.js.map +0 -1
- package/dist/session-tracker.d.ts +0 -58
- package/dist/session-tracker.d.ts.map +0 -1
- package/dist/session-tracker.js +0 -176
- package/dist/session-tracker.js.map +0 -1
- package/dist/shadow-evaluator.d.ts +0 -48
- package/dist/shadow-evaluator.d.ts.map +0 -1
- package/dist/shadow-evaluator.js +0 -128
- package/dist/shadow-evaluator.js.map +0 -1
- package/dist/skill-fingerprint.d.ts +0 -85
- package/dist/skill-fingerprint.d.ts.map +0 -1
- package/dist/skill-fingerprint.js +0 -284
- package/dist/skill-fingerprint.js.map +0 -1
- package/dist/tier0-invariant.d.ts +0 -49
- package/dist/tier0-invariant.d.ts.map +0 -1
- package/dist/tier0-invariant.js +0 -184
- package/dist/tier0-invariant.js.map +0 -1
- package/dist/tier1-blacklist.d.ts +0 -48
- package/dist/tier1-blacklist.d.ts.map +0 -1
- package/dist/tier1-blacklist.js +0 -91
- package/dist/tier1-blacklist.js.map +0 -1
- package/dist/types.d.ts +0 -190
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -6
- package/dist/types.js.map +0 -1
- package/dist/verdict.d.ts +0 -26
- package/dist/verdict.d.ts.map +0 -1
- package/dist/verdict.js +0 -127
- package/dist/verdict.js.map +0 -1
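--- a/package/dist/flywheel.js
+++ b/package/dist/flywheel.js
@@ -1,121 +0,0 @@
-/**
-* Flywheel Manager -- automates the threat detection → rule generation → promotion cycle.
-*
-* Flow:
-* 1. Tier 4 (LLM) detects novel threat → auto-scaffold rule
-* 2. Rule enters shadow mode → ShadowEvaluator tracks FP rate
-* 3. FP < threshold after N evaluations → auto-promote to stable
-* 4. Promoted rule distributes to all users via Threat Cloud
-*
-* Machine speed, not human speed. No manual proposals or voting required.
-*
-* @module agent-threat-rules/flywheel
-*/
-import { RuleScaffolder } from './rule-scaffolder.js';
-import { ShadowEvaluator } from './shadow-evaluator.js';
-export class FlywheelManager {
-scaffolder;
-shadow;
-config;
-existingIds = new Set();
-constructor(config = {}) {
-this.scaffolder = new RuleScaffolder({ author: 'ATR Flywheel (auto-generated)' });
-this.shadow = new ShadowEvaluator();
-this.config = {
-maxFPRate: config.maxFPRate ?? 0.001,
-minEvaluations: config.minEvaluations ?? 1000,
-onPromote: config.onPromote ?? (() => { }),
-onShadowRule: config.onShadowRule ?? (() => { }),
-};
-}
-/**
-* Called when Tier 4 (LLM semantic) detects a novel threat.
-* Auto-generates a shadow rule from the detection.
-*/
-async onTier4Detection(match, event) {
-// Only generate from high-confidence Tier 4 matches
-if (match.confidence < 0.7)
-return null;
-// Extract category and severity from the match
-const category = match.rule.tags?.category ?? 'prompt-injection';
-const severity = match.rule.severity ?? 'medium';
-// Build example payloads from ATTACK PATTERNS, not just raw content.
-// Priority: matched patterns > event fields > event content
-const payloads = [];
-// 1. Matched patterns from the Tier 4 detection — these ARE the attack signals
-if (match.matchedPatterns.length > 0) {
-payloads.push(...match.matchedPatterns.filter((p) => p.length > 5));
-}
-// 2. Event fields (tool_args, tool_response, etc.) — more specific than content
-if (event.fields) {
-for (const value of Object.values(event.fields)) {
-if (value && value.length > 10) {
-payloads.push(value.slice(0, 500));
-}
-}
-}
-// 3. Event content as fallback — but only if we don't have better signals
-if (payloads.length === 0 && event.content) {
-payloads.push(event.content.slice(0, 500));
-}
-// Ensure at least one payload
-if (payloads.length === 0) {
-payloads.push(match.rule.description ?? match.rule.title);
-}
-const input = {
-title: `Auto: ${match.rule.description?.slice(0, 60) ?? match.rule.title}`,
-category: category,
-severity: severity,
-attackDescription: match.rule.description ?? match.matchedPatterns.join('; '),
-examplePayloads: payloads,
-};
-try {
-const result = this.scaffolder.scaffold(input, this.existingIds);
-const ruleYaml = result.yaml;
-// Parse back to ATRRule object
-const { default: yaml } = await import('js-yaml');
-const rule = yaml.load(ruleYaml);
-rule.status = 'experimental';
-this.existingIds.add(result.id);
-this.shadow.addRule(rule);
-await this.config.onShadowRule(rule);
-return rule;
-}
-catch {
-return null;
-}
-}
-/**
-* Called for every event -- runs shadow evaluation.
-* Returns shadow matches (for logging only, not verdict).
-*/
-evaluateShadow(event) {
-return this.shadow.evaluate(event);
-}
-/** Record user feedback on a shadow match */
-recordFeedback(ruleId, isTruePositive) {
-this.shadow.recordFeedback(ruleId, isTruePositive);
-}
-/**
-* Check for rules ready to promote and execute promotion.
-* Call periodically (e.g., every 15 minutes).
-*/
-async promoteReady() {
-const candidates = this.shadow.getPromotionCandidates(this.config.maxFPRate, this.config.minEvaluations);
-for (const candidate of candidates) {
-// Promote: change status from experimental to stable
-const promoted = { ...candidate.rule, status: 'stable' };
-await this.config.onPromote(promoted, candidate.stats);
-}
-return candidates;
-}
-/** Get shadow evaluator stats */
-getShadowStats() {
-return this.shadow.getAllStats();
-}
-/** Number of rules in shadow mode */
-shadowRuleCount() {
-return this.shadow.size();
-}
-}
-//# sourceMappingURL=flywheel.js.map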
package/dist/flywheel.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"flywheel.js","sourceRoot":"","sources":["../src/flywheel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,cAAc,EAAsB,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,eAAe,EAA2B,MAAM,uBAAuB,CAAC;AAajF,MAAM,OAAO,eAAe;IACT,UAAU,CAAiB;IAC3B,MAAM,CAAkB;IACxB,MAAM,CAA2B;IACjC,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IAEjD,YAAY,SAAyB,EAAE;QACrC,IAAI,CAAC,UAAU,GAAG,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC,CAAC;QAClF,IAAI,CAAC,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI;YAC7C,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;YACzC,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SAChD,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CAAC,KAAe,EAAE,KAAiB;QACvD,oDAAoD;QACpD,IAAI,KAAK,CAAC,UAAU,GAAG,GAAG;YAAE,OAAO,IAAI,CAAC;QAExC,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,IAAI,kBAAkB,CAAC;QACjE,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;QAEjD,qEAAqE;QACrE,4DAA4D;QAC5D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,+EAA+E;QAC/E,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;QACtE,CAAC;QAED,gFAAgF;QAChF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChD,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBAC/B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAkB;YAC3B,KAAK,EAAE,SAAS,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,CA
AC,IAAI,CAAC,KAAK,EAAE;YAC1E,QAAQ,EAAE,QAAqC;YAC/C,QAAQ,EAAE,QAAqC;YAC/C,iBAAiB,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;YAC7E,eAAe,EAAE,QAAQ;SAC1B,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;YAE7B,+BAA+B;YAC/B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAY,CAAC;YAC5C,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC;YAE7B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE1B,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAErC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,KAAiB;QAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAED,6CAA6C;IAC7C,cAAc,CAAC,MAAc,EAAE,cAAuB;QACpD,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACrD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,CACnD,IAAI,CAAC,MAAM,CAAC,SAAS,EACrB,IAAI,CAAC,MAAM,CAAC,cAAc,CAC3B,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,qDAAqD;YACrD,MAAM,QAAQ,GAAG,EAAE,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,QAAiB,EAAE,CAAC;YAClE,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,iCAAiC;IACjC,cAAc;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,CAAC;IAED,qCAAqC;IACrC,eAAe;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC;CACF"}
|
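--- a/package/dist/hook-handler.d.ts
+++ b/package/dist/hook-handler.d.ts
@@ -1,61 +0,0 @@
-/**
-* Hook Handler - Bridges Claude Code hooks to the ATR engine.
-*
-* Converts HookInput (PreToolUse/PostToolUse) into AgentEvents,
-* evaluates them, and returns HookOutput for the agent host.
-*
-* Supports a stdio JSON-lines loop for use as a Claude Code hook process.
-*
-* CRITICAL: Fail-open on all errors -- default to "allow" so a
-* bug in the guard never blocks legitimate agent operations.
-*
-* @module agent-threat-rules/hook-handler
-*/
-import type { HookInput, HookOutput } from './types.js';
-import type { ATREngine } from './engine.js';
-import type { ActionExecutor } from './action-executor.js';
-export interface HookHandlerConfig {
-readonly engine: ATREngine;
-readonly executor: ActionExecutor;
-readonly timeoutMs?: number;
-readonly failOpen?: boolean;
-}
-export declare class HookHandler {
-private readonly engine;
-private readonly executor;
-private readonly timeoutMs;
-private readonly failOpen;
-constructor(config: HookHandlerConfig);
-/**
-* Handle a PreToolUse hook event.
-* Converts input to an AgentEvent, evaluates, and returns a HookOutput.
-*/
-handlePreToolUse(input: HookInput): Promise<HookOutput>;
-/**
-* Handle a PostToolUse hook event.
-* Scans the tool output for threats.
-*/
-handlePostToolUse(input: HookInput): Promise<HookOutput>;
-/**
-* Start a stdio JSON-lines loop.
-*
-* Reads one JSON object per line from stdin, dispatches to the
-* appropriate handler, and writes one JSON line to stdout.
-*
-* Exits cleanly when stdin closes.
-*/
-startStdioLoop(): Promise<void>;
-/**
-* Dispatch a HookInput to the appropriate handler.
-*/
-private dispatch;
-/**
-* Evaluate an event with timeout and convert the verdict to HookOutput.
-*/
-private evaluateAndRespond;
-/**
-* Handle errors with fail-open or fail-closed behavior.
-*/
-private handleError;
-}
-//# sourceMappingURL=hook-handler.d.ts.map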
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"hook-handler.d.ts","sourceRoot":"","sources":["../src/hook-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAEV,SAAS,EACT,UAAU,EAEX,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAK3D,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;CAC7B;AAmED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAU;gBAEvB,MAAM,EAAE,iBAAiB;IAOrC;;;OAGG;IACG,gBAAgB,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;IAS7D;;;OAGG;IACG,iBAAiB,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;IAS9D;;;;;;;OAOG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAuBrC;;OAEG;YACW,QAAQ;IAWtB;;OAEG;YACW,kBAAkB;IAoBhC;;OAEG;IACH,OAAO,CAAC,WAAW;CAapB"}
|
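--- a/package/dist/hook-handler.js
+++ /dev/null
@@ -1,178 +0,0 @@
-/**
-* Hook Handler - Bridges Claude Code hooks to the ATR engine.
-*
-* Converts HookInput (PreToolUse/PostToolUse) into AgentEvents,
-* evaluates them, and returns HookOutput for the agent host.
-*
-* Supports a stdio JSON-lines loop for use as a Claude Code hook process.
-*
-* CRITICAL: Fail-open on all errors -- default to "allow" so a
-* bug in the guard never blocks legitimate agent operations.
-*
-* @module agent-threat-rules/hook-handler
-*/
-import { createInterface } from 'node:readline';
-/** Default evaluation timeout in milliseconds */
-const DEFAULT_TIMEOUT_MS = 5_000;
-/**
-* Create an "allow" hook output, used as the safe default.
-*/
-function allowOutput(reason) {
-return Object.freeze({
-decision: 'allow',
-reason: reason ?? 'No threat detected.',
-});
-}
-/**
-* Convert a HookInput into an AgentEvent for engine evaluation.
-*/
-function hookInputToEvent(input) {
-const isPreTool = input.hook === 'PreToolUse';
-const type = isPreTool ? 'tool_call' : 'tool_response';
-const toolInput = input.tool_input ?? {};
-const content = typeof toolInput['content'] === 'string'
-? toolInput['content']
-: JSON.stringify(toolInput);
-const fields = {
-tool_name: input.tool_name ?? '',
-tool_args: JSON.stringify(toolInput),
-content,
-};
-// For PostToolUse, include output/response if present
-if (!isPreTool) {
-const output = toolInput['output'] ?? toolInput['response'];
-if (typeof output === 'string') {
-fields['tool_response'] = output;
-}
-}
-return Object.freeze({
-type,
-timestamp: input.timestamp ?? new Date().toISOString(),
-content,
-fields: Object.freeze(fields),
-sessionId: input.session_id,
-});
-}
-/**
-* Run a promise with a timeout. Resolves to the promise result
-* or rejects with a timeout error.
-*/
-function withTimeout(promise, ms) {
-return new Promise((resolve, reject) => {
-const timer = setTimeout(() => {
-reject(new Error(`Evaluation timed out after ${ms}ms`));
-}, ms);
-promise.then((value) => { clearTimeout(timer); resolve(value); }, (err) => { clearTimeout(timer); reject(err); });
-});
-}
-export class HookHandler {
-engine;
-executor;
-timeoutMs;
-failOpen;
-constructor(config) {
-this.engine = config.engine;
-this.executor = config.executor;
-this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-this.failOpen = config.failOpen ?? true;
-}
-/**
-* Handle a PreToolUse hook event.
-* Converts input to an AgentEvent, evaluates, and returns a HookOutput.
-*/
-async handlePreToolUse(input) {
-try {
-const event = hookInputToEvent(input);
-return await this.evaluateAndRespond(event);
-}
-catch (err) {
-return this.handleError(err);
-}
-}
-/**
-* Handle a PostToolUse hook event.
-* Scans the tool output for threats.
-*/
-async handlePostToolUse(input) {
-try {
-const event = hookInputToEvent(input);
-return await this.evaluateAndRespond(event);
-}
-catch (err) {
-return this.handleError(err);
-}
-}
-/**
-* Start a stdio JSON-lines loop.
-*
-* Reads one JSON object per line from stdin, dispatches to the
-* appropriate handler, and writes one JSON line to stdout.
-*
-* Exits cleanly when stdin closes.
-*/
-async startStdioLoop() {
-const rl = createInterface({
-input: process.stdin,
-crlfDelay: Infinity,
-});
-for await (const line of rl) {
-const trimmed = line.trim();
-if (!trimmed)
-continue;
-let output;
-try {
-const input = JSON.parse(trimmed);
-output = await this.dispatch(input);
-}
-catch (err) {
-output = this.handleError(err);
-}
-process.stdout.write(JSON.stringify(output) + '\n');
-}
-}
-/**
-* Dispatch a HookInput to the appropriate handler.
-*/
-async dispatch(input) {
-switch (input.hook) {
-case 'PreToolUse':
-return this.handlePreToolUse(input);
-case 'PostToolUse':
-return this.handlePostToolUse(input);
-default:
-return allowOutput(`Unknown hook type: ${String(input.hook)}`);
-}
-}
-/**
-* Evaluate an event with timeout and convert the verdict to HookOutput.
-*/
-async evaluateAndRespond(event) {
-const { verdict } = await withTimeout(this.engine.evaluateWithVerdict(event, this.executor), this.timeoutMs);
-const matchedRules = verdict.matches.map((m) => m.rule.id);
-return Object.freeze({
-decision: verdict.outcome,
-reason: verdict.reason,
-message: verdict.outcome === 'deny'
-? `Blocked: ${verdict.reason}`
-: undefined,
-matched_rules: matchedRules.length > 0
-? Object.freeze(matchedRules)
-: undefined,
-});
-}
-/**
-* Handle errors with fail-open or fail-closed behavior.
-*/
-handleError(err) {
-const message = err instanceof Error ? err.message : String(err);
-process.stderr.write(`[atr-guard] Error: ${message}\n`);
-if (this.failOpen) {
-return allowOutput(`Guard error (fail-open): ${message}`);
-}
-return Object.freeze({
-decision: 'deny',
-reason: `Guard error (fail-closed): ${message}`,
-});
-}
-}
-//# sourceMappingURL=hook-handler.js.map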
package/dist/hook-handler.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"hook-handler.js","sourceRoot":"","sources":["../src/hook-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAUhD,iDAAiD;AACjD,MAAM,kBAAkB,GAAG,KAAK,CAAC;AASjC;;GAEG;AACH,SAAS,WAAW,CAAC,MAAe;IAClC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,QAAQ,EAAE,OAAyB;QACnC,MAAM,EAAE,MAAM,IAAI,qBAAqB;KACxC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,KAAgB;IACxC,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC;IAC9C,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC;IAEvD,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,OAAO,SAAS,CAAC,SAAS,CAAC,KAAK,QAAQ;QACtD,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAE9B,MAAM,MAAM,GAA2B;QACrC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,EAAE;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;QACpC,OAAO;KACR,CAAC;IAEF,sDAAsD;IACtD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,MAAM,CAAC,eAAe,CAAC,GAAG,MAAM,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,IAAI;QACJ,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtD,OAAO;QACP,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;QAC7B,SAAS,EAAE,KAAK,CAAC,UAAU;KAC5B,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,OAAmB,EACnB,EAAU;IAEV,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,CAAC,EAAE,EAAE,CAAC,CAAC;QAEP,OAAO,CAAC,IAAI,CACV,CAAC,KAAK,EAAE,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EACnD,CAAC,GAAG,EAAE,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAC/C,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,WAAW;IACL,MAAM,CAAY;IAClB,QAAQ,CAAiB;IACzB,SAAS,CAAS;IAClB,QAAQ,CAAU;IAEnC,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,SAAS,GAAG
,MAAM,CAAC,SAAS,IAAI,kBAAkB,CAAC;QACxD,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CAAC,KAAgB;QACrC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACtC,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAgB;QACtC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACtC,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,EAAE,GAAG,eAAe,CAAC;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,QAAQ;SACpB,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,EAAE,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,IAAI,MAAkB,CAAC;YAEvB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAc,CAAC;gBAC/C,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACtC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YACjC,CAAC;YAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,QAAQ,CAAC,KAAgB;QACrC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,YAAY;gBACf,OAAO,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACtC,KAAK,aAAa;gBAChB,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YACvC;gBACE,OAAO,WAAW,CAAC,sBAAsB,MAAM,CAAE,KAA4C,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3G,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,KAAiB;QAChD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,WAAW,CACnC,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,EACrD,IAAI,CAAC,SAAS,CACf,CAAC;QAEF,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAE3D,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,QAAQ,EAAE,OAAO,CAAC,OAAO;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO,KAAK,MAAM;gBACjC,CAAC,CAAC,YAA
Y,OAAO,CAAC,MAAM,EAAE;gBAC9B,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC;gBACpC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;gBAC7B,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAY;QAC9B,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,OAAO,IAAI,CAAC,CAAC;QAExD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,WAAW,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,QAAQ,EAAE,MAAwB;YAClC,MAAM,EAAE,8BAA8B,OAAO,EAAE;SAChD,CAAC,CAAC;IACL,CAAC;CACF"}
|
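--- a/package/dist/index.d.ts
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
-* ATR (Agent Threat Rules) - Detection format for AI Agent threats
-*
-* ATR is the detection layer: it evaluates agent events against rules
-* and returns match results. It does NOT execute response actions,
-* send notifications, or manage dashboards. Those are the responsibility
-* of products built on ATR (e.g., LlamaFirewall, or your own).
-*
-* ATR 是偵測層:評估 agent 事件、回傳匹配結果。
-* 不執行回應動作、不發通知、不管 dashboard。
-* 那些是建立在 ATR 之上的產品的責任。
-*
-* @module agent-threat-rules
-*/
-export { ATREngine } from './engine.js';
-export type { ATREngineConfig } from './engine.js';
-export { loadRuleFile, loadRulesFromDirectory, validateRule } from './loader.js';
-export { SessionTracker } from './session-tracker.js';
-export type { SessionStateSnapshot } from './session-tracker.js';
-export { InvariantChecker } from './tier0-invariant.js';
-export type { SkillManifest, InvariantViolation, InvariantViolationType } from './tier0-invariant.js';
-export { InMemoryBlacklist, buildBlacklistMatch } from './tier1-blacklist.js';
-export type { BlacklistProvider, BlacklistEntry } from './tier1-blacklist.js';
-export { extractCapabilities } from './capability-extractor.js';
-export type { ExtractedCapabilities } from './capability-extractor.js';
-export { EmbeddingModule } from './modules/embedding.js';
-export type { EmbeddingModuleConfig } from './modules/embedding.js';
-export { VectorStore, loadVectorEntries } from './embedding/vector-store.js';
-export type { VectorEntry, SearchResult } from './embedding/vector-store.js';
-export { TransformersJSModel, MockEmbeddingModel } from './embedding/model-loader.js';
-export type { EmbeddingModel } from './embedding/model-loader.js';
-export { ModuleRegistry } from './modules/index.js';
-export type { ATRModule, ModuleCondition, ModuleResult } from './modules/index.js';
-export { SessionModule } from './modules/session.js';
-/** @beta - Experimental, not production-tested */
-export { SemanticModule } from './modules/semantic.js';
-export type { SemanticModuleConfig } from './modules/semantic.js';
-/** @beta - Experimental, not production-tested */
-export { SkillFingerprintStore } from './skill-fingerprint.js';
-export type { SkillFingerprint, BehaviorAnomaly, SkillFingerprintConfig, } from './skill-fingerprint.js';
-export type { SemanticLayerConfig } from './layer-integration.js';
-export { RuleScaffolder } from './rule-scaffolder.js';
-export type { ScaffoldInput, ScaffoldResult, ScaffoldOptions } from './rule-scaffolder.js';
-export { CoverageAnalyzer } from './coverage-analyzer.js';
-export type { CoverageGap, CoverageReport } from './coverage-analyzer.js';
-export { convertRule, convertAllRules } from './converters/index.js';
-export type { ConvertedQuery, SIEMFormat } from './converters/index.js';
-export { ruleToSPL } from './converters/splunk.js';
-export { ruleToElastic } from './converters/elastic.js';
-export { ShadowEvaluator } from './shadow-evaluator.js';
-export type { PromotionCandidate } from './shadow-evaluator.js';
-export { FlywheelManager } from './flywheel.js';
-export type { FlywheelConfig } from './flywheel.js';
-export { computeVerdict, SEVERITY_RANK, isAutoResponseEnabled } from './verdict.js';
-export { ActionExecutor } from './action-executor.js';
-export type { ActionExecutorConfig } from './action-executor.js';
-export { DefaultAdapter } from './adapters/default-adapter.js';
-export { StdioAdapter } from './adapters/stdio-adapter.js';
-export { HookHandler } from './hook-handler.js';
-export type { HookHandlerConfig } from './hook-handler.js';
-export type { ATRRule, ATRMatch, AgentEvent, AgentEventType, ATRAction, ATRCategory, ATRSeverity, ATRStatus, ATRConfidence, ATRSourceType, ATRMatchType, ATROperator, ATRReferences, ATRTags, ATRAgentSource, ATRDetection, ATRResponse, ATRTestCases, ATRTestCase, ATRPatternCondition, ATRBehavioralCondition, ATRSequenceCondition, ATRSequenceStep, VerdictOutcome, ATRVerdict, ActionResult, ExecutionContext, PlatformAdapter, HookInput, HookOutput, } from './types.js';
-//# sourceMappingURL=index.d.ts.map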
package/dist/index.d.ts.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,YAAY,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAGtG,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,YAAY,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,YAAY,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAC7E,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC7E,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACtF,YAAY,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAGlE,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACnF,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,kDAAkD;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,YAAY,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAClE,kDAAkD;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EACV,gBAAgB,EAChB,eAAe,EACf,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAGlE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAG1E,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACrE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAGxD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,YAAY,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,qBAAqB,EAA
E,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,YAAY,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,cAAc,EACd,SAAS,EACT,WAAW,EACX,WAAW,EACX,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,WAAW,EACX,aAAa,EACb,OAAO,EACP,cAAc,EACd,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,SAAS,EACT,UAAU,GACX,MAAM,YAAY,CAAC"}
|
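--- a/package/dist/index.js
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
-* ATR (Agent Threat Rules) - Detection format for AI Agent threats
-*
-* ATR is the detection layer: it evaluates agent events against rules
-* and returns match results. It does NOT execute response actions,
-* send notifications, or manage dashboards. Those are the responsibility
-* of products built on ATR (e.g., LlamaFirewall, or your own).
-*
-* ATR 是偵測層:評估 agent 事件、回傳匹配結果。
-* 不執行回應動作、不發通知、不管 dashboard。
-* 那些是建立在 ATR 之上的產品的責任。
-*
-* @module agent-threat-rules
-*/
-// ── Core Detection Layer (stable API) ───────────────────────────
-export { ATREngine } from './engine.js';
-export { loadRuleFile, loadRulesFromDirectory, validateRule } from './loader.js';
-export { SessionTracker } from './session-tracker.js';
-// ── Tier 0: Invariant Enforcement (hard boundaries) ──────────────
-export { InvariantChecker } from './tier0-invariant.js';
-// ── Tier 1: Blacklist Provider (known-bad lookup) ────────────────
-export { InMemoryBlacklist, buildBlacklistMatch } from './tier1-blacklist.js';
-// ── Shared Capability Extraction ─────────────────────────────────
-export { extractCapabilities } from './capability-extractor.js';
-// ── Tier 2.5: Embedding Similarity ───────────────────────────────
-export { EmbeddingModule } from './modules/embedding.js';
-export { VectorStore, loadVectorEntries } from './embedding/vector-store.js';
-export { TransformersJSModel, MockEmbeddingModel } from './embedding/model-loader.js';
-// ── Optional Detection Modules (Layer 2-3, beta) ────────────────
-export { ModuleRegistry } from './modules/index.js';
-export { SessionModule } from './modules/session.js';
-/** @beta - Experimental, not production-tested */
-export { SemanticModule } from './modules/semantic.js';
-/** @beta - Experimental, not production-tested */
-export { SkillFingerprintStore } from './skill-fingerprint.js';
-// ── Tooling (rule authoring and coverage analysis) ──────────────
-export { RuleScaffolder } from './rule-scaffolder.js';
-export { CoverageAnalyzer } from './coverage-analyzer.js';
-// ── SIEM Converters (Splunk SPL, Elasticsearch Query DSL) ────────
-export { convertRule, convertAllRules } from './converters/index.js';
-export { ruleToSPL } from './converters/splunk.js';
-export { ruleToElastic } from './converters/elastic.js';
-// ── Flywheel (auto rule generation + shadow + promotion) ─────────
-export { ShadowEvaluator } from './shadow-evaluator.js';
-export { FlywheelManager } from './flywheel.js';
-// ── Integration Helpers (for products built on ATR) ─────────────
-// These help products like LlamaFirewall, etc. build
-// protection layers on top of ATR detection results.
-export { computeVerdict, SEVERITY_RANK, isAutoResponseEnabled } from './verdict.js';
-export { ActionExecutor } from './action-executor.js';
-export { DefaultAdapter } from './adapters/default-adapter.js';
-export { StdioAdapter } from './adapters/stdio-adapter.js';
-export { HookHandler } from './hook-handler.js';
-//# sourceMappingURL=index.js.map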
package/dist/index.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,mEAAmE;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,oEAAoE;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAGxD,oEAAoE;AACpE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG9E,oEAAoE;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAGhE,oEAAoE;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAE7E,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAGtF,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,kDAAkD;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,kDAAkD;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAQ/D,mEAAmE;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,oEAAoE;AACpE,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAExD,oEAAoE;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGhD,mEAAmE;AACnE,qDAAqD;AACrD,qDAAqD;AACrD,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Layer Integration Helpers
|
|
3
|
-
*
|
|
4
|
-
* Bridges the ATREngine (Layer 1 regex) with:
|
|
5
|
-
* - SkillFingerprintStore (Layer 2 behavioral fingerprinting)
|
|
6
|
-
* - SemanticModule (Layer 3 LLM-as-judge)
|
|
7
|
-
*
|
|
8
|
-
* Extracted from engine.ts to keep file sizes manageable.
|
|
9
|
-
*
|
|
10
|
-
* @module agent-threat-rules/layer-integration
|
|
11
|
-
*/
|
|
12
|
-
import type { AgentEvent, ATRMatch } from './types.js';
|
|
13
|
-
import type { SkillFingerprintStore } from './skill-fingerprint.js';
|
|
14
|
-
import type { SemanticModule, SemanticModuleConfig } from './modules/semantic.js';
|
|
15
|
-
/** Configuration for Layer 3 semantic analysis */
|
|
16
|
-
export interface SemanticLayerConfig {
|
|
17
|
-
/** OpenAI-compatible API key */
|
|
18
|
-
readonly apiKey: string;
|
|
19
|
-
/** API base URL (default: https://api.openai.com) */
|
|
20
|
-
readonly baseUrl?: string;
|
|
21
|
-
/** Model identifier (default: gpt-4o-mini) */
|
|
22
|
-
readonly model?: string;
|
|
23
|
-
}
|
|
24
|
-
/**
|
|
25
|
-
* Resolve the skill identifier from an agent event.
|
|
26
|
-
* Returns undefined if no skill identifier is present.
|
|
27
|
-
*/
|
|
28
|
-
export declare function resolveSkillId(event: AgentEvent): string | undefined;
|
|
29
|
-
/**
|
|
30
|
-
* Run Layer 2 fingerprint analysis on an event.
|
|
31
|
-
* Returns additional ATRMatch entries for any detected anomalies.
|
|
32
|
-
*/
|
|
33
|
-
export declare function runFingerprintLayer(store: SkillFingerprintStore, event: AgentEvent, skillId: string): readonly ATRMatch[];
|
|
34
|
-
/**
|
|
35
|
-
* Determine whether Layer 3 semantic analysis should run.
|
|
36
|
-
*
|
|
37
|
-
* Triggers when:
|
|
38
|
-
* - Any Layer 1/2 match has medium or higher severity
|
|
39
|
-
* - The event explicitly requests deep analysis via metadata
|
|
40
|
-
*/
|
|
41
|
-
export declare function shouldRunSemanticLayer(layer1Matches: readonly ATRMatch[], event: AgentEvent): boolean;
|
|
42
|
-
/**
|
|
43
|
-
* Create a SemanticModule instance from simplified config.
|
|
44
|
-
* Returns undefined if the semantic module cannot be imported.
|
|
45
|
-
*/
|
|
46
|
-
export declare function createSemanticModuleFromConfig(config: SemanticLayerConfig): SemanticModuleConfig;
|
|
47
|
-
/**
|
|
48
|
-
* Run Layer 3 semantic analysis and return upgraded/new matches.
|
|
49
|
-
*
|
|
50
|
-
* The semantic module is called with `analyze_threat` to get a threat score.
|
|
51
|
-
* If the score is >= 0.7, a synthetic high-severity match is produced.
|
|
52
|
-
* If the score is 0.4-0.7, existing matches may have confidence boosted.
|
|
53
|
-
*/
|
|
54
|
-
export declare function runSemanticLayer(semanticModule: SemanticModule, event: AgentEvent, existingMatches: readonly ATRMatch[]): Promise<readonly ATRMatch[]>;
|
|
55
|
-
//# sourceMappingURL=layer-integration.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"layer-integration.d.ts","sourceRoot":"","sources":["../src/layer-integration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAwB,MAAM,YAAY,CAAC;AAC7E,OAAO,KAAK,EAAE,qBAAqB,EAAmB,MAAM,wBAAwB,CAAC;AACrF,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAMlF,kDAAkD;AAClD,MAAM,WAAW,mBAAmB;IAClC,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAcD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS,CAYpE;AA+BD;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,qBAAqB,EAC5B,KAAK,EAAE,UAAU,EACjB,OAAO,EAAE,MAAM,GACd,SAAS,QAAQ,EAAE,CA0BrB;AAaD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,aAAa,EAAE,SAAS,QAAQ,EAAE,EAClC,KAAK,EAAE,UAAU,GAChB,OAAO,CAcT;AAED;;;GAGG;AACH,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,mBAAmB,GAC1B,oBAAoB,CAMtB;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,cAAc,EAAE,cAAc,EAC9B,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,SAAS,QAAQ,EAAE,GACnC,OAAO,CAAC,SAAS,QAAQ,EAAE,CAAC,CAkD9B"}
|